diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys-avr/internal-sliscp-320-avr.S b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-320-avr.S
similarity index 100%
rename from ace/Implementations/crypto_aead/aceae128v1/rhys-avr/internal-sliscp-320-avr.S
rename to ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-320-avr.S
index 98e5eaf..2522d5c 100644
--- a/ace/Implementations/crypto_aead/aceae128v1/rhys-avr/internal-sliscp-320-avr.S
+++ b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-320-avr.S
@@ -188,10 +188,10 @@ sliscp_light320_permute:
 	ldd r12,Z+33
 	ldd r11,Z+34
 	ldd r10,Z+35
-	ldd r25,Z+26
-	ldd r24,Z+27
-	ldd r15,Z+28
-	ldd r14,Z+29
+	ldd r25,Z+36
+	ldd r24,Z+37
+	ldd r15,Z+38
+	ldd r14,Z+39
 	push r31
 	push r30
 	ldi r30,lo8(table_0)
diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.c b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.c
index 69b4519..dd3a688 100644
--- a/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.c
+++ b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.c
@@ -22,6 +22,8 @@
 
 #include "internal-sliscp-light.h"
 
+#if !defined(__AVR__)
+
 /**
  * \brief Performs one round of the Simeck-64 block cipher.
  *
@@ -173,11 +175,12 @@ void sliscp_light256_swap_spix(unsigned char block[32])
     le_store_word32(block + 12, t2);
 }
 
-void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds)
+void sliscp_light256_permute_spoc(unsigned char block[32])
 {
     const unsigned char *rc = sliscp_light256_RC;
     uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
     uint32_t t0, t1;
+    unsigned round;
 
     /* Load the block into local state variables */
     x0 = be_load_word32(block);
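Review bot: The four corrected loads now fetch the state word at Z+36..Z+39, which is the word the C implementation reads as `x9 = be_load_word32(block + 36)`; before this fix bytes 36..39 were never read and that lane was initialised from bytes 26..29 instead, so every AVR permutation output was wrong. The matching store of r25/r24/r15/r14 back into the state is outside the hunk, so confirm it also targets Z+36..Z+39 and not the old offsets, otherwise the lane is still lost on the way out. Since the C path is now compiled out under `__AVR__` (see the internal-sliscp-light.c hunks), the two implementations cannot be cross-checked in one binary; a KAT run of the AVR build against vectors produced by the C build is the check worth adding alongside this fix. The body of sliscp_light320_permute starts and ends outside the hunk.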
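Review bot: The new `#if !defined(__AVR__)` guard (closed by the `#endif /* !__AVR__ */` added in the @@ -406 hunk) compiles out every function in this file, yet the only assembly visible in this commit is internal-sliscp-320-avr.S; on AVR, sliscp_light256_permute_spix, sliscp_light256_permute_spoc and sliscp_light192_permute remain declared in internal-sliscp-light.h but presumably have no definition. If that is intended for the ACE tree, say so at the guard so the next reader does not go looking for the missing variants, e.g. `/* On AVR the sLiSCP-light-320 permutation is provided by internal-sliscp-320-avr.S; the other variants are not built for that target */`; if it is not intended, narrow the guard to the 320-bit functions only.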
@@ -190,7 +193,7 @@ void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds)
     x7 = be_load_word32(block + 28);
 
     /* Perform all permutation rounds */
-    for (; rounds > 0; --rounds, rc += 4) {
+    for (round = 0; round < 18; ++round, rc += 4) {
         /* Apply Simeck-64 to two of the 64-bit sub-blocks */
         simeck64_box(x2, x3, rc[0]);
         simeck64_box(x6, x7, rc[1]);
@@ -406,3 +409,5 @@ void sliscp_light320_swap(unsigned char block[40])
     le_store_word32(block + 16, t1);
     le_store_word32(block + 4, t2);
 }
+
+#endif /* !__AVR__ */
diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.h b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.h
index fa6b9ba..8a5e8d5 100644
--- a/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.h
+++ b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-sliscp-light.h
@@ -92,7 +92,6 @@ void sliscp_light256_swap_spix(unsigned char block[32]);
  * \brief Performs the sLiSCP-light permutation on a 256-bit block.
  *
  * \param block Points to the block to be permuted.
- * \param rounds Number of rounds to be performed, usually 9 or 18.
  *
  * The bytes of the block are assumed to be rearranged to match the
  * requirements of the SpoC-128 cipher. SpoC-128 interleaves the
@@ -112,7 +111,7 @@ void sliscp_light256_swap_spix(unsigned char block[32]);
  *
  * \sa sliscp_light256_swap_spoc()
  */
-void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds);
+void sliscp_light256_permute_spoc(unsigned char block[32]);
 
 /**
  * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SpoC-128.
diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-util.h b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-util.h
+++ b/ace/Implementations/crypto_aead/aceae128v1/rhys/internal-util.h
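Review bot: The bound `18` in the new loop header is a bare literal while the table it walks is declared `sliscp_light256_RC[18 * 4]` earlier in the file; tying both to one named constant keeps the loop from ever outrunning the table if the round count is edited in one place, e.g. `for (round = 0; round < SLISCP_LIGHT256_ROUNDS; ++round, rc += 4)` with the array sized from the same macro. The sibling sliscp_light256_permute_spix in this file still iterates `for (; rounds > 0; --rounds, rc += 4)` on a caller-supplied count with no upper bound over the same 72-byte table, so the out-of-bounds read this hunk eliminates for the SpoC variant remains possible there if a caller ever passes more than 18. The enclosing function sliscp_light256_permute_spoc starts and ends outside the hunk.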
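Review bot: With the `\param rounds` line removed, the Doxygen block for sliscp_light256_permute_spoc no longer states how many rounds are performed, and the implementation now fixes it at 18; record that so callers do not assume the 9-round option the removed text mentioned is still reachable, e.g. change the brief to ` * \brief Performs the 18-round sLiSCP-light permutation on a 256-bit block.`. The prototype change in the @@ -112 hunk of the same header is consistent with the .c file and needs nothing further.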
@@ -238,6 +238,17 @@
         } \
     } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
         (_temp >> (bits)) | (_temp << (32 - (bits))); \
     }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
  * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
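Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is derived unconditionally from `__AVR__`, so the 62 hand-composed rotation macros it selects (the @@ -322 hunk) can only be compiled by an AVR toolchain, and a mis-nested composition there would show up as a wrong permutation on the device rather than as a failing host test. Allowing the build to pre-set the selector makes the composed path testable on the host against the generic macros: wrap the existing five-line `#if defined(__AVR__)` ... `#endif` selection in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` with its own closing `#endif`. A host test compiled with the selector forced to 1 that checks `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for a few x values then exercises both tables.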
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/ace.c b/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/ace.c
deleted file mode 100644
index 7a68306..0000000
--- a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/ace.c
+++ /dev/null
@@ -1,339 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "ace.h" -#include "internal-sliscp-light.h" -#include "internal-util.h" -#include - -/** - * \brief Size of the state for the internal ACE permutation. - */ -#define ACE_STATE_SIZE SLISCP_LIGHT320_STATE_SIZE - -/** - * \brief Rate for absorbing data into the ACE state and for - * squeezing data out again. 
- */ -#define ACE_RATE 8 - -aead_cipher_t const ace_cipher = { - "ACE", - ACE_KEY_SIZE, - ACE_NONCE_SIZE, - ACE_TAG_SIZE, - AEAD_FLAG_NONE, - ace_aead_encrypt, - ace_aead_decrypt -}; - -aead_hash_algorithm_t const ace_hash_algorithm = { - "ACE-HASH", - sizeof(ace_hash_state_t), - ACE_HASH_SIZE, - AEAD_FLAG_NONE, - ace_hash, - (aead_hash_init_t)ace_hash_init, - (aead_hash_update_t)ace_hash_update, - (aead_hash_finalize_t)ace_hash_finalize, - (aead_xof_absorb_t)0, - (aead_xof_squeeze_t)0 -}; - -/* Indices of where a rate byte is located in the state. We don't - * need this array any more because sliscp_light320_permute() operates - * on byte-swapped states where the rate bytes are contiguous in the - * first 8 bytes */ -/* -static unsigned char const ace_rate_posn[8] = { - 0, 1, 2, 3, 16, 17, 18, 19 -}; -*/ - -/** - * \brief Initializes the ACE state. - * - * \param state ACE permutation state. - * \param k Points to the 128-bit key. - * \param npub Points to the 128-bit nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. 
- */ -static void ace_init - (unsigned char state[ACE_STATE_SIZE], - const unsigned char *k, const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned temp; - - /* Initialize the state by interleaving the key and nonce */ - memcpy(state, k, 8); - memcpy(state + 8, npub, 8); - memcpy(state + 16, k + 8, 8); - memset(state + 24, 0, 8); - memcpy(state + 32, npub + 8, 8); - - /* Swap some of the state bytes to make the rate bytes contiguous */ - sliscp_light320_swap(state); - - /* Run the permutation to scramble the initial state */ - sliscp_light320_permute(state); - - /* Absorb the key in two further permutation operations */ - lw_xor_block(state, k, 8); - sliscp_light320_permute(state); - lw_xor_block(state, k + 8, 8); - sliscp_light320_permute(state); - - /* Absorb the associated data into the state */ - if (adlen != 0) { - while (adlen >= ACE_RATE) { - lw_xor_block(state, ad, ACE_RATE); - state[ACE_STATE_SIZE - 1] ^= 0x01; /* domain separation */ - sliscp_light320_permute(state); - ad += ACE_RATE; - adlen -= ACE_RATE; - } - temp = (unsigned)adlen; - lw_xor_block(state, ad, temp); - state[temp] ^= 0x80; /* padding */ - state[ACE_STATE_SIZE - 1] ^= 0x01; /* domain separation */ - sliscp_light320_permute(state); - } -} - -/** - * \brief Finalizes the ACE encryption or decryption operation. - * - * \param state ACE permutation state. - * \param k Points to the 128-bit key. - * \param tag Points to the 16 byte buffer to receive the computed tag. 
- */ -static void ace_finalize - (unsigned char state[ACE_STATE_SIZE], const unsigned char *k, - unsigned char *tag) -{ - /* Absorb the key into the state again */ - lw_xor_block(state, k, 8); - sliscp_light320_permute(state); - lw_xor_block(state, k + 8, 8); - sliscp_light320_permute(state); - - /* Swap the state bytes back to the canonical order */ - sliscp_light320_swap(state); - - /* Copy out the authentication tag */ - memcpy(tag, state, 8); - memcpy(tag + 8, state + 16, 8); -} - -int ace_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[ACE_STATE_SIZE]; - unsigned temp; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ACE_TAG_SIZE; - - /* Initialize the ACE state and absorb the associated data */ - ace_init(state, k, npub, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - while (mlen >= ACE_RATE) { - lw_xor_block_2_dest(c, state, m, ACE_RATE); - state[ACE_STATE_SIZE - 1] ^= 0x02; /* domain separation */ - sliscp_light320_permute(state); - c += ACE_RATE; - m += ACE_RATE; - mlen -= ACE_RATE; - } - temp = (unsigned)mlen; - lw_xor_block_2_dest(c, state, m, temp); - state[temp] ^= 0x80; /* padding */ - state[ACE_STATE_SIZE - 1] ^= 0x02; /* domain separation */ - sliscp_light320_permute(state); - c += mlen; - - /* Generate the authentication tag */ - ace_finalize(state, k, c); - return 0; -} - -int ace_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[ACE_STATE_SIZE]; - unsigned char *mtemp = m; - unsigned temp; - (void)nsec; - - /* Validate the ciphertext length and set the 
return "mlen" value */ - if (clen < ACE_TAG_SIZE) - return -1; - *mlen = clen - ACE_TAG_SIZE; - - /* Initialize the ACE state and absorb the associated data */ - ace_init(state, k, npub, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= ACE_TAG_SIZE; - while (clen >= ACE_RATE) { - lw_xor_block_swap(m, state, c, ACE_RATE); - state[ACE_STATE_SIZE - 1] ^= 0x02; /* domain separation */ - sliscp_light320_permute(state); - c += ACE_RATE; - m += ACE_RATE; - clen -= ACE_RATE; - } - temp = (unsigned)clen; - lw_xor_block_swap(m, state, c, temp); - state[temp] ^= 0x80; /* padding */ - state[ACE_STATE_SIZE - 1] ^= 0x02; /* domain separation */ - sliscp_light320_permute(state); - c += clen; - - /* Finalize the ACE state and compare against the authentication tag */ - ace_finalize(state, k, state); - return aead_check_tag(mtemp, *mlen, state, c, ACE_TAG_SIZE); -} - -/* Pre-hashed version of the ACE-HASH initialization vector */ -static unsigned char const ace_hash_iv[ACE_STATE_SIZE] = { - 0xb9, 0x7d, 0xda, 0x3f, 0x66, 0x2c, 0xd1, 0xa6, - 0x65, 0xd1, 0x80, 0xd6, 0x49, 0xdc, 0xa1, 0x8c, - 0x0c, 0x5f, 0x0e, 0xca, 0x70, 0x37, 0x58, 0x75, - 0x29, 0x7d, 0xb0, 0xb0, 0x72, 0x73, 0xce, 0xa8, - 0x99, 0x71, 0xde, 0x8a, 0x9a, 0x65, 0x72, 0x24 -}; - -int ace_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - unsigned char state[ACE_STATE_SIZE]; - unsigned temp; - - /* Load the initialization vector and hash it, which can be pre-computed */ - /* - memset(state, 0, sizeof(state)); - state[8] = 0x80; - state[9] = 0x40; - state[10] = 0x40; - sliscp_light320_swap(state); - sliscp_light320_permute(state); - */ - memcpy(state, ace_hash_iv, ACE_STATE_SIZE); - - /* Absorb the input data */ - while (inlen >= ACE_RATE) { - lw_xor_block(state, in, ACE_RATE); - sliscp_light320_permute(state); - in += ACE_RATE; - inlen -= ACE_RATE; - } - temp = (unsigned)inlen; - lw_xor_block(state, in, temp); - state[temp] ^= 0x80; /* padding */ - 
sliscp_light320_permute(state); - - /* Squeeze out the hash value */ - memcpy(out, state, 8); - for (temp = 0; temp < 3; ++temp) { - out += 8; - sliscp_light320_permute(state); - memcpy(out, state, 8); - } - return 0; -} - -void ace_hash_init(ace_hash_state_t *state) -{ - memcpy(state->s.state, ace_hash_iv, ACE_STATE_SIZE); - state->s.count = 0; -} - -void ace_hash_update - (ace_hash_state_t *state, const unsigned char *in, - unsigned long long inlen) -{ - unsigned len; - - /* Handle the left-over rate block from last time */ - if (state->s.count != 0) { - len = ACE_RATE - state->s.count; - if (len > inlen) - len = (unsigned)inlen; - lw_xor_block(state->s.state + state->s.count, in, len); - in += len; - inlen -= len; - state->s.count += len; - if (state->s.count >= ACE_RATE) { - sliscp_light320_permute(state->s.state); - state->s.count = 0; - } else { - /* Not enough input data yet to fill up the whole block */ - return; - } - } - - /* Process as many full rate blocks as we can */ - while (inlen >= ACE_RATE) { - lw_xor_block(state->s.state, in, ACE_RATE); - sliscp_light320_permute(state->s.state); - in += ACE_RATE; - inlen -= ACE_RATE; - } - - /* Handle any left-over data */ - len = (unsigned)inlen; - lw_xor_block(state->s.state, in, len); - state->s.count = len; -} - -void ace_hash_finalize(ace_hash_state_t *state, unsigned char *out) -{ - unsigned temp; - - /* Pad and hash the final input block */ - state->s.state[state->s.count] ^= 0x80; - sliscp_light320_permute(state->s.state); - state->s.count = 0; - - /* Squeeze out the hash value */ - memcpy(out, state->s.state, 9); - for (temp = 0; temp < 3; ++temp) { - out += 8; - sliscp_light320_permute(state->s.state); - memcpy(out, state->s.state, 8); - } -} diff --git a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/internal-sliscp-light.c b/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/internal-sliscp-light.c deleted file mode 100644 index dd3a688..0000000 
--- a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/internal-sliscp-light.c
+++ /dev/null
@@ -1,413 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-sliscp-light.h" - -#if !defined(__AVR__) - -/** - * \brief Performs one round of the Simeck-64 block cipher. - * - * \param x Left half of the 64-bit block. - * \param y Right half of the 64-bit block. - */ -#define simeck64_round(x, y) \ - do { \ - (y) ^= (leftRotate5((x)) & (x)) ^ leftRotate1((x)) ^ \ - 0xFFFFFFFEU ^ (_rc & 1); \ - _rc >>= 1; \ - } while (0) - -/** - * \brief Encrypts a 64-bit block with the 8 round version of Simeck-64. - * - * \param x Left half of the 64-bit block. - * \param y Right half of the 64-bit block. - * \param rc Round constants for the 8 rounds, 1 bit per round. - * - * It is assumed that the two halves have already been converted from - * big-endian to host byte order before calling this function. The output - * halves will also be in host byte order. 
- */ -#define simeck64_box(x, y, rc) \ - do { \ - unsigned char _rc = (rc); \ - simeck64_round(x, y); /* Round 1 */ \ - simeck64_round(y, x); /* Round 2 */ \ - simeck64_round(x, y); /* Round 3 */ \ - simeck64_round(y, x); /* Round 4 */ \ - simeck64_round(x, y); /* Round 5 */ \ - simeck64_round(y, x); /* Round 6 */ \ - simeck64_round(x, y); /* Round 7 */ \ - simeck64_round(y, x); /* Round 8 */ \ - } while (0) - -/* Helper macros for 48-bit left rotations */ -#define leftRotate5_48(x) (((x) << 5) | ((x) >> 19)) -#define leftRotate1_48(x) (((x) << 1) | ((x) >> 23)) - -/** - * \brief Performs one round of the Simeck-48 block cipher. - * - * \param x Left half of the 48-bit block. - * \param y Right half of the 48-bit block. - */ -#define simeck48_round(x, y) \ - do { \ - (y) ^= (leftRotate5_48((x)) & (x)) ^ leftRotate1_48((x)) ^ \ - 0x00FFFFFEU ^ (_rc & 1); \ - (y) &= 0x00FFFFFFU; \ - _rc >>= 1; \ - } while (0) - -/** - * \brief Encrypts a 48-bit block with the 6 round version of Simeck-48. - * - * \param x Left half of the 48-bit block. - * \param y Right half of the 48-bit block. - * \param rc Round constants for the 8 rounds, 1 bit per round. - * - * It is assumed that the two halves have already been converted from - * big-endian to host byte order before calling this function. The output - * halves will also be in host byte order. 
- */ -#define simeck48_box(x, y, rc) \ - do { \ - unsigned char _rc = (rc); \ - simeck48_round(x, y); /* Round 1 */ \ - simeck48_round(y, x); /* Round 2 */ \ - simeck48_round(x, y); /* Round 3 */ \ - simeck48_round(y, x); /* Round 4 */ \ - simeck48_round(x, y); /* Round 5 */ \ - simeck48_round(y, x); /* Round 6 */ \ - } while (0) - -/* Interleaved rc0, rc1, sc0, and sc1 values for each round */ -static unsigned char const sliscp_light256_RC[18 * 4] = { - 0x0f, 0x47, 0x08, 0x64, 0x04, 0xb2, 0x86, 0x6b, - 0x43, 0xb5, 0xe2, 0x6f, 0xf1, 0x37, 0x89, 0x2c, - 0x44, 0x96, 0xe6, 0xdd, 0x73, 0xee, 0xca, 0x99, - 0xe5, 0x4c, 0x17, 0xea, 0x0b, 0xf5, 0x8e, 0x0f, - 0x47, 0x07, 0x64, 0x04, 0xb2, 0x82, 0x6b, 0x43, - 0xb5, 0xa1, 0x6f, 0xf1, 0x37, 0x78, 0x2c, 0x44, - 0x96, 0xa2, 0xdd, 0x73, 0xee, 0xb9, 0x99, 0xe5, - 0x4c, 0xf2, 0xea, 0x0b, 0xf5, 0x85, 0x0f, 0x47, - 0x07, 0x23, 0x04, 0xb2, 0x82, 0xd9, 0x43, 0xb5 -}; - -void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds) -{ - const unsigned char *rc = sliscp_light256_RC; - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t t0, t1; - - /* Load the block into local state variables */ - x0 = be_load_word32(block); - x1 = be_load_word32(block + 4); - x2 = be_load_word32(block + 8); - x3 = be_load_word32(block + 24); /* Assumes the block is pre-swapped */ - x4 = be_load_word32(block + 16); - x5 = be_load_word32(block + 20); - x6 = be_load_word32(block + 12); - x7 = be_load_word32(block + 28); - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds, rc += 4) { - /* Apply Simeck-64 to two of the 64-bit sub-blocks */ - simeck64_box(x2, x3, rc[0]); - simeck64_box(x6, x7, rc[1]); - - /* Add step constants */ - x0 ^= 0xFFFFFFFFU; - x1 ^= 0xFFFFFF00U ^ rc[2]; - x4 ^= 0xFFFFFFFFU; - x5 ^= 0xFFFFFF00U ^ rc[3]; - - /* Mix the sub-blocks */ - t0 = x0 ^ x2; - t1 = x1 ^ x3; - x0 = x2; - x1 = x3; - x2 = x4 ^ x6; - x3 = x5 ^ x7; - x4 = x6; - x5 = x7; - x6 = t0; - x7 = t1; - } - - /* Store the state back into the 
block */ - be_store_word32(block, x0); - be_store_word32(block + 4, x1); - be_store_word32(block + 8, x2); - be_store_word32(block + 24, x3); /* Assumes the block is pre-swapped */ - be_store_word32(block + 16, x4); - be_store_word32(block + 20, x5); - be_store_word32(block + 12, x6); - be_store_word32(block + 28, x7); -} - -void sliscp_light256_swap_spix(unsigned char block[32]) -{ - uint32_t t1, t2; - t1 = le_load_word32(block + 12); - t2 = le_load_word32(block + 24); - le_store_word32(block + 24, t1); - le_store_word32(block + 12, t2); -} - -void sliscp_light256_permute_spoc(unsigned char block[32]) -{ - const unsigned char *rc = sliscp_light256_RC; - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t t0, t1; - unsigned round; - - /* Load the block into local state variables */ - x0 = be_load_word32(block); - x1 = be_load_word32(block + 4); - x2 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */ - x3 = be_load_word32(block + 20); - x4 = be_load_word32(block + 8); - x5 = be_load_word32(block + 12); - x6 = be_load_word32(block + 24); - x7 = be_load_word32(block + 28); - - /* Perform all permutation rounds */ - for (round = 0; round < 18; ++round, rc += 4) { - /* Apply Simeck-64 to two of the 64-bit sub-blocks */ - simeck64_box(x2, x3, rc[0]); - simeck64_box(x6, x7, rc[1]); - - /* Add step constants */ - x0 ^= 0xFFFFFFFFU; - x1 ^= 0xFFFFFF00U ^ rc[2]; - x4 ^= 0xFFFFFFFFU; - x5 ^= 0xFFFFFF00U ^ rc[3]; - - /* Mix the sub-blocks */ - t0 = x0 ^ x2; - t1 = x1 ^ x3; - x0 = x2; - x1 = x3; - x2 = x4 ^ x6; - x3 = x5 ^ x7; - x4 = x6; - x5 = x7; - x6 = t0; - x7 = t1; - } - - /* Store the state back into the block */ - be_store_word32(block, x0); - be_store_word32(block + 4, x1); - be_store_word32(block + 16, x2); /* Assumes the block is pre-swapped */ - be_store_word32(block + 20, x3); - be_store_word32(block + 8, x4); - be_store_word32(block + 12, x5); - be_store_word32(block + 24, x6); - be_store_word32(block + 28, x7); -} - -void 
sliscp_light256_swap_spoc(unsigned char block[32]) -{ - uint64_t t1, t2; - t1 = le_load_word64(block + 8); - t2 = le_load_word64(block + 16); - le_store_word64(block + 16, t1); - le_store_word64(block + 8, t2); -} - -/* Load a big-endian 24-bit word from a byte buffer */ -#define be_load_word24(ptr) \ - ((((uint32_t)((ptr)[0])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[2]))) - -/* Store a big-endian 24-bit word into a byte buffer */ -#define be_store_word24(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 16); \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)_x; \ - } while (0) - -void sliscp_light192_permute(unsigned char block[24]) -{ - /* Interleaved rc0, rc1, sc0, and sc1 values for each round */ - static unsigned char const RC[18 * 4] = { - 0x07, 0x27, 0x08, 0x29, 0x04, 0x34, 0x0c, 0x1d, - 0x06, 0x2e, 0x0a, 0x33, 0x25, 0x19, 0x2f, 0x2a, - 0x17, 0x35, 0x38, 0x1f, 0x1c, 0x0f, 0x24, 0x10, - 0x12, 0x08, 0x36, 0x18, 0x3b, 0x0c, 0x0d, 0x14, - 0x26, 0x0a, 0x2b, 0x1e, 0x15, 0x2f, 0x3e, 0x31, - 0x3f, 0x38, 0x01, 0x09, 0x20, 0x24, 0x21, 0x2d, - 0x30, 0x36, 0x11, 0x1b, 0x28, 0x0d, 0x39, 0x16, - 0x3c, 0x2b, 0x05, 0x3d, 0x22, 0x3e, 0x27, 0x03, - 0x13, 0x01, 0x34, 0x02, 0x1a, 0x21, 0x2e, 0x23 - }; - const unsigned char *rc = RC; - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t t0, t1; - unsigned round; - - /* Load the block into local state variables. 
Each 24-bit block is - * placed into a separate 32-bit word which improves efficiency below */ - x0 = be_load_word24(block); - x1 = be_load_word24(block + 3); - x2 = be_load_word24(block + 6); - x3 = be_load_word24(block + 9); - x4 = be_load_word24(block + 12); - x5 = be_load_word24(block + 15); - x6 = be_load_word24(block + 18); - x7 = be_load_word24(block + 21); - - /* Perform all permutation rounds */ - for (round = 0; round < 18; ++round, rc += 4) { - /* Apply Simeck-48 to two of the 48-bit sub-blocks */ - simeck48_box(x2, x3, rc[0]); - simeck48_box(x6, x7, rc[1]); - - /* Add step constants */ - x0 ^= 0x00FFFFFFU; - x1 ^= 0x00FFFF00U ^ rc[2]; - x4 ^= 0x00FFFFFFU; - x5 ^= 0x00FFFF00U ^ rc[3]; - - /* Mix the sub-blocks */ - t0 = x0 ^ x2; - t1 = x1 ^ x3; - x0 = x2; - x1 = x3; - x2 = x4 ^ x6; - x3 = x5 ^ x7; - x4 = x6; - x5 = x7; - x6 = t0; - x7 = t1; - } - - /* Store the state back into the block */ - be_store_word24(block, x0); - be_store_word24(block + 3, x1); - be_store_word24(block + 6, x2); - be_store_word24(block + 9, x3); - be_store_word24(block + 12, x4); - be_store_word24(block + 15, x5); - be_store_word24(block + 18, x6); - be_store_word24(block + 21, x7); -} - -void sliscp_light320_permute(unsigned char block[40]) -{ - /* Interleaved rc0, rc1, rc2, sc0, sc1, and sc2 values for each round */ - static unsigned char const RC[16 * 6] = { - 0x07, 0x53, 0x43, 0x50, 0x28, 0x14, 0x0a, 0x5d, - 0xe4, 0x5c, 0xae, 0x57, 0x9b, 0x49, 0x5e, 0x91, - 0x48, 0x24, 0xe0, 0x7f, 0xcc, 0x8d, 0xc6, 0x63, - 0xd1, 0xbe, 0x32, 0x53, 0xa9, 0x54, 0x1a, 0x1d, - 0x4e, 0x60, 0x30, 0x18, 0x22, 0x28, 0x75, 0x68, - 0x34, 0x9a, 0xf7, 0x6c, 0x25, 0xe1, 0x70, 0x38, - 0x62, 0x82, 0xfd, 0xf6, 0x7b, 0xbd, 0x96, 0x47, - 0xf9, 0x9d, 0xce, 0x67, 0x71, 0x6b, 0x76, 0x40, - 0x20, 0x10, 0xaa, 0x88, 0xa0, 0x4f, 0x27, 0x13, - 0x2b, 0xdc, 0xb0, 0xbe, 0x5f, 0x2f, 0xe9, 0x8b, - 0x09, 0x5b, 0xad, 0xd6, 0xcf, 0x59, 0x1e, 0xe9, - 0x74, 0xba, 0xb7, 0xc6, 0xad, 0x7f, 0x3f, 0x1f - }; - const unsigned char *rc = 
RC; - uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9; - uint32_t t0, t1; - unsigned round; - - /* Load the block into local state variables */ - x0 = be_load_word32(block); - x1 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */ - x2 = be_load_word32(block + 8); - x3 = be_load_word32(block + 12); - x4 = be_load_word32(block + 4); - x5 = be_load_word32(block + 20); - x6 = be_load_word32(block + 24); - x7 = be_load_word32(block + 28); - x8 = be_load_word32(block + 32); - x9 = be_load_word32(block + 36); - - /* Perform all permutation rounds */ - for (round = 0; round < 16; ++round, rc += 6) { - /* Apply Simeck-64 to three of the 64-bit sub-blocks */ - simeck64_box(x0, x1, rc[0]); - simeck64_box(x4, x5, rc[1]); - simeck64_box(x8, x9, rc[2]); - x6 ^= x8; - x7 ^= x9; - x2 ^= x4; - x3 ^= x5; - x8 ^= x0; - x9 ^= x1; - - /* Add step constants */ - x2 ^= 0xFFFFFFFFU; - x3 ^= 0xFFFFFF00U ^ rc[3]; - x6 ^= 0xFFFFFFFFU; - x7 ^= 0xFFFFFF00U ^ rc[4]; - x8 ^= 0xFFFFFFFFU; - x9 ^= 0xFFFFFF00U ^ rc[5]; - - /* Rotate the sub-blocks */ - t0 = x8; - t1 = x9; - x8 = x2; - x9 = x3; - x2 = x4; - x3 = x5; - x4 = x0; - x5 = x1; - x0 = x6; - x1 = x7; - x6 = t0; - x7 = t1; - } - - /* Store the state back into the block */ - be_store_word32(block, x0); - be_store_word32(block + 16, x1); /* Assumes the block is pre-swapped */ - be_store_word32(block + 8, x2); - be_store_word32(block + 12, x3); - be_store_word32(block + 4, x4); - be_store_word32(block + 20, x5); - be_store_word32(block + 24, x6); - be_store_word32(block + 28, x7); - be_store_word32(block + 32, x8); - be_store_word32(block + 36, x9); -} - -void sliscp_light320_swap(unsigned char block[40]) -{ - uint32_t t1, t2; - t1 = le_load_word32(block + 4); - t2 = le_load_word32(block + 16); - le_store_word32(block + 16, t1); - le_store_word32(block + 4, t2); -} - -#endif /* !__AVR__ */ 
diff --git a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/internal-sliscp-light.h b/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/internal-sliscp-light.h
deleted file mode 100644
index 8a5e8d5..0000000
--- a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/internal-sliscp-light.h
+++ /dev/null
@@ -1,168 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SLISCP_LIGHT_H -#define LW_INTERNAL_SLISCP_LIGHT_H - -/** - * \file internal-sliscp-light.h - * \brief sLiSCP-light permutation - * - * There are three variants of sLiSCP-light in use in the NIST submissions: - * - * \li sLiSCP-light-256 with a 256-bit block size, used in SPIX and SpoC. - * \li sLiSCP-light-192 with a 192-bit block size, used in SpoC. - * \li sLiSCP-light-320 with a 320-bit block size, used in ACE. - * - * References: https://uwaterloo.ca/communications-security-lab/lwc/ace, - * https://uwaterloo.ca/communications-security-lab/lwc/spix, - * https://uwaterloo.ca/communications-security-lab/lwc/spoc - */ - -#include "internal-util.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the state for sLiSCP-light-256. 
- */ -#define SLISCP_LIGHT256_STATE_SIZE 32 - -/** - * \brief Size of the state for sLiSCP-light-192. - */ -#define SLISCP_LIGHT192_STATE_SIZE 24 - -/** - * \brief Size of the state for sLiSCP-light-320. - */ -#define SLISCP_LIGHT320_STATE_SIZE 40 - -/** - * \brief Performs the sLiSCP-light permutation on a 256-bit block. - * - * \param block Points to the block to be permuted. - * \param rounds Number of rounds to be performed, usually 9 or 18. - * - * The bytes of the block are assumed to be rearranged to match the - * requirements of the SPIX cipher. SPIX places the rate bytes at - * positions 8, 9, 10, 11, 24, 25, 26, and 27. - * - * This function assumes that bytes 24-27 have been pre-swapped with - * bytes 12-15 so that the rate portion of the state is contiguous. - * - * The sliscp_light256_swap_spix() function can be used to switch - * between the canonical order and the pre-swapped order. - * - * \sa sliscp_light256_swap_spix() - */ -void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds); - -/** - * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SPIX. - * - * \param block Points to the block to be rate-swapped. - * - * \sa sliscp_light256_permute_spix() - */ -void sliscp_light256_swap_spix(unsigned char block[32]); - -/** - * \brief Performs the sLiSCP-light permutation on a 256-bit block. - * - * \param block Points to the block to be permuted. - * - * The bytes of the block are assumed to be rearranged to match the - * requirements of the SpoC-128 cipher. SpoC-128 interleaves the - * rate bytes and the mask bytes. This version assumes that the - * rate and mask are in contiguous bytes of the state. - * - * SpoC-128 absorbs bytes using the mask bytes of the state at offsets - * 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, and 31. - * It squeezes bytes using the rate bytes of the state at offsets - * 0, 1, 2, 3, 4, 5, 6, 7, 16, 17, 18, 19, 20, 21, 22, and 23. 
- * - * This function assumes that bytes 8-15 have been pre-swapped with 16-23 - * so that the rate and mask portions of the state are contiguous. - * - * The sliscp_light256_swap_spoc() function can be used to switch - * between the canonical order and the pre-swapped order. - * - * \sa sliscp_light256_swap_spoc() - */ -void sliscp_light256_permute_spoc(unsigned char block[32]); - -/** - * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SpoC-128. - * - * \param block Points to the block to be rate-swapped. - * - * \sa sliscp_light256_permute_spoc() - */ -void sliscp_light256_swap_spoc(unsigned char block[32]); - -/** - * \brief Performs the sLiSCP-light permutation on a 192-bit block. - * - * \param block Points to the block to be permuted. - */ -void sliscp_light192_permute(unsigned char block[24]); - -/** - * \brief Performs the sLiSCP-light permutation on a 320-bit block. - * - * \param block Points to the block to be permuted. - * - * The ACE specification refers to this permutation as "ACE" but that - * can be confused with the name of the AEAD mode so we call this - * permutation "sLiSCP-light-320" instead. - * - * ACE absorbs and squeezes data at the rate bytes 0, 1, 2, 3, 16, 17, 18, 19. - * Efficiency can suffer because of the discontinuity in rate byte positions. - * - * To counteract this, we assume that the input to the permutation has been - * pre-swapped: bytes 4, 5, 6, 7 are swapped with bytes 16, 17, 18, 19 so - * that the rate is contiguous at the start of the state. - * - * The sliscp_light320_swap() function can be used to switch between the - * canonical order and the pre-swapped order. - * - * \sa sliscp_light320_swap() - */ -void sliscp_light320_permute(unsigned char block[40]); - -/** - * \brief Swaps rate bytes in a sLiSCP-light 320-bit block. - * - * \param block Points to the block to be rate-swapped. 
- * - * \sa sliscp_light320_permute() - */ -void sliscp_light320_swap(unsigned char block[40]); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys-avr/ace.c b/ace/Implementations/crypto_hash/acehash256v1/rhys/ace.c similarity index 100% rename from ace/Implementations/crypto_aead/aceae128v1/rhys-avr/ace.c rename to ace/Implementations/crypto_hash/acehash256v1/rhys/ace.c diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys-avr/ace.h b/ace/Implementations/crypto_hash/acehash256v1/rhys/ace.h similarity index 100% rename from ace/Implementations/crypto_aead/aceae128v1/rhys-avr/ace.h rename to ace/Implementations/crypto_hash/acehash256v1/rhys/ace.h diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys-avr/aead-common.c b/ace/Implementations/crypto_hash/acehash256v1/rhys/aead-common.c similarity index 100% rename from ace/Implementations/crypto_aead/aceae128v1/rhys-avr/aead-common.c rename to ace/Implementations/crypto_hash/acehash256v1/rhys/aead-common.c diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys-avr/aead-common.h b/ace/Implementations/crypto_hash/acehash256v1/rhys/aead-common.h similarity index 100% rename from ace/Implementations/crypto_aead/aceae128v1/rhys-avr/aead-common.h rename to ace/Implementations/crypto_hash/acehash256v1/rhys/aead-common.h diff --git a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/api.h b/ace/Implementations/crypto_hash/acehash256v1/rhys/api.h similarity index 100% rename from ace/Implementations/crypto_hash/acehash256v1/rhys-avr/api.h rename to ace/Implementations/crypto_hash/acehash256v1/rhys/api.h diff --git a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/hash.c b/ace/Implementations/crypto_hash/acehash256v1/rhys/hash.c similarity index 100% rename from ace/Implementations/crypto_hash/acehash256v1/rhys-avr/hash.c rename to ace/Implementations/crypto_hash/acehash256v1/rhys/hash.c 
diff --git a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/internal-sliscp-320-avr.S b/ace/Implementations/crypto_hash/acehash256v1/rhys/internal-sliscp-320-avr.S
similarity index 100%
rename from ace/Implementations/crypto_hash/acehash256v1/rhys-avr/internal-sliscp-320-avr.S
rename to ace/Implementations/crypto_hash/acehash256v1/rhys/internal-sliscp-320-avr.S
index 98e5eaf..2522d5c 100644
--- a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/internal-sliscp-320-avr.S
+++ b/ace/Implementations/crypto_hash/acehash256v1/rhys/internal-sliscp-320-avr.S
@@ -188,10 +188,10 @@ sliscp_light320_permute:
 ldd r12,Z+33
 ldd r11,Z+34
 ldd r10,Z+35
- ldd r25,Z+26
- ldd r24,Z+27
- ldd r15,Z+28
- ldd r14,Z+29
+ ldd r25,Z+36
+ ldd r24,Z+37
+ ldd r15,Z+38
+ ldd r14,Z+39
 push r31
 push r30
 ldi r30,lo8(table_0)
diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys-avr/internal-sliscp-light.c b/ace/Implementations/crypto_hash/acehash256v1/rhys/internal-sliscp-light.c
similarity index 100%
rename from ace/Implementations/crypto_aead/aceae128v1/rhys-avr/internal-sliscp-light.c
rename to ace/Implementations/crypto_hash/acehash256v1/rhys/internal-sliscp-light.c
diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys-avr/internal-sliscp-light.h b/ace/Implementations/crypto_hash/acehash256v1/rhys/internal-sliscp-light.h
similarity index 100%
rename from ace/Implementations/crypto_aead/aceae128v1/rhys-avr/internal-sliscp-light.h
rename to ace/Implementations/crypto_hash/acehash256v1/rhys/internal-sliscp-light.h
diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys-avr/internal-util.h b/ace/Implementations/crypto_hash/acehash256v1/rhys/internal-util.h
similarity index 100%
rename from ace/Implementations/crypto_aead/aceae128v1/rhys-avr/internal-util.h
rename to ace/Implementations/crypto_hash/acehash256v1/rhys/internal-util.h
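Review bot: The corrected loads `ldd r25,Z+36` … `ldd r14,Z+39` are only the read half of the access to the last word of the 40-byte sLiSCP-light-320 state; the matching store of `r25,r24,r15,r14` back into the block lies outside this hunk and should be confirmed to write `Z+36`..`Z+39` too, otherwise the permutation still reads one word and writes another. As far as this hunk shows, before the fix bytes 36–39 were never loaded and bytes 26–29 were used in their place, so the AVR routine did not compute the specified permutation and could not interoperate with the portable C version — for a hash or AEAD that is a correctness failure that also voids the security argument. A known-answer test running `sliscp_light320_permute` on an AVR build against the C implementation in `internal-sliscp-light.c` would have caught this and is the check worth adding so the hand-written assembly cannot drift from the reference again; because the same `.S` file is duplicated into each submission directory, every copy needs both the fix and the test. The enclosing `sliscp_light320_permute` routine begins before and ends after this hunk.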
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/ascon128.c b/ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/ascon128.c deleted file mode 100644 index 80b2e46..0000000 --- a/ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/ascon128.c +++ /dev/null 
@@ -1,383 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "ascon128.h" -#include "internal-ascon.h" -#include - -/** - * \brief Initialization vector for ASCON-128. - */ -#define ASCON128_IV 0x80400c0600000000ULL - -/** - * \brief Initialization vector for ASCON-128a. - */ -#define ASCON128a_IV 0x80800c0800000000ULL - -/** - * \brief Initialization vector for ASCON-80pq. 
- */ -#define ASCON80PQ_IV 0xa0400c06U - -aead_cipher_t const ascon128_cipher = { - "ASCON-128", - ASCON128_KEY_SIZE, - ASCON128_NONCE_SIZE, - ASCON128_TAG_SIZE, - AEAD_FLAG_NONE, - ascon128_aead_encrypt, - ascon128_aead_decrypt -}; - -aead_cipher_t const ascon128a_cipher = { - "ASCON-128a", - ASCON128_KEY_SIZE, - ASCON128_NONCE_SIZE, - ASCON128_TAG_SIZE, - AEAD_FLAG_NONE, - ascon128a_aead_encrypt, - ascon128a_aead_decrypt -}; - -aead_cipher_t const ascon80pq_cipher = { - "ASCON-80pq", - ASCON80PQ_KEY_SIZE, - ASCON80PQ_NONCE_SIZE, - ASCON80PQ_TAG_SIZE, - AEAD_FLAG_NONE, - ascon80pq_aead_encrypt, - ascon80pq_aead_decrypt -}; - -/** - * \brief Absorbs data into an ASCON state. - * - * \param state The state to absorb the data into. - * \param data Points to the data to be absorbed. - * \param len Length of the data to be absorbed. - * \param rate Block rate, which is either 8 or 16. - * \param first_round First round of the permutation to apply each block. - */ -static void ascon_absorb - (ascon_state_t *state, const unsigned char *data, - unsigned long long len, uint8_t rate, uint8_t first_round) -{ - while (len >= rate) { - lw_xor_block(state->B, data, rate); - ascon_permute(state, first_round); - data += rate; - len -= rate; - } - lw_xor_block(state->B, data, (unsigned)len); - state->B[(unsigned)len] ^= 0x80; - ascon_permute(state, first_round); -} - -/** - * \brief Encrypts a block of data with an ASCON state. - * - * \param state The state to encrypt with. - * \param dest Points to the destination buffer. - * \param src Points to the source buffer. - * \param len Length of the data to encrypt from \a src into \a dest. - * \param rate Block rate, which is either 8 or 16. - * \param first_round First round of the permutation to apply each block. 
- */ -static void ascon_encrypt - (ascon_state_t *state, unsigned char *dest, - const unsigned char *src, unsigned long long len, - uint8_t rate, uint8_t first_round) -{ - while (len >= rate) { - lw_xor_block_2_dest(dest, state->B, src, rate); - ascon_permute(state, first_round); - dest += rate; - src += rate; - len -= rate; - } - lw_xor_block_2_dest(dest, state->B, src, (unsigned)len); - state->B[(unsigned)len] ^= 0x80; -} - -/** - * \brief Decrypts a block of data with an ASCON state. - * - * \param state The state to decrypt with. - * \param dest Points to the destination buffer. - * \param src Points to the source buffer. - * \param len Length of the data to decrypt from \a src into \a dest. - * \param rate Block rate, which is either 8 or 16. - * \param first_round First round of the permutation to apply each block. - */ -static void ascon_decrypt - (ascon_state_t *state, unsigned char *dest, - const unsigned char *src, unsigned long long len, - uint8_t rate, uint8_t first_round) -{ - while (len >= rate) { - lw_xor_block_swap(dest, state->B, src, rate); - ascon_permute(state, first_round); - dest += rate; - src += rate; - len -= rate; - } - lw_xor_block_swap(dest, state->B, src, (unsigned)len); - state->B[(unsigned)len] ^= 0x80; -} - -int ascon128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ASCON128_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word64(state.B, ASCON128_IV); - memcpy(state.B + 8, k, ASCON128_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, 
adlen, 8, 6); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Encrypt the plaintext to create the ciphertext */ - ascon_encrypt(&state, c, m, mlen, 8, 6); - - /* Finalize and compute the authentication tag */ - lw_xor_block(state.B + 8, k, ASCON128_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block_2_src(c + mlen, state.B + 24, k, 16); - return 0; -} - -int ascon128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned plaintext */ - if (clen < ASCON128_TAG_SIZE) - return -1; - *mlen = clen - ASCON128_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word64(state.B, ASCON128_IV); - memcpy(state.B + 8, k, ASCON128_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 8, 6); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Decrypt the ciphertext to create the plaintext */ - ascon_decrypt(&state, m, c, *mlen, 8, 6); - - /* Finalize and check the authentication tag */ - lw_xor_block(state.B + 8, k, ASCON128_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, 16); - return aead_check_tag - (m, *mlen, state.B + 24, c + *mlen, ASCON128_TAG_SIZE); -} - -int ascon128a_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - 
*clen = mlen + ASCON128_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word64(state.B, ASCON128a_IV); - memcpy(state.B + 8, k, ASCON128_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 16, 4); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Encrypt the plaintext to create the ciphertext */ - ascon_encrypt(&state, c, m, mlen, 16, 4); - - /* Finalize and compute the authentication tag */ - lw_xor_block(state.B + 16, k, ASCON128_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block_2_src(c + mlen, state.B + 24, k, 16); - return 0; -} - -int ascon128a_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned plaintext */ - if (clen < ASCON128_TAG_SIZE) - return -1; - *mlen = clen - ASCON128_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word64(state.B, ASCON128a_IV); - memcpy(state.B + 8, k, ASCON128_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 16, 4); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Decrypt the ciphertext to create the plaintext */ - ascon_decrypt(&state, m, c, *mlen, 16, 4); - - /* Finalize and check the authentication tag */ - lw_xor_block(state.B + 16, k, ASCON128_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, 16); - return aead_check_tag - (m, *mlen, state.B + 24, c + 
*mlen, ASCON128_TAG_SIZE); -} - -int ascon80pq_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ASCON80PQ_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word32(state.B, ASCON80PQ_IV); - memcpy(state.B + 4, k, ASCON80PQ_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON80PQ_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 20, k, ASCON80PQ_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 8, 6); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Encrypt the plaintext to create the ciphertext */ - ascon_encrypt(&state, c, m, mlen, 8, 6); - - /* Finalize and compute the authentication tag */ - lw_xor_block(state.B + 8, k, ASCON80PQ_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block_2_src(c + mlen, state.B + 24, k + 4, 16); - return 0; -} - -int ascon80pq_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned plaintext */ - if (clen < ASCON80PQ_TAG_SIZE) - return -1; - *mlen = clen - ASCON80PQ_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word32(state.B, ASCON80PQ_IV); - memcpy(state.B + 4, k, ASCON80PQ_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON80PQ_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 20, k, ASCON80PQ_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 8, 6); - - /* 
Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Decrypt the ciphertext to create the plaintext */ - ascon_decrypt(&state, m, c, *mlen, 8, 6); - - /* Finalize and check the authentication tag */ - lw_xor_block(state.B + 8, k, ASCON80PQ_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k + 4, 16); - return aead_check_tag - (m, *mlen, state.B + 24, c + *mlen, ASCON80PQ_TAG_SIZE); -} diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/internal-ascon-avr.S b/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon-avr.S similarity index 100% rename from ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/internal-ascon-avr.S rename to ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon-avr.S diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.c b/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.c index 12a8ec6..657aabe 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.c +++ b/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-ascon.c @@ -22,6 +22,8 @@ #include "internal-ascon.h" +#if !defined(__AVR__) + void ascon_permute(ascon_state_t *state, uint8_t first_round) { uint64_t t0, t1, t2, t3, t4; @@ -74,3 +76,5 @@ void ascon_permute(ascon_state_t *state, uint8_t first_round) state->S[4] = x4; #endif } + +#endif /* !__AVR__ */ diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-util.h b/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-util.h index e79158c..e30166d 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-util.h +++ b/ascon/Implementations/crypto_aead/ascon128av12/rhys/internal-util.h 
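Review bot: Wrapping `ascon_permute` in `#if !defined(__AVR__)` leaves an AVR build with no C fallback at all, so a build that does not assemble `internal-ascon-avr.S` fails only at link time with an undefined reference, and there is no way to switch back to the portable implementation on the target for debugging or for comparing the two. An opt-out such as `#if !defined(__AVR__) || defined(LW_CRYPTO_NO_ASM)` (mirrored on the closing `#endif` comment) would keep the C version reachable when needed while preserving the assembly default. The guarded `ascon_permute` body is only partly visible across the two hunks.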
@@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
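Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is fixed by `#if defined(__AVR__)` with no way for a build to override it, so the composed branch can only ever be compiled with an AVR toolchain and other targets without a barrel shifter cannot opt in. Wrapping the selection as `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` around the existing `#if defined(__AVR__)` block keeps the AVR default and lets `-DLW_CRYPTO_ROTATE32_COMPOSED=1` force the composed macros on a host, which is also what a unit test of those macros needs. The explanatory comment could then end with `/* Define LW_CRYPTO_ROTATE32_COMPOSED to 0 or 1 on the command line to override the default. */`.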
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/ascon128.c b/ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/ascon128.c deleted file mode 100644 index 80b2e46..0000000 
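Review bot: None of the 62 composed rotation macros in this hunk is checked against the generic `leftRotate((a), N)` it replaces; they all compose to the right count as written, but a slip in one of them would not crash — it would silently change the ciphertext and tag of every cipher built on this header for AVR, which is the kind of bug only a known-answer test catches. A host-side test that compiles the composed branch and asserts `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for N in 1..31 on a few patterns such as `0x80000001U` and `0x12345678U` would pin them down. Each composition level re-expands the generic statement-expression macro and so declares a new `_temp` inside the initializer of the enclosing `_temp` (visible as context in the earlier hunk of this file), which `-Wshadow` will report up to five levels deep for `leftRotate20`; harmless, but worth noting before that warning is enabled. Whether `leftRotate((a), 8)`, `16` and `24` really compile to byte moves on avr-gcc, as the comment assumes, is a compiler property and is best confirmed by inspecting the generated code.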
--- a/ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/ascon128.c +++ /dev/null 
@@ -1,383 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "ascon128.h" -#include "internal-ascon.h" -#include - -/** - * \brief Initialization vector for ASCON-128. - */ -#define ASCON128_IV 0x80400c0600000000ULL - -/** - * \brief Initialization vector for ASCON-128a. - */ -#define ASCON128a_IV 0x80800c0800000000ULL - -/** - * \brief Initialization vector for ASCON-80pq. 
- */ -#define ASCON80PQ_IV 0xa0400c06U - -aead_cipher_t const ascon128_cipher = { - "ASCON-128", - ASCON128_KEY_SIZE, - ASCON128_NONCE_SIZE, - ASCON128_TAG_SIZE, - AEAD_FLAG_NONE, - ascon128_aead_encrypt, - ascon128_aead_decrypt -}; - -aead_cipher_t const ascon128a_cipher = { - "ASCON-128a", - ASCON128_KEY_SIZE, - ASCON128_NONCE_SIZE, - ASCON128_TAG_SIZE, - AEAD_FLAG_NONE, - ascon128a_aead_encrypt, - ascon128a_aead_decrypt -}; - -aead_cipher_t const ascon80pq_cipher = { - "ASCON-80pq", - ASCON80PQ_KEY_SIZE, - ASCON80PQ_NONCE_SIZE, - ASCON80PQ_TAG_SIZE, - AEAD_FLAG_NONE, - ascon80pq_aead_encrypt, - ascon80pq_aead_decrypt -}; - -/** - * \brief Absorbs data into an ASCON state. - * - * \param state The state to absorb the data into. - * \param data Points to the data to be absorbed. - * \param len Length of the data to be absorbed. - * \param rate Block rate, which is either 8 or 16. - * \param first_round First round of the permutation to apply each block. - */ -static void ascon_absorb - (ascon_state_t *state, const unsigned char *data, - unsigned long long len, uint8_t rate, uint8_t first_round) -{ - while (len >= rate) { - lw_xor_block(state->B, data, rate); - ascon_permute(state, first_round); - data += rate; - len -= rate; - } - lw_xor_block(state->B, data, (unsigned)len); - state->B[(unsigned)len] ^= 0x80; - ascon_permute(state, first_round); -} - -/** - * \brief Encrypts a block of data with an ASCON state. - * - * \param state The state to encrypt with. - * \param dest Points to the destination buffer. - * \param src Points to the source buffer. - * \param len Length of the data to encrypt from \a src into \a dest. - * \param rate Block rate, which is either 8 or 16. - * \param first_round First round of the permutation to apply each block. 
- */ -static void ascon_encrypt - (ascon_state_t *state, unsigned char *dest, - const unsigned char *src, unsigned long long len, - uint8_t rate, uint8_t first_round) -{ - while (len >= rate) { - lw_xor_block_2_dest(dest, state->B, src, rate); - ascon_permute(state, first_round); - dest += rate; - src += rate; - len -= rate; - } - lw_xor_block_2_dest(dest, state->B, src, (unsigned)len); - state->B[(unsigned)len] ^= 0x80; -} - -/** - * \brief Decrypts a block of data with an ASCON state. - * - * \param state The state to decrypt with. - * \param dest Points to the destination buffer. - * \param src Points to the source buffer. - * \param len Length of the data to decrypt from \a src into \a dest. - * \param rate Block rate, which is either 8 or 16. - * \param first_round First round of the permutation to apply each block. - */ -static void ascon_decrypt - (ascon_state_t *state, unsigned char *dest, - const unsigned char *src, unsigned long long len, - uint8_t rate, uint8_t first_round) -{ - while (len >= rate) { - lw_xor_block_swap(dest, state->B, src, rate); - ascon_permute(state, first_round); - dest += rate; - src += rate; - len -= rate; - } - lw_xor_block_swap(dest, state->B, src, (unsigned)len); - state->B[(unsigned)len] ^= 0x80; -} - -int ascon128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ASCON128_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word64(state.B, ASCON128_IV); - memcpy(state.B + 8, k, ASCON128_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, 
adlen, 8, 6); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Encrypt the plaintext to create the ciphertext */ - ascon_encrypt(&state, c, m, mlen, 8, 6); - - /* Finalize and compute the authentication tag */ - lw_xor_block(state.B + 8, k, ASCON128_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block_2_src(c + mlen, state.B + 24, k, 16); - return 0; -} - -int ascon128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned plaintext */ - if (clen < ASCON128_TAG_SIZE) - return -1; - *mlen = clen - ASCON128_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word64(state.B, ASCON128_IV); - memcpy(state.B + 8, k, ASCON128_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 8, 6); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Decrypt the ciphertext to create the plaintext */ - ascon_decrypt(&state, m, c, *mlen, 8, 6); - - /* Finalize and check the authentication tag */ - lw_xor_block(state.B + 8, k, ASCON128_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, 16); - return aead_check_tag - (m, *mlen, state.B + 24, c + *mlen, ASCON128_TAG_SIZE); -} - -int ascon128a_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - 
*clen = mlen + ASCON128_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word64(state.B, ASCON128a_IV); - memcpy(state.B + 8, k, ASCON128_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 16, 4); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Encrypt the plaintext to create the ciphertext */ - ascon_encrypt(&state, c, m, mlen, 16, 4); - - /* Finalize and compute the authentication tag */ - lw_xor_block(state.B + 16, k, ASCON128_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block_2_src(c + mlen, state.B + 24, k, 16); - return 0; -} - -int ascon128a_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned plaintext */ - if (clen < ASCON128_TAG_SIZE) - return -1; - *mlen = clen - ASCON128_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word64(state.B, ASCON128a_IV); - memcpy(state.B + 8, k, ASCON128_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 16, 4); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Decrypt the ciphertext to create the plaintext */ - ascon_decrypt(&state, m, c, *mlen, 16, 4); - - /* Finalize and check the authentication tag */ - lw_xor_block(state.B + 16, k, ASCON128_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, 16); - return aead_check_tag - (m, *mlen, state.B + 24, c + 
*mlen, ASCON128_TAG_SIZE); -} - -int ascon80pq_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ASCON80PQ_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word32(state.B, ASCON80PQ_IV); - memcpy(state.B + 4, k, ASCON80PQ_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON80PQ_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 20, k, ASCON80PQ_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 8, 6); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Encrypt the plaintext to create the ciphertext */ - ascon_encrypt(&state, c, m, mlen, 8, 6); - - /* Finalize and compute the authentication tag */ - lw_xor_block(state.B + 8, k, ASCON80PQ_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block_2_src(c + mlen, state.B + 24, k + 4, 16); - return 0; -} - -int ascon80pq_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned plaintext */ - if (clen < ASCON80PQ_TAG_SIZE) - return -1; - *mlen = clen - ASCON80PQ_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word32(state.B, ASCON80PQ_IV); - memcpy(state.B + 4, k, ASCON80PQ_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON80PQ_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 20, k, ASCON80PQ_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 8, 6); - - /* 
Separator between the associated data and the payload */
- state.B[39] ^= 0x01;
-
- /* Decrypt the ciphertext to create the plaintext */
- ascon_decrypt(&state, m, c, *mlen, 8, 6);
-
- /* Finalize and check the authentication tag */
- lw_xor_block(state.B + 8, k, ASCON80PQ_KEY_SIZE);
- ascon_permute(&state, 0);
- lw_xor_block(state.B + 24, k + 4, 16);
- return aead_check_tag
- (m, *mlen, state.B + 24, c + *mlen, ASCON80PQ_TAG_SIZE);
-}
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/internal-ascon-avr.S b/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon-avr.S
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/internal-ascon-avr.S
rename to ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon-avr.S
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.c b/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.c
index 12a8ec6..657aabe 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.c
+++ b/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-ascon.c
@@ -22,6 +22,8 @@
 #include "internal-ascon.h"
+#if !defined(__AVR__)
+
 void ascon_permute(ascon_state_t *state, uint8_t first_round)
 {
 uint64_t t0, t1, t2, t3, t4;
@@ -74,3 +76,5 @@ void ascon_permute(ascon_state_t *state, uint8_t first_round)
 state->S[4] = x4;
 #endif
 }
+
+#endif /* !__AVR__ */
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-util.h b/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-util.h
+++ b/ascon/Implementations/crypto_aead/ascon128v12/rhys/internal-util.h
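Review bot: The new `#if !defined(__AVR__)` guard in the `@@ -22,6 +22,8 @@` hunk removes the only definition of `ascon_permute` from this translation unit on AVR without saying what provides the symbol instead; the rename of `internal-ascon-avr.S` in the same commit suggests the assembly routine is the intended replacement, but a reader of this file cannot see that, and a build that omits the .S file will only fail at link time. A comment on the guard, e.g. `#if !defined(__AVR__) /* AVR builds take ascon_permute() from internal-ascon-avr.S */`, would make the dependency explicit. Because the two implementations must agree bit-for-bit, it is also worth stating next to the closing `#endif /* !__AVR__ */` that the AVR path is validated against the same test vectors as this C code, if that is the case.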
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
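Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is derived purely from `__AVR__`, so the composed rotation path can only ever be compiled by an AVR toolchain and the host test suite never exercises it; wrapping the selector in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` (two added lines around the existing `#if defined(__AVR__)` block) would let a host build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and run the existing known-answer tests through the composed macros. Every permutation in this library goes through these rotations, so a wrong composition would corrupt ciphertexts and tags only on the AVR-only path, where it is hardest to notice. The `#if !LW_CRYPTO_ROTATE32_COMPOSED` test in the second hunk would pick up the override unchanged.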
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/api.h b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/api.h
deleted file mode 100644
index f99b349..0000000
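Review bot: Each composed macro nests the generic `leftRotate`/`rightRotate` statement expressions up to five levels deep (`leftRotate12`, `leftRotate20`, `leftRotate28`), and every level declares its own `_temp`, so the inner declarations shadow the outer ones; that is well-defined, but it is likely to trigger `-Wshadow` at every use site and inlines a full rotation body per level. The arithmetic checks out — each `leftRotateN` is a base rotate of 8, 16 or 24 adjusted by one to four single-bit steps, and each `rightRotateN` maps to `leftRotate(32-N)` — but the block never states that `(a)` is evaluated only once, by the innermost rotate, which appears to be the case and is what callers passing expressions rely on. A comment on the `#else /* LW_CRYPTO_ROTATE32_COMPOSED */` line such as `/* Each macro evaluates its argument exactly once; the outer rotates only see the inner _temp */` would record that invariant for anyone who later adds a rotation count.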
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 20
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/ascon128.c b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/ascon128.c
deleted file mode 100644
index 80b2e46..0000000
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/ascon128.c
+++ /dev/null
@@ -1,383 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "ascon128.h" -#include "internal-ascon.h" -#include - -/** - * \brief Initialization vector for ASCON-128. - */ -#define ASCON128_IV 0x80400c0600000000ULL - -/** - * \brief Initialization vector for ASCON-128a. - */ -#define ASCON128a_IV 0x80800c0800000000ULL - -/** - * \brief Initialization vector for ASCON-80pq. 
- */ -#define ASCON80PQ_IV 0xa0400c06U - -aead_cipher_t const ascon128_cipher = { - "ASCON-128", - ASCON128_KEY_SIZE, - ASCON128_NONCE_SIZE, - ASCON128_TAG_SIZE, - AEAD_FLAG_NONE, - ascon128_aead_encrypt, - ascon128_aead_decrypt -}; - -aead_cipher_t const ascon128a_cipher = { - "ASCON-128a", - ASCON128_KEY_SIZE, - ASCON128_NONCE_SIZE, - ASCON128_TAG_SIZE, - AEAD_FLAG_NONE, - ascon128a_aead_encrypt, - ascon128a_aead_decrypt -}; - -aead_cipher_t const ascon80pq_cipher = { - "ASCON-80pq", - ASCON80PQ_KEY_SIZE, - ASCON80PQ_NONCE_SIZE, - ASCON80PQ_TAG_SIZE, - AEAD_FLAG_NONE, - ascon80pq_aead_encrypt, - ascon80pq_aead_decrypt -}; - -/** - * \brief Absorbs data into an ASCON state. - * - * \param state The state to absorb the data into. - * \param data Points to the data to be absorbed. - * \param len Length of the data to be absorbed. - * \param rate Block rate, which is either 8 or 16. - * \param first_round First round of the permutation to apply each block. - */ -static void ascon_absorb - (ascon_state_t *state, const unsigned char *data, - unsigned long long len, uint8_t rate, uint8_t first_round) -{ - while (len >= rate) { - lw_xor_block(state->B, data, rate); - ascon_permute(state, first_round); - data += rate; - len -= rate; - } - lw_xor_block(state->B, data, (unsigned)len); - state->B[(unsigned)len] ^= 0x80; - ascon_permute(state, first_round); -} - -/** - * \brief Encrypts a block of data with an ASCON state. - * - * \param state The state to encrypt with. - * \param dest Points to the destination buffer. - * \param src Points to the source buffer. - * \param len Length of the data to encrypt from \a src into \a dest. - * \param rate Block rate, which is either 8 or 16. - * \param first_round First round of the permutation to apply each block. 
- */ -static void ascon_encrypt - (ascon_state_t *state, unsigned char *dest, - const unsigned char *src, unsigned long long len, - uint8_t rate, uint8_t first_round) -{ - while (len >= rate) { - lw_xor_block_2_dest(dest, state->B, src, rate); - ascon_permute(state, first_round); - dest += rate; - src += rate; - len -= rate; - } - lw_xor_block_2_dest(dest, state->B, src, (unsigned)len); - state->B[(unsigned)len] ^= 0x80; -} - -/** - * \brief Decrypts a block of data with an ASCON state. - * - * \param state The state to decrypt with. - * \param dest Points to the destination buffer. - * \param src Points to the source buffer. - * \param len Length of the data to decrypt from \a src into \a dest. - * \param rate Block rate, which is either 8 or 16. - * \param first_round First round of the permutation to apply each block. - */ -static void ascon_decrypt - (ascon_state_t *state, unsigned char *dest, - const unsigned char *src, unsigned long long len, - uint8_t rate, uint8_t first_round) -{ - while (len >= rate) { - lw_xor_block_swap(dest, state->B, src, rate); - ascon_permute(state, first_round); - dest += rate; - src += rate; - len -= rate; - } - lw_xor_block_swap(dest, state->B, src, (unsigned)len); - state->B[(unsigned)len] ^= 0x80; -} - -int ascon128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ASCON128_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word64(state.B, ASCON128_IV); - memcpy(state.B + 8, k, ASCON128_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, 
adlen, 8, 6); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Encrypt the plaintext to create the ciphertext */ - ascon_encrypt(&state, c, m, mlen, 8, 6); - - /* Finalize and compute the authentication tag */ - lw_xor_block(state.B + 8, k, ASCON128_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block_2_src(c + mlen, state.B + 24, k, 16); - return 0; -} - -int ascon128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned plaintext */ - if (clen < ASCON128_TAG_SIZE) - return -1; - *mlen = clen - ASCON128_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word64(state.B, ASCON128_IV); - memcpy(state.B + 8, k, ASCON128_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 8, 6); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Decrypt the ciphertext to create the plaintext */ - ascon_decrypt(&state, m, c, *mlen, 8, 6); - - /* Finalize and check the authentication tag */ - lw_xor_block(state.B + 8, k, ASCON128_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, 16); - return aead_check_tag - (m, *mlen, state.B + 24, c + *mlen, ASCON128_TAG_SIZE); -} - -int ascon128a_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - 
*clen = mlen + ASCON128_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word64(state.B, ASCON128a_IV); - memcpy(state.B + 8, k, ASCON128_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 16, 4); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Encrypt the plaintext to create the ciphertext */ - ascon_encrypt(&state, c, m, mlen, 16, 4); - - /* Finalize and compute the authentication tag */ - lw_xor_block(state.B + 16, k, ASCON128_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block_2_src(c + mlen, state.B + 24, k, 16); - return 0; -} - -int ascon128a_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned plaintext */ - if (clen < ASCON128_TAG_SIZE) - return -1; - *mlen = clen - ASCON128_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word64(state.B, ASCON128a_IV); - memcpy(state.B + 8, k, ASCON128_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON128_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, ASCON128_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 16, 4); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Decrypt the ciphertext to create the plaintext */ - ascon_decrypt(&state, m, c, *mlen, 16, 4); - - /* Finalize and check the authentication tag */ - lw_xor_block(state.B + 16, k, ASCON128_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 24, k, 16); - return aead_check_tag - (m, *mlen, state.B + 24, c + 
*mlen, ASCON128_TAG_SIZE); -} - -int ascon80pq_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ASCON80PQ_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word32(state.B, ASCON80PQ_IV); - memcpy(state.B + 4, k, ASCON80PQ_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON80PQ_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 20, k, ASCON80PQ_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 8, 6); - - /* Separator between the associated data and the payload */ - state.B[39] ^= 0x01; - - /* Encrypt the plaintext to create the ciphertext */ - ascon_encrypt(&state, c, m, mlen, 8, 6); - - /* Finalize and compute the authentication tag */ - lw_xor_block(state.B + 8, k, ASCON80PQ_KEY_SIZE); - ascon_permute(&state, 0); - lw_xor_block_2_src(c + mlen, state.B + 24, k + 4, 16); - return 0; -} - -int ascon80pq_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - ascon_state_t state; - (void)nsec; - - /* Set the length of the returned plaintext */ - if (clen < ASCON80PQ_TAG_SIZE) - return -1; - *mlen = clen - ASCON80PQ_TAG_SIZE; - - /* Initialize the ASCON state */ - be_store_word32(state.B, ASCON80PQ_IV); - memcpy(state.B + 4, k, ASCON80PQ_KEY_SIZE); - memcpy(state.B + 24, npub, ASCON80PQ_NONCE_SIZE); - ascon_permute(&state, 0); - lw_xor_block(state.B + 20, k, ASCON80PQ_KEY_SIZE); - - /* Absorb the associated data into the state */ - if (adlen > 0) - ascon_absorb(&state, ad, adlen, 8, 6); - - /* 
Separator between the associated data and the payload */
- state.B[39] ^= 0x01;
-
- /* Decrypt the ciphertext to create the plaintext */
- ascon_decrypt(&state, m, c, *mlen, 8, 6);
-
- /* Finalize and check the authentication tag */
- lw_xor_block(state.B + 8, k, ASCON80PQ_KEY_SIZE);
- ascon_permute(&state, 0);
- lw_xor_block(state.B + 24, k + 4, 16);
- return aead_check_tag
- (m, *mlen, state.B + 24, c + *mlen, ASCON80PQ_TAG_SIZE);
-}
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/encrypt.c b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/encrypt.c
deleted file mode 100644
index 08b7dc9..0000000
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "ascon128.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return ascon80pq_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return ascon80pq_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/internal-ascon.c b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/internal-ascon.c
deleted file mode 100644
index 657aabe..0000000
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/internal-ascon.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-ascon.h"
-
-#if !defined(__AVR__)
-
-void ascon_permute(ascon_state_t *state, uint8_t first_round)
-{
- uint64_t t0, t1, t2, t3, t4;
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- uint64_t x0 = be_load_word64(state->B);
- uint64_t x1 = be_load_word64(state->B + 8);
- uint64_t x2 = be_load_word64(state->B + 16);
- uint64_t x3 = be_load_word64(state->B + 24);
- uint64_t x4 = be_load_word64(state->B + 32);
-#else
- uint64_t x0 = state->S[0];
- uint64_t x1 = state->S[1];
- uint64_t x2 = state->S[2];
- uint64_t x3 = state->S[3];
- uint64_t x4 = state->S[4];
-#endif
- while (first_round < 12) {
- /* Add the round constant to the state */
- x2 ^= ((0x0F - first_round) << 4) | first_round;
-
- /* Substitution layer - apply the s-box using bit-slicing
- * according to the algorithm recommended in the specification */
- x0 ^= x4; x4 ^= x3; x2 ^= x1;
- t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4;
- t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0;
- x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0;
- x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2;
-
- /* Linear diffusion layer */
- x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0);
- x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1);
- x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2);
- x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3);
- x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4);
-
- /* Move onto the next round */
- ++first_round;
- }
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- be_store_word64(state->B, x0);
- be_store_word64(state->B + 8, x1);
- be_store_word64(state->B + 16, x2);
- be_store_word64(state->B + 24, x3);
- be_store_word64(state->B + 32, x4);
-#else
- state->S[0] = x0;
- state->S[1] = x1;
- state->S[2] = x2;
- state->S[3] = x3;
- state->S[4] = x4;
-#endif
-}
-
-#endif /* !__AVR__ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/internal-ascon-avr.S b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon-avr.S
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/internal-ascon-avr.S
rename to ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon-avr.S
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.c b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.c
index 12a8ec6..657aabe 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.c
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-ascon.c
@@ -22,6 +22,8 @@
 #include "internal-ascon.h"
+#if !defined(__AVR__)
+
 void ascon_permute(ascon_state_t *state, uint8_t first_round)
 {
 uint64_t t0, t1, t2, t3, t4;
@@ -74,3 +76,5 @@ void ascon_permute(ascon_state_t *state, uint8_t first_round)
 state->S[4] = x4;
 #endif
 }
+
+#endif /* !__AVR__ */
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-util.h b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-util.h
+++ b/ascon/Implementations/crypto_aead/ascon80pqv12/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
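Review bot: The new `#if !defined(__AVR__)` guard in internal-ascon.c leaves this translation unit without a definition of ascon_permute() on AVR, and nothing in the file says where the symbol comes from in that configuration. The same commit moves internal-ascon-avr.S into the rhys/ directory, which is presumably the provider, so a one-line comment at the guard would save the next reader a search: `#if !defined(__AVR__) /* on AVR, ascon_permute() is implemented in internal-ascon-avr.S */`. The body of ascon_permute() between the two hunks is outside this view.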
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 
15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/internal-ascon.c b/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/internal-ascon.c
deleted file mode 100644
index 657aabe..0000000
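Review bot: The comment `/* Composed rotation macros where 1 and 8 are fast, but others are slow */` understates what this block relies on: leftRotate12 through leftRotate27 are built on `leftRotate((a), 16)` and `leftRotate((a), 24)`, so the actual assumption is the one stated in the earlier hunk of this file, that 1 and every multiple of 8 are cheap; I would reword it to `/* Composed rotation macros: rotations by 1 and by multiples of 8 are fast, all others are built from them */`. The 62 compositions check out arithmetically (each leftRotateN nets to N, and rightRotateN maps to leftRotate(32-N)), but a table this size is easy to break silently, so a host-side self-test that forces `LW_CRYPTO_ROTATE32_COMPOSED` to 1 and asserts `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for N in 1..31 on a few patterned inputs would guard it. Every composition keeps the shift count a compile-time constant, so the data-independent timing of the generic macro carries over, assuming the generic statement-expression macro itself compiles to fixed shift sequences on AVR, which this hunk cannot show.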
--- a/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/internal-ascon.c
+++ /dev/null
@@ -1,80 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-ascon.h" - -#if !defined(__AVR__) - -void ascon_permute(ascon_state_t *state, uint8_t first_round) -{ - uint64_t t0, t1, t2, t3, t4; -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = be_load_word64(state->B); - uint64_t x1 = be_load_word64(state->B + 8); - uint64_t x2 = be_load_word64(state->B + 16); - uint64_t x3 = be_load_word64(state->B + 24); - uint64_t x4 = be_load_word64(state->B + 32); -#else - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; - uint64_t x4 = state->S[4]; -#endif - while (first_round < 12) { - /* Add the round constant to the state */ - x2 ^= ((0x0F - first_round) << 4) | first_round; - - /* Substitution layer - apply the s-box using bit-slicing - * according to the algorithm recommended in the specification */ - x0 ^= x4; x4 ^= x3; x2 ^= x1; - t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4; - t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0; - x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0; - x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2; - - /* Linear diffusion layer */ - x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0); - x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1); - x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2); - x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3); - x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4); - - /* Move onto the next round */ - ++first_round; - } -#if defined(LW_UTIL_LITTLE_ENDIAN) - be_store_word64(state->B, x0); - be_store_word64(state->B + 8, x1); - be_store_word64(state->B + 16, x2); - be_store_word64(state->B + 24, x3); - be_store_word64(state->B + 32, x4); -#else - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; - state->S[4] = x4; -#endif -} - -#endif /* !__AVR__ */ 
diff --git a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/aead-common.c b/ascon/Implementations/crypto_hash/asconhashv12/rhys/aead-common.c
similarity index 100%
rename from ace/Implementations/crypto_hash/acehash256v1/rhys-avr/aead-common.c
rename to ascon/Implementations/crypto_hash/asconhashv12/rhys/aead-common.c
diff --git a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/aead-common.h b/ascon/Implementations/crypto_hash/asconhashv12/rhys/aead-common.h
similarity index 100%
rename from ace/Implementations/crypto_hash/acehash256v1/rhys-avr/aead-common.h
rename to ascon/Implementations/crypto_hash/asconhashv12/rhys/aead-common.h
diff --git a/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/api.h b/ascon/Implementations/crypto_hash/asconhashv12/rhys/api.h
similarity index 100%
rename from ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/api.h
rename to ascon/Implementations/crypto_hash/asconhashv12/rhys/api.h
diff --git a/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/ascon-hash.c b/ascon/Implementations/crypto_hash/asconhashv12/rhys/ascon-hash.c
similarity index 100%
rename from ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/ascon-hash.c
rename to ascon/Implementations/crypto_hash/asconhashv12/rhys/ascon-hash.c
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/ascon128.h b/ascon/Implementations/crypto_hash/asconhashv12/rhys/ascon128.h
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/ascon128.h
rename to ascon/Implementations/crypto_hash/asconhashv12/rhys/ascon128.h
diff --git a/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/hash.c b/ascon/Implementations/crypto_hash/asconhashv12/rhys/hash.c
similarity index 100%
rename from ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/hash.c
rename to ascon/Implementations/crypto_hash/asconhashv12/rhys/hash.c
diff --git a/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/internal-ascon-avr.S b/ascon/Implementations/crypto_hash/asconhashv12/rhys/internal-ascon-avr.S
similarity index 100%
rename from ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/internal-ascon-avr.S
rename to ascon/Implementations/crypto_hash/asconhashv12/rhys/internal-ascon-avr.S
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/internal-ascon.c b/ascon/Implementations/crypto_hash/asconhashv12/rhys/internal-ascon.c
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/internal-ascon.c
rename to ascon/Implementations/crypto_hash/asconhashv12/rhys/internal-ascon.c
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/internal-ascon.h b/ascon/Implementations/crypto_hash/asconhashv12/rhys/internal-ascon.h
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/internal-ascon.h
rename to ascon/Implementations/crypto_hash/asconhashv12/rhys/internal-ascon.h
diff --git a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/internal-util.h b/ascon/Implementations/crypto_hash/asconhashv12/rhys/internal-util.h
similarity index 100%
rename from ace/Implementations/crypto_hash/acehash256v1/rhys-avr/internal-util.h
rename to ascon/Implementations/crypto_hash/asconhashv12/rhys/internal-util.h
diff --git a/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/internal-ascon.c b/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/internal-ascon.c
deleted file mode 100644
index 657aabe..0000000
--- a/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/internal-ascon.c
+++ /dev/null
@@ -1,80 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-ascon.h" - -#if !defined(__AVR__) - -void ascon_permute(ascon_state_t *state, uint8_t first_round) -{ - uint64_t t0, t1, t2, t3, t4; -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = be_load_word64(state->B); - uint64_t x1 = be_load_word64(state->B + 8); - uint64_t x2 = be_load_word64(state->B + 16); - uint64_t x3 = be_load_word64(state->B + 24); - uint64_t x4 = be_load_word64(state->B + 32); -#else - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; - uint64_t x4 = state->S[4]; -#endif - while (first_round < 12) { - /* Add the round constant to the state */ - x2 ^= ((0x0F - first_round) << 4) | first_round; - - /* Substitution layer - apply the s-box using bit-slicing - * according to the algorithm recommended in the specification */ - x0 ^= x4; x4 ^= x3; x2 ^= x1; - t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4; - t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0; - x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0; - x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2; - - /* Linear diffusion layer */ - x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0); - x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1); - x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2); - x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3); - x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4); - - /* Move onto the next round */ - ++first_round; - } -#if defined(LW_UTIL_LITTLE_ENDIAN) - be_store_word64(state->B, x0); - be_store_word64(state->B + 8, x1); - be_store_word64(state->B + 16, x2); - be_store_word64(state->B + 24, x3); - be_store_word64(state->B + 32, x4); -#else - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; - state->S[4] = x4; -#endif -} - -#endif /* !__AVR__ */ 
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/aead-common.c b/ascon/Implementations/crypto_hash/asconxofv12/rhys/aead-common.c
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/aead-common.c
rename to ascon/Implementations/crypto_hash/asconxofv12/rhys/aead-common.c
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/aead-common.h b/ascon/Implementations/crypto_hash/asconxofv12/rhys/aead-common.h
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/aead-common.h
rename to ascon/Implementations/crypto_hash/asconxofv12/rhys/aead-common.h
diff --git a/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/api.h b/ascon/Implementations/crypto_hash/asconxofv12/rhys/api.h
similarity index 100%
rename from ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/api.h
rename to ascon/Implementations/crypto_hash/asconxofv12/rhys/api.h
diff --git a/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/ascon-xof.c b/ascon/Implementations/crypto_hash/asconxofv12/rhys/ascon-xof.c
similarity index 100%
rename from ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/ascon-xof.c
rename to ascon/Implementations/crypto_hash/asconxofv12/rhys/ascon-xof.c
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/ascon128.h b/ascon/Implementations/crypto_hash/asconxofv12/rhys/ascon128.h
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/ascon128.h
rename to ascon/Implementations/crypto_hash/asconxofv12/rhys/ascon128.h
diff --git a/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/hash.c b/ascon/Implementations/crypto_hash/asconxofv12/rhys/hash.c
similarity index 100%
rename from ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/hash.c
rename to ascon/Implementations/crypto_hash/asconxofv12/rhys/hash.c
diff --git a/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/internal-ascon-avr.S b/ascon/Implementations/crypto_hash/asconxofv12/rhys/internal-ascon-avr.S
similarity index 100%
rename from ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/internal-ascon-avr.S
rename to ascon/Implementations/crypto_hash/asconxofv12/rhys/internal-ascon-avr.S
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/internal-ascon.c b/ascon/Implementations/crypto_hash/asconxofv12/rhys/internal-ascon.c
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/internal-ascon.c
rename to ascon/Implementations/crypto_hash/asconxofv12/rhys/internal-ascon.c
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/internal-ascon.h b/ascon/Implementations/crypto_hash/asconxofv12/rhys/internal-ascon.h
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/internal-ascon.h
rename to ascon/Implementations/crypto_hash/asconxofv12/rhys/internal-ascon.h
diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/internal-util.h b/ascon/Implementations/crypto_hash/asconxofv12/rhys/internal-util.h
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/internal-util.h
rename to ascon/Implementations/crypto_hash/asconxofv12/rhys/internal-util.h
diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/api.h b/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/api.h
deleted file mode 100644
index b2f8a36..0000000
--- a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/comet.c b/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/comet.c
deleted file mode 100644
index ceb0fd6..0000000
--- a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/comet.c
+++ /dev/null
@@ -1,556 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "comet.h" -#include "internal-cham.h" -#include "internal-speck64.h" -#include "internal-util.h" -#include - -aead_cipher_t const comet_128_cham_cipher = { - "COMET-128_CHAM-128/128", - COMET_KEY_SIZE, - COMET_128_NONCE_SIZE, - COMET_128_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - comet_128_cham_aead_encrypt, - comet_128_cham_aead_decrypt -}; - -aead_cipher_t const comet_64_cham_cipher = { - "COMET-64_CHAM-64/128", - COMET_KEY_SIZE, - COMET_64_NONCE_SIZE, - COMET_64_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - comet_64_cham_aead_encrypt, - comet_64_cham_aead_decrypt -}; - -aead_cipher_t const comet_64_speck_cipher = { - "COMET-64_SPECK-64/128", - COMET_KEY_SIZE, - COMET_64_NONCE_SIZE, - COMET_64_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - comet_64_speck_aead_encrypt, - comet_64_speck_aead_decrypt -}; - -/** - * \brief Adjusts the Z state to generate the key to use on the next block. - * - * \param Z The Z state to be adjusted. - */ -static void comet_adjust_block_key(unsigned char Z[16]) -{ - /* Doubles the 64-bit prefix to Z in the F(2^64) field */ - unsigned index; - unsigned char mask = (unsigned char)(((signed char)(Z[7])) >> 7); - for (index = 7; index > 0; --index) - Z[index] = (Z[index] << 1) | (Z[index - 1] >> 7); - Z[0] = (Z[0] << 1) ^ (mask & 0x1B); -} - -/* Function prototype for the encrypt function of the underyling cipher */ -typedef void (*comet_encrypt_block_t) - (const unsigned char *key, unsigned char *output, - const unsigned char *input); - -/** - * \brief Processes the associated data for COMET. - * - * \param Y Internal COMET block state of \a block_size bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. - * \param block_size Size of the block for the underlying cipher. - * \param encrypt Encryption function for the underlying cipher. - * \param ad Points to the associated data. - * \param adlen Number of bytes of associated data; must be >= 1. 
- */ -static void comet_process_ad - (unsigned char *Y, unsigned char Z[16], unsigned block_size, - comet_encrypt_block_t encrypt, const unsigned char *ad, - unsigned long long adlen) -{ - /* Domain separator for associated data */ - Z[15] ^= 0x08; - - /* Process all associated data blocks except the last partial block */ - while (adlen >= block_size) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - lw_xor_block(Y, ad, block_size); - ad += block_size; - adlen -= block_size; - } - - /* Pad and process the partial block on the end */ - if (adlen > 0) { - unsigned temp = (unsigned)adlen; - Z[15] ^= 0x10; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - lw_xor_block(Y, ad, temp); - Y[temp] ^= 0x01; - } -} - -/** - * \brief Shuffles the words in a 128-bit block. - * - * \param out The output block after shuffling. - * \param in The input block to be shuffled. - */ -STATIC_INLINE void comet_shuffle_block_128 - (unsigned char out[16], const unsigned char in[16]) -{ - uint32_t x0, x1, x2, x3; - x0 = le_load_word32(in); - x1 = le_load_word32(in + 4); - x2 = le_load_word32(in + 8); - x3 = le_load_word32(in + 12); - le_store_word32(out, x3); - le_store_word32(out + 4, rightRotate1(x2)); - le_store_word32(out + 8, x0); - le_store_word32(out + 12, x1); -} - -/** - * \brief Shuffles the words in a 64-bit block. - * - * \param out The output block after shuffling. - * \param in The input block to be shuffled. - */ -STATIC_INLINE void comet_shuffle_block_64 - (unsigned char out[8], const unsigned char in[8]) -{ - uint32_t x01 = le_load_word32(in); - uint16_t x2 = ((uint16_t)(in[4])) | (((uint16_t)(in[5])) << 8); - out[0] = in[6]; - out[1] = in[7]; - x2 = (x2 >> 1) | (x2 << 15); - out[2] = (uint8_t)x2; - out[3] = (uint8_t)(x2 >> 8); - le_store_word32(out + 4, x01); -} - -/** - * \brief Encrypts the plaintext with COMET-128 to produce the ciphertext. - * - * \param Y Internal COMET block state of 16 bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. 
- * \param encrypt Encryption function for the underlying cipher. - * \param c Ciphertext on output. - * \param m Plaintext message on input. - * \param mlen Length of the plaintext message and the ciphertext. - */ -static void comet_encrypt_128 - (unsigned char Y[16], unsigned char Z[16], - comet_encrypt_block_t encrypt, unsigned char *c, - const unsigned char *m, unsigned long long mlen) -{ - unsigned char Ys[16]; - - /* Domain separator for payload data */ - Z[15] ^= 0x20; - - /* Process all payload data blocks except the last partial block */ - while (mlen >= 16) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_128(Ys, Y); - lw_xor_block(Y, m, 16); - lw_xor_block_2_src(c, m, Ys, 16); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the partial block on the end */ - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - Z[15] ^= 0x40; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_128(Ys, Y); - lw_xor_block(Y, m, temp); - lw_xor_block_2_src(c, m, Ys, temp); - Y[temp] ^= 0x01; - } -} - -/** - * \brief Encrypts the plaintext with COMET-64 to produce the ciphertext. - * - * \param Y Internal COMET block state of 8 bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. - * \param encrypt Encryption function for the underlying cipher. - * \param c Ciphertext on output. - * \param m Plaintext message on input. - * \param mlen Length of the plaintext message and the ciphertext. 
- */ -static void comet_encrypt_64 - (unsigned char Y[8], unsigned char Z[16], - comet_encrypt_block_t encrypt, unsigned char *c, - const unsigned char *m, unsigned long long mlen) -{ - unsigned char Ys[8]; - - /* Domain separator for payload data */ - Z[15] ^= 0x20; - - /* Process all payload data blocks except the last partial block */ - while (mlen >= 8) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_64(Ys, Y); - lw_xor_block(Y, m, 8); - lw_xor_block_2_src(c, m, Ys, 8); - c += 8; - m += 8; - mlen -= 8; - } - - /* Pad and process the partial block on the end */ - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - Z[15] ^= 0x40; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_64(Ys, Y); - lw_xor_block(Y, m, temp); - lw_xor_block_2_src(c, m, Ys, temp); - Y[temp] ^= 0x01; - } -} - -/** - * \brief Decrypts the ciphertext with COMET-128 to produce the plaintext. - * - * \param Y Internal COMET block state of 16 bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. - * \param encrypt Encryption function for the underlying cipher. - * \param m Plaintext message on output. - * \param c Ciphertext on input. - * \param mlen Length of the plaintext message and the ciphertext. 
- */ -static void comet_decrypt_128 - (unsigned char Y[16], unsigned char Z[16], - comet_encrypt_block_t encrypt, unsigned char *m, - const unsigned char *c, unsigned long long mlen) -{ - unsigned char Ys[16]; - - /* Domain separator for payload data */ - Z[15] ^= 0x20; - - /* Process all payload data blocks except the last partial block */ - while (mlen >= 16) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_128(Ys, Y); - lw_xor_block_2_src(m, c, Ys, 16); - lw_xor_block(Y, m, 16); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the partial block on the end */ - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - Z[15] ^= 0x40; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_128(Ys, Y); - lw_xor_block_2_src(m, c, Ys, temp); - lw_xor_block(Y, m, temp); - Y[temp] ^= 0x01; - } -} - -/** - * \brief Decrypts the ciphertext with COMET-64 to produce the plaintext. - * - * \param Y Internal COMET block state of 8 bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. - * \param encrypt Encryption function for the underlying cipher. - * \param m Plaintext message on output. - * \param c Ciphertext on input. - * \param mlen Length of the plaintext message and the ciphertext. 
- */ -static void comet_decrypt_64 - (unsigned char Y[8], unsigned char Z[16], - comet_encrypt_block_t encrypt, unsigned char *m, - const unsigned char *c, unsigned long long mlen) -{ - unsigned char Ys[8]; - - /* Domain separator for payload data */ - Z[15] ^= 0x20; - - /* Process all payload data blocks except the last partial block */ - while (mlen >= 8) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_64(Ys, Y); - lw_xor_block_2_src(m, c, Ys, 8); - lw_xor_block(Y, m, 8); - c += 8; - m += 8; - mlen -= 8; - } - - /* Pad and process the partial block on the end */ - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - Z[15] ^= 0x40; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_64(Ys, Y); - lw_xor_block_2_src(m, c, Ys, temp); - lw_xor_block(Y, m, temp); - Y[temp] ^= 0x01; - } -} - -int comet_128_cham_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char Y[16]; - unsigned char Z[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + COMET_128_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memcpy(Y, k, 16); - cham128_128_encrypt(Y, Z, npub); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 16, cham128_128_encrypt, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) - comet_encrypt_128(Y, Z, cham128_128_encrypt, c, m, mlen); - - /* Generate the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - cham128_128_encrypt(Z, c + mlen, Y); - return 0; -} - -int comet_128_cham_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - 
const unsigned char *k) -{ - unsigned char Y[16]; - unsigned char Z[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < COMET_128_TAG_SIZE) - return -1; - *mlen = clen - COMET_128_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memcpy(Y, k, 16); - cham128_128_encrypt(Y, Z, npub); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 16, cham128_128_encrypt, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > COMET_128_TAG_SIZE) - comet_decrypt_128(Y, Z, cham128_128_encrypt, m, c, *mlen); - - /* Check the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - cham128_128_encrypt(Z, Y, Y); - return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_128_TAG_SIZE); -} - -int comet_64_cham_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char Y[8]; - unsigned char Z[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + COMET_64_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memset(Y, 0, 8); - cham64_128_encrypt(k, Y, Y); - memcpy(Z, npub, 15); - Z[15] = 0; - lw_xor_block(Z, k, 16); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 8, cham64_128_encrypt, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) - comet_encrypt_64(Y, Z, cham64_128_encrypt, c, m, mlen); - - /* Generate the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - cham64_128_encrypt(Z, c + mlen, Y); - return 0; -} - -int comet_64_cham_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char 
*npub, - const unsigned char *k) -{ - unsigned char Y[8]; - unsigned char Z[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < COMET_64_TAG_SIZE) - return -1; - *mlen = clen - COMET_64_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memset(Y, 0, 8); - cham64_128_encrypt(k, Y, Y); - memcpy(Z, npub, 15); - Z[15] = 0; - lw_xor_block(Z, k, 16); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 8, cham64_128_encrypt, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > COMET_64_TAG_SIZE) - comet_decrypt_64(Y, Z, cham64_128_encrypt, m, c, *mlen); - - /* Check the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - cham64_128_encrypt(Z, Y, Y); - return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE); -} - -int comet_64_speck_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char Y[8]; - unsigned char Z[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + COMET_64_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memset(Y, 0, 8); - speck64_128_encrypt(k, Y, Y); - memcpy(Z, npub, 15); - Z[15] = 0; - lw_xor_block(Z, k, 16); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 8, speck64_128_encrypt, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) - comet_encrypt_64(Y, Z, speck64_128_encrypt, c, m, mlen); - - /* Generate the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - speck64_128_encrypt(Z, c + mlen, Y); - return 0; -} - -int comet_64_speck_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const 
unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char Y[8]; - unsigned char Z[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < COMET_64_TAG_SIZE) - return -1; - *mlen = clen - COMET_64_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memset(Y, 0, 8); - speck64_128_encrypt(k, Y, Y); - memcpy(Z, npub, 15); - Z[15] = 0; - lw_xor_block(Z, k, 16); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 8, speck64_128_encrypt, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > COMET_64_TAG_SIZE) - comet_decrypt_64(Y, Z, speck64_128_encrypt, m, c, *mlen); - - /* Check the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - speck64_128_encrypt(Z, Y, Y); - return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE); -} diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/encrypt.c b/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/encrypt.c deleted file mode 100644 index 66c5ad7..0000000 --- a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "comet.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return comet_128_cham_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return comet_128_cham_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} 
diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-cham.c b/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-cham.c deleted file mode 100644 index 23351a3..0000000 --- a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-cham.c +++ /dev/null 
@@ -1,138 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-cham.h" -#include "internal-util.h" - -#if !defined(__AVR__) - -void cham128_128_encrypt - (const unsigned char *key, unsigned char *output, - const unsigned char *input) -{ - uint32_t x0, x1, x2, x3; - uint32_t k[8]; - uint8_t round; - - /* Unpack the key and generate the key schedule */ - k[0] = le_load_word32(key); - k[1] = le_load_word32(key + 4); - k[2] = le_load_word32(key + 8); - k[3] = le_load_word32(key + 12); - k[4] = k[1] ^ leftRotate1(k[1]) ^ leftRotate11(k[1]); - k[5] = k[0] ^ leftRotate1(k[0]) ^ leftRotate11(k[0]); - k[6] = k[3] ^ leftRotate1(k[3]) ^ leftRotate11(k[3]); - k[7] = k[2] ^ leftRotate1(k[2]) ^ leftRotate11(k[2]); - k[0] ^= leftRotate1(k[0]) ^ leftRotate8(k[0]); - k[1] ^= leftRotate1(k[1]) ^ leftRotate8(k[1]); - k[2] ^= leftRotate1(k[2]) ^ leftRotate8(k[2]); - k[3] ^= leftRotate1(k[3]) ^ leftRotate8(k[3]); - - /* Unpack the input block */ - x0 = le_load_word32(input); - x1 = le_load_word32(input + 4); - x2 = le_load_word32(input + 8); - x3 = le_load_word32(input + 12); - - /* Perform the 80 rounds eight at a time */ - for (round = 0; round < 80; round += 8) { - x0 = leftRotate8((x0 ^ round) + (leftRotate1(x1) ^ k[0])); - x1 = leftRotate1((x1 ^ (round + 1)) + (leftRotate8(x2) ^ k[1])); - x2 = leftRotate8((x2 ^ (round + 2)) + (leftRotate1(x3) ^ k[2])); - x3 = leftRotate1((x3 ^ (round + 3)) + (leftRotate8(x0) ^ k[3])); - x0 = leftRotate8((x0 ^ (round + 4)) + (leftRotate1(x1) ^ k[4])); - x1 = leftRotate1((x1 ^ (round + 5)) + (leftRotate8(x2) ^ k[5])); - x2 = leftRotate8((x2 ^ (round + 6)) + (leftRotate1(x3) ^ k[6])); - x3 = leftRotate1((x3 ^ (round + 7)) + (leftRotate8(x0) ^ k[7])); - } - - /* Pack the state into the output block */ - le_store_word32(output, x0); - le_store_word32(output + 4, x1); - le_store_word32(output + 8, x2); - le_store_word32(output + 12, x3); -} - -void cham64_128_encrypt - (const unsigned char *key, unsigned char *output, - const unsigned char *input) -{ - uint16_t x0, x1, x2, x3; - uint16_t 
k[16]; - uint8_t round; - - /* Unpack the key and generate the key schedule */ - k[0] = le_load_word16(key); - k[1] = le_load_word16(key + 2); - k[2] = le_load_word16(key + 4); - k[3] = le_load_word16(key + 6); - k[4] = le_load_word16(key + 8); - k[5] = le_load_word16(key + 10); - k[6] = le_load_word16(key + 12); - k[7] = le_load_word16(key + 14); - k[8] = k[1] ^ leftRotate1_16(k[1]) ^ leftRotate11_16(k[1]); - k[9] = k[0] ^ leftRotate1_16(k[0]) ^ leftRotate11_16(k[0]); - k[10] = k[3] ^ leftRotate1_16(k[3]) ^ leftRotate11_16(k[3]); - k[11] = k[2] ^ leftRotate1_16(k[2]) ^ leftRotate11_16(k[2]); - k[12] = k[5] ^ leftRotate1_16(k[5]) ^ leftRotate11_16(k[5]); - k[13] = k[4] ^ leftRotate1_16(k[4]) ^ leftRotate11_16(k[4]); - k[14] = k[7] ^ leftRotate1_16(k[7]) ^ leftRotate11_16(k[7]); - k[15] = k[6] ^ leftRotate1_16(k[6]) ^ leftRotate11_16(k[6]); - k[0] ^= leftRotate1_16(k[0]) ^ leftRotate8_16(k[0]); - k[1] ^= leftRotate1_16(k[1]) ^ leftRotate8_16(k[1]); - k[2] ^= leftRotate1_16(k[2]) ^ leftRotate8_16(k[2]); - k[3] ^= leftRotate1_16(k[3]) ^ leftRotate8_16(k[3]); - k[4] ^= leftRotate1_16(k[4]) ^ leftRotate8_16(k[4]); - k[5] ^= leftRotate1_16(k[5]) ^ leftRotate8_16(k[5]); - k[6] ^= leftRotate1_16(k[6]) ^ leftRotate8_16(k[6]); - k[7] ^= leftRotate1_16(k[7]) ^ leftRotate8_16(k[7]); - - /* Unpack the input block */ - x0 = le_load_word16(input); - x1 = le_load_word16(input + 2); - x2 = le_load_word16(input + 4); - x3 = le_load_word16(input + 6); - - /* Perform the 80 rounds four at a time */ - for (round = 0; round < 80; round += 4) { - x0 = leftRotate8_16 - ((x0 ^ round) + - (leftRotate1_16(x1) ^ k[round % 16])); - x1 = leftRotate1_16 - ((x1 ^ (round + 1)) + - (leftRotate8_16(x2) ^ k[(round + 1) % 16])); - x2 = leftRotate8_16 - ((x2 ^ (round + 2)) + - (leftRotate1_16(x3) ^ k[(round + 2) % 16])); - x3 = leftRotate1_16 - ((x3 ^ (round + 3)) + - (leftRotate8_16(x0) ^ k[(round + 3) % 16])); - } - - /* Pack the state into the output block */ - le_store_word16(output, x0); - 
le_store_word16(output + 2, x1);
- le_store_word16(output + 4, x2);
- le_store_word16(output + 6, x3);
-}
-
-#endif
diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.c b/comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.c
index d068de2..ceb0fd6 100644
--- a/comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.c
+++ b/comet/Implementations/crypto_aead/comet128chamv1/rhys/comet.c
@@ -22,6 +22,7 @@
 #include "comet.h"
 #include "internal-cham.h"
+#include "internal-speck64.h"
 #include "internal-util.h"
 #include 
@@ -478,58 +479,6 @@ int comet_64_cham_aead_decrypt
 return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE);
 }
 
-/**
- * \brief Encrypts a 64-bit block with SPECK-64-128 in COMET byte order.
- *
- * \param key Points to the 16 bytes of the key.
- * \param output Output buffer which must be at least 8 bytes in length.
- * \param input Input buffer which must be at least 8 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * \note This version differs from standard SPECK-64 in that it uses the
- * little-endian byte order from the COMET specification which is different
- * from the big-endian byte order from the original SPECK paper.
- */
-static void speck64_128_comet_encrypt
- (const unsigned char *key, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t l[4];
- uint32_t x, y, s;
- uint8_t round;
- uint8_t li_in = 0;
- uint8_t li_out = 3;
-
- /* Unpack the key and the input block */
- s = le_load_word32(key);
- l[0] = le_load_word32(key + 4);
- l[1] = le_load_word32(key + 8);
- l[2] = le_load_word32(key + 12);
- y = le_load_word32(input);
- x = le_load_word32(input + 4);
-
- /* Perform all encryption rounds except the last */
- for (round = 0; round < 26; ++round) {
- /* Perform the round with the current key schedule word */
- x = (rightRotate8(x) + y) ^ s;
- y = leftRotate3(y) ^ x;
-
- /* Calculate the next key schedule word */
- l[li_out] = (s + rightRotate8(l[li_in])) ^ round;
- s = leftRotate3(s) ^ l[li_out];
- li_in = (li_in + 1) & 0x03;
- li_out = (li_out + 1) & 0x03;
- }
-
- /* Perform the last encryption round and write the result to the output */
- x = (rightRotate8(x) + y) ^ s;
- y = leftRotate3(y) ^ x;
- le_store_word32(output, y);
- le_store_word32(output + 4, x);
-}
-
 int comet_64_speck_aead_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
@@ -547,23 +496,23 @@ int comet_64_speck_aead_encrypt
 
 /* Set up the initial state of Y and Z */
 memset(Y, 0, 8);
- speck64_128_comet_encrypt(k, Y, Y);
+ speck64_128_encrypt(k, Y, Y);
 memcpy(Z, npub, 15);
 Z[15] = 0;
 lw_xor_block(Z, k, 16);
 
 /* Process the associated data */
 if (adlen > 0)
- comet_process_ad(Y, Z, 8, speck64_128_comet_encrypt, ad, adlen);
+ comet_process_ad(Y, Z, 8, speck64_128_encrypt, ad, adlen);
 
 /* Encrypt the plaintext to produce the ciphertext */
 if (mlen > 0)
- comet_encrypt_64(Y, Z, speck64_128_comet_encrypt, c, m, mlen);
+ comet_encrypt_64(Y, Z, speck64_128_encrypt, c, m, mlen);
 
 /* Generate the authentication tag */
 Z[15] ^= 0x80;
 comet_adjust_block_key(Z);
- speck64_128_comet_encrypt(Z, c + mlen, Y);
+ speck64_128_encrypt(Z, c + mlen, Y);
 return 0;
 }
 
@@ -586,22 +535,22 @@ int comet_64_speck_aead_decrypt
 
 /* Set up the initial state of Y and Z */
 memset(Y, 0, 8);
- speck64_128_comet_encrypt(k, Y, Y);
+ speck64_128_encrypt(k, Y, Y);
 memcpy(Z, npub, 15);
 Z[15] = 0;
 lw_xor_block(Z, k, 16);
 
 /* Process the associated data */
 if (adlen > 0)
- comet_process_ad(Y, Z, 8, speck64_128_comet_encrypt, ad, adlen);
+ comet_process_ad(Y, Z, 8, speck64_128_encrypt, ad, adlen);
 
 /* Decrypt the ciphertext to produce the plaintext */
 if (clen > COMET_64_TAG_SIZE)
- comet_decrypt_64(Y, Z, speck64_128_comet_encrypt, m, c, *mlen);
+ comet_decrypt_64(Y, Z, speck64_128_encrypt, m, c, *mlen);
 
 /* Check the authentication tag */
 Z[15] ^= 0x80;
 comet_adjust_block_key(Z);
- speck64_128_comet_encrypt(Z, Y, Y);
+ speck64_128_encrypt(Z, Y, Y);
 return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE);
 }
diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-cham-avr.S b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham-avr.S
similarity index 100%
rename from comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-cham-avr.S
rename to comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham-avr.S
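Review bot: The removed `speck64_128_comet_encrypt` carried a note that it deliberately uses the little-endian word order of the COMET specification rather than the big-endian order of the SPECK paper, but its replacement `speck64_128_encrypt` comes from `internal-speck64.h`, which is renamed in at 100% similarity, so nothing in this diff shows that it keeps that convention. If it does not, every tag produced by COMET-64_SPECK changes and only a KAT run would catch it; mentioning that run in the commit message, or adding `/* speck64_128_encrypt uses COMET's little-endian word order, not the SPECK paper's */` above the first call in this hunk, would make the equivalence visible to the next reader. The same substitution is made in the `comet_64_speck_aead_decrypt` hunk below, so one comment at the first site covers both. Both function bodies begin outside their hunks.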
diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.c b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.c
index e097dbd..23351a3 100644
--- a/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.c
+++ b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-cham.c
@@ -23,6 +23,8 @@
 #include "internal-cham.h"
 #include "internal-util.h"
 
+#if !defined(__AVR__)
+
 void cham128_128_encrypt
 (const unsigned char *key, unsigned char *output,
 const unsigned char *input)
@@ -132,3 +134,5 @@ void cham64_128_encrypt
 le_store_word16(output + 4, x2);
 le_store_word16(output + 6, x3);
 }
+
+#endif
diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-speck64-avr.S b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-speck64-avr.S
similarity index 100%
rename from comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-speck64-avr.S
rename to comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-speck64-avr.S
diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-speck64.c b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-speck64.c
similarity index 100%
rename from comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-speck64.c
rename to comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-speck64.c
diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-speck64.h b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-speck64.h
similarity index 100%
rename from comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-speck64.h
rename to comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-speck64.h
diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-util.h b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-util.h
index e79158c..e30166d 100644
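Review bot: The `#endif` added in the second hunk closes a guard opened more than a hundred lines earlier but carries no condition comment; `#endif /* !__AVR__ */` makes the pairing checkable at a glance and matches the `#if !defined(__AVR__)` it closes. With this guard the C definitions of `cham128_128_encrypt` and `cham64_128_encrypt` vanish entirely on AVR, so an AVR build now depends on the renamed `internal-cham-avr.S` actually being assembled and linked from the `rhys/` directory; this diff does not show the build rule that does so, and a missing one surfaces only as undefined references at link time.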
--- a/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-util.h
+++ b/comet/Implementations/crypto_aead/comet128chamv1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/api.h b/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/api.h
deleted file mode 100644
index 9f9959f..0000000
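Review bot: Nothing in this hunk checks that the composed definitions agree with the plain ones they replace, and a wrong count here would change a cipher's output only on AVR, where it is hardest to notice; a host-side test that includes this header with `LW_CRYPTO_ROTATE32_COMPOSED` forced to 1 and asserts each `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for a few values would pin them cheaply. The macros nest the generic `leftRotate`/`rightRotate` up to five deep (`leftRotate20`), and if `leftRotate` has the same statement-expression form as the `rightRotate` tail visible in the previous hunk (`... }))` with a local `_temp`), each nesting level re-declares `_temp` in an inner scope, which is legal but will fire `-Wshadow` on every use and ties the composed path to GCC-style extensions. Only the 32-bit family is composed; the `_16` rotations used by `cham64_128_encrypt` (`leftRotate11_16` and friends, visible in the deleted copy above) keep their generic form, which is presumably intentional because CHAM has its own AVR assembly, and a sentence saying so in the header comment added in the first hunk would save the next reader the question.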
--- a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 15 -#define CRYPTO_ABYTES 8 -#define CRYPTO_NOOVERLAP 1 diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/comet.c b/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/comet.c deleted file mode 100644 index ceb0fd6..0000000 --- a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/comet.c +++ /dev/null 
@@ -1,556 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "comet.h" -#include "internal-cham.h" -#include "internal-speck64.h" -#include "internal-util.h" -#include - -aead_cipher_t const comet_128_cham_cipher = { - "COMET-128_CHAM-128/128", - COMET_KEY_SIZE, - COMET_128_NONCE_SIZE, - COMET_128_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - comet_128_cham_aead_encrypt, - comet_128_cham_aead_decrypt -}; - -aead_cipher_t const comet_64_cham_cipher = { - "COMET-64_CHAM-64/128", - COMET_KEY_SIZE, - COMET_64_NONCE_SIZE, - COMET_64_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - comet_64_cham_aead_encrypt, - comet_64_cham_aead_decrypt -}; - -aead_cipher_t const comet_64_speck_cipher = { - "COMET-64_SPECK-64/128", - COMET_KEY_SIZE, - COMET_64_NONCE_SIZE, - COMET_64_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - comet_64_speck_aead_encrypt, - comet_64_speck_aead_decrypt -}; - -/** - * \brief Adjusts the Z state to generate the key to use on the next block. - * - * \param Z The Z state to be adjusted. - */ -static void comet_adjust_block_key(unsigned char Z[16]) -{ - /* Doubles the 64-bit prefix to Z in the F(2^64) field */ - unsigned index; - unsigned char mask = (unsigned char)(((signed char)(Z[7])) >> 7); - for (index = 7; index > 0; --index) - Z[index] = (Z[index] << 1) | (Z[index - 1] >> 7); - Z[0] = (Z[0] << 1) ^ (mask & 0x1B); -} - -/* Function prototype for the encrypt function of the underyling cipher */ -typedef void (*comet_encrypt_block_t) - (const unsigned char *key, unsigned char *output, - const unsigned char *input); - -/** - * \brief Processes the associated data for COMET. - * - * \param Y Internal COMET block state of \a block_size bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. - * \param block_size Size of the block for the underlying cipher. - * \param encrypt Encryption function for the underlying cipher. - * \param ad Points to the associated data. - * \param adlen Number of bytes of associated data; must be >= 1. 
- */ -static void comet_process_ad - (unsigned char *Y, unsigned char Z[16], unsigned block_size, - comet_encrypt_block_t encrypt, const unsigned char *ad, - unsigned long long adlen) -{ - /* Domain separator for associated data */ - Z[15] ^= 0x08; - - /* Process all associated data blocks except the last partial block */ - while (adlen >= block_size) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - lw_xor_block(Y, ad, block_size); - ad += block_size; - adlen -= block_size; - } - - /* Pad and process the partial block on the end */ - if (adlen > 0) { - unsigned temp = (unsigned)adlen; - Z[15] ^= 0x10; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - lw_xor_block(Y, ad, temp); - Y[temp] ^= 0x01; - } -} - -/** - * \brief Shuffles the words in a 128-bit block. - * - * \param out The output block after shuffling. - * \param in The input block to be shuffled. - */ -STATIC_INLINE void comet_shuffle_block_128 - (unsigned char out[16], const unsigned char in[16]) -{ - uint32_t x0, x1, x2, x3; - x0 = le_load_word32(in); - x1 = le_load_word32(in + 4); - x2 = le_load_word32(in + 8); - x3 = le_load_word32(in + 12); - le_store_word32(out, x3); - le_store_word32(out + 4, rightRotate1(x2)); - le_store_word32(out + 8, x0); - le_store_word32(out + 12, x1); -} - -/** - * \brief Shuffles the words in a 64-bit block. - * - * \param out The output block after shuffling. - * \param in The input block to be shuffled. - */ -STATIC_INLINE void comet_shuffle_block_64 - (unsigned char out[8], const unsigned char in[8]) -{ - uint32_t x01 = le_load_word32(in); - uint16_t x2 = ((uint16_t)(in[4])) | (((uint16_t)(in[5])) << 8); - out[0] = in[6]; - out[1] = in[7]; - x2 = (x2 >> 1) | (x2 << 15); - out[2] = (uint8_t)x2; - out[3] = (uint8_t)(x2 >> 8); - le_store_word32(out + 4, x01); -} - -/** - * \brief Encrypts the plaintext with COMET-128 to produce the ciphertext. - * - * \param Y Internal COMET block state of 16 bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. 
- * \param encrypt Encryption function for the underlying cipher. - * \param c Ciphertext on output. - * \param m Plaintext message on input. - * \param mlen Length of the plaintext message and the ciphertext. - */ -static void comet_encrypt_128 - (unsigned char Y[16], unsigned char Z[16], - comet_encrypt_block_t encrypt, unsigned char *c, - const unsigned char *m, unsigned long long mlen) -{ - unsigned char Ys[16]; - - /* Domain separator for payload data */ - Z[15] ^= 0x20; - - /* Process all payload data blocks except the last partial block */ - while (mlen >= 16) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_128(Ys, Y); - lw_xor_block(Y, m, 16); - lw_xor_block_2_src(c, m, Ys, 16); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the partial block on the end */ - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - Z[15] ^= 0x40; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_128(Ys, Y); - lw_xor_block(Y, m, temp); - lw_xor_block_2_src(c, m, Ys, temp); - Y[temp] ^= 0x01; - } -} - -/** - * \brief Encrypts the plaintext with COMET-64 to produce the ciphertext. - * - * \param Y Internal COMET block state of 8 bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. - * \param encrypt Encryption function for the underlying cipher. - * \param c Ciphertext on output. - * \param m Plaintext message on input. - * \param mlen Length of the plaintext message and the ciphertext. 
- */ -static void comet_encrypt_64 - (unsigned char Y[8], unsigned char Z[16], - comet_encrypt_block_t encrypt, unsigned char *c, - const unsigned char *m, unsigned long long mlen) -{ - unsigned char Ys[8]; - - /* Domain separator for payload data */ - Z[15] ^= 0x20; - - /* Process all payload data blocks except the last partial block */ - while (mlen >= 8) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_64(Ys, Y); - lw_xor_block(Y, m, 8); - lw_xor_block_2_src(c, m, Ys, 8); - c += 8; - m += 8; - mlen -= 8; - } - - /* Pad and process the partial block on the end */ - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - Z[15] ^= 0x40; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_64(Ys, Y); - lw_xor_block(Y, m, temp); - lw_xor_block_2_src(c, m, Ys, temp); - Y[temp] ^= 0x01; - } -} - -/** - * \brief Decrypts the ciphertext with COMET-128 to produce the plaintext. - * - * \param Y Internal COMET block state of 16 bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. - * \param encrypt Encryption function for the underlying cipher. - * \param m Plaintext message on output. - * \param c Ciphertext on input. - * \param mlen Length of the plaintext message and the ciphertext. 
- */ -static void comet_decrypt_128 - (unsigned char Y[16], unsigned char Z[16], - comet_encrypt_block_t encrypt, unsigned char *m, - const unsigned char *c, unsigned long long mlen) -{ - unsigned char Ys[16]; - - /* Domain separator for payload data */ - Z[15] ^= 0x20; - - /* Process all payload data blocks except the last partial block */ - while (mlen >= 16) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_128(Ys, Y); - lw_xor_block_2_src(m, c, Ys, 16); - lw_xor_block(Y, m, 16); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the partial block on the end */ - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - Z[15] ^= 0x40; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_128(Ys, Y); - lw_xor_block_2_src(m, c, Ys, temp); - lw_xor_block(Y, m, temp); - Y[temp] ^= 0x01; - } -} - -/** - * \brief Decrypts the ciphertext with COMET-64 to produce the plaintext. - * - * \param Y Internal COMET block state of 8 bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. - * \param encrypt Encryption function for the underlying cipher. - * \param m Plaintext message on output. - * \param c Ciphertext on input. - * \param mlen Length of the plaintext message and the ciphertext. 
- */ -static void comet_decrypt_64 - (unsigned char Y[8], unsigned char Z[16], - comet_encrypt_block_t encrypt, unsigned char *m, - const unsigned char *c, unsigned long long mlen) -{ - unsigned char Ys[8]; - - /* Domain separator for payload data */ - Z[15] ^= 0x20; - - /* Process all payload data blocks except the last partial block */ - while (mlen >= 8) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_64(Ys, Y); - lw_xor_block_2_src(m, c, Ys, 8); - lw_xor_block(Y, m, 8); - c += 8; - m += 8; - mlen -= 8; - } - - /* Pad and process the partial block on the end */ - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - Z[15] ^= 0x40; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_64(Ys, Y); - lw_xor_block_2_src(m, c, Ys, temp); - lw_xor_block(Y, m, temp); - Y[temp] ^= 0x01; - } -} - -int comet_128_cham_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char Y[16]; - unsigned char Z[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + COMET_128_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memcpy(Y, k, 16); - cham128_128_encrypt(Y, Z, npub); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 16, cham128_128_encrypt, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) - comet_encrypt_128(Y, Z, cham128_128_encrypt, c, m, mlen); - - /* Generate the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - cham128_128_encrypt(Z, c + mlen, Y); - return 0; -} - -int comet_128_cham_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - 
const unsigned char *k) -{ - unsigned char Y[16]; - unsigned char Z[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < COMET_128_TAG_SIZE) - return -1; - *mlen = clen - COMET_128_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memcpy(Y, k, 16); - cham128_128_encrypt(Y, Z, npub); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 16, cham128_128_encrypt, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > COMET_128_TAG_SIZE) - comet_decrypt_128(Y, Z, cham128_128_encrypt, m, c, *mlen); - - /* Check the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - cham128_128_encrypt(Z, Y, Y); - return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_128_TAG_SIZE); -} - -int comet_64_cham_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char Y[8]; - unsigned char Z[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + COMET_64_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memset(Y, 0, 8); - cham64_128_encrypt(k, Y, Y); - memcpy(Z, npub, 15); - Z[15] = 0; - lw_xor_block(Z, k, 16); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 8, cham64_128_encrypt, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) - comet_encrypt_64(Y, Z, cham64_128_encrypt, c, m, mlen); - - /* Generate the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - cham64_128_encrypt(Z, c + mlen, Y); - return 0; -} - -int comet_64_cham_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char 
*npub, - const unsigned char *k) -{ - unsigned char Y[8]; - unsigned char Z[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < COMET_64_TAG_SIZE) - return -1; - *mlen = clen - COMET_64_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memset(Y, 0, 8); - cham64_128_encrypt(k, Y, Y); - memcpy(Z, npub, 15); - Z[15] = 0; - lw_xor_block(Z, k, 16); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 8, cham64_128_encrypt, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > COMET_64_TAG_SIZE) - comet_decrypt_64(Y, Z, cham64_128_encrypt, m, c, *mlen); - - /* Check the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - cham64_128_encrypt(Z, Y, Y); - return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE); -} - -int comet_64_speck_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char Y[8]; - unsigned char Z[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + COMET_64_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memset(Y, 0, 8); - speck64_128_encrypt(k, Y, Y); - memcpy(Z, npub, 15); - Z[15] = 0; - lw_xor_block(Z, k, 16); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 8, speck64_128_encrypt, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) - comet_encrypt_64(Y, Z, speck64_128_encrypt, c, m, mlen); - - /* Generate the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - speck64_128_encrypt(Z, c + mlen, Y); - return 0; -} - -int comet_64_speck_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const 
unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char Y[8];
- unsigned char Z[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < COMET_64_TAG_SIZE)
- return -1;
- *mlen = clen - COMET_64_TAG_SIZE;
-
- /* Set up the initial state of Y and Z */
- memset(Y, 0, 8);
- speck64_128_encrypt(k, Y, Y);
- memcpy(Z, npub, 15);
- Z[15] = 0;
- lw_xor_block(Z, k, 16);
-
- /* Process the associated data */
- if (adlen > 0)
- comet_process_ad(Y, Z, 8, speck64_128_encrypt, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- if (clen > COMET_64_TAG_SIZE)
- comet_decrypt_64(Y, Z, speck64_128_encrypt, m, c, *mlen);
-
- /* Check the authentication tag */
- Z[15] ^= 0x80;
- comet_adjust_block_key(Z);
- speck64_128_encrypt(Z, Y, Y);
- return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE);
-}
diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/encrypt.c b/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/encrypt.c
deleted file mode 100644
index e832eac..0000000
--- a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "comet.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return comet_64_cham_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return comet_64_cham_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-cham.c b/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-cham.c
deleted file mode 100644
index 23351a3..0000000
--- a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-cham.c
+++ /dev/null
@@ -1,138 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-cham.h" -#include "internal-util.h" - -#if !defined(__AVR__) - -void cham128_128_encrypt - (const unsigned char *key, unsigned char *output, - const unsigned char *input) -{ - uint32_t x0, x1, x2, x3; - uint32_t k[8]; - uint8_t round; - - /* Unpack the key and generate the key schedule */ - k[0] = le_load_word32(key); - k[1] = le_load_word32(key + 4); - k[2] = le_load_word32(key + 8); - k[3] = le_load_word32(key + 12); - k[4] = k[1] ^ leftRotate1(k[1]) ^ leftRotate11(k[1]); - k[5] = k[0] ^ leftRotate1(k[0]) ^ leftRotate11(k[0]); - k[6] = k[3] ^ leftRotate1(k[3]) ^ leftRotate11(k[3]); - k[7] = k[2] ^ leftRotate1(k[2]) ^ leftRotate11(k[2]); - k[0] ^= leftRotate1(k[0]) ^ leftRotate8(k[0]); - k[1] ^= leftRotate1(k[1]) ^ leftRotate8(k[1]); - k[2] ^= leftRotate1(k[2]) ^ leftRotate8(k[2]); - k[3] ^= leftRotate1(k[3]) ^ leftRotate8(k[3]); - - /* Unpack the input block */ - x0 = le_load_word32(input); - x1 = le_load_word32(input + 4); - x2 = le_load_word32(input + 8); - x3 = le_load_word32(input + 12); - - /* Perform the 80 rounds eight at a time */ - for (round = 0; round < 80; round += 8) { - x0 = leftRotate8((x0 ^ round) + (leftRotate1(x1) ^ k[0])); - x1 = leftRotate1((x1 ^ (round + 1)) + (leftRotate8(x2) ^ k[1])); - x2 = leftRotate8((x2 ^ (round + 2)) + (leftRotate1(x3) ^ k[2])); - x3 = leftRotate1((x3 ^ (round + 3)) + (leftRotate8(x0) ^ k[3])); - x0 = leftRotate8((x0 ^ (round + 4)) + (leftRotate1(x1) ^ k[4])); - x1 = leftRotate1((x1 ^ (round + 5)) + (leftRotate8(x2) ^ k[5])); - x2 = leftRotate8((x2 ^ (round + 6)) + (leftRotate1(x3) ^ k[6])); - x3 = leftRotate1((x3 ^ (round + 7)) + (leftRotate8(x0) ^ k[7])); - } - - /* Pack the state into the output block */ - le_store_word32(output, x0); - le_store_word32(output + 4, x1); - le_store_word32(output + 8, x2); - le_store_word32(output + 12, x3); -} - -void cham64_128_encrypt - (const unsigned char *key, unsigned char *output, - const unsigned char *input) -{ - uint16_t x0, x1, x2, x3; - uint16_t 
k[16]; - uint8_t round; - - /* Unpack the key and generate the key schedule */ - k[0] = le_load_word16(key); - k[1] = le_load_word16(key + 2); - k[2] = le_load_word16(key + 4); - k[3] = le_load_word16(key + 6); - k[4] = le_load_word16(key + 8); - k[5] = le_load_word16(key + 10); - k[6] = le_load_word16(key + 12); - k[7] = le_load_word16(key + 14); - k[8] = k[1] ^ leftRotate1_16(k[1]) ^ leftRotate11_16(k[1]); - k[9] = k[0] ^ leftRotate1_16(k[0]) ^ leftRotate11_16(k[0]); - k[10] = k[3] ^ leftRotate1_16(k[3]) ^ leftRotate11_16(k[3]); - k[11] = k[2] ^ leftRotate1_16(k[2]) ^ leftRotate11_16(k[2]); - k[12] = k[5] ^ leftRotate1_16(k[5]) ^ leftRotate11_16(k[5]); - k[13] = k[4] ^ leftRotate1_16(k[4]) ^ leftRotate11_16(k[4]); - k[14] = k[7] ^ leftRotate1_16(k[7]) ^ leftRotate11_16(k[7]); - k[15] = k[6] ^ leftRotate1_16(k[6]) ^ leftRotate11_16(k[6]); - k[0] ^= leftRotate1_16(k[0]) ^ leftRotate8_16(k[0]); - k[1] ^= leftRotate1_16(k[1]) ^ leftRotate8_16(k[1]); - k[2] ^= leftRotate1_16(k[2]) ^ leftRotate8_16(k[2]); - k[3] ^= leftRotate1_16(k[3]) ^ leftRotate8_16(k[3]); - k[4] ^= leftRotate1_16(k[4]) ^ leftRotate8_16(k[4]); - k[5] ^= leftRotate1_16(k[5]) ^ leftRotate8_16(k[5]); - k[6] ^= leftRotate1_16(k[6]) ^ leftRotate8_16(k[6]); - k[7] ^= leftRotate1_16(k[7]) ^ leftRotate8_16(k[7]); - - /* Unpack the input block */ - x0 = le_load_word16(input); - x1 = le_load_word16(input + 2); - x2 = le_load_word16(input + 4); - x3 = le_load_word16(input + 6); - - /* Perform the 80 rounds four at a time */ - for (round = 0; round < 80; round += 4) { - x0 = leftRotate8_16 - ((x0 ^ round) + - (leftRotate1_16(x1) ^ k[round % 16])); - x1 = leftRotate1_16 - ((x1 ^ (round + 1)) + - (leftRotate8_16(x2) ^ k[(round + 1) % 16])); - x2 = leftRotate8_16 - ((x2 ^ (round + 2)) + - (leftRotate1_16(x3) ^ k[(round + 2) % 16])); - x3 = leftRotate1_16 - ((x3 ^ (round + 3)) + - (leftRotate8_16(x0) ^ k[(round + 3) % 16])); - } - - /* Pack the state into the output block */ - le_store_word16(output, x0); - 
le_store_word16(output + 2, x1); - le_store_word16(output + 4, x2); - le_store_word16(output + 6, x3); -} - -#endif diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.c b/comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.c index d068de2..ceb0fd6 100644 --- a/comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.c +++ b/comet/Implementations/crypto_aead/comet64chamv1/rhys/comet.c @@ -22,6 +22,7 @@ #include "comet.h" #include "internal-cham.h" +#include "internal-speck64.h" #include "internal-util.h" #include 
@@ -478,58 +479,6 @@ int comet_64_cham_aead_decrypt return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE); } -/** - * \brief Encrypts a 64-bit block with SPECK-64-128 in COMET byte order. - * - * \param key Points to the 16 bytes of the key. - * \param output Output buffer which must be at least 8 bytes in length. - * \param input Input buffer which must be at least 8 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * \note This version differs from standard SPECK-64 in that it uses the - * little-endian byte order from the COMET specification which is different - * from the big-endian byte order from the original SPECK paper. - */ -static void speck64_128_comet_encrypt - (const unsigned char *key, unsigned char *output, - const unsigned char *input) -{ - uint32_t l[4]; - uint32_t x, y, s; - uint8_t round; - uint8_t li_in = 0; - uint8_t li_out = 3; - - /* Unpack the key and the input block */ - s = le_load_word32(key); - l[0] = le_load_word32(key + 4); - l[1] = le_load_word32(key + 8); - l[2] = le_load_word32(key + 12); - y = le_load_word32(input); - x = le_load_word32(input + 4); - - /* Perform all encryption rounds except the last */ - for (round = 0; round < 26; ++round) { - /* Perform the round with the current key schedule word */ - x = (rightRotate8(x) + y) ^ s; - y = leftRotate3(y) ^ x; - - /* Calculate the next key schedule word */ - l[li_out] = (s + rightRotate8(l[li_in])) ^ round; - s = leftRotate3(s) ^ l[li_out]; - li_in = (li_in + 1) & 0x03; - li_out = (li_out + 1) & 0x03; - } - - /* Perform the last encryption round and write the result to the output */ - x = (rightRotate8(x) + y) ^ s; - y = leftRotate3(y) ^ x; - le_store_word32(output, y); - le_store_word32(output + 4, x); -} - int comet_64_speck_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, 
@@ -547,23 +496,23 @@ int comet_64_speck_aead_encrypt
 
 /* Set up the initial state of Y and Z */
 memset(Y, 0, 8);
- speck64_128_comet_encrypt(k, Y, Y);
+ speck64_128_encrypt(k, Y, Y);
 memcpy(Z, npub, 15);
 Z[15] = 0;
 lw_xor_block(Z, k, 16);
 
 /* Process the associated data */
 if (adlen > 0)
- comet_process_ad(Y, Z, 8, speck64_128_comet_encrypt, ad, adlen);
+ comet_process_ad(Y, Z, 8, speck64_128_encrypt, ad, adlen);
 
 /* Encrypt the plaintext to produce the ciphertext */
 if (mlen > 0)
- comet_encrypt_64(Y, Z, speck64_128_comet_encrypt, c, m, mlen);
+ comet_encrypt_64(Y, Z, speck64_128_encrypt, c, m, mlen);
 
 /* Generate the authentication tag */
 Z[15] ^= 0x80;
 comet_adjust_block_key(Z);
- speck64_128_comet_encrypt(Z, c + mlen, Y);
+ speck64_128_encrypt(Z, c + mlen, Y);
 return 0;
 }
 
@@ -586,22 +535,22 @@ int comet_64_speck_aead_decrypt
 
 /* Set up the initial state of Y and Z */
 memset(Y, 0, 8);
- speck64_128_comet_encrypt(k, Y, Y);
+ speck64_128_encrypt(k, Y, Y);
 memcpy(Z, npub, 15);
 Z[15] = 0;
 lw_xor_block(Z, k, 16);
 
 /* Process the associated data */
 if (adlen > 0)
- comet_process_ad(Y, Z, 8, speck64_128_comet_encrypt, ad, adlen);
+ comet_process_ad(Y, Z, 8, speck64_128_encrypt, ad, adlen);
 
 /* Decrypt the ciphertext to produce the plaintext */
 if (clen > COMET_64_TAG_SIZE)
- comet_decrypt_64(Y, Z, speck64_128_comet_encrypt, m, c, *mlen);
+ comet_decrypt_64(Y, Z, speck64_128_encrypt, m, c, *mlen);
 
 /* Check the authentication tag */
 Z[15] ^= 0x80;
 comet_adjust_block_key(Z);
- speck64_128_comet_encrypt(Z, Y, Y);
+ speck64_128_encrypt(Z, Y, Y);
 return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE);
 }
diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-cham-avr.S b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham-avr.S
similarity index 100%
rename from comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-cham-avr.S
rename to comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham-avr.S
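Review bot: Nothing in this hunk, nor at the `#include "internal-speck64.h"` added in the hunk at line 22, records that `speck64_128_encrypt()` must use COMET's little-endian word order; the static helper it replaces carried an explicit `\note` that it deliberately differs from the big-endian convention of the SPECK paper, and that warning disappears with the deletion in the previous hunk. Because internal-speck64.c arrives as a 100%-similarity rename, none of its body is visible in this diff, so the byte-order equivalence is inferred rather than shown, and a mismatch would still give self-consistent encrypt/decrypt and only surface in the KATs. I would keep a one-line reminder at the first call site, `/* speck64_128_encrypt() uses COMET's little-endian word order, not the big-endian order of the SPECK paper */`, and confirm the comet64speckv1 KAT run was part of this change. The same applies to the four call sites in the decrypt hunk that follows; both enclosing functions start outside their hunks.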
diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.c b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.c index e097dbd..23351a3 100644 --- a/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.c +++ b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-cham.c @@ -23,6 +23,8 @@ #include "internal-cham.h" #include "internal-util.h" +#if !defined(__AVR__) + void cham128_128_encrypt (const unsigned char *key, unsigned char *output, const unsigned char *input) @@ -132,3 +134,5 @@ void cham64_128_encrypt le_store_word16(output + 4, x2); le_store_word16(output + 6, x3); } + +#endif diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-speck64-avr.S b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-speck64-avr.S similarity index 100% rename from comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-speck64-avr.S rename to comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-speck64-avr.S diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-speck64.c b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-speck64.c similarity index 100% rename from comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-speck64.c rename to comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-speck64.c diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-speck64.h b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-speck64.h similarity index 100% rename from comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-speck64.h rename to comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-speck64.h diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-util.h b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-util.h 
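Review bot: The new `#endif` at the end of internal-cham.c carries no comment naming the condition it closes, while the guard added to internal-util.h in this same commit closes with `#endif /* LW_CRYPTO_ROTATE32_COMPOSED */`; with the whole cham128/cham64 implementation sitting between the two directives, `#endif /* !__AVR__ */` would make the pairing readable from the bottom of the file. On AVR the two `cham*_128_encrypt` symbols presumably come from internal-cham-avr.S, which this commit moves into the same directory; a comment above the `#if !defined(__AVR__)` saying so would explain why the C bodies vanish, since a build that omits the .S file would otherwise fail only at link time.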
+++ b/comet/Implementations/crypto_aead/comet64chamv1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/api.h b/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/api.h deleted file mode 100644 index 9f9959f..0000000 
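Review bot: The composed branch documents each rotation count but not the property the nesting relies on: every `leftRotateN`/`rightRotateN` here wraps up to five nested `leftRotate`/`rightRotate` calls, which is only safe because the generic rotate (in the previous hunk, whose body is partly outside this diff) captures its argument in `_temp` once, so `a` is never evaluated more than once. Each nested level redeclares `_temp` inside the initializer of the enclosing one, which is valid but is exactly what `-Wshadow` reports, so a line under `/* Composed rotation macros ... */` such as `/* Nesting is safe: leftRotate()/rightRotate() evaluate their argument exactly once; the repeated _temp is intentional */` would spare the next reader from re-deriving it. The arithmetic checks out on inspection (each left-by-N is an 8/16/24-bit rotation plus at most four single-bit steps, and rightRotateN maps to leftRotate(32-N)), but since a wrong entry would silently change cipher output only when `__AVR__` is defined, the KAT run on the AVR target is the only real guard and is worth mentioning in the commit.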
--- a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 15
-#define CRYPTO_ABYTES 8
-#define CRYPTO_NOOVERLAP 1
diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/comet.c b/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/comet.c
deleted file mode 100644
index ceb0fd6..0000000
--- a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/comet.c
+++ /dev/null
@@ -1,556 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "comet.h" -#include "internal-cham.h" -#include "internal-speck64.h" -#include "internal-util.h" -#include - -aead_cipher_t const comet_128_cham_cipher = { - "COMET-128_CHAM-128/128", - COMET_KEY_SIZE, - COMET_128_NONCE_SIZE, - COMET_128_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - comet_128_cham_aead_encrypt, - comet_128_cham_aead_decrypt -}; - -aead_cipher_t const comet_64_cham_cipher = { - "COMET-64_CHAM-64/128", - COMET_KEY_SIZE, - COMET_64_NONCE_SIZE, - COMET_64_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - comet_64_cham_aead_encrypt, - comet_64_cham_aead_decrypt -}; - -aead_cipher_t const comet_64_speck_cipher = { - "COMET-64_SPECK-64/128", - COMET_KEY_SIZE, - COMET_64_NONCE_SIZE, - COMET_64_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - comet_64_speck_aead_encrypt, - comet_64_speck_aead_decrypt -}; - -/** - * \brief Adjusts the Z state to generate the key to use on the next block. - * - * \param Z The Z state to be adjusted. - */ -static void comet_adjust_block_key(unsigned char Z[16]) -{ - /* Doubles the 64-bit prefix to Z in the F(2^64) field */ - unsigned index; - unsigned char mask = (unsigned char)(((signed char)(Z[7])) >> 7); - for (index = 7; index > 0; --index) - Z[index] = (Z[index] << 1) | (Z[index - 1] >> 7); - Z[0] = (Z[0] << 1) ^ (mask & 0x1B); -} - -/* Function prototype for the encrypt function of the underyling cipher */ -typedef void (*comet_encrypt_block_t) - (const unsigned char *key, unsigned char *output, - const unsigned char *input); - -/** - * \brief Processes the associated data for COMET. - * - * \param Y Internal COMET block state of \a block_size bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. - * \param block_size Size of the block for the underlying cipher. - * \param encrypt Encryption function for the underlying cipher. - * \param ad Points to the associated data. - * \param adlen Number of bytes of associated data; must be >= 1. 
- */ -static void comet_process_ad - (unsigned char *Y, unsigned char Z[16], unsigned block_size, - comet_encrypt_block_t encrypt, const unsigned char *ad, - unsigned long long adlen) -{ - /* Domain separator for associated data */ - Z[15] ^= 0x08; - - /* Process all associated data blocks except the last partial block */ - while (adlen >= block_size) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - lw_xor_block(Y, ad, block_size); - ad += block_size; - adlen -= block_size; - } - - /* Pad and process the partial block on the end */ - if (adlen > 0) { - unsigned temp = (unsigned)adlen; - Z[15] ^= 0x10; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - lw_xor_block(Y, ad, temp); - Y[temp] ^= 0x01; - } -} - -/** - * \brief Shuffles the words in a 128-bit block. - * - * \param out The output block after shuffling. - * \param in The input block to be shuffled. - */ -STATIC_INLINE void comet_shuffle_block_128 - (unsigned char out[16], const unsigned char in[16]) -{ - uint32_t x0, x1, x2, x3; - x0 = le_load_word32(in); - x1 = le_load_word32(in + 4); - x2 = le_load_word32(in + 8); - x3 = le_load_word32(in + 12); - le_store_word32(out, x3); - le_store_word32(out + 4, rightRotate1(x2)); - le_store_word32(out + 8, x0); - le_store_word32(out + 12, x1); -} - -/** - * \brief Shuffles the words in a 64-bit block. - * - * \param out The output block after shuffling. - * \param in The input block to be shuffled. - */ -STATIC_INLINE void comet_shuffle_block_64 - (unsigned char out[8], const unsigned char in[8]) -{ - uint32_t x01 = le_load_word32(in); - uint16_t x2 = ((uint16_t)(in[4])) | (((uint16_t)(in[5])) << 8); - out[0] = in[6]; - out[1] = in[7]; - x2 = (x2 >> 1) | (x2 << 15); - out[2] = (uint8_t)x2; - out[3] = (uint8_t)(x2 >> 8); - le_store_word32(out + 4, x01); -} - -/** - * \brief Encrypts the plaintext with COMET-128 to produce the ciphertext. - * - * \param Y Internal COMET block state of 16 bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. 
- * \param encrypt Encryption function for the underlying cipher. - * \param c Ciphertext on output. - * \param m Plaintext message on input. - * \param mlen Length of the plaintext message and the ciphertext. - */ -static void comet_encrypt_128 - (unsigned char Y[16], unsigned char Z[16], - comet_encrypt_block_t encrypt, unsigned char *c, - const unsigned char *m, unsigned long long mlen) -{ - unsigned char Ys[16]; - - /* Domain separator for payload data */ - Z[15] ^= 0x20; - - /* Process all payload data blocks except the last partial block */ - while (mlen >= 16) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_128(Ys, Y); - lw_xor_block(Y, m, 16); - lw_xor_block_2_src(c, m, Ys, 16); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the partial block on the end */ - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - Z[15] ^= 0x40; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_128(Ys, Y); - lw_xor_block(Y, m, temp); - lw_xor_block_2_src(c, m, Ys, temp); - Y[temp] ^= 0x01; - } -} - -/** - * \brief Encrypts the plaintext with COMET-64 to produce the ciphertext. - * - * \param Y Internal COMET block state of 8 bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. - * \param encrypt Encryption function for the underlying cipher. - * \param c Ciphertext on output. - * \param m Plaintext message on input. - * \param mlen Length of the plaintext message and the ciphertext. 
- */ -static void comet_encrypt_64 - (unsigned char Y[8], unsigned char Z[16], - comet_encrypt_block_t encrypt, unsigned char *c, - const unsigned char *m, unsigned long long mlen) -{ - unsigned char Ys[8]; - - /* Domain separator for payload data */ - Z[15] ^= 0x20; - - /* Process all payload data blocks except the last partial block */ - while (mlen >= 8) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_64(Ys, Y); - lw_xor_block(Y, m, 8); - lw_xor_block_2_src(c, m, Ys, 8); - c += 8; - m += 8; - mlen -= 8; - } - - /* Pad and process the partial block on the end */ - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - Z[15] ^= 0x40; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_64(Ys, Y); - lw_xor_block(Y, m, temp); - lw_xor_block_2_src(c, m, Ys, temp); - Y[temp] ^= 0x01; - } -} - -/** - * \brief Decrypts the ciphertext with COMET-128 to produce the plaintext. - * - * \param Y Internal COMET block state of 16 bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. - * \param encrypt Encryption function for the underlying cipher. - * \param m Plaintext message on output. - * \param c Ciphertext on input. - * \param mlen Length of the plaintext message and the ciphertext. 
- */ -static void comet_decrypt_128 - (unsigned char Y[16], unsigned char Z[16], - comet_encrypt_block_t encrypt, unsigned char *m, - const unsigned char *c, unsigned long long mlen) -{ - unsigned char Ys[16]; - - /* Domain separator for payload data */ - Z[15] ^= 0x20; - - /* Process all payload data blocks except the last partial block */ - while (mlen >= 16) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_128(Ys, Y); - lw_xor_block_2_src(m, c, Ys, 16); - lw_xor_block(Y, m, 16); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the partial block on the end */ - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - Z[15] ^= 0x40; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_128(Ys, Y); - lw_xor_block_2_src(m, c, Ys, temp); - lw_xor_block(Y, m, temp); - Y[temp] ^= 0x01; - } -} - -/** - * \brief Decrypts the ciphertext with COMET-64 to produce the plaintext. - * - * \param Y Internal COMET block state of 8 bytes in size. - * \param Z Internal COMET key state of 16 bytes in size. - * \param encrypt Encryption function for the underlying cipher. - * \param m Plaintext message on output. - * \param c Ciphertext on input. - * \param mlen Length of the plaintext message and the ciphertext. 
- */ -static void comet_decrypt_64 - (unsigned char Y[8], unsigned char Z[16], - comet_encrypt_block_t encrypt, unsigned char *m, - const unsigned char *c, unsigned long long mlen) -{ - unsigned char Ys[8]; - - /* Domain separator for payload data */ - Z[15] ^= 0x20; - - /* Process all payload data blocks except the last partial block */ - while (mlen >= 8) { - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_64(Ys, Y); - lw_xor_block_2_src(m, c, Ys, 8); - lw_xor_block(Y, m, 8); - c += 8; - m += 8; - mlen -= 8; - } - - /* Pad and process the partial block on the end */ - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - Z[15] ^= 0x40; - comet_adjust_block_key(Z); - encrypt(Z, Y, Y); - comet_shuffle_block_64(Ys, Y); - lw_xor_block_2_src(m, c, Ys, temp); - lw_xor_block(Y, m, temp); - Y[temp] ^= 0x01; - } -} - -int comet_128_cham_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char Y[16]; - unsigned char Z[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + COMET_128_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memcpy(Y, k, 16); - cham128_128_encrypt(Y, Z, npub); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 16, cham128_128_encrypt, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) - comet_encrypt_128(Y, Z, cham128_128_encrypt, c, m, mlen); - - /* Generate the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - cham128_128_encrypt(Z, c + mlen, Y); - return 0; -} - -int comet_128_cham_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - 
const unsigned char *k) -{ - unsigned char Y[16]; - unsigned char Z[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < COMET_128_TAG_SIZE) - return -1; - *mlen = clen - COMET_128_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memcpy(Y, k, 16); - cham128_128_encrypt(Y, Z, npub); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 16, cham128_128_encrypt, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > COMET_128_TAG_SIZE) - comet_decrypt_128(Y, Z, cham128_128_encrypt, m, c, *mlen); - - /* Check the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - cham128_128_encrypt(Z, Y, Y); - return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_128_TAG_SIZE); -} - -int comet_64_cham_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char Y[8]; - unsigned char Z[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + COMET_64_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memset(Y, 0, 8); - cham64_128_encrypt(k, Y, Y); - memcpy(Z, npub, 15); - Z[15] = 0; - lw_xor_block(Z, k, 16); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 8, cham64_128_encrypt, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) - comet_encrypt_64(Y, Z, cham64_128_encrypt, c, m, mlen); - - /* Generate the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - cham64_128_encrypt(Z, c + mlen, Y); - return 0; -} - -int comet_64_cham_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char 
*npub, - const unsigned char *k) -{ - unsigned char Y[8]; - unsigned char Z[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < COMET_64_TAG_SIZE) - return -1; - *mlen = clen - COMET_64_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memset(Y, 0, 8); - cham64_128_encrypt(k, Y, Y); - memcpy(Z, npub, 15); - Z[15] = 0; - lw_xor_block(Z, k, 16); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 8, cham64_128_encrypt, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > COMET_64_TAG_SIZE) - comet_decrypt_64(Y, Z, cham64_128_encrypt, m, c, *mlen); - - /* Check the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - cham64_128_encrypt(Z, Y, Y); - return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE); -} - -int comet_64_speck_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char Y[8]; - unsigned char Z[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + COMET_64_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memset(Y, 0, 8); - speck64_128_encrypt(k, Y, Y); - memcpy(Z, npub, 15); - Z[15] = 0; - lw_xor_block(Z, k, 16); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 8, speck64_128_encrypt, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) - comet_encrypt_64(Y, Z, speck64_128_encrypt, c, m, mlen); - - /* Generate the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - speck64_128_encrypt(Z, c + mlen, Y); - return 0; -} - -int comet_64_speck_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const 
unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char Y[8]; - unsigned char Z[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < COMET_64_TAG_SIZE) - return -1; - *mlen = clen - COMET_64_TAG_SIZE; - - /* Set up the initial state of Y and Z */ - memset(Y, 0, 8); - speck64_128_encrypt(k, Y, Y); - memcpy(Z, npub, 15); - Z[15] = 0; - lw_xor_block(Z, k, 16); - - /* Process the associated data */ - if (adlen > 0) - comet_process_ad(Y, Z, 8, speck64_128_encrypt, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > COMET_64_TAG_SIZE) - comet_decrypt_64(Y, Z, speck64_128_encrypt, m, c, *mlen); - - /* Check the authentication tag */ - Z[15] ^= 0x80; - comet_adjust_block_key(Z); - speck64_128_encrypt(Z, Y, Y); - return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE); -} diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/comet.h b/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/comet.h deleted file mode 100644 index d1b24a6..0000000 --- a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/comet.h +++ /dev/null 
@@ -1,274 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_COMET_H -#define LWCRYPTO_COMET_H - -#include "aead-common.h" - -/** - * \file comet.h - * \brief COMET authenticated encryption algorithm. - * - * COMET is a family of authenticated encryption algorithms that are - * built around an underlying block cipher. This library implements - * three members of the family: - * - * \li COMET-128_CHAM-128/128 which has a 128-bit key, a 128-bit nonce, - * and a 128-bit tag, built around the CHAM-128/128 block cipher. - * \li COMET-64_CHAM-64/128 which has a 128-bit key, a 120-bit nonce, - * and a 64-bit tag, built around the CHAM-64/128 block cipher. - * \li COMET-64_SPECK-64/128 which has a 128-bit key, a 120-bit nonce, - * and a 64-bit tag, built around the SPECK-64/128 block cipher. 
- * - * There is also another family member that is built around AES but - * this library does not implement that version. - * - * References: https://www.isical.ac.in/~lightweight/comet/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for all COMET family members. - */ -#define COMET_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for the 128-bit versions of COMET. - */ -#define COMET_128_TAG_SIZE 16 - -/** - * \brief Size of the authentication tag for the 64-bit versions of COMET. - */ -#define COMET_64_TAG_SIZE 8 - -/** - * \brief Size of the nonce for the 128-bit versions of COMET. - */ -#define COMET_128_NONCE_SIZE 16 - -/** - * \brief Size of the nonce for the 64-bit versions of COMET. - */ -#define COMET_64_NONCE_SIZE 15 - -/** - * \brief Meta-information block for the COMET-128_CHAM-128/128 cipher. - */ -extern aead_cipher_t const comet_128_cham_cipher; - -/** - * \brief Meta-information block for the COMET-64_CHAM-64/128 cipher. - */ -extern aead_cipher_t const comet_64_cham_cipher; - -/** - * \brief Meta-information block for the COMET-64_SPECK-64/128 cipher. - */ -extern aead_cipher_t const comet_64_speck_cipher; - -/** - * \brief Encrypts and authenticates a packet with COMET-128_CHAM-128/128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. 
- * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa comet_128_cham_aead_decrypt() - */ -int comet_128_cham_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with COMET-128_CHAM-128/128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa comet_128_cham_aead_encrypt() - */ -int comet_128_cham_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with COMET-64_CHAM-64/128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. 
- * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa comet_64_cham_aead_decrypt() - */ -int comet_64_cham_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with COMET-64_CHAM-64/128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa comet_64_cham_aead_encrypt() - */ -int comet_64_cham_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with COMET-64_SPECK-64/128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa comet_64_speck_aead_decrypt() - */ -int comet_64_speck_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with COMET-64_SPECK-64/128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. 
- * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa comet_64_speck_aead_encrypt() - */ -int comet_64_speck_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/encrypt.c b/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/encrypt.c deleted file mode 100644 index dc4f508..0000000 --- a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@
-
-#include "comet.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return comet_64_speck_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return comet_64_speck_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-cham.c b/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-cham.c
deleted file mode 100644
index 23351a3..0000000
--- a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-cham.c
+++ /dev/null
@@ -1,138 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-cham.h" -#include "internal-util.h" - -#if !defined(__AVR__) - -void cham128_128_encrypt - (const unsigned char *key, unsigned char *output, - const unsigned char *input) -{ - uint32_t x0, x1, x2, x3; - uint32_t k[8]; - uint8_t round; - - /* Unpack the key and generate the key schedule */ - k[0] = le_load_word32(key); - k[1] = le_load_word32(key + 4); - k[2] = le_load_word32(key + 8); - k[3] = le_load_word32(key + 12); - k[4] = k[1] ^ leftRotate1(k[1]) ^ leftRotate11(k[1]); - k[5] = k[0] ^ leftRotate1(k[0]) ^ leftRotate11(k[0]); - k[6] = k[3] ^ leftRotate1(k[3]) ^ leftRotate11(k[3]); - k[7] = k[2] ^ leftRotate1(k[2]) ^ leftRotate11(k[2]); - k[0] ^= leftRotate1(k[0]) ^ leftRotate8(k[0]); - k[1] ^= leftRotate1(k[1]) ^ leftRotate8(k[1]); - k[2] ^= leftRotate1(k[2]) ^ leftRotate8(k[2]); - k[3] ^= leftRotate1(k[3]) ^ leftRotate8(k[3]); - - /* Unpack the input block */ - x0 = le_load_word32(input); - x1 = le_load_word32(input + 4); - x2 = le_load_word32(input + 8); - x3 = le_load_word32(input + 12); - - /* Perform the 80 rounds eight at a time */ - for (round = 0; round < 80; round += 8) { - x0 = leftRotate8((x0 ^ round) + (leftRotate1(x1) ^ k[0])); - x1 = leftRotate1((x1 ^ (round + 1)) + (leftRotate8(x2) ^ k[1])); - x2 = leftRotate8((x2 ^ (round + 2)) + (leftRotate1(x3) ^ k[2])); - x3 = leftRotate1((x3 ^ (round + 3)) + (leftRotate8(x0) ^ k[3])); - x0 = leftRotate8((x0 ^ (round + 4)) + (leftRotate1(x1) ^ k[4])); - x1 = leftRotate1((x1 ^ (round + 5)) + (leftRotate8(x2) ^ k[5])); - x2 = leftRotate8((x2 ^ (round + 6)) + (leftRotate1(x3) ^ k[6])); - x3 = leftRotate1((x3 ^ (round + 7)) + (leftRotate8(x0) ^ k[7])); - } - - /* Pack the state into the output block */ - le_store_word32(output, x0); - le_store_word32(output + 4, x1); - le_store_word32(output + 8, x2); - le_store_word32(output + 12, x3); -} - -void cham64_128_encrypt - (const unsigned char *key, unsigned char *output, - const unsigned char *input) -{ - uint16_t x0, x1, x2, x3; - uint16_t 
k[16]; - uint8_t round; - - /* Unpack the key and generate the key schedule */ - k[0] = le_load_word16(key); - k[1] = le_load_word16(key + 2); - k[2] = le_load_word16(key + 4); - k[3] = le_load_word16(key + 6); - k[4] = le_load_word16(key + 8); - k[5] = le_load_word16(key + 10); - k[6] = le_load_word16(key + 12); - k[7] = le_load_word16(key + 14); - k[8] = k[1] ^ leftRotate1_16(k[1]) ^ leftRotate11_16(k[1]); - k[9] = k[0] ^ leftRotate1_16(k[0]) ^ leftRotate11_16(k[0]); - k[10] = k[3] ^ leftRotate1_16(k[3]) ^ leftRotate11_16(k[3]); - k[11] = k[2] ^ leftRotate1_16(k[2]) ^ leftRotate11_16(k[2]); - k[12] = k[5] ^ leftRotate1_16(k[5]) ^ leftRotate11_16(k[5]); - k[13] = k[4] ^ leftRotate1_16(k[4]) ^ leftRotate11_16(k[4]); - k[14] = k[7] ^ leftRotate1_16(k[7]) ^ leftRotate11_16(k[7]); - k[15] = k[6] ^ leftRotate1_16(k[6]) ^ leftRotate11_16(k[6]); - k[0] ^= leftRotate1_16(k[0]) ^ leftRotate8_16(k[0]); - k[1] ^= leftRotate1_16(k[1]) ^ leftRotate8_16(k[1]); - k[2] ^= leftRotate1_16(k[2]) ^ leftRotate8_16(k[2]); - k[3] ^= leftRotate1_16(k[3]) ^ leftRotate8_16(k[3]); - k[4] ^= leftRotate1_16(k[4]) ^ leftRotate8_16(k[4]); - k[5] ^= leftRotate1_16(k[5]) ^ leftRotate8_16(k[5]); - k[6] ^= leftRotate1_16(k[6]) ^ leftRotate8_16(k[6]); - k[7] ^= leftRotate1_16(k[7]) ^ leftRotate8_16(k[7]); - - /* Unpack the input block */ - x0 = le_load_word16(input); - x1 = le_load_word16(input + 2); - x2 = le_load_word16(input + 4); - x3 = le_load_word16(input + 6); - - /* Perform the 80 rounds four at a time */ - for (round = 0; round < 80; round += 4) { - x0 = leftRotate8_16 - ((x0 ^ round) + - (leftRotate1_16(x1) ^ k[round % 16])); - x1 = leftRotate1_16 - ((x1 ^ (round + 1)) + - (leftRotate8_16(x2) ^ k[(round + 1) % 16])); - x2 = leftRotate8_16 - ((x2 ^ (round + 2)) + - (leftRotate1_16(x3) ^ k[(round + 2) % 16])); - x3 = leftRotate1_16 - ((x3 ^ (round + 3)) + - (leftRotate8_16(x0) ^ k[(round + 3) % 16])); - } - - /* Pack the state into the output block */ - le_store_word16(output, x0); - 
le_store_word16(output + 2, x1);
- le_store_word16(output + 4, x2);
- le_store_word16(output + 6, x3);
-}
-
-#endif
diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.c b/comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.c
index d068de2..ceb0fd6 100644
--- a/comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.c
+++ b/comet/Implementations/crypto_aead/comet64speckv1/rhys/comet.c
@@ -22,6 +22,7 @@
 #include "comet.h"
 #include "internal-cham.h"
+#include "internal-speck64.h"
 #include "internal-util.h"
 #include
@@ -478,58 +479,6 @@ int comet_64_cham_aead_decrypt
 return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE);
 }
-/**
- * \brief Encrypts a 64-bit block with SPECK-64-128 in COMET byte order.
- *
- * \param key Points to the 16 bytes of the key.
- * \param output Output buffer which must be at least 8 bytes in length.
- * \param input Input buffer which must be at least 8 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * \note This version differs from standard SPECK-64 in that it uses the
- * little-endian byte order from the COMET specification which is different
- * from the big-endian byte order from the original SPECK paper.
- */
-static void speck64_128_comet_encrypt
- (const unsigned char *key, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t l[4];
- uint32_t x, y, s;
- uint8_t round;
- uint8_t li_in = 0;
- uint8_t li_out = 3;
-
- /* Unpack the key and the input block */
- s = le_load_word32(key);
- l[0] = le_load_word32(key + 4);
- l[1] = le_load_word32(key + 8);
- l[2] = le_load_word32(key + 12);
- y = le_load_word32(input);
- x = le_load_word32(input + 4);
-
- /* Perform all encryption rounds except the last */
- for (round = 0; round < 26; ++round) {
- /* Perform the round with the current key schedule word */
- x = (rightRotate8(x) + y) ^ s;
- y = leftRotate3(y) ^ x;
-
- /* Calculate the next key schedule word */
- l[li_out] = (s + rightRotate8(l[li_in])) ^ round;
- s = leftRotate3(s) ^ l[li_out];
- li_in = (li_in + 1) & 0x03;
- li_out = (li_out + 1) & 0x03;
- }
-
- /* Perform the last encryption round and write the result to the output */
- x = (rightRotate8(x) + y) ^ s;
- y = leftRotate3(y) ^ x;
- le_store_word32(output, y);
- le_store_word32(output + 4, x);
-}
-
 int comet_64_speck_aead_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
@@ -547,23 +496,23 @@ int comet_64_speck_aead_encrypt
 /* Set up the initial state of Y and Z */
 memset(Y, 0, 8);
- speck64_128_comet_encrypt(k, Y, Y);
+ speck64_128_encrypt(k, Y, Y);
 memcpy(Z, npub, 15);
 Z[15] = 0;
 lw_xor_block(Z, k, 16);
 /* Process the associated data */
 if (adlen > 0)
- comet_process_ad(Y, Z, 8, speck64_128_comet_encrypt, ad, adlen);
+ comet_process_ad(Y, Z, 8, speck64_128_encrypt, ad, adlen);
 /* Encrypt the plaintext to produce the ciphertext */
 if (mlen > 0)
- comet_encrypt_64(Y, Z, speck64_128_comet_encrypt, c, m, mlen);
+ comet_encrypt_64(Y, Z, speck64_128_encrypt, c, m, mlen);
 /* Generate the authentication tag */
 Z[15] ^= 0x80;
 comet_adjust_block_key(Z);
- speck64_128_comet_encrypt(Z, c + mlen, Y);
+ speck64_128_encrypt(Z, c + mlen, Y);
 return 0;
 }
@@ -586,22 +535,22 @@ int comet_64_speck_aead_decrypt
 /* Set up the initial state of Y and Z */
 memset(Y, 0, 8);
- speck64_128_comet_encrypt(k, Y, Y);
+ speck64_128_encrypt(k, Y, Y);
 memcpy(Z, npub, 15);
 Z[15] = 0;
 lw_xor_block(Z, k, 16);
 /* Process the associated data */
 if (adlen > 0)
- comet_process_ad(Y, Z, 8, speck64_128_comet_encrypt, ad, adlen);
+ comet_process_ad(Y, Z, 8, speck64_128_encrypt, ad, adlen);
 /* Decrypt the ciphertext to produce the plaintext */
 if (clen > COMET_64_TAG_SIZE)
- comet_decrypt_64(Y, Z, speck64_128_comet_encrypt, m, c, *mlen);
+ comet_decrypt_64(Y, Z, speck64_128_encrypt, m, c, *mlen);
 /* Check the authentication tag */
 Z[15] ^= 0x80;
 comet_adjust_block_key(Z);
- speck64_128_comet_encrypt(Z, Y, Y);
+ speck64_128_encrypt(Z, Y, Y);
 return aead_check_tag(m, *mlen, Y, c + *mlen, COMET_64_TAG_SIZE);
 }
diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-cham-avr.S b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham-avr.S
similarity index 100%
rename from comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-cham-avr.S
rename to comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham-avr.S
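Review bot: The `speck64_128_encrypt` calls substituted into `comet_64_speck_aead_encrypt` and `comet_64_speck_aead_decrypt` drop the byte-order contract that the deleted `speck64_128_comet_encrypt` spelled out in its `\note` (little-endian word loads per the COMET specification, not the big-endian order of the SPECK paper), and nothing in these hunks states that the replacement declared in `internal-speck64.h` follows the same convention. If it does, a one-line comment at the first call site such as `/* speck64_128_encrypt() uses COMET's little-endian block/key order; see internal-speck64.h */` keeps the next reader from assuming standard SPECK. A byte-order mismatch here would still compile and link; it would only show up as a different tag, so the known-answer test against the COMET-64_SPECK vectors is the check that should gate this change. The same substitution appears in the decrypt hunk at `@@ -586,22 +535,22 @@`; both enclosing functions start outside the hunks.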
diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.c b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.c
index e097dbd..23351a3 100644
--- a/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.c
+++ b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-cham.c
@@ -23,6 +23,8 @@
 #include "internal-cham.h"
 #include "internal-util.h"
+#if !defined(__AVR__)
+
 void cham128_128_encrypt
 (const unsigned char *key, unsigned char *output,
 const unsigned char *input)
@@ -132,3 +134,5 @@ void cham64_128_encrypt
 le_store_word16(output + 4, x2);
 le_store_word16(output + 6, x3);
 }
+
+#endif
diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-speck64-avr.S b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-speck64-avr.S
similarity index 100%
rename from comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-speck64-avr.S
rename to comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-speck64-avr.S
diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-speck64.c b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-speck64.c
similarity index 100%
rename from comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-speck64.c
rename to comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-speck64.c
diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-speck64.h b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-speck64.h
similarity index 100%
rename from comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-speck64.h
rename to comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-speck64.h
diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-util.h b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-util.h
index e79158c..e30166d 100644
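Review bot: The closing `+#endif` in the second hunk of internal-cham.c carries no trailing comment, whereas the equivalent guard added to internal-drysponge.c in this same diff closes with `#endif /* !__AVR__ */`; with the whole translation unit now inside the conditional, a reader at the bottom of the file cannot see which `#if` is being closed. Change it to `#endif /* !__AVR__ */` for consistency. On AVR builds this file then compiles to nothing, so `cham128_128_encrypt` and `cham64_128_encrypt` are presumably supplied by the renamed internal-cham-avr.S; the build must always assemble that file whenever `__AVR__` is defined, otherwise the symbols go missing at link time rather than at compile time, which is worth a sentence in the build notes.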
--- a/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-util.h
+++ b/comet/Implementations/crypto_aead/comet64speckv1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/api.h b/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/api.h
deleted file mode 100644
index b2f8a36..0000000
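Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` in the first hunk of internal-util.h is set unconditionally from `defined(__AVR__)`, so the composed branch added in the third hunk can only be compiled by an AVR toolchain; a host build has no way to select it and cross-check the 31 hand-composed `leftRotateN` macros against the generic `leftRotate((a), N)` form. Wrapping the existing five selector lines in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` lets a test build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` on the host and verify every rotation count mechanically. The table reads correctly on inspection (each `leftRotateN` composes to N and each `rightRotateN` maps to `leftRotate(32-N)`), but a transposed digit in any one of these lines would change a cipher's output silently rather than fail to compile, which is why a mechanical check is worth having. The same three hunks appear verbatim in the drygascon128 and drygascon256 copies of internal-util.h later in this diff.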
--- a/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/encrypt.c b/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/encrypt.c
deleted file mode 100644
index 663de84..0000000
--- a/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "drygascon.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return drygascon128_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return drygascon128_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/internal-drysponge-avr.S b/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge-avr.S
similarity index 100%
rename from drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/internal-drysponge-avr.S
rename to drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge-avr.S
diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.c b/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.c
index 67f1b27..6dfe48c 100644
--- a/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.c
+++ b/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-drysponge.c
@@ -23,6 +23,8 @@
 #include "internal-drysponge.h"
 #include
+#if !defined(__AVR__)
+
 /* Right rotations in bit-interleaved format */
 #define intRightRotateEven(x,bits) \
 (__extension__ ({ \
@@ -289,6 +291,8 @@ void drysponge256_g(drysponge256_state_t *state)
 }
 }
+#endif /* !__AVR__ */
+
 void drysponge128_g_core(drysponge128_state_t *state)
 {
 unsigned round;
@@ -304,6 +308,7 @@ void drysponge256_g_core(drysponge256_state_t *state)
 }
 /**
+ * \fn uint32_t drysponge_select_x(const uint32_t x[4], uint8_t index)
 * \brief Selects an element of x in constant time.
 *
 * \param x Points to the four elements of x.
@@ -311,6 +316,7 @@ void drysponge256_g_core(drysponge256_state_t *state)
 *
 * \return The selected element of x.
 */
+#if !defined(__AVR__)
 STATIC_INLINE uint32_t drysponge_select_x(const uint32_t x[4], uint8_t index)
 {
 /* We need to be careful how we select each element of x because
@@ -340,6 +346,11 @@ STATIC_INLINE uint32_t drysponge_select_x(const uint32_t x[4], uint8_t index)
 mask = -((uint32_t)((0x04 - (index ^ 0x03)) >> 2));
 return result ^ (x[3] & mask);
 }
+#else
+/* AVR is more or less immune to cache timing issues because it doesn't
+ * have anything like an L1 or L2 cache. Select the word directly */
+#define drysponge_select_x(x, index) ((x)[(index)])
+#endif
 /**
 * \brief Mixes a 32-bit value into the DrySPONGE128 state.
diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-util.h b/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-util.h
+++ b/drygascon/Implementations/crypto_aead/drygascon128/rhys/internal-util.h
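Review bot: The AVR `#else` branch in the last hunk replaces the constant-time `drysponge_select_x` with a plain array index, and its comment justifies that only by the absence of a cache; since `index` is exactly the value the masked version was protecting, the comment should state the assumption that actually makes direct indexing acceptable, namely that data loads on the 8-bit AVR core take the same number of cycles regardless of address, and that this must be revisited before the code is built for any part with a data cache or speculative loads. A wording such as `/* Direct indexing is acceptable on 8-bit AVR only because data loads have address-independent timing (no data cache); revisit before reusing on any cached core. */` records that. The function form only ever touches `x[0]`..`x[3]` through masks (the `x[3] & mask` tail is visible), whereas the macro indexes with `index` directly, so a value above 3 would read past the array on AVR; if callers guarantee 0..3 that is fine, but it belongs in the comment beside the macro. The same change appears in the drygascon256 copy of internal-drysponge.c later in this diff.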
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/api.h b/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/api.h
deleted file mode 100644
index 75fabd7..0000000
--- a/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 32
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 32
-#define CRYPTO_NOOVERLAP 1
diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/encrypt.c b/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/encrypt.c
deleted file mode 100644
index 9f3c373..0000000
--- a/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "drygascon.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return drygascon256_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return drygascon256_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/internal-drysponge-avr.S b/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge-avr.S
similarity index 100%
rename from drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/internal-drysponge-avr.S
rename to drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge-avr.S
diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.c b/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.c
index 67f1b27..6dfe48c 100644
--- a/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.c
+++ b/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-drysponge.c
@@ -23,6 +23,8 @@
 #include "internal-drysponge.h"
 #include
+#if !defined(__AVR__)
+
 /* Right rotations in bit-interleaved format */
 #define intRightRotateEven(x,bits) \
 (__extension__ ({ \
@@ -289,6 +291,8 @@ void drysponge256_g(drysponge256_state_t *state)
 }
 }
+#endif /* !__AVR__ */
+
 void drysponge128_g_core(drysponge128_state_t *state)
 {
 unsigned round;
@@ -304,6 +308,7 @@ void drysponge256_g_core(drysponge256_state_t *state)
 }
 /**
+ * \fn uint32_t drysponge_select_x(const uint32_t x[4], uint8_t index)
 * \brief Selects an element of x in constant time.
 *
 * \param x Points to the four elements of x.
@@ -311,6 +316,7 @@ void drysponge256_g_core(drysponge256_state_t *state)
 *
 * \return The selected element of x.
 */
+#if !defined(__AVR__)
 STATIC_INLINE uint32_t drysponge_select_x(const uint32_t x[4], uint8_t index)
 {
 /* We need to be careful how we select each element of x because
@@ -340,6 +346,11 @@ STATIC_INLINE uint32_t drysponge_select_x(const uint32_t x[4], uint8_t index)
 mask = -((uint32_t)((0x04 - (index ^ 0x03)) >> 2));
 return result ^ (x[3] & mask);
 }
+#else
+/* AVR is more or less immune to cache timing issues because it doesn't
+ * have anything like an L1 or L2 cache. Select the word directly */
+#define drysponge_select_x(x, index) ((x)[(index)])
+#endif
 /**
 * \brief Mixes a 32-bit value into the DrySPONGE128 state.
diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-util.h b/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-util.h
+++ b/drygascon/Implementations/crypto_aead/drygascon256/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/drygascon.c b/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/drygascon.c
deleted file mode 100644
index e963903..0000000
--- a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/drygascon.c
+++ /dev/null
@@ -1,421 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "drygascon.h"
-#include "internal-drysponge.h"
-#include
-
-aead_cipher_t const drygascon128_cipher = {
- "DryGASCON128",
- DRYGASCON128_KEY_SIZE,
- DRYGASCON128_NONCE_SIZE,
- DRYGASCON128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- drygascon128_aead_encrypt,
- drygascon128_aead_decrypt
-};
-
-aead_cipher_t const drygascon256_cipher = {
- "DryGASCON256",
- DRYGASCON256_KEY_SIZE,
- DRYGASCON256_NONCE_SIZE,
- DRYGASCON256_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- drygascon256_aead_encrypt,
- drygascon256_aead_decrypt
-};
-
-aead_hash_algorithm_t const drygascon128_hash_algorithm = {
- "DryGASCON128-HASH",
- sizeof(int),
- DRYGASCON128_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- drygascon128_hash,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const drygascon256_hash_algorithm = {
- "DryGASCON256-HASH",
- sizeof(int),
- DRYGASCON256_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- drygascon256_hash,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \brief Processes associated data for DryGASCON128.
- *
- * \param state DrySPONGE128 sponge state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data, must not be zero.
- * \param finalize Non-zero to finalize packet processing because
- * the message is zero-length.
- */
-static void drygascon128_process_ad
- (drysponge128_state_t *state, const unsigned char *ad,
- unsigned long long adlen, int finalize)
-{
- /* Process all blocks except the last one */
- while (adlen > DRYSPONGE128_RATE) {
- drysponge128_f_absorb(state, ad, DRYSPONGE128_RATE);
- drysponge128_g_core(state);
- ad += DRYSPONGE128_RATE;
- adlen -= DRYSPONGE128_RATE;
- }
-
- /* Process the last block with domain separation and padding */
- state->domain = DRYDOMAIN128_ASSOC_DATA;
- if (finalize)
- state->domain |= DRYDOMAIN128_FINAL;
- if (adlen < DRYSPONGE128_RATE)
- state->domain |= DRYDOMAIN128_PADDED;
- drysponge128_f_absorb(state, ad, (unsigned)adlen);
- drysponge128_g(state);
-}
-
-/**
- * \brief Processes associated data for DryGASCON256.
- *
- * \param state DrySPONGE256 sponge state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data, must not be zero.
- * \param finalize Non-zero to finalize packet processing because
- * the message is zero-length.
- */
-static void drygascon256_process_ad
- (drysponge256_state_t *state, const unsigned char *ad,
- unsigned long long adlen, int finalize)
-{
- /* Process all blocks except the last one */
- while (adlen > DRYSPONGE256_RATE) {
- drysponge256_f_absorb(state, ad, DRYSPONGE256_RATE);
- drysponge256_g_core(state);
- ad += DRYSPONGE256_RATE;
- adlen -= DRYSPONGE256_RATE;
- }
-
- /* Process the last block with domain separation and padding */
- state->domain = DRYDOMAIN256_ASSOC_DATA;
- if (finalize)
- state->domain |= DRYDOMAIN256_FINAL;
- if (adlen < DRYSPONGE256_RATE)
- state->domain |= DRYDOMAIN256_PADDED;
- drysponge256_f_absorb(state, ad, (unsigned)adlen);
- drysponge256_g(state);
-}
-
-int drygascon128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- drysponge128_state_t state;
- unsigned temp;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + DRYGASCON128_TAG_SIZE;
-
- /* Initialize the sponge state with the key and nonce */
- drysponge128_setup(&state, k, npub, adlen == 0 && mlen == 0);
-
- /* Process the associated data */
- if (adlen > 0)
- drygascon128_process_ad(&state, ad, adlen, mlen == 0);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- /* Processs all blocks except the last one */
- while (mlen > DRYSPONGE128_RATE) {
- drysponge128_f_absorb(&state, m, DRYSPONGE128_RATE);
- lw_xor_block_2_src(c, m, state.r.B, DRYSPONGE128_RATE);
- drysponge128_g(&state);
- c += DRYSPONGE128_RATE;
- m += DRYSPONGE128_RATE;
- mlen -= DRYSPONGE128_RATE;
- }
-
- /* Process the last block with domain separation and padding */
- state.domain = DRYDOMAIN128_MESSAGE | DRYDOMAIN128_FINAL;
- if (mlen < DRYSPONGE128_RATE)
- state.domain |= DRYDOMAIN128_PADDED;
- temp = (unsigned)mlen;
- drysponge128_f_absorb(&state, m, temp);
- lw_xor_block_2_src(c, m, state.r.B, temp);
- drysponge128_g(&state);
- c += temp;
- }
-
- /* Generate the authentication tag */
- memcpy(c, state.r.B, DRYGASCON128_TAG_SIZE);
- return 0;
-}
-
-int drygascon128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- drysponge128_state_t state;
- unsigned char *mtemp = m;
- unsigned temp;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < DRYGASCON128_TAG_SIZE)
- return -1;
- *mlen = clen - DRYGASCON128_TAG_SIZE;
-
- /* Initialize the sponge state with the key and nonce */
- clen -= DRYGASCON128_TAG_SIZE;
- drysponge128_setup(&state, k, npub, adlen == 0 && clen == 0);
-
- /* Process the associated data */
- if (adlen > 0)
- drygascon128_process_ad(&state, ad, adlen, clen == 0);
-
- /* Decrypt the ciphertext to produce the plaintext */
- if (clen > 0) {
- /* Processs all blocks except the last one */
- while (clen > DRYSPONGE128_RATE) {
- lw_xor_block_2_src(m, c, state.r.B, DRYSPONGE128_RATE);
- drysponge128_f_absorb(&state, m, DRYSPONGE128_RATE);
- drysponge128_g(&state);
- c += DRYSPONGE128_RATE;
- m += DRYSPONGE128_RATE;
- clen -= DRYSPONGE128_RATE;
- }
-
- /* Process the last block with domain separation and padding */
- state.domain = DRYDOMAIN128_MESSAGE | DRYDOMAIN128_FINAL;
- if (clen < DRYSPONGE128_RATE)
- state.domain |= DRYDOMAIN128_PADDED;
- temp = (unsigned)clen;
- lw_xor_block_2_src(m, c, state.r.B, temp);
- drysponge128_f_absorb(&state, m, temp);
- drysponge128_g(&state);
- c += temp;
- }
-
- /* Check the authentication tag */
- return aead_check_tag(mtemp, *mlen, state.r.B, c, DRYGASCON128_TAG_SIZE);
-}
-
-int drygascon256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- drysponge256_state_t state;
- unsigned temp;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + DRYGASCON256_TAG_SIZE;
-
- /* Initialize the sponge state with the key and nonce */
- drysponge256_setup(&state, k, npub, adlen == 0 && mlen == 0);
-
- /* Process the associated data */
- if (adlen > 0)
- drygascon256_process_ad(&state, ad, adlen, mlen == 0);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- /* Processs all blocks except the last one */
- while (mlen > DRYSPONGE256_RATE) {
- drysponge256_f_absorb(&state, m, DRYSPONGE256_RATE);
- lw_xor_block_2_src(c, m, state.r.B, DRYSPONGE256_RATE);
- drysponge256_g(&state);
- c += DRYSPONGE256_RATE;
- m += DRYSPONGE256_RATE;
- mlen -= DRYSPONGE256_RATE;
- }
-
- /* Process the last block with domain separation and padding */
- state.domain = DRYDOMAIN256_MESSAGE | DRYDOMAIN256_FINAL;
- if (mlen < DRYSPONGE256_RATE)
- state.domain |= DRYDOMAIN256_PADDED;
- temp = (unsigned)mlen;
- drysponge256_f_absorb(&state, m, temp);
- lw_xor_block_2_src(c, m, state.r.B, temp);
- drysponge256_g(&state);
- c += temp;
- }
-
- /* Generate the authentication tag */
- memcpy(c, state.r.B, 16);
- drysponge256_g(&state);
- memcpy(c + 16, state.r.B, 16);
- return 0;
-}
-
-int drygascon256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- drysponge256_state_t state;
- unsigned char *mtemp = m;
- unsigned temp;
- int result;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < DRYGASCON256_TAG_SIZE)
- return -1;
- *mlen = clen - DRYGASCON256_TAG_SIZE;
-
- /* Initialize the sponge state with the key and nonce */
- clen -= DRYGASCON256_TAG_SIZE;
- drysponge256_setup(&state, k, npub, adlen == 0 && clen == 0);
-
- /* Process the associated data */
- if (adlen > 0)
- drygascon256_process_ad(&state, ad, adlen, clen == 0);
-
- /* Decrypt the ciphertext to produce the plaintext */
- if (clen > 0) {
- /* Processs all blocks except the last one */
- while (clen > DRYSPONGE256_RATE) {
- lw_xor_block_2_src(m, c, state.r.B, DRYSPONGE256_RATE);
- drysponge256_f_absorb(&state, m, DRYSPONGE256_RATE);
- drysponge256_g(&state);
- c += DRYSPONGE256_RATE;
- m += DRYSPONGE256_RATE;
- clen -= DRYSPONGE256_RATE;
- }
-
- /* Process the last block with domain separation and padding */
- state.domain = DRYDOMAIN256_MESSAGE | DRYDOMAIN256_FINAL;
- if (clen < DRYSPONGE256_RATE)
- state.domain |= DRYDOMAIN256_PADDED;
- temp = (unsigned)clen;
- lw_xor_block_2_src(m, c, state.r.B, temp);
- drysponge256_f_absorb(&state, m, temp);
- drysponge256_g(&state);
- c += temp;
- }
-
- /* Check the authentication tag which is split into two pieces */
- result = aead_check_tag(0, 0, state.r.B, c, 16);
- drysponge256_g(&state);
- return aead_check_tag_precheck
- (mtemp, *mlen, state.r.B, c + 16, 16, ~result);
-}
-
-/**
- * \brief Precomputed initialization vector for DryGASCON128-HASH.
- *
- * This is the CST_H value from the DryGASCON specification after it
- * has been processed by the key setup function for DrySPONGE128.
- */
-static unsigned char const drygascon128_hash_init[] = {
- /* c */
- 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3,
- 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44,
- 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3,
- 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44,
- 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3,
- /* x */
- 0xa4, 0x09, 0x38, 0x22, 0x29, 0x9f, 0x31, 0xd0,
- 0x08, 0x2e, 0xfa, 0x98, 0xec, 0x4e, 0x6c, 0x89
-};
-
-int drygascon128_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- drysponge128_state_t state;
- memcpy(state.c.B, drygascon128_hash_init, sizeof(state.c.B));
- memcpy(state.x.B, drygascon128_hash_init + sizeof(state.c.B),
- sizeof(state.x.B));
- state.domain = 0;
- state.rounds = DRYSPONGE128_ROUNDS;
- drygascon128_process_ad(&state, in, inlen, 1);
- memcpy(out, state.r.B, 16);
- drysponge128_g(&state);
- memcpy(out + 16, state.r.B, 16);
- return 0;
-}
-
-/**
- * \brief Precomputed initialization vector for DryGASCON256-HASH.
- *
- * This is the CST_H value from the DryGASCON specification after it
- * has been processed by the key setup function for DrySPONGE256.
- */
-static unsigned char const drygascon256_hash_init[] = {
- /* c */
- 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3,
- 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44,
- 0xa4, 0x09, 0x38, 0x22, 0x29, 0x9f, 0x31, 0xd0,
- 0x08, 0x2e, 0xfa, 0x98, 0xec, 0x4e, 0x6c, 0x89,
- 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3,
- 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44,
- 0xa4, 0x09, 0x38, 0x22, 0x29, 0x9f, 0x31, 0xd0,
- 0x08, 0x2e, 0xfa, 0x98, 0xec, 0x4e, 0x6c, 0x89,
- 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3,
- /* x */
- 0x45, 0x28, 0x21, 0xe6, 0x38, 0xd0, 0x13, 0x77,
- 0xbe, 0x54, 0x66, 0xcf, 0x34, 0xe9, 0x0c, 0x6c
-};
-
-int drygascon256_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- drysponge256_state_t state;
- memcpy(state.c.B, drygascon256_hash_init, sizeof(state.c.B));
- memcpy(state.x.B, drygascon256_hash_init + sizeof(state.c.B),
- sizeof(state.x.B));
- state.domain = 0;
- state.rounds = DRYSPONGE256_ROUNDS;
- drygascon256_process_ad(&state, in, inlen, 1);
- memcpy(out, state.r.B, 16);
- drysponge256_g(&state);
- memcpy(out + 16, state.r.B, 16);
- drysponge256_g(&state);
- memcpy(out + 32, state.r.B, 16);
- drysponge256_g(&state);
- memcpy(out + 48, state.r.B, 16);
- return 0;
-}
diff --git a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/internal-drysponge.c b/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/internal-drysponge.c
deleted file mode 100644
index 6dfe48c..0000000
--- a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/internal-drysponge.c
+++ /dev/null
@@ -1,611 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-drysponge.h"
-#include
-
-#if !defined(__AVR__)
-
-/* Right rotations in bit-interleaved format */
-#define intRightRotateEven(x,bits) \
- (__extension__ ({ \
- uint32_t _x0 = (uint32_t)(x); \
- uint32_t _x1 = (uint32_t)((x) >> 32); \
- _x0 = rightRotate(_x0, (bits)); \
- _x1 = rightRotate(_x1, (bits)); \
- _x0 | (((uint64_t)_x1) << 32); \
- }))
-#define intRightRotateOdd(x,bits) \
- (__extension__ ({ \
- uint32_t _x0 = (uint32_t)(x); \
- uint32_t _x1 = (uint32_t)((x) >> 32); \
- _x0 = rightRotate(_x0, ((bits) + 1) % 32); \
- _x1 = rightRotate(_x1, (bits)); \
- _x1 | (((uint64_t)_x0) << 32); \
- }))
-#define intRightRotate1_64(x) \
- (__extension__ ({ \
- uint32_t _x0 = (uint32_t)(x); \
- uint32_t _x1 = (uint32_t)((x) >> 32); \
- _x0 = rightRotate1(_x0); \
- _x1 | (((uint64_t)_x0) << 32); \
- }))
-#define intRightRotate2_64(x) (intRightRotateEven((x), 1))
-#define intRightRotate3_64(x) (intRightRotateOdd((x), 1))
-#define intRightRotate4_64(x) (intRightRotateEven((x), 2))
-#define intRightRotate5_64(x) (intRightRotateOdd((x), 2))
-#define intRightRotate6_64(x) (intRightRotateEven((x), 3))
-#define intRightRotate7_64(x) (intRightRotateOdd((x), 3))
-#define intRightRotate8_64(x) (intRightRotateEven((x), 4))
-#define intRightRotate9_64(x) (intRightRotateOdd((x), 4))
-#define intRightRotate10_64(x) (intRightRotateEven((x), 5))
-#define intRightRotate11_64(x) (intRightRotateOdd((x), 5))
-#define intRightRotate12_64(x) (intRightRotateEven((x), 6))
-#define intRightRotate13_64(x) (intRightRotateOdd((x), 6))
-#define intRightRotate14_64(x) (intRightRotateEven((x), 7))
-#define intRightRotate15_64(x) (intRightRotateOdd((x), 7))
-#define intRightRotate16_64(x) (intRightRotateEven((x), 8))
-#define intRightRotate17_64(x) (intRightRotateOdd((x), 8))
-#define intRightRotate18_64(x) (intRightRotateEven((x), 9))
-#define intRightRotate19_64(x) (intRightRotateOdd((x), 9))
-#define intRightRotate20_64(x) (intRightRotateEven((x), 10))
-#define intRightRotate21_64(x) (intRightRotateOdd((x), 10))
-#define intRightRotate22_64(x) (intRightRotateEven((x), 11))
-#define intRightRotate23_64(x) (intRightRotateOdd((x), 11))
-#define intRightRotate24_64(x) (intRightRotateEven((x), 12))
-#define intRightRotate25_64(x) (intRightRotateOdd((x), 12))
-#define intRightRotate26_64(x) (intRightRotateEven((x), 13))
-#define intRightRotate27_64(x) (intRightRotateOdd((x), 13))
-#define intRightRotate28_64(x) (intRightRotateEven((x), 14))
-#define intRightRotate29_64(x) (intRightRotateOdd((x), 14))
-#define intRightRotate30_64(x) (intRightRotateEven((x), 15))
-#define intRightRotate31_64(x) (intRightRotateOdd((x), 15))
-#define intRightRotate32_64(x) (intRightRotateEven((x), 16))
-#define intRightRotate33_64(x) (intRightRotateOdd((x), 16))
-#define intRightRotate34_64(x) (intRightRotateEven((x), 17))
-#define intRightRotate35_64(x) (intRightRotateOdd((x), 17))
-#define intRightRotate36_64(x) (intRightRotateEven((x), 18))
-#define intRightRotate37_64(x) (intRightRotateOdd((x), 18))
-#define intRightRotate38_64(x) (intRightRotateEven((x), 19))
-#define intRightRotate39_64(x) (intRightRotateOdd((x), 19))
-#define intRightRotate40_64(x) (intRightRotateEven((x), 20))
-#define intRightRotate41_64(x) (intRightRotateOdd((x), 20))
-#define intRightRotate42_64(x) (intRightRotateEven((x), 21))
-#define intRightRotate43_64(x) (intRightRotateOdd((x), 21))
-#define intRightRotate44_64(x) (intRightRotateEven((x), 22))
-#define intRightRotate45_64(x) (intRightRotateOdd((x), 22))
-#define intRightRotate46_64(x) (intRightRotateEven((x), 23))
-#define intRightRotate47_64(x) (intRightRotateOdd((x), 23))
-#define intRightRotate48_64(x) (intRightRotateEven((x), 24))
-#define intRightRotate49_64(x) (intRightRotateOdd((x), 24))
-#define intRightRotate50_64(x) (intRightRotateEven((x), 25))
-#define intRightRotate51_64(x) (intRightRotateOdd((x), 25))
-#define intRightRotate52_64(x) (intRightRotateEven((x), 26))
-#define intRightRotate53_64(x) (intRightRotateOdd((x), 26))
-#define intRightRotate54_64(x) (intRightRotateEven((x), 27))
-#define intRightRotate55_64(x) (intRightRotateOdd((x), 27))
-#define intRightRotate56_64(x) (intRightRotateEven((x), 28))
-#define intRightRotate57_64(x) (intRightRotateOdd((x), 28))
-#define intRightRotate58_64(x) (intRightRotateEven((x), 29))
-#define intRightRotate59_64(x) (intRightRotateOdd((x), 29))
-#define intRightRotate60_64(x) (intRightRotateEven((x), 30))
-#define intRightRotate61_64(x) (intRightRotateOdd((x), 30))
-#define intRightRotate62_64(x) (intRightRotateEven((x), 31))
-#define intRightRotate63_64(x) (intRightRotateOdd((x), 31))
-
-void gascon128_core_round(gascon128_state_t *state, uint8_t round)
-{
- uint64_t t0, t1, t2, t3, t4;
-
- /* Load the state into local varaibles */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- uint64_t x0 = state->S[0];
- uint64_t x1 = state->S[1];
- uint64_t x2 = state->S[2];
- uint64_t x3 = state->S[3];
- uint64_t x4 = state->S[4];
-#else
- uint64_t x0 = le_load_word64(state->B);
- uint64_t x1 = le_load_word64(state->B + 8);
- uint64_t x2 = le_load_word64(state->B + 16);
- uint64_t x3 = le_load_word64(state->B + 24);
- uint64_t x4 = le_load_word64(state->B + 32);
-#endif
-
- /* Add the round constant to the middle of the state */
- x2 ^= ((0x0F - round) << 4) | round;
-
- /* Substitution layer */
- x0 ^= x4; x2 ^= x1; x4 ^= x3; t0 = (~x0) & x1; t1 = (~x1) & x2;
- t2 = (~x2) & x3; t3 = (~x3) & x4; t4 = (~x4) & x0; x0 ^= t1;
- x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0; x1 ^= x0; x3 ^= x2;
- x0 ^= x4; x2 = ~x2;
-
- /* Linear diffusion layer */
- x0 ^= intRightRotate19_64(x0) ^ intRightRotate28_64(x0);
- x1 ^= intRightRotate61_64(x1) ^ intRightRotate38_64(x1);
- x2 ^= intRightRotate1_64(x2) ^ intRightRotate6_64(x2);
- x3 ^= intRightRotate10_64(x3) ^ intRightRotate17_64(x3);
- x4 ^= intRightRotate7_64(x4) ^ intRightRotate40_64(x4);
-
- /* Write the local variables back to the state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->S[0] = x0;
- state->S[1] = x1;
- state->S[2] = x2;
- state->S[3] = x3;
- state->S[4] = x4;
-#else
- le_store_word64(state->B, x0);
- le_store_word64(state->B + 8, x1);
- le_store_word64(state->B + 16, x2);
- le_store_word64(state->B + 24, x3);
- le_store_word64(state->B + 32, x4);
-#endif
-}
-
-void gascon256_core_round(gascon256_state_t *state, uint8_t round)
-{
- uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8;
-
- /* Load the state into local varaibles */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- uint64_t x0 = state->S[0];
- uint64_t x1 = state->S[1];
- uint64_t x2 = state->S[2];
- uint64_t x3 = state->S[3];
- uint64_t x4 = state->S[4];
- uint64_t x5 = state->S[5];
- uint64_t x6 = state->S[6];
- uint64_t x7 = state->S[7];
- uint64_t x8 = state->S[8];
-#else
- uint64_t x0 = le_load_word64(state->B);
- uint64_t x1 = le_load_word64(state->B + 8);
- uint64_t x2 = le_load_word64(state->B + 16);
- uint64_t x3 = le_load_word64(state->B + 24);
- uint64_t x4 = le_load_word64(state->B + 32);
- uint64_t x5 = le_load_word64(state->B + 40);
- uint64_t x6 = le_load_word64(state->B + 48);
- uint64_t x7 = le_load_word64(state->B + 56);
- uint64_t x8 = le_load_word64(state->B + 64);
-#endif
-
- /* Add the round constant to the middle of the state */
- x4 ^= ((0x0F - round) << 4) | round;
-
- /* Substitution layer */
- x0 ^= x8; x2 ^= x1; x4 ^= x3; x6 ^= x5; x8 ^= x7; t0 = (~x0) & x1;
- t1 = (~x1) & x2; t2 = (~x2) & x3; t3 = (~x3) & x4; t4 = (~x4) & x5;
- t5 = (~x5) & x6; t6 = (~x6) & x7; t7 = (~x7) & x8; t8 = (~x8) & x0;
- x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t5; x5 ^= t6; x6 ^= t7;
- x7 ^= t8; x8 ^= t0; x1 ^= x0; x3 ^= x2; x5 ^= x4; x7 ^= x6; x0 ^= x8;
- x4 = ~x4;
-
- /* Linear diffusion layer */
- x0 ^= intRightRotate19_64(x0) ^ intRightRotate28_64(x0);
- x1 ^= intRightRotate61_64(x1) ^ intRightRotate38_64(x1);
- x2 ^= intRightRotate1_64(x2) ^ intRightRotate6_64(x2);
- x3 ^= intRightRotate10_64(x3) ^ intRightRotate17_64(x3);
- x4 ^= intRightRotate7_64(x4) ^ intRightRotate40_64(x4);
- x5 ^= intRightRotate31_64(x5) ^ intRightRotate26_64(x5);
- x6 ^= intRightRotate53_64(x6) ^ intRightRotate58_64(x6);
- x7 ^= intRightRotate9_64(x7) ^ intRightRotate46_64(x7);
- x8 ^= intRightRotate43_64(x8) ^ intRightRotate50_64(x8);
-
- /* Write the local variables back to the state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->S[0] = x0;
- state->S[1] = x1;
- state->S[2] = x2;
- state->S[3] = x3;
- state->S[4] = x4;
- state->S[5] = x5;
- state->S[6] = x6;
- state->S[7] = x7;
- state->S[8] = x8;
-#else
- le_store_word64(state->B, x0);
- le_store_word64(state->B + 8, x1);
- le_store_word64(state->B + 16, x2);
- le_store_word64(state->B + 24, x3);
- le_store_word64(state->B + 32, x4);
- le_store_word64(state->B + 40, x5);
- le_store_word64(state->B + 48, x6);
- le_store_word64(state->B + 56, x7);
- le_store_word64(state->B + 64, x8);
-#endif
-}
-
-void drysponge128_g(drysponge128_state_t *state)
-{
- unsigned round;
-
- /* Perform the first round. For each round we XOR the 16 bytes of
- * the output data with the first 16 bytes of the state. And then
- * XOR with the next 16 bytes of the state, rotated by 4 bytes */
- gascon128_core_round(&(state->c), 0);
- state->r.W[0] = state->c.W[0] ^ state->c.W[5];
- state->r.W[1] = state->c.W[1] ^ state->c.W[6];
- state->r.W[2] = state->c.W[2] ^ state->c.W[7];
- state->r.W[3] = state->c.W[3] ^ state->c.W[4];
-
- /* Perform the rest of the rounds */
- for (round = 1; round < state->rounds; ++round) {
- gascon128_core_round(&(state->c), round);
- state->r.W[0] ^= state->c.W[0] ^ state->c.W[5];
- state->r.W[1] ^= state->c.W[1] ^ state->c.W[6];
- state->r.W[2] ^= state->c.W[2] ^ state->c.W[7];
- state->r.W[3] ^= state->c.W[3] ^ state->c.W[4];
- }
-}
-
-void drysponge256_g(drysponge256_state_t *state)
-{
- unsigned round;
-
- /* Perform the first round. For each round we XOR the 16 bytes of
- * the output data with the first 16 bytes of the state. And then
- * XOR with the next 16 bytes of the state, rotated by 4 bytes.
- * And so on for a total of 64 bytes XOR'ed into the output data. */
- gascon256_core_round(&(state->c), 0);
- state->r.W[0] = state->c.W[0] ^ state->c.W[5] ^
- state->c.W[10] ^ state->c.W[15];
- state->r.W[1] = state->c.W[1] ^ state->c.W[6] ^
- state->c.W[11] ^ state->c.W[12];
- state->r.W[2] = state->c.W[2] ^ state->c.W[7] ^
- state->c.W[8] ^ state->c.W[13];
- state->r.W[3] = state->c.W[3] ^ state->c.W[4] ^
- state->c.W[9] ^ state->c.W[14];
-
- /* Perform the rest of the rounds */
- for (round = 1; round < state->rounds; ++round) {
- gascon256_core_round(&(state->c), round);
- state->r.W[0] ^= state->c.W[0] ^ state->c.W[5] ^
- state->c.W[10] ^ state->c.W[15];
- state->r.W[1] ^= state->c.W[1] ^ state->c.W[6] ^
- state->c.W[11] ^ state->c.W[12];
- state->r.W[2] ^= state->c.W[2] ^ state->c.W[7] ^
- state->c.W[8] ^ state->c.W[13];
- state->r.W[3] ^= state->c.W[3] ^ state->c.W[4] ^
- state->c.W[9] ^ state->c.W[14];
- }
-}
-
-#endif /* !__AVR__ */
-
-void drysponge128_g_core(drysponge128_state_t *state)
-{
- unsigned round;
- for (round = 0; round < state->rounds; ++round)
- gascon128_core_round(&(state->c), round);
-}
-
-void drysponge256_g_core(drysponge256_state_t *state)
-{
- unsigned round;
- for (round = 0; round < state->rounds; ++round)
- gascon256_core_round(&(state->c), round);
-}
-
-/**
- * \fn uint32_t drysponge_select_x(const uint32_t x[4], uint8_t index)
- * \brief Selects an element of x in constant time.
- *
- * \param x Points to the four elements of x.
- * \param index Index of which element to extract between 0 and 3.
- *
- * \return The selected element of x.
- */
-#if !defined(__AVR__)
-STATIC_INLINE uint32_t drysponge_select_x(const uint32_t x[4], uint8_t index)
-{
- /* We need to be careful how we select each element of x because
- * we are doing a data-dependent fetch here. Do the fetch in a way
- * that should avoid cache timing issues by fetching every element
- * of x and masking away the ones we don't want.
- *
- * There is a possible side channel here with respect to power analysis.
- * The "mask" value will be all-ones for the selected index and all-zeroes
- * for the other indexes. This may show up as different power consumption
- * for the "result ^= x[i] & mask" statement when i is the selected index.
- * Such a side channel could in theory allow reading the plaintext input
- * to the cipher by analysing the CPU's power consumption.
- *
- * The DryGASCON specification acknowledges the possibility of plaintext
- * recovery in section 7.4. For software mitigation the specification
- * suggests randomization of the indexes into c and x and randomization
- * of the order of processing words. We aren't doing that here yet.
- * Patches welcome to fix this.
- */
- uint32_t mask = -((uint32_t)((0x04 - index) >> 2));
- uint32_t result = x[0] & mask;
- mask = -((uint32_t)((0x04 - (index ^ 0x01)) >> 2));
- result ^= x[1] & mask;
- mask = -((uint32_t)((0x04 - (index ^ 0x02)) >> 2));
- result ^= x[2] & mask;
- mask = -((uint32_t)((0x04 - (index ^ 0x03)) >> 2));
- return result ^ (x[3] & mask);
-}
-#else
-/* AVR is more or less immune to cache timing issues because it doesn't
- * have anything like an L1 or L2 cache. Select the word directly */
-#define drysponge_select_x(x, index) ((x)[(index)])
-#endif
-
-/**
- * \brief Mixes a 32-bit value into the DrySPONGE128 state.
- *
- * \param state DrySPONGE128 state.
- * \param data The data to be mixed in the bottom 10 bits.
- */
-static void drysponge128_mix_phase_round
- (drysponge128_state_t *state, uint32_t data)
-{
- /* Mix in elements from x according to the 2-bit indexes in the data */
- state->c.W[0] ^= drysponge_select_x(state->x.W, data & 0x03);
- state->c.W[2] ^= drysponge_select_x(state->x.W, (data >> 2) & 0x03);
- state->c.W[4] ^= drysponge_select_x(state->x.W, (data >> 4) & 0x03);
- state->c.W[6] ^= drysponge_select_x(state->x.W, (data >> 6) & 0x03);
- state->c.W[8] ^= drysponge_select_x(state->x.W, (data >> 8) & 0x03);
-}
-
-/**
- * \brief Mixes a 32-bit value into the DrySPONGE256 state.
- *
- * \param state DrySPONGE256 state.
- * \param data The data to be mixed in the bottom 18 bits.
- */
-static void drysponge256_mix_phase_round
- (drysponge256_state_t *state, uint32_t data)
-{
- /* Mix in elements from x according to the 2-bit indexes in the data */
- state->c.W[0] ^= drysponge_select_x(state->x.W, data & 0x03);
- state->c.W[2] ^= drysponge_select_x(state->x.W, (data >> 2) & 0x03);
- state->c.W[4] ^= drysponge_select_x(state->x.W, (data >> 4) & 0x03);
- state->c.W[6] ^= drysponge_select_x(state->x.W, (data >> 6) & 0x03);
- state->c.W[8] ^= drysponge_select_x(state->x.W, (data >> 8) & 0x03);
- state->c.W[10] ^= drysponge_select_x(state->x.W, (data >> 10) & 0x03);
- state->c.W[12] ^= drysponge_select_x(state->x.W, (data >> 12) & 0x03);
- state->c.W[14] ^= drysponge_select_x(state->x.W, (data >> 14) & 0x03);
- state->c.W[16] ^= drysponge_select_x(state->x.W, (data >> 16) & 0x03);
-}
-
-/**
- * \brief Mixes an input block into a DrySPONGE128 state.
- *
- * \param state The DrySPONGE128 state.
- * \param data Full rate block containing the input data.
- */
-static void drysponge128_mix_phase
- (drysponge128_state_t *state, const unsigned char data[DRYSPONGE128_RATE])
-{
- /* Mix 10-bit groups into the output, with the domain
- * separator added to the last two groups */
- drysponge128_mix_phase_round
- (state, data[0] | (((uint32_t)(data[1])) << 8));
- gascon128_core_round(&(state->c), 0);
- drysponge128_mix_phase_round
- (state, (data[1] >> 2) | (((uint32_t)(data[2])) << 6));
- gascon128_core_round(&(state->c), 0);
- drysponge128_mix_phase_round
- (state, (data[2] >> 4) | (((uint32_t)(data[3])) << 4));
- gascon128_core_round(&(state->c), 0);
- drysponge128_mix_phase_round
- (state, (data[3] >> 6) | (((uint32_t)(data[4])) << 2));
- gascon128_core_round(&(state->c), 0);
- drysponge128_mix_phase_round
- (state, data[5] | (((uint32_t)(data[6])) << 8));
- gascon128_core_round(&(state->c), 0);
- drysponge128_mix_phase_round
- (state, (data[6] >> 2) | (((uint32_t)(data[7])) << 6));
- gascon128_core_round(&(state->c), 0);
- drysponge128_mix_phase_round
- (state, (data[7] >> 4) | (((uint32_t)(data[8])) << 4));
- gascon128_core_round(&(state->c), 0);
- drysponge128_mix_phase_round
- (state, (data[8] >> 6) | (((uint32_t)(data[9])) << 2));
- gascon128_core_round(&(state->c), 0);
- drysponge128_mix_phase_round
- (state, data[10] | (((uint32_t)(data[11])) << 8));
- gascon128_core_round(&(state->c), 0);
- drysponge128_mix_phase_round
- (state, (data[11] >> 2) | (((uint32_t)(data[12])) << 6));
- gascon128_core_round(&(state->c), 0);
- drysponge128_mix_phase_round
- (state, (data[12] >> 4) | (((uint32_t)(data[13])) << 4));
- gascon128_core_round(&(state->c), 0);
- drysponge128_mix_phase_round
- (state, ((data[13] >> 6) | (((uint32_t)(data[14])) << 2)));
- gascon128_core_round(&(state->c), 0);
- drysponge128_mix_phase_round(state, data[15] ^ state->domain);
- gascon128_core_round(&(state->c), 0);
- drysponge128_mix_phase_round(state, state->domain >> 10);
-
- /* Revert to the default domain separator for the next block */
- state->domain = 0;
-}
-
-/**
- * \brief Mixes an input block into a DrySPONGE256 state.
- *
- * \param state The DrySPONGE256 state.
- * \param data Full rate block containing the input data.
- */
-static void drysponge256_mix_phase
- (drysponge256_state_t *state, const unsigned char data[DRYSPONGE256_RATE])
-{
- /* Mix 18-bit groups into the output, with the domain in the last group */
- drysponge256_mix_phase_round
- (state, data[0] | (((uint32_t)(data[1])) << 8) |
- (((uint32_t)(data[2])) << 16));
- gascon256_core_round(&(state->c), 0);
- drysponge256_mix_phase_round
- (state, (data[2] >> 2) | (((uint32_t)(data[3])) << 6) |
- (((uint32_t)(data[4])) << 14));
- gascon256_core_round(&(state->c), 0);
- drysponge256_mix_phase_round
- (state, (data[4] >> 4) | (((uint32_t)(data[5])) << 4) |
- (((uint32_t)(data[6])) << 12));
- gascon256_core_round(&(state->c), 0);
- drysponge256_mix_phase_round
- (state, (data[6] >> 6) | (((uint32_t)(data[7])) << 2) |
- (((uint32_t)(data[8])) << 10));
- gascon256_core_round(&(state->c), 0);
- drysponge256_mix_phase_round
- (state, data[9] | (((uint32_t)(data[10])) << 8) |
- (((uint32_t)(data[11])) << 16));
- gascon256_core_round(&(state->c), 0);
- drysponge256_mix_phase_round
- (state, (data[11] >> 2) | (((uint32_t)(data[12])) << 6) |
- (((uint32_t)(data[13])) << 14));
- gascon256_core_round(&(state->c), 0);
- drysponge256_mix_phase_round
- (state, (data[13] >> 4) | (((uint32_t)(data[14])) << 4) |
- (((uint32_t)(data[15])) << 12));
- gascon256_core_round(&(state->c), 0);
- drysponge256_mix_phase_round
- (state, (data[15] >> 6) ^ state->domain);
-
- /* Revert to the default domain separator for the next block */
- state->domain = 0;
-}
-
-void drysponge128_f_absorb
- (drysponge128_state_t *state, const unsigned char *input, unsigned len)
-{
- if (len >= DRYSPONGE128_RATE) {
- drysponge128_mix_phase(state, input);
- } else {
- unsigned char padded[DRYSPONGE128_RATE];
- memcpy(padded, input, len);
- padded[len] = 0x01;
- memset(padded + len + 1, 0, DRYSPONGE128_RATE - len - 1);
- drysponge128_mix_phase(state, padded);
- }
-}
-
-void drysponge256_f_absorb
- (drysponge256_state_t *state, const unsigned char *input, unsigned len)
-{
- if (len >= DRYSPONGE256_RATE) {
- drysponge256_mix_phase(state, input);
- } else {
- unsigned char padded[DRYSPONGE256_RATE];
- memcpy(padded, input, len);
- padded[len] = 0x01;
- memset(padded + len + 1, 0, DRYSPONGE256_RATE - len - 1);
- drysponge256_mix_phase(state, padded);
- }
-}
-
-/**
- * \brief Determine if some of the words of an "x" value are identical.
- *
- * \param x Points to the "x" buffer to check.
- *
- * \return Non-zero if some of the words are the same, zero if they are
- * distinct from each other.
- *
- * We try to perform the check in constant time to avoid giving away
- * any information about the value of the key.
- */
-static int drysponge_x_words_are_same(const uint32_t x[4])
-{
- unsigned i, j;
- int result = 0;
- for (i = 0; i < 3; ++i) {
- for (j = i + 1; j < 4; ++j) {
- uint32_t check = x[i] ^ x[j];
- result |= (int)((0x100000000ULL - check) >> 32);
- }
- }
- return result;
-}
-
-void drysponge128_setup
- (drysponge128_state_t *state, const unsigned char *key,
- const unsigned char *nonce, int final_block)
-{
- /* Fill the GASCON-128 state with repeated copies of the key */
- memcpy(state->c.B, key, 16);
- memcpy(state->c.B + 16, key, 16);
- memcpy(state->c.B + 32, key, 8);
-
- /* Generate the "x" value for the state. All four words of "x"
- * must be unique because they will be used in drysponge_select_x()
- * as stand-ins for the bit pairs 00, 01, 10, and 11.
- *
- * Run the core block operation over and over until "x" is unique.
- * Technically the runtime here is key-dependent and not constant.
- * If the input key is randomized, this should only take 1 round
- * on average so it is "almost constant time".
- */ - do { - gascon128_core_round(&(state->c), 0); - } while (drysponge_x_words_are_same(state->c.W)); - memcpy(state->x.W, state->c.W, sizeof(state->x)); - - /* Replace the generated "x" value in the state with the key prefix */ - memcpy(state->c.W, key, sizeof(state->x)); - - /* Absorb the nonce into the state with an increased number of rounds */ - state->rounds = DRYSPONGE128_INIT_ROUNDS; - state->domain = DRYDOMAIN128_NONCE; - if (final_block) - state->domain |= DRYDOMAIN128_FINAL; - drysponge128_f_absorb(state, nonce, 16); - drysponge128_g(state); - - /* Set up the normal number of rounds for future operations */ - state->rounds = DRYSPONGE128_ROUNDS; -} - -void drysponge256_setup - (drysponge256_state_t *state, const unsigned char *key, - const unsigned char *nonce, int final_block) -{ - /* Fill the GASCON-256 state with repeated copies of the key */ - memcpy(state->c.B, key, 32); - memcpy(state->c.B + 32, key, 32); - memcpy(state->c.B + 64, key, 8); - - /* Generate the "x" value for the state */ - do { - gascon256_core_round(&(state->c), 0); - } while (drysponge_x_words_are_same(state->c.W)); - memcpy(state->x.W, state->c.W, sizeof(state->x)); - - /* Replace the generated "x" value in the state with the key prefix */ - memcpy(state->c.W, key, sizeof(state->x)); - - /* Absorb the nonce into the state with an increased number of rounds */ - state->rounds = DRYSPONGE256_INIT_ROUNDS; - state->domain = DRYDOMAIN256_NONCE; - if (final_block) - state->domain |= DRYDOMAIN256_FINAL; - drysponge256_f_absorb(state, nonce, 16); - drysponge256_g(state); - - /* Set up the normal number of rounds for future operations */ - state->rounds = DRYSPONGE256_ROUNDS; -} diff --git a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/internal-drysponge.h b/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/internal-drysponge.h deleted file mode 100644 index 05b0c16..0000000 
--- a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/internal-drysponge.h
+++ /dev/null
@@ -1,345 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_DRYSPONGE_H
-#define LW_INTERNAL_DRYSPONGE_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-drysponge.h
- * \brief Internal implementation of DrySPONGE for the DryGASCON cipher.
- *
- * References: https://github.com/sebastien-riou/DryGASCON
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the GASCON-128 permutation state in bytes.
- */
-#define GASCON128_STATE_SIZE 40
-
-/**
- * \brief Size of the GASCON-256 permutation state in bytes.
- */
-#define GASCON256_STATE_SIZE 72
-
-/**
- * \brief Rate of absorption and squeezing for DrySPONGE128.
- */
-#define DRYSPONGE128_RATE 16
-
-/**
- * \brief Rate of absorption and squeezing for DrySPONGE256.
- */
-#define DRYSPONGE256_RATE 16
-
-/**
- * \brief Size of the "x" value for DrySPONGE128.
- */
-#define DRYSPONGE128_XSIZE 16
-
-/**
- * \brief Size of the "x" value for DrySPONGE256.
- */
-#define DRYSPONGE256_XSIZE 16
-
-/**
- * \brief Normal number of rounds for DrySPONGE128 when absorbing
- * and squeezing data.
- */
-#define DRYSPONGE128_ROUNDS 7
-
-/**
- * \brief Number of rounds for DrySPONGE128 during initialization.
- */
-#define DRYSPONGE128_INIT_ROUNDS 11
-
-/**
- * \brief Normal number of rounds for DrySPONGE256 when absorbing
- * and squeezing data.
- */
-#define DRYSPONGE256_ROUNDS 8
-
-/**
- * \brief Number of rounds for DrySPONGE256 during initialization.
- */
-#define DRYSPONGE256_INIT_ROUNDS 12
-
-/**
- * \brief DrySPONGE128 domain bit for a padded block.
- */
-#define DRYDOMAIN128_PADDED (1 << 8)
-
-/**
- * \brief DrySPONGE128 domain bit for a final block.
- */
-#define DRYDOMAIN128_FINAL (1 << 9)
-
-/**
- * \brief DrySPONGE128 domain value for processing the nonce.
- */
-#define DRYDOMAIN128_NONCE (1 << 10)
-
-/**
- * \brief DrySPONGE128 domain value for processing the associated data.
- */
-#define DRYDOMAIN128_ASSOC_DATA (2 << 10)
-
-/**
- * \brief DrySPONGE128 domain value for processing the message.
- */
-#define DRYDOMAIN128_MESSAGE (3 << 10)
-
-/**
- * \brief DrySPONGE256 domain bit for a padded block.
- */
-#define DRYDOMAIN256_PADDED (1 << 2)
-
-/**
- * \brief DrySPONGE256 domain bit for a final block.
- */
-#define DRYDOMAIN256_FINAL (1 << 3)
-
-/**
- * \brief DrySPONGE256 domain value for processing the nonce.
- */
-#define DRYDOMAIN256_NONCE (1 << 4)
-
-/**
- * \brief DrySPONGE256 domain value for processing the associated data.
- */
-#define DRYDOMAIN256_ASSOC_DATA (2 << 4)
-
-/**
- * \brief DrySPONGE256 domain value for processing the message.
- */
-#define DRYDOMAIN256_MESSAGE (3 << 4)
-
-/**
- * \brief Internal state of the GASCON-128 permutation.
- */
-typedef union
-{
- uint64_t S[GASCON128_STATE_SIZE / 8]; /**< 64-bit words of the state */
- uint32_t W[GASCON128_STATE_SIZE / 4]; /**< 32-bit words of the state */
- uint8_t B[GASCON128_STATE_SIZE]; /**< Bytes of the state */
-
-} gascon128_state_t;
-
-/**
- * \brief Internal state of the GASCON-256 permutation.
- */
-typedef union
-{
- uint64_t S[GASCON256_STATE_SIZE / 8]; /**< 64-bit words of the state */
- uint32_t W[GASCON256_STATE_SIZE / 4]; /**< 32-bit words of the state */
- uint8_t B[GASCON256_STATE_SIZE]; /**< Bytes of the state */
-
-} gascon256_state_t;
-
-/**
- * \brief Structure of a rate block for DrySPONGE128.
- */
-typedef union
-{
- uint64_t S[DRYSPONGE128_RATE / 8]; /**< 64-bit words of the rate */
- uint32_t W[DRYSPONGE128_RATE / 4]; /**< 32-bit words of the rate */
- uint8_t B[DRYSPONGE128_RATE]; /**< Bytes of the rate */
-
-} drysponge128_rate_t;
-
-/**
- * \brief Structure of a rate block for DrySPONGE256.
- */
-typedef union
-{
- uint64_t S[DRYSPONGE256_RATE / 8]; /**< 64-bit words of the rate */
- uint32_t W[DRYSPONGE256_RATE / 4]; /**< 32-bit words of the rate */
- uint8_t B[DRYSPONGE256_RATE]; /**< Bytes of the rate */
-
-} drysponge256_rate_t;
-
-/**
- * \brief Structure of the "x" value for DrySPONGE128.
- */
-typedef union
-{
- uint64_t S[DRYSPONGE128_XSIZE / 8]; /**< 64-bit words of the rate */
- uint32_t W[DRYSPONGE128_XSIZE / 4]; /**< 32-bit words of the rate */
- uint8_t B[DRYSPONGE128_XSIZE]; /**< Bytes of the rate */
-
-} drysponge128_x_t;
-
-/**
- * \brief Structure of the "x" value for DrySPONGE256.
- */
-typedef union
-{
- uint64_t S[DRYSPONGE256_XSIZE / 8]; /**< 64-bit words of the rate */
- uint32_t W[DRYSPONGE256_XSIZE / 4]; /**< 32-bit words of the rate */
- uint8_t B[DRYSPONGE256_XSIZE]; /**< Bytes of the rate */
-
-} drysponge256_x_t;
-
-/**
- * \brief Structure of the rolling DrySPONGE128 state.
- */
-typedef struct
-{
- gascon128_state_t c; /**< GASCON-128 state for the capacity */
- drysponge128_rate_t r; /**< Buffer for a rate block of data */
- drysponge128_x_t x; /**< "x" value for the sponge */
- uint32_t domain; /**< Domain value to mix on next F call */
- uint32_t rounds; /**< Number of rounds for next G call */
-
-} drysponge128_state_t;
-
-/**
- * \brief Structure of the rolling DrySPONGE256 state.
- */
-typedef struct
-{
- gascon256_state_t c; /**< GASCON-256 state for the capacity */
- drysponge256_rate_t r; /**< Buffer for a rate block of data */
- drysponge256_x_t x; /**< "x" value for the sponge */
- uint32_t domain; /**< Domain value to mix on next F call */
- uint32_t rounds; /**< Number of rounds for next G call */
-
-} drysponge256_state_t;
-
-/**
- * \brief Permutes the GASCON-128 state using one iteration of CoreRound.
- *
- * \param state The GASCON-128 state to be permuted.
- * \param round The round number.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void gascon128_core_round(gascon128_state_t *state, uint8_t round);
-
-/**
- * \brief Permutes the GASCON-256 state using one iteration of CoreRound.
- *
- * \param state The GASCON-256 state to be permuted.
- * \param round The round number.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void gascon256_core_round(gascon256_state_t *state, uint8_t round);
-
-/**
- * \brief Performs the DrySPONGE128 G function which runs the core
- * rounds and squeezes data out of the GASGON-128 state.
- *
- * \param state The DrySPONGE128 state.
- *
- * The data that is squeezed out will be in state->r on exit.
- */
-void drysponge128_g(drysponge128_state_t *state);
-
-/**
- * \brief Performs the DrySPONGE256 G function which runs the core
- * rounds and squeezes data out of the GASGON-256 state.
- *
- * \param state The DrySPONGE256 state.
- *
- * The data that is squeezed out will be in state->r on exit.
- */ -void drysponge256_g(drysponge256_state_t *state); - -/** - * \brief Performs the DrySPONGE128 G function which runs the core - * rounds but does not squeeze out any output. - * - * \param state The DrySPONGE128 state. - */ -void drysponge128_g_core(drysponge128_state_t *state); - -/** - * \brief Performs the DrySPONGE256 G function which runs the core - * rounds but does not squeeze out any output. - * - * \param state The DrySPONGE256 state. - */ -void drysponge256_g_core(drysponge256_state_t *state); - -/** - * \brief Performs the absorption phase of the DrySPONGE128 F function. - * - * \param state The DrySPONGE128 state. - * \param input The block of input data to incorporate into the state. - * \param len The length of the input block, which must be less than - * or equal to DRYSPONGE128_RATE. Smaller input blocks will be padded. - * - * This function must be followed by a call to drysponge128_g() or - * drysponge128_g_core() to perform the full F operation. - */ -void drysponge128_f_absorb - (drysponge128_state_t *state, const unsigned char *input, unsigned len); - -/** - * \brief Performs the absorption phase of the DrySPONGE256 F function. - * - * \param state The DrySPONGE256 state. - * \param input The block of input data to incorporate into the state. - * \param len The length of the input block, which must be less than - * or equal to DRYSPONGE256_RATE. Smaller input blocks will be padded. - * - * This function must be followed by a call to drysponge256_g() or - * drysponge256_g_core() to perform the full F operation. - */ -void drysponge256_f_absorb - (drysponge256_state_t *state, const unsigned char *input, unsigned len); - -/** - * \brief Set up a DrySPONGE128 state to begin encryption or decryption. - * - * \param state The DrySPONGE128 state. - * \param key Points to the 16 bytes of the key. - * \param nonce Points to the 16 bytes of the nonce. - * \param final_block Non-zero if after key setup there will be no more blocks. 
- */ -void drysponge128_setup - (drysponge128_state_t *state, const unsigned char *key, - const unsigned char *nonce, int final_block); - -/** - * \brief Set up a DrySPONGE256 state to begin encryption or decryption. - * - * \param state The DrySPONGE256 state. - * \param key Points to the 32 bytes of the key. - * \param nonce Points to the 16 bytes of the nonce. - * \param final_block Non-zero if after key setup there will be no more blocks. - */ -void drysponge256_setup - (drysponge256_state_t *state, const unsigned char *key, - const unsigned char *nonce, int final_block); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/aead-common.c b/drygascon/Implementations/crypto_hash/drygascon128/rhys/aead-common.c similarity index 100% rename from ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/aead-common.c rename to drygascon/Implementations/crypto_hash/drygascon128/rhys/aead-common.c diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/aead-common.h b/drygascon/Implementations/crypto_hash/drygascon128/rhys/aead-common.h similarity index 100% rename from ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/aead-common.h rename to drygascon/Implementations/crypto_hash/drygascon128/rhys/aead-common.h diff --git a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/api.h b/drygascon/Implementations/crypto_hash/drygascon128/rhys/api.h similarity index 100% rename from drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/api.h rename to drygascon/Implementations/crypto_hash/drygascon128/rhys/api.h diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/drygascon.c b/drygascon/Implementations/crypto_hash/drygascon128/rhys/drygascon.c similarity index 100% rename from drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/drygascon.c rename to drygascon/Implementations/crypto_hash/drygascon128/rhys/drygascon.c 
diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/drygascon.h b/drygascon/Implementations/crypto_hash/drygascon128/rhys/drygascon.h
similarity index 100%
rename from drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/drygascon.h
rename to drygascon/Implementations/crypto_hash/drygascon128/rhys/drygascon.h
diff --git a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/hash.c b/drygascon/Implementations/crypto_hash/drygascon128/rhys/hash.c
similarity index 100%
rename from drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/hash.c
rename to drygascon/Implementations/crypto_hash/drygascon128/rhys/hash.c
diff --git a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/internal-drysponge-avr.S b/drygascon/Implementations/crypto_hash/drygascon128/rhys/internal-drysponge-avr.S
similarity index 100%
rename from drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/internal-drysponge-avr.S
rename to drygascon/Implementations/crypto_hash/drygascon128/rhys/internal-drysponge-avr.S
diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/internal-drysponge.c b/drygascon/Implementations/crypto_hash/drygascon128/rhys/internal-drysponge.c
similarity index 100%
rename from drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/internal-drysponge.c
rename to drygascon/Implementations/crypto_hash/drygascon128/rhys/internal-drysponge.c
diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/internal-drysponge.h b/drygascon/Implementations/crypto_hash/drygascon128/rhys/internal-drysponge.h
similarity index 100%
rename from drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/internal-drysponge.h
rename to drygascon/Implementations/crypto_hash/drygascon128/rhys/internal-drysponge.h
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/internal-util.h b/drygascon/Implementations/crypto_hash/drygascon128/rhys/internal-util.h
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/internal-util.h
rename to drygascon/Implementations/crypto_hash/drygascon128/rhys/internal-util.h
diff --git a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/drygascon.c b/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/drygascon.c
deleted file mode 100644
index e963903..0000000
--- a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/drygascon.c
+++ /dev/null
@@ -1,421 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */ - -#include "drygascon.h" -#include "internal-drysponge.h" -#include - -aead_cipher_t const drygascon128_cipher = { - "DryGASCON128", - DRYGASCON128_KEY_SIZE, - DRYGASCON128_NONCE_SIZE, - DRYGASCON128_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - drygascon128_aead_encrypt, - drygascon128_aead_decrypt -}; - -aead_cipher_t const drygascon256_cipher = { - "DryGASCON256", - DRYGASCON256_KEY_SIZE, - DRYGASCON256_NONCE_SIZE, - DRYGASCON256_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - drygascon256_aead_encrypt, - drygascon256_aead_decrypt -}; - -aead_hash_algorithm_t const drygascon128_hash_algorithm = { - "DryGASCON128-HASH", - sizeof(int), - DRYGASCON128_HASH_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - drygascon128_hash, - (aead_hash_init_t)0, - (aead_hash_update_t)0, - (aead_hash_finalize_t)0, - (aead_xof_absorb_t)0, - (aead_xof_squeeze_t)0 -}; - -aead_hash_algorithm_t const drygascon256_hash_algorithm = { - "DryGASCON256-HASH", - sizeof(int), - DRYGASCON256_HASH_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - drygascon256_hash, - (aead_hash_init_t)0, - (aead_hash_update_t)0, - (aead_hash_finalize_t)0, - (aead_xof_absorb_t)0, - (aead_xof_squeeze_t)0 -}; - -/** - * \brief Processes associated data for DryGASCON128. - * - * \param state DrySPONGE128 sponge state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data, must not be zero. - * \param finalize Non-zero to finalize packet processing because - * the message is zero-length. 
- */ -static void drygascon128_process_ad - (drysponge128_state_t *state, const unsigned char *ad, - unsigned long long adlen, int finalize) -{ - /* Process all blocks except the last one */ - while (adlen > DRYSPONGE128_RATE) { - drysponge128_f_absorb(state, ad, DRYSPONGE128_RATE); - drysponge128_g_core(state); - ad += DRYSPONGE128_RATE; - adlen -= DRYSPONGE128_RATE; - } - - /* Process the last block with domain separation and padding */ - state->domain = DRYDOMAIN128_ASSOC_DATA; - if (finalize) - state->domain |= DRYDOMAIN128_FINAL; - if (adlen < DRYSPONGE128_RATE) - state->domain |= DRYDOMAIN128_PADDED; - drysponge128_f_absorb(state, ad, (unsigned)adlen); - drysponge128_g(state); -} - -/** - * \brief Processes associated data for DryGASCON256. - * - * \param state DrySPONGE256 sponge state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data, must not be zero. - * \param finalize Non-zero to finalize packet processing because - * the message is zero-length. 
- */ -static void drygascon256_process_ad - (drysponge256_state_t *state, const unsigned char *ad, - unsigned long long adlen, int finalize) -{ - /* Process all blocks except the last one */ - while (adlen > DRYSPONGE256_RATE) { - drysponge256_f_absorb(state, ad, DRYSPONGE256_RATE); - drysponge256_g_core(state); - ad += DRYSPONGE256_RATE; - adlen -= DRYSPONGE256_RATE; - } - - /* Process the last block with domain separation and padding */ - state->domain = DRYDOMAIN256_ASSOC_DATA; - if (finalize) - state->domain |= DRYDOMAIN256_FINAL; - if (adlen < DRYSPONGE256_RATE) - state->domain |= DRYDOMAIN256_PADDED; - drysponge256_f_absorb(state, ad, (unsigned)adlen); - drysponge256_g(state); -} - -int drygascon128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - drysponge128_state_t state; - unsigned temp; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + DRYGASCON128_TAG_SIZE; - - /* Initialize the sponge state with the key and nonce */ - drysponge128_setup(&state, k, npub, adlen == 0 && mlen == 0); - - /* Process the associated data */ - if (adlen > 0) - drygascon128_process_ad(&state, ad, adlen, mlen == 0); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - /* Processs all blocks except the last one */ - while (mlen > DRYSPONGE128_RATE) { - drysponge128_f_absorb(&state, m, DRYSPONGE128_RATE); - lw_xor_block_2_src(c, m, state.r.B, DRYSPONGE128_RATE); - drysponge128_g(&state); - c += DRYSPONGE128_RATE; - m += DRYSPONGE128_RATE; - mlen -= DRYSPONGE128_RATE; - } - - /* Process the last block with domain separation and padding */ - state.domain = DRYDOMAIN128_MESSAGE | DRYDOMAIN128_FINAL; - if (mlen < DRYSPONGE128_RATE) - state.domain |= DRYDOMAIN128_PADDED; - temp = (unsigned)mlen; - drysponge128_f_absorb(&state, m, 
temp); - lw_xor_block_2_src(c, m, state.r.B, temp); - drysponge128_g(&state); - c += temp; - } - - /* Generate the authentication tag */ - memcpy(c, state.r.B, DRYGASCON128_TAG_SIZE); - return 0; -} - -int drygascon128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - drysponge128_state_t state; - unsigned char *mtemp = m; - unsigned temp; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < DRYGASCON128_TAG_SIZE) - return -1; - *mlen = clen - DRYGASCON128_TAG_SIZE; - - /* Initialize the sponge state with the key and nonce */ - clen -= DRYGASCON128_TAG_SIZE; - drysponge128_setup(&state, k, npub, adlen == 0 && clen == 0); - - /* Process the associated data */ - if (adlen > 0) - drygascon128_process_ad(&state, ad, adlen, clen == 0); - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > 0) { - /* Processs all blocks except the last one */ - while (clen > DRYSPONGE128_RATE) { - lw_xor_block_2_src(m, c, state.r.B, DRYSPONGE128_RATE); - drysponge128_f_absorb(&state, m, DRYSPONGE128_RATE); - drysponge128_g(&state); - c += DRYSPONGE128_RATE; - m += DRYSPONGE128_RATE; - clen -= DRYSPONGE128_RATE; - } - - /* Process the last block with domain separation and padding */ - state.domain = DRYDOMAIN128_MESSAGE | DRYDOMAIN128_FINAL; - if (clen < DRYSPONGE128_RATE) - state.domain |= DRYDOMAIN128_PADDED; - temp = (unsigned)clen; - lw_xor_block_2_src(m, c, state.r.B, temp); - drysponge128_f_absorb(&state, m, temp); - drysponge128_g(&state); - c += temp; - } - - /* Check the authentication tag */ - return aead_check_tag(mtemp, *mlen, state.r.B, c, DRYGASCON128_TAG_SIZE); -} - -int drygascon256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, 
unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - drysponge256_state_t state; - unsigned temp; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + DRYGASCON256_TAG_SIZE; - - /* Initialize the sponge state with the key and nonce */ - drysponge256_setup(&state, k, npub, adlen == 0 && mlen == 0); - - /* Process the associated data */ - if (adlen > 0) - drygascon256_process_ad(&state, ad, adlen, mlen == 0); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - /* Processs all blocks except the last one */ - while (mlen > DRYSPONGE256_RATE) { - drysponge256_f_absorb(&state, m, DRYSPONGE256_RATE); - lw_xor_block_2_src(c, m, state.r.B, DRYSPONGE256_RATE); - drysponge256_g(&state); - c += DRYSPONGE256_RATE; - m += DRYSPONGE256_RATE; - mlen -= DRYSPONGE256_RATE; - } - - /* Process the last block with domain separation and padding */ - state.domain = DRYDOMAIN256_MESSAGE | DRYDOMAIN256_FINAL; - if (mlen < DRYSPONGE256_RATE) - state.domain |= DRYDOMAIN256_PADDED; - temp = (unsigned)mlen; - drysponge256_f_absorb(&state, m, temp); - lw_xor_block_2_src(c, m, state.r.B, temp); - drysponge256_g(&state); - c += temp; - } - - /* Generate the authentication tag */ - memcpy(c, state.r.B, 16); - drysponge256_g(&state); - memcpy(c + 16, state.r.B, 16); - return 0; -} - -int drygascon256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - drysponge256_state_t state; - unsigned char *mtemp = m; - unsigned temp; - int result; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < DRYGASCON256_TAG_SIZE) - return -1; - *mlen = clen - DRYGASCON256_TAG_SIZE; - - /* Initialize the sponge state with the key and nonce */ - clen -= 
DRYGASCON256_TAG_SIZE; - drysponge256_setup(&state, k, npub, adlen == 0 && clen == 0); - - /* Process the associated data */ - if (adlen > 0) - drygascon256_process_ad(&state, ad, adlen, clen == 0); - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > 0) { - /* Processs all blocks except the last one */ - while (clen > DRYSPONGE256_RATE) { - lw_xor_block_2_src(m, c, state.r.B, DRYSPONGE256_RATE); - drysponge256_f_absorb(&state, m, DRYSPONGE256_RATE); - drysponge256_g(&state); - c += DRYSPONGE256_RATE; - m += DRYSPONGE256_RATE; - clen -= DRYSPONGE256_RATE; - } - - /* Process the last block with domain separation and padding */ - state.domain = DRYDOMAIN256_MESSAGE | DRYDOMAIN256_FINAL; - if (clen < DRYSPONGE256_RATE) - state.domain |= DRYDOMAIN256_PADDED; - temp = (unsigned)clen; - lw_xor_block_2_src(m, c, state.r.B, temp); - drysponge256_f_absorb(&state, m, temp); - drysponge256_g(&state); - c += temp; - } - - /* Check the authentication tag which is split into two pieces */ - result = aead_check_tag(0, 0, state.r.B, c, 16); - drysponge256_g(&state); - return aead_check_tag_precheck - (mtemp, *mlen, state.r.B, c + 16, 16, ~result); -} - -/** - * \brief Precomputed initialization vector for DryGASCON128-HASH. - * - * This is the CST_H value from the DryGASCON specification after it - * has been processed by the key setup function for DrySPONGE128. 
- */ -static unsigned char const drygascon128_hash_init[] = { - /* c */ - 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, - 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44, - 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, - 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44, - 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, - /* x */ - 0xa4, 0x09, 0x38, 0x22, 0x29, 0x9f, 0x31, 0xd0, - 0x08, 0x2e, 0xfa, 0x98, 0xec, 0x4e, 0x6c, 0x89 -}; - -int drygascon128_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - drysponge128_state_t state; - memcpy(state.c.B, drygascon128_hash_init, sizeof(state.c.B)); - memcpy(state.x.B, drygascon128_hash_init + sizeof(state.c.B), - sizeof(state.x.B)); - state.domain = 0; - state.rounds = DRYSPONGE128_ROUNDS; - drygascon128_process_ad(&state, in, inlen, 1); - memcpy(out, state.r.B, 16); - drysponge128_g(&state); - memcpy(out + 16, state.r.B, 16); - return 0; -} - -/** - * \brief Precomputed initialization vector for DryGASCON256-HASH. - * - * This is the CST_H value from the DryGASCON specification after it - * has been processed by the key setup function for DrySPONGE256. 
- */ -static unsigned char const drygascon256_hash_init[] = { - /* c */ - 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, - 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44, - 0xa4, 0x09, 0x38, 0x22, 0x29, 0x9f, 0x31, 0xd0, - 0x08, 0x2e, 0xfa, 0x98, 0xec, 0x4e, 0x6c, 0x89, - 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, - 0x13, 0x19, 0x8a, 0x2e, 0x03, 0x70, 0x73, 0x44, - 0xa4, 0x09, 0x38, 0x22, 0x29, 0x9f, 0x31, 0xd0, - 0x08, 0x2e, 0xfa, 0x98, 0xec, 0x4e, 0x6c, 0x89, - 0x24, 0x3f, 0x6a, 0x88, 0x85, 0xa3, 0x08, 0xd3, - /* x */ - 0x45, 0x28, 0x21, 0xe6, 0x38, 0xd0, 0x13, 0x77, - 0xbe, 0x54, 0x66, 0xcf, 0x34, 0xe9, 0x0c, 0x6c -}; - -int drygascon256_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - drysponge256_state_t state; - memcpy(state.c.B, drygascon256_hash_init, sizeof(state.c.B)); - memcpy(state.x.B, drygascon256_hash_init + sizeof(state.c.B), - sizeof(state.x.B)); - state.domain = 0; - state.rounds = DRYSPONGE256_ROUNDS; - drygascon256_process_ad(&state, in, inlen, 1); - memcpy(out, state.r.B, 16); - drysponge256_g(&state); - memcpy(out + 16, state.r.B, 16); - drysponge256_g(&state); - memcpy(out + 32, state.r.B, 16); - drysponge256_g(&state); - memcpy(out + 48, state.r.B, 16); - return 0; -} diff --git a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/internal-drysponge.c b/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/internal-drysponge.c deleted file mode 100644 index 6dfe48c..0000000 --- a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/internal-drysponge.c +++ /dev/null 
@@ -1,611 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-drysponge.h" -#include - -#if !defined(__AVR__) - -/* Right rotations in bit-interleaved format */ -#define intRightRotateEven(x,bits) \ - (__extension__ ({ \ - uint32_t _x0 = (uint32_t)(x); \ - uint32_t _x1 = (uint32_t)((x) >> 32); \ - _x0 = rightRotate(_x0, (bits)); \ - _x1 = rightRotate(_x1, (bits)); \ - _x0 | (((uint64_t)_x1) << 32); \ - })) -#define intRightRotateOdd(x,bits) \ - (__extension__ ({ \ - uint32_t _x0 = (uint32_t)(x); \ - uint32_t _x1 = (uint32_t)((x) >> 32); \ - _x0 = rightRotate(_x0, ((bits) + 1) % 32); \ - _x1 = rightRotate(_x1, (bits)); \ - _x1 | (((uint64_t)_x0) << 32); \ - })) -#define intRightRotate1_64(x) \ - (__extension__ ({ \ - uint32_t _x0 = (uint32_t)(x); \ - uint32_t _x1 = (uint32_t)((x) >> 32); \ - _x0 = rightRotate1(_x0); \ - _x1 | (((uint64_t)_x0) << 32); \ - })) -#define intRightRotate2_64(x) (intRightRotateEven((x), 1)) -#define intRightRotate3_64(x) (intRightRotateOdd((x), 1)) -#define intRightRotate4_64(x) (intRightRotateEven((x), 2)) -#define intRightRotate5_64(x) (intRightRotateOdd((x), 2)) -#define intRightRotate6_64(x) (intRightRotateEven((x), 3)) -#define intRightRotate7_64(x) (intRightRotateOdd((x), 3)) -#define intRightRotate8_64(x) (intRightRotateEven((x), 4)) -#define intRightRotate9_64(x) (intRightRotateOdd((x), 4)) -#define intRightRotate10_64(x) (intRightRotateEven((x), 5)) -#define intRightRotate11_64(x) (intRightRotateOdd((x), 5)) -#define intRightRotate12_64(x) (intRightRotateEven((x), 6)) -#define intRightRotate13_64(x) (intRightRotateOdd((x), 6)) -#define intRightRotate14_64(x) (intRightRotateEven((x), 7)) -#define intRightRotate15_64(x) (intRightRotateOdd((x), 7)) -#define intRightRotate16_64(x) (intRightRotateEven((x), 8)) -#define intRightRotate17_64(x) (intRightRotateOdd((x), 8)) -#define intRightRotate18_64(x) (intRightRotateEven((x), 9)) -#define intRightRotate19_64(x) (intRightRotateOdd((x), 9)) -#define intRightRotate20_64(x) (intRightRotateEven((x), 10)) -#define 
intRightRotate21_64(x) (intRightRotateOdd((x), 10)) -#define intRightRotate22_64(x) (intRightRotateEven((x), 11)) -#define intRightRotate23_64(x) (intRightRotateOdd((x), 11)) -#define intRightRotate24_64(x) (intRightRotateEven((x), 12)) -#define intRightRotate25_64(x) (intRightRotateOdd((x), 12)) -#define intRightRotate26_64(x) (intRightRotateEven((x), 13)) -#define intRightRotate27_64(x) (intRightRotateOdd((x), 13)) -#define intRightRotate28_64(x) (intRightRotateEven((x), 14)) -#define intRightRotate29_64(x) (intRightRotateOdd((x), 14)) -#define intRightRotate30_64(x) (intRightRotateEven((x), 15)) -#define intRightRotate31_64(x) (intRightRotateOdd((x), 15)) -#define intRightRotate32_64(x) (intRightRotateEven((x), 16)) -#define intRightRotate33_64(x) (intRightRotateOdd((x), 16)) -#define intRightRotate34_64(x) (intRightRotateEven((x), 17)) -#define intRightRotate35_64(x) (intRightRotateOdd((x), 17)) -#define intRightRotate36_64(x) (intRightRotateEven((x), 18)) -#define intRightRotate37_64(x) (intRightRotateOdd((x), 18)) -#define intRightRotate38_64(x) (intRightRotateEven((x), 19)) -#define intRightRotate39_64(x) (intRightRotateOdd((x), 19)) -#define intRightRotate40_64(x) (intRightRotateEven((x), 20)) -#define intRightRotate41_64(x) (intRightRotateOdd((x), 20)) -#define intRightRotate42_64(x) (intRightRotateEven((x), 21)) -#define intRightRotate43_64(x) (intRightRotateOdd((x), 21)) -#define intRightRotate44_64(x) (intRightRotateEven((x), 22)) -#define intRightRotate45_64(x) (intRightRotateOdd((x), 22)) -#define intRightRotate46_64(x) (intRightRotateEven((x), 23)) -#define intRightRotate47_64(x) (intRightRotateOdd((x), 23)) -#define intRightRotate48_64(x) (intRightRotateEven((x), 24)) -#define intRightRotate49_64(x) (intRightRotateOdd((x), 24)) -#define intRightRotate50_64(x) (intRightRotateEven((x), 25)) -#define intRightRotate51_64(x) (intRightRotateOdd((x), 25)) -#define intRightRotate52_64(x) (intRightRotateEven((x), 26)) -#define intRightRotate53_64(x) 
(intRightRotateOdd((x), 26)) -#define intRightRotate54_64(x) (intRightRotateEven((x), 27)) -#define intRightRotate55_64(x) (intRightRotateOdd((x), 27)) -#define intRightRotate56_64(x) (intRightRotateEven((x), 28)) -#define intRightRotate57_64(x) (intRightRotateOdd((x), 28)) -#define intRightRotate58_64(x) (intRightRotateEven((x), 29)) -#define intRightRotate59_64(x) (intRightRotateOdd((x), 29)) -#define intRightRotate60_64(x) (intRightRotateEven((x), 30)) -#define intRightRotate61_64(x) (intRightRotateOdd((x), 30)) -#define intRightRotate62_64(x) (intRightRotateEven((x), 31)) -#define intRightRotate63_64(x) (intRightRotateOdd((x), 31)) - -void gascon128_core_round(gascon128_state_t *state, uint8_t round) -{ - uint64_t t0, t1, t2, t3, t4; - - /* Load the state into local varaibles */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; - uint64_t x4 = state->S[4]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); - uint64_t x4 = le_load_word64(state->B + 32); -#endif - - /* Add the round constant to the middle of the state */ - x2 ^= ((0x0F - round) << 4) | round; - - /* Substitution layer */ - x0 ^= x4; x2 ^= x1; x4 ^= x3; t0 = (~x0) & x1; t1 = (~x1) & x2; - t2 = (~x2) & x3; t3 = (~x3) & x4; t4 = (~x4) & x0; x0 ^= t1; - x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0; x1 ^= x0; x3 ^= x2; - x0 ^= x4; x2 = ~x2; - - /* Linear diffusion layer */ - x0 ^= intRightRotate19_64(x0) ^ intRightRotate28_64(x0); - x1 ^= intRightRotate61_64(x1) ^ intRightRotate38_64(x1); - x2 ^= intRightRotate1_64(x2) ^ intRightRotate6_64(x2); - x3 ^= intRightRotate10_64(x3) ^ intRightRotate17_64(x3); - x4 ^= intRightRotate7_64(x4) ^ intRightRotate40_64(x4); - - /* Write the local variables back to the state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - 
state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; - state->S[4] = x4; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - le_store_word64(state->B + 24, x3); - le_store_word64(state->B + 32, x4); -#endif -} - -void gascon256_core_round(gascon256_state_t *state, uint8_t round) -{ - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8; - - /* Load the state into local varaibles */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; - uint64_t x4 = state->S[4]; - uint64_t x5 = state->S[5]; - uint64_t x6 = state->S[6]; - uint64_t x7 = state->S[7]; - uint64_t x8 = state->S[8]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); - uint64_t x4 = le_load_word64(state->B + 32); - uint64_t x5 = le_load_word64(state->B + 40); - uint64_t x6 = le_load_word64(state->B + 48); - uint64_t x7 = le_load_word64(state->B + 56); - uint64_t x8 = le_load_word64(state->B + 64); -#endif - - /* Add the round constant to the middle of the state */ - x4 ^= ((0x0F - round) << 4) | round; - - /* Substitution layer */ - x0 ^= x8; x2 ^= x1; x4 ^= x3; x6 ^= x5; x8 ^= x7; t0 = (~x0) & x1; - t1 = (~x1) & x2; t2 = (~x2) & x3; t3 = (~x3) & x4; t4 = (~x4) & x5; - t5 = (~x5) & x6; t6 = (~x6) & x7; t7 = (~x7) & x8; t8 = (~x8) & x0; - x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t5; x5 ^= t6; x6 ^= t7; - x7 ^= t8; x8 ^= t0; x1 ^= x0; x3 ^= x2; x5 ^= x4; x7 ^= x6; x0 ^= x8; - x4 = ~x4; - - /* Linear diffusion layer */ - x0 ^= intRightRotate19_64(x0) ^ intRightRotate28_64(x0); - x1 ^= intRightRotate61_64(x1) ^ intRightRotate38_64(x1); - x2 ^= intRightRotate1_64(x2) ^ intRightRotate6_64(x2); - x3 ^= intRightRotate10_64(x3) ^ intRightRotate17_64(x3); - x4 ^= intRightRotate7_64(x4) ^ intRightRotate40_64(x4); - x5 
^= intRightRotate31_64(x5) ^ intRightRotate26_64(x5); - x6 ^= intRightRotate53_64(x6) ^ intRightRotate58_64(x6); - x7 ^= intRightRotate9_64(x7) ^ intRightRotate46_64(x7); - x8 ^= intRightRotate43_64(x8) ^ intRightRotate50_64(x8); - - /* Write the local variables back to the state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; - state->S[4] = x4; - state->S[5] = x5; - state->S[6] = x6; - state->S[7] = x7; - state->S[8] = x8; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - le_store_word64(state->B + 24, x3); - le_store_word64(state->B + 32, x4); - le_store_word64(state->B + 40, x5); - le_store_word64(state->B + 48, x6); - le_store_word64(state->B + 56, x7); - le_store_word64(state->B + 64, x8); -#endif -} - -void drysponge128_g(drysponge128_state_t *state) -{ - unsigned round; - - /* Perform the first round. For each round we XOR the 16 bytes of - * the output data with the first 16 bytes of the state. And then - * XOR with the next 16 bytes of the state, rotated by 4 bytes */ - gascon128_core_round(&(state->c), 0); - state->r.W[0] = state->c.W[0] ^ state->c.W[5]; - state->r.W[1] = state->c.W[1] ^ state->c.W[6]; - state->r.W[2] = state->c.W[2] ^ state->c.W[7]; - state->r.W[3] = state->c.W[3] ^ state->c.W[4]; - - /* Perform the rest of the rounds */ - for (round = 1; round < state->rounds; ++round) { - gascon128_core_round(&(state->c), round); - state->r.W[0] ^= state->c.W[0] ^ state->c.W[5]; - state->r.W[1] ^= state->c.W[1] ^ state->c.W[6]; - state->r.W[2] ^= state->c.W[2] ^ state->c.W[7]; - state->r.W[3] ^= state->c.W[3] ^ state->c.W[4]; - } -} - -void drysponge256_g(drysponge256_state_t *state) -{ - unsigned round; - - /* Perform the first round. For each round we XOR the 16 bytes of - * the output data with the first 16 bytes of the state. And then - * XOR with the next 16 bytes of the state, rotated by 4 bytes. 
- * And so on for a total of 64 bytes XOR'ed into the output data. */ - gascon256_core_round(&(state->c), 0); - state->r.W[0] = state->c.W[0] ^ state->c.W[5] ^ - state->c.W[10] ^ state->c.W[15]; - state->r.W[1] = state->c.W[1] ^ state->c.W[6] ^ - state->c.W[11] ^ state->c.W[12]; - state->r.W[2] = state->c.W[2] ^ state->c.W[7] ^ - state->c.W[8] ^ state->c.W[13]; - state->r.W[3] = state->c.W[3] ^ state->c.W[4] ^ - state->c.W[9] ^ state->c.W[14]; - - /* Perform the rest of the rounds */ - for (round = 1; round < state->rounds; ++round) { - gascon256_core_round(&(state->c), round); - state->r.W[0] ^= state->c.W[0] ^ state->c.W[5] ^ - state->c.W[10] ^ state->c.W[15]; - state->r.W[1] ^= state->c.W[1] ^ state->c.W[6] ^ - state->c.W[11] ^ state->c.W[12]; - state->r.W[2] ^= state->c.W[2] ^ state->c.W[7] ^ - state->c.W[8] ^ state->c.W[13]; - state->r.W[3] ^= state->c.W[3] ^ state->c.W[4] ^ - state->c.W[9] ^ state->c.W[14]; - } -} - -#endif /* !__AVR__ */ - -void drysponge128_g_core(drysponge128_state_t *state) -{ - unsigned round; - for (round = 0; round < state->rounds; ++round) - gascon128_core_round(&(state->c), round); -} - -void drysponge256_g_core(drysponge256_state_t *state) -{ - unsigned round; - for (round = 0; round < state->rounds; ++round) - gascon256_core_round(&(state->c), round); -} - -/** - * \fn uint32_t drysponge_select_x(const uint32_t x[4], uint8_t index) - * \brief Selects an element of x in constant time. - * - * \param x Points to the four elements of x. - * \param index Index of which element to extract between 0 and 3. - * - * \return The selected element of x. - */ -#if !defined(__AVR__) -STATIC_INLINE uint32_t drysponge_select_x(const uint32_t x[4], uint8_t index) -{ - /* We need to be careful how we select each element of x because - * we are doing a data-dependent fetch here. Do the fetch in a way - * that should avoid cache timing issues by fetching every element - * of x and masking away the ones we don't want. 
- * - * There is a possible side channel here with respect to power analysis. - * The "mask" value will be all-ones for the selected index and all-zeroes - * for the other indexes. This may show up as different power consumption - * for the "result ^= x[i] & mask" statement when i is the selected index. - * Such a side channel could in theory allow reading the plaintext input - * to the cipher by analysing the CPU's power consumption. - * - * The DryGASCON specification acknowledges the possibility of plaintext - * recovery in section 7.4. For software mitigation the specification - * suggests randomization of the indexes into c and x and randomization - * of the order of processing words. We aren't doing that here yet. - * Patches welcome to fix this. - */ - uint32_t mask = -((uint32_t)((0x04 - index) >> 2)); - uint32_t result = x[0] & mask; - mask = -((uint32_t)((0x04 - (index ^ 0x01)) >> 2)); - result ^= x[1] & mask; - mask = -((uint32_t)((0x04 - (index ^ 0x02)) >> 2)); - result ^= x[2] & mask; - mask = -((uint32_t)((0x04 - (index ^ 0x03)) >> 2)); - return result ^ (x[3] & mask); -} -#else -/* AVR is more or less immune to cache timing issues because it doesn't - * have anything like an L1 or L2 cache. Select the word directly */ -#define drysponge_select_x(x, index) ((x)[(index)]) -#endif - -/** - * \brief Mixes a 32-bit value into the DrySPONGE128 state. - * - * \param state DrySPONGE128 state. - * \param data The data to be mixed in the bottom 10 bits. 
- */ -static void drysponge128_mix_phase_round - (drysponge128_state_t *state, uint32_t data) -{ - /* Mix in elements from x according to the 2-bit indexes in the data */ - state->c.W[0] ^= drysponge_select_x(state->x.W, data & 0x03); - state->c.W[2] ^= drysponge_select_x(state->x.W, (data >> 2) & 0x03); - state->c.W[4] ^= drysponge_select_x(state->x.W, (data >> 4) & 0x03); - state->c.W[6] ^= drysponge_select_x(state->x.W, (data >> 6) & 0x03); - state->c.W[8] ^= drysponge_select_x(state->x.W, (data >> 8) & 0x03); -} - -/** - * \brief Mixes a 32-bit value into the DrySPONGE256 state. - * - * \param state DrySPONGE256 state. - * \param data The data to be mixed in the bottom 18 bits. - */ -static void drysponge256_mix_phase_round - (drysponge256_state_t *state, uint32_t data) -{ - /* Mix in elements from x according to the 2-bit indexes in the data */ - state->c.W[0] ^= drysponge_select_x(state->x.W, data & 0x03); - state->c.W[2] ^= drysponge_select_x(state->x.W, (data >> 2) & 0x03); - state->c.W[4] ^= drysponge_select_x(state->x.W, (data >> 4) & 0x03); - state->c.W[6] ^= drysponge_select_x(state->x.W, (data >> 6) & 0x03); - state->c.W[8] ^= drysponge_select_x(state->x.W, (data >> 8) & 0x03); - state->c.W[10] ^= drysponge_select_x(state->x.W, (data >> 10) & 0x03); - state->c.W[12] ^= drysponge_select_x(state->x.W, (data >> 12) & 0x03); - state->c.W[14] ^= drysponge_select_x(state->x.W, (data >> 14) & 0x03); - state->c.W[16] ^= drysponge_select_x(state->x.W, (data >> 16) & 0x03); -} - -/** - * \brief Mixes an input block into a DrySPONGE128 state. - * - * \param state The DrySPONGE128 state. - * \param data Full rate block containing the input data. 
- */ -static void drysponge128_mix_phase - (drysponge128_state_t *state, const unsigned char data[DRYSPONGE128_RATE]) -{ - /* Mix 10-bit groups into the output, with the domain - * separator added to the last two groups */ - drysponge128_mix_phase_round - (state, data[0] | (((uint32_t)(data[1])) << 8)); - gascon128_core_round(&(state->c), 0); - drysponge128_mix_phase_round - (state, (data[1] >> 2) | (((uint32_t)(data[2])) << 6)); - gascon128_core_round(&(state->c), 0); - drysponge128_mix_phase_round - (state, (data[2] >> 4) | (((uint32_t)(data[3])) << 4)); - gascon128_core_round(&(state->c), 0); - drysponge128_mix_phase_round - (state, (data[3] >> 6) | (((uint32_t)(data[4])) << 2)); - gascon128_core_round(&(state->c), 0); - drysponge128_mix_phase_round - (state, data[5] | (((uint32_t)(data[6])) << 8)); - gascon128_core_round(&(state->c), 0); - drysponge128_mix_phase_round - (state, (data[6] >> 2) | (((uint32_t)(data[7])) << 6)); - gascon128_core_round(&(state->c), 0); - drysponge128_mix_phase_round - (state, (data[7] >> 4) | (((uint32_t)(data[8])) << 4)); - gascon128_core_round(&(state->c), 0); - drysponge128_mix_phase_round - (state, (data[8] >> 6) | (((uint32_t)(data[9])) << 2)); - gascon128_core_round(&(state->c), 0); - drysponge128_mix_phase_round - (state, data[10] | (((uint32_t)(data[11])) << 8)); - gascon128_core_round(&(state->c), 0); - drysponge128_mix_phase_round - (state, (data[11] >> 2) | (((uint32_t)(data[12])) << 6)); - gascon128_core_round(&(state->c), 0); - drysponge128_mix_phase_round - (state, (data[12] >> 4) | (((uint32_t)(data[13])) << 4)); - gascon128_core_round(&(state->c), 0); - drysponge128_mix_phase_round - (state, ((data[13] >> 6) | (((uint32_t)(data[14])) << 2))); - gascon128_core_round(&(state->c), 0); - drysponge128_mix_phase_round(state, data[15] ^ state->domain); - gascon128_core_round(&(state->c), 0); - drysponge128_mix_phase_round(state, state->domain >> 10); - - /* Revert to the default domain separator for the next block */ - 
state->domain = 0; -} - -/** - * \brief Mixes an input block into a DrySPONGE256 state. - * - * \param state The DrySPONGE256 state. - * \param data Full rate block containing the input data. - */ -static void drysponge256_mix_phase - (drysponge256_state_t *state, const unsigned char data[DRYSPONGE256_RATE]) -{ - /* Mix 18-bit groups into the output, with the domain in the last group */ - drysponge256_mix_phase_round - (state, data[0] | (((uint32_t)(data[1])) << 8) | - (((uint32_t)(data[2])) << 16)); - gascon256_core_round(&(state->c), 0); - drysponge256_mix_phase_round - (state, (data[2] >> 2) | (((uint32_t)(data[3])) << 6) | - (((uint32_t)(data[4])) << 14)); - gascon256_core_round(&(state->c), 0); - drysponge256_mix_phase_round - (state, (data[4] >> 4) | (((uint32_t)(data[5])) << 4) | - (((uint32_t)(data[6])) << 12)); - gascon256_core_round(&(state->c), 0); - drysponge256_mix_phase_round - (state, (data[6] >> 6) | (((uint32_t)(data[7])) << 2) | - (((uint32_t)(data[8])) << 10)); - gascon256_core_round(&(state->c), 0); - drysponge256_mix_phase_round - (state, data[9] | (((uint32_t)(data[10])) << 8) | - (((uint32_t)(data[11])) << 16)); - gascon256_core_round(&(state->c), 0); - drysponge256_mix_phase_round - (state, (data[11] >> 2) | (((uint32_t)(data[12])) << 6) | - (((uint32_t)(data[13])) << 14)); - gascon256_core_round(&(state->c), 0); - drysponge256_mix_phase_round - (state, (data[13] >> 4) | (((uint32_t)(data[14])) << 4) | - (((uint32_t)(data[15])) << 12)); - gascon256_core_round(&(state->c), 0); - drysponge256_mix_phase_round - (state, (data[15] >> 6) ^ state->domain); - - /* Revert to the default domain separator for the next block */ - state->domain = 0; -} - -void drysponge128_f_absorb - (drysponge128_state_t *state, const unsigned char *input, unsigned len) -{ - if (len >= DRYSPONGE128_RATE) { - drysponge128_mix_phase(state, input); - } else { - unsigned char padded[DRYSPONGE128_RATE]; - memcpy(padded, input, len); - padded[len] = 0x01; - memset(padded + 
len + 1, 0, DRYSPONGE128_RATE - len - 1); - drysponge128_mix_phase(state, padded); - } -} - -void drysponge256_f_absorb - (drysponge256_state_t *state, const unsigned char *input, unsigned len) -{ - if (len >= DRYSPONGE256_RATE) { - drysponge256_mix_phase(state, input); - } else { - unsigned char padded[DRYSPONGE256_RATE]; - memcpy(padded, input, len); - padded[len] = 0x01; - memset(padded + len + 1, 0, DRYSPONGE256_RATE - len - 1); - drysponge256_mix_phase(state, padded); - } -} - -/** - * \brief Determine if some of the words of an "x" value are identical. - * - * \param x Points to the "x" buffer to check. - * - * \return Non-zero if some of the words are the same, zero if they are - * distinct from each other. - * - * We try to perform the check in constant time to avoid giving away - * any information about the value of the key. - */ -static int drysponge_x_words_are_same(const uint32_t x[4]) -{ - unsigned i, j; - int result = 0; - for (i = 0; i < 3; ++i) { - for (j = i + 1; j < 4; ++j) { - uint32_t check = x[i] ^ x[j]; - result |= (int)((0x100000000ULL - check) >> 32); - } - } - return result; -} - -void drysponge128_setup - (drysponge128_state_t *state, const unsigned char *key, - const unsigned char *nonce, int final_block) -{ - /* Fill the GASCON-128 state with repeated copies of the key */ - memcpy(state->c.B, key, 16); - memcpy(state->c.B + 16, key, 16); - memcpy(state->c.B + 32, key, 8); - - /* Generate the "x" value for the state. All four words of "x" - * must be unique because they will be used in drysponge_select_x() - * as stand-ins for the bit pairs 00, 01, 10, and 11. - * - * Run the core block operation over and over until "x" is unique. - * Technically the runtime here is key-dependent and not constant. - * If the input key is randomized, this should only take 1 round - * on average so it is "almost constant time". 
- */ - do { - gascon128_core_round(&(state->c), 0); - } while (drysponge_x_words_are_same(state->c.W)); - memcpy(state->x.W, state->c.W, sizeof(state->x)); - - /* Replace the generated "x" value in the state with the key prefix */ - memcpy(state->c.W, key, sizeof(state->x)); - - /* Absorb the nonce into the state with an increased number of rounds */ - state->rounds = DRYSPONGE128_INIT_ROUNDS; - state->domain = DRYDOMAIN128_NONCE; - if (final_block) - state->domain |= DRYDOMAIN128_FINAL; - drysponge128_f_absorb(state, nonce, 16); - drysponge128_g(state); - - /* Set up the normal number of rounds for future operations */ - state->rounds = DRYSPONGE128_ROUNDS; -} - -void drysponge256_setup - (drysponge256_state_t *state, const unsigned char *key, - const unsigned char *nonce, int final_block) -{ - /* Fill the GASCON-256 state with repeated copies of the key */ - memcpy(state->c.B, key, 32); - memcpy(state->c.B + 32, key, 32); - memcpy(state->c.B + 64, key, 8); - - /* Generate the "x" value for the state */ - do { - gascon256_core_round(&(state->c), 0); - } while (drysponge_x_words_are_same(state->c.W)); - memcpy(state->x.W, state->c.W, sizeof(state->x)); - - /* Replace the generated "x" value in the state with the key prefix */ - memcpy(state->c.W, key, sizeof(state->x)); - - /* Absorb the nonce into the state with an increased number of rounds */ - state->rounds = DRYSPONGE256_INIT_ROUNDS; - state->domain = DRYDOMAIN256_NONCE; - if (final_block) - state->domain |= DRYDOMAIN256_FINAL; - drysponge256_f_absorb(state, nonce, 16); - drysponge256_g(state); - - /* Set up the normal number of rounds for future operations */ - state->rounds = DRYSPONGE256_ROUNDS; -} diff --git a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/internal-drysponge.h b/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/internal-drysponge.h deleted file mode 100644 index 05b0c16..0000000 
--- a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/internal-drysponge.h
+++ /dev/null
@@ -1,345 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_DRYSPONGE_H -#define LW_INTERNAL_DRYSPONGE_H - -#include "internal-util.h" - -/** - * \file internal-drysponge.h - * \brief Internal implementation of DrySPONGE for the DryGASCON cipher. - * - * References: https://github.com/sebastien-riou/DryGASCON - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the GASCON-128 permutation state in bytes. - */ -#define GASCON128_STATE_SIZE 40 - -/** - * \brief Size of the GASCON-256 permutation state in bytes. - */ -#define GASCON256_STATE_SIZE 72 - -/** - * \brief Rate of absorption and squeezing for DrySPONGE128. - */ -#define DRYSPONGE128_RATE 16 - -/** - * \brief Rate of absorption and squeezing for DrySPONGE256. - */ -#define DRYSPONGE256_RATE 16 - -/** - * \brief Size of the "x" value for DrySPONGE128. 
- */ -#define DRYSPONGE128_XSIZE 16 - -/** - * \brief Size of the "x" value for DrySPONGE256. - */ -#define DRYSPONGE256_XSIZE 16 - -/** - * \brief Normal number of rounds for DrySPONGE128 when absorbing - * and squeezing data. - */ -#define DRYSPONGE128_ROUNDS 7 - -/** - * \brief Number of rounds for DrySPONGE128 during initialization. - */ -#define DRYSPONGE128_INIT_ROUNDS 11 - -/** - * \brief Normal number of rounds for DrySPONGE256 when absorbing - * and squeezing data. - */ -#define DRYSPONGE256_ROUNDS 8 - -/** - * \brief Number of rounds for DrySPONGE256 during initialization. - */ -#define DRYSPONGE256_INIT_ROUNDS 12 - -/** - * \brief DrySPONGE128 domain bit for a padded block. - */ -#define DRYDOMAIN128_PADDED (1 << 8) - -/** - * \brief DrySPONGE128 domain bit for a final block. - */ -#define DRYDOMAIN128_FINAL (1 << 9) - -/** - * \brief DrySPONGE128 domain value for processing the nonce. - */ -#define DRYDOMAIN128_NONCE (1 << 10) - -/** - * \brief DrySPONGE128 domain value for processing the associated data. - */ -#define DRYDOMAIN128_ASSOC_DATA (2 << 10) - -/** - * \brief DrySPONGE128 domain value for processing the message. - */ -#define DRYDOMAIN128_MESSAGE (3 << 10) - -/** - * \brief DrySPONGE256 domain bit for a padded block. - */ -#define DRYDOMAIN256_PADDED (1 << 2) - -/** - * \brief DrySPONGE256 domain bit for a final block. - */ -#define DRYDOMAIN256_FINAL (1 << 3) - -/** - * \brief DrySPONGE256 domain value for processing the nonce. - */ -#define DRYDOMAIN256_NONCE (1 << 4) - -/** - * \brief DrySPONGE256 domain value for processing the associated data. - */ -#define DRYDOMAIN256_ASSOC_DATA (2 << 4) - -/** - * \brief DrySPONGE256 domain value for processing the message. - */ -#define DRYDOMAIN256_MESSAGE (3 << 4) - -/** - * \brief Internal state of the GASCON-128 permutation. 
- */ -typedef union -{ - uint64_t S[GASCON128_STATE_SIZE / 8]; /**< 64-bit words of the state */ - uint32_t W[GASCON128_STATE_SIZE / 4]; /**< 32-bit words of the state */ - uint8_t B[GASCON128_STATE_SIZE]; /**< Bytes of the state */ - -} gascon128_state_t; - -/** - * \brief Internal state of the GASCON-256 permutation. - */ -typedef union -{ - uint64_t S[GASCON256_STATE_SIZE / 8]; /**< 64-bit words of the state */ - uint32_t W[GASCON256_STATE_SIZE / 4]; /**< 32-bit words of the state */ - uint8_t B[GASCON256_STATE_SIZE]; /**< Bytes of the state */ - -} gascon256_state_t; - -/** - * \brief Structure of a rate block for DrySPONGE128. - */ -typedef union -{ - uint64_t S[DRYSPONGE128_RATE / 8]; /**< 64-bit words of the rate */ - uint32_t W[DRYSPONGE128_RATE / 4]; /**< 32-bit words of the rate */ - uint8_t B[DRYSPONGE128_RATE]; /**< Bytes of the rate */ - -} drysponge128_rate_t; - -/** - * \brief Structure of a rate block for DrySPONGE256. - */ -typedef union -{ - uint64_t S[DRYSPONGE256_RATE / 8]; /**< 64-bit words of the rate */ - uint32_t W[DRYSPONGE256_RATE / 4]; /**< 32-bit words of the rate */ - uint8_t B[DRYSPONGE256_RATE]; /**< Bytes of the rate */ - -} drysponge256_rate_t; - -/** - * \brief Structure of the "x" value for DrySPONGE128. - */ -typedef union -{ - uint64_t S[DRYSPONGE128_XSIZE / 8]; /**< 64-bit words of the rate */ - uint32_t W[DRYSPONGE128_XSIZE / 4]; /**< 32-bit words of the rate */ - uint8_t B[DRYSPONGE128_XSIZE]; /**< Bytes of the rate */ - -} drysponge128_x_t; - -/** - * \brief Structure of the "x" value for DrySPONGE256. - */ -typedef union -{ - uint64_t S[DRYSPONGE256_XSIZE / 8]; /**< 64-bit words of the rate */ - uint32_t W[DRYSPONGE256_XSIZE / 4]; /**< 32-bit words of the rate */ - uint8_t B[DRYSPONGE256_XSIZE]; /**< Bytes of the rate */ - -} drysponge256_x_t; - -/** - * \brief Structure of the rolling DrySPONGE128 state. 
- */
-typedef struct
-{
- gascon128_state_t c; /**< GASCON-128 state for the capacity */
- drysponge128_rate_t r; /**< Buffer for a rate block of data */
- drysponge128_x_t x; /**< "x" value for the sponge */
- uint32_t domain; /**< Domain value to mix on next F call */
- uint32_t rounds; /**< Number of rounds for next G call */
-
-} drysponge128_state_t;
-
-/**
- * \brief Structure of the rolling DrySPONGE256 state.
- */
-typedef struct
-{
- gascon256_state_t c; /**< GASCON-256 state for the capacity */
- drysponge256_rate_t r; /**< Buffer for a rate block of data */
- drysponge256_x_t x; /**< "x" value for the sponge */
- uint32_t domain; /**< Domain value to mix on next F call */
- uint32_t rounds; /**< Number of rounds for next G call */
-
-} drysponge256_state_t;
-
-/**
- * \brief Permutes the GASCON-128 state using one iteration of CoreRound.
- *
- * \param state The GASCON-128 state to be permuted.
- * \param round The round number.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void gascon128_core_round(gascon128_state_t *state, uint8_t round);
-
-/**
- * \brief Permutes the GASCON-256 state using one iteration of CoreRound.
- *
- * \param state The GASCON-256 state to be permuted.
- * \param round The round number.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void gascon256_core_round(gascon256_state_t *state, uint8_t round);
-
-/**
- * \brief Performs the DrySPONGE128 G function which runs the core
- * rounds and squeezes data out of the GASGON-128 state.
- *
- * \param state The DrySPONGE128 state.
- *
- * The data that is squeezed out will be in state->r on exit.
- */
-void drysponge128_g(drysponge128_state_t *state);
-
-/**
- * \brief Performs the DrySPONGE256 G function which runs the core
- * rounds and squeezes data out of the GASGON-256 state.
- *
- * \param state The DrySPONGE256 state.
- *
- * The data that is squeezed out will be in state->r on exit.
- */
-void drysponge256_g(drysponge256_state_t *state);
-
-/**
- * \brief Performs the DrySPONGE128 G function which runs the core
- * rounds but does not squeeze out any output.
- *
- * \param state The DrySPONGE128 state.
- */
-void drysponge128_g_core(drysponge128_state_t *state);
-
-/**
- * \brief Performs the DrySPONGE256 G function which runs the core
- * rounds but does not squeeze out any output.
- *
- * \param state The DrySPONGE256 state.
- */
-void drysponge256_g_core(drysponge256_state_t *state);
-
-/**
- * \brief Performs the absorption phase of the DrySPONGE128 F function.
- *
- * \param state The DrySPONGE128 state.
- * \param input The block of input data to incorporate into the state.
- * \param len The length of the input block, which must be less than
- * or equal to DRYSPONGE128_RATE. Smaller input blocks will be padded.
- *
- * This function must be followed by a call to drysponge128_g() or
- * drysponge128_g_core() to perform the full F operation.
- */
-void drysponge128_f_absorb
- (drysponge128_state_t *state, const unsigned char *input, unsigned len);
-
-/**
- * \brief Performs the absorption phase of the DrySPONGE256 F function.
- *
- * \param state The DrySPONGE256 state.
- * \param input The block of input data to incorporate into the state.
- * \param len The length of the input block, which must be less than
- * or equal to DRYSPONGE256_RATE. Smaller input blocks will be padded.
- *
- * This function must be followed by a call to drysponge256_g() or
- * drysponge256_g_core() to perform the full F operation.
- */
-void drysponge256_f_absorb
- (drysponge256_state_t *state, const unsigned char *input, unsigned len);
-
-/**
- * \brief Set up a DrySPONGE128 state to begin encryption or decryption.
- *
- * \param state The DrySPONGE128 state.
- * \param key Points to the 16 bytes of the key.
- * \param nonce Points to the 16 bytes of the nonce.
- * \param final_block Non-zero if after key setup there will be no more blocks.
- */
-void drysponge128_setup
- (drysponge128_state_t *state, const unsigned char *key,
- const unsigned char *nonce, int final_block);
-
-/**
- * \brief Set up a DrySPONGE256 state to begin encryption or decryption.
- *
- * \param state The DrySPONGE256 state.
- * \param key Points to the 32 bytes of the key.
- * \param nonce Points to the 16 bytes of the nonce.
- * \param final_block Non-zero if after key setup there will be no more blocks.
- */
-void drysponge256_setup
- (drysponge256_state_t *state, const unsigned char *key,
- const unsigned char *nonce, int final_block);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/aead-common.c b/drygascon/Implementations/crypto_hash/drygascon256/rhys/aead-common.c
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/aead-common.c
rename to drygascon/Implementations/crypto_hash/drygascon256/rhys/aead-common.c
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/aead-common.h b/drygascon/Implementations/crypto_hash/drygascon256/rhys/aead-common.h
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/aead-common.h
rename to drygascon/Implementations/crypto_hash/drygascon256/rhys/aead-common.h
diff --git a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/api.h b/drygascon/Implementations/crypto_hash/drygascon256/rhys/api.h
similarity index 100%
rename from drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/api.h
rename to drygascon/Implementations/crypto_hash/drygascon256/rhys/api.h
diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/drygascon.c b/drygascon/Implementations/crypto_hash/drygascon256/rhys/drygascon.c
similarity index 100%
rename from drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/drygascon.c
rename to drygascon/Implementations/crypto_hash/drygascon256/rhys/drygascon.c
diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/drygascon.h b/drygascon/Implementations/crypto_hash/drygascon256/rhys/drygascon.h
similarity index 100%
rename from drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/drygascon.h
rename to drygascon/Implementations/crypto_hash/drygascon256/rhys/drygascon.h
diff --git a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/hash.c b/drygascon/Implementations/crypto_hash/drygascon256/rhys/hash.c
similarity index 100%
rename from drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/hash.c
rename to drygascon/Implementations/crypto_hash/drygascon256/rhys/hash.c
diff --git a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/internal-drysponge-avr.S b/drygascon/Implementations/crypto_hash/drygascon256/rhys/internal-drysponge-avr.S
similarity index 100%
rename from drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/internal-drysponge-avr.S
rename to drygascon/Implementations/crypto_hash/drygascon256/rhys/internal-drysponge-avr.S
diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/internal-drysponge.c b/drygascon/Implementations/crypto_hash/drygascon256/rhys/internal-drysponge.c
similarity index 100%
rename from drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/internal-drysponge.c
rename to drygascon/Implementations/crypto_hash/drygascon256/rhys/internal-drysponge.c
diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/internal-drysponge.h b/drygascon/Implementations/crypto_hash/drygascon256/rhys/internal-drysponge.h
similarity index 100%
rename from drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/internal-drysponge.h
rename to drygascon/Implementations/crypto_hash/drygascon256/rhys/internal-drysponge.h
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/internal-util.h b/drygascon/Implementations/crypto_hash/drygascon256/rhys/internal-util.h
similarity index 100%
rename from ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/internal-util.h
rename to drygascon/Implementations/crypto_hash/drygascon256/rhys/internal-util.h
diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/api.h b/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/api.h
deleted file mode 100644
index 32c9622..0000000
--- a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 12
-#define CRYPTO_ABYTES 8
-#define CRYPTO_NOOVERLAP 1
diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/elephant.c b/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/elephant.c
deleted file mode 100644
index 2f7abb3..0000000
--- a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/elephant.c
+++ /dev/null
@@ -1,881 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "elephant.h"
-#include "internal-keccak.h"
-#include "internal-spongent.h"
-#include 
-
-aead_cipher_t const dumbo_cipher = {
- "Dumbo",
- DUMBO_KEY_SIZE,
- DUMBO_NONCE_SIZE,
- DUMBO_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- dumbo_aead_encrypt,
- dumbo_aead_decrypt
-};
-
-aead_cipher_t const jumbo_cipher = {
- "Jumbo",
- JUMBO_KEY_SIZE,
- JUMBO_NONCE_SIZE,
- JUMBO_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- jumbo_aead_encrypt,
- jumbo_aead_decrypt
-};
-
-aead_cipher_t const delirium_cipher = {
- "Delirium",
- DELIRIUM_KEY_SIZE,
- DELIRIUM_NONCE_SIZE,
- DELIRIUM_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- delirium_aead_encrypt,
- delirium_aead_decrypt
-};
-
-/**
- * \brief Applies the Dumbo LFSR to the mask.
- *
- * \param out The output mask.
- * \param in The input mask.
- */ -static void dumbo_lfsr - (unsigned char out[SPONGENT160_STATE_SIZE], - const unsigned char in[SPONGENT160_STATE_SIZE]) -{ - unsigned char temp = - leftRotate3_8(in[0]) ^ (in[3] << 7) ^ (in[13] >> 7); - unsigned index; - for (index = 0; index < SPONGENT160_STATE_SIZE - 1; ++index) - out[index] = in[index + 1]; - out[SPONGENT160_STATE_SIZE - 1] = temp; -} - -/** - * \brief Processes the nonce and associated data for Dumbo. - * - * \param state Points to the Spongent-pi[160] state. - * \param mask Points to the initial mask value. - * \param next Points to the next mask value. - * \param tag Points to the ongoing tag that is being computed. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data. - */ -static void dumbo_process_ad - (spongent160_state_t *state, - unsigned char mask[SPONGENT160_STATE_SIZE], - unsigned char next[SPONGENT160_STATE_SIZE], - unsigned char tag[DUMBO_TAG_SIZE], - const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned posn, size; - - /* We need the "previous" and "next" masks in each step. 
- * Compare the first such values */ - dumbo_lfsr(next, mask); - dumbo_lfsr(next, next); - - /* Absorb the nonce into the state */ - lw_xor_block_2_src(state->B, mask, next, SPONGENT160_STATE_SIZE); - lw_xor_block(state->B, npub, DUMBO_NONCE_SIZE); - - /* Absorb the rest of the associated data */ - posn = DUMBO_NONCE_SIZE; - while (adlen > 0) { - size = SPONGENT160_STATE_SIZE - posn; - if (size <= adlen) { - /* Process a complete block */ - lw_xor_block(state->B + posn, ad, size); - spongent160_permute(state); - lw_xor_block(state->B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state->B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state->B, DUMBO_TAG_SIZE); - dumbo_lfsr(mask, mask); - dumbo_lfsr(next, next); - lw_xor_block_2_src(state->B, mask, next, SPONGENT160_STATE_SIZE); - posn = 0; - } else { - /* Process the partial block at the end of the associated data */ - size = (unsigned)adlen; - lw_xor_block(state->B + posn, ad, size); - posn += size; - } - ad += size; - adlen -= size; - } - - /* Pad and absorb the final block */ - state->B[posn] ^= 0x01; - spongent160_permute(state); - lw_xor_block(state->B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state->B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state->B, DUMBO_TAG_SIZE); -} - -int dumbo_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - spongent160_state_t state; - unsigned char start[SPONGENT160_STATE_SIZE]; - unsigned char mask[SPONGENT160_STATE_SIZE]; - unsigned char next[SPONGENT160_STATE_SIZE]; - unsigned char tag[DUMBO_TAG_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + DUMBO_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, DUMBO_KEY_SIZE); - memset(state.B + DUMBO_KEY_SIZE, 0, sizeof(state.B) - DUMBO_KEY_SIZE); - spongent160_permute(&state); 
- memcpy(mask, state.B, DUMBO_KEY_SIZE); - memset(mask + DUMBO_KEY_SIZE, 0, sizeof(mask) - DUMBO_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - dumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Encrypt and authenticate the payload */ - while (mlen >= SPONGENT160_STATE_SIZE) { - /* Encrypt using the current mask */ - memcpy(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, m, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - memcpy(c, state.B, SPONGENT160_STATE_SIZE); - - /* Authenticate using the next mask */ - dumbo_lfsr(next, mask); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, next, SPONGENT160_STATE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, SPONGENT160_STATE_SIZE); - c += SPONGENT160_STATE_SIZE; - m += SPONGENT160_STATE_SIZE; - mlen -= SPONGENT160_STATE_SIZE; - } - if (mlen > 0) { - /* Encrypt the last block using the current mask */ - unsigned temp = (unsigned)mlen; - memcpy(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, m, temp); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - memcpy(c, state.B, temp); - - /* Authenticate the last block using the next mask */ - dumbo_lfsr(next, mask); - state.B[temp] = 0x01; - memset(state.B + temp + 1, 0, SPONGENT160_STATE_SIZE - temp - 1); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, next, 
SPONGENT160_STATE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - c += temp; - } else if (*clen != DUMBO_TAG_SIZE) { - /* Pad and authenticate when the last block is aligned */ - dumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); - state.B[0] ^= 0x01; - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - } - - /* Generate the authentication tag */ - memcpy(c, tag, DUMBO_TAG_SIZE); - return 0; -} - -int dumbo_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - spongent160_state_t state; - unsigned char *mtemp = m; - unsigned char start[SPONGENT160_STATE_SIZE]; - unsigned char mask[SPONGENT160_STATE_SIZE]; - unsigned char next[SPONGENT160_STATE_SIZE]; - unsigned char tag[DUMBO_TAG_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < DUMBO_TAG_SIZE) - return -1; - *mlen = clen - DUMBO_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, DUMBO_KEY_SIZE); - memset(state.B + DUMBO_KEY_SIZE, 0, sizeof(state.B) - DUMBO_KEY_SIZE); - spongent160_permute(&state); - memcpy(mask, state.B, DUMBO_KEY_SIZE); - memset(mask + DUMBO_KEY_SIZE, 0, sizeof(mask) - DUMBO_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - dumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Decrypt and authenticate 
the payload */ - clen -= DUMBO_TAG_SIZE; - while (clen >= SPONGENT160_STATE_SIZE) { - /* Authenticate using the next mask */ - dumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, c, SPONGENT160_STATE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - - /* Decrypt using the current mask */ - memcpy(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block_2_src(m, state.B, c, SPONGENT160_STATE_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, SPONGENT160_STATE_SIZE); - c += SPONGENT160_STATE_SIZE; - m += SPONGENT160_STATE_SIZE; - clen -= SPONGENT160_STATE_SIZE; - } - if (clen > 0) { - /* Authenticate the last block using the next mask */ - unsigned temp = (unsigned)clen; - dumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, c, temp); - state.B[temp] ^= 0x01; - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - - /* Decrypt the last block using the current mask */ - memcpy(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, temp); - lw_xor_block_2_src(m, state.B, c, temp); - c += temp; - } else if (*mlen != 0) { - /* Pad and authenticate when the last block is aligned */ - dumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); - state.B[0] ^= 0x01; - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - } - - 
/* Check the authentication tag */ - return aead_check_tag(mtemp, *mlen, tag, c, DUMBO_TAG_SIZE); -} - -/** - * \brief Applies the Jumbo LFSR to the mask. - * - * \param out The output mask. - * \param in The input mask. - */ -static void jumbo_lfsr - (unsigned char out[SPONGENT176_STATE_SIZE], - const unsigned char in[SPONGENT176_STATE_SIZE]) -{ - unsigned char temp = - leftRotate1_8(in[0]) ^ (in[3] << 7) ^ (in[19] >> 7); - unsigned index; - for (index = 0; index < SPONGENT176_STATE_SIZE - 1; ++index) - out[index] = in[index + 1]; - out[SPONGENT176_STATE_SIZE - 1] = temp; -} - -/** - * \brief Processes the nonce and associated data for Jumbo. - * - * \param state Points to the Spongent-pi[170] state. - * \param mask Points to the initial mask value. - * \param next Points to the next mask value. - * \param tag Points to the ongoing tag that is being computed. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data. - */ -static void jumbo_process_ad - (spongent176_state_t *state, - unsigned char mask[SPONGENT176_STATE_SIZE], - unsigned char next[SPONGENT176_STATE_SIZE], - unsigned char tag[JUMBO_TAG_SIZE], - const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned posn, size; - - /* We need the "previous" and "next" masks in each step. 
- * Compare the first such values */ - jumbo_lfsr(next, mask); - jumbo_lfsr(next, next); - - /* Absorb the nonce into the state */ - lw_xor_block_2_src(state->B, mask, next, SPONGENT176_STATE_SIZE); - lw_xor_block(state->B, npub, JUMBO_NONCE_SIZE); - - /* Absorb the rest of the associated data */ - posn = JUMBO_NONCE_SIZE; - while (adlen > 0) { - size = SPONGENT176_STATE_SIZE - posn; - if (size <= adlen) { - /* Process a complete block */ - lw_xor_block(state->B + posn, ad, size); - spongent176_permute(state); - lw_xor_block(state->B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state->B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state->B, JUMBO_TAG_SIZE); - jumbo_lfsr(mask, mask); - jumbo_lfsr(next, next); - lw_xor_block_2_src(state->B, mask, next, SPONGENT176_STATE_SIZE); - posn = 0; - } else { - /* Process the partial block at the end of the associated data */ - size = (unsigned)adlen; - lw_xor_block(state->B + posn, ad, size); - posn += size; - } - ad += size; - adlen -= size; - } - - /* Pad and absorb the final block */ - state->B[posn] ^= 0x01; - spongent176_permute(state); - lw_xor_block(state->B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state->B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state->B, JUMBO_TAG_SIZE); -} - -int jumbo_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - spongent176_state_t state; - unsigned char start[SPONGENT176_STATE_SIZE]; - unsigned char mask[SPONGENT176_STATE_SIZE]; - unsigned char next[SPONGENT176_STATE_SIZE]; - unsigned char tag[JUMBO_TAG_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + JUMBO_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, JUMBO_KEY_SIZE); - memset(state.B + JUMBO_KEY_SIZE, 0, sizeof(state.B) - JUMBO_KEY_SIZE); - spongent176_permute(&state); 
- memcpy(mask, state.B, JUMBO_KEY_SIZE); - memset(mask + JUMBO_KEY_SIZE, 0, sizeof(mask) - JUMBO_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - jumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Encrypt and authenticate the payload */ - while (mlen >= SPONGENT176_STATE_SIZE) { - /* Encrypt using the current mask */ - memcpy(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, m, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); - memcpy(c, state.B, SPONGENT176_STATE_SIZE); - - /* Authenticate using the next mask */ - jumbo_lfsr(next, mask); - lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, next, SPONGENT176_STATE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state.B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, SPONGENT176_STATE_SIZE); - c += SPONGENT176_STATE_SIZE; - m += SPONGENT176_STATE_SIZE; - mlen -= SPONGENT176_STATE_SIZE; - } - if (mlen > 0) { - /* Encrypt the last block using the current mask */ - unsigned temp = (unsigned)mlen; - memcpy(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, m, temp); - lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); - memcpy(c, state.B, temp); - - /* Authenticate the last block using the next mask */ - jumbo_lfsr(next, mask); - state.B[temp] = 0x01; - memset(state.B + temp + 1, 0, SPONGENT176_STATE_SIZE - temp - 1); - lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, next, 
SPONGENT176_STATE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state.B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); - c += temp; - } else if (*clen != JUMBO_TAG_SIZE) { - /* Pad and authenticate when the last block is aligned */ - jumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); - state.B[0] ^= 0x01; - spongent176_permute(&state); - lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state.B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); - } - - /* Generate the authentication tag */ - memcpy(c, tag, JUMBO_TAG_SIZE); - return 0; -} - -int jumbo_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - spongent176_state_t state; - unsigned char *mtemp = m; - unsigned char start[SPONGENT176_STATE_SIZE]; - unsigned char mask[SPONGENT176_STATE_SIZE]; - unsigned char next[SPONGENT176_STATE_SIZE]; - unsigned char tag[JUMBO_TAG_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < JUMBO_TAG_SIZE) - return -1; - *mlen = clen - JUMBO_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, JUMBO_KEY_SIZE); - memset(state.B + JUMBO_KEY_SIZE, 0, sizeof(state.B) - JUMBO_KEY_SIZE); - spongent176_permute(&state); - memcpy(mask, state.B, JUMBO_KEY_SIZE); - memset(mask + JUMBO_KEY_SIZE, 0, sizeof(mask) - JUMBO_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - jumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Decrypt and authenticate 
the payload */ - clen -= JUMBO_TAG_SIZE; - while (clen >= SPONGENT176_STATE_SIZE) { - /* Authenticate using the next mask */ - jumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, c, SPONGENT176_STATE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state.B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); - - /* Decrypt using the current mask */ - memcpy(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block_2_src(m, state.B, c, SPONGENT176_STATE_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, SPONGENT176_STATE_SIZE); - c += SPONGENT176_STATE_SIZE; - m += SPONGENT176_STATE_SIZE; - clen -= SPONGENT176_STATE_SIZE; - } - if (clen > 0) { - /* Authenticate the last block using the next mask */ - unsigned temp = (unsigned)clen; - jumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, c, temp); - state.B[temp] ^= 0x01; - spongent176_permute(&state); - lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state.B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); - - /* Decrypt the last block using the current mask */ - memcpy(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, mask, temp); - lw_xor_block_2_src(m, state.B, c, temp); - c += temp; - } else if (*mlen != 0) { - /* Pad and authenticate when the last block is aligned */ - jumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); - state.B[0] ^= 0x01; - spongent176_permute(&state); - lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state.B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); - } - - 
/* Check the authentication tag */ - return aead_check_tag(mtemp, *mlen, tag, c, JUMBO_TAG_SIZE); -} - -/** - * \brief Applies the Delirium LFSR to the mask. - * - * \param out The output mask. - * \param in The input mask. - */ -static void delirium_lfsr - (unsigned char out[KECCAKP_200_STATE_SIZE], - const unsigned char in[KECCAKP_200_STATE_SIZE]) -{ - unsigned char temp = - leftRotate1_8(in[0]) ^ leftRotate1_8(in[2]) ^ (in[13] << 1); - unsigned index; - for (index = 0; index < KECCAKP_200_STATE_SIZE - 1; ++index) - out[index] = in[index + 1]; - out[KECCAKP_200_STATE_SIZE - 1] = temp; -} - -/** - * \brief Processes the nonce and associated data for Delirium. - * - * \param state Points to the Keccak[200] state. - * \param mask Points to the initial mask value. - * \param next Points to the next mask value. - * \param tag Points to the ongoing tag that is being computed. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data. - */ -static void delirium_process_ad - (keccakp_200_state_t *state, - unsigned char mask[KECCAKP_200_STATE_SIZE], - unsigned char next[KECCAKP_200_STATE_SIZE], - unsigned char tag[DELIRIUM_TAG_SIZE], - const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned posn, size; - - /* We need the "previous" and "next" masks in each step. 
- * Compare the first such values */ - delirium_lfsr(next, mask); - delirium_lfsr(next, next); - - /* Absorb the nonce into the state */ - lw_xor_block_2_src(state->B, mask, next, KECCAKP_200_STATE_SIZE); - lw_xor_block(state->B, npub, DELIRIUM_NONCE_SIZE); - - /* Absorb the rest of the associated data */ - posn = DELIRIUM_NONCE_SIZE; - while (adlen > 0) { - size = KECCAKP_200_STATE_SIZE - posn; - if (size <= adlen) { - /* Process a complete block */ - lw_xor_block(state->B + posn, ad, size); - keccakp_200_permute(state); - lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE); - delirium_lfsr(mask, mask); - delirium_lfsr(next, next); - lw_xor_block_2_src(state->B, mask, next, KECCAKP_200_STATE_SIZE); - posn = 0; - } else { - /* Process the partial block at the end of the associated data */ - size = (unsigned)adlen; - lw_xor_block(state->B + posn, ad, size); - posn += size; - } - ad += size; - adlen -= size; - } - - /* Pad and absorb the final block */ - state->B[posn] ^= 0x01; - keccakp_200_permute(state); - lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE); -} - -int delirium_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - keccakp_200_state_t state; - unsigned char start[KECCAKP_200_STATE_SIZE]; - unsigned char mask[KECCAKP_200_STATE_SIZE]; - unsigned char next[KECCAKP_200_STATE_SIZE]; - unsigned char tag[DELIRIUM_TAG_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + DELIRIUM_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, DELIRIUM_KEY_SIZE); - memset(state.B + DELIRIUM_KEY_SIZE, 0, 
sizeof(state.B) - DELIRIUM_KEY_SIZE); - keccakp_200_permute(&state); - memcpy(mask, state.B, DELIRIUM_KEY_SIZE); - memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - delirium_process_ad(&state, mask, next, tag, npub, ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Encrypt and authenticate the payload */ - while (mlen >= KECCAKP_200_STATE_SIZE) { - /* Encrypt using the current mask */ - memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, m, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); - memcpy(c, state.B, KECCAKP_200_STATE_SIZE); - - /* Authenticate using the next mask */ - delirium_lfsr(next, mask); - lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, KECCAKP_200_STATE_SIZE); - c += KECCAKP_200_STATE_SIZE; - m += KECCAKP_200_STATE_SIZE; - mlen -= KECCAKP_200_STATE_SIZE; - } - if (mlen > 0) { - /* Encrypt the last block using the current mask */ - unsigned temp = (unsigned)mlen; - memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, m, temp); - lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); - memcpy(c, state.B, temp); - - /* Authenticate the last block using the next mask */ - delirium_lfsr(next, mask); - state.B[temp] = 0x01; - memset(state.B + temp + 1, 0, KECCAKP_200_STATE_SIZE - temp - 
1); - lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); - c += temp; - } else if (*clen != DELIRIUM_TAG_SIZE) { - /* Pad and authenticate when the last block is aligned */ - delirium_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); - state.B[0] ^= 0x01; - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); - } - - /* Generate the authentication tag */ - memcpy(c, tag, DELIRIUM_TAG_SIZE); - return 0; -} - -int delirium_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - keccakp_200_state_t state; - unsigned char *mtemp = m; - unsigned char start[KECCAKP_200_STATE_SIZE]; - unsigned char mask[KECCAKP_200_STATE_SIZE]; - unsigned char next[KECCAKP_200_STATE_SIZE]; - unsigned char tag[DELIRIUM_TAG_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < DELIRIUM_TAG_SIZE) - return -1; - *mlen = clen - DELIRIUM_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, DELIRIUM_KEY_SIZE); - memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE); - keccakp_200_permute(&state); - memcpy(mask, state.B, DELIRIUM_KEY_SIZE); - memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - delirium_process_ad(&state, mask, next, tag, npub, 
ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Decrypt and authenticate the payload */ - clen -= DELIRIUM_TAG_SIZE; - while (clen >= KECCAKP_200_STATE_SIZE) { - /* Authenticate using the next mask */ - delirium_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, c, KECCAKP_200_STATE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); - - /* Decrypt using the current mask */ - memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block_2_src(m, state.B, c, KECCAKP_200_STATE_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, KECCAKP_200_STATE_SIZE); - c += KECCAKP_200_STATE_SIZE; - m += KECCAKP_200_STATE_SIZE; - clen -= KECCAKP_200_STATE_SIZE; - } - if (clen > 0) { - /* Authenticate the last block using the next mask */ - unsigned temp = (unsigned)clen; - delirium_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, c, temp); - state.B[temp] ^= 0x01; - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); - - /* Decrypt the last block using the current mask */ - memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, temp); - lw_xor_block_2_src(m, state.B, c, temp); - c += temp; - } else if (*mlen != 0) { - /* Pad and authenticate when the last block is aligned */ - delirium_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); - state.B[0] ^= 
0x01;
- keccakp_200_permute(&state);
- lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
- lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
- lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
- }
-
- /* Check the authentication tag */
- return aead_check_tag(mtemp, *mlen, tag, c, DELIRIUM_TAG_SIZE);
-}
diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/elephant.h b/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/elephant.h
deleted file mode 100644
index f775e3d..0000000
--- a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/elephant.h
+++ /dev/null
@@ -1,291 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_ELEPHANT_H
-#define LWCRYPTO_ELEPHANT_H
-
-#include "aead-common.h"
-
-/**
- * \file elephant.h
- * \brief Elephant authenticated encryption algorithm family.
- *
- * Elephant is a family of authenticated encryption algorithms based
- * around the Spongent-pi and Keccak permutations.
- *
- * \li Dumbo has a 128-bit key, a 96-bit nonce, and a 64-bit authentication
- * tag. It is based around the Spongent-pi[160] permutation. This is
- * the primary member of the family.
- * \li Jumbo has a 128-bit key, a 96-bit nonce, and a 64-bit authentication
- * tag. It is based around the Spongent-pi[176] permutation.
- * \li Delirium has a 128-bit key, a 96-bit nonce, and a 128-bit authentication
- * tag. It is based around the Keccak[200] permutation.
- *
- * References: https://www.esat.kuleuven.be/cosic/elephant/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for Dumbo.
- */
-#define DUMBO_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Dumbo.
- */
-#define DUMBO_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for Dumbo.
- */
-#define DUMBO_NONCE_SIZE 12
-
-/**
- * \brief Size of the key for Jumbo.
- */
-#define JUMBO_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Jumbo.
- */
-#define JUMBO_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for Jumbo.
- */
-#define JUMBO_NONCE_SIZE 12
-
-/**
- * \brief Size of the key for Delirium.
- */
-#define DELIRIUM_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Delirium.
- */
-#define DELIRIUM_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for Delirium.
- */
-#define DELIRIUM_NONCE_SIZE 12
-
-/**
- * \brief Meta-information block for the Dumbo cipher.
- */
-extern aead_cipher_t const dumbo_cipher;
-
-/**
- * \brief Meta-information block for the Jumbo cipher.
- */
-extern aead_cipher_t const jumbo_cipher;
-
-/**
- * \brief Meta-information block for the Delirium cipher.
- */
-extern aead_cipher_t const delirium_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with Dumbo.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa dumbo_aead_decrypt() - */ -int dumbo_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Dumbo. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa dumbo_aead_encrypt() - */ -int dumbo_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Jumbo. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. 
- * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa jumbo_aead_decrypt() - */ -int jumbo_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Jumbo. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa jumbo_aead_encrypt() - */ -int jumbo_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Delirium. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa delirium_aead_decrypt() - */ -int delirium_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Delirium. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa delirium_aead_encrypt() - */ -int delirium_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/encrypt.c b/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/encrypt.c deleted file mode 100644 index df2a4b5..0000000 --- a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "elephant.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return dumbo_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return dumbo_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} 
diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-keccak.c b/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-keccak.c
deleted file mode 100644
index 60539df..0000000
--- a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-keccak.c
+++ /dev/null
@@ -1,214 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-keccak.h" - -#if !defined(__AVR__) - -/* Faster method to compute ((x + y) % 5) that avoids the division */ -static unsigned char const addMod5Table[9] = { - 0, 1, 2, 3, 4, 0, 1, 2, 3 -}; -#define addMod5(x, y) (addMod5Table[(x) + (y)]) - -void keccakp_200_permute(keccakp_200_state_t *state) -{ - static uint8_t const RC[18] = { - 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, - 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, - 0x02, 0x80 - }; - uint8_t C[5]; - uint8_t D; - unsigned round; - unsigned index, index2; - for (round = 0; round < 18; ++round) { - /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. 
Compute D on the fly */ - for (index = 0; index < 5; ++index) { - C[index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; - } - for (index = 0; index < 5; ++index) { - D = C[addMod5(index, 4)] ^ - leftRotate1_8(C[addMod5(index, 1)]); - for (index2 = 0; index2 < 5; ++index2) - state->A[index2][index] ^= D; - } - - /* Step mapping rho and pi combined into a single step. - * Rotate all lanes by a specific offset and rearrange */ - D = state->A[0][1]; - state->A[0][1] = leftRotate4_8(state->A[1][1]); - state->A[1][1] = leftRotate4_8(state->A[1][4]); - state->A[1][4] = leftRotate5_8(state->A[4][2]); - state->A[4][2] = leftRotate7_8(state->A[2][4]); - state->A[2][4] = leftRotate2_8(state->A[4][0]); - state->A[4][0] = leftRotate6_8(state->A[0][2]); - state->A[0][2] = leftRotate3_8(state->A[2][2]); - state->A[2][2] = leftRotate1_8(state->A[2][3]); - state->A[2][3] = state->A[3][4]; - state->A[3][4] = state->A[4][3]; - state->A[4][3] = leftRotate1_8(state->A[3][0]); - state->A[3][0] = leftRotate3_8(state->A[0][4]); - state->A[0][4] = leftRotate6_8(state->A[4][4]); - state->A[4][4] = leftRotate2_8(state->A[4][1]); - state->A[4][1] = leftRotate7_8(state->A[1][3]); - state->A[1][3] = leftRotate5_8(state->A[3][1]); - state->A[3][1] = leftRotate4_8(state->A[1][0]); - state->A[1][0] = leftRotate4_8(state->A[0][3]); - state->A[0][3] = leftRotate5_8(state->A[3][3]); - state->A[3][3] = leftRotate7_8(state->A[3][2]); - state->A[3][2] = leftRotate2_8(state->A[2][1]); - state->A[2][1] = leftRotate6_8(state->A[1][2]); - state->A[1][2] = leftRotate3_8(state->A[2][0]); - state->A[2][0] = leftRotate1_8(D); - - /* Step mapping chi. 
Combine each lane with two others in its row */ - for (index = 0; index < 5; ++index) { - C[0] = state->A[index][0]; - C[1] = state->A[index][1]; - C[2] = state->A[index][2]; - C[3] = state->A[index][3]; - C[4] = state->A[index][4]; - for (index2 = 0; index2 < 5; ++index2) { - state->A[index][index2] = - C[index2] ^ - ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); - } - } - - /* Step mapping iota. XOR A[0][0] with the round constant */ - state->A[0][0] ^= RC[round]; - } -} - -#if defined(LW_UTIL_LITTLE_ENDIAN) -#define keccakp_400_permute_host keccakp_400_permute -#endif - -/* Keccak-p[400] that assumes that the input is already in host byte order */ -void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) -{ - static uint16_t const RC[20] = { - 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009, - 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, - 0x8002, 0x0080, 0x800A, 0x000A - }; - uint16_t C[5]; - uint16_t D; - unsigned round; - unsigned index, index2; - for (round = 20 - rounds; round < 20; ++round) { - /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. Compute D on the fly */ - for (index = 0; index < 5; ++index) { - C[index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; - } - for (index = 0; index < 5; ++index) { - D = C[addMod5(index, 4)] ^ - leftRotate1_16(C[addMod5(index, 1)]); - for (index2 = 0; index2 < 5; ++index2) - state->A[index2][index] ^= D; - } - - /* Step mapping rho and pi combined into a single step. 
- * Rotate all lanes by a specific offset and rearrange */ - D = state->A[0][1]; - state->A[0][1] = leftRotate12_16(state->A[1][1]); - state->A[1][1] = leftRotate4_16 (state->A[1][4]); - state->A[1][4] = leftRotate13_16(state->A[4][2]); - state->A[4][2] = leftRotate7_16 (state->A[2][4]); - state->A[2][4] = leftRotate2_16 (state->A[4][0]); - state->A[4][0] = leftRotate14_16(state->A[0][2]); - state->A[0][2] = leftRotate11_16(state->A[2][2]); - state->A[2][2] = leftRotate9_16 (state->A[2][3]); - state->A[2][3] = leftRotate8_16 (state->A[3][4]); - state->A[3][4] = leftRotate8_16 (state->A[4][3]); - state->A[4][3] = leftRotate9_16 (state->A[3][0]); - state->A[3][0] = leftRotate11_16(state->A[0][4]); - state->A[0][4] = leftRotate14_16(state->A[4][4]); - state->A[4][4] = leftRotate2_16 (state->A[4][1]); - state->A[4][1] = leftRotate7_16 (state->A[1][3]); - state->A[1][3] = leftRotate13_16(state->A[3][1]); - state->A[3][1] = leftRotate4_16 (state->A[1][0]); - state->A[1][0] = leftRotate12_16(state->A[0][3]); - state->A[0][3] = leftRotate5_16 (state->A[3][3]); - state->A[3][3] = leftRotate15_16(state->A[3][2]); - state->A[3][2] = leftRotate10_16(state->A[2][1]); - state->A[2][1] = leftRotate6_16 (state->A[1][2]); - state->A[1][2] = leftRotate3_16 (state->A[2][0]); - state->A[2][0] = leftRotate1_16(D); - - /* Step mapping chi. Combine each lane with two others in its row */ - for (index = 0; index < 5; ++index) { - C[0] = state->A[index][0]; - C[1] = state->A[index][1]; - C[2] = state->A[index][2]; - C[3] = state->A[index][3]; - C[4] = state->A[index][4]; - for (index2 = 0; index2 < 5; ++index2) { - state->A[index][index2] = - C[index2] ^ - ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); - } - } - - /* Step mapping iota. XOR A[0][0] with the round constant */ - state->A[0][0] ^= RC[round]; - } -} - -#if !defined(LW_UTIL_LITTLE_ENDIAN) - -/** - * \brief Reverses the bytes in a Keccak-p[400] state. - * - * \param state The Keccak-p[400] state to apply byte-reversal to. 
- */ -static void keccakp_400_reverse_bytes(keccakp_400_state_t *state) -{ - unsigned index; - unsigned char temp1; - unsigned char temp2; - for (index = 0; index < 50; index += 2) { - temp1 = state->B[index]; - temp2 = state->B[index + 1]; - state->B[index] = temp2; - state->B[index + 1] = temp1; - } -} - -/* Keccak-p[400] that requires byte reversal on input and output */ -void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) -{ - keccakp_400_reverse_bytes(state); - keccakp_400_permute_host(state, rounds); - keccakp_400_reverse_bytes(state); -} - -#endif - -#endif /* !__AVR__ */ diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-spongent.c b/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-spongent.c deleted file mode 100644 index 8e0d57d..0000000 --- a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-spongent.c +++ /dev/null 
@@ -1,350 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-spongent.h" - -#if !defined(__AVR__) - -/** - * \brief Applies the Spongent-pi S-box in parallel to the 8 nibbles - * of a 32-bit word. - * - * \param x3 The input values to the parallel S-boxes. - * - * \return The output values from the parallel S-boxes. - * - * Based on the bit-sliced S-box implementation from here: - * https://github.com/DadaIsCrazy/usuba/blob/master/data/sboxes/spongent.ua - * - * Note that spongent.ua numbers bits from highest to lowest, so x0 is the - * high bit of each nibble and x3 is the low bit. 
- */ -static uint32_t spongent_sbox(uint32_t x3) -{ - uint32_t q0, q1, q2, q3, t0, t1, t2, t3; - uint32_t x2 = (x3 >> 1); - uint32_t x1 = (x2 >> 1); - uint32_t x0 = (x1 >> 1); - q0 = x0 ^ x2; - q1 = x1 ^ x2; - t0 = q0 & q1; - q2 = ~(x0 ^ x1 ^ x3 ^ t0); - t1 = q2 & ~x0; - q3 = x1 ^ t1; - t2 = q3 & (q3 ^ x2 ^ x3 ^ t0); - t3 = (x2 ^ t0) & ~(x1 ^ t0); - q0 = x1 ^ x2 ^ x3 ^ t2; - q1 = x0 ^ x2 ^ x3 ^ t0 ^ t1; - q2 = x0 ^ x1 ^ x2 ^ t1; - q3 = x0 ^ x3 ^ t0 ^ t3; - return ((q0 << 3) & 0x88888888U) | ((q1 << 2) & 0x44444444U) | - ((q2 << 1) & 0x22222222U) | (q3 & 0x11111111U); -} - -void spongent160_permute(spongent160_state_t *state) -{ - static uint8_t const RC[] = { - /* Round constants for Spongent-pi[160] */ - 0x75, 0xae, 0x6a, 0x56, 0x54, 0x2a, 0x29, 0x94, - 0x53, 0xca, 0x27, 0xe4, 0x4f, 0xf2, 0x1f, 0xf8, - 0x3e, 0x7c, 0x7d, 0xbe, 0x7a, 0x5e, 0x74, 0x2e, - 0x68, 0x16, 0x50, 0x0a, 0x21, 0x84, 0x43, 0xc2, - 0x07, 0xe0, 0x0e, 0x70, 0x1c, 0x38, 0x38, 0x1c, - 0x71, 0x8e, 0x62, 0x46, 0x44, 0x22, 0x09, 0x90, - 0x12, 0x48, 0x24, 0x24, 0x49, 0x92, 0x13, 0xc8, - 0x26, 0x64, 0x4d, 0xb2, 0x1b, 0xd8, 0x36, 0x6c, - 0x6d, 0xb6, 0x5a, 0x5a, 0x35, 0xac, 0x6b, 0xd6, - 0x56, 0x6a, 0x2d, 0xb4, 0x5b, 0xda, 0x37, 0xec, - 0x6f, 0xf6, 0x5e, 0x7a, 0x3d, 0xbc, 0x7b, 0xde, - 0x76, 0x6e, 0x6c, 0x36, 0x58, 0x1a, 0x31, 0x8c, - 0x63, 0xc6, 0x46, 0x62, 0x0d, 0xb0, 0x1a, 0x58, - 0x34, 0x2c, 0x69, 0x96, 0x52, 0x4a, 0x25, 0xa4, - 0x4b, 0xd2, 0x17, 0xe8, 0x2e, 0x74, 0x5d, 0xba, - 0x3b, 0xdc, 0x77, 0xee, 0x6e, 0x76, 0x5c, 0x3a, - 0x39, 0x9c, 0x73, 0xce, 0x66, 0x66, 0x4c, 0x32, - 0x19, 0x98, 0x32, 0x4c, 0x65, 0xa6, 0x4a, 0x52, - 0x15, 0xa8, 0x2a, 0x54, 0x55, 0xaa, 0x2b, 0xd4, - 0x57, 0xea, 0x2f, 0xf4, 0x5f, 0xfa, 0x3f, 0xfc - }; - const uint8_t *rc = RC; - uint32_t x0, x1, x2, x3, x4; - uint32_t t0, t1, t2, t3, t4; - uint8_t round; - - /* Load the state into local variables and convert from little-endian */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - x0 = state->W[0]; - x1 = state->W[1]; - x2 = state->W[2]; - x3 
= state->W[3]; - x4 = state->W[4]; -#else - x0 = le_load_word32(state->B); - x1 = le_load_word32(state->B + 4); - x2 = le_load_word32(state->B + 8); - x3 = le_load_word32(state->B + 12); - x4 = le_load_word32(state->B + 16); -#endif - - /* Perform the 80 rounds of Spongent-pi[160] */ - for (round = 0; round < 80; ++round, rc += 2) { - /* Add the round constant to front and back of the state */ - x0 ^= rc[0]; - x4 ^= ((uint32_t)(rc[1])) << 24; - - /* Apply the S-box to all 4-bit groups in the state */ - t0 = spongent_sbox(x0); - t1 = spongent_sbox(x1); - t2 = spongent_sbox(x2); - t3 = spongent_sbox(x3); - t4 = spongent_sbox(x4); - - /* Permute the bits of the state. Bit i is moved to (40 * i) % 159 - * for all bits except the last which is left where it is. - * BCP = bit copy, BUP = move bit up, BDN = move bit down */ - #define BCP(x, bit) ((x) & (((uint32_t)1) << (bit))) - #define BUP(x, from, to) \ - (((x) << ((to) - (from))) & (((uint32_t)1) << (to))) - #define BDN(x, from, to) \ - (((x) >> ((from) - (to))) & (((uint32_t)1) << (to))) - x0 = BCP(t0, 0) ^ BDN(t0, 4, 1) ^ BDN(t0, 8, 2) ^ - BDN(t0, 12, 3) ^ BDN(t0, 16, 4) ^ BDN(t0, 20, 5) ^ - BDN(t0, 24, 6) ^ BDN(t0, 28, 7) ^ BUP(t1, 0, 8) ^ - BUP(t1, 4, 9) ^ BUP(t1, 8, 10) ^ BDN(t1, 12, 11) ^ - BDN(t1, 16, 12) ^ BDN(t1, 20, 13) ^ BDN(t1, 24, 14) ^ - BDN(t1, 28, 15) ^ BUP(t2, 0, 16) ^ BUP(t2, 4, 17) ^ - BUP(t2, 8, 18) ^ BUP(t2, 12, 19) ^ BUP(t2, 16, 20) ^ - BUP(t2, 20, 21) ^ BDN(t2, 24, 22) ^ BDN(t2, 28, 23) ^ - BUP(t3, 0, 24) ^ BUP(t3, 4, 25) ^ BUP(t3, 8, 26) ^ - BUP(t3, 12, 27) ^ BUP(t3, 16, 28) ^ BUP(t3, 20, 29) ^ - BUP(t3, 24, 30) ^ BUP(t3, 28, 31); - x1 = BUP(t0, 1, 8) ^ BUP(t0, 5, 9) ^ BUP(t0, 9, 10) ^ - BDN(t0, 13, 11) ^ BDN(t0, 17, 12) ^ BDN(t0, 21, 13) ^ - BDN(t0, 25, 14) ^ BDN(t0, 29, 15) ^ BUP(t1, 1, 16) ^ - BUP(t1, 5, 17) ^ BUP(t1, 9, 18) ^ BUP(t1, 13, 19) ^ - BUP(t1, 17, 20) ^ BCP(t1, 21) ^ BDN(t1, 25, 22) ^ - BDN(t1, 29, 23) ^ BUP(t2, 1, 24) ^ BUP(t2, 5, 25) ^ - BUP(t2, 9, 26) ^ BUP(t2, 13, 27) ^ 
BUP(t2, 17, 28) ^ - BUP(t2, 21, 29) ^ BUP(t2, 25, 30) ^ BUP(t2, 29, 31) ^ - BCP(t4, 0) ^ BDN(t4, 4, 1) ^ BDN(t4, 8, 2) ^ - BDN(t4, 12, 3) ^ BDN(t4, 16, 4) ^ BDN(t4, 20, 5) ^ - BDN(t4, 24, 6) ^ BDN(t4, 28, 7); - x2 = BUP(t0, 2, 16) ^ BUP(t0, 6, 17) ^ BUP(t0, 10, 18) ^ - BUP(t0, 14, 19) ^ BUP(t0, 18, 20) ^ BDN(t0, 22, 21) ^ - BDN(t0, 26, 22) ^ BDN(t0, 30, 23) ^ BUP(t1, 2, 24) ^ - BUP(t1, 6, 25) ^ BUP(t1, 10, 26) ^ BUP(t1, 14, 27) ^ - BUP(t1, 18, 28) ^ BUP(t1, 22, 29) ^ BUP(t1, 26, 30) ^ - BUP(t1, 30, 31) ^ BDN(t3, 1, 0) ^ BDN(t3, 5, 1) ^ - BDN(t3, 9, 2) ^ BDN(t3, 13, 3) ^ BDN(t3, 17, 4) ^ - BDN(t3, 21, 5) ^ BDN(t3, 25, 6) ^ BDN(t3, 29, 7) ^ - BUP(t4, 1, 8) ^ BUP(t4, 5, 9) ^ BUP(t4, 9, 10) ^ - BDN(t4, 13, 11) ^ BDN(t4, 17, 12) ^ BDN(t4, 21, 13) ^ - BDN(t4, 25, 14) ^ BDN(t4, 29, 15); - x3 = BUP(t0, 3, 24) ^ BUP(t0, 7, 25) ^ BUP(t0, 11, 26) ^ - BUP(t0, 15, 27) ^ BUP(t0, 19, 28) ^ BUP(t0, 23, 29) ^ - BUP(t0, 27, 30) ^ BCP(t0, 31) ^ BDN(t2, 2, 0) ^ - BDN(t2, 6, 1) ^ BDN(t2, 10, 2) ^ BDN(t2, 14, 3) ^ - BDN(t2, 18, 4) ^ BDN(t2, 22, 5) ^ BDN(t2, 26, 6) ^ - BDN(t2, 30, 7) ^ BUP(t3, 2, 8) ^ BUP(t3, 6, 9) ^ - BCP(t3, 10) ^ BDN(t3, 14, 11) ^ BDN(t3, 18, 12) ^ - BDN(t3, 22, 13) ^ BDN(t3, 26, 14) ^ BDN(t3, 30, 15) ^ - BUP(t4, 2, 16) ^ BUP(t4, 6, 17) ^ BUP(t4, 10, 18) ^ - BUP(t4, 14, 19) ^ BUP(t4, 18, 20) ^ BDN(t4, 22, 21) ^ - BDN(t4, 26, 22) ^ BDN(t4, 30, 23); - x4 = BDN(t1, 3, 0) ^ BDN(t1, 7, 1) ^ BDN(t1, 11, 2) ^ - BDN(t1, 15, 3) ^ BDN(t1, 19, 4) ^ BDN(t1, 23, 5) ^ - BDN(t1, 27, 6) ^ BDN(t1, 31, 7) ^ BUP(t2, 3, 8) ^ - BUP(t2, 7, 9) ^ BDN(t2, 11, 10) ^ BDN(t2, 15, 11) ^ - BDN(t2, 19, 12) ^ BDN(t2, 23, 13) ^ BDN(t2, 27, 14) ^ - BDN(t2, 31, 15) ^ BUP(t3, 3, 16) ^ BUP(t3, 7, 17) ^ - BUP(t3, 11, 18) ^ BUP(t3, 15, 19) ^ BUP(t3, 19, 20) ^ - BDN(t3, 23, 21) ^ BDN(t3, 27, 22) ^ BDN(t3, 31, 23) ^ - BUP(t4, 3, 24) ^ BUP(t4, 7, 25) ^ BUP(t4, 11, 26) ^ - BUP(t4, 15, 27) ^ BUP(t4, 19, 28) ^ BUP(t4, 23, 29) ^ - BUP(t4, 27, 30) ^ BCP(t4, 31); - } - - /* Store the local variables back to the 
state in little-endian order */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->W[0] = x0; - state->W[1] = x1; - state->W[2] = x2; - state->W[3] = x3; - state->W[4] = x4; -#else - le_store_word32(state->B, x0); - le_store_word32(state->B + 4, x1); - le_store_word32(state->B + 8, x2); - le_store_word32(state->B + 12, x3); - le_store_word32(state->B + 16, x4); -#endif -} - -void spongent176_permute(spongent176_state_t *state) -{ - static uint8_t const RC[] = { - /* Round constants for Spongent-pi[176] */ - 0x45, 0xa2, 0x0b, 0xd0, 0x16, 0x68, 0x2c, 0x34, - 0x59, 0x9a, 0x33, 0xcc, 0x67, 0xe6, 0x4e, 0x72, - 0x1d, 0xb8, 0x3a, 0x5c, 0x75, 0xae, 0x6a, 0x56, - 0x54, 0x2a, 0x29, 0x94, 0x53, 0xca, 0x27, 0xe4, - 0x4f, 0xf2, 0x1f, 0xf8, 0x3e, 0x7c, 0x7d, 0xbe, - 0x7a, 0x5e, 0x74, 0x2e, 0x68, 0x16, 0x50, 0x0a, - 0x21, 0x84, 0x43, 0xc2, 0x07, 0xe0, 0x0e, 0x70, - 0x1c, 0x38, 0x38, 0x1c, 0x71, 0x8e, 0x62, 0x46, - 0x44, 0x22, 0x09, 0x90, 0x12, 0x48, 0x24, 0x24, - 0x49, 0x92, 0x13, 0xc8, 0x26, 0x64, 0x4d, 0xb2, - 0x1b, 0xd8, 0x36, 0x6c, 0x6d, 0xb6, 0x5a, 0x5a, - 0x35, 0xac, 0x6b, 0xd6, 0x56, 0x6a, 0x2d, 0xb4, - 0x5b, 0xda, 0x37, 0xec, 0x6f, 0xf6, 0x5e, 0x7a, - 0x3d, 0xbc, 0x7b, 0xde, 0x76, 0x6e, 0x6c, 0x36, - 0x58, 0x1a, 0x31, 0x8c, 0x63, 0xc6, 0x46, 0x62, - 0x0d, 0xb0, 0x1a, 0x58, 0x34, 0x2c, 0x69, 0x96, - 0x52, 0x4a, 0x25, 0xa4, 0x4b, 0xd2, 0x17, 0xe8, - 0x2e, 0x74, 0x5d, 0xba, 0x3b, 0xdc, 0x77, 0xee, - 0x6e, 0x76, 0x5c, 0x3a, 0x39, 0x9c, 0x73, 0xce, - 0x66, 0x66, 0x4c, 0x32, 0x19, 0x98, 0x32, 0x4c, - 0x65, 0xa6, 0x4a, 0x52, 0x15, 0xa8, 0x2a, 0x54, - 0x55, 0xaa, 0x2b, 0xd4, 0x57, 0xea, 0x2f, 0xf4, - 0x5f, 0xfa, 0x3f, 0xfc - }; - const uint8_t *rc = RC; - uint32_t x0, x1, x2, x3, x4, x5; - uint32_t t0, t1, t2, t3, t4, t5; - uint8_t round; - - /* Load the state into local variables and convert from little-endian */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - x0 = state->W[0]; - x1 = state->W[1]; - x2 = state->W[2]; - x3 = state->W[3]; - x4 = state->W[4]; - x5 = state->W[5]; -#else - x0 = 
le_load_word32(state->B); - x1 = le_load_word32(state->B + 4); - x2 = le_load_word32(state->B + 8); - x3 = le_load_word32(state->B + 12); - x4 = le_load_word32(state->B + 16); - x5 = le_load_word16(state->B + 20); /* Last word is only 16 bits */ -#endif - - /* Perform the 90 rounds of Spongent-pi[176] */ - for (round = 0; round < 90; ++round, rc += 2) { - /* Add the round constant to front and back of the state */ - x0 ^= rc[0]; - x5 ^= ((uint32_t)(rc[1])) << 8; - - /* Apply the S-box to all 4-bit groups in the state */ - t0 = spongent_sbox(x0); - t1 = spongent_sbox(x1); - t2 = spongent_sbox(x2); - t3 = spongent_sbox(x3); - t4 = spongent_sbox(x4); - t5 = spongent_sbox(x5); - - /* Permute the bits of the state. Bit i is moved to (44 * i) % 175 - * for all bits except the last which is left where it is. - * BCP = bit copy, BUP = move bit up, BDN = move bit down */ - x0 = BCP(t0, 0) ^ BDN(t0, 4, 1) ^ BDN(t0, 8, 2) ^ - BDN(t0, 12, 3) ^ BDN(t0, 16, 4) ^ BDN(t0, 20, 5) ^ - BDN(t0, 24, 6) ^ BDN(t0, 28, 7) ^ BUP(t1, 0, 8) ^ - BUP(t1, 4, 9) ^ BUP(t1, 8, 10) ^ BDN(t1, 12, 11) ^ - BDN(t1, 16, 12) ^ BDN(t1, 20, 13) ^ BDN(t1, 24, 14) ^ - BDN(t1, 28, 15) ^ BUP(t2, 0, 16) ^ BUP(t2, 4, 17) ^ - BUP(t2, 8, 18) ^ BUP(t2, 12, 19) ^ BUP(t2, 16, 20) ^ - BUP(t2, 20, 21) ^ BDN(t2, 24, 22) ^ BDN(t2, 28, 23) ^ - BUP(t3, 0, 24) ^ BUP(t3, 4, 25) ^ BUP(t3, 8, 26) ^ - BUP(t3, 12, 27) ^ BUP(t3, 16, 28) ^ BUP(t3, 20, 29) ^ - BUP(t3, 24, 30) ^ BUP(t3, 28, 31); - x1 = BUP(t0, 1, 12) ^ BUP(t0, 5, 13) ^ BUP(t0, 9, 14) ^ - BUP(t0, 13, 15) ^ BDN(t0, 17, 16) ^ BDN(t0, 21, 17) ^ - BDN(t0, 25, 18) ^ BDN(t0, 29, 19) ^ BUP(t1, 1, 20) ^ - BUP(t1, 5, 21) ^ BUP(t1, 9, 22) ^ BUP(t1, 13, 23) ^ - BUP(t1, 17, 24) ^ BUP(t1, 21, 25) ^ BUP(t1, 25, 26) ^ - BDN(t1, 29, 27) ^ BUP(t2, 1, 28) ^ BUP(t2, 5, 29) ^ - BUP(t2, 9, 30) ^ BUP(t2, 13, 31) ^ BCP(t4, 0) ^ - BDN(t4, 4, 1) ^ BDN(t4, 8, 2) ^ BDN(t4, 12, 3) ^ - BDN(t4, 16, 4) ^ BDN(t4, 20, 5) ^ BDN(t4, 24, 6) ^ - BDN(t4, 28, 7) ^ BUP(t5, 0, 8) ^ BUP(t5, 4, 9) ^ - BUP(t5, 
8, 10) ^ BDN(t5, 12, 11); - x2 = BUP(t0, 2, 24) ^ BUP(t0, 6, 25) ^ BUP(t0, 10, 26) ^ - BUP(t0, 14, 27) ^ BUP(t0, 18, 28) ^ BUP(t0, 22, 29) ^ - BUP(t0, 26, 30) ^ BUP(t0, 30, 31) ^ BDN(t2, 17, 0) ^ - BDN(t2, 21, 1) ^ BDN(t2, 25, 2) ^ BDN(t2, 29, 3) ^ - BUP(t3, 1, 4) ^ BCP(t3, 5) ^ BDN(t3, 9, 6) ^ - BDN(t3, 13, 7) ^ BDN(t3, 17, 8) ^ BDN(t3, 21, 9) ^ - BDN(t3, 25, 10) ^ BDN(t3, 29, 11) ^ BUP(t4, 1, 12) ^ - BUP(t4, 5, 13) ^ BUP(t4, 9, 14) ^ BUP(t4, 13, 15) ^ - BDN(t4, 17, 16) ^ BDN(t4, 21, 17) ^ BDN(t4, 25, 18) ^ - BDN(t4, 29, 19) ^ BUP(t5, 1, 20) ^ BUP(t5, 5, 21) ^ - BUP(t5, 9, 22) ^ BUP(t5, 13, 23); - x3 = BDN(t1, 2, 0) ^ BDN(t1, 6, 1) ^ BDN(t1, 10, 2) ^ - BDN(t1, 14, 3) ^ BDN(t1, 18, 4) ^ BDN(t1, 22, 5) ^ - BDN(t1, 26, 6) ^ BDN(t1, 30, 7) ^ BUP(t2, 2, 8) ^ - BUP(t2, 6, 9) ^ BCP(t2, 10) ^ BDN(t2, 14, 11) ^ - BDN(t2, 18, 12) ^ BDN(t2, 22, 13) ^ BDN(t2, 26, 14) ^ - BDN(t2, 30, 15) ^ BUP(t3, 2, 16) ^ BUP(t3, 6, 17) ^ - BUP(t3, 10, 18) ^ BUP(t3, 14, 19) ^ BUP(t3, 18, 20) ^ - BDN(t3, 22, 21) ^ BDN(t3, 26, 22) ^ BDN(t3, 30, 23) ^ - BUP(t4, 2, 24) ^ BUP(t4, 6, 25) ^ BUP(t4, 10, 26) ^ - BUP(t4, 14, 27) ^ BUP(t4, 18, 28) ^ BUP(t4, 22, 29) ^ - BUP(t4, 26, 30) ^ BUP(t4, 30, 31); - x4 = BUP(t0, 3, 4) ^ BDN(t0, 7, 5) ^ BDN(t0, 11, 6) ^ - BDN(t0, 15, 7) ^ BDN(t0, 19, 8) ^ BDN(t0, 23, 9) ^ - BDN(t0, 27, 10) ^ BDN(t0, 31, 11) ^ BUP(t1, 3, 12) ^ - BUP(t1, 7, 13) ^ BUP(t1, 11, 14) ^ BCP(t1, 15) ^ - BDN(t1, 19, 16) ^ BDN(t1, 23, 17) ^ BDN(t1, 27, 18) ^ - BDN(t1, 31, 19) ^ BUP(t2, 3, 20) ^ BUP(t2, 7, 21) ^ - BUP(t2, 11, 22) ^ BUP(t2, 15, 23) ^ BUP(t2, 19, 24) ^ - BUP(t2, 23, 25) ^ BDN(t2, 27, 26) ^ BDN(t2, 31, 27) ^ - BUP(t3, 3, 28) ^ BUP(t3, 7, 29) ^ BUP(t3, 11, 30) ^ - BUP(t3, 15, 31) ^ BDN(t5, 2, 0) ^ BDN(t5, 6, 1) ^ - BDN(t5, 10, 2) ^ BDN(t5, 14, 3); - x5 = BDN(t3, 19, 0) ^ BDN(t3, 23, 1) ^ BDN(t3, 27, 2) ^ - BDN(t3, 31, 3) ^ BUP(t4, 3, 4) ^ BDN(t4, 7, 5) ^ - BDN(t4, 11, 6) ^ BDN(t4, 15, 7) ^ BDN(t4, 19, 8) ^ - BDN(t4, 23, 9) ^ BDN(t4, 27, 10) ^ BDN(t4, 31, 11) ^ - BUP(t5, 3, 12) ^ 
 BUP(t5, 7, 13) ^ BUP(t5, 11, 14) ^
- BCP(t5, 15);
- }
-
- /* Store the local variables back to the state in little-endian order */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->W[0] = x0;
- state->W[1] = x1;
- state->W[2] = x2;
- state->W[3] = x3;
- state->W[4] = x4;
- state->W[5] = x5;
-#else
- le_store_word32(state->B, x0);
- le_store_word32(state->B + 4, x1);
- le_store_word32(state->B + 8, x2);
- le_store_word32(state->B + 12, x3);
- le_store_word32(state->B + 16, x4);
- le_store_word16(state->B + 20, x5); /* Last word is only 16 bits */
-#endif
-}
-
-#endif /* !__AVR__ */
diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.c b/elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.c
index 770f568..2f7abb3 100644
--- a/elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.c
+++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/elephant.c
@@ -660,7 +660,7 @@ static void delirium_process_ad
 if (size <= adlen) {
 /* Process a complete block */
 lw_xor_block(state->B + posn, ad, size);
- keccakp_200_permute(state, 18);
+ keccakp_200_permute(state);
 lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE);
@@ -680,7 +680,7 @@ static void delirium_process_ad
 
 /* Pad and absorb the final block */
 state->B[posn] ^= 0x01;
- keccakp_200_permute(state, 18);
+ keccakp_200_permute(state);
 lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE);
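Review bot: Every call in these hunks (-660 and -680 here, and -707 through -853 on the following lines) now assumes keccakp_200_permute() performs the full 18 rounds by itself, but the rhys/ copy of internal-keccak.[ch] that these call sites bind to is not part of the visible diff, so the one-argument prototype and the fixed round count there should be confirmed in the same commit: a stale two-argument declaration is a compile error, while a different round count would silently change the permutation and break agreement with the reference KATs. The removed rhys-avr/internal-keccak.c elsewhere in this diff hard-codes `round < 18`, which matches the value every caller used to pass. A one-line note at the first call site would make the dependency explicit: `/* keccakp_200_permute() always runs all 18 rounds of Keccak-p[200] */`. delirium_process_ad starts and ends outside both hunks.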
@@ -707,7 +707,7 @@ int delirium_aead_encrypt
 /* Hash the key and generate the initial mask */
 memcpy(state.B, k, DELIRIUM_KEY_SIZE);
 memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 memcpy(mask, state.B, DELIRIUM_KEY_SIZE);
 memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE);
 memcpy(start, mask, sizeof(mask));
@@ -726,7 +726,7 @@ int delirium_aead_encrypt
 /* Encrypt using the current mask */
 memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, m, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 memcpy(c, state.B, KECCAKP_200_STATE_SIZE);
@@ -735,7 +735,7 @@ int delirium_aead_encrypt
 delirium_lfsr(next, mask);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -751,7 +751,7 @@ int delirium_aead_encrypt
 unsigned temp = (unsigned)mlen;
 memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, m, temp);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 memcpy(c, state.B, temp);
@@ -762,7 +762,7 @@ int delirium_aead_encrypt
 memset(state.B + temp + 1, 0, KECCAKP_200_STATE_SIZE - temp - 1);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -772,7 +772,7 @@ int delirium_aead_encrypt
 delirium_lfsr(next, mask);
 lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
 state.B[0] ^= 0x01;
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -807,7 +807,7 @@ int delirium_aead_decrypt
 /* Hash the key and generate the initial mask */
 memcpy(state.B, k, DELIRIUM_KEY_SIZE);
 memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 memcpy(mask, state.B, DELIRIUM_KEY_SIZE);
 memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE);
 memcpy(start, mask, sizeof(mask));
@@ -828,7 +828,7 @@ int delirium_aead_decrypt
 delirium_lfsr(next, mask);
 lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, c, KECCAKP_200_STATE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -836,7 +836,7 @@ int delirium_aead_decrypt
 /* Decrypt using the current mask */
 memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block_2_src(m, state.B, c, KECCAKP_200_STATE_SIZE);
 
@@ -853,7 +853,7 @@ int delirium_aead_decrypt
 lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, c, temp);
 state.B[temp] ^= 0x01;
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -861,7 +861,7 @@ int delirium_aead_decrypt
 /* Decrypt the last block using the current mask */
 memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, temp);
 lw_xor_block_2_src(m, state.B, c, temp);
 c += temp;
@@ -870,7 +870,7 @@ int delirium_aead_decrypt
 delirium_lfsr(next, mask);
 lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
 state.B[0] ^= 0x01;
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-keccak-avr.S b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak-avr.S
similarity index 100%
rename from elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-keccak-avr.S
rename to elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak-avr.S
diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.c b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.c
index c3c4011..60539df 100644
--- a/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.c
+++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.c
@@ -22,74 +22,79 @@ #include "internal-keccak.h" +#if !defined(__AVR__) + /* Faster method to compute ((x + y) % 5) that avoids the division */ static unsigned char const addMod5Table[9] = { 0, 1, 2, 3, 4, 0, 1, 2, 3 }; #define addMod5(x, y) (addMod5Table[(x) + (y)]) -void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds) +void keccakp_200_permute(keccakp_200_state_t *state) { static uint8_t const RC[18] = { 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, 0x02, 0x80 }; - uint8_t B[5][5]; + uint8_t C[5]; uint8_t D; unsigned round; unsigned index, index2; - for (round = 18 - rounds; round < 18; ++round) { + for (round = 0; round < 18; ++round) { /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. To save a bit of memory, - * we use the first row of B to store C and compute D on the fly */ + * arrays of size 5 called C and D. Compute D on the fly */ for (index = 0; index < 5; ++index) { - B[0][index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; + C[index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; } for (index = 0; index < 5; ++index) { - D = B[0][addMod5(index, 4)] ^ - leftRotate1_8(B[0][addMod5(index, 1)]); + D = C[addMod5(index, 4)] ^ + leftRotate1_8(C[addMod5(index, 1)]); for (index2 = 0; index2 < 5; ++index2) state->A[index2][index] ^= D; } /* Step mapping rho and pi combined into a single step. 
* Rotate all lanes by a specific offset and rearrange */ - B[0][0] = state->A[0][0]; - B[1][0] = leftRotate4_8(state->A[0][3]); - B[2][0] = leftRotate1_8(state->A[0][1]); - B[3][0] = leftRotate3_8(state->A[0][4]); - B[4][0] = leftRotate6_8(state->A[0][2]); - B[0][1] = leftRotate4_8(state->A[1][1]); - B[1][1] = leftRotate4_8(state->A[1][4]); - B[2][1] = leftRotate6_8(state->A[1][2]); - B[3][1] = leftRotate4_8(state->A[1][0]); - B[4][1] = leftRotate7_8(state->A[1][3]); - B[0][2] = leftRotate3_8(state->A[2][2]); - B[1][2] = leftRotate3_8(state->A[2][0]); - B[2][2] = leftRotate1_8(state->A[2][3]); - B[3][2] = leftRotate2_8(state->A[2][1]); - B[4][2] = leftRotate7_8(state->A[2][4]); - B[0][3] = leftRotate5_8(state->A[3][3]); - B[1][3] = leftRotate5_8(state->A[3][1]); - B[2][3] = state->A[3][4]; - B[3][3] = leftRotate7_8(state->A[3][2]); - B[4][3] = leftRotate1_8(state->A[3][0]); - B[0][4] = leftRotate6_8(state->A[4][4]); - B[1][4] = leftRotate5_8(state->A[4][2]); - B[2][4] = leftRotate2_8(state->A[4][0]); - B[3][4] = state->A[4][3]; - B[4][4] = leftRotate2_8(state->A[4][1]); + D = state->A[0][1]; + state->A[0][1] = leftRotate4_8(state->A[1][1]); + state->A[1][1] = leftRotate4_8(state->A[1][4]); + state->A[1][4] = leftRotate5_8(state->A[4][2]); + state->A[4][2] = leftRotate7_8(state->A[2][4]); + state->A[2][4] = leftRotate2_8(state->A[4][0]); + state->A[4][0] = leftRotate6_8(state->A[0][2]); + state->A[0][2] = leftRotate3_8(state->A[2][2]); + state->A[2][2] = leftRotate1_8(state->A[2][3]); + state->A[2][3] = state->A[3][4]; + state->A[3][4] = state->A[4][3]; + state->A[4][3] = leftRotate1_8(state->A[3][0]); + state->A[3][0] = leftRotate3_8(state->A[0][4]); + state->A[0][4] = leftRotate6_8(state->A[4][4]); + state->A[4][4] = leftRotate2_8(state->A[4][1]); + state->A[4][1] = leftRotate7_8(state->A[1][3]); + state->A[1][3] = leftRotate5_8(state->A[3][1]); + state->A[3][1] = leftRotate4_8(state->A[1][0]); + state->A[1][0] = leftRotate4_8(state->A[0][3]); + state->A[0][3] = 
leftRotate5_8(state->A[3][3]); + state->A[3][3] = leftRotate7_8(state->A[3][2]); + state->A[3][2] = leftRotate2_8(state->A[2][1]); + state->A[2][1] = leftRotate6_8(state->A[1][2]); + state->A[1][2] = leftRotate3_8(state->A[2][0]); + state->A[2][0] = leftRotate1_8(D); /* Step mapping chi. Combine each lane with two others in its row */ for (index = 0; index < 5; ++index) { + C[0] = state->A[index][0]; + C[1] = state->A[index][1]; + C[2] = state->A[index][2]; + C[3] = state->A[index][3]; + C[4] = state->A[index][4]; for (index2 = 0; index2 < 5; ++index2) { - state->A[index2][index] = - B[index2][index] ^ - ((~B[index2][addMod5(index, 1)]) & - B[index2][addMod5(index, 2)]); + state->A[index][index2] = + C[index2] ^ + ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); } } 
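Review bot: The in-place rho/pi rewrite (the 24 assignments beginning at `D = state->A[0][1];`) carries no explanation of why that order is safe, and it is the one place a later edit can silently break the permutation. I traced each assignment against the removed B[][] table and they agree: the 24 lanes other than A[0][0] form a single cycle, A[0][0] is a fixed point, and every lane is read before it is overwritten, so D is the only temporary required. A comment such as `/* rho+pi is one 24-lane cycle with A[0][0] fixed; walk it in place, D holding the lane that closes the cycle. Order is load-bearing: each lane is read before it is overwritten. */` would make that intent explicit, and the same comment belongs on the identical restructuring in the keccakp_400_permute_host hunk below. Because the C body is now compiled out under `__AVR__` while the assembly file was renamed with similarity index 100%, it is also worth confirming that the AVR `keccakp_200_permute` already performs a fixed 18 rounds rather than reading the argument this commit dropped from the C callers.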
@@ -110,61 +115,64 @@ void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, 0x8002, 0x0080, 0x800A, 0x000A }; - uint16_t B[5][5]; + uint16_t C[5]; uint16_t D; unsigned round; unsigned index, index2; for (round = 20 - rounds; round < 20; ++round) { /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. To save a bit of memory, - * we use the first row of B to store C and compute D on the fly */ + * arrays of size 5 called C and D. Compute D on the fly */ for (index = 0; index < 5; ++index) { - B[0][index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; + C[index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; } for (index = 0; index < 5; ++index) { - D = B[0][addMod5(index, 4)] ^ - leftRotate1_16(B[0][addMod5(index, 1)]); + D = C[addMod5(index, 4)] ^ + leftRotate1_16(C[addMod5(index, 1)]); for (index2 = 0; index2 < 5; ++index2) state->A[index2][index] ^= D; } /* Step mapping rho and pi combined into a single step. 
* Rotate all lanes by a specific offset and rearrange */ - B[0][0] = state->A[0][0]; - B[1][0] = leftRotate12_16(state->A[0][3]); - B[2][0] = leftRotate1_16 (state->A[0][1]); - B[3][0] = leftRotate11_16(state->A[0][4]); - B[4][0] = leftRotate14_16(state->A[0][2]); - B[0][1] = leftRotate12_16(state->A[1][1]); - B[1][1] = leftRotate4_16 (state->A[1][4]); - B[2][1] = leftRotate6_16 (state->A[1][2]); - B[3][1] = leftRotate4_16 (state->A[1][0]); - B[4][1] = leftRotate7_16 (state->A[1][3]); - B[0][2] = leftRotate11_16(state->A[2][2]); - B[1][2] = leftRotate3_16 (state->A[2][0]); - B[2][2] = leftRotate9_16 (state->A[2][3]); - B[3][2] = leftRotate10_16(state->A[2][1]); - B[4][2] = leftRotate7_16 (state->A[2][4]); - B[0][3] = leftRotate5_16 (state->A[3][3]); - B[1][3] = leftRotate13_16(state->A[3][1]); - B[2][3] = leftRotate8_16 (state->A[3][4]); - B[3][3] = leftRotate15_16(state->A[3][2]); - B[4][3] = leftRotate9_16 (state->A[3][0]); - B[0][4] = leftRotate14_16(state->A[4][4]); - B[1][4] = leftRotate13_16(state->A[4][2]); - B[2][4] = leftRotate2_16 (state->A[4][0]); - B[3][4] = leftRotate8_16 (state->A[4][3]); - B[4][4] = leftRotate2_16 (state->A[4][1]); + D = state->A[0][1]; + state->A[0][1] = leftRotate12_16(state->A[1][1]); + state->A[1][1] = leftRotate4_16 (state->A[1][4]); + state->A[1][4] = leftRotate13_16(state->A[4][2]); + state->A[4][2] = leftRotate7_16 (state->A[2][4]); + state->A[2][4] = leftRotate2_16 (state->A[4][0]); + state->A[4][0] = leftRotate14_16(state->A[0][2]); + state->A[0][2] = leftRotate11_16(state->A[2][2]); + state->A[2][2] = leftRotate9_16 (state->A[2][3]); + state->A[2][3] = leftRotate8_16 (state->A[3][4]); + state->A[3][4] = leftRotate8_16 (state->A[4][3]); + state->A[4][3] = leftRotate9_16 (state->A[3][0]); + state->A[3][0] = leftRotate11_16(state->A[0][4]); + state->A[0][4] = leftRotate14_16(state->A[4][4]); + state->A[4][4] = leftRotate2_16 (state->A[4][1]); + state->A[4][1] = leftRotate7_16 (state->A[1][3]); + state->A[1][3] = 
leftRotate13_16(state->A[3][1]); + state->A[3][1] = leftRotate4_16 (state->A[1][0]); + state->A[1][0] = leftRotate12_16(state->A[0][3]); + state->A[0][3] = leftRotate5_16 (state->A[3][3]); + state->A[3][3] = leftRotate15_16(state->A[3][2]); + state->A[3][2] = leftRotate10_16(state->A[2][1]); + state->A[2][1] = leftRotate6_16 (state->A[1][2]); + state->A[1][2] = leftRotate3_16 (state->A[2][0]); + state->A[2][0] = leftRotate1_16(D); /* Step mapping chi. Combine each lane with two others in its row */ for (index = 0; index < 5; ++index) { + C[0] = state->A[index][0]; + C[1] = state->A[index][1]; + C[2] = state->A[index][2]; + C[3] = state->A[index][3]; + C[4] = state->A[index][4]; for (index2 = 0; index2 < 5; ++index2) { - state->A[index2][index] = - B[index2][index] ^ - ((~B[index2][addMod5(index, 1)]) & - B[index2][addMod5(index, 2)]); + state->A[index][index2] = + C[index2] ^ + ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); } } @@ -202,3 +210,5 @@ void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) } #endif + +#endif /* !__AVR__ */ diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.h b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.h index 026da50..2ffef42 100644 --- a/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.h +++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-keccak.h @@ -68,9 +68,8 @@ typedef union * \brief Permutes the Keccak-p[200] state. * * \param state The Keccak-p[200] state to be permuted. - * \param rounds The number of rounds to perform (up to 18). */ -void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds); +void keccakp_200_permute(keccakp_200_state_t *state); /** * \brief Permutes the Keccak-p[400] state, which is assumed to be in 
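Review bot: `keccakp_400_permute_host` still takes `unsigned rounds` and starts its loop at `round = 20 - rounds` with no range check, so a caller passing a value above 20 wraps the unsigned subtraction and the permutation silently runs zero rounds; the 200-bit variant in this same commit removed that hazard by fixing the count at 18, which leaves the two permutations with different contracts for the same kind of argument. If variable rounds are still needed here, enforce the precondition before the loop, e.g. `if (rounds > 20) rounds = 20;` (or an assert in debug builds), and state the valid range in the header's `\param rounds` text. The function signature and the start of the RC table sit above this hunk.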
diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-spongent-avr.S b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent-avr.S
similarity index 100%
rename from elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-spongent-avr.S
rename to elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent-avr.S
diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.c b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.c
index 69a8ecb..8e0d57d 100644
--- a/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.c
+++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-spongent.c
@@ -22,6 +22,8 @@
 
 #include "internal-spongent.h"
 
+#if !defined(__AVR__)
+
 /**
 * \brief Applies the Spongent-pi S-box in parallel to the 8 nibbles
 * of a 32-bit word.
@@ -344,3 +346,5 @@ void spongent176_permute(spongent176_state_t *state)
 le_store_word16(state->B + 20, x5); /* Last word is only 16 bits */
 #endif
 }
+
+#endif /* !__AVR__ */
diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-util.h b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-util.h
+++ b/elephant/Implementations/crypto_aead/elephant160v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
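Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is derived only from `__AVR__`, so the composed rotation macros it selects can never be compiled into a host build and the existing host test vectors give them no coverage; a transcription slip in one of the rotation chains would only surface as a wrong result on AVR hardware. Wrapping the selection in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` / `#endif` around the existing `#if defined(__AVR__)` block would let a host build predefine the flag on the compiler command line and run the same permutation tests against the composed forms. The comment's "1 or a multiple of 8" wording matches the chains defined later in this file, which only use rotate-by-1 together with 8, 16 and 24.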
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/api.h b/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/api.h
deleted file mode 100644
index 32c9622..0000000
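Review bot: Each composed macro re-expands the generic statement-expression `leftRotate`/`rightRotate`, so `leftRotate12` becomes five nested `({ uint32_t _temp = ...; })` blocks; that is well-formed only because every block scopes its own `_temp` and `(a)` appears exactly once, at the innermost level, so the argument is still evaluated a single time. A short comment above the table stating that invariant, e.g. `/* Each chain names (a) exactly once (innermost), so arguments are evaluated once; the nested _temp declarations are each in their own block scope. */`, would stop a later edit from adding a second `(a)` and introducing double evaluation. I checked every chain against its stated decomposition (for example rotl 12 = rotl 16 then rotr 4, rotl 28 = rotr 4) and the `rightRotateN(a) = leftRotate(32-N)(a)` table, and found no mismatch. Whether the compiler collapses the nested blocks into the intended byte moves plus single-bit rotates on AVR is not something this hunk shows, so that is worth confirming on the generated assembly.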
--- a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 12
-#define CRYPTO_ABYTES 8
-#define CRYPTO_NOOVERLAP 1
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/elephant.c b/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/elephant.c
deleted file mode 100644
index 2f7abb3..0000000
--- a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/elephant.c
+++ /dev/null
@@ -1,881 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "elephant.h" -#include "internal-keccak.h" -#include "internal-spongent.h" -#include - -aead_cipher_t const dumbo_cipher = { - "Dumbo", - DUMBO_KEY_SIZE, - DUMBO_NONCE_SIZE, - DUMBO_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - dumbo_aead_encrypt, - dumbo_aead_decrypt -}; - -aead_cipher_t const jumbo_cipher = { - "Jumbo", - JUMBO_KEY_SIZE, - JUMBO_NONCE_SIZE, - JUMBO_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - jumbo_aead_encrypt, - jumbo_aead_decrypt -}; - -aead_cipher_t const delirium_cipher = { - "Delirium", - DELIRIUM_KEY_SIZE, - DELIRIUM_NONCE_SIZE, - DELIRIUM_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - delirium_aead_encrypt, - delirium_aead_decrypt -}; - -/** - * \brief Applies the Dumbo LFSR to the mask. - * - * \param out The output mask. - * \param in The input mask. 
- */ -static void dumbo_lfsr - (unsigned char out[SPONGENT160_STATE_SIZE], - const unsigned char in[SPONGENT160_STATE_SIZE]) -{ - unsigned char temp = - leftRotate3_8(in[0]) ^ (in[3] << 7) ^ (in[13] >> 7); - unsigned index; - for (index = 0; index < SPONGENT160_STATE_SIZE - 1; ++index) - out[index] = in[index + 1]; - out[SPONGENT160_STATE_SIZE - 1] = temp; -} - -/** - * \brief Processes the nonce and associated data for Dumbo. - * - * \param state Points to the Spongent-pi[160] state. - * \param mask Points to the initial mask value. - * \param next Points to the next mask value. - * \param tag Points to the ongoing tag that is being computed. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data. - */ -static void dumbo_process_ad - (spongent160_state_t *state, - unsigned char mask[SPONGENT160_STATE_SIZE], - unsigned char next[SPONGENT160_STATE_SIZE], - unsigned char tag[DUMBO_TAG_SIZE], - const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned posn, size; - - /* We need the "previous" and "next" masks in each step. 
- * Compare the first such values */ - dumbo_lfsr(next, mask); - dumbo_lfsr(next, next); - - /* Absorb the nonce into the state */ - lw_xor_block_2_src(state->B, mask, next, SPONGENT160_STATE_SIZE); - lw_xor_block(state->B, npub, DUMBO_NONCE_SIZE); - - /* Absorb the rest of the associated data */ - posn = DUMBO_NONCE_SIZE; - while (adlen > 0) { - size = SPONGENT160_STATE_SIZE - posn; - if (size <= adlen) { - /* Process a complete block */ - lw_xor_block(state->B + posn, ad, size); - spongent160_permute(state); - lw_xor_block(state->B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state->B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state->B, DUMBO_TAG_SIZE); - dumbo_lfsr(mask, mask); - dumbo_lfsr(next, next); - lw_xor_block_2_src(state->B, mask, next, SPONGENT160_STATE_SIZE); - posn = 0; - } else { - /* Process the partial block at the end of the associated data */ - size = (unsigned)adlen; - lw_xor_block(state->B + posn, ad, size); - posn += size; - } - ad += size; - adlen -= size; - } - - /* Pad and absorb the final block */ - state->B[posn] ^= 0x01; - spongent160_permute(state); - lw_xor_block(state->B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state->B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state->B, DUMBO_TAG_SIZE); -} - -int dumbo_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - spongent160_state_t state; - unsigned char start[SPONGENT160_STATE_SIZE]; - unsigned char mask[SPONGENT160_STATE_SIZE]; - unsigned char next[SPONGENT160_STATE_SIZE]; - unsigned char tag[DUMBO_TAG_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + DUMBO_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, DUMBO_KEY_SIZE); - memset(state.B + DUMBO_KEY_SIZE, 0, sizeof(state.B) - DUMBO_KEY_SIZE); - spongent160_permute(&state); 
- memcpy(mask, state.B, DUMBO_KEY_SIZE); - memset(mask + DUMBO_KEY_SIZE, 0, sizeof(mask) - DUMBO_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - dumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Encrypt and authenticate the payload */ - while (mlen >= SPONGENT160_STATE_SIZE) { - /* Encrypt using the current mask */ - memcpy(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, m, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - memcpy(c, state.B, SPONGENT160_STATE_SIZE); - - /* Authenticate using the next mask */ - dumbo_lfsr(next, mask); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, next, SPONGENT160_STATE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, SPONGENT160_STATE_SIZE); - c += SPONGENT160_STATE_SIZE; - m += SPONGENT160_STATE_SIZE; - mlen -= SPONGENT160_STATE_SIZE; - } - if (mlen > 0) { - /* Encrypt the last block using the current mask */ - unsigned temp = (unsigned)mlen; - memcpy(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, m, temp); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - memcpy(c, state.B, temp); - - /* Authenticate the last block using the next mask */ - dumbo_lfsr(next, mask); - state.B[temp] = 0x01; - memset(state.B + temp + 1, 0, SPONGENT160_STATE_SIZE - temp - 1); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, next, 
SPONGENT160_STATE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - c += temp; - } else if (*clen != DUMBO_TAG_SIZE) { - /* Pad and authenticate when the last block is aligned */ - dumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); - state.B[0] ^= 0x01; - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - } - - /* Generate the authentication tag */ - memcpy(c, tag, DUMBO_TAG_SIZE); - return 0; -} - -int dumbo_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - spongent160_state_t state; - unsigned char *mtemp = m; - unsigned char start[SPONGENT160_STATE_SIZE]; - unsigned char mask[SPONGENT160_STATE_SIZE]; - unsigned char next[SPONGENT160_STATE_SIZE]; - unsigned char tag[DUMBO_TAG_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < DUMBO_TAG_SIZE) - return -1; - *mlen = clen - DUMBO_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, DUMBO_KEY_SIZE); - memset(state.B + DUMBO_KEY_SIZE, 0, sizeof(state.B) - DUMBO_KEY_SIZE); - spongent160_permute(&state); - memcpy(mask, state.B, DUMBO_KEY_SIZE); - memset(mask + DUMBO_KEY_SIZE, 0, sizeof(mask) - DUMBO_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - dumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Decrypt and authenticate 
the payload */ - clen -= DUMBO_TAG_SIZE; - while (clen >= SPONGENT160_STATE_SIZE) { - /* Authenticate using the next mask */ - dumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, c, SPONGENT160_STATE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - - /* Decrypt using the current mask */ - memcpy(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block_2_src(m, state.B, c, SPONGENT160_STATE_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, SPONGENT160_STATE_SIZE); - c += SPONGENT160_STATE_SIZE; - m += SPONGENT160_STATE_SIZE; - clen -= SPONGENT160_STATE_SIZE; - } - if (clen > 0) { - /* Authenticate the last block using the next mask */ - unsigned temp = (unsigned)clen; - dumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, c, temp); - state.B[temp] ^= 0x01; - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - - /* Decrypt the last block using the current mask */ - memcpy(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, temp); - lw_xor_block_2_src(m, state.B, c, temp); - c += temp; - } else if (*mlen != 0) { - /* Pad and authenticate when the last block is aligned */ - dumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); - state.B[0] ^= 0x01; - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - } - - 
/* Check the authentication tag */ - return aead_check_tag(mtemp, *mlen, tag, c, DUMBO_TAG_SIZE); -} - -/** - * \brief Applies the Jumbo LFSR to the mask. - * - * \param out The output mask. - * \param in The input mask. - */ -static void jumbo_lfsr - (unsigned char out[SPONGENT176_STATE_SIZE], - const unsigned char in[SPONGENT176_STATE_SIZE]) -{ - unsigned char temp = - leftRotate1_8(in[0]) ^ (in[3] << 7) ^ (in[19] >> 7); - unsigned index; - for (index = 0; index < SPONGENT176_STATE_SIZE - 1; ++index) - out[index] = in[index + 1]; - out[SPONGENT176_STATE_SIZE - 1] = temp; -} - -/** - * \brief Processes the nonce and associated data for Jumbo. - * - * \param state Points to the Spongent-pi[170] state. - * \param mask Points to the initial mask value. - * \param next Points to the next mask value. - * \param tag Points to the ongoing tag that is being computed. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data. - */ -static void jumbo_process_ad - (spongent176_state_t *state, - unsigned char mask[SPONGENT176_STATE_SIZE], - unsigned char next[SPONGENT176_STATE_SIZE], - unsigned char tag[JUMBO_TAG_SIZE], - const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned posn, size; - - /* We need the "previous" and "next" masks in each step. 
- * Compare the first such values */ - jumbo_lfsr(next, mask); - jumbo_lfsr(next, next); - - /* Absorb the nonce into the state */ - lw_xor_block_2_src(state->B, mask, next, SPONGENT176_STATE_SIZE); - lw_xor_block(state->B, npub, JUMBO_NONCE_SIZE); - - /* Absorb the rest of the associated data */ - posn = JUMBO_NONCE_SIZE; - while (adlen > 0) { - size = SPONGENT176_STATE_SIZE - posn; - if (size <= adlen) { - /* Process a complete block */ - lw_xor_block(state->B + posn, ad, size); - spongent176_permute(state); - lw_xor_block(state->B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state->B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state->B, JUMBO_TAG_SIZE); - jumbo_lfsr(mask, mask); - jumbo_lfsr(next, next); - lw_xor_block_2_src(state->B, mask, next, SPONGENT176_STATE_SIZE); - posn = 0; - } else { - /* Process the partial block at the end of the associated data */ - size = (unsigned)adlen; - lw_xor_block(state->B + posn, ad, size); - posn += size; - } - ad += size; - adlen -= size; - } - - /* Pad and absorb the final block */ - state->B[posn] ^= 0x01; - spongent176_permute(state); - lw_xor_block(state->B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state->B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state->B, JUMBO_TAG_SIZE); -} - -int jumbo_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - spongent176_state_t state; - unsigned char start[SPONGENT176_STATE_SIZE]; - unsigned char mask[SPONGENT176_STATE_SIZE]; - unsigned char next[SPONGENT176_STATE_SIZE]; - unsigned char tag[JUMBO_TAG_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + JUMBO_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, JUMBO_KEY_SIZE); - memset(state.B + JUMBO_KEY_SIZE, 0, sizeof(state.B) - JUMBO_KEY_SIZE); - spongent176_permute(&state); 
- memcpy(mask, state.B, JUMBO_KEY_SIZE); - memset(mask + JUMBO_KEY_SIZE, 0, sizeof(mask) - JUMBO_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - jumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Encrypt and authenticate the payload */ - while (mlen >= SPONGENT176_STATE_SIZE) { - /* Encrypt using the current mask */ - memcpy(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, m, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); - memcpy(c, state.B, SPONGENT176_STATE_SIZE); - - /* Authenticate using the next mask */ - jumbo_lfsr(next, mask); - lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, next, SPONGENT176_STATE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state.B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, SPONGENT176_STATE_SIZE); - c += SPONGENT176_STATE_SIZE; - m += SPONGENT176_STATE_SIZE; - mlen -= SPONGENT176_STATE_SIZE; - } - if (mlen > 0) { - /* Encrypt the last block using the current mask */ - unsigned temp = (unsigned)mlen; - memcpy(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, m, temp); - lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); - memcpy(c, state.B, temp); - - /* Authenticate the last block using the next mask */ - jumbo_lfsr(next, mask); - state.B[temp] = 0x01; - memset(state.B + temp + 1, 0, SPONGENT176_STATE_SIZE - temp - 1); - lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, next, 
SPONGENT176_STATE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state.B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); - c += temp; - } else if (*clen != JUMBO_TAG_SIZE) { - /* Pad and authenticate when the last block is aligned */ - jumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); - state.B[0] ^= 0x01; - spongent176_permute(&state); - lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state.B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); - } - - /* Generate the authentication tag */ - memcpy(c, tag, JUMBO_TAG_SIZE); - return 0; -} - -int jumbo_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - spongent176_state_t state; - unsigned char *mtemp = m; - unsigned char start[SPONGENT176_STATE_SIZE]; - unsigned char mask[SPONGENT176_STATE_SIZE]; - unsigned char next[SPONGENT176_STATE_SIZE]; - unsigned char tag[JUMBO_TAG_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < JUMBO_TAG_SIZE) - return -1; - *mlen = clen - JUMBO_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, JUMBO_KEY_SIZE); - memset(state.B + JUMBO_KEY_SIZE, 0, sizeof(state.B) - JUMBO_KEY_SIZE); - spongent176_permute(&state); - memcpy(mask, state.B, JUMBO_KEY_SIZE); - memset(mask + JUMBO_KEY_SIZE, 0, sizeof(mask) - JUMBO_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - jumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Decrypt and authenticate 
the payload */ - clen -= JUMBO_TAG_SIZE; - while (clen >= SPONGENT176_STATE_SIZE) { - /* Authenticate using the next mask */ - jumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, c, SPONGENT176_STATE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state.B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); - - /* Decrypt using the current mask */ - memcpy(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block_2_src(m, state.B, c, SPONGENT176_STATE_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, SPONGENT176_STATE_SIZE); - c += SPONGENT176_STATE_SIZE; - m += SPONGENT176_STATE_SIZE; - clen -= SPONGENT176_STATE_SIZE; - } - if (clen > 0) { - /* Authenticate the last block using the next mask */ - unsigned temp = (unsigned)clen; - jumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, c, temp); - state.B[temp] ^= 0x01; - spongent176_permute(&state); - lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state.B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); - - /* Decrypt the last block using the current mask */ - memcpy(state.B, mask, SPONGENT176_STATE_SIZE); - lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE); - spongent176_permute(&state); - lw_xor_block(state.B, mask, temp); - lw_xor_block_2_src(m, state.B, c, temp); - c += temp; - } else if (*mlen != 0) { - /* Pad and authenticate when the last block is aligned */ - jumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE); - state.B[0] ^= 0x01; - spongent176_permute(&state); - lw_xor_block(state.B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state.B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, JUMBO_TAG_SIZE); - } - - 
/* Check the authentication tag */ - return aead_check_tag(mtemp, *mlen, tag, c, JUMBO_TAG_SIZE); -} - -/** - * \brief Applies the Delirium LFSR to the mask. - * - * \param out The output mask. - * \param in The input mask. - */ -static void delirium_lfsr - (unsigned char out[KECCAKP_200_STATE_SIZE], - const unsigned char in[KECCAKP_200_STATE_SIZE]) -{ - unsigned char temp = - leftRotate1_8(in[0]) ^ leftRotate1_8(in[2]) ^ (in[13] << 1); - unsigned index; - for (index = 0; index < KECCAKP_200_STATE_SIZE - 1; ++index) - out[index] = in[index + 1]; - out[KECCAKP_200_STATE_SIZE - 1] = temp; -} - -/** - * \brief Processes the nonce and associated data for Delirium. - * - * \param state Points to the Keccak[200] state. - * \param mask Points to the initial mask value. - * \param next Points to the next mask value. - * \param tag Points to the ongoing tag that is being computed. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data. - */ -static void delirium_process_ad - (keccakp_200_state_t *state, - unsigned char mask[KECCAKP_200_STATE_SIZE], - unsigned char next[KECCAKP_200_STATE_SIZE], - unsigned char tag[DELIRIUM_TAG_SIZE], - const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned posn, size; - - /* We need the "previous" and "next" masks in each step. 
- * Compare the first such values */ - delirium_lfsr(next, mask); - delirium_lfsr(next, next); - - /* Absorb the nonce into the state */ - lw_xor_block_2_src(state->B, mask, next, KECCAKP_200_STATE_SIZE); - lw_xor_block(state->B, npub, DELIRIUM_NONCE_SIZE); - - /* Absorb the rest of the associated data */ - posn = DELIRIUM_NONCE_SIZE; - while (adlen > 0) { - size = KECCAKP_200_STATE_SIZE - posn; - if (size <= adlen) { - /* Process a complete block */ - lw_xor_block(state->B + posn, ad, size); - keccakp_200_permute(state); - lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE); - delirium_lfsr(mask, mask); - delirium_lfsr(next, next); - lw_xor_block_2_src(state->B, mask, next, KECCAKP_200_STATE_SIZE); - posn = 0; - } else { - /* Process the partial block at the end of the associated data */ - size = (unsigned)adlen; - lw_xor_block(state->B + posn, ad, size); - posn += size; - } - ad += size; - adlen -= size; - } - - /* Pad and absorb the final block */ - state->B[posn] ^= 0x01; - keccakp_200_permute(state); - lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE); -} - -int delirium_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - keccakp_200_state_t state; - unsigned char start[KECCAKP_200_STATE_SIZE]; - unsigned char mask[KECCAKP_200_STATE_SIZE]; - unsigned char next[KECCAKP_200_STATE_SIZE]; - unsigned char tag[DELIRIUM_TAG_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + DELIRIUM_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, DELIRIUM_KEY_SIZE); - memset(state.B + DELIRIUM_KEY_SIZE, 0, 
sizeof(state.B) - DELIRIUM_KEY_SIZE); - keccakp_200_permute(&state); - memcpy(mask, state.B, DELIRIUM_KEY_SIZE); - memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - delirium_process_ad(&state, mask, next, tag, npub, ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Encrypt and authenticate the payload */ - while (mlen >= KECCAKP_200_STATE_SIZE) { - /* Encrypt using the current mask */ - memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, m, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); - memcpy(c, state.B, KECCAKP_200_STATE_SIZE); - - /* Authenticate using the next mask */ - delirium_lfsr(next, mask); - lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, KECCAKP_200_STATE_SIZE); - c += KECCAKP_200_STATE_SIZE; - m += KECCAKP_200_STATE_SIZE; - mlen -= KECCAKP_200_STATE_SIZE; - } - if (mlen > 0) { - /* Encrypt the last block using the current mask */ - unsigned temp = (unsigned)mlen; - memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, m, temp); - lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); - memcpy(c, state.B, temp); - - /* Authenticate the last block using the next mask */ - delirium_lfsr(next, mask); - state.B[temp] = 0x01; - memset(state.B + temp + 1, 0, KECCAKP_200_STATE_SIZE - temp - 
1); - lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); - c += temp; - } else if (*clen != DELIRIUM_TAG_SIZE) { - /* Pad and authenticate when the last block is aligned */ - delirium_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); - state.B[0] ^= 0x01; - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); - } - - /* Generate the authentication tag */ - memcpy(c, tag, DELIRIUM_TAG_SIZE); - return 0; -} - -int delirium_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - keccakp_200_state_t state; - unsigned char *mtemp = m; - unsigned char start[KECCAKP_200_STATE_SIZE]; - unsigned char mask[KECCAKP_200_STATE_SIZE]; - unsigned char next[KECCAKP_200_STATE_SIZE]; - unsigned char tag[DELIRIUM_TAG_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < DELIRIUM_TAG_SIZE) - return -1; - *mlen = clen - DELIRIUM_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, DELIRIUM_KEY_SIZE); - memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE); - keccakp_200_permute(&state); - memcpy(mask, state.B, DELIRIUM_KEY_SIZE); - memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - delirium_process_ad(&state, mask, next, tag, npub, 
ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Decrypt and authenticate the payload */ - clen -= DELIRIUM_TAG_SIZE; - while (clen >= KECCAKP_200_STATE_SIZE) { - /* Authenticate using the next mask */ - delirium_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, c, KECCAKP_200_STATE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); - - /* Decrypt using the current mask */ - memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block_2_src(m, state.B, c, KECCAKP_200_STATE_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, KECCAKP_200_STATE_SIZE); - c += KECCAKP_200_STATE_SIZE; - m += KECCAKP_200_STATE_SIZE; - clen -= KECCAKP_200_STATE_SIZE; - } - if (clen > 0) { - /* Authenticate the last block using the next mask */ - unsigned temp = (unsigned)clen; - delirium_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, c, temp); - state.B[temp] ^= 0x01; - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); - - /* Decrypt the last block using the current mask */ - memcpy(state.B, mask, KECCAKP_200_STATE_SIZE); - lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE); - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, temp); - lw_xor_block_2_src(m, state.B, c, temp); - c += temp; - } else if (*mlen != 0) { - /* Pad and authenticate when the last block is aligned */ - delirium_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE); - state.B[0] ^= 
0x01; - keccakp_200_permute(&state); - lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE); - lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE); - lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE); - } - - /* Check the authentication tag */ - return aead_check_tag(mtemp, *mlen, tag, c, DELIRIUM_TAG_SIZE); -} diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/elephant.h b/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/elephant.h deleted file mode 100644 index f775e3d..0000000 --- a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/elephant.h +++ /dev/null 
@@ -1,291 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_ELEPHANT_H -#define LWCRYPTO_ELEPHANT_H - -#include "aead-common.h" - -/** - * \file elephant.h - * \brief Elephant authenticated encryption algorithm family. - * - * Elephant is a family of authenticated encryption algorithms based - * around the Spongent-pi and Keccak permutations. - * - * \li Dumbo has a 128-bit key, a 96-bit nonce, and a 64-bit authentication - * tag. It is based around the Spongent-pi[160] permutation. This is - * the primary member of the family. - * \li Jumbo has a 128-bit key, a 96-bit nonce, and a 64-bit authentication - * tag. It is based around the Spongent-pi[176] permutation. - * \li Delirium has a 128-bit key, a 96-bit nonce, and a 128-bit authentication - * tag. It is based around the Keccak[200] permutation. 
- * - * References: https://www.esat.kuleuven.be/cosic/elephant/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for Dumbo. - */ -#define DUMBO_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Dumbo. - */ -#define DUMBO_TAG_SIZE 8 - -/** - * \brief Size of the nonce for Dumbo. - */ -#define DUMBO_NONCE_SIZE 12 - -/** - * \brief Size of the key for Jumbo. - */ -#define JUMBO_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Jumbo. - */ -#define JUMBO_TAG_SIZE 8 - -/** - * \brief Size of the nonce for Jumbo. - */ -#define JUMBO_NONCE_SIZE 12 - -/** - * \brief Size of the key for Delirium. - */ -#define DELIRIUM_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Delirium. - */ -#define DELIRIUM_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Delirium. - */ -#define DELIRIUM_NONCE_SIZE 12 - -/** - * \brief Meta-information block for the Dumbo cipher. - */ -extern aead_cipher_t const dumbo_cipher; - -/** - * \brief Meta-information block for the Jumbo cipher. - */ -extern aead_cipher_t const jumbo_cipher; - -/** - * \brief Meta-information block for the Delirium cipher. - */ -extern aead_cipher_t const delirium_cipher; - -/** - * \brief Encrypts and authenticates a packet with Dumbo. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. 
- * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa dumbo_aead_decrypt() - */ -int dumbo_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Dumbo. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa dumbo_aead_encrypt() - */ -int dumbo_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Jumbo. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. 
- * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa jumbo_aead_decrypt() - */ -int jumbo_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Jumbo. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa jumbo_aead_encrypt() - */ -int jumbo_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Delirium. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa delirium_aead_decrypt() - */ -int delirium_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Delirium. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa delirium_aead_encrypt() - */ -int delirium_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/encrypt.c b/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/encrypt.c deleted file mode 100644 index 89b60ae..0000000 --- a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "elephant.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return jumbo_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return jumbo_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} 
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-keccak.c b/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-keccak.c deleted file mode 100644 index 60539df..0000000 --- a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-keccak.c +++ /dev/null 
@@ -1,214 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-keccak.h" - -#if !defined(__AVR__) - -/* Faster method to compute ((x + y) % 5) that avoids the division */ -static unsigned char const addMod5Table[9] = { - 0, 1, 2, 3, 4, 0, 1, 2, 3 -}; -#define addMod5(x, y) (addMod5Table[(x) + (y)]) - -void keccakp_200_permute(keccakp_200_state_t *state) -{ - static uint8_t const RC[18] = { - 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, - 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, - 0x02, 0x80 - }; - uint8_t C[5]; - uint8_t D; - unsigned round; - unsigned index, index2; - for (round = 0; round < 18; ++round) { - /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. 
Compute D on the fly */ - for (index = 0; index < 5; ++index) { - C[index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; - } - for (index = 0; index < 5; ++index) { - D = C[addMod5(index, 4)] ^ - leftRotate1_8(C[addMod5(index, 1)]); - for (index2 = 0; index2 < 5; ++index2) - state->A[index2][index] ^= D; - } - - /* Step mapping rho and pi combined into a single step. - * Rotate all lanes by a specific offset and rearrange */ - D = state->A[0][1]; - state->A[0][1] = leftRotate4_8(state->A[1][1]); - state->A[1][1] = leftRotate4_8(state->A[1][4]); - state->A[1][4] = leftRotate5_8(state->A[4][2]); - state->A[4][2] = leftRotate7_8(state->A[2][4]); - state->A[2][4] = leftRotate2_8(state->A[4][0]); - state->A[4][0] = leftRotate6_8(state->A[0][2]); - state->A[0][2] = leftRotate3_8(state->A[2][2]); - state->A[2][2] = leftRotate1_8(state->A[2][3]); - state->A[2][3] = state->A[3][4]; - state->A[3][4] = state->A[4][3]; - state->A[4][3] = leftRotate1_8(state->A[3][0]); - state->A[3][0] = leftRotate3_8(state->A[0][4]); - state->A[0][4] = leftRotate6_8(state->A[4][4]); - state->A[4][4] = leftRotate2_8(state->A[4][1]); - state->A[4][1] = leftRotate7_8(state->A[1][3]); - state->A[1][3] = leftRotate5_8(state->A[3][1]); - state->A[3][1] = leftRotate4_8(state->A[1][0]); - state->A[1][0] = leftRotate4_8(state->A[0][3]); - state->A[0][3] = leftRotate5_8(state->A[3][3]); - state->A[3][3] = leftRotate7_8(state->A[3][2]); - state->A[3][2] = leftRotate2_8(state->A[2][1]); - state->A[2][1] = leftRotate6_8(state->A[1][2]); - state->A[1][2] = leftRotate3_8(state->A[2][0]); - state->A[2][0] = leftRotate1_8(D); - - /* Step mapping chi. 
Combine each lane with two others in its row */ - for (index = 0; index < 5; ++index) { - C[0] = state->A[index][0]; - C[1] = state->A[index][1]; - C[2] = state->A[index][2]; - C[3] = state->A[index][3]; - C[4] = state->A[index][4]; - for (index2 = 0; index2 < 5; ++index2) { - state->A[index][index2] = - C[index2] ^ - ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); - } - } - - /* Step mapping iota. XOR A[0][0] with the round constant */ - state->A[0][0] ^= RC[round]; - } -} - -#if defined(LW_UTIL_LITTLE_ENDIAN) -#define keccakp_400_permute_host keccakp_400_permute -#endif - -/* Keccak-p[400] that assumes that the input is already in host byte order */ -void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) -{ - static uint16_t const RC[20] = { - 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009, - 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, - 0x8002, 0x0080, 0x800A, 0x000A - }; - uint16_t C[5]; - uint16_t D; - unsigned round; - unsigned index, index2; - for (round = 20 - rounds; round < 20; ++round) { - /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. Compute D on the fly */ - for (index = 0; index < 5; ++index) { - C[index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; - } - for (index = 0; index < 5; ++index) { - D = C[addMod5(index, 4)] ^ - leftRotate1_16(C[addMod5(index, 1)]); - for (index2 = 0; index2 < 5; ++index2) - state->A[index2][index] ^= D; - } - - /* Step mapping rho and pi combined into a single step. 
- * Rotate all lanes by a specific offset and rearrange */ - D = state->A[0][1]; - state->A[0][1] = leftRotate12_16(state->A[1][1]); - state->A[1][1] = leftRotate4_16 (state->A[1][4]); - state->A[1][4] = leftRotate13_16(state->A[4][2]); - state->A[4][2] = leftRotate7_16 (state->A[2][4]); - state->A[2][4] = leftRotate2_16 (state->A[4][0]); - state->A[4][0] = leftRotate14_16(state->A[0][2]); - state->A[0][2] = leftRotate11_16(state->A[2][2]); - state->A[2][2] = leftRotate9_16 (state->A[2][3]); - state->A[2][3] = leftRotate8_16 (state->A[3][4]); - state->A[3][4] = leftRotate8_16 (state->A[4][3]); - state->A[4][3] = leftRotate9_16 (state->A[3][0]); - state->A[3][0] = leftRotate11_16(state->A[0][4]); - state->A[0][4] = leftRotate14_16(state->A[4][4]); - state->A[4][4] = leftRotate2_16 (state->A[4][1]); - state->A[4][1] = leftRotate7_16 (state->A[1][3]); - state->A[1][3] = leftRotate13_16(state->A[3][1]); - state->A[3][1] = leftRotate4_16 (state->A[1][0]); - state->A[1][0] = leftRotate12_16(state->A[0][3]); - state->A[0][3] = leftRotate5_16 (state->A[3][3]); - state->A[3][3] = leftRotate15_16(state->A[3][2]); - state->A[3][2] = leftRotate10_16(state->A[2][1]); - state->A[2][1] = leftRotate6_16 (state->A[1][2]); - state->A[1][2] = leftRotate3_16 (state->A[2][0]); - state->A[2][0] = leftRotate1_16(D); - - /* Step mapping chi. Combine each lane with two others in its row */ - for (index = 0; index < 5; ++index) { - C[0] = state->A[index][0]; - C[1] = state->A[index][1]; - C[2] = state->A[index][2]; - C[3] = state->A[index][3]; - C[4] = state->A[index][4]; - for (index2 = 0; index2 < 5; ++index2) { - state->A[index][index2] = - C[index2] ^ - ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); - } - } - - /* Step mapping iota. XOR A[0][0] with the round constant */ - state->A[0][0] ^= RC[round]; - } -} - -#if !defined(LW_UTIL_LITTLE_ENDIAN) - -/** - * \brief Reverses the bytes in a Keccak-p[400] state. - * - * \param state The Keccak-p[400] state to apply byte-reversal to. 
- */ -static void keccakp_400_reverse_bytes(keccakp_400_state_t *state) -{ - unsigned index; - unsigned char temp1; - unsigned char temp2; - for (index = 0; index < 50; index += 2) { - temp1 = state->B[index]; - temp2 = state->B[index + 1]; - state->B[index] = temp2; - state->B[index + 1] = temp1; - } -} - -/* Keccak-p[400] that requires byte reversal on input and output */ -void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) -{ - keccakp_400_reverse_bytes(state); - keccakp_400_permute_host(state, rounds); - keccakp_400_reverse_bytes(state); -} - -#endif - -#endif /* !__AVR__ */ diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-spongent.c b/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-spongent.c deleted file mode 100644 index 8e0d57d..0000000 --- a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-spongent.c +++ /dev/null 
@@ -1,350 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-spongent.h" - -#if !defined(__AVR__) - -/** - * \brief Applies the Spongent-pi S-box in parallel to the 8 nibbles - * of a 32-bit word. - * - * \param x3 The input values to the parallel S-boxes. - * - * \return The output values from the parallel S-boxes. - * - * Based on the bit-sliced S-box implementation from here: - * https://github.com/DadaIsCrazy/usuba/blob/master/data/sboxes/spongent.ua - * - * Note that spongent.ua numbers bits from highest to lowest, so x0 is the - * high bit of each nibble and x3 is the low bit. 
- */ -static uint32_t spongent_sbox(uint32_t x3) -{ - uint32_t q0, q1, q2, q3, t0, t1, t2, t3; - uint32_t x2 = (x3 >> 1); - uint32_t x1 = (x2 >> 1); - uint32_t x0 = (x1 >> 1); - q0 = x0 ^ x2; - q1 = x1 ^ x2; - t0 = q0 & q1; - q2 = ~(x0 ^ x1 ^ x3 ^ t0); - t1 = q2 & ~x0; - q3 = x1 ^ t1; - t2 = q3 & (q3 ^ x2 ^ x3 ^ t0); - t3 = (x2 ^ t0) & ~(x1 ^ t0); - q0 = x1 ^ x2 ^ x3 ^ t2; - q1 = x0 ^ x2 ^ x3 ^ t0 ^ t1; - q2 = x0 ^ x1 ^ x2 ^ t1; - q3 = x0 ^ x3 ^ t0 ^ t3; - return ((q0 << 3) & 0x88888888U) | ((q1 << 2) & 0x44444444U) | - ((q2 << 1) & 0x22222222U) | (q3 & 0x11111111U); -} - -void spongent160_permute(spongent160_state_t *state) -{ - static uint8_t const RC[] = { - /* Round constants for Spongent-pi[160] */ - 0x75, 0xae, 0x6a, 0x56, 0x54, 0x2a, 0x29, 0x94, - 0x53, 0xca, 0x27, 0xe4, 0x4f, 0xf2, 0x1f, 0xf8, - 0x3e, 0x7c, 0x7d, 0xbe, 0x7a, 0x5e, 0x74, 0x2e, - 0x68, 0x16, 0x50, 0x0a, 0x21, 0x84, 0x43, 0xc2, - 0x07, 0xe0, 0x0e, 0x70, 0x1c, 0x38, 0x38, 0x1c, - 0x71, 0x8e, 0x62, 0x46, 0x44, 0x22, 0x09, 0x90, - 0x12, 0x48, 0x24, 0x24, 0x49, 0x92, 0x13, 0xc8, - 0x26, 0x64, 0x4d, 0xb2, 0x1b, 0xd8, 0x36, 0x6c, - 0x6d, 0xb6, 0x5a, 0x5a, 0x35, 0xac, 0x6b, 0xd6, - 0x56, 0x6a, 0x2d, 0xb4, 0x5b, 0xda, 0x37, 0xec, - 0x6f, 0xf6, 0x5e, 0x7a, 0x3d, 0xbc, 0x7b, 0xde, - 0x76, 0x6e, 0x6c, 0x36, 0x58, 0x1a, 0x31, 0x8c, - 0x63, 0xc6, 0x46, 0x62, 0x0d, 0xb0, 0x1a, 0x58, - 0x34, 0x2c, 0x69, 0x96, 0x52, 0x4a, 0x25, 0xa4, - 0x4b, 0xd2, 0x17, 0xe8, 0x2e, 0x74, 0x5d, 0xba, - 0x3b, 0xdc, 0x77, 0xee, 0x6e, 0x76, 0x5c, 0x3a, - 0x39, 0x9c, 0x73, 0xce, 0x66, 0x66, 0x4c, 0x32, - 0x19, 0x98, 0x32, 0x4c, 0x65, 0xa6, 0x4a, 0x52, - 0x15, 0xa8, 0x2a, 0x54, 0x55, 0xaa, 0x2b, 0xd4, - 0x57, 0xea, 0x2f, 0xf4, 0x5f, 0xfa, 0x3f, 0xfc - }; - const uint8_t *rc = RC; - uint32_t x0, x1, x2, x3, x4; - uint32_t t0, t1, t2, t3, t4; - uint8_t round; - - /* Load the state into local variables and convert from little-endian */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - x0 = state->W[0]; - x1 = state->W[1]; - x2 = state->W[2]; - x3 
= state->W[3]; - x4 = state->W[4]; -#else - x0 = le_load_word32(state->B); - x1 = le_load_word32(state->B + 4); - x2 = le_load_word32(state->B + 8); - x3 = le_load_word32(state->B + 12); - x4 = le_load_word32(state->B + 16); -#endif - - /* Perform the 80 rounds of Spongent-pi[160] */ - for (round = 0; round < 80; ++round, rc += 2) { - /* Add the round constant to front and back of the state */ - x0 ^= rc[0]; - x4 ^= ((uint32_t)(rc[1])) << 24; - - /* Apply the S-box to all 4-bit groups in the state */ - t0 = spongent_sbox(x0); - t1 = spongent_sbox(x1); - t2 = spongent_sbox(x2); - t3 = spongent_sbox(x3); - t4 = spongent_sbox(x4); - - /* Permute the bits of the state. Bit i is moved to (40 * i) % 159 - * for all bits except the last which is left where it is. - * BCP = bit copy, BUP = move bit up, BDN = move bit down */ - #define BCP(x, bit) ((x) & (((uint32_t)1) << (bit))) - #define BUP(x, from, to) \ - (((x) << ((to) - (from))) & (((uint32_t)1) << (to))) - #define BDN(x, from, to) \ - (((x) >> ((from) - (to))) & (((uint32_t)1) << (to))) - x0 = BCP(t0, 0) ^ BDN(t0, 4, 1) ^ BDN(t0, 8, 2) ^ - BDN(t0, 12, 3) ^ BDN(t0, 16, 4) ^ BDN(t0, 20, 5) ^ - BDN(t0, 24, 6) ^ BDN(t0, 28, 7) ^ BUP(t1, 0, 8) ^ - BUP(t1, 4, 9) ^ BUP(t1, 8, 10) ^ BDN(t1, 12, 11) ^ - BDN(t1, 16, 12) ^ BDN(t1, 20, 13) ^ BDN(t1, 24, 14) ^ - BDN(t1, 28, 15) ^ BUP(t2, 0, 16) ^ BUP(t2, 4, 17) ^ - BUP(t2, 8, 18) ^ BUP(t2, 12, 19) ^ BUP(t2, 16, 20) ^ - BUP(t2, 20, 21) ^ BDN(t2, 24, 22) ^ BDN(t2, 28, 23) ^ - BUP(t3, 0, 24) ^ BUP(t3, 4, 25) ^ BUP(t3, 8, 26) ^ - BUP(t3, 12, 27) ^ BUP(t3, 16, 28) ^ BUP(t3, 20, 29) ^ - BUP(t3, 24, 30) ^ BUP(t3, 28, 31); - x1 = BUP(t0, 1, 8) ^ BUP(t0, 5, 9) ^ BUP(t0, 9, 10) ^ - BDN(t0, 13, 11) ^ BDN(t0, 17, 12) ^ BDN(t0, 21, 13) ^ - BDN(t0, 25, 14) ^ BDN(t0, 29, 15) ^ BUP(t1, 1, 16) ^ - BUP(t1, 5, 17) ^ BUP(t1, 9, 18) ^ BUP(t1, 13, 19) ^ - BUP(t1, 17, 20) ^ BCP(t1, 21) ^ BDN(t1, 25, 22) ^ - BDN(t1, 29, 23) ^ BUP(t2, 1, 24) ^ BUP(t2, 5, 25) ^ - BUP(t2, 9, 26) ^ BUP(t2, 13, 27) ^ 
BUP(t2, 17, 28) ^ - BUP(t2, 21, 29) ^ BUP(t2, 25, 30) ^ BUP(t2, 29, 31) ^ - BCP(t4, 0) ^ BDN(t4, 4, 1) ^ BDN(t4, 8, 2) ^ - BDN(t4, 12, 3) ^ BDN(t4, 16, 4) ^ BDN(t4, 20, 5) ^ - BDN(t4, 24, 6) ^ BDN(t4, 28, 7); - x2 = BUP(t0, 2, 16) ^ BUP(t0, 6, 17) ^ BUP(t0, 10, 18) ^ - BUP(t0, 14, 19) ^ BUP(t0, 18, 20) ^ BDN(t0, 22, 21) ^ - BDN(t0, 26, 22) ^ BDN(t0, 30, 23) ^ BUP(t1, 2, 24) ^ - BUP(t1, 6, 25) ^ BUP(t1, 10, 26) ^ BUP(t1, 14, 27) ^ - BUP(t1, 18, 28) ^ BUP(t1, 22, 29) ^ BUP(t1, 26, 30) ^ - BUP(t1, 30, 31) ^ BDN(t3, 1, 0) ^ BDN(t3, 5, 1) ^ - BDN(t3, 9, 2) ^ BDN(t3, 13, 3) ^ BDN(t3, 17, 4) ^ - BDN(t3, 21, 5) ^ BDN(t3, 25, 6) ^ BDN(t3, 29, 7) ^ - BUP(t4, 1, 8) ^ BUP(t4, 5, 9) ^ BUP(t4, 9, 10) ^ - BDN(t4, 13, 11) ^ BDN(t4, 17, 12) ^ BDN(t4, 21, 13) ^ - BDN(t4, 25, 14) ^ BDN(t4, 29, 15); - x3 = BUP(t0, 3, 24) ^ BUP(t0, 7, 25) ^ BUP(t0, 11, 26) ^ - BUP(t0, 15, 27) ^ BUP(t0, 19, 28) ^ BUP(t0, 23, 29) ^ - BUP(t0, 27, 30) ^ BCP(t0, 31) ^ BDN(t2, 2, 0) ^ - BDN(t2, 6, 1) ^ BDN(t2, 10, 2) ^ BDN(t2, 14, 3) ^ - BDN(t2, 18, 4) ^ BDN(t2, 22, 5) ^ BDN(t2, 26, 6) ^ - BDN(t2, 30, 7) ^ BUP(t3, 2, 8) ^ BUP(t3, 6, 9) ^ - BCP(t3, 10) ^ BDN(t3, 14, 11) ^ BDN(t3, 18, 12) ^ - BDN(t3, 22, 13) ^ BDN(t3, 26, 14) ^ BDN(t3, 30, 15) ^ - BUP(t4, 2, 16) ^ BUP(t4, 6, 17) ^ BUP(t4, 10, 18) ^ - BUP(t4, 14, 19) ^ BUP(t4, 18, 20) ^ BDN(t4, 22, 21) ^ - BDN(t4, 26, 22) ^ BDN(t4, 30, 23); - x4 = BDN(t1, 3, 0) ^ BDN(t1, 7, 1) ^ BDN(t1, 11, 2) ^ - BDN(t1, 15, 3) ^ BDN(t1, 19, 4) ^ BDN(t1, 23, 5) ^ - BDN(t1, 27, 6) ^ BDN(t1, 31, 7) ^ BUP(t2, 3, 8) ^ - BUP(t2, 7, 9) ^ BDN(t2, 11, 10) ^ BDN(t2, 15, 11) ^ - BDN(t2, 19, 12) ^ BDN(t2, 23, 13) ^ BDN(t2, 27, 14) ^ - BDN(t2, 31, 15) ^ BUP(t3, 3, 16) ^ BUP(t3, 7, 17) ^ - BUP(t3, 11, 18) ^ BUP(t3, 15, 19) ^ BUP(t3, 19, 20) ^ - BDN(t3, 23, 21) ^ BDN(t3, 27, 22) ^ BDN(t3, 31, 23) ^ - BUP(t4, 3, 24) ^ BUP(t4, 7, 25) ^ BUP(t4, 11, 26) ^ - BUP(t4, 15, 27) ^ BUP(t4, 19, 28) ^ BUP(t4, 23, 29) ^ - BUP(t4, 27, 30) ^ BCP(t4, 31); - } - - /* Store the local variables back to the 
state in little-endian order */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->W[0] = x0; - state->W[1] = x1; - state->W[2] = x2; - state->W[3] = x3; - state->W[4] = x4; -#else - le_store_word32(state->B, x0); - le_store_word32(state->B + 4, x1); - le_store_word32(state->B + 8, x2); - le_store_word32(state->B + 12, x3); - le_store_word32(state->B + 16, x4); -#endif -} - -void spongent176_permute(spongent176_state_t *state) -{ - static uint8_t const RC[] = { - /* Round constants for Spongent-pi[176] */ - 0x45, 0xa2, 0x0b, 0xd0, 0x16, 0x68, 0x2c, 0x34, - 0x59, 0x9a, 0x33, 0xcc, 0x67, 0xe6, 0x4e, 0x72, - 0x1d, 0xb8, 0x3a, 0x5c, 0x75, 0xae, 0x6a, 0x56, - 0x54, 0x2a, 0x29, 0x94, 0x53, 0xca, 0x27, 0xe4, - 0x4f, 0xf2, 0x1f, 0xf8, 0x3e, 0x7c, 0x7d, 0xbe, - 0x7a, 0x5e, 0x74, 0x2e, 0x68, 0x16, 0x50, 0x0a, - 0x21, 0x84, 0x43, 0xc2, 0x07, 0xe0, 0x0e, 0x70, - 0x1c, 0x38, 0x38, 0x1c, 0x71, 0x8e, 0x62, 0x46, - 0x44, 0x22, 0x09, 0x90, 0x12, 0x48, 0x24, 0x24, - 0x49, 0x92, 0x13, 0xc8, 0x26, 0x64, 0x4d, 0xb2, - 0x1b, 0xd8, 0x36, 0x6c, 0x6d, 0xb6, 0x5a, 0x5a, - 0x35, 0xac, 0x6b, 0xd6, 0x56, 0x6a, 0x2d, 0xb4, - 0x5b, 0xda, 0x37, 0xec, 0x6f, 0xf6, 0x5e, 0x7a, - 0x3d, 0xbc, 0x7b, 0xde, 0x76, 0x6e, 0x6c, 0x36, - 0x58, 0x1a, 0x31, 0x8c, 0x63, 0xc6, 0x46, 0x62, - 0x0d, 0xb0, 0x1a, 0x58, 0x34, 0x2c, 0x69, 0x96, - 0x52, 0x4a, 0x25, 0xa4, 0x4b, 0xd2, 0x17, 0xe8, - 0x2e, 0x74, 0x5d, 0xba, 0x3b, 0xdc, 0x77, 0xee, - 0x6e, 0x76, 0x5c, 0x3a, 0x39, 0x9c, 0x73, 0xce, - 0x66, 0x66, 0x4c, 0x32, 0x19, 0x98, 0x32, 0x4c, - 0x65, 0xa6, 0x4a, 0x52, 0x15, 0xa8, 0x2a, 0x54, - 0x55, 0xaa, 0x2b, 0xd4, 0x57, 0xea, 0x2f, 0xf4, - 0x5f, 0xfa, 0x3f, 0xfc - }; - const uint8_t *rc = RC; - uint32_t x0, x1, x2, x3, x4, x5; - uint32_t t0, t1, t2, t3, t4, t5; - uint8_t round; - - /* Load the state into local variables and convert from little-endian */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - x0 = state->W[0]; - x1 = state->W[1]; - x2 = state->W[2]; - x3 = state->W[3]; - x4 = state->W[4]; - x5 = state->W[5]; -#else - x0 = 
le_load_word32(state->B); - x1 = le_load_word32(state->B + 4); - x2 = le_load_word32(state->B + 8); - x3 = le_load_word32(state->B + 12); - x4 = le_load_word32(state->B + 16); - x5 = le_load_word16(state->B + 20); /* Last word is only 16 bits */ -#endif - - /* Perform the 90 rounds of Spongent-pi[176] */ - for (round = 0; round < 90; ++round, rc += 2) { - /* Add the round constant to front and back of the state */ - x0 ^= rc[0]; - x5 ^= ((uint32_t)(rc[1])) << 8; - - /* Apply the S-box to all 4-bit groups in the state */ - t0 = spongent_sbox(x0); - t1 = spongent_sbox(x1); - t2 = spongent_sbox(x2); - t3 = spongent_sbox(x3); - t4 = spongent_sbox(x4); - t5 = spongent_sbox(x5); - - /* Permute the bits of the state. Bit i is moved to (44 * i) % 175 - * for all bits except the last which is left where it is. - * BCP = bit copy, BUP = move bit up, BDN = move bit down */ - x0 = BCP(t0, 0) ^ BDN(t0, 4, 1) ^ BDN(t0, 8, 2) ^ - BDN(t0, 12, 3) ^ BDN(t0, 16, 4) ^ BDN(t0, 20, 5) ^ - BDN(t0, 24, 6) ^ BDN(t0, 28, 7) ^ BUP(t1, 0, 8) ^ - BUP(t1, 4, 9) ^ BUP(t1, 8, 10) ^ BDN(t1, 12, 11) ^ - BDN(t1, 16, 12) ^ BDN(t1, 20, 13) ^ BDN(t1, 24, 14) ^ - BDN(t1, 28, 15) ^ BUP(t2, 0, 16) ^ BUP(t2, 4, 17) ^ - BUP(t2, 8, 18) ^ BUP(t2, 12, 19) ^ BUP(t2, 16, 20) ^ - BUP(t2, 20, 21) ^ BDN(t2, 24, 22) ^ BDN(t2, 28, 23) ^ - BUP(t3, 0, 24) ^ BUP(t3, 4, 25) ^ BUP(t3, 8, 26) ^ - BUP(t3, 12, 27) ^ BUP(t3, 16, 28) ^ BUP(t3, 20, 29) ^ - BUP(t3, 24, 30) ^ BUP(t3, 28, 31); - x1 = BUP(t0, 1, 12) ^ BUP(t0, 5, 13) ^ BUP(t0, 9, 14) ^ - BUP(t0, 13, 15) ^ BDN(t0, 17, 16) ^ BDN(t0, 21, 17) ^ - BDN(t0, 25, 18) ^ BDN(t0, 29, 19) ^ BUP(t1, 1, 20) ^ - BUP(t1, 5, 21) ^ BUP(t1, 9, 22) ^ BUP(t1, 13, 23) ^ - BUP(t1, 17, 24) ^ BUP(t1, 21, 25) ^ BUP(t1, 25, 26) ^ - BDN(t1, 29, 27) ^ BUP(t2, 1, 28) ^ BUP(t2, 5, 29) ^ - BUP(t2, 9, 30) ^ BUP(t2, 13, 31) ^ BCP(t4, 0) ^ - BDN(t4, 4, 1) ^ BDN(t4, 8, 2) ^ BDN(t4, 12, 3) ^ - BDN(t4, 16, 4) ^ BDN(t4, 20, 5) ^ BDN(t4, 24, 6) ^ - BDN(t4, 28, 7) ^ BUP(t5, 0, 8) ^ BUP(t5, 4, 9) ^ - BUP(t5, 
8, 10) ^ BDN(t5, 12, 11); - x2 = BUP(t0, 2, 24) ^ BUP(t0, 6, 25) ^ BUP(t0, 10, 26) ^ - BUP(t0, 14, 27) ^ BUP(t0, 18, 28) ^ BUP(t0, 22, 29) ^ - BUP(t0, 26, 30) ^ BUP(t0, 30, 31) ^ BDN(t2, 17, 0) ^ - BDN(t2, 21, 1) ^ BDN(t2, 25, 2) ^ BDN(t2, 29, 3) ^ - BUP(t3, 1, 4) ^ BCP(t3, 5) ^ BDN(t3, 9, 6) ^ - BDN(t3, 13, 7) ^ BDN(t3, 17, 8) ^ BDN(t3, 21, 9) ^ - BDN(t3, 25, 10) ^ BDN(t3, 29, 11) ^ BUP(t4, 1, 12) ^ - BUP(t4, 5, 13) ^ BUP(t4, 9, 14) ^ BUP(t4, 13, 15) ^ - BDN(t4, 17, 16) ^ BDN(t4, 21, 17) ^ BDN(t4, 25, 18) ^ - BDN(t4, 29, 19) ^ BUP(t5, 1, 20) ^ BUP(t5, 5, 21) ^ - BUP(t5, 9, 22) ^ BUP(t5, 13, 23); - x3 = BDN(t1, 2, 0) ^ BDN(t1, 6, 1) ^ BDN(t1, 10, 2) ^ - BDN(t1, 14, 3) ^ BDN(t1, 18, 4) ^ BDN(t1, 22, 5) ^ - BDN(t1, 26, 6) ^ BDN(t1, 30, 7) ^ BUP(t2, 2, 8) ^ - BUP(t2, 6, 9) ^ BCP(t2, 10) ^ BDN(t2, 14, 11) ^ - BDN(t2, 18, 12) ^ BDN(t2, 22, 13) ^ BDN(t2, 26, 14) ^ - BDN(t2, 30, 15) ^ BUP(t3, 2, 16) ^ BUP(t3, 6, 17) ^ - BUP(t3, 10, 18) ^ BUP(t3, 14, 19) ^ BUP(t3, 18, 20) ^ - BDN(t3, 22, 21) ^ BDN(t3, 26, 22) ^ BDN(t3, 30, 23) ^ - BUP(t4, 2, 24) ^ BUP(t4, 6, 25) ^ BUP(t4, 10, 26) ^ - BUP(t4, 14, 27) ^ BUP(t4, 18, 28) ^ BUP(t4, 22, 29) ^ - BUP(t4, 26, 30) ^ BUP(t4, 30, 31); - x4 = BUP(t0, 3, 4) ^ BDN(t0, 7, 5) ^ BDN(t0, 11, 6) ^ - BDN(t0, 15, 7) ^ BDN(t0, 19, 8) ^ BDN(t0, 23, 9) ^ - BDN(t0, 27, 10) ^ BDN(t0, 31, 11) ^ BUP(t1, 3, 12) ^ - BUP(t1, 7, 13) ^ BUP(t1, 11, 14) ^ BCP(t1, 15) ^ - BDN(t1, 19, 16) ^ BDN(t1, 23, 17) ^ BDN(t1, 27, 18) ^ - BDN(t1, 31, 19) ^ BUP(t2, 3, 20) ^ BUP(t2, 7, 21) ^ - BUP(t2, 11, 22) ^ BUP(t2, 15, 23) ^ BUP(t2, 19, 24) ^ - BUP(t2, 23, 25) ^ BDN(t2, 27, 26) ^ BDN(t2, 31, 27) ^ - BUP(t3, 3, 28) ^ BUP(t3, 7, 29) ^ BUP(t3, 11, 30) ^ - BUP(t3, 15, 31) ^ BDN(t5, 2, 0) ^ BDN(t5, 6, 1) ^ - BDN(t5, 10, 2) ^ BDN(t5, 14, 3); - x5 = BDN(t3, 19, 0) ^ BDN(t3, 23, 1) ^ BDN(t3, 27, 2) ^ - BDN(t3, 31, 3) ^ BUP(t4, 3, 4) ^ BDN(t4, 7, 5) ^ - BDN(t4, 11, 6) ^ BDN(t4, 15, 7) ^ BDN(t4, 19, 8) ^ - BDN(t4, 23, 9) ^ BDN(t4, 27, 10) ^ BDN(t4, 31, 11) ^ - BUP(t5, 3, 12) ^ 
BUP(t5, 7, 13) ^ BUP(t5, 11, 14) ^
- BCP(t5, 15);
- }
-
- /* Store the local variables back to the state in little-endian order */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->W[0] = x0;
- state->W[1] = x1;
- state->W[2] = x2;
- state->W[3] = x3;
- state->W[4] = x4;
- state->W[5] = x5;
-#else
- le_store_word32(state->B, x0);
- le_store_word32(state->B + 4, x1);
- le_store_word32(state->B + 8, x2);
- le_store_word32(state->B + 12, x3);
- le_store_word32(state->B + 16, x4);
- le_store_word16(state->B + 20, x5); /* Last word is only 16 bits */
-#endif
-}
-
-#endif /* !__AVR__ */
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.c b/elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.c
index 770f568..2f7abb3 100644
--- a/elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.c
+++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/elephant.c
@@ -660,7 +660,7 @@ static void delirium_process_ad
 if (size <= adlen) {
 /* Process a complete block */
 lw_xor_block(state->B + posn, ad, size);
- keccakp_200_permute(state, 18);
+ keccakp_200_permute(state);
 lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE);
@@ -680,7 +680,7 @@ static void delirium_process_ad
 /* Pad and absorb the final block */
 state->B[posn] ^= 0x01;
- keccakp_200_permute(state, 18);
+ keccakp_200_permute(state);
 lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE);
@@ -707,7 +707,7 @@ int delirium_aead_encrypt
 /* Hash the key and generate the initial mask */
 memcpy(state.B, k, DELIRIUM_KEY_SIZE);
 memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 memcpy(mask, state.B, DELIRIUM_KEY_SIZE);
 memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE);
 memcpy(start, mask, sizeof(mask));
@@ -726,7 +726,7 @@ int delirium_aead_encrypt
 /* Encrypt using the current mask */
 memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, m, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 memcpy(c, state.B, KECCAKP_200_STATE_SIZE);
@@ -735,7 +735,7 @@ int delirium_aead_encrypt
 delirium_lfsr(next, mask);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -751,7 +751,7 @@ int delirium_aead_encrypt
 unsigned temp = (unsigned)mlen;
 memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, m, temp);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 memcpy(c, state.B, temp);
@@ -762,7 +762,7 @@ int delirium_aead_encrypt
 memset(state.B + temp + 1, 0, KECCAKP_200_STATE_SIZE - temp - 1);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -772,7 +772,7 @@ int delirium_aead_encrypt
 delirium_lfsr(next, mask);
 lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
 state.B[0] ^= 0x01;
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -807,7 +807,7 @@ int delirium_aead_decrypt
 /* Hash the key and generate the initial mask */
 memcpy(state.B, k, DELIRIUM_KEY_SIZE);
 memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 memcpy(mask, state.B, DELIRIUM_KEY_SIZE);
 memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE);
 memcpy(start, mask, sizeof(mask));
@@ -828,7 +828,7 @@ int delirium_aead_decrypt
 delirium_lfsr(next, mask);
 lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, c, KECCAKP_200_STATE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -836,7 +836,7 @@ int delirium_aead_decrypt
 /* Decrypt using the current mask */
 memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block_2_src(m, state.B, c, KECCAKP_200_STATE_SIZE);
@@ -853,7 +853,7 @@ int delirium_aead_decrypt
 lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, c, temp);
 state.B[temp] ^= 0x01;
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -861,7 +861,7 @@ int delirium_aead_decrypt
 /* Decrypt the last block using the current mask */
 memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, temp);
 lw_xor_block_2_src(m, state.B, c, temp);
 c += temp;
@@ -870,7 +870,7 @@ int delirium_aead_decrypt
 delirium_lfsr(next, mask);
 lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
 state.B[0] ^= 0x01;
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-keccak-avr.S b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak-avr.S
similarity index 100%
rename from elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-keccak-avr.S
rename to elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak-avr.S
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.c b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.c
index c3c4011..60539df 100644
--- a/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.c
+++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.c
@@ -22,74 +22,79 @@
 #include "internal-keccak.h"
+#if !defined(__AVR__)
+
 /* Faster method to compute ((x + y) % 5) that avoids the division */
 static unsigned char const addMod5Table[9] = {
 0, 1, 2, 3, 4, 0, 1, 2, 3
 };
 #define addMod5(x, y) (addMod5Table[(x) + (y)])
-void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds)
+void keccakp_200_permute(keccakp_200_state_t *state)
 {
 static uint8_t const RC[18] = {
 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09,
 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03,
 0x02, 0x80
 };
- uint8_t B[5][5];
+ uint8_t C[5];
 uint8_t D;
 unsigned round;
 unsigned index, index2;
- for (round = 18 - rounds; round < 18; ++round) {
+ for (round = 0; round < 18; ++round) {
 /* Step mapping theta. The specification mentions two temporary
- * arrays of size 5 called C and D. To save a bit of memory,
- * we use the first row of B to store C and compute D on the fly */
+ * arrays of size 5 called C and D. Compute D on the fly */
 for (index = 0; index < 5; ++index) {
- B[0][index] = state->A[0][index] ^ state->A[1][index] ^
- state->A[2][index] ^ state->A[3][index] ^
- state->A[4][index];
+ C[index] = state->A[0][index] ^ state->A[1][index] ^
+ state->A[2][index] ^ state->A[3][index] ^
+ state->A[4][index];
 }
 for (index = 0; index < 5; ++index) {
- D = B[0][addMod5(index, 4)] ^
- leftRotate1_8(B[0][addMod5(index, 1)]);
+ D = C[addMod5(index, 4)] ^
+ leftRotate1_8(C[addMod5(index, 1)]);
 for (index2 = 0; index2 < 5; ++index2)
 state->A[index2][index] ^= D;
 }
 /* Step mapping rho and pi combined into a single step.
 * Rotate all lanes by a specific offset and rearrange */
- B[0][0] = state->A[0][0];
- B[1][0] = leftRotate4_8(state->A[0][3]);
- B[2][0] = leftRotate1_8(state->A[0][1]);
- B[3][0] = leftRotate3_8(state->A[0][4]);
- B[4][0] = leftRotate6_8(state->A[0][2]);
- B[0][1] = leftRotate4_8(state->A[1][1]);
- B[1][1] = leftRotate4_8(state->A[1][4]);
- B[2][1] = leftRotate6_8(state->A[1][2]);
- B[3][1] = leftRotate4_8(state->A[1][0]);
- B[4][1] = leftRotate7_8(state->A[1][3]);
- B[0][2] = leftRotate3_8(state->A[2][2]);
- B[1][2] = leftRotate3_8(state->A[2][0]);
- B[2][2] = leftRotate1_8(state->A[2][3]);
- B[3][2] = leftRotate2_8(state->A[2][1]);
- B[4][2] = leftRotate7_8(state->A[2][4]);
- B[0][3] = leftRotate5_8(state->A[3][3]);
- B[1][3] = leftRotate5_8(state->A[3][1]);
- B[2][3] = state->A[3][4];
- B[3][3] = leftRotate7_8(state->A[3][2]);
- B[4][3] = leftRotate1_8(state->A[3][0]);
- B[0][4] = leftRotate6_8(state->A[4][4]);
- B[1][4] = leftRotate5_8(state->A[4][2]);
- B[2][4] = leftRotate2_8(state->A[4][0]);
- B[3][4] = state->A[4][3];
- B[4][4] = leftRotate2_8(state->A[4][1]);
+ D = state->A[0][1];
+ state->A[0][1] = leftRotate4_8(state->A[1][1]);
+ state->A[1][1] = leftRotate4_8(state->A[1][4]);
+ state->A[1][4] = leftRotate5_8(state->A[4][2]);
+ state->A[4][2] = leftRotate7_8(state->A[2][4]);
+ state->A[2][4] = leftRotate2_8(state->A[4][0]);
+ state->A[4][0] = leftRotate6_8(state->A[0][2]);
+ state->A[0][2] = leftRotate3_8(state->A[2][2]);
+ state->A[2][2] = leftRotate1_8(state->A[2][3]);
+ state->A[2][3] = state->A[3][4];
+ state->A[3][4] = state->A[4][3];
+ state->A[4][3] = leftRotate1_8(state->A[3][0]);
+ state->A[3][0] = leftRotate3_8(state->A[0][4]);
+ state->A[0][4] = leftRotate6_8(state->A[4][4]);
+ state->A[4][4] = leftRotate2_8(state->A[4][1]);
+ state->A[4][1] = leftRotate7_8(state->A[1][3]);
+ state->A[1][3] = leftRotate5_8(state->A[3][1]);
+ state->A[3][1] = leftRotate4_8(state->A[1][0]);
+ state->A[1][0] = leftRotate4_8(state->A[0][3]);
+ state->A[0][3] = leftRotate5_8(state->A[3][3]);
+ state->A[3][3] = leftRotate7_8(state->A[3][2]);
+ state->A[3][2] = leftRotate2_8(state->A[2][1]);
+ state->A[2][1] = leftRotate6_8(state->A[1][2]);
+ state->A[1][2] = leftRotate3_8(state->A[2][0]);
+ state->A[2][0] = leftRotate1_8(D);
 /* Step mapping chi. Combine each lane with two others in its row */
 for (index = 0; index < 5; ++index) {
+ C[0] = state->A[index][0];
+ C[1] = state->A[index][1];
+ C[2] = state->A[index][2];
+ C[3] = state->A[index][3];
+ C[4] = state->A[index][4];
 for (index2 = 0; index2 < 5; ++index2) {
- state->A[index2][index] =
- B[index2][index] ^
- ((~B[index2][addMod5(index, 1)]) &
- B[index2][addMod5(index, 2)]);
+ state->A[index][index2] =
+ C[index2] ^
+ ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
 }
 }
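Review bot: The in-place rho/pi rewrite in keccakp_200_permute now depends entirely on statement order, and the hunk adds no comment saying so: the 24 assignments from `D = state->A[0][1];` down to `state->A[2][0] = leftRotate1_8(D);` trace one cycle through every lane except A[0][0], so each lane is read exactly once before it is overwritten, and any reordering (or an "obvious" tidy-up by a later maintainer) corrupts the permutation without any compiler diagnostic. I would put `/* In-place rho+pi: these 24 assignments follow a single cycle through every lane but A[0][0], each lane read once before it is overwritten; the order is load-bearing. */` above `D = state->A[0][1];`. The same holds for the chi step, where the copy of the row into `C[0..4]` is what keeps the old row readable while `state->A[index][index2]` is rewritten in place, so a one-line comment there would help too. Since the rounds parameter is gone and the loop is fixed at 18, the header's doc comment for keccakp_200_permute (not in this hunk) presumably still mentions a rounds argument; worth confirming it was updated alongside. The iota step and closing brace of keccakp_200_permute, and the `#endif` matching the new `#if !defined(__AVR__)`, are outside the hunk.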
@@ -110,61 +115,64 @@ void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, 0x8002, 0x0080, 0x800A, 0x000A }; - uint16_t B[5][5]; + uint16_t C[5]; uint16_t D; unsigned round; unsigned index, index2; for (round = 20 - rounds; round < 20; ++round) { /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. To save a bit of memory, - * we use the first row of B to store C and compute D on the fly */ + * arrays of size 5 called C and D. Compute D on the fly */ for (index = 0; index < 5; ++index) { - B[0][index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; + C[index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; } for (index = 0; index < 5; ++index) { - D = B[0][addMod5(index, 4)] ^ - leftRotate1_16(B[0][addMod5(index, 1)]); + D = C[addMod5(index, 4)] ^ + leftRotate1_16(C[addMod5(index, 1)]); for (index2 = 0; index2 < 5; ++index2) state->A[index2][index] ^= D; } /* Step mapping rho and pi combined into a single step. 
 * Rotate all lanes by a specific offset and rearrange */
- B[0][0] = state->A[0][0];
- B[1][0] = leftRotate12_16(state->A[0][3]);
- B[2][0] = leftRotate1_16 (state->A[0][1]);
- B[3][0] = leftRotate11_16(state->A[0][4]);
- B[4][0] = leftRotate14_16(state->A[0][2]);
- B[0][1] = leftRotate12_16(state->A[1][1]);
- B[1][1] = leftRotate4_16 (state->A[1][4]);
- B[2][1] = leftRotate6_16 (state->A[1][2]);
- B[3][1] = leftRotate4_16 (state->A[1][0]);
- B[4][1] = leftRotate7_16 (state->A[1][3]);
- B[0][2] = leftRotate11_16(state->A[2][2]);
- B[1][2] = leftRotate3_16 (state->A[2][0]);
- B[2][2] = leftRotate9_16 (state->A[2][3]);
- B[3][2] = leftRotate10_16(state->A[2][1]);
- B[4][2] = leftRotate7_16 (state->A[2][4]);
- B[0][3] = leftRotate5_16 (state->A[3][3]);
- B[1][3] = leftRotate13_16(state->A[3][1]);
- B[2][3] = leftRotate8_16 (state->A[3][4]);
- B[3][3] = leftRotate15_16(state->A[3][2]);
- B[4][3] = leftRotate9_16 (state->A[3][0]);
- B[0][4] = leftRotate14_16(state->A[4][4]);
- B[1][4] = leftRotate13_16(state->A[4][2]);
- B[2][4] = leftRotate2_16 (state->A[4][0]);
- B[3][4] = leftRotate8_16 (state->A[4][3]);
- B[4][4] = leftRotate2_16 (state->A[4][1]);
+ D = state->A[0][1];
+ state->A[0][1] = leftRotate12_16(state->A[1][1]);
+ state->A[1][1] = leftRotate4_16 (state->A[1][4]);
+ state->A[1][4] = leftRotate13_16(state->A[4][2]);
+ state->A[4][2] = leftRotate7_16 (state->A[2][4]);
+ state->A[2][4] = leftRotate2_16 (state->A[4][0]);
+ state->A[4][0] = leftRotate14_16(state->A[0][2]);
+ state->A[0][2] = leftRotate11_16(state->A[2][2]);
+ state->A[2][2] = leftRotate9_16 (state->A[2][3]);
+ state->A[2][3] = leftRotate8_16 (state->A[3][4]);
+ state->A[3][4] = leftRotate8_16 (state->A[4][3]);
+ state->A[4][3] = leftRotate9_16 (state->A[3][0]);
+ state->A[3][0] = leftRotate11_16(state->A[0][4]);
+ state->A[0][4] = leftRotate14_16(state->A[4][4]);
+ state->A[4][4] = leftRotate2_16 (state->A[4][1]);
+ state->A[4][1] = leftRotate7_16 (state->A[1][3]);
+ state->A[1][3] = leftRotate13_16(state->A[3][1]);
+ state->A[3][1] = leftRotate4_16 (state->A[1][0]);
+ state->A[1][0] = leftRotate12_16(state->A[0][3]);
+ state->A[0][3] = leftRotate5_16 (state->A[3][3]);
+ state->A[3][3] = leftRotate15_16(state->A[3][2]);
+ state->A[3][2] = leftRotate10_16(state->A[2][1]);
+ state->A[2][1] = leftRotate6_16 (state->A[1][2]);
+ state->A[1][2] = leftRotate3_16 (state->A[2][0]);
+ state->A[2][0] = leftRotate1_16(D);
 /* Step mapping chi. Combine each lane with two others in its row */
 for (index = 0; index < 5; ++index) {
+ C[0] = state->A[index][0];
+ C[1] = state->A[index][1];
+ C[2] = state->A[index][2];
+ C[3] = state->A[index][3];
+ C[4] = state->A[index][4];
 for (index2 = 0; index2 < 5; ++index2) {
- state->A[index2][index] =
- B[index2][index] ^
- ((~B[index2][addMod5(index, 1)]) &
- B[index2][addMod5(index, 2)]);
+ state->A[index][index2] =
+ C[index2] ^
+ ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
 }
 }
@@ -202,3 +210,5 @@ void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds)
 }
 #endif
+
+#endif /* !__AVR__ */
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.h b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.h
index 026da50..2ffef42 100644
--- a/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.h
+++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-keccak.h
@@ -68,9 +68,8 @@ typedef union
 * \brief Permutes the Keccak-p[200] state.
 *
 * \param state The Keccak-p[200] state to be permuted.
- * \param rounds The number of rounds to perform (up to 18).
 */
-void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds);
+void keccakp_200_permute(keccakp_200_state_t *state);
 /**
 * \brief Permutes the Keccak-p[400] state, which is assumed to be in
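Review bot: The statement order of the in-place rho/pi chain that starts at `D = state->A[0][1];` is load-bearing — each assignment reads the lane that the next assignment overwrites, and all 24 form a single cycle closed by `state->A[2][0] = leftRotate1_16(D);` — yet nothing in the hunk says so, which invites a future reorder that would silently corrupt the permutation; suggest a comment above the chain such as `/* Rho/pi as one in-place cycle: every line reads the lane the next line overwrites, so do not reorder these statements */`. I compared the 24 source lanes and rotation counts against the removed B[][] assignments and they agree lane for lane, so the rewrite itself looks correct. The enclosing function continues outside the hunk; the unchanged loop header `for (round = 20 - rounds; round < 20; ++round)` still performs zero rounds without complaint when rounds exceeds 20, because the unsigned subtraction wraps, but that predates this change.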
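Review bot: With the `rounds` parameter removed, the Doxygen brief for `keccakp_200_permute` no longer says how many rounds one call performs, while the deleted `\param` line was the only place that stated the bound (`up to 18`) and the neighbouring `keccakp_400_permute` still takes a round count, so a reader of the header cannot tell the two contracts apart. Suggest stating the round count in the brief, e.g. ` * \brief Permutes the Keccak-p[200] state, applying the full set of rounds.`, and naming the exact number once confirmed against the implementation (18, if the maximum mentioned in the removed text is what is now always run — this header hunk alone does not show that). The description of `keccakp_400_permute` continues outside this view.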
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-spongent-avr.S b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent-avr.S
similarity index 100%
rename from elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-spongent-avr.S
rename to elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent-avr.S
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.c b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.c
index 69a8ecb..8e0d57d 100644
--- a/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.c
+++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-spongent.c
@@ -22,6 +22,8 @@
 #include "internal-spongent.h"
+#if !defined(__AVR__)
+
 /**
 * \brief Applies the Spongent-pi S-box in parallel to the 8 nibbles
 * of a 32-bit word.
@@ -344,3 +346,5 @@ void spongent176_permute(spongent176_state_t *state)
 le_store_word16(state->B + 20, x5); /* Last word is only 16 bits */
 #endif
 }
+
+#endif /* !__AVR__ */
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-util.h b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-util.h
+++ b/elephant/Implementations/crypto_aead/elephant176v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
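Review bot: The new `#if !defined(__AVR__)` guard in internal-spongent.c compiles out the entire C implementation on AVR without a word about where the permutation then comes from, so a reader of this file sees an apparently empty translation unit; suggest `#if !defined(__AVR__) /* AVR builds use internal-spongent-avr.S instead */`. Because the fallback is now absent rather than bypassed, an AVR build that does not assemble the `.S` file this same commit renames into the directory would, as far as the diff alone shows, only fail at link time with an undefined `spongent176_permute`, and the comment makes that dependency visible at the point where it is introduced. The closing `#endif /* !__AVR__ */` in the -344 hunk is already labelled, so only the opening guard needs this.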
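Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is tied directly to `defined(__AVR__)`, so the composed rotation macros it selects can never be compiled or unit-tested on a host without editing this header; wrapping the selection in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` lets a test build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and compare the composed definitions against the generic `leftRotate`/`rightRotate` on a machine with a barrel shifter. The cost is one extra conditional and the default on both AVR and non-AVR stays exactly as written here. The new explanatory comment is good; it could add that the flag is overridable once it is.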
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/api.h b/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/api.h
deleted file mode 100644
index c3c0a27..0000000
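Review bot: Every composed macro in this branch is correct only if its shift counts sum to the advertised amount (`leftRotate12` is 16 left then four single-bit rights, `leftRotate21` is 24 left then three rights, and so on), and nothing checks that; I traced all 31 `leftRotateN` and all 31 `rightRotateN` definitions and they do add up, but a slip in any one would corrupt every 32-bit-rotating primitive on AVR while staying invisible on the host, where this `#else` branch is never compiled. A small self-test built with the composed branch forced on, asserting `leftRotateN(x) == leftRotate((x), N)` and `rightRotateN(x) == rightRotate((x), N)` for N = 1..31 on a fixed pattern (for instance `leftRotate5(0x80000001u) == 0x00000030u`), would pin them. Nesting these macros is safe with side-effecting arguments only because the generic rotates capture their argument once in `_temp`, judging by the statement-expression tail visible as context in the -254 hunk; that deserves one line in the comment at the top of the branch, e.g. `/* Safe to nest: the generic leftRotate/rightRotate evaluate their argument exactly once */`.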
--- a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 12
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/elephant.c b/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/elephant.c
deleted file mode 100644
index 2f7abb3..0000000
--- a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/elephant.c
+++ /dev/null
@@ -1,881 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "elephant.h" -#include "internal-keccak.h" -#include "internal-spongent.h" -#include - -aead_cipher_t const dumbo_cipher = { - "Dumbo", - DUMBO_KEY_SIZE, - DUMBO_NONCE_SIZE, - DUMBO_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - dumbo_aead_encrypt, - dumbo_aead_decrypt -}; - -aead_cipher_t const jumbo_cipher = { - "Jumbo", - JUMBO_KEY_SIZE, - JUMBO_NONCE_SIZE, - JUMBO_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - jumbo_aead_encrypt, - jumbo_aead_decrypt -}; - -aead_cipher_t const delirium_cipher = { - "Delirium", - DELIRIUM_KEY_SIZE, - DELIRIUM_NONCE_SIZE, - DELIRIUM_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - delirium_aead_encrypt, - delirium_aead_decrypt -}; - -/** - * \brief Applies the Dumbo LFSR to the mask. - * - * \param out The output mask. - * \param in The input mask. 
- */ -static void dumbo_lfsr - (unsigned char out[SPONGENT160_STATE_SIZE], - const unsigned char in[SPONGENT160_STATE_SIZE]) -{ - unsigned char temp = - leftRotate3_8(in[0]) ^ (in[3] << 7) ^ (in[13] >> 7); - unsigned index; - for (index = 0; index < SPONGENT160_STATE_SIZE - 1; ++index) - out[index] = in[index + 1]; - out[SPONGENT160_STATE_SIZE - 1] = temp; -} - -/** - * \brief Processes the nonce and associated data for Dumbo. - * - * \param state Points to the Spongent-pi[160] state. - * \param mask Points to the initial mask value. - * \param next Points to the next mask value. - * \param tag Points to the ongoing tag that is being computed. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data. - */ -static void dumbo_process_ad - (spongent160_state_t *state, - unsigned char mask[SPONGENT160_STATE_SIZE], - unsigned char next[SPONGENT160_STATE_SIZE], - unsigned char tag[DUMBO_TAG_SIZE], - const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned posn, size; - - /* We need the "previous" and "next" masks in each step. 
- * Compare the first such values */ - dumbo_lfsr(next, mask); - dumbo_lfsr(next, next); - - /* Absorb the nonce into the state */ - lw_xor_block_2_src(state->B, mask, next, SPONGENT160_STATE_SIZE); - lw_xor_block(state->B, npub, DUMBO_NONCE_SIZE); - - /* Absorb the rest of the associated data */ - posn = DUMBO_NONCE_SIZE; - while (adlen > 0) { - size = SPONGENT160_STATE_SIZE - posn; - if (size <= adlen) { - /* Process a complete block */ - lw_xor_block(state->B + posn, ad, size); - spongent160_permute(state); - lw_xor_block(state->B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state->B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state->B, DUMBO_TAG_SIZE); - dumbo_lfsr(mask, mask); - dumbo_lfsr(next, next); - lw_xor_block_2_src(state->B, mask, next, SPONGENT160_STATE_SIZE); - posn = 0; - } else { - /* Process the partial block at the end of the associated data */ - size = (unsigned)adlen; - lw_xor_block(state->B + posn, ad, size); - posn += size; - } - ad += size; - adlen -= size; - } - - /* Pad and absorb the final block */ - state->B[posn] ^= 0x01; - spongent160_permute(state); - lw_xor_block(state->B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state->B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state->B, DUMBO_TAG_SIZE); -} - -int dumbo_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - spongent160_state_t state; - unsigned char start[SPONGENT160_STATE_SIZE]; - unsigned char mask[SPONGENT160_STATE_SIZE]; - unsigned char next[SPONGENT160_STATE_SIZE]; - unsigned char tag[DUMBO_TAG_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + DUMBO_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, DUMBO_KEY_SIZE); - memset(state.B + DUMBO_KEY_SIZE, 0, sizeof(state.B) - DUMBO_KEY_SIZE); - spongent160_permute(&state); 
- memcpy(mask, state.B, DUMBO_KEY_SIZE); - memset(mask + DUMBO_KEY_SIZE, 0, sizeof(mask) - DUMBO_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - dumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Encrypt and authenticate the payload */ - while (mlen >= SPONGENT160_STATE_SIZE) { - /* Encrypt using the current mask */ - memcpy(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, m, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - memcpy(c, state.B, SPONGENT160_STATE_SIZE); - - /* Authenticate using the next mask */ - dumbo_lfsr(next, mask); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, next, SPONGENT160_STATE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, SPONGENT160_STATE_SIZE); - c += SPONGENT160_STATE_SIZE; - m += SPONGENT160_STATE_SIZE; - mlen -= SPONGENT160_STATE_SIZE; - } - if (mlen > 0) { - /* Encrypt the last block using the current mask */ - unsigned temp = (unsigned)mlen; - memcpy(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, m, temp); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - memcpy(c, state.B, temp); - - /* Authenticate the last block using the next mask */ - dumbo_lfsr(next, mask); - state.B[temp] = 0x01; - memset(state.B + temp + 1, 0, SPONGENT160_STATE_SIZE - temp - 1); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, next, 
SPONGENT160_STATE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - c += temp; - } else if (*clen != DUMBO_TAG_SIZE) { - /* Pad and authenticate when the last block is aligned */ - dumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); - state.B[0] ^= 0x01; - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - } - - /* Generate the authentication tag */ - memcpy(c, tag, DUMBO_TAG_SIZE); - return 0; -} - -int dumbo_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - spongent160_state_t state; - unsigned char *mtemp = m; - unsigned char start[SPONGENT160_STATE_SIZE]; - unsigned char mask[SPONGENT160_STATE_SIZE]; - unsigned char next[SPONGENT160_STATE_SIZE]; - unsigned char tag[DUMBO_TAG_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < DUMBO_TAG_SIZE) - return -1; - *mlen = clen - DUMBO_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, DUMBO_KEY_SIZE); - memset(state.B + DUMBO_KEY_SIZE, 0, sizeof(state.B) - DUMBO_KEY_SIZE); - spongent160_permute(&state); - memcpy(mask, state.B, DUMBO_KEY_SIZE); - memset(mask + DUMBO_KEY_SIZE, 0, sizeof(mask) - DUMBO_KEY_SIZE); - memcpy(start, mask, sizeof(mask)); - - /* Tag starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Authenticate the nonce and the associated data */ - dumbo_process_ad(&state, mask, next, tag, npub, ad, adlen); - - /* Reset back to the starting mask for the encryption phase */ - memcpy(mask, start, sizeof(mask)); - - /* Decrypt and authenticate 
the payload */ - clen -= DUMBO_TAG_SIZE; - while (clen >= SPONGENT160_STATE_SIZE) { - /* Authenticate using the next mask */ - dumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, c, SPONGENT160_STATE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - - /* Decrypt using the current mask */ - memcpy(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block_2_src(m, state.B, c, SPONGENT160_STATE_SIZE); - - /* Advance to the next block */ - memcpy(mask, next, SPONGENT160_STATE_SIZE); - c += SPONGENT160_STATE_SIZE; - m += SPONGENT160_STATE_SIZE; - clen -= SPONGENT160_STATE_SIZE; - } - if (clen > 0) { - /* Authenticate the last block using the next mask */ - unsigned temp = (unsigned)clen; - dumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, c, temp); - state.B[temp] ^= 0x01; - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - - /* Decrypt the last block using the current mask */ - memcpy(state.B, mask, SPONGENT160_STATE_SIZE); - lw_xor_block(state.B, npub, DUMBO_NONCE_SIZE); - spongent160_permute(&state); - lw_xor_block(state.B, mask, temp); - lw_xor_block_2_src(m, state.B, c, temp); - c += temp; - } else if (*mlen != 0) { - /* Pad and authenticate when the last block is aligned */ - dumbo_lfsr(next, mask); - lw_xor_block_2_src(state.B, mask, next, SPONGENT160_STATE_SIZE); - state.B[0] ^= 0x01; - spongent160_permute(&state); - lw_xor_block(state.B, mask, DUMBO_TAG_SIZE); - lw_xor_block(state.B, next, DUMBO_TAG_SIZE); - lw_xor_block(tag, state.B, DUMBO_TAG_SIZE); - } - - 
/* Check the authentication tag */ - return aead_check_tag(mtemp, *mlen, tag, c, DUMBO_TAG_SIZE); -} - -/** - * \brief Applies the Jumbo LFSR to the mask. - * - * \param out The output mask. - * \param in The input mask. - */ -static void jumbo_lfsr - (unsigned char out[SPONGENT176_STATE_SIZE], - const unsigned char in[SPONGENT176_STATE_SIZE]) -{ - unsigned char temp = - leftRotate1_8(in[0]) ^ (in[3] << 7) ^ (in[19] >> 7); - unsigned index; - for (index = 0; index < SPONGENT176_STATE_SIZE - 1; ++index) - out[index] = in[index + 1]; - out[SPONGENT176_STATE_SIZE - 1] = temp; -} - -/** - * \brief Processes the nonce and associated data for Jumbo. - * - * \param state Points to the Spongent-pi[170] state. - * \param mask Points to the initial mask value. - * \param next Points to the next mask value. - * \param tag Points to the ongoing tag that is being computed. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data. - */ -static void jumbo_process_ad - (spongent176_state_t *state, - unsigned char mask[SPONGENT176_STATE_SIZE], - unsigned char next[SPONGENT176_STATE_SIZE], - unsigned char tag[JUMBO_TAG_SIZE], - const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned posn, size; - - /* We need the "previous" and "next" masks in each step. 
- * Compare the first such values */ - jumbo_lfsr(next, mask); - jumbo_lfsr(next, next); - - /* Absorb the nonce into the state */ - lw_xor_block_2_src(state->B, mask, next, SPONGENT176_STATE_SIZE); - lw_xor_block(state->B, npub, JUMBO_NONCE_SIZE); - - /* Absorb the rest of the associated data */ - posn = JUMBO_NONCE_SIZE; - while (adlen > 0) { - size = SPONGENT176_STATE_SIZE - posn; - if (size <= adlen) { - /* Process a complete block */ - lw_xor_block(state->B + posn, ad, size); - spongent176_permute(state); - lw_xor_block(state->B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state->B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state->B, JUMBO_TAG_SIZE); - jumbo_lfsr(mask, mask); - jumbo_lfsr(next, next); - lw_xor_block_2_src(state->B, mask, next, SPONGENT176_STATE_SIZE); - posn = 0; - } else { - /* Process the partial block at the end of the associated data */ - size = (unsigned)adlen; - lw_xor_block(state->B + posn, ad, size); - posn += size; - } - ad += size; - adlen -= size; - } - - /* Pad and absorb the final block */ - state->B[posn] ^= 0x01; - spongent176_permute(state); - lw_xor_block(state->B, mask, JUMBO_TAG_SIZE); - lw_xor_block(state->B, next, JUMBO_TAG_SIZE); - lw_xor_block(tag, state->B, JUMBO_TAG_SIZE); -} - -int jumbo_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - spongent176_state_t state; - unsigned char start[SPONGENT176_STATE_SIZE]; - unsigned char mask[SPONGENT176_STATE_SIZE]; - unsigned char next[SPONGENT176_STATE_SIZE]; - unsigned char tag[JUMBO_TAG_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + JUMBO_TAG_SIZE; - - /* Hash the key and generate the initial mask */ - memcpy(state.B, k, JUMBO_KEY_SIZE); - memset(state.B + JUMBO_KEY_SIZE, 0, sizeof(state.B) - JUMBO_KEY_SIZE); - spongent176_permute(&state); 
- memcpy(mask, state.B, JUMBO_KEY_SIZE);
- memset(mask + JUMBO_KEY_SIZE, 0, sizeof(mask) - JUMBO_KEY_SIZE);
- memcpy(start, mask, sizeof(mask));
-
- /* Tag starts at zero */
- memset(tag, 0, sizeof(tag));
-
- /* Authenticate the nonce and the associated data */
- jumbo_process_ad(&state, mask, next, tag, npub, ad, adlen);
-
- /* Reset back to the starting mask for the encryption phase */
- memcpy(mask, start, sizeof(mask));
-
- /* Encrypt and authenticate the payload */
- while (mlen >= SPONGENT176_STATE_SIZE) {
- /* Encrypt using the current mask */
- memcpy(state.B, mask, SPONGENT176_STATE_SIZE);
- lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE);
- spongent176_permute(&state);
- lw_xor_block(state.B, m, SPONGENT176_STATE_SIZE);
- lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE);
- memcpy(c, state.B, SPONGENT176_STATE_SIZE);
-
- /* Authenticate using the next mask */
- jumbo_lfsr(next, mask);
- lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE);
- lw_xor_block(state.B, next, SPONGENT176_STATE_SIZE);
- spongent176_permute(&state);
- lw_xor_block(state.B, mask, JUMBO_TAG_SIZE);
- lw_xor_block(state.B, next, JUMBO_TAG_SIZE);
- lw_xor_block(tag, state.B, JUMBO_TAG_SIZE);
-
- /* Advance to the next block */
- memcpy(mask, next, SPONGENT176_STATE_SIZE);
- c += SPONGENT176_STATE_SIZE;
- m += SPONGENT176_STATE_SIZE;
- mlen -= SPONGENT176_STATE_SIZE;
- }
- if (mlen > 0) {
- /* Encrypt the last block using the current mask */
- unsigned temp = (unsigned)mlen;
- memcpy(state.B, mask, SPONGENT176_STATE_SIZE);
- lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE);
- spongent176_permute(&state);
- lw_xor_block(state.B, m, temp);
- lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE);
- memcpy(c, state.B, temp);
-
- /* Authenticate the last block using the next mask */
- jumbo_lfsr(next, mask);
- state.B[temp] = 0x01;
- memset(state.B + temp + 1, 0, SPONGENT176_STATE_SIZE - temp - 1);
- lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE);
- lw_xor_block(state.B, next, SPONGENT176_STATE_SIZE);
- spongent176_permute(&state);
- lw_xor_block(state.B, mask, JUMBO_TAG_SIZE);
- lw_xor_block(state.B, next, JUMBO_TAG_SIZE);
- lw_xor_block(tag, state.B, JUMBO_TAG_SIZE);
- c += temp;
- } else if (*clen != JUMBO_TAG_SIZE) {
- /* Pad and authenticate when the last block is aligned */
- jumbo_lfsr(next, mask);
- lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE);
- state.B[0] ^= 0x01;
- spongent176_permute(&state);
- lw_xor_block(state.B, mask, JUMBO_TAG_SIZE);
- lw_xor_block(state.B, next, JUMBO_TAG_SIZE);
- lw_xor_block(tag, state.B, JUMBO_TAG_SIZE);
- }
-
- /* Generate the authentication tag */
- memcpy(c, tag, JUMBO_TAG_SIZE);
- return 0;
-}
-
-int jumbo_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- spongent176_state_t state;
- unsigned char *mtemp = m;
- unsigned char start[SPONGENT176_STATE_SIZE];
- unsigned char mask[SPONGENT176_STATE_SIZE];
- unsigned char next[SPONGENT176_STATE_SIZE];
- unsigned char tag[JUMBO_TAG_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < JUMBO_TAG_SIZE)
- return -1;
- *mlen = clen - JUMBO_TAG_SIZE;
-
- /* Hash the key and generate the initial mask */
- memcpy(state.B, k, JUMBO_KEY_SIZE);
- memset(state.B + JUMBO_KEY_SIZE, 0, sizeof(state.B) - JUMBO_KEY_SIZE);
- spongent176_permute(&state);
- memcpy(mask, state.B, JUMBO_KEY_SIZE);
- memset(mask + JUMBO_KEY_SIZE, 0, sizeof(mask) - JUMBO_KEY_SIZE);
- memcpy(start, mask, sizeof(mask));
-
- /* Tag starts at zero */
- memset(tag, 0, sizeof(tag));
-
- /* Authenticate the nonce and the associated data */
- jumbo_process_ad(&state, mask, next, tag, npub, ad, adlen);
-
- /* Reset back to the starting mask for the encryption phase */
- memcpy(mask, start, sizeof(mask));
-
- /* Decrypt and authenticate the payload */
- clen -= JUMBO_TAG_SIZE;
- while (clen >= SPONGENT176_STATE_SIZE) {
- /* Authenticate using the next mask */
- jumbo_lfsr(next, mask);
- lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE);
- lw_xor_block(state.B, c, SPONGENT176_STATE_SIZE);
- spongent176_permute(&state);
- lw_xor_block(state.B, mask, JUMBO_TAG_SIZE);
- lw_xor_block(state.B, next, JUMBO_TAG_SIZE);
- lw_xor_block(tag, state.B, JUMBO_TAG_SIZE);
-
- /* Decrypt using the current mask */
- memcpy(state.B, mask, SPONGENT176_STATE_SIZE);
- lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE);
- spongent176_permute(&state);
- lw_xor_block(state.B, mask, SPONGENT176_STATE_SIZE);
- lw_xor_block_2_src(m, state.B, c, SPONGENT176_STATE_SIZE);
-
- /* Advance to the next block */
- memcpy(mask, next, SPONGENT176_STATE_SIZE);
- c += SPONGENT176_STATE_SIZE;
- m += SPONGENT176_STATE_SIZE;
- clen -= SPONGENT176_STATE_SIZE;
- }
- if (clen > 0) {
- /* Authenticate the last block using the next mask */
- unsigned temp = (unsigned)clen;
- jumbo_lfsr(next, mask);
- lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE);
- lw_xor_block(state.B, c, temp);
- state.B[temp] ^= 0x01;
- spongent176_permute(&state);
- lw_xor_block(state.B, mask, JUMBO_TAG_SIZE);
- lw_xor_block(state.B, next, JUMBO_TAG_SIZE);
- lw_xor_block(tag, state.B, JUMBO_TAG_SIZE);
-
- /* Decrypt the last block using the current mask */
- memcpy(state.B, mask, SPONGENT176_STATE_SIZE);
- lw_xor_block(state.B, npub, JUMBO_NONCE_SIZE);
- spongent176_permute(&state);
- lw_xor_block(state.B, mask, temp);
- lw_xor_block_2_src(m, state.B, c, temp);
- c += temp;
- } else if (*mlen != 0) {
- /* Pad and authenticate when the last block is aligned */
- jumbo_lfsr(next, mask);
- lw_xor_block_2_src(state.B, mask, next, SPONGENT176_STATE_SIZE);
- state.B[0] ^= 0x01;
- spongent176_permute(&state);
- lw_xor_block(state.B, mask, JUMBO_TAG_SIZE);
- lw_xor_block(state.B, next, JUMBO_TAG_SIZE);
- lw_xor_block(tag, state.B, JUMBO_TAG_SIZE);
- }
-
- /* Check the authentication tag */
- return aead_check_tag(mtemp, *mlen, tag, c, JUMBO_TAG_SIZE);
-}
-
-/**
- * \brief Applies the Delirium LFSR to the mask.
- *
- * \param out The output mask.
- * \param in The input mask.
- */
-static void delirium_lfsr
- (unsigned char out[KECCAKP_200_STATE_SIZE],
- const unsigned char in[KECCAKP_200_STATE_SIZE])
-{
- unsigned char temp =
- leftRotate1_8(in[0]) ^ leftRotate1_8(in[2]) ^ (in[13] << 1);
- unsigned index;
- for (index = 0; index < KECCAKP_200_STATE_SIZE - 1; ++index)
- out[index] = in[index + 1];
- out[KECCAKP_200_STATE_SIZE - 1] = temp;
-}
-
-/**
- * \brief Processes the nonce and associated data for Delirium.
- *
- * \param state Points to the Keccak[200] state.
- * \param mask Points to the initial mask value.
- * \param next Points to the next mask value.
- * \param tag Points to the ongoing tag that is being computed.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data.
- */
-static void delirium_process_ad
- (keccakp_200_state_t *state,
- unsigned char mask[KECCAKP_200_STATE_SIZE],
- unsigned char next[KECCAKP_200_STATE_SIZE],
- unsigned char tag[DELIRIUM_TAG_SIZE],
- const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned posn, size;
-
- /* We need the "previous" and "next" masks in each step.
- * Compare the first such values */
- delirium_lfsr(next, mask);
- delirium_lfsr(next, next);
-
- /* Absorb the nonce into the state */
- lw_xor_block_2_src(state->B, mask, next, KECCAKP_200_STATE_SIZE);
- lw_xor_block(state->B, npub, DELIRIUM_NONCE_SIZE);
-
- /* Absorb the rest of the associated data */
- posn = DELIRIUM_NONCE_SIZE;
- while (adlen > 0) {
- size = KECCAKP_200_STATE_SIZE - posn;
- if (size <= adlen) {
- /* Process a complete block */
- lw_xor_block(state->B + posn, ad, size);
- keccakp_200_permute(state);
- lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE);
- lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE);
- lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE);
- delirium_lfsr(mask, mask);
- delirium_lfsr(next, next);
- lw_xor_block_2_src(state->B, mask, next, KECCAKP_200_STATE_SIZE);
- posn = 0;
- } else {
- /* Process the partial block at the end of the associated data */
- size = (unsigned)adlen;
- lw_xor_block(state->B + posn, ad, size);
- posn += size;
- }
- ad += size;
- adlen -= size;
- }
-
- /* Pad and absorb the final block */
- state->B[posn] ^= 0x01;
- keccakp_200_permute(state);
- lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE);
- lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE);
- lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE);
-}
-
-int delirium_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- keccakp_200_state_t state;
- unsigned char start[KECCAKP_200_STATE_SIZE];
- unsigned char mask[KECCAKP_200_STATE_SIZE];
- unsigned char next[KECCAKP_200_STATE_SIZE];
- unsigned char tag[DELIRIUM_TAG_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + DELIRIUM_TAG_SIZE;
-
- /* Hash the key and generate the initial mask */
- memcpy(state.B, k, DELIRIUM_KEY_SIZE);
- memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE);
- keccakp_200_permute(&state);
- memcpy(mask, state.B, DELIRIUM_KEY_SIZE);
- memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE);
- memcpy(start, mask, sizeof(mask));
-
- /* Tag starts at zero */
- memset(tag, 0, sizeof(tag));
-
- /* Authenticate the nonce and the associated data */
- delirium_process_ad(&state, mask, next, tag, npub, ad, adlen);
-
- /* Reset back to the starting mask for the encryption phase */
- memcpy(mask, start, sizeof(mask));
-
- /* Encrypt and authenticate the payload */
- while (mlen >= KECCAKP_200_STATE_SIZE) {
- /* Encrypt using the current mask */
- memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
- lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state);
- lw_xor_block(state.B, m, KECCAKP_200_STATE_SIZE);
- lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
- memcpy(c, state.B, KECCAKP_200_STATE_SIZE);
-
- /* Authenticate using the next mask */
- delirium_lfsr(next, mask);
- lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
- lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE);
- keccakp_200_permute(&state);
- lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
- lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
- lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
-
- /* Advance to the next block */
- memcpy(mask, next, KECCAKP_200_STATE_SIZE);
- c += KECCAKP_200_STATE_SIZE;
- m += KECCAKP_200_STATE_SIZE;
- mlen -= KECCAKP_200_STATE_SIZE;
- }
- if (mlen > 0) {
- /* Encrypt the last block using the current mask */
- unsigned temp = (unsigned)mlen;
- memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
- lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state);
- lw_xor_block(state.B, m, temp);
- lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
- memcpy(c, state.B, temp);
-
- /* Authenticate the last block using the next mask */
- delirium_lfsr(next, mask);
- state.B[temp] = 0x01;
- memset(state.B + temp + 1, 0, KECCAKP_200_STATE_SIZE - temp - 1);
- lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
- lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE);
- keccakp_200_permute(&state);
- lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
- lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
- lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
- c += temp;
- } else if (*clen != DELIRIUM_TAG_SIZE) {
- /* Pad and authenticate when the last block is aligned */
- delirium_lfsr(next, mask);
- lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
- state.B[0] ^= 0x01;
- keccakp_200_permute(&state);
- lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
- lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
- lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
- }
-
- /* Generate the authentication tag */
- memcpy(c, tag, DELIRIUM_TAG_SIZE);
- return 0;
-}
-
-int delirium_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- keccakp_200_state_t state;
- unsigned char *mtemp = m;
- unsigned char start[KECCAKP_200_STATE_SIZE];
- unsigned char mask[KECCAKP_200_STATE_SIZE];
- unsigned char next[KECCAKP_200_STATE_SIZE];
- unsigned char tag[DELIRIUM_TAG_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < DELIRIUM_TAG_SIZE)
- return -1;
- *mlen = clen - DELIRIUM_TAG_SIZE;
-
- /* Hash the key and generate the initial mask */
- memcpy(state.B, k, DELIRIUM_KEY_SIZE);
- memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE);
- keccakp_200_permute(&state);
- memcpy(mask, state.B, DELIRIUM_KEY_SIZE);
- memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE);
- memcpy(start, mask, sizeof(mask));
-
- /* Tag starts at zero */
- memset(tag, 0, sizeof(tag));
-
- /* Authenticate the nonce and the associated data */
- delirium_process_ad(&state, mask, next, tag, npub, ad, adlen);
-
- /* Reset back to the starting mask for the encryption phase */
- memcpy(mask, start, sizeof(mask));
-
- /* Decrypt and authenticate the payload */
- clen -= DELIRIUM_TAG_SIZE;
- while (clen >= KECCAKP_200_STATE_SIZE) {
- /* Authenticate using the next mask */
- delirium_lfsr(next, mask);
- lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
- lw_xor_block(state.B, c, KECCAKP_200_STATE_SIZE);
- keccakp_200_permute(&state);
- lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
- lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
- lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
-
- /* Decrypt using the current mask */
- memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
- lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state);
- lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
- lw_xor_block_2_src(m, state.B, c, KECCAKP_200_STATE_SIZE);
-
- /* Advance to the next block */
- memcpy(mask, next, KECCAKP_200_STATE_SIZE);
- c += KECCAKP_200_STATE_SIZE;
- m += KECCAKP_200_STATE_SIZE;
- clen -= KECCAKP_200_STATE_SIZE;
- }
- if (clen > 0) {
- /* Authenticate the last block using the next mask */
- unsigned temp = (unsigned)clen;
- delirium_lfsr(next, mask);
- lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
- lw_xor_block(state.B, c, temp);
- state.B[temp] ^= 0x01;
- keccakp_200_permute(&state);
- lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
- lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
- lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
-
- /* Decrypt the last block using the current mask */
- memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
- lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state);
- lw_xor_block(state.B, mask, temp);
- lw_xor_block_2_src(m, state.B, c, temp);
- c += temp;
- } else if (*mlen != 0) {
- /* Pad and authenticate when the last block is aligned */
- delirium_lfsr(next, mask);
- lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
- state.B[0] ^= 0x01;
- keccakp_200_permute(&state);
- lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
- lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
- lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
- }
-
- /* Check the authentication tag */
- return aead_check_tag(mtemp, *mlen, tag, c, DELIRIUM_TAG_SIZE);
-}
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/elephant.h b/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/elephant.h
deleted file mode 100644
index f775e3d..0000000
--- a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/elephant.h
+++ /dev/null
@@ -1,291 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_ELEPHANT_H
-#define LWCRYPTO_ELEPHANT_H
-
-#include "aead-common.h"
-
-/**
- * \file elephant.h
- * \brief Elephant authenticated encryption algorithm family.
- *
- * Elephant is a family of authenticated encryption algorithms based
- * around the Spongent-pi and Keccak permutations.
- *
- * \li Dumbo has a 128-bit key, a 96-bit nonce, and a 64-bit authentication
- * tag. It is based around the Spongent-pi[160] permutation. This is
- * the primary member of the family.
- * \li Jumbo has a 128-bit key, a 96-bit nonce, and a 64-bit authentication
- * tag. It is based around the Spongent-pi[176] permutation.
- * \li Delirium has a 128-bit key, a 96-bit nonce, and a 128-bit authentication
- * tag. It is based around the Keccak[200] permutation.
- *
- * References: https://www.esat.kuleuven.be/cosic/elephant/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for Dumbo.
- */
-#define DUMBO_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Dumbo.
- */
-#define DUMBO_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for Dumbo.
- */
-#define DUMBO_NONCE_SIZE 12
-
-/**
- * \brief Size of the key for Jumbo.
- */
-#define JUMBO_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Jumbo.
- */
-#define JUMBO_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for Jumbo.
- */
-#define JUMBO_NONCE_SIZE 12
-
-/**
- * \brief Size of the key for Delirium.
- */
-#define DELIRIUM_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Delirium.
- */
-#define DELIRIUM_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for Delirium.
- */
-#define DELIRIUM_NONCE_SIZE 12
-
-/**
- * \brief Meta-information block for the Dumbo cipher.
- */
-extern aead_cipher_t const dumbo_cipher;
-
-/**
- * \brief Meta-information block for the Jumbo cipher.
- */
-extern aead_cipher_t const jumbo_cipher;
-
-/**
- * \brief Meta-information block for the Delirium cipher.
- */
-extern aead_cipher_t const delirium_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with Dumbo.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa dumbo_aead_decrypt()
- */
-int dumbo_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Dumbo.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa dumbo_aead_encrypt()
- */
-int dumbo_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Jumbo.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa jumbo_aead_decrypt()
- */
-int jumbo_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Jumbo.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa jumbo_aead_encrypt()
- */
-int jumbo_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Delirium.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa delirium_aead_decrypt()
- */
-int delirium_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Delirium.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa delirium_aead_encrypt()
- */
-int delirium_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/encrypt.c b/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/encrypt.c
deleted file mode 100644
index bf6840c..0000000
--- a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "elephant.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return delirium_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return delirium_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-keccak.c b/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-keccak.c
deleted file mode 100644
index 60539df..0000000
--- a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-keccak.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-keccak.h"
-
-#if !defined(__AVR__)
-
-/* Faster method to compute ((x + y) % 5) that avoids the division */
-static unsigned char const addMod5Table[9] = {
- 0, 1, 2, 3, 4, 0, 1, 2, 3
-};
-#define addMod5(x, y) (addMod5Table[(x) + (y)])
-
-void keccakp_200_permute(keccakp_200_state_t *state)
-{
- static uint8_t const RC[18] = {
- 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09,
- 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03,
- 0x02, 0x80
- };
- uint8_t C[5];
- uint8_t D;
- unsigned round;
- unsigned index, index2;
- for (round = 0; round < 18; ++round) {
- /* Step mapping theta. The specification mentions two temporary
- * arrays of size 5 called C and D. Compute D on the fly */
- for (index = 0; index < 5; ++index) {
- C[index] = state->A[0][index] ^ state->A[1][index] ^
- state->A[2][index] ^ state->A[3][index] ^
- state->A[4][index];
- }
- for (index = 0; index < 5; ++index) {
- D = C[addMod5(index, 4)] ^
- leftRotate1_8(C[addMod5(index, 1)]);
- for (index2 = 0; index2 < 5; ++index2)
- state->A[index2][index] ^= D;
- }
-
- /* Step mapping rho and pi combined into a single step.
- * Rotate all lanes by a specific offset and rearrange */
- D = state->A[0][1];
- state->A[0][1] = leftRotate4_8(state->A[1][1]);
- state->A[1][1] = leftRotate4_8(state->A[1][4]);
- state->A[1][4] = leftRotate5_8(state->A[4][2]);
- state->A[4][2] = leftRotate7_8(state->A[2][4]);
- state->A[2][4] = leftRotate2_8(state->A[4][0]);
- state->A[4][0] = leftRotate6_8(state->A[0][2]);
- state->A[0][2] = leftRotate3_8(state->A[2][2]);
- state->A[2][2] = leftRotate1_8(state->A[2][3]);
- state->A[2][3] = state->A[3][4];
- state->A[3][4] = state->A[4][3];
- state->A[4][3] = leftRotate1_8(state->A[3][0]);
- state->A[3][0] = leftRotate3_8(state->A[0][4]);
- state->A[0][4] = leftRotate6_8(state->A[4][4]);
- state->A[4][4] = leftRotate2_8(state->A[4][1]);
- state->A[4][1] = leftRotate7_8(state->A[1][3]);
- state->A[1][3] = leftRotate5_8(state->A[3][1]);
- state->A[3][1] = leftRotate4_8(state->A[1][0]);
- state->A[1][0] = leftRotate4_8(state->A[0][3]);
- state->A[0][3] = leftRotate5_8(state->A[3][3]);
- state->A[3][3] = leftRotate7_8(state->A[3][2]);
- state->A[3][2] = leftRotate2_8(state->A[2][1]);
- state->A[2][1] = leftRotate6_8(state->A[1][2]);
- state->A[1][2] = leftRotate3_8(state->A[2][0]);
- state->A[2][0] = leftRotate1_8(D);
-
- /* Step mapping chi. Combine each lane with two others in its row */
- for (index = 0; index < 5; ++index) {
- C[0] = state->A[index][0];
- C[1] = state->A[index][1];
- C[2] = state->A[index][2];
- C[3] = state->A[index][3];
- C[4] = state->A[index][4];
- for (index2 = 0; index2 < 5; ++index2) {
- state->A[index][index2] =
- C[index2] ^
- ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
- }
- }
-
- /* Step mapping iota. XOR A[0][0] with the round constant */
- state->A[0][0] ^= RC[round];
- }
-}
-
-#if defined(LW_UTIL_LITTLE_ENDIAN)
-#define keccakp_400_permute_host keccakp_400_permute
-#endif
-
-/* Keccak-p[400] that assumes that the input is already in host byte order */
-void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds)
-{
- static uint16_t const RC[20] = {
- 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009,
- 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003,
- 0x8002, 0x0080, 0x800A, 0x000A
- };
- uint16_t C[5];
- uint16_t D;
- unsigned round;
- unsigned index, index2;
- for (round = 20 - rounds; round < 20; ++round) {
- /* Step mapping theta. The specification mentions two temporary
- * arrays of size 5 called C and D. Compute D on the fly */
- for (index = 0; index < 5; ++index) {
- C[index] = state->A[0][index] ^ state->A[1][index] ^
- state->A[2][index] ^ state->A[3][index] ^
- state->A[4][index];
- }
- for (index = 0; index < 5; ++index) {
- D = C[addMod5(index, 4)] ^
- leftRotate1_16(C[addMod5(index, 1)]);
- for (index2 = 0; index2 < 5; ++index2)
- state->A[index2][index] ^= D;
- }
-
- /* Step mapping rho and pi combined into a single step.
- * Rotate all lanes by a specific offset and rearrange */
- D = state->A[0][1];
- state->A[0][1] = leftRotate12_16(state->A[1][1]);
- state->A[1][1] = leftRotate4_16 (state->A[1][4]);
- state->A[1][4] = leftRotate13_16(state->A[4][2]);
- state->A[4][2] = leftRotate7_16 (state->A[2][4]);
- state->A[2][4] = leftRotate2_16 (state->A[4][0]);
- state->A[4][0] = leftRotate14_16(state->A[0][2]);
- state->A[0][2] = leftRotate11_16(state->A[2][2]);
- state->A[2][2] = leftRotate9_16 (state->A[2][3]);
- state->A[2][3] = leftRotate8_16 (state->A[3][4]);
- state->A[3][4] = leftRotate8_16 (state->A[4][3]);
- state->A[4][3] = leftRotate9_16 (state->A[3][0]);
- state->A[3][0] = leftRotate11_16(state->A[0][4]);
- state->A[0][4] = leftRotate14_16(state->A[4][4]);
- state->A[4][4] = leftRotate2_16 (state->A[4][1]);
- state->A[4][1] = leftRotate7_16 (state->A[1][3]);
- state->A[1][3] = leftRotate13_16(state->A[3][1]);
- state->A[3][1] = leftRotate4_16 (state->A[1][0]);
- state->A[1][0] = leftRotate12_16(state->A[0][3]);
- state->A[0][3] = leftRotate5_16 (state->A[3][3]);
- state->A[3][3] = leftRotate15_16(state->A[3][2]);
- state->A[3][2] = leftRotate10_16(state->A[2][1]);
- state->A[2][1] = leftRotate6_16 (state->A[1][2]);
- state->A[1][2] = leftRotate3_16 (state->A[2][0]);
- state->A[2][0] = leftRotate1_16(D);
-
- /* Step mapping chi. Combine each lane with two others in its row */
- for (index = 0; index < 5; ++index) {
- C[0] = state->A[index][0];
- C[1] = state->A[index][1];
- C[2] = state->A[index][2];
- C[3] = state->A[index][3];
- C[4] = state->A[index][4];
- for (index2 = 0; index2 < 5; ++index2) {
- state->A[index][index2] =
- C[index2] ^
- ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
- }
- }
-
- /* Step mapping iota. XOR A[0][0] with the round constant */
- state->A[0][0] ^= RC[round];
- }
-}
-
-#if !defined(LW_UTIL_LITTLE_ENDIAN)
-
-/**
- * \brief Reverses the bytes in a Keccak-p[400] state.
- *
- * \param state The Keccak-p[400] state to apply byte-reversal to.
- */
-static void keccakp_400_reverse_bytes(keccakp_400_state_t *state)
-{
- unsigned index;
- unsigned char temp1;
- unsigned char temp2;
- for (index = 0; index < 50; index += 2) {
- temp1 = state->B[index];
- temp2 = state->B[index + 1];
- state->B[index] = temp2;
- state->B[index + 1] = temp1;
- }
-}
-
-/* Keccak-p[400] that requires byte reversal on input and output */
-void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds)
-{
- keccakp_400_reverse_bytes(state);
- keccakp_400_permute_host(state, rounds);
- keccakp_400_reverse_bytes(state);
-}
-
-#endif
-
-#endif /* !__AVR__ */
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-spongent.c b/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-spongent.c
deleted file mode 100644
index 8e0d57d..0000000
--- a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-spongent.c
+++ /dev/null
@@ -1,350 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-spongent.h" - -#if !defined(__AVR__) - -/** - * \brief Applies the Spongent-pi S-box in parallel to the 8 nibbles - * of a 32-bit word. - * - * \param x3 The input values to the parallel S-boxes. - * - * \return The output values from the parallel S-boxes. - * - * Based on the bit-sliced S-box implementation from here: - * https://github.com/DadaIsCrazy/usuba/blob/master/data/sboxes/spongent.ua - * - * Note that spongent.ua numbers bits from highest to lowest, so x0 is the - * high bit of each nibble and x3 is the low bit. 
- */ -static uint32_t spongent_sbox(uint32_t x3) -{ - uint32_t q0, q1, q2, q3, t0, t1, t2, t3; - uint32_t x2 = (x3 >> 1); - uint32_t x1 = (x2 >> 1); - uint32_t x0 = (x1 >> 1); - q0 = x0 ^ x2; - q1 = x1 ^ x2; - t0 = q0 & q1; - q2 = ~(x0 ^ x1 ^ x3 ^ t0); - t1 = q2 & ~x0; - q3 = x1 ^ t1; - t2 = q3 & (q3 ^ x2 ^ x3 ^ t0); - t3 = (x2 ^ t0) & ~(x1 ^ t0); - q0 = x1 ^ x2 ^ x3 ^ t2; - q1 = x0 ^ x2 ^ x3 ^ t0 ^ t1; - q2 = x0 ^ x1 ^ x2 ^ t1; - q3 = x0 ^ x3 ^ t0 ^ t3; - return ((q0 << 3) & 0x88888888U) | ((q1 << 2) & 0x44444444U) | - ((q2 << 1) & 0x22222222U) | (q3 & 0x11111111U); -} - -void spongent160_permute(spongent160_state_t *state) -{ - static uint8_t const RC[] = { - /* Round constants for Spongent-pi[160] */ - 0x75, 0xae, 0x6a, 0x56, 0x54, 0x2a, 0x29, 0x94, - 0x53, 0xca, 0x27, 0xe4, 0x4f, 0xf2, 0x1f, 0xf8, - 0x3e, 0x7c, 0x7d, 0xbe, 0x7a, 0x5e, 0x74, 0x2e, - 0x68, 0x16, 0x50, 0x0a, 0x21, 0x84, 0x43, 0xc2, - 0x07, 0xe0, 0x0e, 0x70, 0x1c, 0x38, 0x38, 0x1c, - 0x71, 0x8e, 0x62, 0x46, 0x44, 0x22, 0x09, 0x90, - 0x12, 0x48, 0x24, 0x24, 0x49, 0x92, 0x13, 0xc8, - 0x26, 0x64, 0x4d, 0xb2, 0x1b, 0xd8, 0x36, 0x6c, - 0x6d, 0xb6, 0x5a, 0x5a, 0x35, 0xac, 0x6b, 0xd6, - 0x56, 0x6a, 0x2d, 0xb4, 0x5b, 0xda, 0x37, 0xec, - 0x6f, 0xf6, 0x5e, 0x7a, 0x3d, 0xbc, 0x7b, 0xde, - 0x76, 0x6e, 0x6c, 0x36, 0x58, 0x1a, 0x31, 0x8c, - 0x63, 0xc6, 0x46, 0x62, 0x0d, 0xb0, 0x1a, 0x58, - 0x34, 0x2c, 0x69, 0x96, 0x52, 0x4a, 0x25, 0xa4, - 0x4b, 0xd2, 0x17, 0xe8, 0x2e, 0x74, 0x5d, 0xba, - 0x3b, 0xdc, 0x77, 0xee, 0x6e, 0x76, 0x5c, 0x3a, - 0x39, 0x9c, 0x73, 0xce, 0x66, 0x66, 0x4c, 0x32, - 0x19, 0x98, 0x32, 0x4c, 0x65, 0xa6, 0x4a, 0x52, - 0x15, 0xa8, 0x2a, 0x54, 0x55, 0xaa, 0x2b, 0xd4, - 0x57, 0xea, 0x2f, 0xf4, 0x5f, 0xfa, 0x3f, 0xfc - }; - const uint8_t *rc = RC; - uint32_t x0, x1, x2, x3, x4; - uint32_t t0, t1, t2, t3, t4; - uint8_t round; - - /* Load the state into local variables and convert from little-endian */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - x0 = state->W[0]; - x1 = state->W[1]; - x2 = state->W[2]; - x3 
= state->W[3]; - x4 = state->W[4]; -#else - x0 = le_load_word32(state->B); - x1 = le_load_word32(state->B + 4); - x2 = le_load_word32(state->B + 8); - x3 = le_load_word32(state->B + 12); - x4 = le_load_word32(state->B + 16); -#endif - - /* Perform the 80 rounds of Spongent-pi[160] */ - for (round = 0; round < 80; ++round, rc += 2) { - /* Add the round constant to front and back of the state */ - x0 ^= rc[0]; - x4 ^= ((uint32_t)(rc[1])) << 24; - - /* Apply the S-box to all 4-bit groups in the state */ - t0 = spongent_sbox(x0); - t1 = spongent_sbox(x1); - t2 = spongent_sbox(x2); - t3 = spongent_sbox(x3); - t4 = spongent_sbox(x4); - - /* Permute the bits of the state. Bit i is moved to (40 * i) % 159 - * for all bits except the last which is left where it is. - * BCP = bit copy, BUP = move bit up, BDN = move bit down */ - #define BCP(x, bit) ((x) & (((uint32_t)1) << (bit))) - #define BUP(x, from, to) \ - (((x) << ((to) - (from))) & (((uint32_t)1) << (to))) - #define BDN(x, from, to) \ - (((x) >> ((from) - (to))) & (((uint32_t)1) << (to))) - x0 = BCP(t0, 0) ^ BDN(t0, 4, 1) ^ BDN(t0, 8, 2) ^ - BDN(t0, 12, 3) ^ BDN(t0, 16, 4) ^ BDN(t0, 20, 5) ^ - BDN(t0, 24, 6) ^ BDN(t0, 28, 7) ^ BUP(t1, 0, 8) ^ - BUP(t1, 4, 9) ^ BUP(t1, 8, 10) ^ BDN(t1, 12, 11) ^ - BDN(t1, 16, 12) ^ BDN(t1, 20, 13) ^ BDN(t1, 24, 14) ^ - BDN(t1, 28, 15) ^ BUP(t2, 0, 16) ^ BUP(t2, 4, 17) ^ - BUP(t2, 8, 18) ^ BUP(t2, 12, 19) ^ BUP(t2, 16, 20) ^ - BUP(t2, 20, 21) ^ BDN(t2, 24, 22) ^ BDN(t2, 28, 23) ^ - BUP(t3, 0, 24) ^ BUP(t3, 4, 25) ^ BUP(t3, 8, 26) ^ - BUP(t3, 12, 27) ^ BUP(t3, 16, 28) ^ BUP(t3, 20, 29) ^ - BUP(t3, 24, 30) ^ BUP(t3, 28, 31); - x1 = BUP(t0, 1, 8) ^ BUP(t0, 5, 9) ^ BUP(t0, 9, 10) ^ - BDN(t0, 13, 11) ^ BDN(t0, 17, 12) ^ BDN(t0, 21, 13) ^ - BDN(t0, 25, 14) ^ BDN(t0, 29, 15) ^ BUP(t1, 1, 16) ^ - BUP(t1, 5, 17) ^ BUP(t1, 9, 18) ^ BUP(t1, 13, 19) ^ - BUP(t1, 17, 20) ^ BCP(t1, 21) ^ BDN(t1, 25, 22) ^ - BDN(t1, 29, 23) ^ BUP(t2, 1, 24) ^ BUP(t2, 5, 25) ^ - BUP(t2, 9, 26) ^ BUP(t2, 13, 27) ^ 
BUP(t2, 17, 28) ^ - BUP(t2, 21, 29) ^ BUP(t2, 25, 30) ^ BUP(t2, 29, 31) ^ - BCP(t4, 0) ^ BDN(t4, 4, 1) ^ BDN(t4, 8, 2) ^ - BDN(t4, 12, 3) ^ BDN(t4, 16, 4) ^ BDN(t4, 20, 5) ^ - BDN(t4, 24, 6) ^ BDN(t4, 28, 7); - x2 = BUP(t0, 2, 16) ^ BUP(t0, 6, 17) ^ BUP(t0, 10, 18) ^ - BUP(t0, 14, 19) ^ BUP(t0, 18, 20) ^ BDN(t0, 22, 21) ^ - BDN(t0, 26, 22) ^ BDN(t0, 30, 23) ^ BUP(t1, 2, 24) ^ - BUP(t1, 6, 25) ^ BUP(t1, 10, 26) ^ BUP(t1, 14, 27) ^ - BUP(t1, 18, 28) ^ BUP(t1, 22, 29) ^ BUP(t1, 26, 30) ^ - BUP(t1, 30, 31) ^ BDN(t3, 1, 0) ^ BDN(t3, 5, 1) ^ - BDN(t3, 9, 2) ^ BDN(t3, 13, 3) ^ BDN(t3, 17, 4) ^ - BDN(t3, 21, 5) ^ BDN(t3, 25, 6) ^ BDN(t3, 29, 7) ^ - BUP(t4, 1, 8) ^ BUP(t4, 5, 9) ^ BUP(t4, 9, 10) ^ - BDN(t4, 13, 11) ^ BDN(t4, 17, 12) ^ BDN(t4, 21, 13) ^ - BDN(t4, 25, 14) ^ BDN(t4, 29, 15); - x3 = BUP(t0, 3, 24) ^ BUP(t0, 7, 25) ^ BUP(t0, 11, 26) ^ - BUP(t0, 15, 27) ^ BUP(t0, 19, 28) ^ BUP(t0, 23, 29) ^ - BUP(t0, 27, 30) ^ BCP(t0, 31) ^ BDN(t2, 2, 0) ^ - BDN(t2, 6, 1) ^ BDN(t2, 10, 2) ^ BDN(t2, 14, 3) ^ - BDN(t2, 18, 4) ^ BDN(t2, 22, 5) ^ BDN(t2, 26, 6) ^ - BDN(t2, 30, 7) ^ BUP(t3, 2, 8) ^ BUP(t3, 6, 9) ^ - BCP(t3, 10) ^ BDN(t3, 14, 11) ^ BDN(t3, 18, 12) ^ - BDN(t3, 22, 13) ^ BDN(t3, 26, 14) ^ BDN(t3, 30, 15) ^ - BUP(t4, 2, 16) ^ BUP(t4, 6, 17) ^ BUP(t4, 10, 18) ^ - BUP(t4, 14, 19) ^ BUP(t4, 18, 20) ^ BDN(t4, 22, 21) ^ - BDN(t4, 26, 22) ^ BDN(t4, 30, 23); - x4 = BDN(t1, 3, 0) ^ BDN(t1, 7, 1) ^ BDN(t1, 11, 2) ^ - BDN(t1, 15, 3) ^ BDN(t1, 19, 4) ^ BDN(t1, 23, 5) ^ - BDN(t1, 27, 6) ^ BDN(t1, 31, 7) ^ BUP(t2, 3, 8) ^ - BUP(t2, 7, 9) ^ BDN(t2, 11, 10) ^ BDN(t2, 15, 11) ^ - BDN(t2, 19, 12) ^ BDN(t2, 23, 13) ^ BDN(t2, 27, 14) ^ - BDN(t2, 31, 15) ^ BUP(t3, 3, 16) ^ BUP(t3, 7, 17) ^ - BUP(t3, 11, 18) ^ BUP(t3, 15, 19) ^ BUP(t3, 19, 20) ^ - BDN(t3, 23, 21) ^ BDN(t3, 27, 22) ^ BDN(t3, 31, 23) ^ - BUP(t4, 3, 24) ^ BUP(t4, 7, 25) ^ BUP(t4, 11, 26) ^ - BUP(t4, 15, 27) ^ BUP(t4, 19, 28) ^ BUP(t4, 23, 29) ^ - BUP(t4, 27, 30) ^ BCP(t4, 31); - } - - /* Store the local variables back to the 
state in little-endian order */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->W[0] = x0; - state->W[1] = x1; - state->W[2] = x2; - state->W[3] = x3; - state->W[4] = x4; -#else - le_store_word32(state->B, x0); - le_store_word32(state->B + 4, x1); - le_store_word32(state->B + 8, x2); - le_store_word32(state->B + 12, x3); - le_store_word32(state->B + 16, x4); -#endif -} - -void spongent176_permute(spongent176_state_t *state) -{ - static uint8_t const RC[] = { - /* Round constants for Spongent-pi[176] */ - 0x45, 0xa2, 0x0b, 0xd0, 0x16, 0x68, 0x2c, 0x34, - 0x59, 0x9a, 0x33, 0xcc, 0x67, 0xe6, 0x4e, 0x72, - 0x1d, 0xb8, 0x3a, 0x5c, 0x75, 0xae, 0x6a, 0x56, - 0x54, 0x2a, 0x29, 0x94, 0x53, 0xca, 0x27, 0xe4, - 0x4f, 0xf2, 0x1f, 0xf8, 0x3e, 0x7c, 0x7d, 0xbe, - 0x7a, 0x5e, 0x74, 0x2e, 0x68, 0x16, 0x50, 0x0a, - 0x21, 0x84, 0x43, 0xc2, 0x07, 0xe0, 0x0e, 0x70, - 0x1c, 0x38, 0x38, 0x1c, 0x71, 0x8e, 0x62, 0x46, - 0x44, 0x22, 0x09, 0x90, 0x12, 0x48, 0x24, 0x24, - 0x49, 0x92, 0x13, 0xc8, 0x26, 0x64, 0x4d, 0xb2, - 0x1b, 0xd8, 0x36, 0x6c, 0x6d, 0xb6, 0x5a, 0x5a, - 0x35, 0xac, 0x6b, 0xd6, 0x56, 0x6a, 0x2d, 0xb4, - 0x5b, 0xda, 0x37, 0xec, 0x6f, 0xf6, 0x5e, 0x7a, - 0x3d, 0xbc, 0x7b, 0xde, 0x76, 0x6e, 0x6c, 0x36, - 0x58, 0x1a, 0x31, 0x8c, 0x63, 0xc6, 0x46, 0x62, - 0x0d, 0xb0, 0x1a, 0x58, 0x34, 0x2c, 0x69, 0x96, - 0x52, 0x4a, 0x25, 0xa4, 0x4b, 0xd2, 0x17, 0xe8, - 0x2e, 0x74, 0x5d, 0xba, 0x3b, 0xdc, 0x77, 0xee, - 0x6e, 0x76, 0x5c, 0x3a, 0x39, 0x9c, 0x73, 0xce, - 0x66, 0x66, 0x4c, 0x32, 0x19, 0x98, 0x32, 0x4c, - 0x65, 0xa6, 0x4a, 0x52, 0x15, 0xa8, 0x2a, 0x54, - 0x55, 0xaa, 0x2b, 0xd4, 0x57, 0xea, 0x2f, 0xf4, - 0x5f, 0xfa, 0x3f, 0xfc - }; - const uint8_t *rc = RC; - uint32_t x0, x1, x2, x3, x4, x5; - uint32_t t0, t1, t2, t3, t4, t5; - uint8_t round; - - /* Load the state into local variables and convert from little-endian */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - x0 = state->W[0]; - x1 = state->W[1]; - x2 = state->W[2]; - x3 = state->W[3]; - x4 = state->W[4]; - x5 = state->W[5]; -#else - x0 = 
le_load_word32(state->B); - x1 = le_load_word32(state->B + 4); - x2 = le_load_word32(state->B + 8); - x3 = le_load_word32(state->B + 12); - x4 = le_load_word32(state->B + 16); - x5 = le_load_word16(state->B + 20); /* Last word is only 16 bits */ -#endif - - /* Perform the 90 rounds of Spongent-pi[176] */ - for (round = 0; round < 90; ++round, rc += 2) { - /* Add the round constant to front and back of the state */ - x0 ^= rc[0]; - x5 ^= ((uint32_t)(rc[1])) << 8; - - /* Apply the S-box to all 4-bit groups in the state */ - t0 = spongent_sbox(x0); - t1 = spongent_sbox(x1); - t2 = spongent_sbox(x2); - t3 = spongent_sbox(x3); - t4 = spongent_sbox(x4); - t5 = spongent_sbox(x5); - - /* Permute the bits of the state. Bit i is moved to (44 * i) % 175 - * for all bits except the last which is left where it is. - * BCP = bit copy, BUP = move bit up, BDN = move bit down */ - x0 = BCP(t0, 0) ^ BDN(t0, 4, 1) ^ BDN(t0, 8, 2) ^ - BDN(t0, 12, 3) ^ BDN(t0, 16, 4) ^ BDN(t0, 20, 5) ^ - BDN(t0, 24, 6) ^ BDN(t0, 28, 7) ^ BUP(t1, 0, 8) ^ - BUP(t1, 4, 9) ^ BUP(t1, 8, 10) ^ BDN(t1, 12, 11) ^ - BDN(t1, 16, 12) ^ BDN(t1, 20, 13) ^ BDN(t1, 24, 14) ^ - BDN(t1, 28, 15) ^ BUP(t2, 0, 16) ^ BUP(t2, 4, 17) ^ - BUP(t2, 8, 18) ^ BUP(t2, 12, 19) ^ BUP(t2, 16, 20) ^ - BUP(t2, 20, 21) ^ BDN(t2, 24, 22) ^ BDN(t2, 28, 23) ^ - BUP(t3, 0, 24) ^ BUP(t3, 4, 25) ^ BUP(t3, 8, 26) ^ - BUP(t3, 12, 27) ^ BUP(t3, 16, 28) ^ BUP(t3, 20, 29) ^ - BUP(t3, 24, 30) ^ BUP(t3, 28, 31); - x1 = BUP(t0, 1, 12) ^ BUP(t0, 5, 13) ^ BUP(t0, 9, 14) ^ - BUP(t0, 13, 15) ^ BDN(t0, 17, 16) ^ BDN(t0, 21, 17) ^ - BDN(t0, 25, 18) ^ BDN(t0, 29, 19) ^ BUP(t1, 1, 20) ^ - BUP(t1, 5, 21) ^ BUP(t1, 9, 22) ^ BUP(t1, 13, 23) ^ - BUP(t1, 17, 24) ^ BUP(t1, 21, 25) ^ BUP(t1, 25, 26) ^ - BDN(t1, 29, 27) ^ BUP(t2, 1, 28) ^ BUP(t2, 5, 29) ^ - BUP(t2, 9, 30) ^ BUP(t2, 13, 31) ^ BCP(t4, 0) ^ - BDN(t4, 4, 1) ^ BDN(t4, 8, 2) ^ BDN(t4, 12, 3) ^ - BDN(t4, 16, 4) ^ BDN(t4, 20, 5) ^ BDN(t4, 24, 6) ^ - BDN(t4, 28, 7) ^ BUP(t5, 0, 8) ^ BUP(t5, 4, 9) ^ - BUP(t5, 
8, 10) ^ BDN(t5, 12, 11); - x2 = BUP(t0, 2, 24) ^ BUP(t0, 6, 25) ^ BUP(t0, 10, 26) ^ - BUP(t0, 14, 27) ^ BUP(t0, 18, 28) ^ BUP(t0, 22, 29) ^ - BUP(t0, 26, 30) ^ BUP(t0, 30, 31) ^ BDN(t2, 17, 0) ^ - BDN(t2, 21, 1) ^ BDN(t2, 25, 2) ^ BDN(t2, 29, 3) ^ - BUP(t3, 1, 4) ^ BCP(t3, 5) ^ BDN(t3, 9, 6) ^ - BDN(t3, 13, 7) ^ BDN(t3, 17, 8) ^ BDN(t3, 21, 9) ^ - BDN(t3, 25, 10) ^ BDN(t3, 29, 11) ^ BUP(t4, 1, 12) ^ - BUP(t4, 5, 13) ^ BUP(t4, 9, 14) ^ BUP(t4, 13, 15) ^ - BDN(t4, 17, 16) ^ BDN(t4, 21, 17) ^ BDN(t4, 25, 18) ^ - BDN(t4, 29, 19) ^ BUP(t5, 1, 20) ^ BUP(t5, 5, 21) ^ - BUP(t5, 9, 22) ^ BUP(t5, 13, 23); - x3 = BDN(t1, 2, 0) ^ BDN(t1, 6, 1) ^ BDN(t1, 10, 2) ^ - BDN(t1, 14, 3) ^ BDN(t1, 18, 4) ^ BDN(t1, 22, 5) ^ - BDN(t1, 26, 6) ^ BDN(t1, 30, 7) ^ BUP(t2, 2, 8) ^ - BUP(t2, 6, 9) ^ BCP(t2, 10) ^ BDN(t2, 14, 11) ^ - BDN(t2, 18, 12) ^ BDN(t2, 22, 13) ^ BDN(t2, 26, 14) ^ - BDN(t2, 30, 15) ^ BUP(t3, 2, 16) ^ BUP(t3, 6, 17) ^ - BUP(t3, 10, 18) ^ BUP(t3, 14, 19) ^ BUP(t3, 18, 20) ^ - BDN(t3, 22, 21) ^ BDN(t3, 26, 22) ^ BDN(t3, 30, 23) ^ - BUP(t4, 2, 24) ^ BUP(t4, 6, 25) ^ BUP(t4, 10, 26) ^ - BUP(t4, 14, 27) ^ BUP(t4, 18, 28) ^ BUP(t4, 22, 29) ^ - BUP(t4, 26, 30) ^ BUP(t4, 30, 31); - x4 = BUP(t0, 3, 4) ^ BDN(t0, 7, 5) ^ BDN(t0, 11, 6) ^ - BDN(t0, 15, 7) ^ BDN(t0, 19, 8) ^ BDN(t0, 23, 9) ^ - BDN(t0, 27, 10) ^ BDN(t0, 31, 11) ^ BUP(t1, 3, 12) ^ - BUP(t1, 7, 13) ^ BUP(t1, 11, 14) ^ BCP(t1, 15) ^ - BDN(t1, 19, 16) ^ BDN(t1, 23, 17) ^ BDN(t1, 27, 18) ^ - BDN(t1, 31, 19) ^ BUP(t2, 3, 20) ^ BUP(t2, 7, 21) ^ - BUP(t2, 11, 22) ^ BUP(t2, 15, 23) ^ BUP(t2, 19, 24) ^ - BUP(t2, 23, 25) ^ BDN(t2, 27, 26) ^ BDN(t2, 31, 27) ^ - BUP(t3, 3, 28) ^ BUP(t3, 7, 29) ^ BUP(t3, 11, 30) ^ - BUP(t3, 15, 31) ^ BDN(t5, 2, 0) ^ BDN(t5, 6, 1) ^ - BDN(t5, 10, 2) ^ BDN(t5, 14, 3); - x5 = BDN(t3, 19, 0) ^ BDN(t3, 23, 1) ^ BDN(t3, 27, 2) ^ - BDN(t3, 31, 3) ^ BUP(t4, 3, 4) ^ BDN(t4, 7, 5) ^ - BDN(t4, 11, 6) ^ BDN(t4, 15, 7) ^ BDN(t4, 19, 8) ^ - BDN(t4, 23, 9) ^ BDN(t4, 27, 10) ^ BDN(t4, 31, 11) ^ - BUP(t5, 3, 12) ^ 
BUP(t5, 7, 13) ^
- BCP(t5, 15);
- }
-
- /* Store the local variables back to the state in little-endian order */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->W[0] = x0;
- state->W[1] = x1;
- state->W[2] = x2;
- state->W[3] = x3;
- state->W[4] = x4;
- state->W[5] = x5;
-#else
- le_store_word32(state->B, x0);
- le_store_word32(state->B + 4, x1);
- le_store_word32(state->B + 8, x2);
- le_store_word32(state->B + 12, x3);
- le_store_word32(state->B + 16, x4);
- le_store_word16(state->B + 20, x5); /* Last word is only 16 bits */
-#endif
-}
-
-#endif /* !__AVR__ */
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.c b/elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.c
index 770f568..2f7abb3 100644
--- a/elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.c
+++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/elephant.c
@@ -660,7 +660,7 @@ static void delirium_process_ad
 if (size <= adlen) {
 /* Process a complete block */
 lw_xor_block(state->B + posn, ad, size);
- keccakp_200_permute(state, 18);
+ keccakp_200_permute(state);
 lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE);
@@ -680,7 +680,7 @@ static void delirium_process_ad
 /* Pad and absorb the final block */
 state->B[posn] ^= 0x01;
- keccakp_200_permute(state, 18);
+ keccakp_200_permute(state);
 lw_xor_block(state->B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state->B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state->B, DELIRIUM_TAG_SIZE);
@@ -707,7 +707,7 @@ int delirium_aead_encrypt
 /* Hash the key and generate the initial mask */
 memcpy(state.B, k, DELIRIUM_KEY_SIZE);
 memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 memcpy(mask, state.B, DELIRIUM_KEY_SIZE);
 memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE);
 memcpy(start, mask, sizeof(mask));
@@ -726,7 +726,7 @@ int delirium_aead_encrypt
 /* Encrypt using the current mask */
 memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, m, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 memcpy(c, state.B, KECCAKP_200_STATE_SIZE);
@@ -735,7 +735,7 @@ int delirium_aead_encrypt
 delirium_lfsr(next, mask);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -751,7 +751,7 @@ int delirium_aead_encrypt
 unsigned temp = (unsigned)mlen;
 memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, m, temp);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 memcpy(c, state.B, temp);
@@ -762,7 +762,7 @@ int delirium_aead_encrypt
 memset(state.B + temp + 1, 0, KECCAKP_200_STATE_SIZE - temp - 1);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, next, KECCAKP_200_STATE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -772,7 +772,7 @@ int delirium_aead_encrypt
 delirium_lfsr(next, mask);
 lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
 state.B[0] ^= 0x01;
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -807,7 +807,7 @@ int delirium_aead_decrypt
 /* Hash the key and generate the initial mask */
 memcpy(state.B, k, DELIRIUM_KEY_SIZE);
 memset(state.B + DELIRIUM_KEY_SIZE, 0, sizeof(state.B) - DELIRIUM_KEY_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 memcpy(mask, state.B, DELIRIUM_KEY_SIZE);
 memset(mask + DELIRIUM_KEY_SIZE, 0, sizeof(mask) - DELIRIUM_KEY_SIZE);
 memcpy(start, mask, sizeof(mask));
@@ -828,7 +828,7 @@ int delirium_aead_decrypt
 delirium_lfsr(next, mask);
 lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, c, KECCAKP_200_STATE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -836,7 +836,7 @@ int delirium_aead_decrypt
 /* Decrypt using the current mask */
 memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block_2_src(m, state.B, c, KECCAKP_200_STATE_SIZE);
@@ -853,7 +853,7 @@ int delirium_aead_decrypt
 lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, c, temp);
 state.B[temp] ^= 0x01;
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
@@ -861,7 +861,7 @@ int delirium_aead_decrypt
 /* Decrypt the last block using the current mask */
 memcpy(state.B, mask, KECCAKP_200_STATE_SIZE);
 lw_xor_block(state.B, npub, DELIRIUM_NONCE_SIZE);
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, temp);
 lw_xor_block_2_src(m, state.B, c, temp);
 c += temp;
@@ -870,7 +870,7 @@ int delirium_aead_decrypt
 delirium_lfsr(next, mask);
 lw_xor_block_2_src(state.B, mask, next, KECCAKP_200_STATE_SIZE);
 state.B[0] ^= 0x01;
- keccakp_200_permute(&state, 18);
+ keccakp_200_permute(&state);
 lw_xor_block(state.B, mask, DELIRIUM_TAG_SIZE);
 lw_xor_block(state.B, next, DELIRIUM_TAG_SIZE);
 lw_xor_block(tag, state.B, DELIRIUM_TAG_SIZE);
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-keccak-avr.S b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak-avr.S
similarity index 100%
rename from elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-keccak-avr.S
rename to elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak-avr.S
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.c b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.c
index c3c4011..60539df 100644
--- a/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.c
+++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.c
@@ -22,74 +22,79 @@
 #include "internal-keccak.h"
+#if !defined(__AVR__)
+
 /* Faster method to compute ((x + y) % 5) that avoids the division */
 static unsigned char const addMod5Table[9] = { 0, 1, 2, 3, 4, 0, 1, 2, 3 };
 #define addMod5(x, y) (addMod5Table[(x) + (y)])
-void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds)
+void keccakp_200_permute(keccakp_200_state_t *state)
 {
 static uint8_t const RC[18] = { 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, 0x02, 0x80 };
- uint8_t B[5][5];
+ uint8_t C[5];
 uint8_t D;
 unsigned round;
 unsigned index, index2;
- for (round = 18 - rounds; round < 18; ++round) {
+ for (round = 0; round < 18; ++round) {
 /* Step mapping theta. The specification mentions two temporary
- * arrays of size 5 called C and D. To save a bit of memory,
- * we use the first row of B to store C and compute D on the fly */
+ * arrays of size 5 called C and D. Compute D on the fly */
 for (index = 0; index < 5; ++index) {
- B[0][index] = state->A[0][index] ^ state->A[1][index] ^
- state->A[2][index] ^ state->A[3][index] ^
- state->A[4][index];
+ C[index] = state->A[0][index] ^ state->A[1][index] ^
+ state->A[2][index] ^ state->A[3][index] ^
+ state->A[4][index];
 }
 for (index = 0; index < 5; ++index) {
- D = B[0][addMod5(index, 4)] ^
- leftRotate1_8(B[0][addMod5(index, 1)]);
+ D = C[addMod5(index, 4)] ^
+ leftRotate1_8(C[addMod5(index, 1)]);
 for (index2 = 0; index2 < 5; ++index2)
 state->A[index2][index] ^= D;
 }
 /* Step mapping rho and pi combined into a single step.
 * Rotate all lanes by a specific offset and rearrange */
- B[0][0] = state->A[0][0];
- B[1][0] = leftRotate4_8(state->A[0][3]);
- B[2][0] = leftRotate1_8(state->A[0][1]);
- B[3][0] = leftRotate3_8(state->A[0][4]);
- B[4][0] = leftRotate6_8(state->A[0][2]);
- B[0][1] = leftRotate4_8(state->A[1][1]);
- B[1][1] = leftRotate4_8(state->A[1][4]);
- B[2][1] = leftRotate6_8(state->A[1][2]);
- B[3][1] = leftRotate4_8(state->A[1][0]);
- B[4][1] = leftRotate7_8(state->A[1][3]);
- B[0][2] = leftRotate3_8(state->A[2][2]);
- B[1][2] = leftRotate3_8(state->A[2][0]);
- B[2][2] = leftRotate1_8(state->A[2][3]);
- B[3][2] = leftRotate2_8(state->A[2][1]);
- B[4][2] = leftRotate7_8(state->A[2][4]);
- B[0][3] = leftRotate5_8(state->A[3][3]);
- B[1][3] = leftRotate5_8(state->A[3][1]);
- B[2][3] = state->A[3][4];
- B[3][3] = leftRotate7_8(state->A[3][2]);
- B[4][3] = leftRotate1_8(state->A[3][0]);
- B[0][4] = leftRotate6_8(state->A[4][4]);
- B[1][4] = leftRotate5_8(state->A[4][2]);
- B[2][4] = leftRotate2_8(state->A[4][0]);
- B[3][4] = state->A[4][3];
- B[4][4] = leftRotate2_8(state->A[4][1]);
+ D = state->A[0][1];
+ state->A[0][1] = leftRotate4_8(state->A[1][1]);
+ state->A[1][1] = leftRotate4_8(state->A[1][4]);
+ state->A[1][4] = leftRotate5_8(state->A[4][2]);
+ state->A[4][2] = leftRotate7_8(state->A[2][4]);
+ state->A[2][4] = leftRotate2_8(state->A[4][0]);
+ state->A[4][0] = leftRotate6_8(state->A[0][2]);
+ state->A[0][2] = leftRotate3_8(state->A[2][2]);
+ state->A[2][2] = leftRotate1_8(state->A[2][3]);
+ state->A[2][3] = state->A[3][4];
+ state->A[3][4] = state->A[4][3];
+ state->A[4][3] = leftRotate1_8(state->A[3][0]);
+ state->A[3][0] = leftRotate3_8(state->A[0][4]);
+ state->A[0][4] = leftRotate6_8(state->A[4][4]);
+ state->A[4][4] = leftRotate2_8(state->A[4][1]);
+ state->A[4][1] = leftRotate7_8(state->A[1][3]);
+ state->A[1][3] = leftRotate5_8(state->A[3][1]);
+ state->A[3][1] = leftRotate4_8(state->A[1][0]);
+ state->A[1][0] = leftRotate4_8(state->A[0][3]);
+ state->A[0][3] = leftRotate5_8(state->A[3][3]);
+ state->A[3][3] = leftRotate7_8(state->A[3][2]);
+ state->A[3][2] = leftRotate2_8(state->A[2][1]);
+ state->A[2][1] = leftRotate6_8(state->A[1][2]);
+ state->A[1][2] = leftRotate3_8(state->A[2][0]);
+ state->A[2][0] = leftRotate1_8(D);
 /* Step mapping chi. Combine each lane with two others in its row */
 for (index = 0; index < 5; ++index) {
+ C[0] = state->A[index][0];
+ C[1] = state->A[index][1];
+ C[2] = state->A[index][2];
+ C[3] = state->A[index][3];
+ C[4] = state->A[index][4];
 for (index2 = 0; index2 < 5; ++index2) {
- state->A[index2][index] =
- B[index2][index] ^
- ((~B[index2][addMod5(index, 1)]) &
- B[index2][addMod5(index, 2)]);
+ state->A[index][index2] =
+ C[index2] ^
+ ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
 }
 }
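Review bot: The in-place rho/pi chain that replaces the B[5][5] scratch array carries an ordering invariant the surviving comment ("Rotate all lanes by a specific offset and rearrange") does not state: every assignment must read the lane that the next assignment overwrites, with A[0][1] parked in D and A[0][0] left as the fixed point, so swapping any two lines silently changes the permutation without a compiler warning. I compared all 24 new assignments against the removed B[][] lines and they do match; a comment such as `/* In-place pi: the lanes form one cycle, so each line reads the lane that the next line overwrites. A[0][0] is fixed, A[0][1] is parked in D. Do not reorder. */` would protect the next edit. The keccakp_400_permute_host hunk at `@@ -110,61 +115,64 @@` has the same structure and needs the same note. Because the permutation is now the only thing that can drift, a known-answer check of the full 18-round output against the previous implementation would catch a misordered line that nothing in this change otherwise exercises. The loop bound `18` and the `RC[18]` declaration are now two independent literals; `sizeof(RC)` as the bound would tie them together.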
@@ -110,61 +115,64 @@ void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds)
 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, 0x8002, 0x0080, 0x800A, 0x000A
 };
- uint16_t B[5][5];
+ uint16_t C[5];
 uint16_t D;
 unsigned round;
 unsigned index, index2;
 for (round = 20 - rounds; round < 20; ++round) {
 /* Step mapping theta. The specification mentions two temporary
- * arrays of size 5 called C and D. To save a bit of memory,
- * we use the first row of B to store C and compute D on the fly */
+ * arrays of size 5 called C and D. Compute D on the fly */
 for (index = 0; index < 5; ++index) {
- B[0][index] = state->A[0][index] ^ state->A[1][index] ^
- state->A[2][index] ^ state->A[3][index] ^
- state->A[4][index];
+ C[index] = state->A[0][index] ^ state->A[1][index] ^
+ state->A[2][index] ^ state->A[3][index] ^
+ state->A[4][index];
 }
 for (index = 0; index < 5; ++index) {
- D = B[0][addMod5(index, 4)] ^
- leftRotate1_16(B[0][addMod5(index, 1)]);
+ D = C[addMod5(index, 4)] ^
+ leftRotate1_16(C[addMod5(index, 1)]);
 for (index2 = 0; index2 < 5; ++index2)
 state->A[index2][index] ^= D;
 }
 /* Step mapping rho and pi combined into a single step.
 * Rotate all lanes by a specific offset and rearrange */
- B[0][0] = state->A[0][0];
- B[1][0] = leftRotate12_16(state->A[0][3]);
- B[2][0] = leftRotate1_16 (state->A[0][1]);
- B[3][0] = leftRotate11_16(state->A[0][4]);
- B[4][0] = leftRotate14_16(state->A[0][2]);
- B[0][1] = leftRotate12_16(state->A[1][1]);
- B[1][1] = leftRotate4_16 (state->A[1][4]);
- B[2][1] = leftRotate6_16 (state->A[1][2]);
- B[3][1] = leftRotate4_16 (state->A[1][0]);
- B[4][1] = leftRotate7_16 (state->A[1][3]);
- B[0][2] = leftRotate11_16(state->A[2][2]);
- B[1][2] = leftRotate3_16 (state->A[2][0]);
- B[2][2] = leftRotate9_16 (state->A[2][3]);
- B[3][2] = leftRotate10_16(state->A[2][1]);
- B[4][2] = leftRotate7_16 (state->A[2][4]);
- B[0][3] = leftRotate5_16 (state->A[3][3]);
- B[1][3] = leftRotate13_16(state->A[3][1]);
- B[2][3] = leftRotate8_16 (state->A[3][4]);
- B[3][3] = leftRotate15_16(state->A[3][2]);
- B[4][3] = leftRotate9_16 (state->A[3][0]);
- B[0][4] = leftRotate14_16(state->A[4][4]);
- B[1][4] = leftRotate13_16(state->A[4][2]);
- B[2][4] = leftRotate2_16 (state->A[4][0]);
- B[3][4] = leftRotate8_16 (state->A[4][3]);
- B[4][4] = leftRotate2_16 (state->A[4][1]);
+ D = state->A[0][1];
+ state->A[0][1] = leftRotate12_16(state->A[1][1]);
+ state->A[1][1] = leftRotate4_16 (state->A[1][4]);
+ state->A[1][4] = leftRotate13_16(state->A[4][2]);
+ state->A[4][2] = leftRotate7_16 (state->A[2][4]);
+ state->A[2][4] = leftRotate2_16 (state->A[4][0]);
+ state->A[4][0] = leftRotate14_16(state->A[0][2]);
+ state->A[0][2] = leftRotate11_16(state->A[2][2]);
+ state->A[2][2] = leftRotate9_16 (state->A[2][3]);
+ state->A[2][3] = leftRotate8_16 (state->A[3][4]);
+ state->A[3][4] = leftRotate8_16 (state->A[4][3]);
+ state->A[4][3] = leftRotate9_16 (state->A[3][0]);
+ state->A[3][0] = leftRotate11_16(state->A[0][4]);
+ state->A[0][4] = leftRotate14_16(state->A[4][4]);
+ state->A[4][4] = leftRotate2_16 (state->A[4][1]);
+ state->A[4][1] = leftRotate7_16 (state->A[1][3]);
+ state->A[1][3] = leftRotate13_16(state->A[3][1]);
+ state->A[3][1] = leftRotate4_16 (state->A[1][0]);
+ state->A[1][0] = leftRotate12_16(state->A[0][3]);
+ state->A[0][3] = leftRotate5_16 (state->A[3][3]);
+ state->A[3][3] = leftRotate15_16(state->A[3][2]);
+ state->A[3][2] = leftRotate10_16(state->A[2][1]);
+ state->A[2][1] = leftRotate6_16 (state->A[1][2]);
+ state->A[1][2] = leftRotate3_16 (state->A[2][0]);
+ state->A[2][0] = leftRotate1_16(D);
 /* Step mapping chi. Combine each lane with two others in its row */
 for (index = 0; index < 5; ++index) {
+ C[0] = state->A[index][0];
+ C[1] = state->A[index][1];
+ C[2] = state->A[index][2];
+ C[3] = state->A[index][3];
+ C[4] = state->A[index][4];
 for (index2 = 0; index2 < 5; ++index2) {
- state->A[index2][index] =
- B[index2][index] ^
- ((~B[index2][addMod5(index, 1)]) &
- B[index2][addMod5(index, 2)]);
+ state->A[index][index2] =
+ C[index2] ^
+ ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
 }
 }
@@ -202,3 +210,5 @@ void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds)
 }
 #endif
+
+#endif /* !__AVR__ */
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.h b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.h
index 026da50..2ffef42 100644
--- a/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.h
+++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-keccak.h
@@ -68,9 +68,8 @@ typedef union
 * \brief Permutes the Keccak-p[200] state.
 *
 * \param state The Keccak-p[200] state to be permuted.
- * \param rounds The number of rounds to perform (up to 18).
 */
-void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds);
+void keccakp_200_permute(keccakp_200_state_t *state);
 /**
 * \brief Permutes the Keccak-p[400] state, which is assumed to be in
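Review bot: With the `rounds` parameter dropped, the keccakp_200_permute doc comment in internal-keccak.h no longer says how many rounds the function performs, while the implementation hunk at `@@ -22,74 +22,79 @@` now fixes the count at 18. A single line after the \param entry, ` * All 18 rounds of Keccak-p[200] are always performed.`, makes the removal of the reduced-round option visible at the declaration rather than only in the .c file. The neighbouring keccakp_400_permute declaration keeps its `rounds` parameter, so the asymmetry is worth stating explicitly.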
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-spongent-avr.S b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent-avr.S
similarity index 100%
rename from elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-spongent-avr.S
rename to elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent-avr.S
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.c b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.c
index 69a8ecb..8e0d57d 100644
--- a/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.c
+++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-spongent.c
@@ -22,6 +22,8 @@
 #include "internal-spongent.h"
+#if !defined(__AVR__)
+
 /**
 * \brief Applies the Spongent-pi S-box in parallel to the 8 nibbles
 * of a 32-bit word.
@@ -344,3 +346,5 @@ void spongent176_permute(spongent176_state_t *state)
 le_store_word16(state->B + 20, x5); /* Last word is only 16 bits */
 #endif
 }
+
+#endif /* !__AVR__ */
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-util.h b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-util.h
+++ b/elephant/Implementations/crypto_aead/elephant200v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/api.h b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/api.h
deleted file mode 100644
index b2f8a36..0000000
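Review bot: `leftRotate12`, `leftRotate20` and `leftRotate28` nest five rotations, and each level of the generic macro appears to declare its own `_temp` inside a statement expression (only the tail `(_temp >> (bits)) | (_temp << (32 - (bits))); }))` is visible in the previous hunk), so every inner declaration shadows the outer one and a `-Wshadow` build of any AVR target will warn on each use of these macros. The shadowing is harmless because each inner `_temp` is read only within its own scope, but that deserves a line next to `/* Composed rotation macros where 1 and 8 are fast, but others are slow */`, for example `/* Nested rotations re-declare the generic macro's _temp in inner scopes; the shadowing is intentional. */`. I checked the 31 left-rotation compositions and the `rightRotateN(a)` -> `leftRotate(32-N)` mapping against their comments and they agree, including that no `rightRotateN` expands back into itself. The 64-bit rotations that follow the `#endif` stay generic, so presumably none of the AVR-targeted ciphers rely on composed 64-bit forms — worth confirming.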
--- a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/encrypt.c b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/encrypt.c deleted file mode 100644 index daa5139..0000000 --- a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "estate.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return estate_twegift_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return estate_twegift_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/estate.c b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/estate.c deleted file mode 100644 index a570791..0000000 --- a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/estate.c +++ /dev/null 
@@ -1,199 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "estate.h" -#include "internal-gift128.h" -#include "internal-util.h" -#include - -aead_cipher_t const estate_twegift_cipher = { - "ESTATE_TweGIFT-128", - ESTATE_TWEGIFT_KEY_SIZE, - ESTATE_TWEGIFT_NONCE_SIZE, - ESTATE_TWEGIFT_TAG_SIZE, - AEAD_FLAG_NONE, - estate_twegift_aead_encrypt, - estate_twegift_aead_decrypt -}; - -/** - * \brief Generates the FCBC MAC for a packet using ESTATE_TweGIFT-128. - * - * \param ks The key schedule for TweGIFT-128. - * \param tag Rolling state of the authentication tag. - * \param m Message to be authenticated. - * \param mlen Length of the message to be authenticated; must be >= 1. - * \param tweak1 Tweak value to use when the last block is full. - * \param tweak2 Tweak value to use when the last block is partial. 
- */ -static void estate_twegift_fcbc - (const gift128n_key_schedule_t *ks, unsigned char tag[16], - const unsigned char *m, unsigned long long mlen, - uint32_t tweak1, uint32_t tweak2) -{ - while (mlen > 16) { - lw_xor_block(tag, m, 16); - gift128n_encrypt(ks, tag, tag); - m += 16; - mlen -= 16; - } - if (mlen == 16) { - lw_xor_block(tag, m, 16); - gift128t_encrypt(ks, tag, tag, tweak1); - } else { - unsigned temp = (unsigned)mlen; - lw_xor_block(tag, m, temp); - tag[temp] ^= 0x01; - gift128t_encrypt(ks, tag, tag, tweak2); - } -} - -/** - * \brief Generates the MAC for a packet using ESTATE_TweGIFT-128. - * - * \param ks The key schedule for TweGIFT-128. - * \param tag Rolling state of the authentication tag. - * \param m Message to be authenticated. - * \param mlen Length of the message to be authenticated. - * \param ad Associated data to be authenticated. - * \param adlen Length of the associated data to be authenticated. - */ -static void estate_twegift_authenticate - (const gift128n_key_schedule_t *ks, unsigned char tag[16], - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen) -{ - /* Handle the case where both the message and associated data are empty */ - if (mlen == 0 && adlen == 0) { - gift128t_encrypt(ks, tag, tag, GIFT128T_TWEAK_8); - return; - } - - /* Encrypt the nonce */ - gift128t_encrypt(ks, tag, tag, GIFT128T_TWEAK_1); - - /* Compute the FCBC MAC over the associated data */ - if (adlen != 0) { - if (mlen != 0) { - estate_twegift_fcbc - (ks, tag, ad, adlen, GIFT128T_TWEAK_2, GIFT128T_TWEAK_3); - } else { - estate_twegift_fcbc - (ks, tag, ad, adlen, GIFT128T_TWEAK_6, GIFT128T_TWEAK_7); - } - } - - /* Compute the FCBC MAC over the message data */ - if (mlen != 0) { - estate_twegift_fcbc - (ks, tag, m, mlen, GIFT128T_TWEAK_4, GIFT128T_TWEAK_5); - } -} - -/** - * \brief Encrypts (or decrypts) a payload using ESTATE_TweGIFT-128. - * - * \param ks The key schedule for TweGIFT-128. 
- * \param tag Pre-computed authentication tag for the packet. - * \param c Ciphertext after encryption. - * \param m Plaintext to be encrypted. - * \param mlen Length of the plaintext to be encrypted. - */ -static void estate_twegift_encrypt - (const gift128n_key_schedule_t *ks, const unsigned char tag[16], - unsigned char *c, const unsigned char *m, unsigned long long mlen) -{ - unsigned char block[16]; - memcpy(block, tag, 16); - while (mlen >= 16) { - gift128n_encrypt(ks, block, block); - lw_xor_block_2_src(c, block, m, 16); - c += 16; - m += 16; - mlen -= 16; - } - if (mlen > 0) { - gift128n_encrypt(ks, block, block); - lw_xor_block_2_src(c, block, m, (unsigned)mlen); - } -} - -int estate_twegift_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - gift128n_key_schedule_t ks; - unsigned char tag[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ESTATE_TWEGIFT_TAG_SIZE; - - /* Set up the key schedule and copy the nonce into the tag */ - gift128n_init(&ks, k); - memcpy(tag, npub, 16); - - /* Authenticate the associated data and plaintext */ - estate_twegift_authenticate(&ks, tag, m, mlen, ad, adlen); - - /* Encrypt the plaintext to generate the ciphertext */ - estate_twegift_encrypt(&ks, tag, c, m, mlen); - - /* Generate the authentication tag */ - memcpy(c + mlen, tag, 16); - return 0; -} - -int estate_twegift_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - gift128n_key_schedule_t ks; - unsigned char tag[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ESTATE_TWEGIFT_TAG_SIZE) 
- return -1; - *mlen = clen - ESTATE_TWEGIFT_TAG_SIZE; - - /* Set up the key schedule and copy the nonce into the tag */ - gift128n_init(&ks, k); - memcpy(tag, npub, 16); - - /* Decrypt the ciphertext to generate the plaintext */ - estate_twegift_encrypt(&ks, c + *mlen, m, c, *mlen); - - /* Authenticate the associated data and plaintext */ - estate_twegift_authenticate(&ks, tag, m, *mlen, ad, adlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, tag, c + *mlen, 16); -} diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128.c b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128.c deleted file mode 100644 index c6ac5ec..0000000 --- a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128.c +++ /dev/null 
@@ -1,1498 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-gift128.h" -#include "internal-util.h" - -#if !GIFT128_VARIANT_ASM - -#if GIFT128_VARIANT != GIFT128_VARIANT_TINY - -/* Round constants for GIFT-128 in the fixsliced representation */ -static uint32_t const GIFT128_RC_fixsliced[40] = { - 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, - 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, - 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, - 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080, - 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e, - 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808, - 0xc001a000, 0x14500002, 0x01020181, 0x8000001a -}; - -#endif - -#if GIFT128_VARIANT != GIFT128_VARIANT_FULL - -/* Round constants for GIFT-128 in the bitsliced representation */ -static uint8_t const GIFT128_RC[40] = { - 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, - 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, - 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, - 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38, - 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A -}; - -#endif - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/* - * The permutation below was generated by the online permuation generator at - * "http://programming.sirrida.de/calcperm.php". 
- * - * All of the permutuations are essentially the same, except that each is - * rotated by 8 bits with respect to the next: - * - * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15 - * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23 - * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31 - * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7 - * - * The most efficient permutation from the online generator was P3, so we - * perform it as the core of the others, and then perform a final rotation. - * - * It is possible to do slightly better than "P3 then rotate" on desktop and - * server architectures for the other permutations. But the advantage isn't - * as evident on embedded platforms so we keep things simple. - */ -#define PERM3_INNER(x) \ - do { \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x000000ff, 24); \ - } while (0) -#define PERM0(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate8(_x); \ - } while (0) -#define PERM1(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate16(_x); \ - } while (0) -#define PERM2(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate24(_x); \ - } while (0) -#define PERM3(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) - -#define INV_PERM3_INNER(x) \ - do { \ - bit_permute_step(x, 0x00550055, 9); \ - bit_permute_step(x, 0x00003333, 18); \ - bit_permute_step(x, 0x000f000f, 12); \ - bit_permute_step(x, 0x000000ff, 24); \ - } while (0) -#define INV_PERM0(x) \ - do { \ - uint32_t _x = rightRotate8(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM1(x) \ - do { \ - uint32_t _x = rightRotate16(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } 
while (0) -#define INV_PERM2(x) \ - do { \ - uint32_t _x = rightRotate24(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM3(x) \ - do { \ - uint32_t _x = (x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) - -/** - * \brief Converts the GIFT-128 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. - * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift128n_to_words - (unsigned char *output, const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Load the input buffer into 32-bit words. We use the nibble order - * from the HYENA submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-128 paper. Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 12); - s1 = le_load_word32(input + 8); - s2 = le_load_word32(input + 4); - s3 = le_load_word32(input); - - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". 
- */ - #define PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - PERM_WORDS(s0); - PERM_WORDS(s1); - PERM_WORDS(s2); - PERM_WORDS(s3); - - /* Rearrange the bytes and write them to the output buffer */ - output[0] = (uint8_t)s0; - output[1] = (uint8_t)s1; - output[2] = (uint8_t)s2; - output[3] = (uint8_t)s3; - output[4] = (uint8_t)(s0 >> 8); - output[5] = (uint8_t)(s1 >> 8); - output[6] = (uint8_t)(s2 >> 8); - output[7] = (uint8_t)(s3 >> 8); - output[8] = (uint8_t)(s0 >> 16); - output[9] = (uint8_t)(s1 >> 16); - output[10] = (uint8_t)(s2 >> 16); - output[11] = (uint8_t)(s3 >> 16); - output[12] = (uint8_t)(s0 >> 24); - output[13] = (uint8_t)(s1 >> 24); - output[14] = (uint8_t)(s2 >> 24); - output[15] = (uint8_t)(s3 >> 24); -} - -/** - * \brief Converts the GIFT-128 word-based representation into nibble-based. - * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. 
- */ -static void gift128n_to_nibbles - (unsigned char *output, const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Load the input bytes and rearrange them so that s0 contains the - * most significant nibbles and s3 contains the least significant */ - s0 = (((uint32_t)(input[12])) << 24) | - (((uint32_t)(input[8])) << 16) | - (((uint32_t)(input[4])) << 8) | - ((uint32_t)(input[0])); - s1 = (((uint32_t)(input[13])) << 24) | - (((uint32_t)(input[9])) << 16) | - (((uint32_t)(input[5])) << 8) | - ((uint32_t)(input[1])); - s2 = (((uint32_t)(input[14])) << 24) | - (((uint32_t)(input[10])) << 16) | - (((uint32_t)(input[6])) << 8) | - ((uint32_t)(input[2])); - s3 = (((uint32_t)(input[15])) << 24) | - (((uint32_t)(input[11])) << 16) | - (((uint32_t)(input[7])) << 8) | - ((uint32_t)(input[3])); - - /* Apply the inverse of PERM_WORDS() from the function above */ - #define INV_PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - INV_PERM_WORDS(s0); - INV_PERM_WORDS(s1); - INV_PERM_WORDS(s2); - INV_PERM_WORDS(s3); - - /* Store the result into the output buffer as 32-bit words */ - le_store_word32(output + 12, s0); - le_store_word32(output + 8, s1); - le_store_word32(output + 4, s2); - le_store_word32(output, s3); -} - -void gift128n_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - gift128n_to_words(output, input); - gift128b_encrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} - -void gift128n_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - gift128n_to_words(output, input); - gift128b_decrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} - -#if GIFT128_VARIANT != GIFT128_VARIANT_TINY - -/** - * \brief Swaps bits within two words. 
- * - * \param a The first word. - * \param b The second word. - * \param mask Mask for the bits to shift. - * \param shift Shift amount in bits. - */ -#define gift128b_swap_move(a, b, mask, shift) \ - do { \ - uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \ - (b) ^= tmp; \ - (a) ^= tmp << (shift); \ - } while (0) - -/** - * \brief Derives the next 10 fixsliced keys in the key schedule. - * - * \param next Points to the buffer to receive the next 10 keys. - * \param prev Points to the buffer holding the previous 10 keys. - * - * The \a next and \a prev buffers are allowed to be the same. - */ -#define gift128b_derive_keys(next, prev) \ - do { \ - /* Key 0 */ \ - uint32_t s = (prev)[0]; \ - uint32_t t = (prev)[1]; \ - gift128b_swap_move(t, t, 0x00003333U, 16); \ - gift128b_swap_move(t, t, 0x55554444U, 1); \ - (next)[0] = t; \ - /* Key 1 */ \ - s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \ - gift128b_swap_move(s, s, 0x55551100U, 1); \ - (next)[1] = s; \ - /* Key 2 */ \ - s = (prev)[2]; \ - t = (prev)[3]; \ - (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \ - ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \ - /* Key 3 */ \ - (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \ - ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \ - /* Key 4 */ \ - s = (prev)[4]; \ - t = (prev)[5]; \ - (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \ - leftRotate16(t & 0x55555555U); \ - /* Key 5 */ \ - (next)[5] = leftRotate8(s & 0x55555555U) | \ - leftRotate12(s & 0xAAAAAAAAU); \ - /* Key 6 */ \ - s = (prev)[6]; \ - t = (prev)[7]; \ - (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \ - ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \ - /* Key 7 */ \ - (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \ - ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \ - ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \ - /* Key 8 */ \ - s = (prev)[8]; \ - t = (prev)[9]; \ - 
(next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \ - ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \ - /* Key 9 */ \ - (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \ - ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \ - } while (0) - -/** - * \brief Compute the round keys for GIFT-128 in the fixsliced representation. - * - * \param ks Points to the key schedule to initialize. - * \param k0 First key word. - * \param k1 Second key word. - * \param k2 Third key word. - * \param k3 Fourth key word. - */ -static void gift128b_compute_round_keys - (gift128b_key_schedule_t *ks, - uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3) -{ - unsigned index; - uint32_t temp; - - /* Set the regular key with k0 and k3 pre-swapped for the round function */ - ks->k[0] = k3; - ks->k[1] = k1; - ks->k[2] = k2; - ks->k[3] = k0; - - /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */ - for (index = 4; index < 20; index += 2) { - ks->k[index] = ks->k[index - 3]; - temp = ks->k[index - 4]; - temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - ks->k[index + 1] = temp; - } - for (index = 0; index < 20; index += 10) { - /* Keys 0 and 10 */ - temp = ks->k[index]; - gift128b_swap_move(temp, temp, 0x00550055U, 9); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index] = temp; - - /* Keys 1 and 11 */ - temp = ks->k[index + 1]; - gift128b_swap_move(temp, temp, 0x00550055U, 9); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 1] = temp; - - /* Keys 2 and 12 */ - temp = ks->k[index + 2]; - gift128b_swap_move(temp, temp, 0x11111111U, 3); - gift128b_swap_move(temp, temp, 0x03030303U, 6); - gift128b_swap_move(temp, 
temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 2] = temp; - - /* Keys 3 and 13 */ - temp = ks->k[index + 3]; - gift128b_swap_move(temp, temp, 0x11111111U, 3); - gift128b_swap_move(temp, temp, 0x03030303U, 6); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 3] = temp; - - /* Keys 4 and 14 */ - temp = ks->k[index + 4]; - gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 4] = temp; - - /* Keys 5 and 15 */ - temp = ks->k[index + 5]; - gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 5] = temp; - - /* Keys 6 and 16 */ - temp = ks->k[index + 6]; - gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); - gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 6] = temp; - - /* Keys 7 and 17 */ - temp = ks->k[index + 7]; - gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); - gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 7] = temp; - - /* Keys 8, 9, 18, and 19 do not need any adjustment */ - } - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - /* Derive the fixsliced keys for the remaining rounds 11..40 */ - for (index = 20; index < 80; index += 10) { - gift128b_derive_keys(ks->k + index, ks->k + index - 20); - } -#endif -} - -void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) -{ - gift128b_compute_round_keys - (ks, be_load_word32(key), be_load_word32(key + 4), - be_load_word32(key + 8), 
be_load_word32(key + 12));
-}
-
-void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key)
-{
- /* Use the little-endian key byte order from the HYENA submission */
- gift128b_compute_round_keys
- (ks, le_load_word32(key + 12), le_load_word32(key + 8),
- le_load_word32(key + 4), le_load_word32(key));
-}
-
-/**
- * \brief Performs the GIFT-128 S-box on the bit-sliced state.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_sbox(s0, s1, s2, s3) \
- do { \
- s1 ^= s0 & s2; \
- s0 ^= s1 & s3; \
- s2 ^= s0 | s1; \
- s3 ^= s2; \
- s1 ^= s3; \
- s3 ^= 0xFFFFFFFFU; \
- s2 ^= s0 & s1; \
- } while (0)
-
-/**
- * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_sbox(s0, s1, s2, s3) \
- do { \
- s2 ^= s3 & s1; \
- s0 ^= 0xFFFFFFFFU; \
- s1 ^= s0; \
- s0 ^= s2; \
- s2 ^= s3 | s1; \
- s3 ^= s1 & s0; \
- s1 ^= s3 & s2; \
- } while (0)
-
-/**
- * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_1(s0, s1, s2, s3) \
- do { \
- s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \
- s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \
- s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \
- } while (0);
-
-/**
- * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_2(s0, s1, s2, s3) \
- do { \
- s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \
- s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \
- s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \
- } while (0);
-
-/**
- * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_3(s0, s1, s2, s3) \
- do { \
- gift128b_swap_move(s1, s1, 0x55555555U, 1); \
- s2 = leftRotate16(s2); \
- gift128b_swap_move(s2, s2, 0x00005555U, 1); \
- s3 = leftRotate16(s3); \
- gift128b_swap_move(s3, s3, 0x55550000U, 1); \
- } while (0);
-
-/**
- * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_4(s0, s1, s2, s3) \
- do { \
- s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \
- s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \
- s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \
- } while (0);
-
-/**
- * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_5(s0, s1, s2, s3) \
- do { \
- s1 = leftRotate16(s1); \
- s2 = rightRotate8(s2); \
- s3 = leftRotate8(s3); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \
- do { \
- s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \
- s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \
- s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \
- do { \
- s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \
- s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \
- s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \
- do { \
- gift128b_swap_move(s1, s1, 0x55555555U, 1); \
- gift128b_swap_move(s2, s2, 0x00005555U, 1); \
- s2 = leftRotate16(s2); \
- gift128b_swap_move(s3, s3, 0x55550000U, 1); \
- s3 = leftRotate16(s3); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \
- do { \
- s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \
- s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \
- s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \
- do { \
- s1 = leftRotate16(s1); \
- s2 = leftRotate8(s2); \
- s3 = rightRotate8(s3); \
- } while (0);
-
-/**
- * \brief Performs five fixsliced encryption rounds for GIFT-128.
- *
- * \param rk Points to the 10 round keys for these rounds.
- * \param rc Points to the round constants for these rounds.
- *
- * We perform all 40 rounds of the fixsliced GIFT-128 five at a time.
- *
- * The permutation is restructured so that one of the words each round
- * does not need to be permuted, with the others rotating left, up, right,
- * and down to keep the bits in line with their non-moving counterparts.
- * This reduces the number of shifts required significantly.
- *
- * At the end of five rounds, the bit ordering will return to the
- * original position. We then repeat the process for the next 5 rounds.
- */
-#define gift128b_encrypt_5_rounds(rk, rc) \
- do { \
- /* 1st round - S-box, rotate left, add round key */ \
- gift128b_sbox(s0, s1, s2, s3); \
- gift128b_permute_state_1(s0, s1, s2, s3); \
- s1 ^= (rk)[0]; \
- s2 ^= (rk)[1]; \
- s0 ^= (rc)[0]; \
- \
- /* 2nd round - S-box, rotate up, add round key */ \
- gift128b_sbox(s3, s1, s2, s0); \
- gift128b_permute_state_2(s0, s1, s2, s3); \
- s1 ^= (rk)[2]; \
- s2 ^= (rk)[3]; \
- s3 ^= (rc)[1]; \
- \
- /* 3rd round - S-box, swap columns, add round key */ \
- gift128b_sbox(s0, s1, s2, s3); \
- gift128b_permute_state_3(s0, s1, s2, s3); \
- s1 ^= (rk)[4]; \
- s2 ^= (rk)[5]; \
- s0 ^= (rc)[2]; \
- \
- /* 4th round - S-box, rotate left and swap rows, add round key */ \
- gift128b_sbox(s3, s1, s2, s0); \
- gift128b_permute_state_4(s0, s1, s2, s3); \
- s1 ^= (rk)[6]; \
- s2 ^= (rk)[7]; \
- s3 ^= (rc)[3]; \
- \
- /* 5th round - S-box, rotate up, add round key */ \
- gift128b_sbox(s0, s1, s2, s3); \
- gift128b_permute_state_5(s0, s1, s2, s3); \
- s1 ^= (rk)[8]; \
- s2 ^= (rk)[9]; \
- s0 ^= (rc)[4]; \
- \
- /* Swap s0 and s3 in preparation for the next 1st round */ \
- s0 ^= s3; \
- s3 ^= s0; \
- s0 ^= s3; \
- } while (0)
-
-/**
- * \brief Performs five fixsliced decryption rounds for GIFT-128.
- *
- * \param rk Points to the 10 round keys for these rounds.
- * \param rc Points to the round constants for these rounds.
- *
- * We perform all 40 rounds of the fixsliced GIFT-128 five at a time.
- */
-#define gift128b_decrypt_5_rounds(rk, rc) \
- do { \
- /* Swap s0 and s3 in preparation for the next 5th round */ \
- s0 ^= s3; \
- s3 ^= s0; \
- s0 ^= s3; \
- \
- /* 5th round - S-box, rotate down, add round key */ \
- s1 ^= (rk)[8]; \
- s2 ^= (rk)[9]; \
- s0 ^= (rc)[4]; \
- gift128b_inv_permute_state_5(s0, s1, s2, s3); \
- gift128b_inv_sbox(s3, s1, s2, s0); \
- \
- /* 4th round - S-box, rotate right and swap rows, add round key */ \
- s1 ^= (rk)[6]; \
- s2 ^= (rk)[7]; \
- s3 ^= (rc)[3]; \
- gift128b_inv_permute_state_4(s0, s1, s2, s3); \
- gift128b_inv_sbox(s0, s1, s2, s3); \
- \
- /* 3rd round - S-box, swap columns, add round key */ \
- s1 ^= (rk)[4]; \
- s2 ^= (rk)[5]; \
- s0 ^= (rc)[2]; \
- gift128b_inv_permute_state_3(s0, s1, s2, s3); \
- gift128b_inv_sbox(s3, s1, s2, s0); \
- \
- /* 2nd round - S-box, rotate down, add round key */ \
- s1 ^= (rk)[2]; \
- s2 ^= (rk)[3]; \
- s3 ^= (rc)[1]; \
- gift128b_inv_permute_state_2(s0, s1, s2, s3); \
- gift128b_inv_sbox(s0, s1, s2, s3); \
- \
- /* 1st round - S-box, rotate right, add round key */ \
- s1 ^= (rk)[0]; \
- s2 ^= (rk)[1]; \
- s0 ^= (rc)[0]; \
- gift128b_inv_permute_state_1(s0, s1, s2, s3); \
- gift128b_inv_sbox(s3, s1, s2, s0); \
- } while (0)
-
-#else /* GIFT128_VARIANT_TINY */
-
-void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key)
-{
- /* Mirror the fixslicing word order of 3, 1, 2, 0 */
- ks->k[0] = be_load_word32(key + 12);
- ks->k[1] = be_load_word32(key + 4);
- ks->k[2] = be_load_word32(key + 8);
- ks->k[3] = be_load_word32(key);
-}
-
-void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key)
-{
- /* Use the little-endian key byte order from the HYENA submission
- * and mirror the fixslicing word order of 3, 1, 2, 0 */
- ks->k[0] = le_load_word32(key);
- ks->k[1] = le_load_word32(key + 8);
- ks->k[2] = le_load_word32(key + 4);
- ks->k[3] = le_load_word32(key + 12);
-}
-
-#endif /* GIFT128_VARIANT_TINY */
-
-#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL
-
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t k[20];
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_derive_keys(k, ks->k);
- gift128b_derive_keys(k + 10, ks->k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4])
-{
- uint32_t s0, s1, s2, s3;
- uint32_t k[20];
-
- /* Copy the plaintext into local variables */
- s0 = input[0];
- s1 = input[1];
- s2 = input[2];
- s3 = input[3];
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_derive_keys(k, ks->k);
- gift128b_derive_keys(k + 10, ks->k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer */
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-}
-
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t k[20];
-
- /* Copy the plaintext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the last we add the tweak value to the state */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- s0 ^= tweak;
- gift128b_derive_keys(k, ks->k);
- gift128b_derive_keys(k + 10, ks->k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
- s0 ^= tweak;
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
- s0 ^= tweak;
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL
-
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4])
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the plaintext into local variables */
- s0 = input[0];
- s1 = input[1];
- s2 = input[2];
- s3 = input[3];
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer */
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-}
-
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the plaintext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the last we add the tweak value to the state */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#else /* GIFT128_VARIANT_TINY */
-
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* The key schedule is initialized with the key itself */
- w0 = ks->k[3];
- w1 = ks->k[1];
- w2 = ks->k[2];
- w3 = ks->k[0];
-
- /* Perform all 40 rounds */
- for (round = 0; round < 40; ++round) {
- /* SubCells - apply the S-box */
- s1 ^= s0 & s2;
- s0 ^= s1 & s3;
- s2 ^= s0 | s1;
- s3 ^= s2;
- s1 ^= s3;
- s3 ^= 0xFFFFFFFFU;
- s2 ^= s0 & s1;
- temp = s0;
- s0 = s3;
- s3 = temp;
-
- /* PermBits - apply the 128-bit permutation */
- PERM0(s0);
- PERM1(s1);
- PERM2(s2);
- PERM3(s3);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round];
-
- /* Rotate the key schedule */
- temp = w3;
- w3 = w2;
- w2 = w1;
- w1 = w0;
- w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- }
-
- /* Pack the state into the ciphertext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4])
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the plaintext into the state buffer */
- s0 = input[0];
- s1 = input[1];
- s2 = input[2];
- s3 = input[3];
-
- /* The key schedule is initialized with the key itself */
- w0 = ks->k[3];
- w1 = ks->k[1];
- w2 = ks->k[2];
- w3 = ks->k[0];
-
- /* Perform all 40 rounds */
- for (round = 0; round < 40; ++round) {
- /* SubCells - apply the S-box */
- s1 ^= s0 & s2;
- s0 ^= s1 & s3;
- s2 ^= s0 | s1;
- s3 ^= s2;
- s1 ^= s3;
- s3 ^= 0xFFFFFFFFU;
- s2 ^= s0 & s1;
- temp = s0;
- s0 = s3;
- s3 = temp;
-
- /* PermBits - apply the 128-bit permutation */
- PERM0(s0);
- PERM1(s1);
- PERM2(s2);
- PERM3(s3);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round];
-
- /* Rotate the key schedule */
- temp = w3;
- w3 = w2;
- w2 = w1;
- w1 = w0;
- w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- }
-
- /* Pack the state into the ciphertext buffer */
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-}
-
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the plaintext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* The key schedule is initialized with the key itself */
- w0 = ks->k[3];
- w1 = ks->k[1];
- w2 = ks->k[2];
- w3 = ks->k[0];
-
- /* Perform all 40 rounds */
- for (round = 0; round < 40; ++round) {
- /* SubCells - apply the S-box */
- s1 ^= s0 & s2;
- s0 ^= s1 & s3;
- s2 ^= s0 | s1;
- s3 ^= s2;
- s1 ^= s3;
- s3 ^= 0xFFFFFFFFU;
- s2 ^= s0 & s1;
- temp = s0;
- s0 = s3;
- s3 = temp;
-
- /* PermBits - apply the 128-bit permutation */
- PERM0(s0);
- PERM1(s1);
- PERM2(s2);
- PERM3(s3);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round];
-
- /* AddTweak - XOR in the tweak every 5 rounds except the last */
- if (((round + 1) % 5) == 0 && round < 39)
- s0 ^= tweak;
-
- /* Rotate the key schedule */
- temp = w3;
- w3 = w2;
- w2 = w1;
- w1 = w0;
- w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- }
-
- /* Pack the state into the ciphertext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#endif /* GIFT128_VARIANT_TINY */
-
-#if GIFT128_VARIANT == GIFT128_VARIANT_FULL
-
-void gift128b_decrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
- gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
-
- /* Pack the state into the ciphertext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128t_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the ciphertext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the first we add the tweak value to the state */
- gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
-
- /* Pack the state into the plaintext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */
-
-/* The small variant uses fixslicing for encryption, but we need to change
- * to bitslicing for decryption because of the difficulty of fast-forwarding
- * the fixsliced key schedule to the end. So the tiny variant is used for
- * decryption when the small variant is selected. Since the NIST AEAD modes
- * for GIFT-128 only use the block encrypt operation, the inefficiencies
- * in decryption don't matter all that much */
-
-/**
- * \def gift128b_load_and_forward_schedule()
- * \brief Generate the decryption key at the end of the last round.
- *
- * To do that, we run the block operation forward to determine the
- * final state of the key schedule after the last round:
- *
- * w0 = ks->k[0];
- * w1 = ks->k[1];
- * w2 = ks->k[2];
- * w3 = ks->k[3];
- * for (round = 0; round < 40; ++round) {
- * temp = w3;
- * w3 = w2;
- * w2 = w1;
- * w1 = w0;
- * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- * }
- *
- * We can short-cut all of the above by noticing that we don't need
- * to do the word rotations. Every 4 rounds, the rotation alignment
- * returns to the original position and each word has been rotated
- * by applying the "2 right and 4 left" bit-rotation step to it.
- * We then repeat that 10 times for the full 40 rounds. The overall
- * effect is to apply a "20 right and 40 left" bit-rotation to every
- * word in the key schedule. That is equivalent to "4 right and 8 left"
- * on the 16-bit sub-words.
- */
-#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL
-#define gift128b_load_and_forward_schedule() \
- do { \
- w0 = ks->k[3]; \
- w1 = ks->k[1]; \
- w2 = ks->k[2]; \
- w3 = ks->k[0]; \
- w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \
- ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \
- w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \
- ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \
- w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \
- ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \
- w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \
- ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \
- } while (0)
-#else
-/* The small variant needs to also undo some of the rotations that were
- * done to generate the fixsliced version of the key schedule */
-#define gift128b_load_and_forward_schedule() \
- do { \
- w0 = ks->k[3]; \
- w1 = ks->k[1]; \
- w2 = ks->k[2]; \
- w3 = ks->k[0]; \
- gift128b_swap_move(w3, w3, 0x000000FFU, 24); \
- gift128b_swap_move(w3, w3, 0x00003333U, 18); \
- gift128b_swap_move(w3, w3, 0x000F000FU, 12); \
- gift128b_swap_move(w3, w3, 0x00550055U, 9); \
- gift128b_swap_move(w1, w1, 0x000000FFU, 24); \
- gift128b_swap_move(w1, w1, 0x00003333U, 18); \
- gift128b_swap_move(w1, w1, 0x000F000FU, 12); \
- gift128b_swap_move(w1, w1, 0x00550055U, 9); \
- gift128b_swap_move(w2, w2, 0x000000FFU, 24); \
- gift128b_swap_move(w2, w2, 0x000F000FU, 12); \
- gift128b_swap_move(w2, w2, 0x03030303U, 6); \
- gift128b_swap_move(w2, w2, 0x11111111U, 3); \
- gift128b_swap_move(w0, w0, 0x000000FFU, 24); \
- gift128b_swap_move(w0, w0, 0x000F000FU, 12); \
- gift128b_swap_move(w0, w0, 0x03030303U, 6); \
- gift128b_swap_move(w0, w0, 0x11111111U, 3); \
- w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \
- ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \
- w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \
- ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \
- w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \
- ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \
- w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \
- ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \
- } while (0)
-#endif
-
-void gift128b_decrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the ciphertext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Generate the decryption key at the end of the last round */
- gift128b_load_and_forward_schedule();
-
- /* Perform all 40 rounds */
- for (round = 40; round > 0; --round) {
- /* Rotate the key schedule backwards */
- temp = w0;
- w0 = w1;
- w1 = w2;
- w2 = w3;
- w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) |
- ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round - 1];
-
- /* InvPermBits - apply the inverse of the 128-bit permutation */
- INV_PERM0(s0);
- INV_PERM1(s1);
- INV_PERM2(s2);
- INV_PERM3(s3);
-
- /* InvSubCells - apply the inverse of the S-box */
- temp = s0;
- s0 = s3;
- s3 = temp;
- s2 ^= s0 & s1;
- s3 ^= 0xFFFFFFFFU;
- s1 ^= s3;
- s3 ^= s2;
- s2 ^= s0 | s1;
- s0 ^= s1 & s3;
- s1 ^= s0 & s2;
- }
-
- /* Pack the state into the plaintext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128t_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the plaintext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* Generate the decryption key at the end of the last round */
- gift128b_load_and_forward_schedule();
-
- /* Perform all 40 rounds */
- for (round = 40; round > 0; --round) {
- /* Rotate the key schedule backwards */
- temp = w0;
- w0 = w1;
- w1 = w2;
- w2 = w3;
- w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) |
- ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12);
-
- /* AddTweak - XOR in the tweak every 5 rounds except the last */
- if ((round % 5) == 0 && round < 40)
- s0 ^= tweak;
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round - 1];
-
- /* InvPermBits - apply the inverse of the 128-bit permutation */
- INV_PERM0(s0);
- INV_PERM1(s1);
- INV_PERM2(s2);
- INV_PERM3(s3);
-
- /* InvSubCells - apply the inverse of the S-box */
- temp = s0;
- s0 = s3;
- s3 = temp;
- s2 ^= s0 & s1;
- s3 ^= 0xFFFFFFFFU;
- s1 ^= s3;
- s3 ^= s2;
- s2 ^= s0 | s1;
- s0 ^= s1 & s3;
- s1 ^= s0 & s2;
- }
-
- /* Pack the state into the plaintext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */
-
-#endif /* !GIFT128_VARIANT_ASM */
diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128n-avr.S b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128n-avr.S
deleted file mode 100644
index 2aae304..0000000
--- a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128n-avr.S
+++ /dev/null
@@ -1,4712 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 40 -table_0: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - .byte 26 - - .text -.global gift128n_init - .type gift128n_init, @function -gift128n_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - std Z+12,r18 - std Z+13,r19 - std Z+14,r20 - std Z+15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - std Z+8,r18 - std Z+9,r19 - std Z+10,r20 - std Z+11,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - std Z+4,r18 - std Z+5,r19 - std Z+6,r20 - std Z+7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - ret - .size gift128n_init, .-gift128n_init - - .text -.global gift128n_encrypt - .type gift128n_encrypt, @function -gift128n_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r22,0 - bst r18,1 - bld r4,0 - bst r18,2 - bld r8,0 - bst r18,3 - bld r12,0 - bst r18,4 - bld r22,1 - bst r18,5 - bld r4,1 - bst r18,6 - bld r8,1 - bst r18,7 - bld r12,1 - bst r19,0 - bld r22,2 - bst r19,1 - bld r4,2 - bst r19,2 - bld 
r8,2 - bst r19,3 - bld r12,2 - bst r19,4 - bld r22,3 - bst r19,5 - bld r4,3 - bst r19,6 - bld r8,3 - bst r19,7 - bld r12,3 - bst r20,0 - bld r22,4 - bst r20,1 - bld r4,4 - bst r20,2 - bld r8,4 - bst r20,3 - bld r12,4 - bst r20,4 - bld r22,5 - bst r20,5 - bld r4,5 - bst r20,6 - bld r8,5 - bst r20,7 - bld r12,5 - bst r21,0 - bld r22,6 - bst r21,1 - bld r4,6 - bst r21,2 - bld r8,6 - bst r21,3 - bld r12,6 - bst r21,4 - bld r22,7 - bst r21,5 - bld r4,7 - bst r21,6 - bld r8,7 - bst r21,7 - bld r12,7 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r23,0 - bst r18,1 - bld r5,0 - bst r18,2 - bld r9,0 - bst r18,3 - bld r13,0 - bst r18,4 - bld r23,1 - bst r18,5 - bld r5,1 - bst r18,6 - bld r9,1 - bst r18,7 - bld r13,1 - bst r19,0 - bld r23,2 - bst r19,1 - bld r5,2 - bst r19,2 - bld r9,2 - bst r19,3 - bld r13,2 - bst r19,4 - bld r23,3 - bst r19,5 - bld r5,3 - bst r19,6 - bld r9,3 - bst r19,7 - bld r13,3 - bst r20,0 - bld r23,4 - bst r20,1 - bld r5,4 - bst r20,2 - bld r9,4 - bst r20,3 - bld r13,4 - bst r20,4 - bld r23,5 - bst r20,5 - bld r5,5 - bst r20,6 - bld r9,5 - bst r20,7 - bld r13,5 - bst r21,0 - bld r23,6 - bst r21,1 - bld r5,6 - bst r21,2 - bld r9,6 - bst r21,3 - bld r13,6 - bst r21,4 - bld r23,7 - bst r21,5 - bld r5,7 - bst r21,6 - bld r9,7 - bst r21,7 - bld r13,7 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r2,0 - bst r18,1 - bld r6,0 - bst r18,2 - bld r10,0 - bst r18,3 - bld r14,0 - bst r18,4 - bld r2,1 - bst r18,5 - bld r6,1 - bst r18,6 - bld r10,1 - bst r18,7 - bld r14,1 - bst r19,0 - bld r2,2 - bst r19,1 - bld r6,2 - bst r19,2 - bld r10,2 - bst r19,3 - bld r14,2 - bst r19,4 - bld r2,3 - bst r19,5 - bld r6,3 - bst r19,6 - bld r10,3 - bst r19,7 - bld r14,3 - bst r20,0 - bld r2,4 - bst r20,1 - bld r6,4 - bst r20,2 - bld r10,4 - bst r20,3 - bld r14,4 - bst r20,4 - bld r2,5 - bst r20,5 - bld r6,5 - bst r20,6 - bld r10,5 - bst r20,7 - bld r14,5 - bst r21,0 - bld r2,6 - bst r21,1 - bld r6,6 - bst r21,2 - bld r10,6 - bst r21,3 - bld 
r14,6 - bst r21,4 - bld r2,7 - bst r21,5 - bld r6,7 - bst r21,6 - bld r10,7 - bst r21,7 - bld r14,7 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r3,0 - bst r18,1 - bld r7,0 - bst r18,2 - bld r11,0 - bst r18,3 - bld r15,0 - bst r18,4 - bld r3,1 - bst r18,5 - bld r7,1 - bst r18,6 - bld r11,1 - bst r18,7 - bld r15,1 - bst r19,0 - bld r3,2 - bst r19,1 - bld r7,2 - bst r19,2 - bld r11,2 - bst r19,3 - bld r15,2 - bst r19,4 - bld r3,3 - bst r19,5 - bld r7,3 - bst r19,6 - bld r11,3 - bst r19,7 - bld r15,3 - bst r20,0 - bld r3,4 - bst r20,1 - bld r7,4 - bst r20,2 - bld r11,4 - bst r20,3 - bld r15,4 - bst r20,4 - bld r3,5 - bst r20,5 - bld r7,5 - bst r20,6 - bld r11,5 - bst r20,7 - bld r15,5 - bst r21,0 - bld r3,6 - bst r21,1 - bld r7,6 - bst r21,2 - bld r11,6 - bst r21,3 - bld r15,6 - bst r21,4 - bld r3,7 - bst r21,5 - bld r7,7 - bst r21,6 - bld r11,7 - bst r21,7 - bld r15,7 - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - mov r16,r1 -302: - rcall 455f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - rcall 455f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd 
r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - rcall 455f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - rcall 455f - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - ldi r17,40 - cpse r16,r17 - rjmp 302b - rjmp 804f -455: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - movw r18,r22 - movw r20,r2 - mov r0,r4 - and r0,r18 - eor r8,r0 - mov r0,r5 - and 
r0,r19 - eor r9,r0 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - movw r22,r12 - movw r2,r14 - movw r12,r18 - movw r14,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r2,0 - bld r22,4 - bst r22,2 - bld r2,0 - bst r23,0 - bld r22,2 - bst r22,3 - bld r23,0 - bst r23,4 - bld r22,3 - bst r2,3 - bld r23,4 - bst r23,6 - bld r2,3 - bst r3,3 - bld r23,6 - bst r23,5 - bld r3,3 - bst r2,7 - bld r23,5 - bst r3,6 - bld r2,7 - bst r3,1 - bld r3,6 - bst r22,5 - bld r3,1 - bst r2,4 - bld r22,5 - bst r2,2 - bld r2,4 - bst r23,2 - bld r2,2 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r3,7 - bld r23,7 - bst r3,5 - bld r3,7 - bst r2,5 - bld r3,5 - bst r2,6 - bld r2,5 - bst r3,2 - bld r2,6 - bst r23,1 - bld r3,2 - bst r22,7 - bld r23,1 - bst r3,4 - bld r22,7 - bst r2,1 - bld r3,4 - bst r22,6 - bld r2,1 - bst r3,0 - bld r22,6 - bst r0,0 - bld r3,0 - bst r4,0 - bld r0,0 - bst r4,1 - bld r4,0 - bst r4,5 - bld r4,1 - bst r6,5 - bld r4,5 - bst r6,7 - bld r6,5 - bst r7,7 - bld r6,7 - bst r7,6 - bld r7,7 - bst r7,2 - bld r7,6 - bst r5,2 - bld r7,2 - bst r5,0 - bld r5,2 - bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,1 - bld r4,2 - bst r4,4 - bld r5,1 - bst r6,1 - bld r4,4 - bst r4,7 - bld r6,1 - bst r7,5 - bld r4,7 - bst r6,6 - bld r7,5 - bst r7,3 - bld r6,6 - bst r5,6 - bld r7,3 - bst r7,0 - bld r5,6 - bst r0,0 - bld r7,0 - bst r4,3 - bld r0,0 - bst r5,5 - bld r4,3 - bst r6,4 - bld r5,5 - bst r6,3 - bld r6,4 - bst r5,7 - bld r6,3 - bst r7,4 - bld r5,7 - bst r6,2 - bld r7,4 - bst r5,3 - bld r6,2 - bst r5,4 - bld r5,3 - bst r6,0 - bld r5,4 - bst r0,0 - bld r6,0 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r8,2 - bld r8,0 - bst r9,2 - bld r8,2 - bst r9,1 - bld r9,2 - bst r8,5 - bld r9,1 - bst r10,6 - bld r8,5 - bst r11,0 - bld r10,6 - bst r8,3 - bld r11,0 - bst r9,6 - bld r8,3 - bst r11,1 - bld r9,6 - bst r8,7 - bld r11,1 - bst r11,6 - bld r8,7 - bst r11,3 - bld r11,6 - bst r9,7 - bld r11,3 - 
bst r11,5 - bld r9,7 - bst r10,7 - bld r11,5 - bst r11,4 - bld r10,7 - bst r10,3 - bld r11,4 - bst r9,4 - bld r10,3 - bst r10,1 - bld r9,4 - bst r8,4 - bld r10,1 - bst r10,2 - bld r8,4 - bst r9,0 - bld r10,2 - bst r8,1 - bld r9,0 - bst r8,6 - bld r8,1 - bst r11,2 - bld r8,6 - bst r9,3 - bld r11,2 - bst r9,5 - bld r9,3 - bst r10,5 - bld r9,5 - bst r10,4 - bld r10,5 - bst r10,0 - bld r10,4 - bst r0,0 - bld r10,0 - bst r12,0 - bld r0,0 - bst r12,3 - bld r12,0 - bst r13,7 - bld r12,3 - bst r15,6 - bld r13,7 - bst r15,0 - bld r15,6 - bst r0,0 - bld r15,0 - bst r12,1 - bld r0,0 - bst r12,7 - bld r12,1 - bst r15,7 - bld r12,7 - bst r15,4 - bld r15,7 - bst r14,0 - bld r15,4 - bst r0,0 - bld r14,0 - bst r12,2 - bld r0,0 - bst r13,3 - bld r12,2 - bst r13,6 - bld r13,3 - bst r15,2 - bld r13,6 - bst r13,0 - bld r15,2 - bst r0,0 - bld r13,0 - bst r12,4 - bld r0,0 - bst r14,3 - bld r12,4 - bst r13,5 - bld r14,3 - bst r14,6 - bld r13,5 - bst r15,1 - bld r14,6 - bst r0,0 - bld r15,1 - bst r12,5 - bld r0,0 - bst r14,7 - bld r12,5 - bst r15,5 - bld r14,7 - bst r14,4 - bld r15,5 - bst r14,1 - bld r14,4 - bst r0,0 - bld r14,1 - bst r12,6 - bld r0,0 - bst r15,3 - bld r12,6 - bst r13,4 - bld r15,3 - bst r14,2 - bld r13,4 - bst r13,1 - bld r14,2 - bst r0,0 - bld r13,1 - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r16 - ret -804: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - bst r22,0 - bld r18,0 - bst r4,0 - bld r18,1 - bst r8,0 - bld r18,2 - bst r12,0 - bld r18,3 - bst r22,1 - bld r18,4 - bst r4,1 - bld r18,5 - bst r8,1 - bld r18,6 - bst r12,1 - bld r18,7 - bst r22,2 - bld r19,0 - bst r4,2 - bld r19,1 - bst r8,2 - bld r19,2 - bst r12,2 - bld r19,3 - bst r22,3 - bld r19,4 - bst r4,3 - bld r19,5 - bst r8,3 - bld r19,6 - 
bst r12,3 - bld r19,7 - bst r22,4 - bld r20,0 - bst r4,4 - bld r20,1 - bst r8,4 - bld r20,2 - bst r12,4 - bld r20,3 - bst r22,5 - bld r20,4 - bst r4,5 - bld r20,5 - bst r8,5 - bld r20,6 - bst r12,5 - bld r20,7 - bst r22,6 - bld r21,0 - bst r4,6 - bld r21,1 - bst r8,6 - bld r21,2 - bst r12,6 - bld r21,3 - bst r22,7 - bld r21,4 - bst r4,7 - bld r21,5 - bst r8,7 - bld r21,6 - bst r12,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - bst r23,0 - bld r18,0 - bst r5,0 - bld r18,1 - bst r9,0 - bld r18,2 - bst r13,0 - bld r18,3 - bst r23,1 - bld r18,4 - bst r5,1 - bld r18,5 - bst r9,1 - bld r18,6 - bst r13,1 - bld r18,7 - bst r23,2 - bld r19,0 - bst r5,2 - bld r19,1 - bst r9,2 - bld r19,2 - bst r13,2 - bld r19,3 - bst r23,3 - bld r19,4 - bst r5,3 - bld r19,5 - bst r9,3 - bld r19,6 - bst r13,3 - bld r19,7 - bst r23,4 - bld r20,0 - bst r5,4 - bld r20,1 - bst r9,4 - bld r20,2 - bst r13,4 - bld r20,3 - bst r23,5 - bld r20,4 - bst r5,5 - bld r20,5 - bst r9,5 - bld r20,6 - bst r13,5 - bld r20,7 - bst r23,6 - bld r21,0 - bst r5,6 - bld r21,1 - bst r9,6 - bld r21,2 - bst r13,6 - bld r21,3 - bst r23,7 - bld r21,4 - bst r5,7 - bld r21,5 - bst r9,7 - bld r21,6 - bst r13,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - bst r2,0 - bld r18,0 - bst r6,0 - bld r18,1 - bst r10,0 - bld r18,2 - bst r14,0 - bld r18,3 - bst r2,1 - bld r18,4 - bst r6,1 - bld r18,5 - bst r10,1 - bld r18,6 - bst r14,1 - bld r18,7 - bst r2,2 - bld r19,0 - bst r6,2 - bld r19,1 - bst r10,2 - bld r19,2 - bst r14,2 - bld r19,3 - bst r2,3 - bld r19,4 - bst r6,3 - bld r19,5 - bst r10,3 - bld r19,6 - bst r14,3 - bld r19,7 - bst r2,4 - bld r20,0 - bst r6,4 - bld r20,1 - bst r10,4 - bld r20,2 - bst r14,4 - bld r20,3 - bst r2,5 - bld r20,4 - bst r6,5 - bld r20,5 - bst r10,5 - bld r20,6 - bst r14,5 - bld r20,7 - bst r2,6 - bld r21,0 - bst r6,6 - bld r21,1 - bst r10,6 - bld r21,2 - bst r14,6 - bld r21,3 - bst r2,7 - bld r21,4 - bst r6,7 - bld r21,5 - bst r10,7 - bld r21,6 - bst r14,7 - bld r21,7 - 
st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - bst r3,0 - bld r18,0 - bst r7,0 - bld r18,1 - bst r11,0 - bld r18,2 - bst r15,0 - bld r18,3 - bst r3,1 - bld r18,4 - bst r7,1 - bld r18,5 - bst r11,1 - bld r18,6 - bst r15,1 - bld r18,7 - bst r3,2 - bld r19,0 - bst r7,2 - bld r19,1 - bst r11,2 - bld r19,2 - bst r15,2 - bld r19,3 - bst r3,3 - bld r19,4 - bst r7,3 - bld r19,5 - bst r11,3 - bld r19,6 - bst r15,3 - bld r19,7 - bst r3,4 - bld r20,0 - bst r7,4 - bld r20,1 - bst r11,4 - bld r20,2 - bst r15,4 - bld r20,3 - bst r3,5 - bld r20,4 - bst r7,5 - bld r20,5 - bst r11,5 - bld r20,6 - bst r15,5 - bld r20,7 - bst r3,6 - bld r21,0 - bst r7,6 - bld r21,1 - bst r11,6 - bld r21,2 - bst r15,6 - bld r21,3 - bst r3,7 - bld r21,4 - bst r7,7 - bld r21,5 - bst r11,7 - bld r21,6 - bst r15,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128n_encrypt, .-gift128n_encrypt - - .text -.global gift128n_decrypt - .type gift128n_decrypt, @function -gift128n_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r22,0 - bst r18,1 - bld r4,0 - bst r18,2 - bld r8,0 - bst r18,3 - bld r12,0 - bst r18,4 - bld r22,1 - bst r18,5 - bld r4,1 - bst r18,6 - bld r8,1 - bst r18,7 - bld r12,1 - bst r19,0 - bld r22,2 - bst r19,1 - bld r4,2 - bst r19,2 - bld r8,2 - bst r19,3 - bld r12,2 - bst r19,4 - bld r22,3 - bst r19,5 - bld r4,3 - bst r19,6 - bld r8,3 - 
bst r19,7 - bld r12,3 - bst r20,0 - bld r22,4 - bst r20,1 - bld r4,4 - bst r20,2 - bld r8,4 - bst r20,3 - bld r12,4 - bst r20,4 - bld r22,5 - bst r20,5 - bld r4,5 - bst r20,6 - bld r8,5 - bst r20,7 - bld r12,5 - bst r21,0 - bld r22,6 - bst r21,1 - bld r4,6 - bst r21,2 - bld r8,6 - bst r21,3 - bld r12,6 - bst r21,4 - bld r22,7 - bst r21,5 - bld r4,7 - bst r21,6 - bld r8,7 - bst r21,7 - bld r12,7 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r23,0 - bst r18,1 - bld r5,0 - bst r18,2 - bld r9,0 - bst r18,3 - bld r13,0 - bst r18,4 - bld r23,1 - bst r18,5 - bld r5,1 - bst r18,6 - bld r9,1 - bst r18,7 - bld r13,1 - bst r19,0 - bld r23,2 - bst r19,1 - bld r5,2 - bst r19,2 - bld r9,2 - bst r19,3 - bld r13,2 - bst r19,4 - bld r23,3 - bst r19,5 - bld r5,3 - bst r19,6 - bld r9,3 - bst r19,7 - bld r13,3 - bst r20,0 - bld r23,4 - bst r20,1 - bld r5,4 - bst r20,2 - bld r9,4 - bst r20,3 - bld r13,4 - bst r20,4 - bld r23,5 - bst r20,5 - bld r5,5 - bst r20,6 - bld r9,5 - bst r20,7 - bld r13,5 - bst r21,0 - bld r23,6 - bst r21,1 - bld r5,6 - bst r21,2 - bld r9,6 - bst r21,3 - bld r13,6 - bst r21,4 - bld r23,7 - bst r21,5 - bld r5,7 - bst r21,6 - bld r9,7 - bst r21,7 - bld r13,7 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r2,0 - bst r18,1 - bld r6,0 - bst r18,2 - bld r10,0 - bst r18,3 - bld r14,0 - bst r18,4 - bld r2,1 - bst r18,5 - bld r6,1 - bst r18,6 - bld r10,1 - bst r18,7 - bld r14,1 - bst r19,0 - bld r2,2 - bst r19,1 - bld r6,2 - bst r19,2 - bld r10,2 - bst r19,3 - bld r14,2 - bst r19,4 - bld r2,3 - bst r19,5 - bld r6,3 - bst r19,6 - bld r10,3 - bst r19,7 - bld r14,3 - bst r20,0 - bld r2,4 - bst r20,1 - bld r6,4 - bst r20,2 - bld r10,4 - bst r20,3 - bld r14,4 - bst r20,4 - bld r2,5 - bst r20,5 - bld r6,5 - bst r20,6 - bld r10,5 - bst r20,7 - bld r14,5 - bst r21,0 - bld r2,6 - bst r21,1 - bld r6,6 - bst r21,2 - bld r10,6 - bst r21,3 - bld r14,6 - bst r21,4 - bld r2,7 - bst r21,5 - bld r6,7 - bst r21,6 - bld r10,7 - bst r21,7 - bld r14,7 - 
ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r3,0 - bst r18,1 - bld r7,0 - bst r18,2 - bld r11,0 - bst r18,3 - bld r15,0 - bst r18,4 - bld r3,1 - bst r18,5 - bld r7,1 - bst r18,6 - bld r11,1 - bst r18,7 - bld r15,1 - bst r19,0 - bld r3,2 - bst r19,1 - bld r7,2 - bst r19,2 - bld r11,2 - bst r19,3 - bld r15,2 - bst r19,4 - bld r3,3 - bst r19,5 - bld r7,3 - bst r19,6 - bld r11,3 - bst r19,7 - bld r15,3 - bst r20,0 - bld r3,4 - bst r20,1 - bld r7,4 - bst r20,2 - bld r11,4 - bst r20,3 - bld r15,4 - bst r20,4 - bld r3,5 - bst r20,5 - bld r7,5 - bst r20,6 - bld r11,5 - bst r20,7 - bld r15,5 - bst r21,0 - bld r3,6 - bst r21,1 - bld r7,6 - bst r21,2 - bld r11,6 - bst r21,3 - bld r15,6 - bst r21,4 - bld r3,7 - bst r21,5 - bld r7,7 - bst r21,6 - bld r11,7 - bst r21,7 - bld r15,7 - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi 
r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -370: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 522f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 522f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 522f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 522f - cpse r16,r1 - rjmp 370b - rjmp 867f -522: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 
- mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 - bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld 
r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor 
r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -867: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - bst r22,0 - bld r18,0 - bst r4,0 - bld r18,1 - bst r8,0 - bld r18,2 - bst r12,0 - bld r18,3 - bst r22,1 - bld r18,4 - bst r4,1 - bld r18,5 - bst r8,1 - bld r18,6 - bst r12,1 - bld r18,7 - bst r22,2 - bld r19,0 - bst r4,2 - bld r19,1 - bst r8,2 - bld r19,2 - bst r12,2 - bld r19,3 - bst r22,3 - bld r19,4 - bst r4,3 - bld r19,5 - bst r8,3 - bld r19,6 - bst r12,3 - bld r19,7 - bst r22,4 - bld r20,0 - bst r4,4 - bld r20,1 - bst r8,4 - bld r20,2 - bst r12,4 - bld r20,3 - bst r22,5 - bld r20,4 - bst r4,5 - bld r20,5 - bst r8,5 - bld r20,6 - bst r12,5 - bld r20,7 - bst r22,6 - bld r21,0 - bst r4,6 - bld r21,1 - bst r8,6 - bld r21,2 - bst r12,6 - bld r21,3 - bst r22,7 - bld r21,4 - bst r4,7 - bld r21,5 - bst r8,7 - bld r21,6 - bst r12,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - bst r23,0 - bld r18,0 - bst r5,0 - bld r18,1 - bst r9,0 - bld r18,2 - bst r13,0 - bld r18,3 - bst r23,1 - bld r18,4 - bst r5,1 - bld r18,5 - bst r9,1 - bld r18,6 - bst r13,1 - bld r18,7 - bst r23,2 - bld r19,0 - bst r5,2 - bld r19,1 - bst r9,2 - bld r19,2 - bst r13,2 - bld r19,3 - bst r23,3 - bld r19,4 - bst r5,3 - bld r19,5 - bst r9,3 - bld r19,6 - bst r13,3 - bld r19,7 - bst r23,4 - bld r20,0 - bst r5,4 - bld r20,1 - bst r9,4 - bld r20,2 - bst r13,4 - bld r20,3 - bst r23,5 - bld r20,4 - bst r5,5 - bld r20,5 - bst r9,5 - bld r20,6 - bst r13,5 - bld r20,7 - bst r23,6 - bld r21,0 - bst r5,6 - bld r21,1 - bst r9,6 - bld r21,2 - bst r13,6 - bld r21,3 - bst r23,7 - bld r21,4 - bst r5,7 - bld r21,5 - bst r9,7 - bld r21,6 - bst r13,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - bst r2,0 - bld r18,0 - bst r6,0 - bld r18,1 - bst r10,0 - bld r18,2 - bst r14,0 - bld r18,3 - bst r2,1 - bld r18,4 - bst r6,1 - bld r18,5 - bst r10,1 - bld r18,6 - bst r14,1 - bld r18,7 - bst r2,2 - bld r19,0 
- bst r6,2 - bld r19,1 - bst r10,2 - bld r19,2 - bst r14,2 - bld r19,3 - bst r2,3 - bld r19,4 - bst r6,3 - bld r19,5 - bst r10,3 - bld r19,6 - bst r14,3 - bld r19,7 - bst r2,4 - bld r20,0 - bst r6,4 - bld r20,1 - bst r10,4 - bld r20,2 - bst r14,4 - bld r20,3 - bst r2,5 - bld r20,4 - bst r6,5 - bld r20,5 - bst r10,5 - bld r20,6 - bst r14,5 - bld r20,7 - bst r2,6 - bld r21,0 - bst r6,6 - bld r21,1 - bst r10,6 - bld r21,2 - bst r14,6 - bld r21,3 - bst r2,7 - bld r21,4 - bst r6,7 - bld r21,5 - bst r10,7 - bld r21,6 - bst r14,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - bst r3,0 - bld r18,0 - bst r7,0 - bld r18,1 - bst r11,0 - bld r18,2 - bst r15,0 - bld r18,3 - bst r3,1 - bld r18,4 - bst r7,1 - bld r18,5 - bst r11,1 - bld r18,6 - bst r15,1 - bld r18,7 - bst r3,2 - bld r19,0 - bst r7,2 - bld r19,1 - bst r11,2 - bld r19,2 - bst r15,2 - bld r19,3 - bst r3,3 - bld r19,4 - bst r7,3 - bld r19,5 - bst r11,3 - bld r19,6 - bst r15,3 - bld r19,7 - bst r3,4 - bld r20,0 - bst r7,4 - bld r20,1 - bst r11,4 - bld r20,2 - bst r15,4 - bld r20,3 - bst r3,5 - bld r20,4 - bst r7,5 - bld r20,5 - bst r11,5 - bld r20,6 - bst r15,5 - bld r20,7 - bst r3,6 - bld r21,0 - bst r7,6 - bld r21,1 - bst r11,6 - bld r21,2 - bst r15,6 - bld r21,3 - bst r3,7 - bld r21,4 - bst r7,7 - bld r21,5 - bst r11,7 - bld r21,6 - bst r15,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128n_decrypt, .-gift128n_decrypt - - .text -.global gift128t_encrypt - .type gift128t_encrypt, @function -gift128t_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - 
movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r2,0 - bst r20,1 - bld r6,0 - bst r20,2 - bld r10,0 - bst r20,3 - bld r14,0 - bst r20,4 - bld r2,1 - bst r20,5 - bld r6,1 - bst r20,6 - bld r10,1 - bst r20,7 - bld r14,1 - bst r21,0 - bld r2,2 - bst r21,1 - bld r6,2 - bst r21,2 - bld r10,2 - bst r21,3 - bld r14,2 - bst r21,4 - bld r2,3 - bst r21,5 - bld r6,3 - bst r21,6 - bld r10,3 - bst r21,7 - bld r14,3 - bst r22,0 - bld r2,4 - bst r22,1 - bld r6,4 - bst r22,2 - bld r10,4 - bst r22,3 - bld r14,4 - bst r22,4 - bld r2,5 - bst r22,5 - bld r6,5 - bst r22,6 - bld r10,5 - bst r22,7 - bld r14,5 - bst r23,0 - bld r2,6 - bst r23,1 - bld r6,6 - bst r23,2 - bld r10,6 - bst r23,3 - bld r14,6 - bst r23,4 - bld r2,7 - bst r23,5 - bld r6,7 - bst r23,6 - bld r10,7 - bst r23,7 - bld r14,7 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r3,0 - bst r20,1 - bld r7,0 - bst r20,2 - bld r11,0 - bst r20,3 - bld r15,0 - bst r20,4 - bld r3,1 - bst r20,5 - bld r7,1 - bst r20,6 - bld r11,1 - bst r20,7 - bld r15,1 - bst r21,0 - bld r3,2 - bst r21,1 - bld r7,2 - bst r21,2 - bld r11,2 - bst r21,3 - bld r15,2 - bst r21,4 - bld r3,3 - bst r21,5 - bld r7,3 - bst r21,6 - bld r11,3 - bst r21,7 - bld r15,3 - bst r22,0 - bld r3,4 - bst r22,1 - bld r7,4 - bst r22,2 - bld r11,4 - bst r22,3 - bld r15,4 - bst r22,4 - bld r3,5 - bst r22,5 - bld r7,5 - bst r22,6 - bld r11,5 - bst r22,7 - bld r15,5 - bst r23,0 - bld r3,6 - bst r23,1 - bld r7,6 - bst r23,2 - bld r11,6 - bst r23,3 - bld r15,6 - bst r23,4 - bld r3,7 - bst r23,5 - bld r7,7 - bst r23,6 - bld r11,7 - bst r23,7 - bld r15,7 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r4,0 - bst r20,1 - bld r8,0 - bst r20,2 - bld r12,0 - bst r20,3 - bld r24,0 - bst r20,4 - bld r4,1 - bst r20,5 - bld r8,1 - bst r20,6 - bld r12,1 - bst r20,7 - bld r24,1 - bst r21,0 - bld r4,2 
- bst r21,1 - bld r8,2 - bst r21,2 - bld r12,2 - bst r21,3 - bld r24,2 - bst r21,4 - bld r4,3 - bst r21,5 - bld r8,3 - bst r21,6 - bld r12,3 - bst r21,7 - bld r24,3 - bst r22,0 - bld r4,4 - bst r22,1 - bld r8,4 - bst r22,2 - bld r12,4 - bst r22,3 - bld r24,4 - bst r22,4 - bld r4,5 - bst r22,5 - bld r8,5 - bst r22,6 - bld r12,5 - bst r22,7 - bld r24,5 - bst r23,0 - bld r4,6 - bst r23,1 - bld r8,6 - bst r23,2 - bld r12,6 - bst r23,3 - bld r24,6 - bst r23,4 - bld r4,7 - bst r23,5 - bld r8,7 - bst r23,6 - bld r12,7 - bst r23,7 - bld r24,7 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r5,0 - bst r20,1 - bld r9,0 - bst r20,2 - bld r13,0 - bst r20,3 - bld r25,0 - bst r20,4 - bld r5,1 - bst r20,5 - bld r9,1 - bst r20,6 - bld r13,1 - bst r20,7 - bld r25,1 - bst r21,0 - bld r5,2 - bst r21,1 - bld r9,2 - bst r21,2 - bld r13,2 - bst r21,3 - bld r25,2 - bst r21,4 - bld r5,3 - bst r21,5 - bld r9,3 - bst r21,6 - bld r13,3 - bst r21,7 - bld r25,3 - bst r22,0 - bld r5,4 - bst r22,1 - bld r9,4 - bst r22,2 - bld r13,4 - bst r22,3 - bld r25,4 - bst r22,4 - bld r5,5 - bst r22,5 - bld r9,5 - bst r22,6 - bld r13,5 - bst r22,7 - bld r25,5 - bst r23,0 - bld r5,6 - bst r23,1 - bld r9,6 - bst r23,2 - bld r13,6 - bst r23,3 - bld r25,6 - bst r23,4 - bld r5,7 - bst r23,5 - bld r9,7 - bst r23,6 - bld r13,7 - bst r23,7 - bld r25,7 - ld r26,Z - ldd r27,Z+1 - ldd r16,Z+2 - ldd r17,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r16 - std Y+4,r17 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r16,Z+6 - ldd r17,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r16 - std Y+8,r17 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r16,Z+10 - ldd r17,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r16 - std Y+12,r17 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r16,Z+14 - ldd r17,Z+15 - std Y+13,r26 - std Y+14,r27 - std Y+15,r16 - std Y+16,r17 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r26,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - mov r19,r1 - mov r26,r1 -307: - 
mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r8,r0 - mov r0,r5 - and r0,r13 - eor r9,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r8 - and r0,r24 - eor r4,r0 - mov r0,r9 - and r0,r25 - eor r5,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - or r0,r8 - eor r12,r0 - mov r0,r5 - or r0,r9 - eor r13,r0 - eor r14,r10 - eor r15,r11 - eor r24,r12 - eor r25,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - com r14 - com r15 - com r24 - com r25 - movw r20,r2 - movw r22,r4 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - mov r0,r8 - and r0,r22 - eor r12,r0 - mov r0,r9 - and r0,r23 - eor r13,r0 - movw r2,r14 - movw r4,r24 - movw r14,r20 - movw r24,r22 - bst r2,1 - bld r0,0 - bst r2,4 - bld r2,1 - bst r4,0 - bld r2,4 - bst r2,2 - bld r4,0 - bst r3,0 - bld r2,2 - bst r2,3 - bld r3,0 - bst r3,4 - bld r2,3 - bst r4,3 - bld r3,4 - bst r3,6 - bld r4,3 - bst r5,3 - bld r3,6 - bst r3,5 - bld r5,3 - bst r4,7 - bld r3,5 - bst r5,6 - bld r4,7 - bst r5,1 - bld r5,6 - bst r2,5 - bld r5,1 - bst r4,4 - bld r2,5 - bst r4,2 - bld r4,4 - bst r3,2 - bld r4,2 - bst r3,3 - bld r3,2 - bst r3,7 - bld r3,3 - bst r5,7 - bld r3,7 - bst r5,5 - bld r5,7 - bst r4,5 - bld r5,5 - bst r4,6 - bld r4,5 - bst r5,2 - bld r4,6 - bst r3,1 - bld r5,2 - bst r2,7 - bld r3,1 - bst r5,4 - bld r2,7 - bst r4,1 - bld r5,4 - bst r2,6 - bld r4,1 - bst r5,0 - bld r2,6 - bst r0,0 - bld r5,0 - bst r6,0 - bld r0,0 - bst r6,1 - bld r6,0 - bst r6,5 - bld r6,1 - bst r8,5 - bld r6,5 - bst r8,7 - bld r8,5 - bst r9,7 - bld r8,7 - bst r9,6 - bld r9,7 - bst r9,2 - bld r9,6 - bst r7,2 - bld r9,2 - bst r7,0 - bld r7,2 - bst r0,0 - bld r7,0 - bst r6,2 - bld r0,0 - bst r7,1 - bld r6,2 - bst r6,4 - bld r7,1 - bst r8,1 - bld r6,4 - bst r6,7 - bld r8,1 - bst r9,5 - bld r6,7 - bst r8,6 - bld r9,5 - bst r9,3 - bld r8,6 - bst r7,6 - bld r9,3 - bst r9,0 - bld r7,6 - bst 
r0,0 - bld r9,0 - bst r6,3 - bld r0,0 - bst r7,5 - bld r6,3 - bst r8,4 - bld r7,5 - bst r8,3 - bld r8,4 - bst r7,7 - bld r8,3 - bst r9,4 - bld r7,7 - bst r8,2 - bld r9,4 - bst r7,3 - bld r8,2 - bst r7,4 - bld r7,3 - bst r8,0 - bld r7,4 - bst r0,0 - bld r8,0 - bst r6,6 - bld r0,0 - bst r9,1 - bld r6,6 - bst r0,0 - bld r9,1 - bst r10,0 - bld r0,0 - bst r10,2 - bld r10,0 - bst r11,2 - bld r10,2 - bst r11,1 - bld r11,2 - bst r10,5 - bld r11,1 - bst r12,6 - bld r10,5 - bst r13,0 - bld r12,6 - bst r10,3 - bld r13,0 - bst r11,6 - bld r10,3 - bst r13,1 - bld r11,6 - bst r10,7 - bld r13,1 - bst r13,6 - bld r10,7 - bst r13,3 - bld r13,6 - bst r11,7 - bld r13,3 - bst r13,5 - bld r11,7 - bst r12,7 - bld r13,5 - bst r13,4 - bld r12,7 - bst r12,3 - bld r13,4 - bst r11,4 - bld r12,3 - bst r12,1 - bld r11,4 - bst r10,4 - bld r12,1 - bst r12,2 - bld r10,4 - bst r11,0 - bld r12,2 - bst r10,1 - bld r11,0 - bst r10,6 - bld r10,1 - bst r13,2 - bld r10,6 - bst r11,3 - bld r13,2 - bst r11,5 - bld r11,3 - bst r12,5 - bld r11,5 - bst r12,4 - bld r12,5 - bst r12,0 - bld r12,4 - bst r0,0 - bld r12,0 - bst r14,0 - bld r0,0 - bst r14,3 - bld r14,0 - bst r15,7 - bld r14,3 - bst r25,6 - bld r15,7 - bst r25,0 - bld r25,6 - bst r0,0 - bld r25,0 - bst r14,1 - bld r0,0 - bst r14,7 - bld r14,1 - bst r25,7 - bld r14,7 - bst r25,4 - bld r25,7 - bst r24,0 - bld r25,4 - bst r0,0 - bld r24,0 - bst r14,2 - bld r0,0 - bst r15,3 - bld r14,2 - bst r15,6 - bld r15,3 - bst r25,2 - bld r15,6 - bst r15,0 - bld r25,2 - bst r0,0 - bld r15,0 - bst r14,4 - bld r0,0 - bst r24,3 - bld r14,4 - bst r15,5 - bld r24,3 - bst r24,6 - bld r15,5 - bst r25,1 - bld r24,6 - bst r0,0 - bld r25,1 - bst r14,5 - bld r0,0 - bst r24,7 - bld r14,5 - bst r25,5 - bld r24,7 - bst r24,4 - bld r25,5 - bst r24,1 - bld r24,4 - bst r0,0 - bld r24,1 - bst r14,6 - bld r0,0 - bst r25,3 - bld r14,6 - bst r15,4 - bld r25,3 - bst r24,2 - bld r15,4 - bst r15,1 - bld r24,2 - bst r0,0 - bld r15,1 - ldd r0,Y+5 - eor r10,r0 - ldd r0,Y+6 - eor r11,r0 - ldd 
r0,Y+7 - eor r12,r0 - ldd r0,Y+8 - eor r13,r0 - ldd r20,Y+13 - ldd r21,Y+14 - ldd r22,Y+15 - ldd r23,Y+16 - eor r6,r20 - eor r7,r21 - eor r8,r22 - eor r9,r23 - lsl r20 - rol r21 - adc r20,r1 - lsl r20 - rol r21 - adc r20,r1 - lsl r20 - rol r21 - adc r20,r1 - lsl r20 - rol r21 - adc r20,r1 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - ldd r0,Y+1 - std Y+1,r20 - ldd r20,Y+5 - std Y+5,r0 - ldd r0,Y+9 - std Y+9,r20 - std Y+13,r0 - ldd r0,Y+2 - std Y+2,r21 - ldd r21,Y+6 - std Y+6,r0 - ldd r0,Y+10 - std Y+10,r21 - std Y+14,r0 - ldd r0,Y+3 - std Y+3,r22 - ldd r22,Y+7 - std Y+7,r0 - ldd r0,Y+11 - std Y+11,r22 - std Y+15,r0 - ldd r0,Y+4 - std Y+4,r23 - ldd r23,Y+8 - std Y+8,r0 - ldd r0,Y+12 - std Y+12,r23 - std Y+16,r0 - ldi r20,128 - eor r25,r20 - mov r30,r19 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - eor r14,r20 - inc r19 - cpi r19,40 - breq 727f - inc r26 - ldi r27,5 - cpse r26,r27 - rjmp 307b - mov r26,r1 - eor r2,r18 - eor r3,r18 - eor r4,r18 - eor r5,r18 - rjmp 307b -727: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - bst r2,0 - bld r20,0 - bst r6,0 - bld r20,1 - bst r10,0 - bld r20,2 - bst r14,0 - bld r20,3 - bst r2,1 - bld r20,4 - bst r6,1 - bld r20,5 - bst r10,1 - bld r20,6 - bst r14,1 - bld r20,7 - bst r2,2 - bld r21,0 - bst r6,2 - bld r21,1 - bst r10,2 - bld r21,2 - bst r14,2 - bld r21,3 - bst r2,3 - bld r21,4 - bst r6,3 - bld r21,5 - bst r10,3 - bld r21,6 - bst r14,3 - bld r21,7 - bst r2,4 - bld r22,0 - bst r6,4 - bld r22,1 - bst r10,4 - bld r22,2 - bst r14,4 - bld r22,3 - bst r2,5 - bld r22,4 - bst r6,5 - bld r22,5 - bst r10,5 - bld r22,6 - bst r14,5 - bld r22,7 - bst r2,6 - bld r23,0 - bst r6,6 - bld r23,1 - bst r10,6 - bld r23,2 - bst r14,6 - bld r23,3 - bst r2,7 - bld r23,4 - bst r6,7 - bld r23,5 - bst r10,7 - bld r23,6 - bst r14,7 - bld r23,7 - st X+,r20 - st 
X+,r21 - st X+,r22 - st X+,r23 - bst r3,0 - bld r20,0 - bst r7,0 - bld r20,1 - bst r11,0 - bld r20,2 - bst r15,0 - bld r20,3 - bst r3,1 - bld r20,4 - bst r7,1 - bld r20,5 - bst r11,1 - bld r20,6 - bst r15,1 - bld r20,7 - bst r3,2 - bld r21,0 - bst r7,2 - bld r21,1 - bst r11,2 - bld r21,2 - bst r15,2 - bld r21,3 - bst r3,3 - bld r21,4 - bst r7,3 - bld r21,5 - bst r11,3 - bld r21,6 - bst r15,3 - bld r21,7 - bst r3,4 - bld r22,0 - bst r7,4 - bld r22,1 - bst r11,4 - bld r22,2 - bst r15,4 - bld r22,3 - bst r3,5 - bld r22,4 - bst r7,5 - bld r22,5 - bst r11,5 - bld r22,6 - bst r15,5 - bld r22,7 - bst r3,6 - bld r23,0 - bst r7,6 - bld r23,1 - bst r11,6 - bld r23,2 - bst r15,6 - bld r23,3 - bst r3,7 - bld r23,4 - bst r7,7 - bld r23,5 - bst r11,7 - bld r23,6 - bst r15,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - bst r4,0 - bld r20,0 - bst r8,0 - bld r20,1 - bst r12,0 - bld r20,2 - bst r24,0 - bld r20,3 - bst r4,1 - bld r20,4 - bst r8,1 - bld r20,5 - bst r12,1 - bld r20,6 - bst r24,1 - bld r20,7 - bst r4,2 - bld r21,0 - bst r8,2 - bld r21,1 - bst r12,2 - bld r21,2 - bst r24,2 - bld r21,3 - bst r4,3 - bld r21,4 - bst r8,3 - bld r21,5 - bst r12,3 - bld r21,6 - bst r24,3 - bld r21,7 - bst r4,4 - bld r22,0 - bst r8,4 - bld r22,1 - bst r12,4 - bld r22,2 - bst r24,4 - bld r22,3 - bst r4,5 - bld r22,4 - bst r8,5 - bld r22,5 - bst r12,5 - bld r22,6 - bst r24,5 - bld r22,7 - bst r4,6 - bld r23,0 - bst r8,6 - bld r23,1 - bst r12,6 - bld r23,2 - bst r24,6 - bld r23,3 - bst r4,7 - bld r23,4 - bst r8,7 - bld r23,5 - bst r12,7 - bld r23,6 - bst r24,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - bst r5,0 - bld r20,0 - bst r9,0 - bld r20,1 - bst r13,0 - bld r20,2 - bst r25,0 - bld r20,3 - bst r5,1 - bld r20,4 - bst r9,1 - bld r20,5 - bst r13,1 - bld r20,6 - bst r25,1 - bld r20,7 - bst r5,2 - bld r21,0 - bst r9,2 - bld r21,1 - bst r13,2 - bld r21,2 - bst r25,2 - bld r21,3 - bst r5,3 - bld r21,4 - bst r9,3 - bld r21,5 - bst r13,3 - bld r21,6 - bst r25,3 - 
bld r21,7 - bst r5,4 - bld r22,0 - bst r9,4 - bld r22,1 - bst r13,4 - bld r22,2 - bst r25,4 - bld r22,3 - bst r5,5 - bld r22,4 - bst r9,5 - bld r22,5 - bst r13,5 - bld r22,6 - bst r25,5 - bld r22,7 - bst r5,6 - bld r23,0 - bst r9,6 - bld r23,1 - bst r13,6 - bld r23,2 - bst r25,6 - bld r23,3 - bst r5,7 - bld r23,4 - bst r9,7 - bld r23,5 - bst r13,7 - bld r23,6 - bst r25,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128t_encrypt, .-gift128t_encrypt - - .text -.global gift128t_decrypt - .type gift128t_decrypt, @function -gift128t_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r2,0 - bst r20,1 - bld r6,0 - bst r20,2 - bld r10,0 - bst r20,3 - bld r14,0 - bst r20,4 - bld r2,1 - bst r20,5 - bld r6,1 - bst r20,6 - bld r10,1 - bst r20,7 - bld r14,1 - bst r21,0 - bld r2,2 - bst r21,1 - bld r6,2 - bst r21,2 - bld r10,2 - bst r21,3 - bld r14,2 - bst r21,4 - bld r2,3 - bst r21,5 - bld r6,3 - bst r21,6 - bld r10,3 - bst r21,7 - bld r14,3 - bst r22,0 - bld r2,4 - bst r22,1 - bld r6,4 - bst r22,2 - bld r10,4 - bst r22,3 - bld r14,4 - bst r22,4 - bld r2,5 - bst r22,5 - bld r6,5 - bst r22,6 - bld r10,5 - bst r22,7 - bld r14,5 - bst r23,0 - bld r2,6 - bst r23,1 - bld r6,6 - bst r23,2 - bld r10,6 - bst r23,3 - bld r14,6 - bst r23,4 - bld r2,7 - bst r23,5 - bld r6,7 - bst r23,6 - bld r10,7 - bst r23,7 - bld r14,7 - ld 
r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r3,0 - bst r20,1 - bld r7,0 - bst r20,2 - bld r11,0 - bst r20,3 - bld r15,0 - bst r20,4 - bld r3,1 - bst r20,5 - bld r7,1 - bst r20,6 - bld r11,1 - bst r20,7 - bld r15,1 - bst r21,0 - bld r3,2 - bst r21,1 - bld r7,2 - bst r21,2 - bld r11,2 - bst r21,3 - bld r15,2 - bst r21,4 - bld r3,3 - bst r21,5 - bld r7,3 - bst r21,6 - bld r11,3 - bst r21,7 - bld r15,3 - bst r22,0 - bld r3,4 - bst r22,1 - bld r7,4 - bst r22,2 - bld r11,4 - bst r22,3 - bld r15,4 - bst r22,4 - bld r3,5 - bst r22,5 - bld r7,5 - bst r22,6 - bld r11,5 - bst r22,7 - bld r15,5 - bst r23,0 - bld r3,6 - bst r23,1 - bld r7,6 - bst r23,2 - bld r11,6 - bst r23,3 - bld r15,6 - bst r23,4 - bld r3,7 - bst r23,5 - bld r7,7 - bst r23,6 - bld r11,7 - bst r23,7 - bld r15,7 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r4,0 - bst r20,1 - bld r8,0 - bst r20,2 - bld r12,0 - bst r20,3 - bld r24,0 - bst r20,4 - bld r4,1 - bst r20,5 - bld r8,1 - bst r20,6 - bld r12,1 - bst r20,7 - bld r24,1 - bst r21,0 - bld r4,2 - bst r21,1 - bld r8,2 - bst r21,2 - bld r12,2 - bst r21,3 - bld r24,2 - bst r21,4 - bld r4,3 - bst r21,5 - bld r8,3 - bst r21,6 - bld r12,3 - bst r21,7 - bld r24,3 - bst r22,0 - bld r4,4 - bst r22,1 - bld r8,4 - bst r22,2 - bld r12,4 - bst r22,3 - bld r24,4 - bst r22,4 - bld r4,5 - bst r22,5 - bld r8,5 - bst r22,6 - bld r12,5 - bst r22,7 - bld r24,5 - bst r23,0 - bld r4,6 - bst r23,1 - bld r8,6 - bst r23,2 - bld r12,6 - bst r23,3 - bld r24,6 - bst r23,4 - bld r4,7 - bst r23,5 - bld r8,7 - bst r23,6 - bld r12,7 - bst r23,7 - bld r24,7 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r5,0 - bst r20,1 - bld r9,0 - bst r20,2 - bld r13,0 - bst r20,3 - bld r25,0 - bst r20,4 - bld r5,1 - bst r20,5 - bld r9,1 - bst r20,6 - bld r13,1 - bst r20,7 - bld r25,1 - bst r21,0 - bld r5,2 - bst r21,1 - bld r9,2 - bst r21,2 - bld r13,2 - bst r21,3 - bld r25,2 - bst r21,4 - bld r5,3 - bst r21,5 - bld r9,3 - bst r21,6 - bld r13,3 - 
bst r21,7 - bld r25,3 - bst r22,0 - bld r5,4 - bst r22,1 - bld r9,4 - bst r22,2 - bld r13,4 - bst r22,3 - bld r25,4 - bst r22,4 - bld r5,5 - bst r22,5 - bld r9,5 - bst r22,6 - bld r13,5 - bst r22,7 - bld r25,5 - bst r23,0 - bld r5,6 - bst r23,1 - bld r9,6 - bst r23,2 - bld r13,6 - bst r23,3 - bld r25,6 - bst r23,4 - bld r5,7 - bst r23,5 - bld r9,7 - bst r23,6 - bld r13,7 - bst r23,7 - bld r25,7 - ld r26,Z - ldd r27,Z+1 - ldd r16,Z+2 - ldd r17,Z+3 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - or r17,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r16 - std Y+4,r17 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r16,Z+6 - ldd r17,Z+7 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - or r17,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r16 - std Y+8,r17 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r16,Z+10 - ldd r17,Z+11 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - or r17,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r16 - std Y+12,r17 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r16,Z+14 - ldd r17,Z+15 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - or r17,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r16 - std Y+16,r17 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r26,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r19,40 - mov r26,r1 -375: - ldd r0,Y+13 - ldd r20,Y+9 - std Y+9,r0 - ldd r0,Y+5 - std Y+5,r20 - ldd r20,Y+1 - std Y+1,r0 - ldd r0,Y+14 - ldd r21,Y+10 - std Y+10,r0 - ldd r0,Y+6 - std Y+6,r21 - ldd r21,Y+2 - std Y+2,r0 - ldd r0,Y+15 - ldd r22,Y+11 - std 
Y+11,r0 - ldd r0,Y+7 - std Y+7,r22 - ldd r22,Y+3 - std Y+3,r0 - ldd r0,Y+16 - ldd r23,Y+12 - std Y+12,r0 - ldd r0,Y+8 - std Y+8,r23 - ldd r23,Y+4 - std Y+4,r0 - mov r0,r1 - lsr r21 - ror r20 - ror r0 - lsr r21 - ror r20 - ror r0 - lsr r21 - ror r20 - ror r0 - lsr r21 - ror r20 - ror r0 - or r21,r0 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - std Y+13,r20 - std Y+14,r21 - std Y+15,r22 - std Y+16,r23 - eor r6,r20 - eor r7,r21 - eor r8,r22 - eor r9,r23 - ldd r0,Y+5 - eor r10,r0 - ldd r0,Y+6 - eor r11,r0 - ldd r0,Y+7 - eor r12,r0 - ldd r0,Y+8 - eor r13,r0 - ldi r20,128 - eor r25,r20 - dec r19 - mov r30,r19 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - eor r14,r20 - bst r2,1 - bld r0,0 - bst r5,0 - bld r2,1 - bst r2,6 - bld r5,0 - bst r4,1 - bld r2,6 - bst r5,4 - bld r4,1 - bst r2,7 - bld r5,4 - bst r3,1 - bld r2,7 - bst r5,2 - bld r3,1 - bst r4,6 - bld r5,2 - bst r4,5 - bld r4,6 - bst r5,5 - bld r4,5 - bst r5,7 - bld r5,5 - bst r3,7 - bld r5,7 - bst r3,3 - bld r3,7 - bst r3,2 - bld r3,3 - bst r4,2 - bld r3,2 - bst r4,4 - bld r4,2 - bst r2,5 - bld r4,4 - bst r5,1 - bld r2,5 - bst r5,6 - bld r5,1 - bst r4,7 - bld r5,6 - bst r3,5 - bld r4,7 - bst r5,3 - bld r3,5 - bst r3,6 - bld r5,3 - bst r4,3 - bld r3,6 - bst r3,4 - bld r4,3 - bst r2,3 - bld r3,4 - bst r3,0 - bld r2,3 - bst r2,2 - bld r3,0 - bst r4,0 - bld r2,2 - bst r2,4 - bld r4,0 - bst r0,0 - bld r2,4 - bst r6,0 - bld r0,0 - bst r7,0 - bld r6,0 - bst r7,2 - bld r7,0 - bst r9,2 - bld r7,2 - bst r9,6 - bld r9,2 - bst r9,7 - bld r9,6 - bst r8,7 - bld r9,7 - bst r8,5 - bld r8,7 - bst r6,5 - bld r8,5 - bst r6,1 - bld r6,5 - bst r0,0 - bld r6,1 - bst r6,2 - bld r0,0 - bst r9,0 - bld r6,2 - bst r7,6 - bld r9,0 - bst r9,3 - bld r7,6 - bst r8,6 - bld r9,3 - bst r9,5 - bld r8,6 - bst r6,7 - bld r9,5 - bst r8,1 - bld r6,7 - bst r6,4 - bld r8,1 - bst r7,1 - bld r6,4 - bst r0,0 - bld r7,1 - bst r6,3 
- bld r0,0 - bst r8,0 - bld r6,3 - bst r7,4 - bld r8,0 - bst r7,3 - bld r7,4 - bst r8,2 - bld r7,3 - bst r9,4 - bld r8,2 - bst r7,7 - bld r9,4 - bst r8,3 - bld r7,7 - bst r8,4 - bld r8,3 - bst r7,5 - bld r8,4 - bst r0,0 - bld r7,5 - bst r6,6 - bld r0,0 - bst r9,1 - bld r6,6 - bst r0,0 - bld r9,1 - bst r10,0 - bld r0,0 - bst r12,0 - bld r10,0 - bst r12,4 - bld r12,0 - bst r12,5 - bld r12,4 - bst r11,5 - bld r12,5 - bst r11,3 - bld r11,5 - bst r13,2 - bld r11,3 - bst r10,6 - bld r13,2 - bst r10,1 - bld r10,6 - bst r11,0 - bld r10,1 - bst r12,2 - bld r11,0 - bst r10,4 - bld r12,2 - bst r12,1 - bld r10,4 - bst r11,4 - bld r12,1 - bst r12,3 - bld r11,4 - bst r13,4 - bld r12,3 - bst r12,7 - bld r13,4 - bst r13,5 - bld r12,7 - bst r11,7 - bld r13,5 - bst r13,3 - bld r11,7 - bst r13,6 - bld r13,3 - bst r10,7 - bld r13,6 - bst r13,1 - bld r10,7 - bst r11,6 - bld r13,1 - bst r10,3 - bld r11,6 - bst r13,0 - bld r10,3 - bst r12,6 - bld r13,0 - bst r10,5 - bld r12,6 - bst r11,1 - bld r10,5 - bst r11,2 - bld r11,1 - bst r10,2 - bld r11,2 - bst r0,0 - bld r10,2 - bst r14,0 - bld r0,0 - bst r25,0 - bld r14,0 - bst r25,6 - bld r25,0 - bst r15,7 - bld r25,6 - bst r14,3 - bld r15,7 - bst r0,0 - bld r14,3 - bst r14,1 - bld r0,0 - bst r24,0 - bld r14,1 - bst r25,4 - bld r24,0 - bst r25,7 - bld r25,4 - bst r14,7 - bld r25,7 - bst r0,0 - bld r14,7 - bst r14,2 - bld r0,0 - bst r15,0 - bld r14,2 - bst r25,2 - bld r15,0 - bst r15,6 - bld r25,2 - bst r15,3 - bld r15,6 - bst r0,0 - bld r15,3 - bst r14,4 - bld r0,0 - bst r25,1 - bld r14,4 - bst r24,6 - bld r25,1 - bst r15,5 - bld r24,6 - bst r24,3 - bld r15,5 - bst r0,0 - bld r24,3 - bst r14,5 - bld r0,0 - bst r24,1 - bld r14,5 - bst r24,4 - bld r24,1 - bst r25,5 - bld r24,4 - bst r24,7 - bld r25,5 - bst r0,0 - bld r24,7 - bst r14,6 - bld r0,0 - bst r15,1 - bld r14,6 - bst r24,2 - bld r15,1 - bst r15,4 - bld r24,2 - bst r25,3 - bld r15,4 - bst r0,0 - bld r25,3 - movw r20,r14 - movw r22,r24 - movw r14,r2 - movw r24,r4 - movw r2,r20 - movw 
r4,r22 - and r20,r6 - and r21,r7 - and r22,r8 - and r23,r9 - eor r10,r20 - eor r11,r21 - eor r12,r22 - eor r13,r23 - com r14 - com r15 - com r24 - com r25 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r14,r10 - eor r15,r11 - eor r24,r12 - eor r25,r13 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - or r0,r8 - eor r12,r0 - mov r0,r5 - or r0,r9 - eor r13,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r8 - and r0,r24 - eor r4,r0 - mov r0,r9 - and r0,r25 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r8,r0 - mov r0,r5 - and r0,r13 - eor r9,r0 - cp r19,r1 - breq 791f - inc r26 - ldi r27,5 - cpse r26,r27 - rjmp 375b - mov r26,r1 - eor r2,r18 - eor r3,r18 - eor r4,r18 - eor r5,r18 - rjmp 375b -791: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - bst r2,0 - bld r20,0 - bst r6,0 - bld r20,1 - bst r10,0 - bld r20,2 - bst r14,0 - bld r20,3 - bst r2,1 - bld r20,4 - bst r6,1 - bld r20,5 - bst r10,1 - bld r20,6 - bst r14,1 - bld r20,7 - bst r2,2 - bld r21,0 - bst r6,2 - bld r21,1 - bst r10,2 - bld r21,2 - bst r14,2 - bld r21,3 - bst r2,3 - bld r21,4 - bst r6,3 - bld r21,5 - bst r10,3 - bld r21,6 - bst r14,3 - bld r21,7 - bst r2,4 - bld r22,0 - bst r6,4 - bld r22,1 - bst r10,4 - bld r22,2 - bst r14,4 - bld r22,3 - bst r2,5 - bld r22,4 - bst r6,5 - bld r22,5 - bst r10,5 - bld r22,6 - bst r14,5 - bld r22,7 - bst r2,6 - bld r23,0 - bst r6,6 - bld r23,1 - bst r10,6 - bld r23,2 - bst r14,6 - bld r23,3 - bst r2,7 - bld r23,4 - bst r6,7 - bld r23,5 - bst r10,7 - bld r23,6 - bst r14,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - bst r3,0 - bld r20,0 - bst r7,0 - bld r20,1 - bst r11,0 - bld r20,2 - bst r15,0 - bld r20,3 - bst r3,1 - bld r20,4 - bst r7,1 - bld r20,5 - bst r11,1 - bld r20,6 - bst r15,1 - bld r20,7 - bst r3,2 - bld r21,0 - bst r7,2 - bld r21,1 - bst 
r11,2 - bld r21,2 - bst r15,2 - bld r21,3 - bst r3,3 - bld r21,4 - bst r7,3 - bld r21,5 - bst r11,3 - bld r21,6 - bst r15,3 - bld r21,7 - bst r3,4 - bld r22,0 - bst r7,4 - bld r22,1 - bst r11,4 - bld r22,2 - bst r15,4 - bld r22,3 - bst r3,5 - bld r22,4 - bst r7,5 - bld r22,5 - bst r11,5 - bld r22,6 - bst r15,5 - bld r22,7 - bst r3,6 - bld r23,0 - bst r7,6 - bld r23,1 - bst r11,6 - bld r23,2 - bst r15,6 - bld r23,3 - bst r3,7 - bld r23,4 - bst r7,7 - bld r23,5 - bst r11,7 - bld r23,6 - bst r15,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - bst r4,0 - bld r20,0 - bst r8,0 - bld r20,1 - bst r12,0 - bld r20,2 - bst r24,0 - bld r20,3 - bst r4,1 - bld r20,4 - bst r8,1 - bld r20,5 - bst r12,1 - bld r20,6 - bst r24,1 - bld r20,7 - bst r4,2 - bld r21,0 - bst r8,2 - bld r21,1 - bst r12,2 - bld r21,2 - bst r24,2 - bld r21,3 - bst r4,3 - bld r21,4 - bst r8,3 - bld r21,5 - bst r12,3 - bld r21,6 - bst r24,3 - bld r21,7 - bst r4,4 - bld r22,0 - bst r8,4 - bld r22,1 - bst r12,4 - bld r22,2 - bst r24,4 - bld r22,3 - bst r4,5 - bld r22,4 - bst r8,5 - bld r22,5 - bst r12,5 - bld r22,6 - bst r24,5 - bld r22,7 - bst r4,6 - bld r23,0 - bst r8,6 - bld r23,1 - bst r12,6 - bld r23,2 - bst r24,6 - bld r23,3 - bst r4,7 - bld r23,4 - bst r8,7 - bld r23,5 - bst r12,7 - bld r23,6 - bst r24,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - bst r5,0 - bld r20,0 - bst r9,0 - bld r20,1 - bst r13,0 - bld r20,2 - bst r25,0 - bld r20,3 - bst r5,1 - bld r20,4 - bst r9,1 - bld r20,5 - bst r13,1 - bld r20,6 - bst r25,1 - bld r20,7 - bst r5,2 - bld r21,0 - bst r9,2 - bld r21,1 - bst r13,2 - bld r21,2 - bst r25,2 - bld r21,3 - bst r5,3 - bld r21,4 - bst r9,3 - bld r21,5 - bst r13,3 - bld r21,6 - bst r25,3 - bld r21,7 - bst r5,4 - bld r22,0 - bst r9,4 - bld r22,1 - bst r13,4 - bld r22,2 - bst r25,4 - bld r22,3 - bst r5,5 - bld r22,4 - bst r9,5 - bld r22,5 - bst r13,5 - bld r22,6 - bst r25,5 - bld r22,7 - bst r5,6 - bld r23,0 - bst r9,6 - bld r23,1 - bst r13,6 - bld r23,2 - bst 
r25,6 - bld r23,3 - bst r5,7 - bld r23,4 - bst r9,7 - bld r23,5 - bst r13,7 - bld r23,6 - bst r25,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128t_decrypt, .-gift128t_decrypt - -#endif diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.c b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.c index 355aa92..a570791 100644 --- a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.c +++ b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/estate.c @@ -48,7 +48,7 @@ aead_cipher_t const estate_twegift_cipher = { static void estate_twegift_fcbc (const gift128n_key_schedule_t *ks, unsigned char tag[16], const unsigned char *m, unsigned long long mlen, - unsigned char tweak1, unsigned char tweak2) + uint32_t tweak1, uint32_t tweak2) { while (mlen > 16) { lw_xor_block(tag, m, 16); 
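Review bot: The `tweak1`/`tweak2` parameters of `estate_twegift_fcbc` now carry `GIFT128T_TWEAK_*` values rather than the small integer tweak indices the old `unsigned char` signature implied, and nothing in the hunk records that change of meaning. If the function has a doc comment above the hunk it should say so, e.g. `\param tweak1 One of the GIFT128T_TWEAK_* constants`, with each parameter's per-block role filled in from the body. The body of `estate_twegift_fcbc` continues outside the hunk, so I cannot confirm from here which blocks each tweak is applied to.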
@@ -84,24 +84,29 @@ static void estate_twegift_authenticate { /* Handle the case where both the message and associated data are empty */ if (mlen == 0 && adlen == 0) { - gift128t_encrypt(ks, tag, tag, /*tweak=*/8); + gift128t_encrypt(ks, tag, tag, GIFT128T_TWEAK_8); return; } /* Encrypt the nonce */ - gift128t_encrypt(ks, tag, tag, /*tweak=*/1); + gift128t_encrypt(ks, tag, tag, GIFT128T_TWEAK_1); /* Compute the FCBC MAC over the associated data */ if (adlen != 0) { - if (mlen != 0) - estate_twegift_fcbc(ks, tag, ad, adlen, /*tweak1=*/2, /*tweak2=*/3); - else - estate_twegift_fcbc(ks, tag, ad, adlen, /*tweak1=*/6, /*tweak2=*/7); + if (mlen != 0) { + estate_twegift_fcbc + (ks, tag, ad, adlen, GIFT128T_TWEAK_2, GIFT128T_TWEAK_3); + } else { + estate_twegift_fcbc + (ks, tag, ad, adlen, GIFT128T_TWEAK_6, GIFT128T_TWEAK_7); + } } /* Compute the FCBC MAC over the message data */ - if (mlen != 0) - estate_twegift_fcbc(ks, tag, m, mlen, /*tweak1=*/4, /*tweak2=*/5); + if (mlen != 0) { + estate_twegift_fcbc + (ks, tag, m, mlen, GIFT128T_TWEAK_4, GIFT128T_TWEAK_5); + } } /** @@ -148,8 +153,7 @@ int estate_twegift_aead_encrypt *clen = mlen + ESTATE_TWEGIFT_TAG_SIZE; /* Set up the key schedule and copy the nonce into the tag */ - if (!gift128n_init(&ks, k, ESTATE_TWEGIFT_KEY_SIZE)) - return -1; + gift128n_init(&ks, k); memcpy(tag, npub, 16); /* Authenticate the associated data and plaintext */ @@ -181,8 +185,7 @@ int estate_twegift_aead_decrypt *mlen = clen - ESTATE_TWEGIFT_TAG_SIZE; /* Set up the key schedule and copy the nonce into the tag */ - if (!gift128n_init(&ks, k, ESTATE_TWEGIFT_KEY_SIZE)) - return -1; + gift128n_init(&ks, k); memcpy(tag, npub, 16); /* Decrypt the ciphertext to generate the plaintext */ 
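Review bot: The reason for choosing the tweak pair (2, 3) when message data follows, (6, 7) when it does not, and 8 when both inputs are empty is not stated anywhere in the hunk, and the named constants do not make the branches any more self-explanatory than the old literals did. The values appear to act as domain separators for the MAC; a comment at the `if (adlen != 0)` branch such as `/* The tweak pair encodes whether message data follows the AD (domain separation) */` would make the intent explicit. Replacing the `/*tweak=*/` literals with named constants and bracing the single-statement branches is otherwise an improvement.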
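Review bot: Dropping `if (!gift128n_init(&ks, k, ESTATE_TWEGIFT_KEY_SIZE)) return -1;` in `estate_twegift_aead_encrypt` removes the only runtime validation of `ks`, `k` and the key length, and the `@@ -181,8 +185,7 @@` hunk does the same in `estate_twegift_aead_decrypt`. With the new `void gift128n_init(ks, key)` there is no failure path, so the 16-byte key requirement now rests entirely on the AEAD API contract that the removed call passed as `ESTATE_TWEGIFT_KEY_SIZE`; that is reasonable for a fixed-size API but should be written down at the call site, e.g. `/* k holds ESTATE_TWEGIFT_KEY_SIZE bytes by API contract; gift128n_init cannot fail */`. Both function bodies continue outside their hunks.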
diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128-config.h b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128-config.h similarity index 100% rename from estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128-config.h rename to estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128-config.h diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.c b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.c index 681dbc8..c6ac5ec 100644 --- a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.c +++ b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.c @@ -23,8 +23,12 @@ #include "internal-gift128.h" #include "internal-util.h" +#if !GIFT128_VARIANT_ASM + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /* Round constants for GIFT-128 in the fixsliced representation */ -static uint32_t const GIFT128_RC[40] = { +static uint32_t const GIFT128_RC_fixsliced[40] = { 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, 
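Review bot: `#if !GIFT128_VARIANT_ASM` and `#if GIFT128_VARIANT != GIFT128_VARIANT_TINY` both select a branch silently when the configuration macros are not defined, because an undefined identifier evaluates to 0 in `#if`: with nothing defined the first test is true and the second is false, quietly dropping the fixsliced table from the build. Presumably `internal-gift128.h` pulls in the renamed `internal-gift128-config.h` on every include path, but a guard after the includes, `#ifndef GIFT128_VARIANT` / `#error "GIFT128_VARIANT is not defined; check internal-gift128-config.h"` / `#endif`, would turn a misconfigured build into a compile error instead of a wrong-variant binary. Renaming `GIFT128_RC` to `GIFT128_RC_fixsliced` is fine given the separate bitsliced `GIFT128_RC` table introduced in the following hunk.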
@@ -34,6 +38,246 @@ static uint32_t const GIFT128_RC[40] = { 0xc001a000, 0x14500002, 0x01020181, 0x8000001a }; +#endif + +#if GIFT128_VARIANT != GIFT128_VARIANT_FULL + +/* Round constants for GIFT-128 in the bitsliced representation */ +static uint8_t const GIFT128_RC[40] = { + 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, + 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, + 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, + 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38, + 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A +}; + +#endif + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/* + * The permutation below was generated by the online permuation generator at + * "http://programming.sirrida.de/calcperm.php". + * + * All of the permutuations are essentially the same, except that each is + * rotated by 8 bits with respect to the next: + * + * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15 + * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23 + * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31 + * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7 + * + * The most efficient permutation from the online generator was P3, so we + * perform it as the core of the others, and then perform a final rotation. + * + * It is possible to do slightly better than "P3 then rotate" on desktop and + * server architectures for the other permutations. But the advantage isn't + * as evident on embedded platforms so we keep things simple. 
+ */ +#define PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define PERM0(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate8(_x); \ + } while (0) +#define PERM1(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate16(_x); \ + } while (0) +#define PERM2(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate24(_x); \ + } while (0) +#define PERM3(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +#define INV_PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x00550055, 9); \ + bit_permute_step(x, 0x00003333, 18); \ + bit_permute_step(x, 0x000f000f, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define INV_PERM0(x) \ + do { \ + uint32_t _x = rightRotate8(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM1(x) \ + do { \ + uint32_t _x = rightRotate16(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM2(x) \ + do { \ + uint32_t _x = rightRotate24(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM3(x) \ + do { \ + uint32_t _x = (x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. 
+ */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /** * \brief Swaps bits within two words. * 
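Review bot: `PERM_WORDS` and `INV_PERM_WORDS` are `#define`d inside `gift128n_to_words` and `gift128n_to_nibbles` but never undefined, so they stay visible to the rest of the translation unit; add `#undef PERM_WORDS` after `PERM_WORDS(s3);` and `#undef INV_PERM_WORDS` after `INV_PERM_WORDS(s3);`. `bit_permute_step` introduces locals named `y` and `t`, so an argument expression that itself names `y` or `t` would bind to the macro's own temporaries; the current callers pass `x` or `_x`, so this is not a defect today, but a one-line comment on the macro, `/* the argument must not be an expression that names y or t */`, would keep it that way. The comment block above `PERM3_INNER` misspells "permutation" twice ("permuation", "permutuations"). The documented claim that `input` and `output` may alias holds for both conversion functions, since all four words are loaded before the first store.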
@@ -202,21 +446,27 @@ static void gift128b_compute_round_keys /* Keys 8, 9, 18, and 19 do not need any adjustment */ } +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL /* Derive the fixsliced keys for the remaining rounds 11..40 */ for (index = 20; index < 80; index += 10) { gift128b_derive_keys(ks->k + index, ks->k + index - 20); } +#endif } -int gift128b_init - (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) { - if (!ks || !key || key_len != 16) - return 0; gift128b_compute_round_keys (ks, be_load_word32(key), be_load_word32(key + 4), be_load_word32(key + 8), be_load_word32(key + 12)); - return 1; +} + +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian key byte order from the HYENA submission */ + gift128b_compute_round_keys + (ks, le_load_word32(key + 12), le_load_word32(key + 8), + le_load_word32(key + 4), le_load_word32(key)); } /** 
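Review bot: The new `#if GIFT128_VARIANT == GIFT128_VARIANT_FULL` guard removes only the derive loop, yet in the SMALL build the header hunk later on this page also shrinks `ks->k` to 20 words (`GIFT128_ROUND_KEYS 20`), so every store made by gift128b_compute_round_keys above this hunk must stay below index 20. The body of that function starts outside the hunk, so I could not confirm the bound from here; the "Keys 8, 9, 18, and 19" comment suggests the earlier code fills exactly 0..19, but that is an inference. A one-line comment at the guard would make the invariant visible to the next person who touches the key schedule: `/* SMALL/TINY: ks->k holds keys 0..19 only; rounds 11..40 are derived at encrypt time */`.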
@@ -521,11 +771,37 @@ int gift128b_init gift128b_inv_sbox(s3, s1, s2, s0); \ } while (0) +#else /* GIFT128_VARIANT_TINY */ + +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) +{ + /* Mirror the fixslicing word order of 3, 1, 2, 0 */ + ks->k[0] = be_load_word32(key + 12); + ks->k[1] = be_load_word32(key + 4); + ks->k[2] = be_load_word32(key + 8); + ks->k[3] = be_load_word32(key); +} + +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian key byte order from the HYENA submission + * and mirror the fixslicing word order of 3, 1, 2, 0 */ + ks->k[0] = le_load_word32(key); + ks->k[1] = le_load_word32(key + 8); + ks->k[2] = le_load_word32(key + 4); + ks->k[3] = le_load_word32(key + 12); +} + +#endif /* GIFT128_VARIANT_TINY */ + +#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL + void gift128b_encrypt (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { uint32_t s0, s1, s2, s3; + uint32_t k[20]; /* Copy the plaintext into the state buffer and convert from big endian */ s0 = be_load_word32(input); 
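Review bot: The `uint32_t k[20]` scratch added to the SMALL gift128b_encrypt holds the derived round keys for rounds 11..40 and is simply abandoned on the stack when the function returns; the same `k[20]` appears in gift128b_encrypt_preloaded and gift128t_encrypt in the following hunks. Whether that residue matters depends on the deployment, but the trade-off should be stated where the buffer is declared, e.g. `uint32_t k[20]; /* derived round keys 11..40; scratch only, not cleared on return */`, so integrators with key-hygiene requirements know to handle it. For the TINY `gift128b_init`/`gift128n_init`, the "3, 1, 2, 0" comment is consistent with the `w0 = ks->k[3]; ... w3 = ks->k[0];` reload in the TINY encrypt path later in the diff, and the n-variant word order matches the FULL `gift128n_init` above.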
@@ -534,14 +810,20 @@ void gift128b_encrypt s3 = be_load_word32(input + 12); /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); /* Pack the state into the ciphertext buffer in big endian */ be_store_word32(output, s0); @@ -555,6 +837,7 @@ void gift128b_encrypt_preloaded const uint32_t input[4]) { uint32_t s0, s1, s2, s3; + uint32_t k[20]; /* Copy the plaintext into local variables */ s0 = input[0]; 
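Review bot: `gift128b_derive_keys(k, k)` and `gift128b_derive_keys(k + 10, k + 10)` now derive the next ten round keys in place, whereas the FULL-variant loop in gift128b_compute_round_keys always passes distinct source and destination (`ks->k + index`, `ks->k + index - 20`). That is only correct if gift128b_derive_keys never writes a destination word before it has finished reading every source word it depends on; the helper is not part of this diff, so I could not confirm it. Either document the aliasing contract on the helper, e.g. `/* next may alias prev: safe for in-place derivation */`, or derive into a second buffer if it does not hold. The same in-place calls appear in gift128b_encrypt_preloaded (next hunk) and in the SMALL gift128t_encrypt.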
@@ -563,14 +846,20 @@ void gift128b_encrypt_preloaded s3 = input[3]; /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); /* Pack the state into the ciphertext buffer */ output[0] = s0; 
@@ -579,7 +868,55 @@ void gift128b_encrypt_preloaded output[3] = s3; } -void gift128b_decrypt +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint32_t tweak) +{ + uint32_t s0, s1, s2, s3; + uint32_t k[20]; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL + +void gift128b_encrypt (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { 
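Review bot: gift128t_encrypt now XORs the caller-supplied `tweak` word into `s0` as-is, so nothing ties it to the sixteen GIFT128T_TWEAK_* expansions the header hunk defines; a caller passing the raw 4-bit value (as the old `unsigned char tweak` parameter took) would silently get a different, non-interoperable cipher rather than an error. A comment at the function would make the new contract explicit: `/* tweak must be one of GIFT128T_TWEAK_0..15 (the 32-bit expansion), not the raw 4-bit value */`. The same applies to the other gift128t_encrypt and gift128t_decrypt definitions in the later hunks, so one shared note near the first definition is enough.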
@@ -592,14 +929,14 @@ void gift128b_decrypt s3 = be_load_word32(input + 12); /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); /* Pack the state into the ciphertext buffer in big endian */ be_store_word32(output, s0); 
@@ -608,173 +945,308 @@ void gift128b_decrypt be_store_word32(output + 12, s3); } -int gift128n_init - (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { - /* Use the little-endian key byte order from the HYENA submission */ - if (!ks || !key || key_len != 16) - return 0; - gift128b_compute_round_keys - (ks, le_load_word32(key + 12), le_load_word32(key + 8), - le_load_word32(key + 4), le_load_word32(key)); - return 1; + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; } -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint32_t tweak) +{ + uint32_t s0, s1, s2, s3; -/** - * \brief Converts the GIFT-128 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. 
- * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift128n_to_words - (unsigned char *output, const unsigned char *input) + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +#else /* GIFT128_VARIANT_TINY */ + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input buffer into 32-bit words. We use the nibble order - * from the HYENA submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 12); - s1 = le_load_word32(input + 8); - s2 = le_load_word32(input + 4); - s3 = le_load_word32(input); + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". - */ - #define PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - PERM_WORDS(s0); - PERM_WORDS(s1); - PERM_WORDS(s2); - PERM_WORDS(s3); + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Rearrange the bytes and write them to the output buffer */ - output[0] = (uint8_t)s0; - output[1] = 
(uint8_t)s1; - output[2] = (uint8_t)s2; - output[3] = (uint8_t)s3; - output[4] = (uint8_t)(s0 >> 8); - output[5] = (uint8_t)(s1 >> 8); - output[6] = (uint8_t)(s2 >> 8); - output[7] = (uint8_t)(s3 >> 8); - output[8] = (uint8_t)(s0 >> 16); - output[9] = (uint8_t)(s1 >> 16); - output[10] = (uint8_t)(s2 >> 16); - output[11] = (uint8_t)(s3 >> 16); - output[12] = (uint8_t)(s0 >> 24); - output[13] = (uint8_t)(s1 >> 24); - output[14] = (uint8_t)(s2 >> 24); - output[15] = (uint8_t)(s3 >> 24); + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); } -/** - * \brief Converts the GIFT-128 word-based representation into nibble-based. - * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. - */ -static void gift128n_to_nibbles - (unsigned char *output, const unsigned char *input) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input bytes and rearrange them so that s0 contains the - * most significant nibbles and s3 contains the least significant */ - s0 = (((uint32_t)(input[12])) << 24) | - (((uint32_t)(input[8])) << 16) | - (((uint32_t)(input[4])) << 8) | - ((uint32_t)(input[0])); - s1 = (((uint32_t)(input[13])) << 24) | - (((uint32_t)(input[9])) << 16) | - (((uint32_t)(input[5])) << 8) | - ((uint32_t)(input[1])); - s2 = (((uint32_t)(input[14])) << 24) | - (((uint32_t)(input[10])) << 16) | - (((uint32_t)(input[6])) << 8) | - ((uint32_t)(input[2])); - s3 = (((uint32_t)(input[15])) << 24) | - (((uint32_t)(input[11])) << 16) | - (((uint32_t)(input[7])) << 8) | - ((uint32_t)(input[3])); + /* Copy the plaintext into the state buffer */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; 
+ s3 = input[3]; - /* Apply the inverse of PERM_WORDS() from the function above */ - #define INV_PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - INV_PERM_WORDS(s0); - INV_PERM_WORDS(s1); - INV_PERM_WORDS(s2); - INV_PERM_WORDS(s3); + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Store the result into the output buffer as 32-bit words */ - le_store_word32(output + 12, s0); - le_store_word32(output + 8, s1); - le_store_word32(output + 4, s2); - le_store_word32(output, s3); + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; } -void gift128n_encrypt +void gift128t_encrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) + const unsigned char *input, uint32_t tweak) { + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the plaintext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); - gift128b_encrypt(ks, output, 
output); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* AddTweak - XOR in the tweak every 5 rounds except the last */ + if (((round + 1) % 5) == 0 && round < 39) + s0 ^= tweak; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); gift128n_to_nibbles(output, output); } -void gift128n_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, +#endif /* GIFT128_VARIANT_TINY */ + +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { - gift128n_to_words(output, input); - gift128b_decrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} + uint32_t s0, s1, s2, s3; -/* 4-bit tweak values expanded to 32-bit */ -static uint32_t const GIFT128_tweaks[16] = { - 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333, - 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787, - 0x78787878, 
0x99999999, 0xaaaaaaaa, 0x4b4b4b4b, - 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff -}; + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); -void gift128t_encrypt + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint32_t tweak) { - uint32_t s0, s1, s2, s3, tword; + uint32_t s0, s1, s2, s3; - /* Copy the plaintext into the state buffer and convert from nibbles */ + /* Copy the ciphertext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); s0 = be_load_word32(output); s1 = be_load_word32(output + 4); 
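Review bot: The TINY gift128b_encrypt, gift128b_encrypt_preloaded and gift128t_encrypt each carry a verbatim copy of the 40-round body (SubCells, PERM0..PERM3, AddRoundKey, the key-word rotation with the `0xFFFC0000U`/`0x00030000U`/`0x00000FFFU`/`0x0000F000U` masks), differing only in how the state is loaded and stored and in the tweak step. Three hand-copied round functions are how a mask or the tweak condition gets fixed in one copy and not the others, and for a size-constrained variant the duplication also costs code bytes. Since XOR with zero is a no-op and `GIFT128T_TWEAK_0` is `0x00000000`, a single `static void gift128b_tiny_rounds(uint32_t s[4], const gift128b_key_schedule_t *ks, uint32_t tweak)` called with `tweak = 0` from the two untweaked entry points would preserve behaviour exactly. The hunk also removes the `GIFT128_tweaks` table and the old bit_permute_step/to_words/to_nibbles definitions, which are re-added earlier in the file above this chunk.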
@@ -782,25 +1254,24 @@ void gift128t_encrypt s3 = be_load_word32(output + 12); /* Perform all 40 rounds five at a time using the fixsliced method. - * Every 5 rounds except the last we add the tweak value to the state */ - tword = GIFT128_tweaks[tweak]; - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + * Every 5 rounds except the first we add the tweak value to the state */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - /* Pack the state into the ciphertext buffer in nibble form */ + /* Pack the state into the plaintext buffer in nibble form */ be_store_word32(output, s0); be_store_word32(output + 4, s1); be_store_word32(output + 8, s2); 
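Review bot: The new comment `Every 5 rounds except the first we add the tweak value to the state` reads ambiguously against the code beneath it, which XORs `tweak` after every `gift128b_decrypt_5_rounds` call except the final `gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced)`. Suggest `* The tweak is XORed before each 5-round block except the first (rounds 35..39), i.e. after every call below except the last, mirroring gift128t_encrypt` so the inverse relationship is stated rather than left to the reader to derive.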
@@ -808,37 +1279,211 @@ void gift128t_encrypt gift128n_to_nibbles(output, output); } +#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ + +/* The small variant uses fixslicing for encryption, but we need to change + * to bitslicing for decryption because of the difficulty of fast-forwarding + * the fixsliced key schedule to the end. So the tiny variant is used for + * decryption when the small variant is selected. Since the NIST AEAD modes + * for GIFT-128 only use the block encrypt operation, the inefficiencies + * in decryption don't matter all that much */ + +/** + * \def gift128b_load_and_forward_schedule() + * \brief Generate the decryption key at the end of the last round. + * + * To do that, we run the block operation forward to determine the + * final state of the key schedule after the last round: + * + * w0 = ks->k[0]; + * w1 = ks->k[1]; + * w2 = ks->k[2]; + * w3 = ks->k[3]; + * for (round = 0; round < 40; ++round) { + * temp = w3; + * w3 = w2; + * w2 = w1; + * w1 = w0; + * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + * } + * + * We can short-cut all of the above by noticing that we don't need + * to do the word rotations. Every 4 rounds, the rotation alignment + * returns to the original position and each word has been rotated + * by applying the "2 right and 4 left" bit-rotation step to it. + * We then repeat that 10 times for the full 40 rounds. The overall + * effect is to apply a "20 right and 40 left" bit-rotation to every + * word in the key schedule. That is equivalent to "4 right and 8 left" + * on the 16-bit sub-words. 
+ */ +#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL +#define gift128b_load_and_forward_schedule() \ + do { \ + w0 = ks->k[3]; \ + w1 = ks->k[1]; \ + w2 = ks->k[2]; \ + w3 = ks->k[0]; \ + w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ + ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ + w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ + ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \ + w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ + ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ + w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ + ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ + } while (0) +#else +/* The small variant needs to also undo some of the rotations that were + * done to generate the fixsliced version of the key schedule */ +#define gift128b_load_and_forward_schedule() \ + do { \ + w0 = ks->k[3]; \ + w1 = ks->k[1]; \ + w2 = ks->k[2]; \ + w3 = ks->k[0]; \ + gift128b_swap_move(w3, w3, 0x000000FFU, 24); \ + gift128b_swap_move(w3, w3, 0x00003333U, 18); \ + gift128b_swap_move(w3, w3, 0x000F000FU, 12); \ + gift128b_swap_move(w3, w3, 0x00550055U, 9); \ + gift128b_swap_move(w1, w1, 0x000000FFU, 24); \ + gift128b_swap_move(w1, w1, 0x00003333U, 18); \ + gift128b_swap_move(w1, w1, 0x000F000FU, 12); \ + gift128b_swap_move(w1, w1, 0x00550055U, 9); \ + gift128b_swap_move(w2, w2, 0x000000FFU, 24); \ + gift128b_swap_move(w2, w2, 0x000F000FU, 12); \ + gift128b_swap_move(w2, w2, 0x03030303U, 6); \ + gift128b_swap_move(w2, w2, 0x11111111U, 3); \ + gift128b_swap_move(w0, w0, 0x000000FFU, 24); \ + gift128b_swap_move(w0, w0, 0x000F000FU, 12); \ + gift128b_swap_move(w0, w0, 0x03030303U, 6); \ + gift128b_swap_move(w0, w0, 0x11111111U, 3); \ + w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ + ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ + w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ + ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 
8); \ + w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ + ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ + w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ + ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ + } while (0) +#endif + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the ciphertext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Generate the decryption key at the end of the last round */ + gift128b_load_and_forward_schedule(); + + /* Perform all 40 rounds */ + for (round = 40; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; + + /* InvPermBits - apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp = s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } + + /* Pack the state into the plaintext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint32_t tweak) { - uint32_t s0, s1, s2, s3, 
tword; + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Copy the ciphertext into the state buffer and convert from nibbles */ + /* Copy the plaintext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); s0 = be_load_word32(output); s1 = be_load_word32(output + 4); s2 = be_load_word32(output + 8); s3 = be_load_word32(output + 12); - /* Perform all 40 rounds five at a time using the fixsliced method. - * Every 5 rounds except the first we add the tweak value to the state */ - tword = GIFT128_tweaks[tweak]; - gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + /* Generate the decryption key at the end of the last round */ + gift128b_load_and_forward_schedule(); + + /* Perform all 40 rounds */ + for (round = 40; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddTweak - XOR in the tweak every 5 rounds except the last */ + if ((round % 5) == 0 && round < 40) + s0 ^= tweak; + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; + + /* InvPermBits - apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp 
= s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } /* Pack the state into the plaintext buffer in nibble form */ be_store_word32(output, s0); @@ -847,3 +1492,7 @@ void gift128t_decrypt be_store_word32(output + 12, s3); gift128n_to_nibbles(output, output); } + +#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ + +#endif /* !GIFT128_VARIANT_ASM */ diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.h b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.h index 1ac40e5..f57d143 100644 --- a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.h +++ b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128.h @@ -47,11 +47,13 @@ * in any of the NIST submissions so we don't bother with it in this library. * * References: https://eprint.iacr.org/2017/622.pdf, + * https://eprint.iacr.org/2020/412.pdf, * https://giftcipher.github.io/gift/ */ #include #include +#include "internal-gift128-config.h" #ifdef __cplusplus extern "C" { @@ -63,16 +65,23 @@ extern "C" { #define GIFT128_BLOCK_SIZE 16 /** - * \brief Number of round keys for the fixsliced representation of GIFT-128. + * \var GIFT128_ROUND_KEYS + * \brief Number of round keys for the GIFT-128 key schedule. */ +#if GIFT128_VARIANT == GIFT128_VARIANT_TINY +#define GIFT128_ROUND_KEYS 4 +#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL +#define GIFT128_ROUND_KEYS 20 +#else #define GIFT128_ROUND_KEYS 80 +#endif /** * \brief Structure of the key schedule for GIFT-128 (bit-sliced). */ typedef struct { - /** Pre-computed round keys in the fixsliced form */ + /** Pre-computed round keys for bit-sliced GIFT-128 */ uint32_t k[GIFT128_ROUND_KEYS]; } gift128b_key_schedule_t; 
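Review bot: The doc block for gift128b_load_and_forward_schedule() illustrates the schedule being loaded as `w0 = ks->k[0]; ... w3 = ks->k[3];`, but both macro bodies (and the TINY encrypt path) load `w0 = ks->k[3]; w1 = ks->k[1]; w2 = ks->k[2]; w3 = ks->k[0];`, so the pseudo-code misleads anyone checking the derivation of the "4 right and 8 left" shortcut; update it to the 3,1,2,0 order. The macro also reads `ks` and assigns `w0..w3` from the caller's scope without naming them, which is worth a `\note Expects ks, w0, w1, w2 and w3 to be in scope at the point of use.` in the comment. In the SMALL branch I could not verify from this diff that the gift128b_swap_move sequence exactly undoes the rotations applied by gift128b_compute_round_keys, as that code lies outside the hunk; an encrypt-then-decrypt round-trip test in the SMALL build would pin it down.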
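Review bot: `GIFT128_ROUND_KEYS` now resolves to 4, 20 or 80 depending on `GIFT128_VARIANT`, so `sizeof(gift128b_key_schedule_t)` changes with the configuration header; every translation unit that includes this header, and any object linked against it, must see the same `GIFT128_VARIANT`, otherwise the FULL code paths will read `ks->k` past the end of a schedule built for a smaller variant. A comment on the struct records that constraint: `/* Size depends on GIFT128_VARIANT (internal-gift128-config.h); never mix objects built with different variants */`. Separately, `\var GIFT128_ROUND_KEYS` documents a macro, so `\def GIFT128_ROUND_KEYS` is the matching Doxygen tag, consistent with the `\def gift128b_load_and_forward_schedule()` used in the .c file.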
@@ -81,14 +90,9 @@ typedef struct * \brief Initializes the key schedule for GIFT-128 (bit-sliced). * * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. + * \param key Points to the 16 bytes of the key data. */ -int gift128b_init - (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len); +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key); /** * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced). @@ -145,14 +149,9 @@ typedef gift128b_key_schedule_t gift128n_key_schedule_t; * \brief Initializes the key schedule for GIFT-128 (nibble-based). * * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. + * \param key Points to the 16 bytes of the key data. */ -int gift128n_init - (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len); +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key); /** * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based). 
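Review bot: The new `gift128b_init` prototype drops both `key_len` and the error return, so the 16-byte contract is now enforced by nobody, and the Doxygen text should say so rather than only implying it; the same applies to the `gift128n_init` hunk below it. I would extend the parameter line to ` * \param key Points to the 16 bytes of the key data; exactly 16 bytes are read and no length validation is performed.` and add a `\note` that callers which relied on the old zero return for a bad length must validate before calling. With a `void` return there is also no longer any path for callers to detect misuse at runtime, which is worth stating explicitly in the header.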
@@ -182,13 +181,31 @@ void gift128n_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, const unsigned char *input); +/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */ +#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */ +#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */ +#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */ +#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */ +#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */ +#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */ +#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */ +#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */ +#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */ +#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */ +#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */ +#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */ +#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */ +#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */ +#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */ +#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */ + /** * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant). * * \param ks Points to the GIFT-128 key schedule. * \param output Output buffer which must be at least 16 bytes in length. * \param input Input buffer which must be at least 16 bytes in length. - * \param tweak 4-bit tweak value. + * \param tweak 4-bit tweak value expanded to 32-bit. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. 
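Review bot: Changing `tweak` from a 4-bit `unsigned char` to a pre-expanded `uint32_t` (the `gift128t_encrypt`/`gift128t_decrypt` prototype hunks that follow) means a caller still passing the raw nibble 0..15 compiles without any diagnostic and XORs the wrong value into the state, producing output that no conforming implementation can decrypt. The parameter text should say which values are valid, e.g. ` * \param tweak One of the GIFT128T_TWEAK_n values; a raw 4-bit tweak is not expanded by this function.` The new macro constants would also read more consistently with the `0x80000000U`-style literals in the .c hunk if they carried a `U` suffix, e.g. `#define GIFT128T_TWEAK_1 0xe1e1e1e1U`, which avoids the literal changing type between 16-bit and 32-bit `int` targets.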
@@ -200,7 +217,7 @@ void gift128n_decrypt */ void gift128t_encrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak); + const unsigned char *input, uint32_t tweak); /** * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant). @@ -208,7 +225,7 @@ void gift128t_encrypt * \param ks Points to the GIFT-128 key schedule. * \param output Output buffer which must be at least 16 bytes in length. * \param input Input buffer which must be at least 16 bytes in length. - * \param tweak 4-bit tweak value. + * \param tweak 4-bit tweak value expanded to 32-bit. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. @@ -220,7 +237,7 @@ void gift128t_encrypt */ void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak); + const unsigned char *input, uint32_t tweak); #ifdef __cplusplus } diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128n-full-avr.S b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128n-full-avr.S similarity index 100% rename from estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128n-full-avr.S rename to estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128n-full-avr.S diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128n-small-avr.S b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128n-small-avr.S similarity index 100% rename from estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128n-small-avr.S rename to estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128n-small-avr.S 
diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128n-tiny-avr.S b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128n-tiny-avr.S similarity index 100% rename from estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128n-tiny-avr.S rename to estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-gift128n-tiny-avr.S diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-util.h b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-util.h +++ b/estate/Implementations/crypto_aead/estatetwegift128v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
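Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` in the first internal-util.h hunk is defined unconditionally from `__AVR__`, so there is no way for a build to force the generic barrel-shift macros on AVR (for benchmarking or for a part where the composed form is slower) or to exercise the composed table on a host for testing. Wrapping the block as `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` keeps the default and lets `-DLW_CRYPTO_ROTATE32_COMPOSED=0/1` override it. The comment above it explains the "1 or multiple of 8" rationale well; it would be worth naming the override there too.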
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/api.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/api.h deleted file mode 100644 index 3818b25..0000000 
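Review bot: Nothing in this hunk verifies the 62 hand-composed rotation macros against the generic form, and a single transposed count (say `leftRotate13` built from 16 then right by 2) would only show up as a cipher test-vector mismatch on AVR hardware. A host-side check that asserts `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for N in 1..31 on a few sample words is cheap and could be built with the override suggested for the first hunk. Separately, if the generic `leftRotate`/`rightRotate` macros declare a `_temp` local inside a statement expression as the visible tail of the earlier hunk suggests, every composed macro nests that declaration inside its own initializer; this is legal C but shadows `_temp` and will be noisy under `-Wshadow`, so a comment noting it is intentional would help the next reader.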
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 6 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/encrypt.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/encrypt.c deleted file mode 100644 index 3741901..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "forkae.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return forkae_paef_128_192_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return forkae_paef_128_192_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/forkae.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/forkae.c deleted file mode 100644 index 4a9671a..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/forkae.c +++ /dev/null 
@@ -1,140 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "forkae.h" -#include "internal-forkskinny.h" -#include "internal-util.h" -#include - -aead_cipher_t const forkae_paef_64_192_cipher = { - "PAEF-ForkSkinny-64-192", - FORKAE_PAEF_64_192_KEY_SIZE, - FORKAE_PAEF_64_192_NONCE_SIZE, - FORKAE_PAEF_64_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_64_192_aead_encrypt, - forkae_paef_64_192_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_192_cipher = { - "PAEF-ForkSkinny-128-192", - FORKAE_PAEF_128_192_KEY_SIZE, - FORKAE_PAEF_128_192_NONCE_SIZE, - FORKAE_PAEF_128_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_192_aead_encrypt, - forkae_paef_128_192_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_256_cipher = { - "PAEF-ForkSkinny-128-256", - FORKAE_PAEF_128_256_KEY_SIZE, - FORKAE_PAEF_128_256_NONCE_SIZE, - FORKAE_PAEF_128_256_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_256_aead_encrypt, - forkae_paef_128_256_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_288_cipher = { - "PAEF-ForkSkinny-128-288", - FORKAE_PAEF_128_288_KEY_SIZE, - FORKAE_PAEF_128_288_NONCE_SIZE, - FORKAE_PAEF_128_288_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_288_aead_encrypt, - forkae_paef_128_288_aead_decrypt -}; - -aead_cipher_t const forkae_saef_128_192_cipher = { - "SAEF-ForkSkinny-128-192", - FORKAE_SAEF_128_192_KEY_SIZE, - FORKAE_SAEF_128_192_NONCE_SIZE, - FORKAE_SAEF_128_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_saef_128_192_aead_encrypt, - forkae_saef_128_192_aead_decrypt -}; - -aead_cipher_t const forkae_saef_128_256_cipher = { - "SAEF-ForkSkinny-128-256", - FORKAE_SAEF_128_256_KEY_SIZE, - FORKAE_SAEF_128_256_NONCE_SIZE, - FORKAE_SAEF_128_256_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_saef_128_256_aead_encrypt, - forkae_saef_128_256_aead_decrypt -}; - -/* PAEF-ForkSkinny-64-192 */ -#define FORKAE_ALG_NAME forkae_paef_64_192 -#define FORKAE_BLOCK_SIZE 8 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_64_192_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 24 -#define FORKAE_BLOCK_FUNC 
forkskinny_64_192 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-192 */ -#define FORKAE_ALG_NAME forkae_paef_128_192 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_192_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-256 */ -#define FORKAE_ALG_NAME forkae_paef_128_256 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_256_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-288 */ -#define FORKAE_ALG_NAME forkae_paef_128_288 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_288_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 7 -#define FORKAE_TWEAKEY_SIZE 48 -#define FORKAE_BLOCK_FUNC forkskinny_128_384 -#include "internal-forkae-paef.h" - -/* SAEF-ForkSkinny-128-192 */ -#define FORKAE_ALG_NAME forkae_saef_128_192 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_192_NONCE_SIZE -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_TWEAKEY_REDUCED_SIZE 24 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-saef.h" - -/* SAEF-ForkSkinny-128-256 */ -#define FORKAE_ALG_NAME forkae_saef_128_256 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_256_NONCE_SIZE -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_TWEAKEY_REDUCED_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-saef.h" diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-forkae-paef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-forkae-paef.h deleted file mode 100644 index 6f57b2b..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-forkae-paef.h +++ /dev/null 
@@ -1,273 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -/* We expect a number of macros to be defined before this file - * is included to configure the underlying ForkAE PAEF variant. - * - * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_paef_128_256 - * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). - * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. - * FORKAE_COUNTER_SIZE Size of the counter value for the cipher in bytes. - * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. - * FORKAE_BLOCK_FUNC Name of the block function; e.g. 
forkskinny_128_256 - */ -#if defined(FORKAE_ALG_NAME) - -#define FORKAE_CONCAT_INNER(name,suffix) name##suffix -#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) - -/* Limit on the amount of data we can process based on the counter size */ -#define FORKAE_PAEF_DATA_LIMIT \ - ((unsigned long long)((1ULL << (FORKAE_COUNTER_SIZE * 8)) * \ - (FORKAE_BLOCK_SIZE / 8)) - FORKAE_BLOCK_SIZE) - -/* Processes the associated data in PAEF mode */ -STATIC_INLINE void FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter) - (unsigned char tweakey[FORKAE_TWEAKEY_SIZE], - unsigned long long counter, unsigned char domain) -{ - unsigned posn; - counter |= (((unsigned long long)domain) << (FORKAE_COUNTER_SIZE * 8 - 3)); - for (posn = 0; posn < FORKAE_COUNTER_SIZE; ++posn) { - tweakey[16 + FORKAE_NONCE_SIZE + FORKAE_COUNTER_SIZE - 1 - posn] = - (unsigned char)counter; - counter >>= 8; - } -} - -/* Check that the last block is padded correctly; -1 if ok, 0 if not */ -STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (const unsigned char *block, unsigned len) -{ - int check = block[0] ^ 0x80; - while (len > 1) { - --len; - check |= block[len]; - } - return (check - 1) >> 8; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - unsigned long long counter; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + FORKAE_BLOCK_SIZE; - - /* Validate the size of the associated data and plaintext as there - * is a limit on the size of the PAEF counter field */ - if (adlen > FORKAE_PAEF_DATA_LIMIT || mlen > FORKAE_PAEF_DATA_LIMIT) - return -2; - - /* Format the initial tweakey with the 
key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - - /* Tag value starts at zero. We will XOR this with all of the - * intermediate tag values that are calculated for each block */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - counter = 1; - while (adlen > FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - ++counter; - } - if (adlen == FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - } else if (adlen != 0 || mlen == 0) { - unsigned temp = (unsigned)adlen; - memcpy(block, ad, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, sizeof(block) - temp - 1); - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - } - - /* If there is no message payload, then generate the tag and we are done */ - if (!mlen) { - memcpy(c, tag, sizeof(tag)); - return 0; - } - - /* Encrypt all plaintext blocks except the last */ - counter = 1; - while (mlen > FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - c += FORKAE_BLOCK_SIZE; - m += FORKAE_BLOCK_SIZE; - mlen -= FORKAE_BLOCK_SIZE; - ++counter; - } - - /* Encrypt the last block and generate the final authentication tag */ - if (mlen == FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); - 
FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); - } else { - unsigned temp = (unsigned)mlen; - memcpy(block, m, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, sizeof(block) - temp - 1); - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, temp); - } - return 0; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - unsigned char *mtemp = m; - unsigned long long counter; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < FORKAE_BLOCK_SIZE) - return -1; - clen -= FORKAE_BLOCK_SIZE; - *mlen = clen; - - /* Validate the size of the associated data and plaintext as there - * is a limit on the size of the PAEF counter field */ - if (adlen > FORKAE_PAEF_DATA_LIMIT || clen > FORKAE_PAEF_DATA_LIMIT) - return -2; - - /* Format the initial tweakey with the key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - - /* Tag value starts at zero. 
We will XOR this with all of the - * intermediate tag values that are calculated for each block */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - counter = 1; - while (adlen > FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - ++counter; - } - if (adlen == FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - } else if (adlen != 0 || clen == 0) { - unsigned temp = (unsigned)adlen; - memcpy(block, ad, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, sizeof(block) - temp - 1); - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - } - - /* If there is no message payload, then check the tag and we are done */ - if (!clen) - return aead_check_tag(m, clen, tag, c, sizeof(tag)); - - /* Decrypt all ciphertext blocks except the last */ - counter = 1; - while (clen > FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, c); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - c += FORKAE_BLOCK_SIZE; - m += FORKAE_BLOCK_SIZE; - clen -= FORKAE_BLOCK_SIZE; - ++counter; - } - - /* Decrypt the last block and check the final authentication tag */ - if (clen == FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); - lw_xor_block_2_src(m, c, tag, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, m); - return aead_check_tag - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, sizeof(tag)); - } else { - 
unsigned temp = (unsigned)clen; - unsigned char block2[FORKAE_BLOCK_SIZE]; - int check; - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); - lw_xor_block_2_src(block2, tag, c, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) - (tweakey, block2, block, block2); - check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (block2 + temp, FORKAE_BLOCK_SIZE - temp); - memcpy(m, block2, temp); - return aead_check_tag_precheck - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); - } -} - -#endif /* FORKAE_ALG_NAME */ - -/* Now undefine everything so that we can include this file again for - * another variant on the ForkAE PAEF algorithm */ -#undef FORKAE_ALG_NAME -#undef FORKAE_BLOCK_SIZE -#undef FORKAE_NONCE_SIZE -#undef FORKAE_COUNTER_SIZE -#undef FORKAE_TWEAKEY_SIZE -#undef FORKAE_BLOCK_FUNC -#undef FORKAE_CONCAT_INNER -#undef FORKAE_CONCAT -#undef FORKAE_PAEF_DATA_LIMIT diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-forkae-saef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-forkae-saef.h deleted file mode 100644 index 768bba4..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-forkae-saef.h +++ /dev/null 
@@ -1,251 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -/* We expect a number of macros to be defined before this file - * is included to configure the underlying ForkAE SAEF variant. - * - * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_saef_128_256 - * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). - * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. - * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. - * FORKAE_REDUCED_TWEAKEY_SIZE Size of the reduced tweakey without padding. - * FORKAE_BLOCK_FUNC Name of the block function; e.g. 
forkskinny_128_256 - */ -#if defined(FORKAE_ALG_NAME) - -#define FORKAE_CONCAT_INNER(name,suffix) name##suffix -#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) - -/* Check that the last block is padded correctly; -1 if ok, 0 if not */ -STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (const unsigned char *block, unsigned len) -{ - int check = block[0] ^ 0x80; - while (len > 1) { - --len; - check |= block[len]; - } - return (check - 1) >> 8; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + FORKAE_BLOCK_SIZE; - - /* Format the initial tweakey with the key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; - - /* Tag value starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - if (adlen > 0 || mlen == 0) { - while (adlen > FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - } - if (mlen == 0) - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; - if (adlen == FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 
16); - } else if (adlen != 0 || mlen == 0) { - unsigned temp = (unsigned)adlen; - lw_xor_block(tag, ad, temp); - tag[temp] ^= 0x80; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - } - } - - /* If there is no message payload, then generate the tag and we are done */ - if (!mlen) { - memcpy(c, tag, sizeof(tag)); - return 0; - } - - /* Encrypt all plaintext blocks except the last */ - while (mlen > FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(tag, block, FORKAE_BLOCK_SIZE); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - c += FORKAE_BLOCK_SIZE; - m += FORKAE_BLOCK_SIZE; - mlen -= FORKAE_BLOCK_SIZE; - } - - /* Encrypt the last block and generate the final authentication tag */ - if (mlen == FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); - } else { - unsigned temp = (unsigned)mlen; - memcpy(block, tag, FORKAE_BLOCK_SIZE); - lw_xor_block(block, m, temp); - block[temp] ^= 0x80; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, temp); - } - return 0; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - 
unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < FORKAE_BLOCK_SIZE) - return -1; - clen -= FORKAE_BLOCK_SIZE; - *mlen = clen; - - /* Format the initial tweakey with the key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; - - /* Tag value starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - if (adlen > 0 || clen == 0) { - while (adlen > FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - } - if (clen == 0) - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; - if (adlen == FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - } else if (adlen != 0 || clen == 0) { - unsigned temp = (unsigned)adlen; - lw_xor_block(tag, ad, temp); - tag[temp] ^= 0x80; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - } - } - - /* If there is no message payload, then check the tag and we are done */ - if (!clen) - return aead_check_tag(m, clen, tag, c, sizeof(tag)); - - /* Decrypt all ciphertext blocks except the last */ - while (clen > FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - 
FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); - lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); - memcpy(tag, block, FORKAE_BLOCK_SIZE); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - c += FORKAE_BLOCK_SIZE; - m += FORKAE_BLOCK_SIZE; - clen -= FORKAE_BLOCK_SIZE; - } - - /* Decrypt the last block and check the final authentication tag */ - if (clen == FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); - lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); - return aead_check_tag - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, FORKAE_BLOCK_SIZE); - } else { - unsigned temp = (unsigned)clen; - unsigned char mblock[FORKAE_BLOCK_SIZE]; - int check; - lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) - (tweakey, mblock, block, block); - lw_xor_block(mblock, tag, FORKAE_BLOCK_SIZE); - memcpy(m, mblock, temp); - check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (mblock + temp, FORKAE_BLOCK_SIZE - temp); - return aead_check_tag_precheck - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); - } -} - -#endif /* FORKAE_ALG_NAME */ - -/* Now undefine everything so that we can include this file again for - * another variant on the ForkAE SAEF algorithm */ -#undef FORKAE_ALG_NAME -#undef FORKAE_BLOCK_SIZE -#undef FORKAE_NONCE_SIZE -#undef FORKAE_COUNTER_SIZE -#undef FORKAE_TWEAKEY_SIZE -#undef FORKAE_TWEAKEY_REDUCED_SIZE -#undef FORKAE_BLOCK_FUNC -#undef FORKAE_CONCAT_INNER -#undef FORKAE_CONCAT diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-forkskinny.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-forkskinny.c deleted file mode 100644 index b050ff1..0000000 
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-forkskinny.c
+++ /dev/null
@@ -1,988 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-forkskinny.h" -#include "internal-skinnyutil.h" - -/** - * \brief 7-bit round constants for all ForkSkinny block ciphers. - */ -static unsigned char const RC[87] = { - 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7e, 0x7d, - 0x7b, 0x77, 0x6f, 0x5f, 0x3e, 0x7c, 0x79, 0x73, - 0x67, 0x4f, 0x1e, 0x3d, 0x7a, 0x75, 0x6b, 0x57, - 0x2e, 0x5c, 0x38, 0x70, 0x61, 0x43, 0x06, 0x0d, - 0x1b, 0x37, 0x6e, 0x5d, 0x3a, 0x74, 0x69, 0x53, - 0x26, 0x4c, 0x18, 0x31, 0x62, 0x45, 0x0a, 0x15, - 0x2b, 0x56, 0x2c, 0x58, 0x30, 0x60, 0x41, 0x02, - 0x05, 0x0b, 0x17, 0x2f, 0x5e, 0x3c, 0x78, 0x71, - 0x63, 0x47, 0x0e, 0x1d, 0x3b, 0x76, 0x6d, 0x5b, - 0x36, 0x6c, 0x59, 0x32, 0x64, 0x49, 0x12, 0x25, - 0x4a, 0x14, 0x29, 0x52, 0x24, 0x48, 0x10 -}; - -/** - * \brief Number of rounds of ForkSkinny-128-256 before forking. 
- */ -#define FORKSKINNY_128_256_ROUNDS_BEFORE 21 - -/** - * \brief Number of rounds of ForkSkinny-128-256 after forking. - */ -#define FORKSKINNY_128_256_ROUNDS_AFTER 27 - -/** - * \brief State information for ForkSkinny-128-256. - */ -typedef struct -{ - uint32_t TK1[4]; /**< First part of the tweakey */ - uint32_t TK2[4]; /**< Second part of the tweakey */ - uint32_t S[4]; /**< Current block state */ - -} forkskinny_128_256_state_t; - -/** - * \brief Applies one round of ForkSkinny-128-256. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - */ -static void forkskinny_128_256_round - (forkskinny_128_256_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Apply the S-box to all cells in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. 
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(state->TK1); - skinny128_permute_tk(state->TK2); - skinny128_LFSR2(state->TK2[0]); - skinny128_LFSR2(state->TK2[1]); -} - -void forkskinny_128_256_encrypt - (const unsigned char key[32], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_256_state_t state; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = le_load_word32(key + 28); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Run all of the rounds before the forking point */ - for (round = 0; round < FORKSKINNY_128_256_ROUNDS_BEFORE; ++round) { - forkskinny_128_256_round(&state, round); - } - - /* Determine which output blocks we need */ - if (output_left && output_right) { - /* We need both outputs so save the state at the forking point */ - uint32_t F[4]; - F[0] = state.S[0]; - F[1] = state.S[1]; - F[2] = state.S[2]; - F[3] = state.S[3]; - - /* Generate the right output block */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { - 
forkskinny_128_256_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - - /* Restore the state at the forking point */ - state.S[0] = F[0]; - state.S[1] = F[1]; - state.S[2] = F[2]; - state.S[3] = F[3]; - } - if (output_left) { - /* Generate the left output block */ - state.S[0] ^= 0x08040201U; /* Branching constant */ - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { - forkskinny_128_256_round(&state, round); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - } else { - /* We only need the right output block */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { - forkskinny_128_256_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - } -} - -/** - * \brief Applies one round of ForkSkinny-128-256 in reverse. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. 
- */ -static void forkskinny_128_256_inv_round - (forkskinny_128_256_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Permute TK1 and TK2 for the next round */ - skinny128_inv_LFSR2(state->TK2[0]); - skinny128_inv_LFSR2(state->TK2[1]); - skinny128_inv_permute_tk(state->TK1); - skinny128_inv_permute_tk(state->TK2); - - /* Inverse mix of the columns */ - temp = s0; - s0 = s1; - s1 = s2; - s2 = s3; - s3 = temp ^ s2; - s2 ^= s0; - s1 ^= s2; - - /* Shift the cells in the rows left, which moves the cell - * values down closer to the LSB. That is, we do a right - * rotate on the word to rotate the cells in the word left */ - s1 = rightRotate8(s1); - s2 = rightRotate16(s2); - s3 = rightRotate24(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all cells in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; -} - -void forkskinny_128_256_decrypt - (const unsigned char key[32], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_256_state_t state; - forkskinny_128_256_state_t fstate; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = 
le_load_word32(key + 28); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { - skinny128_permute_tk(state.TK1); - skinny128_permute_tk(state.TK2); - skinny128_LFSR2(state.TK2[0]); - skinny128_LFSR2(state.TK2[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER * 2); - round > (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); --round) { - forkskinny_128_256_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x08040201U; - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_128_256_ROUNDS_AFTER; ++round) { - skinny128_inv_LFSR2(state.TK2[0]); - skinny128_inv_LFSR2(state.TK2[1]); - skinny128_inv_permute_tk(state.TK1); - skinny128_inv_permute_tk(state.TK2); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_128_256_inv_round(&state, round - 1); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { - 
forkskinny_128_256_round(&fstate, round); - } - le_store_word32(output_right, fstate.S[0]); - le_store_word32(output_right + 4, fstate.S[1]); - le_store_word32(output_right + 8, fstate.S[2]); - le_store_word32(output_right + 12, fstate.S[3]); -} - -/** - * \brief Number of rounds of ForkSkinny-128-384 before forking. - */ -#define FORKSKINNY_128_384_ROUNDS_BEFORE 25 - -/** - * \brief Number of rounds of ForkSkinny-128-384 after forking. - */ -#define FORKSKINNY_128_384_ROUNDS_AFTER 31 - -/** - * \brief State information for ForkSkinny-128-384. - */ -typedef struct -{ - uint32_t TK1[4]; /**< First part of the tweakey */ - uint32_t TK2[4]; /**< Second part of the tweakey */ - uint32_t TK3[4]; /**< Third part of the tweakey */ - uint32_t S[4]; /**< Current block state */ - -} forkskinny_128_384_state_t; - -/** - * \brief Applies one round of ForkSkinny-128-384. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - */ -static void forkskinny_128_384_round - (forkskinny_128_384_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Apply the S-box to all cells in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. 
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny128_permute_tk(state->TK1); - skinny128_permute_tk(state->TK2); - skinny128_permute_tk(state->TK3); - skinny128_LFSR2(state->TK2[0]); - skinny128_LFSR2(state->TK2[1]); - skinny128_LFSR3(state->TK3[0]); - skinny128_LFSR3(state->TK3[1]); -} - -void forkskinny_128_384_encrypt - (const unsigned char key[48], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_384_state_t state; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = le_load_word32(key + 28); - state.TK3[0] = le_load_word32(key + 32); - state.TK3[1] = le_load_word32(key + 36); - state.TK3[2] = le_load_word32(key + 40); - state.TK3[3] = le_load_word32(key + 44); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Run all of the rounds before the forking point */ - for (round = 0; round < FORKSKINNY_128_384_ROUNDS_BEFORE; ++round) { - forkskinny_128_384_round(&state, round); - } - - /* Determine which output blocks we need */ - if (output_left && output_right) { - /* We need both outputs so save the state at the forking point */ - uint32_t F[4]; - F[0] = 
state.S[0]; - F[1] = state.S[1]; - F[2] = state.S[2]; - F[3] = state.S[3]; - - /* Generate the right output block */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - - /* Restore the state at the forking point */ - state.S[0] = F[0]; - state.S[1] = F[1]; - state.S[2] = F[2]; - state.S[3] = F[3]; - } - if (output_left) { - /* Generate the left output block */ - state.S[0] ^= 0x08040201U; /* Branching constant */ - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { - forkskinny_128_384_round(&state, round); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - } else { - /* We only need the right output block */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - } -} - -/** - * \brief Applies one round of ForkSkinny-128-384 in reverse. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. 
- */ -static void forkskinny_128_384_inv_round - (forkskinny_128_384_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Permute TK1 and TK2 for the next round */ - skinny128_inv_LFSR2(state->TK2[0]); - skinny128_inv_LFSR2(state->TK2[1]); - skinny128_inv_LFSR3(state->TK3[0]); - skinny128_inv_LFSR3(state->TK3[1]); - skinny128_inv_permute_tk(state->TK1); - skinny128_inv_permute_tk(state->TK2); - skinny128_inv_permute_tk(state->TK3); - - /* Inverse mix of the columns */ - temp = s0; - s0 = s1; - s1 = s2; - s2 = s3; - s3 = temp ^ s2; - s2 ^= s0; - s1 ^= s2; - - /* Shift the cells in the rows left, which moves the cell - * values down closer to the LSB. That is, we do a right - * rotate on the word to rotate the cells in the word left */ - s1 = rightRotate8(s1); - s2 = rightRotate16(s2); - s3 = rightRotate24(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all cells in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; -} - -void forkskinny_128_384_decrypt - (const unsigned char key[48], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_384_state_t state; - forkskinny_128_384_state_t fstate; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - 
state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = le_load_word32(key + 28); - state.TK3[0] = le_load_word32(key + 32); - state.TK3[1] = le_load_word32(key + 36); - state.TK3[2] = le_load_word32(key + 40); - state.TK3[3] = le_load_word32(key + 44); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { - skinny128_permute_tk(state.TK1); - skinny128_permute_tk(state.TK2); - skinny128_permute_tk(state.TK3); - skinny128_LFSR2(state.TK2[0]); - skinny128_LFSR2(state.TK2[1]); - skinny128_LFSR3(state.TK3[0]); - skinny128_LFSR3(state.TK3[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); - round > (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); --round) { - forkskinny_128_384_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x08040201U; - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_128_384_ROUNDS_AFTER; ++round) { - skinny128_inv_LFSR2(state.TK2[0]); - skinny128_inv_LFSR2(state.TK2[1]); - skinny128_inv_LFSR3(state.TK3[0]); - skinny128_inv_LFSR3(state.TK3[1]); - skinny128_inv_permute_tk(state.TK1); - skinny128_inv_permute_tk(state.TK2); - skinny128_inv_permute_tk(state.TK3); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = 
FORKSKINNY_128_384_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_128_384_inv_round(&state, round - 1); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&fstate, round); - } - le_store_word32(output_right, fstate.S[0]); - le_store_word32(output_right + 4, fstate.S[1]); - le_store_word32(output_right + 8, fstate.S[2]); - le_store_word32(output_right + 12, fstate.S[3]); -} - -/** - * \brief Number of rounds of ForkSkinny-64-192 before forking. - */ -#define FORKSKINNY_64_192_ROUNDS_BEFORE 17 - -/** - * \brief Number of rounds of ForkSkinny-64-192 after forking. - */ -#define FORKSKINNY_64_192_ROUNDS_AFTER 23 - -/** - * \brief State information for ForkSkinny-64-192. - */ -typedef struct -{ - uint16_t TK1[4]; /**< First part of the tweakey */ - uint16_t TK2[4]; /**< Second part of the tweakey */ - uint16_t TK3[4]; /**< Third part of the tweakey */ - uint16_t S[4]; /**< Current block state */ - -} forkskinny_64_192_state_t; - -/** - * \brief Applies one round of ForkSkinny-64-192. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - * - * Note: The cells of each row are order in big-endian nibble order - * so it is easiest to manage the rows in bit-endian byte order. 
- */ -static void forkskinny_64_192_round - (forkskinny_64_192_state_t *state, unsigned round) -{ - uint16_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Apply the S-box to all cells in the state */ - skinny64_sbox(s0); - skinny64_sbox(s1); - skinny64_sbox(s2); - skinny64_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - ((rc & 0x0F) << 12) ^ 0x0020; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ - ((rc & 0x70) << 8); - s2 ^= 0x2000; - - /* Shift the cells in the rows right */ - s1 = rightRotate4_16(s1); - s2 = rightRotate8_16(s2); - s3 = rightRotate12_16(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny64_permute_tk(state->TK1); - skinny64_permute_tk(state->TK2); - skinny64_permute_tk(state->TK3); - skinny64_LFSR2(state->TK2[0]); - skinny64_LFSR2(state->TK2[1]); - skinny64_LFSR3(state->TK3[0]); - skinny64_LFSR3(state->TK3[1]); -} - -void forkskinny_64_192_encrypt - (const unsigned char key[24], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_64_192_state_t state; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = be_load_word16(key); - state.TK1[1] = be_load_word16(key + 2); - state.TK1[2] = be_load_word16(key + 4); - state.TK1[3] = be_load_word16(key + 6); - state.TK2[0] = be_load_word16(key + 8); - state.TK2[1] = be_load_word16(key + 10); - state.TK2[2] = be_load_word16(key + 12); - state.TK2[3] = be_load_word16(key + 14); - state.TK3[0] = be_load_word16(key + 16); - state.TK3[1] = 
be_load_word16(key + 18); - state.TK3[2] = be_load_word16(key + 20); - state.TK3[3] = be_load_word16(key + 22); - state.S[0] = be_load_word16(input); - state.S[1] = be_load_word16(input + 2); - state.S[2] = be_load_word16(input + 4); - state.S[3] = be_load_word16(input + 6); - - /* Run all of the rounds before the forking point */ - for (round = 0; round < FORKSKINNY_64_192_ROUNDS_BEFORE; ++round) { - forkskinny_64_192_round(&state, round); - } - - /* Determine which output blocks we need */ - if (output_left && output_right) { - /* We need both outputs so save the state at the forking point */ - uint16_t F[4]; - F[0] = state.S[0]; - F[1] = state.S[1]; - F[2] = state.S[2]; - F[3] = state.S[3]; - - /* Generate the right output block */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_right, state.S[0]); - be_store_word16(output_right + 2, state.S[1]); - be_store_word16(output_right + 4, state.S[2]); - be_store_word16(output_right + 6, state.S[3]); - - /* Restore the state at the forking point */ - state.S[0] = F[0]; - state.S[1] = F[1]; - state.S[2] = F[2]; - state.S[3] = F[3]; - } - if (output_left) { - /* Generate the left output block */ - state.S[0] ^= 0x1249U; /* Branching constant */ - state.S[1] ^= 0x36daU; - state.S[2] ^= 0x5b7fU; - state.S[3] ^= 0xec81U; - for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_left, state.S[0]); - be_store_word16(output_left + 2, state.S[1]); - be_store_word16(output_left + 4, state.S[2]); - be_store_word16(output_left + 6, state.S[3]); - } else { - /* We only need the right output block */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < 
(FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_right, state.S[0]); - be_store_word16(output_right + 2, state.S[1]); - be_store_word16(output_right + 4, state.S[2]); - be_store_word16(output_right + 6, state.S[3]); - } -} - -/** - * \brief Applies one round of ForkSkinny-64-192 in reverse. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - */ -static void forkskinny_64_192_inv_round - (forkskinny_64_192_state_t *state, unsigned round) -{ - uint16_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny64_inv_LFSR2(state->TK2[0]); - skinny64_inv_LFSR2(state->TK2[1]); - skinny64_inv_LFSR3(state->TK3[0]); - skinny64_inv_LFSR3(state->TK3[1]); - skinny64_inv_permute_tk(state->TK1); - skinny64_inv_permute_tk(state->TK2); - skinny64_inv_permute_tk(state->TK3); - - /* Inverse mix of the columns */ - temp = s0; - s0 = s1; - s1 = s2; - s2 = s3; - s3 = temp ^ s2; - s2 ^= s0; - s1 ^= s2; - - /* Shift the cells in the rows left */ - s1 = leftRotate4_16(s1); - s2 = leftRotate8_16(s2); - s3 = leftRotate12_16(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - ((rc & 0x0F) << 12) ^ 0x0020; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ - ((rc & 0x70) << 8); - s2 ^= 0x2000; - - /* Apply the inverse of the S-box to all cells in the state */ - skinny64_inv_sbox(s0); - skinny64_inv_sbox(s1); - skinny64_inv_sbox(s2); - skinny64_inv_sbox(s3); - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; -} - -void forkskinny_64_192_decrypt - (const unsigned char key[24], unsigned char *output_left, - 
unsigned char *output_right, const unsigned char *input) -{ - forkskinny_64_192_state_t state; - forkskinny_64_192_state_t fstate; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = be_load_word16(key); - state.TK1[1] = be_load_word16(key + 2); - state.TK1[2] = be_load_word16(key + 4); - state.TK1[3] = be_load_word16(key + 6); - state.TK2[0] = be_load_word16(key + 8); - state.TK2[1] = be_load_word16(key + 10); - state.TK2[2] = be_load_word16(key + 12); - state.TK2[3] = be_load_word16(key + 14); - state.TK3[0] = be_load_word16(key + 16); - state.TK3[1] = be_load_word16(key + 18); - state.TK3[2] = be_load_word16(key + 20); - state.TK3[3] = be_load_word16(key + 22); - state.S[0] = be_load_word16(input); - state.S[1] = be_load_word16(input + 2); - state.S[2] = be_load_word16(input + 4); - state.S[3] = be_load_word16(input + 6); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { - skinny64_permute_tk(state.TK1); - skinny64_permute_tk(state.TK2); - skinny64_permute_tk(state.TK3); - skinny64_LFSR2(state.TK2[0]); - skinny64_LFSR2(state.TK2[1]); - skinny64_LFSR3(state.TK3[0]); - skinny64_LFSR3(state.TK3[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); - round > (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); --round) { - forkskinny_64_192_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x1249U; - state.S[1] ^= 0x36daU; - state.S[2] ^= 0x5b7fU; - state.S[3] ^= 0xec81U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_64_192_ROUNDS_AFTER; ++round) { - skinny64_inv_LFSR2(state.TK2[0]); - skinny64_inv_LFSR2(state.TK2[1]); - skinny64_inv_LFSR3(state.TK3[0]); - 
skinny64_inv_LFSR3(state.TK3[1]); - skinny64_inv_permute_tk(state.TK1); - skinny64_inv_permute_tk(state.TK2); - skinny64_inv_permute_tk(state.TK3); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_64_192_inv_round(&state, round - 1); - } - be_store_word16(output_left, state.S[0]); - be_store_word16(output_left + 2, state.S[1]); - be_store_word16(output_left + 4, state.S[2]); - be_store_word16(output_left + 6, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&fstate, round); - } - be_store_word16(output_right, fstate.S[0]); - be_store_word16(output_right + 2, fstate.S[1]); - be_store_word16(output_right + 4, fstate.S[2]); - be_store_word16(output_right + 6, fstate.S[3]); -} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-forkskinny.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-forkskinny.h deleted file mode 100644 index 0c1a707..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-forkskinny.h +++ /dev/null 
@@ -1,141 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_FORKSKINNY_H
-#define LW_INTERNAL_FORKSKINNY_H
-
-/**
- * \file internal-forkskinny.h
- * \brief ForkSkinny block cipher family.
- *
- * ForkSkinny is a modified version of the SKINNY block cipher that
- * supports "forking": half-way through the rounds the cipher is
- * forked in two different directions to produce two different outputs.
- *
- * References: https://www.esat.kuleuven.be/cosic/forkae/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts a block of plaintext with ForkSkinny-128-256.
- *
- * \param key 256-bit tweakey for ForkSkinny-128-256.
- * \param output_left Left output block for the ciphertext, or NULL if
- * the left output is not required.
- * \param output_right Right output block for the authentication tag,
- * or NULL if the right output is not required.
- * \param input 128-bit input plaintext block.
- *
- * ForkSkinny-128-192 also uses this function with a padded tweakey.
- */
-void forkskinny_128_256_encrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Decrypts a block of ciphertext with ForkSkinny-128-256.
- *
- * \param key 256-bit tweakey for ForkSkinny-128-256.
- * \param output_left Left output block, which is the plaintext.
- * \param output_right Right output block for the authentication tag.
- * \param input 128-bit input ciphertext block.
- *
- * Both output blocks will be populated; neither is optional.
- */
-void forkskinny_128_256_decrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Encrypts a block of plaintext with ForkSkinny-128-384.
- *
- * \param key 384-bit tweakey for ForkSkinny-128-384.
- * \param output_left Left output block for the ciphertext, or NULL if
- * the left output is not required.
- * \param output_right Right output block for the authentication tag,
- * or NULL if the right output is not required.
- * \param input 128-bit input plaintext block.
- *
- * ForkSkinny-128-288 also uses this function with a padded tweakey.
- */
-void forkskinny_128_384_encrypt
- (const unsigned char key[48], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Decrypts a block of ciphertext with ForkSkinny-128-384.
- *
- * \param key 384-bit tweakey for ForkSkinny-128-384.
- * \param output_left Left output block, which is the plaintext.
- * \param output_right Right output block for the authentication tag.
- * \param input 128-bit input ciphertext block.
- *
- * Both output blocks will be populated; neither is optional.
- */
-void forkskinny_128_384_decrypt
- (const unsigned char key[48], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Encrypts a block of input with ForkSkinny-64-192.
- *
- * \param key 192-bit tweakey for ForkSkinny-64-192.
- * \param output_left First output block, or NULL if left is not required.
- * \param output_right Second output block, or NULL if right is not required.
- * \param input 64-bit input block.
- */
-/**
- * \brief Encrypts a block of plaintext with ForkSkinny-64-192.
- *
- * \param key 192-bit tweakey for ForkSkinny-64-192.
- * \param output_left Left output block for the ciphertext, or NULL if
- * the left output is not required.
- * \param output_right Right output block for the authentication tag,
- * or NULL if the right output is not required.
- * \param input 64-bit input plaintext block.
- */
-void forkskinny_64_192_encrypt
- (const unsigned char key[24], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Decrypts a block of ciphertext with ForkSkinny-64-192.
- *
- * \param key 192-bit tweakey for ForkSkinny-64-192.
- * \param output_left Left output block, which is the plaintext.
- * \param output_right Right output block for the authentication tag.
- * \param input 64-bit input ciphertext block.
- *
- * Both output blocks will be populated; neither is optional.
- */
-void forkskinny_64_192_decrypt
- (const unsigned char key[24], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-util.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-util.h
+++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/api.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/api.h
deleted file mode 100644
index 6c701b5..0000000
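Review bot: The 62 composed definitions added here (`leftRotate1`..`leftRotate31` plus the `rightRotateN` aliases) are compiled only when `LW_CRYPTO_ROTATE32_COMPOSED` is 1, so a slip in one nesting depth would change the permutation on AVR alone and surface as a cross-platform test-vector mismatch rather than a build error; I walked each composition against the count in its comment and they agree, but nothing visible in this diff enforces that. Consider a host-side check compiled with the composed set forced on, asserting `leftRotateN(x) == leftRotate((x), N)` and `rightRotateN(x) == rightRotate((x), N)` for N = 1..31 over a few bit patterns. To make that possible, the selector in the `@@ -238` hunk could honour a predefined value by wrapping the `#if defined(__AVR__)` ... `#endif` block in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` / `#endif`. The header comment `/* Composed rotation macros where 1 and 8 are fast, but others are slow */` understates the bases actually used; `/* Composed rotation macros: rotates by 1 and by multiples of 8 are fast, everything else is built from them */` matches the 16- and 24-bit bases below it.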
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 14
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/encrypt.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/encrypt.c
deleted file mode 100644
index be76f9b..0000000
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "forkae.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return forkae_paef_128_256_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return forkae_paef_128_256_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/forkae.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/forkae.c
deleted file mode 100644
index 4a9671a..0000000
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/forkae.c
+++ /dev/null
@@ -1,140 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "forkae.h" -#include "internal-forkskinny.h" -#include "internal-util.h" -#include - -aead_cipher_t const forkae_paef_64_192_cipher = { - "PAEF-ForkSkinny-64-192", - FORKAE_PAEF_64_192_KEY_SIZE, - FORKAE_PAEF_64_192_NONCE_SIZE, - FORKAE_PAEF_64_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_64_192_aead_encrypt, - forkae_paef_64_192_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_192_cipher = { - "PAEF-ForkSkinny-128-192", - FORKAE_PAEF_128_192_KEY_SIZE, - FORKAE_PAEF_128_192_NONCE_SIZE, - FORKAE_PAEF_128_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_192_aead_encrypt, - forkae_paef_128_192_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_256_cipher = { - "PAEF-ForkSkinny-128-256", - FORKAE_PAEF_128_256_KEY_SIZE, - FORKAE_PAEF_128_256_NONCE_SIZE, - FORKAE_PAEF_128_256_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_256_aead_encrypt, - forkae_paef_128_256_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_288_cipher = { - "PAEF-ForkSkinny-128-288", - FORKAE_PAEF_128_288_KEY_SIZE, - FORKAE_PAEF_128_288_NONCE_SIZE, - FORKAE_PAEF_128_288_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_288_aead_encrypt, - forkae_paef_128_288_aead_decrypt -}; - -aead_cipher_t const forkae_saef_128_192_cipher = { - "SAEF-ForkSkinny-128-192", - FORKAE_SAEF_128_192_KEY_SIZE, - FORKAE_SAEF_128_192_NONCE_SIZE, - FORKAE_SAEF_128_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_saef_128_192_aead_encrypt, - forkae_saef_128_192_aead_decrypt -}; - -aead_cipher_t const forkae_saef_128_256_cipher = { - "SAEF-ForkSkinny-128-256", - FORKAE_SAEF_128_256_KEY_SIZE, - FORKAE_SAEF_128_256_NONCE_SIZE, - FORKAE_SAEF_128_256_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_saef_128_256_aead_encrypt, - forkae_saef_128_256_aead_decrypt -}; - -/* PAEF-ForkSkinny-64-192 */ -#define FORKAE_ALG_NAME forkae_paef_64_192 -#define FORKAE_BLOCK_SIZE 8 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_64_192_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 24 -#define FORKAE_BLOCK_FUNC 
forkskinny_64_192 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-192 */ -#define FORKAE_ALG_NAME forkae_paef_128_192 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_192_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-256 */ -#define FORKAE_ALG_NAME forkae_paef_128_256 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_256_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-288 */ -#define FORKAE_ALG_NAME forkae_paef_128_288 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_288_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 7 -#define FORKAE_TWEAKEY_SIZE 48 -#define FORKAE_BLOCK_FUNC forkskinny_128_384 -#include "internal-forkae-paef.h" - -/* SAEF-ForkSkinny-128-192 */ -#define FORKAE_ALG_NAME forkae_saef_128_192 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_192_NONCE_SIZE -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_TWEAKEY_REDUCED_SIZE 24 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-saef.h" - -/* SAEF-ForkSkinny-128-256 */ -#define FORKAE_ALG_NAME forkae_saef_128_256 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_256_NONCE_SIZE -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_TWEAKEY_REDUCED_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-saef.h" diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-forkae-paef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-forkae-paef.h deleted file mode 100644 index 6f57b2b..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-forkae-paef.h +++ /dev/null 
@@ -1,273 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -/* We expect a number of macros to be defined before this file - * is included to configure the underlying ForkAE PAEF variant. - * - * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_paef_128_256 - * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). - * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. - * FORKAE_COUNTER_SIZE Size of the counter value for the cipher in bytes. - * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. - * FORKAE_BLOCK_FUNC Name of the block function; e.g. 
forkskinny_128_256 - */ -#if defined(FORKAE_ALG_NAME) - -#define FORKAE_CONCAT_INNER(name,suffix) name##suffix -#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) - -/* Limit on the amount of data we can process based on the counter size */ -#define FORKAE_PAEF_DATA_LIMIT \ - ((unsigned long long)((1ULL << (FORKAE_COUNTER_SIZE * 8)) * \ - (FORKAE_BLOCK_SIZE / 8)) - FORKAE_BLOCK_SIZE) - -/* Processes the associated data in PAEF mode */ -STATIC_INLINE void FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter) - (unsigned char tweakey[FORKAE_TWEAKEY_SIZE], - unsigned long long counter, unsigned char domain) -{ - unsigned posn; - counter |= (((unsigned long long)domain) << (FORKAE_COUNTER_SIZE * 8 - 3)); - for (posn = 0; posn < FORKAE_COUNTER_SIZE; ++posn) { - tweakey[16 + FORKAE_NONCE_SIZE + FORKAE_COUNTER_SIZE - 1 - posn] = - (unsigned char)counter; - counter >>= 8; - } -} - -/* Check that the last block is padded correctly; -1 if ok, 0 if not */ -STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (const unsigned char *block, unsigned len) -{ - int check = block[0] ^ 0x80; - while (len > 1) { - --len; - check |= block[len]; - } - return (check - 1) >> 8; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - unsigned long long counter; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + FORKAE_BLOCK_SIZE; - - /* Validate the size of the associated data and plaintext as there - * is a limit on the size of the PAEF counter field */ - if (adlen > FORKAE_PAEF_DATA_LIMIT || mlen > FORKAE_PAEF_DATA_LIMIT) - return -2; - - /* Format the initial tweakey with the 
key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - - /* Tag value starts at zero. We will XOR this with all of the - * intermediate tag values that are calculated for each block */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - counter = 1; - while (adlen > FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - ++counter; - } - if (adlen == FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - } else if (adlen != 0 || mlen == 0) { - unsigned temp = (unsigned)adlen; - memcpy(block, ad, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, sizeof(block) - temp - 1); - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - } - - /* If there is no message payload, then generate the tag and we are done */ - if (!mlen) { - memcpy(c, tag, sizeof(tag)); - return 0; - } - - /* Encrypt all plaintext blocks except the last */ - counter = 1; - while (mlen > FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - c += FORKAE_BLOCK_SIZE; - m += FORKAE_BLOCK_SIZE; - mlen -= FORKAE_BLOCK_SIZE; - ++counter; - } - - /* Encrypt the last block and generate the final authentication tag */ - if (mlen == FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); - 
FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); - } else { - unsigned temp = (unsigned)mlen; - memcpy(block, m, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, sizeof(block) - temp - 1); - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, temp); - } - return 0; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - unsigned char *mtemp = m; - unsigned long long counter; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < FORKAE_BLOCK_SIZE) - return -1; - clen -= FORKAE_BLOCK_SIZE; - *mlen = clen; - - /* Validate the size of the associated data and plaintext as there - * is a limit on the size of the PAEF counter field */ - if (adlen > FORKAE_PAEF_DATA_LIMIT || clen > FORKAE_PAEF_DATA_LIMIT) - return -2; - - /* Format the initial tweakey with the key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - - /* Tag value starts at zero. 
We will XOR this with all of the - * intermediate tag values that are calculated for each block */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - counter = 1; - while (adlen > FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - ++counter; - } - if (adlen == FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - } else if (adlen != 0 || clen == 0) { - unsigned temp = (unsigned)adlen; - memcpy(block, ad, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, sizeof(block) - temp - 1); - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - } - - /* If there is no message payload, then check the tag and we are done */ - if (!clen) - return aead_check_tag(m, clen, tag, c, sizeof(tag)); - - /* Decrypt all ciphertext blocks except the last */ - counter = 1; - while (clen > FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, c); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - c += FORKAE_BLOCK_SIZE; - m += FORKAE_BLOCK_SIZE; - clen -= FORKAE_BLOCK_SIZE; - ++counter; - } - - /* Decrypt the last block and check the final authentication tag */ - if (clen == FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); - lw_xor_block_2_src(m, c, tag, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, m); - return aead_check_tag - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, sizeof(tag)); - } else { - 
unsigned temp = (unsigned)clen; - unsigned char block2[FORKAE_BLOCK_SIZE]; - int check; - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); - lw_xor_block_2_src(block2, tag, c, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) - (tweakey, block2, block, block2); - check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (block2 + temp, FORKAE_BLOCK_SIZE - temp); - memcpy(m, block2, temp); - return aead_check_tag_precheck - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); - } -} - -#endif /* FORKAE_ALG_NAME */ - -/* Now undefine everything so that we can include this file again for - * another variant on the ForkAE PAEF algorithm */ -#undef FORKAE_ALG_NAME -#undef FORKAE_BLOCK_SIZE -#undef FORKAE_NONCE_SIZE -#undef FORKAE_COUNTER_SIZE -#undef FORKAE_TWEAKEY_SIZE -#undef FORKAE_BLOCK_FUNC -#undef FORKAE_CONCAT_INNER -#undef FORKAE_CONCAT -#undef FORKAE_PAEF_DATA_LIMIT diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-forkae-saef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-forkae-saef.h deleted file mode 100644 index 768bba4..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-forkae-saef.h +++ /dev/null 
@@ -1,251 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-/* We expect a number of macros to be defined before this file
- * is included to configure the underlying ForkAE SAEF variant.
- *
- * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_saef_128_256
- * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes).
- * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes.
- * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher.
- * FORKAE_REDUCED_TWEAKEY_SIZE Size of the reduced tweakey without padding.
- * FORKAE_BLOCK_FUNC Name of the block function; e.g.
forkskinny_128_256 - */ -#if defined(FORKAE_ALG_NAME) - -#define FORKAE_CONCAT_INNER(name,suffix) name##suffix -#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) - -/* Check that the last block is padded correctly; -1 if ok, 0 if not */ -STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (const unsigned char *block, unsigned len) -{ - int check = block[0] ^ 0x80; - while (len > 1) { - --len; - check |= block[len]; - } - return (check - 1) >> 8; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + FORKAE_BLOCK_SIZE; - - /* Format the initial tweakey with the key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; - - /* Tag value starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - if (adlen > 0 || mlen == 0) { - while (adlen > FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - } - if (mlen == 0) - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; - if (adlen == FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 
16); - } else if (adlen != 0 || mlen == 0) { - unsigned temp = (unsigned)adlen; - lw_xor_block(tag, ad, temp); - tag[temp] ^= 0x80; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - } - } - - /* If there is no message payload, then generate the tag and we are done */ - if (!mlen) { - memcpy(c, tag, sizeof(tag)); - return 0; - } - - /* Encrypt all plaintext blocks except the last */ - while (mlen > FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(tag, block, FORKAE_BLOCK_SIZE); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - c += FORKAE_BLOCK_SIZE; - m += FORKAE_BLOCK_SIZE; - mlen -= FORKAE_BLOCK_SIZE; - } - - /* Encrypt the last block and generate the final authentication tag */ - if (mlen == FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); - } else { - unsigned temp = (unsigned)mlen; - memcpy(block, tag, FORKAE_BLOCK_SIZE); - lw_xor_block(block, m, temp); - block[temp] ^= 0x80; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, temp); - } - return 0; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - 
unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < FORKAE_BLOCK_SIZE) - return -1; - clen -= FORKAE_BLOCK_SIZE; - *mlen = clen; - - /* Format the initial tweakey with the key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; - - /* Tag value starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - if (adlen > 0 || clen == 0) { - while (adlen > FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - } - if (clen == 0) - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; - if (adlen == FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - } else if (adlen != 0 || clen == 0) { - unsigned temp = (unsigned)adlen; - lw_xor_block(tag, ad, temp); - tag[temp] ^= 0x80; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - } - } - - /* If there is no message payload, then check the tag and we are done */ - if (!clen) - return aead_check_tag(m, clen, tag, c, sizeof(tag)); - - /* Decrypt all ciphertext blocks except the last */ - while (clen > FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - 
FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); - lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); - memcpy(tag, block, FORKAE_BLOCK_SIZE); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - c += FORKAE_BLOCK_SIZE; - m += FORKAE_BLOCK_SIZE; - clen -= FORKAE_BLOCK_SIZE; - } - - /* Decrypt the last block and check the final authentication tag */ - if (clen == FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); - lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); - return aead_check_tag - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, FORKAE_BLOCK_SIZE); - } else { - unsigned temp = (unsigned)clen; - unsigned char mblock[FORKAE_BLOCK_SIZE]; - int check; - lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) - (tweakey, mblock, block, block); - lw_xor_block(mblock, tag, FORKAE_BLOCK_SIZE); - memcpy(m, mblock, temp); - check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (mblock + temp, FORKAE_BLOCK_SIZE - temp); - return aead_check_tag_precheck - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); - } -} - -#endif /* FORKAE_ALG_NAME */ - -/* Now undefine everything so that we can include this file again for - * another variant on the ForkAE SAEF algorithm */ -#undef FORKAE_ALG_NAME -#undef FORKAE_BLOCK_SIZE -#undef FORKAE_NONCE_SIZE -#undef FORKAE_COUNTER_SIZE -#undef FORKAE_TWEAKEY_SIZE -#undef FORKAE_TWEAKEY_REDUCED_SIZE -#undef FORKAE_BLOCK_FUNC -#undef FORKAE_CONCAT_INNER -#undef FORKAE_CONCAT diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-forkskinny.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-forkskinny.c deleted file mode 100644 index b050ff1..0000000 
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-forkskinny.c
+++ /dev/null
@@ -1,988 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-forkskinny.h"
-#include "internal-skinnyutil.h"
-
-/**
- * \brief 7-bit round constants for all ForkSkinny block ciphers.
- */
-static unsigned char const RC[87] = {
- 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7e, 0x7d,
- 0x7b, 0x77, 0x6f, 0x5f, 0x3e, 0x7c, 0x79, 0x73,
- 0x67, 0x4f, 0x1e, 0x3d, 0x7a, 0x75, 0x6b, 0x57,
- 0x2e, 0x5c, 0x38, 0x70, 0x61, 0x43, 0x06, 0x0d,
- 0x1b, 0x37, 0x6e, 0x5d, 0x3a, 0x74, 0x69, 0x53,
- 0x26, 0x4c, 0x18, 0x31, 0x62, 0x45, 0x0a, 0x15,
- 0x2b, 0x56, 0x2c, 0x58, 0x30, 0x60, 0x41, 0x02,
- 0x05, 0x0b, 0x17, 0x2f, 0x5e, 0x3c, 0x78, 0x71,
- 0x63, 0x47, 0x0e, 0x1d, 0x3b, 0x76, 0x6d, 0x5b,
- 0x36, 0x6c, 0x59, 0x32, 0x64, 0x49, 0x12, 0x25,
- 0x4a, 0x14, 0x29, 0x52, 0x24, 0x48, 0x10
-};
-
-/**
- * \brief Number of rounds of ForkSkinny-128-256 before forking.
- */
-#define FORKSKINNY_128_256_ROUNDS_BEFORE 21
-
-/**
- * \brief Number of rounds of ForkSkinny-128-256 after forking.
- */
-#define FORKSKINNY_128_256_ROUNDS_AFTER 27
-
-/**
- * \brief State information for ForkSkinny-128-256.
- */
-typedef struct
-{
- uint32_t TK1[4]; /**< First part of the tweakey */
- uint32_t TK2[4]; /**< Second part of the tweakey */
- uint32_t S[4]; /**< Current block state */
-
-} forkskinny_128_256_state_t;
-
-/**
- * \brief Applies one round of ForkSkinny-128-256.
- *
- * \param state State to apply the round to.
- * \param round Number of the round to apply.
- */
-static void forkskinny_128_256_round
- (forkskinny_128_256_state_t *state, unsigned round)
-{
- uint32_t s0, s1, s2, s3, temp;
- uint8_t rc;
-
- /* Load the state into local variables */
- s0 = state->S[0];
- s1 = state->S[1];
- s2 = state->S[2];
- s3 = state->S[3];
-
- /* Apply the S-box to all cells in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = RC[round];
- s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000;
- s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB.
That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Save the local variables back to the state */
- state->S[0] = s0;
- state->S[1] = s1;
- state->S[2] = s2;
- state->S[3] = s3;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(state->TK1);
- skinny128_permute_tk(state->TK2);
- skinny128_LFSR2(state->TK2[0]);
- skinny128_LFSR2(state->TK2[1]);
-}
-
-void forkskinny_128_256_encrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input)
-{
- forkskinny_128_256_state_t state;
- unsigned round;
-
- /* Unpack the tweakey and the input */
- state.TK1[0] = le_load_word32(key);
- state.TK1[1] = le_load_word32(key + 4);
- state.TK1[2] = le_load_word32(key + 8);
- state.TK1[3] = le_load_word32(key + 12);
- state.TK2[0] = le_load_word32(key + 16);
- state.TK2[1] = le_load_word32(key + 20);
- state.TK2[2] = le_load_word32(key + 24);
- state.TK2[3] = le_load_word32(key + 28);
- state.S[0] = le_load_word32(input);
- state.S[1] = le_load_word32(input + 4);
- state.S[2] = le_load_word32(input + 8);
- state.S[3] = le_load_word32(input + 12);
-
- /* Run all of the rounds before the forking point */
- for (round = 0; round < FORKSKINNY_128_256_ROUNDS_BEFORE; ++round) {
- forkskinny_128_256_round(&state, round);
- }
-
- /* Determine which output blocks we need */
- if (output_left && output_right) {
- /* We need both outputs so save the state at the forking point */
- uint32_t F[4];
- F[0] = state.S[0];
- F[1] = state.S[1];
- F[2] = state.S[2];
- F[3] = state.S[3];
-
- /* Generate the right output block */
- for (round = FORKSKINNY_128_256_ROUNDS_BEFORE;
- round < (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER); ++round) {
-
forkskinny_128_256_round(&state, round);
- }
- le_store_word32(output_right, state.S[0]);
- le_store_word32(output_right + 4, state.S[1]);
- le_store_word32(output_right + 8, state.S[2]);
- le_store_word32(output_right + 12, state.S[3]);
-
- /* Restore the state at the forking point */
- state.S[0] = F[0];
- state.S[1] = F[1];
- state.S[2] = F[2];
- state.S[3] = F[3];
- }
- if (output_left) {
- /* Generate the left output block */
- state.S[0] ^= 0x08040201U; /* Branching constant */
- state.S[1] ^= 0x82412010U;
- state.S[2] ^= 0x28140a05U;
- state.S[3] ^= 0x8844a251U;
- for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER);
- round < (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) {
- forkskinny_128_256_round(&state, round);
- }
- le_store_word32(output_left, state.S[0]);
- le_store_word32(output_left + 4, state.S[1]);
- le_store_word32(output_left + 8, state.S[2]);
- le_store_word32(output_left + 12, state.S[3]);
- } else {
- /* We only need the right output block */
- for (round = FORKSKINNY_128_256_ROUNDS_BEFORE;
- round < (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER); ++round) {
- forkskinny_128_256_round(&state, round);
- }
- le_store_word32(output_right, state.S[0]);
- le_store_word32(output_right + 4, state.S[1]);
- le_store_word32(output_right + 8, state.S[2]);
- le_store_word32(output_right + 12, state.S[3]);
- }
-}
-
-/**
- * \brief Applies one round of ForkSkinny-128-256 in reverse.
- *
- * \param state State to apply the round to.
- * \param round Number of the round to apply.
- */
-static void forkskinny_128_256_inv_round
- (forkskinny_128_256_state_t *state, unsigned round)
-{
- uint32_t s0, s1, s2, s3, temp;
- uint8_t rc;
-
- /* Load the state into local variables */
- s0 = state->S[0];
- s1 = state->S[1];
- s2 = state->S[2];
- s3 = state->S[3];
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_inv_LFSR2(state->TK2[0]);
- skinny128_inv_LFSR2(state->TK2[1]);
- skinny128_inv_permute_tk(state->TK1);
- skinny128_inv_permute_tk(state->TK2);
-
- /* Inverse mix of the columns */
- temp = s0;
- s0 = s1;
- s1 = s2;
- s2 = s3;
- s3 = temp ^ s2;
- s2 ^= s0;
- s1 ^= s2;
-
- /* Shift the cells in the rows left, which moves the cell
- * values down closer to the LSB. That is, we do a right
- * rotate on the word to rotate the cells in the word left */
- s1 = rightRotate8(s1);
- s2 = rightRotate16(s2);
- s3 = rightRotate24(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = RC[round];
- s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000;
- s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all cells in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
-
- /* Save the local variables back to the state */
- state->S[0] = s0;
- state->S[1] = s1;
- state->S[2] = s2;
- state->S[3] = s3;
-}
-
-void forkskinny_128_256_decrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input)
-{
- forkskinny_128_256_state_t state;
- forkskinny_128_256_state_t fstate;
- unsigned round;
-
- /* Unpack the tweakey and the input */
- state.TK1[0] = le_load_word32(key);
- state.TK1[1] = le_load_word32(key + 4);
- state.TK1[2] = le_load_word32(key + 8);
- state.TK1[3] = le_load_word32(key + 12);
- state.TK2[0] = le_load_word32(key + 16);
- state.TK2[1] = le_load_word32(key + 20);
- state.TK2[2] = le_load_word32(key + 24);
- state.TK2[3] =
le_load_word32(key + 28); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { - skinny128_permute_tk(state.TK1); - skinny128_permute_tk(state.TK2); - skinny128_LFSR2(state.TK2[0]); - skinny128_LFSR2(state.TK2[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER * 2); - round > (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); --round) { - forkskinny_128_256_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x08040201U; - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_128_256_ROUNDS_AFTER; ++round) { - skinny128_inv_LFSR2(state.TK2[0]); - skinny128_inv_LFSR2(state.TK2[1]); - skinny128_inv_permute_tk(state.TK1); - skinny128_inv_permute_tk(state.TK2); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_128_256_inv_round(&state, round - 1); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { - 
forkskinny_128_256_round(&fstate, round);
- }
- le_store_word32(output_right, fstate.S[0]);
- le_store_word32(output_right + 4, fstate.S[1]);
- le_store_word32(output_right + 8, fstate.S[2]);
- le_store_word32(output_right + 12, fstate.S[3]);
-}
-
-/**
- * \brief Number of rounds of ForkSkinny-128-384 before forking.
- */
-#define FORKSKINNY_128_384_ROUNDS_BEFORE 25
-
-/**
- * \brief Number of rounds of ForkSkinny-128-384 after forking.
- */
-#define FORKSKINNY_128_384_ROUNDS_AFTER 31
-
-/**
- * \brief State information for ForkSkinny-128-384.
- */
-typedef struct
-{
- uint32_t TK1[4]; /**< First part of the tweakey */
- uint32_t TK2[4]; /**< Second part of the tweakey */
- uint32_t TK3[4]; /**< Third part of the tweakey */
- uint32_t S[4]; /**< Current block state */
-
-} forkskinny_128_384_state_t;
-
-/**
- * \brief Applies one round of ForkSkinny-128-384.
- *
- * \param state State to apply the round to.
- * \param round Number of the round to apply.
- */
-static void forkskinny_128_384_round
- (forkskinny_128_384_state_t *state, unsigned round)
-{
- uint32_t s0, s1, s2, s3, temp;
- uint8_t rc;
-
- /* Load the state into local variables */
- s0 = state->S[0];
- s1 = state->S[1];
- s2 = state->S[2];
- s3 = state->S[3];
-
- /* Apply the S-box to all cells in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = RC[round];
- s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^
- (rc & 0x0F) ^ 0x00020000;
- s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB.
That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Save the local variables back to the state */
- state->S[0] = s0;
- state->S[1] = s1;
- state->S[2] = s2;
- state->S[3] = s3;
-
- /* Permute TK1, TK2, and TK3 for the next round */
- skinny128_permute_tk(state->TK1);
- skinny128_permute_tk(state->TK2);
- skinny128_permute_tk(state->TK3);
- skinny128_LFSR2(state->TK2[0]);
- skinny128_LFSR2(state->TK2[1]);
- skinny128_LFSR3(state->TK3[0]);
- skinny128_LFSR3(state->TK3[1]);
-}
-
-void forkskinny_128_384_encrypt
- (const unsigned char key[48], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input)
-{
- forkskinny_128_384_state_t state;
- unsigned round;
-
- /* Unpack the tweakey and the input */
- state.TK1[0] = le_load_word32(key);
- state.TK1[1] = le_load_word32(key + 4);
- state.TK1[2] = le_load_word32(key + 8);
- state.TK1[3] = le_load_word32(key + 12);
- state.TK2[0] = le_load_word32(key + 16);
- state.TK2[1] = le_load_word32(key + 20);
- state.TK2[2] = le_load_word32(key + 24);
- state.TK2[3] = le_load_word32(key + 28);
- state.TK3[0] = le_load_word32(key + 32);
- state.TK3[1] = le_load_word32(key + 36);
- state.TK3[2] = le_load_word32(key + 40);
- state.TK3[3] = le_load_word32(key + 44);
- state.S[0] = le_load_word32(input);
- state.S[1] = le_load_word32(input + 4);
- state.S[2] = le_load_word32(input + 8);
- state.S[3] = le_load_word32(input + 12);
-
- /* Run all of the rounds before the forking point */
- for (round = 0; round < FORKSKINNY_128_384_ROUNDS_BEFORE; ++round) {
- forkskinny_128_384_round(&state, round);
- }
-
- /* Determine which output blocks we need */
- if (output_left && output_right) {
- /* We need both outputs so save the state at the forking point */
- uint32_t F[4];
- F[0] =
state.S[0];
- F[1] = state.S[1];
- F[2] = state.S[2];
- F[3] = state.S[3];
-
- /* Generate the right output block */
- for (round = FORKSKINNY_128_384_ROUNDS_BEFORE;
- round < (FORKSKINNY_128_384_ROUNDS_BEFORE +
- FORKSKINNY_128_384_ROUNDS_AFTER); ++round) {
- forkskinny_128_384_round(&state, round);
- }
- le_store_word32(output_right, state.S[0]);
- le_store_word32(output_right + 4, state.S[1]);
- le_store_word32(output_right + 8, state.S[2]);
- le_store_word32(output_right + 12, state.S[3]);
-
- /* Restore the state at the forking point */
- state.S[0] = F[0];
- state.S[1] = F[1];
- state.S[2] = F[2];
- state.S[3] = F[3];
- }
- if (output_left) {
- /* Generate the left output block */
- state.S[0] ^= 0x08040201U; /* Branching constant */
- state.S[1] ^= 0x82412010U;
- state.S[2] ^= 0x28140a05U;
- state.S[3] ^= 0x8844a251U;
- for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE +
- FORKSKINNY_128_384_ROUNDS_AFTER);
- round < (FORKSKINNY_128_384_ROUNDS_BEFORE +
- FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) {
- forkskinny_128_384_round(&state, round);
- }
- le_store_word32(output_left, state.S[0]);
- le_store_word32(output_left + 4, state.S[1]);
- le_store_word32(output_left + 8, state.S[2]);
- le_store_word32(output_left + 12, state.S[3]);
- } else {
- /* We only need the right output block */
- for (round = FORKSKINNY_128_384_ROUNDS_BEFORE;
- round < (FORKSKINNY_128_384_ROUNDS_BEFORE +
- FORKSKINNY_128_384_ROUNDS_AFTER); ++round) {
- forkskinny_128_384_round(&state, round);
- }
- le_store_word32(output_right, state.S[0]);
- le_store_word32(output_right + 4, state.S[1]);
- le_store_word32(output_right + 8, state.S[2]);
- le_store_word32(output_right + 12, state.S[3]);
- }
-}
-
-/**
- * \brief Applies one round of ForkSkinny-128-384 in reverse.
- *
- * \param state State to apply the round to.
- * \param round Number of the round to apply.
- */
-static void forkskinny_128_384_inv_round
- (forkskinny_128_384_state_t *state, unsigned round)
-{
- uint32_t s0, s1, s2, s3, temp;
- uint8_t rc;
-
- /* Load the state into local variables */
- s0 = state->S[0];
- s1 = state->S[1];
- s2 = state->S[2];
- s3 = state->S[3];
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_inv_LFSR2(state->TK2[0]);
- skinny128_inv_LFSR2(state->TK2[1]);
- skinny128_inv_LFSR3(state->TK3[0]);
- skinny128_inv_LFSR3(state->TK3[1]);
- skinny128_inv_permute_tk(state->TK1);
- skinny128_inv_permute_tk(state->TK2);
- skinny128_inv_permute_tk(state->TK3);
-
- /* Inverse mix of the columns */
- temp = s0;
- s0 = s1;
- s1 = s2;
- s2 = s3;
- s3 = temp ^ s2;
- s2 ^= s0;
- s1 ^= s2;
-
- /* Shift the cells in the rows left, which moves the cell
- * values down closer to the LSB. That is, we do a right
- * rotate on the word to rotate the cells in the word left */
- s1 = rightRotate8(s1);
- s2 = rightRotate16(s2);
- s3 = rightRotate24(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = RC[round];
- s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^
- (rc & 0x0F) ^ 0x00020000;
- s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all cells in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
-
- /* Save the local variables back to the state */
- state->S[0] = s0;
- state->S[1] = s1;
- state->S[2] = s2;
- state->S[3] = s3;
-}
-
-void forkskinny_128_384_decrypt
- (const unsigned char key[48], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input)
-{
- forkskinny_128_384_state_t state;
- forkskinny_128_384_state_t fstate;
- unsigned round;
-
- /* Unpack the tweakey and the input */
- state.TK1[0] = le_load_word32(key);
- state.TK1[1] = le_load_word32(key + 4);
- state.TK1[2] = le_load_word32(key + 8);
- state.TK1[3] = le_load_word32(key + 12);
-
state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = le_load_word32(key + 28); - state.TK3[0] = le_load_word32(key + 32); - state.TK3[1] = le_load_word32(key + 36); - state.TK3[2] = le_load_word32(key + 40); - state.TK3[3] = le_load_word32(key + 44); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { - skinny128_permute_tk(state.TK1); - skinny128_permute_tk(state.TK2); - skinny128_permute_tk(state.TK3); - skinny128_LFSR2(state.TK2[0]); - skinny128_LFSR2(state.TK2[1]); - skinny128_LFSR3(state.TK3[0]); - skinny128_LFSR3(state.TK3[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); - round > (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); --round) { - forkskinny_128_384_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x08040201U; - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_128_384_ROUNDS_AFTER; ++round) { - skinny128_inv_LFSR2(state.TK2[0]); - skinny128_inv_LFSR2(state.TK2[1]); - skinny128_inv_LFSR3(state.TK3[0]); - skinny128_inv_LFSR3(state.TK3[1]); - skinny128_inv_permute_tk(state.TK1); - skinny128_inv_permute_tk(state.TK2); - skinny128_inv_permute_tk(state.TK3); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = 
FORKSKINNY_128_384_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_128_384_inv_round(&state, round - 1); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&fstate, round); - } - le_store_word32(output_right, fstate.S[0]); - le_store_word32(output_right + 4, fstate.S[1]); - le_store_word32(output_right + 8, fstate.S[2]); - le_store_word32(output_right + 12, fstate.S[3]); -} - -/** - * \brief Number of rounds of ForkSkinny-64-192 before forking. - */ -#define FORKSKINNY_64_192_ROUNDS_BEFORE 17 - -/** - * \brief Number of rounds of ForkSkinny-64-192 after forking. - */ -#define FORKSKINNY_64_192_ROUNDS_AFTER 23 - -/** - * \brief State information for ForkSkinny-64-192. - */ -typedef struct -{ - uint16_t TK1[4]; /**< First part of the tweakey */ - uint16_t TK2[4]; /**< Second part of the tweakey */ - uint16_t TK3[4]; /**< Third part of the tweakey */ - uint16_t S[4]; /**< Current block state */ - -} forkskinny_64_192_state_t; - -/** - * \brief Applies one round of ForkSkinny-64-192. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - * - * Note: The cells of each row are order in big-endian nibble order - * so it is easiest to manage the rows in bit-endian byte order. 
- */ -static void forkskinny_64_192_round - (forkskinny_64_192_state_t *state, unsigned round) -{ - uint16_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Apply the S-box to all cells in the state */ - skinny64_sbox(s0); - skinny64_sbox(s1); - skinny64_sbox(s2); - skinny64_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - ((rc & 0x0F) << 12) ^ 0x0020; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ - ((rc & 0x70) << 8); - s2 ^= 0x2000; - - /* Shift the cells in the rows right */ - s1 = rightRotate4_16(s1); - s2 = rightRotate8_16(s2); - s3 = rightRotate12_16(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny64_permute_tk(state->TK1); - skinny64_permute_tk(state->TK2); - skinny64_permute_tk(state->TK3); - skinny64_LFSR2(state->TK2[0]); - skinny64_LFSR2(state->TK2[1]); - skinny64_LFSR3(state->TK3[0]); - skinny64_LFSR3(state->TK3[1]); -} - -void forkskinny_64_192_encrypt - (const unsigned char key[24], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_64_192_state_t state; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = be_load_word16(key); - state.TK1[1] = be_load_word16(key + 2); - state.TK1[2] = be_load_word16(key + 4); - state.TK1[3] = be_load_word16(key + 6); - state.TK2[0] = be_load_word16(key + 8); - state.TK2[1] = be_load_word16(key + 10); - state.TK2[2] = be_load_word16(key + 12); - state.TK2[3] = be_load_word16(key + 14); - state.TK3[0] = be_load_word16(key + 16); - state.TK3[1] = 
be_load_word16(key + 18); - state.TK3[2] = be_load_word16(key + 20); - state.TK3[3] = be_load_word16(key + 22); - state.S[0] = be_load_word16(input); - state.S[1] = be_load_word16(input + 2); - state.S[2] = be_load_word16(input + 4); - state.S[3] = be_load_word16(input + 6); - - /* Run all of the rounds before the forking point */ - for (round = 0; round < FORKSKINNY_64_192_ROUNDS_BEFORE; ++round) { - forkskinny_64_192_round(&state, round); - } - - /* Determine which output blocks we need */ - if (output_left && output_right) { - /* We need both outputs so save the state at the forking point */ - uint16_t F[4]; - F[0] = state.S[0]; - F[1] = state.S[1]; - F[2] = state.S[2]; - F[3] = state.S[3]; - - /* Generate the right output block */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_right, state.S[0]); - be_store_word16(output_right + 2, state.S[1]); - be_store_word16(output_right + 4, state.S[2]); - be_store_word16(output_right + 6, state.S[3]); - - /* Restore the state at the forking point */ - state.S[0] = F[0]; - state.S[1] = F[1]; - state.S[2] = F[2]; - state.S[3] = F[3]; - } - if (output_left) { - /* Generate the left output block */ - state.S[0] ^= 0x1249U; /* Branching constant */ - state.S[1] ^= 0x36daU; - state.S[2] ^= 0x5b7fU; - state.S[3] ^= 0xec81U; - for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_left, state.S[0]); - be_store_word16(output_left + 2, state.S[1]); - be_store_word16(output_left + 4, state.S[2]); - be_store_word16(output_left + 6, state.S[3]); - } else { - /* We only need the right output block */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < 
(FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_right, state.S[0]); - be_store_word16(output_right + 2, state.S[1]); - be_store_word16(output_right + 4, state.S[2]); - be_store_word16(output_right + 6, state.S[3]); - } -} - -/** - * \brief Applies one round of ForkSkinny-64-192 in reverse. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - */ -static void forkskinny_64_192_inv_round - (forkskinny_64_192_state_t *state, unsigned round) -{ - uint16_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny64_inv_LFSR2(state->TK2[0]); - skinny64_inv_LFSR2(state->TK2[1]); - skinny64_inv_LFSR3(state->TK3[0]); - skinny64_inv_LFSR3(state->TK3[1]); - skinny64_inv_permute_tk(state->TK1); - skinny64_inv_permute_tk(state->TK2); - skinny64_inv_permute_tk(state->TK3); - - /* Inverse mix of the columns */ - temp = s0; - s0 = s1; - s1 = s2; - s2 = s3; - s3 = temp ^ s2; - s2 ^= s0; - s1 ^= s2; - - /* Shift the cells in the rows left */ - s1 = leftRotate4_16(s1); - s2 = leftRotate8_16(s2); - s3 = leftRotate12_16(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - ((rc & 0x0F) << 12) ^ 0x0020; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ - ((rc & 0x70) << 8); - s2 ^= 0x2000; - - /* Apply the inverse of the S-box to all cells in the state */ - skinny64_inv_sbox(s0); - skinny64_inv_sbox(s1); - skinny64_inv_sbox(s2); - skinny64_inv_sbox(s3); - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; -} - -void forkskinny_64_192_decrypt - (const unsigned char key[24], unsigned char *output_left, - 
unsigned char *output_right, const unsigned char *input) -{ - forkskinny_64_192_state_t state; - forkskinny_64_192_state_t fstate; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = be_load_word16(key); - state.TK1[1] = be_load_word16(key + 2); - state.TK1[2] = be_load_word16(key + 4); - state.TK1[3] = be_load_word16(key + 6); - state.TK2[0] = be_load_word16(key + 8); - state.TK2[1] = be_load_word16(key + 10); - state.TK2[2] = be_load_word16(key + 12); - state.TK2[3] = be_load_word16(key + 14); - state.TK3[0] = be_load_word16(key + 16); - state.TK3[1] = be_load_word16(key + 18); - state.TK3[2] = be_load_word16(key + 20); - state.TK3[3] = be_load_word16(key + 22); - state.S[0] = be_load_word16(input); - state.S[1] = be_load_word16(input + 2); - state.S[2] = be_load_word16(input + 4); - state.S[3] = be_load_word16(input + 6); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { - skinny64_permute_tk(state.TK1); - skinny64_permute_tk(state.TK2); - skinny64_permute_tk(state.TK3); - skinny64_LFSR2(state.TK2[0]); - skinny64_LFSR2(state.TK2[1]); - skinny64_LFSR3(state.TK3[0]); - skinny64_LFSR3(state.TK3[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); - round > (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); --round) { - forkskinny_64_192_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x1249U; - state.S[1] ^= 0x36daU; - state.S[2] ^= 0x5b7fU; - state.S[3] ^= 0xec81U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_64_192_ROUNDS_AFTER; ++round) { - skinny64_inv_LFSR2(state.TK2[0]); - skinny64_inv_LFSR2(state.TK2[1]); - skinny64_inv_LFSR3(state.TK3[0]); - 
skinny64_inv_LFSR3(state.TK3[1]); - skinny64_inv_permute_tk(state.TK1); - skinny64_inv_permute_tk(state.TK2); - skinny64_inv_permute_tk(state.TK3); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_64_192_inv_round(&state, round - 1); - } - be_store_word16(output_left, state.S[0]); - be_store_word16(output_left + 2, state.S[1]); - be_store_word16(output_left + 4, state.S[2]); - be_store_word16(output_left + 6, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&fstate, round); - } - be_store_word16(output_right, fstate.S[0]); - be_store_word16(output_right + 2, fstate.S[1]); - be_store_word16(output_right + 4, fstate.S[2]); - be_store_word16(output_right + 6, fstate.S[3]); -} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-forkskinny.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-forkskinny.h deleted file mode 100644 index 0c1a707..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-forkskinny.h +++ /dev/null 
@@ -1,141 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_FORKSKINNY_H -#define LW_INTERNAL_FORKSKINNY_H - -/** - * \file internal-forkskinny.h - * \brief ForkSkinny block cipher family. - * - * ForkSkinny is a modified version of the SKINNY block cipher that - * supports "forking": half-way through the rounds the cipher is - * forked in two different directions to produce two different outputs. - * - * References: https://www.esat.kuleuven.be/cosic/forkae/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts a block of plaintext with ForkSkinny-128-256. - * - * \param key 256-bit tweakey for ForkSkinny-128-256. - * \param output_left Left output block for the ciphertext, or NULL if - * the left output is not required. 
- * \param output_right Right output block for the authentication tag, - * or NULL if the right output is not required. - * \param input 128-bit input plaintext block. - * - * ForkSkinny-128-192 also uses this function with a padded tweakey. - */ -void forkskinny_128_256_encrypt - (const unsigned char key[32], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input); - -/** - * \brief Decrypts a block of ciphertext with ForkSkinny-128-256. - * - * \param key 256-bit tweakey for ForkSkinny-128-256. - * \param output_left Left output block, which is the plaintext. - * \param output_right Right output block for the authentication tag. - * \param input 128-bit input ciphertext block. - * - * Both output blocks will be populated; neither is optional. - */ -void forkskinny_128_256_decrypt - (const unsigned char key[32], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input); - -/** - * \brief Encrypts a block of plaintext with ForkSkinny-128-384. - * - * \param key 384-bit tweakey for ForkSkinny-128-384. - * \param output_left Left output block for the ciphertext, or NULL if - * the left output is not required. - * \param output_right Right output block for the authentication tag, - * or NULL if the right output is not required. - * \param input 128-bit input plaintext block. - * - * ForkSkinny-128-288 also uses this function with a padded tweakey. - */ -void forkskinny_128_384_encrypt - (const unsigned char key[48], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input); - -/** - * \brief Decrypts a block of ciphertext with ForkSkinny-128-384. - * - * \param key 384-bit tweakey for ForkSkinny-128-384. - * \param output_left Left output block, which is the plaintext. - * \param output_right Right output block for the authentication tag. - * \param input 128-bit input ciphertext block. - * - * Both output blocks will be populated; neither is optional. 
- */ -void forkskinny_128_384_decrypt - (const unsigned char key[48], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input); - -/** - * \brief Encrypts a block of input with ForkSkinny-64-192. - * - * \param key 192-bit tweakey for ForkSkinny-64-192. - * \param output_left First output block, or NULL if left is not required. - * \param output_right Second output block, or NULL if right is not required. - * \param input 64-bit input block. - */ -/** - * \brief Encrypts a block of plaintext with ForkSkinny-64-192. - * - * \param key 192-bit tweakey for ForkSkinny-64-192. - * \param output_left Left output block for the ciphertext, or NULL if - * the left output is not required. - * \param output_right Right output block for the authentication tag, - * or NULL if the right output is not required. - * \param input 64-bit input plaintext block. - */ -void forkskinny_64_192_encrypt - (const unsigned char key[24], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input); - -/** - * \brief Decrypts a block of ciphertext with ForkSkinny-64-192. - * - * \param key 192-bit tweakey for ForkSkinny-64-192. - * \param output_left Left output block, which is the plaintext. - * \param output_right Right output block for the authentication tag. - * \param input 64-bit input ciphertext block. - * - * Both output blocks will be populated; neither is optional. - */ -void forkskinny_64_192_decrypt - (const unsigned char key[24], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-util.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-util.h 
+++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
  * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
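Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is hard-wired to `__AVR__`, so the composed rotation path can only be compiled with an AVR toolchain and there is no way to exercise it against the generic shift-pair form in a host test build, where a wrong count in any of the 62 composed macros would be caught by a trivial loop over all 32-bit rotation amounts. Letting the build define it first keeps the AVR default and makes the path testable, and reusable on other barrel-shifter-less targets: wrap the five preprocessor lines in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif`. The comment above the block could also record the contract that both branches must define every `leftRotate1`..`leftRotate31` and `rightRotate1`..`rightRotate31`, since the cipher code presumably refers to them by fixed name and a missing one would only surface as a link error on the platform that selects that branch.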
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/api.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/api.h
deleted file mode 100644
index 500c2c7..0000000
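Review bot: Every composed macro nests the generic `leftRotate`/`rightRotate` statement expressions, and the context lines earlier in this file section suggest those declare a local named `_temp`, so `leftRotate20(a)` for example nests five scopes that each redeclare `_temp`; that is well-defined C and still evaluates `a` once, but it will likely raise a `-Wshadow` warning on every use and makes the preprocessed output painful to step through. A one-line comment under `/* Composed rotation macros ... */` would save the next reader the investigation: `/* Each step nests the generic statement-expression rotate: a is evaluated once, but _temp is re-declared per level, so expect -Wshadow noise. */`. It is also worth stating there, and in the selector comment, that the composition stops at this `#endif`: the 64-bit rotation macros that follow as context are still the plain shift pairs on AVR, so nothing in the 64-bit family benefits from this change. The counts themselves check out (each N is reached from 0, 8, 16 or 24 with at most four single-bit steps, and `rightRotateN` resolves to `leftRotate(32-N)`), and because every step is a constant-count rotate the expansion introduces no data-dependent control flow, which is the property to preserve in cipher round functions.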
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 13 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/encrypt.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/encrypt.c deleted file mode 100644 index b23be7f..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "forkae.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return forkae_paef_128_288_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return forkae_paef_128_288_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/forkae.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/forkae.c deleted file mode 100644 index 4a9671a..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/forkae.c +++ /dev/null 
@@ -1,140 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "forkae.h" -#include "internal-forkskinny.h" -#include "internal-util.h" -#include - -aead_cipher_t const forkae_paef_64_192_cipher = { - "PAEF-ForkSkinny-64-192", - FORKAE_PAEF_64_192_KEY_SIZE, - FORKAE_PAEF_64_192_NONCE_SIZE, - FORKAE_PAEF_64_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_64_192_aead_encrypt, - forkae_paef_64_192_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_192_cipher = { - "PAEF-ForkSkinny-128-192", - FORKAE_PAEF_128_192_KEY_SIZE, - FORKAE_PAEF_128_192_NONCE_SIZE, - FORKAE_PAEF_128_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_192_aead_encrypt, - forkae_paef_128_192_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_256_cipher = { - "PAEF-ForkSkinny-128-256", - FORKAE_PAEF_128_256_KEY_SIZE, - FORKAE_PAEF_128_256_NONCE_SIZE, - FORKAE_PAEF_128_256_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_256_aead_encrypt, - forkae_paef_128_256_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_288_cipher = { - "PAEF-ForkSkinny-128-288", - FORKAE_PAEF_128_288_KEY_SIZE, - FORKAE_PAEF_128_288_NONCE_SIZE, - FORKAE_PAEF_128_288_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_288_aead_encrypt, - forkae_paef_128_288_aead_decrypt -}; - -aead_cipher_t const forkae_saef_128_192_cipher = { - "SAEF-ForkSkinny-128-192", - FORKAE_SAEF_128_192_KEY_SIZE, - FORKAE_SAEF_128_192_NONCE_SIZE, - FORKAE_SAEF_128_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_saef_128_192_aead_encrypt, - forkae_saef_128_192_aead_decrypt -}; - -aead_cipher_t const forkae_saef_128_256_cipher = { - "SAEF-ForkSkinny-128-256", - FORKAE_SAEF_128_256_KEY_SIZE, - FORKAE_SAEF_128_256_NONCE_SIZE, - FORKAE_SAEF_128_256_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_saef_128_256_aead_encrypt, - forkae_saef_128_256_aead_decrypt -}; - -/* PAEF-ForkSkinny-64-192 */ -#define FORKAE_ALG_NAME forkae_paef_64_192 -#define FORKAE_BLOCK_SIZE 8 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_64_192_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 24 -#define FORKAE_BLOCK_FUNC 
forkskinny_64_192 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-192 */ -#define FORKAE_ALG_NAME forkae_paef_128_192 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_192_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-256 */ -#define FORKAE_ALG_NAME forkae_paef_128_256 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_256_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-288 */ -#define FORKAE_ALG_NAME forkae_paef_128_288 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_288_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 7 -#define FORKAE_TWEAKEY_SIZE 48 -#define FORKAE_BLOCK_FUNC forkskinny_128_384 -#include "internal-forkae-paef.h" - -/* SAEF-ForkSkinny-128-192 */ -#define FORKAE_ALG_NAME forkae_saef_128_192 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_192_NONCE_SIZE -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_TWEAKEY_REDUCED_SIZE 24 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-saef.h" - -/* SAEF-ForkSkinny-128-256 */ -#define FORKAE_ALG_NAME forkae_saef_128_256 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_256_NONCE_SIZE -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_TWEAKEY_REDUCED_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-saef.h" diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-forkae-paef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-forkae-paef.h deleted file mode 100644 index 6f57b2b..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-forkae-paef.h +++ /dev/null 
@@ -1,273 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-/* We expect a number of macros to be defined before this file
- * is included to configure the underlying ForkAE PAEF variant.
- *
- * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_paef_128_256
- * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes).
- * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes.
- * FORKAE_COUNTER_SIZE Size of the counter value for the cipher in bytes.
- * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher.
- * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256
- */
-#if defined(FORKAE_ALG_NAME)
-
-#define FORKAE_CONCAT_INNER(name,suffix) name##suffix
-#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix)
-
-/* Limit on the amount of data we can process based on the counter size */
-#define FORKAE_PAEF_DATA_LIMIT \
- ((unsigned long long)((1ULL << (FORKAE_COUNTER_SIZE * 8)) * \
- (FORKAE_BLOCK_SIZE / 8)) - FORKAE_BLOCK_SIZE)
-
-/* Processes the associated data in PAEF mode */
-STATIC_INLINE void FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)
- (unsigned char tweakey[FORKAE_TWEAKEY_SIZE],
- unsigned long long counter, unsigned char domain)
-{
- unsigned posn;
- counter |= (((unsigned long long)domain) << (FORKAE_COUNTER_SIZE * 8 - 3));
- for (posn = 0; posn < FORKAE_COUNTER_SIZE; ++posn) {
- tweakey[16 + FORKAE_NONCE_SIZE + FORKAE_COUNTER_SIZE - 1 - posn] =
- (unsigned char)counter;
- counter >>= 8;
- }
-}
-
-/* Check that the last block is padded correctly; -1 if ok, 0 if not */
-STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding)
- (const unsigned char *block, unsigned len)
-{
- int check = block[0] ^ 0x80;
- while (len > 1) {
- --len;
- check |= block[len];
- }
- return (check - 1) >> 8;
-}
-
-int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char tweakey[FORKAE_TWEAKEY_SIZE];
- unsigned char tag[FORKAE_BLOCK_SIZE];
- unsigned char block[FORKAE_BLOCK_SIZE];
- unsigned long long counter;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + FORKAE_BLOCK_SIZE;
-
- /* Validate the size of the associated data and plaintext as there
- * is a limit on the size of the PAEF counter field */
- if (adlen > FORKAE_PAEF_DATA_LIMIT || mlen > FORKAE_PAEF_DATA_LIMIT)
- return -2;
-
- /* Format the initial tweakey with the key and nonce */
- memcpy(tweakey, k, 16);
- memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE);
- memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0,
- FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE);
-
- /* Tag value starts at zero. We will XOR this with all of the
- * intermediate tag values that are calculated for each block */
- memset(tag, 0, sizeof(tag));
-
- /* Process the associated data */
- counter = 1;
- while (adlen > FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- ad += FORKAE_BLOCK_SIZE;
- adlen -= FORKAE_BLOCK_SIZE;
- ++counter;
- }
- if (adlen == FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- } else if (adlen != 0 || mlen == 0) {
- unsigned temp = (unsigned)adlen;
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, sizeof(block) - temp - 1);
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- }
-
- /* If there is no message payload, then generate the tag and we are done */
- if (!mlen) {
- memcpy(c, tag, sizeof(tag));
- return 0;
- }
-
- /* Encrypt all plaintext blocks except the last */
- counter = 1;
- while (mlen > FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- c += FORKAE_BLOCK_SIZE;
- m += FORKAE_BLOCK_SIZE;
- mlen -= FORKAE_BLOCK_SIZE;
- ++counter;
- }
-
- /* Encrypt the last block and generate the final authentication tag */
- if (mlen == FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m);
- lw_xor_block(c, tag, FORKAE_BLOCK_SIZE);
- memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE);
- } else {
- unsigned temp = (unsigned)mlen;
- memcpy(block, m, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, sizeof(block) - temp - 1);
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block);
- lw_xor_block(c, tag, FORKAE_BLOCK_SIZE);
- memcpy(c + FORKAE_BLOCK_SIZE, block, temp);
- }
- return 0;
-}
-
-int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char tweakey[FORKAE_TWEAKEY_SIZE];
- unsigned char tag[FORKAE_BLOCK_SIZE];
- unsigned char block[FORKAE_BLOCK_SIZE];
- unsigned char *mtemp = m;
- unsigned long long counter;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < FORKAE_BLOCK_SIZE)
- return -1;
- clen -= FORKAE_BLOCK_SIZE;
- *mlen = clen;
-
- /* Validate the size of the associated data and plaintext as there
- * is a limit on the size of the PAEF counter field */
- if (adlen > FORKAE_PAEF_DATA_LIMIT || clen > FORKAE_PAEF_DATA_LIMIT)
- return -2;
-
- /* Format the initial tweakey with the key and nonce */
- memcpy(tweakey, k, 16);
- memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE);
- memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0,
- FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE);
-
- /* Tag value starts at zero. We will XOR this with all of the
- * intermediate tag values that are calculated for each block */
- memset(tag, 0, sizeof(tag));
-
- /* Process the associated data */
- counter = 1;
- while (adlen > FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- ad += FORKAE_BLOCK_SIZE;
- adlen -= FORKAE_BLOCK_SIZE;
- ++counter;
- }
- if (adlen == FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- } else if (adlen != 0 || clen == 0) {
- unsigned temp = (unsigned)adlen;
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, sizeof(block) - temp - 1);
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- }
-
- /* If there is no message payload, then check the tag and we are done */
- if (!clen)
- return aead_check_tag(m, clen, tag, c, sizeof(tag));
-
- /* Decrypt all ciphertext blocks except the last */
- counter = 1;
- while (clen > FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, c);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- c += FORKAE_BLOCK_SIZE;
- m += FORKAE_BLOCK_SIZE;
- clen -= FORKAE_BLOCK_SIZE;
- ++counter;
- }
-
- /* Decrypt the last block and check the final authentication tag */
- if (clen == FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5);
- lw_xor_block_2_src(m, c, tag, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, m);
- return aead_check_tag
- (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, sizeof(tag));
- } else {
- unsigned temp = (unsigned)clen;
- unsigned char block2[FORKAE_BLOCK_SIZE];
- int check;
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7);
- lw_xor_block_2_src(block2, tag, c, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)
- (tweakey, block2, block, block2);
- check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding)
- (block2 + temp, FORKAE_BLOCK_SIZE - temp);
- memcpy(m, block2, temp);
- return aead_check_tag_precheck
- (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check);
- }
-}
-
-#endif /* FORKAE_ALG_NAME */
-
-/* Now undefine everything so that we can include this file again for
- * another variant on the ForkAE PAEF algorithm */
-#undef FORKAE_ALG_NAME
-#undef FORKAE_BLOCK_SIZE
-#undef FORKAE_NONCE_SIZE
-#undef FORKAE_COUNTER_SIZE
-#undef FORKAE_TWEAKEY_SIZE
-#undef FORKAE_BLOCK_FUNC
-#undef FORKAE_CONCAT_INNER
-#undef FORKAE_CONCAT
-#undef FORKAE_PAEF_DATA_LIMIT
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-forkae-saef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-forkae-saef.h
deleted file mode 100644
index 768bba4..0000000
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-forkae-saef.h
+++ /dev/null
@@ -1,251 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-/* We expect a number of macros to be defined before this file
- * is included to configure the underlying ForkAE SAEF variant.
- *
- * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_saef_128_256
- * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes).
- * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes.
- * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher.
- * FORKAE_REDUCED_TWEAKEY_SIZE Size of the reduced tweakey without padding.
- * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256
- */
-#if defined(FORKAE_ALG_NAME)
-
-#define FORKAE_CONCAT_INNER(name,suffix) name##suffix
-#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix)
-
-/* Check that the last block is padded correctly; -1 if ok, 0 if not */
-STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding)
- (const unsigned char *block, unsigned len)
-{
- int check = block[0] ^ 0x80;
- while (len > 1) {
- --len;
- check |= block[len];
- }
- return (check - 1) >> 8;
-}
-
-int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char tweakey[FORKAE_TWEAKEY_SIZE];
- unsigned char tag[FORKAE_BLOCK_SIZE];
- unsigned char block[FORKAE_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + FORKAE_BLOCK_SIZE;
-
- /* Format the initial tweakey with the key and nonce */
- memcpy(tweakey, k, 16);
- memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE);
- memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0,
- FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08;
-
- /* Tag value starts at zero */
- memset(tag, 0, sizeof(tag));
-
- /* Process the associated data */
- if (adlen > 0 || mlen == 0) {
- while (adlen > FORKAE_BLOCK_SIZE) {
- lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- ad += FORKAE_BLOCK_SIZE;
- adlen -= FORKAE_BLOCK_SIZE;
- }
- if (mlen == 0)
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04;
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02;
- if (adlen == FORKAE_BLOCK_SIZE) {
- lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- } else if (adlen != 0 || mlen == 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(tag, ad, temp);
- tag[temp] ^= 0x80;
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- }
- }
-
- /* If there is no message payload, then generate the tag and we are done */
- if (!mlen) {
- memcpy(c, tag, sizeof(tag));
- return 0;
- }
-
- /* Encrypt all plaintext blocks except the last */
- while (mlen > FORKAE_BLOCK_SIZE) {
- lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block);
- lw_xor_block(c, tag, FORKAE_BLOCK_SIZE);
- memcpy(tag, block, FORKAE_BLOCK_SIZE);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- c += FORKAE_BLOCK_SIZE;
- m += FORKAE_BLOCK_SIZE;
- mlen -= FORKAE_BLOCK_SIZE;
- }
-
- /* Encrypt the last block and generate the final authentication tag */
- if (mlen == FORKAE_BLOCK_SIZE) {
- lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block);
- lw_xor_block(c, tag, FORKAE_BLOCK_SIZE);
- memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE);
- } else {
- unsigned temp = (unsigned)mlen;
- memcpy(block, tag, FORKAE_BLOCK_SIZE);
- lw_xor_block(block, m, temp);
- block[temp] ^= 0x80;
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block);
- lw_xor_block(c, tag, FORKAE_BLOCK_SIZE);
- memcpy(c + FORKAE_BLOCK_SIZE, block, temp);
- }
- return 0;
-}
-
-int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char tweakey[FORKAE_TWEAKEY_SIZE];
- unsigned char tag[FORKAE_BLOCK_SIZE];
- unsigned char block[FORKAE_BLOCK_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < FORKAE_BLOCK_SIZE)
- return -1;
- clen -= FORKAE_BLOCK_SIZE;
- *mlen = clen;
-
- /* Format the initial tweakey with the key and nonce */
- memcpy(tweakey, k, 16);
- memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE);
- memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0,
- FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08;
-
- /* Tag value starts at zero */
- memset(tag, 0, sizeof(tag));
-
- /* Process the associated data */
- if (adlen > 0 || clen == 0) {
- while (adlen > FORKAE_BLOCK_SIZE) {
- lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- ad += FORKAE_BLOCK_SIZE;
- adlen -= FORKAE_BLOCK_SIZE;
- }
- if (clen == 0)
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04;
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02;
- if (adlen == FORKAE_BLOCK_SIZE) {
- lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- } else if (adlen != 0 || clen == 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(tag, ad, temp);
- tag[temp] ^= 0x80;
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- }
- }
-
- /* If there is no message payload, then check the tag and we are done */
- if (!clen)
- return aead_check_tag(m, clen, tag, c, sizeof(tag));
-
- /* Decrypt all ciphertext blocks except the last */
- while (clen > FORKAE_BLOCK_SIZE) {
- lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block);
- lw_xor_block(m, tag, FORKAE_BLOCK_SIZE);
- memcpy(tag, block, FORKAE_BLOCK_SIZE);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- c += FORKAE_BLOCK_SIZE;
- m += FORKAE_BLOCK_SIZE;
- clen -= FORKAE_BLOCK_SIZE;
- }
-
- /* Decrypt the last block and check the final authentication tag */
- if (clen == FORKAE_BLOCK_SIZE) {
- lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block);
- lw_xor_block(m, tag, FORKAE_BLOCK_SIZE);
- return aead_check_tag
- (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, FORKAE_BLOCK_SIZE);
- } else {
- unsigned temp = (unsigned)clen;
- unsigned char mblock[FORKAE_BLOCK_SIZE];
- int check;
- lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)
- (tweakey, mblock, block, block);
- lw_xor_block(mblock, tag, FORKAE_BLOCK_SIZE);
- memcpy(m, mblock, temp);
- check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding)
- (mblock + temp, FORKAE_BLOCK_SIZE - temp);
- return aead_check_tag_precheck
- (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check);
- }
-}
-
-#endif /* FORKAE_ALG_NAME */
-
-/* Now undefine everything so that we can include this file again for
- * another variant on the ForkAE SAEF algorithm */
-#undef FORKAE_ALG_NAME
-#undef FORKAE_BLOCK_SIZE
-#undef FORKAE_NONCE_SIZE
-#undef FORKAE_COUNTER_SIZE
-#undef FORKAE_TWEAKEY_SIZE
-#undef FORKAE_TWEAKEY_REDUCED_SIZE
-#undef FORKAE_BLOCK_FUNC
-#undef FORKAE_CONCAT_INNER
-#undef FORKAE_CONCAT
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-forkskinny.c b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-forkskinny.c
deleted file mode 100644
index b050ff1..0000000
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-forkskinny.c
+++ /dev/null
@@ -1,988 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-forkskinny.h"
-#include "internal-skinnyutil.h"
-
-/**
- * \brief 7-bit round constants for all ForkSkinny block ciphers.
- */
-static unsigned char const RC[87] = {
- 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7e, 0x7d,
- 0x7b, 0x77, 0x6f, 0x5f, 0x3e, 0x7c, 0x79, 0x73,
- 0x67, 0x4f, 0x1e, 0x3d, 0x7a, 0x75, 0x6b, 0x57,
- 0x2e, 0x5c, 0x38, 0x70, 0x61, 0x43, 0x06, 0x0d,
- 0x1b, 0x37, 0x6e, 0x5d, 0x3a, 0x74, 0x69, 0x53,
- 0x26, 0x4c, 0x18, 0x31, 0x62, 0x45, 0x0a, 0x15,
- 0x2b, 0x56, 0x2c, 0x58, 0x30, 0x60, 0x41, 0x02,
- 0x05, 0x0b, 0x17, 0x2f, 0x5e, 0x3c, 0x78, 0x71,
- 0x63, 0x47, 0x0e, 0x1d, 0x3b, 0x76, 0x6d, 0x5b,
- 0x36, 0x6c, 0x59, 0x32, 0x64, 0x49, 0x12, 0x25,
- 0x4a, 0x14, 0x29, 0x52, 0x24, 0x48, 0x10
-};
-
-/**
- * \brief Number of rounds of ForkSkinny-128-256 before forking.
- */
-#define FORKSKINNY_128_256_ROUNDS_BEFORE 21
-
-/**
- * \brief Number of rounds of ForkSkinny-128-256 after forking.
- */
-#define FORKSKINNY_128_256_ROUNDS_AFTER 27
-
-/**
- * \brief State information for ForkSkinny-128-256.
- */
-typedef struct
-{
- uint32_t TK1[4]; /**< First part of the tweakey */
- uint32_t TK2[4]; /**< Second part of the tweakey */
- uint32_t S[4]; /**< Current block state */
-
-} forkskinny_128_256_state_t;
-
-/**
- * \brief Applies one round of ForkSkinny-128-256.
- *
- * \param state State to apply the round to.
- * \param round Number of the round to apply.
- */
-static void forkskinny_128_256_round
- (forkskinny_128_256_state_t *state, unsigned round)
-{
- uint32_t s0, s1, s2, s3, temp;
- uint8_t rc;
-
- /* Load the state into local variables */
- s0 = state->S[0];
- s1 = state->S[1];
- s2 = state->S[2];
- s3 = state->S[3];
-
- /* Apply the S-box to all cells in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = RC[round];
- s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000;
- s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Save the local variables back to the state */
- state->S[0] = s0;
- state->S[1] = s1;
- state->S[2] = s2;
- state->S[3] = s3;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(state->TK1);
- skinny128_permute_tk(state->TK2);
- skinny128_LFSR2(state->TK2[0]);
- skinny128_LFSR2(state->TK2[1]);
-}
-
-void forkskinny_128_256_encrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input)
-{
- forkskinny_128_256_state_t state;
- unsigned round;
-
- /* Unpack the tweakey and the input */
- state.TK1[0] = le_load_word32(key);
- state.TK1[1] = le_load_word32(key + 4);
- state.TK1[2] = le_load_word32(key + 8);
- state.TK1[3] = le_load_word32(key + 12);
- state.TK2[0] = le_load_word32(key + 16);
- state.TK2[1] = le_load_word32(key + 20);
- state.TK2[2] = le_load_word32(key + 24);
- state.TK2[3] = le_load_word32(key + 28);
- state.S[0] = le_load_word32(input);
- state.S[1] = le_load_word32(input + 4);
- state.S[2] = le_load_word32(input + 8);
- state.S[3] = le_load_word32(input + 12);
-
- /* Run all of the rounds before the forking point */
- for (round = 0; round < FORKSKINNY_128_256_ROUNDS_BEFORE; ++round) {
- forkskinny_128_256_round(&state, round);
- }
-
- /* Determine which output blocks we need */
- if (output_left && output_right) {
- /* We need both outputs so save the state at the forking point */
- uint32_t F[4];
- F[0] = state.S[0];
- F[1] = state.S[1];
- F[2] = state.S[2];
- F[3] = state.S[3];
-
- /* Generate the right output block */
- for (round = FORKSKINNY_128_256_ROUNDS_BEFORE;
- round < (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER); ++round) {
- forkskinny_128_256_round(&state, round);
- }
- le_store_word32(output_right, state.S[0]);
- le_store_word32(output_right + 4, state.S[1]);
- le_store_word32(output_right + 8, state.S[2]);
- le_store_word32(output_right + 12, state.S[3]);
-
- /* Restore the state at the forking point */
- state.S[0] = F[0];
- state.S[1] = F[1];
- state.S[2] = F[2];
- state.S[3] = F[3];
- }
- if (output_left) {
- /* Generate the left output block */
- state.S[0] ^= 0x08040201U; /* Branching constant */
- state.S[1] ^= 0x82412010U;
- state.S[2] ^= 0x28140a05U;
- state.S[3] ^= 0x8844a251U;
- for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER);
- round < (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) {
- forkskinny_128_256_round(&state, round);
- }
- le_store_word32(output_left, state.S[0]);
- le_store_word32(output_left + 4, state.S[1]);
- le_store_word32(output_left + 8, state.S[2]);
- le_store_word32(output_left + 12, state.S[3]);
- } else {
- /* We only need the right output block */
- for (round = FORKSKINNY_128_256_ROUNDS_BEFORE;
- round < (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER); ++round) {
- forkskinny_128_256_round(&state, round);
- }
- le_store_word32(output_right, state.S[0]);
- le_store_word32(output_right + 4, state.S[1]);
- le_store_word32(output_right + 8, state.S[2]);
- le_store_word32(output_right + 12, state.S[3]);
- }
-}
-
-/**
- * \brief Applies one round of ForkSkinny-128-256 in reverse.
- *
- * \param state State to apply the round to.
- * \param round Number of the round to apply.
- */
-static void forkskinny_128_256_inv_round
- (forkskinny_128_256_state_t *state, unsigned round)
-{
- uint32_t s0, s1, s2, s3, temp;
- uint8_t rc;
-
- /* Load the state into local variables */
- s0 = state->S[0];
- s1 = state->S[1];
- s2 = state->S[2];
- s3 = state->S[3];
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_inv_LFSR2(state->TK2[0]);
- skinny128_inv_LFSR2(state->TK2[1]);
- skinny128_inv_permute_tk(state->TK1);
- skinny128_inv_permute_tk(state->TK2);
-
- /* Inverse mix of the columns */
- temp = s0;
- s0 = s1;
- s1 = s2;
- s2 = s3;
- s3 = temp ^ s2;
- s2 ^= s0;
- s1 ^= s2;
-
- /* Shift the cells in the rows left, which moves the cell
- * values down closer to the LSB. That is, we do a right
- * rotate on the word to rotate the cells in the word left */
- s1 = rightRotate8(s1);
- s2 = rightRotate16(s2);
- s3 = rightRotate24(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = RC[round];
- s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000;
- s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all cells in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
-
- /* Save the local variables back to the state */
- state->S[0] = s0;
- state->S[1] = s1;
- state->S[2] = s2;
- state->S[3] = s3;
-}
-
-void forkskinny_128_256_decrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input)
-{
- forkskinny_128_256_state_t state;
- forkskinny_128_256_state_t fstate;
- unsigned round;
-
- /* Unpack the tweakey and the input */
- state.TK1[0] = le_load_word32(key);
- state.TK1[1] = le_load_word32(key + 4);
- state.TK1[2] = le_load_word32(key + 8);
- state.TK1[3] = le_load_word32(key + 12);
- state.TK2[0] = le_load_word32(key + 16);
- state.TK2[1] = le_load_word32(key + 20);
- state.TK2[2] = le_load_word32(key + 24);
- state.TK2[3] = le_load_word32(key + 28);
- state.S[0] = le_load_word32(input);
- state.S[1] = le_load_word32(input + 4);
- state.S[2] = le_load_word32(input + 8);
- state.S[3] = le_load_word32(input + 12);
-
- /* Fast-forward the tweakey to the end of the key schedule */
- for (round = 0; round < (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) {
- skinny128_permute_tk(state.TK1);
- skinny128_permute_tk(state.TK2);
- skinny128_LFSR2(state.TK2[0]);
- skinny128_LFSR2(state.TK2[1]);
- }
-
- /* Perform the "after" rounds on the input to get back
- * to the forking point in the cipher */
- for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER * 2);
- round > (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER); --round) {
- forkskinny_128_256_inv_round(&state, round - 1);
- }
-
- /* Remove the branching constant */
- state.S[0] ^= 0x08040201U;
- state.S[1] ^= 0x82412010U;
- state.S[2] ^= 0x28140a05U;
- state.S[3] ^= 0x8844a251U;
-
- /* Roll the tweakey back another "after" rounds */
- for (round = 0; round < FORKSKINNY_128_256_ROUNDS_AFTER; ++round) {
- skinny128_inv_LFSR2(state.TK2[0]);
- skinny128_inv_LFSR2(state.TK2[1]);
- skinny128_inv_permute_tk(state.TK1);
- skinny128_inv_permute_tk(state.TK2);
- }
-
- /* Save the state and the tweakey at the forking point */
- fstate = state;
-
- /* Generate the left output block after another "before" rounds */
- for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; round > 0; --round) {
- forkskinny_128_256_inv_round(&state, round - 1);
- }
- le_store_word32(output_left, state.S[0]);
- le_store_word32(output_left + 4, state.S[1]);
- le_store_word32(output_left + 8, state.S[2]);
- le_store_word32(output_left + 12, state.S[3]);
-
- /* Generate the right output block by going forward "after"
- * rounds from the forking point */
- for (round = FORKSKINNY_128_256_ROUNDS_BEFORE;
- round < (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER); ++round) {
- forkskinny_128_256_round(&fstate, round);
- }
- le_store_word32(output_right, fstate.S[0]);
- le_store_word32(output_right + 4, fstate.S[1]);
- le_store_word32(output_right + 8, fstate.S[2]);
- le_store_word32(output_right + 12, fstate.S[3]);
-}
-
-/**
- * \brief Number of rounds of ForkSkinny-128-384 before forking.
- */
-#define FORKSKINNY_128_384_ROUNDS_BEFORE 25
-
-/**
- * \brief Number of rounds of ForkSkinny-128-384 after forking.
- */
-#define FORKSKINNY_128_384_ROUNDS_AFTER 31
-
-/**
- * \brief State information for ForkSkinny-128-384.
- */
-typedef struct
-{
- uint32_t TK1[4]; /**< First part of the tweakey */
- uint32_t TK2[4]; /**< Second part of the tweakey */
- uint32_t TK3[4]; /**< Third part of the tweakey */
- uint32_t S[4]; /**< Current block state */
-
-} forkskinny_128_384_state_t;
-
-/**
- * \brief Applies one round of ForkSkinny-128-384.
- *
- * \param state State to apply the round to.
- * \param round Number of the round to apply.
- */
-static void forkskinny_128_384_round
- (forkskinny_128_384_state_t *state, unsigned round)
-{
- uint32_t s0, s1, s2, s3, temp;
- uint8_t rc;
-
- /* Load the state into local variables */
- s0 = state->S[0];
- s1 = state->S[1];
- s2 = state->S[2];
- s3 = state->S[3];
-
- /* Apply the S-box to all cells in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = RC[round];
- s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^
- (rc & 0x0F) ^ 0x00020000;
- s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Save the local variables back to the state */
- state->S[0] = s0;
- state->S[1] = s1;
- state->S[2] = s2;
- state->S[3] = s3;
-
- /* Permute TK1, TK2, and TK3 for the next round */
- skinny128_permute_tk(state->TK1);
- skinny128_permute_tk(state->TK2);
- skinny128_permute_tk(state->TK3);
- skinny128_LFSR2(state->TK2[0]);
- skinny128_LFSR2(state->TK2[1]);
- skinny128_LFSR3(state->TK3[0]);
- skinny128_LFSR3(state->TK3[1]);
-}
-
-void forkskinny_128_384_encrypt
- (const unsigned char key[48], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input)
-{
- forkskinny_128_384_state_t state;
- unsigned round;
-
- /* Unpack the tweakey and the input */
- state.TK1[0] = le_load_word32(key);
- state.TK1[1] = le_load_word32(key + 4);
- state.TK1[2] = le_load_word32(key + 8);
- state.TK1[3] = le_load_word32(key + 12);
- state.TK2[0] = le_load_word32(key + 16);
- state.TK2[1] = le_load_word32(key + 20);
- state.TK2[2] = le_load_word32(key + 24);
- state.TK2[3] = le_load_word32(key + 28);
- state.TK3[0] = le_load_word32(key + 32);
- state.TK3[1] = le_load_word32(key + 36);
- state.TK3[2] = le_load_word32(key + 40);
- state.TK3[3] = le_load_word32(key + 44);
- state.S[0] = le_load_word32(input);
- state.S[1] = le_load_word32(input + 4);
- state.S[2] = le_load_word32(input + 8);
- state.S[3] = le_load_word32(input + 12);
-
- /* Run all of the rounds before the forking point */
- for (round = 0; round < FORKSKINNY_128_384_ROUNDS_BEFORE; ++round) {
- forkskinny_128_384_round(&state, round);
- }
-
- /* Determine which output blocks we need */
- if (output_left && output_right) {
- /* We need both outputs so save the state at the forking point */
- uint32_t F[4];
- F[0] = state.S[0];
- F[1] = state.S[1];
- F[2] = state.S[2];
- F[3] = state.S[3];
-
- /* Generate the right output block */
- for (round = FORKSKINNY_128_384_ROUNDS_BEFORE;
- round < (FORKSKINNY_128_384_ROUNDS_BEFORE +
- FORKSKINNY_128_384_ROUNDS_AFTER); ++round) {
- forkskinny_128_384_round(&state, round);
- }
- le_store_word32(output_right, state.S[0]);
- le_store_word32(output_right + 4, state.S[1]);
- le_store_word32(output_right + 8, state.S[2]);
- le_store_word32(output_right + 12, state.S[3]);
-
- /* Restore the state at the forking point */
- state.S[0] = F[0];
- state.S[1] = F[1];
- state.S[2] = F[2];
- state.S[3] = F[3];
- }
- if (output_left) {
- /* Generate the left output block */
- state.S[0] ^= 0x08040201U; /* Branching constant */
- state.S[1] ^= 0x82412010U;
- state.S[2] ^= 0x28140a05U;
- state.S[3] ^= 0x8844a251U;
- for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE +
- FORKSKINNY_128_384_ROUNDS_AFTER);
- round < (FORKSKINNY_128_384_ROUNDS_BEFORE +
- FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) {
- forkskinny_128_384_round(&state, round);
- }
- le_store_word32(output_left, state.S[0]);
- le_store_word32(output_left + 4, state.S[1]);
- le_store_word32(output_left + 8, state.S[2]);
- le_store_word32(output_left + 12, state.S[3]);
- } else {
- /* We only need the right output block */
- for (round = FORKSKINNY_128_384_ROUNDS_BEFORE;
- round < (FORKSKINNY_128_384_ROUNDS_BEFORE +
- FORKSKINNY_128_384_ROUNDS_AFTER); ++round) {
- forkskinny_128_384_round(&state, round);
- }
- le_store_word32(output_right, state.S[0]);
- le_store_word32(output_right + 4, state.S[1]);
- le_store_word32(output_right + 8, state.S[2]);
- le_store_word32(output_right + 12, state.S[3]);
- }
-}
-
-/**
- * \brief Applies one round of ForkSkinny-128-384 in reverse.
- *
- * \param state State to apply the round to.
- * \param round Number of the round to apply.
- */ -static void forkskinny_128_384_inv_round - (forkskinny_128_384_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Permute TK1 and TK2 for the next round */ - skinny128_inv_LFSR2(state->TK2[0]); - skinny128_inv_LFSR2(state->TK2[1]); - skinny128_inv_LFSR3(state->TK3[0]); - skinny128_inv_LFSR3(state->TK3[1]); - skinny128_inv_permute_tk(state->TK1); - skinny128_inv_permute_tk(state->TK2); - skinny128_inv_permute_tk(state->TK3); - - /* Inverse mix of the columns */ - temp = s0; - s0 = s1; - s1 = s2; - s2 = s3; - s3 = temp ^ s2; - s2 ^= s0; - s1 ^= s2; - - /* Shift the cells in the rows left, which moves the cell - * values down closer to the LSB. That is, we do a right - * rotate on the word to rotate the cells in the word left */ - s1 = rightRotate8(s1); - s2 = rightRotate16(s2); - s3 = rightRotate24(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all cells in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; -} - -void forkskinny_128_384_decrypt - (const unsigned char key[48], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_384_state_t state; - forkskinny_128_384_state_t fstate; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - 
state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = le_load_word32(key + 28); - state.TK3[0] = le_load_word32(key + 32); - state.TK3[1] = le_load_word32(key + 36); - state.TK3[2] = le_load_word32(key + 40); - state.TK3[3] = le_load_word32(key + 44); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { - skinny128_permute_tk(state.TK1); - skinny128_permute_tk(state.TK2); - skinny128_permute_tk(state.TK3); - skinny128_LFSR2(state.TK2[0]); - skinny128_LFSR2(state.TK2[1]); - skinny128_LFSR3(state.TK3[0]); - skinny128_LFSR3(state.TK3[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); - round > (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); --round) { - forkskinny_128_384_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x08040201U; - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_128_384_ROUNDS_AFTER; ++round) { - skinny128_inv_LFSR2(state.TK2[0]); - skinny128_inv_LFSR2(state.TK2[1]); - skinny128_inv_LFSR3(state.TK3[0]); - skinny128_inv_LFSR3(state.TK3[1]); - skinny128_inv_permute_tk(state.TK1); - skinny128_inv_permute_tk(state.TK2); - skinny128_inv_permute_tk(state.TK3); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = 
FORKSKINNY_128_384_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_128_384_inv_round(&state, round - 1); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&fstate, round); - } - le_store_word32(output_right, fstate.S[0]); - le_store_word32(output_right + 4, fstate.S[1]); - le_store_word32(output_right + 8, fstate.S[2]); - le_store_word32(output_right + 12, fstate.S[3]); -} - -/** - * \brief Number of rounds of ForkSkinny-64-192 before forking. - */ -#define FORKSKINNY_64_192_ROUNDS_BEFORE 17 - -/** - * \brief Number of rounds of ForkSkinny-64-192 after forking. - */ -#define FORKSKINNY_64_192_ROUNDS_AFTER 23 - -/** - * \brief State information for ForkSkinny-64-192. - */ -typedef struct -{ - uint16_t TK1[4]; /**< First part of the tweakey */ - uint16_t TK2[4]; /**< Second part of the tweakey */ - uint16_t TK3[4]; /**< Third part of the tweakey */ - uint16_t S[4]; /**< Current block state */ - -} forkskinny_64_192_state_t; - -/** - * \brief Applies one round of ForkSkinny-64-192. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - * - * Note: The cells of each row are order in big-endian nibble order - * so it is easiest to manage the rows in bit-endian byte order. 
- */ -static void forkskinny_64_192_round - (forkskinny_64_192_state_t *state, unsigned round) -{ - uint16_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Apply the S-box to all cells in the state */ - skinny64_sbox(s0); - skinny64_sbox(s1); - skinny64_sbox(s2); - skinny64_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - ((rc & 0x0F) << 12) ^ 0x0020; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ - ((rc & 0x70) << 8); - s2 ^= 0x2000; - - /* Shift the cells in the rows right */ - s1 = rightRotate4_16(s1); - s2 = rightRotate8_16(s2); - s3 = rightRotate12_16(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny64_permute_tk(state->TK1); - skinny64_permute_tk(state->TK2); - skinny64_permute_tk(state->TK3); - skinny64_LFSR2(state->TK2[0]); - skinny64_LFSR2(state->TK2[1]); - skinny64_LFSR3(state->TK3[0]); - skinny64_LFSR3(state->TK3[1]); -} - -void forkskinny_64_192_encrypt - (const unsigned char key[24], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_64_192_state_t state; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = be_load_word16(key); - state.TK1[1] = be_load_word16(key + 2); - state.TK1[2] = be_load_word16(key + 4); - state.TK1[3] = be_load_word16(key + 6); - state.TK2[0] = be_load_word16(key + 8); - state.TK2[1] = be_load_word16(key + 10); - state.TK2[2] = be_load_word16(key + 12); - state.TK2[3] = be_load_word16(key + 14); - state.TK3[0] = be_load_word16(key + 16); - state.TK3[1] = 
be_load_word16(key + 18); - state.TK3[2] = be_load_word16(key + 20); - state.TK3[3] = be_load_word16(key + 22); - state.S[0] = be_load_word16(input); - state.S[1] = be_load_word16(input + 2); - state.S[2] = be_load_word16(input + 4); - state.S[3] = be_load_word16(input + 6); - - /* Run all of the rounds before the forking point */ - for (round = 0; round < FORKSKINNY_64_192_ROUNDS_BEFORE; ++round) { - forkskinny_64_192_round(&state, round); - } - - /* Determine which output blocks we need */ - if (output_left && output_right) { - /* We need both outputs so save the state at the forking point */ - uint16_t F[4]; - F[0] = state.S[0]; - F[1] = state.S[1]; - F[2] = state.S[2]; - F[3] = state.S[3]; - - /* Generate the right output block */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_right, state.S[0]); - be_store_word16(output_right + 2, state.S[1]); - be_store_word16(output_right + 4, state.S[2]); - be_store_word16(output_right + 6, state.S[3]); - - /* Restore the state at the forking point */ - state.S[0] = F[0]; - state.S[1] = F[1]; - state.S[2] = F[2]; - state.S[3] = F[3]; - } - if (output_left) { - /* Generate the left output block */ - state.S[0] ^= 0x1249U; /* Branching constant */ - state.S[1] ^= 0x36daU; - state.S[2] ^= 0x5b7fU; - state.S[3] ^= 0xec81U; - for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_left, state.S[0]); - be_store_word16(output_left + 2, state.S[1]); - be_store_word16(output_left + 4, state.S[2]); - be_store_word16(output_left + 6, state.S[3]); - } else { - /* We only need the right output block */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < 
(FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_right, state.S[0]); - be_store_word16(output_right + 2, state.S[1]); - be_store_word16(output_right + 4, state.S[2]); - be_store_word16(output_right + 6, state.S[3]); - } -} - -/** - * \brief Applies one round of ForkSkinny-64-192 in reverse. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - */ -static void forkskinny_64_192_inv_round - (forkskinny_64_192_state_t *state, unsigned round) -{ - uint16_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny64_inv_LFSR2(state->TK2[0]); - skinny64_inv_LFSR2(state->TK2[1]); - skinny64_inv_LFSR3(state->TK3[0]); - skinny64_inv_LFSR3(state->TK3[1]); - skinny64_inv_permute_tk(state->TK1); - skinny64_inv_permute_tk(state->TK2); - skinny64_inv_permute_tk(state->TK3); - - /* Inverse mix of the columns */ - temp = s0; - s0 = s1; - s1 = s2; - s2 = s3; - s3 = temp ^ s2; - s2 ^= s0; - s1 ^= s2; - - /* Shift the cells in the rows left */ - s1 = leftRotate4_16(s1); - s2 = leftRotate8_16(s2); - s3 = leftRotate12_16(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - ((rc & 0x0F) << 12) ^ 0x0020; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ - ((rc & 0x70) << 8); - s2 ^= 0x2000; - - /* Apply the inverse of the S-box to all cells in the state */ - skinny64_inv_sbox(s0); - skinny64_inv_sbox(s1); - skinny64_inv_sbox(s2); - skinny64_inv_sbox(s3); - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; -} - -void forkskinny_64_192_decrypt - (const unsigned char key[24], unsigned char *output_left, - 
unsigned char *output_right, const unsigned char *input) -{ - forkskinny_64_192_state_t state; - forkskinny_64_192_state_t fstate; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = be_load_word16(key); - state.TK1[1] = be_load_word16(key + 2); - state.TK1[2] = be_load_word16(key + 4); - state.TK1[3] = be_load_word16(key + 6); - state.TK2[0] = be_load_word16(key + 8); - state.TK2[1] = be_load_word16(key + 10); - state.TK2[2] = be_load_word16(key + 12); - state.TK2[3] = be_load_word16(key + 14); - state.TK3[0] = be_load_word16(key + 16); - state.TK3[1] = be_load_word16(key + 18); - state.TK3[2] = be_load_word16(key + 20); - state.TK3[3] = be_load_word16(key + 22); - state.S[0] = be_load_word16(input); - state.S[1] = be_load_word16(input + 2); - state.S[2] = be_load_word16(input + 4); - state.S[3] = be_load_word16(input + 6); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { - skinny64_permute_tk(state.TK1); - skinny64_permute_tk(state.TK2); - skinny64_permute_tk(state.TK3); - skinny64_LFSR2(state.TK2[0]); - skinny64_LFSR2(state.TK2[1]); - skinny64_LFSR3(state.TK3[0]); - skinny64_LFSR3(state.TK3[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); - round > (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); --round) { - forkskinny_64_192_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x1249U; - state.S[1] ^= 0x36daU; - state.S[2] ^= 0x5b7fU; - state.S[3] ^= 0xec81U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_64_192_ROUNDS_AFTER; ++round) { - skinny64_inv_LFSR2(state.TK2[0]); - skinny64_inv_LFSR2(state.TK2[1]); - skinny64_inv_LFSR3(state.TK3[0]); - 
skinny64_inv_LFSR3(state.TK3[1]); - skinny64_inv_permute_tk(state.TK1); - skinny64_inv_permute_tk(state.TK2); - skinny64_inv_permute_tk(state.TK3); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_64_192_inv_round(&state, round - 1); - } - be_store_word16(output_left, state.S[0]); - be_store_word16(output_left + 2, state.S[1]); - be_store_word16(output_left + 4, state.S[2]); - be_store_word16(output_left + 6, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&fstate, round); - } - be_store_word16(output_right, fstate.S[0]); - be_store_word16(output_right + 2, fstate.S[1]); - be_store_word16(output_right + 4, fstate.S[2]); - be_store_word16(output_right + 6, fstate.S[3]); -} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-forkskinny.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-forkskinny.h deleted file mode 100644 index 0c1a707..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-forkskinny.h +++ /dev/null 
@@ -1,141 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_FORKSKINNY_H
-#define LW_INTERNAL_FORKSKINNY_H
-
-/**
- * \file internal-forkskinny.h
- * \brief ForkSkinny block cipher family.
- *
- * ForkSkinny is a modified version of the SKINNY block cipher that
- * supports "forking": half-way through the rounds the cipher is
- * forked in two different directions to produce two different outputs.
- *
- * References: https://www.esat.kuleuven.be/cosic/forkae/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts a block of plaintext with ForkSkinny-128-256.
- *
- * \param key 256-bit tweakey for ForkSkinny-128-256.
- * \param output_left Left output block for the ciphertext, or NULL if
- * the left output is not required.
- * \param output_right Right output block for the authentication tag,
- * or NULL if the right output is not required.
- * \param input 128-bit input plaintext block.
- *
- * ForkSkinny-128-192 also uses this function with a padded tweakey.
- */
-void forkskinny_128_256_encrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Decrypts a block of ciphertext with ForkSkinny-128-256.
- *
- * \param key 256-bit tweakey for ForkSkinny-128-256.
- * \param output_left Left output block, which is the plaintext.
- * \param output_right Right output block for the authentication tag.
- * \param input 128-bit input ciphertext block.
- *
- * Both output blocks will be populated; neither is optional.
- */
-void forkskinny_128_256_decrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Encrypts a block of plaintext with ForkSkinny-128-384.
- *
- * \param key 384-bit tweakey for ForkSkinny-128-384.
- * \param output_left Left output block for the ciphertext, or NULL if
- * the left output is not required.
- * \param output_right Right output block for the authentication tag,
- * or NULL if the right output is not required.
- * \param input 128-bit input plaintext block.
- *
- * ForkSkinny-128-288 also uses this function with a padded tweakey.
- */
-void forkskinny_128_384_encrypt
- (const unsigned char key[48], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Decrypts a block of ciphertext with ForkSkinny-128-384.
- *
- * \param key 384-bit tweakey for ForkSkinny-128-384.
- * \param output_left Left output block, which is the plaintext.
- * \param output_right Right output block for the authentication tag.
- * \param input 128-bit input ciphertext block.
- *
- * Both output blocks will be populated; neither is optional.
- */
-void forkskinny_128_384_decrypt
- (const unsigned char key[48], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Encrypts a block of input with ForkSkinny-64-192.
- *
- * \param key 192-bit tweakey for ForkSkinny-64-192.
- * \param output_left First output block, or NULL if left is not required.
- * \param output_right Second output block, or NULL if right is not required.
- * \param input 64-bit input block.
- */
-/**
- * \brief Encrypts a block of plaintext with ForkSkinny-64-192.
- *
- * \param key 192-bit tweakey for ForkSkinny-64-192.
- * \param output_left Left output block for the ciphertext, or NULL if
- * the left output is not required.
- * \param output_right Right output block for the authentication tag,
- * or NULL if the right output is not required.
- * \param input 64-bit input plaintext block.
- */
-void forkskinny_64_192_encrypt
- (const unsigned char key[24], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Decrypts a block of ciphertext with ForkSkinny-64-192.
- *
- * \param key 192-bit tweakey for ForkSkinny-64-192.
- * \param output_left Left output block, which is the plaintext.
- * \param output_right Right output block for the authentication tag.
- * \param input 64-bit input ciphertext block.
- *
- * Both output blocks will be populated; neither is optional.
- */
-void forkskinny_64_192_decrypt
- (const unsigned char key[24], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-util.h b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-util.h
+++ b/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
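Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is pinned to `defined(__AVR__)` with no way to override it from the build, so the composed-rotation path can only be compiled and exercised by an AVR toolchain, and a host-side test cannot select it to check the hand-derived macros against the generic `leftRotate`/`rightRotate`. Allowing a command-line override keeps the AVR default and fixes both: wrap the selection as `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` / the existing `#if defined(__AVR__)` … `#endif` block / `#endif`. The header's existing comment already invites replacing the fixed-count macros on other targets that lack a barrel shifter, and this is the hook that would make that possible without editing the file.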
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/api.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/api.h deleted file mode 100644 index f04cc58..0000000 
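Review bot: The composed branch is 62 hand-derived rotate identities (for example `leftRotate5` as a rotate-left-8 followed by three rotate-right-1 steps, and every `rightRotateN` as `leftRotate(32-N)`), and a miscount would surface only as wrong ciphertext on AVR, because a host build takes the `!LW_CRYPTO_ROTATE32_COMPOSED` branch and its test vectors never touch these definitions. I verified the counts in this hunk, but it is worth a regression test that builds with the composed branch selected and asserts `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for all N in 1..31 over a few random 32-bit x. A short comment above `#else /* LW_CRYPTO_ROTATE32_COMPOSED */` would also help: `/* Every count below is a compile-time literal, so these expand to fixed shift sequences and stay constant-time. */`. A generic `leftRotate(a, bits)` with a runtime `bits` presumably compiles to a count-dependent shift loop on AVR (not verified here), which is one more reason the cipher code should only ever use the fixed-count forms on secret-dependent data.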
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 6
-#define CRYPTO_ABYTES 8
-#define CRYPTO_NOOVERLAP 1
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/encrypt.c b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/encrypt.c
deleted file mode 100644
index 275b77e..0000000
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "forkae.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return forkae_paef_64_192_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return forkae_paef_64_192_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/forkae.c b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/forkae.c
deleted file mode 100644
index 4a9671a..0000000
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/forkae.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "forkae.h"
-#include "internal-forkskinny.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const forkae_paef_64_192_cipher = {
- "PAEF-ForkSkinny-64-192",
- FORKAE_PAEF_64_192_KEY_SIZE,
- FORKAE_PAEF_64_192_NONCE_SIZE,
- FORKAE_PAEF_64_192_TAG_SIZE,
- AEAD_FLAG_NONE,
- forkae_paef_64_192_aead_encrypt,
- forkae_paef_64_192_aead_decrypt
-};
-
-aead_cipher_t const forkae_paef_128_192_cipher = {
- "PAEF-ForkSkinny-128-192",
- FORKAE_PAEF_128_192_KEY_SIZE,
- FORKAE_PAEF_128_192_NONCE_SIZE,
- FORKAE_PAEF_128_192_TAG_SIZE,
- AEAD_FLAG_NONE,
- forkae_paef_128_192_aead_encrypt,
- forkae_paef_128_192_aead_decrypt
-};
-
-aead_cipher_t const forkae_paef_128_256_cipher = {
- "PAEF-ForkSkinny-128-256",
- FORKAE_PAEF_128_256_KEY_SIZE,
- FORKAE_PAEF_128_256_NONCE_SIZE,
- FORKAE_PAEF_128_256_TAG_SIZE,
- AEAD_FLAG_NONE,
- forkae_paef_128_256_aead_encrypt,
- forkae_paef_128_256_aead_decrypt
-};
-
-aead_cipher_t const forkae_paef_128_288_cipher = {
- "PAEF-ForkSkinny-128-288",
- FORKAE_PAEF_128_288_KEY_SIZE,
- FORKAE_PAEF_128_288_NONCE_SIZE,
- FORKAE_PAEF_128_288_TAG_SIZE,
- AEAD_FLAG_NONE,
- forkae_paef_128_288_aead_encrypt,
- forkae_paef_128_288_aead_decrypt
-};
-
-aead_cipher_t const forkae_saef_128_192_cipher = {
- "SAEF-ForkSkinny-128-192",
- FORKAE_SAEF_128_192_KEY_SIZE,
- FORKAE_SAEF_128_192_NONCE_SIZE,
- FORKAE_SAEF_128_192_TAG_SIZE,
- AEAD_FLAG_NONE,
- forkae_saef_128_192_aead_encrypt,
- forkae_saef_128_192_aead_decrypt
-};
-
-aead_cipher_t const forkae_saef_128_256_cipher = {
- "SAEF-ForkSkinny-128-256",
- FORKAE_SAEF_128_256_KEY_SIZE,
- FORKAE_SAEF_128_256_NONCE_SIZE,
- FORKAE_SAEF_128_256_TAG_SIZE,
- AEAD_FLAG_NONE,
- forkae_saef_128_256_aead_encrypt,
- forkae_saef_128_256_aead_decrypt
-};
-
-/* PAEF-ForkSkinny-64-192 */
-#define FORKAE_ALG_NAME forkae_paef_64_192
-#define FORKAE_BLOCK_SIZE 8
-#define FORKAE_NONCE_SIZE FORKAE_PAEF_64_192_NONCE_SIZE
-#define FORKAE_COUNTER_SIZE 2
-#define FORKAE_TWEAKEY_SIZE 24
-#define FORKAE_BLOCK_FUNC forkskinny_64_192
-#include "internal-forkae-paef.h"
-
-/* PAEF-ForkSkinny-128-192 */
-#define FORKAE_ALG_NAME forkae_paef_128_192
-#define FORKAE_BLOCK_SIZE 16
-#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_192_NONCE_SIZE
-#define FORKAE_COUNTER_SIZE 2
-#define FORKAE_TWEAKEY_SIZE 32
-#define FORKAE_BLOCK_FUNC forkskinny_128_256
-#include "internal-forkae-paef.h"
-
-/* PAEF-ForkSkinny-128-256 */
-#define FORKAE_ALG_NAME forkae_paef_128_256
-#define FORKAE_BLOCK_SIZE 16
-#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_256_NONCE_SIZE
-#define FORKAE_COUNTER_SIZE 2
-#define FORKAE_TWEAKEY_SIZE 32
-#define FORKAE_BLOCK_FUNC forkskinny_128_256
-#include "internal-forkae-paef.h"
-
-/* PAEF-ForkSkinny-128-288 */
-#define FORKAE_ALG_NAME forkae_paef_128_288
-#define FORKAE_BLOCK_SIZE 16
-#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_288_NONCE_SIZE
-#define FORKAE_COUNTER_SIZE 7
-#define FORKAE_TWEAKEY_SIZE 48
-#define FORKAE_BLOCK_FUNC forkskinny_128_384
-#include "internal-forkae-paef.h"
-
-/* SAEF-ForkSkinny-128-192 */
-#define FORKAE_ALG_NAME forkae_saef_128_192
-#define FORKAE_BLOCK_SIZE 16
-#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_192_NONCE_SIZE
-#define FORKAE_TWEAKEY_SIZE 32
-#define FORKAE_TWEAKEY_REDUCED_SIZE 24
-#define FORKAE_BLOCK_FUNC forkskinny_128_256
-#include "internal-forkae-saef.h"
-
-/* SAEF-ForkSkinny-128-256 */
-#define FORKAE_ALG_NAME forkae_saef_128_256
-#define FORKAE_BLOCK_SIZE 16
-#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_256_NONCE_SIZE
-#define FORKAE_TWEAKEY_SIZE 32
-#define FORKAE_TWEAKEY_REDUCED_SIZE 32
-#define FORKAE_BLOCK_FUNC forkskinny_128_256
-#include "internal-forkae-saef.h"
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-forkae-paef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-forkae-paef.h
deleted file mode 100644
index 6f57b2b..0000000
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-forkae-paef.h
+++ /dev/null
@@ -1,273 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-/* We expect a number of macros to be defined before this file
- * is included to configure the underlying ForkAE PAEF variant.
- *
- * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_paef_128_256
- * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes).
- * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes.
- * FORKAE_COUNTER_SIZE Size of the counter value for the cipher in bytes.
- * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher.
- * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256
- */
-#if defined(FORKAE_ALG_NAME)
-
-#define FORKAE_CONCAT_INNER(name,suffix) name##suffix
-#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix)
-
-/* Limit on the amount of data we can process based on the counter size */
-#define FORKAE_PAEF_DATA_LIMIT \
- ((unsigned long long)((1ULL << (FORKAE_COUNTER_SIZE * 8)) * \
- (FORKAE_BLOCK_SIZE / 8)) - FORKAE_BLOCK_SIZE)
-
-/* Processes the associated data in PAEF mode */
-STATIC_INLINE void FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)
- (unsigned char tweakey[FORKAE_TWEAKEY_SIZE],
- unsigned long long counter, unsigned char domain)
-{
- unsigned posn;
- counter |= (((unsigned long long)domain) << (FORKAE_COUNTER_SIZE * 8 - 3));
- for (posn = 0; posn < FORKAE_COUNTER_SIZE; ++posn) {
- tweakey[16 + FORKAE_NONCE_SIZE + FORKAE_COUNTER_SIZE - 1 - posn] =
- (unsigned char)counter;
- counter >>= 8;
- }
-}
-
-/* Check that the last block is padded correctly; -1 if ok, 0 if not */
-STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding)
- (const unsigned char *block, unsigned len)
-{
- int check = block[0] ^ 0x80;
- while (len > 1) {
- --len;
- check |= block[len];
- }
- return (check - 1) >> 8;
-}
-
-int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char tweakey[FORKAE_TWEAKEY_SIZE];
- unsigned char tag[FORKAE_BLOCK_SIZE];
- unsigned char block[FORKAE_BLOCK_SIZE];
- unsigned long long counter;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + FORKAE_BLOCK_SIZE;
-
- /* Validate the size of the associated data and plaintext as there
- * is a limit on the size of the PAEF counter field */
- if (adlen > FORKAE_PAEF_DATA_LIMIT || mlen > FORKAE_PAEF_DATA_LIMIT)
- return -2;
-
- /* Format the initial tweakey with the key and nonce */
- memcpy(tweakey, k, 16);
- memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE);
- memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0,
- FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE);
-
- /* Tag value starts at zero. We will XOR this with all of the
- * intermediate tag values that are calculated for each block */
- memset(tag, 0, sizeof(tag));
-
- /* Process the associated data */
- counter = 1;
- while (adlen > FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- ad += FORKAE_BLOCK_SIZE;
- adlen -= FORKAE_BLOCK_SIZE;
- ++counter;
- }
- if (adlen == FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- } else if (adlen != 0 || mlen == 0) {
- unsigned temp = (unsigned)adlen;
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, sizeof(block) - temp - 1);
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- }
-
- /* If there is no message payload, then generate the tag and we are done */
- if (!mlen) {
- memcpy(c, tag, sizeof(tag));
- return 0;
- }
-
- /* Encrypt all plaintext blocks except the last */
- counter = 1;
- while (mlen > FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- c += FORKAE_BLOCK_SIZE;
- m += FORKAE_BLOCK_SIZE;
- mlen -= FORKAE_BLOCK_SIZE;
- ++counter;
- }
-
- /* Encrypt the last block and generate the final authentication tag */
- if (mlen == FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m);
- lw_xor_block(c, tag, FORKAE_BLOCK_SIZE);
- memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE);
- } else {
- unsigned temp = (unsigned)mlen;
- memcpy(block, m, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, sizeof(block) - temp - 1);
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block);
- lw_xor_block(c, tag, FORKAE_BLOCK_SIZE);
- memcpy(c + FORKAE_BLOCK_SIZE, block, temp);
- }
- return 0;
-}
-
-int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char tweakey[FORKAE_TWEAKEY_SIZE];
- unsigned char tag[FORKAE_BLOCK_SIZE];
- unsigned char block[FORKAE_BLOCK_SIZE];
- unsigned char *mtemp = m;
- unsigned long long counter;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < FORKAE_BLOCK_SIZE)
- return -1;
- clen -= FORKAE_BLOCK_SIZE;
- *mlen = clen;
-
- /* Validate the size of the associated data and plaintext as there
- * is a limit on the size of the PAEF counter field */
- if (adlen > FORKAE_PAEF_DATA_LIMIT || clen > FORKAE_PAEF_DATA_LIMIT)
- return -2;
-
- /* Format the initial tweakey with the key and nonce */
- memcpy(tweakey, k, 16);
- memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE);
- memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0,
- FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE);
-
- /* Tag value starts at zero. We will XOR this with all of the
- * intermediate tag values that are calculated for each block */
- memset(tag, 0, sizeof(tag));
-
- /* Process the associated data */
- counter = 1;
- while (adlen > FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- ad += FORKAE_BLOCK_SIZE;
- adlen -= FORKAE_BLOCK_SIZE;
- ++counter;
- }
- if (adlen == FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- } else if (adlen != 0 || clen == 0) {
- unsigned temp = (unsigned)adlen;
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, sizeof(block) - temp - 1);
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- }
-
- /* If there is no message payload, then check the tag and we are done */
- if (!clen)
- return aead_check_tag(m, clen, tag, c, sizeof(tag));
-
- /* Decrypt all ciphertext blocks except the last */
- counter = 1;
- while (clen > FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, c);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- c += FORKAE_BLOCK_SIZE;
- m += FORKAE_BLOCK_SIZE;
- clen -= FORKAE_BLOCK_SIZE;
- ++counter;
- }
-
- /* Decrypt the last block and check the final authentication tag */
- if (clen == FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5);
- lw_xor_block_2_src(m, c, tag, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, m);
- return aead_check_tag
- (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, sizeof(tag));
- } else {
- unsigned temp = (unsigned)clen;
- unsigned char block2[FORKAE_BLOCK_SIZE];
- int check;
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7);
- lw_xor_block_2_src(block2, tag, c, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)
- (tweakey, block2, block, block2);
- check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding)
- (block2 + temp, FORKAE_BLOCK_SIZE - temp);
- memcpy(m, block2, temp);
- return aead_check_tag_precheck
- (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check);
- }
-}
-
-#endif /* FORKAE_ALG_NAME */
-
-/* Now undefine everything so that we can include this file again for
- * another variant on the ForkAE PAEF algorithm */
-#undef FORKAE_ALG_NAME
-#undef FORKAE_BLOCK_SIZE
-#undef FORKAE_NONCE_SIZE
-#undef FORKAE_COUNTER_SIZE
-#undef FORKAE_TWEAKEY_SIZE
-#undef FORKAE_BLOCK_FUNC
-#undef FORKAE_CONCAT_INNER
-#undef FORKAE_CONCAT
-#undef FORKAE_PAEF_DATA_LIMIT
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-forkae-saef.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-forkae-saef.h
deleted file mode 100644
index 768bba4..0000000
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-forkae-saef.h
+++ /dev/null
@@ -1,251 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-/* We expect a number of macros to be defined before this file
- * is included to configure the underlying ForkAE SAEF variant.
- *
- * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_saef_128_256
- * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes).
- * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes.
- * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher.
- * FORKAE_REDUCED_TWEAKEY_SIZE Size of the reduced tweakey without padding.
- * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256
- */
-#if defined(FORKAE_ALG_NAME)
-
-#define FORKAE_CONCAT_INNER(name,suffix) name##suffix
-#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix)
-
-/* Check that the last block is padded correctly; -1 if ok, 0 if not */
-STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding)
- (const unsigned char *block, unsigned len)
-{
- int check = block[0] ^ 0x80;
- while (len > 1) {
- --len;
- check |= block[len];
- }
- return (check - 1) >> 8;
-}
-
-int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char tweakey[FORKAE_TWEAKEY_SIZE];
- unsigned char tag[FORKAE_BLOCK_SIZE];
- unsigned char block[FORKAE_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + FORKAE_BLOCK_SIZE;
-
- /* Format the initial tweakey with the key and nonce */
- memcpy(tweakey, k, 16);
- memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE);
- memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0,
- FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08;
-
- /* Tag value starts at zero */
- memset(tag, 0, sizeof(tag));
-
- /* Process the associated data */
- if (adlen > 0 || mlen == 0) {
- while (adlen > FORKAE_BLOCK_SIZE) {
- lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- ad += FORKAE_BLOCK_SIZE;
- adlen -= FORKAE_BLOCK_SIZE;
- }
- if (mlen == 0)
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04;
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02;
- if (adlen == FORKAE_BLOCK_SIZE) {
- lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- } else if (adlen != 0 || mlen == 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(tag, ad, temp);
- tag[temp] ^= 0x80;
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- }
- }
-
- /* If there is no message payload, then generate the tag and we are done */
- if (!mlen) {
- memcpy(c, tag, sizeof(tag));
- return 0;
- }
-
- /* Encrypt all plaintext blocks except the last */
- while (mlen > FORKAE_BLOCK_SIZE) {
- lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block);
- lw_xor_block(c, tag, FORKAE_BLOCK_SIZE);
- memcpy(tag, block, FORKAE_BLOCK_SIZE);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- c += FORKAE_BLOCK_SIZE;
- m += FORKAE_BLOCK_SIZE;
- mlen -= FORKAE_BLOCK_SIZE;
- }
-
- /* Encrypt the last block and generate the final authentication tag */
- if (mlen == FORKAE_BLOCK_SIZE) {
- lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block);
- lw_xor_block(c, tag, FORKAE_BLOCK_SIZE);
- memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE);
- } else {
- unsigned temp = (unsigned)mlen;
- memcpy(block, tag, FORKAE_BLOCK_SIZE);
- lw_xor_block(block, m, temp);
- block[temp] ^= 0x80;
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block);
- lw_xor_block(c, tag, FORKAE_BLOCK_SIZE);
- memcpy(c + FORKAE_BLOCK_SIZE, block, temp);
- }
- return 0;
-}
-
-int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char tweakey[FORKAE_TWEAKEY_SIZE];
- unsigned char tag[FORKAE_BLOCK_SIZE];
- unsigned char block[FORKAE_BLOCK_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < FORKAE_BLOCK_SIZE)
- return -1;
- clen -= FORKAE_BLOCK_SIZE;
- *mlen = clen;
-
- /* Format the initial tweakey with the key and nonce */
- memcpy(tweakey, k, 16);
- memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE);
- memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0,
- FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08;
-
- /* Tag value starts at zero */
- memset(tag, 0, sizeof(tag));
-
- /* Process the associated data */
- if (adlen > 0 || clen == 0) {
- while (adlen > FORKAE_BLOCK_SIZE) {
- lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- ad += FORKAE_BLOCK_SIZE;
- adlen -= FORKAE_BLOCK_SIZE;
- }
- if (clen == 0)
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04;
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02;
- if (adlen == FORKAE_BLOCK_SIZE) {
- lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- } else if (adlen != 0 || clen == 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(tag, ad, temp);
- tag[temp] ^= 0x80;
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- }
- }
-
- /* If there is no message payload, then check the tag and we are done */
- if (!clen)
- return aead_check_tag(m, clen, tag, c, sizeof(tag));
-
- /* Decrypt all ciphertext blocks except the last */
- while (clen > FORKAE_BLOCK_SIZE) {
- lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block);
- lw_xor_block(m, tag, FORKAE_BLOCK_SIZE);
- memcpy(tag, block, FORKAE_BLOCK_SIZE);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- c += FORKAE_BLOCK_SIZE;
- m += FORKAE_BLOCK_SIZE;
- clen -= FORKAE_BLOCK_SIZE;
- }
-
- /* Decrypt the last block and check the final authentication tag */
- if (clen == FORKAE_BLOCK_SIZE) {
- lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block);
- lw_xor_block(m, tag, FORKAE_BLOCK_SIZE);
- return aead_check_tag
- (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, FORKAE_BLOCK_SIZE);
- } else {
- unsigned temp = (unsigned)clen;
- unsigned char mblock[FORKAE_BLOCK_SIZE];
- int check;
- lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)
- (tweakey, mblock, block, block);
- lw_xor_block(mblock, tag, FORKAE_BLOCK_SIZE);
- memcpy(m, mblock, temp);
- check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding)
- (mblock + temp, FORKAE_BLOCK_SIZE - temp);
- return aead_check_tag_precheck
- (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check);
- }
-}
-
-#endif /* FORKAE_ALG_NAME */
-
-/* Now undefine everything so that we can include this file again for
- * another variant on the ForkAE SAEF algorithm */
-#undef FORKAE_ALG_NAME
-#undef FORKAE_BLOCK_SIZE
-#undef FORKAE_NONCE_SIZE
-#undef FORKAE_COUNTER_SIZE
-#undef FORKAE_TWEAKEY_SIZE
-#undef FORKAE_TWEAKEY_REDUCED_SIZE
-#undef FORKAE_BLOCK_FUNC
-#undef FORKAE_CONCAT_INNER
-#undef FORKAE_CONCAT
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-forkskinny.c b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-forkskinny.c
deleted file mode 100644
index b050ff1..0000000
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-forkskinny.c
+++ /dev/null
@@ -1,988 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-forkskinny.h"
-#include "internal-skinnyutil.h"
-
-/**
- * \brief 7-bit round constants for all ForkSkinny block ciphers.
- */
-static unsigned char const RC[87] = {
- 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7e, 0x7d,
- 0x7b, 0x77, 0x6f, 0x5f, 0x3e, 0x7c, 0x79, 0x73,
- 0x67, 0x4f, 0x1e, 0x3d, 0x7a, 0x75, 0x6b, 0x57,
- 0x2e, 0x5c, 0x38, 0x70, 0x61, 0x43, 0x06, 0x0d,
- 0x1b, 0x37, 0x6e, 0x5d, 0x3a, 0x74, 0x69, 0x53,
- 0x26, 0x4c, 0x18, 0x31, 0x62, 0x45, 0x0a, 0x15,
- 0x2b, 0x56, 0x2c, 0x58, 0x30, 0x60, 0x41, 0x02,
- 0x05, 0x0b, 0x17, 0x2f, 0x5e, 0x3c, 0x78, 0x71,
- 0x63, 0x47, 0x0e, 0x1d, 0x3b, 0x76, 0x6d, 0x5b,
- 0x36, 0x6c, 0x59, 0x32, 0x64, 0x49, 0x12, 0x25,
- 0x4a, 0x14, 0x29, 0x52, 0x24, 0x48, 0x10
-};
-
-/**
- * \brief Number of rounds of ForkSkinny-128-256 before forking.
- */
-#define FORKSKINNY_128_256_ROUNDS_BEFORE 21
-
-/**
- * \brief Number of rounds of ForkSkinny-128-256 after forking.
- */
-#define FORKSKINNY_128_256_ROUNDS_AFTER 27
-
-/**
- * \brief State information for ForkSkinny-128-256.
- */
-typedef struct
-{
- uint32_t TK1[4]; /**< First part of the tweakey */
- uint32_t TK2[4]; /**< Second part of the tweakey */
- uint32_t S[4]; /**< Current block state */
-
-} forkskinny_128_256_state_t;
-
-/**
- * \brief Applies one round of ForkSkinny-128-256.
- *
- * \param state State to apply the round to.
- * \param round Number of the round to apply.
- */
-static void forkskinny_128_256_round
- (forkskinny_128_256_state_t *state, unsigned round)
-{
- uint32_t s0, s1, s2, s3, temp;
- uint8_t rc;
-
- /* Load the state into local variables */
- s0 = state->S[0];
- s1 = state->S[1];
- s2 = state->S[2];
- s3 = state->S[3];
-
- /* Apply the S-box to all cells in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = RC[round];
- s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000;
- s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Save the local variables back to the state */
- state->S[0] = s0;
- state->S[1] = s1;
- state->S[2] = s2;
- state->S[3] = s3;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(state->TK1);
- skinny128_permute_tk(state->TK2);
- skinny128_LFSR2(state->TK2[0]);
- skinny128_LFSR2(state->TK2[1]);
-}
-
-void forkskinny_128_256_encrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input)
-{
- forkskinny_128_256_state_t state;
- unsigned round;
-
- /* Unpack the tweakey and the input */
- state.TK1[0] = le_load_word32(key);
- state.TK1[1] = le_load_word32(key + 4);
- state.TK1[2] = le_load_word32(key + 8);
- state.TK1[3] = le_load_word32(key + 12);
- state.TK2[0] = le_load_word32(key + 16);
- state.TK2[1] = le_load_word32(key + 20);
- state.TK2[2] = le_load_word32(key + 24);
- state.TK2[3] = le_load_word32(key + 28);
- state.S[0] = le_load_word32(input);
- state.S[1] = le_load_word32(input + 4);
- state.S[2] = le_load_word32(input + 8);
- state.S[3] = le_load_word32(input + 12);
-
- /* Run all of the rounds before the forking point */
- for (round = 0; round < FORKSKINNY_128_256_ROUNDS_BEFORE; ++round) {
- forkskinny_128_256_round(&state, round);
- }
-
- /* Determine which output blocks we need */
- if (output_left && output_right) {
- /* We need both outputs so save the state at the forking point */
- uint32_t F[4];
- F[0] = state.S[0];
- F[1] = state.S[1];
- F[2] = state.S[2];
- F[3] = state.S[3];
-
- /* Generate the right output block */
- for (round = FORKSKINNY_128_256_ROUNDS_BEFORE;
- round < (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER); ++round) {
- forkskinny_128_256_round(&state, round);
- }
- le_store_word32(output_right, state.S[0]);
- le_store_word32(output_right + 4, state.S[1]);
- le_store_word32(output_right + 8, state.S[2]);
- le_store_word32(output_right + 12, state.S[3]);
-
- /* Restore the state at the forking point */
- state.S[0] = F[0];
- state.S[1] = F[1];
- state.S[2] = F[2];
- state.S[3] = F[3];
- }
- if (output_left) {
- /* Generate the left output block */
- state.S[0] ^= 0x08040201U; /* Branching constant */
- state.S[1] ^= 0x82412010U;
- state.S[2] ^= 0x28140a05U;
- state.S[3] ^= 0x8844a251U;
- for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER);
- round < (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) {
- forkskinny_128_256_round(&state, round);
- }
- le_store_word32(output_left, state.S[0]);
- le_store_word32(output_left + 4, state.S[1]);
- le_store_word32(output_left + 8, state.S[2]);
- le_store_word32(output_left + 12, state.S[3]);
- } else {
- /* We only need the right output block */
- for (round = FORKSKINNY_128_256_ROUNDS_BEFORE;
- round < (FORKSKINNY_128_256_ROUNDS_BEFORE +
- FORKSKINNY_128_256_ROUNDS_AFTER); ++round) {
- forkskinny_128_256_round(&state, round);
- }
- le_store_word32(output_right, state.S[0]);
- le_store_word32(output_right + 4, state.S[1]);
- le_store_word32(output_right + 8, state.S[2]);
- le_store_word32(output_right + 12, state.S[3]);
- }
-}
-
-/**
- * \brief Applies one round of ForkSkinny-128-256 in reverse.
- *
- * \param state State to apply the round to.
- * \param round Number of the round to apply.
- */ -static void forkskinny_128_256_inv_round - (forkskinny_128_256_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Permute TK1 and TK2 for the next round */ - skinny128_inv_LFSR2(state->TK2[0]); - skinny128_inv_LFSR2(state->TK2[1]); - skinny128_inv_permute_tk(state->TK1); - skinny128_inv_permute_tk(state->TK2); - - /* Inverse mix of the columns */ - temp = s0; - s0 = s1; - s1 = s2; - s2 = s3; - s3 = temp ^ s2; - s2 ^= s0; - s1 ^= s2; - - /* Shift the cells in the rows left, which moves the cell - * values down closer to the LSB. That is, we do a right - * rotate on the word to rotate the cells in the word left */ - s1 = rightRotate8(s1); - s2 = rightRotate16(s2); - s3 = rightRotate24(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all cells in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; -} - -void forkskinny_128_256_decrypt - (const unsigned char key[32], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_256_state_t state; - forkskinny_128_256_state_t fstate; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = 
le_load_word32(key + 28); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { - skinny128_permute_tk(state.TK1); - skinny128_permute_tk(state.TK2); - skinny128_LFSR2(state.TK2[0]); - skinny128_LFSR2(state.TK2[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER * 2); - round > (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); --round) { - forkskinny_128_256_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x08040201U; - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_128_256_ROUNDS_AFTER; ++round) { - skinny128_inv_LFSR2(state.TK2[0]); - skinny128_inv_LFSR2(state.TK2[1]); - skinny128_inv_permute_tk(state.TK1); - skinny128_inv_permute_tk(state.TK2); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_128_256_inv_round(&state, round - 1); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { - 
forkskinny_128_256_round(&fstate, round); - } - le_store_word32(output_right, fstate.S[0]); - le_store_word32(output_right + 4, fstate.S[1]); - le_store_word32(output_right + 8, fstate.S[2]); - le_store_word32(output_right + 12, fstate.S[3]); -} - -/** - * \brief Number of rounds of ForkSkinny-128-384 before forking. - */ -#define FORKSKINNY_128_384_ROUNDS_BEFORE 25 - -/** - * \brief Number of rounds of ForkSkinny-128-384 after forking. - */ -#define FORKSKINNY_128_384_ROUNDS_AFTER 31 - -/** - * \brief State information for ForkSkinny-128-384. - */ -typedef struct -{ - uint32_t TK1[4]; /**< First part of the tweakey */ - uint32_t TK2[4]; /**< Second part of the tweakey */ - uint32_t TK3[4]; /**< Third part of the tweakey */ - uint32_t S[4]; /**< Current block state */ - -} forkskinny_128_384_state_t; - -/** - * \brief Applies one round of ForkSkinny-128-384. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - */ -static void forkskinny_128_384_round - (forkskinny_128_384_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Apply the S-box to all cells in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. 
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny128_permute_tk(state->TK1); - skinny128_permute_tk(state->TK2); - skinny128_permute_tk(state->TK3); - skinny128_LFSR2(state->TK2[0]); - skinny128_LFSR2(state->TK2[1]); - skinny128_LFSR3(state->TK3[0]); - skinny128_LFSR3(state->TK3[1]); -} - -void forkskinny_128_384_encrypt - (const unsigned char key[48], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_384_state_t state; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = le_load_word32(key + 28); - state.TK3[0] = le_load_word32(key + 32); - state.TK3[1] = le_load_word32(key + 36); - state.TK3[2] = le_load_word32(key + 40); - state.TK3[3] = le_load_word32(key + 44); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Run all of the rounds before the forking point */ - for (round = 0; round < FORKSKINNY_128_384_ROUNDS_BEFORE; ++round) { - forkskinny_128_384_round(&state, round); - } - - /* Determine which output blocks we need */ - if (output_left && output_right) { - /* We need both outputs so save the state at the forking point */ - uint32_t F[4]; - F[0] = 
state.S[0]; - F[1] = state.S[1]; - F[2] = state.S[2]; - F[3] = state.S[3]; - - /* Generate the right output block */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - - /* Restore the state at the forking point */ - state.S[0] = F[0]; - state.S[1] = F[1]; - state.S[2] = F[2]; - state.S[3] = F[3]; - } - if (output_left) { - /* Generate the left output block */ - state.S[0] ^= 0x08040201U; /* Branching constant */ - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { - forkskinny_128_384_round(&state, round); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - } else { - /* We only need the right output block */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - } -} - -/** - * \brief Applies one round of ForkSkinny-128-384 in reverse. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. 
- */ -static void forkskinny_128_384_inv_round - (forkskinny_128_384_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Permute TK1 and TK2 for the next round */ - skinny128_inv_LFSR2(state->TK2[0]); - skinny128_inv_LFSR2(state->TK2[1]); - skinny128_inv_LFSR3(state->TK3[0]); - skinny128_inv_LFSR3(state->TK3[1]); - skinny128_inv_permute_tk(state->TK1); - skinny128_inv_permute_tk(state->TK2); - skinny128_inv_permute_tk(state->TK3); - - /* Inverse mix of the columns */ - temp = s0; - s0 = s1; - s1 = s2; - s2 = s3; - s3 = temp ^ s2; - s2 ^= s0; - s1 ^= s2; - - /* Shift the cells in the rows left, which moves the cell - * values down closer to the LSB. That is, we do a right - * rotate on the word to rotate the cells in the word left */ - s1 = rightRotate8(s1); - s2 = rightRotate16(s2); - s3 = rightRotate24(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all cells in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; -} - -void forkskinny_128_384_decrypt - (const unsigned char key[48], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_384_state_t state; - forkskinny_128_384_state_t fstate; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - 
state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = le_load_word32(key + 28); - state.TK3[0] = le_load_word32(key + 32); - state.TK3[1] = le_load_word32(key + 36); - state.TK3[2] = le_load_word32(key + 40); - state.TK3[3] = le_load_word32(key + 44); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { - skinny128_permute_tk(state.TK1); - skinny128_permute_tk(state.TK2); - skinny128_permute_tk(state.TK3); - skinny128_LFSR2(state.TK2[0]); - skinny128_LFSR2(state.TK2[1]); - skinny128_LFSR3(state.TK3[0]); - skinny128_LFSR3(state.TK3[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); - round > (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); --round) { - forkskinny_128_384_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x08040201U; - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_128_384_ROUNDS_AFTER; ++round) { - skinny128_inv_LFSR2(state.TK2[0]); - skinny128_inv_LFSR2(state.TK2[1]); - skinny128_inv_LFSR3(state.TK3[0]); - skinny128_inv_LFSR3(state.TK3[1]); - skinny128_inv_permute_tk(state.TK1); - skinny128_inv_permute_tk(state.TK2); - skinny128_inv_permute_tk(state.TK3); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = 
FORKSKINNY_128_384_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_128_384_inv_round(&state, round - 1); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&fstate, round); - } - le_store_word32(output_right, fstate.S[0]); - le_store_word32(output_right + 4, fstate.S[1]); - le_store_word32(output_right + 8, fstate.S[2]); - le_store_word32(output_right + 12, fstate.S[3]); -} - -/** - * \brief Number of rounds of ForkSkinny-64-192 before forking. - */ -#define FORKSKINNY_64_192_ROUNDS_BEFORE 17 - -/** - * \brief Number of rounds of ForkSkinny-64-192 after forking. - */ -#define FORKSKINNY_64_192_ROUNDS_AFTER 23 - -/** - * \brief State information for ForkSkinny-64-192. - */ -typedef struct -{ - uint16_t TK1[4]; /**< First part of the tweakey */ - uint16_t TK2[4]; /**< Second part of the tweakey */ - uint16_t TK3[4]; /**< Third part of the tweakey */ - uint16_t S[4]; /**< Current block state */ - -} forkskinny_64_192_state_t; - -/** - * \brief Applies one round of ForkSkinny-64-192. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - * - * Note: The cells of each row are order in big-endian nibble order - * so it is easiest to manage the rows in bit-endian byte order. 
- */ -static void forkskinny_64_192_round - (forkskinny_64_192_state_t *state, unsigned round) -{ - uint16_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Apply the S-box to all cells in the state */ - skinny64_sbox(s0); - skinny64_sbox(s1); - skinny64_sbox(s2); - skinny64_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - ((rc & 0x0F) << 12) ^ 0x0020; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ - ((rc & 0x70) << 8); - s2 ^= 0x2000; - - /* Shift the cells in the rows right */ - s1 = rightRotate4_16(s1); - s2 = rightRotate8_16(s2); - s3 = rightRotate12_16(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny64_permute_tk(state->TK1); - skinny64_permute_tk(state->TK2); - skinny64_permute_tk(state->TK3); - skinny64_LFSR2(state->TK2[0]); - skinny64_LFSR2(state->TK2[1]); - skinny64_LFSR3(state->TK3[0]); - skinny64_LFSR3(state->TK3[1]); -} - -void forkskinny_64_192_encrypt - (const unsigned char key[24], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_64_192_state_t state; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = be_load_word16(key); - state.TK1[1] = be_load_word16(key + 2); - state.TK1[2] = be_load_word16(key + 4); - state.TK1[3] = be_load_word16(key + 6); - state.TK2[0] = be_load_word16(key + 8); - state.TK2[1] = be_load_word16(key + 10); - state.TK2[2] = be_load_word16(key + 12); - state.TK2[3] = be_load_word16(key + 14); - state.TK3[0] = be_load_word16(key + 16); - state.TK3[1] = 
be_load_word16(key + 18); - state.TK3[2] = be_load_word16(key + 20); - state.TK3[3] = be_load_word16(key + 22); - state.S[0] = be_load_word16(input); - state.S[1] = be_load_word16(input + 2); - state.S[2] = be_load_word16(input + 4); - state.S[3] = be_load_word16(input + 6); - - /* Run all of the rounds before the forking point */ - for (round = 0; round < FORKSKINNY_64_192_ROUNDS_BEFORE; ++round) { - forkskinny_64_192_round(&state, round); - } - - /* Determine which output blocks we need */ - if (output_left && output_right) { - /* We need both outputs so save the state at the forking point */ - uint16_t F[4]; - F[0] = state.S[0]; - F[1] = state.S[1]; - F[2] = state.S[2]; - F[3] = state.S[3]; - - /* Generate the right output block */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_right, state.S[0]); - be_store_word16(output_right + 2, state.S[1]); - be_store_word16(output_right + 4, state.S[2]); - be_store_word16(output_right + 6, state.S[3]); - - /* Restore the state at the forking point */ - state.S[0] = F[0]; - state.S[1] = F[1]; - state.S[2] = F[2]; - state.S[3] = F[3]; - } - if (output_left) { - /* Generate the left output block */ - state.S[0] ^= 0x1249U; /* Branching constant */ - state.S[1] ^= 0x36daU; - state.S[2] ^= 0x5b7fU; - state.S[3] ^= 0xec81U; - for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_left, state.S[0]); - be_store_word16(output_left + 2, state.S[1]); - be_store_word16(output_left + 4, state.S[2]); - be_store_word16(output_left + 6, state.S[3]); - } else { - /* We only need the right output block */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < 
(FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_right, state.S[0]); - be_store_word16(output_right + 2, state.S[1]); - be_store_word16(output_right + 4, state.S[2]); - be_store_word16(output_right + 6, state.S[3]); - } -} - -/** - * \brief Applies one round of ForkSkinny-64-192 in reverse. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - */ -static void forkskinny_64_192_inv_round - (forkskinny_64_192_state_t *state, unsigned round) -{ - uint16_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny64_inv_LFSR2(state->TK2[0]); - skinny64_inv_LFSR2(state->TK2[1]); - skinny64_inv_LFSR3(state->TK3[0]); - skinny64_inv_LFSR3(state->TK3[1]); - skinny64_inv_permute_tk(state->TK1); - skinny64_inv_permute_tk(state->TK2); - skinny64_inv_permute_tk(state->TK3); - - /* Inverse mix of the columns */ - temp = s0; - s0 = s1; - s1 = s2; - s2 = s3; - s3 = temp ^ s2; - s2 ^= s0; - s1 ^= s2; - - /* Shift the cells in the rows left */ - s1 = leftRotate4_16(s1); - s2 = leftRotate8_16(s2); - s3 = leftRotate12_16(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - ((rc & 0x0F) << 12) ^ 0x0020; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ - ((rc & 0x70) << 8); - s2 ^= 0x2000; - - /* Apply the inverse of the S-box to all cells in the state */ - skinny64_inv_sbox(s0); - skinny64_inv_sbox(s1); - skinny64_inv_sbox(s2); - skinny64_inv_sbox(s3); - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; -} - -void forkskinny_64_192_decrypt - (const unsigned char key[24], unsigned char *output_left, - 
unsigned char *output_right, const unsigned char *input) -{ - forkskinny_64_192_state_t state; - forkskinny_64_192_state_t fstate; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = be_load_word16(key); - state.TK1[1] = be_load_word16(key + 2); - state.TK1[2] = be_load_word16(key + 4); - state.TK1[3] = be_load_word16(key + 6); - state.TK2[0] = be_load_word16(key + 8); - state.TK2[1] = be_load_word16(key + 10); - state.TK2[2] = be_load_word16(key + 12); - state.TK2[3] = be_load_word16(key + 14); - state.TK3[0] = be_load_word16(key + 16); - state.TK3[1] = be_load_word16(key + 18); - state.TK3[2] = be_load_word16(key + 20); - state.TK3[3] = be_load_word16(key + 22); - state.S[0] = be_load_word16(input); - state.S[1] = be_load_word16(input + 2); - state.S[2] = be_load_word16(input + 4); - state.S[3] = be_load_word16(input + 6); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { - skinny64_permute_tk(state.TK1); - skinny64_permute_tk(state.TK2); - skinny64_permute_tk(state.TK3); - skinny64_LFSR2(state.TK2[0]); - skinny64_LFSR2(state.TK2[1]); - skinny64_LFSR3(state.TK3[0]); - skinny64_LFSR3(state.TK3[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); - round > (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); --round) { - forkskinny_64_192_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x1249U; - state.S[1] ^= 0x36daU; - state.S[2] ^= 0x5b7fU; - state.S[3] ^= 0xec81U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_64_192_ROUNDS_AFTER; ++round) { - skinny64_inv_LFSR2(state.TK2[0]); - skinny64_inv_LFSR2(state.TK2[1]); - skinny64_inv_LFSR3(state.TK3[0]); - 
skinny64_inv_LFSR3(state.TK3[1]); - skinny64_inv_permute_tk(state.TK1); - skinny64_inv_permute_tk(state.TK2); - skinny64_inv_permute_tk(state.TK3); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_64_192_inv_round(&state, round - 1); - } - be_store_word16(output_left, state.S[0]); - be_store_word16(output_left + 2, state.S[1]); - be_store_word16(output_left + 4, state.S[2]); - be_store_word16(output_left + 6, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&fstate, round); - } - be_store_word16(output_right, fstate.S[0]); - be_store_word16(output_right + 2, fstate.S[1]); - be_store_word16(output_right + 4, fstate.S[2]); - be_store_word16(output_right + 6, fstate.S[3]); -} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-forkskinny.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-forkskinny.h deleted file mode 100644 index 0c1a707..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-forkskinny.h +++ /dev/null 
@@ -1,141 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_FORKSKINNY_H -#define LW_INTERNAL_FORKSKINNY_H - -/** - * \file internal-forkskinny.h - * \brief ForkSkinny block cipher family. - * - * ForkSkinny is a modified version of the SKINNY block cipher that - * supports "forking": half-way through the rounds the cipher is - * forked in two different directions to produce two different outputs. - * - * References: https://www.esat.kuleuven.be/cosic/forkae/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts a block of plaintext with ForkSkinny-128-256. - * - * \param key 256-bit tweakey for ForkSkinny-128-256. - * \param output_left Left output block for the ciphertext, or NULL if - * the left output is not required. 
- * \param output_right Right output block for the authentication tag, - * or NULL if the right output is not required. - * \param input 128-bit input plaintext block. - * - * ForkSkinny-128-192 also uses this function with a padded tweakey. - */ -void forkskinny_128_256_encrypt - (const unsigned char key[32], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input); - -/** - * \brief Decrypts a block of ciphertext with ForkSkinny-128-256. - * - * \param key 256-bit tweakey for ForkSkinny-128-256. - * \param output_left Left output block, which is the plaintext. - * \param output_right Right output block for the authentication tag. - * \param input 128-bit input ciphertext block. - * - * Both output blocks will be populated; neither is optional. - */ -void forkskinny_128_256_decrypt - (const unsigned char key[32], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input); - -/** - * \brief Encrypts a block of plaintext with ForkSkinny-128-384. - * - * \param key 384-bit tweakey for ForkSkinny-128-384. - * \param output_left Left output block for the ciphertext, or NULL if - * the left output is not required. - * \param output_right Right output block for the authentication tag, - * or NULL if the right output is not required. - * \param input 128-bit input plaintext block. - * - * ForkSkinny-128-288 also uses this function with a padded tweakey. - */ -void forkskinny_128_384_encrypt - (const unsigned char key[48], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input); - -/** - * \brief Decrypts a block of ciphertext with ForkSkinny-128-384. - * - * \param key 384-bit tweakey for ForkSkinny-128-384. - * \param output_left Left output block, which is the plaintext. - * \param output_right Right output block for the authentication tag. - * \param input 128-bit input ciphertext block. - * - * Both output blocks will be populated; neither is optional. 
- */ -void forkskinny_128_384_decrypt - (const unsigned char key[48], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input); - -/** - * \brief Encrypts a block of input with ForkSkinny-64-192. - * - * \param key 192-bit tweakey for ForkSkinny-64-192. - * \param output_left First output block, or NULL if left is not required. - * \param output_right Second output block, or NULL if right is not required. - * \param input 64-bit input block. - */ -/** - * \brief Encrypts a block of plaintext with ForkSkinny-64-192. - * - * \param key 192-bit tweakey for ForkSkinny-64-192. - * \param output_left Left output block for the ciphertext, or NULL if - * the left output is not required. - * \param output_right Right output block for the authentication tag, - * or NULL if the right output is not required. - * \param input 64-bit input plaintext block. - */ -void forkskinny_64_192_encrypt - (const unsigned char key[24], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input); - -/** - * \brief Decrypts a block of ciphertext with ForkSkinny-64-192. - * - * \param key 192-bit tweakey for ForkSkinny-64-192. - * \param output_left Left output block, which is the plaintext. - * \param output_right Right output block for the authentication tag. - * \param input 64-bit input ciphertext block. - * - * Both output blocks will be populated; neither is optional. - */ -void forkskinny_64_192_decrypt - (const unsigned char key[24], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-skinnyutil.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-skinnyutil.h deleted file mode 100644 index 83136cb..0000000 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-skinnyutil.h +++ /dev/null 
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNYUTIL_H
-#define LW_INTERNAL_SKINNYUTIL_H
-
-/**
- * \file internal-skinnyutil.h
- * \brief Utilities to help implement SKINNY and its variants.
- */
-
-#include "internal-util.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** @cond skinnyutil */
-
-/* Utilities for implementing SKINNY-128 */
-
-#define skinny128_LFSR2(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \
- (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \
- } while (0)
-
-
-#define skinny128_LFSR3(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \
- (((_x << 7) ^ (_x << 1)) & 0x80808080U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x)
-#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x)
-
-#define skinny128_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint32_t row2 = tk[2]; \
- uint32_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 16) | (row3 >> 16); \
- tk[0] = ((row2 >> 8) & 0x000000FFU) | \
- ((row2 << 16) & 0x00FF0000U) | \
- ( row3 & 0xFF00FF00U); \
- tk[1] = ((row2 >> 16) & 0x000000FFU) | \
- (row2 & 0xFF000000U) | \
- ((row3 << 8) & 0x0000FF00U) | \
- ( row3 & 0x00FF0000U); \
- } while (0)
-
-#define skinny128_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint32_t row0 = tk[0]; \
- uint32_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 >> 16) & 0x000000FFU) | \
- ((row0 << 8) & 0x0000FF00U) | \
- ((row1 << 16) & 0x00FF0000U) | \
- ( row1 & 0xFF000000U); \
- tk[3] = ((row0 >> 16) & 0x0000FF00U) | \
- ((row0 << 16) & 0xFF000000U) | \
- ((row1 >> 16) & 0x000000FFU) | \
- ((row1 << 8) & 0x00FF0000U); \
- } while (0)
-
-/*
- * Apply the SKINNY sbox. The original version from the specification is
- * equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE(x)
- * ((((x) & 0x01010101U) << 2) |
- * (((x) & 0x06060606U) << 5) |
- * (((x) & 0x20202020U) >> 5) |
- * (((x) & 0xC8C8C8C8U) >> 2) |
- * (((x) & 0x10101010U) >> 1))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * return SBOX_SWAP(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \
- y = (((x >> 5) & (x << 1)) & 0x04040404U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \
- x = ((x & 0x08080808U) << 1) | \
- ((x & 0x32323232U) << 2) | \
- ((x & 0x01010101U) << 5) | \
- ((x & 0x80808080U) >> 6) | \
- ((x & 0x40404040U) >> 4) | \
- ((x & 0x04040404U) >> 2); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE_INV(x)
- * ((((x) & 0x08080808U) << 1) |
- * (((x) & 0x32323232U) << 2) |
- * (((x) & 0x01010101U) << 5) |
- * (((x) & 0xC0C0C0C0U) >> 5) |
- * (((x) & 0x04040404U) >> 2))
- *
- * x = SBOX_SWAP(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_inv_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- y = (((x >> 1) & (x >> 3)) & 0x01010101U); \
- x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \
- y = (((x >> 6) & (x >> 1)) & 0x02020202U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \
- x = ((x & 0x01010101U) << 2) | \
- ((x & 0x04040404U) << 4) | \
- ((x & 0x02020202U) << 6) | \
- ((x & 0x20202020U) >> 5) | \
- ((x & 0xC8C8C8C8U) >> 2) | \
- ((x & 0x10101010U) >> 1); \
-} while (0)
-
-/* Utilities for implementing SKINNY-64 */
-
-#define skinny64_LFSR2(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \
- } while (0)
-
-#define skinny64_LFSR3(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x)
-#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x)
-
-#define skinny64_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint16_t row2 = tk[2]; \
- uint16_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 8) | (row3 >> 8); \
- tk[0] = ((row2 << 4) & 0xF000U) | \
- ((row2 >> 8) & 0x00F0U) | \
- ( row3 & 0x0F0FU); \
- tk[1] = ((row2 << 8) & 0xF000U) | \
- ((row3 >> 4) & 0x0F00U) | \
- ( row3 & 0x00F0U) | \
- ( row2 & 0x000FU); \
- } while (0)
-
-#define skinny64_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint16_t row0 = tk[0]; \
- uint16_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 << 8) & 0xF000U) | \
- ((row0 >> 4) & 0x0F00U) | \
- ((row1 >> 8) & 0x00F0U) | \
- ( row1 & 0x000FU); \
- tk[3] = ((row1 << 8) & 0xF000U) | \
- ((row0 << 8) & 0x0F00U) | \
- ((row1 >> 4) & 0x00F0U) | \
- ((row0 >> 8) & 0x000FU); \
- } while (0)
-
-/*
- * Apply the SKINNY-64 sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT(x)
- * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_SHIFT steps to be performed with one final rotation.
- * This reduces the number of required shift operations from 14 to 10.
- *
- * We can further reduce the number of NOT operations from 4 to 2
- * using the technique from https://github.com/kste/skinny_avx to
- * convert NOR-XOR operations into AND-XOR operations by converting
- * the S-box into its NOT-inverse.
- */
-#define skinny64_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \
- x = ~x; \
- x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY-64 sbox. The original version
- * from the specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT_INV(x)
- * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * return SBOX_MIX(x);
- */
-#define skinny64_inv_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = ~x; \
- x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \
-} while (0)
-
-/** @endcond */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-util.h b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-util.h
+++ b/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
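Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is derived from `__AVR__` with no way to override it, so the composed rotation table that the `#else` branch selects further down is compiled only on an AVR target and a host build never exercises it. Wrapping the selection as `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` around the existing `#if defined(__AVR__)` block would let a host test build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and compare every composed macro against the barrel-shifter version before the code ships on the target where it is hard to observe. The second hunk's `#if !LW_CRYPTO_ROTATE32_COMPOSED` works unchanged with such a guard.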
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/aead-common.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
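Review bot: Every step of a composed macro re-expands the generic `leftRotate`/`rightRotate` macro, so `leftRotate12(a)` and `leftRotate20(a)` nest five copies of it; the generic macro's head is outside this hunk, but the `_temp` tail visible in the previous hunk suggests each copy is a statement expression declaring its own `_temp`, in which case the inner copies shadow the outer one and a `-Wshadow` build warns five deep on every use. That is a style and documentation point rather than a defect, since the shadowing is well-defined; a comment above the table such as `/* Each step re-expands the generic rotate macro; the optimiser is expected to fold the chain into single-bit and byte rotates */` would save the next reader from re-deriving why the nesting is safe. The `rightRotateN` aliases at the end resolve to `leftRotate(32-N)`, which bottoms out in the generic macros rather than in another alias, so there is no circular expansion; saying so in the `/* Define the 32-bit right rotations ... */` comment would make that explicit.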
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/aead-common.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/api.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/api.h
deleted file mode 100644
index 40ffe7c..0000000
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 7
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/encrypt.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/encrypt.c
deleted file mode 100644
index 5cbb412..0000000
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "forkae.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return forkae_saef_128_192_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return forkae_saef_128_192_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/forkae.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/forkae.c
deleted file mode 100644
index 4a9671a..0000000
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/forkae.c
+++ /dev/null
@@ -1,140 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "forkae.h" -#include "internal-forkskinny.h" -#include "internal-util.h" -#include - -aead_cipher_t const forkae_paef_64_192_cipher = { - "PAEF-ForkSkinny-64-192", - FORKAE_PAEF_64_192_KEY_SIZE, - FORKAE_PAEF_64_192_NONCE_SIZE, - FORKAE_PAEF_64_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_64_192_aead_encrypt, - forkae_paef_64_192_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_192_cipher = { - "PAEF-ForkSkinny-128-192", - FORKAE_PAEF_128_192_KEY_SIZE, - FORKAE_PAEF_128_192_NONCE_SIZE, - FORKAE_PAEF_128_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_192_aead_encrypt, - forkae_paef_128_192_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_256_cipher = { - "PAEF-ForkSkinny-128-256", - FORKAE_PAEF_128_256_KEY_SIZE, - FORKAE_PAEF_128_256_NONCE_SIZE, - FORKAE_PAEF_128_256_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_256_aead_encrypt, - forkae_paef_128_256_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_288_cipher = { - "PAEF-ForkSkinny-128-288", - FORKAE_PAEF_128_288_KEY_SIZE, - FORKAE_PAEF_128_288_NONCE_SIZE, - FORKAE_PAEF_128_288_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_288_aead_encrypt, - forkae_paef_128_288_aead_decrypt -}; - -aead_cipher_t const forkae_saef_128_192_cipher = { - "SAEF-ForkSkinny-128-192", - FORKAE_SAEF_128_192_KEY_SIZE, - FORKAE_SAEF_128_192_NONCE_SIZE, - FORKAE_SAEF_128_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_saef_128_192_aead_encrypt, - forkae_saef_128_192_aead_decrypt -}; - -aead_cipher_t const forkae_saef_128_256_cipher = { - "SAEF-ForkSkinny-128-256", - FORKAE_SAEF_128_256_KEY_SIZE, - FORKAE_SAEF_128_256_NONCE_SIZE, - FORKAE_SAEF_128_256_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_saef_128_256_aead_encrypt, - forkae_saef_128_256_aead_decrypt -}; - -/* PAEF-ForkSkinny-64-192 */ -#define FORKAE_ALG_NAME forkae_paef_64_192 -#define FORKAE_BLOCK_SIZE 8 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_64_192_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 24 -#define FORKAE_BLOCK_FUNC 
forkskinny_64_192 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-192 */ -#define FORKAE_ALG_NAME forkae_paef_128_192 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_192_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-256 */ -#define FORKAE_ALG_NAME forkae_paef_128_256 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_256_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-288 */ -#define FORKAE_ALG_NAME forkae_paef_128_288 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_288_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 7 -#define FORKAE_TWEAKEY_SIZE 48 -#define FORKAE_BLOCK_FUNC forkskinny_128_384 -#include "internal-forkae-paef.h" - -/* SAEF-ForkSkinny-128-192 */ -#define FORKAE_ALG_NAME forkae_saef_128_192 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_192_NONCE_SIZE -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_TWEAKEY_REDUCED_SIZE 24 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-saef.h" - -/* SAEF-ForkSkinny-128-256 */ -#define FORKAE_ALG_NAME forkae_saef_128_256 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_256_NONCE_SIZE -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_TWEAKEY_REDUCED_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-saef.h" diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/forkae.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/forkae.h deleted file mode 100644 index 3e27b50..0000000 --- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/forkae.h +++ /dev/null 
@@ -1,551 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_FORKAE_H -#define LWCRYPTO_FORKAE_H - -#include "aead-common.h" - -/** - * \file forkae.h - * \brief ForkAE authenticated encryption algorithm family. - * - * ForkAE is a family of authenticated encryption algorithms based on a - * modified version of the SKINNY tweakable block cipher. The modifications - * introduce "forking" where each input block produces two output blocks - * for use in encryption and authentication. There are six members in - * the ForkAE family: - * - * \li PAEF-ForkSkinny-64-192 has a 128-bit key, a 48-bit nonce, and a - * 64-bit authentication tag. The associated data and plaintext are - * limited to 216 bytes. - * \li PAEF-ForkSkinny-128-192 has a 128-bit key, a 48-bit nonce, and a - * 128-bit authentication tag. 
The associated data and plaintext are - * limited to 217 bytes. - * \li PAEF-ForkSkinny-128-256 has a 128-bit key, a 112-bit nonce, and a - * 128-bit authentication tag. The associated data and plaintext are - * limited to 217 bytes. - * \li PAEF-ForkSkinny-128-288 has a 128-bit key, a 104-bit nonce, and a - * 128-bit authentication tag. The associated data and plaintext are - * limited to 257 bytes. This is the primary member of the family. - * \li SAEF-ForkSkinny-128-192 has a 128-bit key, a 56-bit nonce, and a - * 128-bit authentication tag. The associated data and plaintext may be - * unlimited in size. - * \li SAEF-ForkSkinny-128-256 has a 128-bit key, a 120-bit nonce, and a - * 128-bit authentication tag. The associated data and plaintext may be - * unlimited in size. - * - * The PAEF variants support parallel encryption and decryption for - * higher throughput. The SAEF variants encrypt or decrypt blocks - * sequentially. - * - * ForkAE is designed to be efficient on small packet sizes so most of - * the PAEF algorithms have a limit of 64k or 128k on the amount of - * payload in a single packet. Obviously the input can be split into - * separate packets for larger amounts of data. - * - * References: https://www.esat.kuleuven.be/cosic/forkae/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for PAEF-ForkSkinny-64-192. - */ -#define FORKAE_PAEF_64_192_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PAEF-ForkSkinny-64-192. - */ -#define FORKAE_PAEF_64_192_TAG_SIZE 8 - -/** - * \brief Size of the nonce for PAEF-ForkSkinny-64-192. - */ -#define FORKAE_PAEF_64_192_NONCE_SIZE 6 - -/** - * \brief Size of the key for PAEF-ForkSkinny-128-192. - */ -#define FORKAE_PAEF_128_192_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-192. - */ -#define FORKAE_PAEF_128_192_TAG_SIZE 16 - -/** - * \brief Size of the nonce for PAEF-ForkSkinny-128-192. 
- */ -#define FORKAE_PAEF_128_192_NONCE_SIZE 6 - -/** - * \brief Size of the key for PAEF-ForkSkinny-128-256. - */ -#define FORKAE_PAEF_128_256_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-256. - */ -#define FORKAE_PAEF_128_256_TAG_SIZE 16 - -/** - * \brief Size of the nonce for PAEF-ForkSkinny-128-256. - */ -#define FORKAE_PAEF_128_256_NONCE_SIZE 14 - -/** - * \brief Size of the key for PAEF-ForkSkinny-128-288. - */ -#define FORKAE_PAEF_128_288_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-288. - */ -#define FORKAE_PAEF_128_288_TAG_SIZE 16 - -/** - * \brief Size of the nonce for PAEF-ForkSkinny-128-288. - */ -#define FORKAE_PAEF_128_288_NONCE_SIZE 13 - -/** - * \brief Size of the key for SAEF-ForkSkinny-128-192. - */ -#define FORKAE_SAEF_128_192_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for SAEF-ForkSkinny-128-192. - */ -#define FORKAE_SAEF_128_192_TAG_SIZE 16 - -/** - * \brief Size of the nonce for SAEF-ForkSkinny-128-192. - */ -#define FORKAE_SAEF_128_192_NONCE_SIZE 7 - -/** - * \brief Size of the key for SAEF-ForkSkinny-128-256. - */ -#define FORKAE_SAEF_128_256_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for SAEF-ForkSkinny-128-256. - */ -#define FORKAE_SAEF_128_256_TAG_SIZE 16 - -/** - * \brief Size of the nonce for SAEF-ForkSkinny-128-256. - */ -#define FORKAE_SAEF_128_256_NONCE_SIZE 15 - -/** - * \brief Meta-information block for the PAEF-ForkSkinny-64-192 cipher. - */ -extern aead_cipher_t const forkae_paef_64_192_cipher; - -/** - * \brief Meta-information block for the PAEF-ForkSkinny-128-192 cipher. - */ -extern aead_cipher_t const forkae_paef_128_192_cipher; - -/** - * \brief Meta-information block for the PAEF-ForkSkinny-128-256 cipher. - */ -extern aead_cipher_t const forkae_paef_128_256_cipher; - -/** - * \brief Meta-information block for the PAEF-ForkSkinny-128-288 cipher. 
- */ -extern aead_cipher_t const forkae_paef_128_288_cipher; - -/** - * \brief Meta-information block for the SAEF-ForkSkinny-128-192 cipher. - */ -extern aead_cipher_t const forkae_saef_128_192_cipher; - -/** - * \brief Meta-information block for the SAEF-ForkSkinny-128-256 cipher. - */ -extern aead_cipher_t const forkae_saef_128_256_cipher; - -/** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-64-192. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa forkae_paef_64_192_aead_decrypt() - */ -int forkae_paef_64_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-64-192. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. 
- * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa forkae_paef_64_192_aead_encrypt() - */ -int forkae_paef_64_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-192. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa forkae_paef_128_192_aead_decrypt() - */ -int forkae_paef_128_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-192. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa forkae_paef_128_192_aead_encrypt() - */ -int forkae_paef_128_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-256. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. 
- * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 14 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa forkae_paef_128_256_aead_decrypt() - */ -int forkae_paef_128_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-256. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 14 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa forkae_paef_128_256_aead_encrypt() - */ -int forkae_paef_128_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-288. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 13 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa forkae_paef_128_288_aead_decrypt() - */ -int forkae_paef_128_288_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-288. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. 
- * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 13 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa forkae_paef_128_288_aead_encrypt() - */ -int forkae_paef_128_288_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-192. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 7 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa forkae_saef_128_192_aead_decrypt() - */ -int forkae_saef_128_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-192. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 7 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa forkae_saef_128_192_aead_encrypt() - */ -int forkae_saef_128_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-256. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. 
- * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa forkae_saef_128_256_aead_decrypt() - */ -int forkae_saef_128_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-256. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa forkae_saef_128_256_aead_encrypt() - */ -int forkae_saef_128_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-forkae-paef.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-forkae-paef.h deleted file mode 100644 index 6f57b2b..0000000 --- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-forkae-paef.h +++ /dev/null 
@@ -1,273 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -/* We expect a number of macros to be defined before this file - * is included to configure the underlying ForkAE PAEF variant. - * - * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_paef_128_256 - * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). - * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. - * FORKAE_COUNTER_SIZE Size of the counter value for the cipher in bytes. - * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. - * FORKAE_BLOCK_FUNC Name of the block function; e.g. 
forkskinny_128_256 - */ -#if defined(FORKAE_ALG_NAME) - -#define FORKAE_CONCAT_INNER(name,suffix) name##suffix -#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) - -/* Limit on the amount of data we can process based on the counter size */ -#define FORKAE_PAEF_DATA_LIMIT \ - ((unsigned long long)((1ULL << (FORKAE_COUNTER_SIZE * 8)) * \ - (FORKAE_BLOCK_SIZE / 8)) - FORKAE_BLOCK_SIZE) - -/* Processes the associated data in PAEF mode */ -STATIC_INLINE void FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter) - (unsigned char tweakey[FORKAE_TWEAKEY_SIZE], - unsigned long long counter, unsigned char domain) -{ - unsigned posn; - counter |= (((unsigned long long)domain) << (FORKAE_COUNTER_SIZE * 8 - 3)); - for (posn = 0; posn < FORKAE_COUNTER_SIZE; ++posn) { - tweakey[16 + FORKAE_NONCE_SIZE + FORKAE_COUNTER_SIZE - 1 - posn] = - (unsigned char)counter; - counter >>= 8; - } -} - -/* Check that the last block is padded correctly; -1 if ok, 0 if not */ -STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (const unsigned char *block, unsigned len) -{ - int check = block[0] ^ 0x80; - while (len > 1) { - --len; - check |= block[len]; - } - return (check - 1) >> 8; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - unsigned long long counter; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + FORKAE_BLOCK_SIZE; - - /* Validate the size of the associated data and plaintext as there - * is a limit on the size of the PAEF counter field */ - if (adlen > FORKAE_PAEF_DATA_LIMIT || mlen > FORKAE_PAEF_DATA_LIMIT) - return -2; - - /* Format the initial tweakey with the 
key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - - /* Tag value starts at zero. We will XOR this with all of the - * intermediate tag values that are calculated for each block */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - counter = 1; - while (adlen > FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - ++counter; - } - if (adlen == FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - } else if (adlen != 0 || mlen == 0) { - unsigned temp = (unsigned)adlen; - memcpy(block, ad, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, sizeof(block) - temp - 1); - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - } - - /* If there is no message payload, then generate the tag and we are done */ - if (!mlen) { - memcpy(c, tag, sizeof(tag)); - return 0; - } - - /* Encrypt all plaintext blocks except the last */ - counter = 1; - while (mlen > FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - c += FORKAE_BLOCK_SIZE; - m += FORKAE_BLOCK_SIZE; - mlen -= FORKAE_BLOCK_SIZE; - ++counter; - } - - /* Encrypt the last block and generate the final authentication tag */ - if (mlen == FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); - 
FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); - } else { - unsigned temp = (unsigned)mlen; - memcpy(block, m, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, sizeof(block) - temp - 1); - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, temp); - } - return 0; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - unsigned char *mtemp = m; - unsigned long long counter; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < FORKAE_BLOCK_SIZE) - return -1; - clen -= FORKAE_BLOCK_SIZE; - *mlen = clen; - - /* Validate the size of the associated data and plaintext as there - * is a limit on the size of the PAEF counter field */ - if (adlen > FORKAE_PAEF_DATA_LIMIT || clen > FORKAE_PAEF_DATA_LIMIT) - return -2; - - /* Format the initial tweakey with the key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - - /* Tag value starts at zero. 
We will XOR this with all of the - * intermediate tag values that are calculated for each block */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - counter = 1; - while (adlen > FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - ++counter; - } - if (adlen == FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - } else if (adlen != 0 || clen == 0) { - unsigned temp = (unsigned)adlen; - memcpy(block, ad, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, sizeof(block) - temp - 1); - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - } - - /* If there is no message payload, then check the tag and we are done */ - if (!clen) - return aead_check_tag(m, clen, tag, c, sizeof(tag)); - - /* Decrypt all ciphertext blocks except the last */ - counter = 1; - while (clen > FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, c); - lw_xor_block(tag, block, FORKAE_BLOCK_SIZE); - c += FORKAE_BLOCK_SIZE; - m += FORKAE_BLOCK_SIZE; - clen -= FORKAE_BLOCK_SIZE; - ++counter; - } - - /* Decrypt the last block and check the final authentication tag */ - if (clen == FORKAE_BLOCK_SIZE) { - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5); - lw_xor_block_2_src(m, c, tag, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, m); - return aead_check_tag - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, sizeof(tag)); - } else { - 
unsigned temp = (unsigned)clen; - unsigned char block2[FORKAE_BLOCK_SIZE]; - int check; - FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7); - lw_xor_block_2_src(block2, tag, c, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) - (tweakey, block2, block, block2); - check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (block2 + temp, FORKAE_BLOCK_SIZE - temp); - memcpy(m, block2, temp); - return aead_check_tag_precheck - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); - } -} - -#endif /* FORKAE_ALG_NAME */ - -/* Now undefine everything so that we can include this file again for - * another variant on the ForkAE PAEF algorithm */ -#undef FORKAE_ALG_NAME -#undef FORKAE_BLOCK_SIZE -#undef FORKAE_NONCE_SIZE -#undef FORKAE_COUNTER_SIZE -#undef FORKAE_TWEAKEY_SIZE -#undef FORKAE_BLOCK_FUNC -#undef FORKAE_CONCAT_INNER -#undef FORKAE_CONCAT -#undef FORKAE_PAEF_DATA_LIMIT diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-forkae-saef.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-forkae-saef.h deleted file mode 100644 index 768bba4..0000000 --- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-forkae-saef.h +++ /dev/null 
@@ -1,251 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-/* We expect a number of macros to be defined before this file
- * is included to configure the underlying ForkAE SAEF variant.
- *
- * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_saef_128_256
- * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes).
- * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes.
- * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher.
- * FORKAE_REDUCED_TWEAKEY_SIZE Size of the reduced tweakey without padding.
- * FORKAE_BLOCK_FUNC Name of the block function; e.g. 
forkskinny_128_256 - */ -#if defined(FORKAE_ALG_NAME) - -#define FORKAE_CONCAT_INNER(name,suffix) name##suffix -#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) - -/* Check that the last block is padded correctly; -1 if ok, 0 if not */ -STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (const unsigned char *block, unsigned len) -{ - int check = block[0] ^ 0x80; - while (len > 1) { - --len; - check |= block[len]; - } - return (check - 1) >> 8; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + FORKAE_BLOCK_SIZE; - - /* Format the initial tweakey with the key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; - - /* Tag value starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - if (adlen > 0 || mlen == 0) { - while (adlen > FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - } - if (mlen == 0) - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; - if (adlen == FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 
16); - } else if (adlen != 0 || mlen == 0) { - unsigned temp = (unsigned)adlen; - lw_xor_block(tag, ad, temp); - tag[temp] ^= 0x80; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - } - } - - /* If there is no message payload, then generate the tag and we are done */ - if (!mlen) { - memcpy(c, tag, sizeof(tag)); - return 0; - } - - /* Encrypt all plaintext blocks except the last */ - while (mlen > FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(tag, block, FORKAE_BLOCK_SIZE); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - c += FORKAE_BLOCK_SIZE; - m += FORKAE_BLOCK_SIZE; - mlen -= FORKAE_BLOCK_SIZE; - } - - /* Encrypt the last block and generate the final authentication tag */ - if (mlen == FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); - } else { - unsigned temp = (unsigned)mlen; - memcpy(block, tag, FORKAE_BLOCK_SIZE); - lw_xor_block(block, m, temp); - block[temp] ^= 0x80; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, temp); - } - return 0; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - 
unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < FORKAE_BLOCK_SIZE) - return -1; - clen -= FORKAE_BLOCK_SIZE; - *mlen = clen; - - /* Format the initial tweakey with the key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; - - /* Tag value starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - if (adlen > 0 || clen == 0) { - while (adlen > FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - } - if (clen == 0) - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; - if (adlen == FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - } else if (adlen != 0 || clen == 0) { - unsigned temp = (unsigned)adlen; - lw_xor_block(tag, ad, temp); - tag[temp] ^= 0x80; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - } - } - - /* If there is no message payload, then check the tag and we are done */ - if (!clen) - return aead_check_tag(m, clen, tag, c, sizeof(tag)); - - /* Decrypt all ciphertext blocks except the last */ - while (clen > FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - 
FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); - lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); - memcpy(tag, block, FORKAE_BLOCK_SIZE); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - c += FORKAE_BLOCK_SIZE; - m += FORKAE_BLOCK_SIZE; - clen -= FORKAE_BLOCK_SIZE; - } - - /* Decrypt the last block and check the final authentication tag */ - if (clen == FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block); - lw_xor_block(m, tag, FORKAE_BLOCK_SIZE); - return aead_check_tag - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, FORKAE_BLOCK_SIZE); - } else { - unsigned temp = (unsigned)clen; - unsigned char mblock[FORKAE_BLOCK_SIZE]; - int check; - lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) - (tweakey, mblock, block, block); - lw_xor_block(mblock, tag, FORKAE_BLOCK_SIZE); - memcpy(m, mblock, temp); - check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (mblock + temp, FORKAE_BLOCK_SIZE - temp); - return aead_check_tag_precheck - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check); - } -} - -#endif /* FORKAE_ALG_NAME */ - -/* Now undefine everything so that we can include this file again for - * another variant on the ForkAE SAEF algorithm */ -#undef FORKAE_ALG_NAME -#undef FORKAE_BLOCK_SIZE -#undef FORKAE_NONCE_SIZE -#undef FORKAE_COUNTER_SIZE -#undef FORKAE_TWEAKEY_SIZE -#undef FORKAE_TWEAKEY_REDUCED_SIZE -#undef FORKAE_BLOCK_FUNC -#undef FORKAE_CONCAT_INNER -#undef FORKAE_CONCAT diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-forkskinny.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-forkskinny.c deleted file mode 100644 index b050ff1..0000000 
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-forkskinny.c
+++ /dev/null
@@ -1,988 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-forkskinny.h"
-#include "internal-skinnyutil.h"
-
-/**
- * \brief 7-bit round constants for all ForkSkinny block ciphers.
- */
-static unsigned char const RC[87] = {
- 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7e, 0x7d,
- 0x7b, 0x77, 0x6f, 0x5f, 0x3e, 0x7c, 0x79, 0x73,
- 0x67, 0x4f, 0x1e, 0x3d, 0x7a, 0x75, 0x6b, 0x57,
- 0x2e, 0x5c, 0x38, 0x70, 0x61, 0x43, 0x06, 0x0d,
- 0x1b, 0x37, 0x6e, 0x5d, 0x3a, 0x74, 0x69, 0x53,
- 0x26, 0x4c, 0x18, 0x31, 0x62, 0x45, 0x0a, 0x15,
- 0x2b, 0x56, 0x2c, 0x58, 0x30, 0x60, 0x41, 0x02,
- 0x05, 0x0b, 0x17, 0x2f, 0x5e, 0x3c, 0x78, 0x71,
- 0x63, 0x47, 0x0e, 0x1d, 0x3b, 0x76, 0x6d, 0x5b,
- 0x36, 0x6c, 0x59, 0x32, 0x64, 0x49, 0x12, 0x25,
- 0x4a, 0x14, 0x29, 0x52, 0x24, 0x48, 0x10
-};
-
-/**
- * \brief Number of rounds of ForkSkinny-128-256 before forking. 
- */
-#define FORKSKINNY_128_256_ROUNDS_BEFORE 21
-
-/**
- * \brief Number of rounds of ForkSkinny-128-256 after forking.
- */
-#define FORKSKINNY_128_256_ROUNDS_AFTER 27
-
-/**
- * \brief State information for ForkSkinny-128-256.
- */
-typedef struct
-{
- uint32_t TK1[4]; /**< First part of the tweakey */
- uint32_t TK2[4]; /**< Second part of the tweakey */
- uint32_t S[4]; /**< Current block state */
-
-} forkskinny_128_256_state_t;
-
-/**
- * \brief Applies one round of ForkSkinny-128-256.
- *
- * \param state State to apply the round to.
- * \param round Number of the round to apply.
- */
-static void forkskinny_128_256_round
- (forkskinny_128_256_state_t *state, unsigned round)
-{
- uint32_t s0, s1, s2, s3, temp;
- uint8_t rc;
-
- /* Load the state into local variables */
- s0 = state->S[0];
- s1 = state->S[1];
- s2 = state->S[2];
- s3 = state->S[3];
-
- /* Apply the S-box to all cells in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = RC[round];
- s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000;
- s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. 
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(state->TK1); - skinny128_permute_tk(state->TK2); - skinny128_LFSR2(state->TK2[0]); - skinny128_LFSR2(state->TK2[1]); -} - -void forkskinny_128_256_encrypt - (const unsigned char key[32], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_256_state_t state; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = le_load_word32(key + 28); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Run all of the rounds before the forking point */ - for (round = 0; round < FORKSKINNY_128_256_ROUNDS_BEFORE; ++round) { - forkskinny_128_256_round(&state, round); - } - - /* Determine which output blocks we need */ - if (output_left && output_right) { - /* We need both outputs so save the state at the forking point */ - uint32_t F[4]; - F[0] = state.S[0]; - F[1] = state.S[1]; - F[2] = state.S[2]; - F[3] = state.S[3]; - - /* Generate the right output block */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { - 
forkskinny_128_256_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - - /* Restore the state at the forking point */ - state.S[0] = F[0]; - state.S[1] = F[1]; - state.S[2] = F[2]; - state.S[3] = F[3]; - } - if (output_left) { - /* Generate the left output block */ - state.S[0] ^= 0x08040201U; /* Branching constant */ - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { - forkskinny_128_256_round(&state, round); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - } else { - /* We only need the right output block */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { - forkskinny_128_256_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - } -} - -/** - * \brief Applies one round of ForkSkinny-128-256 in reverse. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. 
- */
-static void forkskinny_128_256_inv_round
- (forkskinny_128_256_state_t *state, unsigned round)
-{
- uint32_t s0, s1, s2, s3, temp;
- uint8_t rc;
-
- /* Load the state into local variables */
- s0 = state->S[0];
- s1 = state->S[1];
- s2 = state->S[2];
- s3 = state->S[3];
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_inv_LFSR2(state->TK2[0]);
- skinny128_inv_LFSR2(state->TK2[1]);
- skinny128_inv_permute_tk(state->TK1);
- skinny128_inv_permute_tk(state->TK2);
-
- /* Inverse mix of the columns */
- temp = s0;
- s0 = s1;
- s1 = s2;
- s2 = s3;
- s3 = temp ^ s2;
- s2 ^= s0;
- s1 ^= s2;
-
- /* Shift the cells in the rows left, which moves the cell
- * values down closer to the LSB. That is, we do a right
- * rotate on the word to rotate the cells in the word left */
- s1 = rightRotate8(s1);
- s2 = rightRotate16(s2);
- s3 = rightRotate24(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = RC[round];
- s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000;
- s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all cells in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
-
- /* Save the local variables back to the state */
- state->S[0] = s0;
- state->S[1] = s1;
- state->S[2] = s2;
- state->S[3] = s3;
-}
-
-void forkskinny_128_256_decrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input)
-{
- forkskinny_128_256_state_t state;
- forkskinny_128_256_state_t fstate;
- unsigned round;
-
- /* Unpack the tweakey and the input */
- state.TK1[0] = le_load_word32(key);
- state.TK1[1] = le_load_word32(key + 4);
- state.TK1[2] = le_load_word32(key + 8);
- state.TK1[3] = le_load_word32(key + 12);
- state.TK2[0] = le_load_word32(key + 16);
- state.TK2[1] = le_load_word32(key + 20);
- state.TK2[2] = le_load_word32(key + 24);
- state.TK2[3] = 
le_load_word32(key + 28); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { - skinny128_permute_tk(state.TK1); - skinny128_permute_tk(state.TK2); - skinny128_LFSR2(state.TK2[0]); - skinny128_LFSR2(state.TK2[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER * 2); - round > (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); --round) { - forkskinny_128_256_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x08040201U; - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_128_256_ROUNDS_AFTER; ++round) { - skinny128_inv_LFSR2(state.TK2[0]); - skinny128_inv_LFSR2(state.TK2[1]); - skinny128_inv_permute_tk(state.TK1); - skinny128_inv_permute_tk(state.TK2); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_128_256_inv_round(&state, round - 1); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { - 
forkskinny_128_256_round(&fstate, round); - } - le_store_word32(output_right, fstate.S[0]); - le_store_word32(output_right + 4, fstate.S[1]); - le_store_word32(output_right + 8, fstate.S[2]); - le_store_word32(output_right + 12, fstate.S[3]); -} - -/** - * \brief Number of rounds of ForkSkinny-128-384 before forking. - */ -#define FORKSKINNY_128_384_ROUNDS_BEFORE 25 - -/** - * \brief Number of rounds of ForkSkinny-128-384 after forking. - */ -#define FORKSKINNY_128_384_ROUNDS_AFTER 31 - -/** - * \brief State information for ForkSkinny-128-384. - */ -typedef struct -{ - uint32_t TK1[4]; /**< First part of the tweakey */ - uint32_t TK2[4]; /**< Second part of the tweakey */ - uint32_t TK3[4]; /**< Third part of the tweakey */ - uint32_t S[4]; /**< Current block state */ - -} forkskinny_128_384_state_t; - -/** - * \brief Applies one round of ForkSkinny-128-384. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - */ -static void forkskinny_128_384_round - (forkskinny_128_384_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Apply the S-box to all cells in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. 
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny128_permute_tk(state->TK1); - skinny128_permute_tk(state->TK2); - skinny128_permute_tk(state->TK3); - skinny128_LFSR2(state->TK2[0]); - skinny128_LFSR2(state->TK2[1]); - skinny128_LFSR3(state->TK3[0]); - skinny128_LFSR3(state->TK3[1]); -} - -void forkskinny_128_384_encrypt - (const unsigned char key[48], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_384_state_t state; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = le_load_word32(key + 28); - state.TK3[0] = le_load_word32(key + 32); - state.TK3[1] = le_load_word32(key + 36); - state.TK3[2] = le_load_word32(key + 40); - state.TK3[3] = le_load_word32(key + 44); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Run all of the rounds before the forking point */ - for (round = 0; round < FORKSKINNY_128_384_ROUNDS_BEFORE; ++round) { - forkskinny_128_384_round(&state, round); - } - - /* Determine which output blocks we need */ - if (output_left && output_right) { - /* We need both outputs so save the state at the forking point */ - uint32_t F[4]; - F[0] = 
state.S[0]; - F[1] = state.S[1]; - F[2] = state.S[2]; - F[3] = state.S[3]; - - /* Generate the right output block */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - - /* Restore the state at the forking point */ - state.S[0] = F[0]; - state.S[1] = F[1]; - state.S[2] = F[2]; - state.S[3] = F[3]; - } - if (output_left) { - /* Generate the left output block */ - state.S[0] ^= 0x08040201U; /* Branching constant */ - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { - forkskinny_128_384_round(&state, round); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - } else { - /* We only need the right output block */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - } -} - -/** - * \brief Applies one round of ForkSkinny-128-384 in reverse. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. 
- */ -static void forkskinny_128_384_inv_round - (forkskinny_128_384_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Permute TK1 and TK2 for the next round */ - skinny128_inv_LFSR2(state->TK2[0]); - skinny128_inv_LFSR2(state->TK2[1]); - skinny128_inv_LFSR3(state->TK3[0]); - skinny128_inv_LFSR3(state->TK3[1]); - skinny128_inv_permute_tk(state->TK1); - skinny128_inv_permute_tk(state->TK2); - skinny128_inv_permute_tk(state->TK3); - - /* Inverse mix of the columns */ - temp = s0; - s0 = s1; - s1 = s2; - s2 = s3; - s3 = temp ^ s2; - s2 ^= s0; - s1 ^= s2; - - /* Shift the cells in the rows left, which moves the cell - * values down closer to the LSB. That is, we do a right - * rotate on the word to rotate the cells in the word left */ - s1 = rightRotate8(s1); - s2 = rightRotate16(s2); - s3 = rightRotate24(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all cells in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; -} - -void forkskinny_128_384_decrypt - (const unsigned char key[48], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_384_state_t state; - forkskinny_128_384_state_t fstate; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - 
state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = le_load_word32(key + 28); - state.TK3[0] = le_load_word32(key + 32); - state.TK3[1] = le_load_word32(key + 36); - state.TK3[2] = le_load_word32(key + 40); - state.TK3[3] = le_load_word32(key + 44); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { - skinny128_permute_tk(state.TK1); - skinny128_permute_tk(state.TK2); - skinny128_permute_tk(state.TK3); - skinny128_LFSR2(state.TK2[0]); - skinny128_LFSR2(state.TK2[1]); - skinny128_LFSR3(state.TK3[0]); - skinny128_LFSR3(state.TK3[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); - round > (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); --round) { - forkskinny_128_384_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x08040201U; - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_128_384_ROUNDS_AFTER; ++round) { - skinny128_inv_LFSR2(state.TK2[0]); - skinny128_inv_LFSR2(state.TK2[1]); - skinny128_inv_LFSR3(state.TK3[0]); - skinny128_inv_LFSR3(state.TK3[1]); - skinny128_inv_permute_tk(state.TK1); - skinny128_inv_permute_tk(state.TK2); - skinny128_inv_permute_tk(state.TK3); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = 
FORKSKINNY_128_384_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_128_384_inv_round(&state, round - 1); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&fstate, round); - } - le_store_word32(output_right, fstate.S[0]); - le_store_word32(output_right + 4, fstate.S[1]); - le_store_word32(output_right + 8, fstate.S[2]); - le_store_word32(output_right + 12, fstate.S[3]); -} - -/** - * \brief Number of rounds of ForkSkinny-64-192 before forking. - */ -#define FORKSKINNY_64_192_ROUNDS_BEFORE 17 - -/** - * \brief Number of rounds of ForkSkinny-64-192 after forking. - */ -#define FORKSKINNY_64_192_ROUNDS_AFTER 23 - -/** - * \brief State information for ForkSkinny-64-192. - */ -typedef struct -{ - uint16_t TK1[4]; /**< First part of the tweakey */ - uint16_t TK2[4]; /**< Second part of the tweakey */ - uint16_t TK3[4]; /**< Third part of the tweakey */ - uint16_t S[4]; /**< Current block state */ - -} forkskinny_64_192_state_t; - -/** - * \brief Applies one round of ForkSkinny-64-192. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - * - * Note: The cells of each row are order in big-endian nibble order - * so it is easiest to manage the rows in bit-endian byte order. 
- */ -static void forkskinny_64_192_round - (forkskinny_64_192_state_t *state, unsigned round) -{ - uint16_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Apply the S-box to all cells in the state */ - skinny64_sbox(s0); - skinny64_sbox(s1); - skinny64_sbox(s2); - skinny64_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - ((rc & 0x0F) << 12) ^ 0x0020; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ - ((rc & 0x70) << 8); - s2 ^= 0x2000; - - /* Shift the cells in the rows right */ - s1 = rightRotate4_16(s1); - s2 = rightRotate8_16(s2); - s3 = rightRotate12_16(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny64_permute_tk(state->TK1); - skinny64_permute_tk(state->TK2); - skinny64_permute_tk(state->TK3); - skinny64_LFSR2(state->TK2[0]); - skinny64_LFSR2(state->TK2[1]); - skinny64_LFSR3(state->TK3[0]); - skinny64_LFSR3(state->TK3[1]); -} - -void forkskinny_64_192_encrypt - (const unsigned char key[24], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_64_192_state_t state; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = be_load_word16(key); - state.TK1[1] = be_load_word16(key + 2); - state.TK1[2] = be_load_word16(key + 4); - state.TK1[3] = be_load_word16(key + 6); - state.TK2[0] = be_load_word16(key + 8); - state.TK2[1] = be_load_word16(key + 10); - state.TK2[2] = be_load_word16(key + 12); - state.TK2[3] = be_load_word16(key + 14); - state.TK3[0] = be_load_word16(key + 16); - state.TK3[1] = 
be_load_word16(key + 18); - state.TK3[2] = be_load_word16(key + 20); - state.TK3[3] = be_load_word16(key + 22); - state.S[0] = be_load_word16(input); - state.S[1] = be_load_word16(input + 2); - state.S[2] = be_load_word16(input + 4); - state.S[3] = be_load_word16(input + 6); - - /* Run all of the rounds before the forking point */ - for (round = 0; round < FORKSKINNY_64_192_ROUNDS_BEFORE; ++round) { - forkskinny_64_192_round(&state, round); - } - - /* Determine which output blocks we need */ - if (output_left && output_right) { - /* We need both outputs so save the state at the forking point */ - uint16_t F[4]; - F[0] = state.S[0]; - F[1] = state.S[1]; - F[2] = state.S[2]; - F[3] = state.S[3]; - - /* Generate the right output block */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_right, state.S[0]); - be_store_word16(output_right + 2, state.S[1]); - be_store_word16(output_right + 4, state.S[2]); - be_store_word16(output_right + 6, state.S[3]); - - /* Restore the state at the forking point */ - state.S[0] = F[0]; - state.S[1] = F[1]; - state.S[2] = F[2]; - state.S[3] = F[3]; - } - if (output_left) { - /* Generate the left output block */ - state.S[0] ^= 0x1249U; /* Branching constant */ - state.S[1] ^= 0x36daU; - state.S[2] ^= 0x5b7fU; - state.S[3] ^= 0xec81U; - for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_left, state.S[0]); - be_store_word16(output_left + 2, state.S[1]); - be_store_word16(output_left + 4, state.S[2]); - be_store_word16(output_left + 6, state.S[3]); - } else { - /* We only need the right output block */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < 
(FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_right, state.S[0]); - be_store_word16(output_right + 2, state.S[1]); - be_store_word16(output_right + 4, state.S[2]); - be_store_word16(output_right + 6, state.S[3]); - } -} - -/** - * \brief Applies one round of ForkSkinny-64-192 in reverse. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - */ -static void forkskinny_64_192_inv_round - (forkskinny_64_192_state_t *state, unsigned round) -{ - uint16_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny64_inv_LFSR2(state->TK2[0]); - skinny64_inv_LFSR2(state->TK2[1]); - skinny64_inv_LFSR3(state->TK3[0]); - skinny64_inv_LFSR3(state->TK3[1]); - skinny64_inv_permute_tk(state->TK1); - skinny64_inv_permute_tk(state->TK2); - skinny64_inv_permute_tk(state->TK3); - - /* Inverse mix of the columns */ - temp = s0; - s0 = s1; - s1 = s2; - s2 = s3; - s3 = temp ^ s2; - s2 ^= s0; - s1 ^= s2; - - /* Shift the cells in the rows left */ - s1 = leftRotate4_16(s1); - s2 = leftRotate8_16(s2); - s3 = leftRotate12_16(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - ((rc & 0x0F) << 12) ^ 0x0020; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ - ((rc & 0x70) << 8); - s2 ^= 0x2000; - - /* Apply the inverse of the S-box to all cells in the state */ - skinny64_inv_sbox(s0); - skinny64_inv_sbox(s1); - skinny64_inv_sbox(s2); - skinny64_inv_sbox(s3); - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; -} - -void forkskinny_64_192_decrypt - (const unsigned char key[24], unsigned char *output_left, - 
unsigned char *output_right, const unsigned char *input) -{ - forkskinny_64_192_state_t state; - forkskinny_64_192_state_t fstate; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = be_load_word16(key); - state.TK1[1] = be_load_word16(key + 2); - state.TK1[2] = be_load_word16(key + 4); - state.TK1[3] = be_load_word16(key + 6); - state.TK2[0] = be_load_word16(key + 8); - state.TK2[1] = be_load_word16(key + 10); - state.TK2[2] = be_load_word16(key + 12); - state.TK2[3] = be_load_word16(key + 14); - state.TK3[0] = be_load_word16(key + 16); - state.TK3[1] = be_load_word16(key + 18); - state.TK3[2] = be_load_word16(key + 20); - state.TK3[3] = be_load_word16(key + 22); - state.S[0] = be_load_word16(input); - state.S[1] = be_load_word16(input + 2); - state.S[2] = be_load_word16(input + 4); - state.S[3] = be_load_word16(input + 6); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { - skinny64_permute_tk(state.TK1); - skinny64_permute_tk(state.TK2); - skinny64_permute_tk(state.TK3); - skinny64_LFSR2(state.TK2[0]); - skinny64_LFSR2(state.TK2[1]); - skinny64_LFSR3(state.TK3[0]); - skinny64_LFSR3(state.TK3[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); - round > (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); --round) { - forkskinny_64_192_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x1249U; - state.S[1] ^= 0x36daU; - state.S[2] ^= 0x5b7fU; - state.S[3] ^= 0xec81U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_64_192_ROUNDS_AFTER; ++round) { - skinny64_inv_LFSR2(state.TK2[0]); - skinny64_inv_LFSR2(state.TK2[1]); - skinny64_inv_LFSR3(state.TK3[0]); - 
skinny64_inv_LFSR3(state.TK3[1]); - skinny64_inv_permute_tk(state.TK1); - skinny64_inv_permute_tk(state.TK2); - skinny64_inv_permute_tk(state.TK3); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_64_192_inv_round(&state, round - 1); - } - be_store_word16(output_left, state.S[0]); - be_store_word16(output_left + 2, state.S[1]); - be_store_word16(output_left + 4, state.S[2]); - be_store_word16(output_left + 6, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&fstate, round); - } - be_store_word16(output_right, fstate.S[0]); - be_store_word16(output_right + 2, fstate.S[1]); - be_store_word16(output_right + 4, fstate.S[2]); - be_store_word16(output_right + 6, fstate.S[3]); -} diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-forkskinny.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-forkskinny.h deleted file mode 100644 index 0c1a707..0000000 --- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-forkskinny.h +++ /dev/null 
@@ -1,141 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_FORKSKINNY_H
-#define LW_INTERNAL_FORKSKINNY_H
-
-/**
- * \file internal-forkskinny.h
- * \brief ForkSkinny block cipher family.
- *
- * ForkSkinny is a modified version of the SKINNY block cipher that
- * supports "forking": half-way through the rounds the cipher is
- * forked in two different directions to produce two different outputs.
- *
- * References: https://www.esat.kuleuven.be/cosic/forkae/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts a block of plaintext with ForkSkinny-128-256.
- *
- * \param key 256-bit tweakey for ForkSkinny-128-256.
- * \param output_left Left output block for the ciphertext, or NULL if
- * the left output is not required.
- * \param output_right Right output block for the authentication tag,
- * or NULL if the right output is not required.
- * \param input 128-bit input plaintext block.
- *
- * ForkSkinny-128-192 also uses this function with a padded tweakey.
- */
-void forkskinny_128_256_encrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Decrypts a block of ciphertext with ForkSkinny-128-256.
- *
- * \param key 256-bit tweakey for ForkSkinny-128-256.
- * \param output_left Left output block, which is the plaintext.
- * \param output_right Right output block for the authentication tag.
- * \param input 128-bit input ciphertext block.
- *
- * Both output blocks will be populated; neither is optional.
- */
-void forkskinny_128_256_decrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Encrypts a block of plaintext with ForkSkinny-128-384.
- *
- * \param key 384-bit tweakey for ForkSkinny-128-384.
- * \param output_left Left output block for the ciphertext, or NULL if
- * the left output is not required.
- * \param output_right Right output block for the authentication tag,
- * or NULL if the right output is not required.
- * \param input 128-bit input plaintext block.
- *
- * ForkSkinny-128-288 also uses this function with a padded tweakey.
- */
-void forkskinny_128_384_encrypt
- (const unsigned char key[48], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Decrypts a block of ciphertext with ForkSkinny-128-384.
- *
- * \param key 384-bit tweakey for ForkSkinny-128-384.
- * \param output_left Left output block, which is the plaintext.
- * \param output_right Right output block for the authentication tag.
- * \param input 128-bit input ciphertext block.
- *
- * Both output blocks will be populated; neither is optional.
- */
-void forkskinny_128_384_decrypt
- (const unsigned char key[48], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Encrypts a block of input with ForkSkinny-64-192.
- *
- * \param key 192-bit tweakey for ForkSkinny-64-192.
- * \param output_left First output block, or NULL if left is not required.
- * \param output_right Second output block, or NULL if right is not required.
- * \param input 64-bit input block.
- */
-/**
- * \brief Encrypts a block of plaintext with ForkSkinny-64-192.
- *
- * \param key 192-bit tweakey for ForkSkinny-64-192.
- * \param output_left Left output block for the ciphertext, or NULL if
- * the left output is not required.
- * \param output_right Right output block for the authentication tag,
- * or NULL if the right output is not required.
- * \param input 64-bit input plaintext block.
- */
-void forkskinny_64_192_encrypt
- (const unsigned char key[24], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Decrypts a block of ciphertext with ForkSkinny-64-192.
- *
- * \param key 192-bit tweakey for ForkSkinny-64-192.
- * \param output_left Left output block, which is the plaintext.
- * \param output_right Right output block for the authentication tag.
- * \param input 64-bit input ciphertext block.
- *
- * Both output blocks will be populated; neither is optional.
- */
-void forkskinny_64_192_decrypt
- (const unsigned char key[24], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-skinnyutil.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-skinnyutil.h
deleted file mode 100644
index 83136cb..0000000
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-skinnyutil.h
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNYUTIL_H
-#define LW_INTERNAL_SKINNYUTIL_H
-
-/**
- * \file internal-skinnyutil.h
- * \brief Utilities to help implement SKINNY and its variants.
- */
-
-#include "internal-util.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** @cond skinnyutil */
-
-/* Utilities for implementing SKINNY-128 */
-
-#define skinny128_LFSR2(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \
- (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \
- } while (0)
-
-
-#define skinny128_LFSR3(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \
- (((_x << 7) ^ (_x << 1)) & 0x80808080U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x)
-#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x)
-
-#define skinny128_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint32_t row2 = tk[2]; \
- uint32_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 16) | (row3 >> 16); \
- tk[0] = ((row2 >> 8) & 0x000000FFU) | \
- ((row2 << 16) & 0x00FF0000U) | \
- ( row3 & 0xFF00FF00U); \
- tk[1] = ((row2 >> 16) & 0x000000FFU) | \
- (row2 & 0xFF000000U) | \
- ((row3 << 8) & 0x0000FF00U) | \
- ( row3 & 0x00FF0000U); \
- } while (0)
-
-#define skinny128_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint32_t row0 = tk[0]; \
- uint32_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 >> 16) & 0x000000FFU) | \
- ((row0 << 8) & 0x0000FF00U) | \
- ((row1 << 16) & 0x00FF0000U) | \
- ( row1 & 0xFF000000U); \
- tk[3] = ((row0 >> 16) & 0x0000FF00U) | \
- ((row0 << 16) & 0xFF000000U) | \
- ((row1 >> 16) & 0x000000FFU) | \
- ((row1 << 8) & 0x00FF0000U); \
- } while (0)
-
-/*
- * Apply the SKINNY sbox.
The original version from the specification is
- * equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE(x)
- * ((((x) & 0x01010101U) << 2) |
- * (((x) & 0x06060606U) << 5) |
- * (((x) & 0x20202020U) >> 5) |
- * (((x) & 0xC8C8C8C8U) >> 2) |
- * (((x) & 0x10101010U) >> 1))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * return SBOX_SWAP(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \
- y = (((x >> 5) & (x << 1)) & 0x04040404U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \
- x = ((x & 0x08080808U) << 1) | \
- ((x & 0x32323232U) << 2) | \
- ((x & 0x01010101U) << 5) | \
- ((x & 0x80808080U) >> 6) | \
- ((x & 0x40404040U) >> 4) | \
- ((x & 0x04040404U) >> 2); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY sbox.
The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE_INV(x)
- * ((((x) & 0x08080808U) << 1) |
- * (((x) & 0x32323232U) << 2) |
- * (((x) & 0x01010101U) << 5) |
- * (((x) & 0xC0C0C0C0U) >> 5) |
- * (((x) & 0x04040404U) >> 2))
- *
- * x = SBOX_SWAP(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_inv_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- y = (((x >> 1) & (x >> 3)) & 0x01010101U); \
- x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \
- y = (((x >> 6) & (x >> 1)) & 0x02020202U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \
- x = ((x & 0x01010101U) << 2) | \
- ((x & 0x04040404U) << 4) | \
- ((x & 0x02020202U) << 6) | \
- ((x & 0x20202020U) >> 5) | \
- ((x & 0xC8C8C8C8U) >> 2) | \
- ((x & 0x10101010U) >> 1); \
-} while (0)
-
-/* Utilities for implementing SKINNY-64 */
-
-#define skinny64_LFSR2(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \
- } while (0)
-
-#define skinny64_LFSR3(x) \
- do { \
- uint16_t _x = (x);
\
- (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x)
-#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x)
-
-#define skinny64_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint16_t row2 = tk[2]; \
- uint16_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 8) | (row3 >> 8); \
- tk[0] = ((row2 << 4) & 0xF000U) | \
- ((row2 >> 8) & 0x00F0U) | \
- ( row3 & 0x0F0FU); \
- tk[1] = ((row2 << 8) & 0xF000U) | \
- ((row3 >> 4) & 0x0F00U) | \
- ( row3 & 0x00F0U) | \
- ( row2 & 0x000FU); \
- } while (0)
-
-#define skinny64_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint16_t row0 = tk[0]; \
- uint16_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 << 8) & 0xF000U) | \
- ((row0 >> 4) & 0x0F00U) | \
- ((row1 >> 8) & 0x00F0U) | \
- ( row1 & 0x000FU); \
- tk[3] = ((row1 << 8) & 0xF000U) | \
- ((row0 << 8) & 0x0F00U) | \
- ((row1 >> 4) & 0x00F0U) | \
- ((row0 >> 8) & 0x000FU); \
- } while (0)
-
-/*
- * Apply the SKINNY-64 sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT(x)
- * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_SHIFT steps to be performed with one final rotation.
- * This reduces the number of required shift operations from 14 to 10.
- *
- * We can further reduce the number of NOT operations from 4 to 2
- * using the technique from https://github.com/kste/skinny_avx to
- * convert NOR-XOR operations into AND-XOR operations by converting
- * the S-box into its NOT-inverse.
- */
-#define skinny64_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \
- x = ~x; \
- x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY-64 sbox. The original version
- * from the specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT_INV(x)
- * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * return SBOX_MIX(x);
- */
-#define skinny64_inv_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = ~x; \
- x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \
-} while (0)
-
-/** @endcond */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-util.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-util.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-util.h +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t192n56v1/rhys/internal-util.h 
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
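Review bot: The new `LW_CRYPTO_ROTATE32_COMPOSED` selector is hard-wired to `__AVR__` with no build-time override, so another target without a barrel shifter cannot opt into the composed rotations, and an AVR build cannot fall back to the generic path for comparison, without editing this header; wrapping the added `#if defined(__AVR__)` … `#endif` block in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` lets `-DLW_CRYPTO_ROTATE32_COMPOSED=0` or `=1` decide. Because the choice is made by the preprocessor and every rotation count in this header is a literal, both branches should compile to straight-line code, so this is a portability point rather than a constant-time one. This header also looks like a per-submission copy of a shared file, so presumably every copy needs the same change to stay in sync.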
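Review bot: The comment kept above `leftRotate1` still says these macros "may be replaced with more efficient ones on platforms that lack a barrel shifter", but once this hunk gates them behind `#if !LW_CRYPTO_ROTATE32_COMPOSED` that replacement exists in the `#else` branch, and a reader of the generic branch is not told where it is or how it is selected. I would reword it to `/* Generic rotations by a fixed count, used when LW_CRYPTO_ROTATE32_COMPOSED is 0; the #else branch below composes them from 1-bit and byte rotations for targets without a barrel shifter */`. The `#if` opened here is closed outside this hunk.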
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/aead-common.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
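Review bot: Every composed macro nests one `leftRotate`/`rightRotate` statement expression inside another, so the inner `_temp` (presumably declared `uint32_t _temp = (a);`, matching the 8-bit variants and the `_temp` uses in the `rightRotate` context of the previous hunk) shadows the outer one declared by the same macro. This is legal GNU C because each statement expression opens its own block scope, but it will fire `-Wshadow` on every rotation in a cipher body and invites a well-meaning "fix"; a comment above the group such as `/* Nested rotates deliberately shadow _temp: each statement expression is its own block scope, so the inner value feeds the outer initializer. */` would document the intent. The lead-in comment also says `1 and 8 are fast` while the macros rely on 16 and 24 as well; `/* Composed rotation macros where 1 and multiples of 8 are fast, but others are slow */` matches the rationale given earlier in this file. All rotation counts remain literal constants, so no data-dependent shift count is introduced by the composition.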
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/aead-common.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/api.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/api.h deleted file mode 100644 index 86e276c..0000000 --- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 15 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/encrypt.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/encrypt.c deleted file mode 100644 index 7d59b31..0000000 --- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@ - -#include "forkae.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return forkae_saef_128_256_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return forkae_saef_128_256_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/forkae.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/forkae.c deleted file mode 100644 index 4a9671a..0000000 --- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/forkae.c +++ /dev/null 
@@ -1,140 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "forkae.h" -#include "internal-forkskinny.h" -#include "internal-util.h" -#include - -aead_cipher_t const forkae_paef_64_192_cipher = { - "PAEF-ForkSkinny-64-192", - FORKAE_PAEF_64_192_KEY_SIZE, - FORKAE_PAEF_64_192_NONCE_SIZE, - FORKAE_PAEF_64_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_64_192_aead_encrypt, - forkae_paef_64_192_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_192_cipher = { - "PAEF-ForkSkinny-128-192", - FORKAE_PAEF_128_192_KEY_SIZE, - FORKAE_PAEF_128_192_NONCE_SIZE, - FORKAE_PAEF_128_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_192_aead_encrypt, - forkae_paef_128_192_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_256_cipher = { - "PAEF-ForkSkinny-128-256", - FORKAE_PAEF_128_256_KEY_SIZE, - FORKAE_PAEF_128_256_NONCE_SIZE, - FORKAE_PAEF_128_256_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_256_aead_encrypt, - forkae_paef_128_256_aead_decrypt -}; - -aead_cipher_t const forkae_paef_128_288_cipher = { - "PAEF-ForkSkinny-128-288", - FORKAE_PAEF_128_288_KEY_SIZE, - FORKAE_PAEF_128_288_NONCE_SIZE, - FORKAE_PAEF_128_288_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_paef_128_288_aead_encrypt, - forkae_paef_128_288_aead_decrypt -}; - -aead_cipher_t const forkae_saef_128_192_cipher = { - "SAEF-ForkSkinny-128-192", - FORKAE_SAEF_128_192_KEY_SIZE, - FORKAE_SAEF_128_192_NONCE_SIZE, - FORKAE_SAEF_128_192_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_saef_128_192_aead_encrypt, - forkae_saef_128_192_aead_decrypt -}; - -aead_cipher_t const forkae_saef_128_256_cipher = { - "SAEF-ForkSkinny-128-256", - FORKAE_SAEF_128_256_KEY_SIZE, - FORKAE_SAEF_128_256_NONCE_SIZE, - FORKAE_SAEF_128_256_TAG_SIZE, - AEAD_FLAG_NONE, - forkae_saef_128_256_aead_encrypt, - forkae_saef_128_256_aead_decrypt -}; - -/* PAEF-ForkSkinny-64-192 */ -#define FORKAE_ALG_NAME forkae_paef_64_192 -#define FORKAE_BLOCK_SIZE 8 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_64_192_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 24 -#define FORKAE_BLOCK_FUNC 
forkskinny_64_192 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-192 */ -#define FORKAE_ALG_NAME forkae_paef_128_192 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_192_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-256 */ -#define FORKAE_ALG_NAME forkae_paef_128_256 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_256_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 2 -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-paef.h" - -/* PAEF-ForkSkinny-128-288 */ -#define FORKAE_ALG_NAME forkae_paef_128_288 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_PAEF_128_288_NONCE_SIZE -#define FORKAE_COUNTER_SIZE 7 -#define FORKAE_TWEAKEY_SIZE 48 -#define FORKAE_BLOCK_FUNC forkskinny_128_384 -#include "internal-forkae-paef.h" - -/* SAEF-ForkSkinny-128-192 */ -#define FORKAE_ALG_NAME forkae_saef_128_192 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_192_NONCE_SIZE -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_TWEAKEY_REDUCED_SIZE 24 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-saef.h" - -/* SAEF-ForkSkinny-128-256 */ -#define FORKAE_ALG_NAME forkae_saef_128_256 -#define FORKAE_BLOCK_SIZE 16 -#define FORKAE_NONCE_SIZE FORKAE_SAEF_128_256_NONCE_SIZE -#define FORKAE_TWEAKEY_SIZE 32 -#define FORKAE_TWEAKEY_REDUCED_SIZE 32 -#define FORKAE_BLOCK_FUNC forkskinny_128_256 -#include "internal-forkae-saef.h" diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/forkae.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/forkae.h deleted file mode 100644 index 3e27b50..0000000 --- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/forkae.h +++ /dev/null 
@@ -1,551 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_FORKAE_H -#define LWCRYPTO_FORKAE_H - -#include "aead-common.h" - -/** - * \file forkae.h - * \brief ForkAE authenticated encryption algorithm family. - * - * ForkAE is a family of authenticated encryption algorithms based on a - * modified version of the SKINNY tweakable block cipher. The modifications - * introduce "forking" where each input block produces two output blocks - * for use in encryption and authentication. There are six members in - * the ForkAE family: - * - * \li PAEF-ForkSkinny-64-192 has a 128-bit key, a 48-bit nonce, and a - * 64-bit authentication tag. The associated data and plaintext are - * limited to 216 bytes. - * \li PAEF-ForkSkinny-128-192 has a 128-bit key, a 48-bit nonce, and a - * 128-bit authentication tag. 
The associated data and plaintext are - * limited to 217 bytes. - * \li PAEF-ForkSkinny-128-256 has a 128-bit key, a 112-bit nonce, and a - * 128-bit authentication tag. The associated data and plaintext are - * limited to 217 bytes. - * \li PAEF-ForkSkinny-128-288 has a 128-bit key, a 104-bit nonce, and a - * 128-bit authentication tag. The associated data and plaintext are - * limited to 257 bytes. This is the primary member of the family. - * \li SAEF-ForkSkinny-128-192 has a 128-bit key, a 56-bit nonce, and a - * 128-bit authentication tag. The associated data and plaintext may be - * unlimited in size. - * \li SAEF-ForkSkinny-128-256 has a 128-bit key, a 120-bit nonce, and a - * 128-bit authentication tag. The associated data and plaintext may be - * unlimited in size. - * - * The PAEF variants support parallel encryption and decryption for - * higher throughput. The SAEF variants encrypt or decrypt blocks - * sequentially. - * - * ForkAE is designed to be efficient on small packet sizes so most of - * the PAEF algorithms have a limit of 64k or 128k on the amount of - * payload in a single packet. Obviously the input can be split into - * separate packets for larger amounts of data. - * - * References: https://www.esat.kuleuven.be/cosic/forkae/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for PAEF-ForkSkinny-64-192. - */ -#define FORKAE_PAEF_64_192_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PAEF-ForkSkinny-64-192. - */ -#define FORKAE_PAEF_64_192_TAG_SIZE 8 - -/** - * \brief Size of the nonce for PAEF-ForkSkinny-64-192. - */ -#define FORKAE_PAEF_64_192_NONCE_SIZE 6 - -/** - * \brief Size of the key for PAEF-ForkSkinny-128-192. - */ -#define FORKAE_PAEF_128_192_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-192. - */ -#define FORKAE_PAEF_128_192_TAG_SIZE 16 - -/** - * \brief Size of the nonce for PAEF-ForkSkinny-128-192. 
- */ -#define FORKAE_PAEF_128_192_NONCE_SIZE 6 - -/** - * \brief Size of the key for PAEF-ForkSkinny-128-256. - */ -#define FORKAE_PAEF_128_256_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-256. - */ -#define FORKAE_PAEF_128_256_TAG_SIZE 16 - -/** - * \brief Size of the nonce for PAEF-ForkSkinny-128-256. - */ -#define FORKAE_PAEF_128_256_NONCE_SIZE 14 - -/** - * \brief Size of the key for PAEF-ForkSkinny-128-288. - */ -#define FORKAE_PAEF_128_288_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-288. - */ -#define FORKAE_PAEF_128_288_TAG_SIZE 16 - -/** - * \brief Size of the nonce for PAEF-ForkSkinny-128-288. - */ -#define FORKAE_PAEF_128_288_NONCE_SIZE 13 - -/** - * \brief Size of the key for SAEF-ForkSkinny-128-192. - */ -#define FORKAE_SAEF_128_192_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for SAEF-ForkSkinny-128-192. - */ -#define FORKAE_SAEF_128_192_TAG_SIZE 16 - -/** - * \brief Size of the nonce for SAEF-ForkSkinny-128-192. - */ -#define FORKAE_SAEF_128_192_NONCE_SIZE 7 - -/** - * \brief Size of the key for SAEF-ForkSkinny-128-256. - */ -#define FORKAE_SAEF_128_256_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for SAEF-ForkSkinny-128-256. - */ -#define FORKAE_SAEF_128_256_TAG_SIZE 16 - -/** - * \brief Size of the nonce for SAEF-ForkSkinny-128-256. - */ -#define FORKAE_SAEF_128_256_NONCE_SIZE 15 - -/** - * \brief Meta-information block for the PAEF-ForkSkinny-64-192 cipher. - */ -extern aead_cipher_t const forkae_paef_64_192_cipher; - -/** - * \brief Meta-information block for the PAEF-ForkSkinny-128-192 cipher. - */ -extern aead_cipher_t const forkae_paef_128_192_cipher; - -/** - * \brief Meta-information block for the PAEF-ForkSkinny-128-256 cipher. - */ -extern aead_cipher_t const forkae_paef_128_256_cipher; - -/** - * \brief Meta-information block for the PAEF-ForkSkinny-128-288 cipher. 
- */ -extern aead_cipher_t const forkae_paef_128_288_cipher; - -/** - * \brief Meta-information block for the SAEF-ForkSkinny-128-192 cipher. - */ -extern aead_cipher_t const forkae_saef_128_192_cipher; - -/** - * \brief Meta-information block for the SAEF-ForkSkinny-128-256 cipher. - */ -extern aead_cipher_t const forkae_saef_128_256_cipher; - -/** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-64-192. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa forkae_paef_64_192_aead_decrypt() - */ -int forkae_paef_64_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-64-192. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. 
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 6 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa forkae_paef_64_192_aead_encrypt()
- */
-int forkae_paef_64_192_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-192.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 6 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa forkae_paef_128_192_aead_decrypt()
- */
-int forkae_paef_128_192_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-192.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 6 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa forkae_paef_128_192_aead_encrypt()
- */
-int forkae_paef_128_192_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-256.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 14 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa forkae_paef_128_256_aead_decrypt()
- */
-int forkae_paef_128_256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-256.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 14 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa forkae_paef_128_256_aead_encrypt()
- */
-int forkae_paef_128_256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-288.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 13 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa forkae_paef_128_288_aead_decrypt()
- */
-int forkae_paef_128_288_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-288.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 13 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa forkae_paef_128_288_aead_encrypt()
- */
-int forkae_paef_128_288_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-192.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 7 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa forkae_saef_128_192_aead_decrypt()
- */
-int forkae_saef_128_192_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-192.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 7 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa forkae_saef_128_192_aead_encrypt()
- */
-int forkae_saef_128_192_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-256.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 15 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa forkae_saef_128_256_aead_decrypt()
- */
-int forkae_saef_128_256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-256.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 15 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa forkae_saef_128_256_aead_encrypt()
- */
-int forkae_saef_128_256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-forkae-paef.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-forkae-paef.h
deleted file mode 100644
index 6f57b2b..0000000
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-forkae-paef.h
+++ /dev/null
@@ -1,273 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-/* We expect a number of macros to be defined before this file
- * is included to configure the underlying ForkAE PAEF variant.
- *
- * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_paef_128_256
- * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes).
- * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes.
- * FORKAE_COUNTER_SIZE Size of the counter value for the cipher in bytes.
- * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher.
- * FORKAE_BLOCK_FUNC Name of the block function; e.g. forkskinny_128_256
- */
-#if defined(FORKAE_ALG_NAME)
-
-#define FORKAE_CONCAT_INNER(name,suffix) name##suffix
-#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix)
-
-/* Limit on the amount of data we can process based on the counter size */
-#define FORKAE_PAEF_DATA_LIMIT \
- ((unsigned long long)((1ULL << (FORKAE_COUNTER_SIZE * 8)) * \
- (FORKAE_BLOCK_SIZE / 8)) - FORKAE_BLOCK_SIZE)
-
-/* Processes the associated data in PAEF mode */
-STATIC_INLINE void FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)
- (unsigned char tweakey[FORKAE_TWEAKEY_SIZE],
- unsigned long long counter, unsigned char domain)
-{
- unsigned posn;
- counter |= (((unsigned long long)domain) << (FORKAE_COUNTER_SIZE * 8 - 3));
- for (posn = 0; posn < FORKAE_COUNTER_SIZE; ++posn) {
- tweakey[16 + FORKAE_NONCE_SIZE + FORKAE_COUNTER_SIZE - 1 - posn] =
- (unsigned char)counter;
- counter >>= 8;
- }
-}
-
-/* Check that the last block is padded correctly; -1 if ok, 0 if not */
-STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding)
- (const unsigned char *block, unsigned len)
-{
- int check = block[0] ^ 0x80;
- while (len > 1) {
- --len;
- check |= block[len];
- }
- return (check - 1) >> 8;
-}
-
-int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char tweakey[FORKAE_TWEAKEY_SIZE];
- unsigned char tag[FORKAE_BLOCK_SIZE];
- unsigned char block[FORKAE_BLOCK_SIZE];
- unsigned long long counter;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + FORKAE_BLOCK_SIZE;
-
- /* Validate the size of the associated data and plaintext as there
- * is a limit on the size of the PAEF counter field */
- if (adlen > FORKAE_PAEF_DATA_LIMIT || mlen > FORKAE_PAEF_DATA_LIMIT)
- return -2;
-
- /* Format the initial tweakey with the key and nonce */
- memcpy(tweakey, k, 16);
- memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE);
- memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0,
- FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE);
-
- /* Tag value starts at zero. We will XOR this with all of the
- * intermediate tag values that are calculated for each block */
- memset(tag, 0, sizeof(tag));
-
- /* Process the associated data */
- counter = 1;
- while (adlen > FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- ad += FORKAE_BLOCK_SIZE;
- adlen -= FORKAE_BLOCK_SIZE;
- ++counter;
- }
- if (adlen == FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- } else if (adlen != 0 || mlen == 0) {
- unsigned temp = (unsigned)adlen;
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, sizeof(block) - temp - 1);
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- }
-
- /* If there is no message payload, then generate the tag and we are done */
- if (!mlen) {
- memcpy(c, tag, sizeof(tag));
- return 0;
- }
-
- /* Encrypt all plaintext blocks except the last */
- counter = 1;
- while (mlen > FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- c += FORKAE_BLOCK_SIZE;
- m += FORKAE_BLOCK_SIZE;
- mlen -= FORKAE_BLOCK_SIZE;
- ++counter;
- }
-
- /* Encrypt the last block and generate the final authentication tag */
- if (mlen == FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, m);
- lw_xor_block(c, tag, FORKAE_BLOCK_SIZE);
- memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE);
- } else {
- unsigned temp = (unsigned)mlen;
- memcpy(block, m, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, sizeof(block) - temp - 1);
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block);
- lw_xor_block(c, tag, FORKAE_BLOCK_SIZE);
- memcpy(c + FORKAE_BLOCK_SIZE, block, temp);
- }
- return 0;
-}
-
-int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char tweakey[FORKAE_TWEAKEY_SIZE];
- unsigned char tag[FORKAE_BLOCK_SIZE];
- unsigned char block[FORKAE_BLOCK_SIZE];
- unsigned char *mtemp = m;
- unsigned long long counter;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < FORKAE_BLOCK_SIZE)
- return -1;
- clen -= FORKAE_BLOCK_SIZE;
- *mlen = clen;
-
- /* Validate the size of the associated data and plaintext as there
- * is a limit on the size of the PAEF counter field */
- if (adlen > FORKAE_PAEF_DATA_LIMIT || clen > FORKAE_PAEF_DATA_LIMIT)
- return -2;
-
- /* Format the initial tweakey with the key and nonce */
- memcpy(tweakey, k, 16);
- memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE);
- memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0,
- FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE);
-
- /* Tag value starts at zero. We will XOR this with all of the
- * intermediate tag values that are calculated for each block */
- memset(tag, 0, sizeof(tag));
-
- /* Process the associated data */
- counter = 1;
- while (adlen > FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 0);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- ad += FORKAE_BLOCK_SIZE;
- adlen -= FORKAE_BLOCK_SIZE;
- ++counter;
- }
- if (adlen == FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 1);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, ad);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- } else if (adlen != 0 || clen == 0) {
- unsigned temp = (unsigned)adlen;
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, sizeof(block) - temp - 1);
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 3);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, block, block);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- }
-
- /* If there is no message payload, then check the tag and we are done */
- if (!clen)
- return aead_check_tag(m, clen, tag, c, sizeof(tag));
-
- /* Decrypt all ciphertext blocks except the last */
- counter = 1;
- while (clen > FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 4);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, c);
- lw_xor_block(tag, block, FORKAE_BLOCK_SIZE);
- c += FORKAE_BLOCK_SIZE;
- m += FORKAE_BLOCK_SIZE;
- clen -= FORKAE_BLOCK_SIZE;
- ++counter;
- }
-
- /* Decrypt the last block and check the final authentication tag */
- if (clen == FORKAE_BLOCK_SIZE) {
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 5);
- lw_xor_block_2_src(m, c, tag, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, m);
- return aead_check_tag
- (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, sizeof(tag));
- } else {
- unsigned temp = (unsigned)clen;
- unsigned char block2[FORKAE_BLOCK_SIZE];
- int check;
- FORKAE_CONCAT(FORKAE_ALG_NAME,_set_counter)(tweakey, counter, 7);
- lw_xor_block_2_src(block2, tag, c, FORKAE_BLOCK_SIZE);
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)
- (tweakey, block2, block, block2);
- check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding)
- (block2 + temp, FORKAE_BLOCK_SIZE - temp);
- memcpy(m, block2, temp);
- return aead_check_tag_precheck
- (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check);
- }
-}
-
-#endif /* FORKAE_ALG_NAME */
-
-/* Now undefine everything so that we can include this file again for
- * another variant on the ForkAE PAEF algorithm */
-#undef FORKAE_ALG_NAME
-#undef FORKAE_BLOCK_SIZE
-#undef FORKAE_NONCE_SIZE
-#undef FORKAE_COUNTER_SIZE
-#undef FORKAE_TWEAKEY_SIZE
-#undef FORKAE_BLOCK_FUNC
-#undef FORKAE_CONCAT_INNER
-#undef FORKAE_CONCAT
-#undef FORKAE_PAEF_DATA_LIMIT
diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-forkae-saef.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-forkae-saef.h
deleted file mode 100644
index 768bba4..0000000
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-forkae-saef.h
+++ /dev/null
@@ -1,251 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -/* We expect a number of macros to be defined before this file - * is included to configure the underlying ForkAE SAEF variant. - * - * FORKAE_ALG_NAME Name of the FORKAE algorithm; e.g. forkae_saef_128_256 - * FORKAE_BLOCK_SIZE Size of the block for the cipher (8 or 16 bytes). - * FORKAE_NONCE_SIZE Size of the nonce for the cipher in bytes. - * FORKAE_TWEAKEY_SIZE Size of the tweakey for the underlying forked cipher. - * FORKAE_REDUCED_TWEAKEY_SIZE Size of the reduced tweakey without padding. - * FORKAE_BLOCK_FUNC Name of the block function; e.g. 
forkskinny_128_256 - */ -#if defined(FORKAE_ALG_NAME) - -#define FORKAE_CONCAT_INNER(name,suffix) name##suffix -#define FORKAE_CONCAT(name,suffix) FORKAE_CONCAT_INNER(name,suffix) - -/* Check that the last block is padded correctly; -1 if ok, 0 if not */ -STATIC_INLINE int FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (const unsigned char *block, unsigned len) -{ - int check = block[0] ^ 0x80; - while (len > 1) { - --len; - check |= block[len]; - } - return (check - 1) >> 8; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_encrypt) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + FORKAE_BLOCK_SIZE; - - /* Format the initial tweakey with the key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; - - /* Tag value starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - if (adlen > 0 || mlen == 0) { - while (adlen > FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - } - if (mlen == 0) - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; - if (adlen == FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 
16); - } else if (adlen != 0 || mlen == 0) { - unsigned temp = (unsigned)adlen; - lw_xor_block(tag, ad, temp); - tag[temp] ^= 0x80; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - } - } - - /* If there is no message payload, then generate the tag and we are done */ - if (!mlen) { - memcpy(c, tag, sizeof(tag)); - return 0; - } - - /* Encrypt all plaintext blocks except the last */ - while (mlen > FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(tag, block, FORKAE_BLOCK_SIZE); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - c += FORKAE_BLOCK_SIZE; - m += FORKAE_BLOCK_SIZE; - mlen -= FORKAE_BLOCK_SIZE; - } - - /* Encrypt the last block and generate the final authentication tag */ - if (mlen == FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, m, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, FORKAE_BLOCK_SIZE); - } else { - unsigned temp = (unsigned)mlen; - memcpy(block, tag, FORKAE_BLOCK_SIZE); - lw_xor_block(block, m, temp); - block[temp] ^= 0x80; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, c, block, block); - lw_xor_block(c, tag, FORKAE_BLOCK_SIZE); - memcpy(c + FORKAE_BLOCK_SIZE, block, temp); - } - return 0; -} - -int FORKAE_CONCAT(FORKAE_ALG_NAME,_aead_decrypt) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - 
unsigned char tweakey[FORKAE_TWEAKEY_SIZE]; - unsigned char tag[FORKAE_BLOCK_SIZE]; - unsigned char block[FORKAE_BLOCK_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < FORKAE_BLOCK_SIZE) - return -1; - clen -= FORKAE_BLOCK_SIZE; - *mlen = clen; - - /* Format the initial tweakey with the key and nonce */ - memcpy(tweakey, k, 16); - memcpy(tweakey + 16, npub, FORKAE_NONCE_SIZE); - memset(tweakey + 16 + FORKAE_NONCE_SIZE, 0, - FORKAE_TWEAKEY_SIZE - 16 - FORKAE_NONCE_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] = 0x08; - - /* Tag value starts at zero */ - memset(tag, 0, sizeof(tag)); - - /* Process the associated data */ - if (adlen > 0 || clen == 0) { - while (adlen > FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - ad += FORKAE_BLOCK_SIZE; - adlen -= FORKAE_BLOCK_SIZE; - } - if (clen == 0) - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x02; - if (adlen == FORKAE_BLOCK_SIZE) { - lw_xor_block(tag, ad, FORKAE_BLOCK_SIZE); - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - } else if (adlen != 0 || clen == 0) { - unsigned temp = (unsigned)adlen; - lw_xor_block(tag, ad, temp); - tag[temp] ^= 0x80; - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_encrypt)(tweakey, 0, tag, tag); - memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16); - } - } - - /* If there is no message payload, then check the tag and we are done */ - if (!clen) - return aead_check_tag(m, clen, tag, c, sizeof(tag)); - - /* Decrypt all ciphertext blocks except the last */ - while (clen > FORKAE_BLOCK_SIZE) { - lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE); - tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x01; - 
FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block);
- lw_xor_block(m, tag, FORKAE_BLOCK_SIZE);
- memcpy(tag, block, FORKAE_BLOCK_SIZE);
- memset(tweakey + 16, 0, FORKAE_TWEAKEY_SIZE - 16);
- c += FORKAE_BLOCK_SIZE;
- m += FORKAE_BLOCK_SIZE;
- clen -= FORKAE_BLOCK_SIZE;
- }
-
- /* Decrypt the last block and check the final authentication tag */
- if (clen == FORKAE_BLOCK_SIZE) {
- lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x04;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt)(tweakey, m, block, block);
- lw_xor_block(m, tag, FORKAE_BLOCK_SIZE);
- return aead_check_tag - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, FORKAE_BLOCK_SIZE);
- } else {
- unsigned temp = (unsigned)clen;
- unsigned char mblock[FORKAE_BLOCK_SIZE];
- int check;
- lw_xor_block_2_src(block, c, tag, FORKAE_BLOCK_SIZE);
- tweakey[FORKAE_TWEAKEY_REDUCED_SIZE - 1] ^= 0x05;
- FORKAE_CONCAT(FORKAE_BLOCK_FUNC,_decrypt) - (tweakey, mblock, block, block);
- lw_xor_block(mblock, tag, FORKAE_BLOCK_SIZE);
- memcpy(m, mblock, temp);
- check = FORKAE_CONCAT(FORKAE_ALG_NAME,_is_padding) - (mblock + temp, FORKAE_BLOCK_SIZE - temp);
- return aead_check_tag_precheck - (mtemp, *mlen, block, c + FORKAE_BLOCK_SIZE, temp, check);
- }
-}
-
-#endif /* FORKAE_ALG_NAME */
-
-/* Now undefine everything so that we can include this file again for - * another variant on the ForkAE SAEF algorithm */
-#undef FORKAE_ALG_NAME
-#undef FORKAE_BLOCK_SIZE
-#undef FORKAE_NONCE_SIZE
-#undef FORKAE_COUNTER_SIZE
-#undef FORKAE_TWEAKEY_SIZE
-#undef FORKAE_TWEAKEY_REDUCED_SIZE
-#undef FORKAE_BLOCK_FUNC
-#undef FORKAE_CONCAT_INNER
-#undef FORKAE_CONCAT
diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-forkskinny.c b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-forkskinny.c
deleted file mode 100644
index b050ff1..0000000
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-forkskinny.c
+++ /dev/null
@@ -1,988 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-forkskinny.h" -#include "internal-skinnyutil.h" - -/** - * \brief 7-bit round constants for all ForkSkinny block ciphers. - */ -static unsigned char const RC[87] = { - 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7e, 0x7d, - 0x7b, 0x77, 0x6f, 0x5f, 0x3e, 0x7c, 0x79, 0x73, - 0x67, 0x4f, 0x1e, 0x3d, 0x7a, 0x75, 0x6b, 0x57, - 0x2e, 0x5c, 0x38, 0x70, 0x61, 0x43, 0x06, 0x0d, - 0x1b, 0x37, 0x6e, 0x5d, 0x3a, 0x74, 0x69, 0x53, - 0x26, 0x4c, 0x18, 0x31, 0x62, 0x45, 0x0a, 0x15, - 0x2b, 0x56, 0x2c, 0x58, 0x30, 0x60, 0x41, 0x02, - 0x05, 0x0b, 0x17, 0x2f, 0x5e, 0x3c, 0x78, 0x71, - 0x63, 0x47, 0x0e, 0x1d, 0x3b, 0x76, 0x6d, 0x5b, - 0x36, 0x6c, 0x59, 0x32, 0x64, 0x49, 0x12, 0x25, - 0x4a, 0x14, 0x29, 0x52, 0x24, 0x48, 0x10 -}; - -/** - * \brief Number of rounds of ForkSkinny-128-256 before forking. 
- */ -#define FORKSKINNY_128_256_ROUNDS_BEFORE 21 - -/** - * \brief Number of rounds of ForkSkinny-128-256 after forking. - */ -#define FORKSKINNY_128_256_ROUNDS_AFTER 27 - -/** - * \brief State information for ForkSkinny-128-256. - */ -typedef struct -{ - uint32_t TK1[4]; /**< First part of the tweakey */ - uint32_t TK2[4]; /**< Second part of the tweakey */ - uint32_t S[4]; /**< Current block state */ - -} forkskinny_128_256_state_t; - -/** - * \brief Applies one round of ForkSkinny-128-256. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - */ -static void forkskinny_128_256_round - (forkskinny_128_256_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Apply the S-box to all cells in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. 
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(state->TK1); - skinny128_permute_tk(state->TK2); - skinny128_LFSR2(state->TK2[0]); - skinny128_LFSR2(state->TK2[1]); -} - -void forkskinny_128_256_encrypt - (const unsigned char key[32], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_256_state_t state; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = le_load_word32(key + 28); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Run all of the rounds before the forking point */ - for (round = 0; round < FORKSKINNY_128_256_ROUNDS_BEFORE; ++round) { - forkskinny_128_256_round(&state, round); - } - - /* Determine which output blocks we need */ - if (output_left && output_right) { - /* We need both outputs so save the state at the forking point */ - uint32_t F[4]; - F[0] = state.S[0]; - F[1] = state.S[1]; - F[2] = state.S[2]; - F[3] = state.S[3]; - - /* Generate the right output block */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { - 
forkskinny_128_256_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - - /* Restore the state at the forking point */ - state.S[0] = F[0]; - state.S[1] = F[1]; - state.S[2] = F[2]; - state.S[3] = F[3]; - } - if (output_left) { - /* Generate the left output block */ - state.S[0] ^= 0x08040201U; /* Branching constant */ - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { - forkskinny_128_256_round(&state, round); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - } else { - /* We only need the right output block */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { - forkskinny_128_256_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - } -} - -/** - * \brief Applies one round of ForkSkinny-128-256 in reverse. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. 
- */ -static void forkskinny_128_256_inv_round - (forkskinny_128_256_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Permute TK1 and TK2 for the next round */ - skinny128_inv_LFSR2(state->TK2[0]); - skinny128_inv_LFSR2(state->TK2[1]); - skinny128_inv_permute_tk(state->TK1); - skinny128_inv_permute_tk(state->TK2); - - /* Inverse mix of the columns */ - temp = s0; - s0 = s1; - s1 = s2; - s2 = s3; - s3 = temp ^ s2; - s2 ^= s0; - s1 ^= s2; - - /* Shift the cells in the rows left, which moves the cell - * values down closer to the LSB. That is, we do a right - * rotate on the word to rotate the cells in the word left */ - s1 = rightRotate8(s1); - s2 = rightRotate16(s2); - s3 = rightRotate24(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all cells in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; -} - -void forkskinny_128_256_decrypt - (const unsigned char key[32], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_256_state_t state; - forkskinny_128_256_state_t fstate; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = 
le_load_word32(key + 28); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER * 2); ++round) { - skinny128_permute_tk(state.TK1); - skinny128_permute_tk(state.TK2); - skinny128_LFSR2(state.TK2[0]); - skinny128_LFSR2(state.TK2[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER * 2); - round > (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); --round) { - forkskinny_128_256_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x08040201U; - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_128_256_ROUNDS_AFTER; ++round) { - skinny128_inv_LFSR2(state.TK2[0]); - skinny128_inv_LFSR2(state.TK2[1]); - skinny128_inv_permute_tk(state.TK1); - skinny128_inv_permute_tk(state.TK2); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_128_256_inv_round(&state, round - 1); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_128_256_ROUNDS_BEFORE; - round < (FORKSKINNY_128_256_ROUNDS_BEFORE + - FORKSKINNY_128_256_ROUNDS_AFTER); ++round) { - 
forkskinny_128_256_round(&fstate, round); - } - le_store_word32(output_right, fstate.S[0]); - le_store_word32(output_right + 4, fstate.S[1]); - le_store_word32(output_right + 8, fstate.S[2]); - le_store_word32(output_right + 12, fstate.S[3]); -} - -/** - * \brief Number of rounds of ForkSkinny-128-384 before forking. - */ -#define FORKSKINNY_128_384_ROUNDS_BEFORE 25 - -/** - * \brief Number of rounds of ForkSkinny-128-384 after forking. - */ -#define FORKSKINNY_128_384_ROUNDS_AFTER 31 - -/** - * \brief State information for ForkSkinny-128-384. - */ -typedef struct -{ - uint32_t TK1[4]; /**< First part of the tweakey */ - uint32_t TK2[4]; /**< Second part of the tweakey */ - uint32_t TK3[4]; /**< Third part of the tweakey */ - uint32_t S[4]; /**< Current block state */ - -} forkskinny_128_384_state_t; - -/** - * \brief Applies one round of ForkSkinny-128-384. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - */ -static void forkskinny_128_384_round - (forkskinny_128_384_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Apply the S-box to all cells in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. 
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny128_permute_tk(state->TK1); - skinny128_permute_tk(state->TK2); - skinny128_permute_tk(state->TK3); - skinny128_LFSR2(state->TK2[0]); - skinny128_LFSR2(state->TK2[1]); - skinny128_LFSR3(state->TK3[0]); - skinny128_LFSR3(state->TK3[1]); -} - -void forkskinny_128_384_encrypt - (const unsigned char key[48], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_384_state_t state; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = le_load_word32(key + 28); - state.TK3[0] = le_load_word32(key + 32); - state.TK3[1] = le_load_word32(key + 36); - state.TK3[2] = le_load_word32(key + 40); - state.TK3[3] = le_load_word32(key + 44); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Run all of the rounds before the forking point */ - for (round = 0; round < FORKSKINNY_128_384_ROUNDS_BEFORE; ++round) { - forkskinny_128_384_round(&state, round); - } - - /* Determine which output blocks we need */ - if (output_left && output_right) { - /* We need both outputs so save the state at the forking point */ - uint32_t F[4]; - F[0] = 
state.S[0]; - F[1] = state.S[1]; - F[2] = state.S[2]; - F[3] = state.S[3]; - - /* Generate the right output block */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - - /* Restore the state at the forking point */ - state.S[0] = F[0]; - state.S[1] = F[1]; - state.S[2] = F[2]; - state.S[3] = F[3]; - } - if (output_left) { - /* Generate the left output block */ - state.S[0] ^= 0x08040201U; /* Branching constant */ - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { - forkskinny_128_384_round(&state, round); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - } else { - /* We only need the right output block */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&state, round); - } - le_store_word32(output_right, state.S[0]); - le_store_word32(output_right + 4, state.S[1]); - le_store_word32(output_right + 8, state.S[2]); - le_store_word32(output_right + 12, state.S[3]); - } -} - -/** - * \brief Applies one round of ForkSkinny-128-384 in reverse. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. 
- */ -static void forkskinny_128_384_inv_round - (forkskinny_128_384_state_t *state, unsigned round) -{ - uint32_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Permute TK1 and TK2 for the next round */ - skinny128_inv_LFSR2(state->TK2[0]); - skinny128_inv_LFSR2(state->TK2[1]); - skinny128_inv_LFSR3(state->TK3[0]); - skinny128_inv_LFSR3(state->TK3[1]); - skinny128_inv_permute_tk(state->TK1); - skinny128_inv_permute_tk(state->TK2); - skinny128_inv_permute_tk(state->TK3); - - /* Inverse mix of the columns */ - temp = s0; - s0 = s1; - s1 = s2; - s2 = s3; - s3 = temp ^ s2; - s2 ^= s0; - s1 ^= s2; - - /* Shift the cells in the rows left, which moves the cell - * values down closer to the LSB. That is, we do a right - * rotate on the word to rotate the cells in the word left */ - s1 = rightRotate8(s1); - s2 = rightRotate16(s2); - s3 = rightRotate24(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - (rc & 0x0F) ^ 0x00020000; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all cells in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; -} - -void forkskinny_128_384_decrypt - (const unsigned char key[48], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_128_384_state_t state; - forkskinny_128_384_state_t fstate; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = le_load_word32(key); - state.TK1[1] = le_load_word32(key + 4); - state.TK1[2] = le_load_word32(key + 8); - state.TK1[3] = le_load_word32(key + 12); - 
state.TK2[0] = le_load_word32(key + 16); - state.TK2[1] = le_load_word32(key + 20); - state.TK2[2] = le_load_word32(key + 24); - state.TK2[3] = le_load_word32(key + 28); - state.TK3[0] = le_load_word32(key + 32); - state.TK3[1] = le_load_word32(key + 36); - state.TK3[2] = le_load_word32(key + 40); - state.TK3[3] = le_load_word32(key + 44); - state.S[0] = le_load_word32(input); - state.S[1] = le_load_word32(input + 4); - state.S[2] = le_load_word32(input + 8); - state.S[3] = le_load_word32(input + 12); - - /* Fast-forward the tweakey to the end of the key schedule */ - for (round = 0; round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); ++round) { - skinny128_permute_tk(state.TK1); - skinny128_permute_tk(state.TK2); - skinny128_permute_tk(state.TK3); - skinny128_LFSR2(state.TK2[0]); - skinny128_LFSR2(state.TK2[1]); - skinny128_LFSR3(state.TK3[0]); - skinny128_LFSR3(state.TK3[1]); - } - - /* Perform the "after" rounds on the input to get back - * to the forking point in the cipher */ - for (round = (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER * 2); - round > (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); --round) { - forkskinny_128_384_inv_round(&state, round - 1); - } - - /* Remove the branching constant */ - state.S[0] ^= 0x08040201U; - state.S[1] ^= 0x82412010U; - state.S[2] ^= 0x28140a05U; - state.S[3] ^= 0x8844a251U; - - /* Roll the tweakey back another "after" rounds */ - for (round = 0; round < FORKSKINNY_128_384_ROUNDS_AFTER; ++round) { - skinny128_inv_LFSR2(state.TK2[0]); - skinny128_inv_LFSR2(state.TK2[1]); - skinny128_inv_LFSR3(state.TK3[0]); - skinny128_inv_LFSR3(state.TK3[1]); - skinny128_inv_permute_tk(state.TK1); - skinny128_inv_permute_tk(state.TK2); - skinny128_inv_permute_tk(state.TK3); - } - - /* Save the state and the tweakey at the forking point */ - fstate = state; - - /* Generate the left output block after another "before" rounds */ - for (round = 
FORKSKINNY_128_384_ROUNDS_BEFORE; round > 0; --round) { - forkskinny_128_384_inv_round(&state, round - 1); - } - le_store_word32(output_left, state.S[0]); - le_store_word32(output_left + 4, state.S[1]); - le_store_word32(output_left + 8, state.S[2]); - le_store_word32(output_left + 12, state.S[3]); - - /* Generate the right output block by going forward "after" - * rounds from the forking point */ - for (round = FORKSKINNY_128_384_ROUNDS_BEFORE; - round < (FORKSKINNY_128_384_ROUNDS_BEFORE + - FORKSKINNY_128_384_ROUNDS_AFTER); ++round) { - forkskinny_128_384_round(&fstate, round); - } - le_store_word32(output_right, fstate.S[0]); - le_store_word32(output_right + 4, fstate.S[1]); - le_store_word32(output_right + 8, fstate.S[2]); - le_store_word32(output_right + 12, fstate.S[3]); -} - -/** - * \brief Number of rounds of ForkSkinny-64-192 before forking. - */ -#define FORKSKINNY_64_192_ROUNDS_BEFORE 17 - -/** - * \brief Number of rounds of ForkSkinny-64-192 after forking. - */ -#define FORKSKINNY_64_192_ROUNDS_AFTER 23 - -/** - * \brief State information for ForkSkinny-64-192. - */ -typedef struct -{ - uint16_t TK1[4]; /**< First part of the tweakey */ - uint16_t TK2[4]; /**< Second part of the tweakey */ - uint16_t TK3[4]; /**< Third part of the tweakey */ - uint16_t S[4]; /**< Current block state */ - -} forkskinny_64_192_state_t; - -/** - * \brief Applies one round of ForkSkinny-64-192. - * - * \param state State to apply the round to. - * \param round Number of the round to apply. - * - * Note: The cells of each row are order in big-endian nibble order - * so it is easiest to manage the rows in bit-endian byte order. 
- */ -static void forkskinny_64_192_round - (forkskinny_64_192_state_t *state, unsigned round) -{ - uint16_t s0, s1, s2, s3, temp; - uint8_t rc; - - /* Load the state into local variables */ - s0 = state->S[0]; - s1 = state->S[1]; - s2 = state->S[2]; - s3 = state->S[3]; - - /* Apply the S-box to all cells in the state */ - skinny64_sbox(s0); - skinny64_sbox(s1); - skinny64_sbox(s2); - skinny64_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = RC[round]; - s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^ - ((rc & 0x0F) << 12) ^ 0x0020; - s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^ - ((rc & 0x70) << 8); - s2 ^= 0x2000; - - /* Shift the cells in the rows right */ - s1 = rightRotate4_16(s1); - s2 = rightRotate8_16(s2); - s3 = rightRotate12_16(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Save the local variables back to the state */ - state->S[0] = s0; - state->S[1] = s1; - state->S[2] = s2; - state->S[3] = s3; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny64_permute_tk(state->TK1); - skinny64_permute_tk(state->TK2); - skinny64_permute_tk(state->TK3); - skinny64_LFSR2(state->TK2[0]); - skinny64_LFSR2(state->TK2[1]); - skinny64_LFSR3(state->TK3[0]); - skinny64_LFSR3(state->TK3[1]); -} - -void forkskinny_64_192_encrypt - (const unsigned char key[24], unsigned char *output_left, - unsigned char *output_right, const unsigned char *input) -{ - forkskinny_64_192_state_t state; - unsigned round; - - /* Unpack the tweakey and the input */ - state.TK1[0] = be_load_word16(key); - state.TK1[1] = be_load_word16(key + 2); - state.TK1[2] = be_load_word16(key + 4); - state.TK1[3] = be_load_word16(key + 6); - state.TK2[0] = be_load_word16(key + 8); - state.TK2[1] = be_load_word16(key + 10); - state.TK2[2] = be_load_word16(key + 12); - state.TK2[3] = be_load_word16(key + 14); - state.TK3[0] = be_load_word16(key + 16); - state.TK3[1] = 
be_load_word16(key + 18); - state.TK3[2] = be_load_word16(key + 20); - state.TK3[3] = be_load_word16(key + 22); - state.S[0] = be_load_word16(input); - state.S[1] = be_load_word16(input + 2); - state.S[2] = be_load_word16(input + 4); - state.S[3] = be_load_word16(input + 6); - - /* Run all of the rounds before the forking point */ - for (round = 0; round < FORKSKINNY_64_192_ROUNDS_BEFORE; ++round) { - forkskinny_64_192_round(&state, round); - } - - /* Determine which output blocks we need */ - if (output_left && output_right) { - /* We need both outputs so save the state at the forking point */ - uint16_t F[4]; - F[0] = state.S[0]; - F[1] = state.S[1]; - F[2] = state.S[2]; - F[3] = state.S[3]; - - /* Generate the right output block */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_right, state.S[0]); - be_store_word16(output_right + 2, state.S[1]); - be_store_word16(output_right + 4, state.S[2]); - be_store_word16(output_right + 6, state.S[3]); - - /* Restore the state at the forking point */ - state.S[0] = F[0]; - state.S[1] = F[1]; - state.S[2] = F[2]; - state.S[3] = F[3]; - } - if (output_left) { - /* Generate the left output block */ - state.S[0] ^= 0x1249U; /* Branching constant */ - state.S[1] ^= 0x36daU; - state.S[2] ^= 0x5b7fU; - state.S[3] ^= 0xec81U; - for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER); - round < (FORKSKINNY_64_192_ROUNDS_BEFORE + - FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) { - forkskinny_64_192_round(&state, round); - } - be_store_word16(output_left, state.S[0]); - be_store_word16(output_left + 2, state.S[1]); - be_store_word16(output_left + 4, state.S[2]); - be_store_word16(output_left + 6, state.S[3]); - } else { - /* We only need the right output block */ - for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; - round < 
(FORKSKINNY_64_192_ROUNDS_BEFORE +
- FORKSKINNY_64_192_ROUNDS_AFTER); ++round) {
- forkskinny_64_192_round(&state, round);
- }
- be_store_word16(output_right, state.S[0]);
- be_store_word16(output_right + 2, state.S[1]);
- be_store_word16(output_right + 4, state.S[2]);
- be_store_word16(output_right + 6, state.S[3]);
- }
-}
-
-/**
- * \brief Applies one round of ForkSkinny-64-192 in reverse.
- *
- * \param state State to apply the round to.
- * \param round Number of the round to apply.
- */
-static void forkskinny_64_192_inv_round
- (forkskinny_64_192_state_t *state, unsigned round)
-{
- uint16_t s0, s1, s2, s3, temp;
- uint8_t rc;
-
- /* Load the state into local variables */
- s0 = state->S[0];
- s1 = state->S[1];
- s2 = state->S[2];
- s3 = state->S[3];
-
- /* Permute TK1, TK2, and TK3 for the next round */
- skinny64_inv_LFSR2(state->TK2[0]);
- skinny64_inv_LFSR2(state->TK2[1]);
- skinny64_inv_LFSR3(state->TK3[0]);
- skinny64_inv_LFSR3(state->TK3[1]);
- skinny64_inv_permute_tk(state->TK1);
- skinny64_inv_permute_tk(state->TK2);
- skinny64_inv_permute_tk(state->TK3);
-
- /* Inverse mix of the columns */
- temp = s0;
- s0 = s1;
- s1 = s2;
- s2 = s3;
- s3 = temp ^ s2;
- s2 ^= s0;
- s1 ^= s2;
-
- /* Shift the cells in the rows left */
- s1 = leftRotate4_16(s1);
- s2 = leftRotate8_16(s2);
- s3 = leftRotate12_16(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = RC[round];
- s0 ^= state->TK1[0] ^ state->TK2[0] ^ state->TK3[0] ^
- ((rc & 0x0F) << 12) ^ 0x0020;
- s1 ^= state->TK1[1] ^ state->TK2[1] ^ state->TK3[1] ^
- ((rc & 0x70) << 8);
- s2 ^= 0x2000;
-
- /* Apply the inverse of the S-box to all cells in the state */
- skinny64_inv_sbox(s0);
- skinny64_inv_sbox(s1);
- skinny64_inv_sbox(s2);
- skinny64_inv_sbox(s3);
-
- /* Save the local variables back to the state */
- state->S[0] = s0;
- state->S[1] = s1;
- state->S[2] = s2;
- state->S[3] = s3;
-}
-
-void forkskinny_64_192_decrypt
- (const unsigned char key[24], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input)
-{
- forkskinny_64_192_state_t state;
- forkskinny_64_192_state_t fstate;
- unsigned round;
-
- /* Unpack the tweakey and the input */
- state.TK1[0] = be_load_word16(key);
- state.TK1[1] = be_load_word16(key + 2);
- state.TK1[2] = be_load_word16(key + 4);
- state.TK1[3] = be_load_word16(key + 6);
- state.TK2[0] = be_load_word16(key + 8);
- state.TK2[1] = be_load_word16(key + 10);
- state.TK2[2] = be_load_word16(key + 12);
- state.TK2[3] = be_load_word16(key + 14);
- state.TK3[0] = be_load_word16(key + 16);
- state.TK3[1] = be_load_word16(key + 18);
- state.TK3[2] = be_load_word16(key + 20);
- state.TK3[3] = be_load_word16(key + 22);
- state.S[0] = be_load_word16(input);
- state.S[1] = be_load_word16(input + 2);
- state.S[2] = be_load_word16(input + 4);
- state.S[3] = be_load_word16(input + 6);
-
- /* Fast-forward the tweakey to the end of the key schedule */
- for (round = 0; round < (FORKSKINNY_64_192_ROUNDS_BEFORE +
- FORKSKINNY_64_192_ROUNDS_AFTER * 2); ++round) {
- skinny64_permute_tk(state.TK1);
- skinny64_permute_tk(state.TK2);
- skinny64_permute_tk(state.TK3);
- skinny64_LFSR2(state.TK2[0]);
- skinny64_LFSR2(state.TK2[1]);
- skinny64_LFSR3(state.TK3[0]);
- skinny64_LFSR3(state.TK3[1]);
- }
-
- /* Perform the "after" rounds on the input to get back
- * to the forking point in the cipher */
- for (round = (FORKSKINNY_64_192_ROUNDS_BEFORE +
- FORKSKINNY_64_192_ROUNDS_AFTER * 2);
- round > (FORKSKINNY_64_192_ROUNDS_BEFORE +
- FORKSKINNY_64_192_ROUNDS_AFTER); --round) {
- forkskinny_64_192_inv_round(&state, round - 1);
- }
-
- /* Remove the branching constant */
- state.S[0] ^= 0x1249U;
- state.S[1] ^= 0x36daU;
- state.S[2] ^= 0x5b7fU;
- state.S[3] ^= 0xec81U;
-
- /* Roll the tweakey back another "after" rounds */
- for (round = 0; round < FORKSKINNY_64_192_ROUNDS_AFTER; ++round) {
- skinny64_inv_LFSR2(state.TK2[0]);
- skinny64_inv_LFSR2(state.TK2[1]);
- skinny64_inv_LFSR3(state.TK3[0]);
- skinny64_inv_LFSR3(state.TK3[1]);
- skinny64_inv_permute_tk(state.TK1);
- skinny64_inv_permute_tk(state.TK2);
- skinny64_inv_permute_tk(state.TK3);
- }
-
- /* Save the state and the tweakey at the forking point */
- fstate = state;
-
- /* Generate the left output block after another "before" rounds */
- for (round = FORKSKINNY_64_192_ROUNDS_BEFORE; round > 0; --round) {
- forkskinny_64_192_inv_round(&state, round - 1);
- }
- be_store_word16(output_left, state.S[0]);
- be_store_word16(output_left + 2, state.S[1]);
- be_store_word16(output_left + 4, state.S[2]);
- be_store_word16(output_left + 6, state.S[3]);
-
- /* Generate the right output block by going forward "after"
- * rounds from the forking point */
- for (round = FORKSKINNY_64_192_ROUNDS_BEFORE;
- round < (FORKSKINNY_64_192_ROUNDS_BEFORE +
- FORKSKINNY_64_192_ROUNDS_AFTER); ++round) {
- forkskinny_64_192_round(&fstate, round);
- }
- be_store_word16(output_right, fstate.S[0]);
- be_store_word16(output_right + 2, fstate.S[1]);
- be_store_word16(output_right + 4, fstate.S[2]);
- be_store_word16(output_right + 6, fstate.S[3]);
-}
diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-forkskinny.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-forkskinny.h
deleted file mode 100644
index 0c1a707..0000000
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-forkskinny.h
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_FORKSKINNY_H
-#define LW_INTERNAL_FORKSKINNY_H
-
-/**
- * \file internal-forkskinny.h
- * \brief ForkSkinny block cipher family.
- *
- * ForkSkinny is a modified version of the SKINNY block cipher that
- * supports "forking": half-way through the rounds the cipher is
- * forked in two different directions to produce two different outputs.
- *
- * References: https://www.esat.kuleuven.be/cosic/forkae/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts a block of plaintext with ForkSkinny-128-256.
- *
- * \param key 256-bit tweakey for ForkSkinny-128-256.
- * \param output_left Left output block for the ciphertext, or NULL if
- * the left output is not required.
- * \param output_right Right output block for the authentication tag,
- * or NULL if the right output is not required.
- * \param input 128-bit input plaintext block.
- *
- * ForkSkinny-128-192 also uses this function with a padded tweakey.
- */
-void forkskinny_128_256_encrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Decrypts a block of ciphertext with ForkSkinny-128-256.
- *
- * \param key 256-bit tweakey for ForkSkinny-128-256.
- * \param output_left Left output block, which is the plaintext.
- * \param output_right Right output block for the authentication tag.
- * \param input 128-bit input ciphertext block.
- *
- * Both output blocks will be populated; neither is optional.
- */
-void forkskinny_128_256_decrypt
- (const unsigned char key[32], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Encrypts a block of plaintext with ForkSkinny-128-384.
- *
- * \param key 384-bit tweakey for ForkSkinny-128-384.
- * \param output_left Left output block for the ciphertext, or NULL if
- * the left output is not required.
- * \param output_right Right output block for the authentication tag,
- * or NULL if the right output is not required.
- * \param input 128-bit input plaintext block.
- *
- * ForkSkinny-128-288 also uses this function with a padded tweakey.
- */
-void forkskinny_128_384_encrypt
- (const unsigned char key[48], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Decrypts a block of ciphertext with ForkSkinny-128-384.
- *
- * \param key 384-bit tweakey for ForkSkinny-128-384.
- * \param output_left Left output block, which is the plaintext.
- * \param output_right Right output block for the authentication tag.
- * \param input 128-bit input ciphertext block.
- *
- * Both output blocks will be populated; neither is optional.
- */
-void forkskinny_128_384_decrypt
- (const unsigned char key[48], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Encrypts a block of input with ForkSkinny-64-192.
- *
- * \param key 192-bit tweakey for ForkSkinny-64-192.
- * \param output_left First output block, or NULL if left is not required.
- * \param output_right Second output block, or NULL if right is not required.
- * \param input 64-bit input block.
- */
-/**
- * \brief Encrypts a block of plaintext with ForkSkinny-64-192.
- *
- * \param key 192-bit tweakey for ForkSkinny-64-192.
- * \param output_left Left output block for the ciphertext, or NULL if
- * the left output is not required.
- * \param output_right Right output block for the authentication tag,
- * or NULL if the right output is not required.
- * \param input 64-bit input plaintext block.
- */
-void forkskinny_64_192_encrypt
- (const unsigned char key[24], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-/**
- * \brief Decrypts a block of ciphertext with ForkSkinny-64-192.
- *
- * \param key 192-bit tweakey for ForkSkinny-64-192.
- * \param output_left Left output block, which is the plaintext.
- * \param output_right Right output block for the authentication tag.
- * \param input 64-bit input ciphertext block.
- *
- * Both output blocks will be populated; neither is optional.
- */
-void forkskinny_64_192_decrypt
- (const unsigned char key[24], unsigned char *output_left,
- unsigned char *output_right, const unsigned char *input);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-skinnyutil.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-skinnyutil.h
deleted file mode 100644
index 83136cb..0000000
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-skinnyutil.h
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNYUTIL_H
-#define LW_INTERNAL_SKINNYUTIL_H
-
-/**
- * \file internal-skinnyutil.h
- * \brief Utilities to help implement SKINNY and its variants.
- */
-
-#include "internal-util.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** @cond skinnyutil */
-
-/* Utilities for implementing SKINNY-128 */
-
-#define skinny128_LFSR2(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \
- (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \
- } while (0)
-
-
-#define skinny128_LFSR3(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \
- (((_x << 7) ^ (_x << 1)) & 0x80808080U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x)
-#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x)
-
-#define skinny128_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint32_t row2 = tk[2]; \
- uint32_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 16) | (row3 >> 16); \
- tk[0] = ((row2 >> 8) & 0x000000FFU) | \
- ((row2 << 16) & 0x00FF0000U) | \
- ( row3 & 0xFF00FF00U); \
- tk[1] = ((row2 >> 16) & 0x000000FFU) | \
- (row2 & 0xFF000000U) | \
- ((row3 << 8) & 0x0000FF00U) | \
- ( row3 & 0x00FF0000U); \
- } while (0)
-
-#define skinny128_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint32_t row0 = tk[0]; \
- uint32_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 >> 16) & 0x000000FFU) | \
- ((row0 << 8) & 0x0000FF00U) | \
- ((row1 << 16) & 0x00FF0000U) | \
- ( row1 & 0xFF000000U); \
- tk[3] = ((row0 >> 16) & 0x0000FF00U) | \
- ((row0 << 16) & 0xFF000000U) | \
- ((row1 >> 16) & 0x000000FFU) | \
- ((row1 << 8) & 0x00FF0000U); \
- } while (0)
-
-/*
- * Apply the SKINNY sbox. The original version from the specification is
- * equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE(x)
- * ((((x) & 0x01010101U) << 2) |
- * (((x) & 0x06060606U) << 5) |
- * (((x) & 0x20202020U) >> 5) |
- * (((x) & 0xC8C8C8C8U) >> 2) |
- * (((x) & 0x10101010U) >> 1))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * return SBOX_SWAP(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \
- y = (((x >> 5) & (x << 1)) & 0x04040404U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \
- x = ((x & 0x08080808U) << 1) | \
- ((x & 0x32323232U) << 2) | \
- ((x & 0x01010101U) << 5) | \
- ((x & 0x80808080U) >> 6) | \
- ((x & 0x40404040U) >> 4) | \
- ((x & 0x04040404U) >> 2); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE_INV(x)
- * ((((x) & 0x08080808U) << 1) |
- * (((x) & 0x32323232U) << 2) |
- * (((x) & 0x01010101U) << 5) |
- * (((x) & 0xC0C0C0C0U) >> 5) |
- * (((x) & 0x04040404U) >> 2))
- *
- * x = SBOX_SWAP(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_inv_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- y = (((x >> 1) & (x >> 3)) & 0x01010101U); \
- x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \
- y = (((x >> 6) & (x >> 1)) & 0x02020202U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \
- x = ((x & 0x01010101U) << 2) | \
- ((x & 0x04040404U) << 4) | \
- ((x & 0x02020202U) << 6) | \
- ((x & 0x20202020U) >> 5) | \
- ((x & 0xC8C8C8C8U) >> 2) | \
- ((x & 0x10101010U) >> 1); \
-} while (0)
-
-/* Utilities for implementing SKINNY-64 */
-
-#define skinny64_LFSR2(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \
- } while (0)
-
-#define skinny64_LFSR3(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x)
-#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x)
-
-#define skinny64_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint16_t row2 = tk[2]; \
- uint16_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 8) | (row3 >> 8); \
- tk[0] = ((row2 << 4) & 0xF000U) | \
- ((row2 >> 8) & 0x00F0U) | \
- ( row3 & 0x0F0FU); \
- tk[1] = ((row2 << 8) & 0xF000U) | \
- ((row3 >> 4) & 0x0F00U) | \
- ( row3 & 0x00F0U) | \
- ( row2 & 0x000FU); \
- } while (0)
-
-#define skinny64_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint16_t row0 = tk[0]; \
- uint16_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 << 8) & 0xF000U) | \
- ((row0 >> 4) & 0x0F00U) | \
- ((row1 >> 8) & 0x00F0U) | \
- ( row1 & 0x000FU); \
- tk[3] = ((row1 << 8) & 0xF000U) | \
- ((row0 << 8) & 0x0F00U) | \
- ((row1 >> 4) & 0x00F0U) | \
- ((row0 >> 8) & 0x000FU); \
- } while (0)
-
-/*
- * Apply the SKINNY-64 sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT(x)
- * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_SHIFT steps to be performed with one final rotation.
- * This reduces the number of required shift operations from 14 to 10.
- *
- * We can further reduce the number of NOT operations from 4 to 2
- * using the technique from https://github.com/kste/skinny_avx to
- * convert NOR-XOR operations into AND-XOR operations by converting
- * the S-box into its NOT-inverse.
- */
-#define skinny64_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \
- x = ~x; \
- x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY-64 sbox. The original version
- * from the specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT_INV(x)
- * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * return SBOX_MIX(x);
- */
-#define skinny64_inv_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = ~x; \
- x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \
-} while (0)
-
-/** @endcond */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-util.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-util.h b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-util.h +++ b/forkae/Implementations/crypto_aead/saefforkskinnyb128t256n120v1/rhys/internal-util.h 
@@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
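Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is derived from `__AVR__` with no way to override it, so the composed macro branch that this flag selects can only ever be compiled for an AVR target, which is also the target least likely to run the known-answer tests. Wrapping the two `#define`s in `#ifndef LW_CRYPTO_ROTATE32_COMPOSED` / `#endif` lets a host build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and check that every `leftRotateN(x)` equals the generic `leftRotate(x, N)` for all 31 counts, which is the only practical way to catch a miscounted composition before it silently breaks a cipher on the device. The comment above the block could also say that the flag may be predefined for that purpose.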
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/aead-common.c b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
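Review bot: Each macro in the `#else` branch nests the statement-expression `leftRotate`/`rightRotate` up to five deep, so every expansion declares an inner `_temp` inside the initializer of the outer `_temp`; that is legal C, but it will likely trigger `-Wshadow` at every call site and makes the counts hard to verify by eye. The compositions do check out arithmetically (for example `leftRotate5` is left 8 then right 3, `leftRotate12` is left 16 then right 4, `leftRotate28` is right 4) and every shift count stays a compile-time constant, so no data-dependent timing is introduced. Since a wrong count here would only show up on AVR, a comment above `/* Composed rotation macros where 1 and 8 are fast, but others are slow */` stating the invariant, e.g. `/* Invariant: leftRotateN(a) == leftRotate((a), N) for 1 <= N <= 31; keep a host-side equivalence test for all counts when editing. */`, would document what a reviewer has to re-check on any change.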
--- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/aead-common.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/api.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/api.h
deleted file mode 100644
index b2f8a36..0000000
--- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/encrypt.c b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/encrypt.c
deleted file mode 100644
index 1286684..0000000
--- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "gift-cofb.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return gift_cofb_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return gift_cofb_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/gift-cofb.c b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/gift-cofb.c
deleted file mode 100644
index 6f65524..0000000
--- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/gift-cofb.c
+++ /dev/null
@@ -1,405 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "gift-cofb.h"
-#include "internal-gift128.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const gift_cofb_cipher = {
- "GIFT-COFB",
- GIFT_COFB_KEY_SIZE,
- GIFT_COFB_NONCE_SIZE,
- GIFT_COFB_TAG_SIZE,
- AEAD_FLAG_NONE,
- gift_cofb_aead_encrypt,
- gift_cofb_aead_decrypt
-};
-
-/**
- * \brief Structure of an L value.
- *
- * The value is assumed to have already been converted from big-endian
- * to host byte order.
- */
-typedef struct
-{
- uint32_t x; /**< High word of the value */
- uint32_t y; /**< Low word of the value */
-
-} gift_cofb_l_t;
-
-/**
- * \brief Structure of a 128-bit block in host byte order.
- *
- * The block is assumed to have already been converted from big-endian
- * to host byte order.
- */
-typedef union
-{
- uint32_t x[4]; /**< Words of the block */
- uint8_t y[16]; /**< Bytes of the block */
-
-} gift_cofb_block_t;
-
-/**
- * \brief Doubles an L value in the F(2^64) field.
- *
- * \param L The value to be doubled.
- *
- * L = L << 1 if the top-most bit is 0, or L = (L << 1) ^ 0x1B otherwise.
- */
-#define gift_cofb_double_L(L) \
- do { \
- uint32_t mask = ((int32_t)((L)->x)) >> 31; \
- (L)->x = ((L)->x << 1) | ((L)->y >> 31); \
- (L)->y = ((L)->y << 1) ^ (mask & 0x1B); \
- } while (0)
-
-/**
- * \brief Triples an L value in the F(2^64) field.
- *
- * \param L The value to be tripled.
- *
- * L = double(L) ^ L
- */
-#define gift_cofb_triple_L(L) \
- do { \
- uint32_t mask = ((int32_t)((L)->x)) >> 31; \
- uint32_t tx = ((L)->x << 1) | ((L)->y >> 31); \
- uint32_t ty = ((L)->y << 1) ^ (mask & 0x1B); \
- (L)->x ^= tx; \
- (L)->y ^= ty; \
- } while (0)
-
-/**
- * \brief Applies the GIFT-COFB feedback function to Y.
- *
- * \param Y The value to be modified with the feedback function.
- *
- * Y is divided into L and R halves and then (R, L <<< 1) is returned.
- */
-#define gift_cofb_feedback(Y) \
- do { \
- uint32_t lx = (Y)->x[0]; \
- uint32_t ly = (Y)->x[1]; \
- (Y)->x[0] = (Y)->x[2]; \
- (Y)->x[1] = (Y)->x[3]; \
- (Y)->x[2] = (lx << 1) | (ly >> 31); \
- (Y)->x[3] = (ly << 1) | (lx >> 31); \
- } while (0)
-
-/**
- * \brief Process the associated data for GIFT-COFB encryption or decryption.
- *
- * \param ks The GIFT-128 key schedule to use.
- * \param Y GIFT-COFB internal state.
- * \param L GIFT-COFB internal state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- * \param mlen Length of the plaintext in bytes.
- */
-static void gift_cofb_assoc_data
- (gift128b_key_schedule_t *ks, gift_cofb_block_t *Y, gift_cofb_l_t *L,
- const unsigned char *ad, unsigned long long adlen, unsigned long long mlen)
-{
- /* Deal with all associated data blocks except the last */
- while (adlen > 16) {
- gift_cofb_double_L(L);
- gift_cofb_feedback(Y);
- Y->x[0] ^= L->x ^ be_load_word32(ad);
- Y->x[1] ^= L->y ^ be_load_word32(ad + 4);
- Y->x[2] ^= be_load_word32(ad + 8);
- Y->x[3] ^= be_load_word32(ad + 12);
- gift128b_encrypt_preloaded(ks, Y->x, Y->x);
- ad += 16;
- adlen -= 16;
- }
-
- /* Pad and deal with the last block */
- gift_cofb_feedback(Y);
- if (adlen == 16) {
- Y->x[0] ^= be_load_word32(ad);
- Y->x[1] ^= be_load_word32(ad + 4);
- Y->x[2] ^= be_load_word32(ad + 8);
- Y->x[3] ^= be_load_word32(ad + 12);
- gift_cofb_triple_L(L);
- } else {
- unsigned temp = (unsigned)adlen;
- unsigned char padded[16];
- memcpy(padded, ad, temp);
- padded[temp] = 0x80;
- memset(padded + temp + 1, 0, 16 - temp - 1);
- Y->x[0] ^= be_load_word32(padded);
- Y->x[1] ^= be_load_word32(padded + 4);
- Y->x[2] ^= be_load_word32(padded + 8);
- Y->x[3] ^= be_load_word32(padded + 12);
- gift_cofb_triple_L(L);
- gift_cofb_triple_L(L);
- }
- if (mlen == 0) {
- gift_cofb_triple_L(L);
- gift_cofb_triple_L(L);
- }
- Y->x[0] ^= L->x;
- Y->x[1] ^= L->y;
- gift128b_encrypt_preloaded(ks, Y->x, Y->x);
-}
-
-/** @cond cofb_byte_swap */
-
-/* Byte-swap a block if the platform is little-endian */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
-#define gift_cofb_byte_swap_word(y) \
- (__extension__ ({ \
- uint32_t _y = (y); \
- (_y >> 24) | (_y << 24) | ((_y << 8) & 0x00FF0000U) | \
- ((_y >> 8) & 0x0000FF00U); \
- }))
-#define gift_cofb_byte_swap(x) \
- do { \
- (x)[0] = gift_cofb_byte_swap_word((x)[0]); \
- (x)[1] = gift_cofb_byte_swap_word((x)[1]); \
- (x)[2] = gift_cofb_byte_swap_word((x)[2]); \
- (x)[3] = gift_cofb_byte_swap_word((x)[3]); \
- } while (0)
-#else
-#define gift_cofb_byte_swap(x) do { ; } while (0)
-#endif
-
-/** @endcond */
-int gift_cofb_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- gift128b_key_schedule_t ks;
- gift_cofb_block_t Y;
- gift_cofb_l_t L;
- gift_cofb_block_t P;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + GIFT_COFB_TAG_SIZE;
-
- /* Set up the key schedule and use it to encrypt the nonce */
- gift128b_init(&ks, k);
- Y.x[0] = be_load_word32(npub);
- Y.x[1] = be_load_word32(npub + 4);
- Y.x[2] = be_load_word32(npub + 8);
- Y.x[3] = be_load_word32(npub + 12);
- gift128b_encrypt_preloaded(&ks, Y.x, Y.x);
- L.x = Y.x[0];
- L.y = Y.x[1];
-
- /* Authenticate the associated data */
- gift_cofb_assoc_data(&ks, &Y, &L, ad, adlen, mlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- /* Deal with all plaintext blocks except the last */
- while (mlen > 16) {
- P.x[0] = be_load_word32(m);
- P.x[1] = be_load_word32(m + 4);
- P.x[2] = be_load_word32(m + 8);
- P.x[3] = be_load_word32(m + 12);
- be_store_word32(c, Y.x[0] ^ P.x[0]);
- be_store_word32(c + 4, Y.x[1] ^ P.x[1]);
- be_store_word32(c + 8, Y.x[2] ^ P.x[2]);
- be_store_word32(c + 12, Y.x[3] ^ P.x[3]);
- gift_cofb_double_L(&L);
- gift_cofb_feedback(&Y);
- Y.x[0] ^= L.x ^ P.x[0];
- Y.x[1] ^= L.y ^ P.x[1];
- Y.x[2] ^= P.x[2];
- Y.x[3] ^= P.x[3];
- gift128b_encrypt_preloaded(&ks, Y.x, Y.x);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and deal with the last plaintext block */
- if (mlen == 16) {
- P.x[0] = be_load_word32(m);
- P.x[1] = be_load_word32(m + 4);
- P.x[2] = be_load_word32(m + 8);
- P.x[3] = be_load_word32(m + 12);
- be_store_word32(c, Y.x[0] ^ P.x[0]);
- be_store_word32(c + 4, Y.x[1] ^ P.x[1]);
- be_store_word32(c + 8, Y.x[2] ^ P.x[2]);
- be_store_word32(c + 12, Y.x[3] ^ P.x[3]);
- gift_cofb_feedback(&Y);
- Y.x[0] ^= P.x[0];
- Y.x[1] ^= P.x[1];
- Y.x[2] ^= P.x[2];
- Y.x[3] ^= P.x[3];
- gift_cofb_triple_L(&L);
- c += 16;
- } else {
- unsigned temp = (unsigned)mlen;
- gift_cofb_block_t padded;
- memcpy(padded.y, m, temp);
- padded.y[temp] = 0x80;
- memset(padded.y + temp + 1, 0, 16 - temp - 1);
- P.x[0] = be_load_word32(padded.y);
- P.x[1] = be_load_word32(padded.y + 4);
- P.x[2] = be_load_word32(padded.y + 8);
- P.x[3] = be_load_word32(padded.y + 12);
- gift_cofb_byte_swap(padded.x);
- padded.x[0] ^= Y.x[0];
- padded.x[1] ^= Y.x[1];
- padded.x[2] ^= Y.x[2];
- padded.x[3] ^= Y.x[3];
- gift_cofb_byte_swap(padded.x);
- memcpy(c, padded.y, temp);
- gift_cofb_feedback(&Y);
- Y.x[0] ^= P.x[0];
- Y.x[1] ^= P.x[1];
- Y.x[2] ^= P.x[2];
- Y.x[3] ^= P.x[3];
- gift_cofb_triple_L(&L);
- gift_cofb_triple_L(&L);
- c += temp;
- }
- Y.x[0] ^= L.x;
- Y.x[1] ^= L.y;
- gift128b_encrypt_preloaded(&ks, Y.x, Y.x);
- }
-
- /* Generate the final authentication tag */
- be_store_word32(c, Y.x[0]);
- be_store_word32(c + 4, Y.x[1]);
- be_store_word32(c + 8, Y.x[2]);
- be_store_word32(c + 12, Y.x[3]);
- return 0;
-}
-
-int gift_cofb_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- gift128b_key_schedule_t ks;
- gift_cofb_block_t Y;
- gift_cofb_l_t L;
- gift_cofb_block_t P;
- unsigned char *mtemp;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < GIFT_COFB_TAG_SIZE)
- return -1;
- *mlen = clen - GIFT_COFB_TAG_SIZE;
-
- /* Set up the key schedule and use it to encrypt the nonce */
- gift128b_init(&ks, k);
- Y.x[0] = be_load_word32(npub);
- Y.x[1] = be_load_word32(npub + 4);
- Y.x[2] = be_load_word32(npub + 8);
- Y.x[3] = be_load_word32(npub + 12);
- gift128b_encrypt_preloaded(&ks, Y.x, Y.x);
- L.x = Y.x[0];
- L.y = Y.x[1];
-
- /* Authenticate the associated data */
- gift_cofb_assoc_data(&ks, &Y, &L, ad, adlen, *mlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- mtemp = m;
- clen -= GIFT_COFB_TAG_SIZE;
- if (clen > 0) {
- /* Deal with all ciphertext blocks except the last */
- while (clen > 16) {
- P.x[0] = Y.x[0] ^ be_load_word32(c);
- P.x[1] = Y.x[1] ^ be_load_word32(c + 4);
- P.x[2] = Y.x[2] ^ be_load_word32(c + 8);
- P.x[3] = Y.x[3] ^ be_load_word32(c + 12);
- be_store_word32(m, P.x[0]);
- be_store_word32(m + 4, P.x[1]);
- be_store_word32(m + 8, P.x[2]);
- be_store_word32(m + 12, P.x[3]);
- gift_cofb_double_L(&L);
- gift_cofb_feedback(&Y);
- Y.x[0] ^= L.x ^ P.x[0];
- Y.x[1] ^= L.y ^ P.x[1];
- Y.x[2] ^= P.x[2];
- Y.x[3] ^= P.x[3];
- gift128b_encrypt_preloaded(&ks, Y.x, Y.x);
- c += 16;
- m += 16;
- clen -= 16;
- }
-
- /* Pad and deal with the last ciphertext block */
- if (clen == 16) {
- P.x[0] = Y.x[0] ^ be_load_word32(c);
- P.x[1] = Y.x[1] ^ be_load_word32(c + 4);
- P.x[2] = Y.x[2] ^ be_load_word32(c + 8);
- P.x[3] = Y.x[3] ^ be_load_word32(c + 12);
- be_store_word32(m, P.x[0]);
- be_store_word32(m + 4, P.x[1]);
- be_store_word32(m + 8, P.x[2]);
- be_store_word32(m + 12, P.x[3]);
- gift_cofb_feedback(&Y);
- Y.x[0] ^= P.x[0];
- Y.x[1] ^= P.x[1];
- Y.x[2] ^= P.x[2];
- Y.x[3] ^= P.x[3];
- gift_cofb_triple_L(&L);
- c += 16;
- } else {
- unsigned temp = (unsigned)clen;
- P.x[0] = Y.x[0];
- P.x[1] = Y.x[1];
- P.x[2] = Y.x[2];
- P.x[3] = Y.x[3];
- gift_cofb_byte_swap(P.x);
- lw_xor_block_2_dest(m, P.y, c, temp);
- P.y[temp] = 0x80;
- memset(P.y + temp + 1, 0, 16 - temp - 1);
- gift_cofb_byte_swap(P.x);
- gift_cofb_feedback(&Y);
- Y.x[0] ^= P.x[0];
- Y.x[1] ^= P.x[1];
- Y.x[2] ^= P.x[2];
- Y.x[3] ^= P.x[3];
- gift_cofb_triple_L(&L);
- gift_cofb_triple_L(&L);
- c += temp;
- }
- Y.x[0] ^= L.x;
- Y.x[1] ^= L.y;
- gift128b_encrypt_preloaded(&ks, Y.x, Y.x);
- }
-
- /* Check the authentication tag at the end of the packet */
- gift_cofb_byte_swap(Y.x);
- return aead_check_tag(mtemp, *mlen, Y.y, c, GIFT_COFB_TAG_SIZE);
-}
diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/gift-cofb.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/gift-cofb.h
deleted file mode 100644
index 670d042..0000000
--- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/gift-cofb.h
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_GIFT_COFB_H
-#define LWCRYPTO_GIFT_COFB_H
-
-#include "aead-common.h"
-
-/**
- * \file gift-cofb.h
- * \brief GIFT-COFB authenticated encryption algorithm.
- *
- * GIFT-COFB is an authenticated encryption algorithm that combines
- * the COFB (COmbined FeedBack) block cipher mode with the GIFT-128
- * block cipher. The algorithm has a 128-bit key, a 128-bit nonce,
- * and a 128-bit authentication tag.
- *
- * References: https://www.isical.ac.in/~lightweight/COFB/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for GIFT-COFB.
- */
-#define GIFT_COFB_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for all GIFT-COFB family members.
- */
-#define GIFT_COFB_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for GIFT-COFB.
- */
-#define GIFT_COFB_NONCE_SIZE 16
-
-/**
- * \brief Meta-information block for the GIFT-COFB cipher.
- */
-extern aead_cipher_t const gift_cofb_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with GIFT-COFB.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa gift_cofb_aead_decrypt()
- */
-int gift_cofb_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with GIFT-COFB-0.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa gift_cofb_aead_encrypt()
- */
-int gift_cofb_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128-config.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128-config.h
deleted file mode 100644
index 62131ba..0000000
--- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128-config.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_GIFT128_CONFIG_H
-#define LW_INTERNAL_GIFT128_CONFIG_H
-
-/**
- * \file internal-gift128-config.h
- * \brief Configures the variant of GIFT-128 to use.
- */
-
-/**
- * \brief Select the full variant of GIFT-128.
- *
- * The full variant requires 320 bytes for the key schedule and uses the
- * fixslicing method to implement encryption and decryption.
- */
-#define GIFT128_VARIANT_FULL 0
-
-/**
- * \brief Select the small variant of GIFT-128.
- *
- * The small variant requires 80 bytes for the key schedule. The rest
- * of the key schedule is expanded on the fly during encryption.
- *
- * The fixslicing method is used to implement encryption and the slower
- * bitslicing method is used to implement decryption. The small variant
- * is suitable when memory is at a premium, decryption is not needed,
- * but encryption performance is still important.
- */
-#define GIFT128_VARIANT_SMALL 1
-
-/**
- * \brief Select the tiny variant of GIFT-128.
- *
- * The tiny variant requires 16 bytes for the key schedule and uses the
- * bitslicing method to implement encryption and decryption. It is suitable
- * for use when memory is very tight and performance is not critical.
- */
-#define GIFT128_VARIANT_TINY 2
-
-/**
- * \def GIFT128_VARIANT
- * \brief Selects the default variant of GIFT-128 to use on this platform.
- */
-/**
- * \def GIFT128_VARIANT_ASM
- * \brief Defined to 1 if the GIFT-128 implementation has been replaced
- * with an assembly code version.
- */
-#if defined(__AVR__) && !defined(GIFT128_VARIANT_ASM)
-#define GIFT128_VARIANT_ASM 1
-#endif
-#if !defined(GIFT128_VARIANT)
-#define GIFT128_VARIANT GIFT128_VARIANT_FULL
-#endif
-#if !defined(GIFT128_VARIANT_ASM)
-#define GIFT128_VARIANT_ASM 0
-#endif
-
-#endif
diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128.c b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128.c
deleted file mode 100644
index c6ac5ec..0000000
--- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128.c
+++ /dev/null
@@ -1,1498 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-gift128.h"
-#include "internal-util.h"
-
-#if !GIFT128_VARIANT_ASM
-
-#if GIFT128_VARIANT != GIFT128_VARIANT_TINY
-
-/* Round constants for GIFT-128 in the fixsliced representation */
-static uint32_t const GIFT128_RC_fixsliced[40] = {
- 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880,
- 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000,
- 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002,
- 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080,
- 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e,
- 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808,
- 0xc001a000, 0x14500002, 0x01020181, 0x8000001a
-};
-
-#endif
-
-#if GIFT128_VARIANT != GIFT128_VARIANT_FULL
-
-/* Round constants for GIFT-128 in the bitsliced representation */
-static uint8_t const GIFT128_RC[40] = {
- 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B,
- 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E,
- 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30,
- 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38,
- 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A
-};
-
-#endif
-
-/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */
-#define bit_permute_step(_y, mask, shift) \
- do { \
- uint32_t y = (_y); \
- uint32_t t = ((y >> (shift)) ^ y) & (mask); \
- (_y) = (y ^ t) ^ (t << (shift)); \
- } while (0)
-
-/*
- * The permutation below was generated by the online permuation generator at
- * "http://programming.sirrida.de/calcperm.php".
- *
- * All of the permutuations are essentially the same, except that each is
- * rotated by 8 bits with respect to the next:
- *
- * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15
- * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23
- * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31
- * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7
- *
- * The most efficient permutation from the online generator was P3, so we
- * perform it as the core of the others, and then perform a final rotation.
- *
- * It is possible to do slightly better than "P3 then rotate" on desktop and
- * server architectures for the other permutations. But the advantage isn't
- * as evident on embedded platforms so we keep things simple.
- */
-#define PERM3_INNER(x) \
- do { \
- bit_permute_step(x, 0x0a0a0a0a, 3); \
- bit_permute_step(x, 0x00cc00cc, 6); \
- bit_permute_step(x, 0x0000f0f0, 12); \
- bit_permute_step(x, 0x000000ff, 24); \
- } while (0)
-#define PERM0(x) \
- do { \
- uint32_t _x = (x); \
- PERM3_INNER(_x); \
- (x) = leftRotate8(_x); \
- } while (0)
-#define PERM1(x) \
- do { \
- uint32_t _x = (x); \
- PERM3_INNER(_x); \
- (x) = leftRotate16(_x); \
- } while (0)
-#define PERM2(x) \
- do { \
- uint32_t _x = (x); \
- PERM3_INNER(_x); \
- (x) = leftRotate24(_x); \
- } while (0)
-#define PERM3(x) \
- do { \
- uint32_t _x = (x); \
- PERM3_INNER(_x); \
- (x) = _x; \
- } while (0)
-
-#define INV_PERM3_INNER(x) \
- do { \
- bit_permute_step(x, 0x00550055, 9); \
- bit_permute_step(x, 0x00003333, 18); \
- bit_permute_step(x, 0x000f000f, 12); \
- bit_permute_step(x, 0x000000ff, 24); \
- } while (0)
-#define INV_PERM0(x) \
- do { \
- uint32_t _x = rightRotate8(x); \
- INV_PERM3_INNER(_x); \
- (x) = _x; \
- } while (0)
-#define INV_PERM1(x) \
- do { \
- uint32_t _x = rightRotate16(x); \
- INV_PERM3_INNER(_x); \
- (x) = _x; \
- } while (0)
-#define INV_PERM2(x) \
- do { \
- uint32_t _x = rightRotate24(x); \
- INV_PERM3_INNER(_x); \
- (x) = _x; \
- } while (0)
-#define INV_PERM3(x) \
- do { \
- uint32_t _x = (x); \
- INV_PERM3_INNER(_x); \
- (x) = _x; \
- } while (0)
-
-/**
- * \brief Converts the GIFT-128 nibble-based representation into word-based.
- *
- * \param output Output buffer to write the word-based version to.
- * \param input Input buffer to read the nibble-based version from.
- *
- * The \a input and \a output buffers can be the same buffer.
- */
-static void gift128n_to_words
- (unsigned char *output, const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Load the input buffer into 32-bit words. We use the nibble order
- * from the HYENA submission to NIST which is byte-reversed with respect
- * to the nibble order of the original GIFT-128 paper. Nibble zero is in
- * the first byte instead of the last, which means little-endian order. */
- s0 = le_load_word32(input + 12);
- s1 = le_load_word32(input + 8);
- s2 = le_load_word32(input + 4);
- s3 = le_load_word32(input);
-
- /* Rearrange the bits so that bits 0..3 of each nibble are
- * scattered to bytes 0..3 of each word. The permutation is:
- *
- * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31
- *
- * Generated with "http://programming.sirrida.de/calcperm.php".
- */
- #define PERM_WORDS(_x) \
- do { \
- uint32_t x = (_x); \
- bit_permute_step(x, 0x0a0a0a0a, 3); \
- bit_permute_step(x, 0x00cc00cc, 6); \
- bit_permute_step(x, 0x0000f0f0, 12); \
- bit_permute_step(x, 0x0000ff00, 8); \
- (_x) = x; \
- } while (0)
- PERM_WORDS(s0);
- PERM_WORDS(s1);
- PERM_WORDS(s2);
- PERM_WORDS(s3);
-
- /* Rearrange the bytes and write them to the output buffer */
- output[0] = (uint8_t)s0;
- output[1] = (uint8_t)s1;
- output[2] = (uint8_t)s2;
- output[3] = (uint8_t)s3;
- output[4] = (uint8_t)(s0 >> 8);
- output[5] = (uint8_t)(s1 >> 8);
- output[6] = (uint8_t)(s2 >> 8);
- output[7] = (uint8_t)(s3 >> 8);
- output[8] = (uint8_t)(s0 >> 16);
- output[9] = (uint8_t)(s1 >> 16);
- output[10] = (uint8_t)(s2 >> 16);
- output[11] = (uint8_t)(s3 >> 16);
- output[12] = (uint8_t)(s0 >> 24);
- output[13] = (uint8_t)(s1 >> 24);
- output[14] = (uint8_t)(s2 >> 24);
- output[15] = (uint8_t)(s3 >> 24);
-}
-
-/**
- * \brief Converts the GIFT-128 word-based representation into nibble-based.
- *
- * \param output Output buffer to write the nibble-based version to.
- * \param input Input buffer to read the word-based version from.
- */
-static void gift128n_to_nibbles
- (unsigned char *output, const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Load the input bytes and rearrange them so that s0 contains the
- * most significant nibbles and s3 contains the least significant */
- s0 = (((uint32_t)(input[12])) << 24) |
- (((uint32_t)(input[8])) << 16) |
- (((uint32_t)(input[4])) << 8) |
- ((uint32_t)(input[0]));
- s1 = (((uint32_t)(input[13])) << 24) |
- (((uint32_t)(input[9])) << 16) |
- (((uint32_t)(input[5])) << 8) |
- ((uint32_t)(input[1]));
- s2 = (((uint32_t)(input[14])) << 24) |
- (((uint32_t)(input[10])) << 16) |
- (((uint32_t)(input[6])) << 8) |
- ((uint32_t)(input[2]));
- s3 = (((uint32_t)(input[15])) << 24) |
- (((uint32_t)(input[11])) << 16) |
- (((uint32_t)(input[7])) << 8) |
- ((uint32_t)(input[3]));
-
- /* Apply the inverse of PERM_WORDS() from the function above */
- #define INV_PERM_WORDS(_x) \
- do { \
- uint32_t x = (_x); \
- bit_permute_step(x, 0x00aa00aa, 7); \
- bit_permute_step(x, 0x0000cccc, 14); \
- bit_permute_step(x, 0x00f000f0, 4); \
- bit_permute_step(x, 0x0000ff00, 8); \
- (_x) = x; \
- } while (0)
- INV_PERM_WORDS(s0);
- INV_PERM_WORDS(s1);
- INV_PERM_WORDS(s2);
- INV_PERM_WORDS(s3);
-
- /* Store the result into the output buffer as 32-bit words */
- le_store_word32(output + 12, s0);
- le_store_word32(output + 8, s1);
- le_store_word32(output + 4, s2);
- le_store_word32(output, s3);
-}
-
-void gift128n_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- gift128n_to_words(output, input);
- gift128b_encrypt(ks, output, output);
- gift128n_to_nibbles(output, output);
-}
-
-void gift128n_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- gift128n_to_words(output, input);
- gift128b_decrypt(ks, output, output);
- gift128n_to_nibbles(output, output);
-}
-
-#if GIFT128_VARIANT != GIFT128_VARIANT_TINY
-
-/**
- * \brief Swaps bits within two words.
- *
- * \param a The first word.
- * \param b The second word.
- * \param mask Mask for the bits to shift.
- * \param shift Shift amount in bits.
- */
-#define gift128b_swap_move(a, b, mask, shift) \
- do { \
- uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \
- (b) ^= tmp; \
- (a) ^= tmp << (shift); \
- } while (0)
-
-/**
- * \brief Derives the next 10 fixsliced keys in the key schedule.
- *
- * \param next Points to the buffer to receive the next 10 keys.
- * \param prev Points to the buffer holding the previous 10 keys.
- *
- * The \a next and \a prev buffers are allowed to be the same.
- */
-#define gift128b_derive_keys(next, prev) \
- do { \
- /* Key 0 */ \
- uint32_t s = (prev)[0]; \
- uint32_t t = (prev)[1]; \
- gift128b_swap_move(t, t, 0x00003333U, 16); \
- gift128b_swap_move(t, t, 0x55554444U, 1); \
- (next)[0] = t; \
- /* Key 1 */ \
- s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \
- gift128b_swap_move(s, s, 0x55551100U, 1); \
- (next)[1] = s; \
- /* Key 2 */ \
- s = (prev)[2]; \
- t = (prev)[3]; \
- (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \
- ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \
- /* Key 3 */ \
- (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \
- ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \
- /* Key 4 */ \
- s = (prev)[4]; \
- t = (prev)[5]; \
- (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \
- leftRotate16(t & 0x55555555U); \
- /* Key 5 */ \
- (next)[5] = leftRotate8(s & 0x55555555U) | \
- leftRotate12(s & 0xAAAAAAAAU); \
- /* Key 6 */ \
- s = (prev)[6]; \
- t = (prev)[7]; \
- (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \
- ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \
- /* Key 7 */ \
- (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \
- ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \
- ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \
- /* Key 8 */ \
- s = (prev)[8]; \
- t = (prev)[9]; \
- (next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \
- ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \
- /* Key 9 */ \
- (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \
- ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \
- } while (0)
-
-/**
- * \brief Compute the round keys for GIFT-128 in the fixsliced representation.
- *
- * \param ks Points to the key schedule to initialize.
- * \param k0 First key word.
- * \param k1 Second key word.
- * \param k2 Third key word.
- * \param k3 Fourth key word.
- */
-static void gift128b_compute_round_keys
- (gift128b_key_schedule_t *ks,
- uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3)
-{
- unsigned index;
- uint32_t temp;
-
- /* Set the regular key with k0 and k3 pre-swapped for the round function */
- ks->k[0] = k3;
- ks->k[1] = k1;
- ks->k[2] = k2;
- ks->k[3] = k0;
-
- /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */
- for (index = 4; index < 20; index += 2) {
- ks->k[index] = ks->k[index - 3];
- temp = ks->k[index - 4];
- temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- ks->k[index + 1] = temp;
- }
- for (index = 0; index < 20; index += 10) {
- /* Keys 0 and 10 */
- temp = ks->k[index];
- gift128b_swap_move(temp, temp, 0x00550055U, 9);
- gift128b_swap_move(temp, temp, 0x000F000FU, 12);
- gift128b_swap_move(temp, temp, 0x00003333U, 18);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index] = temp;
-
- /* Keys 1 and 11 */
- temp = ks->k[index + 1];
- gift128b_swap_move(temp, temp, 0x00550055U, 9);
- gift128b_swap_move(temp, temp, 0x000F000FU, 12);
- gift128b_swap_move(temp, temp, 0x00003333U, 18);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 1] = temp;
-
- /* Keys 2 and 12 */
- temp = ks->k[index + 2];
- gift128b_swap_move(temp, temp, 0x11111111U, 3);
- gift128b_swap_move(temp, temp, 0x03030303U, 6);
- gift128b_swap_move(temp, temp, 0x000F000FU, 12);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 2] = temp;
-
- /* Keys 3 and 13 */
- temp = ks->k[index + 3];
- gift128b_swap_move(temp, temp, 0x11111111U, 3);
- gift128b_swap_move(temp, temp, 0x03030303U, 6);
- gift128b_swap_move(temp, temp, 0x000F000FU, 12);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 3] = temp;
-
- /* Keys 4 and 14 */
- temp = ks->k[index + 4];
- gift128b_swap_move(temp, temp, 0x0000AAAAU, 15);
- gift128b_swap_move(temp, temp, 0x00003333U, 18);
- gift128b_swap_move(temp, temp, 0x0000F0F0U, 12);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 4] = temp;
-
- /* Keys 5 and 15 */
- temp = ks->k[index + 5];
- gift128b_swap_move(temp, temp, 0x0000AAAAU, 15);
- gift128b_swap_move(temp, temp, 0x00003333U, 18);
- gift128b_swap_move(temp, temp, 0x0000F0F0U, 12);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 5] = temp;
-
- /* Keys 6 and 16 */
- temp = ks->k[index + 6];
- gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3);
- gift128b_swap_move(temp, temp, 0x00CC00CCU, 6);
- gift128b_swap_move(temp, temp, 0x0000F0F0U, 12);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 6] = temp;
-
- /* Keys 7 and 17 */
- temp = ks->k[index + 7];
- gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3);
- gift128b_swap_move(temp, temp, 0x00CC00CCU, 6);
- gift128b_swap_move(temp, temp, 0x0000F0F0U, 12);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 7] = temp;
-
- /* Keys 8, 9, 18, and 19 do not need any adjustment */
- }
-
-#if GIFT128_VARIANT == GIFT128_VARIANT_FULL
- /* Derive the fixsliced keys for the remaining rounds 11..40 */
- for (index = 20; index < 80; index += 10) {
- gift128b_derive_keys(ks->k + index, ks->k + index - 20);
- }
-#endif
-}
-
-void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key)
-{
- gift128b_compute_round_keys
- (ks, be_load_word32(key), be_load_word32(key + 4),
- be_load_word32(key + 8),
be_load_word32(key + 12)); -} - -void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) -{ - /* Use the little-endian key byte order from the HYENA submission */ - gift128b_compute_round_keys - (ks, le_load_word32(key + 12), le_load_word32(key + 8), - le_load_word32(key + 4), le_load_word32(key)); -} - -/** - * \brief Performs the GIFT-128 S-box on the bit-sliced state. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_sbox(s0, s1, s2, s3) \ - do { \ - s1 ^= s0 & s2; \ - s0 ^= s1 & s3; \ - s2 ^= s0 | s1; \ - s3 ^= s2; \ - s1 ^= s3; \ - s3 ^= 0xFFFFFFFFU; \ - s2 ^= s0 & s1; \ - } while (0) - -/** - * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_sbox(s0, s1, s2, s3) \ - do { \ - s2 ^= s3 & s1; \ - s0 ^= 0xFFFFFFFFU; \ - s1 ^= s0; \ - s0 ^= s2; \ - s2 ^= s3 | s1; \ - s3 ^= s1 & s0; \ - s1 ^= s3 & s2; \ - } while (0) - -/** - * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_1(s0, s1, s2, s3) \ - do { \ - s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ - s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \ - s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds. - * - * \param s0 First word of the bit-sliced state. 
- * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_2(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \ - s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ - s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_3(s0, s1, s2, s3) \ - do { \ - gift128b_swap_move(s1, s1, 0x55555555U, 1); \ - s2 = leftRotate16(s2); \ - gift128b_swap_move(s2, s2, 0x00005555U, 1); \ - s3 = leftRotate16(s3); \ - gift128b_swap_move(s3, s3, 0x55550000U, 1); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_4(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \ - s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ - s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. 
- */ -#define gift128b_permute_state_5(s0, s1, s2, s3) \ - do { \ - s1 = leftRotate16(s1); \ - s2 = rightRotate8(s2); \ - s3 = leftRotate8(s3); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \ - do { \ - s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ - s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \ - s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \ - s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ - s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \ - do { \ - gift128b_swap_move(s1, s1, 0x55555555U, 1); \ - gift128b_swap_move(s2, s2, 0x00005555U, 1); \ - s2 = leftRotate16(s2); \ - gift128b_swap_move(s3, s3, 0x55550000U, 1); \ - s3 = leftRotate16(s3); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds. - * - * \param s0 First word of the bit-sliced state. 
- * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \ - s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ - s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \ - do { \ - s1 = leftRotate16(s1); \ - s2 = leftRotate8(s2); \ - s3 = rightRotate8(s3); \ - } while (0); - -/** - * \brief Performs five fixsliced encryption rounds for GIFT-128. - * - * \param rk Points to the 10 round keys for these rounds. - * \param rc Points to the round constants for these rounds. - * - * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. - * - * The permutation is restructured so that one of the words each round - * does not need to be permuted, with the others rotating left, up, right, - * and down to keep the bits in line with their non-moving counterparts. - * This reduces the number of shifts required significantly. - * - * At the end of five rounds, the bit ordering will return to the - * original position. We then repeat the process for the next 5 rounds. 
- */ -#define gift128b_encrypt_5_rounds(rk, rc) \ - do { \ - /* 1st round - S-box, rotate left, add round key */ \ - gift128b_sbox(s0, s1, s2, s3); \ - gift128b_permute_state_1(s0, s1, s2, s3); \ - s1 ^= (rk)[0]; \ - s2 ^= (rk)[1]; \ - s0 ^= (rc)[0]; \ - \ - /* 2nd round - S-box, rotate up, add round key */ \ - gift128b_sbox(s3, s1, s2, s0); \ - gift128b_permute_state_2(s0, s1, s2, s3); \ - s1 ^= (rk)[2]; \ - s2 ^= (rk)[3]; \ - s3 ^= (rc)[1]; \ - \ - /* 3rd round - S-box, swap columns, add round key */ \ - gift128b_sbox(s0, s1, s2, s3); \ - gift128b_permute_state_3(s0, s1, s2, s3); \ - s1 ^= (rk)[4]; \ - s2 ^= (rk)[5]; \ - s0 ^= (rc)[2]; \ - \ - /* 4th round - S-box, rotate left and swap rows, add round key */ \ - gift128b_sbox(s3, s1, s2, s0); \ - gift128b_permute_state_4(s0, s1, s2, s3); \ - s1 ^= (rk)[6]; \ - s2 ^= (rk)[7]; \ - s3 ^= (rc)[3]; \ - \ - /* 5th round - S-box, rotate up, add round key */ \ - gift128b_sbox(s0, s1, s2, s3); \ - gift128b_permute_state_5(s0, s1, s2, s3); \ - s1 ^= (rk)[8]; \ - s2 ^= (rk)[9]; \ - s0 ^= (rc)[4]; \ - \ - /* Swap s0 and s3 in preparation for the next 1st round */ \ - s0 ^= s3; \ - s3 ^= s0; \ - s0 ^= s3; \ - } while (0) - -/** - * \brief Performs five fixsliced decryption rounds for GIFT-128. - * - * \param rk Points to the 10 round keys for these rounds. - * \param rc Points to the round constants for these rounds. - * - * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. 
- */ -#define gift128b_decrypt_5_rounds(rk, rc) \ - do { \ - /* Swap s0 and s3 in preparation for the next 5th round */ \ - s0 ^= s3; \ - s3 ^= s0; \ - s0 ^= s3; \ - \ - /* 5th round - S-box, rotate down, add round key */ \ - s1 ^= (rk)[8]; \ - s2 ^= (rk)[9]; \ - s0 ^= (rc)[4]; \ - gift128b_inv_permute_state_5(s0, s1, s2, s3); \ - gift128b_inv_sbox(s3, s1, s2, s0); \ - \ - /* 4th round - S-box, rotate right and swap rows, add round key */ \ - s1 ^= (rk)[6]; \ - s2 ^= (rk)[7]; \ - s3 ^= (rc)[3]; \ - gift128b_inv_permute_state_4(s0, s1, s2, s3); \ - gift128b_inv_sbox(s0, s1, s2, s3); \ - \ - /* 3rd round - S-box, swap columns, add round key */ \ - s1 ^= (rk)[4]; \ - s2 ^= (rk)[5]; \ - s0 ^= (rc)[2]; \ - gift128b_inv_permute_state_3(s0, s1, s2, s3); \ - gift128b_inv_sbox(s3, s1, s2, s0); \ - \ - /* 2nd round - S-box, rotate down, add round key */ \ - s1 ^= (rk)[2]; \ - s2 ^= (rk)[3]; \ - s3 ^= (rc)[1]; \ - gift128b_inv_permute_state_2(s0, s1, s2, s3); \ - gift128b_inv_sbox(s0, s1, s2, s3); \ - \ - /* 1st round - S-box, rotate right, add round key */ \ - s1 ^= (rk)[0]; \ - s2 ^= (rk)[1]; \ - s0 ^= (rc)[0]; \ - gift128b_inv_permute_state_1(s0, s1, s2, s3); \ - gift128b_inv_sbox(s3, s1, s2, s0); \ - } while (0) - -#else /* GIFT128_VARIANT_TINY */ - -void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) -{ - /* Mirror the fixslicing word order of 3, 1, 2, 0 */ - ks->k[0] = be_load_word32(key + 12); - ks->k[1] = be_load_word32(key + 4); - ks->k[2] = be_load_word32(key + 8); - ks->k[3] = be_load_word32(key); -} - -void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) -{ - /* Use the little-endian key byte order from the HYENA submission - * and mirror the fixslicing word order of 3, 1, 2, 0 */ - ks->k[0] = le_load_word32(key); - ks->k[1] = le_load_word32(key + 8); - ks->k[2] = le_load_word32(key + 4); - ks->k[3] = le_load_word32(key + 12); -} - -#endif /* GIFT128_VARIANT_TINY */ - -#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL - -void 
gift128b_encrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t k[20]; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_derive_keys(k, ks->k); - gift128b_derive_keys(k + 10, ks->k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]) -{ - uint32_t s0, s1, s2, s3; - uint32_t k[20]; - - /* Copy the plaintext into local variables */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_derive_keys(k, ks->k); - gift128b_derive_keys(k + 10, ks->k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); - 
gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer */ - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -} - -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - uint32_t k[20]; - - /* Copy the plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method. 
- * Every 5 rounds except the last we add the tweak value to the state */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - s0 ^= tweak; - gift128b_derive_keys(k, ks->k); - gift128b_derive_keys(k + 10, ks->k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); - s0 ^= tweak; - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); - s0 ^= tweak; - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); - s0 ^= tweak; - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); - s0 ^= tweak; - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); - s0 ^= tweak; - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL - -void gift128b_encrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - gift128b_encrypt_5_rounds(ks->k + 50, 
GIFT128_RC_fixsliced + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into local variables */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer */ - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -} - -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method. 
- * Every 5 rounds except the last we add the tweak value to the state */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#else /* GIFT128_VARIANT_TINY */ - -void gift128b_encrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[3]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[0]; - - /* Perform all 40 rounds */ - for (round = 0; round < 40; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 128-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; 
- s3 ^= 0x80000000U ^ GIFT128_RC[round]; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[3]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[0]; - - /* Perform all 40 rounds */ - for (round = 0; round < 40; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 128-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round]; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer */ - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -} - -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the 
plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[3]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[0]; - - /* Perform all 40 rounds */ - for (round = 0; round < 40; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 128-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round]; - - /* AddTweak - XOR in the tweak every 5 rounds except the last */ - if (((round + 1) % 5) == 0 && round < 39) - s0 ^= tweak; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#endif /* GIFT128_VARIANT_TINY */ - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - -void gift128b_decrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_decrypt_5_rounds(ks->k + 
70, GIFT128_RC_fixsliced + 35); - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128t_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the ciphertext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method. 
- * Every 5 rounds except the first we add the tweak value to the state */
- gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
-
- /* Pack the state into the plaintext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */
-
-/* The small variant uses fixslicing for encryption, but we need to change
- * to bitslicing for decryption because of the difficulty of fast-forwarding
- * the fixsliced key schedule to the end. So the tiny variant is used for
- * decryption when the small variant is selected. Since the NIST AEAD modes
- * for GIFT-128 only use the block encrypt operation, the inefficiencies
- * in decryption don't matter all that much */
-
-/**
- * \def gift128b_load_and_forward_schedule()
- * \brief Generate the decryption key at the end of the last round.
- *
- * To do that, we run the block operation forward to determine the
- * final state of the key schedule after the last round:
- *
- * w0 = ks->k[0];
- * w1 = ks->k[1];
- * w2 = ks->k[2];
- * w3 = ks->k[3];
- * for (round = 0; round < 40; ++round) {
- * temp = w3;
- * w3 = w2;
- * w2 = w1;
- * w1 = w0;
- * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- * }
- *
- * We can short-cut all of the above by noticing that we don't need
- * to do the word rotations. Every 4 rounds, the rotation alignment
- * returns to the original position and each word has been rotated
- * by applying the "2 right and 4 left" bit-rotation step to it.
- * We then repeat that 10 times for the full 40 rounds. The overall
- * effect is to apply a "20 right and 40 left" bit-rotation to every
- * word in the key schedule. That is equivalent to "4 right and 8 left"
- * on the 16-bit sub-words.
- */
-#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL
-#define gift128b_load_and_forward_schedule() \
- do { \
- w0 = ks->k[3]; \
- w1 = ks->k[1]; \
- w2 = ks->k[2]; \
- w3 = ks->k[0]; \
- w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \
- ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \
- w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \
- ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \
- w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \
- ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \
- w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \
- ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \
- } while (0)
-#else
-/* The small variant needs to also undo some of the rotations that were
- * done to generate the fixsliced version of the key schedule */
-#define gift128b_load_and_forward_schedule() \
- do { \
- w0 = ks->k[3]; \
- w1 = ks->k[1]; \
- w2 = ks->k[2]; \
- w3 = ks->k[0]; \
- gift128b_swap_move(w3, w3, 0x000000FFU, 24); \
- gift128b_swap_move(w3, w3, 0x00003333U, 18); \
- gift128b_swap_move(w3, w3, 0x000F000FU, 12); \
- gift128b_swap_move(w3, w3, 0x00550055U, 9); \
- gift128b_swap_move(w1, w1, 0x000000FFU, 24); \
- gift128b_swap_move(w1, w1, 0x00003333U, 18); \
- gift128b_swap_move(w1, w1, 0x000F000FU, 12); \
- gift128b_swap_move(w1, w1, 0x00550055U, 9); \
- gift128b_swap_move(w2, w2, 0x000000FFU, 24); \
- gift128b_swap_move(w2, w2, 0x000F000FU, 12); \
- gift128b_swap_move(w2, w2, 0x03030303U, 6); \
- gift128b_swap_move(w2, w2, 0x11111111U, 3); \
- gift128b_swap_move(w0, w0, 0x000000FFU, 24); \
- gift128b_swap_move(w0, w0, 0x000F000FU, 12); \
- gift128b_swap_move(w0, w0, 0x03030303U, 6); \
- gift128b_swap_move(w0, w0, 0x11111111U, 3); \
- w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \
- ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \
- w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \
- ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \
- w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \
- ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \
- w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \
- ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \
- } while (0)
-#endif
-
-void gift128b_decrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the ciphertext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Generate the decryption key at the end of the last round */
- gift128b_load_and_forward_schedule();
-
- /* Perform all 40 rounds */
- for (round = 40; round > 0; --round) {
- /* Rotate the key schedule backwards */
- temp = w0;
- w0 = w1;
- w1 = w2;
- w2 = w3;
- w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) |
- ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round - 1];
-
- /* InvPermBits - apply the inverse of the 128-bit permutation */
- INV_PERM0(s0);
- INV_PERM1(s1);
- INV_PERM2(s2);
- INV_PERM3(s3);
-
- /* InvSubCells - apply the inverse of the S-box */
- temp = s0;
- s0 = s3;
- s3 = temp;
- s2 ^= s0 & s1;
- s3 ^= 0xFFFFFFFFU;
- s1 ^= s3;
- s3 ^= s2;
- s2 ^= s0 | s1;
- s0 ^= s1 & s3;
- s1 ^= s0 & s2;
- }
-
- /* Pack the state into the plaintext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128t_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the plaintext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* Generate the decryption key at the end of the last round */
- gift128b_load_and_forward_schedule();
-
- /* Perform all 40 rounds */
- for (round = 40; round > 0; --round) {
- /* Rotate the key schedule backwards */
- temp = w0;
- w0 = w1;
- w1 = w2;
- w2 = w3;
- w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) |
- ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12);
-
- /* AddTweak - XOR in the tweak every 5 rounds except the last */
- if ((round % 5) == 0 && round < 40)
- s0 ^= tweak;
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round - 1];
-
- /* InvPermBits - apply the inverse of the 128-bit permutation */
- INV_PERM0(s0);
- INV_PERM1(s1);
- INV_PERM2(s2);
- INV_PERM3(s3);
-
- /* InvSubCells - apply the inverse of the S-box */
- temp = s0;
- s0 = s3;
- s3 = temp;
- s2 ^= s0 & s1;
- s3 ^= 0xFFFFFFFFU;
- s1 ^= s3;
- s3 ^= s2;
- s2 ^= s0 | s1;
- s0 ^= s1 & s3;
- s1 ^= s0 & s2;
- }
-
- /* Pack the state into the plaintext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */
-
-#endif /* !GIFT128_VARIANT_ASM */
diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128.h
deleted file mode 100644
index f57d143..0000000
--- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128.h
+++ /dev/null
@@ -1,246 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_GIFT128_H
-#define LW_INTERNAL_GIFT128_H
-
-/**
- * \file internal-gift128.h
- * \brief GIFT-128 block cipher.
- *
- * There are three versions of GIFT-128 in use within the second round
- * submissions to the NIST lightweight cryptography competition.
- *
- * The most efficient version for 32-bit software implementation is the
- * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT.
- *
- * The second is the nibble-based version from HYENA. We implement the
- * HYENA version as a wrapper around the bit-sliced version.
- *
- * The third version is a variant on the HYENA nibble-based version that
- * includes a 4-bit tweak value for domain separation. It is used by
- * the ESTATE submission to NIST.
- *
- * Technically there is a fourth version of GIFT-128 which is the one that
- * appeared in the original GIFT-128 paper. It is almost the same as the
- * HYENA version except that the byte ordering is big-endian instead of
- * HYENA's little-endian. The original version of GIFT-128 doesn't appear
- * in any of the NIST submissions so we don't bother with it in this library.
- *
- * References: https://eprint.iacr.org/2017/622.pdf,
- * https://eprint.iacr.org/2020/412.pdf,
- * https://giftcipher.github.io/gift/
- */
-
-#include
-#include
-#include "internal-gift128-config.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of a GIFT-128 block in bytes.
- */
-#define GIFT128_BLOCK_SIZE 16
-
-/**
- * \var GIFT128_ROUND_KEYS
- * \brief Number of round keys for the GIFT-128 key schedule.
- */
-#if GIFT128_VARIANT == GIFT128_VARIANT_TINY
-#define GIFT128_ROUND_KEYS 4
-#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL
-#define GIFT128_ROUND_KEYS 20
-#else
-#define GIFT128_ROUND_KEYS 80
-#endif
-
-/**
- * \brief Structure of the key schedule for GIFT-128 (bit-sliced).
- */
-typedef struct
-{
- /** Pre-computed round keys for bit-sliced GIFT-128 */
- uint32_t k[GIFT128_ROUND_KEYS];
-
-} gift128b_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for GIFT-128 (bit-sliced).
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the 16 bytes of the key data.
- */
-void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version assumes that the input has already been pre-loaded from
- * big-endian into host byte order in the supplied word array. The output
- * is delivered in the same way.
- */
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4]);
-
-/**
- * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- */
-void gift128b_decrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Structure of the key schedule for GIFT-128 (nibble-based).
- */
-typedef gift128b_key_schedule_t gift128n_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for GIFT-128 (nibble-based).
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the 16 bytes of the key data.
- */
-void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void gift128n_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- */
-void gift128n_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */
-#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */
-#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */
-#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */
-#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */
-#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */
-#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */
-#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */
-#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */
-#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */
-#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */
-#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */
-#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */
-#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */
-#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */
-#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */
-#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */
-
-/**
- * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value expanded to 32-bit.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This variant of GIFT-128 is used by the ESTATE submission to the
- * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to
- * some of the rounds to provide domain separation. If the tweak is
- * zero, then this function is identical to gift128n_encrypt().
- */
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak);
-
-/**
- * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value expanded to 32-bit.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This variant of GIFT-128 is used by the ESTATE submission to the
- * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to
- * some of the rounds to provide domain separation. If the tweak is
- * zero, then this function is identical to gift128n_encrypt().
- */
-void gift128t_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128b-avr.S b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128b-avr.S
deleted file mode 100644
index 641613a..0000000
--- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128b-avr.S
+++ /dev/null
@@ -1,2104 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 40 -table_0: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - .byte 26 - - .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+4,r18 - std Z+5,r19 - std Z+6,r20 - std Z+7,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+8,r18 - std Z+9,r19 - std Z+10,r20 - std Z+11,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+12,r18 - std Z+13,r19 - std Z+14,r20 - std Z+15,r21 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd 
r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - mov r16,r1 -46: - rcall 199f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - rcall 199f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - rcall 199f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - rcall 199f - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - 
rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - ldi r17,40 - cpse r16,r17 - rjmp 46b - rjmp 548f -199: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - movw r18,r22 - movw r20,r2 - mov r0,r4 - and r0,r18 - eor r8,r0 - mov r0,r5 - and r0,r19 - eor r9,r0 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - movw r22,r12 - movw r2,r14 - movw r12,r18 - movw r14,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r2,0 - bld r22,4 - bst r22,2 - bld r2,0 - bst r23,0 - bld r22,2 - bst r22,3 - bld r23,0 - bst r23,4 - bld r22,3 - bst r2,3 - bld r23,4 - bst r23,6 - bld r2,3 - bst r3,3 - bld r23,6 - bst r23,5 - bld r3,3 - bst r2,7 - bld r23,5 - bst r3,6 - bld r2,7 - bst r3,1 - bld r3,6 - bst r22,5 - bld r3,1 - bst r2,4 - bld r22,5 - bst r2,2 - bld r2,4 - bst r23,2 - bld r2,2 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r3,7 - bld r23,7 - bst r3,5 - bld r3,7 - bst r2,5 - bld r3,5 - bst r2,6 - bld r2,5 - bst r3,2 - bld r2,6 - bst r23,1 - bld r3,2 - bst r22,7 - bld r23,1 - bst r3,4 - bld r22,7 - bst r2,1 - bld r3,4 - bst r22,6 - bld r2,1 - bst r3,0 - bld r22,6 - bst r0,0 - bld r3,0 - bst r4,0 - bld r0,0 - bst r4,1 - bld r4,0 - bst r4,5 - bld r4,1 - bst r6,5 - bld r4,5 - bst r6,7 - bld r6,5 - bst r7,7 - bld 
r6,7 - bst r7,6 - bld r7,7 - bst r7,2 - bld r7,6 - bst r5,2 - bld r7,2 - bst r5,0 - bld r5,2 - bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,1 - bld r4,2 - bst r4,4 - bld r5,1 - bst r6,1 - bld r4,4 - bst r4,7 - bld r6,1 - bst r7,5 - bld r4,7 - bst r6,6 - bld r7,5 - bst r7,3 - bld r6,6 - bst r5,6 - bld r7,3 - bst r7,0 - bld r5,6 - bst r0,0 - bld r7,0 - bst r4,3 - bld r0,0 - bst r5,5 - bld r4,3 - bst r6,4 - bld r5,5 - bst r6,3 - bld r6,4 - bst r5,7 - bld r6,3 - bst r7,4 - bld r5,7 - bst r6,2 - bld r7,4 - bst r5,3 - bld r6,2 - bst r5,4 - bld r5,3 - bst r6,0 - bld r5,4 - bst r0,0 - bld r6,0 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r8,2 - bld r8,0 - bst r9,2 - bld r8,2 - bst r9,1 - bld r9,2 - bst r8,5 - bld r9,1 - bst r10,6 - bld r8,5 - bst r11,0 - bld r10,6 - bst r8,3 - bld r11,0 - bst r9,6 - bld r8,3 - bst r11,1 - bld r9,6 - bst r8,7 - bld r11,1 - bst r11,6 - bld r8,7 - bst r11,3 - bld r11,6 - bst r9,7 - bld r11,3 - bst r11,5 - bld r9,7 - bst r10,7 - bld r11,5 - bst r11,4 - bld r10,7 - bst r10,3 - bld r11,4 - bst r9,4 - bld r10,3 - bst r10,1 - bld r9,4 - bst r8,4 - bld r10,1 - bst r10,2 - bld r8,4 - bst r9,0 - bld r10,2 - bst r8,1 - bld r9,0 - bst r8,6 - bld r8,1 - bst r11,2 - bld r8,6 - bst r9,3 - bld r11,2 - bst r9,5 - bld r9,3 - bst r10,5 - bld r9,5 - bst r10,4 - bld r10,5 - bst r10,0 - bld r10,4 - bst r0,0 - bld r10,0 - bst r12,0 - bld r0,0 - bst r12,3 - bld r12,0 - bst r13,7 - bld r12,3 - bst r15,6 - bld r13,7 - bst r15,0 - bld r15,6 - bst r0,0 - bld r15,0 - bst r12,1 - bld r0,0 - bst r12,7 - bld r12,1 - bst r15,7 - bld r12,7 - bst r15,4 - bld r15,7 - bst r14,0 - bld r15,4 - bst r0,0 - bld r14,0 - bst r12,2 - bld r0,0 - bst r13,3 - bld r12,2 - bst r13,6 - bld r13,3 - bst r15,2 - bld r13,6 - bst r13,0 - bld r15,2 - bst r0,0 - bld r13,0 - bst r12,4 - bld r0,0 - bst r14,3 - bld r12,4 - bst r13,5 - bld r14,3 - bst r14,6 - bld r13,5 - bst r15,1 - bld r14,6 - bst r0,0 - bld r15,1 - bst r12,5 - bld r0,0 - bst 
r14,7 - bld r12,5 - bst r15,5 - bld r14,7 - bst r14,4 - bld r15,5 - bst r14,1 - bld r14,4 - bst r0,0 - bld r14,1 - bst r12,6 - bld r0,0 - bst r15,3 - bld r12,6 - bst r13,4 - bld r15,3 - bst r14,2 - bld r13,4 - bst r13,1 - bld r14,2 - bst r0,0 - bld r13,1 - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r16 - ret -548: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 
- std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - mov r16,r1 -46: - rcall 199f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - rcall 199f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - rcall 199f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - rcall 199f - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror 
r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - ldi r17,40 - cpse r16,r17 - rjmp 46b - rjmp 548f -199: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - movw r18,r22 - movw r20,r2 - mov r0,r4 - and r0,r18 - eor r8,r0 - mov r0,r5 - and r0,r19 - eor r9,r0 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - movw r22,r12 - movw r2,r14 - movw r12,r18 - movw r14,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r2,0 - bld r22,4 - bst r22,2 - bld r2,0 - bst r23,0 - bld r22,2 - bst r22,3 - bld r23,0 - bst r23,4 - bld r22,3 - bst r2,3 - bld r23,4 - bst r23,6 - bld r2,3 - bst r3,3 - bld r23,6 - bst r23,5 - bld r3,3 - bst r2,7 - bld r23,5 - bst r3,6 - bld r2,7 - bst r3,1 - bld r3,6 - bst r22,5 - bld r3,1 - bst r2,4 - bld r22,5 - bst r2,2 - bld r2,4 - bst r23,2 - bld r2,2 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r3,7 - bld r23,7 - bst r3,5 - bld r3,7 - bst r2,5 - bld r3,5 - bst r2,6 - bld r2,5 - bst r3,2 - bld r2,6 - bst r23,1 - bld r3,2 - bst r22,7 - bld r23,1 - bst r3,4 - bld r22,7 - bst r2,1 - bld r3,4 - bst r22,6 - bld r2,1 - bst r3,0 - bld r22,6 - bst r0,0 - bld r3,0 - bst r4,0 - bld r0,0 - bst r4,1 - bld r4,0 - bst r4,5 - bld r4,1 - bst r6,5 - bld r4,5 - bst r6,7 - bld r6,5 - bst r7,7 - bld r6,7 - bst r7,6 - bld r7,7 - bst r7,2 - bld r7,6 - bst r5,2 - bld r7,2 - bst r5,0 - bld r5,2 - 
bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,1 - bld r4,2 - bst r4,4 - bld r5,1 - bst r6,1 - bld r4,4 - bst r4,7 - bld r6,1 - bst r7,5 - bld r4,7 - bst r6,6 - bld r7,5 - bst r7,3 - bld r6,6 - bst r5,6 - bld r7,3 - bst r7,0 - bld r5,6 - bst r0,0 - bld r7,0 - bst r4,3 - bld r0,0 - bst r5,5 - bld r4,3 - bst r6,4 - bld r5,5 - bst r6,3 - bld r6,4 - bst r5,7 - bld r6,3 - bst r7,4 - bld r5,7 - bst r6,2 - bld r7,4 - bst r5,3 - bld r6,2 - bst r5,4 - bld r5,3 - bst r6,0 - bld r5,4 - bst r0,0 - bld r6,0 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r8,2 - bld r8,0 - bst r9,2 - bld r8,2 - bst r9,1 - bld r9,2 - bst r8,5 - bld r9,1 - bst r10,6 - bld r8,5 - bst r11,0 - bld r10,6 - bst r8,3 - bld r11,0 - bst r9,6 - bld r8,3 - bst r11,1 - bld r9,6 - bst r8,7 - bld r11,1 - bst r11,6 - bld r8,7 - bst r11,3 - bld r11,6 - bst r9,7 - bld r11,3 - bst r11,5 - bld r9,7 - bst r10,7 - bld r11,5 - bst r11,4 - bld r10,7 - bst r10,3 - bld r11,4 - bst r9,4 - bld r10,3 - bst r10,1 - bld r9,4 - bst r8,4 - bld r10,1 - bst r10,2 - bld r8,4 - bst r9,0 - bld r10,2 - bst r8,1 - bld r9,0 - bst r8,6 - bld r8,1 - bst r11,2 - bld r8,6 - bst r9,3 - bld r11,2 - bst r9,5 - bld r9,3 - bst r10,5 - bld r9,5 - bst r10,4 - bld r10,5 - bst r10,0 - bld r10,4 - bst r0,0 - bld r10,0 - bst r12,0 - bld r0,0 - bst r12,3 - bld r12,0 - bst r13,7 - bld r12,3 - bst r15,6 - bld r13,7 - bst r15,0 - bld r15,6 - bst r0,0 - bld r15,0 - bst r12,1 - bld r0,0 - bst r12,7 - bld r12,1 - bst r15,7 - bld r12,7 - bst r15,4 - bld r15,7 - bst r14,0 - bld r15,4 - bst r0,0 - bld r14,0 - bst r12,2 - bld r0,0 - bst r13,3 - bld r12,2 - bst r13,6 - bld r13,3 - bst r15,2 - bld r13,6 - bst r13,0 - bld r15,2 - bst r0,0 - bld r13,0 - bst r12,4 - bld r0,0 - bst r14,3 - bld r12,4 - bst r13,5 - bld r14,3 - bst r14,6 - bld r13,5 - bst r15,1 - bld r14,6 - bst r0,0 - bld r15,1 - bst r12,5 - bld r0,0 - bst r14,7 - bld r12,5 - bst r15,5 - bld r14,7 - bst r14,4 - bld r15,5 - bst r14,1 - bld r14,4 - bst 
r0,0 - bld r14,1 - bst r12,6 - bld r0,0 - bst r15,3 - bld r12,6 - bst r13,4 - bld r15,3 - bst r14,2 - bld r13,4 - bst r13,1 - bld r14,2 - bst r0,0 - bld r13,1 - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r16 - ret -548: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd 
r24,Z+6 - ldd r25,Z+7 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -114: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 
- std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - cpse r16,r1 - rjmp 114b - rjmp 611f -266: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld 
r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 - bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - 
bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -611: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-util.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.c b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.c
index ed70e07..6f65524 100644
--- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.c
+++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/gift-cofb.c
@@ -206,8 +206,7 @@ int gift_cofb_aead_encrypt
 *clen = mlen + GIFT_COFB_TAG_SIZE;
 /* Set up the key schedule and use it to encrypt the nonce */
- if (!gift128b_init(&ks, k, GIFT_COFB_KEY_SIZE))
- return -1;
+ gift128b_init(&ks, k);
 Y.x[0] = be_load_word32(npub);
 Y.x[1] = be_load_word32(npub + 4);
 Y.x[2] = be_load_word32(npub + 8);
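Review bot: The removed `if (!gift128b_init(&ks, k, GIFT_COFB_KEY_SIZE)) return -1;` was the one visible check that `k` is non-NULL and that exactly GIFT_COFB_KEY_SIZE bytes are consumed; the new `gift128b_init(&ks, k);` dereferences `k` unconditionally, so that precondition should be stated where the schedule is built, e.g. `/* k must point to GIFT_COFB_KEY_SIZE (16) bytes; gift128b_init() no longer validates this */`. `ks` is presumably a stack local that holds the expanded key after return; the commit adds no wipe, which may be deliberate for this target but deserves a one-line comment. The rest of gift_cofb_aead_encrypt lies outside the hunk.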
@@ -320,8 +319,7 @@ int gift_cofb_aead_decrypt
 *mlen = clen - GIFT_COFB_TAG_SIZE;
 /* Set up the key schedule and use it to encrypt the nonce */
- if (!gift128b_init(&ks, k, GIFT_COFB_KEY_SIZE))
- return -1;
+ gift128b_init(&ks, k);
 Y.x[0] = be_load_word32(npub);
 Y.x[1] = be_load_word32(npub + 4);
 Y.x[2] = be_load_word32(npub + 8);
diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-cham.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128-config.h
similarity index 51%
rename from comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-cham.h
rename to gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128-config.h
index 29d5ccf..62131ba 100644
--- a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-cham.h
+++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128-config.h
@@ -20,48 +20,61 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LW_INTERNAL_CHAM_H -#define LW_INTERNAL_CHAM_H +#ifndef LW_INTERNAL_GIFT128_CONFIG_H +#define LW_INTERNAL_GIFT128_CONFIG_H /** - * \file internal-cham.h - * \brief CHAM block cipher. + * \file internal-gift128-config.h + * \brief Configures the variant of GIFT-128 to use. */ -#ifdef __cplusplus -extern "C" { -#endif +/** + * \brief Select the full variant of GIFT-128. + * + * The full variant requires 320 bytes for the key schedule and uses the + * fixslicing method to implement encryption and decryption. + */ +#define GIFT128_VARIANT_FULL 0 /** - * \brief Encrypts a 128-bit block with CHAM-128-128. + * \brief Select the small variant of GIFT-128. * - * \param key Points to the 16 bytes of the key. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. + * The small variant requires 80 bytes for the key schedule. The rest + * of the key schedule is expanded on the fly during encryption. * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. + * The fixslicing method is used to implement encryption and the slower + * bitslicing method is used to implement decryption. The small variant + * is suitable when memory is at a premium, decryption is not needed, + * but encryption performance is still important. */ -void cham128_128_encrypt - (const unsigned char *key, unsigned char *output, - const unsigned char *input); +#define GIFT128_VARIANT_SMALL 1 /** - * \brief Encrypts a 64-bit block with CHAM-64-128. - * - * \param key Points to the 16 bytes of the key. - * \param output Output buffer which must be at least 8 bytes in length. - * \param input Input buffer which must be at least 8 bytes in length. + * \brief Select the tiny variant of GIFT-128. * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. 
+ * The tiny variant requires 16 bytes for the key schedule and uses the + * bitslicing method to implement encryption and decryption. It is suitable + * for use when memory is very tight and performance is not critical. */ -void cham64_128_encrypt - (const unsigned char *key, unsigned char *output, - const unsigned char *input); +#define GIFT128_VARIANT_TINY 2 -#ifdef __cplusplus -} +/** + * \def GIFT128_VARIANT + * \brief Selects the default variant of GIFT-128 to use on this platform. + */ +/** + * \def GIFT128_VARIANT_ASM + * \brief Defined to 1 if the GIFT-128 implementation has been replaced + * with an assembly code version. + */ +#if defined(__AVR__) && !defined(GIFT128_VARIANT_ASM) +#define GIFT128_VARIANT_ASM 1 +#endif +#if !defined(GIFT128_VARIANT) +#define GIFT128_VARIANT GIFT128_VARIANT_FULL +#endif +#if !defined(GIFT128_VARIANT_ASM) +#define GIFT128_VARIANT_ASM 0 #endif #endif diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.c b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.c index 681dbc8..c6ac5ec 100644 --- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.c +++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.c @@ -23,8 +23,12 @@ #include "internal-gift128.h" #include "internal-util.h" +#if !GIFT128_VARIANT_ASM + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /* Round constants for GIFT-128 in the fixsliced representation */ -static uint32_t const GIFT128_RC[40] = { +static uint32_t const GIFT128_RC_fixsliced[40] = { 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, 
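Review bot: `GIFT128_VARIANT` may be overridden by the build, but the header never validates it, and as far as the internal-gift128.c hunks in this diff show the dispatch is a chain of `!= GIFT128_VARIANT_TINY` / `== GIFT128_VARIANT_SMALL` / `#elif == GIFT128_VARIANT_FULL` tests ending in a bare `#else`, so a stray value such as 3 would pair the fixsliced key-schedule init with the bitsliced encryption loop and compile into a cipher that produces wrong output instead of failing the build. After the defaulting block add `#if GIFT128_VARIANT < GIFT128_VARIANT_FULL || GIFT128_VARIANT > GIFT128_VARIANT_TINY` / `#error "GIFT128_VARIANT must be GIFT128_VARIANT_FULL, _SMALL or _TINY"` / `#endif`. The SMALL description also reads inconsistently: it says decryption uses the slower bitsliced method and then that the variant suits cases where "decryption is not needed"; "decryption is rare or not performance-critical" matches the code better.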
@@ -34,6 +38,246 @@ static uint32_t const GIFT128_RC[40] = { 0xc001a000, 0x14500002, 0x01020181, 0x8000001a }; +#endif + +#if GIFT128_VARIANT != GIFT128_VARIANT_FULL + +/* Round constants for GIFT-128 in the bitsliced representation */ +static uint8_t const GIFT128_RC[40] = { + 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, + 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, + 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, + 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38, + 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A +}; + +#endif + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/* + * The permutation below was generated by the online permuation generator at + * "http://programming.sirrida.de/calcperm.php". + * + * All of the permutuations are essentially the same, except that each is + * rotated by 8 bits with respect to the next: + * + * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15 + * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23 + * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31 + * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7 + * + * The most efficient permutation from the online generator was P3, so we + * perform it as the core of the others, and then perform a final rotation. + * + * It is possible to do slightly better than "P3 then rotate" on desktop and + * server architectures for the other permutations. But the advantage isn't + * as evident on embedded platforms so we keep things simple. 
+ */ +#define PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define PERM0(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate8(_x); \ + } while (0) +#define PERM1(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate16(_x); \ + } while (0) +#define PERM2(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate24(_x); \ + } while (0) +#define PERM3(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +#define INV_PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x00550055, 9); \ + bit_permute_step(x, 0x00003333, 18); \ + bit_permute_step(x, 0x000f000f, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define INV_PERM0(x) \ + do { \ + uint32_t _x = rightRotate8(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM1(x) \ + do { \ + uint32_t _x = rightRotate16(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM2(x) \ + do { \ + uint32_t _x = rightRotate24(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM3(x) \ + do { \ + uint32_t _x = (x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. 
+ */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /** * \brief Swaps bits within two words. * 
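Review bot: `gift128n_to_nibbles()` is called in place from gift128n_encrypt and gift128n_decrypt (`gift128n_to_nibbles(output, output)`), but unlike gift128n_to_words() its header comment does not say aliasing is allowed; the code is safe because all sixteen input bytes are read into s0..s3 before the first le_store_word32(), so add ` * The \a input and \a output buffers can be the same buffer.` to that comment so the next editor does not break the invariant. The function-local `PERM_WORDS` and `INV_PERM_WORDS` macros are never undefined and so stay visible for the rest of the translation unit; an `#undef PERM_WORDS` / `#undef INV_PERM_WORDS` after their last use keeps them as local as their placement suggests.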
@@ -202,21 +446,27 @@ static void gift128b_compute_round_keys
 /* Keys 8, 9, 18, and 19 do not need any adjustment */
 }
+#if GIFT128_VARIANT == GIFT128_VARIANT_FULL
 /* Derive the fixsliced keys for the remaining rounds 11..40 */
 for (index = 20; index < 80; index += 10) {
 gift128b_derive_keys(ks->k + index, ks->k + index - 20);
 }
+#endif
 }
-int gift128b_init
- (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len)
+void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key)
 {
- if (!ks || !key || key_len != 16)
- return 0;
 gift128b_compute_round_keys
 (ks, be_load_word32(key), be_load_word32(key + 4),
 be_load_word32(key + 8), be_load_word32(key + 12));
- return 1;
+}
+
+void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key)
+{
+ /* Use the little-endian key byte order from the HYENA submission */
+ gift128b_compute_round_keys
+ (ks, le_load_word32(key + 12), le_load_word32(key + 8),
+ le_load_word32(key + 4), le_load_word32(key));
 }
 /**
@@ -521,11 +771,37 @@ int gift128b_init
 gift128b_inv_sbox(s3, s1, s2, s0); \
 } while (0)
+#else /* GIFT128_VARIANT_TINY */
+
+void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key)
+{
+ /* Mirror the fixslicing word order of 3, 1, 2, 0 */
+ ks->k[0] = be_load_word32(key + 12);
+ ks->k[1] = be_load_word32(key + 4);
+ ks->k[2] = be_load_word32(key + 8);
+ ks->k[3] = be_load_word32(key);
+}
+
+void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key)
+{
+ /* Use the little-endian key byte order from the HYENA submission
+ * and mirror the fixslicing word order of 3, 1, 2, 0 */
+ ks->k[0] = le_load_word32(key);
+ ks->k[1] = le_load_word32(key + 8);
+ ks->k[2] = le_load_word32(key + 4);
+ ks->k[3] = le_load_word32(key + 12);
+}
+
+#endif /* GIFT128_VARIANT_TINY */
+
+#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL
+
 void gift128b_encrypt
 (const gift128b_key_schedule_t *ks, unsigned char *output,
 const unsigned char *input)
 {
 uint32_t s0, s1, s2, s3;
+ uint32_t k[20];
 /* Copy the plaintext into the state buffer and convert from big endian */
 s0 = be_load_word32(input);
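Review bot: `gift128b_init()` and the new `gift128n_init()` now dereference `ks` and `key` unconditionally and read exactly 16 key bytes, where the old version returned 0 for a NULL pointer or a wrong `key_len`; with a void return a caller has no way to learn of misuse, so the precondition belongs on the declarations (presumably in internal-gift128.h, outside this diff): `\param key Points to the 16 bytes of the key; must not be NULL. No validation is performed.` and the same sentence on gift128n_init. The enclosing gift128b_compute_round_keys begins outside the hunk.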
@@ -534,14 +810,20 @@ void gift128b_encrypt
 s3 = be_load_word32(input + 12);
 /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
+ gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
+ gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ gift128b_derive_keys(k, ks->k);
+ gift128b_derive_keys(k + 10, ks->k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
+ gift128b_derive_keys(k, k);
+ gift128b_derive_keys(k + 10, k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
+ gift128b_derive_keys(k, k);
+ gift128b_derive_keys(k + 10, k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
 /* Pack the state into the ciphertext buffer in big endian */
 be_store_word32(output, s0);
@@ -555,6 +837,7 @@ void gift128b_encrypt_preloaded
 const uint32_t input[4])
 {
 uint32_t s0, s1, s2, s3;
+ uint32_t k[20];
 /* Copy the plaintext into local variables */
 s0 = input[0];
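Review bot: The SMALL path expands rounds 11..40 into the stack array `k[20]`, deriving each batch in place with `gift128b_derive_keys(k, k)`, and those derived round keys remain in the frame after the function returns; the commit adds no clearing of `k`, and a plain memset at the end would likely be optimized away, so if the project has a secure-wipe helper it should be called before the stores, otherwise a comment acknowledging the residue is warranted. The same 14-line derive/encrypt sequence is repeated verbatim in gift128b_encrypt_preloaded and gift128t_encrypt; since gift128b_encrypt_5_rounds is evidently a macro working on the implicit s0..s3 state (it is invoked without the state), a `GIFT128B_SMALL_ENCRYPT_ROUNDS(ks, k)` macro wrapping the sequence would remove the triplication. gift128b_encrypt_preloaded begins in the second hunk and continues past it.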
@@ -563,14 +846,20 @@ void gift128b_encrypt_preloaded
 s3 = input[3];
 /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
+ gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
+ gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ gift128b_derive_keys(k, ks->k);
+ gift128b_derive_keys(k + 10, ks->k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
+ gift128b_derive_keys(k, k);
+ gift128b_derive_keys(k + 10, k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
+ gift128b_derive_keys(k, k);
+ gift128b_derive_keys(k + 10, k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
 /* Pack the state into the ciphertext buffer */
 output[0] = s0;
@@ -579,7 +868,55 @@ void gift128b_encrypt_preloaded
 output[3] = s3;
 }
-void gift128b_decrypt
+void gift128t_encrypt
+ (const gift128n_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input, uint32_t tweak)
+{
+ uint32_t s0, s1, s2, s3;
+ uint32_t k[20];
+
+ /* Copy the plaintext into the state buffer and convert from nibbles */
+ gift128n_to_words(output, input);
+ s0 = be_load_word32(output);
+ s1 = be_load_word32(output + 4);
+ s2 = be_load_word32(output + 8);
+ s3 = be_load_word32(output + 12);
+
+ /* Perform all 40 rounds five at a time using the fixsliced method.
+ * Every 5 rounds except the last we add the tweak value to the state */
+ gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
+ s0 ^= tweak;
+ gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ s0 ^= tweak;
+ gift128b_derive_keys(k, ks->k);
+ gift128b_derive_keys(k + 10, ks->k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
+ s0 ^= tweak;
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
+ s0 ^= tweak;
+ gift128b_derive_keys(k, k);
+ gift128b_derive_keys(k + 10, k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
+ s0 ^= tweak;
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
+ s0 ^= tweak;
+ gift128b_derive_keys(k, k);
+ gift128b_derive_keys(k + 10, k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
+ s0 ^= tweak;
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
+
+ /* Pack the state into the ciphertext buffer in nibble form */
+ be_store_word32(output, s0);
+ be_store_word32(output + 4, s1);
+ be_store_word32(output + 8, s2);
+ be_store_word32(output + 12, s3);
+ gift128n_to_nibbles(output, output);
+}
+
+#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL
+
+void gift128b_encrypt
 (const gift128b_key_schedule_t *ks, unsigned char *output,
 const unsigned char *input)
 {
@@ -592,14 +929,14 @@ void gift128b_decrypt
 s3 = be_load_word32(input + 12);
 /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
- gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- gift128b_decrypt_5_rounds(ks->k, GIFT128_RC);
+ gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
+ gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
+ gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
+ gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
+ gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
+ gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
+ gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
 /* Pack the state into the ciphertext buffer in big endian */
 be_store_word32(output, s0);
@@ -608,173 +945,308 @@ void gift128b_decrypt be_store_word32(output + 12, s3); } -int gift128n_init - (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { - /* Use the little-endian key byte order from the HYENA submission */ - if (!ks || !key || key_len != 16) - return 0; - gift128b_compute_round_keys - (ks, le_load_word32(key + 12), le_load_word32(key + 8), - le_load_word32(key + 4), le_load_word32(key)); - return 1; + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; } -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint32_t tweak) +{ + uint32_t s0, s1, s2, s3; -/** - * \brief Converts the GIFT-128 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. 
- * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift128n_to_words - (unsigned char *output, const unsigned char *input) + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +#else /* GIFT128_VARIANT_TINY */ + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input buffer into 32-bit words. We use the nibble order - * from the HYENA submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 12); - s1 = le_load_word32(input + 8); - s2 = le_load_word32(input + 4); - s3 = le_load_word32(input); + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". - */ - #define PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - PERM_WORDS(s0); - PERM_WORDS(s1); - PERM_WORDS(s2); - PERM_WORDS(s3); + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Rearrange the bytes and write them to the output buffer */ - output[0] = (uint8_t)s0; - output[1] = 
(uint8_t)s1; - output[2] = (uint8_t)s2; - output[3] = (uint8_t)s3; - output[4] = (uint8_t)(s0 >> 8); - output[5] = (uint8_t)(s1 >> 8); - output[6] = (uint8_t)(s2 >> 8); - output[7] = (uint8_t)(s3 >> 8); - output[8] = (uint8_t)(s0 >> 16); - output[9] = (uint8_t)(s1 >> 16); - output[10] = (uint8_t)(s2 >> 16); - output[11] = (uint8_t)(s3 >> 16); - output[12] = (uint8_t)(s0 >> 24); - output[13] = (uint8_t)(s1 >> 24); - output[14] = (uint8_t)(s2 >> 24); - output[15] = (uint8_t)(s3 >> 24); + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); } -/** - * \brief Converts the GIFT-128 word-based representation into nibble-based. - * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. - */ -static void gift128n_to_nibbles - (unsigned char *output, const unsigned char *input) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input bytes and rearrange them so that s0 contains the - * most significant nibbles and s3 contains the least significant */ - s0 = (((uint32_t)(input[12])) << 24) | - (((uint32_t)(input[8])) << 16) | - (((uint32_t)(input[4])) << 8) | - ((uint32_t)(input[0])); - s1 = (((uint32_t)(input[13])) << 24) | - (((uint32_t)(input[9])) << 16) | - (((uint32_t)(input[5])) << 8) | - ((uint32_t)(input[1])); - s2 = (((uint32_t)(input[14])) << 24) | - (((uint32_t)(input[10])) << 16) | - (((uint32_t)(input[6])) << 8) | - ((uint32_t)(input[2])); - s3 = (((uint32_t)(input[15])) << 24) | - (((uint32_t)(input[11])) << 16) | - (((uint32_t)(input[7])) << 8) | - ((uint32_t)(input[3])); + /* Copy the plaintext into the state buffer */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; 
+ s3 = input[3]; - /* Apply the inverse of PERM_WORDS() from the function above */ - #define INV_PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - INV_PERM_WORDS(s0); - INV_PERM_WORDS(s1); - INV_PERM_WORDS(s2); - INV_PERM_WORDS(s3); + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Store the result into the output buffer as 32-bit words */ - le_store_word32(output + 12, s0); - le_store_word32(output + 8, s1); - le_store_word32(output + 4, s2); - le_store_word32(output, s3); + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; } -void gift128n_encrypt +void gift128t_encrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) + const unsigned char *input, uint32_t tweak) { + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the plaintext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); - gift128b_encrypt(ks, output, 
output); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* AddTweak - XOR in the tweak every 5 rounds except the last */ + if (((round + 1) % 5) == 0 && round < 39) + s0 ^= tweak; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); gift128n_to_nibbles(output, output); } -void gift128n_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, +#endif /* GIFT128_VARIANT_TINY */ + +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { - gift128n_to_words(output, input); - gift128b_decrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} + uint32_t s0, s1, s2, s3; -/* 4-bit tweak values expanded to 32-bit */ -static uint32_t const GIFT128_tweaks[16] = { - 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333, - 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787, - 0x78787878, 
0x99999999, 0xaaaaaaaa, 0x4b4b4b4b, - 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff -}; + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); -void gift128t_encrypt + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint32_t tweak) { - uint32_t s0, s1, s2, s3, tword; + uint32_t s0, s1, s2, s3; - /* Copy the plaintext into the state buffer and convert from nibbles */ + /* Copy the ciphertext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); s0 = be_load_word32(output); s1 = be_load_word32(output + 4); 
@@ -782,25 +1254,24 @@ void gift128t_encrypt s3 = be_load_word32(output + 12); /* Perform all 40 rounds five at a time using the fixsliced method. - * Every 5 rounds except the last we add the tweak value to the state */ - tword = GIFT128_tweaks[tweak]; - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + * Every 5 rounds except the first we add the tweak value to the state */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - /* Pack the state into the ciphertext buffer in nibble form */ + /* Pack the state into the plaintext buffer in nibble form */ be_store_word32(output, s0); be_store_word32(output + 4, s1); be_store_word32(output + 8, s2); 
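Review bot: The rewritten comment in the full-variant gift128t_decrypt, `Every 5 rounds except the first we add the tweak value to the state`, reads backwards for this function: in the decryption order shown, the tweak is XORed after each of the first seven gift128b_decrypt_5_rounds() calls and skipped only after the final call on `ks->k`. I would phrase it in terms of the code that follows, `* Every 5 rounds except the last we remove the tweak value from the state`, or state explicitly that "first" refers to the encryption direction. The function's header and the trailing nibble conversion lie outside this hunk.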
@@ -808,37 +1279,211 @@ void gift128t_encrypt gift128n_to_nibbles(output, output); } +#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ + +/* The small variant uses fixslicing for encryption, but we need to change + * to bitslicing for decryption because of the difficulty of fast-forwarding + * the fixsliced key schedule to the end. So the tiny variant is used for + * decryption when the small variant is selected. Since the NIST AEAD modes + * for GIFT-128 only use the block encrypt operation, the inefficiencies + * in decryption don't matter all that much */ + +/** + * \def gift128b_load_and_forward_schedule() + * \brief Generate the decryption key at the end of the last round. + * + * To do that, we run the block operation forward to determine the + * final state of the key schedule after the last round: + * + * w0 = ks->k[0]; + * w1 = ks->k[1]; + * w2 = ks->k[2]; + * w3 = ks->k[3]; + * for (round = 0; round < 40; ++round) { + * temp = w3; + * w3 = w2; + * w2 = w1; + * w1 = w0; + * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + * } + * + * We can short-cut all of the above by noticing that we don't need + * to do the word rotations. Every 4 rounds, the rotation alignment + * returns to the original position and each word has been rotated + * by applying the "2 right and 4 left" bit-rotation step to it. + * We then repeat that 10 times for the full 40 rounds. The overall + * effect is to apply a "20 right and 40 left" bit-rotation to every + * word in the key schedule. That is equivalent to "4 right and 8 left" + * on the 16-bit sub-words. 
+ */ +#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL +#define gift128b_load_and_forward_schedule() \ + do { \ + w0 = ks->k[3]; \ + w1 = ks->k[1]; \ + w2 = ks->k[2]; \ + w3 = ks->k[0]; \ + w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ + ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ + w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ + ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \ + w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ + ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ + w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ + ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ + } while (0) +#else +/* The small variant needs to also undo some of the rotations that were + * done to generate the fixsliced version of the key schedule */ +#define gift128b_load_and_forward_schedule() \ + do { \ + w0 = ks->k[3]; \ + w1 = ks->k[1]; \ + w2 = ks->k[2]; \ + w3 = ks->k[0]; \ + gift128b_swap_move(w3, w3, 0x000000FFU, 24); \ + gift128b_swap_move(w3, w3, 0x00003333U, 18); \ + gift128b_swap_move(w3, w3, 0x000F000FU, 12); \ + gift128b_swap_move(w3, w3, 0x00550055U, 9); \ + gift128b_swap_move(w1, w1, 0x000000FFU, 24); \ + gift128b_swap_move(w1, w1, 0x00003333U, 18); \ + gift128b_swap_move(w1, w1, 0x000F000FU, 12); \ + gift128b_swap_move(w1, w1, 0x00550055U, 9); \ + gift128b_swap_move(w2, w2, 0x000000FFU, 24); \ + gift128b_swap_move(w2, w2, 0x000F000FU, 12); \ + gift128b_swap_move(w2, w2, 0x03030303U, 6); \ + gift128b_swap_move(w2, w2, 0x11111111U, 3); \ + gift128b_swap_move(w0, w0, 0x000000FFU, 24); \ + gift128b_swap_move(w0, w0, 0x000F000FU, 12); \ + gift128b_swap_move(w0, w0, 0x03030303U, 6); \ + gift128b_swap_move(w0, w0, 0x11111111U, 3); \ + w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ + ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ + w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ + ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 
8); \ + w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ + ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ + w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ + ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ + } while (0) +#endif + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the ciphertext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Generate the decryption key at the end of the last round */ + gift128b_load_and_forward_schedule(); + + /* Perform all 40 rounds */ + for (round = 40; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; + + /* InvPermBits - apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp = s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } + + /* Pack the state into the plaintext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint32_t tweak) { - uint32_t s0, s1, s2, s3, 
tword; + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Copy the ciphertext into the state buffer and convert from nibbles */ + /* Copy the plaintext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); s0 = be_load_word32(output); s1 = be_load_word32(output + 4); s2 = be_load_word32(output + 8); s3 = be_load_word32(output + 12); - /* Perform all 40 rounds five at a time using the fixsliced method. - * Every 5 rounds except the first we add the tweak value to the state */ - tword = GIFT128_tweaks[tweak]; - gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + /* Generate the decryption key at the end of the last round */ + gift128b_load_and_forward_schedule(); + + /* Perform all 40 rounds */ + for (round = 40; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddTweak - XOR in the tweak every 5 rounds except the last */ + if ((round % 5) == 0 && round < 40) + s0 ^= tweak; + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; + + /* InvPermBits - apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp 
= s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } /* Pack the state into the plaintext buffer in nibble form */ be_store_word32(output, s0); @@ -847,3 +1492,7 @@ void gift128t_decrypt be_store_word32(output + 12, s3); gift128n_to_nibbles(output, output); } + +#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ + +#endif /* !GIFT128_VARIANT_ASM */ diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.h index 1ac40e5..f57d143 100644 --- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.h +++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128.h @@ -47,11 +47,13 @@ * in any of the NIST submissions so we don't bother with it in this library. * * References: https://eprint.iacr.org/2017/622.pdf, + * https://eprint.iacr.org/2020/412.pdf, * https://giftcipher.github.io/gift/ */ #include #include +#include "internal-gift128-config.h" #ifdef __cplusplus extern "C" { @@ -63,16 +65,23 @@ extern "C" { #define GIFT128_BLOCK_SIZE 16 /** - * \brief Number of round keys for the fixsliced representation of GIFT-128. + * \var GIFT128_ROUND_KEYS + * \brief Number of round keys for the GIFT-128 key schedule. */ +#if GIFT128_VARIANT == GIFT128_VARIANT_TINY +#define GIFT128_ROUND_KEYS 4 +#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL +#define GIFT128_ROUND_KEYS 20 +#else #define GIFT128_ROUND_KEYS 80 +#endif /** * \brief Structure of the key schedule for GIFT-128 (bit-sliced). */ typedef struct { - /** Pre-computed round keys in the fixsliced form */ + /** Pre-computed round keys for bit-sliced GIFT-128 */ uint32_t k[GIFT128_ROUND_KEYS]; } gift128b_key_schedule_t; 
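Review bot: The added comment at the top of the small/tiny gift128t_decrypt now says `Copy the plaintext into the state buffer and convert from nibbles`, replacing a line that correctly said ciphertext; for a decrypt routine the input is the ciphertext, so the old wording should be restored: `/* Copy the ciphertext into the state buffer and convert from nibbles */`. The same slip appears to have been made in the full-variant gift128b_decrypt earlier in this diff, whose hunk begins before this chunk. Separately, `gift128b_load_and_forward_schedule()` is a function-like macro that silently binds `ks` and `w0`..`w3` from the caller's scope; its Doxygen block explains the arithmetic but not that contract, so I would add `/* Requires ks, w0, w1, w2 and w3 to be in scope at the point of use */` above each of the two definitions and an `#undef gift128b_load_and_forward_schedule` after its two users so the name cannot be picked up by anything that follows.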
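Review bot: With this change the size of `gift128b_key_schedule_t` (and therefore the `gift128n_key_schedule_t` alias) depends on GIFT128_VARIANT from internal-gift128-config.h, so every object that allocates or fills one — presumably including the AVR assembly variants renamed elsewhere in this diff — must be compiled against the same configuration, otherwise a unit built for the full variant writing 80 words would overrun a 4- or 20-word array. That constraint is not visible at the declaration; I would state it on the field: `/** Pre-computed round keys; the count depends on GIFT128_VARIANT, so all translation units must share the same internal-gift128-config.h */`. Minor: Doxygen's tag for a macro is `\def`, not `\var`, so `\var GIFT128_ROUND_KEYS` should become `\def GIFT128_ROUND_KEYS`.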
@@ -81,14 +90,9 @@ typedef struct * \brief Initializes the key schedule for GIFT-128 (bit-sliced). * * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. + * \param key Points to the 16 bytes of the key data. */ -int gift128b_init - (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len); +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key); /** * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced). @@ -145,14 +149,9 @@ typedef gift128b_key_schedule_t gift128n_key_schedule_t; * \brief Initializes the key schedule for GIFT-128 (nibble-based). * * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. + * \param key Points to the 16 bytes of the key data. */ -int gift128n_init - (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len); +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key); /** * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based). 
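Review bot: gift128b_init here and gift128n_init in the `@@ -145,14 +149,9 @@` hunk below drop both the `key_len` parameter and the non-zero/zero result, so a caller that previously received zero for a wrong-sized key now gets a silent 16-byte read past a shorter buffer. The new `\param key` line should carry that contract explicitly, e.g. `\param key Points to the 16 bytes of the key data; no length check is performed, so the caller must guarantee the buffer size.` Call sites that still test the return value will fail to compile, which is a useful safety net, but any that passed `key_len` through from external input need their own check now.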
@@ -182,13 +181,31 @@ void gift128n_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, const unsigned char *input); +/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */ +#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */ +#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */ +#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */ +#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */ +#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */ +#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */ +#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */ +#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */ +#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */ +#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */ +#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */ +#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */ +#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */ +#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */ +#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */ +#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */ + /** * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant). * * \param ks Points to the GIFT-128 key schedule. * \param output Output buffer which must be at least 16 bytes in length. * \param input Input buffer which must be at least 16 bytes in length. - * \param tweak 4-bit tweak value. + * \param tweak 4-bit tweak value expanded to 32-bit. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. 
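Review bot: The `\param tweak` text `4-bit tweak value expanded to 32-bit` does not say how to produce such a value, while the GIFT128T_TWEAK_0..15 macros added just above are the only expansions TweGIFT-128 defines; the old `unsigned char` form indexed a 16-entry table, the new `uint32_t` form XORs whatever the caller passes. I would point the reader at the macros: `\param tweak 4-bit tweak value expanded to 32-bit; one of GIFT128T_TWEAK_0 to GIFT128T_TWEAK_15.` The same sentence applies to the gift128t_decrypt description in the `@@ -208,7 +225,7 @@` hunk.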
@@ -200,7 +217,7 @@ void gift128n_decrypt */ void gift128t_encrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak); + const unsigned char *input, uint32_t tweak); /** * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant). @@ -208,7 +225,7 @@ void gift128t_encrypt * \param ks Points to the GIFT-128 key schedule. * \param output Output buffer which must be at least 16 bytes in length. * \param input Input buffer which must be at least 16 bytes in length. - * \param tweak 4-bit tweak value. + * \param tweak 4-bit tweak value expanded to 32-bit. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. @@ -220,7 +237,7 @@ void gift128t_encrypt */ void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak); + const unsigned char *input, uint32_t tweak); #ifdef __cplusplus } diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128b-full-avr.S b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128b-full-avr.S similarity index 100% rename from gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128b-full-avr.S rename to gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128b-full-avr.S diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128b-small-avr.S b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128b-small-avr.S similarity index 100% rename from gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128b-small-avr.S rename to gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128b-small-avr.S 
diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128b-tiny-avr.S b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128b-tiny-avr.S similarity index 100% rename from gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys-avr/internal-gift128b-tiny-avr.S rename to gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-gift128b-tiny-avr.S diff --git a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-util.h b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-util.h +++ b/gift-cofb/Implementations/crypto_aead/giftcofb128v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
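Review bot: LW_CRYPTO_ROTATE32_COMPOSED is defined unconditionally from `__AVR__`, so the composed rotation table in the `@@ -322,6 +335,138 @@` hunk below can only ever be exercised on an AVR build, and a miscounted nesting level in any of its 31 entries would change cipher output on that target alone. Wrapping the selection in `#ifndef LW_CRYPTO_ROTATE32_COMPOSED` / `#endif` lets a host test build compile with `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and compare `leftRotateN(x)` against `leftRotate(x, N)` for every N on the same inputs. I read through the table and the counts agree with the generic form, so this is about keeping it that way rather than a present defect.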
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/aead-common.c b/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
--- a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/aead-common.h b/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/api.h b/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/api.h
deleted file mode 100644
index fb1dab8..0000000
--- a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 32
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/encrypt.c b/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/encrypt.c
deleted file mode 100644
index 53f563e..0000000
--- a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "gimli24.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return gimli24_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return gimli24_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/gimli24.c b/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/gimli24.c
deleted file mode 100644
index 4bc7d9f..0000000
--- a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/gimli24.c
+++ /dev/null
@@ -1,330 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "gimli24.h"
-#include "internal-gimli24.h"
-#include
-
-aead_cipher_t const gimli24_cipher = {
- "GIMLI-24",
- GIMLI24_KEY_SIZE,
- GIMLI24_NONCE_SIZE,
- GIMLI24_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- gimli24_aead_encrypt,
- gimli24_aead_decrypt
-};
-
-aead_hash_algorithm_t const gimli24_hash_algorithm = {
- "GIMLI-24-HASH",
- sizeof(gimli24_hash_state_t),
- GIMLI24_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- gimli24_hash,
- (aead_hash_init_t)gimli24_hash_init,
- (aead_hash_update_t)gimli24_hash_absorb,
- (aead_hash_finalize_t)gimli24_hash_finalize,
- (aead_xof_absorb_t)gimli24_hash_absorb,
- (aead_xof_squeeze_t)gimli24_hash_squeeze
-};
-
-/**
- * \brief Number of bytes of input or output data to process per block.
- */
-#define GIMLI24_BLOCK_SIZE 16
-
-/**
- * \brief Structure of the GIMLI-24 state as both an array of words
- * and an array of bytes.
- */
-typedef union
-{
- uint32_t words[12]; /**< Words in the state */
- uint8_t bytes[48]; /**< Bytes in the state */
-
-} gimli24_state_t;
-
-/**
- * \brief Absorbs data into a GIMLI-24 state.
- *
- * \param state The state to absorb the data into.
- * \param data Points to the data to be absorbed.
- * \param len Length of the data to be absorbed.
- */
-static void gimli24_absorb
- (gimli24_state_t *state, const unsigned char *data, unsigned long long len)
-{
- unsigned temp;
- while (len >= GIMLI24_BLOCK_SIZE) {
- lw_xor_block(state->bytes, data, GIMLI24_BLOCK_SIZE);
- gimli24_permute(state->words);
- data += GIMLI24_BLOCK_SIZE;
- len -= GIMLI24_BLOCK_SIZE;
- }
- temp = (unsigned)len;
- lw_xor_block(state->bytes, data, temp);
- state->bytes[temp] ^= 0x01; /* Padding */
- state->bytes[47] ^= 0x01;
- gimli24_permute(state->words);
-}
-
-/**
- * \brief Encrypts a block of data with a GIMLI-24 state.
- *
- * \param state The state to encrypt with.
- * \param dest Points to the destination buffer.
- * \param src Points to the source buffer.
- * \param len Length of the data to encrypt from \a src into \a dest.
- */
-static void gimli24_encrypt
- (gimli24_state_t *state, unsigned char *dest,
- const unsigned char *src, unsigned long long len)
-{
- unsigned temp;
- while (len >= GIMLI24_BLOCK_SIZE) {
- lw_xor_block_2_dest(dest, state->bytes, src, GIMLI24_BLOCK_SIZE);
- gimli24_permute(state->words);
- dest += GIMLI24_BLOCK_SIZE;
- src += GIMLI24_BLOCK_SIZE;
- len -= GIMLI24_BLOCK_SIZE;
- }
- temp = (unsigned)len;
- lw_xor_block_2_dest(dest, state->bytes, src, temp);
- state->bytes[temp] ^= 0x01; /* Padding */
- state->bytes[47] ^= 0x01;
- gimli24_permute(state->words);
-}
-
-/**
- * \brief Decrypts a block of data with a GIMLI-24 state.
- *
- * \param state The state to decrypt with.
- * \param dest Points to the destination buffer.
- * \param src Points to the source buffer.
- * \param len Length of the data to decrypt from \a src into \a dest.
- */
-static void gimli24_decrypt
- (gimli24_state_t *state, unsigned char *dest,
- const unsigned char *src, unsigned long long len)
-{
- unsigned temp;
- while (len >= GIMLI24_BLOCK_SIZE) {
- lw_xor_block_swap(dest, state->bytes, src, GIMLI24_BLOCK_SIZE);
- gimli24_permute(state->words);
- dest += GIMLI24_BLOCK_SIZE;
- src += GIMLI24_BLOCK_SIZE;
- len -= GIMLI24_BLOCK_SIZE;
- }
- temp = (unsigned)len;
- lw_xor_block_swap(dest, state->bytes, src, temp);
- state->bytes[temp] ^= 0x01; /* Padding */
- state->bytes[47] ^= 0x01;
- gimli24_permute(state->words);
-}
-
-int gimli24_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- gimli24_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + GIMLI24_TAG_SIZE;
-
- /* Format the initial GIMLI state from the nonce and the key */
- memcpy(state.words, npub, GIMLI24_NONCE_SIZE);
- memcpy(state.words + 4, k, GIMLI24_KEY_SIZE);
-
- /* Permute the initial state */
- gimli24_permute(state.words);
-
- /* Absorb the associated data */
- gimli24_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- gimli24_encrypt(&state, c, m, mlen);
-
- /* Generate the authentication tag at the end of the ciphertext */
- memcpy(c + mlen, state.bytes, GIMLI24_TAG_SIZE);
- return 0;
-}
-
-int gimli24_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- gimli24_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < GIMLI24_TAG_SIZE)
- return -1;
- *mlen = clen - GIMLI24_TAG_SIZE;
-
- /* Format the initial GIMLI state from the nonce and the key */
- memcpy(state.words, npub, GIMLI24_NONCE_SIZE);
- memcpy(state.words + 4, k, GIMLI24_KEY_SIZE);
-
- /* Permute the initial state */
- gimli24_permute(state.words);
-
- /* Absorb the associated data */
- gimli24_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- gimli24_decrypt(&state, m, c, *mlen);
-
- /* Check the authentication tag at the end of the packet */
- return aead_check_tag
- (m, *mlen, state.bytes, c + *mlen, GIMLI24_TAG_SIZE);
-}
-
-int gimli24_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- gimli24_state_t state;
-
- /* Initialize the hash state to all zeroes */
- memset(&state, 0, sizeof(state));
-
- /* Absorb the input */
- gimli24_absorb(&state, in, inlen);
-
- /* Generate the output hash */
- memcpy(out, state.bytes, GIMLI24_HASH_SIZE / 2);
- gimli24_permute(state.words);
- memcpy(out + GIMLI24_HASH_SIZE / 2, state.bytes, GIMLI24_HASH_SIZE / 2);
- return 0;
-}
-
-void gimli24_hash_init(gimli24_hash_state_t *state)
-{
- memset(state, 0, sizeof(gimli24_hash_state_t));
-}
-
-#define GIMLI24_XOF_RATE 16
-#define gimli24_xof_permute() \
- gimli24_permute((uint32_t *)(state->s.state))
-
-void gimli24_hash_absorb
- (gimli24_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen)
-{
- unsigned temp;
-
- if (state->s.mode) {
- /* We were squeezing output - go back to the absorb phase */
- state->s.mode = 0;
- state->s.count = 0;
- gimli24_xof_permute();
- }
-
- /* Handle the partial left-over block from last time */
- if (state->s.count) {
- temp = GIMLI24_XOF_RATE - state->s.count;
- if (temp > inlen) {
- temp = (unsigned)inlen;
- lw_xor_block(state->s.state + state->s.count, in, temp);
- state->s.count += temp;
- return;
- }
- lw_xor_block(state->s.state + state->s.count, in, temp);
- state->s.count = 0;
- in += temp;
- inlen -= temp;
- gimli24_xof_permute();
- }
-
- /* Process full blocks that are aligned at state->s.count == 0 */
- while (inlen >= GIMLI24_XOF_RATE) {
- lw_xor_block(state->s.state, in, GIMLI24_XOF_RATE);
- in += GIMLI24_XOF_RATE;
- inlen -= GIMLI24_XOF_RATE;
- gimli24_xof_permute();
- }
-
- /* Process the left-over block at the end of the input */
- temp = (unsigned)inlen;
- lw_xor_block(state->s.state, in, temp);
- state->s.count = temp;
-}
-
-void gimli24_hash_squeeze
- (gimli24_hash_state_t *state, unsigned char *out,
- unsigned long long outlen)
-{
- unsigned temp;
-
- /* Pad the final input block if we were still in the absorb phase */
- if (!state->s.mode) {
- state->s.state[state->s.count] ^= 0x01;
- state->s.state[47] ^= 0x01;
- state->s.count = 0;
- state->s.mode = 1;
- }
-
- /* Handle left-over partial blocks from last time */
- if (state->s.count) {
- temp = GIMLI24_XOF_RATE - state->s.count;
- if (temp > outlen) {
- temp = (unsigned)outlen;
- memcpy(out, state->s.state + state->s.count, temp);
- state->s.count += temp;
- return;
- }
- memcpy(out, state->s.state + state->s.count, temp);
- out += temp;
- outlen -= temp;
- state->s.count = 0;
- }
-
- /* Handle full blocks */
- while (outlen >= GIMLI24_XOF_RATE) {
- gimli24_xof_permute();
- memcpy(out, state->s.state, GIMLI24_XOF_RATE);
- out += GIMLI24_XOF_RATE;
- outlen -= GIMLI24_XOF_RATE;
- }
-
- /* Handle the left-over block */
- if (outlen > 0) {
- temp = (unsigned)outlen;
- gimli24_xof_permute();
- memcpy(out, state->s.state, temp);
- state->s.count = temp;
- }
-}
-
-void gimli24_hash_finalize
- (gimli24_hash_state_t *state, unsigned char *out)
-{
- gimli24_hash_squeeze(state, out, GIMLI24_HASH_SIZE);
-}
diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/gimli24.h b/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/gimli24.h
deleted file mode 100644
index f72aec7..0000000
--- a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/gimli24.h
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_GIMLI24_H
-#define LWCRYPTO_GIMLI24_H
-
-#include "aead-common.h"
-
-/**
- * \file gimli24.h
- * \brief Gimli authenticated encryption algorithm.
- *
- * GIMLI-24-CIPHER has a 256-bit key, a 128-bit nonce, and a 128-bit tag.
- * It is the spiritual successor to the widely used ChaCha20 and has a
- * similar design.
- *
- * This library also includes an implementation of the hash algorithm
- * GIMLI-24-HASH in both regular hashing and XOF modes.
- *
- * References: https://gimli.cr.yp.to/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for GIMLI-24.
- */
-#define GIMLI24_KEY_SIZE 32
-
-/**
- * \brief Size of the nonce for GIMLI-24.
- */
-#define GIMLI24_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for GIMLI-24.
- */
-#define GIMLI24_TAG_SIZE 16
-
-/**
- * \brief Size of the hash output for GIMLI-24.
- */
-#define GIMLI24_HASH_SIZE 32
-
-/**
- * \brief State information for GIMLI-24-HASH incremental modes.
- */
-typedef union
-{
- struct {
- unsigned char state[48]; /**< Current hash state */
- unsigned char count; /**< Number of bytes in the current block */
- unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */
- } s; /**< State */
- unsigned long long align; /**< For alignment of this structure */
-
-} gimli24_hash_state_t;
-
-/**
- * \brief Meta-information block for the GIMLI-24 cipher.
- */
-extern aead_cipher_t const gimli24_cipher;
-
-/**
- * \brief Meta-information block for the GIMLI-24-HASH algorithm.
- *
- * This meta-information block can also be used in XOF mode.
- */
-extern aead_hash_algorithm_t const gimli24_hash_algorithm;
-
-/**
- * \brief Encrypts and authenticates a packet with GIMLI-24 using the
- * full AEAD mode.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 32 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa gimli24_aead_decrypt()
- */
-int gimli24_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with GIMLI-24 using the
- * full AEAD mode.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 32 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa gimli24_aead_encrypt()
- */
-int gimli24_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with GIMLI-24 to generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * GIMLI24_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int gimli24_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a GIMLI-24-HASH hashing operation.
- *
- * \param state Hash state to be initialized.
- *
- * \sa gimli24_hash_absorb(), gimli24_hash_squeeze(), gimli24_hash()
- */
-void gimli24_hash_init(gimli24_hash_state_t *state);
-
-/**
- * \brief Aborbs more input data into a GIMLI-24-HASH state.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa gimli24_hash_init(), gimli24_hash_squeeze()
- */
-void gimli24_hash_absorb
- (gimli24_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an GIMLI-24-HASH state.
- *
- * \param state Hash state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- *
- * \sa gimli24_hash_init(), gimli24_hash_absorb()
- */
-void gimli24_hash_squeeze
- (gimli24_hash_state_t *state, unsigned char *out,
- unsigned long long outlen);
-
-/**
- * \brief Returns the final hash value from a GIMLI-24-HASH hashing operation.
- *
- * \param state Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- *
- * \note This is a wrapper around gimli24_hash_squeeze() for a fixed length
- * of GIMLI24_HASH_SIZE bytes.
- *
- * \sa gimli24_hash_init(), gimli24_hash_absorb()
- */
-void gimli24_hash_finalize
- (gimli24_hash_state_t *state, unsigned char *out);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/internal-gimli24.c b/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/internal-gimli24.c
deleted file mode 100644
index d719988..0000000
--- a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/internal-gimli24.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-gimli24.h"
-
-#if !defined(__AVR__)
-
-/* Apply the SP-box to a specific column in the state array */
-#define GIMLI24_SP(s0, s4, s8) \
- do { \
- x = leftRotate24(s0); \
- y = leftRotate9(s4); \
- s4 = y ^ x ^ ((x | s8) << 1); \
- s0 = s8 ^ y ^ ((x & y) << 3); \
- s8 = x ^ (s8 << 1) ^ ((y & s8) << 2); \
- } while (0)
-
-void gimli24_permute(uint32_t state[12])
-{
- uint32_t s0, s1, s2, s3, s4, s5;
- uint32_t s6, s7, s8, s9, s10, s11;
- uint32_t x, y;
- unsigned round;
-
- /* Load the state into local variables and convert from little-endian */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s0 = state[0];
- s1 = state[1];
- s2 = state[2];
- s3 = state[3];
- s4 = state[4];
- s5 = state[5];
- s6 = state[6];
- s7 = state[7];
- s8 = state[8];
- s9 = state[9];
- s10 = state[10];
- s11 = state[11];
-#else
- s0 = le_load_word32((const unsigned char *)(&(state[0])));
- s1 = le_load_word32((const unsigned char *)(&(state[1])));
- s2 = le_load_word32((const unsigned char *)(&(state[2])));
- s3 = le_load_word32((const unsigned char *)(&(state[3])));
- s4 = le_load_word32((const unsigned char *)(&(state[4])));
- s5 = le_load_word32((const unsigned char *)(&(state[5])));
- s6 = le_load_word32((const unsigned char *)(&(state[6])));
- s7 = le_load_word32((const unsigned char *)(&(state[7])));
- s8 = le_load_word32((const unsigned char *)(&(state[8])));
- s9 = le_load_word32((const unsigned char *)(&(state[9])));
- s10 = le_load_word32((const unsigned char *)(&(state[10])));
- s11 = le_load_word32((const unsigned char *)(&(state[11])));
-#endif
-
- /* Unroll and perform the rounds 4 at a time */
- for (round = 24; round > 0; round -= 4) {
- /* Round 0: SP-box, small swap, add round constant */
- GIMLI24_SP(s0, s4, s8);
- GIMLI24_SP(s1, s5, s9);
- GIMLI24_SP(s2, s6, s10);
- GIMLI24_SP(s3, s7, s11);
- x = s0;
- y = s2;
- s0 = s1 ^ 0x9e377900U ^ round;
- s1 = x;
- s2 = s3;
- s3 = y;
-
- /* Round 1: SP-box only */
- GIMLI24_SP(s0, s4, s8);
- GIMLI24_SP(s1, s5, s9);
- GIMLI24_SP(s2, s6, s10);
- GIMLI24_SP(s3, s7, s11);
-
- /* Round 2: SP-box, big swap */
- GIMLI24_SP(s0, s4, s8);
- GIMLI24_SP(s1, s5, s9);
- GIMLI24_SP(s2, s6, s10);
- GIMLI24_SP(s3, s7, s11);
- x = s0;
- y = s1;
- s0 = s2;
- s1 = s3;
- s2 = x;
- s3 = y;
-
- /* Round 3: SP-box only */
- GIMLI24_SP(s0, s4, s8);
- GIMLI24_SP(s1, s5, s9);
- GIMLI24_SP(s2, s6, s10);
- GIMLI24_SP(s3, s7, s11);
- }
-
- /* Convert state to little-endian if the platform is not little-endian */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state[0] = s0;
- state[1] = s1;
- state[2] = s2;
- state[3] = s3;
- state[4] = s4;
- state[5] = s5;
- state[6] = s6;
- state[7] = s7;
- state[8] = s8;
- state[9] = s9;
- state[10] = s10;
- state[11] = s11;
-#else
- le_store_word32(((unsigned char *)(&(state[0]))), s0);
- le_store_word32(((unsigned char *)(&(state[1]))), s1);
- le_store_word32(((unsigned char *)(&(state[2]))), s2);
- le_store_word32(((unsigned char *)(&(state[3]))), s3);
- le_store_word32(((unsigned char *)(&(state[4]))), s4);
- le_store_word32(((unsigned char *)(&(state[5]))), s5);
- le_store_word32(((unsigned char *)(&(state[6]))), s6);
- le_store_word32(((unsigned char *)(&(state[7]))), s7);
- le_store_word32(((unsigned char *)(&(state[8]))), s8);
- le_store_word32(((unsigned char *)(&(state[9]))), s9);
- le_store_word32(((unsigned char *)(&(state[10]))), s10);
- le_store_word32(((unsigned char *)(&(state[11]))), s11);
-#endif
-}
-
-#endif /* !__AVR__ */
diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/internal-util.h b/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/internal-gimli24-avr.S b/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24-avr.S similarity index 100% rename from gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/internal-gimli24-avr.S rename to gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24-avr.S diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.c b/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.c index ab2c830..d719988 100644 --- a/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.c +++ b/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-gimli24.c 
@@ -22,6 +22,8 @@
 
 #include "internal-gimli24.h"
 
+#if !defined(__AVR__)
+
 /* Apply the SP-box to a specific column in the state array */
 #define GIMLI24_SP(s0, s4, s8) \
 do { \
@@ -136,3 +138,5 @@ void gimli24_permute(uint32_t state[12])
 le_store_word32(((unsigned char *)(&(state[11]))), s11);
 #endif
 }
+
+#endif /* !__AVR__ */
diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-util.h b/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-util.h
+++ b/gimli/Implementations/crypto_aead/gimli24v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
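Review bot: The new `#if !defined(__AVR__)` guard in internal-gimli24.c removes the only C definition of gimli24_permute() on AVR without saying where the symbol is expected to come from; a reader of this file alone cannot tell that the renamed internal-gimli24-avr.S in the same directory is meant to supply it. Suggest a comment on the guard, e.g. `/* On AVR, gimli24_permute() is provided by internal-gimli24-avr.S */`, and the matching `#endif /* !__AVR__ */` in the second hunk (@@ -136) could carry the same hint. If the AVR build rules do not assemble .S files from this directory, the guard turns a working C fallback into an undefined reference at link time, so that is worth confirming alongside this change.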
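Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` in the @@ -238 hunk of internal-util.h is hard-wired to `defined(__AVR__)`, so the composed rotation macros selected by the `#else` branch in hunk @@ -322 can only be compiled on an AVR target and cannot be checked against the barrel-shifter macros on a host build; a wrong composition in any one of the thirty-odd macros would only surface as a bad permutation on the device. Wrapping the selection as `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` ... existing `#if defined(__AVR__)` block ... `#endif` lets a host build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and compare both macro sets for equality. The `#if !LW_CRYPTO_ROTATE32_COMPOSED` test added in hunk @@ -254 needs no change for that.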
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/aead-common.c b/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
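Review bot: Every composed macro in this hunk nests the generic `leftRotate`/`rightRotate` statement expressions, and each level declares its own `_temp` inside the initializer of the enclosing level's `_temp`, so a single `leftRotate20` use should produce four `-Wshadow` warnings per expansion; the code is still well-defined, and assuming the 32-bit generic macro captures its argument the way the removed 8-bit one does (`uint8_t _temp = (a);`), the argument is evaluated exactly once. I checked all 31 left compositions (base 8/16/24 plus up to four 1-bit steps in either direction) and the rightRotateN → leftRotate(32−N) table and found no transcription errors, but that is 62 hand-written lines with no mechanical check, so a host-side assert that `leftRotateN(x) == leftRotate(x, N)` for N = 1..31 with the composed path forced on is worth adding. The heading `/* Composed rotation macros where 1 and 8 are fast, but others are slow */` understates what the table relies on; `/* Composed rotation macros: rotates by 1 and by 8, 16 or 24 are fast, everything else is built from them */` matches the definitions that follow.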
--- a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/aead-common.h b/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/api.h b/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/api.h deleted file mode 100644 index ae8c7f6..0000000 --- a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/api.h +++ /dev/null @@ -1 +0,0 @@ -#define CRYPTO_BYTES 32 diff --git a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/gimli24.c b/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/gimli24.c deleted file mode 100644 index 4bc7d9f..0000000 --- a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/gimli24.c +++ /dev/null 
@@ -1,330 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "gimli24.h" -#include "internal-gimli24.h" -#include - -aead_cipher_t const gimli24_cipher = { - "GIMLI-24", - GIMLI24_KEY_SIZE, - GIMLI24_NONCE_SIZE, - GIMLI24_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - gimli24_aead_encrypt, - gimli24_aead_decrypt -}; - -aead_hash_algorithm_t const gimli24_hash_algorithm = { - "GIMLI-24-HASH", - sizeof(gimli24_hash_state_t), - GIMLI24_HASH_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - gimli24_hash, - (aead_hash_init_t)gimli24_hash_init, - (aead_hash_update_t)gimli24_hash_absorb, - (aead_hash_finalize_t)gimli24_hash_finalize, - (aead_xof_absorb_t)gimli24_hash_absorb, - (aead_xof_squeeze_t)gimli24_hash_squeeze -}; - -/** - * \brief Number of bytes of input or output data to process per block. 
- */ -#define GIMLI24_BLOCK_SIZE 16 - -/** - * \brief Structure of the GIMLI-24 state as both an array of words - * and an array of bytes. - */ -typedef union -{ - uint32_t words[12]; /**< Words in the state */ - uint8_t bytes[48]; /**< Bytes in the state */ - -} gimli24_state_t; - -/** - * \brief Absorbs data into a GIMLI-24 state. - * - * \param state The state to absorb the data into. - * \param data Points to the data to be absorbed. - * \param len Length of the data to be absorbed. - */ -static void gimli24_absorb - (gimli24_state_t *state, const unsigned char *data, unsigned long long len) -{ - unsigned temp; - while (len >= GIMLI24_BLOCK_SIZE) { - lw_xor_block(state->bytes, data, GIMLI24_BLOCK_SIZE); - gimli24_permute(state->words); - data += GIMLI24_BLOCK_SIZE; - len -= GIMLI24_BLOCK_SIZE; - } - temp = (unsigned)len; - lw_xor_block(state->bytes, data, temp); - state->bytes[temp] ^= 0x01; /* Padding */ - state->bytes[47] ^= 0x01; - gimli24_permute(state->words); -} - -/** - * \brief Encrypts a block of data with a GIMLI-24 state. - * - * \param state The state to encrypt with. - * \param dest Points to the destination buffer. - * \param src Points to the source buffer. - * \param len Length of the data to encrypt from \a src into \a dest. - */ -static void gimli24_encrypt - (gimli24_state_t *state, unsigned char *dest, - const unsigned char *src, unsigned long long len) -{ - unsigned temp; - while (len >= GIMLI24_BLOCK_SIZE) { - lw_xor_block_2_dest(dest, state->bytes, src, GIMLI24_BLOCK_SIZE); - gimli24_permute(state->words); - dest += GIMLI24_BLOCK_SIZE; - src += GIMLI24_BLOCK_SIZE; - len -= GIMLI24_BLOCK_SIZE; - } - temp = (unsigned)len; - lw_xor_block_2_dest(dest, state->bytes, src, temp); - state->bytes[temp] ^= 0x01; /* Padding */ - state->bytes[47] ^= 0x01; - gimli24_permute(state->words); -} - -/** - * \brief Decrypts a block of data with a GIMLI-24 state. - * - * \param state The state to decrypt with. 
- * \param dest Points to the destination buffer. - * \param src Points to the source buffer. - * \param len Length of the data to decrypt from \a src into \a dest. - */ -static void gimli24_decrypt - (gimli24_state_t *state, unsigned char *dest, - const unsigned char *src, unsigned long long len) -{ - unsigned temp; - while (len >= GIMLI24_BLOCK_SIZE) { - lw_xor_block_swap(dest, state->bytes, src, GIMLI24_BLOCK_SIZE); - gimli24_permute(state->words); - dest += GIMLI24_BLOCK_SIZE; - src += GIMLI24_BLOCK_SIZE; - len -= GIMLI24_BLOCK_SIZE; - } - temp = (unsigned)len; - lw_xor_block_swap(dest, state->bytes, src, temp); - state->bytes[temp] ^= 0x01; /* Padding */ - state->bytes[47] ^= 0x01; - gimli24_permute(state->words); -} - -int gimli24_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - gimli24_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + GIMLI24_TAG_SIZE; - - /* Format the initial GIMLI state from the nonce and the key */ - memcpy(state.words, npub, GIMLI24_NONCE_SIZE); - memcpy(state.words + 4, k, GIMLI24_KEY_SIZE); - - /* Permute the initial state */ - gimli24_permute(state.words); - - /* Absorb the associated data */ - gimli24_absorb(&state, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - gimli24_encrypt(&state, c, m, mlen); - - /* Generate the authentication tag at the end of the ciphertext */ - memcpy(c + mlen, state.bytes, GIMLI24_TAG_SIZE); - return 0; -} - -int gimli24_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - gimli24_state_t state; - (void)nsec; - - /* Validate the ciphertext 
length and set the return "mlen" value */ - if (clen < GIMLI24_TAG_SIZE) - return -1; - *mlen = clen - GIMLI24_TAG_SIZE; - - /* Format the initial GIMLI state from the nonce and the key */ - memcpy(state.words, npub, GIMLI24_NONCE_SIZE); - memcpy(state.words + 4, k, GIMLI24_KEY_SIZE); - - /* Permute the initial state */ - gimli24_permute(state.words); - - /* Absorb the associated data */ - gimli24_absorb(&state, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - gimli24_decrypt(&state, m, c, *mlen); - - /* Check the authentication tag at the end of the packet */ - return aead_check_tag - (m, *mlen, state.bytes, c + *mlen, GIMLI24_TAG_SIZE); -} - -int gimli24_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - gimli24_state_t state; - - /* Initialize the hash state to all zeroes */ - memset(&state, 0, sizeof(state)); - - /* Absorb the input */ - gimli24_absorb(&state, in, inlen); - - /* Generate the output hash */ - memcpy(out, state.bytes, GIMLI24_HASH_SIZE / 2); - gimli24_permute(state.words); - memcpy(out + GIMLI24_HASH_SIZE / 2, state.bytes, GIMLI24_HASH_SIZE / 2); - return 0; -} - -void gimli24_hash_init(gimli24_hash_state_t *state) -{ - memset(state, 0, sizeof(gimli24_hash_state_t)); -} - -#define GIMLI24_XOF_RATE 16 -#define gimli24_xof_permute() \ - gimli24_permute((uint32_t *)(state->s.state)) - -void gimli24_hash_absorb - (gimli24_hash_state_t *state, const unsigned char *in, - unsigned long long inlen) -{ - unsigned temp; - - if (state->s.mode) { - /* We were squeezing output - go back to the absorb phase */ - state->s.mode = 0; - state->s.count = 0; - gimli24_xof_permute(); - } - - /* Handle the partial left-over block from last time */ - if (state->s.count) { - temp = GIMLI24_XOF_RATE - state->s.count; - if (temp > inlen) { - temp = (unsigned)inlen; - lw_xor_block(state->s.state + state->s.count, in, temp); - state->s.count += temp; - return; - } - lw_xor_block(state->s.state + state->s.count, in, 
temp); - state->s.count = 0; - in += temp; - inlen -= temp; - gimli24_xof_permute(); - } - - /* Process full blocks that are aligned at state->s.count == 0 */ - while (inlen >= GIMLI24_XOF_RATE) { - lw_xor_block(state->s.state, in, GIMLI24_XOF_RATE); - in += GIMLI24_XOF_RATE; - inlen -= GIMLI24_XOF_RATE; - gimli24_xof_permute(); - } - - /* Process the left-over block at the end of the input */ - temp = (unsigned)inlen; - lw_xor_block(state->s.state, in, temp); - state->s.count = temp; -} - -void gimli24_hash_squeeze - (gimli24_hash_state_t *state, unsigned char *out, - unsigned long long outlen) -{ - unsigned temp; - - /* Pad the final input block if we were still in the absorb phase */ - if (!state->s.mode) { - state->s.state[state->s.count] ^= 0x01; - state->s.state[47] ^= 0x01; - state->s.count = 0; - state->s.mode = 1; - } - - /* Handle left-over partial blocks from last time */ - if (state->s.count) { - temp = GIMLI24_XOF_RATE - state->s.count; - if (temp > outlen) { - temp = (unsigned)outlen; - memcpy(out, state->s.state + state->s.count, temp); - state->s.count += temp; - return; - } - memcpy(out, state->s.state + state->s.count, temp); - out += temp; - outlen -= temp; - state->s.count = 0; - } - - /* Handle full blocks */ - while (outlen >= GIMLI24_XOF_RATE) { - gimli24_xof_permute(); - memcpy(out, state->s.state, GIMLI24_XOF_RATE); - out += GIMLI24_XOF_RATE; - outlen -= GIMLI24_XOF_RATE; - } - - /* Handle the left-over block */ - if (outlen > 0) { - temp = (unsigned)outlen; - gimli24_xof_permute(); - memcpy(out, state->s.state, temp); - state->s.count = temp; - } -} - -void gimli24_hash_finalize - (gimli24_hash_state_t *state, unsigned char *out) -{ - gimli24_hash_squeeze(state, out, GIMLI24_HASH_SIZE); -} diff --git a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/gimli24.h b/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/gimli24.h deleted file mode 100644 index f72aec7..0000000 
--- a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/gimli24.h
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_GIMLI24_H
-#define LWCRYPTO_GIMLI24_H
-
-#include "aead-common.h"
-
-/**
- * \file gimli24.h
- * \brief Gimli authenticated encryption algorithm.
- *
- * GIMLI-24-CIPHER has a 256-bit key, a 128-bit nonce, and a 128-bit tag.
- * It is the spiritual successor to the widely used ChaCha20 and has a
- * similar design.
- *
- * This library also includes an implementation of the hash algorithm
- * GIMLI-24-HASH in both regular hashing and XOF modes.
- *
- * References: https://gimli.cr.yp.to/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for GIMLI-24.
- */
-#define GIMLI24_KEY_SIZE 32
-
-/**
- * \brief Size of the nonce for GIMLI-24.
- */
-#define GIMLI24_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for GIMLI-24.
- */
-#define GIMLI24_TAG_SIZE 16
-
-/**
- * \brief Size of the hash output for GIMLI-24.
- */
-#define GIMLI24_HASH_SIZE 32
-
-/**
- * \brief State information for GIMLI-24-HASH incremental modes.
- */
-typedef union
-{
- struct {
- unsigned char state[48]; /**< Current hash state */
- unsigned char count; /**< Number of bytes in the current block */
- unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */
- } s; /**< State */
- unsigned long long align; /**< For alignment of this structure */
-
-} gimli24_hash_state_t;
-
-/**
- * \brief Meta-information block for the GIMLI-24 cipher.
- */
-extern aead_cipher_t const gimli24_cipher;
-
-/**
- * \brief Meta-information block for the GIMLI-24-HASH algorithm.
- *
- * This meta-information block can also be used in XOF mode.
- */
-extern aead_hash_algorithm_t const gimli24_hash_algorithm;
-
-/**
- * \brief Encrypts and authenticates a packet with GIMLI-24 using the
- * full AEAD mode.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 32 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa gimli24_aead_decrypt()
- */
-int gimli24_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with GIMLI-24 using the
- * full AEAD mode.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 32 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa gimli24_aead_encrypt()
- */
-int gimli24_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with GIMLI-24 to generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * GIMLI24_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int gimli24_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a GIMLI-24-HASH hashing operation.
- *
- * \param state Hash state to be initialized.
- *
- * \sa gimli24_hash_absorb(), gimli24_hash_squeeze(), gimli24_hash()
- */
-void gimli24_hash_init(gimli24_hash_state_t *state);
-
-/**
- * \brief Aborbs more input data into a GIMLI-24-HASH state.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa gimli24_hash_init(), gimli24_hash_squeeze()
- */
-void gimli24_hash_absorb
- (gimli24_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an GIMLI-24-HASH state.
- *
- * \param state Hash state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- *
- * \sa gimli24_hash_init(), gimli24_hash_absorb()
- */
-void gimli24_hash_squeeze
- (gimli24_hash_state_t *state, unsigned char *out,
- unsigned long long outlen);
-
-/**
- * \brief Returns the final hash value from a GIMLI-24-HASH hashing operation.
- *
- * \param state Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- *
- * \note This is a wrapper around gimli24_hash_squeeze() for a fixed length
- * of GIMLI24_HASH_SIZE bytes.
- *
- * \sa gimli24_hash_init(), gimli24_hash_absorb()
- */
-void gimli24_hash_finalize
- (gimli24_hash_state_t *state, unsigned char *out);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/internal-gimli24.c b/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/internal-gimli24.c
deleted file mode 100644
index d719988..0000000
--- a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/internal-gimli24.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-gimli24.h"
-
-#if !defined(__AVR__)
-
-/* Apply the SP-box to a specific column in the state array */
-#define GIMLI24_SP(s0, s4, s8) \
- do { \
- x = leftRotate24(s0); \
- y = leftRotate9(s4); \
- s4 = y ^ x ^ ((x | s8) << 1); \
- s0 = s8 ^ y ^ ((x & y) << 3); \
- s8 = x ^ (s8 << 1) ^ ((y & s8) << 2); \
- } while (0)
-
-void gimli24_permute(uint32_t state[12])
-{
- uint32_t s0, s1, s2, s3, s4, s5;
- uint32_t s6, s7, s8, s9, s10, s11;
- uint32_t x, y;
- unsigned round;
-
- /* Load the state into local variables and convert from little-endian */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s0 = state[0];
- s1 = state[1];
- s2 = state[2];
- s3 = state[3];
- s4 = state[4];
- s5 = state[5];
- s6 = state[6];
- s7 = state[7];
- s8 = state[8];
- s9 = state[9];
- s10 = state[10];
- s11 = state[11];
-#else
- s0 = le_load_word32((const unsigned char *)(&(state[0])));
- s1 = le_load_word32((const unsigned char *)(&(state[1])));
- s2 = le_load_word32((const unsigned char *)(&(state[2])));
- s3 = le_load_word32((const unsigned char *)(&(state[3])));
- s4 = le_load_word32((const unsigned char *)(&(state[4])));
- s5 = le_load_word32((const unsigned char *)(&(state[5])));
- s6 = le_load_word32((const unsigned char *)(&(state[6])));
- s7 = le_load_word32((const unsigned char *)(&(state[7])));
- s8 = le_load_word32((const unsigned char *)(&(state[8])));
- s9 = le_load_word32((const unsigned char *)(&(state[9])));
- s10 = le_load_word32((const unsigned char *)(&(state[10])));
- s11 = le_load_word32((const unsigned char *)(&(state[11])));
-#endif
-
- /* Unroll and perform the rounds 4 at a time */
- for (round = 24; round > 0; round -= 4) {
- /* Round 0: SP-box, small swap, add round constant */
- GIMLI24_SP(s0, s4, s8);
- GIMLI24_SP(s1, s5, s9);
- GIMLI24_SP(s2, s6, s10);
- GIMLI24_SP(s3, s7, s11);
- x = s0;
- y = s2;
- s0 = s1 ^ 0x9e377900U ^ round;
- s1 = x;
- s2 = s3;
- s3 = y;
-
- /* Round 1: SP-box only */
- GIMLI24_SP(s0, s4, s8);
- GIMLI24_SP(s1, s5, s9);
- GIMLI24_SP(s2, s6, s10);
- GIMLI24_SP(s3, s7, s11);
-
- /* Round 2: SP-box, big swap */
- GIMLI24_SP(s0, s4, s8);
- GIMLI24_SP(s1, s5, s9);
- GIMLI24_SP(s2, s6, s10);
- GIMLI24_SP(s3, s7, s11);
- x = s0;
- y = s1;
- s0 = s2;
- s1 = s3;
- s2 = x;
- s3 = y;
-
- /* Round 3: SP-box only */
- GIMLI24_SP(s0, s4, s8);
- GIMLI24_SP(s1, s5, s9);
- GIMLI24_SP(s2, s6, s10);
- GIMLI24_SP(s3, s7, s11);
- }
-
- /* Convert state to little-endian if the platform is not little-endian */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state[0] = s0;
- state[1] = s1;
- state[2] = s2;
- state[3] = s3;
- state[4] = s4;
- state[5] = s5;
- state[6] = s6;
- state[7] = s7;
- state[8] = s8;
- state[9] = s9;
- state[10] = s10;
- state[11] = s11;
-#else
- le_store_word32(((unsigned char *)(&(state[0]))), s0);
- le_store_word32(((unsigned char *)(&(state[1]))), s1);
- le_store_word32(((unsigned char *)(&(state[2]))), s2);
- le_store_word32(((unsigned char *)(&(state[3]))), s3);
- le_store_word32(((unsigned char *)(&(state[4]))), s4);
- le_store_word32(((unsigned char *)(&(state[5]))), s5);
- le_store_word32(((unsigned char *)(&(state[6]))), s6);
- le_store_word32(((unsigned char *)(&(state[7]))), s7);
- le_store_word32(((unsigned char *)(&(state[8]))), s8);
- le_store_word32(((unsigned char *)(&(state[9]))), s9);
- le_store_word32(((unsigned char *)(&(state[10]))), s10);
- le_store_word32(((unsigned char *)(&(state[11]))), s11);
-#endif
-}
-
-#endif /* !__AVR__ */
diff --git a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/internal-util.h b/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/aead-common.c b/gimli/Implementations/crypto_hash/gimli24v1/rhys/aead-common.c similarity index 100% rename from ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/aead-common.c rename to gimli/Implementations/crypto_hash/gimli24v1/rhys/aead-common.c diff --git a/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/aead-common.h b/gimli/Implementations/crypto_hash/gimli24v1/rhys/aead-common.h similarity index 100% rename from ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/aead-common.h rename to gimli/Implementations/crypto_hash/gimli24v1/rhys/aead-common.h 
diff --git a/gimli/Implementations/crypto_hash/gimli24v1/rhys/api.h b/gimli/Implementations/crypto_hash/gimli24v1/rhys/api.h
new file mode 100644
index 0000000..ae8c7f6
--- /dev/null
+++ b/gimli/Implementations/crypto_hash/gimli24v1/rhys/api.h
@@ -0,0 +1 @@
+#define CRYPTO_BYTES 32
diff --git a/gimli/Implementations/crypto_hash/gimli24v1/rhys/gimli24.c b/gimli/Implementations/crypto_hash/gimli24v1/rhys/gimli24.c
new file mode 100644
index 0000000..4bc7d9f
--- /dev/null
+++ b/gimli/Implementations/crypto_hash/gimli24v1/rhys/gimli24.c
@@ -0,0 +1,330 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "gimli24.h"
+#include "internal-gimli24.h"
+#include 
+
+aead_cipher_t const gimli24_cipher = {
+ "GIMLI-24",
+ GIMLI24_KEY_SIZE,
+ GIMLI24_NONCE_SIZE,
+ GIMLI24_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ gimli24_aead_encrypt,
+ gimli24_aead_decrypt
+};
+
+aead_hash_algorithm_t const gimli24_hash_algorithm = {
+ "GIMLI-24-HASH",
+ sizeof(gimli24_hash_state_t),
+ GIMLI24_HASH_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ gimli24_hash,
+ (aead_hash_init_t)gimli24_hash_init,
+ (aead_hash_update_t)gimli24_hash_absorb,
+ (aead_hash_finalize_t)gimli24_hash_finalize,
+ (aead_xof_absorb_t)gimli24_hash_absorb,
+ (aead_xof_squeeze_t)gimli24_hash_squeeze
+};
+
+/**
+ * \brief Number of bytes of input or output data to process per block.
+ */
+#define GIMLI24_BLOCK_SIZE 16
+
+/**
+ * \brief Structure of the GIMLI-24 state as both an array of words
+ * and an array of bytes.
+ */
+typedef union
+{
+ uint32_t words[12]; /**< Words in the state */
+ uint8_t bytes[48]; /**< Bytes in the state */
+
+} gimli24_state_t;
+
+/**
+ * \brief Absorbs data into a GIMLI-24 state.
+ *
+ * \param state The state to absorb the data into.
+ * \param data Points to the data to be absorbed.
+ * \param len Length of the data to be absorbed.
+ */
+static void gimli24_absorb
+ (gimli24_state_t *state, const unsigned char *data, unsigned long long len)
+{
+ unsigned temp;
+ while (len >= GIMLI24_BLOCK_SIZE) {
+ lw_xor_block(state->bytes, data, GIMLI24_BLOCK_SIZE);
+ gimli24_permute(state->words);
+ data += GIMLI24_BLOCK_SIZE;
+ len -= GIMLI24_BLOCK_SIZE;
+ }
+ temp = (unsigned)len;
+ lw_xor_block(state->bytes, data, temp);
+ state->bytes[temp] ^= 0x01; /* Padding */
+ state->bytes[47] ^= 0x01;
+ gimli24_permute(state->words);
+}
+
+/**
+ * \brief Encrypts a block of data with a GIMLI-24 state.
+ *
+ * \param state The state to encrypt with.
+ * \param dest Points to the destination buffer.
+ * \param src Points to the source buffer.
+ * \param len Length of the data to encrypt from \a src into \a dest.
+ */
+static void gimli24_encrypt
+ (gimli24_state_t *state, unsigned char *dest,
+ const unsigned char *src, unsigned long long len)
+{
+ unsigned temp;
+ while (len >= GIMLI24_BLOCK_SIZE) {
+ lw_xor_block_2_dest(dest, state->bytes, src, GIMLI24_BLOCK_SIZE);
+ gimli24_permute(state->words);
+ dest += GIMLI24_BLOCK_SIZE;
+ src += GIMLI24_BLOCK_SIZE;
+ len -= GIMLI24_BLOCK_SIZE;
+ }
+ temp = (unsigned)len;
+ lw_xor_block_2_dest(dest, state->bytes, src, temp);
+ state->bytes[temp] ^= 0x01; /* Padding */
+ state->bytes[47] ^= 0x01;
+ gimli24_permute(state->words);
+}
+
+/**
+ * \brief Decrypts a block of data with a GIMLI-24 state.
+ *
+ * \param state The state to decrypt with.
+ * \param dest Points to the destination buffer.
+ * \param src Points to the source buffer.
+ * \param len Length of the data to decrypt from \a src into \a dest.
+ */
+static void gimli24_decrypt
+ (gimli24_state_t *state, unsigned char *dest,
+ const unsigned char *src, unsigned long long len)
+{
+ unsigned temp;
+ while (len >= GIMLI24_BLOCK_SIZE) {
+ lw_xor_block_swap(dest, state->bytes, src, GIMLI24_BLOCK_SIZE);
+ gimli24_permute(state->words);
+ dest += GIMLI24_BLOCK_SIZE;
+ src += GIMLI24_BLOCK_SIZE;
+ len -= GIMLI24_BLOCK_SIZE;
+ }
+ temp = (unsigned)len;
+ lw_xor_block_swap(dest, state->bytes, src, temp);
+ state->bytes[temp] ^= 0x01; /* Padding */
+ state->bytes[47] ^= 0x01;
+ gimli24_permute(state->words);
+}
+
+int gimli24_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ gimli24_state_t state;
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + GIMLI24_TAG_SIZE;
+
+ /* Format the initial GIMLI state from the nonce and the key */
+ memcpy(state.words, npub, GIMLI24_NONCE_SIZE);
+ memcpy(state.words + 4, k, GIMLI24_KEY_SIZE);
+
+ /* Permute the initial state */
+ gimli24_permute(state.words);
+
+ /* Absorb the associated data */
+ gimli24_absorb(&state, ad, adlen);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ gimli24_encrypt(&state, c, m, mlen);
+
+ /* Generate the authentication tag at the end of the ciphertext */
+ memcpy(c + mlen, state.bytes, GIMLI24_TAG_SIZE);
+ return 0;
+}
+
+int gimli24_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ gimli24_state_t state;
+ (void)nsec;
+
+ /* Validate the ciphertext
length and set the return "mlen" value */
+ if (clen < GIMLI24_TAG_SIZE)
+ return -1;
+ *mlen = clen - GIMLI24_TAG_SIZE;
+
+ /* Format the initial GIMLI state from the nonce and the key */
+ memcpy(state.words, npub, GIMLI24_NONCE_SIZE);
+ memcpy(state.words + 4, k, GIMLI24_KEY_SIZE);
+
+ /* Permute the initial state */
+ gimli24_permute(state.words);
+
+ /* Absorb the associated data */
+ gimli24_absorb(&state, ad, adlen);
+
+ /* Decrypt the ciphertext to produce the plaintext */
+ gimli24_decrypt(&state, m, c, *mlen);
+
+ /* Check the authentication tag at the end of the packet */
+ return aead_check_tag
+ (m, *mlen, state.bytes, c + *mlen, GIMLI24_TAG_SIZE);
+}
+
+int gimli24_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ gimli24_state_t state;
+
+ /* Initialize the hash state to all zeroes */
+ memset(&state, 0, sizeof(state));
+
+ /* Absorb the input */
+ gimli24_absorb(&state, in, inlen);
+
+ /* Generate the output hash */
+ memcpy(out, state.bytes, GIMLI24_HASH_SIZE / 2);
+ gimli24_permute(state.words);
+ memcpy(out + GIMLI24_HASH_SIZE / 2, state.bytes, GIMLI24_HASH_SIZE / 2);
+ return 0;
+}
+
+void gimli24_hash_init(gimli24_hash_state_t *state)
+{
+ memset(state, 0, sizeof(gimli24_hash_state_t));
+}
+
+#define GIMLI24_XOF_RATE 16
+#define gimli24_xof_permute() \
+ gimli24_permute((uint32_t *)(state->s.state))
+
+void gimli24_hash_absorb
+ (gimli24_hash_state_t *state, const unsigned char *in,
+ unsigned long long inlen)
+{
+ unsigned temp;
+
+ if (state->s.mode) {
+ /* We were squeezing output - go back to the absorb phase */
+ state->s.mode = 0;
+ state->s.count = 0;
+ gimli24_xof_permute();
+ }
+
+ /* Handle the partial left-over block from last time */
+ if (state->s.count) {
+ temp = GIMLI24_XOF_RATE - state->s.count;
+ if (temp > inlen) {
+ temp = (unsigned)inlen;
+ lw_xor_block(state->s.state + state->s.count, in, temp);
+ state->s.count += temp;
+ return;
+ }
+ lw_xor_block(state->s.state + state->s.count, in,
temp);
+ state->s.count = 0;
+ in += temp;
+ inlen -= temp;
+ gimli24_xof_permute();
+ }
+
+ /* Process full blocks that are aligned at state->s.count == 0 */
+ while (inlen >= GIMLI24_XOF_RATE) {
+ lw_xor_block(state->s.state, in, GIMLI24_XOF_RATE);
+ in += GIMLI24_XOF_RATE;
+ inlen -= GIMLI24_XOF_RATE;
+ gimli24_xof_permute();
+ }
+
+ /* Process the left-over block at the end of the input */
+ temp = (unsigned)inlen;
+ lw_xor_block(state->s.state, in, temp);
+ state->s.count = temp;
+}
+
+void gimli24_hash_squeeze
+ (gimli24_hash_state_t *state, unsigned char *out,
+ unsigned long long outlen)
+{
+ unsigned temp;
+
+ /* Pad the final input block if we were still in the absorb phase */
+ if (!state->s.mode) {
+ state->s.state[state->s.count] ^= 0x01;
+ state->s.state[47] ^= 0x01;
+ state->s.count = 0;
+ state->s.mode = 1;
+ }
+
+ /* Handle left-over partial blocks from last time */
+ if (state->s.count) {
+ temp = GIMLI24_XOF_RATE - state->s.count;
+ if (temp > outlen) {
+ temp = (unsigned)outlen;
+ memcpy(out, state->s.state + state->s.count, temp);
+ state->s.count += temp;
+ return;
+ }
+ memcpy(out, state->s.state + state->s.count, temp);
+ out += temp;
+ outlen -= temp;
+ state->s.count = 0;
+ }
+
+ /* Handle full blocks */
+ while (outlen >= GIMLI24_XOF_RATE) {
+ gimli24_xof_permute();
+ memcpy(out, state->s.state, GIMLI24_XOF_RATE);
+ out += GIMLI24_XOF_RATE;
+ outlen -= GIMLI24_XOF_RATE;
+ }
+
+ /* Handle the left-over block */
+ if (outlen > 0) {
+ temp = (unsigned)outlen;
+ gimli24_xof_permute();
+ memcpy(out, state->s.state, temp);
+ state->s.count = temp;
+ }
+}
+
+void gimli24_hash_finalize
+ (gimli24_hash_state_t *state, unsigned char *out)
+{
+ gimli24_hash_squeeze(state, out, GIMLI24_HASH_SIZE);
+}
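Review bot: The `gimli24_xof_permute()` macro reads the local `state` implicitly and casts the `unsigned char state[48]` member of `gimli24_hash_state_t` (declared in the gimli24.h hunk of this commit) to `uint32_t *`; the union's `unsigned long long align` member settles alignment, but accessing a char array as 32-bit words is a strict-aliasing hazard that the AEAD side already avoids with `gimli24_state_t`'s `words`/`bytes` union. Consider giving the hash state the same word view in the header, `uint32_t words[12]; /**< Word view of s.state for gimli24_permute() */`, and replacing the macro with a `static void gimli24_xof_permute(gimli24_hash_state_t *state)` that takes the state explicitly instead of capturing a caller-scope name. Separately, `gimli24_aead_encrypt`, `gimli24_aead_decrypt` and `gimli24_hash` return with the key- and input-derived `state` still on the stack; if the library has a wipe helper the compiler cannot elide, clearing `state` before returning is cheap hardening. The third `#include` at the top of the file shows no header name in this view, while `memcpy`/`memset` below need `<string.h>`, so confirm that directive is intact.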
diff --git a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/drygascon.h b/gimli/Implementations/crypto_hash/gimli24v1/rhys/gimli24.h
similarity index 52%
rename from drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/drygascon.h
rename to gimli/Implementations/crypto_hash/gimli24v1/rhys/gimli24.h
index 12e18c3..f72aec7 100644
--- a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/drygascon.h
+++ b/gimli/Implementations/crypto_hash/gimli24v1/rhys/gimli24.h
@@ -20,31 +20,23 @@
 * DEALINGS IN THE SOFTWARE.
 */
-#ifndef LWCRYPTO_DRYGASCON_H
-#define LWCRYPTO_DRYGASCON_H
+#ifndef LWCRYPTO_GIMLI24_H
+#define LWCRYPTO_GIMLI24_H
 #include "aead-common.h"
 /**
- * \file drygascon.h
- * \brief DryGASCON authenticated encryption algorithm.
+ * \file gimli24.h
+ * \brief Gimli authenticated encryption algorithm.
 *
- * DryGASCON is a family of authenticated encryption algorithms based
- * around a generalised version of the ASCON permutation. DryGASCON
- * is designed to provide some protection against power analysis.
+ * GIMLI-24-CIPHER has a 256-bit key, a 128-bit nonce, and a 128-bit tag.
+ * It is the spiritual successor to the widely used ChaCha20 and has a
+ * similar design.
 *
- * There are four algorithms in the DryGASCON family:
+ * This library also includes an implementation of the hash algorithm
+ * GIMLI-24-HASH in both regular hashing and XOF modes.
 *
- * \li DryGASCON128 is an authenticated encryption algorithm with a
- * 128-bit key, a 128-bit nonce, and a 128-bit authentication tag.
- * \li DryGASCON256 is an authenticated encryption algorithm with a
- * 256-bit key, a 128-bit nonce, and a 128-256 authentication tag.
- * \li DryGASCON128-HASH is a hash algorithm with a 256-bit output.
- * \li DryGASCON256-HASH is a hash algorithm with a 512-bit output.
- *
- * DryGASCON128 and DryGASCON128-HASH are the primary members of the family.
- *
- * References: https://github.com/sebastien-riou/DryGASCON
+ * References: https://gimli.cr.yp.to/
 */
 #ifdef __cplusplus
@@ -52,67 +44,54 @@ extern "C" {
 #endif
 /**
- * \brief Size of the key for DryGASCON128.
- */
-#define DRYGASCON128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for DryGASCON128.
- */
-#define DRYGASCON128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for DryGASCON128.
- */
-#define DRYGASCON128_NONCE_SIZE 16
-
-/**
- * \brief Size of the hash output for DryGASCON128-HASH.
+ * \brief Size of the key for GIMLI-24.
 */
-#define DRYGASCON128_HASH_SIZE 32
+#define GIMLI24_KEY_SIZE 32
 /**
- * \brief Size of the key for DryGASCON256.
+ * \brief Size of the nonce for GIMLI-24.
 */
-#define DRYGASCON256_KEY_SIZE 32
+#define GIMLI24_NONCE_SIZE 16
 /**
- * \brief Size of the authentication tag for DryGASCON256.
+ * \brief Size of the authentication tag for GIMLI-24.
 */
-#define DRYGASCON256_TAG_SIZE 32
+#define GIMLI24_TAG_SIZE 16
 /**
- * \brief Size of the nonce for DryGASCON256.
+ * \brief Size of the hash output for GIMLI-24.
 */
-#define DRYGASCON256_NONCE_SIZE 16
+#define GIMLI24_HASH_SIZE 32
 /**
- * \brief Size of the hash output for DryGASCON256-HASH.
+ * \brief State information for GIMLI-24-HASH incremental modes.
 */
-#define DRYGASCON256_HASH_SIZE 64
+typedef union
+{
+ struct {
+ unsigned char state[48]; /**< Current hash state */
+ unsigned char count; /**< Number of bytes in the current block */
+ unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */
+ } s; /**< State */
+ unsigned long long align; /**< For alignment of this structure */
-/**
- * \brief Meta-information block for the DryGASCON128 cipher.
- */
-extern aead_cipher_t const drygascon128_cipher;
-
-/**
- * \brief Meta-information block for the DryGASCON256 cipher.
- */
-extern aead_cipher_t const drygascon256_cipher;
+} gimli24_hash_state_t;
 /**
- * \brief Meta-information block for DryGASCON128-HASH.
+ * \brief Meta-information block for the GIMLI-24 cipher.
 */
-extern aead_hash_algorithm_t const drygascon128_hash_algorithm;
+extern aead_cipher_t const gimli24_cipher;
 /**
- * \brief Meta-information block for DryGASCON256-HASH.
+ * \brief Meta-information block for the GIMLI-24-HASH algorithm.
+ *
+ * This meta-information block can also be used in XOF mode.
 */
-extern aead_hash_algorithm_t const drygascon256_hash_algorithm;
+extern aead_hash_algorithm_t const gimli24_hash_algorithm;
 /**
- * \brief Encrypts and authenticates a packet with DryGASCON128.
+ * \brief Encrypts and authenticates a packet with GIMLI-24 using the
+ * full AEAD mode.
 *
 * \param c Buffer to receive the output.
 * \param clen On exit, set to the length of the output which includes
@@ -125,14 +104,14 @@ extern aead_hash_algorithm_t const drygascon256_hash_algorithm;
 * \param nsec Secret nonce - not used by this algorithm.
 * \param npub Points to the public nonce for the packet which must
 * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
+ * \param k Points to the 32 bytes of the key to use to encrypt the packet.
 *
 * \return 0 on success, or a negative value if there was an error in
 * the parameters.
 *
- * \sa drygascon128_aead_decrypt()
+ * \sa gimli24_aead_decrypt()
 */
-int drygascon128_aead_encrypt
+int gimli24_aead_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
 const unsigned char *ad, unsigned long long adlen,
@@ -141,7 +120,8 @@ int drygascon128_aead_encrypt
 const unsigned char *k);
 /**
- * \brief Decrypts and authenticates a packet with DryGASCON128.
+ * \brief Decrypts and authenticates a packet with GIMLI-24 using the
+ * full AEAD mode.
 *
 * \param m Buffer to receive the plaintext message on output.
 * \param mlen Receives the length of the plaintext message on output.
@@ -155,14 +135,14 @@ int drygascon128_aead_encrypt
 * \param adlen Length of the associated data in bytes.
 * \param npub Points to the public nonce for the packet which must
 * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
+ * \param k Points to the 32 bytes of the key to use to decrypt the packet.
 *
 * \return 0 on success, -1 if the authentication tag was incorrect,
 * or some other negative number if there was an error in the parameters.
 *
- * \sa drygascon128_aead_encrypt()
+ * \sa gimli24_aead_encrypt()
 */
-int drygascon128_aead_decrypt
+int gimli24_aead_decrypt
 (unsigned char *m, unsigned long long *mlen,
 unsigned char *nsec,
 const unsigned char *c, unsigned long long clen,
@@ -171,91 +151,67 @@ int drygascon128_aead_decrypt
 const unsigned char *k);
 /**
- * \brief Encrypts and authenticates a packet with DryGASCON256.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
+ * \brief Hashes a block of input data with GIMLI-24 to generate a hash value.
 *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
+ * \param out Buffer to receive the hash output which must be at least
+ * GIMLI24_HASH_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
 *
- * \sa drygascon256_aead_decrypt()
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
 */
-int drygascon256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
+int gimli24_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen);
 /**
- * \brief Decrypts and authenticates a packet with DryGASCON256.
+ * \brief Initializes the state for a GIMLI-24-HASH hashing operation.
 *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
+ * \param state Hash state to be initialized.
 *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
+ * \sa gimli24_hash_absorb(), gimli24_hash_squeeze(), gimli24_hash()
+ */
+void gimli24_hash_init(gimli24_hash_state_t *state);
+
+/**
+ * \brief Aborbs more input data into a GIMLI-24-HASH state.
 *
- * \sa drygascon256_aead_encrypt()
+ * \param state Hash state to be updated.
+ * \param in Points to the input data to be absorbed into the state.
+ * \param inlen Length of the input data to be absorbed into the state.
+ *
+ * \sa gimli24_hash_init(), gimli24_hash_squeeze()
 */
-int drygascon256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
+void gimli24_hash_absorb
+ (gimli24_hash_state_t *state, const unsigned char *in,
+ unsigned long long inlen);
 /**
- * \brief Hashes a block of input data with DRYGASCON128.
+ * \brief Squeezes output data from an GIMLI-24-HASH state.
 *
- * \param out Buffer to receive the hash output which must be at least
- * DRYGASCON128_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
+ * \param state Hash state to squeeze the output data from.
+ * \param out Points to the output buffer to receive the squeezed data.
+ * \param outlen Number of bytes of data to squeeze out of the state.
 *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
+ * \sa gimli24_hash_init(), gimli24_hash_absorb()
 */
-int drygascon128_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
+void gimli24_hash_squeeze
+ (gimli24_hash_state_t *state, unsigned char *out,
+ unsigned long long outlen);
 /**
- * \brief Hashes a block of input data with DRYGASCON256.
+ * \brief Returns the final hash value from a GIMLI-24-HASH hashing operation.
 *
- * \param out Buffer to receive the hash output which must be at least
- * DRYGASCON256_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
+ * \param state Hash state to be finalized.
+ * \param out Points to the output buffer to receive the hash value.
 *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
+ * \note This is a wrapper around gimli24_hash_squeeze() for a fixed length
+ * of GIMLI24_HASH_SIZE bytes.
+ *
+ * \sa gimli24_hash_init(), gimli24_hash_absorb()
 */
-int drygascon256_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
+void gimli24_hash_finalize
+ (gimli24_hash_state_t *state, unsigned char *out);
 #ifdef __cplusplus
 }
diff --git a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/hash.c b/gimli/Implementations/crypto_hash/gimli24v1/rhys/hash.c
similarity index 100%
rename from gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/hash.c
rename to gimli/Implementations/crypto_hash/gimli24v1/rhys/hash.c
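Review bot: Typo in the new doc comment for `gimli24_hash_absorb()` in this hunk: `\brief Aborbs more input data into a GIMLI-24-HASH state.` should read `\brief Absorbs more input data into a GIMLI-24-HASH state.`, and the squeeze comment below it has `from an GIMLI-24-HASH state` where `from a GIMLI-24-HASH state` is meant. The absorb/squeeze comments would also benefit from stating the phase rule the gimli24.c hunk implements: the first squeeze after absorbing pads the block, and absorbing again after a squeeze re-enters the absorb phase, so callers know interleaving the two is supported. A one-line note on `gimli24_hash_state_t` that `s.state` is passed to the permutation as 32-bit words would document why the `align` member exists.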
diff --git a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/internal-gimli24-avr.S b/gimli/Implementations/crypto_hash/gimli24v1/rhys/internal-gimli24-avr.S
similarity index 100%
rename from gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/internal-gimli24-avr.S
rename to gimli/Implementations/crypto_hash/gimli24v1/rhys/internal-gimli24-avr.S
diff --git a/gimli/Implementations/crypto_hash/gimli24v1/rhys/internal-gimli24.c b/gimli/Implementations/crypto_hash/gimli24v1/rhys/internal-gimli24.c
new file mode 100644
index 0000000..d719988
--- /dev/null
+++ b/gimli/Implementations/crypto_hash/gimli24v1/rhys/internal-gimli24.c
@@ -0,0 +1,142 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. 
+ */ + +#include "internal-gimli24.h" + +#if !defined(__AVR__) + +/* Apply the SP-box to a specific column in the state array */ +#define GIMLI24_SP(s0, s4, s8) \ + do { \ + x = leftRotate24(s0); \ + y = leftRotate9(s4); \ + s4 = y ^ x ^ ((x | s8) << 1); \ + s0 = s8 ^ y ^ ((x & y) << 3); \ + s8 = x ^ (s8 << 1) ^ ((y & s8) << 2); \ + } while (0) + +void gimli24_permute(uint32_t state[12]) +{ + uint32_t s0, s1, s2, s3, s4, s5; + uint32_t s6, s7, s8, s9, s10, s11; + uint32_t x, y; + unsigned round; + + /* Load the state into local variables and convert from little-endian */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s0 = state[0]; + s1 = state[1]; + s2 = state[2]; + s3 = state[3]; + s4 = state[4]; + s5 = state[5]; + s6 = state[6]; + s7 = state[7]; + s8 = state[8]; + s9 = state[9]; + s10 = state[10]; + s11 = state[11]; +#else + s0 = le_load_word32((const unsigned char *)(&(state[0]))); + s1 = le_load_word32((const unsigned char *)(&(state[1]))); + s2 = le_load_word32((const unsigned char *)(&(state[2]))); + s3 = le_load_word32((const unsigned char *)(&(state[3]))); + s4 = le_load_word32((const unsigned char *)(&(state[4]))); + s5 = le_load_word32((const unsigned char *)(&(state[5]))); + s6 = le_load_word32((const unsigned char *)(&(state[6]))); + s7 = le_load_word32((const unsigned char *)(&(state[7]))); + s8 = le_load_word32((const unsigned char *)(&(state[8]))); + s9 = le_load_word32((const unsigned char *)(&(state[9]))); + s10 = le_load_word32((const unsigned char *)(&(state[10]))); + s11 = le_load_word32((const unsigned char *)(&(state[11]))); +#endif + + /* Unroll and perform the rounds 4 at a time */ + for (round = 24; round > 0; round -= 4) { + /* Round 0: SP-box, small swap, add round constant */ + GIMLI24_SP(s0, s4, s8); + GIMLI24_SP(s1, s5, s9); + GIMLI24_SP(s2, s6, s10); + GIMLI24_SP(s3, s7, s11); + x = s0; + y = s2; + s0 = s1 ^ 0x9e377900U ^ round; + s1 = x; + s2 = s3; + s3 = y; + + /* Round 1: SP-box only */ + GIMLI24_SP(s0, s4, s8); + GIMLI24_SP(s1, s5, s9); + 
GIMLI24_SP(s2, s6, s10); + GIMLI24_SP(s3, s7, s11); + + /* Round 2: SP-box, big swap */ + GIMLI24_SP(s0, s4, s8); + GIMLI24_SP(s1, s5, s9); + GIMLI24_SP(s2, s6, s10); + GIMLI24_SP(s3, s7, s11); + x = s0; + y = s1; + s0 = s2; + s1 = s3; + s2 = x; + s3 = y; + + /* Round 3: SP-box only */ + GIMLI24_SP(s0, s4, s8); + GIMLI24_SP(s1, s5, s9); + GIMLI24_SP(s2, s6, s10); + GIMLI24_SP(s3, s7, s11); + } + + /* Convert state to little-endian if the platform is not little-endian */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state[0] = s0; + state[1] = s1; + state[2] = s2; + state[3] = s3; + state[4] = s4; + state[5] = s5; + state[6] = s6; + state[7] = s7; + state[8] = s8; + state[9] = s9; + state[10] = s10; + state[11] = s11; +#else + le_store_word32(((unsigned char *)(&(state[0]))), s0); + le_store_word32(((unsigned char *)(&(state[1]))), s1); + le_store_word32(((unsigned char *)(&(state[2]))), s2); + le_store_word32(((unsigned char *)(&(state[3]))), s3); + le_store_word32(((unsigned char *)(&(state[4]))), s4); + le_store_word32(((unsigned char *)(&(state[5]))), s5); + le_store_word32(((unsigned char *)(&(state[6]))), s6); + le_store_word32(((unsigned char *)(&(state[7]))), s7); + le_store_word32(((unsigned char *)(&(state[8]))), s8); + le_store_word32(((unsigned char *)(&(state[9]))), s9); + le_store_word32(((unsigned char *)(&(state[10]))), s10); + le_store_word32(((unsigned char *)(&(state[11]))), s11); +#endif +} + +#endif /* !__AVR__ */ diff --git a/gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/internal-gimli24.h b/gimli/Implementations/crypto_hash/gimli24v1/rhys/internal-gimli24.h similarity index 100% rename from gimli/Implementations/crypto_aead/gimli24v1/rhys-avr/internal-gimli24.h rename to gimli/Implementations/crypto_hash/gimli24v1/rhys/internal-gimli24.h 
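Review bot: GIMLI24_SP reads and writes two `uint32_t` temporaries named `x` and `y` that it never declares, and it assigns through all three of its arguments, so the macro only compiles inside gimli24_permute or another function that happens to declare the same locals; the one-line comment above the `#define` should spell that out, e.g. `/* Expects uint32_t temporaries x and y in the enclosing scope; s0/s4/s8 must be plain lvalues since each is evaluated more than once */`. The permutation body itself is branch-free and touches the state only through rotates, shifts, XOR/AND/OR, so there is no data-dependent timing to flag in this hunk. The non-little-endian path loads and stores each word via `le_load_word32`/`le_store_word32` on `(unsigned char *)&state[i]`, which appears to mean the caller's `state` is treated as 48 little-endian bytes rather than host-order words; if the header in this commit does not already say so, gimli24_permute deserves a header comment stating that byte-order contract, since the new file has none.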
diff --git a/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/internal-util.h b/gimli/Implementations/crypto_hash/gimli24v1/rhys/internal-util.h similarity index 100% rename from ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/internal-util.h rename to gimli/Implementations/crypto_hash/gimli24v1/rhys/internal-util.h diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/aead-common.c b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/aead-common.h b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/api.h b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/api.h deleted file mode 100644 index 32c9622..0000000 --- a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 12 -#define CRYPTO_ABYTES 8 -#define CRYPTO_NOOVERLAP 1 diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/encrypt.c b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/encrypt.c deleted file mode 100644 index 2724d30..0000000 --- a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@ - -#include "grain128.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return grain128_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return grain128_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/grain128.c b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/grain128.c deleted file mode 100644 index fa41b64..0000000 --- a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/grain128.c +++ /dev/null 
@@ -1,151 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "grain128.h" -#include "internal-grain128.h" -#include - -aead_cipher_t const grain128_aead_cipher = { - "Grain-128AEAD", - GRAIN128_KEY_SIZE, - GRAIN128_NONCE_SIZE, - GRAIN128_TAG_SIZE, - AEAD_FLAG_NONE, - grain128_aead_encrypt, - grain128_aead_decrypt -}; - -/** - * \brief Encodes the associated data length in DER. - * - * \param buf The buffer to encode the length into. - * \param adlen The length of the associated data in bytes, which must be - * less than 2^32 to limit the length of the DER encoding to 5 bytes. - * - * \return The length of the DER encoding that was written to \a buf. 
- */ -static unsigned grain128_encode_adlen - (unsigned char buf[5], unsigned long long adlen) -{ - if (adlen < 0x80U) { - buf[0] = (unsigned char)adlen; - return 1; - } else if (adlen < 0x100U) { - buf[0] = 0x81; - buf[1] = (unsigned char)adlen; - return 2; - } else if (adlen < 0x10000U) { - buf[0] = 0x82; - buf[1] = (unsigned char)(adlen >> 8); - buf[2] = (unsigned char)adlen; - return 3; - } else if (adlen < 0x1000000U) { - buf[0] = 0x83; - buf[1] = (unsigned char)(adlen >> 16); - buf[2] = (unsigned char)(adlen >> 8); - buf[3] = (unsigned char)adlen; - return 4; - } else { - buf[0] = 0x84; - buf[1] = (unsigned char)(adlen >> 24); - buf[2] = (unsigned char)(adlen >> 16); - buf[3] = (unsigned char)(adlen >> 8); - buf[4] = (unsigned char)adlen; - return 5; - } -} - -int grain128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - grain128_state_t state; - unsigned char der[5]; - unsigned derlen; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + GRAIN128_TAG_SIZE; - - /* Limit the amount of associated data to make DER encoding easier */ - if (adlen >= 0x100000000ULL) - return -2; - - /* Initialize the Grain-128 stream cipher with the key and nonce */ - grain128_setup(&state, k, npub); - - /* Authenticate the associated data, prefixed with the DER-encoded length */ - derlen = grain128_encode_adlen(der, adlen); - grain128_authenticate(&state, der, derlen); - grain128_authenticate(&state, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - grain128_encrypt(&state, c, m, mlen); - - /* Generate the authentication tag */ - grain128_compute_tag(&state); - memcpy(c + mlen, state.ks, GRAIN128_TAG_SIZE); - return 0; -} - -int grain128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const 
unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - grain128_state_t state; - unsigned char der[5]; - unsigned derlen; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < GRAIN128_TAG_SIZE) - return -1; - *mlen = clen - GRAIN128_TAG_SIZE; - - /* Limit the amount of associated data to make DER encoding easier */ - if (adlen >= 0x100000000ULL) - return -2; - - /* Initialize the Grain-128 stream cipher with the key and nonce */ - grain128_setup(&state, k, npub); - - /* Authenticate the associated data, prefixed with the DER-encoded length */ - derlen = grain128_encode_adlen(der, adlen); - grain128_authenticate(&state, der, derlen); - grain128_authenticate(&state, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= GRAIN128_TAG_SIZE; - grain128_decrypt(&state, m, c, clen); - - /* Check the authentication tag */ - grain128_compute_tag(&state); - return aead_check_tag(m, clen, state.ks, c + clen, GRAIN128_TAG_SIZE); -} diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/grain128.h b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/grain128.h deleted file mode 100644 index c8d6de9..0000000 --- a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/grain128.h +++ /dev/null 
@@ -1,125 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_GRAIN128_H -#define LWCRYPTO_GRAIN128_H - -#include "aead-common.h" - -/** - * \file grain128.h - * \brief Grain-128AEAD authenticated encryption algorithm. - * - * Grain-128AEAD is an authenticated encryption algorithm based around a - * combination of a 128-bit linear feedback shift register (LFSR) and a - * 128-bit non-linear feedback shift register (NFSR). It is a member of - * the Grain family of stream ciphers. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for Grain-128AEAD. - */ -#define GRAIN128_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Grain-128AEAD. - */ -#define GRAIN128_TAG_SIZE 8 - -/** - * \brief Size of the nonce for Grain-128AEAD. 
- */ -#define GRAIN128_NONCE_SIZE 12 - -/** - * \brief Meta-information block for the Grain-128AEAD cipher. - */ -extern aead_cipher_t const grain128_aead_cipher; - -/** - * \brief Encrypts and authenticates a packet with Grain-128AEAD. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa grain128_aead_decrypt() - */ -int grain128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Grain-128AEAD. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa grain128_aead_encrypt() - */ -int grain128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/internal-grain128.c b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/internal-grain128.c deleted file mode 100644 index d0d71ea..0000000 --- a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/internal-grain128.c +++ /dev/null 
@@ -1,411 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-grain128.h" - -/* Extracts 32 bits from the Grain state that are not word-aligned */ -#define GWORD(a, b, start_bit) \ - (((a) << ((start_bit) % 32)) ^ ((b) >> (32 - ((start_bit) % 32)))) - -/** - * \brief Performs 32 rounds of Grain-128 in parallel. - * - * \param state Grain-128 state. - * \param x 32 bits of input to be incorporated into the LFSR state, or zero. - * \param x2 Another 32 bits to be incorporated into the NFSR state, or zero. 
- */ -static void grain128_core - (grain128_state_t *state, uint32_t x, uint32_t x2) -{ - uint32_t s0, s1, s2, s3; - - /* From the Grain-128AEAD specification, the LFSR feedback algorithm is: - * - * s'[i] = s[i + 1] - * s'[127] = s[0] ^ s[7] ^ s[38] ^ s[70] ^ s[81] ^ s[96] ^ x - * - * The bits are numbered from the most significant bit in the first - * word of the LFSR state. Calculate the feedback bits 32 at a time. - */ - s0 = state->lfsr[0]; - s1 = state->lfsr[1]; - s2 = state->lfsr[2]; - s3 = state->lfsr[3]; - x ^= s0; /* s[0] */ - x ^= GWORD(s0, s1, 7); /* s[7] */ - x ^= GWORD(s1, s2, 38); /* s[38] */ - x ^= GWORD(s2, s3, 70); /* s[70] */ - x ^= GWORD(s2, s3, 81); /* s[81] */ - x ^= s3; /* s[96] */ - - /* Rotate the LFSR state left by 32 bits and feed s0 into the NFSR */ - state->lfsr[0] = s1; - state->lfsr[1] = s2; - state->lfsr[2] = s3; - state->lfsr[3] = x; - x2 ^= s0; - - /* Perform the NFSR feedback algorithm from the specification: - * - * b'[i] = b[i + 1] - * b'[127] = s'[127] ^ b[0] ^ b[26] ^ b[56] ^ b[91] ^ b[96] - * ^ (b[3] & b[67]) ^ (b[11] & b[13]) ^ (b[17] & b[18]) - * ^ (b[27] & b[59]) ^ (b[40] & b[48]) ^ (b[61] & b[65]) - * ^ (b[68] & b[84]) ^ (b[22] & b[24] & b[25]) - * ^ (b[70] & b[78] & b[82]) - * ^ (b[88] & b[92] & b[93] & b[95]) ^ x2 - * - * Once again, we calculate 32 feedback bits in parallel. 
- */ - s0 = state->nfsr[0]; - s1 = state->nfsr[1]; - s2 = state->nfsr[2]; - s3 = state->nfsr[3]; - x2 ^= s0; /* b[0] */ - x2 ^= GWORD(s0, s1, 26); /* b[26] */ - x2 ^= GWORD(s1, s2, 56); /* b[56] */ - x2 ^= GWORD(s2, s3, 91); /* b[91] */ - x2 ^= s3; /* b[96] */ - x2 ^= GWORD(s0, s1, 3) & GWORD(s2, s3, 67); /* b[3] & b[67] */ - x2 ^= GWORD(s0, s1, 11) & GWORD(s0, s1, 13); /* b[11] & b[13] */ - x2 ^= GWORD(s0, s1, 17) & GWORD(s0, s1, 18); /* b[17] & b[18] */ - x2 ^= GWORD(s0, s1, 27) & GWORD(s1, s2, 59); /* b[27] & b[59] */ - x2 ^= GWORD(s1, s2, 40) & GWORD(s1, s2, 48); /* b[40] & b[48] */ - x2 ^= GWORD(s1, s2, 61) & GWORD(s2, s3, 65); /* b[61] & b[65] */ - x2 ^= GWORD(s2, s3, 68) & GWORD(s2, s3, 84); /* b[68] & b[84] */ - x2 ^= GWORD(s0, s1, 22) & GWORD(s0, s1, 24) & /* b[22] & b[24] & b[25] */ - GWORD(s0, s1, 25); - x2 ^= GWORD(s2, s3, 70) & GWORD(s2, s3, 78) & /* b[70] & b[78] & b[82] */ - GWORD(s2, s3, 82); - x2 ^= GWORD(s2, s3, 88) & GWORD(s2, s3, 92) & /* b[88] & b[92] ... */ - GWORD(s2, s3, 93) & GWORD(s2, s3, 95); /* ... & b[93] & b[95] */ - - /* Rotate the NFSR state left by 32 bits */ - state->nfsr[0] = s1; - state->nfsr[1] = s2; - state->nfsr[2] = s3; - state->nfsr[3] = x2; -} - -/** - * \brief Generates 32 bits of pre-output data. - * - * \param state Grain-128 state. - * - * \return The generated 32 bits of pre-output data. - */ -static uint32_t grain128_preoutput(const grain128_state_t *state) -{ - uint32_t s0, s1, s2, s3; - uint32_t b0, b1, b2, b3; - uint32_t x0, x4, y; - - /* From the Grain-128AEAD specification, each pre-output bit y is given by: - * - * x[0..8] = b[12], s[8], s[13], s[20], b[95], - * s[42], s[60], s[79], s[94] - * h(x) = (x[0] & x[1]) ^ (x[2] & x[3]) ^ (x[4] & x[5]) - * ^ (x[6] & x[7]) ^ (x[0] & x[4] & x[8]) - * y = h(x) ^ s[93] ^ b[2] ^ b[15] ^ b[36] ^ b[45] - * ^ b[64] ^ b[73] ^ b[89] - * - * Calculate 32 pre-output bits in parallel. 
- */ - s0 = state->lfsr[0]; - s1 = state->lfsr[1]; - s2 = state->lfsr[2]; - s3 = state->lfsr[3]; - b0 = state->nfsr[0]; - b1 = state->nfsr[1]; - b2 = state->nfsr[2]; - b3 = state->nfsr[3]; - x0 = GWORD(b0, b1, 12); - x4 = GWORD(b2, b3, 95); - y = (x0 & GWORD(s0, s1, 8)); /* x[0] & x[1] */ - y ^= (GWORD(s0, s1, 13) & GWORD(s0, s1, 20)); /* x[2] & x[3] */ - y ^= (x4 & GWORD(s1, s2, 42)); /* x[4] & x[5] */ - y ^= (GWORD(s1, s2, 60) & GWORD(s2, s3, 79)); /* x[6] & x[7] */ - y ^= (x0 & x4 & GWORD(s2, s3, 94)); /* x[0] & x[4] & x[8] */ - y ^= GWORD(s2, s3, 93); /* s[93] */ - y ^= GWORD(b0, b1, 2); /* b[2] */ - y ^= GWORD(b0, b1, 15); /* b[15] */ - y ^= GWORD(b1, b2, 36); /* b[36] */ - y ^= GWORD(b1, b2, 45); /* b[45] */ - y ^= b2; /* b[64] */ - y ^= GWORD(b2, b3, 73); /* b[73] */ - y ^= GWORD(b2, b3, 89); /* b[89] */ - return y; -} - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step_simple */ -#define bit_permute_step_simple(_y, mask, shift) \ - do { \ - (_y) = (((_y) & (mask)) << (shift)) | (((_y) >> (shift)) & (mask)); \ - } while (0) - -void grain128_setup - (grain128_state_t *state, const unsigned char *key, - const unsigned char *nonce) -{ - uint32_t k[4]; - unsigned round; - - /* Internally, the Grain-128 stream cipher uses big endian bit - * order, but the Grain-128AEAD specification for NIST uses little - * endian bit order. We need to swap the bits around when we load - * the bits of the key and the nonce. - * - * Permutation generated with "http://programming.sirrida.de/calcperm.php". 
- * - * P = [7 6 5 4 3 2 1 0 15 14 13 12 11 10 9 8 - * 23 22 21 20 19 18 17 16 31 30 29 28 27 26 25 24] - */ - #define SWAP_BITS(out, in) \ - do { \ - uint32_t tmp = (in); \ - bit_permute_step_simple(tmp, 0x55555555, 1); \ - bit_permute_step_simple(tmp, 0x33333333, 2); \ - bit_permute_step_simple(tmp, 0x0f0f0f0f, 4); \ - (out) = tmp; \ - } while (0) - - /* Initialize the LFSR state with the nonce and padding */ - SWAP_BITS(state->lfsr[0], be_load_word32(nonce)); - SWAP_BITS(state->lfsr[1], be_load_word32(nonce + 4)); - SWAP_BITS(state->lfsr[2], be_load_word32(nonce + 8)); - state->lfsr[3] = 0xFFFFFFFEU; /* pad with all-1s and a terminating 0 */ - - /* Initialize the NFSR state with the key */ - SWAP_BITS(k[0], be_load_word32(key)); - SWAP_BITS(k[1], be_load_word32(key + 4)); - SWAP_BITS(k[2], be_load_word32(key + 8)); - SWAP_BITS(k[3], be_load_word32(key + 12)); - state->nfsr[0] = k[0]; - state->nfsr[1] = k[1]; - state->nfsr[2] = k[2]; - state->nfsr[3] = k[3]; - - /* Perform 256 rounds of Grain-128 to mix up the initial state. - * The rounds can be performed 32 at a time: 32 * 8 = 256 */ - for (round = 0; round < 8; ++round) { - uint32_t y = grain128_preoutput(state); - grain128_core(state, y, y); - } - - /* Absorb the key into the state again and generate the initial - * state of the accumulator and the shift register */ - state->accum = ((uint64_t)(grain128_preoutput(state))) << 32; - grain128_core(state, k[0], 0); - state->accum |= grain128_preoutput(state); - grain128_core(state, k[1], 0); - state->sr = ((uint64_t)(grain128_preoutput(state))) << 32; - grain128_core(state, k[2], 0); - state->sr |= grain128_preoutput(state); - grain128_core(state, k[3], 0); - - /* No keystream data has been generated yet */ - state->posn = sizeof(state->ks); -} - -/** - * \brief Generates the next 16 byte block of keystream output data. - * - * \param state Grain-128 state. 
- */ -static void grain128_next_keystream(grain128_state_t *state) -{ - unsigned posn; - for (posn = 0; posn < sizeof(state->ks); posn += 4) { - /* Get the next word of pre-output and run the Grain-128 core */ - uint32_t x = grain128_preoutput(state); - grain128_core(state, 0, 0); - - /* Grain-128 uses big-endian bit order, but the NIST functions - * that are built on top of this use little-endian bit order. - * Swap the bits around so that they are ready for use later. - * - * We also need to separate the bits: even bits are used to encrypt - * and odd bits are used to authenticate. Shift them to separate - * bytes to make it easier to access the even and odd bits later. - * - * P = [7 15 6 14 5 13 4 12 3 11 2 10 1 9 0 8 - * 23 31 22 30 21 29 20 28 19 27 18 26 17 25 16 24] - */ - bit_permute_step(x, 0x11111111, 3); - bit_permute_step(x, 0x03030303, 6); - bit_permute_step(x, 0x000f000f, 12); - bit_permute_step_simple(x, 0x00ff00ff, 8); - be_store_word32(state->ks + posn, x); - } -} - -void grain128_authenticate - (grain128_state_t *state, const unsigned char *data, - unsigned long long len) -{ - unsigned char abyte; - unsigned char sbyte; - unsigned char bit; - uint64_t accum = state->accum; - uint64_t sr = state->sr; - unsigned posn = state->posn; - while (len > 0) { - /* Fetch the next byte to be authenticated */ - abyte = *data++; - --len; - - /* Request more keystream data if necessary */ - if (posn >= sizeof(state->ks)) { - grain128_next_keystream(state); - posn = 0; - } - - /* Get the next byte of keystream to add to the shift register. - * We use the odd bytes from the keystream and ignore even ones */ - sbyte = state->ks[posn + 1]; - posn += 2; - - /* XOR the shift register with the accumulator for each 1 bit - * in the byte that we are authenticating. 
And shift in the - * keystream byte we retrieved above */ - for (bit = 0; bit < 8; ++bit) { - accum ^= sr & (-((uint64_t)(abyte & 0x01))); - sr = (sr << 1) ^ (sbyte & 0x01); - abyte >>= 1; - sbyte >>= 1; - } - } - state->accum = accum; - state->sr = sr; - state->posn = posn; -} - -void grain128_encrypt - (grain128_state_t *state, unsigned char *c, const unsigned char *m, - unsigned long long len) -{ - unsigned char mbyte; - unsigned char sbyte; - unsigned char bit; - uint64_t accum = state->accum; - uint64_t sr = state->sr; - unsigned posn = state->posn; - while (len > 0) { - /* Fetch the next byte to be encrypted and authenticated */ - mbyte = *m++; - --len; - - /* Request more keystream data if necessary */ - if (posn >= sizeof(state->ks)) { - grain128_next_keystream(state); - posn = 0; - } - - /* Get the next two bytes of keystream data. The even byte is - * used to encrypt the input and the odd byte is shifted into - * the shift register for authentication purposes */ - *c++ = mbyte ^ state->ks[posn]; - sbyte = state->ks[posn + 1]; - posn += 2; - - /* XOR the shift register with the accumulator for each 1 bit - * in the plaintext byte that we are authenticating. 
And shift - * in the keystream byte we retrieved above */ - for (bit = 0; bit < 8; ++bit) { - accum ^= sr & (-((uint64_t)(mbyte & 0x01))); - sr = (sr << 1) ^ (sbyte & 0x01); - mbyte >>= 1; - sbyte >>= 1; - } - } - state->accum = accum; - state->sr = sr; - state->posn = posn; -} - -void grain128_decrypt - (grain128_state_t *state, unsigned char *m, const unsigned char *c, - unsigned long long len) -{ - unsigned char mbyte; - unsigned char sbyte; - unsigned char bit; - uint64_t accum = state->accum; - uint64_t sr = state->sr; - unsigned posn = state->posn; - while (len > 0) { - /* Fetch the next byte to be decrypted and authenticated */ - mbyte = *c++; - --len; - - /* Request more keystream data if necessary */ - if (posn >= sizeof(state->ks)) { - grain128_next_keystream(state); - posn = 0; - } - - /* Get the next two bytes of keystream data. The even byte is - * used to decrypt the input and the odd byte is shifted into - * the shift register for authentication purposes */ - mbyte ^= state->ks[posn]; - *m++ = mbyte; - sbyte = state->ks[posn + 1]; - posn += 2; - - /* XOR the shift register with the accumulator for each 1 bit - * in the plaintext byte that we are authenticating. And shift - * in the keystream byte we retrieved above */ - for (bit = 0; bit < 8; ++bit) { - accum ^= sr & (-((uint64_t)(mbyte & 0x01))); - sr = (sr << 1) ^ (sbyte & 0x01); - mbyte >>= 1; - sbyte >>= 1; - } - } - state->accum = accum; - state->sr = sr; - state->posn = posn; -} - -void grain128_compute_tag(grain128_state_t *state) -{ - uint64_t x; - - /* Authenticate a final 1 bit as padding on the stream */ - state->accum ^= state->sr; - - /* Swap the bits of the accumulator into little endian - * order and write them to the keystream buffer */ - x = state->accum; - bit_permute_step_simple(x, 0x5555555555555555ULL, 1); - bit_permute_step_simple(x, 0x3333333333333333ULL, 2); - bit_permute_step_simple(x, 0x0f0f0f0f0f0f0f0fULL, 4); - be_store_word64(state->ks, x); -} 
diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/internal-grain128.h b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/internal-grain128.h
deleted file mode 100644
index 4c3a6e4..0000000
--- a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/internal-grain128.h
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_GRAIN128_H
-#define LW_INTERNAL_GRAIN128_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-grain128.h
- * \brief Internal implementation of the Grain-128 stream cipher.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Representation of the state of Grain-128.
- *
- * Note: The specification numbers bits starting with the most significant,
- * so bit 0 is in the highest bit of the first word of each field below.
- */
-typedef struct
-{
- uint32_t lfsr[4]; /**< 128-bit LFSR state for Grain-128 */
- uint32_t nfsr[4]; /**< 128-bit NFSR state for Grain-128 */
- uint64_t accum; /**< 64-bit accumulator for authentication */
- uint64_t sr; /**< 64-bit shift register for authentication */
- unsigned char ks[16]; /**< Keystream block for auth or encrypt mode */
- unsigned posn; /**< Current position within the keystream */
-
-} grain128_state_t;
-
-/**
- * \brief Sets up the initial Grain-128 state with the key and nonce.
- *
- * \param state Grain-128 state to be initialized.
- * \param key Points to the 128-bit key.
- * \param nonce Points to the 96-bit nonce.
- */
-void grain128_setup
- (grain128_state_t *state, const unsigned char *key,
- const unsigned char *nonce);
-
-/**
- * \brief Authenticates data with Grain-128.
- *
- * \param state Grain-128 state.
- * \param data Points to the data to be authenticated.
- * \param len Length of the data to be authenticated.
- */
-void grain128_authenticate
- (grain128_state_t *state, const unsigned char *data,
- unsigned long long len);
-
-/**
- * \brief Encrypts and authenticates data with Grain-128.
- *
- * \param state Grain-128 state.
- * \param c Points to the ciphertext output buffer.
- * \param m Points to the plaintext input buffer.
- * \param len Length of the data to be encrypted.
- */
-void grain128_encrypt
- (grain128_state_t *state, unsigned char *c, const unsigned char *m,
- unsigned long long len);
-
-/**
- * \brief Decrypts and authenticates data with Grain-128.
- *
- * \param state Grain-128 state.
- * \param m Points to the plaintext output buffer.
- * \param c Points to the ciphertext input buffer.
- * \param len Length of the data to be decrypted.
- */
-void grain128_decrypt
- (grain128_state_t *state, unsigned char *m, const unsigned char *c,
- unsigned long long len);
-
-/**
- * \brief Computes the final authentiation tag.
- *
- * \param state Grain-128 state.
- *
- * The final authentication tag is written to the first 8 bytes of state->ks.
- */
-void grain128_compute_tag(grain128_state_t *state);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/internal-util.h b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-util.h b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-util.h index e79158c..e30166d 100644 --- a/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-util.h +++ b/grain-128aead/Implementations/crypto_aead/grain128aead/rhys/internal-util.h 
@@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
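Review bot: The LW_CRYPTO_ROTATE32_COMPOSED selector in the first hunk is fixed by `__AVR__` alone, so the composed macros introduced further down can only ever be compiled on an AVR toolchain and the barrel-shifter path can never be compared against them in a host build. Wrapping the selection as `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` around the existing `#if defined(__AVR__)` block, the same override pattern this patch uses for GIFT128_VARIANT_ASM in internal-gift128-config.h, would let a host test build define it to 1 and check every composed rotation against the generic leftRotate/rightRotate for all 32 counts. The comment above the selector could then also say `/* Define LW_CRYPTO_ROTATE32_COMPOSED=1 on the command line to test the composed forms elsewhere. */`.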
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.c b/hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.c index 3af79fa..db5ba2b 100644 --- a/hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.c 
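Review bot: The heading comment `/* Composed rotation macros where 1 and 8 are fast, but others are slow */` understates what the block relies on: leftRotate12 through leftRotate27 use 16 and 24 as primitives as well, so `/* Composed rotation macros where 1 and multiples of 8 are fast, but others are slow */` matches both the code and the explanatory comment added in the earlier hunk. Each composed form is a chain of nested leftRotate/rightRotate invocations; if those are the statement-expression form used for leftRotate_64 in this file, every nesting level declares another `_temp`, so `-Wshadow` builds will warn at each use of the deeper macros under this configuration. A short comment noting that the shadowing is intentional and harmless would save the next reader from chasing it.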
+++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/hyena.c
@@ -52,6 +52,23 @@ static void hyena_double_delta(unsigned char D[8])
 }
 /**
+ * \brief Triples a delta value in the F(2^64) field.
+ *
+ * \param D The delta value to be tripled.
+ *
+ * D' = D ^ (D << 1) if the top-most bit is 0, or D' = D ^ (D << 1) ^ 0x1B
+ * otherwise.
+ */
+static void hyena_triple_delta(unsigned char D[8])
+{
+ unsigned index;
+ unsigned char mask = (unsigned char)(((signed char)(D[0])) >> 7);
+ for (index = 0; index < 7; ++index)
+ D[index] ^= (D[index] << 1) | (D[index + 1] >> 7);
+ D[7] ^= (D[7] << 1) ^ (mask & 0x1B);
+}
+
+/**
 * \brief Process the associated data for HYENA.
 *
 * \param ks Key schedule for the GIFT-128 cipher.
@@ -66,27 +83,26 @@ static void hyena_process_ad
 unsigned long long adlen)
 {
 unsigned char feedback[16];
- hyena_double_delta(D);
 while (adlen > 16) {
+ hyena_double_delta(D);
 memcpy(feedback, ad, 16);
 lw_xor_block(feedback + 8, Y + 8, 8);
 lw_xor_block(feedback + 8, D, 8);
 lw_xor_block(Y, feedback, 16);
 gift128n_encrypt(ks, Y, Y);
- hyena_double_delta(D);
 ad += 16;
 adlen -= 16;
 }
 if (adlen == 16) {
- hyena_double_delta(D);
+ hyena_triple_delta(D);
 memcpy(feedback, ad, 16);
 lw_xor_block(feedback + 8, Y + 8, 8);
 lw_xor_block(feedback + 8, D, 8);
 lw_xor_block(Y, feedback, 16);
 } else {
 unsigned temp = (unsigned)adlen;
- hyena_double_delta(D);
- hyena_double_delta(D);
+ hyena_triple_delta(D);
+ hyena_triple_delta(D);
 memcpy(feedback, ad, temp);
 feedback[temp] = 0x01;
 memset(feedback + temp + 1, 0, 15 - temp);
@@ -116,8 +132,7 @@ int hyena_aead_encrypt
 *clen = mlen + HYENA_TAG_SIZE;
 /* Set up the key schedule and use it to encrypt the nonce */
- if (!gift128n_init(&ks, k, HYENA_KEY_SIZE))
- return -1;
+ gift128n_init(&ks, k);
 Y[0] = 0;
 if (adlen == 0)
 Y[0] |= 0x01;
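Review bot: The carry mask in hyena_triple_delta is produced by right-shifting a negative `signed char`, and the result of shifting a negative signed value right is implementation-defined in C (C11 6.5.7), so the 0xFF mask is only guaranteed on compilers that use an arithmetic shift. `unsigned char mask = (unsigned char)(0U - (D[0] >> 7));` yields the same 0x00/0xFF mask with unsigned arithmetic only, and if hyena_double_delta (which starts outside this hunk) uses the same construction it should be changed alongside. The loop pulls the carry from `D[index + 1]` into `D[index]` and takes the reduction bit from `D[0]`, so the delta is treated as big-endian; a one-line comment `/* D is big-endian: D[0] holds the most significant byte */` above the loop would make that assumption explicit next to the formula in the docstring.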
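Review bot: The replacement `gift128n_init(&ks, k);` in the third hunk (and again in `@@ -207,8 +220,7 @@` for hyena_aead_decrypt) drops the return-value check without saying why it is now safe to do so. If the new gift128n_init still reports failure through its return value — its declaration is not part of this chunk — a rejected key would now proceed to encrypt with an uninitialised schedule instead of returning -1. If the new signature returns void because the key length is fixed, a comment `/* gift128n_init cannot fail: the key is always HYENA_KEY_SIZE bytes */` above each call would record that for the next reader.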
@@ -149,8 +164,7 @@ int hyena_aead_encrypt
 }
 gift128n_encrypt(&ks, Y, Y);
 if (mlen == 16) {
- hyena_double_delta(D);
- hyena_double_delta(D);
+ hyena_triple_delta(D);
 memcpy(feedback, m, 16);
 lw_xor_block(feedback + 8, Y + 8, 8);
 lw_xor_block(feedback + 8, D, 8);
@@ -159,9 +173,8 @@ int hyena_aead_encrypt
 c += 16;
 } else {
 unsigned temp = (unsigned)mlen;
- hyena_double_delta(D);
- hyena_double_delta(D);
- hyena_double_delta(D);
+ hyena_triple_delta(D);
+ hyena_triple_delta(D);
 memcpy(feedback, m, temp);
 feedback[temp] = 0x01;
 memset(feedback + temp + 1, 0, 15 - temp);
@@ -207,8 +220,7 @@ int hyena_aead_decrypt
 *mlen = clen - HYENA_TAG_SIZE;
 /* Set up the key schedule and use it to encrypt the nonce */
- if (!gift128n_init(&ks, k, HYENA_KEY_SIZE))
- return -1;
+ gift128n_init(&ks, k);
 Y[0] = 0;
 if (adlen == 0)
 Y[0] |= 0x01;
@@ -242,8 +254,7 @@ int hyena_aead_decrypt
 }
 gift128n_encrypt(&ks, Y, Y);
 if (clen == 16) {
- hyena_double_delta(D);
- hyena_double_delta(D);
+ hyena_triple_delta(D);
 memcpy(feedback + 8, c + 8, 8);
 lw_xor_block_2_src(m, c, Y, 16);
 memcpy(feedback, m, 8);
@@ -252,9 +263,8 @@ int hyena_aead_decrypt
 c += 16;
 } else {
 unsigned temp = (unsigned)clen;
- hyena_double_delta(D);
- hyena_double_delta(D);
- hyena_double_delta(D);
+ hyena_triple_delta(D);
+ hyena_triple_delta(D);
 if (temp > 8) {
 memcpy(feedback + 8, c + 8, temp - 8);
 lw_xor_block_2_src(m, c, Y, temp);
diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-cham.h b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128-config.h
similarity index 51%
rename from comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-cham.h
rename to hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128-config.h
index 29d5ccf..62131ba 100644
--- a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-cham.h
+++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128-config.h
@@ -20,48 +20,61 @@
 * DEALINGS IN THE SOFTWARE.
 */
-#ifndef LW_INTERNAL_CHAM_H
-#define LW_INTERNAL_CHAM_H
+#ifndef LW_INTERNAL_GIFT128_CONFIG_H
+#define LW_INTERNAL_GIFT128_CONFIG_H
 /**
- * \file internal-cham.h
- * \brief CHAM block cipher.
+ * \file internal-gift128-config.h
+ * \brief Configures the variant of GIFT-128 to use.
 */
-#ifdef __cplusplus
-extern "C" {
-#endif
+/**
+ * \brief Select the full variant of GIFT-128.
+ *
+ * The full variant requires 320 bytes for the key schedule and uses the
+ * fixslicing method to implement encryption and decryption.
+ */
+#define GIFT128_VARIANT_FULL 0
 /**
- * \brief Encrypts a 128-bit block with CHAM-128-128.
+ * \brief Select the small variant of GIFT-128.
 *
- * \param key Points to the 16 bytes of the key.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
+ * The small variant requires 80 bytes for the key schedule. The rest
+ * of the key schedule is expanded on the fly during encryption.
 *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
+ * The fixslicing method is used to implement encryption and the slower
+ * bitslicing method is used to implement decryption. The small variant
+ * is suitable when memory is at a premium, decryption is not needed,
+ * but encryption performance is still important.
 */
-void cham128_128_encrypt
- (const unsigned char *key, unsigned char *output,
- const unsigned char *input);
+#define GIFT128_VARIANT_SMALL 1
 /**
- * \brief Encrypts a 64-bit block with CHAM-64-128.
- *
- * \param key Points to the 16 bytes of the key.
- * \param output Output buffer which must be at least 8 bytes in length.
- * \param input Input buffer which must be at least 8 bytes in length.
+ * \brief Select the tiny variant of GIFT-128.
 *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
+ * The tiny variant requires 16 bytes for the key schedule and uses the + * bitslicing method to implement encryption and decryption. It is suitable + * for use when memory is very tight and performance is not critical. */ -void cham64_128_encrypt - (const unsigned char *key, unsigned char *output, - const unsigned char *input); +#define GIFT128_VARIANT_TINY 2 -#ifdef __cplusplus -} +/** + * \def GIFT128_VARIANT + * \brief Selects the default variant of GIFT-128 to use on this platform. + */ +/** + * \def GIFT128_VARIANT_ASM + * \brief Defined to 1 if the GIFT-128 implementation has been replaced + * with an assembly code version. + */ +#if defined(__AVR__) && !defined(GIFT128_VARIANT_ASM) +#define GIFT128_VARIANT_ASM 1 +#endif +#if !defined(GIFT128_VARIANT) +#define GIFT128_VARIANT GIFT128_VARIANT_FULL +#endif +#if !defined(GIFT128_VARIANT_ASM) +#define GIFT128_VARIANT_ASM 0 #endif #endif diff --git a/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.c b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.c index 681dbc8..c6ac5ec 100644 --- a/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.c +++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.c @@ -23,8 +23,12 @@ #include "internal-gift128.h" #include "internal-util.h" +#if !GIFT128_VARIANT_ASM + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /* Round constants for GIFT-128 in the fixsliced representation */ -static uint32_t const GIFT128_RC[40] = { +static uint32_t const GIFT128_RC_fixsliced[40] = { 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, 
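Review bot: The defaulting block at the end of internal-gift128-config.h accepts any value of GIFT128_VARIANT supplied by the build without checking it against the three constants defined above, so a typo such as `-DGIFT128_VARIANT=3` would silently fall through every `#if GIFT128_VARIANT != ...` test in internal-gift128.c and leave the round-constant tables out. Adding, after the defaults, `#if GIFT128_VARIANT != GIFT128_VARIANT_FULL && GIFT128_VARIANT != GIFT128_VARIANT_SMALL && GIFT128_VARIANT != GIFT128_VARIANT_TINY` / `#error "GIFT128_VARIANT must be GIFT128_VARIANT_FULL, _SMALL or _TINY"` / `#endif` turns that into a clear compile-time failure. The `\def GIFT128_VARIANT` doxygen block would also benefit from stating that the value may be overridden on the command line, since that is the intent of the `!defined` guard.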
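Review bot: The new `#if !GIFT128_VARIANT_ASM` and `#if GIFT128_VARIANT != GIFT128_VARIANT_TINY` guards in internal-gift128.c assume that GIFT128_VARIANT and friends are already defined when this file is compiled, but the only includes visible in the hunk are internal-gift128.h and internal-util.h; whether internal-gift128.h pulls in internal-gift128-config.h is not shown here. If it does not, every undefined macro evaluates to 0 in `#if`, `!GIFT128_VARIANT_ASM` becomes true and both variant tests become false, which excludes both round-constant tables with an unhelpful error further down. An explicit `#include "internal-gift128-config.h"` next to the other includes, or a `#ifndef GIFT128_VARIANT` / `#error "internal-gift128-config.h must be included first"` / `#endif` guard, makes the dependency visible and the failure mode obvious.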
@@ -34,6 +38,246 @@ static uint32_t const GIFT128_RC[40] = { 0xc001a000, 0x14500002, 0x01020181, 0x8000001a }; +#endif + +#if GIFT128_VARIANT != GIFT128_VARIANT_FULL + +/* Round constants for GIFT-128 in the bitsliced representation */ +static uint8_t const GIFT128_RC[40] = { + 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, + 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, + 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, + 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38, + 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A +}; + +#endif + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/* + * The permutation below was generated by the online permuation generator at + * "http://programming.sirrida.de/calcperm.php". + * + * All of the permutuations are essentially the same, except that each is + * rotated by 8 bits with respect to the next: + * + * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15 + * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23 + * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31 + * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7 + * + * The most efficient permutation from the online generator was P3, so we + * perform it as the core of the others, and then perform a final rotation. + * + * It is possible to do slightly better than "P3 then rotate" on desktop and + * server architectures for the other permutations. But the advantage isn't + * as evident on embedded platforms so we keep things simple. 
+ */ +#define PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define PERM0(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate8(_x); \ + } while (0) +#define PERM1(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate16(_x); \ + } while (0) +#define PERM2(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate24(_x); \ + } while (0) +#define PERM3(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +#define INV_PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x00550055, 9); \ + bit_permute_step(x, 0x00003333, 18); \ + bit_permute_step(x, 0x000f000f, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define INV_PERM0(x) \ + do { \ + uint32_t _x = rightRotate8(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM1(x) \ + do { \ + uint32_t _x = rightRotate16(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM2(x) \ + do { \ + uint32_t _x = rightRotate24(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM3(x) \ + do { \ + uint32_t _x = (x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. 
+ */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /** * \brief Swaps bits within two words. * 
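Review bot: `gift128n_to_nibbles` is only ever called in place (`gift128n_to_nibbles(output, output)` in gift128n_encrypt/gift128n_decrypt here, and again in the gift128t_encrypt variants later in this diff), yet unlike `gift128n_to_words` its comment does not say aliasing is permitted. It is safe as written because all sixteen `input[]` bytes are gathered into s0..s3 before the first `le_store_word32`, but that ordering is now a silent invariant; add `The \a input and \a output buffers can be the same buffer; all input bytes are read before any output byte is written.` to its Doxygen so a future reorder does not break the in-place callers. The `PERM_WORDS`/`INV_PERM_WORDS` macros are `#define`d inside function bodies without a matching `#undef`, which is harmless today but leaks them to the rest of the translation unit.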
@@ -202,21 +446,27 @@ static void gift128b_compute_round_keys /* Keys 8, 9, 18, and 19 do not need any adjustment */ } +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL /* Derive the fixsliced keys for the remaining rounds 11..40 */ for (index = 20; index < 80; index += 10) { gift128b_derive_keys(ks->k + index, ks->k + index - 20); } +#endif } -int gift128b_init - (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) { - if (!ks || !key || key_len != 16) - return 0; gift128b_compute_round_keys (ks, be_load_word32(key), be_load_word32(key + 4), be_load_word32(key + 8), be_load_word32(key + 12)); - return 1; +} + +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian key byte order from the HYENA submission */ + gift128b_compute_round_keys + (ks, le_load_word32(key + 12), le_load_word32(key + 8), + le_load_word32(key + 4), le_load_word32(key)); } /** 
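Review bot: The NULL/length validation (`if (!ks || !key || key_len != 16) return 0;`) is dropped from `gift128b_init` and, in the new `gift128n_init`, never reinstated, so a caller handing in a shorter buffer now reads past it in `be_load_word32(key + 12)` with no way to report the misuse since both functions return void. If the check is intentionally delegated to the AEAD wrappers, state the precondition where callers will see it, in the Doxygen for both functions in internal-gift128.h (not part of this diff): `\param key Points to the 16 bytes of the key; must not be NULL.` Every call site that tested the former `int` return value also needs adjusting; none are visible in this hunk.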
@@ -521,11 +771,37 @@ int gift128b_init gift128b_inv_sbox(s3, s1, s2, s0); \ } while (0) +#else /* GIFT128_VARIANT_TINY */ + +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) +{ + /* Mirror the fixslicing word order of 3, 1, 2, 0 */ + ks->k[0] = be_load_word32(key + 12); + ks->k[1] = be_load_word32(key + 4); + ks->k[2] = be_load_word32(key + 8); + ks->k[3] = be_load_word32(key); +} + +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian key byte order from the HYENA submission + * and mirror the fixslicing word order of 3, 1, 2, 0 */ + ks->k[0] = le_load_word32(key); + ks->k[1] = le_load_word32(key + 8); + ks->k[2] = le_load_word32(key + 4); + ks->k[3] = le_load_word32(key + 12); +} + +#endif /* GIFT128_VARIANT_TINY */ + +#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL + void gift128b_encrypt (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { uint32_t s0, s1, s2, s3; + uint32_t k[20]; /* Copy the plaintext into the state buffer and convert from big endian */ s0 = be_load_word32(input); 
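Review bot: The tiny-variant `gift128b_init`/`gift128n_init` store the key words permuted (`k[0]` from key+12, `k[1]` from key+4, `k[2]` from key+8, `k[3]` from key+0), and the comment says only that this mirrors the fixslicing order, not why; the tiny encrypt loops later in this diff immediately undo it with `w0 = ks->k[3]; w1 = ks->k[1]; w2 = ks->k[2]; w3 = ks->k[0];`, so on its own the permutation is a round trip. The visible reason is that `gift128b_load_and_forward_schedule` in the final hunk reads the schedule with that same `k[3], k[1], k[2], k[0]` sequence for both the small and tiny variants, so make the dependency explicit: `/* Same word order as the fixsliced schedule so the small/tiny decrypt loader can read both layouts identically */`. That stops the next maintainer from "simplifying" init and breaking decryption in only one variant.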
@@ -534,14 +810,20 @@ void gift128b_encrypt
 s3 = be_load_word32(input + 12);
 
 /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
+ gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
+ gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ gift128b_derive_keys(k, ks->k);
+ gift128b_derive_keys(k + 10, ks->k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
+ gift128b_derive_keys(k, k);
+ gift128b_derive_keys(k + 10, k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
+ gift128b_derive_keys(k, k);
+ gift128b_derive_keys(k + 10, k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
 
 /* Pack the state into the ciphertext buffer in big endian */
 be_store_word32(output, s0);
@@ -555,6 +837,7 @@ void gift128b_encrypt_preloaded
 const uint32_t input[4])
 {
 uint32_t s0, s1, s2, s3;
+ uint32_t k[20];
 
 /* Copy the plaintext into local variables */
 s0 = input[0];
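Review bot: `gift128b_derive_keys(k, k)` and `gift128b_derive_keys(k + 10, k + 10)` derive the next ten round keys in place, a calling pattern the full variant never used (`gift128b_derive_keys(ks->k + index, ks->k + index - 20)` always has disjoint buffers). That is only correct if `gift128b_derive_keys` finishes reading each `prev[]` word before it writes the `next[]` word that overlaps it; its definition is outside this diff, so the contract should be checked and then stated on the function: `/* next and prev may alias: every input word is read before the output word at the same offset is written */`. If that does not hold, alternate between the two halves of `k` instead of deriving in place. The body of gift128b_encrypt continues outside this hunk, and the 80-byte `k[20]` buffer of derived round keys is left on the stack on return; clear it with the project's zeroisation helper if one exists.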
@@ -563,14 +846,20 @@ void gift128b_encrypt_preloaded
 s3 = input[3];
 
 /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
+ gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
+ gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ gift128b_derive_keys(k, ks->k);
+ gift128b_derive_keys(k + 10, ks->k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
+ gift128b_derive_keys(k, k);
+ gift128b_derive_keys(k + 10, k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
+ gift128b_derive_keys(k, k);
+ gift128b_derive_keys(k + 10, k + 10);
+ gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
+ gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
 
 /* Pack the state into the ciphertext buffer */
 output[0] = s0;
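Review bot: `gift128b_encrypt_preloaded` now repeats the entire 14-step derive/encrypt schedule of `gift128b_encrypt` from the previous hunk verbatim, and the same sequence appears a third time in `gift128t_encrypt` in the next hunk, so any future change to the on-the-fly key derivation has to be made three times. The two `gift128b_*` functions differ only in how the 128-bit state is loaded and stored, so `gift128b_encrypt` can become a big-endian wrapper around this function and leave one copy of the schedule (assuming `gift128b_encrypt_preloaded` is prototyped in internal-gift128.h like the other public entry points; the header is not in this diff). The wrapper is sketched below; gift128b_encrypt itself starts in the preceding hunk.
```c
void gift128b_encrypt
    (const gift128b_key_schedule_t *ks, unsigned char *output,
     const unsigned char *input)
{
    uint32_t in[4], out[4];

    /* Unpack big-endian, run the shared small-variant schedule, repack */
    in[0] = be_load_word32(input);
    in[1] = be_load_word32(input + 4);
    in[2] = be_load_word32(input + 8);
    in[3] = be_load_word32(input + 12);
    gift128b_encrypt_preloaded(ks, out, in);
    be_store_word32(output, out[0]);
    be_store_word32(output + 4, out[1]);
    be_store_word32(output + 8, out[2]);
    be_store_word32(output + 12, out[3]);
}
```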
@@ -579,7 +868,55 @@ void gift128b_encrypt_preloaded output[3] = s3; } -void gift128b_decrypt +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint32_t tweak) +{ + uint32_t s0, s1, s2, s3; + uint32_t k[20]; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL + +void gift128b_encrypt (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { 
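Review bot: `tweak` is now a full `uint32_t` that callers must have expanded themselves (the 4-bit `GIFT128_tweaks[]` lookup is deleted in a later hunk of this diff), but nothing in the new code says what form the word must take or that it is XORed into `s0` after rounds 5, 10, ..., 35 and never after round 40. Document that on the prototype in internal-gift128.h (outside this diff): `\param tweak 32-bit tweak word, already expanded from the 4-bit domain value by the caller; XORed into the state every 5 rounds except the last.` Moving the expansion to the caller also removes the unchecked `GIFT128_tweaks[tweak]` table index the old code had, which is worth a line in the commit message. As in the neighbouring functions, the derived round keys in `k[20]` stay on the stack after return.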
@@ -592,14 +929,14 @@ void gift128b_decrypt
 s3 = be_load_word32(input + 12);
 
 /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
- gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- gift128b_decrypt_5_rounds(ks->k, GIFT128_RC);
+ gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
+ gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
+ gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
+ gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
+ gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
+ gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
+ gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
 
 /* Pack the state into the ciphertext buffer in big endian */
 be_store_word32(output, s0);
@@ -608,173 +945,308 @@ void gift128b_decrypt be_store_word32(output + 12, s3); } -int gift128n_init - (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { - /* Use the little-endian key byte order from the HYENA submission */ - if (!ks || !key || key_len != 16) - return 0; - gift128b_compute_round_keys - (ks, le_load_word32(key + 12), le_load_word32(key + 8), - le_load_word32(key + 4), le_load_word32(key)); - return 1; + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; } -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint32_t tweak) +{ + uint32_t s0, s1, s2, s3; -/** - * \brief Converts the GIFT-128 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. 
- * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift128n_to_words - (unsigned char *output, const unsigned char *input) + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +#else /* GIFT128_VARIANT_TINY */ + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input buffer into 32-bit words. We use the nibble order - * from the HYENA submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 12); - s1 = le_load_word32(input + 8); - s2 = le_load_word32(input + 4); - s3 = le_load_word32(input); + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". - */ - #define PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - PERM_WORDS(s0); - PERM_WORDS(s1); - PERM_WORDS(s2); - PERM_WORDS(s3); + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Rearrange the bytes and write them to the output buffer */ - output[0] = (uint8_t)s0; - output[1] = 
(uint8_t)s1; - output[2] = (uint8_t)s2; - output[3] = (uint8_t)s3; - output[4] = (uint8_t)(s0 >> 8); - output[5] = (uint8_t)(s1 >> 8); - output[6] = (uint8_t)(s2 >> 8); - output[7] = (uint8_t)(s3 >> 8); - output[8] = (uint8_t)(s0 >> 16); - output[9] = (uint8_t)(s1 >> 16); - output[10] = (uint8_t)(s2 >> 16); - output[11] = (uint8_t)(s3 >> 16); - output[12] = (uint8_t)(s0 >> 24); - output[13] = (uint8_t)(s1 >> 24); - output[14] = (uint8_t)(s2 >> 24); - output[15] = (uint8_t)(s3 >> 24); + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); } -/** - * \brief Converts the GIFT-128 word-based representation into nibble-based. - * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. - */ -static void gift128n_to_nibbles - (unsigned char *output, const unsigned char *input) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input bytes and rearrange them so that s0 contains the - * most significant nibbles and s3 contains the least significant */ - s0 = (((uint32_t)(input[12])) << 24) | - (((uint32_t)(input[8])) << 16) | - (((uint32_t)(input[4])) << 8) | - ((uint32_t)(input[0])); - s1 = (((uint32_t)(input[13])) << 24) | - (((uint32_t)(input[9])) << 16) | - (((uint32_t)(input[5])) << 8) | - ((uint32_t)(input[1])); - s2 = (((uint32_t)(input[14])) << 24) | - (((uint32_t)(input[10])) << 16) | - (((uint32_t)(input[6])) << 8) | - ((uint32_t)(input[2])); - s3 = (((uint32_t)(input[15])) << 24) | - (((uint32_t)(input[11])) << 16) | - (((uint32_t)(input[7])) << 8) | - ((uint32_t)(input[3])); + /* Copy the plaintext into the state buffer */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; 
+ s3 = input[3]; - /* Apply the inverse of PERM_WORDS() from the function above */ - #define INV_PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - INV_PERM_WORDS(s0); - INV_PERM_WORDS(s1); - INV_PERM_WORDS(s2); - INV_PERM_WORDS(s3); + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Store the result into the output buffer as 32-bit words */ - le_store_word32(output + 12, s0); - le_store_word32(output + 8, s1); - le_store_word32(output + 4, s2); - le_store_word32(output, s3); + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; } -void gift128n_encrypt +void gift128t_encrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) + const unsigned char *input, uint32_t tweak) { + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the plaintext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); - gift128b_encrypt(ks, output, 
output); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* AddTweak - XOR in the tweak every 5 rounds except the last */ + if (((round + 1) % 5) == 0 && round < 39) + s0 ^= tweak; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); gift128n_to_nibbles(output, output); } -void gift128n_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, +#endif /* GIFT128_VARIANT_TINY */ + +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { - gift128n_to_words(output, input); - gift128b_decrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} + uint32_t s0, s1, s2, s3; -/* 4-bit tweak values expanded to 32-bit */ -static uint32_t const GIFT128_tweaks[16] = { - 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333, - 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787, - 0x78787878, 
0x99999999, 0xaaaaaaaa, 0x4b4b4b4b, - 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff -}; + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); -void gift128t_encrypt + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint32_t tweak) { - uint32_t s0, s1, s2, s3, tword; + uint32_t s0, s1, s2, s3; - /* Copy the plaintext into the state buffer and convert from nibbles */ + /* Copy the ciphertext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); s0 = be_load_word32(output); s1 = be_load_word32(output + 4); 
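Review bot: The 40-round bitsliced loop (SubCells, PermBits, AddRoundKey, key rotation) is pasted three times in the tiny variant, in `gift128b_encrypt`, `gift128b_encrypt_preloaded` and `gift128t_encrypt`, differing only by the tweak XOR guarded by `if (((round + 1) % 5) == 0 && round < 39)`, so any correction to the S-box or key-rotation expressions has to land in three places. Since XORing a zero tweak is a no-op and the guard depends only on the round counter (no data-dependent branch is introduced), one static core taking a `tweak` argument, called with 0 from the untweaked entry points, removes the duplication without changing timing behaviour; a sketch follows. It assumes `gift128n_key_schedule_t` and `gift128b_key_schedule_t` share a layout, which the identical `ks->k[3]..ks->k[0]` reads suggest but only the header (not in this diff) can confirm. Note also that `w0..w3` and `temp` hold key-schedule words and are not cleared before return.
```c
/* Shared bitsliced core for the tiny variant: 40 rounds on s[0..3],
 * XORing tweak into s[0] after rounds 5, 10, ..., 35 (0 is a no-op). */
static void gift128b_bitsliced_rounds
    (const gift128b_key_schedule_t *ks, uint32_t s[4], uint32_t tweak)
{
    uint32_t s0 = s[0], s1 = s[1], s2 = s[2], s3 = s[3];
    uint32_t w0 = ks->k[3], w1 = ks->k[1], w2 = ks->k[2], w3 = ks->k[0];
    uint32_t temp;
    uint8_t round;

    for (round = 0; round < 40; ++round) {
        /* … unchanged: SubCells, PermBits, AddRoundKey … */
        if (((round + 1) % 5) == 0 && round < 39)
            s0 ^= tweak;
        /* … unchanged: key schedule rotation … */
    }
    s[0] = s0; s[1] = s1; s[2] = s2; s[3] = s3;
}

void gift128b_encrypt_preloaded
    (const gift128b_key_schedule_t *ks, uint32_t output[4],
     const uint32_t input[4])
{
    uint32_t s[4] = { input[0], input[1], input[2], input[3] };
    gift128b_bitsliced_rounds(ks, s, 0);
    output[0] = s[0]; output[1] = s[1]; output[2] = s[2]; output[3] = s[3];
}
/* … gift128b_encrypt: be_load, gift128b_bitsliced_rounds(ks, s, 0), be_store …
 * … gift128t_encrypt: gift128n_to_words, be_load, gift128b_bitsliced_rounds(ks, s, tweak), be_store, gift128n_to_nibbles … */
```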
@@ -782,25 +1254,24 @@ void gift128t_encrypt
 s3 = be_load_word32(output + 12);
 
 /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the last we add the tweak value to the state */
- tword = GIFT128_tweaks[tweak];
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
+ * Every 5 rounds except the first we add the tweak value to the state */
+ gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
 
- /* Pack the state into the ciphertext buffer in nibble form */
+ /* Pack the state into the plaintext buffer in nibble form */
 be_store_word32(output, s0);
 be_store_word32(output + 4, s1);
 be_store_word32(output + 8, s2);
@@ -808,37 +1279,211 @@ void gift128t_encrypt
 gift128n_to_nibbles(output, output);
 }
+#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */
+
+/* The small variant uses fixslicing for encryption, but we need to change
+ * to bitslicing for decryption because of the difficulty of fast-forwarding
+ * the fixsliced key schedule to the end. So the tiny variant is used for
+ * decryption when the small variant is selected. Since the NIST AEAD modes
+ * for GIFT-128 only use the block encrypt operation, the inefficiencies
+ * in decryption don't matter all that much */
+
+/**
+ * \def gift128b_load_and_forward_schedule()
+ * \brief Generate the decryption key at the end of the last round.
+ *
+ * To do that, we run the block operation forward to determine the
+ * final state of the key schedule after the last round:
+ *
+ * w0 = ks->k[0];
+ * w1 = ks->k[1];
+ * w2 = ks->k[2];
+ * w3 = ks->k[3];
+ * for (round = 0; round < 40; ++round) {
+ * temp = w3;
+ * w3 = w2;
+ * w2 = w1;
+ * w1 = w0;
+ * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
+ * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
+ * }
+ *
+ * We can short-cut all of the above by noticing that we don't need
+ * to do the word rotations. Every 4 rounds, the rotation alignment
+ * returns to the original position and each word has been rotated
+ * by applying the "2 right and 4 left" bit-rotation step to it.
+ * We then repeat that 10 times for the full 40 rounds. The overall
+ * effect is to apply a "20 right and 40 left" bit-rotation to every
+ * word in the key schedule. That is equivalent to "4 right and 8 left"
+ * on the 16-bit sub-words.
+ */
+#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL
+#define gift128b_load_and_forward_schedule() \
+ do { \
+ w0 = ks->k[3]; \
+ w1 = ks->k[1]; \
+ w2 = ks->k[2]; \
+ w3 = ks->k[0]; \
+ w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \
+ ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \
+ w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \
+ ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \
+ w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \
+ ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \
+ w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \
+ ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \
+ } while (0)
+#else
+/* The small variant needs to also undo some of the rotations that were
+ * done to generate the fixsliced version of the key schedule */
+#define gift128b_load_and_forward_schedule() \
+ do { \
+ w0 = ks->k[3]; \
+ w1 = ks->k[1]; \
+ w2 = ks->k[2]; \
+ w3 = ks->k[0]; \
+ gift128b_swap_move(w3, w3, 0x000000FFU, 24); \
+ gift128b_swap_move(w3, w3, 0x00003333U, 18); \
+ gift128b_swap_move(w3, w3, 0x000F000FU, 12); \
+ gift128b_swap_move(w3, w3, 0x00550055U, 9); \
+ gift128b_swap_move(w1, w1, 0x000000FFU, 24); \
+ gift128b_swap_move(w1, w1, 0x00003333U, 18); \
+ gift128b_swap_move(w1, w1, 0x000F000FU, 12); \
+ gift128b_swap_move(w1, w1, 0x00550055U, 9); \
+ gift128b_swap_move(w2, w2, 0x000000FFU, 24); \
+ gift128b_swap_move(w2, w2, 0x000F000FU, 12); \
+ gift128b_swap_move(w2, w2, 0x03030303U, 6); \
+ gift128b_swap_move(w2, w2, 0x11111111U, 3); \
+ gift128b_swap_move(w0, w0, 0x000000FFU, 24); \
+ gift128b_swap_move(w0, w0, 0x000F000FU, 12); \
+ gift128b_swap_move(w0, w0, 0x03030303U, 6); \
+ gift128b_swap_move(w0, w0, 0x11111111U, 3); \
+ w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \
+ ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \
+ w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \
+ ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \
+ w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \
+ ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \
+ w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \
+ ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \
+ } while (0)
+#endif
+
+void gift128b_decrypt
+ (const gift128b_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input)
+{
+ uint32_t s0, s1, s2, s3;
+ uint32_t w0, w1, w2, w3;
+ uint32_t temp;
+ uint8_t round;
+
+ /* Copy the ciphertext into the state buffer and convert from big endian */
+ s0 = be_load_word32(input);
+ s1 = be_load_word32(input + 4);
+ s2 = be_load_word32(input + 8);
+ s3 = be_load_word32(input + 12);
+
+ /* Generate the decryption key at the end of the last round */
+ gift128b_load_and_forward_schedule();
+
+ /* Perform all 40 rounds */
+ for (round = 40; round > 0; --round) {
+ /* Rotate the key schedule backwards */
+ temp = w0;
+ w0 = w1;
+ w1 = w2;
+ w2 = w3;
+ w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) |
+ ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12);
+
+ /* AddRoundKey - XOR in the key schedule and the round constant */
+ s2 ^= w1;
+ s1 ^= w3;
+ s3 ^= 0x80000000U ^ GIFT128_RC[round - 1];
+
+ /* InvPermBits - apply the inverse of the 128-bit permutation */
+ INV_PERM0(s0);
+ INV_PERM1(s1);
+ INV_PERM2(s2);
+ INV_PERM3(s3);
+
+ /* InvSubCells - apply the inverse of the S-box */
+ temp = s0;
+ s0 = s3;
+ s3 = temp;
+ s2 ^= s0 & s1;
+ s3 ^= 0xFFFFFFFFU;
+ s1 ^= s3;
+ s3 ^= s2;
+ s2 ^= s0 | s1;
+ s0 ^= s1 & s3;
+ s1 ^= s0 & s2;
+ }
+
+ /* Pack the state into the plaintext buffer in big endian */
+ be_store_word32(output, s0);
+ be_store_word32(output + 4, s1);
+ be_store_word32(output + 8, s2);
+ be_store_word32(output + 12, s3);
+}
+
 void gift128t_decrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, unsigned char tweak)
+ const unsigned char *input, uint32_t tweak)
 {
- uint32_t s0, s1, s2, s3, tword;
+ uint32_t s0, s1, s2, s3;
+ uint32_t w0, w1, w2, w3;
+ uint32_t temp;
+ uint8_t round;
- /* Copy the ciphertext into the state buffer and convert from nibbles */
+ /* Copy the plaintext into the state buffer and convert from nibbles */
 gift128n_to_words(output, input);
 s0 = be_load_word32(output);
 s1 = be_load_word32(output + 4);
 s2 = be_load_word32(output + 8);
 s3 = be_load_word32(output + 12);
- /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the first we add the tweak value to the state */
- tword = GIFT128_tweaks[tweak];
- gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k, GIFT128_RC);
+ /* Generate the decryption key at the end of the last round */
+ gift128b_load_and_forward_schedule();
+
+ /* Perform all 40 rounds */
+ for (round = 40; round > 0; --round) {
+ /* Rotate the key schedule backwards */
+ temp = w0;
+ w0 = w1;
+ w1 = w2;
+ w2 = w3;
+ w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) |
+ ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12);
+
+ /* AddTweak - XOR in the tweak every 5 rounds except the last */
+ if ((round % 5) == 0 && round < 40)
+ s0 ^= tweak;
+
+ /* AddRoundKey - XOR in the key schedule and the round constant */
+ s2 ^= w1;
+ s1 ^= w3;
+ s3 ^= 0x80000000U ^ GIFT128_RC[round - 1];
+
+ /* InvPermBits - apply the inverse of the 128-bit permutation */
+ INV_PERM0(s0);
+ INV_PERM1(s1);
+ INV_PERM2(s2);
+ INV_PERM3(s3);
+
+ /* InvSubCells - apply the inverse of the S-box */
+ temp = s0;
+ s0 = s3;
+ s3 = temp;
+ s2 ^= s0 & s1;
+ s3 ^= 0xFFFFFFFFU;
+ s1 ^= s3;
+ s3 ^= s2;
+ s2 ^= s0 | s1;
+ s0 ^= s1 & s3;
+ s1 ^= s0 & s2;
+ }
 /* Pack the state into the plaintext buffer in nibble form */
 be_store_word32(output, s0);
@@ -847,3 +1492,7 @@ void gift128t_decrypt
 be_store_word32(output + 12, s3);
 gift128n_to_nibbles(output, output);
 }
+
+#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */
+
+#endif /* !GIFT128_VARIANT_ASM */
diff --git a/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.h b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.h
index 1ac40e5..f57d143 100644
--- a/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.h
+++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128.h
@@ -47,11 +47,13 @@
 * in any of the NIST submissions so we don't bother with it in this library.
 *
 * References: https://eprint.iacr.org/2017/622.pdf,
+ https://eprint.iacr.org/2020/412.pdf,
 * https://giftcipher.github.io/gift/
 */
 #include
 #include
+#include "internal-gift128-config.h"
 #ifdef __cplusplus
 extern "C" {
@@ -63,16 +65,23 @@ extern "C" {
 #define GIFT128_BLOCK_SIZE 16
 /**
- * \brief Number of round keys for the fixsliced representation of GIFT-128.
+ * \var GIFT128_ROUND_KEYS
+ * \brief Number of round keys for the GIFT-128 key schedule.
 */
+#if GIFT128_VARIANT == GIFT128_VARIANT_TINY
+#define GIFT128_ROUND_KEYS 4
+#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL
+#define GIFT128_ROUND_KEYS 20
+#else
 #define GIFT128_ROUND_KEYS 80
+#endif
 /**
 * \brief Structure of the key schedule for GIFT-128 (bit-sliced).
 */
 typedef struct
 {
- /** Pre-computed round keys in the fixsliced form */
+ /** Pre-computed round keys for bit-sliced GIFT-128 */
 uint32_t k[GIFT128_ROUND_KEYS];
 } gift128b_key_schedule_t;
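Review bot: The `\def gift128b_load_and_forward_schedule()` comment walks through the forward schedule starting from `w0 = ks->k[0]` … `w3 = ks->k[3]`, but both macro bodies load `w0 = ks->k[3]` and `w3 = ks->k[0]`, so a reader checking the derivation against the code hits an unexplained reversal; if the key schedule stores the words in reverse order (gift128b_init is not in this hunk, so I cannot confirm) the comment should say so, e.g. `* Note: ks->k[] holds the words in reverse order, hence w0 = ks->k[3] below.`. The macro also depends on `ks` and `w0`..`w3` existing by those names in the caller, which a `static inline` function taking the schedule pointer and a `uint32_t w[4]` would make type-checked; at minimum that precondition belongs in the `\brief` block. Separately, the 40-round inverse loop is repeated verbatim in gift128b_decrypt and gift128t_decrypt, differing only in the AddTweak step, which is worth noting for anyone fixing one copy later. gift128t_decrypt's body continues past the end of this hunk.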
@@ -81,14 +90,9 @@ typedef struct
 * \brief Initializes the key schedule for GIFT-128 (bit-sliced).
 *
 * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- * \param key_len Length of the key data, which must be 16.
- *
- * \return Non-zero on success or zero if there is something wrong
- * with the parameters.
+ * \param key Points to the 16 bytes of the key data.
 */
-int gift128b_init
- (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len);
+void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key);
 /**
 * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced).
@@ -145,14 +149,9 @@ typedef gift128b_key_schedule_t gift128n_key_schedule_t;
 * \brief Initializes the key schedule for GIFT-128 (nibble-based).
 *
 * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- * \param key_len Length of the key data, which must be 16.
- *
- * \return Non-zero on success or zero if there is something wrong
- * with the parameters.
+ * \param key Points to the 16 bytes of the key data.
 */
-int gift128n_init
- (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len);
+void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key);
 /**
 * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based).
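Review bot: `gift128b_init` and `gift128n_init` drop the `key_len` parameter together with the zero-on-bad-parameters return, so the 16-byte key requirement is now enforced nowhere; a caller that previously relied on the failed return for an undersized buffer now has the function read 16 bytes unconditionally. Every call site (none appears in this chunk) should be checked to pass exactly 16 key bytes, and the `\param key` line could make the shift of responsibility explicit, e.g. `* \param key Points to the 16 bytes of the key data; the caller must guarantee the length.`. In the @@ -63 hunk just above, `#if GIFT128_VARIANT == GIFT128_VARIANT_TINY` would also evaluate true if `internal-gift128-config.h` failed to define either macro (both read as 0 inside `#if`), silently sizing `k[]` at 4; a `#ifndef GIFT128_VARIANT` / `#error` guard after the include would turn that into a build error, assuming the config header does not already provide one, which this diff does not show.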
@@ -182,13 +181,31 @@ void gift128n_decrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
 const unsigned char *input);
+/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */
+#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */
+#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */
+#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */
+#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */
+#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */
+#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */
+#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */
+#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */
+#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */
+#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */
+#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */
+#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */
+#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */
+#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */
+#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */
+#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */
+
 /**
 * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant).
 *
 * \param ks Points to the GIFT-128 key schedule.
 * \param output Output buffer which must be at least 16 bytes in length.
 * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value.
+ * \param tweak 4-bit tweak value expanded to 32-bit.
 *
 * The \a input and \a output buffers can be the same buffer for
 * in-place encryption.
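Review bot: The sixteen `GIFT128T_TWEAK_n` constants replace the removed lookup table, but nothing says how they were derived, so a reviewer cannot tell a transcription slip from an intended value. All sixteen are consistent with each byte holding the 4-bit tweak in the low nibble and, in the high nibble, the tweak XORed with its own parity bit replicated four times (0x1 → 0xe1, 0x3 → 0x33, 0xb → 0x4b); if that is the intended TweGIFT expansion, a one-line comment stating it above the block would let the table be re-checked mechanically. As a style point the literals mix types: `0x00000000`, `0x33333333` and the others below 0x80000000 are `int`, the rest are `unsigned int`, so a `U` suffix on all of them would match the `0xFFFFFFFFU` style used in internal-gift128.c and give the set a single type.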
@@ -200,7 +217,7 @@ void gift128n_decrypt
 */
 void gift128t_encrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, unsigned char tweak);
+ const unsigned char *input, uint32_t tweak);
 /**
 * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant).
@@ -208,7 +225,7 @@ void gift128t_encrypt
 * \param ks Points to the GIFT-128 key schedule.
 * \param output Output buffer which must be at least 16 bytes in length.
 * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value.
+ * \param tweak 4-bit tweak value expanded to 32-bit.
 *
 * The \a input and \a output buffers can be the same buffer for
 * in-place encryption.
@@ -220,7 +237,7 @@ void gift128t_encrypt
 */
 void gift128t_decrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, unsigned char tweak);
+ const unsigned char *input, uint32_t tweak);
 #ifdef __cplusplus
 }
diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128n-full-avr.S b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128n-full-avr.S
similarity index 100%
rename from hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128n-full-avr.S
rename to hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128n-full-avr.S
diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128n-small-avr.S b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128n-small-avr.S
similarity index 100%
rename from hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128n-small-avr.S
rename to hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128n-small-avr.S
diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128n-tiny-avr.S b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128n-tiny-avr.S
similarity index 100%
rename from hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128n-tiny-avr.S
rename to hyena/Implementations/crypto_aead/hyenav1/rhys/internal-gift128n-tiny-avr.S
diff --git a/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-util.h b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-util.h
+++ b/hyena/Implementations/crypto_aead/hyenav1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/hyena/Implementations/crypto_aead/hyenav2/LWC_AEAD_KAT_128_96.txt b/hyena/Implementations/crypto_aead/hyenav2/LWC_AEAD_KAT_128_96.txt
deleted file mode 100644
index dee108b..0000000
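Review bot: The 31 composed `leftRotateN` definitions and the 31 `rightRotateN` aliases are hand-derived and nothing in this diff cross-checks them against the generic `leftRotate((a), n)`; the ones I traced (`leftRotate5` = left 8 then right 3, `leftRotate12` = left 16 then right 4, `leftRotate28` = right 4, and `rightRotateN` = `leftRotate(32-N)`) are correct, but a single wrong count in this table would corrupt every primitive that uses that rotation, and only on AVR, because `LW_CRYPTO_ROTATE32_COMPOSED` is derived from `__AVR__` in the @@ -238 hunk and host-side KAT runs never compile this branch. I'd make the selector overridable so a host test build can exercise the composed table, `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` around the `#if defined(__AVR__)` block with a matching `#endif`, and add a test asserting `leftRotateN(x) == leftRotate(x, N)` for all N on a few inputs.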
--- a/hyena/Implementations/crypto_aead/hyenav2/LWC_AEAD_KAT_128_96.txt +++ /dev/null 
@@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = -CT = F83CA141A233342B1507192F171774A6 - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00 -CT = E350763873B36471681989E03CDFB4BE - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001 -CT = 9A9914D7A8CDFEDB8A688BE6DB7D214F - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102 -CT = B15A5A5F09385A20B035E7FEB346BD61 - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203 -CT = 05B95CD0688782299C70A33BBCAF1684 - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304 -CT = 1DBC0D28C0FB4AD8872754FD420BD92E - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405 -CT = 74258B43E575F6FC33E26F0B552BC750 - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506 -CT = A85F470EEE90CA2A94FE30415E31CAFF - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304050607 -CT = 39017F93CEE6B83AA4C4C1FF48273564 - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708 -CT = 3A2894D1043FD54DC77289FFE4333AD1 - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506070809 -CT = DABDA6CF51150E19F164F2C7C6C22D16 - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A -CT = 6FCDB8AD80BDFAE150D0AE919A172C20 - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B -CT = 66AF967D66CB56F87083C660A30AC8C9 - -Count = 14 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C -CT = C30EBDA26826BCC6F99C0A4D54773D8F - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D -CT = 4A813C69C95F24DCF669940B1AA189F9 - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E -CT = 1AE6DDA58C17F337366DF7FADA1D4497 - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = 50A5C6ABBA4CE9171452107468ADE5AE - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 9F5DEF663FFEE7A15C4D6FA673D359FC - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 9DF77CB405D36668958F398ABF7B28FC - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = E209CB81746B72716538D7CD17A6444D - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = F00A350C020334FB5EA7B33F289AD795 - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 7106B19BBDBD2FDF3D11D9B91FC154DF - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 14B8A10E0682BB2482DF9B1DCE755551 - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = BDA04DE64CD80319EB5DF8EBBA42EFC4 - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 216C14D4CD1829198C545681F3864970 - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 334AD62CC8D101B3D5033B2FAC7C739C - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2DAA8A8E5294BDF1A81B3D8993EC2546 - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 9E698F85F7C7807B9C9F7185B4BCDF95 - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 5865A44D9F5A99CD3F5CF29AD20E57DE - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 42F7FDFDD34381AE9CD411EFA7BD638C - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 331D1718FACA29369FDBE92ED53A15B8 - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = F7CF8AA4B345A3CDA36ACE0A25997D8C - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = DFA8FCE97F530C981A0CDAE70790A0CA - -Count = 34 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = -CT = 3562C0CAC7E1F43E1B2FA4D8ADDBF15C3F - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00 -CT = A79E7781A6274290D22A1A52590920EE64 - 
-Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001 -CT = 4475D06FDAC2DC3DDE1351FFC32C9E3E13 - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102 -CT = B1F3073D129A6E7A0B81367EDD40FA3890 - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203 -CT = B1AD4FD7FC82BF695D564B556257B42D8E - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304 -CT = 36DC47D07AEC68DE8FBAF06182443D539B - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405 -CT = 28232093DA22D93FC6D8123279D0071932 - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506 -CT = 5ACA0451CACDDFA47EA49DE67C73DF3817 - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304050607 -CT = D697C88429C45EF9B3DCC6D3C7E2352CB0 - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708 -CT = 640A80F88EC038155DF0ABC679F34521DD - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506070809 -CT = CA95BAAB316AB874D2DE2BFF4019B3477C - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A -CT = DFFB4C3FE417CD5CFDF4EE44CA44576CA9 - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B -CT = 7C081DAA73C942F805281CBB6C426C9A0B - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C -CT = D8F97AB08D58B59AF1C3150F992DF970A1 - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = 25234BD0773F5EAE650DE66ADEA41A0854 - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = D258F7088B90612A4DCEDDF603A976077B - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = 833D4C27499C767911E2929950EDACC21C - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 718EEA718E4DC268685A18D0407C92AA59 - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36DC969FBDC053E80A15D73ED54B2540B5 - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 1010983DF8CB9D4BD1A8EFA7E77D31258D - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DAE7EB670A106B4D223123EC7109B335E2 - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CE15813C9EE3A15FE59023C1E86CA30D53 - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C6C7D076B14D455913FDCE8DAE036F399B - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F0F0EE9B7A5BBA5EA6462D4D245B4E63ED - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4F172F8293E584BF57CE0B3801C49C938 - -Count = 59 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA7EA9F6FC6F184ABD2FAB6A08E652B3B - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 367A2D3B489283BB3BD1F4386530D3F4A1 - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 440DC0D046FF381F6A7B45CE9BD43CF9BC - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FB8705E1F4E34658F8EAE8A83DFFDC433B - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4BAB51B967FB6FA25FCD916115FD54674 - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 643BF7DFE1C94C8F1548776FBAB5965672 - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 42063D5D026E34C4B7D23841A100707208 - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 811C29BB1E14BDDB4AE15DCEAD47A81F17 - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = -CT = 35D79A22166BB4D0E9935BB287A19E81FE98 - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00 -CT = A72543D69E4BAF2D1030E7DC99E6A9614D05 - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 
0001 -CT = 44264EDFD4613C5F859B5159705C887F2CB2 - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102 -CT = B15380C041A3FB771C20782D07A525C9ED11 - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203 -CT = B1B9BEA459A8BC11ABEEFFF03BB146B52807 - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304 -CT = 36E0ADD5CCD30E0973311BA0B60AC425DFDD - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405 -CT = 28D16747FC810E892ED126C425E2D44776B1 - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506 -CT = 5A8DB34960533773DE982BD0A9294B9944A3 - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304050607 -CT = D608DC147826F87CF8404F307FB6B551C05D - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708 -CT = 64BB2614E435F0FB897796B47DD26012144B - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506070809 -CT = CA122C90F50F64675A0ADB84D44017178758 - -Count = 78 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A -CT = DF242E5B614746020E22599C02B1C00109D5 - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B -CT = 7C05E3E715DD8635C649C80C31703F92329E - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C -CT = D8217C97B35A45C3FF15449E2EFA0CB041A4 - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D 
-CT = 25D4885DC4830DAA08A6FE22BC74C324C011 - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC1A6893FA251E7515A6F1CA44ADE80D2 - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = 8342598DC9DDC63BC64B1116E82A273174C7 - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C25E3FA43AAB31DEA6B4201CBB5771340F - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36027ACAB06E71C015DFE6B5D9173891B0BD - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 1039ACB1CA0FF2F8056AD8B407AB146D4C92 - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68217622B178B099FA3522DCC32C2707E6 - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9018DD5BED384650928846202D86C88B4 - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679AD3EA098339E9C0793E2CCA92CC9E44F - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F0984E4D0E9EEA6FB513F71329F82A8BC5F9 - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B498222971AFDD5DB88E409D661EECB47B2E - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA215F2DECE20F034D95CA50625744ADFF6 - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364B5FAA2A3C81EAFF4E814B81A015BAC911 - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F73C8A10FBA9D6288BEB7C6501AC571045 - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEE733548947F8009455C8DC8DF186838E - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9B5F1A9AE528F7BE15DBD2C576B6F8639 - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CABD51665B67F002AB214648F19938159B - -Count = 98 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC8FC414ABDA2C6077D6FE1ACFAE737FF - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 81569C1EDB56CA6FD92C92BC9879809C2ABF - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = -CT = 35D7CE2D348E74CEDEC9DA86A4A64CF3A42AC5 - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00 -CT = A725E9A1EE98E58D43886172CD47F172B2414D - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD 
= 0001 -CT = 4426F9075F7E2B8032E07F0F834AC78B08B90E - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102 -CT = B153788F81307B6B6F0A30B78F08E57C132163 - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203 -CT = B1B9715FDC523D22A6BAE49392757971A39959 - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304 -CT = 36E0B2E597B2DE9587C236A5238A3A3DF431A8 - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405 -CT = 28D156A6B95EF521FA67753B0E343266BBC964 - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506 -CT = 5A8DBE26F2189A2652D3312D4AACC256620E59 - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304050607 -CT = D60875801F168BCEDD767B421D00FAF1F87805 - -Count = 109 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708 -CT = 64BB3CCFB62570B4E2E4C0CE8B7898C545B117 - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506070809 -CT = CA126124AEFAD7F4148F0A217333D26A5802CE - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A -CT = DF24A59085FE8D00516F4EE97B812A9A652F80 - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B -CT = 7C053AED09A1CF3EEA8E2FD933D2E0B79B81CA - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C -CT = D82115F0AA3F2C11ED152985C62C0F03F7CF42 - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = 25D49FB9CA8BA623C9D54AB7480E5A80F07F3D - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC0C0B3764F22A4B0683ADEBD16CB749D3B - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = 83428751D259EE5F9104C40E1770BD95D9387B - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F5D1C72AD868BB451C3E871F7E06958571 - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D481C21A5FB7D280153367A2202206CF7A - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F5DDFC067CF5B617D785A2102927EBDD1 - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBD67FBEA8ECC2746933EAEB89389ED5DA - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C124FC56FE6B9F49069DC64A6C1C75A6C0 - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEB71225B8C9A7BC5536C11CB5DB25706B - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098974450B2F447B843280055B829E38945B4 - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989FFCB0898F1D315E54F1E0536FDDFA210A - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F33E18AA005E2E35AC2C6F828AC90050E - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE32850521DA7BAC74C481AA3FF2B6320B8 - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2853505F1C916ED453AF409DE862CF41C - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA117578CCAF0B102B56E3FD93104E4D18 - -Count = 129 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F13A1A52935233B01BF6947CC012AF3AA7 - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0A2E9B55B6DFC5F0241C5EF582AFAA016D - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC417C7DA55CDE36ECEBD731806F9EFFFA1 - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BEFC7FC71A8EC5D14EAA6328407373F230 - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = -CT = 35D7CEADBEB429B3F757FDBB0DE8BBFA3A9B86DB - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00 -CT = A725E9310D2521C06E7A9A0DA227D41BD7C47489 - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001 -CT = 4426F96A548CE9B03F97A1FFDB0A1072F9D86164 - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102 -CT = B15378691058BA7D7DFB57654620B11063F1ED14 - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203 -CT = B1B971ECEE4725ADF77B1AD5B3DD46C5216C1DFA - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304 -CT = 36E0B2DBA03451251576B5F2AFAC30657BE8366F - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405 -CT = 28D1565C9EFB769ED07CD875AD2511D5C3EDD021 - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506 -CT = 5A8DBE79A9657E15D928356CA177423E84CFD291 - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304050607 -CT = D60875BC0810BB15950AAA9852295A5DCEA2EA61 - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708 -CT = 64BB3CDACB38C3DBE947A577B5639BCE7139AA40 - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506070809 -CT = CA126131FC39CEE5E5091525C549D55CF452BFAB - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A -CT = DF24A5AF9FF19EE8BE8FD7AED6FDB2DB9472747D - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B -CT = 7C053A55597EAECD10D9856BA37F0FABF574BB01 - 
-Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = D82115EDB5FD700C27616ED1067BCD68D7A9FEC9 - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = 25D49F7479F3F9458223B2DD54052E9E79B6C3DD - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E0CA1B2D02F9E1A598B6490E42ECA93C4 - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = 83428794E3F6BBF6BC1B5D239CF64AF9D1197987 - -Count = 150 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B307D061E4EF4D4490788216804421C10 - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D4000EF47EED8E53D6A02349469703346331 - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03BBEBBF42FD17EC1634C687287B045923 - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF56D0EEE1D3704F5747FBC94B9E2707AE - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C148B3ADB929BD18B24C6F075FCEB1B1244C - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD250F45B09314E7E91DE8BCD394026AA7 - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D8BF787838FC486B6F358DD8F50108648 - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F213212DFA5909E2D87BD7F2EB580CB0069 - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F389397788A8BB8CB3EE1D069759714E3C0 - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE3524E6772BAFCE394083CE6C156EC36A0D2 - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2737CCC7913F6E37902520A312B1A4F6E94 - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA087FE844D4B6187066B645386ED2519231 - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0637DA52119A77DF1CDFB661430538477 - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF4042F4719DFFECDC914B9CEC2FC3BA438 - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43DBBE1D724A1BFD640ACCF238CBC7CC6C4 - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE510BCF653037BFF094C1428155381C7118 - -Count = 166 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = -CT = 35D7CEAD7D8DB819DAD5FAC3BB8003574DCD7FEAC5 - -Count = 167 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00 -CT = A725E931A0BD08D6451C45495EBD60359B4056A239 - -Count = 168 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001 -CT = 4426F96A07AD5EB0A92EEBB502EFBABAD4A6E096D7 - -Count = 169 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102 -CT = B15378691A8FD93BDDD3D0A12B8FE7A142F16B1A6F - -Count = 170 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203 -CT = B1B971ECE73007A7FAD7F92500768E7CB2BE19C72E - -Count = 171 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304 -CT = 36E0B2DB67F3F62FC1510CF45C5E60DE88FB0ED13C - -Count = 172 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405 -CT = 28D1565CED7DE3B08D91DE92420335545D6A0C2BCB - -Count = 173 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506 -CT = 5A8DBE79CD8053C920ECBA7B060D4382E4C2DA3741 - -Count = 174 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304050607 -CT = D60875BC19AC3B27393B991DB7453D3D2DF9CA921F - -Count = 175 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708 -CT = 64BB3CDA2A9B08D9F2AE5CFCCED0FE310218260FE6 - -Count = 176 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506070809 -CT = 
CA1261316A136DE2C5A75DE87DC201CC13A34C7586 - -Count = 177 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A -CT = DF24A5AF538241442F6256DDE11BDAF6A54D585574 - -Count = 178 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B -CT = 7C053A5598C5B67F2ED61EEE418A764D1EE7676A6A - -Count = 179 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C -CT = D82115EDF58479DCE4F8ADC78DD694BEA6CCBF23F6 - -Count = 180 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D5FDD395291944A5BE36FEA396E0BB38DF - -Count = 181 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8CAA593407EF8B560E328E2CC6A42BEBCA - -Count = 182 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945FAF6CA4FAD641763BFD5A261A55DEB3CF - -Count = 183 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0DF2EDDBC650B7FF8EE3D560FE462519D9 - -Count = 184 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B316AF9F6BA3501D8F9D3B2BCBCE8A359E - -Count = 185 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5B5426D142B4827D944D94329E0D0645E - -Count = 186 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF98A2D6058C482BC8B986901CA2FAFF4302 - -Count = 187 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C148986742812D6F1E78C47DC16BD2BB8D9364 - -Count = 188 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD038E7A58D66814ED57D42C7440341451A9 - -Count = 189 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D351E18BA4F0F5800E6A7B628DE47D1F883 - -Count = 190 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A5B3A8B4D741939C94CEA886326F558D1D - -Count = 191 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F3862F3D974806569A494C38A4BD3D2F28DD2 - -Count = 192 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE35231A5F4ED74877F40046CD305574ADFEAC0 - -Count = 193 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F6E217957036003975829DE2E8D193A68 - -Count = 194 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A4ECEA7D76A1B13F76025F239A3D0137AF - -Count = 195 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DEECD3EAA1924AF6B1EAA23A6F2A2584E8 - -Count = 196 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494EA5EF6C0C4A0CA9654FF3B622E0DF977 - -Count = 197 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F87789DC819748981094BC74F9D691B68 - -Count = 198 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107B9F6B65E4B9343F33387C17448903882 - -Count = 199 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = -CT = 35D7CEAD7DB155EA008D848CAB1834C60C26B6C3D0CB - -Count = 200 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00 -CT = A725E931A0E103D4B6F4E7B0D69C8209C92CA2A8C4C8 - -Count = 201 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001 -CT = 4426F96A072F35CF7A9499225CDDB3A5FD43F157CA55 - -Count = 202 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102 -CT = B15378691AB463E59A38652A602A16120B90273A0E42 - -Count = 203 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203 -CT = B1B971ECE73E76AB3BDC77C418F3A100EF85EAA23F56 - -Count = 204 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304 -CT = 36E0B2DB67E7A055644E922BDF35FF4CE9508713E5EF - -Count = 205 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405 -CT = 28D1565CED2D3BF5B8534CB5010E244BB3DC4C5DD107 - -Count = 206 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506 -CT = 5A8DBE79CDF0677B08692DB36F4865CDEC4E4CC862BC - -Count = 207 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304050607 -CT = D60875BC195D077A3753D5699925E0D123207979F51C - -Count = 208 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708 -CT = 64BB3CDA2ACC6510A0078D3702E824381BDE092C0284 - -Count = 209 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506070809 -CT = CA1261316A9F97BFF24721815F0E592EA98A4FC3D610 - -Count = 210 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A -CT = DF24A5AF535A3844154C74DA1DAC6811A971A24661E2 - -Count = 211 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B -CT = 7C053A5598BEA204FE64BDC86ECFE79CB1B823D51307 - -Count = 212 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C -CT = D82115EDF548F949976ABF04419136C1357F2376DE92 - -Count = 213 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D5304FE322EBB0CCC10E8CEE9E85C1EDB66C - -Count = 214 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C892DBB8AFC4E4DE6191D5A6540F9564964 - -Count = 215 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B3614D90419FA406D74F61B7541EC2112 - -Count = 216 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2DD5113F2575784C63894D27B7D0D97589 - -Count = 217 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 
000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B365A66135F08EA35439DE97C0E09FAAB3B9 - -Count = 218 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EEF7FC91BD9B82A3CDC0E20286839FD195 - -Count = 219 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861916DE5452255CD6B6412931300040202 - -Count = 220 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898595745B00E9117C1674D885EB440BD0B5D - -Count = 221 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD037454781E4F6CD3A52BC02D87E46AABDDFB - -Count = 222 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C37AA4DDE64C863E98D5A2C021307FC648 - -Count = 223 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51B6186E02D0858B5CB3B42658217FFD615 - -Count = 224 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F3862575843315F9C162B2CA8A18E6989F327E5 - -Count = 225 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311E28BBB40994D712B185C92CF9F7C3C525 - -Count = 226 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09B280BF003DADCFECE5B5636BFD306889 - 
-Count = 227 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B59C558B844BDF4312B3DFCAD682CF32D - -Count = 228 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE922FD55F59B09FD252A7010A0BD3CC15A1 - -Count = 229 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AAD5E4C100ABA0729DBB3CCDF9FC8791B8 - -Count = 230 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F122D5F76B7EAFAAD6BCBF0DD288FCAABEA - -Count = 231 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE510769280B391811DE0E733E4998B0CBBE3C03 - -Count = 232 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = -CT = 35D7CEAD7DB14EBA290EE9B86AC6B0F1E37B819662C1C3 - -Count = 233 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00 -CT = A725E931A0E1C446F43D79985B62645838541066CB96B2 - -Count = 234 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001 -CT = 4426F96A072FA52A9437E2ECD1F17312BB324A21C85BF7 - -Count = 235 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102 -CT = B15378691AB46A8370806D4E4990D25C8C10B4B1F85722 - -Count = 236 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203 -CT = B1B971ECE73E52A57986B5B9E5EFB5FA9E26160C639124 - 
-Count = 237 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304 -CT = 36E0B2DB67E79F5FEDB489D7A19BD5257F77DA93448ACE - -Count = 238 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405 -CT = 28D1565CED2D7E5CE9134A9D7239AED97C8355009F08B3 - -Count = 239 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506 -CT = 5A8DBE79CDF0A3DE15BA7527DB0E7DE9492223EFF3193D - -Count = 240 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304050607 -CT = D60875BC195DDE88DA03F76B2CBBC2F742EA30D988E00D - -Count = 241 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DE5CCE2E0F23A0A1B8072FD68D269AF5F - -Count = 242 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506070809 -CT = CA1261316A9FCF9A4D988A90EC6AB7E8F56A807D6D982C - -Count = 243 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A -CT = DF24A5AF535A101DCEDB81764B7BB50D64013D5698D497 - -Count = 244 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0FA03A7206C600A0BD18B278A2FADAE563 - -Count = 245 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C -CT = D82115EDF548111EABF18021C68000E27B53AB66657A1E - -Count = 246 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C84178686923E225F98FCF6ADEA210C5B1 - -Count = 247 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 
-AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C8903532880687286CC12CF45E6E1FE181F65 - -Count = 248 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B587BD8490C4151C5F7E9A6C661DC53F - -Count = 249 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D225B9794022783444D2B271A971B8F85DD - -Count = 250 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B3652724BEE855D853415C7AA4543A0E089915 - -Count = 251 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE583A58803DE7A140070A3FF43A85033909 - -Count = 252 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AFD82E7B1D45748724D8418484EAAB99A0 - -Count = 253 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B5EE276DB70B37298AC96E33EB8316D88 - -Count = 254 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A9431758C15D345FD68DA9B14B037E6F57 - -Count = 255 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E54DEBDBD5AAEB8780D7FC862F73F66B31 - -Count = 256 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA898631C2C2C667BB0E2F58566792DD5A6 - -Count = 257 -Key 
= 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F3862578428154FF9563C2984971435A2F8F1B8C2 - -Count = 258 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD4ED9557DA7899469CFFCE244AFB28E20 - -Count = 259 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1F5D3087F4BE41B7AE2A515A28566DAA6 - -Count = 260 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B88C6B44770C7379725B7F447D9210F33C5 - -Count = 261 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE92192C6D6EB67BEEE7C710233B9F3814E6EE - -Count = 262 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5BD2CF76F6E7038E02AFC419B8358182E9 - -Count = 263 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0D29CF628E43045153DF6F8B23BC23FEF - -Count = 264 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE51076960BAE6B3C46BCE79B3D2418853ED11C656 - -Count = 265 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = -CT = 35D7CEAD7DB14E4836C63264A30966C5C34C4AECE1D0D4A2 - -Count = 266 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00 -CT = A725E931A0E1C4F4D865AFE9261C1425A91C8852F757659A - -Count = 267 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001 -CT = 4426F96A072FA511F88C2EE72B67F77FA13A57F716EF2240 - -Count = 268 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102 -CT = B15378691AB46AC0367B0854761405ED34F347F24791E158 - -Count = 269 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203 -CT = B1B971ECE73E528C623B65082BC8A5DE6547C4A09C3DBBEE - -Count = 270 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304 -CT = 36E0B2DB67E79F26DBF03B0CCC3E968DBDE42C99E606BDE0 - -Count = 271 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405 -CT = 28D1565CED2D7E1B8861988F2681713444C030B13D2FC9F7 - -Count = 272 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506 -CT = 5A8DBE79CDF0A3184B7EBCDA5DA0737994FD6D26F4DFE68B - -Count = 273 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304050607 -CT = D60875BC195DDE2928BEA79A8DD5F24B434F3C827210FD20 - -Count = 274 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFFBB8B2EB086D7709E33CE023B22E63B74 - -Count = 275 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506070809 -CT = CA1261316A9FCF245EBF11544933CC4843E91AC5CBD00FB4 - -Count = 276 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A -CT = 
DF24A5AF535A10455B2D0D3EFE0FEBE07F3D231ECEA24646 - -Count = 277 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F14C01C4763CDE960D9CD94F36ED447C351 - -Count = 278 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC68720A102E5AEE74AFED62E95CAFA170 - -Count = 279 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C865BB39CAF17F6E165C02CD2BFD252600A3 - -Count = 280 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C8903197B1A8A0C095A01EDB77A639E841920BA - -Count = 281 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B28AD5F0666065501FF17763126B4EB06F - -Count = 282 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD8BB3913EC48D4A1356761A4D69B68338 - -Count = 283 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FAF74FDB20AE7B434D11CF32E05908E2BC - -Count = 284 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58660070B5AD7EA9D8EED88C192885E79313 - -Count = 285 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF201B85A0BCD07B4E2E1C1459E04F681CBD - -Count = 286 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7953A6B1165AA1DC8C03559EBC0FBD7453 - -Count = 287 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A939FB3FCECE35E8AB562E76DB12F13530F0 - -Count = 288 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E5705AF19F1D14A8E844BCBA82CE2AF42C4F - -Count = 289 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D64859F882C8431DEFC6C292943763BA04 - -Count = 290 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A013077AFD148C6EF2BDAC0A437F83616E - -Count = 291 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0C4D9496493919B1F79B6EE4AA10DB6A27 - -Count = 292 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA488BEEA451F461975E274B5DFBCE6B6D - -Count = 293 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B883049C479642EC2B078032D423E8C478BA2 - -Count = 294 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE921909B28C3627908CAF0901C2423F2A403F52 - -Count = 295 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1F13065A1E0E782A853029CB4CD473F73D - -Count = 296 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0095DB65F4F1431951E15E7D1955657E85F - -Count = 297 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054DA53F82C21C3A4905F8738BDB6DC3E13 - -Count = 298 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = -CT = 35D7CEAD7DB14E481688A07DD865A91B54C979AC8F4AF0F541 - -Count = 299 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00 -CT = A725E931A0E1C4F45A6C68395DD02892AAE3A59AA2C8EDFE60 - -Count = 300 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001 -CT = 4426F96A072FA511D93D1B91A6A1B9825C1C0F33CB7E18B3D6 - -Count = 301 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102 -CT = B15378691AB46AC0846D9689FEECE3FBD2C73EA14D5B7F3B3F - -Count = 302 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203 -CT = B1B971ECE73E528CA00665BBC4E87988624ECC17654A7559AE - -Count = 303 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304 -CT = 36E0B2DB67E79F267E70A2F66596EDDC24DCCB898FEE1FCE40 - -Count = 304 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405 -CT = 28D1565CED2D7E1B384F1E1FA58FA50C0A8E3FC6785EB5EC67 - -Count = 305 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506 -CT = 5A8DBE79CDF0A318911B2E6EEFD7D0C5F47DC376EC30508437 - -Count = 306 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304050607 -CT = D60875BC195DDE2953FE99FADBE7D35943875DEC17572C282E - -Count = 307 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF7752BB6A5FBF95036F6D5A97F5A0A987D1 - -Count = 308 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506070809 -CT = CA1261316A9FCF24B29223CC77BC724BA6174959468C3346EA - -Count = 309 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A -CT = DF24A5AF535A10459FA9EB2DB41082924418110C9E92F087A7 - -Count = 310 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F14619DC4D00D2E51C0F129B1CEAD1798BB8C - -Count = 311 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B3B18A939367BA1EA09778CCF65CC931F - -Count = 312 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B1E0196B9D19EB490CCBD3F3E0D8C3466 - -Count = 313 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A377FD7248D15D33F9EE19C84203A254E1 - -Count = 314 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD465FBD3B71CFE9ADC903F0CA083A44AE - -Count = 315 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD631066A4F94DFDA5FC469CE04E145E20F6 - -Count = 316 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6F262637A8490F690B21CCE0487AEB7F1C - -Count = 317 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A5125517E5A28BAEB101A03B21865777A - -Count = 318 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C2E7DD342066582EBC14ED9D6BF34186BA - -Count = 319 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989B117036EEAA82A7C30B019532A0262C0 - -Count = 320 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955BC8318E8992BDC05FB0E11987BE08626 - -Count = 321 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E570331672D9EFF50103715C82155F4C257FCB - -Count = 322 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D662B6129CCC80651C307826ED7A34C50E56 - -Count = 323 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A32EF322001D941678FC0EC58DFFF9B20 - -Count = 324 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCF0C6462F57D945FDA56B9BA5245969F59 - -Count = 325 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA679C767BE34633161CCAEE66E051FC5BA4 - -Count = 326 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B883040123F9A58AC986738656C5FD355B68E54 - -Count = 327 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098DEDA870B170406D6161694438C41D7834 - -Count = 328 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB945A8C899B87F14093BB5CCEDD3705604 - -Count = 329 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F4B3BE13545F2CF05E8323959C6C91BBD - -Count = 330 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B44D0AA49EF3DAE14EC6779FB00A951F35 - -Count = 331 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = -CT = 35D7CEAD7DB14E4816783981D6AA2A53EB84AD90AABB5FB61012 - -Count = 332 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00 -CT = A725E931A0E1C4F45A840DD590B2ADBBC4805397592B429993FD - 
-Count = 333 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001 -CT = 4426F96A072FA511D990A13ABAB4898A3DBD355801CEA598EA22 - -Count = 334 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102 -CT = B15378691AB46AC08404AB50F966211DB5A3D17157530B77B3BC - -Count = 335 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203 -CT = B1B971ECE73E528CA034219A2053AEC02D06487253342AD39B79 - -Count = 336 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304 -CT = 36E0B2DB67E79F267E4904F97D137BD9A1B24E9BA7613251223E - -Count = 337 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405 -CT = 28D1565CED2D7E1B386651B0E90815FD4A934EA60F686E635BDA - -Count = 338 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E6AD6D526BE67970F5D214D3BDBC705818 - -Count = 339 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304050607 -CT = D60875BC195DDE2953615B7F907641438DC4955C57C29279A13F - -Count = 340 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E196AC3654B8DC9657B36703282D37BE6C - -Count = 341 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26B5D4868D98D3E8C3DEF8E981840D7B6C7 - -Count = 342 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FFC2BF05E579131919A6E3245DD0B2802 - -Count = 343 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE8F401D37102DA5656485B0D274176807 - -Count = 344 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2522C9E332AB084A0DA5FE577470BAF0CE - -Count = 345 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6EE4116312258ED52D4583374B25152A88 - -Count = 346 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395221D4A319EE5660537816AC029872E1F - -Count = 347 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD0143369A2BD16B249C655F3C87B5D6CBEA - -Count = 348 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD636143AA50AC11F5E986B9ED041B3A489B4C - -Count = 349 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF44718DE47D9C2D97B4694620F9FB0C8D9 - -Count = 350 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4F18B53D4AD234A98D1BC7344F9A2205B5 - -Count = 351 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22E3B654BAE4096811165A4885421E51155 - -Count = 352 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989400379F51B7C80B0A7620A4EC11203C8E7 - -Count = 353 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB6C6E0B08C85DBCB772BBE41DE9C32E52 - -Count = 354 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E1BF262FE3AEADA2A69359F05128C993BA - -Count = 355 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624B4EB7FB73A043B44E78BC0C1F51FB93F9 - -Count = 356 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A7004BF8FEC56D9749E840B7307D62AB1AA - -Count = 357 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC15B4383A5CEA1E62BE8AC9ADEE6A40105 - -Count = 358 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9636A6B6A6996B84946201BD2EC74644D - -Count = 359 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406C1E42D7063051BCBAF0AE9753A1E4E6FE - -Count = 360 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D814376585B2D9B6449904C6D28CBC1F536 - 
-Count = 361 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C1BC76D31CB6E86BF9E981E715182F5A42 - -Count = 362 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F537F953A185E06298013D7BDAA9E52AA92 - -Count = 363 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469F1D65C895F24C6ADD2473A7AE6EE96F7 - -Count = 364 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = -CT = 35D7CEAD7DB14E4816787F03664F18419FBFBD3DE2C1EAD4947422 - -Count = 365 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00 -CT = A725E931A0E1C4F45A84F211D0E96EFB72CAF556276D43A8161ECA - -Count = 366 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001 -CT = 4426F96A072FA511D990633EF01B6156BCD7317D7BB833CF6861D5 - -Count = 367 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102 -CT = B15378691AB46AC08404F4FD434DEAD6594180C14795942B62BF0C - -Count = 368 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203 -CT = B1B971ECE73E528CA0343BC3F9B9FFF617D2D45FBEC2E0C81F5535 - -Count = 369 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304 -CT = 36E0B2DB67E79F267E49435EC5B73D66D123B8BC97E7CAAF5EA6FE - -Count = 370 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 
000102030405 -CT = 28D1565CED2D7E1B3866A91C2940D057ED838DCA26CA07A72C1F81 - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A640A55630CE0EADFDF0C09289CD6C00D - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304050607 -CT = D60875BC195DDE295361AF4A5BBB2F2F4C6510CEB1E621C7425BC4 - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E1368BD386F8C6FD01163B37E0A1835EC570 - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD18823FC83F886BDD07922CA49C76CA907 - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4953AE156C4A331978D8D6C30F66E2D67 - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5CB4E9CD9471DF1CE11A599A24E700E531 - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501B18E1C5478C613AF7F9462F6187607D0 - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E6772432F465E8E11C8D1F59FE45ED7DA47 - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A7E9AB0BC2C8AF227E22E0BFA36B184F7A - -Count = 380 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E435AEC425949DCF4941A555BD1C14125A - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD63612528B2B9155B6221253B9935B91043A5F8 - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF457F9C9FB8EAB9B4717521D43C53F453172 - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA19C9791AF6D909E5489FB4AAF30C89C01 - -Count = 384 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF57113EB607775DA505BA718270D74F781 - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F71CBA5F2E8EDB16E04E71152D8273A4A - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB19B5DE3439F7B0F2403F9F6F74F597E6CC - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CDA0670398A1B743D43CD6961AD2C3BE5 - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
B4989F21A51BA8D6624BEB018D3A22C89391C7976F56D3C3600664 - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A595AF6C7CF59451AB48C16E00FF60AEF2 - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A49CD5C3BBFCA3D19CD1BEF30102F89B5E - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C4E16CB70087B6EBCA56808E396F88768F - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFFB773BCDD0CDF916CB4512991FD90E81C - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D8178A1883F799B5DC508D667ACF2DD645A60 - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12EA3F56AD72851CB734C6D5FE8FCDFC7B4 - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323F589C55B961B0857E10A5FD238AD994D - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB06EA4FBA1D5BD5B1F66AF7ACFEAD1CA 
- -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = -CT = 35D7CEAD7DB14E4816787F463AD98F1C95F345860603C361429A4782 - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00 -CT = A725E931A0E1C4F45A84F2B7B0324BF07147B9BBFF103EA9C7D1184B - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001 -CT = 4426F96A072FA511D99063C6B81B7428C6DC7F48F02B3B2BEA217BA1 - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102 -CT = B15378691AB46AC08404F4CD7F2AD8584A75717D253E7D8036EFA851 - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E57FAFCA91DF96F42AA01B74C85D4D706 - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DDD50718CCD6C87D6EB986AAD1303CED50 - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D56268CB81F94DA84B7D29364AAFABAA9F - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604B29F06A98FFF437F8BB24D872E18530 - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C139855830A6823EEA7BE13674FACA2B9 - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC00B000CF86C289D4ADC1E60830F1CBDC - -Count = 
407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB0267FAA21DAE755800EE22905344AFCE - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B1C972C725788A01A8FBC1EC81DEC984E2 - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D2041A59CA0C6E799153028AF1615A6A1 - -Count = 410 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C28F47D01B6CE26C1592BA9A577341E64E - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAD1789A4210DE70D4F08019844F65797A - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A7864281C235EB3BB43B3FC8AEDCC8EF6BCB - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E45009567D8C4A8F67F0C3765ACF07AF4D2C - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252923901FF947048AA948F26522A561EBE7 - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571AFA0EE65C1E41D2C5C4D0A0A8E072E571 - -Count = 416 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1732277DF285E3D2D1AB5BA89CD69D29E13 - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7CAE25FBDBD045128A60D29EB106AFFF9 - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88093D4E318ADAB2877D2C4D9AA53215F1 - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199F65CA992AD4DCE2727DCD9F23F0406B69 - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF89209319C47449AB69B5650AB872946B1 - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66BC61EFD1E6A41885FDECF6D30C137363 - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C67688A415FA69F400428AC2629E232815 - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C83A31ACC3398B51D4E489CB42AFA76BC7 - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F4D4D0281350A08CFCCBB5B91125D81C2 - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C2230191A66E0450B60474681B1B0C0EA - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884DAE6D10482F593BC7A538AB69EEAB7A6 - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65089CD91E6DBFACD06E3342C5534CF5DA - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323291D83A5DC6E4616173A0933E2147124DC - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB4E93975418EB2EAF9FAABAAD13A824E99 - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = -CT = 35D7CEAD7DB14E4816787F46E9F04D7EF51E4A0D38CA258FFB8BFD4B45 - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00 -CT = A725E931A0E1C4F45A84F2B7554004F58D87832AA4285C92BCAB97F9C1 - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001 -CT = 4426F96A072FA511D99063C675900FE9140A8742C53EDB3D6C9670F507 - -Count = 433 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102 -CT = B15378691AB46AC08404F4CD3126250B5AE725ACDF6F99FEF54C1196CF - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E399389DF256267D6115760E8425EAE9D1E - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD47999A040D9567A8F4D09CB088D64D4734 - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58C5086990480B8B2F770D6085E0271A34D - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FE8DBE7BEFEF2131F87BCDBFA67E995ED - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C748726A2A4198383D1E38C1C950FD83F33 - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC48CDFCC9F2E2B44CCC3685D1343716A735 - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2C08C4EF7A2415907A2AECF4F5DC79F81D - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13CBF79C393CBD68BE6E207382B73BEB7F9 - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 
000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B40E3C1CEE8946721A643EC6921E5B26F - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21E9DF01F43403EC7D657A5948B7D81EDC0 - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF66936BD9BC57616960535D1DE9E4122FF - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FA68BA35CCAE859D1F63C17CF1FF508519 - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501AF7AFD41DAA1F32DBCEE0EA8555064BF0 - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD636125299973955C7CA24033A35B6F0083B8132898 - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A32ACE2AB37925427911A14010C3804AFBE - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F2CD7BCDC4F4F3891D9789F62CF459616 - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D77933F7EAA658837D20A9D0FAA976CADA14 - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT 
= 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB1DB6B0315244872F58FD90D083C1C776 - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA81D62BEF5EFA6BA8949E32B295A7374B1 - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B982E04F9CE3EA01961D77C94DF373C70E - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB6685E7188D3EE4E2EED75F2E93E4B17DD9B2 - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E563E3DE03FFD265F75112BDD4C4D6DFB9 - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C8918192B85CC1E218BD357AE6EA726B19B2 - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A3795D4B43BCAE26DE01667D3B9B03632 - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C98E6B9AC62A2F76F9B14916BFCFC13367E - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D81788485772B0903D75E702F516CFD7085BFF449 - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D44E4B9BCF9C3C8808F94B916CB0E17CCA - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297AFA7A7E61EABCB01EFC15FABA5F105FAB - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479F93A1BC3E5D04B0695D29A30D919ED6A - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB6815039497154663E6F7B0CA5CE17056 - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B63FAF86C45E64B40CD14EFB06F59D04F - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = 4426F96A072FA511D99063C6752BD65FC9F7AB1EDB7E9E7148B7EB875605 - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA9DC0640CF4D2A13CB8B5632B040A45F9 - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E39102022225815DB471DD96F5DA8E02AB55D - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D5DB3DCD6538E55FE272C14012CA31BA9 - -Count = 469 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF3E96005AA9B905081756AC7D2CCE0385 - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB0A761590248E62EEF1076F4DA6D52C3BB - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A7E502085CBEF1BBDB4B9682018D2F3890 - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E6B336EB8045ED49AC1720C91A0B89062 - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8A9478FBB46C91F7D83F6C3354F05759C - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B49B38969EC9EDD6D0EB437D2241EFB6D - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EAD96F65C1F751071608E1DF1E5556506 - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF0951261CBA8F2B0F5E2907AA5A9102B93 - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 
000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68DD5780138B47534602567D7C7C0280C04 - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA5B893367C1A4E7E20C743763DB0B210BE - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A890EEE609FAF4971A2681FC097BD73F8C1 - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CAF36C46A321202943F08C4AF2B51F412C - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A3283910DCA88657D2199C6D61BC4D069BA1E - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F32D60D717EA88ADCE56CFFC7F71B97F284 - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D77908F700EB0E6C811337F4EB3AE6F3234613 - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB914C1069DEC628CB9EF612C22C4452C896 - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA852215103AB93312872F869240F6F984308 - -Count = 486 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B9788835D04E4C36BCFA11E97A7FCA9907A4 - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB668548E1831D622C28AB11F796B36265E3CA07 - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58BD7BB2F05943D6F5545F789AEAC1BBC0D - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C89182A65FA9CF04656D7C30D42F4A75E8E7C8 - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7BFC29D7C0E22B3074F28A04C805E9F19A - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F9C3BEDA0B4629CCD9D13BF9B42D1340C - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D8178848521F4D0DA889F8A29F7BAF53288535BE0B4 - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BFEFDBADD1D73609EFD373FA1E1BF28E1 - -Count = 
494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A2526DCF7B795391BFBD6A794B564E437BC - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0400E3E24ACD3E192F49E81872CDCD216 - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E486201057C51E2F61350555A33BB94EE - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B2D360A19093773F0276367BD6E00DE11 - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = 4426F96A072FA511D99063C6752B19EA6CCCAFA0999B405A0F27EEFC7B7083 - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3F4024BB3A7D297289C91684C7AAF83F4B - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BF16AC0E349C6E3B6E8A0BAE4F090117E0 - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45EDEDE6024ABC2EBBC34A7BB7F0B57283 - -Count = 502 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF166F004C1060F9513E71D6F6E4F3B908DC - -Count = 503 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D86C36F9BBEAE394CDD4AA8CFC7FB60A0 - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70E32AD32BFFB4C2242D2B15010796C7427 - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF98AB8932D40806889F7C37B5ED26FBB - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F44FBF95294B4FC942FAAEFB4D80367CB8 - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07EDFF1F50FB39C63D681D4837CC59BE40 - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA41A365A98E1BBE8490150BE0CB8C3CCCF - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C7940C04B2313515D1E7BE79D172EF5D9 - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D786D83923941EB13544B60778ED67C3D65 - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564A733C12AB6C1835E8A06E3E6E220FEA4 - 
-Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9991E5DE43620CDCB05F700717A6FFB3A - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E1131EE06B6F4B360C4C1DE407823D39A - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A32832690C038AC3D24C7D4A003F561689CA5C0 - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328C64A1D70C99C9A1FC3702F0D554C63EC9 - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813EC8A4DC41FE275C96D0076627B6FE76F - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147143CF8FC0BC408B023F3F62D5513BE49 - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520E2547640B06AFD2F614F45EEA068D3B64 - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A79A36413A8E69084FDD5E2174C79E3D45 - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB668548268F3DC20E47E5519707C04D58A8BFCD7D - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B840844AD6870C46E8C00C72E0E75E95067 - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F387F54383E39866FA693916E54EBF609 - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF97969FE697459510BA517CF28F69B7F - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A30F23C2DFEB8C9A795A8D6C3A823A415 - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D81788485218502614590209990C53539546C43A9CA58 - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA25D24597E56162CF704614A6F9E68BC47 - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255DFF87FD19FEDC365E37066A22CDCD80C0 - 
-Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC5A921F31AE8FD3B14A87E8F4DA924B0C - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F61E3770F386BF3DB3675C0C70F043D05 - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B8795E0B01C023A5C1CDCD582314D727FEF - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = 4426F96A072FA511D99063C6752B190847EDB9C3701C746E2F8C27299C398798 - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE377E2179D73DF1E98C771D8CCD999F0DB - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC41DD7C51438F17A7FE39343FF23C99AB4 - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D2610F595730D5D153E1AAA2872585958C - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF163765F21527085809492E6B48A763A38233 - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D9442B7D3E5EFFA0E4DA3959423E32C7E60 - -Count = 537 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC5CB3DAC8B31B9118FE038838A2F39D226 - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2A8B2007597AF648AABBD2606728CD9C2 - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43DA6D650FA7FC4134BFB020C56C325D1FA - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C936457F3E7EB9BACB26A75572FA1A8A59 - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA49925924259B4D92DDB9C50F7DF361FA816 - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C2CC4134D8D210EC99499DAF74A84887100 - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF9574C0CA2815453E0052E99611CE390E - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C21E87779CF06364B7EB6EE7831C6EF45A - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = 
834287945F8B85B2BD01E4501A89C9A30485FE51DA7BE31E0FE87280DD7A7912 - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E4233663C034680D2122B92C500D93690EA - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C37FA4C2757F2749042DF63747E58ADC7F - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC74B7F8F9E8B8D05DC7B8EFC28C7466A5C - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AADD3F4AC28F8D9ADF8A063932C6FF05A5 - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E0D1367C9981E4477D53C20502C44CAA6B - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520EF687D2D62D022D7AB4D31E98DE07BB9F22 - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A7116475BC2BE5A521BE62BA8DCFDE9F82E2 - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
B4989F21A51BA8D6624BEB66854826B943CF0BD7D5F4BB35753FC65E9846C828 - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846174FF31419446132E8E1E6E4FB2C105BA - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A33B94C75A23537D68257DC04A415517F - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF55EAF753FF5136DAF8CE06D519A097F86 - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AAB1D278F34069B13166F778C75BEC170 - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD921186A35CDFD30248A68F61E79613FE - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E588BE871466FF6FACB109EBCE7BAC797D - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D248BD71A961E72284AB504CDB05AF7E148 - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46460D6A42E0F4ED3317DDE9127778E541 - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373D02DABAE0A1CFAA910629D6C8125BC4 - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BBD90208C0C1F4CE6E00F8E6049EE7D94F - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = 4426F96A072FA511D99063C6752B190896C76FA3C4A0474E0B369DA810373CB325 - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FEAD0A12AD31DAF6BDF5D4DE977E516F2A - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D3754650A68C69C9E72A390A514317B1AD - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D283A1CEBA0191207B8B3FE1751651DC56C0 - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CAA270AD5D45C8F0C221CA8BBF0B5AF4C8 - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FB520D8872660A20FFF19CA35CB7652B6C - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B 
-PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC5378B1F740276F0650235A073277A4BDF02 - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2415F50A42C049F1D05D0444F7A518BECD5 - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D308C5686B83C700736FFC56AAD74BF414B - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979785BF7CAA6FEAB725C2E79DBCB7A8DF0 - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A00A7291D08B5A1E10B4A3A66CF3810F0D - -Count = 575 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C2CB928FD12750FFFA71BFE00A63485BD38C3 - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF6273E4F4B57CD22B8E628AD5FF8867F063 - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D6280FBB60B39CF908C90D0330DD70D4B - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = 
834287945F8B85B2BD01E4501A89C9A3B5D37D0150AD45B3C785B52FBE1D3FB6E9 - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E4209D2AF0F7766B219C3BEAAB77008ECC90C - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C1C5F0EBE4787E41657803A98538AEBE - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E2DEC2E97E291E0F1A40A55B71F190AEA - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA899FAE83E954E7E2022B7773589340791F - -Count = 583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06D8C3AF19ACD89C26287F543B791D361F3 - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520EF6D8B12D459014153EDB73725C7E9F76F69F - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A882666920E0D5F01DDF5009DFB5C59CC4 - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B5AE9A1CF67977B23F203AC1AC1E82CA - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B84613335B53083F2E276CD28EF91BF4170B839 - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B2633BB7A73A47702EE729EB0DD21938B - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EAC4C1B42A0F3E1F6444A7B62E14486A6F - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEB989F9C37B7F1DE28960D35AA0E800FE7 - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD45422D9BB0B2ED3D272F8941652CED13AA - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D22A6CBCAEB8B35ECADDEF04E2FFA6F275 - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247ACDE956B4162FBA32E5FEE457C095054F - -Count = 594 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E97433F61D801943691694F27F80F8FE42 - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373E3FC2956D5083A3B4AAD1FD53E2FBB662 - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB61A469F4F750737FFC23E63347FF0E4DAB - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = 4426F96A072FA511D99063C6752B19089662143015F78C281B4AA07969E71278E3B1 - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0A9E6CAB3B53CBA44EAA84E110E9B61FEF - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D3176B926CF579F8CB3954741FE9F6EFB94D - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344A5E28D81A0E1F86B240EBDFE0CF6999A - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CA679038BA2E902A6722D113C69DE2B3487E - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = 
5A8DBE79CDF0A31891E65A604FB00D94FBB1F4297ADB5C00EAD2A16FB1CDDCED187D - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9C3F312019C7B327487AB5EDF100AE1DC - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F3FA3CF7153166161EAFF747BB78E4E70 - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A616059539BAA49DC51FAFA23171690A - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979E041CFB0C0AF0C366970B564B311B3F9DF - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A833C37D80AC498927DDE9034E82E08E32 - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C2CB9FE2300EA0EBC4922C1F9F342A96E775D75 - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F241728CF8FEF310AAC4C491CC266F56C0 - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88C2AF0A0F687415361AFD6682D30D2B88 - -Count = 611 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9A3B557C5A4E309CC608A25B069283948B24EC4 - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E42090169CFEDE75020E502F8D745C0F619D727 - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C3D26CD4BDFF942C1AD11D75FA363576F5 - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E334D0E15EE39D74A0660F5A0B354E0ABD6 - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA89B7EDB5724F83F1339C7C04314CA91F2C67 - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA18F70EE43382F0F2BC7B01F48F1258321 - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520EF6D86DF1D57EFE23F047ABD3B7F6865DD7668C - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 
F098972D35C3E57033E18CF8B978A711A85425C3883476D6AECC3035335EBFC57B83 - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B455A2875D51E75D57A63868E04E5066AA - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B84613362DB6A7EDFA217DE1FE1A00742A4D7C66E - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B00F0D48D63410EFCB4024D13DCDF17DD20 - -Count = 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D0D44F81C54EDB0050BA7143DF8F6ED7E - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF4E22633F14D0E5E118D3FD2D0B43F8838 - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD4552B208A719B8AD0603755B7C73AED17CA4 - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D276560509A7C6B3BC118B293B3006AA001F - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247AA3BD699260AA14FCDA0CEE920BEA26B286 - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E9087AA9D223581F56528C10489B2E2BE946 - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373E40CB341E8ACAA1DF9EDCE2C596DFB6DB2D - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB6102D84008A82B703B4CE36D17A374F0B377 - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = 4426F96A072FA511D99063C6752B1908966255D6E6E80BFBA72C216CA44C10EE7071FD - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDF9E37FD4674F570332F8CBFA1FD355F1 - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D3171729AD0A928B39AA0962EBEE896F23DFB1 - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344ABD3AA221599929474930572AFBFFE3039 - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = 
28D1565CED2D7E1B3866A9D58CEF1637CA67763BEAE560481914AD60EE338342C081C1 - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB173C7DF762FDFE1840F85A89C01E42BEF07 - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9D2F3C89D4BAE0EC969B84E064D061BC871 - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F9AD579353A47FC620ADABFEEB1F9BDBD35 - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A644B4617810258BD02DD4B42DE1DD16B1 - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979E0FA55C7E3EF05E7D9728CDBD962F40070E0 - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A828CFF6789F2050343F1DB09C092C203A3A - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C2CB9FE71E61133286A3B67F76DC0A19FBF191CDB - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E5AD654F85BD9D208C8700EA731D763F3C - -Count = 643 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88F7657136021B21847B10871EE8F2C4364E - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9A3B557F1040DCF5FDD9F5908FDE8ADDF8C4E29DB - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E420901996AD3944225C594CC946C5B8DFD97BBB6 - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C3C0BBFE22246FD5992A41B69D0B3BE52E8A - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E33D3477BF21084215436D44D1ED202595682 - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA89B7D2DA517E1B4DCF23786C5FB16A709F9F44 - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA191D6F199B48F56AB7400F22BFAF367A7B2 - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
C679FEBD0374A93955EB199FA8520EF6D86D45C7932D4333776DD9F1EEF90F569FFE10 - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A854A64A99FA40C5965BB45F9795009693A8E0 - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B454D3A1AEF00CDAEB0C0EE97CDF21515525 - -Count = 653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846133627C0384382AE96794DCC50892C7CA1CB12E - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B001639190A318CA3B7B13E98573173F525AB - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B723C476FF22D3D02EA5A050933409028 - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF480FC11569EE441D4B3109C5B52407CD0A2 - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD45521868D579956359751412BC95046DB43C7B - -Count = 658 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763C46DF3414CA7DABB61D26A515A44BADA7 - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247AA38FC8EC8B2FA3773268723AD493F87CB09B - -Count = 660 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E9085C671F1C055C25E1E77A015558D57C5502 - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373E40A767B07EAC4731CD7BD22E224F606EC372 - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB6102832713466AEEF04592581CDFD890A60DA3 - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = 4426F96A072FA511D99063C6752B1908966255062B723BFA84D0781AD324122347142A6A - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDE13D9083C51FDF0C98D3095BA282BF275E - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D317173150FF63D63BE2BCB60CC19C00C3040662 - -Count = 666 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344AB5AF5C47CFC5080E4D4C086C28FECDC56AF - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CA6776771E14CC733E2485A7CCF1FD745182B4A8 - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB17315A9DBDC9225180D4CFA62D73DAF7A2622 - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9D25725DC24BA7ACD5BE184877622C376AF60 - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F9A54CC5B9D9F1C49B131184F3D65FCB6D926 - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A6771F2D3FC6807761DD899E815CFFD0D080 - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979E0FAEA11CC170A51E3579D17329E0A6E4E64A5 - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A828635D4F308F938DCC1573DD693B2462F1F0 - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C2CB9FE7184C07BB265972A6FFD26F8720E29A16555 - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E568F0CCA24DDC07CBE1C7E6E1F29C2D578C - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88F7FE0A83DB4B4597BC02E1B31CFECE335D3E - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9A3B557F17F4B6C85126EFBCA5741CF4655F7BAE93E - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E420901998AFC3EA9498BB8A504E60D5E586B8D63A2 - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C3C00C07A179D0DE3BAB8D4DC5A70A889217AA - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E33D389CE4A26604D86235FCA78B53C1AA48010 - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA89B7D232A586939C0B58B0E5EA5F194D313D0040 - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA191C5D165E6532CF0C4F6EBF1D94E2674B314 - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520EF6D86D4571BB0B3A7A2AB4FE68BC7FCDF07ECBD267 - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A854A61E3F5680A0B950DACFBCC06AA99094F4EA - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B454212C190FDF96870A2C3F871959BB68FC1F - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846133627CB3ADE236785CBE99CF09C6133E05F9AF57 - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B0016492AE0F277B8261E1FB3BDAC45B7EF492E - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B53277CB77F5A737D1683B4B41AC99738BA - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF4802BBC1F6BBCC8C6B5FB7BC5FAAA89A10D9D - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD45521863CDA4E8C619769BC5A61D21E7D6A44886 - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763CFAD2482B4F51571CCF116A8A281BB741DD - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247AA38FC4414B9620F8F16F01881ABFCF7940F066 - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E9085C0A4D4EBDBC0BEBFF877090C201B3C5FC05 - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373E40A703AB19CE2B4AB27724C26C9BE762BD4A28 - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB610283D48AA857C5757C02173AF15FE31319153D - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = 4426F96A072FA511D99063C6752B190896625506FDEC05786C2FDDEF37CB457F4D201492C2 - -Count = 697 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDE13B9AA364FA993E1626B3AE6C67618BF1ED - -Count = 698 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D31717318DD61F7D48912F89FAF539CF81E677F9B9 - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344AB5AF33A0124A003EBA4FBCB6E1CC4B5886FD4 - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CA6776771D8CA76997AFD365F41DE7EDF071DBDCBB - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB17315FF3D1C7D41426FF7B26907B088A29D6646 - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9D25745040888C1B211284DA55D64629ADB4E5D - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F9A54B9DF2F14CF30E1A2772955D3BE1FB558F0 - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A6774BB5EEF65473675A9DD1ECEF089B09007A - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979E0FAEA9D123205DDB901382CB8C5CD7520796D48 - -Count = 706 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A828630336BED6E2895A65B29FFDC1ACE43BFCDE - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C2CB9FE7184D50BC0FCF46149BF6CB5FDB04CC2CFC309 - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E568C8A778DB00B6BA0D0FA00DF20508995ACC - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88F7FE3F39E456580529DAE5737DF976F56C192B - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9A3B557F17F6FEA150D0B0EDBBA3117C7FA1D0A414340 - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E420901998AED8665BC736A87FA9FD95D77692ADA5339 - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C3C00CF27DC6D45C877F7E678F88CD3799DF5E81 - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E33D389364B1D5134DE1651900ED690BDC40EEE7A - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA89B7D23264E11DDDBCB7036DF24C6F67153AF0D6E4 - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA191C59BE23A5A17CC83D03D02BB9E2C0FDBDDD7 - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520EF6D86D45711F38CBD2841C8514C2A3104A69445A1897 - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A854A61ED9D6665C7BED65D3D5086DB1BC1FCDE8D7 - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B454214BDD6833AA1260DC5E70648DAEC6EDE16E - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846133627CB30D50128ADA7929740878CCD4125140DE3A - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B001649BA96F4158F15D9CF78003B46B21DD38B38 - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B5358D52409938A275270F0BA2D217B82DE16 - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF4802B730CEF2C6AB3CE371857AC2A04162C229C - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD455218630DBCFEB6894A8C13D20A730F6D45087E1E - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763CFA6CF5001409547AD66825A261C5DA3F4475 - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247AA38FC42E433463B15A9C3CF8433797FF3317C4A3 - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E9085C0AD07D46A28ACCEC2AD502D8D5623FF0D3C8 - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = 
35D7CEAD7DB14E4816787F46E9FB0E7F373E40A703862E09F0CD5A8D355E56C2B32CB7488E4A - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB610283D41AE39B5955C68BE5A22165ADEEAC8C529D - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = 4426F96A072FA511D99063C6752B190896625506FD4B512EDB6BD12C3BA707BA332361300D35 - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDE13BA73670CBF80BDB19DBDB132216897596BA - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D31717318DC460319A0E89184322CFC49E8608D169B6 - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344AB5AF38287762CF0460C64ED3B83889BE059DDBF - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CA6776771DBA2A77473E4E8E5A877BA78CFED837FBCA - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB17315FFD011168793E048FD049C6405D4468DFF4B - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9D257457617A377A0BEF5CEB1DD4256B9E0A47394 - -Count = 
736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F9A54B9D7413F06B127D09559297026AE50A9E863 - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A6774BEE5B86E8A92C250B9F13215787ACF008D8 - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979E0FAEA9DB56E62C531B91869BFD70982E1EE0F138E - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A8286303844646C79CF012FECCCBDD5AC3B1BCBCA5 - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C2CB9FE7184D575CF3D9B130E2A0D1A57EA5628197F1C10 - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E568C8C2A732BC8808A5F81F74739690CDDC29D7 - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88F7FE3FF0A742D34FDC22D7E48DF1FEE2E9AF71BE - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = 
834287945F8B85B2BD01E4501A89C9A3B557F17F6F771D665C550E4C1AD5149F4184B4898329 - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E420901998AED1FB7A5A333425F34277CFF011929FFEEB0 - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C3C00CF2A957945D297FED84D13B14F5C9A7327E17 - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E33D389366DB711E81C345BD55F5C005FD4FDF4D330 - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA89B7D2326474000FFA664E13D03F877AB277F1B6CEB7 - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA191C59B75BDB6FDDDDB20B82A45CB1F229E1F7C2D - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520EF6D86D45711F72A4F19D9DDEDE2B96FB4670CBBA396AD8 - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A854A61ED9910D30523DEAE6E29E062DC1F2CA93390E - -Count = 751 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B454214B86BF18C3B153467A377BD31CBC50EAE46F - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846133627CB30D08C36A99601F4FCB1FEA61BD9CF2E92773 - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B001649BABAF9E27D83590AA4FC09E1817321AD161F - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B5358294B3553524846EE94FD7494599A70190A - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF4802B736FD1AD1A9575E52A9BDBC791ACA90A956C - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD455218630DBB9E3B456AF2B92A48F0E05594CB8F4BDD - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763CFA6CB9343EC01275DE864CB28F4B8328BF0902 - -Count = 758 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247AA38FC42E4B8DBF5CCBF6F7F5917AEE20B60E4C8126 - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E9085C0AD01C15CA4DC531CD904478ABFB76B527ACCF - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373E40A70386E70941EE21809DF01629DFEF710916C802 - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB610283D41A1607D6B15E447C114247273A987A826850 - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = 4426F96A072FA511D99063C6752B190896625506FD4BBBE3459EE05CF2299D82781EE69EA8DF33 - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDE13BA74D610B9AE1A0C5C6EE52544E5EF1A3E13A - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D31717318DC4E27E5DC4010526DC61BD77E4D60D4838DC - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344AB5AF38298271A90ABA3697CDE45323A76EAA9EDD4 - 
-Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CA6776771DBA02A2CEA9C744D58E31C9B7C404D9F165D4 - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB17315FFD05EE3D454C28C146559DA149DA53689AEBD - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9D25745767F1C8F448C5531D2D93403BE449D018AED - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F9A54B9D7F67DF4DD2DBE462111A0382D26D9829B73 - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A6774BEE9DB70B1E727C4FB631F3B4733620CEDD37 - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979E0FAEA9DB5552199683ACC403BE4374E74E0650B1468 - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A82863038494B17A2B0898BBEAE343DE302DDC6A5B6B - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = 
D82115EDF54811FC5B2501C21EF09C2CB9FE7184D57515BC40C7ABD680D427BE9E52BD01F94972 - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E568C8C22C2DED859316FC1684B743590EB62DB34E - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88F7FE3FF02B32554D503F122A2FD696F6D7F5900830 - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9A3B557F17F6F77C5BD6BCDDA9F3B7E31FCE087C0F0CAA7AF - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E420901998AED1F4EAB32E75D27A7B27647C82FF97D5BC1D2 - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C3C00CF2A9E81C3BBADAD4B4B2043233FF7828928D2B - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E33D389366D6013F0453DCF8AD527D35500B55C3B1CD8 - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA89B7D23264748DC743D48CB267A5D73FD4576E57415B32 - -Count = 781 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA191C59B750CC45F52878671A344176D0F7D88D47BBA - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520EF6D86D45711F72BDF4AA3764A81E68E0EB49A0EBFF679F07 - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A854A61ED991B68C97839C0E2548FB36106CF6F4CFCDE3 - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B454214B861EF533FF6E140CF85E777A65427CF01C26 - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846133627CB30D08D09A4AD7E7B7296508BE1067A09F38264C - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B001649BABA0037BEF6CFC44E65227904FAA8D2F5A3D6 - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B53582915726347DCBA4209C632D7FBCB3043B48B - -Count = 788 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF4802B736FA1172E0A03EE1E18D58AB63FC9AB00D6FD - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD455218630DBB13DBF3F8D250053D6284227E998B1B6FFF - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763CFA6CB99BE556BE5E321247C328A1788AB4423708 - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247AA38FC42E4B488A4C31ABF390F1F73DB59EE385FC68FC - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E9085C0AD01C24969B8E06D6D563B1D66747C7228CCEE9 - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373E40A70386E7EBF0261FFBF96433FAB827ABC23A3E9A1B - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB610283D41A1685439BDD9868F672F6F698AC67A74EC97C - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = 4426F96A072FA511D99063C6752B190896625506FD4BBB485523EBAC2D75663EDC45626881C86423 - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDE13BA74DBF3227B9F5E199D98347241FD250CE3704 - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D31717318DC4E2C4621231CE502906BEF1B3BB712FD89DB9 - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344AB5AF38298BE8627612295370D112C22A2EA280326C9 - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CA6776771DBA02F7F125B54A74522650EB7BD95E67282937 - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB17315FFD05E96EAE7947E74B34CEBEEFC8482E670741D - -Count = 801 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9D25745767F2E759BF8285F5049E0D4FF370F19137599 - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F9A54B9D7F69A2012E4B574FED2FAF209EB67DDFF7483 - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A6774BEE9DB9A3C87CC193BAB79E2AB3DDB2464E2C95 - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979E0FAEA9DB555DF46624CA2818DF23BE61B145406AB07BF - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A82863038494DF9DEA8150AA01B466582EA9E8A3E588A3 - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C2CB9FE7184D57515D90C335F099FF4968EE5A945C373346A6C - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E568C8C22C21B8F6EC60AAB19B6FFE861DDA06CB2C02 - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88F7FE3FF02BB8D01D4D93BE0A95B04BBFC1E4433E5794 - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9A3B557F17F6F77C5C1287D1B7CB72ABDF6EDFB01571C7FE094 - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 
71C2F52B0D2D22FD6361252999CA8E420901998AED1F4E7906FB787AC86F3EA560F8C613C93545CF - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C3C00CF2A9E8D4DDC81517E99611FCE2C3A0DE68096953 - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E33D389366D60F6C5338E81EF71B49EAA51BC68739EF93A - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA89B7D23264748DF4966C086F38E4CA3CF5E53A345BF412DE - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA191C59B750C2837D2CCBEE7654F866EB35770BF426CD5 - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520EF6D86D45711F72BDBB703B692FEB4267D275B5AF43DAF0E837 - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A854A61ED991B6454169993341B14CCCE8F3AB011DAB2ECA - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
B4989F21A51BA8D6624BEB66854826B903B454214B861E8447A952E4FACF2F7BB5ED3FA3419A9E27 - -Count = 818 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846133627CB30D08D07FE9241DE731EECF2E02DE35044D5E81BF - -Count = 819 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B001649BABA000020151B40077776C50E9A7415DA18BD24 - -Count = 820 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B535829152259D3583D80BFA90513399C587667ACCD - -Count = 821 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF4802B736FA16595B2AEDD56B813CF1F988C529DC52BD5 - -Count = 822 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD455218630DBB130CDE732D6F88420CAE001A4B9E9B1F400F - -Count = 823 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763CFA6CB99B648C47C4BCAB45090ECDA251EF92224A04 - -Count = 824 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247AA38FC42E4B4847AACE82AE1DFCE7697921D4FAEF53BE8C - -Count = 825 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E9085C0AD01C2427ECB5BEA0F34E3F61BA712BCDC7E2BA02 - -Count = 826 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373E40A70386E7EBB2E61D0E7C5C3E72D1ECEB5A5AF945B971 - -Count = 827 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB610283D41A16855294752BC3623417BCAA7A3DB1B136C384 - -Count = 828 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001 -CT = 4426F96A072FA511D99063C6752B190896625506FD4BBB48A76C4D19D26065E80B6DC3417529AA77FD - -Count = 829 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDE13BA74DBFC71C7EECAE04B0D692F3396A1DC31EFCC7 - -Count = 830 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D31717318DC4E2C4942EA964B0EA7C689BA2C26095C5C5FA7C - -Count = 831 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344AB5AF38298BEB042B6DA6FBBB2ED7C5019A5CB46F16E8A - -Count = 832 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CA6776771DBA02F79EF3149A7A960747FEB1ED506027619EA8 - -Count = 833 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB17315FFD05E96BE626C7670966560B7CA848E112EF52893 - -Count = 834 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9D25745767F2E884AFE3BC791FD99C6C68FF1706D2E0373 - -Count = 835 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F9A54B9D7F69A00442B6BAFDABBD6A796A490363904279E - -Count = 836 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A6774BEE9DB9D0C21F48A21B18847B91EF677961C69ADE - -Count = 837 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979E0FAEA9DB555DF432405B9F8F7B41CDDE9ADDD8D5FB1802C - -Count = 838 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A82863038494DFA173A8215BB6A5E85306E6139079A01BD4 - -Count = 839 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C -CT = 
D82115EDF54811FC5B2501C21EF09C2CB9FE7184D57515D9B43F4E8325D263C055FC1AEB69F6401611 - -Count = 840 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E568C8C22C21635FF210F079AD95380D3E886E3995C2B5 - -Count = 841 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88F7FE3FF02BB83B77D0ED07EFFE3C47B73E6BE12A6FD576 - -Count = 842 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9A3B557F17F6F77C5C15B65841E6774B5C92E0608CE4545AD36EC - -Count = 843 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E420901998AED1F4E7991B2A769183AD3200986969C6C2A876362 - -Count = 844 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C3C00CF2A9E8D485029559823E056F8D5C8F76C939CCF751 - -Count = 845 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E33D389366D60F60396335695FE559929C6135C28509EBECD - -Count = 846 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 
DA68CBAF9861AF20C22EF5D7790813AA89B7D23264748DF4456BF69972F5115CA1A408B186BD9FEA14 - -Count = 847 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA191C59B750C289BDFE1D610DCDD4EA54A2658684AFDCE34 - -Count = 848 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520EF6D86D45711F72BDBBA9724DEBE1CB2E87BA7FB012ABED391BF1 - -Count = 849 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A854A61ED991B64502354CE3ED80DFAB07C295CD4FE7497E6D - -Count = 850 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B454214B861E84F3DD544032DD79D84A5D7B8AC6BF6BCF20 - -Count = 851 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846133627CB30D08D07F8A1DE9158ECC96E7942CC26C1D620A44B2 - -Count = 852 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B001649BABA0000AFAC3D83B37A770B5F6616F0F28C4E93E0 - -Count = 853 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B5358291522861A7476C20059DABA7CF71A6F35DAC508 - -Count = 854 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF4802B736FA1654B277C5EE5214A03EACAC3553C44475A7C - -Count = 855 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD455218630DBB130C3CBC31F7A8F136FA62A3597C3525A6B559 - -Count = 856 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763CFA6CB99B6473FC97AB6716A3095773396936D96FB837 - -Count = 857 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247AA38FC42E4B4847141590017A6F9A0F98079B00BD71E4E1FB - -Count = 858 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E9085C0AD01C24278CFD70497A09EC2A38BD1595D0A9639298 - -Count = 859 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373E40A70386E7EBB2FF791FDD370E07D53B69680728F4E6849D - -Count = 860 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB610283D41A1685526B857CEB81064E73F01DC3484DD94D56FD - -Count = 861 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001 -CT = 4426F96A072FA511D99063C6752B190896625506FD4BBB48A77543D2D8EC2D6075E283E54C995D74815C - -Count = 862 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDE13BA74DBFC7E71CDF8469AB650A9B2F00A7DDB10BC73B - -Count = 863 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D31717318DC4E2C4940E156A713FFCB09197AFE16A11DE18B40C - -Count = 864 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344AB5AF38298BEB0D726E0B5BEA883F469214E80AAB5E94D13 - -Count = 865 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CA6776771DBA02F79E518BC46B58FC7336B92944FD7C2BDEBD0F - -Count = 866 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB17315FFD05E96BE4BE98C2D4D9CA085BD235AF9538DA49C05 - -Count = 867 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9D25745767F2E882C8C8C7A9284812839A937287054EE0173 - -Count = 868 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F9A54B9D7F69A00A02D75ED8983D344B207A91B9403E74F4B - -Count = 869 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A6774BEE9DB9D02BE3EBE226D74977EB8CC3A1F0B902783E - -Count = 870 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979E0FAEA9DB555DF4339434226830999386DDD725C655516660F - -Count = 871 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A82863038494DFA13484EBF33B8AB7570E95F52DAA43D4C830 - -Count = 872 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C2CB9FE7184D57515D9B4B13F1CE26C9E75D14E83B2D477889190A8 - -Count = 873 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E568C8C22C2163B50B8498FDA031930557650FA216A816E0 - -Count = 874 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88F7FE3FF02BB83BDCC7A37B62D8DB5AA62C0619DD5F914382 - -Count = 875 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 
000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9A3B557F17F6F77C5C15B6F435B013A271D5172D2C6E34B06822A4C - -Count = 876 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E420901998AED1F4E799183D729B71849ABD248EAA594087DF24359 - -Count = 877 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C3C00CF2A9E8D4855CA2D99DC4433C0C87E259F71F072B375A - -Count = 878 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E33D389366D60F603A96E42964A3F3203B8931E7A9C672FF467 - -Count = 879 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA89B7D23264748DF445D06523455C134815D4AD816B6AEBADE284 - -Count = 880 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA191C59B750C289B5B9D976587FCD4136C196B3EE2171806D8 - -Count = 881 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520EF6D86D45711F72BDBBA9163723FDF766BA7EAD01A610E5AE7D895C - -Count = 882 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A854A61ED991B6450226043D7DFBCBFA5219986180A7826BEF41 - -Count = 883 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B454214B861E84F384A9AF819DEDCD82A2DAB981D339925CAC - -Count = 884 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846133627CB30D08D07F8ACDC8A7E97E0AA9CE9946E21866E674A648 - -Count = 885 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B001649BABA0000AF575B434BBC1819434032FBD4E83704040D - -Count = 886 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B535829152286025BBBF9AAFE91D859D301AB00C670640C - -Count = 887 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF4802B736FA1654BE172AF9826BADFEEEA64CDD61A77D715AE - -Count = 888 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD455218630DBB130C3C670F82AB3A3D554788D8A3BC4427D632A1 - -Count = 889 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763CFA6CB99B6473CD5BFA8B372CA380D4087970BB555CFC7E - -Count = 890 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247AA38FC42E4B48471435B751D506C0AEF4EFF7B775A4D113F472 - -Count = 891 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E9085C0AD01C24278C95D2A6C5E4B976B41C83D913229D31600A - -Count = 892 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373E40A70386E7EBB2FF618E2AF65E29309FE88FBB0421098E1255 - -Count = 893 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB610283D41A1685526B320DF93EBD21B23B0A74B8C9F03AFA680C - -Count = 894 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001 -CT = 4426F96A072FA511D99063C6752B190896625506FD4BBB48A77514751486AA75C72DF8214D3B02D27D80A4 - -Count = 895 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDE13BA74DBFC7E7823DCC0FDD473750D9627B5AA82F836F2C - -Count = 896 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D31717318DC4E2C4940EE31446B187DDF97DD1B1B7C2026EFF4987 - -Count = 897 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344AB5AF38298BEB0D7615039A67AC339541C55A6FAD3BF3C9E71 - -Count = 898 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CA6776771DBA02F79E512B5DA9189111DB332BB67C18F1336C214C - -Count = 899 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB17315FFD05E96BE4B713674D0FB7D278995FC72A48BE79FA651 - -Count = 900 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9D25745767F2E882CE8FAFC5213A17DDB2E6C4B61098A9FE46D - -Count = 901 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F9A54B9D7F69A00A00E724D6891751087C8E523665484999CF0 - -Count = 902 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A6774BEE9DB9D02B5E6FFAB730EE17A104C3CD3D9DB9F64D5E - -Count = 903 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A -CT = 
DF24A5AF535A10459F0FB4B13C3B07C979E0FAEA9DB555DF4339BFDF623CE5CBF23677788A5D06D596AEF1 - -Count = 904 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A82863038494DFA134C1783F68E09EFC511068B91872A0B3D523 - -Count = 905 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C2CB9FE7184D57515D9B4B1E45A696C01ABFA186482954D354124391C - -Count = 906 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E568C8C22C2163B57F7859CEE6DAB68505A2B8A35C54EE7DFA - -Count = 907 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88F7FE3FF02BB83BDC925982F942090C8743C2FA63633FF615E3 - -Count = 908 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9A3B557F17F6F77C5C15B6F50C4080E7826006226E032C51E75DBBE53 - -Count = 909 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E420901998AED1F4E799183FF525C2E9A13425016ED1A3E619BE140CE - -Count = 910 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 
3602D400B36527FA6FF4571A328326C3A7C3C00CF2A9E8D4855C24ECD759322633CDED5920C7EA6FFE825F - -Count = 911 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E33D389366D60F603A9DE2C869B9A3A6B8158D69132904059582D - -Count = 912 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA89B7D23264748DF445D049A242AAC1EA88ECDDCB83711909443B27 - -Count = 913 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA191C59B750C289B5B7DDE77A0E4C85654C68B02895A7C20E22D - -Count = 914 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520EF6D86D45711F72BDBBA91614ACFAF69C187898C2CF1CF185188B6C85 - -Count = 915 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A854A61ED991B6450226C5388BC48A2FEC39CACA19DB26553672A9 - -Count = 916 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B454214B861E84F384268673D5B23FE78B2012C0476367D5C681 - -Count = 917 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD 
= 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846133627CB30D08D07F8ACD055F6275FBA2A5F6804B2D18E1C0353991 - -Count = 918 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B001649BABA0000AF57D0EF0D991525B25F0617436EA9E4C40414 - -Count = 919 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B53582915228602BAD93D5BC70E835B51D4E717CDAEBBFFC8 - -Count = 920 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF4802B736FA1654BE1DBB0B03D2DDBB0282BA22ED47BC7D5BA8D - -Count = 921 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD455218630DBB130C3C67E1E42A1F79A2258B98F1C32E0BAADDE5BB - -Count = 922 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763CFA6CB99B6473CD23AE1A739C3CBF95B2F808A2ABBFB9652A - -Count = 923 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247AA38FC42E4B48471435D2462FD5B5210CEABDBB6CD42A21973D6D - -Count = 
924 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E9085C0AD01C24278C95396C7C4FBD9E56E460920ED42460286273 - -Count = 925 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373E40A70386E7EBB2FF61D601FC8D935AE115FC68FA809EA1919000 - -Count = 926 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB610283D41A1685526B325503A5BA3F6B50C8A57F2035807BDB2E7C - -Count = 927 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001 -CT = 4426F96A072FA511D99063C6752B190896625506FD4BBB48A775141E8882CC4D961AFD82C912086FEDA9949C - -Count = 928 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDE13BA74DBFC7E7827797CEB2064A4B1F564C24A1CAFA13CC43 - -Count = 929 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D31717318DC4E2C4940EE362BEF959711B240C3BC7E52C60AD791669 - -Count = 930 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344AB5AF38298BEB0D7611ADEE07BA96159FE1A8F8371F35F52FE7B - -Count = 931 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CA6776771DBA02F79E512B9081AEEAD33C68AF7C6DE6C666CB289DE7 - -Count = 932 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB17315FFD05E96BE4B71D20FC28320D318C4D71C4976F96FD702E5 - -Count = 933 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9D25745767F2E882CE8D6998603DDE922955CCB76D8725C2A2CAA - -Count = 934 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F9A54B9D7F69A00A00ED4499479CC1001F8341116AF9B24F7BEFE - -Count = 935 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A6774BEE9DB9D02B5E20565DFFBE6544DA845804A8226104DE97 - -Count = 936 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979E0FAEA9DB555DF4339BF5601EDC543B6A92EFCBCEB8F0C9EF9BF0F - -Count = 937 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A82863038494DFA134C1887884049A9AB0D8494AEBA8774CFF008C - -Count = 938 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C -CT = 
D82115EDF54811FC5B2501C21EF09C2CB9FE7184D57515D9B4B1E42A9D43B5C6CDA79A6A339824CB04987E35 - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E568C8C22C2163B57F186A9822EA6C684361A395381A5E0BABDC - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88F7FE3FF02BB83BDC9270712B41E8B77D57C4F114AE43E2E8EBA4 - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9A3B557F17F6F77C5C15B6F5071B9358EA104014C4CBE6D2CA19AC5B093 - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E420901998AED1F4E799183FF47AEE72E57C659F3C43FF6E8BE0A243BE3 - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C3C00CF2A9E8D4855C242BFC55AAD3EF3C5C00DC74A863A4E0DD28 - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E33D389366D60F603A9DE037533D8925587278CC5889B95D2D961B9 - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 
000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA89B7D23264748DF445D049BE21227510F979C4EDACB5E171055D9E22 - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA191C59B750C289B5B7D9F5D9713031EA86095DB2680989F4A7DC5 - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520EF6D86D45711F72BDBBA91614508B32298E2C5067AC946C0177B6531346 - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A854A61ED991B6450226C5DF82E4819FEC617BE12785CC9912A737C0 - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B454214B861E84F3842627D1672771DDAD37804BDA50047078EF8D - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846133627CB30D08D07F8ACD05355BAE4472689D5A3E25F96806CDC128B5 - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B001649BABA0000AF57D0A16DC3A871B0C9156386A2DFBFE949454B - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B53582915228602BA6C8D90F610D6B809C130BDC6A58F4C1705 - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF4802B736FA1654BE1DB67AC2FC2C5775D4892733E716E9C3476DB - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD455218630DBB130C3C67E1D1D7692B93FFD21A5B09E836DE2ED82342 - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763CFA6CB99B6473CD23FA90E8801038161C888FCCC61093ED97A6 - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247AA38FC42E4B48471435D21AC86405D8633B765DBA54CCFAEFC61D35 - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E9085C0AD01C24278C953900708D73678561D58F000B2947246B9520 - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = 
35D7CEAD7DB14E4816787F46E9FB0E7F373E40A70386E7EBB2FF61D6F4E46AE3E4E09C9086B8C0A1104674F7AB - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB610283D41A1685526B32555045A364085E5A7F9862C1360E0D1F5DCA - -Count = 960 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = 4426F96A072FA511D99063C6752B190896625506FD4BBB48A775141EED0A6E55536B55EE14E1CB0196756CD8EC - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDE13BA74DBFC7E7827786532AD1FDDFA552420E08917678E53782 - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D31717318DC4E2C4940EE362E5EA5BCBF7C268164041E925D916E69775 - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344AB5AF38298BEB0D7611A97E551CDDD5F8B13A65518F50CBA31970B - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CA6776771DBA02F79E512B90EDA50007834FFADEF42B3EF8C93FEF71A3 - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB17315FFD05E96BE4B71D2413395545AAF23E2007276B2A690448759 - -Count = 966 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9D25745767F2E882CE8D62AF57A18DE0800CC731FE304B6FD925626 - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F9A54B9D7F69A00A00ED4EED52F7447E3DFFD19163A00B513B14C9F - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A6774BEE9DB9D02B5E20579595A3F38CBBD4F88EB7B967DD555BE1 - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979E0FAEA9DB555DF4339BF56C32EDD79AF4098E217C976389DFFCE7190 - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A82863038494DFA134C18826640D8A06E581BD20620F8219A2A7B1DA - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C2CB9FE7184D57515D9B4B1E42A067198E9F827C33E4B4192BA44A14748E9 - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E568C8C22C2163B57F18FDBC34980E8700FDD27925921F631E33FB - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce 
= 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88F7FE3FF02BB83BDC92708589EA0C1FA6EEFDCA2E628C91A4B7E2E8 - -Count = 974 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9A3B557F17F6F77C5C15B6F5071C5A3046695D23283B89E72FA1079604955 - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E420901998AED1F4E799183FF4712B70ABA9ABFFCDF6212A43531BFDD71F0 - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C3C00CF2A9E8D4855C242BEA73A61A037F447346B0591A3B5A79535B - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E33D389366D60F603A9DE0353CF315A892C002CFC48B9A5E96E1D5FB7 - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA89B7D23264748DF445D049BE141486845D00714E0EC920905B9B8AEE7F - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA191C59B750C289B5B7D9F85F731EAD083C51C1F3D4B702E0C5CEB8A - 
-Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C679FEBD0374A93955EB199FA8520EF6D86D45711F72BDBBA91614501AC3E77839E574FA9D7ADD25FE6F70516A - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A854A61ED991B6450226C5DF36483C8C62E4347AB8939EF91DBB47E29C - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B454214B861E84F3842627AA9462AA1CC949204E5C7BB565D47D8238 - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846133627CB30D08D07F8ACD05359897E281CE65904E940FDEB9F1472FBB92 - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B001649BABA0000AF57D0A11E96BA966040A7E04E6F7E0D014F3C6515 - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B53582915228602BA6CD795773895DBA3FCF4EA8836A21DB04B6A - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF4802B736FA1654BE1DB67556C2D873888A7E654223E927F6A064F6B - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD455218630DBB130C3C67E1D148320CFD07E8103AFBF1B436434AF15E69 - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763CFA6CB99B6473CD23FA74FC53C7842DD67EBF7F5A443257C81C1F - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247AA38FC42E4B48471435D21A4BA37315F5521B7B0FE1C20AC216D2496A - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E9085C0AD01C24278C953900F7A1D2BD913C2BF7824695CBB21E3EF7DC - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373E40A70386E7EBB2FF61D6F4AF017EE2449038D2610DA50AF512955078 - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB610283D41A1685526B325550C2888702703F9E8ECF28D727BC5CAC20E6 - -Count = 993 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = 4426F96A072FA511D99063C6752B190896625506FD4BBB48A775141EED5275E9D0A99AF622B0526FC1C079077DB6 - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDE13BA74DBFC7E7827786B1482B7778D63F6768E60E6B6AC078FD9C - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D31717318DC4E2C4940EE362E51471602E2F397FDDBE404542D16EBD7CDC - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344AB5AF38298BEB0D7611A97883E9CEC7D2C7D8378EC22088CFFCFC8BC - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CA6776771DBA02F79E512B90ED13545E44452CAA6A070AAC5555BDFA0CF8 - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB17315FFD05E96BE4B71D241C5B74453EB6C5DE69604A0FF8E94E84EF0 - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9D25745767F2E882CE8D62A42D36D260AFEAF3363B5523F4A561A807F - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F9A54B9D7F69A00A00ED4EE6522FE27C32893043B5625C4C50EA5D1A2 - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A6774BEE9DB9D02B5E20571DEE4659265D61E8499B053C90591BAA58 - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979E0FAEA9DB555DF4339BF56C3363C453C854963114871C7DAEBD139BBB3 - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A82863038494DFA134C188268814511C0D1148B0E07D256E713DA67EBA - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C2CB9FE7184D57515D9B4B1E42A0623FD2B905CBC170833D50D2BFE8436CCFA - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E568C8C22C2163B57F18FD2275FAE299B8B2FB5A970C5676E97231D8 - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88F7FE3FF02BB83BDC927085C743CC8D3A1373B77AD91804DA26A402BD - -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9A3B557F17F6F77C5C15B6F5071C52EDF2ED1A8F42AA9F370C5F611C6C06ABD - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E420901998AED1F4E799183FF4712DA93DDD7B5EC28FBC7C6242F91051821D9 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C3C00CF2A9E8D4855C242BEA3B8D49DCF1A6366E314C708FD8E6B3FF7E - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E33D389366D60F603A9DE0353A13E4C3A6A221B3720A212A3B866913799 - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA89B7D23264748DF445D049BE14381BC299EA05B4481E46065AC182BCF60A - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA191C59B750C289B5B7D9F8518872CA509FA76E955035282C573242703 - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
C679FEBD0374A93955EB199FA8520EF6D86D45711F72BDBBA91614501AAB8689803462E0E58580F489F6C529D372 - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A854A61ED991B6450226C5DF36AEB64B827270A0EAD105008A45A24A37A9 - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B454214B861E84F3842627AA144AF2F85781552EE93145BA01E4020A8F - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846133627CB30D08D07F8ACD053598B421E5F2028E64B6FA907D7A37511E4058 - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B001649BABA0000AF57D0A11E9124031834372432CE6A693F6DB0E253AF - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B53582915228602BA6CD7135CD10023C52AFE239ECE78413AD7E46E - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF4802B736FA1654BE1DB67555B95DB6B4F84D1CC19F8BE142A7F2E012D - -Count = 1020 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A4D9F1F0DE9219098D817884852185CD455218630DBB130C3C67E1D148F4679B4FE8601AAA76BD9FA6793F657F94 - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763CFA6CB99B6473CD23FA74D3649987D35E8D373132D084182269125E - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 427FC43D2F12E0099F5323297A255D247AA38FC42E4B48471435D21A4BD75AB86AC0105848948354F920D474E05B - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8156BE5107696054B469FBB479A0FC46E9085C0AD01C24278C953900F7CBD0E7C86B2775ED893740A041479D898A - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373E40A70386E7EBB2FF61D6F4AF86B4487791EF985543FC62B920A32D5891 - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = A725E931A0E1C4F45A84F2B7556B2B87BB610283D41A1685526B325550C2BE70390D9190010FB275462464A8019DC3 - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = 
4426F96A072FA511D99063C6752B190896625506FD4BBB48A775141EED528FF293F9C0A63D6421C98DA23005D88BD6 - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDE13BA74DBFC7E7827786B1B7738593C3A2AF4E1318875B4A27481931 - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = B1B971ECE73E528CA0343B1E3910BFC4D31717318DC4E2C4940EE362E5144C8C0B7BCDFA0EC8CD6B9B6C5D6B66DC15 - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = 36E0B2DB67E79F267E4943DD473D45D28344AB5AF38298BEB0D7611A978858CA5ED9D238262E040EF42B94DB0F4566 - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = 28D1565CED2D7E1B3866A9D58CEF1637CA6776771DBA02F79E512B90ED13983522822A1952C6C3795A333F0657FA20 - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB17315FFD05E96BE4B71D241C58DAAC585C9456E0CD88651336C8849A4E0 - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = D60875BC195DDE295361AF0C74A70EC537A9D25745767F2E882CE8D62A42E99900AF901916D83026474F09498B432B - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = 
64BB3CDA2ACC9DFF77E136EC480E4BF2418F9A54B9D7F69A00A00ED4EE657DE8EF08E606341F586F28328495A61CB0 - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A6774BEE9DB9D02B5E20571DB566B98DA2E04702B9C488C0316972455E - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = DF24A5AF535A10459F0FB4B13C3B07C979E0FAEA9DB555DF4339BF56C3369A28A6312468EFCA8EF66EADC2D7282642 - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A82863038494DFA134C1882688CC6A69405D54A0F504BF0F1E3A4031A4A5 - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = D82115EDF54811FC5B2501C21EF09C2CB9FE7184D57515D9B4B1E42A062323545D18A06584DE289E1303614434BB7C - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E568C8C22C2163B57F18FD2227D451072FF5A2664719C2E55D8F74EF78 - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = D2ACC02E8C890319A395A786FAA564C24D88F7FE3FF02BB83BDC927085C77C069B4A612BFFE1D53FCFCBAA64D12D42 - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = 834287945F8B85B2BD01E4501A89C9A3B557F17F6F77C5C15B6F5071C52EE183B4AA9658B50D79633B72E7013FC784 - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 71C2F52B0D2D22FD6361252999CA8E420901998AED1F4E799183FF4712DA18DFDEEFAE2CCFBE3C1B17D982B41EDA36 - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3602D400B36527FA6FF4571A328326C3A7C3C00CF2A9E8D4855C242BEA3B793C6DDA5F3D154D1AF8468AF02A1F125D - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 10397F03E5EE58663A4FA1734F328CC72E33D389366D60F603A9DE0353A10710C69F6344BC51D01B7142891B4591F8 - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DA68CBAF9861AF20C22EF5D7790813AA89B7D23264748DF445D049BE143855E305DBDC910636DF8DB92C255428AE9F - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CEE9C14898596B7989402F88DB9147E06DA191C59B750C289B5B7D9F8518542F96982B89CA97B88DEB9E306B08C9E8 - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
C679FEBD0374A93955EB199FA8520EF6D86D45711F72BDBBA91614501AAB1CFFE88BFB9D03018F51D37B4F4A6061B6 - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F098972D35C3E57033E18CF8B978A711A854A61ED991B6450226C5DF36AE5E99DD0D4202535D3BEE2ED815DCE93E1E - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B4989F21A51BA8D6624BEB66854826B903B454214B861E84F3842627AA1474FA5ECA07BCC05472D6EC3BF2F62CAB25 - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5DA22F38625784A09A70A5C6E58B846133627CB30D08D07F8ACD053598B4ABA8688E402E38277AAF976C124F35FB72 - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 364BE352311ECD0CCFC1A4C891823F2A2B001649BABA0000AF57D0A11E91720DE4DC24D92F10B549951AD9BEB0F561 - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B53582915228602BA6CD713EDE91AD1CC5CE85D46A8A3D078E9617218 - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 
FBAEDA08A45B8830406CFF4C989F5A0AEBF4802B736FA1654BE1DB67555BF78B5D6BC65AD704F0779FEFF0F47040C1
-
-Count = 1053
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C
-CT = A4D9F1F0DE9219098D817884852185CD455218630DBB130C3C67E1D148F43F8DE7699CF5DF4129F1CE5EA11139962A
-
-Count = 1054
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763CFA6CB99B6473CD23FA74D335D2D50641463E02E1FD1E7BAB4FBFDBE9
-
-Count = 1055
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-CT = 427FC43D2F12E0099F5323297A255D247AA38FC42E4B48471435D21A4BD7EBB598412D1A117589F8606294035B855D
-
-Count = 1056
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = 8156BE5107696054B469FBB479A0FC46E9085C0AD01C24278C953900F7CB3971F76F659F3999021F4AE7E1F3E3D7AC
-
-Count = 1057
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 
-CT = 35D7CEAD7DB14E4816787F46E9FB0E7F373E40A70386E7EBB2FF61D6F4AF86E9D34460C99B9E65BA9DBEAC265AC16889
-
-Count = 1058
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 00
-CT = A725E931A0E1C4F45A84F2B7556B2B87BB610283D41A1685526B325550C2BED6FBC22069E6D80CCF175DEED1F56F0139
-
-Count = 1059
-Key = 
000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 0001
-CT = 4426F96A072FA511D99063C6752B190896625506FD4BBB48A775141EED528F708B264324881CB8B45FC0F41D102116F2
-
-Count = 1060
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102
-CT = B15378691AB46AC08404F4CD31EA3FE3FE0ADDE13BA74DBFC7E7827786B1B75630A2B38ABEFC851DE40C43CF316BEE42
-
-Count = 1061
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 00010203
-CT = B1B971ECE73E528CA0343B1E3910BFC4D31717318DC4E2C4940EE362E5144C04406FB1DC65ADE66562489C257796205F
-
-Count = 1062
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 0001020304
-CT = 36E0B2DB67E79F267E4943DD473D45D28344AB5AF38298BEB0D7611A978858D4655AD6E351DBED0BB4D51294F6C340AF
-
-Count = 1063
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405
-CT = 28D1565CED2D7E1B3866A9D58CEF1637CA6776771DBA02F79E512B90ED1398329C634BE68F9E1816431D11B2EFD5A0C5
-
-Count = 1064
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 00010203040506
-CT = 5A8DBE79CDF0A31891E65A604FB00D94FBB17315FFD05E96BE4B71D241C58D1FC2DBB15BAFDBACD4E79A75BDD488711E
-
-Count = 1065
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 0001020304050607
-CT = D60875BC195DDE295361AF0C74A70EC537A9D25745767F2E882CE8D62A42E9A23D30371A3FAD07DE79010463B0311B54
-
-Count = 1066
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708
-CT = 64BB3CDA2ACC9DFF77E136EC480E4BF2418F9A54B9D7F69A00A00ED4EE657DECFFD493E2619535BC92345A9FAC1C61FA
-
-Count = 1067
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 00010203040506070809
-CT = CA1261316A9FCF24B26BD1FB2CF8F43D3071A6774BEE9DB9D02B5E20571DB56ACB882128019691C8A27C4C22307D7882
-
-Count = 1068
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A
-CT = DF24A5AF535A10459F0FB4B13C3B07C979E0FAEA9DB555DF4339BF56C3369A105689CC8EBE018DC080BB7C30B9C910DC
-
-Count = 1069
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B
-CT = 7C053A5598BE0F1461BE5C3D7B9EA499A0A82863038494DFA134C1882688CCBE04483866F45FAB87E21FABB1DA7AA6AD
-
-Count = 1070
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C
-CT = D82115EDF54811FC5B2501C21EF09C2CB9FE7184D57515D9B4B1E42A0623238CC5EA1557A019882B5111558C9A65F303
-
-Count = 1071
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D
-CT = 25D49F74D530C8657B6E67FAF68D78BF62F2E568C8C22C2163B57F18FD22271C85920F395DDC10181DC7B27F4AE9E3FE
-
-Count = 1072
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E
-CT = 
D2ACC02E8C890319A395A786FAA564C24D88F7FE3FF02BB83BDC927085C77CFDA4BC593D2EDFF5A25644362D4B29E89F
-
-Count = 1073
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F
-CT = 834287945F8B85B2BD01E4501A89C9A3B557F17F6F77C5C15B6F5071C52EE1C8BF4B74743A84F97570159901804467D1
-
-Count = 1074
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F10
-CT = 71C2F52B0D2D22FD6361252999CA8E420901998AED1F4E799183FF4712DA186D8B64187ED772D23C30A247E25885D1A7
-
-Count = 1075
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F1011
-CT = 3602D400B36527FA6FF4571A328326C3A7C3C00CF2A9E8D4855C242BEA3B793131082B9C813D41EDF1458775B276568F
-
-Count = 1076
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112
-CT = 10397F03E5EE58663A4FA1734F328CC72E33D389366D60F603A9DE0353A10797EF26B3F639B05A4D890419AD95077999
-
-Count = 1077
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F10111213
-CT = DA68CBAF9861AF20C22EF5D7790813AA89B7D23264748DF445D049BE143855C5A6BE4E3C6D889706DE7734CB5F2F2802
-
-Count = 1078
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F1011121314
-CT = CEE9C14898596B7989402F88DB9147E06DA191C59B750C289B5B7D9F851854B02770092F25F2508AE2766879E26E3D6C
-
-Count = 1079
-Key = 
000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112131415
-CT = C679FEBD0374A93955EB199FA8520EF6D86D45711F72BDBBA91614501AAB1C80D325631EC2DC94B2124F2BF12824E3D0
-
-Count = 1080
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F10111213141516
-CT = F098972D35C3E57033E18CF8B978A711A854A61ED991B6450226C5DF36AE5E507BD48B571538A7FBE7CB93565184B622
-
-Count = 1081
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F1011121314151617
-CT = B4989F21A51BA8D6624BEB66854826B903B454214B861E84F3842627AA1474B77EE5597812A7035E7E9BD7DB6B198E67
-
-Count = 1082
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718
-CT = 5DA22F38625784A09A70A5C6E58B846133627CB30D08D07F8ACD053598B4AB036B72A04B3657E1BCF4DF2BBF0BCC8AE1
-
-Count = 1083
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F10111213141516171819
-CT = 364BE352311ECD0CCFC1A4C891823F2A2B001649BABA0000AF57D0A11E91728DC9F227EA012535A4820E5F9F2BE6F10E
-
-Count = 1084
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-CT = 44F7B2739F09F1EA67A9C43F5A7B3CF5EA9D6B53582915228602BA6CD713ED0CC60762D917BBD7C5C1B8D03922F8D226
-
-Count = 1085
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-CT = FBAEDA08A45B8830406CFF4C989F5A0AEBF4802B736FA1654BE1DB67555BF7ABF2FB4E3720402BF4A59A438025455A15
-
-Count = 1086
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C
-CT = A4D9F1F0DE9219098D817884852185CD455218630DBB130C3C67E1D148F43FB2BD8AE812BDE022539303BB374F311D7C
-
-Count = 1087
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-CT = 64CA0AF494AA5B1FB9C12E65D48BA2E5D2763CFA6CB99B6473CD23FA74D33572C612A81860327DBAE215B83F75C3A824
-
-Count = 1088
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-CT = 427FC43D2F12E0099F5323297A255D247AA38FC42E4B48471435D21A4BD7EBCEE7CDB234E2E45347B47BE3E90975C2CD
-
-Count = 1089
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = 8156BE5107696054B469FBB479A0FC46E9085C0AD01C24278C953900F7CB39717C224D92EF5A1F60421CFA077A764C69
-
diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/aead-common.c b/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/aead-common.h b/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/api.h b/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/api.h deleted file mode 100644 index c3c0a27..0000000 --- a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 12 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/encrypt.c b/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/encrypt.c deleted file mode 100644 index db50784..0000000 --- a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "hyena.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return hyena_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return hyena_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} 
diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/hyena.c b/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/hyena.c deleted file mode 100644 index db5ba2b..0000000 --- a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/hyena.c +++ /dev/null 
@@ -1,293 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "hyena.h" -#include "internal-gift128.h" -#include "internal-util.h" -#include - -aead_cipher_t const hyena_cipher = { - "HYENA", - HYENA_KEY_SIZE, - HYENA_NONCE_SIZE, - HYENA_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - hyena_aead_encrypt, - hyena_aead_decrypt -}; - -/** - * \brief Doubles a delta value in the F(2^64) field. - * - * \param D The delta value to be doubled. - * - * D = D << 1 if the top-most bit is 0, or D = (D << 1) ^ 0x1B otherwise. - */ -static void hyena_double_delta(unsigned char D[8]) -{ - unsigned index; - unsigned char mask = (unsigned char)(((signed char)(D[0])) >> 7); - for (index = 0; index < 7; ++index) - D[index] = (D[index] << 1) | (D[index + 1] >> 7); - D[7] = (D[7] << 1) ^ (mask & 0x1B); -} - -/** - * \brief Triples a delta value in the F(2^64) field. 
- * - * \param D The delta value to be tripled. - * - * D' = D ^ (D << 1) if the top-most bit is 0, or D' = D ^ (D << 1) ^ 0x1B - * otherwise. - */ -static void hyena_triple_delta(unsigned char D[8]) -{ - unsigned index; - unsigned char mask = (unsigned char)(((signed char)(D[0])) >> 7); - for (index = 0; index < 7; ++index) - D[index] ^= (D[index] << 1) | (D[index + 1] >> 7); - D[7] ^= (D[7] << 1) ^ (mask & 0x1B); -} - -/** - * \brief Process the associated data for HYENA. - * - * \param ks Key schedule for the GIFT-128 cipher. - * \param Y Internal hash state of HYENA. - * \param D Internal hash state of HYENA. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - */ -static void hyena_process_ad - (const gift128n_key_schedule_t *ks, unsigned char Y[16], - unsigned char D[8], const unsigned char *ad, - unsigned long long adlen) -{ - unsigned char feedback[16]; - while (adlen > 16) { - hyena_double_delta(D); - memcpy(feedback, ad, 16); - lw_xor_block(feedback + 8, Y + 8, 8); - lw_xor_block(feedback + 8, D, 8); - lw_xor_block(Y, feedback, 16); - gift128n_encrypt(ks, Y, Y); - ad += 16; - adlen -= 16; - } - if (adlen == 16) { - hyena_triple_delta(D); - memcpy(feedback, ad, 16); - lw_xor_block(feedback + 8, Y + 8, 8); - lw_xor_block(feedback + 8, D, 8); - lw_xor_block(Y, feedback, 16); - } else { - unsigned temp = (unsigned)adlen; - hyena_triple_delta(D); - hyena_triple_delta(D); - memcpy(feedback, ad, temp); - feedback[temp] = 0x01; - memset(feedback + temp + 1, 0, 15 - temp); - if (temp > 8) - lw_xor_block(feedback + 8, Y + 8, temp - 8); - lw_xor_block(feedback + 8, D, 8); - lw_xor_block(Y, feedback, 16); - } -} - -int hyena_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - gift128n_key_schedule_t ks; - unsigned char 
Y[16]; - unsigned char D[8]; - unsigned char feedback[16]; - unsigned index; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + HYENA_TAG_SIZE; - - /* Set up the key schedule and use it to encrypt the nonce */ - gift128n_init(&ks, k); - Y[0] = 0; - if (adlen == 0) - Y[0] |= 0x01; - if (adlen == 0 && mlen == 0) - Y[0] |= 0x02; - Y[1] = 0; - Y[2] = 0; - Y[3] = 0; - memcpy(Y + 4, npub, HYENA_NONCE_SIZE); - gift128n_encrypt(&ks, Y, Y); - memcpy(D, Y + 8, 8); - - /* Process the associated data */ - hyena_process_ad(&ks, Y, D, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > 16) { - gift128n_encrypt(&ks, Y, Y); - hyena_double_delta(D); - memcpy(feedback, m, 16); - lw_xor_block(feedback + 8, Y + 8, 8); - lw_xor_block(feedback + 8, D, 8); - lw_xor_block_2_src(c, m, Y, 16); - lw_xor_block(Y, feedback, 16); - c += 16; - m += 16; - mlen -= 16; - } - gift128n_encrypt(&ks, Y, Y); - if (mlen == 16) { - hyena_triple_delta(D); - memcpy(feedback, m, 16); - lw_xor_block(feedback + 8, Y + 8, 8); - lw_xor_block(feedback + 8, D, 8); - lw_xor_block_2_src(c, m, Y, 16); - lw_xor_block(Y, feedback, 16); - c += 16; - } else { - unsigned temp = (unsigned)mlen; - hyena_triple_delta(D); - hyena_triple_delta(D); - memcpy(feedback, m, temp); - feedback[temp] = 0x01; - memset(feedback + temp + 1, 0, 15 - temp); - if (temp > 8) - lw_xor_block(feedback + 8, Y + 8, temp - 8); - lw_xor_block(feedback + 8, D, 8); - lw_xor_block_2_src(c, m, Y, temp); - lw_xor_block(Y, feedback, 16); - c += temp; - } - } - - /* Swap the two halves of Y and generate the authentication tag */ - for (index = 0; index < 8; ++index) { - unsigned char temp1 = Y[index]; - unsigned char temp2 = Y[index + 8]; - Y[index] = temp2; - Y[index + 8] = temp1; - } - gift128n_encrypt(&ks, c, Y); - return 0; -} - -int hyena_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long 
clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - gift128n_key_schedule_t ks; - unsigned char Y[16]; - unsigned char D[8]; - unsigned char feedback[16]; - unsigned char *mtemp; - unsigned index; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < HYENA_TAG_SIZE) - return -1; - *mlen = clen - HYENA_TAG_SIZE; - - /* Set up the key schedule and use it to encrypt the nonce */ - gift128n_init(&ks, k); - Y[0] = 0; - if (adlen == 0) - Y[0] |= 0x01; - if (adlen == 0 && clen == HYENA_TAG_SIZE) - Y[0] |= 0x02; - Y[1] = 0; - Y[2] = 0; - Y[3] = 0; - memcpy(Y + 4, npub, HYENA_NONCE_SIZE); - gift128n_encrypt(&ks, Y, Y); - memcpy(D, Y + 8, 8); - - /* Process the associated data */ - hyena_process_ad(&ks, Y, D, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= HYENA_TAG_SIZE; - mtemp = m; - if (clen > 0) { - while (clen > 16) { - gift128n_encrypt(&ks, Y, Y); - hyena_double_delta(D); - memcpy(feedback + 8, c + 8, 8); - lw_xor_block_2_src(m, c, Y, 16); - memcpy(feedback, m, 8); - lw_xor_block(feedback + 8, D, 8); - lw_xor_block(Y, feedback, 16); - c += 16; - m += 16; - clen -= 16; - } - gift128n_encrypt(&ks, Y, Y); - if (clen == 16) { - hyena_triple_delta(D); - memcpy(feedback + 8, c + 8, 8); - lw_xor_block_2_src(m, c, Y, 16); - memcpy(feedback, m, 8); - lw_xor_block(feedback + 8, D, 8); - lw_xor_block(Y, feedback, 16); - c += 16; - } else { - unsigned temp = (unsigned)clen; - hyena_triple_delta(D); - hyena_triple_delta(D); - if (temp > 8) { - memcpy(feedback + 8, c + 8, temp - 8); - lw_xor_block_2_src(m, c, Y, temp); - memcpy(feedback, m, 8); - } else { - lw_xor_block_2_src(m, c, Y, temp); - memcpy(feedback, m, temp); - } - feedback[temp] = 0x01; - memset(feedback + temp + 1, 0, 15 - temp); - lw_xor_block(feedback + 8, D, 8); - lw_xor_block(Y, feedback, 16); - c += temp; - } - } - - /* Swap the two halves of Y and check the 
authentication tag */ - for (index = 0; index < 8; ++index) { - unsigned char temp1 = Y[index]; - unsigned char temp2 = Y[index + 8]; - Y[index] = temp2; - Y[index + 8] = temp1; - } - gift128n_encrypt(&ks, Y, Y); - return aead_check_tag(mtemp, *mlen, Y, c, HYENA_TAG_SIZE); -} diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/hyena.h b/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/hyena.h deleted file mode 100644 index ee9bb9c..0000000 --- a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/hyena.h +++ /dev/null 
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_HYENA_H
-#define LWCRYPTO_HYENA_H
-
-#include "aead-common.h"
-
-/**
- * \file hyena.h
- * \brief HYENA authenticated encryption algorithm.
- *
- * HYENA is an authenticated encryption algorithm that is built around the
- * GIFT-128 block cipher. The algorithm has a 128-bit key, a 96-bit nonce,
- * and a 128-bit authentication tag.
- *
- * References: https://www.isical.ac.in/~lightweight/hyena/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for HYENA.
- */
-#define HYENA_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for HYENA.
- */
-#define HYENA_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for HYENA.
- */
-#define HYENA_NONCE_SIZE 12
-
-/**
- * \brief Meta-information block for the HYENA cipher.
- */ -extern aead_cipher_t const hyena_cipher; - -/** - * \brief Encrypts and authenticates a packet with HYENA. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa hyena_aead_decrypt() - */ -int hyena_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with HYENA. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. 
- * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa hyena_aead_encrypt() - */ -int hyena_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128-config.h b/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128-config.h deleted file mode 100644 index 62131ba..0000000 --- a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128-config.h +++ /dev/null 
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_GIFT128_CONFIG_H
-#define LW_INTERNAL_GIFT128_CONFIG_H
-
-/**
- * \file internal-gift128-config.h
- * \brief Configures the variant of GIFT-128 to use.
- */
-
-/**
- * \brief Select the full variant of GIFT-128.
- *
- * The full variant requires 320 bytes for the key schedule and uses the
- * fixslicing method to implement encryption and decryption.
- */
-#define GIFT128_VARIANT_FULL 0
-
-/**
- * \brief Select the small variant of GIFT-128.
- *
- * The small variant requires 80 bytes for the key schedule. The rest
- * of the key schedule is expanded on the fly during encryption.
- *
- * The fixslicing method is used to implement encryption and the slower
- * bitslicing method is used to implement decryption. The small variant
- * is suitable when memory is at a premium, decryption is not needed,
- * but encryption performance is still important.
- */
-#define GIFT128_VARIANT_SMALL 1
-
-/**
- * \brief Select the tiny variant of GIFT-128.
- *
- * The tiny variant requires 16 bytes for the key schedule and uses the
- * bitslicing method to implement encryption and decryption. It is suitable
- * for use when memory is very tight and performance is not critical.
- */
-#define GIFT128_VARIANT_TINY 2
-
-/**
- * \def GIFT128_VARIANT
- * \brief Selects the default variant of GIFT-128 to use on this platform.
- */
-/**
- * \def GIFT128_VARIANT_ASM
- * \brief Defined to 1 if the GIFT-128 implementation has been replaced
- * with an assembly code version.
- */
-#if defined(__AVR__) && !defined(GIFT128_VARIANT_ASM)
-#define GIFT128_VARIANT_ASM 1
-#endif
-#if !defined(GIFT128_VARIANT)
-#define GIFT128_VARIANT GIFT128_VARIANT_FULL
-#endif
-#if !defined(GIFT128_VARIANT_ASM)
-#define GIFT128_VARIANT_ASM 0
-#endif
-
-#endif
diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128.c b/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128.c
deleted file mode 100644
index c6ac5ec..0000000
--- a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128.c
+++ /dev/null
@@ -1,1498 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-gift128.h" -#include "internal-util.h" - -#if !GIFT128_VARIANT_ASM - -#if GIFT128_VARIANT != GIFT128_VARIANT_TINY - -/* Round constants for GIFT-128 in the fixsliced representation */ -static uint32_t const GIFT128_RC_fixsliced[40] = { - 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, - 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, - 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, - 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080, - 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e, - 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808, - 0xc001a000, 0x14500002, 0x01020181, 0x8000001a -}; - -#endif - -#if GIFT128_VARIANT != GIFT128_VARIANT_FULL - -/* Round constants for GIFT-128 in the bitsliced representation */ -static uint8_t const GIFT128_RC[40] = { - 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, - 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, - 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, - 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38, - 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A -}; - -#endif - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/* - * The permutation below was generated by the online permuation generator at - * "http://programming.sirrida.de/calcperm.php". 
- * - * All of the permutuations are essentially the same, except that each is - * rotated by 8 bits with respect to the next: - * - * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15 - * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23 - * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31 - * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7 - * - * The most efficient permutation from the online generator was P3, so we - * perform it as the core of the others, and then perform a final rotation. - * - * It is possible to do slightly better than "P3 then rotate" on desktop and - * server architectures for the other permutations. But the advantage isn't - * as evident on embedded platforms so we keep things simple. - */ -#define PERM3_INNER(x) \ - do { \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x000000ff, 24); \ - } while (0) -#define PERM0(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate8(_x); \ - } while (0) -#define PERM1(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate16(_x); \ - } while (0) -#define PERM2(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate24(_x); \ - } while (0) -#define PERM3(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) - -#define INV_PERM3_INNER(x) \ - do { \ - bit_permute_step(x, 0x00550055, 9); \ - bit_permute_step(x, 0x00003333, 18); \ - bit_permute_step(x, 0x000f000f, 12); \ - bit_permute_step(x, 0x000000ff, 24); \ - } while (0) -#define INV_PERM0(x) \ - do { \ - uint32_t _x = rightRotate8(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM1(x) \ - do { \ - uint32_t _x = rightRotate16(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } 
while (0) -#define INV_PERM2(x) \ - do { \ - uint32_t _x = rightRotate24(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM3(x) \ - do { \ - uint32_t _x = (x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) - -/** - * \brief Converts the GIFT-128 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. - * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift128n_to_words - (unsigned char *output, const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Load the input buffer into 32-bit words. We use the nibble order - * from the HYENA submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-128 paper. Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 12); - s1 = le_load_word32(input + 8); - s2 = le_load_word32(input + 4); - s3 = le_load_word32(input); - - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". 
- */ - #define PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - PERM_WORDS(s0); - PERM_WORDS(s1); - PERM_WORDS(s2); - PERM_WORDS(s3); - - /* Rearrange the bytes and write them to the output buffer */ - output[0] = (uint8_t)s0; - output[1] = (uint8_t)s1; - output[2] = (uint8_t)s2; - output[3] = (uint8_t)s3; - output[4] = (uint8_t)(s0 >> 8); - output[5] = (uint8_t)(s1 >> 8); - output[6] = (uint8_t)(s2 >> 8); - output[7] = (uint8_t)(s3 >> 8); - output[8] = (uint8_t)(s0 >> 16); - output[9] = (uint8_t)(s1 >> 16); - output[10] = (uint8_t)(s2 >> 16); - output[11] = (uint8_t)(s3 >> 16); - output[12] = (uint8_t)(s0 >> 24); - output[13] = (uint8_t)(s1 >> 24); - output[14] = (uint8_t)(s2 >> 24); - output[15] = (uint8_t)(s3 >> 24); -} - -/** - * \brief Converts the GIFT-128 word-based representation into nibble-based. - * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. 
- */ -static void gift128n_to_nibbles - (unsigned char *output, const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Load the input bytes and rearrange them so that s0 contains the - * most significant nibbles and s3 contains the least significant */ - s0 = (((uint32_t)(input[12])) << 24) | - (((uint32_t)(input[8])) << 16) | - (((uint32_t)(input[4])) << 8) | - ((uint32_t)(input[0])); - s1 = (((uint32_t)(input[13])) << 24) | - (((uint32_t)(input[9])) << 16) | - (((uint32_t)(input[5])) << 8) | - ((uint32_t)(input[1])); - s2 = (((uint32_t)(input[14])) << 24) | - (((uint32_t)(input[10])) << 16) | - (((uint32_t)(input[6])) << 8) | - ((uint32_t)(input[2])); - s3 = (((uint32_t)(input[15])) << 24) | - (((uint32_t)(input[11])) << 16) | - (((uint32_t)(input[7])) << 8) | - ((uint32_t)(input[3])); - - /* Apply the inverse of PERM_WORDS() from the function above */ - #define INV_PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - INV_PERM_WORDS(s0); - INV_PERM_WORDS(s1); - INV_PERM_WORDS(s2); - INV_PERM_WORDS(s3); - - /* Store the result into the output buffer as 32-bit words */ - le_store_word32(output + 12, s0); - le_store_word32(output + 8, s1); - le_store_word32(output + 4, s2); - le_store_word32(output, s3); -} - -void gift128n_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - gift128n_to_words(output, input); - gift128b_encrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} - -void gift128n_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - gift128n_to_words(output, input); - gift128b_decrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} - -#if GIFT128_VARIANT != GIFT128_VARIANT_TINY - -/** - * \brief Swaps bits within two words. 
- * - * \param a The first word. - * \param b The second word. - * \param mask Mask for the bits to shift. - * \param shift Shift amount in bits. - */ -#define gift128b_swap_move(a, b, mask, shift) \ - do { \ - uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \ - (b) ^= tmp; \ - (a) ^= tmp << (shift); \ - } while (0) - -/** - * \brief Derives the next 10 fixsliced keys in the key schedule. - * - * \param next Points to the buffer to receive the next 10 keys. - * \param prev Points to the buffer holding the previous 10 keys. - * - * The \a next and \a prev buffers are allowed to be the same. - */ -#define gift128b_derive_keys(next, prev) \ - do { \ - /* Key 0 */ \ - uint32_t s = (prev)[0]; \ - uint32_t t = (prev)[1]; \ - gift128b_swap_move(t, t, 0x00003333U, 16); \ - gift128b_swap_move(t, t, 0x55554444U, 1); \ - (next)[0] = t; \ - /* Key 1 */ \ - s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \ - gift128b_swap_move(s, s, 0x55551100U, 1); \ - (next)[1] = s; \ - /* Key 2 */ \ - s = (prev)[2]; \ - t = (prev)[3]; \ - (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \ - ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \ - /* Key 3 */ \ - (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \ - ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \ - /* Key 4 */ \ - s = (prev)[4]; \ - t = (prev)[5]; \ - (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \ - leftRotate16(t & 0x55555555U); \ - /* Key 5 */ \ - (next)[5] = leftRotate8(s & 0x55555555U) | \ - leftRotate12(s & 0xAAAAAAAAU); \ - /* Key 6 */ \ - s = (prev)[6]; \ - t = (prev)[7]; \ - (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \ - ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \ - /* Key 7 */ \ - (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \ - ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \ - ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \ - /* Key 8 */ \ - s = (prev)[8]; \ - t = (prev)[9]; \ - 
(next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \ - ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \ - /* Key 9 */ \ - (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \ - ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \ - } while (0) - -/** - * \brief Compute the round keys for GIFT-128 in the fixsliced representation. - * - * \param ks Points to the key schedule to initialize. - * \param k0 First key word. - * \param k1 Second key word. - * \param k2 Third key word. - * \param k3 Fourth key word. - */ -static void gift128b_compute_round_keys - (gift128b_key_schedule_t *ks, - uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3) -{ - unsigned index; - uint32_t temp; - - /* Set the regular key with k0 and k3 pre-swapped for the round function */ - ks->k[0] = k3; - ks->k[1] = k1; - ks->k[2] = k2; - ks->k[3] = k0; - - /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */ - for (index = 4; index < 20; index += 2) { - ks->k[index] = ks->k[index - 3]; - temp = ks->k[index - 4]; - temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - ks->k[index + 1] = temp; - } - for (index = 0; index < 20; index += 10) { - /* Keys 0 and 10 */ - temp = ks->k[index]; - gift128b_swap_move(temp, temp, 0x00550055U, 9); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index] = temp; - - /* Keys 1 and 11 */ - temp = ks->k[index + 1]; - gift128b_swap_move(temp, temp, 0x00550055U, 9); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 1] = temp; - - /* Keys 2 and 12 */ - temp = ks->k[index + 2]; - gift128b_swap_move(temp, temp, 0x11111111U, 3); - gift128b_swap_move(temp, temp, 0x03030303U, 6); - gift128b_swap_move(temp, 
temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 2] = temp; - - /* Keys 3 and 13 */ - temp = ks->k[index + 3]; - gift128b_swap_move(temp, temp, 0x11111111U, 3); - gift128b_swap_move(temp, temp, 0x03030303U, 6); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 3] = temp; - - /* Keys 4 and 14 */ - temp = ks->k[index + 4]; - gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 4] = temp; - - /* Keys 5 and 15 */ - temp = ks->k[index + 5]; - gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 5] = temp; - - /* Keys 6 and 16 */ - temp = ks->k[index + 6]; - gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); - gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 6] = temp; - - /* Keys 7 and 17 */ - temp = ks->k[index + 7]; - gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); - gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 7] = temp; - - /* Keys 8, 9, 18, and 19 do not need any adjustment */ - } - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - /* Derive the fixsliced keys for the remaining rounds 11..40 */ - for (index = 20; index < 80; index += 10) { - gift128b_derive_keys(ks->k + index, ks->k + index - 20); - } -#endif -} - -void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) -{ - gift128b_compute_round_keys - (ks, be_load_word32(key), be_load_word32(key + 4), - be_load_word32(key + 8), 
be_load_word32(key + 12)); -} - -void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) -{ - /* Use the little-endian key byte order from the HYENA submission */ - gift128b_compute_round_keys - (ks, le_load_word32(key + 12), le_load_word32(key + 8), - le_load_word32(key + 4), le_load_word32(key)); -} - -/** - * \brief Performs the GIFT-128 S-box on the bit-sliced state. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_sbox(s0, s1, s2, s3) \ - do { \ - s1 ^= s0 & s2; \ - s0 ^= s1 & s3; \ - s2 ^= s0 | s1; \ - s3 ^= s2; \ - s1 ^= s3; \ - s3 ^= 0xFFFFFFFFU; \ - s2 ^= s0 & s1; \ - } while (0) - -/** - * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_sbox(s0, s1, s2, s3) \ - do { \ - s2 ^= s3 & s1; \ - s0 ^= 0xFFFFFFFFU; \ - s1 ^= s0; \ - s0 ^= s2; \ - s2 ^= s3 | s1; \ - s3 ^= s1 & s0; \ - s1 ^= s3 & s2; \ - } while (0) - -/** - * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_1(s0, s1, s2, s3) \ - do { \ - s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ - s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \ - s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds. - * - * \param s0 First word of the bit-sliced state. 
- * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_2(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \ - s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ - s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_3(s0, s1, s2, s3) \ - do { \ - gift128b_swap_move(s1, s1, 0x55555555U, 1); \ - s2 = leftRotate16(s2); \ - gift128b_swap_move(s2, s2, 0x00005555U, 1); \ - s3 = leftRotate16(s3); \ - gift128b_swap_move(s3, s3, 0x55550000U, 1); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_4(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \ - s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ - s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. 
- */ -#define gift128b_permute_state_5(s0, s1, s2, s3) \ - do { \ - s1 = leftRotate16(s1); \ - s2 = rightRotate8(s2); \ - s3 = leftRotate8(s3); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \ - do { \ - s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ - s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \ - s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \ - s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ - s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \ - do { \ - gift128b_swap_move(s1, s1, 0x55555555U, 1); \ - gift128b_swap_move(s2, s2, 0x00005555U, 1); \ - s2 = leftRotate16(s2); \ - gift128b_swap_move(s3, s3, 0x55550000U, 1); \ - s3 = leftRotate16(s3); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds. - * - * \param s0 First word of the bit-sliced state. 
- * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \ - s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ - s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \ - do { \ - s1 = leftRotate16(s1); \ - s2 = leftRotate8(s2); \ - s3 = rightRotate8(s3); \ - } while (0); - -/** - * \brief Performs five fixsliced encryption rounds for GIFT-128. - * - * \param rk Points to the 10 round keys for these rounds. - * \param rc Points to the round constants for these rounds. - * - * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. - * - * The permutation is restructured so that one of the words each round - * does not need to be permuted, with the others rotating left, up, right, - * and down to keep the bits in line with their non-moving counterparts. - * This reduces the number of shifts required significantly. - * - * At the end of five rounds, the bit ordering will return to the - * original position. We then repeat the process for the next 5 rounds. 
- */ -#define gift128b_encrypt_5_rounds(rk, rc) \ - do { \ - /* 1st round - S-box, rotate left, add round key */ \ - gift128b_sbox(s0, s1, s2, s3); \ - gift128b_permute_state_1(s0, s1, s2, s3); \ - s1 ^= (rk)[0]; \ - s2 ^= (rk)[1]; \ - s0 ^= (rc)[0]; \ - \ - /* 2nd round - S-box, rotate up, add round key */ \ - gift128b_sbox(s3, s1, s2, s0); \ - gift128b_permute_state_2(s0, s1, s2, s3); \ - s1 ^= (rk)[2]; \ - s2 ^= (rk)[3]; \ - s3 ^= (rc)[1]; \ - \ - /* 3rd round - S-box, swap columns, add round key */ \ - gift128b_sbox(s0, s1, s2, s3); \ - gift128b_permute_state_3(s0, s1, s2, s3); \ - s1 ^= (rk)[4]; \ - s2 ^= (rk)[5]; \ - s0 ^= (rc)[2]; \ - \ - /* 4th round - S-box, rotate left and swap rows, add round key */ \ - gift128b_sbox(s3, s1, s2, s0); \ - gift128b_permute_state_4(s0, s1, s2, s3); \ - s1 ^= (rk)[6]; \ - s2 ^= (rk)[7]; \ - s3 ^= (rc)[3]; \ - \ - /* 5th round - S-box, rotate up, add round key */ \ - gift128b_sbox(s0, s1, s2, s3); \ - gift128b_permute_state_5(s0, s1, s2, s3); \ - s1 ^= (rk)[8]; \ - s2 ^= (rk)[9]; \ - s0 ^= (rc)[4]; \ - \ - /* Swap s0 and s3 in preparation for the next 1st round */ \ - s0 ^= s3; \ - s3 ^= s0; \ - s0 ^= s3; \ - } while (0) - -/** - * \brief Performs five fixsliced decryption rounds for GIFT-128. - * - * \param rk Points to the 10 round keys for these rounds. - * \param rc Points to the round constants for these rounds. - * - * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. 
- */ -#define gift128b_decrypt_5_rounds(rk, rc) \ - do { \ - /* Swap s0 and s3 in preparation for the next 5th round */ \ - s0 ^= s3; \ - s3 ^= s0; \ - s0 ^= s3; \ - \ - /* 5th round - S-box, rotate down, add round key */ \ - s1 ^= (rk)[8]; \ - s2 ^= (rk)[9]; \ - s0 ^= (rc)[4]; \ - gift128b_inv_permute_state_5(s0, s1, s2, s3); \ - gift128b_inv_sbox(s3, s1, s2, s0); \ - \ - /* 4th round - S-box, rotate right and swap rows, add round key */ \ - s1 ^= (rk)[6]; \ - s2 ^= (rk)[7]; \ - s3 ^= (rc)[3]; \ - gift128b_inv_permute_state_4(s0, s1, s2, s3); \ - gift128b_inv_sbox(s0, s1, s2, s3); \ - \ - /* 3rd round - S-box, swap columns, add round key */ \ - s1 ^= (rk)[4]; \ - s2 ^= (rk)[5]; \ - s0 ^= (rc)[2]; \ - gift128b_inv_permute_state_3(s0, s1, s2, s3); \ - gift128b_inv_sbox(s3, s1, s2, s0); \ - \ - /* 2nd round - S-box, rotate down, add round key */ \ - s1 ^= (rk)[2]; \ - s2 ^= (rk)[3]; \ - s3 ^= (rc)[1]; \ - gift128b_inv_permute_state_2(s0, s1, s2, s3); \ - gift128b_inv_sbox(s0, s1, s2, s3); \ - \ - /* 1st round - S-box, rotate right, add round key */ \ - s1 ^= (rk)[0]; \ - s2 ^= (rk)[1]; \ - s0 ^= (rc)[0]; \ - gift128b_inv_permute_state_1(s0, s1, s2, s3); \ - gift128b_inv_sbox(s3, s1, s2, s0); \ - } while (0) - -#else /* GIFT128_VARIANT_TINY */ - -void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) -{ - /* Mirror the fixslicing word order of 3, 1, 2, 0 */ - ks->k[0] = be_load_word32(key + 12); - ks->k[1] = be_load_word32(key + 4); - ks->k[2] = be_load_word32(key + 8); - ks->k[3] = be_load_word32(key); -} - -void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) -{ - /* Use the little-endian key byte order from the HYENA submission - * and mirror the fixslicing word order of 3, 1, 2, 0 */ - ks->k[0] = le_load_word32(key); - ks->k[1] = le_load_word32(key + 8); - ks->k[2] = le_load_word32(key + 4); - ks->k[3] = le_load_word32(key + 12); -} - -#endif /* GIFT128_VARIANT_TINY */ - -#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL - -void 
gift128b_encrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t k[20]; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_derive_keys(k, ks->k); - gift128b_derive_keys(k + 10, ks->k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]) -{ - uint32_t s0, s1, s2, s3; - uint32_t k[20]; - - /* Copy the plaintext into local variables */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_derive_keys(k, ks->k); - gift128b_derive_keys(k + 10, ks->k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); - 
gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer */ - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -} - -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - uint32_t k[20]; - - /* Copy the plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method. 
- * Every 5 rounds except the last we add the tweak value to the state */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - s0 ^= tweak; - gift128b_derive_keys(k, ks->k); - gift128b_derive_keys(k + 10, ks->k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); - s0 ^= tweak; - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); - s0 ^= tweak; - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); - s0 ^= tweak; - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); - s0 ^= tweak; - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); - s0 ^= tweak; - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL - -void gift128b_encrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - gift128b_encrypt_5_rounds(ks->k + 50, 
GIFT128_RC_fixsliced + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into local variables */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer */ - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -} - -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method. 
- * Every 5 rounds except the last we add the tweak value to the state */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#else /* GIFT128_VARIANT_TINY */ - -void gift128b_encrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[3]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[0]; - - /* Perform all 40 rounds */ - for (round = 0; round < 40; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 128-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; 
- s3 ^= 0x80000000U ^ GIFT128_RC[round]; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[3]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[0]; - - /* Perform all 40 rounds */ - for (round = 0; round < 40; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 128-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round]; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer */ - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -} - -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the 
plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[3]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[0]; - - /* Perform all 40 rounds */ - for (round = 0; round < 40; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 128-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round]; - - /* AddTweak - XOR in the tweak every 5 rounds except the last */ - if (((round + 1) % 5) == 0 && round < 39) - s0 ^= tweak; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#endif /* GIFT128_VARIANT_TINY */ - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - -void gift128b_decrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_decrypt_5_rounds(ks->k + 
70, GIFT128_RC_fixsliced + 35); - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128t_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the ciphertext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method. 
- * Every 5 rounds except the first we add the tweak value to the state */ - gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - - /* Pack the state into the plaintext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ - -/* The small variant uses fixslicing for encryption, but we need to change - * to bitslicing for decryption because of the difficulty of fast-forwarding - * the fixsliced key schedule to the end. So the tiny variant is used for - * decryption when the small variant is selected. Since the NIST AEAD modes - * for GIFT-128 only use the block encrypt operation, the inefficiencies - * in decryption don't matter all that much */ - -/** - * \def gift128b_load_and_forward_schedule() - * \brief Generate the decryption key at the end of the last round. 
- * - * To do that, we run the block operation forward to determine the - * final state of the key schedule after the last round: - * - * w0 = ks->k[0]; - * w1 = ks->k[1]; - * w2 = ks->k[2]; - * w3 = ks->k[3]; - * for (round = 0; round < 40; ++round) { - * temp = w3; - * w3 = w2; - * w2 = w1; - * w1 = w0; - * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - * } - * - * We can short-cut all of the above by noticing that we don't need - * to do the word rotations. Every 4 rounds, the rotation alignment - * returns to the original position and each word has been rotated - * by applying the "2 right and 4 left" bit-rotation step to it. - * We then repeat that 10 times for the full 40 rounds. The overall - * effect is to apply a "20 right and 40 left" bit-rotation to every - * word in the key schedule. That is equivalent to "4 right and 8 left" - * on the 16-bit sub-words. - */ -#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL -#define gift128b_load_and_forward_schedule() \ - do { \ - w0 = ks->k[3]; \ - w1 = ks->k[1]; \ - w2 = ks->k[2]; \ - w3 = ks->k[0]; \ - w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ - ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ - w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ - ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \ - w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ - ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ - w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ - ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ - } while (0) -#else -/* The small variant needs to also undo some of the rotations that were - * done to generate the fixsliced version of the key schedule */ -#define gift128b_load_and_forward_schedule() \ - do { \ - w0 = ks->k[3]; \ - w1 = ks->k[1]; \ - w2 = ks->k[2]; \ - w3 = ks->k[0]; \ - gift128b_swap_move(w3, w3, 0x000000FFU, 24); \ - 
gift128b_swap_move(w3, w3, 0x00003333U, 18); \ - gift128b_swap_move(w3, w3, 0x000F000FU, 12); \ - gift128b_swap_move(w3, w3, 0x00550055U, 9); \ - gift128b_swap_move(w1, w1, 0x000000FFU, 24); \ - gift128b_swap_move(w1, w1, 0x00003333U, 18); \ - gift128b_swap_move(w1, w1, 0x000F000FU, 12); \ - gift128b_swap_move(w1, w1, 0x00550055U, 9); \ - gift128b_swap_move(w2, w2, 0x000000FFU, 24); \ - gift128b_swap_move(w2, w2, 0x000F000FU, 12); \ - gift128b_swap_move(w2, w2, 0x03030303U, 6); \ - gift128b_swap_move(w2, w2, 0x11111111U, 3); \ - gift128b_swap_move(w0, w0, 0x000000FFU, 24); \ - gift128b_swap_move(w0, w0, 0x000F000FU, 12); \ - gift128b_swap_move(w0, w0, 0x03030303U, 6); \ - gift128b_swap_move(w0, w0, 0x11111111U, 3); \ - w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ - ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ - w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ - ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \ - w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ - ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ - w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ - ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ - } while (0) -#endif - -void gift128b_decrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the ciphertext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Generate the decryption key at the end of the last round */ - gift128b_load_and_forward_schedule(); - - /* Perform all 40 rounds */ - for (round = 40; round > 0; --round) { - /* Rotate the key schedule backwards */ - temp = w0; - w0 = w1; - w1 = w2; - w2 = w3; - w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 
14) | - ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; - - /* InvPermBits - apply the inverse of the 128-bit permutation */ - INV_PERM0(s0); - INV_PERM1(s1); - INV_PERM2(s2); - INV_PERM3(s3); - - /* InvSubCells - apply the inverse of the S-box */ - temp = s0; - s0 = s3; - s3 = temp; - s2 ^= s0 & s1; - s3 ^= 0xFFFFFFFFU; - s1 ^= s3; - s3 ^= s2; - s2 ^= s0 | s1; - s0 ^= s1 & s3; - s1 ^= s0 & s2; - } - - /* Pack the state into the plaintext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128t_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Generate the decryption key at the end of the last round */ - gift128b_load_and_forward_schedule(); - - /* Perform all 40 rounds */ - for (round = 40; round > 0; --round) { - /* Rotate the key schedule backwards */ - temp = w0; - w0 = w1; - w1 = w2; - w2 = w3; - w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | - ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); - - /* AddTweak - XOR in the tweak every 5 rounds except the last */ - if ((round % 5) == 0 && round < 40) - s0 ^= tweak; - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; - - /* InvPermBits - apply the inverse of the 128-bit permutation */ - INV_PERM0(s0); - INV_PERM1(s1); - 
INV_PERM2(s2); - INV_PERM3(s3); - - /* InvSubCells - apply the inverse of the S-box */ - temp = s0; - s0 = s3; - s3 = temp; - s2 ^= s0 & s1; - s3 ^= 0xFFFFFFFFU; - s1 ^= s3; - s3 ^= s2; - s2 ^= s0 | s1; - s0 ^= s1 & s3; - s1 ^= s0 & s2; - } - - /* Pack the state into the plaintext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ - -#endif /* !GIFT128_VARIANT_ASM */ diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128.h b/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128.h deleted file mode 100644 index f57d143..0000000 --- a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128.h +++ /dev/null 
@@ -1,246 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_GIFT128_H -#define LW_INTERNAL_GIFT128_H - -/** - * \file internal-gift128.h - * \brief GIFT-128 block cipher. - * - * There are three versions of GIFT-128 in use within the second round - * submissions to the NIST lightweight cryptography competition. - * - * The most efficient version for 32-bit software implementation is the - * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT. - * - * The second is the nibble-based version from HYENA. We implement the - * HYENA version as a wrapper around the bit-sliced version. - * - * The third version is a variant on the HYENA nibble-based version that - * includes a 4-bit tweak value for domain separation. It is used by - * the ESTATE submission to NIST. 
- * - * Technically there is a fourth version of GIFT-128 which is the one that - * appeared in the original GIFT-128 paper. It is almost the same as the - * HYENA version except that the byte ordering is big-endian instead of - * HYENA's little-endian. The original version of GIFT-128 doesn't appear - * in any of the NIST submissions so we don't bother with it in this library. - * - * References: https://eprint.iacr.org/2017/622.pdf, - * https://eprint.iacr.org/2020/412.pdf, - * https://giftcipher.github.io/gift/ - */ - -#include -#include -#include "internal-gift128-config.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of a GIFT-128 block in bytes. - */ -#define GIFT128_BLOCK_SIZE 16 - -/** - * \var GIFT128_ROUND_KEYS - * \brief Number of round keys for the GIFT-128 key schedule. - */ -#if GIFT128_VARIANT == GIFT128_VARIANT_TINY -#define GIFT128_ROUND_KEYS 4 -#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL -#define GIFT128_ROUND_KEYS 20 -#else -#define GIFT128_ROUND_KEYS 80 -#endif - -/** - * \brief Structure of the key schedule for GIFT-128 (bit-sliced). - */ -typedef struct -{ - /** Pre-computed round keys for bit-sliced GIFT-128 */ - uint32_t k[GIFT128_ROUND_KEYS]; - -} gift128b_key_schedule_t; - -/** - * \brief Initializes the key schedule for GIFT-128 (bit-sliced). - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the 16 bytes of the key data. - */ -void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key); - -/** - * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced). - * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. 
- */ -void gift128b_encrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded). - * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version assumes that the input has already been pre-loaded from - * big-endian into host byte order in the supplied word array. The output - * is delivered in the same way. - */ -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]); - -/** - * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced). - * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place decryption. - */ -void gift128b_decrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Structure of the key schedule for GIFT-128 (nibble-based). - */ -typedef gift128b_key_schedule_t gift128n_key_schedule_t; - -/** - * \brief Initializes the key schedule for GIFT-128 (nibble-based). - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the 16 bytes of the key data. - */ -void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key); - -/** - * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based). - * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. 
- * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void gift128n_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based). - * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place decryption. - */ -void gift128n_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */ -#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */ -#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */ -#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */ -#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */ -#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */ -#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */ -#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */ -#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */ -#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */ -#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */ -#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */ -#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */ -#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */ -#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */ -#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */ -#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */ - -/** - * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant). 
- * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * \param tweak 4-bit tweak value expanded to 32-bit. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This variant of GIFT-128 is used by the ESTATE submission to the - * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to - * some of the rounds to provide domain separation. If the tweak is - * zero, then this function is identical to gift128n_encrypt(). - */ -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak); - -/** - * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant). - * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * \param tweak 4-bit tweak value expanded to 32-bit. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This variant of GIFT-128 is used by the ESTATE submission to the - * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to - * some of the rounds to provide domain separation. If the tweak is - * zero, then this function is identical to gift128n_encrypt(). - */ -void gift128t_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128n-avr.S b/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128n-avr.S deleted file mode 100644 index 2aae304..0000000 --- a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-gift128n-avr.S +++ /dev/null 
@@ -1,4712 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 40 -table_0: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - .byte 26 - - .text -.global gift128n_init - .type gift128n_init, @function -gift128n_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - std Z+12,r18 - std Z+13,r19 - std Z+14,r20 - std Z+15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - std Z+8,r18 - std Z+9,r19 - std Z+10,r20 - std Z+11,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - std Z+4,r18 - std Z+5,r19 - std Z+6,r20 - std Z+7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - ret - .size gift128n_init, .-gift128n_init - - .text -.global gift128n_encrypt - .type gift128n_encrypt, @function -gift128n_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r22,0 - bst r18,1 - bld r4,0 - bst r18,2 - bld r8,0 - bst r18,3 - bld r12,0 - bst r18,4 - bld r22,1 - bst r18,5 - bld r4,1 - bst r18,6 - bld r8,1 - bst r18,7 - bld r12,1 - bst r19,0 - bld r22,2 - bst r19,1 - bld r4,2 - bst r19,2 - bld 
r8,2 - bst r19,3 - bld r12,2 - bst r19,4 - bld r22,3 - bst r19,5 - bld r4,3 - bst r19,6 - bld r8,3 - bst r19,7 - bld r12,3 - bst r20,0 - bld r22,4 - bst r20,1 - bld r4,4 - bst r20,2 - bld r8,4 - bst r20,3 - bld r12,4 - bst r20,4 - bld r22,5 - bst r20,5 - bld r4,5 - bst r20,6 - bld r8,5 - bst r20,7 - bld r12,5 - bst r21,0 - bld r22,6 - bst r21,1 - bld r4,6 - bst r21,2 - bld r8,6 - bst r21,3 - bld r12,6 - bst r21,4 - bld r22,7 - bst r21,5 - bld r4,7 - bst r21,6 - bld r8,7 - bst r21,7 - bld r12,7 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r23,0 - bst r18,1 - bld r5,0 - bst r18,2 - bld r9,0 - bst r18,3 - bld r13,0 - bst r18,4 - bld r23,1 - bst r18,5 - bld r5,1 - bst r18,6 - bld r9,1 - bst r18,7 - bld r13,1 - bst r19,0 - bld r23,2 - bst r19,1 - bld r5,2 - bst r19,2 - bld r9,2 - bst r19,3 - bld r13,2 - bst r19,4 - bld r23,3 - bst r19,5 - bld r5,3 - bst r19,6 - bld r9,3 - bst r19,7 - bld r13,3 - bst r20,0 - bld r23,4 - bst r20,1 - bld r5,4 - bst r20,2 - bld r9,4 - bst r20,3 - bld r13,4 - bst r20,4 - bld r23,5 - bst r20,5 - bld r5,5 - bst r20,6 - bld r9,5 - bst r20,7 - bld r13,5 - bst r21,0 - bld r23,6 - bst r21,1 - bld r5,6 - bst r21,2 - bld r9,6 - bst r21,3 - bld r13,6 - bst r21,4 - bld r23,7 - bst r21,5 - bld r5,7 - bst r21,6 - bld r9,7 - bst r21,7 - bld r13,7 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r2,0 - bst r18,1 - bld r6,0 - bst r18,2 - bld r10,0 - bst r18,3 - bld r14,0 - bst r18,4 - bld r2,1 - bst r18,5 - bld r6,1 - bst r18,6 - bld r10,1 - bst r18,7 - bld r14,1 - bst r19,0 - bld r2,2 - bst r19,1 - bld r6,2 - bst r19,2 - bld r10,2 - bst r19,3 - bld r14,2 - bst r19,4 - bld r2,3 - bst r19,5 - bld r6,3 - bst r19,6 - bld r10,3 - bst r19,7 - bld r14,3 - bst r20,0 - bld r2,4 - bst r20,1 - bld r6,4 - bst r20,2 - bld r10,4 - bst r20,3 - bld r14,4 - bst r20,4 - bld r2,5 - bst r20,5 - bld r6,5 - bst r20,6 - bld r10,5 - bst r20,7 - bld r14,5 - bst r21,0 - bld r2,6 - bst r21,1 - bld r6,6 - bst r21,2 - bld r10,6 - bst r21,3 - bld 
r14,6 - bst r21,4 - bld r2,7 - bst r21,5 - bld r6,7 - bst r21,6 - bld r10,7 - bst r21,7 - bld r14,7 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r3,0 - bst r18,1 - bld r7,0 - bst r18,2 - bld r11,0 - bst r18,3 - bld r15,0 - bst r18,4 - bld r3,1 - bst r18,5 - bld r7,1 - bst r18,6 - bld r11,1 - bst r18,7 - bld r15,1 - bst r19,0 - bld r3,2 - bst r19,1 - bld r7,2 - bst r19,2 - bld r11,2 - bst r19,3 - bld r15,2 - bst r19,4 - bld r3,3 - bst r19,5 - bld r7,3 - bst r19,6 - bld r11,3 - bst r19,7 - bld r15,3 - bst r20,0 - bld r3,4 - bst r20,1 - bld r7,4 - bst r20,2 - bld r11,4 - bst r20,3 - bld r15,4 - bst r20,4 - bld r3,5 - bst r20,5 - bld r7,5 - bst r20,6 - bld r11,5 - bst r20,7 - bld r15,5 - bst r21,0 - bld r3,6 - bst r21,1 - bld r7,6 - bst r21,2 - bld r11,6 - bst r21,3 - bld r15,6 - bst r21,4 - bld r3,7 - bst r21,5 - bld r7,7 - bst r21,6 - bld r11,7 - bst r21,7 - bld r15,7 - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - mov r16,r1 -302: - rcall 455f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - rcall 455f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd 
r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - rcall 455f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - rcall 455f - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - ldi r17,40 - cpse r16,r17 - rjmp 302b - rjmp 804f -455: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - movw r18,r22 - movw r20,r2 - mov r0,r4 - and r0,r18 - eor r8,r0 - mov r0,r5 - and 
r0,r19 - eor r9,r0 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - movw r22,r12 - movw r2,r14 - movw r12,r18 - movw r14,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r2,0 - bld r22,4 - bst r22,2 - bld r2,0 - bst r23,0 - bld r22,2 - bst r22,3 - bld r23,0 - bst r23,4 - bld r22,3 - bst r2,3 - bld r23,4 - bst r23,6 - bld r2,3 - bst r3,3 - bld r23,6 - bst r23,5 - bld r3,3 - bst r2,7 - bld r23,5 - bst r3,6 - bld r2,7 - bst r3,1 - bld r3,6 - bst r22,5 - bld r3,1 - bst r2,4 - bld r22,5 - bst r2,2 - bld r2,4 - bst r23,2 - bld r2,2 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r3,7 - bld r23,7 - bst r3,5 - bld r3,7 - bst r2,5 - bld r3,5 - bst r2,6 - bld r2,5 - bst r3,2 - bld r2,6 - bst r23,1 - bld r3,2 - bst r22,7 - bld r23,1 - bst r3,4 - bld r22,7 - bst r2,1 - bld r3,4 - bst r22,6 - bld r2,1 - bst r3,0 - bld r22,6 - bst r0,0 - bld r3,0 - bst r4,0 - bld r0,0 - bst r4,1 - bld r4,0 - bst r4,5 - bld r4,1 - bst r6,5 - bld r4,5 - bst r6,7 - bld r6,5 - bst r7,7 - bld r6,7 - bst r7,6 - bld r7,7 - bst r7,2 - bld r7,6 - bst r5,2 - bld r7,2 - bst r5,0 - bld r5,2 - bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,1 - bld r4,2 - bst r4,4 - bld r5,1 - bst r6,1 - bld r4,4 - bst r4,7 - bld r6,1 - bst r7,5 - bld r4,7 - bst r6,6 - bld r7,5 - bst r7,3 - bld r6,6 - bst r5,6 - bld r7,3 - bst r7,0 - bld r5,6 - bst r0,0 - bld r7,0 - bst r4,3 - bld r0,0 - bst r5,5 - bld r4,3 - bst r6,4 - bld r5,5 - bst r6,3 - bld r6,4 - bst r5,7 - bld r6,3 - bst r7,4 - bld r5,7 - bst r6,2 - bld r7,4 - bst r5,3 - bld r6,2 - bst r5,4 - bld r5,3 - bst r6,0 - bld r5,4 - bst r0,0 - bld r6,0 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r8,2 - bld r8,0 - bst r9,2 - bld r8,2 - bst r9,1 - bld r9,2 - bst r8,5 - bld r9,1 - bst r10,6 - bld r8,5 - bst r11,0 - bld r10,6 - bst r8,3 - bld r11,0 - bst r9,6 - bld r8,3 - bst r11,1 - bld r9,6 - bst r8,7 - bld r11,1 - bst r11,6 - bld r8,7 - bst r11,3 - bld r11,6 - bst r9,7 - bld r11,3 - 
bst r11,5 - bld r9,7 - bst r10,7 - bld r11,5 - bst r11,4 - bld r10,7 - bst r10,3 - bld r11,4 - bst r9,4 - bld r10,3 - bst r10,1 - bld r9,4 - bst r8,4 - bld r10,1 - bst r10,2 - bld r8,4 - bst r9,0 - bld r10,2 - bst r8,1 - bld r9,0 - bst r8,6 - bld r8,1 - bst r11,2 - bld r8,6 - bst r9,3 - bld r11,2 - bst r9,5 - bld r9,3 - bst r10,5 - bld r9,5 - bst r10,4 - bld r10,5 - bst r10,0 - bld r10,4 - bst r0,0 - bld r10,0 - bst r12,0 - bld r0,0 - bst r12,3 - bld r12,0 - bst r13,7 - bld r12,3 - bst r15,6 - bld r13,7 - bst r15,0 - bld r15,6 - bst r0,0 - bld r15,0 - bst r12,1 - bld r0,0 - bst r12,7 - bld r12,1 - bst r15,7 - bld r12,7 - bst r15,4 - bld r15,7 - bst r14,0 - bld r15,4 - bst r0,0 - bld r14,0 - bst r12,2 - bld r0,0 - bst r13,3 - bld r12,2 - bst r13,6 - bld r13,3 - bst r15,2 - bld r13,6 - bst r13,0 - bld r15,2 - bst r0,0 - bld r13,0 - bst r12,4 - bld r0,0 - bst r14,3 - bld r12,4 - bst r13,5 - bld r14,3 - bst r14,6 - bld r13,5 - bst r15,1 - bld r14,6 - bst r0,0 - bld r15,1 - bst r12,5 - bld r0,0 - bst r14,7 - bld r12,5 - bst r15,5 - bld r14,7 - bst r14,4 - bld r15,5 - bst r14,1 - bld r14,4 - bst r0,0 - bld r14,1 - bst r12,6 - bld r0,0 - bst r15,3 - bld r12,6 - bst r13,4 - bld r15,3 - bst r14,2 - bld r13,4 - bst r13,1 - bld r14,2 - bst r0,0 - bld r13,1 - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r16 - ret -804: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - bst r22,0 - bld r18,0 - bst r4,0 - bld r18,1 - bst r8,0 - bld r18,2 - bst r12,0 - bld r18,3 - bst r22,1 - bld r18,4 - bst r4,1 - bld r18,5 - bst r8,1 - bld r18,6 - bst r12,1 - bld r18,7 - bst r22,2 - bld r19,0 - bst r4,2 - bld r19,1 - bst r8,2 - bld r19,2 - bst r12,2 - bld r19,3 - bst r22,3 - bld r19,4 - bst r4,3 - bld r19,5 - bst r8,3 - bld r19,6 - 
bst r12,3 - bld r19,7 - bst r22,4 - bld r20,0 - bst r4,4 - bld r20,1 - bst r8,4 - bld r20,2 - bst r12,4 - bld r20,3 - bst r22,5 - bld r20,4 - bst r4,5 - bld r20,5 - bst r8,5 - bld r20,6 - bst r12,5 - bld r20,7 - bst r22,6 - bld r21,0 - bst r4,6 - bld r21,1 - bst r8,6 - bld r21,2 - bst r12,6 - bld r21,3 - bst r22,7 - bld r21,4 - bst r4,7 - bld r21,5 - bst r8,7 - bld r21,6 - bst r12,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - bst r23,0 - bld r18,0 - bst r5,0 - bld r18,1 - bst r9,0 - bld r18,2 - bst r13,0 - bld r18,3 - bst r23,1 - bld r18,4 - bst r5,1 - bld r18,5 - bst r9,1 - bld r18,6 - bst r13,1 - bld r18,7 - bst r23,2 - bld r19,0 - bst r5,2 - bld r19,1 - bst r9,2 - bld r19,2 - bst r13,2 - bld r19,3 - bst r23,3 - bld r19,4 - bst r5,3 - bld r19,5 - bst r9,3 - bld r19,6 - bst r13,3 - bld r19,7 - bst r23,4 - bld r20,0 - bst r5,4 - bld r20,1 - bst r9,4 - bld r20,2 - bst r13,4 - bld r20,3 - bst r23,5 - bld r20,4 - bst r5,5 - bld r20,5 - bst r9,5 - bld r20,6 - bst r13,5 - bld r20,7 - bst r23,6 - bld r21,0 - bst r5,6 - bld r21,1 - bst r9,6 - bld r21,2 - bst r13,6 - bld r21,3 - bst r23,7 - bld r21,4 - bst r5,7 - bld r21,5 - bst r9,7 - bld r21,6 - bst r13,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - bst r2,0 - bld r18,0 - bst r6,0 - bld r18,1 - bst r10,0 - bld r18,2 - bst r14,0 - bld r18,3 - bst r2,1 - bld r18,4 - bst r6,1 - bld r18,5 - bst r10,1 - bld r18,6 - bst r14,1 - bld r18,7 - bst r2,2 - bld r19,0 - bst r6,2 - bld r19,1 - bst r10,2 - bld r19,2 - bst r14,2 - bld r19,3 - bst r2,3 - bld r19,4 - bst r6,3 - bld r19,5 - bst r10,3 - bld r19,6 - bst r14,3 - bld r19,7 - bst r2,4 - bld r20,0 - bst r6,4 - bld r20,1 - bst r10,4 - bld r20,2 - bst r14,4 - bld r20,3 - bst r2,5 - bld r20,4 - bst r6,5 - bld r20,5 - bst r10,5 - bld r20,6 - bst r14,5 - bld r20,7 - bst r2,6 - bld r21,0 - bst r6,6 - bld r21,1 - bst r10,6 - bld r21,2 - bst r14,6 - bld r21,3 - bst r2,7 - bld r21,4 - bst r6,7 - bld r21,5 - bst r10,7 - bld r21,6 - bst r14,7 - bld r21,7 - 
st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - bst r3,0 - bld r18,0 - bst r7,0 - bld r18,1 - bst r11,0 - bld r18,2 - bst r15,0 - bld r18,3 - bst r3,1 - bld r18,4 - bst r7,1 - bld r18,5 - bst r11,1 - bld r18,6 - bst r15,1 - bld r18,7 - bst r3,2 - bld r19,0 - bst r7,2 - bld r19,1 - bst r11,2 - bld r19,2 - bst r15,2 - bld r19,3 - bst r3,3 - bld r19,4 - bst r7,3 - bld r19,5 - bst r11,3 - bld r19,6 - bst r15,3 - bld r19,7 - bst r3,4 - bld r20,0 - bst r7,4 - bld r20,1 - bst r11,4 - bld r20,2 - bst r15,4 - bld r20,3 - bst r3,5 - bld r20,4 - bst r7,5 - bld r20,5 - bst r11,5 - bld r20,6 - bst r15,5 - bld r20,7 - bst r3,6 - bld r21,0 - bst r7,6 - bld r21,1 - bst r11,6 - bld r21,2 - bst r15,6 - bld r21,3 - bst r3,7 - bld r21,4 - bst r7,7 - bld r21,5 - bst r11,7 - bld r21,6 - bst r15,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128n_encrypt, .-gift128n_encrypt - - .text -.global gift128n_decrypt - .type gift128n_decrypt, @function -gift128n_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r22,0 - bst r18,1 - bld r4,0 - bst r18,2 - bld r8,0 - bst r18,3 - bld r12,0 - bst r18,4 - bld r22,1 - bst r18,5 - bld r4,1 - bst r18,6 - bld r8,1 - bst r18,7 - bld r12,1 - bst r19,0 - bld r22,2 - bst r19,1 - bld r4,2 - bst r19,2 - bld r8,2 - bst r19,3 - bld r12,2 - bst r19,4 - bld r22,3 - bst r19,5 - bld r4,3 - bst r19,6 - bld r8,3 - 
bst r19,7 - bld r12,3 - bst r20,0 - bld r22,4 - bst r20,1 - bld r4,4 - bst r20,2 - bld r8,4 - bst r20,3 - bld r12,4 - bst r20,4 - bld r22,5 - bst r20,5 - bld r4,5 - bst r20,6 - bld r8,5 - bst r20,7 - bld r12,5 - bst r21,0 - bld r22,6 - bst r21,1 - bld r4,6 - bst r21,2 - bld r8,6 - bst r21,3 - bld r12,6 - bst r21,4 - bld r22,7 - bst r21,5 - bld r4,7 - bst r21,6 - bld r8,7 - bst r21,7 - bld r12,7 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r23,0 - bst r18,1 - bld r5,0 - bst r18,2 - bld r9,0 - bst r18,3 - bld r13,0 - bst r18,4 - bld r23,1 - bst r18,5 - bld r5,1 - bst r18,6 - bld r9,1 - bst r18,7 - bld r13,1 - bst r19,0 - bld r23,2 - bst r19,1 - bld r5,2 - bst r19,2 - bld r9,2 - bst r19,3 - bld r13,2 - bst r19,4 - bld r23,3 - bst r19,5 - bld r5,3 - bst r19,6 - bld r9,3 - bst r19,7 - bld r13,3 - bst r20,0 - bld r23,4 - bst r20,1 - bld r5,4 - bst r20,2 - bld r9,4 - bst r20,3 - bld r13,4 - bst r20,4 - bld r23,5 - bst r20,5 - bld r5,5 - bst r20,6 - bld r9,5 - bst r20,7 - bld r13,5 - bst r21,0 - bld r23,6 - bst r21,1 - bld r5,6 - bst r21,2 - bld r9,6 - bst r21,3 - bld r13,6 - bst r21,4 - bld r23,7 - bst r21,5 - bld r5,7 - bst r21,6 - bld r9,7 - bst r21,7 - bld r13,7 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r2,0 - bst r18,1 - bld r6,0 - bst r18,2 - bld r10,0 - bst r18,3 - bld r14,0 - bst r18,4 - bld r2,1 - bst r18,5 - bld r6,1 - bst r18,6 - bld r10,1 - bst r18,7 - bld r14,1 - bst r19,0 - bld r2,2 - bst r19,1 - bld r6,2 - bst r19,2 - bld r10,2 - bst r19,3 - bld r14,2 - bst r19,4 - bld r2,3 - bst r19,5 - bld r6,3 - bst r19,6 - bld r10,3 - bst r19,7 - bld r14,3 - bst r20,0 - bld r2,4 - bst r20,1 - bld r6,4 - bst r20,2 - bld r10,4 - bst r20,3 - bld r14,4 - bst r20,4 - bld r2,5 - bst r20,5 - bld r6,5 - bst r20,6 - bld r10,5 - bst r20,7 - bld r14,5 - bst r21,0 - bld r2,6 - bst r21,1 - bld r6,6 - bst r21,2 - bld r10,6 - bst r21,3 - bld r14,6 - bst r21,4 - bld r2,7 - bst r21,5 - bld r6,7 - bst r21,6 - bld r10,7 - bst r21,7 - bld r14,7 - 
ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - bst r18,0 - bld r3,0 - bst r18,1 - bld r7,0 - bst r18,2 - bld r11,0 - bst r18,3 - bld r15,0 - bst r18,4 - bld r3,1 - bst r18,5 - bld r7,1 - bst r18,6 - bld r11,1 - bst r18,7 - bld r15,1 - bst r19,0 - bld r3,2 - bst r19,1 - bld r7,2 - bst r19,2 - bld r11,2 - bst r19,3 - bld r15,2 - bst r19,4 - bld r3,3 - bst r19,5 - bld r7,3 - bst r19,6 - bld r11,3 - bst r19,7 - bld r15,3 - bst r20,0 - bld r3,4 - bst r20,1 - bld r7,4 - bst r20,2 - bld r11,4 - bst r20,3 - bld r15,4 - bst r20,4 - bld r3,5 - bst r20,5 - bld r7,5 - bst r20,6 - bld r11,5 - bst r20,7 - bld r15,5 - bst r21,0 - bld r3,6 - bst r21,1 - bld r7,6 - bst r21,2 - bld r11,6 - bst r21,3 - bld r15,6 - bst r21,4 - bld r3,7 - bst r21,5 - bld r7,7 - bst r21,6 - bld r11,7 - bst r21,7 - bld r15,7 - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi 
r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -370: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 522f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 522f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 522f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 522f - cpse r16,r1 - rjmp 370b - rjmp 867f -522: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 
- mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 - bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld 
r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor 
r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -867: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - bst r22,0 - bld r18,0 - bst r4,0 - bld r18,1 - bst r8,0 - bld r18,2 - bst r12,0 - bld r18,3 - bst r22,1 - bld r18,4 - bst r4,1 - bld r18,5 - bst r8,1 - bld r18,6 - bst r12,1 - bld r18,7 - bst r22,2 - bld r19,0 - bst r4,2 - bld r19,1 - bst r8,2 - bld r19,2 - bst r12,2 - bld r19,3 - bst r22,3 - bld r19,4 - bst r4,3 - bld r19,5 - bst r8,3 - bld r19,6 - bst r12,3 - bld r19,7 - bst r22,4 - bld r20,0 - bst r4,4 - bld r20,1 - bst r8,4 - bld r20,2 - bst r12,4 - bld r20,3 - bst r22,5 - bld r20,4 - bst r4,5 - bld r20,5 - bst r8,5 - bld r20,6 - bst r12,5 - bld r20,7 - bst r22,6 - bld r21,0 - bst r4,6 - bld r21,1 - bst r8,6 - bld r21,2 - bst r12,6 - bld r21,3 - bst r22,7 - bld r21,4 - bst r4,7 - bld r21,5 - bst r8,7 - bld r21,6 - bst r12,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - bst r23,0 - bld r18,0 - bst r5,0 - bld r18,1 - bst r9,0 - bld r18,2 - bst r13,0 - bld r18,3 - bst r23,1 - bld r18,4 - bst r5,1 - bld r18,5 - bst r9,1 - bld r18,6 - bst r13,1 - bld r18,7 - bst r23,2 - bld r19,0 - bst r5,2 - bld r19,1 - bst r9,2 - bld r19,2 - bst r13,2 - bld r19,3 - bst r23,3 - bld r19,4 - bst r5,3 - bld r19,5 - bst r9,3 - bld r19,6 - bst r13,3 - bld r19,7 - bst r23,4 - bld r20,0 - bst r5,4 - bld r20,1 - bst r9,4 - bld r20,2 - bst r13,4 - bld r20,3 - bst r23,5 - bld r20,4 - bst r5,5 - bld r20,5 - bst r9,5 - bld r20,6 - bst r13,5 - bld r20,7 - bst r23,6 - bld r21,0 - bst r5,6 - bld r21,1 - bst r9,6 - bld r21,2 - bst r13,6 - bld r21,3 - bst r23,7 - bld r21,4 - bst r5,7 - bld r21,5 - bst r9,7 - bld r21,6 - bst r13,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - bst r2,0 - bld r18,0 - bst r6,0 - bld r18,1 - bst r10,0 - bld r18,2 - bst r14,0 - bld r18,3 - bst r2,1 - bld r18,4 - bst r6,1 - bld r18,5 - bst r10,1 - bld r18,6 - bst r14,1 - bld r18,7 - bst r2,2 - bld r19,0 
- bst r6,2 - bld r19,1 - bst r10,2 - bld r19,2 - bst r14,2 - bld r19,3 - bst r2,3 - bld r19,4 - bst r6,3 - bld r19,5 - bst r10,3 - bld r19,6 - bst r14,3 - bld r19,7 - bst r2,4 - bld r20,0 - bst r6,4 - bld r20,1 - bst r10,4 - bld r20,2 - bst r14,4 - bld r20,3 - bst r2,5 - bld r20,4 - bst r6,5 - bld r20,5 - bst r10,5 - bld r20,6 - bst r14,5 - bld r20,7 - bst r2,6 - bld r21,0 - bst r6,6 - bld r21,1 - bst r10,6 - bld r21,2 - bst r14,6 - bld r21,3 - bst r2,7 - bld r21,4 - bst r6,7 - bld r21,5 - bst r10,7 - bld r21,6 - bst r14,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - bst r3,0 - bld r18,0 - bst r7,0 - bld r18,1 - bst r11,0 - bld r18,2 - bst r15,0 - bld r18,3 - bst r3,1 - bld r18,4 - bst r7,1 - bld r18,5 - bst r11,1 - bld r18,6 - bst r15,1 - bld r18,7 - bst r3,2 - bld r19,0 - bst r7,2 - bld r19,1 - bst r11,2 - bld r19,2 - bst r15,2 - bld r19,3 - bst r3,3 - bld r19,4 - bst r7,3 - bld r19,5 - bst r11,3 - bld r19,6 - bst r15,3 - bld r19,7 - bst r3,4 - bld r20,0 - bst r7,4 - bld r20,1 - bst r11,4 - bld r20,2 - bst r15,4 - bld r20,3 - bst r3,5 - bld r20,4 - bst r7,5 - bld r20,5 - bst r11,5 - bld r20,6 - bst r15,5 - bld r20,7 - bst r3,6 - bld r21,0 - bst r7,6 - bld r21,1 - bst r11,6 - bld r21,2 - bst r15,6 - bld r21,3 - bst r3,7 - bld r21,4 - bst r7,7 - bld r21,5 - bst r11,7 - bld r21,6 - bst r15,7 - bld r21,7 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128n_decrypt, .-gift128n_decrypt - - .text -.global gift128t_encrypt - .type gift128t_encrypt, @function -gift128t_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - 
movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r2,0 - bst r20,1 - bld r6,0 - bst r20,2 - bld r10,0 - bst r20,3 - bld r14,0 - bst r20,4 - bld r2,1 - bst r20,5 - bld r6,1 - bst r20,6 - bld r10,1 - bst r20,7 - bld r14,1 - bst r21,0 - bld r2,2 - bst r21,1 - bld r6,2 - bst r21,2 - bld r10,2 - bst r21,3 - bld r14,2 - bst r21,4 - bld r2,3 - bst r21,5 - bld r6,3 - bst r21,6 - bld r10,3 - bst r21,7 - bld r14,3 - bst r22,0 - bld r2,4 - bst r22,1 - bld r6,4 - bst r22,2 - bld r10,4 - bst r22,3 - bld r14,4 - bst r22,4 - bld r2,5 - bst r22,5 - bld r6,5 - bst r22,6 - bld r10,5 - bst r22,7 - bld r14,5 - bst r23,0 - bld r2,6 - bst r23,1 - bld r6,6 - bst r23,2 - bld r10,6 - bst r23,3 - bld r14,6 - bst r23,4 - bld r2,7 - bst r23,5 - bld r6,7 - bst r23,6 - bld r10,7 - bst r23,7 - bld r14,7 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r3,0 - bst r20,1 - bld r7,0 - bst r20,2 - bld r11,0 - bst r20,3 - bld r15,0 - bst r20,4 - bld r3,1 - bst r20,5 - bld r7,1 - bst r20,6 - bld r11,1 - bst r20,7 - bld r15,1 - bst r21,0 - bld r3,2 - bst r21,1 - bld r7,2 - bst r21,2 - bld r11,2 - bst r21,3 - bld r15,2 - bst r21,4 - bld r3,3 - bst r21,5 - bld r7,3 - bst r21,6 - bld r11,3 - bst r21,7 - bld r15,3 - bst r22,0 - bld r3,4 - bst r22,1 - bld r7,4 - bst r22,2 - bld r11,4 - bst r22,3 - bld r15,4 - bst r22,4 - bld r3,5 - bst r22,5 - bld r7,5 - bst r22,6 - bld r11,5 - bst r22,7 - bld r15,5 - bst r23,0 - bld r3,6 - bst r23,1 - bld r7,6 - bst r23,2 - bld r11,6 - bst r23,3 - bld r15,6 - bst r23,4 - bld r3,7 - bst r23,5 - bld r7,7 - bst r23,6 - bld r11,7 - bst r23,7 - bld r15,7 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r4,0 - bst r20,1 - bld r8,0 - bst r20,2 - bld r12,0 - bst r20,3 - bld r24,0 - bst r20,4 - bld r4,1 - bst r20,5 - bld r8,1 - bst r20,6 - bld r12,1 - bst r20,7 - bld r24,1 - bst r21,0 - bld r4,2 
- bst r21,1 - bld r8,2 - bst r21,2 - bld r12,2 - bst r21,3 - bld r24,2 - bst r21,4 - bld r4,3 - bst r21,5 - bld r8,3 - bst r21,6 - bld r12,3 - bst r21,7 - bld r24,3 - bst r22,0 - bld r4,4 - bst r22,1 - bld r8,4 - bst r22,2 - bld r12,4 - bst r22,3 - bld r24,4 - bst r22,4 - bld r4,5 - bst r22,5 - bld r8,5 - bst r22,6 - bld r12,5 - bst r22,7 - bld r24,5 - bst r23,0 - bld r4,6 - bst r23,1 - bld r8,6 - bst r23,2 - bld r12,6 - bst r23,3 - bld r24,6 - bst r23,4 - bld r4,7 - bst r23,5 - bld r8,7 - bst r23,6 - bld r12,7 - bst r23,7 - bld r24,7 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r5,0 - bst r20,1 - bld r9,0 - bst r20,2 - bld r13,0 - bst r20,3 - bld r25,0 - bst r20,4 - bld r5,1 - bst r20,5 - bld r9,1 - bst r20,6 - bld r13,1 - bst r20,7 - bld r25,1 - bst r21,0 - bld r5,2 - bst r21,1 - bld r9,2 - bst r21,2 - bld r13,2 - bst r21,3 - bld r25,2 - bst r21,4 - bld r5,3 - bst r21,5 - bld r9,3 - bst r21,6 - bld r13,3 - bst r21,7 - bld r25,3 - bst r22,0 - bld r5,4 - bst r22,1 - bld r9,4 - bst r22,2 - bld r13,4 - bst r22,3 - bld r25,4 - bst r22,4 - bld r5,5 - bst r22,5 - bld r9,5 - bst r22,6 - bld r13,5 - bst r22,7 - bld r25,5 - bst r23,0 - bld r5,6 - bst r23,1 - bld r9,6 - bst r23,2 - bld r13,6 - bst r23,3 - bld r25,6 - bst r23,4 - bld r5,7 - bst r23,5 - bld r9,7 - bst r23,6 - bld r13,7 - bst r23,7 - bld r25,7 - ld r26,Z - ldd r27,Z+1 - ldd r16,Z+2 - ldd r17,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r16 - std Y+4,r17 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r16,Z+6 - ldd r17,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r16 - std Y+8,r17 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r16,Z+10 - ldd r17,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r16 - std Y+12,r17 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r16,Z+14 - ldd r17,Z+15 - std Y+13,r26 - std Y+14,r27 - std Y+15,r16 - std Y+16,r17 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r26,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - mov r19,r1 - mov r26,r1 -307: - 
mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r8,r0 - mov r0,r5 - and r0,r13 - eor r9,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r8 - and r0,r24 - eor r4,r0 - mov r0,r9 - and r0,r25 - eor r5,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - or r0,r8 - eor r12,r0 - mov r0,r5 - or r0,r9 - eor r13,r0 - eor r14,r10 - eor r15,r11 - eor r24,r12 - eor r25,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - com r14 - com r15 - com r24 - com r25 - movw r20,r2 - movw r22,r4 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - mov r0,r8 - and r0,r22 - eor r12,r0 - mov r0,r9 - and r0,r23 - eor r13,r0 - movw r2,r14 - movw r4,r24 - movw r14,r20 - movw r24,r22 - bst r2,1 - bld r0,0 - bst r2,4 - bld r2,1 - bst r4,0 - bld r2,4 - bst r2,2 - bld r4,0 - bst r3,0 - bld r2,2 - bst r2,3 - bld r3,0 - bst r3,4 - bld r2,3 - bst r4,3 - bld r3,4 - bst r3,6 - bld r4,3 - bst r5,3 - bld r3,6 - bst r3,5 - bld r5,3 - bst r4,7 - bld r3,5 - bst r5,6 - bld r4,7 - bst r5,1 - bld r5,6 - bst r2,5 - bld r5,1 - bst r4,4 - bld r2,5 - bst r4,2 - bld r4,4 - bst r3,2 - bld r4,2 - bst r3,3 - bld r3,2 - bst r3,7 - bld r3,3 - bst r5,7 - bld r3,7 - bst r5,5 - bld r5,7 - bst r4,5 - bld r5,5 - bst r4,6 - bld r4,5 - bst r5,2 - bld r4,6 - bst r3,1 - bld r5,2 - bst r2,7 - bld r3,1 - bst r5,4 - bld r2,7 - bst r4,1 - bld r5,4 - bst r2,6 - bld r4,1 - bst r5,0 - bld r2,6 - bst r0,0 - bld r5,0 - bst r6,0 - bld r0,0 - bst r6,1 - bld r6,0 - bst r6,5 - bld r6,1 - bst r8,5 - bld r6,5 - bst r8,7 - bld r8,5 - bst r9,7 - bld r8,7 - bst r9,6 - bld r9,7 - bst r9,2 - bld r9,6 - bst r7,2 - bld r9,2 - bst r7,0 - bld r7,2 - bst r0,0 - bld r7,0 - bst r6,2 - bld r0,0 - bst r7,1 - bld r6,2 - bst r6,4 - bld r7,1 - bst r8,1 - bld r6,4 - bst r6,7 - bld r8,1 - bst r9,5 - bld r6,7 - bst r8,6 - bld r9,5 - bst r9,3 - bld r8,6 - bst r7,6 - bld r9,3 - bst r9,0 - bld r7,6 - bst 
r0,0 - bld r9,0 - bst r6,3 - bld r0,0 - bst r7,5 - bld r6,3 - bst r8,4 - bld r7,5 - bst r8,3 - bld r8,4 - bst r7,7 - bld r8,3 - bst r9,4 - bld r7,7 - bst r8,2 - bld r9,4 - bst r7,3 - bld r8,2 - bst r7,4 - bld r7,3 - bst r8,0 - bld r7,4 - bst r0,0 - bld r8,0 - bst r6,6 - bld r0,0 - bst r9,1 - bld r6,6 - bst r0,0 - bld r9,1 - bst r10,0 - bld r0,0 - bst r10,2 - bld r10,0 - bst r11,2 - bld r10,2 - bst r11,1 - bld r11,2 - bst r10,5 - bld r11,1 - bst r12,6 - bld r10,5 - bst r13,0 - bld r12,6 - bst r10,3 - bld r13,0 - bst r11,6 - bld r10,3 - bst r13,1 - bld r11,6 - bst r10,7 - bld r13,1 - bst r13,6 - bld r10,7 - bst r13,3 - bld r13,6 - bst r11,7 - bld r13,3 - bst r13,5 - bld r11,7 - bst r12,7 - bld r13,5 - bst r13,4 - bld r12,7 - bst r12,3 - bld r13,4 - bst r11,4 - bld r12,3 - bst r12,1 - bld r11,4 - bst r10,4 - bld r12,1 - bst r12,2 - bld r10,4 - bst r11,0 - bld r12,2 - bst r10,1 - bld r11,0 - bst r10,6 - bld r10,1 - bst r13,2 - bld r10,6 - bst r11,3 - bld r13,2 - bst r11,5 - bld r11,3 - bst r12,5 - bld r11,5 - bst r12,4 - bld r12,5 - bst r12,0 - bld r12,4 - bst r0,0 - bld r12,0 - bst r14,0 - bld r0,0 - bst r14,3 - bld r14,0 - bst r15,7 - bld r14,3 - bst r25,6 - bld r15,7 - bst r25,0 - bld r25,6 - bst r0,0 - bld r25,0 - bst r14,1 - bld r0,0 - bst r14,7 - bld r14,1 - bst r25,7 - bld r14,7 - bst r25,4 - bld r25,7 - bst r24,0 - bld r25,4 - bst r0,0 - bld r24,0 - bst r14,2 - bld r0,0 - bst r15,3 - bld r14,2 - bst r15,6 - bld r15,3 - bst r25,2 - bld r15,6 - bst r15,0 - bld r25,2 - bst r0,0 - bld r15,0 - bst r14,4 - bld r0,0 - bst r24,3 - bld r14,4 - bst r15,5 - bld r24,3 - bst r24,6 - bld r15,5 - bst r25,1 - bld r24,6 - bst r0,0 - bld r25,1 - bst r14,5 - bld r0,0 - bst r24,7 - bld r14,5 - bst r25,5 - bld r24,7 - bst r24,4 - bld r25,5 - bst r24,1 - bld r24,4 - bst r0,0 - bld r24,1 - bst r14,6 - bld r0,0 - bst r25,3 - bld r14,6 - bst r15,4 - bld r25,3 - bst r24,2 - bld r15,4 - bst r15,1 - bld r24,2 - bst r0,0 - bld r15,1 - ldd r0,Y+5 - eor r10,r0 - ldd r0,Y+6 - eor r11,r0 - ldd 
r0,Y+7 - eor r12,r0 - ldd r0,Y+8 - eor r13,r0 - ldd r20,Y+13 - ldd r21,Y+14 - ldd r22,Y+15 - ldd r23,Y+16 - eor r6,r20 - eor r7,r21 - eor r8,r22 - eor r9,r23 - lsl r20 - rol r21 - adc r20,r1 - lsl r20 - rol r21 - adc r20,r1 - lsl r20 - rol r21 - adc r20,r1 - lsl r20 - rol r21 - adc r20,r1 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - ldd r0,Y+1 - std Y+1,r20 - ldd r20,Y+5 - std Y+5,r0 - ldd r0,Y+9 - std Y+9,r20 - std Y+13,r0 - ldd r0,Y+2 - std Y+2,r21 - ldd r21,Y+6 - std Y+6,r0 - ldd r0,Y+10 - std Y+10,r21 - std Y+14,r0 - ldd r0,Y+3 - std Y+3,r22 - ldd r22,Y+7 - std Y+7,r0 - ldd r0,Y+11 - std Y+11,r22 - std Y+15,r0 - ldd r0,Y+4 - std Y+4,r23 - ldd r23,Y+8 - std Y+8,r0 - ldd r0,Y+12 - std Y+12,r23 - std Y+16,r0 - ldi r20,128 - eor r25,r20 - mov r30,r19 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - eor r14,r20 - inc r19 - cpi r19,40 - breq 727f - inc r26 - ldi r27,5 - cpse r26,r27 - rjmp 307b - mov r26,r1 - eor r2,r18 - eor r3,r18 - eor r4,r18 - eor r5,r18 - rjmp 307b -727: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - bst r2,0 - bld r20,0 - bst r6,0 - bld r20,1 - bst r10,0 - bld r20,2 - bst r14,0 - bld r20,3 - bst r2,1 - bld r20,4 - bst r6,1 - bld r20,5 - bst r10,1 - bld r20,6 - bst r14,1 - bld r20,7 - bst r2,2 - bld r21,0 - bst r6,2 - bld r21,1 - bst r10,2 - bld r21,2 - bst r14,2 - bld r21,3 - bst r2,3 - bld r21,4 - bst r6,3 - bld r21,5 - bst r10,3 - bld r21,6 - bst r14,3 - bld r21,7 - bst r2,4 - bld r22,0 - bst r6,4 - bld r22,1 - bst r10,4 - bld r22,2 - bst r14,4 - bld r22,3 - bst r2,5 - bld r22,4 - bst r6,5 - bld r22,5 - bst r10,5 - bld r22,6 - bst r14,5 - bld r22,7 - bst r2,6 - bld r23,0 - bst r6,6 - bld r23,1 - bst r10,6 - bld r23,2 - bst r14,6 - bld r23,3 - bst r2,7 - bld r23,4 - bst r6,7 - bld r23,5 - bst r10,7 - bld r23,6 - bst r14,7 - bld r23,7 - st X+,r20 - st 
X+,r21 - st X+,r22 - st X+,r23 - bst r3,0 - bld r20,0 - bst r7,0 - bld r20,1 - bst r11,0 - bld r20,2 - bst r15,0 - bld r20,3 - bst r3,1 - bld r20,4 - bst r7,1 - bld r20,5 - bst r11,1 - bld r20,6 - bst r15,1 - bld r20,7 - bst r3,2 - bld r21,0 - bst r7,2 - bld r21,1 - bst r11,2 - bld r21,2 - bst r15,2 - bld r21,3 - bst r3,3 - bld r21,4 - bst r7,3 - bld r21,5 - bst r11,3 - bld r21,6 - bst r15,3 - bld r21,7 - bst r3,4 - bld r22,0 - bst r7,4 - bld r22,1 - bst r11,4 - bld r22,2 - bst r15,4 - bld r22,3 - bst r3,5 - bld r22,4 - bst r7,5 - bld r22,5 - bst r11,5 - bld r22,6 - bst r15,5 - bld r22,7 - bst r3,6 - bld r23,0 - bst r7,6 - bld r23,1 - bst r11,6 - bld r23,2 - bst r15,6 - bld r23,3 - bst r3,7 - bld r23,4 - bst r7,7 - bld r23,5 - bst r11,7 - bld r23,6 - bst r15,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - bst r4,0 - bld r20,0 - bst r8,0 - bld r20,1 - bst r12,0 - bld r20,2 - bst r24,0 - bld r20,3 - bst r4,1 - bld r20,4 - bst r8,1 - bld r20,5 - bst r12,1 - bld r20,6 - bst r24,1 - bld r20,7 - bst r4,2 - bld r21,0 - bst r8,2 - bld r21,1 - bst r12,2 - bld r21,2 - bst r24,2 - bld r21,3 - bst r4,3 - bld r21,4 - bst r8,3 - bld r21,5 - bst r12,3 - bld r21,6 - bst r24,3 - bld r21,7 - bst r4,4 - bld r22,0 - bst r8,4 - bld r22,1 - bst r12,4 - bld r22,2 - bst r24,4 - bld r22,3 - bst r4,5 - bld r22,4 - bst r8,5 - bld r22,5 - bst r12,5 - bld r22,6 - bst r24,5 - bld r22,7 - bst r4,6 - bld r23,0 - bst r8,6 - bld r23,1 - bst r12,6 - bld r23,2 - bst r24,6 - bld r23,3 - bst r4,7 - bld r23,4 - bst r8,7 - bld r23,5 - bst r12,7 - bld r23,6 - bst r24,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - bst r5,0 - bld r20,0 - bst r9,0 - bld r20,1 - bst r13,0 - bld r20,2 - bst r25,0 - bld r20,3 - bst r5,1 - bld r20,4 - bst r9,1 - bld r20,5 - bst r13,1 - bld r20,6 - bst r25,1 - bld r20,7 - bst r5,2 - bld r21,0 - bst r9,2 - bld r21,1 - bst r13,2 - bld r21,2 - bst r25,2 - bld r21,3 - bst r5,3 - bld r21,4 - bst r9,3 - bld r21,5 - bst r13,3 - bld r21,6 - bst r25,3 - 
bld r21,7 - bst r5,4 - bld r22,0 - bst r9,4 - bld r22,1 - bst r13,4 - bld r22,2 - bst r25,4 - bld r22,3 - bst r5,5 - bld r22,4 - bst r9,5 - bld r22,5 - bst r13,5 - bld r22,6 - bst r25,5 - bld r22,7 - bst r5,6 - bld r23,0 - bst r9,6 - bld r23,1 - bst r13,6 - bld r23,2 - bst r25,6 - bld r23,3 - bst r5,7 - bld r23,4 - bst r9,7 - bld r23,5 - bst r13,7 - bld r23,6 - bst r25,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128t_encrypt, .-gift128t_encrypt - - .text -.global gift128t_decrypt - .type gift128t_decrypt, @function -gift128t_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r2,0 - bst r20,1 - bld r6,0 - bst r20,2 - bld r10,0 - bst r20,3 - bld r14,0 - bst r20,4 - bld r2,1 - bst r20,5 - bld r6,1 - bst r20,6 - bld r10,1 - bst r20,7 - bld r14,1 - bst r21,0 - bld r2,2 - bst r21,1 - bld r6,2 - bst r21,2 - bld r10,2 - bst r21,3 - bld r14,2 - bst r21,4 - bld r2,3 - bst r21,5 - bld r6,3 - bst r21,6 - bld r10,3 - bst r21,7 - bld r14,3 - bst r22,0 - bld r2,4 - bst r22,1 - bld r6,4 - bst r22,2 - bld r10,4 - bst r22,3 - bld r14,4 - bst r22,4 - bld r2,5 - bst r22,5 - bld r6,5 - bst r22,6 - bld r10,5 - bst r22,7 - bld r14,5 - bst r23,0 - bld r2,6 - bst r23,1 - bld r6,6 - bst r23,2 - bld r10,6 - bst r23,3 - bld r14,6 - bst r23,4 - bld r2,7 - bst r23,5 - bld r6,7 - bst r23,6 - bld r10,7 - bst r23,7 - bld r14,7 - ld 
r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r3,0 - bst r20,1 - bld r7,0 - bst r20,2 - bld r11,0 - bst r20,3 - bld r15,0 - bst r20,4 - bld r3,1 - bst r20,5 - bld r7,1 - bst r20,6 - bld r11,1 - bst r20,7 - bld r15,1 - bst r21,0 - bld r3,2 - bst r21,1 - bld r7,2 - bst r21,2 - bld r11,2 - bst r21,3 - bld r15,2 - bst r21,4 - bld r3,3 - bst r21,5 - bld r7,3 - bst r21,6 - bld r11,3 - bst r21,7 - bld r15,3 - bst r22,0 - bld r3,4 - bst r22,1 - bld r7,4 - bst r22,2 - bld r11,4 - bst r22,3 - bld r15,4 - bst r22,4 - bld r3,5 - bst r22,5 - bld r7,5 - bst r22,6 - bld r11,5 - bst r22,7 - bld r15,5 - bst r23,0 - bld r3,6 - bst r23,1 - bld r7,6 - bst r23,2 - bld r11,6 - bst r23,3 - bld r15,6 - bst r23,4 - bld r3,7 - bst r23,5 - bld r7,7 - bst r23,6 - bld r11,7 - bst r23,7 - bld r15,7 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r4,0 - bst r20,1 - bld r8,0 - bst r20,2 - bld r12,0 - bst r20,3 - bld r24,0 - bst r20,4 - bld r4,1 - bst r20,5 - bld r8,1 - bst r20,6 - bld r12,1 - bst r20,7 - bld r24,1 - bst r21,0 - bld r4,2 - bst r21,1 - bld r8,2 - bst r21,2 - bld r12,2 - bst r21,3 - bld r24,2 - bst r21,4 - bld r4,3 - bst r21,5 - bld r8,3 - bst r21,6 - bld r12,3 - bst r21,7 - bld r24,3 - bst r22,0 - bld r4,4 - bst r22,1 - bld r8,4 - bst r22,2 - bld r12,4 - bst r22,3 - bld r24,4 - bst r22,4 - bld r4,5 - bst r22,5 - bld r8,5 - bst r22,6 - bld r12,5 - bst r22,7 - bld r24,5 - bst r23,0 - bld r4,6 - bst r23,1 - bld r8,6 - bst r23,2 - bld r12,6 - bst r23,3 - bld r24,6 - bst r23,4 - bld r4,7 - bst r23,5 - bld r8,7 - bst r23,6 - bld r12,7 - bst r23,7 - bld r24,7 - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - bst r20,0 - bld r5,0 - bst r20,1 - bld r9,0 - bst r20,2 - bld r13,0 - bst r20,3 - bld r25,0 - bst r20,4 - bld r5,1 - bst r20,5 - bld r9,1 - bst r20,6 - bld r13,1 - bst r20,7 - bld r25,1 - bst r21,0 - bld r5,2 - bst r21,1 - bld r9,2 - bst r21,2 - bld r13,2 - bst r21,3 - bld r25,2 - bst r21,4 - bld r5,3 - bst r21,5 - bld r9,3 - bst r21,6 - bld r13,3 - 
bst r21,7 - bld r25,3 - bst r22,0 - bld r5,4 - bst r22,1 - bld r9,4 - bst r22,2 - bld r13,4 - bst r22,3 - bld r25,4 - bst r22,4 - bld r5,5 - bst r22,5 - bld r9,5 - bst r22,6 - bld r13,5 - bst r22,7 - bld r25,5 - bst r23,0 - bld r5,6 - bst r23,1 - bld r9,6 - bst r23,2 - bld r13,6 - bst r23,3 - bld r25,6 - bst r23,4 - bld r5,7 - bst r23,5 - bld r9,7 - bst r23,6 - bld r13,7 - bst r23,7 - bld r25,7 - ld r26,Z - ldd r27,Z+1 - ldd r16,Z+2 - ldd r17,Z+3 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - or r17,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r16 - std Y+4,r17 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r16,Z+6 - ldd r17,Z+7 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - or r17,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r16 - std Y+8,r17 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r16,Z+10 - ldd r17,Z+11 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - or r17,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r16 - std Y+12,r17 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r16,Z+14 - ldd r17,Z+15 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - lsr r17 - ror r16 - ror r0 - or r17,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r16 - std Y+16,r17 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r26,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r19,40 - mov r26,r1 -375: - ldd r0,Y+13 - ldd r20,Y+9 - std Y+9,r0 - ldd r0,Y+5 - std Y+5,r20 - ldd r20,Y+1 - std Y+1,r0 - ldd r0,Y+14 - ldd r21,Y+10 - std Y+10,r0 - ldd r0,Y+6 - std Y+6,r21 - ldd r21,Y+2 - std Y+2,r0 - ldd r0,Y+15 - ldd r22,Y+11 - std 
Y+11,r0 - ldd r0,Y+7 - std Y+7,r22 - ldd r22,Y+3 - std Y+3,r0 - ldd r0,Y+16 - ldd r23,Y+12 - std Y+12,r0 - ldd r0,Y+8 - std Y+8,r23 - ldd r23,Y+4 - std Y+4,r0 - mov r0,r1 - lsr r21 - ror r20 - ror r0 - lsr r21 - ror r20 - ror r0 - lsr r21 - ror r20 - ror r0 - lsr r21 - ror r20 - ror r0 - or r21,r0 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - std Y+13,r20 - std Y+14,r21 - std Y+15,r22 - std Y+16,r23 - eor r6,r20 - eor r7,r21 - eor r8,r22 - eor r9,r23 - ldd r0,Y+5 - eor r10,r0 - ldd r0,Y+6 - eor r11,r0 - ldd r0,Y+7 - eor r12,r0 - ldd r0,Y+8 - eor r13,r0 - ldi r20,128 - eor r25,r20 - dec r19 - mov r30,r19 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - eor r14,r20 - bst r2,1 - bld r0,0 - bst r5,0 - bld r2,1 - bst r2,6 - bld r5,0 - bst r4,1 - bld r2,6 - bst r5,4 - bld r4,1 - bst r2,7 - bld r5,4 - bst r3,1 - bld r2,7 - bst r5,2 - bld r3,1 - bst r4,6 - bld r5,2 - bst r4,5 - bld r4,6 - bst r5,5 - bld r4,5 - bst r5,7 - bld r5,5 - bst r3,7 - bld r5,7 - bst r3,3 - bld r3,7 - bst r3,2 - bld r3,3 - bst r4,2 - bld r3,2 - bst r4,4 - bld r4,2 - bst r2,5 - bld r4,4 - bst r5,1 - bld r2,5 - bst r5,6 - bld r5,1 - bst r4,7 - bld r5,6 - bst r3,5 - bld r4,7 - bst r5,3 - bld r3,5 - bst r3,6 - bld r5,3 - bst r4,3 - bld r3,6 - bst r3,4 - bld r4,3 - bst r2,3 - bld r3,4 - bst r3,0 - bld r2,3 - bst r2,2 - bld r3,0 - bst r4,0 - bld r2,2 - bst r2,4 - bld r4,0 - bst r0,0 - bld r2,4 - bst r6,0 - bld r0,0 - bst r7,0 - bld r6,0 - bst r7,2 - bld r7,0 - bst r9,2 - bld r7,2 - bst r9,6 - bld r9,2 - bst r9,7 - bld r9,6 - bst r8,7 - bld r9,7 - bst r8,5 - bld r8,7 - bst r6,5 - bld r8,5 - bst r6,1 - bld r6,5 - bst r0,0 - bld r6,1 - bst r6,2 - bld r0,0 - bst r9,0 - bld r6,2 - bst r7,6 - bld r9,0 - bst r9,3 - bld r7,6 - bst r8,6 - bld r9,3 - bst r9,5 - bld r8,6 - bst r6,7 - bld r9,5 - bst r8,1 - bld r6,7 - bst r6,4 - bld r8,1 - bst r7,1 - bld r6,4 - bst r0,0 - bld r7,1 - bst r6,3 
- bld r0,0 - bst r8,0 - bld r6,3 - bst r7,4 - bld r8,0 - bst r7,3 - bld r7,4 - bst r8,2 - bld r7,3 - bst r9,4 - bld r8,2 - bst r7,7 - bld r9,4 - bst r8,3 - bld r7,7 - bst r8,4 - bld r8,3 - bst r7,5 - bld r8,4 - bst r0,0 - bld r7,5 - bst r6,6 - bld r0,0 - bst r9,1 - bld r6,6 - bst r0,0 - bld r9,1 - bst r10,0 - bld r0,0 - bst r12,0 - bld r10,0 - bst r12,4 - bld r12,0 - bst r12,5 - bld r12,4 - bst r11,5 - bld r12,5 - bst r11,3 - bld r11,5 - bst r13,2 - bld r11,3 - bst r10,6 - bld r13,2 - bst r10,1 - bld r10,6 - bst r11,0 - bld r10,1 - bst r12,2 - bld r11,0 - bst r10,4 - bld r12,2 - bst r12,1 - bld r10,4 - bst r11,4 - bld r12,1 - bst r12,3 - bld r11,4 - bst r13,4 - bld r12,3 - bst r12,7 - bld r13,4 - bst r13,5 - bld r12,7 - bst r11,7 - bld r13,5 - bst r13,3 - bld r11,7 - bst r13,6 - bld r13,3 - bst r10,7 - bld r13,6 - bst r13,1 - bld r10,7 - bst r11,6 - bld r13,1 - bst r10,3 - bld r11,6 - bst r13,0 - bld r10,3 - bst r12,6 - bld r13,0 - bst r10,5 - bld r12,6 - bst r11,1 - bld r10,5 - bst r11,2 - bld r11,1 - bst r10,2 - bld r11,2 - bst r0,0 - bld r10,2 - bst r14,0 - bld r0,0 - bst r25,0 - bld r14,0 - bst r25,6 - bld r25,0 - bst r15,7 - bld r25,6 - bst r14,3 - bld r15,7 - bst r0,0 - bld r14,3 - bst r14,1 - bld r0,0 - bst r24,0 - bld r14,1 - bst r25,4 - bld r24,0 - bst r25,7 - bld r25,4 - bst r14,7 - bld r25,7 - bst r0,0 - bld r14,7 - bst r14,2 - bld r0,0 - bst r15,0 - bld r14,2 - bst r25,2 - bld r15,0 - bst r15,6 - bld r25,2 - bst r15,3 - bld r15,6 - bst r0,0 - bld r15,3 - bst r14,4 - bld r0,0 - bst r25,1 - bld r14,4 - bst r24,6 - bld r25,1 - bst r15,5 - bld r24,6 - bst r24,3 - bld r15,5 - bst r0,0 - bld r24,3 - bst r14,5 - bld r0,0 - bst r24,1 - bld r14,5 - bst r24,4 - bld r24,1 - bst r25,5 - bld r24,4 - bst r24,7 - bld r25,5 - bst r0,0 - bld r24,7 - bst r14,6 - bld r0,0 - bst r15,1 - bld r14,6 - bst r24,2 - bld r15,1 - bst r15,4 - bld r24,2 - bst r25,3 - bld r15,4 - bst r0,0 - bld r25,3 - movw r20,r14 - movw r22,r24 - movw r14,r2 - movw r24,r4 - movw r2,r20 - movw 
r4,r22 - and r20,r6 - and r21,r7 - and r22,r8 - and r23,r9 - eor r10,r20 - eor r11,r21 - eor r12,r22 - eor r13,r23 - com r14 - com r15 - com r24 - com r25 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r14,r10 - eor r15,r11 - eor r24,r12 - eor r25,r13 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - or r0,r8 - eor r12,r0 - mov r0,r5 - or r0,r9 - eor r13,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r8 - and r0,r24 - eor r4,r0 - mov r0,r9 - and r0,r25 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r8,r0 - mov r0,r5 - and r0,r13 - eor r9,r0 - cp r19,r1 - breq 791f - inc r26 - ldi r27,5 - cpse r26,r27 - rjmp 375b - mov r26,r1 - eor r2,r18 - eor r3,r18 - eor r4,r18 - eor r5,r18 - rjmp 375b -791: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - bst r2,0 - bld r20,0 - bst r6,0 - bld r20,1 - bst r10,0 - bld r20,2 - bst r14,0 - bld r20,3 - bst r2,1 - bld r20,4 - bst r6,1 - bld r20,5 - bst r10,1 - bld r20,6 - bst r14,1 - bld r20,7 - bst r2,2 - bld r21,0 - bst r6,2 - bld r21,1 - bst r10,2 - bld r21,2 - bst r14,2 - bld r21,3 - bst r2,3 - bld r21,4 - bst r6,3 - bld r21,5 - bst r10,3 - bld r21,6 - bst r14,3 - bld r21,7 - bst r2,4 - bld r22,0 - bst r6,4 - bld r22,1 - bst r10,4 - bld r22,2 - bst r14,4 - bld r22,3 - bst r2,5 - bld r22,4 - bst r6,5 - bld r22,5 - bst r10,5 - bld r22,6 - bst r14,5 - bld r22,7 - bst r2,6 - bld r23,0 - bst r6,6 - bld r23,1 - bst r10,6 - bld r23,2 - bst r14,6 - bld r23,3 - bst r2,7 - bld r23,4 - bst r6,7 - bld r23,5 - bst r10,7 - bld r23,6 - bst r14,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - bst r3,0 - bld r20,0 - bst r7,0 - bld r20,1 - bst r11,0 - bld r20,2 - bst r15,0 - bld r20,3 - bst r3,1 - bld r20,4 - bst r7,1 - bld r20,5 - bst r11,1 - bld r20,6 - bst r15,1 - bld r20,7 - bst r3,2 - bld r21,0 - bst r7,2 - bld r21,1 - bst 
r11,2 - bld r21,2 - bst r15,2 - bld r21,3 - bst r3,3 - bld r21,4 - bst r7,3 - bld r21,5 - bst r11,3 - bld r21,6 - bst r15,3 - bld r21,7 - bst r3,4 - bld r22,0 - bst r7,4 - bld r22,1 - bst r11,4 - bld r22,2 - bst r15,4 - bld r22,3 - bst r3,5 - bld r22,4 - bst r7,5 - bld r22,5 - bst r11,5 - bld r22,6 - bst r15,5 - bld r22,7 - bst r3,6 - bld r23,0 - bst r7,6 - bld r23,1 - bst r11,6 - bld r23,2 - bst r15,6 - bld r23,3 - bst r3,7 - bld r23,4 - bst r7,7 - bld r23,5 - bst r11,7 - bld r23,6 - bst r15,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - bst r4,0 - bld r20,0 - bst r8,0 - bld r20,1 - bst r12,0 - bld r20,2 - bst r24,0 - bld r20,3 - bst r4,1 - bld r20,4 - bst r8,1 - bld r20,5 - bst r12,1 - bld r20,6 - bst r24,1 - bld r20,7 - bst r4,2 - bld r21,0 - bst r8,2 - bld r21,1 - bst r12,2 - bld r21,2 - bst r24,2 - bld r21,3 - bst r4,3 - bld r21,4 - bst r8,3 - bld r21,5 - bst r12,3 - bld r21,6 - bst r24,3 - bld r21,7 - bst r4,4 - bld r22,0 - bst r8,4 - bld r22,1 - bst r12,4 - bld r22,2 - bst r24,4 - bld r22,3 - bst r4,5 - bld r22,4 - bst r8,5 - bld r22,5 - bst r12,5 - bld r22,6 - bst r24,5 - bld r22,7 - bst r4,6 - bld r23,0 - bst r8,6 - bld r23,1 - bst r12,6 - bld r23,2 - bst r24,6 - bld r23,3 - bst r4,7 - bld r23,4 - bst r8,7 - bld r23,5 - bst r12,7 - bld r23,6 - bst r24,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - bst r5,0 - bld r20,0 - bst r9,0 - bld r20,1 - bst r13,0 - bld r20,2 - bst r25,0 - bld r20,3 - bst r5,1 - bld r20,4 - bst r9,1 - bld r20,5 - bst r13,1 - bld r20,6 - bst r25,1 - bld r20,7 - bst r5,2 - bld r21,0 - bst r9,2 - bld r21,1 - bst r13,2 - bld r21,2 - bst r25,2 - bld r21,3 - bst r5,3 - bld r21,4 - bst r9,3 - bld r21,5 - bst r13,3 - bld r21,6 - bst r25,3 - bld r21,7 - bst r5,4 - bld r22,0 - bst r9,4 - bld r22,1 - bst r13,4 - bld r22,2 - bst r25,4 - bld r22,3 - bst r5,5 - bld r22,4 - bst r9,5 - bld r22,5 - bst r13,5 - bld r22,6 - bst r25,5 - bld r22,7 - bst r5,6 - bld r23,0 - bst r9,6 - bld r23,1 - bst r13,6 - bld r23,2 - bst 
r25,6 - bld r23,3 - bst r5,7 - bld r23,4 - bst r9,7 - bld r23,5 - bst r13,7 - bld r23,6 - bst r25,7 - bld r23,7 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128t_decrypt, .-gift128t_decrypt - -#endif diff --git a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-util.h b/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/hyena/Implementations/crypto_aead/hyenav2/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/aead-common.c b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/aead-common.h b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/api.h b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/api.h
deleted file mode 100644
index b2f8a36..0000000
--- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/encrypt.c b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/encrypt.c
deleted file mode 100644
index 18697ad..0000000
--- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "isap.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return isap_ascon_128a_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return isap_ascon_128a_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-ascon-avr.S b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-ascon-avr.S
deleted file mode 100644
index e8a4fb4..0000000
--- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-ascon-avr.S
+++ /dev/null
@@ -1,778 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global ascon_permute - .type ascon_permute, @function -ascon_permute: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ldi r18,15 - sub r18,r22 - swap r18 - or r22,r18 - ldd r3,Z+16 - ldd r2,Z+17 - ldd r27,Z+18 - ldd r26,Z+19 - ldd r21,Z+20 - ldd r20,Z+21 - ldd r19,Z+22 - ldd r18,Z+23 - ldd r11,Z+32 - ldd r10,Z+33 - ldd r9,Z+34 - ldd r8,Z+35 - ldd r7,Z+36 - ldd r6,Z+37 - ldd r5,Z+38 - ldd r4,Z+39 -20: - eor r18,r22 - ldd r23,Z+7 - ldd r12,Z+15 - ldd r13,Z+31 - eor r23,r4 - eor r4,r13 - eor r18,r12 - mov r14,r23 - mov r15,r12 - mov r24,r18 - mov r25,r13 - mov r16,r4 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r18 - and r24,r13 - and r25,r4 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r18,r25 - eor r13,r16 - eor r4,r14 - eor r12,r23 - eor r23,r4 - eor r13,r18 - com r18 - std Z+7,r23 - std Z+15,r12 - std Z+31,r13 - std Z+39,r4 - ldd r23,Z+6 - ldd r12,Z+14 - ldd r13,Z+30 - eor r23,r5 - eor r5,r13 - eor r19,r12 - mov r14,r23 - mov r15,r12 - mov r24,r19 - mov r25,r13 - mov r16,r5 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r19 - and r24,r13 - and r25,r5 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r19,r25 - eor r13,r16 - eor r5,r14 - eor r12,r23 - eor r23,r5 - eor r13,r19 - com r19 - std Z+6,r23 - std Z+14,r12 - std Z+30,r13 - std Z+38,r5 - ldd r23,Z+5 - ldd r12,Z+13 - ldd r13,Z+29 - eor r23,r6 - eor r6,r13 - eor r20,r12 - mov r14,r23 - mov r15,r12 - mov r24,r20 - mov r25,r13 - mov r16,r6 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r20 - and r24,r13 - and r25,r6 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r20,r25 - eor r13,r16 - eor r6,r14 - eor r12,r23 - eor r23,r6 - eor r13,r20 - com r20 - std Z+5,r23 - std 
Z+13,r12 - std Z+29,r13 - std Z+37,r6 - ldd r23,Z+4 - ldd r12,Z+12 - ldd r13,Z+28 - eor r23,r7 - eor r7,r13 - eor r21,r12 - mov r14,r23 - mov r15,r12 - mov r24,r21 - mov r25,r13 - mov r16,r7 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r21 - and r24,r13 - and r25,r7 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r21,r25 - eor r13,r16 - eor r7,r14 - eor r12,r23 - eor r23,r7 - eor r13,r21 - com r21 - std Z+4,r23 - std Z+12,r12 - std Z+28,r13 - std Z+36,r7 - ldd r23,Z+3 - ldd r12,Z+11 - ldd r13,Z+27 - eor r23,r8 - eor r8,r13 - eor r26,r12 - mov r14,r23 - mov r15,r12 - mov r24,r26 - mov r25,r13 - mov r16,r8 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r26 - and r24,r13 - and r25,r8 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r26,r25 - eor r13,r16 - eor r8,r14 - eor r12,r23 - eor r23,r8 - eor r13,r26 - com r26 - std Z+3,r23 - std Z+11,r12 - std Z+27,r13 - std Z+35,r8 - ldd r23,Z+2 - ldd r12,Z+10 - ldd r13,Z+26 - eor r23,r9 - eor r9,r13 - eor r27,r12 - mov r14,r23 - mov r15,r12 - mov r24,r27 - mov r25,r13 - mov r16,r9 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r27 - and r24,r13 - and r25,r9 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r27,r25 - eor r13,r16 - eor r9,r14 - eor r12,r23 - eor r23,r9 - eor r13,r27 - com r27 - std Z+2,r23 - std Z+10,r12 - std Z+26,r13 - std Z+34,r9 - ldd r23,Z+1 - ldd r12,Z+9 - ldd r13,Z+25 - eor r23,r10 - eor r10,r13 - eor r2,r12 - mov r14,r23 - mov r15,r12 - mov r24,r2 - mov r25,r13 - mov r16,r10 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r2 - and r24,r13 - and r25,r10 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r2,r25 - eor r13,r16 - eor r10,r14 - eor r12,r23 - eor r23,r10 - eor r13,r2 - com r2 - std Z+1,r23 - std Z+9,r12 - std Z+25,r13 - std Z+33,r10 - ld r23,Z - ldd r12,Z+8 - ldd r13,Z+24 - eor r23,r11 - eor r11,r13 - eor r3,r12 - mov r14,r23 - mov r15,r12 - mov r24,r3 - mov r25,r13 - mov r16,r11 - com r14 - 
com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r3 - and r24,r13 - and r25,r11 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r3,r25 - eor r13,r16 - eor r11,r14 - eor r12,r23 - eor r23,r11 - eor r13,r3 - com r3 - st Z,r23 - std Z+8,r12 - std Z+24,r13 - std Z+32,r11 - ld r11,Z - ldd r10,Z+1 - ldd r9,Z+2 - ldd r8,Z+3 - ldd r7,Z+4 - ldd r6,Z+5 - ldd r5,Z+6 - ldd r4,Z+7 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - mov r0,r12 - mov r12,r14 - mov r14,r24 - mov r24,r16 - mov r16,r0 - mov r0,r13 - mov r13,r15 - mov r15,r25 - mov r25,r17 - mov r17,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - or r17,r0 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r23,r4 - mov r0,r5 - push r6 - mov r4,r7 - mov r5,r8 - mov r6,r9 - mov r7,r10 - mov r8,r11 - pop r11 - mov r10,r0 - mov r9,r23 - mov r0,r1 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - or r11,r0 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - st Z,r11 - std Z+1,r10 - std Z+2,r9 - std Z+3,r8 - std Z+4,r7 - std Z+5,r6 - std Z+6,r5 - std Z+7,r4 - ldd r11,Z+8 - ldd r10,Z+9 - ldd r9,Z+10 - ldd r8,Z+11 - ldd r7,Z+12 - ldd r6,Z+13 - ldd r5,Z+14 - ldd r4,Z+15 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol r16 - rol r17 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol 
r16 - rol r17 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol r16 - rol r17 - adc r12,r1 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r23,r9 - mov r0,r10 - push r11 - mov r11,r8 - mov r10,r7 - mov r9,r6 - mov r8,r5 - mov r7,r4 - pop r6 - mov r5,r0 - mov r4,r23 - lsl r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - adc r4,r1 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - std Z+8,r11 - std Z+9,r10 - std Z+10,r9 - std Z+11,r8 - std Z+12,r7 - std Z+13,r6 - std Z+14,r5 - std Z+15,r4 - movw r12,r18 - movw r14,r20 - movw r24,r26 - movw r16,r2 - bst r12,0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - bld r17,7 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - eor r24,r26 - eor r25,r27 - eor r16,r2 - eor r17,r3 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r26 - mov r26,r27 - mov r27,r2 - mov r2,r3 - mov r3,r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - rol r2 - rol r3 - adc r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - rol r2 - rol r3 - adc r18,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - eor r26,r24 - eor r27,r25 - eor r2,r16 - eor r3,r17 - ldd r11,Z+24 - ldd r10,Z+25 - ldd r9,Z+26 - ldd r8,Z+27 - ldd r7,Z+28 - ldd r6,Z+29 - ldd r5,Z+30 - ldd r4,Z+31 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - mov r0,r12 - mov r12,r13 - mov r13,r14 - mov r14,r15 - mov r15,r24 - mov r24,r25 - mov r25,r16 - mov r16,r17 - mov r17,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - or r17,r0 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r0,r4 - mov r4,r6 - mov r6,r8 - mov r8,r10 
- mov r10,r0 - mov r0,r5 - mov r5,r7 - mov r7,r9 - mov r9,r11 - mov r11,r0 - mov r0,r1 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - or r11,r0 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - std Z+24,r11 - std Z+25,r10 - std Z+26,r9 - std Z+27,r8 - std Z+28,r7 - std Z+29,r6 - std Z+30,r5 - std Z+31,r4 - ldd r11,Z+32 - ldd r10,Z+33 - ldd r9,Z+34 - ldd r8,Z+35 - ldd r7,Z+36 - ldd r6,Z+37 - ldd r5,Z+38 - ldd r4,Z+39 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - mov r0,r12 - mov r12,r13 - mov r13,r14 - mov r14,r15 - mov r15,r24 - mov r24,r25 - mov r25,r16 - mov r16,r17 - mov r17,r0 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol r16 - rol r17 - adc r12,r1 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r23,r9 - mov r0,r10 - push r11 - mov r11,r8 - mov r10,r7 - mov r9,r6 - mov r8,r5 - mov r7,r4 - pop r6 - mov r5,r0 - mov r4,r23 - mov r0,r1 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - or r11,r0 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - subi r22,15 - ldi r25,60 - cpse r22,r25 - rjmp 20b - std Z+16,r3 - std Z+17,r2 - std Z+18,r27 - std Z+19,r26 - std Z+20,r21 - std Z+21,r20 - std Z+22,r19 - std Z+23,r18 - std Z+32,r11 - std Z+33,r10 - std Z+34,r9 - std Z+35,r8 - std Z+36,r7 - std Z+37,r6 - std Z+38,r5 - std Z+39,r4 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size ascon_permute, .-ascon_permute - -#endif diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-ascon.c b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-ascon.c deleted file mode 100644 index 657aabe..0000000 
--- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-ascon.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-ascon.h"
-
-#if !defined(__AVR__)
-
-void ascon_permute(ascon_state_t *state, uint8_t first_round)
-{
- uint64_t t0, t1, t2, t3, t4;
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- uint64_t x0 = be_load_word64(state->B);
- uint64_t x1 = be_load_word64(state->B + 8);
- uint64_t x2 = be_load_word64(state->B + 16);
- uint64_t x3 = be_load_word64(state->B + 24);
- uint64_t x4 = be_load_word64(state->B + 32);
-#else
- uint64_t x0 = state->S[0];
- uint64_t x1 = state->S[1];
- uint64_t x2 = state->S[2];
- uint64_t x3 = state->S[3];
- uint64_t x4 = state->S[4];
-#endif
- while (first_round < 12) {
- /* Add the round constant to the state */
- x2 ^= ((0x0F - first_round) << 4) | first_round;
-
- /* Substitution layer - apply the s-box using bit-slicing
- * according to the algorithm recommended in the specification */
- x0 ^= x4; x4 ^= x3; x2 ^= x1;
- t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4;
- t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0;
- x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0;
- x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2;
-
- /* Linear diffusion layer */
- x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0);
- x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1);
- x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2);
- x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3);
- x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4);
-
- /* Move onto the next round */
- ++first_round;
- }
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- be_store_word64(state->B, x0);
- be_store_word64(state->B + 8, x1);
- be_store_word64(state->B + 16, x2);
- be_store_word64(state->B + 24, x3);
- be_store_word64(state->B + 32, x4);
-#else
- state->S[0] = x0;
- state->S[1] = x1;
- state->S[2] = x2;
- state->S[3] = x3;
- state->S[4] = x4;
-#endif
-}
-
-#endif /* !__AVR__ */
diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-ascon.h b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-ascon.h
deleted file mode 100644
index d3fa3ca..0000000
--- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-ascon.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_ASCON_H
-#define LW_INTERNAL_ASCON_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-ascon.h
- * \brief Internal implementation of the ASCON permutation.
- *
- * References: http://competitions.cr.yp.to/round3/asconv12.pdf,
- * http://ascon.iaik.tugraz.at/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Structure of the internal state of the ASCON permutation.
- */
-typedef union
-{
- uint64_t S[5]; /**< Words of the state */
- uint8_t B[40]; /**< Bytes of the state */
-
-} ascon_state_t;
-
-/**
- * \brief Permutes the ASCON state.
- *
- * \param state The ASCON state to be permuted.
- * \param first_round The first round (of 12) to be performed; 0, 4, or 6.
- *
- * The input and output \a state will be in big-endian byte order.
- */
-void ascon_permute(ascon_state_t *state, uint8_t first_round);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-isap.h b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-isap.h
deleted file mode 100644
index ba99f2a..0000000
--- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-isap.h
+++ /dev/null
@@ -1,249 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-/* We expect a number of macros to be defined before this file
- * is included to configure the underlying ISAP variant.
- *
- * ISAP_ALG_NAME Name of the ISAP algorithm; e.g. isap_keccak_128
- * ISAP_RATE Number of bytes in the rate for hashing and encryption.
- * ISAP_sH Number of rounds for hashing.
- * ISAP_sE Number of rounds for encryption.
- * ISAP_sB Number of rounds for key bit absorption.
- * ISAP_sK Number of rounds for keying.
- * ISAP_STATE Type for the permuation state; e.g. ascon_state_t
- * ISAP_PERMUTE(s,r) Permutes the state "s" with number of rounds "r".
- */
-#if defined(ISAP_ALG_NAME)
-
-#define ISAP_CONCAT_INNER(name,suffix) name##suffix
-#define ISAP_CONCAT(name,suffix) ISAP_CONCAT_INNER(name,suffix)
-
-/* IV string for initialising the associated data */
-static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_A)
- [sizeof(ISAP_STATE) - ISAP_NONCE_SIZE] = {
- 0x01, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1,
- ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK
-};
-
-/* IV string for authenticating associated data */
-static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA)
- [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = {
- 0x02, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1,
- ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK
-};
-
-/* IV string for encrypting payload data */
-static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE)
- [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = {
- 0x03, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1,
- ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK
-};
-
-/**
- * \brief Re-keys the ISAP permutation state.
- *
- * \param state The permutation state to be re-keyed.
- * \param k Points to the 128-bit key for the ISAP cipher.
- * \param iv Points to the initialization vector for this re-keying operation.
- * \param data Points to the data to be absorbed to perform the re-keying.
- * \param data_len Length of the data to be absorbed.
- *
- * The output key will be left in the leading bytes of \a state.
- */
-static void ISAP_CONCAT(ISAP_ALG_NAME,_rekey)
- (ISAP_STATE *state, const unsigned char *k, const unsigned char *iv,
- const unsigned char *data, unsigned data_len)
-{
- unsigned bit, num_bits;
-
- /* Initialize the state with the key and IV */
- memcpy(state->B, k, ISAP_KEY_SIZE);
- memcpy(state->B + ISAP_KEY_SIZE, iv, sizeof(state->B) - ISAP_KEY_SIZE);
- ISAP_PERMUTE(state, ISAP_sK);
-
- /* Absorb all of the bits of the data buffer one by one */
- num_bits = data_len * 8 - 1;
- for (bit = 0; bit < num_bits; ++bit) {
- state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80;
- ISAP_PERMUTE(state, ISAP_sB);
- }
- state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80;
- ISAP_PERMUTE(state, ISAP_sK);
-}
-
-/**
- * \brief Encrypts (or decrypts) a message payload with ISAP.
- *
- * \param state ISAP permutation state.
- * \param k Points to the 128-bit key for the ISAP cipher.
- * \param npub Points to the 128-bit nonce for the ISAP cipher.
- * \param c Buffer to receive the output ciphertext.
- * \param m Buffer to receive the input plaintext.
- * \param mlen Length of the input plaintext.
- */
-static void ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)
- (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub,
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Set up the re-keyed encryption key and nonce in the state */
- ISAP_CONCAT(ISAP_ALG_NAME,_rekey)
- (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE), npub, ISAP_NONCE_SIZE);
- memcpy(state->B + sizeof(ISAP_STATE) - ISAP_NONCE_SIZE,
- npub, ISAP_NONCE_SIZE);
-
- /* Encrypt the plaintext to produce the ciphertext */
- while (mlen >= ISAP_RATE) {
- ISAP_PERMUTE(state, ISAP_sE);
- lw_xor_block_2_src(c, state->B, m, ISAP_RATE);
- c += ISAP_RATE;
- m += ISAP_RATE;
- mlen -= ISAP_RATE;
- }
- if (mlen > 0) {
- ISAP_PERMUTE(state, ISAP_sE);
- lw_xor_block_2_src(c, state->B, m, (unsigned)mlen);
- }
-}
-
-/**
- * \brief Authenticates the associated data and ciphertext using ISAP.
- *
- * \param state ISAP permutation state.
- * \param k Points to the 128-bit key for the ISAP cipher.
- * \param npub Points to the 128-bit nonce for the ISAP cipher.
- * \param ad Buffer containing the associated data.
- * \param adlen Length of the associated data.
- * \param c Buffer containing the ciphertext.
- * \param clen Length of the ciphertext.
- */
-static void ISAP_CONCAT(ISAP_ALG_NAME,_mac)
- (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *c, unsigned long long clen,
- unsigned char *tag)
-{
- unsigned char preserve[sizeof(ISAP_STATE) - ISAP_TAG_SIZE];
- unsigned temp;
-
- /* Absorb the associated data */
- memcpy(state->B, npub, ISAP_NONCE_SIZE);
- memcpy(state->B + ISAP_NONCE_SIZE, ISAP_CONCAT(ISAP_ALG_NAME,_IV_A),
- sizeof(state->B) - ISAP_NONCE_SIZE);
- ISAP_PERMUTE(state, ISAP_sH);
- while (adlen >= ISAP_RATE) {
- lw_xor_block(state->B, ad, ISAP_RATE);
- ISAP_PERMUTE(state, ISAP_sH);
- ad += ISAP_RATE;
- adlen -= ISAP_RATE;
- }
- temp = (unsigned)adlen;
- lw_xor_block(state->B, ad, temp);
- state->B[temp] ^= 0x80; /* padding */
- ISAP_PERMUTE(state, ISAP_sH);
- state->B[sizeof(state->B) - 1] ^= 0x01; /* domain separation */
-
- /* Absorb the ciphertext */
- while (clen >= ISAP_RATE) {
- lw_xor_block(state->B, c, ISAP_RATE);
- ISAP_PERMUTE(state, ISAP_sH);
- c += ISAP_RATE;
- clen -= ISAP_RATE;
- }
- temp = (unsigned)clen;
- lw_xor_block(state->B, c, temp);
- state->B[temp] ^= 0x80; /* padding */
- ISAP_PERMUTE(state, ISAP_sH);
-
- /* Re-key the state and generate the authentication tag */
- memcpy(tag, state->B, ISAP_TAG_SIZE);
- memcpy(preserve, state->B + ISAP_TAG_SIZE, sizeof(preserve));
- ISAP_CONCAT(ISAP_ALG_NAME,_rekey)
- (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA), tag, ISAP_TAG_SIZE);
- memcpy(state->B + ISAP_TAG_SIZE, preserve, sizeof(preserve));
- ISAP_PERMUTE(state, ISAP_sH);
- memcpy(tag, state->B, ISAP_TAG_SIZE);
-}
-
-int ISAP_CONCAT(ISAP_ALG_NAME,_aead_encrypt)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- ISAP_STATE state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ISAP_TAG_SIZE;
-
- /* Encrypt the plaintext to produce the ciphertext */
- ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, c, m, mlen);
-
- /* Authenticate the associated data and ciphertext to generate the tag */
- ISAP_CONCAT(ISAP_ALG_NAME,_mac)
- (&state, k, npub, ad, adlen, c, mlen, c + mlen);
- return 0;
-}
-
-int ISAP_CONCAT(ISAP_ALG_NAME,_aead_decrypt)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- ISAP_STATE state;
- unsigned char tag[ISAP_TAG_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ISAP_TAG_SIZE)
- return -1;
- *mlen = clen - ISAP_TAG_SIZE;
-
- /* Authenticate the associated data and ciphertext to generate the tag */
- ISAP_CONCAT(ISAP_ALG_NAME,_mac)(&state, k, npub, ad, adlen, c, *mlen, tag);
-
- /* Decrypt the ciphertext to produce the plaintext */
- ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, m, c, *mlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, tag, c + *mlen, ISAP_TAG_SIZE);
-}
-
-#endif /* ISAP_ALG_NAME */
-
-/* Now undefine everything so that we can include this file again for
- * another variant on the ISAP algorithm */
-#undef ISAP_ALG_NAME
-#undef ISAP_RATE
-#undef ISAP_sH
-#undef ISAP_sE
-#undef ISAP_sB
-#undef ISAP_sK
-#undef ISAP_STATE
-#undef ISAP_PERMUTE
-#undef ISAP_CONCAT_INNER
-#undef ISAP_CONCAT
diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-keccak-avr.S b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-keccak-avr.S
deleted file mode 100644
index e50ccaf..0000000
--- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-keccak-avr.S
+++ /dev/null
@@ -1,1552 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global keccakp_200_permute - .type keccakp_200_permute, @function -keccakp_200_permute: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r26,Z+6 - ldd r27,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r4,Z+12 - ldd r5,Z+13 - ldd r6,Z+14 - ldd r7,Z+15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - ldd r24,Z+24 - push r31 - push r30 - rcall 82f - ldi r30,1 - eor r18,r30 - rcall 82f - ldi r30,130 - eor r18,r30 - rcall 82f - ldi r30,138 - eor r18,r30 - rcall 82f - mov r30,r1 - eor r18,r30 - rcall 82f - ldi r30,139 - eor r18,r30 - rcall 82f - ldi r30,1 - eor r18,r30 - rcall 82f - ldi r30,129 - eor r18,r30 - rcall 82f - ldi r30,9 - eor r18,r30 - rcall 82f - ldi r30,138 - eor r18,r30 - rcall 82f - ldi r30,136 - eor r18,r30 - rcall 82f - ldi r30,9 - eor r18,r30 - rcall 82f - ldi r30,10 - eor r18,r30 - rcall 82f - ldi r30,139 - eor r18,r30 - rcall 82f - ldi r30,139 - eor r18,r30 - rcall 82f - ldi r30,137 - eor r18,r30 - rcall 82f - ldi r30,3 - eor r18,r30 - rcall 82f - ldi r30,2 - eor r18,r30 - rcall 82f - ldi r30,128 - eor r18,r30 - rjmp 420f -82: - mov r30,r18 - eor r30,r23 - eor r30,r2 - eor r30,r7 - eor r30,r12 - mov r31,r19 - eor r31,r26 - eor r31,r3 - eor r31,r8 - eor r31,r13 - mov r25,r20 - eor r25,r27 - eor r25,r4 - eor r25,r9 - eor r25,r14 - mov r16,r21 - eor r16,r28 - eor r16,r5 - eor r16,r10 - eor r16,r15 - mov r17,r22 - eor r17,r29 - eor r17,r6 - eor r17,r11 - eor r17,r24 - mov r0,r31 - lsl r0 - adc r0,r1 - eor r0,r17 - eor r18,r0 - eor r23,r0 - eor r2,r0 - eor r7,r0 - eor r12,r0 - mov r0,r25 - lsl r0 - 
adc r0,r1 - eor r0,r30 - eor r19,r0 - eor r26,r0 - eor r3,r0 - eor r8,r0 - eor r13,r0 - mov r0,r16 - lsl r0 - adc r0,r1 - eor r0,r31 - eor r20,r0 - eor r27,r0 - eor r4,r0 - eor r9,r0 - eor r14,r0 - mov r0,r17 - lsl r0 - adc r0,r1 - eor r0,r25 - eor r21,r0 - eor r28,r0 - eor r5,r0 - eor r10,r0 - eor r15,r0 - mov r0,r30 - lsl r0 - adc r0,r1 - eor r0,r16 - eor r22,r0 - eor r29,r0 - eor r6,r0 - eor r11,r0 - eor r24,r0 - mov r30,r19 - swap r26 - mov r19,r26 - swap r29 - mov r26,r29 - mov r0,r1 - lsr r14 - ror r0 - lsr r14 - ror r0 - lsr r14 - ror r0 - or r14,r0 - mov r29,r14 - bst r6,0 - lsr r6 - bld r6,7 - mov r14,r6 - lsl r12 - adc r12,r1 - lsl r12 - adc r12,r1 - mov r6,r12 - mov r0,r1 - lsr r20 - ror r0 - lsr r20 - ror r0 - or r20,r0 - mov r12,r20 - lsl r4 - adc r4,r1 - lsl r4 - adc r4,r1 - lsl r4 - adc r4,r1 - mov r20,r4 - lsl r5 - adc r5,r1 - mov r4,r5 - mov r5,r11 - mov r11,r15 - lsl r7 - adc r7,r1 - mov r15,r7 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - mov r7,r22 - mov r0,r1 - lsr r24 - ror r0 - lsr r24 - ror r0 - or r24,r0 - mov r22,r24 - lsl r13 - adc r13,r1 - lsl r13 - adc r13,r1 - mov r24,r13 - bst r28,0 - lsr r28 - bld r28,7 - mov r13,r28 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r28,r8 - swap r23 - mov r8,r23 - swap r21 - mov r23,r21 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r21,r10 - bst r9,0 - lsr r9 - bld r9,7 - mov r10,r9 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - mov r9,r3 - mov r0,r1 - lsr r27 - ror r0 - lsr r27 - ror r0 - or r27,r0 - mov r3,r27 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - mov r27,r2 - lsl r30 - adc r30,r1 - mov r2,r30 - mov r30,r18 - mov r31,r19 - mov r25,r20 - mov r16,r21 - mov r17,r22 - mov r18,r25 - mov r0,r31 - com r0 - and r18,r0 - eor r18,r30 - mov r19,r16 - mov r0,r25 - com r0 - and r19,r0 - eor r19,r31 - mov r20,r17 - mov r0,r16 - com r0 - and r20,r0 - eor r20,r25 - mov r21,r30 - mov r0,r17 - 
com r0 - and r21,r0 - eor r21,r16 - mov r22,r31 - mov r0,r30 - com r0 - and r22,r0 - eor r22,r17 - mov r30,r23 - mov r31,r26 - mov r25,r27 - mov r16,r28 - mov r17,r29 - mov r23,r25 - mov r0,r31 - com r0 - and r23,r0 - eor r23,r30 - mov r26,r16 - mov r0,r25 - com r0 - and r26,r0 - eor r26,r31 - mov r27,r17 - mov r0,r16 - com r0 - and r27,r0 - eor r27,r25 - mov r28,r30 - mov r0,r17 - com r0 - and r28,r0 - eor r28,r16 - mov r29,r31 - mov r0,r30 - com r0 - and r29,r0 - eor r29,r17 - mov r30,r2 - mov r31,r3 - mov r25,r4 - mov r16,r5 - mov r17,r6 - mov r2,r25 - mov r0,r31 - com r0 - and r2,r0 - eor r2,r30 - mov r3,r16 - mov r0,r25 - com r0 - and r3,r0 - eor r3,r31 - mov r4,r17 - mov r0,r16 - com r0 - and r4,r0 - eor r4,r25 - mov r5,r30 - mov r0,r17 - com r0 - and r5,r0 - eor r5,r16 - mov r6,r31 - mov r0,r30 - com r0 - and r6,r0 - eor r6,r17 - mov r30,r7 - mov r31,r8 - mov r25,r9 - mov r16,r10 - mov r17,r11 - mov r7,r25 - mov r0,r31 - com r0 - and r7,r0 - eor r7,r30 - mov r8,r16 - mov r0,r25 - com r0 - and r8,r0 - eor r8,r31 - mov r9,r17 - mov r0,r16 - com r0 - and r9,r0 - eor r9,r25 - mov r10,r30 - mov r0,r17 - com r0 - and r10,r0 - eor r10,r16 - mov r11,r31 - mov r0,r30 - com r0 - and r11,r0 - eor r11,r17 - mov r30,r12 - mov r31,r13 - mov r25,r14 - mov r16,r15 - mov r17,r24 - mov r12,r25 - mov r0,r31 - com r0 - and r12,r0 - eor r12,r30 - mov r13,r16 - mov r0,r25 - com r0 - and r13,r0 - eor r13,r31 - mov r14,r17 - mov r0,r16 - com r0 - and r14,r0 - eor r14,r25 - mov r15,r30 - mov r0,r17 - com r0 - and r15,r0 - eor r15,r16 - mov r24,r31 - mov r0,r30 - com r0 - and r24,r0 - eor r24,r17 - ret -420: - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r22 - std Z+5,r23 - std Z+6,r26 - std Z+7,r27 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r4 - std Z+13,r5 - std Z+14,r6 - std Z+15,r7 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - std Z+24,r24 - pop 
r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size keccakp_200_permute, .-keccakp_200_permute - - .text -.global keccakp_400_permute - .type keccakp_400_permute, @function -keccakp_400_permute: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - movw r30,r24 -.L__stack_usage = 17 - ld r6,Z - ldd r7,Z+1 - ldd r8,Z+2 - ldd r9,Z+3 - ldd r10,Z+4 - ldd r11,Z+5 - ldd r12,Z+6 - ldd r13,Z+7 - ldd r14,Z+8 - ldd r15,Z+9 - cpi r22,20 - brcs 15f - rcall 153f - ldi r23,1 - eor r6,r23 -15: - cpi r22,19 - brcs 23f - rcall 153f - ldi r23,130 - eor r6,r23 - ldi r17,128 - eor r7,r17 -23: - cpi r22,18 - brcs 31f - rcall 153f - ldi r23,138 - eor r6,r23 - ldi r17,128 - eor r7,r17 -31: - cpi r22,17 - brcs 37f - rcall 153f - ldi r23,128 - eor r7,r23 -37: - cpi r22,16 - brcs 45f - rcall 153f - ldi r23,139 - eor r6,r23 - ldi r17,128 - eor r7,r17 -45: - cpi r22,15 - brcs 51f - rcall 153f - ldi r23,1 - eor r6,r23 -51: - cpi r22,14 - brcs 59f - rcall 153f - ldi r23,129 - eor r6,r23 - ldi r17,128 - eor r7,r17 -59: - cpi r22,13 - brcs 67f - rcall 153f - ldi r23,9 - eor r6,r23 - ldi r17,128 - eor r7,r17 -67: - cpi r22,12 - brcs 73f - rcall 153f - ldi r23,138 - eor r6,r23 -73: - cpi r22,11 - brcs 79f - rcall 153f - ldi r23,136 - eor r6,r23 -79: - cpi r22,10 - brcs 87f - rcall 153f - ldi r23,9 - eor r6,r23 - ldi r17,128 - eor r7,r17 -87: - cpi r22,9 - brcs 93f - rcall 153f - ldi r23,10 - eor r6,r23 -93: - cpi r22,8 - brcs 101f - rcall 153f - ldi r23,139 - eor r6,r23 - ldi r17,128 - eor r7,r17 -101: - cpi r22,7 - brcs 107f - rcall 153f - ldi r23,139 - eor r6,r23 -107: - cpi r22,6 - brcs 115f - rcall 153f - ldi r23,137 - eor r6,r23 - ldi r17,128 - eor r7,r17 -115: - cpi r22,5 - brcs 123f - rcall 153f - ldi r23,3 - eor r6,r23 - ldi r17,128 - eor r7,r17 -123: - cpi 
r22,4 - brcs 131f - rcall 153f - ldi r23,2 - eor r6,r23 - ldi r17,128 - eor r7,r17 -131: - cpi r22,3 - brcs 137f - rcall 153f - ldi r23,128 - eor r6,r23 -137: - cpi r22,2 - brcs 145f - rcall 153f - ldi r23,10 - eor r6,r23 - ldi r17,128 - eor r7,r17 -145: - cpi r22,1 - brcs 151f - rcall 153f - ldi r23,10 - eor r6,r23 -151: - rjmp 1004f -153: - movw r18,r6 - ldd r0,Z+10 - eor r18,r0 - ldd r0,Z+11 - eor r19,r0 - ldd r0,Z+20 - eor r18,r0 - ldd r0,Z+21 - eor r19,r0 - ldd r0,Z+30 - eor r18,r0 - ldd r0,Z+31 - eor r19,r0 - ldd r0,Z+40 - eor r18,r0 - ldd r0,Z+41 - eor r19,r0 - movw r20,r8 - ldd r0,Z+12 - eor r20,r0 - ldd r0,Z+13 - eor r21,r0 - ldd r0,Z+22 - eor r20,r0 - ldd r0,Z+23 - eor r21,r0 - ldd r0,Z+32 - eor r20,r0 - ldd r0,Z+33 - eor r21,r0 - ldd r0,Z+42 - eor r20,r0 - ldd r0,Z+43 - eor r21,r0 - movw r26,r10 - ldd r0,Z+14 - eor r26,r0 - ldd r0,Z+15 - eor r27,r0 - ldd r0,Z+24 - eor r26,r0 - ldd r0,Z+25 - eor r27,r0 - ldd r0,Z+34 - eor r26,r0 - ldd r0,Z+35 - eor r27,r0 - ldd r0,Z+44 - eor r26,r0 - ldd r0,Z+45 - eor r27,r0 - movw r2,r12 - ldd r0,Z+16 - eor r2,r0 - ldd r0,Z+17 - eor r3,r0 - ldd r0,Z+26 - eor r2,r0 - ldd r0,Z+27 - eor r3,r0 - ldd r0,Z+36 - eor r2,r0 - ldd r0,Z+37 - eor r3,r0 - ldd r0,Z+46 - eor r2,r0 - ldd r0,Z+47 - eor r3,r0 - movw r4,r14 - ldd r0,Z+18 - eor r4,r0 - ldd r0,Z+19 - eor r5,r0 - ldd r0,Z+28 - eor r4,r0 - ldd r0,Z+29 - eor r5,r0 - ldd r0,Z+38 - eor r4,r0 - ldd r0,Z+39 - eor r5,r0 - ldd r0,Z+48 - eor r4,r0 - ldd r0,Z+49 - eor r5,r0 - movw r24,r20 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r4 - eor r25,r5 - eor r6,r24 - eor r7,r25 - ldd r0,Z+10 - eor r0,r24 - std Z+10,r0 - ldd r0,Z+11 - eor r0,r25 - std Z+11,r0 - ldd r0,Z+20 - eor r0,r24 - std Z+20,r0 - ldd r0,Z+21 - eor r0,r25 - std Z+21,r0 - ldd r0,Z+30 - eor r0,r24 - std Z+30,r0 - ldd r0,Z+31 - eor r0,r25 - std Z+31,r0 - ldd r0,Z+40 - eor r0,r24 - std Z+40,r0 - ldd r0,Z+41 - eor r0,r25 - std Z+41,r0 - movw r24,r26 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r18 - eor r25,r19 - eor r8,r24 - 
eor r9,r25 - ldd r0,Z+12 - eor r0,r24 - std Z+12,r0 - ldd r0,Z+13 - eor r0,r25 - std Z+13,r0 - ldd r0,Z+22 - eor r0,r24 - std Z+22,r0 - ldd r0,Z+23 - eor r0,r25 - std Z+23,r0 - ldd r0,Z+32 - eor r0,r24 - std Z+32,r0 - ldd r0,Z+33 - eor r0,r25 - std Z+33,r0 - ldd r0,Z+42 - eor r0,r24 - std Z+42,r0 - ldd r0,Z+43 - eor r0,r25 - std Z+43,r0 - movw r24,r2 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r20 - eor r25,r21 - eor r10,r24 - eor r11,r25 - ldd r0,Z+14 - eor r0,r24 - std Z+14,r0 - ldd r0,Z+15 - eor r0,r25 - std Z+15,r0 - ldd r0,Z+24 - eor r0,r24 - std Z+24,r0 - ldd r0,Z+25 - eor r0,r25 - std Z+25,r0 - ldd r0,Z+34 - eor r0,r24 - std Z+34,r0 - ldd r0,Z+35 - eor r0,r25 - std Z+35,r0 - ldd r0,Z+44 - eor r0,r24 - std Z+44,r0 - ldd r0,Z+45 - eor r0,r25 - std Z+45,r0 - movw r24,r4 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r26 - eor r25,r27 - eor r12,r24 - eor r13,r25 - ldd r0,Z+16 - eor r0,r24 - std Z+16,r0 - ldd r0,Z+17 - eor r0,r25 - std Z+17,r0 - ldd r0,Z+26 - eor r0,r24 - std Z+26,r0 - ldd r0,Z+27 - eor r0,r25 - std Z+27,r0 - ldd r0,Z+36 - eor r0,r24 - std Z+36,r0 - ldd r0,Z+37 - eor r0,r25 - std Z+37,r0 - ldd r0,Z+46 - eor r0,r24 - std Z+46,r0 - ldd r0,Z+47 - eor r0,r25 - std Z+47,r0 - movw r24,r18 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r2 - eor r25,r3 - eor r14,r24 - eor r15,r25 - ldd r0,Z+18 - eor r0,r24 - std Z+18,r0 - ldd r0,Z+19 - eor r0,r25 - std Z+19,r0 - ldd r0,Z+28 - eor r0,r24 - std Z+28,r0 - ldd r0,Z+29 - eor r0,r25 - std Z+29,r0 - ldd r0,Z+38 - eor r0,r24 - std Z+38,r0 - ldd r0,Z+39 - eor r0,r25 - std Z+39,r0 - ldd r0,Z+48 - eor r0,r24 - std Z+48,r0 - ldd r0,Z+49 - eor r0,r25 - std Z+49,r0 - movw r24,r8 - ldd r8,Z+12 - ldd r9,Z+13 - mov r0,r9 - mov r9,r8 - mov r8,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldd r18,Z+18 - ldd r19,Z+19 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std 
Z+12,r18 - std Z+13,r19 - ldd r18,Z+44 - ldd r19,Z+45 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+18,r18 - std Z+19,r19 - ldd r18,Z+28 - ldd r19,Z+29 - mov r0,r19 - mov r19,r18 - mov r18,r0 - bst r18,0 - lsr r19 - ror r18 - bld r19,7 - std Z+44,r18 - std Z+45,r19 - ldd r18,Z+40 - ldd r19,Z+41 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+28,r18 - std Z+29,r19 - movw r18,r10 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+40,r18 - std Z+41,r19 - ldd r10,Z+24 - ldd r11,Z+25 - mov r0,r11 - mov r11,r10 - mov r10,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldd r18,Z+26 - ldd r19,Z+27 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - std Z+24,r18 - std Z+25,r19 - ldd r18,Z+38 - ldd r19,Z+39 - mov r0,r19 - mov r19,r18 - mov r18,r0 - std Z+26,r18 - std Z+27,r19 - ldd r18,Z+46 - ldd r19,Z+47 - mov r0,r19 - mov r19,r18 - mov r18,r0 - std Z+38,r18 - std Z+39,r19 - ldd r18,Z+30 - ldd r19,Z+31 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - std Z+46,r18 - std Z+47,r19 - movw r18,r14 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+30,r18 - std Z+31,r19 - ldd r14,Z+48 - ldd r15,Z+49 - mov r0,r1 - lsr r15 - ror r14 - ror r0 - lsr r15 - ror r14 - ror r0 - or r15,r0 - ldd r18,Z+42 - ldd r19,Z+43 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+48,r18 - std Z+49,r19 - ldd r18,Z+16 - ldd r19,Z+17 - mov r0,r19 - mov r19,r18 - mov r18,r0 - bst r18,0 - lsr r19 - ror r18 - bld r19,7 - std Z+42,r18 - std Z+43,r19 - ldd r18,Z+32 - ldd r19,Z+33 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+16,r18 - std Z+17,r19 - ldd r18,Z+10 - ldd r19,Z+11 - lsl 
r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+32,r18 - std Z+33,r19 - movw r18,r12 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+10,r18 - std Z+11,r19 - ldd r12,Z+36 - ldd r13,Z+37 - mov r0,r13 - mov r13,r12 - mov r12,r0 - mov r0,r1 - lsr r13 - ror r12 - ror r0 - lsr r13 - ror r12 - ror r0 - lsr r13 - ror r12 - ror r0 - or r13,r0 - ldd r18,Z+34 - ldd r19,Z+35 - bst r18,0 - lsr r19 - ror r18 - bld r19,7 - std Z+36,r18 - std Z+37,r19 - ldd r18,Z+22 - ldd r19,Z+23 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+34,r18 - std Z+35,r19 - ldd r18,Z+14 - ldd r19,Z+15 - mov r0,r19 - mov r19,r18 - mov r18,r0 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+22,r18 - std Z+23,r19 - ldd r18,Z+20 - ldd r19,Z+21 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+14,r18 - std Z+15,r19 - lsl r24 - rol r25 - adc r24,r1 - std Z+20,r24 - std Z+21,r25 - movw r18,r6 - movw r20,r8 - movw r26,r10 - movw r2,r12 - movw r4,r14 - movw r6,r26 - mov r0,r20 - com r0 - and r6,r0 - mov r0,r21 - com r0 - and r7,r0 - eor r6,r18 - eor r7,r19 - movw r8,r2 - mov r0,r26 - com r0 - and r8,r0 - mov r0,r27 - com r0 - and r9,r0 - eor r8,r20 - eor r9,r21 - movw r10,r4 - mov r0,r2 - com r0 - and r10,r0 - mov r0,r3 - com r0 - and r11,r0 - eor r10,r26 - eor r11,r27 - movw r12,r18 - mov r0,r4 - com r0 - and r12,r0 - mov r0,r5 - com r0 - and r13,r0 - eor r12,r2 - eor r13,r3 - movw r14,r20 - mov r0,r18 - com r0 - and r14,r0 - mov r0,r19 - com r0 - and r15,r0 - eor r14,r4 - eor r15,r5 - ldd r18,Z+10 - ldd r19,Z+11 - ldd r20,Z+12 - ldd r21,Z+13 - ldd r26,Z+14 - ldd r27,Z+15 - ldd r2,Z+16 - ldd r3,Z+17 - ldd r4,Z+18 - ldd r5,Z+19 - movw 
r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+10,r24 - std Z+11,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+12,r24 - std Z+13,r25 - movw r24,r4 - mov r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+14,r24 - std Z+15,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+16,r24 - std Z+17,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+18,r24 - std Z+19,r25 - ldd r18,Z+20 - ldd r19,Z+21 - ldd r20,Z+22 - ldd r21,Z+23 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r4,Z+28 - ldd r5,Z+29 - movw r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+20,r24 - std Z+21,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+22,r24 - std Z+23,r25 - movw r24,r4 - mov r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+24,r24 - std Z+25,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+26,r24 - std Z+27,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+28,r24 - std Z+29,r25 - ldd r18,Z+30 - ldd r19,Z+31 - ldd r20,Z+32 - ldd r21,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r2,Z+36 - ldd r3,Z+37 - ldd r4,Z+38 - ldd r5,Z+39 - movw r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+30,r24 - std Z+31,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+32,r24 - std Z+33,r25 - movw r24,r4 - mov 
r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+34,r24 - std Z+35,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+36,r24 - std Z+37,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+38,r24 - std Z+39,r25 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - ldd r26,Z+44 - ldd r27,Z+45 - ldd r2,Z+46 - ldd r3,Z+47 - ldd r4,Z+48 - ldd r5,Z+49 - movw r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+40,r24 - std Z+41,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+42,r24 - std Z+43,r25 - movw r24,r4 - mov r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+44,r24 - std Z+45,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+46,r24 - std Z+47,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+48,r24 - std Z+49,r25 - ret -1004: - st Z,r6 - std Z+1,r7 - std Z+2,r8 - std Z+3,r9 - std Z+4,r10 - std Z+5,r11 - std Z+6,r12 - std Z+7,r13 - std Z+8,r14 - std Z+9,r15 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size keccakp_400_permute, .-keccakp_400_permute - -#endif diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-keccak.c b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-keccak.c deleted file mode 100644 index 60539df..0000000 --- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-keccak.c +++ /dev/null 
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-keccak.h"
-
-#if !defined(__AVR__)
-
-/* Faster method to compute ((x + y) % 5) that avoids the division */
-static unsigned char const addMod5Table[9] = {
- 0, 1, 2, 3, 4, 0, 1, 2, 3
-};
-#define addMod5(x, y) (addMod5Table[(x) + (y)])
-
-void keccakp_200_permute(keccakp_200_state_t *state)
-{
- static uint8_t const RC[18] = {
- 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09,
- 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03,
- 0x02, 0x80
- };
- uint8_t C[5];
- uint8_t D;
- unsigned round;
- unsigned index, index2;
- for (round = 0; round < 18; ++round) {
- /* Step mapping theta. The specification mentions two temporary
- * arrays of size 5 called C and D. Compute D on the fly */
- for (index = 0; index < 5; ++index) {
- C[index] = state->A[0][index] ^ state->A[1][index] ^
- state->A[2][index] ^ state->A[3][index] ^
- state->A[4][index];
- }
- for (index = 0; index < 5; ++index) {
- D = C[addMod5(index, 4)] ^
- leftRotate1_8(C[addMod5(index, 1)]);
- for (index2 = 0; index2 < 5; ++index2)
- state->A[index2][index] ^= D;
- }
-
- /* Step mapping rho and pi combined into a single step.
- * Rotate all lanes by a specific offset and rearrange */
- D = state->A[0][1];
- state->A[0][1] = leftRotate4_8(state->A[1][1]);
- state->A[1][1] = leftRotate4_8(state->A[1][4]);
- state->A[1][4] = leftRotate5_8(state->A[4][2]);
- state->A[4][2] = leftRotate7_8(state->A[2][4]);
- state->A[2][4] = leftRotate2_8(state->A[4][0]);
- state->A[4][0] = leftRotate6_8(state->A[0][2]);
- state->A[0][2] = leftRotate3_8(state->A[2][2]);
- state->A[2][2] = leftRotate1_8(state->A[2][3]);
- state->A[2][3] = state->A[3][4];
- state->A[3][4] = state->A[4][3];
- state->A[4][3] = leftRotate1_8(state->A[3][0]);
- state->A[3][0] = leftRotate3_8(state->A[0][4]);
- state->A[0][4] = leftRotate6_8(state->A[4][4]);
- state->A[4][4] = leftRotate2_8(state->A[4][1]);
- state->A[4][1] = leftRotate7_8(state->A[1][3]);
- state->A[1][3] = leftRotate5_8(state->A[3][1]);
- state->A[3][1] = leftRotate4_8(state->A[1][0]);
- state->A[1][0] = leftRotate4_8(state->A[0][3]);
- state->A[0][3] = leftRotate5_8(state->A[3][3]);
- state->A[3][3] = leftRotate7_8(state->A[3][2]);
- state->A[3][2] = leftRotate2_8(state->A[2][1]);
- state->A[2][1] = leftRotate6_8(state->A[1][2]);
- state->A[1][2] = leftRotate3_8(state->A[2][0]);
- state->A[2][0] = leftRotate1_8(D);
-
- /* Step mapping chi. Combine each lane with two others in its row */
- for (index = 0; index < 5; ++index) {
- C[0] = state->A[index][0];
- C[1] = state->A[index][1];
- C[2] = state->A[index][2];
- C[3] = state->A[index][3];
- C[4] = state->A[index][4];
- for (index2 = 0; index2 < 5; ++index2) {
- state->A[index][index2] =
- C[index2] ^
- ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
- }
- }
-
- /* Step mapping iota. XOR A[0][0] with the round constant */
- state->A[0][0] ^= RC[round];
- }
-}
-
-#if defined(LW_UTIL_LITTLE_ENDIAN)
-#define keccakp_400_permute_host keccakp_400_permute
-#endif
-
-/* Keccak-p[400] that assumes that the input is already in host byte order */
-void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds)
-{
- static uint16_t const RC[20] = {
- 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009,
- 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003,
- 0x8002, 0x0080, 0x800A, 0x000A
- };
- uint16_t C[5];
- uint16_t D;
- unsigned round;
- unsigned index, index2;
- for (round = 20 - rounds; round < 20; ++round) {
- /* Step mapping theta. The specification mentions two temporary
- * arrays of size 5 called C and D. Compute D on the fly */
- for (index = 0; index < 5; ++index) {
- C[index] = state->A[0][index] ^ state->A[1][index] ^
- state->A[2][index] ^ state->A[3][index] ^
- state->A[4][index];
- }
- for (index = 0; index < 5; ++index) {
- D = C[addMod5(index, 4)] ^
- leftRotate1_16(C[addMod5(index, 1)]);
- for (index2 = 0; index2 < 5; ++index2)
- state->A[index2][index] ^= D;
- }
-
- /* Step mapping rho and pi combined into a single step.
- * Rotate all lanes by a specific offset and rearrange */
- D = state->A[0][1];
- state->A[0][1] = leftRotate12_16(state->A[1][1]);
- state->A[1][1] = leftRotate4_16 (state->A[1][4]);
- state->A[1][4] = leftRotate13_16(state->A[4][2]);
- state->A[4][2] = leftRotate7_16 (state->A[2][4]);
- state->A[2][4] = leftRotate2_16 (state->A[4][0]);
- state->A[4][0] = leftRotate14_16(state->A[0][2]);
- state->A[0][2] = leftRotate11_16(state->A[2][2]);
- state->A[2][2] = leftRotate9_16 (state->A[2][3]);
- state->A[2][3] = leftRotate8_16 (state->A[3][4]);
- state->A[3][4] = leftRotate8_16 (state->A[4][3]);
- state->A[4][3] = leftRotate9_16 (state->A[3][0]);
- state->A[3][0] = leftRotate11_16(state->A[0][4]);
- state->A[0][4] = leftRotate14_16(state->A[4][4]);
- state->A[4][4] = leftRotate2_16 (state->A[4][1]);
- state->A[4][1] = leftRotate7_16 (state->A[1][3]);
- state->A[1][3] = leftRotate13_16(state->A[3][1]);
- state->A[3][1] = leftRotate4_16 (state->A[1][0]);
- state->A[1][0] = leftRotate12_16(state->A[0][3]);
- state->A[0][3] = leftRotate5_16 (state->A[3][3]);
- state->A[3][3] = leftRotate15_16(state->A[3][2]);
- state->A[3][2] = leftRotate10_16(state->A[2][1]);
- state->A[2][1] = leftRotate6_16 (state->A[1][2]);
- state->A[1][2] = leftRotate3_16 (state->A[2][0]);
- state->A[2][0] = leftRotate1_16(D);
-
- /* Step mapping chi. Combine each lane with two others in its row */
- for (index = 0; index < 5; ++index) {
- C[0] = state->A[index][0];
- C[1] = state->A[index][1];
- C[2] = state->A[index][2];
- C[3] = state->A[index][3];
- C[4] = state->A[index][4];
- for (index2 = 0; index2 < 5; ++index2) {
- state->A[index][index2] =
- C[index2] ^
- ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
- }
- }
-
- /* Step mapping iota. XOR A[0][0] with the round constant */
- state->A[0][0] ^= RC[round];
- }
-}
-
-#if !defined(LW_UTIL_LITTLE_ENDIAN)
-
-/**
- * \brief Reverses the bytes in a Keccak-p[400] state.
- *
- * \param state The Keccak-p[400] state to apply byte-reversal to.
- */
-static void keccakp_400_reverse_bytes(keccakp_400_state_t *state)
-{
- unsigned index;
- unsigned char temp1;
- unsigned char temp2;
- for (index = 0; index < 50; index += 2) {
- temp1 = state->B[index];
- temp2 = state->B[index + 1];
- state->B[index] = temp2;
- state->B[index + 1] = temp1;
- }
-}
-
-/* Keccak-p[400] that requires byte reversal on input and output */
-void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds)
-{
- keccakp_400_reverse_bytes(state);
- keccakp_400_permute_host(state, rounds);
- keccakp_400_reverse_bytes(state);
-}
-
-#endif
-
-#endif /* !__AVR__ */
diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-keccak.h b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-keccak.h
deleted file mode 100644
index 2ffef42..0000000
--- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-keccak.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_KECCAK_H
-#define LW_INTERNAL_KECCAK_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-keccak.h
- * \brief Internal implementation of the Keccak-p permutation.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the state for the Keccak-p[200] permutation.
- */
-#define KECCAKP_200_STATE_SIZE 25
-
-/**
- * \brief Size of the state for the Keccak-p[400] permutation.
- */
-#define KECCAKP_400_STATE_SIZE 50
-
-/**
- * \brief Structure of the internal state of the Keccak-p[200] permutation.
- */
-typedef union
-{
- uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */
- uint8_t B[25]; /**< Keccak-p[200] state as a byte array */
-
-} keccakp_200_state_t;
-
-/**
- * \brief Structure of the internal state of the Keccak-p[400] permutation.
- */
-typedef union
-{
- uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */
- uint8_t B[50]; /**< Keccak-p[400] state as a byte array */
-
-} keccakp_400_state_t;
-
-/**
- * \brief Permutes the Keccak-p[200] state.
- *
- * \param state The Keccak-p[200] state to be permuted.
- */
-void keccakp_200_permute(keccakp_200_state_t *state);
-
-/**
- * \brief Permutes the Keccak-p[400] state, which is assumed to be in
- * little-endian byte order.
- *
- * \param state The Keccak-p[400] state to be permuted.
- * \param rounds The number of rounds to perform (up to 20).
- */
-void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-util.h b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/isap.c b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/isap.c deleted file mode 100644 index 26d50a3..0000000 --- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/isap.c +++ /dev/null 
@@ -1,110 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "isap.h"
-#include "internal-keccak.h"
-#include "internal-ascon.h"
-#include 
-
-aead_cipher_t const isap_keccak_128a_cipher = {
- "ISAP-K-128A",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_keccak_128a_aead_encrypt,
- isap_keccak_128a_aead_decrypt
-};
-
-aead_cipher_t const isap_ascon_128a_cipher = {
- "ISAP-A-128A",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_ascon_128a_aead_encrypt,
- isap_ascon_128a_aead_decrypt
-};
-
-aead_cipher_t const isap_keccak_128_cipher = {
- "ISAP-K-128",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_keccak_128_aead_encrypt,
- isap_keccak_128_aead_decrypt
-};
-
-aead_cipher_t const isap_ascon_128_cipher = {
- "ISAP-A-128",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_ascon_128_aead_encrypt,
- isap_ascon_128_aead_decrypt
-};
-
-/* ISAP-K-128A */
-#define ISAP_ALG_NAME isap_keccak_128a
-#define ISAP_RATE (144 / 8)
-#define ISAP_sH 16
-#define ISAP_sE 8
-#define ISAP_sB 1
-#define ISAP_sK 8
-#define ISAP_STATE keccakp_400_state_t
-#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r))
-#include "internal-isap.h"
-
-/* ISAP-A-128A */
-#define ISAP_ALG_NAME isap_ascon_128a
-#define ISAP_RATE (64 / 8)
-#define ISAP_sH 12
-#define ISAP_sE 6
-#define ISAP_sB 1
-#define ISAP_sK 12
-#define ISAP_STATE ascon_state_t
-#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r))
-#include "internal-isap.h"
-
-/* ISAP-K-128 */
-#define ISAP_ALG_NAME isap_keccak_128
-#define ISAP_RATE (144 / 8)
-#define ISAP_sH 20
-#define ISAP_sE 12
-#define ISAP_sB 12
-#define ISAP_sK 12
-#define ISAP_STATE keccakp_400_state_t
-#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r))
-#include "internal-isap.h"
-
-/* ISAP-A-128 */
-#define ISAP_ALG_NAME isap_ascon_128
-#define ISAP_RATE (64 / 8)
-#define ISAP_sH 12
-#define ISAP_sE 12
-#define ISAP_sB 12
-#define ISAP_sK 12
-#define ISAP_STATE ascon_state_t
-#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r))
-#include "internal-isap.h"
diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/isap.h b/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/isap.h
deleted file mode 100644
index ddf8203..0000000
--- a/isap/Implementations/crypto_aead/isapa128av20/rhys-avr/isap.h
+++ /dev/null
@@ -1,330 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_ISAP_H
-#define LWCRYPTO_ISAP_H
-
-#include "aead-common.h"
-
-/**
- * \file isap.h
- * \brief ISAP authenticated encryption algorithm.
- *
- * ISAP is a family of authenticated encryption algorithms that are built
- * around the Keccak-p[400] or ASCON permutations. There are four algorithms
- * in the family, each of which have a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag:
- *
- * \li ISAP-K-128A based around the Keccak-p[400] permutation with a
- * reduced number of rounds. This is the primary member in the family.
- * \li ISAP-A-128A based around the ASCON permutation with a reduced
- * number of rounds.
- * \li ISAP-K-128 based around the Keccak-p[400] permutation.
- * \li ISAP-A-128 based around the ASCON permutation.
- *
- * ISAP is designed to provide some protection against adversaries
- * using differential power analysis to determine the key. The
- * downside is that key setup is very slow.
- *
- * References: https://isap.iaik.tugraz.at/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for all ISAP family members.
- */
-#define ISAP_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for all ISAP family members.
- */
-#define ISAP_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for all ISAP family members.
- */
-#define ISAP_NONCE_SIZE 16
-
-/**
- * \brief Meta-information block for the ISAP-K-128A cipher.
- */
-extern aead_cipher_t const isap_keccak_128a_cipher;
-
-/**
- * \brief Meta-information block for the ISAP-A-128A cipher.
- */
-extern aead_cipher_t const isap_ascon_128a_cipher;
-
-/**
- * \brief Meta-information block for the ISAP-K-128 cipher.
- */
-extern aead_cipher_t const isap_keccak_128_cipher;
-
-/**
- * \brief Meta-information block for the ISAP-A-128 cipher.
- */
-extern aead_cipher_t const isap_ascon_128_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with ISAP-K-128A.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa isap_keccak_128a_aead_decrypt()
- */
-int isap_keccak_128a_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with ISAP-K-128A.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa isap_keccak_128a_aead_encrypt()
- */
-int isap_keccak_128a_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with ISAP-A-128A.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa isap_ascon_128a_aead_decrypt()
- */
-int isap_ascon_128a_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with ISAP-A-128A.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa isap_ascon_128a_aead_encrypt()
- */
-int isap_ascon_128a_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with ISAP-K-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa isap_keccak_128_aead_decrypt()
- */
-int isap_keccak_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with ISAP-K-128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa isap_keccak_128_aead_encrypt()
- */
-int isap_keccak_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with ISAP-A-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa isap_ascon_128_aead_decrypt()
- */
-int isap_ascon_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with ISAP-A-128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa isap_ascon_128_aead_encrypt()
- */
-int isap_ascon_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon-avr.S b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon-avr.S
new file mode 100644
index 0000000..e8a4fb4
--- /dev/null
+++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon-avr.S
@@ -0,0 +1,778 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global ascon_permute + .type ascon_permute, @function +ascon_permute: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ldi r18,15 + sub r18,r22 + swap r18 + or r22,r18 + ldd r3,Z+16 + ldd r2,Z+17 + ldd r27,Z+18 + ldd r26,Z+19 + ldd r21,Z+20 + ldd r20,Z+21 + ldd r19,Z+22 + ldd r18,Z+23 + ldd r11,Z+32 + ldd r10,Z+33 + ldd r9,Z+34 + ldd r8,Z+35 + ldd r7,Z+36 + ldd r6,Z+37 + ldd r5,Z+38 + ldd r4,Z+39 +20: + eor r18,r22 + ldd r23,Z+7 + ldd r12,Z+15 + ldd r13,Z+31 + eor r23,r4 + eor r4,r13 + eor r18,r12 + mov r14,r23 + mov r15,r12 + mov r24,r18 + mov r25,r13 + mov r16,r4 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r18 + and r24,r13 + and r25,r4 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r18,r25 + eor r13,r16 + eor r4,r14 + eor r12,r23 + eor r23,r4 + eor r13,r18 + com r18 + std Z+7,r23 + std Z+15,r12 + std Z+31,r13 + std Z+39,r4 + ldd r23,Z+6 + ldd r12,Z+14 + ldd r13,Z+30 + eor r23,r5 + eor r5,r13 + eor r19,r12 + mov r14,r23 + mov r15,r12 + mov r24,r19 + mov r25,r13 + mov r16,r5 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r19 + and r24,r13 + and r25,r5 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r19,r25 + eor r13,r16 + eor r5,r14 + eor r12,r23 + eor r23,r5 + eor r13,r19 + com r19 + std Z+6,r23 + std Z+14,r12 + std Z+30,r13 + std Z+38,r5 + ldd r23,Z+5 + ldd r12,Z+13 + ldd r13,Z+29 + eor r23,r6 + eor r6,r13 + eor r20,r12 + mov r14,r23 + mov r15,r12 + mov r24,r20 + mov r25,r13 + mov r16,r6 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r20 + and r24,r13 + and r25,r6 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r20,r25 + eor r13,r16 + eor r6,r14 + eor r12,r23 + eor r23,r6 + eor r13,r20 + com r20 + std Z+5,r23 + std 
Z+13,r12 + std Z+29,r13 + std Z+37,r6 + ldd r23,Z+4 + ldd r12,Z+12 + ldd r13,Z+28 + eor r23,r7 + eor r7,r13 + eor r21,r12 + mov r14,r23 + mov r15,r12 + mov r24,r21 + mov r25,r13 + mov r16,r7 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r21 + and r24,r13 + and r25,r7 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r21,r25 + eor r13,r16 + eor r7,r14 + eor r12,r23 + eor r23,r7 + eor r13,r21 + com r21 + std Z+4,r23 + std Z+12,r12 + std Z+28,r13 + std Z+36,r7 + ldd r23,Z+3 + ldd r12,Z+11 + ldd r13,Z+27 + eor r23,r8 + eor r8,r13 + eor r26,r12 + mov r14,r23 + mov r15,r12 + mov r24,r26 + mov r25,r13 + mov r16,r8 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r26 + and r24,r13 + and r25,r8 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r26,r25 + eor r13,r16 + eor r8,r14 + eor r12,r23 + eor r23,r8 + eor r13,r26 + com r26 + std Z+3,r23 + std Z+11,r12 + std Z+27,r13 + std Z+35,r8 + ldd r23,Z+2 + ldd r12,Z+10 + ldd r13,Z+26 + eor r23,r9 + eor r9,r13 + eor r27,r12 + mov r14,r23 + mov r15,r12 + mov r24,r27 + mov r25,r13 + mov r16,r9 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r27 + and r24,r13 + and r25,r9 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r27,r25 + eor r13,r16 + eor r9,r14 + eor r12,r23 + eor r23,r9 + eor r13,r27 + com r27 + std Z+2,r23 + std Z+10,r12 + std Z+26,r13 + std Z+34,r9 + ldd r23,Z+1 + ldd r12,Z+9 + ldd r13,Z+25 + eor r23,r10 + eor r10,r13 + eor r2,r12 + mov r14,r23 + mov r15,r12 + mov r24,r2 + mov r25,r13 + mov r16,r10 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r2 + and r24,r13 + and r25,r10 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r2,r25 + eor r13,r16 + eor r10,r14 + eor r12,r23 + eor r23,r10 + eor r13,r2 + com r2 + std Z+1,r23 + std Z+9,r12 + std Z+25,r13 + std Z+33,r10 + ld r23,Z + ldd r12,Z+8 + ldd r13,Z+24 + eor r23,r11 + eor r11,r13 + eor r3,r12 + mov r14,r23 + mov r15,r12 + mov r24,r3 + mov r25,r13 + mov r16,r11 + com r14 + 
com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r3 + and r24,r13 + and r25,r11 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r3,r25 + eor r13,r16 + eor r11,r14 + eor r12,r23 + eor r23,r11 + eor r13,r3 + com r3 + st Z,r23 + std Z+8,r12 + std Z+24,r13 + std Z+32,r11 + ld r11,Z + ldd r10,Z+1 + ldd r9,Z+2 + ldd r8,Z+3 + ldd r7,Z+4 + ldd r6,Z+5 + ldd r5,Z+6 + ldd r4,Z+7 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + mov r0,r12 + mov r12,r14 + mov r14,r24 + mov r24,r16 + mov r16,r0 + mov r0,r13 + mov r13,r15 + mov r15,r25 + mov r25,r17 + mov r17,r0 + mov r0,r1 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + or r17,r0 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r23,r4 + mov r0,r5 + push r6 + mov r4,r7 + mov r5,r8 + mov r6,r9 + mov r7,r10 + mov r8,r11 + pop r11 + mov r10,r0 + mov r9,r23 + mov r0,r1 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + or r11,r0 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + st Z,r11 + std Z+1,r10 + std Z+2,r9 + std Z+3,r8 + std Z+4,r7 + std Z+5,r6 + std Z+6,r5 + std Z+7,r4 + ldd r11,Z+8 + ldd r10,Z+9 + ldd r9,Z+10 + ldd r8,Z+11 + ldd r7,Z+12 + ldd r6,Z+13 + ldd r5,Z+14 + ldd r4,Z+15 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol r16 + rol r17 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol 
r16 + rol r17 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol r16 + rol r17 + adc r12,r1 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r23,r9 + mov r0,r10 + push r11 + mov r11,r8 + mov r10,r7 + mov r9,r6 + mov r8,r5 + mov r7,r4 + pop r6 + mov r5,r0 + mov r4,r23 + lsl r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + adc r4,r1 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + std Z+8,r11 + std Z+9,r10 + std Z+10,r9 + std Z+11,r8 + std Z+12,r7 + std Z+13,r6 + std Z+14,r5 + std Z+15,r4 + movw r12,r18 + movw r14,r20 + movw r24,r26 + movw r16,r2 + bst r12,0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + bld r17,7 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + eor r24,r26 + eor r25,r27 + eor r16,r2 + eor r17,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r26 + mov r26,r27 + mov r27,r2 + mov r2,r3 + mov r3,r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + rol r2 + rol r3 + adc r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + rol r2 + rol r3 + adc r18,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + eor r26,r24 + eor r27,r25 + eor r2,r16 + eor r3,r17 + ldd r11,Z+24 + ldd r10,Z+25 + ldd r9,Z+26 + ldd r8,Z+27 + ldd r7,Z+28 + ldd r6,Z+29 + ldd r5,Z+30 + ldd r4,Z+31 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + mov r0,r12 + mov r12,r13 + mov r13,r14 + mov r14,r15 + mov r15,r24 + mov r24,r25 + mov r25,r16 + mov r16,r17 + mov r17,r0 + mov r0,r1 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + or r17,r0 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r0,r4 + mov r4,r6 + mov r6,r8 + mov r8,r10 
+ mov r10,r0 + mov r0,r5 + mov r5,r7 + mov r7,r9 + mov r9,r11 + mov r11,r0 + mov r0,r1 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + or r11,r0 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + std Z+24,r11 + std Z+25,r10 + std Z+26,r9 + std Z+27,r8 + std Z+28,r7 + std Z+29,r6 + std Z+30,r5 + std Z+31,r4 + ldd r11,Z+32 + ldd r10,Z+33 + ldd r9,Z+34 + ldd r8,Z+35 + ldd r7,Z+36 + ldd r6,Z+37 + ldd r5,Z+38 + ldd r4,Z+39 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + mov r0,r12 + mov r12,r13 + mov r13,r14 + mov r14,r15 + mov r15,r24 + mov r24,r25 + mov r25,r16 + mov r16,r17 + mov r17,r0 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol r16 + rol r17 + adc r12,r1 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r23,r9 + mov r0,r10 + push r11 + mov r11,r8 + mov r10,r7 + mov r9,r6 + mov r8,r5 + mov r7,r4 + pop r6 + mov r5,r0 + mov r4,r23 + mov r0,r1 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + or r11,r0 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + subi r22,15 + ldi r25,60 + cpse r22,r25 + rjmp 20b + std Z+16,r3 + std Z+17,r2 + std Z+18,r27 + std Z+19,r26 + std Z+20,r21 + std Z+21,r20 + std Z+22,r19 + std Z+23,r18 + std Z+32,r11 + std Z+33,r10 + std Z+34,r9 + std Z+35,r8 + std Z+36,r7 + std Z+37,r6 + std Z+38,r5 + std Z+39,r4 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size ascon_permute, .-ascon_permute + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.c b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.c index 12a8ec6..657aabe 100644 --- a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.c 
+++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-ascon.c
@@ -22,6 +22,8 @@
 #include "internal-ascon.h"
+#if !defined(__AVR__)
+
 void ascon_permute(ascon_state_t *state, uint8_t first_round)
 {
 uint64_t t0, t1, t2, t3, t4;
@@ -74,3 +76,5 @@ void ascon_permute(ascon_state_t *state, uint8_t first_round)
 state->S[4] = x4;
 #endif
 }
+
+#endif /* !__AVR__ */
diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak-avr.S b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak-avr.S
new file mode 100644
index 0000000..e50ccaf
--- /dev/null
+++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak-avr.S
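Review bot: The new `#if !defined(__AVR__)` guard in the first hunk compiles the portable C `ascon_permute` out for every AVR target, yet the assembly that replaces it (`internal-ascon-avr.S`, added just above) uses `movw`, `ldd`/`std` with a Z displacement and pushes r2–r17, which as far as I know the reduced-core avrtiny parts lack even though avr-gcc defines `__AVR__` for them too (alongside `__AVR_TINY__`), so those builds would likely fail to assemble with no fallback left. Narrowing the guard to `#if !defined(__AVR__) || defined(__AVR_TINY__)` here, with the mirror `#if defined(__AVR__) && !defined(__AVR_TINY__)` in the generated .S (applied in its generator, since the file is marked do-not-edit), keeps the C path available on those devices. The same guard pattern is introduced in the internal-keccak.c hunk further down and would want the same treatment. Note that the body of ascon_permute between the two hunks is not shown.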
@@ -0,0 +1,1552 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global keccakp_200_permute + .type keccakp_200_permute, @function +keccakp_200_permute: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r26,Z+6 + ldd r27,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r4,Z+12 + ldd r5,Z+13 + ldd r6,Z+14 + ldd r7,Z+15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + ldd r24,Z+24 + push r31 + push r30 + rcall 82f + ldi r30,1 + eor r18,r30 + rcall 82f + ldi r30,130 + eor r18,r30 + rcall 82f + ldi r30,138 + eor r18,r30 + rcall 82f + mov r30,r1 + eor r18,r30 + rcall 82f + ldi r30,139 + eor r18,r30 + rcall 82f + ldi r30,1 + eor r18,r30 + rcall 82f + ldi r30,129 + eor r18,r30 + rcall 82f + ldi r30,9 + eor r18,r30 + rcall 82f + ldi r30,138 + eor r18,r30 + rcall 82f + ldi r30,136 + eor r18,r30 + rcall 82f + ldi r30,9 + eor r18,r30 + rcall 82f + ldi r30,10 + eor r18,r30 + rcall 82f + ldi r30,139 + eor r18,r30 + rcall 82f + ldi r30,139 + eor r18,r30 + rcall 82f + ldi r30,137 + eor r18,r30 + rcall 82f + ldi r30,3 + eor r18,r30 + rcall 82f + ldi r30,2 + eor r18,r30 + rcall 82f + ldi r30,128 + eor r18,r30 + rjmp 420f +82: + mov r30,r18 + eor r30,r23 + eor r30,r2 + eor r30,r7 + eor r30,r12 + mov r31,r19 + eor r31,r26 + eor r31,r3 + eor r31,r8 + eor r31,r13 + mov r25,r20 + eor r25,r27 + eor r25,r4 + eor r25,r9 + eor r25,r14 + mov r16,r21 + eor r16,r28 + eor r16,r5 + eor r16,r10 + eor r16,r15 + mov r17,r22 + eor r17,r29 + eor r17,r6 + eor r17,r11 + eor r17,r24 + mov r0,r31 + lsl r0 + adc r0,r1 + eor r0,r17 + eor r18,r0 + eor r23,r0 + eor r2,r0 + eor r7,r0 + eor r12,r0 + mov r0,r25 + lsl r0 + 
adc r0,r1 + eor r0,r30 + eor r19,r0 + eor r26,r0 + eor r3,r0 + eor r8,r0 + eor r13,r0 + mov r0,r16 + lsl r0 + adc r0,r1 + eor r0,r31 + eor r20,r0 + eor r27,r0 + eor r4,r0 + eor r9,r0 + eor r14,r0 + mov r0,r17 + lsl r0 + adc r0,r1 + eor r0,r25 + eor r21,r0 + eor r28,r0 + eor r5,r0 + eor r10,r0 + eor r15,r0 + mov r0,r30 + lsl r0 + adc r0,r1 + eor r0,r16 + eor r22,r0 + eor r29,r0 + eor r6,r0 + eor r11,r0 + eor r24,r0 + mov r30,r19 + swap r26 + mov r19,r26 + swap r29 + mov r26,r29 + mov r0,r1 + lsr r14 + ror r0 + lsr r14 + ror r0 + lsr r14 + ror r0 + or r14,r0 + mov r29,r14 + bst r6,0 + lsr r6 + bld r6,7 + mov r14,r6 + lsl r12 + adc r12,r1 + lsl r12 + adc r12,r1 + mov r6,r12 + mov r0,r1 + lsr r20 + ror r0 + lsr r20 + ror r0 + or r20,r0 + mov r12,r20 + lsl r4 + adc r4,r1 + lsl r4 + adc r4,r1 + lsl r4 + adc r4,r1 + mov r20,r4 + lsl r5 + adc r5,r1 + mov r4,r5 + mov r5,r11 + mov r11,r15 + lsl r7 + adc r7,r1 + mov r15,r7 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + mov r7,r22 + mov r0,r1 + lsr r24 + ror r0 + lsr r24 + ror r0 + or r24,r0 + mov r22,r24 + lsl r13 + adc r13,r1 + lsl r13 + adc r13,r1 + mov r24,r13 + bst r28,0 + lsr r28 + bld r28,7 + mov r13,r28 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r28,r8 + swap r23 + mov r8,r23 + swap r21 + mov r23,r21 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r21,r10 + bst r9,0 + lsr r9 + bld r9,7 + mov r10,r9 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + mov r9,r3 + mov r0,r1 + lsr r27 + ror r0 + lsr r27 + ror r0 + or r27,r0 + mov r3,r27 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + mov r27,r2 + lsl r30 + adc r30,r1 + mov r2,r30 + mov r30,r18 + mov r31,r19 + mov r25,r20 + mov r16,r21 + mov r17,r22 + mov r18,r25 + mov r0,r31 + com r0 + and r18,r0 + eor r18,r30 + mov r19,r16 + mov r0,r25 + com r0 + and r19,r0 + eor r19,r31 + mov r20,r17 + mov r0,r16 + com r0 + and r20,r0 + eor r20,r25 + mov r21,r30 + mov r0,r17 + 
com r0 + and r21,r0 + eor r21,r16 + mov r22,r31 + mov r0,r30 + com r0 + and r22,r0 + eor r22,r17 + mov r30,r23 + mov r31,r26 + mov r25,r27 + mov r16,r28 + mov r17,r29 + mov r23,r25 + mov r0,r31 + com r0 + and r23,r0 + eor r23,r30 + mov r26,r16 + mov r0,r25 + com r0 + and r26,r0 + eor r26,r31 + mov r27,r17 + mov r0,r16 + com r0 + and r27,r0 + eor r27,r25 + mov r28,r30 + mov r0,r17 + com r0 + and r28,r0 + eor r28,r16 + mov r29,r31 + mov r0,r30 + com r0 + and r29,r0 + eor r29,r17 + mov r30,r2 + mov r31,r3 + mov r25,r4 + mov r16,r5 + mov r17,r6 + mov r2,r25 + mov r0,r31 + com r0 + and r2,r0 + eor r2,r30 + mov r3,r16 + mov r0,r25 + com r0 + and r3,r0 + eor r3,r31 + mov r4,r17 + mov r0,r16 + com r0 + and r4,r0 + eor r4,r25 + mov r5,r30 + mov r0,r17 + com r0 + and r5,r0 + eor r5,r16 + mov r6,r31 + mov r0,r30 + com r0 + and r6,r0 + eor r6,r17 + mov r30,r7 + mov r31,r8 + mov r25,r9 + mov r16,r10 + mov r17,r11 + mov r7,r25 + mov r0,r31 + com r0 + and r7,r0 + eor r7,r30 + mov r8,r16 + mov r0,r25 + com r0 + and r8,r0 + eor r8,r31 + mov r9,r17 + mov r0,r16 + com r0 + and r9,r0 + eor r9,r25 + mov r10,r30 + mov r0,r17 + com r0 + and r10,r0 + eor r10,r16 + mov r11,r31 + mov r0,r30 + com r0 + and r11,r0 + eor r11,r17 + mov r30,r12 + mov r31,r13 + mov r25,r14 + mov r16,r15 + mov r17,r24 + mov r12,r25 + mov r0,r31 + com r0 + and r12,r0 + eor r12,r30 + mov r13,r16 + mov r0,r25 + com r0 + and r13,r0 + eor r13,r31 + mov r14,r17 + mov r0,r16 + com r0 + and r14,r0 + eor r14,r25 + mov r15,r30 + mov r0,r17 + com r0 + and r15,r0 + eor r15,r16 + mov r24,r31 + mov r0,r30 + com r0 + and r24,r0 + eor r24,r17 + ret +420: + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r22 + std Z+5,r23 + std Z+6,r26 + std Z+7,r27 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r4 + std Z+13,r5 + std Z+14,r6 + std Z+15,r7 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + std Z+24,r24 + pop 
r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size keccakp_200_permute, .-keccakp_200_permute + + .text +.global keccakp_400_permute + .type keccakp_400_permute, @function +keccakp_400_permute: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + movw r30,r24 +.L__stack_usage = 17 + ld r6,Z + ldd r7,Z+1 + ldd r8,Z+2 + ldd r9,Z+3 + ldd r10,Z+4 + ldd r11,Z+5 + ldd r12,Z+6 + ldd r13,Z+7 + ldd r14,Z+8 + ldd r15,Z+9 + cpi r22,20 + brcs 15f + rcall 153f + ldi r23,1 + eor r6,r23 +15: + cpi r22,19 + brcs 23f + rcall 153f + ldi r23,130 + eor r6,r23 + ldi r17,128 + eor r7,r17 +23: + cpi r22,18 + brcs 31f + rcall 153f + ldi r23,138 + eor r6,r23 + ldi r17,128 + eor r7,r17 +31: + cpi r22,17 + brcs 37f + rcall 153f + ldi r23,128 + eor r7,r23 +37: + cpi r22,16 + brcs 45f + rcall 153f + ldi r23,139 + eor r6,r23 + ldi r17,128 + eor r7,r17 +45: + cpi r22,15 + brcs 51f + rcall 153f + ldi r23,1 + eor r6,r23 +51: + cpi r22,14 + brcs 59f + rcall 153f + ldi r23,129 + eor r6,r23 + ldi r17,128 + eor r7,r17 +59: + cpi r22,13 + brcs 67f + rcall 153f + ldi r23,9 + eor r6,r23 + ldi r17,128 + eor r7,r17 +67: + cpi r22,12 + brcs 73f + rcall 153f + ldi r23,138 + eor r6,r23 +73: + cpi r22,11 + brcs 79f + rcall 153f + ldi r23,136 + eor r6,r23 +79: + cpi r22,10 + brcs 87f + rcall 153f + ldi r23,9 + eor r6,r23 + ldi r17,128 + eor r7,r17 +87: + cpi r22,9 + brcs 93f + rcall 153f + ldi r23,10 + eor r6,r23 +93: + cpi r22,8 + brcs 101f + rcall 153f + ldi r23,139 + eor r6,r23 + ldi r17,128 + eor r7,r17 +101: + cpi r22,7 + brcs 107f + rcall 153f + ldi r23,139 + eor r6,r23 +107: + cpi r22,6 + brcs 115f + rcall 153f + ldi r23,137 + eor r6,r23 + ldi r17,128 + eor r7,r17 +115: + cpi r22,5 + brcs 123f + rcall 153f + ldi r23,3 + eor r6,r23 + ldi r17,128 + eor r7,r17 +123: + cpi 
r22,4 + brcs 131f + rcall 153f + ldi r23,2 + eor r6,r23 + ldi r17,128 + eor r7,r17 +131: + cpi r22,3 + brcs 137f + rcall 153f + ldi r23,128 + eor r6,r23 +137: + cpi r22,2 + brcs 145f + rcall 153f + ldi r23,10 + eor r6,r23 + ldi r17,128 + eor r7,r17 +145: + cpi r22,1 + brcs 151f + rcall 153f + ldi r23,10 + eor r6,r23 +151: + rjmp 1004f +153: + movw r18,r6 + ldd r0,Z+10 + eor r18,r0 + ldd r0,Z+11 + eor r19,r0 + ldd r0,Z+20 + eor r18,r0 + ldd r0,Z+21 + eor r19,r0 + ldd r0,Z+30 + eor r18,r0 + ldd r0,Z+31 + eor r19,r0 + ldd r0,Z+40 + eor r18,r0 + ldd r0,Z+41 + eor r19,r0 + movw r20,r8 + ldd r0,Z+12 + eor r20,r0 + ldd r0,Z+13 + eor r21,r0 + ldd r0,Z+22 + eor r20,r0 + ldd r0,Z+23 + eor r21,r0 + ldd r0,Z+32 + eor r20,r0 + ldd r0,Z+33 + eor r21,r0 + ldd r0,Z+42 + eor r20,r0 + ldd r0,Z+43 + eor r21,r0 + movw r26,r10 + ldd r0,Z+14 + eor r26,r0 + ldd r0,Z+15 + eor r27,r0 + ldd r0,Z+24 + eor r26,r0 + ldd r0,Z+25 + eor r27,r0 + ldd r0,Z+34 + eor r26,r0 + ldd r0,Z+35 + eor r27,r0 + ldd r0,Z+44 + eor r26,r0 + ldd r0,Z+45 + eor r27,r0 + movw r2,r12 + ldd r0,Z+16 + eor r2,r0 + ldd r0,Z+17 + eor r3,r0 + ldd r0,Z+26 + eor r2,r0 + ldd r0,Z+27 + eor r3,r0 + ldd r0,Z+36 + eor r2,r0 + ldd r0,Z+37 + eor r3,r0 + ldd r0,Z+46 + eor r2,r0 + ldd r0,Z+47 + eor r3,r0 + movw r4,r14 + ldd r0,Z+18 + eor r4,r0 + ldd r0,Z+19 + eor r5,r0 + ldd r0,Z+28 + eor r4,r0 + ldd r0,Z+29 + eor r5,r0 + ldd r0,Z+38 + eor r4,r0 + ldd r0,Z+39 + eor r5,r0 + ldd r0,Z+48 + eor r4,r0 + ldd r0,Z+49 + eor r5,r0 + movw r24,r20 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r4 + eor r25,r5 + eor r6,r24 + eor r7,r25 + ldd r0,Z+10 + eor r0,r24 + std Z+10,r0 + ldd r0,Z+11 + eor r0,r25 + std Z+11,r0 + ldd r0,Z+20 + eor r0,r24 + std Z+20,r0 + ldd r0,Z+21 + eor r0,r25 + std Z+21,r0 + ldd r0,Z+30 + eor r0,r24 + std Z+30,r0 + ldd r0,Z+31 + eor r0,r25 + std Z+31,r0 + ldd r0,Z+40 + eor r0,r24 + std Z+40,r0 + ldd r0,Z+41 + eor r0,r25 + std Z+41,r0 + movw r24,r26 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r18 + eor r25,r19 + eor r8,r24 + 
eor r9,r25 + ldd r0,Z+12 + eor r0,r24 + std Z+12,r0 + ldd r0,Z+13 + eor r0,r25 + std Z+13,r0 + ldd r0,Z+22 + eor r0,r24 + std Z+22,r0 + ldd r0,Z+23 + eor r0,r25 + std Z+23,r0 + ldd r0,Z+32 + eor r0,r24 + std Z+32,r0 + ldd r0,Z+33 + eor r0,r25 + std Z+33,r0 + ldd r0,Z+42 + eor r0,r24 + std Z+42,r0 + ldd r0,Z+43 + eor r0,r25 + std Z+43,r0 + movw r24,r2 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r20 + eor r25,r21 + eor r10,r24 + eor r11,r25 + ldd r0,Z+14 + eor r0,r24 + std Z+14,r0 + ldd r0,Z+15 + eor r0,r25 + std Z+15,r0 + ldd r0,Z+24 + eor r0,r24 + std Z+24,r0 + ldd r0,Z+25 + eor r0,r25 + std Z+25,r0 + ldd r0,Z+34 + eor r0,r24 + std Z+34,r0 + ldd r0,Z+35 + eor r0,r25 + std Z+35,r0 + ldd r0,Z+44 + eor r0,r24 + std Z+44,r0 + ldd r0,Z+45 + eor r0,r25 + std Z+45,r0 + movw r24,r4 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r26 + eor r25,r27 + eor r12,r24 + eor r13,r25 + ldd r0,Z+16 + eor r0,r24 + std Z+16,r0 + ldd r0,Z+17 + eor r0,r25 + std Z+17,r0 + ldd r0,Z+26 + eor r0,r24 + std Z+26,r0 + ldd r0,Z+27 + eor r0,r25 + std Z+27,r0 + ldd r0,Z+36 + eor r0,r24 + std Z+36,r0 + ldd r0,Z+37 + eor r0,r25 + std Z+37,r0 + ldd r0,Z+46 + eor r0,r24 + std Z+46,r0 + ldd r0,Z+47 + eor r0,r25 + std Z+47,r0 + movw r24,r18 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r2 + eor r25,r3 + eor r14,r24 + eor r15,r25 + ldd r0,Z+18 + eor r0,r24 + std Z+18,r0 + ldd r0,Z+19 + eor r0,r25 + std Z+19,r0 + ldd r0,Z+28 + eor r0,r24 + std Z+28,r0 + ldd r0,Z+29 + eor r0,r25 + std Z+29,r0 + ldd r0,Z+38 + eor r0,r24 + std Z+38,r0 + ldd r0,Z+39 + eor r0,r25 + std Z+39,r0 + ldd r0,Z+48 + eor r0,r24 + std Z+48,r0 + ldd r0,Z+49 + eor r0,r25 + std Z+49,r0 + movw r24,r8 + ldd r8,Z+12 + ldd r9,Z+13 + mov r0,r9 + mov r9,r8 + mov r8,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldd r18,Z+18 + ldd r19,Z+19 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std 
Z+12,r18 + std Z+13,r19 + ldd r18,Z+44 + ldd r19,Z+45 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+18,r18 + std Z+19,r19 + ldd r18,Z+28 + ldd r19,Z+29 + mov r0,r19 + mov r19,r18 + mov r18,r0 + bst r18,0 + lsr r19 + ror r18 + bld r19,7 + std Z+44,r18 + std Z+45,r19 + ldd r18,Z+40 + ldd r19,Z+41 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+28,r18 + std Z+29,r19 + movw r18,r10 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+40,r18 + std Z+41,r19 + ldd r10,Z+24 + ldd r11,Z+25 + mov r0,r11 + mov r11,r10 + mov r10,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldd r18,Z+26 + ldd r19,Z+27 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + std Z+24,r18 + std Z+25,r19 + ldd r18,Z+38 + ldd r19,Z+39 + mov r0,r19 + mov r19,r18 + mov r18,r0 + std Z+26,r18 + std Z+27,r19 + ldd r18,Z+46 + ldd r19,Z+47 + mov r0,r19 + mov r19,r18 + mov r18,r0 + std Z+38,r18 + std Z+39,r19 + ldd r18,Z+30 + ldd r19,Z+31 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + std Z+46,r18 + std Z+47,r19 + movw r18,r14 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+30,r18 + std Z+31,r19 + ldd r14,Z+48 + ldd r15,Z+49 + mov r0,r1 + lsr r15 + ror r14 + ror r0 + lsr r15 + ror r14 + ror r0 + or r15,r0 + ldd r18,Z+42 + ldd r19,Z+43 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+48,r18 + std Z+49,r19 + ldd r18,Z+16 + ldd r19,Z+17 + mov r0,r19 + mov r19,r18 + mov r18,r0 + bst r18,0 + lsr r19 + ror r18 + bld r19,7 + std Z+42,r18 + std Z+43,r19 + ldd r18,Z+32 + ldd r19,Z+33 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+16,r18 + std Z+17,r19 + ldd r18,Z+10 + ldd r19,Z+11 + lsl 
r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+32,r18 + std Z+33,r19 + movw r18,r12 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+10,r18 + std Z+11,r19 + ldd r12,Z+36 + ldd r13,Z+37 + mov r0,r13 + mov r13,r12 + mov r12,r0 + mov r0,r1 + lsr r13 + ror r12 + ror r0 + lsr r13 + ror r12 + ror r0 + lsr r13 + ror r12 + ror r0 + or r13,r0 + ldd r18,Z+34 + ldd r19,Z+35 + bst r18,0 + lsr r19 + ror r18 + bld r19,7 + std Z+36,r18 + std Z+37,r19 + ldd r18,Z+22 + ldd r19,Z+23 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+34,r18 + std Z+35,r19 + ldd r18,Z+14 + ldd r19,Z+15 + mov r0,r19 + mov r19,r18 + mov r18,r0 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+22,r18 + std Z+23,r19 + ldd r18,Z+20 + ldd r19,Z+21 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+14,r18 + std Z+15,r19 + lsl r24 + rol r25 + adc r24,r1 + std Z+20,r24 + std Z+21,r25 + movw r18,r6 + movw r20,r8 + movw r26,r10 + movw r2,r12 + movw r4,r14 + movw r6,r26 + mov r0,r20 + com r0 + and r6,r0 + mov r0,r21 + com r0 + and r7,r0 + eor r6,r18 + eor r7,r19 + movw r8,r2 + mov r0,r26 + com r0 + and r8,r0 + mov r0,r27 + com r0 + and r9,r0 + eor r8,r20 + eor r9,r21 + movw r10,r4 + mov r0,r2 + com r0 + and r10,r0 + mov r0,r3 + com r0 + and r11,r0 + eor r10,r26 + eor r11,r27 + movw r12,r18 + mov r0,r4 + com r0 + and r12,r0 + mov r0,r5 + com r0 + and r13,r0 + eor r12,r2 + eor r13,r3 + movw r14,r20 + mov r0,r18 + com r0 + and r14,r0 + mov r0,r19 + com r0 + and r15,r0 + eor r14,r4 + eor r15,r5 + ldd r18,Z+10 + ldd r19,Z+11 + ldd r20,Z+12 + ldd r21,Z+13 + ldd r26,Z+14 + ldd r27,Z+15 + ldd r2,Z+16 + ldd r3,Z+17 + ldd r4,Z+18 + ldd r5,Z+19 + movw 
r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+10,r24 + std Z+11,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+12,r24 + std Z+13,r25 + movw r24,r4 + mov r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+14,r24 + std Z+15,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+16,r24 + std Z+17,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+18,r24 + std Z+19,r25 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r4,Z+28 + ldd r5,Z+29 + movw r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+20,r24 + std Z+21,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+22,r24 + std Z+23,r25 + movw r24,r4 + mov r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+24,r24 + std Z+25,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+26,r24 + std Z+27,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+28,r24 + std Z+29,r25 + ldd r18,Z+30 + ldd r19,Z+31 + ldd r20,Z+32 + ldd r21,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r2,Z+36 + ldd r3,Z+37 + ldd r4,Z+38 + ldd r5,Z+39 + movw r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+30,r24 + std Z+31,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+32,r24 + std Z+33,r25 + movw r24,r4 + mov 
r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+34,r24 + std Z+35,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+36,r24 + std Z+37,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+38,r24 + std Z+39,r25 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + ldd r26,Z+44 + ldd r27,Z+45 + ldd r2,Z+46 + ldd r3,Z+47 + ldd r4,Z+48 + ldd r5,Z+49 + movw r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+40,r24 + std Z+41,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+42,r24 + std Z+43,r25 + movw r24,r4 + mov r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+44,r24 + std Z+45,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+46,r24 + std Z+47,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+48,r24 + std Z+49,r25 + ret +1004: + st Z,r6 + std Z+1,r7 + std Z+2,r8 + std Z+3,r9 + std Z+4,r10 + std Z+5,r11 + std Z+6,r12 + std Z+7,r13 + std Z+8,r14 + std Z+9,r15 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size keccakp_400_permute, .-keccakp_400_permute + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.c b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.c index c3c4011..60539df 100644 --- a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.c +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.c 
@@ -22,74 +22,79 @@ #include "internal-keccak.h" +#if !defined(__AVR__) + /* Faster method to compute ((x + y) % 5) that avoids the division */ static unsigned char const addMod5Table[9] = { 0, 1, 2, 3, 4, 0, 1, 2, 3 }; #define addMod5(x, y) (addMod5Table[(x) + (y)]) -void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds) +void keccakp_200_permute(keccakp_200_state_t *state) { static uint8_t const RC[18] = { 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, 0x02, 0x80 }; - uint8_t B[5][5]; + uint8_t C[5]; uint8_t D; unsigned round; unsigned index, index2; - for (round = 18 - rounds; round < 18; ++round) { + for (round = 0; round < 18; ++round) { /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. To save a bit of memory, - * we use the first row of B to store C and compute D on the fly */ + * arrays of size 5 called C and D. Compute D on the fly */ for (index = 0; index < 5; ++index) { - B[0][index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; + C[index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; } for (index = 0; index < 5; ++index) { - D = B[0][addMod5(index, 4)] ^ - leftRotate1_8(B[0][addMod5(index, 1)]); + D = C[addMod5(index, 4)] ^ + leftRotate1_8(C[addMod5(index, 1)]); for (index2 = 0; index2 < 5; ++index2) state->A[index2][index] ^= D; } /* Step mapping rho and pi combined into a single step. 
* Rotate all lanes by a specific offset and rearrange */ - B[0][0] = state->A[0][0]; - B[1][0] = leftRotate4_8(state->A[0][3]); - B[2][0] = leftRotate1_8(state->A[0][1]); - B[3][0] = leftRotate3_8(state->A[0][4]); - B[4][0] = leftRotate6_8(state->A[0][2]); - B[0][1] = leftRotate4_8(state->A[1][1]); - B[1][1] = leftRotate4_8(state->A[1][4]); - B[2][1] = leftRotate6_8(state->A[1][2]); - B[3][1] = leftRotate4_8(state->A[1][0]); - B[4][1] = leftRotate7_8(state->A[1][3]); - B[0][2] = leftRotate3_8(state->A[2][2]); - B[1][2] = leftRotate3_8(state->A[2][0]); - B[2][2] = leftRotate1_8(state->A[2][3]); - B[3][2] = leftRotate2_8(state->A[2][1]); - B[4][2] = leftRotate7_8(state->A[2][4]); - B[0][3] = leftRotate5_8(state->A[3][3]); - B[1][3] = leftRotate5_8(state->A[3][1]); - B[2][3] = state->A[3][4]; - B[3][3] = leftRotate7_8(state->A[3][2]); - B[4][3] = leftRotate1_8(state->A[3][0]); - B[0][4] = leftRotate6_8(state->A[4][4]); - B[1][4] = leftRotate5_8(state->A[4][2]); - B[2][4] = leftRotate2_8(state->A[4][0]); - B[3][4] = state->A[4][3]; - B[4][4] = leftRotate2_8(state->A[4][1]); + D = state->A[0][1]; + state->A[0][1] = leftRotate4_8(state->A[1][1]); + state->A[1][1] = leftRotate4_8(state->A[1][4]); + state->A[1][4] = leftRotate5_8(state->A[4][2]); + state->A[4][2] = leftRotate7_8(state->A[2][4]); + state->A[2][4] = leftRotate2_8(state->A[4][0]); + state->A[4][0] = leftRotate6_8(state->A[0][2]); + state->A[0][2] = leftRotate3_8(state->A[2][2]); + state->A[2][2] = leftRotate1_8(state->A[2][3]); + state->A[2][3] = state->A[3][4]; + state->A[3][4] = state->A[4][3]; + state->A[4][3] = leftRotate1_8(state->A[3][0]); + state->A[3][0] = leftRotate3_8(state->A[0][4]); + state->A[0][4] = leftRotate6_8(state->A[4][4]); + state->A[4][4] = leftRotate2_8(state->A[4][1]); + state->A[4][1] = leftRotate7_8(state->A[1][3]); + state->A[1][3] = leftRotate5_8(state->A[3][1]); + state->A[3][1] = leftRotate4_8(state->A[1][0]); + state->A[1][0] = leftRotate4_8(state->A[0][3]); + state->A[0][3] = 
leftRotate5_8(state->A[3][3]); + state->A[3][3] = leftRotate7_8(state->A[3][2]); + state->A[3][2] = leftRotate2_8(state->A[2][1]); + state->A[2][1] = leftRotate6_8(state->A[1][2]); + state->A[1][2] = leftRotate3_8(state->A[2][0]); + state->A[2][0] = leftRotate1_8(D); /* Step mapping chi. Combine each lane with two others in its row */ for (index = 0; index < 5; ++index) { + C[0] = state->A[index][0]; + C[1] = state->A[index][1]; + C[2] = state->A[index][2]; + C[3] = state->A[index][3]; + C[4] = state->A[index][4]; for (index2 = 0; index2 < 5; ++index2) { - state->A[index2][index] = - B[index2][index] ^ - ((~B[index2][addMod5(index, 1)]) & - B[index2][addMod5(index, 2)]); + state->A[index][index2] = + C[index2] ^ + ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); } } 
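Review bot: The in-place rho/pi rewrite in keccakp_200_permute is one 24-lane cycle whose assignment order is load-bearing, yet nothing in the hunk says so; reordering or editing a single line silently corrupts the permutation. Suggest a comment above `D = state->A[0][1];` along the lines of `/* rho+pi in place: walk the 24-lane cycle of pi starting at A[0][1] (saved in D); A[0][0] is a fixed point. The order of these assignments matters. */`. `C` is also re-purposed in chi as a copy of row `index` with no note; `/* Copy the row so chi can update state->A[index] in place */` before `C[0] = state->A[index][0];` would make that obvious. Both points apply equally to the keccakp_400_permute_host hunk that follows. Finally, the new fixed bound `round < 18` duplicates the size of `RC[18]`; `round < sizeof(RC) / sizeof(RC[0])` (or a named constant) keeps the two from drifting apart.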
@@ -110,61 +115,64 @@ void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, 0x8002, 0x0080, 0x800A, 0x000A }; - uint16_t B[5][5]; + uint16_t C[5]; uint16_t D; unsigned round; unsigned index, index2; for (round = 20 - rounds; round < 20; ++round) { /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. To save a bit of memory, - * we use the first row of B to store C and compute D on the fly */ + * arrays of size 5 called C and D. Compute D on the fly */ for (index = 0; index < 5; ++index) { - B[0][index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; + C[index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; } for (index = 0; index < 5; ++index) { - D = B[0][addMod5(index, 4)] ^ - leftRotate1_16(B[0][addMod5(index, 1)]); + D = C[addMod5(index, 4)] ^ + leftRotate1_16(C[addMod5(index, 1)]); for (index2 = 0; index2 < 5; ++index2) state->A[index2][index] ^= D; } /* Step mapping rho and pi combined into a single step. 
* Rotate all lanes by a specific offset and rearrange */ - B[0][0] = state->A[0][0]; - B[1][0] = leftRotate12_16(state->A[0][3]); - B[2][0] = leftRotate1_16 (state->A[0][1]); - B[3][0] = leftRotate11_16(state->A[0][4]); - B[4][0] = leftRotate14_16(state->A[0][2]); - B[0][1] = leftRotate12_16(state->A[1][1]); - B[1][1] = leftRotate4_16 (state->A[1][4]); - B[2][1] = leftRotate6_16 (state->A[1][2]); - B[3][1] = leftRotate4_16 (state->A[1][0]); - B[4][1] = leftRotate7_16 (state->A[1][3]); - B[0][2] = leftRotate11_16(state->A[2][2]); - B[1][2] = leftRotate3_16 (state->A[2][0]); - B[2][2] = leftRotate9_16 (state->A[2][3]); - B[3][2] = leftRotate10_16(state->A[2][1]); - B[4][2] = leftRotate7_16 (state->A[2][4]); - B[0][3] = leftRotate5_16 (state->A[3][3]); - B[1][3] = leftRotate13_16(state->A[3][1]); - B[2][3] = leftRotate8_16 (state->A[3][4]); - B[3][3] = leftRotate15_16(state->A[3][2]); - B[4][3] = leftRotate9_16 (state->A[3][0]); - B[0][4] = leftRotate14_16(state->A[4][4]); - B[1][4] = leftRotate13_16(state->A[4][2]); - B[2][4] = leftRotate2_16 (state->A[4][0]); - B[3][4] = leftRotate8_16 (state->A[4][3]); - B[4][4] = leftRotate2_16 (state->A[4][1]); + D = state->A[0][1]; + state->A[0][1] = leftRotate12_16(state->A[1][1]); + state->A[1][1] = leftRotate4_16 (state->A[1][4]); + state->A[1][4] = leftRotate13_16(state->A[4][2]); + state->A[4][2] = leftRotate7_16 (state->A[2][4]); + state->A[2][4] = leftRotate2_16 (state->A[4][0]); + state->A[4][0] = leftRotate14_16(state->A[0][2]); + state->A[0][2] = leftRotate11_16(state->A[2][2]); + state->A[2][2] = leftRotate9_16 (state->A[2][3]); + state->A[2][3] = leftRotate8_16 (state->A[3][4]); + state->A[3][4] = leftRotate8_16 (state->A[4][3]); + state->A[4][3] = leftRotate9_16 (state->A[3][0]); + state->A[3][0] = leftRotate11_16(state->A[0][4]); + state->A[0][4] = leftRotate14_16(state->A[4][4]); + state->A[4][4] = leftRotate2_16 (state->A[4][1]); + state->A[4][1] = leftRotate7_16 (state->A[1][3]); + state->A[1][3] = 
leftRotate13_16(state->A[3][1]); + state->A[3][1] = leftRotate4_16 (state->A[1][0]); + state->A[1][0] = leftRotate12_16(state->A[0][3]); + state->A[0][3] = leftRotate5_16 (state->A[3][3]); + state->A[3][3] = leftRotate15_16(state->A[3][2]); + state->A[3][2] = leftRotate10_16(state->A[2][1]); + state->A[2][1] = leftRotate6_16 (state->A[1][2]); + state->A[1][2] = leftRotate3_16 (state->A[2][0]); + state->A[2][0] = leftRotate1_16(D); /* Step mapping chi. Combine each lane with two others in its row */ for (index = 0; index < 5; ++index) { + C[0] = state->A[index][0]; + C[1] = state->A[index][1]; + C[2] = state->A[index][2]; + C[3] = state->A[index][3]; + C[4] = state->A[index][4]; for (index2 = 0; index2 < 5; ++index2) { - state->A[index2][index] = - B[index2][index] ^ - ((~B[index2][addMod5(index, 1)]) & - B[index2][addMod5(index, 2)]); + state->A[index][index2] = + C[index2] ^ + ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); } } @@ -202,3 +210,5 @@ void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) } #endif + +#endif /* !__AVR__ */ diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.h b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.h index 026da50..2ffef42 100644 --- a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.h +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-keccak.h @@ -68,9 +68,8 @@ typedef union * \brief Permutes the Keccak-p[200] state. * * \param state The Keccak-p[200] state to be permuted. - * \param rounds The number of rounds to perform (up to 18). */ -void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds); +void keccakp_200_permute(keccakp_200_state_t *state); /** * \brief Permutes the Keccak-p[400] state, which is assumed to be in diff --git a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-util.h b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-util.h index e79158c..e30166d 100644 
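Review bot: With `\param rounds` removed, the keccakp_200_permute brief in internal-keccak.h no longer states how many rounds a call performs; since the implementation now fixes it (`round < 18` in the .c hunk above), suggest adding `* This always performs the full 18 rounds of Keccak-p[200].` below the `\param state` line. The Keccak-p[400] counterpart in the same .c change still takes `rounds` (`for (round = 20 - rounds; ...)`), so the two APIs are now asymmetric; a sentence in the Keccak-p[400] brief saying that only the 400-bit variant has a configurable round count would save callers from guessing (that prototype sits outside this hunk, so I cannot confirm its signature from here).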
--- a/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-util.h +++ b/isap/Implementations/crypto_aead/isapa128av20/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/aead-common.c b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
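Review bot: The composed rotation path is selected solely by `__AVR__` (the `LW_CRYPTO_ROTATE32_COMPOSED` block in the hunk at -238 above), so the roughly sixty hand-written compositions under `#else` are never compiled or run on a host build, and a miscounted composition (one `rightRotate` too few in, say, `leftRotate13`) would surface only as a test-vector failure on the device. Suggest a host-side self-test that defines `LW_CRYPTO_ROTATE32_COMPOSED 1` and checks every `leftRotateN`/`rightRotateN` against the generic `leftRotate((a), N)` for N in 1..31 over a few sample words, or a comment pointing to wherever that check already lives. Reading them through, the definitions look consistent: each composition sums to the named count and `rightRotateN` maps to `leftRotate(32-N)`. It would also help to state next to `/* Composed rotation macros where 1 and 8 are fast, but others are slow */` that the argument appears to be evaluated once, in the innermost generic macro's `_temp` assignment, since callers of the non-composed path may rely on that property.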
--- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/aead-common.h b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/api.h b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/encrypt.c b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/encrypt.c deleted file mode 100644 index 7b2bc3a..0000000 --- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "isap.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return isap_ascon_128_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return isap_ascon_128_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} 
diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-ascon-avr.S b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-ascon-avr.S deleted file mode 100644 index e8a4fb4..0000000 --- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-ascon-avr.S +++ /dev/null 
@@ -1,778 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global ascon_permute - .type ascon_permute, @function -ascon_permute: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ldi r18,15 - sub r18,r22 - swap r18 - or r22,r18 - ldd r3,Z+16 - ldd r2,Z+17 - ldd r27,Z+18 - ldd r26,Z+19 - ldd r21,Z+20 - ldd r20,Z+21 - ldd r19,Z+22 - ldd r18,Z+23 - ldd r11,Z+32 - ldd r10,Z+33 - ldd r9,Z+34 - ldd r8,Z+35 - ldd r7,Z+36 - ldd r6,Z+37 - ldd r5,Z+38 - ldd r4,Z+39 -20: - eor r18,r22 - ldd r23,Z+7 - ldd r12,Z+15 - ldd r13,Z+31 - eor r23,r4 - eor r4,r13 - eor r18,r12 - mov r14,r23 - mov r15,r12 - mov r24,r18 - mov r25,r13 - mov r16,r4 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r18 - and r24,r13 - and r25,r4 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r18,r25 - eor r13,r16 - eor r4,r14 - eor r12,r23 - eor r23,r4 - eor r13,r18 - com r18 - std Z+7,r23 - std Z+15,r12 - std Z+31,r13 - std Z+39,r4 - ldd r23,Z+6 - ldd r12,Z+14 - ldd r13,Z+30 - eor r23,r5 - eor r5,r13 - eor r19,r12 - mov r14,r23 - mov r15,r12 - mov r24,r19 - mov r25,r13 - mov r16,r5 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r19 - and r24,r13 - and r25,r5 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r19,r25 - eor r13,r16 - eor r5,r14 - eor r12,r23 - eor r23,r5 - eor r13,r19 - com r19 - std Z+6,r23 - std Z+14,r12 - std Z+30,r13 - std Z+38,r5 - ldd r23,Z+5 - ldd r12,Z+13 - ldd r13,Z+29 - eor r23,r6 - eor r6,r13 - eor r20,r12 - mov r14,r23 - mov r15,r12 - mov r24,r20 - mov r25,r13 - mov r16,r6 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r20 - and r24,r13 - and r25,r6 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r20,r25 - eor r13,r16 - eor r6,r14 - eor r12,r23 - eor r23,r6 - eor r13,r20 - com r20 - std Z+5,r23 - std 
Z+13,r12 - std Z+29,r13 - std Z+37,r6 - ldd r23,Z+4 - ldd r12,Z+12 - ldd r13,Z+28 - eor r23,r7 - eor r7,r13 - eor r21,r12 - mov r14,r23 - mov r15,r12 - mov r24,r21 - mov r25,r13 - mov r16,r7 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r21 - and r24,r13 - and r25,r7 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r21,r25 - eor r13,r16 - eor r7,r14 - eor r12,r23 - eor r23,r7 - eor r13,r21 - com r21 - std Z+4,r23 - std Z+12,r12 - std Z+28,r13 - std Z+36,r7 - ldd r23,Z+3 - ldd r12,Z+11 - ldd r13,Z+27 - eor r23,r8 - eor r8,r13 - eor r26,r12 - mov r14,r23 - mov r15,r12 - mov r24,r26 - mov r25,r13 - mov r16,r8 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r26 - and r24,r13 - and r25,r8 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r26,r25 - eor r13,r16 - eor r8,r14 - eor r12,r23 - eor r23,r8 - eor r13,r26 - com r26 - std Z+3,r23 - std Z+11,r12 - std Z+27,r13 - std Z+35,r8 - ldd r23,Z+2 - ldd r12,Z+10 - ldd r13,Z+26 - eor r23,r9 - eor r9,r13 - eor r27,r12 - mov r14,r23 - mov r15,r12 - mov r24,r27 - mov r25,r13 - mov r16,r9 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r27 - and r24,r13 - and r25,r9 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r27,r25 - eor r13,r16 - eor r9,r14 - eor r12,r23 - eor r23,r9 - eor r13,r27 - com r27 - std Z+2,r23 - std Z+10,r12 - std Z+26,r13 - std Z+34,r9 - ldd r23,Z+1 - ldd r12,Z+9 - ldd r13,Z+25 - eor r23,r10 - eor r10,r13 - eor r2,r12 - mov r14,r23 - mov r15,r12 - mov r24,r2 - mov r25,r13 - mov r16,r10 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r2 - and r24,r13 - and r25,r10 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r2,r25 - eor r13,r16 - eor r10,r14 - eor r12,r23 - eor r23,r10 - eor r13,r2 - com r2 - std Z+1,r23 - std Z+9,r12 - std Z+25,r13 - std Z+33,r10 - ld r23,Z - ldd r12,Z+8 - ldd r13,Z+24 - eor r23,r11 - eor r11,r13 - eor r3,r12 - mov r14,r23 - mov r15,r12 - mov r24,r3 - mov r25,r13 - mov r16,r11 - com r14 - 
com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r3 - and r24,r13 - and r25,r11 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r3,r25 - eor r13,r16 - eor r11,r14 - eor r12,r23 - eor r23,r11 - eor r13,r3 - com r3 - st Z,r23 - std Z+8,r12 - std Z+24,r13 - std Z+32,r11 - ld r11,Z - ldd r10,Z+1 - ldd r9,Z+2 - ldd r8,Z+3 - ldd r7,Z+4 - ldd r6,Z+5 - ldd r5,Z+6 - ldd r4,Z+7 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - mov r0,r12 - mov r12,r14 - mov r14,r24 - mov r24,r16 - mov r16,r0 - mov r0,r13 - mov r13,r15 - mov r15,r25 - mov r25,r17 - mov r17,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - or r17,r0 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r23,r4 - mov r0,r5 - push r6 - mov r4,r7 - mov r5,r8 - mov r6,r9 - mov r7,r10 - mov r8,r11 - pop r11 - mov r10,r0 - mov r9,r23 - mov r0,r1 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - or r11,r0 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - st Z,r11 - std Z+1,r10 - std Z+2,r9 - std Z+3,r8 - std Z+4,r7 - std Z+5,r6 - std Z+6,r5 - std Z+7,r4 - ldd r11,Z+8 - ldd r10,Z+9 - ldd r9,Z+10 - ldd r8,Z+11 - ldd r7,Z+12 - ldd r6,Z+13 - ldd r5,Z+14 - ldd r4,Z+15 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol r16 - rol r17 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol 
r16 - rol r17 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol r16 - rol r17 - adc r12,r1 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r23,r9 - mov r0,r10 - push r11 - mov r11,r8 - mov r10,r7 - mov r9,r6 - mov r8,r5 - mov r7,r4 - pop r6 - mov r5,r0 - mov r4,r23 - lsl r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - adc r4,r1 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - std Z+8,r11 - std Z+9,r10 - std Z+10,r9 - std Z+11,r8 - std Z+12,r7 - std Z+13,r6 - std Z+14,r5 - std Z+15,r4 - movw r12,r18 - movw r14,r20 - movw r24,r26 - movw r16,r2 - bst r12,0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - bld r17,7 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - eor r24,r26 - eor r25,r27 - eor r16,r2 - eor r17,r3 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r26 - mov r26,r27 - mov r27,r2 - mov r2,r3 - mov r3,r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - rol r2 - rol r3 - adc r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - rol r2 - rol r3 - adc r18,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - eor r26,r24 - eor r27,r25 - eor r2,r16 - eor r3,r17 - ldd r11,Z+24 - ldd r10,Z+25 - ldd r9,Z+26 - ldd r8,Z+27 - ldd r7,Z+28 - ldd r6,Z+29 - ldd r5,Z+30 - ldd r4,Z+31 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - mov r0,r12 - mov r12,r13 - mov r13,r14 - mov r14,r15 - mov r15,r24 - mov r24,r25 - mov r25,r16 - mov r16,r17 - mov r17,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - or r17,r0 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r0,r4 - mov r4,r6 - mov r6,r8 - mov r8,r10 
- mov r10,r0 - mov r0,r5 - mov r5,r7 - mov r7,r9 - mov r9,r11 - mov r11,r0 - mov r0,r1 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - or r11,r0 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - std Z+24,r11 - std Z+25,r10 - std Z+26,r9 - std Z+27,r8 - std Z+28,r7 - std Z+29,r6 - std Z+30,r5 - std Z+31,r4 - ldd r11,Z+32 - ldd r10,Z+33 - ldd r9,Z+34 - ldd r8,Z+35 - ldd r7,Z+36 - ldd r6,Z+37 - ldd r5,Z+38 - ldd r4,Z+39 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - mov r0,r12 - mov r12,r13 - mov r13,r14 - mov r14,r15 - mov r15,r24 - mov r24,r25 - mov r25,r16 - mov r16,r17 - mov r17,r0 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol r16 - rol r17 - adc r12,r1 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r23,r9 - mov r0,r10 - push r11 - mov r11,r8 - mov r10,r7 - mov r9,r6 - mov r8,r5 - mov r7,r4 - pop r6 - mov r5,r0 - mov r4,r23 - mov r0,r1 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - or r11,r0 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - subi r22,15 - ldi r25,60 - cpse r22,r25 - rjmp 20b - std Z+16,r3 - std Z+17,r2 - std Z+18,r27 - std Z+19,r26 - std Z+20,r21 - std Z+21,r20 - std Z+22,r19 - std Z+23,r18 - std Z+32,r11 - std Z+33,r10 - std Z+34,r9 - std Z+35,r8 - std Z+36,r7 - std Z+37,r6 - std Z+38,r5 - std Z+39,r4 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size ascon_permute, .-ascon_permute - -#endif diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-ascon.c b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-ascon.c deleted file mode 100644 index 657aabe..0000000 
--- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-ascon.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-ascon.h"
-
-#if !defined(__AVR__)
-
-void ascon_permute(ascon_state_t *state, uint8_t first_round)
-{
- uint64_t t0, t1, t2, t3, t4;
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- uint64_t x0 = be_load_word64(state->B);
- uint64_t x1 = be_load_word64(state->B + 8);
- uint64_t x2 = be_load_word64(state->B + 16);
- uint64_t x3 = be_load_word64(state->B + 24);
- uint64_t x4 = be_load_word64(state->B + 32);
-#else
- uint64_t x0 = state->S[0];
- uint64_t x1 = state->S[1];
- uint64_t x2 = state->S[2];
- uint64_t x3 = state->S[3];
- uint64_t x4 = state->S[4];
-#endif
- while (first_round < 12) {
- /* Add the round constant to the state */
- x2 ^= ((0x0F - first_round) << 4) | first_round;
-
- /* Substitution layer - apply the s-box using bit-slicing
- * according to the algorithm recommended in the specification */
- x0 ^= x4; x4 ^= x3; x2 ^= x1;
- t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4;
- t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0;
- x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0;
- x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2;
-
- /* Linear diffusion layer */
- x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0);
- x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1);
- x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2);
- x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3);
- x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4);
-
- /* Move onto the next round */
- ++first_round;
- }
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- be_store_word64(state->B, x0);
- be_store_word64(state->B + 8, x1);
- be_store_word64(state->B + 16, x2);
- be_store_word64(state->B + 24, x3);
- be_store_word64(state->B + 32, x4);
-#else
- state->S[0] = x0;
- state->S[1] = x1;
- state->S[2] = x2;
- state->S[3] = x3;
- state->S[4] = x4;
-#endif
-}
-
-#endif /* !__AVR__ */
diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-ascon.h b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-ascon.h
deleted file mode 100644
index d3fa3ca..0000000
--- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-ascon.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_ASCON_H
-#define LW_INTERNAL_ASCON_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-ascon.h
- * \brief Internal implementation of the ASCON permutation.
- *
- * References: http://competitions.cr.yp.to/round3/asconv12.pdf,
- * http://ascon.iaik.tugraz.at/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Structure of the internal state of the ASCON permutation.
- */
-typedef union
-{
- uint64_t S[5]; /**< Words of the state */
- uint8_t B[40]; /**< Bytes of the state */
-
-} ascon_state_t;
-
-/**
- * \brief Permutes the ASCON state.
- *
- * \param state The ASCON state to be permuted.
- * \param first_round The first round (of 12) to be performed; 0, 4, or 6.
- *
- * The input and output \a state will be in big-endian byte order.
- */
-void ascon_permute(ascon_state_t *state, uint8_t first_round);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-isap.h b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-isap.h
deleted file mode 100644
index ba99f2a..0000000
--- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-isap.h
+++ /dev/null
@@ -1,249 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-/* We expect a number of macros to be defined before this file
- * is included to configure the underlying ISAP variant.
- *
- * ISAP_ALG_NAME Name of the ISAP algorithm; e.g. isap_keccak_128
- * ISAP_RATE Number of bytes in the rate for hashing and encryption.
- * ISAP_sH Number of rounds for hashing.
- * ISAP_sE Number of rounds for encryption.
- * ISAP_sB Number of rounds for key bit absorption.
- * ISAP_sK Number of rounds for keying.
- * ISAP_STATE Type for the permuation state; e.g. ascon_state_t
- * ISAP_PERMUTE(s,r) Permutes the state "s" with number of rounds "r".
- */
-#if defined(ISAP_ALG_NAME)
-
-#define ISAP_CONCAT_INNER(name,suffix) name##suffix
-#define ISAP_CONCAT(name,suffix) ISAP_CONCAT_INNER(name,suffix)
-
-/* IV string for initialising the associated data */
-static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_A)
- [sizeof(ISAP_STATE) - ISAP_NONCE_SIZE] = {
- 0x01, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1,
- ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK
-};
-
-/* IV string for authenticating associated data */
-static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA)
- [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = {
- 0x02, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1,
- ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK
-};
-
-/* IV string for encrypting payload data */
-static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE)
- [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = {
- 0x03, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1,
- ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK
-};
-
-/**
- * \brief Re-keys the ISAP permutation state.
- *
- * \param state The permutation state to be re-keyed.
- * \param k Points to the 128-bit key for the ISAP cipher.
- * \param iv Points to the initialization vector for this re-keying operation.
- * \param data Points to the data to be absorbed to perform the re-keying.
- * \param data_len Length of the data to be absorbed.
- *
- * The output key will be left in the leading bytes of \a state.
- */
-static void ISAP_CONCAT(ISAP_ALG_NAME,_rekey)
- (ISAP_STATE *state, const unsigned char *k, const unsigned char *iv,
- const unsigned char *data, unsigned data_len)
-{
- unsigned bit, num_bits;
-
- /* Initialize the state with the key and IV */
- memcpy(state->B, k, ISAP_KEY_SIZE);
- memcpy(state->B + ISAP_KEY_SIZE, iv, sizeof(state->B) - ISAP_KEY_SIZE);
- ISAP_PERMUTE(state, ISAP_sK);
-
- /* Absorb all of the bits of the data buffer one by one */
- num_bits = data_len * 8 - 1;
- for (bit = 0; bit < num_bits; ++bit) {
- state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80;
- ISAP_PERMUTE(state, ISAP_sB);
- }
- state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80;
- ISAP_PERMUTE(state, ISAP_sK);
-}
-
-/**
- * \brief Encrypts (or decrypts) a message payload with ISAP.
- *
- * \param state ISAP permutation state.
- * \param k Points to the 128-bit key for the ISAP cipher.
- * \param npub Points to the 128-bit nonce for the ISAP cipher.
- * \param c Buffer to receive the output ciphertext.
- * \param m Buffer to receive the input plaintext.
- * \param mlen Length of the input plaintext.
- */
-static void ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)
- (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub,
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Set up the re-keyed encryption key and nonce in the state */
- ISAP_CONCAT(ISAP_ALG_NAME,_rekey)
- (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE), npub, ISAP_NONCE_SIZE);
- memcpy(state->B + sizeof(ISAP_STATE) - ISAP_NONCE_SIZE,
- npub, ISAP_NONCE_SIZE);
-
- /* Encrypt the plaintext to produce the ciphertext */
- while (mlen >= ISAP_RATE) {
- ISAP_PERMUTE(state, ISAP_sE);
- lw_xor_block_2_src(c, state->B, m, ISAP_RATE);
- c += ISAP_RATE;
- m += ISAP_RATE;
- mlen -= ISAP_RATE;
- }
- if (mlen > 0) {
- ISAP_PERMUTE(state, ISAP_sE);
- lw_xor_block_2_src(c, state->B, m, (unsigned)mlen);
- }
-}
-
-/**
- * \brief Authenticates the associated data and ciphertext using ISAP.
- *
- * \param state ISAP permutation state.
- * \param k Points to the 128-bit key for the ISAP cipher.
- * \param npub Points to the 128-bit nonce for the ISAP cipher.
- * \param ad Buffer containing the associated data.
- * \param adlen Length of the associated data.
- * \param c Buffer containing the ciphertext.
- * \param clen Length of the ciphertext.
- */
-static void ISAP_CONCAT(ISAP_ALG_NAME,_mac)
- (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *c, unsigned long long clen,
- unsigned char *tag)
-{
- unsigned char preserve[sizeof(ISAP_STATE) - ISAP_TAG_SIZE];
- unsigned temp;
-
- /* Absorb the associated data */
- memcpy(state->B, npub, ISAP_NONCE_SIZE);
- memcpy(state->B + ISAP_NONCE_SIZE, ISAP_CONCAT(ISAP_ALG_NAME,_IV_A),
- sizeof(state->B) - ISAP_NONCE_SIZE);
- ISAP_PERMUTE(state, ISAP_sH);
- while (adlen >= ISAP_RATE) {
- lw_xor_block(state->B, ad, ISAP_RATE);
- ISAP_PERMUTE(state, ISAP_sH);
- ad += ISAP_RATE;
- adlen -= ISAP_RATE;
- }
- temp = (unsigned)adlen;
- lw_xor_block(state->B, ad, temp);
- state->B[temp] ^= 0x80; /* padding */
- ISAP_PERMUTE(state, ISAP_sH);
- state->B[sizeof(state->B) - 1] ^= 0x01; /* domain separation */
-
- /* Absorb the ciphertext */
- while (clen >= ISAP_RATE) {
- lw_xor_block(state->B, c, ISAP_RATE);
- ISAP_PERMUTE(state, ISAP_sH);
- c += ISAP_RATE;
- clen -= ISAP_RATE;
- }
- temp = (unsigned)clen;
- lw_xor_block(state->B, c, temp);
- state->B[temp] ^= 0x80; /* padding */
- ISAP_PERMUTE(state, ISAP_sH);
-
- /* Re-key the state and generate the authentication tag */
- memcpy(tag, state->B, ISAP_TAG_SIZE);
- memcpy(preserve, state->B + ISAP_TAG_SIZE, sizeof(preserve));
- ISAP_CONCAT(ISAP_ALG_NAME,_rekey)
- (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA), tag, ISAP_TAG_SIZE);
- memcpy(state->B + ISAP_TAG_SIZE, preserve, sizeof(preserve));
- ISAP_PERMUTE(state, ISAP_sH);
- memcpy(tag, state->B, ISAP_TAG_SIZE);
-}
-
-int ISAP_CONCAT(ISAP_ALG_NAME,_aead_encrypt)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- ISAP_STATE state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ISAP_TAG_SIZE;
-
- /* Encrypt the plaintext to produce the ciphertext */
- ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, c, m, mlen);
-
- /* Authenticate the associated data and ciphertext to generate the tag */
- ISAP_CONCAT(ISAP_ALG_NAME,_mac)
- (&state, k, npub, ad, adlen, c, mlen, c + mlen);
- return 0;
-}
-
-int ISAP_CONCAT(ISAP_ALG_NAME,_aead_decrypt)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- ISAP_STATE state;
- unsigned char tag[ISAP_TAG_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ISAP_TAG_SIZE)
- return -1;
- *mlen = clen - ISAP_TAG_SIZE;
-
- /* Authenticate the associated data and ciphertext to generate the tag */
- ISAP_CONCAT(ISAP_ALG_NAME,_mac)(&state, k, npub, ad, adlen, c, *mlen, tag);
-
- /* Decrypt the ciphertext to produce the plaintext */
- ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, m, c, *mlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, tag, c + *mlen, ISAP_TAG_SIZE);
-}
-
-#endif /* ISAP_ALG_NAME */
-
-/* Now undefine everything so that we can include this file again for
- * another variant on the ISAP algorithm */
-#undef ISAP_ALG_NAME
-#undef ISAP_RATE
-#undef ISAP_sH
-#undef ISAP_sE
-#undef ISAP_sB
-#undef ISAP_sK
-#undef ISAP_STATE
-#undef ISAP_PERMUTE
-#undef ISAP_CONCAT_INNER
-#undef ISAP_CONCAT
diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-keccak-avr.S b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-keccak-avr.S
deleted file mode 100644
index e50ccaf..0000000
--- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-keccak-avr.S
+++ /dev/null
@@ -1,1552 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global keccakp_200_permute - .type keccakp_200_permute, @function -keccakp_200_permute: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r26,Z+6 - ldd r27,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r4,Z+12 - ldd r5,Z+13 - ldd r6,Z+14 - ldd r7,Z+15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - ldd r24,Z+24 - push r31 - push r30 - rcall 82f - ldi r30,1 - eor r18,r30 - rcall 82f - ldi r30,130 - eor r18,r30 - rcall 82f - ldi r30,138 - eor r18,r30 - rcall 82f - mov r30,r1 - eor r18,r30 - rcall 82f - ldi r30,139 - eor r18,r30 - rcall 82f - ldi r30,1 - eor r18,r30 - rcall 82f - ldi r30,129 - eor r18,r30 - rcall 82f - ldi r30,9 - eor r18,r30 - rcall 82f - ldi r30,138 - eor r18,r30 - rcall 82f - ldi r30,136 - eor r18,r30 - rcall 82f - ldi r30,9 - eor r18,r30 - rcall 82f - ldi r30,10 - eor r18,r30 - rcall 82f - ldi r30,139 - eor r18,r30 - rcall 82f - ldi r30,139 - eor r18,r30 - rcall 82f - ldi r30,137 - eor r18,r30 - rcall 82f - ldi r30,3 - eor r18,r30 - rcall 82f - ldi r30,2 - eor r18,r30 - rcall 82f - ldi r30,128 - eor r18,r30 - rjmp 420f -82: - mov r30,r18 - eor r30,r23 - eor r30,r2 - eor r30,r7 - eor r30,r12 - mov r31,r19 - eor r31,r26 - eor r31,r3 - eor r31,r8 - eor r31,r13 - mov r25,r20 - eor r25,r27 - eor r25,r4 - eor r25,r9 - eor r25,r14 - mov r16,r21 - eor r16,r28 - eor r16,r5 - eor r16,r10 - eor r16,r15 - mov r17,r22 - eor r17,r29 - eor r17,r6 - eor r17,r11 - eor r17,r24 - mov r0,r31 - lsl r0 - adc r0,r1 - eor r0,r17 - eor r18,r0 - eor r23,r0 - eor r2,r0 - eor r7,r0 - eor r12,r0 - mov r0,r25 - lsl r0 - 
adc r0,r1 - eor r0,r30 - eor r19,r0 - eor r26,r0 - eor r3,r0 - eor r8,r0 - eor r13,r0 - mov r0,r16 - lsl r0 - adc r0,r1 - eor r0,r31 - eor r20,r0 - eor r27,r0 - eor r4,r0 - eor r9,r0 - eor r14,r0 - mov r0,r17 - lsl r0 - adc r0,r1 - eor r0,r25 - eor r21,r0 - eor r28,r0 - eor r5,r0 - eor r10,r0 - eor r15,r0 - mov r0,r30 - lsl r0 - adc r0,r1 - eor r0,r16 - eor r22,r0 - eor r29,r0 - eor r6,r0 - eor r11,r0 - eor r24,r0 - mov r30,r19 - swap r26 - mov r19,r26 - swap r29 - mov r26,r29 - mov r0,r1 - lsr r14 - ror r0 - lsr r14 - ror r0 - lsr r14 - ror r0 - or r14,r0 - mov r29,r14 - bst r6,0 - lsr r6 - bld r6,7 - mov r14,r6 - lsl r12 - adc r12,r1 - lsl r12 - adc r12,r1 - mov r6,r12 - mov r0,r1 - lsr r20 - ror r0 - lsr r20 - ror r0 - or r20,r0 - mov r12,r20 - lsl r4 - adc r4,r1 - lsl r4 - adc r4,r1 - lsl r4 - adc r4,r1 - mov r20,r4 - lsl r5 - adc r5,r1 - mov r4,r5 - mov r5,r11 - mov r11,r15 - lsl r7 - adc r7,r1 - mov r15,r7 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - mov r7,r22 - mov r0,r1 - lsr r24 - ror r0 - lsr r24 - ror r0 - or r24,r0 - mov r22,r24 - lsl r13 - adc r13,r1 - lsl r13 - adc r13,r1 - mov r24,r13 - bst r28,0 - lsr r28 - bld r28,7 - mov r13,r28 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r28,r8 - swap r23 - mov r8,r23 - swap r21 - mov r23,r21 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r21,r10 - bst r9,0 - lsr r9 - bld r9,7 - mov r10,r9 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - mov r9,r3 - mov r0,r1 - lsr r27 - ror r0 - lsr r27 - ror r0 - or r27,r0 - mov r3,r27 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - mov r27,r2 - lsl r30 - adc r30,r1 - mov r2,r30 - mov r30,r18 - mov r31,r19 - mov r25,r20 - mov r16,r21 - mov r17,r22 - mov r18,r25 - mov r0,r31 - com r0 - and r18,r0 - eor r18,r30 - mov r19,r16 - mov r0,r25 - com r0 - and r19,r0 - eor r19,r31 - mov r20,r17 - mov r0,r16 - com r0 - and r20,r0 - eor r20,r25 - mov r21,r30 - mov r0,r17 - 
com r0 - and r21,r0 - eor r21,r16 - mov r22,r31 - mov r0,r30 - com r0 - and r22,r0 - eor r22,r17 - mov r30,r23 - mov r31,r26 - mov r25,r27 - mov r16,r28 - mov r17,r29 - mov r23,r25 - mov r0,r31 - com r0 - and r23,r0 - eor r23,r30 - mov r26,r16 - mov r0,r25 - com r0 - and r26,r0 - eor r26,r31 - mov r27,r17 - mov r0,r16 - com r0 - and r27,r0 - eor r27,r25 - mov r28,r30 - mov r0,r17 - com r0 - and r28,r0 - eor r28,r16 - mov r29,r31 - mov r0,r30 - com r0 - and r29,r0 - eor r29,r17 - mov r30,r2 - mov r31,r3 - mov r25,r4 - mov r16,r5 - mov r17,r6 - mov r2,r25 - mov r0,r31 - com r0 - and r2,r0 - eor r2,r30 - mov r3,r16 - mov r0,r25 - com r0 - and r3,r0 - eor r3,r31 - mov r4,r17 - mov r0,r16 - com r0 - and r4,r0 - eor r4,r25 - mov r5,r30 - mov r0,r17 - com r0 - and r5,r0 - eor r5,r16 - mov r6,r31 - mov r0,r30 - com r0 - and r6,r0 - eor r6,r17 - mov r30,r7 - mov r31,r8 - mov r25,r9 - mov r16,r10 - mov r17,r11 - mov r7,r25 - mov r0,r31 - com r0 - and r7,r0 - eor r7,r30 - mov r8,r16 - mov r0,r25 - com r0 - and r8,r0 - eor r8,r31 - mov r9,r17 - mov r0,r16 - com r0 - and r9,r0 - eor r9,r25 - mov r10,r30 - mov r0,r17 - com r0 - and r10,r0 - eor r10,r16 - mov r11,r31 - mov r0,r30 - com r0 - and r11,r0 - eor r11,r17 - mov r30,r12 - mov r31,r13 - mov r25,r14 - mov r16,r15 - mov r17,r24 - mov r12,r25 - mov r0,r31 - com r0 - and r12,r0 - eor r12,r30 - mov r13,r16 - mov r0,r25 - com r0 - and r13,r0 - eor r13,r31 - mov r14,r17 - mov r0,r16 - com r0 - and r14,r0 - eor r14,r25 - mov r15,r30 - mov r0,r17 - com r0 - and r15,r0 - eor r15,r16 - mov r24,r31 - mov r0,r30 - com r0 - and r24,r0 - eor r24,r17 - ret -420: - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r22 - std Z+5,r23 - std Z+6,r26 - std Z+7,r27 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r4 - std Z+13,r5 - std Z+14,r6 - std Z+15,r7 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - std Z+24,r24 - pop 
r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size keccakp_200_permute, .-keccakp_200_permute - - .text -.global keccakp_400_permute - .type keccakp_400_permute, @function -keccakp_400_permute: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - movw r30,r24 -.L__stack_usage = 17 - ld r6,Z - ldd r7,Z+1 - ldd r8,Z+2 - ldd r9,Z+3 - ldd r10,Z+4 - ldd r11,Z+5 - ldd r12,Z+6 - ldd r13,Z+7 - ldd r14,Z+8 - ldd r15,Z+9 - cpi r22,20 - brcs 15f - rcall 153f - ldi r23,1 - eor r6,r23 -15: - cpi r22,19 - brcs 23f - rcall 153f - ldi r23,130 - eor r6,r23 - ldi r17,128 - eor r7,r17 -23: - cpi r22,18 - brcs 31f - rcall 153f - ldi r23,138 - eor r6,r23 - ldi r17,128 - eor r7,r17 -31: - cpi r22,17 - brcs 37f - rcall 153f - ldi r23,128 - eor r7,r23 -37: - cpi r22,16 - brcs 45f - rcall 153f - ldi r23,139 - eor r6,r23 - ldi r17,128 - eor r7,r17 -45: - cpi r22,15 - brcs 51f - rcall 153f - ldi r23,1 - eor r6,r23 -51: - cpi r22,14 - brcs 59f - rcall 153f - ldi r23,129 - eor r6,r23 - ldi r17,128 - eor r7,r17 -59: - cpi r22,13 - brcs 67f - rcall 153f - ldi r23,9 - eor r6,r23 - ldi r17,128 - eor r7,r17 -67: - cpi r22,12 - brcs 73f - rcall 153f - ldi r23,138 - eor r6,r23 -73: - cpi r22,11 - brcs 79f - rcall 153f - ldi r23,136 - eor r6,r23 -79: - cpi r22,10 - brcs 87f - rcall 153f - ldi r23,9 - eor r6,r23 - ldi r17,128 - eor r7,r17 -87: - cpi r22,9 - brcs 93f - rcall 153f - ldi r23,10 - eor r6,r23 -93: - cpi r22,8 - brcs 101f - rcall 153f - ldi r23,139 - eor r6,r23 - ldi r17,128 - eor r7,r17 -101: - cpi r22,7 - brcs 107f - rcall 153f - ldi r23,139 - eor r6,r23 -107: - cpi r22,6 - brcs 115f - rcall 153f - ldi r23,137 - eor r6,r23 - ldi r17,128 - eor r7,r17 -115: - cpi r22,5 - brcs 123f - rcall 153f - ldi r23,3 - eor r6,r23 - ldi r17,128 - eor r7,r17 -123: - cpi 
r22,4 - brcs 131f - rcall 153f - ldi r23,2 - eor r6,r23 - ldi r17,128 - eor r7,r17 -131: - cpi r22,3 - brcs 137f - rcall 153f - ldi r23,128 - eor r6,r23 -137: - cpi r22,2 - brcs 145f - rcall 153f - ldi r23,10 - eor r6,r23 - ldi r17,128 - eor r7,r17 -145: - cpi r22,1 - brcs 151f - rcall 153f - ldi r23,10 - eor r6,r23 -151: - rjmp 1004f -153: - movw r18,r6 - ldd r0,Z+10 - eor r18,r0 - ldd r0,Z+11 - eor r19,r0 - ldd r0,Z+20 - eor r18,r0 - ldd r0,Z+21 - eor r19,r0 - ldd r0,Z+30 - eor r18,r0 - ldd r0,Z+31 - eor r19,r0 - ldd r0,Z+40 - eor r18,r0 - ldd r0,Z+41 - eor r19,r0 - movw r20,r8 - ldd r0,Z+12 - eor r20,r0 - ldd r0,Z+13 - eor r21,r0 - ldd r0,Z+22 - eor r20,r0 - ldd r0,Z+23 - eor r21,r0 - ldd r0,Z+32 - eor r20,r0 - ldd r0,Z+33 - eor r21,r0 - ldd r0,Z+42 - eor r20,r0 - ldd r0,Z+43 - eor r21,r0 - movw r26,r10 - ldd r0,Z+14 - eor r26,r0 - ldd r0,Z+15 - eor r27,r0 - ldd r0,Z+24 - eor r26,r0 - ldd r0,Z+25 - eor r27,r0 - ldd r0,Z+34 - eor r26,r0 - ldd r0,Z+35 - eor r27,r0 - ldd r0,Z+44 - eor r26,r0 - ldd r0,Z+45 - eor r27,r0 - movw r2,r12 - ldd r0,Z+16 - eor r2,r0 - ldd r0,Z+17 - eor r3,r0 - ldd r0,Z+26 - eor r2,r0 - ldd r0,Z+27 - eor r3,r0 - ldd r0,Z+36 - eor r2,r0 - ldd r0,Z+37 - eor r3,r0 - ldd r0,Z+46 - eor r2,r0 - ldd r0,Z+47 - eor r3,r0 - movw r4,r14 - ldd r0,Z+18 - eor r4,r0 - ldd r0,Z+19 - eor r5,r0 - ldd r0,Z+28 - eor r4,r0 - ldd r0,Z+29 - eor r5,r0 - ldd r0,Z+38 - eor r4,r0 - ldd r0,Z+39 - eor r5,r0 - ldd r0,Z+48 - eor r4,r0 - ldd r0,Z+49 - eor r5,r0 - movw r24,r20 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r4 - eor r25,r5 - eor r6,r24 - eor r7,r25 - ldd r0,Z+10 - eor r0,r24 - std Z+10,r0 - ldd r0,Z+11 - eor r0,r25 - std Z+11,r0 - ldd r0,Z+20 - eor r0,r24 - std Z+20,r0 - ldd r0,Z+21 - eor r0,r25 - std Z+21,r0 - ldd r0,Z+30 - eor r0,r24 - std Z+30,r0 - ldd r0,Z+31 - eor r0,r25 - std Z+31,r0 - ldd r0,Z+40 - eor r0,r24 - std Z+40,r0 - ldd r0,Z+41 - eor r0,r25 - std Z+41,r0 - movw r24,r26 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r18 - eor r25,r19 - eor r8,r24 - 
eor r9,r25 - ldd r0,Z+12 - eor r0,r24 - std Z+12,r0 - ldd r0,Z+13 - eor r0,r25 - std Z+13,r0 - ldd r0,Z+22 - eor r0,r24 - std Z+22,r0 - ldd r0,Z+23 - eor r0,r25 - std Z+23,r0 - ldd r0,Z+32 - eor r0,r24 - std Z+32,r0 - ldd r0,Z+33 - eor r0,r25 - std Z+33,r0 - ldd r0,Z+42 - eor r0,r24 - std Z+42,r0 - ldd r0,Z+43 - eor r0,r25 - std Z+43,r0 - movw r24,r2 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r20 - eor r25,r21 - eor r10,r24 - eor r11,r25 - ldd r0,Z+14 - eor r0,r24 - std Z+14,r0 - ldd r0,Z+15 - eor r0,r25 - std Z+15,r0 - ldd r0,Z+24 - eor r0,r24 - std Z+24,r0 - ldd r0,Z+25 - eor r0,r25 - std Z+25,r0 - ldd r0,Z+34 - eor r0,r24 - std Z+34,r0 - ldd r0,Z+35 - eor r0,r25 - std Z+35,r0 - ldd r0,Z+44 - eor r0,r24 - std Z+44,r0 - ldd r0,Z+45 - eor r0,r25 - std Z+45,r0 - movw r24,r4 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r26 - eor r25,r27 - eor r12,r24 - eor r13,r25 - ldd r0,Z+16 - eor r0,r24 - std Z+16,r0 - ldd r0,Z+17 - eor r0,r25 - std Z+17,r0 - ldd r0,Z+26 - eor r0,r24 - std Z+26,r0 - ldd r0,Z+27 - eor r0,r25 - std Z+27,r0 - ldd r0,Z+36 - eor r0,r24 - std Z+36,r0 - ldd r0,Z+37 - eor r0,r25 - std Z+37,r0 - ldd r0,Z+46 - eor r0,r24 - std Z+46,r0 - ldd r0,Z+47 - eor r0,r25 - std Z+47,r0 - movw r24,r18 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r2 - eor r25,r3 - eor r14,r24 - eor r15,r25 - ldd r0,Z+18 - eor r0,r24 - std Z+18,r0 - ldd r0,Z+19 - eor r0,r25 - std Z+19,r0 - ldd r0,Z+28 - eor r0,r24 - std Z+28,r0 - ldd r0,Z+29 - eor r0,r25 - std Z+29,r0 - ldd r0,Z+38 - eor r0,r24 - std Z+38,r0 - ldd r0,Z+39 - eor r0,r25 - std Z+39,r0 - ldd r0,Z+48 - eor r0,r24 - std Z+48,r0 - ldd r0,Z+49 - eor r0,r25 - std Z+49,r0 - movw r24,r8 - ldd r8,Z+12 - ldd r9,Z+13 - mov r0,r9 - mov r9,r8 - mov r8,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldd r18,Z+18 - ldd r19,Z+19 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std 
Z+12,r18 - std Z+13,r19 - ldd r18,Z+44 - ldd r19,Z+45 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+18,r18 - std Z+19,r19 - ldd r18,Z+28 - ldd r19,Z+29 - mov r0,r19 - mov r19,r18 - mov r18,r0 - bst r18,0 - lsr r19 - ror r18 - bld r19,7 - std Z+44,r18 - std Z+45,r19 - ldd r18,Z+40 - ldd r19,Z+41 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+28,r18 - std Z+29,r19 - movw r18,r10 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+40,r18 - std Z+41,r19 - ldd r10,Z+24 - ldd r11,Z+25 - mov r0,r11 - mov r11,r10 - mov r10,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldd r18,Z+26 - ldd r19,Z+27 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - std Z+24,r18 - std Z+25,r19 - ldd r18,Z+38 - ldd r19,Z+39 - mov r0,r19 - mov r19,r18 - mov r18,r0 - std Z+26,r18 - std Z+27,r19 - ldd r18,Z+46 - ldd r19,Z+47 - mov r0,r19 - mov r19,r18 - mov r18,r0 - std Z+38,r18 - std Z+39,r19 - ldd r18,Z+30 - ldd r19,Z+31 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - std Z+46,r18 - std Z+47,r19 - movw r18,r14 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+30,r18 - std Z+31,r19 - ldd r14,Z+48 - ldd r15,Z+49 - mov r0,r1 - lsr r15 - ror r14 - ror r0 - lsr r15 - ror r14 - ror r0 - or r15,r0 - ldd r18,Z+42 - ldd r19,Z+43 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+48,r18 - std Z+49,r19 - ldd r18,Z+16 - ldd r19,Z+17 - mov r0,r19 - mov r19,r18 - mov r18,r0 - bst r18,0 - lsr r19 - ror r18 - bld r19,7 - std Z+42,r18 - std Z+43,r19 - ldd r18,Z+32 - ldd r19,Z+33 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+16,r18 - std Z+17,r19 - ldd r18,Z+10 - ldd r19,Z+11 - lsl 
r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+32,r18 - std Z+33,r19 - movw r18,r12 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+10,r18 - std Z+11,r19 - ldd r12,Z+36 - ldd r13,Z+37 - mov r0,r13 - mov r13,r12 - mov r12,r0 - mov r0,r1 - lsr r13 - ror r12 - ror r0 - lsr r13 - ror r12 - ror r0 - lsr r13 - ror r12 - ror r0 - or r13,r0 - ldd r18,Z+34 - ldd r19,Z+35 - bst r18,0 - lsr r19 - ror r18 - bld r19,7 - std Z+36,r18 - std Z+37,r19 - ldd r18,Z+22 - ldd r19,Z+23 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+34,r18 - std Z+35,r19 - ldd r18,Z+14 - ldd r19,Z+15 - mov r0,r19 - mov r19,r18 - mov r18,r0 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+22,r18 - std Z+23,r19 - ldd r18,Z+20 - ldd r19,Z+21 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+14,r18 - std Z+15,r19 - lsl r24 - rol r25 - adc r24,r1 - std Z+20,r24 - std Z+21,r25 - movw r18,r6 - movw r20,r8 - movw r26,r10 - movw r2,r12 - movw r4,r14 - movw r6,r26 - mov r0,r20 - com r0 - and r6,r0 - mov r0,r21 - com r0 - and r7,r0 - eor r6,r18 - eor r7,r19 - movw r8,r2 - mov r0,r26 - com r0 - and r8,r0 - mov r0,r27 - com r0 - and r9,r0 - eor r8,r20 - eor r9,r21 - movw r10,r4 - mov r0,r2 - com r0 - and r10,r0 - mov r0,r3 - com r0 - and r11,r0 - eor r10,r26 - eor r11,r27 - movw r12,r18 - mov r0,r4 - com r0 - and r12,r0 - mov r0,r5 - com r0 - and r13,r0 - eor r12,r2 - eor r13,r3 - movw r14,r20 - mov r0,r18 - com r0 - and r14,r0 - mov r0,r19 - com r0 - and r15,r0 - eor r14,r4 - eor r15,r5 - ldd r18,Z+10 - ldd r19,Z+11 - ldd r20,Z+12 - ldd r21,Z+13 - ldd r26,Z+14 - ldd r27,Z+15 - ldd r2,Z+16 - ldd r3,Z+17 - ldd r4,Z+18 - ldd r5,Z+19 - movw 
r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+10,r24 - std Z+11,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+12,r24 - std Z+13,r25 - movw r24,r4 - mov r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+14,r24 - std Z+15,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+16,r24 - std Z+17,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+18,r24 - std Z+19,r25 - ldd r18,Z+20 - ldd r19,Z+21 - ldd r20,Z+22 - ldd r21,Z+23 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r4,Z+28 - ldd r5,Z+29 - movw r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+20,r24 - std Z+21,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+22,r24 - std Z+23,r25 - movw r24,r4 - mov r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+24,r24 - std Z+25,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+26,r24 - std Z+27,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+28,r24 - std Z+29,r25 - ldd r18,Z+30 - ldd r19,Z+31 - ldd r20,Z+32 - ldd r21,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r2,Z+36 - ldd r3,Z+37 - ldd r4,Z+38 - ldd r5,Z+39 - movw r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+30,r24 - std Z+31,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+32,r24 - std Z+33,r25 - movw r24,r4 - mov 
r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+34,r24 - std Z+35,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+36,r24 - std Z+37,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+38,r24 - std Z+39,r25 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - ldd r26,Z+44 - ldd r27,Z+45 - ldd r2,Z+46 - ldd r3,Z+47 - ldd r4,Z+48 - ldd r5,Z+49 - movw r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+40,r24 - std Z+41,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+42,r24 - std Z+43,r25 - movw r24,r4 - mov r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+44,r24 - std Z+45,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+46,r24 - std Z+47,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+48,r24 - std Z+49,r25 - ret -1004: - st Z,r6 - std Z+1,r7 - std Z+2,r8 - std Z+3,r9 - std Z+4,r10 - std Z+5,r11 - std Z+6,r12 - std Z+7,r13 - std Z+8,r14 - std Z+9,r15 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size keccakp_400_permute, .-keccakp_400_permute - -#endif diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-keccak.c b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-keccak.c deleted file mode 100644 index 60539df..0000000 --- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-keccak.c +++ /dev/null 
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-keccak.h"
-
-#if !defined(__AVR__)
-
-/* Faster method to compute ((x + y) % 5) that avoids the division */
-static unsigned char const addMod5Table[9] = {
- 0, 1, 2, 3, 4, 0, 1, 2, 3
-};
-#define addMod5(x, y) (addMod5Table[(x) + (y)])
-
-void keccakp_200_permute(keccakp_200_state_t *state)
-{
- static uint8_t const RC[18] = {
- 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09,
- 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03,
- 0x02, 0x80
- };
- uint8_t C[5];
- uint8_t D;
- unsigned round;
- unsigned index, index2;
- for (round = 0; round < 18; ++round) {
- /* Step mapping theta. The specification mentions two temporary
- * arrays of size 5 called C and D. Compute D on the fly */
- for (index = 0; index < 5; ++index) {
- C[index] = state->A[0][index] ^ state->A[1][index] ^
- state->A[2][index] ^ state->A[3][index] ^
- state->A[4][index];
- }
- for (index = 0; index < 5; ++index) {
- D = C[addMod5(index, 4)] ^
- leftRotate1_8(C[addMod5(index, 1)]);
- for (index2 = 0; index2 < 5; ++index2)
- state->A[index2][index] ^= D;
- }
-
- /* Step mapping rho and pi combined into a single step.
- * Rotate all lanes by a specific offset and rearrange */
- D = state->A[0][1];
- state->A[0][1] = leftRotate4_8(state->A[1][1]);
- state->A[1][1] = leftRotate4_8(state->A[1][4]);
- state->A[1][4] = leftRotate5_8(state->A[4][2]);
- state->A[4][2] = leftRotate7_8(state->A[2][4]);
- state->A[2][4] = leftRotate2_8(state->A[4][0]);
- state->A[4][0] = leftRotate6_8(state->A[0][2]);
- state->A[0][2] = leftRotate3_8(state->A[2][2]);
- state->A[2][2] = leftRotate1_8(state->A[2][3]);
- state->A[2][3] = state->A[3][4];
- state->A[3][4] = state->A[4][3];
- state->A[4][3] = leftRotate1_8(state->A[3][0]);
- state->A[3][0] = leftRotate3_8(state->A[0][4]);
- state->A[0][4] = leftRotate6_8(state->A[4][4]);
- state->A[4][4] = leftRotate2_8(state->A[4][1]);
- state->A[4][1] = leftRotate7_8(state->A[1][3]);
- state->A[1][3] = leftRotate5_8(state->A[3][1]);
- state->A[3][1] = leftRotate4_8(state->A[1][0]);
- state->A[1][0] = leftRotate4_8(state->A[0][3]);
- state->A[0][3] = leftRotate5_8(state->A[3][3]);
- state->A[3][3] = leftRotate7_8(state->A[3][2]);
- state->A[3][2] = leftRotate2_8(state->A[2][1]);
- state->A[2][1] = leftRotate6_8(state->A[1][2]);
- state->A[1][2] = leftRotate3_8(state->A[2][0]);
- state->A[2][0] = leftRotate1_8(D);
-
- /* Step mapping chi. Combine each lane with two others in its row */
- for (index = 0; index < 5; ++index) {
- C[0] = state->A[index][0];
- C[1] = state->A[index][1];
- C[2] = state->A[index][2];
- C[3] = state->A[index][3];
- C[4] = state->A[index][4];
- for (index2 = 0; index2 < 5; ++index2) {
- state->A[index][index2] =
- C[index2] ^
- ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
- }
- }
-
- /* Step mapping iota. XOR A[0][0] with the round constant */
- state->A[0][0] ^= RC[round];
- }
-}
-
-#if defined(LW_UTIL_LITTLE_ENDIAN)
-#define keccakp_400_permute_host keccakp_400_permute
-#endif
-
-/* Keccak-p[400] that assumes that the input is already in host byte order */
-void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds)
-{
- static uint16_t const RC[20] = {
- 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009,
- 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003,
- 0x8002, 0x0080, 0x800A, 0x000A
- };
- uint16_t C[5];
- uint16_t D;
- unsigned round;
- unsigned index, index2;
- for (round = 20 - rounds; round < 20; ++round) {
- /* Step mapping theta. The specification mentions two temporary
- * arrays of size 5 called C and D. Compute D on the fly */
- for (index = 0; index < 5; ++index) {
- C[index] = state->A[0][index] ^ state->A[1][index] ^
- state->A[2][index] ^ state->A[3][index] ^
- state->A[4][index];
- }
- for (index = 0; index < 5; ++index) {
- D = C[addMod5(index, 4)] ^
- leftRotate1_16(C[addMod5(index, 1)]);
- for (index2 = 0; index2 < 5; ++index2)
- state->A[index2][index] ^= D;
- }
-
- /* Step mapping rho and pi combined into a single step.
- * Rotate all lanes by a specific offset and rearrange */
- D = state->A[0][1];
- state->A[0][1] = leftRotate12_16(state->A[1][1]);
- state->A[1][1] = leftRotate4_16 (state->A[1][4]);
- state->A[1][4] = leftRotate13_16(state->A[4][2]);
- state->A[4][2] = leftRotate7_16 (state->A[2][4]);
- state->A[2][4] = leftRotate2_16 (state->A[4][0]);
- state->A[4][0] = leftRotate14_16(state->A[0][2]);
- state->A[0][2] = leftRotate11_16(state->A[2][2]);
- state->A[2][2] = leftRotate9_16 (state->A[2][3]);
- state->A[2][3] = leftRotate8_16 (state->A[3][4]);
- state->A[3][4] = leftRotate8_16 (state->A[4][3]);
- state->A[4][3] = leftRotate9_16 (state->A[3][0]);
- state->A[3][0] = leftRotate11_16(state->A[0][4]);
- state->A[0][4] = leftRotate14_16(state->A[4][4]);
- state->A[4][4] = leftRotate2_16 (state->A[4][1]);
- state->A[4][1] = leftRotate7_16 (state->A[1][3]);
- state->A[1][3] = leftRotate13_16(state->A[3][1]);
- state->A[3][1] = leftRotate4_16 (state->A[1][0]);
- state->A[1][0] = leftRotate12_16(state->A[0][3]);
- state->A[0][3] = leftRotate5_16 (state->A[3][3]);
- state->A[3][3] = leftRotate15_16(state->A[3][2]);
- state->A[3][2] = leftRotate10_16(state->A[2][1]);
- state->A[2][1] = leftRotate6_16 (state->A[1][2]);
- state->A[1][2] = leftRotate3_16 (state->A[2][0]);
- state->A[2][0] = leftRotate1_16(D);
-
- /* Step mapping chi. Combine each lane with two others in its row */
- for (index = 0; index < 5; ++index) {
- C[0] = state->A[index][0];
- C[1] = state->A[index][1];
- C[2] = state->A[index][2];
- C[3] = state->A[index][3];
- C[4] = state->A[index][4];
- for (index2 = 0; index2 < 5; ++index2) {
- state->A[index][index2] =
- C[index2] ^
- ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
- }
- }
-
- /* Step mapping iota. XOR A[0][0] with the round constant */
- state->A[0][0] ^= RC[round];
- }
-}
-
-#if !defined(LW_UTIL_LITTLE_ENDIAN)
-
-/**
- * \brief Reverses the bytes in a Keccak-p[400] state.
- *
- * \param state The Keccak-p[400] state to apply byte-reversal to.
- */
-static void keccakp_400_reverse_bytes(keccakp_400_state_t *state)
-{
- unsigned index;
- unsigned char temp1;
- unsigned char temp2;
- for (index = 0; index < 50; index += 2) {
- temp1 = state->B[index];
- temp2 = state->B[index + 1];
- state->B[index] = temp2;
- state->B[index + 1] = temp1;
- }
-}
-
-/* Keccak-p[400] that requires byte reversal on input and output */
-void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds)
-{
- keccakp_400_reverse_bytes(state);
- keccakp_400_permute_host(state, rounds);
- keccakp_400_reverse_bytes(state);
-}
-
-#endif
-
-#endif /* !__AVR__ */
diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-keccak.h b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-keccak.h
deleted file mode 100644
index 2ffef42..0000000
--- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-keccak.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_KECCAK_H
-#define LW_INTERNAL_KECCAK_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-keccak.h
- * \brief Internal implementation of the Keccak-p permutation.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the state for the Keccak-p[200] permutation.
- */
-#define KECCAKP_200_STATE_SIZE 25
-
-/**
- * \brief Size of the state for the Keccak-p[400] permutation.
- */
-#define KECCAKP_400_STATE_SIZE 50
-
-/**
- * \brief Structure of the internal state of the Keccak-p[200] permutation.
- */
-typedef union
-{
- uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */
- uint8_t B[25]; /**< Keccak-p[200] state as a byte array */
-
-} keccakp_200_state_t;
-
-/**
- * \brief Structure of the internal state of the Keccak-p[400] permutation.
- */
-typedef union
-{
- uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */
- uint8_t B[50]; /**< Keccak-p[400] state as a byte array */
-
-} keccakp_400_state_t;
-
-/**
- * \brief Permutes the Keccak-p[200] state.
- *
- * \param state The Keccak-p[200] state to be permuted.
- */
-void keccakp_200_permute(keccakp_200_state_t *state);
-
-/**
- * \brief Permutes the Keccak-p[400] state, which is assumed to be in
- * little-endian byte order.
- *
- * \param state The Keccak-p[400] state to be permuted.
- * \param rounds The number of rounds to perform (up to 20).
- */
-void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-util.h b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate
by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define
rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a)
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) |
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/isap.c b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/isap.c
deleted file mode 100644
index 26d50a3..0000000
--- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/isap.c
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "isap.h"
-#include "internal-keccak.h"
-#include "internal-ascon.h"
-#include
-
-aead_cipher_t const isap_keccak_128a_cipher = {
- "ISAP-K-128A",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_keccak_128a_aead_encrypt,
- isap_keccak_128a_aead_decrypt
-};
-
-aead_cipher_t const isap_ascon_128a_cipher = {
- "ISAP-A-128A",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_ascon_128a_aead_encrypt,
- isap_ascon_128a_aead_decrypt
-};
-
-aead_cipher_t const isap_keccak_128_cipher = {
- "ISAP-K-128",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_keccak_128_aead_encrypt,
- isap_keccak_128_aead_decrypt
-};
-
-aead_cipher_t const isap_ascon_128_cipher = {
- "ISAP-A-128",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_ascon_128_aead_encrypt,
- isap_ascon_128_aead_decrypt
-};
-
-/* ISAP-K-128A */
-#define ISAP_ALG_NAME isap_keccak_128a
-#define ISAP_RATE (144 / 8)
-#define ISAP_sH 16
-#define ISAP_sE 8
-#define ISAP_sB 1
-#define ISAP_sK 8
-#define ISAP_STATE keccakp_400_state_t
-#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r))
-#include "internal-isap.h"
-
-/* ISAP-A-128A */
-#define ISAP_ALG_NAME isap_ascon_128a
-#define ISAP_RATE (64 / 8)
-#define ISAP_sH 12
-#define ISAP_sE 6
-#define ISAP_sB 1
-#define ISAP_sK 12
-#define ISAP_STATE ascon_state_t
-#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r))
-#include "internal-isap.h"
-
-/* ISAP-K-128 */
-#define ISAP_ALG_NAME isap_keccak_128
-#define ISAP_RATE (144 / 8)
-#define ISAP_sH 20
-#define ISAP_sE 12
-#define ISAP_sB 12
-#define ISAP_sK 12
-#define ISAP_STATE keccakp_400_state_t
-#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r))
-#include "internal-isap.h"
-
-/* ISAP-A-128 */
-#define ISAP_ALG_NAME isap_ascon_128
-#define ISAP_RATE (64 / 8)
-#define ISAP_sH 12
-#define ISAP_sE 12
-#define ISAP_sB 12
-#define ISAP_sK 12
-#define ISAP_STATE ascon_state_t
-#define
ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r))
-#include "internal-isap.h"
diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/isap.h b/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/isap.h
deleted file mode 100644
index ddf8203..0000000
--- a/isap/Implementations/crypto_aead/isapa128v20/rhys-avr/isap.h
+++ /dev/null
@@ -1,330 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_ISAP_H
-#define LWCRYPTO_ISAP_H
-
-#include "aead-common.h"
-
-/**
- * \file isap.h
- * \brief ISAP authenticated encryption algorithm.
- *
- * ISAP is a family of authenticated encryption algorithms that are built
- * around the Keccak-p[400] or ASCON permutations. There are four algorithms
- * in the family, each of which have a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag:
- *
- * \li ISAP-K-128A based around the Keccak-p[400] permutation with a
- * reduced number of rounds. This is the primary member in the family.
- * \li ISAP-A-128A based around the ASCON permutation with a reduced
- * number of rounds.
- * \li ISAP-K-128 based around the Keccak-p[400] permutation.
- * \li ISAP-A-128 based around the ASCON permutation.
- *
- * ISAP is designed to provide some protection against adversaries
- * using differential power analysis to determine the key. The
- * downside is that key setup is very slow.
- *
- * References: https://isap.iaik.tugraz.at/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for all ISAP family members.
- */
-#define ISAP_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for all ISAP family members.
- */
-#define ISAP_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for all ISAP family members.
- */
-#define ISAP_NONCE_SIZE 16
-
-/**
- * \brief Meta-information block for the ISAP-K-128A cipher.
- */
-extern aead_cipher_t const isap_keccak_128a_cipher;
-
-/**
- * \brief Meta-information block for the ISAP-A-128A cipher.
- */
-extern aead_cipher_t const isap_ascon_128a_cipher;
-
-/**
- * \brief Meta-information block for the ISAP-K-128 cipher.
- */
-extern aead_cipher_t const isap_keccak_128_cipher;
-
-/**
- * \brief Meta-information block for the ISAP-A-128 cipher.
- */
-extern aead_cipher_t const isap_ascon_128_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with ISAP-K-128A.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa isap_keccak_128a_aead_decrypt()
- */
-int isap_keccak_128a_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with ISAP-K-128A.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa isap_keccak_128a_aead_encrypt()
- */
-int isap_keccak_128a_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with ISAP-A-128A.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa isap_ascon_128a_aead_decrypt()
- */
-int isap_ascon_128a_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with ISAP-A-128A.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa isap_ascon_128a_aead_encrypt()
- */
-int isap_ascon_128a_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with ISAP-K-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa isap_keccak_128_aead_decrypt()
- */
-int isap_keccak_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with ISAP-K-128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa isap_keccak_128_aead_encrypt()
- */
-int isap_keccak_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with ISAP-A-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa isap_ascon_128_aead_decrypt()
- */
-int isap_ascon_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with ISAP-A-128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa isap_ascon_128_aead_encrypt()
- */
-int isap_ascon_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon-avr.S b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon-avr.S
new file mode 100644
index 0000000..e8a4fb4
--- /dev/null
+++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon-avr.S
@@ -0,0 +1,778 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global ascon_permute + .type ascon_permute, @function +ascon_permute: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ldi r18,15 + sub r18,r22 + swap r18 + or r22,r18 + ldd r3,Z+16 + ldd r2,Z+17 + ldd r27,Z+18 + ldd r26,Z+19 + ldd r21,Z+20 + ldd r20,Z+21 + ldd r19,Z+22 + ldd r18,Z+23 + ldd r11,Z+32 + ldd r10,Z+33 + ldd r9,Z+34 + ldd r8,Z+35 + ldd r7,Z+36 + ldd r6,Z+37 + ldd r5,Z+38 + ldd r4,Z+39 +20: + eor r18,r22 + ldd r23,Z+7 + ldd r12,Z+15 + ldd r13,Z+31 + eor r23,r4 + eor r4,r13 + eor r18,r12 + mov r14,r23 + mov r15,r12 + mov r24,r18 + mov r25,r13 + mov r16,r4 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r18 + and r24,r13 + and r25,r4 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r18,r25 + eor r13,r16 + eor r4,r14 + eor r12,r23 + eor r23,r4 + eor r13,r18 + com r18 + std Z+7,r23 + std Z+15,r12 + std Z+31,r13 + std Z+39,r4 + ldd r23,Z+6 + ldd r12,Z+14 + ldd r13,Z+30 + eor r23,r5 + eor r5,r13 + eor r19,r12 + mov r14,r23 + mov r15,r12 + mov r24,r19 + mov r25,r13 + mov r16,r5 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r19 + and r24,r13 + and r25,r5 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r19,r25 + eor r13,r16 + eor r5,r14 + eor r12,r23 + eor r23,r5 + eor r13,r19 + com r19 + std Z+6,r23 + std Z+14,r12 + std Z+30,r13 + std Z+38,r5 + ldd r23,Z+5 + ldd r12,Z+13 + ldd r13,Z+29 + eor r23,r6 + eor r6,r13 + eor r20,r12 + mov r14,r23 + mov r15,r12 + mov r24,r20 + mov r25,r13 + mov r16,r6 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r20 + and r24,r13 + and r25,r6 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r20,r25 + eor r13,r16 + eor r6,r14 + eor r12,r23 + eor r23,r6 + eor r13,r20 + com r20 + std Z+5,r23 + std 
Z+13,r12 + std Z+29,r13 + std Z+37,r6 + ldd r23,Z+4 + ldd r12,Z+12 + ldd r13,Z+28 + eor r23,r7 + eor r7,r13 + eor r21,r12 + mov r14,r23 + mov r15,r12 + mov r24,r21 + mov r25,r13 + mov r16,r7 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r21 + and r24,r13 + and r25,r7 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r21,r25 + eor r13,r16 + eor r7,r14 + eor r12,r23 + eor r23,r7 + eor r13,r21 + com r21 + std Z+4,r23 + std Z+12,r12 + std Z+28,r13 + std Z+36,r7 + ldd r23,Z+3 + ldd r12,Z+11 + ldd r13,Z+27 + eor r23,r8 + eor r8,r13 + eor r26,r12 + mov r14,r23 + mov r15,r12 + mov r24,r26 + mov r25,r13 + mov r16,r8 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r26 + and r24,r13 + and r25,r8 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r26,r25 + eor r13,r16 + eor r8,r14 + eor r12,r23 + eor r23,r8 + eor r13,r26 + com r26 + std Z+3,r23 + std Z+11,r12 + std Z+27,r13 + std Z+35,r8 + ldd r23,Z+2 + ldd r12,Z+10 + ldd r13,Z+26 + eor r23,r9 + eor r9,r13 + eor r27,r12 + mov r14,r23 + mov r15,r12 + mov r24,r27 + mov r25,r13 + mov r16,r9 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r27 + and r24,r13 + and r25,r9 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r27,r25 + eor r13,r16 + eor r9,r14 + eor r12,r23 + eor r23,r9 + eor r13,r27 + com r27 + std Z+2,r23 + std Z+10,r12 + std Z+26,r13 + std Z+34,r9 + ldd r23,Z+1 + ldd r12,Z+9 + ldd r13,Z+25 + eor r23,r10 + eor r10,r13 + eor r2,r12 + mov r14,r23 + mov r15,r12 + mov r24,r2 + mov r25,r13 + mov r16,r10 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r2 + and r24,r13 + and r25,r10 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r2,r25 + eor r13,r16 + eor r10,r14 + eor r12,r23 + eor r23,r10 + eor r13,r2 + com r2 + std Z+1,r23 + std Z+9,r12 + std Z+25,r13 + std Z+33,r10 + ld r23,Z + ldd r12,Z+8 + ldd r13,Z+24 + eor r23,r11 + eor r11,r13 + eor r3,r12 + mov r14,r23 + mov r15,r12 + mov r24,r3 + mov r25,r13 + mov r16,r11 + com r14 + 
com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r3 + and r24,r13 + and r25,r11 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r3,r25 + eor r13,r16 + eor r11,r14 + eor r12,r23 + eor r23,r11 + eor r13,r3 + com r3 + st Z,r23 + std Z+8,r12 + std Z+24,r13 + std Z+32,r11 + ld r11,Z + ldd r10,Z+1 + ldd r9,Z+2 + ldd r8,Z+3 + ldd r7,Z+4 + ldd r6,Z+5 + ldd r5,Z+6 + ldd r4,Z+7 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + mov r0,r12 + mov r12,r14 + mov r14,r24 + mov r24,r16 + mov r16,r0 + mov r0,r13 + mov r13,r15 + mov r15,r25 + mov r25,r17 + mov r17,r0 + mov r0,r1 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + or r17,r0 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r23,r4 + mov r0,r5 + push r6 + mov r4,r7 + mov r5,r8 + mov r6,r9 + mov r7,r10 + mov r8,r11 + pop r11 + mov r10,r0 + mov r9,r23 + mov r0,r1 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + or r11,r0 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + st Z,r11 + std Z+1,r10 + std Z+2,r9 + std Z+3,r8 + std Z+4,r7 + std Z+5,r6 + std Z+6,r5 + std Z+7,r4 + ldd r11,Z+8 + ldd r10,Z+9 + ldd r9,Z+10 + ldd r8,Z+11 + ldd r7,Z+12 + ldd r6,Z+13 + ldd r5,Z+14 + ldd r4,Z+15 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol r16 + rol r17 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol 
r16 + rol r17 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol r16 + rol r17 + adc r12,r1 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r23,r9 + mov r0,r10 + push r11 + mov r11,r8 + mov r10,r7 + mov r9,r6 + mov r8,r5 + mov r7,r4 + pop r6 + mov r5,r0 + mov r4,r23 + lsl r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + adc r4,r1 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + std Z+8,r11 + std Z+9,r10 + std Z+10,r9 + std Z+11,r8 + std Z+12,r7 + std Z+13,r6 + std Z+14,r5 + std Z+15,r4 + movw r12,r18 + movw r14,r20 + movw r24,r26 + movw r16,r2 + bst r12,0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + bld r17,7 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + eor r24,r26 + eor r25,r27 + eor r16,r2 + eor r17,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r26 + mov r26,r27 + mov r27,r2 + mov r2,r3 + mov r3,r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + rol r2 + rol r3 + adc r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + rol r2 + rol r3 + adc r18,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + eor r26,r24 + eor r27,r25 + eor r2,r16 + eor r3,r17 + ldd r11,Z+24 + ldd r10,Z+25 + ldd r9,Z+26 + ldd r8,Z+27 + ldd r7,Z+28 + ldd r6,Z+29 + ldd r5,Z+30 + ldd r4,Z+31 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + mov r0,r12 + mov r12,r13 + mov r13,r14 + mov r14,r15 + mov r15,r24 + mov r24,r25 + mov r25,r16 + mov r16,r17 + mov r17,r0 + mov r0,r1 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + or r17,r0 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r0,r4 + mov r4,r6 + mov r6,r8 + mov r8,r10 
+ mov r10,r0 + mov r0,r5 + mov r5,r7 + mov r7,r9 + mov r9,r11 + mov r11,r0 + mov r0,r1 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + or r11,r0 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + std Z+24,r11 + std Z+25,r10 + std Z+26,r9 + std Z+27,r8 + std Z+28,r7 + std Z+29,r6 + std Z+30,r5 + std Z+31,r4 + ldd r11,Z+32 + ldd r10,Z+33 + ldd r9,Z+34 + ldd r8,Z+35 + ldd r7,Z+36 + ldd r6,Z+37 + ldd r5,Z+38 + ldd r4,Z+39 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + mov r0,r12 + mov r12,r13 + mov r13,r14 + mov r14,r15 + mov r15,r24 + mov r24,r25 + mov r25,r16 + mov r16,r17 + mov r17,r0 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol r16 + rol r17 + adc r12,r1 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r23,r9 + mov r0,r10 + push r11 + mov r11,r8 + mov r10,r7 + mov r9,r6 + mov r8,r5 + mov r7,r4 + pop r6 + mov r5,r0 + mov r4,r23 + mov r0,r1 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + or r11,r0 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + subi r22,15 + ldi r25,60 + cpse r22,r25 + rjmp 20b + std Z+16,r3 + std Z+17,r2 + std Z+18,r27 + std Z+19,r26 + std Z+20,r21 + std Z+21,r20 + std Z+22,r19 + std Z+23,r18 + std Z+32,r11 + std Z+33,r10 + std Z+34,r9 + std Z+35,r8 + std Z+36,r7 + std Z+37,r6 + std Z+38,r5 + std Z+39,r4 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size ascon_permute, .-ascon_permute + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.c b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.c index 12a8ec6..657aabe 100644 --- a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.c 
+++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-ascon.c @@ -22,6 +22,8 @@ #include "internal-ascon.h" +#if !defined(__AVR__) + void ascon_permute(ascon_state_t *state, uint8_t first_round) { uint64_t t0, t1, t2, t3, t4; @@ -74,3 +76,5 @@ void ascon_permute(ascon_state_t *state, uint8_t first_round) state->S[4] = x4; #endif } + +#endif /* !__AVR__ */ diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak-avr.S b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak-avr.S new file mode 100644 index 0000000..e50ccaf --- /dev/null +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak-avr.S 
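Review bot: The new `#if !defined(__AVR__)` guard drops the portable ascon_permute on every AVR target, yet the replacement internal-ascon-avr.S added by this commit relies on `movw` (its prologue `movw r30,r24`), an instruction that classic AVR cores without the enhanced instruction set do not have, so those parts would be left with neither implementation. GCC advertises the instruction as `__AVR_HAVE_MOVW__`, so a safer pair of guards is `#if !defined(__AVR__) || !defined(__AVR_HAVE_MOVW__)` here and the matching `#if defined(__AVR__) && defined(__AVR_HAVE_MOVW__)` in the .S file, assuming the project cares about such cores, which is not visible from this diff. A one-line comment above the guard would also help the next maintainer, e.g. `/* On AVR the permutation comes from internal-ascon-avr.S; any change here must be mirrored there and re-checked against the KATs. */`, since nothing in the build now compiles both paths together. The body of ascon_permute between the two hunks lies outside this diff.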
@@ -0,0 +1,1552 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global keccakp_200_permute + .type keccakp_200_permute, @function +keccakp_200_permute: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r26,Z+6 + ldd r27,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r4,Z+12 + ldd r5,Z+13 + ldd r6,Z+14 + ldd r7,Z+15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + ldd r24,Z+24 + push r31 + push r30 + rcall 82f + ldi r30,1 + eor r18,r30 + rcall 82f + ldi r30,130 + eor r18,r30 + rcall 82f + ldi r30,138 + eor r18,r30 + rcall 82f + mov r30,r1 + eor r18,r30 + rcall 82f + ldi r30,139 + eor r18,r30 + rcall 82f + ldi r30,1 + eor r18,r30 + rcall 82f + ldi r30,129 + eor r18,r30 + rcall 82f + ldi r30,9 + eor r18,r30 + rcall 82f + ldi r30,138 + eor r18,r30 + rcall 82f + ldi r30,136 + eor r18,r30 + rcall 82f + ldi r30,9 + eor r18,r30 + rcall 82f + ldi r30,10 + eor r18,r30 + rcall 82f + ldi r30,139 + eor r18,r30 + rcall 82f + ldi r30,139 + eor r18,r30 + rcall 82f + ldi r30,137 + eor r18,r30 + rcall 82f + ldi r30,3 + eor r18,r30 + rcall 82f + ldi r30,2 + eor r18,r30 + rcall 82f + ldi r30,128 + eor r18,r30 + rjmp 420f +82: + mov r30,r18 + eor r30,r23 + eor r30,r2 + eor r30,r7 + eor r30,r12 + mov r31,r19 + eor r31,r26 + eor r31,r3 + eor r31,r8 + eor r31,r13 + mov r25,r20 + eor r25,r27 + eor r25,r4 + eor r25,r9 + eor r25,r14 + mov r16,r21 + eor r16,r28 + eor r16,r5 + eor r16,r10 + eor r16,r15 + mov r17,r22 + eor r17,r29 + eor r17,r6 + eor r17,r11 + eor r17,r24 + mov r0,r31 + lsl r0 + adc r0,r1 + eor r0,r17 + eor r18,r0 + eor r23,r0 + eor r2,r0 + eor r7,r0 + eor r12,r0 + mov r0,r25 + lsl r0 + 
adc r0,r1 + eor r0,r30 + eor r19,r0 + eor r26,r0 + eor r3,r0 + eor r8,r0 + eor r13,r0 + mov r0,r16 + lsl r0 + adc r0,r1 + eor r0,r31 + eor r20,r0 + eor r27,r0 + eor r4,r0 + eor r9,r0 + eor r14,r0 + mov r0,r17 + lsl r0 + adc r0,r1 + eor r0,r25 + eor r21,r0 + eor r28,r0 + eor r5,r0 + eor r10,r0 + eor r15,r0 + mov r0,r30 + lsl r0 + adc r0,r1 + eor r0,r16 + eor r22,r0 + eor r29,r0 + eor r6,r0 + eor r11,r0 + eor r24,r0 + mov r30,r19 + swap r26 + mov r19,r26 + swap r29 + mov r26,r29 + mov r0,r1 + lsr r14 + ror r0 + lsr r14 + ror r0 + lsr r14 + ror r0 + or r14,r0 + mov r29,r14 + bst r6,0 + lsr r6 + bld r6,7 + mov r14,r6 + lsl r12 + adc r12,r1 + lsl r12 + adc r12,r1 + mov r6,r12 + mov r0,r1 + lsr r20 + ror r0 + lsr r20 + ror r0 + or r20,r0 + mov r12,r20 + lsl r4 + adc r4,r1 + lsl r4 + adc r4,r1 + lsl r4 + adc r4,r1 + mov r20,r4 + lsl r5 + adc r5,r1 + mov r4,r5 + mov r5,r11 + mov r11,r15 + lsl r7 + adc r7,r1 + mov r15,r7 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + mov r7,r22 + mov r0,r1 + lsr r24 + ror r0 + lsr r24 + ror r0 + or r24,r0 + mov r22,r24 + lsl r13 + adc r13,r1 + lsl r13 + adc r13,r1 + mov r24,r13 + bst r28,0 + lsr r28 + bld r28,7 + mov r13,r28 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r28,r8 + swap r23 + mov r8,r23 + swap r21 + mov r23,r21 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r21,r10 + bst r9,0 + lsr r9 + bld r9,7 + mov r10,r9 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + mov r9,r3 + mov r0,r1 + lsr r27 + ror r0 + lsr r27 + ror r0 + or r27,r0 + mov r3,r27 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + mov r27,r2 + lsl r30 + adc r30,r1 + mov r2,r30 + mov r30,r18 + mov r31,r19 + mov r25,r20 + mov r16,r21 + mov r17,r22 + mov r18,r25 + mov r0,r31 + com r0 + and r18,r0 + eor r18,r30 + mov r19,r16 + mov r0,r25 + com r0 + and r19,r0 + eor r19,r31 + mov r20,r17 + mov r0,r16 + com r0 + and r20,r0 + eor r20,r25 + mov r21,r30 + mov r0,r17 + 
com r0 + and r21,r0 + eor r21,r16 + mov r22,r31 + mov r0,r30 + com r0 + and r22,r0 + eor r22,r17 + mov r30,r23 + mov r31,r26 + mov r25,r27 + mov r16,r28 + mov r17,r29 + mov r23,r25 + mov r0,r31 + com r0 + and r23,r0 + eor r23,r30 + mov r26,r16 + mov r0,r25 + com r0 + and r26,r0 + eor r26,r31 + mov r27,r17 + mov r0,r16 + com r0 + and r27,r0 + eor r27,r25 + mov r28,r30 + mov r0,r17 + com r0 + and r28,r0 + eor r28,r16 + mov r29,r31 + mov r0,r30 + com r0 + and r29,r0 + eor r29,r17 + mov r30,r2 + mov r31,r3 + mov r25,r4 + mov r16,r5 + mov r17,r6 + mov r2,r25 + mov r0,r31 + com r0 + and r2,r0 + eor r2,r30 + mov r3,r16 + mov r0,r25 + com r0 + and r3,r0 + eor r3,r31 + mov r4,r17 + mov r0,r16 + com r0 + and r4,r0 + eor r4,r25 + mov r5,r30 + mov r0,r17 + com r0 + and r5,r0 + eor r5,r16 + mov r6,r31 + mov r0,r30 + com r0 + and r6,r0 + eor r6,r17 + mov r30,r7 + mov r31,r8 + mov r25,r9 + mov r16,r10 + mov r17,r11 + mov r7,r25 + mov r0,r31 + com r0 + and r7,r0 + eor r7,r30 + mov r8,r16 + mov r0,r25 + com r0 + and r8,r0 + eor r8,r31 + mov r9,r17 + mov r0,r16 + com r0 + and r9,r0 + eor r9,r25 + mov r10,r30 + mov r0,r17 + com r0 + and r10,r0 + eor r10,r16 + mov r11,r31 + mov r0,r30 + com r0 + and r11,r0 + eor r11,r17 + mov r30,r12 + mov r31,r13 + mov r25,r14 + mov r16,r15 + mov r17,r24 + mov r12,r25 + mov r0,r31 + com r0 + and r12,r0 + eor r12,r30 + mov r13,r16 + mov r0,r25 + com r0 + and r13,r0 + eor r13,r31 + mov r14,r17 + mov r0,r16 + com r0 + and r14,r0 + eor r14,r25 + mov r15,r30 + mov r0,r17 + com r0 + and r15,r0 + eor r15,r16 + mov r24,r31 + mov r0,r30 + com r0 + and r24,r0 + eor r24,r17 + ret +420: + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r22 + std Z+5,r23 + std Z+6,r26 + std Z+7,r27 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r4 + std Z+13,r5 + std Z+14,r6 + std Z+15,r7 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + std Z+24,r24 + pop 
r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size keccakp_200_permute, .-keccakp_200_permute + + .text +.global keccakp_400_permute + .type keccakp_400_permute, @function +keccakp_400_permute: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + movw r30,r24 +.L__stack_usage = 17 + ld r6,Z + ldd r7,Z+1 + ldd r8,Z+2 + ldd r9,Z+3 + ldd r10,Z+4 + ldd r11,Z+5 + ldd r12,Z+6 + ldd r13,Z+7 + ldd r14,Z+8 + ldd r15,Z+9 + cpi r22,20 + brcs 15f + rcall 153f + ldi r23,1 + eor r6,r23 +15: + cpi r22,19 + brcs 23f + rcall 153f + ldi r23,130 + eor r6,r23 + ldi r17,128 + eor r7,r17 +23: + cpi r22,18 + brcs 31f + rcall 153f + ldi r23,138 + eor r6,r23 + ldi r17,128 + eor r7,r17 +31: + cpi r22,17 + brcs 37f + rcall 153f + ldi r23,128 + eor r7,r23 +37: + cpi r22,16 + brcs 45f + rcall 153f + ldi r23,139 + eor r6,r23 + ldi r17,128 + eor r7,r17 +45: + cpi r22,15 + brcs 51f + rcall 153f + ldi r23,1 + eor r6,r23 +51: + cpi r22,14 + brcs 59f + rcall 153f + ldi r23,129 + eor r6,r23 + ldi r17,128 + eor r7,r17 +59: + cpi r22,13 + brcs 67f + rcall 153f + ldi r23,9 + eor r6,r23 + ldi r17,128 + eor r7,r17 +67: + cpi r22,12 + brcs 73f + rcall 153f + ldi r23,138 + eor r6,r23 +73: + cpi r22,11 + brcs 79f + rcall 153f + ldi r23,136 + eor r6,r23 +79: + cpi r22,10 + brcs 87f + rcall 153f + ldi r23,9 + eor r6,r23 + ldi r17,128 + eor r7,r17 +87: + cpi r22,9 + brcs 93f + rcall 153f + ldi r23,10 + eor r6,r23 +93: + cpi r22,8 + brcs 101f + rcall 153f + ldi r23,139 + eor r6,r23 + ldi r17,128 + eor r7,r17 +101: + cpi r22,7 + brcs 107f + rcall 153f + ldi r23,139 + eor r6,r23 +107: + cpi r22,6 + brcs 115f + rcall 153f + ldi r23,137 + eor r6,r23 + ldi r17,128 + eor r7,r17 +115: + cpi r22,5 + brcs 123f + rcall 153f + ldi r23,3 + eor r6,r23 + ldi r17,128 + eor r7,r17 +123: + cpi 
r22,4 + brcs 131f + rcall 153f + ldi r23,2 + eor r6,r23 + ldi r17,128 + eor r7,r17 +131: + cpi r22,3 + brcs 137f + rcall 153f + ldi r23,128 + eor r6,r23 +137: + cpi r22,2 + brcs 145f + rcall 153f + ldi r23,10 + eor r6,r23 + ldi r17,128 + eor r7,r17 +145: + cpi r22,1 + brcs 151f + rcall 153f + ldi r23,10 + eor r6,r23 +151: + rjmp 1004f +153: + movw r18,r6 + ldd r0,Z+10 + eor r18,r0 + ldd r0,Z+11 + eor r19,r0 + ldd r0,Z+20 + eor r18,r0 + ldd r0,Z+21 + eor r19,r0 + ldd r0,Z+30 + eor r18,r0 + ldd r0,Z+31 + eor r19,r0 + ldd r0,Z+40 + eor r18,r0 + ldd r0,Z+41 + eor r19,r0 + movw r20,r8 + ldd r0,Z+12 + eor r20,r0 + ldd r0,Z+13 + eor r21,r0 + ldd r0,Z+22 + eor r20,r0 + ldd r0,Z+23 + eor r21,r0 + ldd r0,Z+32 + eor r20,r0 + ldd r0,Z+33 + eor r21,r0 + ldd r0,Z+42 + eor r20,r0 + ldd r0,Z+43 + eor r21,r0 + movw r26,r10 + ldd r0,Z+14 + eor r26,r0 + ldd r0,Z+15 + eor r27,r0 + ldd r0,Z+24 + eor r26,r0 + ldd r0,Z+25 + eor r27,r0 + ldd r0,Z+34 + eor r26,r0 + ldd r0,Z+35 + eor r27,r0 + ldd r0,Z+44 + eor r26,r0 + ldd r0,Z+45 + eor r27,r0 + movw r2,r12 + ldd r0,Z+16 + eor r2,r0 + ldd r0,Z+17 + eor r3,r0 + ldd r0,Z+26 + eor r2,r0 + ldd r0,Z+27 + eor r3,r0 + ldd r0,Z+36 + eor r2,r0 + ldd r0,Z+37 + eor r3,r0 + ldd r0,Z+46 + eor r2,r0 + ldd r0,Z+47 + eor r3,r0 + movw r4,r14 + ldd r0,Z+18 + eor r4,r0 + ldd r0,Z+19 + eor r5,r0 + ldd r0,Z+28 + eor r4,r0 + ldd r0,Z+29 + eor r5,r0 + ldd r0,Z+38 + eor r4,r0 + ldd r0,Z+39 + eor r5,r0 + ldd r0,Z+48 + eor r4,r0 + ldd r0,Z+49 + eor r5,r0 + movw r24,r20 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r4 + eor r25,r5 + eor r6,r24 + eor r7,r25 + ldd r0,Z+10 + eor r0,r24 + std Z+10,r0 + ldd r0,Z+11 + eor r0,r25 + std Z+11,r0 + ldd r0,Z+20 + eor r0,r24 + std Z+20,r0 + ldd r0,Z+21 + eor r0,r25 + std Z+21,r0 + ldd r0,Z+30 + eor r0,r24 + std Z+30,r0 + ldd r0,Z+31 + eor r0,r25 + std Z+31,r0 + ldd r0,Z+40 + eor r0,r24 + std Z+40,r0 + ldd r0,Z+41 + eor r0,r25 + std Z+41,r0 + movw r24,r26 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r18 + eor r25,r19 + eor r8,r24 + 
eor r9,r25 + ldd r0,Z+12 + eor r0,r24 + std Z+12,r0 + ldd r0,Z+13 + eor r0,r25 + std Z+13,r0 + ldd r0,Z+22 + eor r0,r24 + std Z+22,r0 + ldd r0,Z+23 + eor r0,r25 + std Z+23,r0 + ldd r0,Z+32 + eor r0,r24 + std Z+32,r0 + ldd r0,Z+33 + eor r0,r25 + std Z+33,r0 + ldd r0,Z+42 + eor r0,r24 + std Z+42,r0 + ldd r0,Z+43 + eor r0,r25 + std Z+43,r0 + movw r24,r2 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r20 + eor r25,r21 + eor r10,r24 + eor r11,r25 + ldd r0,Z+14 + eor r0,r24 + std Z+14,r0 + ldd r0,Z+15 + eor r0,r25 + std Z+15,r0 + ldd r0,Z+24 + eor r0,r24 + std Z+24,r0 + ldd r0,Z+25 + eor r0,r25 + std Z+25,r0 + ldd r0,Z+34 + eor r0,r24 + std Z+34,r0 + ldd r0,Z+35 + eor r0,r25 + std Z+35,r0 + ldd r0,Z+44 + eor r0,r24 + std Z+44,r0 + ldd r0,Z+45 + eor r0,r25 + std Z+45,r0 + movw r24,r4 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r26 + eor r25,r27 + eor r12,r24 + eor r13,r25 + ldd r0,Z+16 + eor r0,r24 + std Z+16,r0 + ldd r0,Z+17 + eor r0,r25 + std Z+17,r0 + ldd r0,Z+26 + eor r0,r24 + std Z+26,r0 + ldd r0,Z+27 + eor r0,r25 + std Z+27,r0 + ldd r0,Z+36 + eor r0,r24 + std Z+36,r0 + ldd r0,Z+37 + eor r0,r25 + std Z+37,r0 + ldd r0,Z+46 + eor r0,r24 + std Z+46,r0 + ldd r0,Z+47 + eor r0,r25 + std Z+47,r0 + movw r24,r18 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r2 + eor r25,r3 + eor r14,r24 + eor r15,r25 + ldd r0,Z+18 + eor r0,r24 + std Z+18,r0 + ldd r0,Z+19 + eor r0,r25 + std Z+19,r0 + ldd r0,Z+28 + eor r0,r24 + std Z+28,r0 + ldd r0,Z+29 + eor r0,r25 + std Z+29,r0 + ldd r0,Z+38 + eor r0,r24 + std Z+38,r0 + ldd r0,Z+39 + eor r0,r25 + std Z+39,r0 + ldd r0,Z+48 + eor r0,r24 + std Z+48,r0 + ldd r0,Z+49 + eor r0,r25 + std Z+49,r0 + movw r24,r8 + ldd r8,Z+12 + ldd r9,Z+13 + mov r0,r9 + mov r9,r8 + mov r8,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldd r18,Z+18 + ldd r19,Z+19 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std 
Z+12,r18 + std Z+13,r19 + ldd r18,Z+44 + ldd r19,Z+45 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+18,r18 + std Z+19,r19 + ldd r18,Z+28 + ldd r19,Z+29 + mov r0,r19 + mov r19,r18 + mov r18,r0 + bst r18,0 + lsr r19 + ror r18 + bld r19,7 + std Z+44,r18 + std Z+45,r19 + ldd r18,Z+40 + ldd r19,Z+41 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+28,r18 + std Z+29,r19 + movw r18,r10 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+40,r18 + std Z+41,r19 + ldd r10,Z+24 + ldd r11,Z+25 + mov r0,r11 + mov r11,r10 + mov r10,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldd r18,Z+26 + ldd r19,Z+27 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + std Z+24,r18 + std Z+25,r19 + ldd r18,Z+38 + ldd r19,Z+39 + mov r0,r19 + mov r19,r18 + mov r18,r0 + std Z+26,r18 + std Z+27,r19 + ldd r18,Z+46 + ldd r19,Z+47 + mov r0,r19 + mov r19,r18 + mov r18,r0 + std Z+38,r18 + std Z+39,r19 + ldd r18,Z+30 + ldd r19,Z+31 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + std Z+46,r18 + std Z+47,r19 + movw r18,r14 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+30,r18 + std Z+31,r19 + ldd r14,Z+48 + ldd r15,Z+49 + mov r0,r1 + lsr r15 + ror r14 + ror r0 + lsr r15 + ror r14 + ror r0 + or r15,r0 + ldd r18,Z+42 + ldd r19,Z+43 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+48,r18 + std Z+49,r19 + ldd r18,Z+16 + ldd r19,Z+17 + mov r0,r19 + mov r19,r18 + mov r18,r0 + bst r18,0 + lsr r19 + ror r18 + bld r19,7 + std Z+42,r18 + std Z+43,r19 + ldd r18,Z+32 + ldd r19,Z+33 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+16,r18 + std Z+17,r19 + ldd r18,Z+10 + ldd r19,Z+11 + lsl 
r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+32,r18 + std Z+33,r19 + movw r18,r12 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+10,r18 + std Z+11,r19 + ldd r12,Z+36 + ldd r13,Z+37 + mov r0,r13 + mov r13,r12 + mov r12,r0 + mov r0,r1 + lsr r13 + ror r12 + ror r0 + lsr r13 + ror r12 + ror r0 + lsr r13 + ror r12 + ror r0 + or r13,r0 + ldd r18,Z+34 + ldd r19,Z+35 + bst r18,0 + lsr r19 + ror r18 + bld r19,7 + std Z+36,r18 + std Z+37,r19 + ldd r18,Z+22 + ldd r19,Z+23 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+34,r18 + std Z+35,r19 + ldd r18,Z+14 + ldd r19,Z+15 + mov r0,r19 + mov r19,r18 + mov r18,r0 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+22,r18 + std Z+23,r19 + ldd r18,Z+20 + ldd r19,Z+21 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+14,r18 + std Z+15,r19 + lsl r24 + rol r25 + adc r24,r1 + std Z+20,r24 + std Z+21,r25 + movw r18,r6 + movw r20,r8 + movw r26,r10 + movw r2,r12 + movw r4,r14 + movw r6,r26 + mov r0,r20 + com r0 + and r6,r0 + mov r0,r21 + com r0 + and r7,r0 + eor r6,r18 + eor r7,r19 + movw r8,r2 + mov r0,r26 + com r0 + and r8,r0 + mov r0,r27 + com r0 + and r9,r0 + eor r8,r20 + eor r9,r21 + movw r10,r4 + mov r0,r2 + com r0 + and r10,r0 + mov r0,r3 + com r0 + and r11,r0 + eor r10,r26 + eor r11,r27 + movw r12,r18 + mov r0,r4 + com r0 + and r12,r0 + mov r0,r5 + com r0 + and r13,r0 + eor r12,r2 + eor r13,r3 + movw r14,r20 + mov r0,r18 + com r0 + and r14,r0 + mov r0,r19 + com r0 + and r15,r0 + eor r14,r4 + eor r15,r5 + ldd r18,Z+10 + ldd r19,Z+11 + ldd r20,Z+12 + ldd r21,Z+13 + ldd r26,Z+14 + ldd r27,Z+15 + ldd r2,Z+16 + ldd r3,Z+17 + ldd r4,Z+18 + ldd r5,Z+19 + movw 
r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+10,r24 + std Z+11,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+12,r24 + std Z+13,r25 + movw r24,r4 + mov r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+14,r24 + std Z+15,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+16,r24 + std Z+17,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+18,r24 + std Z+19,r25 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r4,Z+28 + ldd r5,Z+29 + movw r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+20,r24 + std Z+21,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+22,r24 + std Z+23,r25 + movw r24,r4 + mov r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+24,r24 + std Z+25,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+26,r24 + std Z+27,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+28,r24 + std Z+29,r25 + ldd r18,Z+30 + ldd r19,Z+31 + ldd r20,Z+32 + ldd r21,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r2,Z+36 + ldd r3,Z+37 + ldd r4,Z+38 + ldd r5,Z+39 + movw r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+30,r24 + std Z+31,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+32,r24 + std Z+33,r25 + movw r24,r4 + mov 
r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+34,r24 + std Z+35,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+36,r24 + std Z+37,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+38,r24 + std Z+39,r25 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + ldd r26,Z+44 + ldd r27,Z+45 + ldd r2,Z+46 + ldd r3,Z+47 + ldd r4,Z+48 + ldd r5,Z+49 + movw r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+40,r24 + std Z+41,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+42,r24 + std Z+43,r25 + movw r24,r4 + mov r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+44,r24 + std Z+45,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+46,r24 + std Z+47,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+48,r24 + std Z+49,r25 + ret +1004: + st Z,r6 + std Z+1,r7 + std Z+2,r8 + std Z+3,r9 + std Z+4,r10 + std Z+5,r11 + std Z+6,r12 + std Z+7,r13 + std Z+8,r14 + std Z+9,r15 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size keccakp_400_permute, .-keccakp_400_permute + +#endif diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.c b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.c index c3c4011..60539df 100644 --- a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.c +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.c 
@@ -22,74 +22,79 @@ #include "internal-keccak.h" +#if !defined(__AVR__) + /* Faster method to compute ((x + y) % 5) that avoids the division */ static unsigned char const addMod5Table[9] = { 0, 1, 2, 3, 4, 0, 1, 2, 3 }; #define addMod5(x, y) (addMod5Table[(x) + (y)]) -void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds) +void keccakp_200_permute(keccakp_200_state_t *state) { static uint8_t const RC[18] = { 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, 0x02, 0x80 }; - uint8_t B[5][5]; + uint8_t C[5]; uint8_t D; unsigned round; unsigned index, index2; - for (round = 18 - rounds; round < 18; ++round) { + for (round = 0; round < 18; ++round) { /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. To save a bit of memory, - * we use the first row of B to store C and compute D on the fly */ + * arrays of size 5 called C and D. Compute D on the fly */ for (index = 0; index < 5; ++index) { - B[0][index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; + C[index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; } for (index = 0; index < 5; ++index) { - D = B[0][addMod5(index, 4)] ^ - leftRotate1_8(B[0][addMod5(index, 1)]); + D = C[addMod5(index, 4)] ^ + leftRotate1_8(C[addMod5(index, 1)]); for (index2 = 0; index2 < 5; ++index2) state->A[index2][index] ^= D; } /* Step mapping rho and pi combined into a single step. 
* Rotate all lanes by a specific offset and rearrange */ - B[0][0] = state->A[0][0]; - B[1][0] = leftRotate4_8(state->A[0][3]); - B[2][0] = leftRotate1_8(state->A[0][1]); - B[3][0] = leftRotate3_8(state->A[0][4]); - B[4][0] = leftRotate6_8(state->A[0][2]); - B[0][1] = leftRotate4_8(state->A[1][1]); - B[1][1] = leftRotate4_8(state->A[1][4]); - B[2][1] = leftRotate6_8(state->A[1][2]); - B[3][1] = leftRotate4_8(state->A[1][0]); - B[4][1] = leftRotate7_8(state->A[1][3]); - B[0][2] = leftRotate3_8(state->A[2][2]); - B[1][2] = leftRotate3_8(state->A[2][0]); - B[2][2] = leftRotate1_8(state->A[2][3]); - B[3][2] = leftRotate2_8(state->A[2][1]); - B[4][2] = leftRotate7_8(state->A[2][4]); - B[0][3] = leftRotate5_8(state->A[3][3]); - B[1][3] = leftRotate5_8(state->A[3][1]); - B[2][3] = state->A[3][4]; - B[3][3] = leftRotate7_8(state->A[3][2]); - B[4][3] = leftRotate1_8(state->A[3][0]); - B[0][4] = leftRotate6_8(state->A[4][4]); - B[1][4] = leftRotate5_8(state->A[4][2]); - B[2][4] = leftRotate2_8(state->A[4][0]); - B[3][4] = state->A[4][3]; - B[4][4] = leftRotate2_8(state->A[4][1]); + D = state->A[0][1]; + state->A[0][1] = leftRotate4_8(state->A[1][1]); + state->A[1][1] = leftRotate4_8(state->A[1][4]); + state->A[1][4] = leftRotate5_8(state->A[4][2]); + state->A[4][2] = leftRotate7_8(state->A[2][4]); + state->A[2][4] = leftRotate2_8(state->A[4][0]); + state->A[4][0] = leftRotate6_8(state->A[0][2]); + state->A[0][2] = leftRotate3_8(state->A[2][2]); + state->A[2][2] = leftRotate1_8(state->A[2][3]); + state->A[2][3] = state->A[3][4]; + state->A[3][4] = state->A[4][3]; + state->A[4][3] = leftRotate1_8(state->A[3][0]); + state->A[3][0] = leftRotate3_8(state->A[0][4]); + state->A[0][4] = leftRotate6_8(state->A[4][4]); + state->A[4][4] = leftRotate2_8(state->A[4][1]); + state->A[4][1] = leftRotate7_8(state->A[1][3]); + state->A[1][3] = leftRotate5_8(state->A[3][1]); + state->A[3][1] = leftRotate4_8(state->A[1][0]); + state->A[1][0] = leftRotate4_8(state->A[0][3]); + state->A[0][3] = 
leftRotate5_8(state->A[3][3]); + state->A[3][3] = leftRotate7_8(state->A[3][2]); + state->A[3][2] = leftRotate2_8(state->A[2][1]); + state->A[2][1] = leftRotate6_8(state->A[1][2]); + state->A[1][2] = leftRotate3_8(state->A[2][0]); + state->A[2][0] = leftRotate1_8(D); /* Step mapping chi. Combine each lane with two others in its row */ for (index = 0; index < 5; ++index) { + C[0] = state->A[index][0]; + C[1] = state->A[index][1]; + C[2] = state->A[index][2]; + C[3] = state->A[index][3]; + C[4] = state->A[index][4]; for (index2 = 0; index2 < 5; ++index2) { - state->A[index2][index] = - B[index2][index] ^ - ((~B[index2][addMod5(index, 1)]) & - B[index2][addMod5(index, 2)]); + state->A[index][index2] = + C[index2] ^ + ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); } } 
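Review bot: The in-place rho/pi step is now a 24-assignment cycle whose correctness rests entirely on statement order — each line reads the lane the previous line has just overwritten — but the only comment is the inherited "Rotate all lanes by a specific offset and rearrange", so a reordering or copy-paste edit would silently corrupt the permutation with nothing in the code to warn the editor. I would put, above `D = state->A[0][1];`, a comment such as `/* Walk the pi cycle starting at A[0][1]: every assignment consumes the lane the preceding one vacated, so the order of these 24 lines must not change; D carries the first lane until the cycle closes at A[2][0] */`. Reusing the theta temporary `D` as the saved lane also reads oddly right after the "Compute D on the fly" comment; a separately named `uint8_t tmp` would cost nothing, and `round < 18` duplicates the `RC[18]` bound that `sizeof(RC)` would tie together. The keccakp_400_permute_host hunk below has the identical 24-line cycle and the same missing comment. The function body continues past the hunk (the rest of the round and the closing brace are outside this view).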
@@ -110,61 +115,64 @@ void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, 0x8002, 0x0080, 0x800A, 0x000A }; - uint16_t B[5][5]; + uint16_t C[5]; uint16_t D; unsigned round; unsigned index, index2; for (round = 20 - rounds; round < 20; ++round) { /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. To save a bit of memory, - * we use the first row of B to store C and compute D on the fly */ + * arrays of size 5 called C and D. Compute D on the fly */ for (index = 0; index < 5; ++index) { - B[0][index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; + C[index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; } for (index = 0; index < 5; ++index) { - D = B[0][addMod5(index, 4)] ^ - leftRotate1_16(B[0][addMod5(index, 1)]); + D = C[addMod5(index, 4)] ^ + leftRotate1_16(C[addMod5(index, 1)]); for (index2 = 0; index2 < 5; ++index2) state->A[index2][index] ^= D; } /* Step mapping rho and pi combined into a single step. 
* Rotate all lanes by a specific offset and rearrange */ - B[0][0] = state->A[0][0]; - B[1][0] = leftRotate12_16(state->A[0][3]); - B[2][0] = leftRotate1_16 (state->A[0][1]); - B[3][0] = leftRotate11_16(state->A[0][4]); - B[4][0] = leftRotate14_16(state->A[0][2]); - B[0][1] = leftRotate12_16(state->A[1][1]); - B[1][1] = leftRotate4_16 (state->A[1][4]); - B[2][1] = leftRotate6_16 (state->A[1][2]); - B[3][1] = leftRotate4_16 (state->A[1][0]); - B[4][1] = leftRotate7_16 (state->A[1][3]); - B[0][2] = leftRotate11_16(state->A[2][2]); - B[1][2] = leftRotate3_16 (state->A[2][0]); - B[2][2] = leftRotate9_16 (state->A[2][3]); - B[3][2] = leftRotate10_16(state->A[2][1]); - B[4][2] = leftRotate7_16 (state->A[2][4]); - B[0][3] = leftRotate5_16 (state->A[3][3]); - B[1][3] = leftRotate13_16(state->A[3][1]); - B[2][3] = leftRotate8_16 (state->A[3][4]); - B[3][3] = leftRotate15_16(state->A[3][2]); - B[4][3] = leftRotate9_16 (state->A[3][0]); - B[0][4] = leftRotate14_16(state->A[4][4]); - B[1][4] = leftRotate13_16(state->A[4][2]); - B[2][4] = leftRotate2_16 (state->A[4][0]); - B[3][4] = leftRotate8_16 (state->A[4][3]); - B[4][4] = leftRotate2_16 (state->A[4][1]); + D = state->A[0][1]; + state->A[0][1] = leftRotate12_16(state->A[1][1]); + state->A[1][1] = leftRotate4_16 (state->A[1][4]); + state->A[1][4] = leftRotate13_16(state->A[4][2]); + state->A[4][2] = leftRotate7_16 (state->A[2][4]); + state->A[2][4] = leftRotate2_16 (state->A[4][0]); + state->A[4][0] = leftRotate14_16(state->A[0][2]); + state->A[0][2] = leftRotate11_16(state->A[2][2]); + state->A[2][2] = leftRotate9_16 (state->A[2][3]); + state->A[2][3] = leftRotate8_16 (state->A[3][4]); + state->A[3][4] = leftRotate8_16 (state->A[4][3]); + state->A[4][3] = leftRotate9_16 (state->A[3][0]); + state->A[3][0] = leftRotate11_16(state->A[0][4]); + state->A[0][4] = leftRotate14_16(state->A[4][4]); + state->A[4][4] = leftRotate2_16 (state->A[4][1]); + state->A[4][1] = leftRotate7_16 (state->A[1][3]); + state->A[1][3] = 
leftRotate13_16(state->A[3][1]); + state->A[3][1] = leftRotate4_16 (state->A[1][0]); + state->A[1][0] = leftRotate12_16(state->A[0][3]); + state->A[0][3] = leftRotate5_16 (state->A[3][3]); + state->A[3][3] = leftRotate15_16(state->A[3][2]); + state->A[3][2] = leftRotate10_16(state->A[2][1]); + state->A[2][1] = leftRotate6_16 (state->A[1][2]); + state->A[1][2] = leftRotate3_16 (state->A[2][0]); + state->A[2][0] = leftRotate1_16(D); /* Step mapping chi. Combine each lane with two others in its row */ for (index = 0; index < 5; ++index) { + C[0] = state->A[index][0]; + C[1] = state->A[index][1]; + C[2] = state->A[index][2]; + C[3] = state->A[index][3]; + C[4] = state->A[index][4]; for (index2 = 0; index2 < 5; ++index2) { - state->A[index2][index] = - B[index2][index] ^ - ((~B[index2][addMod5(index, 1)]) & - B[index2][addMod5(index, 2)]); + state->A[index][index2] = + C[index2] ^ + ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); } } @@ -202,3 +210,5 @@ void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) } #endif + +#endif /* !__AVR__ */ diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.h b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.h index 026da50..2ffef42 100644 --- a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.h +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-keccak.h @@ -68,9 +68,8 @@ typedef union * \brief Permutes the Keccak-p[200] state. * * \param state The Keccak-p[200] state to be permuted. - * \param rounds The number of rounds to perform (up to 18). */ -void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds); +void keccakp_200_permute(keccakp_200_state_t *state); /** * \brief Permutes the Keccak-p[400] state, which is assumed to be in diff --git a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-util.h b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-util.h index e79158c..e30166d 100644 
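Review bot: With the `rounds` parameter removed from keccakp_200_permute, the header comment no longer states how many rounds are applied, which callers previously chose themselves; the implementation in this commit always runs 18, so the doc should say so, e.g. replace the deleted `\param` line with ` * All 18 rounds of Keccak-p[200] are performed.`. Since keccakp_400_permute keeps its `rounds` argument (visible in the `@@ -202,3 +210,5 @@` context), a sentence noting that the two permutations now differ in this respect would spare the next reader from assuming a matching signature.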
--- a/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-util.h +++ b/isap/Implementations/crypto_aead/isapa128v20/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/aead-common.c b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
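Review bot: Each composed macro nests the generic `leftRotate`/`rightRotate` up to five levels deep, and the tail visible at the top of the preceding hunk (`(_temp >> (bits)) | (_temp << (32 - (bits))); })`) suggests those generics are statement expressions declaring a local `_temp`; every nesting level then declares a `_temp` that shadows the outer one, which is legal but fires `-Wshadow` at every use site and makes preprocessor diagnostics hard to read. If the generic macro body does work that way, `static inline uint32_t` helpers per rotation count (or distinct inner names) would avoid the shadowing with the same code on GCC. As far as the visible generic body shows, the composed forms remain straight-line shifts and ORs with no data-dependent branch, so the permutations' constant-time behaviour is unchanged on the AVR path; a one-line comment saying so next to `/* Composed rotation macros where 1 and 8 are fast, but others are slow */` would document that this property was considered.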
--- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/aead-common.h b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/api.h b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/encrypt.c b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/encrypt.c deleted file mode 100644 index c54de88..0000000 --- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "isap.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return isap_keccak_128a_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return isap_keccak_128a_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} 
diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-ascon-avr.S b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-ascon-avr.S deleted file mode 100644 index e8a4fb4..0000000 --- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-ascon-avr.S +++ /dev/null 
@@ -1,778 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global ascon_permute - .type ascon_permute, @function -ascon_permute: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ldi r18,15 - sub r18,r22 - swap r18 - or r22,r18 - ldd r3,Z+16 - ldd r2,Z+17 - ldd r27,Z+18 - ldd r26,Z+19 - ldd r21,Z+20 - ldd r20,Z+21 - ldd r19,Z+22 - ldd r18,Z+23 - ldd r11,Z+32 - ldd r10,Z+33 - ldd r9,Z+34 - ldd r8,Z+35 - ldd r7,Z+36 - ldd r6,Z+37 - ldd r5,Z+38 - ldd r4,Z+39 -20: - eor r18,r22 - ldd r23,Z+7 - ldd r12,Z+15 - ldd r13,Z+31 - eor r23,r4 - eor r4,r13 - eor r18,r12 - mov r14,r23 - mov r15,r12 - mov r24,r18 - mov r25,r13 - mov r16,r4 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r18 - and r24,r13 - and r25,r4 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r18,r25 - eor r13,r16 - eor r4,r14 - eor r12,r23 - eor r23,r4 - eor r13,r18 - com r18 - std Z+7,r23 - std Z+15,r12 - std Z+31,r13 - std Z+39,r4 - ldd r23,Z+6 - ldd r12,Z+14 - ldd r13,Z+30 - eor r23,r5 - eor r5,r13 - eor r19,r12 - mov r14,r23 - mov r15,r12 - mov r24,r19 - mov r25,r13 - mov r16,r5 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r19 - and r24,r13 - and r25,r5 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r19,r25 - eor r13,r16 - eor r5,r14 - eor r12,r23 - eor r23,r5 - eor r13,r19 - com r19 - std Z+6,r23 - std Z+14,r12 - std Z+30,r13 - std Z+38,r5 - ldd r23,Z+5 - ldd r12,Z+13 - ldd r13,Z+29 - eor r23,r6 - eor r6,r13 - eor r20,r12 - mov r14,r23 - mov r15,r12 - mov r24,r20 - mov r25,r13 - mov r16,r6 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r20 - and r24,r13 - and r25,r6 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r20,r25 - eor r13,r16 - eor r6,r14 - eor r12,r23 - eor r23,r6 - eor r13,r20 - com r20 - std Z+5,r23 - std 
Z+13,r12 - std Z+29,r13 - std Z+37,r6 - ldd r23,Z+4 - ldd r12,Z+12 - ldd r13,Z+28 - eor r23,r7 - eor r7,r13 - eor r21,r12 - mov r14,r23 - mov r15,r12 - mov r24,r21 - mov r25,r13 - mov r16,r7 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r21 - and r24,r13 - and r25,r7 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r21,r25 - eor r13,r16 - eor r7,r14 - eor r12,r23 - eor r23,r7 - eor r13,r21 - com r21 - std Z+4,r23 - std Z+12,r12 - std Z+28,r13 - std Z+36,r7 - ldd r23,Z+3 - ldd r12,Z+11 - ldd r13,Z+27 - eor r23,r8 - eor r8,r13 - eor r26,r12 - mov r14,r23 - mov r15,r12 - mov r24,r26 - mov r25,r13 - mov r16,r8 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r26 - and r24,r13 - and r25,r8 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r26,r25 - eor r13,r16 - eor r8,r14 - eor r12,r23 - eor r23,r8 - eor r13,r26 - com r26 - std Z+3,r23 - std Z+11,r12 - std Z+27,r13 - std Z+35,r8 - ldd r23,Z+2 - ldd r12,Z+10 - ldd r13,Z+26 - eor r23,r9 - eor r9,r13 - eor r27,r12 - mov r14,r23 - mov r15,r12 - mov r24,r27 - mov r25,r13 - mov r16,r9 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r27 - and r24,r13 - and r25,r9 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r27,r25 - eor r13,r16 - eor r9,r14 - eor r12,r23 - eor r23,r9 - eor r13,r27 - com r27 - std Z+2,r23 - std Z+10,r12 - std Z+26,r13 - std Z+34,r9 - ldd r23,Z+1 - ldd r12,Z+9 - ldd r13,Z+25 - eor r23,r10 - eor r10,r13 - eor r2,r12 - mov r14,r23 - mov r15,r12 - mov r24,r2 - mov r25,r13 - mov r16,r10 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r2 - and r24,r13 - and r25,r10 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r2,r25 - eor r13,r16 - eor r10,r14 - eor r12,r23 - eor r23,r10 - eor r13,r2 - com r2 - std Z+1,r23 - std Z+9,r12 - std Z+25,r13 - std Z+33,r10 - ld r23,Z - ldd r12,Z+8 - ldd r13,Z+24 - eor r23,r11 - eor r11,r13 - eor r3,r12 - mov r14,r23 - mov r15,r12 - mov r24,r3 - mov r25,r13 - mov r16,r11 - com r14 - 
com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r3 - and r24,r13 - and r25,r11 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r3,r25 - eor r13,r16 - eor r11,r14 - eor r12,r23 - eor r23,r11 - eor r13,r3 - com r3 - st Z,r23 - std Z+8,r12 - std Z+24,r13 - std Z+32,r11 - ld r11,Z - ldd r10,Z+1 - ldd r9,Z+2 - ldd r8,Z+3 - ldd r7,Z+4 - ldd r6,Z+5 - ldd r5,Z+6 - ldd r4,Z+7 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - mov r0,r12 - mov r12,r14 - mov r14,r24 - mov r24,r16 - mov r16,r0 - mov r0,r13 - mov r13,r15 - mov r15,r25 - mov r25,r17 - mov r17,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - or r17,r0 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r23,r4 - mov r0,r5 - push r6 - mov r4,r7 - mov r5,r8 - mov r6,r9 - mov r7,r10 - mov r8,r11 - pop r11 - mov r10,r0 - mov r9,r23 - mov r0,r1 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - or r11,r0 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - st Z,r11 - std Z+1,r10 - std Z+2,r9 - std Z+3,r8 - std Z+4,r7 - std Z+5,r6 - std Z+6,r5 - std Z+7,r4 - ldd r11,Z+8 - ldd r10,Z+9 - ldd r9,Z+10 - ldd r8,Z+11 - ldd r7,Z+12 - ldd r6,Z+13 - ldd r5,Z+14 - ldd r4,Z+15 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol r16 - rol r17 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol 
r16 - rol r17 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol r16 - rol r17 - adc r12,r1 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r23,r9 - mov r0,r10 - push r11 - mov r11,r8 - mov r10,r7 - mov r9,r6 - mov r8,r5 - mov r7,r4 - pop r6 - mov r5,r0 - mov r4,r23 - lsl r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - adc r4,r1 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - std Z+8,r11 - std Z+9,r10 - std Z+10,r9 - std Z+11,r8 - std Z+12,r7 - std Z+13,r6 - std Z+14,r5 - std Z+15,r4 - movw r12,r18 - movw r14,r20 - movw r24,r26 - movw r16,r2 - bst r12,0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - bld r17,7 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - eor r24,r26 - eor r25,r27 - eor r16,r2 - eor r17,r3 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r26 - mov r26,r27 - mov r27,r2 - mov r2,r3 - mov r3,r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - rol r2 - rol r3 - adc r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - rol r2 - rol r3 - adc r18,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - eor r26,r24 - eor r27,r25 - eor r2,r16 - eor r3,r17 - ldd r11,Z+24 - ldd r10,Z+25 - ldd r9,Z+26 - ldd r8,Z+27 - ldd r7,Z+28 - ldd r6,Z+29 - ldd r5,Z+30 - ldd r4,Z+31 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - mov r0,r12 - mov r12,r13 - mov r13,r14 - mov r14,r15 - mov r15,r24 - mov r24,r25 - mov r25,r16 - mov r16,r17 - mov r17,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - or r17,r0 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r0,r4 - mov r4,r6 - mov r6,r8 - mov r8,r10 
- mov r10,r0 - mov r0,r5 - mov r5,r7 - mov r7,r9 - mov r9,r11 - mov r11,r0 - mov r0,r1 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - or r11,r0 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - std Z+24,r11 - std Z+25,r10 - std Z+26,r9 - std Z+27,r8 - std Z+28,r7 - std Z+29,r6 - std Z+30,r5 - std Z+31,r4 - ldd r11,Z+32 - ldd r10,Z+33 - ldd r9,Z+34 - ldd r8,Z+35 - ldd r7,Z+36 - ldd r6,Z+37 - ldd r5,Z+38 - ldd r4,Z+39 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - mov r0,r12 - mov r12,r13 - mov r13,r14 - mov r14,r15 - mov r15,r24 - mov r24,r25 - mov r25,r16 - mov r16,r17 - mov r17,r0 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol r16 - rol r17 - adc r12,r1 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r23,r9 - mov r0,r10 - push r11 - mov r11,r8 - mov r10,r7 - mov r9,r6 - mov r8,r5 - mov r7,r4 - pop r6 - mov r5,r0 - mov r4,r23 - mov r0,r1 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - or r11,r0 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - subi r22,15 - ldi r25,60 - cpse r22,r25 - rjmp 20b - std Z+16,r3 - std Z+17,r2 - std Z+18,r27 - std Z+19,r26 - std Z+20,r21 - std Z+21,r20 - std Z+22,r19 - std Z+23,r18 - std Z+32,r11 - std Z+33,r10 - std Z+34,r9 - std Z+35,r8 - std Z+36,r7 - std Z+37,r6 - std Z+38,r5 - std Z+39,r4 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size ascon_permute, .-ascon_permute - -#endif diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-ascon.c b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-ascon.c deleted file mode 100644 index 657aabe..0000000 
--- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-ascon.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-ascon.h"
-
-#if !defined(__AVR__)
-
-void ascon_permute(ascon_state_t *state, uint8_t first_round)
-{
- uint64_t t0, t1, t2, t3, t4;
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- uint64_t x0 = be_load_word64(state->B);
- uint64_t x1 = be_load_word64(state->B + 8);
- uint64_t x2 = be_load_word64(state->B + 16);
- uint64_t x3 = be_load_word64(state->B + 24);
- uint64_t x4 = be_load_word64(state->B + 32);
-#else
- uint64_t x0 = state->S[0];
- uint64_t x1 = state->S[1];
- uint64_t x2 = state->S[2];
- uint64_t x3 = state->S[3];
- uint64_t x4 = state->S[4];
-#endif
- while (first_round < 12) {
- /* Add the round constant to the state */
- x2 ^= ((0x0F - first_round) << 4) | first_round;
-
- /* Substitution layer - apply the s-box using bit-slicing
- * according to the algorithm recommended in the specification */
- x0 ^= x4; x4 ^= x3; x2 ^= x1;
- t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4;
- t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0;
- x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0;
- x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2;
-
- /* Linear diffusion layer */
- x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0);
- x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1);
- x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2);
- x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3);
- x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4);
-
- /* Move onto the next round */
- ++first_round;
- }
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- be_store_word64(state->B, x0);
- be_store_word64(state->B + 8, x1);
- be_store_word64(state->B + 16, x2);
- be_store_word64(state->B + 24, x3);
- be_store_word64(state->B + 32, x4);
-#else
- state->S[0] = x0;
- state->S[1] = x1;
- state->S[2] = x2;
- state->S[3] = x3;
- state->S[4] = x4;
-#endif
-}
-
-#endif /* !__AVR__ */
diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-ascon.h b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-ascon.h
deleted file mode 100644
index d3fa3ca..0000000
--- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-ascon.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_ASCON_H
-#define LW_INTERNAL_ASCON_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-ascon.h
- * \brief Internal implementation of the ASCON permutation.
- *
- * References: http://competitions.cr.yp.to/round3/asconv12.pdf,
- * http://ascon.iaik.tugraz.at/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Structure of the internal state of the ASCON permutation.
- */
-typedef union
-{
- uint64_t S[5]; /**< Words of the state */
- uint8_t B[40]; /**< Bytes of the state */
-
-} ascon_state_t;
-
-/**
- * \brief Permutes the ASCON state.
- *
- * \param state The ASCON state to be permuted.
- * \param first_round The first round (of 12) to be performed; 0, 4, or 6.
- *
- * The input and output \a state will be in big-endian byte order.
- */
-void ascon_permute(ascon_state_t *state, uint8_t first_round);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-isap.h b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-isap.h
deleted file mode 100644
index ba99f2a..0000000
--- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-isap.h
+++ /dev/null
@@ -1,249 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-/* We expect a number of macros to be defined before this file
- * is included to configure the underlying ISAP variant.
- *
- * ISAP_ALG_NAME Name of the ISAP algorithm; e.g. isap_keccak_128
- * ISAP_RATE Number of bytes in the rate for hashing and encryption.
- * ISAP_sH Number of rounds for hashing.
- * ISAP_sE Number of rounds for encryption.
- * ISAP_sB Number of rounds for key bit absorption.
- * ISAP_sK Number of rounds for keying.
- * ISAP_STATE Type for the permuation state; e.g. ascon_state_t
- * ISAP_PERMUTE(s,r) Permutes the state "s" with number of rounds "r".
- */
-#if defined(ISAP_ALG_NAME)
-
-#define ISAP_CONCAT_INNER(name,suffix) name##suffix
-#define ISAP_CONCAT(name,suffix) ISAP_CONCAT_INNER(name,suffix)
-
-/* IV string for initialising the associated data */
-static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_A)
- [sizeof(ISAP_STATE) - ISAP_NONCE_SIZE] = {
- 0x01, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1,
- ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK
-};
-
-/* IV string for authenticating associated data */
-static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA)
- [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = {
- 0x02, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1,
- ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK
-};
-
-/* IV string for encrypting payload data */
-static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE)
- [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = {
- 0x03, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1,
- ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK
-};
-
-/**
- * \brief Re-keys the ISAP permutation state.
- *
- * \param state The permutation state to be re-keyed.
- * \param k Points to the 128-bit key for the ISAP cipher.
- * \param iv Points to the initialization vector for this re-keying operation.
- * \param data Points to the data to be absorbed to perform the re-keying.
- * \param data_len Length of the data to be absorbed.
- *
- * The output key will be left in the leading bytes of \a state.
- */
-static void ISAP_CONCAT(ISAP_ALG_NAME,_rekey)
- (ISAP_STATE *state, const unsigned char *k, const unsigned char *iv,
- const unsigned char *data, unsigned data_len)
-{
- unsigned bit, num_bits;
-
- /* Initialize the state with the key and IV */
- memcpy(state->B, k, ISAP_KEY_SIZE);
- memcpy(state->B + ISAP_KEY_SIZE, iv, sizeof(state->B) - ISAP_KEY_SIZE);
- ISAP_PERMUTE(state, ISAP_sK);
-
- /* Absorb all of the bits of the data buffer one by one */
- num_bits = data_len * 8 - 1;
- for (bit = 0; bit < num_bits; ++bit) {
- state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80;
- ISAP_PERMUTE(state, ISAP_sB);
- }
- state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80;
- ISAP_PERMUTE(state, ISAP_sK);
-}
-
-/**
- * \brief Encrypts (or decrypts) a message payload with ISAP.
- *
- * \param state ISAP permutation state.
- * \param k Points to the 128-bit key for the ISAP cipher.
- * \param npub Points to the 128-bit nonce for the ISAP cipher.
- * \param c Buffer to receive the output ciphertext.
- * \param m Buffer to receive the input plaintext.
- * \param mlen Length of the input plaintext.
- */
-static void ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)
- (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub,
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Set up the re-keyed encryption key and nonce in the state */
- ISAP_CONCAT(ISAP_ALG_NAME,_rekey)
- (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE), npub, ISAP_NONCE_SIZE);
- memcpy(state->B + sizeof(ISAP_STATE) - ISAP_NONCE_SIZE,
- npub, ISAP_NONCE_SIZE);
-
- /* Encrypt the plaintext to produce the ciphertext */
- while (mlen >= ISAP_RATE) {
- ISAP_PERMUTE(state, ISAP_sE);
- lw_xor_block_2_src(c, state->B, m, ISAP_RATE);
- c += ISAP_RATE;
- m += ISAP_RATE;
- mlen -= ISAP_RATE;
- }
- if (mlen > 0) {
- ISAP_PERMUTE(state, ISAP_sE);
- lw_xor_block_2_src(c, state->B, m, (unsigned)mlen);
- }
-}
-
-/**
- * \brief Authenticates the associated data and ciphertext using ISAP.
- *
- * \param state ISAP permutation state.
- * \param k Points to the 128-bit key for the ISAP cipher.
- * \param npub Points to the 128-bit nonce for the ISAP cipher.
- * \param ad Buffer containing the associated data.
- * \param adlen Length of the associated data.
- * \param c Buffer containing the ciphertext.
- * \param clen Length of the ciphertext.
- */
-static void ISAP_CONCAT(ISAP_ALG_NAME,_mac)
- (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *c, unsigned long long clen,
- unsigned char *tag)
-{
- unsigned char preserve[sizeof(ISAP_STATE) - ISAP_TAG_SIZE];
- unsigned temp;
-
- /* Absorb the associated data */
- memcpy(state->B, npub, ISAP_NONCE_SIZE);
- memcpy(state->B + ISAP_NONCE_SIZE, ISAP_CONCAT(ISAP_ALG_NAME,_IV_A),
- sizeof(state->B) - ISAP_NONCE_SIZE);
- ISAP_PERMUTE(state, ISAP_sH);
- while (adlen >= ISAP_RATE) {
- lw_xor_block(state->B, ad, ISAP_RATE);
- ISAP_PERMUTE(state, ISAP_sH);
- ad += ISAP_RATE;
- adlen -= ISAP_RATE;
- }
- temp = (unsigned)adlen;
- lw_xor_block(state->B, ad, temp);
- state->B[temp] ^= 0x80; /* padding */
- ISAP_PERMUTE(state, ISAP_sH);
- state->B[sizeof(state->B) - 1] ^= 0x01; /* domain separation */
-
- /* Absorb the ciphertext */
- while (clen >= ISAP_RATE) {
- lw_xor_block(state->B, c, ISAP_RATE);
- ISAP_PERMUTE(state, ISAP_sH);
- c += ISAP_RATE;
- clen -= ISAP_RATE;
- }
- temp = (unsigned)clen;
- lw_xor_block(state->B, c, temp);
- state->B[temp] ^= 0x80; /* padding */
- ISAP_PERMUTE(state, ISAP_sH);
-
- /* Re-key the state and generate the authentication tag */
- memcpy(tag, state->B, ISAP_TAG_SIZE);
- memcpy(preserve, state->B + ISAP_TAG_SIZE, sizeof(preserve));
- ISAP_CONCAT(ISAP_ALG_NAME,_rekey)
- (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA), tag, ISAP_TAG_SIZE);
- memcpy(state->B + ISAP_TAG_SIZE, preserve, sizeof(preserve));
- ISAP_PERMUTE(state, ISAP_sH);
- memcpy(tag, state->B, ISAP_TAG_SIZE);
-}
-
-int ISAP_CONCAT(ISAP_ALG_NAME,_aead_encrypt)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- ISAP_STATE state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ISAP_TAG_SIZE;
-
- /* Encrypt the plaintext to produce the ciphertext */
- ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, c, m, mlen);
-
- /* Authenticate the associated data and ciphertext to generate the tag */
- ISAP_CONCAT(ISAP_ALG_NAME,_mac)
- (&state, k, npub, ad, adlen, c, mlen, c + mlen);
- return 0;
-}
-
-int ISAP_CONCAT(ISAP_ALG_NAME,_aead_decrypt)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- ISAP_STATE state;
- unsigned char tag[ISAP_TAG_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ISAP_TAG_SIZE)
- return -1;
- *mlen = clen - ISAP_TAG_SIZE;
-
- /* Authenticate the associated data and ciphertext to generate the tag */
- ISAP_CONCAT(ISAP_ALG_NAME,_mac)(&state, k, npub, ad, adlen, c, *mlen, tag);
-
- /* Decrypt the ciphertext to produce the plaintext */
- ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, m, c, *mlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, tag, c + *mlen, ISAP_TAG_SIZE);
-}
-
-#endif /* ISAP_ALG_NAME */
-
-/* Now undefine everything so that we can include this file again for
- * another variant on the ISAP algorithm */
-#undef ISAP_ALG_NAME
-#undef ISAP_RATE
-#undef ISAP_sH
-#undef ISAP_sE
-#undef ISAP_sB
-#undef ISAP_sK
-#undef ISAP_STATE
-#undef ISAP_PERMUTE
-#undef ISAP_CONCAT_INNER
-#undef ISAP_CONCAT
diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-keccak-avr.S b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-keccak-avr.S
deleted file mode 100644
index e50ccaf..0000000
--- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-keccak-avr.S
+++ /dev/null
@@ -1,1552 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global keccakp_200_permute - .type keccakp_200_permute, @function -keccakp_200_permute: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r26,Z+6 - ldd r27,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r4,Z+12 - ldd r5,Z+13 - ldd r6,Z+14 - ldd r7,Z+15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - ldd r24,Z+24 - push r31 - push r30 - rcall 82f - ldi r30,1 - eor r18,r30 - rcall 82f - ldi r30,130 - eor r18,r30 - rcall 82f - ldi r30,138 - eor r18,r30 - rcall 82f - mov r30,r1 - eor r18,r30 - rcall 82f - ldi r30,139 - eor r18,r30 - rcall 82f - ldi r30,1 - eor r18,r30 - rcall 82f - ldi r30,129 - eor r18,r30 - rcall 82f - ldi r30,9 - eor r18,r30 - rcall 82f - ldi r30,138 - eor r18,r30 - rcall 82f - ldi r30,136 - eor r18,r30 - rcall 82f - ldi r30,9 - eor r18,r30 - rcall 82f - ldi r30,10 - eor r18,r30 - rcall 82f - ldi r30,139 - eor r18,r30 - rcall 82f - ldi r30,139 - eor r18,r30 - rcall 82f - ldi r30,137 - eor r18,r30 - rcall 82f - ldi r30,3 - eor r18,r30 - rcall 82f - ldi r30,2 - eor r18,r30 - rcall 82f - ldi r30,128 - eor r18,r30 - rjmp 420f -82: - mov r30,r18 - eor r30,r23 - eor r30,r2 - eor r30,r7 - eor r30,r12 - mov r31,r19 - eor r31,r26 - eor r31,r3 - eor r31,r8 - eor r31,r13 - mov r25,r20 - eor r25,r27 - eor r25,r4 - eor r25,r9 - eor r25,r14 - mov r16,r21 - eor r16,r28 - eor r16,r5 - eor r16,r10 - eor r16,r15 - mov r17,r22 - eor r17,r29 - eor r17,r6 - eor r17,r11 - eor r17,r24 - mov r0,r31 - lsl r0 - adc r0,r1 - eor r0,r17 - eor r18,r0 - eor r23,r0 - eor r2,r0 - eor r7,r0 - eor r12,r0 - mov r0,r25 - lsl r0 - 
adc r0,r1 - eor r0,r30 - eor r19,r0 - eor r26,r0 - eor r3,r0 - eor r8,r0 - eor r13,r0 - mov r0,r16 - lsl r0 - adc r0,r1 - eor r0,r31 - eor r20,r0 - eor r27,r0 - eor r4,r0 - eor r9,r0 - eor r14,r0 - mov r0,r17 - lsl r0 - adc r0,r1 - eor r0,r25 - eor r21,r0 - eor r28,r0 - eor r5,r0 - eor r10,r0 - eor r15,r0 - mov r0,r30 - lsl r0 - adc r0,r1 - eor r0,r16 - eor r22,r0 - eor r29,r0 - eor r6,r0 - eor r11,r0 - eor r24,r0 - mov r30,r19 - swap r26 - mov r19,r26 - swap r29 - mov r26,r29 - mov r0,r1 - lsr r14 - ror r0 - lsr r14 - ror r0 - lsr r14 - ror r0 - or r14,r0 - mov r29,r14 - bst r6,0 - lsr r6 - bld r6,7 - mov r14,r6 - lsl r12 - adc r12,r1 - lsl r12 - adc r12,r1 - mov r6,r12 - mov r0,r1 - lsr r20 - ror r0 - lsr r20 - ror r0 - or r20,r0 - mov r12,r20 - lsl r4 - adc r4,r1 - lsl r4 - adc r4,r1 - lsl r4 - adc r4,r1 - mov r20,r4 - lsl r5 - adc r5,r1 - mov r4,r5 - mov r5,r11 - mov r11,r15 - lsl r7 - adc r7,r1 - mov r15,r7 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - mov r7,r22 - mov r0,r1 - lsr r24 - ror r0 - lsr r24 - ror r0 - or r24,r0 - mov r22,r24 - lsl r13 - adc r13,r1 - lsl r13 - adc r13,r1 - mov r24,r13 - bst r28,0 - lsr r28 - bld r28,7 - mov r13,r28 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r28,r8 - swap r23 - mov r8,r23 - swap r21 - mov r23,r21 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r21,r10 - bst r9,0 - lsr r9 - bld r9,7 - mov r10,r9 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - mov r9,r3 - mov r0,r1 - lsr r27 - ror r0 - lsr r27 - ror r0 - or r27,r0 - mov r3,r27 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - mov r27,r2 - lsl r30 - adc r30,r1 - mov r2,r30 - mov r30,r18 - mov r31,r19 - mov r25,r20 - mov r16,r21 - mov r17,r22 - mov r18,r25 - mov r0,r31 - com r0 - and r18,r0 - eor r18,r30 - mov r19,r16 - mov r0,r25 - com r0 - and r19,r0 - eor r19,r31 - mov r20,r17 - mov r0,r16 - com r0 - and r20,r0 - eor r20,r25 - mov r21,r30 - mov r0,r17 - 
com r0 - and r21,r0 - eor r21,r16 - mov r22,r31 - mov r0,r30 - com r0 - and r22,r0 - eor r22,r17 - mov r30,r23 - mov r31,r26 - mov r25,r27 - mov r16,r28 - mov r17,r29 - mov r23,r25 - mov r0,r31 - com r0 - and r23,r0 - eor r23,r30 - mov r26,r16 - mov r0,r25 - com r0 - and r26,r0 - eor r26,r31 - mov r27,r17 - mov r0,r16 - com r0 - and r27,r0 - eor r27,r25 - mov r28,r30 - mov r0,r17 - com r0 - and r28,r0 - eor r28,r16 - mov r29,r31 - mov r0,r30 - com r0 - and r29,r0 - eor r29,r17 - mov r30,r2 - mov r31,r3 - mov r25,r4 - mov r16,r5 - mov r17,r6 - mov r2,r25 - mov r0,r31 - com r0 - and r2,r0 - eor r2,r30 - mov r3,r16 - mov r0,r25 - com r0 - and r3,r0 - eor r3,r31 - mov r4,r17 - mov r0,r16 - com r0 - and r4,r0 - eor r4,r25 - mov r5,r30 - mov r0,r17 - com r0 - and r5,r0 - eor r5,r16 - mov r6,r31 - mov r0,r30 - com r0 - and r6,r0 - eor r6,r17 - mov r30,r7 - mov r31,r8 - mov r25,r9 - mov r16,r10 - mov r17,r11 - mov r7,r25 - mov r0,r31 - com r0 - and r7,r0 - eor r7,r30 - mov r8,r16 - mov r0,r25 - com r0 - and r8,r0 - eor r8,r31 - mov r9,r17 - mov r0,r16 - com r0 - and r9,r0 - eor r9,r25 - mov r10,r30 - mov r0,r17 - com r0 - and r10,r0 - eor r10,r16 - mov r11,r31 - mov r0,r30 - com r0 - and r11,r0 - eor r11,r17 - mov r30,r12 - mov r31,r13 - mov r25,r14 - mov r16,r15 - mov r17,r24 - mov r12,r25 - mov r0,r31 - com r0 - and r12,r0 - eor r12,r30 - mov r13,r16 - mov r0,r25 - com r0 - and r13,r0 - eor r13,r31 - mov r14,r17 - mov r0,r16 - com r0 - and r14,r0 - eor r14,r25 - mov r15,r30 - mov r0,r17 - com r0 - and r15,r0 - eor r15,r16 - mov r24,r31 - mov r0,r30 - com r0 - and r24,r0 - eor r24,r17 - ret -420: - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r22 - std Z+5,r23 - std Z+6,r26 - std Z+7,r27 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r4 - std Z+13,r5 - std Z+14,r6 - std Z+15,r7 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - std Z+24,r24 - pop 
r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size keccakp_200_permute, .-keccakp_200_permute - - .text -.global keccakp_400_permute - .type keccakp_400_permute, @function -keccakp_400_permute: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - movw r30,r24 -.L__stack_usage = 17 - ld r6,Z - ldd r7,Z+1 - ldd r8,Z+2 - ldd r9,Z+3 - ldd r10,Z+4 - ldd r11,Z+5 - ldd r12,Z+6 - ldd r13,Z+7 - ldd r14,Z+8 - ldd r15,Z+9 - cpi r22,20 - brcs 15f - rcall 153f - ldi r23,1 - eor r6,r23 -15: - cpi r22,19 - brcs 23f - rcall 153f - ldi r23,130 - eor r6,r23 - ldi r17,128 - eor r7,r17 -23: - cpi r22,18 - brcs 31f - rcall 153f - ldi r23,138 - eor r6,r23 - ldi r17,128 - eor r7,r17 -31: - cpi r22,17 - brcs 37f - rcall 153f - ldi r23,128 - eor r7,r23 -37: - cpi r22,16 - brcs 45f - rcall 153f - ldi r23,139 - eor r6,r23 - ldi r17,128 - eor r7,r17 -45: - cpi r22,15 - brcs 51f - rcall 153f - ldi r23,1 - eor r6,r23 -51: - cpi r22,14 - brcs 59f - rcall 153f - ldi r23,129 - eor r6,r23 - ldi r17,128 - eor r7,r17 -59: - cpi r22,13 - brcs 67f - rcall 153f - ldi r23,9 - eor r6,r23 - ldi r17,128 - eor r7,r17 -67: - cpi r22,12 - brcs 73f - rcall 153f - ldi r23,138 - eor r6,r23 -73: - cpi r22,11 - brcs 79f - rcall 153f - ldi r23,136 - eor r6,r23 -79: - cpi r22,10 - brcs 87f - rcall 153f - ldi r23,9 - eor r6,r23 - ldi r17,128 - eor r7,r17 -87: - cpi r22,9 - brcs 93f - rcall 153f - ldi r23,10 - eor r6,r23 -93: - cpi r22,8 - brcs 101f - rcall 153f - ldi r23,139 - eor r6,r23 - ldi r17,128 - eor r7,r17 -101: - cpi r22,7 - brcs 107f - rcall 153f - ldi r23,139 - eor r6,r23 -107: - cpi r22,6 - brcs 115f - rcall 153f - ldi r23,137 - eor r6,r23 - ldi r17,128 - eor r7,r17 -115: - cpi r22,5 - brcs 123f - rcall 153f - ldi r23,3 - eor r6,r23 - ldi r17,128 - eor r7,r17 -123: - cpi 
r22,4 - brcs 131f - rcall 153f - ldi r23,2 - eor r6,r23 - ldi r17,128 - eor r7,r17 -131: - cpi r22,3 - brcs 137f - rcall 153f - ldi r23,128 - eor r6,r23 -137: - cpi r22,2 - brcs 145f - rcall 153f - ldi r23,10 - eor r6,r23 - ldi r17,128 - eor r7,r17 -145: - cpi r22,1 - brcs 151f - rcall 153f - ldi r23,10 - eor r6,r23 -151: - rjmp 1004f -153: - movw r18,r6 - ldd r0,Z+10 - eor r18,r0 - ldd r0,Z+11 - eor r19,r0 - ldd r0,Z+20 - eor r18,r0 - ldd r0,Z+21 - eor r19,r0 - ldd r0,Z+30 - eor r18,r0 - ldd r0,Z+31 - eor r19,r0 - ldd r0,Z+40 - eor r18,r0 - ldd r0,Z+41 - eor r19,r0 - movw r20,r8 - ldd r0,Z+12 - eor r20,r0 - ldd r0,Z+13 - eor r21,r0 - ldd r0,Z+22 - eor r20,r0 - ldd r0,Z+23 - eor r21,r0 - ldd r0,Z+32 - eor r20,r0 - ldd r0,Z+33 - eor r21,r0 - ldd r0,Z+42 - eor r20,r0 - ldd r0,Z+43 - eor r21,r0 - movw r26,r10 - ldd r0,Z+14 - eor r26,r0 - ldd r0,Z+15 - eor r27,r0 - ldd r0,Z+24 - eor r26,r0 - ldd r0,Z+25 - eor r27,r0 - ldd r0,Z+34 - eor r26,r0 - ldd r0,Z+35 - eor r27,r0 - ldd r0,Z+44 - eor r26,r0 - ldd r0,Z+45 - eor r27,r0 - movw r2,r12 - ldd r0,Z+16 - eor r2,r0 - ldd r0,Z+17 - eor r3,r0 - ldd r0,Z+26 - eor r2,r0 - ldd r0,Z+27 - eor r3,r0 - ldd r0,Z+36 - eor r2,r0 - ldd r0,Z+37 - eor r3,r0 - ldd r0,Z+46 - eor r2,r0 - ldd r0,Z+47 - eor r3,r0 - movw r4,r14 - ldd r0,Z+18 - eor r4,r0 - ldd r0,Z+19 - eor r5,r0 - ldd r0,Z+28 - eor r4,r0 - ldd r0,Z+29 - eor r5,r0 - ldd r0,Z+38 - eor r4,r0 - ldd r0,Z+39 - eor r5,r0 - ldd r0,Z+48 - eor r4,r0 - ldd r0,Z+49 - eor r5,r0 - movw r24,r20 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r4 - eor r25,r5 - eor r6,r24 - eor r7,r25 - ldd r0,Z+10 - eor r0,r24 - std Z+10,r0 - ldd r0,Z+11 - eor r0,r25 - std Z+11,r0 - ldd r0,Z+20 - eor r0,r24 - std Z+20,r0 - ldd r0,Z+21 - eor r0,r25 - std Z+21,r0 - ldd r0,Z+30 - eor r0,r24 - std Z+30,r0 - ldd r0,Z+31 - eor r0,r25 - std Z+31,r0 - ldd r0,Z+40 - eor r0,r24 - std Z+40,r0 - ldd r0,Z+41 - eor r0,r25 - std Z+41,r0 - movw r24,r26 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r18 - eor r25,r19 - eor r8,r24 - 
eor r9,r25 - ldd r0,Z+12 - eor r0,r24 - std Z+12,r0 - ldd r0,Z+13 - eor r0,r25 - std Z+13,r0 - ldd r0,Z+22 - eor r0,r24 - std Z+22,r0 - ldd r0,Z+23 - eor r0,r25 - std Z+23,r0 - ldd r0,Z+32 - eor r0,r24 - std Z+32,r0 - ldd r0,Z+33 - eor r0,r25 - std Z+33,r0 - ldd r0,Z+42 - eor r0,r24 - std Z+42,r0 - ldd r0,Z+43 - eor r0,r25 - std Z+43,r0 - movw r24,r2 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r20 - eor r25,r21 - eor r10,r24 - eor r11,r25 - ldd r0,Z+14 - eor r0,r24 - std Z+14,r0 - ldd r0,Z+15 - eor r0,r25 - std Z+15,r0 - ldd r0,Z+24 - eor r0,r24 - std Z+24,r0 - ldd r0,Z+25 - eor r0,r25 - std Z+25,r0 - ldd r0,Z+34 - eor r0,r24 - std Z+34,r0 - ldd r0,Z+35 - eor r0,r25 - std Z+35,r0 - ldd r0,Z+44 - eor r0,r24 - std Z+44,r0 - ldd r0,Z+45 - eor r0,r25 - std Z+45,r0 - movw r24,r4 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r26 - eor r25,r27 - eor r12,r24 - eor r13,r25 - ldd r0,Z+16 - eor r0,r24 - std Z+16,r0 - ldd r0,Z+17 - eor r0,r25 - std Z+17,r0 - ldd r0,Z+26 - eor r0,r24 - std Z+26,r0 - ldd r0,Z+27 - eor r0,r25 - std Z+27,r0 - ldd r0,Z+36 - eor r0,r24 - std Z+36,r0 - ldd r0,Z+37 - eor r0,r25 - std Z+37,r0 - ldd r0,Z+46 - eor r0,r24 - std Z+46,r0 - ldd r0,Z+47 - eor r0,r25 - std Z+47,r0 - movw r24,r18 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r2 - eor r25,r3 - eor r14,r24 - eor r15,r25 - ldd r0,Z+18 - eor r0,r24 - std Z+18,r0 - ldd r0,Z+19 - eor r0,r25 - std Z+19,r0 - ldd r0,Z+28 - eor r0,r24 - std Z+28,r0 - ldd r0,Z+29 - eor r0,r25 - std Z+29,r0 - ldd r0,Z+38 - eor r0,r24 - std Z+38,r0 - ldd r0,Z+39 - eor r0,r25 - std Z+39,r0 - ldd r0,Z+48 - eor r0,r24 - std Z+48,r0 - ldd r0,Z+49 - eor r0,r25 - std Z+49,r0 - movw r24,r8 - ldd r8,Z+12 - ldd r9,Z+13 - mov r0,r9 - mov r9,r8 - mov r8,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldd r18,Z+18 - ldd r19,Z+19 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std 
Z+12,r18 - std Z+13,r19 - ldd r18,Z+44 - ldd r19,Z+45 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+18,r18 - std Z+19,r19 - ldd r18,Z+28 - ldd r19,Z+29 - mov r0,r19 - mov r19,r18 - mov r18,r0 - bst r18,0 - lsr r19 - ror r18 - bld r19,7 - std Z+44,r18 - std Z+45,r19 - ldd r18,Z+40 - ldd r19,Z+41 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+28,r18 - std Z+29,r19 - movw r18,r10 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+40,r18 - std Z+41,r19 - ldd r10,Z+24 - ldd r11,Z+25 - mov r0,r11 - mov r11,r10 - mov r10,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldd r18,Z+26 - ldd r19,Z+27 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - std Z+24,r18 - std Z+25,r19 - ldd r18,Z+38 - ldd r19,Z+39 - mov r0,r19 - mov r19,r18 - mov r18,r0 - std Z+26,r18 - std Z+27,r19 - ldd r18,Z+46 - ldd r19,Z+47 - mov r0,r19 - mov r19,r18 - mov r18,r0 - std Z+38,r18 - std Z+39,r19 - ldd r18,Z+30 - ldd r19,Z+31 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - std Z+46,r18 - std Z+47,r19 - movw r18,r14 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+30,r18 - std Z+31,r19 - ldd r14,Z+48 - ldd r15,Z+49 - mov r0,r1 - lsr r15 - ror r14 - ror r0 - lsr r15 - ror r14 - ror r0 - or r15,r0 - ldd r18,Z+42 - ldd r19,Z+43 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+48,r18 - std Z+49,r19 - ldd r18,Z+16 - ldd r19,Z+17 - mov r0,r19 - mov r19,r18 - mov r18,r0 - bst r18,0 - lsr r19 - ror r18 - bld r19,7 - std Z+42,r18 - std Z+43,r19 - ldd r18,Z+32 - ldd r19,Z+33 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+16,r18 - std Z+17,r19 - ldd r18,Z+10 - ldd r19,Z+11 - lsl 
r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+32,r18 - std Z+33,r19 - movw r18,r12 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+10,r18 - std Z+11,r19 - ldd r12,Z+36 - ldd r13,Z+37 - mov r0,r13 - mov r13,r12 - mov r12,r0 - mov r0,r1 - lsr r13 - ror r12 - ror r0 - lsr r13 - ror r12 - ror r0 - lsr r13 - ror r12 - ror r0 - or r13,r0 - ldd r18,Z+34 - ldd r19,Z+35 - bst r18,0 - lsr r19 - ror r18 - bld r19,7 - std Z+36,r18 - std Z+37,r19 - ldd r18,Z+22 - ldd r19,Z+23 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+34,r18 - std Z+35,r19 - ldd r18,Z+14 - ldd r19,Z+15 - mov r0,r19 - mov r19,r18 - mov r18,r0 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+22,r18 - std Z+23,r19 - ldd r18,Z+20 - ldd r19,Z+21 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+14,r18 - std Z+15,r19 - lsl r24 - rol r25 - adc r24,r1 - std Z+20,r24 - std Z+21,r25 - movw r18,r6 - movw r20,r8 - movw r26,r10 - movw r2,r12 - movw r4,r14 - movw r6,r26 - mov r0,r20 - com r0 - and r6,r0 - mov r0,r21 - com r0 - and r7,r0 - eor r6,r18 - eor r7,r19 - movw r8,r2 - mov r0,r26 - com r0 - and r8,r0 - mov r0,r27 - com r0 - and r9,r0 - eor r8,r20 - eor r9,r21 - movw r10,r4 - mov r0,r2 - com r0 - and r10,r0 - mov r0,r3 - com r0 - and r11,r0 - eor r10,r26 - eor r11,r27 - movw r12,r18 - mov r0,r4 - com r0 - and r12,r0 - mov r0,r5 - com r0 - and r13,r0 - eor r12,r2 - eor r13,r3 - movw r14,r20 - mov r0,r18 - com r0 - and r14,r0 - mov r0,r19 - com r0 - and r15,r0 - eor r14,r4 - eor r15,r5 - ldd r18,Z+10 - ldd r19,Z+11 - ldd r20,Z+12 - ldd r21,Z+13 - ldd r26,Z+14 - ldd r27,Z+15 - ldd r2,Z+16 - ldd r3,Z+17 - ldd r4,Z+18 - ldd r5,Z+19 - movw 
r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+10,r24 - std Z+11,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+12,r24 - std Z+13,r25 - movw r24,r4 - mov r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+14,r24 - std Z+15,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+16,r24 - std Z+17,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+18,r24 - std Z+19,r25 - ldd r18,Z+20 - ldd r19,Z+21 - ldd r20,Z+22 - ldd r21,Z+23 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r4,Z+28 - ldd r5,Z+29 - movw r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+20,r24 - std Z+21,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+22,r24 - std Z+23,r25 - movw r24,r4 - mov r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+24,r24 - std Z+25,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+26,r24 - std Z+27,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+28,r24 - std Z+29,r25 - ldd r18,Z+30 - ldd r19,Z+31 - ldd r20,Z+32 - ldd r21,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r2,Z+36 - ldd r3,Z+37 - ldd r4,Z+38 - ldd r5,Z+39 - movw r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+30,r24 - std Z+31,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+32,r24 - std Z+33,r25 - movw r24,r4 - mov 
r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+34,r24 - std Z+35,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+36,r24 - std Z+37,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+38,r24 - std Z+39,r25 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - ldd r26,Z+44 - ldd r27,Z+45 - ldd r2,Z+46 - ldd r3,Z+47 - ldd r4,Z+48 - ldd r5,Z+49 - movw r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+40,r24 - std Z+41,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+42,r24 - std Z+43,r25 - movw r24,r4 - mov r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+44,r24 - std Z+45,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+46,r24 - std Z+47,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+48,r24 - std Z+49,r25 - ret -1004: - st Z,r6 - std Z+1,r7 - std Z+2,r8 - std Z+3,r9 - std Z+4,r10 - std Z+5,r11 - std Z+6,r12 - std Z+7,r13 - std Z+8,r14 - std Z+9,r15 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size keccakp_400_permute, .-keccakp_400_permute - -#endif diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-keccak.c b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-keccak.c deleted file mode 100644 index 60539df..0000000 --- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-keccak.c +++ /dev/null 
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-keccak.h"
-
-#if !defined(__AVR__)
-
-/* Faster method to compute ((x + y) % 5) that avoids the division */
-static unsigned char const addMod5Table[9] = {
- 0, 1, 2, 3, 4, 0, 1, 2, 3
-};
-#define addMod5(x, y) (addMod5Table[(x) + (y)])
-
-void keccakp_200_permute(keccakp_200_state_t *state)
-{
- static uint8_t const RC[18] = {
- 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09,
- 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03,
- 0x02, 0x80
- };
- uint8_t C[5];
- uint8_t D;
- unsigned round;
- unsigned index, index2;
- for (round = 0; round < 18; ++round) {
- /* Step mapping theta. The specification mentions two temporary
- * arrays of size 5 called C and D. Compute D on the fly */
- for (index = 0; index < 5; ++index) {
- C[index] = state->A[0][index] ^ state->A[1][index] ^
- state->A[2][index] ^ state->A[3][index] ^
- state->A[4][index];
- }
- for (index = 0; index < 5; ++index) {
- D = C[addMod5(index, 4)] ^
- leftRotate1_8(C[addMod5(index, 1)]);
- for (index2 = 0; index2 < 5; ++index2)
- state->A[index2][index] ^= D;
- }
-
- /* Step mapping rho and pi combined into a single step.
- * Rotate all lanes by a specific offset and rearrange */
- D = state->A[0][1];
- state->A[0][1] = leftRotate4_8(state->A[1][1]);
- state->A[1][1] = leftRotate4_8(state->A[1][4]);
- state->A[1][4] = leftRotate5_8(state->A[4][2]);
- state->A[4][2] = leftRotate7_8(state->A[2][4]);
- state->A[2][4] = leftRotate2_8(state->A[4][0]);
- state->A[4][0] = leftRotate6_8(state->A[0][2]);
- state->A[0][2] = leftRotate3_8(state->A[2][2]);
- state->A[2][2] = leftRotate1_8(state->A[2][3]);
- state->A[2][3] = state->A[3][4];
- state->A[3][4] = state->A[4][3];
- state->A[4][3] = leftRotate1_8(state->A[3][0]);
- state->A[3][0] = leftRotate3_8(state->A[0][4]);
- state->A[0][4] = leftRotate6_8(state->A[4][4]);
- state->A[4][4] = leftRotate2_8(state->A[4][1]);
- state->A[4][1] = leftRotate7_8(state->A[1][3]);
- state->A[1][3] = leftRotate5_8(state->A[3][1]);
- state->A[3][1] = leftRotate4_8(state->A[1][0]);
- state->A[1][0] = leftRotate4_8(state->A[0][3]);
- state->A[0][3] = leftRotate5_8(state->A[3][3]);
- state->A[3][3] = leftRotate7_8(state->A[3][2]);
- state->A[3][2] = leftRotate2_8(state->A[2][1]);
- state->A[2][1] = leftRotate6_8(state->A[1][2]);
- state->A[1][2] = leftRotate3_8(state->A[2][0]);
- state->A[2][0] = leftRotate1_8(D);
-
- /* Step mapping chi. Combine each lane with two others in its row */
- for (index = 0; index < 5; ++index) {
- C[0] = state->A[index][0];
- C[1] = state->A[index][1];
- C[2] = state->A[index][2];
- C[3] = state->A[index][3];
- C[4] = state->A[index][4];
- for (index2 = 0; index2 < 5; ++index2) {
- state->A[index][index2] =
- C[index2] ^
- ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
- }
- }
-
- /* Step mapping iota. XOR A[0][0] with the round constant */
- state->A[0][0] ^= RC[round];
- }
-}
-
-#if defined(LW_UTIL_LITTLE_ENDIAN)
-#define keccakp_400_permute_host keccakp_400_permute
-#endif
-
-/* Keccak-p[400] that assumes that the input is already in host byte order */
-void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds)
-{
- static uint16_t const RC[20] = {
- 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009,
- 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003,
- 0x8002, 0x0080, 0x800A, 0x000A
- };
- uint16_t C[5];
- uint16_t D;
- unsigned round;
- unsigned index, index2;
- for (round = 20 - rounds; round < 20; ++round) {
- /* Step mapping theta. The specification mentions two temporary
- * arrays of size 5 called C and D. Compute D on the fly */
- for (index = 0; index < 5; ++index) {
- C[index] = state->A[0][index] ^ state->A[1][index] ^
- state->A[2][index] ^ state->A[3][index] ^
- state->A[4][index];
- }
- for (index = 0; index < 5; ++index) {
- D = C[addMod5(index, 4)] ^
- leftRotate1_16(C[addMod5(index, 1)]);
- for (index2 = 0; index2 < 5; ++index2)
- state->A[index2][index] ^= D;
- }
-
- /* Step mapping rho and pi combined into a single step.
- * Rotate all lanes by a specific offset and rearrange */
- D = state->A[0][1];
- state->A[0][1] = leftRotate12_16(state->A[1][1]);
- state->A[1][1] = leftRotate4_16 (state->A[1][4]);
- state->A[1][4] = leftRotate13_16(state->A[4][2]);
- state->A[4][2] = leftRotate7_16 (state->A[2][4]);
- state->A[2][4] = leftRotate2_16 (state->A[4][0]);
- state->A[4][0] = leftRotate14_16(state->A[0][2]);
- state->A[0][2] = leftRotate11_16(state->A[2][2]);
- state->A[2][2] = leftRotate9_16 (state->A[2][3]);
- state->A[2][3] = leftRotate8_16 (state->A[3][4]);
- state->A[3][4] = leftRotate8_16 (state->A[4][3]);
- state->A[4][3] = leftRotate9_16 (state->A[3][0]);
- state->A[3][0] = leftRotate11_16(state->A[0][4]);
- state->A[0][4] = leftRotate14_16(state->A[4][4]);
- state->A[4][4] = leftRotate2_16 (state->A[4][1]);
- state->A[4][1] = leftRotate7_16 (state->A[1][3]);
- state->A[1][3] = leftRotate13_16(state->A[3][1]);
- state->A[3][1] = leftRotate4_16 (state->A[1][0]);
- state->A[1][0] = leftRotate12_16(state->A[0][3]);
- state->A[0][3] = leftRotate5_16 (state->A[3][3]);
- state->A[3][3] = leftRotate15_16(state->A[3][2]);
- state->A[3][2] = leftRotate10_16(state->A[2][1]);
- state->A[2][1] = leftRotate6_16 (state->A[1][2]);
- state->A[1][2] = leftRotate3_16 (state->A[2][0]);
- state->A[2][0] = leftRotate1_16(D);
-
- /* Step mapping chi. Combine each lane with two others in its row */
- for (index = 0; index < 5; ++index) {
- C[0] = state->A[index][0];
- C[1] = state->A[index][1];
- C[2] = state->A[index][2];
- C[3] = state->A[index][3];
- C[4] = state->A[index][4];
- for (index2 = 0; index2 < 5; ++index2) {
- state->A[index][index2] =
- C[index2] ^
- ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
- }
- }
-
- /* Step mapping iota. XOR A[0][0] with the round constant */
- state->A[0][0] ^= RC[round];
- }
-}
-
-#if !defined(LW_UTIL_LITTLE_ENDIAN)
-
-/**
- * \brief Reverses the bytes in a Keccak-p[400] state.
- *
- * \param state The Keccak-p[400] state to apply byte-reversal to.
- */
-static void keccakp_400_reverse_bytes(keccakp_400_state_t *state)
-{
- unsigned index;
- unsigned char temp1;
- unsigned char temp2;
- for (index = 0; index < 50; index += 2) {
- temp1 = state->B[index];
- temp2 = state->B[index + 1];
- state->B[index] = temp2;
- state->B[index + 1] = temp1;
- }
-}
-
-/* Keccak-p[400] that requires byte reversal on input and output */
-void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds)
-{
- keccakp_400_reverse_bytes(state);
- keccakp_400_permute_host(state, rounds);
- keccakp_400_reverse_bytes(state);
-}
-
-#endif
-
-#endif /* !__AVR__ */
diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-keccak.h b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-keccak.h
deleted file mode 100644
index 2ffef42..0000000
--- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-keccak.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_KECCAK_H
-#define LW_INTERNAL_KECCAK_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-keccak.h
- * \brief Internal implementation of the Keccak-p permutation.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the state for the Keccak-p[200] permutation.
- */
-#define KECCAKP_200_STATE_SIZE 25
-
-/**
- * \brief Size of the state for the Keccak-p[400] permutation.
- */
-#define KECCAKP_400_STATE_SIZE 50
-
-/**
- * \brief Structure of the internal state of the Keccak-p[200] permutation.
- */
-typedef union
-{
- uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */
- uint8_t B[25]; /**< Keccak-p[200] state as a byte array */
-
-} keccakp_200_state_t;
-
-/**
- * \brief Structure of the internal state of the Keccak-p[400] permutation.
- */
-typedef union
-{
- uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */
- uint8_t B[50]; /**< Keccak-p[400] state as a byte array */
-
-} keccakp_400_state_t;
-
-/**
- * \brief Permutes the Keccak-p[200] state.
- *
- * \param state The Keccak-p[200] state to be permuted.
- */
-void keccakp_200_permute(keccakp_200_state_t *state);
-
-/**
- * \brief Permutes the Keccak-p[400] state, which is assumed to be in
- * little-endian byte order.
- *
- * \param state The Keccak-p[400] state to be permuted.
- * \param rounds The number of rounds to perform (up to 20).
- */
-void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-util.h b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate
by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define
rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a)
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) |
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/isap.c b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/isap.c
deleted file mode 100644
index 26d50a3..0000000
--- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/isap.c
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "isap.h"
-#include "internal-keccak.h"
-#include "internal-ascon.h"
-#include
-
-aead_cipher_t const isap_keccak_128a_cipher = {
- "ISAP-K-128A",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_keccak_128a_aead_encrypt,
- isap_keccak_128a_aead_decrypt
-};
-
-aead_cipher_t const isap_ascon_128a_cipher = {
- "ISAP-A-128A",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_ascon_128a_aead_encrypt,
- isap_ascon_128a_aead_decrypt
-};
-
-aead_cipher_t const isap_keccak_128_cipher = {
- "ISAP-K-128",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_keccak_128_aead_encrypt,
- isap_keccak_128_aead_decrypt
-};
-
-aead_cipher_t const isap_ascon_128_cipher = {
- "ISAP-A-128",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_ascon_128_aead_encrypt,
- isap_ascon_128_aead_decrypt
-};
-
-/* ISAP-K-128A */
-#define ISAP_ALG_NAME isap_keccak_128a
-#define ISAP_RATE (144 / 8)
-#define ISAP_sH 16
-#define ISAP_sE 8
-#define ISAP_sB 1
-#define ISAP_sK 8
-#define ISAP_STATE keccakp_400_state_t
-#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r))
-#include "internal-isap.h"
-
-/* ISAP-A-128A */
-#define ISAP_ALG_NAME isap_ascon_128a
-#define ISAP_RATE (64 / 8)
-#define ISAP_sH 12
-#define ISAP_sE 6
-#define ISAP_sB 1
-#define ISAP_sK 12
-#define ISAP_STATE ascon_state_t
-#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r))
-#include "internal-isap.h"
-
-/* ISAP-K-128 */
-#define ISAP_ALG_NAME isap_keccak_128
-#define ISAP_RATE (144 / 8)
-#define ISAP_sH 20
-#define ISAP_sE 12
-#define ISAP_sB 12
-#define ISAP_sK 12
-#define ISAP_STATE keccakp_400_state_t
-#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r))
-#include "internal-isap.h"
-
-/* ISAP-A-128 */
-#define ISAP_ALG_NAME isap_ascon_128
-#define ISAP_RATE (64 / 8)
-#define ISAP_sH 12
-#define ISAP_sE 12
-#define ISAP_sB 12
-#define ISAP_sK 12
-#define ISAP_STATE ascon_state_t
-#define
ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r))
-#include "internal-isap.h"
diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/isap.h b/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/isap.h
deleted file mode 100644
index ddf8203..0000000
--- a/isap/Implementations/crypto_aead/isapk128av20/rhys-avr/isap.h
+++ /dev/null
@@ -1,330 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_ISAP_H
-#define LWCRYPTO_ISAP_H
-
-#include "aead-common.h"
-
-/**
- * \file isap.h
- * \brief ISAP authenticated encryption algorithm.
- *
- * ISAP is a family of authenticated encryption algorithms that are built
- * around the Keccak-p[400] or ASCON permutations. There are four algorithms
- * in the family, each of which have a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag:
- *
- * \li ISAP-K-128A based around the Keccak-p[400] permutation with a
- * reduced number of rounds. This is the primary member in the family.
- * \li ISAP-A-128A based around the ASCON permutation with a reduced
- * number of rounds.
- * \li ISAP-K-128 based around the Keccak-p[400] permutation.
- * \li ISAP-A-128 based around the ASCON permutation.
- *
- * ISAP is designed to provide some protection against adversaries
- * using differential power analysis to determine the key. The
- * downside is that key setup is very slow.
- *
- * References: https://isap.iaik.tugraz.at/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for all ISAP family members.
- */
-#define ISAP_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for all ISAP family members.
- */
-#define ISAP_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for all ISAP family members.
- */
-#define ISAP_NONCE_SIZE 16
-
-/**
- * \brief Meta-information block for the ISAP-K-128A cipher.
- */
-extern aead_cipher_t const isap_keccak_128a_cipher;
-
-/**
- * \brief Meta-information block for the ISAP-A-128A cipher.
- */
-extern aead_cipher_t const isap_ascon_128a_cipher;
-
-/**
- * \brief Meta-information block for the ISAP-K-128 cipher.
- */
-extern aead_cipher_t const isap_keccak_128_cipher;
-
-/**
- * \brief Meta-information block for the ISAP-A-128 cipher.
- */
-extern aead_cipher_t const isap_ascon_128_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with ISAP-K-128A.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa isap_keccak_128a_aead_decrypt()
- */
-int isap_keccak_128a_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with ISAP-K-128A.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa isap_keccak_128a_aead_encrypt()
- */
-int isap_keccak_128a_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with ISAP-A-128A.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa isap_ascon_128a_aead_decrypt()
- */
-int isap_ascon_128a_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with ISAP-A-128A.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa isap_ascon_128a_aead_encrypt()
- */
-int isap_ascon_128a_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with ISAP-K-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa isap_keccak_128_aead_decrypt()
- */
-int isap_keccak_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with ISAP-K-128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa isap_keccak_128_aead_encrypt()
- */
-int isap_keccak_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with ISAP-A-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa isap_ascon_128_aead_decrypt()
- */
-int isap_ascon_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with ISAP-A-128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa isap_ascon_128_aead_encrypt()
- */
-int isap_ascon_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon-avr.S b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon-avr.S
new file mode 100644
index 0000000..e8a4fb4
--- /dev/null
+++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon-avr.S
@@ -0,0 +1,778 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global ascon_permute + .type ascon_permute, @function +ascon_permute: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ldi r18,15 + sub r18,r22 + swap r18 + or r22,r18 + ldd r3,Z+16 + ldd r2,Z+17 + ldd r27,Z+18 + ldd r26,Z+19 + ldd r21,Z+20 + ldd r20,Z+21 + ldd r19,Z+22 + ldd r18,Z+23 + ldd r11,Z+32 + ldd r10,Z+33 + ldd r9,Z+34 + ldd r8,Z+35 + ldd r7,Z+36 + ldd r6,Z+37 + ldd r5,Z+38 + ldd r4,Z+39 +20: + eor r18,r22 + ldd r23,Z+7 + ldd r12,Z+15 + ldd r13,Z+31 + eor r23,r4 + eor r4,r13 + eor r18,r12 + mov r14,r23 + mov r15,r12 + mov r24,r18 + mov r25,r13 + mov r16,r4 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r18 + and r24,r13 + and r25,r4 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r18,r25 + eor r13,r16 + eor r4,r14 + eor r12,r23 + eor r23,r4 + eor r13,r18 + com r18 + std Z+7,r23 + std Z+15,r12 + std Z+31,r13 + std Z+39,r4 + ldd r23,Z+6 + ldd r12,Z+14 + ldd r13,Z+30 + eor r23,r5 + eor r5,r13 + eor r19,r12 + mov r14,r23 + mov r15,r12 + mov r24,r19 + mov r25,r13 + mov r16,r5 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r19 + and r24,r13 + and r25,r5 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r19,r25 + eor r13,r16 + eor r5,r14 + eor r12,r23 + eor r23,r5 + eor r13,r19 + com r19 + std Z+6,r23 + std Z+14,r12 + std Z+30,r13 + std Z+38,r5 + ldd r23,Z+5 + ldd r12,Z+13 + ldd r13,Z+29 + eor r23,r6 + eor r6,r13 + eor r20,r12 + mov r14,r23 + mov r15,r12 + mov r24,r20 + mov r25,r13 + mov r16,r6 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r20 + and r24,r13 + and r25,r6 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r20,r25 + eor r13,r16 + eor r6,r14 + eor r12,r23 + eor r23,r6 + eor r13,r20 + com r20 + std Z+5,r23 + std 
Z+13,r12 + std Z+29,r13 + std Z+37,r6 + ldd r23,Z+4 + ldd r12,Z+12 + ldd r13,Z+28 + eor r23,r7 + eor r7,r13 + eor r21,r12 + mov r14,r23 + mov r15,r12 + mov r24,r21 + mov r25,r13 + mov r16,r7 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r21 + and r24,r13 + and r25,r7 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r21,r25 + eor r13,r16 + eor r7,r14 + eor r12,r23 + eor r23,r7 + eor r13,r21 + com r21 + std Z+4,r23 + std Z+12,r12 + std Z+28,r13 + std Z+36,r7 + ldd r23,Z+3 + ldd r12,Z+11 + ldd r13,Z+27 + eor r23,r8 + eor r8,r13 + eor r26,r12 + mov r14,r23 + mov r15,r12 + mov r24,r26 + mov r25,r13 + mov r16,r8 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r26 + and r24,r13 + and r25,r8 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r26,r25 + eor r13,r16 + eor r8,r14 + eor r12,r23 + eor r23,r8 + eor r13,r26 + com r26 + std Z+3,r23 + std Z+11,r12 + std Z+27,r13 + std Z+35,r8 + ldd r23,Z+2 + ldd r12,Z+10 + ldd r13,Z+26 + eor r23,r9 + eor r9,r13 + eor r27,r12 + mov r14,r23 + mov r15,r12 + mov r24,r27 + mov r25,r13 + mov r16,r9 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r27 + and r24,r13 + and r25,r9 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r27,r25 + eor r13,r16 + eor r9,r14 + eor r12,r23 + eor r23,r9 + eor r13,r27 + com r27 + std Z+2,r23 + std Z+10,r12 + std Z+26,r13 + std Z+34,r9 + ldd r23,Z+1 + ldd r12,Z+9 + ldd r13,Z+25 + eor r23,r10 + eor r10,r13 + eor r2,r12 + mov r14,r23 + mov r15,r12 + mov r24,r2 + mov r25,r13 + mov r16,r10 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r2 + and r24,r13 + and r25,r10 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r2,r25 + eor r13,r16 + eor r10,r14 + eor r12,r23 + eor r23,r10 + eor r13,r2 + com r2 + std Z+1,r23 + std Z+9,r12 + std Z+25,r13 + std Z+33,r10 + ld r23,Z + ldd r12,Z+8 + ldd r13,Z+24 + eor r23,r11 + eor r11,r13 + eor r3,r12 + mov r14,r23 + mov r15,r12 + mov r24,r3 + mov r25,r13 + mov r16,r11 + com r14 + 
com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r3 + and r24,r13 + and r25,r11 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r3,r25 + eor r13,r16 + eor r11,r14 + eor r12,r23 + eor r23,r11 + eor r13,r3 + com r3 + st Z,r23 + std Z+8,r12 + std Z+24,r13 + std Z+32,r11 + ld r11,Z + ldd r10,Z+1 + ldd r9,Z+2 + ldd r8,Z+3 + ldd r7,Z+4 + ldd r6,Z+5 + ldd r5,Z+6 + ldd r4,Z+7 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + mov r0,r12 + mov r12,r14 + mov r14,r24 + mov r24,r16 + mov r16,r0 + mov r0,r13 + mov r13,r15 + mov r15,r25 + mov r25,r17 + mov r17,r0 + mov r0,r1 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + or r17,r0 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r23,r4 + mov r0,r5 + push r6 + mov r4,r7 + mov r5,r8 + mov r6,r9 + mov r7,r10 + mov r8,r11 + pop r11 + mov r10,r0 + mov r9,r23 + mov r0,r1 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + or r11,r0 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + st Z,r11 + std Z+1,r10 + std Z+2,r9 + std Z+3,r8 + std Z+4,r7 + std Z+5,r6 + std Z+6,r5 + std Z+7,r4 + ldd r11,Z+8 + ldd r10,Z+9 + ldd r9,Z+10 + ldd r8,Z+11 + ldd r7,Z+12 + ldd r6,Z+13 + ldd r5,Z+14 + ldd r4,Z+15 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol r16 + rol r17 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol 
r16 + rol r17 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol r16 + rol r17 + adc r12,r1 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r23,r9 + mov r0,r10 + push r11 + mov r11,r8 + mov r10,r7 + mov r9,r6 + mov r8,r5 + mov r7,r4 + pop r6 + mov r5,r0 + mov r4,r23 + lsl r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + adc r4,r1 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + std Z+8,r11 + std Z+9,r10 + std Z+10,r9 + std Z+11,r8 + std Z+12,r7 + std Z+13,r6 + std Z+14,r5 + std Z+15,r4 + movw r12,r18 + movw r14,r20 + movw r24,r26 + movw r16,r2 + bst r12,0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + bld r17,7 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + eor r24,r26 + eor r25,r27 + eor r16,r2 + eor r17,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r26 + mov r26,r27 + mov r27,r2 + mov r2,r3 + mov r3,r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + rol r2 + rol r3 + adc r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + rol r2 + rol r3 + adc r18,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + eor r26,r24 + eor r27,r25 + eor r2,r16 + eor r3,r17 + ldd r11,Z+24 + ldd r10,Z+25 + ldd r9,Z+26 + ldd r8,Z+27 + ldd r7,Z+28 + ldd r6,Z+29 + ldd r5,Z+30 + ldd r4,Z+31 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + mov r0,r12 + mov r12,r13 + mov r13,r14 + mov r14,r15 + mov r15,r24 + mov r24,r25 + mov r25,r16 + mov r16,r17 + mov r17,r0 + mov r0,r1 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + or r17,r0 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r0,r4 + mov r4,r6 + mov r6,r8 + mov r8,r10 
+ mov r10,r0 + mov r0,r5 + mov r5,r7 + mov r7,r9 + mov r9,r11 + mov r11,r0 + mov r0,r1 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + or r11,r0 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + std Z+24,r11 + std Z+25,r10 + std Z+26,r9 + std Z+27,r8 + std Z+28,r7 + std Z+29,r6 + std Z+30,r5 + std Z+31,r4 + ldd r11,Z+32 + ldd r10,Z+33 + ldd r9,Z+34 + ldd r8,Z+35 + ldd r7,Z+36 + ldd r6,Z+37 + ldd r5,Z+38 + ldd r4,Z+39 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + mov r0,r12 + mov r12,r13 + mov r13,r14 + mov r14,r15 + mov r15,r24 + mov r24,r25 + mov r25,r16 + mov r16,r17 + mov r17,r0 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol r16 + rol r17 + adc r12,r1 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r23,r9 + mov r0,r10 + push r11 + mov r11,r8 + mov r10,r7 + mov r9,r6 + mov r8,r5 + mov r7,r4 + pop r6 + mov r5,r0 + mov r4,r23 + mov r0,r1 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + or r11,r0 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + subi r22,15 + ldi r25,60 + cpse r22,r25 + rjmp 20b + std Z+16,r3 + std Z+17,r2 + std Z+18,r27 + std Z+19,r26 + std Z+20,r21 + std Z+21,r20 + std Z+22,r19 + std Z+23,r18 + std Z+32,r11 + std Z+33,r10 + std Z+34,r9 + std Z+35,r8 + std Z+36,r7 + std Z+37,r6 + std Z+38,r5 + std Z+39,r4 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size ascon_permute, .-ascon_permute + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.c b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.c index 12a8ec6..657aabe 100644 --- a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.c 
+++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-ascon.c
@@ -22,6 +22,8 @@
 
 #include "internal-ascon.h"
 
+#if !defined(__AVR__)
+
 void ascon_permute(ascon_state_t *state, uint8_t first_round)
 {
 uint64_t t0, t1, t2, t3, t4;
@@ -74,3 +76,5 @@ void ascon_permute(ascon_state_t *state, uint8_t first_round)
 state->S[4] = x4;
 #endif
 }
+
+#endif /* !__AVR__ */
diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak-avr.S b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak-avr.S
new file mode 100644
index 0000000..e50ccaf
--- /dev/null
+++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak-avr.S
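Review bot: The `#if !defined(__AVR__)` guard added at the top of internal-ascon.c leaves no C fallback for ascon_permute, so an AVR build that compiles this file but does not also assemble internal-ascon-avr.S only fails at link time with an undefined reference rather than at compile time, and nothing at the guard says where the symbol is expected to come from. A one-line comment on the guard would make that dependency visible to whoever adapts the build: `#if !defined(__AVR__) /* AVR builds take ascon_permute from internal-ascon-avr.S */`. The same guard and the same comment apply to internal-keccak.c at `@@ -22,74 +22,79 @@`. Because the generated assembly replaces the reference path wholesale on AVR, a known-answer test that compares the full permuted state from both implementations for the `first_round` values the callers use would catch any divergence between them. The body of ascon_permute between the two hunks lies outside both of them.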
@@ -0,0 +1,1552 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global keccakp_200_permute + .type keccakp_200_permute, @function +keccakp_200_permute: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r26,Z+6 + ldd r27,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r4,Z+12 + ldd r5,Z+13 + ldd r6,Z+14 + ldd r7,Z+15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + ldd r24,Z+24 + push r31 + push r30 + rcall 82f + ldi r30,1 + eor r18,r30 + rcall 82f + ldi r30,130 + eor r18,r30 + rcall 82f + ldi r30,138 + eor r18,r30 + rcall 82f + mov r30,r1 + eor r18,r30 + rcall 82f + ldi r30,139 + eor r18,r30 + rcall 82f + ldi r30,1 + eor r18,r30 + rcall 82f + ldi r30,129 + eor r18,r30 + rcall 82f + ldi r30,9 + eor r18,r30 + rcall 82f + ldi r30,138 + eor r18,r30 + rcall 82f + ldi r30,136 + eor r18,r30 + rcall 82f + ldi r30,9 + eor r18,r30 + rcall 82f + ldi r30,10 + eor r18,r30 + rcall 82f + ldi r30,139 + eor r18,r30 + rcall 82f + ldi r30,139 + eor r18,r30 + rcall 82f + ldi r30,137 + eor r18,r30 + rcall 82f + ldi r30,3 + eor r18,r30 + rcall 82f + ldi r30,2 + eor r18,r30 + rcall 82f + ldi r30,128 + eor r18,r30 + rjmp 420f +82: + mov r30,r18 + eor r30,r23 + eor r30,r2 + eor r30,r7 + eor r30,r12 + mov r31,r19 + eor r31,r26 + eor r31,r3 + eor r31,r8 + eor r31,r13 + mov r25,r20 + eor r25,r27 + eor r25,r4 + eor r25,r9 + eor r25,r14 + mov r16,r21 + eor r16,r28 + eor r16,r5 + eor r16,r10 + eor r16,r15 + mov r17,r22 + eor r17,r29 + eor r17,r6 + eor r17,r11 + eor r17,r24 + mov r0,r31 + lsl r0 + adc r0,r1 + eor r0,r17 + eor r18,r0 + eor r23,r0 + eor r2,r0 + eor r7,r0 + eor r12,r0 + mov r0,r25 + lsl r0 + 
adc r0,r1 + eor r0,r30 + eor r19,r0 + eor r26,r0 + eor r3,r0 + eor r8,r0 + eor r13,r0 + mov r0,r16 + lsl r0 + adc r0,r1 + eor r0,r31 + eor r20,r0 + eor r27,r0 + eor r4,r0 + eor r9,r0 + eor r14,r0 + mov r0,r17 + lsl r0 + adc r0,r1 + eor r0,r25 + eor r21,r0 + eor r28,r0 + eor r5,r0 + eor r10,r0 + eor r15,r0 + mov r0,r30 + lsl r0 + adc r0,r1 + eor r0,r16 + eor r22,r0 + eor r29,r0 + eor r6,r0 + eor r11,r0 + eor r24,r0 + mov r30,r19 + swap r26 + mov r19,r26 + swap r29 + mov r26,r29 + mov r0,r1 + lsr r14 + ror r0 + lsr r14 + ror r0 + lsr r14 + ror r0 + or r14,r0 + mov r29,r14 + bst r6,0 + lsr r6 + bld r6,7 + mov r14,r6 + lsl r12 + adc r12,r1 + lsl r12 + adc r12,r1 + mov r6,r12 + mov r0,r1 + lsr r20 + ror r0 + lsr r20 + ror r0 + or r20,r0 + mov r12,r20 + lsl r4 + adc r4,r1 + lsl r4 + adc r4,r1 + lsl r4 + adc r4,r1 + mov r20,r4 + lsl r5 + adc r5,r1 + mov r4,r5 + mov r5,r11 + mov r11,r15 + lsl r7 + adc r7,r1 + mov r15,r7 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + mov r7,r22 + mov r0,r1 + lsr r24 + ror r0 + lsr r24 + ror r0 + or r24,r0 + mov r22,r24 + lsl r13 + adc r13,r1 + lsl r13 + adc r13,r1 + mov r24,r13 + bst r28,0 + lsr r28 + bld r28,7 + mov r13,r28 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r28,r8 + swap r23 + mov r8,r23 + swap r21 + mov r23,r21 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r21,r10 + bst r9,0 + lsr r9 + bld r9,7 + mov r10,r9 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + mov r9,r3 + mov r0,r1 + lsr r27 + ror r0 + lsr r27 + ror r0 + or r27,r0 + mov r3,r27 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + mov r27,r2 + lsl r30 + adc r30,r1 + mov r2,r30 + mov r30,r18 + mov r31,r19 + mov r25,r20 + mov r16,r21 + mov r17,r22 + mov r18,r25 + mov r0,r31 + com r0 + and r18,r0 + eor r18,r30 + mov r19,r16 + mov r0,r25 + com r0 + and r19,r0 + eor r19,r31 + mov r20,r17 + mov r0,r16 + com r0 + and r20,r0 + eor r20,r25 + mov r21,r30 + mov r0,r17 + 
com r0 + and r21,r0 + eor r21,r16 + mov r22,r31 + mov r0,r30 + com r0 + and r22,r0 + eor r22,r17 + mov r30,r23 + mov r31,r26 + mov r25,r27 + mov r16,r28 + mov r17,r29 + mov r23,r25 + mov r0,r31 + com r0 + and r23,r0 + eor r23,r30 + mov r26,r16 + mov r0,r25 + com r0 + and r26,r0 + eor r26,r31 + mov r27,r17 + mov r0,r16 + com r0 + and r27,r0 + eor r27,r25 + mov r28,r30 + mov r0,r17 + com r0 + and r28,r0 + eor r28,r16 + mov r29,r31 + mov r0,r30 + com r0 + and r29,r0 + eor r29,r17 + mov r30,r2 + mov r31,r3 + mov r25,r4 + mov r16,r5 + mov r17,r6 + mov r2,r25 + mov r0,r31 + com r0 + and r2,r0 + eor r2,r30 + mov r3,r16 + mov r0,r25 + com r0 + and r3,r0 + eor r3,r31 + mov r4,r17 + mov r0,r16 + com r0 + and r4,r0 + eor r4,r25 + mov r5,r30 + mov r0,r17 + com r0 + and r5,r0 + eor r5,r16 + mov r6,r31 + mov r0,r30 + com r0 + and r6,r0 + eor r6,r17 + mov r30,r7 + mov r31,r8 + mov r25,r9 + mov r16,r10 + mov r17,r11 + mov r7,r25 + mov r0,r31 + com r0 + and r7,r0 + eor r7,r30 + mov r8,r16 + mov r0,r25 + com r0 + and r8,r0 + eor r8,r31 + mov r9,r17 + mov r0,r16 + com r0 + and r9,r0 + eor r9,r25 + mov r10,r30 + mov r0,r17 + com r0 + and r10,r0 + eor r10,r16 + mov r11,r31 + mov r0,r30 + com r0 + and r11,r0 + eor r11,r17 + mov r30,r12 + mov r31,r13 + mov r25,r14 + mov r16,r15 + mov r17,r24 + mov r12,r25 + mov r0,r31 + com r0 + and r12,r0 + eor r12,r30 + mov r13,r16 + mov r0,r25 + com r0 + and r13,r0 + eor r13,r31 + mov r14,r17 + mov r0,r16 + com r0 + and r14,r0 + eor r14,r25 + mov r15,r30 + mov r0,r17 + com r0 + and r15,r0 + eor r15,r16 + mov r24,r31 + mov r0,r30 + com r0 + and r24,r0 + eor r24,r17 + ret +420: + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r22 + std Z+5,r23 + std Z+6,r26 + std Z+7,r27 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r4 + std Z+13,r5 + std Z+14,r6 + std Z+15,r7 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + std Z+24,r24 + pop 
r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size keccakp_200_permute, .-keccakp_200_permute + + .text +.global keccakp_400_permute + .type keccakp_400_permute, @function +keccakp_400_permute: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + movw r30,r24 +.L__stack_usage = 17 + ld r6,Z + ldd r7,Z+1 + ldd r8,Z+2 + ldd r9,Z+3 + ldd r10,Z+4 + ldd r11,Z+5 + ldd r12,Z+6 + ldd r13,Z+7 + ldd r14,Z+8 + ldd r15,Z+9 + cpi r22,20 + brcs 15f + rcall 153f + ldi r23,1 + eor r6,r23 +15: + cpi r22,19 + brcs 23f + rcall 153f + ldi r23,130 + eor r6,r23 + ldi r17,128 + eor r7,r17 +23: + cpi r22,18 + brcs 31f + rcall 153f + ldi r23,138 + eor r6,r23 + ldi r17,128 + eor r7,r17 +31: + cpi r22,17 + brcs 37f + rcall 153f + ldi r23,128 + eor r7,r23 +37: + cpi r22,16 + brcs 45f + rcall 153f + ldi r23,139 + eor r6,r23 + ldi r17,128 + eor r7,r17 +45: + cpi r22,15 + brcs 51f + rcall 153f + ldi r23,1 + eor r6,r23 +51: + cpi r22,14 + brcs 59f + rcall 153f + ldi r23,129 + eor r6,r23 + ldi r17,128 + eor r7,r17 +59: + cpi r22,13 + brcs 67f + rcall 153f + ldi r23,9 + eor r6,r23 + ldi r17,128 + eor r7,r17 +67: + cpi r22,12 + brcs 73f + rcall 153f + ldi r23,138 + eor r6,r23 +73: + cpi r22,11 + brcs 79f + rcall 153f + ldi r23,136 + eor r6,r23 +79: + cpi r22,10 + brcs 87f + rcall 153f + ldi r23,9 + eor r6,r23 + ldi r17,128 + eor r7,r17 +87: + cpi r22,9 + brcs 93f + rcall 153f + ldi r23,10 + eor r6,r23 +93: + cpi r22,8 + brcs 101f + rcall 153f + ldi r23,139 + eor r6,r23 + ldi r17,128 + eor r7,r17 +101: + cpi r22,7 + brcs 107f + rcall 153f + ldi r23,139 + eor r6,r23 +107: + cpi r22,6 + brcs 115f + rcall 153f + ldi r23,137 + eor r6,r23 + ldi r17,128 + eor r7,r17 +115: + cpi r22,5 + brcs 123f + rcall 153f + ldi r23,3 + eor r6,r23 + ldi r17,128 + eor r7,r17 +123: + cpi 
r22,4 + brcs 131f + rcall 153f + ldi r23,2 + eor r6,r23 + ldi r17,128 + eor r7,r17 +131: + cpi r22,3 + brcs 137f + rcall 153f + ldi r23,128 + eor r6,r23 +137: + cpi r22,2 + brcs 145f + rcall 153f + ldi r23,10 + eor r6,r23 + ldi r17,128 + eor r7,r17 +145: + cpi r22,1 + brcs 151f + rcall 153f + ldi r23,10 + eor r6,r23 +151: + rjmp 1004f +153: + movw r18,r6 + ldd r0,Z+10 + eor r18,r0 + ldd r0,Z+11 + eor r19,r0 + ldd r0,Z+20 + eor r18,r0 + ldd r0,Z+21 + eor r19,r0 + ldd r0,Z+30 + eor r18,r0 + ldd r0,Z+31 + eor r19,r0 + ldd r0,Z+40 + eor r18,r0 + ldd r0,Z+41 + eor r19,r0 + movw r20,r8 + ldd r0,Z+12 + eor r20,r0 + ldd r0,Z+13 + eor r21,r0 + ldd r0,Z+22 + eor r20,r0 + ldd r0,Z+23 + eor r21,r0 + ldd r0,Z+32 + eor r20,r0 + ldd r0,Z+33 + eor r21,r0 + ldd r0,Z+42 + eor r20,r0 + ldd r0,Z+43 + eor r21,r0 + movw r26,r10 + ldd r0,Z+14 + eor r26,r0 + ldd r0,Z+15 + eor r27,r0 + ldd r0,Z+24 + eor r26,r0 + ldd r0,Z+25 + eor r27,r0 + ldd r0,Z+34 + eor r26,r0 + ldd r0,Z+35 + eor r27,r0 + ldd r0,Z+44 + eor r26,r0 + ldd r0,Z+45 + eor r27,r0 + movw r2,r12 + ldd r0,Z+16 + eor r2,r0 + ldd r0,Z+17 + eor r3,r0 + ldd r0,Z+26 + eor r2,r0 + ldd r0,Z+27 + eor r3,r0 + ldd r0,Z+36 + eor r2,r0 + ldd r0,Z+37 + eor r3,r0 + ldd r0,Z+46 + eor r2,r0 + ldd r0,Z+47 + eor r3,r0 + movw r4,r14 + ldd r0,Z+18 + eor r4,r0 + ldd r0,Z+19 + eor r5,r0 + ldd r0,Z+28 + eor r4,r0 + ldd r0,Z+29 + eor r5,r0 + ldd r0,Z+38 + eor r4,r0 + ldd r0,Z+39 + eor r5,r0 + ldd r0,Z+48 + eor r4,r0 + ldd r0,Z+49 + eor r5,r0 + movw r24,r20 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r4 + eor r25,r5 + eor r6,r24 + eor r7,r25 + ldd r0,Z+10 + eor r0,r24 + std Z+10,r0 + ldd r0,Z+11 + eor r0,r25 + std Z+11,r0 + ldd r0,Z+20 + eor r0,r24 + std Z+20,r0 + ldd r0,Z+21 + eor r0,r25 + std Z+21,r0 + ldd r0,Z+30 + eor r0,r24 + std Z+30,r0 + ldd r0,Z+31 + eor r0,r25 + std Z+31,r0 + ldd r0,Z+40 + eor r0,r24 + std Z+40,r0 + ldd r0,Z+41 + eor r0,r25 + std Z+41,r0 + movw r24,r26 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r18 + eor r25,r19 + eor r8,r24 + 
eor r9,r25 + ldd r0,Z+12 + eor r0,r24 + std Z+12,r0 + ldd r0,Z+13 + eor r0,r25 + std Z+13,r0 + ldd r0,Z+22 + eor r0,r24 + std Z+22,r0 + ldd r0,Z+23 + eor r0,r25 + std Z+23,r0 + ldd r0,Z+32 + eor r0,r24 + std Z+32,r0 + ldd r0,Z+33 + eor r0,r25 + std Z+33,r0 + ldd r0,Z+42 + eor r0,r24 + std Z+42,r0 + ldd r0,Z+43 + eor r0,r25 + std Z+43,r0 + movw r24,r2 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r20 + eor r25,r21 + eor r10,r24 + eor r11,r25 + ldd r0,Z+14 + eor r0,r24 + std Z+14,r0 + ldd r0,Z+15 + eor r0,r25 + std Z+15,r0 + ldd r0,Z+24 + eor r0,r24 + std Z+24,r0 + ldd r0,Z+25 + eor r0,r25 + std Z+25,r0 + ldd r0,Z+34 + eor r0,r24 + std Z+34,r0 + ldd r0,Z+35 + eor r0,r25 + std Z+35,r0 + ldd r0,Z+44 + eor r0,r24 + std Z+44,r0 + ldd r0,Z+45 + eor r0,r25 + std Z+45,r0 + movw r24,r4 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r26 + eor r25,r27 + eor r12,r24 + eor r13,r25 + ldd r0,Z+16 + eor r0,r24 + std Z+16,r0 + ldd r0,Z+17 + eor r0,r25 + std Z+17,r0 + ldd r0,Z+26 + eor r0,r24 + std Z+26,r0 + ldd r0,Z+27 + eor r0,r25 + std Z+27,r0 + ldd r0,Z+36 + eor r0,r24 + std Z+36,r0 + ldd r0,Z+37 + eor r0,r25 + std Z+37,r0 + ldd r0,Z+46 + eor r0,r24 + std Z+46,r0 + ldd r0,Z+47 + eor r0,r25 + std Z+47,r0 + movw r24,r18 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r2 + eor r25,r3 + eor r14,r24 + eor r15,r25 + ldd r0,Z+18 + eor r0,r24 + std Z+18,r0 + ldd r0,Z+19 + eor r0,r25 + std Z+19,r0 + ldd r0,Z+28 + eor r0,r24 + std Z+28,r0 + ldd r0,Z+29 + eor r0,r25 + std Z+29,r0 + ldd r0,Z+38 + eor r0,r24 + std Z+38,r0 + ldd r0,Z+39 + eor r0,r25 + std Z+39,r0 + ldd r0,Z+48 + eor r0,r24 + std Z+48,r0 + ldd r0,Z+49 + eor r0,r25 + std Z+49,r0 + movw r24,r8 + ldd r8,Z+12 + ldd r9,Z+13 + mov r0,r9 + mov r9,r8 + mov r8,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldd r18,Z+18 + ldd r19,Z+19 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std 
Z+12,r18 + std Z+13,r19 + ldd r18,Z+44 + ldd r19,Z+45 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+18,r18 + std Z+19,r19 + ldd r18,Z+28 + ldd r19,Z+29 + mov r0,r19 + mov r19,r18 + mov r18,r0 + bst r18,0 + lsr r19 + ror r18 + bld r19,7 + std Z+44,r18 + std Z+45,r19 + ldd r18,Z+40 + ldd r19,Z+41 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+28,r18 + std Z+29,r19 + movw r18,r10 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+40,r18 + std Z+41,r19 + ldd r10,Z+24 + ldd r11,Z+25 + mov r0,r11 + mov r11,r10 + mov r10,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldd r18,Z+26 + ldd r19,Z+27 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + std Z+24,r18 + std Z+25,r19 + ldd r18,Z+38 + ldd r19,Z+39 + mov r0,r19 + mov r19,r18 + mov r18,r0 + std Z+26,r18 + std Z+27,r19 + ldd r18,Z+46 + ldd r19,Z+47 + mov r0,r19 + mov r19,r18 + mov r18,r0 + std Z+38,r18 + std Z+39,r19 + ldd r18,Z+30 + ldd r19,Z+31 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + std Z+46,r18 + std Z+47,r19 + movw r18,r14 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+30,r18 + std Z+31,r19 + ldd r14,Z+48 + ldd r15,Z+49 + mov r0,r1 + lsr r15 + ror r14 + ror r0 + lsr r15 + ror r14 + ror r0 + or r15,r0 + ldd r18,Z+42 + ldd r19,Z+43 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+48,r18 + std Z+49,r19 + ldd r18,Z+16 + ldd r19,Z+17 + mov r0,r19 + mov r19,r18 + mov r18,r0 + bst r18,0 + lsr r19 + ror r18 + bld r19,7 + std Z+42,r18 + std Z+43,r19 + ldd r18,Z+32 + ldd r19,Z+33 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+16,r18 + std Z+17,r19 + ldd r18,Z+10 + ldd r19,Z+11 + lsl 
r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+32,r18 + std Z+33,r19 + movw r18,r12 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+10,r18 + std Z+11,r19 + ldd r12,Z+36 + ldd r13,Z+37 + mov r0,r13 + mov r13,r12 + mov r12,r0 + mov r0,r1 + lsr r13 + ror r12 + ror r0 + lsr r13 + ror r12 + ror r0 + lsr r13 + ror r12 + ror r0 + or r13,r0 + ldd r18,Z+34 + ldd r19,Z+35 + bst r18,0 + lsr r19 + ror r18 + bld r19,7 + std Z+36,r18 + std Z+37,r19 + ldd r18,Z+22 + ldd r19,Z+23 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+34,r18 + std Z+35,r19 + ldd r18,Z+14 + ldd r19,Z+15 + mov r0,r19 + mov r19,r18 + mov r18,r0 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+22,r18 + std Z+23,r19 + ldd r18,Z+20 + ldd r19,Z+21 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+14,r18 + std Z+15,r19 + lsl r24 + rol r25 + adc r24,r1 + std Z+20,r24 + std Z+21,r25 + movw r18,r6 + movw r20,r8 + movw r26,r10 + movw r2,r12 + movw r4,r14 + movw r6,r26 + mov r0,r20 + com r0 + and r6,r0 + mov r0,r21 + com r0 + and r7,r0 + eor r6,r18 + eor r7,r19 + movw r8,r2 + mov r0,r26 + com r0 + and r8,r0 + mov r0,r27 + com r0 + and r9,r0 + eor r8,r20 + eor r9,r21 + movw r10,r4 + mov r0,r2 + com r0 + and r10,r0 + mov r0,r3 + com r0 + and r11,r0 + eor r10,r26 + eor r11,r27 + movw r12,r18 + mov r0,r4 + com r0 + and r12,r0 + mov r0,r5 + com r0 + and r13,r0 + eor r12,r2 + eor r13,r3 + movw r14,r20 + mov r0,r18 + com r0 + and r14,r0 + mov r0,r19 + com r0 + and r15,r0 + eor r14,r4 + eor r15,r5 + ldd r18,Z+10 + ldd r19,Z+11 + ldd r20,Z+12 + ldd r21,Z+13 + ldd r26,Z+14 + ldd r27,Z+15 + ldd r2,Z+16 + ldd r3,Z+17 + ldd r4,Z+18 + ldd r5,Z+19 + movw 
r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+10,r24 + std Z+11,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+12,r24 + std Z+13,r25 + movw r24,r4 + mov r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+14,r24 + std Z+15,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+16,r24 + std Z+17,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+18,r24 + std Z+19,r25 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r4,Z+28 + ldd r5,Z+29 + movw r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+20,r24 + std Z+21,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+22,r24 + std Z+23,r25 + movw r24,r4 + mov r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+24,r24 + std Z+25,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+26,r24 + std Z+27,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+28,r24 + std Z+29,r25 + ldd r18,Z+30 + ldd r19,Z+31 + ldd r20,Z+32 + ldd r21,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r2,Z+36 + ldd r3,Z+37 + ldd r4,Z+38 + ldd r5,Z+39 + movw r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+30,r24 + std Z+31,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+32,r24 + std Z+33,r25 + movw r24,r4 + mov 
r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+34,r24 + std Z+35,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+36,r24 + std Z+37,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+38,r24 + std Z+39,r25 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + ldd r26,Z+44 + ldd r27,Z+45 + ldd r2,Z+46 + ldd r3,Z+47 + ldd r4,Z+48 + ldd r5,Z+49 + movw r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+40,r24 + std Z+41,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+42,r24 + std Z+43,r25 + movw r24,r4 + mov r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+44,r24 + std Z+45,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+46,r24 + std Z+47,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+48,r24 + std Z+49,r25 + ret +1004: + st Z,r6 + std Z+1,r7 + std Z+2,r8 + std Z+3,r9 + std Z+4,r10 + std Z+5,r11 + std Z+6,r12 + std Z+7,r13 + std Z+8,r14 + std Z+9,r15 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size keccakp_400_permute, .-keccakp_400_permute + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.c b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.c index c3c4011..60539df 100644 --- a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.c +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.c 
@@ -22,74 +22,79 @@ #include "internal-keccak.h" +#if !defined(__AVR__) + /* Faster method to compute ((x + y) % 5) that avoids the division */ static unsigned char const addMod5Table[9] = { 0, 1, 2, 3, 4, 0, 1, 2, 3 }; #define addMod5(x, y) (addMod5Table[(x) + (y)]) -void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds) +void keccakp_200_permute(keccakp_200_state_t *state) { static uint8_t const RC[18] = { 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, 0x02, 0x80 }; - uint8_t B[5][5]; + uint8_t C[5]; uint8_t D; unsigned round; unsigned index, index2; - for (round = 18 - rounds; round < 18; ++round) { + for (round = 0; round < 18; ++round) { /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. To save a bit of memory, - * we use the first row of B to store C and compute D on the fly */ + * arrays of size 5 called C and D. Compute D on the fly */ for (index = 0; index < 5; ++index) { - B[0][index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; + C[index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; } for (index = 0; index < 5; ++index) { - D = B[0][addMod5(index, 4)] ^ - leftRotate1_8(B[0][addMod5(index, 1)]); + D = C[addMod5(index, 4)] ^ + leftRotate1_8(C[addMod5(index, 1)]); for (index2 = 0; index2 < 5; ++index2) state->A[index2][index] ^= D; } /* Step mapping rho and pi combined into a single step. 
* Rotate all lanes by a specific offset and rearrange */ - B[0][0] = state->A[0][0]; - B[1][0] = leftRotate4_8(state->A[0][3]); - B[2][0] = leftRotate1_8(state->A[0][1]); - B[3][0] = leftRotate3_8(state->A[0][4]); - B[4][0] = leftRotate6_8(state->A[0][2]); - B[0][1] = leftRotate4_8(state->A[1][1]); - B[1][1] = leftRotate4_8(state->A[1][4]); - B[2][1] = leftRotate6_8(state->A[1][2]); - B[3][1] = leftRotate4_8(state->A[1][0]); - B[4][1] = leftRotate7_8(state->A[1][3]); - B[0][2] = leftRotate3_8(state->A[2][2]); - B[1][2] = leftRotate3_8(state->A[2][0]); - B[2][2] = leftRotate1_8(state->A[2][3]); - B[3][2] = leftRotate2_8(state->A[2][1]); - B[4][2] = leftRotate7_8(state->A[2][4]); - B[0][3] = leftRotate5_8(state->A[3][3]); - B[1][3] = leftRotate5_8(state->A[3][1]); - B[2][3] = state->A[3][4]; - B[3][3] = leftRotate7_8(state->A[3][2]); - B[4][3] = leftRotate1_8(state->A[3][0]); - B[0][4] = leftRotate6_8(state->A[4][4]); - B[1][4] = leftRotate5_8(state->A[4][2]); - B[2][4] = leftRotate2_8(state->A[4][0]); - B[3][4] = state->A[4][3]; - B[4][4] = leftRotate2_8(state->A[4][1]); + D = state->A[0][1]; + state->A[0][1] = leftRotate4_8(state->A[1][1]); + state->A[1][1] = leftRotate4_8(state->A[1][4]); + state->A[1][4] = leftRotate5_8(state->A[4][2]); + state->A[4][2] = leftRotate7_8(state->A[2][4]); + state->A[2][4] = leftRotate2_8(state->A[4][0]); + state->A[4][0] = leftRotate6_8(state->A[0][2]); + state->A[0][2] = leftRotate3_8(state->A[2][2]); + state->A[2][2] = leftRotate1_8(state->A[2][3]); + state->A[2][3] = state->A[3][4]; + state->A[3][4] = state->A[4][3]; + state->A[4][3] = leftRotate1_8(state->A[3][0]); + state->A[3][0] = leftRotate3_8(state->A[0][4]); + state->A[0][4] = leftRotate6_8(state->A[4][4]); + state->A[4][4] = leftRotate2_8(state->A[4][1]); + state->A[4][1] = leftRotate7_8(state->A[1][3]); + state->A[1][3] = leftRotate5_8(state->A[3][1]); + state->A[3][1] = leftRotate4_8(state->A[1][0]); + state->A[1][0] = leftRotate4_8(state->A[0][3]); + state->A[0][3] = 
leftRotate5_8(state->A[3][3]); + state->A[3][3] = leftRotate7_8(state->A[3][2]); + state->A[3][2] = leftRotate2_8(state->A[2][1]); + state->A[2][1] = leftRotate6_8(state->A[1][2]); + state->A[1][2] = leftRotate3_8(state->A[2][0]); + state->A[2][0] = leftRotate1_8(D); /* Step mapping chi. Combine each lane with two others in its row */ for (index = 0; index < 5; ++index) { + C[0] = state->A[index][0]; + C[1] = state->A[index][1]; + C[2] = state->A[index][2]; + C[3] = state->A[index][3]; + C[4] = state->A[index][4]; for (index2 = 0; index2 < 5; ++index2) { - state->A[index2][index] = - B[index2][index] ^ - ((~B[index2][addMod5(index, 1)]) & - B[index2][addMod5(index, 2)]); + state->A[index][index2] = + C[index2] ^ + ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); } } 
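Review bot: The new loop bound `18` and the 18-entry `RC[]` table are tied together only by convention now that the `rounds` parameter is gone, and the in-place rho/pi block is a 24-lane cycle whose statement order is load-bearing: each assignment must read a lane that has not yet been overwritten, with `D` holding the displaced `A[0][1]` until the final `A[2][0] = leftRotate1_8(D)`. I checked the cycle against the removed `B[][]` table and the sources and rotation counts agree, but nothing in the hunk says that a reorder would silently corrupt the permutation, so I'd put `/* In-place rho+pi: one 24-lane cycle starting at A[0][1] (saved in D); order matters, each line reads a lane not yet overwritten */` above `D = state->A[0][1];` and `/* Keccak-p[200] always runs all 18 rounds; RC[] must stay at 18 entries */` on the loop. Reusing `D` for both theta's column term and the saved lane is correct but deserves a word in that comment. The rest of keccakp_200_permute, presumably the iota step that indexes `RC[round]`, lies outside this hunk.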
@@ -110,61 +115,64 @@ void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, 0x8002, 0x0080, 0x800A, 0x000A }; - uint16_t B[5][5]; + uint16_t C[5]; uint16_t D; unsigned round; unsigned index, index2; for (round = 20 - rounds; round < 20; ++round) { /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. To save a bit of memory, - * we use the first row of B to store C and compute D on the fly */ + * arrays of size 5 called C and D. Compute D on the fly */ for (index = 0; index < 5; ++index) { - B[0][index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; + C[index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; } for (index = 0; index < 5; ++index) { - D = B[0][addMod5(index, 4)] ^ - leftRotate1_16(B[0][addMod5(index, 1)]); + D = C[addMod5(index, 4)] ^ + leftRotate1_16(C[addMod5(index, 1)]); for (index2 = 0; index2 < 5; ++index2) state->A[index2][index] ^= D; } /* Step mapping rho and pi combined into a single step. 
* Rotate all lanes by a specific offset and rearrange */ - B[0][0] = state->A[0][0]; - B[1][0] = leftRotate12_16(state->A[0][3]); - B[2][0] = leftRotate1_16 (state->A[0][1]); - B[3][0] = leftRotate11_16(state->A[0][4]); - B[4][0] = leftRotate14_16(state->A[0][2]); - B[0][1] = leftRotate12_16(state->A[1][1]); - B[1][1] = leftRotate4_16 (state->A[1][4]); - B[2][1] = leftRotate6_16 (state->A[1][2]); - B[3][1] = leftRotate4_16 (state->A[1][0]); - B[4][1] = leftRotate7_16 (state->A[1][3]); - B[0][2] = leftRotate11_16(state->A[2][2]); - B[1][2] = leftRotate3_16 (state->A[2][0]); - B[2][2] = leftRotate9_16 (state->A[2][3]); - B[3][2] = leftRotate10_16(state->A[2][1]); - B[4][2] = leftRotate7_16 (state->A[2][4]); - B[0][3] = leftRotate5_16 (state->A[3][3]); - B[1][3] = leftRotate13_16(state->A[3][1]); - B[2][3] = leftRotate8_16 (state->A[3][4]); - B[3][3] = leftRotate15_16(state->A[3][2]); - B[4][3] = leftRotate9_16 (state->A[3][0]); - B[0][4] = leftRotate14_16(state->A[4][4]); - B[1][4] = leftRotate13_16(state->A[4][2]); - B[2][4] = leftRotate2_16 (state->A[4][0]); - B[3][4] = leftRotate8_16 (state->A[4][3]); - B[4][4] = leftRotate2_16 (state->A[4][1]); + D = state->A[0][1]; + state->A[0][1] = leftRotate12_16(state->A[1][1]); + state->A[1][1] = leftRotate4_16 (state->A[1][4]); + state->A[1][4] = leftRotate13_16(state->A[4][2]); + state->A[4][2] = leftRotate7_16 (state->A[2][4]); + state->A[2][4] = leftRotate2_16 (state->A[4][0]); + state->A[4][0] = leftRotate14_16(state->A[0][2]); + state->A[0][2] = leftRotate11_16(state->A[2][2]); + state->A[2][2] = leftRotate9_16 (state->A[2][3]); + state->A[2][3] = leftRotate8_16 (state->A[3][4]); + state->A[3][4] = leftRotate8_16 (state->A[4][3]); + state->A[4][3] = leftRotate9_16 (state->A[3][0]); + state->A[3][0] = leftRotate11_16(state->A[0][4]); + state->A[0][4] = leftRotate14_16(state->A[4][4]); + state->A[4][4] = leftRotate2_16 (state->A[4][1]); + state->A[4][1] = leftRotate7_16 (state->A[1][3]); + state->A[1][3] = 
leftRotate13_16(state->A[3][1]); + state->A[3][1] = leftRotate4_16 (state->A[1][0]); + state->A[1][0] = leftRotate12_16(state->A[0][3]); + state->A[0][3] = leftRotate5_16 (state->A[3][3]); + state->A[3][3] = leftRotate15_16(state->A[3][2]); + state->A[3][2] = leftRotate10_16(state->A[2][1]); + state->A[2][1] = leftRotate6_16 (state->A[1][2]); + state->A[1][2] = leftRotate3_16 (state->A[2][0]); + state->A[2][0] = leftRotate1_16(D); /* Step mapping chi. Combine each lane with two others in its row */ for (index = 0; index < 5; ++index) { + C[0] = state->A[index][0]; + C[1] = state->A[index][1]; + C[2] = state->A[index][2]; + C[3] = state->A[index][3]; + C[4] = state->A[index][4]; for (index2 = 0; index2 < 5; ++index2) { - state->A[index2][index] = - B[index2][index] ^ - ((~B[index2][addMod5(index, 1)]) & - B[index2][addMod5(index, 2)]); + state->A[index][index2] = + C[index2] ^ + ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); } } @@ -202,3 +210,5 @@ void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) } #endif + +#endif /* !__AVR__ */ diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.h b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.h index 026da50..2ffef42 100644 --- a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.h +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-keccak.h @@ -68,9 +68,8 @@ typedef union * \brief Permutes the Keccak-p[200] state. * * \param state The Keccak-p[200] state to be permuted. - * \param rounds The number of rounds to perform (up to 18). */ -void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds); +void keccakp_200_permute(keccakp_200_state_t *state); /** * \brief Permutes the Keccak-p[400] state, which is assumed to be in diff --git a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-util.h b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-util.h index e79158c..e30166d 100644 
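Review bot: `keccakp_400_permute_host` keeps its unbounded `rounds` parameter while the sibling `keccakp_200_permute` in this commit dropped it, and the context line `for (round = 20 - rounds; round < 20; ++round)` has no guard: a caller passing `rounds > 20` makes the unsigned subtraction wrap, the loop body never executes, and the state is returned unpermuted with no error, which for a permutation feeding an AEAD is a silent loss of all mixing rather than a crash. I'd either clamp before the loop, `if (rounds > 20) rounds = 20;`, or state the precondition in the header (the removed doc line for the 200-bit variant said "up to 18"; this hunk does not show what the 400-bit header promises). Now that this C body is compiled out under `__AVR__`, whatever implements `keccakp_400_permute` on that side needs the same bound, which I cannot see from here. The enclosing function starts before this hunk.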
--- a/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-util.h +++ b/isap/Implementations/crypto_aead/isapk128av20/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
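Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is fixed to `defined(__AVR__)`, so the composed rotation path this commit introduces can only ever be compiled and exercised on AVR, which is exactly the build most CI runs and known-answer tests do not cover. Wrapping the selector in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` lets a host test build define it to 1 on the command line and push the cipher's test vectors through the composed macros without changing the AVR default. The comment above it explains the motivation well; I'd add a line noting that the value can be overridden externally once that guard is in place.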
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/aead-common.c b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
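Review bot: The 31 composed rotations and the 31 `rightRotateN` → `leftRotate(32-N)` aliases are hand-derived identities with nothing in the tree checking them, and a wrong count here would not fail loudly; it would change the permutation and every test vector at once, on the one target where the vectors are least likely to be run. I verified each composition by hand (for instance `leftRotate12` = rotl 16 then rotr 4, `leftRotate21` = rotl 24 then rotr 3, `leftRotate28` = rotr 4) and they are all correct, but the generic `leftRotate(a, bits)` is still available in this branch, so a host-side check such as `assert(leftRotate21(0x80000001u) == leftRotate(0x80000001u, 21));` for each N is cheap insurance against a future edit. Whether gcc-avr actually lowers `leftRotate((a), 8)`, `16` and `24` to byte moves as the introductory comment assumes is something I cannot confirm from the diff; inspecting the generated assembly for one Keccak round would settle it.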
--- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/aead-common.h b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/api.h b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/encrypt.c b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/encrypt.c deleted file mode 100644 index 72d2d68..0000000 --- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "isap.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return isap_keccak_128_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return isap_keccak_128_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} 
diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-ascon-avr.S b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-ascon-avr.S deleted file mode 100644 index e8a4fb4..0000000 --- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-ascon-avr.S +++ /dev/null 
@@ -1,778 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global ascon_permute - .type ascon_permute, @function -ascon_permute: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ldi r18,15 - sub r18,r22 - swap r18 - or r22,r18 - ldd r3,Z+16 - ldd r2,Z+17 - ldd r27,Z+18 - ldd r26,Z+19 - ldd r21,Z+20 - ldd r20,Z+21 - ldd r19,Z+22 - ldd r18,Z+23 - ldd r11,Z+32 - ldd r10,Z+33 - ldd r9,Z+34 - ldd r8,Z+35 - ldd r7,Z+36 - ldd r6,Z+37 - ldd r5,Z+38 - ldd r4,Z+39 -20: - eor r18,r22 - ldd r23,Z+7 - ldd r12,Z+15 - ldd r13,Z+31 - eor r23,r4 - eor r4,r13 - eor r18,r12 - mov r14,r23 - mov r15,r12 - mov r24,r18 - mov r25,r13 - mov r16,r4 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r18 - and r24,r13 - and r25,r4 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r18,r25 - eor r13,r16 - eor r4,r14 - eor r12,r23 - eor r23,r4 - eor r13,r18 - com r18 - std Z+7,r23 - std Z+15,r12 - std Z+31,r13 - std Z+39,r4 - ldd r23,Z+6 - ldd r12,Z+14 - ldd r13,Z+30 - eor r23,r5 - eor r5,r13 - eor r19,r12 - mov r14,r23 - mov r15,r12 - mov r24,r19 - mov r25,r13 - mov r16,r5 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r19 - and r24,r13 - and r25,r5 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r19,r25 - eor r13,r16 - eor r5,r14 - eor r12,r23 - eor r23,r5 - eor r13,r19 - com r19 - std Z+6,r23 - std Z+14,r12 - std Z+30,r13 - std Z+38,r5 - ldd r23,Z+5 - ldd r12,Z+13 - ldd r13,Z+29 - eor r23,r6 - eor r6,r13 - eor r20,r12 - mov r14,r23 - mov r15,r12 - mov r24,r20 - mov r25,r13 - mov r16,r6 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r20 - and r24,r13 - and r25,r6 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r20,r25 - eor r13,r16 - eor r6,r14 - eor r12,r23 - eor r23,r6 - eor r13,r20 - com r20 - std Z+5,r23 - std 
Z+13,r12 - std Z+29,r13 - std Z+37,r6 - ldd r23,Z+4 - ldd r12,Z+12 - ldd r13,Z+28 - eor r23,r7 - eor r7,r13 - eor r21,r12 - mov r14,r23 - mov r15,r12 - mov r24,r21 - mov r25,r13 - mov r16,r7 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r21 - and r24,r13 - and r25,r7 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r21,r25 - eor r13,r16 - eor r7,r14 - eor r12,r23 - eor r23,r7 - eor r13,r21 - com r21 - std Z+4,r23 - std Z+12,r12 - std Z+28,r13 - std Z+36,r7 - ldd r23,Z+3 - ldd r12,Z+11 - ldd r13,Z+27 - eor r23,r8 - eor r8,r13 - eor r26,r12 - mov r14,r23 - mov r15,r12 - mov r24,r26 - mov r25,r13 - mov r16,r8 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r26 - and r24,r13 - and r25,r8 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r26,r25 - eor r13,r16 - eor r8,r14 - eor r12,r23 - eor r23,r8 - eor r13,r26 - com r26 - std Z+3,r23 - std Z+11,r12 - std Z+27,r13 - std Z+35,r8 - ldd r23,Z+2 - ldd r12,Z+10 - ldd r13,Z+26 - eor r23,r9 - eor r9,r13 - eor r27,r12 - mov r14,r23 - mov r15,r12 - mov r24,r27 - mov r25,r13 - mov r16,r9 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r27 - and r24,r13 - and r25,r9 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r27,r25 - eor r13,r16 - eor r9,r14 - eor r12,r23 - eor r23,r9 - eor r13,r27 - com r27 - std Z+2,r23 - std Z+10,r12 - std Z+26,r13 - std Z+34,r9 - ldd r23,Z+1 - ldd r12,Z+9 - ldd r13,Z+25 - eor r23,r10 - eor r10,r13 - eor r2,r12 - mov r14,r23 - mov r15,r12 - mov r24,r2 - mov r25,r13 - mov r16,r10 - com r14 - com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r2 - and r24,r13 - and r25,r10 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r2,r25 - eor r13,r16 - eor r10,r14 - eor r12,r23 - eor r23,r10 - eor r13,r2 - com r2 - std Z+1,r23 - std Z+9,r12 - std Z+25,r13 - std Z+33,r10 - ld r23,Z - ldd r12,Z+8 - ldd r13,Z+24 - eor r23,r11 - eor r11,r13 - eor r3,r12 - mov r14,r23 - mov r15,r12 - mov r24,r3 - mov r25,r13 - mov r16,r11 - com r14 - 
com r15 - com r24 - com r25 - com r16 - and r14,r12 - and r15,r3 - and r24,r13 - and r25,r11 - and r16,r23 - eor r23,r15 - eor r12,r24 - eor r3,r25 - eor r13,r16 - eor r11,r14 - eor r12,r23 - eor r23,r11 - eor r13,r3 - com r3 - st Z,r23 - std Z+8,r12 - std Z+24,r13 - std Z+32,r11 - ld r11,Z - ldd r10,Z+1 - ldd r9,Z+2 - ldd r8,Z+3 - ldd r7,Z+4 - ldd r6,Z+5 - ldd r5,Z+6 - ldd r4,Z+7 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - mov r0,r12 - mov r12,r14 - mov r14,r24 - mov r24,r16 - mov r16,r0 - mov r0,r13 - mov r13,r15 - mov r15,r25 - mov r25,r17 - mov r17,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - or r17,r0 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r23,r4 - mov r0,r5 - push r6 - mov r4,r7 - mov r5,r8 - mov r6,r9 - mov r7,r10 - mov r8,r11 - pop r11 - mov r10,r0 - mov r9,r23 - mov r0,r1 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - or r11,r0 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - st Z,r11 - std Z+1,r10 - std Z+2,r9 - std Z+3,r8 - std Z+4,r7 - std Z+5,r6 - std Z+6,r5 - std Z+7,r4 - ldd r11,Z+8 - ldd r10,Z+9 - ldd r9,Z+10 - ldd r8,Z+11 - ldd r7,Z+12 - ldd r6,Z+13 - ldd r5,Z+14 - ldd r4,Z+15 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol r16 - rol r17 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol 
r16 - rol r17 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol r16 - rol r17 - adc r12,r1 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r23,r9 - mov r0,r10 - push r11 - mov r11,r8 - mov r10,r7 - mov r9,r6 - mov r8,r5 - mov r7,r4 - pop r6 - mov r5,r0 - mov r4,r23 - lsl r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - adc r4,r1 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - std Z+8,r11 - std Z+9,r10 - std Z+10,r9 - std Z+11,r8 - std Z+12,r7 - std Z+13,r6 - std Z+14,r5 - std Z+15,r4 - movw r12,r18 - movw r14,r20 - movw r24,r26 - movw r16,r2 - bst r12,0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - bld r17,7 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - eor r24,r26 - eor r25,r27 - eor r16,r2 - eor r17,r3 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r26 - mov r26,r27 - mov r27,r2 - mov r2,r3 - mov r3,r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - rol r2 - rol r3 - adc r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - rol r2 - rol r3 - adc r18,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - eor r26,r24 - eor r27,r25 - eor r2,r16 - eor r3,r17 - ldd r11,Z+24 - ldd r10,Z+25 - ldd r9,Z+26 - ldd r8,Z+27 - ldd r7,Z+28 - ldd r6,Z+29 - ldd r5,Z+30 - ldd r4,Z+31 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - mov r0,r12 - mov r12,r13 - mov r13,r14 - mov r14,r15 - mov r15,r24 - mov r24,r25 - mov r25,r16 - mov r16,r17 - mov r17,r0 - mov r0,r1 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r0 - or r17,r0 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r0,r4 - mov r4,r6 - mov r6,r8 - mov r8,r10 
- mov r10,r0 - mov r0,r5 - mov r5,r7 - mov r7,r9 - mov r9,r11 - mov r11,r0 - mov r0,r1 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - or r11,r0 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - std Z+24,r11 - std Z+25,r10 - std Z+26,r9 - std Z+27,r8 - std Z+28,r7 - std Z+29,r6 - std Z+30,r5 - std Z+31,r4 - ldd r11,Z+32 - ldd r10,Z+33 - ldd r9,Z+34 - ldd r8,Z+35 - ldd r7,Z+36 - ldd r6,Z+37 - ldd r5,Z+38 - ldd r4,Z+39 - movw r12,r4 - movw r14,r6 - movw r24,r8 - movw r16,r10 - mov r0,r12 - mov r12,r13 - mov r13,r14 - mov r14,r15 - mov r15,r24 - mov r24,r25 - mov r25,r16 - mov r16,r17 - mov r17,r0 - lsl r12 - rol r13 - rol r14 - rol r15 - rol r24 - rol r25 - rol r16 - rol r17 - adc r12,r1 - eor r12,r4 - eor r13,r5 - eor r14,r6 - eor r15,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - mov r23,r9 - mov r0,r10 - push r11 - mov r11,r8 - mov r10,r7 - mov r9,r6 - mov r8,r5 - mov r7,r4 - pop r6 - mov r5,r0 - mov r4,r23 - mov r0,r1 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r0 - or r11,r0 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - eor r10,r16 - eor r11,r17 - subi r22,15 - ldi r25,60 - cpse r22,r25 - rjmp 20b - std Z+16,r3 - std Z+17,r2 - std Z+18,r27 - std Z+19,r26 - std Z+20,r21 - std Z+21,r20 - std Z+22,r19 - std Z+23,r18 - std Z+32,r11 - std Z+33,r10 - std Z+34,r9 - std Z+35,r8 - std Z+36,r7 - std Z+37,r6 - std Z+38,r5 - std Z+39,r4 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size ascon_permute, .-ascon_permute - -#endif diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-ascon.c b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-ascon.c deleted file mode 100644 index 657aabe..0000000 
--- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-ascon.c
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-ascon.h"
-
-#if !defined(__AVR__)
-
-void ascon_permute(ascon_state_t *state, uint8_t first_round)
-{
- uint64_t t0, t1, t2, t3, t4;
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- uint64_t x0 = be_load_word64(state->B);
- uint64_t x1 = be_load_word64(state->B + 8);
- uint64_t x2 = be_load_word64(state->B + 16);
- uint64_t x3 = be_load_word64(state->B + 24);
- uint64_t x4 = be_load_word64(state->B + 32);
-#else
- uint64_t x0 = state->S[0];
- uint64_t x1 = state->S[1];
- uint64_t x2 = state->S[2];
- uint64_t x3 = state->S[3];
- uint64_t x4 = state->S[4];
-#endif
- while (first_round < 12) {
- /* Add the round constant to the state */
- x2 ^= ((0x0F - first_round) << 4) | first_round;
-
- /* Substitution layer - apply the s-box using bit-slicing
- * according to the algorithm recommended in the specification */
- x0 ^= x4; x4 ^= x3; x2 ^= x1;
- t0 = ~x0; t1 = ~x1; t2 = ~x2; t3 = ~x3; t4 = ~x4;
- t0 &= x1; t1 &= x2; t2 &= x3; t3 &= x4; t4 &= x0;
- x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0;
- x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2;
-
- /* Linear diffusion layer */
- x0 ^= rightRotate19_64(x0) ^ rightRotate28_64(x0);
- x1 ^= rightRotate61_64(x1) ^ rightRotate39_64(x1);
- x2 ^= rightRotate1_64(x2) ^ rightRotate6_64(x2);
- x3 ^= rightRotate10_64(x3) ^ rightRotate17_64(x3);
- x4 ^= rightRotate7_64(x4) ^ rightRotate41_64(x4);
-
- /* Move onto the next round */
- ++first_round;
- }
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- be_store_word64(state->B, x0);
- be_store_word64(state->B + 8, x1);
- be_store_word64(state->B + 16, x2);
- be_store_word64(state->B + 24, x3);
- be_store_word64(state->B + 32, x4);
-#else
- state->S[0] = x0;
- state->S[1] = x1;
- state->S[2] = x2;
- state->S[3] = x3;
- state->S[4] = x4;
-#endif
-}
-
-#endif /* !__AVR__ */
diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-ascon.h b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-ascon.h
deleted file mode 100644
index d3fa3ca..0000000
--- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-ascon.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_ASCON_H
-#define LW_INTERNAL_ASCON_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-ascon.h
- * \brief Internal implementation of the ASCON permutation.
- *
- * References: http://competitions.cr.yp.to/round3/asconv12.pdf,
- * http://ascon.iaik.tugraz.at/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Structure of the internal state of the ASCON permutation.
- */
-typedef union
-{
- uint64_t S[5]; /**< Words of the state */
- uint8_t B[40]; /**< Bytes of the state */
-
-} ascon_state_t;
-
-/**
- * \brief Permutes the ASCON state.
- *
- * \param state The ASCON state to be permuted.
- * \param first_round The first round (of 12) to be performed; 0, 4, or 6.
- *
- * The input and output \a state will be in big-endian byte order.
- */
-void ascon_permute(ascon_state_t *state, uint8_t first_round);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-isap.h b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-isap.h
deleted file mode 100644
index ba99f2a..0000000
--- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-isap.h
+++ /dev/null
@@ -1,249 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-/* We expect a number of macros to be defined before this file
- * is included to configure the underlying ISAP variant.
- *
- * ISAP_ALG_NAME Name of the ISAP algorithm; e.g. isap_keccak_128
- * ISAP_RATE Number of bytes in the rate for hashing and encryption.
- * ISAP_sH Number of rounds for hashing.
- * ISAP_sE Number of rounds for encryption.
- * ISAP_sB Number of rounds for key bit absorption.
- * ISAP_sK Number of rounds for keying.
- * ISAP_STATE Type for the permuation state; e.g. ascon_state_t
- * ISAP_PERMUTE(s,r) Permutes the state "s" with number of rounds "r".
- */
-#if defined(ISAP_ALG_NAME)
-
-#define ISAP_CONCAT_INNER(name,suffix) name##suffix
-#define ISAP_CONCAT(name,suffix) ISAP_CONCAT_INNER(name,suffix)
-
-/* IV string for initialising the associated data */
-static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_A)
- [sizeof(ISAP_STATE) - ISAP_NONCE_SIZE] = {
- 0x01, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1,
- ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK
-};
-
-/* IV string for authenticating associated data */
-static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA)
- [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = {
- 0x02, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1,
- ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK
-};
-
-/* IV string for encrypting payload data */
-static unsigned char const ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE)
- [sizeof(ISAP_STATE) - ISAP_KEY_SIZE] = {
- 0x03, ISAP_KEY_SIZE * 8, ISAP_RATE * 8, 1,
- ISAP_sH, ISAP_sB, ISAP_sE, ISAP_sK
-};
-
-/**
- * \brief Re-keys the ISAP permutation state.
- *
- * \param state The permutation state to be re-keyed.
- * \param k Points to the 128-bit key for the ISAP cipher.
- * \param iv Points to the initialization vector for this re-keying operation.
- * \param data Points to the data to be absorbed to perform the re-keying.
- * \param data_len Length of the data to be absorbed.
- *
- * The output key will be left in the leading bytes of \a state.
- */
-static void ISAP_CONCAT(ISAP_ALG_NAME,_rekey)
- (ISAP_STATE *state, const unsigned char *k, const unsigned char *iv,
- const unsigned char *data, unsigned data_len)
-{
- unsigned bit, num_bits;
-
- /* Initialize the state with the key and IV */
- memcpy(state->B, k, ISAP_KEY_SIZE);
- memcpy(state->B + ISAP_KEY_SIZE, iv, sizeof(state->B) - ISAP_KEY_SIZE);
- ISAP_PERMUTE(state, ISAP_sK);
-
- /* Absorb all of the bits of the data buffer one by one */
- num_bits = data_len * 8 - 1;
- for (bit = 0; bit < num_bits; ++bit) {
- state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80;
- ISAP_PERMUTE(state, ISAP_sB);
- }
- state->B[0] ^= (data[bit / 8] << (bit % 8)) & 0x80;
- ISAP_PERMUTE(state, ISAP_sK);
-}
-
-/**
- * \brief Encrypts (or decrypts) a message payload with ISAP.
- *
- * \param state ISAP permutation state.
- * \param k Points to the 128-bit key for the ISAP cipher.
- * \param npub Points to the 128-bit nonce for the ISAP cipher.
- * \param c Buffer to receive the output ciphertext.
- * \param m Buffer to receive the input plaintext.
- * \param mlen Length of the input plaintext.
- */
-static void ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)
- (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub,
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Set up the re-keyed encryption key and nonce in the state */
- ISAP_CONCAT(ISAP_ALG_NAME,_rekey)
- (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KE), npub, ISAP_NONCE_SIZE);
- memcpy(state->B + sizeof(ISAP_STATE) - ISAP_NONCE_SIZE,
- npub, ISAP_NONCE_SIZE);
-
- /* Encrypt the plaintext to produce the ciphertext */
- while (mlen >= ISAP_RATE) {
- ISAP_PERMUTE(state, ISAP_sE);
- lw_xor_block_2_src(c, state->B, m, ISAP_RATE);
- c += ISAP_RATE;
- m += ISAP_RATE;
- mlen -= ISAP_RATE;
- }
- if (mlen > 0) {
- ISAP_PERMUTE(state, ISAP_sE);
- lw_xor_block_2_src(c, state->B, m, (unsigned)mlen);
- }
-}
-
-/**
- * \brief Authenticates the associated data and ciphertext using ISAP.
- *
- * \param state ISAP permutation state.
- * \param k Points to the 128-bit key for the ISAP cipher.
- * \param npub Points to the 128-bit nonce for the ISAP cipher.
- * \param ad Buffer containing the associated data.
- * \param adlen Length of the associated data.
- * \param c Buffer containing the ciphertext.
- * \param clen Length of the ciphertext.
- */
-static void ISAP_CONCAT(ISAP_ALG_NAME,_mac)
- (ISAP_STATE *state, const unsigned char *k, const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *c, unsigned long long clen,
- unsigned char *tag)
-{
- unsigned char preserve[sizeof(ISAP_STATE) - ISAP_TAG_SIZE];
- unsigned temp;
-
- /* Absorb the associated data */
- memcpy(state->B, npub, ISAP_NONCE_SIZE);
- memcpy(state->B + ISAP_NONCE_SIZE, ISAP_CONCAT(ISAP_ALG_NAME,_IV_A),
- sizeof(state->B) - ISAP_NONCE_SIZE);
- ISAP_PERMUTE(state, ISAP_sH);
- while (adlen >= ISAP_RATE) {
- lw_xor_block(state->B, ad, ISAP_RATE);
- ISAP_PERMUTE(state, ISAP_sH);
- ad += ISAP_RATE;
- adlen -= ISAP_RATE;
- }
- temp = (unsigned)adlen;
- lw_xor_block(state->B, ad, temp);
- state->B[temp] ^= 0x80; /* padding */
- ISAP_PERMUTE(state, ISAP_sH);
- state->B[sizeof(state->B) - 1] ^= 0x01; /* domain separation */
-
- /* Absorb the ciphertext */
- while (clen >= ISAP_RATE) {
- lw_xor_block(state->B, c, ISAP_RATE);
- ISAP_PERMUTE(state, ISAP_sH);
- c += ISAP_RATE;
- clen -= ISAP_RATE;
- }
- temp = (unsigned)clen;
- lw_xor_block(state->B, c, temp);
- state->B[temp] ^= 0x80; /* padding */
- ISAP_PERMUTE(state, ISAP_sH);
-
- /* Re-key the state and generate the authentication tag */
- memcpy(tag, state->B, ISAP_TAG_SIZE);
- memcpy(preserve, state->B + ISAP_TAG_SIZE, sizeof(preserve));
- ISAP_CONCAT(ISAP_ALG_NAME,_rekey)
- (state, k, ISAP_CONCAT(ISAP_ALG_NAME,_IV_KA), tag, ISAP_TAG_SIZE);
- memcpy(state->B + ISAP_TAG_SIZE, preserve, sizeof(preserve));
- ISAP_PERMUTE(state, ISAP_sH);
- memcpy(tag, state->B, ISAP_TAG_SIZE);
-}
-
-int ISAP_CONCAT(ISAP_ALG_NAME,_aead_encrypt)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- ISAP_STATE state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ISAP_TAG_SIZE;
-
- /* Encrypt the plaintext to produce the ciphertext */
- ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, c, m, mlen);
-
- /* Authenticate the associated data and ciphertext to generate the tag */
- ISAP_CONCAT(ISAP_ALG_NAME,_mac)
- (&state, k, npub, ad, adlen, c, mlen, c + mlen);
- return 0;
-}
-
-int ISAP_CONCAT(ISAP_ALG_NAME,_aead_decrypt)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- ISAP_STATE state;
- unsigned char tag[ISAP_TAG_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ISAP_TAG_SIZE)
- return -1;
- *mlen = clen - ISAP_TAG_SIZE;
-
- /* Authenticate the associated data and ciphertext to generate the tag */
- ISAP_CONCAT(ISAP_ALG_NAME,_mac)(&state, k, npub, ad, adlen, c, *mlen, tag);
-
- /* Decrypt the ciphertext to produce the plaintext */
- ISAP_CONCAT(ISAP_ALG_NAME,_encrypt)(&state, k, npub, m, c, *mlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, tag, c + *mlen, ISAP_TAG_SIZE);
-}
-
-#endif /* ISAP_ALG_NAME */
-
-/* Now undefine everything so that we can include this file again for
- * another variant on the ISAP algorithm */
-#undef ISAP_ALG_NAME
-#undef ISAP_RATE
-#undef ISAP_sH
-#undef ISAP_sE
-#undef ISAP_sB
-#undef ISAP_sK
-#undef ISAP_STATE
-#undef ISAP_PERMUTE
-#undef ISAP_CONCAT_INNER
-#undef ISAP_CONCAT
diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-keccak-avr.S b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-keccak-avr.S
deleted file mode 100644
index e50ccaf..0000000
--- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-keccak-avr.S
+++ /dev/null
@@ -1,1552 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global keccakp_200_permute - .type keccakp_200_permute, @function -keccakp_200_permute: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r26,Z+6 - ldd r27,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r4,Z+12 - ldd r5,Z+13 - ldd r6,Z+14 - ldd r7,Z+15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - ldd r24,Z+24 - push r31 - push r30 - rcall 82f - ldi r30,1 - eor r18,r30 - rcall 82f - ldi r30,130 - eor r18,r30 - rcall 82f - ldi r30,138 - eor r18,r30 - rcall 82f - mov r30,r1 - eor r18,r30 - rcall 82f - ldi r30,139 - eor r18,r30 - rcall 82f - ldi r30,1 - eor r18,r30 - rcall 82f - ldi r30,129 - eor r18,r30 - rcall 82f - ldi r30,9 - eor r18,r30 - rcall 82f - ldi r30,138 - eor r18,r30 - rcall 82f - ldi r30,136 - eor r18,r30 - rcall 82f - ldi r30,9 - eor r18,r30 - rcall 82f - ldi r30,10 - eor r18,r30 - rcall 82f - ldi r30,139 - eor r18,r30 - rcall 82f - ldi r30,139 - eor r18,r30 - rcall 82f - ldi r30,137 - eor r18,r30 - rcall 82f - ldi r30,3 - eor r18,r30 - rcall 82f - ldi r30,2 - eor r18,r30 - rcall 82f - ldi r30,128 - eor r18,r30 - rjmp 420f -82: - mov r30,r18 - eor r30,r23 - eor r30,r2 - eor r30,r7 - eor r30,r12 - mov r31,r19 - eor r31,r26 - eor r31,r3 - eor r31,r8 - eor r31,r13 - mov r25,r20 - eor r25,r27 - eor r25,r4 - eor r25,r9 - eor r25,r14 - mov r16,r21 - eor r16,r28 - eor r16,r5 - eor r16,r10 - eor r16,r15 - mov r17,r22 - eor r17,r29 - eor r17,r6 - eor r17,r11 - eor r17,r24 - mov r0,r31 - lsl r0 - adc r0,r1 - eor r0,r17 - eor r18,r0 - eor r23,r0 - eor r2,r0 - eor r7,r0 - eor r12,r0 - mov r0,r25 - lsl r0 - 
adc r0,r1 - eor r0,r30 - eor r19,r0 - eor r26,r0 - eor r3,r0 - eor r8,r0 - eor r13,r0 - mov r0,r16 - lsl r0 - adc r0,r1 - eor r0,r31 - eor r20,r0 - eor r27,r0 - eor r4,r0 - eor r9,r0 - eor r14,r0 - mov r0,r17 - lsl r0 - adc r0,r1 - eor r0,r25 - eor r21,r0 - eor r28,r0 - eor r5,r0 - eor r10,r0 - eor r15,r0 - mov r0,r30 - lsl r0 - adc r0,r1 - eor r0,r16 - eor r22,r0 - eor r29,r0 - eor r6,r0 - eor r11,r0 - eor r24,r0 - mov r30,r19 - swap r26 - mov r19,r26 - swap r29 - mov r26,r29 - mov r0,r1 - lsr r14 - ror r0 - lsr r14 - ror r0 - lsr r14 - ror r0 - or r14,r0 - mov r29,r14 - bst r6,0 - lsr r6 - bld r6,7 - mov r14,r6 - lsl r12 - adc r12,r1 - lsl r12 - adc r12,r1 - mov r6,r12 - mov r0,r1 - lsr r20 - ror r0 - lsr r20 - ror r0 - or r20,r0 - mov r12,r20 - lsl r4 - adc r4,r1 - lsl r4 - adc r4,r1 - lsl r4 - adc r4,r1 - mov r20,r4 - lsl r5 - adc r5,r1 - mov r4,r5 - mov r5,r11 - mov r11,r15 - lsl r7 - adc r7,r1 - mov r15,r7 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - mov r7,r22 - mov r0,r1 - lsr r24 - ror r0 - lsr r24 - ror r0 - or r24,r0 - mov r22,r24 - lsl r13 - adc r13,r1 - lsl r13 - adc r13,r1 - mov r24,r13 - bst r28,0 - lsr r28 - bld r28,7 - mov r13,r28 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r28,r8 - swap r23 - mov r8,r23 - swap r21 - mov r23,r21 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r21,r10 - bst r9,0 - lsr r9 - bld r9,7 - mov r10,r9 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - mov r9,r3 - mov r0,r1 - lsr r27 - ror r0 - lsr r27 - ror r0 - or r27,r0 - mov r3,r27 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - mov r27,r2 - lsl r30 - adc r30,r1 - mov r2,r30 - mov r30,r18 - mov r31,r19 - mov r25,r20 - mov r16,r21 - mov r17,r22 - mov r18,r25 - mov r0,r31 - com r0 - and r18,r0 - eor r18,r30 - mov r19,r16 - mov r0,r25 - com r0 - and r19,r0 - eor r19,r31 - mov r20,r17 - mov r0,r16 - com r0 - and r20,r0 - eor r20,r25 - mov r21,r30 - mov r0,r17 - 
com r0 - and r21,r0 - eor r21,r16 - mov r22,r31 - mov r0,r30 - com r0 - and r22,r0 - eor r22,r17 - mov r30,r23 - mov r31,r26 - mov r25,r27 - mov r16,r28 - mov r17,r29 - mov r23,r25 - mov r0,r31 - com r0 - and r23,r0 - eor r23,r30 - mov r26,r16 - mov r0,r25 - com r0 - and r26,r0 - eor r26,r31 - mov r27,r17 - mov r0,r16 - com r0 - and r27,r0 - eor r27,r25 - mov r28,r30 - mov r0,r17 - com r0 - and r28,r0 - eor r28,r16 - mov r29,r31 - mov r0,r30 - com r0 - and r29,r0 - eor r29,r17 - mov r30,r2 - mov r31,r3 - mov r25,r4 - mov r16,r5 - mov r17,r6 - mov r2,r25 - mov r0,r31 - com r0 - and r2,r0 - eor r2,r30 - mov r3,r16 - mov r0,r25 - com r0 - and r3,r0 - eor r3,r31 - mov r4,r17 - mov r0,r16 - com r0 - and r4,r0 - eor r4,r25 - mov r5,r30 - mov r0,r17 - com r0 - and r5,r0 - eor r5,r16 - mov r6,r31 - mov r0,r30 - com r0 - and r6,r0 - eor r6,r17 - mov r30,r7 - mov r31,r8 - mov r25,r9 - mov r16,r10 - mov r17,r11 - mov r7,r25 - mov r0,r31 - com r0 - and r7,r0 - eor r7,r30 - mov r8,r16 - mov r0,r25 - com r0 - and r8,r0 - eor r8,r31 - mov r9,r17 - mov r0,r16 - com r0 - and r9,r0 - eor r9,r25 - mov r10,r30 - mov r0,r17 - com r0 - and r10,r0 - eor r10,r16 - mov r11,r31 - mov r0,r30 - com r0 - and r11,r0 - eor r11,r17 - mov r30,r12 - mov r31,r13 - mov r25,r14 - mov r16,r15 - mov r17,r24 - mov r12,r25 - mov r0,r31 - com r0 - and r12,r0 - eor r12,r30 - mov r13,r16 - mov r0,r25 - com r0 - and r13,r0 - eor r13,r31 - mov r14,r17 - mov r0,r16 - com r0 - and r14,r0 - eor r14,r25 - mov r15,r30 - mov r0,r17 - com r0 - and r15,r0 - eor r15,r16 - mov r24,r31 - mov r0,r30 - com r0 - and r24,r0 - eor r24,r17 - ret -420: - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r22 - std Z+5,r23 - std Z+6,r26 - std Z+7,r27 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r4 - std Z+13,r5 - std Z+14,r6 - std Z+15,r7 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - std Z+24,r24 - pop 
r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size keccakp_200_permute, .-keccakp_200_permute - - .text -.global keccakp_400_permute - .type keccakp_400_permute, @function -keccakp_400_permute: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - movw r30,r24 -.L__stack_usage = 17 - ld r6,Z - ldd r7,Z+1 - ldd r8,Z+2 - ldd r9,Z+3 - ldd r10,Z+4 - ldd r11,Z+5 - ldd r12,Z+6 - ldd r13,Z+7 - ldd r14,Z+8 - ldd r15,Z+9 - cpi r22,20 - brcs 15f - rcall 153f - ldi r23,1 - eor r6,r23 -15: - cpi r22,19 - brcs 23f - rcall 153f - ldi r23,130 - eor r6,r23 - ldi r17,128 - eor r7,r17 -23: - cpi r22,18 - brcs 31f - rcall 153f - ldi r23,138 - eor r6,r23 - ldi r17,128 - eor r7,r17 -31: - cpi r22,17 - brcs 37f - rcall 153f - ldi r23,128 - eor r7,r23 -37: - cpi r22,16 - brcs 45f - rcall 153f - ldi r23,139 - eor r6,r23 - ldi r17,128 - eor r7,r17 -45: - cpi r22,15 - brcs 51f - rcall 153f - ldi r23,1 - eor r6,r23 -51: - cpi r22,14 - brcs 59f - rcall 153f - ldi r23,129 - eor r6,r23 - ldi r17,128 - eor r7,r17 -59: - cpi r22,13 - brcs 67f - rcall 153f - ldi r23,9 - eor r6,r23 - ldi r17,128 - eor r7,r17 -67: - cpi r22,12 - brcs 73f - rcall 153f - ldi r23,138 - eor r6,r23 -73: - cpi r22,11 - brcs 79f - rcall 153f - ldi r23,136 - eor r6,r23 -79: - cpi r22,10 - brcs 87f - rcall 153f - ldi r23,9 - eor r6,r23 - ldi r17,128 - eor r7,r17 -87: - cpi r22,9 - brcs 93f - rcall 153f - ldi r23,10 - eor r6,r23 -93: - cpi r22,8 - brcs 101f - rcall 153f - ldi r23,139 - eor r6,r23 - ldi r17,128 - eor r7,r17 -101: - cpi r22,7 - brcs 107f - rcall 153f - ldi r23,139 - eor r6,r23 -107: - cpi r22,6 - brcs 115f - rcall 153f - ldi r23,137 - eor r6,r23 - ldi r17,128 - eor r7,r17 -115: - cpi r22,5 - brcs 123f - rcall 153f - ldi r23,3 - eor r6,r23 - ldi r17,128 - eor r7,r17 -123: - cpi 
r22,4 - brcs 131f - rcall 153f - ldi r23,2 - eor r6,r23 - ldi r17,128 - eor r7,r17 -131: - cpi r22,3 - brcs 137f - rcall 153f - ldi r23,128 - eor r6,r23 -137: - cpi r22,2 - brcs 145f - rcall 153f - ldi r23,10 - eor r6,r23 - ldi r17,128 - eor r7,r17 -145: - cpi r22,1 - brcs 151f - rcall 153f - ldi r23,10 - eor r6,r23 -151: - rjmp 1004f -153: - movw r18,r6 - ldd r0,Z+10 - eor r18,r0 - ldd r0,Z+11 - eor r19,r0 - ldd r0,Z+20 - eor r18,r0 - ldd r0,Z+21 - eor r19,r0 - ldd r0,Z+30 - eor r18,r0 - ldd r0,Z+31 - eor r19,r0 - ldd r0,Z+40 - eor r18,r0 - ldd r0,Z+41 - eor r19,r0 - movw r20,r8 - ldd r0,Z+12 - eor r20,r0 - ldd r0,Z+13 - eor r21,r0 - ldd r0,Z+22 - eor r20,r0 - ldd r0,Z+23 - eor r21,r0 - ldd r0,Z+32 - eor r20,r0 - ldd r0,Z+33 - eor r21,r0 - ldd r0,Z+42 - eor r20,r0 - ldd r0,Z+43 - eor r21,r0 - movw r26,r10 - ldd r0,Z+14 - eor r26,r0 - ldd r0,Z+15 - eor r27,r0 - ldd r0,Z+24 - eor r26,r0 - ldd r0,Z+25 - eor r27,r0 - ldd r0,Z+34 - eor r26,r0 - ldd r0,Z+35 - eor r27,r0 - ldd r0,Z+44 - eor r26,r0 - ldd r0,Z+45 - eor r27,r0 - movw r2,r12 - ldd r0,Z+16 - eor r2,r0 - ldd r0,Z+17 - eor r3,r0 - ldd r0,Z+26 - eor r2,r0 - ldd r0,Z+27 - eor r3,r0 - ldd r0,Z+36 - eor r2,r0 - ldd r0,Z+37 - eor r3,r0 - ldd r0,Z+46 - eor r2,r0 - ldd r0,Z+47 - eor r3,r0 - movw r4,r14 - ldd r0,Z+18 - eor r4,r0 - ldd r0,Z+19 - eor r5,r0 - ldd r0,Z+28 - eor r4,r0 - ldd r0,Z+29 - eor r5,r0 - ldd r0,Z+38 - eor r4,r0 - ldd r0,Z+39 - eor r5,r0 - ldd r0,Z+48 - eor r4,r0 - ldd r0,Z+49 - eor r5,r0 - movw r24,r20 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r4 - eor r25,r5 - eor r6,r24 - eor r7,r25 - ldd r0,Z+10 - eor r0,r24 - std Z+10,r0 - ldd r0,Z+11 - eor r0,r25 - std Z+11,r0 - ldd r0,Z+20 - eor r0,r24 - std Z+20,r0 - ldd r0,Z+21 - eor r0,r25 - std Z+21,r0 - ldd r0,Z+30 - eor r0,r24 - std Z+30,r0 - ldd r0,Z+31 - eor r0,r25 - std Z+31,r0 - ldd r0,Z+40 - eor r0,r24 - std Z+40,r0 - ldd r0,Z+41 - eor r0,r25 - std Z+41,r0 - movw r24,r26 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r18 - eor r25,r19 - eor r8,r24 - 
eor r9,r25 - ldd r0,Z+12 - eor r0,r24 - std Z+12,r0 - ldd r0,Z+13 - eor r0,r25 - std Z+13,r0 - ldd r0,Z+22 - eor r0,r24 - std Z+22,r0 - ldd r0,Z+23 - eor r0,r25 - std Z+23,r0 - ldd r0,Z+32 - eor r0,r24 - std Z+32,r0 - ldd r0,Z+33 - eor r0,r25 - std Z+33,r0 - ldd r0,Z+42 - eor r0,r24 - std Z+42,r0 - ldd r0,Z+43 - eor r0,r25 - std Z+43,r0 - movw r24,r2 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r20 - eor r25,r21 - eor r10,r24 - eor r11,r25 - ldd r0,Z+14 - eor r0,r24 - std Z+14,r0 - ldd r0,Z+15 - eor r0,r25 - std Z+15,r0 - ldd r0,Z+24 - eor r0,r24 - std Z+24,r0 - ldd r0,Z+25 - eor r0,r25 - std Z+25,r0 - ldd r0,Z+34 - eor r0,r24 - std Z+34,r0 - ldd r0,Z+35 - eor r0,r25 - std Z+35,r0 - ldd r0,Z+44 - eor r0,r24 - std Z+44,r0 - ldd r0,Z+45 - eor r0,r25 - std Z+45,r0 - movw r24,r4 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r26 - eor r25,r27 - eor r12,r24 - eor r13,r25 - ldd r0,Z+16 - eor r0,r24 - std Z+16,r0 - ldd r0,Z+17 - eor r0,r25 - std Z+17,r0 - ldd r0,Z+26 - eor r0,r24 - std Z+26,r0 - ldd r0,Z+27 - eor r0,r25 - std Z+27,r0 - ldd r0,Z+36 - eor r0,r24 - std Z+36,r0 - ldd r0,Z+37 - eor r0,r25 - std Z+37,r0 - ldd r0,Z+46 - eor r0,r24 - std Z+46,r0 - ldd r0,Z+47 - eor r0,r25 - std Z+47,r0 - movw r24,r18 - lsl r24 - rol r25 - adc r24,r1 - eor r24,r2 - eor r25,r3 - eor r14,r24 - eor r15,r25 - ldd r0,Z+18 - eor r0,r24 - std Z+18,r0 - ldd r0,Z+19 - eor r0,r25 - std Z+19,r0 - ldd r0,Z+28 - eor r0,r24 - std Z+28,r0 - ldd r0,Z+29 - eor r0,r25 - std Z+29,r0 - ldd r0,Z+38 - eor r0,r24 - std Z+38,r0 - ldd r0,Z+39 - eor r0,r25 - std Z+39,r0 - ldd r0,Z+48 - eor r0,r24 - std Z+48,r0 - ldd r0,Z+49 - eor r0,r25 - std Z+49,r0 - movw r24,r8 - ldd r8,Z+12 - ldd r9,Z+13 - mov r0,r9 - mov r9,r8 - mov r8,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldd r18,Z+18 - ldd r19,Z+19 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std 
Z+12,r18 - std Z+13,r19 - ldd r18,Z+44 - ldd r19,Z+45 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+18,r18 - std Z+19,r19 - ldd r18,Z+28 - ldd r19,Z+29 - mov r0,r19 - mov r19,r18 - mov r18,r0 - bst r18,0 - lsr r19 - ror r18 - bld r19,7 - std Z+44,r18 - std Z+45,r19 - ldd r18,Z+40 - ldd r19,Z+41 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+28,r18 - std Z+29,r19 - movw r18,r10 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+40,r18 - std Z+41,r19 - ldd r10,Z+24 - ldd r11,Z+25 - mov r0,r11 - mov r11,r10 - mov r10,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldd r18,Z+26 - ldd r19,Z+27 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - std Z+24,r18 - std Z+25,r19 - ldd r18,Z+38 - ldd r19,Z+39 - mov r0,r19 - mov r19,r18 - mov r18,r0 - std Z+26,r18 - std Z+27,r19 - ldd r18,Z+46 - ldd r19,Z+47 - mov r0,r19 - mov r19,r18 - mov r18,r0 - std Z+38,r18 - std Z+39,r19 - ldd r18,Z+30 - ldd r19,Z+31 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - std Z+46,r18 - std Z+47,r19 - movw r18,r14 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+30,r18 - std Z+31,r19 - ldd r14,Z+48 - ldd r15,Z+49 - mov r0,r1 - lsr r15 - ror r14 - ror r0 - lsr r15 - ror r14 - ror r0 - or r15,r0 - ldd r18,Z+42 - ldd r19,Z+43 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+48,r18 - std Z+49,r19 - ldd r18,Z+16 - ldd r19,Z+17 - mov r0,r19 - mov r19,r18 - mov r18,r0 - bst r18,0 - lsr r19 - ror r18 - bld r19,7 - std Z+42,r18 - std Z+43,r19 - ldd r18,Z+32 - ldd r19,Z+33 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+16,r18 - std Z+17,r19 - ldd r18,Z+10 - ldd r19,Z+11 - lsl 
r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+32,r18 - std Z+33,r19 - movw r18,r12 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+10,r18 - std Z+11,r19 - ldd r12,Z+36 - ldd r13,Z+37 - mov r0,r13 - mov r13,r12 - mov r12,r0 - mov r0,r1 - lsr r13 - ror r12 - ror r0 - lsr r13 - ror r12 - ror r0 - lsr r13 - ror r12 - ror r0 - or r13,r0 - ldd r18,Z+34 - ldd r19,Z+35 - bst r18,0 - lsr r19 - ror r18 - bld r19,7 - std Z+36,r18 - std Z+37,r19 - ldd r18,Z+22 - ldd r19,Z+23 - mov r0,r19 - mov r19,r18 - mov r18,r0 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+34,r18 - std Z+35,r19 - ldd r18,Z+14 - ldd r19,Z+15 - mov r0,r19 - mov r19,r18 - mov r18,r0 - mov r0,r1 - lsr r19 - ror r18 - ror r0 - lsr r19 - ror r18 - ror r0 - or r19,r0 - std Z+22,r18 - std Z+23,r19 - ldd r18,Z+20 - ldd r19,Z+21 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - lsl r18 - rol r19 - adc r18,r1 - std Z+14,r18 - std Z+15,r19 - lsl r24 - rol r25 - adc r24,r1 - std Z+20,r24 - std Z+21,r25 - movw r18,r6 - movw r20,r8 - movw r26,r10 - movw r2,r12 - movw r4,r14 - movw r6,r26 - mov r0,r20 - com r0 - and r6,r0 - mov r0,r21 - com r0 - and r7,r0 - eor r6,r18 - eor r7,r19 - movw r8,r2 - mov r0,r26 - com r0 - and r8,r0 - mov r0,r27 - com r0 - and r9,r0 - eor r8,r20 - eor r9,r21 - movw r10,r4 - mov r0,r2 - com r0 - and r10,r0 - mov r0,r3 - com r0 - and r11,r0 - eor r10,r26 - eor r11,r27 - movw r12,r18 - mov r0,r4 - com r0 - and r12,r0 - mov r0,r5 - com r0 - and r13,r0 - eor r12,r2 - eor r13,r3 - movw r14,r20 - mov r0,r18 - com r0 - and r14,r0 - mov r0,r19 - com r0 - and r15,r0 - eor r14,r4 - eor r15,r5 - ldd r18,Z+10 - ldd r19,Z+11 - ldd r20,Z+12 - ldd r21,Z+13 - ldd r26,Z+14 - ldd r27,Z+15 - ldd r2,Z+16 - ldd r3,Z+17 - ldd r4,Z+18 - ldd r5,Z+19 - movw 
r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+10,r24 - std Z+11,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+12,r24 - std Z+13,r25 - movw r24,r4 - mov r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+14,r24 - std Z+15,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+16,r24 - std Z+17,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+18,r24 - std Z+19,r25 - ldd r18,Z+20 - ldd r19,Z+21 - ldd r20,Z+22 - ldd r21,Z+23 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r4,Z+28 - ldd r5,Z+29 - movw r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+20,r24 - std Z+21,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+22,r24 - std Z+23,r25 - movw r24,r4 - mov r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+24,r24 - std Z+25,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+26,r24 - std Z+27,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+28,r24 - std Z+29,r25 - ldd r18,Z+30 - ldd r19,Z+31 - ldd r20,Z+32 - ldd r21,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r2,Z+36 - ldd r3,Z+37 - ldd r4,Z+38 - ldd r5,Z+39 - movw r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+30,r24 - std Z+31,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+32,r24 - std Z+33,r25 - movw r24,r4 - mov 
r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+34,r24 - std Z+35,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+36,r24 - std Z+37,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+38,r24 - std Z+39,r25 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - ldd r26,Z+44 - ldd r27,Z+45 - ldd r2,Z+46 - ldd r3,Z+47 - ldd r4,Z+48 - ldd r5,Z+49 - movw r24,r26 - mov r0,r20 - com r0 - and r24,r0 - mov r0,r21 - com r0 - and r25,r0 - eor r24,r18 - eor r25,r19 - std Z+40,r24 - std Z+41,r25 - movw r24,r2 - mov r0,r26 - com r0 - and r24,r0 - mov r0,r27 - com r0 - and r25,r0 - eor r24,r20 - eor r25,r21 - std Z+42,r24 - std Z+43,r25 - movw r24,r4 - mov r0,r2 - com r0 - and r24,r0 - mov r0,r3 - com r0 - and r25,r0 - eor r24,r26 - eor r25,r27 - std Z+44,r24 - std Z+45,r25 - movw r24,r18 - mov r0,r4 - com r0 - and r24,r0 - mov r0,r5 - com r0 - and r25,r0 - eor r24,r2 - eor r25,r3 - std Z+46,r24 - std Z+47,r25 - movw r24,r20 - mov r0,r18 - com r0 - and r24,r0 - mov r0,r19 - com r0 - and r25,r0 - eor r24,r4 - eor r25,r5 - std Z+48,r24 - std Z+49,r25 - ret -1004: - st Z,r6 - std Z+1,r7 - std Z+2,r8 - std Z+3,r9 - std Z+4,r10 - std Z+5,r11 - std Z+6,r12 - std Z+7,r13 - std Z+8,r14 - std Z+9,r15 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size keccakp_400_permute, .-keccakp_400_permute - -#endif diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-keccak.c b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-keccak.c deleted file mode 100644 index 60539df..0000000 --- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-keccak.c +++ /dev/null 
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-keccak.h"
-
-#if !defined(__AVR__)
-
-/* Faster method to compute ((x + y) % 5) that avoids the division */
-static unsigned char const addMod5Table[9] = {
- 0, 1, 2, 3, 4, 0, 1, 2, 3
-};
-#define addMod5(x, y) (addMod5Table[(x) + (y)])
-
-void keccakp_200_permute(keccakp_200_state_t *state)
-{
- static uint8_t const RC[18] = {
- 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09,
- 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03,
- 0x02, 0x80
- };
- uint8_t C[5];
- uint8_t D;
- unsigned round;
- unsigned index, index2;
- for (round = 0; round < 18; ++round) {
- /* Step mapping theta. The specification mentions two temporary
- * arrays of size 5 called C and D.
Compute D on the fly */
- for (index = 0; index < 5; ++index) {
- C[index] = state->A[0][index] ^ state->A[1][index] ^
- state->A[2][index] ^ state->A[3][index] ^
- state->A[4][index];
- }
- for (index = 0; index < 5; ++index) {
- D = C[addMod5(index, 4)] ^
- leftRotate1_8(C[addMod5(index, 1)]);
- for (index2 = 0; index2 < 5; ++index2)
- state->A[index2][index] ^= D;
- }
-
- /* Step mapping rho and pi combined into a single step.
- * Rotate all lanes by a specific offset and rearrange */
- D = state->A[0][1];
- state->A[0][1] = leftRotate4_8(state->A[1][1]);
- state->A[1][1] = leftRotate4_8(state->A[1][4]);
- state->A[1][4] = leftRotate5_8(state->A[4][2]);
- state->A[4][2] = leftRotate7_8(state->A[2][4]);
- state->A[2][4] = leftRotate2_8(state->A[4][0]);
- state->A[4][0] = leftRotate6_8(state->A[0][2]);
- state->A[0][2] = leftRotate3_8(state->A[2][2]);
- state->A[2][2] = leftRotate1_8(state->A[2][3]);
- state->A[2][3] = state->A[3][4];
- state->A[3][4] = state->A[4][3];
- state->A[4][3] = leftRotate1_8(state->A[3][0]);
- state->A[3][0] = leftRotate3_8(state->A[0][4]);
- state->A[0][4] = leftRotate6_8(state->A[4][4]);
- state->A[4][4] = leftRotate2_8(state->A[4][1]);
- state->A[4][1] = leftRotate7_8(state->A[1][3]);
- state->A[1][3] = leftRotate5_8(state->A[3][1]);
- state->A[3][1] = leftRotate4_8(state->A[1][0]);
- state->A[1][0] = leftRotate4_8(state->A[0][3]);
- state->A[0][3] = leftRotate5_8(state->A[3][3]);
- state->A[3][3] = leftRotate7_8(state->A[3][2]);
- state->A[3][2] = leftRotate2_8(state->A[2][1]);
- state->A[2][1] = leftRotate6_8(state->A[1][2]);
- state->A[1][2] = leftRotate3_8(state->A[2][0]);
- state->A[2][0] = leftRotate1_8(D);
-
- /* Step mapping chi.
Combine each lane with two others in its row */
- for (index = 0; index < 5; ++index) {
- C[0] = state->A[index][0];
- C[1] = state->A[index][1];
- C[2] = state->A[index][2];
- C[3] = state->A[index][3];
- C[4] = state->A[index][4];
- for (index2 = 0; index2 < 5; ++index2) {
- state->A[index][index2] =
- C[index2] ^
- ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
- }
- }
-
- /* Step mapping iota. XOR A[0][0] with the round constant */
- state->A[0][0] ^= RC[round];
- }
-}
-
-#if defined(LW_UTIL_LITTLE_ENDIAN)
-#define keccakp_400_permute_host keccakp_400_permute
-#endif
-
-/* Keccak-p[400] that assumes that the input is already in host byte order */
-void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds)
-{
- static uint16_t const RC[20] = {
- 0x0001, 0x8082, 0x808A, 0x8000, 0x808B, 0x0001, 0x8081, 0x8009,
- 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003,
- 0x8002, 0x0080, 0x800A, 0x000A
- };
- uint16_t C[5];
- uint16_t D;
- unsigned round;
- unsigned index, index2;
- for (round = 20 - rounds; round < 20; ++round) {
- /* Step mapping theta. The specification mentions two temporary
- * arrays of size 5 called C and D. Compute D on the fly */
- for (index = 0; index < 5; ++index) {
- C[index] = state->A[0][index] ^ state->A[1][index] ^
- state->A[2][index] ^ state->A[3][index] ^
- state->A[4][index];
- }
- for (index = 0; index < 5; ++index) {
- D = C[addMod5(index, 4)] ^
- leftRotate1_16(C[addMod5(index, 1)]);
- for (index2 = 0; index2 < 5; ++index2)
- state->A[index2][index] ^= D;
- }
-
- /* Step mapping rho and pi combined into a single step.
- * Rotate all lanes by a specific offset and rearrange */
- D = state->A[0][1];
- state->A[0][1] = leftRotate12_16(state->A[1][1]);
- state->A[1][1] = leftRotate4_16 (state->A[1][4]);
- state->A[1][4] = leftRotate13_16(state->A[4][2]);
- state->A[4][2] = leftRotate7_16 (state->A[2][4]);
- state->A[2][4] = leftRotate2_16 (state->A[4][0]);
- state->A[4][0] = leftRotate14_16(state->A[0][2]);
- state->A[0][2] = leftRotate11_16(state->A[2][2]);
- state->A[2][2] = leftRotate9_16 (state->A[2][3]);
- state->A[2][3] = leftRotate8_16 (state->A[3][4]);
- state->A[3][4] = leftRotate8_16 (state->A[4][3]);
- state->A[4][3] = leftRotate9_16 (state->A[3][0]);
- state->A[3][0] = leftRotate11_16(state->A[0][4]);
- state->A[0][4] = leftRotate14_16(state->A[4][4]);
- state->A[4][4] = leftRotate2_16 (state->A[4][1]);
- state->A[4][1] = leftRotate7_16 (state->A[1][3]);
- state->A[1][3] = leftRotate13_16(state->A[3][1]);
- state->A[3][1] = leftRotate4_16 (state->A[1][0]);
- state->A[1][0] = leftRotate12_16(state->A[0][3]);
- state->A[0][3] = leftRotate5_16 (state->A[3][3]);
- state->A[3][3] = leftRotate15_16(state->A[3][2]);
- state->A[3][2] = leftRotate10_16(state->A[2][1]);
- state->A[2][1] = leftRotate6_16 (state->A[1][2]);
- state->A[1][2] = leftRotate3_16 (state->A[2][0]);
- state->A[2][0] = leftRotate1_16(D);
-
- /* Step mapping chi. Combine each lane with two others in its row */
- for (index = 0; index < 5; ++index) {
- C[0] = state->A[index][0];
- C[1] = state->A[index][1];
- C[2] = state->A[index][2];
- C[3] = state->A[index][3];
- C[4] = state->A[index][4];
- for (index2 = 0; index2 < 5; ++index2) {
- state->A[index][index2] =
- C[index2] ^
- ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]);
- }
- }
-
- /* Step mapping iota. XOR A[0][0] with the round constant */
- state->A[0][0] ^= RC[round];
- }
-}
-
-#if !defined(LW_UTIL_LITTLE_ENDIAN)
-
-/**
- * \brief Reverses the bytes in a Keccak-p[400] state.
- *
- * \param state The Keccak-p[400] state to apply byte-reversal to.
- */
-static void keccakp_400_reverse_bytes(keccakp_400_state_t *state)
-{
- unsigned index;
- unsigned char temp1;
- unsigned char temp2;
- for (index = 0; index < 50; index += 2) {
- temp1 = state->B[index];
- temp2 = state->B[index + 1];
- state->B[index] = temp2;
- state->B[index + 1] = temp1;
- }
-}
-
-/* Keccak-p[400] that requires byte reversal on input and output */
-void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds)
-{
- keccakp_400_reverse_bytes(state);
- keccakp_400_permute_host(state, rounds);
- keccakp_400_reverse_bytes(state);
-}
-
-#endif
-
-#endif /* !__AVR__ */
diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-keccak.h b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-keccak.h
deleted file mode 100644
index 2ffef42..0000000
--- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-keccak.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_KECCAK_H
-#define LW_INTERNAL_KECCAK_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-keccak.h
- * \brief Internal implementation of the Keccak-p permutation.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the state for the Keccak-p[200] permutation.
- */
-#define KECCAKP_200_STATE_SIZE 25
-
-/**
- * \brief Size of the state for the Keccak-p[400] permutation.
- */
-#define KECCAKP_400_STATE_SIZE 50
-
-/**
- * \brief Structure of the internal state of the Keccak-p[200] permutation.
- */
-typedef union
-{
- uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */
- uint8_t B[25]; /**< Keccak-p[200] state as a byte array */
-
-} keccakp_200_state_t;
-
-/**
- * \brief Structure of the internal state of the Keccak-p[400] permutation.
- */
-typedef union
-{
- uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */
- uint8_t B[50]; /**< Keccak-p[400] state as a byte array */
-
-} keccakp_400_state_t;
-
-/**
- * \brief Permutes the Keccak-p[200] state.
- *
- * \param state The Keccak-p[200] state to be permuted.
- */
-void keccakp_200_permute(keccakp_200_state_t *state);
-
-/**
- * \brief Permutes the Keccak-p[400] state, which is assumed to be in
- * little-endian byte order.
- *
- * \param state The Keccak-p[400] state to be permuted.
- * \param rounds The number of rounds to perform (up to 20).
- */
-void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-util.h b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
-
(((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
-
do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time.
This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/isap.c b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/isap.c deleted file mode 100644 index 26d50a3..0000000 --- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/isap.c +++ /dev/null 
@@ -1,110 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "isap.h"
-#include "internal-keccak.h"
-#include "internal-ascon.h"
-#include
-
-aead_cipher_t const isap_keccak_128a_cipher = {
- "ISAP-K-128A",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_keccak_128a_aead_encrypt,
- isap_keccak_128a_aead_decrypt
-};
-
-aead_cipher_t const isap_ascon_128a_cipher = {
- "ISAP-A-128A",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_ascon_128a_aead_encrypt,
- isap_ascon_128a_aead_decrypt
-};
-
-aead_cipher_t const isap_keccak_128_cipher = {
- "ISAP-K-128",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_keccak_128_aead_encrypt,
- isap_keccak_128_aead_decrypt
-};
-
-aead_cipher_t const isap_ascon_128_cipher = {
- "ISAP-A-128",
- ISAP_KEY_SIZE,
- ISAP_NONCE_SIZE,
- ISAP_TAG_SIZE,
- AEAD_FLAG_NONE,
- isap_ascon_128_aead_encrypt,
- isap_ascon_128_aead_decrypt
-};
-
-/* ISAP-K-128A */
-#define ISAP_ALG_NAME isap_keccak_128a
-#define ISAP_RATE (144 / 8)
-#define ISAP_sH 16
-#define ISAP_sE 8
-#define ISAP_sB 1
-#define ISAP_sK 8
-#define ISAP_STATE keccakp_400_state_t
-#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r))
-#include "internal-isap.h"
-
-/* ISAP-A-128A */
-#define ISAP_ALG_NAME isap_ascon_128a
-#define ISAP_RATE (64 / 8)
-#define ISAP_sH 12
-#define ISAP_sE 6
-#define ISAP_sB 1
-#define ISAP_sK 12
-#define ISAP_STATE ascon_state_t
-#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r))
-#include "internal-isap.h"
-
-/* ISAP-K-128 */
-#define ISAP_ALG_NAME isap_keccak_128
-#define ISAP_RATE (144 / 8)
-#define ISAP_sH 20
-#define ISAP_sE 12
-#define ISAP_sB 12
-#define ISAP_sK 12
-#define ISAP_STATE keccakp_400_state_t
-#define ISAP_PERMUTE(s,r) keccakp_400_permute((s), (r))
-#include "internal-isap.h"
-
-/* ISAP-A-128 */
-#define ISAP_ALG_NAME isap_ascon_128
-#define ISAP_RATE (64 / 8)
-#define ISAP_sH 12
-#define ISAP_sE 12
-#define ISAP_sB 12
-#define ISAP_sK 12
-#define ISAP_STATE ascon_state_t
-#define ISAP_PERMUTE(s,r) ascon_permute((s), 12 - (r))
-#include "internal-isap.h"
diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/isap.h b/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/isap.h
deleted file mode 100644
index ddf8203..0000000
--- a/isap/Implementations/crypto_aead/isapk128v20/rhys-avr/isap.h
+++ /dev/null
@@ -1,330 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_ISAP_H -#define LWCRYPTO_ISAP_H - -#include "aead-common.h" - -/** - * \file isap.h - * \brief ISAP authenticated encryption algorithm. - * - * ISAP is a family of authenticated encryption algorithms that are built - * around the Keccak-p[400] or ASCON permutations. There are four algorithms - * in the family, each of which have a 128-bit key, a 128-bit nonce, and a - * 128-bit tag: - * - * \li ISAP-K-128A based around the Keccak-p[400] permutation with a - * reduced number of rounds. This is the primary member in the family. - * \li ISAP-A-128A based around the ASCON permutation with a reduced - * number of rounds. - * \li ISAP-K-128 based around the Keccak-p[400] permutation. - * \li ISAP-A-128 based around the ASCON permutation. 
- * - * ISAP is designed to provide some protection against adversaries - * using differential power analysis to determine the key. The - * downside is that key setup is very slow. - * - * References: https://isap.iaik.tugraz.at/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for all ISAP family members. - */ -#define ISAP_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for all ISAP family members. - */ -#define ISAP_TAG_SIZE 16 - -/** - * \brief Size of the nonce for all ISAP family members. - */ -#define ISAP_NONCE_SIZE 16 - -/** - * \brief Meta-information block for the ISAP-K-128A cipher. - */ -extern aead_cipher_t const isap_keccak_128a_cipher; - -/** - * \brief Meta-information block for the ISAP-A-128A cipher. - */ -extern aead_cipher_t const isap_ascon_128a_cipher; - -/** - * \brief Meta-information block for the ISAP-K-128 cipher. - */ -extern aead_cipher_t const isap_keccak_128_cipher; - -/** - * \brief Meta-information block for the ISAP-A-128 cipher. - */ -extern aead_cipher_t const isap_ascon_128_cipher; - -/** - * \brief Encrypts and authenticates a packet with ISAP-K-128A. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa isap_keccak_128a_aead_decrypt() - */ -int isap_keccak_128a_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with ISAP-K-128A. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa isap_keccak_128a_aead_encrypt() - */ -int isap_keccak_128a_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with ISAP-A-128A. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa isap_ascon_128a_aead_decrypt() - */ -int isap_ascon_128a_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with ISAP-A-128A. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa isap_ascon_128a_aead_encrypt() - */ -int isap_ascon_128a_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with ISAP-K-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa isap_keccak_128_aead_decrypt() - */ -int isap_keccak_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with ISAP-K-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa isap_keccak_128_aead_encrypt() - */ -int isap_keccak_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with ISAP-A-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa isap_ascon_128_aead_decrypt() - */ -int isap_ascon_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with ISAP-A-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa isap_ascon_128_aead_encrypt() - */ -int isap_ascon_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon-avr.S b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon-avr.S new file mode 100644 index 0000000..e8a4fb4 --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon-avr.S 
@@ -0,0 +1,778 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global ascon_permute + .type ascon_permute, @function +ascon_permute: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ldi r18,15 + sub r18,r22 + swap r18 + or r22,r18 + ldd r3,Z+16 + ldd r2,Z+17 + ldd r27,Z+18 + ldd r26,Z+19 + ldd r21,Z+20 + ldd r20,Z+21 + ldd r19,Z+22 + ldd r18,Z+23 + ldd r11,Z+32 + ldd r10,Z+33 + ldd r9,Z+34 + ldd r8,Z+35 + ldd r7,Z+36 + ldd r6,Z+37 + ldd r5,Z+38 + ldd r4,Z+39 +20: + eor r18,r22 + ldd r23,Z+7 + ldd r12,Z+15 + ldd r13,Z+31 + eor r23,r4 + eor r4,r13 + eor r18,r12 + mov r14,r23 + mov r15,r12 + mov r24,r18 + mov r25,r13 + mov r16,r4 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r18 + and r24,r13 + and r25,r4 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r18,r25 + eor r13,r16 + eor r4,r14 + eor r12,r23 + eor r23,r4 + eor r13,r18 + com r18 + std Z+7,r23 + std Z+15,r12 + std Z+31,r13 + std Z+39,r4 + ldd r23,Z+6 + ldd r12,Z+14 + ldd r13,Z+30 + eor r23,r5 + eor r5,r13 + eor r19,r12 + mov r14,r23 + mov r15,r12 + mov r24,r19 + mov r25,r13 + mov r16,r5 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r19 + and r24,r13 + and r25,r5 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r19,r25 + eor r13,r16 + eor r5,r14 + eor r12,r23 + eor r23,r5 + eor r13,r19 + com r19 + std Z+6,r23 + std Z+14,r12 + std Z+30,r13 + std Z+38,r5 + ldd r23,Z+5 + ldd r12,Z+13 + ldd r13,Z+29 + eor r23,r6 + eor r6,r13 + eor r20,r12 + mov r14,r23 + mov r15,r12 + mov r24,r20 + mov r25,r13 + mov r16,r6 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r20 + and r24,r13 + and r25,r6 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r20,r25 + eor r13,r16 + eor r6,r14 + eor r12,r23 + eor r23,r6 + eor r13,r20 + com r20 + std Z+5,r23 + std 
Z+13,r12 + std Z+29,r13 + std Z+37,r6 + ldd r23,Z+4 + ldd r12,Z+12 + ldd r13,Z+28 + eor r23,r7 + eor r7,r13 + eor r21,r12 + mov r14,r23 + mov r15,r12 + mov r24,r21 + mov r25,r13 + mov r16,r7 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r21 + and r24,r13 + and r25,r7 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r21,r25 + eor r13,r16 + eor r7,r14 + eor r12,r23 + eor r23,r7 + eor r13,r21 + com r21 + std Z+4,r23 + std Z+12,r12 + std Z+28,r13 + std Z+36,r7 + ldd r23,Z+3 + ldd r12,Z+11 + ldd r13,Z+27 + eor r23,r8 + eor r8,r13 + eor r26,r12 + mov r14,r23 + mov r15,r12 + mov r24,r26 + mov r25,r13 + mov r16,r8 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r26 + and r24,r13 + and r25,r8 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r26,r25 + eor r13,r16 + eor r8,r14 + eor r12,r23 + eor r23,r8 + eor r13,r26 + com r26 + std Z+3,r23 + std Z+11,r12 + std Z+27,r13 + std Z+35,r8 + ldd r23,Z+2 + ldd r12,Z+10 + ldd r13,Z+26 + eor r23,r9 + eor r9,r13 + eor r27,r12 + mov r14,r23 + mov r15,r12 + mov r24,r27 + mov r25,r13 + mov r16,r9 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r27 + and r24,r13 + and r25,r9 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r27,r25 + eor r13,r16 + eor r9,r14 + eor r12,r23 + eor r23,r9 + eor r13,r27 + com r27 + std Z+2,r23 + std Z+10,r12 + std Z+26,r13 + std Z+34,r9 + ldd r23,Z+1 + ldd r12,Z+9 + ldd r13,Z+25 + eor r23,r10 + eor r10,r13 + eor r2,r12 + mov r14,r23 + mov r15,r12 + mov r24,r2 + mov r25,r13 + mov r16,r10 + com r14 + com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r2 + and r24,r13 + and r25,r10 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r2,r25 + eor r13,r16 + eor r10,r14 + eor r12,r23 + eor r23,r10 + eor r13,r2 + com r2 + std Z+1,r23 + std Z+9,r12 + std Z+25,r13 + std Z+33,r10 + ld r23,Z + ldd r12,Z+8 + ldd r13,Z+24 + eor r23,r11 + eor r11,r13 + eor r3,r12 + mov r14,r23 + mov r15,r12 + mov r24,r3 + mov r25,r13 + mov r16,r11 + com r14 + 
com r15 + com r24 + com r25 + com r16 + and r14,r12 + and r15,r3 + and r24,r13 + and r25,r11 + and r16,r23 + eor r23,r15 + eor r12,r24 + eor r3,r25 + eor r13,r16 + eor r11,r14 + eor r12,r23 + eor r23,r11 + eor r13,r3 + com r3 + st Z,r23 + std Z+8,r12 + std Z+24,r13 + std Z+32,r11 + ld r11,Z + ldd r10,Z+1 + ldd r9,Z+2 + ldd r8,Z+3 + ldd r7,Z+4 + ldd r6,Z+5 + ldd r5,Z+6 + ldd r4,Z+7 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + mov r0,r12 + mov r12,r14 + mov r14,r24 + mov r24,r16 + mov r16,r0 + mov r0,r13 + mov r13,r15 + mov r15,r25 + mov r25,r17 + mov r17,r0 + mov r0,r1 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + or r17,r0 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r23,r4 + mov r0,r5 + push r6 + mov r4,r7 + mov r5,r8 + mov r6,r9 + mov r7,r10 + mov r8,r11 + pop r11 + mov r10,r0 + mov r9,r23 + mov r0,r1 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + or r11,r0 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + st Z,r11 + std Z+1,r10 + std Z+2,r9 + std Z+3,r8 + std Z+4,r7 + std Z+5,r6 + std Z+6,r5 + std Z+7,r4 + ldd r11,Z+8 + ldd r10,Z+9 + ldd r9,Z+10 + ldd r8,Z+11 + ldd r7,Z+12 + ldd r6,Z+13 + ldd r5,Z+14 + ldd r4,Z+15 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol r16 + rol r17 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol 
r16 + rol r17 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol r16 + rol r17 + adc r12,r1 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r23,r9 + mov r0,r10 + push r11 + mov r11,r8 + mov r10,r7 + mov r9,r6 + mov r8,r5 + mov r7,r4 + pop r6 + mov r5,r0 + mov r4,r23 + lsl r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + adc r4,r1 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + std Z+8,r11 + std Z+9,r10 + std Z+10,r9 + std Z+11,r8 + std Z+12,r7 + std Z+13,r6 + std Z+14,r5 + std Z+15,r4 + movw r12,r18 + movw r14,r20 + movw r24,r26 + movw r16,r2 + bst r12,0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + bld r17,7 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + eor r24,r26 + eor r25,r27 + eor r16,r2 + eor r17,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r26 + mov r26,r27 + mov r27,r2 + mov r2,r3 + mov r3,r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + rol r2 + rol r3 + adc r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + rol r2 + rol r3 + adc r18,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + eor r26,r24 + eor r27,r25 + eor r2,r16 + eor r3,r17 + ldd r11,Z+24 + ldd r10,Z+25 + ldd r9,Z+26 + ldd r8,Z+27 + ldd r7,Z+28 + ldd r6,Z+29 + ldd r5,Z+30 + ldd r4,Z+31 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + mov r0,r12 + mov r12,r13 + mov r13,r14 + mov r14,r15 + mov r15,r24 + mov r24,r25 + mov r25,r16 + mov r16,r17 + mov r17,r0 + mov r0,r1 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r0 + or r17,r0 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r0,r4 + mov r4,r6 + mov r6,r8 + mov r8,r10 
+ mov r10,r0 + mov r0,r5 + mov r5,r7 + mov r7,r9 + mov r9,r11 + mov r11,r0 + mov r0,r1 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + or r11,r0 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + std Z+24,r11 + std Z+25,r10 + std Z+26,r9 + std Z+27,r8 + std Z+28,r7 + std Z+29,r6 + std Z+30,r5 + std Z+31,r4 + ldd r11,Z+32 + ldd r10,Z+33 + ldd r9,Z+34 + ldd r8,Z+35 + ldd r7,Z+36 + ldd r6,Z+37 + ldd r5,Z+38 + ldd r4,Z+39 + movw r12,r4 + movw r14,r6 + movw r24,r8 + movw r16,r10 + mov r0,r12 + mov r12,r13 + mov r13,r14 + mov r14,r15 + mov r15,r24 + mov r24,r25 + mov r25,r16 + mov r16,r17 + mov r17,r0 + lsl r12 + rol r13 + rol r14 + rol r15 + rol r24 + rol r25 + rol r16 + rol r17 + adc r12,r1 + eor r12,r4 + eor r13,r5 + eor r14,r6 + eor r15,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + mov r23,r9 + mov r0,r10 + push r11 + mov r11,r8 + mov r10,r7 + mov r9,r6 + mov r8,r5 + mov r7,r4 + pop r6 + mov r5,r0 + mov r4,r23 + mov r0,r1 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r0 + or r11,r0 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + eor r10,r16 + eor r11,r17 + subi r22,15 + ldi r25,60 + cpse r22,r25 + rjmp 20b + std Z+16,r3 + std Z+17,r2 + std Z+18,r27 + std Z+19,r26 + std Z+20,r21 + std Z+21,r20 + std Z+22,r19 + std Z+23,r18 + std Z+32,r11 + std Z+33,r10 + std Z+34,r9 + std Z+35,r8 + std Z+36,r7 + std Z+37,r6 + std Z+38,r5 + std Z+39,r4 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size ascon_permute, .-ascon_permute + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.c b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.c index 12a8ec6..657aabe 100644 --- a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.c 
+++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-ascon.c @@ -22,6 +22,8 @@ #include "internal-ascon.h" +#if !defined(__AVR__) + void ascon_permute(ascon_state_t *state, uint8_t first_round) { uint64_t t0, t1, t2, t3, t4; @@ -74,3 +76,5 @@ void ascon_permute(ascon_state_t *state, uint8_t first_round) state->S[4] = x4; #endif } + +#endif /* !__AVR__ */ diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak-avr.S b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak-avr.S new file mode 100644 index 0000000..e50ccaf --- /dev/null +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak-avr.S 
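Review bot: The `#if !defined(__AVR__)` added at the top of the first hunk gives a reader of this file no indication of where ascon_permute is defined on AVR; a one-line comment above it, `/* On AVR the permutation is provided by the generated internal-ascon-avr.S instead */`, would make the pairing with that file's `#if defined(__AVR__)` explicit, and the closing `#endif /* !__AVR__ */` in the second hunk is already labelled to match. Because the selection is driven by the target macro alone, an AVR build that does not assemble the .S sources would presumably fail at link time with an undefined ascon_permute rather than silently fall back to the C code, which is the safer failure mode but is worth stating in that comment so the link error is understood. The internal-keccak.c hunk later on the page introduces the same guard and would benefit from the same comment. The body of ascon_permute lies between the two hunks and is outside this view.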
@@ -0,0 +1,1552 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global keccakp_200_permute + .type keccakp_200_permute, @function +keccakp_200_permute: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r26,Z+6 + ldd r27,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r4,Z+12 + ldd r5,Z+13 + ldd r6,Z+14 + ldd r7,Z+15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + ldd r24,Z+24 + push r31 + push r30 + rcall 82f + ldi r30,1 + eor r18,r30 + rcall 82f + ldi r30,130 + eor r18,r30 + rcall 82f + ldi r30,138 + eor r18,r30 + rcall 82f + mov r30,r1 + eor r18,r30 + rcall 82f + ldi r30,139 + eor r18,r30 + rcall 82f + ldi r30,1 + eor r18,r30 + rcall 82f + ldi r30,129 + eor r18,r30 + rcall 82f + ldi r30,9 + eor r18,r30 + rcall 82f + ldi r30,138 + eor r18,r30 + rcall 82f + ldi r30,136 + eor r18,r30 + rcall 82f + ldi r30,9 + eor r18,r30 + rcall 82f + ldi r30,10 + eor r18,r30 + rcall 82f + ldi r30,139 + eor r18,r30 + rcall 82f + ldi r30,139 + eor r18,r30 + rcall 82f + ldi r30,137 + eor r18,r30 + rcall 82f + ldi r30,3 + eor r18,r30 + rcall 82f + ldi r30,2 + eor r18,r30 + rcall 82f + ldi r30,128 + eor r18,r30 + rjmp 420f +82: + mov r30,r18 + eor r30,r23 + eor r30,r2 + eor r30,r7 + eor r30,r12 + mov r31,r19 + eor r31,r26 + eor r31,r3 + eor r31,r8 + eor r31,r13 + mov r25,r20 + eor r25,r27 + eor r25,r4 + eor r25,r9 + eor r25,r14 + mov r16,r21 + eor r16,r28 + eor r16,r5 + eor r16,r10 + eor r16,r15 + mov r17,r22 + eor r17,r29 + eor r17,r6 + eor r17,r11 + eor r17,r24 + mov r0,r31 + lsl r0 + adc r0,r1 + eor r0,r17 + eor r18,r0 + eor r23,r0 + eor r2,r0 + eor r7,r0 + eor r12,r0 + mov r0,r25 + lsl r0 + 
adc r0,r1 + eor r0,r30 + eor r19,r0 + eor r26,r0 + eor r3,r0 + eor r8,r0 + eor r13,r0 + mov r0,r16 + lsl r0 + adc r0,r1 + eor r0,r31 + eor r20,r0 + eor r27,r0 + eor r4,r0 + eor r9,r0 + eor r14,r0 + mov r0,r17 + lsl r0 + adc r0,r1 + eor r0,r25 + eor r21,r0 + eor r28,r0 + eor r5,r0 + eor r10,r0 + eor r15,r0 + mov r0,r30 + lsl r0 + adc r0,r1 + eor r0,r16 + eor r22,r0 + eor r29,r0 + eor r6,r0 + eor r11,r0 + eor r24,r0 + mov r30,r19 + swap r26 + mov r19,r26 + swap r29 + mov r26,r29 + mov r0,r1 + lsr r14 + ror r0 + lsr r14 + ror r0 + lsr r14 + ror r0 + or r14,r0 + mov r29,r14 + bst r6,0 + lsr r6 + bld r6,7 + mov r14,r6 + lsl r12 + adc r12,r1 + lsl r12 + adc r12,r1 + mov r6,r12 + mov r0,r1 + lsr r20 + ror r0 + lsr r20 + ror r0 + or r20,r0 + mov r12,r20 + lsl r4 + adc r4,r1 + lsl r4 + adc r4,r1 + lsl r4 + adc r4,r1 + mov r20,r4 + lsl r5 + adc r5,r1 + mov r4,r5 + mov r5,r11 + mov r11,r15 + lsl r7 + adc r7,r1 + mov r15,r7 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + mov r7,r22 + mov r0,r1 + lsr r24 + ror r0 + lsr r24 + ror r0 + or r24,r0 + mov r22,r24 + lsl r13 + adc r13,r1 + lsl r13 + adc r13,r1 + mov r24,r13 + bst r28,0 + lsr r28 + bld r28,7 + mov r13,r28 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r28,r8 + swap r23 + mov r8,r23 + swap r21 + mov r23,r21 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r21,r10 + bst r9,0 + lsr r9 + bld r9,7 + mov r10,r9 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + mov r9,r3 + mov r0,r1 + lsr r27 + ror r0 + lsr r27 + ror r0 + or r27,r0 + mov r3,r27 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + mov r27,r2 + lsl r30 + adc r30,r1 + mov r2,r30 + mov r30,r18 + mov r31,r19 + mov r25,r20 + mov r16,r21 + mov r17,r22 + mov r18,r25 + mov r0,r31 + com r0 + and r18,r0 + eor r18,r30 + mov r19,r16 + mov r0,r25 + com r0 + and r19,r0 + eor r19,r31 + mov r20,r17 + mov r0,r16 + com r0 + and r20,r0 + eor r20,r25 + mov r21,r30 + mov r0,r17 + 
com r0 + and r21,r0 + eor r21,r16 + mov r22,r31 + mov r0,r30 + com r0 + and r22,r0 + eor r22,r17 + mov r30,r23 + mov r31,r26 + mov r25,r27 + mov r16,r28 + mov r17,r29 + mov r23,r25 + mov r0,r31 + com r0 + and r23,r0 + eor r23,r30 + mov r26,r16 + mov r0,r25 + com r0 + and r26,r0 + eor r26,r31 + mov r27,r17 + mov r0,r16 + com r0 + and r27,r0 + eor r27,r25 + mov r28,r30 + mov r0,r17 + com r0 + and r28,r0 + eor r28,r16 + mov r29,r31 + mov r0,r30 + com r0 + and r29,r0 + eor r29,r17 + mov r30,r2 + mov r31,r3 + mov r25,r4 + mov r16,r5 + mov r17,r6 + mov r2,r25 + mov r0,r31 + com r0 + and r2,r0 + eor r2,r30 + mov r3,r16 + mov r0,r25 + com r0 + and r3,r0 + eor r3,r31 + mov r4,r17 + mov r0,r16 + com r0 + and r4,r0 + eor r4,r25 + mov r5,r30 + mov r0,r17 + com r0 + and r5,r0 + eor r5,r16 + mov r6,r31 + mov r0,r30 + com r0 + and r6,r0 + eor r6,r17 + mov r30,r7 + mov r31,r8 + mov r25,r9 + mov r16,r10 + mov r17,r11 + mov r7,r25 + mov r0,r31 + com r0 + and r7,r0 + eor r7,r30 + mov r8,r16 + mov r0,r25 + com r0 + and r8,r0 + eor r8,r31 + mov r9,r17 + mov r0,r16 + com r0 + and r9,r0 + eor r9,r25 + mov r10,r30 + mov r0,r17 + com r0 + and r10,r0 + eor r10,r16 + mov r11,r31 + mov r0,r30 + com r0 + and r11,r0 + eor r11,r17 + mov r30,r12 + mov r31,r13 + mov r25,r14 + mov r16,r15 + mov r17,r24 + mov r12,r25 + mov r0,r31 + com r0 + and r12,r0 + eor r12,r30 + mov r13,r16 + mov r0,r25 + com r0 + and r13,r0 + eor r13,r31 + mov r14,r17 + mov r0,r16 + com r0 + and r14,r0 + eor r14,r25 + mov r15,r30 + mov r0,r17 + com r0 + and r15,r0 + eor r15,r16 + mov r24,r31 + mov r0,r30 + com r0 + and r24,r0 + eor r24,r17 + ret +420: + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r22 + std Z+5,r23 + std Z+6,r26 + std Z+7,r27 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r4 + std Z+13,r5 + std Z+14,r6 + std Z+15,r7 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + std Z+24,r24 + pop 
r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size keccakp_200_permute, .-keccakp_200_permute + + .text +.global keccakp_400_permute + .type keccakp_400_permute, @function +keccakp_400_permute: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + movw r30,r24 +.L__stack_usage = 17 + ld r6,Z + ldd r7,Z+1 + ldd r8,Z+2 + ldd r9,Z+3 + ldd r10,Z+4 + ldd r11,Z+5 + ldd r12,Z+6 + ldd r13,Z+7 + ldd r14,Z+8 + ldd r15,Z+9 + cpi r22,20 + brcs 15f + rcall 153f + ldi r23,1 + eor r6,r23 +15: + cpi r22,19 + brcs 23f + rcall 153f + ldi r23,130 + eor r6,r23 + ldi r17,128 + eor r7,r17 +23: + cpi r22,18 + brcs 31f + rcall 153f + ldi r23,138 + eor r6,r23 + ldi r17,128 + eor r7,r17 +31: + cpi r22,17 + brcs 37f + rcall 153f + ldi r23,128 + eor r7,r23 +37: + cpi r22,16 + brcs 45f + rcall 153f + ldi r23,139 + eor r6,r23 + ldi r17,128 + eor r7,r17 +45: + cpi r22,15 + brcs 51f + rcall 153f + ldi r23,1 + eor r6,r23 +51: + cpi r22,14 + brcs 59f + rcall 153f + ldi r23,129 + eor r6,r23 + ldi r17,128 + eor r7,r17 +59: + cpi r22,13 + brcs 67f + rcall 153f + ldi r23,9 + eor r6,r23 + ldi r17,128 + eor r7,r17 +67: + cpi r22,12 + brcs 73f + rcall 153f + ldi r23,138 + eor r6,r23 +73: + cpi r22,11 + brcs 79f + rcall 153f + ldi r23,136 + eor r6,r23 +79: + cpi r22,10 + brcs 87f + rcall 153f + ldi r23,9 + eor r6,r23 + ldi r17,128 + eor r7,r17 +87: + cpi r22,9 + brcs 93f + rcall 153f + ldi r23,10 + eor r6,r23 +93: + cpi r22,8 + brcs 101f + rcall 153f + ldi r23,139 + eor r6,r23 + ldi r17,128 + eor r7,r17 +101: + cpi r22,7 + brcs 107f + rcall 153f + ldi r23,139 + eor r6,r23 +107: + cpi r22,6 + brcs 115f + rcall 153f + ldi r23,137 + eor r6,r23 + ldi r17,128 + eor r7,r17 +115: + cpi r22,5 + brcs 123f + rcall 153f + ldi r23,3 + eor r6,r23 + ldi r17,128 + eor r7,r17 +123: + cpi 
r22,4 + brcs 131f + rcall 153f + ldi r23,2 + eor r6,r23 + ldi r17,128 + eor r7,r17 +131: + cpi r22,3 + brcs 137f + rcall 153f + ldi r23,128 + eor r6,r23 +137: + cpi r22,2 + brcs 145f + rcall 153f + ldi r23,10 + eor r6,r23 + ldi r17,128 + eor r7,r17 +145: + cpi r22,1 + brcs 151f + rcall 153f + ldi r23,10 + eor r6,r23 +151: + rjmp 1004f +153: + movw r18,r6 + ldd r0,Z+10 + eor r18,r0 + ldd r0,Z+11 + eor r19,r0 + ldd r0,Z+20 + eor r18,r0 + ldd r0,Z+21 + eor r19,r0 + ldd r0,Z+30 + eor r18,r0 + ldd r0,Z+31 + eor r19,r0 + ldd r0,Z+40 + eor r18,r0 + ldd r0,Z+41 + eor r19,r0 + movw r20,r8 + ldd r0,Z+12 + eor r20,r0 + ldd r0,Z+13 + eor r21,r0 + ldd r0,Z+22 + eor r20,r0 + ldd r0,Z+23 + eor r21,r0 + ldd r0,Z+32 + eor r20,r0 + ldd r0,Z+33 + eor r21,r0 + ldd r0,Z+42 + eor r20,r0 + ldd r0,Z+43 + eor r21,r0 + movw r26,r10 + ldd r0,Z+14 + eor r26,r0 + ldd r0,Z+15 + eor r27,r0 + ldd r0,Z+24 + eor r26,r0 + ldd r0,Z+25 + eor r27,r0 + ldd r0,Z+34 + eor r26,r0 + ldd r0,Z+35 + eor r27,r0 + ldd r0,Z+44 + eor r26,r0 + ldd r0,Z+45 + eor r27,r0 + movw r2,r12 + ldd r0,Z+16 + eor r2,r0 + ldd r0,Z+17 + eor r3,r0 + ldd r0,Z+26 + eor r2,r0 + ldd r0,Z+27 + eor r3,r0 + ldd r0,Z+36 + eor r2,r0 + ldd r0,Z+37 + eor r3,r0 + ldd r0,Z+46 + eor r2,r0 + ldd r0,Z+47 + eor r3,r0 + movw r4,r14 + ldd r0,Z+18 + eor r4,r0 + ldd r0,Z+19 + eor r5,r0 + ldd r0,Z+28 + eor r4,r0 + ldd r0,Z+29 + eor r5,r0 + ldd r0,Z+38 + eor r4,r0 + ldd r0,Z+39 + eor r5,r0 + ldd r0,Z+48 + eor r4,r0 + ldd r0,Z+49 + eor r5,r0 + movw r24,r20 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r4 + eor r25,r5 + eor r6,r24 + eor r7,r25 + ldd r0,Z+10 + eor r0,r24 + std Z+10,r0 + ldd r0,Z+11 + eor r0,r25 + std Z+11,r0 + ldd r0,Z+20 + eor r0,r24 + std Z+20,r0 + ldd r0,Z+21 + eor r0,r25 + std Z+21,r0 + ldd r0,Z+30 + eor r0,r24 + std Z+30,r0 + ldd r0,Z+31 + eor r0,r25 + std Z+31,r0 + ldd r0,Z+40 + eor r0,r24 + std Z+40,r0 + ldd r0,Z+41 + eor r0,r25 + std Z+41,r0 + movw r24,r26 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r18 + eor r25,r19 + eor r8,r24 + 
eor r9,r25 + ldd r0,Z+12 + eor r0,r24 + std Z+12,r0 + ldd r0,Z+13 + eor r0,r25 + std Z+13,r0 + ldd r0,Z+22 + eor r0,r24 + std Z+22,r0 + ldd r0,Z+23 + eor r0,r25 + std Z+23,r0 + ldd r0,Z+32 + eor r0,r24 + std Z+32,r0 + ldd r0,Z+33 + eor r0,r25 + std Z+33,r0 + ldd r0,Z+42 + eor r0,r24 + std Z+42,r0 + ldd r0,Z+43 + eor r0,r25 + std Z+43,r0 + movw r24,r2 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r20 + eor r25,r21 + eor r10,r24 + eor r11,r25 + ldd r0,Z+14 + eor r0,r24 + std Z+14,r0 + ldd r0,Z+15 + eor r0,r25 + std Z+15,r0 + ldd r0,Z+24 + eor r0,r24 + std Z+24,r0 + ldd r0,Z+25 + eor r0,r25 + std Z+25,r0 + ldd r0,Z+34 + eor r0,r24 + std Z+34,r0 + ldd r0,Z+35 + eor r0,r25 + std Z+35,r0 + ldd r0,Z+44 + eor r0,r24 + std Z+44,r0 + ldd r0,Z+45 + eor r0,r25 + std Z+45,r0 + movw r24,r4 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r26 + eor r25,r27 + eor r12,r24 + eor r13,r25 + ldd r0,Z+16 + eor r0,r24 + std Z+16,r0 + ldd r0,Z+17 + eor r0,r25 + std Z+17,r0 + ldd r0,Z+26 + eor r0,r24 + std Z+26,r0 + ldd r0,Z+27 + eor r0,r25 + std Z+27,r0 + ldd r0,Z+36 + eor r0,r24 + std Z+36,r0 + ldd r0,Z+37 + eor r0,r25 + std Z+37,r0 + ldd r0,Z+46 + eor r0,r24 + std Z+46,r0 + ldd r0,Z+47 + eor r0,r25 + std Z+47,r0 + movw r24,r18 + lsl r24 + rol r25 + adc r24,r1 + eor r24,r2 + eor r25,r3 + eor r14,r24 + eor r15,r25 + ldd r0,Z+18 + eor r0,r24 + std Z+18,r0 + ldd r0,Z+19 + eor r0,r25 + std Z+19,r0 + ldd r0,Z+28 + eor r0,r24 + std Z+28,r0 + ldd r0,Z+29 + eor r0,r25 + std Z+29,r0 + ldd r0,Z+38 + eor r0,r24 + std Z+38,r0 + ldd r0,Z+39 + eor r0,r25 + std Z+39,r0 + ldd r0,Z+48 + eor r0,r24 + std Z+48,r0 + ldd r0,Z+49 + eor r0,r25 + std Z+49,r0 + movw r24,r8 + ldd r8,Z+12 + ldd r9,Z+13 + mov r0,r9 + mov r9,r8 + mov r8,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldd r18,Z+18 + ldd r19,Z+19 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std 
Z+12,r18 + std Z+13,r19 + ldd r18,Z+44 + ldd r19,Z+45 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+18,r18 + std Z+19,r19 + ldd r18,Z+28 + ldd r19,Z+29 + mov r0,r19 + mov r19,r18 + mov r18,r0 + bst r18,0 + lsr r19 + ror r18 + bld r19,7 + std Z+44,r18 + std Z+45,r19 + ldd r18,Z+40 + ldd r19,Z+41 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+28,r18 + std Z+29,r19 + movw r18,r10 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+40,r18 + std Z+41,r19 + ldd r10,Z+24 + ldd r11,Z+25 + mov r0,r11 + mov r11,r10 + mov r10,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldd r18,Z+26 + ldd r19,Z+27 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + std Z+24,r18 + std Z+25,r19 + ldd r18,Z+38 + ldd r19,Z+39 + mov r0,r19 + mov r19,r18 + mov r18,r0 + std Z+26,r18 + std Z+27,r19 + ldd r18,Z+46 + ldd r19,Z+47 + mov r0,r19 + mov r19,r18 + mov r18,r0 + std Z+38,r18 + std Z+39,r19 + ldd r18,Z+30 + ldd r19,Z+31 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + std Z+46,r18 + std Z+47,r19 + movw r18,r14 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+30,r18 + std Z+31,r19 + ldd r14,Z+48 + ldd r15,Z+49 + mov r0,r1 + lsr r15 + ror r14 + ror r0 + lsr r15 + ror r14 + ror r0 + or r15,r0 + ldd r18,Z+42 + ldd r19,Z+43 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+48,r18 + std Z+49,r19 + ldd r18,Z+16 + ldd r19,Z+17 + mov r0,r19 + mov r19,r18 + mov r18,r0 + bst r18,0 + lsr r19 + ror r18 + bld r19,7 + std Z+42,r18 + std Z+43,r19 + ldd r18,Z+32 + ldd r19,Z+33 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+16,r18 + std Z+17,r19 + ldd r18,Z+10 + ldd r19,Z+11 + lsl 
r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+32,r18 + std Z+33,r19 + movw r18,r12 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+10,r18 + std Z+11,r19 + ldd r12,Z+36 + ldd r13,Z+37 + mov r0,r13 + mov r13,r12 + mov r12,r0 + mov r0,r1 + lsr r13 + ror r12 + ror r0 + lsr r13 + ror r12 + ror r0 + lsr r13 + ror r12 + ror r0 + or r13,r0 + ldd r18,Z+34 + ldd r19,Z+35 + bst r18,0 + lsr r19 + ror r18 + bld r19,7 + std Z+36,r18 + std Z+37,r19 + ldd r18,Z+22 + ldd r19,Z+23 + mov r0,r19 + mov r19,r18 + mov r18,r0 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+34,r18 + std Z+35,r19 + ldd r18,Z+14 + ldd r19,Z+15 + mov r0,r19 + mov r19,r18 + mov r18,r0 + mov r0,r1 + lsr r19 + ror r18 + ror r0 + lsr r19 + ror r18 + ror r0 + or r19,r0 + std Z+22,r18 + std Z+23,r19 + ldd r18,Z+20 + ldd r19,Z+21 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + lsl r18 + rol r19 + adc r18,r1 + std Z+14,r18 + std Z+15,r19 + lsl r24 + rol r25 + adc r24,r1 + std Z+20,r24 + std Z+21,r25 + movw r18,r6 + movw r20,r8 + movw r26,r10 + movw r2,r12 + movw r4,r14 + movw r6,r26 + mov r0,r20 + com r0 + and r6,r0 + mov r0,r21 + com r0 + and r7,r0 + eor r6,r18 + eor r7,r19 + movw r8,r2 + mov r0,r26 + com r0 + and r8,r0 + mov r0,r27 + com r0 + and r9,r0 + eor r8,r20 + eor r9,r21 + movw r10,r4 + mov r0,r2 + com r0 + and r10,r0 + mov r0,r3 + com r0 + and r11,r0 + eor r10,r26 + eor r11,r27 + movw r12,r18 + mov r0,r4 + com r0 + and r12,r0 + mov r0,r5 + com r0 + and r13,r0 + eor r12,r2 + eor r13,r3 + movw r14,r20 + mov r0,r18 + com r0 + and r14,r0 + mov r0,r19 + com r0 + and r15,r0 + eor r14,r4 + eor r15,r5 + ldd r18,Z+10 + ldd r19,Z+11 + ldd r20,Z+12 + ldd r21,Z+13 + ldd r26,Z+14 + ldd r27,Z+15 + ldd r2,Z+16 + ldd r3,Z+17 + ldd r4,Z+18 + ldd r5,Z+19 + movw 
r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+10,r24 + std Z+11,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+12,r24 + std Z+13,r25 + movw r24,r4 + mov r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+14,r24 + std Z+15,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+16,r24 + std Z+17,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+18,r24 + std Z+19,r25 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r4,Z+28 + ldd r5,Z+29 + movw r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+20,r24 + std Z+21,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+22,r24 + std Z+23,r25 + movw r24,r4 + mov r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+24,r24 + std Z+25,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+26,r24 + std Z+27,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+28,r24 + std Z+29,r25 + ldd r18,Z+30 + ldd r19,Z+31 + ldd r20,Z+32 + ldd r21,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r2,Z+36 + ldd r3,Z+37 + ldd r4,Z+38 + ldd r5,Z+39 + movw r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+30,r24 + std Z+31,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+32,r24 + std Z+33,r25 + movw r24,r4 + mov 
r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+34,r24 + std Z+35,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+36,r24 + std Z+37,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+38,r24 + std Z+39,r25 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + ldd r26,Z+44 + ldd r27,Z+45 + ldd r2,Z+46 + ldd r3,Z+47 + ldd r4,Z+48 + ldd r5,Z+49 + movw r24,r26 + mov r0,r20 + com r0 + and r24,r0 + mov r0,r21 + com r0 + and r25,r0 + eor r24,r18 + eor r25,r19 + std Z+40,r24 + std Z+41,r25 + movw r24,r2 + mov r0,r26 + com r0 + and r24,r0 + mov r0,r27 + com r0 + and r25,r0 + eor r24,r20 + eor r25,r21 + std Z+42,r24 + std Z+43,r25 + movw r24,r4 + mov r0,r2 + com r0 + and r24,r0 + mov r0,r3 + com r0 + and r25,r0 + eor r24,r26 + eor r25,r27 + std Z+44,r24 + std Z+45,r25 + movw r24,r18 + mov r0,r4 + com r0 + and r24,r0 + mov r0,r5 + com r0 + and r25,r0 + eor r24,r2 + eor r25,r3 + std Z+46,r24 + std Z+47,r25 + movw r24,r20 + mov r0,r18 + com r0 + and r24,r0 + mov r0,r19 + com r0 + and r25,r0 + eor r24,r4 + eor r25,r5 + std Z+48,r24 + std Z+49,r25 + ret +1004: + st Z,r6 + std Z+1,r7 + std Z+2,r8 + std Z+3,r9 + std Z+4,r10 + std Z+5,r11 + std Z+6,r12 + std Z+7,r13 + std Z+8,r14 + std Z+9,r15 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size keccakp_400_permute, .-keccakp_400_permute + +#endif diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.c b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.c index c3c4011..60539df 100644 --- a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.c +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.c 
@@ -22,74 +22,79 @@ #include "internal-keccak.h" +#if !defined(__AVR__) + /* Faster method to compute ((x + y) % 5) that avoids the division */ static unsigned char const addMod5Table[9] = { 0, 1, 2, 3, 4, 0, 1, 2, 3 }; #define addMod5(x, y) (addMod5Table[(x) + (y)]) -void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds) +void keccakp_200_permute(keccakp_200_state_t *state) { static uint8_t const RC[18] = { 0x01, 0x82, 0x8A, 0x00, 0x8B, 0x01, 0x81, 0x09, 0x8A, 0x88, 0x09, 0x0A, 0x8B, 0x8B, 0x89, 0x03, 0x02, 0x80 }; - uint8_t B[5][5]; + uint8_t C[5]; uint8_t D; unsigned round; unsigned index, index2; - for (round = 18 - rounds; round < 18; ++round) { + for (round = 0; round < 18; ++round) { /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. To save a bit of memory, - * we use the first row of B to store C and compute D on the fly */ + * arrays of size 5 called C and D. Compute D on the fly */ for (index = 0; index < 5; ++index) { - B[0][index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; + C[index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; } for (index = 0; index < 5; ++index) { - D = B[0][addMod5(index, 4)] ^ - leftRotate1_8(B[0][addMod5(index, 1)]); + D = C[addMod5(index, 4)] ^ + leftRotate1_8(C[addMod5(index, 1)]); for (index2 = 0; index2 < 5; ++index2) state->A[index2][index] ^= D; } /* Step mapping rho and pi combined into a single step. 
* Rotate all lanes by a specific offset and rearrange */ - B[0][0] = state->A[0][0]; - B[1][0] = leftRotate4_8(state->A[0][3]); - B[2][0] = leftRotate1_8(state->A[0][1]); - B[3][0] = leftRotate3_8(state->A[0][4]); - B[4][0] = leftRotate6_8(state->A[0][2]); - B[0][1] = leftRotate4_8(state->A[1][1]); - B[1][1] = leftRotate4_8(state->A[1][4]); - B[2][1] = leftRotate6_8(state->A[1][2]); - B[3][1] = leftRotate4_8(state->A[1][0]); - B[4][1] = leftRotate7_8(state->A[1][3]); - B[0][2] = leftRotate3_8(state->A[2][2]); - B[1][2] = leftRotate3_8(state->A[2][0]); - B[2][2] = leftRotate1_8(state->A[2][3]); - B[3][2] = leftRotate2_8(state->A[2][1]); - B[4][2] = leftRotate7_8(state->A[2][4]); - B[0][3] = leftRotate5_8(state->A[3][3]); - B[1][3] = leftRotate5_8(state->A[3][1]); - B[2][3] = state->A[3][4]; - B[3][3] = leftRotate7_8(state->A[3][2]); - B[4][3] = leftRotate1_8(state->A[3][0]); - B[0][4] = leftRotate6_8(state->A[4][4]); - B[1][4] = leftRotate5_8(state->A[4][2]); - B[2][4] = leftRotate2_8(state->A[4][0]); - B[3][4] = state->A[4][3]; - B[4][4] = leftRotate2_8(state->A[4][1]); + D = state->A[0][1]; + state->A[0][1] = leftRotate4_8(state->A[1][1]); + state->A[1][1] = leftRotate4_8(state->A[1][4]); + state->A[1][4] = leftRotate5_8(state->A[4][2]); + state->A[4][2] = leftRotate7_8(state->A[2][4]); + state->A[2][4] = leftRotate2_8(state->A[4][0]); + state->A[4][0] = leftRotate6_8(state->A[0][2]); + state->A[0][2] = leftRotate3_8(state->A[2][2]); + state->A[2][2] = leftRotate1_8(state->A[2][3]); + state->A[2][3] = state->A[3][4]; + state->A[3][4] = state->A[4][3]; + state->A[4][3] = leftRotate1_8(state->A[3][0]); + state->A[3][0] = leftRotate3_8(state->A[0][4]); + state->A[0][4] = leftRotate6_8(state->A[4][4]); + state->A[4][4] = leftRotate2_8(state->A[4][1]); + state->A[4][1] = leftRotate7_8(state->A[1][3]); + state->A[1][3] = leftRotate5_8(state->A[3][1]); + state->A[3][1] = leftRotate4_8(state->A[1][0]); + state->A[1][0] = leftRotate4_8(state->A[0][3]); + state->A[0][3] = 
leftRotate5_8(state->A[3][3]); + state->A[3][3] = leftRotate7_8(state->A[3][2]); + state->A[3][2] = leftRotate2_8(state->A[2][1]); + state->A[2][1] = leftRotate6_8(state->A[1][2]); + state->A[1][2] = leftRotate3_8(state->A[2][0]); + state->A[2][0] = leftRotate1_8(D); /* Step mapping chi. Combine each lane with two others in its row */ for (index = 0; index < 5; ++index) { + C[0] = state->A[index][0]; + C[1] = state->A[index][1]; + C[2] = state->A[index][2]; + C[3] = state->A[index][3]; + C[4] = state->A[index][4]; for (index2 = 0; index2 < 5; ++index2) { - state->A[index2][index] = - B[index2][index] ^ - ((~B[index2][addMod5(index, 1)]) & - B[index2][addMod5(index, 2)]); + state->A[index][index2] = + C[index2] ^ + ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); } } 
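Review bot: The new rho/pi step overwrites lanes in place along a 24-assignment chain beginning `D = state->A[0][1];`, and nothing states the invariant that makes that safe, so a reader cannot tell a correct chain from one with a transposed index; the mirrored chain in keccakp_400_permute_host in the next hunk has the same gap. I checked each assignment against the removed `B[r][c] = rot(A[..])` table and the order is consistent, but a comment such as `/* pi moves the 24 lanes other than A[0][0] around a single cycle, so each lane can be rotated into its new position in place, walking the cycle backwards from A[0][1] (saved in D) until A[2][0] is filled from D */` would let the next reviewer confirm it without redoing that exercise. A known-answer test against the Keccak-p[200] reference (or the previous B-based code) would also pin the chain and the reworked chi indexing, since an index slip here compiles cleanly and only shows up as a wrong permutation. The function's iota step and closing brace lie outside the hunk.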
@@ -110,61 +115,64 @@ void keccakp_400_permute_host(keccakp_400_state_t *state, unsigned rounds) 0x008A, 0x0088, 0x8009, 0x000A, 0x808B, 0x008B, 0x8089, 0x8003, 0x8002, 0x0080, 0x800A, 0x000A }; - uint16_t B[5][5]; + uint16_t C[5]; uint16_t D; unsigned round; unsigned index, index2; for (round = 20 - rounds; round < 20; ++round) { /* Step mapping theta. The specification mentions two temporary - * arrays of size 5 called C and D. To save a bit of memory, - * we use the first row of B to store C and compute D on the fly */ + * arrays of size 5 called C and D. Compute D on the fly */ for (index = 0; index < 5; ++index) { - B[0][index] = state->A[0][index] ^ state->A[1][index] ^ - state->A[2][index] ^ state->A[3][index] ^ - state->A[4][index]; + C[index] = state->A[0][index] ^ state->A[1][index] ^ + state->A[2][index] ^ state->A[3][index] ^ + state->A[4][index]; } for (index = 0; index < 5; ++index) { - D = B[0][addMod5(index, 4)] ^ - leftRotate1_16(B[0][addMod5(index, 1)]); + D = C[addMod5(index, 4)] ^ + leftRotate1_16(C[addMod5(index, 1)]); for (index2 = 0; index2 < 5; ++index2) state->A[index2][index] ^= D; } /* Step mapping rho and pi combined into a single step. 
* Rotate all lanes by a specific offset and rearrange */ - B[0][0] = state->A[0][0]; - B[1][0] = leftRotate12_16(state->A[0][3]); - B[2][0] = leftRotate1_16 (state->A[0][1]); - B[3][0] = leftRotate11_16(state->A[0][4]); - B[4][0] = leftRotate14_16(state->A[0][2]); - B[0][1] = leftRotate12_16(state->A[1][1]); - B[1][1] = leftRotate4_16 (state->A[1][4]); - B[2][1] = leftRotate6_16 (state->A[1][2]); - B[3][1] = leftRotate4_16 (state->A[1][0]); - B[4][1] = leftRotate7_16 (state->A[1][3]); - B[0][2] = leftRotate11_16(state->A[2][2]); - B[1][2] = leftRotate3_16 (state->A[2][0]); - B[2][2] = leftRotate9_16 (state->A[2][3]); - B[3][2] = leftRotate10_16(state->A[2][1]); - B[4][2] = leftRotate7_16 (state->A[2][4]); - B[0][3] = leftRotate5_16 (state->A[3][3]); - B[1][3] = leftRotate13_16(state->A[3][1]); - B[2][3] = leftRotate8_16 (state->A[3][4]); - B[3][3] = leftRotate15_16(state->A[3][2]); - B[4][3] = leftRotate9_16 (state->A[3][0]); - B[0][4] = leftRotate14_16(state->A[4][4]); - B[1][4] = leftRotate13_16(state->A[4][2]); - B[2][4] = leftRotate2_16 (state->A[4][0]); - B[3][4] = leftRotate8_16 (state->A[4][3]); - B[4][4] = leftRotate2_16 (state->A[4][1]); + D = state->A[0][1]; + state->A[0][1] = leftRotate12_16(state->A[1][1]); + state->A[1][1] = leftRotate4_16 (state->A[1][4]); + state->A[1][4] = leftRotate13_16(state->A[4][2]); + state->A[4][2] = leftRotate7_16 (state->A[2][4]); + state->A[2][4] = leftRotate2_16 (state->A[4][0]); + state->A[4][0] = leftRotate14_16(state->A[0][2]); + state->A[0][2] = leftRotate11_16(state->A[2][2]); + state->A[2][2] = leftRotate9_16 (state->A[2][3]); + state->A[2][3] = leftRotate8_16 (state->A[3][4]); + state->A[3][4] = leftRotate8_16 (state->A[4][3]); + state->A[4][3] = leftRotate9_16 (state->A[3][0]); + state->A[3][0] = leftRotate11_16(state->A[0][4]); + state->A[0][4] = leftRotate14_16(state->A[4][4]); + state->A[4][4] = leftRotate2_16 (state->A[4][1]); + state->A[4][1] = leftRotate7_16 (state->A[1][3]); + state->A[1][3] = 
leftRotate13_16(state->A[3][1]); + state->A[3][1] = leftRotate4_16 (state->A[1][0]); + state->A[1][0] = leftRotate12_16(state->A[0][3]); + state->A[0][3] = leftRotate5_16 (state->A[3][3]); + state->A[3][3] = leftRotate15_16(state->A[3][2]); + state->A[3][2] = leftRotate10_16(state->A[2][1]); + state->A[2][1] = leftRotate6_16 (state->A[1][2]); + state->A[1][2] = leftRotate3_16 (state->A[2][0]); + state->A[2][0] = leftRotate1_16(D); /* Step mapping chi. Combine each lane with two others in its row */ for (index = 0; index < 5; ++index) { + C[0] = state->A[index][0]; + C[1] = state->A[index][1]; + C[2] = state->A[index][2]; + C[3] = state->A[index][3]; + C[4] = state->A[index][4]; for (index2 = 0; index2 < 5; ++index2) { - state->A[index2][index] = - B[index2][index] ^ - ((~B[index2][addMod5(index, 1)]) & - B[index2][addMod5(index, 2)]); + state->A[index][index2] = + C[index2] ^ + ((~C[addMod5(index2, 1)]) & C[addMod5(index2, 2)]); } } @@ -202,3 +210,5 @@ void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds) } #endif + +#endif /* !__AVR__ */ diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.h b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.h index 026da50..2ffef42 100644 --- a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.h +++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-keccak.h @@ -68,9 +68,8 @@ typedef union * \brief Permutes the Keccak-p[200] state. * * \param state The Keccak-p[200] state to be permuted. - * \param rounds The number of rounds to perform (up to 18). */ -void keccakp_200_permute(keccakp_200_state_t *state, unsigned rounds); +void keccakp_200_permute(keccakp_200_state_t *state); /** * \brief Permutes the Keccak-p[400] state, which is assumed to be in diff --git a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-util.h b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-util.h index e79158c..e30166d 100644 
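Review bot: `for (round = 20 - rounds; round < 20; ++round)` still takes the caller's `rounds` while this commit drops the equivalent parameter from keccakp_200_permute; with `rounds` declared unsigned, a value above 20 wraps `20 - rounds` and the loop body never executes, so the state is handed back unpermuted with no error, unless a caller-side check I cannot see rules that out. Since the round handling of the sibling is being reworked here, either clamp before the loop, `if (rounds > 20) rounds = 20;`, or hard-code 20 as the 200-bit version now does, and state the limit in the header comment; for a permutation feeding an AEAD construction, a silent zero-round fallback is the failure mode to rule out. The in-place rho/pi chain and the chi rewrite mirror the previous hunk and are consistent with the removed table. The function's signature line and its iota step are outside the hunk.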
--- a/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-util.h
+++ b/isap/Implementations/crypto_aead/isapk128v20/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
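Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is forced from `__AVR__` with no way to override it, so the composed macro table selected by it can only ever be compiled with an AVR toolchain and is never exercised by host-side tests. Wrapping the selection in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` would let a host build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and check every composed rotation against the generic form before it ships in a cipher. The second hunk in this file (`+#if !LW_CRYPTO_ROTATE32_COMPOSED`) needs no change for that.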
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/aead-common.c b/knot/Implementations/crypto_aead/knot128v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
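Review bot: The composed table nests the generic `leftRotate`/`rightRotate` up to five deep, and if those are the statement-expression form whose tail (`(_temp << (32 - (bits))); \ }))`) appears in the earlier hunk, each nesting level declares a fresh `_temp` inside the initializer of the enclosing `_temp`; that is well-defined but will warn under `-Wshadow` on every use, and is avoidable by spelling the chains with the single-step macros, e.g. `#define leftRotate2(a) (leftRotate1(leftRotate1((a))))` and `#define leftRotate5(a) (rightRotate3(leftRotate8((a))))`, which also makes the table auditable at a glance. I checked the arithmetic: every leftRotateN reduces to a net left rotation of N bits and every rightRotateN maps to leftRotate(32-N), so the table is correct as written. Because this branch is only compiled under `__AVR__`, a small host-side self-check comparing each macro against `leftRotate((a), N)` for a few constants would be worth adding alongside it, since a wrong rotation count here would silently weaken every cipher built on these macros.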
--- a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/aead-common.h b/knot/Implementations/crypto_aead/knot128v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/api.h b/knot/Implementations/crypto_aead/knot128v1/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/encrypt.c b/knot/Implementations/crypto_aead/knot128v1/rhys-avr/encrypt.c deleted file mode 100644 index 0d644de..0000000 --- a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "knot.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return knot_aead_128_256_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return knot_aead_128_256_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} 
diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot-256-avr.S b/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot-256-avr.S deleted file mode 100644 index 15e6389..0000000 --- a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot-256-avr.S +++ /dev/null 
@@ -1,1093 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_6, @object - .size table_6, 52 -table_6: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 33 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 49 - .byte 34 - .byte 5 - .byte 10 - .byte 20 - .byte 41 - .byte 19 - .byte 39 - .byte 15 - .byte 30 - .byte 61 - .byte 58 - .byte 52 - .byte 40 - .byte 17 - .byte 35 - .byte 7 - .byte 14 - .byte 28 - .byte 57 - .byte 50 - .byte 36 - .byte 9 - .byte 18 - .byte 37 - .byte 11 - .byte 22 - .byte 45 - .byte 27 - .byte 55 - .byte 46 - .byte 29 - .byte 59 - .byte 54 - .byte 44 - .byte 25 - .byte 51 - .byte 38 - .byte 13 - .byte 26 - .byte 53 - .byte 42 - - .text -.global knot256_permute_6 - .type knot256_permute_6, @function -knot256_permute_6: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - 
push r30 - ldi r30,lo8(table_6) - ldi r31,hi8(table_6) -#if defined(RAMPZ) - ldi r17,hh8(table_6) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - 
eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std 
Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 - ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_6, .-knot256_permute_6 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 
55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot256_permute_7 - .type knot256_permute_7, @function -knot256_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std 
Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - 
std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 
- ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_7, .-knot256_permute_7 - -#endif diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot-384-avr.S b/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot-384-avr.S deleted file mode 100644 index 4d15898..0000000 --- a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot-384-avr.S +++ /dev/null 
@@ -1,833 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot384_permute_7 - .type knot384_permute_7, @function -knot384_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,72 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 87 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std 
Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - ldd r4,Z+16 - ldd r5,Z+17 - ldd r6,Z+18 - ldd r7,Z+19 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r4,Z+28 - ldd r5,Z+29 - ldd r6,Z+30 - ldd r7,Z+31 - ldd r8,Z+32 - ldd r9,Z+33 - ldd r10,Z+34 - ldd r11,Z+35 - std Y+25,r26 - std Y+26,r27 - std Y+27,r2 - std Y+28,r3 - std Y+29,r4 - std Y+30,r5 - std Y+31,r6 - std Y+32,r7 - std Y+33,r8 - std Y+34,r9 - std Y+35,r10 - std Y+36,r11 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r2,Z+38 - ldd r3,Z+39 - ldd r4,Z+40 - ldd r5,Z+41 - ldd r6,Z+42 - ldd r7,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - std Y+37,r26 - std Y+38,r27 - std Y+39,r2 - std Y+40,r3 - std Y+41,r4 - std Y+42,r5 - std Y+43,r6 - std Y+44,r7 - std Y+45,r8 - std Y+46,r9 - std Y+47,r10 - std Y+48,r11 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r24,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif -99: - ldd r12,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r30 - ldd r18,Y+13 - ldd r19,Y+25 - ldd r20,Y+37 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+61,r23 - mov r14,r20 - eor r14,r12 - mov r26,r18 - or r26,r19 - eor r26,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+1,r21 - mov r21,r26 - and r21,r12 - eor r21,r13 - std Y+49,r21 - ldd r12,Y+2 - ldd r18,Y+14 - ldd r19,Y+26 - ldd r20,Y+38 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std 
Y+62,r23 - mov r14,r20 - eor r14,r12 - mov r27,r18 - or r27,r19 - eor r27,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+2,r21 - mov r21,r27 - and r21,r12 - eor r21,r13 - std Y+50,r21 - ldd r12,Y+3 - ldd r18,Y+15 - ldd r19,Y+27 - ldd r20,Y+39 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+63,r23 - mov r14,r20 - eor r14,r12 - mov r2,r18 - or r2,r19 - eor r2,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+3,r21 - mov r21,r2 - and r21,r12 - eor r21,r13 - std Y+51,r21 - ldd r12,Y+4 - ldd r18,Y+16 - ldd r19,Y+28 - ldd r20,Y+40 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,192 - sbci r29,255 - st Y,r23 - subi r28,64 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r3,r18 - or r3,r19 - eor r3,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+4,r21 - mov r21,r3 - and r21,r12 - eor r21,r13 - std Y+52,r21 - ldd r12,Y+5 - ldd r18,Y+17 - ldd r19,Y+29 - ldd r20,Y+41 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,191 - sbci r29,255 - st Y,r23 - subi r28,65 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r4,r18 - or r4,r19 - eor r4,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+5,r21 - mov r21,r4 - and r21,r12 - eor r21,r13 - std Y+53,r21 - ldd r12,Y+6 - ldd r18,Y+18 - ldd r19,Y+30 - ldd r20,Y+42 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,190 - sbci r29,255 - st Y,r23 - subi r28,66 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r5,r18 - or r5,r19 - eor r5,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+6,r21 - mov r21,r5 - and r21,r12 - eor r21,r13 - std Y+54,r21 - ldd r12,Y+7 - ldd r18,Y+19 - ldd r19,Y+31 - ldd r20,Y+43 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,189 - sbci r29,255 - st Y,r23 - 
subi r28,67 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r6,r18 - or r6,r19 - eor r6,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+7,r21 - mov r21,r6 - and r21,r12 - eor r21,r13 - std Y+55,r21 - ldd r12,Y+8 - ldd r18,Y+20 - ldd r19,Y+32 - ldd r20,Y+44 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,188 - sbci r29,255 - st Y,r23 - subi r28,68 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r7,r18 - or r7,r19 - eor r7,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+8,r21 - mov r21,r7 - and r21,r12 - eor r21,r13 - std Y+56,r21 - ldd r12,Y+9 - ldd r18,Y+21 - ldd r19,Y+33 - ldd r20,Y+45 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,187 - sbci r29,255 - st Y,r23 - subi r28,69 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r8,r18 - or r8,r19 - eor r8,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+9,r21 - mov r21,r8 - and r21,r12 - eor r21,r13 - std Y+57,r21 - ldd r12,Y+10 - ldd r18,Y+22 - ldd r19,Y+34 - ldd r20,Y+46 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,186 - sbci r29,255 - st Y,r23 - subi r28,70 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r9,r18 - or r9,r19 - eor r9,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+10,r21 - mov r21,r9 - and r21,r12 - eor r21,r13 - std Y+58,r21 - ldd r12,Y+11 - ldd r18,Y+23 - ldd r19,Y+35 - ldd r20,Y+47 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,185 - sbci r29,255 - st Y,r23 - subi r28,71 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r10,r18 - or r10,r19 - eor r10,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+11,r21 - mov r21,r10 - and r21,r12 - eor r21,r13 - std Y+59,r21 - ldd r12,Y+12 - ldd r18,Y+24 - ldd r19,Y+36 - ldd r20,Y+48 - com r12 - mov r13,r18 - and r13,r12 - eor 
r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,184 - sbci r29,255 - st Y,r23 - subi r28,72 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r11,r18 - or r11,r19 - eor r11,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+12,r21 - mov r21,r11 - and r21,r12 - eor r21,r13 - std Y+60,r21 - std Y+25,r11 - std Y+26,r26 - std Y+27,r27 - std Y+28,r2 - std Y+29,r3 - std Y+30,r4 - std Y+31,r5 - std Y+32,r6 - std Y+33,r7 - std Y+34,r8 - std Y+35,r9 - std Y+36,r10 - ldd r26,Y+49 - ldd r27,Y+50 - ldd r2,Y+51 - ldd r3,Y+52 - ldd r4,Y+53 - ldd r5,Y+54 - ldd r6,Y+55 - ldd r7,Y+56 - ldd r8,Y+57 - ldd r9,Y+58 - ldd r10,Y+59 - ldd r11,Y+60 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - adc r26,r1 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - adiw r28,61 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y - subi r28,72 - sbc r29,r1 - bst r26,0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r3 - ror r2 - ror r27 - ror r26 - bld r11,7 - std Y+37,r5 - std Y+38,r6 - std Y+39,r7 - std Y+40,r8 - std Y+41,r9 - std Y+42,r10 - std Y+43,r11 - std Y+44,r26 - std Y+45,r27 - std Y+46,r2 - std Y+47,r3 - std Y+48,r4 - dec r22 - breq 5542f - rjmp 99b -5542: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r2,Y+15 - ldd r3,Y+16 - ldd r4,Y+17 - ldd r5,Y+18 - ldd r6,Y+19 - ldd 
r7,Y+20 - ldd r8,Y+21 - ldd r9,Y+22 - ldd r10,Y+23 - ldd r11,Y+24 - std Z+12,r26 - std Z+13,r27 - std Z+14,r2 - std Z+15,r3 - std Z+16,r4 - std Z+17,r5 - std Z+18,r6 - std Z+19,r7 - std Z+20,r8 - std Z+21,r9 - std Z+22,r10 - std Z+23,r11 - ldd r26,Y+25 - ldd r27,Y+26 - ldd r2,Y+27 - ldd r3,Y+28 - ldd r4,Y+29 - ldd r5,Y+30 - ldd r6,Y+31 - ldd r7,Y+32 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - std Z+24,r26 - std Z+25,r27 - std Z+26,r2 - std Z+27,r3 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+32,r8 - std Z+33,r9 - std Z+34,r10 - std Z+35,r11 - ldd r26,Y+37 - ldd r27,Y+38 - ldd r2,Y+39 - ldd r3,Y+40 - ldd r4,Y+41 - ldd r5,Y+42 - ldd r6,Y+43 - ldd r7,Y+44 - ldd r8,Y+45 - ldd r9,Y+46 - ldd r10,Y+47 - ldd r11,Y+48 - std Z+36,r26 - std Z+37,r27 - std Z+38,r2 - std Z+39,r3 - std Z+40,r4 - std Z+41,r5 - std Z+42,r6 - std Z+43,r7 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - subi r28,184 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot384_permute_7, .-knot384_permute_7 - -#endif diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot-512-avr.S b/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot-512-avr.S deleted file mode 100644 index 6f92ac3..0000000 --- a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot-512-avr.S +++ /dev/null 
@@ -1,2315 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot512_permute_7 - .type knot512_permute_7, @function -knot512_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd 
r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 
- ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - 
subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 - ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - 
mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor 
r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi 
r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std 
Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_7, .-knot512_permute_7 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_8, @object - .size table_8, 140 -table_8: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 17 - .byte 35 - .byte 71 - .byte 142 - .byte 28 - .byte 56 - .byte 113 - .byte 226 - .byte 196 - .byte 137 - .byte 18 - .byte 37 - .byte 75 - .byte 151 - .byte 46 - .byte 92 - .byte 184 - .byte 112 - .byte 224 - .byte 192 - .byte 129 - .byte 3 - .byte 6 - .byte 12 - .byte 25 - .byte 50 - .byte 100 - .byte 201 - .byte 146 - .byte 36 - .byte 73 - .byte 147 - .byte 38 - .byte 77 - .byte 155 - .byte 55 - .byte 110 - .byte 220 - .byte 185 - .byte 114 - .byte 228 - .byte 200 - .byte 144 - .byte 32 - .byte 65 - .byte 130 - .byte 5 
- .byte 10 - .byte 21 - .byte 43 - .byte 86 - .byte 173 - .byte 91 - .byte 182 - .byte 109 - .byte 218 - .byte 181 - .byte 107 - .byte 214 - .byte 172 - .byte 89 - .byte 178 - .byte 101 - .byte 203 - .byte 150 - .byte 44 - .byte 88 - .byte 176 - .byte 97 - .byte 195 - .byte 135 - .byte 15 - .byte 31 - .byte 62 - .byte 125 - .byte 251 - .byte 246 - .byte 237 - .byte 219 - .byte 183 - .byte 111 - .byte 222 - .byte 189 - .byte 122 - .byte 245 - .byte 235 - .byte 215 - .byte 174 - .byte 93 - .byte 186 - .byte 116 - .byte 232 - .byte 209 - .byte 162 - .byte 68 - .byte 136 - .byte 16 - .byte 33 - .byte 67 - .byte 134 - .byte 13 - .byte 27 - .byte 54 - .byte 108 - .byte 216 - .byte 177 - .byte 99 - .byte 199 - .byte 143 - .byte 30 - .byte 60 - .byte 121 - .byte 243 - .byte 231 - .byte 206 - .byte 156 - .byte 57 - .byte 115 - .byte 230 - .byte 204 - .byte 152 - .byte 49 - .byte 98 - .byte 197 - .byte 139 - .byte 22 - .byte 45 - .byte 90 - .byte 180 - .byte 105 - .byte 210 - .byte 164 - .byte 72 - .byte 145 - .byte 34 - .byte 69 - - .text -.global knot512_permute_8 - .type knot512_permute_8, @function -knot512_permute_8: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd 
r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_8) - ldi r31,hi8(table_8) -#if defined(RAMPZ) - ldi r17,hh8(table_8) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 - ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor 
r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 
- ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor 
r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov 
r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std 
Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std 
Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_8, .-knot512_permute_8 - -#endif diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot.c b/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot.c deleted file mode 100644 index f8b378e..0000000 --- a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot.c +++ /dev/null 
@@ -1,301 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-knot.h" - -#if !defined(__AVR__) - -/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ -static uint8_t const rc6[52] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, - 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28, - 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b, - 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26, - 0x0d, 0x1a, 0x35, 0x2a -}; -static uint8_t const rc7[104] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30, - 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c, - 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33, - 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f, - 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38, - 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36, - 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b, - 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25, - 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c -}; -static uint8_t const rc8[140] = { - 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2, - 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0, - 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93, - 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20, - 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda, - 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0, - 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7, - 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8, - 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c, - 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c, - 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 
0xc5, 0x8b, 0x16, 0x2d, 0x5a, - 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45 -}; - -/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */ -#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \ - do { \ - uint64_t t1, t3, t6; \ - t1 = ~(a0); \ - t3 = (a2) ^ ((a1) & t1); \ - (b3) = (a3) ^ t3; \ - t6 = (a3) ^ t1; \ - (b2) = ((a1) | (a2)) ^ t6; \ - t1 = (a1) ^ (a3); \ - (a0) = t1 ^ (t3 & t6); \ - (b1) = t3 ^ ((b2) & t1); \ - } while (0) - -/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */ -#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \ - do { \ - uint32_t t1, t3, t6; \ - t1 = ~(a0); \ - t3 = (a2) ^ ((a1) & t1); \ - (b3) = (a3) ^ t3; \ - t6 = (a3) ^ t1; \ - (b2) = ((a1) | (a2)) ^ t6; \ - t1 = (a1) ^ (a3); \ - (a0) = t1 ^ (t3 & t6); \ - (b1) = t3 ^ ((b2) & t1); \ - } while (0) - -static void knot256_permute - (knot256_state_t *state, const uint8_t *rc, uint8_t rounds) -{ - uint64_t b1, b2, b3; - - /* Load the input state into local variables; each row is 64 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x1, x2, x3, b1, b2, b3); - - /* Linear diffusion layer */ - x1 = leftRotate1_64(b1); - x2 = leftRotate8_64(b2); - x3 = leftRotate25_64(b3); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - 
le_store_word64(state->B + 24, x3); -#endif -} - -void knot256_permute_6(knot256_state_t *state, uint8_t rounds) -{ - knot256_permute(state, rc6, rounds); -} - -void knot256_permute_7(knot256_state_t *state, uint8_t rounds) -{ - knot256_permute(state, rc7, rounds); -} - -void knot384_permute_7(knot384_state_t *state, uint8_t rounds) -{ - const uint8_t *rc = rc7; - uint64_t b2, b4, b6; - uint32_t b3, b5, b7; - - /* Load the input state into local variables; each row is 96 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint32_t x1 = state->W[2]; - uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32); - uint32_t x3 = state->W[5]; - uint64_t x4 = state->S[3]; - uint32_t x5 = state->W[8]; - uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32); - uint32_t x7 = state->W[11]; -#else - uint64_t x0 = le_load_word64(state->B); - uint32_t x1 = le_load_word32(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 12); - uint32_t x3 = le_load_word32(state->B + 20); - uint64_t x4 = le_load_word64(state->B + 24); - uint32_t x5 = le_load_word32(state->B + 32); - uint64_t x6 = le_load_word64(state->B + 36); - uint32_t x7 = le_load_word32(state->B + 44); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x2, x4, x6, b2, b4, b6); - knot_sbox32(x1, x3, x5, x7, b3, b5, b7); - - /* Linear diffusion layer */ - #define leftRotateShort_96(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \ - (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ - } while (0) - #define leftRotateLong_96(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | \ - (((uint64_t)(b1)) << ((bits) - 32)) | \ - ((b0) >> (96 - (bits))); \ - (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \ - } while (0) - leftRotateShort_96(x2, x3, b2, b3, 1); - leftRotateShort_96(x4, x5, b4, b5, 8); - 
leftRotateLong_96(x6, x7, b6, b7, 55); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->W[2] = x1; - state->W[3] = (uint32_t)x2; - state->W[4] = (uint32_t)(x2 >> 32); - state->W[5] = x3; - state->S[3] = x4; - state->W[8] = x5; - state->W[9] = (uint32_t)x6; - state->W[10] = (uint32_t)(x6 >> 32); - state->W[11] = x7; -#else - le_store_word64(state->B, x0); - le_store_word32(state->B + 8, x1); - le_store_word64(state->B + 12, x2); - le_store_word32(state->B + 20, x3); - le_store_word64(state->B + 24, x4); - le_store_word32(state->B + 32, x5); - le_store_word64(state->B + 36, x6); - le_store_word32(state->B + 44, x7); -#endif -} - -static void knot512_permute - (knot512_state_t *state, const uint8_t *rc, uint8_t rounds) -{ - uint64_t b2, b3, b4, b5, b6, b7; - - /* Load the input state into local variables; each row is 128 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; - uint64_t x4 = state->S[4]; - uint64_t x5 = state->S[5]; - uint64_t x6 = state->S[6]; - uint64_t x7 = state->S[7]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); - uint64_t x4 = le_load_word64(state->B + 32); - uint64_t x5 = le_load_word64(state->B + 40); - uint64_t x6 = le_load_word64(state->B + 48); - uint64_t x7 = le_load_word64(state->B + 56); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x2, x4, x6, b2, b4, b6); - knot_sbox64(x1, x3, x5, x7, b3, b5, b7); - - /* Linear diffusion layer */ - #define leftRotate_128(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \ - (a1) = ((b1) << (bits)) | ((b0) 
>> (64 - (bits))); \ - } while (0) - leftRotate_128(x2, x3, b2, b3, 1); - leftRotate_128(x4, x5, b4, b5, 16); - leftRotate_128(x6, x7, b6, b7, 25); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; - state->S[4] = x4; - state->S[5] = x5; - state->S[6] = x6; - state->S[7] = x7; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - le_store_word64(state->B + 24, x3); - le_store_word64(state->B + 32, x4); - le_store_word64(state->B + 40, x5); - le_store_word64(state->B + 48, x6); - le_store_word64(state->B + 56, x7); -#endif -} - -void knot512_permute_7(knot512_state_t *state, uint8_t rounds) -{ - knot512_permute(state, rc7, rounds); -} - -void knot512_permute_8(knot512_state_t *state, uint8_t rounds) -{ - knot512_permute(state, rc8, rounds); -} - -#endif /* !__AVR__ */ diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot.h b/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot.h deleted file mode 100644 index 88a782c..0000000 --- a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-knot.h +++ /dev/null 
@@ -1,130 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_KNOT_H
-#define LW_INTERNAL_KNOT_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-knot.h
- * \brief Permutations that are used by the KNOT AEAD and hash algorithms.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Internal state of the KNOT-256 permutation.
- */
-typedef union
-{
- uint64_t S[4]; /**< Words of the state */
- uint8_t B[32]; /**< Bytes of the state */
-
-} knot256_state_t;
-
-/**
- * \brief Internal state of the KNOT-384 permutation.
- */
-typedef union
-{
- uint64_t S[6]; /**< 64-bit words of the state */
- uint32_t W[12]; /**< 32-bit words of the state */
- uint8_t B[48]; /**< Bytes of the state */
-
-} knot384_state_t;
-
-/**
- * \brief Internal state of the KNOT-512 permutation.
- */
-typedef union
-{
- uint64_t S[8]; /**< Words of the state */
- uint8_t B[64]; /**< Bytes of the state */
-
-} knot512_state_t;
-
-/**
- * \brief Permutes the KNOT-256 state, using 6-bit round constants.
- *
- * \param state The KNOT-256 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 52.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot256_permute_6(knot256_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-256 state, using 7-bit round constants.
- *
- * \param state The KNOT-256 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot256_permute_7(knot256_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-384 state, using 7-bit round constants.
- *
- * \param state The KNOT-384 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot384_permute_7(knot384_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-512 state, using 7-bit round constants.
- *
- * \param state The KNOT-512 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot512_permute_7(knot512_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-512 state, using 8-bit round constants.
- *
- * \param state The KNOT-512 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 140.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot512_permute_8(knot512_state_t *state, uint8_t rounds);
-
-/**
- * \brief Generic pointer to a function that performs a KNOT permutation.
- *
- * \param state Points to the permutation state.
- * \param round Number of rounds to perform.
- */
-typedef void (*knot_permute_t)(void *state, uint8_t rounds);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-util.h b/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/knot-aead.c b/knot/Implementations/crypto_aead/knot128v1/rhys-avr/knot-aead.c
deleted file mode 100644
index 5825f01..0000000
--- a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/knot-aead.c
+++ /dev/null
@@ -1,503 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "knot.h"
-#include "internal-knot.h"
-#include 
-
-aead_cipher_t const knot_aead_128_256_cipher = {
- "KNOT-AEAD-128-256",
- KNOT_AEAD_128_KEY_SIZE,
- KNOT_AEAD_128_NONCE_SIZE,
- KNOT_AEAD_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_aead_128_256_encrypt,
- knot_aead_128_256_decrypt
-};
-
-aead_cipher_t const knot_aead_128_384_cipher = {
- "KNOT-AEAD-128-384",
- KNOT_AEAD_128_KEY_SIZE,
- KNOT_AEAD_128_NONCE_SIZE,
- KNOT_AEAD_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_aead_128_384_encrypt,
- knot_aead_128_384_decrypt
-};
-
-aead_cipher_t const knot_aead_192_384_cipher = {
- "KNOT-AEAD-192-384",
- KNOT_AEAD_192_KEY_SIZE,
- KNOT_AEAD_192_NONCE_SIZE,
- KNOT_AEAD_192_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_aead_192_384_encrypt,
- knot_aead_192_384_decrypt
-};
-
-aead_cipher_t const knot_aead_256_512_cipher = {
- "KNOT-AEAD-256-512",
- KNOT_AEAD_256_KEY_SIZE,
- KNOT_AEAD_256_NONCE_SIZE,
- KNOT_AEAD_256_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_aead_256_512_encrypt,
- knot_aead_256_512_decrypt
-};
-
-/**
- * \brief Rate for KNOT-AEAD-128-256.
- */
-#define KNOT_AEAD_128_256_RATE 8
-
-/**
- * \brief Rate for KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_384_RATE 24
-
-/**
- * \brief Rate for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_384_RATE 12
-
-/**
- * \brief Rate for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_512_RATE 16
-
-/**
- * \brief Absorbs the associated data into a KNOT permutation state.
- *
- * \param state Points to the KNOT permutation state.
- * \param permute Points to the function to perform the KNOT permutation.
- * \param rounds Number of rounds to perform.
- * \param rate Rate of absorption to use with the permutation.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data, must be at least 1.
- */
-static void knot_aead_absorb_ad
- (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate,
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen >= rate) {
- lw_xor_block((unsigned char *)state, ad, rate);
- permute(state, rounds);
- ad += rate;
- adlen -= rate;
- }
- rate = (unsigned)adlen;
- lw_xor_block((unsigned char *)state, ad, rate);
- ((unsigned char *)state)[rate] ^= 0x01;
- permute(state, rounds);
-}
-
-/**
- * \brief Encrypts plaintext data with a KNOT permutation state.
- *
- * \param state Points to the KNOT permutation state.
- * \param permute Points to the function to perform the KNOT permutation.
- * \param rounds Number of rounds to perform.
- * \param rate Rate of absorption to use with the permutation.
- * \param c Buffer to receive the ciphertext.
- * \param m Buffer containing the plaintext.
- * \param len Length of the plaintext data, must be at least 1.
- */
-static void knot_aead_encrypt
- (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate,
- unsigned char *c, const unsigned char *m, unsigned long long len)
-{
- while (len >= rate) {
- lw_xor_block_2_dest(c, (unsigned char *)state, m, rate);
- permute(state, rounds);
- c += rate;
- m += rate;
- len -= rate;
- }
- rate = (unsigned)len;
- lw_xor_block_2_dest(c, (unsigned char *)state, m, rate);
- ((unsigned char *)state)[rate] ^= 0x01;
-}
-
-/**
- * \brief Decrypts ciphertext data with a KNOT permutation state.
- *
- * \param state Points to the KNOT permutation state.
- * \param permute Points to the function to perform the KNOT permutation.
- * \param rounds Number of rounds to perform.
- * \param rate Rate of absorption to use with the permutation.
- * \param m Buffer to receive the plaintext.
- * \param c Buffer containing the ciphertext.
- * \param len Length of the plaintext data, must be at least 1.
- */
-static void knot_aead_decrypt
- (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate,
- unsigned char *m, const unsigned char *c, unsigned long long len)
-{
- while (len >= rate) {
- lw_xor_block_swap(m, (unsigned char *)state, c, rate);
- permute(state, rounds);
- c += rate;
- m += rate;
- len -= rate;
- }
- rate = (unsigned)len;
- lw_xor_block_swap(m, (unsigned char *)state, c, rate);
- ((unsigned char *)state)[rate] ^= 0x01;
-}
-
-int knot_aead_128_256_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot256_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + KNOT_AEAD_128_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE);
- knot256_permute_6(&state, 52);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot256_permute_6,
- 28, KNOT_AEAD_128_256_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Encrypts the plaintext to produce the ciphertext */
- if (mlen > 0) {
- knot_aead_encrypt
- (&state, (knot_permute_t)knot256_permute_6,
- 28, KNOT_AEAD_128_256_RATE, c, m, mlen);
- }
-
- /* Compute the authentication tag */
- knot256_permute_6(&state, 32);
- memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE);
- return 0;
-}
-
-int knot_aead_128_256_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot256_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < KNOT_AEAD_128_TAG_SIZE)
- return -1;
- *mlen = clen - KNOT_AEAD_128_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE);
- knot256_permute_6(&state, 52);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot256_permute_6,
- 28, KNOT_AEAD_128_256_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Decrypts the ciphertext to produce the plaintext */
- clen -= KNOT_AEAD_128_TAG_SIZE;
- if (clen > 0) {
- knot_aead_decrypt
- (&state, (knot_permute_t)knot256_permute_6,
- 28, KNOT_AEAD_128_256_RATE, m, c, clen);
- }
-
- /* Check the authentication tag */
- knot256_permute_6(&state, 32);
- return aead_check_tag
- (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE);
-}
-
-int knot_aead_128_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot384_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + KNOT_AEAD_128_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE);
- memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE,
- 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE));
- state.B[47] = 0x80;
- knot384_permute_7(&state, 76);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot384_permute_7,
- 28, KNOT_AEAD_128_384_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Encrypts the plaintext to produce the ciphertext */
- if (mlen > 0) {
- knot_aead_encrypt
- (&state, (knot_permute_t)knot384_permute_7,
- 28, KNOT_AEAD_128_384_RATE, c, m, mlen);
- }
-
- /* Compute the authentication tag */
- knot384_permute_7(&state, 32);
- memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE);
- return 0;
-}
-
-int knot_aead_128_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot384_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < KNOT_AEAD_128_TAG_SIZE)
- return -1;
- *mlen = clen - KNOT_AEAD_128_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE);
- memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE,
- 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE));
- state.B[47] = 0x80;
- knot384_permute_7(&state, 76);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot384_permute_7,
- 28, KNOT_AEAD_128_384_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Decrypts the ciphertext to produce the plaintext */
- clen -= KNOT_AEAD_128_TAG_SIZE;
- if (clen > 0) {
- knot_aead_decrypt
- (&state, (knot_permute_t)knot384_permute_7,
- 28, KNOT_AEAD_128_384_RATE, m, c, clen);
- }
-
- /* Check the authentication tag */
- knot384_permute_7(&state, 32);
- return aead_check_tag
- (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE);
-}
-
-int knot_aead_192_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot384_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + KNOT_AEAD_192_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE);
- knot384_permute_7(&state, 76);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot384_permute_7,
- 40, KNOT_AEAD_192_384_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Encrypts the plaintext to produce the ciphertext */
- if (mlen > 0) {
- knot_aead_encrypt
- (&state, (knot_permute_t)knot384_permute_7,
- 40, KNOT_AEAD_192_384_RATE, c, m, mlen);
- }
-
- /* Compute the authentication tag */
- knot384_permute_7(&state, 44);
- memcpy(c + mlen, state.B, KNOT_AEAD_192_TAG_SIZE);
- return 0;
-}
-
-int knot_aead_192_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot384_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < KNOT_AEAD_192_TAG_SIZE)
- return -1;
- *mlen = clen - KNOT_AEAD_192_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE);
- knot384_permute_7(&state, 76);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot384_permute_7,
- 40, KNOT_AEAD_192_384_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Decrypts the ciphertext to produce the plaintext */
- clen -= KNOT_AEAD_192_TAG_SIZE;
- if (clen > 0) {
- knot_aead_decrypt
- (&state, (knot_permute_t)knot384_permute_7,
- 40, KNOT_AEAD_192_384_RATE, m, c, clen);
- }
-
- /* Check the authentication tag */
- knot384_permute_7(&state, 44);
- return aead_check_tag
- (m, clen, state.B, c + clen, KNOT_AEAD_192_TAG_SIZE);
-}
-
-int knot_aead_256_512_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot512_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + KNOT_AEAD_256_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE);
- knot512_permute_7(&state, 100);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot512_permute_7,
- 52, KNOT_AEAD_256_512_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Encrypts the plaintext to produce the ciphertext */
- if (mlen > 0) {
- knot_aead_encrypt
- (&state, (knot_permute_t)knot512_permute_7,
- 52, KNOT_AEAD_256_512_RATE, c, m, mlen);
- }
-
- /* Compute the authentication tag */
- knot512_permute_7(&state, 56);
- memcpy(c + mlen, state.B, KNOT_AEAD_256_TAG_SIZE);
- return 0;
-}
-
-int knot_aead_256_512_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot512_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < KNOT_AEAD_256_TAG_SIZE)
- return -1;
- *mlen = clen - KNOT_AEAD_256_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE);
- knot512_permute_7(&state, 100);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot512_permute_7,
- 52, KNOT_AEAD_256_512_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Decrypts the ciphertext to produce the plaintext */
- clen -= KNOT_AEAD_256_TAG_SIZE;
- if (clen > 0) {
- knot_aead_decrypt
- (&state, (knot_permute_t)knot512_permute_7,
- 52, KNOT_AEAD_256_512_RATE, m, c, clen);
- }
-
- /* Check the authentication tag */
- knot512_permute_7(&state, 56);
- return aead_check_tag
- (m, clen, state.B, c + clen, KNOT_AEAD_256_TAG_SIZE);
-}
diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/knot.h b/knot/Implementations/crypto_aead/knot128v1/rhys-avr/knot.h
deleted file mode 100644
index e2c5198..0000000
--- a/knot/Implementations/crypto_aead/knot128v1/rhys-avr/knot.h
+++ /dev/null
@@ -1,459 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_KNOT_H
-#define LWCRYPTO_KNOT_H
-
-#include "aead-common.h"
-
-/**
- * \file knot.h
- * \brief KNOT authenticated encryption and hash algorithms.
- *
- * KNOT is a family of authenticated encryption and hash algorithms built
- * around a permutation and the MonkeyDuplex sponge construction. The
- * family members are:
- *
- * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag, built around a 256-bit permutation. This is the primary
- * encryption member of the family.
- * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag, built around a 384-bit permutation.
- * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a
- * 192-bit tag, built around a 384-bit permutation.
- * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a
- * 256-bit tag, built around a 512-bit permutation.
- * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a
- * 256-bit permutation. This is the primary hashing member of the family.
- * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a
- * 384-bit permutation.
- * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a
- * 384-bit permutation.
- * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a
- * 512-bit permutation.
- *
- * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-128-256 and
- * KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_NONCE_SIZE 16
-
-/**
- * \brief Size of the key for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_KEY_SIZE 24
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_TAG_SIZE 24
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_NONCE_SIZE 24
-
-/**
- * \brief Size of the key for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_KEY_SIZE 32
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_TAG_SIZE 32
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_256_NONCE_SIZE 32
-
-/**
- * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384.
- */
-#define KNOT_HASH_256_SIZE 32
-
-/**
- * \brief Size of the hash for KNOT-HASH-384-384.
- */
-#define KNOT_HASH_384_SIZE 48
-
-/**
- * \brief Size of the hash for KNOT-HASH-512-512.
- */
-#define KNOT_HASH_512_SIZE 64
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-128-256 cipher.
- */
-extern aead_cipher_t const knot_aead_128_256_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-128-384 cipher.
- */
-extern aead_cipher_t const knot_aead_128_384_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-192-384 cipher.
- */
-extern aead_cipher_t const knot_aead_192_384_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-256-512 cipher.
- */
-extern aead_cipher_t const knot_aead_256_512_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-256-256 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_256_256_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-256-384 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_256_384_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-384-384 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_384_384_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-512-512 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_512_512_algorithm;
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_128_256_decrypt()
- */
-int knot_aead_128_256_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_128_256_encrypt()
- */
-int knot_aead_128_256_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_128_384_decrypt()
- */
-int knot_aead_128_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_128_384_encrypt()
- */
-int knot_aead_128_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_192_384_decrypt()
- */
-int knot_aead_192_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_192_384_encrypt()
- */
-int knot_aead_192_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_256_512_decrypt()
- */
-int knot_aead_256_512_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_256_512_encrypt()
- */
-int knot_aead_256_512_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-256-256.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_256_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_256_256
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-256-384.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_256_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_256_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-384-384.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_384_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_384_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-512-512.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_512_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_512_512
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot-256-avr.S b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot-256-avr.S
new file mode 100644
index 0000000..15e6389
--- /dev/null
+++ b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot-256-avr.S
@@ -0,0 +1,1093 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_6, @object + .size table_6, 52 +table_6: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 33 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 49 + .byte 34 + .byte 5 + .byte 10 + .byte 20 + .byte 41 + .byte 19 + .byte 39 + .byte 15 + .byte 30 + .byte 61 + .byte 58 + .byte 52 + .byte 40 + .byte 17 + .byte 35 + .byte 7 + .byte 14 + .byte 28 + .byte 57 + .byte 50 + .byte 36 + .byte 9 + .byte 18 + .byte 37 + .byte 11 + .byte 22 + .byte 45 + .byte 27 + .byte 55 + .byte 46 + .byte 29 + .byte 59 + .byte 54 + .byte 44 + .byte 25 + .byte 51 + .byte 38 + .byte 13 + .byte 26 + .byte 53 + .byte 42 + + .text +.global knot256_permute_6 + .type knot256_permute_6, @function +knot256_permute_6: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + 
push r30 + ldi r30,lo8(table_6) + ldi r31,hi8(table_6) +#if defined(RAMPZ) + ldi r17,hh8(table_6) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + 
eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std 
Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 + ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_6, .-knot256_permute_6 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 
55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot256_permute_7 + .type knot256_permute_7, @function +knot256_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std 
Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + 
std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 
+ ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_7, .-knot256_permute_7 + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot-384-avr.S b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot-384-avr.S new file mode 100644 index 0000000..4d15898 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot-384-avr.S 
@@ -0,0 +1,833 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot384_permute_7 + .type knot384_permute_7, @function +knot384_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,72 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 87 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std 
Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + ldd r4,Z+16 + ldd r5,Z+17 + ldd r6,Z+18 + ldd r7,Z+19 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r4,Z+28 + ldd r5,Z+29 + ldd r6,Z+30 + ldd r7,Z+31 + ldd r8,Z+32 + ldd r9,Z+33 + ldd r10,Z+34 + ldd r11,Z+35 + std Y+25,r26 + std Y+26,r27 + std Y+27,r2 + std Y+28,r3 + std Y+29,r4 + std Y+30,r5 + std Y+31,r6 + std Y+32,r7 + std Y+33,r8 + std Y+34,r9 + std Y+35,r10 + std Y+36,r11 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+37,r26 + std Y+38,r27 + std Y+39,r2 + std Y+40,r3 + std Y+41,r4 + std Y+42,r5 + std Y+43,r6 + std Y+44,r7 + std Y+45,r8 + std Y+46,r9 + std Y+47,r10 + std Y+48,r11 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r24,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif +99: + ldd r12,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + inc r30 + ldd r18,Y+13 + ldd r19,Y+25 + ldd r20,Y+37 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+61,r23 + mov r14,r20 + eor r14,r12 + mov r26,r18 + or r26,r19 + eor r26,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+1,r21 + mov r21,r26 + and r21,r12 + eor r21,r13 + std Y+49,r21 + ldd r12,Y+2 + ldd r18,Y+14 + ldd r19,Y+26 + ldd r20,Y+38 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std 
Y+62,r23 + mov r14,r20 + eor r14,r12 + mov r27,r18 + or r27,r19 + eor r27,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+2,r21 + mov r21,r27 + and r21,r12 + eor r21,r13 + std Y+50,r21 + ldd r12,Y+3 + ldd r18,Y+15 + ldd r19,Y+27 + ldd r20,Y+39 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+63,r23 + mov r14,r20 + eor r14,r12 + mov r2,r18 + or r2,r19 + eor r2,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+3,r21 + mov r21,r2 + and r21,r12 + eor r21,r13 + std Y+51,r21 + ldd r12,Y+4 + ldd r18,Y+16 + ldd r19,Y+28 + ldd r20,Y+40 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,192 + sbci r29,255 + st Y,r23 + subi r28,64 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r3,r18 + or r3,r19 + eor r3,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+4,r21 + mov r21,r3 + and r21,r12 + eor r21,r13 + std Y+52,r21 + ldd r12,Y+5 + ldd r18,Y+17 + ldd r19,Y+29 + ldd r20,Y+41 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,191 + sbci r29,255 + st Y,r23 + subi r28,65 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r4,r18 + or r4,r19 + eor r4,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+5,r21 + mov r21,r4 + and r21,r12 + eor r21,r13 + std Y+53,r21 + ldd r12,Y+6 + ldd r18,Y+18 + ldd r19,Y+30 + ldd r20,Y+42 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,190 + sbci r29,255 + st Y,r23 + subi r28,66 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r5,r18 + or r5,r19 + eor r5,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+6,r21 + mov r21,r5 + and r21,r12 + eor r21,r13 + std Y+54,r21 + ldd r12,Y+7 + ldd r18,Y+19 + ldd r19,Y+31 + ldd r20,Y+43 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,189 + sbci r29,255 + st Y,r23 + 
subi r28,67 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r6,r18 + or r6,r19 + eor r6,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+7,r21 + mov r21,r6 + and r21,r12 + eor r21,r13 + std Y+55,r21 + ldd r12,Y+8 + ldd r18,Y+20 + ldd r19,Y+32 + ldd r20,Y+44 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,188 + sbci r29,255 + st Y,r23 + subi r28,68 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r7,r18 + or r7,r19 + eor r7,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+8,r21 + mov r21,r7 + and r21,r12 + eor r21,r13 + std Y+56,r21 + ldd r12,Y+9 + ldd r18,Y+21 + ldd r19,Y+33 + ldd r20,Y+45 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,187 + sbci r29,255 + st Y,r23 + subi r28,69 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r8,r18 + or r8,r19 + eor r8,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+9,r21 + mov r21,r8 + and r21,r12 + eor r21,r13 + std Y+57,r21 + ldd r12,Y+10 + ldd r18,Y+22 + ldd r19,Y+34 + ldd r20,Y+46 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,186 + sbci r29,255 + st Y,r23 + subi r28,70 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r9,r18 + or r9,r19 + eor r9,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+10,r21 + mov r21,r9 + and r21,r12 + eor r21,r13 + std Y+58,r21 + ldd r12,Y+11 + ldd r18,Y+23 + ldd r19,Y+35 + ldd r20,Y+47 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,185 + sbci r29,255 + st Y,r23 + subi r28,71 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r10,r18 + or r10,r19 + eor r10,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+11,r21 + mov r21,r10 + and r21,r12 + eor r21,r13 + std Y+59,r21 + ldd r12,Y+12 + ldd r18,Y+24 + ldd r19,Y+36 + ldd r20,Y+48 + com r12 + mov r13,r18 + and r13,r12 + eor 
r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,184 + sbci r29,255 + st Y,r23 + subi r28,72 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r11,r18 + or r11,r19 + eor r11,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+12,r21 + mov r21,r11 + and r21,r12 + eor r21,r13 + std Y+60,r21 + std Y+25,r11 + std Y+26,r26 + std Y+27,r27 + std Y+28,r2 + std Y+29,r3 + std Y+30,r4 + std Y+31,r5 + std Y+32,r6 + std Y+33,r7 + std Y+34,r8 + std Y+35,r9 + std Y+36,r10 + ldd r26,Y+49 + ldd r27,Y+50 + ldd r2,Y+51 + ldd r3,Y+52 + ldd r4,Y+53 + ldd r5,Y+54 + ldd r6,Y+55 + ldd r7,Y+56 + ldd r8,Y+57 + ldd r9,Y+58 + ldd r10,Y+59 + ldd r11,Y+60 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + adc r26,r1 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + adiw r28,61 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y + subi r28,72 + sbc r29,r1 + bst r26,0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r3 + ror r2 + ror r27 + ror r26 + bld r11,7 + std Y+37,r5 + std Y+38,r6 + std Y+39,r7 + std Y+40,r8 + std Y+41,r9 + std Y+42,r10 + std Y+43,r11 + std Y+44,r26 + std Y+45,r27 + std Y+46,r2 + std Y+47,r3 + std Y+48,r4 + dec r22 + breq 5542f + rjmp 99b +5542: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r2,Y+15 + ldd r3,Y+16 + ldd r4,Y+17 + ldd r5,Y+18 + ldd r6,Y+19 + ldd 
r7,Y+20 + ldd r8,Y+21 + ldd r9,Y+22 + ldd r10,Y+23 + ldd r11,Y+24 + std Z+12,r26 + std Z+13,r27 + std Z+14,r2 + std Z+15,r3 + std Z+16,r4 + std Z+17,r5 + std Z+18,r6 + std Z+19,r7 + std Z+20,r8 + std Z+21,r9 + std Z+22,r10 + std Z+23,r11 + ldd r26,Y+25 + ldd r27,Y+26 + ldd r2,Y+27 + ldd r3,Y+28 + ldd r4,Y+29 + ldd r5,Y+30 + ldd r6,Y+31 + ldd r7,Y+32 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + std Z+24,r26 + std Z+25,r27 + std Z+26,r2 + std Z+27,r3 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+32,r8 + std Z+33,r9 + std Z+34,r10 + std Z+35,r11 + ldd r26,Y+37 + ldd r27,Y+38 + ldd r2,Y+39 + ldd r3,Y+40 + ldd r4,Y+41 + ldd r5,Y+42 + ldd r6,Y+43 + ldd r7,Y+44 + ldd r8,Y+45 + ldd r9,Y+46 + ldd r10,Y+47 + ldd r11,Y+48 + std Z+36,r26 + std Z+37,r27 + std Z+38,r2 + std Z+39,r3 + std Z+40,r4 + std Z+41,r5 + std Z+42,r6 + std Z+43,r7 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + subi r28,184 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot384_permute_7, .-knot384_permute_7 + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot-512-avr.S b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot-512-avr.S new file mode 100644 index 0000000..6f92ac3 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot-512-avr.S 
@@ -0,0 +1,2315 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot512_permute_7 + .type knot512_permute_7, @function +knot512_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd 
r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 
+ ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + 
subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 + ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + 
mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor 
r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi 
r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std 
Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_7, .-knot512_permute_7 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_8, @object + .size table_8, 140 +table_8: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 17 + .byte 35 + .byte 71 + .byte 142 + .byte 28 + .byte 56 + .byte 113 + .byte 226 + .byte 196 + .byte 137 + .byte 18 + .byte 37 + .byte 75 + .byte 151 + .byte 46 + .byte 92 + .byte 184 + .byte 112 + .byte 224 + .byte 192 + .byte 129 + .byte 3 + .byte 6 + .byte 12 + .byte 25 + .byte 50 + .byte 100 + .byte 201 + .byte 146 + .byte 36 + .byte 73 + .byte 147 + .byte 38 + .byte 77 + .byte 155 + .byte 55 + .byte 110 + .byte 220 + .byte 185 + .byte 114 + .byte 228 + .byte 200 + .byte 144 + .byte 32 + .byte 65 + .byte 130 + .byte 5 
+ .byte 10 + .byte 21 + .byte 43 + .byte 86 + .byte 173 + .byte 91 + .byte 182 + .byte 109 + .byte 218 + .byte 181 + .byte 107 + .byte 214 + .byte 172 + .byte 89 + .byte 178 + .byte 101 + .byte 203 + .byte 150 + .byte 44 + .byte 88 + .byte 176 + .byte 97 + .byte 195 + .byte 135 + .byte 15 + .byte 31 + .byte 62 + .byte 125 + .byte 251 + .byte 246 + .byte 237 + .byte 219 + .byte 183 + .byte 111 + .byte 222 + .byte 189 + .byte 122 + .byte 245 + .byte 235 + .byte 215 + .byte 174 + .byte 93 + .byte 186 + .byte 116 + .byte 232 + .byte 209 + .byte 162 + .byte 68 + .byte 136 + .byte 16 + .byte 33 + .byte 67 + .byte 134 + .byte 13 + .byte 27 + .byte 54 + .byte 108 + .byte 216 + .byte 177 + .byte 99 + .byte 199 + .byte 143 + .byte 30 + .byte 60 + .byte 121 + .byte 243 + .byte 231 + .byte 206 + .byte 156 + .byte 57 + .byte 115 + .byte 230 + .byte 204 + .byte 152 + .byte 49 + .byte 98 + .byte 197 + .byte 139 + .byte 22 + .byte 45 + .byte 90 + .byte 180 + .byte 105 + .byte 210 + .byte 164 + .byte 72 + .byte 145 + .byte 34 + .byte 69 + + .text +.global knot512_permute_8 + .type knot512_permute_8, @function +knot512_permute_8: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd 
r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_8) + ldi r31,hi8(table_8) +#if defined(RAMPZ) + ldi r17,hh8(table_8) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 + ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor 
r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 
+ ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor 
r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov 
r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std 
Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std 
Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_8, .-knot512_permute_8 + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.c b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.c index 3486e6e..f8b378e 100644 --- a/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.c +++ b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-knot.c @@ -22,6 +22,8 @@ #include "internal-knot.h" +#if !defined(__AVR__) + /* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ static uint8_t const rc6[52] = { 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, @@ -295,3 +297,5 @@ void knot512_permute_8(knot512_state_t *state, uint8_t rounds) { knot512_permute(state, rc8, rounds); } + +#endif /* !__AVR__ */ diff --git a/knot/Implementations/crypto_aead/knot128v1/rhys/internal-util.h b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/knot/Implementations/crypto_aead/knot128v1/rhys/internal-util.h 
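Review bot: The `#if !defined(__AVR__)` guard hands every permutation symbol in this file to the AVR assembly implementations (such as the `knot512_permute_8` routine in the preceding hunk), but nothing in the file says so; add `/* On AVR the permutations are provided by hand-written assembly, which must stay behaviourally identical to the portable C below. */` next to the guard. One detail worth pinning in that comment is the valid range of `rounds`: the visible tail of the assembly loop (`dec r22`, `breq 5812f`, `rjmp 134b`) decrements before testing, so `rounds == 0` would run 256 rounds on AVR unless there is an entry check outside the visible part, and the C loop's handling of 0 is outside this hunk. Stating the accepted range once, next to the guard, keeps the two implementations from drifting on that edge.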
+++ b/knot/Implementations/crypto_aead/knot128v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
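Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is hard-wired to `__AVR__`, so the 62 composed rotation macros added in the `@@ -322,6 +335,138 @@` hunk below are compiled only for AVR and are dead code on any host build; a transposed constant in one of them would surface only as wrong cipher output on the target. Wrapping the selection in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` lets a host build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and run whatever known-answer tests the project has against the composed path as well. The `@@ -254,6 +265,8 @@` hunk keys on the same macro and needs no change.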
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/aead-common.c b/knot/Implementations/crypto_aead/knot128v2/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
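Review bot: The `#else` branch comment says only that 1 and 8 are fast; it should also record the invariants a maintainer must preserve when touching these 62 lines, e.g. `/* Each composed form must be bit-identical to the direct leftRotateN/rightRotateN; the argument appears exactly once in every expansion, so it is evaluated once as with the generic _temp macro, and every shift count is a constant, so the AVR cost does not depend on the data. */`. The right rotations are correctly defined as leftRotate(32-N) and the left compositions check out by inspection (left 8 then right 3 for 5, left 16 then right 4 for 12, right 4 for 28), but that equivalence is not checked anywhere in the header and is easy to break in a block of near-identical macros.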
--- a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/aead-common.h b/knot/Implementations/crypto_aead/knot128v2/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/api.h b/knot/Implementations/crypto_aead/knot128v2/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/encrypt.c b/knot/Implementations/crypto_aead/knot128v2/rhys-avr/encrypt.c deleted file mode 100644 index e80d720..0000000 --- a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "knot.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return knot_aead_128_384_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return knot_aead_128_384_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} 
diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot-256-avr.S b/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot-256-avr.S deleted file mode 100644 index 15e6389..0000000 --- a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot-256-avr.S +++ /dev/null 
@@ -1,1093 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_6, @object - .size table_6, 52 -table_6: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 33 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 49 - .byte 34 - .byte 5 - .byte 10 - .byte 20 - .byte 41 - .byte 19 - .byte 39 - .byte 15 - .byte 30 - .byte 61 - .byte 58 - .byte 52 - .byte 40 - .byte 17 - .byte 35 - .byte 7 - .byte 14 - .byte 28 - .byte 57 - .byte 50 - .byte 36 - .byte 9 - .byte 18 - .byte 37 - .byte 11 - .byte 22 - .byte 45 - .byte 27 - .byte 55 - .byte 46 - .byte 29 - .byte 59 - .byte 54 - .byte 44 - .byte 25 - .byte 51 - .byte 38 - .byte 13 - .byte 26 - .byte 53 - .byte 42 - - .text -.global knot256_permute_6 - .type knot256_permute_6, @function -knot256_permute_6: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - 
push r30 - ldi r30,lo8(table_6) - ldi r31,hi8(table_6) -#if defined(RAMPZ) - ldi r17,hh8(table_6) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - 
eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std 
Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 - ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_6, .-knot256_permute_6 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 
55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot256_permute_7 - .type knot256_permute_7, @function -knot256_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std 
Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - 
std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 
- ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_7, .-knot256_permute_7 - -#endif diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot-384-avr.S b/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot-384-avr.S deleted file mode 100644 index 4d15898..0000000 --- a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot-384-avr.S +++ /dev/null 
@@ -1,833 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot384_permute_7 - .type knot384_permute_7, @function -knot384_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,72 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 87 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std 
Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - ldd r4,Z+16 - ldd r5,Z+17 - ldd r6,Z+18 - ldd r7,Z+19 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r4,Z+28 - ldd r5,Z+29 - ldd r6,Z+30 - ldd r7,Z+31 - ldd r8,Z+32 - ldd r9,Z+33 - ldd r10,Z+34 - ldd r11,Z+35 - std Y+25,r26 - std Y+26,r27 - std Y+27,r2 - std Y+28,r3 - std Y+29,r4 - std Y+30,r5 - std Y+31,r6 - std Y+32,r7 - std Y+33,r8 - std Y+34,r9 - std Y+35,r10 - std Y+36,r11 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r2,Z+38 - ldd r3,Z+39 - ldd r4,Z+40 - ldd r5,Z+41 - ldd r6,Z+42 - ldd r7,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - std Y+37,r26 - std Y+38,r27 - std Y+39,r2 - std Y+40,r3 - std Y+41,r4 - std Y+42,r5 - std Y+43,r6 - std Y+44,r7 - std Y+45,r8 - std Y+46,r9 - std Y+47,r10 - std Y+48,r11 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r24,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif -99: - ldd r12,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r30 - ldd r18,Y+13 - ldd r19,Y+25 - ldd r20,Y+37 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+61,r23 - mov r14,r20 - eor r14,r12 - mov r26,r18 - or r26,r19 - eor r26,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+1,r21 - mov r21,r26 - and r21,r12 - eor r21,r13 - std Y+49,r21 - ldd r12,Y+2 - ldd r18,Y+14 - ldd r19,Y+26 - ldd r20,Y+38 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std 
Y+62,r23 - mov r14,r20 - eor r14,r12 - mov r27,r18 - or r27,r19 - eor r27,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+2,r21 - mov r21,r27 - and r21,r12 - eor r21,r13 - std Y+50,r21 - ldd r12,Y+3 - ldd r18,Y+15 - ldd r19,Y+27 - ldd r20,Y+39 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+63,r23 - mov r14,r20 - eor r14,r12 - mov r2,r18 - or r2,r19 - eor r2,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+3,r21 - mov r21,r2 - and r21,r12 - eor r21,r13 - std Y+51,r21 - ldd r12,Y+4 - ldd r18,Y+16 - ldd r19,Y+28 - ldd r20,Y+40 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,192 - sbci r29,255 - st Y,r23 - subi r28,64 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r3,r18 - or r3,r19 - eor r3,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+4,r21 - mov r21,r3 - and r21,r12 - eor r21,r13 - std Y+52,r21 - ldd r12,Y+5 - ldd r18,Y+17 - ldd r19,Y+29 - ldd r20,Y+41 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,191 - sbci r29,255 - st Y,r23 - subi r28,65 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r4,r18 - or r4,r19 - eor r4,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+5,r21 - mov r21,r4 - and r21,r12 - eor r21,r13 - std Y+53,r21 - ldd r12,Y+6 - ldd r18,Y+18 - ldd r19,Y+30 - ldd r20,Y+42 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,190 - sbci r29,255 - st Y,r23 - subi r28,66 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r5,r18 - or r5,r19 - eor r5,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+6,r21 - mov r21,r5 - and r21,r12 - eor r21,r13 - std Y+54,r21 - ldd r12,Y+7 - ldd r18,Y+19 - ldd r19,Y+31 - ldd r20,Y+43 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,189 - sbci r29,255 - st Y,r23 - 
subi r28,67 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r6,r18 - or r6,r19 - eor r6,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+7,r21 - mov r21,r6 - and r21,r12 - eor r21,r13 - std Y+55,r21 - ldd r12,Y+8 - ldd r18,Y+20 - ldd r19,Y+32 - ldd r20,Y+44 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,188 - sbci r29,255 - st Y,r23 - subi r28,68 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r7,r18 - or r7,r19 - eor r7,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+8,r21 - mov r21,r7 - and r21,r12 - eor r21,r13 - std Y+56,r21 - ldd r12,Y+9 - ldd r18,Y+21 - ldd r19,Y+33 - ldd r20,Y+45 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,187 - sbci r29,255 - st Y,r23 - subi r28,69 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r8,r18 - or r8,r19 - eor r8,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+9,r21 - mov r21,r8 - and r21,r12 - eor r21,r13 - std Y+57,r21 - ldd r12,Y+10 - ldd r18,Y+22 - ldd r19,Y+34 - ldd r20,Y+46 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,186 - sbci r29,255 - st Y,r23 - subi r28,70 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r9,r18 - or r9,r19 - eor r9,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+10,r21 - mov r21,r9 - and r21,r12 - eor r21,r13 - std Y+58,r21 - ldd r12,Y+11 - ldd r18,Y+23 - ldd r19,Y+35 - ldd r20,Y+47 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,185 - sbci r29,255 - st Y,r23 - subi r28,71 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r10,r18 - or r10,r19 - eor r10,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+11,r21 - mov r21,r10 - and r21,r12 - eor r21,r13 - std Y+59,r21 - ldd r12,Y+12 - ldd r18,Y+24 - ldd r19,Y+36 - ldd r20,Y+48 - com r12 - mov r13,r18 - and r13,r12 - eor 
r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,184 - sbci r29,255 - st Y,r23 - subi r28,72 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r11,r18 - or r11,r19 - eor r11,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+12,r21 - mov r21,r11 - and r21,r12 - eor r21,r13 - std Y+60,r21 - std Y+25,r11 - std Y+26,r26 - std Y+27,r27 - std Y+28,r2 - std Y+29,r3 - std Y+30,r4 - std Y+31,r5 - std Y+32,r6 - std Y+33,r7 - std Y+34,r8 - std Y+35,r9 - std Y+36,r10 - ldd r26,Y+49 - ldd r27,Y+50 - ldd r2,Y+51 - ldd r3,Y+52 - ldd r4,Y+53 - ldd r5,Y+54 - ldd r6,Y+55 - ldd r7,Y+56 - ldd r8,Y+57 - ldd r9,Y+58 - ldd r10,Y+59 - ldd r11,Y+60 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - adc r26,r1 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - adiw r28,61 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y - subi r28,72 - sbc r29,r1 - bst r26,0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r3 - ror r2 - ror r27 - ror r26 - bld r11,7 - std Y+37,r5 - std Y+38,r6 - std Y+39,r7 - std Y+40,r8 - std Y+41,r9 - std Y+42,r10 - std Y+43,r11 - std Y+44,r26 - std Y+45,r27 - std Y+46,r2 - std Y+47,r3 - std Y+48,r4 - dec r22 - breq 5542f - rjmp 99b -5542: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r2,Y+15 - ldd r3,Y+16 - ldd r4,Y+17 - ldd r5,Y+18 - ldd r6,Y+19 - ldd 
r7,Y+20 - ldd r8,Y+21 - ldd r9,Y+22 - ldd r10,Y+23 - ldd r11,Y+24 - std Z+12,r26 - std Z+13,r27 - std Z+14,r2 - std Z+15,r3 - std Z+16,r4 - std Z+17,r5 - std Z+18,r6 - std Z+19,r7 - std Z+20,r8 - std Z+21,r9 - std Z+22,r10 - std Z+23,r11 - ldd r26,Y+25 - ldd r27,Y+26 - ldd r2,Y+27 - ldd r3,Y+28 - ldd r4,Y+29 - ldd r5,Y+30 - ldd r6,Y+31 - ldd r7,Y+32 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - std Z+24,r26 - std Z+25,r27 - std Z+26,r2 - std Z+27,r3 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+32,r8 - std Z+33,r9 - std Z+34,r10 - std Z+35,r11 - ldd r26,Y+37 - ldd r27,Y+38 - ldd r2,Y+39 - ldd r3,Y+40 - ldd r4,Y+41 - ldd r5,Y+42 - ldd r6,Y+43 - ldd r7,Y+44 - ldd r8,Y+45 - ldd r9,Y+46 - ldd r10,Y+47 - ldd r11,Y+48 - std Z+36,r26 - std Z+37,r27 - std Z+38,r2 - std Z+39,r3 - std Z+40,r4 - std Z+41,r5 - std Z+42,r6 - std Z+43,r7 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - subi r28,184 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot384_permute_7, .-knot384_permute_7 - -#endif diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot-512-avr.S b/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot-512-avr.S deleted file mode 100644 index 6f92ac3..0000000 --- a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot-512-avr.S +++ /dev/null 
@@ -1,2315 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot512_permute_7 - .type knot512_permute_7, @function -knot512_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd 
r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 
- ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - 
subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 - ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - 
mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor 
r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi 
r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std 
Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_7, .-knot512_permute_7 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_8, @object - .size table_8, 140 -table_8: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 17 - .byte 35 - .byte 71 - .byte 142 - .byte 28 - .byte 56 - .byte 113 - .byte 226 - .byte 196 - .byte 137 - .byte 18 - .byte 37 - .byte 75 - .byte 151 - .byte 46 - .byte 92 - .byte 184 - .byte 112 - .byte 224 - .byte 192 - .byte 129 - .byte 3 - .byte 6 - .byte 12 - .byte 25 - .byte 50 - .byte 100 - .byte 201 - .byte 146 - .byte 36 - .byte 73 - .byte 147 - .byte 38 - .byte 77 - .byte 155 - .byte 55 - .byte 110 - .byte 220 - .byte 185 - .byte 114 - .byte 228 - .byte 200 - .byte 144 - .byte 32 - .byte 65 - .byte 130 - .byte 5 
- .byte 10 - .byte 21 - .byte 43 - .byte 86 - .byte 173 - .byte 91 - .byte 182 - .byte 109 - .byte 218 - .byte 181 - .byte 107 - .byte 214 - .byte 172 - .byte 89 - .byte 178 - .byte 101 - .byte 203 - .byte 150 - .byte 44 - .byte 88 - .byte 176 - .byte 97 - .byte 195 - .byte 135 - .byte 15 - .byte 31 - .byte 62 - .byte 125 - .byte 251 - .byte 246 - .byte 237 - .byte 219 - .byte 183 - .byte 111 - .byte 222 - .byte 189 - .byte 122 - .byte 245 - .byte 235 - .byte 215 - .byte 174 - .byte 93 - .byte 186 - .byte 116 - .byte 232 - .byte 209 - .byte 162 - .byte 68 - .byte 136 - .byte 16 - .byte 33 - .byte 67 - .byte 134 - .byte 13 - .byte 27 - .byte 54 - .byte 108 - .byte 216 - .byte 177 - .byte 99 - .byte 199 - .byte 143 - .byte 30 - .byte 60 - .byte 121 - .byte 243 - .byte 231 - .byte 206 - .byte 156 - .byte 57 - .byte 115 - .byte 230 - .byte 204 - .byte 152 - .byte 49 - .byte 98 - .byte 197 - .byte 139 - .byte 22 - .byte 45 - .byte 90 - .byte 180 - .byte 105 - .byte 210 - .byte 164 - .byte 72 - .byte 145 - .byte 34 - .byte 69 - - .text -.global knot512_permute_8 - .type knot512_permute_8, @function -knot512_permute_8: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd 
r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_8) - ldi r31,hi8(table_8) -#if defined(RAMPZ) - ldi r17,hh8(table_8) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 - ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor 
r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 
- ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor 
r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov 
r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std 
Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std 
Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_8, .-knot512_permute_8 - -#endif diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot.c b/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot.c deleted file mode 100644 index f8b378e..0000000 --- a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot.c +++ /dev/null 
@@ -1,301 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-knot.h" - -#if !defined(__AVR__) - -/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ -static uint8_t const rc6[52] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, - 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28, - 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b, - 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26, - 0x0d, 0x1a, 0x35, 0x2a -}; -static uint8_t const rc7[104] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30, - 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c, - 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33, - 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f, - 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38, - 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36, - 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b, - 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25, - 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c -}; -static uint8_t const rc8[140] = { - 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2, - 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0, - 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93, - 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20, - 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda, - 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0, - 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7, - 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8, - 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c, - 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c, - 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 
0xc5, 0x8b, 0x16, 0x2d, 0x5a, - 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45 -}; - -/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */ -#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \ - do { \ - uint64_t t1, t3, t6; \ - t1 = ~(a0); \ - t3 = (a2) ^ ((a1) & t1); \ - (b3) = (a3) ^ t3; \ - t6 = (a3) ^ t1; \ - (b2) = ((a1) | (a2)) ^ t6; \ - t1 = (a1) ^ (a3); \ - (a0) = t1 ^ (t3 & t6); \ - (b1) = t3 ^ ((b2) & t1); \ - } while (0) - -/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */ -#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \ - do { \ - uint32_t t1, t3, t6; \ - t1 = ~(a0); \ - t3 = (a2) ^ ((a1) & t1); \ - (b3) = (a3) ^ t3; \ - t6 = (a3) ^ t1; \ - (b2) = ((a1) | (a2)) ^ t6; \ - t1 = (a1) ^ (a3); \ - (a0) = t1 ^ (t3 & t6); \ - (b1) = t3 ^ ((b2) & t1); \ - } while (0) - -static void knot256_permute - (knot256_state_t *state, const uint8_t *rc, uint8_t rounds) -{ - uint64_t b1, b2, b3; - - /* Load the input state into local variables; each row is 64 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x1, x2, x3, b1, b2, b3); - - /* Linear diffusion layer */ - x1 = leftRotate1_64(b1); - x2 = leftRotate8_64(b2); - x3 = leftRotate25_64(b3); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - 
le_store_word64(state->B + 24, x3); -#endif -} - -void knot256_permute_6(knot256_state_t *state, uint8_t rounds) -{ - knot256_permute(state, rc6, rounds); -} - -void knot256_permute_7(knot256_state_t *state, uint8_t rounds) -{ - knot256_permute(state, rc7, rounds); -} - -void knot384_permute_7(knot384_state_t *state, uint8_t rounds) -{ - const uint8_t *rc = rc7; - uint64_t b2, b4, b6; - uint32_t b3, b5, b7; - - /* Load the input state into local variables; each row is 96 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint32_t x1 = state->W[2]; - uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32); - uint32_t x3 = state->W[5]; - uint64_t x4 = state->S[3]; - uint32_t x5 = state->W[8]; - uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32); - uint32_t x7 = state->W[11]; -#else - uint64_t x0 = le_load_word64(state->B); - uint32_t x1 = le_load_word32(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 12); - uint32_t x3 = le_load_word32(state->B + 20); - uint64_t x4 = le_load_word64(state->B + 24); - uint32_t x5 = le_load_word32(state->B + 32); - uint64_t x6 = le_load_word64(state->B + 36); - uint32_t x7 = le_load_word32(state->B + 44); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x2, x4, x6, b2, b4, b6); - knot_sbox32(x1, x3, x5, x7, b3, b5, b7); - - /* Linear diffusion layer */ - #define leftRotateShort_96(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \ - (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ - } while (0) - #define leftRotateLong_96(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | \ - (((uint64_t)(b1)) << ((bits) - 32)) | \ - ((b0) >> (96 - (bits))); \ - (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \ - } while (0) - leftRotateShort_96(x2, x3, b2, b3, 1); - leftRotateShort_96(x4, x5, b4, b5, 8); - 
leftRotateLong_96(x6, x7, b6, b7, 55); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->W[2] = x1; - state->W[3] = (uint32_t)x2; - state->W[4] = (uint32_t)(x2 >> 32); - state->W[5] = x3; - state->S[3] = x4; - state->W[8] = x5; - state->W[9] = (uint32_t)x6; - state->W[10] = (uint32_t)(x6 >> 32); - state->W[11] = x7; -#else - le_store_word64(state->B, x0); - le_store_word32(state->B + 8, x1); - le_store_word64(state->B + 12, x2); - le_store_word32(state->B + 20, x3); - le_store_word64(state->B + 24, x4); - le_store_word32(state->B + 32, x5); - le_store_word64(state->B + 36, x6); - le_store_word32(state->B + 44, x7); -#endif -} - -static void knot512_permute - (knot512_state_t *state, const uint8_t *rc, uint8_t rounds) -{ - uint64_t b2, b3, b4, b5, b6, b7; - - /* Load the input state into local variables; each row is 128 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; - uint64_t x4 = state->S[4]; - uint64_t x5 = state->S[5]; - uint64_t x6 = state->S[6]; - uint64_t x7 = state->S[7]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); - uint64_t x4 = le_load_word64(state->B + 32); - uint64_t x5 = le_load_word64(state->B + 40); - uint64_t x6 = le_load_word64(state->B + 48); - uint64_t x7 = le_load_word64(state->B + 56); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x2, x4, x6, b2, b4, b6); - knot_sbox64(x1, x3, x5, x7, b3, b5, b7); - - /* Linear diffusion layer */ - #define leftRotate_128(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \ - (a1) = ((b1) << (bits)) | ((b0) 
>> (64 - (bits))); \ - } while (0) - leftRotate_128(x2, x3, b2, b3, 1); - leftRotate_128(x4, x5, b4, b5, 16); - leftRotate_128(x6, x7, b6, b7, 25); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; - state->S[4] = x4; - state->S[5] = x5; - state->S[6] = x6; - state->S[7] = x7; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - le_store_word64(state->B + 24, x3); - le_store_word64(state->B + 32, x4); - le_store_word64(state->B + 40, x5); - le_store_word64(state->B + 48, x6); - le_store_word64(state->B + 56, x7); -#endif -} - -void knot512_permute_7(knot512_state_t *state, uint8_t rounds) -{ - knot512_permute(state, rc7, rounds); -} - -void knot512_permute_8(knot512_state_t *state, uint8_t rounds) -{ - knot512_permute(state, rc8, rounds); -} - -#endif /* !__AVR__ */ diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot.h b/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot.h deleted file mode 100644 index 88a782c..0000000 --- a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-knot.h +++ /dev/null 
@@ -1,130 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_KNOT_H -#define LW_INTERNAL_KNOT_H - -#include "internal-util.h" - -/** - * \file internal-knot.h - * \brief Permutations that are used by the KNOT AEAD and hash algorithms. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Internal state of the KNOT-256 permutation. - */ -typedef union -{ - uint64_t S[4]; /**< Words of the state */ - uint8_t B[32]; /**< Bytes of the state */ - -} knot256_state_t; - -/** - * \brief Internal state of the KNOT-384 permutation. - */ -typedef union -{ - uint64_t S[6]; /**< 64-bit words of the state */ - uint32_t W[12]; /**< 32-bit words of the state */ - uint8_t B[48]; /**< Bytes of the state */ - -} knot384_state_t; - -/** - * \brief Internal state of the KNOT-512 permutation. 
- */ -typedef union -{ - uint64_t S[8]; /**< Words of the state */ - uint8_t B[64]; /**< Bytes of the state */ - -} knot512_state_t; - -/** - * \brief Permutes the KNOT-256 state, using 6-bit round constants. - * - * \param state The KNOT-256 state to be permuted. - * \param rounds The number of rounds to be performed, 1 to 52. - * - * The input and output \a state will be in little-endian byte order. - */ -void knot256_permute_6(knot256_state_t *state, uint8_t rounds); - -/** - * \brief Permutes the KNOT-256 state, using 7-bit round constants. - * - * \param state The KNOT-256 state to be permuted. - * \param rounds The number of rounds to be performed, 1 to 104. - * - * The input and output \a state will be in little-endian byte order. - */ -void knot256_permute_7(knot256_state_t *state, uint8_t rounds); - -/** - * \brief Permutes the KNOT-384 state, using 7-bit round constants. - * - * \param state The KNOT-384 state to be permuted. - * \param rounds The number of rounds to be performed, 1 to 104. - * - * The input and output \a state will be in little-endian byte order. - */ -void knot384_permute_7(knot384_state_t *state, uint8_t rounds); - -/** - * \brief Permutes the KNOT-512 state, using 7-bit round constants. - * - * \param state The KNOT-512 state to be permuted. - * \param rounds The number of rounds to be performed, 1 to 104. - * - * The input and output \a state will be in little-endian byte order. - */ -void knot512_permute_7(knot512_state_t *state, uint8_t rounds); - -/** - * \brief Permutes the KNOT-512 state, using 8-bit round constants. - * - * \param state The KNOT-512 state to be permuted. - * \param rounds The number of rounds to be performed, 1 to 140. - * - * The input and output \a state will be in little-endian byte order. - */ -void knot512_permute_8(knot512_state_t *state, uint8_t rounds); - -/** - * \brief Generic pointer to a function that performs a KNOT permutation. - * - * \param state Points to the permutation state. 
- * \param round Number of rounds to perform. - */ -typedef void (*knot_permute_t)(void *state, uint8_t rounds); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-util.h b/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/knot-aead.c b/knot/Implementations/crypto_aead/knot128v2/rhys-avr/knot-aead.c
deleted file mode 100644
index 5825f01..0000000
--- a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/knot-aead.c
+++ /dev/null
@@ -1,503 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "knot.h"
-#include "internal-knot.h"
-#include
-
-aead_cipher_t const knot_aead_128_256_cipher = {
- "KNOT-AEAD-128-256",
- KNOT_AEAD_128_KEY_SIZE,
- KNOT_AEAD_128_NONCE_SIZE,
- KNOT_AEAD_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_aead_128_256_encrypt,
- knot_aead_128_256_decrypt
-};
-
-aead_cipher_t const knot_aead_128_384_cipher = {
- "KNOT-AEAD-128-384",
- KNOT_AEAD_128_KEY_SIZE,
- KNOT_AEAD_128_NONCE_SIZE,
- KNOT_AEAD_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_aead_128_384_encrypt,
- knot_aead_128_384_decrypt
-};
-
-aead_cipher_t const knot_aead_192_384_cipher = {
- "KNOT-AEAD-192-384",
- KNOT_AEAD_192_KEY_SIZE,
- KNOT_AEAD_192_NONCE_SIZE,
- KNOT_AEAD_192_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_aead_192_384_encrypt,
- knot_aead_192_384_decrypt
-};
-
-aead_cipher_t const knot_aead_256_512_cipher = {
- "KNOT-AEAD-256-512",
- KNOT_AEAD_256_KEY_SIZE,
- KNOT_AEAD_256_NONCE_SIZE,
- KNOT_AEAD_256_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_aead_256_512_encrypt,
- knot_aead_256_512_decrypt
-};
-
-/**
- * \brief Rate for KNOT-AEAD-128-256.
- */
-#define KNOT_AEAD_128_256_RATE 8
-
-/**
- * \brief Rate for KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_384_RATE 24
-
-/**
- * \brief Rate for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_384_RATE 12
-
-/**
- * \brief Rate for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_512_RATE 16
-
-/**
- * \brief Absorbs the associated data into a KNOT permutation state.
- *
- * \param state Points to the KNOT permutation state.
- * \param permute Points to the function to perform the KNOT permutation.
- * \param rounds Number of rounds to perform.
- * \param rate Rate of absorption to use with the permutation.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data, must be at least 1.
- */ -static void knot_aead_absorb_ad - (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen >= rate) { - lw_xor_block((unsigned char *)state, ad, rate); - permute(state, rounds); - ad += rate; - adlen -= rate; - } - rate = (unsigned)adlen; - lw_xor_block((unsigned char *)state, ad, rate); - ((unsigned char *)state)[rate] ^= 0x01; - permute(state, rounds); -} - -/** - * \brief Encrypts plaintext data with a KNOT permutation state. - * - * \param state Points to the KNOT permutation state. - * \param permute Points to the function to perform the KNOT permutation. - * \param rounds Number of rounds to perform. - * \param rate Rate of absorption to use with the permutation. - * \param c Buffer to receive the ciphertext. - * \param m Buffer containing the plaintext. - * \param len Length of the plaintext data, must be at least 1. - */ -static void knot_aead_encrypt - (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, - unsigned char *c, const unsigned char *m, unsigned long long len) -{ - while (len >= rate) { - lw_xor_block_2_dest(c, (unsigned char *)state, m, rate); - permute(state, rounds); - c += rate; - m += rate; - len -= rate; - } - rate = (unsigned)len; - lw_xor_block_2_dest(c, (unsigned char *)state, m, rate); - ((unsigned char *)state)[rate] ^= 0x01; -} - -/** - * \brief Decrypts ciphertext data with a KNOT permutation state. - * - * \param state Points to the KNOT permutation state. - * \param permute Points to the function to perform the KNOT permutation. - * \param rounds Number of rounds to perform. - * \param rate Rate of absorption to use with the permutation. - * \param m Buffer to receive the plaintext. - * \param c Buffer containing the ciphertext. - * \param len Length of the plaintext data, must be at least 1. 
- */ -static void knot_aead_decrypt - (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, - unsigned char *m, const unsigned char *c, unsigned long long len) -{ - while (len >= rate) { - lw_xor_block_swap(m, (unsigned char *)state, c, rate); - permute(state, rounds); - c += rate; - m += rate; - len -= rate; - } - rate = (unsigned)len; - lw_xor_block_swap(m, (unsigned char *)state, c, rate); - ((unsigned char *)state)[rate] ^= 0x01; -} - -int knot_aead_128_256_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - knot256_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + KNOT_AEAD_128_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); - knot256_permute_6(&state, 52); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot256_permute_6, - 28, KNOT_AEAD_128_256_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Encrypts the plaintext to produce the ciphertext */ - if (mlen > 0) { - knot_aead_encrypt - (&state, (knot_permute_t)knot256_permute_6, - 28, KNOT_AEAD_128_256_RATE, c, m, mlen); - } - - /* Compute the authentication tag */ - knot256_permute_6(&state, 32); - memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE); - return 0; -} - -int knot_aead_128_256_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - knot256_state_t state; - (void)nsec; - - /* Validate the ciphertext length and set 
the return "mlen" value */ - if (clen < KNOT_AEAD_128_TAG_SIZE) - return -1; - *mlen = clen - KNOT_AEAD_128_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); - knot256_permute_6(&state, 52); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot256_permute_6, - 28, KNOT_AEAD_128_256_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Decrypts the ciphertext to produce the plaintext */ - clen -= KNOT_AEAD_128_TAG_SIZE; - if (clen > 0) { - knot_aead_decrypt - (&state, (knot_permute_t)knot256_permute_6, - 28, KNOT_AEAD_128_256_RATE, m, c, clen); - } - - /* Check the authentication tag */ - knot256_permute_6(&state, 32); - return aead_check_tag - (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE); -} - -int knot_aead_128_384_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - knot384_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + KNOT_AEAD_128_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); - memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE, - 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE)); - state.B[47] = 0x80; - knot384_permute_7(&state, 76); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot384_permute_7, - 28, KNOT_AEAD_128_384_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Encrypts the 
plaintext to produce the ciphertext */ - if (mlen > 0) { - knot_aead_encrypt - (&state, (knot_permute_t)knot384_permute_7, - 28, KNOT_AEAD_128_384_RATE, c, m, mlen); - } - - /* Compute the authentication tag */ - knot384_permute_7(&state, 32); - memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE); - return 0; -} - -int knot_aead_128_384_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - knot384_state_t state; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < KNOT_AEAD_128_TAG_SIZE) - return -1; - *mlen = clen - KNOT_AEAD_128_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); - memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE, - 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE)); - state.B[47] = 0x80; - knot384_permute_7(&state, 76); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot384_permute_7, - 28, KNOT_AEAD_128_384_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Decrypts the ciphertext to produce the plaintext */ - clen -= KNOT_AEAD_128_TAG_SIZE; - if (clen > 0) { - knot_aead_decrypt - (&state, (knot_permute_t)knot384_permute_7, - 28, KNOT_AEAD_128_384_RATE, m, c, clen); - } - - /* Check the authentication tag */ - knot384_permute_7(&state, 32); - return aead_check_tag - (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE); -} - -int knot_aead_192_384_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const 
unsigned char *npub, - const unsigned char *k) -{ - knot384_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + KNOT_AEAD_192_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE); - knot384_permute_7(&state, 76); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot384_permute_7, - 40, KNOT_AEAD_192_384_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Encrypts the plaintext to produce the ciphertext */ - if (mlen > 0) { - knot_aead_encrypt - (&state, (knot_permute_t)knot384_permute_7, - 40, KNOT_AEAD_192_384_RATE, c, m, mlen); - } - - /* Compute the authentication tag */ - knot384_permute_7(&state, 44); - memcpy(c + mlen, state.B, KNOT_AEAD_192_TAG_SIZE); - return 0; -} - -int knot_aead_192_384_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - knot384_state_t state; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < KNOT_AEAD_192_TAG_SIZE) - return -1; - *mlen = clen - KNOT_AEAD_192_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE); - knot384_permute_7(&state, 76); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot384_permute_7, - 40, KNOT_AEAD_192_384_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Decrypts the ciphertext to produce the plaintext */ - clen -= KNOT_AEAD_192_TAG_SIZE; - if 
(clen > 0) { - knot_aead_decrypt - (&state, (knot_permute_t)knot384_permute_7, - 40, KNOT_AEAD_192_384_RATE, m, c, clen); - } - - /* Check the authentication tag */ - knot384_permute_7(&state, 44); - return aead_check_tag - (m, clen, state.B, c + clen, KNOT_AEAD_192_TAG_SIZE); -} - -int knot_aead_256_512_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - knot512_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + KNOT_AEAD_256_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE); - knot512_permute_7(&state, 100); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot512_permute_7, - 52, KNOT_AEAD_256_512_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Encrypts the plaintext to produce the ciphertext */ - if (mlen > 0) { - knot_aead_encrypt - (&state, (knot_permute_t)knot512_permute_7, - 52, KNOT_AEAD_256_512_RATE, c, m, mlen); - } - - /* Compute the authentication tag */ - knot512_permute_7(&state, 56); - memcpy(c + mlen, state.B, KNOT_AEAD_256_TAG_SIZE); - return 0; -} - -int knot_aead_256_512_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - knot512_state_t state; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < KNOT_AEAD_256_TAG_SIZE) - return -1; - *mlen = clen - KNOT_AEAD_256_TAG_SIZE; - - /* Initialize the permutation state to the nonce 
and the key */
- memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE);
- knot512_permute_7(&state, 100);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot512_permute_7,
- 52, KNOT_AEAD_256_512_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Decrypts the ciphertext to produce the plaintext */
- clen -= KNOT_AEAD_256_TAG_SIZE;
- if (clen > 0) {
- knot_aead_decrypt
- (&state, (knot_permute_t)knot512_permute_7,
- 52, KNOT_AEAD_256_512_RATE, m, c, clen);
- }
-
- /* Check the authentication tag */
- knot512_permute_7(&state, 56);
- return aead_check_tag
- (m, clen, state.B, c + clen, KNOT_AEAD_256_TAG_SIZE);
-}
diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/knot.h b/knot/Implementations/crypto_aead/knot128v2/rhys-avr/knot.h
deleted file mode 100644
index e2c5198..0000000
--- a/knot/Implementations/crypto_aead/knot128v2/rhys-avr/knot.h
+++ /dev/null
@@ -1,459 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_KNOT_H
-#define LWCRYPTO_KNOT_H
-
-#include "aead-common.h"
-
-/**
- * \file knot.h
- * \brief KNOT authenticated encryption and hash algorithms.
- *
- * KNOT is a family of authenticated encryption and hash algorithms built
- * around a permutation and the MonkeyDuplex sponge construction. The
- * family members are:
- *
- * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag, built around a 256-bit permutation. This is the primary
- * encryption member of the family.
- * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag, built around a 384-bit permutation.
- * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a
- * 192-bit tag, built around a 384-bit permutation.
- * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a
- * 256-bit tag, built around a 512-bit permutation.
- * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a
- * 256-bit permutation. This is the primary hashing member of the family.
- * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a
- * 384-bit permutation.
- * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a
- * 384-bit permutation.
- * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a
- * 512-bit permutation.
- *
- * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-128-256 and
- * KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_NONCE_SIZE 16
-
-/**
- * \brief Size of the key for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_KEY_SIZE 24
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_TAG_SIZE 24
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_NONCE_SIZE 24
-
-/**
- * \brief Size of the key for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_KEY_SIZE 32
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_TAG_SIZE 32
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_256_NONCE_SIZE 32
-
-/**
- * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384.
- */
-#define KNOT_HASH_256_SIZE 32
-
-/**
- * \brief Size of the hash for KNOT-HASH-384-384.
- */
-#define KNOT_HASH_384_SIZE 48
-
-/**
- * \brief Size of the hash for KNOT-HASH-512-512.
- */
-#define KNOT_HASH_512_SIZE 64
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-128-256 cipher.
- */
-extern aead_cipher_t const knot_aead_128_256_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-128-384 cipher.
- */
-extern aead_cipher_t const knot_aead_128_384_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-192-384 cipher.
- */
-extern aead_cipher_t const knot_aead_192_384_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-256-512 cipher.
- */
-extern aead_cipher_t const knot_aead_256_512_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-256-256 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_256_256_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-256-384 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_256_384_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-384-384 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_384_384_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-512-512 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_512_512_algorithm;
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_128_256_decrypt()
- */
-int knot_aead_128_256_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_128_256_encrypt()
- */
-int knot_aead_128_256_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_128_384_decrypt()
- */
-int knot_aead_128_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_128_384_encrypt()
- */
-int knot_aead_128_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_192_384_decrypt()
- */
-int knot_aead_192_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_192_384_encrypt()
- */
-int knot_aead_192_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_256_512_decrypt()
- */
-int knot_aead_256_512_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_256_512_encrypt()
- */
-int knot_aead_256_512_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-256-256.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_256_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_256_256
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-256-384.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_256_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_256_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-384-384.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_384_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_384_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-512-512.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_512_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_512_512
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot-256-avr.S b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot-256-avr.S
new file mode 100644
index 0000000..15e6389
--- /dev/null
+++ b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot-256-avr.S
@@ -0,0 +1,1093 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_6, @object + .size table_6, 52 +table_6: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 33 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 49 + .byte 34 + .byte 5 + .byte 10 + .byte 20 + .byte 41 + .byte 19 + .byte 39 + .byte 15 + .byte 30 + .byte 61 + .byte 58 + .byte 52 + .byte 40 + .byte 17 + .byte 35 + .byte 7 + .byte 14 + .byte 28 + .byte 57 + .byte 50 + .byte 36 + .byte 9 + .byte 18 + .byte 37 + .byte 11 + .byte 22 + .byte 45 + .byte 27 + .byte 55 + .byte 46 + .byte 29 + .byte 59 + .byte 54 + .byte 44 + .byte 25 + .byte 51 + .byte 38 + .byte 13 + .byte 26 + .byte 53 + .byte 42 + + .text +.global knot256_permute_6 + .type knot256_permute_6, @function +knot256_permute_6: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + 
push r30 + ldi r30,lo8(table_6) + ldi r31,hi8(table_6) +#if defined(RAMPZ) + ldi r17,hh8(table_6) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + 
eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std 
Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 + ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_6, .-knot256_permute_6 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 
55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot256_permute_7 + .type knot256_permute_7, @function +knot256_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std 
Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + 
std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 
+ ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_7, .-knot256_permute_7 + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot-384-avr.S b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot-384-avr.S new file mode 100644 index 0000000..4d15898 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot-384-avr.S 
@@ -0,0 +1,833 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot384_permute_7 + .type knot384_permute_7, @function +knot384_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,72 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 87 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std 
Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + ldd r4,Z+16 + ldd r5,Z+17 + ldd r6,Z+18 + ldd r7,Z+19 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r4,Z+28 + ldd r5,Z+29 + ldd r6,Z+30 + ldd r7,Z+31 + ldd r8,Z+32 + ldd r9,Z+33 + ldd r10,Z+34 + ldd r11,Z+35 + std Y+25,r26 + std Y+26,r27 + std Y+27,r2 + std Y+28,r3 + std Y+29,r4 + std Y+30,r5 + std Y+31,r6 + std Y+32,r7 + std Y+33,r8 + std Y+34,r9 + std Y+35,r10 + std Y+36,r11 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+37,r26 + std Y+38,r27 + std Y+39,r2 + std Y+40,r3 + std Y+41,r4 + std Y+42,r5 + std Y+43,r6 + std Y+44,r7 + std Y+45,r8 + std Y+46,r9 + std Y+47,r10 + std Y+48,r11 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r24,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif +99: + ldd r12,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + inc r30 + ldd r18,Y+13 + ldd r19,Y+25 + ldd r20,Y+37 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+61,r23 + mov r14,r20 + eor r14,r12 + mov r26,r18 + or r26,r19 + eor r26,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+1,r21 + mov r21,r26 + and r21,r12 + eor r21,r13 + std Y+49,r21 + ldd r12,Y+2 + ldd r18,Y+14 + ldd r19,Y+26 + ldd r20,Y+38 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std 
Y+62,r23 + mov r14,r20 + eor r14,r12 + mov r27,r18 + or r27,r19 + eor r27,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+2,r21 + mov r21,r27 + and r21,r12 + eor r21,r13 + std Y+50,r21 + ldd r12,Y+3 + ldd r18,Y+15 + ldd r19,Y+27 + ldd r20,Y+39 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+63,r23 + mov r14,r20 + eor r14,r12 + mov r2,r18 + or r2,r19 + eor r2,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+3,r21 + mov r21,r2 + and r21,r12 + eor r21,r13 + std Y+51,r21 + ldd r12,Y+4 + ldd r18,Y+16 + ldd r19,Y+28 + ldd r20,Y+40 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,192 + sbci r29,255 + st Y,r23 + subi r28,64 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r3,r18 + or r3,r19 + eor r3,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+4,r21 + mov r21,r3 + and r21,r12 + eor r21,r13 + std Y+52,r21 + ldd r12,Y+5 + ldd r18,Y+17 + ldd r19,Y+29 + ldd r20,Y+41 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,191 + sbci r29,255 + st Y,r23 + subi r28,65 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r4,r18 + or r4,r19 + eor r4,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+5,r21 + mov r21,r4 + and r21,r12 + eor r21,r13 + std Y+53,r21 + ldd r12,Y+6 + ldd r18,Y+18 + ldd r19,Y+30 + ldd r20,Y+42 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,190 + sbci r29,255 + st Y,r23 + subi r28,66 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r5,r18 + or r5,r19 + eor r5,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+6,r21 + mov r21,r5 + and r21,r12 + eor r21,r13 + std Y+54,r21 + ldd r12,Y+7 + ldd r18,Y+19 + ldd r19,Y+31 + ldd r20,Y+43 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,189 + sbci r29,255 + st Y,r23 + 
subi r28,67 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r6,r18 + or r6,r19 + eor r6,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+7,r21 + mov r21,r6 + and r21,r12 + eor r21,r13 + std Y+55,r21 + ldd r12,Y+8 + ldd r18,Y+20 + ldd r19,Y+32 + ldd r20,Y+44 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,188 + sbci r29,255 + st Y,r23 + subi r28,68 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r7,r18 + or r7,r19 + eor r7,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+8,r21 + mov r21,r7 + and r21,r12 + eor r21,r13 + std Y+56,r21 + ldd r12,Y+9 + ldd r18,Y+21 + ldd r19,Y+33 + ldd r20,Y+45 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,187 + sbci r29,255 + st Y,r23 + subi r28,69 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r8,r18 + or r8,r19 + eor r8,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+9,r21 + mov r21,r8 + and r21,r12 + eor r21,r13 + std Y+57,r21 + ldd r12,Y+10 + ldd r18,Y+22 + ldd r19,Y+34 + ldd r20,Y+46 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,186 + sbci r29,255 + st Y,r23 + subi r28,70 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r9,r18 + or r9,r19 + eor r9,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+10,r21 + mov r21,r9 + and r21,r12 + eor r21,r13 + std Y+58,r21 + ldd r12,Y+11 + ldd r18,Y+23 + ldd r19,Y+35 + ldd r20,Y+47 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,185 + sbci r29,255 + st Y,r23 + subi r28,71 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r10,r18 + or r10,r19 + eor r10,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+11,r21 + mov r21,r10 + and r21,r12 + eor r21,r13 + std Y+59,r21 + ldd r12,Y+12 + ldd r18,Y+24 + ldd r19,Y+36 + ldd r20,Y+48 + com r12 + mov r13,r18 + and r13,r12 + eor 
r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,184 + sbci r29,255 + st Y,r23 + subi r28,72 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r11,r18 + or r11,r19 + eor r11,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+12,r21 + mov r21,r11 + and r21,r12 + eor r21,r13 + std Y+60,r21 + std Y+25,r11 + std Y+26,r26 + std Y+27,r27 + std Y+28,r2 + std Y+29,r3 + std Y+30,r4 + std Y+31,r5 + std Y+32,r6 + std Y+33,r7 + std Y+34,r8 + std Y+35,r9 + std Y+36,r10 + ldd r26,Y+49 + ldd r27,Y+50 + ldd r2,Y+51 + ldd r3,Y+52 + ldd r4,Y+53 + ldd r5,Y+54 + ldd r6,Y+55 + ldd r7,Y+56 + ldd r8,Y+57 + ldd r9,Y+58 + ldd r10,Y+59 + ldd r11,Y+60 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + adc r26,r1 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + adiw r28,61 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y + subi r28,72 + sbc r29,r1 + bst r26,0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r3 + ror r2 + ror r27 + ror r26 + bld r11,7 + std Y+37,r5 + std Y+38,r6 + std Y+39,r7 + std Y+40,r8 + std Y+41,r9 + std Y+42,r10 + std Y+43,r11 + std Y+44,r26 + std Y+45,r27 + std Y+46,r2 + std Y+47,r3 + std Y+48,r4 + dec r22 + breq 5542f + rjmp 99b +5542: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r2,Y+15 + ldd r3,Y+16 + ldd r4,Y+17 + ldd r5,Y+18 + ldd r6,Y+19 + ldd 
r7,Y+20 + ldd r8,Y+21 + ldd r9,Y+22 + ldd r10,Y+23 + ldd r11,Y+24 + std Z+12,r26 + std Z+13,r27 + std Z+14,r2 + std Z+15,r3 + std Z+16,r4 + std Z+17,r5 + std Z+18,r6 + std Z+19,r7 + std Z+20,r8 + std Z+21,r9 + std Z+22,r10 + std Z+23,r11 + ldd r26,Y+25 + ldd r27,Y+26 + ldd r2,Y+27 + ldd r3,Y+28 + ldd r4,Y+29 + ldd r5,Y+30 + ldd r6,Y+31 + ldd r7,Y+32 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + std Z+24,r26 + std Z+25,r27 + std Z+26,r2 + std Z+27,r3 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+32,r8 + std Z+33,r9 + std Z+34,r10 + std Z+35,r11 + ldd r26,Y+37 + ldd r27,Y+38 + ldd r2,Y+39 + ldd r3,Y+40 + ldd r4,Y+41 + ldd r5,Y+42 + ldd r6,Y+43 + ldd r7,Y+44 + ldd r8,Y+45 + ldd r9,Y+46 + ldd r10,Y+47 + ldd r11,Y+48 + std Z+36,r26 + std Z+37,r27 + std Z+38,r2 + std Z+39,r3 + std Z+40,r4 + std Z+41,r5 + std Z+42,r6 + std Z+43,r7 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + subi r28,184 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot384_permute_7, .-knot384_permute_7 + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot-512-avr.S b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot-512-avr.S new file mode 100644 index 0000000..6f92ac3 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot-512-avr.S 
@@ -0,0 +1,2315 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot512_permute_7 + .type knot512_permute_7, @function +knot512_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd 
r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 
+ ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + 
subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 + ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + 
mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor 
r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi 
r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std 
Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_7, .-knot512_permute_7 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_8, @object + .size table_8, 140 +table_8: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 17 + .byte 35 + .byte 71 + .byte 142 + .byte 28 + .byte 56 + .byte 113 + .byte 226 + .byte 196 + .byte 137 + .byte 18 + .byte 37 + .byte 75 + .byte 151 + .byte 46 + .byte 92 + .byte 184 + .byte 112 + .byte 224 + .byte 192 + .byte 129 + .byte 3 + .byte 6 + .byte 12 + .byte 25 + .byte 50 + .byte 100 + .byte 201 + .byte 146 + .byte 36 + .byte 73 + .byte 147 + .byte 38 + .byte 77 + .byte 155 + .byte 55 + .byte 110 + .byte 220 + .byte 185 + .byte 114 + .byte 228 + .byte 200 + .byte 144 + .byte 32 + .byte 65 + .byte 130 + .byte 5 
+ .byte 10 + .byte 21 + .byte 43 + .byte 86 + .byte 173 + .byte 91 + .byte 182 + .byte 109 + .byte 218 + .byte 181 + .byte 107 + .byte 214 + .byte 172 + .byte 89 + .byte 178 + .byte 101 + .byte 203 + .byte 150 + .byte 44 + .byte 88 + .byte 176 + .byte 97 + .byte 195 + .byte 135 + .byte 15 + .byte 31 + .byte 62 + .byte 125 + .byte 251 + .byte 246 + .byte 237 + .byte 219 + .byte 183 + .byte 111 + .byte 222 + .byte 189 + .byte 122 + .byte 245 + .byte 235 + .byte 215 + .byte 174 + .byte 93 + .byte 186 + .byte 116 + .byte 232 + .byte 209 + .byte 162 + .byte 68 + .byte 136 + .byte 16 + .byte 33 + .byte 67 + .byte 134 + .byte 13 + .byte 27 + .byte 54 + .byte 108 + .byte 216 + .byte 177 + .byte 99 + .byte 199 + .byte 143 + .byte 30 + .byte 60 + .byte 121 + .byte 243 + .byte 231 + .byte 206 + .byte 156 + .byte 57 + .byte 115 + .byte 230 + .byte 204 + .byte 152 + .byte 49 + .byte 98 + .byte 197 + .byte 139 + .byte 22 + .byte 45 + .byte 90 + .byte 180 + .byte 105 + .byte 210 + .byte 164 + .byte 72 + .byte 145 + .byte 34 + .byte 69 + + .text +.global knot512_permute_8 + .type knot512_permute_8, @function +knot512_permute_8: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd 
r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_8) + ldi r31,hi8(table_8) +#if defined(RAMPZ) + ldi r17,hh8(table_8) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 + ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor 
r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 
+ ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor 
r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov 
r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std 
Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std 
Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_8, .-knot512_permute_8 + +#endif diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.c b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.c index 3486e6e..f8b378e 100644 --- a/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.c +++ b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-knot.c @@ -22,6 +22,8 @@ #include "internal-knot.h" +#if !defined(__AVR__) + /* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ static uint8_t const rc6[52] = { 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, @@ -295,3 +297,5 @@ void knot512_permute_8(knot512_state_t *state, uint8_t rounds) { knot512_permute(state, rc8, rounds); } + +#endif /* !__AVR__ */ diff --git a/knot/Implementations/crypto_aead/knot128v2/rhys/internal-util.h b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-util.h index e79158c..e30166d 100644 --- a/knot/Implementations/crypto_aead/knot128v2/rhys/internal-util.h 
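Review bot: With all of internal-knot.c compiled out under `__AVR__`, the round-constant tables (`rc6` here, `rc8` used by `knot512_permute_8` in the second hunk, and any siblings) now exist twice: once in C and once in the AVR assembly, which carries its own `table_6` (the copy visible further down this diff in the deleted knot-256 file matches `rc6` byte for byte as far as both are shown). Nothing ties the two copies together, so a future tweak to one table would silently desynchronise the AVR build from the portable one. A one-line comment on the C tables would make the coupling explicit: `/* Also duplicated as table_N in internal-knot-*-avr.S for AVR builds; keep both copies in sync. */`. The table bodies and the permutation functions between the two hunks are outside this hunk.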
+++ b/knot/Implementations/crypto_aead/knot128v2/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
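Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is hard-wired to `defined(__AVR__)` with no override, so the composed rotation table this switch enables (the large block added later in this file) is only ever compiled under an AVR toolchain and a host build never exercises it. Wrapping the selection in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` would let a host build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and run whatever test vectors the project already has through the composed path, which is where a transcription mistake would otherwise hide. The comment could also say what the two values mean: `/* 1: build leftRotateN/rightRotateN from 1-bit and 8/16/24-bit rotates (no barrel shifter); 0: use the generic shift form. */`.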
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/knot/Implementations/crypto_aead/knot192/rhys-avr/aead-common.c b/knot/Implementations/crypto_aead/knot192/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
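Review bot: The 62 composed `leftRotateN`/`rightRotateN` definitions are hand-transcribed, compiled only when `LW_CRYPTO_ROTATE32_COMPOSED` is set (i.e. only on AVR), and nothing checks them against the generic `leftRotate(a, bits)`/`rightRotate(a, bits)` forms they are meant to replace. I walked each chain and the counts do come out right (e.g. `leftRotate21` is left 24 then right 3, `leftRotate28` is four right-by-1 steps, and every `rightRotateN` maps to `leftRotate(32-N)`), but a slip in any one entry would corrupt every cipher built on that macro without a host build ever noticing. A small equivalence test, run with the composed path forced on, would pin the table: for each N in 1..31 and a few patterns such as 0x80000001 and 0x12345678, assert `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)`. Worth a comment as well: each level nests the generic statement-expression macro, and the context above shows that form declares a `_temp` local, so inner expansions shadow the outer `_temp`; that is well-defined because `(a)` is only read at the innermost level, but `-Wshadow` will flag it, e.g. `/* Nested expansions shadow the generic macro's _temp; harmless, but noisy under -Wshadow. */`.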
--- a/knot/Implementations/crypto_aead/knot192/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/knot/Implementations/crypto_aead/knot192/rhys-avr/aead-common.h b/knot/Implementations/crypto_aead/knot192/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/knot/Implementations/crypto_aead/knot192/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/knot/Implementations/crypto_aead/knot192/rhys-avr/api.h b/knot/Implementations/crypto_aead/knot192/rhys-avr/api.h deleted file mode 100644 index c340ebc..0000000 --- a/knot/Implementations/crypto_aead/knot192/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 24 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 24 -#define CRYPTO_ABYTES 24 -#define CRYPTO_NOOVERLAP 1 diff --git a/knot/Implementations/crypto_aead/knot192/rhys-avr/encrypt.c b/knot/Implementations/crypto_aead/knot192/rhys-avr/encrypt.c deleted file mode 100644 index 7d9ae8b..0000000 --- a/knot/Implementations/crypto_aead/knot192/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "knot.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return knot_aead_192_384_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return knot_aead_192_384_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} 
diff --git a/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot-256-avr.S b/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot-256-avr.S deleted file mode 100644 index 15e6389..0000000 --- a/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot-256-avr.S +++ /dev/null 
@@ -1,1093 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_6, @object - .size table_6, 52 -table_6: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 33 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 49 - .byte 34 - .byte 5 - .byte 10 - .byte 20 - .byte 41 - .byte 19 - .byte 39 - .byte 15 - .byte 30 - .byte 61 - .byte 58 - .byte 52 - .byte 40 - .byte 17 - .byte 35 - .byte 7 - .byte 14 - .byte 28 - .byte 57 - .byte 50 - .byte 36 - .byte 9 - .byte 18 - .byte 37 - .byte 11 - .byte 22 - .byte 45 - .byte 27 - .byte 55 - .byte 46 - .byte 29 - .byte 59 - .byte 54 - .byte 44 - .byte 25 - .byte 51 - .byte 38 - .byte 13 - .byte 26 - .byte 53 - .byte 42 - - .text -.global knot256_permute_6 - .type knot256_permute_6, @function -knot256_permute_6: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - 
push r30 - ldi r30,lo8(table_6) - ldi r31,hi8(table_6) -#if defined(RAMPZ) - ldi r17,hh8(table_6) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - 
eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std 
Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 - ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_6, .-knot256_permute_6 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 
55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot256_permute_7 - .type knot256_permute_7, @function -knot256_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std 
Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - 
std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 
- ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_7, .-knot256_permute_7 - -#endif diff --git a/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot-384-avr.S b/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot-384-avr.S deleted file mode 100644 index 4d15898..0000000 --- a/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot-384-avr.S +++ /dev/null 
@@ -1,833 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot384_permute_7 - .type knot384_permute_7, @function -knot384_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,72 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 87 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std 
Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - ldd r4,Z+16 - ldd r5,Z+17 - ldd r6,Z+18 - ldd r7,Z+19 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r4,Z+28 - ldd r5,Z+29 - ldd r6,Z+30 - ldd r7,Z+31 - ldd r8,Z+32 - ldd r9,Z+33 - ldd r10,Z+34 - ldd r11,Z+35 - std Y+25,r26 - std Y+26,r27 - std Y+27,r2 - std Y+28,r3 - std Y+29,r4 - std Y+30,r5 - std Y+31,r6 - std Y+32,r7 - std Y+33,r8 - std Y+34,r9 - std Y+35,r10 - std Y+36,r11 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r2,Z+38 - ldd r3,Z+39 - ldd r4,Z+40 - ldd r5,Z+41 - ldd r6,Z+42 - ldd r7,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - std Y+37,r26 - std Y+38,r27 - std Y+39,r2 - std Y+40,r3 - std Y+41,r4 - std Y+42,r5 - std Y+43,r6 - std Y+44,r7 - std Y+45,r8 - std Y+46,r9 - std Y+47,r10 - std Y+48,r11 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r24,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif -99: - ldd r12,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r30 - ldd r18,Y+13 - ldd r19,Y+25 - ldd r20,Y+37 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+61,r23 - mov r14,r20 - eor r14,r12 - mov r26,r18 - or r26,r19 - eor r26,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+1,r21 - mov r21,r26 - and r21,r12 - eor r21,r13 - std Y+49,r21 - ldd r12,Y+2 - ldd r18,Y+14 - ldd r19,Y+26 - ldd r20,Y+38 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std 
Y+62,r23 - mov r14,r20 - eor r14,r12 - mov r27,r18 - or r27,r19 - eor r27,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+2,r21 - mov r21,r27 - and r21,r12 - eor r21,r13 - std Y+50,r21 - ldd r12,Y+3 - ldd r18,Y+15 - ldd r19,Y+27 - ldd r20,Y+39 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+63,r23 - mov r14,r20 - eor r14,r12 - mov r2,r18 - or r2,r19 - eor r2,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+3,r21 - mov r21,r2 - and r21,r12 - eor r21,r13 - std Y+51,r21 - ldd r12,Y+4 - ldd r18,Y+16 - ldd r19,Y+28 - ldd r20,Y+40 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,192 - sbci r29,255 - st Y,r23 - subi r28,64 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r3,r18 - or r3,r19 - eor r3,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+4,r21 - mov r21,r3 - and r21,r12 - eor r21,r13 - std Y+52,r21 - ldd r12,Y+5 - ldd r18,Y+17 - ldd r19,Y+29 - ldd r20,Y+41 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,191 - sbci r29,255 - st Y,r23 - subi r28,65 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r4,r18 - or r4,r19 - eor r4,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+5,r21 - mov r21,r4 - and r21,r12 - eor r21,r13 - std Y+53,r21 - ldd r12,Y+6 - ldd r18,Y+18 - ldd r19,Y+30 - ldd r20,Y+42 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,190 - sbci r29,255 - st Y,r23 - subi r28,66 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r5,r18 - or r5,r19 - eor r5,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+6,r21 - mov r21,r5 - and r21,r12 - eor r21,r13 - std Y+54,r21 - ldd r12,Y+7 - ldd r18,Y+19 - ldd r19,Y+31 - ldd r20,Y+43 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,189 - sbci r29,255 - st Y,r23 - 
subi r28,67 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r6,r18 - or r6,r19 - eor r6,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+7,r21 - mov r21,r6 - and r21,r12 - eor r21,r13 - std Y+55,r21 - ldd r12,Y+8 - ldd r18,Y+20 - ldd r19,Y+32 - ldd r20,Y+44 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,188 - sbci r29,255 - st Y,r23 - subi r28,68 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r7,r18 - or r7,r19 - eor r7,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+8,r21 - mov r21,r7 - and r21,r12 - eor r21,r13 - std Y+56,r21 - ldd r12,Y+9 - ldd r18,Y+21 - ldd r19,Y+33 - ldd r20,Y+45 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,187 - sbci r29,255 - st Y,r23 - subi r28,69 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r8,r18 - or r8,r19 - eor r8,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+9,r21 - mov r21,r8 - and r21,r12 - eor r21,r13 - std Y+57,r21 - ldd r12,Y+10 - ldd r18,Y+22 - ldd r19,Y+34 - ldd r20,Y+46 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,186 - sbci r29,255 - st Y,r23 - subi r28,70 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r9,r18 - or r9,r19 - eor r9,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+10,r21 - mov r21,r9 - and r21,r12 - eor r21,r13 - std Y+58,r21 - ldd r12,Y+11 - ldd r18,Y+23 - ldd r19,Y+35 - ldd r20,Y+47 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,185 - sbci r29,255 - st Y,r23 - subi r28,71 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r10,r18 - or r10,r19 - eor r10,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+11,r21 - mov r21,r10 - and r21,r12 - eor r21,r13 - std Y+59,r21 - ldd r12,Y+12 - ldd r18,Y+24 - ldd r19,Y+36 - ldd r20,Y+48 - com r12 - mov r13,r18 - and r13,r12 - eor 
r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,184 - sbci r29,255 - st Y,r23 - subi r28,72 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r11,r18 - or r11,r19 - eor r11,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+12,r21 - mov r21,r11 - and r21,r12 - eor r21,r13 - std Y+60,r21 - std Y+25,r11 - std Y+26,r26 - std Y+27,r27 - std Y+28,r2 - std Y+29,r3 - std Y+30,r4 - std Y+31,r5 - std Y+32,r6 - std Y+33,r7 - std Y+34,r8 - std Y+35,r9 - std Y+36,r10 - ldd r26,Y+49 - ldd r27,Y+50 - ldd r2,Y+51 - ldd r3,Y+52 - ldd r4,Y+53 - ldd r5,Y+54 - ldd r6,Y+55 - ldd r7,Y+56 - ldd r8,Y+57 - ldd r9,Y+58 - ldd r10,Y+59 - ldd r11,Y+60 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - adc r26,r1 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - adiw r28,61 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y - subi r28,72 - sbc r29,r1 - bst r26,0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r3 - ror r2 - ror r27 - ror r26 - bld r11,7 - std Y+37,r5 - std Y+38,r6 - std Y+39,r7 - std Y+40,r8 - std Y+41,r9 - std Y+42,r10 - std Y+43,r11 - std Y+44,r26 - std Y+45,r27 - std Y+46,r2 - std Y+47,r3 - std Y+48,r4 - dec r22 - breq 5542f - rjmp 99b -5542: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r2,Y+15 - ldd r3,Y+16 - ldd r4,Y+17 - ldd r5,Y+18 - ldd r6,Y+19 - ldd 
r7,Y+20 - ldd r8,Y+21 - ldd r9,Y+22 - ldd r10,Y+23 - ldd r11,Y+24 - std Z+12,r26 - std Z+13,r27 - std Z+14,r2 - std Z+15,r3 - std Z+16,r4 - std Z+17,r5 - std Z+18,r6 - std Z+19,r7 - std Z+20,r8 - std Z+21,r9 - std Z+22,r10 - std Z+23,r11 - ldd r26,Y+25 - ldd r27,Y+26 - ldd r2,Y+27 - ldd r3,Y+28 - ldd r4,Y+29 - ldd r5,Y+30 - ldd r6,Y+31 - ldd r7,Y+32 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - std Z+24,r26 - std Z+25,r27 - std Z+26,r2 - std Z+27,r3 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+32,r8 - std Z+33,r9 - std Z+34,r10 - std Z+35,r11 - ldd r26,Y+37 - ldd r27,Y+38 - ldd r2,Y+39 - ldd r3,Y+40 - ldd r4,Y+41 - ldd r5,Y+42 - ldd r6,Y+43 - ldd r7,Y+44 - ldd r8,Y+45 - ldd r9,Y+46 - ldd r10,Y+47 - ldd r11,Y+48 - std Z+36,r26 - std Z+37,r27 - std Z+38,r2 - std Z+39,r3 - std Z+40,r4 - std Z+41,r5 - std Z+42,r6 - std Z+43,r7 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - subi r28,184 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot384_permute_7, .-knot384_permute_7 - -#endif diff --git a/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot-512-avr.S b/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot-512-avr.S deleted file mode 100644 index 6f92ac3..0000000 --- a/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot-512-avr.S +++ /dev/null 
@@ -1,2315 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot512_permute_7 - .type knot512_permute_7, @function -knot512_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd 
r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 
- ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - 
subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 - ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - 
mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor 
r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi 
r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std 
Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_7, .-knot512_permute_7 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_8, @object - .size table_8, 140 -table_8: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 17 - .byte 35 - .byte 71 - .byte 142 - .byte 28 - .byte 56 - .byte 113 - .byte 226 - .byte 196 - .byte 137 - .byte 18 - .byte 37 - .byte 75 - .byte 151 - .byte 46 - .byte 92 - .byte 184 - .byte 112 - .byte 224 - .byte 192 - .byte 129 - .byte 3 - .byte 6 - .byte 12 - .byte 25 - .byte 50 - .byte 100 - .byte 201 - .byte 146 - .byte 36 - .byte 73 - .byte 147 - .byte 38 - .byte 77 - .byte 155 - .byte 55 - .byte 110 - .byte 220 - .byte 185 - .byte 114 - .byte 228 - .byte 200 - .byte 144 - .byte 32 - .byte 65 - .byte 130 - .byte 5 
- .byte 10 - .byte 21 - .byte 43 - .byte 86 - .byte 173 - .byte 91 - .byte 182 - .byte 109 - .byte 218 - .byte 181 - .byte 107 - .byte 214 - .byte 172 - .byte 89 - .byte 178 - .byte 101 - .byte 203 - .byte 150 - .byte 44 - .byte 88 - .byte 176 - .byte 97 - .byte 195 - .byte 135 - .byte 15 - .byte 31 - .byte 62 - .byte 125 - .byte 251 - .byte 246 - .byte 237 - .byte 219 - .byte 183 - .byte 111 - .byte 222 - .byte 189 - .byte 122 - .byte 245 - .byte 235 - .byte 215 - .byte 174 - .byte 93 - .byte 186 - .byte 116 - .byte 232 - .byte 209 - .byte 162 - .byte 68 - .byte 136 - .byte 16 - .byte 33 - .byte 67 - .byte 134 - .byte 13 - .byte 27 - .byte 54 - .byte 108 - .byte 216 - .byte 177 - .byte 99 - .byte 199 - .byte 143 - .byte 30 - .byte 60 - .byte 121 - .byte 243 - .byte 231 - .byte 206 - .byte 156 - .byte 57 - .byte 115 - .byte 230 - .byte 204 - .byte 152 - .byte 49 - .byte 98 - .byte 197 - .byte 139 - .byte 22 - .byte 45 - .byte 90 - .byte 180 - .byte 105 - .byte 210 - .byte 164 - .byte 72 - .byte 145 - .byte 34 - .byte 69 - - .text -.global knot512_permute_8 - .type knot512_permute_8, @function -knot512_permute_8: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd 
r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_8) - ldi r31,hi8(table_8) -#if defined(RAMPZ) - ldi r17,hh8(table_8) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 - ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor 
r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 
- ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor 
r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov 
r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std 
Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std 
Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_8, .-knot512_permute_8 - -#endif diff --git a/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot.c b/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot.c deleted file mode 100644 index f8b378e..0000000 --- a/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot.c +++ /dev/null 
@@ -1,301 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-knot.h"
-
-#if !defined(__AVR__)
-
-/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */
-static uint8_t const rc6[52] = {
- 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22,
- 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28,
- 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b,
- 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26,
- 0x0d, 0x1a, 0x35, 0x2a
-};
-static uint8_t const rc7[104] = {
- 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30,
- 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c,
- 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33,
- 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f,
- 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38,
- 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36,
- 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b,
- 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25,
- 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c
-};
-static uint8_t const rc8[140] = {
- 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2,
- 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0,
- 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93,
- 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20,
- 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda,
- 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0,
- 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7,
- 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8,
- 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c,
- 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c,
- 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 0xc5, 0x8b, 0x16, 0x2d, 0x5a,
- 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45
-};
-
-/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */
-#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \
- do { \
- uint64_t t1, t3, t6; \
- t1 = ~(a0); \
- t3 = (a2) ^ ((a1) & t1); \
- (b3) = (a3) ^ t3; \
- t6 = (a3) ^ t1; \
- (b2) = ((a1) | (a2)) ^ t6; \
- t1 = (a1) ^ (a3); \
- (a0) = t1 ^ (t3 & t6); \
- (b1) = t3 ^ ((b2) & t1); \
- } while (0)
-
-/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */
-#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \
- do { \
- uint32_t t1, t3, t6; \
- t1 = ~(a0); \
- t3 = (a2) ^ ((a1) & t1); \
- (b3) = (a3) ^ t3; \
- t6 = (a3) ^ t1; \
- (b2) = ((a1) | (a2)) ^ t6; \
- t1 = (a1) ^ (a3); \
- (a0) = t1 ^ (t3 & t6); \
- (b1) = t3 ^ ((b2) & t1); \
- } while (0)
-
-static void knot256_permute
- (knot256_state_t *state, const uint8_t *rc, uint8_t rounds)
-{
- uint64_t b1, b2, b3;
-
- /* Load the input state into local variables; each row is 64 bits */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- uint64_t x0 = state->S[0];
- uint64_t x1 = state->S[1];
- uint64_t x2 = state->S[2];
- uint64_t x3 = state->S[3];
-#else
- uint64_t x0 = le_load_word64(state->B);
- uint64_t x1 = le_load_word64(state->B + 8);
- uint64_t x2 = le_load_word64(state->B + 16);
- uint64_t x3 = le_load_word64(state->B + 24);
-#endif
-
- /* Perform all permutation rounds */
- for (; rounds > 0; --rounds) {
- /* Add the next round constant to the state */
- x0 ^= *rc++;
-
- /* Substitution layer */
- knot_sbox64(x0, x1, x2, x3, b1, b2, b3);
-
- /* Linear diffusion layer */
- x1 = leftRotate1_64(b1);
- x2 = leftRotate8_64(b2);
- x3 = leftRotate25_64(b3);
- }
-
- /* Store the local variables to the output state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->S[0] = x0;
- state->S[1] = x1;
- state->S[2] = x2;
- state->S[3] = x3;
-#else
- le_store_word64(state->B, x0);
- le_store_word64(state->B + 8, x1);
- le_store_word64(state->B + 16, x2);
- le_store_word64(state->B + 24, x3);
-#endif
-}
-
-void knot256_permute_6(knot256_state_t *state, uint8_t rounds)
-{
- knot256_permute(state, rc6, rounds);
-}
-
-void knot256_permute_7(knot256_state_t *state, uint8_t rounds)
-{
- knot256_permute(state, rc7, rounds);
-}
-
-void knot384_permute_7(knot384_state_t *state, uint8_t rounds)
-{
- const uint8_t *rc = rc7;
- uint64_t b2, b4, b6;
- uint32_t b3, b5, b7;
-
- /* Load the input state into local variables; each row is 96 bits */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- uint64_t x0 = state->S[0];
- uint32_t x1 = state->W[2];
- uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32);
- uint32_t x3 = state->W[5];
- uint64_t x4 = state->S[3];
- uint32_t x5 = state->W[8];
- uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32);
- uint32_t x7 = state->W[11];
-#else
- uint64_t x0 = le_load_word64(state->B);
- uint32_t x1 = le_load_word32(state->B + 8);
- uint64_t x2 = le_load_word64(state->B + 12);
- uint32_t x3 = le_load_word32(state->B + 20);
- uint64_t x4 = le_load_word64(state->B + 24);
- uint32_t x5 = le_load_word32(state->B + 32);
- uint64_t x6 = le_load_word64(state->B + 36);
- uint32_t x7 = le_load_word32(state->B + 44);
-#endif
-
- /* Perform all permutation rounds */
- for (; rounds > 0; --rounds) {
- /* Add the next round constant to the state */
- x0 ^= *rc++;
-
- /* Substitution layer */
- knot_sbox64(x0, x2, x4, x6, b2, b4, b6);
- knot_sbox32(x1, x3, x5, x7, b3, b5, b7);
-
- /* Linear diffusion layer */
- #define leftRotateShort_96(a0, a1, b0, b1, bits) \
- do { \
- (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \
- (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \
- } while (0)
- #define leftRotateLong_96(a0, a1, b0, b1, bits) \
- do { \
- (a0) = ((b0) << (bits)) | \
- (((uint64_t)(b1)) << ((bits) - 32)) | \
- ((b0) >> (96 - (bits))); \
- (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \
- } while (0)
- leftRotateShort_96(x2, x3, b2, b3, 1);
- leftRotateShort_96(x4, x5, b4, b5, 8);
- leftRotateLong_96(x6, x7, b6, b7, 55);
- }
-
- /* Store the local variables to the output state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->S[0] = x0;
- state->W[2] = x1;
- state->W[3] = (uint32_t)x2;
- state->W[4] = (uint32_t)(x2 >> 32);
- state->W[5] = x3;
- state->S[3] = x4;
- state->W[8] = x5;
- state->W[9] = (uint32_t)x6;
- state->W[10] = (uint32_t)(x6 >> 32);
- state->W[11] = x7;
-#else
- le_store_word64(state->B, x0);
- le_store_word32(state->B + 8, x1);
- le_store_word64(state->B + 12, x2);
- le_store_word32(state->B + 20, x3);
- le_store_word64(state->B + 24, x4);
- le_store_word32(state->B + 32, x5);
- le_store_word64(state->B + 36, x6);
- le_store_word32(state->B + 44, x7);
-#endif
-}
-
-static void knot512_permute
- (knot512_state_t *state, const uint8_t *rc, uint8_t rounds)
-{
- uint64_t b2, b3, b4, b5, b6, b7;
-
- /* Load the input state into local variables; each row is 128 bits */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- uint64_t x0 = state->S[0];
- uint64_t x1 = state->S[1];
- uint64_t x2 = state->S[2];
- uint64_t x3 = state->S[3];
- uint64_t x4 = state->S[4];
- uint64_t x5 = state->S[5];
- uint64_t x6 = state->S[6];
- uint64_t x7 = state->S[7];
-#else
- uint64_t x0 = le_load_word64(state->B);
- uint64_t x1 = le_load_word64(state->B + 8);
- uint64_t x2 = le_load_word64(state->B + 16);
- uint64_t x3 = le_load_word64(state->B + 24);
- uint64_t x4 = le_load_word64(state->B + 32);
- uint64_t x5 = le_load_word64(state->B + 40);
- uint64_t x6 = le_load_word64(state->B + 48);
- uint64_t x7 = le_load_word64(state->B + 56);
-#endif
-
- /* Perform all permutation rounds */
- for (; rounds > 0; --rounds) {
- /* Add the next round constant to the state */
- x0 ^= *rc++;
-
- /* Substitution layer */
- knot_sbox64(x0, x2, x4, x6, b2, b4, b6);
- knot_sbox64(x1, x3, x5, x7, b3, b5, b7);
-
- /* Linear diffusion layer */
- #define leftRotate_128(a0, a1, b0, b1, bits) \
- do { \
- (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \
- (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \
- } while (0)
- leftRotate_128(x2, x3, b2, b3, 1);
- leftRotate_128(x4, x5, b4, b5, 16);
- leftRotate_128(x6, x7, b6, b7, 25);
- }
-
- /* Store the local variables to the output state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->S[0] = x0;
- state->S[1] = x1;
- state->S[2] = x2;
- state->S[3] = x3;
- state->S[4] = x4;
- state->S[5] = x5;
- state->S[6] = x6;
- state->S[7] = x7;
-#else
- le_store_word64(state->B, x0);
- le_store_word64(state->B + 8, x1);
- le_store_word64(state->B + 16, x2);
- le_store_word64(state->B + 24, x3);
- le_store_word64(state->B + 32, x4);
- le_store_word64(state->B + 40, x5);
- le_store_word64(state->B + 48, x6);
- le_store_word64(state->B + 56, x7);
-#endif
-}
-
-void knot512_permute_7(knot512_state_t *state, uint8_t rounds)
-{
- knot512_permute(state, rc7, rounds);
-}
-
-void knot512_permute_8(knot512_state_t *state, uint8_t rounds)
-{
- knot512_permute(state, rc8, rounds);
-}
-
-#endif /* !__AVR__ */
diff --git a/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot.h b/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot.h
deleted file mode 100644
index 88a782c..0000000
--- a/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-knot.h
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_KNOT_H
-#define LW_INTERNAL_KNOT_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-knot.h
- * \brief Permutations that are used by the KNOT AEAD and hash algorithms.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Internal state of the KNOT-256 permutation.
- */
-typedef union
-{
- uint64_t S[4]; /**< Words of the state */
- uint8_t B[32]; /**< Bytes of the state */
-
-} knot256_state_t;
-
-/**
- * \brief Internal state of the KNOT-384 permutation.
- */
-typedef union
-{
- uint64_t S[6]; /**< 64-bit words of the state */
- uint32_t W[12]; /**< 32-bit words of the state */
- uint8_t B[48]; /**< Bytes of the state */
-
-} knot384_state_t;
-
-/**
- * \brief Internal state of the KNOT-512 permutation.
- */
-typedef union
-{
- uint64_t S[8]; /**< Words of the state */
- uint8_t B[64]; /**< Bytes of the state */
-
-} knot512_state_t;
-
-/**
- * \brief Permutes the KNOT-256 state, using 6-bit round constants.
- *
- * \param state The KNOT-256 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 52.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot256_permute_6(knot256_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-256 state, using 7-bit round constants.
- *
- * \param state The KNOT-256 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot256_permute_7(knot256_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-384 state, using 7-bit round constants.
- *
- * \param state The KNOT-384 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot384_permute_7(knot384_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-512 state, using 7-bit round constants.
- *
- * \param state The KNOT-512 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot512_permute_7(knot512_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-512 state, using 8-bit round constants.
- *
- * \param state The KNOT-512 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 140.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot512_permute_8(knot512_state_t *state, uint8_t rounds);
-
-/**
- * \brief Generic pointer to a function that performs a KNOT permutation.
- *
- * \param state Points to the permutation state.
- * \param round Number of rounds to perform.
- */
-typedef void (*knot_permute_t)(void *state, uint8_t rounds);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-util.h b/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/knot/Implementations/crypto_aead/knot192/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/knot/Implementations/crypto_aead/knot192/rhys-avr/knot-aead.c b/knot/Implementations/crypto_aead/knot192/rhys-avr/knot-aead.c deleted file mode 100644 index 5825f01..0000000 --- a/knot/Implementations/crypto_aead/knot192/rhys-avr/knot-aead.c +++ /dev/null 
@@ -1,503 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "knot.h"
-#include "internal-knot.h"
-#include
-
-aead_cipher_t const knot_aead_128_256_cipher = {
- "KNOT-AEAD-128-256",
- KNOT_AEAD_128_KEY_SIZE,
- KNOT_AEAD_128_NONCE_SIZE,
- KNOT_AEAD_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_aead_128_256_encrypt,
- knot_aead_128_256_decrypt
-};
-
-aead_cipher_t const knot_aead_128_384_cipher = {
- "KNOT-AEAD-128-384",
- KNOT_AEAD_128_KEY_SIZE,
- KNOT_AEAD_128_NONCE_SIZE,
- KNOT_AEAD_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_aead_128_384_encrypt,
- knot_aead_128_384_decrypt
-};
-
-aead_cipher_t const knot_aead_192_384_cipher = {
- "KNOT-AEAD-192-384",
- KNOT_AEAD_192_KEY_SIZE,
- KNOT_AEAD_192_NONCE_SIZE,
- KNOT_AEAD_192_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_aead_192_384_encrypt,
- knot_aead_192_384_decrypt
-};
-
-aead_cipher_t const knot_aead_256_512_cipher = {
- "KNOT-AEAD-256-512",
- KNOT_AEAD_256_KEY_SIZE,
- KNOT_AEAD_256_NONCE_SIZE,
- KNOT_AEAD_256_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_aead_256_512_encrypt,
- knot_aead_256_512_decrypt
-};
-
-/**
- * \brief Rate for KNOT-AEAD-128-256.
- */
-#define KNOT_AEAD_128_256_RATE 8
-
-/**
- * \brief Rate for KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_384_RATE 24
-
-/**
- * \brief Rate for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_384_RATE 12
-
-/**
- * \brief Rate for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_512_RATE 16
-
-/**
- * \brief Absorbs the associated data into a KNOT permutation state.
- *
- * \param state Points to the KNOT permutation state.
- * \param permute Points to the function to perform the KNOT permutation.
- * \param rounds Number of rounds to perform.
- * \param rate Rate of absorption to use with the permutation.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data, must be at least 1.
- */
-static void knot_aead_absorb_ad
- (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate,
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen >= rate) {
- lw_xor_block((unsigned char *)state, ad, rate);
- permute(state, rounds);
- ad += rate;
- adlen -= rate;
- }
- rate = (unsigned)adlen;
- lw_xor_block((unsigned char *)state, ad, rate);
- ((unsigned char *)state)[rate] ^= 0x01;
- permute(state, rounds);
-}
-
-/**
- * \brief Encrypts plaintext data with a KNOT permutation state.
- *
- * \param state Points to the KNOT permutation state.
- * \param permute Points to the function to perform the KNOT permutation.
- * \param rounds Number of rounds to perform.
- * \param rate Rate of absorption to use with the permutation.
- * \param c Buffer to receive the ciphertext.
- * \param m Buffer containing the plaintext.
- * \param len Length of the plaintext data, must be at least 1.
- */
-static void knot_aead_encrypt
- (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate,
- unsigned char *c, const unsigned char *m, unsigned long long len)
-{
- while (len >= rate) {
- lw_xor_block_2_dest(c, (unsigned char *)state, m, rate);
- permute(state, rounds);
- c += rate;
- m += rate;
- len -= rate;
- }
- rate = (unsigned)len;
- lw_xor_block_2_dest(c, (unsigned char *)state, m, rate);
- ((unsigned char *)state)[rate] ^= 0x01;
-}
-
-/**
- * \brief Decrypts ciphertext data with a KNOT permutation state.
- *
- * \param state Points to the KNOT permutation state.
- * \param permute Points to the function to perform the KNOT permutation.
- * \param rounds Number of rounds to perform.
- * \param rate Rate of absorption to use with the permutation.
- * \param m Buffer to receive the plaintext.
- * \param c Buffer containing the ciphertext.
- * \param len Length of the plaintext data, must be at least 1.
- */
-static void knot_aead_decrypt
- (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate,
- unsigned char *m, const unsigned char *c, unsigned long long len)
-{
- while (len >= rate) {
- lw_xor_block_swap(m, (unsigned char *)state, c, rate);
- permute(state, rounds);
- c += rate;
- m += rate;
- len -= rate;
- }
- rate = (unsigned)len;
- lw_xor_block_swap(m, (unsigned char *)state, c, rate);
- ((unsigned char *)state)[rate] ^= 0x01;
-}
-
-int knot_aead_128_256_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot256_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + KNOT_AEAD_128_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE);
- knot256_permute_6(&state, 52);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot256_permute_6,
- 28, KNOT_AEAD_128_256_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Encrypts the plaintext to produce the ciphertext */
- if (mlen > 0) {
- knot_aead_encrypt
- (&state, (knot_permute_t)knot256_permute_6,
- 28, KNOT_AEAD_128_256_RATE, c, m, mlen);
- }
-
- /* Compute the authentication tag */
- knot256_permute_6(&state, 32);
- memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE);
- return 0;
-}
-
-int knot_aead_128_256_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot256_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < KNOT_AEAD_128_TAG_SIZE)
- return -1;
- *mlen = clen - KNOT_AEAD_128_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE);
- knot256_permute_6(&state, 52);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot256_permute_6,
- 28, KNOT_AEAD_128_256_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Decrypts the ciphertext to produce the plaintext */
- clen -= KNOT_AEAD_128_TAG_SIZE;
- if (clen > 0) {
- knot_aead_decrypt
- (&state, (knot_permute_t)knot256_permute_6,
- 28, KNOT_AEAD_128_256_RATE, m, c, clen);
- }
-
- /* Check the authentication tag */
- knot256_permute_6(&state, 32);
- return aead_check_tag
- (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE);
-}
-
-int knot_aead_128_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot384_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + KNOT_AEAD_128_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE);
- memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE,
- 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE));
- state.B[47] = 0x80;
- knot384_permute_7(&state, 76);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot384_permute_7,
- 28, KNOT_AEAD_128_384_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Encrypts the plaintext to produce the ciphertext */
- if (mlen > 0) {
- knot_aead_encrypt
- (&state, (knot_permute_t)knot384_permute_7,
- 28, KNOT_AEAD_128_384_RATE, c, m, mlen);
- }
-
- /* Compute the authentication tag */
- knot384_permute_7(&state, 32);
- memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE);
- return 0;
-}
-
-int knot_aead_128_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot384_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < KNOT_AEAD_128_TAG_SIZE)
- return -1;
- *mlen = clen - KNOT_AEAD_128_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE);
- memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE,
- 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE));
- state.B[47] = 0x80;
- knot384_permute_7(&state, 76);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot384_permute_7,
- 28, KNOT_AEAD_128_384_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Decrypts the ciphertext to produce the plaintext */
- clen -= KNOT_AEAD_128_TAG_SIZE;
- if (clen > 0) {
- knot_aead_decrypt
- (&state, (knot_permute_t)knot384_permute_7,
- 28, KNOT_AEAD_128_384_RATE, m, c, clen);
- }
-
- /* Check the authentication tag */
- knot384_permute_7(&state, 32);
- return aead_check_tag
- (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE);
-}
-
-int knot_aead_192_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot384_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + KNOT_AEAD_192_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE);
- knot384_permute_7(&state, 76);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot384_permute_7,
- 40, KNOT_AEAD_192_384_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Encrypts the plaintext to produce the ciphertext */
- if (mlen > 0) {
- knot_aead_encrypt
- (&state, (knot_permute_t)knot384_permute_7,
- 40, KNOT_AEAD_192_384_RATE, c, m, mlen);
- }
-
- /* Compute the authentication tag */
- knot384_permute_7(&state, 44);
- memcpy(c + mlen, state.B, KNOT_AEAD_192_TAG_SIZE);
- return 0;
-}
-
-int knot_aead_192_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot384_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < KNOT_AEAD_192_TAG_SIZE)
- return -1;
- *mlen = clen - KNOT_AEAD_192_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE);
- knot384_permute_7(&state, 76);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot384_permute_7,
- 40, KNOT_AEAD_192_384_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Decrypts the ciphertext to produce the plaintext */
- clen -= KNOT_AEAD_192_TAG_SIZE;
- if (clen > 0) {
- knot_aead_decrypt
- (&state, (knot_permute_t)knot384_permute_7,
- 40, KNOT_AEAD_192_384_RATE, m, c, clen);
- }
-
- /* Check the authentication tag */
- knot384_permute_7(&state, 44);
- return aead_check_tag
- (m, clen, state.B, c + clen, KNOT_AEAD_192_TAG_SIZE);
-}
-
-int knot_aead_256_512_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot512_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + KNOT_AEAD_256_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE);
- knot512_permute_7(&state, 100);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot512_permute_7,
- 52, KNOT_AEAD_256_512_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Encrypts the plaintext to produce the ciphertext */
- if (mlen > 0) {
- knot_aead_encrypt
- (&state, (knot_permute_t)knot512_permute_7,
- 52, KNOT_AEAD_256_512_RATE, c, m, mlen);
- }
-
- /* Compute the authentication tag */
- knot512_permute_7(&state, 56);
- memcpy(c + mlen, state.B, KNOT_AEAD_256_TAG_SIZE);
- return 0;
-}
-
-int knot_aead_256_512_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- knot512_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < KNOT_AEAD_256_TAG_SIZE)
- return -1;
- *mlen = clen - KNOT_AEAD_256_TAG_SIZE;
-
- /* Initialize the permutation state to the nonce and the key */
- memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE);
- memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE);
- knot512_permute_7(&state, 100);
-
- /* Absorb the associated data */
- if (adlen > 0) {
- knot_aead_absorb_ad
- (&state, (knot_permute_t)knot512_permute_7,
- 52, KNOT_AEAD_256_512_RATE, ad, adlen);
- }
- state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */
-
- /* Decrypts the ciphertext to produce the plaintext */
- clen -= KNOT_AEAD_256_TAG_SIZE;
- if (clen > 0) {
- knot_aead_decrypt
- (&state, (knot_permute_t)knot512_permute_7,
- 52, KNOT_AEAD_256_512_RATE, m, c, clen);
- }
-
- /* Check the authentication tag */
- knot512_permute_7(&state, 56);
- return aead_check_tag
- (m, clen, state.B, c + clen, KNOT_AEAD_256_TAG_SIZE);
-}
diff --git a/knot/Implementations/crypto_aead/knot192/rhys-avr/knot.h b/knot/Implementations/crypto_aead/knot192/rhys-avr/knot.h
deleted file mode 100644
index e2c5198..0000000
--- a/knot/Implementations/crypto_aead/knot192/rhys-avr/knot.h
+++ /dev/null
@@ -1,459 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_KNOT_H -#define LWCRYPTO_KNOT_H - -#include "aead-common.h" - -/** - * \file knot.h - * \brief KNOT authenticated encryption and hash algorithms. - * - * KNOT is a family of authenticated encryption and hash algorithms built - * around a permutation and the MonkeyDuplex sponge construction. The - * family members are: - * - * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a - * 128-bit tag, built around a 256-bit permutation. This is the primary - * encryption member of the family. - * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a - * 128-bit tag, built around a 384-bit permutation. - * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a - * 192-bit tag, built around a 384-bit permutation. 
- * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a - * 256-bit tag, built around a 512-bit permutation. - * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a - * 256-bit permutation. This is the primary hashing member of the family. - * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a - * 384-bit permutation. - * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a - * 384-bit permutation. - * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a - * 512-bit permutation. - * - * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. - */ -#define KNOT_AEAD_128_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for KNOT-AEAD-128-256 and - * KNOT-AEAD-128-384. - */ -#define KNOT_AEAD_128_TAG_SIZE 16 - -/** - * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. - */ -#define KNOT_AEAD_128_NONCE_SIZE 16 - -/** - * \brief Size of the key for KNOT-AEAD-192-384. - */ -#define KNOT_AEAD_192_KEY_SIZE 24 - -/** - * \brief Size of the authentication tag for KNOT-AEAD-192-384. - */ -#define KNOT_AEAD_192_TAG_SIZE 24 - -/** - * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384. - */ -#define KNOT_AEAD_192_NONCE_SIZE 24 - -/** - * \brief Size of the key for KNOT-AEAD-256-512. - */ -#define KNOT_AEAD_256_KEY_SIZE 32 - -/** - * \brief Size of the authentication tag for KNOT-AEAD-256-512. - */ -#define KNOT_AEAD_256_TAG_SIZE 32 - -/** - * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. - */ -#define KNOT_AEAD_256_NONCE_SIZE 32 - -/** - * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384. - */ -#define KNOT_HASH_256_SIZE 32 - -/** - * \brief Size of the hash for KNOT-HASH-384-384. 
- */ -#define KNOT_HASH_384_SIZE 48 - -/** - * \brief Size of the hash for KNOT-HASH-512-512. - */ -#define KNOT_HASH_512_SIZE 64 - -/** - * \brief Meta-information block for the KNOT-AEAD-128-256 cipher. - */ -extern aead_cipher_t const knot_aead_128_256_cipher; - -/** - * \brief Meta-information block for the KNOT-AEAD-128-384 cipher. - */ -extern aead_cipher_t const knot_aead_128_384_cipher; - -/** - * \brief Meta-information block for the KNOT-AEAD-192-384 cipher. - */ -extern aead_cipher_t const knot_aead_192_384_cipher; - -/** - * \brief Meta-information block for the KNOT-AEAD-256-512 cipher. - */ -extern aead_cipher_t const knot_aead_256_512_cipher; - -/** - * \brief Meta-information block for the KNOT-HASH-256-256 algorithm. - */ -extern aead_hash_algorithm_t const knot_hash_256_256_algorithm; - -/** - * \brief Meta-information block for the KNOT-HASH-256-384 algorithm. - */ -extern aead_hash_algorithm_t const knot_hash_256_384_algorithm; - -/** - * \brief Meta-information block for the KNOT-HASH-384-384 algorithm. - */ -extern aead_hash_algorithm_t const knot_hash_384_384_algorithm; - -/** - * \brief Meta-information block for the KNOT-HASH-512-512 algorithm. - */ -extern aead_hash_algorithm_t const knot_hash_512_512_algorithm; - -/** - * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. 
- * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa knot_aead_128_256_decrypt() - */ -int knot_aead_128_256_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa knot_aead_128_256_encrypt() - */ -int knot_aead_128_256_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384. - * - * \param c Buffer to receive the output. 
- * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa knot_aead_128_384_decrypt() - */ -int knot_aead_128_384_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. 
- * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa knot_aead_128_384_encrypt() - */ -int knot_aead_128_384_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - - -/** - * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa knot_aead_192_384_decrypt() - */ -int knot_aead_192_384_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. 
- * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa knot_aead_192_384_encrypt() - */ -int knot_aead_192_384_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa knot_aead_256_512_decrypt() - */ -int knot_aead_256_512_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa knot_aead_256_512_encrypt() - */ -int knot_aead_256_512_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data with KNOT-HASH-256-256. - * - * \param out Buffer to receive the hash output which must be at least - * KNOT_HASH_256_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. 
- */ -int knot_hash_256_256 - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Hashes a block of input data with KNOT-HASH-256-384. - * - * \param out Buffer to receive the hash output which must be at least - * KNOT_HASH_256_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int knot_hash_256_384 - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Hashes a block of input data with KNOT-HASH-384-384. - * - * \param out Buffer to receive the hash output which must be at least - * KNOT_HASH_384_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int knot_hash_384_384 - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Hashes a block of input data with KNOT-HASH-512-512. - * - * \param out Buffer to receive the hash output which must be at least - * KNOT_HASH_512_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int knot_hash_512_512 - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/knot/Implementations/crypto_aead/knot192/rhys/internal-knot-256-avr.S b/knot/Implementations/crypto_aead/knot192/rhys/internal-knot-256-avr.S new file mode 100644 index 0000000..15e6389 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot192/rhys/internal-knot-256-avr.S 
@@ -0,0 +1,1093 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_6, @object + .size table_6, 52 +table_6: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 33 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 49 + .byte 34 + .byte 5 + .byte 10 + .byte 20 + .byte 41 + .byte 19 + .byte 39 + .byte 15 + .byte 30 + .byte 61 + .byte 58 + .byte 52 + .byte 40 + .byte 17 + .byte 35 + .byte 7 + .byte 14 + .byte 28 + .byte 57 + .byte 50 + .byte 36 + .byte 9 + .byte 18 + .byte 37 + .byte 11 + .byte 22 + .byte 45 + .byte 27 + .byte 55 + .byte 46 + .byte 29 + .byte 59 + .byte 54 + .byte 44 + .byte 25 + .byte 51 + .byte 38 + .byte 13 + .byte 26 + .byte 53 + .byte 42 + + .text +.global knot256_permute_6 + .type knot256_permute_6, @function +knot256_permute_6: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + 
push r30 + ldi r30,lo8(table_6) + ldi r31,hi8(table_6) +#if defined(RAMPZ) + ldi r17,hh8(table_6) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + 
eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std 
Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 + ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_6, .-knot256_permute_6 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 
55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot256_permute_7 + .type knot256_permute_7, @function +knot256_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std 
Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + 
std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 
+ ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_7, .-knot256_permute_7 + +#endif diff --git a/knot/Implementations/crypto_aead/knot192/rhys/internal-knot-384-avr.S b/knot/Implementations/crypto_aead/knot192/rhys/internal-knot-384-avr.S new file mode 100644 index 0000000..4d15898 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot192/rhys/internal-knot-384-avr.S 
@@ -0,0 +1,833 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot384_permute_7 + .type knot384_permute_7, @function +knot384_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,72 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 87 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std 
Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + ldd r4,Z+16 + ldd r5,Z+17 + ldd r6,Z+18 + ldd r7,Z+19 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r4,Z+28 + ldd r5,Z+29 + ldd r6,Z+30 + ldd r7,Z+31 + ldd r8,Z+32 + ldd r9,Z+33 + ldd r10,Z+34 + ldd r11,Z+35 + std Y+25,r26 + std Y+26,r27 + std Y+27,r2 + std Y+28,r3 + std Y+29,r4 + std Y+30,r5 + std Y+31,r6 + std Y+32,r7 + std Y+33,r8 + std Y+34,r9 + std Y+35,r10 + std Y+36,r11 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+37,r26 + std Y+38,r27 + std Y+39,r2 + std Y+40,r3 + std Y+41,r4 + std Y+42,r5 + std Y+43,r6 + std Y+44,r7 + std Y+45,r8 + std Y+46,r9 + std Y+47,r10 + std Y+48,r11 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r24,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif +99: + ldd r12,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + inc r30 + ldd r18,Y+13 + ldd r19,Y+25 + ldd r20,Y+37 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+61,r23 + mov r14,r20 + eor r14,r12 + mov r26,r18 + or r26,r19 + eor r26,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+1,r21 + mov r21,r26 + and r21,r12 + eor r21,r13 + std Y+49,r21 + ldd r12,Y+2 + ldd r18,Y+14 + ldd r19,Y+26 + ldd r20,Y+38 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std 
Y+62,r23 + mov r14,r20 + eor r14,r12 + mov r27,r18 + or r27,r19 + eor r27,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+2,r21 + mov r21,r27 + and r21,r12 + eor r21,r13 + std Y+50,r21 + ldd r12,Y+3 + ldd r18,Y+15 + ldd r19,Y+27 + ldd r20,Y+39 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+63,r23 + mov r14,r20 + eor r14,r12 + mov r2,r18 + or r2,r19 + eor r2,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+3,r21 + mov r21,r2 + and r21,r12 + eor r21,r13 + std Y+51,r21 + ldd r12,Y+4 + ldd r18,Y+16 + ldd r19,Y+28 + ldd r20,Y+40 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,192 + sbci r29,255 + st Y,r23 + subi r28,64 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r3,r18 + or r3,r19 + eor r3,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+4,r21 + mov r21,r3 + and r21,r12 + eor r21,r13 + std Y+52,r21 + ldd r12,Y+5 + ldd r18,Y+17 + ldd r19,Y+29 + ldd r20,Y+41 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,191 + sbci r29,255 + st Y,r23 + subi r28,65 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r4,r18 + or r4,r19 + eor r4,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+5,r21 + mov r21,r4 + and r21,r12 + eor r21,r13 + std Y+53,r21 + ldd r12,Y+6 + ldd r18,Y+18 + ldd r19,Y+30 + ldd r20,Y+42 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,190 + sbci r29,255 + st Y,r23 + subi r28,66 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r5,r18 + or r5,r19 + eor r5,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+6,r21 + mov r21,r5 + and r21,r12 + eor r21,r13 + std Y+54,r21 + ldd r12,Y+7 + ldd r18,Y+19 + ldd r19,Y+31 + ldd r20,Y+43 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,189 + sbci r29,255 + st Y,r23 + 
subi r28,67 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r6,r18 + or r6,r19 + eor r6,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+7,r21 + mov r21,r6 + and r21,r12 + eor r21,r13 + std Y+55,r21 + ldd r12,Y+8 + ldd r18,Y+20 + ldd r19,Y+32 + ldd r20,Y+44 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,188 + sbci r29,255 + st Y,r23 + subi r28,68 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r7,r18 + or r7,r19 + eor r7,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+8,r21 + mov r21,r7 + and r21,r12 + eor r21,r13 + std Y+56,r21 + ldd r12,Y+9 + ldd r18,Y+21 + ldd r19,Y+33 + ldd r20,Y+45 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,187 + sbci r29,255 + st Y,r23 + subi r28,69 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r8,r18 + or r8,r19 + eor r8,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+9,r21 + mov r21,r8 + and r21,r12 + eor r21,r13 + std Y+57,r21 + ldd r12,Y+10 + ldd r18,Y+22 + ldd r19,Y+34 + ldd r20,Y+46 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,186 + sbci r29,255 + st Y,r23 + subi r28,70 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r9,r18 + or r9,r19 + eor r9,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+10,r21 + mov r21,r9 + and r21,r12 + eor r21,r13 + std Y+58,r21 + ldd r12,Y+11 + ldd r18,Y+23 + ldd r19,Y+35 + ldd r20,Y+47 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,185 + sbci r29,255 + st Y,r23 + subi r28,71 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r10,r18 + or r10,r19 + eor r10,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+11,r21 + mov r21,r10 + and r21,r12 + eor r21,r13 + std Y+59,r21 + ldd r12,Y+12 + ldd r18,Y+24 + ldd r19,Y+36 + ldd r20,Y+48 + com r12 + mov r13,r18 + and r13,r12 + eor 
r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,184 + sbci r29,255 + st Y,r23 + subi r28,72 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r11,r18 + or r11,r19 + eor r11,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+12,r21 + mov r21,r11 + and r21,r12 + eor r21,r13 + std Y+60,r21 + std Y+25,r11 + std Y+26,r26 + std Y+27,r27 + std Y+28,r2 + std Y+29,r3 + std Y+30,r4 + std Y+31,r5 + std Y+32,r6 + std Y+33,r7 + std Y+34,r8 + std Y+35,r9 + std Y+36,r10 + ldd r26,Y+49 + ldd r27,Y+50 + ldd r2,Y+51 + ldd r3,Y+52 + ldd r4,Y+53 + ldd r5,Y+54 + ldd r6,Y+55 + ldd r7,Y+56 + ldd r8,Y+57 + ldd r9,Y+58 + ldd r10,Y+59 + ldd r11,Y+60 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + adc r26,r1 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + adiw r28,61 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y + subi r28,72 + sbc r29,r1 + bst r26,0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r3 + ror r2 + ror r27 + ror r26 + bld r11,7 + std Y+37,r5 + std Y+38,r6 + std Y+39,r7 + std Y+40,r8 + std Y+41,r9 + std Y+42,r10 + std Y+43,r11 + std Y+44,r26 + std Y+45,r27 + std Y+46,r2 + std Y+47,r3 + std Y+48,r4 + dec r22 + breq 5542f + rjmp 99b +5542: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r2,Y+15 + ldd r3,Y+16 + ldd r4,Y+17 + ldd r5,Y+18 + ldd r6,Y+19 + ldd 
r7,Y+20 + ldd r8,Y+21 + ldd r9,Y+22 + ldd r10,Y+23 + ldd r11,Y+24 + std Z+12,r26 + std Z+13,r27 + std Z+14,r2 + std Z+15,r3 + std Z+16,r4 + std Z+17,r5 + std Z+18,r6 + std Z+19,r7 + std Z+20,r8 + std Z+21,r9 + std Z+22,r10 + std Z+23,r11 + ldd r26,Y+25 + ldd r27,Y+26 + ldd r2,Y+27 + ldd r3,Y+28 + ldd r4,Y+29 + ldd r5,Y+30 + ldd r6,Y+31 + ldd r7,Y+32 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + std Z+24,r26 + std Z+25,r27 + std Z+26,r2 + std Z+27,r3 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+32,r8 + std Z+33,r9 + std Z+34,r10 + std Z+35,r11 + ldd r26,Y+37 + ldd r27,Y+38 + ldd r2,Y+39 + ldd r3,Y+40 + ldd r4,Y+41 + ldd r5,Y+42 + ldd r6,Y+43 + ldd r7,Y+44 + ldd r8,Y+45 + ldd r9,Y+46 + ldd r10,Y+47 + ldd r11,Y+48 + std Z+36,r26 + std Z+37,r27 + std Z+38,r2 + std Z+39,r3 + std Z+40,r4 + std Z+41,r5 + std Z+42,r6 + std Z+43,r7 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + subi r28,184 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot384_permute_7, .-knot384_permute_7 + +#endif diff --git a/knot/Implementations/crypto_aead/knot192/rhys/internal-knot-512-avr.S b/knot/Implementations/crypto_aead/knot192/rhys/internal-knot-512-avr.S new file mode 100644 index 0000000..6f92ac3 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot192/rhys/internal-knot-512-avr.S 
@@ -0,0 +1,2315 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot512_permute_7 + .type knot512_permute_7, @function +knot512_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd 
r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 
+ ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + 
subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 + ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + 
mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor 
r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi 
r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std 
Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_7, .-knot512_permute_7 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_8, @object + .size table_8, 140 +table_8: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 17 + .byte 35 + .byte 71 + .byte 142 + .byte 28 + .byte 56 + .byte 113 + .byte 226 + .byte 196 + .byte 137 + .byte 18 + .byte 37 + .byte 75 + .byte 151 + .byte 46 + .byte 92 + .byte 184 + .byte 112 + .byte 224 + .byte 192 + .byte 129 + .byte 3 + .byte 6 + .byte 12 + .byte 25 + .byte 50 + .byte 100 + .byte 201 + .byte 146 + .byte 36 + .byte 73 + .byte 147 + .byte 38 + .byte 77 + .byte 155 + .byte 55 + .byte 110 + .byte 220 + .byte 185 + .byte 114 + .byte 228 + .byte 200 + .byte 144 + .byte 32 + .byte 65 + .byte 130 + .byte 5 
+ .byte 10 + .byte 21 + .byte 43 + .byte 86 + .byte 173 + .byte 91 + .byte 182 + .byte 109 + .byte 218 + .byte 181 + .byte 107 + .byte 214 + .byte 172 + .byte 89 + .byte 178 + .byte 101 + .byte 203 + .byte 150 + .byte 44 + .byte 88 + .byte 176 + .byte 97 + .byte 195 + .byte 135 + .byte 15 + .byte 31 + .byte 62 + .byte 125 + .byte 251 + .byte 246 + .byte 237 + .byte 219 + .byte 183 + .byte 111 + .byte 222 + .byte 189 + .byte 122 + .byte 245 + .byte 235 + .byte 215 + .byte 174 + .byte 93 + .byte 186 + .byte 116 + .byte 232 + .byte 209 + .byte 162 + .byte 68 + .byte 136 + .byte 16 + .byte 33 + .byte 67 + .byte 134 + .byte 13 + .byte 27 + .byte 54 + .byte 108 + .byte 216 + .byte 177 + .byte 99 + .byte 199 + .byte 143 + .byte 30 + .byte 60 + .byte 121 + .byte 243 + .byte 231 + .byte 206 + .byte 156 + .byte 57 + .byte 115 + .byte 230 + .byte 204 + .byte 152 + .byte 49 + .byte 98 + .byte 197 + .byte 139 + .byte 22 + .byte 45 + .byte 90 + .byte 180 + .byte 105 + .byte 210 + .byte 164 + .byte 72 + .byte 145 + .byte 34 + .byte 69 + + .text +.global knot512_permute_8 + .type knot512_permute_8, @function +knot512_permute_8: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd 
r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_8) + ldi r31,hi8(table_8) +#if defined(RAMPZ) + ldi r17,hh8(table_8) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 + ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor 
r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 
+ ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor 
r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov 
r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std 
Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std 
Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_8, .-knot512_permute_8 + +#endif diff --git a/knot/Implementations/crypto_aead/knot192/rhys/internal-knot.c b/knot/Implementations/crypto_aead/knot192/rhys/internal-knot.c index 3486e6e..f8b378e 100644 --- a/knot/Implementations/crypto_aead/knot192/rhys/internal-knot.c +++ b/knot/Implementations/crypto_aead/knot192/rhys/internal-knot.c @@ -22,6 +22,8 @@ #include "internal-knot.h" +#if !defined(__AVR__) + /* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ static uint8_t const rc6[52] = { 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, @@ -295,3 +297,5 @@ void knot512_permute_8(knot512_state_t *state, uint8_t rounds) { knot512_permute(state, rc8, rounds); } + +#endif /* !__AVR__ */ diff --git a/knot/Implementations/crypto_aead/knot192/rhys/internal-util.h b/knot/Implementations/crypto_aead/knot192/rhys/internal-util.h index e79158c..e30166d 100644 --- a/knot/Implementations/crypto_aead/knot192/rhys/internal-util.h 
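Review bot: The new `#if !defined(__AVR__)` at the top of internal-knot.c carries no hint of where `knot256_permute_6`/`knot512_permute_8` come from on AVR, so the first AVR link failure after someone prunes the .S files will have nothing to follow; I would write it as `#if !defined(__AVR__) /* AVR builds get these permutations from internal-knot-*-avr.S */` and mirror the remark on the closing `#endif`. The guard also makes the generated assembly the only implementation on AVR, and the loop tail visible in the .S hunk above (`dec r22` / `breq 5812f` / `rjmp 134b`) decrements after a round, so unless there is a pre-check before label 134 (outside this chunk) a `rounds` of 0 would run 256 rounds on AVR while the C path presumably runs none; worth either confirming the asm entry guards it or documenting in internal-knot.h that `rounds` must be at least 1. The knot512_permute_8 assembly hunk starts outside this chunk.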
+++ b/knot/Implementations/crypto_aead/knot192/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
  * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
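Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is hard-wired to `__AVR__`, so the composed rotation path can only ever be compiled by an AVR toolchain and a host test build has no way to exercise it; wrap the selection as `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` with the `__AVR__` default inside, so `-DLW_CRYPTO_ROTATE32_COMPOSED=1` can force it under a native compiler. The `#if !LW_CRYPTO_ROTATE32_COMPOSED` opened in the second hunk is closed only in a later hunk of this file, so a reader of this hunk alone cannot see that the `#if`/`#else`/`#endif` are balanced; a trailing comment such as `#if !LW_CRYPTO_ROTATE32_COMPOSED /* generic rotations; composed variants below */` would make that explicit.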
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/knot/Implementations/crypto_aead/knot256/rhys-avr/aead-common.c b/knot/Implementations/crypto_aead/knot256/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
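Review bot: The 62 composed macros are hand-written and nothing in the commit checks that the compositions land on the intended rotation count, and because they are compiled only on AVR a slip would surface as a wrong permutation on the device rather than as a failing host test; a short host test with the flag forced on pinning a few values would catch it, e.g. `assert(leftRotate5(0x80000001u) == 0x30u);`, `assert(leftRotate12(1u) == 0x1000u);`, `assert(rightRotate13(1u) == 0x80000u);`. I walked every definition (each N is expressed as 8k plus or minus 1..4 single-bit steps, and `rightRotateN` maps to `leftRotate(32-N)`) and they look correct. Each step nests the generic `leftRotate`/`rightRotate` statement expression with its `_temp` local, so `leftRotate12` and `leftRotate20` declare `_temp` five levels deep; GCC resolves the shadowing correctly but `-Wshadow` will be noisy, which deserves a sentence in the `/* Composed rotation macros ... */` comment. As far as this hunk shows, every rotation amount stays a compile-time constant, so the composition introduces no secret-dependent shift count or branch.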
--- a/knot/Implementations/crypto_aead/knot256/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
-    (unsigned char *plaintext, unsigned long long plaintext_len,
-     const unsigned char *tag1, const unsigned char *tag2,
-     unsigned size)
-{
-    /* Set "accum" to -1 if the tags match, or 0 if they don't match */
-    int accum = 0;
-    while (size > 0) {
-        accum |= (*tag1++ ^ *tag2++);
-        --size;
-    }
-    accum = (accum - 1) >> 8;
-
-    /* Destroy the plaintext if the tag match failed */
-    while (plaintext_len > 0) {
-        *plaintext++ &= accum;
-        --plaintext_len;
-    }
-
-    /* If "accum" is 0, return -1, otherwise return 0 */
-    return ~accum;
-}
-
-int aead_check_tag_precheck
-    (unsigned char *plaintext, unsigned long long plaintext_len,
-     const unsigned char *tag1, const unsigned char *tag2,
-     unsigned size, int precheck)
-{
-    /* Set "accum" to -1 if the tags match, or 0 if they don't match */
-    int accum = 0;
-    while (size > 0) {
-        accum |= (*tag1++ ^ *tag2++);
-        --size;
-    }
-    accum = ((accum - 1) >> 8) & precheck;
-
-    /* Destroy the plaintext if the tag match failed */
-    while (plaintext_len > 0) {
-        *plaintext++ &= accum;
-        --plaintext_len;
-    }
-
-    /* If "accum" is 0, return -1, otherwise return 0 */
-    return ~accum;
-}
diff --git a/knot/Implementations/crypto_aead/knot256/rhys-avr/aead-common.h b/knot/Implementations/crypto_aead/knot256/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/knot/Implementations/crypto_aead/knot256/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include 
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
-    (unsigned char *c, unsigned long long *clen,
-     const unsigned char *m, unsigned long long mlen,
-     const unsigned char *ad, unsigned long long adlen,
-     const unsigned char *nsec,
-     const unsigned char *npub,
-     const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
-    (unsigned char *m, unsigned long long *mlen,
-     unsigned char *nsec,
-     const unsigned char *c, unsigned long long clen,
-     const unsigned char *ad, unsigned long long adlen,
-     const unsigned char *npub,
-     const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
-    (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
-    (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
-    (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
-    (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
-    const char *name; /**< Name of the cipher */
-    unsigned key_len; /**< Length of the key in bytes */
-    unsigned nonce_len; /**< Length of the nonce in bytes */
-    unsigned tag_len; /**< Length of the tag in bytes */
-    unsigned flags; /**< Flags for extra features */
-    aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
-    aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
-    const char *name; /**< Name of the hash algorithm */
-    size_t state_size; /**< Size of the incremental state structure */
-    unsigned hash_len; /**< Length of the hash in bytes */
-    unsigned flags; /**< Flags for extra features */
-    aead_hash_t hash; /**< All in one hashing function */
-    aead_hash_init_t init; /**< Incremental hash/XOF init function */
-    aead_hash_update_t update; /**< Incremental hash update function */
-    aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
-    aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
-    aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
-    (unsigned char *plaintext, unsigned long long plaintext_len,
-     const unsigned char *tag1, const unsigned char *tag2,
-     unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
-    (unsigned char *plaintext, unsigned long long plaintext_len,
-     const unsigned char *tag1, const unsigned char *tag2,
-     unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/knot/Implementations/crypto_aead/knot256/rhys-avr/api.h b/knot/Implementations/crypto_aead/knot256/rhys-avr/api.h
deleted file mode 100644
index c11fc10..0000000
--- a/knot/Implementations/crypto_aead/knot256/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 32
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 32
-#define CRYPTO_ABYTES 32
-#define CRYPTO_NOOVERLAP 1
diff --git a/knot/Implementations/crypto_aead/knot256/rhys-avr/encrypt.c b/knot/Implementations/crypto_aead/knot256/rhys-avr/encrypt.c
deleted file mode 100644
index 8f6225a..0000000
--- a/knot/Implementations/crypto_aead/knot256/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "knot.h"
-
-int crypto_aead_encrypt
-    (unsigned char *c, unsigned long long *clen,
-     const unsigned char *m, unsigned long long mlen,
-     const unsigned char *ad, unsigned long long adlen,
-     const unsigned char *nsec,
-     const unsigned char *npub,
-     const unsigned char *k)
-{
-    return knot_aead_256_512_encrypt
-        (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
-    (unsigned char *m, unsigned long long *mlen,
-     unsigned char *nsec,
-     const unsigned char *c, unsigned long long clen,
-     const unsigned char *ad, unsigned long long adlen,
-     const unsigned char *npub,
-     const unsigned char *k)
-{
-    return knot_aead_256_512_decrypt
-        (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot-256-avr.S b/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot-256-avr.S
deleted file mode 100644
index 15e6389..0000000
--- a/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot-256-avr.S
+++ /dev/null
@@ -1,1093 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_6, @object - .size table_6, 52 -table_6: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 33 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 49 - .byte 34 - .byte 5 - .byte 10 - .byte 20 - .byte 41 - .byte 19 - .byte 39 - .byte 15 - .byte 30 - .byte 61 - .byte 58 - .byte 52 - .byte 40 - .byte 17 - .byte 35 - .byte 7 - .byte 14 - .byte 28 - .byte 57 - .byte 50 - .byte 36 - .byte 9 - .byte 18 - .byte 37 - .byte 11 - .byte 22 - .byte 45 - .byte 27 - .byte 55 - .byte 46 - .byte 29 - .byte 59 - .byte 54 - .byte 44 - .byte 25 - .byte 51 - .byte 38 - .byte 13 - .byte 26 - .byte 53 - .byte 42 - - .text -.global knot256_permute_6 - .type knot256_permute_6, @function -knot256_permute_6: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - 
push r30 - ldi r30,lo8(table_6) - ldi r31,hi8(table_6) -#if defined(RAMPZ) - ldi r17,hh8(table_6) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - 
eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std 
Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 - ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_6, .-knot256_permute_6 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 
55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot256_permute_7 - .type knot256_permute_7, @function -knot256_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std 
Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - 
std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 
- ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_7, .-knot256_permute_7 - -#endif diff --git a/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot-384-avr.S b/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot-384-avr.S deleted file mode 100644 index 4d15898..0000000 --- a/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot-384-avr.S +++ /dev/null 
@@ -1,833 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot384_permute_7 - .type knot384_permute_7, @function -knot384_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,72 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 87 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std 
Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - ldd r4,Z+16 - ldd r5,Z+17 - ldd r6,Z+18 - ldd r7,Z+19 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r4,Z+28 - ldd r5,Z+29 - ldd r6,Z+30 - ldd r7,Z+31 - ldd r8,Z+32 - ldd r9,Z+33 - ldd r10,Z+34 - ldd r11,Z+35 - std Y+25,r26 - std Y+26,r27 - std Y+27,r2 - std Y+28,r3 - std Y+29,r4 - std Y+30,r5 - std Y+31,r6 - std Y+32,r7 - std Y+33,r8 - std Y+34,r9 - std Y+35,r10 - std Y+36,r11 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r2,Z+38 - ldd r3,Z+39 - ldd r4,Z+40 - ldd r5,Z+41 - ldd r6,Z+42 - ldd r7,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - std Y+37,r26 - std Y+38,r27 - std Y+39,r2 - std Y+40,r3 - std Y+41,r4 - std Y+42,r5 - std Y+43,r6 - std Y+44,r7 - std Y+45,r8 - std Y+46,r9 - std Y+47,r10 - std Y+48,r11 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r24,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif -99: - ldd r12,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r30 - ldd r18,Y+13 - ldd r19,Y+25 - ldd r20,Y+37 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+61,r23 - mov r14,r20 - eor r14,r12 - mov r26,r18 - or r26,r19 - eor r26,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+1,r21 - mov r21,r26 - and r21,r12 - eor r21,r13 - std Y+49,r21 - ldd r12,Y+2 - ldd r18,Y+14 - ldd r19,Y+26 - ldd r20,Y+38 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std 
Y+62,r23 - mov r14,r20 - eor r14,r12 - mov r27,r18 - or r27,r19 - eor r27,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+2,r21 - mov r21,r27 - and r21,r12 - eor r21,r13 - std Y+50,r21 - ldd r12,Y+3 - ldd r18,Y+15 - ldd r19,Y+27 - ldd r20,Y+39 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+63,r23 - mov r14,r20 - eor r14,r12 - mov r2,r18 - or r2,r19 - eor r2,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+3,r21 - mov r21,r2 - and r21,r12 - eor r21,r13 - std Y+51,r21 - ldd r12,Y+4 - ldd r18,Y+16 - ldd r19,Y+28 - ldd r20,Y+40 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,192 - sbci r29,255 - st Y,r23 - subi r28,64 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r3,r18 - or r3,r19 - eor r3,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+4,r21 - mov r21,r3 - and r21,r12 - eor r21,r13 - std Y+52,r21 - ldd r12,Y+5 - ldd r18,Y+17 - ldd r19,Y+29 - ldd r20,Y+41 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,191 - sbci r29,255 - st Y,r23 - subi r28,65 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r4,r18 - or r4,r19 - eor r4,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+5,r21 - mov r21,r4 - and r21,r12 - eor r21,r13 - std Y+53,r21 - ldd r12,Y+6 - ldd r18,Y+18 - ldd r19,Y+30 - ldd r20,Y+42 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,190 - sbci r29,255 - st Y,r23 - subi r28,66 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r5,r18 - or r5,r19 - eor r5,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+6,r21 - mov r21,r5 - and r21,r12 - eor r21,r13 - std Y+54,r21 - ldd r12,Y+7 - ldd r18,Y+19 - ldd r19,Y+31 - ldd r20,Y+43 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,189 - sbci r29,255 - st Y,r23 - 
subi r28,67 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r6,r18 - or r6,r19 - eor r6,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+7,r21 - mov r21,r6 - and r21,r12 - eor r21,r13 - std Y+55,r21 - ldd r12,Y+8 - ldd r18,Y+20 - ldd r19,Y+32 - ldd r20,Y+44 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,188 - sbci r29,255 - st Y,r23 - subi r28,68 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r7,r18 - or r7,r19 - eor r7,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+8,r21 - mov r21,r7 - and r21,r12 - eor r21,r13 - std Y+56,r21 - ldd r12,Y+9 - ldd r18,Y+21 - ldd r19,Y+33 - ldd r20,Y+45 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,187 - sbci r29,255 - st Y,r23 - subi r28,69 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r8,r18 - or r8,r19 - eor r8,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+9,r21 - mov r21,r8 - and r21,r12 - eor r21,r13 - std Y+57,r21 - ldd r12,Y+10 - ldd r18,Y+22 - ldd r19,Y+34 - ldd r20,Y+46 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,186 - sbci r29,255 - st Y,r23 - subi r28,70 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r9,r18 - or r9,r19 - eor r9,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+10,r21 - mov r21,r9 - and r21,r12 - eor r21,r13 - std Y+58,r21 - ldd r12,Y+11 - ldd r18,Y+23 - ldd r19,Y+35 - ldd r20,Y+47 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,185 - sbci r29,255 - st Y,r23 - subi r28,71 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r10,r18 - or r10,r19 - eor r10,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+11,r21 - mov r21,r10 - and r21,r12 - eor r21,r13 - std Y+59,r21 - ldd r12,Y+12 - ldd r18,Y+24 - ldd r19,Y+36 - ldd r20,Y+48 - com r12 - mov r13,r18 - and r13,r12 - eor 
r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,184 - sbci r29,255 - st Y,r23 - subi r28,72 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r11,r18 - or r11,r19 - eor r11,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+12,r21 - mov r21,r11 - and r21,r12 - eor r21,r13 - std Y+60,r21 - std Y+25,r11 - std Y+26,r26 - std Y+27,r27 - std Y+28,r2 - std Y+29,r3 - std Y+30,r4 - std Y+31,r5 - std Y+32,r6 - std Y+33,r7 - std Y+34,r8 - std Y+35,r9 - std Y+36,r10 - ldd r26,Y+49 - ldd r27,Y+50 - ldd r2,Y+51 - ldd r3,Y+52 - ldd r4,Y+53 - ldd r5,Y+54 - ldd r6,Y+55 - ldd r7,Y+56 - ldd r8,Y+57 - ldd r9,Y+58 - ldd r10,Y+59 - ldd r11,Y+60 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - adc r26,r1 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - adiw r28,61 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y - subi r28,72 - sbc r29,r1 - bst r26,0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r3 - ror r2 - ror r27 - ror r26 - bld r11,7 - std Y+37,r5 - std Y+38,r6 - std Y+39,r7 - std Y+40,r8 - std Y+41,r9 - std Y+42,r10 - std Y+43,r11 - std Y+44,r26 - std Y+45,r27 - std Y+46,r2 - std Y+47,r3 - std Y+48,r4 - dec r22 - breq 5542f - rjmp 99b -5542: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r2,Y+15 - ldd r3,Y+16 - ldd r4,Y+17 - ldd r5,Y+18 - ldd r6,Y+19 - ldd 
r7,Y+20 - ldd r8,Y+21 - ldd r9,Y+22 - ldd r10,Y+23 - ldd r11,Y+24 - std Z+12,r26 - std Z+13,r27 - std Z+14,r2 - std Z+15,r3 - std Z+16,r4 - std Z+17,r5 - std Z+18,r6 - std Z+19,r7 - std Z+20,r8 - std Z+21,r9 - std Z+22,r10 - std Z+23,r11 - ldd r26,Y+25 - ldd r27,Y+26 - ldd r2,Y+27 - ldd r3,Y+28 - ldd r4,Y+29 - ldd r5,Y+30 - ldd r6,Y+31 - ldd r7,Y+32 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - std Z+24,r26 - std Z+25,r27 - std Z+26,r2 - std Z+27,r3 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+32,r8 - std Z+33,r9 - std Z+34,r10 - std Z+35,r11 - ldd r26,Y+37 - ldd r27,Y+38 - ldd r2,Y+39 - ldd r3,Y+40 - ldd r4,Y+41 - ldd r5,Y+42 - ldd r6,Y+43 - ldd r7,Y+44 - ldd r8,Y+45 - ldd r9,Y+46 - ldd r10,Y+47 - ldd r11,Y+48 - std Z+36,r26 - std Z+37,r27 - std Z+38,r2 - std Z+39,r3 - std Z+40,r4 - std Z+41,r5 - std Z+42,r6 - std Z+43,r7 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - subi r28,184 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot384_permute_7, .-knot384_permute_7 - -#endif diff --git a/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot-512-avr.S b/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot-512-avr.S deleted file mode 100644 index 6f92ac3..0000000 --- a/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot-512-avr.S +++ /dev/null 
@@ -1,2315 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot512_permute_7 - .type knot512_permute_7, @function -knot512_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd 
r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 
- ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - 
subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 - ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - 
mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor 
r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi 
r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std 
Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_7, .-knot512_permute_7 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_8, @object - .size table_8, 140 -table_8: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 17 - .byte 35 - .byte 71 - .byte 142 - .byte 28 - .byte 56 - .byte 113 - .byte 226 - .byte 196 - .byte 137 - .byte 18 - .byte 37 - .byte 75 - .byte 151 - .byte 46 - .byte 92 - .byte 184 - .byte 112 - .byte 224 - .byte 192 - .byte 129 - .byte 3 - .byte 6 - .byte 12 - .byte 25 - .byte 50 - .byte 100 - .byte 201 - .byte 146 - .byte 36 - .byte 73 - .byte 147 - .byte 38 - .byte 77 - .byte 155 - .byte 55 - .byte 110 - .byte 220 - .byte 185 - .byte 114 - .byte 228 - .byte 200 - .byte 144 - .byte 32 - .byte 65 - .byte 130 - .byte 5 
- .byte 10 - .byte 21 - .byte 43 - .byte 86 - .byte 173 - .byte 91 - .byte 182 - .byte 109 - .byte 218 - .byte 181 - .byte 107 - .byte 214 - .byte 172 - .byte 89 - .byte 178 - .byte 101 - .byte 203 - .byte 150 - .byte 44 - .byte 88 - .byte 176 - .byte 97 - .byte 195 - .byte 135 - .byte 15 - .byte 31 - .byte 62 - .byte 125 - .byte 251 - .byte 246 - .byte 237 - .byte 219 - .byte 183 - .byte 111 - .byte 222 - .byte 189 - .byte 122 - .byte 245 - .byte 235 - .byte 215 - .byte 174 - .byte 93 - .byte 186 - .byte 116 - .byte 232 - .byte 209 - .byte 162 - .byte 68 - .byte 136 - .byte 16 - .byte 33 - .byte 67 - .byte 134 - .byte 13 - .byte 27 - .byte 54 - .byte 108 - .byte 216 - .byte 177 - .byte 99 - .byte 199 - .byte 143 - .byte 30 - .byte 60 - .byte 121 - .byte 243 - .byte 231 - .byte 206 - .byte 156 - .byte 57 - .byte 115 - .byte 230 - .byte 204 - .byte 152 - .byte 49 - .byte 98 - .byte 197 - .byte 139 - .byte 22 - .byte 45 - .byte 90 - .byte 180 - .byte 105 - .byte 210 - .byte 164 - .byte 72 - .byte 145 - .byte 34 - .byte 69 - - .text -.global knot512_permute_8 - .type knot512_permute_8, @function -knot512_permute_8: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd 
r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_8) - ldi r31,hi8(table_8) -#if defined(RAMPZ) - ldi r17,hh8(table_8) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 - ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor 
r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 
- ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor 
r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov 
r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std 
Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std 
Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_8, .-knot512_permute_8 - -#endif diff --git a/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot.c b/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot.c deleted file mode 100644 index f8b378e..0000000 --- a/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot.c +++ /dev/null 
@@ -1,301 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */ - -#include "internal-knot.h" - -#if !defined(__AVR__) - -/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ -static uint8_t const rc6[52] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, - 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28, - 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b, - 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26, - 0x0d, 0x1a, 0x35, 0x2a -}; -static uint8_t const rc7[104] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30, - 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c, - 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33, - 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f, - 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38, - 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36, - 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b, - 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25, - 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c -}; -static uint8_t const rc8[140] = { - 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2, - 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0, - 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93, - 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20, - 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda, - 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0, - 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7, - 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8, - 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c, - 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c, - 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 
0xc5, 0x8b, 0x16, 0x2d, 0x5a, - 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45 -}; - -/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */ -#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \ - do { \ - uint64_t t1, t3, t6; \ - t1 = ~(a0); \ - t3 = (a2) ^ ((a1) & t1); \ - (b3) = (a3) ^ t3; \ - t6 = (a3) ^ t1; \ - (b2) = ((a1) | (a2)) ^ t6; \ - t1 = (a1) ^ (a3); \ - (a0) = t1 ^ (t3 & t6); \ - (b1) = t3 ^ ((b2) & t1); \ - } while (0) - -/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */ -#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \ - do { \ - uint32_t t1, t3, t6; \ - t1 = ~(a0); \ - t3 = (a2) ^ ((a1) & t1); \ - (b3) = (a3) ^ t3; \ - t6 = (a3) ^ t1; \ - (b2) = ((a1) | (a2)) ^ t6; \ - t1 = (a1) ^ (a3); \ - (a0) = t1 ^ (t3 & t6); \ - (b1) = t3 ^ ((b2) & t1); \ - } while (0) - -static void knot256_permute - (knot256_state_t *state, const uint8_t *rc, uint8_t rounds) -{ - uint64_t b1, b2, b3; - - /* Load the input state into local variables; each row is 64 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x1, x2, x3, b1, b2, b3); - - /* Linear diffusion layer */ - x1 = leftRotate1_64(b1); - x2 = leftRotate8_64(b2); - x3 = leftRotate25_64(b3); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - 
le_store_word64(state->B + 24, x3); -#endif -} - -void knot256_permute_6(knot256_state_t *state, uint8_t rounds) -{ - knot256_permute(state, rc6, rounds); -} - -void knot256_permute_7(knot256_state_t *state, uint8_t rounds) -{ - knot256_permute(state, rc7, rounds); -} - -void knot384_permute_7(knot384_state_t *state, uint8_t rounds) -{ - const uint8_t *rc = rc7; - uint64_t b2, b4, b6; - uint32_t b3, b5, b7; - - /* Load the input state into local variables; each row is 96 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint32_t x1 = state->W[2]; - uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32); - uint32_t x3 = state->W[5]; - uint64_t x4 = state->S[3]; - uint32_t x5 = state->W[8]; - uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32); - uint32_t x7 = state->W[11]; -#else - uint64_t x0 = le_load_word64(state->B); - uint32_t x1 = le_load_word32(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 12); - uint32_t x3 = le_load_word32(state->B + 20); - uint64_t x4 = le_load_word64(state->B + 24); - uint32_t x5 = le_load_word32(state->B + 32); - uint64_t x6 = le_load_word64(state->B + 36); - uint32_t x7 = le_load_word32(state->B + 44); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x2, x4, x6, b2, b4, b6); - knot_sbox32(x1, x3, x5, x7, b3, b5, b7); - - /* Linear diffusion layer */ - #define leftRotateShort_96(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \ - (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ - } while (0) - #define leftRotateLong_96(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | \ - (((uint64_t)(b1)) << ((bits) - 32)) | \ - ((b0) >> (96 - (bits))); \ - (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \ - } while (0) - leftRotateShort_96(x2, x3, b2, b3, 1); - leftRotateShort_96(x4, x5, b4, b5, 8); - 
leftRotateLong_96(x6, x7, b6, b7, 55); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->W[2] = x1; - state->W[3] = (uint32_t)x2; - state->W[4] = (uint32_t)(x2 >> 32); - state->W[5] = x3; - state->S[3] = x4; - state->W[8] = x5; - state->W[9] = (uint32_t)x6; - state->W[10] = (uint32_t)(x6 >> 32); - state->W[11] = x7; -#else - le_store_word64(state->B, x0); - le_store_word32(state->B + 8, x1); - le_store_word64(state->B + 12, x2); - le_store_word32(state->B + 20, x3); - le_store_word64(state->B + 24, x4); - le_store_word32(state->B + 32, x5); - le_store_word64(state->B + 36, x6); - le_store_word32(state->B + 44, x7); -#endif -} - -static void knot512_permute - (knot512_state_t *state, const uint8_t *rc, uint8_t rounds) -{ - uint64_t b2, b3, b4, b5, b6, b7; - - /* Load the input state into local variables; each row is 128 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; - uint64_t x4 = state->S[4]; - uint64_t x5 = state->S[5]; - uint64_t x6 = state->S[6]; - uint64_t x7 = state->S[7]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); - uint64_t x4 = le_load_word64(state->B + 32); - uint64_t x5 = le_load_word64(state->B + 40); - uint64_t x6 = le_load_word64(state->B + 48); - uint64_t x7 = le_load_word64(state->B + 56); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x2, x4, x6, b2, b4, b6); - knot_sbox64(x1, x3, x5, x7, b3, b5, b7); - - /* Linear diffusion layer */ - #define leftRotate_128(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \ - (a1) = ((b1) << (bits)) | ((b0) 
>> (64 - (bits))); \ - } while (0) - leftRotate_128(x2, x3, b2, b3, 1); - leftRotate_128(x4, x5, b4, b5, 16); - leftRotate_128(x6, x7, b6, b7, 25); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; - state->S[4] = x4; - state->S[5] = x5; - state->S[6] = x6; - state->S[7] = x7; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - le_store_word64(state->B + 24, x3); - le_store_word64(state->B + 32, x4); - le_store_word64(state->B + 40, x5); - le_store_word64(state->B + 48, x6); - le_store_word64(state->B + 56, x7); -#endif -} - -void knot512_permute_7(knot512_state_t *state, uint8_t rounds) -{ - knot512_permute(state, rc7, rounds); -} - -void knot512_permute_8(knot512_state_t *state, uint8_t rounds) -{ - knot512_permute(state, rc8, rounds); -} - -#endif /* !__AVR__ */ diff --git a/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot.h b/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot.h deleted file mode 100644 index 88a782c..0000000 --- a/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-knot.h +++ /dev/null 
@@ -1,130 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_KNOT_H
-#define LW_INTERNAL_KNOT_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-knot.h
- * \brief Permutations that are used by the KNOT AEAD and hash algorithms.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Internal state of the KNOT-256 permutation.
- */
-typedef union
-{
- uint64_t S[4]; /**< Words of the state */
- uint8_t B[32]; /**< Bytes of the state */
-
-} knot256_state_t;
-
-/**
- * \brief Internal state of the KNOT-384 permutation.
- */
-typedef union
-{
- uint64_t S[6]; /**< 64-bit words of the state */
- uint32_t W[12]; /**< 32-bit words of the state */
- uint8_t B[48]; /**< Bytes of the state */
-
-} knot384_state_t;
-
-/**
- * \brief Internal state of the KNOT-512 permutation.
- */
-typedef union
-{
- uint64_t S[8]; /**< Words of the state */
- uint8_t B[64]; /**< Bytes of the state */
-
-} knot512_state_t;
-
-/**
- * \brief Permutes the KNOT-256 state, using 6-bit round constants.
- *
- * \param state The KNOT-256 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 52.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot256_permute_6(knot256_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-256 state, using 7-bit round constants.
- *
- * \param state The KNOT-256 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot256_permute_7(knot256_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-384 state, using 7-bit round constants.
- *
- * \param state The KNOT-384 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot384_permute_7(knot384_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-512 state, using 7-bit round constants.
- *
- * \param state The KNOT-512 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot512_permute_7(knot512_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-512 state, using 8-bit round constants.
- *
- * \param state The KNOT-512 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 140.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot512_permute_8(knot512_state_t *state, uint8_t rounds);
-
-/**
- * \brief Generic pointer to a function that performs a KNOT permutation.
- *
- * \param state Points to the permutation state.
- * \param round Number of rounds to perform.
- */
-typedef void (*knot_permute_t)(void *state, uint8_t rounds);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-util.h b/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/knot/Implementations/crypto_aead/knot256/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define 
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/knot/Implementations/crypto_aead/knot256/rhys-avr/knot-aead.c b/knot/Implementations/crypto_aead/knot256/rhys-avr/knot-aead.c deleted file mode 100644 index 5825f01..0000000 --- a/knot/Implementations/crypto_aead/knot256/rhys-avr/knot-aead.c +++ /dev/null 
@@ -1,503 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE. 
- */ - -#include "knot.h" -#include "internal-knot.h" -#include - -aead_cipher_t const knot_aead_128_256_cipher = { - "KNOT-AEAD-128-256", - KNOT_AEAD_128_KEY_SIZE, - KNOT_AEAD_128_NONCE_SIZE, - KNOT_AEAD_128_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - knot_aead_128_256_encrypt, - knot_aead_128_256_decrypt -}; - -aead_cipher_t const knot_aead_128_384_cipher = { - "KNOT-AEAD-128-384", - KNOT_AEAD_128_KEY_SIZE, - KNOT_AEAD_128_NONCE_SIZE, - KNOT_AEAD_128_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - knot_aead_128_384_encrypt, - knot_aead_128_384_decrypt -}; - -aead_cipher_t const knot_aead_192_384_cipher = { - "KNOT-AEAD-192-384", - KNOT_AEAD_192_KEY_SIZE, - KNOT_AEAD_192_NONCE_SIZE, - KNOT_AEAD_192_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - knot_aead_192_384_encrypt, - knot_aead_192_384_decrypt -}; - -aead_cipher_t const knot_aead_256_512_cipher = { - "KNOT-AEAD-256-512", - KNOT_AEAD_256_KEY_SIZE, - KNOT_AEAD_256_NONCE_SIZE, - KNOT_AEAD_256_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - knot_aead_256_512_encrypt, - knot_aead_256_512_decrypt -}; - -/** - * \brief Rate for KNOT-AEAD-128-256. - */ -#define KNOT_AEAD_128_256_RATE 8 - -/** - * \brief Rate for KNOT-AEAD-128-384. - */ -#define KNOT_AEAD_128_384_RATE 24 - -/** - * \brief Rate for KNOT-AEAD-192-384. - */ -#define KNOT_AEAD_192_384_RATE 12 - -/** - * \brief Rate for KNOT-AEAD-256-512. - */ -#define KNOT_AEAD_256_512_RATE 16 - -/** - * \brief Absorbs the associated data into a KNOT permutation state. - * - * \param state Points to the KNOT permutation state. - * \param permute Points to the function to perform the KNOT permutation. - * \param rounds Number of rounds to perform. - * \param rate Rate of absorption to use with the permutation. - * \param ad Points to the associated data. - * \param adlen Length of the associated data, must be at least 1. 
- */ -static void knot_aead_absorb_ad - (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen >= rate) { - lw_xor_block((unsigned char *)state, ad, rate); - permute(state, rounds); - ad += rate; - adlen -= rate; - } - rate = (unsigned)adlen; - lw_xor_block((unsigned char *)state, ad, rate); - ((unsigned char *)state)[rate] ^= 0x01; - permute(state, rounds); -} - -/** - * \brief Encrypts plaintext data with a KNOT permutation state. - * - * \param state Points to the KNOT permutation state. - * \param permute Points to the function to perform the KNOT permutation. - * \param rounds Number of rounds to perform. - * \param rate Rate of absorption to use with the permutation. - * \param c Buffer to receive the ciphertext. - * \param m Buffer containing the plaintext. - * \param len Length of the plaintext data, must be at least 1. - */ -static void knot_aead_encrypt - (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, - unsigned char *c, const unsigned char *m, unsigned long long len) -{ - while (len >= rate) { - lw_xor_block_2_dest(c, (unsigned char *)state, m, rate); - permute(state, rounds); - c += rate; - m += rate; - len -= rate; - } - rate = (unsigned)len; - lw_xor_block_2_dest(c, (unsigned char *)state, m, rate); - ((unsigned char *)state)[rate] ^= 0x01; -} - -/** - * \brief Decrypts ciphertext data with a KNOT permutation state. - * - * \param state Points to the KNOT permutation state. - * \param permute Points to the function to perform the KNOT permutation. - * \param rounds Number of rounds to perform. - * \param rate Rate of absorption to use with the permutation. - * \param m Buffer to receive the plaintext. - * \param c Buffer containing the ciphertext. - * \param len Length of the plaintext data, must be at least 1. 
- */ -static void knot_aead_decrypt - (void *state, knot_permute_t permute, uint8_t rounds, unsigned rate, - unsigned char *m, const unsigned char *c, unsigned long long len) -{ - while (len >= rate) { - lw_xor_block_swap(m, (unsigned char *)state, c, rate); - permute(state, rounds); - c += rate; - m += rate; - len -= rate; - } - rate = (unsigned)len; - lw_xor_block_swap(m, (unsigned char *)state, c, rate); - ((unsigned char *)state)[rate] ^= 0x01; -} - -int knot_aead_128_256_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - knot256_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + KNOT_AEAD_128_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); - knot256_permute_6(&state, 52); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot256_permute_6, - 28, KNOT_AEAD_128_256_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Encrypts the plaintext to produce the ciphertext */ - if (mlen > 0) { - knot_aead_encrypt - (&state, (knot_permute_t)knot256_permute_6, - 28, KNOT_AEAD_128_256_RATE, c, m, mlen); - } - - /* Compute the authentication tag */ - knot256_permute_6(&state, 32); - memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE); - return 0; -} - -int knot_aead_128_256_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - knot256_state_t state; - (void)nsec; - - /* Validate the ciphertext length and set 
the return "mlen" value */ - if (clen < KNOT_AEAD_128_TAG_SIZE) - return -1; - *mlen = clen - KNOT_AEAD_128_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); - knot256_permute_6(&state, 52); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot256_permute_6, - 28, KNOT_AEAD_128_256_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Decrypts the ciphertext to produce the plaintext */ - clen -= KNOT_AEAD_128_TAG_SIZE; - if (clen > 0) { - knot_aead_decrypt - (&state, (knot_permute_t)knot256_permute_6, - 28, KNOT_AEAD_128_256_RATE, m, c, clen); - } - - /* Check the authentication tag */ - knot256_permute_6(&state, 32); - return aead_check_tag - (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE); -} - -int knot_aead_128_384_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - knot384_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + KNOT_AEAD_128_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); - memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE, - 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE)); - state.B[47] = 0x80; - knot384_permute_7(&state, 76); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot384_permute_7, - 28, KNOT_AEAD_128_384_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Encrypts the 
plaintext to produce the ciphertext */ - if (mlen > 0) { - knot_aead_encrypt - (&state, (knot_permute_t)knot384_permute_7, - 28, KNOT_AEAD_128_384_RATE, c, m, mlen); - } - - /* Compute the authentication tag */ - knot384_permute_7(&state, 32); - memcpy(c + mlen, state.B, KNOT_AEAD_128_TAG_SIZE); - return 0; -} - -int knot_aead_128_384_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - knot384_state_t state; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < KNOT_AEAD_128_TAG_SIZE) - return -1; - *mlen = clen - KNOT_AEAD_128_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_128_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_128_NONCE_SIZE, k, KNOT_AEAD_128_KEY_SIZE); - memset(state.B + KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE, - 0, 47 - (KNOT_AEAD_128_NONCE_SIZE + KNOT_AEAD_128_KEY_SIZE)); - state.B[47] = 0x80; - knot384_permute_7(&state, 76); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot384_permute_7, - 28, KNOT_AEAD_128_384_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Decrypts the ciphertext to produce the plaintext */ - clen -= KNOT_AEAD_128_TAG_SIZE; - if (clen > 0) { - knot_aead_decrypt - (&state, (knot_permute_t)knot384_permute_7, - 28, KNOT_AEAD_128_384_RATE, m, c, clen); - } - - /* Check the authentication tag */ - knot384_permute_7(&state, 32); - return aead_check_tag - (m, clen, state.B, c + clen, KNOT_AEAD_128_TAG_SIZE); -} - -int knot_aead_192_384_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const 
unsigned char *npub, - const unsigned char *k) -{ - knot384_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + KNOT_AEAD_192_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE); - knot384_permute_7(&state, 76); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot384_permute_7, - 40, KNOT_AEAD_192_384_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Encrypts the plaintext to produce the ciphertext */ - if (mlen > 0) { - knot_aead_encrypt - (&state, (knot_permute_t)knot384_permute_7, - 40, KNOT_AEAD_192_384_RATE, c, m, mlen); - } - - /* Compute the authentication tag */ - knot384_permute_7(&state, 44); - memcpy(c + mlen, state.B, KNOT_AEAD_192_TAG_SIZE); - return 0; -} - -int knot_aead_192_384_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - knot384_state_t state; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < KNOT_AEAD_192_TAG_SIZE) - return -1; - *mlen = clen - KNOT_AEAD_192_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_192_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_192_NONCE_SIZE, k, KNOT_AEAD_192_KEY_SIZE); - knot384_permute_7(&state, 76); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot384_permute_7, - 40, KNOT_AEAD_192_384_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Decrypts the ciphertext to produce the plaintext */ - clen -= KNOT_AEAD_192_TAG_SIZE; - if 
(clen > 0) { - knot_aead_decrypt - (&state, (knot_permute_t)knot384_permute_7, - 40, KNOT_AEAD_192_384_RATE, m, c, clen); - } - - /* Check the authentication tag */ - knot384_permute_7(&state, 44); - return aead_check_tag - (m, clen, state.B, c + clen, KNOT_AEAD_192_TAG_SIZE); -} - -int knot_aead_256_512_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - knot512_state_t state; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + KNOT_AEAD_256_TAG_SIZE; - - /* Initialize the permutation state to the nonce and the key */ - memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE); - knot512_permute_7(&state, 100); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot512_permute_7, - 52, KNOT_AEAD_256_512_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Encrypts the plaintext to produce the ciphertext */ - if (mlen > 0) { - knot_aead_encrypt - (&state, (knot_permute_t)knot512_permute_7, - 52, KNOT_AEAD_256_512_RATE, c, m, mlen); - } - - /* Compute the authentication tag */ - knot512_permute_7(&state, 56); - memcpy(c + mlen, state.B, KNOT_AEAD_256_TAG_SIZE); - return 0; -} - -int knot_aead_256_512_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - knot512_state_t state; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < KNOT_AEAD_256_TAG_SIZE) - return -1; - *mlen = clen - KNOT_AEAD_256_TAG_SIZE; - - /* Initialize the permutation state to the nonce 
and the key */ - memcpy(state.B, npub, KNOT_AEAD_256_NONCE_SIZE); - memcpy(state.B + KNOT_AEAD_256_NONCE_SIZE, k, KNOT_AEAD_256_KEY_SIZE); - knot512_permute_7(&state, 100); - - /* Absorb the associated data */ - if (adlen > 0) { - knot_aead_absorb_ad - (&state, (knot_permute_t)knot512_permute_7, - 52, KNOT_AEAD_256_512_RATE, ad, adlen); - } - state.B[sizeof(state.B) - 1] ^= 0x80; /* Domain separation */ - - /* Decrypts the ciphertext to produce the plaintext */ - clen -= KNOT_AEAD_256_TAG_SIZE; - if (clen > 0) { - knot_aead_decrypt - (&state, (knot_permute_t)knot512_permute_7, - 52, KNOT_AEAD_256_512_RATE, m, c, clen); - } - - /* Check the authentication tag */ - knot512_permute_7(&state, 56); - return aead_check_tag - (m, clen, state.B, c + clen, KNOT_AEAD_256_TAG_SIZE); -} diff --git a/knot/Implementations/crypto_aead/knot256/rhys-avr/knot.h b/knot/Implementations/crypto_aead/knot256/rhys-avr/knot.h deleted file mode 100644 index e2c5198..0000000 --- a/knot/Implementations/crypto_aead/knot256/rhys-avr/knot.h +++ /dev/null 
@@ -1,459 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_KNOT_H
-#define LWCRYPTO_KNOT_H
-
-#include "aead-common.h"
-
-/**
- * \file knot.h
- * \brief KNOT authenticated encryption and hash algorithms.
- *
- * KNOT is a family of authenticated encryption and hash algorithms built
- * around a permutation and the MonkeyDuplex sponge construction. The
- * family members are:
- *
- * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag, built around a 256-bit permutation. This is the primary
- * encryption member of the family.
- * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag, built around a 384-bit permutation.
- * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a
- * 192-bit tag, built around a 384-bit permutation.
- * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a
- * 256-bit tag, built around a 512-bit permutation.
- * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a
- * 256-bit permutation. This is the primary hashing member of the family.
- * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a
- * 384-bit permutation.
- * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a
- * 384-bit permutation.
- * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a
- * 512-bit permutation.
- *
- * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-128-256 and
- * KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_NONCE_SIZE 16
-
-/**
- * \brief Size of the key for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_KEY_SIZE 24
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_TAG_SIZE 24
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_NONCE_SIZE 24
-
-/**
- * \brief Size of the key for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_KEY_SIZE 32
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_TAG_SIZE 32
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_256_NONCE_SIZE 32
-
-/**
- * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384.
- */
-#define KNOT_HASH_256_SIZE 32
-
-/**
- * \brief Size of the hash for KNOT-HASH-384-384.
- */
-#define KNOT_HASH_384_SIZE 48
-
-/**
- * \brief Size of the hash for KNOT-HASH-512-512.
- */
-#define KNOT_HASH_512_SIZE 64
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-128-256 cipher.
- */
-extern aead_cipher_t const knot_aead_128_256_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-128-384 cipher.
- */
-extern aead_cipher_t const knot_aead_128_384_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-192-384 cipher.
- */
-extern aead_cipher_t const knot_aead_192_384_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-256-512 cipher.
- */
-extern aead_cipher_t const knot_aead_256_512_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-256-256 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_256_256_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-256-384 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_256_384_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-384-384 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_384_384_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-512-512 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_512_512_algorithm;
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_128_256_decrypt()
- */
-int knot_aead_128_256_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_128_256_encrypt()
- */
-int knot_aead_128_256_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_128_384_decrypt()
- */
-int knot_aead_128_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_128_384_encrypt()
- */
-int knot_aead_128_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_192_384_decrypt()
- */
-int knot_aead_192_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_192_384_encrypt()
- */
-int knot_aead_192_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_256_512_decrypt()
- */
-int knot_aead_256_512_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_256_512_encrypt()
- */
-int knot_aead_256_512_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-256-256.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_256_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_256_256
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-256-384.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_256_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_256_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-384-384.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_384_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_384_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-512-512.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_512_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_512_512
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/knot/Implementations/crypto_aead/knot256/rhys/internal-knot-256-avr.S b/knot/Implementations/crypto_aead/knot256/rhys/internal-knot-256-avr.S
new file mode 100644
index 0000000..15e6389
--- /dev/null
+++ b/knot/Implementations/crypto_aead/knot256/rhys/internal-knot-256-avr.S
@@ -0,0 +1,1093 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_6, @object + .size table_6, 52 +table_6: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 33 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 49 + .byte 34 + .byte 5 + .byte 10 + .byte 20 + .byte 41 + .byte 19 + .byte 39 + .byte 15 + .byte 30 + .byte 61 + .byte 58 + .byte 52 + .byte 40 + .byte 17 + .byte 35 + .byte 7 + .byte 14 + .byte 28 + .byte 57 + .byte 50 + .byte 36 + .byte 9 + .byte 18 + .byte 37 + .byte 11 + .byte 22 + .byte 45 + .byte 27 + .byte 55 + .byte 46 + .byte 29 + .byte 59 + .byte 54 + .byte 44 + .byte 25 + .byte 51 + .byte 38 + .byte 13 + .byte 26 + .byte 53 + .byte 42 + + .text +.global knot256_permute_6 + .type knot256_permute_6, @function +knot256_permute_6: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + 
push r30 + ldi r30,lo8(table_6) + ldi r31,hi8(table_6) +#if defined(RAMPZ) + ldi r17,hh8(table_6) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + 
eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std 
Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 + ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_6, .-knot256_permute_6 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 
55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot256_permute_7 + .type knot256_permute_7, @function +knot256_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std 
Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + 
std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 
+ ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_7, .-knot256_permute_7 + +#endif diff --git a/knot/Implementations/crypto_aead/knot256/rhys/internal-knot-384-avr.S b/knot/Implementations/crypto_aead/knot256/rhys/internal-knot-384-avr.S new file mode 100644 index 0000000..4d15898 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot256/rhys/internal-knot-384-avr.S 
@@ -0,0 +1,833 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot384_permute_7 + .type knot384_permute_7, @function +knot384_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,72 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 87 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std 
Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + ldd r4,Z+16 + ldd r5,Z+17 + ldd r6,Z+18 + ldd r7,Z+19 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r4,Z+28 + ldd r5,Z+29 + ldd r6,Z+30 + ldd r7,Z+31 + ldd r8,Z+32 + ldd r9,Z+33 + ldd r10,Z+34 + ldd r11,Z+35 + std Y+25,r26 + std Y+26,r27 + std Y+27,r2 + std Y+28,r3 + std Y+29,r4 + std Y+30,r5 + std Y+31,r6 + std Y+32,r7 + std Y+33,r8 + std Y+34,r9 + std Y+35,r10 + std Y+36,r11 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+37,r26 + std Y+38,r27 + std Y+39,r2 + std Y+40,r3 + std Y+41,r4 + std Y+42,r5 + std Y+43,r6 + std Y+44,r7 + std Y+45,r8 + std Y+46,r9 + std Y+47,r10 + std Y+48,r11 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r24,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif +99: + ldd r12,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + inc r30 + ldd r18,Y+13 + ldd r19,Y+25 + ldd r20,Y+37 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+61,r23 + mov r14,r20 + eor r14,r12 + mov r26,r18 + or r26,r19 + eor r26,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+1,r21 + mov r21,r26 + and r21,r12 + eor r21,r13 + std Y+49,r21 + ldd r12,Y+2 + ldd r18,Y+14 + ldd r19,Y+26 + ldd r20,Y+38 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std 
Y+62,r23 + mov r14,r20 + eor r14,r12 + mov r27,r18 + or r27,r19 + eor r27,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+2,r21 + mov r21,r27 + and r21,r12 + eor r21,r13 + std Y+50,r21 + ldd r12,Y+3 + ldd r18,Y+15 + ldd r19,Y+27 + ldd r20,Y+39 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+63,r23 + mov r14,r20 + eor r14,r12 + mov r2,r18 + or r2,r19 + eor r2,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+3,r21 + mov r21,r2 + and r21,r12 + eor r21,r13 + std Y+51,r21 + ldd r12,Y+4 + ldd r18,Y+16 + ldd r19,Y+28 + ldd r20,Y+40 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,192 + sbci r29,255 + st Y,r23 + subi r28,64 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r3,r18 + or r3,r19 + eor r3,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+4,r21 + mov r21,r3 + and r21,r12 + eor r21,r13 + std Y+52,r21 + ldd r12,Y+5 + ldd r18,Y+17 + ldd r19,Y+29 + ldd r20,Y+41 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,191 + sbci r29,255 + st Y,r23 + subi r28,65 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r4,r18 + or r4,r19 + eor r4,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+5,r21 + mov r21,r4 + and r21,r12 + eor r21,r13 + std Y+53,r21 + ldd r12,Y+6 + ldd r18,Y+18 + ldd r19,Y+30 + ldd r20,Y+42 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,190 + sbci r29,255 + st Y,r23 + subi r28,66 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r5,r18 + or r5,r19 + eor r5,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+6,r21 + mov r21,r5 + and r21,r12 + eor r21,r13 + std Y+54,r21 + ldd r12,Y+7 + ldd r18,Y+19 + ldd r19,Y+31 + ldd r20,Y+43 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,189 + sbci r29,255 + st Y,r23 + 
subi r28,67 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r6,r18 + or r6,r19 + eor r6,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+7,r21 + mov r21,r6 + and r21,r12 + eor r21,r13 + std Y+55,r21 + ldd r12,Y+8 + ldd r18,Y+20 + ldd r19,Y+32 + ldd r20,Y+44 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,188 + sbci r29,255 + st Y,r23 + subi r28,68 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r7,r18 + or r7,r19 + eor r7,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+8,r21 + mov r21,r7 + and r21,r12 + eor r21,r13 + std Y+56,r21 + ldd r12,Y+9 + ldd r18,Y+21 + ldd r19,Y+33 + ldd r20,Y+45 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,187 + sbci r29,255 + st Y,r23 + subi r28,69 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r8,r18 + or r8,r19 + eor r8,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+9,r21 + mov r21,r8 + and r21,r12 + eor r21,r13 + std Y+57,r21 + ldd r12,Y+10 + ldd r18,Y+22 + ldd r19,Y+34 + ldd r20,Y+46 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,186 + sbci r29,255 + st Y,r23 + subi r28,70 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r9,r18 + or r9,r19 + eor r9,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+10,r21 + mov r21,r9 + and r21,r12 + eor r21,r13 + std Y+58,r21 + ldd r12,Y+11 + ldd r18,Y+23 + ldd r19,Y+35 + ldd r20,Y+47 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,185 + sbci r29,255 + st Y,r23 + subi r28,71 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r10,r18 + or r10,r19 + eor r10,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+11,r21 + mov r21,r10 + and r21,r12 + eor r21,r13 + std Y+59,r21 + ldd r12,Y+12 + ldd r18,Y+24 + ldd r19,Y+36 + ldd r20,Y+48 + com r12 + mov r13,r18 + and r13,r12 + eor 
r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,184 + sbci r29,255 + st Y,r23 + subi r28,72 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r11,r18 + or r11,r19 + eor r11,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+12,r21 + mov r21,r11 + and r21,r12 + eor r21,r13 + std Y+60,r21 + std Y+25,r11 + std Y+26,r26 + std Y+27,r27 + std Y+28,r2 + std Y+29,r3 + std Y+30,r4 + std Y+31,r5 + std Y+32,r6 + std Y+33,r7 + std Y+34,r8 + std Y+35,r9 + std Y+36,r10 + ldd r26,Y+49 + ldd r27,Y+50 + ldd r2,Y+51 + ldd r3,Y+52 + ldd r4,Y+53 + ldd r5,Y+54 + ldd r6,Y+55 + ldd r7,Y+56 + ldd r8,Y+57 + ldd r9,Y+58 + ldd r10,Y+59 + ldd r11,Y+60 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + adc r26,r1 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + adiw r28,61 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y + subi r28,72 + sbc r29,r1 + bst r26,0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r3 + ror r2 + ror r27 + ror r26 + bld r11,7 + std Y+37,r5 + std Y+38,r6 + std Y+39,r7 + std Y+40,r8 + std Y+41,r9 + std Y+42,r10 + std Y+43,r11 + std Y+44,r26 + std Y+45,r27 + std Y+46,r2 + std Y+47,r3 + std Y+48,r4 + dec r22 + breq 5542f + rjmp 99b +5542: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r2,Y+15 + ldd r3,Y+16 + ldd r4,Y+17 + ldd r5,Y+18 + ldd r6,Y+19 + ldd 
r7,Y+20 + ldd r8,Y+21 + ldd r9,Y+22 + ldd r10,Y+23 + ldd r11,Y+24 + std Z+12,r26 + std Z+13,r27 + std Z+14,r2 + std Z+15,r3 + std Z+16,r4 + std Z+17,r5 + std Z+18,r6 + std Z+19,r7 + std Z+20,r8 + std Z+21,r9 + std Z+22,r10 + std Z+23,r11 + ldd r26,Y+25 + ldd r27,Y+26 + ldd r2,Y+27 + ldd r3,Y+28 + ldd r4,Y+29 + ldd r5,Y+30 + ldd r6,Y+31 + ldd r7,Y+32 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + std Z+24,r26 + std Z+25,r27 + std Z+26,r2 + std Z+27,r3 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+32,r8 + std Z+33,r9 + std Z+34,r10 + std Z+35,r11 + ldd r26,Y+37 + ldd r27,Y+38 + ldd r2,Y+39 + ldd r3,Y+40 + ldd r4,Y+41 + ldd r5,Y+42 + ldd r6,Y+43 + ldd r7,Y+44 + ldd r8,Y+45 + ldd r9,Y+46 + ldd r10,Y+47 + ldd r11,Y+48 + std Z+36,r26 + std Z+37,r27 + std Z+38,r2 + std Z+39,r3 + std Z+40,r4 + std Z+41,r5 + std Z+42,r6 + std Z+43,r7 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + subi r28,184 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot384_permute_7, .-knot384_permute_7 + +#endif diff --git a/knot/Implementations/crypto_aead/knot256/rhys/internal-knot-512-avr.S b/knot/Implementations/crypto_aead/knot256/rhys/internal-knot-512-avr.S new file mode 100644 index 0000000..6f92ac3 --- /dev/null +++ b/knot/Implementations/crypto_aead/knot256/rhys/internal-knot-512-avr.S 
@@ -0,0 +1,2315 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot512_permute_7 + .type knot512_permute_7, @function +knot512_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd 
r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 
+ ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + 
subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 + ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + 
mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor 
r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi 
r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std 
Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_7, .-knot512_permute_7 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_8, @object + .size table_8, 140 +table_8: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 17 + .byte 35 + .byte 71 + .byte 142 + .byte 28 + .byte 56 + .byte 113 + .byte 226 + .byte 196 + .byte 137 + .byte 18 + .byte 37 + .byte 75 + .byte 151 + .byte 46 + .byte 92 + .byte 184 + .byte 112 + .byte 224 + .byte 192 + .byte 129 + .byte 3 + .byte 6 + .byte 12 + .byte 25 + .byte 50 + .byte 100 + .byte 201 + .byte 146 + .byte 36 + .byte 73 + .byte 147 + .byte 38 + .byte 77 + .byte 155 + .byte 55 + .byte 110 + .byte 220 + .byte 185 + .byte 114 + .byte 228 + .byte 200 + .byte 144 + .byte 32 + .byte 65 + .byte 130 + .byte 5 
+ .byte 10 + .byte 21 + .byte 43 + .byte 86 + .byte 173 + .byte 91 + .byte 182 + .byte 109 + .byte 218 + .byte 181 + .byte 107 + .byte 214 + .byte 172 + .byte 89 + .byte 178 + .byte 101 + .byte 203 + .byte 150 + .byte 44 + .byte 88 + .byte 176 + .byte 97 + .byte 195 + .byte 135 + .byte 15 + .byte 31 + .byte 62 + .byte 125 + .byte 251 + .byte 246 + .byte 237 + .byte 219 + .byte 183 + .byte 111 + .byte 222 + .byte 189 + .byte 122 + .byte 245 + .byte 235 + .byte 215 + .byte 174 + .byte 93 + .byte 186 + .byte 116 + .byte 232 + .byte 209 + .byte 162 + .byte 68 + .byte 136 + .byte 16 + .byte 33 + .byte 67 + .byte 134 + .byte 13 + .byte 27 + .byte 54 + .byte 108 + .byte 216 + .byte 177 + .byte 99 + .byte 199 + .byte 143 + .byte 30 + .byte 60 + .byte 121 + .byte 243 + .byte 231 + .byte 206 + .byte 156 + .byte 57 + .byte 115 + .byte 230 + .byte 204 + .byte 152 + .byte 49 + .byte 98 + .byte 197 + .byte 139 + .byte 22 + .byte 45 + .byte 90 + .byte 180 + .byte 105 + .byte 210 + .byte 164 + .byte 72 + .byte 145 + .byte 34 + .byte 69 + + .text +.global knot512_permute_8 + .type knot512_permute_8, @function +knot512_permute_8: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd 
r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_8) + ldi r31,hi8(table_8) +#if defined(RAMPZ) + ldi r17,hh8(table_8) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 + ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor 
r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 
+ ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor 
r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov 
r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std 
Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std 
Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_8, .-knot512_permute_8 + +#endif diff --git a/knot/Implementations/crypto_aead/knot256/rhys/internal-knot.c b/knot/Implementations/crypto_aead/knot256/rhys/internal-knot.c index 3486e6e..f8b378e 100644 --- a/knot/Implementations/crypto_aead/knot256/rhys/internal-knot.c +++ b/knot/Implementations/crypto_aead/knot256/rhys/internal-knot.c @@ -22,6 +22,8 @@ #include "internal-knot.h" +#if !defined(__AVR__) + /* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ static uint8_t const rc6[52] = { 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, @@ -295,3 +297,5 @@ void knot512_permute_8(knot512_state_t *state, uint8_t rounds) { knot512_permute(state, rc8, rounds); } + +#endif /* !__AVR__ */ diff --git a/knot/Implementations/crypto_aead/knot256/rhys/internal-util.h b/knot/Implementations/crypto_aead/knot256/rhys/internal-util.h index e79158c..e30166d 100644 --- a/knot/Implementations/crypto_aead/knot256/rhys/internal-util.h 
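Review bot: The new `#if !defined(__AVR__)` guard around internal-knot.c also compiles out the `rc6`/`rc8` round-constant tables, so on AVR the only copy of those constants is the one embedded in the generated assembly (the deleted `internal-knot-256-avr.S` further down carries them as `table_6`, and the retained `rhys/` assembly presumably does the same). A comment at the guard should say so, e.g. `/* On AVR the permutations and their round-constant tables come from internal-knot-*-avr.S; keep both copies in sync */`, so that a later edit to `rc6`/`rc8` is not silently lost on the AVR build. It is also worth stating in that comment that an AVR target which does not assemble the `.S` files gets undefined `knot*_permute_*` symbols at link time rather than a fallback to the C code.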
+++ b/knot/Implementations/crypto_aead/knot256/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
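Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is hard-wired to `__AVR__`, so the composed rotation set selected by it can never be compiled or checked on a host build; a mistake in any of those hand-written macros would only surface as a wrong permutation output on AVR hardware. Letting the build override the selector keeps the default and makes the composed macros host-testable: wrap the five new selector lines in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif`. The comment above the selector could then note that defining `LW_CRYPTO_ROTATE32_COMPOSED` to 1 on the command line is the way to exercise the AVR rotation path against the library's known-answer tests.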
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/aead-common.c b/knot/Implementations/crypto_hash/knot256v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
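Review bot: Each of the 62 composed definitions is hand-written, and a single wrong count (for instance a `leftRotate21` built from 24 followed by two right rotations instead of three) would silently corrupt every 32-bit rotation on AVR while the host build, which keeps the generic macros, stays correct; a test that checks `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for every N and a few x values with the composed set enabled would catch that before it reaches hardware. Since `leftRotate`/`rightRotate` appear to be statement expressions declaring a `_temp` local (per the context at the top of the previous hunk), nestings such as `leftRotate12`, `leftRotate20` and `leftRotate28` place up to five of those blocks inside one another and will trip `-Wshadow` if it is enabled for AVR builds; the `/* Composed rotation macros ... */` comment should mention that. All rotation amounts remain compile-time constants, so the composed forms add no data-dependent control flow; recording that in the same comment is useful because these macros sit inside cipher round functions.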
--- a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/aead-common.h b/knot/Implementations/crypto_hash/knot256v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/api.h b/knot/Implementations/crypto_hash/knot256v1/rhys-avr/api.h deleted file mode 100644 index ae8c7f6..0000000 --- a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/api.h +++ /dev/null @@ -1 +0,0 @@ -#define CRYPTO_BYTES 32 diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot-256-avr.S b/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot-256-avr.S deleted file mode 100644 index 15e6389..0000000 --- a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot-256-avr.S +++ /dev/null 
@@ -1,1093 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_6, @object - .size table_6, 52 -table_6: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 33 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 49 - .byte 34 - .byte 5 - .byte 10 - .byte 20 - .byte 41 - .byte 19 - .byte 39 - .byte 15 - .byte 30 - .byte 61 - .byte 58 - .byte 52 - .byte 40 - .byte 17 - .byte 35 - .byte 7 - .byte 14 - .byte 28 - .byte 57 - .byte 50 - .byte 36 - .byte 9 - .byte 18 - .byte 37 - .byte 11 - .byte 22 - .byte 45 - .byte 27 - .byte 55 - .byte 46 - .byte 29 - .byte 59 - .byte 54 - .byte 44 - .byte 25 - .byte 51 - .byte 38 - .byte 13 - .byte 26 - .byte 53 - .byte 42 - - .text -.global knot256_permute_6 - .type knot256_permute_6, @function -knot256_permute_6: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - 
push r30 - ldi r30,lo8(table_6) - ldi r31,hi8(table_6) -#if defined(RAMPZ) - ldi r17,hh8(table_6) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - 
eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std 
Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 - ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_6, .-knot256_permute_6 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 
55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot256_permute_7 - .type knot256_permute_7, @function -knot256_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std 
Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - 
std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 
- ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_7, .-knot256_permute_7 - -#endif diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot-384-avr.S b/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot-384-avr.S deleted file mode 100644 index 4d15898..0000000 --- a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot-384-avr.S +++ /dev/null 
@@ -1,833 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot384_permute_7 - .type knot384_permute_7, @function -knot384_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,72 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 87 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std 
Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - ldd r4,Z+16 - ldd r5,Z+17 - ldd r6,Z+18 - ldd r7,Z+19 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r4,Z+28 - ldd r5,Z+29 - ldd r6,Z+30 - ldd r7,Z+31 - ldd r8,Z+32 - ldd r9,Z+33 - ldd r10,Z+34 - ldd r11,Z+35 - std Y+25,r26 - std Y+26,r27 - std Y+27,r2 - std Y+28,r3 - std Y+29,r4 - std Y+30,r5 - std Y+31,r6 - std Y+32,r7 - std Y+33,r8 - std Y+34,r9 - std Y+35,r10 - std Y+36,r11 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r2,Z+38 - ldd r3,Z+39 - ldd r4,Z+40 - ldd r5,Z+41 - ldd r6,Z+42 - ldd r7,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - std Y+37,r26 - std Y+38,r27 - std Y+39,r2 - std Y+40,r3 - std Y+41,r4 - std Y+42,r5 - std Y+43,r6 - std Y+44,r7 - std Y+45,r8 - std Y+46,r9 - std Y+47,r10 - std Y+48,r11 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r24,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif -99: - ldd r12,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r30 - ldd r18,Y+13 - ldd r19,Y+25 - ldd r20,Y+37 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+61,r23 - mov r14,r20 - eor r14,r12 - mov r26,r18 - or r26,r19 - eor r26,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+1,r21 - mov r21,r26 - and r21,r12 - eor r21,r13 - std Y+49,r21 - ldd r12,Y+2 - ldd r18,Y+14 - ldd r19,Y+26 - ldd r20,Y+38 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std 
Y+62,r23 - mov r14,r20 - eor r14,r12 - mov r27,r18 - or r27,r19 - eor r27,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+2,r21 - mov r21,r27 - and r21,r12 - eor r21,r13 - std Y+50,r21 - ldd r12,Y+3 - ldd r18,Y+15 - ldd r19,Y+27 - ldd r20,Y+39 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+63,r23 - mov r14,r20 - eor r14,r12 - mov r2,r18 - or r2,r19 - eor r2,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+3,r21 - mov r21,r2 - and r21,r12 - eor r21,r13 - std Y+51,r21 - ldd r12,Y+4 - ldd r18,Y+16 - ldd r19,Y+28 - ldd r20,Y+40 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,192 - sbci r29,255 - st Y,r23 - subi r28,64 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r3,r18 - or r3,r19 - eor r3,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+4,r21 - mov r21,r3 - and r21,r12 - eor r21,r13 - std Y+52,r21 - ldd r12,Y+5 - ldd r18,Y+17 - ldd r19,Y+29 - ldd r20,Y+41 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,191 - sbci r29,255 - st Y,r23 - subi r28,65 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r4,r18 - or r4,r19 - eor r4,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+5,r21 - mov r21,r4 - and r21,r12 - eor r21,r13 - std Y+53,r21 - ldd r12,Y+6 - ldd r18,Y+18 - ldd r19,Y+30 - ldd r20,Y+42 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,190 - sbci r29,255 - st Y,r23 - subi r28,66 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r5,r18 - or r5,r19 - eor r5,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+6,r21 - mov r21,r5 - and r21,r12 - eor r21,r13 - std Y+54,r21 - ldd r12,Y+7 - ldd r18,Y+19 - ldd r19,Y+31 - ldd r20,Y+43 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,189 - sbci r29,255 - st Y,r23 - 
subi r28,67 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r6,r18 - or r6,r19 - eor r6,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+7,r21 - mov r21,r6 - and r21,r12 - eor r21,r13 - std Y+55,r21 - ldd r12,Y+8 - ldd r18,Y+20 - ldd r19,Y+32 - ldd r20,Y+44 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,188 - sbci r29,255 - st Y,r23 - subi r28,68 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r7,r18 - or r7,r19 - eor r7,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+8,r21 - mov r21,r7 - and r21,r12 - eor r21,r13 - std Y+56,r21 - ldd r12,Y+9 - ldd r18,Y+21 - ldd r19,Y+33 - ldd r20,Y+45 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,187 - sbci r29,255 - st Y,r23 - subi r28,69 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r8,r18 - or r8,r19 - eor r8,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+9,r21 - mov r21,r8 - and r21,r12 - eor r21,r13 - std Y+57,r21 - ldd r12,Y+10 - ldd r18,Y+22 - ldd r19,Y+34 - ldd r20,Y+46 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,186 - sbci r29,255 - st Y,r23 - subi r28,70 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r9,r18 - or r9,r19 - eor r9,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+10,r21 - mov r21,r9 - and r21,r12 - eor r21,r13 - std Y+58,r21 - ldd r12,Y+11 - ldd r18,Y+23 - ldd r19,Y+35 - ldd r20,Y+47 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,185 - sbci r29,255 - st Y,r23 - subi r28,71 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r10,r18 - or r10,r19 - eor r10,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+11,r21 - mov r21,r10 - and r21,r12 - eor r21,r13 - std Y+59,r21 - ldd r12,Y+12 - ldd r18,Y+24 - ldd r19,Y+36 - ldd r20,Y+48 - com r12 - mov r13,r18 - and r13,r12 - eor 
r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,184 - sbci r29,255 - st Y,r23 - subi r28,72 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r11,r18 - or r11,r19 - eor r11,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+12,r21 - mov r21,r11 - and r21,r12 - eor r21,r13 - std Y+60,r21 - std Y+25,r11 - std Y+26,r26 - std Y+27,r27 - std Y+28,r2 - std Y+29,r3 - std Y+30,r4 - std Y+31,r5 - std Y+32,r6 - std Y+33,r7 - std Y+34,r8 - std Y+35,r9 - std Y+36,r10 - ldd r26,Y+49 - ldd r27,Y+50 - ldd r2,Y+51 - ldd r3,Y+52 - ldd r4,Y+53 - ldd r5,Y+54 - ldd r6,Y+55 - ldd r7,Y+56 - ldd r8,Y+57 - ldd r9,Y+58 - ldd r10,Y+59 - ldd r11,Y+60 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - adc r26,r1 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - adiw r28,61 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y - subi r28,72 - sbc r29,r1 - bst r26,0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r3 - ror r2 - ror r27 - ror r26 - bld r11,7 - std Y+37,r5 - std Y+38,r6 - std Y+39,r7 - std Y+40,r8 - std Y+41,r9 - std Y+42,r10 - std Y+43,r11 - std Y+44,r26 - std Y+45,r27 - std Y+46,r2 - std Y+47,r3 - std Y+48,r4 - dec r22 - breq 5542f - rjmp 99b -5542: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r2,Y+15 - ldd r3,Y+16 - ldd r4,Y+17 - ldd r5,Y+18 - ldd r6,Y+19 - ldd 
r7,Y+20 - ldd r8,Y+21 - ldd r9,Y+22 - ldd r10,Y+23 - ldd r11,Y+24 - std Z+12,r26 - std Z+13,r27 - std Z+14,r2 - std Z+15,r3 - std Z+16,r4 - std Z+17,r5 - std Z+18,r6 - std Z+19,r7 - std Z+20,r8 - std Z+21,r9 - std Z+22,r10 - std Z+23,r11 - ldd r26,Y+25 - ldd r27,Y+26 - ldd r2,Y+27 - ldd r3,Y+28 - ldd r4,Y+29 - ldd r5,Y+30 - ldd r6,Y+31 - ldd r7,Y+32 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - std Z+24,r26 - std Z+25,r27 - std Z+26,r2 - std Z+27,r3 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+32,r8 - std Z+33,r9 - std Z+34,r10 - std Z+35,r11 - ldd r26,Y+37 - ldd r27,Y+38 - ldd r2,Y+39 - ldd r3,Y+40 - ldd r4,Y+41 - ldd r5,Y+42 - ldd r6,Y+43 - ldd r7,Y+44 - ldd r8,Y+45 - ldd r9,Y+46 - ldd r10,Y+47 - ldd r11,Y+48 - std Z+36,r26 - std Z+37,r27 - std Z+38,r2 - std Z+39,r3 - std Z+40,r4 - std Z+41,r5 - std Z+42,r6 - std Z+43,r7 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - subi r28,184 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot384_permute_7, .-knot384_permute_7 - -#endif diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot-512-avr.S b/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot-512-avr.S deleted file mode 100644 index 6f92ac3..0000000 --- a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot-512-avr.S +++ /dev/null 
@@ -1,2315 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot512_permute_7 - .type knot512_permute_7, @function -knot512_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd 
r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 
- ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - 
subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 - ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - 
mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor 
r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi 
r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std 
Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_7, .-knot512_permute_7 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_8, @object - .size table_8, 140 -table_8: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 17 - .byte 35 - .byte 71 - .byte 142 - .byte 28 - .byte 56 - .byte 113 - .byte 226 - .byte 196 - .byte 137 - .byte 18 - .byte 37 - .byte 75 - .byte 151 - .byte 46 - .byte 92 - .byte 184 - .byte 112 - .byte 224 - .byte 192 - .byte 129 - .byte 3 - .byte 6 - .byte 12 - .byte 25 - .byte 50 - .byte 100 - .byte 201 - .byte 146 - .byte 36 - .byte 73 - .byte 147 - .byte 38 - .byte 77 - .byte 155 - .byte 55 - .byte 110 - .byte 220 - .byte 185 - .byte 114 - .byte 228 - .byte 200 - .byte 144 - .byte 32 - .byte 65 - .byte 130 - .byte 5 
- .byte 10 - .byte 21 - .byte 43 - .byte 86 - .byte 173 - .byte 91 - .byte 182 - .byte 109 - .byte 218 - .byte 181 - .byte 107 - .byte 214 - .byte 172 - .byte 89 - .byte 178 - .byte 101 - .byte 203 - .byte 150 - .byte 44 - .byte 88 - .byte 176 - .byte 97 - .byte 195 - .byte 135 - .byte 15 - .byte 31 - .byte 62 - .byte 125 - .byte 251 - .byte 246 - .byte 237 - .byte 219 - .byte 183 - .byte 111 - .byte 222 - .byte 189 - .byte 122 - .byte 245 - .byte 235 - .byte 215 - .byte 174 - .byte 93 - .byte 186 - .byte 116 - .byte 232 - .byte 209 - .byte 162 - .byte 68 - .byte 136 - .byte 16 - .byte 33 - .byte 67 - .byte 134 - .byte 13 - .byte 27 - .byte 54 - .byte 108 - .byte 216 - .byte 177 - .byte 99 - .byte 199 - .byte 143 - .byte 30 - .byte 60 - .byte 121 - .byte 243 - .byte 231 - .byte 206 - .byte 156 - .byte 57 - .byte 115 - .byte 230 - .byte 204 - .byte 152 - .byte 49 - .byte 98 - .byte 197 - .byte 139 - .byte 22 - .byte 45 - .byte 90 - .byte 180 - .byte 105 - .byte 210 - .byte 164 - .byte 72 - .byte 145 - .byte 34 - .byte 69 - - .text -.global knot512_permute_8 - .type knot512_permute_8, @function -knot512_permute_8: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd 
r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_8) - ldi r31,hi8(table_8) -#if defined(RAMPZ) - ldi r17,hh8(table_8) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 - ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor 
r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 
- ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor 
r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov 
r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std 
Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std 
Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_8, .-knot512_permute_8 - -#endif diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot.c b/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot.c deleted file mode 100644 index f8b378e..0000000 --- a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot.c +++ /dev/null 
@@ -1,301 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-knot.h"
-
-#if !defined(__AVR__)
-
-/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */
-static uint8_t const rc6[52] = {
- 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22,
- 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28,
- 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b,
- 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26,
- 0x0d, 0x1a, 0x35, 0x2a
-};
-static uint8_t const rc7[104] = {
- 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30,
- 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c,
- 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33,
- 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f,
- 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38,
- 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36,
- 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b,
- 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25,
- 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c
-};
-static uint8_t const rc8[140] = {
- 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2,
- 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0,
- 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93,
- 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20,
- 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda,
- 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0,
- 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7,
- 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8,
- 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c,
- 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c,
- 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62,
0xc5, 0x8b, 0x16, 0x2d, 0x5a,
- 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45
-};
-
-/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */
-#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \
- do { \
- uint64_t t1, t3, t6; \
- t1 = ~(a0); \
- t3 = (a2) ^ ((a1) & t1); \
- (b3) = (a3) ^ t3; \
- t6 = (a3) ^ t1; \
- (b2) = ((a1) | (a2)) ^ t6; \
- t1 = (a1) ^ (a3); \
- (a0) = t1 ^ (t3 & t6); \
- (b1) = t3 ^ ((b2) & t1); \
- } while (0)
-
-/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */
-#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \
- do { \
- uint32_t t1, t3, t6; \
- t1 = ~(a0); \
- t3 = (a2) ^ ((a1) & t1); \
- (b3) = (a3) ^ t3; \
- t6 = (a3) ^ t1; \
- (b2) = ((a1) | (a2)) ^ t6; \
- t1 = (a1) ^ (a3); \
- (a0) = t1 ^ (t3 & t6); \
- (b1) = t3 ^ ((b2) & t1); \
- } while (0)
-
-static void knot256_permute
- (knot256_state_t *state, const uint8_t *rc, uint8_t rounds)
-{
- uint64_t b1, b2, b3;
-
- /* Load the input state into local variables; each row is 64 bits */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- uint64_t x0 = state->S[0];
- uint64_t x1 = state->S[1];
- uint64_t x2 = state->S[2];
- uint64_t x3 = state->S[3];
-#else
- uint64_t x0 = le_load_word64(state->B);
- uint64_t x1 = le_load_word64(state->B + 8);
- uint64_t x2 = le_load_word64(state->B + 16);
- uint64_t x3 = le_load_word64(state->B + 24);
-#endif
-
- /* Perform all permutation rounds */
- for (; rounds > 0; --rounds) {
- /* Add the next round constant to the state */
- x0 ^= *rc++;
-
- /* Substitution layer */
- knot_sbox64(x0, x1, x2, x3, b1, b2, b3);
-
- /* Linear diffusion layer */
- x1 = leftRotate1_64(b1);
- x2 = leftRotate8_64(b2);
- x3 = leftRotate25_64(b3);
- }
-
- /* Store the local variables to the output state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->S[0] = x0;
- state->S[1] = x1;
- state->S[2] = x2;
- state->S[3] = x3;
-#else
- le_store_word64(state->B, x0);
- le_store_word64(state->B + 8, x1);
- le_store_word64(state->B + 16, x2);
-
le_store_word64(state->B + 24, x3);
-#endif
-}
-
-void knot256_permute_6(knot256_state_t *state, uint8_t rounds)
-{
- knot256_permute(state, rc6, rounds);
-}
-
-void knot256_permute_7(knot256_state_t *state, uint8_t rounds)
-{
- knot256_permute(state, rc7, rounds);
-}
-
-void knot384_permute_7(knot384_state_t *state, uint8_t rounds)
-{
- const uint8_t *rc = rc7;
- uint64_t b2, b4, b6;
- uint32_t b3, b5, b7;
-
- /* Load the input state into local variables; each row is 96 bits */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- uint64_t x0 = state->S[0];
- uint32_t x1 = state->W[2];
- uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32);
- uint32_t x3 = state->W[5];
- uint64_t x4 = state->S[3];
- uint32_t x5 = state->W[8];
- uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32);
- uint32_t x7 = state->W[11];
-#else
- uint64_t x0 = le_load_word64(state->B);
- uint32_t x1 = le_load_word32(state->B + 8);
- uint64_t x2 = le_load_word64(state->B + 12);
- uint32_t x3 = le_load_word32(state->B + 20);
- uint64_t x4 = le_load_word64(state->B + 24);
- uint32_t x5 = le_load_word32(state->B + 32);
- uint64_t x6 = le_load_word64(state->B + 36);
- uint32_t x7 = le_load_word32(state->B + 44);
-#endif
-
- /* Perform all permutation rounds */
- for (; rounds > 0; --rounds) {
- /* Add the next round constant to the state */
- x0 ^= *rc++;
-
- /* Substitution layer */
- knot_sbox64(x0, x2, x4, x6, b2, b4, b6);
- knot_sbox32(x1, x3, x5, x7, b3, b5, b7);
-
- /* Linear diffusion layer */
- #define leftRotateShort_96(a0, a1, b0, b1, bits) \
- do { \
- (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \
- (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \
- } while (0)
- #define leftRotateLong_96(a0, a1, b0, b1, bits) \
- do { \
- (a0) = ((b0) << (bits)) | \
- (((uint64_t)(b1)) << ((bits) - 32)) | \
- ((b0) >> (96 - (bits))); \
- (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \
- } while (0)
- leftRotateShort_96(x2, x3, b2, b3, 1);
- leftRotateShort_96(x4, x5, b4, b5, 8);
-
leftRotateLong_96(x6, x7, b6, b7, 55);
- }
-
- /* Store the local variables to the output state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->S[0] = x0;
- state->W[2] = x1;
- state->W[3] = (uint32_t)x2;
- state->W[4] = (uint32_t)(x2 >> 32);
- state->W[5] = x3;
- state->S[3] = x4;
- state->W[8] = x5;
- state->W[9] = (uint32_t)x6;
- state->W[10] = (uint32_t)(x6 >> 32);
- state->W[11] = x7;
-#else
- le_store_word64(state->B, x0);
- le_store_word32(state->B + 8, x1);
- le_store_word64(state->B + 12, x2);
- le_store_word32(state->B + 20, x3);
- le_store_word64(state->B + 24, x4);
- le_store_word32(state->B + 32, x5);
- le_store_word64(state->B + 36, x6);
- le_store_word32(state->B + 44, x7);
-#endif
-}
-
-static void knot512_permute
- (knot512_state_t *state, const uint8_t *rc, uint8_t rounds)
-{
- uint64_t b2, b3, b4, b5, b6, b7;
-
- /* Load the input state into local variables; each row is 128 bits */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- uint64_t x0 = state->S[0];
- uint64_t x1 = state->S[1];
- uint64_t x2 = state->S[2];
- uint64_t x3 = state->S[3];
- uint64_t x4 = state->S[4];
- uint64_t x5 = state->S[5];
- uint64_t x6 = state->S[6];
- uint64_t x7 = state->S[7];
-#else
- uint64_t x0 = le_load_word64(state->B);
- uint64_t x1 = le_load_word64(state->B + 8);
- uint64_t x2 = le_load_word64(state->B + 16);
- uint64_t x3 = le_load_word64(state->B + 24);
- uint64_t x4 = le_load_word64(state->B + 32);
- uint64_t x5 = le_load_word64(state->B + 40);
- uint64_t x6 = le_load_word64(state->B + 48);
- uint64_t x7 = le_load_word64(state->B + 56);
-#endif
-
- /* Perform all permutation rounds */
- for (; rounds > 0; --rounds) {
- /* Add the next round constant to the state */
- x0 ^= *rc++;
-
- /* Substitution layer */
- knot_sbox64(x0, x2, x4, x6, b2, b4, b6);
- knot_sbox64(x1, x3, x5, x7, b3, b5, b7);
-
- /* Linear diffusion layer */
- #define leftRotate_128(a0, a1, b0, b1, bits) \
- do { \
- (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \
- (a1) = ((b1) << (bits)) | ((b0)
>> (64 - (bits))); \
- } while (0)
- leftRotate_128(x2, x3, b2, b3, 1);
- leftRotate_128(x4, x5, b4, b5, 16);
- leftRotate_128(x6, x7, b6, b7, 25);
- }
-
- /* Store the local variables to the output state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->S[0] = x0;
- state->S[1] = x1;
- state->S[2] = x2;
- state->S[3] = x3;
- state->S[4] = x4;
- state->S[5] = x5;
- state->S[6] = x6;
- state->S[7] = x7;
-#else
- le_store_word64(state->B, x0);
- le_store_word64(state->B + 8, x1);
- le_store_word64(state->B + 16, x2);
- le_store_word64(state->B + 24, x3);
- le_store_word64(state->B + 32, x4);
- le_store_word64(state->B + 40, x5);
- le_store_word64(state->B + 48, x6);
- le_store_word64(state->B + 56, x7);
-#endif
-}
-
-void knot512_permute_7(knot512_state_t *state, uint8_t rounds)
-{
- knot512_permute(state, rc7, rounds);
-}
-
-void knot512_permute_8(knot512_state_t *state, uint8_t rounds)
-{
- knot512_permute(state, rc8, rounds);
-}
-
-#endif /* !__AVR__ */
diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot.h b/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot.h
deleted file mode 100644
index 88a782c..0000000
--- a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-knot.h
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_KNOT_H
-#define LW_INTERNAL_KNOT_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-knot.h
- * \brief Permutations that are used by the KNOT AEAD and hash algorithms.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Internal state of the KNOT-256 permutation.
- */
-typedef union
-{
- uint64_t S[4]; /**< Words of the state */
- uint8_t B[32]; /**< Bytes of the state */
-
-} knot256_state_t;
-
-/**
- * \brief Internal state of the KNOT-384 permutation.
- */
-typedef union
-{
- uint64_t S[6]; /**< 64-bit words of the state */
- uint32_t W[12]; /**< 32-bit words of the state */
- uint8_t B[48]; /**< Bytes of the state */
-
-} knot384_state_t;
-
-/**
- * \brief Internal state of the KNOT-512 permutation.
- */
-typedef union
-{
- uint64_t S[8]; /**< Words of the state */
- uint8_t B[64]; /**< Bytes of the state */
-
-} knot512_state_t;
-
-/**
- * \brief Permutes the KNOT-256 state, using 6-bit round constants.
- *
- * \param state The KNOT-256 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 52.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot256_permute_6(knot256_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-256 state, using 7-bit round constants.
- *
- * \param state The KNOT-256 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot256_permute_7(knot256_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-384 state, using 7-bit round constants.
- *
- * \param state The KNOT-384 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot384_permute_7(knot384_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-512 state, using 7-bit round constants.
- *
- * \param state The KNOT-512 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot512_permute_7(knot512_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-512 state, using 8-bit round constants.
- *
- * \param state The KNOT-512 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 140.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot512_permute_8(knot512_state_t *state, uint8_t rounds);
-
-/**
- * \brief Generic pointer to a function that performs a KNOT permutation.
- *
- * \param state Points to the permutation state.
- * \param round Number of rounds to perform.
- */
-typedef void (*knot_permute_t)(void *state, uint8_t rounds);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-util.h b/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/knot-hash.c b/knot/Implementations/crypto_hash/knot256v1/rhys-avr/knot-hash.c
deleted file mode 100644
index a4edecd..0000000
--- a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/knot-hash.c
+++ /dev/null
@@ -1,186 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "knot.h"
-#include "internal-knot.h"
-#include 
-
-aead_hash_algorithm_t const knot_hash_256_256_algorithm = {
- "KNOT-HASH-256-256",
- sizeof(int),
- KNOT_HASH_256_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_256_256,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const knot_hash_256_384_algorithm = {
- "KNOT-HASH-256-384",
- sizeof(int),
- KNOT_HASH_256_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_256_384,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const knot_hash_384_384_algorithm = {
- "KNOT-HASH-384-384",
- sizeof(int),
- KNOT_HASH_384_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_384_384,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const knot_hash_512_512_algorithm = {
- "KNOT-HASH-512-512",
- sizeof(int),
- KNOT_HASH_512_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_512_512,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \brief Input rate for KNOT-HASH-256-256.
- */
-#define KNOT_HASH_256_256_RATE 4
-
-/**
- * \brief Input rate for KNOT-HASH-256-384.
- */
-#define KNOT_HASH_256_384_RATE 16
-
-/**
- * \brief Input rate for KNOT-HASH-384-384.
- */
-#define KNOT_HASH_384_384_RATE 6
-
-/**
- * \brief Input rate for KNOT-HASH-512-512.
- */
-#define KNOT_HASH_512_512_RATE 8
-
-int knot_hash_256_256
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot256_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- while (inlen >= KNOT_HASH_256_256_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_256_256_RATE);
- knot256_permute_7(&state, 68);
- in += KNOT_HASH_256_256_RATE;
- inlen -= KNOT_HASH_256_256_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot256_permute_7(&state, 68);
- memcpy(out, state.B, KNOT_HASH_256_SIZE / 2);
- knot256_permute_7(&state, 68);
- memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2);
- return 0;
-}
-
-int knot_hash_256_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot384_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- state.B[sizeof(state.B) - 1] ^= 0x80;
- while (inlen >= KNOT_HASH_256_384_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_256_384_RATE);
- knot384_permute_7(&state, 80);
- in += KNOT_HASH_256_384_RATE;
- inlen -= KNOT_HASH_256_384_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot384_permute_7(&state, 80);
- memcpy(out, state.B, KNOT_HASH_256_SIZE / 2);
- knot384_permute_7(&state, 80);
- memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2);
- return 0;
-}
-
-int knot_hash_384_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot384_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- while (inlen >= KNOT_HASH_384_384_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_384_384_RATE);
- knot384_permute_7(&state, 104);
- in += KNOT_HASH_384_384_RATE;
- inlen -= KNOT_HASH_384_384_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot384_permute_7(&state, 104);
- memcpy(out, state.B, KNOT_HASH_384_SIZE / 2);
- knot384_permute_7(&state, 104);
- memcpy(out + KNOT_HASH_384_SIZE / 2, state.B, KNOT_HASH_384_SIZE / 2);
- return 0;
-}
-
-int knot_hash_512_512
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot512_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- while (inlen >= KNOT_HASH_512_512_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_512_512_RATE);
- knot512_permute_8(&state, 140);
- in += KNOT_HASH_512_512_RATE;
- inlen -= KNOT_HASH_512_512_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot512_permute_8(&state, 140);
- memcpy(out, state.B, KNOT_HASH_512_SIZE / 2);
- knot512_permute_8(&state, 140);
- memcpy(out + KNOT_HASH_512_SIZE / 2, state.B, KNOT_HASH_512_SIZE / 2);
- return 0;
-}
diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/knot.h b/knot/Implementations/crypto_hash/knot256v1/rhys-avr/knot.h
deleted file mode 100644
index e2c5198..0000000
--- a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/knot.h
+++ /dev/null
@@ -1,459 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_KNOT_H
-#define LWCRYPTO_KNOT_H
-
-#include "aead-common.h"
-
-/**
- * \file knot.h
- * \brief KNOT authenticated encryption and hash algorithms.
- *
- * KNOT is a family of authenticated encryption and hash algorithms built
- * around a permutation and the MonkeyDuplex sponge construction. The
- * family members are:
- *
- * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag, built around a 256-bit permutation. This is the primary
- * encryption member of the family.
- * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag, built around a 384-bit permutation.
- * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a
- * 192-bit tag, built around a 384-bit permutation.
- * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a
- * 256-bit tag, built around a 512-bit permutation.
- * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a
- * 256-bit permutation. This is the primary hashing member of the family.
- * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a
- * 384-bit permutation.
- * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a
- * 384-bit permutation.
- * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a
- * 512-bit permutation.
- *
- * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-128-256 and
- * KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_NONCE_SIZE 16
-
-/**
- * \brief Size of the key for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_KEY_SIZE 24
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_TAG_SIZE 24
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_NONCE_SIZE 24
-
-/**
- * \brief Size of the key for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_KEY_SIZE 32
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_TAG_SIZE 32
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_256_NONCE_SIZE 32
-
-/**
- * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384.
- */
-#define KNOT_HASH_256_SIZE 32
-
-/**
- * \brief Size of the hash for KNOT-HASH-384-384.
- */
-#define KNOT_HASH_384_SIZE 48
-
-/**
- * \brief Size of the hash for KNOT-HASH-512-512.
- */
-#define KNOT_HASH_512_SIZE 64
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-128-256 cipher.
- */
-extern aead_cipher_t const knot_aead_128_256_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-128-384 cipher.
- */
-extern aead_cipher_t const knot_aead_128_384_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-192-384 cipher.
- */
-extern aead_cipher_t const knot_aead_192_384_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-256-512 cipher.
- */
-extern aead_cipher_t const knot_aead_256_512_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-256-256 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_256_256_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-256-384 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_256_384_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-384-384 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_384_384_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-512-512 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_512_512_algorithm;
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_128_256_decrypt()
- */
-int knot_aead_128_256_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_128_256_encrypt()
- */
-int knot_aead_128_256_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_128_384_decrypt()
- */
-int knot_aead_128_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_128_384_encrypt()
- */
-int knot_aead_128_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_192_384_decrypt()
- */
-int knot_aead_192_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_192_384_encrypt()
- */
-int knot_aead_192_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_256_512_decrypt()
- */
-int knot_aead_256_512_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_256_512_encrypt()
- */
-int knot_aead_256_512_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-256-256.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_256_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_256_256
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-256-384.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_256_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_256_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-384-384.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_384_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_384_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-512-512.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_512_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_512_512
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/aead-common.c b/knot/Implementations/crypto_hash/knot256v1/rhys/aead-common.c
similarity index 100%
rename from ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/aead-common.c
rename to knot/Implementations/crypto_hash/knot256v1/rhys/aead-common.c
diff --git a/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/aead-common.h b/knot/Implementations/crypto_hash/knot256v1/rhys/aead-common.h
similarity index 100%
rename from ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/aead-common.h
rename to knot/Implementations/crypto_hash/knot256v1/rhys/aead-common.h
diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys/api.h b/knot/Implementations/crypto_hash/knot256v1/rhys/api.h
new file mode 100644
index 0000000..ae8c7f6
--- /dev/null
+++ b/knot/Implementations/crypto_hash/knot256v1/rhys/api.h
@@ -0,0 +1 @@
+#define CRYPTO_BYTES 32
diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys-avr/hash.c b/knot/Implementations/crypto_hash/knot256v1/rhys/hash.c
similarity index 100%
rename from knot/Implementations/crypto_hash/knot256v1/rhys-avr/hash.c
rename to knot/Implementations/crypto_hash/knot256v1/rhys/hash.c
diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot-256-avr.S b/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot-256-avr.S
new file mode 100644
index 0000000..15e6389
--- /dev/null
+++ b/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot-256-avr.S
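Review bot: The new api.h fixes the harness-visible digest length as `#define CRYPTO_BYTES 32` with nothing recording where that number comes from, so a future change to the hash's output size in the library header would not be caught here. The deleted knot.h on this page defines the same quantity as `KNOT_HASH_256_SIZE 32`, and hash.c (renamed in this commit, contents not shown) presumably writes that many bytes; a one-line comment such as `/* KNOT-HASH-256-256 digest length; must equal KNOT_HASH_256_SIZE in knot.h */` ties the two together for the next maintainer. If the build allows it, a `_Static_assert(CRYPTO_BYTES == KNOT_HASH_256_SIZE, "api.h out of sync")` in hash.c would make the check mechanical, but that belongs outside this one-line file.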
@@ -0,0 +1,1093 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_6, @object + .size table_6, 52 +table_6: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 33 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 49 + .byte 34 + .byte 5 + .byte 10 + .byte 20 + .byte 41 + .byte 19 + .byte 39 + .byte 15 + .byte 30 + .byte 61 + .byte 58 + .byte 52 + .byte 40 + .byte 17 + .byte 35 + .byte 7 + .byte 14 + .byte 28 + .byte 57 + .byte 50 + .byte 36 + .byte 9 + .byte 18 + .byte 37 + .byte 11 + .byte 22 + .byte 45 + .byte 27 + .byte 55 + .byte 46 + .byte 29 + .byte 59 + .byte 54 + .byte 44 + .byte 25 + .byte 51 + .byte 38 + .byte 13 + .byte 26 + .byte 53 + .byte 42 + + .text +.global knot256_permute_6 + .type knot256_permute_6, @function +knot256_permute_6: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + 
push r30 + ldi r30,lo8(table_6) + ldi r31,hi8(table_6) +#if defined(RAMPZ) + ldi r17,hh8(table_6) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + 
eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std 
Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 + ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_6, .-knot256_permute_6 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 
55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot256_permute_7 + .type knot256_permute_7, @function +knot256_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std 
Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + 
std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 
+ ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_7, .-knot256_permute_7 + +#endif diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot-384-avr.S b/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot-384-avr.S new file mode 100644 index 0000000..4d15898 --- /dev/null +++ b/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot-384-avr.S 
@@ -0,0 +1,833 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot384_permute_7 + .type knot384_permute_7, @function +knot384_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,72 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 87 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std 
Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + ldd r4,Z+16 + ldd r5,Z+17 + ldd r6,Z+18 + ldd r7,Z+19 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r4,Z+28 + ldd r5,Z+29 + ldd r6,Z+30 + ldd r7,Z+31 + ldd r8,Z+32 + ldd r9,Z+33 + ldd r10,Z+34 + ldd r11,Z+35 + std Y+25,r26 + std Y+26,r27 + std Y+27,r2 + std Y+28,r3 + std Y+29,r4 + std Y+30,r5 + std Y+31,r6 + std Y+32,r7 + std Y+33,r8 + std Y+34,r9 + std Y+35,r10 + std Y+36,r11 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+37,r26 + std Y+38,r27 + std Y+39,r2 + std Y+40,r3 + std Y+41,r4 + std Y+42,r5 + std Y+43,r6 + std Y+44,r7 + std Y+45,r8 + std Y+46,r9 + std Y+47,r10 + std Y+48,r11 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r24,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif +99: + ldd r12,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + inc r30 + ldd r18,Y+13 + ldd r19,Y+25 + ldd r20,Y+37 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+61,r23 + mov r14,r20 + eor r14,r12 + mov r26,r18 + or r26,r19 + eor r26,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+1,r21 + mov r21,r26 + and r21,r12 + eor r21,r13 + std Y+49,r21 + ldd r12,Y+2 + ldd r18,Y+14 + ldd r19,Y+26 + ldd r20,Y+38 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std 
Y+62,r23 + mov r14,r20 + eor r14,r12 + mov r27,r18 + or r27,r19 + eor r27,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+2,r21 + mov r21,r27 + and r21,r12 + eor r21,r13 + std Y+50,r21 + ldd r12,Y+3 + ldd r18,Y+15 + ldd r19,Y+27 + ldd r20,Y+39 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+63,r23 + mov r14,r20 + eor r14,r12 + mov r2,r18 + or r2,r19 + eor r2,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+3,r21 + mov r21,r2 + and r21,r12 + eor r21,r13 + std Y+51,r21 + ldd r12,Y+4 + ldd r18,Y+16 + ldd r19,Y+28 + ldd r20,Y+40 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,192 + sbci r29,255 + st Y,r23 + subi r28,64 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r3,r18 + or r3,r19 + eor r3,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+4,r21 + mov r21,r3 + and r21,r12 + eor r21,r13 + std Y+52,r21 + ldd r12,Y+5 + ldd r18,Y+17 + ldd r19,Y+29 + ldd r20,Y+41 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,191 + sbci r29,255 + st Y,r23 + subi r28,65 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r4,r18 + or r4,r19 + eor r4,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+5,r21 + mov r21,r4 + and r21,r12 + eor r21,r13 + std Y+53,r21 + ldd r12,Y+6 + ldd r18,Y+18 + ldd r19,Y+30 + ldd r20,Y+42 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,190 + sbci r29,255 + st Y,r23 + subi r28,66 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r5,r18 + or r5,r19 + eor r5,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+6,r21 + mov r21,r5 + and r21,r12 + eor r21,r13 + std Y+54,r21 + ldd r12,Y+7 + ldd r18,Y+19 + ldd r19,Y+31 + ldd r20,Y+43 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,189 + sbci r29,255 + st Y,r23 + 
subi r28,67 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r6,r18 + or r6,r19 + eor r6,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+7,r21 + mov r21,r6 + and r21,r12 + eor r21,r13 + std Y+55,r21 + ldd r12,Y+8 + ldd r18,Y+20 + ldd r19,Y+32 + ldd r20,Y+44 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,188 + sbci r29,255 + st Y,r23 + subi r28,68 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r7,r18 + or r7,r19 + eor r7,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+8,r21 + mov r21,r7 + and r21,r12 + eor r21,r13 + std Y+56,r21 + ldd r12,Y+9 + ldd r18,Y+21 + ldd r19,Y+33 + ldd r20,Y+45 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,187 + sbci r29,255 + st Y,r23 + subi r28,69 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r8,r18 + or r8,r19 + eor r8,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+9,r21 + mov r21,r8 + and r21,r12 + eor r21,r13 + std Y+57,r21 + ldd r12,Y+10 + ldd r18,Y+22 + ldd r19,Y+34 + ldd r20,Y+46 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,186 + sbci r29,255 + st Y,r23 + subi r28,70 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r9,r18 + or r9,r19 + eor r9,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+10,r21 + mov r21,r9 + and r21,r12 + eor r21,r13 + std Y+58,r21 + ldd r12,Y+11 + ldd r18,Y+23 + ldd r19,Y+35 + ldd r20,Y+47 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,185 + sbci r29,255 + st Y,r23 + subi r28,71 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r10,r18 + or r10,r19 + eor r10,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+11,r21 + mov r21,r10 + and r21,r12 + eor r21,r13 + std Y+59,r21 + ldd r12,Y+12 + ldd r18,Y+24 + ldd r19,Y+36 + ldd r20,Y+48 + com r12 + mov r13,r18 + and r13,r12 + eor 
r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,184 + sbci r29,255 + st Y,r23 + subi r28,72 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r11,r18 + or r11,r19 + eor r11,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+12,r21 + mov r21,r11 + and r21,r12 + eor r21,r13 + std Y+60,r21 + std Y+25,r11 + std Y+26,r26 + std Y+27,r27 + std Y+28,r2 + std Y+29,r3 + std Y+30,r4 + std Y+31,r5 + std Y+32,r6 + std Y+33,r7 + std Y+34,r8 + std Y+35,r9 + std Y+36,r10 + ldd r26,Y+49 + ldd r27,Y+50 + ldd r2,Y+51 + ldd r3,Y+52 + ldd r4,Y+53 + ldd r5,Y+54 + ldd r6,Y+55 + ldd r7,Y+56 + ldd r8,Y+57 + ldd r9,Y+58 + ldd r10,Y+59 + ldd r11,Y+60 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + adc r26,r1 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + adiw r28,61 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y + subi r28,72 + sbc r29,r1 + bst r26,0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r3 + ror r2 + ror r27 + ror r26 + bld r11,7 + std Y+37,r5 + std Y+38,r6 + std Y+39,r7 + std Y+40,r8 + std Y+41,r9 + std Y+42,r10 + std Y+43,r11 + std Y+44,r26 + std Y+45,r27 + std Y+46,r2 + std Y+47,r3 + std Y+48,r4 + dec r22 + breq 5542f + rjmp 99b +5542: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r2,Y+15 + ldd r3,Y+16 + ldd r4,Y+17 + ldd r5,Y+18 + ldd r6,Y+19 + ldd 
r7,Y+20 + ldd r8,Y+21 + ldd r9,Y+22 + ldd r10,Y+23 + ldd r11,Y+24 + std Z+12,r26 + std Z+13,r27 + std Z+14,r2 + std Z+15,r3 + std Z+16,r4 + std Z+17,r5 + std Z+18,r6 + std Z+19,r7 + std Z+20,r8 + std Z+21,r9 + std Z+22,r10 + std Z+23,r11 + ldd r26,Y+25 + ldd r27,Y+26 + ldd r2,Y+27 + ldd r3,Y+28 + ldd r4,Y+29 + ldd r5,Y+30 + ldd r6,Y+31 + ldd r7,Y+32 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + std Z+24,r26 + std Z+25,r27 + std Z+26,r2 + std Z+27,r3 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+32,r8 + std Z+33,r9 + std Z+34,r10 + std Z+35,r11 + ldd r26,Y+37 + ldd r27,Y+38 + ldd r2,Y+39 + ldd r3,Y+40 + ldd r4,Y+41 + ldd r5,Y+42 + ldd r6,Y+43 + ldd r7,Y+44 + ldd r8,Y+45 + ldd r9,Y+46 + ldd r10,Y+47 + ldd r11,Y+48 + std Z+36,r26 + std Z+37,r27 + std Z+38,r2 + std Z+39,r3 + std Z+40,r4 + std Z+41,r5 + std Z+42,r6 + std Z+43,r7 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + subi r28,184 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot384_permute_7, .-knot384_permute_7 + +#endif diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot-512-avr.S b/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot-512-avr.S new file mode 100644 index 0000000..6f92ac3 --- /dev/null +++ b/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot-512-avr.S 
@@ -0,0 +1,2315 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot512_permute_7 + .type knot512_permute_7, @function +knot512_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd 
r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 
+ ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + 
subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 + ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + 
mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor 
r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi 
r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std 
Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_7, .-knot512_permute_7 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_8, @object + .size table_8, 140 +table_8: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 17 + .byte 35 + .byte 71 + .byte 142 + .byte 28 + .byte 56 + .byte 113 + .byte 226 + .byte 196 + .byte 137 + .byte 18 + .byte 37 + .byte 75 + .byte 151 + .byte 46 + .byte 92 + .byte 184 + .byte 112 + .byte 224 + .byte 192 + .byte 129 + .byte 3 + .byte 6 + .byte 12 + .byte 25 + .byte 50 + .byte 100 + .byte 201 + .byte 146 + .byte 36 + .byte 73 + .byte 147 + .byte 38 + .byte 77 + .byte 155 + .byte 55 + .byte 110 + .byte 220 + .byte 185 + .byte 114 + .byte 228 + .byte 200 + .byte 144 + .byte 32 + .byte 65 + .byte 130 + .byte 5 
+ .byte 10 + .byte 21 + .byte 43 + .byte 86 + .byte 173 + .byte 91 + .byte 182 + .byte 109 + .byte 218 + .byte 181 + .byte 107 + .byte 214 + .byte 172 + .byte 89 + .byte 178 + .byte 101 + .byte 203 + .byte 150 + .byte 44 + .byte 88 + .byte 176 + .byte 97 + .byte 195 + .byte 135 + .byte 15 + .byte 31 + .byte 62 + .byte 125 + .byte 251 + .byte 246 + .byte 237 + .byte 219 + .byte 183 + .byte 111 + .byte 222 + .byte 189 + .byte 122 + .byte 245 + .byte 235 + .byte 215 + .byte 174 + .byte 93 + .byte 186 + .byte 116 + .byte 232 + .byte 209 + .byte 162 + .byte 68 + .byte 136 + .byte 16 + .byte 33 + .byte 67 + .byte 134 + .byte 13 + .byte 27 + .byte 54 + .byte 108 + .byte 216 + .byte 177 + .byte 99 + .byte 199 + .byte 143 + .byte 30 + .byte 60 + .byte 121 + .byte 243 + .byte 231 + .byte 206 + .byte 156 + .byte 57 + .byte 115 + .byte 230 + .byte 204 + .byte 152 + .byte 49 + .byte 98 + .byte 197 + .byte 139 + .byte 22 + .byte 45 + .byte 90 + .byte 180 + .byte 105 + .byte 210 + .byte 164 + .byte 72 + .byte 145 + .byte 34 + .byte 69 + + .text +.global knot512_permute_8 + .type knot512_permute_8, @function +knot512_permute_8: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd 
r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_8) + ldi r31,hi8(table_8) +#if defined(RAMPZ) + ldi r17,hh8(table_8) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 + ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor 
r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 
+ ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor 
r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov 
r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std 
Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std 
Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_8, .-knot512_permute_8 + +#endif diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot.c b/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot.c new file mode 100644 index 0000000..f8b378e --- /dev/null +++ b/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot.c 
@@ -0,0 +1,301 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "internal-knot.h"
+
+#if !defined(__AVR__)
+
+/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */
+static uint8_t const rc6[52] = {
+ 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22,
+ 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28,
+ 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b,
+ 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26,
+ 0x0d, 0x1a, 0x35, 0x2a
+};
+static uint8_t const rc7[104] = {
+ 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30,
+ 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c,
+ 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33,
+ 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f,
+ 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38,
+ 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36,
+ 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b,
+ 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25,
+ 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c
+};
+static uint8_t const rc8[140] = {
+ 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2,
+ 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0,
+ 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93,
+ 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20,
+ 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda,
+ 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0,
+ 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7,
+ 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8,
+ 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c,
+ 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c,
+ 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 0xc5, 0x8b, 0x16, 0x2d, 0x5a,
+ 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45
+};
+
+/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */
+#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \
+ do { \
+ uint64_t t1, t3, t6; \
+ t1 = ~(a0); \
+ t3 = (a2) ^ ((a1) & t1); \
+ (b3) = (a3) ^ t3; \
+ t6 = (a3) ^ t1; \
+ (b2) = ((a1) | (a2)) ^ t6; \
+ t1 = (a1) ^ (a3); \
+ (a0) = t1 ^ (t3 & t6); \
+ (b1) = t3 ^ ((b2) & t1); \
+ } while (0)
+
+/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */
+#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \
+ do { \
+ uint32_t t1, t3, t6; \
+ t1 = ~(a0); \
+ t3 = (a2) ^ ((a1) & t1); \
+ (b3) = (a3) ^ t3; \
+ t6 = (a3) ^ t1; \
+ (b2) = ((a1) | (a2)) ^ t6; \
+ t1 = (a1) ^ (a3); \
+ (a0) = t1 ^ (t3 & t6); \
+ (b1) = t3 ^ ((b2) & t1); \
+ } while (0)
+
+static void knot256_permute
+ (knot256_state_t *state, const uint8_t *rc, uint8_t rounds)
+{
+ uint64_t b1, b2, b3;
+
+ /* Load the input state into local variables; each row is 64 bits */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ uint64_t x0 = state->S[0];
+ uint64_t x1 = state->S[1];
+ uint64_t x2 = state->S[2];
+ uint64_t x3 = state->S[3];
+#else
+ uint64_t x0 = le_load_word64(state->B);
+ uint64_t x1 = le_load_word64(state->B + 8);
+ uint64_t x2 = le_load_word64(state->B + 16);
+ uint64_t x3 = le_load_word64(state->B + 24);
+#endif
+
+ /* Perform all permutation rounds */
+ for (; rounds > 0; --rounds) {
+ /* Add the next round constant to the state */
+ x0 ^= *rc++;
+
+ /* Substitution layer */
+ knot_sbox64(x0, x1, x2, x3, b1, b2, b3);
+
+ /* Linear diffusion layer */
+ x1 = leftRotate1_64(b1);
+ x2 = leftRotate8_64(b2);
+ x3 = leftRotate25_64(b3);
+ }
+
+ /* Store the local variables to the output state */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ state->S[0] = x0;
+ state->S[1] = x1;
+ state->S[2] = x2;
+ state->S[3] = x3;
+#else
+ le_store_word64(state->B, x0);
+ le_store_word64(state->B + 8, x1);
+ le_store_word64(state->B + 16, x2);
+ le_store_word64(state->B + 24, x3);
+#endif
+}
+
+void knot256_permute_6(knot256_state_t *state, uint8_t rounds)
+{
+ knot256_permute(state, rc6, rounds);
+}
+
+void knot256_permute_7(knot256_state_t *state, uint8_t rounds)
+{
+ knot256_permute(state, rc7, rounds);
+}
+
+void knot384_permute_7(knot384_state_t *state, uint8_t rounds)
+{
+ const uint8_t *rc = rc7;
+ uint64_t b2, b4, b6;
+ uint32_t b3, b5, b7;
+
+ /* Load the input state into local variables; each row is 96 bits */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ uint64_t x0 = state->S[0];
+ uint32_t x1 = state->W[2];
+ uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32);
+ uint32_t x3 = state->W[5];
+ uint64_t x4 = state->S[3];
+ uint32_t x5 = state->W[8];
+ uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32);
+ uint32_t x7 = state->W[11];
+#else
+ uint64_t x0 = le_load_word64(state->B);
+ uint32_t x1 = le_load_word32(state->B + 8);
+ uint64_t x2 = le_load_word64(state->B + 12);
+ uint32_t x3 = le_load_word32(state->B + 20);
+ uint64_t x4 = le_load_word64(state->B + 24);
+ uint32_t x5 = le_load_word32(state->B + 32);
+ uint64_t x6 = le_load_word64(state->B + 36);
+ uint32_t x7 = le_load_word32(state->B + 44);
+#endif
+
+ /* Perform all permutation rounds */
+ for (; rounds > 0; --rounds) {
+ /* Add the next round constant to the state */
+ x0 ^= *rc++;
+
+ /* Substitution layer */
+ knot_sbox64(x0, x2, x4, x6, b2, b4, b6);
+ knot_sbox32(x1, x3, x5, x7, b3, b5, b7);
+
+ /* Linear diffusion layer */
+ #define leftRotateShort_96(a0, a1, b0, b1, bits) \
+ do { \
+ (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \
+ (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \
+ } while (0)
+ #define leftRotateLong_96(a0, a1, b0, b1, bits) \
+ do { \
+ (a0) = ((b0) << (bits)) | \
+ (((uint64_t)(b1)) << ((bits) - 32)) | \
+ ((b0) >> (96 - (bits))); \
+ (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \
+ } while (0)
+ leftRotateShort_96(x2, x3, b2, b3, 1);
+ leftRotateShort_96(x4, x5, b4, b5, 8);
+ leftRotateLong_96(x6, x7, b6, b7, 55);
+ }
+
+ /* Store the local variables to the output state */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ state->S[0] = x0;
+ state->W[2] = x1;
+ state->W[3] = (uint32_t)x2;
+ state->W[4] = (uint32_t)(x2 >> 32);
+ state->W[5] = x3;
+ state->S[3] = x4;
+ state->W[8] = x5;
+ state->W[9] = (uint32_t)x6;
+ state->W[10] = (uint32_t)(x6 >> 32);
+ state->W[11] = x7;
+#else
+ le_store_word64(state->B, x0);
+ le_store_word32(state->B + 8, x1);
+ le_store_word64(state->B + 12, x2);
+ le_store_word32(state->B + 20, x3);
+ le_store_word64(state->B + 24, x4);
+ le_store_word32(state->B + 32, x5);
+ le_store_word64(state->B + 36, x6);
+ le_store_word32(state->B + 44, x7);
+#endif
+}
+
+static void knot512_permute
+ (knot512_state_t *state, const uint8_t *rc, uint8_t rounds)
+{
+ uint64_t b2, b3, b4, b5, b6, b7;
+
+ /* Load the input state into local variables; each row is 128 bits */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ uint64_t x0 = state->S[0];
+ uint64_t x1 = state->S[1];
+ uint64_t x2 = state->S[2];
+ uint64_t x3 = state->S[3];
+ uint64_t x4 = state->S[4];
+ uint64_t x5 = state->S[5];
+ uint64_t x6 = state->S[6];
+ uint64_t x7 = state->S[7];
+#else
+ uint64_t x0 = le_load_word64(state->B);
+ uint64_t x1 = le_load_word64(state->B + 8);
+ uint64_t x2 = le_load_word64(state->B + 16);
+ uint64_t x3 = le_load_word64(state->B + 24);
+ uint64_t x4 = le_load_word64(state->B + 32);
+ uint64_t x5 = le_load_word64(state->B + 40);
+ uint64_t x6 = le_load_word64(state->B + 48);
+ uint64_t x7 = le_load_word64(state->B + 56);
+#endif
+
+ /* Perform all permutation rounds */
+ for (; rounds > 0; --rounds) {
+ /* Add the next round constant to the state */
+ x0 ^= *rc++;
+
+ /* Substitution layer */
+ knot_sbox64(x0, x2, x4, x6, b2, b4, b6);
+ knot_sbox64(x1, x3, x5, x7, b3, b5, b7);
+
+ /* Linear diffusion layer */
+ #define leftRotate_128(a0, a1, b0, b1, bits) \
+ do { \
+ (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \
+ (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \
+ } while (0)
+ leftRotate_128(x2, x3, b2, b3, 1);
+ leftRotate_128(x4, x5, b4, b5, 16);
+ leftRotate_128(x6, x7, b6, b7, 25);
+ }
+
+ /* Store the local variables to the output state */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ state->S[0] = x0;
+ state->S[1] = x1;
+ state->S[2] = x2;
+ state->S[3] = x3;
+ state->S[4] = x4;
+ state->S[5] = x5;
+ state->S[6] = x6;
+ state->S[7] = x7;
+#else
+ le_store_word64(state->B, x0);
+ le_store_word64(state->B + 8, x1);
+ le_store_word64(state->B + 16, x2);
+ le_store_word64(state->B + 24, x3);
+ le_store_word64(state->B + 32, x4);
+ le_store_word64(state->B + 40, x5);
+ le_store_word64(state->B + 48, x6);
+ le_store_word64(state->B + 56, x7);
+#endif
+}
+
+void knot512_permute_7(knot512_state_t *state, uint8_t rounds)
+{
+ knot512_permute(state, rc7, rounds);
+}
+
+void knot512_permute_8(knot512_state_t *state, uint8_t rounds)
+{
+ knot512_permute(state, rc8, rounds);
+}
+
+#endif /* !__AVR__ */
diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot.h b/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot.h
new file mode 100644
index 0000000..88a782c
--- /dev/null
+++ b/knot/Implementations/crypto_hash/knot256v1/rhys/internal-knot.h
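Review bot: knot256_permute, knot384_permute_7 and knot512_permute consume one byte of the round-constant table per round (`x0 ^= *rc++;`) with no bound on `rounds`, so a caller passing more than the table length (52 for rc6, 104 for rc7, 140 for rc8) reads past the end of the static array. internal-knot.h documents the valid ranges but nothing in this file enforces them; the public wrappers are the natural place for a guard, e.g. in knot256_permute_6 `if (rounds > sizeof(rc6)) rounds = (uint8_t)sizeof(rc6);` with the same pattern for the rc7 and rc8 entry points. The callers visible in knot-hash.c pass 68, 80, 104 and 140, all within range, so this is defensive rather than a fix for current behaviour. Separately, the leftRotateShort_96, leftRotateLong_96 and leftRotate_128 helper macros are defined inside the round loops and never #undef'd, so they stay visible for the rest of the translation unit; hoisting them to file scope beside knot_sbox64 and knot_sbox32 would read more clearly.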
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LW_INTERNAL_KNOT_H
+#define LW_INTERNAL_KNOT_H
+
+#include "internal-util.h"
+
+/**
+ * \file internal-knot.h
+ * \brief Permutations that are used by the KNOT AEAD and hash algorithms.
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Internal state of the KNOT-256 permutation.
+ */
+typedef union
+{
+ uint64_t S[4]; /**< Words of the state */
+ uint8_t B[32]; /**< Bytes of the state */
+
+} knot256_state_t;
+
+/**
+ * \brief Internal state of the KNOT-384 permutation.
+ */
+typedef union
+{
+ uint64_t S[6]; /**< 64-bit words of the state */
+ uint32_t W[12]; /**< 32-bit words of the state */
+ uint8_t B[48]; /**< Bytes of the state */
+
+} knot384_state_t;
+
+/**
+ * \brief Internal state of the KNOT-512 permutation.
+ */
+typedef union
+{
+ uint64_t S[8]; /**< Words of the state */
+ uint8_t B[64]; /**< Bytes of the state */
+
+} knot512_state_t;
+
+/**
+ * \brief Permutes the KNOT-256 state, using 6-bit round constants.
+ *
+ * \param state The KNOT-256 state to be permuted.
+ * \param rounds The number of rounds to be performed, 1 to 52.
+ *
+ * The input and output \a state will be in little-endian byte order.
+ */
+void knot256_permute_6(knot256_state_t *state, uint8_t rounds);
+
+/**
+ * \brief Permutes the KNOT-256 state, using 7-bit round constants.
+ *
+ * \param state The KNOT-256 state to be permuted.
+ * \param rounds The number of rounds to be performed, 1 to 104.
+ *
+ * The input and output \a state will be in little-endian byte order.
+ */
+void knot256_permute_7(knot256_state_t *state, uint8_t rounds);
+
+/**
+ * \brief Permutes the KNOT-384 state, using 7-bit round constants.
+ *
+ * \param state The KNOT-384 state to be permuted.
+ * \param rounds The number of rounds to be performed, 1 to 104.
+ *
+ * The input and output \a state will be in little-endian byte order.
+ */
+void knot384_permute_7(knot384_state_t *state, uint8_t rounds);
+
+/**
+ * \brief Permutes the KNOT-512 state, using 7-bit round constants.
+ *
+ * \param state The KNOT-512 state to be permuted.
+ * \param rounds The number of rounds to be performed, 1 to 104.
+ *
+ * The input and output \a state will be in little-endian byte order.
+ */
+void knot512_permute_7(knot512_state_t *state, uint8_t rounds);
+
+/**
+ * \brief Permutes the KNOT-512 state, using 8-bit round constants.
+ *
+ * \param state The KNOT-512 state to be permuted.
+ * \param rounds The number of rounds to be performed, 1 to 140.
+ *
+ * The input and output \a state will be in little-endian byte order.
+ */
+void knot512_permute_8(knot512_state_t *state, uint8_t rounds);
+
+/**
+ * \brief Generic pointer to a function that performs a KNOT permutation.
+ *
+ * \param state Points to the permutation state.
+ * \param round Number of rounds to perform.
+ */
+typedef void (*knot_permute_t)(void *state, uint8_t rounds);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/internal-util.h b/knot/Implementations/crypto_hash/knot256v1/rhys/internal-util.h
similarity index 100%
rename from ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/internal-util.h
rename to knot/Implementations/crypto_hash/knot256v1/rhys/internal-util.h
diff --git a/knot/Implementations/crypto_hash/knot256v1/rhys/knot-hash.c b/knot/Implementations/crypto_hash/knot256v1/rhys/knot-hash.c
new file mode 100644
index 0000000..a4edecd
--- /dev/null
+++ b/knot/Implementations/crypto_hash/knot256v1/rhys/knot-hash.c
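Review bot: The knot_permute_t typedef documents its second parameter as `\param round` while the declaration names it `rounds`, so Doxygen will warn and the description will not attach; it should read `\param rounds Number of rounds to perform.`. The typedef also takes `void *state`, whereas every knot*_permute_* function declared above takes a typed union pointer, so storing one of them in a knot_permute_t needs a cast and calling through the mismatched pointer type is formally undefined in C11 (6.3.2.3p8) even though the representations coincide on the targets this code supports; a comment saying that this is intended, or thin adapters with the `void *` signature, would make the contract explicit. The callers that use knot_permute_t are not in this hunk, so I cannot tell which of those two options fits.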
@@ -0,0 +1,186 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "knot.h"
+#include "internal-knot.h"
+#include
+
+aead_hash_algorithm_t const knot_hash_256_256_algorithm = {
+ "KNOT-HASH-256-256",
+ sizeof(int),
+ KNOT_HASH_256_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ knot_hash_256_256,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+aead_hash_algorithm_t const knot_hash_256_384_algorithm = {
+ "KNOT-HASH-256-384",
+ sizeof(int),
+ KNOT_HASH_256_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ knot_hash_256_384,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+aead_hash_algorithm_t const knot_hash_384_384_algorithm = {
+ "KNOT-HASH-384-384",
+ sizeof(int),
+ KNOT_HASH_384_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ knot_hash_384_384,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+aead_hash_algorithm_t const knot_hash_512_512_algorithm = {
+ "KNOT-HASH-512-512",
+ sizeof(int),
+ KNOT_HASH_512_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ knot_hash_512_512,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+/**
+ * \brief Input rate for KNOT-HASH-256-256.
+ */
+#define KNOT_HASH_256_256_RATE 4
+
+/**
+ * \brief Input rate for KNOT-HASH-256-384.
+ */
+#define KNOT_HASH_256_384_RATE 16
+
+/**
+ * \brief Input rate for KNOT-HASH-384-384.
+ */
+#define KNOT_HASH_384_384_RATE 6
+
+/**
+ * \brief Input rate for KNOT-HASH-512-512.
+ */
+#define KNOT_HASH_512_512_RATE 8
+
+int knot_hash_256_256
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ knot256_state_t state;
+ unsigned temp;
+ memset(state.B, 0, sizeof(state.B));
+ while (inlen >= KNOT_HASH_256_256_RATE) {
+ lw_xor_block(state.B, in, KNOT_HASH_256_256_RATE);
+ knot256_permute_7(&state, 68);
+ in += KNOT_HASH_256_256_RATE;
+ inlen -= KNOT_HASH_256_256_RATE;
+ }
+ temp = (unsigned)inlen;
+ lw_xor_block(state.B, in, temp);
+ state.B[temp] ^= 0x01;
+ knot256_permute_7(&state, 68);
+ memcpy(out, state.B, KNOT_HASH_256_SIZE / 2);
+ knot256_permute_7(&state, 68);
+ memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2);
+ return 0;
+}
+
+int knot_hash_256_384
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ knot384_state_t state;
+ unsigned temp;
+ memset(state.B, 0, sizeof(state.B));
+ state.B[sizeof(state.B) - 1] ^= 0x80;
+ while (inlen >= KNOT_HASH_256_384_RATE) {
+ lw_xor_block(state.B, in, KNOT_HASH_256_384_RATE);
+ knot384_permute_7(&state, 80);
+ in += KNOT_HASH_256_384_RATE;
+ inlen -= KNOT_HASH_256_384_RATE;
+ }
+ temp = (unsigned)inlen;
+ lw_xor_block(state.B, in, temp);
+ state.B[temp] ^= 0x01;
+ knot384_permute_7(&state, 80);
+ memcpy(out, state.B, KNOT_HASH_256_SIZE / 2);
+ knot384_permute_7(&state, 80);
+ memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2);
+ return 0;
+}
+
+int knot_hash_384_384
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ knot384_state_t state;
+ unsigned temp;
+ memset(state.B, 0, sizeof(state.B));
+ while (inlen >= KNOT_HASH_384_384_RATE) {
+ lw_xor_block(state.B, in, KNOT_HASH_384_384_RATE);
+ knot384_permute_7(&state, 104);
+ in += KNOT_HASH_384_384_RATE;
+ inlen -= KNOT_HASH_384_384_RATE;
+ }
+ temp = (unsigned)inlen;
+ lw_xor_block(state.B, in, temp);
+ state.B[temp] ^= 0x01;
+ knot384_permute_7(&state, 104);
+ memcpy(out, state.B, KNOT_HASH_384_SIZE / 2);
+ knot384_permute_7(&state, 104);
+ memcpy(out + KNOT_HASH_384_SIZE / 2, state.B, KNOT_HASH_384_SIZE / 2);
+ return 0;
+}
+
+int knot_hash_512_512
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ knot512_state_t state;
+ unsigned temp;
+ memset(state.B, 0, sizeof(state.B));
+ while (inlen >= KNOT_HASH_512_512_RATE) {
+ lw_xor_block(state.B, in, KNOT_HASH_512_512_RATE);
+ knot512_permute_8(&state, 140);
+ in += KNOT_HASH_512_512_RATE;
+ inlen -= KNOT_HASH_512_512_RATE;
+ }
+ temp = (unsigned)inlen;
+ lw_xor_block(state.B, in, temp);
+ state.B[temp] ^= 0x01;
+ knot512_permute_8(&state, 140);
+ memcpy(out, state.B, KNOT_HASH_512_SIZE / 2);
+ knot512_permute_8(&state, 140);
+ memcpy(out + KNOT_HASH_512_SIZE / 2, state.B, KNOT_HASH_512_SIZE / 2);
+ return 0;
+}
diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/ascon128.h b/knot/Implementations/crypto_hash/knot256v1/rhys/knot.h
similarity index 58%
rename from ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/ascon128.h
rename to knot/Implementations/crypto_hash/knot256v1/rhys/knot.h
index fd9db13..e2c5198 100644
--- a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/ascon128.h
+++ b/knot/Implementations/crypto_hash/knot256v1/rhys/knot.h
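Review bot: In each of the four hash functions the padding write `state.B[temp] ^= 0x01;` is only in bounds because the preceding while loop guarantees `inlen < RATE` and every RATE constant is far below sizeof(state.B); that invariant deserves a comment at the `temp = (unsigned)inlen;` line, e.g. `/* inlen < RATE here, so temp indexes inside the rate portion of state.B */`, since nothing else protects the write if a rate is changed later. The four functions are otherwise the same absorb, pad and two-block squeeze skeleton, differing only in state type, rate, round count and permutation; a single static helper parameterised on those would keep the padding and squeeze logic in one place and make the KNOT-HASH-256-384 domain-separation byte (`state.B[sizeof(state.B) - 1] ^= 0x80;`) stand out as the one real difference. The functions always return 0 and never check `out` or `in`, which matches the rest of this library's style, but the public header should say so if it does not already.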
@@ -20,28 +20,38 @@
 * DEALINGS IN THE SOFTWARE.
 */
-#ifndef LWCRYPTO_ASCON_H
-#define LWCRYPTO_ASCON_H
+#ifndef LWCRYPTO_KNOT_H
+#define LWCRYPTO_KNOT_H
 #include "aead-common.h"
 /**
- * \file ascon128.h
- * \brief ASCON-128 encryption algorithm and related family members.
- *
- * The ASCON family consists of several related algorithms:
- *
- * \li ASCON-128 with a 128-bit key, a 128-bit nonce, a 128-bit authentication
- * tag, and a block rate of 64 bits.
- * \li ASCON-128a with a 128-bit key, a 128-bit nonce, a 128-bit authentication
- * tag, and a block rate of 128 bits. This is faster than ASCON-128 but may
- * not be as secure.
- * \li ASCON-80pq with a 160-bit key, a 128-bit nonce, a 128-bit authentication
- * tag, and a block rate of 64 bits. This is similar to ASCON-128 but has a
- * 160-bit key instead which may be more resistant against quantum computers.
- * \li ASCON-HASH with a 256-bit hash output.
- *
- * References: https://ascon.iaik.tugraz.at/
+ * \file knot.h
+ * \brief KNOT authenticated encryption and hash algorithms.
+ *
+ * KNOT is a family of authenticated encryption and hash algorithms built
+ * around a permutation and the MonkeyDuplex sponge construction. The
+ * family members are:
+ *
+ * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a
+ * 128-bit tag, built around a 256-bit permutation. This is the primary
+ * encryption member of the family.
+ * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a
+ * 128-bit tag, built around a 384-bit permutation.
+ * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a
+ * 192-bit tag, built around a 384-bit permutation.
+ * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a
+ * 256-bit tag, built around a 512-bit permutation.
+ * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a
+ * 256-bit permutation. This is the primary hashing member of the family.
+ * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a
+ * 384-bit permutation.
+ * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a
+ * 384-bit permutation.
+ * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a
+ * 512-bit permutation.
+ *
+ * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf
 */
 #ifdef __cplusplus
@@ -49,81 +59,108 @@ extern "C" {
 #endif
 /**
- * \brief Size of the key for ASCON-128 and ASCON-128a.
+ * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
+ */
+#define KNOT_AEAD_128_KEY_SIZE 16
+
+/**
+ * \brief Size of the authentication tag for KNOT-AEAD-128-256 and
+ * KNOT-AEAD-128-384.
+ */
+#define KNOT_AEAD_128_TAG_SIZE 16
+
+/**
+ * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
+ */
+#define KNOT_AEAD_128_NONCE_SIZE 16
+
+/**
+ * \brief Size of the key for KNOT-AEAD-192-384.
+ */
+#define KNOT_AEAD_192_KEY_SIZE 24
+
+/**
+ * \brief Size of the authentication tag for KNOT-AEAD-192-384.
 */
-#define ASCON128_KEY_SIZE 16
+#define KNOT_AEAD_192_TAG_SIZE 24
 /**
- * \brief Size of the nonce for ASCON-128 and ASCON-128a.
+ * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384.
 */
-#define ASCON128_NONCE_SIZE 16
+#define KNOT_AEAD_192_NONCE_SIZE 24
 /**
- * \brief Size of the authentication tag for ASCON-128 and ASCON-128a.
+ * \brief Size of the key for KNOT-AEAD-256-512.
 */
-#define ASCON128_TAG_SIZE 16
+#define KNOT_AEAD_256_KEY_SIZE 32
 /**
- * \brief Size of the key for ASCON-80pq.
+ * \brief Size of the authentication tag for KNOT-AEAD-256-512.
 */
-#define ASCON80PQ_KEY_SIZE 20
+#define KNOT_AEAD_256_TAG_SIZE 32
 /**
- * \brief Size of the nonce for ASCON-80pq.
+ * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
 */
-#define ASCON80PQ_NONCE_SIZE 16
+#define KNOT_AEAD_256_NONCE_SIZE 32
 /**
- * \brief Size of the authentication tag for ASCON-80pq.
+ * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384.
 */
-#define ASCON80PQ_TAG_SIZE 16
+#define KNOT_HASH_256_SIZE 32
 /**
- * \brief Size of the hash output for ASCON-HASH.
+ * \brief Size of the hash for KNOT-HASH-384-384.
 */
-#define ASCON_HASH_SIZE 32
+#define KNOT_HASH_384_SIZE 48
 /**
- * \brief State information for ASCON-HASH and ASCON-XOF incremental modes.
+ * \brief Size of the hash for KNOT-HASH-512-512.
 */
-typedef union
-{
- struct {
- unsigned char state[40]; /**< Current hash state */
- unsigned char count; /**< Number of bytes in the current block */
- unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */
- } s; /**< State */
- unsigned long long align; /**< For alignment of this structure */
+#define KNOT_HASH_512_SIZE 64
-} ascon_hash_state_t;
+/**
+ * \brief Meta-information block for the KNOT-AEAD-128-256 cipher.
+ */
+extern aead_cipher_t const knot_aead_128_256_cipher;
+
+/**
+ * \brief Meta-information block for the KNOT-AEAD-128-384 cipher.
+ */
+extern aead_cipher_t const knot_aead_128_384_cipher;
 /**
- * \brief Meta-information block for the ASCON-128 cipher.
+ * \brief Meta-information block for the KNOT-AEAD-192-384 cipher.
 */
-extern aead_cipher_t const ascon128_cipher;
+extern aead_cipher_t const knot_aead_192_384_cipher;
 /**
- * \brief Meta-information block for the ASCON-128a cipher.
+ * \brief Meta-information block for the KNOT-AEAD-256-512 cipher.
 */
-extern aead_cipher_t const ascon128a_cipher;
+extern aead_cipher_t const knot_aead_256_512_cipher;
 /**
- * \brief Meta-information block for the ASCON-80pq cipher.
+ * \brief Meta-information block for the KNOT-HASH-256-256 algorithm.
 */
-extern aead_cipher_t const ascon80pq_cipher;
+extern aead_hash_algorithm_t const knot_hash_256_256_algorithm;
 /**
- * \brief Meta-information block for the ASCON-HASH algorithm.
+ * \brief Meta-information block for the KNOT-HASH-256-384 algorithm.
 */
-extern aead_hash_algorithm_t const ascon_hash_algorithm;
+extern aead_hash_algorithm_t const knot_hash_256_384_algorithm;
 /**
- * \brief Meta-information block for the ASCON-XOF algorithm.
+ * \brief Meta-information block for the KNOT-HASH-384-384 algorithm.
 */
-extern aead_hash_algorithm_t const ascon_xof_algorithm;
+extern aead_hash_algorithm_t const knot_hash_384_384_algorithm;
 /**
- * \brief Encrypts and authenticates a packet with ASCON-128.
+ * \brief Meta-information block for the KNOT-HASH-512-512 algorithm.
+ */
+extern aead_hash_algorithm_t const knot_hash_512_512_algorithm;
+
+/**
+ * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256.
 *
 * \param c Buffer to receive the output.
 * \param clen On exit, set to the length of the output which includes
@@ -141,9 +178,9 @@ extern aead_hash_algorithm_t const ascon_xof_algorithm;
 * \return 0 on success, or a negative value if there was an error in
 * the parameters.
 *
- * \sa ascon128_aead_decrypt()
+ * \sa knot_aead_128_256_decrypt()
 */
-int ascon128_aead_encrypt
+int knot_aead_128_256_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
 const unsigned char *ad, unsigned long long adlen,
@@ -152,7 +189,7 @@ int ascon128_aead_encrypt
 const unsigned char *k);
 /**
- * \brief Decrypts and authenticates a packet with ASCON-128.
+ * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256.
 *
 * \param m Buffer to receive the plaintext message on output.
 * \param mlen Receives the length of the plaintext message on output.
@@ -171,9 +208,9 @@ int ascon128_aead_encrypt
 * \return 0 on success, -1 if the authentication tag was incorrect,
 * or some other negative number if there was an error in the parameters.
 *
- * \sa ascon128_aead_encrypt()
+ * \sa knot_aead_128_256_encrypt()
 */
-int ascon128_aead_decrypt
+int knot_aead_128_256_decrypt
 (unsigned char *m, unsigned long long *mlen,
 unsigned char *nsec,
 const unsigned char *c, unsigned long long clen,
@@ -182,7 +219,7 @@ int ascon128_aead_decrypt
 const unsigned char *k);
 /**
- * \brief Encrypts and authenticates a packet with ASCON-128a.
+ * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384.
 *
 * \param c Buffer to receive the output.
 * \param clen On exit, set to the length of the output which includes
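Review bot: Two of the new size macros in the `@@ -49,81 +59,108 @@` hunk carry copy-pasted descriptions: `KNOT_AEAD_192_NONCE_SIZE` is documented as the nonce size for KNOT-AEAD-128-256 and KNOT-AEAD-192-384, and `KNOT_AEAD_256_NONCE_SIZE` as the nonce size for KNOT-AEAD-128-256 and KNOT-AEAD-128-384, while the file comment above gives those members 192-bit and 256-bit nonces respectively. They should read `\brief Size of the nonce for KNOT-AEAD-192-384.` and `\brief Size of the nonce for KNOT-AEAD-256-512.`. The values themselves (24 and 32) agree with the file comment, so only the text is wrong.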
@@ -200,9 +237,9 @@ int ascon128_aead_decrypt
 * \return 0 on success, or a negative value if there was an error in
 * the parameters.
 *
- * \sa ascon128a_aead_decrypt()
+ * \sa knot_aead_128_384_decrypt()
 */
-int ascon128a_aead_encrypt
+int knot_aead_128_384_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
 const unsigned char *ad, unsigned long long adlen,
@@ -211,7 +248,7 @@ int ascon128a_aead_encrypt
 const unsigned char *k);
 /**
- * \brief Decrypts and authenticates a packet with ASCON-128a.
+ * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384.
 *
 * \param m Buffer to receive the plaintext message on output.
 * \param mlen Receives the length of the plaintext message on output.
@@ -230,9 +267,9 @@ int ascon128a_aead_encrypt
 * \return 0 on success, -1 if the authentication tag was incorrect,
 * or some other negative number if there was an error in the parameters.
 *
- * \sa ascon128a_aead_encrypt()
+ * \sa knot_aead_128_384_encrypt()
 */
-int ascon128a_aead_decrypt
+int knot_aead_128_384_decrypt
 (unsigned char *m, unsigned long long *mlen,
 unsigned char *nsec,
 const unsigned char *c, unsigned long long clen,
@@ -240,8 +277,9 @@ int ascon128a_aead_decrypt
 const unsigned char *npub,
 const unsigned char *k);
+
 /**
- * \brief Encrypts and authenticates a packet with ASCON-80pq.
+ * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384.
 *
 * \param c Buffer to receive the output.
 * \param clen On exit, set to the length of the output which includes
@@ -254,14 +292,14 @@ int ascon128a_aead_decrypt
 * \param nsec Secret nonce - not used by this algorithm.
 * \param npub Points to the public nonce for the packet which must
 * be 16 bytes in length.
- * \param k Points to the 20 bytes of the key to use to encrypt the packet.
+ * \param k Points to the 16 bytes of the key to use to encrypt the packet.
 *
 * \return 0 on success, or a negative value if there was an error in
 * the parameters.
 *
- * \sa ascon80pq_aead_decrypt()
+ * \sa knot_aead_192_384_decrypt()
 */
-int ascon80pq_aead_encrypt
+int knot_aead_192_384_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
 const unsigned char *ad, unsigned long long adlen,
@@ -270,7 +308,7 @@ int ascon80pq_aead_encrypt
 const unsigned char *k);
 /**
- * \brief Decrypts and authenticates a packet with ASCON-80pq.
+ * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384.
 *
 * \param m Buffer to receive the plaintext message on output.
 * \param mlen Receives the length of the plaintext message on output.
@@ -284,14 +322,14 @@ int ascon80pq_aead_encrypt
 * \param adlen Length of the associated data in bytes.
 * \param npub Points to the public nonce for the packet which must
 * be 16 bytes in length.
- * \param k Points to the 20 bytes of the key to use to decrypt the packet.
+ * \param k Points to the 16 bytes of the key to use to decrypt the packet.
 *
 * \return 0 on success, -1 if the authentication tag was incorrect,
 * or some other negative number if there was an error in the parameters.
 *
- * \sa ascon80pq_aead_encrypt()
+ * \sa knot_aead_192_384_encrypt()
 */
-int ascon80pq_aead_decrypt
+int knot_aead_192_384_decrypt
 (unsigned char *m, unsigned long long *mlen,
 unsigned char *nsec,
 const unsigned char *c, unsigned long long clen,
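Review bot: The KNOT-AEAD-192-384 encrypt and decrypt comments in the `@@ -254,14 +292,14 @@` and `@@ -284,14 +322,14 @@` hunks now say `\param k Points to the 16 bytes of the key`, but KNOT_AEAD_192_KEY_SIZE is defined as 24 earlier in this file and the file comment gives this member a 192-bit key, so the edit replaced the ASCON-80pq value of 20 with the wrong number. The unchanged context in the same two hunks also still says the public nonce must be 16 bytes in length, which conflicts with KNOT_AEAD_192_NONCE_SIZE (24). Both hunks should read `\param k Points to the 24 bytes of the key to use to encrypt the packet.` (with `decrypt` in the second) and the nonce sentence should say 24 bytes. The KNOT-AEAD-256-512 comments in the following hunk appear to have the same problem with 16 where 32 is expected for key, nonce and tag, but that hunk runs past the end of this view.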
@@ -300,106 +338,119 @@ int ascon80pq_aead_decrypt const unsigned char *k); /** - * \brief Hashes a block of input data with ASCON-HASH. + * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512. * - * \param out Buffer to receive the hash output which must be at least - * ASCON_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - * - * \sa ascon_hash_init(), ascon_hash_absorb(), ascon_hash_squeeze() - */ -int ascon_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for an ASCON-HASH hashing operation. + * \param c Buffer to receive the output. + * \param clen On exit, set to the length of the output which includes + * the ciphertext and the 16 byte authentication tag. + * \param m Buffer that contains the plaintext message to encrypt. + * \param mlen Length of the plaintext message in bytes. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param nsec Secret nonce - not used by this algorithm. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. * - * \param state Hash state to be initialized. + * \return 0 on success, or a negative value if there was an error in + * the parameters. 
* - * \sa ascon_hash_update(), ascon_hash_finalize(), ascon_hash() + * \sa knot_aead_256_512_decrypt() */ -void ascon_hash_init(ascon_hash_state_t *state); +int knot_aead_256_512_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); /** - * \brief Updates an ASCON-HASH state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. + * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512. * - * \sa ascon_hash_init(), ascon_hash_finalize() - */ -void ascon_hash_update - (ascon_hash_state_t *state, const unsigned char *in, - unsigned long long inlen); - -/** - * \brief Returns the final hash value from an ASCON-HASH hashing operation. + * \param m Buffer to receive the plaintext message on output. + * \param mlen Receives the length of the plaintext message on output. + * \param nsec Secret nonce - not used by this algorithm. + * \param c Buffer that contains the ciphertext and authentication + * tag to decrypt. + * \param clen Length of the input data in bytes, which includes the + * ciphertext and the 16 byte authentication tag. + * \param ad Buffer that contains associated data to authenticate + * along with the packet but which does not need to be encrypted. + * \param adlen Length of the associated data in bytes. + * \param npub Points to the public nonce for the packet which must + * be 16 bytes in length. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. * - * \param state Hash state to be finalized. - * \param out Points to the output buffer to receive the 32-byte hash value. 
+ * \return 0 on success, -1 if the authentication tag was incorrect, + * or some other negative number if there was an error in the parameters. * - * \sa ascon_hash_init(), ascon_hash_update() + * \sa knot_aead_256_512_encrypt() */ -void ascon_hash_finalize - (ascon_hash_state_t *state, unsigned char *out); +int knot_aead_256_512_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k); /** - * \brief Hashes a block of input data with ASCON-XOF and generates a - * fixed-length 32 byte output. + * \brief Hashes a block of input data with KNOT-HASH-256-256. * * \param out Buffer to receive the hash output which must be at least - * ASCON_HASH_SIZE bytes in length. + * KNOT_HASH_256_SIZE bytes in length. * \param in Points to the input data to be hashed. * \param inlen Length of the input data in bytes. * * \return Returns zero on success or -1 if there was an error in the * parameters. - * - * Use ascon_xof_squeeze() instead if you need variable-length XOF ouutput. - * - * \sa ascon_xof_init(), ascon_xof_absorb(), ascon_xof_squeeze() */ -int ascon_xof +int knot_hash_256_256 (unsigned char *out, const unsigned char *in, unsigned long long inlen); /** - * \brief Initializes the state for an ASCON-XOF hashing operation. + * \brief Hashes a block of input data with KNOT-HASH-256-384. * - * \param state Hash state to be initialized. + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_256_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. * - * \sa ascon_xof_absorb(), ascon_xof_squeeze(), ascon_xof() + * \return Returns zero on success or -1 if there was an error in the + * parameters. 
*/ -void ascon_xof_init(ascon_hash_state_t *state); +int knot_hash_256_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); /** - * \brief Aborbs more input data into an ASCON-XOF state. + * \brief Hashes a block of input data with KNOT-HASH-384-384. * - * \param state Hash state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_384_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. * - * \sa ascon_xof_init(), ascon_xof_squeeze() + * \return Returns zero on success or -1 if there was an error in the + * parameters. */ -void ascon_xof_absorb - (ascon_hash_state_t *state, const unsigned char *in, - unsigned long long inlen); +int knot_hash_384_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); /** - * \brief Squeezes output data from an ASCON-XOF state. + * \brief Hashes a block of input data with KNOT-HASH-512-512. * - * \param state Hash state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_512_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. * - * \sa ascon_xof_init(), ascon_xof_update() + * \return Returns zero on success or -1 if there was an error in the + * parameters. */ -void ascon_xof_squeeze - (ascon_hash_state_t *state, unsigned char *out, unsigned long long outlen); +int knot_hash_512_512 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); #ifdef __cplusplus } 
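Review bot: The new knot_aead_256_512_encrypt/decrypt documentation states a 16-byte key, a 16-byte nonce and a "16 byte authentication tag" (in both the `\param clen` lines and the key/nonce lines), which is hard to reconcile with a variant named KNOT-AEAD-256-512; these values appear to have been carried over from the 128-384 block above. The `clen` sentence is the one that matters for safety: a caller who sizes the output buffer as `mlen + 16` from this comment would overflow `c` if the implementation appends a larger tag, and a 16-byte nonce buffer would be over-read. I would rewrite the three size statements to match the variant, for example `\param clen On exit, set to the length of the output which includes the ciphertext and the 32 byte authentication tag.` if the tag is 256 bits, or better, refer to the size constants this header presumably defines (the hash comments already use `KNOT_HASH_256_SIZE` for that purpose); verify the actual values in the implementation, which is not in this diff. The knot_hash_* comments are otherwise consistent with their names.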
diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/aead-common.c b/knot/Implementations/crypto_hash/knot256v2/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/aead-common.h b/knot/Implementations/crypto_hash/knot256v2/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/api.h b/knot/Implementations/crypto_hash/knot256v2/rhys-avr/api.h deleted file mode 100644 index ae8c7f6..0000000 --- a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/api.h +++ /dev/null @@ -1 +0,0 @@ -#define CRYPTO_BYTES 32 diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot-256-avr.S b/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot-256-avr.S deleted file mode 100644 index 15e6389..0000000 --- a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot-256-avr.S +++ /dev/null 
@@ -1,1093 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_6, @object - .size table_6, 52 -table_6: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 33 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 49 - .byte 34 - .byte 5 - .byte 10 - .byte 20 - .byte 41 - .byte 19 - .byte 39 - .byte 15 - .byte 30 - .byte 61 - .byte 58 - .byte 52 - .byte 40 - .byte 17 - .byte 35 - .byte 7 - .byte 14 - .byte 28 - .byte 57 - .byte 50 - .byte 36 - .byte 9 - .byte 18 - .byte 37 - .byte 11 - .byte 22 - .byte 45 - .byte 27 - .byte 55 - .byte 46 - .byte 29 - .byte 59 - .byte 54 - .byte 44 - .byte 25 - .byte 51 - .byte 38 - .byte 13 - .byte 26 - .byte 53 - .byte 42 - - .text -.global knot256_permute_6 - .type knot256_permute_6, @function -knot256_permute_6: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - 
push r30 - ldi r30,lo8(table_6) - ldi r31,hi8(table_6) -#if defined(RAMPZ) - ldi r17,hh8(table_6) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - 
eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std 
Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 - ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_6, .-knot256_permute_6 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 
55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot256_permute_7 - .type knot256_permute_7, @function -knot256_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std 
Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - 
std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 
- ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_7, .-knot256_permute_7 - -#endif diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot-384-avr.S b/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot-384-avr.S deleted file mode 100644 index 4d15898..0000000 --- a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot-384-avr.S +++ /dev/null 
@@ -1,833 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot384_permute_7 - .type knot384_permute_7, @function -knot384_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,72 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 87 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std 
Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - ldd r4,Z+16 - ldd r5,Z+17 - ldd r6,Z+18 - ldd r7,Z+19 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r4,Z+28 - ldd r5,Z+29 - ldd r6,Z+30 - ldd r7,Z+31 - ldd r8,Z+32 - ldd r9,Z+33 - ldd r10,Z+34 - ldd r11,Z+35 - std Y+25,r26 - std Y+26,r27 - std Y+27,r2 - std Y+28,r3 - std Y+29,r4 - std Y+30,r5 - std Y+31,r6 - std Y+32,r7 - std Y+33,r8 - std Y+34,r9 - std Y+35,r10 - std Y+36,r11 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r2,Z+38 - ldd r3,Z+39 - ldd r4,Z+40 - ldd r5,Z+41 - ldd r6,Z+42 - ldd r7,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - std Y+37,r26 - std Y+38,r27 - std Y+39,r2 - std Y+40,r3 - std Y+41,r4 - std Y+42,r5 - std Y+43,r6 - std Y+44,r7 - std Y+45,r8 - std Y+46,r9 - std Y+47,r10 - std Y+48,r11 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r24,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif -99: - ldd r12,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r30 - ldd r18,Y+13 - ldd r19,Y+25 - ldd r20,Y+37 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+61,r23 - mov r14,r20 - eor r14,r12 - mov r26,r18 - or r26,r19 - eor r26,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+1,r21 - mov r21,r26 - and r21,r12 - eor r21,r13 - std Y+49,r21 - ldd r12,Y+2 - ldd r18,Y+14 - ldd r19,Y+26 - ldd r20,Y+38 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std 
Y+62,r23 - mov r14,r20 - eor r14,r12 - mov r27,r18 - or r27,r19 - eor r27,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+2,r21 - mov r21,r27 - and r21,r12 - eor r21,r13 - std Y+50,r21 - ldd r12,Y+3 - ldd r18,Y+15 - ldd r19,Y+27 - ldd r20,Y+39 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+63,r23 - mov r14,r20 - eor r14,r12 - mov r2,r18 - or r2,r19 - eor r2,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+3,r21 - mov r21,r2 - and r21,r12 - eor r21,r13 - std Y+51,r21 - ldd r12,Y+4 - ldd r18,Y+16 - ldd r19,Y+28 - ldd r20,Y+40 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,192 - sbci r29,255 - st Y,r23 - subi r28,64 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r3,r18 - or r3,r19 - eor r3,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+4,r21 - mov r21,r3 - and r21,r12 - eor r21,r13 - std Y+52,r21 - ldd r12,Y+5 - ldd r18,Y+17 - ldd r19,Y+29 - ldd r20,Y+41 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,191 - sbci r29,255 - st Y,r23 - subi r28,65 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r4,r18 - or r4,r19 - eor r4,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+5,r21 - mov r21,r4 - and r21,r12 - eor r21,r13 - std Y+53,r21 - ldd r12,Y+6 - ldd r18,Y+18 - ldd r19,Y+30 - ldd r20,Y+42 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,190 - sbci r29,255 - st Y,r23 - subi r28,66 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r5,r18 - or r5,r19 - eor r5,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+6,r21 - mov r21,r5 - and r21,r12 - eor r21,r13 - std Y+54,r21 - ldd r12,Y+7 - ldd r18,Y+19 - ldd r19,Y+31 - ldd r20,Y+43 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,189 - sbci r29,255 - st Y,r23 - 
subi r28,67 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r6,r18 - or r6,r19 - eor r6,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+7,r21 - mov r21,r6 - and r21,r12 - eor r21,r13 - std Y+55,r21 - ldd r12,Y+8 - ldd r18,Y+20 - ldd r19,Y+32 - ldd r20,Y+44 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,188 - sbci r29,255 - st Y,r23 - subi r28,68 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r7,r18 - or r7,r19 - eor r7,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+8,r21 - mov r21,r7 - and r21,r12 - eor r21,r13 - std Y+56,r21 - ldd r12,Y+9 - ldd r18,Y+21 - ldd r19,Y+33 - ldd r20,Y+45 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,187 - sbci r29,255 - st Y,r23 - subi r28,69 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r8,r18 - or r8,r19 - eor r8,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+9,r21 - mov r21,r8 - and r21,r12 - eor r21,r13 - std Y+57,r21 - ldd r12,Y+10 - ldd r18,Y+22 - ldd r19,Y+34 - ldd r20,Y+46 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,186 - sbci r29,255 - st Y,r23 - subi r28,70 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r9,r18 - or r9,r19 - eor r9,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+10,r21 - mov r21,r9 - and r21,r12 - eor r21,r13 - std Y+58,r21 - ldd r12,Y+11 - ldd r18,Y+23 - ldd r19,Y+35 - ldd r20,Y+47 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,185 - sbci r29,255 - st Y,r23 - subi r28,71 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r10,r18 - or r10,r19 - eor r10,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+11,r21 - mov r21,r10 - and r21,r12 - eor r21,r13 - std Y+59,r21 - ldd r12,Y+12 - ldd r18,Y+24 - ldd r19,Y+36 - ldd r20,Y+48 - com r12 - mov r13,r18 - and r13,r12 - eor 
r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,184 - sbci r29,255 - st Y,r23 - subi r28,72 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r11,r18 - or r11,r19 - eor r11,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+12,r21 - mov r21,r11 - and r21,r12 - eor r21,r13 - std Y+60,r21 - std Y+25,r11 - std Y+26,r26 - std Y+27,r27 - std Y+28,r2 - std Y+29,r3 - std Y+30,r4 - std Y+31,r5 - std Y+32,r6 - std Y+33,r7 - std Y+34,r8 - std Y+35,r9 - std Y+36,r10 - ldd r26,Y+49 - ldd r27,Y+50 - ldd r2,Y+51 - ldd r3,Y+52 - ldd r4,Y+53 - ldd r5,Y+54 - ldd r6,Y+55 - ldd r7,Y+56 - ldd r8,Y+57 - ldd r9,Y+58 - ldd r10,Y+59 - ldd r11,Y+60 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - adc r26,r1 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - adiw r28,61 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y - subi r28,72 - sbc r29,r1 - bst r26,0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r3 - ror r2 - ror r27 - ror r26 - bld r11,7 - std Y+37,r5 - std Y+38,r6 - std Y+39,r7 - std Y+40,r8 - std Y+41,r9 - std Y+42,r10 - std Y+43,r11 - std Y+44,r26 - std Y+45,r27 - std Y+46,r2 - std Y+47,r3 - std Y+48,r4 - dec r22 - breq 5542f - rjmp 99b -5542: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r2,Y+15 - ldd r3,Y+16 - ldd r4,Y+17 - ldd r5,Y+18 - ldd r6,Y+19 - ldd 
r7,Y+20 - ldd r8,Y+21 - ldd r9,Y+22 - ldd r10,Y+23 - ldd r11,Y+24 - std Z+12,r26 - std Z+13,r27 - std Z+14,r2 - std Z+15,r3 - std Z+16,r4 - std Z+17,r5 - std Z+18,r6 - std Z+19,r7 - std Z+20,r8 - std Z+21,r9 - std Z+22,r10 - std Z+23,r11 - ldd r26,Y+25 - ldd r27,Y+26 - ldd r2,Y+27 - ldd r3,Y+28 - ldd r4,Y+29 - ldd r5,Y+30 - ldd r6,Y+31 - ldd r7,Y+32 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - std Z+24,r26 - std Z+25,r27 - std Z+26,r2 - std Z+27,r3 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+32,r8 - std Z+33,r9 - std Z+34,r10 - std Z+35,r11 - ldd r26,Y+37 - ldd r27,Y+38 - ldd r2,Y+39 - ldd r3,Y+40 - ldd r4,Y+41 - ldd r5,Y+42 - ldd r6,Y+43 - ldd r7,Y+44 - ldd r8,Y+45 - ldd r9,Y+46 - ldd r10,Y+47 - ldd r11,Y+48 - std Z+36,r26 - std Z+37,r27 - std Z+38,r2 - std Z+39,r3 - std Z+40,r4 - std Z+41,r5 - std Z+42,r6 - std Z+43,r7 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - subi r28,184 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot384_permute_7, .-knot384_permute_7 - -#endif diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot-512-avr.S b/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot-512-avr.S deleted file mode 100644 index 6f92ac3..0000000 --- a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot-512-avr.S +++ /dev/null 
@@ -1,2315 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot512_permute_7 - .type knot512_permute_7, @function -knot512_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd 
r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 
- ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - 
subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 - ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - 
mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor 
r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi 
r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std 
Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_7, .-knot512_permute_7 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_8, @object - .size table_8, 140 -table_8: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 17 - .byte 35 - .byte 71 - .byte 142 - .byte 28 - .byte 56 - .byte 113 - .byte 226 - .byte 196 - .byte 137 - .byte 18 - .byte 37 - .byte 75 - .byte 151 - .byte 46 - .byte 92 - .byte 184 - .byte 112 - .byte 224 - .byte 192 - .byte 129 - .byte 3 - .byte 6 - .byte 12 - .byte 25 - .byte 50 - .byte 100 - .byte 201 - .byte 146 - .byte 36 - .byte 73 - .byte 147 - .byte 38 - .byte 77 - .byte 155 - .byte 55 - .byte 110 - .byte 220 - .byte 185 - .byte 114 - .byte 228 - .byte 200 - .byte 144 - .byte 32 - .byte 65 - .byte 130 - .byte 5 
- .byte 10 - .byte 21 - .byte 43 - .byte 86 - .byte 173 - .byte 91 - .byte 182 - .byte 109 - .byte 218 - .byte 181 - .byte 107 - .byte 214 - .byte 172 - .byte 89 - .byte 178 - .byte 101 - .byte 203 - .byte 150 - .byte 44 - .byte 88 - .byte 176 - .byte 97 - .byte 195 - .byte 135 - .byte 15 - .byte 31 - .byte 62 - .byte 125 - .byte 251 - .byte 246 - .byte 237 - .byte 219 - .byte 183 - .byte 111 - .byte 222 - .byte 189 - .byte 122 - .byte 245 - .byte 235 - .byte 215 - .byte 174 - .byte 93 - .byte 186 - .byte 116 - .byte 232 - .byte 209 - .byte 162 - .byte 68 - .byte 136 - .byte 16 - .byte 33 - .byte 67 - .byte 134 - .byte 13 - .byte 27 - .byte 54 - .byte 108 - .byte 216 - .byte 177 - .byte 99 - .byte 199 - .byte 143 - .byte 30 - .byte 60 - .byte 121 - .byte 243 - .byte 231 - .byte 206 - .byte 156 - .byte 57 - .byte 115 - .byte 230 - .byte 204 - .byte 152 - .byte 49 - .byte 98 - .byte 197 - .byte 139 - .byte 22 - .byte 45 - .byte 90 - .byte 180 - .byte 105 - .byte 210 - .byte 164 - .byte 72 - .byte 145 - .byte 34 - .byte 69 - - .text -.global knot512_permute_8 - .type knot512_permute_8, @function -knot512_permute_8: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd 
r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_8) - ldi r31,hi8(table_8) -#if defined(RAMPZ) - ldi r17,hh8(table_8) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 - ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor 
r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 
- ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor 
r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov 
r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std 
Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std 
Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_8, .-knot512_permute_8 - -#endif diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot.c b/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot.c deleted file mode 100644 index f8b378e..0000000 --- a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot.c +++ /dev/null 
@@ -1,301 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-knot.h" - -#if !defined(__AVR__) - -/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ -static uint8_t const rc6[52] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, - 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28, - 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b, - 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26, - 0x0d, 0x1a, 0x35, 0x2a -}; -static uint8_t const rc7[104] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30, - 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c, - 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33, - 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f, - 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38, - 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36, - 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b, - 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25, - 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c -}; -static uint8_t const rc8[140] = { - 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2, - 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0, - 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93, - 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20, - 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda, - 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0, - 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7, - 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8, - 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c, - 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c, - 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 
0xc5, 0x8b, 0x16, 0x2d, 0x5a, - 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45 -}; - -/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */ -#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \ - do { \ - uint64_t t1, t3, t6; \ - t1 = ~(a0); \ - t3 = (a2) ^ ((a1) & t1); \ - (b3) = (a3) ^ t3; \ - t6 = (a3) ^ t1; \ - (b2) = ((a1) | (a2)) ^ t6; \ - t1 = (a1) ^ (a3); \ - (a0) = t1 ^ (t3 & t6); \ - (b1) = t3 ^ ((b2) & t1); \ - } while (0) - -/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */ -#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \ - do { \ - uint32_t t1, t3, t6; \ - t1 = ~(a0); \ - t3 = (a2) ^ ((a1) & t1); \ - (b3) = (a3) ^ t3; \ - t6 = (a3) ^ t1; \ - (b2) = ((a1) | (a2)) ^ t6; \ - t1 = (a1) ^ (a3); \ - (a0) = t1 ^ (t3 & t6); \ - (b1) = t3 ^ ((b2) & t1); \ - } while (0) - -static void knot256_permute - (knot256_state_t *state, const uint8_t *rc, uint8_t rounds) -{ - uint64_t b1, b2, b3; - - /* Load the input state into local variables; each row is 64 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x1, x2, x3, b1, b2, b3); - - /* Linear diffusion layer */ - x1 = leftRotate1_64(b1); - x2 = leftRotate8_64(b2); - x3 = leftRotate25_64(b3); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - 
le_store_word64(state->B + 24, x3); -#endif -} - -void knot256_permute_6(knot256_state_t *state, uint8_t rounds) -{ - knot256_permute(state, rc6, rounds); -} - -void knot256_permute_7(knot256_state_t *state, uint8_t rounds) -{ - knot256_permute(state, rc7, rounds); -} - -void knot384_permute_7(knot384_state_t *state, uint8_t rounds) -{ - const uint8_t *rc = rc7; - uint64_t b2, b4, b6; - uint32_t b3, b5, b7; - - /* Load the input state into local variables; each row is 96 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint32_t x1 = state->W[2]; - uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32); - uint32_t x3 = state->W[5]; - uint64_t x4 = state->S[3]; - uint32_t x5 = state->W[8]; - uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32); - uint32_t x7 = state->W[11]; -#else - uint64_t x0 = le_load_word64(state->B); - uint32_t x1 = le_load_word32(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 12); - uint32_t x3 = le_load_word32(state->B + 20); - uint64_t x4 = le_load_word64(state->B + 24); - uint32_t x5 = le_load_word32(state->B + 32); - uint64_t x6 = le_load_word64(state->B + 36); - uint32_t x7 = le_load_word32(state->B + 44); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x2, x4, x6, b2, b4, b6); - knot_sbox32(x1, x3, x5, x7, b3, b5, b7); - - /* Linear diffusion layer */ - #define leftRotateShort_96(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \ - (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ - } while (0) - #define leftRotateLong_96(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | \ - (((uint64_t)(b1)) << ((bits) - 32)) | \ - ((b0) >> (96 - (bits))); \ - (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \ - } while (0) - leftRotateShort_96(x2, x3, b2, b3, 1); - leftRotateShort_96(x4, x5, b4, b5, 8); - 
leftRotateLong_96(x6, x7, b6, b7, 55); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->W[2] = x1; - state->W[3] = (uint32_t)x2; - state->W[4] = (uint32_t)(x2 >> 32); - state->W[5] = x3; - state->S[3] = x4; - state->W[8] = x5; - state->W[9] = (uint32_t)x6; - state->W[10] = (uint32_t)(x6 >> 32); - state->W[11] = x7; -#else - le_store_word64(state->B, x0); - le_store_word32(state->B + 8, x1); - le_store_word64(state->B + 12, x2); - le_store_word32(state->B + 20, x3); - le_store_word64(state->B + 24, x4); - le_store_word32(state->B + 32, x5); - le_store_word64(state->B + 36, x6); - le_store_word32(state->B + 44, x7); -#endif -} - -static void knot512_permute - (knot512_state_t *state, const uint8_t *rc, uint8_t rounds) -{ - uint64_t b2, b3, b4, b5, b6, b7; - - /* Load the input state into local variables; each row is 128 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; - uint64_t x4 = state->S[4]; - uint64_t x5 = state->S[5]; - uint64_t x6 = state->S[6]; - uint64_t x7 = state->S[7]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); - uint64_t x4 = le_load_word64(state->B + 32); - uint64_t x5 = le_load_word64(state->B + 40); - uint64_t x6 = le_load_word64(state->B + 48); - uint64_t x7 = le_load_word64(state->B + 56); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x2, x4, x6, b2, b4, b6); - knot_sbox64(x1, x3, x5, x7, b3, b5, b7); - - /* Linear diffusion layer */ - #define leftRotate_128(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \ - (a1) = ((b1) << (bits)) | ((b0) 
>> (64 - (bits))); \ - } while (0) - leftRotate_128(x2, x3, b2, b3, 1); - leftRotate_128(x4, x5, b4, b5, 16); - leftRotate_128(x6, x7, b6, b7, 25); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; - state->S[4] = x4; - state->S[5] = x5; - state->S[6] = x6; - state->S[7] = x7; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - le_store_word64(state->B + 24, x3); - le_store_word64(state->B + 32, x4); - le_store_word64(state->B + 40, x5); - le_store_word64(state->B + 48, x6); - le_store_word64(state->B + 56, x7); -#endif -} - -void knot512_permute_7(knot512_state_t *state, uint8_t rounds) -{ - knot512_permute(state, rc7, rounds); -} - -void knot512_permute_8(knot512_state_t *state, uint8_t rounds) -{ - knot512_permute(state, rc8, rounds); -} - -#endif /* !__AVR__ */ diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot.h b/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot.h deleted file mode 100644 index 88a782c..0000000 --- a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-knot.h +++ /dev/null 
@@ -1,130 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_KNOT_H -#define LW_INTERNAL_KNOT_H - -#include "internal-util.h" - -/** - * \file internal-knot.h - * \brief Permutations that are used by the KNOT AEAD and hash algorithms. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Internal state of the KNOT-256 permutation. - */ -typedef union -{ - uint64_t S[4]; /**< Words of the state */ - uint8_t B[32]; /**< Bytes of the state */ - -} knot256_state_t; - -/** - * \brief Internal state of the KNOT-384 permutation. - */ -typedef union -{ - uint64_t S[6]; /**< 64-bit words of the state */ - uint32_t W[12]; /**< 32-bit words of the state */ - uint8_t B[48]; /**< Bytes of the state */ - -} knot384_state_t; - -/** - * \brief Internal state of the KNOT-512 permutation. 
- */ -typedef union -{ - uint64_t S[8]; /**< Words of the state */ - uint8_t B[64]; /**< Bytes of the state */ - -} knot512_state_t; - -/** - * \brief Permutes the KNOT-256 state, using 6-bit round constants. - * - * \param state The KNOT-256 state to be permuted. - * \param rounds The number of rounds to be performed, 1 to 52. - * - * The input and output \a state will be in little-endian byte order. - */ -void knot256_permute_6(knot256_state_t *state, uint8_t rounds); - -/** - * \brief Permutes the KNOT-256 state, using 7-bit round constants. - * - * \param state The KNOT-256 state to be permuted. - * \param rounds The number of rounds to be performed, 1 to 104. - * - * The input and output \a state will be in little-endian byte order. - */ -void knot256_permute_7(knot256_state_t *state, uint8_t rounds); - -/** - * \brief Permutes the KNOT-384 state, using 7-bit round constants. - * - * \param state The KNOT-384 state to be permuted. - * \param rounds The number of rounds to be performed, 1 to 104. - * - * The input and output \a state will be in little-endian byte order. - */ -void knot384_permute_7(knot384_state_t *state, uint8_t rounds); - -/** - * \brief Permutes the KNOT-512 state, using 7-bit round constants. - * - * \param state The KNOT-512 state to be permuted. - * \param rounds The number of rounds to be performed, 1 to 104. - * - * The input and output \a state will be in little-endian byte order. - */ -void knot512_permute_7(knot512_state_t *state, uint8_t rounds); - -/** - * \brief Permutes the KNOT-512 state, using 8-bit round constants. - * - * \param state The KNOT-512 state to be permuted. - * \param rounds The number of rounds to be performed, 1 to 140. - * - * The input and output \a state will be in little-endian byte order. - */ -void knot512_permute_8(knot512_state_t *state, uint8_t rounds); - -/** - * \brief Generic pointer to a function that performs a KNOT permutation. - * - * \param state Points to the permutation state. 
- * \param round Number of rounds to perform. - */ -typedef void (*knot_permute_t)(void *state, uint8_t rounds); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-util.h b/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/knot-hash.c b/knot/Implementations/crypto_hash/knot256v2/rhys-avr/knot-hash.c deleted file mode 100644 index a4edecd..0000000 --- a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/knot-hash.c +++ /dev/null 
@@ -1,186 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "knot.h"
-#include "internal-knot.h"
-#include
-
-aead_hash_algorithm_t const knot_hash_256_256_algorithm = {
- "KNOT-HASH-256-256",
- sizeof(int),
- KNOT_HASH_256_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_256_256,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const knot_hash_256_384_algorithm = {
- "KNOT-HASH-256-384",
- sizeof(int),
- KNOT_HASH_256_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_256_384,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const knot_hash_384_384_algorithm = {
- "KNOT-HASH-384-384",
- sizeof(int),
- KNOT_HASH_384_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_384_384,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const knot_hash_512_512_algorithm = {
- "KNOT-HASH-512-512",
- sizeof(int),
- KNOT_HASH_512_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_512_512,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \brief Input rate for KNOT-HASH-256-256.
- */
-#define KNOT_HASH_256_256_RATE 4
-
-/**
- * \brief Input rate for KNOT-HASH-256-384.
- */
-#define KNOT_HASH_256_384_RATE 16
-
-/**
- * \brief Input rate for KNOT-HASH-384-384.
- */
-#define KNOT_HASH_384_384_RATE 6
-
-/**
- * \brief Input rate for KNOT-HASH-512-512.
- */
-#define KNOT_HASH_512_512_RATE 8
-
-int knot_hash_256_256
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot256_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- while (inlen >= KNOT_HASH_256_256_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_256_256_RATE);
- knot256_permute_7(&state, 68);
- in += KNOT_HASH_256_256_RATE;
- inlen -= KNOT_HASH_256_256_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot256_permute_7(&state, 68);
- memcpy(out, state.B, KNOT_HASH_256_SIZE / 2);
- knot256_permute_7(&state, 68);
- memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2);
- return 0;
-}
-
-int knot_hash_256_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot384_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- state.B[sizeof(state.B) - 1] ^= 0x80;
- while (inlen >= KNOT_HASH_256_384_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_256_384_RATE);
- knot384_permute_7(&state, 80);
- in += KNOT_HASH_256_384_RATE;
- inlen -= KNOT_HASH_256_384_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot384_permute_7(&state, 80);
- memcpy(out, state.B, KNOT_HASH_256_SIZE / 2);
- knot384_permute_7(&state, 80);
- memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2);
- return 0;
-}
-
-int knot_hash_384_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot384_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- while (inlen >= KNOT_HASH_384_384_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_384_384_RATE);
- knot384_permute_7(&state, 104);
- in += KNOT_HASH_384_384_RATE;
- inlen -= KNOT_HASH_384_384_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot384_permute_7(&state, 104);
- memcpy(out, state.B, KNOT_HASH_384_SIZE / 2);
- knot384_permute_7(&state, 104);
- memcpy(out + KNOT_HASH_384_SIZE / 2, state.B, KNOT_HASH_384_SIZE / 2);
- return 0;
-}
-
-int knot_hash_512_512
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot512_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- while (inlen >= KNOT_HASH_512_512_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_512_512_RATE);
- knot512_permute_8(&state, 140);
- in += KNOT_HASH_512_512_RATE;
- inlen -= KNOT_HASH_512_512_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot512_permute_8(&state, 140);
- memcpy(out, state.B, KNOT_HASH_512_SIZE / 2);
- knot512_permute_8(&state, 140);
- memcpy(out + KNOT_HASH_512_SIZE / 2, state.B, KNOT_HASH_512_SIZE / 2);
- return 0;
-}
diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/knot.h b/knot/Implementations/crypto_hash/knot256v2/rhys-avr/knot.h
deleted file mode 100644
index e2c5198..0000000
--- a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/knot.h
+++ /dev/null
@@ -1,459 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_KNOT_H -#define LWCRYPTO_KNOT_H - -#include "aead-common.h" - -/** - * \file knot.h - * \brief KNOT authenticated encryption and hash algorithms. - * - * KNOT is a family of authenticated encryption and hash algorithms built - * around a permutation and the MonkeyDuplex sponge construction. The - * family members are: - * - * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a - * 128-bit tag, built around a 256-bit permutation. This is the primary - * encryption member of the family. - * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a - * 128-bit tag, built around a 384-bit permutation. - * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a - * 192-bit tag, built around a 384-bit permutation. 
- * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a - * 256-bit tag, built around a 512-bit permutation. - * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a - * 256-bit permutation. This is the primary hashing member of the family. - * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a - * 384-bit permutation. - * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a - * 384-bit permutation. - * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a - * 512-bit permutation. - * - * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. - */ -#define KNOT_AEAD_128_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for KNOT-AEAD-128-256 and - * KNOT-AEAD-128-384. - */ -#define KNOT_AEAD_128_TAG_SIZE 16 - -/** - * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. - */ -#define KNOT_AEAD_128_NONCE_SIZE 16 - -/** - * \brief Size of the key for KNOT-AEAD-192-384. - */ -#define KNOT_AEAD_192_KEY_SIZE 24 - -/** - * \brief Size of the authentication tag for KNOT-AEAD-192-384. - */ -#define KNOT_AEAD_192_TAG_SIZE 24 - -/** - * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384. - */ -#define KNOT_AEAD_192_NONCE_SIZE 24 - -/** - * \brief Size of the key for KNOT-AEAD-256-512. - */ -#define KNOT_AEAD_256_KEY_SIZE 32 - -/** - * \brief Size of the authentication tag for KNOT-AEAD-256-512. - */ -#define KNOT_AEAD_256_TAG_SIZE 32 - -/** - * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. - */ -#define KNOT_AEAD_256_NONCE_SIZE 32 - -/** - * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384. - */ -#define KNOT_HASH_256_SIZE 32 - -/** - * \brief Size of the hash for KNOT-HASH-384-384. 
- */ -#define KNOT_HASH_384_SIZE 48 - -/** - * \brief Size of the hash for KNOT-HASH-512-512. - */ -#define KNOT_HASH_512_SIZE 64 - -/** - * \brief Meta-information block for the KNOT-AEAD-128-256 cipher. - */ -extern aead_cipher_t const knot_aead_128_256_cipher; - -/** - * \brief Meta-information block for the KNOT-AEAD-128-384 cipher. - */ -extern aead_cipher_t const knot_aead_128_384_cipher; - -/** - * \brief Meta-information block for the KNOT-AEAD-192-384 cipher. - */ -extern aead_cipher_t const knot_aead_192_384_cipher; - -/** - * \brief Meta-information block for the KNOT-AEAD-256-512 cipher. - */ -extern aead_cipher_t const knot_aead_256_512_cipher; - -/** - * \brief Meta-information block for the KNOT-HASH-256-256 algorithm. - */ -extern aead_hash_algorithm_t const knot_hash_256_256_algorithm; - -/** - * \brief Meta-information block for the KNOT-HASH-256-384 algorithm. - */ -extern aead_hash_algorithm_t const knot_hash_256_384_algorithm; - -/** - * \brief Meta-information block for the KNOT-HASH-384-384 algorithm. - */ -extern aead_hash_algorithm_t const knot_hash_384_384_algorithm; - -/** - * \brief Meta-information block for the KNOT-HASH-512-512 algorithm. - */ -extern aead_hash_algorithm_t const knot_hash_512_512_algorithm; - -/** - * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. 
- * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa knot_aead_128_256_decrypt() - */ -int knot_aead_128_256_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa knot_aead_128_256_encrypt() - */ -int knot_aead_128_256_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384. - * - * \param c Buffer to receive the output. 
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_128_384_decrypt()
- */
-int knot_aead_128_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_128_384_encrypt()
- */
-int knot_aead_128_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_192_384_decrypt()
- */
-int knot_aead_192_384_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_192_384_encrypt()
- */
-int knot_aead_192_384_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_256_512_decrypt()
- */
-int knot_aead_256_512_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_256_512_encrypt()
- */
-int knot_aead_256_512_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-256-256.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_256_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_256_256
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-256-384.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_256_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_256_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-384-384.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_384_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_384_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with KNOT-HASH-512-512.
- *
- * \param out Buffer to receive the hash output which must be at least
- * KNOT_HASH_512_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int knot_hash_512_512
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/aead-common.c b/knot/Implementations/crypto_hash/knot256v2/rhys/aead-common.c
similarity index 100%
rename from comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/aead-common.c
rename to knot/Implementations/crypto_hash/knot256v2/rhys/aead-common.c
diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/aead-common.h b/knot/Implementations/crypto_hash/knot256v2/rhys/aead-common.h
similarity index 100%
rename from comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/aead-common.h
rename to knot/Implementations/crypto_hash/knot256v2/rhys/aead-common.h
diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys/api.h b/knot/Implementations/crypto_hash/knot256v2/rhys/api.h
new file mode 100644
index 0000000..ae8c7f6
--- /dev/null
+++ b/knot/Implementations/crypto_hash/knot256v2/rhys/api.h
@@ -0,0 +1 @@
+#define CRYPTO_BYTES 32
diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys-avr/hash.c b/knot/Implementations/crypto_hash/knot256v2/rhys/hash.c
similarity index 100%
rename from knot/Implementations/crypto_hash/knot256v2/rhys-avr/hash.c
rename to knot/Implementations/crypto_hash/knot256v2/rhys/hash.c
diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot-256-avr.S b/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot-256-avr.S
new file mode 100644
index 0000000..15e6389
--- /dev/null
+++ b/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot-256-avr.S
@@ -0,0 +1,1093 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_6, @object + .size table_6, 52 +table_6: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 33 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 49 + .byte 34 + .byte 5 + .byte 10 + .byte 20 + .byte 41 + .byte 19 + .byte 39 + .byte 15 + .byte 30 + .byte 61 + .byte 58 + .byte 52 + .byte 40 + .byte 17 + .byte 35 + .byte 7 + .byte 14 + .byte 28 + .byte 57 + .byte 50 + .byte 36 + .byte 9 + .byte 18 + .byte 37 + .byte 11 + .byte 22 + .byte 45 + .byte 27 + .byte 55 + .byte 46 + .byte 29 + .byte 59 + .byte 54 + .byte 44 + .byte 25 + .byte 51 + .byte 38 + .byte 13 + .byte 26 + .byte 53 + .byte 42 + + .text +.global knot256_permute_6 + .type knot256_permute_6, @function +knot256_permute_6: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + 
push r30 + ldi r30,lo8(table_6) + ldi r31,hi8(table_6) +#if defined(RAMPZ) + ldi r17,hh8(table_6) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + 
eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std 
Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 + ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_6, .-knot256_permute_6 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 
55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot256_permute_7 + .type knot256_permute_7, @function +knot256_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std 
Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + 
std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 
+ ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_7, .-knot256_permute_7 + +#endif diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot-384-avr.S b/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot-384-avr.S new file mode 100644 index 0000000..4d15898 --- /dev/null +++ b/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot-384-avr.S 
@@ -0,0 +1,833 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot384_permute_7 + .type knot384_permute_7, @function +knot384_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,72 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 87 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std 
Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + ldd r4,Z+16 + ldd r5,Z+17 + ldd r6,Z+18 + ldd r7,Z+19 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r4,Z+28 + ldd r5,Z+29 + ldd r6,Z+30 + ldd r7,Z+31 + ldd r8,Z+32 + ldd r9,Z+33 + ldd r10,Z+34 + ldd r11,Z+35 + std Y+25,r26 + std Y+26,r27 + std Y+27,r2 + std Y+28,r3 + std Y+29,r4 + std Y+30,r5 + std Y+31,r6 + std Y+32,r7 + std Y+33,r8 + std Y+34,r9 + std Y+35,r10 + std Y+36,r11 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+37,r26 + std Y+38,r27 + std Y+39,r2 + std Y+40,r3 + std Y+41,r4 + std Y+42,r5 + std Y+43,r6 + std Y+44,r7 + std Y+45,r8 + std Y+46,r9 + std Y+47,r10 + std Y+48,r11 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r24,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif +99: + ldd r12,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + inc r30 + ldd r18,Y+13 + ldd r19,Y+25 + ldd r20,Y+37 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+61,r23 + mov r14,r20 + eor r14,r12 + mov r26,r18 + or r26,r19 + eor r26,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+1,r21 + mov r21,r26 + and r21,r12 + eor r21,r13 + std Y+49,r21 + ldd r12,Y+2 + ldd r18,Y+14 + ldd r19,Y+26 + ldd r20,Y+38 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std 
Y+62,r23 + mov r14,r20 + eor r14,r12 + mov r27,r18 + or r27,r19 + eor r27,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+2,r21 + mov r21,r27 + and r21,r12 + eor r21,r13 + std Y+50,r21 + ldd r12,Y+3 + ldd r18,Y+15 + ldd r19,Y+27 + ldd r20,Y+39 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+63,r23 + mov r14,r20 + eor r14,r12 + mov r2,r18 + or r2,r19 + eor r2,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+3,r21 + mov r21,r2 + and r21,r12 + eor r21,r13 + std Y+51,r21 + ldd r12,Y+4 + ldd r18,Y+16 + ldd r19,Y+28 + ldd r20,Y+40 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,192 + sbci r29,255 + st Y,r23 + subi r28,64 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r3,r18 + or r3,r19 + eor r3,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+4,r21 + mov r21,r3 + and r21,r12 + eor r21,r13 + std Y+52,r21 + ldd r12,Y+5 + ldd r18,Y+17 + ldd r19,Y+29 + ldd r20,Y+41 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,191 + sbci r29,255 + st Y,r23 + subi r28,65 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r4,r18 + or r4,r19 + eor r4,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+5,r21 + mov r21,r4 + and r21,r12 + eor r21,r13 + std Y+53,r21 + ldd r12,Y+6 + ldd r18,Y+18 + ldd r19,Y+30 + ldd r20,Y+42 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,190 + sbci r29,255 + st Y,r23 + subi r28,66 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r5,r18 + or r5,r19 + eor r5,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+6,r21 + mov r21,r5 + and r21,r12 + eor r21,r13 + std Y+54,r21 + ldd r12,Y+7 + ldd r18,Y+19 + ldd r19,Y+31 + ldd r20,Y+43 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,189 + sbci r29,255 + st Y,r23 + 
subi r28,67 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r6,r18 + or r6,r19 + eor r6,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+7,r21 + mov r21,r6 + and r21,r12 + eor r21,r13 + std Y+55,r21 + ldd r12,Y+8 + ldd r18,Y+20 + ldd r19,Y+32 + ldd r20,Y+44 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,188 + sbci r29,255 + st Y,r23 + subi r28,68 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r7,r18 + or r7,r19 + eor r7,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+8,r21 + mov r21,r7 + and r21,r12 + eor r21,r13 + std Y+56,r21 + ldd r12,Y+9 + ldd r18,Y+21 + ldd r19,Y+33 + ldd r20,Y+45 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,187 + sbci r29,255 + st Y,r23 + subi r28,69 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r8,r18 + or r8,r19 + eor r8,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+9,r21 + mov r21,r8 + and r21,r12 + eor r21,r13 + std Y+57,r21 + ldd r12,Y+10 + ldd r18,Y+22 + ldd r19,Y+34 + ldd r20,Y+46 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,186 + sbci r29,255 + st Y,r23 + subi r28,70 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r9,r18 + or r9,r19 + eor r9,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+10,r21 + mov r21,r9 + and r21,r12 + eor r21,r13 + std Y+58,r21 + ldd r12,Y+11 + ldd r18,Y+23 + ldd r19,Y+35 + ldd r20,Y+47 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,185 + sbci r29,255 + st Y,r23 + subi r28,71 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r10,r18 + or r10,r19 + eor r10,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+11,r21 + mov r21,r10 + and r21,r12 + eor r21,r13 + std Y+59,r21 + ldd r12,Y+12 + ldd r18,Y+24 + ldd r19,Y+36 + ldd r20,Y+48 + com r12 + mov r13,r18 + and r13,r12 + eor 
r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,184 + sbci r29,255 + st Y,r23 + subi r28,72 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r11,r18 + or r11,r19 + eor r11,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+12,r21 + mov r21,r11 + and r21,r12 + eor r21,r13 + std Y+60,r21 + std Y+25,r11 + std Y+26,r26 + std Y+27,r27 + std Y+28,r2 + std Y+29,r3 + std Y+30,r4 + std Y+31,r5 + std Y+32,r6 + std Y+33,r7 + std Y+34,r8 + std Y+35,r9 + std Y+36,r10 + ldd r26,Y+49 + ldd r27,Y+50 + ldd r2,Y+51 + ldd r3,Y+52 + ldd r4,Y+53 + ldd r5,Y+54 + ldd r6,Y+55 + ldd r7,Y+56 + ldd r8,Y+57 + ldd r9,Y+58 + ldd r10,Y+59 + ldd r11,Y+60 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + adc r26,r1 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + adiw r28,61 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y + subi r28,72 + sbc r29,r1 + bst r26,0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r3 + ror r2 + ror r27 + ror r26 + bld r11,7 + std Y+37,r5 + std Y+38,r6 + std Y+39,r7 + std Y+40,r8 + std Y+41,r9 + std Y+42,r10 + std Y+43,r11 + std Y+44,r26 + std Y+45,r27 + std Y+46,r2 + std Y+47,r3 + std Y+48,r4 + dec r22 + breq 5542f + rjmp 99b +5542: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r2,Y+15 + ldd r3,Y+16 + ldd r4,Y+17 + ldd r5,Y+18 + ldd r6,Y+19 + ldd 
r7,Y+20 + ldd r8,Y+21 + ldd r9,Y+22 + ldd r10,Y+23 + ldd r11,Y+24 + std Z+12,r26 + std Z+13,r27 + std Z+14,r2 + std Z+15,r3 + std Z+16,r4 + std Z+17,r5 + std Z+18,r6 + std Z+19,r7 + std Z+20,r8 + std Z+21,r9 + std Z+22,r10 + std Z+23,r11 + ldd r26,Y+25 + ldd r27,Y+26 + ldd r2,Y+27 + ldd r3,Y+28 + ldd r4,Y+29 + ldd r5,Y+30 + ldd r6,Y+31 + ldd r7,Y+32 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + std Z+24,r26 + std Z+25,r27 + std Z+26,r2 + std Z+27,r3 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+32,r8 + std Z+33,r9 + std Z+34,r10 + std Z+35,r11 + ldd r26,Y+37 + ldd r27,Y+38 + ldd r2,Y+39 + ldd r3,Y+40 + ldd r4,Y+41 + ldd r5,Y+42 + ldd r6,Y+43 + ldd r7,Y+44 + ldd r8,Y+45 + ldd r9,Y+46 + ldd r10,Y+47 + ldd r11,Y+48 + std Z+36,r26 + std Z+37,r27 + std Z+38,r2 + std Z+39,r3 + std Z+40,r4 + std Z+41,r5 + std Z+42,r6 + std Z+43,r7 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + subi r28,184 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot384_permute_7, .-knot384_permute_7 + +#endif diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot-512-avr.S b/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot-512-avr.S new file mode 100644 index 0000000..6f92ac3 --- /dev/null +++ b/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot-512-avr.S 
@@ -0,0 +1,2315 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot512_permute_7 + .type knot512_permute_7, @function +knot512_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd 
r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 
+ ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + 
subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 + ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + 
mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor 
r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi 
r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std 
Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_7, .-knot512_permute_7 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_8, @object + .size table_8, 140 +table_8: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 17 + .byte 35 + .byte 71 + .byte 142 + .byte 28 + .byte 56 + .byte 113 + .byte 226 + .byte 196 + .byte 137 + .byte 18 + .byte 37 + .byte 75 + .byte 151 + .byte 46 + .byte 92 + .byte 184 + .byte 112 + .byte 224 + .byte 192 + .byte 129 + .byte 3 + .byte 6 + .byte 12 + .byte 25 + .byte 50 + .byte 100 + .byte 201 + .byte 146 + .byte 36 + .byte 73 + .byte 147 + .byte 38 + .byte 77 + .byte 155 + .byte 55 + .byte 110 + .byte 220 + .byte 185 + .byte 114 + .byte 228 + .byte 200 + .byte 144 + .byte 32 + .byte 65 + .byte 130 + .byte 5 
+ .byte 10 + .byte 21 + .byte 43 + .byte 86 + .byte 173 + .byte 91 + .byte 182 + .byte 109 + .byte 218 + .byte 181 + .byte 107 + .byte 214 + .byte 172 + .byte 89 + .byte 178 + .byte 101 + .byte 203 + .byte 150 + .byte 44 + .byte 88 + .byte 176 + .byte 97 + .byte 195 + .byte 135 + .byte 15 + .byte 31 + .byte 62 + .byte 125 + .byte 251 + .byte 246 + .byte 237 + .byte 219 + .byte 183 + .byte 111 + .byte 222 + .byte 189 + .byte 122 + .byte 245 + .byte 235 + .byte 215 + .byte 174 + .byte 93 + .byte 186 + .byte 116 + .byte 232 + .byte 209 + .byte 162 + .byte 68 + .byte 136 + .byte 16 + .byte 33 + .byte 67 + .byte 134 + .byte 13 + .byte 27 + .byte 54 + .byte 108 + .byte 216 + .byte 177 + .byte 99 + .byte 199 + .byte 143 + .byte 30 + .byte 60 + .byte 121 + .byte 243 + .byte 231 + .byte 206 + .byte 156 + .byte 57 + .byte 115 + .byte 230 + .byte 204 + .byte 152 + .byte 49 + .byte 98 + .byte 197 + .byte 139 + .byte 22 + .byte 45 + .byte 90 + .byte 180 + .byte 105 + .byte 210 + .byte 164 + .byte 72 + .byte 145 + .byte 34 + .byte 69 + + .text +.global knot512_permute_8 + .type knot512_permute_8, @function +knot512_permute_8: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd 
r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_8) + ldi r31,hi8(table_8) +#if defined(RAMPZ) + ldi r17,hh8(table_8) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 + ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor 
r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 
+ ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor 
r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov 
r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std 
Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std 
Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_8, .-knot512_permute_8 + +#endif diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot.c b/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot.c new file mode 100644 index 0000000..f8b378e --- /dev/null +++ b/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot.c 
@@ -0,0 +1,301 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. 
+ */ + +#include "internal-knot.h" + +#if !defined(__AVR__) + +/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ +static uint8_t const rc6[52] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, + 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28, + 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b, + 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26, + 0x0d, 0x1a, 0x35, 0x2a +}; +static uint8_t const rc7[104] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30, + 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c, + 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33, + 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f, + 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38, + 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36, + 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b, + 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25, + 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c +}; +static uint8_t const rc8[140] = { + 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2, + 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0, + 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93, + 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20, + 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda, + 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0, + 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7, + 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8, + 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c, + 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c, + 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 
0xc5, 0x8b, 0x16, 0x2d, 0x5a, + 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45 +}; + +/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */ +#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint64_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */ +#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint32_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +static void knot256_permute + (knot256_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b1, b2, b3; + + /* Load the input state into local variables; each row is 64 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x1, x2, x3, b1, b2, b3); + + /* Linear diffusion layer */ + x1 = leftRotate1_64(b1); + x2 = leftRotate8_64(b2); + x3 = leftRotate25_64(b3); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + 
le_store_word64(state->B + 24, x3); +#endif +} + +void knot256_permute_6(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc6, rounds); +} + +void knot256_permute_7(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc7, rounds); +} + +void knot384_permute_7(knot384_state_t *state, uint8_t rounds) +{ + const uint8_t *rc = rc7; + uint64_t b2, b4, b6; + uint32_t b3, b5, b7; + + /* Load the input state into local variables; each row is 96 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint32_t x1 = state->W[2]; + uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32); + uint32_t x3 = state->W[5]; + uint64_t x4 = state->S[3]; + uint32_t x5 = state->W[8]; + uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32); + uint32_t x7 = state->W[11]; +#else + uint64_t x0 = le_load_word64(state->B); + uint32_t x1 = le_load_word32(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 12); + uint32_t x3 = le_load_word32(state->B + 20); + uint64_t x4 = le_load_word64(state->B + 24); + uint32_t x5 = le_load_word32(state->B + 32); + uint64_t x6 = le_load_word64(state->B + 36); + uint32_t x7 = le_load_word32(state->B + 44); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox32(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotateShort_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ + } while (0) + #define leftRotateLong_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | \ + (((uint64_t)(b1)) << ((bits) - 32)) | \ + ((b0) >> (96 - (bits))); \ + (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \ + } while (0) + leftRotateShort_96(x2, x3, b2, b3, 1); + leftRotateShort_96(x4, x5, b4, b5, 8); + 
leftRotateLong_96(x6, x7, b6, b7, 55); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->W[2] = x1; + state->W[3] = (uint32_t)x2; + state->W[4] = (uint32_t)(x2 >> 32); + state->W[5] = x3; + state->S[3] = x4; + state->W[8] = x5; + state->W[9] = (uint32_t)x6; + state->W[10] = (uint32_t)(x6 >> 32); + state->W[11] = x7; +#else + le_store_word64(state->B, x0); + le_store_word32(state->B + 8, x1); + le_store_word64(state->B + 12, x2); + le_store_word32(state->B + 20, x3); + le_store_word64(state->B + 24, x4); + le_store_word32(state->B + 32, x5); + le_store_word64(state->B + 36, x6); + le_store_word32(state->B + 44, x7); +#endif +} + +static void knot512_permute + (knot512_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b2, b3, b4, b5, b6, b7; + + /* Load the input state into local variables; each row is 128 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; + uint64_t x5 = state->S[5]; + uint64_t x6 = state->S[6]; + uint64_t x7 = state->S[7]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); + uint64_t x4 = le_load_word64(state->B + 32); + uint64_t x5 = le_load_word64(state->B + 40); + uint64_t x6 = le_load_word64(state->B + 48); + uint64_t x7 = le_load_word64(state->B + 56); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox64(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotate_128(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) 
>> (64 - (bits))); \ + } while (0) + leftRotate_128(x2, x3, b2, b3, 1); + leftRotate_128(x4, x5, b4, b5, 16); + leftRotate_128(x6, x7, b6, b7, 25); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; + state->S[5] = x5; + state->S[6] = x6; + state->S[7] = x7; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); + le_store_word64(state->B + 32, x4); + le_store_word64(state->B + 40, x5); + le_store_word64(state->B + 48, x6); + le_store_word64(state->B + 56, x7); +#endif +} + +void knot512_permute_7(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc7, rounds); +} + +void knot512_permute_8(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc8, rounds); +} + +#endif /* !__AVR__ */ diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot.h b/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot.h new file mode 100644 index 0000000..88a782c --- /dev/null +++ b/knot/Implementations/crypto_hash/knot256v2/rhys/internal-knot.h 
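Review bot: `rounds` is used as a bare count of `*rc++` reads in knot256_permute, knot384_permute_7 and knot512_permute with no check against the length of the table handed in (52 entries in rc6, 104 in rc7, 140 in rc8), so a caller exceeding the documented maxima reads past the end of a static array, and since `rounds` is `uint8_t` any value up to 255 is accepted silently; the visible callers in knot-hash.c (68, 80, 104, 140) stay within bounds, but nothing here enforces that. The permutation is an internal hot loop, so rather than a runtime check I would at least make the precondition visible at each `for (; rounds > 0; --rounds)`: `/* Precondition: rc has at least rounds entries (52/104/140 for rc6/rc7/rc8); not checked here. */`. The three rotate macros (`leftRotateShort_96`, `leftRotateLong_96`, `leftRotate_128`) are `#define`d inside the round loops and never `#undef`'d, so they stay in effect for the rest of the translation unit; adding `#undef` after each loop, or hoisting them next to `knot_sbox64`/`knot_sbox32`, would keep the scoping honest.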
@@ -0,0 +1,130 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_KNOT_H +#define LW_INTERNAL_KNOT_H + +#include "internal-util.h" + +/** + * \file internal-knot.h + * \brief Permutations that are used by the KNOT AEAD and hash algorithms. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Internal state of the KNOT-256 permutation. + */ +typedef union +{ + uint64_t S[4]; /**< Words of the state */ + uint8_t B[32]; /**< Bytes of the state */ + +} knot256_state_t; + +/** + * \brief Internal state of the KNOT-384 permutation. + */ +typedef union +{ + uint64_t S[6]; /**< 64-bit words of the state */ + uint32_t W[12]; /**< 32-bit words of the state */ + uint8_t B[48]; /**< Bytes of the state */ + +} knot384_state_t; + +/** + * \brief Internal state of the KNOT-512 permutation. 
+ */ +typedef union +{ + uint64_t S[8]; /**< Words of the state */ + uint8_t B[64]; /**< Bytes of the state */ + +} knot512_state_t; + +/** + * \brief Permutes the KNOT-256 state, using 6-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 52. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot256_permute_6(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-256 state, using 7-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot256_permute_7(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-384 state, using 7-bit round constants. + * + * \param state The KNOT-384 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot384_permute_7(knot384_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 7-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot512_permute_7(knot512_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 8-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 140. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot512_permute_8(knot512_state_t *state, uint8_t rounds); + +/** + * \brief Generic pointer to a function that performs a KNOT permutation. + * + * \param state Points to the permutation state. 
+ * \param round Number of rounds to perform. + */ +typedef void (*knot_permute_t)(void *state, uint8_t rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-util.h b/knot/Implementations/crypto_hash/knot256v2/rhys/internal-util.h similarity index 100% rename from comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-util.h rename to knot/Implementations/crypto_hash/knot256v2/rhys/internal-util.h diff --git a/knot/Implementations/crypto_hash/knot256v2/rhys/knot-hash.c b/knot/Implementations/crypto_hash/knot256v2/rhys/knot-hash.c new file mode 100644 index 0000000..a4edecd --- /dev/null +++ b/knot/Implementations/crypto_hash/knot256v2/rhys/knot-hash.c 
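Review bot: The `knot_permute_t` typedef takes `void *state`, while every permutation declared above it takes a specific `knot256_state_t *`, `knot384_state_t *` or `knot512_state_t *`, so storing one of those functions in a `knot_permute_t` and calling through it is a call through an incompatible function-pointer type (undefined behaviour in C, even though it works on the usual ABIs); the callers are not in this diff, so this is a note to confirm how the typedef is actually used. The Doxygen for that typedef also names the parameter `round` while the declaration says `rounds`; it should read `\param rounds Number of rounds to perform.`. The upper bounds in the permutation docs ("1 to 52", "1 to 104", "1 to 140") are the round-constant table lengths and are not enforced by the implementation, which is worth stating explicitly, e.g. `Larger values read past the end of the round-constant table.`.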
@@ -0,0 +1,186 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. 
+ */ + +#include "knot.h" +#include "internal-knot.h" +#include + +aead_hash_algorithm_t const knot_hash_256_256_algorithm = { + "KNOT-HASH-256-256", + sizeof(int), + KNOT_HASH_256_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_hash_256_256, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +aead_hash_algorithm_t const knot_hash_256_384_algorithm = { + "KNOT-HASH-256-384", + sizeof(int), + KNOT_HASH_256_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_hash_256_384, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +aead_hash_algorithm_t const knot_hash_384_384_algorithm = { + "KNOT-HASH-384-384", + sizeof(int), + KNOT_HASH_384_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_hash_384_384, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +aead_hash_algorithm_t const knot_hash_512_512_algorithm = { + "KNOT-HASH-512-512", + sizeof(int), + KNOT_HASH_512_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_hash_512_512, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \brief Input rate for KNOT-HASH-256-256. + */ +#define KNOT_HASH_256_256_RATE 4 + +/** + * \brief Input rate for KNOT-HASH-256-384. + */ +#define KNOT_HASH_256_384_RATE 16 + +/** + * \brief Input rate for KNOT-HASH-384-384. + */ +#define KNOT_HASH_384_384_RATE 6 + +/** + * \brief Input rate for KNOT-HASH-512-512. 
+ */ +#define KNOT_HASH_512_512_RATE 8 + +int knot_hash_256_256 + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + knot256_state_t state; + unsigned temp; + memset(state.B, 0, sizeof(state.B)); + while (inlen >= KNOT_HASH_256_256_RATE) { + lw_xor_block(state.B, in, KNOT_HASH_256_256_RATE); + knot256_permute_7(&state, 68); + in += KNOT_HASH_256_256_RATE; + inlen -= KNOT_HASH_256_256_RATE; + } + temp = (unsigned)inlen; + lw_xor_block(state.B, in, temp); + state.B[temp] ^= 0x01; + knot256_permute_7(&state, 68); + memcpy(out, state.B, KNOT_HASH_256_SIZE / 2); + knot256_permute_7(&state, 68); + memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2); + return 0; +} + +int knot_hash_256_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + knot384_state_t state; + unsigned temp; + memset(state.B, 0, sizeof(state.B)); + state.B[sizeof(state.B) - 1] ^= 0x80; + while (inlen >= KNOT_HASH_256_384_RATE) { + lw_xor_block(state.B, in, KNOT_HASH_256_384_RATE); + knot384_permute_7(&state, 80); + in += KNOT_HASH_256_384_RATE; + inlen -= KNOT_HASH_256_384_RATE; + } + temp = (unsigned)inlen; + lw_xor_block(state.B, in, temp); + state.B[temp] ^= 0x01; + knot384_permute_7(&state, 80); + memcpy(out, state.B, KNOT_HASH_256_SIZE / 2); + knot384_permute_7(&state, 80); + memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2); + return 0; +} + +int knot_hash_384_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + knot384_state_t state; + unsigned temp; + memset(state.B, 0, sizeof(state.B)); + while (inlen >= KNOT_HASH_384_384_RATE) { + lw_xor_block(state.B, in, KNOT_HASH_384_384_RATE); + knot384_permute_7(&state, 104); + in += KNOT_HASH_384_384_RATE; + inlen -= KNOT_HASH_384_384_RATE; + } + temp = (unsigned)inlen; + lw_xor_block(state.B, in, temp); + state.B[temp] ^= 0x01; + knot384_permute_7(&state, 104); + memcpy(out, state.B, KNOT_HASH_384_SIZE / 2); + 
knot384_permute_7(&state, 104); + memcpy(out + KNOT_HASH_384_SIZE / 2, state.B, KNOT_HASH_384_SIZE / 2); + return 0; +} + +int knot_hash_512_512 + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + knot512_state_t state; + unsigned temp; + memset(state.B, 0, sizeof(state.B)); + while (inlen >= KNOT_HASH_512_512_RATE) { + lw_xor_block(state.B, in, KNOT_HASH_512_512_RATE); + knot512_permute_8(&state, 140); + in += KNOT_HASH_512_512_RATE; + inlen -= KNOT_HASH_512_512_RATE; + } + temp = (unsigned)inlen; + lw_xor_block(state.B, in, temp); + state.B[temp] ^= 0x01; + knot512_permute_8(&state, 140); + memcpy(out, state.B, KNOT_HASH_512_SIZE / 2); + knot512_permute_8(&state, 140); + memcpy(out + KNOT_HASH_512_SIZE / 2, state.B, KNOT_HASH_512_SIZE / 2); + return 0; +} diff --git a/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/ascon128.h b/knot/Implementations/crypto_hash/knot256v2/rhys/knot.h similarity index 58% rename from ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/ascon128.h rename to knot/Implementations/crypto_hash/knot256v2/rhys/knot.h index fd9db13..e2c5198 100644 --- a/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/ascon128.h +++ b/knot/Implementations/crypto_hash/knot256v2/rhys/knot.h 
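Review bot: The third include directive (a bare `#include` between `internal-knot.h` and the first algorithm descriptor) is the one that has to supply `memset`/`memcpy` for all four hash functions; if the missing `<string.h>` is not merely the angle brackets lost in rendering, this file does not compile cleanly. In each hash function the final-block padding `state.B[temp] ^= 0x01;` is only in bounds because the preceding `while (inlen >= RATE)` loop guarantees `temp < RATE`; a one-line comment, `/* temp < RATE here, so the 0x01 pad byte lands inside the rate bytes of the state */`, would save the next reader from re-deriving it. The four functions are otherwise the same absorb/pad/squeeze loop with a different rate, permutation and round count; if they stay duplicated, a shared comment on the sponge layout (rate bytes at the front of `state.B`, and the `0x80` set in the last state byte of KNOT-HASH-256-384 only, presumably the spec's domain-separation bit — verify against the specification) would help.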
@@ -20,28 +20,38 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LWCRYPTO_ASCON_H -#define LWCRYPTO_ASCON_H +#ifndef LWCRYPTO_KNOT_H +#define LWCRYPTO_KNOT_H #include "aead-common.h" /** - * \file ascon128.h - * \brief ASCON-128 encryption algorithm and related family members. - * - * The ASCON family consists of several related algorithms: - * - * \li ASCON-128 with a 128-bit key, a 128-bit nonce, a 128-bit authentication - * tag, and a block rate of 64 bits. - * \li ASCON-128a with a 128-bit key, a 128-bit nonce, a 128-bit authentication - * tag, and a block rate of 128 bits. This is faster than ASCON-128 but may - * not be as secure. - * \li ASCON-80pq with a 160-bit key, a 128-bit nonce, a 128-bit authentication - * tag, and a block rate of 64 bits. This is similar to ASCON-128 but has a - * 160-bit key instead which may be more resistant against quantum computers. - * \li ASCON-HASH with a 256-bit hash output. - * - * References: https://ascon.iaik.tugraz.at/ + * \file knot.h + * \brief KNOT authenticated encryption and hash algorithms. + * + * KNOT is a family of authenticated encryption and hash algorithms built + * around a permutation and the MonkeyDuplex sponge construction. The + * family members are: + * + * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 256-bit permutation. This is the primary + * encryption member of the family. + * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a + * 192-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a + * 256-bit tag, built around a 512-bit permutation. + * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a + * 256-bit permutation. This is the primary hashing member of the family. 
+ * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a + * 512-bit permutation. + * + * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf */ #ifdef __cplusplus 
@@ -49,81 +59,108 @@ extern "C" { #endif /** - * \brief Size of the key for ASCON-128 and ASCON-128a. + * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-128-256 and + * KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_NONCE_SIZE 16 + +/** + * \brief Size of the key for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_KEY_SIZE 24 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-192-384. */ -#define ASCON128_KEY_SIZE 16 +#define KNOT_AEAD_192_TAG_SIZE 24 /** - * \brief Size of the nonce for ASCON-128 and ASCON-128a. + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384. */ -#define ASCON128_NONCE_SIZE 16 +#define KNOT_AEAD_192_NONCE_SIZE 24 /** - * \brief Size of the authentication tag for ASCON-128 and ASCON-128a. + * \brief Size of the key for KNOT-AEAD-256-512. */ -#define ASCON128_TAG_SIZE 16 +#define KNOT_AEAD_256_KEY_SIZE 32 /** - * \brief Size of the key for ASCON-80pq. + * \brief Size of the authentication tag for KNOT-AEAD-256-512. */ -#define ASCON80PQ_KEY_SIZE 20 +#define KNOT_AEAD_256_TAG_SIZE 32 /** - * \brief Size of the nonce for ASCON-80pq. + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. */ -#define ASCON80PQ_NONCE_SIZE 16 +#define KNOT_AEAD_256_NONCE_SIZE 32 /** - * \brief Size of the authentication tag for ASCON-80pq. + * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384. */ -#define ASCON80PQ_TAG_SIZE 16 +#define KNOT_HASH_256_SIZE 32 /** - * \brief Size of the hash output for ASCON-HASH. + * \brief Size of the hash for KNOT-HASH-384-384. */ -#define ASCON_HASH_SIZE 32 +#define KNOT_HASH_384_SIZE 48 /** - * \brief State information for ASCON-HASH and ASCON-XOF incremental modes. + * \brief Size of the hash for KNOT-HASH-512-512. 
*/ -typedef union -{ - struct { - unsigned char state[40]; /**< Current hash state */ - unsigned char count; /**< Number of bytes in the current block */ - unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */ - } s; /**< State */ - unsigned long long align; /**< For alignment of this structure */ +#define KNOT_HASH_512_SIZE 64 -} ascon_hash_state_t; +/** + * \brief Meta-information block for the KNOT-AEAD-128-256 cipher. + */ +extern aead_cipher_t const knot_aead_128_256_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-128-384 cipher. + */ +extern aead_cipher_t const knot_aead_128_384_cipher; /** - * \brief Meta-information block for the ASCON-128 cipher. + * \brief Meta-information block for the KNOT-AEAD-192-384 cipher. */ -extern aead_cipher_t const ascon128_cipher; +extern aead_cipher_t const knot_aead_192_384_cipher; /** - * \brief Meta-information block for the ASCON-128a cipher. + * \brief Meta-information block for the KNOT-AEAD-256-512 cipher. */ -extern aead_cipher_t const ascon128a_cipher; +extern aead_cipher_t const knot_aead_256_512_cipher; /** - * \brief Meta-information block for the ASCON-80pq cipher. + * \brief Meta-information block for the KNOT-HASH-256-256 algorithm. */ -extern aead_cipher_t const ascon80pq_cipher; +extern aead_hash_algorithm_t const knot_hash_256_256_algorithm; /** - * \brief Meta-information block for the ASCON-HASH algorithm. + * \brief Meta-information block for the KNOT-HASH-256-384 algorithm. */ -extern aead_hash_algorithm_t const ascon_hash_algorithm; +extern aead_hash_algorithm_t const knot_hash_256_384_algorithm; /** - * \brief Meta-information block for the ASCON-XOF algorithm. + * \brief Meta-information block for the KNOT-HASH-384-384 algorithm. */ -extern aead_hash_algorithm_t const ascon_xof_algorithm; +extern aead_hash_algorithm_t const knot_hash_384_384_algorithm; /** - * \brief Encrypts and authenticates a packet with ASCON-128. 
+ * \brief Meta-information block for the KNOT-HASH-512-512 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_512_512_algorithm; + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes @@ -141,9 +178,9 @@ extern aead_hash_algorithm_t const ascon_xof_algorithm; * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa ascon128_aead_decrypt() + * \sa knot_aead_128_256_decrypt() */ -int ascon128_aead_encrypt +int knot_aead_128_256_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -152,7 +189,7 @@ int ascon128_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with ASCON-128. + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -171,9 +208,9 @@ int ascon128_aead_encrypt * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa ascon128_aead_encrypt() + * \sa knot_aead_128_256_encrypt() */ -int ascon128_aead_decrypt +int knot_aead_128_256_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -182,7 +219,7 @@ int ascon128_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with ASCON-128a. + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes 
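Review bot: Two of the new size-constant comments name the wrong family members: `KNOT_AEAD_192_NONCE_SIZE` (24) is documented as the nonce for "KNOT-AEAD-128-256 and KNOT-AEAD-192-384", and `KNOT_AEAD_256_NONCE_SIZE` (32) as the nonce for "KNOT-AEAD-128-256 and KNOT-AEAD-128-384", although `KNOT_AEAD_128_NONCE_SIZE` (16) is already declared for those two ciphers a few lines earlier. They should read `\brief Size of the nonce for KNOT-AEAD-192-384.` and `\brief Size of the nonce for KNOT-AEAD-256-512.` respectively, matching the key and tag comments beside them. Mismatched size documentation on a crypto API is how callers end up handing a 16-byte nonce to a cipher that expects 24, so this is worth fixing before the header is published.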
@@ -200,9 +237,9 @@ int ascon128_aead_decrypt * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa ascon128a_aead_decrypt() + * \sa knot_aead_128_384_decrypt() */ -int ascon128a_aead_encrypt +int knot_aead_128_384_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -211,7 +248,7 @@ int ascon128a_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with ASCON-128a. + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -230,9 +267,9 @@ int ascon128a_aead_encrypt * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa ascon128a_aead_encrypt() + * \sa knot_aead_128_384_encrypt() */ -int ascon128a_aead_decrypt +int knot_aead_128_384_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -240,8 +277,9 @@ int ascon128a_aead_decrypt const unsigned char *npub, const unsigned char *k); + /** - * \brief Encrypts and authenticates a packet with ASCON-80pq. + * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes 
@@ -254,14 +292,14 @@ int ascon128a_aead_decrypt * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must * be 16 bytes in length. - * \param k Points to the 20 bytes of the key to use to encrypt the packet. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa ascon80pq_aead_decrypt() + * \sa knot_aead_192_384_decrypt() */ -int ascon80pq_aead_encrypt +int knot_aead_192_384_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -270,7 +308,7 @@ int ascon80pq_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with ASCON-80pq. + * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -284,14 +322,14 @@ int ascon80pq_aead_encrypt * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must * be 16 bytes in length. - * \param k Points to the 20 bytes of the key to use to decrypt the packet. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa ascon80pq_aead_encrypt() + * \sa knot_aead_192_384_encrypt() */ -int ascon80pq_aead_decrypt +int knot_aead_192_384_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, 
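Review bot: The parameter docs for `knot_aead_192_384_encrypt` are wrong for this member: the new line says `\param k Points to the 16 bytes of the key to use to encrypt the packet.`, and the unchanged context above it says the nonce `must be 16 bytes in length`, but KNOT-AEAD-192-384 is declared earlier in this header with `KNOT_AEAD_192_KEY_SIZE 24` and `KNOT_AEAD_192_NONCE_SIZE 24`. Both should say 24 bytes, and the tag length in the `clen` description, which starts outside this hunk, presumably needs the same correction. These lines were inherited from the ASCON-80pq header this file was renamed from and only partially updated; the decrypt counterpart below has the same problem.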
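Review bot: `knot_aead_192_384_decrypt` is documented with a 16-byte key (`\param k Points to the 16 bytes of the key to use to decrypt the packet.`) and, in the unchanged context line, a 16-byte nonce, while the header's own `KNOT_AEAD_192_KEY_SIZE` and `KNOT_AEAD_192_NONCE_SIZE` are both 24. Change both figures to `24 bytes`; a decrypt-side comment that understates the key size is exactly what gets copied into a caller's buffer declarations.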
@@ -300,106 +338,119 @@ int ascon80pq_aead_decrypt
      const unsigned char *k);
 
 /**
- * \brief Hashes a block of input data with ASCON-HASH.
+ * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512.
  *
- * \param out Buffer to receive the hash output which must be at least
- * ASCON_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- *
- * \sa ascon_hash_init(), ascon_hash_absorb(), ascon_hash_squeeze()
- */
-int ascon_hash
-    (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for an ASCON-HASH hashing operation.
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ * the ciphertext and the 16 byte authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to encrypt the packet.
  *
- * \param state Hash state to be initialized.
+ * \return 0 on success, or a negative value if there was an error in
+ * the parameters.
  *
- * \sa ascon_hash_update(), ascon_hash_finalize(), ascon_hash()
+ * \sa knot_aead_256_512_decrypt()
  */
-void ascon_hash_init(ascon_hash_state_t *state);
+int knot_aead_256_512_encrypt
+    (unsigned char *c, unsigned long long *clen,
+     const unsigned char *m, unsigned long long mlen,
+     const unsigned char *ad, unsigned long long adlen,
+     const unsigned char *nsec,
+     const unsigned char *npub,
+     const unsigned char *k);
 
 /**
- * \brief Updates an ASCON-HASH state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
+ * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512.
  *
- * \sa ascon_hash_init(), ascon_hash_finalize()
- */
-void ascon_hash_update
-    (ascon_hash_state_t *state, const unsigned char *in,
-     unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from an ASCON-HASH hashing operation.
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param c Buffer that contains the ciphertext and authentication
+ * tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ * ciphertext and the 16 byte authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to decrypt the packet.
  *
- * \param state Hash state to be finalized.
- * \param out Points to the output buffer to receive the 32-byte hash value.
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ * or some other negative number if there was an error in the parameters.
  *
- * \sa ascon_hash_init(), ascon_hash_update()
+ * \sa knot_aead_256_512_encrypt()
  */
-void ascon_hash_finalize
-    (ascon_hash_state_t *state, unsigned char *out);
+int knot_aead_256_512_decrypt
+    (unsigned char *m, unsigned long long *mlen,
+     unsigned char *nsec,
+     const unsigned char *c, unsigned long long clen,
+     const unsigned char *ad, unsigned long long adlen,
+     const unsigned char *npub,
+     const unsigned char *k);
 
 /**
- * \brief Hashes a block of input data with ASCON-XOF and generates a
- * fixed-length 32 byte output.
+ * \brief Hashes a block of input data with KNOT-HASH-256-256.
  *
  * \param out Buffer to receive the hash output which must be at least
- * ASCON_HASH_SIZE bytes in length.
+ * KNOT_HASH_256_SIZE bytes in length.
  * \param in Points to the input data to be hashed.
  * \param inlen Length of the input data in bytes.
  *
  * \return Returns zero on success or -1 if there was an error in the
  * parameters.
- *
- * Use ascon_xof_squeeze() instead if you need variable-length XOF ouutput.
- *
- * \sa ascon_xof_init(), ascon_xof_absorb(), ascon_xof_squeeze()
  */
-int ascon_xof
+int knot_hash_256_256
     (unsigned char *out, const unsigned char *in, unsigned long long inlen);
 
 /**
- * \brief Initializes the state for an ASCON-XOF hashing operation.
+ * \brief Hashes a block of input data with KNOT-HASH-256-384.
  *
- * \param state Hash state to be initialized.
+ * \param out Buffer to receive the hash output which must be at least
+ * KNOT_HASH_256_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
  *
- * \sa ascon_xof_absorb(), ascon_xof_squeeze(), ascon_xof()
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
  */
-void ascon_xof_init(ascon_hash_state_t *state);
+int knot_hash_256_384
+    (unsigned char *out, const unsigned char *in, unsigned long long inlen);
 
 /**
- * \brief Aborbs more input data into an ASCON-XOF state.
+ * \brief Hashes a block of input data with KNOT-HASH-384-384.
  *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
+ * \param out Buffer to receive the hash output which must be at least
+ * KNOT_HASH_384_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
  *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
  */
-void ascon_xof_absorb
-    (ascon_hash_state_t *state, const unsigned char *in,
-     unsigned long long inlen);
+int knot_hash_384_384
+    (unsigned char *out, const unsigned char *in, unsigned long long inlen);
 
 /**
- * \brief Squeezes output data from an ASCON-XOF state.
+ * \brief Hashes a block of input data with KNOT-HASH-512-512.
  *
- * \param state Hash state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
+ * \param out Buffer to receive the hash output which must be at least
+ * KNOT_HASH_512_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
  *
- * \sa ascon_xof_init(), ascon_xof_update()
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
  */
-void ascon_xof_squeeze
-    (ascon_hash_state_t *state, unsigned char *out, unsigned long long outlen);
+int knot_hash_512_512
+    (unsigned char *out, const unsigned char *in, unsigned long long inlen);
 
 #ifdef __cplusplus
 }
diff --git a/knot/Implementations/crypto_hash/knot384/rhys-avr/aead-common.c b/knot/Implementations/crypto_hash/knot384/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/knot/Implementations/crypto_hash/knot384/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
-    (unsigned char *plaintext, unsigned long long plaintext_len,
-     const unsigned char *tag1, const unsigned char *tag2,
-     unsigned size)
-{
-    /* Set "accum" to -1 if the tags match, or 0 if they don't match */
-    int accum = 0;
-    while (size > 0) {
-        accum |= (*tag1++ ^ *tag2++);
-        --size;
-    }
-    accum = (accum - 1) >> 8;
-
-    /* Destroy the plaintext if the tag match failed */
-    while (plaintext_len > 0) {
-        *plaintext++ &= accum;
-        --plaintext_len;
-    }
-
-    /* If "accum" is 0, return -1, otherwise return 0 */
-    return ~accum;
-}
-
-int aead_check_tag_precheck
-    (unsigned char *plaintext, unsigned long long plaintext_len,
-     const unsigned char *tag1, const unsigned char *tag2,
-     unsigned size, int precheck)
-{
-    /* Set "accum" to -1 if the tags match, or 0 if they don't match */
-    int accum = 0;
-    while (size > 0) {
-        accum |= (*tag1++ ^ *tag2++);
-        --size;
-    }
-    accum = ((accum - 1) >> 8) & precheck;
-
-    /* Destroy the plaintext if the tag match failed */
-    while (plaintext_len > 0) {
-        *plaintext++ &= accum;
-        --plaintext_len;
-    }
-
-    /* If "accum" is 0, return -1, otherwise return 0 */
-    return ~accum;
-}
diff --git a/knot/Implementations/crypto_hash/knot384/rhys-avr/aead-common.h b/knot/Implementations/crypto_hash/knot384/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/knot/Implementations/crypto_hash/knot384/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
-    (unsigned char *c, unsigned long long *clen,
-     const unsigned char *m, unsigned long long mlen,
-     const unsigned char *ad, unsigned long long adlen,
-     const unsigned char *nsec,
-     const unsigned char *npub,
-     const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
-    (unsigned char *m, unsigned long long *mlen,
-     unsigned char *nsec,
-     const unsigned char *c, unsigned long long clen,
-     const unsigned char *ad, unsigned long long adlen,
-     const unsigned char *npub,
-     const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
-    (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
-    (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
-    (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
-    (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
-    const char *name; /**< Name of the cipher */
-    unsigned key_len; /**< Length of the key in bytes */
-    unsigned nonce_len; /**< Length of the nonce in bytes */
-    unsigned tag_len; /**< Length of the tag in bytes */
-    unsigned flags; /**< Flags for extra features */
-    aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
-    aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
-    const char *name; /**< Name of the hash algorithm */
-    size_t state_size; /**< Size of the incremental state structure */
-    unsigned hash_len; /**< Length of the hash in bytes */
-    unsigned flags; /**< Flags for extra features */
-    aead_hash_t hash; /**< All in one hashing function */
-    aead_hash_init_t init; /**< Incremental hash/XOF init function */
-    aead_hash_update_t update; /**< Incremental hash update function */
-    aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
-    aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
-    aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
-    (unsigned char *plaintext, unsigned long long plaintext_len,
-     const unsigned char *tag1, const unsigned char *tag2,
-     unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
-    (unsigned char *plaintext, unsigned long long plaintext_len,
-     const unsigned char *tag1, const unsigned char *tag2,
-     unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/knot/Implementations/crypto_hash/knot384/rhys-avr/api.h b/knot/Implementations/crypto_hash/knot384/rhys-avr/api.h
deleted file mode 100644
index d507385..0000000
--- a/knot/Implementations/crypto_hash/knot384/rhys-avr/api.h
+++ /dev/null
@@ -1 +0,0 @@
-#define CRYPTO_BYTES 48
diff --git a/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot-256-avr.S b/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot-256-avr.S
deleted file mode 100644
index 15e6389..0000000
--- a/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot-256-avr.S
+++ /dev/null
@@ -1,1093 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_6, @object - .size table_6, 52 -table_6: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 33 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 49 - .byte 34 - .byte 5 - .byte 10 - .byte 20 - .byte 41 - .byte 19 - .byte 39 - .byte 15 - .byte 30 - .byte 61 - .byte 58 - .byte 52 - .byte 40 - .byte 17 - .byte 35 - .byte 7 - .byte 14 - .byte 28 - .byte 57 - .byte 50 - .byte 36 - .byte 9 - .byte 18 - .byte 37 - .byte 11 - .byte 22 - .byte 45 - .byte 27 - .byte 55 - .byte 46 - .byte 29 - .byte 59 - .byte 54 - .byte 44 - .byte 25 - .byte 51 - .byte 38 - .byte 13 - .byte 26 - .byte 53 - .byte 42 - - .text -.global knot256_permute_6 - .type knot256_permute_6, @function -knot256_permute_6: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - 
push r30 - ldi r30,lo8(table_6) - ldi r31,hi8(table_6) -#if defined(RAMPZ) - ldi r17,hh8(table_6) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - 
eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std 
Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 - ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_6, .-knot256_permute_6 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 
55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot256_permute_7 - .type knot256_permute_7, @function -knot256_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std 
Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - 
std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 
- ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_7, .-knot256_permute_7 - -#endif diff --git a/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot-384-avr.S b/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot-384-avr.S deleted file mode 100644 index 4d15898..0000000 --- a/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot-384-avr.S +++ /dev/null 
@@ -1,833 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot384_permute_7 - .type knot384_permute_7, @function -knot384_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,72 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 87 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std 
Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - ldd r4,Z+16 - ldd r5,Z+17 - ldd r6,Z+18 - ldd r7,Z+19 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r4,Z+28 - ldd r5,Z+29 - ldd r6,Z+30 - ldd r7,Z+31 - ldd r8,Z+32 - ldd r9,Z+33 - ldd r10,Z+34 - ldd r11,Z+35 - std Y+25,r26 - std Y+26,r27 - std Y+27,r2 - std Y+28,r3 - std Y+29,r4 - std Y+30,r5 - std Y+31,r6 - std Y+32,r7 - std Y+33,r8 - std Y+34,r9 - std Y+35,r10 - std Y+36,r11 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r2,Z+38 - ldd r3,Z+39 - ldd r4,Z+40 - ldd r5,Z+41 - ldd r6,Z+42 - ldd r7,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - std Y+37,r26 - std Y+38,r27 - std Y+39,r2 - std Y+40,r3 - std Y+41,r4 - std Y+42,r5 - std Y+43,r6 - std Y+44,r7 - std Y+45,r8 - std Y+46,r9 - std Y+47,r10 - std Y+48,r11 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r24,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif -99: - ldd r12,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r30 - ldd r18,Y+13 - ldd r19,Y+25 - ldd r20,Y+37 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+61,r23 - mov r14,r20 - eor r14,r12 - mov r26,r18 - or r26,r19 - eor r26,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+1,r21 - mov r21,r26 - and r21,r12 - eor r21,r13 - std Y+49,r21 - ldd r12,Y+2 - ldd r18,Y+14 - ldd r19,Y+26 - ldd r20,Y+38 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std 
Y+62,r23 - mov r14,r20 - eor r14,r12 - mov r27,r18 - or r27,r19 - eor r27,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+2,r21 - mov r21,r27 - and r21,r12 - eor r21,r13 - std Y+50,r21 - ldd r12,Y+3 - ldd r18,Y+15 - ldd r19,Y+27 - ldd r20,Y+39 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+63,r23 - mov r14,r20 - eor r14,r12 - mov r2,r18 - or r2,r19 - eor r2,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+3,r21 - mov r21,r2 - and r21,r12 - eor r21,r13 - std Y+51,r21 - ldd r12,Y+4 - ldd r18,Y+16 - ldd r19,Y+28 - ldd r20,Y+40 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,192 - sbci r29,255 - st Y,r23 - subi r28,64 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r3,r18 - or r3,r19 - eor r3,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+4,r21 - mov r21,r3 - and r21,r12 - eor r21,r13 - std Y+52,r21 - ldd r12,Y+5 - ldd r18,Y+17 - ldd r19,Y+29 - ldd r20,Y+41 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,191 - sbci r29,255 - st Y,r23 - subi r28,65 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r4,r18 - or r4,r19 - eor r4,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+5,r21 - mov r21,r4 - and r21,r12 - eor r21,r13 - std Y+53,r21 - ldd r12,Y+6 - ldd r18,Y+18 - ldd r19,Y+30 - ldd r20,Y+42 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,190 - sbci r29,255 - st Y,r23 - subi r28,66 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r5,r18 - or r5,r19 - eor r5,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+6,r21 - mov r21,r5 - and r21,r12 - eor r21,r13 - std Y+54,r21 - ldd r12,Y+7 - ldd r18,Y+19 - ldd r19,Y+31 - ldd r20,Y+43 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,189 - sbci r29,255 - st Y,r23 - 
subi r28,67 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r6,r18 - or r6,r19 - eor r6,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+7,r21 - mov r21,r6 - and r21,r12 - eor r21,r13 - std Y+55,r21 - ldd r12,Y+8 - ldd r18,Y+20 - ldd r19,Y+32 - ldd r20,Y+44 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,188 - sbci r29,255 - st Y,r23 - subi r28,68 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r7,r18 - or r7,r19 - eor r7,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+8,r21 - mov r21,r7 - and r21,r12 - eor r21,r13 - std Y+56,r21 - ldd r12,Y+9 - ldd r18,Y+21 - ldd r19,Y+33 - ldd r20,Y+45 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,187 - sbci r29,255 - st Y,r23 - subi r28,69 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r8,r18 - or r8,r19 - eor r8,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+9,r21 - mov r21,r8 - and r21,r12 - eor r21,r13 - std Y+57,r21 - ldd r12,Y+10 - ldd r18,Y+22 - ldd r19,Y+34 - ldd r20,Y+46 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,186 - sbci r29,255 - st Y,r23 - subi r28,70 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r9,r18 - or r9,r19 - eor r9,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+10,r21 - mov r21,r9 - and r21,r12 - eor r21,r13 - std Y+58,r21 - ldd r12,Y+11 - ldd r18,Y+23 - ldd r19,Y+35 - ldd r20,Y+47 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,185 - sbci r29,255 - st Y,r23 - subi r28,71 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r10,r18 - or r10,r19 - eor r10,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+11,r21 - mov r21,r10 - and r21,r12 - eor r21,r13 - std Y+59,r21 - ldd r12,Y+12 - ldd r18,Y+24 - ldd r19,Y+36 - ldd r20,Y+48 - com r12 - mov r13,r18 - and r13,r12 - eor 
r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,184 - sbci r29,255 - st Y,r23 - subi r28,72 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r11,r18 - or r11,r19 - eor r11,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+12,r21 - mov r21,r11 - and r21,r12 - eor r21,r13 - std Y+60,r21 - std Y+25,r11 - std Y+26,r26 - std Y+27,r27 - std Y+28,r2 - std Y+29,r3 - std Y+30,r4 - std Y+31,r5 - std Y+32,r6 - std Y+33,r7 - std Y+34,r8 - std Y+35,r9 - std Y+36,r10 - ldd r26,Y+49 - ldd r27,Y+50 - ldd r2,Y+51 - ldd r3,Y+52 - ldd r4,Y+53 - ldd r5,Y+54 - ldd r6,Y+55 - ldd r7,Y+56 - ldd r8,Y+57 - ldd r9,Y+58 - ldd r10,Y+59 - ldd r11,Y+60 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - adc r26,r1 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - adiw r28,61 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y - subi r28,72 - sbc r29,r1 - bst r26,0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r3 - ror r2 - ror r27 - ror r26 - bld r11,7 - std Y+37,r5 - std Y+38,r6 - std Y+39,r7 - std Y+40,r8 - std Y+41,r9 - std Y+42,r10 - std Y+43,r11 - std Y+44,r26 - std Y+45,r27 - std Y+46,r2 - std Y+47,r3 - std Y+48,r4 - dec r22 - breq 5542f - rjmp 99b -5542: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r2,Y+15 - ldd r3,Y+16 - ldd r4,Y+17 - ldd r5,Y+18 - ldd r6,Y+19 - ldd 
r7,Y+20 - ldd r8,Y+21 - ldd r9,Y+22 - ldd r10,Y+23 - ldd r11,Y+24 - std Z+12,r26 - std Z+13,r27 - std Z+14,r2 - std Z+15,r3 - std Z+16,r4 - std Z+17,r5 - std Z+18,r6 - std Z+19,r7 - std Z+20,r8 - std Z+21,r9 - std Z+22,r10 - std Z+23,r11 - ldd r26,Y+25 - ldd r27,Y+26 - ldd r2,Y+27 - ldd r3,Y+28 - ldd r4,Y+29 - ldd r5,Y+30 - ldd r6,Y+31 - ldd r7,Y+32 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - std Z+24,r26 - std Z+25,r27 - std Z+26,r2 - std Z+27,r3 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+32,r8 - std Z+33,r9 - std Z+34,r10 - std Z+35,r11 - ldd r26,Y+37 - ldd r27,Y+38 - ldd r2,Y+39 - ldd r3,Y+40 - ldd r4,Y+41 - ldd r5,Y+42 - ldd r6,Y+43 - ldd r7,Y+44 - ldd r8,Y+45 - ldd r9,Y+46 - ldd r10,Y+47 - ldd r11,Y+48 - std Z+36,r26 - std Z+37,r27 - std Z+38,r2 - std Z+39,r3 - std Z+40,r4 - std Z+41,r5 - std Z+42,r6 - std Z+43,r7 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - subi r28,184 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot384_permute_7, .-knot384_permute_7 - -#endif diff --git a/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot-512-avr.S b/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot-512-avr.S deleted file mode 100644 index 6f92ac3..0000000 --- a/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot-512-avr.S +++ /dev/null 
@@ -1,2315 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot512_permute_7 - .type knot512_permute_7, @function -knot512_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd 
r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 
- ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - 
subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 - ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - 
mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor 
r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi 
r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std 
Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_7, .-knot512_permute_7 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_8, @object - .size table_8, 140 -table_8: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 17 - .byte 35 - .byte 71 - .byte 142 - .byte 28 - .byte 56 - .byte 113 - .byte 226 - .byte 196 - .byte 137 - .byte 18 - .byte 37 - .byte 75 - .byte 151 - .byte 46 - .byte 92 - .byte 184 - .byte 112 - .byte 224 - .byte 192 - .byte 129 - .byte 3 - .byte 6 - .byte 12 - .byte 25 - .byte 50 - .byte 100 - .byte 201 - .byte 146 - .byte 36 - .byte 73 - .byte 147 - .byte 38 - .byte 77 - .byte 155 - .byte 55 - .byte 110 - .byte 220 - .byte 185 - .byte 114 - .byte 228 - .byte 200 - .byte 144 - .byte 32 - .byte 65 - .byte 130 - .byte 5 
- .byte 10 - .byte 21 - .byte 43 - .byte 86 - .byte 173 - .byte 91 - .byte 182 - .byte 109 - .byte 218 - .byte 181 - .byte 107 - .byte 214 - .byte 172 - .byte 89 - .byte 178 - .byte 101 - .byte 203 - .byte 150 - .byte 44 - .byte 88 - .byte 176 - .byte 97 - .byte 195 - .byte 135 - .byte 15 - .byte 31 - .byte 62 - .byte 125 - .byte 251 - .byte 246 - .byte 237 - .byte 219 - .byte 183 - .byte 111 - .byte 222 - .byte 189 - .byte 122 - .byte 245 - .byte 235 - .byte 215 - .byte 174 - .byte 93 - .byte 186 - .byte 116 - .byte 232 - .byte 209 - .byte 162 - .byte 68 - .byte 136 - .byte 16 - .byte 33 - .byte 67 - .byte 134 - .byte 13 - .byte 27 - .byte 54 - .byte 108 - .byte 216 - .byte 177 - .byte 99 - .byte 199 - .byte 143 - .byte 30 - .byte 60 - .byte 121 - .byte 243 - .byte 231 - .byte 206 - .byte 156 - .byte 57 - .byte 115 - .byte 230 - .byte 204 - .byte 152 - .byte 49 - .byte 98 - .byte 197 - .byte 139 - .byte 22 - .byte 45 - .byte 90 - .byte 180 - .byte 105 - .byte 210 - .byte 164 - .byte 72 - .byte 145 - .byte 34 - .byte 69 - - .text -.global knot512_permute_8 - .type knot512_permute_8, @function -knot512_permute_8: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd 
r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_8) - ldi r31,hi8(table_8) -#if defined(RAMPZ) - ldi r17,hh8(table_8) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 - ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor 
r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 
- ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor 
r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov 
r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std 
Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std 
Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_8, .-knot512_permute_8 - -#endif diff --git a/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot.c b/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot.c deleted file mode 100644 index f8b378e..0000000 --- a/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot.c +++ /dev/null 
@@ -1,301 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-knot.h" - -#if !defined(__AVR__) - -/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ -static uint8_t const rc6[52] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, - 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28, - 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b, - 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26, - 0x0d, 0x1a, 0x35, 0x2a -}; -static uint8_t const rc7[104] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30, - 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c, - 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33, - 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f, - 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38, - 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36, - 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b, - 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25, - 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c -}; -static uint8_t const rc8[140] = { - 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2, - 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0, - 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93, - 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20, - 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda, - 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0, - 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7, - 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8, - 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c, - 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c, - 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 
0xc5, 0x8b, 0x16, 0x2d, 0x5a, - 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45 -}; - -/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */ -#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \ - do { \ - uint64_t t1, t3, t6; \ - t1 = ~(a0); \ - t3 = (a2) ^ ((a1) & t1); \ - (b3) = (a3) ^ t3; \ - t6 = (a3) ^ t1; \ - (b2) = ((a1) | (a2)) ^ t6; \ - t1 = (a1) ^ (a3); \ - (a0) = t1 ^ (t3 & t6); \ - (b1) = t3 ^ ((b2) & t1); \ - } while (0) - -/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */ -#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \ - do { \ - uint32_t t1, t3, t6; \ - t1 = ~(a0); \ - t3 = (a2) ^ ((a1) & t1); \ - (b3) = (a3) ^ t3; \ - t6 = (a3) ^ t1; \ - (b2) = ((a1) | (a2)) ^ t6; \ - t1 = (a1) ^ (a3); \ - (a0) = t1 ^ (t3 & t6); \ - (b1) = t3 ^ ((b2) & t1); \ - } while (0) - -static void knot256_permute - (knot256_state_t *state, const uint8_t *rc, uint8_t rounds) -{ - uint64_t b1, b2, b3; - - /* Load the input state into local variables; each row is 64 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x1, x2, x3, b1, b2, b3); - - /* Linear diffusion layer */ - x1 = leftRotate1_64(b1); - x2 = leftRotate8_64(b2); - x3 = leftRotate25_64(b3); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - 
le_store_word64(state->B + 24, x3); -#endif -} - -void knot256_permute_6(knot256_state_t *state, uint8_t rounds) -{ - knot256_permute(state, rc6, rounds); -} - -void knot256_permute_7(knot256_state_t *state, uint8_t rounds) -{ - knot256_permute(state, rc7, rounds); -} - -void knot384_permute_7(knot384_state_t *state, uint8_t rounds) -{ - const uint8_t *rc = rc7; - uint64_t b2, b4, b6; - uint32_t b3, b5, b7; - - /* Load the input state into local variables; each row is 96 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint32_t x1 = state->W[2]; - uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32); - uint32_t x3 = state->W[5]; - uint64_t x4 = state->S[3]; - uint32_t x5 = state->W[8]; - uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32); - uint32_t x7 = state->W[11]; -#else - uint64_t x0 = le_load_word64(state->B); - uint32_t x1 = le_load_word32(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 12); - uint32_t x3 = le_load_word32(state->B + 20); - uint64_t x4 = le_load_word64(state->B + 24); - uint32_t x5 = le_load_word32(state->B + 32); - uint64_t x6 = le_load_word64(state->B + 36); - uint32_t x7 = le_load_word32(state->B + 44); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x2, x4, x6, b2, b4, b6); - knot_sbox32(x1, x3, x5, x7, b3, b5, b7); - - /* Linear diffusion layer */ - #define leftRotateShort_96(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \ - (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ - } while (0) - #define leftRotateLong_96(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | \ - (((uint64_t)(b1)) << ((bits) - 32)) | \ - ((b0) >> (96 - (bits))); \ - (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \ - } while (0) - leftRotateShort_96(x2, x3, b2, b3, 1); - leftRotateShort_96(x4, x5, b4, b5, 8); - 
leftRotateLong_96(x6, x7, b6, b7, 55); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->W[2] = x1; - state->W[3] = (uint32_t)x2; - state->W[4] = (uint32_t)(x2 >> 32); - state->W[5] = x3; - state->S[3] = x4; - state->W[8] = x5; - state->W[9] = (uint32_t)x6; - state->W[10] = (uint32_t)(x6 >> 32); - state->W[11] = x7; -#else - le_store_word64(state->B, x0); - le_store_word32(state->B + 8, x1); - le_store_word64(state->B + 12, x2); - le_store_word32(state->B + 20, x3); - le_store_word64(state->B + 24, x4); - le_store_word32(state->B + 32, x5); - le_store_word64(state->B + 36, x6); - le_store_word32(state->B + 44, x7); -#endif -} - -static void knot512_permute - (knot512_state_t *state, const uint8_t *rc, uint8_t rounds) -{ - uint64_t b2, b3, b4, b5, b6, b7; - - /* Load the input state into local variables; each row is 128 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; - uint64_t x4 = state->S[4]; - uint64_t x5 = state->S[5]; - uint64_t x6 = state->S[6]; - uint64_t x7 = state->S[7]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); - uint64_t x4 = le_load_word64(state->B + 32); - uint64_t x5 = le_load_word64(state->B + 40); - uint64_t x6 = le_load_word64(state->B + 48); - uint64_t x7 = le_load_word64(state->B + 56); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x2, x4, x6, b2, b4, b6); - knot_sbox64(x1, x3, x5, x7, b3, b5, b7); - - /* Linear diffusion layer */ - #define leftRotate_128(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \ - (a1) = ((b1) << (bits)) | ((b0) 
>> (64 - (bits))); \ - } while (0) - leftRotate_128(x2, x3, b2, b3, 1); - leftRotate_128(x4, x5, b4, b5, 16); - leftRotate_128(x6, x7, b6, b7, 25); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; - state->S[4] = x4; - state->S[5] = x5; - state->S[6] = x6; - state->S[7] = x7; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - le_store_word64(state->B + 24, x3); - le_store_word64(state->B + 32, x4); - le_store_word64(state->B + 40, x5); - le_store_word64(state->B + 48, x6); - le_store_word64(state->B + 56, x7); -#endif -} - -void knot512_permute_7(knot512_state_t *state, uint8_t rounds) -{ - knot512_permute(state, rc7, rounds); -} - -void knot512_permute_8(knot512_state_t *state, uint8_t rounds) -{ - knot512_permute(state, rc8, rounds); -} - -#endif /* !__AVR__ */ diff --git a/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot.h b/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot.h deleted file mode 100644 index 88a782c..0000000 --- a/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-knot.h +++ /dev/null 
@@ -1,130 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_KNOT_H
-#define LW_INTERNAL_KNOT_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-knot.h
- * \brief Permutations that are used by the KNOT AEAD and hash algorithms.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Internal state of the KNOT-256 permutation.
- */
-typedef union
-{
- uint64_t S[4]; /**< Words of the state */
- uint8_t B[32]; /**< Bytes of the state */
-
-} knot256_state_t;
-
-/**
- * \brief Internal state of the KNOT-384 permutation.
- */
-typedef union
-{
- uint64_t S[6]; /**< 64-bit words of the state */
- uint32_t W[12]; /**< 32-bit words of the state */
- uint8_t B[48]; /**< Bytes of the state */
-
-} knot384_state_t;
-
-/**
- * \brief Internal state of the KNOT-512 permutation.
- */
-typedef union
-{
- uint64_t S[8]; /**< Words of the state */
- uint8_t B[64]; /**< Bytes of the state */
-
-} knot512_state_t;
-
-/**
- * \brief Permutes the KNOT-256 state, using 6-bit round constants.
- *
- * \param state The KNOT-256 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 52.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot256_permute_6(knot256_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-256 state, using 7-bit round constants.
- *
- * \param state The KNOT-256 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot256_permute_7(knot256_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-384 state, using 7-bit round constants.
- *
- * \param state The KNOT-384 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot384_permute_7(knot384_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-512 state, using 7-bit round constants.
- *
- * \param state The KNOT-512 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot512_permute_7(knot512_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-512 state, using 8-bit round constants.
- *
- * \param state The KNOT-512 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 140.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot512_permute_8(knot512_state_t *state, uint8_t rounds);
-
-/**
- * \brief Generic pointer to a function that performs a KNOT permutation.
- *
- * \param state Points to the permutation state.
- * \param round Number of rounds to perform.
- */
-typedef void (*knot_permute_t)(void *state, uint8_t rounds);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-util.h b/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/knot/Implementations/crypto_hash/knot384/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate
by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define
rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a)
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) |
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/knot/Implementations/crypto_hash/knot384/rhys-avr/knot-hash.c b/knot/Implementations/crypto_hash/knot384/rhys-avr/knot-hash.c
deleted file mode 100644
index a4edecd..0000000
--- a/knot/Implementations/crypto_hash/knot384/rhys-avr/knot-hash.c
+++ /dev/null
@@ -1,186 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "knot.h"
-#include "internal-knot.h"
-#include
-
-aead_hash_algorithm_t const knot_hash_256_256_algorithm = {
- "KNOT-HASH-256-256",
- sizeof(int),
- KNOT_HASH_256_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_256_256,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const knot_hash_256_384_algorithm = {
- "KNOT-HASH-256-384",
- sizeof(int),
- KNOT_HASH_256_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_256_384,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const knot_hash_384_384_algorithm = {
- "KNOT-HASH-384-384",
- sizeof(int),
- KNOT_HASH_384_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_384_384,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const knot_hash_512_512_algorithm = {
- "KNOT-HASH-512-512",
- sizeof(int),
- KNOT_HASH_512_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_512_512,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \brief Input rate for KNOT-HASH-256-256.
- */
-#define KNOT_HASH_256_256_RATE 4
-
-/**
- * \brief Input rate for KNOT-HASH-256-384.
- */
-#define KNOT_HASH_256_384_RATE 16
-
-/**
- * \brief Input rate for KNOT-HASH-384-384.
- */
-#define KNOT_HASH_384_384_RATE 6
-
-/**
- * \brief Input rate for KNOT-HASH-512-512.
- */
-#define KNOT_HASH_512_512_RATE 8
-
-int knot_hash_256_256
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot256_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- while (inlen >= KNOT_HASH_256_256_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_256_256_RATE);
- knot256_permute_7(&state, 68);
- in += KNOT_HASH_256_256_RATE;
- inlen -= KNOT_HASH_256_256_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot256_permute_7(&state, 68);
- memcpy(out, state.B, KNOT_HASH_256_SIZE / 2);
- knot256_permute_7(&state, 68);
- memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2);
- return 0;
-}
-
-int knot_hash_256_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot384_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- state.B[sizeof(state.B) - 1] ^= 0x80;
- while (inlen >= KNOT_HASH_256_384_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_256_384_RATE);
- knot384_permute_7(&state, 80);
- in += KNOT_HASH_256_384_RATE;
- inlen -= KNOT_HASH_256_384_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot384_permute_7(&state, 80);
- memcpy(out, state.B, KNOT_HASH_256_SIZE / 2);
- knot384_permute_7(&state, 80);
- memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2);
- return 0;
-}
-
-int knot_hash_384_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot384_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- while (inlen >= KNOT_HASH_384_384_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_384_384_RATE);
- knot384_permute_7(&state, 104);
- in += KNOT_HASH_384_384_RATE;
- inlen -= KNOT_HASH_384_384_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot384_permute_7(&state, 104);
- memcpy(out, state.B, KNOT_HASH_384_SIZE / 2);
-
knot384_permute_7(&state, 104);
- memcpy(out + KNOT_HASH_384_SIZE / 2, state.B, KNOT_HASH_384_SIZE / 2);
- return 0;
-}
-
-int knot_hash_512_512
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot512_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- while (inlen >= KNOT_HASH_512_512_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_512_512_RATE);
- knot512_permute_8(&state, 140);
- in += KNOT_HASH_512_512_RATE;
- inlen -= KNOT_HASH_512_512_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot512_permute_8(&state, 140);
- memcpy(out, state.B, KNOT_HASH_512_SIZE / 2);
- knot512_permute_8(&state, 140);
- memcpy(out + KNOT_HASH_512_SIZE / 2, state.B, KNOT_HASH_512_SIZE / 2);
- return 0;
-}
diff --git a/knot/Implementations/crypto_hash/knot384/rhys-avr/knot.h b/knot/Implementations/crypto_hash/knot384/rhys-avr/knot.h
deleted file mode 100644
index e2c5198..0000000
--- a/knot/Implementations/crypto_hash/knot384/rhys-avr/knot.h
+++ /dev/null
@@ -1,459 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_KNOT_H
-#define LWCRYPTO_KNOT_H
-
-#include "aead-common.h"
-
-/**
- * \file knot.h
- * \brief KNOT authenticated encryption and hash algorithms.
- *
- * KNOT is a family of authenticated encryption and hash algorithms built
- * around a permutation and the MonkeyDuplex sponge construction. The
- * family members are:
- *
- * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag, built around a 256-bit permutation. This is the primary
- * encryption member of the family.
- * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag, built around a 384-bit permutation.
- * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a
- * 192-bit tag, built around a 384-bit permutation.
- * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a
- * 256-bit tag, built around a 512-bit permutation.
- * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a
- * 256-bit permutation. This is the primary hashing member of the family.
- * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a
- * 384-bit permutation.
- * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a
- * 384-bit permutation.
- * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a
- * 512-bit permutation.
- *
- * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-128-256 and
- * KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_NONCE_SIZE 16
-
-/**
- * \brief Size of the key for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_KEY_SIZE 24
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_TAG_SIZE 24
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_NONCE_SIZE 24
-
-/**
- * \brief Size of the key for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_KEY_SIZE 32
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_TAG_SIZE 32
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_256_NONCE_SIZE 32
-
-/**
- * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384.
- */
-#define KNOT_HASH_256_SIZE 32
-
-/**
- * \brief Size of the hash for KNOT-HASH-384-384.
- */
-#define KNOT_HASH_384_SIZE 48
-
-/**
- * \brief Size of the hash for KNOT-HASH-512-512.
- */
-#define KNOT_HASH_512_SIZE 64
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-128-256 cipher.
- */
-extern aead_cipher_t const knot_aead_128_256_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-128-384 cipher.
- */
-extern aead_cipher_t const knot_aead_128_384_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-192-384 cipher.
- */
-extern aead_cipher_t const knot_aead_192_384_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-256-512 cipher.
- */
-extern aead_cipher_t const knot_aead_256_512_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-256-256 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_256_256_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-256-384 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_256_384_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-384-384 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_384_384_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-512-512 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_512_512_algorithm;
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_128_256_decrypt()
- */
-int knot_aead_128_256_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_128_256_encrypt()
- */
-int knot_aead_128_256_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa knot_aead_128_384_decrypt() - */ -int knot_aead_128_384_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. 
- * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa knot_aead_128_384_encrypt() - */ -int knot_aead_128_384_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - - -/** - * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa knot_aead_192_384_decrypt() - */ -int knot_aead_192_384_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. 
- * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa knot_aead_192_384_encrypt() - */ -int knot_aead_192_384_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa knot_aead_256_512_decrypt() - */ -int knot_aead_256_512_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa knot_aead_256_512_encrypt() - */ -int knot_aead_256_512_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data with KNOT-HASH-256-256. - * - * \param out Buffer to receive the hash output which must be at least - * KNOT_HASH_256_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. 
- */ -int knot_hash_256_256 - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Hashes a block of input data with KNOT-HASH-256-384. - * - * \param out Buffer to receive the hash output which must be at least - * KNOT_HASH_256_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int knot_hash_256_384 - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Hashes a block of input data with KNOT-HASH-384-384. - * - * \param out Buffer to receive the hash output which must be at least - * KNOT_HASH_384_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int knot_hash_384_384 - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Hashes a block of input data with KNOT-HASH-512-512. - * - * \param out Buffer to receive the hash output which must be at least - * KNOT_HASH_512_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int knot_hash_512_512 - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/aead-common.c b/knot/Implementations/crypto_hash/knot384/rhys/aead-common.c similarity index 100% rename from comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/aead-common.c rename to knot/Implementations/crypto_hash/knot384/rhys/aead-common.c 
diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/aead-common.h b/knot/Implementations/crypto_hash/knot384/rhys/aead-common.h
similarity index 100%
rename from comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/aead-common.h
rename to knot/Implementations/crypto_hash/knot384/rhys/aead-common.h
diff --git a/knot/Implementations/crypto_hash/knot384/rhys/api.h b/knot/Implementations/crypto_hash/knot384/rhys/api.h
new file mode 100644
index 0000000..d507385
--- /dev/null
+++ b/knot/Implementations/crypto_hash/knot384/rhys/api.h
@@ -0,0 +1 @@
+#define CRYPTO_BYTES 48
diff --git a/knot/Implementations/crypto_hash/knot384/rhys-avr/hash.c b/knot/Implementations/crypto_hash/knot384/rhys/hash.c
similarity index 100%
rename from knot/Implementations/crypto_hash/knot384/rhys-avr/hash.c
rename to knot/Implementations/crypto_hash/knot384/rhys/hash.c
diff --git a/knot/Implementations/crypto_hash/knot384/rhys/internal-knot-256-avr.S b/knot/Implementations/crypto_hash/knot384/rhys/internal-knot-256-avr.S
new file mode 100644
index 0000000..15e6389
--- /dev/null
+++ b/knot/Implementations/crypto_hash/knot384/rhys/internal-knot-256-avr.S
@@ -0,0 +1,1093 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_6, @object + .size table_6, 52 +table_6: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 33 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 49 + .byte 34 + .byte 5 + .byte 10 + .byte 20 + .byte 41 + .byte 19 + .byte 39 + .byte 15 + .byte 30 + .byte 61 + .byte 58 + .byte 52 + .byte 40 + .byte 17 + .byte 35 + .byte 7 + .byte 14 + .byte 28 + .byte 57 + .byte 50 + .byte 36 + .byte 9 + .byte 18 + .byte 37 + .byte 11 + .byte 22 + .byte 45 + .byte 27 + .byte 55 + .byte 46 + .byte 29 + .byte 59 + .byte 54 + .byte 44 + .byte 25 + .byte 51 + .byte 38 + .byte 13 + .byte 26 + .byte 53 + .byte 42 + + .text +.global knot256_permute_6 + .type knot256_permute_6, @function +knot256_permute_6: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + 
push r30 + ldi r30,lo8(table_6) + ldi r31,hi8(table_6) +#if defined(RAMPZ) + ldi r17,hh8(table_6) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + 
eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std 
Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 + ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_6, .-knot256_permute_6 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 
55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot256_permute_7 + .type knot256_permute_7, @function +knot256_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std 
Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + 
std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 
+ ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_7, .-knot256_permute_7 + +#endif diff --git a/knot/Implementations/crypto_hash/knot384/rhys/internal-knot-384-avr.S b/knot/Implementations/crypto_hash/knot384/rhys/internal-knot-384-avr.S new file mode 100644 index 0000000..4d15898 --- /dev/null +++ b/knot/Implementations/crypto_hash/knot384/rhys/internal-knot-384-avr.S 
@@ -0,0 +1,833 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot384_permute_7 + .type knot384_permute_7, @function +knot384_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,72 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 87 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std 
Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + ldd r4,Z+16 + ldd r5,Z+17 + ldd r6,Z+18 + ldd r7,Z+19 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r4,Z+28 + ldd r5,Z+29 + ldd r6,Z+30 + ldd r7,Z+31 + ldd r8,Z+32 + ldd r9,Z+33 + ldd r10,Z+34 + ldd r11,Z+35 + std Y+25,r26 + std Y+26,r27 + std Y+27,r2 + std Y+28,r3 + std Y+29,r4 + std Y+30,r5 + std Y+31,r6 + std Y+32,r7 + std Y+33,r8 + std Y+34,r9 + std Y+35,r10 + std Y+36,r11 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+37,r26 + std Y+38,r27 + std Y+39,r2 + std Y+40,r3 + std Y+41,r4 + std Y+42,r5 + std Y+43,r6 + std Y+44,r7 + std Y+45,r8 + std Y+46,r9 + std Y+47,r10 + std Y+48,r11 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r24,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif +99: + ldd r12,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + inc r30 + ldd r18,Y+13 + ldd r19,Y+25 + ldd r20,Y+37 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+61,r23 + mov r14,r20 + eor r14,r12 + mov r26,r18 + or r26,r19 + eor r26,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+1,r21 + mov r21,r26 + and r21,r12 + eor r21,r13 + std Y+49,r21 + ldd r12,Y+2 + ldd r18,Y+14 + ldd r19,Y+26 + ldd r20,Y+38 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std 
Y+62,r23 + mov r14,r20 + eor r14,r12 + mov r27,r18 + or r27,r19 + eor r27,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+2,r21 + mov r21,r27 + and r21,r12 + eor r21,r13 + std Y+50,r21 + ldd r12,Y+3 + ldd r18,Y+15 + ldd r19,Y+27 + ldd r20,Y+39 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+63,r23 + mov r14,r20 + eor r14,r12 + mov r2,r18 + or r2,r19 + eor r2,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+3,r21 + mov r21,r2 + and r21,r12 + eor r21,r13 + std Y+51,r21 + ldd r12,Y+4 + ldd r18,Y+16 + ldd r19,Y+28 + ldd r20,Y+40 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,192 + sbci r29,255 + st Y,r23 + subi r28,64 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r3,r18 + or r3,r19 + eor r3,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+4,r21 + mov r21,r3 + and r21,r12 + eor r21,r13 + std Y+52,r21 + ldd r12,Y+5 + ldd r18,Y+17 + ldd r19,Y+29 + ldd r20,Y+41 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,191 + sbci r29,255 + st Y,r23 + subi r28,65 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r4,r18 + or r4,r19 + eor r4,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+5,r21 + mov r21,r4 + and r21,r12 + eor r21,r13 + std Y+53,r21 + ldd r12,Y+6 + ldd r18,Y+18 + ldd r19,Y+30 + ldd r20,Y+42 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,190 + sbci r29,255 + st Y,r23 + subi r28,66 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r5,r18 + or r5,r19 + eor r5,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+6,r21 + mov r21,r5 + and r21,r12 + eor r21,r13 + std Y+54,r21 + ldd r12,Y+7 + ldd r18,Y+19 + ldd r19,Y+31 + ldd r20,Y+43 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,189 + sbci r29,255 + st Y,r23 + 
subi r28,67 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r6,r18 + or r6,r19 + eor r6,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+7,r21 + mov r21,r6 + and r21,r12 + eor r21,r13 + std Y+55,r21 + ldd r12,Y+8 + ldd r18,Y+20 + ldd r19,Y+32 + ldd r20,Y+44 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,188 + sbci r29,255 + st Y,r23 + subi r28,68 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r7,r18 + or r7,r19 + eor r7,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+8,r21 + mov r21,r7 + and r21,r12 + eor r21,r13 + std Y+56,r21 + ldd r12,Y+9 + ldd r18,Y+21 + ldd r19,Y+33 + ldd r20,Y+45 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,187 + sbci r29,255 + st Y,r23 + subi r28,69 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r8,r18 + or r8,r19 + eor r8,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+9,r21 + mov r21,r8 + and r21,r12 + eor r21,r13 + std Y+57,r21 + ldd r12,Y+10 + ldd r18,Y+22 + ldd r19,Y+34 + ldd r20,Y+46 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,186 + sbci r29,255 + st Y,r23 + subi r28,70 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r9,r18 + or r9,r19 + eor r9,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+10,r21 + mov r21,r9 + and r21,r12 + eor r21,r13 + std Y+58,r21 + ldd r12,Y+11 + ldd r18,Y+23 + ldd r19,Y+35 + ldd r20,Y+47 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,185 + sbci r29,255 + st Y,r23 + subi r28,71 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r10,r18 + or r10,r19 + eor r10,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+11,r21 + mov r21,r10 + and r21,r12 + eor r21,r13 + std Y+59,r21 + ldd r12,Y+12 + ldd r18,Y+24 + ldd r19,Y+36 + ldd r20,Y+48 + com r12 + mov r13,r18 + and r13,r12 + eor 
r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,184 + sbci r29,255 + st Y,r23 + subi r28,72 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r11,r18 + or r11,r19 + eor r11,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+12,r21 + mov r21,r11 + and r21,r12 + eor r21,r13 + std Y+60,r21 + std Y+25,r11 + std Y+26,r26 + std Y+27,r27 + std Y+28,r2 + std Y+29,r3 + std Y+30,r4 + std Y+31,r5 + std Y+32,r6 + std Y+33,r7 + std Y+34,r8 + std Y+35,r9 + std Y+36,r10 + ldd r26,Y+49 + ldd r27,Y+50 + ldd r2,Y+51 + ldd r3,Y+52 + ldd r4,Y+53 + ldd r5,Y+54 + ldd r6,Y+55 + ldd r7,Y+56 + ldd r8,Y+57 + ldd r9,Y+58 + ldd r10,Y+59 + ldd r11,Y+60 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + adc r26,r1 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + adiw r28,61 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y + subi r28,72 + sbc r29,r1 + bst r26,0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r3 + ror r2 + ror r27 + ror r26 + bld r11,7 + std Y+37,r5 + std Y+38,r6 + std Y+39,r7 + std Y+40,r8 + std Y+41,r9 + std Y+42,r10 + std Y+43,r11 + std Y+44,r26 + std Y+45,r27 + std Y+46,r2 + std Y+47,r3 + std Y+48,r4 + dec r22 + breq 5542f + rjmp 99b +5542: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r2,Y+15 + ldd r3,Y+16 + ldd r4,Y+17 + ldd r5,Y+18 + ldd r6,Y+19 + ldd 
r7,Y+20 + ldd r8,Y+21 + ldd r9,Y+22 + ldd r10,Y+23 + ldd r11,Y+24 + std Z+12,r26 + std Z+13,r27 + std Z+14,r2 + std Z+15,r3 + std Z+16,r4 + std Z+17,r5 + std Z+18,r6 + std Z+19,r7 + std Z+20,r8 + std Z+21,r9 + std Z+22,r10 + std Z+23,r11 + ldd r26,Y+25 + ldd r27,Y+26 + ldd r2,Y+27 + ldd r3,Y+28 + ldd r4,Y+29 + ldd r5,Y+30 + ldd r6,Y+31 + ldd r7,Y+32 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + std Z+24,r26 + std Z+25,r27 + std Z+26,r2 + std Z+27,r3 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+32,r8 + std Z+33,r9 + std Z+34,r10 + std Z+35,r11 + ldd r26,Y+37 + ldd r27,Y+38 + ldd r2,Y+39 + ldd r3,Y+40 + ldd r4,Y+41 + ldd r5,Y+42 + ldd r6,Y+43 + ldd r7,Y+44 + ldd r8,Y+45 + ldd r9,Y+46 + ldd r10,Y+47 + ldd r11,Y+48 + std Z+36,r26 + std Z+37,r27 + std Z+38,r2 + std Z+39,r3 + std Z+40,r4 + std Z+41,r5 + std Z+42,r6 + std Z+43,r7 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + subi r28,184 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot384_permute_7, .-knot384_permute_7 + +#endif diff --git a/knot/Implementations/crypto_hash/knot384/rhys/internal-knot-512-avr.S b/knot/Implementations/crypto_hash/knot384/rhys/internal-knot-512-avr.S new file mode 100644 index 0000000..6f92ac3 --- /dev/null +++ b/knot/Implementations/crypto_hash/knot384/rhys/internal-knot-512-avr.S 
@@ -0,0 +1,2315 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot512_permute_7 + .type knot512_permute_7, @function +knot512_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd 
r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 
+ ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + 
subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 + ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + 
mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor 
r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi 
r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std 
Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_7, .-knot512_permute_7 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_8, @object + .size table_8, 140 +table_8: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 17 + .byte 35 + .byte 71 + .byte 142 + .byte 28 + .byte 56 + .byte 113 + .byte 226 + .byte 196 + .byte 137 + .byte 18 + .byte 37 + .byte 75 + .byte 151 + .byte 46 + .byte 92 + .byte 184 + .byte 112 + .byte 224 + .byte 192 + .byte 129 + .byte 3 + .byte 6 + .byte 12 + .byte 25 + .byte 50 + .byte 100 + .byte 201 + .byte 146 + .byte 36 + .byte 73 + .byte 147 + .byte 38 + .byte 77 + .byte 155 + .byte 55 + .byte 110 + .byte 220 + .byte 185 + .byte 114 + .byte 228 + .byte 200 + .byte 144 + .byte 32 + .byte 65 + .byte 130 + .byte 5 
+ .byte 10 + .byte 21 + .byte 43 + .byte 86 + .byte 173 + .byte 91 + .byte 182 + .byte 109 + .byte 218 + .byte 181 + .byte 107 + .byte 214 + .byte 172 + .byte 89 + .byte 178 + .byte 101 + .byte 203 + .byte 150 + .byte 44 + .byte 88 + .byte 176 + .byte 97 + .byte 195 + .byte 135 + .byte 15 + .byte 31 + .byte 62 + .byte 125 + .byte 251 + .byte 246 + .byte 237 + .byte 219 + .byte 183 + .byte 111 + .byte 222 + .byte 189 + .byte 122 + .byte 245 + .byte 235 + .byte 215 + .byte 174 + .byte 93 + .byte 186 + .byte 116 + .byte 232 + .byte 209 + .byte 162 + .byte 68 + .byte 136 + .byte 16 + .byte 33 + .byte 67 + .byte 134 + .byte 13 + .byte 27 + .byte 54 + .byte 108 + .byte 216 + .byte 177 + .byte 99 + .byte 199 + .byte 143 + .byte 30 + .byte 60 + .byte 121 + .byte 243 + .byte 231 + .byte 206 + .byte 156 + .byte 57 + .byte 115 + .byte 230 + .byte 204 + .byte 152 + .byte 49 + .byte 98 + .byte 197 + .byte 139 + .byte 22 + .byte 45 + .byte 90 + .byte 180 + .byte 105 + .byte 210 + .byte 164 + .byte 72 + .byte 145 + .byte 34 + .byte 69 + + .text +.global knot512_permute_8 + .type knot512_permute_8, @function +knot512_permute_8: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd 
r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_8) + ldi r31,hi8(table_8) +#if defined(RAMPZ) + ldi r17,hh8(table_8) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 + ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor 
r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 
+ ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor 
r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov 
r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std 
Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std 
Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_8, .-knot512_permute_8 + +#endif diff --git a/knot/Implementations/crypto_hash/knot384/rhys/internal-knot.c b/knot/Implementations/crypto_hash/knot384/rhys/internal-knot.c new file mode 100644 index 0000000..f8b378e --- /dev/null +++ b/knot/Implementations/crypto_hash/knot384/rhys/internal-knot.c 
@@ -0,0 +1,301 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. 
+ */ + +#include "internal-knot.h" + +#if !defined(__AVR__) + +/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ +static uint8_t const rc6[52] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, + 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28, + 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b, + 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26, + 0x0d, 0x1a, 0x35, 0x2a +}; +static uint8_t const rc7[104] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30, + 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c, + 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33, + 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f, + 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38, + 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36, + 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b, + 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25, + 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c +}; +static uint8_t const rc8[140] = { + 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2, + 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0, + 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93, + 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20, + 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda, + 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0, + 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7, + 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8, + 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c, + 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c, + 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 
0xc5, 0x8b, 0x16, 0x2d, 0x5a, + 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45 +}; + +/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */ +#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint64_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */ +#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint32_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +static void knot256_permute + (knot256_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b1, b2, b3; + + /* Load the input state into local variables; each row is 64 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x1, x2, x3, b1, b2, b3); + + /* Linear diffusion layer */ + x1 = leftRotate1_64(b1); + x2 = leftRotate8_64(b2); + x3 = leftRotate25_64(b3); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + 
le_store_word64(state->B + 24, x3); +#endif +} + +void knot256_permute_6(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc6, rounds); +} + +void knot256_permute_7(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc7, rounds); +} + +void knot384_permute_7(knot384_state_t *state, uint8_t rounds) +{ + const uint8_t *rc = rc7; + uint64_t b2, b4, b6; + uint32_t b3, b5, b7; + + /* Load the input state into local variables; each row is 96 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint32_t x1 = state->W[2]; + uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32); + uint32_t x3 = state->W[5]; + uint64_t x4 = state->S[3]; + uint32_t x5 = state->W[8]; + uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32); + uint32_t x7 = state->W[11]; +#else + uint64_t x0 = le_load_word64(state->B); + uint32_t x1 = le_load_word32(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 12); + uint32_t x3 = le_load_word32(state->B + 20); + uint64_t x4 = le_load_word64(state->B + 24); + uint32_t x5 = le_load_word32(state->B + 32); + uint64_t x6 = le_load_word64(state->B + 36); + uint32_t x7 = le_load_word32(state->B + 44); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox32(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotateShort_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ + } while (0) + #define leftRotateLong_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | \ + (((uint64_t)(b1)) << ((bits) - 32)) | \ + ((b0) >> (96 - (bits))); \ + (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \ + } while (0) + leftRotateShort_96(x2, x3, b2, b3, 1); + leftRotateShort_96(x4, x5, b4, b5, 8); + 
leftRotateLong_96(x6, x7, b6, b7, 55); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->W[2] = x1; + state->W[3] = (uint32_t)x2; + state->W[4] = (uint32_t)(x2 >> 32); + state->W[5] = x3; + state->S[3] = x4; + state->W[8] = x5; + state->W[9] = (uint32_t)x6; + state->W[10] = (uint32_t)(x6 >> 32); + state->W[11] = x7; +#else + le_store_word64(state->B, x0); + le_store_word32(state->B + 8, x1); + le_store_word64(state->B + 12, x2); + le_store_word32(state->B + 20, x3); + le_store_word64(state->B + 24, x4); + le_store_word32(state->B + 32, x5); + le_store_word64(state->B + 36, x6); + le_store_word32(state->B + 44, x7); +#endif +} + +static void knot512_permute + (knot512_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b2, b3, b4, b5, b6, b7; + + /* Load the input state into local variables; each row is 128 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; + uint64_t x5 = state->S[5]; + uint64_t x6 = state->S[6]; + uint64_t x7 = state->S[7]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); + uint64_t x4 = le_load_word64(state->B + 32); + uint64_t x5 = le_load_word64(state->B + 40); + uint64_t x6 = le_load_word64(state->B + 48); + uint64_t x7 = le_load_word64(state->B + 56); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox64(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotate_128(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) 
>> (64 - (bits))); \ + } while (0) + leftRotate_128(x2, x3, b2, b3, 1); + leftRotate_128(x4, x5, b4, b5, 16); + leftRotate_128(x6, x7, b6, b7, 25); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; + state->S[5] = x5; + state->S[6] = x6; + state->S[7] = x7; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); + le_store_word64(state->B + 32, x4); + le_store_word64(state->B + 40, x5); + le_store_word64(state->B + 48, x6); + le_store_word64(state->B + 56, x7); +#endif +} + +void knot512_permute_7(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc7, rounds); +} + +void knot512_permute_8(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc8, rounds); +} + +#endif /* !__AVR__ */ diff --git a/knot/Implementations/crypto_hash/knot384/rhys/internal-knot.h b/knot/Implementations/crypto_hash/knot384/rhys/internal-knot.h new file mode 100644 index 0000000..88a782c --- /dev/null +++ b/knot/Implementations/crypto_hash/knot384/rhys/internal-knot.h 
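Review bot: Nothing in `knot256_permute`, `knot384_permute_7` or `knot512_permute` bounds `rounds` against the length of the round-constant table it walks with `x0 ^= *rc++`, so a caller exceeding the documented maximum (52 entries in `rc6`, 104 in `rc7`, 140 in `rc8`) reads past the static array. The header states those limits but the implementation does not record the precondition; a comment on each round loop such as `/* caller guarantees rounds <= table length: rc is advanced without a bound check */` would make the contract visible where the read happens. Separately, `leftRotateShort_96`, `leftRotateLong_96` and `leftRotate_128` are `#define`d inside function bodies and never `#undef`ed, so they stay live for the rest of the translation unit; moving them to file scope beside `knot_sbox64`/`knot_sbox32`, or adding `#undef` after the loop, is the usual hygiene.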
@@ -0,0 +1,130 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_KNOT_H +#define LW_INTERNAL_KNOT_H + +#include "internal-util.h" + +/** + * \file internal-knot.h + * \brief Permutations that are used by the KNOT AEAD and hash algorithms. + */ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \brief Internal state of the KNOT-256 permutation. + */ +typedef union +{ + uint64_t S[4]; /**< Words of the state */ + uint8_t B[32]; /**< Bytes of the state */ + +} knot256_state_t; + +/** + * \brief Internal state of the KNOT-384 permutation. + */ +typedef union +{ + uint64_t S[6]; /**< 64-bit words of the state */ + uint32_t W[12]; /**< 32-bit words of the state */ + uint8_t B[48]; /**< Bytes of the state */ + +} knot384_state_t; + +/** + * \brief Internal state of the KNOT-512 permutation. 
+ */ +typedef union +{ + uint64_t S[8]; /**< Words of the state */ + uint8_t B[64]; /**< Bytes of the state */ + +} knot512_state_t; + +/** + * \brief Permutes the KNOT-256 state, using 6-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 52. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot256_permute_6(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-256 state, using 7-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot256_permute_7(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-384 state, using 7-bit round constants. + * + * \param state The KNOT-384 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot384_permute_7(knot384_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 7-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot512_permute_7(knot512_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 8-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 140. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot512_permute_8(knot512_state_t *state, uint8_t rounds); + +/** + * \brief Generic pointer to a function that performs a KNOT permutation. + * + * \param state Points to the permutation state. 
+ * \param round Number of rounds to perform. + */ +typedef void (*knot_permute_t)(void *state, uint8_t rounds); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-util.h b/knot/Implementations/crypto_hash/knot384/rhys/internal-util.h similarity index 100% rename from comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/internal-util.h rename to knot/Implementations/crypto_hash/knot384/rhys/internal-util.h diff --git a/knot/Implementations/crypto_hash/knot384/rhys/knot-hash.c b/knot/Implementations/crypto_hash/knot384/rhys/knot-hash.c new file mode 100644 index 0000000..a4edecd --- /dev/null +++ b/knot/Implementations/crypto_hash/knot384/rhys/knot-hash.c 
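Review bot: The Doxygen block for `knot_permute_t` documents `\param round` while the parameter is named `rounds`, so the actual parameter is left undocumented and Doxygen will warn; change it to ` * \param rounds Number of rounds to perform.`. The typedef also takes `void *state` whereas every concrete `knot*_permute_*` declared above takes a typed state pointer, so storing one of them in a `knot_permute_t` requires a function-pointer cast; a sentence in the brief saying which functions are meant to be stored there, and that the pointee must be the matching state union, would help readers of the callers.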
@@ -0,0 +1,186 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. 
+ */
+
+#include "knot.h"
+#include "internal-knot.h"
+#include
+
+aead_hash_algorithm_t const knot_hash_256_256_algorithm = {
+ "KNOT-HASH-256-256",
+ sizeof(int),
+ KNOT_HASH_256_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ knot_hash_256_256,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+aead_hash_algorithm_t const knot_hash_256_384_algorithm = {
+ "KNOT-HASH-256-384",
+ sizeof(int),
+ KNOT_HASH_256_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ knot_hash_256_384,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+aead_hash_algorithm_t const knot_hash_384_384_algorithm = {
+ "KNOT-HASH-384-384",
+ sizeof(int),
+ KNOT_HASH_384_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ knot_hash_384_384,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+aead_hash_algorithm_t const knot_hash_512_512_algorithm = {
+ "KNOT-HASH-512-512",
+ sizeof(int),
+ KNOT_HASH_512_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ knot_hash_512_512,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+/**
+ * \brief Input rate for KNOT-HASH-256-256.
+ */
+#define KNOT_HASH_256_256_RATE 4
+
+/**
+ * \brief Input rate for KNOT-HASH-256-384.
+ */
+#define KNOT_HASH_256_384_RATE 16
+
+/**
+ * \brief Input rate for KNOT-HASH-384-384.
+ */
+#define KNOT_HASH_384_384_RATE 6
+
+/**
+ * \brief Input rate for KNOT-HASH-512-512.
+ */
+#define KNOT_HASH_512_512_RATE 8
+
+int knot_hash_256_256
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ knot256_state_t state;
+ unsigned temp;
+ memset(state.B, 0, sizeof(state.B));
+ while (inlen >= KNOT_HASH_256_256_RATE) {
+ lw_xor_block(state.B, in, KNOT_HASH_256_256_RATE);
+ knot256_permute_7(&state, 68);
+ in += KNOT_HASH_256_256_RATE;
+ inlen -= KNOT_HASH_256_256_RATE;
+ }
+ temp = (unsigned)inlen;
+ lw_xor_block(state.B, in, temp);
+ state.B[temp] ^= 0x01;
+ knot256_permute_7(&state, 68);
+ memcpy(out, state.B, KNOT_HASH_256_SIZE / 2);
+ knot256_permute_7(&state, 68);
+ memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2);
+ return 0;
+}
+
+int knot_hash_256_384
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ knot384_state_t state;
+ unsigned temp;
+ memset(state.B, 0, sizeof(state.B));
+ state.B[sizeof(state.B) - 1] ^= 0x80;
+ while (inlen >= KNOT_HASH_256_384_RATE) {
+ lw_xor_block(state.B, in, KNOT_HASH_256_384_RATE);
+ knot384_permute_7(&state, 80);
+ in += KNOT_HASH_256_384_RATE;
+ inlen -= KNOT_HASH_256_384_RATE;
+ }
+ temp = (unsigned)inlen;
+ lw_xor_block(state.B, in, temp);
+ state.B[temp] ^= 0x01;
+ knot384_permute_7(&state, 80);
+ memcpy(out, state.B, KNOT_HASH_256_SIZE / 2);
+ knot384_permute_7(&state, 80);
+ memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2);
+ return 0;
+}
+
+int knot_hash_384_384
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ knot384_state_t state;
+ unsigned temp;
+ memset(state.B, 0, sizeof(state.B));
+ while (inlen >= KNOT_HASH_384_384_RATE) {
+ lw_xor_block(state.B, in, KNOT_HASH_384_384_RATE);
+ knot384_permute_7(&state, 104);
+ in += KNOT_HASH_384_384_RATE;
+ inlen -= KNOT_HASH_384_384_RATE;
+ }
+ temp = (unsigned)inlen;
+ lw_xor_block(state.B, in, temp);
+ state.B[temp] ^= 0x01;
+ knot384_permute_7(&state, 104);
+ memcpy(out, state.B, KNOT_HASH_384_SIZE / 2);
+ knot384_permute_7(&state, 104);
+ memcpy(out + KNOT_HASH_384_SIZE / 2, state.B, KNOT_HASH_384_SIZE / 2);
+ return 0;
+}
+
+int knot_hash_512_512
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ knot512_state_t state;
+ unsigned temp;
+ memset(state.B, 0, sizeof(state.B));
+ while (inlen >= KNOT_HASH_512_512_RATE) {
+ lw_xor_block(state.B, in, KNOT_HASH_512_512_RATE);
+ knot512_permute_8(&state, 140);
+ in += KNOT_HASH_512_512_RATE;
+ inlen -= KNOT_HASH_512_512_RATE;
+ }
+ temp = (unsigned)inlen;
+ lw_xor_block(state.B, in, temp);
+ state.B[temp] ^= 0x01;
+ knot512_permute_8(&state, 140);
+ memcpy(out, state.B, KNOT_HASH_512_SIZE / 2);
+ knot512_permute_8(&state, 140);
+ memcpy(out + KNOT_HASH_512_SIZE / 2, state.B, KNOT_HASH_512_SIZE / 2);
+ return 0;
+}
diff --git a/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/ascon128.h b/knot/Implementations/crypto_hash/knot384/rhys/knot.h
similarity index 58%
rename from ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/ascon128.h
rename to knot/Implementations/crypto_hash/knot384/rhys/knot.h
index fd9db13..e2c5198 100644
--- a/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/ascon128.h
+++ b/knot/Implementations/crypto_hash/knot384/rhys/knot.h
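Review bot: The third include after `internal-knot.h` appears as a bare `#include` with no header name in this view; the file calls `memset` and `memcpy`, so presumably `<string.h>` was lost to the rendering rather than omitted, but it is worth confirming the committed file names it. In each of the four hash functions the final block relies on the absorb loop exiting with `inlen < RATE`, which is what keeps `state.B[temp] ^= 0x01` inside the rate bytes of the state; a one-line comment above `temp = (unsigned)inlen;` such as `/* inlen < RATE here, so temp indexes the rate portion of state.B */` records that invariant for the next reader. The sponge state is left on the stack at return, which is acceptable for a hash of public data but deserves a note in the header if callers are expected to hash key material.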
@@ -20,28 +20,38 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LWCRYPTO_ASCON_H -#define LWCRYPTO_ASCON_H +#ifndef LWCRYPTO_KNOT_H +#define LWCRYPTO_KNOT_H #include "aead-common.h" /** - * \file ascon128.h - * \brief ASCON-128 encryption algorithm and related family members. - * - * The ASCON family consists of several related algorithms: - * - * \li ASCON-128 with a 128-bit key, a 128-bit nonce, a 128-bit authentication - * tag, and a block rate of 64 bits. - * \li ASCON-128a with a 128-bit key, a 128-bit nonce, a 128-bit authentication - * tag, and a block rate of 128 bits. This is faster than ASCON-128 but may - * not be as secure. - * \li ASCON-80pq with a 160-bit key, a 128-bit nonce, a 128-bit authentication - * tag, and a block rate of 64 bits. This is similar to ASCON-128 but has a - * 160-bit key instead which may be more resistant against quantum computers. - * \li ASCON-HASH with a 256-bit hash output. - * - * References: https://ascon.iaik.tugraz.at/ + * \file knot.h + * \brief KNOT authenticated encryption and hash algorithms. + * + * KNOT is a family of authenticated encryption and hash algorithms built + * around a permutation and the MonkeyDuplex sponge construction. The + * family members are: + * + * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 256-bit permutation. This is the primary + * encryption member of the family. + * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a + * 192-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a + * 256-bit tag, built around a 512-bit permutation. + * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a + * 256-bit permutation. This is the primary hashing member of the family. 
+ * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a + * 512-bit permutation. + * + * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf */ #ifdef __cplusplus 
@@ -49,81 +59,108 @@ extern "C" { #endif /** - * \brief Size of the key for ASCON-128 and ASCON-128a. + * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-128-256 and + * KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_TAG_SIZE 16 + +/** + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. + */ +#define KNOT_AEAD_128_NONCE_SIZE 16 + +/** + * \brief Size of the key for KNOT-AEAD-192-384. + */ +#define KNOT_AEAD_192_KEY_SIZE 24 + +/** + * \brief Size of the authentication tag for KNOT-AEAD-192-384. */ -#define ASCON128_KEY_SIZE 16 +#define KNOT_AEAD_192_TAG_SIZE 24 /** - * \brief Size of the nonce for ASCON-128 and ASCON-128a. + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384. */ -#define ASCON128_NONCE_SIZE 16 +#define KNOT_AEAD_192_NONCE_SIZE 24 /** - * \brief Size of the authentication tag for ASCON-128 and ASCON-128a. + * \brief Size of the key for KNOT-AEAD-256-512. */ -#define ASCON128_TAG_SIZE 16 +#define KNOT_AEAD_256_KEY_SIZE 32 /** - * \brief Size of the key for ASCON-80pq. + * \brief Size of the authentication tag for KNOT-AEAD-256-512. */ -#define ASCON80PQ_KEY_SIZE 20 +#define KNOT_AEAD_256_TAG_SIZE 32 /** - * \brief Size of the nonce for ASCON-80pq. + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. */ -#define ASCON80PQ_NONCE_SIZE 16 +#define KNOT_AEAD_256_NONCE_SIZE 32 /** - * \brief Size of the authentication tag for ASCON-80pq. + * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384. */ -#define ASCON80PQ_TAG_SIZE 16 +#define KNOT_HASH_256_SIZE 32 /** - * \brief Size of the hash output for ASCON-HASH. + * \brief Size of the hash for KNOT-HASH-384-384. */ -#define ASCON_HASH_SIZE 32 +#define KNOT_HASH_384_SIZE 48 /** - * \brief State information for ASCON-HASH and ASCON-XOF incremental modes. + * \brief Size of the hash for KNOT-HASH-512-512. 
*/ -typedef union -{ - struct { - unsigned char state[40]; /**< Current hash state */ - unsigned char count; /**< Number of bytes in the current block */ - unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */ - } s; /**< State */ - unsigned long long align; /**< For alignment of this structure */ +#define KNOT_HASH_512_SIZE 64 -} ascon_hash_state_t; +/** + * \brief Meta-information block for the KNOT-AEAD-128-256 cipher. + */ +extern aead_cipher_t const knot_aead_128_256_cipher; + +/** + * \brief Meta-information block for the KNOT-AEAD-128-384 cipher. + */ +extern aead_cipher_t const knot_aead_128_384_cipher; /** - * \brief Meta-information block for the ASCON-128 cipher. + * \brief Meta-information block for the KNOT-AEAD-192-384 cipher. */ -extern aead_cipher_t const ascon128_cipher; +extern aead_cipher_t const knot_aead_192_384_cipher; /** - * \brief Meta-information block for the ASCON-128a cipher. + * \brief Meta-information block for the KNOT-AEAD-256-512 cipher. */ -extern aead_cipher_t const ascon128a_cipher; +extern aead_cipher_t const knot_aead_256_512_cipher; /** - * \brief Meta-information block for the ASCON-80pq cipher. + * \brief Meta-information block for the KNOT-HASH-256-256 algorithm. */ -extern aead_cipher_t const ascon80pq_cipher; +extern aead_hash_algorithm_t const knot_hash_256_256_algorithm; /** - * \brief Meta-information block for the ASCON-HASH algorithm. + * \brief Meta-information block for the KNOT-HASH-256-384 algorithm. */ -extern aead_hash_algorithm_t const ascon_hash_algorithm; +extern aead_hash_algorithm_t const knot_hash_256_384_algorithm; /** - * \brief Meta-information block for the ASCON-XOF algorithm. + * \brief Meta-information block for the KNOT-HASH-384-384 algorithm. */ -extern aead_hash_algorithm_t const ascon_xof_algorithm; +extern aead_hash_algorithm_t const knot_hash_384_384_algorithm; /** - * \brief Encrypts and authenticates a packet with ASCON-128. 
+ * \brief Meta-information block for the KNOT-HASH-512-512 algorithm. + */ +extern aead_hash_algorithm_t const knot_hash_512_512_algorithm; + +/** + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes @@ -141,9 +178,9 @@ extern aead_hash_algorithm_t const ascon_xof_algorithm; * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa ascon128_aead_decrypt() + * \sa knot_aead_128_256_decrypt() */ -int ascon128_aead_encrypt +int knot_aead_128_256_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -152,7 +189,7 @@ int ascon128_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with ASCON-128. + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -171,9 +208,9 @@ int ascon128_aead_encrypt * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa ascon128_aead_encrypt() + * \sa knot_aead_128_256_encrypt() */ -int ascon128_aead_decrypt +int knot_aead_128_256_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -182,7 +219,7 @@ int ascon128_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with ASCON-128a. + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes 
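Review bot: Two of the new size-constant briefs name the wrong family members: `KNOT_AEAD_192_NONCE_SIZE` is described as the nonce size for KNOT-AEAD-128-256 and KNOT-AEAD-192-384, and `KNOT_AEAD_256_NONCE_SIZE` as the nonce size for KNOT-AEAD-128-256 and KNOT-AEAD-128-384, while the 128-bit variants already have `KNOT_AEAD_128_NONCE_SIZE` just above. They should read ` * \brief Size of the nonce for KNOT-AEAD-192-384.` and ` * \brief Size of the nonce for KNOT-AEAD-256-512.` respectively, matching the 24 and 32 byte values and the key/tag briefs beside them.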
@@ -200,9 +237,9 @@ int ascon128_aead_decrypt * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa ascon128a_aead_decrypt() + * \sa knot_aead_128_384_decrypt() */ -int ascon128a_aead_encrypt +int knot_aead_128_384_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -211,7 +248,7 @@ int ascon128a_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with ASCON-128a. + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -230,9 +267,9 @@ int ascon128a_aead_encrypt * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa ascon128a_aead_encrypt() + * \sa knot_aead_128_384_encrypt() */ -int ascon128a_aead_decrypt +int knot_aead_128_384_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -240,8 +277,9 @@ int ascon128a_aead_decrypt const unsigned char *npub, const unsigned char *k); + /** - * \brief Encrypts and authenticates a packet with ASCON-80pq. + * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes 
@@ -254,14 +292,14 @@ int ascon128a_aead_decrypt * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must * be 16 bytes in length. - * \param k Points to the 20 bytes of the key to use to encrypt the packet. + * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa ascon80pq_aead_decrypt() + * \sa knot_aead_192_384_decrypt() */ -int ascon80pq_aead_encrypt +int knot_aead_192_384_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -270,7 +308,7 @@ int ascon80pq_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with ASCON-80pq. + * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -284,14 +322,14 @@ int ascon80pq_aead_encrypt * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must * be 16 bytes in length. - * \param k Points to the 20 bytes of the key to use to decrypt the packet. + * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa ascon80pq_aead_encrypt() + * \sa knot_aead_192_384_encrypt() */ -int ascon80pq_aead_decrypt +int knot_aead_192_384_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, 
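Review bot: The `\param k` lines for `knot_aead_192_384_encrypt` and `knot_aead_192_384_decrypt` now say 16 bytes, but `KNOT_AEAD_192_KEY_SIZE` is defined as 24 earlier in this header, and the unchanged `\param npub ... must be 16 bytes in length` context contradicts `KNOT_AEAD_192_NONCE_SIZE 24` in the same way. Both hunks on this line should read ` * \param k Points to the 24 bytes of the key to use to encrypt the packet.` (decrypt accordingly) and ` * be 24 bytes in length.` for the nonce. The same mismatch appears in the following hunk for KNOT-AEAD-256-512, whose key, nonce and tag sizes are 32 bytes and which continues past this view; a caller sizing buffers from these comments would pass buffers shorter than the implementation reads.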
@@ -300,106 +338,119 @@ int ascon80pq_aead_decrypt
  const unsigned char *k);
 
 /**
- * \brief Hashes a block of input data with ASCON-HASH.
+ * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512.
  *
- * \param out Buffer to receive the hash output which must be at least
- * ASCON_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- *
- * \sa ascon_hash_init(), ascon_hash_absorb(), ascon_hash_squeeze()
- */
-int ascon_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for an ASCON-HASH hashing operation.
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ * the ciphertext and the 16 byte authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to encrypt the packet.
  *
- * \param state Hash state to be initialized.
+ * \return 0 on success, or a negative value if there was an error in
+ * the parameters.
  *
- * \sa ascon_hash_update(), ascon_hash_finalize(), ascon_hash()
+ * \sa knot_aead_256_512_decrypt()
  */
-void ascon_hash_init(ascon_hash_state_t *state);
+int knot_aead_256_512_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k);
 
 /**
- * \brief Updates an ASCON-HASH state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
+ * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512.
  *
- * \sa ascon_hash_init(), ascon_hash_finalize()
- */
-void ascon_hash_update
- (ascon_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from an ASCON-HASH hashing operation.
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param c Buffer that contains the ciphertext and authentication
+ * tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ * ciphertext and the 16 byte authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to decrypt the packet.
  *
- * \param state Hash state to be finalized.
- * \param out Points to the output buffer to receive the 32-byte hash value.
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ * or some other negative number if there was an error in the parameters.
  *
- * \sa ascon_hash_init(), ascon_hash_update()
+ * \sa knot_aead_256_512_encrypt()
  */
-void ascon_hash_finalize
- (ascon_hash_state_t *state, unsigned char *out);
+int knot_aead_256_512_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k);
 
 /**
- * \brief Hashes a block of input data with ASCON-XOF and generates a
- * fixed-length 32 byte output.
+ * \brief Hashes a block of input data with KNOT-HASH-256-256.
  *
  * \param out Buffer to receive the hash output which must be at least
- * ASCON_HASH_SIZE bytes in length.
+ * KNOT_HASH_256_SIZE bytes in length.
  * \param in Points to the input data to be hashed.
  * \param inlen Length of the input data in bytes.
  *
  * \return Returns zero on success or -1 if there was an error in the
  * parameters.
- *
- * Use ascon_xof_squeeze() instead if you need variable-length XOF ouutput.
- *
- * \sa ascon_xof_init(), ascon_xof_absorb(), ascon_xof_squeeze()
  */
-int ascon_xof
+int knot_hash_256_256
  (unsigned char *out, const unsigned char *in, unsigned long long inlen);
 
 /**
- * \brief Initializes the state for an ASCON-XOF hashing operation.
+ * \brief Hashes a block of input data with KNOT-HASH-256-384.
  *
- * \param state Hash state to be initialized.
+ * \param out Buffer to receive the hash output which must be at least
+ * KNOT_HASH_256_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
  *
- * \sa ascon_xof_absorb(), ascon_xof_squeeze(), ascon_xof()
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
  */
-void ascon_xof_init(ascon_hash_state_t *state);
+int knot_hash_256_384
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen);
 
 /**
- * \brief Aborbs more input data into an ASCON-XOF state.
+ * \brief Hashes a block of input data with KNOT-HASH-384-384.
  *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
+ * \param out Buffer to receive the hash output which must be at least
+ * KNOT_HASH_384_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
  *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
  */
-void ascon_xof_absorb
- (ascon_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen);
+int knot_hash_384_384
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen);
 
 /**
- * \brief Squeezes output data from an ASCON-XOF state.
+ * \brief Hashes a block of input data with KNOT-HASH-512-512.
  *
- * \param state Hash state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
+ * \param out Buffer to receive the hash output which must be at least
+ * KNOT_HASH_512_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
  *
- * \sa ascon_xof_init(), ascon_xof_update()
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
  */
-void ascon_xof_squeeze
- (ascon_hash_state_t *state, unsigned char *out, unsigned long long outlen);
+int knot_hash_512_512
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen);
 
 #ifdef __cplusplus
 }
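Review bot: The new documentation for knot_aead_256_512_encrypt and knot_aead_256_512_decrypt repeats the 16-byte key, 16-byte nonce and 16-byte tag figures used for the 192-bit variant above it, which is unlikely to be right for a variant named 256; please check these lines against the size constants this header defines outside the hunk before merging. The hash declarations in the same hunk already say `KNOT_HASH_256_SIZE bytes in length` instead of a literal count, and the AEAD comments would be safer in that style, since a caller that allocates a 16-byte nonce or key from this text would pass the cipher a buffer shorter than it reads. Separately, the removed ascon_hash_init/update/finalize and ascon_xof_* declarations get no KNOT counterpart in this hunk; if one-shot hashing is all this header intends to offer, a one-line note next to knot_hash_256_256 saying so would spare readers looking for an incremental API.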
diff --git a/knot/Implementations/crypto_hash/knot512/rhys-avr/aead-common.c b/knot/Implementations/crypto_hash/knot512/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/knot/Implementations/crypto_hash/knot512/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/knot/Implementations/crypto_hash/knot512/rhys-avr/aead-common.h b/knot/Implementations/crypto_hash/knot512/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/knot/Implementations/crypto_hash/knot512/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/knot/Implementations/crypto_hash/knot512/rhys-avr/api.h b/knot/Implementations/crypto_hash/knot512/rhys-avr/api.h
deleted file mode 100644
index de9380d..0000000
--- a/knot/Implementations/crypto_hash/knot512/rhys-avr/api.h
+++ /dev/null
@@ -1 +0,0 @@
-#define CRYPTO_BYTES 64
diff --git a/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot-256-avr.S b/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot-256-avr.S
deleted file mode 100644
index 15e6389..0000000
--- a/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot-256-avr.S
+++ /dev/null
@@ -1,1093 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_6, @object - .size table_6, 52 -table_6: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 33 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 49 - .byte 34 - .byte 5 - .byte 10 - .byte 20 - .byte 41 - .byte 19 - .byte 39 - .byte 15 - .byte 30 - .byte 61 - .byte 58 - .byte 52 - .byte 40 - .byte 17 - .byte 35 - .byte 7 - .byte 14 - .byte 28 - .byte 57 - .byte 50 - .byte 36 - .byte 9 - .byte 18 - .byte 37 - .byte 11 - .byte 22 - .byte 45 - .byte 27 - .byte 55 - .byte 46 - .byte 29 - .byte 59 - .byte 54 - .byte 44 - .byte 25 - .byte 51 - .byte 38 - .byte 13 - .byte 26 - .byte 53 - .byte 42 - - .text -.global knot256_permute_6 - .type knot256_permute_6, @function -knot256_permute_6: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - 
push r30 - ldi r30,lo8(table_6) - ldi r31,hi8(table_6) -#if defined(RAMPZ) - ldi r17,hh8(table_6) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - 
eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std 
Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 - ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_6, .-knot256_permute_6 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 
55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot256_permute_7 - .type knot256_permute_7, @function -knot256_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 57 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Z+16 - ldd r9,Z+17 - ldd r10,Z+18 - ldd r11,Z+19 - ldd r12,Z+20 - ldd r13,Z+21 - ldd r14,Z+22 - ldd r15,Z+23 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r8 - std Y+18,r9 - std Y+19,r10 - std Y+20,r11 - std Y+21,r12 - std Y+22,r13 - std Y+23,r14 - std Y+24,r15 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -59: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r18,r23 - inc r30 - ldd r23,Y+1 - ldd r4,Y+9 - ldd r5,Y+17 - mov r24,r18 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std 
Y+33,r7 - mov r16,r5 - eor r16,r24 - mov r8,r23 - or r8,r4 - eor r8,r16 - mov r24,r23 - eor r24,r5 - mov r18,r25 - and r18,r16 - eor r18,r24 - mov r6,r8 - and r6,r24 - eor r6,r25 - std Y+25,r6 - ldd r23,Y+2 - ldd r4,Y+10 - ldd r5,Y+18 - mov r24,r19 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+34,r7 - mov r16,r5 - eor r16,r24 - mov r9,r23 - or r9,r4 - eor r9,r16 - mov r24,r23 - eor r24,r5 - mov r19,r25 - and r19,r16 - eor r19,r24 - mov r6,r9 - and r6,r24 - eor r6,r25 - std Y+26,r6 - ldd r23,Y+3 - ldd r4,Y+11 - ldd r5,Y+19 - mov r24,r20 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+35,r7 - mov r16,r5 - eor r16,r24 - mov r10,r23 - or r10,r4 - eor r10,r16 - mov r24,r23 - eor r24,r5 - mov r20,r25 - and r20,r16 - eor r20,r24 - mov r6,r10 - and r6,r24 - eor r6,r25 - std Y+27,r6 - ldd r23,Y+4 - ldd r4,Y+12 - ldd r5,Y+20 - mov r24,r21 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+36,r7 - mov r16,r5 - eor r16,r24 - mov r11,r23 - or r11,r4 - eor r11,r16 - mov r24,r23 - eor r24,r5 - mov r21,r25 - and r21,r16 - eor r21,r24 - mov r6,r11 - and r6,r24 - eor r6,r25 - std Y+28,r6 - ldd r23,Y+5 - ldd r4,Y+13 - ldd r5,Y+21 - mov r24,r26 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+37,r7 - mov r16,r5 - eor r16,r24 - mov r12,r23 - or r12,r4 - eor r12,r16 - mov r24,r23 - eor r24,r5 - mov r26,r25 - and r26,r16 - eor r26,r24 - mov r6,r12 - and r6,r24 - eor r6,r25 - std Y+29,r6 - ldd r23,Y+6 - ldd r4,Y+14 - ldd r5,Y+22 - mov r24,r27 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+38,r7 - mov r16,r5 - eor r16,r24 - mov r13,r23 - or r13,r4 - eor r13,r16 - mov r24,r23 - eor r24,r5 - mov r27,r25 - and r27,r16 - eor r27,r24 - mov r6,r13 - and r6,r24 - eor r6,r25 - std Y+30,r6 - ldd r23,Y+7 - ldd r4,Y+15 - ldd r5,Y+23 - mov r24,r2 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - 
std Y+39,r7 - mov r16,r5 - eor r16,r24 - mov r14,r23 - or r14,r4 - eor r14,r16 - mov r24,r23 - eor r24,r5 - mov r2,r25 - and r2,r16 - eor r2,r24 - mov r6,r14 - and r6,r24 - eor r6,r25 - std Y+31,r6 - ldd r23,Y+8 - ldd r4,Y+16 - ldd r5,Y+24 - mov r24,r3 - com r24 - mov r25,r23 - and r25,r24 - eor r25,r4 - mov r7,r5 - eor r7,r25 - std Y+40,r7 - mov r16,r5 - eor r16,r24 - mov r15,r23 - or r15,r4 - eor r15,r16 - mov r24,r23 - eor r24,r5 - mov r3,r25 - and r3,r16 - eor r3,r24 - mov r6,r15 - and r6,r24 - eor r6,r25 - std Y+32,r6 - std Y+9,r15 - std Y+10,r8 - std Y+11,r9 - std Y+12,r10 - std Y+13,r11 - std Y+14,r12 - std Y+15,r13 - std Y+16,r14 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - std Y+5,r12 - std Y+6,r13 - std Y+7,r14 - std Y+8,r15 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - ldd r12,Y+37 - ldd r13,Y+38 - ldd r14,Y+39 - ldd r15,Y+40 - lsl r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r8,r1 - std Y+17,r13 - std Y+18,r14 - std Y+19,r15 - std Y+20,r8 - std Y+21,r9 - std Y+22,r10 - std Y+23,r11 - std Y+24,r12 - dec r22 - breq 5322f - rjmp 59b -5322: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - std Z+4,r26 - std Z+5,r27 - std Z+6,r2 - std Z+7,r3 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - std Z+16,r8 - std Z+17,r9 - std Z+18,r10 - std Z+19,r11 - std Z+20,r12 - std Z+21,r13 - std Z+22,r14 - std Z+23,r15 - ldd r8,Y+17 
- ldd r9,Y+18 - ldd r10,Y+19 - ldd r11,Y+20 - ldd r12,Y+21 - ldd r13,Y+22 - ldd r14,Y+23 - ldd r15,Y+24 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - adiw r28,40 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot256_permute_7, .-knot256_permute_7 - -#endif diff --git a/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot-384-avr.S b/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot-384-avr.S deleted file mode 100644 index 4d15898..0000000 --- a/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot-384-avr.S +++ /dev/null 
@@ -1,833 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot384_permute_7 - .type knot384_permute_7, @function -knot384_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,72 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 87 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std 
Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - ldd r4,Z+16 - ldd r5,Z+17 - ldd r6,Z+18 - ldd r7,Z+19 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r4,Z+28 - ldd r5,Z+29 - ldd r6,Z+30 - ldd r7,Z+31 - ldd r8,Z+32 - ldd r9,Z+33 - ldd r10,Z+34 - ldd r11,Z+35 - std Y+25,r26 - std Y+26,r27 - std Y+27,r2 - std Y+28,r3 - std Y+29,r4 - std Y+30,r5 - std Y+31,r6 - std Y+32,r7 - std Y+33,r8 - std Y+34,r9 - std Y+35,r10 - std Y+36,r11 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r2,Z+38 - ldd r3,Z+39 - ldd r4,Z+40 - ldd r5,Z+41 - ldd r6,Z+42 - ldd r7,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - std Y+37,r26 - std Y+38,r27 - std Y+39,r2 - std Y+40,r3 - std Y+41,r4 - std Y+42,r5 - std Y+43,r6 - std Y+44,r7 - std Y+45,r8 - std Y+46,r9 - std Y+47,r10 - std Y+48,r11 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r24,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif -99: - ldd r12,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r30 - ldd r18,Y+13 - ldd r19,Y+25 - ldd r20,Y+37 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+61,r23 - mov r14,r20 - eor r14,r12 - mov r26,r18 - or r26,r19 - eor r26,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+1,r21 - mov r21,r26 - and r21,r12 - eor r21,r13 - std Y+49,r21 - ldd r12,Y+2 - ldd r18,Y+14 - ldd r19,Y+26 - ldd r20,Y+38 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std 
Y+62,r23 - mov r14,r20 - eor r14,r12 - mov r27,r18 - or r27,r19 - eor r27,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+2,r21 - mov r21,r27 - and r21,r12 - eor r21,r13 - std Y+50,r21 - ldd r12,Y+3 - ldd r18,Y+15 - ldd r19,Y+27 - ldd r20,Y+39 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - std Y+63,r23 - mov r14,r20 - eor r14,r12 - mov r2,r18 - or r2,r19 - eor r2,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+3,r21 - mov r21,r2 - and r21,r12 - eor r21,r13 - std Y+51,r21 - ldd r12,Y+4 - ldd r18,Y+16 - ldd r19,Y+28 - ldd r20,Y+40 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,192 - sbci r29,255 - st Y,r23 - subi r28,64 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r3,r18 - or r3,r19 - eor r3,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+4,r21 - mov r21,r3 - and r21,r12 - eor r21,r13 - std Y+52,r21 - ldd r12,Y+5 - ldd r18,Y+17 - ldd r19,Y+29 - ldd r20,Y+41 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,191 - sbci r29,255 - st Y,r23 - subi r28,65 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r4,r18 - or r4,r19 - eor r4,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+5,r21 - mov r21,r4 - and r21,r12 - eor r21,r13 - std Y+53,r21 - ldd r12,Y+6 - ldd r18,Y+18 - ldd r19,Y+30 - ldd r20,Y+42 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,190 - sbci r29,255 - st Y,r23 - subi r28,66 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r5,r18 - or r5,r19 - eor r5,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+6,r21 - mov r21,r5 - and r21,r12 - eor r21,r13 - std Y+54,r21 - ldd r12,Y+7 - ldd r18,Y+19 - ldd r19,Y+31 - ldd r20,Y+43 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,189 - sbci r29,255 - st Y,r23 - 
subi r28,67 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r6,r18 - or r6,r19 - eor r6,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+7,r21 - mov r21,r6 - and r21,r12 - eor r21,r13 - std Y+55,r21 - ldd r12,Y+8 - ldd r18,Y+20 - ldd r19,Y+32 - ldd r20,Y+44 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,188 - sbci r29,255 - st Y,r23 - subi r28,68 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r7,r18 - or r7,r19 - eor r7,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+8,r21 - mov r21,r7 - and r21,r12 - eor r21,r13 - std Y+56,r21 - ldd r12,Y+9 - ldd r18,Y+21 - ldd r19,Y+33 - ldd r20,Y+45 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,187 - sbci r29,255 - st Y,r23 - subi r28,69 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r8,r18 - or r8,r19 - eor r8,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+9,r21 - mov r21,r8 - and r21,r12 - eor r21,r13 - std Y+57,r21 - ldd r12,Y+10 - ldd r18,Y+22 - ldd r19,Y+34 - ldd r20,Y+46 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,186 - sbci r29,255 - st Y,r23 - subi r28,70 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r9,r18 - or r9,r19 - eor r9,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+10,r21 - mov r21,r9 - and r21,r12 - eor r21,r13 - std Y+58,r21 - ldd r12,Y+11 - ldd r18,Y+23 - ldd r19,Y+35 - ldd r20,Y+47 - com r12 - mov r13,r18 - and r13,r12 - eor r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,185 - sbci r29,255 - st Y,r23 - subi r28,71 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r10,r18 - or r10,r19 - eor r10,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+11,r21 - mov r21,r10 - and r21,r12 - eor r21,r13 - std Y+59,r21 - ldd r12,Y+12 - ldd r18,Y+24 - ldd r19,Y+36 - ldd r20,Y+48 - com r12 - mov r13,r18 - and r13,r12 - eor 
r13,r19 - mov r23,r20 - eor r23,r13 - subi r28,184 - sbci r29,255 - st Y,r23 - subi r28,72 - sbc r29,r1 - mov r14,r20 - eor r14,r12 - mov r11,r18 - or r11,r19 - eor r11,r14 - mov r12,r18 - eor r12,r20 - mov r21,r13 - and r21,r14 - eor r21,r12 - std Y+12,r21 - mov r21,r11 - and r21,r12 - eor r21,r13 - std Y+60,r21 - std Y+25,r11 - std Y+26,r26 - std Y+27,r27 - std Y+28,r2 - std Y+29,r3 - std Y+30,r4 - std Y+31,r5 - std Y+32,r6 - std Y+33,r7 - std Y+34,r8 - std Y+35,r9 - std Y+36,r10 - ldd r26,Y+49 - ldd r27,Y+50 - ldd r2,Y+51 - ldd r3,Y+52 - ldd r4,Y+53 - ldd r5,Y+54 - ldd r6,Y+55 - ldd r7,Y+56 - ldd r8,Y+57 - ldd r9,Y+58 - ldd r10,Y+59 - ldd r11,Y+60 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - adc r26,r1 - std Y+13,r26 - std Y+14,r27 - std Y+15,r2 - std Y+16,r3 - std Y+17,r4 - std Y+18,r5 - std Y+19,r6 - std Y+20,r7 - std Y+21,r8 - std Y+22,r9 - std Y+23,r10 - std Y+24,r11 - adiw r28,61 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y - subi r28,72 - sbc r29,r1 - bst r26,0 - lsr r11 - ror r10 - ror r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r3 - ror r2 - ror r27 - ror r26 - bld r11,7 - std Y+37,r5 - std Y+38,r6 - std Y+39,r7 - std Y+40,r8 - std Y+41,r9 - std Y+42,r10 - std Y+43,r11 - std Y+44,r26 - std Y+45,r27 - std Y+46,r2 - std Y+47,r3 - std Y+48,r4 - dec r22 - breq 5542f - rjmp 99b -5542: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r2,Y+15 - ldd r3,Y+16 - ldd r4,Y+17 - ldd r5,Y+18 - ldd r6,Y+19 - ldd 
r7,Y+20 - ldd r8,Y+21 - ldd r9,Y+22 - ldd r10,Y+23 - ldd r11,Y+24 - std Z+12,r26 - std Z+13,r27 - std Z+14,r2 - std Z+15,r3 - std Z+16,r4 - std Z+17,r5 - std Z+18,r6 - std Z+19,r7 - std Z+20,r8 - std Z+21,r9 - std Z+22,r10 - std Z+23,r11 - ldd r26,Y+25 - ldd r27,Y+26 - ldd r2,Y+27 - ldd r3,Y+28 - ldd r4,Y+29 - ldd r5,Y+30 - ldd r6,Y+31 - ldd r7,Y+32 - ldd r8,Y+33 - ldd r9,Y+34 - ldd r10,Y+35 - ldd r11,Y+36 - std Z+24,r26 - std Z+25,r27 - std Z+26,r2 - std Z+27,r3 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+32,r8 - std Z+33,r9 - std Z+34,r10 - std Z+35,r11 - ldd r26,Y+37 - ldd r27,Y+38 - ldd r2,Y+39 - ldd r3,Y+40 - ldd r4,Y+41 - ldd r5,Y+42 - ldd r6,Y+43 - ldd r7,Y+44 - ldd r8,Y+45 - ldd r9,Y+46 - ldd r10,Y+47 - ldd r11,Y+48 - std Z+36,r26 - std Z+37,r27 - std Z+38,r2 - std Z+39,r3 - std Z+40,r4 - std Z+41,r5 - std Z+42,r6 - std Z+43,r7 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - subi r28,184 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot384_permute_7, .-knot384_permute_7 - -#endif diff --git a/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot-512-avr.S b/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot-512-avr.S deleted file mode 100644 index 6f92ac3..0000000 --- a/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot-512-avr.S +++ /dev/null 
@@ -1,2315 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_7, @object - .size table_7, 104 -table_7: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 16 - .byte 32 - .byte 65 - .byte 3 - .byte 6 - .byte 12 - .byte 24 - .byte 48 - .byte 97 - .byte 66 - .byte 5 - .byte 10 - .byte 20 - .byte 40 - .byte 81 - .byte 35 - .byte 71 - .byte 15 - .byte 30 - .byte 60 - .byte 121 - .byte 114 - .byte 100 - .byte 72 - .byte 17 - .byte 34 - .byte 69 - .byte 11 - .byte 22 - .byte 44 - .byte 89 - .byte 51 - .byte 103 - .byte 78 - .byte 29 - .byte 58 - .byte 117 - .byte 106 - .byte 84 - .byte 41 - .byte 83 - .byte 39 - .byte 79 - .byte 31 - .byte 62 - .byte 125 - .byte 122 - .byte 116 - .byte 104 - .byte 80 - .byte 33 - .byte 67 - .byte 7 - .byte 14 - .byte 28 - .byte 56 - .byte 113 - .byte 98 - .byte 68 - .byte 9 - .byte 18 - .byte 36 - .byte 73 - .byte 19 - .byte 38 - .byte 77 - .byte 27 - .byte 54 - .byte 109 - .byte 90 - .byte 53 - .byte 107 - .byte 86 - .byte 45 - .byte 91 - .byte 55 - .byte 111 - .byte 94 - .byte 61 - .byte 123 - .byte 118 - .byte 108 - .byte 88 - .byte 49 - .byte 99 - .byte 70 - .byte 13 - .byte 26 - .byte 52 - .byte 105 - .byte 82 - .byte 37 - .byte 75 - .byte 23 - .byte 46 - .byte 93 - .byte 59 - .byte 119 - .byte 110 - .byte 92 - - .text -.global knot512_permute_7 - .type knot512_permute_7, @function -knot512_permute_7: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd 
r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_7) - ldi r31,hi8(table_7) -#if defined(RAMPZ) - ldi r17,hh8(table_7) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 
- ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - 
subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 - ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - 
mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor 
r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi 
r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std 
Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_7, .-knot512_permute_7 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_8, @object - .size table_8, 140 -table_8: - .byte 1 - .byte 2 - .byte 4 - .byte 8 - .byte 17 - .byte 35 - .byte 71 - .byte 142 - .byte 28 - .byte 56 - .byte 113 - .byte 226 - .byte 196 - .byte 137 - .byte 18 - .byte 37 - .byte 75 - .byte 151 - .byte 46 - .byte 92 - .byte 184 - .byte 112 - .byte 224 - .byte 192 - .byte 129 - .byte 3 - .byte 6 - .byte 12 - .byte 25 - .byte 50 - .byte 100 - .byte 201 - .byte 146 - .byte 36 - .byte 73 - .byte 147 - .byte 38 - .byte 77 - .byte 155 - .byte 55 - .byte 110 - .byte 220 - .byte 185 - .byte 114 - .byte 228 - .byte 200 - .byte 144 - .byte 32 - .byte 65 - .byte 130 - .byte 5 
- .byte 10 - .byte 21 - .byte 43 - .byte 86 - .byte 173 - .byte 91 - .byte 182 - .byte 109 - .byte 218 - .byte 181 - .byte 107 - .byte 214 - .byte 172 - .byte 89 - .byte 178 - .byte 101 - .byte 203 - .byte 150 - .byte 44 - .byte 88 - .byte 176 - .byte 97 - .byte 195 - .byte 135 - .byte 15 - .byte 31 - .byte 62 - .byte 125 - .byte 251 - .byte 246 - .byte 237 - .byte 219 - .byte 183 - .byte 111 - .byte 222 - .byte 189 - .byte 122 - .byte 245 - .byte 235 - .byte 215 - .byte 174 - .byte 93 - .byte 186 - .byte 116 - .byte 232 - .byte 209 - .byte 162 - .byte 68 - .byte 136 - .byte 16 - .byte 33 - .byte 67 - .byte 134 - .byte 13 - .byte 27 - .byte 54 - .byte 108 - .byte 216 - .byte 177 - .byte 99 - .byte 199 - .byte 143 - .byte 30 - .byte 60 - .byte 121 - .byte 243 - .byte 231 - .byte 206 - .byte 156 - .byte 57 - .byte 115 - .byte 230 - .byte 204 - .byte 152 - .byte 49 - .byte 98 - .byte 197 - .byte 139 - .byte 22 - .byte 45 - .byte 90 - .byte 180 - .byte 105 - .byte 210 - .byte 164 - .byte 72 - .byte 145 - .byte 34 - .byte 69 - - .text -.global knot512_permute_8 - .type knot512_permute_8, @function -knot512_permute_8: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - movw r30,r24 - in r28,0x3d - in r29,0x3e - subi r28,96 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 113 - ld r26,Z - ldd r27,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - std Y+1,r26 - std Y+2,r27 - std Y+3,r2 - std Y+4,r3 - std Y+5,r4 - std Y+6,r5 - std Y+7,r6 - std Y+8,r7 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - std Y+13,r12 - std Y+14,r13 - std Y+15,r14 - std Y+16,r15 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd 
r6,Z+22 - ldd r7,Z+23 - ldd r8,Z+24 - ldd r9,Z+25 - ldd r10,Z+26 - ldd r11,Z+27 - ldd r12,Z+28 - ldd r13,Z+29 - ldd r14,Z+30 - ldd r15,Z+31 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - ldd r26,Z+32 - ldd r27,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r8,Z+40 - ldd r9,Z+41 - ldd r10,Z+42 - ldd r11,Z+43 - ldd r12,Z+44 - ldd r13,Z+45 - ldd r14,Z+46 - ldd r15,Z+47 - std Y+33,r26 - std Y+34,r27 - std Y+35,r2 - std Y+36,r3 - std Y+37,r4 - std Y+38,r5 - std Y+39,r6 - std Y+40,r7 - std Y+41,r8 - std Y+42,r9 - std Y+43,r10 - std Y+44,r11 - std Y+45,r12 - std Y+46,r13 - std Y+47,r14 - std Y+48,r15 - ldd r26,Z+48 - ldd r27,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r8,Z+56 - ldd r9,Z+57 - ldd r10,Z+58 - ldd r11,Z+59 - ldd r12,Z+60 - ldd r13,Z+61 - ldd r14,Z+62 - ldd r15,Z+63 - adiw r28,49 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y+,r12 - st Y+,r13 - st Y+,r14 - st Y,r15 - subi r28,64 - sbc r29,r1 - push r31 - push r30 - ldi r30,lo8(table_8) - ldi r31,hi8(table_8) -#if defined(RAMPZ) - ldi r17,hh8(table_8) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif -134: - ldd r24,Y+1 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r24,r18 - inc r30 - ldd r18,Y+17 - ldd r19,Y+33 - ldd r20,Y+49 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,175 - sbci r29,255 - st Y,r23 - subi r28,81 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r26,r18 - or r26,r19 - eor r26,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor 
r21,r24 - std Y+1,r21 - mov r21,r26 - and r21,r24 - eor r21,r25 - subi r28,191 - sbci r29,255 - st Y,r21 - subi r28,65 - sbc r29,r1 - ldd r24,Y+2 - ldd r18,Y+18 - ldd r19,Y+34 - ldd r20,Y+50 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,174 - sbci r29,255 - st Y,r23 - subi r28,82 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r27,r18 - or r27,r19 - eor r27,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+2,r21 - mov r21,r27 - and r21,r24 - eor r21,r25 - subi r28,190 - sbci r29,255 - st Y,r21 - subi r28,66 - sbc r29,r1 - ldd r24,Y+3 - ldd r18,Y+19 - ldd r19,Y+35 - ldd r20,Y+51 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,173 - sbci r29,255 - st Y,r23 - subi r28,83 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r2,r18 - or r2,r19 - eor r2,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+3,r21 - mov r21,r2 - and r21,r24 - eor r21,r25 - subi r28,189 - sbci r29,255 - st Y,r21 - subi r28,67 - sbc r29,r1 - ldd r24,Y+4 - ldd r18,Y+20 - ldd r19,Y+36 - ldd r20,Y+52 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,172 - sbci r29,255 - st Y,r23 - subi r28,84 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r3,r18 - or r3,r19 - eor r3,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+4,r21 - mov r21,r3 - and r21,r24 - eor r21,r25 - subi r28,188 - sbci r29,255 - st Y,r21 - subi r28,68 - sbc r29,r1 - ldd r24,Y+5 - ldd r18,Y+21 - ldd r19,Y+37 - ldd r20,Y+53 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,171 - sbci r29,255 - st Y,r23 - subi r28,85 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r4,r18 - or r4,r19 - eor r4,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+5,r21 - mov r21,r4 - and r21,r24 - eor r21,r25 - subi r28,187 - sbci r29,255 - st Y,r21 - subi r28,69 - sbc r29,r1 
- ldd r24,Y+6 - ldd r18,Y+22 - ldd r19,Y+38 - ldd r20,Y+54 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,170 - sbci r29,255 - st Y,r23 - subi r28,86 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r5,r18 - or r5,r19 - eor r5,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+6,r21 - mov r21,r5 - and r21,r24 - eor r21,r25 - subi r28,186 - sbci r29,255 - st Y,r21 - subi r28,70 - sbc r29,r1 - ldd r24,Y+7 - ldd r18,Y+23 - ldd r19,Y+39 - ldd r20,Y+55 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,169 - sbci r29,255 - st Y,r23 - subi r28,87 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r6,r18 - or r6,r19 - eor r6,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+7,r21 - mov r21,r6 - and r21,r24 - eor r21,r25 - subi r28,185 - sbci r29,255 - st Y,r21 - subi r28,71 - sbc r29,r1 - ldd r24,Y+8 - ldd r18,Y+24 - ldd r19,Y+40 - ldd r20,Y+56 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,168 - sbci r29,255 - st Y,r23 - subi r28,88 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r7,r18 - or r7,r19 - eor r7,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+8,r21 - mov r21,r7 - and r21,r24 - eor r21,r25 - subi r28,184 - sbci r29,255 - st Y,r21 - subi r28,72 - sbc r29,r1 - ldd r24,Y+9 - ldd r18,Y+25 - ldd r19,Y+41 - ldd r20,Y+57 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,167 - sbci r29,255 - st Y,r23 - subi r28,89 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r8,r18 - or r8,r19 - eor r8,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+9,r21 - mov r21,r8 - and r21,r24 - eor r21,r25 - subi r28,183 - sbci r29,255 - st Y,r21 - subi r28,73 - sbc r29,r1 - ldd r24,Y+10 - ldd r18,Y+26 - ldd r19,Y+42 - ldd r20,Y+58 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor 
r23,r25 - subi r28,166 - sbci r29,255 - st Y,r23 - subi r28,90 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r9,r18 - or r9,r19 - eor r9,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+10,r21 - mov r21,r9 - and r21,r24 - eor r21,r25 - subi r28,182 - sbci r29,255 - st Y,r21 - subi r28,74 - sbc r29,r1 - ldd r24,Y+11 - ldd r18,Y+27 - ldd r19,Y+43 - ldd r20,Y+59 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,165 - sbci r29,255 - st Y,r23 - subi r28,91 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r10,r18 - or r10,r19 - eor r10,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+11,r21 - mov r21,r10 - and r21,r24 - eor r21,r25 - subi r28,181 - sbci r29,255 - st Y,r21 - subi r28,75 - sbc r29,r1 - ldd r24,Y+12 - ldd r18,Y+28 - ldd r19,Y+44 - ldd r20,Y+60 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,164 - sbci r29,255 - st Y,r23 - subi r28,92 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r11,r18 - or r11,r19 - eor r11,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+12,r21 - mov r21,r11 - and r21,r24 - eor r21,r25 - subi r28,180 - sbci r29,255 - st Y,r21 - subi r28,76 - sbc r29,r1 - ldd r24,Y+13 - ldd r18,Y+29 - ldd r19,Y+45 - ldd r20,Y+61 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,163 - sbci r29,255 - st Y,r23 - subi r28,93 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r12,r18 - or r12,r19 - eor r12,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+13,r21 - mov r21,r12 - and r21,r24 - eor r21,r25 - subi r28,179 - sbci r29,255 - st Y,r21 - subi r28,77 - sbc r29,r1 - ldd r24,Y+14 - ldd r18,Y+30 - ldd r19,Y+46 - ldd r20,Y+62 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,162 - sbci r29,255 - st Y,r23 - subi r28,94 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov 
r13,r18 - or r13,r19 - eor r13,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+14,r21 - mov r21,r13 - and r21,r24 - eor r21,r25 - subi r28,178 - sbci r29,255 - st Y,r21 - subi r28,78 - sbc r29,r1 - ldd r24,Y+15 - ldd r18,Y+31 - ldd r19,Y+47 - ldd r20,Y+63 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,161 - sbci r29,255 - st Y,r23 - subi r28,95 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r14,r18 - or r14,r19 - eor r14,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+15,r21 - mov r21,r14 - and r21,r24 - eor r21,r25 - subi r28,177 - sbci r29,255 - st Y,r21 - subi r28,79 - sbc r29,r1 - ldd r24,Y+16 - ldd r18,Y+32 - ldd r19,Y+48 - subi r28,192 - sbci r29,255 - ld r20,Y - subi r28,64 - sbc r29,r1 - com r24 - mov r25,r18 - and r25,r24 - eor r25,r19 - mov r23,r20 - eor r23,r25 - subi r28,160 - sbci r29,255 - st Y,r23 - subi r28,96 - sbc r29,r1 - mov r16,r20 - eor r16,r24 - mov r15,r18 - or r15,r19 - eor r15,r16 - mov r24,r18 - eor r24,r20 - mov r21,r25 - and r21,r16 - eor r21,r24 - std Y+16,r21 - mov r21,r15 - and r21,r24 - eor r21,r25 - subi r28,176 - sbci r29,255 - st Y,r21 - subi r28,80 - sbc r29,r1 - std Y+33,r14 - std Y+34,r15 - std Y+35,r26 - std Y+36,r27 - std Y+37,r2 - std Y+38,r3 - std Y+39,r4 - std Y+40,r5 - std Y+41,r6 - std Y+42,r7 - std Y+43,r8 - std Y+44,r9 - std Y+45,r10 - std Y+46,r11 - std Y+47,r12 - std Y+48,r13 - subi r28,191 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,80 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - std Y+17,r26 - std Y+18,r27 - std Y+19,r2 - std Y+20,r3 - std Y+21,r4 - std Y+22,r5 - std Y+23,r6 - std Y+24,r7 - std Y+25,r8 - std 
Y+26,r9 - std Y+27,r10 - std Y+28,r11 - std Y+29,r12 - std Y+30,r13 - std Y+31,r14 - std Y+32,r15 - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,96 - sbc r29,r1 - lsl r26 - rol r27 - rol r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - rol r10 - rol r11 - rol r12 - rol r13 - rol r14 - rol r15 - adc r26,r1 - adiw r28,49 - st Y+,r13 - st Y+,r14 - st Y+,r15 - st Y+,r26 - st Y+,r27 - st Y+,r2 - st Y+,r3 - st Y+,r4 - st Y+,r5 - st Y+,r6 - st Y+,r7 - st Y+,r8 - st Y+,r9 - st Y+,r10 - st Y+,r11 - st Y,r12 - subi r28,64 - sbc r29,r1 - dec r22 - breq 5812f - rjmp 134b -5812: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r2,Y+3 - ldd r3,Y+4 - ldd r4,Y+5 - ldd r5,Y+6 - ldd r6,Y+7 - ldd r7,Y+8 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - ldd r12,Y+13 - ldd r13,Y+14 - ldd r14,Y+15 - ldd r15,Y+16 - st Z,r26 - std Z+1,r27 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - ldd r26,Y+17 - ldd r27,Y+18 - ldd r2,Y+19 - ldd r3,Y+20 - ldd r4,Y+21 - ldd r5,Y+22 - ldd r6,Y+23 - ldd r7,Y+24 - ldd r8,Y+25 - ldd r9,Y+26 - ldd r10,Y+27 - ldd r11,Y+28 - ldd r12,Y+29 - ldd r13,Y+30 - ldd r14,Y+31 - ldd r15,Y+32 - std Z+16,r26 - std Z+17,r27 - std Z+18,r2 - std Z+19,r3 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r8 - std Z+25,r9 - std Z+26,r10 - std Z+27,r11 - std Z+28,r12 - std Z+29,r13 - std Z+30,r14 - std Z+31,r15 - ldd r26,Y+33 - ldd r27,Y+34 - ldd r2,Y+35 - ldd r3,Y+36 - ldd r4,Y+37 - ldd r5,Y+38 - ldd r6,Y+39 - ldd r7,Y+40 - ldd r8,Y+41 - ldd r9,Y+42 - ldd r10,Y+43 - ldd r11,Y+44 - ldd r12,Y+45 - ldd r13,Y+46 - ldd r14,Y+47 - ldd r15,Y+48 - std 
Z+32,r26 - std Z+33,r27 - std Z+34,r2 - std Z+35,r3 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r8 - std Z+41,r9 - std Z+42,r10 - std Z+43,r11 - std Z+44,r12 - std Z+45,r13 - std Z+46,r14 - std Z+47,r15 - adiw r28,49 - ld r26,Y+ - ld r27,Y+ - ld r2,Y+ - ld r3,Y+ - ld r4,Y+ - ld r5,Y+ - ld r6,Y+ - ld r7,Y+ - ld r8,Y+ - ld r9,Y+ - ld r10,Y+ - ld r11,Y+ - ld r12,Y+ - ld r13,Y+ - ld r14,Y+ - ld r15,Y - subi r28,64 - sbc r29,r1 - std Z+48,r26 - std Z+49,r27 - std Z+50,r2 - std Z+51,r3 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - std Z+56,r8 - std Z+57,r9 - std Z+58,r10 - std Z+59,r11 - std Z+60,r12 - std Z+61,r13 - std Z+62,r14 - std Z+63,r15 - subi r28,160 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size knot512_permute_8, .-knot512_permute_8 - -#endif diff --git a/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot.c b/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot.c deleted file mode 100644 index f8b378e..0000000 --- a/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot.c +++ /dev/null 
@@ -1,301 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-knot.h"
-
-#if !defined(__AVR__)
-
-/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */
-static uint8_t const rc6[52] = {
- 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22,
- 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28,
- 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b,
- 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26,
- 0x0d, 0x1a, 0x35, 0x2a
-};
-static uint8_t const rc7[104] = {
- 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30,
- 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c,
- 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33,
- 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f,
- 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38,
- 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36,
- 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b,
- 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25,
- 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c
-};
-static uint8_t const rc8[140] = {
- 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2,
- 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0,
- 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93,
- 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20,
- 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda,
- 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0,
- 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7,
- 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8,
- 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c,
- 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c,
- 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 
0xc5, 0x8b, 0x16, 0x2d, 0x5a, - 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45 -}; - -/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */ -#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \ - do { \ - uint64_t t1, t3, t6; \ - t1 = ~(a0); \ - t3 = (a2) ^ ((a1) & t1); \ - (b3) = (a3) ^ t3; \ - t6 = (a3) ^ t1; \ - (b2) = ((a1) | (a2)) ^ t6; \ - t1 = (a1) ^ (a3); \ - (a0) = t1 ^ (t3 & t6); \ - (b1) = t3 ^ ((b2) & t1); \ - } while (0) - -/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */ -#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \ - do { \ - uint32_t t1, t3, t6; \ - t1 = ~(a0); \ - t3 = (a2) ^ ((a1) & t1); \ - (b3) = (a3) ^ t3; \ - t6 = (a3) ^ t1; \ - (b2) = ((a1) | (a2)) ^ t6; \ - t1 = (a1) ^ (a3); \ - (a0) = t1 ^ (t3 & t6); \ - (b1) = t3 ^ ((b2) & t1); \ - } while (0) - -static void knot256_permute - (knot256_state_t *state, const uint8_t *rc, uint8_t rounds) -{ - uint64_t b1, b2, b3; - - /* Load the input state into local variables; each row is 64 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x1, x2, x3, b1, b2, b3); - - /* Linear diffusion layer */ - x1 = leftRotate1_64(b1); - x2 = leftRotate8_64(b2); - x3 = leftRotate25_64(b3); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - 
le_store_word64(state->B + 24, x3); -#endif -} - -void knot256_permute_6(knot256_state_t *state, uint8_t rounds) -{ - knot256_permute(state, rc6, rounds); -} - -void knot256_permute_7(knot256_state_t *state, uint8_t rounds) -{ - knot256_permute(state, rc7, rounds); -} - -void knot384_permute_7(knot384_state_t *state, uint8_t rounds) -{ - const uint8_t *rc = rc7; - uint64_t b2, b4, b6; - uint32_t b3, b5, b7; - - /* Load the input state into local variables; each row is 96 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint32_t x1 = state->W[2]; - uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32); - uint32_t x3 = state->W[5]; - uint64_t x4 = state->S[3]; - uint32_t x5 = state->W[8]; - uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32); - uint32_t x7 = state->W[11]; -#else - uint64_t x0 = le_load_word64(state->B); - uint32_t x1 = le_load_word32(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 12); - uint32_t x3 = le_load_word32(state->B + 20); - uint64_t x4 = le_load_word64(state->B + 24); - uint32_t x5 = le_load_word32(state->B + 32); - uint64_t x6 = le_load_word64(state->B + 36); - uint32_t x7 = le_load_word32(state->B + 44); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x2, x4, x6, b2, b4, b6); - knot_sbox32(x1, x3, x5, x7, b3, b5, b7); - - /* Linear diffusion layer */ - #define leftRotateShort_96(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \ - (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ - } while (0) - #define leftRotateLong_96(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | \ - (((uint64_t)(b1)) << ((bits) - 32)) | \ - ((b0) >> (96 - (bits))); \ - (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \ - } while (0) - leftRotateShort_96(x2, x3, b2, b3, 1); - leftRotateShort_96(x4, x5, b4, b5, 8); - 
leftRotateLong_96(x6, x7, b6, b7, 55); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->W[2] = x1; - state->W[3] = (uint32_t)x2; - state->W[4] = (uint32_t)(x2 >> 32); - state->W[5] = x3; - state->S[3] = x4; - state->W[8] = x5; - state->W[9] = (uint32_t)x6; - state->W[10] = (uint32_t)(x6 >> 32); - state->W[11] = x7; -#else - le_store_word64(state->B, x0); - le_store_word32(state->B + 8, x1); - le_store_word64(state->B + 12, x2); - le_store_word32(state->B + 20, x3); - le_store_word64(state->B + 24, x4); - le_store_word32(state->B + 32, x5); - le_store_word64(state->B + 36, x6); - le_store_word32(state->B + 44, x7); -#endif -} - -static void knot512_permute - (knot512_state_t *state, const uint8_t *rc, uint8_t rounds) -{ - uint64_t b2, b3, b4, b5, b6, b7; - - /* Load the input state into local variables; each row is 128 bits */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - uint64_t x0 = state->S[0]; - uint64_t x1 = state->S[1]; - uint64_t x2 = state->S[2]; - uint64_t x3 = state->S[3]; - uint64_t x4 = state->S[4]; - uint64_t x5 = state->S[5]; - uint64_t x6 = state->S[6]; - uint64_t x7 = state->S[7]; -#else - uint64_t x0 = le_load_word64(state->B); - uint64_t x1 = le_load_word64(state->B + 8); - uint64_t x2 = le_load_word64(state->B + 16); - uint64_t x3 = le_load_word64(state->B + 24); - uint64_t x4 = le_load_word64(state->B + 32); - uint64_t x5 = le_load_word64(state->B + 40); - uint64_t x6 = le_load_word64(state->B + 48); - uint64_t x7 = le_load_word64(state->B + 56); -#endif - - /* Perform all permutation rounds */ - for (; rounds > 0; --rounds) { - /* Add the next round constant to the state */ - x0 ^= *rc++; - - /* Substitution layer */ - knot_sbox64(x0, x2, x4, x6, b2, b4, b6); - knot_sbox64(x1, x3, x5, x7, b3, b5, b7); - - /* Linear diffusion layer */ - #define leftRotate_128(a0, a1, b0, b1, bits) \ - do { \ - (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \ - (a1) = ((b1) << (bits)) | ((b0) 
>> (64 - (bits))); \ - } while (0) - leftRotate_128(x2, x3, b2, b3, 1); - leftRotate_128(x4, x5, b4, b5, 16); - leftRotate_128(x6, x7, b6, b7, 25); - } - - /* Store the local variables to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0] = x0; - state->S[1] = x1; - state->S[2] = x2; - state->S[3] = x3; - state->S[4] = x4; - state->S[5] = x5; - state->S[6] = x6; - state->S[7] = x7; -#else - le_store_word64(state->B, x0); - le_store_word64(state->B + 8, x1); - le_store_word64(state->B + 16, x2); - le_store_word64(state->B + 24, x3); - le_store_word64(state->B + 32, x4); - le_store_word64(state->B + 40, x5); - le_store_word64(state->B + 48, x6); - le_store_word64(state->B + 56, x7); -#endif -} - -void knot512_permute_7(knot512_state_t *state, uint8_t rounds) -{ - knot512_permute(state, rc7, rounds); -} - -void knot512_permute_8(knot512_state_t *state, uint8_t rounds) -{ - knot512_permute(state, rc8, rounds); -} - -#endif /* !__AVR__ */ diff --git a/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot.h b/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot.h deleted file mode 100644 index 88a782c..0000000 --- a/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-knot.h +++ /dev/null 
@@ -1,130 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_KNOT_H
-#define LW_INTERNAL_KNOT_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-knot.h
- * \brief Permutations that are used by the KNOT AEAD and hash algorithms.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Internal state of the KNOT-256 permutation.
- */
-typedef union
-{
- uint64_t S[4]; /**< Words of the state */
- uint8_t B[32]; /**< Bytes of the state */
-
-} knot256_state_t;
-
-/**
- * \brief Internal state of the KNOT-384 permutation.
- */
-typedef union
-{
- uint64_t S[6]; /**< 64-bit words of the state */
- uint32_t W[12]; /**< 32-bit words of the state */
- uint8_t B[48]; /**< Bytes of the state */
-
-} knot384_state_t;
-
-/**
- * \brief Internal state of the KNOT-512 permutation.
- */
-typedef union
-{
- uint64_t S[8]; /**< Words of the state */
- uint8_t B[64]; /**< Bytes of the state */
-
-} knot512_state_t;
-
-/**
- * \brief Permutes the KNOT-256 state, using 6-bit round constants.
- *
- * \param state The KNOT-256 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 52.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot256_permute_6(knot256_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-256 state, using 7-bit round constants.
- *
- * \param state The KNOT-256 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot256_permute_7(knot256_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-384 state, using 7-bit round constants.
- *
- * \param state The KNOT-384 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot384_permute_7(knot384_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-512 state, using 7-bit round constants.
- *
- * \param state The KNOT-512 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 104.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot512_permute_7(knot512_state_t *state, uint8_t rounds);
-
-/**
- * \brief Permutes the KNOT-512 state, using 8-bit round constants.
- *
- * \param state The KNOT-512 state to be permuted.
- * \param rounds The number of rounds to be performed, 1 to 140.
- *
- * The input and output \a state will be in little-endian byte order.
- */
-void knot512_permute_8(knot512_state_t *state, uint8_t rounds);
-
-/**
- * \brief Generic pointer to a function that performs a KNOT permutation.
- *
- * \param state Points to the permutation state.
- * \param round Number of rounds to perform.
- */
-typedef void (*knot_permute_t)(void *state, uint8_t rounds);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-util.h b/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/knot/Implementations/crypto_hash/knot512/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/knot/Implementations/crypto_hash/knot512/rhys-avr/knot-hash.c b/knot/Implementations/crypto_hash/knot512/rhys-avr/knot-hash.c
deleted file mode 100644
index a4edecd..0000000
--- a/knot/Implementations/crypto_hash/knot512/rhys-avr/knot-hash.c
+++ /dev/null
@@ -1,186 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "knot.h"
-#include "internal-knot.h"
-#include
-
-aead_hash_algorithm_t const knot_hash_256_256_algorithm = {
- "KNOT-HASH-256-256",
- sizeof(int),
- KNOT_HASH_256_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_256_256,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const knot_hash_256_384_algorithm = {
- "KNOT-HASH-256-384",
- sizeof(int),
- KNOT_HASH_256_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_256_384,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const knot_hash_384_384_algorithm = {
- "KNOT-HASH-384-384",
- sizeof(int),
- KNOT_HASH_384_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_384_384,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const knot_hash_512_512_algorithm = {
- "KNOT-HASH-512-512",
- sizeof(int),
- KNOT_HASH_512_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- knot_hash_512_512,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \brief Input rate for KNOT-HASH-256-256.
- */
-#define KNOT_HASH_256_256_RATE 4
-
-/**
- * \brief Input rate for KNOT-HASH-256-384.
- */
-#define KNOT_HASH_256_384_RATE 16
-
-/**
- * \brief Input rate for KNOT-HASH-384-384.
- */
-#define KNOT_HASH_384_384_RATE 6
-
-/**
- * \brief Input rate for KNOT-HASH-512-512.
- */
-#define KNOT_HASH_512_512_RATE 8
-
-int knot_hash_256_256
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot256_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- while (inlen >= KNOT_HASH_256_256_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_256_256_RATE);
- knot256_permute_7(&state, 68);
- in += KNOT_HASH_256_256_RATE;
- inlen -= KNOT_HASH_256_256_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot256_permute_7(&state, 68);
- memcpy(out, state.B, KNOT_HASH_256_SIZE / 2);
- knot256_permute_7(&state, 68);
- memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2);
- return 0;
-}
-
-int knot_hash_256_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot384_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- state.B[sizeof(state.B) - 1] ^= 0x80;
- while (inlen >= KNOT_HASH_256_384_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_256_384_RATE);
- knot384_permute_7(&state, 80);
- in += KNOT_HASH_256_384_RATE;
- inlen -= KNOT_HASH_256_384_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot384_permute_7(&state, 80);
- memcpy(out, state.B, KNOT_HASH_256_SIZE / 2);
- knot384_permute_7(&state, 80);
- memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2);
- return 0;
-}
-
-int knot_hash_384_384
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot384_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- while (inlen >= KNOT_HASH_384_384_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_384_384_RATE);
- knot384_permute_7(&state, 104);
- in += KNOT_HASH_384_384_RATE;
- inlen -= KNOT_HASH_384_384_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot384_permute_7(&state, 104);
- memcpy(out, state.B, KNOT_HASH_384_SIZE / 2);
- knot384_permute_7(&state, 104);
- memcpy(out + KNOT_HASH_384_SIZE / 2, state.B, KNOT_HASH_384_SIZE / 2);
- return 0;
-}
-
-int knot_hash_512_512
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- knot512_state_t state;
- unsigned temp;
- memset(state.B, 0, sizeof(state.B));
- while (inlen >= KNOT_HASH_512_512_RATE) {
- lw_xor_block(state.B, in, KNOT_HASH_512_512_RATE);
- knot512_permute_8(&state, 140);
- in += KNOT_HASH_512_512_RATE;
- inlen -= KNOT_HASH_512_512_RATE;
- }
- temp = (unsigned)inlen;
- lw_xor_block(state.B, in, temp);
- state.B[temp] ^= 0x01;
- knot512_permute_8(&state, 140);
- memcpy(out, state.B, KNOT_HASH_512_SIZE / 2);
- knot512_permute_8(&state, 140);
- memcpy(out + KNOT_HASH_512_SIZE / 2, state.B, KNOT_HASH_512_SIZE / 2);
- return 0;
-}
diff --git a/knot/Implementations/crypto_hash/knot512/rhys-avr/knot.h b/knot/Implementations/crypto_hash/knot512/rhys-avr/knot.h
deleted file mode 100644
index e2c5198..0000000
--- a/knot/Implementations/crypto_hash/knot512/rhys-avr/knot.h
+++ /dev/null
@@ -1,459 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_KNOT_H
-#define LWCRYPTO_KNOT_H
-
-#include "aead-common.h"
-
-/**
- * \file knot.h
- * \brief KNOT authenticated encryption and hash algorithms.
- *
- * KNOT is a family of authenticated encryption and hash algorithms built
- * around a permutation and the MonkeyDuplex sponge construction. The
- * family members are:
- *
- * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag, built around a 256-bit permutation. This is the primary
- * encryption member of the family.
- * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag, built around a 384-bit permutation.
- * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a
- * 192-bit tag, built around a 384-bit permutation.
- * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a
- * 256-bit tag, built around a 512-bit permutation.
- * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a
- * 256-bit permutation. This is the primary hashing member of the family.
- * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a
- * 384-bit permutation.
- * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a
- * 384-bit permutation.
- * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a
- * 512-bit permutation.
- *
- * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-128-256 and
- * KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_128_NONCE_SIZE 16
-
-/**
- * \brief Size of the key for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_KEY_SIZE 24
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_TAG_SIZE 24
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384.
- */
-#define KNOT_AEAD_192_NONCE_SIZE 24
-
-/**
- * \brief Size of the key for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_KEY_SIZE 32
-
-/**
- * \brief Size of the authentication tag for KNOT-AEAD-256-512.
- */
-#define KNOT_AEAD_256_TAG_SIZE 32
-
-/**
- * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384.
- */
-#define KNOT_AEAD_256_NONCE_SIZE 32
-
-/**
- * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384.
- */
-#define KNOT_HASH_256_SIZE 32
-
-/**
- * \brief Size of the hash for KNOT-HASH-384-384.
- */
-#define KNOT_HASH_384_SIZE 48
-
-/**
- * \brief Size of the hash for KNOT-HASH-512-512.
- */
-#define KNOT_HASH_512_SIZE 64
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-128-256 cipher.
- */
-extern aead_cipher_t const knot_aead_128_256_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-128-384 cipher.
- */
-extern aead_cipher_t const knot_aead_128_384_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-192-384 cipher.
- */
-extern aead_cipher_t const knot_aead_192_384_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-AEAD-256-512 cipher.
- */
-extern aead_cipher_t const knot_aead_256_512_cipher;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-256-256 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_256_256_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-256-384 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_256_384_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-384-384 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_384_384_algorithm;
-
-/**
- * \brief Meta-information block for the KNOT-HASH-512-512 algorithm.
- */
-extern aead_hash_algorithm_t const knot_hash_512_512_algorithm;
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa knot_aead_128_256_decrypt()
- */
-int knot_aead_128_256_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa knot_aead_128_256_encrypt()
- */
-int knot_aead_128_256_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa knot_aead_128_384_decrypt() - */ -int knot_aead_128_384_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. 
- * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa knot_aead_128_384_encrypt() - */ -int knot_aead_128_384_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - - -/** - * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa knot_aead_192_384_decrypt() - */ -int knot_aead_192_384_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. 
- * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa knot_aead_192_384_encrypt() - */ -int knot_aead_192_384_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa knot_aead_256_512_decrypt() - */ -int knot_aead_256_512_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa knot_aead_256_512_encrypt() - */ -int knot_aead_256_512_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data with KNOT-HASH-256-256. - * - * \param out Buffer to receive the hash output which must be at least - * KNOT_HASH_256_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. 
- */ -int knot_hash_256_256 - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Hashes a block of input data with KNOT-HASH-256-384. - * - * \param out Buffer to receive the hash output which must be at least - * KNOT_HASH_256_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int knot_hash_256_384 - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Hashes a block of input data with KNOT-HASH-384-384. - * - * \param out Buffer to receive the hash output which must be at least - * KNOT_HASH_384_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int knot_hash_384_384 - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Hashes a block of input data with KNOT-HASH-512-512. - * - * \param out Buffer to receive the hash output which must be at least - * KNOT_HASH_512_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int knot_hash_512_512 - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/aead-common.c b/knot/Implementations/crypto_hash/knot512/rhys/aead-common.c similarity index 100% rename from comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/aead-common.c rename to knot/Implementations/crypto_hash/knot512/rhys/aead-common.c 
diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/aead-common.h b/knot/Implementations/crypto_hash/knot512/rhys/aead-common.h
similarity index 100%
rename from comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/aead-common.h
rename to knot/Implementations/crypto_hash/knot512/rhys/aead-common.h
diff --git a/knot/Implementations/crypto_hash/knot512/rhys/api.h b/knot/Implementations/crypto_hash/knot512/rhys/api.h
new file mode 100644
index 0000000..de9380d
--- /dev/null
+++ b/knot/Implementations/crypto_hash/knot512/rhys/api.h
@@ -0,0 +1 @@
+#define CRYPTO_BYTES 64
diff --git a/knot/Implementations/crypto_hash/knot512/rhys-avr/hash.c b/knot/Implementations/crypto_hash/knot512/rhys/hash.c
similarity index 100%
rename from knot/Implementations/crypto_hash/knot512/rhys-avr/hash.c
rename to knot/Implementations/crypto_hash/knot512/rhys/hash.c
diff --git a/knot/Implementations/crypto_hash/knot512/rhys/internal-knot-256-avr.S b/knot/Implementations/crypto_hash/knot512/rhys/internal-knot-256-avr.S
new file mode 100644
index 0000000..15e6389
--- /dev/null
+++ b/knot/Implementations/crypto_hash/knot512/rhys/internal-knot-256-avr.S
@@ -0,0 +1,1093 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_6, @object + .size table_6, 52 +table_6: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 33 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 49 + .byte 34 + .byte 5 + .byte 10 + .byte 20 + .byte 41 + .byte 19 + .byte 39 + .byte 15 + .byte 30 + .byte 61 + .byte 58 + .byte 52 + .byte 40 + .byte 17 + .byte 35 + .byte 7 + .byte 14 + .byte 28 + .byte 57 + .byte 50 + .byte 36 + .byte 9 + .byte 18 + .byte 37 + .byte 11 + .byte 22 + .byte 45 + .byte 27 + .byte 55 + .byte 46 + .byte 29 + .byte 59 + .byte 54 + .byte 44 + .byte 25 + .byte 51 + .byte 38 + .byte 13 + .byte 26 + .byte 53 + .byte 42 + + .text +.global knot256_permute_6 + .type knot256_permute_6, @function +knot256_permute_6: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + 
push r30 + ldi r30,lo8(table_6) + ldi r31,hi8(table_6) +#if defined(RAMPZ) + ldi r17,hh8(table_6) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + 
eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std 
Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 + ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_6, .-knot256_permute_6 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 
55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot256_permute_7 + .type knot256_permute_7, @function +knot256_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 57 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Z+16 + ldd r9,Z+17 + ldd r10,Z+18 + ldd r11,Z+19 + ldd r12,Z+20 + ldd r13,Z+21 + ldd r14,Z+22 + ldd r15,Z+23 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r8 + std Y+18,r9 + std Y+19,r10 + std Y+20,r11 + std Y+21,r12 + std Y+22,r13 + std Y+23,r14 + std Y+24,r15 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +59: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r18,r23 + inc r30 + ldd r23,Y+1 + ldd r4,Y+9 + ldd r5,Y+17 + mov r24,r18 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std 
Y+33,r7 + mov r16,r5 + eor r16,r24 + mov r8,r23 + or r8,r4 + eor r8,r16 + mov r24,r23 + eor r24,r5 + mov r18,r25 + and r18,r16 + eor r18,r24 + mov r6,r8 + and r6,r24 + eor r6,r25 + std Y+25,r6 + ldd r23,Y+2 + ldd r4,Y+10 + ldd r5,Y+18 + mov r24,r19 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+34,r7 + mov r16,r5 + eor r16,r24 + mov r9,r23 + or r9,r4 + eor r9,r16 + mov r24,r23 + eor r24,r5 + mov r19,r25 + and r19,r16 + eor r19,r24 + mov r6,r9 + and r6,r24 + eor r6,r25 + std Y+26,r6 + ldd r23,Y+3 + ldd r4,Y+11 + ldd r5,Y+19 + mov r24,r20 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+35,r7 + mov r16,r5 + eor r16,r24 + mov r10,r23 + or r10,r4 + eor r10,r16 + mov r24,r23 + eor r24,r5 + mov r20,r25 + and r20,r16 + eor r20,r24 + mov r6,r10 + and r6,r24 + eor r6,r25 + std Y+27,r6 + ldd r23,Y+4 + ldd r4,Y+12 + ldd r5,Y+20 + mov r24,r21 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+36,r7 + mov r16,r5 + eor r16,r24 + mov r11,r23 + or r11,r4 + eor r11,r16 + mov r24,r23 + eor r24,r5 + mov r21,r25 + and r21,r16 + eor r21,r24 + mov r6,r11 + and r6,r24 + eor r6,r25 + std Y+28,r6 + ldd r23,Y+5 + ldd r4,Y+13 + ldd r5,Y+21 + mov r24,r26 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+37,r7 + mov r16,r5 + eor r16,r24 + mov r12,r23 + or r12,r4 + eor r12,r16 + mov r24,r23 + eor r24,r5 + mov r26,r25 + and r26,r16 + eor r26,r24 + mov r6,r12 + and r6,r24 + eor r6,r25 + std Y+29,r6 + ldd r23,Y+6 + ldd r4,Y+14 + ldd r5,Y+22 + mov r24,r27 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+38,r7 + mov r16,r5 + eor r16,r24 + mov r13,r23 + or r13,r4 + eor r13,r16 + mov r24,r23 + eor r24,r5 + mov r27,r25 + and r27,r16 + eor r27,r24 + mov r6,r13 + and r6,r24 + eor r6,r25 + std Y+30,r6 + ldd r23,Y+7 + ldd r4,Y+15 + ldd r5,Y+23 + mov r24,r2 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + 
std Y+39,r7 + mov r16,r5 + eor r16,r24 + mov r14,r23 + or r14,r4 + eor r14,r16 + mov r24,r23 + eor r24,r5 + mov r2,r25 + and r2,r16 + eor r2,r24 + mov r6,r14 + and r6,r24 + eor r6,r25 + std Y+31,r6 + ldd r23,Y+8 + ldd r4,Y+16 + ldd r5,Y+24 + mov r24,r3 + com r24 + mov r25,r23 + and r25,r24 + eor r25,r4 + mov r7,r5 + eor r7,r25 + std Y+40,r7 + mov r16,r5 + eor r16,r24 + mov r15,r23 + or r15,r4 + eor r15,r16 + mov r24,r23 + eor r24,r5 + mov r3,r25 + and r3,r16 + eor r3,r24 + mov r6,r15 + and r6,r24 + eor r6,r25 + std Y+32,r6 + std Y+9,r15 + std Y+10,r8 + std Y+11,r9 + std Y+12,r10 + std Y+13,r11 + std Y+14,r12 + std Y+15,r13 + std Y+16,r14 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + std Y+5,r12 + std Y+6,r13 + std Y+7,r14 + std Y+8,r15 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + ldd r12,Y+37 + ldd r13,Y+38 + ldd r14,Y+39 + ldd r15,Y+40 + lsl r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r8,r1 + std Y+17,r13 + std Y+18,r14 + std Y+19,r15 + std Y+20,r8 + std Y+21,r9 + std Y+22,r10 + std Y+23,r11 + std Y+24,r12 + dec r22 + breq 5322f + rjmp 59b +5322: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + std Z+4,r26 + std Z+5,r27 + std Z+6,r2 + std Z+7,r3 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + std Z+16,r8 + std Z+17,r9 + std Z+18,r10 + std Z+19,r11 + std Z+20,r12 + std Z+21,r13 + std Z+22,r14 + std Z+23,r15 + ldd r8,Y+17 
+ ldd r9,Y+18 + ldd r10,Y+19 + ldd r11,Y+20 + ldd r12,Y+21 + ldd r13,Y+22 + ldd r14,Y+23 + ldd r15,Y+24 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + adiw r28,40 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot256_permute_7, .-knot256_permute_7 + +#endif diff --git a/knot/Implementations/crypto_hash/knot512/rhys/internal-knot-384-avr.S b/knot/Implementations/crypto_hash/knot512/rhys/internal-knot-384-avr.S new file mode 100644 index 0000000..4d15898 --- /dev/null +++ b/knot/Implementations/crypto_hash/knot512/rhys/internal-knot-384-avr.S 
@@ -0,0 +1,833 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot384_permute_7 + .type knot384_permute_7, @function +knot384_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,72 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 87 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std 
Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + ldd r4,Z+16 + ldd r5,Z+17 + ldd r6,Z+18 + ldd r7,Z+19 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r4,Z+28 + ldd r5,Z+29 + ldd r6,Z+30 + ldd r7,Z+31 + ldd r8,Z+32 + ldd r9,Z+33 + ldd r10,Z+34 + ldd r11,Z+35 + std Y+25,r26 + std Y+26,r27 + std Y+27,r2 + std Y+28,r3 + std Y+29,r4 + std Y+30,r5 + std Y+31,r6 + std Y+32,r7 + std Y+33,r8 + std Y+34,r9 + std Y+35,r10 + std Y+36,r11 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+37,r26 + std Y+38,r27 + std Y+39,r2 + std Y+40,r3 + std Y+41,r4 + std Y+42,r5 + std Y+43,r6 + std Y+44,r7 + std Y+45,r8 + std Y+46,r9 + std Y+47,r10 + std Y+48,r11 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r24,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif +99: + ldd r12,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + inc r30 + ldd r18,Y+13 + ldd r19,Y+25 + ldd r20,Y+37 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+61,r23 + mov r14,r20 + eor r14,r12 + mov r26,r18 + or r26,r19 + eor r26,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+1,r21 + mov r21,r26 + and r21,r12 + eor r21,r13 + std Y+49,r21 + ldd r12,Y+2 + ldd r18,Y+14 + ldd r19,Y+26 + ldd r20,Y+38 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std 
Y+62,r23 + mov r14,r20 + eor r14,r12 + mov r27,r18 + or r27,r19 + eor r27,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+2,r21 + mov r21,r27 + and r21,r12 + eor r21,r13 + std Y+50,r21 + ldd r12,Y+3 + ldd r18,Y+15 + ldd r19,Y+27 + ldd r20,Y+39 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + std Y+63,r23 + mov r14,r20 + eor r14,r12 + mov r2,r18 + or r2,r19 + eor r2,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+3,r21 + mov r21,r2 + and r21,r12 + eor r21,r13 + std Y+51,r21 + ldd r12,Y+4 + ldd r18,Y+16 + ldd r19,Y+28 + ldd r20,Y+40 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,192 + sbci r29,255 + st Y,r23 + subi r28,64 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r3,r18 + or r3,r19 + eor r3,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+4,r21 + mov r21,r3 + and r21,r12 + eor r21,r13 + std Y+52,r21 + ldd r12,Y+5 + ldd r18,Y+17 + ldd r19,Y+29 + ldd r20,Y+41 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,191 + sbci r29,255 + st Y,r23 + subi r28,65 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r4,r18 + or r4,r19 + eor r4,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+5,r21 + mov r21,r4 + and r21,r12 + eor r21,r13 + std Y+53,r21 + ldd r12,Y+6 + ldd r18,Y+18 + ldd r19,Y+30 + ldd r20,Y+42 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,190 + sbci r29,255 + st Y,r23 + subi r28,66 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r5,r18 + or r5,r19 + eor r5,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+6,r21 + mov r21,r5 + and r21,r12 + eor r21,r13 + std Y+54,r21 + ldd r12,Y+7 + ldd r18,Y+19 + ldd r19,Y+31 + ldd r20,Y+43 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,189 + sbci r29,255 + st Y,r23 + 
subi r28,67 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r6,r18 + or r6,r19 + eor r6,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+7,r21 + mov r21,r6 + and r21,r12 + eor r21,r13 + std Y+55,r21 + ldd r12,Y+8 + ldd r18,Y+20 + ldd r19,Y+32 + ldd r20,Y+44 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,188 + sbci r29,255 + st Y,r23 + subi r28,68 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r7,r18 + or r7,r19 + eor r7,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+8,r21 + mov r21,r7 + and r21,r12 + eor r21,r13 + std Y+56,r21 + ldd r12,Y+9 + ldd r18,Y+21 + ldd r19,Y+33 + ldd r20,Y+45 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,187 + sbci r29,255 + st Y,r23 + subi r28,69 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r8,r18 + or r8,r19 + eor r8,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+9,r21 + mov r21,r8 + and r21,r12 + eor r21,r13 + std Y+57,r21 + ldd r12,Y+10 + ldd r18,Y+22 + ldd r19,Y+34 + ldd r20,Y+46 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,186 + sbci r29,255 + st Y,r23 + subi r28,70 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r9,r18 + or r9,r19 + eor r9,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+10,r21 + mov r21,r9 + and r21,r12 + eor r21,r13 + std Y+58,r21 + ldd r12,Y+11 + ldd r18,Y+23 + ldd r19,Y+35 + ldd r20,Y+47 + com r12 + mov r13,r18 + and r13,r12 + eor r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,185 + sbci r29,255 + st Y,r23 + subi r28,71 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r10,r18 + or r10,r19 + eor r10,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+11,r21 + mov r21,r10 + and r21,r12 + eor r21,r13 + std Y+59,r21 + ldd r12,Y+12 + ldd r18,Y+24 + ldd r19,Y+36 + ldd r20,Y+48 + com r12 + mov r13,r18 + and r13,r12 + eor 
r13,r19 + mov r23,r20 + eor r23,r13 + subi r28,184 + sbci r29,255 + st Y,r23 + subi r28,72 + sbc r29,r1 + mov r14,r20 + eor r14,r12 + mov r11,r18 + or r11,r19 + eor r11,r14 + mov r12,r18 + eor r12,r20 + mov r21,r13 + and r21,r14 + eor r21,r12 + std Y+12,r21 + mov r21,r11 + and r21,r12 + eor r21,r13 + std Y+60,r21 + std Y+25,r11 + std Y+26,r26 + std Y+27,r27 + std Y+28,r2 + std Y+29,r3 + std Y+30,r4 + std Y+31,r5 + std Y+32,r6 + std Y+33,r7 + std Y+34,r8 + std Y+35,r9 + std Y+36,r10 + ldd r26,Y+49 + ldd r27,Y+50 + ldd r2,Y+51 + ldd r3,Y+52 + ldd r4,Y+53 + ldd r5,Y+54 + ldd r6,Y+55 + ldd r7,Y+56 + ldd r8,Y+57 + ldd r9,Y+58 + ldd r10,Y+59 + ldd r11,Y+60 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + adc r26,r1 + std Y+13,r26 + std Y+14,r27 + std Y+15,r2 + std Y+16,r3 + std Y+17,r4 + std Y+18,r5 + std Y+19,r6 + std Y+20,r7 + std Y+21,r8 + std Y+22,r9 + std Y+23,r10 + std Y+24,r11 + adiw r28,61 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y + subi r28,72 + sbc r29,r1 + bst r26,0 + lsr r11 + ror r10 + ror r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r3 + ror r2 + ror r27 + ror r26 + bld r11,7 + std Y+37,r5 + std Y+38,r6 + std Y+39,r7 + std Y+40,r8 + std Y+41,r9 + std Y+42,r10 + std Y+43,r11 + std Y+44,r26 + std Y+45,r27 + std Y+46,r2 + std Y+47,r3 + std Y+48,r4 + dec r22 + breq 5542f + rjmp 99b +5542: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r2,Y+15 + ldd r3,Y+16 + ldd r4,Y+17 + ldd r5,Y+18 + ldd r6,Y+19 + ldd 
r7,Y+20 + ldd r8,Y+21 + ldd r9,Y+22 + ldd r10,Y+23 + ldd r11,Y+24 + std Z+12,r26 + std Z+13,r27 + std Z+14,r2 + std Z+15,r3 + std Z+16,r4 + std Z+17,r5 + std Z+18,r6 + std Z+19,r7 + std Z+20,r8 + std Z+21,r9 + std Z+22,r10 + std Z+23,r11 + ldd r26,Y+25 + ldd r27,Y+26 + ldd r2,Y+27 + ldd r3,Y+28 + ldd r4,Y+29 + ldd r5,Y+30 + ldd r6,Y+31 + ldd r7,Y+32 + ldd r8,Y+33 + ldd r9,Y+34 + ldd r10,Y+35 + ldd r11,Y+36 + std Z+24,r26 + std Z+25,r27 + std Z+26,r2 + std Z+27,r3 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+32,r8 + std Z+33,r9 + std Z+34,r10 + std Z+35,r11 + ldd r26,Y+37 + ldd r27,Y+38 + ldd r2,Y+39 + ldd r3,Y+40 + ldd r4,Y+41 + ldd r5,Y+42 + ldd r6,Y+43 + ldd r7,Y+44 + ldd r8,Y+45 + ldd r9,Y+46 + ldd r10,Y+47 + ldd r11,Y+48 + std Z+36,r26 + std Z+37,r27 + std Z+38,r2 + std Z+39,r3 + std Z+40,r4 + std Z+41,r5 + std Z+42,r6 + std Z+43,r7 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + subi r28,184 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot384_permute_7, .-knot384_permute_7 + +#endif diff --git a/knot/Implementations/crypto_hash/knot512/rhys/internal-knot-512-avr.S b/knot/Implementations/crypto_hash/knot512/rhys/internal-knot-512-avr.S new file mode 100644 index 0000000..6f92ac3 --- /dev/null +++ b/knot/Implementations/crypto_hash/knot512/rhys/internal-knot-512-avr.S 
@@ -0,0 +1,2315 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_7, @object + .size table_7, 104 +table_7: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 16 + .byte 32 + .byte 65 + .byte 3 + .byte 6 + .byte 12 + .byte 24 + .byte 48 + .byte 97 + .byte 66 + .byte 5 + .byte 10 + .byte 20 + .byte 40 + .byte 81 + .byte 35 + .byte 71 + .byte 15 + .byte 30 + .byte 60 + .byte 121 + .byte 114 + .byte 100 + .byte 72 + .byte 17 + .byte 34 + .byte 69 + .byte 11 + .byte 22 + .byte 44 + .byte 89 + .byte 51 + .byte 103 + .byte 78 + .byte 29 + .byte 58 + .byte 117 + .byte 106 + .byte 84 + .byte 41 + .byte 83 + .byte 39 + .byte 79 + .byte 31 + .byte 62 + .byte 125 + .byte 122 + .byte 116 + .byte 104 + .byte 80 + .byte 33 + .byte 67 + .byte 7 + .byte 14 + .byte 28 + .byte 56 + .byte 113 + .byte 98 + .byte 68 + .byte 9 + .byte 18 + .byte 36 + .byte 73 + .byte 19 + .byte 38 + .byte 77 + .byte 27 + .byte 54 + .byte 109 + .byte 90 + .byte 53 + .byte 107 + .byte 86 + .byte 45 + .byte 91 + .byte 55 + .byte 111 + .byte 94 + .byte 61 + .byte 123 + .byte 118 + .byte 108 + .byte 88 + .byte 49 + .byte 99 + .byte 70 + .byte 13 + .byte 26 + .byte 52 + .byte 105 + .byte 82 + .byte 37 + .byte 75 + .byte 23 + .byte 46 + .byte 93 + .byte 59 + .byte 119 + .byte 110 + .byte 92 + + .text +.global knot512_permute_7 + .type knot512_permute_7, @function +knot512_permute_7: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd 
r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_7) + ldi r31,hi8(table_7) +#if defined(RAMPZ) + ldi r17,hh8(table_7) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 
+ ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + 
subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 + ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + 
mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor 
r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi 
r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std 
Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_7, .-knot512_permute_7 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_8, @object + .size table_8, 140 +table_8: + .byte 1 + .byte 2 + .byte 4 + .byte 8 + .byte 17 + .byte 35 + .byte 71 + .byte 142 + .byte 28 + .byte 56 + .byte 113 + .byte 226 + .byte 196 + .byte 137 + .byte 18 + .byte 37 + .byte 75 + .byte 151 + .byte 46 + .byte 92 + .byte 184 + .byte 112 + .byte 224 + .byte 192 + .byte 129 + .byte 3 + .byte 6 + .byte 12 + .byte 25 + .byte 50 + .byte 100 + .byte 201 + .byte 146 + .byte 36 + .byte 73 + .byte 147 + .byte 38 + .byte 77 + .byte 155 + .byte 55 + .byte 110 + .byte 220 + .byte 185 + .byte 114 + .byte 228 + .byte 200 + .byte 144 + .byte 32 + .byte 65 + .byte 130 + .byte 5 
+ .byte 10 + .byte 21 + .byte 43 + .byte 86 + .byte 173 + .byte 91 + .byte 182 + .byte 109 + .byte 218 + .byte 181 + .byte 107 + .byte 214 + .byte 172 + .byte 89 + .byte 178 + .byte 101 + .byte 203 + .byte 150 + .byte 44 + .byte 88 + .byte 176 + .byte 97 + .byte 195 + .byte 135 + .byte 15 + .byte 31 + .byte 62 + .byte 125 + .byte 251 + .byte 246 + .byte 237 + .byte 219 + .byte 183 + .byte 111 + .byte 222 + .byte 189 + .byte 122 + .byte 245 + .byte 235 + .byte 215 + .byte 174 + .byte 93 + .byte 186 + .byte 116 + .byte 232 + .byte 209 + .byte 162 + .byte 68 + .byte 136 + .byte 16 + .byte 33 + .byte 67 + .byte 134 + .byte 13 + .byte 27 + .byte 54 + .byte 108 + .byte 216 + .byte 177 + .byte 99 + .byte 199 + .byte 143 + .byte 30 + .byte 60 + .byte 121 + .byte 243 + .byte 231 + .byte 206 + .byte 156 + .byte 57 + .byte 115 + .byte 230 + .byte 204 + .byte 152 + .byte 49 + .byte 98 + .byte 197 + .byte 139 + .byte 22 + .byte 45 + .byte 90 + .byte 180 + .byte 105 + .byte 210 + .byte 164 + .byte 72 + .byte 145 + .byte 34 + .byte 69 + + .text +.global knot512_permute_8 + .type knot512_permute_8, @function +knot512_permute_8: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + movw r30,r24 + in r28,0x3d + in r29,0x3e + subi r28,96 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 113 + ld r26,Z + ldd r27,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + std Y+1,r26 + std Y+2,r27 + std Y+3,r2 + std Y+4,r3 + std Y+5,r4 + std Y+6,r5 + std Y+7,r6 + std Y+8,r7 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + std Y+13,r12 + std Y+14,r13 + std Y+15,r14 + std Y+16,r15 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd 
r6,Z+22 + ldd r7,Z+23 + ldd r8,Z+24 + ldd r9,Z+25 + ldd r10,Z+26 + ldd r11,Z+27 + ldd r12,Z+28 + ldd r13,Z+29 + ldd r14,Z+30 + ldd r15,Z+31 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + ldd r26,Z+32 + ldd r27,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r8,Z+40 + ldd r9,Z+41 + ldd r10,Z+42 + ldd r11,Z+43 + ldd r12,Z+44 + ldd r13,Z+45 + ldd r14,Z+46 + ldd r15,Z+47 + std Y+33,r26 + std Y+34,r27 + std Y+35,r2 + std Y+36,r3 + std Y+37,r4 + std Y+38,r5 + std Y+39,r6 + std Y+40,r7 + std Y+41,r8 + std Y+42,r9 + std Y+43,r10 + std Y+44,r11 + std Y+45,r12 + std Y+46,r13 + std Y+47,r14 + std Y+48,r15 + ldd r26,Z+48 + ldd r27,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r8,Z+56 + ldd r9,Z+57 + ldd r10,Z+58 + ldd r11,Z+59 + ldd r12,Z+60 + ldd r13,Z+61 + ldd r14,Z+62 + ldd r15,Z+63 + adiw r28,49 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y+,r12 + st Y+,r13 + st Y+,r14 + st Y,r15 + subi r28,64 + sbc r29,r1 + push r31 + push r30 + ldi r30,lo8(table_8) + ldi r31,hi8(table_8) +#if defined(RAMPZ) + ldi r17,hh8(table_8) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif +134: + ldd r24,Y+1 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r24,r18 + inc r30 + ldd r18,Y+17 + ldd r19,Y+33 + ldd r20,Y+49 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,175 + sbci r29,255 + st Y,r23 + subi r28,81 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r26,r18 + or r26,r19 + eor r26,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor 
r21,r24 + std Y+1,r21 + mov r21,r26 + and r21,r24 + eor r21,r25 + subi r28,191 + sbci r29,255 + st Y,r21 + subi r28,65 + sbc r29,r1 + ldd r24,Y+2 + ldd r18,Y+18 + ldd r19,Y+34 + ldd r20,Y+50 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,174 + sbci r29,255 + st Y,r23 + subi r28,82 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r27,r18 + or r27,r19 + eor r27,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+2,r21 + mov r21,r27 + and r21,r24 + eor r21,r25 + subi r28,190 + sbci r29,255 + st Y,r21 + subi r28,66 + sbc r29,r1 + ldd r24,Y+3 + ldd r18,Y+19 + ldd r19,Y+35 + ldd r20,Y+51 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,173 + sbci r29,255 + st Y,r23 + subi r28,83 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r2,r18 + or r2,r19 + eor r2,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+3,r21 + mov r21,r2 + and r21,r24 + eor r21,r25 + subi r28,189 + sbci r29,255 + st Y,r21 + subi r28,67 + sbc r29,r1 + ldd r24,Y+4 + ldd r18,Y+20 + ldd r19,Y+36 + ldd r20,Y+52 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,172 + sbci r29,255 + st Y,r23 + subi r28,84 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r3,r18 + or r3,r19 + eor r3,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+4,r21 + mov r21,r3 + and r21,r24 + eor r21,r25 + subi r28,188 + sbci r29,255 + st Y,r21 + subi r28,68 + sbc r29,r1 + ldd r24,Y+5 + ldd r18,Y+21 + ldd r19,Y+37 + ldd r20,Y+53 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,171 + sbci r29,255 + st Y,r23 + subi r28,85 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r4,r18 + or r4,r19 + eor r4,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+5,r21 + mov r21,r4 + and r21,r24 + eor r21,r25 + subi r28,187 + sbci r29,255 + st Y,r21 + subi r28,69 + sbc r29,r1 
+ ldd r24,Y+6 + ldd r18,Y+22 + ldd r19,Y+38 + ldd r20,Y+54 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,170 + sbci r29,255 + st Y,r23 + subi r28,86 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r5,r18 + or r5,r19 + eor r5,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+6,r21 + mov r21,r5 + and r21,r24 + eor r21,r25 + subi r28,186 + sbci r29,255 + st Y,r21 + subi r28,70 + sbc r29,r1 + ldd r24,Y+7 + ldd r18,Y+23 + ldd r19,Y+39 + ldd r20,Y+55 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,169 + sbci r29,255 + st Y,r23 + subi r28,87 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r6,r18 + or r6,r19 + eor r6,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+7,r21 + mov r21,r6 + and r21,r24 + eor r21,r25 + subi r28,185 + sbci r29,255 + st Y,r21 + subi r28,71 + sbc r29,r1 + ldd r24,Y+8 + ldd r18,Y+24 + ldd r19,Y+40 + ldd r20,Y+56 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,168 + sbci r29,255 + st Y,r23 + subi r28,88 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r7,r18 + or r7,r19 + eor r7,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+8,r21 + mov r21,r7 + and r21,r24 + eor r21,r25 + subi r28,184 + sbci r29,255 + st Y,r21 + subi r28,72 + sbc r29,r1 + ldd r24,Y+9 + ldd r18,Y+25 + ldd r19,Y+41 + ldd r20,Y+57 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,167 + sbci r29,255 + st Y,r23 + subi r28,89 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r8,r18 + or r8,r19 + eor r8,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+9,r21 + mov r21,r8 + and r21,r24 + eor r21,r25 + subi r28,183 + sbci r29,255 + st Y,r21 + subi r28,73 + sbc r29,r1 + ldd r24,Y+10 + ldd r18,Y+26 + ldd r19,Y+42 + ldd r20,Y+58 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor 
r23,r25 + subi r28,166 + sbci r29,255 + st Y,r23 + subi r28,90 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r9,r18 + or r9,r19 + eor r9,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+10,r21 + mov r21,r9 + and r21,r24 + eor r21,r25 + subi r28,182 + sbci r29,255 + st Y,r21 + subi r28,74 + sbc r29,r1 + ldd r24,Y+11 + ldd r18,Y+27 + ldd r19,Y+43 + ldd r20,Y+59 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,165 + sbci r29,255 + st Y,r23 + subi r28,91 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r10,r18 + or r10,r19 + eor r10,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+11,r21 + mov r21,r10 + and r21,r24 + eor r21,r25 + subi r28,181 + sbci r29,255 + st Y,r21 + subi r28,75 + sbc r29,r1 + ldd r24,Y+12 + ldd r18,Y+28 + ldd r19,Y+44 + ldd r20,Y+60 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,164 + sbci r29,255 + st Y,r23 + subi r28,92 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r11,r18 + or r11,r19 + eor r11,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+12,r21 + mov r21,r11 + and r21,r24 + eor r21,r25 + subi r28,180 + sbci r29,255 + st Y,r21 + subi r28,76 + sbc r29,r1 + ldd r24,Y+13 + ldd r18,Y+29 + ldd r19,Y+45 + ldd r20,Y+61 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,163 + sbci r29,255 + st Y,r23 + subi r28,93 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r12,r18 + or r12,r19 + eor r12,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+13,r21 + mov r21,r12 + and r21,r24 + eor r21,r25 + subi r28,179 + sbci r29,255 + st Y,r21 + subi r28,77 + sbc r29,r1 + ldd r24,Y+14 + ldd r18,Y+30 + ldd r19,Y+46 + ldd r20,Y+62 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,162 + sbci r29,255 + st Y,r23 + subi r28,94 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov 
r13,r18 + or r13,r19 + eor r13,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+14,r21 + mov r21,r13 + and r21,r24 + eor r21,r25 + subi r28,178 + sbci r29,255 + st Y,r21 + subi r28,78 + sbc r29,r1 + ldd r24,Y+15 + ldd r18,Y+31 + ldd r19,Y+47 + ldd r20,Y+63 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,161 + sbci r29,255 + st Y,r23 + subi r28,95 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r14,r18 + or r14,r19 + eor r14,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+15,r21 + mov r21,r14 + and r21,r24 + eor r21,r25 + subi r28,177 + sbci r29,255 + st Y,r21 + subi r28,79 + sbc r29,r1 + ldd r24,Y+16 + ldd r18,Y+32 + ldd r19,Y+48 + subi r28,192 + sbci r29,255 + ld r20,Y + subi r28,64 + sbc r29,r1 + com r24 + mov r25,r18 + and r25,r24 + eor r25,r19 + mov r23,r20 + eor r23,r25 + subi r28,160 + sbci r29,255 + st Y,r23 + subi r28,96 + sbc r29,r1 + mov r16,r20 + eor r16,r24 + mov r15,r18 + or r15,r19 + eor r15,r16 + mov r24,r18 + eor r24,r20 + mov r21,r25 + and r21,r16 + eor r21,r24 + std Y+16,r21 + mov r21,r15 + and r21,r24 + eor r21,r25 + subi r28,176 + sbci r29,255 + st Y,r21 + subi r28,80 + sbc r29,r1 + std Y+33,r14 + std Y+34,r15 + std Y+35,r26 + std Y+36,r27 + std Y+37,r2 + std Y+38,r3 + std Y+39,r4 + std Y+40,r5 + std Y+41,r6 + std Y+42,r7 + std Y+43,r8 + std Y+44,r9 + std Y+45,r10 + std Y+46,r11 + std Y+47,r12 + std Y+48,r13 + subi r28,191 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,80 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + std Y+17,r26 + std Y+18,r27 + std Y+19,r2 + std Y+20,r3 + std Y+21,r4 + std Y+22,r5 + std Y+23,r6 + std Y+24,r7 + std Y+25,r8 + std 
Y+26,r9 + std Y+27,r10 + std Y+28,r11 + std Y+29,r12 + std Y+30,r13 + std Y+31,r14 + std Y+32,r15 + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,96 + sbc r29,r1 + lsl r26 + rol r27 + rol r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + rol r10 + rol r11 + rol r12 + rol r13 + rol r14 + rol r15 + adc r26,r1 + adiw r28,49 + st Y+,r13 + st Y+,r14 + st Y+,r15 + st Y+,r26 + st Y+,r27 + st Y+,r2 + st Y+,r3 + st Y+,r4 + st Y+,r5 + st Y+,r6 + st Y+,r7 + st Y+,r8 + st Y+,r9 + st Y+,r10 + st Y+,r11 + st Y,r12 + subi r28,64 + sbc r29,r1 + dec r22 + breq 5812f + rjmp 134b +5812: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r2,Y+3 + ldd r3,Y+4 + ldd r4,Y+5 + ldd r5,Y+6 + ldd r6,Y+7 + ldd r7,Y+8 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + ldd r12,Y+13 + ldd r13,Y+14 + ldd r14,Y+15 + ldd r15,Y+16 + st Z,r26 + std Z+1,r27 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + ldd r26,Y+17 + ldd r27,Y+18 + ldd r2,Y+19 + ldd r3,Y+20 + ldd r4,Y+21 + ldd r5,Y+22 + ldd r6,Y+23 + ldd r7,Y+24 + ldd r8,Y+25 + ldd r9,Y+26 + ldd r10,Y+27 + ldd r11,Y+28 + ldd r12,Y+29 + ldd r13,Y+30 + ldd r14,Y+31 + ldd r15,Y+32 + std Z+16,r26 + std Z+17,r27 + std Z+18,r2 + std Z+19,r3 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r8 + std Z+25,r9 + std Z+26,r10 + std Z+27,r11 + std Z+28,r12 + std Z+29,r13 + std Z+30,r14 + std Z+31,r15 + ldd r26,Y+33 + ldd r27,Y+34 + ldd r2,Y+35 + ldd r3,Y+36 + ldd r4,Y+37 + ldd r5,Y+38 + ldd r6,Y+39 + ldd r7,Y+40 + ldd r8,Y+41 + ldd r9,Y+42 + ldd r10,Y+43 + ldd r11,Y+44 + ldd r12,Y+45 + ldd r13,Y+46 + ldd r14,Y+47 + ldd r15,Y+48 + std 
Z+32,r26 + std Z+33,r27 + std Z+34,r2 + std Z+35,r3 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r8 + std Z+41,r9 + std Z+42,r10 + std Z+43,r11 + std Z+44,r12 + std Z+45,r13 + std Z+46,r14 + std Z+47,r15 + adiw r28,49 + ld r26,Y+ + ld r27,Y+ + ld r2,Y+ + ld r3,Y+ + ld r4,Y+ + ld r5,Y+ + ld r6,Y+ + ld r7,Y+ + ld r8,Y+ + ld r9,Y+ + ld r10,Y+ + ld r11,Y+ + ld r12,Y+ + ld r13,Y+ + ld r14,Y+ + ld r15,Y + subi r28,64 + sbc r29,r1 + std Z+48,r26 + std Z+49,r27 + std Z+50,r2 + std Z+51,r3 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + std Z+56,r8 + std Z+57,r9 + std Z+58,r10 + std Z+59,r11 + std Z+60,r12 + std Z+61,r13 + std Z+62,r14 + std Z+63,r15 + subi r28,160 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size knot512_permute_8, .-knot512_permute_8 + +#endif diff --git a/knot/Implementations/crypto_hash/knot512/rhys/internal-knot.c b/knot/Implementations/crypto_hash/knot512/rhys/internal-knot.c new file mode 100644 index 0000000..f8b378e --- /dev/null +++ b/knot/Implementations/crypto_hash/knot512/rhys/internal-knot.c 
@@ -0,0 +1,301 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. 
+ */ + +#include "internal-knot.h" + +#if !defined(__AVR__) + +/* Round constants for the KNOT-256, KNOT-384, and KNOT-512 permutations */ +static uint8_t const rc6[52] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x21, 0x03, 0x06, 0x0c, 0x18, 0x31, 0x22, + 0x05, 0x0a, 0x14, 0x29, 0x13, 0x27, 0x0f, 0x1e, 0x3d, 0x3a, 0x34, 0x28, + 0x11, 0x23, 0x07, 0x0e, 0x1c, 0x39, 0x32, 0x24, 0x09, 0x12, 0x25, 0x0b, + 0x16, 0x2d, 0x1b, 0x37, 0x2e, 0x1d, 0x3b, 0x36, 0x2c, 0x19, 0x33, 0x26, + 0x0d, 0x1a, 0x35, 0x2a +}; +static uint8_t const rc7[104] = { + 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x41, 0x03, 0x06, 0x0c, 0x18, 0x30, + 0x61, 0x42, 0x05, 0x0a, 0x14, 0x28, 0x51, 0x23, 0x47, 0x0f, 0x1e, 0x3c, + 0x79, 0x72, 0x64, 0x48, 0x11, 0x22, 0x45, 0x0b, 0x16, 0x2c, 0x59, 0x33, + 0x67, 0x4e, 0x1d, 0x3a, 0x75, 0x6a, 0x54, 0x29, 0x53, 0x27, 0x4f, 0x1f, + 0x3e, 0x7d, 0x7a, 0x74, 0x68, 0x50, 0x21, 0x43, 0x07, 0x0e, 0x1c, 0x38, + 0x71, 0x62, 0x44, 0x09, 0x12, 0x24, 0x49, 0x13, 0x26, 0x4d, 0x1b, 0x36, + 0x6d, 0x5a, 0x35, 0x6b, 0x56, 0x2d, 0x5b, 0x37, 0x6f, 0x5e, 0x3d, 0x7b, + 0x76, 0x6c, 0x58, 0x31, 0x63, 0x46, 0x0d, 0x1a, 0x34, 0x69, 0x52, 0x25, + 0x4b, 0x17, 0x2e, 0x5d, 0x3b, 0x77, 0x6e, 0x5c +}; +static uint8_t const rc8[140] = { + 0x01, 0x02, 0x04, 0x08, 0x11, 0x23, 0x47, 0x8e, 0x1c, 0x38, 0x71, 0xe2, + 0xc4, 0x89, 0x12, 0x25, 0x4b, 0x97, 0x2e, 0x5c, 0xb8, 0x70, 0xe0, 0xc0, + 0x81, 0x03, 0x06, 0x0c, 0x19, 0x32, 0x64, 0xc9, 0x92, 0x24, 0x49, 0x93, + 0x26, 0x4d, 0x9b, 0x37, 0x6e, 0xdc, 0xb9, 0x72, 0xe4, 0xc8, 0x90, 0x20, + 0x41, 0x82, 0x05, 0x0a, 0x15, 0x2b, 0x56, 0xad, 0x5b, 0xb6, 0x6d, 0xda, + 0xb5, 0x6b, 0xd6, 0xac, 0x59, 0xb2, 0x65, 0xcb, 0x96, 0x2c, 0x58, 0xb0, + 0x61, 0xc3, 0x87, 0x0f, 0x1f, 0x3e, 0x7d, 0xfb, 0xf6, 0xed, 0xdb, 0xb7, + 0x6f, 0xde, 0xbd, 0x7a, 0xf5, 0xeb, 0xd7, 0xae, 0x5d, 0xba, 0x74, 0xe8, + 0xd1, 0xa2, 0x44, 0x88, 0x10, 0x21, 0x43, 0x86, 0x0d, 0x1b, 0x36, 0x6c, + 0xd8, 0xb1, 0x63, 0xc7, 0x8f, 0x1e, 0x3c, 0x79, 0xf3, 0xe7, 0xce, 0x9c, + 0x39, 0x73, 0xe6, 0xcc, 0x98, 0x31, 0x62, 
0xc5, 0x8b, 0x16, 0x2d, 0x5a, + 0xb4, 0x69, 0xd2, 0xa4, 0x48, 0x91, 0x22, 0x45 +}; + +/* Applies the KNOT S-box to four 64-bit words in bit-sliced mode */ +#define knot_sbox64(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint64_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +/* Applies the KNOT S-box to four 32-bit words in bit-sliced mode */ +#define knot_sbox32(a0, a1, a2, a3, b1, b2, b3) \ + do { \ + uint32_t t1, t3, t6; \ + t1 = ~(a0); \ + t3 = (a2) ^ ((a1) & t1); \ + (b3) = (a3) ^ t3; \ + t6 = (a3) ^ t1; \ + (b2) = ((a1) | (a2)) ^ t6; \ + t1 = (a1) ^ (a3); \ + (a0) = t1 ^ (t3 & t6); \ + (b1) = t3 ^ ((b2) & t1); \ + } while (0) + +static void knot256_permute + (knot256_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b1, b2, b3; + + /* Load the input state into local variables; each row is 64 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x1, x2, x3, b1, b2, b3); + + /* Linear diffusion layer */ + x1 = leftRotate1_64(b1); + x2 = leftRotate8_64(b2); + x3 = leftRotate25_64(b3); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + 
le_store_word64(state->B + 24, x3); +#endif +} + +void knot256_permute_6(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc6, rounds); +} + +void knot256_permute_7(knot256_state_t *state, uint8_t rounds) +{ + knot256_permute(state, rc7, rounds); +} + +void knot384_permute_7(knot384_state_t *state, uint8_t rounds) +{ + const uint8_t *rc = rc7; + uint64_t b2, b4, b6; + uint32_t b3, b5, b7; + + /* Load the input state into local variables; each row is 96 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint32_t x1 = state->W[2]; + uint64_t x2 = state->W[3] | (((uint64_t)(state->W[4])) << 32); + uint32_t x3 = state->W[5]; + uint64_t x4 = state->S[3]; + uint32_t x5 = state->W[8]; + uint64_t x6 = state->W[9] | (((uint64_t)(state->W[10])) << 32); + uint32_t x7 = state->W[11]; +#else + uint64_t x0 = le_load_word64(state->B); + uint32_t x1 = le_load_word32(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 12); + uint32_t x3 = le_load_word32(state->B + 20); + uint64_t x4 = le_load_word64(state->B + 24); + uint32_t x5 = le_load_word32(state->B + 32); + uint64_t x6 = le_load_word64(state->B + 36); + uint32_t x7 = le_load_word32(state->B + 44); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox32(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotateShort_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (32 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) >> (64 - (bits))); \ + } while (0) + #define leftRotateLong_96(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | \ + (((uint64_t)(b1)) << ((bits) - 32)) | \ + ((b0) >> (96 - (bits))); \ + (a1) = (uint32_t)(((b0) << ((bits) - 32)) >> 32); \ + } while (0) + leftRotateShort_96(x2, x3, b2, b3, 1); + leftRotateShort_96(x4, x5, b4, b5, 8); + 
leftRotateLong_96(x6, x7, b6, b7, 55); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->W[2] = x1; + state->W[3] = (uint32_t)x2; + state->W[4] = (uint32_t)(x2 >> 32); + state->W[5] = x3; + state->S[3] = x4; + state->W[8] = x5; + state->W[9] = (uint32_t)x6; + state->W[10] = (uint32_t)(x6 >> 32); + state->W[11] = x7; +#else + le_store_word64(state->B, x0); + le_store_word32(state->B + 8, x1); + le_store_word64(state->B + 12, x2); + le_store_word32(state->B + 20, x3); + le_store_word64(state->B + 24, x4); + le_store_word32(state->B + 32, x5); + le_store_word64(state->B + 36, x6); + le_store_word32(state->B + 44, x7); +#endif +} + +static void knot512_permute + (knot512_state_t *state, const uint8_t *rc, uint8_t rounds) +{ + uint64_t b2, b3, b4, b5, b6, b7; + + /* Load the input state into local variables; each row is 128 bits */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + uint64_t x0 = state->S[0]; + uint64_t x1 = state->S[1]; + uint64_t x2 = state->S[2]; + uint64_t x3 = state->S[3]; + uint64_t x4 = state->S[4]; + uint64_t x5 = state->S[5]; + uint64_t x6 = state->S[6]; + uint64_t x7 = state->S[7]; +#else + uint64_t x0 = le_load_word64(state->B); + uint64_t x1 = le_load_word64(state->B + 8); + uint64_t x2 = le_load_word64(state->B + 16); + uint64_t x3 = le_load_word64(state->B + 24); + uint64_t x4 = le_load_word64(state->B + 32); + uint64_t x5 = le_load_word64(state->B + 40); + uint64_t x6 = le_load_word64(state->B + 48); + uint64_t x7 = le_load_word64(state->B + 56); +#endif + + /* Perform all permutation rounds */ + for (; rounds > 0; --rounds) { + /* Add the next round constant to the state */ + x0 ^= *rc++; + + /* Substitution layer */ + knot_sbox64(x0, x2, x4, x6, b2, b4, b6); + knot_sbox64(x1, x3, x5, x7, b3, b5, b7); + + /* Linear diffusion layer */ + #define leftRotate_128(a0, a1, b0, b1, bits) \ + do { \ + (a0) = ((b0) << (bits)) | ((b1) >> (64 - (bits))); \ + (a1) = ((b1) << (bits)) | ((b0) 
>> (64 - (bits))); \ + } while (0) + leftRotate_128(x2, x3, b2, b3, 1); + leftRotate_128(x4, x5, b4, b5, 16); + leftRotate_128(x6, x7, b6, b7, 25); + } + + /* Store the local variables to the output state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + state->S[0] = x0; + state->S[1] = x1; + state->S[2] = x2; + state->S[3] = x3; + state->S[4] = x4; + state->S[5] = x5; + state->S[6] = x6; + state->S[7] = x7; +#else + le_store_word64(state->B, x0); + le_store_word64(state->B + 8, x1); + le_store_word64(state->B + 16, x2); + le_store_word64(state->B + 24, x3); + le_store_word64(state->B + 32, x4); + le_store_word64(state->B + 40, x5); + le_store_word64(state->B + 48, x6); + le_store_word64(state->B + 56, x7); +#endif +} + +void knot512_permute_7(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc7, rounds); +} + +void knot512_permute_8(knot512_state_t *state, uint8_t rounds) +{ + knot512_permute(state, rc8, rounds); +} + +#endif /* !__AVR__ */ diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-keccak.h b/knot/Implementations/crypto_hash/knot512/rhys/internal-knot.h similarity index 52% rename from elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-keccak.h rename to knot/Implementations/crypto_hash/knot512/rhys/internal-knot.h index 2ffef42..88a782c 100644 --- a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-keccak.h +++ b/knot/Implementations/crypto_hash/knot512/rhys/internal-knot.h @@ -20,14 +20,14 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LW_INTERNAL_KECCAK_H -#define LW_INTERNAL_KECCAK_H +#ifndef LW_INTERNAL_KNOT_H +#define LW_INTERNAL_KNOT_H #include "internal-util.h" /** - * \file internal-keccak.h - * \brief Internal implementation of the Keccak-p permutation. + * \file internal-knot.h + * \brief Permutations that are used by the KNOT AEAD and hash algorithms. */ #ifdef __cplusplus 
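Review bot: `knot256_permute`, `knot384_permute_7` and `knot512_permute` advance `rc` once per round with no bound against the table they were handed, so a `rounds` value above 52 for `rc6`, 104 for `rc7` or 140 for `rc8` reads past the end of the constant table. The callers visible in this commit pass 68, 80, 104 and 140, which all fit, but the loops are the only place the invariant can be stated; a comment above each round loop, `/* Caller guarantees rounds <= table length: 52 for rc6, 104 for rc7, 140 for rc8 */`, or a debug-build assert would make the contract visible to the next caller. Separately, `leftRotateShort_96`, `leftRotateLong_96` and `leftRotate_128` are `#define`d inside function bodies and never `#undef`'d, so they stay visible for the rest of the translation unit; an `#undef` after each loop, or hoisting them to file scope next to `knot_sbox64`/`knot_sbox32`, avoids the leak.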
@@ -35,50 +35,93 @@ extern "C" { #endif /** - * \brief Size of the state for the Keccak-p[200] permutation. + * \brief Internal state of the KNOT-256 permutation. */ -#define KECCAKP_200_STATE_SIZE 25 +typedef union +{ + uint64_t S[4]; /**< Words of the state */ + uint8_t B[32]; /**< Bytes of the state */ -/** - * \brief Size of the state for the Keccak-p[400] permutation. - */ -#define KECCAKP_400_STATE_SIZE 50 +} knot256_state_t; /** - * \brief Structure of the internal state of the Keccak-p[200] permutation. + * \brief Internal state of the KNOT-384 permutation. */ typedef union { - uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */ - uint8_t B[25]; /**< Keccak-p[200] state as a byte array */ + uint64_t S[6]; /**< 64-bit words of the state */ + uint32_t W[12]; /**< 32-bit words of the state */ + uint8_t B[48]; /**< Bytes of the state */ -} keccakp_200_state_t; +} knot384_state_t; /** - * \brief Structure of the internal state of the Keccak-p[400] permutation. + * \brief Internal state of the KNOT-512 permutation. */ typedef union { - uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */ - uint8_t B[50]; /**< Keccak-p[400] state as a byte array */ + uint64_t S[8]; /**< Words of the state */ + uint8_t B[64]; /**< Bytes of the state */ -} keccakp_400_state_t; +} knot512_state_t; /** - * \brief Permutes the Keccak-p[200] state. + * \brief Permutes the KNOT-256 state, using 6-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 52. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot256_permute_6(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-256 state, using 7-bit round constants. + * + * \param state The KNOT-256 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. 
+ */ +void knot256_permute_7(knot256_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-384 state, using 7-bit round constants. + * + * \param state The KNOT-384 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot384_permute_7(knot384_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 7-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 104. + * + * The input and output \a state will be in little-endian byte order. + */ +void knot512_permute_7(knot512_state_t *state, uint8_t rounds); + +/** + * \brief Permutes the KNOT-512 state, using 8-bit round constants. + * + * \param state The KNOT-512 state to be permuted. + * \param rounds The number of rounds to be performed, 1 to 140. * - * \param state The Keccak-p[200] state to be permuted. + * The input and output \a state will be in little-endian byte order. */ -void keccakp_200_permute(keccakp_200_state_t *state); +void knot512_permute_8(knot512_state_t *state, uint8_t rounds); /** - * \brief Permutes the Keccak-p[400] state, which is assumed to be in - * little-endian byte order. + * \brief Generic pointer to a function that performs a KNOT permutation. * - * \param state The Keccak-p[400] state to be permuted. - * \param rounds The number of rounds to perform (up to 20). + * \param state Points to the permutation state. + * \param round Number of rounds to perform. */ -void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds); +typedef void (*knot_permute_t)(void *state, uint8_t rounds); #ifdef __cplusplus } 
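Review bot: The `knot_permute_t` documentation names its second parameter `\param round` while the typedef declares it `rounds`; it should read `\param rounds Number of rounds to perform.`. The typedef also takes `void *state`, so the concrete `knot*_permute_*` functions, which take `knot256_state_t *` and friends, can only be stored in it through a function-pointer cast, and calling through a pointer of a different function type is undefined behaviour in C even though it works on common ABIs; a comment on the typedef saying so, or thin adapters with the `void *` signature, is worth considering. The ranges "1 to 52", "1 to 104" and "1 to 140" in the new comments are the sizes of the round-constant tables and are not checked by the implementation, so the wording could say explicitly that exceeding them is a caller error rather than a clamped value.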
diff --git a/comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-util.h b/knot/Implementations/crypto_hash/knot512/rhys/internal-util.h similarity index 100% rename from comet/Implementations/crypto_aead/comet64speckv1/rhys-avr/internal-util.h rename to knot/Implementations/crypto_hash/knot512/rhys/internal-util.h diff --git a/knot/Implementations/crypto_hash/knot512/rhys/knot-hash.c b/knot/Implementations/crypto_hash/knot512/rhys/knot-hash.c new file mode 100644 index 0000000..a4edecd --- /dev/null +++ b/knot/Implementations/crypto_hash/knot512/rhys/knot-hash.c 
@@ -0,0 +1,186 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. 
+ */ + +#include "knot.h" +#include "internal-knot.h" +#include + +aead_hash_algorithm_t const knot_hash_256_256_algorithm = { + "KNOT-HASH-256-256", + sizeof(int), + KNOT_HASH_256_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_hash_256_256, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +aead_hash_algorithm_t const knot_hash_256_384_algorithm = { + "KNOT-HASH-256-384", + sizeof(int), + KNOT_HASH_256_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_hash_256_384, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +aead_hash_algorithm_t const knot_hash_384_384_algorithm = { + "KNOT-HASH-384-384", + sizeof(int), + KNOT_HASH_384_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_hash_384_384, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +aead_hash_algorithm_t const knot_hash_512_512_algorithm = { + "KNOT-HASH-512-512", + sizeof(int), + KNOT_HASH_512_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + knot_hash_512_512, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \brief Input rate for KNOT-HASH-256-256. + */ +#define KNOT_HASH_256_256_RATE 4 + +/** + * \brief Input rate for KNOT-HASH-256-384. + */ +#define KNOT_HASH_256_384_RATE 16 + +/** + * \brief Input rate for KNOT-HASH-384-384. + */ +#define KNOT_HASH_384_384_RATE 6 + +/** + * \brief Input rate for KNOT-HASH-512-512. 
+ */ +#define KNOT_HASH_512_512_RATE 8 + +int knot_hash_256_256 + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + knot256_state_t state; + unsigned temp; + memset(state.B, 0, sizeof(state.B)); + while (inlen >= KNOT_HASH_256_256_RATE) { + lw_xor_block(state.B, in, KNOT_HASH_256_256_RATE); + knot256_permute_7(&state, 68); + in += KNOT_HASH_256_256_RATE; + inlen -= KNOT_HASH_256_256_RATE; + } + temp = (unsigned)inlen; + lw_xor_block(state.B, in, temp); + state.B[temp] ^= 0x01; + knot256_permute_7(&state, 68); + memcpy(out, state.B, KNOT_HASH_256_SIZE / 2); + knot256_permute_7(&state, 68); + memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2); + return 0; +} + +int knot_hash_256_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + knot384_state_t state; + unsigned temp; + memset(state.B, 0, sizeof(state.B)); + state.B[sizeof(state.B) - 1] ^= 0x80; + while (inlen >= KNOT_HASH_256_384_RATE) { + lw_xor_block(state.B, in, KNOT_HASH_256_384_RATE); + knot384_permute_7(&state, 80); + in += KNOT_HASH_256_384_RATE; + inlen -= KNOT_HASH_256_384_RATE; + } + temp = (unsigned)inlen; + lw_xor_block(state.B, in, temp); + state.B[temp] ^= 0x01; + knot384_permute_7(&state, 80); + memcpy(out, state.B, KNOT_HASH_256_SIZE / 2); + knot384_permute_7(&state, 80); + memcpy(out + KNOT_HASH_256_SIZE / 2, state.B, KNOT_HASH_256_SIZE / 2); + return 0; +} + +int knot_hash_384_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + knot384_state_t state; + unsigned temp; + memset(state.B, 0, sizeof(state.B)); + while (inlen >= KNOT_HASH_384_384_RATE) { + lw_xor_block(state.B, in, KNOT_HASH_384_384_RATE); + knot384_permute_7(&state, 104); + in += KNOT_HASH_384_384_RATE; + inlen -= KNOT_HASH_384_384_RATE; + } + temp = (unsigned)inlen; + lw_xor_block(state.B, in, temp); + state.B[temp] ^= 0x01; + knot384_permute_7(&state, 104); + memcpy(out, state.B, KNOT_HASH_384_SIZE / 2); + 
knot384_permute_7(&state, 104); + memcpy(out + KNOT_HASH_384_SIZE / 2, state.B, KNOT_HASH_384_SIZE / 2); + return 0; +} + +int knot_hash_512_512 + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + knot512_state_t state; + unsigned temp; + memset(state.B, 0, sizeof(state.B)); + while (inlen >= KNOT_HASH_512_512_RATE) { + lw_xor_block(state.B, in, KNOT_HASH_512_512_RATE); + knot512_permute_8(&state, 140); + in += KNOT_HASH_512_512_RATE; + inlen -= KNOT_HASH_512_512_RATE; + } + temp = (unsigned)inlen; + lw_xor_block(state.B, in, temp); + state.B[temp] ^= 0x01; + knot512_permute_8(&state, 140); + memcpy(out, state.B, KNOT_HASH_512_SIZE / 2); + knot512_permute_8(&state, 140); + memcpy(out + KNOT_HASH_512_SIZE / 2, state.B, KNOT_HASH_512_SIZE / 2); + return 0; +} diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/forkae.h b/knot/Implementations/crypto_hash/knot512/rhys/knot.h similarity index 53% rename from forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/forkae.h rename to knot/Implementations/crypto_hash/knot512/rhys/knot.h index 3e27b50..e2c5198 100644 --- a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/forkae.h +++ b/knot/Implementations/crypto_hash/knot512/rhys/knot.h 
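Review bot: Each of the four hash functions leaves the sponge state, which holds the absorbed input, in a stack local that is never cleared before `return 0;`, so when these hashes are run over secret material (key derivation, password-derived input) that residue survives on the stack after the call. A zeroisation of `state` before each return, written so the compiler cannot drop it as a dead store (a plain `memset` right before return may be elided), would match the hygiene expected of a crypto primitive; this applies equally to the `knot384_state_t` and `knot512_state_t` variants. The four bodies are otherwise identical apart from state type, rate, round count and output size, so if the family grows another member it would be worth factoring the absorb/pad/squeeze sequence into a static helper rather than copying it a fifth time.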
@@ -20,50 +20,38 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LWCRYPTO_FORKAE_H -#define LWCRYPTO_FORKAE_H +#ifndef LWCRYPTO_KNOT_H +#define LWCRYPTO_KNOT_H #include "aead-common.h" /** - * \file forkae.h - * \brief ForkAE authenticated encryption algorithm family. - * - * ForkAE is a family of authenticated encryption algorithms based on a - * modified version of the SKINNY tweakable block cipher. The modifications - * introduce "forking" where each input block produces two output blocks - * for use in encryption and authentication. There are six members in - * the ForkAE family: - * - * \li PAEF-ForkSkinny-64-192 has a 128-bit key, a 48-bit nonce, and a - * 64-bit authentication tag. The associated data and plaintext are - * limited to 216 bytes. - * \li PAEF-ForkSkinny-128-192 has a 128-bit key, a 48-bit nonce, and a - * 128-bit authentication tag. The associated data and plaintext are - * limited to 217 bytes. - * \li PAEF-ForkSkinny-128-256 has a 128-bit key, a 112-bit nonce, and a - * 128-bit authentication tag. The associated data and plaintext are - * limited to 217 bytes. - * \li PAEF-ForkSkinny-128-288 has a 128-bit key, a 104-bit nonce, and a - * 128-bit authentication tag. The associated data and plaintext are - * limited to 257 bytes. This is the primary member of the family. - * \li SAEF-ForkSkinny-128-192 has a 128-bit key, a 56-bit nonce, and a - * 128-bit authentication tag. The associated data and plaintext may be - * unlimited in size. - * \li SAEF-ForkSkinny-128-256 has a 128-bit key, a 120-bit nonce, and a - * 128-bit authentication tag. The associated data and plaintext may be - * unlimited in size. - * - * The PAEF variants support parallel encryption and decryption for - * higher throughput. The SAEF variants encrypt or decrypt blocks - * sequentially. - * - * ForkAE is designed to be efficient on small packet sizes so most of - * the PAEF algorithms have a limit of 64k or 128k on the amount of - * payload in a single packet. 
Obviously the input can be split into - * separate packets for larger amounts of data. - * - * References: https://www.esat.kuleuven.be/cosic/forkae/ + * \file knot.h + * \brief KNOT authenticated encryption and hash algorithms. + * + * KNOT is a family of authenticated encryption and hash algorithms built + * around a permutation and the MonkeyDuplex sponge construction. The + * family members are: + * + * \li KNOT-AEAD-128-256 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 256-bit permutation. This is the primary + * encryption member of the family. + * \li KNOT-AEAD-128-384 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-192-384 with a 192-bit key, a 192-bit nonce, and a + * 192-bit tag, built around a 384-bit permutation. + * \li KNOT-AEAD-256-512 with a 256-bit key, a 256-bit nonce, and a + * 256-bit tag, built around a 512-bit permutation. + * \li KNOT-HASH-256-256 with a 256-bit hash output, built around a + * 256-bit permutation. This is the primary hashing member of the family. + * \li KNOT-HASH-256-384 with a 256-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-384-384 with a 384-bit hash output, built around a + * 384-bit permutation. + * \li KNOT-HASH-512-512 with a 512-bit hash output, built around a + * 512-bit permutation. + * + * References: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/knot-spec-round.pdf */ #ifdef __cplusplus 
@@ -71,131 +59,112 @@ extern "C" { #endif /** - * \brief Size of the key for PAEF-ForkSkinny-64-192. + * \brief Size of the key for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. */ -#define FORKAE_PAEF_64_192_KEY_SIZE 16 +#define KNOT_AEAD_128_KEY_SIZE 16 /** - * \brief Size of the authentication tag for PAEF-ForkSkinny-64-192. + * \brief Size of the authentication tag for KNOT-AEAD-128-256 and + * KNOT-AEAD-128-384. */ -#define FORKAE_PAEF_64_192_TAG_SIZE 8 +#define KNOT_AEAD_128_TAG_SIZE 16 /** - * \brief Size of the nonce for PAEF-ForkSkinny-64-192. + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. */ -#define FORKAE_PAEF_64_192_NONCE_SIZE 6 +#define KNOT_AEAD_128_NONCE_SIZE 16 /** - * \brief Size of the key for PAEF-ForkSkinny-128-192. + * \brief Size of the key for KNOT-AEAD-192-384. */ -#define FORKAE_PAEF_128_192_KEY_SIZE 16 +#define KNOT_AEAD_192_KEY_SIZE 24 /** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-192. + * \brief Size of the authentication tag for KNOT-AEAD-192-384. */ -#define FORKAE_PAEF_128_192_TAG_SIZE 16 +#define KNOT_AEAD_192_TAG_SIZE 24 /** - * \brief Size of the nonce for PAEF-ForkSkinny-128-192. + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384. */ -#define FORKAE_PAEF_128_192_NONCE_SIZE 6 +#define KNOT_AEAD_192_NONCE_SIZE 24 /** - * \brief Size of the key for PAEF-ForkSkinny-128-256. + * \brief Size of the key for KNOT-AEAD-256-512. */ -#define FORKAE_PAEF_128_256_KEY_SIZE 16 +#define KNOT_AEAD_256_KEY_SIZE 32 /** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-256. + * \brief Size of the authentication tag for KNOT-AEAD-256-512. */ -#define FORKAE_PAEF_128_256_TAG_SIZE 16 +#define KNOT_AEAD_256_TAG_SIZE 32 /** - * \brief Size of the nonce for PAEF-ForkSkinny-128-256. + * \brief Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384. 
*/ -#define FORKAE_PAEF_128_256_NONCE_SIZE 14 +#define KNOT_AEAD_256_NONCE_SIZE 32 /** - * \brief Size of the key for PAEF-ForkSkinny-128-288. + * \brief Size of the hash for KNOT-HASH-256-256 and KNOT-HASH-256-384. */ -#define FORKAE_PAEF_128_288_KEY_SIZE 16 +#define KNOT_HASH_256_SIZE 32 /** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-288. + * \brief Size of the hash for KNOT-HASH-384-384. */ -#define FORKAE_PAEF_128_288_TAG_SIZE 16 +#define KNOT_HASH_384_SIZE 48 /** - * \brief Size of the nonce for PAEF-ForkSkinny-128-288. + * \brief Size of the hash for KNOT-HASH-512-512. */ -#define FORKAE_PAEF_128_288_NONCE_SIZE 13 +#define KNOT_HASH_512_SIZE 64 /** - * \brief Size of the key for SAEF-ForkSkinny-128-192. + * \brief Meta-information block for the KNOT-AEAD-128-256 cipher. */ -#define FORKAE_SAEF_128_192_KEY_SIZE 16 +extern aead_cipher_t const knot_aead_128_256_cipher; /** - * \brief Size of the authentication tag for SAEF-ForkSkinny-128-192. + * \brief Meta-information block for the KNOT-AEAD-128-384 cipher. */ -#define FORKAE_SAEF_128_192_TAG_SIZE 16 +extern aead_cipher_t const knot_aead_128_384_cipher; /** - * \brief Size of the nonce for SAEF-ForkSkinny-128-192. + * \brief Meta-information block for the KNOT-AEAD-192-384 cipher. */ -#define FORKAE_SAEF_128_192_NONCE_SIZE 7 +extern aead_cipher_t const knot_aead_192_384_cipher; /** - * \brief Size of the key for SAEF-ForkSkinny-128-256. + * \brief Meta-information block for the KNOT-AEAD-256-512 cipher. */ -#define FORKAE_SAEF_128_256_KEY_SIZE 16 +extern aead_cipher_t const knot_aead_256_512_cipher; /** - * \brief Size of the authentication tag for SAEF-ForkSkinny-128-256. + * \brief Meta-information block for the KNOT-HASH-256-256 algorithm. */ -#define FORKAE_SAEF_128_256_TAG_SIZE 16 +extern aead_hash_algorithm_t const knot_hash_256_256_algorithm; /** - * \brief Size of the nonce for SAEF-ForkSkinny-128-256. + * \brief Meta-information block for the KNOT-HASH-256-384 algorithm. 
*/ -#define FORKAE_SAEF_128_256_NONCE_SIZE 15 +extern aead_hash_algorithm_t const knot_hash_256_384_algorithm; /** - * \brief Meta-information block for the PAEF-ForkSkinny-64-192 cipher. + * \brief Meta-information block for the KNOT-HASH-384-384 algorithm. */ -extern aead_cipher_t const forkae_paef_64_192_cipher; +extern aead_hash_algorithm_t const knot_hash_384_384_algorithm; /** - * \brief Meta-information block for the PAEF-ForkSkinny-128-192 cipher. + * \brief Meta-information block for the KNOT-HASH-512-512 algorithm. */ -extern aead_cipher_t const forkae_paef_128_192_cipher; +extern aead_hash_algorithm_t const knot_hash_512_512_algorithm; /** - * \brief Meta-information block for the PAEF-ForkSkinny-128-256 cipher. - */ -extern aead_cipher_t const forkae_paef_128_256_cipher; - -/** - * \brief Meta-information block for the PAEF-ForkSkinny-128-288 cipher. - */ -extern aead_cipher_t const forkae_paef_128_288_cipher; - -/** - * \brief Meta-information block for the SAEF-ForkSkinny-128-192 cipher. - */ -extern aead_cipher_t const forkae_saef_128_192_cipher; - -/** - * \brief Meta-information block for the SAEF-ForkSkinny-128-256 cipher. - */ -extern aead_cipher_t const forkae_saef_128_256_cipher; - -/** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-256. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. + * the ciphertext and the 16 byte authentication tag. * \param m Buffer that contains the plaintext message to encrypt. * \param mlen Length of the plaintext message in bytes. * \param ad Buffer that contains associated data to authenticate 
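Review bot: The comments on `KNOT_AEAD_192_NONCE_SIZE` and `KNOT_AEAD_256_NONCE_SIZE` name the wrong algorithms: the first reads "Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-192-384" and the second "Size of the nonce for KNOT-AEAD-128-256 and KNOT-AEAD-128-384", although both 128-bit-key variants already have their own `KNOT_AEAD_128_NONCE_SIZE 16` and the values 24 and 32 correspond to the 192- and 256-bit members listed in the file header. They should read `\brief Size of the nonce for KNOT-AEAD-192-384.` and `\brief Size of the nonce for KNOT-AEAD-256-512.`. These macros are what callers use to size the `npub` buffer, so a mislabelled constant can steer someone to the wrong nonce length for the 192- and 256-bit variants.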
@@ -203,15 +172,15 @@ extern aead_cipher_t const forkae_saef_128_256_cipher; * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_paef_64_192_aead_decrypt() + * \sa knot_aead_128_256_decrypt() */ -int forkae_paef_64_192_aead_encrypt +int knot_aead_128_256_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -220,7 +189,7 @@ int forkae_paef_64_192_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-256. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. 
@@ -228,20 +197,20 @@ int forkae_paef_64_192_aead_encrypt * \param c Buffer that contains the ciphertext and authentication * tag to decrypt. * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. + * ciphertext and the 16 byte authentication tag. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_paef_64_192_aead_encrypt() + * \sa knot_aead_128_256_encrypt() */ -int forkae_paef_64_192_aead_decrypt +int knot_aead_128_256_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -250,7 +219,7 @@ int forkae_paef_64_192_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * \brief Encrypts and authenticates a packet with KNOT-AEAD-128-384. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes 
@@ -262,15 +231,15 @@ int forkae_paef_64_192_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_paef_128_192_aead_decrypt() + * \sa knot_aead_128_384_decrypt() */ -int forkae_paef_128_192_aead_encrypt +int knot_aead_128_384_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -279,7 +248,7 @@ int forkae_paef_128_192_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * \brief Decrypts and authenticates a packet with KNOT-AEAD-128-384. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -292,15 +261,15 @@ int forkae_paef_128_192_aead_encrypt * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_paef_128_192_aead_encrypt() + * \sa knot_aead_128_384_encrypt() */ -int forkae_paef_128_192_aead_decrypt +int knot_aead_128_384_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, 
@@ -308,8 +277,9 @@ int forkae_paef_128_192_aead_decrypt const unsigned char *npub, const unsigned char *k); + /** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * \brief Encrypts and authenticates a packet with KNOT-AEAD-192-384. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes @@ -321,15 +291,15 @@ int forkae_paef_128_192_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 14 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_paef_128_256_aead_decrypt() + * \sa knot_aead_192_384_decrypt() */ -int forkae_paef_128_256_aead_encrypt +int knot_aead_192_384_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -338,7 +308,7 @@ int forkae_paef_128_256_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * \brief Decrypts and authenticates a packet with KNOT-AEAD-192-384. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. 
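Review bot: The sizes documented for KNOT-AEAD-192-384 in hunk `@@ -321,15 +291,15 @@` look wrong: the new side says the nonce must `be 16 bytes in length.` and the unchanged context line still says `Points to the 16 bytes of the key`, but a 192-bit KNOT-AEAD variant takes a 24-byte key, nonce and tag, so callers sized from this comment would pass a short nonce and key. The same problem appears in `@@ -351,15 +321,15 @@` for the 192-384 decrypt side and, with 32 bytes being the expected value, in `@@ -380,15 +350,15 @@` and `@@ -410,15 +380,15 @@` for KNOT-AEAD-256-512; the tag-length sentence of those decrypt docs lies outside the hunks and should be checked as well. Suggest `be 24 bytes in length.` and `Points to the 24 bytes of the key` for the 192 variant and `32` for the 256 variant, or reference the header's size constants if it defines them (not visible here). The additional blank line introduced before `/**` in `@@ -308,8 +277,9 @@` looks unintended.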
@@ -351,15 +321,15 @@ int forkae_paef_128_256_aead_encrypt * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 14 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_paef_128_256_aead_encrypt() + * \sa knot_aead_192_384_encrypt() */ -int forkae_paef_128_256_aead_decrypt +int knot_aead_192_384_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -368,7 +338,7 @@ int forkae_paef_128_256_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * \brief Encrypts and authenticates a packet with KNOT-AEAD-256-512. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes @@ -380,15 +350,15 @@ int forkae_paef_128_256_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 13 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_paef_128_288_aead_decrypt() + * \sa knot_aead_256_512_decrypt() */ -int forkae_paef_128_288_aead_encrypt +int knot_aead_256_512_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, 
@@ -397,7 +367,7 @@ int forkae_paef_128_288_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * \brief Decrypts and authenticates a packet with KNOT-AEAD-256-512. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -410,15 +380,15 @@ int forkae_paef_128_288_aead_encrypt * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 13 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_paef_128_288_aead_encrypt() + * \sa knot_aead_256_512_encrypt() */ -int forkae_paef_128_288_aead_decrypt +int knot_aead_256_512_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, 
@@ -427,122 +397,60 @@ int forkae_paef_128_288_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-192. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 7 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. + * \brief Hashes a block of input data with KNOT-HASH-256-256. * - * \return 0 on success, or a negative value if there was an error in - * the parameters. + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_256_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. * - * \sa forkae_saef_128_192_aead_decrypt() + * \return Returns zero on success or -1 if there was an error in the + * parameters. */ -int forkae_saef_128_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); +int knot_hash_256_256 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); /** - * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-192. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. 
- * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 7 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. + * \brief Hashes a block of input data with KNOT-HASH-256-384. * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_256_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. * - * \sa forkae_saef_128_192_aead_encrypt() + * \return Returns zero on success or -1 if there was an error in the + * parameters. */ -int forkae_saef_128_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); +int knot_hash_256_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); /** - * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * \brief Hashes a block of input data with KNOT-HASH-384-384. * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. 
- * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_384_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. * - * \sa forkae_saef_128_256_aead_decrypt() + * \return Returns zero on success or -1 if there was an error in the + * parameters. */ -int forkae_saef_128_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); +int knot_hash_384_384 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); /** - * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * \brief Hashes a block of input data with KNOT-HASH-512-512. * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. + * \param out Buffer to receive the hash output which must be at least + * KNOT_HASH_512_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. * - * \sa forkae_saef_128_256_aead_encrypt() + * \return Returns zero on success or -1 if there was an error in the + * parameters. */ -int forkae_saef_128_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); +int knot_hash_512_512 + (unsigned char *out, const unsigned char *in, unsigned long long inlen); #ifdef __cplusplus } diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/aead-common.c b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/aead-common.h b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/api.h b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/api.h
deleted file mode 100644
index 4bf8f5c..0000000
--- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 8
-#define CRYPTO_NOOVERLAP 1
diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/encrypt.c b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/encrypt.c
deleted file mode 100644
index 1573370..0000000
--- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "lotus-locus.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return locus_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return locus_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/internal-gift64-avr.S b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/internal-gift64-avr.S
deleted file mode 100644
index fdb668d..0000000
--- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/internal-gift64-avr.S
+++ /dev/null
@@ -1,6047 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global gift64n_init - .type gift64n_init, @function -gift64n_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - std Z+12,r18 - std Z+13,r19 - std Z+14,r20 - std Z+15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - std Z+8,r18 - std Z+9,r19 - std Z+10,r20 - std Z+11,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - std Z+4,r18 - std Z+5,r19 - std Z+6,r20 - std Z+7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - ret - .size gift64n_init, .-gift64n_init - - .text -.global gift64n_encrypt - .type gift64n_encrypt, @function -gift64n_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 28 - ld r6,Z - ldd r7,Z+1 - ldd r8,Z+2 - ldd r9,Z+3 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Z+4 - ldd r7,Z+5 - ldd r8,Z+6 - ldd r9,Z+7 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Z+8 - ldd r7,Z+9 - ldd r8,Z+10 - ldd r9,Z+11 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Z+12 - ldd r7,Z+13 - ldd r8,Z+14 - ldd r9,Z+15 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r20,0 - bst r18,1 - bld r22,0 - bst r18,2 - bld r2,0 - bst r18,3 - bld r4,0 - bst r18,4 - bld r20,1 - bst r18,5 - bld r22,1 - bst r18,6 - bld r2,1 - bst r18,7 - bld r4,1 - bst r19,0 - bld r20,2 - bst r19,1 - bld r22,2 - bst r19,2 - bld r2,2 - bst r19,3 - bld r4,2 - bst r19,4 - bld r20,3 - bst r19,5 - bld r22,3 - bst r19,6 - bld r2,3 - bst r19,7 - bld r4,3 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r20,4 - bst r18,1 - bld r22,4 - bst r18,2 - bld r2,4 - bst r18,3 - bld r4,4 - bst r18,4 - bld r20,5 - bst r18,5 - bld r22,5 - bst 
r18,6 - bld r2,5 - bst r18,7 - bld r4,5 - bst r19,0 - bld r20,6 - bst r19,1 - bld r22,6 - bst r19,2 - bld r2,6 - bst r19,3 - bld r4,6 - bst r19,4 - bld r20,7 - bst r19,5 - bld r22,7 - bst r19,6 - bld r2,7 - bst r19,7 - bld r4,7 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r21,0 - bst r18,1 - bld r23,0 - bst r18,2 - bld r3,0 - bst r18,3 - bld r5,0 - bst r18,4 - bld r21,1 - bst r18,5 - bld r23,1 - bst r18,6 - bld r3,1 - bst r18,7 - bld r5,1 - bst r19,0 - bld r21,2 - bst r19,1 - bld r23,2 - bst r19,2 - bld r3,2 - bst r19,3 - bld r5,2 - bst r19,4 - bld r21,3 - bst r19,5 - bld r23,3 - bst r19,6 - bld r3,3 - bst r19,7 - bld r5,3 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r21,4 - bst r18,1 - bld r23,4 - bst r18,2 - bld r3,4 - bst r18,3 - bld r5,4 - bst r18,4 - bld r21,5 - bst r18,5 - bld r23,5 - bst r18,6 - bld r3,5 - bst r18,7 - bld r5,5 - bst r19,0 - bld r21,6 - bst r19,1 - bld r23,6 - bst r19,2 - bld r3,6 - bst r19,3 - bld r5,6 - bst r19,4 - bld r21,7 - bst r19,5 - bld r23,7 - bst r19,6 - bld r3,7 - bst r19,7 - bld r5,7 - rcall 1061f - ldi r18,1 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,3 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,7 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - 
lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,15 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - rcall 1061f - ldi r18,31 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,62 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,61 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,59 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - 
rcall 1061f - ldi r18,55 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,47 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,30 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,60 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - rcall 1061f - ldi r18,57 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,51 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - 
rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,39 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,14 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - rcall 1061f - ldi r18,29 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,58 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,53 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - 
std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,43 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - rcall 1061f - ldi r18,22 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,44 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,24 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,48 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - rcall 1061f - ldi r18,33 - ldi r19,128 - eor 
r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,2 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,5 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,11 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rjmp 1252f -1061: - mov r0,r20 - and r0,r2 - eor r22,r0 - mov r0,r21 - and r0,r3 - eor r23,r0 - mov r0,r22 - and r0,r4 - eor r20,r0 - mov r0,r23 - and r0,r5 - eor r21,r0 - mov r0,r20 - or r0,r22 - eor r2,r0 - mov r0,r21 - or r0,r23 - eor r3,r0 - eor r4,r2 - eor r5,r3 - eor r22,r4 - eor r23,r5 - com r4 - com r5 - movw r18,r20 - mov r0,r22 - and r0,r18 - eor r2,r0 - mov r0,r23 - and r0,r19 - eor r3,r0 - movw r20,r4 - movw r4,r18 - bst r20,1 - bld r0,0 - bst r20,4 - bld r20,1 - bst r20,3 - bld r20,4 - bst r21,4 - bld r20,3 - bst r0,0 - bld r21,4 - bst r20,2 - bld r0,0 - bst r21,0 - bld r20,2 - bst r0,0 - bld r21,0 - bst r20,5 - bld r0,0 - bst r20,7 - bld r20,5 - bst r21,7 - bld r20,7 - bst r21,5 - bld r21,7 - bst r0,0 - bld r21,5 - bst r20,6 - bld r0,0 - bst r21,3 - bld r20,6 - bst r21,6 - bld r21,3 - bst r21,1 - bld r21,6 - bst r0,0 - bld r21,1 - bst 
r22,0 - bld r0,0 - bst r22,1 - bld r22,0 - bst r22,5 - bld r22,1 - bst r22,4 - bld r22,5 - bst r0,0 - bld r22,4 - bst r22,2 - bld r0,0 - bst r23,1 - bld r22,2 - bst r22,7 - bld r23,1 - bst r23,4 - bld r22,7 - bst r0,0 - bld r23,4 - bst r22,3 - bld r0,0 - bst r23,5 - bld r22,3 - bst r22,6 - bld r23,5 - bst r23,0 - bld r22,6 - bst r0,0 - bld r23,0 - bst r23,2 - bld r0,0 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r23,6 - bld r23,7 - bst r0,0 - bld r23,6 - bst r2,0 - bld r0,0 - bst r2,2 - bld r2,0 - bst r3,2 - bld r2,2 - bst r3,0 - bld r3,2 - bst r0,0 - bld r3,0 - bst r2,1 - bld r0,0 - bst r2,6 - bld r2,1 - bst r3,1 - bld r2,6 - bst r2,4 - bld r3,1 - bst r0,0 - bld r2,4 - bst r2,3 - bld r0,0 - bst r3,6 - bld r2,3 - bst r3,3 - bld r3,6 - bst r3,4 - bld r3,3 - bst r0,0 - bld r3,4 - bst r2,7 - bld r0,0 - bst r3,5 - bld r2,7 - bst r0,0 - bld r3,5 - bst r4,0 - bld r0,0 - bst r4,3 - bld r4,0 - bst r5,7 - bld r4,3 - bst r5,4 - bld r5,7 - bst r0,0 - bld r5,4 - bst r4,1 - bld r0,0 - bst r4,7 - bld r4,1 - bst r5,6 - bld r4,7 - bst r5,0 - bld r5,6 - bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,3 - bld r4,2 - bst r5,5 - bld r5,3 - bst r4,4 - bld r5,5 - bst r0,0 - bld r4,4 - bst r4,5 - bld r0,0 - bst r4,6 - bld r4,5 - bst r5,2 - bld r4,6 - bst r5,1 - bld r5,2 - bst r0,0 - bld r5,1 - eor r20,r6 - eor r21,r7 - eor r22,r8 - eor r23,r9 - ret -1252: - ldd r26,Y+17 - ldd r27,Y+18 - bst r20,0 - bld r18,0 - bst r22,0 - bld r18,1 - bst r2,0 - bld r18,2 - bst r4,0 - bld r18,3 - bst r20,1 - bld r18,4 - bst r22,1 - bld r18,5 - bst r2,1 - bld r18,6 - bst r4,1 - bld r18,7 - bst r20,2 - bld r19,0 - bst r22,2 - bld r19,1 - bst r2,2 - bld r19,2 - bst r4,2 - bld r19,3 - bst r20,3 - bld r19,4 - bst r22,3 - bld r19,5 - bst r2,3 - bld r19,6 - bst r4,3 - bld r19,7 - st X+,r18 - st X+,r19 - bst r20,4 - bld r18,0 - bst r22,4 - bld r18,1 - bst r2,4 - bld r18,2 - bst r4,4 - bld r18,3 - bst r20,5 - bld r18,4 - bst r22,5 - bld r18,5 - bst r2,5 - bld r18,6 - bst r4,5 - bld r18,7 - bst r20,6 - 
bld r19,0 - bst r22,6 - bld r19,1 - bst r2,6 - bld r19,2 - bst r4,6 - bld r19,3 - bst r20,7 - bld r19,4 - bst r22,7 - bld r19,5 - bst r2,7 - bld r19,6 - bst r4,7 - bld r19,7 - st X+,r18 - st X+,r19 - bst r21,0 - bld r18,0 - bst r23,0 - bld r18,1 - bst r3,0 - bld r18,2 - bst r5,0 - bld r18,3 - bst r21,1 - bld r18,4 - bst r23,1 - bld r18,5 - bst r3,1 - bld r18,6 - bst r5,1 - bld r18,7 - bst r21,2 - bld r19,0 - bst r23,2 - bld r19,1 - bst r3,2 - bld r19,2 - bst r5,2 - bld r19,3 - bst r21,3 - bld r19,4 - bst r23,3 - bld r19,5 - bst r3,3 - bld r19,6 - bst r5,3 - bld r19,7 - st X+,r18 - st X+,r19 - bst r21,4 - bld r18,0 - bst r23,4 - bld r18,1 - bst r3,4 - bld r18,2 - bst r5,4 - bld r18,3 - bst r21,5 - bld r18,4 - bst r23,5 - bld r18,5 - bst r3,5 - bld r18,6 - bst r5,5 - bld r18,7 - bst r21,6 - bld r19,0 - bst r23,6 - bld r19,1 - bst r3,6 - bld r19,2 - bst r5,6 - bld r19,3 - bst r21,7 - bld r19,4 - bst r23,7 - bld r19,5 - bst r3,7 - bld r19,6 - bst r5,7 - bld r19,7 - st X+,r18 - st X+,r19 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift64n_encrypt, .-gift64n_encrypt - - .text -.global gift64n_decrypt - .type gift64n_decrypt, @function -gift64n_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 28 - ld r6,Z - ldd r7,Z+1 - ldd r8,Z+2 - ldd r9,Z+3 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Z+4 - ldd r7,Z+5 - ldd r8,Z+6 - ldd r9,Z+7 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r6 
- rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Z+8 - ldd r7,Z+9 - ldd r8,Z+10 - ldd r9,Z+11 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Z+12 - ldd r7,Z+13 - ldd r8,Z+14 - ldd r9,Z+15 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r20,0 - bst r18,1 - bld r22,0 - bst r18,2 - bld r2,0 - bst r18,3 - bld r4,0 - bst r18,4 - bld r20,1 - bst r18,5 - bld r22,1 - bst r18,6 - bld r2,1 - bst r18,7 - bld r4,1 - bst r19,0 - bld r20,2 - bst r19,1 - bld r22,2 - bst r19,2 - bld r2,2 - bst r19,3 - bld r4,2 - bst r19,4 - bld r20,3 - bst r19,5 - bld r22,3 - bst r19,6 - bld r2,3 - bst r19,7 - bld r4,3 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r20,4 - bst r18,1 - bld r22,4 - bst r18,2 - bld r2,4 - bst r18,3 - bld r4,4 - bst r18,4 - bld r20,5 - bst r18,5 - bld r22,5 - bst r18,6 - bld r2,5 - bst r18,7 - bld r4,5 - bst r19,0 - bld r20,6 - bst r19,1 - bld r22,6 - bst r19,2 - bld r2,6 - bst r19,3 - bld r4,6 - bst r19,4 - bld r20,7 - bst r19,5 - bld r22,7 - bst r19,6 - bld r2,7 - bst r19,7 - bld r4,7 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r21,0 - bst r18,1 - bld r23,0 - bst r18,2 - bld r3,0 - bst r18,3 - bld r5,0 - bst r18,4 - bld r21,1 - bst r18,5 - bld r23,1 - bst r18,6 - bld r3,1 - bst r18,7 - bld r5,1 - bst r19,0 - bld r21,2 - bst r19,1 - bld r23,2 - bst r19,2 - bld r3,2 - bst r19,3 - bld r5,2 - bst r19,4 - bld r21,3 - bst r19,5 - bld r23,3 - bst r19,6 - bld r3,3 - 
bst r19,7 - bld r5,3 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r21,4 - bst r18,1 - bld r23,4 - bst r18,2 - bld r3,4 - bst r18,3 - bld r5,4 - bst r18,4 - bld r21,5 - bst r18,5 - bld r23,5 - bst r18,6 - bld r3,5 - bst r18,7 - bld r5,5 - bst r19,0 - bld r21,6 - bst r19,1 - bld r23,6 - bst r19,2 - bld r3,6 - bst r19,3 - bld r5,6 - bst r19,4 - bld r21,7 - bst r19,5 - bld r23,7 - bst r19,6 - bld r3,7 - bst r19,7 - bld r5,7 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,11 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,5 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,2 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,33 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov 
r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,48 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,24 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,44 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,22 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,43 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - 
adc r8,r1 - ldi r18,53 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,58 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,29 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,14 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,39 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,51 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd 
r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,57 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,60 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,30 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,47 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,55 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 
- adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,59 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,61 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,62 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,31 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,15 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,7 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - 
ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,3 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,1 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - rjmp 1362f -1173: - eor r20,r6 - eor r21,r7 - eor r22,r8 - eor r23,r9 - bst r20,1 - bld r0,0 - bst r21,4 - bld r20,1 - bst r20,3 - bld r21,4 - bst r20,4 - bld r20,3 - bst r0,0 - bld r20,4 - bst r20,2 - bld r0,0 - bst r21,0 - bld r20,2 - bst r0,0 - bld r21,0 - bst r20,5 - bld r0,0 - bst r21,5 - bld r20,5 - bst r21,7 - bld r21,5 - bst r20,7 - bld r21,7 - bst r0,0 - bld r20,7 - bst r20,6 - bld r0,0 - bst r21,1 - bld r20,6 - bst r21,6 - bld r21,1 - bst r21,3 - bld r21,6 - bst r0,0 - bld r21,3 - bst r22,0 - bld r0,0 - bst r22,4 - bld r22,0 - bst r22,5 - bld r22,4 - bst r22,1 - bld r22,5 - bst r0,0 - bld r22,1 - bst r22,2 - bld r0,0 - bst r23,4 - bld r22,2 - bst r22,7 - bld r23,4 - bst r23,1 - bld r22,7 - bst r0,0 - bld r23,1 - bst r22,3 - bld r0,0 - bst r23,0 - bld r22,3 - bst r22,6 - bld r23,0 - bst r23,5 - bld r22,6 - bst r0,0 - bld r23,5 - bst r23,2 - bld r0,0 - bst r23,6 - bld r23,2 - bst r23,7 - bld r23,6 - bst r23,3 - bld r23,7 - bst r0,0 - bld r23,3 - bst r2,0 - bld r0,0 - bst r3,0 - bld r2,0 - bst r3,2 - bld r3,0 - bst r2,2 - bld r3,2 - bst r0,0 - bld r2,2 - bst r2,1 - bld r0,0 - bst r2,4 - bld r2,1 - bst r3,1 - bld r2,4 - bst r2,6 - bld r3,1 - bst r0,0 - bld r2,6 - bst r2,3 - bld r0,0 - bst r3,4 - bld r2,3 - bst r3,3 - bld r3,4 - bst r3,6 - bld r3,3 - bst r0,0 - bld r3,6 - bst r2,7 - bld r0,0 - bst r3,5 - 
bld r2,7 - bst r0,0 - bld r3,5 - bst r4,0 - bld r0,0 - bst r5,4 - bld r4,0 - bst r5,7 - bld r5,4 - bst r4,3 - bld r5,7 - bst r0,0 - bld r4,3 - bst r4,1 - bld r0,0 - bst r5,0 - bld r4,1 - bst r5,6 - bld r5,0 - bst r4,7 - bld r5,6 - bst r0,0 - bld r4,7 - bst r4,2 - bld r0,0 - bst r4,4 - bld r4,2 - bst r5,5 - bld r4,4 - bst r5,3 - bld r5,5 - bst r0,0 - bld r5,3 - bst r4,5 - bld r0,0 - bst r5,1 - bld r4,5 - bst r5,2 - bld r5,1 - bst r4,6 - bld r5,2 - bst r0,0 - bld r4,6 - movw r18,r4 - movw r4,r20 - movw r20,r18 - and r18,r22 - and r19,r23 - eor r2,r18 - eor r3,r19 - com r4 - com r5 - eor r22,r4 - eor r23,r5 - eor r4,r2 - eor r5,r3 - mov r0,r20 - or r0,r22 - eor r2,r0 - mov r0,r21 - or r0,r23 - eor r3,r0 - mov r0,r22 - and r0,r4 - eor r20,r0 - mov r0,r23 - and r0,r5 - eor r21,r0 - mov r0,r20 - and r0,r2 - eor r22,r0 - mov r0,r21 - and r0,r3 - eor r23,r0 - ret -1362: - ldd r26,Y+17 - ldd r27,Y+18 - bst r20,0 - bld r18,0 - bst r22,0 - bld r18,1 - bst r2,0 - bld r18,2 - bst r4,0 - bld r18,3 - bst r20,1 - bld r18,4 - bst r22,1 - bld r18,5 - bst r2,1 - bld r18,6 - bst r4,1 - bld r18,7 - bst r20,2 - bld r19,0 - bst r22,2 - bld r19,1 - bst r2,2 - bld r19,2 - bst r4,2 - bld r19,3 - bst r20,3 - bld r19,4 - bst r22,3 - bld r19,5 - bst r2,3 - bld r19,6 - bst r4,3 - bld r19,7 - st X+,r18 - st X+,r19 - bst r20,4 - bld r18,0 - bst r22,4 - bld r18,1 - bst r2,4 - bld r18,2 - bst r4,4 - bld r18,3 - bst r20,5 - bld r18,4 - bst r22,5 - bld r18,5 - bst r2,5 - bld r18,6 - bst r4,5 - bld r18,7 - bst r20,6 - bld r19,0 - bst r22,6 - bld r19,1 - bst r2,6 - bld r19,2 - bst r4,6 - bld r19,3 - bst r20,7 - bld r19,4 - bst r22,7 - bld r19,5 - bst r2,7 - bld r19,6 - bst r4,7 - bld r19,7 - st X+,r18 - st X+,r19 - bst r21,0 - bld r18,0 - bst r23,0 - bld r18,1 - bst r3,0 - bld r18,2 - bst r5,0 - bld r18,3 - bst r21,1 - bld r18,4 - bst r23,1 - bld r18,5 - bst r3,1 - bld r18,6 - bst r5,1 - bld r18,7 - bst r21,2 - bld r19,0 - bst r23,2 - bld r19,1 - bst r3,2 - bld r19,2 - bst r5,2 - bld r19,3 - bst r21,3 
- bld r19,4 - bst r23,3 - bld r19,5 - bst r3,3 - bld r19,6 - bst r5,3 - bld r19,7 - st X+,r18 - st X+,r19 - bst r21,4 - bld r18,0 - bst r23,4 - bld r18,1 - bst r3,4 - bld r18,2 - bst r5,4 - bld r18,3 - bst r21,5 - bld r18,4 - bst r23,5 - bld r18,5 - bst r3,5 - bld r18,6 - bst r5,5 - bld r18,7 - bst r21,6 - bld r19,0 - bst r23,6 - bld r19,1 - bst r3,6 - bld r19,2 - bst r5,6 - bld r19,3 - bst r21,7 - bld r19,4 - bst r23,7 - bld r19,5 - bst r3,7 - bld r19,6 - bst r5,7 - bld r19,7 - st X+,r18 - st X+,r19 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift64n_decrypt, .-gift64n_decrypt - - .text -.global gift64t_encrypt - .type gift64t_encrypt, @function -gift64t_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 30 - ld r8,Z - ldd r9,Z+1 - ldd r10,Z+2 - ldd r11,Z+3 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Z+4 - ldd r9,Z+5 - ldd r10,Z+6 - ldd r11,Z+7 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r22,0 - bst r20,1 - bld r2,0 - bst r20,2 - bld r4,0 - bst r20,3 - bld r6,0 - bst r20,4 - bld r22,1 - bst r20,5 - bld r2,1 - bst r20,6 - bld r4,1 - bst r20,7 - bld r6,1 - bst r21,0 - bld r22,2 - bst r21,1 - bld r2,2 - bst r21,2 - bld r4,2 - bst r21,3 - bld r6,2 - bst r21,4 - bld r22,3 - bst r21,5 - bld r2,3 - bst r21,6 - bld r4,3 - bst r21,7 - bld r6,3 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r22,4 - bst r20,1 - bld r2,4 - bst r20,2 - bld r4,4 - bst 
r20,3 - bld r6,4 - bst r20,4 - bld r22,5 - bst r20,5 - bld r2,5 - bst r20,6 - bld r4,5 - bst r20,7 - bld r6,5 - bst r21,0 - bld r22,6 - bst r21,1 - bld r2,6 - bst r21,2 - bld r4,6 - bst r21,3 - bld r6,6 - bst r21,4 - bld r22,7 - bst r21,5 - bld r2,7 - bst r21,6 - bld r4,7 - bst r21,7 - bld r6,7 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r23,0 - bst r20,1 - bld r3,0 - bst r20,2 - bld r5,0 - bst r20,3 - bld r7,0 - bst r20,4 - bld r23,1 - bst r20,5 - bld r3,1 - bst r20,6 - bld r5,1 - bst r20,7 - bld r7,1 - bst r21,0 - bld r23,2 - bst r21,1 - bld r3,2 - bst r21,2 - bld r5,2 - bst r21,3 - bld r7,2 - bst r21,4 - bld r23,3 - bst r21,5 - bld r3,3 - bst r21,6 - bld r5,3 - bst r21,7 - bld r7,3 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r23,4 - bst r20,1 - bld r3,4 - bst r20,2 - bld r5,4 - bst r20,3 - bld r7,4 - bst r20,4 - bld r23,5 - bst r20,5 - bld r3,5 - bst r20,6 - bld r5,5 - bst r20,7 - bld r7,5 - bst r21,0 - bld r23,6 - bst r21,1 - bld r3,6 - bst r21,2 - bld r5,6 - bst r21,3 - bld r7,6 - bst r21,4 - bld r23,7 - bst r21,5 - bld r3,7 - bst r21,6 - bld r5,7 - bst r21,7 - bld r7,7 - rcall 1073f - ldi r20,1 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,3 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,7 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc 
r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,15 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - rcall 1073f - ldi r20,31 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,62 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,61 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,59 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 
- lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - rcall 1073f - ldi r20,55 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,47 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,30 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,60 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - rcall 1073f - ldi r20,57 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 
- std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,51 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,39 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,14 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - rcall 1073f - ldi r20,29 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,58 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd 
r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,53 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,43 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - rcall 1073f - ldi r20,22 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,44 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,24 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,48 
- ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - rcall 1073f - ldi r20,33 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,2 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,5 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,11 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rjmp 1264f -1073: - mov r0,r22 - and r0,r4 - eor r2,r0 - mov r0,r23 - and r0,r5 - eor r3,r0 - mov r0,r2 - and r0,r6 - eor r22,r0 - mov r0,r3 - and r0,r7 - eor r23,r0 - mov r0,r22 - or r0,r2 - eor r4,r0 - mov r0,r23 - or r0,r3 - eor r5,r0 - eor r6,r4 - eor r7,r5 - eor r2,r6 - eor r3,r7 - com r6 - com r7 - movw r20,r22 - mov r0,r2 - and r0,r20 - eor r4,r0 - mov r0,r3 - and r0,r21 - eor r5,r0 - movw r22,r6 - 
movw r6,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r22,3 - bld r22,4 - bst r23,4 - bld r22,3 - bst r0,0 - bld r23,4 - bst r22,2 - bld r0,0 - bst r23,0 - bld r22,2 - bst r0,0 - bld r23,0 - bst r22,5 - bld r0,0 - bst r22,7 - bld r22,5 - bst r23,7 - bld r22,7 - bst r23,5 - bld r23,7 - bst r0,0 - bld r23,5 - bst r22,6 - bld r0,0 - bst r23,3 - bld r22,6 - bst r23,6 - bld r23,3 - bst r23,1 - bld r23,6 - bst r0,0 - bld r23,1 - bst r2,0 - bld r0,0 - bst r2,1 - bld r2,0 - bst r2,5 - bld r2,1 - bst r2,4 - bld r2,5 - bst r0,0 - bld r2,4 - bst r2,2 - bld r0,0 - bst r3,1 - bld r2,2 - bst r2,7 - bld r3,1 - bst r3,4 - bld r2,7 - bst r0,0 - bld r3,4 - bst r2,3 - bld r0,0 - bst r3,5 - bld r2,3 - bst r2,6 - bld r3,5 - bst r3,0 - bld r2,6 - bst r0,0 - bld r3,0 - bst r3,2 - bld r0,0 - bst r3,3 - bld r3,2 - bst r3,7 - bld r3,3 - bst r3,6 - bld r3,7 - bst r0,0 - bld r3,6 - bst r4,0 - bld r0,0 - bst r4,2 - bld r4,0 - bst r5,2 - bld r4,2 - bst r5,0 - bld r5,2 - bst r0,0 - bld r5,0 - bst r4,1 - bld r0,0 - bst r4,6 - bld r4,1 - bst r5,1 - bld r4,6 - bst r4,4 - bld r5,1 - bst r0,0 - bld r4,4 - bst r4,3 - bld r0,0 - bst r5,6 - bld r4,3 - bst r5,3 - bld r5,6 - bst r5,4 - bld r5,3 - bst r0,0 - bld r5,4 - bst r4,7 - bld r0,0 - bst r5,5 - bld r4,7 - bst r0,0 - bld r5,5 - bst r6,0 - bld r0,0 - bst r6,3 - bld r6,0 - bst r7,7 - bld r6,3 - bst r7,4 - bld r7,7 - bst r0,0 - bld r7,4 - bst r6,1 - bld r0,0 - bst r6,7 - bld r6,1 - bst r7,6 - bld r6,7 - bst r7,0 - bld r7,6 - bst r0,0 - bld r7,0 - bst r6,2 - bld r0,0 - bst r7,3 - bld r6,2 - bst r7,5 - bld r7,3 - bst r6,4 - bld r7,5 - bst r0,0 - bld r6,4 - bst r6,5 - bld r0,0 - bst r6,6 - bld r6,5 - bst r7,2 - bld r6,6 - bst r7,1 - bld r7,2 - bst r0,0 - bld r7,1 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - ret -1264: - ldd r26,Y+17 - ldd r27,Y+18 - bst r22,0 - bld r20,0 - bst r2,0 - bld r20,1 - bst r4,0 - bld r20,2 - bst r6,0 - bld r20,3 - bst r22,1 - bld r20,4 - bst r2,1 - bld r20,5 - bst r4,1 - bld r20,6 - bst r6,1 - bld r20,7 - bst 
r22,2 - bld r21,0 - bst r2,2 - bld r21,1 - bst r4,2 - bld r21,2 - bst r6,2 - bld r21,3 - bst r22,3 - bld r21,4 - bst r2,3 - bld r21,5 - bst r4,3 - bld r21,6 - bst r6,3 - bld r21,7 - st X+,r20 - st X+,r21 - bst r22,4 - bld r20,0 - bst r2,4 - bld r20,1 - bst r4,4 - bld r20,2 - bst r6,4 - bld r20,3 - bst r22,5 - bld r20,4 - bst r2,5 - bld r20,5 - bst r4,5 - bld r20,6 - bst r6,5 - bld r20,7 - bst r22,6 - bld r21,0 - bst r2,6 - bld r21,1 - bst r4,6 - bld r21,2 - bst r6,6 - bld r21,3 - bst r22,7 - bld r21,4 - bst r2,7 - bld r21,5 - bst r4,7 - bld r21,6 - bst r6,7 - bld r21,7 - st X+,r20 - st X+,r21 - bst r23,0 - bld r20,0 - bst r3,0 - bld r20,1 - bst r5,0 - bld r20,2 - bst r7,0 - bld r20,3 - bst r23,1 - bld r20,4 - bst r3,1 - bld r20,5 - bst r5,1 - bld r20,6 - bst r7,1 - bld r20,7 - bst r23,2 - bld r21,0 - bst r3,2 - bld r21,1 - bst r5,2 - bld r21,2 - bst r7,2 - bld r21,3 - bst r23,3 - bld r21,4 - bst r3,3 - bld r21,5 - bst r5,3 - bld r21,6 - bst r7,3 - bld r21,7 - st X+,r20 - st X+,r21 - bst r23,4 - bld r20,0 - bst r3,4 - bld r20,1 - bst r5,4 - bld r20,2 - bst r7,4 - bld r20,3 - bst r23,5 - bld r20,4 - bst r3,5 - bld r20,5 - bst r5,5 - bld r20,6 - bst r7,5 - bld r20,7 - bst r23,6 - bld r21,0 - bst r3,6 - bld r21,1 - bst r5,6 - bld r21,2 - bst r7,6 - bld r21,3 - bst r23,7 - bld r21,4 - bst r3,7 - bld r21,5 - bst r5,7 - bld r21,6 - bst r7,7 - bld r21,7 - st X+,r20 - st X+,r21 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift64t_encrypt, .-gift64t_encrypt - - .text -.global gift64t_decrypt - .type gift64t_decrypt, @function -gift64t_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 
-.L__stack_usage = 30 - ld r8,Z - ldd r9,Z+1 - ldd r10,Z+2 - ldd r11,Z+3 - mov r0,r9 - mov r9,r8 - mov r8,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Z+4 - ldd r9,Z+5 - ldd r10,Z+6 - ldd r11,Z+7 - mov r0,r9 - mov r9,r8 - mov r8,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - mov r0,r9 - mov r9,r8 - mov r8,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - mov r0,r9 - mov r9,r8 - mov r8,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r22,0 - bst r20,1 - bld r2,0 - bst r20,2 - bld r4,0 - bst r20,3 - bld r6,0 - bst r20,4 - bld r22,1 - bst r20,5 - bld r2,1 - bst r20,6 - bld r4,1 - bst r20,7 - bld r6,1 - bst r21,0 - bld r22,2 - bst r21,1 - bld r2,2 - bst r21,2 - bld r4,2 - bst r21,3 - bld r6,2 - bst r21,4 - bld r22,3 - bst r21,5 - bld r2,3 - bst r21,6 - bld r4,3 - bst r21,7 - bld r6,3 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r22,4 - bst r20,1 - bld r2,4 - bst r20,2 - bld r4,4 - bst r20,3 - bld r6,4 - bst r20,4 - bld r22,5 - bst r20,5 - bld r2,5 - bst r20,6 - bld r4,5 - bst r20,7 - bld r6,5 - bst r21,0 - bld r22,6 - bst r21,1 - bld r2,6 - bst r21,2 - bld r4,6 - bst r21,3 - bld r6,6 - bst 
r21,4 - bld r22,7 - bst r21,5 - bld r2,7 - bst r21,6 - bld r4,7 - bst r21,7 - bld r6,7 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r23,0 - bst r20,1 - bld r3,0 - bst r20,2 - bld r5,0 - bst r20,3 - bld r7,0 - bst r20,4 - bld r23,1 - bst r20,5 - bld r3,1 - bst r20,6 - bld r5,1 - bst r20,7 - bld r7,1 - bst r21,0 - bld r23,2 - bst r21,1 - bld r3,2 - bst r21,2 - bld r5,2 - bst r21,3 - bld r7,2 - bst r21,4 - bld r23,3 - bst r21,5 - bld r3,3 - bst r21,6 - bld r5,3 - bst r21,7 - bld r7,3 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r23,4 - bst r20,1 - bld r3,4 - bst r20,2 - bld r5,4 - bst r20,3 - bld r7,4 - bst r20,4 - bld r23,5 - bst r20,5 - bld r3,5 - bst r20,6 - bld r5,5 - bst r20,7 - bld r7,5 - bst r21,0 - bld r23,6 - bst r21,1 - bld r3,6 - bst r21,2 - bld r5,6 - bst r21,3 - bld r7,6 - bst r21,4 - bld r23,7 - bst r21,5 - bld r3,7 - bst r21,6 - bld r5,7 - bst r21,7 - bld r7,7 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,11 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,5 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,2 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f 
- std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,33 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,48 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,24 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,44 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,22 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd 
r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,43 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,53 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,58 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,29 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,14 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - 
ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,39 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,51 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,57 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,60 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,30 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol 
r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,47 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,55 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,59 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,61 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,62 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,31 - ldi r21,128 - eor r6,r20 - 
eor r7,r21 - rcall 1185f - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,15 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,7 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,3 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,1 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - rjmp 1374f -1185: - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - bst r22,1 - bld r0,0 - bst r23,4 - bld r22,1 - bst r22,3 - bld r23,4 - bst r22,4 - bld r22,3 - bst r0,0 - bld r22,4 - bst r22,2 - bld r0,0 - bst r23,0 - bld r22,2 - bst r0,0 - bld r23,0 - bst r22,5 - bld r0,0 - bst r23,5 - bld r22,5 - bst r23,7 - bld r23,5 - bst r22,7 - bld r23,7 - bst r0,0 - bld r22,7 - bst r22,6 - bld r0,0 - bst r23,1 - bld r22,6 - bst r23,6 - bld r23,1 
- bst r23,3 - bld r23,6 - bst r0,0 - bld r23,3 - bst r2,0 - bld r0,0 - bst r2,4 - bld r2,0 - bst r2,5 - bld r2,4 - bst r2,1 - bld r2,5 - bst r0,0 - bld r2,1 - bst r2,2 - bld r0,0 - bst r3,4 - bld r2,2 - bst r2,7 - bld r3,4 - bst r3,1 - bld r2,7 - bst r0,0 - bld r3,1 - bst r2,3 - bld r0,0 - bst r3,0 - bld r2,3 - bst r2,6 - bld r3,0 - bst r3,5 - bld r2,6 - bst r0,0 - bld r3,5 - bst r3,2 - bld r0,0 - bst r3,6 - bld r3,2 - bst r3,7 - bld r3,6 - bst r3,3 - bld r3,7 - bst r0,0 - bld r3,3 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r4,2 - bld r5,2 - bst r0,0 - bld r4,2 - bst r4,1 - bld r0,0 - bst r4,4 - bld r4,1 - bst r5,1 - bld r4,4 - bst r4,6 - bld r5,1 - bst r0,0 - bld r4,6 - bst r4,3 - bld r0,0 - bst r5,4 - bld r4,3 - bst r5,3 - bld r5,4 - bst r5,6 - bld r5,3 - bst r0,0 - bld r5,6 - bst r4,7 - bld r0,0 - bst r5,5 - bld r4,7 - bst r0,0 - bld r5,5 - bst r6,0 - bld r0,0 - bst r7,4 - bld r6,0 - bst r7,7 - bld r7,4 - bst r6,3 - bld r7,7 - bst r0,0 - bld r6,3 - bst r6,1 - bld r0,0 - bst r7,0 - bld r6,1 - bst r7,6 - bld r7,0 - bst r6,7 - bld r7,6 - bst r0,0 - bld r6,7 - bst r6,2 - bld r0,0 - bst r6,4 - bld r6,2 - bst r7,5 - bld r6,4 - bst r7,3 - bld r7,5 - bst r0,0 - bld r7,3 - bst r6,5 - bld r0,0 - bst r7,1 - bld r6,5 - bst r7,2 - bld r7,1 - bst r6,6 - bld r7,2 - bst r0,0 - bld r6,6 - movw r20,r6 - movw r6,r22 - movw r22,r20 - and r20,r2 - and r21,r3 - eor r4,r20 - eor r5,r21 - com r6 - com r7 - eor r2,r6 - eor r3,r7 - eor r6,r4 - eor r7,r5 - mov r0,r22 - or r0,r2 - eor r4,r0 - mov r0,r23 - or r0,r3 - eor r5,r0 - mov r0,r2 - and r0,r6 - eor r22,r0 - mov r0,r3 - and r0,r7 - eor r23,r0 - mov r0,r22 - and r0,r4 - eor r2,r0 - mov r0,r23 - and r0,r5 - eor r3,r0 - ret -1374: - ldd r26,Y+17 - ldd r27,Y+18 - bst r22,0 - bld r20,0 - bst r2,0 - bld r20,1 - bst r4,0 - bld r20,2 - bst r6,0 - bld r20,3 - bst r22,1 - bld r20,4 - bst r2,1 - bld r20,5 - bst r4,1 - bld r20,6 - bst r6,1 - bld r20,7 - bst r22,2 - bld r21,0 - bst r2,2 - bld r21,1 - bst r4,2 - bld 
r21,2 - bst r6,2 - bld r21,3 - bst r22,3 - bld r21,4 - bst r2,3 - bld r21,5 - bst r4,3 - bld r21,6 - bst r6,3 - bld r21,7 - st X+,r20 - st X+,r21 - bst r22,4 - bld r20,0 - bst r2,4 - bld r20,1 - bst r4,4 - bld r20,2 - bst r6,4 - bld r20,3 - bst r22,5 - bld r20,4 - bst r2,5 - bld r20,5 - bst r4,5 - bld r20,6 - bst r6,5 - bld r20,7 - bst r22,6 - bld r21,0 - bst r2,6 - bld r21,1 - bst r4,6 - bld r21,2 - bst r6,6 - bld r21,3 - bst r22,7 - bld r21,4 - bst r2,7 - bld r21,5 - bst r4,7 - bld r21,6 - bst r6,7 - bld r21,7 - st X+,r20 - st X+,r21 - bst r23,0 - bld r20,0 - bst r3,0 - bld r20,1 - bst r5,0 - bld r20,2 - bst r7,0 - bld r20,3 - bst r23,1 - bld r20,4 - bst r3,1 - bld r20,5 - bst r5,1 - bld r20,6 - bst r7,1 - bld r20,7 - bst r23,2 - bld r21,0 - bst r3,2 - bld r21,1 - bst r5,2 - bld r21,2 - bst r7,2 - bld r21,3 - bst r23,3 - bld r21,4 - bst r3,3 - bld r21,5 - bst r5,3 - bld r21,6 - bst r7,3 - bld r21,7 - st X+,r20 - st X+,r21 - bst r23,4 - bld r20,0 - bst r3,4 - bld r20,1 - bst r5,4 - bld r20,2 - bst r7,4 - bld r20,3 - bst r23,5 - bld r20,4 - bst r3,5 - bld r20,5 - bst r5,5 - bld r20,6 - bst r7,5 - bld r20,7 - bst r23,6 - bld r21,0 - bst r3,6 - bld r21,1 - bst r5,6 - bld r21,2 - bst r7,6 - bld r21,3 - bst r23,7 - bld r21,4 - bst r3,7 - bld r21,5 - bst r5,7 - bld r21,6 - bst r7,7 - bld r21,7 - st X+,r20 - st X+,r21 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift64t_decrypt, .-gift64t_decrypt - -#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/internal-gift64.c b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/internal-gift64.c deleted file mode 100644 index 81bc8a3..0000000 --- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/internal-gift64.c +++ /dev/null 
@@ -1,1205 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-gift64.h" -#include "internal-util.h" -#include - -#if !GIFT64_LOW_MEMORY - -/* Round constants for GIFT-64 in the fixsliced representation */ -static uint32_t const GIFT64_RC[28] = { - 0x22000011, 0x00002299, 0x11118811, 0x880000ff, 0x33111199, 0x990022ee, - 0x22119933, 0x880033bb, 0x22119999, 0x880022ff, 0x11119922, 0x880033cc, - 0x33008899, 0x99002299, 0x33118811, 0x880000ee, 0x33110099, 0x990022aa, - 0x22118833, 0x880022bb, 0x22111188, 0x88002266, 0x00009922, 0x88003300, - 0x22008811, 0x00002288, 0x00118811, 0x880000bb -}; - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/** - * \brief Swaps bits within two words. - * - * \param a The first word. - * \param b The second word. - * \param mask Mask for the bits to shift. - * \param shift Shift amount in bits. - */ -#define gift64b_swap_move(a, b, mask, shift) \ - do { \ - uint32_t t = ((b) ^ ((a) >> (shift))) & (mask); \ - (b) ^= t; \ - (a) ^= t << (shift); \ - } while (0) - -/** - * \brief Performs the GIFT-64 S-box on the bit-sliced state. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift64b_sbox(s0, s1, s2, s3) \ - do { \ - s1 ^= s0 & s2; \ - s0 ^= s1 & s3; \ - s2 ^= s0 | s1; \ - s3 ^= s2; \ - s1 ^= s3; \ - s2 ^= s0 & s1; \ - } while (0) - -/** - * \brief Performs the inverse of the GIFT-64 S-box on the bit-sliced state. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. 
- */ -#define gift64b_inv_sbox(s0, s1, s2, s3) \ - do { \ - s2 ^= s3 & s1; \ - s1 ^= s0; \ - s0 ^= s2; \ - s2 ^= s3 | s1; \ - s3 ^= s1 & s0; \ - s1 ^= s3 & s2; \ - } while (0) - -/* Rotates a state word left by 1 position in the fixsliced representation: - * - * 0 1 2 3 1 2 3 0 - * 4 5 6 7 ==> 5 6 7 4 - * 8 9 10 11 9 10 11 8 - * 12 13 14 15 13 14 14 12 - */ -#define gift64b_rotate_left_1(x) \ - ((((x) >> 1) & 0x77777777U) | (((x) & 0x11111111U) << 3)) - -/* Rotates a state word left by 2 positions in the fixsliced representation: - * - * 0 1 2 3 2 3 0 1 - * 4 5 6 7 ==> 6 7 4 5 - * 8 9 10 11 10 11 8 9 - * 12 13 14 15 14 15 12 13 - */ -#define gift64b_rotate_left_2(x) \ - ((((x) >> 2) & 0x33333333U) | (((x) & 0x33333333U) << 2)) - -/* Rotates a state word left by 3 positions in the fixsliced representation: - * - * 0 1 2 3 3 0 1 2 - * 4 5 6 7 ==> 7 4 5 6 - * 8 9 10 11 11 8 9 10 - * 12 13 14 15 15 12 13 14 - */ -#define gift64b_rotate_left_3(x) \ - ((((x) >> 3) & 0x11111111U) | (((x) & 0x77777777U) << 1)) - -/* Rotates a state word right by 1 position in the fixsliced representation */ -#define gift64b_rotate_right_1(x) gift64b_rotate_left_3(x) - -/* Rotates a state word right by 2 positions in the fixsliced representation */ -#define gift64b_rotate_right_2(x) gift64b_rotate_left_2(x) - -/* Rotates a state word right by 3 positions in the fixsliced representation */ -#define gift64b_rotate_right_3(x) gift64b_rotate_left_1(x) - -/* Rotates a state word up by 1 position in the fixsliced representation: - * - * 0 1 2 3 4 5 6 7 - * 4 5 6 7 ==> 8 9 10 11 - * 8 9 10 11 12 13 14 15 - * 12 13 14 15 0 1 2 3 - */ -#define gift64b_rotate_up_1(x) (rightRotate8((x))) - -/* Rotates a state word up by 2 positions in the fixsliced representation: - * - * 0 1 2 3 8 9 10 11 - * 4 5 6 7 ==> 12 13 14 15 - * 8 9 10 11 0 1 2 3 - * 12 13 14 15 4 5 6 7 - */ -#define gift64b_rotate_up_2(x) (rightRotate16((x))) - -/* Rotates a state word up by 3 positions in the fixsliced representation: - * - 
* 0 1 2 3 12 13 14 15 - * 4 5 6 7 ==> 0 1 2 3 - * 8 9 10 11 4 5 6 7 - * 12 13 14 15 8 9 10 11 - */ -#define gift64b_rotate_up_3(x) (rightRotate24((x))) - -/* Rotates a state word down by 1 position in the fixsliced representation */ -#define gift64b_rotate_down_1(x) gift64b_rotate_up_3(x) - -/* Rotates a state word down by 2 positions in the fixsliced representation */ -#define gift64b_rotate_down_2(x) gift64b_rotate_up_2(x) - -/* Rotates a state word down by 3 positions in the fixsliced representation */ -#define gift64b_rotate_down_3(x) gift64b_rotate_up_1(x) - -/* Permutation code to rearrange key bits into fixsliced form. Permutations - * generated wth "http://programming.sirrida.de/calcperm.php" */ -#define gift64b_rearrange1_transpose_low(out, in) \ - do { \ - out = (in) & 0x0000FFFFU; \ - /* 0 8 16 24 3 11 19 27 2 10 18 26 1 9 17 25 * */ \ - bit_permute_step(out, 0x0000CCCCU, 16); \ - bit_permute_step(out, 0x30030330U, 2); \ - bit_permute_step(out, 0x00960096U, 8); \ - bit_permute_step(out, 0x05500550U, 1); \ - bit_permute_step(out, 0x0A0A0A0AU, 4); \ - } while (0) -#define gift64b_rearrange1_transpose_high(out, in) \ - do { \ - out = (in) >> 16; \ - /* 0 8 16 24 3 11 19 27 2 10 18 26 1 9 17 25 * */ \ - bit_permute_step(out, 0x0000CCCCU, 16); \ - bit_permute_step(out, 0x30030330U, 2); \ - bit_permute_step(out, 0x00960096U, 8); \ - bit_permute_step(out, 0x05500550U, 1); \ - bit_permute_step(out, 0x0A0A0A0AU, 4); \ - } while (0) -#define gift64b_rearrange1_low(out, in) \ - do { \ - out = (in) & 0x0000FFFFU; \ - /* 0 1 2 3 24 25 26 27 16 17 18 19 8 9 10 11 * */ \ - out = (out & 0x0000000FU) | ((out & 0x00000F00U) << 8) | \ - ((out & 0x000000F0U) << 20) | ((out & 0x0000F000U) >> 4); \ - } while (0) -#define gift64b_rearrange1_high(out, in) \ - do { \ - out = (in) >> 16; \ - /* 0 1 2 3 24 25 26 27 16 17 18 19 8 9 10 11 * */ \ - out = (out & 0x0000000FU) | ((out & 0x00000F00U) << 8) | \ - ((out & 0x000000F0U) << 20) | ((out & 0x0000F000U) >> 4); \ - } while (0) 
-#define gift64b_rearrange2_transpose_low(out, in) \ - do { \ - out = (in) & 0x0000FFFFU; \ - /* 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 * */ \ - bit_permute_step(out, 0x0A0A0A0AU, 3); \ - bit_permute_step(out, 0x00CC00CCU, 6); \ - bit_permute_step(out, 0x0000F0F0U, 12); \ - bit_permute_step(out, 0x0000FF00U, 8); \ - } while (0) -#define gift64b_rearrange2_transpose_high(out, in) \ - do { \ - out = (in) >> 16; \ - /* 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 * */ \ - bit_permute_step(out, 0x0A0A0A0AU, 3); \ - bit_permute_step(out, 0x00CC00CCU, 6); \ - bit_permute_step(out, 0x0000F0F0U, 12); \ - bit_permute_step(out, 0x0000FF00U, 8); \ - } while (0) -#define gift64b_rearrange2_low(out, in) \ - do { \ - out = (in) & 0x0000FFFFU; \ - /* 0 1 2 3 8 9 10 11 16 17 18 19 24 25 26 27 * */ \ - out = (out & 0x0000000FU) | ((out & 0x000000F0U) << 4) | \ - ((out & 0x00000F00U) << 8) | ((out & 0x0000F000U) << 12); \ - } while (0) -#define gift64b_rearrange2_high(out, in) \ - do { \ - out = (in) >> 16; \ - /* 0 1 2 3 8 9 10 11 16 17 18 19 24 25 26 27 * */ \ - out = (out & 0x0000000FU) | ((out & 0x000000F0U) << 4) | \ - ((out & 0x00000F00U) << 8) | ((out & 0x0000F000U) << 12); \ - } while (0) - -void gift64n_update_round_keys(gift64n_key_schedule_t *ks) -{ - uint32_t x; - - /* First round */ - gift64b_rearrange1_transpose_low(x, ks->k[3]); - ks->rk[0] = ~(x | (x << 4)); - gift64b_rearrange1_transpose_high(x, ks->k[3]); - ks->rk[1] = x | (x << 4); - - /* Second round */ - gift64b_rearrange1_low(x, ks->k[2]); - x = x | (x << 4); - gift64b_swap_move(x, x, 0x22222222U, 2); - ks->rk[2] = ~x; - gift64b_rearrange1_high(x, ks->k[2]); - x = x | (x << 4); - gift64b_swap_move(x, x, 0x22222222U, 2); - ks->rk[3] = x; - - /* Third round */ - gift64b_rearrange2_transpose_low(x, ks->k[1]); - gift64b_swap_move(x, x, 0x00000F00U, 16); - ks->rk[4] = ~(x | (x << 4)); - gift64b_rearrange2_transpose_high(x, ks->k[1]); - gift64b_swap_move(x, x, 0x00000F00U, 16); - ks->rk[5] = x | (x << 4); - - /* 
Fourth round */ - gift64b_rearrange2_low(x, ks->k[0]); - ks->rk[6] = ~(x | (x << 4)); - gift64b_rearrange2_high(x, ks->k[0]); - ks->rk[7] = x | (x << 4); -} - -/** - * \brief Perform the core of GIFT-64 encryption on two blocks in parallel. - * - * \param ks Points to the key schedule to use to encrypt the blocks. - * \param state Buffer containing the two blocks in bit-sliced form, - * on input and output. - * \param Tweak value or zero if there is no tweak. - */ -static void gift64b_encrypt_core - (const gift64n_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) -{ - const uint32_t *rc = GIFT64_RC; - uint32_t s0, s1, s2, s3, temp; - uint32_t rk[8]; - uint8_t round; - - /* Start with the pre-computed round keys for the first four rounds */ - memcpy(rk, ks->rk, sizeof(ks->rk)); - - /* Load the state into local variables */ - s0 = state[0]; - s1 = state[1]; - s2 = state[2]; - s3 = state[3]; - - /* Perform all 28 rounds four at a time. We use the "fixslicing" method. - * - * The permutation is restructured so that one of the words each round - * does not need to be permuted, with the others rotating left, up, right, - * and down to keep the bits in line with their non-moving counterparts. - * This reduces the number of shifts required significantly. - * - * At the end of four rounds, the bit ordering will return to the - * original position. We then repeat the process for the next 4 rounds. 
- */ - for (round = 0; round < 28; round += 4, rc += 4) { - /* 1st round - S-box, rotate left, add round key */ - gift64b_sbox(s0, s1, s2, s3); - s1 = gift64b_rotate_left_1(s1); - s2 = gift64b_rotate_left_2(s2); - s0 = gift64b_rotate_left_3(s0); - s3 ^= rk[0]; - s1 ^= rk[1]; - s0 ^= rc[0]; - - /* 2nd round - S-box, rotate up, add round key (s0 and s3 swapped) */ - gift64b_sbox(s3, s1, s2, s0); - s1 = gift64b_rotate_up_1(s1); - s2 = gift64b_rotate_up_2(s2); - s3 = gift64b_rotate_up_3(s3); - s0 ^= rk[2]; - s1 ^= rk[3]; - s3 ^= rc[1]; - - /* 3rd round - S-box, rotate right, add round key */ - gift64b_sbox(s0, s1, s2, s3); - s1 = gift64b_rotate_right_1(s1); - s2 = gift64b_rotate_right_2(s2); - s0 = gift64b_rotate_right_3(s0); - s3 ^= rk[4]; - s1 ^= rk[5]; - s0 ^= rc[2]; - - /* 4th round - S-box, rotate down, add round key (s0 and s3 swapped) */ - gift64b_sbox(s3, s1, s2, s0); - s1 = gift64b_rotate_down_1(s1); - s2 = gift64b_rotate_down_2(s2); - s3 = gift64b_rotate_down_3(s3); - s0 ^= rk[6]; - s1 ^= rk[7]; - s3 ^= rc[3]; - - /* Add the tweak every four encryption rounds except the last */ - if (round < 24) - s2 ^= tweak; - - /* Derive the round keys for the next 4 rounds */ - rk[0] = gift64b_rotate_left_1(rk[0]); - rk[1] = (gift64b_rotate_left_3(rk[1]) << 16) | (rk[1] >> 16); - rk[2] = rightRotate8(rk[2]); - temp = gift64b_rotate_left_2(rk[3]); - rk[3] = (temp & 0x99999999U) | leftRotate8(temp & 0x66666666U); - rk[4] = gift64b_rotate_left_3(rk[4]); - temp = rightRotate16(rk[5]); - rk[5] = (gift64b_rotate_left_1(temp) & 0x00FFFF00U) | - (temp & 0xFF0000FFU); - rk[6] = leftRotate8(rk[6]); - temp = gift64b_rotate_left_2(rk[7]); - rk[7] = (temp & 0x33333333U) | rightRotate8(temp & 0xCCCCCCCCU); - } - - /* Copy the local variables to the output state */ - state[0] = s0; - state[1] = s1; - state[2] = s2; - state[3] = s3; -} - -/** - * \brief Perform the core of GIFT-64 decryption on two blocks in parallel. 
- * - * \param ks Points to the key schedule to use to encrypt the blocks. - * \param state Buffer containing the two blocks in bit-sliced form, - * on input and output. - * \param Tweak value or zero if there is no tweak. - */ -static void gift64b_decrypt_core - (const gift64n_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) -{ - const uint32_t *rc = GIFT64_RC + 28 - 4; - uint32_t s0, s1, s2, s3, temp; - uint32_t rk[8]; - uint8_t round; - - /* Start with the pre-computed round keys for the first four rounds */ - memcpy(rk, ks->rk, sizeof(ks->rk)); - - /* Fast forward the key schedule to the end by permuting each round - * key by the amount it would see under the full set of rounds. - * Generated with "http://programming.sirrida.de/calcperm.php" */ - /* P0: 1 2 3 0 5 6 7 4 9 10 11 8 13 14 15 12 17 18 - * 19 16 21 22 23 20 25 26 27 24 29 30 31 28 */ - rk[0] = ((rk[0] & 0x77777777U) << 1) | ((rk[0] & 0x88888888U) >> 3); - /* P1: 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 - * 31 3 0 1 2 7 4 5 6 11 8 9 10 15 12 13 14 */ - rk[1] = ((rk[1] & 0xEEEE0000U) >> 17) | ((rk[1] & 0x0000FFFFU) << 16) | - ((rk[1] & 0x11110000U) >> 13); - /* P2: 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 - * 24 25 26 27 28 29 30 31 0 1 2 3 4 5 6 7 */ - rk[2] = leftRotate8(rk[2]); - /* P3: 2 27 24 1 6 31 28 5 10 3 0 9 14 7 4 13 18 11 - * 8 17 22 15 12 21 26 19 16 25 30 23 20 29 */ - rk[3] = ((rk[3] & 0x11111111U) << 2) | leftRotate22(rk[3] & 0x44444444U) | - leftRotate26(rk[3] & 0x22222222U) | ((rk[3] & 0x88888888U) >> 2); - /* P4: 3 0 1 2 7 4 5 6 11 8 9 10 15 12 13 14 19 16 - * 17 18 23 20 21 22 27 24 25 26 31 28 29 30 */ - rk[4] = ((rk[4] & 0x11111111U) << 3) | ((rk[4] & 0xEEEEEEEEU) >> 1); - /* P5: 16 17 18 19 20 21 22 23 25 26 27 24 29 30 31 - * 28 1 2 3 0 5 6 7 4 8 9 10 11 12 13 14 15 */ - rk[5] = leftRotate13(rk[5] & 0x00888800U) | - leftRotate16(rk[5] & 0xFF0000FFU) | - leftRotate17(rk[5] & 0x00777700U); - /* P6: 24 25 26 27 28 29 30 31 0 1 2 3 4 5 6 7 8 9 10 - * 11 12 13 14 15 16 
17 18 19 20 21 22 23 */ - rk[6] = leftRotate24(rk[6]); - /* P7: 2 3 8 9 6 7 12 13 10 11 16 17 14 15 20 21 18 19 - * 24 25 22 23 28 29 26 27 0 1 30 31 4 5 */ - rk[7] = ((rk[7] & 0x33333333U) << 2) | leftRotate6(rk[7] & 0xCCCCCCCCU); - - /* Load the state into local variables */ - s0 = state[0]; - s1 = state[1]; - s2 = state[2]; - s3 = state[3]; - - /* Perform all 28 rounds four at a time. We use the "fixslicing" method. - * - * The permutation is restructured so that one of the words each round - * does not need to be permuted, with the others rotating left, up, right, - * and down to keep the bits in line with their non-moving counterparts. - * This reduces the number of shifts required significantly. - * - * At the end of four rounds, the bit ordering will return to the - * original position. We then repeat the process for the next 4 rounds. - */ - for (round = 0; round < 28; round += 4, rc -= 4) { - /* Derive the round keys for the previous 4 rounds */ - rk[0] = gift64b_rotate_right_1(rk[0]); - temp = rk[1] >> 16; - rk[1] = gift64b_rotate_right_3(temp) | (rk[1] << 16); - rk[2] = leftRotate8(rk[2]); - temp = (rk[3] & 0x99999999U) | rightRotate8(rk[3] & 0x66666666U); - rk[3] = gift64b_rotate_right_2(temp); - rk[4] = gift64b_rotate_right_3(rk[4]); - temp = (gift64b_rotate_right_1(rk[5]) & 0x00FFFF00U) | - (rk[5] & 0xFF0000FFU); - rk[5] = leftRotate16(temp); - rk[6] = rightRotate8(rk[6]); - temp = (rk[7] & 0x33333333U) | leftRotate8(rk[7] & 0xCCCCCCCCU); - rk[7] = gift64b_rotate_right_2(temp); - - /* Add the tweak every four decryption rounds except the first */ - if (round != 0) - s2 ^= tweak; - - /* 4th round - S-box, rotate down, add round key (s0 and s3 swapped) */ - s0 ^= rk[6]; - s1 ^= rk[7]; - s3 ^= rc[3]; - s1 = gift64b_rotate_up_1(s1); - s2 = gift64b_rotate_up_2(s2); - s3 = gift64b_rotate_up_3(s3); - gift64b_inv_sbox(s0, s1, s2, s3); - - /* 3rd round - S-box, rotate right, add round key */ - s3 ^= rk[4]; - s1 ^= rk[5]; - s0 ^= rc[2]; - s1 = 
gift64b_rotate_left_1(s1); - s2 = gift64b_rotate_left_2(s2); - s0 = gift64b_rotate_left_3(s0); - gift64b_inv_sbox(s3, s1, s2, s0); - - /* 2nd round - S-box, rotate up, add round key (s0 and s3 swapped) */ - s0 ^= rk[2]; - s1 ^= rk[3]; - s3 ^= rc[1]; - s1 = gift64b_rotate_down_1(s1); - s2 = gift64b_rotate_down_2(s2); - s3 = gift64b_rotate_down_3(s3); - gift64b_inv_sbox(s0, s1, s2, s3); - - /* 1st round - S-box, rotate left, add round key */ - s3 ^= rk[0]; - s1 ^= rk[1]; - s0 ^= rc[0]; - s1 = gift64b_rotate_right_1(s1); - s2 = gift64b_rotate_right_2(s2); - s0 = gift64b_rotate_right_3(s0); - gift64b_inv_sbox(s3, s1, s2, s0); - } - - /* Copy the local variables to the output state */ - state[0] = s0; - state[1] = s1; - state[2] = s2; - state[3] = s3; -} - -void gift64n_init(gift64n_key_schedule_t *ks, const unsigned char *key) -{ - /* Use the little-endian byte order from the LOTUS-AEAD submission */ - ks->k[0] = le_load_word32(key + 12); - ks->k[1] = le_load_word32(key + 8); - ks->k[2] = le_load_word32(key + 4); - ks->k[3] = le_load_word32(key); - gift64n_update_round_keys(ks); -} - -/** - * \brief Converts the GIFT-64 nibble-based representation into word-based - * (littlen-endian version). - * - * \param output Output buffer to write the word-based version to. - * \param input Input buffer to read the nibble-based version from. - * - * The output words will be in fixsliced form. Technically the output will - * contain two blocks for gift64b_encrypt_core() to process in parallel but - * both blocks will have the same value. 
- */ -static void gift64n_to_words(uint32_t output[4], const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Load the input block into 32-bit words */ - s0 = le_load_word32(input); - s2 = le_load_word32(input + 4); - - /* Rearrange the bits in the block */ - gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); - gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); - gift64b_swap_move(s0, s0, 0x0000FF00U, 8); - gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); - gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); - gift64b_swap_move(s2, s2, 0x0000FF00U, 8); - - /* Split into two identical blocks in fixsliced form */ - s1 = s0; - s3 = s2; - gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); - gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); - gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); - gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -} - -/** - * \brief Converts the GIFT-64 word-based representation into nibble-based - * (little-endian version). - * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. - * - * The input words are in fixsliced form. Technically there are two - * identical blocks in the input. We drop one when we write to the output. 
- */ -static void gift64n_to_nibbles(unsigned char *output, const uint32_t input[4]) -{ - uint32_t s0, s1, s2, s3; - - /* Load the state and split the two blocks into separate words */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); - gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); - gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); - gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); - - /* Rearrange the bits in the first block back into nibble form */ - gift64b_swap_move(s0, s0, 0x0000FF00U, 8); - gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); - gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); - gift64b_swap_move(s2, s2, 0x0000FF00U, 8); - gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); - gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); - le_store_word32(output, s0); - le_store_word32(output + 4, s2); -} - -void gift64n_encrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t state[4]; - gift64n_to_words(state, input); - gift64b_encrypt_core(ks, state, 0); - gift64n_to_nibbles(output, state); -} - -void gift64n_decrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t state[4]; - gift64n_to_words(state, input); - gift64b_decrypt_core(ks, state, 0); - gift64n_to_nibbles(output, state); -} - -/* 4-bit tweak values expanded to 32-bit in fixsliced form */ -static uint32_t const GIFT64_tweaks[16] = { - 0x00000000, 0xee11ee11, 0xdd22dd22, 0x33333333, 0xbb44bb44, 0x55555555, - 0x66666666, 0x88778877, 0x77887788, 0x99999999, 0xaaaaaaaa, 0x44bb44bb, - 0xcccccccc, 0x22dd22dd, 0x11ee11ee, 0xffffffff -}; - -void gift64t_encrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint16_t tweak) -{ - uint32_t state[4]; - gift64n_to_words(state, input); - gift64b_encrypt_core(ks, state, GIFT64_tweaks[tweak & 0x0F]); - gift64n_to_nibbles(output, state); -} - -void gift64t_decrypt - (const 
gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint16_t tweak) -{ - uint32_t state[4]; - gift64n_to_words(state, input); - gift64b_decrypt_core(ks, state, GIFT64_tweaks[tweak & 0x0F]); - gift64n_to_nibbles(output, state); -} - -#elif !defined(__AVR__) /* GIFT64_LOW_MEMORY */ - -/* Round constants for GIFT-64 */ -static uint8_t const GIFT64_RC[28] = { - 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, - 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, - 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, - 0x21, 0x02, 0x05, 0x0B -}; - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint16_t y = (_y); \ - uint16_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step_simple */ -#define bit_permute_step_simple(_y, mask, shift) \ - do { \ - (_y) = (((_y) & (mask)) << (shift)) | (((_y) >> (shift)) & (mask)); \ - } while (0) - -/* - * The permutation below was generated by the online permuation generator at - * "http://programming.sirrida.de/calcperm.php". - * - * All of the permutuations are essentially the same, except that each is - * rotated by 4 bits with respect to the next: - * - * P0: 0 12 8 4 1 13 9 5 2 14 10 6 3 15 11 7 - * P1: 4 0 12 8 5 1 13 9 6 2 14 10 7 3 15 11 - * P2: 8 4 0 12 9 5 1 13 10 6 2 14 11 7 3 15 - * P3: 12 8 4 0 13 9 5 1 14 10 6 2 15 11 7 3 - * - * The most efficient permutation from the online generator was P1, so we - * perform it as the core of the others, and then perform a final rotation. - * - * It is possible to do slightly better than "P1 then rotate" on desktop and - * server architectures for the other permutations. But the advantage isn't - * as evident on embedded platforms so we keep things simple. 
- */ -#define PERM1_INNER(x) \ - do { \ - bit_permute_step(x, 0x0a0a, 3); \ - bit_permute_step(x, 0x00cc, 6); \ - bit_permute_step_simple(x, 0x0f0f, 4); \ - } while (0) -#define PERM0(x) \ - do { \ - uint32_t _x = (x); \ - PERM1_INNER(_x); \ - (x) = leftRotate12_16(_x); \ - } while (0) -#define PERM1(x) PERM1_INNER(x) -#define PERM2(x) \ - do { \ - uint32_t _x = (x); \ - PERM1_INNER(_x); \ - (x) = leftRotate4_16(_x); \ - } while (0) -#define PERM3(x) \ - do { \ - uint32_t _x = (x); \ - PERM1_INNER(_x); \ - (x) = leftRotate8_16(_x); \ - } while (0) - -#define INV_PERM1_INNER(x) \ - do { \ - bit_permute_step(x, 0x0505, 5); \ - bit_permute_step(x, 0x00cc, 6); \ - bit_permute_step_simple(x, 0x0f0f, 4); \ - } while (0) -#define INV_PERM0(x) \ - do { \ - uint32_t _x = rightRotate12_16(x); \ - INV_PERM1_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM1(x) INV_PERM1_INNER(x) -#define INV_PERM2(x) \ - do { \ - uint32_t _x = rightRotate4_16(x); \ - INV_PERM1_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM3(x) \ - do { \ - uint32_t _x = rightRotate8_16(x); \ - INV_PERM1_INNER(_x); \ - (x) = _x; \ - } while (0) - -/** - * \brief Encrypts a 64-bit block with GIFT-64 (bit-sliced). - * - * \param ks Points to the GIFT-64 key schedule. - * \param output Output buffer which must be at least 8 bytes in length. - * \param input Input buffer which must be at least 8 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. 
- */ -static void gift64b_encrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint16_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word16(input); - s1 = be_load_word16(input + 2); - s2 = be_load_word16(input + 4); - s3 = be_load_word16(input + 6); - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[0]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[3]; - - /* Perform all 28 rounds */ - for (round = 0; round < 28; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 64-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s0 ^= (uint16_t)w3; - s1 ^= (uint16_t)(w3 >> 16); - s3 ^= 0x8000U ^ GIFT64_RC[round]; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word16(output, s0); - be_store_word16(output + 2, s1); - be_store_word16(output + 4, s2); - be_store_word16(output + 6, s3); -} - -/** - * \brief Decrypts a 64-bit block with GIFT-64 (bit-sliced). - * - * \param ks Points to the GIFT-64 key schedule. - * \param output Output buffer which must be at least 8 bytes in length. - * \param input Input buffer which must be at least 8 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place decryption. 
- */ -static void gift64b_decrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint16_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the ciphertext into the state buffer and convert from big endian */ - s0 = be_load_word16(input); - s1 = be_load_word16(input + 2); - s2 = be_load_word16(input + 4); - s3 = be_load_word16(input + 6); - - /* Generate the decryption key at the end of the last round. - * - * To do that, we run the block operation forward to determine the - * final state of the key schedule after the last round: - * - * w0 = ks->k[0]; - * w1 = ks->k[1]; - * w2 = ks->k[2]; - * w3 = ks->k[3]; - * for (round = 0; round < 28; ++round) { - * temp = w3; - * w3 = w2; - * w2 = w1; - * w1 = w0; - * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - * } - * - * We can short-cut all of the above by noticing that we don't need - * to do the word rotations. Every 4 rounds, the rotation alignment - * returns to the original position and each word has been rotated - * by applying the "2 right and 4 left" bit-rotation step to it. - * We then repeat that 7 times for the full 28 rounds. The overall - * effect is to apply a "14 right and 28 left" bit-rotation to every word - * in the key schedule. That is equivalent to "14 right and 12 left" - * on the 16-bit sub-words. 
- */ - w0 = ks->k[0]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[3]; - w0 = ((w0 & 0xC0000000U) >> 14) | ((w0 & 0x3FFF0000U) << 2) | - ((w0 & 0x0000000FU) << 12) | ((w0 & 0x0000FFF0U) >> 4); - w1 = ((w1 & 0xC0000000U) >> 14) | ((w1 & 0x3FFF0000U) << 2) | - ((w1 & 0x0000000FU) << 12) | ((w1 & 0x0000FFF0U) >> 4); - w2 = ((w2 & 0xC0000000U) >> 14) | ((w2 & 0x3FFF0000U) << 2) | - ((w2 & 0x0000000FU) << 12) | ((w2 & 0x0000FFF0U) >> 4); - w3 = ((w3 & 0xC0000000U) >> 14) | ((w3 & 0x3FFF0000U) << 2) | - ((w3 & 0x0000000FU) << 12) | ((w3 & 0x0000FFF0U) >> 4); - - /* Perform all 28 rounds */ - for (round = 28; round > 0; --round) { - /* Rotate the key schedule backwards */ - temp = w0; - w0 = w1; - w1 = w2; - w2 = w3; - w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | - ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s0 ^= (uint16_t)w3; - s1 ^= (uint16_t)(w3 >> 16); - s3 ^= 0x8000U ^ GIFT64_RC[round - 1]; - - /* InvPermBits - apply the inverse of the 128-bit permutation */ - INV_PERM0(s0); - INV_PERM1(s1); - INV_PERM2(s2); - INV_PERM3(s3); - - /* InvSubCells - apply the inverse of the S-box */ - temp = s0; - s0 = s3; - s3 = temp; - s2 ^= s0 & s1; - s3 ^= 0xFFFFU; - s1 ^= s3; - s3 ^= s2; - s2 ^= s0 | s1; - s0 ^= s1 & s3; - s1 ^= s0 & s2; - } - - /* Pack the state into the plaintext buffer in big endian */ - be_store_word16(output, s0); - be_store_word16(output + 2, s1); - be_store_word16(output + 4, s2); - be_store_word16(output + 6, s3); -} - -void gift64n_init(gift64n_key_schedule_t *ks, const unsigned char *key) -{ - /* Use the little-endian byte order from the LOTUS-AEAD submission */ - ks->k[0] = le_load_word32(key + 12); - ks->k[1] = le_load_word32(key + 8); - ks->k[2] = le_load_word32(key + 4); - ks->k[3] = le_load_word32(key); -} - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step_32(_y, mask, shift) \ - do { \ - uint32_t 
y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/** - * \brief Converts the GIFT-64 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. - * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift64n_to_words - (unsigned char *output, const unsigned char *input) -{ - uint32_t s0, s1; - - /* Load the input buffer into 32-bit words. We use the nibble order from - * the LOTUS-AEAD submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-64 paper. Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 4); - s1 = le_load_word32(input); - - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". - */ - #define PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step_32(x, 0x0a0a0a0a, 3); \ - bit_permute_step_32(x, 0x00cc00cc, 6); \ - bit_permute_step_32(x, 0x0000f0f0, 12); \ - bit_permute_step_32(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - PERM_WORDS(s0); - PERM_WORDS(s1); - - /* Rearrange the bytes and write them to the output buffer */ - output[0] = (uint8_t)s0; - output[1] = (uint8_t)s1; - output[2] = (uint8_t)(s0 >> 8); - output[3] = (uint8_t)(s1 >> 8); - output[4] = (uint8_t)(s0 >> 16); - output[5] = (uint8_t)(s1 >> 16); - output[6] = (uint8_t)(s0 >> 24); - output[7] = (uint8_t)(s1 >> 24); -} - -/** - * \brief Converts the GIFT-64 word-based representation into nibble-based. - * - * \param output Output buffer to write the nibble-based version to. 
- * \param input Input buffer to read the word-based version from. - */ -static void gift64n_to_nibbles - (unsigned char *output, const unsigned char *input) -{ - uint32_t s0, s1; - - /* Load the input bytes and rearrange them so that s0 contains the - * most significant nibbles and s1 contains the least significant */ - s0 = (((uint32_t)(input[6])) << 24) | - (((uint32_t)(input[4])) << 16) | - (((uint32_t)(input[2])) << 8) | - ((uint32_t)(input[0])); - s1 = (((uint32_t)(input[7])) << 24) | - (((uint32_t)(input[5])) << 16) | - (((uint32_t)(input[3])) << 8) | - ((uint32_t)(input[1])); - - /* Apply the inverse of PERM_WORDS() from the function above */ - #define INV_PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step_32(x, 0x00aa00aa, 7); \ - bit_permute_step_32(x, 0x0000cccc, 14); \ - bit_permute_step_32(x, 0x00f000f0, 4); \ - bit_permute_step_32(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - INV_PERM_WORDS(s0); - INV_PERM_WORDS(s1); - - /* Store the result into the output buffer as 32-bit words */ - le_store_word32(output + 4, s0); - le_store_word32(output, s1); -} - -void gift64n_encrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - gift64n_to_words(output, input); - gift64b_encrypt(ks, output, output); - gift64n_to_nibbles(output, output); -} - -void gift64n_decrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - gift64n_to_words(output, input); - gift64b_decrypt(ks, output, output); - gift64n_to_nibbles(output, output); -} - -void gift64t_encrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint16_t tweak) -{ - uint16_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer and convert from nibbles */ - gift64n_to_words(output, input); - s0 = be_load_word16(output); - s1 = be_load_word16(output + 2); - s2 = be_load_word16(output + 4); 
- s3 = be_load_word16(output + 6);
-
- /* The key schedule is initialized with the key itself */
- w0 = ks->k[0];
- w1 = ks->k[1];
- w2 = ks->k[2];
- w3 = ks->k[3];
-
- /* Perform all 28 rounds */
- for (round = 0; round < 28; ++round) {
- /* SubCells - apply the S-box */
- s1 ^= s0 & s2;
- s0 ^= s1 & s3;
- s2 ^= s0 | s1;
- s3 ^= s2;
- s1 ^= s3;
- s3 ^= 0xFFFFU;
- s2 ^= s0 & s1;
- temp = s0;
- s0 = s3;
- s3 = temp;
-
- /* PermBits - apply the 64-bit permutation */
- PERM0(s0);
- PERM1(s1);
- PERM2(s2);
- PERM3(s3);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s0 ^= (uint16_t)w3;
- s1 ^= (uint16_t)(w3 >> 16);
- s3 ^= 0x8000U ^ GIFT64_RC[round];
-
- /* AddTweak - XOR in the tweak every 4 rounds except the last */
- if (((round + 1) % 4) == 0 && round < 27)
- s2 ^= tweak;
-
- /* Rotate the key schedule */
- temp = w3;
- w3 = w2;
- w2 = w1;
- w1 = w0;
- w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- }
-
- /* Pack the state into the ciphertext buffer in nibble form */
- be_store_word16(output, s0);
- be_store_word16(output + 2, s1);
- be_store_word16(output + 4, s2);
- be_store_word16(output + 6, s3);
- gift64n_to_nibbles(output, output);
-}
-
-void gift64t_decrypt
- (const gift64n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint16_t tweak)
-{
- uint16_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the ciphertext into the state buffer and convert from nibbles */
- gift64n_to_words(output, input);
- s0 = be_load_word16(output);
- s1 = be_load_word16(output + 2);
- s2 = be_load_word16(output + 4);
- s3 = be_load_word16(output + 6);
-
- /* Generate the decryption key at the end of the last round.
- *
- * To do that, we run the block operation forward to determine the
- * final state of the key schedule after the last round:
- *
- * w0 = ks->k[0];
- * w1 = ks->k[1];
- * w2 = ks->k[2];
- * w3 = ks->k[3];
- * for (round = 0; round < 28; ++round) {
- * temp = w3;
- * w3 = w2;
- * w2 = w1;
- * w1 = w0;
- * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- * }
- *
- * We can short-cut all of the above by noticing that we don't need
- * to do the word rotations. Every 4 rounds, the rotation alignment
- * returns to the original position and each word has been rotated
- * by applying the "2 right and 4 left" bit-rotation step to it.
- * We then repeat that 7 times for the full 28 rounds. The overall
- * effect is to apply a "14 right and 28 left" bit-rotation to every word
- * in the key schedule. That is equivalent to "14 right and 12 left"
- * on the 16-bit sub-words.
- */
- w0 = ks->k[0];
- w1 = ks->k[1];
- w2 = ks->k[2];
- w3 = ks->k[3];
- w0 = ((w0 & 0xC0000000U) >> 14) | ((w0 & 0x3FFF0000U) << 2) |
- ((w0 & 0x0000000FU) << 12) | ((w0 & 0x0000FFF0U) >> 4);
- w1 = ((w1 & 0xC0000000U) >> 14) | ((w1 & 0x3FFF0000U) << 2) |
- ((w1 & 0x0000000FU) << 12) | ((w1 & 0x0000FFF0U) >> 4);
- w2 = ((w2 & 0xC0000000U) >> 14) | ((w2 & 0x3FFF0000U) << 2) |
- ((w2 & 0x0000000FU) << 12) | ((w2 & 0x0000FFF0U) >> 4);
- w3 = ((w3 & 0xC0000000U) >> 14) | ((w3 & 0x3FFF0000U) << 2) |
- ((w3 & 0x0000000FU) << 12) | ((w3 & 0x0000FFF0U) >> 4);
-
- /* Perform all 28 rounds */
- for (round = 28; round > 0; --round) {
- /* Rotate the key schedule backwards */
- temp = w0;
- w0 = w1;
- w1 = w2;
- w2 = w3;
- w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) |
- ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12);
-
- /* AddTweak - XOR in the tweak every 4 rounds except the last */
- if ((round % 4) == 0 && round != 28)
- s2 ^= tweak;
-
- /* AddRoundKey - XOR in the key schedule and the round
constant */
- s0 ^= (uint16_t)w3;
- s1 ^= (uint16_t)(w3 >> 16);
- s3 ^= 0x8000U ^ GIFT64_RC[round - 1];
-
- /* InvPermBits - apply the inverse of the 128-bit permutation */
- INV_PERM0(s0);
- INV_PERM1(s1);
- INV_PERM2(s2);
- INV_PERM3(s3);
-
- /* InvSubCells - apply the inverse of the S-box */
- temp = s0;
- s0 = s3;
- s3 = temp;
- s2 ^= s0 & s1;
- s3 ^= 0xFFFFU;
- s1 ^= s3;
- s3 ^= s2;
- s2 ^= s0 | s1;
- s0 ^= s1 & s3;
- s1 ^= s0 & s2;
- }
-
- /* Pack the state into the plaintext buffer in nibble form */
- be_store_word16(output, s0);
- be_store_word16(output + 2, s1);
- be_store_word16(output + 4, s2);
- be_store_word16(output + 6, s3);
- gift64n_to_nibbles(output, output);
-}
-
-#endif /* GIFT64_LOW_MEMORY */
diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/internal-gift64.h b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/internal-gift64.h
deleted file mode 100644
index 010359b..0000000
--- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/internal-gift64.h
+++ /dev/null
@@ -1,191 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_GIFT64_H
-#define LW_INTERNAL_GIFT64_H
-
-/**
- * \file internal-gift64.h
- * \brief GIFT-64 block cipher.
- *
- * References: https://eprint.iacr.org/2017/622.pdf,
- * https://eprint.iacr.org/2020/412.pdf,
- * https://giftcipher.github.io/gift/
- */
-
-#include
-#include
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \var GIFT64_LOW_MEMORY
- * \brief Define this to 1 to use a low memory version of the key schedule.
- *
- * The default is to use the fix-sliced version of GIFT-64 which is very
- * fast on 32-bit platforms but requires 48 bytes to store the key schedule.
- * The large key schedule may be a problem on 8-bit and 16-bit platforms.
- * The fix-sliced version also encrypts two blocks at a time in 32-bit
- * words which is an unnecessary optimization for 8-bit platforms.
- *
- * GIFT64_LOW_MEMORY can be defined to 1 to select the original non
- * fix-sliced version which only requires 16 bytes to store the key,
- * with the rest of the key schedule expanded on the fly.
- */
-#if !defined(GIFT64_LOW_MEMORY)
-#if defined(__AVR__)
-#define GIFT64_LOW_MEMORY 1
-#else
-#define GIFT64_LOW_MEMORY 0
-#endif
-#endif
-
-/**
- * \brief Size of a GIFT-64 block in bytes.
- */
-#define GIFT64_BLOCK_SIZE 8
-
-/**
- * \brief Structure of the key schedule for GIFT-64.
- */
-typedef struct
-{
- uint32_t k[4]; /**< Words of the key schedule */
-#if !GIFT64_LOW_MEMORY
- uint32_t rk[8]; /**< Pre-computed round keys for fixsliced form */
-#endif
-
-} gift64n_key_schedule_t;
-
-/**
- * \fn void gift64n_update_round_keys(gift64n_key_schedule_t *ks);
- * \brief Updates the round keys after a change in the base key.
- *
- * \param ks Points to the key schedule to update.
- */
-#if GIFT64_LOW_MEMORY
-#define gift64n_update_round_keys(ks) do { ; } while (0) /* Not needed */
-#else
-void gift64n_update_round_keys(gift64n_key_schedule_t *ks);
-#endif
-
-/**
- * \brief Initializes the key schedule for GIFT-64 (nibble-based).
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the 16 bytes of the key data.
- */
-void gift64n_init(gift64n_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 64-bit block with GIFT-64 (nibble-based).
- *
- * \param ks Points to the GIFT-64 key schedule.
- * \param output Output buffer which must be at least 8 bytes in length.
- * \param input Input buffer which must be at least 8 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void gift64n_encrypt
- (const gift64n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 64-bit block with GIFT-64 (nibble-based).
- *
- * \param ks Points to the GIFT-64 key schedule.
- * \param output Output buffer which must be at least 8 bytes in length.
- * \param input Input buffer which must be at least 8 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- */
-void gift64n_decrypt
- (const gift64n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/* 4-bit tweak values expanded to 16-bit for TweGIFT-64 */
-#define GIFT64T_TWEAK_0 0x0000 /**< TweGIFT-64 tweak value 0 */
-#define GIFT64T_TWEAK_1 0xe1e1 /**< TweGIFT-64 tweak value 1 */
-#define GIFT64T_TWEAK_2 0xd2d2 /**< TweGIFT-64 tweak value 2 */
-#define GIFT64T_TWEAK_3 0x3333 /**< TweGIFT-64 tweak value 3 */
-#define GIFT64T_TWEAK_4 0xb4b4 /**< TweGIFT-64 tweak value 4 */
-#define GIFT64T_TWEAK_5 0x5555 /**< TweGIFT-64 tweak value 5 */
-#define GIFT64T_TWEAK_6 0x6666 /**< TweGIFT-64 tweak value 6 */
-#define GIFT64T_TWEAK_7 0x8787 /**< TweGIFT-64 tweak value 7 */
-#define GIFT64T_TWEAK_8 0x7878 /**< TweGIFT-64 tweak value 8 */
-#define GIFT64T_TWEAK_9 0x9999 /**< TweGIFT-64 tweak value 9 */
-#define GIFT64T_TWEAK_10 0xaaaa /**< TweGIFT-64 tweak value 10 */
-#define GIFT64T_TWEAK_11 0x4b4b /**< TweGIFT-64 tweak value 11 */
-#define GIFT64T_TWEAK_12 0xcccc /**< TweGIFT-64 tweak value 12 */
-#define GIFT64T_TWEAK_13 0x2d2d /**< TweGIFT-64 tweak value 13 */
-#define GIFT64T_TWEAK_14 0x1e1e /**< TweGIFT-64 tweak value 14 */
-#define GIFT64T_TWEAK_15 0xffff /**< TweGIFT-64 tweak value 15 */
-
-/**
- * \brief Encrypts a 64-bit block with TweGIFT-64 (tweakable variant).
- *
- * \param ks Points to the GIFT-64 key schedule.
- * \param output Output buffer which must be at least 8 bytes in length.
- * \param input Input buffer which must be at least 8 bytes in length.
- * \param tweak 4-bit tweak value expanded to 16-bit.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This variant of GIFT-64 is used by the LOTUS/LOCUS submission to the
- * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to
- * some of the rounds to provide domain separation. If the tweak is
- * zero, then this function is identical to gift64n_encrypt().
- */
-void gift64t_encrypt
- (const gift64n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint16_t tweak);
-
-/**
- * \brief Decrypts a 64-bit block with TweGIFT-64 (tweakable variant).
- *
- * \param ks Points to the GIFT-64 key schedule.
- * \param output Output buffer which must be at least 8 bytes in length.
- * \param input Input buffer which must be at least 8 bytes in length.
- * \param tweak 4-bit tweak value expanded to 16-bit.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This variant of GIFT-64 is used by the LOTUS/LOCUS submission to the
- * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to
- * some of the rounds to provide domain separation. If the tweak is
- * zero, then this function is identical to gift64n_decrypt().
- */
-void gift64t_decrypt
- (const gift64n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint16_t tweak);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/internal-util.h b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
-
(((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
-
do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time.
This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate
by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define
rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/lotus-locus.c b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/lotus-locus.c deleted file mode 100644 index 4a1efd0..0000000 --- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/lotus-locus.c +++ /dev/null 
@@ -1,436 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "lotus-locus.h"
-#include "internal-gift64.h"
-#include "internal-util.h"
-#include 
-
-aead_cipher_t const lotus_aead_cipher = {
- "LOTUS-AEAD",
- LOTUS_AEAD_KEY_SIZE,
- LOTUS_AEAD_NONCE_SIZE,
- LOTUS_AEAD_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- lotus_aead_encrypt,
- lotus_aead_decrypt
-};
-
-aead_cipher_t const locus_aead_cipher = {
- "LOCUS-AEAD",
- LOCUS_AEAD_KEY_SIZE,
- LOCUS_AEAD_NONCE_SIZE,
- LOCUS_AEAD_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- locus_aead_encrypt,
- locus_aead_decrypt
-};
-
-/**
- * \brief Multiplies a key by 2 in the GF(128) field.
- *
- * \param ks The key schedule structure containing the key in host byte order.
- */
-STATIC_INLINE void lotus_or_locus_mul_2(gift64n_key_schedule_t *ks)
-{
- uint32_t mask = (uint32_t)(((int32_t)(ks->k[0])) >> 31);
- ks->k[0] = (ks->k[0] << 1) | (ks->k[1] >> 31);
- ks->k[1] = (ks->k[1] << 1) | (ks->k[2] >> 31);
- ks->k[2] = (ks->k[2] << 1) | (ks->k[3] >> 31);
- ks->k[3] = (ks->k[3] << 1) ^ (mask & 0x87);
- gift64n_update_round_keys(ks);
-}
-
-/**
- * \brief Initializes a LOTUS-AEAD or LOCUS-AEAD cipher instance.
- *
- * \param ks Key schedule to initialize.
- * \param deltaN Delta-N value for the cipher state.
- * \param key Points to the 16-byte key for the cipher instance.
- * \param nonce Points to the 16-byte key for the cipher instance.
- * \param T Points to a temporary buffer of LOTUS_AEAD_KEY_SIZE bytes
- * that will be destroyed during this function.
- */
-static void lotus_or_locus_init
- (gift64n_key_schedule_t *ks,
- unsigned char deltaN[GIFT64_BLOCK_SIZE],
- const unsigned char *key,
- const unsigned char *nonce,
- unsigned char *T)
-{
- gift64n_init(ks, key);
- memset(deltaN, 0, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(ks, deltaN, deltaN, GIFT64T_TWEAK_0);
- lw_xor_block_2_src(T, key, nonce, LOTUS_AEAD_KEY_SIZE);
- gift64n_init(ks, T);
- gift64t_encrypt(ks, deltaN, deltaN, GIFT64T_TWEAK_1);
-}
-
-/**
- * \brief Processes associated data for LOTUS-AEAD or LOCUS-AEAD.
- *
- * \param ks Points to the key schedule.
- * \param deltaN Points to the Delta-N value from the state.
- * \param V Points to the V value from the state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes, must be non-zero.
- */
-static void lotus_or_locus_process_ad
- (gift64n_key_schedule_t *ks,
- const unsigned char deltaN[GIFT64_BLOCK_SIZE],
- unsigned char V[GIFT64_BLOCK_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char X[GIFT64_BLOCK_SIZE];
- unsigned char temp;
- while (adlen > GIFT64_BLOCK_SIZE) {
- lotus_or_locus_mul_2(ks);
- lw_xor_block_2_src(X, ad, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(ks, X, X, GIFT64T_TWEAK_2);
- lw_xor_block(V, X, GIFT64_BLOCK_SIZE);
- ad += GIFT64_BLOCK_SIZE;
- adlen -= GIFT64_BLOCK_SIZE;
- }
- lotus_or_locus_mul_2(ks);
- temp = (unsigned)adlen;
- if (temp < GIFT64_BLOCK_SIZE) {
- memcpy(X, deltaN, GIFT64_BLOCK_SIZE);
- lw_xor_block(X, ad, temp);
- X[temp] ^= 0x01;
- gift64t_encrypt(ks, X, X, GIFT64T_TWEAK_3);
- } else {
- lw_xor_block_2_src(X, ad, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(ks, X, X, GIFT64T_TWEAK_2);
- }
- lw_xor_block(V, X, GIFT64_BLOCK_SIZE);
-}
-
-/**
- * \brief Generates the authentication tag for LOTUS-AEAD or LOCUS-AEAD.
- *
- * \param ks Points to the key schedule.
- * \param tag Points to the buffer to receive the authentication tag.
- * \param deltaN Points to the Delta-N value from the state.
- * \param W Points to the W value from the state.
- * \param V Points to the V value from the state.
- */
-static void lotus_or_locus_gen_tag
- (gift64n_key_schedule_t *ks, unsigned char *tag,
- unsigned char deltaN[GIFT64_BLOCK_SIZE],
- unsigned char W[GIFT64_BLOCK_SIZE],
- unsigned char V[GIFT64_BLOCK_SIZE])
-{
- lotus_or_locus_mul_2(ks);
- lw_xor_block(W, deltaN, GIFT64_BLOCK_SIZE);
- lw_xor_block(W, V, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(ks, W, W, GIFT64T_TWEAK_6);
- lw_xor_block_2_src(tag, W, deltaN, GIFT64_BLOCK_SIZE);
-}
-
-int lotus_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- gift64n_key_schedule_t ks;
- unsigned char WV[GIFT64_BLOCK_SIZE * 2];
- unsigned char deltaN[GIFT64_BLOCK_SIZE];
- unsigned char X1[GIFT64_BLOCK_SIZE];
- unsigned char X2[GIFT64_BLOCK_SIZE];
- unsigned temp;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + LOTUS_AEAD_TAG_SIZE;
-
- /* Initialize the state with the key and the nonce */
- lotus_or_locus_init(&ks, deltaN, k, npub, WV);
- memset(WV, 0, sizeof(WV));
-
- /* Process the associated data */
- if (adlen > 0) {
- lotus_or_locus_process_ad
- (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen);
- }
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > (GIFT64_BLOCK_SIZE * 2)) {
- lotus_or_locus_mul_2(&ks);
- lw_xor_block_2_src(X1, m, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_4);
- lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_4);
- lw_xor_block_2_src
- (X2, m + GIFT64_BLOCK_SIZE, X2, GIFT64_BLOCK_SIZE);
- lw_xor_block_2_src(c, X2, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_5);
- lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_5);
- lw_xor_block_2_src
- (c + GIFT64_BLOCK_SIZE, X1, X2, GIFT64_BLOCK_SIZE);
- c += GIFT64_BLOCK_SIZE * 2;
- m += GIFT64_BLOCK_SIZE * 2;
- mlen -= GIFT64_BLOCK_SIZE * 2;
- }
- temp = (unsigned)mlen;
- lotus_or_locus_mul_2(&ks);
- memcpy(X1, deltaN, GIFT64_BLOCK_SIZE);
- X1[0] ^= (unsigned char)temp;
- gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_12);
- lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_12);
- if (temp <= GIFT64_BLOCK_SIZE) {
- lw_xor_block(WV, m, temp);
- lw_xor_block(X2, m, temp);
- lw_xor_block_2_src(c, X2, deltaN, temp);
- } else {
- lw_xor_block(X2, m, GIFT64_BLOCK_SIZE);
- lw_xor_block_2_src(c, X2, deltaN, GIFT64_BLOCK_SIZE);
- c += GIFT64_BLOCK_SIZE;
- m += GIFT64_BLOCK_SIZE;
- temp -= GIFT64_BLOCK_SIZE;
- gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13);
- lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13);
- lw_xor_block(WV, m, temp);
- lw_xor_block(X1, X2, temp);
- lw_xor_block_2_src(c, X1, m, temp);
- }
- c += temp;
- }
-
- /* Generate the authentication tag */
- lotus_or_locus_gen_tag(&ks, c, deltaN, WV, WV + GIFT64_BLOCK_SIZE);
- return 0;
-}
-
-int lotus_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- gift64n_key_schedule_t ks;
- unsigned char WV[GIFT64_BLOCK_SIZE * 2];
- unsigned char deltaN[GIFT64_BLOCK_SIZE];
- unsigned char X1[GIFT64_BLOCK_SIZE];
- unsigned char X2[GIFT64_BLOCK_SIZE];
- unsigned char *mtemp = m;
- unsigned temp;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < LOTUS_AEAD_TAG_SIZE)
- return -1;
- *mlen = clen - LOTUS_AEAD_TAG_SIZE;
-
- /* Initialize the state with the key and the nonce */
- lotus_or_locus_init(&ks, deltaN, k, npub, WV);
- memset(WV, 0, sizeof(WV));
-
- /* Process the associated data */
- if (adlen > 0) {
- lotus_or_locus_process_ad
- (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen);
- }
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= LOTUS_AEAD_TAG_SIZE;
- if (clen > 0) {
- while (clen > (GIFT64_BLOCK_SIZE * 2)) {
- lotus_or_locus_mul_2(&ks);
- lw_xor_block_2_src(X1, c, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_5);
- lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_5);
- lw_xor_block(X2, c + GIFT64_BLOCK_SIZE, GIFT64_BLOCK_SIZE);
- lw_xor_block_2_src(m, X2, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_4);
- lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_4);
- lw_xor_block_2_src
- (m + GIFT64_BLOCK_SIZE, X1, X2, GIFT64_BLOCK_SIZE);
- c += GIFT64_BLOCK_SIZE * 2;
- m += GIFT64_BLOCK_SIZE * 2;
- clen -= GIFT64_BLOCK_SIZE * 2;
- }
- temp = (unsigned)clen;
- lotus_or_locus_mul_2(&ks);
- memcpy(X1, deltaN, GIFT64_BLOCK_SIZE);
- X1[0] ^= (unsigned char)temp;
- gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_12);
- lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_12);
- if (temp <= GIFT64_BLOCK_SIZE) {
- lw_xor_block_2_src(m, X2, c, temp);
- lw_xor_block(m, deltaN, temp);
- lw_xor_block(X2, m, temp);
- lw_xor_block(WV, m, temp);
- } else {
- lw_xor_block_2_src(m, X2, c, GIFT64_BLOCK_SIZE);
- lw_xor_block(m, deltaN, GIFT64_BLOCK_SIZE);
- lw_xor_block(X2, m, GIFT64_BLOCK_SIZE);
- c += GIFT64_BLOCK_SIZE;
- m += GIFT64_BLOCK_SIZE;
- temp -= GIFT64_BLOCK_SIZE;
- gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13);
- lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13);
- lw_xor_block(X1, X2, temp);
- lw_xor_block_2_src(m, X1, c, temp);
- lw_xor_block(WV, m, temp);
- }
- c += temp;
- }
-
- /* Check the authentication tag */
- lotus_or_locus_gen_tag(&ks, WV, deltaN, WV, WV + GIFT64_BLOCK_SIZE);
- return aead_check_tag(mtemp, *mlen, WV, c, LOTUS_AEAD_TAG_SIZE);
-}
-
-int locus_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- gift64n_key_schedule_t ks;
- unsigned char WV[GIFT64_BLOCK_SIZE * 2];
- unsigned char deltaN[GIFT64_BLOCK_SIZE];
- unsigned char X[GIFT64_BLOCK_SIZE];
- unsigned temp;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + LOCUS_AEAD_TAG_SIZE;
-
- /* Initialize the state with the key and the nonce */
- lotus_or_locus_init(&ks, deltaN, k, npub, WV);
- memset(WV, 0, sizeof(WV));
-
- /* Process the associated data */
- if (adlen > 0) {
- lotus_or_locus_process_ad
- (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen);
- }
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > GIFT64_BLOCK_SIZE) {
- lotus_or_locus_mul_2(&ks);
- lw_xor_block_2_src(X, m, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_4);
- lw_xor_block(WV, X, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_4);
- lw_xor_block_2_src(c, X, deltaN, GIFT64_BLOCK_SIZE);
- c += GIFT64_BLOCK_SIZE;
- m += GIFT64_BLOCK_SIZE;
- mlen -= GIFT64_BLOCK_SIZE;
- }
- temp = (unsigned)mlen;
- lotus_or_locus_mul_2(&ks);
- memcpy(X, deltaN, GIFT64_BLOCK_SIZE);
- X[0] ^= (unsigned char)temp;
- gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5);
- lw_xor_block(WV, X, GIFT64_BLOCK_SIZE);
- lw_xor_block(WV, m, temp);
- gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5);
- lw_xor_block(X, deltaN, temp);
- lw_xor_block_2_src(c, m, X, temp);
- c += temp;
- }
-
- /* Generate the authentication tag */
- lotus_or_locus_gen_tag(&ks, c, deltaN, WV, WV + GIFT64_BLOCK_SIZE);
- return 0;
-}
-
-int locus_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- gift64n_key_schedule_t ks;
- unsigned char WV[GIFT64_BLOCK_SIZE * 2];
- unsigned char deltaN[GIFT64_BLOCK_SIZE];
- unsigned char X[GIFT64_BLOCK_SIZE];
- unsigned char *mtemp = m;
- unsigned temp;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < LOCUS_AEAD_TAG_SIZE)
- return -1;
- *mlen = clen - LOCUS_AEAD_TAG_SIZE;
-
- /* Initialize the state with the key and the nonce */
- lotus_or_locus_init(&ks, deltaN, k, npub, WV);
- memset(WV, 0, sizeof(WV));
-
- /* Process the associated data */
- if (adlen > 0) {
- lotus_or_locus_process_ad
- (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen);
- }
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= LOCUS_AEAD_TAG_SIZE;
- if (clen > 0) {
- while (clen > GIFT64_BLOCK_SIZE) {
- lotus_or_locus_mul_2(&ks);
- lw_xor_block_2_src(X, c, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_decrypt(&ks, X, X, GIFT64T_TWEAK_4);
- lw_xor_block(WV, X, GIFT64_BLOCK_SIZE);
- gift64t_decrypt(&ks, X, X, GIFT64T_TWEAK_4);
- lw_xor_block_2_src(m, X, deltaN, GIFT64_BLOCK_SIZE);
- c += GIFT64_BLOCK_SIZE;
- m += GIFT64_BLOCK_SIZE;
- clen -= GIFT64_BLOCK_SIZE;
- }
- temp = (unsigned)clen;
- lotus_or_locus_mul_2(&ks);
- memcpy(X, deltaN, GIFT64_BLOCK_SIZE);
- X[0] ^= (unsigned char)temp;
- gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5);
- lw_xor_block(WV, X, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5);
- lw_xor_block(X, deltaN, temp);
- lw_xor_block_2_src(m, c, X, temp);
- lw_xor_block(WV, m, temp);
- c += temp;
- }
-
- /* Check the authentication tag */
- lotus_or_locus_gen_tag(&ks, WV, deltaN, WV, WV + GIFT64_BLOCK_SIZE);
- return aead_check_tag(mtemp, *mlen, WV, c, LOCUS_AEAD_TAG_SIZE);
-}
diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/lotus-locus.h b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/lotus-locus.h
deleted file mode 100644
index 85434a8..0000000
--- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys-avr/lotus-locus.h
+++ /dev/null
@@ -1,223 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_LOTUS_LOCUS_H
-#define LWCRYPTO_LOTUS_LOCUS_H
-
-#include "aead-common.h"
-
-/**
- * \file lotus-locus.h
- * \brief LOTUS-AEAD and LOCUS-AEAD authenticated encryption algorithms.
- *
- * LOTUS-AEAD and LOCUS-AEAD are authenticated encryption algorithms
- * that are based around a tweakable variant of the GIFT-64 block cipher
- * called TweGIFT-64. Both AEAD algorithms have a 128-bit key, a 128-bit
- * nonce, and a 64-bit tag.
- *
- * The two algorithms have the same key initialization, associated data
- * processing, and tag generation mechanisms. They differ in how the
- * input is encrypted with TweGIFT-64.
- *
- * LOTUS-AEAD uses a method similar to the block cipher mode OTR.
- * TweGIFT-64 is essentially converted into a 128-bit block cipher
- * using a Feistel construction and four TweGIFT-64 block operations
- * every 16 bytes of input.
- *
- * LOCUS-AEAD uses a method similar to the block cipher mode OCB
- * with two TweGIFT-64 block operations for every 8 bytes of input.
- * LOCUS-AEAD requires both the block encrypt and block decrypt
- * operations of TweGIFT-64, which increases the overall code size.
- * LOTUS-AEAD only needs the block encrypt operation.
- *
- * LOTUS-AEAD is the primary member of the family.
- *
- * References: https://www.isical.ac.in/~lightweight/lotus/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for LOTUS-AEAD.
- */
-#define LOTUS_AEAD_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for LOTUS-AEAD.
- */
-#define LOTUS_AEAD_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for LOTUS-AEAD.
- */
-#define LOTUS_AEAD_NONCE_SIZE 16
-
-/**
- * \brief Size of the key for LOCUS-AEAD.
- */
-#define LOCUS_AEAD_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for LOCUS-AEAD.
- */
-#define LOCUS_AEAD_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for LOCUS-AEAD.
- */
-#define LOCUS_AEAD_NONCE_SIZE 16
-
-/**
- * \brief Meta-information block for the LOTUS-AEAD cipher.
- */
-extern aead_cipher_t const lotus_aead_cipher;
-
-/**
- * \brief Meta-information block for the LOCUS-AEAD cipher.
- */
-extern aead_cipher_t const locus_aead_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with LOTUS-AEAD.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa lotus_aead_decrypt()
- */
-int lotus_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with LOTUS-AEAD.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 9 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa lotus_aead_encrypt()
- */
-int lotus_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with LOCUS-AEAD.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa locus_aead_decrypt()
- */
-int locus_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with LOCUS-AEAD.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 9 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa locus_aead_encrypt()
- */
-int locus_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64-avr.S b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64-avr.S
new file mode 100644
index 0000000..fdb668d
--- /dev/null
+++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64-avr.S
@@ -0,0 +1,6047 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global gift64n_init + .type gift64n_init, @function +gift64n_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + std Z+12,r18 + std Z+13,r19 + std Z+14,r20 + std Z+15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + std Z+8,r18 + std Z+9,r19 + std Z+10,r20 + std Z+11,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + std Z+4,r18 + std Z+5,r19 + std Z+6,r20 + std Z+7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + ret + .size gift64n_init, .-gift64n_init + + .text +.global gift64n_encrypt + .type gift64n_encrypt, @function +gift64n_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 28 + ld r6,Z + ldd r7,Z+1 + ldd r8,Z+2 + ldd r9,Z+3 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Z+4 + ldd r7,Z+5 + ldd r8,Z+6 + ldd r9,Z+7 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Z+8 + ldd r7,Z+9 + ldd r8,Z+10 + ldd r9,Z+11 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Z+12 + ldd r7,Z+13 + ldd r8,Z+14 + ldd r9,Z+15 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r20,0 + bst r18,1 + bld r22,0 + bst r18,2 + bld r2,0 + bst r18,3 + bld r4,0 + bst r18,4 + bld r20,1 + bst r18,5 + bld r22,1 + bst r18,6 + bld r2,1 + bst r18,7 + bld r4,1 + bst r19,0 + bld r20,2 + bst r19,1 + bld r22,2 + bst r19,2 + bld r2,2 + bst r19,3 + bld r4,2 + bst r19,4 + bld r20,3 + bst r19,5 + bld r22,3 + bst r19,6 + bld r2,3 + bst r19,7 + bld r4,3 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r20,4 + bst r18,1 + bld r22,4 + bst r18,2 + bld r2,4 + bst r18,3 + bld r4,4 + bst r18,4 + bld r20,5 + bst r18,5 + bld r22,5 + bst 
r18,6 + bld r2,5 + bst r18,7 + bld r4,5 + bst r19,0 + bld r20,6 + bst r19,1 + bld r22,6 + bst r19,2 + bld r2,6 + bst r19,3 + bld r4,6 + bst r19,4 + bld r20,7 + bst r19,5 + bld r22,7 + bst r19,6 + bld r2,7 + bst r19,7 + bld r4,7 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r21,0 + bst r18,1 + bld r23,0 + bst r18,2 + bld r3,0 + bst r18,3 + bld r5,0 + bst r18,4 + bld r21,1 + bst r18,5 + bld r23,1 + bst r18,6 + bld r3,1 + bst r18,7 + bld r5,1 + bst r19,0 + bld r21,2 + bst r19,1 + bld r23,2 + bst r19,2 + bld r3,2 + bst r19,3 + bld r5,2 + bst r19,4 + bld r21,3 + bst r19,5 + bld r23,3 + bst r19,6 + bld r3,3 + bst r19,7 + bld r5,3 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r21,4 + bst r18,1 + bld r23,4 + bst r18,2 + bld r3,4 + bst r18,3 + bld r5,4 + bst r18,4 + bld r21,5 + bst r18,5 + bld r23,5 + bst r18,6 + bld r3,5 + bst r18,7 + bld r5,5 + bst r19,0 + bld r21,6 + bst r19,1 + bld r23,6 + bst r19,2 + bld r3,6 + bst r19,3 + bld r5,6 + bst r19,4 + bld r21,7 + bst r19,5 + bld r23,7 + bst r19,6 + bld r3,7 + bst r19,7 + bld r5,7 + rcall 1061f + ldi r18,1 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,3 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,7 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + 
lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,15 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + rcall 1061f + ldi r18,31 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,62 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,61 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,59 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + 
rcall 1061f + ldi r18,55 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,47 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,30 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,60 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + rcall 1061f + ldi r18,57 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,51 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + 
rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,39 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,14 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + rcall 1061f + ldi r18,29 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,58 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,53 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + 
std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,43 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + rcall 1061f + ldi r18,22 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,44 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,24 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,48 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + rcall 1061f + ldi r18,33 + ldi r19,128 + eor 
r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,2 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,5 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,11 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rjmp 1252f +1061: + mov r0,r20 + and r0,r2 + eor r22,r0 + mov r0,r21 + and r0,r3 + eor r23,r0 + mov r0,r22 + and r0,r4 + eor r20,r0 + mov r0,r23 + and r0,r5 + eor r21,r0 + mov r0,r20 + or r0,r22 + eor r2,r0 + mov r0,r21 + or r0,r23 + eor r3,r0 + eor r4,r2 + eor r5,r3 + eor r22,r4 + eor r23,r5 + com r4 + com r5 + movw r18,r20 + mov r0,r22 + and r0,r18 + eor r2,r0 + mov r0,r23 + and r0,r19 + eor r3,r0 + movw r20,r4 + movw r4,r18 + bst r20,1 + bld r0,0 + bst r20,4 + bld r20,1 + bst r20,3 + bld r20,4 + bst r21,4 + bld r20,3 + bst r0,0 + bld r21,4 + bst r20,2 + bld r0,0 + bst r21,0 + bld r20,2 + bst r0,0 + bld r21,0 + bst r20,5 + bld r0,0 + bst r20,7 + bld r20,5 + bst r21,7 + bld r20,7 + bst r21,5 + bld r21,7 + bst r0,0 + bld r21,5 + bst r20,6 + bld r0,0 + bst r21,3 + bld r20,6 + bst r21,6 + bld r21,3 + bst r21,1 + bld r21,6 + bst r0,0 + bld r21,1 + bst 
r22,0 + bld r0,0 + bst r22,1 + bld r22,0 + bst r22,5 + bld r22,1 + bst r22,4 + bld r22,5 + bst r0,0 + bld r22,4 + bst r22,2 + bld r0,0 + bst r23,1 + bld r22,2 + bst r22,7 + bld r23,1 + bst r23,4 + bld r22,7 + bst r0,0 + bld r23,4 + bst r22,3 + bld r0,0 + bst r23,5 + bld r22,3 + bst r22,6 + bld r23,5 + bst r23,0 + bld r22,6 + bst r0,0 + bld r23,0 + bst r23,2 + bld r0,0 + bst r23,3 + bld r23,2 + bst r23,7 + bld r23,3 + bst r23,6 + bld r23,7 + bst r0,0 + bld r23,6 + bst r2,0 + bld r0,0 + bst r2,2 + bld r2,0 + bst r3,2 + bld r2,2 + bst r3,0 + bld r3,2 + bst r0,0 + bld r3,0 + bst r2,1 + bld r0,0 + bst r2,6 + bld r2,1 + bst r3,1 + bld r2,6 + bst r2,4 + bld r3,1 + bst r0,0 + bld r2,4 + bst r2,3 + bld r0,0 + bst r3,6 + bld r2,3 + bst r3,3 + bld r3,6 + bst r3,4 + bld r3,3 + bst r0,0 + bld r3,4 + bst r2,7 + bld r0,0 + bst r3,5 + bld r2,7 + bst r0,0 + bld r3,5 + bst r4,0 + bld r0,0 + bst r4,3 + bld r4,0 + bst r5,7 + bld r4,3 + bst r5,4 + bld r5,7 + bst r0,0 + bld r5,4 + bst r4,1 + bld r0,0 + bst r4,7 + bld r4,1 + bst r5,6 + bld r4,7 + bst r5,0 + bld r5,6 + bst r0,0 + bld r5,0 + bst r4,2 + bld r0,0 + bst r5,3 + bld r4,2 + bst r5,5 + bld r5,3 + bst r4,4 + bld r5,5 + bst r0,0 + bld r4,4 + bst r4,5 + bld r0,0 + bst r4,6 + bld r4,5 + bst r5,2 + bld r4,6 + bst r5,1 + bld r5,2 + bst r0,0 + bld r5,1 + eor r20,r6 + eor r21,r7 + eor r22,r8 + eor r23,r9 + ret +1252: + ldd r26,Y+17 + ldd r27,Y+18 + bst r20,0 + bld r18,0 + bst r22,0 + bld r18,1 + bst r2,0 + bld r18,2 + bst r4,0 + bld r18,3 + bst r20,1 + bld r18,4 + bst r22,1 + bld r18,5 + bst r2,1 + bld r18,6 + bst r4,1 + bld r18,7 + bst r20,2 + bld r19,0 + bst r22,2 + bld r19,1 + bst r2,2 + bld r19,2 + bst r4,2 + bld r19,3 + bst r20,3 + bld r19,4 + bst r22,3 + bld r19,5 + bst r2,3 + bld r19,6 + bst r4,3 + bld r19,7 + st X+,r18 + st X+,r19 + bst r20,4 + bld r18,0 + bst r22,4 + bld r18,1 + bst r2,4 + bld r18,2 + bst r4,4 + bld r18,3 + bst r20,5 + bld r18,4 + bst r22,5 + bld r18,5 + bst r2,5 + bld r18,6 + bst r4,5 + bld r18,7 + bst r20,6 + 
bld r19,0 + bst r22,6 + bld r19,1 + bst r2,6 + bld r19,2 + bst r4,6 + bld r19,3 + bst r20,7 + bld r19,4 + bst r22,7 + bld r19,5 + bst r2,7 + bld r19,6 + bst r4,7 + bld r19,7 + st X+,r18 + st X+,r19 + bst r21,0 + bld r18,0 + bst r23,0 + bld r18,1 + bst r3,0 + bld r18,2 + bst r5,0 + bld r18,3 + bst r21,1 + bld r18,4 + bst r23,1 + bld r18,5 + bst r3,1 + bld r18,6 + bst r5,1 + bld r18,7 + bst r21,2 + bld r19,0 + bst r23,2 + bld r19,1 + bst r3,2 + bld r19,2 + bst r5,2 + bld r19,3 + bst r21,3 + bld r19,4 + bst r23,3 + bld r19,5 + bst r3,3 + bld r19,6 + bst r5,3 + bld r19,7 + st X+,r18 + st X+,r19 + bst r21,4 + bld r18,0 + bst r23,4 + bld r18,1 + bst r3,4 + bld r18,2 + bst r5,4 + bld r18,3 + bst r21,5 + bld r18,4 + bst r23,5 + bld r18,5 + bst r3,5 + bld r18,6 + bst r5,5 + bld r18,7 + bst r21,6 + bld r19,0 + bst r23,6 + bld r19,1 + bst r3,6 + bld r19,2 + bst r5,6 + bld r19,3 + bst r21,7 + bld r19,4 + bst r23,7 + bld r19,5 + bst r3,7 + bld r19,6 + bst r5,7 + bld r19,7 + st X+,r18 + st X+,r19 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift64n_encrypt, .-gift64n_encrypt + + .text +.global gift64n_decrypt + .type gift64n_decrypt, @function +gift64n_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 28 + ld r6,Z + ldd r7,Z+1 + ldd r8,Z+2 + ldd r9,Z+3 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Z+4 + ldd r7,Z+5 + ldd r8,Z+6 + ldd r9,Z+7 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r6 
+ rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Z+8 + ldd r7,Z+9 + ldd r8,Z+10 + ldd r9,Z+11 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Z+12 + ldd r7,Z+13 + ldd r8,Z+14 + ldd r9,Z+15 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r20,0 + bst r18,1 + bld r22,0 + bst r18,2 + bld r2,0 + bst r18,3 + bld r4,0 + bst r18,4 + bld r20,1 + bst r18,5 + bld r22,1 + bst r18,6 + bld r2,1 + bst r18,7 + bld r4,1 + bst r19,0 + bld r20,2 + bst r19,1 + bld r22,2 + bst r19,2 + bld r2,2 + bst r19,3 + bld r4,2 + bst r19,4 + bld r20,3 + bst r19,5 + bld r22,3 + bst r19,6 + bld r2,3 + bst r19,7 + bld r4,3 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r20,4 + bst r18,1 + bld r22,4 + bst r18,2 + bld r2,4 + bst r18,3 + bld r4,4 + bst r18,4 + bld r20,5 + bst r18,5 + bld r22,5 + bst r18,6 + bld r2,5 + bst r18,7 + bld r4,5 + bst r19,0 + bld r20,6 + bst r19,1 + bld r22,6 + bst r19,2 + bld r2,6 + bst r19,3 + bld r4,6 + bst r19,4 + bld r20,7 + bst r19,5 + bld r22,7 + bst r19,6 + bld r2,7 + bst r19,7 + bld r4,7 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r21,0 + bst r18,1 + bld r23,0 + bst r18,2 + bld r3,0 + bst r18,3 + bld r5,0 + bst r18,4 + bld r21,1 + bst r18,5 + bld r23,1 + bst r18,6 + bld r3,1 + bst r18,7 + bld r5,1 + bst r19,0 + bld r21,2 + bst r19,1 + bld r23,2 + bst r19,2 + bld r3,2 + bst r19,3 + bld r5,2 + bst r19,4 + bld r21,3 + bst r19,5 + bld r23,3 + bst r19,6 + bld r3,3 + 
bst r19,7 + bld r5,3 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r21,4 + bst r18,1 + bld r23,4 + bst r18,2 + bld r3,4 + bst r18,3 + bld r5,4 + bst r18,4 + bld r21,5 + bst r18,5 + bld r23,5 + bst r18,6 + bld r3,5 + bst r18,7 + bld r5,5 + bst r19,0 + bld r21,6 + bst r19,1 + bld r23,6 + bst r19,2 + bld r3,6 + bst r19,3 + bld r5,6 + bst r19,4 + bld r21,7 + bst r19,5 + bld r23,7 + bst r19,6 + bld r3,7 + bst r19,7 + bld r5,7 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,11 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,5 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,2 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,33 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov 
r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,48 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,24 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,44 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,22 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,43 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + 
adc r8,r1 + ldi r18,53 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,58 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,29 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,14 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,39 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,51 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd 
r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,57 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,60 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,30 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,47 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,55 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 
+ adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,59 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,61 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,62 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,31 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,15 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,7 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + 
ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,3 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,1 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + rjmp 1362f +1173: + eor r20,r6 + eor r21,r7 + eor r22,r8 + eor r23,r9 + bst r20,1 + bld r0,0 + bst r21,4 + bld r20,1 + bst r20,3 + bld r21,4 + bst r20,4 + bld r20,3 + bst r0,0 + bld r20,4 + bst r20,2 + bld r0,0 + bst r21,0 + bld r20,2 + bst r0,0 + bld r21,0 + bst r20,5 + bld r0,0 + bst r21,5 + bld r20,5 + bst r21,7 + bld r21,5 + bst r20,7 + bld r21,7 + bst r0,0 + bld r20,7 + bst r20,6 + bld r0,0 + bst r21,1 + bld r20,6 + bst r21,6 + bld r21,1 + bst r21,3 + bld r21,6 + bst r0,0 + bld r21,3 + bst r22,0 + bld r0,0 + bst r22,4 + bld r22,0 + bst r22,5 + bld r22,4 + bst r22,1 + bld r22,5 + bst r0,0 + bld r22,1 + bst r22,2 + bld r0,0 + bst r23,4 + bld r22,2 + bst r22,7 + bld r23,4 + bst r23,1 + bld r22,7 + bst r0,0 + bld r23,1 + bst r22,3 + bld r0,0 + bst r23,0 + bld r22,3 + bst r22,6 + bld r23,0 + bst r23,5 + bld r22,6 + bst r0,0 + bld r23,5 + bst r23,2 + bld r0,0 + bst r23,6 + bld r23,2 + bst r23,7 + bld r23,6 + bst r23,3 + bld r23,7 + bst r0,0 + bld r23,3 + bst r2,0 + bld r0,0 + bst r3,0 + bld r2,0 + bst r3,2 + bld r3,0 + bst r2,2 + bld r3,2 + bst r0,0 + bld r2,2 + bst r2,1 + bld r0,0 + bst r2,4 + bld r2,1 + bst r3,1 + bld r2,4 + bst r2,6 + bld r3,1 + bst r0,0 + bld r2,6 + bst r2,3 + bld r0,0 + bst r3,4 + bld r2,3 + bst r3,3 + bld r3,4 + bst r3,6 + bld r3,3 + bst r0,0 + bld r3,6 + bst r2,7 + bld r0,0 + bst r3,5 + 
bld r2,7 + bst r0,0 + bld r3,5 + bst r4,0 + bld r0,0 + bst r5,4 + bld r4,0 + bst r5,7 + bld r5,4 + bst r4,3 + bld r5,7 + bst r0,0 + bld r4,3 + bst r4,1 + bld r0,0 + bst r5,0 + bld r4,1 + bst r5,6 + bld r5,0 + bst r4,7 + bld r5,6 + bst r0,0 + bld r4,7 + bst r4,2 + bld r0,0 + bst r4,4 + bld r4,2 + bst r5,5 + bld r4,4 + bst r5,3 + bld r5,5 + bst r0,0 + bld r5,3 + bst r4,5 + bld r0,0 + bst r5,1 + bld r4,5 + bst r5,2 + bld r5,1 + bst r4,6 + bld r5,2 + bst r0,0 + bld r4,6 + movw r18,r4 + movw r4,r20 + movw r20,r18 + and r18,r22 + and r19,r23 + eor r2,r18 + eor r3,r19 + com r4 + com r5 + eor r22,r4 + eor r23,r5 + eor r4,r2 + eor r5,r3 + mov r0,r20 + or r0,r22 + eor r2,r0 + mov r0,r21 + or r0,r23 + eor r3,r0 + mov r0,r22 + and r0,r4 + eor r20,r0 + mov r0,r23 + and r0,r5 + eor r21,r0 + mov r0,r20 + and r0,r2 + eor r22,r0 + mov r0,r21 + and r0,r3 + eor r23,r0 + ret +1362: + ldd r26,Y+17 + ldd r27,Y+18 + bst r20,0 + bld r18,0 + bst r22,0 + bld r18,1 + bst r2,0 + bld r18,2 + bst r4,0 + bld r18,3 + bst r20,1 + bld r18,4 + bst r22,1 + bld r18,5 + bst r2,1 + bld r18,6 + bst r4,1 + bld r18,7 + bst r20,2 + bld r19,0 + bst r22,2 + bld r19,1 + bst r2,2 + bld r19,2 + bst r4,2 + bld r19,3 + bst r20,3 + bld r19,4 + bst r22,3 + bld r19,5 + bst r2,3 + bld r19,6 + bst r4,3 + bld r19,7 + st X+,r18 + st X+,r19 + bst r20,4 + bld r18,0 + bst r22,4 + bld r18,1 + bst r2,4 + bld r18,2 + bst r4,4 + bld r18,3 + bst r20,5 + bld r18,4 + bst r22,5 + bld r18,5 + bst r2,5 + bld r18,6 + bst r4,5 + bld r18,7 + bst r20,6 + bld r19,0 + bst r22,6 + bld r19,1 + bst r2,6 + bld r19,2 + bst r4,6 + bld r19,3 + bst r20,7 + bld r19,4 + bst r22,7 + bld r19,5 + bst r2,7 + bld r19,6 + bst r4,7 + bld r19,7 + st X+,r18 + st X+,r19 + bst r21,0 + bld r18,0 + bst r23,0 + bld r18,1 + bst r3,0 + bld r18,2 + bst r5,0 + bld r18,3 + bst r21,1 + bld r18,4 + bst r23,1 + bld r18,5 + bst r3,1 + bld r18,6 + bst r5,1 + bld r18,7 + bst r21,2 + bld r19,0 + bst r23,2 + bld r19,1 + bst r3,2 + bld r19,2 + bst r5,2 + bld r19,3 + bst r21,3 
+ bld r19,4 + bst r23,3 + bld r19,5 + bst r3,3 + bld r19,6 + bst r5,3 + bld r19,7 + st X+,r18 + st X+,r19 + bst r21,4 + bld r18,0 + bst r23,4 + bld r18,1 + bst r3,4 + bld r18,2 + bst r5,4 + bld r18,3 + bst r21,5 + bld r18,4 + bst r23,5 + bld r18,5 + bst r3,5 + bld r18,6 + bst r5,5 + bld r18,7 + bst r21,6 + bld r19,0 + bst r23,6 + bld r19,1 + bst r3,6 + bld r19,2 + bst r5,6 + bld r19,3 + bst r21,7 + bld r19,4 + bst r23,7 + bld r19,5 + bst r3,7 + bld r19,6 + bst r5,7 + bld r19,7 + st X+,r18 + st X+,r19 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift64n_decrypt, .-gift64n_decrypt + + .text +.global gift64t_encrypt + .type gift64t_encrypt, @function +gift64t_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 30 + ld r8,Z + ldd r9,Z+1 + ldd r10,Z+2 + ldd r11,Z+3 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Z+4 + ldd r9,Z+5 + ldd r10,Z+6 + ldd r11,Z+7 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r22,0 + bst r20,1 + bld r2,0 + bst r20,2 + bld r4,0 + bst r20,3 + bld r6,0 + bst r20,4 + bld r22,1 + bst r20,5 + bld r2,1 + bst r20,6 + bld r4,1 + bst r20,7 + bld r6,1 + bst r21,0 + bld r22,2 + bst r21,1 + bld r2,2 + bst r21,2 + bld r4,2 + bst r21,3 + bld r6,2 + bst r21,4 + bld r22,3 + bst r21,5 + bld r2,3 + bst r21,6 + bld r4,3 + bst r21,7 + bld r6,3 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r22,4 + bst r20,1 + bld r2,4 + bst r20,2 + bld r4,4 + bst 
r20,3 + bld r6,4 + bst r20,4 + bld r22,5 + bst r20,5 + bld r2,5 + bst r20,6 + bld r4,5 + bst r20,7 + bld r6,5 + bst r21,0 + bld r22,6 + bst r21,1 + bld r2,6 + bst r21,2 + bld r4,6 + bst r21,3 + bld r6,6 + bst r21,4 + bld r22,7 + bst r21,5 + bld r2,7 + bst r21,6 + bld r4,7 + bst r21,7 + bld r6,7 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r23,0 + bst r20,1 + bld r3,0 + bst r20,2 + bld r5,0 + bst r20,3 + bld r7,0 + bst r20,4 + bld r23,1 + bst r20,5 + bld r3,1 + bst r20,6 + bld r5,1 + bst r20,7 + bld r7,1 + bst r21,0 + bld r23,2 + bst r21,1 + bld r3,2 + bst r21,2 + bld r5,2 + bst r21,3 + bld r7,2 + bst r21,4 + bld r23,3 + bst r21,5 + bld r3,3 + bst r21,6 + bld r5,3 + bst r21,7 + bld r7,3 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r23,4 + bst r20,1 + bld r3,4 + bst r20,2 + bld r5,4 + bst r20,3 + bld r7,4 + bst r20,4 + bld r23,5 + bst r20,5 + bld r3,5 + bst r20,6 + bld r5,5 + bst r20,7 + bld r7,5 + bst r21,0 + bld r23,6 + bst r21,1 + bld r3,6 + bst r21,2 + bld r5,6 + bst r21,3 + bld r7,6 + bst r21,4 + bld r23,7 + bst r21,5 + bld r3,7 + bst r21,6 + bld r5,7 + bst r21,7 + bld r7,7 + rcall 1073f + ldi r20,1 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,3 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,7 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc 
r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,15 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + rcall 1073f + ldi r20,31 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,62 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,61 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,59 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 
+ lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + rcall 1073f + ldi r20,55 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,47 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,30 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,60 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + rcall 1073f + ldi r20,57 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 
+ std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,51 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,39 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,14 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + rcall 1073f + ldi r20,29 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,58 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd 
r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,53 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,43 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + rcall 1073f + ldi r20,22 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,44 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,24 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,48 
+ ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + rcall 1073f + ldi r20,33 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,2 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,5 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,11 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rjmp 1264f +1073: + mov r0,r22 + and r0,r4 + eor r2,r0 + mov r0,r23 + and r0,r5 + eor r3,r0 + mov r0,r2 + and r0,r6 + eor r22,r0 + mov r0,r3 + and r0,r7 + eor r23,r0 + mov r0,r22 + or r0,r2 + eor r4,r0 + mov r0,r23 + or r0,r3 + eor r5,r0 + eor r6,r4 + eor r7,r5 + eor r2,r6 + eor r3,r7 + com r6 + com r7 + movw r20,r22 + mov r0,r2 + and r0,r20 + eor r4,r0 + mov r0,r3 + and r0,r21 + eor r5,r0 + movw r22,r6 + 
movw r6,r20 + bst r22,1 + bld r0,0 + bst r22,4 + bld r22,1 + bst r22,3 + bld r22,4 + bst r23,4 + bld r22,3 + bst r0,0 + bld r23,4 + bst r22,2 + bld r0,0 + bst r23,0 + bld r22,2 + bst r0,0 + bld r23,0 + bst r22,5 + bld r0,0 + bst r22,7 + bld r22,5 + bst r23,7 + bld r22,7 + bst r23,5 + bld r23,7 + bst r0,0 + bld r23,5 + bst r22,6 + bld r0,0 + bst r23,3 + bld r22,6 + bst r23,6 + bld r23,3 + bst r23,1 + bld r23,6 + bst r0,0 + bld r23,1 + bst r2,0 + bld r0,0 + bst r2,1 + bld r2,0 + bst r2,5 + bld r2,1 + bst r2,4 + bld r2,5 + bst r0,0 + bld r2,4 + bst r2,2 + bld r0,0 + bst r3,1 + bld r2,2 + bst r2,7 + bld r3,1 + bst r3,4 + bld r2,7 + bst r0,0 + bld r3,4 + bst r2,3 + bld r0,0 + bst r3,5 + bld r2,3 + bst r2,6 + bld r3,5 + bst r3,0 + bld r2,6 + bst r0,0 + bld r3,0 + bst r3,2 + bld r0,0 + bst r3,3 + bld r3,2 + bst r3,7 + bld r3,3 + bst r3,6 + bld r3,7 + bst r0,0 + bld r3,6 + bst r4,0 + bld r0,0 + bst r4,2 + bld r4,0 + bst r5,2 + bld r4,2 + bst r5,0 + bld r5,2 + bst r0,0 + bld r5,0 + bst r4,1 + bld r0,0 + bst r4,6 + bld r4,1 + bst r5,1 + bld r4,6 + bst r4,4 + bld r5,1 + bst r0,0 + bld r4,4 + bst r4,3 + bld r0,0 + bst r5,6 + bld r4,3 + bst r5,3 + bld r5,6 + bst r5,4 + bld r5,3 + bst r0,0 + bld r5,4 + bst r4,7 + bld r0,0 + bst r5,5 + bld r4,7 + bst r0,0 + bld r5,5 + bst r6,0 + bld r0,0 + bst r6,3 + bld r6,0 + bst r7,7 + bld r6,3 + bst r7,4 + bld r7,7 + bst r0,0 + bld r7,4 + bst r6,1 + bld r0,0 + bst r6,7 + bld r6,1 + bst r7,6 + bld r6,7 + bst r7,0 + bld r7,6 + bst r0,0 + bld r7,0 + bst r6,2 + bld r0,0 + bst r7,3 + bld r6,2 + bst r7,5 + bld r7,3 + bst r6,4 + bld r7,5 + bst r0,0 + bld r6,4 + bst r6,5 + bld r0,0 + bst r6,6 + bld r6,5 + bst r7,2 + bld r6,6 + bst r7,1 + bld r7,2 + bst r0,0 + bld r7,1 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + ret +1264: + ldd r26,Y+17 + ldd r27,Y+18 + bst r22,0 + bld r20,0 + bst r2,0 + bld r20,1 + bst r4,0 + bld r20,2 + bst r6,0 + bld r20,3 + bst r22,1 + bld r20,4 + bst r2,1 + bld r20,5 + bst r4,1 + bld r20,6 + bst r6,1 + bld r20,7 + bst 
r22,2 + bld r21,0 + bst r2,2 + bld r21,1 + bst r4,2 + bld r21,2 + bst r6,2 + bld r21,3 + bst r22,3 + bld r21,4 + bst r2,3 + bld r21,5 + bst r4,3 + bld r21,6 + bst r6,3 + bld r21,7 + st X+,r20 + st X+,r21 + bst r22,4 + bld r20,0 + bst r2,4 + bld r20,1 + bst r4,4 + bld r20,2 + bst r6,4 + bld r20,3 + bst r22,5 + bld r20,4 + bst r2,5 + bld r20,5 + bst r4,5 + bld r20,6 + bst r6,5 + bld r20,7 + bst r22,6 + bld r21,0 + bst r2,6 + bld r21,1 + bst r4,6 + bld r21,2 + bst r6,6 + bld r21,3 + bst r22,7 + bld r21,4 + bst r2,7 + bld r21,5 + bst r4,7 + bld r21,6 + bst r6,7 + bld r21,7 + st X+,r20 + st X+,r21 + bst r23,0 + bld r20,0 + bst r3,0 + bld r20,1 + bst r5,0 + bld r20,2 + bst r7,0 + bld r20,3 + bst r23,1 + bld r20,4 + bst r3,1 + bld r20,5 + bst r5,1 + bld r20,6 + bst r7,1 + bld r20,7 + bst r23,2 + bld r21,0 + bst r3,2 + bld r21,1 + bst r5,2 + bld r21,2 + bst r7,2 + bld r21,3 + bst r23,3 + bld r21,4 + bst r3,3 + bld r21,5 + bst r5,3 + bld r21,6 + bst r7,3 + bld r21,7 + st X+,r20 + st X+,r21 + bst r23,4 + bld r20,0 + bst r3,4 + bld r20,1 + bst r5,4 + bld r20,2 + bst r7,4 + bld r20,3 + bst r23,5 + bld r20,4 + bst r3,5 + bld r20,5 + bst r5,5 + bld r20,6 + bst r7,5 + bld r20,7 + bst r23,6 + bld r21,0 + bst r3,6 + bld r21,1 + bst r5,6 + bld r21,2 + bst r7,6 + bld r21,3 + bst r23,7 + bld r21,4 + bst r3,7 + bld r21,5 + bst r5,7 + bld r21,6 + bst r7,7 + bld r21,7 + st X+,r20 + st X+,r21 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift64t_encrypt, .-gift64t_encrypt + + .text +.global gift64t_decrypt + .type gift64t_decrypt, @function +gift64t_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 
+.L__stack_usage = 30 + ld r8,Z + ldd r9,Z+1 + ldd r10,Z+2 + ldd r11,Z+3 + mov r0,r9 + mov r9,r8 + mov r8,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Z+4 + ldd r9,Z+5 + ldd r10,Z+6 + ldd r11,Z+7 + mov r0,r9 + mov r9,r8 + mov r8,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + mov r0,r9 + mov r9,r8 + mov r8,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + mov r0,r9 + mov r9,r8 + mov r8,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r22,0 + bst r20,1 + bld r2,0 + bst r20,2 + bld r4,0 + bst r20,3 + bld r6,0 + bst r20,4 + bld r22,1 + bst r20,5 + bld r2,1 + bst r20,6 + bld r4,1 + bst r20,7 + bld r6,1 + bst r21,0 + bld r22,2 + bst r21,1 + bld r2,2 + bst r21,2 + bld r4,2 + bst r21,3 + bld r6,2 + bst r21,4 + bld r22,3 + bst r21,5 + bld r2,3 + bst r21,6 + bld r4,3 + bst r21,7 + bld r6,3 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r22,4 + bst r20,1 + bld r2,4 + bst r20,2 + bld r4,4 + bst r20,3 + bld r6,4 + bst r20,4 + bld r22,5 + bst r20,5 + bld r2,5 + bst r20,6 + bld r4,5 + bst r20,7 + bld r6,5 + bst r21,0 + bld r22,6 + bst r21,1 + bld r2,6 + bst r21,2 + bld r4,6 + bst r21,3 + bld r6,6 + bst 
r21,4 + bld r22,7 + bst r21,5 + bld r2,7 + bst r21,6 + bld r4,7 + bst r21,7 + bld r6,7 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r23,0 + bst r20,1 + bld r3,0 + bst r20,2 + bld r5,0 + bst r20,3 + bld r7,0 + bst r20,4 + bld r23,1 + bst r20,5 + bld r3,1 + bst r20,6 + bld r5,1 + bst r20,7 + bld r7,1 + bst r21,0 + bld r23,2 + bst r21,1 + bld r3,2 + bst r21,2 + bld r5,2 + bst r21,3 + bld r7,2 + bst r21,4 + bld r23,3 + bst r21,5 + bld r3,3 + bst r21,6 + bld r5,3 + bst r21,7 + bld r7,3 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r23,4 + bst r20,1 + bld r3,4 + bst r20,2 + bld r5,4 + bst r20,3 + bld r7,4 + bst r20,4 + bld r23,5 + bst r20,5 + bld r3,5 + bst r20,6 + bld r5,5 + bst r20,7 + bld r7,5 + bst r21,0 + bld r23,6 + bst r21,1 + bld r3,6 + bst r21,2 + bld r5,6 + bst r21,3 + bld r7,6 + bst r21,4 + bld r23,7 + bst r21,5 + bld r3,7 + bst r21,6 + bld r5,7 + bst r21,7 + bld r7,7 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,11 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,5 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,2 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f 
+ std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,33 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,48 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,24 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,44 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,22 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd 
r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,43 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,53 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,58 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,29 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,14 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + 
ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,39 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,51 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,57 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,60 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,30 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol 
r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,47 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,55 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,59 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,61 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,62 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,31 + ldi r21,128 + eor r6,r20 + 
eor r7,r21 + rcall 1185f + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,15 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,7 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,3 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,1 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + rjmp 1374f +1185: + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + bst r22,1 + bld r0,0 + bst r23,4 + bld r22,1 + bst r22,3 + bld r23,4 + bst r22,4 + bld r22,3 + bst r0,0 + bld r22,4 + bst r22,2 + bld r0,0 + bst r23,0 + bld r22,2 + bst r0,0 + bld r23,0 + bst r22,5 + bld r0,0 + bst r23,5 + bld r22,5 + bst r23,7 + bld r23,5 + bst r22,7 + bld r23,7 + bst r0,0 + bld r22,7 + bst r22,6 + bld r0,0 + bst r23,1 + bld r22,6 + bst r23,6 + bld r23,1 
+ bst r23,3 + bld r23,6 + bst r0,0 + bld r23,3 + bst r2,0 + bld r0,0 + bst r2,4 + bld r2,0 + bst r2,5 + bld r2,4 + bst r2,1 + bld r2,5 + bst r0,0 + bld r2,1 + bst r2,2 + bld r0,0 + bst r3,4 + bld r2,2 + bst r2,7 + bld r3,4 + bst r3,1 + bld r2,7 + bst r0,0 + bld r3,1 + bst r2,3 + bld r0,0 + bst r3,0 + bld r2,3 + bst r2,6 + bld r3,0 + bst r3,5 + bld r2,6 + bst r0,0 + bld r3,5 + bst r3,2 + bld r0,0 + bst r3,6 + bld r3,2 + bst r3,7 + bld r3,6 + bst r3,3 + bld r3,7 + bst r0,0 + bld r3,3 + bst r4,0 + bld r0,0 + bst r5,0 + bld r4,0 + bst r5,2 + bld r5,0 + bst r4,2 + bld r5,2 + bst r0,0 + bld r4,2 + bst r4,1 + bld r0,0 + bst r4,4 + bld r4,1 + bst r5,1 + bld r4,4 + bst r4,6 + bld r5,1 + bst r0,0 + bld r4,6 + bst r4,3 + bld r0,0 + bst r5,4 + bld r4,3 + bst r5,3 + bld r5,4 + bst r5,6 + bld r5,3 + bst r0,0 + bld r5,6 + bst r4,7 + bld r0,0 + bst r5,5 + bld r4,7 + bst r0,0 + bld r5,5 + bst r6,0 + bld r0,0 + bst r7,4 + bld r6,0 + bst r7,7 + bld r7,4 + bst r6,3 + bld r7,7 + bst r0,0 + bld r6,3 + bst r6,1 + bld r0,0 + bst r7,0 + bld r6,1 + bst r7,6 + bld r7,0 + bst r6,7 + bld r7,6 + bst r0,0 + bld r6,7 + bst r6,2 + bld r0,0 + bst r6,4 + bld r6,2 + bst r7,5 + bld r6,4 + bst r7,3 + bld r7,5 + bst r0,0 + bld r7,3 + bst r6,5 + bld r0,0 + bst r7,1 + bld r6,5 + bst r7,2 + bld r7,1 + bst r6,6 + bld r7,2 + bst r0,0 + bld r6,6 + movw r20,r6 + movw r6,r22 + movw r22,r20 + and r20,r2 + and r21,r3 + eor r4,r20 + eor r5,r21 + com r6 + com r7 + eor r2,r6 + eor r3,r7 + eor r6,r4 + eor r7,r5 + mov r0,r22 + or r0,r2 + eor r4,r0 + mov r0,r23 + or r0,r3 + eor r5,r0 + mov r0,r2 + and r0,r6 + eor r22,r0 + mov r0,r3 + and r0,r7 + eor r23,r0 + mov r0,r22 + and r0,r4 + eor r2,r0 + mov r0,r23 + and r0,r5 + eor r3,r0 + ret +1374: + ldd r26,Y+17 + ldd r27,Y+18 + bst r22,0 + bld r20,0 + bst r2,0 + bld r20,1 + bst r4,0 + bld r20,2 + bst r6,0 + bld r20,3 + bst r22,1 + bld r20,4 + bst r2,1 + bld r20,5 + bst r4,1 + bld r20,6 + bst r6,1 + bld r20,7 + bst r22,2 + bld r21,0 + bst r2,2 + bld r21,1 + bst r4,2 + bld 
r21,2 + bst r6,2 + bld r21,3 + bst r22,3 + bld r21,4 + bst r2,3 + bld r21,5 + bst r4,3 + bld r21,6 + bst r6,3 + bld r21,7 + st X+,r20 + st X+,r21 + bst r22,4 + bld r20,0 + bst r2,4 + bld r20,1 + bst r4,4 + bld r20,2 + bst r6,4 + bld r20,3 + bst r22,5 + bld r20,4 + bst r2,5 + bld r20,5 + bst r4,5 + bld r20,6 + bst r6,5 + bld r20,7 + bst r22,6 + bld r21,0 + bst r2,6 + bld r21,1 + bst r4,6 + bld r21,2 + bst r6,6 + bld r21,3 + bst r22,7 + bld r21,4 + bst r2,7 + bld r21,5 + bst r4,7 + bld r21,6 + bst r6,7 + bld r21,7 + st X+,r20 + st X+,r21 + bst r23,0 + bld r20,0 + bst r3,0 + bld r20,1 + bst r5,0 + bld r20,2 + bst r7,0 + bld r20,3 + bst r23,1 + bld r20,4 + bst r3,1 + bld r20,5 + bst r5,1 + bld r20,6 + bst r7,1 + bld r20,7 + bst r23,2 + bld r21,0 + bst r3,2 + bld r21,1 + bst r5,2 + bld r21,2 + bst r7,2 + bld r21,3 + bst r23,3 + bld r21,4 + bst r3,3 + bld r21,5 + bst r5,3 + bld r21,6 + bst r7,3 + bld r21,7 + st X+,r20 + st X+,r21 + bst r23,4 + bld r20,0 + bst r3,4 + bld r20,1 + bst r5,4 + bld r20,2 + bst r7,4 + bld r20,3 + bst r23,5 + bld r20,4 + bst r3,5 + bld r20,5 + bst r5,5 + bld r20,6 + bst r7,5 + bld r20,7 + bst r23,6 + bld r21,0 + bst r3,6 + bld r21,1 + bst r5,6 + bld r21,2 + bst r7,6 + bld r21,3 + bst r23,7 + bld r21,4 + bst r3,7 + bld r21,5 + bst r5,7 + bld r21,6 + bst r7,7 + bld r21,7 + st X+,r20 + st X+,r21 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift64t_decrypt, .-gift64t_decrypt + +#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.c b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.c index 321d079..81bc8a3 100644 --- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.c +++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.c 
@@ -24,6 +24,8 @@ #include "internal-util.h" #include +#if !GIFT64_LOW_MEMORY + /* Round constants for GIFT-64 in the fixsliced representation */ static uint32_t const GIFT64_RC[28] = { 0x22000011, 0x00002299, 0x11118811, 0x880000ff, 0x33111199, 0x990022ee, @@ -33,19 +35,6 @@ static uint32_t const GIFT64_RC[28] = { 0x22008811, 0x00002288, 0x00118811, 0x880000bb }; -int gift64b_init - (gift64b_key_schedule_t *ks, const unsigned char *key, size_t key_len) -{ - if (!ks || !key || key_len != 16) - return 0; - ks->k[0] = be_load_word32(key); - ks->k[1] = be_load_word32(key + 4); - ks->k[2] = be_load_word32(key + 8); - ks->k[3] = be_load_word32(key + 12); - gift64b_update_round_keys(ks); - return 1; -} - /* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ #define bit_permute_step(_y, mask, shift) \ do { \ @@ -249,7 +238,7 @@ int gift64b_init ((out & 0x00000F00U) << 8) | ((out & 0x0000F000U) << 12); \ } while (0) -void gift64b_update_round_keys(gift64b_key_schedule_t *ks) +void gift64n_update_round_keys(gift64n_key_schedule_t *ks) { uint32_t x; @@ -293,7 +282,7 @@ void gift64b_update_round_keys(gift64b_key_schedule_t *ks) * \param Tweak value or zero if there is no tweak. */ static void gift64b_encrypt_core - (const gift64b_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) + (const gift64n_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) { const uint32_t *rc = GIFT64_RC; uint32_t s0, s1, s2, s3, temp; @@ -391,7 +380,7 @@ static void gift64b_encrypt_core * \param Tweak value or zero if there is no tweak. */ static void gift64b_decrypt_core - (const gift64b_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) + (const gift64n_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) { const uint32_t *rc = GIFT64_RC + 28 - 4; uint32_t s0, s1, s2, s3, temp; 
@@ -513,18 +502,14 @@ static void gift64b_decrypt_core state[3] = s3; } -int gift64n_init - (gift64n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift64n_init(gift64n_key_schedule_t *ks, const unsigned char *key) { /* Use the little-endian byte order from the LOTUS-AEAD submission */ - if (!ks || !key || key_len != 16) - return 0; ks->k[0] = le_load_word32(key + 12); ks->k[1] = le_load_word32(key + 8); ks->k[2] = le_load_word32(key + 4); ks->k[3] = le_load_word32(key); - gift64b_update_round_keys(ks); - return 1; + gift64n_update_round_keys(ks); } /** 
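Review bot: gift64n_init now reads 16 bytes from `key` unconditionally and can no longer report a bad pointer or length, because the `!ks || !key || key_len != 16` check disappears together with the return value, and the only remaining statement of that precondition is the header's `\param key Points to the 16 bytes of the key data.` A one-line comment at the top of the body, `/* Caller guarantees ks is non-NULL and key points to exactly 16 bytes; nothing is validated here */`, keeps the contract visible at the point where the reads happen. Callers that used the old return value will fail to compile against the void signature and so can be found by building, but any caller that previously passed a variable key length should be re-checked by hand.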
@@ -622,124 +607,599 @@ void gift64n_decrypt gift64n_to_nibbles(output, state); } +/* 4-bit tweak values expanded to 32-bit in fixsliced form */ +static uint32_t const GIFT64_tweaks[16] = { + 0x00000000, 0xee11ee11, 0xdd22dd22, 0x33333333, 0xbb44bb44, 0x55555555, + 0x66666666, 0x88778877, 0x77887788, 0x99999999, 0xaaaaaaaa, 0x44bb44bb, + 0xcccccccc, 0x22dd22dd, 0x11ee11ee, 0xffffffff +}; + +void gift64t_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint16_t tweak) +{ + uint32_t state[4]; + gift64n_to_words(state, input); + gift64b_encrypt_core(ks, state, GIFT64_tweaks[tweak & 0x0F]); + gift64n_to_nibbles(output, state); +} + +void gift64t_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint16_t tweak) +{ + uint32_t state[4]; + gift64n_to_words(state, input); + gift64b_decrypt_core(ks, state, GIFT64_tweaks[tweak & 0x0F]); + gift64n_to_nibbles(output, state); +} + +#elif !defined(__AVR__) /* GIFT64_LOW_MEMORY */ + +/* Round constants for GIFT-64 */ +static uint8_t const GIFT64_RC[28] = { + 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, + 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, + 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, + 0x21, 0x02, 0x05, 0x0B +}; + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint16_t y = (_y); \ + uint16_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step_simple */ +#define bit_permute_step_simple(_y, mask, shift) \ + do { \ + (_y) = (((_y) & (mask)) << (shift)) | (((_y) >> (shift)) & (mask)); \ + } while (0) + +/* + * The permutation below was generated by the online permuation generator at + * "http://programming.sirrida.de/calcperm.php". 
+ * + * All of the permutuations are essentially the same, except that each is + * rotated by 4 bits with respect to the next: + * + * P0: 0 12 8 4 1 13 9 5 2 14 10 6 3 15 11 7 + * P1: 4 0 12 8 5 1 13 9 6 2 14 10 7 3 15 11 + * P2: 8 4 0 12 9 5 1 13 10 6 2 14 11 7 3 15 + * P3: 12 8 4 0 13 9 5 1 14 10 6 2 15 11 7 3 + * + * The most efficient permutation from the online generator was P1, so we + * perform it as the core of the others, and then perform a final rotation. + * + * It is possible to do slightly better than "P1 then rotate" on desktop and + * server architectures for the other permutations. But the advantage isn't + * as evident on embedded platforms so we keep things simple. + */ +#define PERM1_INNER(x) \ + do { \ + bit_permute_step(x, 0x0a0a, 3); \ + bit_permute_step(x, 0x00cc, 6); \ + bit_permute_step_simple(x, 0x0f0f, 4); \ + } while (0) +#define PERM0(x) \ + do { \ + uint32_t _x = (x); \ + PERM1_INNER(_x); \ + (x) = leftRotate12_16(_x); \ + } while (0) +#define PERM1(x) PERM1_INNER(x) +#define PERM2(x) \ + do { \ + uint32_t _x = (x); \ + PERM1_INNER(_x); \ + (x) = leftRotate4_16(_x); \ + } while (0) +#define PERM3(x) \ + do { \ + uint32_t _x = (x); \ + PERM1_INNER(_x); \ + (x) = leftRotate8_16(_x); \ + } while (0) + +#define INV_PERM1_INNER(x) \ + do { \ + bit_permute_step(x, 0x0505, 5); \ + bit_permute_step(x, 0x00cc, 6); \ + bit_permute_step_simple(x, 0x0f0f, 4); \ + } while (0) +#define INV_PERM0(x) \ + do { \ + uint32_t _x = rightRotate12_16(x); \ + INV_PERM1_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM1(x) INV_PERM1_INNER(x) +#define INV_PERM2(x) \ + do { \ + uint32_t _x = rightRotate4_16(x); \ + INV_PERM1_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM3(x) \ + do { \ + uint32_t _x = rightRotate8_16(x); \ + INV_PERM1_INNER(_x); \ + (x) = _x; \ + } while (0) + /** - * \brief Converts the GIFT-64 nibble-based representation into word-based - * (big-endian version). 
+ * \brief Encrypts a 64-bit block with GIFT-64 (bit-sliced). * - * \param output Output buffer to write the word-based version to. - * \param input Input buffer to read the nibble-based version from. + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. * - * The output words will be in fixsliced form. Technically the output will - * contain two blocks for gift64b_encrypt_core() to process in parallel but - * both blocks will have the same value. + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. */ -static void gift64nb_to_words(uint32_t output[4], const unsigned char *input) +static void gift64b_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) { - uint32_t s0, s1, s2, s3; + uint16_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input block into 32-bit words */ - s0 = be_load_word32(input + 4); - s2 = be_load_word32(input); + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word16(input); + s1 = be_load_word16(input + 2); + s2 = be_load_word16(input + 4); + s3 = be_load_word16(input + 6); + + /* The key schedule is initialized with the key itself */ + w0 = ks->k[0]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[3]; + + /* Perform all 28 rounds */ + for (round = 0; round < 28; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 64-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s0 ^= (uint16_t)w3; + s1 ^= (uint16_t)(w3 >> 16); + s3 ^= 0x8000U ^ GIFT64_RC[round]; + + /* Rotate the key schedule 
*/ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Rearrange the bits in the block */ - gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); - gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); - gift64b_swap_move(s0, s0, 0x0000FF00U, 8); - gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); - gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); - gift64b_swap_move(s2, s2, 0x0000FF00U, 8); + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word16(output, s0); + be_store_word16(output + 2, s1); + be_store_word16(output + 4, s2); + be_store_word16(output + 6, s3); +} - /* Split into two identical blocks in fixsliced form */ - s1 = s0; - s3 = s2; - gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); - gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); - gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); - gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; +/** + * \brief Decrypts a 64-bit block with GIFT-64 (bit-sliced). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +static void gift64b_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint16_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the ciphertext into the state buffer and convert from big endian */ + s0 = be_load_word16(input); + s1 = be_load_word16(input + 2); + s2 = be_load_word16(input + 4); + s3 = be_load_word16(input + 6); + + /* Generate the decryption key at the end of the last round. 
+ * + * To do that, we run the block operation forward to determine the + * final state of the key schedule after the last round: + * + * w0 = ks->k[0]; + * w1 = ks->k[1]; + * w2 = ks->k[2]; + * w3 = ks->k[3]; + * for (round = 0; round < 28; ++round) { + * temp = w3; + * w3 = w2; + * w2 = w1; + * w1 = w0; + * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + * } + * + * We can short-cut all of the above by noticing that we don't need + * to do the word rotations. Every 4 rounds, the rotation alignment + * returns to the original position and each word has been rotated + * by applying the "2 right and 4 left" bit-rotation step to it. + * We then repeat that 7 times for the full 28 rounds. The overall + * effect is to apply a "14 right and 28 left" bit-rotation to every word + * in the key schedule. That is equivalent to "14 right and 12 left" + * on the 16-bit sub-words. + */ + w0 = ks->k[0]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[3]; + w0 = ((w0 & 0xC0000000U) >> 14) | ((w0 & 0x3FFF0000U) << 2) | + ((w0 & 0x0000000FU) << 12) | ((w0 & 0x0000FFF0U) >> 4); + w1 = ((w1 & 0xC0000000U) >> 14) | ((w1 & 0x3FFF0000U) << 2) | + ((w1 & 0x0000000FU) << 12) | ((w1 & 0x0000FFF0U) >> 4); + w2 = ((w2 & 0xC0000000U) >> 14) | ((w2 & 0x3FFF0000U) << 2) | + ((w2 & 0x0000000FU) << 12) | ((w2 & 0x0000FFF0U) >> 4); + w3 = ((w3 & 0xC0000000U) >> 14) | ((w3 & 0x3FFF0000U) << 2) | + ((w3 & 0x0000000FU) << 12) | ((w3 & 0x0000FFF0U) >> 4); + + /* Perform all 28 rounds */ + for (round = 28; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s0 ^= (uint16_t)w3; + s1 ^= (uint16_t)(w3 >> 16); + s3 ^= 0x8000U ^ GIFT64_RC[round - 1]; + + /* InvPermBits 
- apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp = s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } + + /* Pack the state into the plaintext buffer in big endian */ + be_store_word16(output, s0); + be_store_word16(output + 2, s1); + be_store_word16(output + 4, s2); + be_store_word16(output + 6, s3); } +void gift64n_init(gift64n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian byte order from the LOTUS-AEAD submission */ + ks->k[0] = le_load_word32(key + 12); + ks->k[1] = le_load_word32(key + 8); + ks->k[2] = le_load_word32(key + 4); + ks->k[3] = le_load_word32(key); +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step_32(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + /** - * \brief Converts the GIFT-64 word-based representation into nibble-based - * (big-endian version). + * \brief Converts the GIFT-64 nibble-based representation into word-based. * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. * - * The input words are in fixsliced form. Technically there are two - * identical blocks in the input. We drop one when we write to the output. + * The \a input and \a output buffers can be the same buffer. 
*/ -static void gift64nb_to_nibbles(unsigned char *output, const uint32_t input[4]) +static void gift64n_to_words + (unsigned char *output, const unsigned char *input) { - uint32_t s0, s1, s2, s3; + uint32_t s0, s1; - /* Load the state and split the two blocks into separate words */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); - gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); - gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); - gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); + /* Load the input buffer into 32-bit words. We use the nibble order from + * the LOTUS-AEAD submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-64 paper. Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 4); + s1 = le_load_word32(input); - /* Rearrange the bits in the first block back into nibble form */ - gift64b_swap_move(s0, s0, 0x0000FF00U, 8); - gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); - gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); - gift64b_swap_move(s2, s2, 0x0000FF00U, 8); - gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); - gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); - be_store_word32(output, s2); - be_store_word32(output + 4, s0); + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". 
+ */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step_32(x, 0x0a0a0a0a, 3); \ + bit_permute_step_32(x, 0x00cc00cc, 6); \ + bit_permute_step_32(x, 0x0000f0f0, 12); \ + bit_permute_step_32(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)(s0 >> 8); + output[3] = (uint8_t)(s1 >> 8); + output[4] = (uint8_t)(s0 >> 16); + output[5] = (uint8_t)(s1 >> 16); + output[6] = (uint8_t)(s0 >> 24); + output[7] = (uint8_t)(s1 >> 24); } -void gift64nb_encrypt +/** + * \brief Converts the GIFT-64 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. + */ +static void gift64n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s1 contains the least significant */ + s0 = (((uint32_t)(input[6])) << 24) | + (((uint32_t)(input[4])) << 16) | + (((uint32_t)(input[2])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[7])) << 24) | + (((uint32_t)(input[5])) << 16) | + (((uint32_t)(input[3])) << 8) | + ((uint32_t)(input[1])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step_32(x, 0x00aa00aa, 7); \ + bit_permute_step_32(x, 0x0000cccc, 14); \ + bit_permute_step_32(x, 0x00f000f0, 4); \ + bit_permute_step_32(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 4, s0); + le_store_word32(output, s1); +} + +void gift64n_encrypt (const gift64n_key_schedule_t *ks, unsigned char *output, const 
unsigned char *input) { - uint32_t state[4]; - gift64nb_to_words(state, input); - gift64b_encrypt_core(ks, state, 0); - gift64nb_to_nibbles(output, state); + gift64n_to_words(output, input); + gift64b_encrypt(ks, output, output); + gift64n_to_nibbles(output, output); } -void gift64nb_decrypt +void gift64n_decrypt (const gift64n_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { - uint32_t state[4]; - gift64nb_to_words(state, input); - gift64b_decrypt_core(ks, state, 0); - gift64nb_to_nibbles(output, state); + gift64n_to_words(output, input); + gift64b_decrypt(ks, output, output); + gift64n_to_nibbles(output, output); } -/* 4-bit tweak values expanded to 32-bit in fixsliced form */ -static uint32_t const GIFT64_tweaks[16] = { - 0x00000000, 0xee11ee11, 0xdd22dd22, 0x33333333, 0xbb44bb44, 0x55555555, - 0x66666666, 0x88778877, 0x77887788, 0x99999999, 0xaaaaaaaa, 0x44bb44bb, - 0xcccccccc, 0x22dd22dd, 0x11ee11ee, 0xffffffff -}; - void gift64t_encrypt (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint16_t tweak) { - uint32_t state[4]; - gift64n_to_words(state, input); - gift64b_encrypt_core(ks, state, GIFT64_tweaks[tweak]); - gift64n_to_nibbles(output, state); + uint16_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift64n_to_words(output, input); + s0 = be_load_word16(output); + s1 = be_load_word16(output + 2); + s2 = be_load_word16(output + 4); + s3 = be_load_word16(output + 6); + + /* The key schedule is initialized with the key itself */ + w0 = ks->k[0]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[3]; + + /* Perform all 28 rounds */ + for (round = 0; round < 28; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = 
temp; + + /* PermBits - apply the 64-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s0 ^= (uint16_t)w3; + s1 ^= (uint16_t)(w3 >> 16); + s3 ^= 0x8000U ^ GIFT64_RC[round]; + + /* AddTweak - XOR in the tweak every 4 rounds except the last */ + if (((round + 1) % 4) == 0 && round < 27) + s2 ^= tweak; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word16(output, s0); + be_store_word16(output + 2, s1); + be_store_word16(output + 4, s2); + be_store_word16(output + 6, s3); + gift64n_to_nibbles(output, output); } void gift64t_decrypt (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint16_t tweak) { - uint32_t state[4]; - gift64n_to_words(state, input); - gift64b_decrypt_core(ks, state, GIFT64_tweaks[tweak]); - gift64n_to_nibbles(output, state); + uint16_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the ciphertext into the state buffer and convert from nibbles */ + gift64n_to_words(output, input); + s0 = be_load_word16(output); + s1 = be_load_word16(output + 2); + s2 = be_load_word16(output + 4); + s3 = be_load_word16(output + 6); + + /* Generate the decryption key at the end of the last round. 
+ * + * To do that, we run the block operation forward to determine the + * final state of the key schedule after the last round: + * + * w0 = ks->k[0]; + * w1 = ks->k[1]; + * w2 = ks->k[2]; + * w3 = ks->k[3]; + * for (round = 0; round < 28; ++round) { + * temp = w3; + * w3 = w2; + * w2 = w1; + * w1 = w0; + * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + * } + * + * We can short-cut all of the above by noticing that we don't need + * to do the word rotations. Every 4 rounds, the rotation alignment + * returns to the original position and each word has been rotated + * by applying the "2 right and 4 left" bit-rotation step to it. + * We then repeat that 7 times for the full 28 rounds. The overall + * effect is to apply a "14 right and 28 left" bit-rotation to every word + * in the key schedule. That is equivalent to "14 right and 12 left" + * on the 16-bit sub-words. + */ + w0 = ks->k[0]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[3]; + w0 = ((w0 & 0xC0000000U) >> 14) | ((w0 & 0x3FFF0000U) << 2) | + ((w0 & 0x0000000FU) << 12) | ((w0 & 0x0000FFF0U) >> 4); + w1 = ((w1 & 0xC0000000U) >> 14) | ((w1 & 0x3FFF0000U) << 2) | + ((w1 & 0x0000000FU) << 12) | ((w1 & 0x0000FFF0U) >> 4); + w2 = ((w2 & 0xC0000000U) >> 14) | ((w2 & 0x3FFF0000U) << 2) | + ((w2 & 0x0000000FU) << 12) | ((w2 & 0x0000FFF0U) >> 4); + w3 = ((w3 & 0xC0000000U) >> 14) | ((w3 & 0x3FFF0000U) << 2) | + ((w3 & 0x0000000FU) << 12) | ((w3 & 0x0000FFF0U) >> 4); + + /* Perform all 28 rounds */ + for (round = 28; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddTweak - XOR in the tweak every 4 rounds except the last */ + if ((round % 4) == 0 && round != 28) + s2 ^= tweak; + + /* AddRoundKey - XOR in the key schedule and the round 
constant */ + s0 ^= (uint16_t)w3; + s1 ^= (uint16_t)(w3 >> 16); + s3 ^= 0x8000U ^ GIFT64_RC[round - 1]; + + /* InvPermBits - apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp = s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } + + /* Pack the state into the plaintext buffer in nibble form */ + be_store_word16(output, s0); + be_store_word16(output + 2, s1); + be_store_word16(output + 4, s2); + be_store_word16(output + 6, s3); + gift64n_to_nibbles(output, output); } + +#endif /* GIFT64_LOW_MEMORY */ diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.h b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.h index 40479c7..010359b 100644 --- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.h +++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-gift64.h @@ -28,6 +28,7 @@ * \brief GIFT-64 block cipher. * * References: https://eprint.iacr.org/2017/622.pdf, + * https://eprint.iacr.org/2020/412.pdf, * https://giftcipher.github.io/gift/ */ 
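Review bot: The comment `/* InvPermBits - apply the inverse of the 128-bit permutation */` in the new gift64b_decrypt and gift64t_decrypt bodies names the wrong width; these permute a 64-bit state (the matching encrypt comments say `/* PermBits - apply the 64-bit permutation */`), so both should read `/* InvPermBits - apply the inverse of the 64-bit permutation */`. The block comment above PERM1_INNER also carries the typos `permuation` and `permutuations`. Separately, `PERM_WORDS` and `INV_PERM_WORDS` are `#define`d inside the bodies of gift64n_to_words and gift64n_to_nibbles but never `#undef`d, so they remain visible to the rest of the translation unit; an `#undef PERM_WORDS` after its last use (and likewise for `INV_PERM_WORDS`) keeps these helpers local to the functions they belong to.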
@@ -39,57 +40,63 @@ extern "C" { #endif /** + * \var GIFT64_LOW_MEMORY + * \brief Define this to 1 to use a low memory version of the key schedule. + * + * The default is to use the fix-sliced version of GIFT-64 which is very + * fast on 32-bit platforms but requires 48 bytes to store the key schedule. + * The large key schedule may be a problem on 8-bit and 16-bit platforms. + * The fix-sliced version also encrypts two blocks at a time in 32-bit + * words which is an unnecessary optimization for 8-bit platforms. + * + * GIFT64_LOW_MEMORY can be defined to 1 to select the original non + * fix-sliced version which only requires 16 bytes to store the key, + * with the rest of the key schedule expanded on the fly. + */ +#if !defined(GIFT64_LOW_MEMORY) +#if defined(__AVR__) +#define GIFT64_LOW_MEMORY 1 +#else +#define GIFT64_LOW_MEMORY 0 +#endif +#endif + +/** * \brief Size of a GIFT-64 block in bytes. */ #define GIFT64_BLOCK_SIZE 8 /** - * \brief Structure of the key schedule for GIFT-64 (bit-sliced). + * \brief Structure of the key schedule for GIFT-64. */ typedef struct { uint32_t k[4]; /**< Words of the key schedule */ +#if !GIFT64_LOW_MEMORY uint32_t rk[8]; /**< Pre-computed round keys for fixsliced form */ +#endif -} gift64b_key_schedule_t; - -/** - * \brief Initializes the key schedule for GIFT-64 (bit-sliced). - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int gift64b_init - (gift64b_key_schedule_t *ks, const unsigned char *key, size_t key_len); +} gift64n_key_schedule_t; /** + * \fn void gift64n_update_round_keys(gift64n_key_schedule_t *ks); * \brief Updates the round keys after a change in the base key. * * \param ks Points to the key schedule to update. 
*/ -void gift64b_update_round_keys(gift64b_key_schedule_t *ks); - -/** - * \brief Structure of the key schedule for GIFT-64 (nibble-based). - */ -typedef gift64b_key_schedule_t gift64n_key_schedule_t; +#if GIFT64_LOW_MEMORY +#define gift64n_update_round_keys(ks) do { ; } while (0) /* Not needed */ +#else +void gift64n_update_round_keys(gift64n_key_schedule_t *ks); +#endif /** * \brief Initializes the key schedule for GIFT-64 (nibble-based). * * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. + * \param key Points to the 16 bytes of the key data. */ -int gift64n_init - (gift64n_key_schedule_t *ks, const unsigned char *key, size_t key_len); +void gift64n_init(gift64n_key_schedule_t *ks, const unsigned char *key); /** * \brief Encrypts a 64-bit block with GIFT-64 (nibble-based). 
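Review bot: `#define gift64n_update_round_keys(ks) do { ; } while (0)` discards its argument without evaluating it, so a caller whose only use of a key-schedule variable is this call gets an unused-variable warning in the low-memory build while the fix-sliced build, where this is a real function call, does not; `#define gift64n_update_round_keys(ks) do { (void)(ks); } while (0)` makes the two configurations behave alike. The trailing `/* Not needed */` could also say why, since the low-memory implementation in internal-gift64.c rotates the key words inside each round instead of precomputing `rk[]`: `/* Not needed: the low-memory build derives round keys on the fly */`.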
@@ -119,33 +126,23 @@ void gift64n_decrypt (const gift64n_key_schedule_t *ks, unsigned char *output, const unsigned char *input); -/** - * \brief Encrypts a 64-bit block with GIFT-64 (nibble-based big-endian). - * - * \param ks Points to the GIFT-64 key schedule. - * \param output Output buffer which must be at least 8 bytes in length. - * \param input Input buffer which must be at least 8 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void gift64nb_encrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 64-bit block with GIFT-64 (nibble-based big-endian). - * - * \param ks Points to the GIFT-64 key schedule. - * \param output Output buffer which must be at least 8 bytes in length. - * \param input Input buffer which must be at least 8 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place decryption. - */ -void gift64nb_decrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); +/* 4-bit tweak values expanded to 16-bit for TweGIFT-64 */ +#define GIFT64T_TWEAK_0 0x0000 /**< TweGIFT-64 tweak value 0 */ +#define GIFT64T_TWEAK_1 0xe1e1 /**< TweGIFT-64 tweak value 1 */ +#define GIFT64T_TWEAK_2 0xd2d2 /**< TweGIFT-64 tweak value 2 */ +#define GIFT64T_TWEAK_3 0x3333 /**< TweGIFT-64 tweak value 3 */ +#define GIFT64T_TWEAK_4 0xb4b4 /**< TweGIFT-64 tweak value 4 */ +#define GIFT64T_TWEAK_5 0x5555 /**< TweGIFT-64 tweak value 5 */ +#define GIFT64T_TWEAK_6 0x6666 /**< TweGIFT-64 tweak value 6 */ +#define GIFT64T_TWEAK_7 0x8787 /**< TweGIFT-64 tweak value 7 */ +#define GIFT64T_TWEAK_8 0x7878 /**< TweGIFT-64 tweak value 8 */ +#define GIFT64T_TWEAK_9 0x9999 /**< TweGIFT-64 tweak value 9 */ +#define GIFT64T_TWEAK_10 0xaaaa /**< TweGIFT-64 tweak value 10 */ +#define GIFT64T_TWEAK_11 0x4b4b /**< TweGIFT-64 tweak value 11 */ +#define GIFT64T_TWEAK_12 0xcccc 
/**< TweGIFT-64 tweak value 12 */ +#define GIFT64T_TWEAK_13 0x2d2d /**< TweGIFT-64 tweak value 13 */ +#define GIFT64T_TWEAK_14 0x1e1e /**< TweGIFT-64 tweak value 14 */ +#define GIFT64T_TWEAK_15 0xffff /**< TweGIFT-64 tweak value 15 */ /** * \brief Encrypts a 64-bit block with TweGIFT-64 (tweakable variant). @@ -153,7 +150,7 @@ void gift64nb_decrypt * \param ks Points to the GIFT-64 key schedule. * \param output Output buffer which must be at least 8 bytes in length. * \param input Input buffer which must be at least 8 bytes in length. - * \param tweak 4-bit tweak value. + * \param tweak 4-bit tweak value expanded to 16-bit. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. @@ -165,7 +162,7 @@ void gift64nb_decrypt */ void gift64t_encrypt (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak); + const unsigned char *input, uint16_t tweak); /** * \brief Decrypts a 64-bit block with TweGIFT-64 (tweakable variant). @@ -173,7 +170,7 @@ void gift64t_encrypt * \param ks Points to the GIFT-64 key schedule. * \param output Output buffer which must be at least 8 bytes in length. * \param input Input buffer which must be at least 8 bytes in length. - * \param tweak 4-bit tweak value. + * \param tweak 4-bit tweak value expanded to 16-bit. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. @@ -185,7 +182,7 @@ void gift64t_encrypt */ void gift64t_decrypt (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak); + const unsigned char *input, uint16_t tweak); #ifdef __cplusplus } diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-util.h b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-util.h 
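Review bot: Each GIFT64T_TWEAK_n value carries n in its low nibble (0xe1e1 for 1, 0xd2d2 for 2, through 0xffff for 15), and the fix-sliced gift64t_encrypt and gift64t_decrypt in internal-gift64.c depend on exactly that when they index `GIFT64_tweaks[tweak & 0x0F]`, but nothing in this header records the invariant. Add above the defines `/* Invariant: the low nibble of each expanded tweak is the 4-bit tweak index n; the fix-sliced implementation relies on this via (tweak & 0x0F). */` so a constant cannot later be edited or added without preserving it.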
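Review bot: `\param tweak 4-bit tweak value expanded to 16-bit` does not say that only the GIFT64T_TWEAK_n constants are valid, and the two implementations in internal-gift64.c disagree on every other value: the fix-sliced path masks with `tweak & 0x0F` and looks up the expansion, while the low-memory path XORs the raw 16-bit value straight into the state, so a caller passing a bare `1` would get different ciphertexts on the two builds. Tighten the wording in both gift64t_encrypt and gift64t_decrypt (the same `\param` line is changed again in the @@ -173 hunk) to `\param tweak Expanded 16-bit tweak; must be one of the GIFT64T_TWEAK_n constants.`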
+++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
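Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is derived from `__AVR__` with no way to override it, unlike `GIFT64_LOW_MEMORY` in internal-gift64.h, which this same commit wraps in `#if !defined(...)` so either configuration can be forced from the build; wrapping this block the same way, `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` before the `#if defined(__AVR__)` and a closing `#endif` after it, lets the composed rotation macros be compiled and run against the known-answer tests on a host machine rather than only on AVR hardware. The `#if !LW_CRYPTO_ROTATE32_COMPOSED` opened by the second hunk here has its `#else` arm in the following hunk, which runs past this view.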
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.c b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.c
index e60b084..4a1efd0 100644
--- a/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.c
+++ b/lotus-locus/Implementations/crypto_aead/twegift64locusaeadv1/rhys/lotus-locus.c
@@ -57,7 +57,7 @@ STATIC_INLINE void lotus_or_locus_mul_2(gift64n_key_schedule_t *ks)
 ks->k[1] = (ks->k[1] << 1) | (ks->k[2] >> 31);
 ks->k[2] = (ks->k[2] << 1) | (ks->k[3] >> 31);
 ks->k[3] = (ks->k[3] << 1) ^ (mask & 0x87);
- gift64b_update_round_keys(ks);
+ gift64n_update_round_keys(ks);
 }
 
 /**
@@ -77,12 +77,12 @@ static void lotus_or_locus_init
 const unsigned char *nonce, unsigned char *T)
 {
- gift64n_init(ks, key, LOTUS_AEAD_KEY_SIZE);
+ gift64n_init(ks, key);
 memset(deltaN, 0, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(ks, deltaN, deltaN, 0);
+ gift64t_encrypt(ks, deltaN, deltaN, GIFT64T_TWEAK_0);
 lw_xor_block_2_src(T, key, nonce, LOTUS_AEAD_KEY_SIZE);
- gift64n_init(ks, T, LOTUS_AEAD_KEY_SIZE);
- gift64t_encrypt(ks, deltaN, deltaN, 1);
+ gift64n_init(ks, T);
+ gift64t_encrypt(ks, deltaN, deltaN, GIFT64T_TWEAK_1);
 }
 
 /**
@@ -105,7 +105,7 @@ static void lotus_or_locus_process_ad
 while (adlen > GIFT64_BLOCK_SIZE) {
 lotus_or_locus_mul_2(ks);
 lw_xor_block_2_src(X, ad, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(ks, X, X, 2);
+ gift64t_encrypt(ks, X, X, GIFT64T_TWEAK_2);
 lw_xor_block(V, X, GIFT64_BLOCK_SIZE);
 ad += GIFT64_BLOCK_SIZE;
 adlen -= GIFT64_BLOCK_SIZE;
@@ -116,10 +116,10 @@ static void lotus_or_locus_process_ad
 memcpy(X, deltaN, GIFT64_BLOCK_SIZE);
 lw_xor_block(X, ad, temp);
 X[temp] ^= 0x01;
- gift64t_encrypt(ks, X, X, 3);
+ gift64t_encrypt(ks, X, X, GIFT64T_TWEAK_3);
 } else {
 lw_xor_block_2_src(X, ad, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(ks, X, X, 2);
+ gift64t_encrypt(ks, X, X, GIFT64T_TWEAK_2);
 }
 lw_xor_block(V, X, GIFT64_BLOCK_SIZE);
 }
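Review bot: In the lotus_or_locus_init hunk (-77) the named tweaks make the deltaN derivation readable, but nothing says why the key schedule is initialised twice; I would add above the first gift64n_init: `/* deltaN = E_K(0) under tweak 0, then re-key with K ^ N and encrypt deltaN again under tweak 1 */`, which is exactly what the four visible calls do. After the second gift64n_init the buffer T holds key ^ nonce and is only a copy of key-derived material; lotus_or_locus_init's parameter list starts outside the hunk and I cannot see whether its callers wipe T, so if it is a caller-side scratch array the callers in lotus_aead_encrypt/decrypt should clear it (and the schedule) before returning. Separately, `mask & 0x87` in the -57 hunk is presumably the doubling reduction constant for the 128-bit key; giving it a name would match the magic-number cleanup this commit does for the tweaks.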
@@ -142,7 +142,7 @@ static void lotus_or_locus_gen_tag
 lotus_or_locus_mul_2(ks);
 lw_xor_block(W, deltaN, GIFT64_BLOCK_SIZE);
 lw_xor_block(W, V, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(ks, W, W, 6);
+ gift64t_encrypt(ks, W, W, GIFT64T_TWEAK_6);
 lw_xor_block_2_src(tag, W, deltaN, GIFT64_BLOCK_SIZE);
 }
 
@@ -180,15 +180,15 @@ int lotus_aead_encrypt
 while (mlen > (GIFT64_BLOCK_SIZE * 2)) {
 lotus_or_locus_mul_2(&ks);
 lw_xor_block_2_src(X1, m, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X1, 4);
+ gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_4);
 lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, 4);
+ gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_4);
 lw_xor_block_2_src
 (X2, m + GIFT64_BLOCK_SIZE, X2, GIFT64_BLOCK_SIZE);
 lw_xor_block_2_src(c, X2, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, 5);
+ gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_5);
 lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, 5);
+ gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_5);
 lw_xor_block_2_src
 (c + GIFT64_BLOCK_SIZE, X1, X2, GIFT64_BLOCK_SIZE);
 c += GIFT64_BLOCK_SIZE * 2;
@@ -199,9 +199,9 @@ int lotus_aead_encrypt
 lotus_or_locus_mul_2(&ks);
 memcpy(X1, deltaN, GIFT64_BLOCK_SIZE);
 X1[0] ^= (unsigned char)temp;
- gift64t_encrypt(&ks, X2, X1, 12);
+ gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_12);
 lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, 12);
+ gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_12);
 if (temp <= GIFT64_BLOCK_SIZE) {
 lw_xor_block(WV, m, temp);
 lw_xor_block(X2, m, temp);
@@ -212,9 +212,9 @@ int lotus_aead_encrypt
 c += GIFT64_BLOCK_SIZE;
 m += GIFT64_BLOCK_SIZE;
 temp -= GIFT64_BLOCK_SIZE;
- gift64t_encrypt(&ks, X2, X2, 13);
+ gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13);
 lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, 13);
+ gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13);
 lw_xor_block(WV, m, temp);
 lw_xor_block(X1, X2, temp);
 lw_xor_block_2_src(c, X1, m, temp);
@@ -265,14 +265,14 @@ int lotus_aead_decrypt
 while (clen > (GIFT64_BLOCK_SIZE * 2)) {
 lotus_or_locus_mul_2(&ks);
 lw_xor_block_2_src(X1, c, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X1, 5);
+ gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_5);
 lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, 5);
+ gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_5);
 lw_xor_block(X2, c + GIFT64_BLOCK_SIZE, GIFT64_BLOCK_SIZE);
 lw_xor_block_2_src(m, X2, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, 4);
+ gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_4);
 lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, 4);
+ gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_4);
 lw_xor_block_2_src
 (m + GIFT64_BLOCK_SIZE, X1, X2, GIFT64_BLOCK_SIZE);
 c += GIFT64_BLOCK_SIZE * 2;
@@ -283,9 +283,9 @@ int lotus_aead_decrypt
 lotus_or_locus_mul_2(&ks);
 memcpy(X1, deltaN, GIFT64_BLOCK_SIZE);
 X1[0] ^= (unsigned char)temp;
- gift64t_encrypt(&ks, X2, X1, 12);
+ gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_12);
 lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, 12);
+ gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_12);
 if (temp <= GIFT64_BLOCK_SIZE) {
 lw_xor_block_2_src(m, X2, c, temp);
 lw_xor_block(m, deltaN, temp);
@@ -298,9 +298,9 @@ int lotus_aead_decrypt
 c += GIFT64_BLOCK_SIZE;
 m += GIFT64_BLOCK_SIZE;
 temp -= GIFT64_BLOCK_SIZE;
- gift64t_encrypt(&ks, X2, X2, 13);
+ gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13);
 lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X2, X2, 13);
+ gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13);
 lw_xor_block(X1, X2, temp);
 lw_xor_block_2_src(m, X1, c, temp);
 lw_xor_block(WV, m, temp);
@@ -346,9 +346,9 @@ int locus_aead_encrypt
 while (mlen > GIFT64_BLOCK_SIZE) {
 lotus_or_locus_mul_2(&ks);
 lw_xor_block_2_src(X, m, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X, X, 4);
+ gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_4);
 lw_xor_block(WV, X, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X, X, 4);
+ gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_4);
 lw_xor_block_2_src(c, X, deltaN, GIFT64_BLOCK_SIZE);
 c += GIFT64_BLOCK_SIZE;
 m += GIFT64_BLOCK_SIZE;
@@ -358,10 +358,10 @@ int locus_aead_encrypt
 lotus_or_locus_mul_2(&ks);
 memcpy(X, deltaN, GIFT64_BLOCK_SIZE);
 X[0] ^= (unsigned char)temp;
- gift64t_encrypt(&ks, X, X, 5);
+ gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5);
 lw_xor_block(WV, X, GIFT64_BLOCK_SIZE);
 lw_xor_block(WV, m, temp);
- gift64t_encrypt(&ks, X, X, 5);
+ gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5);
 lw_xor_block(X, deltaN, temp);
 lw_xor_block_2_src(c, m, X, temp);
 c += temp;
@@ -409,9 +409,9 @@ int locus_aead_decrypt
 while (clen > GIFT64_BLOCK_SIZE) {
 lotus_or_locus_mul_2(&ks);
 lw_xor_block_2_src(X, c, deltaN, GIFT64_BLOCK_SIZE);
- gift64t_decrypt(&ks, X, X, 4);
+ gift64t_decrypt(&ks, X, X, GIFT64T_TWEAK_4);
 lw_xor_block(WV, X, GIFT64_BLOCK_SIZE);
- gift64t_decrypt(&ks, X, X, 4);
+ gift64t_decrypt(&ks, X, X, GIFT64T_TWEAK_4);
 lw_xor_block_2_src(m, X, deltaN, GIFT64_BLOCK_SIZE);
 c += GIFT64_BLOCK_SIZE;
 m += GIFT64_BLOCK_SIZE;
@@ -421,9 +421,9 @@ int locus_aead_decrypt
 lotus_or_locus_mul_2(&ks);
 memcpy(X, deltaN, GIFT64_BLOCK_SIZE);
 X[0] ^= (unsigned char)temp;
- gift64t_encrypt(&ks, X, X, 5);
+ gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5);
 lw_xor_block(WV, X, GIFT64_BLOCK_SIZE);
- gift64t_encrypt(&ks, X, X, 5);
+ gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5);
 lw_xor_block(X, deltaN, temp);
 lw_xor_block_2_src(m, c, X, temp);
 lw_xor_block(WV, m, temp);
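Review bot: In locus_aead_decrypt the full-block loop (-409 hunk) is the only place in this file that calls gift64t_decrypt, yet the final partial block (-421 hunk) still calls gift64t_encrypt with GIFT64T_TWEAK_5, which reads like a copy-paste slip on first sight. It mirrors locus_aead_encrypt's -358 hunk, where the partial block is also produced with encrypt and XORed into m/c, so it appears to be a keystream-style final block rather than an error; the tweak rename makes that asymmetry more visible, not less. A comment would save the next reader the same double-take: `/* Final partial block is keystream-style: encrypt on both sides */` above the first gift64t_encrypt in the -421 hunk, and the same line in -358. Both functions' bodies continue outside the hunks, so I could not confirm the tag check that follows.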
diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/aead-common.c b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/aead-common.h b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/api.h b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/api.h deleted file mode 100644 index 4bf8f5c..0000000 --- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 8 -#define CRYPTO_NOOVERLAP 1 diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/encrypt.c b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/encrypt.c deleted file mode 100644 index e089543..0000000 --- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@
-
-#include "lotus-locus.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return lotus_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return lotus_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/internal-gift64-avr.S b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/internal-gift64-avr.S
deleted file mode 100644
index fdb668d..0000000
--- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/internal-gift64-avr.S
+++ /dev/null
@@ -1,6047 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global gift64n_init - .type gift64n_init, @function -gift64n_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - std Z+12,r18 - std Z+13,r19 - std Z+14,r20 - std Z+15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - std Z+8,r18 - std Z+9,r19 - std Z+10,r20 - std Z+11,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - std Z+4,r18 - std Z+5,r19 - std Z+6,r20 - std Z+7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - ret - .size gift64n_init, .-gift64n_init - - .text -.global gift64n_encrypt - .type gift64n_encrypt, @function -gift64n_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 28 - ld r6,Z - ldd r7,Z+1 - ldd r8,Z+2 - ldd r9,Z+3 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Z+4 - ldd r7,Z+5 - ldd r8,Z+6 - ldd r9,Z+7 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Z+8 - ldd r7,Z+9 - ldd r8,Z+10 - ldd r9,Z+11 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Z+12 - ldd r7,Z+13 - ldd r8,Z+14 - ldd r9,Z+15 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r20,0 - bst r18,1 - bld r22,0 - bst r18,2 - bld r2,0 - bst r18,3 - bld r4,0 - bst r18,4 - bld r20,1 - bst r18,5 - bld r22,1 - bst r18,6 - bld r2,1 - bst r18,7 - bld r4,1 - bst r19,0 - bld r20,2 - bst r19,1 - bld r22,2 - bst r19,2 - bld r2,2 - bst r19,3 - bld r4,2 - bst r19,4 - bld r20,3 - bst r19,5 - bld r22,3 - bst r19,6 - bld r2,3 - bst r19,7 - bld r4,3 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r20,4 - bst r18,1 - bld r22,4 - bst r18,2 - bld r2,4 - bst r18,3 - bld r4,4 - bst r18,4 - bld r20,5 - bst r18,5 - bld r22,5 - bst 
r18,6 - bld r2,5 - bst r18,7 - bld r4,5 - bst r19,0 - bld r20,6 - bst r19,1 - bld r22,6 - bst r19,2 - bld r2,6 - bst r19,3 - bld r4,6 - bst r19,4 - bld r20,7 - bst r19,5 - bld r22,7 - bst r19,6 - bld r2,7 - bst r19,7 - bld r4,7 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r21,0 - bst r18,1 - bld r23,0 - bst r18,2 - bld r3,0 - bst r18,3 - bld r5,0 - bst r18,4 - bld r21,1 - bst r18,5 - bld r23,1 - bst r18,6 - bld r3,1 - bst r18,7 - bld r5,1 - bst r19,0 - bld r21,2 - bst r19,1 - bld r23,2 - bst r19,2 - bld r3,2 - bst r19,3 - bld r5,2 - bst r19,4 - bld r21,3 - bst r19,5 - bld r23,3 - bst r19,6 - bld r3,3 - bst r19,7 - bld r5,3 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r21,4 - bst r18,1 - bld r23,4 - bst r18,2 - bld r3,4 - bst r18,3 - bld r5,4 - bst r18,4 - bld r21,5 - bst r18,5 - bld r23,5 - bst r18,6 - bld r3,5 - bst r18,7 - bld r5,5 - bst r19,0 - bld r21,6 - bst r19,1 - bld r23,6 - bst r19,2 - bld r3,6 - bst r19,3 - bld r5,6 - bst r19,4 - bld r21,7 - bst r19,5 - bld r23,7 - bst r19,6 - bld r3,7 - bst r19,7 - bld r5,7 - rcall 1061f - ldi r18,1 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,3 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,7 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - 
lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,15 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - rcall 1061f - ldi r18,31 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,62 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,61 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,59 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - 
rcall 1061f - ldi r18,55 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,47 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,30 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,60 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - rcall 1061f - ldi r18,57 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,51 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - 
rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,39 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,14 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - rcall 1061f - ldi r18,29 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,58 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,53 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - 
std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,43 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - rcall 1061f - ldi r18,22 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,44 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,24 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,48 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - rcall 1061f - ldi r18,33 - ldi r19,128 - eor 
r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - rcall 1061f - ldi r18,2 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - rcall 1061f - ldi r18,5 - ldi r19,128 - eor r4,r18 - eor r5,r19 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - rcall 1061f - ldi r18,11 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rjmp 1252f -1061: - mov r0,r20 - and r0,r2 - eor r22,r0 - mov r0,r21 - and r0,r3 - eor r23,r0 - mov r0,r22 - and r0,r4 - eor r20,r0 - mov r0,r23 - and r0,r5 - eor r21,r0 - mov r0,r20 - or r0,r22 - eor r2,r0 - mov r0,r21 - or r0,r23 - eor r3,r0 - eor r4,r2 - eor r5,r3 - eor r22,r4 - eor r23,r5 - com r4 - com r5 - movw r18,r20 - mov r0,r22 - and r0,r18 - eor r2,r0 - mov r0,r23 - and r0,r19 - eor r3,r0 - movw r20,r4 - movw r4,r18 - bst r20,1 - bld r0,0 - bst r20,4 - bld r20,1 - bst r20,3 - bld r20,4 - bst r21,4 - bld r20,3 - bst r0,0 - bld r21,4 - bst r20,2 - bld r0,0 - bst r21,0 - bld r20,2 - bst r0,0 - bld r21,0 - bst r20,5 - bld r0,0 - bst r20,7 - bld r20,5 - bst r21,7 - bld r20,7 - bst r21,5 - bld r21,7 - bst r0,0 - bld r21,5 - bst r20,6 - bld r0,0 - bst r21,3 - bld r20,6 - bst r21,6 - bld r21,3 - bst r21,1 - bld r21,6 - bst r0,0 - bld r21,1 - bst 
r22,0 - bld r0,0 - bst r22,1 - bld r22,0 - bst r22,5 - bld r22,1 - bst r22,4 - bld r22,5 - bst r0,0 - bld r22,4 - bst r22,2 - bld r0,0 - bst r23,1 - bld r22,2 - bst r22,7 - bld r23,1 - bst r23,4 - bld r22,7 - bst r0,0 - bld r23,4 - bst r22,3 - bld r0,0 - bst r23,5 - bld r22,3 - bst r22,6 - bld r23,5 - bst r23,0 - bld r22,6 - bst r0,0 - bld r23,0 - bst r23,2 - bld r0,0 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r23,6 - bld r23,7 - bst r0,0 - bld r23,6 - bst r2,0 - bld r0,0 - bst r2,2 - bld r2,0 - bst r3,2 - bld r2,2 - bst r3,0 - bld r3,2 - bst r0,0 - bld r3,0 - bst r2,1 - bld r0,0 - bst r2,6 - bld r2,1 - bst r3,1 - bld r2,6 - bst r2,4 - bld r3,1 - bst r0,0 - bld r2,4 - bst r2,3 - bld r0,0 - bst r3,6 - bld r2,3 - bst r3,3 - bld r3,6 - bst r3,4 - bld r3,3 - bst r0,0 - bld r3,4 - bst r2,7 - bld r0,0 - bst r3,5 - bld r2,7 - bst r0,0 - bld r3,5 - bst r4,0 - bld r0,0 - bst r4,3 - bld r4,0 - bst r5,7 - bld r4,3 - bst r5,4 - bld r5,7 - bst r0,0 - bld r5,4 - bst r4,1 - bld r0,0 - bst r4,7 - bld r4,1 - bst r5,6 - bld r4,7 - bst r5,0 - bld r5,6 - bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,3 - bld r4,2 - bst r5,5 - bld r5,3 - bst r4,4 - bld r5,5 - bst r0,0 - bld r4,4 - bst r4,5 - bld r0,0 - bst r4,6 - bld r4,5 - bst r5,2 - bld r4,6 - bst r5,1 - bld r5,2 - bst r0,0 - bld r5,1 - eor r20,r6 - eor r21,r7 - eor r22,r8 - eor r23,r9 - ret -1252: - ldd r26,Y+17 - ldd r27,Y+18 - bst r20,0 - bld r18,0 - bst r22,0 - bld r18,1 - bst r2,0 - bld r18,2 - bst r4,0 - bld r18,3 - bst r20,1 - bld r18,4 - bst r22,1 - bld r18,5 - bst r2,1 - bld r18,6 - bst r4,1 - bld r18,7 - bst r20,2 - bld r19,0 - bst r22,2 - bld r19,1 - bst r2,2 - bld r19,2 - bst r4,2 - bld r19,3 - bst r20,3 - bld r19,4 - bst r22,3 - bld r19,5 - bst r2,3 - bld r19,6 - bst r4,3 - bld r19,7 - st X+,r18 - st X+,r19 - bst r20,4 - bld r18,0 - bst r22,4 - bld r18,1 - bst r2,4 - bld r18,2 - bst r4,4 - bld r18,3 - bst r20,5 - bld r18,4 - bst r22,5 - bld r18,5 - bst r2,5 - bld r18,6 - bst r4,5 - bld r18,7 - bst r20,6 - 
bld r19,0 - bst r22,6 - bld r19,1 - bst r2,6 - bld r19,2 - bst r4,6 - bld r19,3 - bst r20,7 - bld r19,4 - bst r22,7 - bld r19,5 - bst r2,7 - bld r19,6 - bst r4,7 - bld r19,7 - st X+,r18 - st X+,r19 - bst r21,0 - bld r18,0 - bst r23,0 - bld r18,1 - bst r3,0 - bld r18,2 - bst r5,0 - bld r18,3 - bst r21,1 - bld r18,4 - bst r23,1 - bld r18,5 - bst r3,1 - bld r18,6 - bst r5,1 - bld r18,7 - bst r21,2 - bld r19,0 - bst r23,2 - bld r19,1 - bst r3,2 - bld r19,2 - bst r5,2 - bld r19,3 - bst r21,3 - bld r19,4 - bst r23,3 - bld r19,5 - bst r3,3 - bld r19,6 - bst r5,3 - bld r19,7 - st X+,r18 - st X+,r19 - bst r21,4 - bld r18,0 - bst r23,4 - bld r18,1 - bst r3,4 - bld r18,2 - bst r5,4 - bld r18,3 - bst r21,5 - bld r18,4 - bst r23,5 - bld r18,5 - bst r3,5 - bld r18,6 - bst r5,5 - bld r18,7 - bst r21,6 - bld r19,0 - bst r23,6 - bld r19,1 - bst r3,6 - bld r19,2 - bst r5,6 - bld r19,3 - bst r21,7 - bld r19,4 - bst r23,7 - bld r19,5 - bst r3,7 - bld r19,6 - bst r5,7 - bld r19,7 - st X+,r18 - st X+,r19 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift64n_encrypt, .-gift64n_encrypt - - .text -.global gift64n_decrypt - .type gift64n_decrypt, @function -gift64n_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 28 - ld r6,Z - ldd r7,Z+1 - ldd r8,Z+2 - ldd r9,Z+3 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Z+4 - ldd r7,Z+5 - ldd r8,Z+6 - ldd r9,Z+7 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r6 
- rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Z+8 - ldd r7,Z+9 - ldd r8,Z+10 - ldd r9,Z+11 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Z+12 - ldd r7,Z+13 - ldd r8,Z+14 - ldd r9,Z+15 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r20,0 - bst r18,1 - bld r22,0 - bst r18,2 - bld r2,0 - bst r18,3 - bld r4,0 - bst r18,4 - bld r20,1 - bst r18,5 - bld r22,1 - bst r18,6 - bld r2,1 - bst r18,7 - bld r4,1 - bst r19,0 - bld r20,2 - bst r19,1 - bld r22,2 - bst r19,2 - bld r2,2 - bst r19,3 - bld r4,2 - bst r19,4 - bld r20,3 - bst r19,5 - bld r22,3 - bst r19,6 - bld r2,3 - bst r19,7 - bld r4,3 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r20,4 - bst r18,1 - bld r22,4 - bst r18,2 - bld r2,4 - bst r18,3 - bld r4,4 - bst r18,4 - bld r20,5 - bst r18,5 - bld r22,5 - bst r18,6 - bld r2,5 - bst r18,7 - bld r4,5 - bst r19,0 - bld r20,6 - bst r19,1 - bld r22,6 - bst r19,2 - bld r2,6 - bst r19,3 - bld r4,6 - bst r19,4 - bld r20,7 - bst r19,5 - bld r22,7 - bst r19,6 - bld r2,7 - bst r19,7 - bld r4,7 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r21,0 - bst r18,1 - bld r23,0 - bst r18,2 - bld r3,0 - bst r18,3 - bld r5,0 - bst r18,4 - bld r21,1 - bst r18,5 - bld r23,1 - bst r18,6 - bld r3,1 - bst r18,7 - bld r5,1 - bst r19,0 - bld r21,2 - bst r19,1 - bld r23,2 - bst r19,2 - bld r3,2 - bst r19,3 - bld r5,2 - bst r19,4 - bld r21,3 - bst r19,5 - bld r23,3 - bst r19,6 - bld r3,3 - 
bst r19,7 - bld r5,3 - ld r18,X+ - ld r19,X+ - bst r18,0 - bld r21,4 - bst r18,1 - bld r23,4 - bst r18,2 - bld r3,4 - bst r18,3 - bld r5,4 - bst r18,4 - bld r21,5 - bst r18,5 - bld r23,5 - bst r18,6 - bld r3,5 - bst r18,7 - bld r5,5 - bst r19,0 - bld r21,6 - bst r19,1 - bld r23,6 - bst r19,2 - bld r3,6 - bst r19,3 - bld r5,6 - bst r19,4 - bld r21,7 - bst r19,5 - bld r23,7 - bst r19,6 - bld r3,7 - bst r19,7 - bld r5,7 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,11 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,5 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,2 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,33 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov 
r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,48 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,24 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,44 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,22 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,43 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - 
adc r8,r1 - ldi r18,53 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,58 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,29 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,14 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,39 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,51 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd 
r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,57 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,60 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,30 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,47 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,55 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 
- adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,59 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,61 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,62 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,31 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r6,Y+1 - ldd r7,Y+2 - ldd r8,Y+3 - ldd r9,Y+4 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,15 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+1,r6 - std Y+2,r7 - std Y+3,r8 - std Y+4,r9 - ldd r6,Y+5 - ldd r7,Y+6 - ldd r8,Y+7 - ldd r9,Y+8 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,7 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+5,r6 - std Y+6,r7 - std Y+7,r8 - std Y+8,r9 - ldd r6,Y+9 - 
ldd r7,Y+10 - ldd r8,Y+11 - ldd r9,Y+12 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,3 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - std Y+9,r6 - std Y+10,r7 - std Y+11,r8 - std Y+12,r9 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - mov r0,r1 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - lsr r7 - ror r6 - ror r0 - or r7,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - ldi r18,1 - ldi r19,128 - eor r4,r18 - eor r5,r19 - rcall 1173f - rjmp 1362f -1173: - eor r20,r6 - eor r21,r7 - eor r22,r8 - eor r23,r9 - bst r20,1 - bld r0,0 - bst r21,4 - bld r20,1 - bst r20,3 - bld r21,4 - bst r20,4 - bld r20,3 - bst r0,0 - bld r20,4 - bst r20,2 - bld r0,0 - bst r21,0 - bld r20,2 - bst r0,0 - bld r21,0 - bst r20,5 - bld r0,0 - bst r21,5 - bld r20,5 - bst r21,7 - bld r21,5 - bst r20,7 - bld r21,7 - bst r0,0 - bld r20,7 - bst r20,6 - bld r0,0 - bst r21,1 - bld r20,6 - bst r21,6 - bld r21,1 - bst r21,3 - bld r21,6 - bst r0,0 - bld r21,3 - bst r22,0 - bld r0,0 - bst r22,4 - bld r22,0 - bst r22,5 - bld r22,4 - bst r22,1 - bld r22,5 - bst r0,0 - bld r22,1 - bst r22,2 - bld r0,0 - bst r23,4 - bld r22,2 - bst r22,7 - bld r23,4 - bst r23,1 - bld r22,7 - bst r0,0 - bld r23,1 - bst r22,3 - bld r0,0 - bst r23,0 - bld r22,3 - bst r22,6 - bld r23,0 - bst r23,5 - bld r22,6 - bst r0,0 - bld r23,5 - bst r23,2 - bld r0,0 - bst r23,6 - bld r23,2 - bst r23,7 - bld r23,6 - bst r23,3 - bld r23,7 - bst r0,0 - bld r23,3 - bst r2,0 - bld r0,0 - bst r3,0 - bld r2,0 - bst r3,2 - bld r3,0 - bst r2,2 - bld r3,2 - bst r0,0 - bld r2,2 - bst r2,1 - bld r0,0 - bst r2,4 - bld r2,1 - bst r3,1 - bld r2,4 - bst r2,6 - bld r3,1 - bst r0,0 - bld r2,6 - bst r2,3 - bld r0,0 - bst r3,4 - bld r2,3 - bst r3,3 - bld r3,4 - bst r3,6 - bld r3,3 - bst r0,0 - bld r3,6 - bst r2,7 - bld r0,0 - bst r3,5 - 
bld r2,7 - bst r0,0 - bld r3,5 - bst r4,0 - bld r0,0 - bst r5,4 - bld r4,0 - bst r5,7 - bld r5,4 - bst r4,3 - bld r5,7 - bst r0,0 - bld r4,3 - bst r4,1 - bld r0,0 - bst r5,0 - bld r4,1 - bst r5,6 - bld r5,0 - bst r4,7 - bld r5,6 - bst r0,0 - bld r4,7 - bst r4,2 - bld r0,0 - bst r4,4 - bld r4,2 - bst r5,5 - bld r4,4 - bst r5,3 - bld r5,5 - bst r0,0 - bld r5,3 - bst r4,5 - bld r0,0 - bst r5,1 - bld r4,5 - bst r5,2 - bld r5,1 - bst r4,6 - bld r5,2 - bst r0,0 - bld r4,6 - movw r18,r4 - movw r4,r20 - movw r20,r18 - and r18,r22 - and r19,r23 - eor r2,r18 - eor r3,r19 - com r4 - com r5 - eor r22,r4 - eor r23,r5 - eor r4,r2 - eor r5,r3 - mov r0,r20 - or r0,r22 - eor r2,r0 - mov r0,r21 - or r0,r23 - eor r3,r0 - mov r0,r22 - and r0,r4 - eor r20,r0 - mov r0,r23 - and r0,r5 - eor r21,r0 - mov r0,r20 - and r0,r2 - eor r22,r0 - mov r0,r21 - and r0,r3 - eor r23,r0 - ret -1362: - ldd r26,Y+17 - ldd r27,Y+18 - bst r20,0 - bld r18,0 - bst r22,0 - bld r18,1 - bst r2,0 - bld r18,2 - bst r4,0 - bld r18,3 - bst r20,1 - bld r18,4 - bst r22,1 - bld r18,5 - bst r2,1 - bld r18,6 - bst r4,1 - bld r18,7 - bst r20,2 - bld r19,0 - bst r22,2 - bld r19,1 - bst r2,2 - bld r19,2 - bst r4,2 - bld r19,3 - bst r20,3 - bld r19,4 - bst r22,3 - bld r19,5 - bst r2,3 - bld r19,6 - bst r4,3 - bld r19,7 - st X+,r18 - st X+,r19 - bst r20,4 - bld r18,0 - bst r22,4 - bld r18,1 - bst r2,4 - bld r18,2 - bst r4,4 - bld r18,3 - bst r20,5 - bld r18,4 - bst r22,5 - bld r18,5 - bst r2,5 - bld r18,6 - bst r4,5 - bld r18,7 - bst r20,6 - bld r19,0 - bst r22,6 - bld r19,1 - bst r2,6 - bld r19,2 - bst r4,6 - bld r19,3 - bst r20,7 - bld r19,4 - bst r22,7 - bld r19,5 - bst r2,7 - bld r19,6 - bst r4,7 - bld r19,7 - st X+,r18 - st X+,r19 - bst r21,0 - bld r18,0 - bst r23,0 - bld r18,1 - bst r3,0 - bld r18,2 - bst r5,0 - bld r18,3 - bst r21,1 - bld r18,4 - bst r23,1 - bld r18,5 - bst r3,1 - bld r18,6 - bst r5,1 - bld r18,7 - bst r21,2 - bld r19,0 - bst r23,2 - bld r19,1 - bst r3,2 - bld r19,2 - bst r5,2 - bld r19,3 - bst r21,3 
- bld r19,4 - bst r23,3 - bld r19,5 - bst r3,3 - bld r19,6 - bst r5,3 - bld r19,7 - st X+,r18 - st X+,r19 - bst r21,4 - bld r18,0 - bst r23,4 - bld r18,1 - bst r3,4 - bld r18,2 - bst r5,4 - bld r18,3 - bst r21,5 - bld r18,4 - bst r23,5 - bld r18,5 - bst r3,5 - bld r18,6 - bst r5,5 - bld r18,7 - bst r21,6 - bld r19,0 - bst r23,6 - bld r19,1 - bst r3,6 - bld r19,2 - bst r5,6 - bld r19,3 - bst r21,7 - bld r19,4 - bst r23,7 - bld r19,5 - bst r3,7 - bld r19,6 - bst r5,7 - bld r19,7 - st X+,r18 - st X+,r19 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift64n_decrypt, .-gift64n_decrypt - - .text -.global gift64t_encrypt - .type gift64t_encrypt, @function -gift64t_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 30 - ld r8,Z - ldd r9,Z+1 - ldd r10,Z+2 - ldd r11,Z+3 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Z+4 - ldd r9,Z+5 - ldd r10,Z+6 - ldd r11,Z+7 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r22,0 - bst r20,1 - bld r2,0 - bst r20,2 - bld r4,0 - bst r20,3 - bld r6,0 - bst r20,4 - bld r22,1 - bst r20,5 - bld r2,1 - bst r20,6 - bld r4,1 - bst r20,7 - bld r6,1 - bst r21,0 - bld r22,2 - bst r21,1 - bld r2,2 - bst r21,2 - bld r4,2 - bst r21,3 - bld r6,2 - bst r21,4 - bld r22,3 - bst r21,5 - bld r2,3 - bst r21,6 - bld r4,3 - bst r21,7 - bld r6,3 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r22,4 - bst r20,1 - bld r2,4 - bst r20,2 - bld r4,4 - bst 
r20,3 - bld r6,4 - bst r20,4 - bld r22,5 - bst r20,5 - bld r2,5 - bst r20,6 - bld r4,5 - bst r20,7 - bld r6,5 - bst r21,0 - bld r22,6 - bst r21,1 - bld r2,6 - bst r21,2 - bld r4,6 - bst r21,3 - bld r6,6 - bst r21,4 - bld r22,7 - bst r21,5 - bld r2,7 - bst r21,6 - bld r4,7 - bst r21,7 - bld r6,7 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r23,0 - bst r20,1 - bld r3,0 - bst r20,2 - bld r5,0 - bst r20,3 - bld r7,0 - bst r20,4 - bld r23,1 - bst r20,5 - bld r3,1 - bst r20,6 - bld r5,1 - bst r20,7 - bld r7,1 - bst r21,0 - bld r23,2 - bst r21,1 - bld r3,2 - bst r21,2 - bld r5,2 - bst r21,3 - bld r7,2 - bst r21,4 - bld r23,3 - bst r21,5 - bld r3,3 - bst r21,6 - bld r5,3 - bst r21,7 - bld r7,3 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r23,4 - bst r20,1 - bld r3,4 - bst r20,2 - bld r5,4 - bst r20,3 - bld r7,4 - bst r20,4 - bld r23,5 - bst r20,5 - bld r3,5 - bst r20,6 - bld r5,5 - bst r20,7 - bld r7,5 - bst r21,0 - bld r23,6 - bst r21,1 - bld r3,6 - bst r21,2 - bld r5,6 - bst r21,3 - bld r7,6 - bst r21,4 - bld r23,7 - bst r21,5 - bld r3,7 - bst r21,6 - bld r5,7 - bst r21,7 - bld r7,7 - rcall 1073f - ldi r20,1 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,3 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,7 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc 
r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,15 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - rcall 1073f - ldi r20,31 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,62 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,61 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,59 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 
- lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - rcall 1073f - ldi r20,55 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,47 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,30 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,60 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - rcall 1073f - ldi r20,57 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 
- std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,51 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,39 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,14 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - rcall 1073f - ldi r20,29 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,58 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd 
r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,53 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,43 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - rcall 1073f - ldi r20,22 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,44 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,24 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,48 
- ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - rcall 1073f - ldi r20,33 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - rcall 1073f - ldi r20,2 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - rcall 1073f - ldi r20,5 - ldi r21,128 - eor r6,r20 - eor r7,r21 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - rcall 1073f - ldi r20,11 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rjmp 1264f -1073: - mov r0,r22 - and r0,r4 - eor r2,r0 - mov r0,r23 - and r0,r5 - eor r3,r0 - mov r0,r2 - and r0,r6 - eor r22,r0 - mov r0,r3 - and r0,r7 - eor r23,r0 - mov r0,r22 - or r0,r2 - eor r4,r0 - mov r0,r23 - or r0,r3 - eor r5,r0 - eor r6,r4 - eor r7,r5 - eor r2,r6 - eor r3,r7 - com r6 - com r7 - movw r20,r22 - mov r0,r2 - and r0,r20 - eor r4,r0 - mov r0,r3 - and r0,r21 - eor r5,r0 - movw r22,r6 - 
movw r6,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r22,3 - bld r22,4 - bst r23,4 - bld r22,3 - bst r0,0 - bld r23,4 - bst r22,2 - bld r0,0 - bst r23,0 - bld r22,2 - bst r0,0 - bld r23,0 - bst r22,5 - bld r0,0 - bst r22,7 - bld r22,5 - bst r23,7 - bld r22,7 - bst r23,5 - bld r23,7 - bst r0,0 - bld r23,5 - bst r22,6 - bld r0,0 - bst r23,3 - bld r22,6 - bst r23,6 - bld r23,3 - bst r23,1 - bld r23,6 - bst r0,0 - bld r23,1 - bst r2,0 - bld r0,0 - bst r2,1 - bld r2,0 - bst r2,5 - bld r2,1 - bst r2,4 - bld r2,5 - bst r0,0 - bld r2,4 - bst r2,2 - bld r0,0 - bst r3,1 - bld r2,2 - bst r2,7 - bld r3,1 - bst r3,4 - bld r2,7 - bst r0,0 - bld r3,4 - bst r2,3 - bld r0,0 - bst r3,5 - bld r2,3 - bst r2,6 - bld r3,5 - bst r3,0 - bld r2,6 - bst r0,0 - bld r3,0 - bst r3,2 - bld r0,0 - bst r3,3 - bld r3,2 - bst r3,7 - bld r3,3 - bst r3,6 - bld r3,7 - bst r0,0 - bld r3,6 - bst r4,0 - bld r0,0 - bst r4,2 - bld r4,0 - bst r5,2 - bld r4,2 - bst r5,0 - bld r5,2 - bst r0,0 - bld r5,0 - bst r4,1 - bld r0,0 - bst r4,6 - bld r4,1 - bst r5,1 - bld r4,6 - bst r4,4 - bld r5,1 - bst r0,0 - bld r4,4 - bst r4,3 - bld r0,0 - bst r5,6 - bld r4,3 - bst r5,3 - bld r5,6 - bst r5,4 - bld r5,3 - bst r0,0 - bld r5,4 - bst r4,7 - bld r0,0 - bst r5,5 - bld r4,7 - bst r0,0 - bld r5,5 - bst r6,0 - bld r0,0 - bst r6,3 - bld r6,0 - bst r7,7 - bld r6,3 - bst r7,4 - bld r7,7 - bst r0,0 - bld r7,4 - bst r6,1 - bld r0,0 - bst r6,7 - bld r6,1 - bst r7,6 - bld r6,7 - bst r7,0 - bld r7,6 - bst r0,0 - bld r7,0 - bst r6,2 - bld r0,0 - bst r7,3 - bld r6,2 - bst r7,5 - bld r7,3 - bst r6,4 - bld r7,5 - bst r0,0 - bld r6,4 - bst r6,5 - bld r0,0 - bst r6,6 - bld r6,5 - bst r7,2 - bld r6,6 - bst r7,1 - bld r7,2 - bst r0,0 - bld r7,1 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - ret -1264: - ldd r26,Y+17 - ldd r27,Y+18 - bst r22,0 - bld r20,0 - bst r2,0 - bld r20,1 - bst r4,0 - bld r20,2 - bst r6,0 - bld r20,3 - bst r22,1 - bld r20,4 - bst r2,1 - bld r20,5 - bst r4,1 - bld r20,6 - bst r6,1 - bld r20,7 - bst 
r22,2 - bld r21,0 - bst r2,2 - bld r21,1 - bst r4,2 - bld r21,2 - bst r6,2 - bld r21,3 - bst r22,3 - bld r21,4 - bst r2,3 - bld r21,5 - bst r4,3 - bld r21,6 - bst r6,3 - bld r21,7 - st X+,r20 - st X+,r21 - bst r22,4 - bld r20,0 - bst r2,4 - bld r20,1 - bst r4,4 - bld r20,2 - bst r6,4 - bld r20,3 - bst r22,5 - bld r20,4 - bst r2,5 - bld r20,5 - bst r4,5 - bld r20,6 - bst r6,5 - bld r20,7 - bst r22,6 - bld r21,0 - bst r2,6 - bld r21,1 - bst r4,6 - bld r21,2 - bst r6,6 - bld r21,3 - bst r22,7 - bld r21,4 - bst r2,7 - bld r21,5 - bst r4,7 - bld r21,6 - bst r6,7 - bld r21,7 - st X+,r20 - st X+,r21 - bst r23,0 - bld r20,0 - bst r3,0 - bld r20,1 - bst r5,0 - bld r20,2 - bst r7,0 - bld r20,3 - bst r23,1 - bld r20,4 - bst r3,1 - bld r20,5 - bst r5,1 - bld r20,6 - bst r7,1 - bld r20,7 - bst r23,2 - bld r21,0 - bst r3,2 - bld r21,1 - bst r5,2 - bld r21,2 - bst r7,2 - bld r21,3 - bst r23,3 - bld r21,4 - bst r3,3 - bld r21,5 - bst r5,3 - bld r21,6 - bst r7,3 - bld r21,7 - st X+,r20 - st X+,r21 - bst r23,4 - bld r20,0 - bst r3,4 - bld r20,1 - bst r5,4 - bld r20,2 - bst r7,4 - bld r20,3 - bst r23,5 - bld r20,4 - bst r3,5 - bld r20,5 - bst r5,5 - bld r20,6 - bst r7,5 - bld r20,7 - bst r23,6 - bld r21,0 - bst r3,6 - bld r21,1 - bst r5,6 - bld r21,2 - bst r7,6 - bld r21,3 - bst r23,7 - bld r21,4 - bst r3,7 - bld r21,5 - bst r5,7 - bld r21,6 - bst r7,7 - bld r21,7 - st X+,r20 - st X+,r21 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift64t_encrypt, .-gift64t_encrypt - - .text -.global gift64t_decrypt - .type gift64t_decrypt, @function -gift64t_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 
-.L__stack_usage = 30 - ld r8,Z - ldd r9,Z+1 - ldd r10,Z+2 - ldd r11,Z+3 - mov r0,r9 - mov r9,r8 - mov r8,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Z+4 - ldd r9,Z+5 - ldd r10,Z+6 - ldd r11,Z+7 - mov r0,r9 - mov r9,r8 - mov r8,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - mov r0,r9 - mov r9,r8 - mov r8,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - mov r0,r9 - mov r9,r8 - mov r8,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r22,0 - bst r20,1 - bld r2,0 - bst r20,2 - bld r4,0 - bst r20,3 - bld r6,0 - bst r20,4 - bld r22,1 - bst r20,5 - bld r2,1 - bst r20,6 - bld r4,1 - bst r20,7 - bld r6,1 - bst r21,0 - bld r22,2 - bst r21,1 - bld r2,2 - bst r21,2 - bld r4,2 - bst r21,3 - bld r6,2 - bst r21,4 - bld r22,3 - bst r21,5 - bld r2,3 - bst r21,6 - bld r4,3 - bst r21,7 - bld r6,3 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r22,4 - bst r20,1 - bld r2,4 - bst r20,2 - bld r4,4 - bst r20,3 - bld r6,4 - bst r20,4 - bld r22,5 - bst r20,5 - bld r2,5 - bst r20,6 - bld r4,5 - bst r20,7 - bld r6,5 - bst r21,0 - bld r22,6 - bst r21,1 - bld r2,6 - bst r21,2 - bld r4,6 - bst r21,3 - bld r6,6 - bst 
r21,4 - bld r22,7 - bst r21,5 - bld r2,7 - bst r21,6 - bld r4,7 - bst r21,7 - bld r6,7 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r23,0 - bst r20,1 - bld r3,0 - bst r20,2 - bld r5,0 - bst r20,3 - bld r7,0 - bst r20,4 - bld r23,1 - bst r20,5 - bld r3,1 - bst r20,6 - bld r5,1 - bst r20,7 - bld r7,1 - bst r21,0 - bld r23,2 - bst r21,1 - bld r3,2 - bst r21,2 - bld r5,2 - bst r21,3 - bld r7,2 - bst r21,4 - bld r23,3 - bst r21,5 - bld r3,3 - bst r21,6 - bld r5,3 - bst r21,7 - bld r7,3 - ld r20,X+ - ld r21,X+ - bst r20,0 - bld r23,4 - bst r20,1 - bld r3,4 - bst r20,2 - bld r5,4 - bst r20,3 - bld r7,4 - bst r20,4 - bld r23,5 - bst r20,5 - bld r3,5 - bst r20,6 - bld r5,5 - bst r20,7 - bld r7,5 - bst r21,0 - bld r23,6 - bst r21,1 - bld r3,6 - bst r21,2 - bld r5,6 - bst r21,3 - bld r7,6 - bst r21,4 - bld r23,7 - bst r21,5 - bld r3,7 - bst r21,6 - bld r5,7 - bst r21,7 - bld r7,7 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,11 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,5 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,2 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f 
- std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,33 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,48 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,24 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,44 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,22 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd 
r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,43 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,53 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,58 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,29 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,14 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - 
ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,39 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,51 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,57 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,60 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,30 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol 
r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,47 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,55 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,59 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,61 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,62 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,31 - ldi r21,128 - eor r6,r20 - 
eor r7,r21 - rcall 1185f - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r8,Y+1 - ldd r9,Y+2 - ldd r10,Y+3 - ldd r11,Y+4 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,15 - ldi r21,128 - eor r6,r20 - eor r7,r21 - eor r4,r18 - eor r5,r18 - rcall 1185f - std Y+1,r8 - std Y+2,r9 - std Y+3,r10 - std Y+4,r11 - ldd r8,Y+5 - ldd r9,Y+6 - ldd r10,Y+7 - ldd r11,Y+8 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,7 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+5,r8 - std Y+6,r9 - std Y+7,r10 - std Y+8,r11 - ldd r8,Y+9 - ldd r9,Y+10 - ldd r10,Y+11 - ldd r11,Y+12 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,3 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - std Y+9,r8 - std Y+10,r9 - std Y+11,r10 - std Y+12,r11 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ldi r20,1 - ldi r21,128 - eor r6,r20 - eor r7,r21 - rcall 1185f - rjmp 1374f -1185: - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - bst r22,1 - bld r0,0 - bst r23,4 - bld r22,1 - bst r22,3 - bld r23,4 - bst r22,4 - bld r22,3 - bst r0,0 - bld r22,4 - bst r22,2 - bld r0,0 - bst r23,0 - bld r22,2 - bst r0,0 - bld r23,0 - bst r22,5 - bld r0,0 - bst r23,5 - bld r22,5 - bst r23,7 - bld r23,5 - bst r22,7 - bld r23,7 - bst r0,0 - bld r22,7 - bst r22,6 - bld r0,0 - bst r23,1 - bld r22,6 - bst r23,6 - bld r23,1 
- bst r23,3 - bld r23,6 - bst r0,0 - bld r23,3 - bst r2,0 - bld r0,0 - bst r2,4 - bld r2,0 - bst r2,5 - bld r2,4 - bst r2,1 - bld r2,5 - bst r0,0 - bld r2,1 - bst r2,2 - bld r0,0 - bst r3,4 - bld r2,2 - bst r2,7 - bld r3,4 - bst r3,1 - bld r2,7 - bst r0,0 - bld r3,1 - bst r2,3 - bld r0,0 - bst r3,0 - bld r2,3 - bst r2,6 - bld r3,0 - bst r3,5 - bld r2,6 - bst r0,0 - bld r3,5 - bst r3,2 - bld r0,0 - bst r3,6 - bld r3,2 - bst r3,7 - bld r3,6 - bst r3,3 - bld r3,7 - bst r0,0 - bld r3,3 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r4,2 - bld r5,2 - bst r0,0 - bld r4,2 - bst r4,1 - bld r0,0 - bst r4,4 - bld r4,1 - bst r5,1 - bld r4,4 - bst r4,6 - bld r5,1 - bst r0,0 - bld r4,6 - bst r4,3 - bld r0,0 - bst r5,4 - bld r4,3 - bst r5,3 - bld r5,4 - bst r5,6 - bld r5,3 - bst r0,0 - bld r5,6 - bst r4,7 - bld r0,0 - bst r5,5 - bld r4,7 - bst r0,0 - bld r5,5 - bst r6,0 - bld r0,0 - bst r7,4 - bld r6,0 - bst r7,7 - bld r7,4 - bst r6,3 - bld r7,7 - bst r0,0 - bld r6,3 - bst r6,1 - bld r0,0 - bst r7,0 - bld r6,1 - bst r7,6 - bld r7,0 - bst r6,7 - bld r7,6 - bst r0,0 - bld r6,7 - bst r6,2 - bld r0,0 - bst r6,4 - bld r6,2 - bst r7,5 - bld r6,4 - bst r7,3 - bld r7,5 - bst r0,0 - bld r7,3 - bst r6,5 - bld r0,0 - bst r7,1 - bld r6,5 - bst r7,2 - bld r7,1 - bst r6,6 - bld r7,2 - bst r0,0 - bld r6,6 - movw r20,r6 - movw r6,r22 - movw r22,r20 - and r20,r2 - and r21,r3 - eor r4,r20 - eor r5,r21 - com r6 - com r7 - eor r2,r6 - eor r3,r7 - eor r6,r4 - eor r7,r5 - mov r0,r22 - or r0,r2 - eor r4,r0 - mov r0,r23 - or r0,r3 - eor r5,r0 - mov r0,r2 - and r0,r6 - eor r22,r0 - mov r0,r3 - and r0,r7 - eor r23,r0 - mov r0,r22 - and r0,r4 - eor r2,r0 - mov r0,r23 - and r0,r5 - eor r3,r0 - ret -1374: - ldd r26,Y+17 - ldd r27,Y+18 - bst r22,0 - bld r20,0 - bst r2,0 - bld r20,1 - bst r4,0 - bld r20,2 - bst r6,0 - bld r20,3 - bst r22,1 - bld r20,4 - bst r2,1 - bld r20,5 - bst r4,1 - bld r20,6 - bst r6,1 - bld r20,7 - bst r22,2 - bld r21,0 - bst r2,2 - bld r21,1 - bst r4,2 - bld 
r21,2 - bst r6,2 - bld r21,3 - bst r22,3 - bld r21,4 - bst r2,3 - bld r21,5 - bst r4,3 - bld r21,6 - bst r6,3 - bld r21,7 - st X+,r20 - st X+,r21 - bst r22,4 - bld r20,0 - bst r2,4 - bld r20,1 - bst r4,4 - bld r20,2 - bst r6,4 - bld r20,3 - bst r22,5 - bld r20,4 - bst r2,5 - bld r20,5 - bst r4,5 - bld r20,6 - bst r6,5 - bld r20,7 - bst r22,6 - bld r21,0 - bst r2,6 - bld r21,1 - bst r4,6 - bld r21,2 - bst r6,6 - bld r21,3 - bst r22,7 - bld r21,4 - bst r2,7 - bld r21,5 - bst r4,7 - bld r21,6 - bst r6,7 - bld r21,7 - st X+,r20 - st X+,r21 - bst r23,0 - bld r20,0 - bst r3,0 - bld r20,1 - bst r5,0 - bld r20,2 - bst r7,0 - bld r20,3 - bst r23,1 - bld r20,4 - bst r3,1 - bld r20,5 - bst r5,1 - bld r20,6 - bst r7,1 - bld r20,7 - bst r23,2 - bld r21,0 - bst r3,2 - bld r21,1 - bst r5,2 - bld r21,2 - bst r7,2 - bld r21,3 - bst r23,3 - bld r21,4 - bst r3,3 - bld r21,5 - bst r5,3 - bld r21,6 - bst r7,3 - bld r21,7 - st X+,r20 - st X+,r21 - bst r23,4 - bld r20,0 - bst r3,4 - bld r20,1 - bst r5,4 - bld r20,2 - bst r7,4 - bld r20,3 - bst r23,5 - bld r20,4 - bst r3,5 - bld r20,5 - bst r5,5 - bld r20,6 - bst r7,5 - bld r20,7 - bst r23,6 - bld r21,0 - bst r3,6 - bld r21,1 - bst r5,6 - bld r21,2 - bst r7,6 - bld r21,3 - bst r23,7 - bld r21,4 - bst r3,7 - bld r21,5 - bst r5,7 - bld r21,6 - bst r7,7 - bld r21,7 - st X+,r20 - st X+,r21 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift64t_decrypt, .-gift64t_decrypt - -#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/internal-gift64.c b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/internal-gift64.c deleted file mode 100644 index 81bc8a3..0000000 --- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/internal-gift64.c +++ /dev/null 
@@ -1,1205 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */ - -#include "internal-gift64.h" -#include "internal-util.h" -#include - -#if !GIFT64_LOW_MEMORY - -/* Round constants for GIFT-64 in the fixsliced representation */ -static uint32_t const GIFT64_RC[28] = { - 0x22000011, 0x00002299, 0x11118811, 0x880000ff, 0x33111199, 0x990022ee, - 0x22119933, 0x880033bb, 0x22119999, 0x880022ff, 0x11119922, 0x880033cc, - 0x33008899, 0x99002299, 0x33118811, 0x880000ee, 0x33110099, 0x990022aa, - 0x22118833, 0x880022bb, 0x22111188, 0x88002266, 0x00009922, 0x88003300, - 0x22008811, 0x00002288, 0x00118811, 0x880000bb -}; - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/** - * \brief Swaps bits within two words. - * - * \param a The first word. - * \param b The second word. - * \param mask Mask for the bits to shift. - * \param shift Shift amount in bits. - */ -#define gift64b_swap_move(a, b, mask, shift) \ - do { \ - uint32_t t = ((b) ^ ((a) >> (shift))) & (mask); \ - (b) ^= t; \ - (a) ^= t << (shift); \ - } while (0) - -/** - * \brief Performs the GIFT-64 S-box on the bit-sliced state. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift64b_sbox(s0, s1, s2, s3) \ - do { \ - s1 ^= s0 & s2; \ - s0 ^= s1 & s3; \ - s2 ^= s0 | s1; \ - s3 ^= s2; \ - s1 ^= s3; \ - s2 ^= s0 & s1; \ - } while (0) - -/** - * \brief Performs the inverse of the GIFT-64 S-box on the bit-sliced state. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. 
- */ -#define gift64b_inv_sbox(s0, s1, s2, s3) \ - do { \ - s2 ^= s3 & s1; \ - s1 ^= s0; \ - s0 ^= s2; \ - s2 ^= s3 | s1; \ - s3 ^= s1 & s0; \ - s1 ^= s3 & s2; \ - } while (0) - -/* Rotates a state word left by 1 position in the fixsliced representation: - * - * 0 1 2 3 1 2 3 0 - * 4 5 6 7 ==> 5 6 7 4 - * 8 9 10 11 9 10 11 8 - * 12 13 14 15 13 14 14 12 - */ -#define gift64b_rotate_left_1(x) \ - ((((x) >> 1) & 0x77777777U) | (((x) & 0x11111111U) << 3)) - -/* Rotates a state word left by 2 positions in the fixsliced representation: - * - * 0 1 2 3 2 3 0 1 - * 4 5 6 7 ==> 6 7 4 5 - * 8 9 10 11 10 11 8 9 - * 12 13 14 15 14 15 12 13 - */ -#define gift64b_rotate_left_2(x) \ - ((((x) >> 2) & 0x33333333U) | (((x) & 0x33333333U) << 2)) - -/* Rotates a state word left by 3 positions in the fixsliced representation: - * - * 0 1 2 3 3 0 1 2 - * 4 5 6 7 ==> 7 4 5 6 - * 8 9 10 11 11 8 9 10 - * 12 13 14 15 15 12 13 14 - */ -#define gift64b_rotate_left_3(x) \ - ((((x) >> 3) & 0x11111111U) | (((x) & 0x77777777U) << 1)) - -/* Rotates a state word right by 1 position in the fixsliced representation */ -#define gift64b_rotate_right_1(x) gift64b_rotate_left_3(x) - -/* Rotates a state word right by 2 positions in the fixsliced representation */ -#define gift64b_rotate_right_2(x) gift64b_rotate_left_2(x) - -/* Rotates a state word right by 3 positions in the fixsliced representation */ -#define gift64b_rotate_right_3(x) gift64b_rotate_left_1(x) - -/* Rotates a state word up by 1 position in the fixsliced representation: - * - * 0 1 2 3 4 5 6 7 - * 4 5 6 7 ==> 8 9 10 11 - * 8 9 10 11 12 13 14 15 - * 12 13 14 15 0 1 2 3 - */ -#define gift64b_rotate_up_1(x) (rightRotate8((x))) - -/* Rotates a state word up by 2 positions in the fixsliced representation: - * - * 0 1 2 3 8 9 10 11 - * 4 5 6 7 ==> 12 13 14 15 - * 8 9 10 11 0 1 2 3 - * 12 13 14 15 4 5 6 7 - */ -#define gift64b_rotate_up_2(x) (rightRotate16((x))) - -/* Rotates a state word up by 3 positions in the fixsliced representation: - * - 
* 0 1 2 3 12 13 14 15 - * 4 5 6 7 ==> 0 1 2 3 - * 8 9 10 11 4 5 6 7 - * 12 13 14 15 8 9 10 11 - */ -#define gift64b_rotate_up_3(x) (rightRotate24((x))) - -/* Rotates a state word down by 1 position in the fixsliced representation */ -#define gift64b_rotate_down_1(x) gift64b_rotate_up_3(x) - -/* Rotates a state word down by 2 positions in the fixsliced representation */ -#define gift64b_rotate_down_2(x) gift64b_rotate_up_2(x) - -/* Rotates a state word down by 3 positions in the fixsliced representation */ -#define gift64b_rotate_down_3(x) gift64b_rotate_up_1(x) - -/* Permutation code to rearrange key bits into fixsliced form. Permutations - * generated wth "http://programming.sirrida.de/calcperm.php" */ -#define gift64b_rearrange1_transpose_low(out, in) \ - do { \ - out = (in) & 0x0000FFFFU; \ - /* 0 8 16 24 3 11 19 27 2 10 18 26 1 9 17 25 * */ \ - bit_permute_step(out, 0x0000CCCCU, 16); \ - bit_permute_step(out, 0x30030330U, 2); \ - bit_permute_step(out, 0x00960096U, 8); \ - bit_permute_step(out, 0x05500550U, 1); \ - bit_permute_step(out, 0x0A0A0A0AU, 4); \ - } while (0) -#define gift64b_rearrange1_transpose_high(out, in) \ - do { \ - out = (in) >> 16; \ - /* 0 8 16 24 3 11 19 27 2 10 18 26 1 9 17 25 * */ \ - bit_permute_step(out, 0x0000CCCCU, 16); \ - bit_permute_step(out, 0x30030330U, 2); \ - bit_permute_step(out, 0x00960096U, 8); \ - bit_permute_step(out, 0x05500550U, 1); \ - bit_permute_step(out, 0x0A0A0A0AU, 4); \ - } while (0) -#define gift64b_rearrange1_low(out, in) \ - do { \ - out = (in) & 0x0000FFFFU; \ - /* 0 1 2 3 24 25 26 27 16 17 18 19 8 9 10 11 * */ \ - out = (out & 0x0000000FU) | ((out & 0x00000F00U) << 8) | \ - ((out & 0x000000F0U) << 20) | ((out & 0x0000F000U) >> 4); \ - } while (0) -#define gift64b_rearrange1_high(out, in) \ - do { \ - out = (in) >> 16; \ - /* 0 1 2 3 24 25 26 27 16 17 18 19 8 9 10 11 * */ \ - out = (out & 0x0000000FU) | ((out & 0x00000F00U) << 8) | \ - ((out & 0x000000F0U) << 20) | ((out & 0x0000F000U) >> 4); \ - } while (0) 
-#define gift64b_rearrange2_transpose_low(out, in) \ - do { \ - out = (in) & 0x0000FFFFU; \ - /* 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 * */ \ - bit_permute_step(out, 0x0A0A0A0AU, 3); \ - bit_permute_step(out, 0x00CC00CCU, 6); \ - bit_permute_step(out, 0x0000F0F0U, 12); \ - bit_permute_step(out, 0x0000FF00U, 8); \ - } while (0) -#define gift64b_rearrange2_transpose_high(out, in) \ - do { \ - out = (in) >> 16; \ - /* 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 * */ \ - bit_permute_step(out, 0x0A0A0A0AU, 3); \ - bit_permute_step(out, 0x00CC00CCU, 6); \ - bit_permute_step(out, 0x0000F0F0U, 12); \ - bit_permute_step(out, 0x0000FF00U, 8); \ - } while (0) -#define gift64b_rearrange2_low(out, in) \ - do { \ - out = (in) & 0x0000FFFFU; \ - /* 0 1 2 3 8 9 10 11 16 17 18 19 24 25 26 27 * */ \ - out = (out & 0x0000000FU) | ((out & 0x000000F0U) << 4) | \ - ((out & 0x00000F00U) << 8) | ((out & 0x0000F000U) << 12); \ - } while (0) -#define gift64b_rearrange2_high(out, in) \ - do { \ - out = (in) >> 16; \ - /* 0 1 2 3 8 9 10 11 16 17 18 19 24 25 26 27 * */ \ - out = (out & 0x0000000FU) | ((out & 0x000000F0U) << 4) | \ - ((out & 0x00000F00U) << 8) | ((out & 0x0000F000U) << 12); \ - } while (0) - -void gift64n_update_round_keys(gift64n_key_schedule_t *ks) -{ - uint32_t x; - - /* First round */ - gift64b_rearrange1_transpose_low(x, ks->k[3]); - ks->rk[0] = ~(x | (x << 4)); - gift64b_rearrange1_transpose_high(x, ks->k[3]); - ks->rk[1] = x | (x << 4); - - /* Second round */ - gift64b_rearrange1_low(x, ks->k[2]); - x = x | (x << 4); - gift64b_swap_move(x, x, 0x22222222U, 2); - ks->rk[2] = ~x; - gift64b_rearrange1_high(x, ks->k[2]); - x = x | (x << 4); - gift64b_swap_move(x, x, 0x22222222U, 2); - ks->rk[3] = x; - - /* Third round */ - gift64b_rearrange2_transpose_low(x, ks->k[1]); - gift64b_swap_move(x, x, 0x00000F00U, 16); - ks->rk[4] = ~(x | (x << 4)); - gift64b_rearrange2_transpose_high(x, ks->k[1]); - gift64b_swap_move(x, x, 0x00000F00U, 16); - ks->rk[5] = x | (x << 4); - - /* 
Fourth round */ - gift64b_rearrange2_low(x, ks->k[0]); - ks->rk[6] = ~(x | (x << 4)); - gift64b_rearrange2_high(x, ks->k[0]); - ks->rk[7] = x | (x << 4); -} - -/** - * \brief Perform the core of GIFT-64 encryption on two blocks in parallel. - * - * \param ks Points to the key schedule to use to encrypt the blocks. - * \param state Buffer containing the two blocks in bit-sliced form, - * on input and output. - * \param Tweak value or zero if there is no tweak. - */ -static void gift64b_encrypt_core - (const gift64n_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) -{ - const uint32_t *rc = GIFT64_RC; - uint32_t s0, s1, s2, s3, temp; - uint32_t rk[8]; - uint8_t round; - - /* Start with the pre-computed round keys for the first four rounds */ - memcpy(rk, ks->rk, sizeof(ks->rk)); - - /* Load the state into local variables */ - s0 = state[0]; - s1 = state[1]; - s2 = state[2]; - s3 = state[3]; - - /* Perform all 28 rounds four at a time. We use the "fixslicing" method. - * - * The permutation is restructured so that one of the words each round - * does not need to be permuted, with the others rotating left, up, right, - * and down to keep the bits in line with their non-moving counterparts. - * This reduces the number of shifts required significantly. - * - * At the end of four rounds, the bit ordering will return to the - * original position. We then repeat the process for the next 4 rounds. 
- */ - for (round = 0; round < 28; round += 4, rc += 4) { - /* 1st round - S-box, rotate left, add round key */ - gift64b_sbox(s0, s1, s2, s3); - s1 = gift64b_rotate_left_1(s1); - s2 = gift64b_rotate_left_2(s2); - s0 = gift64b_rotate_left_3(s0); - s3 ^= rk[0]; - s1 ^= rk[1]; - s0 ^= rc[0]; - - /* 2nd round - S-box, rotate up, add round key (s0 and s3 swapped) */ - gift64b_sbox(s3, s1, s2, s0); - s1 = gift64b_rotate_up_1(s1); - s2 = gift64b_rotate_up_2(s2); - s3 = gift64b_rotate_up_3(s3); - s0 ^= rk[2]; - s1 ^= rk[3]; - s3 ^= rc[1]; - - /* 3rd round - S-box, rotate right, add round key */ - gift64b_sbox(s0, s1, s2, s3); - s1 = gift64b_rotate_right_1(s1); - s2 = gift64b_rotate_right_2(s2); - s0 = gift64b_rotate_right_3(s0); - s3 ^= rk[4]; - s1 ^= rk[5]; - s0 ^= rc[2]; - - /* 4th round - S-box, rotate down, add round key (s0 and s3 swapped) */ - gift64b_sbox(s3, s1, s2, s0); - s1 = gift64b_rotate_down_1(s1); - s2 = gift64b_rotate_down_2(s2); - s3 = gift64b_rotate_down_3(s3); - s0 ^= rk[6]; - s1 ^= rk[7]; - s3 ^= rc[3]; - - /* Add the tweak every four encryption rounds except the last */ - if (round < 24) - s2 ^= tweak; - - /* Derive the round keys for the next 4 rounds */ - rk[0] = gift64b_rotate_left_1(rk[0]); - rk[1] = (gift64b_rotate_left_3(rk[1]) << 16) | (rk[1] >> 16); - rk[2] = rightRotate8(rk[2]); - temp = gift64b_rotate_left_2(rk[3]); - rk[3] = (temp & 0x99999999U) | leftRotate8(temp & 0x66666666U); - rk[4] = gift64b_rotate_left_3(rk[4]); - temp = rightRotate16(rk[5]); - rk[5] = (gift64b_rotate_left_1(temp) & 0x00FFFF00U) | - (temp & 0xFF0000FFU); - rk[6] = leftRotate8(rk[6]); - temp = gift64b_rotate_left_2(rk[7]); - rk[7] = (temp & 0x33333333U) | rightRotate8(temp & 0xCCCCCCCCU); - } - - /* Copy the local variables to the output state */ - state[0] = s0; - state[1] = s1; - state[2] = s2; - state[3] = s3; -} - -/** - * \brief Perform the core of GIFT-64 decryption on two blocks in parallel. 
- * - * \param ks Points to the key schedule to use to encrypt the blocks. - * \param state Buffer containing the two blocks in bit-sliced form, - * on input and output. - * \param Tweak value or zero if there is no tweak. - */ -static void gift64b_decrypt_core - (const gift64n_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) -{ - const uint32_t *rc = GIFT64_RC + 28 - 4; - uint32_t s0, s1, s2, s3, temp; - uint32_t rk[8]; - uint8_t round; - - /* Start with the pre-computed round keys for the first four rounds */ - memcpy(rk, ks->rk, sizeof(ks->rk)); - - /* Fast forward the key schedule to the end by permuting each round - * key by the amount it would see under the full set of rounds. - * Generated with "http://programming.sirrida.de/calcperm.php" */ - /* P0: 1 2 3 0 5 6 7 4 9 10 11 8 13 14 15 12 17 18 - * 19 16 21 22 23 20 25 26 27 24 29 30 31 28 */ - rk[0] = ((rk[0] & 0x77777777U) << 1) | ((rk[0] & 0x88888888U) >> 3); - /* P1: 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 - * 31 3 0 1 2 7 4 5 6 11 8 9 10 15 12 13 14 */ - rk[1] = ((rk[1] & 0xEEEE0000U) >> 17) | ((rk[1] & 0x0000FFFFU) << 16) | - ((rk[1] & 0x11110000U) >> 13); - /* P2: 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 - * 24 25 26 27 28 29 30 31 0 1 2 3 4 5 6 7 */ - rk[2] = leftRotate8(rk[2]); - /* P3: 2 27 24 1 6 31 28 5 10 3 0 9 14 7 4 13 18 11 - * 8 17 22 15 12 21 26 19 16 25 30 23 20 29 */ - rk[3] = ((rk[3] & 0x11111111U) << 2) | leftRotate22(rk[3] & 0x44444444U) | - leftRotate26(rk[3] & 0x22222222U) | ((rk[3] & 0x88888888U) >> 2); - /* P4: 3 0 1 2 7 4 5 6 11 8 9 10 15 12 13 14 19 16 - * 17 18 23 20 21 22 27 24 25 26 31 28 29 30 */ - rk[4] = ((rk[4] & 0x11111111U) << 3) | ((rk[4] & 0xEEEEEEEEU) >> 1); - /* P5: 16 17 18 19 20 21 22 23 25 26 27 24 29 30 31 - * 28 1 2 3 0 5 6 7 4 8 9 10 11 12 13 14 15 */ - rk[5] = leftRotate13(rk[5] & 0x00888800U) | - leftRotate16(rk[5] & 0xFF0000FFU) | - leftRotate17(rk[5] & 0x00777700U); - /* P6: 24 25 26 27 28 29 30 31 0 1 2 3 4 5 6 7 8 9 10 - * 11 12 13 14 15 16 
17 18 19 20 21 22 23 */ - rk[6] = leftRotate24(rk[6]); - /* P7: 2 3 8 9 6 7 12 13 10 11 16 17 14 15 20 21 18 19 - * 24 25 22 23 28 29 26 27 0 1 30 31 4 5 */ - rk[7] = ((rk[7] & 0x33333333U) << 2) | leftRotate6(rk[7] & 0xCCCCCCCCU); - - /* Load the state into local variables */ - s0 = state[0]; - s1 = state[1]; - s2 = state[2]; - s3 = state[3]; - - /* Perform all 28 rounds four at a time. We use the "fixslicing" method. - * - * The permutation is restructured so that one of the words each round - * does not need to be permuted, with the others rotating left, up, right, - * and down to keep the bits in line with their non-moving counterparts. - * This reduces the number of shifts required significantly. - * - * At the end of four rounds, the bit ordering will return to the - * original position. We then repeat the process for the next 4 rounds. - */ - for (round = 0; round < 28; round += 4, rc -= 4) { - /* Derive the round keys for the previous 4 rounds */ - rk[0] = gift64b_rotate_right_1(rk[0]); - temp = rk[1] >> 16; - rk[1] = gift64b_rotate_right_3(temp) | (rk[1] << 16); - rk[2] = leftRotate8(rk[2]); - temp = (rk[3] & 0x99999999U) | rightRotate8(rk[3] & 0x66666666U); - rk[3] = gift64b_rotate_right_2(temp); - rk[4] = gift64b_rotate_right_3(rk[4]); - temp = (gift64b_rotate_right_1(rk[5]) & 0x00FFFF00U) | - (rk[5] & 0xFF0000FFU); - rk[5] = leftRotate16(temp); - rk[6] = rightRotate8(rk[6]); - temp = (rk[7] & 0x33333333U) | leftRotate8(rk[7] & 0xCCCCCCCCU); - rk[7] = gift64b_rotate_right_2(temp); - - /* Add the tweak every four decryption rounds except the first */ - if (round != 0) - s2 ^= tweak; - - /* 4th round - S-box, rotate down, add round key (s0 and s3 swapped) */ - s0 ^= rk[6]; - s1 ^= rk[7]; - s3 ^= rc[3]; - s1 = gift64b_rotate_up_1(s1); - s2 = gift64b_rotate_up_2(s2); - s3 = gift64b_rotate_up_3(s3); - gift64b_inv_sbox(s0, s1, s2, s3); - - /* 3rd round - S-box, rotate right, add round key */ - s3 ^= rk[4]; - s1 ^= rk[5]; - s0 ^= rc[2]; - s1 = 
gift64b_rotate_left_1(s1); - s2 = gift64b_rotate_left_2(s2); - s0 = gift64b_rotate_left_3(s0); - gift64b_inv_sbox(s3, s1, s2, s0); - - /* 2nd round - S-box, rotate up, add round key (s0 and s3 swapped) */ - s0 ^= rk[2]; - s1 ^= rk[3]; - s3 ^= rc[1]; - s1 = gift64b_rotate_down_1(s1); - s2 = gift64b_rotate_down_2(s2); - s3 = gift64b_rotate_down_3(s3); - gift64b_inv_sbox(s0, s1, s2, s3); - - /* 1st round - S-box, rotate left, add round key */ - s3 ^= rk[0]; - s1 ^= rk[1]; - s0 ^= rc[0]; - s1 = gift64b_rotate_right_1(s1); - s2 = gift64b_rotate_right_2(s2); - s0 = gift64b_rotate_right_3(s0); - gift64b_inv_sbox(s3, s1, s2, s0); - } - - /* Copy the local variables to the output state */ - state[0] = s0; - state[1] = s1; - state[2] = s2; - state[3] = s3; -} - -void gift64n_init(gift64n_key_schedule_t *ks, const unsigned char *key) -{ - /* Use the little-endian byte order from the LOTUS-AEAD submission */ - ks->k[0] = le_load_word32(key + 12); - ks->k[1] = le_load_word32(key + 8); - ks->k[2] = le_load_word32(key + 4); - ks->k[3] = le_load_word32(key); - gift64n_update_round_keys(ks); -} - -/** - * \brief Converts the GIFT-64 nibble-based representation into word-based - * (littlen-endian version). - * - * \param output Output buffer to write the word-based version to. - * \param input Input buffer to read the nibble-based version from. - * - * The output words will be in fixsliced form. Technically the output will - * contain two blocks for gift64b_encrypt_core() to process in parallel but - * both blocks will have the same value. 
- */ -static void gift64n_to_words(uint32_t output[4], const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Load the input block into 32-bit words */ - s0 = le_load_word32(input); - s2 = le_load_word32(input + 4); - - /* Rearrange the bits in the block */ - gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); - gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); - gift64b_swap_move(s0, s0, 0x0000FF00U, 8); - gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); - gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); - gift64b_swap_move(s2, s2, 0x0000FF00U, 8); - - /* Split into two identical blocks in fixsliced form */ - s1 = s0; - s3 = s2; - gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); - gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); - gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); - gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -} - -/** - * \brief Converts the GIFT-64 word-based representation into nibble-based - * (little-endian version). - * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. - * - * The input words are in fixsliced form. Technically there are two - * identical blocks in the input. We drop one when we write to the output. 
- */ -static void gift64n_to_nibbles(unsigned char *output, const uint32_t input[4]) -{ - uint32_t s0, s1, s2, s3; - - /* Load the state and split the two blocks into separate words */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); - gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); - gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); - gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); - - /* Rearrange the bits in the first block back into nibble form */ - gift64b_swap_move(s0, s0, 0x0000FF00U, 8); - gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); - gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); - gift64b_swap_move(s2, s2, 0x0000FF00U, 8); - gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); - gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); - le_store_word32(output, s0); - le_store_word32(output + 4, s2); -} - -void gift64n_encrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t state[4]; - gift64n_to_words(state, input); - gift64b_encrypt_core(ks, state, 0); - gift64n_to_nibbles(output, state); -} - -void gift64n_decrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t state[4]; - gift64n_to_words(state, input); - gift64b_decrypt_core(ks, state, 0); - gift64n_to_nibbles(output, state); -} - -/* 4-bit tweak values expanded to 32-bit in fixsliced form */ -static uint32_t const GIFT64_tweaks[16] = { - 0x00000000, 0xee11ee11, 0xdd22dd22, 0x33333333, 0xbb44bb44, 0x55555555, - 0x66666666, 0x88778877, 0x77887788, 0x99999999, 0xaaaaaaaa, 0x44bb44bb, - 0xcccccccc, 0x22dd22dd, 0x11ee11ee, 0xffffffff -}; - -void gift64t_encrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint16_t tweak) -{ - uint32_t state[4]; - gift64n_to_words(state, input); - gift64b_encrypt_core(ks, state, GIFT64_tweaks[tweak & 0x0F]); - gift64n_to_nibbles(output, state); -} - -void gift64t_decrypt - (const 
gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint16_t tweak) -{ - uint32_t state[4]; - gift64n_to_words(state, input); - gift64b_decrypt_core(ks, state, GIFT64_tweaks[tweak & 0x0F]); - gift64n_to_nibbles(output, state); -} - -#elif !defined(__AVR__) /* GIFT64_LOW_MEMORY */ - -/* Round constants for GIFT-64 */ -static uint8_t const GIFT64_RC[28] = { - 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, - 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, - 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, - 0x21, 0x02, 0x05, 0x0B -}; - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint16_t y = (_y); \ - uint16_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step_simple */ -#define bit_permute_step_simple(_y, mask, shift) \ - do { \ - (_y) = (((_y) & (mask)) << (shift)) | (((_y) >> (shift)) & (mask)); \ - } while (0) - -/* - * The permutation below was generated by the online permuation generator at - * "http://programming.sirrida.de/calcperm.php". - * - * All of the permutuations are essentially the same, except that each is - * rotated by 4 bits with respect to the next: - * - * P0: 0 12 8 4 1 13 9 5 2 14 10 6 3 15 11 7 - * P1: 4 0 12 8 5 1 13 9 6 2 14 10 7 3 15 11 - * P2: 8 4 0 12 9 5 1 13 10 6 2 14 11 7 3 15 - * P3: 12 8 4 0 13 9 5 1 14 10 6 2 15 11 7 3 - * - * The most efficient permutation from the online generator was P1, so we - * perform it as the core of the others, and then perform a final rotation. - * - * It is possible to do slightly better than "P1 then rotate" on desktop and - * server architectures for the other permutations. But the advantage isn't - * as evident on embedded platforms so we keep things simple. 
- */ -#define PERM1_INNER(x) \ - do { \ - bit_permute_step(x, 0x0a0a, 3); \ - bit_permute_step(x, 0x00cc, 6); \ - bit_permute_step_simple(x, 0x0f0f, 4); \ - } while (0) -#define PERM0(x) \ - do { \ - uint32_t _x = (x); \ - PERM1_INNER(_x); \ - (x) = leftRotate12_16(_x); \ - } while (0) -#define PERM1(x) PERM1_INNER(x) -#define PERM2(x) \ - do { \ - uint32_t _x = (x); \ - PERM1_INNER(_x); \ - (x) = leftRotate4_16(_x); \ - } while (0) -#define PERM3(x) \ - do { \ - uint32_t _x = (x); \ - PERM1_INNER(_x); \ - (x) = leftRotate8_16(_x); \ - } while (0) - -#define INV_PERM1_INNER(x) \ - do { \ - bit_permute_step(x, 0x0505, 5); \ - bit_permute_step(x, 0x00cc, 6); \ - bit_permute_step_simple(x, 0x0f0f, 4); \ - } while (0) -#define INV_PERM0(x) \ - do { \ - uint32_t _x = rightRotate12_16(x); \ - INV_PERM1_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM1(x) INV_PERM1_INNER(x) -#define INV_PERM2(x) \ - do { \ - uint32_t _x = rightRotate4_16(x); \ - INV_PERM1_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM3(x) \ - do { \ - uint32_t _x = rightRotate8_16(x); \ - INV_PERM1_INNER(_x); \ - (x) = _x; \ - } while (0) - -/** - * \brief Encrypts a 64-bit block with GIFT-64 (bit-sliced). - * - * \param ks Points to the GIFT-64 key schedule. - * \param output Output buffer which must be at least 8 bytes in length. - * \param input Input buffer which must be at least 8 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. 
- */ -static void gift64b_encrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint16_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word16(input); - s1 = be_load_word16(input + 2); - s2 = be_load_word16(input + 4); - s3 = be_load_word16(input + 6); - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[0]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[3]; - - /* Perform all 28 rounds */ - for (round = 0; round < 28; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 64-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s0 ^= (uint16_t)w3; - s1 ^= (uint16_t)(w3 >> 16); - s3 ^= 0x8000U ^ GIFT64_RC[round]; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word16(output, s0); - be_store_word16(output + 2, s1); - be_store_word16(output + 4, s2); - be_store_word16(output + 6, s3); -} - -/** - * \brief Decrypts a 64-bit block with GIFT-64 (bit-sliced). - * - * \param ks Points to the GIFT-64 key schedule. - * \param output Output buffer which must be at least 8 bytes in length. - * \param input Input buffer which must be at least 8 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place decryption. 
- */ -static void gift64b_decrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint16_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the ciphertext into the state buffer and convert from big endian */ - s0 = be_load_word16(input); - s1 = be_load_word16(input + 2); - s2 = be_load_word16(input + 4); - s3 = be_load_word16(input + 6); - - /* Generate the decryption key at the end of the last round. - * - * To do that, we run the block operation forward to determine the - * final state of the key schedule after the last round: - * - * w0 = ks->k[0]; - * w1 = ks->k[1]; - * w2 = ks->k[2]; - * w3 = ks->k[3]; - * for (round = 0; round < 28; ++round) { - * temp = w3; - * w3 = w2; - * w2 = w1; - * w1 = w0; - * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - * } - * - * We can short-cut all of the above by noticing that we don't need - * to do the word rotations. Every 4 rounds, the rotation alignment - * returns to the original position and each word has been rotated - * by applying the "2 right and 4 left" bit-rotation step to it. - * We then repeat that 7 times for the full 28 rounds. The overall - * effect is to apply a "14 right and 28 left" bit-rotation to every word - * in the key schedule. That is equivalent to "14 right and 12 left" - * on the 16-bit sub-words. 
- */ - w0 = ks->k[0]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[3]; - w0 = ((w0 & 0xC0000000U) >> 14) | ((w0 & 0x3FFF0000U) << 2) | - ((w0 & 0x0000000FU) << 12) | ((w0 & 0x0000FFF0U) >> 4); - w1 = ((w1 & 0xC0000000U) >> 14) | ((w1 & 0x3FFF0000U) << 2) | - ((w1 & 0x0000000FU) << 12) | ((w1 & 0x0000FFF0U) >> 4); - w2 = ((w2 & 0xC0000000U) >> 14) | ((w2 & 0x3FFF0000U) << 2) | - ((w2 & 0x0000000FU) << 12) | ((w2 & 0x0000FFF0U) >> 4); - w3 = ((w3 & 0xC0000000U) >> 14) | ((w3 & 0x3FFF0000U) << 2) | - ((w3 & 0x0000000FU) << 12) | ((w3 & 0x0000FFF0U) >> 4); - - /* Perform all 28 rounds */ - for (round = 28; round > 0; --round) { - /* Rotate the key schedule backwards */ - temp = w0; - w0 = w1; - w1 = w2; - w2 = w3; - w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | - ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s0 ^= (uint16_t)w3; - s1 ^= (uint16_t)(w3 >> 16); - s3 ^= 0x8000U ^ GIFT64_RC[round - 1]; - - /* InvPermBits - apply the inverse of the 128-bit permutation */ - INV_PERM0(s0); - INV_PERM1(s1); - INV_PERM2(s2); - INV_PERM3(s3); - - /* InvSubCells - apply the inverse of the S-box */ - temp = s0; - s0 = s3; - s3 = temp; - s2 ^= s0 & s1; - s3 ^= 0xFFFFU; - s1 ^= s3; - s3 ^= s2; - s2 ^= s0 | s1; - s0 ^= s1 & s3; - s1 ^= s0 & s2; - } - - /* Pack the state into the plaintext buffer in big endian */ - be_store_word16(output, s0); - be_store_word16(output + 2, s1); - be_store_word16(output + 4, s2); - be_store_word16(output + 6, s3); -} - -void gift64n_init(gift64n_key_schedule_t *ks, const unsigned char *key) -{ - /* Use the little-endian byte order from the LOTUS-AEAD submission */ - ks->k[0] = le_load_word32(key + 12); - ks->k[1] = le_load_word32(key + 8); - ks->k[2] = le_load_word32(key + 4); - ks->k[3] = le_load_word32(key); -} - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step_32(_y, mask, shift) \ - do { \ - uint32_t 
y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/** - * \brief Converts the GIFT-64 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. - * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift64n_to_words - (unsigned char *output, const unsigned char *input) -{ - uint32_t s0, s1; - - /* Load the input buffer into 32-bit words. We use the nibble order from - * the LOTUS-AEAD submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-64 paper. Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 4); - s1 = le_load_word32(input); - - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". - */ - #define PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step_32(x, 0x0a0a0a0a, 3); \ - bit_permute_step_32(x, 0x00cc00cc, 6); \ - bit_permute_step_32(x, 0x0000f0f0, 12); \ - bit_permute_step_32(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - PERM_WORDS(s0); - PERM_WORDS(s1); - - /* Rearrange the bytes and write them to the output buffer */ - output[0] = (uint8_t)s0; - output[1] = (uint8_t)s1; - output[2] = (uint8_t)(s0 >> 8); - output[3] = (uint8_t)(s1 >> 8); - output[4] = (uint8_t)(s0 >> 16); - output[5] = (uint8_t)(s1 >> 16); - output[6] = (uint8_t)(s0 >> 24); - output[7] = (uint8_t)(s1 >> 24); -} - -/** - * \brief Converts the GIFT-64 word-based representation into nibble-based. - * - * \param output Output buffer to write the nibble-based version to. 
- * \param input Input buffer to read the word-based version from. - */ -static void gift64n_to_nibbles - (unsigned char *output, const unsigned char *input) -{ - uint32_t s0, s1; - - /* Load the input bytes and rearrange them so that s0 contains the - * most significant nibbles and s1 contains the least significant */ - s0 = (((uint32_t)(input[6])) << 24) | - (((uint32_t)(input[4])) << 16) | - (((uint32_t)(input[2])) << 8) | - ((uint32_t)(input[0])); - s1 = (((uint32_t)(input[7])) << 24) | - (((uint32_t)(input[5])) << 16) | - (((uint32_t)(input[3])) << 8) | - ((uint32_t)(input[1])); - - /* Apply the inverse of PERM_WORDS() from the function above */ - #define INV_PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step_32(x, 0x00aa00aa, 7); \ - bit_permute_step_32(x, 0x0000cccc, 14); \ - bit_permute_step_32(x, 0x00f000f0, 4); \ - bit_permute_step_32(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - INV_PERM_WORDS(s0); - INV_PERM_WORDS(s1); - - /* Store the result into the output buffer as 32-bit words */ - le_store_word32(output + 4, s0); - le_store_word32(output, s1); -} - -void gift64n_encrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - gift64n_to_words(output, input); - gift64b_encrypt(ks, output, output); - gift64n_to_nibbles(output, output); -} - -void gift64n_decrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - gift64n_to_words(output, input); - gift64b_decrypt(ks, output, output); - gift64n_to_nibbles(output, output); -} - -void gift64t_encrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint16_t tweak) -{ - uint16_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer and convert from nibbles */ - gift64n_to_words(output, input); - s0 = be_load_word16(output); - s1 = be_load_word16(output + 2); - s2 = be_load_word16(output + 4); 
- s3 = be_load_word16(output + 6);
-
- /* The key schedule is initialized with the key itself */
- w0 = ks->k[0];
- w1 = ks->k[1];
- w2 = ks->k[2];
- w3 = ks->k[3];
-
- /* Perform all 28 rounds */
- for (round = 0; round < 28; ++round) {
- /* SubCells - apply the S-box */
- s1 ^= s0 & s2;
- s0 ^= s1 & s3;
- s2 ^= s0 | s1;
- s3 ^= s2;
- s1 ^= s3;
- s3 ^= 0xFFFFU;
- s2 ^= s0 & s1;
- temp = s0;
- s0 = s3;
- s3 = temp;
-
- /* PermBits - apply the 64-bit permutation */
- PERM0(s0);
- PERM1(s1);
- PERM2(s2);
- PERM3(s3);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s0 ^= (uint16_t)w3;
- s1 ^= (uint16_t)(w3 >> 16);
- s3 ^= 0x8000U ^ GIFT64_RC[round];
-
- /* AddTweak - XOR in the tweak every 4 rounds except the last */
- if (((round + 1) % 4) == 0 && round < 27)
- s2 ^= tweak;
-
- /* Rotate the key schedule */
- temp = w3;
- w3 = w2;
- w2 = w1;
- w1 = w0;
- w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- }
-
- /* Pack the state into the ciphertext buffer in nibble form */
- be_store_word16(output, s0);
- be_store_word16(output + 2, s1);
- be_store_word16(output + 4, s2);
- be_store_word16(output + 6, s3);
- gift64n_to_nibbles(output, output);
-}
-
-void gift64t_decrypt
- (const gift64n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint16_t tweak)
-{
- uint16_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the ciphertext into the state buffer and convert from nibbles */
- gift64n_to_words(output, input);
- s0 = be_load_word16(output);
- s1 = be_load_word16(output + 2);
- s2 = be_load_word16(output + 4);
- s3 = be_load_word16(output + 6);
-
- /* Generate the decryption key at the end of the last round.
- *
- * To do that, we run the block operation forward to determine the
- * final state of the key schedule after the last round:
- *
- * w0 = ks->k[0];
- * w1 = ks->k[1];
- * w2 = ks->k[2];
- * w3 = ks->k[3];
- * for (round = 0; round < 28; ++round) {
- * temp = w3;
- * w3 = w2;
- * w2 = w1;
- * w1 = w0;
- * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- * }
- *
- * We can short-cut all of the above by noticing that we don't need
- * to do the word rotations. Every 4 rounds, the rotation alignment
- * returns to the original position and each word has been rotated
- * by applying the "2 right and 4 left" bit-rotation step to it.
- * We then repeat that 7 times for the full 28 rounds. The overall
- * effect is to apply a "14 right and 28 left" bit-rotation to every word
- * in the key schedule. That is equivalent to "14 right and 12 left"
- * on the 16-bit sub-words.
- */
- w0 = ks->k[0];
- w1 = ks->k[1];
- w2 = ks->k[2];
- w3 = ks->k[3];
- w0 = ((w0 & 0xC0000000U) >> 14) | ((w0 & 0x3FFF0000U) << 2) |
- ((w0 & 0x0000000FU) << 12) | ((w0 & 0x0000FFF0U) >> 4);
- w1 = ((w1 & 0xC0000000U) >> 14) | ((w1 & 0x3FFF0000U) << 2) |
- ((w1 & 0x0000000FU) << 12) | ((w1 & 0x0000FFF0U) >> 4);
- w2 = ((w2 & 0xC0000000U) >> 14) | ((w2 & 0x3FFF0000U) << 2) |
- ((w2 & 0x0000000FU) << 12) | ((w2 & 0x0000FFF0U) >> 4);
- w3 = ((w3 & 0xC0000000U) >> 14) | ((w3 & 0x3FFF0000U) << 2) |
- ((w3 & 0x0000000FU) << 12) | ((w3 & 0x0000FFF0U) >> 4);
-
- /* Perform all 28 rounds */
- for (round = 28; round > 0; --round) {
- /* Rotate the key schedule backwards */
- temp = w0;
- w0 = w1;
- w1 = w2;
- w2 = w3;
- w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) |
- ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12);
-
- /* AddTweak - XOR in the tweak every 4 rounds except the last */
- if ((round % 4) == 0 && round != 28)
- s2 ^= tweak;
-
- /* AddRoundKey - XOR in the key schedule and the round
constant */
- s0 ^= (uint16_t)w3;
- s1 ^= (uint16_t)(w3 >> 16);
- s3 ^= 0x8000U ^ GIFT64_RC[round - 1];
-
- /* InvPermBits - apply the inverse of the 128-bit permutation */
- INV_PERM0(s0);
- INV_PERM1(s1);
- INV_PERM2(s2);
- INV_PERM3(s3);
-
- /* InvSubCells - apply the inverse of the S-box */
- temp = s0;
- s0 = s3;
- s3 = temp;
- s2 ^= s0 & s1;
- s3 ^= 0xFFFFU;
- s1 ^= s3;
- s3 ^= s2;
- s2 ^= s0 | s1;
- s0 ^= s1 & s3;
- s1 ^= s0 & s2;
- }
-
- /* Pack the state into the plaintext buffer in nibble form */
- be_store_word16(output, s0);
- be_store_word16(output + 2, s1);
- be_store_word16(output + 4, s2);
- be_store_word16(output + 6, s3);
- gift64n_to_nibbles(output, output);
-}
-
-#endif /* GIFT64_LOW_MEMORY */
diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/internal-gift64.h b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/internal-gift64.h
deleted file mode 100644
index 010359b..0000000
--- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/internal-gift64.h
+++ /dev/null
@@ -1,191 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_GIFT64_H
-#define LW_INTERNAL_GIFT64_H
-
-/**
- * \file internal-gift64.h
- * \brief GIFT-64 block cipher.
- *
- * References: https://eprint.iacr.org/2017/622.pdf,
- * https://eprint.iacr.org/2020/412.pdf,
- * https://giftcipher.github.io/gift/
- */
-
-#include
-#include
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \var GIFT64_LOW_MEMORY
- * \brief Define this to 1 to use a low memory version of the key schedule.
- *
- * The default is to use the fix-sliced version of GIFT-64 which is very
- * fast on 32-bit platforms but requires 48 bytes to store the key schedule.
- * The large key schedule may be a problem on 8-bit and 16-bit platforms.
- * The fix-sliced version also encrypts two blocks at a time in 32-bit
- * words which is an unnecessary optimization for 8-bit platforms.
- *
- * GIFT64_LOW_MEMORY can be defined to 1 to select the original non
- * fix-sliced version which only requires 16 bytes to store the key,
- * with the rest of the key schedule expanded on the fly.
- */
-#if !defined(GIFT64_LOW_MEMORY)
-#if defined(__AVR__)
-#define GIFT64_LOW_MEMORY 1
-#else
-#define GIFT64_LOW_MEMORY 0
-#endif
-#endif
-
-/**
- * \brief Size of a GIFT-64 block in bytes.
- */
-#define GIFT64_BLOCK_SIZE 8
-
-/**
- * \brief Structure of the key schedule for GIFT-64.
- */
-typedef struct
-{
- uint32_t k[4]; /**< Words of the key schedule */
-#if !GIFT64_LOW_MEMORY
- uint32_t rk[8]; /**< Pre-computed round keys for fixsliced form */
-#endif
-
-} gift64n_key_schedule_t;
-
-/**
- * \fn void gift64n_update_round_keys(gift64n_key_schedule_t *ks);
- * \brief Updates the round keys after a change in the base key.
- *
- * \param ks Points to the key schedule to update.
- */
-#if GIFT64_LOW_MEMORY
-#define gift64n_update_round_keys(ks) do { ; } while (0) /* Not needed */
-#else
-void gift64n_update_round_keys(gift64n_key_schedule_t *ks);
-#endif
-
-/**
- * \brief Initializes the key schedule for GIFT-64 (nibble-based).
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the 16 bytes of the key data.
- */
-void gift64n_init(gift64n_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 64-bit block with GIFT-64 (nibble-based).
- *
- * \param ks Points to the GIFT-64 key schedule.
- * \param output Output buffer which must be at least 8 bytes in length.
- * \param input Input buffer which must be at least 8 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void gift64n_encrypt
- (const gift64n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 64-bit block with GIFT-64 (nibble-based).
- *
- * \param ks Points to the GIFT-64 key schedule.
- * \param output Output buffer which must be at least 8 bytes in length.
- * \param input Input buffer which must be at least 8 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- */
-void gift64n_decrypt
- (const gift64n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/* 4-bit tweak values expanded to 16-bit for TweGIFT-64 */
-#define GIFT64T_TWEAK_0 0x0000 /**< TweGIFT-64 tweak value 0 */
-#define GIFT64T_TWEAK_1 0xe1e1 /**< TweGIFT-64 tweak value 1 */
-#define GIFT64T_TWEAK_2 0xd2d2 /**< TweGIFT-64 tweak value 2 */
-#define GIFT64T_TWEAK_3 0x3333 /**< TweGIFT-64 tweak value 3 */
-#define GIFT64T_TWEAK_4 0xb4b4 /**< TweGIFT-64 tweak value 4 */
-#define GIFT64T_TWEAK_5 0x5555 /**< TweGIFT-64 tweak value 5 */
-#define GIFT64T_TWEAK_6 0x6666 /**< TweGIFT-64 tweak value 6 */
-#define GIFT64T_TWEAK_7 0x8787 /**< TweGIFT-64 tweak value 7 */
-#define GIFT64T_TWEAK_8 0x7878 /**< TweGIFT-64 tweak value 8 */
-#define GIFT64T_TWEAK_9 0x9999 /**< TweGIFT-64 tweak value 9 */
-#define GIFT64T_TWEAK_10 0xaaaa /**< TweGIFT-64 tweak value 10 */
-#define GIFT64T_TWEAK_11 0x4b4b /**< TweGIFT-64 tweak value 11 */
-#define GIFT64T_TWEAK_12 0xcccc /**< TweGIFT-64 tweak value 12 */
-#define GIFT64T_TWEAK_13 0x2d2d /**< TweGIFT-64 tweak value 13 */
-#define GIFT64T_TWEAK_14 0x1e1e /**< TweGIFT-64 tweak value 14 */
-#define GIFT64T_TWEAK_15 0xffff /**< TweGIFT-64 tweak value 15 */
-
-/**
- * \brief Encrypts a 64-bit block with TweGIFT-64 (tweakable variant).
- *
- * \param ks Points to the GIFT-64 key schedule.
- * \param output Output buffer which must be at least 8 bytes in length.
- * \param input Input buffer which must be at least 8 bytes in length.
- * \param tweak 4-bit tweak value expanded to 16-bit.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This variant of GIFT-64 is used by the LOTUS/LOCUS submission to the
- * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to
- * some of the rounds to provide domain separation. If the tweak is
- * zero, then this function is identical to gift64n_encrypt().
- */
-void gift64t_encrypt
- (const gift64n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint16_t tweak);
-
-/**
- * \brief Decrypts a 64-bit block with TweGIFT-64 (tweakable variant).
- *
- * \param ks Points to the GIFT-64 key schedule.
- * \param output Output buffer which must be at least 8 bytes in length.
- * \param input Input buffer which must be at least 8 bytes in length.
- * \param tweak 4-bit tweak value expanded to 16-bit.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This variant of GIFT-64 is used by the LOTUS/LOCUS submission to the
- * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to
- * some of the rounds to provide domain separation. If the tweak is
- * zero, then this function is identical to gift64n_decrypt().
- */
-void gift64t_decrypt
- (const gift64n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint16_t tweak);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/internal-util.h b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- 
(((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- 
do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time.
This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate
by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define 
rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/lotus-locus.c b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/lotus-locus.c deleted file mode 100644 index 4a1efd0..0000000 --- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/lotus-locus.c +++ /dev/null 
@@ -1,436 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "lotus-locus.h" -#include "internal-gift64.h" -#include "internal-util.h" -#include - -aead_cipher_t const lotus_aead_cipher = { - "LOTUS-AEAD", - LOTUS_AEAD_KEY_SIZE, - LOTUS_AEAD_NONCE_SIZE, - LOTUS_AEAD_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - lotus_aead_encrypt, - lotus_aead_decrypt -}; - -aead_cipher_t const locus_aead_cipher = { - "LOCUS-AEAD", - LOCUS_AEAD_KEY_SIZE, - LOCUS_AEAD_NONCE_SIZE, - LOCUS_AEAD_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - locus_aead_encrypt, - locus_aead_decrypt -}; - -/** - * \brief Multiplies a key by 2 in the GF(128) field. - * - * \param ks The key schedule structure containing the key in host byte order. 
- */ -STATIC_INLINE void lotus_or_locus_mul_2(gift64n_key_schedule_t *ks) -{ - uint32_t mask = (uint32_t)(((int32_t)(ks->k[0])) >> 31); - ks->k[0] = (ks->k[0] << 1) | (ks->k[1] >> 31); - ks->k[1] = (ks->k[1] << 1) | (ks->k[2] >> 31); - ks->k[2] = (ks->k[2] << 1) | (ks->k[3] >> 31); - ks->k[3] = (ks->k[3] << 1) ^ (mask & 0x87); - gift64n_update_round_keys(ks); -} - -/** - * \brief Initializes a LOTUS-AEAD or LOCUS-AEAD cipher instance. - * - * \param ks Key schedule to initialize. - * \param deltaN Delta-N value for the cipher state. - * \param key Points to the 16-byte key for the cipher instance. - * \param nonce Points to the 16-byte key for the cipher instance. - * \param T Points to a temporary buffer of LOTUS_AEAD_KEY_SIZE bytes - * that will be destroyed during this function. - */ -static void lotus_or_locus_init - (gift64n_key_schedule_t *ks, - unsigned char deltaN[GIFT64_BLOCK_SIZE], - const unsigned char *key, - const unsigned char *nonce, - unsigned char *T) -{ - gift64n_init(ks, key); - memset(deltaN, 0, GIFT64_BLOCK_SIZE); - gift64t_encrypt(ks, deltaN, deltaN, GIFT64T_TWEAK_0); - lw_xor_block_2_src(T, key, nonce, LOTUS_AEAD_KEY_SIZE); - gift64n_init(ks, T); - gift64t_encrypt(ks, deltaN, deltaN, GIFT64T_TWEAK_1); -} - -/** - * \brief Processes associated data for LOTUS-AEAD or LOCUS-AEAD. - * - * \param ks Points to the key schedule. - * \param deltaN Points to the Delta-N value from the state. - * \param V Points to the V value from the state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes, must be non-zero. 
- */ -static void lotus_or_locus_process_ad - (gift64n_key_schedule_t *ks, - const unsigned char deltaN[GIFT64_BLOCK_SIZE], - unsigned char V[GIFT64_BLOCK_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char X[GIFT64_BLOCK_SIZE]; - unsigned char temp; - while (adlen > GIFT64_BLOCK_SIZE) { - lotus_or_locus_mul_2(ks); - lw_xor_block_2_src(X, ad, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(ks, X, X, GIFT64T_TWEAK_2); - lw_xor_block(V, X, GIFT64_BLOCK_SIZE); - ad += GIFT64_BLOCK_SIZE; - adlen -= GIFT64_BLOCK_SIZE; - } - lotus_or_locus_mul_2(ks); - temp = (unsigned)adlen; - if (temp < GIFT64_BLOCK_SIZE) { - memcpy(X, deltaN, GIFT64_BLOCK_SIZE); - lw_xor_block(X, ad, temp); - X[temp] ^= 0x01; - gift64t_encrypt(ks, X, X, GIFT64T_TWEAK_3); - } else { - lw_xor_block_2_src(X, ad, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(ks, X, X, GIFT64T_TWEAK_2); - } - lw_xor_block(V, X, GIFT64_BLOCK_SIZE); -} - -/** - * \brief Generates the authentication tag for LOTUS-AEAD or LOCUS-AEAD. - * - * \param ks Points to the key schedule. - * \param tag Points to the buffer to receive the authentication tag. - * \param deltaN Points to the Delta-N value from the state. - * \param W Points to the W value from the state. - * \param V Points to the V value from the state. 
- */ -static void lotus_or_locus_gen_tag - (gift64n_key_schedule_t *ks, unsigned char *tag, - unsigned char deltaN[GIFT64_BLOCK_SIZE], - unsigned char W[GIFT64_BLOCK_SIZE], - unsigned char V[GIFT64_BLOCK_SIZE]) -{ - lotus_or_locus_mul_2(ks); - lw_xor_block(W, deltaN, GIFT64_BLOCK_SIZE); - lw_xor_block(W, V, GIFT64_BLOCK_SIZE); - gift64t_encrypt(ks, W, W, GIFT64T_TWEAK_6); - lw_xor_block_2_src(tag, W, deltaN, GIFT64_BLOCK_SIZE); -} - -int lotus_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - gift64n_key_schedule_t ks; - unsigned char WV[GIFT64_BLOCK_SIZE * 2]; - unsigned char deltaN[GIFT64_BLOCK_SIZE]; - unsigned char X1[GIFT64_BLOCK_SIZE]; - unsigned char X2[GIFT64_BLOCK_SIZE]; - unsigned temp; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + LOTUS_AEAD_TAG_SIZE; - - /* Initialize the state with the key and the nonce */ - lotus_or_locus_init(&ks, deltaN, k, npub, WV); - memset(WV, 0, sizeof(WV)); - - /* Process the associated data */ - if (adlen > 0) { - lotus_or_locus_process_ad - (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen); - } - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > (GIFT64_BLOCK_SIZE * 2)) { - lotus_or_locus_mul_2(&ks); - lw_xor_block_2_src(X1, m, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_4); - lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_4); - lw_xor_block_2_src - (X2, m + GIFT64_BLOCK_SIZE, X2, GIFT64_BLOCK_SIZE); - lw_xor_block_2_src(c, X2, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_5); - lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_5); - lw_xor_block_2_src - (c + GIFT64_BLOCK_SIZE, X1, X2, GIFT64_BLOCK_SIZE); - c += 
GIFT64_BLOCK_SIZE * 2; - m += GIFT64_BLOCK_SIZE * 2; - mlen -= GIFT64_BLOCK_SIZE * 2; - } - temp = (unsigned)mlen; - lotus_or_locus_mul_2(&ks); - memcpy(X1, deltaN, GIFT64_BLOCK_SIZE); - X1[0] ^= (unsigned char)temp; - gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_12); - lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_12); - if (temp <= GIFT64_BLOCK_SIZE) { - lw_xor_block(WV, m, temp); - lw_xor_block(X2, m, temp); - lw_xor_block_2_src(c, X2, deltaN, temp); - } else { - lw_xor_block(X2, m, GIFT64_BLOCK_SIZE); - lw_xor_block_2_src(c, X2, deltaN, GIFT64_BLOCK_SIZE); - c += GIFT64_BLOCK_SIZE; - m += GIFT64_BLOCK_SIZE; - temp -= GIFT64_BLOCK_SIZE; - gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13); - lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13); - lw_xor_block(WV, m, temp); - lw_xor_block(X1, X2, temp); - lw_xor_block_2_src(c, X1, m, temp); - } - c += temp; - } - - /* Generate the authentication tag */ - lotus_or_locus_gen_tag(&ks, c, deltaN, WV, WV + GIFT64_BLOCK_SIZE); - return 0; -} - -int lotus_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - gift64n_key_schedule_t ks; - unsigned char WV[GIFT64_BLOCK_SIZE * 2]; - unsigned char deltaN[GIFT64_BLOCK_SIZE]; - unsigned char X1[GIFT64_BLOCK_SIZE]; - unsigned char X2[GIFT64_BLOCK_SIZE]; - unsigned char *mtemp = m; - unsigned temp; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < LOTUS_AEAD_TAG_SIZE) - return -1; - *mlen = clen - LOTUS_AEAD_TAG_SIZE; - - /* Initialize the state with the key and the nonce */ - lotus_or_locus_init(&ks, deltaN, k, npub, WV); - memset(WV, 0, sizeof(WV)); - - /* Process the associated data */ - if (adlen > 0) { - lotus_or_locus_process_ad - (&ks, deltaN, WV + 
GIFT64_BLOCK_SIZE, ad, adlen); - } - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= LOTUS_AEAD_TAG_SIZE; - if (clen > 0) { - while (clen > (GIFT64_BLOCK_SIZE * 2)) { - lotus_or_locus_mul_2(&ks); - lw_xor_block_2_src(X1, c, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_5); - lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_5); - lw_xor_block(X2, c + GIFT64_BLOCK_SIZE, GIFT64_BLOCK_SIZE); - lw_xor_block_2_src(m, X2, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_4); - lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_4); - lw_xor_block_2_src - (m + GIFT64_BLOCK_SIZE, X1, X2, GIFT64_BLOCK_SIZE); - c += GIFT64_BLOCK_SIZE * 2; - m += GIFT64_BLOCK_SIZE * 2; - clen -= GIFT64_BLOCK_SIZE * 2; - } - temp = (unsigned)clen; - lotus_or_locus_mul_2(&ks); - memcpy(X1, deltaN, GIFT64_BLOCK_SIZE); - X1[0] ^= (unsigned char)temp; - gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_12); - lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_12); - if (temp <= GIFT64_BLOCK_SIZE) { - lw_xor_block_2_src(m, X2, c, temp); - lw_xor_block(m, deltaN, temp); - lw_xor_block(X2, m, temp); - lw_xor_block(WV, m, temp); - } else { - lw_xor_block_2_src(m, X2, c, GIFT64_BLOCK_SIZE); - lw_xor_block(m, deltaN, GIFT64_BLOCK_SIZE); - lw_xor_block(X2, m, GIFT64_BLOCK_SIZE); - c += GIFT64_BLOCK_SIZE; - m += GIFT64_BLOCK_SIZE; - temp -= GIFT64_BLOCK_SIZE; - gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13); - lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13); - lw_xor_block(X1, X2, temp); - lw_xor_block_2_src(m, X1, c, temp); - lw_xor_block(WV, m, temp); - } - c += temp; - } - - /* Check the authentication tag */ - lotus_or_locus_gen_tag(&ks, WV, deltaN, WV, WV + GIFT64_BLOCK_SIZE); - return aead_check_tag(mtemp, *mlen, WV, c, LOTUS_AEAD_TAG_SIZE); -} - -int locus_aead_encrypt - (unsigned char *c, 
unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - gift64n_key_schedule_t ks; - unsigned char WV[GIFT64_BLOCK_SIZE * 2]; - unsigned char deltaN[GIFT64_BLOCK_SIZE]; - unsigned char X[GIFT64_BLOCK_SIZE]; - unsigned temp; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + LOCUS_AEAD_TAG_SIZE; - - /* Initialize the state with the key and the nonce */ - lotus_or_locus_init(&ks, deltaN, k, npub, WV); - memset(WV, 0, sizeof(WV)); - - /* Process the associated data */ - if (adlen > 0) { - lotus_or_locus_process_ad - (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen); - } - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > GIFT64_BLOCK_SIZE) { - lotus_or_locus_mul_2(&ks); - lw_xor_block_2_src(X, m, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_4); - lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_4); - lw_xor_block_2_src(c, X, deltaN, GIFT64_BLOCK_SIZE); - c += GIFT64_BLOCK_SIZE; - m += GIFT64_BLOCK_SIZE; - mlen -= GIFT64_BLOCK_SIZE; - } - temp = (unsigned)mlen; - lotus_or_locus_mul_2(&ks); - memcpy(X, deltaN, GIFT64_BLOCK_SIZE); - X[0] ^= (unsigned char)temp; - gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5); - lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); - lw_xor_block(WV, m, temp); - gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5); - lw_xor_block(X, deltaN, temp); - lw_xor_block_2_src(c, m, X, temp); - c += temp; - } - - /* Generate the authentication tag */ - lotus_or_locus_gen_tag(&ks, c, deltaN, WV, WV + GIFT64_BLOCK_SIZE); - return 0; -} - -int locus_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) 
-{ - gift64n_key_schedule_t ks; - unsigned char WV[GIFT64_BLOCK_SIZE * 2]; - unsigned char deltaN[GIFT64_BLOCK_SIZE]; - unsigned char X[GIFT64_BLOCK_SIZE]; - unsigned char *mtemp = m; - unsigned temp; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < LOCUS_AEAD_TAG_SIZE) - return -1; - *mlen = clen - LOCUS_AEAD_TAG_SIZE; - - /* Initialize the state with the key and the nonce */ - lotus_or_locus_init(&ks, deltaN, k, npub, WV); - memset(WV, 0, sizeof(WV)); - - /* Process the associated data */ - if (adlen > 0) { - lotus_or_locus_process_ad - (&ks, deltaN, WV + GIFT64_BLOCK_SIZE, ad, adlen); - } - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= LOCUS_AEAD_TAG_SIZE; - if (clen > 0) { - while (clen > GIFT64_BLOCK_SIZE) { - lotus_or_locus_mul_2(&ks); - lw_xor_block_2_src(X, c, deltaN, GIFT64_BLOCK_SIZE); - gift64t_decrypt(&ks, X, X, GIFT64T_TWEAK_4); - lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); - gift64t_decrypt(&ks, X, X, GIFT64T_TWEAK_4); - lw_xor_block_2_src(m, X, deltaN, GIFT64_BLOCK_SIZE); - c += GIFT64_BLOCK_SIZE; - m += GIFT64_BLOCK_SIZE; - clen -= GIFT64_BLOCK_SIZE; - } - temp = (unsigned)clen; - lotus_or_locus_mul_2(&ks); - memcpy(X, deltaN, GIFT64_BLOCK_SIZE); - X[0] ^= (unsigned char)temp; - gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5); - lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5); - lw_xor_block(X, deltaN, temp); - lw_xor_block_2_src(m, c, X, temp); - lw_xor_block(WV, m, temp); - c += temp; - } - - /* Check the authentication tag */ - lotus_or_locus_gen_tag(&ks, WV, deltaN, WV, WV + GIFT64_BLOCK_SIZE); - return aead_check_tag(mtemp, *mlen, WV, c, LOCUS_AEAD_TAG_SIZE); -} diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/lotus-locus.h b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/lotus-locus.h deleted file mode 100644 index 85434a8..0000000 
--- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys-avr/lotus-locus.h +++ /dev/null 
@@ -1,223 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_LOTUS_LOCUS_H -#define LWCRYPTO_LOTUS_LOCUS_H - -#include "aead-common.h" - -/** - * \file lotus-locus.h - * \brief LOTUS-AEAD and LOCUS-AEAD authenticated encryption algorithms. - * - * LOTUS-AEAD and LOCUS-AEAD are authenticated encryption algorithms - * that are based around a tweakable variant of the GIFT-64 block cipher - * called TweGIFT-64. Both AEAD algorithms have a 128-bit key, a 128-bit - * nonce, and a 64-bit tag. - * - * The two algorithms have the same key initialization, associated data - * processing, and tag generation mechanisms. They differ in how the - * input is encrypted with TweGIFT-64. - * - * LOTUS-AEAD uses a method similar to the block cipher mode OTR. 
- * TweGIFT-64 is essentially converted into a 128-bit block cipher - * using a Feistel construction and four TweGIFT-64 block operations - * every 16 bytes of input. - * - * LOCUS-AEAD uses a method similar to the block cipher mode OCB - * with two TweGIFT-64 block operations for every 8 bytes of input. - * LOCUS-AEAD requires both the block encrypt and block decrypt - * operations of TweGIFT-64, which increases the overall code size. - * LOTUS-AEAD only needs the block encrypt operation. - * - * LOTUS-AEAD is the primary member of the family. - * - * References: https://www.isical.ac.in/~lightweight/lotus/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for LOTUS-AEAD. - */ -#define LOTUS_AEAD_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for LOTUS-AEAD. - */ -#define LOTUS_AEAD_TAG_SIZE 8 - -/** - * \brief Size of the nonce for LOTUS-AEAD. - */ -#define LOTUS_AEAD_NONCE_SIZE 16 - -/** - * \brief Size of the key for LOCUS-AEAD. - */ -#define LOCUS_AEAD_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for LOCUS-AEAD. - */ -#define LOCUS_AEAD_TAG_SIZE 8 - -/** - * \brief Size of the nonce for LOCUS-AEAD. - */ -#define LOCUS_AEAD_NONCE_SIZE 16 - -/** - * \brief Meta-information block for the LOTUS-AEAD cipher. - */ -extern aead_cipher_t const lotus_aead_cipher; - -/** - * \brief Meta-information block for the LOCUS-AEAD cipher. - */ -extern aead_cipher_t const locus_aead_cipher; - -/** - * \brief Encrypts and authenticates a packet with LOTUS-AEAD. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa lotus_aead_decrypt() - */ -int lotus_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with LOTUS-AEAD. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 9 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa lotus_aead_encrypt() - */ -int lotus_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with LOCUS-AEAD. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa locus_aead_decrypt() - */ -int locus_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with LOCUS-AEAD. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 9 byte authentication tag. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa locus_aead_encrypt() - */ -int locus_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64-avr.S b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64-avr.S new file mode 100644 index 0000000..fdb668d --- /dev/null +++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64-avr.S 
@@ -0,0 +1,6047 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global gift64n_init + .type gift64n_init, @function +gift64n_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + std Z+12,r18 + std Z+13,r19 + std Z+14,r20 + std Z+15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + std Z+8,r18 + std Z+9,r19 + std Z+10,r20 + std Z+11,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + std Z+4,r18 + std Z+5,r19 + std Z+6,r20 + std Z+7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z,r18 + std Z+1,r19 + std Z+2,r20 + std Z+3,r21 + ret + .size gift64n_init, .-gift64n_init + + .text +.global gift64n_encrypt + .type gift64n_encrypt, @function +gift64n_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 28 + ld r6,Z + ldd r7,Z+1 + ldd r8,Z+2 + ldd r9,Z+3 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Z+4 + ldd r7,Z+5 + ldd r8,Z+6 + ldd r9,Z+7 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Z+8 + ldd r7,Z+9 + ldd r8,Z+10 + ldd r9,Z+11 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Z+12 + ldd r7,Z+13 + ldd r8,Z+14 + ldd r9,Z+15 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r20,0 + bst r18,1 + bld r22,0 + bst r18,2 + bld r2,0 + bst r18,3 + bld r4,0 + bst r18,4 + bld r20,1 + bst r18,5 + bld r22,1 + bst r18,6 + bld r2,1 + bst r18,7 + bld r4,1 + bst r19,0 + bld r20,2 + bst r19,1 + bld r22,2 + bst r19,2 + bld r2,2 + bst r19,3 + bld r4,2 + bst r19,4 + bld r20,3 + bst r19,5 + bld r22,3 + bst r19,6 + bld r2,3 + bst r19,7 + bld r4,3 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r20,4 + bst r18,1 + bld r22,4 + bst r18,2 + bld r2,4 + bst r18,3 + bld r4,4 + bst r18,4 + bld r20,5 + bst r18,5 + bld r22,5 + bst 
r18,6 + bld r2,5 + bst r18,7 + bld r4,5 + bst r19,0 + bld r20,6 + bst r19,1 + bld r22,6 + bst r19,2 + bld r2,6 + bst r19,3 + bld r4,6 + bst r19,4 + bld r20,7 + bst r19,5 + bld r22,7 + bst r19,6 + bld r2,7 + bst r19,7 + bld r4,7 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r21,0 + bst r18,1 + bld r23,0 + bst r18,2 + bld r3,0 + bst r18,3 + bld r5,0 + bst r18,4 + bld r21,1 + bst r18,5 + bld r23,1 + bst r18,6 + bld r3,1 + bst r18,7 + bld r5,1 + bst r19,0 + bld r21,2 + bst r19,1 + bld r23,2 + bst r19,2 + bld r3,2 + bst r19,3 + bld r5,2 + bst r19,4 + bld r21,3 + bst r19,5 + bld r23,3 + bst r19,6 + bld r3,3 + bst r19,7 + bld r5,3 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r21,4 + bst r18,1 + bld r23,4 + bst r18,2 + bld r3,4 + bst r18,3 + bld r5,4 + bst r18,4 + bld r21,5 + bst r18,5 + bld r23,5 + bst r18,6 + bld r3,5 + bst r18,7 + bld r5,5 + bst r19,0 + bld r21,6 + bst r19,1 + bld r23,6 + bst r19,2 + bld r3,6 + bst r19,3 + bld r5,6 + bst r19,4 + bld r21,7 + bst r19,5 + bld r23,7 + bst r19,6 + bld r3,7 + bst r19,7 + bld r5,7 + rcall 1061f + ldi r18,1 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,3 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,7 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + 
lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,15 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + rcall 1061f + ldi r18,31 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,62 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,61 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,59 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + 
rcall 1061f + ldi r18,55 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,47 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,30 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,60 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + rcall 1061f + ldi r18,57 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,51 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + 
rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,39 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,14 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + rcall 1061f + ldi r18,29 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,58 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,53 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + 
std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,43 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + rcall 1061f + ldi r18,22 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,44 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,24 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,48 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + rcall 1061f + ldi r18,33 + ldi r19,128 + eor 
r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + rcall 1061f + ldi r18,2 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + rcall 1061f + ldi r18,5 + ldi r19,128 + eor r4,r18 + eor r5,r19 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + rcall 1061f + ldi r18,11 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rjmp 1252f +1061: + mov r0,r20 + and r0,r2 + eor r22,r0 + mov r0,r21 + and r0,r3 + eor r23,r0 + mov r0,r22 + and r0,r4 + eor r20,r0 + mov r0,r23 + and r0,r5 + eor r21,r0 + mov r0,r20 + or r0,r22 + eor r2,r0 + mov r0,r21 + or r0,r23 + eor r3,r0 + eor r4,r2 + eor r5,r3 + eor r22,r4 + eor r23,r5 + com r4 + com r5 + movw r18,r20 + mov r0,r22 + and r0,r18 + eor r2,r0 + mov r0,r23 + and r0,r19 + eor r3,r0 + movw r20,r4 + movw r4,r18 + bst r20,1 + bld r0,0 + bst r20,4 + bld r20,1 + bst r20,3 + bld r20,4 + bst r21,4 + bld r20,3 + bst r0,0 + bld r21,4 + bst r20,2 + bld r0,0 + bst r21,0 + bld r20,2 + bst r0,0 + bld r21,0 + bst r20,5 + bld r0,0 + bst r20,7 + bld r20,5 + bst r21,7 + bld r20,7 + bst r21,5 + bld r21,7 + bst r0,0 + bld r21,5 + bst r20,6 + bld r0,0 + bst r21,3 + bld r20,6 + bst r21,6 + bld r21,3 + bst r21,1 + bld r21,6 + bst r0,0 + bld r21,1 + bst 
r22,0 + bld r0,0 + bst r22,1 + bld r22,0 + bst r22,5 + bld r22,1 + bst r22,4 + bld r22,5 + bst r0,0 + bld r22,4 + bst r22,2 + bld r0,0 + bst r23,1 + bld r22,2 + bst r22,7 + bld r23,1 + bst r23,4 + bld r22,7 + bst r0,0 + bld r23,4 + bst r22,3 + bld r0,0 + bst r23,5 + bld r22,3 + bst r22,6 + bld r23,5 + bst r23,0 + bld r22,6 + bst r0,0 + bld r23,0 + bst r23,2 + bld r0,0 + bst r23,3 + bld r23,2 + bst r23,7 + bld r23,3 + bst r23,6 + bld r23,7 + bst r0,0 + bld r23,6 + bst r2,0 + bld r0,0 + bst r2,2 + bld r2,0 + bst r3,2 + bld r2,2 + bst r3,0 + bld r3,2 + bst r0,0 + bld r3,0 + bst r2,1 + bld r0,0 + bst r2,6 + bld r2,1 + bst r3,1 + bld r2,6 + bst r2,4 + bld r3,1 + bst r0,0 + bld r2,4 + bst r2,3 + bld r0,0 + bst r3,6 + bld r2,3 + bst r3,3 + bld r3,6 + bst r3,4 + bld r3,3 + bst r0,0 + bld r3,4 + bst r2,7 + bld r0,0 + bst r3,5 + bld r2,7 + bst r0,0 + bld r3,5 + bst r4,0 + bld r0,0 + bst r4,3 + bld r4,0 + bst r5,7 + bld r4,3 + bst r5,4 + bld r5,7 + bst r0,0 + bld r5,4 + bst r4,1 + bld r0,0 + bst r4,7 + bld r4,1 + bst r5,6 + bld r4,7 + bst r5,0 + bld r5,6 + bst r0,0 + bld r5,0 + bst r4,2 + bld r0,0 + bst r5,3 + bld r4,2 + bst r5,5 + bld r5,3 + bst r4,4 + bld r5,5 + bst r0,0 + bld r4,4 + bst r4,5 + bld r0,0 + bst r4,6 + bld r4,5 + bst r5,2 + bld r4,6 + bst r5,1 + bld r5,2 + bst r0,0 + bld r5,1 + eor r20,r6 + eor r21,r7 + eor r22,r8 + eor r23,r9 + ret +1252: + ldd r26,Y+17 + ldd r27,Y+18 + bst r20,0 + bld r18,0 + bst r22,0 + bld r18,1 + bst r2,0 + bld r18,2 + bst r4,0 + bld r18,3 + bst r20,1 + bld r18,4 + bst r22,1 + bld r18,5 + bst r2,1 + bld r18,6 + bst r4,1 + bld r18,7 + bst r20,2 + bld r19,0 + bst r22,2 + bld r19,1 + bst r2,2 + bld r19,2 + bst r4,2 + bld r19,3 + bst r20,3 + bld r19,4 + bst r22,3 + bld r19,5 + bst r2,3 + bld r19,6 + bst r4,3 + bld r19,7 + st X+,r18 + st X+,r19 + bst r20,4 + bld r18,0 + bst r22,4 + bld r18,1 + bst r2,4 + bld r18,2 + bst r4,4 + bld r18,3 + bst r20,5 + bld r18,4 + bst r22,5 + bld r18,5 + bst r2,5 + bld r18,6 + bst r4,5 + bld r18,7 + bst r20,6 + 
bld r19,0 + bst r22,6 + bld r19,1 + bst r2,6 + bld r19,2 + bst r4,6 + bld r19,3 + bst r20,7 + bld r19,4 + bst r22,7 + bld r19,5 + bst r2,7 + bld r19,6 + bst r4,7 + bld r19,7 + st X+,r18 + st X+,r19 + bst r21,0 + bld r18,0 + bst r23,0 + bld r18,1 + bst r3,0 + bld r18,2 + bst r5,0 + bld r18,3 + bst r21,1 + bld r18,4 + bst r23,1 + bld r18,5 + bst r3,1 + bld r18,6 + bst r5,1 + bld r18,7 + bst r21,2 + bld r19,0 + bst r23,2 + bld r19,1 + bst r3,2 + bld r19,2 + bst r5,2 + bld r19,3 + bst r21,3 + bld r19,4 + bst r23,3 + bld r19,5 + bst r3,3 + bld r19,6 + bst r5,3 + bld r19,7 + st X+,r18 + st X+,r19 + bst r21,4 + bld r18,0 + bst r23,4 + bld r18,1 + bst r3,4 + bld r18,2 + bst r5,4 + bld r18,3 + bst r21,5 + bld r18,4 + bst r23,5 + bld r18,5 + bst r3,5 + bld r18,6 + bst r5,5 + bld r18,7 + bst r21,6 + bld r19,0 + bst r23,6 + bld r19,1 + bst r3,6 + bld r19,2 + bst r5,6 + bld r19,3 + bst r21,7 + bld r19,4 + bst r23,7 + bld r19,5 + bst r3,7 + bld r19,6 + bst r5,7 + bld r19,7 + st X+,r18 + st X+,r19 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift64n_encrypt, .-gift64n_encrypt + + .text +.global gift64n_decrypt + .type gift64n_decrypt, @function +gift64n_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 28 + ld r6,Z + ldd r7,Z+1 + ldd r8,Z+2 + ldd r9,Z+3 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Z+4 + ldd r7,Z+5 + ldd r8,Z+6 + ldd r9,Z+7 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r6 
+ rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Z+8 + ldd r7,Z+9 + ldd r8,Z+10 + ldd r9,Z+11 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Z+12 + ldd r7,Z+13 + ldd r8,Z+14 + ldd r9,Z+15 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r20,0 + bst r18,1 + bld r22,0 + bst r18,2 + bld r2,0 + bst r18,3 + bld r4,0 + bst r18,4 + bld r20,1 + bst r18,5 + bld r22,1 + bst r18,6 + bld r2,1 + bst r18,7 + bld r4,1 + bst r19,0 + bld r20,2 + bst r19,1 + bld r22,2 + bst r19,2 + bld r2,2 + bst r19,3 + bld r4,2 + bst r19,4 + bld r20,3 + bst r19,5 + bld r22,3 + bst r19,6 + bld r2,3 + bst r19,7 + bld r4,3 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r20,4 + bst r18,1 + bld r22,4 + bst r18,2 + bld r2,4 + bst r18,3 + bld r4,4 + bst r18,4 + bld r20,5 + bst r18,5 + bld r22,5 + bst r18,6 + bld r2,5 + bst r18,7 + bld r4,5 + bst r19,0 + bld r20,6 + bst r19,1 + bld r22,6 + bst r19,2 + bld r2,6 + bst r19,3 + bld r4,6 + bst r19,4 + bld r20,7 + bst r19,5 + bld r22,7 + bst r19,6 + bld r2,7 + bst r19,7 + bld r4,7 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r21,0 + bst r18,1 + bld r23,0 + bst r18,2 + bld r3,0 + bst r18,3 + bld r5,0 + bst r18,4 + bld r21,1 + bst r18,5 + bld r23,1 + bst r18,6 + bld r3,1 + bst r18,7 + bld r5,1 + bst r19,0 + bld r21,2 + bst r19,1 + bld r23,2 + bst r19,2 + bld r3,2 + bst r19,3 + bld r5,2 + bst r19,4 + bld r21,3 + bst r19,5 + bld r23,3 + bst r19,6 + bld r3,3 + 
bst r19,7 + bld r5,3 + ld r18,X+ + ld r19,X+ + bst r18,0 + bld r21,4 + bst r18,1 + bld r23,4 + bst r18,2 + bld r3,4 + bst r18,3 + bld r5,4 + bst r18,4 + bld r21,5 + bst r18,5 + bld r23,5 + bst r18,6 + bld r3,5 + bst r18,7 + bld r5,5 + bst r19,0 + bld r21,6 + bst r19,1 + bld r23,6 + bst r19,2 + bld r3,6 + bst r19,3 + bld r5,6 + bst r19,4 + bld r21,7 + bst r19,5 + bld r23,7 + bst r19,6 + bld r3,7 + bst r19,7 + bld r5,7 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,11 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,5 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,2 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,33 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov 
r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,48 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,24 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,44 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,22 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,43 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + 
adc r8,r1 + ldi r18,53 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,58 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,29 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,14 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,39 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,51 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd 
r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,57 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,60 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,30 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,47 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,55 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 
+ adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,59 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,61 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,62 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,31 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r6,Y+1 + ldd r7,Y+2 + ldd r8,Y+3 + ldd r9,Y+4 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,15 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+1,r6 + std Y+2,r7 + std Y+3,r8 + std Y+4,r9 + ldd r6,Y+5 + ldd r7,Y+6 + ldd r8,Y+7 + ldd r9,Y+8 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,7 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+5,r6 + std Y+6,r7 + std Y+7,r8 + std Y+8,r9 + ldd r6,Y+9 + 
ldd r7,Y+10 + ldd r8,Y+11 + ldd r9,Y+12 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,3 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + std Y+9,r6 + std Y+10,r7 + std Y+11,r8 + std Y+12,r9 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + mov r0,r1 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + lsr r7 + ror r6 + ror r0 + or r7,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + ldi r18,1 + ldi r19,128 + eor r4,r18 + eor r5,r19 + rcall 1173f + rjmp 1362f +1173: + eor r20,r6 + eor r21,r7 + eor r22,r8 + eor r23,r9 + bst r20,1 + bld r0,0 + bst r21,4 + bld r20,1 + bst r20,3 + bld r21,4 + bst r20,4 + bld r20,3 + bst r0,0 + bld r20,4 + bst r20,2 + bld r0,0 + bst r21,0 + bld r20,2 + bst r0,0 + bld r21,0 + bst r20,5 + bld r0,0 + bst r21,5 + bld r20,5 + bst r21,7 + bld r21,5 + bst r20,7 + bld r21,7 + bst r0,0 + bld r20,7 + bst r20,6 + bld r0,0 + bst r21,1 + bld r20,6 + bst r21,6 + bld r21,1 + bst r21,3 + bld r21,6 + bst r0,0 + bld r21,3 + bst r22,0 + bld r0,0 + bst r22,4 + bld r22,0 + bst r22,5 + bld r22,4 + bst r22,1 + bld r22,5 + bst r0,0 + bld r22,1 + bst r22,2 + bld r0,0 + bst r23,4 + bld r22,2 + bst r22,7 + bld r23,4 + bst r23,1 + bld r22,7 + bst r0,0 + bld r23,1 + bst r22,3 + bld r0,0 + bst r23,0 + bld r22,3 + bst r22,6 + bld r23,0 + bst r23,5 + bld r22,6 + bst r0,0 + bld r23,5 + bst r23,2 + bld r0,0 + bst r23,6 + bld r23,2 + bst r23,7 + bld r23,6 + bst r23,3 + bld r23,7 + bst r0,0 + bld r23,3 + bst r2,0 + bld r0,0 + bst r3,0 + bld r2,0 + bst r3,2 + bld r3,0 + bst r2,2 + bld r3,2 + bst r0,0 + bld r2,2 + bst r2,1 + bld r0,0 + bst r2,4 + bld r2,1 + bst r3,1 + bld r2,4 + bst r2,6 + bld r3,1 + bst r0,0 + bld r2,6 + bst r2,3 + bld r0,0 + bst r3,4 + bld r2,3 + bst r3,3 + bld r3,4 + bst r3,6 + bld r3,3 + bst r0,0 + bld r3,6 + bst r2,7 + bld r0,0 + bst r3,5 + 
bld r2,7 + bst r0,0 + bld r3,5 + bst r4,0 + bld r0,0 + bst r5,4 + bld r4,0 + bst r5,7 + bld r5,4 + bst r4,3 + bld r5,7 + bst r0,0 + bld r4,3 + bst r4,1 + bld r0,0 + bst r5,0 + bld r4,1 + bst r5,6 + bld r5,0 + bst r4,7 + bld r5,6 + bst r0,0 + bld r4,7 + bst r4,2 + bld r0,0 + bst r4,4 + bld r4,2 + bst r5,5 + bld r4,4 + bst r5,3 + bld r5,5 + bst r0,0 + bld r5,3 + bst r4,5 + bld r0,0 + bst r5,1 + bld r4,5 + bst r5,2 + bld r5,1 + bst r4,6 + bld r5,2 + bst r0,0 + bld r4,6 + movw r18,r4 + movw r4,r20 + movw r20,r18 + and r18,r22 + and r19,r23 + eor r2,r18 + eor r3,r19 + com r4 + com r5 + eor r22,r4 + eor r23,r5 + eor r4,r2 + eor r5,r3 + mov r0,r20 + or r0,r22 + eor r2,r0 + mov r0,r21 + or r0,r23 + eor r3,r0 + mov r0,r22 + and r0,r4 + eor r20,r0 + mov r0,r23 + and r0,r5 + eor r21,r0 + mov r0,r20 + and r0,r2 + eor r22,r0 + mov r0,r21 + and r0,r3 + eor r23,r0 + ret +1362: + ldd r26,Y+17 + ldd r27,Y+18 + bst r20,0 + bld r18,0 + bst r22,0 + bld r18,1 + bst r2,0 + bld r18,2 + bst r4,0 + bld r18,3 + bst r20,1 + bld r18,4 + bst r22,1 + bld r18,5 + bst r2,1 + bld r18,6 + bst r4,1 + bld r18,7 + bst r20,2 + bld r19,0 + bst r22,2 + bld r19,1 + bst r2,2 + bld r19,2 + bst r4,2 + bld r19,3 + bst r20,3 + bld r19,4 + bst r22,3 + bld r19,5 + bst r2,3 + bld r19,6 + bst r4,3 + bld r19,7 + st X+,r18 + st X+,r19 + bst r20,4 + bld r18,0 + bst r22,4 + bld r18,1 + bst r2,4 + bld r18,2 + bst r4,4 + bld r18,3 + bst r20,5 + bld r18,4 + bst r22,5 + bld r18,5 + bst r2,5 + bld r18,6 + bst r4,5 + bld r18,7 + bst r20,6 + bld r19,0 + bst r22,6 + bld r19,1 + bst r2,6 + bld r19,2 + bst r4,6 + bld r19,3 + bst r20,7 + bld r19,4 + bst r22,7 + bld r19,5 + bst r2,7 + bld r19,6 + bst r4,7 + bld r19,7 + st X+,r18 + st X+,r19 + bst r21,0 + bld r18,0 + bst r23,0 + bld r18,1 + bst r3,0 + bld r18,2 + bst r5,0 + bld r18,3 + bst r21,1 + bld r18,4 + bst r23,1 + bld r18,5 + bst r3,1 + bld r18,6 + bst r5,1 + bld r18,7 + bst r21,2 + bld r19,0 + bst r23,2 + bld r19,1 + bst r3,2 + bld r19,2 + bst r5,2 + bld r19,3 + bst r21,3 
+ bld r19,4 + bst r23,3 + bld r19,5 + bst r3,3 + bld r19,6 + bst r5,3 + bld r19,7 + st X+,r18 + st X+,r19 + bst r21,4 + bld r18,0 + bst r23,4 + bld r18,1 + bst r3,4 + bld r18,2 + bst r5,4 + bld r18,3 + bst r21,5 + bld r18,4 + bst r23,5 + bld r18,5 + bst r3,5 + bld r18,6 + bst r5,5 + bld r18,7 + bst r21,6 + bld r19,0 + bst r23,6 + bld r19,1 + bst r3,6 + bld r19,2 + bst r5,6 + bld r19,3 + bst r21,7 + bld r19,4 + bst r23,7 + bld r19,5 + bst r3,7 + bld r19,6 + bst r5,7 + bld r19,7 + st X+,r18 + st X+,r19 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift64n_decrypt, .-gift64n_decrypt + + .text +.global gift64t_encrypt + .type gift64t_encrypt, @function +gift64t_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 30 + ld r8,Z + ldd r9,Z+1 + ldd r10,Z+2 + ldd r11,Z+3 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Z+4 + ldd r9,Z+5 + ldd r10,Z+6 + ldd r11,Z+7 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r22,0 + bst r20,1 + bld r2,0 + bst r20,2 + bld r4,0 + bst r20,3 + bld r6,0 + bst r20,4 + bld r22,1 + bst r20,5 + bld r2,1 + bst r20,6 + bld r4,1 + bst r20,7 + bld r6,1 + bst r21,0 + bld r22,2 + bst r21,1 + bld r2,2 + bst r21,2 + bld r4,2 + bst r21,3 + bld r6,2 + bst r21,4 + bld r22,3 + bst r21,5 + bld r2,3 + bst r21,6 + bld r4,3 + bst r21,7 + bld r6,3 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r22,4 + bst r20,1 + bld r2,4 + bst r20,2 + bld r4,4 + bst 
r20,3 + bld r6,4 + bst r20,4 + bld r22,5 + bst r20,5 + bld r2,5 + bst r20,6 + bld r4,5 + bst r20,7 + bld r6,5 + bst r21,0 + bld r22,6 + bst r21,1 + bld r2,6 + bst r21,2 + bld r4,6 + bst r21,3 + bld r6,6 + bst r21,4 + bld r22,7 + bst r21,5 + bld r2,7 + bst r21,6 + bld r4,7 + bst r21,7 + bld r6,7 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r23,0 + bst r20,1 + bld r3,0 + bst r20,2 + bld r5,0 + bst r20,3 + bld r7,0 + bst r20,4 + bld r23,1 + bst r20,5 + bld r3,1 + bst r20,6 + bld r5,1 + bst r20,7 + bld r7,1 + bst r21,0 + bld r23,2 + bst r21,1 + bld r3,2 + bst r21,2 + bld r5,2 + bst r21,3 + bld r7,2 + bst r21,4 + bld r23,3 + bst r21,5 + bld r3,3 + bst r21,6 + bld r5,3 + bst r21,7 + bld r7,3 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r23,4 + bst r20,1 + bld r3,4 + bst r20,2 + bld r5,4 + bst r20,3 + bld r7,4 + bst r20,4 + bld r23,5 + bst r20,5 + bld r3,5 + bst r20,6 + bld r5,5 + bst r20,7 + bld r7,5 + bst r21,0 + bld r23,6 + bst r21,1 + bld r3,6 + bst r21,2 + bld r5,6 + bst r21,3 + bld r7,6 + bst r21,4 + bld r23,7 + bst r21,5 + bld r3,7 + bst r21,6 + bld r5,7 + bst r21,7 + bld r7,7 + rcall 1073f + ldi r20,1 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,3 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,7 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc 
r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,15 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + rcall 1073f + ldi r20,31 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,62 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,61 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,59 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 
+ lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + rcall 1073f + ldi r20,55 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,47 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,30 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,60 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + rcall 1073f + ldi r20,57 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 
+ std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,51 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,39 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,14 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + rcall 1073f + ldi r20,29 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,58 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd 
r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,53 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,43 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + rcall 1073f + ldi r20,22 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,44 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,24 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,48 
+ ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + rcall 1073f + ldi r20,33 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + rcall 1073f + ldi r20,2 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + rcall 1073f + ldi r20,5 + ldi r21,128 + eor r6,r20 + eor r7,r21 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + rcall 1073f + ldi r20,11 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rjmp 1264f +1073: + mov r0,r22 + and r0,r4 + eor r2,r0 + mov r0,r23 + and r0,r5 + eor r3,r0 + mov r0,r2 + and r0,r6 + eor r22,r0 + mov r0,r3 + and r0,r7 + eor r23,r0 + mov r0,r22 + or r0,r2 + eor r4,r0 + mov r0,r23 + or r0,r3 + eor r5,r0 + eor r6,r4 + eor r7,r5 + eor r2,r6 + eor r3,r7 + com r6 + com r7 + movw r20,r22 + mov r0,r2 + and r0,r20 + eor r4,r0 + mov r0,r3 + and r0,r21 + eor r5,r0 + movw r22,r6 + 
movw r6,r20 + bst r22,1 + bld r0,0 + bst r22,4 + bld r22,1 + bst r22,3 + bld r22,4 + bst r23,4 + bld r22,3 + bst r0,0 + bld r23,4 + bst r22,2 + bld r0,0 + bst r23,0 + bld r22,2 + bst r0,0 + bld r23,0 + bst r22,5 + bld r0,0 + bst r22,7 + bld r22,5 + bst r23,7 + bld r22,7 + bst r23,5 + bld r23,7 + bst r0,0 + bld r23,5 + bst r22,6 + bld r0,0 + bst r23,3 + bld r22,6 + bst r23,6 + bld r23,3 + bst r23,1 + bld r23,6 + bst r0,0 + bld r23,1 + bst r2,0 + bld r0,0 + bst r2,1 + bld r2,0 + bst r2,5 + bld r2,1 + bst r2,4 + bld r2,5 + bst r0,0 + bld r2,4 + bst r2,2 + bld r0,0 + bst r3,1 + bld r2,2 + bst r2,7 + bld r3,1 + bst r3,4 + bld r2,7 + bst r0,0 + bld r3,4 + bst r2,3 + bld r0,0 + bst r3,5 + bld r2,3 + bst r2,6 + bld r3,5 + bst r3,0 + bld r2,6 + bst r0,0 + bld r3,0 + bst r3,2 + bld r0,0 + bst r3,3 + bld r3,2 + bst r3,7 + bld r3,3 + bst r3,6 + bld r3,7 + bst r0,0 + bld r3,6 + bst r4,0 + bld r0,0 + bst r4,2 + bld r4,0 + bst r5,2 + bld r4,2 + bst r5,0 + bld r5,2 + bst r0,0 + bld r5,0 + bst r4,1 + bld r0,0 + bst r4,6 + bld r4,1 + bst r5,1 + bld r4,6 + bst r4,4 + bld r5,1 + bst r0,0 + bld r4,4 + bst r4,3 + bld r0,0 + bst r5,6 + bld r4,3 + bst r5,3 + bld r5,6 + bst r5,4 + bld r5,3 + bst r0,0 + bld r5,4 + bst r4,7 + bld r0,0 + bst r5,5 + bld r4,7 + bst r0,0 + bld r5,5 + bst r6,0 + bld r0,0 + bst r6,3 + bld r6,0 + bst r7,7 + bld r6,3 + bst r7,4 + bld r7,7 + bst r0,0 + bld r7,4 + bst r6,1 + bld r0,0 + bst r6,7 + bld r6,1 + bst r7,6 + bld r6,7 + bst r7,0 + bld r7,6 + bst r0,0 + bld r7,0 + bst r6,2 + bld r0,0 + bst r7,3 + bld r6,2 + bst r7,5 + bld r7,3 + bst r6,4 + bld r7,5 + bst r0,0 + bld r6,4 + bst r6,5 + bld r0,0 + bst r6,6 + bld r6,5 + bst r7,2 + bld r6,6 + bst r7,1 + bld r7,2 + bst r0,0 + bld r7,1 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + ret +1264: + ldd r26,Y+17 + ldd r27,Y+18 + bst r22,0 + bld r20,0 + bst r2,0 + bld r20,1 + bst r4,0 + bld r20,2 + bst r6,0 + bld r20,3 + bst r22,1 + bld r20,4 + bst r2,1 + bld r20,5 + bst r4,1 + bld r20,6 + bst r6,1 + bld r20,7 + bst 
r22,2 + bld r21,0 + bst r2,2 + bld r21,1 + bst r4,2 + bld r21,2 + bst r6,2 + bld r21,3 + bst r22,3 + bld r21,4 + bst r2,3 + bld r21,5 + bst r4,3 + bld r21,6 + bst r6,3 + bld r21,7 + st X+,r20 + st X+,r21 + bst r22,4 + bld r20,0 + bst r2,4 + bld r20,1 + bst r4,4 + bld r20,2 + bst r6,4 + bld r20,3 + bst r22,5 + bld r20,4 + bst r2,5 + bld r20,5 + bst r4,5 + bld r20,6 + bst r6,5 + bld r20,7 + bst r22,6 + bld r21,0 + bst r2,6 + bld r21,1 + bst r4,6 + bld r21,2 + bst r6,6 + bld r21,3 + bst r22,7 + bld r21,4 + bst r2,7 + bld r21,5 + bst r4,7 + bld r21,6 + bst r6,7 + bld r21,7 + st X+,r20 + st X+,r21 + bst r23,0 + bld r20,0 + bst r3,0 + bld r20,1 + bst r5,0 + bld r20,2 + bst r7,0 + bld r20,3 + bst r23,1 + bld r20,4 + bst r3,1 + bld r20,5 + bst r5,1 + bld r20,6 + bst r7,1 + bld r20,7 + bst r23,2 + bld r21,0 + bst r3,2 + bld r21,1 + bst r5,2 + bld r21,2 + bst r7,2 + bld r21,3 + bst r23,3 + bld r21,4 + bst r3,3 + bld r21,5 + bst r5,3 + bld r21,6 + bst r7,3 + bld r21,7 + st X+,r20 + st X+,r21 + bst r23,4 + bld r20,0 + bst r3,4 + bld r20,1 + bst r5,4 + bld r20,2 + bst r7,4 + bld r20,3 + bst r23,5 + bld r20,4 + bst r3,5 + bld r20,5 + bst r5,5 + bld r20,6 + bst r7,5 + bld r20,7 + bst r23,6 + bld r21,0 + bst r3,6 + bld r21,1 + bst r5,6 + bld r21,2 + bst r7,6 + bld r21,3 + bst r23,7 + bld r21,4 + bst r3,7 + bld r21,5 + bst r5,7 + bld r21,6 + bst r7,7 + bld r21,7 + st X+,r20 + st X+,r21 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift64t_encrypt, .-gift64t_encrypt + + .text +.global gift64t_decrypt + .type gift64t_decrypt, @function +gift64t_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 
+.L__stack_usage = 30 + ld r8,Z + ldd r9,Z+1 + ldd r10,Z+2 + ldd r11,Z+3 + mov r0,r9 + mov r9,r8 + mov r8,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Z+4 + ldd r9,Z+5 + ldd r10,Z+6 + ldd r11,Z+7 + mov r0,r9 + mov r9,r8 + mov r8,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + mov r0,r9 + mov r9,r8 + mov r8,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + mov r0,r9 + mov r9,r8 + mov r8,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r22,0 + bst r20,1 + bld r2,0 + bst r20,2 + bld r4,0 + bst r20,3 + bld r6,0 + bst r20,4 + bld r22,1 + bst r20,5 + bld r2,1 + bst r20,6 + bld r4,1 + bst r20,7 + bld r6,1 + bst r21,0 + bld r22,2 + bst r21,1 + bld r2,2 + bst r21,2 + bld r4,2 + bst r21,3 + bld r6,2 + bst r21,4 + bld r22,3 + bst r21,5 + bld r2,3 + bst r21,6 + bld r4,3 + bst r21,7 + bld r6,3 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r22,4 + bst r20,1 + bld r2,4 + bst r20,2 + bld r4,4 + bst r20,3 + bld r6,4 + bst r20,4 + bld r22,5 + bst r20,5 + bld r2,5 + bst r20,6 + bld r4,5 + bst r20,7 + bld r6,5 + bst r21,0 + bld r22,6 + bst r21,1 + bld r2,6 + bst r21,2 + bld r4,6 + bst r21,3 + bld r6,6 + bst 
r21,4 + bld r22,7 + bst r21,5 + bld r2,7 + bst r21,6 + bld r4,7 + bst r21,7 + bld r6,7 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r23,0 + bst r20,1 + bld r3,0 + bst r20,2 + bld r5,0 + bst r20,3 + bld r7,0 + bst r20,4 + bld r23,1 + bst r20,5 + bld r3,1 + bst r20,6 + bld r5,1 + bst r20,7 + bld r7,1 + bst r21,0 + bld r23,2 + bst r21,1 + bld r3,2 + bst r21,2 + bld r5,2 + bst r21,3 + bld r7,2 + bst r21,4 + bld r23,3 + bst r21,5 + bld r3,3 + bst r21,6 + bld r5,3 + bst r21,7 + bld r7,3 + ld r20,X+ + ld r21,X+ + bst r20,0 + bld r23,4 + bst r20,1 + bld r3,4 + bst r20,2 + bld r5,4 + bst r20,3 + bld r7,4 + bst r20,4 + bld r23,5 + bst r20,5 + bld r3,5 + bst r20,6 + bld r5,5 + bst r20,7 + bld r7,5 + bst r21,0 + bld r23,6 + bst r21,1 + bld r3,6 + bst r21,2 + bld r5,6 + bst r21,3 + bld r7,6 + bst r21,4 + bld r23,7 + bst r21,5 + bld r3,7 + bst r21,6 + bld r5,7 + bst r21,7 + bld r7,7 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,11 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,5 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,2 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f 
+ std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,33 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,48 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,24 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,44 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,22 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd 
r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,43 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,53 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,58 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,29 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,14 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + 
ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,39 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,51 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,57 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,60 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,30 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol 
r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,47 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,55 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,59 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,61 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,62 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,31 + ldi r21,128 + eor r6,r20 + 
eor r7,r21 + rcall 1185f + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r8,Y+1 + ldd r9,Y+2 + ldd r10,Y+3 + ldd r11,Y+4 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,15 + ldi r21,128 + eor r6,r20 + eor r7,r21 + eor r4,r18 + eor r5,r18 + rcall 1185f + std Y+1,r8 + std Y+2,r9 + std Y+3,r10 + std Y+4,r11 + ldd r8,Y+5 + ldd r9,Y+6 + ldd r10,Y+7 + ldd r11,Y+8 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,7 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+5,r8 + std Y+6,r9 + std Y+7,r10 + std Y+8,r11 + ldd r8,Y+9 + ldd r9,Y+10 + ldd r10,Y+11 + ldd r11,Y+12 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,3 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + std Y+9,r8 + std Y+10,r9 + std Y+11,r10 + std Y+12,r11 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ldi r20,1 + ldi r21,128 + eor r6,r20 + eor r7,r21 + rcall 1185f + rjmp 1374f +1185: + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + bst r22,1 + bld r0,0 + bst r23,4 + bld r22,1 + bst r22,3 + bld r23,4 + bst r22,4 + bld r22,3 + bst r0,0 + bld r22,4 + bst r22,2 + bld r0,0 + bst r23,0 + bld r22,2 + bst r0,0 + bld r23,0 + bst r22,5 + bld r0,0 + bst r23,5 + bld r22,5 + bst r23,7 + bld r23,5 + bst r22,7 + bld r23,7 + bst r0,0 + bld r22,7 + bst r22,6 + bld r0,0 + bst r23,1 + bld r22,6 + bst r23,6 + bld r23,1 
+ bst r23,3 + bld r23,6 + bst r0,0 + bld r23,3 + bst r2,0 + bld r0,0 + bst r2,4 + bld r2,0 + bst r2,5 + bld r2,4 + bst r2,1 + bld r2,5 + bst r0,0 + bld r2,1 + bst r2,2 + bld r0,0 + bst r3,4 + bld r2,2 + bst r2,7 + bld r3,4 + bst r3,1 + bld r2,7 + bst r0,0 + bld r3,1 + bst r2,3 + bld r0,0 + bst r3,0 + bld r2,3 + bst r2,6 + bld r3,0 + bst r3,5 + bld r2,6 + bst r0,0 + bld r3,5 + bst r3,2 + bld r0,0 + bst r3,6 + bld r3,2 + bst r3,7 + bld r3,6 + bst r3,3 + bld r3,7 + bst r0,0 + bld r3,3 + bst r4,0 + bld r0,0 + bst r5,0 + bld r4,0 + bst r5,2 + bld r5,0 + bst r4,2 + bld r5,2 + bst r0,0 + bld r4,2 + bst r4,1 + bld r0,0 + bst r4,4 + bld r4,1 + bst r5,1 + bld r4,4 + bst r4,6 + bld r5,1 + bst r0,0 + bld r4,6 + bst r4,3 + bld r0,0 + bst r5,4 + bld r4,3 + bst r5,3 + bld r5,4 + bst r5,6 + bld r5,3 + bst r0,0 + bld r5,6 + bst r4,7 + bld r0,0 + bst r5,5 + bld r4,7 + bst r0,0 + bld r5,5 + bst r6,0 + bld r0,0 + bst r7,4 + bld r6,0 + bst r7,7 + bld r7,4 + bst r6,3 + bld r7,7 + bst r0,0 + bld r6,3 + bst r6,1 + bld r0,0 + bst r7,0 + bld r6,1 + bst r7,6 + bld r7,0 + bst r6,7 + bld r7,6 + bst r0,0 + bld r6,7 + bst r6,2 + bld r0,0 + bst r6,4 + bld r6,2 + bst r7,5 + bld r6,4 + bst r7,3 + bld r7,5 + bst r0,0 + bld r7,3 + bst r6,5 + bld r0,0 + bst r7,1 + bld r6,5 + bst r7,2 + bld r7,1 + bst r6,6 + bld r7,2 + bst r0,0 + bld r6,6 + movw r20,r6 + movw r6,r22 + movw r22,r20 + and r20,r2 + and r21,r3 + eor r4,r20 + eor r5,r21 + com r6 + com r7 + eor r2,r6 + eor r3,r7 + eor r6,r4 + eor r7,r5 + mov r0,r22 + or r0,r2 + eor r4,r0 + mov r0,r23 + or r0,r3 + eor r5,r0 + mov r0,r2 + and r0,r6 + eor r22,r0 + mov r0,r3 + and r0,r7 + eor r23,r0 + mov r0,r22 + and r0,r4 + eor r2,r0 + mov r0,r23 + and r0,r5 + eor r3,r0 + ret +1374: + ldd r26,Y+17 + ldd r27,Y+18 + bst r22,0 + bld r20,0 + bst r2,0 + bld r20,1 + bst r4,0 + bld r20,2 + bst r6,0 + bld r20,3 + bst r22,1 + bld r20,4 + bst r2,1 + bld r20,5 + bst r4,1 + bld r20,6 + bst r6,1 + bld r20,7 + bst r22,2 + bld r21,0 + bst r2,2 + bld r21,1 + bst r4,2 + bld 
r21,2 + bst r6,2 + bld r21,3 + bst r22,3 + bld r21,4 + bst r2,3 + bld r21,5 + bst r4,3 + bld r21,6 + bst r6,3 + bld r21,7 + st X+,r20 + st X+,r21 + bst r22,4 + bld r20,0 + bst r2,4 + bld r20,1 + bst r4,4 + bld r20,2 + bst r6,4 + bld r20,3 + bst r22,5 + bld r20,4 + bst r2,5 + bld r20,5 + bst r4,5 + bld r20,6 + bst r6,5 + bld r20,7 + bst r22,6 + bld r21,0 + bst r2,6 + bld r21,1 + bst r4,6 + bld r21,2 + bst r6,6 + bld r21,3 + bst r22,7 + bld r21,4 + bst r2,7 + bld r21,5 + bst r4,7 + bld r21,6 + bst r6,7 + bld r21,7 + st X+,r20 + st X+,r21 + bst r23,0 + bld r20,0 + bst r3,0 + bld r20,1 + bst r5,0 + bld r20,2 + bst r7,0 + bld r20,3 + bst r23,1 + bld r20,4 + bst r3,1 + bld r20,5 + bst r5,1 + bld r20,6 + bst r7,1 + bld r20,7 + bst r23,2 + bld r21,0 + bst r3,2 + bld r21,1 + bst r5,2 + bld r21,2 + bst r7,2 + bld r21,3 + bst r23,3 + bld r21,4 + bst r3,3 + bld r21,5 + bst r5,3 + bld r21,6 + bst r7,3 + bld r21,7 + st X+,r20 + st X+,r21 + bst r23,4 + bld r20,0 + bst r3,4 + bld r20,1 + bst r5,4 + bld r20,2 + bst r7,4 + bld r20,3 + bst r23,5 + bld r20,4 + bst r3,5 + bld r20,5 + bst r5,5 + bld r20,6 + bst r7,5 + bld r20,7 + bst r23,6 + bld r21,0 + bst r3,6 + bld r21,1 + bst r5,6 + bld r21,2 + bst r7,6 + bld r21,3 + bst r23,7 + bld r21,4 + bst r3,7 + bld r21,5 + bst r5,7 + bld r21,6 + bst r7,7 + bld r21,7 + st X+,r20 + st X+,r21 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift64t_decrypt, .-gift64t_decrypt + +#endif diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.c b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.c index 321d079..81bc8a3 100644 --- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.c +++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.c 
@@ -24,6 +24,8 @@ #include "internal-util.h" #include +#if !GIFT64_LOW_MEMORY + /* Round constants for GIFT-64 in the fixsliced representation */ static uint32_t const GIFT64_RC[28] = { 0x22000011, 0x00002299, 0x11118811, 0x880000ff, 0x33111199, 0x990022ee, @@ -33,19 +35,6 @@ static uint32_t const GIFT64_RC[28] = { 0x22008811, 0x00002288, 0x00118811, 0x880000bb }; -int gift64b_init - (gift64b_key_schedule_t *ks, const unsigned char *key, size_t key_len) -{ - if (!ks || !key || key_len != 16) - return 0; - ks->k[0] = be_load_word32(key); - ks->k[1] = be_load_word32(key + 4); - ks->k[2] = be_load_word32(key + 8); - ks->k[3] = be_load_word32(key + 12); - gift64b_update_round_keys(ks); - return 1; -} - /* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ #define bit_permute_step(_y, mask, shift) \ do { \ @@ -249,7 +238,7 @@ int gift64b_init ((out & 0x00000F00U) << 8) | ((out & 0x0000F000U) << 12); \ } while (0) -void gift64b_update_round_keys(gift64b_key_schedule_t *ks) +void gift64n_update_round_keys(gift64n_key_schedule_t *ks) { uint32_t x; @@ -293,7 +282,7 @@ void gift64b_update_round_keys(gift64b_key_schedule_t *ks) * \param Tweak value or zero if there is no tweak. */ static void gift64b_encrypt_core - (const gift64b_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) + (const gift64n_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) { const uint32_t *rc = GIFT64_RC; uint32_t s0, s1, s2, s3, temp; @@ -391,7 +380,7 @@ static void gift64b_encrypt_core * \param Tweak value or zero if there is no tweak. */ static void gift64b_decrypt_core - (const gift64b_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) + (const gift64n_key_schedule_t *ks, uint32_t state[4], uint32_t tweak) { const uint32_t *rc = GIFT64_RC + 28 - 4; uint32_t s0, s1, s2, s3, temp; 
@@ -513,18 +502,14 @@ static void gift64b_decrypt_core state[3] = s3; } -int gift64n_init - (gift64n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift64n_init(gift64n_key_schedule_t *ks, const unsigned char *key) { /* Use the little-endian byte order from the LOTUS-AEAD submission */ - if (!ks || !key || key_len != 16) - return 0; ks->k[0] = le_load_word32(key + 12); ks->k[1] = le_load_word32(key + 8); ks->k[2] = le_load_word32(key + 4); ks->k[3] = le_load_word32(key); - gift64b_update_round_keys(ks); - return 1; + gift64n_update_round_keys(ks); } /** 
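Review bot: gift64n_init now dereferences `ks` and `key` unconditionally and no longer verifies that the key is 16 bytes, because the `key_len` parameter and the `return 0` path were removed; the only remaining statement of that precondition is the `\param key` text in the header. The contract should also be visible where the loads happen, e.g. `/* Caller guarantees ks != NULL and exactly 16 key bytes; nothing is validated here */` above the first `le_load_word32`. Any caller that previously branched on the non-zero result must be adjusted to the new void signature; those call sites are outside this diff, so I cannot confirm they were updated.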
@@ -622,124 +607,599 @@ void gift64n_decrypt gift64n_to_nibbles(output, state); } +/* 4-bit tweak values expanded to 32-bit in fixsliced form */ +static uint32_t const GIFT64_tweaks[16] = { + 0x00000000, 0xee11ee11, 0xdd22dd22, 0x33333333, 0xbb44bb44, 0x55555555, + 0x66666666, 0x88778877, 0x77887788, 0x99999999, 0xaaaaaaaa, 0x44bb44bb, + 0xcccccccc, 0x22dd22dd, 0x11ee11ee, 0xffffffff +}; + +void gift64t_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint16_t tweak) +{ + uint32_t state[4]; + gift64n_to_words(state, input); + gift64b_encrypt_core(ks, state, GIFT64_tweaks[tweak & 0x0F]); + gift64n_to_nibbles(output, state); +} + +void gift64t_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint16_t tweak) +{ + uint32_t state[4]; + gift64n_to_words(state, input); + gift64b_decrypt_core(ks, state, GIFT64_tweaks[tweak & 0x0F]); + gift64n_to_nibbles(output, state); +} + +#elif !defined(__AVR__) /* GIFT64_LOW_MEMORY */ + +/* Round constants for GIFT-64 */ +static uint8_t const GIFT64_RC[28] = { + 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, + 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, + 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, + 0x21, 0x02, 0x05, 0x0B +}; + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint16_t y = (_y); \ + uint16_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step_simple */ +#define bit_permute_step_simple(_y, mask, shift) \ + do { \ + (_y) = (((_y) & (mask)) << (shift)) | (((_y) >> (shift)) & (mask)); \ + } while (0) + +/* + * The permutation below was generated by the online permuation generator at + * "http://programming.sirrida.de/calcperm.php". 
+ * + * All of the permutuations are essentially the same, except that each is + * rotated by 4 bits with respect to the next: + * + * P0: 0 12 8 4 1 13 9 5 2 14 10 6 3 15 11 7 + * P1: 4 0 12 8 5 1 13 9 6 2 14 10 7 3 15 11 + * P2: 8 4 0 12 9 5 1 13 10 6 2 14 11 7 3 15 + * P3: 12 8 4 0 13 9 5 1 14 10 6 2 15 11 7 3 + * + * The most efficient permutation from the online generator was P1, so we + * perform it as the core of the others, and then perform a final rotation. + * + * It is possible to do slightly better than "P1 then rotate" on desktop and + * server architectures for the other permutations. But the advantage isn't + * as evident on embedded platforms so we keep things simple. + */ +#define PERM1_INNER(x) \ + do { \ + bit_permute_step(x, 0x0a0a, 3); \ + bit_permute_step(x, 0x00cc, 6); \ + bit_permute_step_simple(x, 0x0f0f, 4); \ + } while (0) +#define PERM0(x) \ + do { \ + uint32_t _x = (x); \ + PERM1_INNER(_x); \ + (x) = leftRotate12_16(_x); \ + } while (0) +#define PERM1(x) PERM1_INNER(x) +#define PERM2(x) \ + do { \ + uint32_t _x = (x); \ + PERM1_INNER(_x); \ + (x) = leftRotate4_16(_x); \ + } while (0) +#define PERM3(x) \ + do { \ + uint32_t _x = (x); \ + PERM1_INNER(_x); \ + (x) = leftRotate8_16(_x); \ + } while (0) + +#define INV_PERM1_INNER(x) \ + do { \ + bit_permute_step(x, 0x0505, 5); \ + bit_permute_step(x, 0x00cc, 6); \ + bit_permute_step_simple(x, 0x0f0f, 4); \ + } while (0) +#define INV_PERM0(x) \ + do { \ + uint32_t _x = rightRotate12_16(x); \ + INV_PERM1_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM1(x) INV_PERM1_INNER(x) +#define INV_PERM2(x) \ + do { \ + uint32_t _x = rightRotate4_16(x); \ + INV_PERM1_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM3(x) \ + do { \ + uint32_t _x = rightRotate8_16(x); \ + INV_PERM1_INNER(_x); \ + (x) = _x; \ + } while (0) + /** - * \brief Converts the GIFT-64 nibble-based representation into word-based - * (big-endian version). 
+ * \brief Encrypts a 64-bit block with GIFT-64 (bit-sliced). * - * \param output Output buffer to write the word-based version to. - * \param input Input buffer to read the nibble-based version from. + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. * - * The output words will be in fixsliced form. Technically the output will - * contain two blocks for gift64b_encrypt_core() to process in parallel but - * both blocks will have the same value. + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. */ -static void gift64nb_to_words(uint32_t output[4], const unsigned char *input) +static void gift64b_encrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) { - uint32_t s0, s1, s2, s3; + uint16_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input block into 32-bit words */ - s0 = be_load_word32(input + 4); - s2 = be_load_word32(input); + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word16(input); + s1 = be_load_word16(input + 2); + s2 = be_load_word16(input + 4); + s3 = be_load_word16(input + 6); + + /* The key schedule is initialized with the key itself */ + w0 = ks->k[0]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[3]; + + /* Perform all 28 rounds */ + for (round = 0; round < 28; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 64-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s0 ^= (uint16_t)w3; + s1 ^= (uint16_t)(w3 >> 16); + s3 ^= 0x8000U ^ GIFT64_RC[round]; + + /* Rotate the key schedule 
*/ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Rearrange the bits in the block */ - gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); - gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); - gift64b_swap_move(s0, s0, 0x0000FF00U, 8); - gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); - gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); - gift64b_swap_move(s2, s2, 0x0000FF00U, 8); + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word16(output, s0); + be_store_word16(output + 2, s1); + be_store_word16(output + 4, s2); + be_store_word16(output + 6, s3); +} - /* Split into two identical blocks in fixsliced form */ - s1 = s0; - s3 = s2; - gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); - gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); - gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); - gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; +/** + * \brief Decrypts a 64-bit block with GIFT-64 (bit-sliced). + * + * \param ks Points to the GIFT-64 key schedule. + * \param output Output buffer which must be at least 8 bytes in length. + * \param input Input buffer which must be at least 8 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place decryption. + */ +static void gift64b_decrypt + (const gift64n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint16_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the ciphertext into the state buffer and convert from big endian */ + s0 = be_load_word16(input); + s1 = be_load_word16(input + 2); + s2 = be_load_word16(input + 4); + s3 = be_load_word16(input + 6); + + /* Generate the decryption key at the end of the last round. 
+ * + * To do that, we run the block operation forward to determine the + * final state of the key schedule after the last round: + * + * w0 = ks->k[0]; + * w1 = ks->k[1]; + * w2 = ks->k[2]; + * w3 = ks->k[3]; + * for (round = 0; round < 28; ++round) { + * temp = w3; + * w3 = w2; + * w2 = w1; + * w1 = w0; + * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + * } + * + * We can short-cut all of the above by noticing that we don't need + * to do the word rotations. Every 4 rounds, the rotation alignment + * returns to the original position and each word has been rotated + * by applying the "2 right and 4 left" bit-rotation step to it. + * We then repeat that 7 times for the full 28 rounds. The overall + * effect is to apply a "14 right and 28 left" bit-rotation to every word + * in the key schedule. That is equivalent to "14 right and 12 left" + * on the 16-bit sub-words. + */ + w0 = ks->k[0]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[3]; + w0 = ((w0 & 0xC0000000U) >> 14) | ((w0 & 0x3FFF0000U) << 2) | + ((w0 & 0x0000000FU) << 12) | ((w0 & 0x0000FFF0U) >> 4); + w1 = ((w1 & 0xC0000000U) >> 14) | ((w1 & 0x3FFF0000U) << 2) | + ((w1 & 0x0000000FU) << 12) | ((w1 & 0x0000FFF0U) >> 4); + w2 = ((w2 & 0xC0000000U) >> 14) | ((w2 & 0x3FFF0000U) << 2) | + ((w2 & 0x0000000FU) << 12) | ((w2 & 0x0000FFF0U) >> 4); + w3 = ((w3 & 0xC0000000U) >> 14) | ((w3 & 0x3FFF0000U) << 2) | + ((w3 & 0x0000000FU) << 12) | ((w3 & 0x0000FFF0U) >> 4); + + /* Perform all 28 rounds */ + for (round = 28; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s0 ^= (uint16_t)w3; + s1 ^= (uint16_t)(w3 >> 16); + s3 ^= 0x8000U ^ GIFT64_RC[round - 1]; + + /* InvPermBits 
- apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp = s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } + + /* Pack the state into the plaintext buffer in big endian */ + be_store_word16(output, s0); + be_store_word16(output + 2, s1); + be_store_word16(output + 4, s2); + be_store_word16(output + 6, s3); } +void gift64n_init(gift64n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian byte order from the LOTUS-AEAD submission */ + ks->k[0] = le_load_word32(key + 12); + ks->k[1] = le_load_word32(key + 8); + ks->k[2] = le_load_word32(key + 4); + ks->k[3] = le_load_word32(key); +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step_32(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + /** - * \brief Converts the GIFT-64 word-based representation into nibble-based - * (big-endian version). + * \brief Converts the GIFT-64 nibble-based representation into word-based. * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. * - * The input words are in fixsliced form. Technically there are two - * identical blocks in the input. We drop one when we write to the output. + * The \a input and \a output buffers can be the same buffer. 
*/ -static void gift64nb_to_nibbles(unsigned char *output, const uint32_t input[4]) +static void gift64n_to_words + (unsigned char *output, const unsigned char *input) { - uint32_t s0, s1, s2, s3; + uint32_t s0, s1; - /* Load the state and split the two blocks into separate words */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - gift64b_swap_move(s0, s2, 0x0000FFFFU, 16); - gift64b_swap_move(s1, s3, 0x0000FFFFU, 16); - gift64b_swap_move(s0, s1, 0x0F0F0F0FU, 4); - gift64b_swap_move(s2, s3, 0x0F0F0F0FU, 4); + /* Load the input buffer into 32-bit words. We use the nibble order from + * the LOTUS-AEAD submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-64 paper. Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 4); + s1 = le_load_word32(input); - /* Rearrange the bits in the first block back into nibble form */ - gift64b_swap_move(s0, s0, 0x0000FF00U, 8); - gift64b_swap_move(s0, s0, 0x00CC00CCU, 6); - gift64b_swap_move(s0, s0, 0x0A0A0A0AU, 3); - gift64b_swap_move(s2, s2, 0x0000FF00U, 8); - gift64b_swap_move(s2, s2, 0x00CC00CCU, 6); - gift64b_swap_move(s2, s2, 0x0A0A0A0AU, 3); - be_store_word32(output, s2); - be_store_word32(output + 4, s0); + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". 
+ */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step_32(x, 0x0a0a0a0a, 3); \ + bit_permute_step_32(x, 0x00cc00cc, 6); \ + bit_permute_step_32(x, 0x0000f0f0, 12); \ + bit_permute_step_32(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)(s0 >> 8); + output[3] = (uint8_t)(s1 >> 8); + output[4] = (uint8_t)(s0 >> 16); + output[5] = (uint8_t)(s1 >> 16); + output[6] = (uint8_t)(s0 >> 24); + output[7] = (uint8_t)(s1 >> 24); } -void gift64nb_encrypt +/** + * \brief Converts the GIFT-64 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. + */ +static void gift64n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s1 contains the least significant */ + s0 = (((uint32_t)(input[6])) << 24) | + (((uint32_t)(input[4])) << 16) | + (((uint32_t)(input[2])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[7])) << 24) | + (((uint32_t)(input[5])) << 16) | + (((uint32_t)(input[3])) << 8) | + ((uint32_t)(input[1])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step_32(x, 0x00aa00aa, 7); \ + bit_permute_step_32(x, 0x0000cccc, 14); \ + bit_permute_step_32(x, 0x00f000f0, 4); \ + bit_permute_step_32(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 4, s0); + le_store_word32(output, s1); +} + +void gift64n_encrypt (const gift64n_key_schedule_t *ks, unsigned char *output, const 
unsigned char *input) { - uint32_t state[4]; - gift64nb_to_words(state, input); - gift64b_encrypt_core(ks, state, 0); - gift64nb_to_nibbles(output, state); + gift64n_to_words(output, input); + gift64b_encrypt(ks, output, output); + gift64n_to_nibbles(output, output); } -void gift64nb_decrypt +void gift64n_decrypt (const gift64n_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { - uint32_t state[4]; - gift64nb_to_words(state, input); - gift64b_decrypt_core(ks, state, 0); - gift64nb_to_nibbles(output, state); + gift64n_to_words(output, input); + gift64b_decrypt(ks, output, output); + gift64n_to_nibbles(output, output); } -/* 4-bit tweak values expanded to 32-bit in fixsliced form */ -static uint32_t const GIFT64_tweaks[16] = { - 0x00000000, 0xee11ee11, 0xdd22dd22, 0x33333333, 0xbb44bb44, 0x55555555, - 0x66666666, 0x88778877, 0x77887788, 0x99999999, 0xaaaaaaaa, 0x44bb44bb, - 0xcccccccc, 0x22dd22dd, 0x11ee11ee, 0xffffffff -}; - void gift64t_encrypt (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint16_t tweak) { - uint32_t state[4]; - gift64n_to_words(state, input); - gift64b_encrypt_core(ks, state, GIFT64_tweaks[tweak]); - gift64n_to_nibbles(output, state); + uint16_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift64n_to_words(output, input); + s0 = be_load_word16(output); + s1 = be_load_word16(output + 2); + s2 = be_load_word16(output + 4); + s3 = be_load_word16(output + 6); + + /* The key schedule is initialized with the key itself */ + w0 = ks->k[0]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[3]; + + /* Perform all 28 rounds */ + for (round = 0; round < 28; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = 
temp; + + /* PermBits - apply the 64-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s0 ^= (uint16_t)w3; + s1 ^= (uint16_t)(w3 >> 16); + s3 ^= 0x8000U ^ GIFT64_RC[round]; + + /* AddTweak - XOR in the tweak every 4 rounds except the last */ + if (((round + 1) % 4) == 0 && round < 27) + s2 ^= tweak; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word16(output, s0); + be_store_word16(output + 2, s1); + be_store_word16(output + 4, s2); + be_store_word16(output + 6, s3); + gift64n_to_nibbles(output, output); } void gift64t_decrypt (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint16_t tweak) { - uint32_t state[4]; - gift64n_to_words(state, input); - gift64b_decrypt_core(ks, state, GIFT64_tweaks[tweak]); - gift64n_to_nibbles(output, state); + uint16_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the ciphertext into the state buffer and convert from nibbles */ + gift64n_to_words(output, input); + s0 = be_load_word16(output); + s1 = be_load_word16(output + 2); + s2 = be_load_word16(output + 4); + s3 = be_load_word16(output + 6); + + /* Generate the decryption key at the end of the last round. 
+ * + * To do that, we run the block operation forward to determine the + * final state of the key schedule after the last round: + * + * w0 = ks->k[0]; + * w1 = ks->k[1]; + * w2 = ks->k[2]; + * w3 = ks->k[3]; + * for (round = 0; round < 28; ++round) { + * temp = w3; + * w3 = w2; + * w2 = w1; + * w1 = w0; + * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + * } + * + * We can short-cut all of the above by noticing that we don't need + * to do the word rotations. Every 4 rounds, the rotation alignment + * returns to the original position and each word has been rotated + * by applying the "2 right and 4 left" bit-rotation step to it. + * We then repeat that 7 times for the full 28 rounds. The overall + * effect is to apply a "14 right and 28 left" bit-rotation to every word + * in the key schedule. That is equivalent to "14 right and 12 left" + * on the 16-bit sub-words. + */ + w0 = ks->k[0]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[3]; + w0 = ((w0 & 0xC0000000U) >> 14) | ((w0 & 0x3FFF0000U) << 2) | + ((w0 & 0x0000000FU) << 12) | ((w0 & 0x0000FFF0U) >> 4); + w1 = ((w1 & 0xC0000000U) >> 14) | ((w1 & 0x3FFF0000U) << 2) | + ((w1 & 0x0000000FU) << 12) | ((w1 & 0x0000FFF0U) >> 4); + w2 = ((w2 & 0xC0000000U) >> 14) | ((w2 & 0x3FFF0000U) << 2) | + ((w2 & 0x0000000FU) << 12) | ((w2 & 0x0000FFF0U) >> 4); + w3 = ((w3 & 0xC0000000U) >> 14) | ((w3 & 0x3FFF0000U) << 2) | + ((w3 & 0x0000000FU) << 12) | ((w3 & 0x0000FFF0U) >> 4); + + /* Perform all 28 rounds */ + for (round = 28; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddTweak - XOR in the tweak every 4 rounds except the last */ + if ((round % 4) == 0 && round != 28) + s2 ^= tweak; + + /* AddRoundKey - XOR in the key schedule and the round 
constant */ + s0 ^= (uint16_t)w3; + s1 ^= (uint16_t)(w3 >> 16); + s3 ^= 0x8000U ^ GIFT64_RC[round - 1]; + + /* InvPermBits - apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp = s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } + + /* Pack the state into the plaintext buffer in nibble form */ + be_store_word16(output, s0); + be_store_word16(output + 2, s1); + be_store_word16(output + 4, s2); + be_store_word16(output + 6, s3); + gift64n_to_nibbles(output, output); } + +#endif /* GIFT64_LOW_MEMORY */ diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.h b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.h index 40479c7..010359b 100644 --- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.h +++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-gift64.h @@ -28,6 +28,7 @@ * \brief GIFT-64 block cipher. * * References: https://eprint.iacr.org/2017/622.pdf, + * https://eprint.iacr.org/2020/412.pdf, * https://giftcipher.github.io/gift/ */ 
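Review bot: The comments `/* InvPermBits - apply the inverse of the 128-bit permutation */` in both gift64b_decrypt and gift64t_decrypt contradict the encrypt side's `/* PermBits - apply the 64-bit permutation */`; GIFT-64 permutes a 64-bit state, so both should read `64-bit`. The fixsliced gift64t_encrypt/gift64t_decrypt select `GIFT64_tweaks[tweak & 0x0F]` while the low-memory path XORs the full 16-bit `tweak` into s2, so the two builds agree only because every GIFT64T_TWEAK_n constant added in the internal-gift64.h hunk has its index as its low nibble; that coupling deserves a comment beside the lookup, e.g. `/* Relies on the low nibble of each GIFT64T_TWEAK_n equalling its index (see internal-gift64.h) */`, and the header's `\param tweak` text in the `@@ -153` and `@@ -173` hunks should say that only those constants are valid inputs, since any other 16-bit value produces different ciphertext on the two builds. The permutation comment block also has the typos "permuation" and "permutuations". As a point of style, the round loops in the low-memory gift64t_encrypt/gift64t_decrypt repeat the bodies of gift64b_encrypt/gift64b_decrypt almost verbatim; giving the static helpers a `uint16_t tweak` parameter (passed as 0 by gift64n_encrypt/gift64n_decrypt) would remove roughly a hundred duplicated lines.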
@@ -39,57 +40,63 @@ extern "C" { #endif /** + * \var GIFT64_LOW_MEMORY + * \brief Define this to 1 to use a low memory version of the key schedule. + * + * The default is to use the fix-sliced version of GIFT-64 which is very + * fast on 32-bit platforms but requires 48 bytes to store the key schedule. + * The large key schedule may be a problem on 8-bit and 16-bit platforms. + * The fix-sliced version also encrypts two blocks at a time in 32-bit + * words which is an unnecessary optimization for 8-bit platforms. + * + * GIFT64_LOW_MEMORY can be defined to 1 to select the original non + * fix-sliced version which only requires 16 bytes to store the key, + * with the rest of the key schedule expanded on the fly. + */ +#if !defined(GIFT64_LOW_MEMORY) +#if defined(__AVR__) +#define GIFT64_LOW_MEMORY 1 +#else +#define GIFT64_LOW_MEMORY 0 +#endif +#endif + +/** * \brief Size of a GIFT-64 block in bytes. */ #define GIFT64_BLOCK_SIZE 8 /** - * \brief Structure of the key schedule for GIFT-64 (bit-sliced). + * \brief Structure of the key schedule for GIFT-64. */ typedef struct { uint32_t k[4]; /**< Words of the key schedule */ +#if !GIFT64_LOW_MEMORY uint32_t rk[8]; /**< Pre-computed round keys for fixsliced form */ +#endif -} gift64b_key_schedule_t; - -/** - * \brief Initializes the key schedule for GIFT-64 (bit-sliced). - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int gift64b_init - (gift64b_key_schedule_t *ks, const unsigned char *key, size_t key_len); +} gift64n_key_schedule_t; /** + * \fn void gift64n_update_round_keys(gift64n_key_schedule_t *ks); * \brief Updates the round keys after a change in the base key. * * \param ks Points to the key schedule to update. 
*/ -void gift64b_update_round_keys(gift64b_key_schedule_t *ks); - -/** - * \brief Structure of the key schedule for GIFT-64 (nibble-based). - */ -typedef gift64b_key_schedule_t gift64n_key_schedule_t; +#if GIFT64_LOW_MEMORY +#define gift64n_update_round_keys(ks) do { ; } while (0) /* Not needed */ +#else +void gift64n_update_round_keys(gift64n_key_schedule_t *ks); +#endif /** * \brief Initializes the key schedule for GIFT-64 (nibble-based). * * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. + * \param key Points to the 16 bytes of the key data. */ -int gift64n_init - (gift64n_key_schedule_t *ks, const unsigned char *key, size_t key_len); +void gift64n_init(gift64n_key_schedule_t *ks, const unsigned char *key); /** * \brief Encrypts a 64-bit block with GIFT-64 (nibble-based). 
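Review bot: The low-memory stub `#define gift64n_update_round_keys(ks) do { ; } while (0)` discards its argument, so a caller whose only use of a variable is this call draws an unused-variable warning under -Wall and the argument is never type-checked; `#define gift64n_update_round_keys(ks) do { (void)(ks); } while (0)` keeps both. Since the layout of gift64n_key_schedule_t now depends on GIFT64_LOW_MEMORY (the `rk[8]` member is conditional), every translation unit that shares a key schedule must see the same setting; the new GIFT64_LOW_MEMORY doc comment should state that, e.g. `* Must be defined identically in every translation unit that includes this header.`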
@@ -119,33 +126,23 @@ void gift64n_decrypt (const gift64n_key_schedule_t *ks, unsigned char *output, const unsigned char *input); -/** - * \brief Encrypts a 64-bit block with GIFT-64 (nibble-based big-endian). - * - * \param ks Points to the GIFT-64 key schedule. - * \param output Output buffer which must be at least 8 bytes in length. - * \param input Input buffer which must be at least 8 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void gift64nb_encrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 64-bit block with GIFT-64 (nibble-based big-endian). - * - * \param ks Points to the GIFT-64 key schedule. - * \param output Output buffer which must be at least 8 bytes in length. - * \param input Input buffer which must be at least 8 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place decryption. - */ -void gift64nb_decrypt - (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); +/* 4-bit tweak values expanded to 16-bit for TweGIFT-64 */ +#define GIFT64T_TWEAK_0 0x0000 /**< TweGIFT-64 tweak value 0 */ +#define GIFT64T_TWEAK_1 0xe1e1 /**< TweGIFT-64 tweak value 1 */ +#define GIFT64T_TWEAK_2 0xd2d2 /**< TweGIFT-64 tweak value 2 */ +#define GIFT64T_TWEAK_3 0x3333 /**< TweGIFT-64 tweak value 3 */ +#define GIFT64T_TWEAK_4 0xb4b4 /**< TweGIFT-64 tweak value 4 */ +#define GIFT64T_TWEAK_5 0x5555 /**< TweGIFT-64 tweak value 5 */ +#define GIFT64T_TWEAK_6 0x6666 /**< TweGIFT-64 tweak value 6 */ +#define GIFT64T_TWEAK_7 0x8787 /**< TweGIFT-64 tweak value 7 */ +#define GIFT64T_TWEAK_8 0x7878 /**< TweGIFT-64 tweak value 8 */ +#define GIFT64T_TWEAK_9 0x9999 /**< TweGIFT-64 tweak value 9 */ +#define GIFT64T_TWEAK_10 0xaaaa /**< TweGIFT-64 tweak value 10 */ +#define GIFT64T_TWEAK_11 0x4b4b /**< TweGIFT-64 tweak value 11 */ +#define GIFT64T_TWEAK_12 0xcccc 
/**< TweGIFT-64 tweak value 12 */ +#define GIFT64T_TWEAK_13 0x2d2d /**< TweGIFT-64 tweak value 13 */ +#define GIFT64T_TWEAK_14 0x1e1e /**< TweGIFT-64 tweak value 14 */ +#define GIFT64T_TWEAK_15 0xffff /**< TweGIFT-64 tweak value 15 */ /** * \brief Encrypts a 64-bit block with TweGIFT-64 (tweakable variant). @@ -153,7 +150,7 @@ void gift64nb_decrypt * \param ks Points to the GIFT-64 key schedule. * \param output Output buffer which must be at least 8 bytes in length. * \param input Input buffer which must be at least 8 bytes in length. - * \param tweak 4-bit tweak value. + * \param tweak 4-bit tweak value expanded to 16-bit. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. @@ -165,7 +162,7 @@ void gift64nb_decrypt */ void gift64t_encrypt (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak); + const unsigned char *input, uint16_t tweak); /** * \brief Decrypts a 64-bit block with TweGIFT-64 (tweakable variant). @@ -173,7 +170,7 @@ void gift64t_encrypt * \param ks Points to the GIFT-64 key schedule. * \param output Output buffer which must be at least 8 bytes in length. * \param input Input buffer which must be at least 8 bytes in length. - * \param tweak 4-bit tweak value. + * \param tweak 4-bit tweak value expanded to 16-bit. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. @@ -185,7 +182,7 @@ void gift64t_encrypt */ void gift64t_decrypt (const gift64n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak); + const unsigned char *input, uint16_t tweak); #ifdef __cplusplus } diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-util.h b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-util.h 
+++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.c b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.c index e60b084..4a1efd0 100644 
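Review bot: The sixty-two composed rotations in this hunk are hand-written and, as far as I can check by inspection, each one's rotation counts do add up (for example left 16 then four right 1s for `leftRotate12`, and `rightRotateN` mapped to `leftRotate(32-N)`), but a single transposed count or a `leftRotate`/`rightRotate` swap would compile cleanly and yield a wrong-but-plausible permutation on AVR only, where it would be hard to notice. A host-side self-test that evaluates every `leftRotateN`/`rightRotateN` on a few fixed words and compares with the generic `leftRotate(x, N)`/`rightRotate(x, N)` would close that gap; a comment at the top of the `#else` branch, e.g. `/* Each composition below must equal leftRotate(a, N); verified by the rotation self-test on a host build. */`, would point maintainers at it. The composed forms also nest the generic macro several levels deep, so it is worth confirming on the AVR toolchain that the chained statement expressions fold as intended rather than spilling the intermediate values.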
--- a/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.c +++ b/lotus-locus/Implementations/crypto_aead/twegift64lotusaeadv1/rhys/lotus-locus.c @@ -57,7 +57,7 @@ STATIC_INLINE void lotus_or_locus_mul_2(gift64n_key_schedule_t *ks) ks->k[1] = (ks->k[1] << 1) | (ks->k[2] >> 31); ks->k[2] = (ks->k[2] << 1) | (ks->k[3] >> 31); ks->k[3] = (ks->k[3] << 1) ^ (mask & 0x87); - gift64b_update_round_keys(ks); + gift64n_update_round_keys(ks); } /** @@ -77,12 +77,12 @@ static void lotus_or_locus_init const unsigned char *nonce, unsigned char *T) { - gift64n_init(ks, key, LOTUS_AEAD_KEY_SIZE); + gift64n_init(ks, key); memset(deltaN, 0, GIFT64_BLOCK_SIZE); - gift64t_encrypt(ks, deltaN, deltaN, 0); + gift64t_encrypt(ks, deltaN, deltaN, GIFT64T_TWEAK_0); lw_xor_block_2_src(T, key, nonce, LOTUS_AEAD_KEY_SIZE); - gift64n_init(ks, T, LOTUS_AEAD_KEY_SIZE); - gift64t_encrypt(ks, deltaN, deltaN, 1); + gift64n_init(ks, T); + gift64t_encrypt(ks, deltaN, deltaN, GIFT64T_TWEAK_1); } /** @@ -105,7 +105,7 @@ static void lotus_or_locus_process_ad while (adlen > GIFT64_BLOCK_SIZE) { lotus_or_locus_mul_2(ks); lw_xor_block_2_src(X, ad, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(ks, X, X, 2); + gift64t_encrypt(ks, X, X, GIFT64T_TWEAK_2); lw_xor_block(V, X, GIFT64_BLOCK_SIZE); ad += GIFT64_BLOCK_SIZE; adlen -= GIFT64_BLOCK_SIZE; @@ -116,10 +116,10 @@ static void lotus_or_locus_process_ad memcpy(X, deltaN, GIFT64_BLOCK_SIZE); lw_xor_block(X, ad, temp); X[temp] ^= 0x01; - gift64t_encrypt(ks, X, X, 3); + gift64t_encrypt(ks, X, X, GIFT64T_TWEAK_3); } else { lw_xor_block_2_src(X, ad, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(ks, X, X, 2); + gift64t_encrypt(ks, X, X, GIFT64T_TWEAK_2); } lw_xor_block(V, X, GIFT64_BLOCK_SIZE); } 
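Review bot: The new `gift64n_update_round_keys(ks)` call in the -57 hunk of lotus_or_locus_mul_2() comes right after the direct edits to `ks->k[0..3]`, and nothing in the hunk says why that call is required, so a later change that touches `ks->k` elsewhere may omit it. A comment such as `/* ks->k was modified in place; regenerate the cached round keys before the next block cipher call */` would make the dependency explicit; whether the round keys are in fact cached inside the schedule is inferred from the call's name and should be confirmed against internal-gift64.h. The `mask` used in the reduction step is computed before this hunk begins, so the start of the function is outside the visible diff.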
@@ -142,7 +142,7 @@ static void lotus_or_locus_gen_tag lotus_or_locus_mul_2(ks); lw_xor_block(W, deltaN, GIFT64_BLOCK_SIZE); lw_xor_block(W, V, GIFT64_BLOCK_SIZE); - gift64t_encrypt(ks, W, W, 6); + gift64t_encrypt(ks, W, W, GIFT64T_TWEAK_6); lw_xor_block_2_src(tag, W, deltaN, GIFT64_BLOCK_SIZE); } @@ -180,15 +180,15 @@ int lotus_aead_encrypt while (mlen > (GIFT64_BLOCK_SIZE * 2)) { lotus_or_locus_mul_2(&ks); lw_xor_block_2_src(X1, m, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X1, 4); + gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_4); lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, 4); + gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_4); lw_xor_block_2_src (X2, m + GIFT64_BLOCK_SIZE, X2, GIFT64_BLOCK_SIZE); lw_xor_block_2_src(c, X2, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, 5); + gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_5); lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, 5); + gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_5); lw_xor_block_2_src (c + GIFT64_BLOCK_SIZE, X1, X2, GIFT64_BLOCK_SIZE); c += GIFT64_BLOCK_SIZE * 2; @@ -199,9 +199,9 @@ int lotus_aead_encrypt lotus_or_locus_mul_2(&ks); memcpy(X1, deltaN, GIFT64_BLOCK_SIZE); X1[0] ^= (unsigned char)temp; - gift64t_encrypt(&ks, X2, X1, 12); + gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_12); lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, 12); + gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_12); if (temp <= GIFT64_BLOCK_SIZE) { lw_xor_block(WV, m, temp); lw_xor_block(X2, m, temp); @@ -212,9 +212,9 @@ int lotus_aead_encrypt c += GIFT64_BLOCK_SIZE; m += GIFT64_BLOCK_SIZE; temp -= GIFT64_BLOCK_SIZE; - gift64t_encrypt(&ks, X2, X2, 13); + gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13); lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, 13); + gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13); lw_xor_block(WV, m, temp); lw_xor_block(X1, X2, temp); lw_xor_block_2_src(c, X1, m, temp); 
@@ -265,14 +265,14 @@ int lotus_aead_decrypt while (clen > (GIFT64_BLOCK_SIZE * 2)) { lotus_or_locus_mul_2(&ks); lw_xor_block_2_src(X1, c, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X1, 5); + gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_5); lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, 5); + gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_5); lw_xor_block(X2, c + GIFT64_BLOCK_SIZE, GIFT64_BLOCK_SIZE); lw_xor_block_2_src(m, X2, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, 4); + gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_4); lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, 4); + gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_4); lw_xor_block_2_src (m + GIFT64_BLOCK_SIZE, X1, X2, GIFT64_BLOCK_SIZE); c += GIFT64_BLOCK_SIZE * 2; @@ -283,9 +283,9 @@ int lotus_aead_decrypt lotus_or_locus_mul_2(&ks); memcpy(X1, deltaN, GIFT64_BLOCK_SIZE); X1[0] ^= (unsigned char)temp; - gift64t_encrypt(&ks, X2, X1, 12); + gift64t_encrypt(&ks, X2, X1, GIFT64T_TWEAK_12); lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, 12); + gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_12); if (temp <= GIFT64_BLOCK_SIZE) { lw_xor_block_2_src(m, X2, c, temp); lw_xor_block(m, deltaN, temp); @@ -298,9 +298,9 @@ int lotus_aead_decrypt c += GIFT64_BLOCK_SIZE; m += GIFT64_BLOCK_SIZE; temp -= GIFT64_BLOCK_SIZE; - gift64t_encrypt(&ks, X2, X2, 13); + gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13); lw_xor_block(WV, X2, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X2, X2, 13); + gift64t_encrypt(&ks, X2, X2, GIFT64T_TWEAK_13); lw_xor_block(X1, X2, temp); lw_xor_block_2_src(m, X1, c, temp); lw_xor_block(WV, m, temp); 
@@ -346,9 +346,9 @@ int locus_aead_encrypt while (mlen > GIFT64_BLOCK_SIZE) { lotus_or_locus_mul_2(&ks); lw_xor_block_2_src(X, m, deltaN, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X, X, 4); + gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_4); lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X, X, 4); + gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_4); lw_xor_block_2_src(c, X, deltaN, GIFT64_BLOCK_SIZE); c += GIFT64_BLOCK_SIZE; m += GIFT64_BLOCK_SIZE; @@ -358,10 +358,10 @@ int locus_aead_encrypt lotus_or_locus_mul_2(&ks); memcpy(X, deltaN, GIFT64_BLOCK_SIZE); X[0] ^= (unsigned char)temp; - gift64t_encrypt(&ks, X, X, 5); + gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5); lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); lw_xor_block(WV, m, temp); - gift64t_encrypt(&ks, X, X, 5); + gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5); lw_xor_block(X, deltaN, temp); lw_xor_block_2_src(c, m, X, temp); c += temp; @@ -409,9 +409,9 @@ int locus_aead_decrypt while (clen > GIFT64_BLOCK_SIZE) { lotus_or_locus_mul_2(&ks); lw_xor_block_2_src(X, c, deltaN, GIFT64_BLOCK_SIZE); - gift64t_decrypt(&ks, X, X, 4); + gift64t_decrypt(&ks, X, X, GIFT64T_TWEAK_4); lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); - gift64t_decrypt(&ks, X, X, 4); + gift64t_decrypt(&ks, X, X, GIFT64T_TWEAK_4); lw_xor_block_2_src(m, X, deltaN, GIFT64_BLOCK_SIZE); c += GIFT64_BLOCK_SIZE; m += GIFT64_BLOCK_SIZE; @@ -421,9 +421,9 @@ int locus_aead_decrypt lotus_or_locus_mul_2(&ks); memcpy(X, deltaN, GIFT64_BLOCK_SIZE); X[0] ^= (unsigned char)temp; - gift64t_encrypt(&ks, X, X, 5); + gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5); lw_xor_block(WV, X, GIFT64_BLOCK_SIZE); - gift64t_encrypt(&ks, X, X, 5); + gift64t_encrypt(&ks, X, X, GIFT64T_TWEAK_5); lw_xor_block(X, deltaN, temp); lw_xor_block_2_src(m, c, X, temp); lw_xor_block(WV, m, temp); diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/aead-common.c b/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
--- a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/aead-common.h b/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/api.h b/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/encrypt.c b/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/encrypt.c deleted file mode 100644 index e1ea967..0000000 --- a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "orange.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return orange_zest_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return orange_zest_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} 
diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/internal-photon256.c b/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/internal-photon256.c deleted file mode 100644 index b8743fe..0000000 --- a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/internal-photon256.c +++ /dev/null 
@@ -1,479 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-photon256.h" -#include "internal-util.h" - -/** - * \brief Number of rounds in the PHOTON-256 permutation in bit-sliced form. - */ -#define PHOTON256_ROUNDS 12 - -/* Round constants for PHOTON-256 */ -static uint32_t const photon256_rc[PHOTON256_ROUNDS] = { - 0x96d2f0e1, 0xb4f0d2c3, 0xf0b49687, 0x692d0f1e, - 0x5a1e3c2d, 0x3c785a4b, 0xe1a58796, 0x4b0f2d3c, - 0x1e5a7869, 0xa5e1c3d2, 0xd296b4a5, 0x2d694b5a -}; - -/** - * \brief Evaluates the PHOTON-256 S-box in bit-sliced form. - * - * \param x0 Slice with bit 0 of all nibbles. - * \param x1 Slice with bit 1 of all nibbles. - * \param x2 Slice with bit 2 of all nibbles. - * \param x3 Slice with bit 3 of all nibbles. 
- * - * This bit-sliced S-box implementation is based on the AVR version - * "add_avr8_bitslice_asm" from the PHOTON-Beetle reference code. - */ -#define photon256_sbox(x0, x1, x2, x3) \ - do { \ - x1 ^= x2; \ - x3 ^= (x2 & x1); \ - t1 = x3; \ - x3 = (x3 & x1) ^ x2; \ - t2 = x3; \ - x3 ^= x0; \ - x3 = ~(x3); \ - x2 = x3; \ - t2 |= x0; \ - x0 ^= t1; \ - x1 ^= x0; \ - x2 |= x1; \ - x2 ^= t1; \ - x1 ^= t2; \ - x3 ^= x1; \ - } while (0) - -/** - * \brief Performs a field multiplication on the 8 nibbles in a row. - * - * \param a Field constant to multiply by. - * \param x Bit-sliced form of the row, with bits 0..3 of each nibble - * in bytes 0..3 of the word. - * - * \return a * x packed into the bytes of a word. - */ -static uint32_t photon256_field_multiply(uint8_t a, uint32_t x) -{ - /* For each 4-bit nibble we need to do this: - * - * result = 0; - * for (bit = 0; bit < 4; ++ bit) { - * if ((a & (1 << bit)) != 0) - * result ^= x; - * if ((x & 0x08) != 0) { - * x = (x << 1) ^ 3; - * } else { - * x = (x << 1); - * } - * } - * - * We don't need to worry about constant time for "a" because it is a - * known constant that isn't data-dependent. But we do need to worry - * about constant time for "x" as it is data. 
- */ - uint32_t result = 0; - uint32_t t; - #define PARALLEL_CONDITIONAL_ADD(bit) \ - do { \ - if ((a) & (1 << (bit))) \ - result ^= x; \ - } while (0) - #define PARALELL_ROTATE() \ - do { \ - t = x >> 24; \ - x = (x << 8) ^ t ^ (t << 8); \ - } while (0) - PARALLEL_CONDITIONAL_ADD(0); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(1); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(2); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(3); - return result; -} - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/** - * \brief Converts a PHOTON-256 state into bit-sliced form. - * - * \param out Points to the converted output. - * \param in Points to the PHOTON-256 state to convert. - */ -static void photon256_to_sliced - (uint32_t out[PHOTON256_STATE_SIZE / 4], - const unsigned char in[PHOTON256_STATE_SIZE]) -{ - /* We first scatter bits 0..3 of the nibbles to bytes 0..3 of the words. - * Then we rearrange the bytes to group all bits N into word N. - * - * Permutation generated with "http://programming.sirrida.de/calcperm.php". 
- *
- * P = [0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27
- * 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31]
- */
- uint32_t t0, t1, t2, t3;
- #define TO_BITSLICED_PERM(x) \
- do { \
- bit_permute_step(x, 0x0a0a0a0a, 3); \
- bit_permute_step(x, 0x00cc00cc, 6); \
- bit_permute_step(x, 0x0000f0f0, 12); \
- bit_permute_step(x, 0x0000ff00, 8); \
- } while (0)
- #define FROM_BITSLICED_PERM(x) \
- do { \
- bit_permute_step(x, 0x00aa00aa, 7); \
- bit_permute_step(x, 0x0000cccc, 14); \
- bit_permute_step(x, 0x00f000f0, 4); \
- bit_permute_step(x, 0x0000ff00, 8); \
- } while (0)
- t0 = le_load_word32(in);
- t1 = le_load_word32(in + 4);
- t2 = le_load_word32(in + 8);
- t3 = le_load_word32(in + 12);
- TO_BITSLICED_PERM(t0);
- TO_BITSLICED_PERM(t1);
- TO_BITSLICED_PERM(t2);
- TO_BITSLICED_PERM(t3);
- out[0] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) |
- ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U);
- out[1] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) |
- ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U);
- out[2] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) |
- (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U);
- out[3] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) |
- ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U);
- t0 = le_load_word32(in + 16);
- t1 = le_load_word32(in + 20);
- t2 = le_load_word32(in + 24);
- t3 = le_load_word32(in + 28);
- TO_BITSLICED_PERM(t0);
- TO_BITSLICED_PERM(t1);
- TO_BITSLICED_PERM(t2);
- TO_BITSLICED_PERM(t3);
- out[4] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) |
- ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U);
- out[5] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) |
- ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U);
- out[6] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) |
- (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U);
- out[7] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) |
- ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U);
-}
-
-/**
- * \brief Converts a PHOTON-256 state from bit-sliced form.
- *
- * \param out Points to the converted output.
- * \param in Points to the PHOTON-256 state to convert.
- */
-static void photon256_from_sliced
- (unsigned char out[PHOTON256_STATE_SIZE],
- const unsigned char in[PHOTON256_STATE_SIZE])
-{
- /* Do the reverse of photon256_to_sliced() */
- uint32_t x0, x1, x2, x3;
- x0 = ((uint32_t)(in[0])) |
- (((uint32_t)(in[4])) << 8) |
- (((uint32_t)(in[8])) << 16) |
- (((uint32_t)(in[12])) << 24);
- x1 = ((uint32_t)(in[1])) |
- (((uint32_t)(in[5])) << 8) |
- (((uint32_t)(in[9])) << 16) |
- (((uint32_t)(in[13])) << 24);
- x2 = ((uint32_t)(in[2])) |
- (((uint32_t)(in[6])) << 8) |
- (((uint32_t)(in[10])) << 16) |
- (((uint32_t)(in[14])) << 24);
- x3 = ((uint32_t)(in[3])) |
- (((uint32_t)(in[7])) << 8) |
- (((uint32_t)(in[11])) << 16) |
- (((uint32_t)(in[15])) << 24);
- FROM_BITSLICED_PERM(x0);
- FROM_BITSLICED_PERM(x1);
- FROM_BITSLICED_PERM(x2);
- FROM_BITSLICED_PERM(x3);
- le_store_word32(out, x0);
- le_store_word32(out + 4, x1);
- le_store_word32(out + 8, x2);
- le_store_word32(out + 12, x3);
- x0 = ((uint32_t)(in[16])) |
- (((uint32_t)(in[20])) << 8) |
- (((uint32_t)(in[24])) << 16) |
- (((uint32_t)(in[28])) << 24);
- x1 = ((uint32_t)(in[17])) |
- (((uint32_t)(in[21])) << 8) |
- (((uint32_t)(in[25])) << 16) |
- (((uint32_t)(in[29])) << 24);
- x2 = ((uint32_t)(in[18])) |
- (((uint32_t)(in[22])) << 8) |
- (((uint32_t)(in[26])) << 16) |
- (((uint32_t)(in[30])) << 24);
- x3 = ((uint32_t)(in[19])) |
- (((uint32_t)(in[23])) << 8) |
- (((uint32_t)(in[27])) << 16) |
- (((uint32_t)(in[31])) << 24);
- FROM_BITSLICED_PERM(x0);
- FROM_BITSLICED_PERM(x1);
- FROM_BITSLICED_PERM(x2);
- FROM_BITSLICED_PERM(x3);
- le_store_word32(out + 16, x0);
- le_store_word32(out + 20, x1);
- le_store_word32(out + 24, x2);
- le_store_word32(out + 28, x3);
-}
-
-#if defined(LW_UTIL_LITTLE_ENDIAN)
-/* Index the bit-sliced state bytes in little-endian byte order */
-#define READ_ROW0() \
- (((uint32_t)(S.bytes[0])) | \
- (((uint32_t)(S.bytes[4])) << 8) | \
- (((uint32_t)(S.bytes[8])) << 16) | \
- (((uint32_t)(S.bytes[12])) << 24))
-#define READ_ROW1() \
- (((uint32_t)(S.bytes[1])) | \
- (((uint32_t)(S.bytes[5])) << 8) | \
- (((uint32_t)(S.bytes[9])) << 16) | \
- (((uint32_t)(S.bytes[13])) << 24))
-#define READ_ROW2() \
- (((uint32_t)(S.bytes[2])) | \
- (((uint32_t)(S.bytes[6])) << 8) | \
- (((uint32_t)(S.bytes[10])) << 16) | \
- (((uint32_t)(S.bytes[14])) << 24))
-#define READ_ROW3() \
- (((uint32_t)(S.bytes[3])) | \
- (((uint32_t)(S.bytes[7])) << 8) | \
- (((uint32_t)(S.bytes[11])) << 16) | \
- (((uint32_t)(S.bytes[15])) << 24))
-#define READ_ROW4() \
- (((uint32_t)(S.bytes[16])) | \
- (((uint32_t)(S.bytes[20])) << 8) | \
- (((uint32_t)(S.bytes[24])) << 16) | \
- (((uint32_t)(S.bytes[28])) << 24))
-#define READ_ROW5() \
- (((uint32_t)(S.bytes[17])) | \
- (((uint32_t)(S.bytes[21])) << 8) | \
- (((uint32_t)(S.bytes[25])) << 16) | \
- (((uint32_t)(S.bytes[29])) << 24))
-#define READ_ROW6() \
- (((uint32_t)(S.bytes[18])) | \
- (((uint32_t)(S.bytes[22])) << 8) | \
- (((uint32_t)(S.bytes[26])) << 16) | \
- (((uint32_t)(S.bytes[30])) << 24))
-#define READ_ROW7() \
- (((uint32_t)(S.bytes[19])) | \
- (((uint32_t)(S.bytes[23])) << 8) | \
- (((uint32_t)(S.bytes[27])) << 16) | \
- (((uint32_t)(S.bytes[31])) << 24))
-#define WRITE_ROW(row, value) \
- do { \
- if ((row) < 4) { \
- S.bytes[(row)] = (uint8_t)(value); \
- S.bytes[(row) + 4] = (uint8_t)((value) >> 8); \
- S.bytes[(row) + 8] = (uint8_t)((value) >> 16); \
- S.bytes[(row) + 12] = (uint8_t)((value) >> 24); \
- } else { \
- S.bytes[(row) + 12] = (uint8_t)(value); \
- S.bytes[(row) + 16] = (uint8_t)((value) >> 8); \
- S.bytes[(row) + 20] = (uint8_t)((value) >> 16); \
- S.bytes[(row) + 24] = (uint8_t)((value) >> 24); \
- } \
- } while (0)
-#else
-/* Index the bit-sliced state bytes in big-endian byte order */
-#define READ_ROW0() \
- (((uint32_t)(S.bytes[3])) | \
- (((uint32_t)(S.bytes[7])) << 8) | \
- (((uint32_t)(S.bytes[11])) << 16) | \
- (((uint32_t)(S.bytes[15])) << 24))
-#define READ_ROW1() \
- (((uint32_t)(S.bytes[2])) | \
- (((uint32_t)(S.bytes[6])) << 8) | \
- (((uint32_t)(S.bytes[10])) << 16) | \
- (((uint32_t)(S.bytes[14])) << 24))
-#define READ_ROW2() \
- (((uint32_t)(S.bytes[1])) | \
- (((uint32_t)(S.bytes[5])) << 8) | \
- (((uint32_t)(S.bytes[9])) << 16) | \
- (((uint32_t)(S.bytes[13])) << 24))
-#define READ_ROW3() \
- (((uint32_t)(S.bytes[0])) | \
- (((uint32_t)(S.bytes[4])) << 8) | \
- (((uint32_t)(S.bytes[8])) << 16) | \
- (((uint32_t)(S.bytes[12])) << 24))
-#define READ_ROW4() \
- (((uint32_t)(S.bytes[19])) | \
- (((uint32_t)(S.bytes[23])) << 8) | \
- (((uint32_t)(S.bytes[27])) << 16) | \
- (((uint32_t)(S.bytes[31])) << 24))
-#define READ_ROW5() \
- (((uint32_t)(S.bytes[18])) | \
- (((uint32_t)(S.bytes[22])) << 8) | \
- (((uint32_t)(S.bytes[26])) << 16) | \
- (((uint32_t)(S.bytes[30])) << 24))
-#define READ_ROW6() \
- (((uint32_t)(S.bytes[17])) | \
- (((uint32_t)(S.bytes[21])) << 8) | \
- (((uint32_t)(S.bytes[25])) << 16) | \
- (((uint32_t)(S.bytes[29])) << 24))
-#define READ_ROW7() \
- (((uint32_t)(S.bytes[16])) | \
- (((uint32_t)(S.bytes[20])) << 8) | \
- (((uint32_t)(S.bytes[24])) << 16) | \
- (((uint32_t)(S.bytes[28])) << 24))
-#define WRITE_ROW(row, value) \
- do { \
- if ((row) < 4) { \
- S.bytes[3 - (row)] = (uint8_t)(value); \
- S.bytes[7 - (row)] = (uint8_t)((value) >> 8); \
- S.bytes[11 - (row)] = (uint8_t)((value) >> 16); \
- S.bytes[15 - (row)] = (uint8_t)((value) >> 24); \
- } else { \
- S.bytes[20 - (row)] = (uint8_t)(value); \
- S.bytes[24 - (row)] = (uint8_t)((value) >> 8); \
- S.bytes[28 - (row)] = (uint8_t)((value) >> 16); \
- S.bytes[32 - (row)] = (uint8_t)((value) >> 24); \
- } \
- } while (0)
-#endif
-
-void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE])
-{
- union {
- uint32_t words[PHOTON256_STATE_SIZE / 4];
- uint8_t bytes[PHOTON256_STATE_SIZE];
- } S;
- uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8;
- uint8_t round;
-
- /* Convert the state into bit-sliced form */
- photon256_to_sliced(S.words, state);
-
- /* Perform all 12 permutation rounds */
- for (round = 0; round < PHOTON256_ROUNDS; ++round) {
- /* Add the constants for this round */
- t0 = photon256_rc[round];
- S.words[0] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[1] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[2] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[3] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[4] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[5] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[6] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[7] ^= t0 & 0x01010101U;
-
- /* Apply the sbox to all nibbles in the state */
- photon256_sbox(S.words[0], S.words[1], S.words[2], S.words[3]);
- photon256_sbox(S.words[4], S.words[5], S.words[6], S.words[7]);
-
- /* Rotate all rows left by the row number.
- *
- * We do this by applying permutations to the top and bottom words
- * to rearrange the bits into the rotated form. Permutations
- * generated with "http://programming.sirrida.de/calcperm.php".
- *
- * P_top = [0 1 2 3 4 5 6 7 15 8 9 10 11 12 13 14 22 23
- * 16 17 18 19 20 21 29 30 31 24 25 26 27 28]
- * P_bot = [4 5 6 7 0 1 2 3 11 12 13 14 15 8 9 10 18 19
- * 20 21 22 23 16 17 25 26 27 28 29 30 31 24
- */
- #define TOP_ROTATE_PERM(x) \
- do { \
- t1 = (x); \
- bit_permute_step(t1, 0x07030100, 4); \
- bit_permute_step(t1, 0x22331100, 2); \
- bit_permute_step(t1, 0x55005500, 1); \
- (x) = t1; \
- } while (0)
- #define BOTTOM_ROTATE_PERM(x) \
- do { \
- t1 = (x); \
- bit_permute_step(t1, 0x080c0e0f, 4); \
- bit_permute_step(t1, 0x22331100, 2); \
- bit_permute_step(t1, 0x55005500, 1); \
- (x) = t1; \
- } while (0)
- TOP_ROTATE_PERM(S.words[0]);
- TOP_ROTATE_PERM(S.words[1]);
- TOP_ROTATE_PERM(S.words[2]);
- TOP_ROTATE_PERM(S.words[3]);
- BOTTOM_ROTATE_PERM(S.words[4]);
- BOTTOM_ROTATE_PERM(S.words[5]);
- BOTTOM_ROTATE_PERM(S.words[6]);
- BOTTOM_ROTATE_PERM(S.words[7]);
-
- /* Mix the columns */
- #define MUL(a, x) (photon256_field_multiply((a), (x)))
- t0 = READ_ROW0();
- t1 = READ_ROW1();
- t2 = READ_ROW2();
- t3 = READ_ROW3();
- t4 = READ_ROW4();
- t5 = READ_ROW5();
- t6 = READ_ROW6();
- t7 = READ_ROW7();
- t8 = MUL(0x02, t0) ^ MUL(0x04, t1) ^ MUL(0x02, t2) ^ MUL(0x0b, t3) ^
- MUL(0x02, t4) ^ MUL(0x08, t5) ^ MUL(0x05, t6) ^ MUL(0x06, t7);
- WRITE_ROW(0, t8);
- t8 = MUL(0x0c, t0) ^ MUL(0x09, t1) ^ MUL(0x08, t2) ^ MUL(0x0d, t3) ^
- MUL(0x07, t4) ^ MUL(0x07, t5) ^ MUL(0x05, t6) ^ MUL(0x02, t7);
- WRITE_ROW(1, t8);
- t8 = MUL(0x04, t0) ^ MUL(0x04, t1) ^ MUL(0x0d, t2) ^ MUL(0x0d, t3) ^
- MUL(0x09, t4) ^ MUL(0x04, t5) ^ MUL(0x0d, t6) ^ MUL(0x09, t7);
- WRITE_ROW(2, t8);
- t8 = MUL(0x01, t0) ^ MUL(0x06, t1) ^ MUL(0x05, t2) ^ MUL(0x01, t3) ^
- MUL(0x0c, t4) ^ MUL(0x0d, t5) ^ MUL(0x0f, t6) ^ MUL(0x0e, t7);
- WRITE_ROW(3, t8);
- t8 = MUL(0x0f, t0) ^ MUL(0x0c, t1) ^ MUL(0x09, t2) ^ MUL(0x0d, t3) ^
- MUL(0x0e, t4) ^ MUL(0x05, t5) ^ MUL(0x0e, t6) ^ MUL(0x0d, t7);
- WRITE_ROW(4, t8);
- t8 = MUL(0x09, t0) ^ MUL(0x0e, t1) ^ MUL(0x05, t2) ^ MUL(0x0f, t3) ^
- MUL(0x04, t4) ^ MUL(0x0c, t5) ^ MUL(0x09, t6) ^ MUL(0x06, t7);
- WRITE_ROW(5, t8);
- t8 = MUL(0x0c, t0) ^ MUL(0x02, t1) ^ MUL(0x02, t2) ^ MUL(0x0a, t3) ^
- MUL(0x03, t4) ^ MUL(0x01, t5) ^ MUL(0x01, t6) ^ MUL(0x0e, t7);
- WRITE_ROW(6, t8);
- t8 = MUL(0x0f, t0) ^ MUL(0x01, t1) ^ MUL(0x0d, t2) ^ MUL(0x0a, t3) ^
- MUL(0x05, t4) ^ MUL(0x0a, t5) ^ MUL(0x02, t6) ^ MUL(0x03, t7);
- WRITE_ROW(7, t8);
- }
-
- /* Convert back from bit-sliced form to regular form */
- photon256_from_sliced(state, S.bytes);
-}
diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/internal-photon256.h b/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/internal-photon256.h
deleted file mode 100644
index ce8729a..0000000
--- a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/internal-photon256.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_PHOTON256_H
-#define LW_INTERNAL_PHOTON256_H
-
-/**
- * \file internal-photon256.h
- * \brief Internal implementation of the PHOTON-256 permutation.
- *
- * Warning: The current implementation of PHOTON-256 is constant-time
- * but not constant-cache.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the PHOTON-256 permutation state in bytes.
- */
-#define PHOTON256_STATE_SIZE 32
-
-/**
- * \brief Permutes the PHOTON-256 state.
- *
- * \param state The state to be permuted.
- */
-void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/internal-util.h b/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include 
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/orange.c b/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/orange.c deleted file mode 100644 index 641e117..0000000 --- a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/orange.c +++ /dev/null 
@@ -1,384 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "orange.h" -#include "internal-photon256.h" -#include "internal-util.h" -#include - -aead_cipher_t const orange_zest_cipher = { - "ORANGE-Zest", - ORANGE_ZEST_KEY_SIZE, - ORANGE_ZEST_NONCE_SIZE, - ORANGE_ZEST_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - orange_zest_aead_encrypt, - orange_zest_aead_decrypt -}; - -aead_hash_algorithm_t const orangish_hash_algorithm = { - "ORANGISH", - sizeof(int), - ORANGISH_HASH_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - orangish_hash, - (aead_hash_init_t)0, - (aead_hash_update_t)0, - (aead_hash_finalize_t)0, - (aead_xof_absorb_t)0, - (aead_xof_squeeze_t)0 -}; - -/** - * \brief Doubles a block in the GF(128) field a number of times. - * - * \param block The block to be doubled. - * \param value The number of times to double the block. 
- */ -static void orange_block_double(unsigned char block[16], unsigned char value) -{ - unsigned index; - unsigned char mask; - while (value > 0) { - mask = (unsigned char)(((signed char)(block[15])) >> 7); - for (index = 15; index > 0; --index) - block[index] = (block[index] << 1) | (block[index - 1] >> 7); - block[0] = (block[0] << 1) ^ (mask & 0x87); - --value; - } -} - -/** - * \brief Rotates a block left by 1 bit. - * - * \param out The output block to be set to the rotated version. - * \param in The input block to be rotated, must not overlap with \a out. - */ -static void orange_block_rotate - (unsigned char out[16], const unsigned char in[16]) -{ - unsigned index; - for (index = 15; index > 0; --index) - out[index] = (in[index] << 1) | (in[index - 1] >> 7); - out[0] = (in[0] << 1) | (in[15] >> 7); -} - -/** - * \brief Hash input data with ORANGE. - * - * \param state PHOTON-256 permutation state. - * \param data Points to the data to be hashed. - * \param len Length of the data to be hashed, must not be zero. - * \param domain0 Domain separation value for full last block. - * \param domain1 Domain separation value for partial last block. - */ -static void orange_process_hash - (unsigned char state[PHOTON256_STATE_SIZE], - const unsigned char *data, unsigned long long len, - unsigned char domain0, unsigned char domain1) -{ - unsigned temp; - while (len > PHOTON256_STATE_SIZE) { - photon256_permute(state); - lw_xor_block(state, data, PHOTON256_STATE_SIZE); - data += PHOTON256_STATE_SIZE; - len -= PHOTON256_STATE_SIZE; - } - photon256_permute(state); - temp = (unsigned)len; - if (temp < PHOTON256_STATE_SIZE) { - orange_block_double(state + 16, domain1); - state[temp] ^= 0x01; /* padding */ - } else { - orange_block_double(state + 16, domain0); - } - lw_xor_block(state, data, temp); -} - -/** - * \brief Applies the rho function to the ORANGE state. - * - * \param KS Output keystream to use to encrypt the plaintext or to - * decrypt the ciphertext. 
- * \param S Rolling key state. - * \param state Rolling PHOTON-256 permutation state. - */ -static void orange_rho - (unsigned char KS[32], unsigned char S[16], const unsigned char state[32]) -{ - orange_block_double(S, 1); - orange_block_rotate(KS, state); - lw_xor_block_2_src(KS + 16, state + 16, S, 16); - memcpy(S, state + 16, 16); -} - -/** - * \brief Encrypts plaintext with ORANGE. - * - * \param state PHOTON-256 permutation state. - * \param k Points to the key for the cipher. - * \param c Points to the ciphertext output buffer. - * \param m Points to the plaintext input buffer. - * \param len Length of the plaintext in bytes, must not be zero. - */ -static void orange_encrypt - (unsigned char state[PHOTON256_STATE_SIZE], const unsigned char *k, - unsigned char *c, const unsigned char *m, unsigned long long len) -{ - unsigned char S[ORANGE_ZEST_KEY_SIZE]; - unsigned char KS[PHOTON256_STATE_SIZE]; - unsigned temp; - memcpy(S, k, ORANGE_ZEST_KEY_SIZE); - while (len > PHOTON256_STATE_SIZE) { - photon256_permute(state); - orange_rho(KS, S, state); - lw_xor_block_2_src(c, m, KS, PHOTON256_STATE_SIZE); - lw_xor_block(state, c, PHOTON256_STATE_SIZE); - c += PHOTON256_STATE_SIZE; - m += PHOTON256_STATE_SIZE; - len -= PHOTON256_STATE_SIZE; - } - photon256_permute(state); - temp = (unsigned)len; - if (temp < PHOTON256_STATE_SIZE) { - orange_block_double(state + 16, 2); - orange_rho(KS, S, state); - lw_xor_block_2_src(c, m, KS, temp); - lw_xor_block(state, c, temp); - state[temp] ^= 0x01; /* padding */ - } else { - orange_block_double(state + 16, 1); - orange_rho(KS, S, state); - lw_xor_block_2_src(c, m, KS, PHOTON256_STATE_SIZE); - lw_xor_block(state, c, PHOTON256_STATE_SIZE); - } -} - -/** - * \brief Decrypts ciphertext with ORANGE. - * - * \param state PHOTON-256 permutation state. - * \param k Points to the key for the cipher. - * \param m Points to the plaintext output buffer. - * \param c Points to the ciphertext input buffer. 
- * \param len Length of the plaintext in bytes, must not be zero. - */ -static void orange_decrypt - (unsigned char state[PHOTON256_STATE_SIZE], const unsigned char *k, - unsigned char *m, const unsigned char *c, unsigned long long len) -{ - unsigned char S[ORANGE_ZEST_KEY_SIZE]; - unsigned char KS[PHOTON256_STATE_SIZE]; - unsigned temp; - memcpy(S, k, ORANGE_ZEST_KEY_SIZE); - while (len > PHOTON256_STATE_SIZE) { - photon256_permute(state); - orange_rho(KS, S, state); - lw_xor_block(state, c, PHOTON256_STATE_SIZE); - lw_xor_block_2_src(m, c, KS, PHOTON256_STATE_SIZE); - c += PHOTON256_STATE_SIZE; - m += PHOTON256_STATE_SIZE; - len -= PHOTON256_STATE_SIZE; - } - photon256_permute(state); - temp = (unsigned)len; - if (temp < PHOTON256_STATE_SIZE) { - orange_block_double(state + 16, 2); - orange_rho(KS, S, state); - lw_xor_block(state, c, temp); - lw_xor_block_2_src(m, c, KS, temp); - state[temp] ^= 0x01; /* padding */ - } else { - orange_block_double(state + 16, 1); - orange_rho(KS, S, state); - lw_xor_block(state, c, PHOTON256_STATE_SIZE); - lw_xor_block_2_src(m, c, KS, PHOTON256_STATE_SIZE); - } -} - -/** - * \brief Generates the authentication tag for ORANGE-Zest. - * - * \param state PHOTON-256 permutation state. - * - * The tag will be left in the leading bytes of the state on exit. 
- */ -static void orange_generate_tag(unsigned char state[PHOTON256_STATE_SIZE]) -{ - /* Swap the two halves of the state and run the permutation again */ - unsigned posn; - for (posn = 0; posn < (PHOTON256_STATE_SIZE / 2); ++posn) { - unsigned char temp = state[posn]; - state[posn] = state[posn + (PHOTON256_STATE_SIZE / 2)]; - state[posn + (PHOTON256_STATE_SIZE / 2)] = temp; - } - photon256_permute(state); -} - -int orange_zest_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ORANGE_ZEST_TAG_SIZE; - - /* Initialize the PHOTON-256 state with the nonce and key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Handle the associated data and message payload */ - if (adlen == 0) { - if (mlen == 0) { - state[16] ^= 2; /* domain separation */ - photon256_permute(state); - memcpy(c + mlen, state, ORANGE_ZEST_TAG_SIZE); - return 0; - } else { - state[16] ^= 1; /* domain separation */ - orange_encrypt(state, k, c, m, mlen); - } - } else { - orange_process_hash(state, ad, adlen, 1, 2); - if (mlen != 0) - orange_encrypt(state, k, c, m, mlen); - } - - /* Generate the authentication tag */ - orange_generate_tag(state); - memcpy(c + mlen, state, ORANGE_ZEST_TAG_SIZE); - return 0; -} - -int orange_zest_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ORANGE_ZEST_TAG_SIZE) - return -1; - *mlen = clen - 
ORANGE_ZEST_TAG_SIZE; - - /* Initialize the PHOTON-256 state with the nonce and key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Handle the associated data and message payload */ - clen -= ORANGE_ZEST_TAG_SIZE; - if (adlen == 0) { - if (clen == 0) { - state[16] ^= 2; /* domain separation */ - photon256_permute(state); - return aead_check_tag(m, 0, state, c, ORANGE_ZEST_TAG_SIZE); - } else { - state[16] ^= 1; /* domain separation */ - orange_decrypt(state, k, m, c, clen); - } - } else { - orange_process_hash(state, ad, adlen, 1, 2); - if (clen != 0) - orange_decrypt(state, k, m, c, clen); - } - - /* Check the authentication tag */ - orange_generate_tag(state); - return aead_check_tag(m, clen, state, c + clen, ORANGE_ZEST_TAG_SIZE); -} - -/** - * \brief Rate of absorbing data into the ORANGISH hash state. - */ -#define ORANGISH_RATE 16 - -int orangish_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - unsigned temp; - memset(state, 0, sizeof(state)); - if (inlen == 0) { - /* No absorption necessary for a zero-length input */ - } else if (inlen < ORANGISH_RATE) { - /* Single partial block */ - temp = (unsigned)inlen; - memcpy(state, in, temp); - state[temp] ^= 0x01; /* padding */ - photon256_permute(state); - lw_xor_block(state + 16, in, temp); - state[16 + temp] ^= 0x01; /* padding */ - state[0] ^= 0x02; /* domain separation */ - } else if (inlen == ORANGISH_RATE) { - /* Single full block */ - memcpy(state, in, ORANGISH_RATE); - photon256_permute(state); - lw_xor_block(state + 16, in, ORANGISH_RATE); - state[0] ^= 0x01; /* domain separation */ - } else { - /* Process double blocks until we run out */ - memcpy(state, in, ORANGISH_RATE); - photon256_permute(state); - lw_xor_block(state + 16, in, ORANGISH_RATE); - in += ORANGISH_RATE; - inlen -= ORANGISH_RATE; - while (inlen > ORANGISH_RATE) { - lw_xor_block(state, in, ORANGISH_RATE); - photon256_permute(state); - 
lw_xor_block(state + 16, in, ORANGISH_RATE); - in += ORANGISH_RATE; - inlen -= ORANGISH_RATE; - } - temp = (unsigned)inlen; - if (temp < ORANGISH_RATE) { - /* Last double block is partial */ - lw_xor_block(state, in, temp); - state[temp] ^= 0x01; /* padding */ - photon256_permute(state); - lw_xor_block(state + 16, in, temp); - state[16 + temp] ^= 0x01; /* padding */ - state[0] ^= 0x02; /* domain separation */ - } else { - /* Last double block is full */ - lw_xor_block(state, in, ORANGISH_RATE); - photon256_permute(state); - lw_xor_block(state + 16, in, ORANGISH_RATE); - state[0] ^= 0x01; /* domain separation */ - } - } - photon256_permute(state); - memcpy(out, state, 16); - photon256_permute(state); - memcpy(out + 16, state, 16); - return 0; -} diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/orange.h b/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/orange.h deleted file mode 100644 index de5b00c..0000000 --- a/orange/Implementations/crypto_aead/orangezestv1/rhys-avr/orange.h +++ /dev/null 
@@ -1,153 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_ORANGE_H -#define LWCRYPTO_ORANGE_H - -#include "aead-common.h" - -/** - * \file orange.h - * \brief ORANGE authenticated encryption algorithm. - * - * ORANGE is a family of algorithms built around the PHOTON-256 permutation. - * There are two members of the family at present: - * - * \li ORANGE-Zest is an authenticated encryption algorithm with a 128-bit - * key, a 128-bit nonce, and a 128-bit tag. - * \li ORANGISH is a hash algorithm with a 256-bit output. - * - * References: https://www.isical.ac.in/~lightweight/Orange/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for ORANGE-Zest. - */ -#define ORANGE_ZEST_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for ORANGE-Zest. 
- */ -#define ORANGE_ZEST_TAG_SIZE 16 - -/** - * \brief Size of the nonce for ORANGE-Zest. - */ -#define ORANGE_ZEST_NONCE_SIZE 16 - -/** - * \brief Size of the hash output for the ORANGISH hash algorithm. - */ -#define ORANGISH_HASH_SIZE 32 - -/** - * \brief Meta-information block for the ORANGE-Zest cipher. - */ -extern aead_cipher_t const orange_zest_cipher; - -/** - * \brief Meta-information block for the ORANGISH hash algorithm. - */ -extern aead_hash_algorithm_t const orangish_hash_algorithm; - -/** - * \brief Encrypts and authenticates a packet with ORANGE-Zest. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa orange_zest_aead_decrypt() - */ -int orange_zest_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with ORANGE-Zest. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. 
- * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa orange_zest_aead_encrypt() - */ -int orange_zest_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data with ORANGISH to generate a hash value. - * - * \param out Buffer to receive the hash output which must be at least - * ORANGISH_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int orangish_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/orange/Implementations/crypto_aead/orangezestv1/rhys/internal-util.h b/orange/Implementations/crypto_aead/orangezestv1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/orange/Implementations/crypto_aead/orangezestv1/rhys/internal-util.h +++ b/orange/Implementations/crypto_aead/orangezestv1/rhys/internal-util.h 
@@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
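Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is pinned to `defined(__AVR__)` with no override, so a build cannot enable the composed rotations on another target that lacks a barrel shifter, nor disable them on AVR to compare output against the generic branch. Wrapping the selection as `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` / `#if defined(__AVR__) ... #endif` / `#endif` keeps the AVR default while letting `-DLW_CRYPTO_ROTATE32_COMPOSED=0` or `=1` decide otherwise. The second hunk's `#if !LW_CRYPTO_ROTATE32_COMPOSED` opens a conditional whose `#else` and `#endif` lie in a later hunk, so both branches must define exactly the same `leftRotateN`/`rightRotateN` names for the rest of the header to compile either way; the new comment block should say so, e.g. `/* Both branches must yield bit-identical results; only the instruction sequence differs. */`.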
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/aead-common.c b/orange/Implementations/crypto_hash/orangishv1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
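Review bot: Every composed macro in this `#else` branch is a hand-written chain, so a mistyped composition (one `rightRotate(..., 1)` too many, or `24` where `16` was meant) compiles cleanly and silently changes the permutation on AVR builds only, whereas the generic branch cannot disagree with its own name; the `#else` continues a `#if !LW_CRYPTO_ROTATE32_COMPOSED` opened in an earlier hunk. I checked the visible definitions and each matches its comment (`leftRotate12` is left 16 then right 4, `leftRotate28` is right 4, each `rightRotateN` maps to `leftRotate(32-N)`), but that check belongs in the test suite: build the host tests once with `LW_CRYPTO_ROTATE32_COMPOSED` forced to 1 and assert `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for N = 1..31 over a few values of x, since the AVR-only path is otherwise exercised only by the KAT vectors on real hardware. One more thing worth a comment: if the generic `leftRotate`/`rightRotate` are statement expressions declaring `uint32_t _temp`, as the 8-bit and 16-bit versions deleted elsewhere in this diff are, a chain such as `leftRotate20` nests five shadowing `_temp` declarations, which is well-defined but will fire `-Wshadow` on every use.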
--- a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/aead-common.h b/orange/Implementations/crypto_hash/orangishv1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include 
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/api.h b/orange/Implementations/crypto_hash/orangishv1/rhys-avr/api.h
deleted file mode 100644
index ae8c7f6..0000000
--- a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/api.h
+++ /dev/null
@@ -1 +0,0 @@
-#define CRYPTO_BYTES 32
diff --git a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/internal-photon256.c b/orange/Implementations/crypto_hash/orangishv1/rhys-avr/internal-photon256.c
deleted file mode 100644
index b8743fe..0000000
--- a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/internal-photon256.c
+++ /dev/null
@@ -1,479 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-photon256.h" -#include "internal-util.h" - -/** - * \brief Number of rounds in the PHOTON-256 permutation in bit-sliced form. - */ -#define PHOTON256_ROUNDS 12 - -/* Round constants for PHOTON-256 */ -static uint32_t const photon256_rc[PHOTON256_ROUNDS] = { - 0x96d2f0e1, 0xb4f0d2c3, 0xf0b49687, 0x692d0f1e, - 0x5a1e3c2d, 0x3c785a4b, 0xe1a58796, 0x4b0f2d3c, - 0x1e5a7869, 0xa5e1c3d2, 0xd296b4a5, 0x2d694b5a -}; - -/** - * \brief Evaluates the PHOTON-256 S-box in bit-sliced form. - * - * \param x0 Slice with bit 0 of all nibbles. - * \param x1 Slice with bit 1 of all nibbles. - * \param x2 Slice with bit 2 of all nibbles. - * \param x3 Slice with bit 3 of all nibbles. 
- * - * This bit-sliced S-box implementation is based on the AVR version - * "add_avr8_bitslice_asm" from the PHOTON-Beetle reference code. - */ -#define photon256_sbox(x0, x1, x2, x3) \ - do { \ - x1 ^= x2; \ - x3 ^= (x2 & x1); \ - t1 = x3; \ - x3 = (x3 & x1) ^ x2; \ - t2 = x3; \ - x3 ^= x0; \ - x3 = ~(x3); \ - x2 = x3; \ - t2 |= x0; \ - x0 ^= t1; \ - x1 ^= x0; \ - x2 |= x1; \ - x2 ^= t1; \ - x1 ^= t2; \ - x3 ^= x1; \ - } while (0) - -/** - * \brief Performs a field multiplication on the 8 nibbles in a row. - * - * \param a Field constant to multiply by. - * \param x Bit-sliced form of the row, with bits 0..3 of each nibble - * in bytes 0..3 of the word. - * - * \return a * x packed into the bytes of a word. - */ -static uint32_t photon256_field_multiply(uint8_t a, uint32_t x) -{ - /* For each 4-bit nibble we need to do this: - * - * result = 0; - * for (bit = 0; bit < 4; ++ bit) { - * if ((a & (1 << bit)) != 0) - * result ^= x; - * if ((x & 0x08) != 0) { - * x = (x << 1) ^ 3; - * } else { - * x = (x << 1); - * } - * } - * - * We don't need to worry about constant time for "a" because it is a - * known constant that isn't data-dependent. But we do need to worry - * about constant time for "x" as it is data. 
- */ - uint32_t result = 0; - uint32_t t; - #define PARALLEL_CONDITIONAL_ADD(bit) \ - do { \ - if ((a) & (1 << (bit))) \ - result ^= x; \ - } while (0) - #define PARALELL_ROTATE() \ - do { \ - t = x >> 24; \ - x = (x << 8) ^ t ^ (t << 8); \ - } while (0) - PARALLEL_CONDITIONAL_ADD(0); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(1); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(2); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(3); - return result; -} - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/** - * \brief Converts a PHOTON-256 state into bit-sliced form. - * - * \param out Points to the converted output. - * \param in Points to the PHOTON-256 state to convert. - */ -static void photon256_to_sliced - (uint32_t out[PHOTON256_STATE_SIZE / 4], - const unsigned char in[PHOTON256_STATE_SIZE]) -{ - /* We first scatter bits 0..3 of the nibbles to bytes 0..3 of the words. - * Then we rearrange the bytes to group all bits N into word N. - * - * Permutation generated with "http://programming.sirrida.de/calcperm.php". 
- * - * P = [0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 - * 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31] - */ - uint32_t t0, t1, t2, t3; - #define TO_BITSLICED_PERM(x) \ - do { \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - } while (0) - #define FROM_BITSLICED_PERM(x) \ - do { \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - } while (0) - t0 = le_load_word32(in); - t1 = le_load_word32(in + 4); - t2 = le_load_word32(in + 8); - t3 = le_load_word32(in + 12); - TO_BITSLICED_PERM(t0); - TO_BITSLICED_PERM(t1); - TO_BITSLICED_PERM(t2); - TO_BITSLICED_PERM(t3); - out[0] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | - ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); - out[1] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | - ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); - out[2] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | - (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); - out[3] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | - ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); - t0 = le_load_word32(in + 16); - t1 = le_load_word32(in + 20); - t2 = le_load_word32(in + 24); - t3 = le_load_word32(in + 28); - TO_BITSLICED_PERM(t0); - TO_BITSLICED_PERM(t1); - TO_BITSLICED_PERM(t2); - TO_BITSLICED_PERM(t3); - out[4] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | - ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); - out[5] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | - ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); - out[6] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | - (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); - out[7] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | - ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); -} - -/** - * \brief Converts 
a PHOTON-256 state from bit-sliced form. - * - * \param out Points to the converted output. - * \param in Points to the PHOTON-256 state to convert. - */ -static void photon256_from_sliced - (unsigned char out[PHOTON256_STATE_SIZE], - const unsigned char in[PHOTON256_STATE_SIZE]) -{ - /* Do the reverse of photon256_to_sliced() */ - uint32_t x0, x1, x2, x3; - x0 = ((uint32_t)(in[0])) | - (((uint32_t)(in[4])) << 8) | - (((uint32_t)(in[8])) << 16) | - (((uint32_t)(in[12])) << 24); - x1 = ((uint32_t)(in[1])) | - (((uint32_t)(in[5])) << 8) | - (((uint32_t)(in[9])) << 16) | - (((uint32_t)(in[13])) << 24); - x2 = ((uint32_t)(in[2])) | - (((uint32_t)(in[6])) << 8) | - (((uint32_t)(in[10])) << 16) | - (((uint32_t)(in[14])) << 24); - x3 = ((uint32_t)(in[3])) | - (((uint32_t)(in[7])) << 8) | - (((uint32_t)(in[11])) << 16) | - (((uint32_t)(in[15])) << 24); - FROM_BITSLICED_PERM(x0); - FROM_BITSLICED_PERM(x1); - FROM_BITSLICED_PERM(x2); - FROM_BITSLICED_PERM(x3); - le_store_word32(out, x0); - le_store_word32(out + 4, x1); - le_store_word32(out + 8, x2); - le_store_word32(out + 12, x3); - x0 = ((uint32_t)(in[16])) | - (((uint32_t)(in[20])) << 8) | - (((uint32_t)(in[24])) << 16) | - (((uint32_t)(in[28])) << 24); - x1 = ((uint32_t)(in[17])) | - (((uint32_t)(in[21])) << 8) | - (((uint32_t)(in[25])) << 16) | - (((uint32_t)(in[29])) << 24); - x2 = ((uint32_t)(in[18])) | - (((uint32_t)(in[22])) << 8) | - (((uint32_t)(in[26])) << 16) | - (((uint32_t)(in[30])) << 24); - x3 = ((uint32_t)(in[19])) | - (((uint32_t)(in[23])) << 8) | - (((uint32_t)(in[27])) << 16) | - (((uint32_t)(in[31])) << 24); - FROM_BITSLICED_PERM(x0); - FROM_BITSLICED_PERM(x1); - FROM_BITSLICED_PERM(x2); - FROM_BITSLICED_PERM(x3); - le_store_word32(out + 16, x0); - le_store_word32(out + 20, x1); - le_store_word32(out + 24, x2); - le_store_word32(out + 28, x3); -} - -#if defined(LW_UTIL_LITTLE_ENDIAN) -/* Index the bit-sliced state bytes in little-endian byte order */ -#define READ_ROW0() \ - (((uint32_t)(S.bytes[0])) | 
\ - (((uint32_t)(S.bytes[4])) << 8) | \ - (((uint32_t)(S.bytes[8])) << 16) | \ - (((uint32_t)(S.bytes[12])) << 24)) -#define READ_ROW1() \ - (((uint32_t)(S.bytes[1])) | \ - (((uint32_t)(S.bytes[5])) << 8) | \ - (((uint32_t)(S.bytes[9])) << 16) | \ - (((uint32_t)(S.bytes[13])) << 24)) -#define READ_ROW2() \ - (((uint32_t)(S.bytes[2])) | \ - (((uint32_t)(S.bytes[6])) << 8) | \ - (((uint32_t)(S.bytes[10])) << 16) | \ - (((uint32_t)(S.bytes[14])) << 24)) -#define READ_ROW3() \ - (((uint32_t)(S.bytes[3])) | \ - (((uint32_t)(S.bytes[7])) << 8) | \ - (((uint32_t)(S.bytes[11])) << 16) | \ - (((uint32_t)(S.bytes[15])) << 24)) -#define READ_ROW4() \ - (((uint32_t)(S.bytes[16])) | \ - (((uint32_t)(S.bytes[20])) << 8) | \ - (((uint32_t)(S.bytes[24])) << 16) | \ - (((uint32_t)(S.bytes[28])) << 24)) -#define READ_ROW5() \ - (((uint32_t)(S.bytes[17])) | \ - (((uint32_t)(S.bytes[21])) << 8) | \ - (((uint32_t)(S.bytes[25])) << 16) | \ - (((uint32_t)(S.bytes[29])) << 24)) -#define READ_ROW6() \ - (((uint32_t)(S.bytes[18])) | \ - (((uint32_t)(S.bytes[22])) << 8) | \ - (((uint32_t)(S.bytes[26])) << 16) | \ - (((uint32_t)(S.bytes[30])) << 24)) -#define READ_ROW7() \ - (((uint32_t)(S.bytes[19])) | \ - (((uint32_t)(S.bytes[23])) << 8) | \ - (((uint32_t)(S.bytes[27])) << 16) | \ - (((uint32_t)(S.bytes[31])) << 24)) -#define WRITE_ROW(row, value) \ - do { \ - if ((row) < 4) { \ - S.bytes[(row)] = (uint8_t)(value); \ - S.bytes[(row) + 4] = (uint8_t)((value) >> 8); \ - S.bytes[(row) + 8] = (uint8_t)((value) >> 16); \ - S.bytes[(row) + 12] = (uint8_t)((value) >> 24); \ - } else { \ - S.bytes[(row) + 12] = (uint8_t)(value); \ - S.bytes[(row) + 16] = (uint8_t)((value) >> 8); \ - S.bytes[(row) + 20] = (uint8_t)((value) >> 16); \ - S.bytes[(row) + 24] = (uint8_t)((value) >> 24); \ - } \ - } while (0) -#else -/* Index the bit-sliced state bytes in big-endian byte order */ -#define READ_ROW0() \ - (((uint32_t)(S.bytes[3])) | \ - (((uint32_t)(S.bytes[7])) << 8) | \ - (((uint32_t)(S.bytes[11])) << 
16) | \ - (((uint32_t)(S.bytes[15])) << 24)) -#define READ_ROW1() \ - (((uint32_t)(S.bytes[2])) | \ - (((uint32_t)(S.bytes[6])) << 8) | \ - (((uint32_t)(S.bytes[10])) << 16) | \ - (((uint32_t)(S.bytes[14])) << 24)) -#define READ_ROW2() \ - (((uint32_t)(S.bytes[1])) | \ - (((uint32_t)(S.bytes[5])) << 8) | \ - (((uint32_t)(S.bytes[9])) << 16) | \ - (((uint32_t)(S.bytes[13])) << 24)) -#define READ_ROW3() \ - (((uint32_t)(S.bytes[0])) | \ - (((uint32_t)(S.bytes[4])) << 8) | \ - (((uint32_t)(S.bytes[8])) << 16) | \ - (((uint32_t)(S.bytes[12])) << 24)) -#define READ_ROW4() \ - (((uint32_t)(S.bytes[19])) | \ - (((uint32_t)(S.bytes[23])) << 8) | \ - (((uint32_t)(S.bytes[27])) << 16) | \ - (((uint32_t)(S.bytes[31])) << 24)) -#define READ_ROW5() \ - (((uint32_t)(S.bytes[18])) | \ - (((uint32_t)(S.bytes[22])) << 8) | \ - (((uint32_t)(S.bytes[26])) << 16) | \ - (((uint32_t)(S.bytes[30])) << 24)) -#define READ_ROW6() \ - (((uint32_t)(S.bytes[17])) | \ - (((uint32_t)(S.bytes[21])) << 8) | \ - (((uint32_t)(S.bytes[25])) << 16) | \ - (((uint32_t)(S.bytes[29])) << 24)) -#define READ_ROW7() \ - (((uint32_t)(S.bytes[16])) | \ - (((uint32_t)(S.bytes[20])) << 8) | \ - (((uint32_t)(S.bytes[24])) << 16) | \ - (((uint32_t)(S.bytes[28])) << 24)) -#define WRITE_ROW(row, value) \ - do { \ - if ((row) < 4) { \ - S.bytes[3 - (row)] = (uint8_t)(value); \ - S.bytes[7 - (row)] = (uint8_t)((value) >> 8); \ - S.bytes[11 - (row)] = (uint8_t)((value) >> 16); \ - S.bytes[15 - (row)] = (uint8_t)((value) >> 24); \ - } else { \ - S.bytes[20 - (row)] = (uint8_t)(value); \ - S.bytes[24 - (row)] = (uint8_t)((value) >> 8); \ - S.bytes[28 - (row)] = (uint8_t)((value) >> 16); \ - S.bytes[32 - (row)] = (uint8_t)((value) >> 24); \ - } \ - } while (0) -#endif - -void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]) -{ - union { - uint32_t words[PHOTON256_STATE_SIZE / 4]; - uint8_t bytes[PHOTON256_STATE_SIZE]; - } S; - uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8; - uint8_t round; - - /* Convert the 
state into bit-sliced form */ - photon256_to_sliced(S.words, state); - - /* Perform all 12 permutation rounds */ - for (round = 0; round < PHOTON256_ROUNDS; ++round) { - /* Add the constants for this round */ - t0 = photon256_rc[round]; - S.words[0] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[1] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[2] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[3] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[4] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[5] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[6] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[7] ^= t0 & 0x01010101U; - - /* Apply the sbox to all nibbles in the state */ - photon256_sbox(S.words[0], S.words[1], S.words[2], S.words[3]); - photon256_sbox(S.words[4], S.words[5], S.words[6], S.words[7]); - - /* Rotate all rows left by the row number. - * - * We do this by applying permutations to the top and bottom words - * to rearrange the bits into the rotated form. Permutations - * generated with "http://programming.sirrida.de/calcperm.php". 
- * - * P_top = [0 1 2 3 4 5 6 7 15 8 9 10 11 12 13 14 22 23 - * 16 17 18 19 20 21 29 30 31 24 25 26 27 28] - * P_bot = [4 5 6 7 0 1 2 3 11 12 13 14 15 8 9 10 18 19 - * 20 21 22 23 16 17 25 26 27 28 29 30 31 24 - */ - #define TOP_ROTATE_PERM(x) \ - do { \ - t1 = (x); \ - bit_permute_step(t1, 0x07030100, 4); \ - bit_permute_step(t1, 0x22331100, 2); \ - bit_permute_step(t1, 0x55005500, 1); \ - (x) = t1; \ - } while (0) - #define BOTTOM_ROTATE_PERM(x) \ - do { \ - t1 = (x); \ - bit_permute_step(t1, 0x080c0e0f, 4); \ - bit_permute_step(t1, 0x22331100, 2); \ - bit_permute_step(t1, 0x55005500, 1); \ - (x) = t1; \ - } while (0) - TOP_ROTATE_PERM(S.words[0]); - TOP_ROTATE_PERM(S.words[1]); - TOP_ROTATE_PERM(S.words[2]); - TOP_ROTATE_PERM(S.words[3]); - BOTTOM_ROTATE_PERM(S.words[4]); - BOTTOM_ROTATE_PERM(S.words[5]); - BOTTOM_ROTATE_PERM(S.words[6]); - BOTTOM_ROTATE_PERM(S.words[7]); - - /* Mix the columns */ - #define MUL(a, x) (photon256_field_multiply((a), (x))) - t0 = READ_ROW0(); - t1 = READ_ROW1(); - t2 = READ_ROW2(); - t3 = READ_ROW3(); - t4 = READ_ROW4(); - t5 = READ_ROW5(); - t6 = READ_ROW6(); - t7 = READ_ROW7(); - t8 = MUL(0x02, t0) ^ MUL(0x04, t1) ^ MUL(0x02, t2) ^ MUL(0x0b, t3) ^ - MUL(0x02, t4) ^ MUL(0x08, t5) ^ MUL(0x05, t6) ^ MUL(0x06, t7); - WRITE_ROW(0, t8); - t8 = MUL(0x0c, t0) ^ MUL(0x09, t1) ^ MUL(0x08, t2) ^ MUL(0x0d, t3) ^ - MUL(0x07, t4) ^ MUL(0x07, t5) ^ MUL(0x05, t6) ^ MUL(0x02, t7); - WRITE_ROW(1, t8); - t8 = MUL(0x04, t0) ^ MUL(0x04, t1) ^ MUL(0x0d, t2) ^ MUL(0x0d, t3) ^ - MUL(0x09, t4) ^ MUL(0x04, t5) ^ MUL(0x0d, t6) ^ MUL(0x09, t7); - WRITE_ROW(2, t8); - t8 = MUL(0x01, t0) ^ MUL(0x06, t1) ^ MUL(0x05, t2) ^ MUL(0x01, t3) ^ - MUL(0x0c, t4) ^ MUL(0x0d, t5) ^ MUL(0x0f, t6) ^ MUL(0x0e, t7); - WRITE_ROW(3, t8); - t8 = MUL(0x0f, t0) ^ MUL(0x0c, t1) ^ MUL(0x09, t2) ^ MUL(0x0d, t3) ^ - MUL(0x0e, t4) ^ MUL(0x05, t5) ^ MUL(0x0e, t6) ^ MUL(0x0d, t7); - WRITE_ROW(4, t8); - t8 = MUL(0x09, t0) ^ MUL(0x0e, t1) ^ MUL(0x05, t2) ^ MUL(0x0f, t3) ^ - MUL(0x04, t4) 
^ MUL(0x0c, t5) ^ MUL(0x09, t6) ^ MUL(0x06, t7); - WRITE_ROW(5, t8); - t8 = MUL(0x0c, t0) ^ MUL(0x02, t1) ^ MUL(0x02, t2) ^ MUL(0x0a, t3) ^ - MUL(0x03, t4) ^ MUL(0x01, t5) ^ MUL(0x01, t6) ^ MUL(0x0e, t7); - WRITE_ROW(6, t8); - t8 = MUL(0x0f, t0) ^ MUL(0x01, t1) ^ MUL(0x0d, t2) ^ MUL(0x0a, t3) ^ - MUL(0x05, t4) ^ MUL(0x0a, t5) ^ MUL(0x02, t6) ^ MUL(0x03, t7); - WRITE_ROW(7, t8); - } - - /* Convert back from bit-sliced form to regular form */ - photon256_from_sliced(state, S.bytes); -} diff --git a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/internal-photon256.h b/orange/Implementations/crypto_hash/orangishv1/rhys-avr/internal-photon256.h deleted file mode 100644 index ce8729a..0000000 --- a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/internal-photon256.h +++ /dev/null 
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_PHOTON256_H
-#define LW_INTERNAL_PHOTON256_H
-
-/**
- * \file internal-photon256.h
- * \brief Internal implementation of the PHOTON-256 permutation.
- *
- * Warning: The current implementation of PHOTON-256 is constant-time
- * but not constant-cache.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the PHOTON-256 permutation state in bytes.
- */
-#define PHOTON256_STATE_SIZE 32
-
-/**
- * \brief Permutes the PHOTON-256 state.
- *
- * \param state The state to be permuted.
- */
-void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/internal-util.h b/orange/Implementations/crypto_hash/orangishv1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/orange.c b/orange/Implementations/crypto_hash/orangishv1/rhys-avr/orange.c
deleted file mode 100644
index 641e117..0000000
--- a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/orange.c
+++ /dev/null
@@ -1,384 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "orange.h"
-#include "internal-photon256.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const orange_zest_cipher = {
- "ORANGE-Zest",
- ORANGE_ZEST_KEY_SIZE,
- ORANGE_ZEST_NONCE_SIZE,
- ORANGE_ZEST_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- orange_zest_aead_encrypt,
- orange_zest_aead_decrypt
-};
-
-aead_hash_algorithm_t const orangish_hash_algorithm = {
- "ORANGISH",
- sizeof(int),
- ORANGISH_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- orangish_hash,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \brief Doubles a block in the GF(128) field a number of times.
- *
- * \param block The block to be doubled.
- * \param value The number of times to double the block.
- */
-static void orange_block_double(unsigned char block[16], unsigned char value)
-{
- unsigned index;
- unsigned char mask;
- while (value > 0) {
- mask = (unsigned char)(((signed char)(block[15])) >> 7);
- for (index = 15; index > 0; --index)
- block[index] = (block[index] << 1) | (block[index - 1] >> 7);
- block[0] = (block[0] << 1) ^ (mask & 0x87);
- --value;
- }
-}
-
-/**
- * \brief Rotates a block left by 1 bit.
- *
- * \param out The output block to be set to the rotated version.
- * \param in The input block to be rotated, must not overlap with \a out.
- */
-static void orange_block_rotate
- (unsigned char out[16], const unsigned char in[16])
-{
- unsigned index;
- for (index = 15; index > 0; --index)
- out[index] = (in[index] << 1) | (in[index - 1] >> 7);
- out[0] = (in[0] << 1) | (in[15] >> 7);
-}
-
-/**
- * \brief Hash input data with ORANGE.
- *
- * \param state PHOTON-256 permutation state.
- * \param data Points to the data to be hashed.
- * \param len Length of the data to be hashed, must not be zero.
- * \param domain0 Domain separation value for full last block.
- * \param domain1 Domain separation value for partial last block.
- */
-static void orange_process_hash
- (unsigned char state[PHOTON256_STATE_SIZE],
- const unsigned char *data, unsigned long long len,
- unsigned char domain0, unsigned char domain1)
-{
- unsigned temp;
- while (len > PHOTON256_STATE_SIZE) {
- photon256_permute(state);
- lw_xor_block(state, data, PHOTON256_STATE_SIZE);
- data += PHOTON256_STATE_SIZE;
- len -= PHOTON256_STATE_SIZE;
- }
- photon256_permute(state);
- temp = (unsigned)len;
- if (temp < PHOTON256_STATE_SIZE) {
- orange_block_double(state + 16, domain1);
- state[temp] ^= 0x01; /* padding */
- } else {
- orange_block_double(state + 16, domain0);
- }
- lw_xor_block(state, data, temp);
-}
-
-/**
- * \brief Applies the rho function to the ORANGE state.
- *
- * \param KS Output keystream to use to encrypt the plaintext or to
- * decrypt the ciphertext.
- * \param S Rolling key state.
- * \param state Rolling PHOTON-256 permutation state.
- */
-static void orange_rho
- (unsigned char KS[32], unsigned char S[16], const unsigned char state[32])
-{
- orange_block_double(S, 1);
- orange_block_rotate(KS, state);
- lw_xor_block_2_src(KS + 16, state + 16, S, 16);
- memcpy(S, state + 16, 16);
-}
-
-/**
- * \brief Encrypts plaintext with ORANGE.
- *
- * \param state PHOTON-256 permutation state.
- * \param k Points to the key for the cipher.
- * \param c Points to the ciphertext output buffer.
- * \param m Points to the plaintext input buffer.
- * \param len Length of the plaintext in bytes, must not be zero.
- */
-static void orange_encrypt
- (unsigned char state[PHOTON256_STATE_SIZE], const unsigned char *k,
- unsigned char *c, const unsigned char *m, unsigned long long len)
-{
- unsigned char S[ORANGE_ZEST_KEY_SIZE];
- unsigned char KS[PHOTON256_STATE_SIZE];
- unsigned temp;
- memcpy(S, k, ORANGE_ZEST_KEY_SIZE);
- while (len > PHOTON256_STATE_SIZE) {
- photon256_permute(state);
- orange_rho(KS, S, state);
- lw_xor_block_2_src(c, m, KS, PHOTON256_STATE_SIZE);
- lw_xor_block(state, c, PHOTON256_STATE_SIZE);
- c += PHOTON256_STATE_SIZE;
- m += PHOTON256_STATE_SIZE;
- len -= PHOTON256_STATE_SIZE;
- }
- photon256_permute(state);
- temp = (unsigned)len;
- if (temp < PHOTON256_STATE_SIZE) {
- orange_block_double(state + 16, 2);
- orange_rho(KS, S, state);
- lw_xor_block_2_src(c, m, KS, temp);
- lw_xor_block(state, c, temp);
- state[temp] ^= 0x01; /* padding */
- } else {
- orange_block_double(state + 16, 1);
- orange_rho(KS, S, state);
- lw_xor_block_2_src(c, m, KS, PHOTON256_STATE_SIZE);
- lw_xor_block(state, c, PHOTON256_STATE_SIZE);
- }
-}
-
-/**
- * \brief Decrypts ciphertext with ORANGE.
- *
- * \param state PHOTON-256 permutation state.
- * \param k Points to the key for the cipher.
- * \param m Points to the plaintext output buffer.
- * \param c Points to the ciphertext input buffer.
- * \param len Length of the plaintext in bytes, must not be zero.
- */
-static void orange_decrypt
- (unsigned char state[PHOTON256_STATE_SIZE], const unsigned char *k,
- unsigned char *m, const unsigned char *c, unsigned long long len)
-{
- unsigned char S[ORANGE_ZEST_KEY_SIZE];
- unsigned char KS[PHOTON256_STATE_SIZE];
- unsigned temp;
- memcpy(S, k, ORANGE_ZEST_KEY_SIZE);
- while (len > PHOTON256_STATE_SIZE) {
- photon256_permute(state);
- orange_rho(KS, S, state);
- lw_xor_block(state, c, PHOTON256_STATE_SIZE);
- lw_xor_block_2_src(m, c, KS, PHOTON256_STATE_SIZE);
- c += PHOTON256_STATE_SIZE;
- m += PHOTON256_STATE_SIZE;
- len -= PHOTON256_STATE_SIZE;
- }
- photon256_permute(state);
- temp = (unsigned)len;
- if (temp < PHOTON256_STATE_SIZE) {
- orange_block_double(state + 16, 2);
- orange_rho(KS, S, state);
- lw_xor_block(state, c, temp);
- lw_xor_block_2_src(m, c, KS, temp);
- state[temp] ^= 0x01; /* padding */
- } else {
- orange_block_double(state + 16, 1);
- orange_rho(KS, S, state);
- lw_xor_block(state, c, PHOTON256_STATE_SIZE);
- lw_xor_block_2_src(m, c, KS, PHOTON256_STATE_SIZE);
- }
-}
-
-/**
- * \brief Generates the authentication tag for ORANGE-Zest.
- *
- * \param state PHOTON-256 permutation state.
- *
- * The tag will be left in the leading bytes of the state on exit.
- */
-static void orange_generate_tag(unsigned char state[PHOTON256_STATE_SIZE])
-{
- /* Swap the two halves of the state and run the permutation again */
- unsigned posn;
- for (posn = 0; posn < (PHOTON256_STATE_SIZE / 2); ++posn) {
- unsigned char temp = state[posn];
- state[posn] = state[posn + (PHOTON256_STATE_SIZE / 2)];
- state[posn + (PHOTON256_STATE_SIZE / 2)] = temp;
- }
- photon256_permute(state);
-}
-
-int orange_zest_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char state[PHOTON256_STATE_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ORANGE_ZEST_TAG_SIZE;
-
- /* Initialize the PHOTON-256 state with the nonce and key */
- memcpy(state, npub, 16);
- memcpy(state + 16, k, 16);
-
- /* Handle the associated data and message payload */
- if (adlen == 0) {
- if (mlen == 0) {
- state[16] ^= 2; /* domain separation */
- photon256_permute(state);
- memcpy(c + mlen, state, ORANGE_ZEST_TAG_SIZE);
- return 0;
- } else {
- state[16] ^= 1; /* domain separation */
- orange_encrypt(state, k, c, m, mlen);
- }
- } else {
- orange_process_hash(state, ad, adlen, 1, 2);
- if (mlen != 0)
- orange_encrypt(state, k, c, m, mlen);
- }
-
- /* Generate the authentication tag */
- orange_generate_tag(state);
- memcpy(c + mlen, state, ORANGE_ZEST_TAG_SIZE);
- return 0;
-}
-
-int orange_zest_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char state[PHOTON256_STATE_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ORANGE_ZEST_TAG_SIZE)
- return -1;
- *mlen = clen - ORANGE_ZEST_TAG_SIZE;
-
- /* Initialize the PHOTON-256 state with the nonce and key */
- memcpy(state, npub, 16);
- memcpy(state + 16, k, 16);
-
- /* Handle the associated data and message payload */
- clen -= ORANGE_ZEST_TAG_SIZE;
- if (adlen == 0) {
- if (clen == 0) {
- state[16] ^= 2; /* domain separation */
- photon256_permute(state);
- return aead_check_tag(m, 0, state, c, ORANGE_ZEST_TAG_SIZE);
- } else {
- state[16] ^= 1; /* domain separation */
- orange_decrypt(state, k, m, c, clen);
- }
- } else {
- orange_process_hash(state, ad, adlen, 1, 2);
- if (clen != 0)
- orange_decrypt(state, k, m, c, clen);
- }
-
- /* Check the authentication tag */
- orange_generate_tag(state);
- return aead_check_tag(m, clen, state, c + clen, ORANGE_ZEST_TAG_SIZE);
-}
-
-/**
- * \brief Rate of absorbing data into the ORANGISH hash state.
- */
-#define ORANGISH_RATE 16
-
-int orangish_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- unsigned char state[PHOTON256_STATE_SIZE];
- unsigned temp;
- memset(state, 0, sizeof(state));
- if (inlen == 0) {
- /* No absorption necessary for a zero-length input */
- } else if (inlen < ORANGISH_RATE) {
- /* Single partial block */
- temp = (unsigned)inlen;
- memcpy(state, in, temp);
- state[temp] ^= 0x01; /* padding */
- photon256_permute(state);
- lw_xor_block(state + 16, in, temp);
- state[16 + temp] ^= 0x01; /* padding */
- state[0] ^= 0x02; /* domain separation */
- } else if (inlen == ORANGISH_RATE) {
- /* Single full block */
- memcpy(state, in, ORANGISH_RATE);
- photon256_permute(state);
- lw_xor_block(state + 16, in, ORANGISH_RATE);
- state[0] ^= 0x01; /* domain separation */
- } else {
- /* Process double blocks until we run out */
- memcpy(state, in, ORANGISH_RATE);
- photon256_permute(state);
- lw_xor_block(state + 16, in, ORANGISH_RATE);
- in += ORANGISH_RATE;
- inlen -= ORANGISH_RATE;
- while (inlen > ORANGISH_RATE) {
- lw_xor_block(state, in, ORANGISH_RATE);
- photon256_permute(state);
- lw_xor_block(state + 16, in, ORANGISH_RATE);
- in += ORANGISH_RATE;
- inlen -= ORANGISH_RATE;
- }
- temp = (unsigned)inlen;
- if (temp < ORANGISH_RATE) {
- /* Last double block is partial */
- lw_xor_block(state, in, temp);
- state[temp] ^= 0x01; /* padding */
- photon256_permute(state);
- lw_xor_block(state + 16, in, temp);
- state[16 + temp] ^= 0x01; /* padding */
- state[0] ^= 0x02; /* domain separation */
- } else {
- /* Last double block is full */
- lw_xor_block(state, in, ORANGISH_RATE);
- photon256_permute(state);
- lw_xor_block(state + 16, in, ORANGISH_RATE);
- state[0] ^= 0x01; /* domain separation */
- }
- }
- photon256_permute(state);
- memcpy(out, state, 16);
- photon256_permute(state);
- memcpy(out + 16, state, 16);
- return 0;
-}
diff --git a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/orange.h b/orange/Implementations/crypto_hash/orangishv1/rhys-avr/orange.h
deleted file mode 100644
index de5b00c..0000000
--- a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/orange.h
+++ /dev/null
@@ -1,153 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_ORANGE_H
-#define LWCRYPTO_ORANGE_H
-
-#include "aead-common.h"
-
-/**
- * \file orange.h
- * \brief ORANGE authenticated encryption algorithm.
- *
- * ORANGE is a family of algorithms built around the PHOTON-256 permutation.
- * There are two members of the family at present:
- *
- * \li ORANGE-Zest is an authenticated encryption algorithm with a 128-bit
- * key, a 128-bit nonce, and a 128-bit tag.
- * \li ORANGISH is a hash algorithm with a 256-bit output.
- *
- * References: https://www.isical.ac.in/~lightweight/Orange/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for ORANGE-Zest.
- */
-#define ORANGE_ZEST_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for ORANGE-Zest.
- */
-#define ORANGE_ZEST_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for ORANGE-Zest.
- */
-#define ORANGE_ZEST_NONCE_SIZE 16
-
-/**
- * \brief Size of the hash output for the ORANGISH hash algorithm.
- */
-#define ORANGISH_HASH_SIZE 32
-
-/**
- * \brief Meta-information block for the ORANGE-Zest cipher.
- */
-extern aead_cipher_t const orange_zest_cipher;
-
-/**
- * \brief Meta-information block for the ORANGISH hash algorithm.
- */
-extern aead_hash_algorithm_t const orangish_hash_algorithm;
-
-/**
- * \brief Encrypts and authenticates a packet with ORANGE-Zest.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa orange_zest_aead_decrypt()
- */
-int orange_zest_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with ORANGE-Zest.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa orange_zest_aead_encrypt()
- */
-int orange_zest_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with ORANGISH to generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * ORANGISH_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int orangish_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/aead-common.c b/orange/Implementations/crypto_hash/orangishv1/rhys/aead-common.c
similarity index 100%
rename from drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/aead-common.c
rename to orange/Implementations/crypto_hash/orangishv1/rhys/aead-common.c
diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/aead-common.h b/orange/Implementations/crypto_hash/orangishv1/rhys/aead-common.h
similarity index 100%
rename from drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/aead-common.h
rename to orange/Implementations/crypto_hash/orangishv1/rhys/aead-common.h
diff --git a/orange/Implementations/crypto_hash/orangishv1/rhys/api.h b/orange/Implementations/crypto_hash/orangishv1/rhys/api.h
new file mode 100644
index 0000000..ae8c7f6
--- /dev/null
+++ b/orange/Implementations/crypto_hash/orangishv1/rhys/api.h
@@ -0,0 +1 @@
+#define CRYPTO_BYTES 32
diff --git a/orange/Implementations/crypto_hash/orangishv1/rhys-avr/hash.c b/orange/Implementations/crypto_hash/orangishv1/rhys/hash.c
similarity index 100%
rename from orange/Implementations/crypto_hash/orangishv1/rhys-avr/hash.c
rename to orange/Implementations/crypto_hash/orangishv1/rhys/hash.c
diff --git a/orange/Implementations/crypto_hash/orangishv1/rhys/internal-photon256.c b/orange/Implementations/crypto_hash/orangishv1/rhys/internal-photon256.c
new file mode 100644
index 0000000..b8743fe
--- /dev/null
+++ b/orange/Implementations/crypto_hash/orangishv1/rhys/internal-photon256.c
@@ -0,0 +1,479 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "internal-photon256.h"
+#include "internal-util.h"
+
+/**
+ * \brief Number of rounds in the PHOTON-256 permutation in bit-sliced form.
+ */
+#define PHOTON256_ROUNDS 12
+
+/* Round constants for PHOTON-256 */
+static uint32_t const photon256_rc[PHOTON256_ROUNDS] = {
+ 0x96d2f0e1, 0xb4f0d2c3, 0xf0b49687, 0x692d0f1e,
+ 0x5a1e3c2d, 0x3c785a4b, 0xe1a58796, 0x4b0f2d3c,
+ 0x1e5a7869, 0xa5e1c3d2, 0xd296b4a5, 0x2d694b5a
+};
+
+/**
+ * \brief Evaluates the PHOTON-256 S-box in bit-sliced form.
+ *
+ * \param x0 Slice with bit 0 of all nibbles.
+ * \param x1 Slice with bit 1 of all nibbles.
+ * \param x2 Slice with bit 2 of all nibbles.
+ * \param x3 Slice with bit 3 of all nibbles.
+ *
+ * This bit-sliced S-box implementation is based on the AVR version
+ * "add_avr8_bitslice_asm" from the PHOTON-Beetle reference code.
+ */
+#define photon256_sbox(x0, x1, x2, x3) \
+ do { \
+ x1 ^= x2; \
+ x3 ^= (x2 & x1); \
+ t1 = x3; \
+ x3 = (x3 & x1) ^ x2; \
+ t2 = x3; \
+ x3 ^= x0; \
+ x3 = ~(x3); \
+ x2 = x3; \
+ t2 |= x0; \
+ x0 ^= t1; \
+ x1 ^= x0; \
+ x2 |= x1; \
+ x2 ^= t1; \
+ x1 ^= t2; \
+ x3 ^= x1; \
+ } while (0)
+
+/**
+ * \brief Performs a field multiplication on the 8 nibbles in a row.
+ *
+ * \param a Field constant to multiply by.
+ * \param x Bit-sliced form of the row, with bits 0..3 of each nibble
+ * in bytes 0..3 of the word.
+ *
+ * \return a * x packed into the bytes of a word.
+ */
+static uint32_t photon256_field_multiply(uint8_t a, uint32_t x)
+{
+ /* For each 4-bit nibble we need to do this:
+ *
+ * result = 0;
+ * for (bit = 0; bit < 4; ++ bit) {
+ * if ((a & (1 << bit)) != 0)
+ * result ^= x;
+ * if ((x & 0x08) != 0) {
+ * x = (x << 1) ^ 3;
+ * } else {
+ * x = (x << 1);
+ * }
+ * }
+ *
+ * We don't need to worry about constant time for "a" because it is a
+ * known constant that isn't data-dependent. But we do need to worry
+ * about constant time for "x" as it is data.
+ */
+ uint32_t result = 0;
+ uint32_t t;
+ #define PARALLEL_CONDITIONAL_ADD(bit) \
+ do { \
+ if ((a) & (1 << (bit))) \
+ result ^= x; \
+ } while (0)
+ #define PARALELL_ROTATE() \
+ do { \
+ t = x >> 24; \
+ x = (x << 8) ^ t ^ (t << 8); \
+ } while (0)
+ PARALLEL_CONDITIONAL_ADD(0);
+ PARALELL_ROTATE();
+ PARALLEL_CONDITIONAL_ADD(1);
+ PARALELL_ROTATE();
+ PARALLEL_CONDITIONAL_ADD(2);
+ PARALELL_ROTATE();
+ PARALLEL_CONDITIONAL_ADD(3);
+ return result;
+}
+
+/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */
+#define bit_permute_step(_y, mask, shift) \
+ do { \
+ uint32_t y = (_y); \
+ uint32_t t = ((y >> (shift)) ^ y) & (mask); \
+ (_y) = (y ^ t) ^ (t << (shift)); \
+ } while (0)
+
+/**
+ * \brief Converts a PHOTON-256 state into bit-sliced form.
+ *
+ * \param out Points to the converted output.
+ * \param in Points to the PHOTON-256 state to convert.
+ */
+static void photon256_to_sliced
+ (uint32_t out[PHOTON256_STATE_SIZE / 4],
+ const unsigned char in[PHOTON256_STATE_SIZE])
+{
+ /* We first scatter bits 0..3 of the nibbles to bytes 0..3 of the words.
+ * Then we rearrange the bytes to group all bits N into word N.
+ *
+ * Permutation generated with "http://programming.sirrida.de/calcperm.php".
+ *
+ * P = [0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27
+ * 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31]
+ */
+ uint32_t t0, t1, t2, t3;
+ #define TO_BITSLICED_PERM(x) \
+ do { \
+ bit_permute_step(x, 0x0a0a0a0a, 3); \
+ bit_permute_step(x, 0x00cc00cc, 6); \
+ bit_permute_step(x, 0x0000f0f0, 12); \
+ bit_permute_step(x, 0x0000ff00, 8); \
+ } while (0)
+ #define FROM_BITSLICED_PERM(x) \
+ do { \
+ bit_permute_step(x, 0x00aa00aa, 7); \
+ bit_permute_step(x, 0x0000cccc, 14); \
+ bit_permute_step(x, 0x00f000f0, 4); \
+ bit_permute_step(x, 0x0000ff00, 8); \
+ } while (0)
+ t0 = le_load_word32(in);
+ t1 = le_load_word32(in + 4);
+ t2 = le_load_word32(in + 8);
+ t3 = le_load_word32(in + 12);
+ TO_BITSLICED_PERM(t0);
+ TO_BITSLICED_PERM(t1);
+ TO_BITSLICED_PERM(t2);
+ TO_BITSLICED_PERM(t3);
+ out[0] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) |
+ ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U);
+ out[1] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) |
+ ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U);
+ out[2] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) |
+ (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U);
+ out[3] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) |
+ ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U);
+ t0 = le_load_word32(in + 16);
+ t1 = le_load_word32(in + 20);
+ t2 = le_load_word32(in + 24);
+ t3 = le_load_word32(in + 28);
+ TO_BITSLICED_PERM(t0);
+ TO_BITSLICED_PERM(t1);
+ TO_BITSLICED_PERM(t2);
+ TO_BITSLICED_PERM(t3);
+ out[4] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) |
+ ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U);
+ out[5] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) |
+ ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U);
+ out[6] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) |
+ (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U);
+ out[7] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) |
+ ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U);
+}
+
+/**
+ * \brief Converts a PHOTON-256 state from bit-sliced form.
+ *
+ * \param out Points to the converted output.
+ * \param in Points to the PHOTON-256 state to convert.
+ */
+static void photon256_from_sliced
+ (unsigned char out[PHOTON256_STATE_SIZE],
+ const unsigned char in[PHOTON256_STATE_SIZE])
+{
+ /* Do the reverse of photon256_to_sliced() */
+ uint32_t x0, x1, x2, x3;
+ x0 = ((uint32_t)(in[0])) |
+ (((uint32_t)(in[4])) << 8) |
+ (((uint32_t)(in[8])) << 16) |
+ (((uint32_t)(in[12])) << 24);
+ x1 = ((uint32_t)(in[1])) |
+ (((uint32_t)(in[5])) << 8) |
+ (((uint32_t)(in[9])) << 16) |
+ (((uint32_t)(in[13])) << 24);
+ x2 = ((uint32_t)(in[2])) |
+ (((uint32_t)(in[6])) << 8) |
+ (((uint32_t)(in[10])) << 16) |
+ (((uint32_t)(in[14])) << 24);
+ x3 = ((uint32_t)(in[3])) |
+ (((uint32_t)(in[7])) << 8) |
+ (((uint32_t)(in[11])) << 16) |
+ (((uint32_t)(in[15])) << 24);
+ FROM_BITSLICED_PERM(x0);
+ FROM_BITSLICED_PERM(x1);
+ FROM_BITSLICED_PERM(x2);
+ FROM_BITSLICED_PERM(x3);
+ le_store_word32(out, x0);
+ le_store_word32(out + 4, x1);
+ le_store_word32(out + 8, x2);
+ le_store_word32(out + 12, x3);
+ x0 = ((uint32_t)(in[16])) |
+ (((uint32_t)(in[20])) << 8) |
+ (((uint32_t)(in[24])) << 16) |
+ (((uint32_t)(in[28])) << 24);
+ x1 = ((uint32_t)(in[17])) |
+ (((uint32_t)(in[21])) << 8) |
+ (((uint32_t)(in[25])) << 16) |
+ (((uint32_t)(in[29])) << 24);
+ x2 = ((uint32_t)(in[18])) |
+ (((uint32_t)(in[22])) << 8) |
+ (((uint32_t)(in[26])) << 16) |
+ (((uint32_t)(in[30])) << 24);
+ x3 = ((uint32_t)(in[19])) |
+ (((uint32_t)(in[23])) << 8) |
+ (((uint32_t)(in[27])) << 16) |
+ (((uint32_t)(in[31])) << 24);
+ FROM_BITSLICED_PERM(x0);
+ FROM_BITSLICED_PERM(x1);
+ FROM_BITSLICED_PERM(x2);
+ FROM_BITSLICED_PERM(x3);
+ le_store_word32(out + 16, x0);
+ le_store_word32(out + 20, x1);
+ le_store_word32(out + 24, x2);
+ le_store_word32(out + 28, x3);
+}
+
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+/* Index the bit-sliced state bytes in little-endian byte order */
+#define READ_ROW0() \
+ (((uint32_t)(S.bytes[0])) | \
+ (((uint32_t)(S.bytes[4])) << 8) | \
+ (((uint32_t)(S.bytes[8])) << 16) | \
+ (((uint32_t)(S.bytes[12])) << 24))
+#define READ_ROW1() \
+ (((uint32_t)(S.bytes[1])) | \
+ (((uint32_t)(S.bytes[5])) << 8) | \
+ (((uint32_t)(S.bytes[9])) << 16) | \
+ (((uint32_t)(S.bytes[13])) << 24))
+#define READ_ROW2() \
+ (((uint32_t)(S.bytes[2])) | \
+ (((uint32_t)(S.bytes[6])) << 8) | \
+ (((uint32_t)(S.bytes[10])) << 16) | \
+ (((uint32_t)(S.bytes[14])) << 24))
+#define READ_ROW3() \
+ (((uint32_t)(S.bytes[3])) | \
+ (((uint32_t)(S.bytes[7])) << 8) | \
+ (((uint32_t)(S.bytes[11])) << 16) | \
+ (((uint32_t)(S.bytes[15])) << 24))
+#define READ_ROW4() \
+ (((uint32_t)(S.bytes[16])) | \
+ (((uint32_t)(S.bytes[20])) << 8) | \
+ (((uint32_t)(S.bytes[24])) << 16) | \
+ (((uint32_t)(S.bytes[28])) << 24))
+#define READ_ROW5() \
+ (((uint32_t)(S.bytes[17])) | \
+ (((uint32_t)(S.bytes[21])) << 8) | \
+ (((uint32_t)(S.bytes[25])) << 16) | \
+ (((uint32_t)(S.bytes[29])) << 24))
+#define READ_ROW6() \
+ (((uint32_t)(S.bytes[18])) | \
+ (((uint32_t)(S.bytes[22])) << 8) | \
+ (((uint32_t)(S.bytes[26])) << 16) | \
+ (((uint32_t)(S.bytes[30])) << 24))
+#define READ_ROW7() \
+ (((uint32_t)(S.bytes[19])) | \
+ (((uint32_t)(S.bytes[23])) << 8) | \
+ (((uint32_t)(S.bytes[27])) << 16) | \
+ (((uint32_t)(S.bytes[31])) << 24))
+#define WRITE_ROW(row, value) \
+ do { \
+ if ((row) < 4) { \
+ S.bytes[(row)] = (uint8_t)(value); \
+ S.bytes[(row) + 4] = (uint8_t)((value) >> 8); \
+ S.bytes[(row) + 8] = (uint8_t)((value) >> 16); \
+ S.bytes[(row) + 12] = (uint8_t)((value) >> 24); \
+ } else { \
+ S.bytes[(row) + 12] = (uint8_t)(value); \
+ S.bytes[(row) + 16] = (uint8_t)((value) >> 8); \
+ S.bytes[(row) + 20] = (uint8_t)((value) >> 16); \
+ S.bytes[(row) + 24] = (uint8_t)((value) >> 24); \
+ } \
+ } while (0)
+#else
+/* Index the bit-sliced state bytes in big-endian byte order */
+#define READ_ROW0() \
+ (((uint32_t)(S.bytes[3])) | \
+ (((uint32_t)(S.bytes[7])) << 8) | \
+ (((uint32_t)(S.bytes[11])) << 16) | \
+ (((uint32_t)(S.bytes[15])) << 24))
+#define READ_ROW1() \
+ (((uint32_t)(S.bytes[2])) | \
+ (((uint32_t)(S.bytes[6])) << 8) | \
+ (((uint32_t)(S.bytes[10])) << 16) | \
+ (((uint32_t)(S.bytes[14])) << 24))
+#define READ_ROW2() \
+ (((uint32_t)(S.bytes[1])) | \
+ (((uint32_t)(S.bytes[5])) << 8) | \
+ (((uint32_t)(S.bytes[9])) << 16) | \
+ (((uint32_t)(S.bytes[13])) << 24))
+#define READ_ROW3() \
+ (((uint32_t)(S.bytes[0])) | \
+ (((uint32_t)(S.bytes[4])) << 8) | \
+ (((uint32_t)(S.bytes[8])) << 16) | \
+ (((uint32_t)(S.bytes[12])) << 24))
+#define READ_ROW4() \
+ (((uint32_t)(S.bytes[19])) | \
+ (((uint32_t)(S.bytes[23])) << 8) | \
+ (((uint32_t)(S.bytes[27])) << 16) | \
+ (((uint32_t)(S.bytes[31])) << 24))
+#define READ_ROW5() \
+ (((uint32_t)(S.bytes[18])) | \
+ (((uint32_t)(S.bytes[22])) << 8) | \
+ (((uint32_t)(S.bytes[26])) << 16) | \
+ (((uint32_t)(S.bytes[30])) << 24))
+#define READ_ROW6() \
+ (((uint32_t)(S.bytes[17])) | \
+ (((uint32_t)(S.bytes[21])) << 8) | \
+ (((uint32_t)(S.bytes[25])) << 16) | \
+ (((uint32_t)(S.bytes[29])) << 24))
+#define READ_ROW7() \
+ (((uint32_t)(S.bytes[16])) | \
+ (((uint32_t)(S.bytes[20])) << 8) | \
+ (((uint32_t)(S.bytes[24])) << 16) | \
+ (((uint32_t)(S.bytes[28])) << 24))
+#define WRITE_ROW(row, value) \
+ do { \
+ if ((row) < 4) { \
+ S.bytes[3 - (row)] = (uint8_t)(value); \
+ S.bytes[7 - (row)] = (uint8_t)((value) >> 8); \
+ S.bytes[11 - (row)] = (uint8_t)((value) >> 16); \
+ S.bytes[15 - (row)] = (uint8_t)((value) >> 24); \
+ } else { \
+ S.bytes[20 - (row)] = (uint8_t)(value); \
+ S.bytes[24 - (row)] = (uint8_t)((value) >> 8); \
+ S.bytes[28 - (row)] = (uint8_t)((value) >> 16); \
+ S.bytes[32 - (row)] = (uint8_t)((value) >> 24); \
+ } \
+ } while (0)
+#endif
+
+void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE])
+{
+ union {
+ uint32_t words[PHOTON256_STATE_SIZE / 4];
+ uint8_t bytes[PHOTON256_STATE_SIZE];
+ } S;
+ uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8;
+ uint8_t round;
+
+ /* Convert the state into bit-sliced form */
+ photon256_to_sliced(S.words, state);
+
+ /* Perform all 12 permutation rounds */
+ for (round = 0; round < PHOTON256_ROUNDS; ++round) {
+ /* Add the constants for this round */
+ t0 = photon256_rc[round];
+ S.words[0] ^= t0 & 0x01010101U;
+ t0 >>= 1;
+ S.words[1] ^= t0 & 0x01010101U;
+ t0 >>= 1;
+ S.words[2] ^= t0 & 0x01010101U;
+ t0 >>= 1;
+ S.words[3] ^= t0 & 0x01010101U;
+ t0 >>= 1;
+ S.words[4] ^= t0 & 0x01010101U;
+ t0 >>= 1;
+ S.words[5] ^= t0 & 0x01010101U;
+ t0 >>= 1;
+ S.words[6] ^= t0 & 0x01010101U;
+ t0 >>= 1;
+ S.words[7] ^= t0 & 0x01010101U;
+
+ /* Apply the sbox to all nibbles in the state */
+ photon256_sbox(S.words[0], S.words[1], S.words[2], S.words[3]);
+ photon256_sbox(S.words[4], S.words[5], S.words[6], S.words[7]);
+
+ /* Rotate all rows left by the row number.
+ *
+ * We do this by applying permutations to the top and bottom words
+ * to rearrange the bits into the rotated form. Permutations
+ * generated with "http://programming.sirrida.de/calcperm.php".
+ *
+ * P_top = [0 1 2 3 4 5 6 7 15 8 9 10 11 12 13 14 22 23
+ * 16 17 18 19 20 21 29 30 31 24 25 26 27 28]
+ * P_bot = [4 5 6 7 0 1 2 3 11 12 13 14 15 8 9 10 18 19
+ * 20 21 22 23 16 17 25 26 27 28 29 30 31 24
+ */
+ #define TOP_ROTATE_PERM(x) \
+ do { \
+ t1 = (x); \
+ bit_permute_step(t1, 0x07030100, 4); \
+ bit_permute_step(t1, 0x22331100, 2); \
+ bit_permute_step(t1, 0x55005500, 1); \
+ (x) = t1; \
+ } while (0)
+ #define BOTTOM_ROTATE_PERM(x) \
+ do { \
+ t1 = (x); \
+ bit_permute_step(t1, 0x080c0e0f, 4); \
+ bit_permute_step(t1, 0x22331100, 2); \
+ bit_permute_step(t1, 0x55005500, 1); \
+ (x) = t1; \
+ } while (0)
+ TOP_ROTATE_PERM(S.words[0]);
+ TOP_ROTATE_PERM(S.words[1]);
+ TOP_ROTATE_PERM(S.words[2]);
+ TOP_ROTATE_PERM(S.words[3]);
+ BOTTOM_ROTATE_PERM(S.words[4]);
+ BOTTOM_ROTATE_PERM(S.words[5]);
+ BOTTOM_ROTATE_PERM(S.words[6]);
+ BOTTOM_ROTATE_PERM(S.words[7]);
+
+ /* Mix the columns */
+ #define MUL(a, x) (photon256_field_multiply((a), (x)))
+ t0 = READ_ROW0();
+ t1 = READ_ROW1();
+ t2 = READ_ROW2();
+ t3 = READ_ROW3();
+ t4 = READ_ROW4();
+ t5 = READ_ROW5();
+ t6 = READ_ROW6();
+ t7 = READ_ROW7();
+ t8 = MUL(0x02, t0) ^ MUL(0x04, t1) ^ MUL(0x02, t2) ^ MUL(0x0b, t3) ^
+ MUL(0x02, t4) ^ MUL(0x08, t5) ^ MUL(0x05, t6) ^ MUL(0x06, t7);
+ WRITE_ROW(0, t8);
+ t8 = MUL(0x0c, t0) ^ MUL(0x09, t1) ^ MUL(0x08, t2) ^ MUL(0x0d, t3) ^
+ MUL(0x07, t4) ^ MUL(0x07, t5) ^ MUL(0x05, t6) ^ MUL(0x02, t7);
+ WRITE_ROW(1, t8);
+ t8 = MUL(0x04, t0) ^ MUL(0x04, t1) ^ MUL(0x0d, t2) ^ MUL(0x0d, t3) ^
+ MUL(0x09, t4) ^ MUL(0x04, t5) ^ MUL(0x0d, t6) ^ MUL(0x09, t7);
+ WRITE_ROW(2, t8);
+ t8 = MUL(0x01, t0) ^ MUL(0x06, t1) ^ MUL(0x05, t2) ^ MUL(0x01, t3) ^
+ MUL(0x0c, t4) ^ MUL(0x0d, t5) ^ MUL(0x0f, t6) ^ MUL(0x0e, t7);
+ WRITE_ROW(3, t8);
+ t8 = MUL(0x0f, t0) ^ MUL(0x0c, t1) ^ MUL(0x09, t2) ^ MUL(0x0d, t3) ^
+ MUL(0x0e, t4) ^ MUL(0x05, t5) ^ MUL(0x0e, t6) ^ MUL(0x0d, t7);
+ WRITE_ROW(4, t8);
+ t8 = MUL(0x09, t0) ^ MUL(0x0e, t1) ^ MUL(0x05, t2) ^ MUL(0x0f, t3) ^
+ MUL(0x04, t4)
^ MUL(0x0c, t5) ^ MUL(0x09, t6) ^ MUL(0x06, t7); + WRITE_ROW(5, t8); + t8 = MUL(0x0c, t0) ^ MUL(0x02, t1) ^ MUL(0x02, t2) ^ MUL(0x0a, t3) ^ + MUL(0x03, t4) ^ MUL(0x01, t5) ^ MUL(0x01, t6) ^ MUL(0x0e, t7); + WRITE_ROW(6, t8); + t8 = MUL(0x0f, t0) ^ MUL(0x01, t1) ^ MUL(0x0d, t2) ^ MUL(0x0a, t3) ^ + MUL(0x05, t4) ^ MUL(0x0a, t5) ^ MUL(0x02, t6) ^ MUL(0x03, t7); + WRITE_ROW(7, t8); + } + + /* Convert back from bit-sliced form to regular form */ + photon256_from_sliced(state, S.bytes); +} diff --git a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/internal-gimli24.h b/orange/Implementations/crypto_hash/orangishv1/rhys/internal-photon256.h similarity index 73% rename from gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/internal-gimli24.h rename to orange/Implementations/crypto_hash/orangishv1/rhys/internal-photon256.h index c81ead1..ce8729a 100644 --- a/gimli/Implementations/crypto_hash/gimli24v1/rhys-avr/internal-gimli24.h +++ b/orange/Implementations/crypto_hash/orangishv1/rhys/internal-photon256.h @@ -20,16 +20,15 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LW_INTERNAL_GIMLI24_H -#define LW_INTERNAL_GIMLI24_H - -#include "internal-util.h" +#ifndef LW_INTERNAL_PHOTON256_H +#define LW_INTERNAL_PHOTON256_H /** - * \file internal-gimli24.h - * \brief Internal implementation of the GIMLI-24 permutation. + * \file internal-photon256.h + * \brief Internal implementation of the PHOTON-256 permutation. * - * References: https://gimli.cr.yp.to/ + * Warning: The current implementation of PHOTON-256 is constant-time + * but not constant-cache. */ #ifdef __cplusplus 
@@ -37,13 +36,16 @@ extern "C" { #endif /** - * \brief Permutes the GIMLI-24 state. - * - * \param state The GIMLI-24 state to be permuted. + * \brief Size of the PHOTON-256 permutation state in bytes. + */ +#define PHOTON256_STATE_SIZE 32 + +/** + * \brief Permutes the PHOTON-256 state. * - * The input and output \a state will be in little-endian byte order. + * \param state The state to be permuted. */ -void gimli24_permute(uint32_t state[12]); +void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]); #ifdef __cplusplus } diff --git a/drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/internal-util.h b/orange/Implementations/crypto_hash/orangishv1/rhys/internal-util.h similarity index 100% rename from drygascon/Implementations/crypto_aead/drygascon128/rhys-avr/internal-util.h rename to orange/Implementations/crypto_hash/orangishv1/rhys/internal-util.h diff --git a/orange/Implementations/crypto_hash/orangishv1/rhys/orange.c b/orange/Implementations/crypto_hash/orangishv1/rhys/orange.c new file mode 100644 index 0000000..641e117 --- /dev/null +++ b/orange/Implementations/crypto_hash/orangishv1/rhys/orange.c 
@@ -0,0 +1,384 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "orange.h" +#include "internal-photon256.h" +#include "internal-util.h" +#include + +aead_cipher_t const orange_zest_cipher = { + "ORANGE-Zest", + ORANGE_ZEST_KEY_SIZE, + ORANGE_ZEST_NONCE_SIZE, + ORANGE_ZEST_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + orange_zest_aead_encrypt, + orange_zest_aead_decrypt +}; + +aead_hash_algorithm_t const orangish_hash_algorithm = { + "ORANGISH", + sizeof(int), + ORANGISH_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + orangish_hash, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \brief Doubles a block in the GF(128) field a number of times. + * + * \param block The block to be doubled. + * \param value The number of times to double the block. 
+ */ +static void orange_block_double(unsigned char block[16], unsigned char value) +{ + unsigned index; + unsigned char mask; + while (value > 0) { + mask = (unsigned char)(((signed char)(block[15])) >> 7); + for (index = 15; index > 0; --index) + block[index] = (block[index] << 1) | (block[index - 1] >> 7); + block[0] = (block[0] << 1) ^ (mask & 0x87); + --value; + } +} + +/** + * \brief Rotates a block left by 1 bit. + * + * \param out The output block to be set to the rotated version. + * \param in The input block to be rotated, must not overlap with \a out. + */ +static void orange_block_rotate + (unsigned char out[16], const unsigned char in[16]) +{ + unsigned index; + for (index = 15; index > 0; --index) + out[index] = (in[index] << 1) | (in[index - 1] >> 7); + out[0] = (in[0] << 1) | (in[15] >> 7); +} + +/** + * \brief Hash input data with ORANGE. + * + * \param state PHOTON-256 permutation state. + * \param data Points to the data to be hashed. + * \param len Length of the data to be hashed, must not be zero. + * \param domain0 Domain separation value for full last block. + * \param domain1 Domain separation value for partial last block. + */ +static void orange_process_hash + (unsigned char state[PHOTON256_STATE_SIZE], + const unsigned char *data, unsigned long long len, + unsigned char domain0, unsigned char domain1) +{ + unsigned temp; + while (len > PHOTON256_STATE_SIZE) { + photon256_permute(state); + lw_xor_block(state, data, PHOTON256_STATE_SIZE); + data += PHOTON256_STATE_SIZE; + len -= PHOTON256_STATE_SIZE; + } + photon256_permute(state); + temp = (unsigned)len; + if (temp < PHOTON256_STATE_SIZE) { + orange_block_double(state + 16, domain1); + state[temp] ^= 0x01; /* padding */ + } else { + orange_block_double(state + 16, domain0); + } + lw_xor_block(state, data, temp); +} + +/** + * \brief Applies the rho function to the ORANGE state. + * + * \param KS Output keystream to use to encrypt the plaintext or to + * decrypt the ciphertext. 
+ * \param S Rolling key state. + * \param state Rolling PHOTON-256 permutation state. + */ +static void orange_rho + (unsigned char KS[32], unsigned char S[16], const unsigned char state[32]) +{ + orange_block_double(S, 1); + orange_block_rotate(KS, state); + lw_xor_block_2_src(KS + 16, state + 16, S, 16); + memcpy(S, state + 16, 16); +} + +/** + * \brief Encrypts plaintext with ORANGE. + * + * \param state PHOTON-256 permutation state. + * \param k Points to the key for the cipher. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param len Length of the plaintext in bytes, must not be zero. + */ +static void orange_encrypt + (unsigned char state[PHOTON256_STATE_SIZE], const unsigned char *k, + unsigned char *c, const unsigned char *m, unsigned long long len) +{ + unsigned char S[ORANGE_ZEST_KEY_SIZE]; + unsigned char KS[PHOTON256_STATE_SIZE]; + unsigned temp; + memcpy(S, k, ORANGE_ZEST_KEY_SIZE); + while (len > PHOTON256_STATE_SIZE) { + photon256_permute(state); + orange_rho(KS, S, state); + lw_xor_block_2_src(c, m, KS, PHOTON256_STATE_SIZE); + lw_xor_block(state, c, PHOTON256_STATE_SIZE); + c += PHOTON256_STATE_SIZE; + m += PHOTON256_STATE_SIZE; + len -= PHOTON256_STATE_SIZE; + } + photon256_permute(state); + temp = (unsigned)len; + if (temp < PHOTON256_STATE_SIZE) { + orange_block_double(state + 16, 2); + orange_rho(KS, S, state); + lw_xor_block_2_src(c, m, KS, temp); + lw_xor_block(state, c, temp); + state[temp] ^= 0x01; /* padding */ + } else { + orange_block_double(state + 16, 1); + orange_rho(KS, S, state); + lw_xor_block_2_src(c, m, KS, PHOTON256_STATE_SIZE); + lw_xor_block(state, c, PHOTON256_STATE_SIZE); + } +} + +/** + * \brief Decrypts ciphertext with ORANGE. + * + * \param state PHOTON-256 permutation state. + * \param k Points to the key for the cipher. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. 
+ * \param len Length of the plaintext in bytes, must not be zero. + */ +static void orange_decrypt + (unsigned char state[PHOTON256_STATE_SIZE], const unsigned char *k, + unsigned char *m, const unsigned char *c, unsigned long long len) +{ + unsigned char S[ORANGE_ZEST_KEY_SIZE]; + unsigned char KS[PHOTON256_STATE_SIZE]; + unsigned temp; + memcpy(S, k, ORANGE_ZEST_KEY_SIZE); + while (len > PHOTON256_STATE_SIZE) { + photon256_permute(state); + orange_rho(KS, S, state); + lw_xor_block(state, c, PHOTON256_STATE_SIZE); + lw_xor_block_2_src(m, c, KS, PHOTON256_STATE_SIZE); + c += PHOTON256_STATE_SIZE; + m += PHOTON256_STATE_SIZE; + len -= PHOTON256_STATE_SIZE; + } + photon256_permute(state); + temp = (unsigned)len; + if (temp < PHOTON256_STATE_SIZE) { + orange_block_double(state + 16, 2); + orange_rho(KS, S, state); + lw_xor_block(state, c, temp); + lw_xor_block_2_src(m, c, KS, temp); + state[temp] ^= 0x01; /* padding */ + } else { + orange_block_double(state + 16, 1); + orange_rho(KS, S, state); + lw_xor_block(state, c, PHOTON256_STATE_SIZE); + lw_xor_block_2_src(m, c, KS, PHOTON256_STATE_SIZE); + } +} + +/** + * \brief Generates the authentication tag for ORANGE-Zest. + * + * \param state PHOTON-256 permutation state. + * + * The tag will be left in the leading bytes of the state on exit. 
+ */ +static void orange_generate_tag(unsigned char state[PHOTON256_STATE_SIZE]) +{ + /* Swap the two halves of the state and run the permutation again */ + unsigned posn; + for (posn = 0; posn < (PHOTON256_STATE_SIZE / 2); ++posn) { + unsigned char temp = state[posn]; + state[posn] = state[posn + (PHOTON256_STATE_SIZE / 2)]; + state[posn + (PHOTON256_STATE_SIZE / 2)] = temp; + } + photon256_permute(state); +} + +int orange_zest_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + ORANGE_ZEST_TAG_SIZE; + + /* Initialize the PHOTON-256 state with the nonce and key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Handle the associated data and message payload */ + if (adlen == 0) { + if (mlen == 0) { + state[16] ^= 2; /* domain separation */ + photon256_permute(state); + memcpy(c + mlen, state, ORANGE_ZEST_TAG_SIZE); + return 0; + } else { + state[16] ^= 1; /* domain separation */ + orange_encrypt(state, k, c, m, mlen); + } + } else { + orange_process_hash(state, ad, adlen, 1, 2); + if (mlen != 0) + orange_encrypt(state, k, c, m, mlen); + } + + /* Generate the authentication tag */ + orange_generate_tag(state); + memcpy(c + mlen, state, ORANGE_ZEST_TAG_SIZE); + return 0; +} + +int orange_zest_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < ORANGE_ZEST_TAG_SIZE) + return -1; + *mlen = clen - 
ORANGE_ZEST_TAG_SIZE; + + /* Initialize the PHOTON-256 state with the nonce and key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Handle the associated data and message payload */ + clen -= ORANGE_ZEST_TAG_SIZE; + if (adlen == 0) { + if (clen == 0) { + state[16] ^= 2; /* domain separation */ + photon256_permute(state); + return aead_check_tag(m, 0, state, c, ORANGE_ZEST_TAG_SIZE); + } else { + state[16] ^= 1; /* domain separation */ + orange_decrypt(state, k, m, c, clen); + } + } else { + orange_process_hash(state, ad, adlen, 1, 2); + if (clen != 0) + orange_decrypt(state, k, m, c, clen); + } + + /* Check the authentication tag */ + orange_generate_tag(state); + return aead_check_tag(m, clen, state, c + clen, ORANGE_ZEST_TAG_SIZE); +} + +/** + * \brief Rate of absorbing data into the ORANGISH hash state. + */ +#define ORANGISH_RATE 16 + +int orangish_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + unsigned temp; + memset(state, 0, sizeof(state)); + if (inlen == 0) { + /* No absorption necessary for a zero-length input */ + } else if (inlen < ORANGISH_RATE) { + /* Single partial block */ + temp = (unsigned)inlen; + memcpy(state, in, temp); + state[temp] ^= 0x01; /* padding */ + photon256_permute(state); + lw_xor_block(state + 16, in, temp); + state[16 + temp] ^= 0x01; /* padding */ + state[0] ^= 0x02; /* domain separation */ + } else if (inlen == ORANGISH_RATE) { + /* Single full block */ + memcpy(state, in, ORANGISH_RATE); + photon256_permute(state); + lw_xor_block(state + 16, in, ORANGISH_RATE); + state[0] ^= 0x01; /* domain separation */ + } else { + /* Process double blocks until we run out */ + memcpy(state, in, ORANGISH_RATE); + photon256_permute(state); + lw_xor_block(state + 16, in, ORANGISH_RATE); + in += ORANGISH_RATE; + inlen -= ORANGISH_RATE; + while (inlen > ORANGISH_RATE) { + lw_xor_block(state, in, ORANGISH_RATE); + photon256_permute(state); + 
lw_xor_block(state + 16, in, ORANGISH_RATE); + in += ORANGISH_RATE; + inlen -= ORANGISH_RATE; + } + temp = (unsigned)inlen; + if (temp < ORANGISH_RATE) { + /* Last double block is partial */ + lw_xor_block(state, in, temp); + state[temp] ^= 0x01; /* padding */ + photon256_permute(state); + lw_xor_block(state + 16, in, temp); + state[16 + temp] ^= 0x01; /* padding */ + state[0] ^= 0x02; /* domain separation */ + } else { + /* Last double block is full */ + lw_xor_block(state, in, ORANGISH_RATE); + photon256_permute(state); + lw_xor_block(state + 16, in, ORANGISH_RATE); + state[0] ^= 0x01; /* domain separation */ + } + } + photon256_permute(state); + memcpy(out, state, 16); + photon256_permute(state); + memcpy(out + 16, state, 16); + return 0; +} diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/estate.h b/orange/Implementations/crypto_hash/orangishv1/rhys/orange.h similarity index 68% rename from estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/estate.h rename to orange/Implementations/crypto_hash/orangishv1/rhys/orange.h index d38ee16..de5b00c 100644 --- a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/estate.h +++ b/orange/Implementations/crypto_hash/orangishv1/rhys/orange.h 
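Review bot: orange_encrypt and orange_decrypt copy the key into the local `S` and expand the keystream into `KS`, and orange_zest_aead_encrypt/decrypt hold key and nonce material in the local `state`, but none of these buffers is cleared before the function returns, so key-dependent bytes remain on the stack for whatever code runs next. If internal-util.h provides a secure-wipe helper, call it on `S`, `KS` and `state` on every return path; otherwise clear them through a volatile pointer, since a plain memset of a dead local may be elided, e.g. `volatile unsigned char *p = S; for (i = 0; i < sizeof S; ++i) p[i] = 0;` with a local `unsigned i`. Separately, orange_block_double derives its reduction mask with `((signed char)(block[15])) >> 7`, whose value for a negative operand is implementation-defined in C11 rather than guaranteed to be 0xFF; `mask = (unsigned char)(0U - (unsigned)(block[15] >> 7));` yields the same 0x00/0xFF mask portably.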
@@ -20,31 +20,23 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LWCRYPTO_ESTATE_H -#define LWCRYPTO_ESTATE_H +#ifndef LWCRYPTO_ORANGE_H +#define LWCRYPTO_ORANGE_H #include "aead-common.h" /** - * \file estate.h - * \brief ESTATE authenticated encryption algorithm. + * \file orange.h + * \brief ORANGE authenticated encryption algorithm. * - * ESTATE_TweGIFT-128 is an authenticated encryption algorithm with a - * 128-bit key, a 128-bit nonce, and a 128-bit tag. It is a two-pass - * algorithm that is built around a tweaked version of the GIFT-128 block - * cipher, the FCBC authentication mode, and the OFB encryption mode. + * ORANGE is a family of algorithms built around the PHOTON-256 permutation. + * There are two members of the family at present: * - * ESTATE is resistant against nonce reuse as long as the combination - * of the associated data and plaintext is unique. + * \li ORANGE-Zest is an authenticated encryption algorithm with a 128-bit + * key, a 128-bit nonce, and a 128-bit tag. + * \li ORANGISH is a hash algorithm with a 256-bit output. * - * If a nonce is reused then two packets with the same nonce, associated data, - * and plaintext will encrypt to the same ciphertext. This will leak that - * the same plaintext has been sent for a second time but will not reveal - * the plaintext itself. - * - * The ESTATE family also includes variants build around tweaked versions - * of the AES block cipher. We do not implement those variants in this - * library. + * References: https://www.isical.ac.in/~lightweight/Orange/ */ #ifdef __cplusplus 
@@ -52,27 +44,37 @@ extern "C" { #endif /** - * \brief Size of the key for ESTATE_TweGIFT-128. + * \brief Size of the key for ORANGE-Zest. + */ +#define ORANGE_ZEST_KEY_SIZE 16 + +/** + * \brief Size of the authentication tag for ORANGE-Zest. + */ +#define ORANGE_ZEST_TAG_SIZE 16 + +/** + * \brief Size of the nonce for ORANGE-Zest. */ -#define ESTATE_TWEGIFT_KEY_SIZE 16 +#define ORANGE_ZEST_NONCE_SIZE 16 /** - * \brief Size of the authentication tag for ESTATE_TweGIFT-128. + * \brief Size of the hash output for the ORANGISH hash algorithm. */ -#define ESTATE_TWEGIFT_TAG_SIZE 16 +#define ORANGISH_HASH_SIZE 32 /** - * \brief Size of the nonce for ESTATE_TweGIFT-128. + * \brief Meta-information block for the ORANGE-Zest cipher. */ -#define ESTATE_TWEGIFT_NONCE_SIZE 16 +extern aead_cipher_t const orange_zest_cipher; /** - * \brief Meta-information block for the ESTATE_TweGIFT-128 cipher. + * \brief Meta-information block for the ORANGISH hash algorithm. */ -extern aead_cipher_t const estate_twegift_cipher; +extern aead_hash_algorithm_t const orangish_hash_algorithm; /** - * \brief Encrypts and authenticates a packet with ESTATE_TweGIFT-128. + * \brief Encrypts and authenticates a packet with ORANGE-Zest. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes @@ -90,9 +92,9 @@ extern aead_cipher_t const estate_twegift_cipher; * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa estate_twegift_aead_decrypt() + * \sa orange_zest_aead_decrypt() */ -int estate_twegift_aead_encrypt +int orange_zest_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, 
@@ -101,7 +103,7 @@ int estate_twegift_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with ESTATE_TweGIFT-128. + * \brief Decrypts and authenticates a packet with ORANGE-Zest. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -120,9 +122,9 @@ int estate_twegift_aead_encrypt * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa estate_twegift_aead_encrypt() + * \sa orange_zest_aead_encrypt() */ -int estate_twegift_aead_decrypt +int orange_zest_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -130,6 +132,20 @@ int estate_twegift_aead_decrypt const unsigned char *npub, const unsigned char *k); +/** + * \brief Hashes a block of input data with ORANGISH to generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * ORANGISH_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. + */ +int orangish_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); + #ifdef __cplusplus } #endif diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/aead-common.c b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/aead-common.h b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/api.h b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/api.h
deleted file mode 100644
index bd8cdcb..0000000
--- a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 8
-#define CRYPTO_ABYTES 12
-#define CRYPTO_NOOVERLAP 1
diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/encrypt.c b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/encrypt.c
deleted file mode 100644
index 681e037..0000000
--- a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "oribatida.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return oribatida_192_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return oribatida_192_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/internal-simp-avr.S b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/internal-simp-avr.S
deleted file mode 100644
index 65fba20..0000000
--- a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/internal-simp-avr.S
+++ /dev/null
@@ -1,949 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global simp_256_permute - .type simp_256_permute, @function -simp_256_permute: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ldi r23,245 - mov r10,r23 - ldi r17,14 - mov r11,r17 - ldi r16,44 - mov r12,r16 - ldi r23,25 - mov r13,r23 - ldi r23,133 - mov r14,r23 - ldi r23,248 - mov r15,r23 - ldi r24,105 - ldi r25,51 -14: - ldi r23,17 -16: - ldd r29,Z+16 - ldd r28,Z+17 - ldd r27,Z+18 - ldd r26,Z+19 - ldd r21,Z+20 - ldd r20,Z+21 - ldd r19,Z+22 - ldd r18,Z+23 - mov r2,r29 - mov r3,r18 - mov r4,r19 - mov r5,r20 - mov r6,r21 - mov r7,r26 - mov r8,r27 - mov r9,r28 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - rol r28 - rol r29 - adc r18,r1 - and r2,r18 - and r3,r19 - and r4,r20 - and r5,r21 - and r6,r26 - and r7,r27 - and r8,r28 - and r9,r29 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - rol r28 - rol r29 - adc r18,r1 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - eor r6,r26 - eor r7,r27 - eor r8,r28 - eor r9,r29 - ldd r0,Z+8 - eor r9,r0 - ldd r0,Z+9 - eor r8,r0 - ldd r0,Z+10 - eor r7,r0 - ldd r0,Z+11 - eor r6,r0 - ldd r0,Z+12 - eor r5,r0 - ldd r0,Z+13 - eor r4,r0 - ldd r0,Z+14 - eor r3,r0 - ldd r0,Z+15 - eor r2,r0 - ldd r0,Z+24 - eor r0,r9 - std Z+24,r0 - ldd r0,Z+25 - eor r0,r8 - std Z+25,r0 - ldd r0,Z+26 - eor r0,r7 - std Z+26,r0 - ldd r0,Z+27 - eor r0,r6 - std Z+27,r0 - ldd r0,Z+28 - eor r0,r5 - std Z+28,r0 - ldd r0,Z+29 - eor r0,r4 - std Z+29,r0 - ldd r0,Z+30 - eor r0,r3 - std Z+30,r0 - ldd r0,Z+31 - eor r0,r2 - std Z+31,r0 - ld r29,Z - ldd r28,Z+1 - ldd r27,Z+2 - ldd r26,Z+3 - ldd r21,Z+4 - ldd r20,Z+5 - ldd r19,Z+6 - ldd r18,Z+7 - mov r0,r1 - lsr r29 - ror r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r29 - ror 
r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r29 - ror r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - or r29,r0 - movw r2,r18 - movw r4,r20 - movw r6,r26 - movw r8,r28 - bst r2,0 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r3 - ror r2 - bld r9,7 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - eor r26,r6 - eor r27,r7 - eor r28,r8 - eor r29,r9 - ldi r17,252 - eor r18,r17 - com r19 - com r20 - com r21 - com r26 - com r27 - com r28 - com r29 - mov r0,r1 - bst r10,0 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r11 - ror r10 - bld r25,5 - bld r0,0 - eor r18,r0 - ldd r0,Z+8 - eor r0,r29 - std Z+8,r0 - ldd r0,Z+9 - eor r0,r28 - std Z+9,r0 - ldd r0,Z+10 - eor r0,r27 - std Z+10,r0 - ldd r0,Z+11 - eor r0,r26 - std Z+11,r0 - ldd r0,Z+12 - eor r0,r21 - std Z+12,r0 - ldd r0,Z+13 - eor r0,r20 - std Z+13,r0 - ldd r0,Z+14 - eor r0,r19 - std Z+14,r0 - ldd r0,Z+15 - eor r0,r18 - std Z+15,r0 - ldd r9,Z+24 - ldd r8,Z+25 - ldd r7,Z+26 - ldd r6,Z+27 - ldd r5,Z+28 - ldd r4,Z+29 - ldd r3,Z+30 - ldd r2,Z+31 - mov r18,r9 - mov r19,r2 - mov r20,r3 - mov r21,r4 - mov r26,r5 - mov r27,r6 - mov r28,r7 - mov r29,r8 - lsl r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - adc r2,r1 - and r18,r2 - and r19,r3 - and r20,r4 - and r21,r5 - and r26,r6 - and r27,r7 - and r28,r8 - and r29,r9 - lsl r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - adc r2,r1 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - eor r26,r6 - eor r27,r7 - eor r28,r8 - eor r29,r9 - ld r0,Z - eor r29,r0 - ldd r0,Z+1 - eor r28,r0 - ldd r0,Z+2 - eor r27,r0 - ldd r0,Z+3 - eor r26,r0 - ldd r0,Z+4 - eor r21,r0 - ldd r0,Z+5 - eor r20,r0 - ldd r0,Z+6 - eor r19,r0 - ldd r0,Z+7 - eor r18,r0 - ldd r0,Z+16 - eor r0,r29 - std Z+16,r0 - ldd r0,Z+17 - eor r0,r28 - std Z+17,r0 - ldd r0,Z+18 - eor r0,r27 - std Z+18,r0 - ldd r0,Z+19 - eor r0,r26 - std Z+19,r0 - ldd r0,Z+20 - eor r0,r21 - std Z+20,r0 - ldd 
r0,Z+21 - eor r0,r20 - std Z+21,r0 - ldd r0,Z+22 - eor r0,r19 - std Z+22,r0 - ldd r0,Z+23 - eor r0,r18 - std Z+23,r0 - ldd r29,Z+8 - ldd r28,Z+9 - ldd r27,Z+10 - ldd r26,Z+11 - ldd r21,Z+12 - ldd r20,Z+13 - ldd r19,Z+14 - ldd r18,Z+15 - mov r0,r1 - lsr r29 - ror r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r29 - ror r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r29 - ror r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - or r29,r0 - movw r2,r18 - movw r4,r20 - movw r6,r26 - movw r8,r28 - bst r18,0 - lsr r29 - ror r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - bld r29,7 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - eor r6,r26 - eor r7,r27 - eor r8,r28 - eor r9,r29 - eor r2,r17 - com r3 - com r4 - com r5 - com r6 - com r7 - com r8 - com r9 - mov r0,r1 - bst r10,0 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r11 - ror r10 - bld r25,5 - bld r0,0 - eor r2,r0 - ld r0,Z - eor r0,r9 - st Z,r0 - ldd r0,Z+1 - eor r0,r8 - std Z+1,r0 - ldd r0,Z+2 - eor r0,r7 - std Z+2,r0 - ldd r0,Z+3 - eor r0,r6 - std Z+3,r0 - ldd r0,Z+4 - eor r0,r5 - std Z+4,r0 - ldd r0,Z+5 - eor r0,r4 - std Z+5,r0 - ldd r0,Z+6 - eor r0,r3 - std Z+6,r0 - ldd r0,Z+7 - eor r0,r2 - std Z+7,r0 - dec r23 - breq 5407f - rjmp 16b -5407: - dec r22 - brne 5409f - rjmp 475f -5409: - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r28,Z+6 - ldd r29,Z+7 - ldd r2,Z+16 - ldd r3,Z+17 - ldd r4,Z+18 - ldd r5,Z+19 - ldd r6,Z+20 - ldd r7,Z+21 - ldd r8,Z+22 - ldd r9,Z+23 - st Z,r2 - std Z+1,r3 - std Z+2,r4 - std Z+3,r5 - std Z+4,r6 - std Z+5,r7 - std Z+6,r8 - std Z+7,r9 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - std Z+20,r26 - std Z+21,r27 - std Z+22,r28 - std Z+23,r29 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r28,Z+14 - ldd r29,Z+15 - ldd r2,Z+24 - ldd r3,Z+25 - ldd r4,Z+26 - ldd 
r5,Z+27 - ldd r6,Z+28 - ldd r7,Z+29 - ldd r8,Z+30 - ldd r9,Z+31 - std Z+8,r2 - std Z+9,r3 - std Z+10,r4 - std Z+11,r5 - std Z+12,r6 - std Z+13,r7 - std Z+14,r8 - std Z+15,r9 - std Z+24,r18 - std Z+25,r19 - std Z+26,r20 - std Z+27,r21 - std Z+28,r26 - std Z+29,r27 - std Z+30,r28 - std Z+31,r29 - rjmp 14b -475: - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size simp_256_permute, .-simp_256_permute - - .text -.global simp_192_permute - .type simp_192_permute, @function -simp_192_permute: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ldi r25,245 - mov r8,r25 - ldi r24,14 - mov r9,r24 - ldi r23,44 - mov r10,r23 - ldi r17,25 - mov r11,r17 - ldi r16,133 - mov r12,r16 - ldi r23,248 - mov r13,r23 - ldi r23,105 - mov r14,r23 - ldi r23,51 - mov r15,r23 -16: - ldi r23,13 -18: - ldd r27,Z+12 - ldd r26,Z+13 - ldd r21,Z+14 - ldd r20,Z+15 - ldd r19,Z+16 - ldd r18,Z+17 - mov r2,r27 - mov r3,r18 - mov r4,r19 - mov r5,r20 - mov r6,r21 - mov r7,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - adc r18,r1 - and r2,r18 - and r3,r19 - and r4,r20 - and r5,r21 - and r6,r26 - and r7,r27 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - adc r18,r1 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - eor r6,r26 - eor r7,r27 - ldd r0,Z+6 - eor r7,r0 - ldd r0,Z+7 - eor r6,r0 - ldd r0,Z+8 - eor r5,r0 - ldd r0,Z+9 - eor r4,r0 - ldd r0,Z+10 - eor r3,r0 - ldd r0,Z+11 - eor r2,r0 - ldd r0,Z+18 - eor r0,r7 - std Z+18,r0 - ldd r0,Z+19 - eor r0,r6 - std Z+19,r0 - ldd r0,Z+20 - eor r0,r5 - std Z+20,r0 - ldd r0,Z+21 - eor r0,r4 - std Z+21,r0 - ldd r0,Z+22 - eor r0,r3 - std Z+22,r0 - ldd r0,Z+23 - eor r0,r2 - std Z+23,r0 - ld r27,Z - ldd r26,Z+1 - ldd r21,Z+2 - ldd r20,Z+3 - ldd r19,Z+4 
- ldd r18,Z+5 - mov r0,r1 - lsr r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - or r27,r0 - movw r2,r18 - movw r4,r20 - movw r6,r26 - bst r2,0 - lsr r7 - ror r6 - ror r5 - ror r4 - ror r3 - ror r2 - bld r7,7 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - eor r26,r6 - eor r27,r7 - ldi r25,252 - eor r18,r25 - com r19 - com r20 - com r21 - com r26 - com r27 - mov r0,r1 - bst r8,0 - lsr r15 - ror r14 - ror r13 - ror r12 - ror r11 - ror r10 - ror r9 - ror r8 - bld r15,5 - bld r0,0 - eor r18,r0 - ldd r0,Z+6 - eor r0,r27 - std Z+6,r0 - ldd r0,Z+7 - eor r0,r26 - std Z+7,r0 - ldd r0,Z+8 - eor r0,r21 - std Z+8,r0 - ldd r0,Z+9 - eor r0,r20 - std Z+9,r0 - ldd r0,Z+10 - eor r0,r19 - std Z+10,r0 - ldd r0,Z+11 - eor r0,r18 - std Z+11,r0 - ldd r7,Z+18 - ldd r6,Z+19 - ldd r5,Z+20 - ldd r4,Z+21 - ldd r3,Z+22 - ldd r2,Z+23 - mov r18,r7 - mov r19,r2 - mov r20,r3 - mov r21,r4 - mov r26,r5 - mov r27,r6 - lsl r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - adc r2,r1 - and r18,r2 - and r19,r3 - and r20,r4 - and r21,r5 - and r26,r6 - and r27,r7 - lsl r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - adc r2,r1 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - eor r26,r6 - eor r27,r7 - ld r0,Z - eor r27,r0 - ldd r0,Z+1 - eor r26,r0 - ldd r0,Z+2 - eor r21,r0 - ldd r0,Z+3 - eor r20,r0 - ldd r0,Z+4 - eor r19,r0 - ldd r0,Z+5 - eor r18,r0 - ldd r0,Z+12 - eor r0,r27 - std Z+12,r0 - ldd r0,Z+13 - eor r0,r26 - std Z+13,r0 - ldd r0,Z+14 - eor r0,r21 - std Z+14,r0 - ldd r0,Z+15 - eor r0,r20 - std Z+15,r0 - ldd r0,Z+16 - eor r0,r19 - std Z+16,r0 - ldd r0,Z+17 - eor r0,r18 - std Z+17,r0 - ldd r27,Z+6 - ldd r26,Z+7 - ldd r21,Z+8 - ldd r20,Z+9 - ldd r19,Z+10 - ldd r18,Z+11 - mov r0,r1 - lsr r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r27 - ror r26 
- ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - or r27,r0 - movw r2,r18 - movw r4,r20 - movw r6,r26 - bst r18,0 - lsr r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - bld r27,7 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - eor r6,r26 - eor r7,r27 - eor r2,r25 - com r3 - com r4 - com r5 - com r6 - com r7 - mov r0,r1 - bst r8,0 - lsr r15 - ror r14 - ror r13 - ror r12 - ror r11 - ror r10 - ror r9 - ror r8 - bld r15,5 - bld r0,0 - eor r2,r0 - ld r0,Z - eor r0,r7 - st Z,r0 - ldd r0,Z+1 - eor r0,r6 - std Z+1,r0 - ldd r0,Z+2 - eor r0,r5 - std Z+2,r0 - ldd r0,Z+3 - eor r0,r4 - std Z+3,r0 - ldd r0,Z+4 - eor r0,r3 - std Z+4,r0 - ldd r0,Z+5 - eor r0,r2 - std Z+5,r0 - dec r23 - breq 5323f - rjmp 18b -5323: - dec r22 - breq 375f - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+12 - ldd r3,Z+13 - ldd r4,Z+14 - ldd r5,Z+15 - ldd r6,Z+16 - ldd r7,Z+17 - st Z,r2 - std Z+1,r3 - std Z+2,r4 - std Z+3,r5 - std Z+4,r6 - std Z+5,r7 - std Z+12,r18 - std Z+13,r19 - std Z+14,r20 - std Z+15,r21 - std Z+16,r26 - std Z+17,r27 - ldd r18,Z+6 - ldd r19,Z+7 - ldd r20,Z+8 - ldd r21,Z+9 - ldd r26,Z+10 - ldd r27,Z+11 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - std Z+6,r2 - std Z+7,r3 - std Z+8,r4 - std Z+9,r5 - std Z+10,r6 - std Z+11,r7 - std Z+18,r18 - std Z+19,r19 - std Z+20,r20 - std Z+21,r21 - std Z+22,r26 - std Z+23,r27 - rjmp 16b -375: - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size simp_192_permute, .-simp_192_permute - -#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/internal-simp.c b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/internal-simp.c deleted file mode 100644 index 5d2144e..0000000 --- a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/internal-simp.c +++ /dev/null 
@@ -1,172 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-simp.h"
-
-#if !defined(__AVR__)
-
-/**
- * \brief Number of rounds for the inner block cipher within SimP-256.
- */
-#define SIMP_256_ROUNDS 34
-
-/**
- * \brief Number of rounds for the inner block cipher within SimP-192.
- */
-#define SIMP_192_ROUNDS 26
-
-/**
- * \brief Round constants for each of the rounds in SimP-256 or SimP-192.
- *
- * Bit i is the round constant for round i, repeated every 62 rounds.
- */
-#define SIMP_RC 0x3369F885192C0EF5ULL
-
-void simp_256_permute(unsigned char state[SIMP_256_STATE_SIZE], unsigned steps)
-{
- uint64_t z = SIMP_RC;
- uint64_t x0, x1, x2, x3, t0, t1;
- unsigned round;
-
- /* Load the state into local variables */
- x0 = be_load_word64(state);
- x1 = be_load_word64(state + 8);
- x2 = be_load_word64(state + 16);
- x3 = be_load_word64(state + 24);
-
- /* Perform all steps */
- for (; steps > 0; --steps) {
- /* Perform all rounds for this step, two at a time */
- for (round = 0; round < (SIMP_256_ROUNDS / 2); ++round) {
- t1 = x3 ^ (leftRotate1_64(x2) & leftRotate8_64(x2)) ^
- leftRotate2_64(x2) ^ x1;
- t0 = x1 ^ rightRotate3_64(x0) ^ rightRotate4_64(x0) ^
- 0xFFFFFFFFFFFFFFFCULL ^ (z & 1);
- z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */
- x2 = x2 ^ (leftRotate1_64(t1) & leftRotate8_64(t1)) ^
- leftRotate2_64(t1) ^ x0;
- x0 = x0 ^ rightRotate3_64(t0) ^ rightRotate4_64(t0) ^
- 0xFFFFFFFFFFFFFFFCULL ^ (z & 1);
- x1 = t0;
- x3 = t1;
- z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */
- }
-
- /* Swap the words of the state for all steps except the last */
- if (steps > 1) {
- t0 = x0;
- t1 = x1;
- x0 = x2;
- x1 = x3;
- x2 = t0;
- x3 = t1;
- }
- }
-
- /* Write the local variables back to the state */
- be_store_word64(state, x0);
- be_store_word64(state + 8, x1);
- be_store_word64(state + 16, x2);
- be_store_word64(state + 24, x3);
-}
-
-/* Load a big-endian 48-bit word from a byte buffer */
-#define be_load_word48(ptr) \
- ((((uint64_t)((ptr)[0])) << 40) | \
- (((uint64_t)((ptr)[1])) << 32) | \
- (((uint64_t)((ptr)[2])) << 24) | \
- (((uint64_t)((ptr)[3])) << 16) | \
- (((uint64_t)((ptr)[4])) << 8) | \
- ((uint64_t)((ptr)[5])))
-
-/* Store a big-endian 48-bit word into a byte buffer */
-#define be_store_word48(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 40); \
- (ptr)[1] = (uint8_t)(_x >> 32); \
- (ptr)[2] = (uint8_t)(_x >> 24); \
- (ptr)[3] = (uint8_t)(_x >> 16); \
- (ptr)[4] = (uint8_t)(_x >> 8); \
- (ptr)[5] = (uint8_t)_x; \
- } while (0)
-
-/* 48-bit rotations with the high bits set to garbage - truncated later */
-#define rightRotate3_48(x) (((x) >> 3) | ((x) << 45))
-#define rightRotate4_48(x) (((x) >> 4) | ((x) << 44))
-#define leftRotate1_48(x) (((x) << 1) | ((x) >> 47))
-#define leftRotate2_48(x) (((x) << 2) | ((x) >> 46))
-#define leftRotate8_48(x) (((x) << 8) | ((x) >> 40))
-
-void simp_192_permute(unsigned char state[SIMP_192_STATE_SIZE], unsigned steps)
-{
- uint64_t z = SIMP_RC;
- uint64_t x0, x1, x2, x3, t0, t1;
- unsigned round;
-
- /* Load the state into local variables */
- x0 = be_load_word48(state);
- x1 = be_load_word48(state + 6);
- x2 = be_load_word48(state + 12);
- x3 = be_load_word48(state + 18);
-
- /* Perform all steps */
- for (; steps > 0; --steps) {
- /* Perform all rounds for this step, two at a time */
- for (round = 0; round < (SIMP_192_ROUNDS / 2); ++round) {
- t1 = x3 ^ (leftRotate1_48(x2) & leftRotate8_48(x2)) ^
- leftRotate2_48(x2) ^ x1;
- t0 = x1 ^ rightRotate3_48(x0) ^ rightRotate4_48(x0) ^
- 0xFFFFFFFFFFFFFFFCULL ^ (z & 1);
- t0 &= 0x0000FFFFFFFFFFFFULL; /* Truncate back to 48 bits */
- t1 &= 0x0000FFFFFFFFFFFFULL;
- z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */
- x2 = x2 ^ (leftRotate1_48(t1) & leftRotate8_48(t1)) ^
- leftRotate2_48(t1) ^ x0;
- x0 = x0 ^ rightRotate3_48(t0) ^ rightRotate4_48(t0) ^
- 0xFFFFFFFFFFFFFFFCULL ^ (z & 1);
- x0 &= 0x0000FFFFFFFFFFFFULL;
- x2 &= 0x0000FFFFFFFFFFFFULL;
- x1 = t0;
- x3 = t1;
- z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */
- }
-
- /* Swap the words of the state for all steps except the last */
- if (steps > 1) {
- t0 = x0;
- t1 = x1;
- x0 = x2;
- x1 = x3;
- x2 = t0;
- x3 = t1;
- }
- }
-
- /* Write the local variables back to the state */
- be_store_word48(state, x0);
- be_store_word48(state + 6, x1);
- be_store_word48(state + 12, x2);
- be_store_word48(state + 18, x3);
-}
-
-#endif /* !__AVR__ */
diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/internal-simp.h b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/internal-simp.h
deleted file mode 100644
index 3a95e80..0000000
--- a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/internal-simp.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SIMP_H
-#define LW_INTERNAL_SIMP_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-simp.h
- * \brief SimP permutation family.
- *
- * SimP-256 and SimP-192 are used by the Oribatida submission to
- * round 2 of the NIST Lightweight Cryptography Competition.
- * The permutations are built around reduced-round variants of the
- * Simon-128-128 and Simon-96-96 block ciphers.
- *
- * References: https://www.isical.ac.in/~lightweight/oribatida/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief State size of the SimP-256 permutation.
- */
-#define SIMP_256_STATE_SIZE 32
-
-/**
- * \brief State size of the SimP-192 permutation.
- */
-#define SIMP_192_STATE_SIZE 24
-
-/**
- * \brief Permutes a state with SimP-256.
- *
- * \param state State to be permuted.
- * \param steps Number of steps to perform (usually 2 or 4).
- */
-void simp_256_permute(unsigned char state[SIMP_256_STATE_SIZE], unsigned steps);
-
-/**
- * \brief Permutes a state with SimP-192.
- *
- * \param state State to be permuted.
- * \param steps Number of steps to perform (usually 2 or 4).
- */
-void simp_192_permute(unsigned char state[SIMP_192_STATE_SIZE], unsigned steps);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/internal-util.h b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/oribatida.c b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/oribatida.c deleted file mode 100644 index 55a3914..0000000 --- a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/oribatida.c +++ /dev/null 
@@ -1,480 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "oribatida.h" -#include "internal-simp.h" -#include - -/** - * \brief Rate for processing data for the Oribatida-256-64 state. - */ -#define ORIBATIDA_256_RATE 16 - -/** - * \brief Size of the masking value for Oribatida-256-64. - */ -#define ORIBATIDA_256_MASK_SIZE 8 - -/** - * \brief Rate for processing data for the Oribatida-192-96 state. - */ -#define ORIBATIDA_192_RATE 12 - -/** - * \brief Size of the masking value for Oribatida-192-96. 
- */ -#define ORIBATIDA_192_MASK_SIZE 12 - -aead_cipher_t const oribatida_256_cipher = { - "Oribatida-256-64", - ORIBATIDA_256_KEY_SIZE, - ORIBATIDA_256_NONCE_SIZE, - ORIBATIDA_256_TAG_SIZE, - AEAD_FLAG_NONE, - oribatida_256_aead_encrypt, - oribatida_256_aead_decrypt -}; - -aead_cipher_t const oribatida_192_cipher = { - "Oribatida-192-96", - ORIBATIDA_192_KEY_SIZE, - ORIBATIDA_192_NONCE_SIZE, - ORIBATIDA_192_TAG_SIZE, - AEAD_FLAG_NONE, - oribatida_192_aead_encrypt, - oribatida_192_aead_decrypt -}; - -/* Definitions for domain separation values */ -#define ORIBATIDA_NUM_DOMAINS 3 -#define ORIBATIDA_DOMAIN_NONCE 0 -#define ORIBATIDA_DOMAIN_AD 1 -#define ORIBATIDA_DOMAIN_MSG 2 - -/** - * \brief Gets the domain separation values to use for different phases - * of the Oribatida encryption process. - * - * \param domains Returns the domain separation values to use. - * \param adlen Length of the associated data. - * \param mlen Length of the plaintext message. - * \param rate Rate of processing message blocks, 12 or 16. - */ -static void oribatida_get_domains - (unsigned char domains[ORIBATIDA_NUM_DOMAINS], - unsigned long long adlen, unsigned long long mlen, unsigned rate) -{ - /* Domain separation value for the nonce */ - if (adlen == 0 && mlen == 0) { - domains[ORIBATIDA_DOMAIN_NONCE] = 9; - } else { - domains[ORIBATIDA_DOMAIN_NONCE] = 5; - } - - /* Domain separation value for associated data processing */ - if (mlen == 0) { - if ((adlen % rate) == 0) - domains[ORIBATIDA_DOMAIN_AD] = 12; - else - domains[ORIBATIDA_DOMAIN_AD] = 14; - } else { - if ((adlen % rate) == 0) - domains[ORIBATIDA_DOMAIN_AD] = 4; - else - domains[ORIBATIDA_DOMAIN_AD] = 6; - } - - /* Domain separation value for message processing */ - if ((mlen % rate) == 0) { - domains[ORIBATIDA_DOMAIN_MSG] = 13; - } else { - domains[ORIBATIDA_DOMAIN_MSG] = 15; - } -} - -/** - * \brief Initializes the Oribatida-256-64 state. - * - * \param state Oribatida-256-64 permutation state. 
- * \param mask Oribatida-256-64 masking state. - * \param domains Precomputed domain separation values. - * \param k Points to the key. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data. - */ -static void oribatida_256_init - (unsigned char state[SIMP_256_STATE_SIZE], - unsigned char mask[ORIBATIDA_256_MASK_SIZE], - const unsigned char domains[ORIBATIDA_NUM_DOMAINS], - const unsigned char *k, const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned temp; - - /* Initialize the state with the key and nonce */ - memcpy(state, npub, ORIBATIDA_256_NONCE_SIZE); - memcpy(state + ORIBATIDA_256_NONCE_SIZE, k, ORIBATIDA_256_KEY_SIZE); - - /* Use the current state as the mask for zero-length associated data */ - if (adlen == 0) { - memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE, - ORIBATIDA_256_MASK_SIZE); - } - - /* Add the domain separation value for the nonce */ - state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_NONCE]; - - /* Run the permutation for the first time */ - simp_256_permute(state, 4); - - /* If there is no associated data, then we are done */ - if (adlen == 0) - return; - - /* Use the current state as the mask for non-zero length associated data */ - memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE, - ORIBATIDA_256_MASK_SIZE); - - /* Process all associated data blocks except the last */ - while (adlen > ORIBATIDA_256_RATE) { - lw_xor_block(state, ad, ORIBATIDA_256_RATE); - simp_256_permute(state, 2); - ad += ORIBATIDA_256_RATE; - adlen -= ORIBATIDA_256_RATE; - } - - /* Process the final associated data block */ - temp = (unsigned)adlen; - if (temp == ORIBATIDA_256_RATE) { - lw_xor_block(state, ad, ORIBATIDA_256_RATE); - } else { - lw_xor_block(state, ad, temp); - state[temp] ^= 0x80; /* padding */ - } - state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_AD]; - simp_256_permute(state, 4); -} 
- -/** - * \brief Initializes the Oribatida-192-96 state. - * - * \param state Oribatida-192-96 permutation state. - * \param mask Oribatida-192-96 masking state. - * \param domains Precomputed domain separation values. - * \param k Points to the key. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data. - */ -static void oribatida_192_init - (unsigned char state[SIMP_192_STATE_SIZE], - unsigned char mask[ORIBATIDA_192_MASK_SIZE], - const unsigned char domains[ORIBATIDA_NUM_DOMAINS], - const unsigned char *k, const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned temp; - - /* Initialize the state with the key and nonce */ - memcpy(state, npub, ORIBATIDA_192_NONCE_SIZE); - memcpy(state + ORIBATIDA_192_NONCE_SIZE, k, ORIBATIDA_256_KEY_SIZE); - - /* Use the current state as the mask for zero-length associated data */ - if (adlen == 0) { - memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE, - ORIBATIDA_192_MASK_SIZE); - } - - /* Add the domain separation value for the nonce */ - state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_NONCE]; - - /* Run the permutation for the first time */ - simp_192_permute(state, 4); - - /* If there is no associated data, then we are done */ - if (adlen == 0) - return; - - /* Use the current state as the mask for non-zero length associated data */ - memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE, - ORIBATIDA_192_MASK_SIZE); - - /* Process all associated data blocks except the last */ - while (adlen > ORIBATIDA_192_RATE) { - lw_xor_block(state, ad, ORIBATIDA_192_RATE); - simp_192_permute(state, 2); - ad += ORIBATIDA_192_RATE; - adlen -= ORIBATIDA_192_RATE; - } - - /* Process the final associated data block */ - temp = (unsigned)adlen; - if (temp == ORIBATIDA_192_RATE) { - lw_xor_block(state, ad, ORIBATIDA_192_RATE); - } else { - lw_xor_block(state, ad, temp); - state[temp] ^= 0x80; 
/* padding */ - } - state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_AD]; - simp_192_permute(state, 4); -} - -int oribatida_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[SIMP_256_STATE_SIZE]; - unsigned char mask[ORIBATIDA_256_MASK_SIZE]; - unsigned char domains[ORIBATIDA_NUM_DOMAINS]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ORIBATIDA_256_TAG_SIZE; - - /* Initialize the state and absorb the associated data */ - oribatida_get_domains(domains, adlen, mlen, ORIBATIDA_256_RATE); - oribatida_256_init(state, mask, domains, k, npub, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - while (mlen > ORIBATIDA_256_RATE) { - lw_xor_block_2_dest(c, state, m, ORIBATIDA_256_RATE); - lw_xor_block(c + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, - mask, ORIBATIDA_256_MASK_SIZE); - memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE, - ORIBATIDA_256_MASK_SIZE); - simp_256_permute(state, 4); - c += ORIBATIDA_256_RATE; - m += ORIBATIDA_256_RATE; - mlen -= ORIBATIDA_256_RATE; - } - if (mlen == ORIBATIDA_256_RATE) { - lw_xor_block_2_dest(c, state, m, ORIBATIDA_256_RATE); - lw_xor_block(c + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, - mask, ORIBATIDA_256_MASK_SIZE); - state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; - simp_256_permute(state, 4); - } else if (mlen > 0) { - unsigned temp = (unsigned)mlen; - lw_xor_block_2_dest(c, state, m, temp); - if (temp > (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE)) { - lw_xor_block - (c + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, mask, - temp - (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE)); - } - state[temp] ^= 0x80; /* padding */ - state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; - 
simp_256_permute(state, 4); - } - - /* Generate the authentication tag */ - memcpy(c + mlen, state, ORIBATIDA_256_TAG_SIZE); - return 0; -} - -int oribatida_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[SIMP_256_STATE_SIZE]; - unsigned char mask[ORIBATIDA_256_MASK_SIZE]; - unsigned char domains[ORIBATIDA_NUM_DOMAINS]; - unsigned char block[ORIBATIDA_256_RATE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ORIBATIDA_256_TAG_SIZE) - return -1; - *mlen = clen - ORIBATIDA_256_TAG_SIZE; - - /* Initialize the state and absorb the associated data */ - clen -= ORIBATIDA_256_TAG_SIZE; - oribatida_get_domains(domains, adlen, clen, ORIBATIDA_256_RATE); - oribatida_256_init(state, mask, domains, k, npub, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - while (clen > ORIBATIDA_256_RATE) { - memcpy(block, c, ORIBATIDA_256_RATE); - lw_xor_block(block + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, - mask, ORIBATIDA_256_MASK_SIZE); - lw_xor_block_swap(m, state, block, ORIBATIDA_256_RATE); - memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE, - ORIBATIDA_256_MASK_SIZE); - simp_256_permute(state, 4); - c += ORIBATIDA_256_RATE; - m += ORIBATIDA_256_RATE; - clen -= ORIBATIDA_256_RATE; - } - if (clen == ORIBATIDA_256_RATE) { - memcpy(block, c, ORIBATIDA_256_RATE); - lw_xor_block(block + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, - mask, ORIBATIDA_256_MASK_SIZE); - lw_xor_block_swap(m, state, block, ORIBATIDA_256_RATE); - state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; - simp_256_permute(state, 4); - } else if (clen > 0) { - unsigned temp = (unsigned)clen; - memcpy(block, c, temp); - if (temp > (ORIBATIDA_256_RATE - 
ORIBATIDA_256_MASK_SIZE)) { - lw_xor_block - (block + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, mask, - temp - (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE)); - } - lw_xor_block_swap(m, state, block, temp); - state[temp] ^= 0x80; /* padding */ - state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; - simp_256_permute(state, 4); - } - c += clen; - - /* Check the authentication tag */ - return aead_check_tag(mtemp, *mlen, state, c, ORIBATIDA_256_TAG_SIZE); -} - -int oribatida_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[SIMP_192_STATE_SIZE]; - unsigned char mask[ORIBATIDA_192_MASK_SIZE]; - unsigned char domains[ORIBATIDA_NUM_DOMAINS]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ORIBATIDA_192_TAG_SIZE; - - /* Initialize the state and absorb the associated data */ - oribatida_get_domains(domains, adlen, mlen, ORIBATIDA_192_RATE); - oribatida_192_init(state, mask, domains, k, npub, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - while (mlen > ORIBATIDA_192_RATE) { - lw_xor_block_2_dest(c, state, m, ORIBATIDA_192_RATE); - lw_xor_block(c + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, - mask, ORIBATIDA_192_MASK_SIZE); - memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE, - ORIBATIDA_192_MASK_SIZE); - simp_192_permute(state, 4); - c += ORIBATIDA_192_RATE; - m += ORIBATIDA_192_RATE; - mlen -= ORIBATIDA_192_RATE; - } - if (mlen == ORIBATIDA_192_RATE) { - lw_xor_block_2_dest(c, state, m, ORIBATIDA_192_RATE); - lw_xor_block(c + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, - mask, ORIBATIDA_192_MASK_SIZE); - state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; - simp_192_permute(state, 4); - } else if (mlen > 0) { - unsigned temp = 
(unsigned)mlen; - lw_xor_block_2_dest(c, state, m, temp); - if (temp > (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)) { - lw_xor_block - (c + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, mask, - temp - (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)); - } - state[temp] ^= 0x80; /* padding */ - state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; - simp_192_permute(state, 4); - } - - /* Generate the authentication tag */ - memcpy(c + mlen, state, ORIBATIDA_192_TAG_SIZE); - return 0; -} - -int oribatida_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[SIMP_192_STATE_SIZE]; - unsigned char mask[ORIBATIDA_192_MASK_SIZE]; - unsigned char domains[ORIBATIDA_NUM_DOMAINS]; - unsigned char block[ORIBATIDA_192_RATE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ORIBATIDA_192_TAG_SIZE) - return -1; - *mlen = clen - ORIBATIDA_192_TAG_SIZE; - - /* Initialize the state and absorb the associated data */ - clen -= ORIBATIDA_192_TAG_SIZE; - oribatida_get_domains(domains, adlen, clen, ORIBATIDA_192_RATE); - oribatida_192_init(state, mask, domains, k, npub, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - while (clen > ORIBATIDA_192_RATE) { - memcpy(block, c, ORIBATIDA_192_RATE); - lw_xor_block(block + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, - mask, ORIBATIDA_192_MASK_SIZE); - lw_xor_block_swap(m, state, block, ORIBATIDA_192_RATE); - memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE, - ORIBATIDA_192_MASK_SIZE); - simp_192_permute(state, 4); - c += ORIBATIDA_192_RATE; - m += ORIBATIDA_192_RATE; - clen -= ORIBATIDA_192_RATE; - } - if (clen == ORIBATIDA_192_RATE) { - memcpy(block, c, ORIBATIDA_192_RATE); - lw_xor_block(block + 
ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, - mask, ORIBATIDA_192_MASK_SIZE); - lw_xor_block_swap(m, state, block, ORIBATIDA_192_RATE); - state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; - simp_192_permute(state, 4); - } else if (clen > 0) { - unsigned temp = (unsigned)clen; - memcpy(block, c, temp); - if (temp > (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)) { - lw_xor_block - (block + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, mask, - temp - (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)); - } - lw_xor_block_swap(m, state, block, temp); - state[temp] ^= 0x80; /* padding */ - state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG]; - simp_192_permute(state, 4); - } - c += clen; - - /* Check the authentication tag */ - return aead_check_tag(mtemp, *mlen, state, c, ORIBATIDA_192_TAG_SIZE); -} diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/oribatida.h b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/oribatida.h deleted file mode 100644 index dbc374b..0000000 --- a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys-avr/oribatida.h +++ /dev/null 
@@ -1,212 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_ORIBATIDA_H -#define LWCRYPTO_ORIBATIDA_H - -#include "aead-common.h" - -/** - * \file oribatida.h - * \brief Oribatida authenticated encryption algorithm. - * - * Oribatida is a family of authenticated encryption algorithms based on the - * SimP-256 and SimP-192 permutations which are built around reduced-round - * variants of the Simon-128-128 and Simon-96-96 block ciphers. - * There are two algorithms in the family: - * - * \li Oribatida-256-64 with a 128-bit key, a 128-bit nonce, and a 128-bit tag, - * built around the SimP-256 permutation. This is the primary member of - * the family. - * \li Oribatida-192-96 with a 128-bit key, a 64-bit nonce, and a 96-bit tag, - * built around the SimP-192 permutation. 
- * - * References: https://www.isical.ac.in/~lightweight/oribatida/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for Oribatida-256-64. - */ -#define ORIBATIDA_256_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Oribatida-256-64. - */ -#define ORIBATIDA_256_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Oribatida-256-64. - */ -#define ORIBATIDA_256_NONCE_SIZE 16 - -/** - * \brief Size of the key for Oribatida-192-96. - */ -#define ORIBATIDA_192_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Oribatida-192-96. - */ -#define ORIBATIDA_192_TAG_SIZE 12 - -/** - * \brief Size of the nonce for Oribatida-192-96. - */ -#define ORIBATIDA_192_NONCE_SIZE 8 - -/** - * \brief Meta-information block for the Oribatida-256-64 cipher. - */ -extern aead_cipher_t const oribatida_256_cipher; - -/** - * \brief Meta-information block for the Oribatida-192-96 cipher. - */ -extern aead_cipher_t const oribatida_192_cipher; - -/** - * \brief Encrypts and authenticates a packet with Oribatida-256-64. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa oribatida_256_aead_decrypt() - */ -int oribatida_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Oribatida-256-64. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa oribatida_256_aead_encrypt() - */ -int oribatida_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Oribatida-192-96. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 12 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa oribatida_192_aead_decrypt() - */ -int oribatida_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Oribatida-192-96. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 12 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa oribatida_192_aead_encrypt() - */ -int oribatida_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp-avr.S b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp-avr.S new file mode 100644 index 0000000..65fba20 --- /dev/null +++ b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp-avr.S 
@@ -0,0 +1,949 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global simp_256_permute + .type simp_256_permute, @function +simp_256_permute: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ldi r23,245 + mov r10,r23 + ldi r17,14 + mov r11,r17 + ldi r16,44 + mov r12,r16 + ldi r23,25 + mov r13,r23 + ldi r23,133 + mov r14,r23 + ldi r23,248 + mov r15,r23 + ldi r24,105 + ldi r25,51 +14: + ldi r23,17 +16: + ldd r29,Z+16 + ldd r28,Z+17 + ldd r27,Z+18 + ldd r26,Z+19 + ldd r21,Z+20 + ldd r20,Z+21 + ldd r19,Z+22 + ldd r18,Z+23 + mov r2,r29 + mov r3,r18 + mov r4,r19 + mov r5,r20 + mov r6,r21 + mov r7,r26 + mov r8,r27 + mov r9,r28 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + rol r28 + rol r29 + adc r18,r1 + and r2,r18 + and r3,r19 + and r4,r20 + and r5,r21 + and r6,r26 + and r7,r27 + and r8,r28 + and r9,r29 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + rol r28 + rol r29 + adc r18,r1 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + eor r6,r26 + eor r7,r27 + eor r8,r28 + eor r9,r29 + ldd r0,Z+8 + eor r9,r0 + ldd r0,Z+9 + eor r8,r0 + ldd r0,Z+10 + eor r7,r0 + ldd r0,Z+11 + eor r6,r0 + ldd r0,Z+12 + eor r5,r0 + ldd r0,Z+13 + eor r4,r0 + ldd r0,Z+14 + eor r3,r0 + ldd r0,Z+15 + eor r2,r0 + ldd r0,Z+24 + eor r0,r9 + std Z+24,r0 + ldd r0,Z+25 + eor r0,r8 + std Z+25,r0 + ldd r0,Z+26 + eor r0,r7 + std Z+26,r0 + ldd r0,Z+27 + eor r0,r6 + std Z+27,r0 + ldd r0,Z+28 + eor r0,r5 + std Z+28,r0 + ldd r0,Z+29 + eor r0,r4 + std Z+29,r0 + ldd r0,Z+30 + eor r0,r3 + std Z+30,r0 + ldd r0,Z+31 + eor r0,r2 + std Z+31,r0 + ld r29,Z + ldd r28,Z+1 + ldd r27,Z+2 + ldd r26,Z+3 + ldd r21,Z+4 + ldd r20,Z+5 + ldd r19,Z+6 + ldd r18,Z+7 + mov r0,r1 + lsr r29 + ror r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r29 + ror 
r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r29 + ror r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + or r29,r0 + movw r2,r18 + movw r4,r20 + movw r6,r26 + movw r8,r28 + bst r2,0 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r3 + ror r2 + bld r9,7 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + eor r26,r6 + eor r27,r7 + eor r28,r8 + eor r29,r9 + ldi r17,252 + eor r18,r17 + com r19 + com r20 + com r21 + com r26 + com r27 + com r28 + com r29 + mov r0,r1 + bst r10,0 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r11 + ror r10 + bld r25,5 + bld r0,0 + eor r18,r0 + ldd r0,Z+8 + eor r0,r29 + std Z+8,r0 + ldd r0,Z+9 + eor r0,r28 + std Z+9,r0 + ldd r0,Z+10 + eor r0,r27 + std Z+10,r0 + ldd r0,Z+11 + eor r0,r26 + std Z+11,r0 + ldd r0,Z+12 + eor r0,r21 + std Z+12,r0 + ldd r0,Z+13 + eor r0,r20 + std Z+13,r0 + ldd r0,Z+14 + eor r0,r19 + std Z+14,r0 + ldd r0,Z+15 + eor r0,r18 + std Z+15,r0 + ldd r9,Z+24 + ldd r8,Z+25 + ldd r7,Z+26 + ldd r6,Z+27 + ldd r5,Z+28 + ldd r4,Z+29 + ldd r3,Z+30 + ldd r2,Z+31 + mov r18,r9 + mov r19,r2 + mov r20,r3 + mov r21,r4 + mov r26,r5 + mov r27,r6 + mov r28,r7 + mov r29,r8 + lsl r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + adc r2,r1 + and r18,r2 + and r19,r3 + and r20,r4 + and r21,r5 + and r26,r6 + and r27,r7 + and r28,r8 + and r29,r9 + lsl r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + adc r2,r1 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + eor r26,r6 + eor r27,r7 + eor r28,r8 + eor r29,r9 + ld r0,Z + eor r29,r0 + ldd r0,Z+1 + eor r28,r0 + ldd r0,Z+2 + eor r27,r0 + ldd r0,Z+3 + eor r26,r0 + ldd r0,Z+4 + eor r21,r0 + ldd r0,Z+5 + eor r20,r0 + ldd r0,Z+6 + eor r19,r0 + ldd r0,Z+7 + eor r18,r0 + ldd r0,Z+16 + eor r0,r29 + std Z+16,r0 + ldd r0,Z+17 + eor r0,r28 + std Z+17,r0 + ldd r0,Z+18 + eor r0,r27 + std Z+18,r0 + ldd r0,Z+19 + eor r0,r26 + std Z+19,r0 + ldd r0,Z+20 + eor r0,r21 + std Z+20,r0 + ldd 
r0,Z+21 + eor r0,r20 + std Z+21,r0 + ldd r0,Z+22 + eor r0,r19 + std Z+22,r0 + ldd r0,Z+23 + eor r0,r18 + std Z+23,r0 + ldd r29,Z+8 + ldd r28,Z+9 + ldd r27,Z+10 + ldd r26,Z+11 + ldd r21,Z+12 + ldd r20,Z+13 + ldd r19,Z+14 + ldd r18,Z+15 + mov r0,r1 + lsr r29 + ror r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r29 + ror r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r29 + ror r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + or r29,r0 + movw r2,r18 + movw r4,r20 + movw r6,r26 + movw r8,r28 + bst r18,0 + lsr r29 + ror r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + bld r29,7 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + eor r6,r26 + eor r7,r27 + eor r8,r28 + eor r9,r29 + eor r2,r17 + com r3 + com r4 + com r5 + com r6 + com r7 + com r8 + com r9 + mov r0,r1 + bst r10,0 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r11 + ror r10 + bld r25,5 + bld r0,0 + eor r2,r0 + ld r0,Z + eor r0,r9 + st Z,r0 + ldd r0,Z+1 + eor r0,r8 + std Z+1,r0 + ldd r0,Z+2 + eor r0,r7 + std Z+2,r0 + ldd r0,Z+3 + eor r0,r6 + std Z+3,r0 + ldd r0,Z+4 + eor r0,r5 + std Z+4,r0 + ldd r0,Z+5 + eor r0,r4 + std Z+5,r0 + ldd r0,Z+6 + eor r0,r3 + std Z+6,r0 + ldd r0,Z+7 + eor r0,r2 + std Z+7,r0 + dec r23 + breq 5407f + rjmp 16b +5407: + dec r22 + brne 5409f + rjmp 475f +5409: + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r28,Z+6 + ldd r29,Z+7 + ldd r2,Z+16 + ldd r3,Z+17 + ldd r4,Z+18 + ldd r5,Z+19 + ldd r6,Z+20 + ldd r7,Z+21 + ldd r8,Z+22 + ldd r9,Z+23 + st Z,r2 + std Z+1,r3 + std Z+2,r4 + std Z+3,r5 + std Z+4,r6 + std Z+5,r7 + std Z+6,r8 + std Z+7,r9 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + std Z+20,r26 + std Z+21,r27 + std Z+22,r28 + std Z+23,r29 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r28,Z+14 + ldd r29,Z+15 + ldd r2,Z+24 + ldd r3,Z+25 + ldd r4,Z+26 + ldd 
r5,Z+27 + ldd r6,Z+28 + ldd r7,Z+29 + ldd r8,Z+30 + ldd r9,Z+31 + std Z+8,r2 + std Z+9,r3 + std Z+10,r4 + std Z+11,r5 + std Z+12,r6 + std Z+13,r7 + std Z+14,r8 + std Z+15,r9 + std Z+24,r18 + std Z+25,r19 + std Z+26,r20 + std Z+27,r21 + std Z+28,r26 + std Z+29,r27 + std Z+30,r28 + std Z+31,r29 + rjmp 14b +475: + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size simp_256_permute, .-simp_256_permute + + .text +.global simp_192_permute + .type simp_192_permute, @function +simp_192_permute: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ldi r25,245 + mov r8,r25 + ldi r24,14 + mov r9,r24 + ldi r23,44 + mov r10,r23 + ldi r17,25 + mov r11,r17 + ldi r16,133 + mov r12,r16 + ldi r23,248 + mov r13,r23 + ldi r23,105 + mov r14,r23 + ldi r23,51 + mov r15,r23 +16: + ldi r23,13 +18: + ldd r27,Z+12 + ldd r26,Z+13 + ldd r21,Z+14 + ldd r20,Z+15 + ldd r19,Z+16 + ldd r18,Z+17 + mov r2,r27 + mov r3,r18 + mov r4,r19 + mov r5,r20 + mov r6,r21 + mov r7,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + adc r18,r1 + and r2,r18 + and r3,r19 + and r4,r20 + and r5,r21 + and r6,r26 + and r7,r27 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + adc r18,r1 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + eor r6,r26 + eor r7,r27 + ldd r0,Z+6 + eor r7,r0 + ldd r0,Z+7 + eor r6,r0 + ldd r0,Z+8 + eor r5,r0 + ldd r0,Z+9 + eor r4,r0 + ldd r0,Z+10 + eor r3,r0 + ldd r0,Z+11 + eor r2,r0 + ldd r0,Z+18 + eor r0,r7 + std Z+18,r0 + ldd r0,Z+19 + eor r0,r6 + std Z+19,r0 + ldd r0,Z+20 + eor r0,r5 + std Z+20,r0 + ldd r0,Z+21 + eor r0,r4 + std Z+21,r0 + ldd r0,Z+22 + eor r0,r3 + std Z+22,r0 + ldd r0,Z+23 + eor r0,r2 + std Z+23,r0 + ld r27,Z + ldd r26,Z+1 + ldd r21,Z+2 + ldd r20,Z+3 + ldd r19,Z+4 
+ ldd r18,Z+5 + mov r0,r1 + lsr r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + or r27,r0 + movw r2,r18 + movw r4,r20 + movw r6,r26 + bst r2,0 + lsr r7 + ror r6 + ror r5 + ror r4 + ror r3 + ror r2 + bld r7,7 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + eor r26,r6 + eor r27,r7 + ldi r25,252 + eor r18,r25 + com r19 + com r20 + com r21 + com r26 + com r27 + mov r0,r1 + bst r8,0 + lsr r15 + ror r14 + ror r13 + ror r12 + ror r11 + ror r10 + ror r9 + ror r8 + bld r15,5 + bld r0,0 + eor r18,r0 + ldd r0,Z+6 + eor r0,r27 + std Z+6,r0 + ldd r0,Z+7 + eor r0,r26 + std Z+7,r0 + ldd r0,Z+8 + eor r0,r21 + std Z+8,r0 + ldd r0,Z+9 + eor r0,r20 + std Z+9,r0 + ldd r0,Z+10 + eor r0,r19 + std Z+10,r0 + ldd r0,Z+11 + eor r0,r18 + std Z+11,r0 + ldd r7,Z+18 + ldd r6,Z+19 + ldd r5,Z+20 + ldd r4,Z+21 + ldd r3,Z+22 + ldd r2,Z+23 + mov r18,r7 + mov r19,r2 + mov r20,r3 + mov r21,r4 + mov r26,r5 + mov r27,r6 + lsl r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + adc r2,r1 + and r18,r2 + and r19,r3 + and r20,r4 + and r21,r5 + and r26,r6 + and r27,r7 + lsl r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + adc r2,r1 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + eor r26,r6 + eor r27,r7 + ld r0,Z + eor r27,r0 + ldd r0,Z+1 + eor r26,r0 + ldd r0,Z+2 + eor r21,r0 + ldd r0,Z+3 + eor r20,r0 + ldd r0,Z+4 + eor r19,r0 + ldd r0,Z+5 + eor r18,r0 + ldd r0,Z+12 + eor r0,r27 + std Z+12,r0 + ldd r0,Z+13 + eor r0,r26 + std Z+13,r0 + ldd r0,Z+14 + eor r0,r21 + std Z+14,r0 + ldd r0,Z+15 + eor r0,r20 + std Z+15,r0 + ldd r0,Z+16 + eor r0,r19 + std Z+16,r0 + ldd r0,Z+17 + eor r0,r18 + std Z+17,r0 + ldd r27,Z+6 + ldd r26,Z+7 + ldd r21,Z+8 + ldd r20,Z+9 + ldd r19,Z+10 + ldd r18,Z+11 + mov r0,r1 + lsr r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r27 + ror r26 
+ ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + or r27,r0 + movw r2,r18 + movw r4,r20 + movw r6,r26 + bst r18,0 + lsr r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + bld r27,7 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + eor r6,r26 + eor r7,r27 + eor r2,r25 + com r3 + com r4 + com r5 + com r6 + com r7 + mov r0,r1 + bst r8,0 + lsr r15 + ror r14 + ror r13 + ror r12 + ror r11 + ror r10 + ror r9 + ror r8 + bld r15,5 + bld r0,0 + eor r2,r0 + ld r0,Z + eor r0,r7 + st Z,r0 + ldd r0,Z+1 + eor r0,r6 + std Z+1,r0 + ldd r0,Z+2 + eor r0,r5 + std Z+2,r0 + ldd r0,Z+3 + eor r0,r4 + std Z+3,r0 + ldd r0,Z+4 + eor r0,r3 + std Z+4,r0 + ldd r0,Z+5 + eor r0,r2 + std Z+5,r0 + dec r23 + breq 5323f + rjmp 18b +5323: + dec r22 + breq 375f + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+12 + ldd r3,Z+13 + ldd r4,Z+14 + ldd r5,Z+15 + ldd r6,Z+16 + ldd r7,Z+17 + st Z,r2 + std Z+1,r3 + std Z+2,r4 + std Z+3,r5 + std Z+4,r6 + std Z+5,r7 + std Z+12,r18 + std Z+13,r19 + std Z+14,r20 + std Z+15,r21 + std Z+16,r26 + std Z+17,r27 + ldd r18,Z+6 + ldd r19,Z+7 + ldd r20,Z+8 + ldd r21,Z+9 + ldd r26,Z+10 + ldd r27,Z+11 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + std Z+6,r2 + std Z+7,r3 + std Z+8,r4 + std Z+9,r5 + std Z+10,r6 + std Z+11,r7 + std Z+18,r18 + std Z+19,r19 + std Z+20,r20 + std Z+21,r21 + std Z+22,r26 + std Z+23,r27 + rjmp 16b +375: + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size simp_192_permute, .-simp_192_permute + +#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.c b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.c index 4ca50d0..5d2144e 100644 --- a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.c 
+++ b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-simp.c @@ -22,6 +22,8 @@ #include "internal-simp.h" +#if !defined(__AVR__) + /** * \brief Number of rounds for the inner block cipher within SimP-256. */ @@ -166,3 +168,5 @@ void simp_192_permute(unsigned char state[SIMP_192_STATE_SIZE], unsigned steps) be_store_word48(state + 12, x2); be_store_word48(state + 18, x3); } + +#endif /* !__AVR__ */ diff --git a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-util.h b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-util.h index e79158c..e30166d 100644 --- a/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-util.h +++ b/oribatida/Implementations/crypto_aead/oribatida192v12/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
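Review bot: The `#if !defined(__AVR__)` added right after `#include "internal-simp.h"` compiles the C permutations out of AVR builds without recording that the assembly replacement has a narrower contract than the prototype it now stands behind (`void simp_192_permute(unsigned char state[SIMP_192_STATE_SIZE], unsigned steps)`, visible in the second hunk's header). Reading the generated internal-simp-avr.S added in this same commit, `steps` appears to be consumed only through r22 while r23 is reused as the inner round counter, and the outer loop decrements before testing (`dec r22` then `breq`/`brne`), so `steps == 0` would seem to run 256 steps rather than none and counts above 255 would be truncated; the C loop presumably does neither. The only callers visible here pass a constant (`simp_192_permute(state, 4)`), so this is not a live bug, but the divergence belongs next to the switch: `/* On AVR the permutations come from internal-simp-avr.S, which treats steps as an 8-bit count and assumes 1 <= steps <= 255. */`.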
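Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is derived from `__AVR__` alone in the new block after the `do { ... } while (0)` context, so the composed-rotation path cannot be enabled for another target without a barrel shifter, or disabled on AVR to compare against the generic macros, without editing the header. Wrapping the `#if defined(__AVR__)` selection in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` ... `#endif` keeps the current default and lets a build define the value on the command line. It would also help to state in the comment above it that the `#else` branch of the rotation macros is only ever compiled for AVR, since that is the only place a mistake in the composed counts would surface.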
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/aead-common.c b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
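Review bot: None of the 62 composed definitions between `#else /* LW_CRYPTO_ROTATE32_COMPOSED */` and the matching `#endif` is ever compiled on a host build, so a wrong count in one of the longer chains (leftRotate12 and leftRotate20 nest five generic rotates) would only surface as a failing known-answer test on the target. I checked each comment against its expansion and they agree, but a tiny self-test built with avr-gcc would keep it that way, e.g. asserting `leftRotate12(0x12345678UL) == 0x45678123UL` and `rightRotate12(0x45678123UL) == 0x12345678UL`. The generic leftRotate/rightRotate these expand to appear to be statement expressions that declare a `_temp` local (the previous hunk's context shows `_temp`), so nesting them evaluates `a` once but re-declares `_temp` in each inner scope and will trip `-Wshadow` if the project enables it; a one-line note above the block saying the shadowing is expected would save the next reader from wondering.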
--- a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/aead-common.h b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/api.h b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/api.h
deleted file mode 100644
index b2f8a36..0000000
--- a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/encrypt.c b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/encrypt.c
deleted file mode 100644
index fd7d71e..0000000
--- a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "oribatida.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return oribatida_256_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return oribatida_256_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/internal-simp-avr.S b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/internal-simp-avr.S
deleted file mode 100644
index 65fba20..0000000
--- a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/internal-simp-avr.S
+++ /dev/null
@@ -1,949 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global simp_256_permute - .type simp_256_permute, @function -simp_256_permute: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ldi r23,245 - mov r10,r23 - ldi r17,14 - mov r11,r17 - ldi r16,44 - mov r12,r16 - ldi r23,25 - mov r13,r23 - ldi r23,133 - mov r14,r23 - ldi r23,248 - mov r15,r23 - ldi r24,105 - ldi r25,51 -14: - ldi r23,17 -16: - ldd r29,Z+16 - ldd r28,Z+17 - ldd r27,Z+18 - ldd r26,Z+19 - ldd r21,Z+20 - ldd r20,Z+21 - ldd r19,Z+22 - ldd r18,Z+23 - mov r2,r29 - mov r3,r18 - mov r4,r19 - mov r5,r20 - mov r6,r21 - mov r7,r26 - mov r8,r27 - mov r9,r28 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - rol r28 - rol r29 - adc r18,r1 - and r2,r18 - and r3,r19 - and r4,r20 - and r5,r21 - and r6,r26 - and r7,r27 - and r8,r28 - and r9,r29 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - rol r28 - rol r29 - adc r18,r1 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - eor r6,r26 - eor r7,r27 - eor r8,r28 - eor r9,r29 - ldd r0,Z+8 - eor r9,r0 - ldd r0,Z+9 - eor r8,r0 - ldd r0,Z+10 - eor r7,r0 - ldd r0,Z+11 - eor r6,r0 - ldd r0,Z+12 - eor r5,r0 - ldd r0,Z+13 - eor r4,r0 - ldd r0,Z+14 - eor r3,r0 - ldd r0,Z+15 - eor r2,r0 - ldd r0,Z+24 - eor r0,r9 - std Z+24,r0 - ldd r0,Z+25 - eor r0,r8 - std Z+25,r0 - ldd r0,Z+26 - eor r0,r7 - std Z+26,r0 - ldd r0,Z+27 - eor r0,r6 - std Z+27,r0 - ldd r0,Z+28 - eor r0,r5 - std Z+28,r0 - ldd r0,Z+29 - eor r0,r4 - std Z+29,r0 - ldd r0,Z+30 - eor r0,r3 - std Z+30,r0 - ldd r0,Z+31 - eor r0,r2 - std Z+31,r0 - ld r29,Z - ldd r28,Z+1 - ldd r27,Z+2 - ldd r26,Z+3 - ldd r21,Z+4 - ldd r20,Z+5 - ldd r19,Z+6 - ldd r18,Z+7 - mov r0,r1 - lsr r29 - ror r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r29 - ror 
r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r29 - ror r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - or r29,r0 - movw r2,r18 - movw r4,r20 - movw r6,r26 - movw r8,r28 - bst r2,0 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r5 - ror r4 - ror r3 - ror r2 - bld r9,7 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - eor r26,r6 - eor r27,r7 - eor r28,r8 - eor r29,r9 - ldi r17,252 - eor r18,r17 - com r19 - com r20 - com r21 - com r26 - com r27 - com r28 - com r29 - mov r0,r1 - bst r10,0 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r11 - ror r10 - bld r25,5 - bld r0,0 - eor r18,r0 - ldd r0,Z+8 - eor r0,r29 - std Z+8,r0 - ldd r0,Z+9 - eor r0,r28 - std Z+9,r0 - ldd r0,Z+10 - eor r0,r27 - std Z+10,r0 - ldd r0,Z+11 - eor r0,r26 - std Z+11,r0 - ldd r0,Z+12 - eor r0,r21 - std Z+12,r0 - ldd r0,Z+13 - eor r0,r20 - std Z+13,r0 - ldd r0,Z+14 - eor r0,r19 - std Z+14,r0 - ldd r0,Z+15 - eor r0,r18 - std Z+15,r0 - ldd r9,Z+24 - ldd r8,Z+25 - ldd r7,Z+26 - ldd r6,Z+27 - ldd r5,Z+28 - ldd r4,Z+29 - ldd r3,Z+30 - ldd r2,Z+31 - mov r18,r9 - mov r19,r2 - mov r20,r3 - mov r21,r4 - mov r26,r5 - mov r27,r6 - mov r28,r7 - mov r29,r8 - lsl r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - adc r2,r1 - and r18,r2 - and r19,r3 - and r20,r4 - and r21,r5 - and r26,r6 - and r27,r7 - and r28,r8 - and r29,r9 - lsl r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - rol r8 - rol r9 - adc r2,r1 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - eor r26,r6 - eor r27,r7 - eor r28,r8 - eor r29,r9 - ld r0,Z - eor r29,r0 - ldd r0,Z+1 - eor r28,r0 - ldd r0,Z+2 - eor r27,r0 - ldd r0,Z+3 - eor r26,r0 - ldd r0,Z+4 - eor r21,r0 - ldd r0,Z+5 - eor r20,r0 - ldd r0,Z+6 - eor r19,r0 - ldd r0,Z+7 - eor r18,r0 - ldd r0,Z+16 - eor r0,r29 - std Z+16,r0 - ldd r0,Z+17 - eor r0,r28 - std Z+17,r0 - ldd r0,Z+18 - eor r0,r27 - std Z+18,r0 - ldd r0,Z+19 - eor r0,r26 - std Z+19,r0 - ldd r0,Z+20 - eor r0,r21 - std Z+20,r0 - ldd 
r0,Z+21 - eor r0,r20 - std Z+21,r0 - ldd r0,Z+22 - eor r0,r19 - std Z+22,r0 - ldd r0,Z+23 - eor r0,r18 - std Z+23,r0 - ldd r29,Z+8 - ldd r28,Z+9 - ldd r27,Z+10 - ldd r26,Z+11 - ldd r21,Z+12 - ldd r20,Z+13 - ldd r19,Z+14 - ldd r18,Z+15 - mov r0,r1 - lsr r29 - ror r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r29 - ror r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r29 - ror r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - or r29,r0 - movw r2,r18 - movw r4,r20 - movw r6,r26 - movw r8,r28 - bst r18,0 - lsr r29 - ror r28 - ror r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - bld r29,7 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - eor r6,r26 - eor r7,r27 - eor r8,r28 - eor r9,r29 - eor r2,r17 - com r3 - com r4 - com r5 - com r6 - com r7 - com r8 - com r9 - mov r0,r1 - bst r10,0 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r13 - ror r12 - ror r11 - ror r10 - bld r25,5 - bld r0,0 - eor r2,r0 - ld r0,Z - eor r0,r9 - st Z,r0 - ldd r0,Z+1 - eor r0,r8 - std Z+1,r0 - ldd r0,Z+2 - eor r0,r7 - std Z+2,r0 - ldd r0,Z+3 - eor r0,r6 - std Z+3,r0 - ldd r0,Z+4 - eor r0,r5 - std Z+4,r0 - ldd r0,Z+5 - eor r0,r4 - std Z+5,r0 - ldd r0,Z+6 - eor r0,r3 - std Z+6,r0 - ldd r0,Z+7 - eor r0,r2 - std Z+7,r0 - dec r23 - breq 5407f - rjmp 16b -5407: - dec r22 - brne 5409f - rjmp 475f -5409: - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r28,Z+6 - ldd r29,Z+7 - ldd r2,Z+16 - ldd r3,Z+17 - ldd r4,Z+18 - ldd r5,Z+19 - ldd r6,Z+20 - ldd r7,Z+21 - ldd r8,Z+22 - ldd r9,Z+23 - st Z,r2 - std Z+1,r3 - std Z+2,r4 - std Z+3,r5 - std Z+4,r6 - std Z+5,r7 - std Z+6,r8 - std Z+7,r9 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - std Z+20,r26 - std Z+21,r27 - std Z+22,r28 - std Z+23,r29 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r28,Z+14 - ldd r29,Z+15 - ldd r2,Z+24 - ldd r3,Z+25 - ldd r4,Z+26 - ldd 
r5,Z+27 - ldd r6,Z+28 - ldd r7,Z+29 - ldd r8,Z+30 - ldd r9,Z+31 - std Z+8,r2 - std Z+9,r3 - std Z+10,r4 - std Z+11,r5 - std Z+12,r6 - std Z+13,r7 - std Z+14,r8 - std Z+15,r9 - std Z+24,r18 - std Z+25,r19 - std Z+26,r20 - std Z+27,r21 - std Z+28,r26 - std Z+29,r27 - std Z+30,r28 - std Z+31,r29 - rjmp 14b -475: - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size simp_256_permute, .-simp_256_permute - - .text -.global simp_192_permute - .type simp_192_permute, @function -simp_192_permute: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ldi r25,245 - mov r8,r25 - ldi r24,14 - mov r9,r24 - ldi r23,44 - mov r10,r23 - ldi r17,25 - mov r11,r17 - ldi r16,133 - mov r12,r16 - ldi r23,248 - mov r13,r23 - ldi r23,105 - mov r14,r23 - ldi r23,51 - mov r15,r23 -16: - ldi r23,13 -18: - ldd r27,Z+12 - ldd r26,Z+13 - ldd r21,Z+14 - ldd r20,Z+15 - ldd r19,Z+16 - ldd r18,Z+17 - mov r2,r27 - mov r3,r18 - mov r4,r19 - mov r5,r20 - mov r6,r21 - mov r7,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - adc r18,r1 - and r2,r18 - and r3,r19 - and r4,r20 - and r5,r21 - and r6,r26 - and r7,r27 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r26 - rol r27 - adc r18,r1 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - eor r6,r26 - eor r7,r27 - ldd r0,Z+6 - eor r7,r0 - ldd r0,Z+7 - eor r6,r0 - ldd r0,Z+8 - eor r5,r0 - ldd r0,Z+9 - eor r4,r0 - ldd r0,Z+10 - eor r3,r0 - ldd r0,Z+11 - eor r2,r0 - ldd r0,Z+18 - eor r0,r7 - std Z+18,r0 - ldd r0,Z+19 - eor r0,r6 - std Z+19,r0 - ldd r0,Z+20 - eor r0,r5 - std Z+20,r0 - ldd r0,Z+21 - eor r0,r4 - std Z+21,r0 - ldd r0,Z+22 - eor r0,r3 - std Z+22,r0 - ldd r0,Z+23 - eor r0,r2 - std Z+23,r0 - ld r27,Z - ldd r26,Z+1 - ldd r21,Z+2 - ldd r20,Z+3 - ldd r19,Z+4 
- ldd r18,Z+5 - mov r0,r1 - lsr r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - or r27,r0 - movw r2,r18 - movw r4,r20 - movw r6,r26 - bst r2,0 - lsr r7 - ror r6 - ror r5 - ror r4 - ror r3 - ror r2 - bld r7,7 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - eor r26,r6 - eor r27,r7 - ldi r25,252 - eor r18,r25 - com r19 - com r20 - com r21 - com r26 - com r27 - mov r0,r1 - bst r8,0 - lsr r15 - ror r14 - ror r13 - ror r12 - ror r11 - ror r10 - ror r9 - ror r8 - bld r15,5 - bld r0,0 - eor r18,r0 - ldd r0,Z+6 - eor r0,r27 - std Z+6,r0 - ldd r0,Z+7 - eor r0,r26 - std Z+7,r0 - ldd r0,Z+8 - eor r0,r21 - std Z+8,r0 - ldd r0,Z+9 - eor r0,r20 - std Z+9,r0 - ldd r0,Z+10 - eor r0,r19 - std Z+10,r0 - ldd r0,Z+11 - eor r0,r18 - std Z+11,r0 - ldd r7,Z+18 - ldd r6,Z+19 - ldd r5,Z+20 - ldd r4,Z+21 - ldd r3,Z+22 - ldd r2,Z+23 - mov r18,r7 - mov r19,r2 - mov r20,r3 - mov r21,r4 - mov r26,r5 - mov r27,r6 - lsl r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - adc r2,r1 - and r18,r2 - and r19,r3 - and r20,r4 - and r21,r5 - and r26,r6 - and r27,r7 - lsl r2 - rol r3 - rol r4 - rol r5 - rol r6 - rol r7 - adc r2,r1 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - eor r26,r6 - eor r27,r7 - ld r0,Z - eor r27,r0 - ldd r0,Z+1 - eor r26,r0 - ldd r0,Z+2 - eor r21,r0 - ldd r0,Z+3 - eor r20,r0 - ldd r0,Z+4 - eor r19,r0 - ldd r0,Z+5 - eor r18,r0 - ldd r0,Z+12 - eor r0,r27 - std Z+12,r0 - ldd r0,Z+13 - eor r0,r26 - std Z+13,r0 - ldd r0,Z+14 - eor r0,r21 - std Z+14,r0 - ldd r0,Z+15 - eor r0,r20 - std Z+15,r0 - ldd r0,Z+16 - eor r0,r19 - std Z+16,r0 - ldd r0,Z+17 - eor r0,r18 - std Z+17,r0 - ldd r27,Z+6 - ldd r26,Z+7 - ldd r21,Z+8 - ldd r20,Z+9 - ldd r19,Z+10 - ldd r18,Z+11 - mov r0,r1 - lsr r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r27 - ror r26 
- ror r21 - ror r20 - ror r19 - ror r18 - ror r0 - or r27,r0 - movw r2,r18 - movw r4,r20 - movw r6,r26 - bst r18,0 - lsr r27 - ror r26 - ror r21 - ror r20 - ror r19 - ror r18 - bld r27,7 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - eor r6,r26 - eor r7,r27 - eor r2,r25 - com r3 - com r4 - com r5 - com r6 - com r7 - mov r0,r1 - bst r8,0 - lsr r15 - ror r14 - ror r13 - ror r12 - ror r11 - ror r10 - ror r9 - ror r8 - bld r15,5 - bld r0,0 - eor r2,r0 - ld r0,Z - eor r0,r7 - st Z,r0 - ldd r0,Z+1 - eor r0,r6 - std Z+1,r0 - ldd r0,Z+2 - eor r0,r5 - std Z+2,r0 - ldd r0,Z+3 - eor r0,r4 - std Z+3,r0 - ldd r0,Z+4 - eor r0,r3 - std Z+4,r0 - ldd r0,Z+5 - eor r0,r2 - std Z+5,r0 - dec r23 - breq 5323f - rjmp 18b -5323: - dec r22 - breq 375f - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r2,Z+12 - ldd r3,Z+13 - ldd r4,Z+14 - ldd r5,Z+15 - ldd r6,Z+16 - ldd r7,Z+17 - st Z,r2 - std Z+1,r3 - std Z+2,r4 - std Z+3,r5 - std Z+4,r6 - std Z+5,r7 - std Z+12,r18 - std Z+13,r19 - std Z+14,r20 - std Z+15,r21 - std Z+16,r26 - std Z+17,r27 - ldd r18,Z+6 - ldd r19,Z+7 - ldd r20,Z+8 - ldd r21,Z+9 - ldd r26,Z+10 - ldd r27,Z+11 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - std Z+6,r2 - std Z+7,r3 - std Z+8,r4 - std Z+9,r5 - std Z+10,r6 - std Z+11,r7 - std Z+18,r18 - std Z+19,r19 - std Z+20,r20 - std Z+21,r21 - std Z+22,r26 - std Z+23,r27 - rjmp 16b -375: - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size simp_192_permute, .-simp_192_permute - -#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/internal-simp.c b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/internal-simp.c deleted file mode 100644 index 5d2144e..0000000 --- a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/internal-simp.c +++ /dev/null 
@@ -1,172 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-simp.h"
-
-#if !defined(__AVR__)
-
-/**
- * \brief Number of rounds for the inner block cipher within SimP-256.
- */
-#define SIMP_256_ROUNDS 34
-
-/**
- * \brief Number of rounds for the inner block cipher within SimP-192.
- */
-#define SIMP_192_ROUNDS 26
-
-/**
- * \brief Round constants for each of the rounds in SimP-256 or SimP-192.
- *
- * Bit i is the round constant for round i, repeated every 62 rounds.
- */
-#define SIMP_RC 0x3369F885192C0EF5ULL
-
-void simp_256_permute(unsigned char state[SIMP_256_STATE_SIZE], unsigned steps)
-{
- uint64_t z = SIMP_RC;
- uint64_t x0, x1, x2, x3, t0, t1;
- unsigned round;
-
- /* Load the state into local variables */
- x0 = be_load_word64(state);
- x1 = be_load_word64(state + 8);
- x2 = be_load_word64(state + 16);
- x3 = be_load_word64(state + 24);
-
- /* Perform all steps */
- for (; steps > 0; --steps) {
- /* Perform all rounds for this step, two at a time */
- for (round = 0; round < (SIMP_256_ROUNDS / 2); ++round) {
- t1 = x3 ^ (leftRotate1_64(x2) & leftRotate8_64(x2)) ^
- leftRotate2_64(x2) ^ x1;
- t0 = x1 ^ rightRotate3_64(x0) ^ rightRotate4_64(x0) ^
- 0xFFFFFFFFFFFFFFFCULL ^ (z & 1);
- z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */
- x2 = x2 ^ (leftRotate1_64(t1) & leftRotate8_64(t1)) ^
- leftRotate2_64(t1) ^ x0;
- x0 = x0 ^ rightRotate3_64(t0) ^ rightRotate4_64(t0) ^
- 0xFFFFFFFFFFFFFFFCULL ^ (z & 1);
- x1 = t0;
- x3 = t1;
- z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */
- }
-
- /* Swap the words of the state for all steps except the last */
- if (steps > 1) {
- t0 = x0;
- t1 = x1;
- x0 = x2;
- x1 = x3;
- x2 = t0;
- x3 = t1;
- }
- }
-
- /* Write the local variables back to the state */
- be_store_word64(state, x0);
- be_store_word64(state + 8, x1);
- be_store_word64(state + 16, x2);
- be_store_word64(state + 24, x3);
-}
-
-/* Load a big-endian 48-bit word from a byte buffer */
-#define be_load_word48(ptr) \
- ((((uint64_t)((ptr)[0])) << 40) | \
- (((uint64_t)((ptr)[1])) << 32) | \
- (((uint64_t)((ptr)[2])) << 24) | \
- (((uint64_t)((ptr)[3])) << 16) | \
- (((uint64_t)((ptr)[4])) << 8) | \
- ((uint64_t)((ptr)[5])))
-
-/* Store a big-endian 48-bit word into a byte buffer */
-#define be_store_word48(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 40); \
- (ptr)[1] = (uint8_t)(_x >> 32); \
- (ptr)[2] = (uint8_t)(_x >> 24); \
- (ptr)[3] = (uint8_t)(_x >> 16); \
- (ptr)[4] = (uint8_t)(_x >> 8); \
- (ptr)[5] = (uint8_t)_x; \
- } while (0)
-
-/* 48-bit rotations with the high bits set to garbage - truncated later */
-#define rightRotate3_48(x) (((x) >> 3) | ((x) << 45))
-#define rightRotate4_48(x) (((x) >> 4) | ((x) << 44))
-#define leftRotate1_48(x) (((x) << 1) | ((x) >> 47))
-#define leftRotate2_48(x) (((x) << 2) | ((x) >> 46))
-#define leftRotate8_48(x) (((x) << 8) | ((x) >> 40))
-
-void simp_192_permute(unsigned char state[SIMP_192_STATE_SIZE], unsigned steps)
-{
- uint64_t z = SIMP_RC;
- uint64_t x0, x1, x2, x3, t0, t1;
- unsigned round;
-
- /* Load the state into local variables */
- x0 = be_load_word48(state);
- x1 = be_load_word48(state + 6);
- x2 = be_load_word48(state + 12);
- x3 = be_load_word48(state + 18);
-
- /* Perform all steps */
- for (; steps > 0; --steps) {
- /* Perform all rounds for this step, two at a time */
- for (round = 0; round < (SIMP_192_ROUNDS / 2); ++round) {
- t1 = x3 ^ (leftRotate1_48(x2) & leftRotate8_48(x2)) ^
- leftRotate2_48(x2) ^ x1;
- t0 = x1 ^ rightRotate3_48(x0) ^ rightRotate4_48(x0) ^
- 0xFFFFFFFFFFFFFFFCULL ^ (z & 1);
- t0 &= 0x0000FFFFFFFFFFFFULL; /* Truncate back to 48 bits */
- t1 &= 0x0000FFFFFFFFFFFFULL;
- z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */
- x2 = x2 ^ (leftRotate1_48(t1) & leftRotate8_48(t1)) ^
- leftRotate2_48(t1) ^ x0;
- x0 = x0 ^ rightRotate3_48(t0) ^ rightRotate4_48(t0) ^
- 0xFFFFFFFFFFFFFFFCULL ^ (z & 1);
- x0 &= 0x0000FFFFFFFFFFFFULL;
- x2 &= 0x0000FFFFFFFFFFFFULL;
- x1 = t0;
- x3 = t1;
- z = (z >> 1) | (z << 61); /* z repeats every 62 rounds */
- }
-
- /* Swap the words of the state for all steps except the last */
- if (steps > 1) {
- t0 = x0;
- t1 = x1;
- x0 = x2;
- x1 = x3;
- x2 = t0;
- x3 = t1;
- }
- }
-
- /* Write the local variables back to the state */
- be_store_word48(state, x0);
- be_store_word48(state + 6, x1);
- be_store_word48(state + 12, x2);
- be_store_word48(state + 18, x3);
-}
-
-#endif /* !__AVR__ */
diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/internal-simp.h b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/internal-simp.h
deleted file mode 100644
index 3a95e80..0000000
--- a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/internal-simp.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SIMP_H
-#define LW_INTERNAL_SIMP_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-simp.h
- * \brief SimP permutation family.
- *
- * SimP-256 and SimP-192 are used by the Oribatida submission to
- * round 2 of the NIST Lightweight Cryptography Competition.
- * The permutations are built around reduced-round variants of the
- * Simon-128-128 and Simon-96-96 block ciphers.
- *
- * References: https://www.isical.ac.in/~lightweight/oribatida/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief State size of the SimP-256 permutation.
- */
-#define SIMP_256_STATE_SIZE 32
-
-/**
- * \brief State size of the SimP-192 permutation.
- */
-#define SIMP_192_STATE_SIZE 24
-
-/**
- * \brief Permutes a state with SimP-256.
- *
- * \param state State to be permuted.
- * \param steps Number of steps to perform (usually 2 or 4).
- */
-void simp_256_permute(unsigned char state[SIMP_256_STATE_SIZE], unsigned steps);
-
-/**
- * \brief Permutes a state with SimP-192.
- *
- * \param state State to be permuted.
- * \param steps Number of steps to perform (usually 2 or 4).
- */
-void simp_192_permute(unsigned char state[SIMP_192_STATE_SIZE], unsigned steps);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/internal-util.h b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/oribatida.c b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/oribatida.c deleted file mode 100644 index 55a3914..0000000 --- a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/oribatida.c +++ /dev/null 
@@ -1,480 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "oribatida.h"
-#include "internal-simp.h"
-#include
-
-/**
- * \brief Rate for processing data for the Oribatida-256-64 state.
- */
-#define ORIBATIDA_256_RATE 16
-
-/**
- * \brief Size of the masking value for Oribatida-256-64.
- */
-#define ORIBATIDA_256_MASK_SIZE 8
-
-/**
- * \brief Rate for processing data for the Oribatida-192-96 state.
- */
-#define ORIBATIDA_192_RATE 12
-
-/**
- * \brief Size of the masking value for Oribatida-192-96.
- */
-#define ORIBATIDA_192_MASK_SIZE 12
-
-aead_cipher_t const oribatida_256_cipher = {
- "Oribatida-256-64",
- ORIBATIDA_256_KEY_SIZE,
- ORIBATIDA_256_NONCE_SIZE,
- ORIBATIDA_256_TAG_SIZE,
- AEAD_FLAG_NONE,
- oribatida_256_aead_encrypt,
- oribatida_256_aead_decrypt
-};
-
-aead_cipher_t const oribatida_192_cipher = {
- "Oribatida-192-96",
- ORIBATIDA_192_KEY_SIZE,
- ORIBATIDA_192_NONCE_SIZE,
- ORIBATIDA_192_TAG_SIZE,
- AEAD_FLAG_NONE,
- oribatida_192_aead_encrypt,
- oribatida_192_aead_decrypt
-};
-
-/* Definitions for domain separation values */
-#define ORIBATIDA_NUM_DOMAINS 3
-#define ORIBATIDA_DOMAIN_NONCE 0
-#define ORIBATIDA_DOMAIN_AD 1
-#define ORIBATIDA_DOMAIN_MSG 2
-
-/**
- * \brief Gets the domain separation values to use for different phases
- * of the Oribatida encryption process.
- *
- * \param domains Returns the domain separation values to use.
- * \param adlen Length of the associated data.
- * \param mlen Length of the plaintext message.
- * \param rate Rate of processing message blocks, 12 or 16.
- */
-static void oribatida_get_domains
- (unsigned char domains[ORIBATIDA_NUM_DOMAINS],
- unsigned long long adlen, unsigned long long mlen, unsigned rate)
-{
- /* Domain separation value for the nonce */
- if (adlen == 0 && mlen == 0) {
- domains[ORIBATIDA_DOMAIN_NONCE] = 9;
- } else {
- domains[ORIBATIDA_DOMAIN_NONCE] = 5;
- }
-
- /* Domain separation value for associated data processing */
- if (mlen == 0) {
- if ((adlen % rate) == 0)
- domains[ORIBATIDA_DOMAIN_AD] = 12;
- else
- domains[ORIBATIDA_DOMAIN_AD] = 14;
- } else {
- if ((adlen % rate) == 0)
- domains[ORIBATIDA_DOMAIN_AD] = 4;
- else
- domains[ORIBATIDA_DOMAIN_AD] = 6;
- }
-
- /* Domain separation value for message processing */
- if ((mlen % rate) == 0) {
- domains[ORIBATIDA_DOMAIN_MSG] = 13;
- } else {
- domains[ORIBATIDA_DOMAIN_MSG] = 15;
- }
-}
-
-/**
- * \brief Initializes the Oribatida-256-64 state.
- *
- * \param state Oribatida-256-64 permutation state.
- * \param mask Oribatida-256-64 masking state.
- * \param domains Precomputed domain separation values.
- * \param k Points to the key.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data.
- */
-static void oribatida_256_init
- (unsigned char state[SIMP_256_STATE_SIZE],
- unsigned char mask[ORIBATIDA_256_MASK_SIZE],
- const unsigned char domains[ORIBATIDA_NUM_DOMAINS],
- const unsigned char *k, const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned temp;
-
- /* Initialize the state with the key and nonce */
- memcpy(state, npub, ORIBATIDA_256_NONCE_SIZE);
- memcpy(state + ORIBATIDA_256_NONCE_SIZE, k, ORIBATIDA_256_KEY_SIZE);
-
- /* Use the current state as the mask for zero-length associated data */
- if (adlen == 0) {
- memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE,
- ORIBATIDA_256_MASK_SIZE);
- }
-
- /* Add the domain separation value for the nonce */
- state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_NONCE];
-
- /* Run the permutation for the first time */
- simp_256_permute(state, 4);
-
- /* If there is no associated data, then we are done */
- if (adlen == 0)
- return;
-
- /* Use the current state as the mask for non-zero length associated data */
- memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE,
- ORIBATIDA_256_MASK_SIZE);
-
- /* Process all associated data blocks except the last */
- while (adlen > ORIBATIDA_256_RATE) {
- lw_xor_block(state, ad, ORIBATIDA_256_RATE);
- simp_256_permute(state, 2);
- ad += ORIBATIDA_256_RATE;
- adlen -= ORIBATIDA_256_RATE;
- }
-
- /* Process the final associated data block */
- temp = (unsigned)adlen;
- if (temp == ORIBATIDA_256_RATE) {
- lw_xor_block(state, ad, ORIBATIDA_256_RATE);
- } else {
- lw_xor_block(state, ad, temp);
- state[temp] ^= 0x80; /* padding */
- }
- state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_AD];
- simp_256_permute(state, 4);
-}
-
-/**
- * \brief Initializes the Oribatida-192-96 state.
- *
- * \param state Oribatida-192-96 permutation state.
- * \param mask Oribatida-192-96 masking state.
- * \param domains Precomputed domain separation values.
- * \param k Points to the key.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data.
- */
-static void oribatida_192_init
- (unsigned char state[SIMP_192_STATE_SIZE],
- unsigned char mask[ORIBATIDA_192_MASK_SIZE],
- const unsigned char domains[ORIBATIDA_NUM_DOMAINS],
- const unsigned char *k, const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned temp;
-
- /* Initialize the state with the key and nonce */
- memcpy(state, npub, ORIBATIDA_192_NONCE_SIZE);
- memcpy(state + ORIBATIDA_192_NONCE_SIZE, k, ORIBATIDA_256_KEY_SIZE);
-
- /* Use the current state as the mask for zero-length associated data */
- if (adlen == 0) {
- memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE,
- ORIBATIDA_192_MASK_SIZE);
- }
-
- /* Add the domain separation value for the nonce */
- state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_NONCE];
-
- /* Run the permutation for the first time */
- simp_192_permute(state, 4);
-
- /* If there is no associated data, then we are done */
- if (adlen == 0)
- return;
-
- /* Use the current state as the mask for non-zero length associated data */
- memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE,
- ORIBATIDA_192_MASK_SIZE);
-
- /* Process all associated data blocks except the last */
- while (adlen > ORIBATIDA_192_RATE) {
- lw_xor_block(state, ad, ORIBATIDA_192_RATE);
- simp_192_permute(state, 2);
- ad += ORIBATIDA_192_RATE;
- adlen -= ORIBATIDA_192_RATE;
- }
-
- /* Process the final associated data block */
- temp = (unsigned)adlen;
- if (temp == ORIBATIDA_192_RATE) {
- lw_xor_block(state, ad, ORIBATIDA_192_RATE);
- } else {
- lw_xor_block(state, ad, temp);
- state[temp] ^= 0x80; /* padding */
- }
- state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_AD];
- simp_192_permute(state, 4);
-}
-
-int oribatida_256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char state[SIMP_256_STATE_SIZE];
- unsigned char mask[ORIBATIDA_256_MASK_SIZE];
- unsigned char domains[ORIBATIDA_NUM_DOMAINS];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ORIBATIDA_256_TAG_SIZE;
-
- /* Initialize the state and absorb the associated data */
- oribatida_get_domains(domains, adlen, mlen, ORIBATIDA_256_RATE);
- oribatida_256_init(state, mask, domains, k, npub, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- while (mlen > ORIBATIDA_256_RATE) {
- lw_xor_block_2_dest(c, state, m, ORIBATIDA_256_RATE);
- lw_xor_block(c + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE,
- mask, ORIBATIDA_256_MASK_SIZE);
- memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE,
- ORIBATIDA_256_MASK_SIZE);
- simp_256_permute(state, 4);
- c += ORIBATIDA_256_RATE;
- m += ORIBATIDA_256_RATE;
- mlen -= ORIBATIDA_256_RATE;
- }
- if (mlen == ORIBATIDA_256_RATE) {
- lw_xor_block_2_dest(c, state, m, ORIBATIDA_256_RATE);
- lw_xor_block(c + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE,
- mask, ORIBATIDA_256_MASK_SIZE);
- state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG];
- simp_256_permute(state, 4);
- } else if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_dest(c, state, m, temp);
- if (temp > (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE)) {
- lw_xor_block
- (c + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, mask,
- temp - (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE));
- }
- state[temp] ^= 0x80; /* padding */
- state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG];
- simp_256_permute(state, 4);
- }
-
- /* Generate the authentication tag */
- memcpy(c + mlen, state, ORIBATIDA_256_TAG_SIZE);
- return 0;
-}
-
-int oribatida_256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char state[SIMP_256_STATE_SIZE];
- unsigned char mask[ORIBATIDA_256_MASK_SIZE];
- unsigned char domains[ORIBATIDA_NUM_DOMAINS];
- unsigned char block[ORIBATIDA_256_RATE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ORIBATIDA_256_TAG_SIZE)
- return -1;
- *mlen = clen - ORIBATIDA_256_TAG_SIZE;
-
- /* Initialize the state and absorb the associated data */
- clen -= ORIBATIDA_256_TAG_SIZE;
- oribatida_get_domains(domains, adlen, clen, ORIBATIDA_256_RATE);
- oribatida_256_init(state, mask, domains, k, npub, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- while (clen > ORIBATIDA_256_RATE) {
- memcpy(block, c, ORIBATIDA_256_RATE);
- lw_xor_block(block + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE,
- mask, ORIBATIDA_256_MASK_SIZE);
- lw_xor_block_swap(m, state, block, ORIBATIDA_256_RATE);
- memcpy(mask, state + SIMP_256_STATE_SIZE - ORIBATIDA_256_MASK_SIZE,
- ORIBATIDA_256_MASK_SIZE);
- simp_256_permute(state, 4);
- c += ORIBATIDA_256_RATE;
- m += ORIBATIDA_256_RATE;
- clen -= ORIBATIDA_256_RATE;
- }
- if (clen == ORIBATIDA_256_RATE) {
- memcpy(block, c, ORIBATIDA_256_RATE);
- lw_xor_block(block + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE,
- mask, ORIBATIDA_256_MASK_SIZE);
- lw_xor_block_swap(m, state, block, ORIBATIDA_256_RATE);
- state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG];
- simp_256_permute(state, 4);
- } else if (clen > 0) {
- unsigned temp = (unsigned)clen;
- memcpy(block, c, temp);
- if (temp > (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE)) {
- lw_xor_block
- (block + ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE, mask,
- temp - (ORIBATIDA_256_RATE - ORIBATIDA_256_MASK_SIZE));
- }
- lw_xor_block_swap(m, state, block, temp);
- state[temp] ^= 0x80; /* padding */
- state[SIMP_256_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG];
- simp_256_permute(state, 4);
- }
- c += clen;
-
- /* Check the authentication tag */
- return aead_check_tag(mtemp, *mlen, state, c, ORIBATIDA_256_TAG_SIZE);
-}
-
-int oribatida_192_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char state[SIMP_192_STATE_SIZE];
- unsigned char mask[ORIBATIDA_192_MASK_SIZE];
- unsigned char domains[ORIBATIDA_NUM_DOMAINS];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ORIBATIDA_192_TAG_SIZE;
-
- /* Initialize the state and absorb the associated data */
- oribatida_get_domains(domains, adlen, mlen, ORIBATIDA_192_RATE);
- oribatida_192_init(state, mask, domains, k, npub, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- while (mlen > ORIBATIDA_192_RATE) {
- lw_xor_block_2_dest(c, state, m, ORIBATIDA_192_RATE);
- lw_xor_block(c + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE,
- mask, ORIBATIDA_192_MASK_SIZE);
- memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE,
- ORIBATIDA_192_MASK_SIZE);
- simp_192_permute(state, 4);
- c += ORIBATIDA_192_RATE;
- m += ORIBATIDA_192_RATE;
- mlen -= ORIBATIDA_192_RATE;
- }
- if (mlen == ORIBATIDA_192_RATE) {
- lw_xor_block_2_dest(c, state, m, ORIBATIDA_192_RATE);
- lw_xor_block(c + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE,
- mask, ORIBATIDA_192_MASK_SIZE);
- state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG];
- simp_192_permute(state, 4);
- } else if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_dest(c, state, m, temp);
- if (temp > (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)) {
- lw_xor_block
- (c + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, mask,
- temp - (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE));
- }
- state[temp] ^= 0x80; /* padding */
- state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG];
- simp_192_permute(state, 4);
- }
-
- /* Generate the authentication tag */
- memcpy(c + mlen, state, ORIBATIDA_192_TAG_SIZE);
- return 0;
-}
-
-int oribatida_192_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char state[SIMP_192_STATE_SIZE];
- unsigned char mask[ORIBATIDA_192_MASK_SIZE];
- unsigned char domains[ORIBATIDA_NUM_DOMAINS];
- unsigned char block[ORIBATIDA_192_RATE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ORIBATIDA_192_TAG_SIZE)
- return -1;
- *mlen = clen - ORIBATIDA_192_TAG_SIZE;
-
- /* Initialize the state and absorb the associated data */
- clen -= ORIBATIDA_192_TAG_SIZE;
- oribatida_get_domains(domains, adlen, clen, ORIBATIDA_192_RATE);
- oribatida_192_init(state, mask, domains, k, npub, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- while (clen > ORIBATIDA_192_RATE) {
- memcpy(block, c, ORIBATIDA_192_RATE);
- lw_xor_block(block + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE,
- mask, ORIBATIDA_192_MASK_SIZE);
- lw_xor_block_swap(m, state, block, ORIBATIDA_192_RATE);
- memcpy(mask, state + SIMP_192_STATE_SIZE - ORIBATIDA_192_MASK_SIZE,
- ORIBATIDA_192_MASK_SIZE);
- simp_192_permute(state, 4);
- c += ORIBATIDA_192_RATE;
- m += ORIBATIDA_192_RATE;
- clen -= ORIBATIDA_192_RATE;
- }
- if (clen == ORIBATIDA_192_RATE) {
- memcpy(block, c, ORIBATIDA_192_RATE);
- lw_xor_block(block + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE,
- mask, ORIBATIDA_192_MASK_SIZE);
- lw_xor_block_swap(m, state, block, ORIBATIDA_192_RATE);
- state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG];
- simp_192_permute(state, 4);
- } else if (clen > 0) {
- unsigned temp = (unsigned)clen;
- memcpy(block, c, temp);
- if (temp > (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE)) {
- lw_xor_block
- (block + ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE, mask,
- temp - (ORIBATIDA_192_RATE - ORIBATIDA_192_MASK_SIZE));
- }
- lw_xor_block_swap(m, state, block, temp);
- state[temp] ^= 0x80; /* padding */
- state[SIMP_192_STATE_SIZE - 1] ^= domains[ORIBATIDA_DOMAIN_MSG];
- simp_192_permute(state, 4);
- }
- c += clen;
-
- /* Check the authentication tag */
- return aead_check_tag(mtemp, *mlen, state, c, ORIBATIDA_192_TAG_SIZE);
-}
diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/oribatida.h b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/oribatida.h
deleted file mode 100644
index dbc374b..0000000
--- a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys-avr/oribatida.h
+++ /dev/null
@@ -1,212 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_ORIBATIDA_H
-#define LWCRYPTO_ORIBATIDA_H
-
-#include "aead-common.h"
-
-/**
- * \file oribatida.h
- * \brief Oribatida authenticated encryption algorithm.
- *
- * Oribatida is a family of authenticated encryption algorithms based on the
- * SimP-256 and SimP-192 permutations which are built around reduced-round
- * variants of the Simon-128-128 and Simon-96-96 block ciphers.
- * There are two algorithms in the family:
- *
- * \li Oribatida-256-64 with a 128-bit key, a 128-bit nonce, and a 128-bit tag,
- * built around the SimP-256 permutation. This is the primary member of
- * the family.
- * \li Oribatida-192-96 with a 128-bit key, a 64-bit nonce, and a 96-bit tag,
- * built around the SimP-192 permutation.
- *
- * References: https://www.isical.ac.in/~lightweight/oribatida/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for Oribatida-256-64.
- */
-#define ORIBATIDA_256_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Oribatida-256-64.
- */
-#define ORIBATIDA_256_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for Oribatida-256-64.
- */
-#define ORIBATIDA_256_NONCE_SIZE 16
-
-/**
- * \brief Size of the key for Oribatida-192-96.
- */
-#define ORIBATIDA_192_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Oribatida-192-96.
- */
-#define ORIBATIDA_192_TAG_SIZE 12
-
-/**
- * \brief Size of the nonce for Oribatida-192-96.
- */
-#define ORIBATIDA_192_NONCE_SIZE 8
-
-/**
- * \brief Meta-information block for the Oribatida-256-64 cipher.
- */
-extern aead_cipher_t const oribatida_256_cipher;
-
-/**
- * \brief Meta-information block for the Oribatida-192-96 cipher.
- */
-extern aead_cipher_t const oribatida_192_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with Oribatida-256-64.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa oribatida_256_aead_decrypt()
- */
-int oribatida_256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Oribatida-256-64.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa oribatida_256_aead_encrypt()
- */
-int oribatida_256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Oribatida-192-96.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 12 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 8 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa oribatida_192_aead_decrypt()
- */
-int oribatida_192_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Oribatida-192-96.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 12 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 8 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa oribatida_192_aead_encrypt()
- */
-int oribatida_192_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp-avr.S b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp-avr.S
new file mode 100644
index 0000000..65fba20
--- /dev/null
+++ b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp-avr.S
@@ -0,0 +1,949 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global simp_256_permute + .type simp_256_permute, @function +simp_256_permute: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ldi r23,245 + mov r10,r23 + ldi r17,14 + mov r11,r17 + ldi r16,44 + mov r12,r16 + ldi r23,25 + mov r13,r23 + ldi r23,133 + mov r14,r23 + ldi r23,248 + mov r15,r23 + ldi r24,105 + ldi r25,51 +14: + ldi r23,17 +16: + ldd r29,Z+16 + ldd r28,Z+17 + ldd r27,Z+18 + ldd r26,Z+19 + ldd r21,Z+20 + ldd r20,Z+21 + ldd r19,Z+22 + ldd r18,Z+23 + mov r2,r29 + mov r3,r18 + mov r4,r19 + mov r5,r20 + mov r6,r21 + mov r7,r26 + mov r8,r27 + mov r9,r28 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + rol r28 + rol r29 + adc r18,r1 + and r2,r18 + and r3,r19 + and r4,r20 + and r5,r21 + and r6,r26 + and r7,r27 + and r8,r28 + and r9,r29 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + rol r28 + rol r29 + adc r18,r1 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + eor r6,r26 + eor r7,r27 + eor r8,r28 + eor r9,r29 + ldd r0,Z+8 + eor r9,r0 + ldd r0,Z+9 + eor r8,r0 + ldd r0,Z+10 + eor r7,r0 + ldd r0,Z+11 + eor r6,r0 + ldd r0,Z+12 + eor r5,r0 + ldd r0,Z+13 + eor r4,r0 + ldd r0,Z+14 + eor r3,r0 + ldd r0,Z+15 + eor r2,r0 + ldd r0,Z+24 + eor r0,r9 + std Z+24,r0 + ldd r0,Z+25 + eor r0,r8 + std Z+25,r0 + ldd r0,Z+26 + eor r0,r7 + std Z+26,r0 + ldd r0,Z+27 + eor r0,r6 + std Z+27,r0 + ldd r0,Z+28 + eor r0,r5 + std Z+28,r0 + ldd r0,Z+29 + eor r0,r4 + std Z+29,r0 + ldd r0,Z+30 + eor r0,r3 + std Z+30,r0 + ldd r0,Z+31 + eor r0,r2 + std Z+31,r0 + ld r29,Z + ldd r28,Z+1 + ldd r27,Z+2 + ldd r26,Z+3 + ldd r21,Z+4 + ldd r20,Z+5 + ldd r19,Z+6 + ldd r18,Z+7 + mov r0,r1 + lsr r29 + ror r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r29 + ror 
r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r29 + ror r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + or r29,r0 + movw r2,r18 + movw r4,r20 + movw r6,r26 + movw r8,r28 + bst r2,0 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r5 + ror r4 + ror r3 + ror r2 + bld r9,7 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + eor r26,r6 + eor r27,r7 + eor r28,r8 + eor r29,r9 + ldi r17,252 + eor r18,r17 + com r19 + com r20 + com r21 + com r26 + com r27 + com r28 + com r29 + mov r0,r1 + bst r10,0 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r11 + ror r10 + bld r25,5 + bld r0,0 + eor r18,r0 + ldd r0,Z+8 + eor r0,r29 + std Z+8,r0 + ldd r0,Z+9 + eor r0,r28 + std Z+9,r0 + ldd r0,Z+10 + eor r0,r27 + std Z+10,r0 + ldd r0,Z+11 + eor r0,r26 + std Z+11,r0 + ldd r0,Z+12 + eor r0,r21 + std Z+12,r0 + ldd r0,Z+13 + eor r0,r20 + std Z+13,r0 + ldd r0,Z+14 + eor r0,r19 + std Z+14,r0 + ldd r0,Z+15 + eor r0,r18 + std Z+15,r0 + ldd r9,Z+24 + ldd r8,Z+25 + ldd r7,Z+26 + ldd r6,Z+27 + ldd r5,Z+28 + ldd r4,Z+29 + ldd r3,Z+30 + ldd r2,Z+31 + mov r18,r9 + mov r19,r2 + mov r20,r3 + mov r21,r4 + mov r26,r5 + mov r27,r6 + mov r28,r7 + mov r29,r8 + lsl r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + adc r2,r1 + and r18,r2 + and r19,r3 + and r20,r4 + and r21,r5 + and r26,r6 + and r27,r7 + and r28,r8 + and r29,r9 + lsl r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + rol r8 + rol r9 + adc r2,r1 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + eor r26,r6 + eor r27,r7 + eor r28,r8 + eor r29,r9 + ld r0,Z + eor r29,r0 + ldd r0,Z+1 + eor r28,r0 + ldd r0,Z+2 + eor r27,r0 + ldd r0,Z+3 + eor r26,r0 + ldd r0,Z+4 + eor r21,r0 + ldd r0,Z+5 + eor r20,r0 + ldd r0,Z+6 + eor r19,r0 + ldd r0,Z+7 + eor r18,r0 + ldd r0,Z+16 + eor r0,r29 + std Z+16,r0 + ldd r0,Z+17 + eor r0,r28 + std Z+17,r0 + ldd r0,Z+18 + eor r0,r27 + std Z+18,r0 + ldd r0,Z+19 + eor r0,r26 + std Z+19,r0 + ldd r0,Z+20 + eor r0,r21 + std Z+20,r0 + ldd 
r0,Z+21 + eor r0,r20 + std Z+21,r0 + ldd r0,Z+22 + eor r0,r19 + std Z+22,r0 + ldd r0,Z+23 + eor r0,r18 + std Z+23,r0 + ldd r29,Z+8 + ldd r28,Z+9 + ldd r27,Z+10 + ldd r26,Z+11 + ldd r21,Z+12 + ldd r20,Z+13 + ldd r19,Z+14 + ldd r18,Z+15 + mov r0,r1 + lsr r29 + ror r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r29 + ror r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r29 + ror r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + or r29,r0 + movw r2,r18 + movw r4,r20 + movw r6,r26 + movw r8,r28 + bst r18,0 + lsr r29 + ror r28 + ror r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + bld r29,7 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + eor r6,r26 + eor r7,r27 + eor r8,r28 + eor r9,r29 + eor r2,r17 + com r3 + com r4 + com r5 + com r6 + com r7 + com r8 + com r9 + mov r0,r1 + bst r10,0 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r13 + ror r12 + ror r11 + ror r10 + bld r25,5 + bld r0,0 + eor r2,r0 + ld r0,Z + eor r0,r9 + st Z,r0 + ldd r0,Z+1 + eor r0,r8 + std Z+1,r0 + ldd r0,Z+2 + eor r0,r7 + std Z+2,r0 + ldd r0,Z+3 + eor r0,r6 + std Z+3,r0 + ldd r0,Z+4 + eor r0,r5 + std Z+4,r0 + ldd r0,Z+5 + eor r0,r4 + std Z+5,r0 + ldd r0,Z+6 + eor r0,r3 + std Z+6,r0 + ldd r0,Z+7 + eor r0,r2 + std Z+7,r0 + dec r23 + breq 5407f + rjmp 16b +5407: + dec r22 + brne 5409f + rjmp 475f +5409: + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r28,Z+6 + ldd r29,Z+7 + ldd r2,Z+16 + ldd r3,Z+17 + ldd r4,Z+18 + ldd r5,Z+19 + ldd r6,Z+20 + ldd r7,Z+21 + ldd r8,Z+22 + ldd r9,Z+23 + st Z,r2 + std Z+1,r3 + std Z+2,r4 + std Z+3,r5 + std Z+4,r6 + std Z+5,r7 + std Z+6,r8 + std Z+7,r9 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + std Z+20,r26 + std Z+21,r27 + std Z+22,r28 + std Z+23,r29 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r28,Z+14 + ldd r29,Z+15 + ldd r2,Z+24 + ldd r3,Z+25 + ldd r4,Z+26 + ldd 
r5,Z+27 + ldd r6,Z+28 + ldd r7,Z+29 + ldd r8,Z+30 + ldd r9,Z+31 + std Z+8,r2 + std Z+9,r3 + std Z+10,r4 + std Z+11,r5 + std Z+12,r6 + std Z+13,r7 + std Z+14,r8 + std Z+15,r9 + std Z+24,r18 + std Z+25,r19 + std Z+26,r20 + std Z+27,r21 + std Z+28,r26 + std Z+29,r27 + std Z+30,r28 + std Z+31,r29 + rjmp 14b +475: + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size simp_256_permute, .-simp_256_permute + + .text +.global simp_192_permute + .type simp_192_permute, @function +simp_192_permute: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ldi r25,245 + mov r8,r25 + ldi r24,14 + mov r9,r24 + ldi r23,44 + mov r10,r23 + ldi r17,25 + mov r11,r17 + ldi r16,133 + mov r12,r16 + ldi r23,248 + mov r13,r23 + ldi r23,105 + mov r14,r23 + ldi r23,51 + mov r15,r23 +16: + ldi r23,13 +18: + ldd r27,Z+12 + ldd r26,Z+13 + ldd r21,Z+14 + ldd r20,Z+15 + ldd r19,Z+16 + ldd r18,Z+17 + mov r2,r27 + mov r3,r18 + mov r4,r19 + mov r5,r20 + mov r6,r21 + mov r7,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + adc r18,r1 + and r2,r18 + and r3,r19 + and r4,r20 + and r5,r21 + and r6,r26 + and r7,r27 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r26 + rol r27 + adc r18,r1 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + eor r6,r26 + eor r7,r27 + ldd r0,Z+6 + eor r7,r0 + ldd r0,Z+7 + eor r6,r0 + ldd r0,Z+8 + eor r5,r0 + ldd r0,Z+9 + eor r4,r0 + ldd r0,Z+10 + eor r3,r0 + ldd r0,Z+11 + eor r2,r0 + ldd r0,Z+18 + eor r0,r7 + std Z+18,r0 + ldd r0,Z+19 + eor r0,r6 + std Z+19,r0 + ldd r0,Z+20 + eor r0,r5 + std Z+20,r0 + ldd r0,Z+21 + eor r0,r4 + std Z+21,r0 + ldd r0,Z+22 + eor r0,r3 + std Z+22,r0 + ldd r0,Z+23 + eor r0,r2 + std Z+23,r0 + ld r27,Z + ldd r26,Z+1 + ldd r21,Z+2 + ldd r20,Z+3 + ldd r19,Z+4 
+ ldd r18,Z+5 + mov r0,r1 + lsr r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + or r27,r0 + movw r2,r18 + movw r4,r20 + movw r6,r26 + bst r2,0 + lsr r7 + ror r6 + ror r5 + ror r4 + ror r3 + ror r2 + bld r7,7 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + eor r26,r6 + eor r27,r7 + ldi r25,252 + eor r18,r25 + com r19 + com r20 + com r21 + com r26 + com r27 + mov r0,r1 + bst r8,0 + lsr r15 + ror r14 + ror r13 + ror r12 + ror r11 + ror r10 + ror r9 + ror r8 + bld r15,5 + bld r0,0 + eor r18,r0 + ldd r0,Z+6 + eor r0,r27 + std Z+6,r0 + ldd r0,Z+7 + eor r0,r26 + std Z+7,r0 + ldd r0,Z+8 + eor r0,r21 + std Z+8,r0 + ldd r0,Z+9 + eor r0,r20 + std Z+9,r0 + ldd r0,Z+10 + eor r0,r19 + std Z+10,r0 + ldd r0,Z+11 + eor r0,r18 + std Z+11,r0 + ldd r7,Z+18 + ldd r6,Z+19 + ldd r5,Z+20 + ldd r4,Z+21 + ldd r3,Z+22 + ldd r2,Z+23 + mov r18,r7 + mov r19,r2 + mov r20,r3 + mov r21,r4 + mov r26,r5 + mov r27,r6 + lsl r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + adc r2,r1 + and r18,r2 + and r19,r3 + and r20,r4 + and r21,r5 + and r26,r6 + and r27,r7 + lsl r2 + rol r3 + rol r4 + rol r5 + rol r6 + rol r7 + adc r2,r1 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + eor r26,r6 + eor r27,r7 + ld r0,Z + eor r27,r0 + ldd r0,Z+1 + eor r26,r0 + ldd r0,Z+2 + eor r21,r0 + ldd r0,Z+3 + eor r20,r0 + ldd r0,Z+4 + eor r19,r0 + ldd r0,Z+5 + eor r18,r0 + ldd r0,Z+12 + eor r0,r27 + std Z+12,r0 + ldd r0,Z+13 + eor r0,r26 + std Z+13,r0 + ldd r0,Z+14 + eor r0,r21 + std Z+14,r0 + ldd r0,Z+15 + eor r0,r20 + std Z+15,r0 + ldd r0,Z+16 + eor r0,r19 + std Z+16,r0 + ldd r0,Z+17 + eor r0,r18 + std Z+17,r0 + ldd r27,Z+6 + ldd r26,Z+7 + ldd r21,Z+8 + ldd r20,Z+9 + ldd r19,Z+10 + ldd r18,Z+11 + mov r0,r1 + lsr r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r27 + ror r26 
+ ror r21 + ror r20 + ror r19 + ror r18 + ror r0 + or r27,r0 + movw r2,r18 + movw r4,r20 + movw r6,r26 + bst r18,0 + lsr r27 + ror r26 + ror r21 + ror r20 + ror r19 + ror r18 + bld r27,7 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + eor r6,r26 + eor r7,r27 + eor r2,r25 + com r3 + com r4 + com r5 + com r6 + com r7 + mov r0,r1 + bst r8,0 + lsr r15 + ror r14 + ror r13 + ror r12 + ror r11 + ror r10 + ror r9 + ror r8 + bld r15,5 + bld r0,0 + eor r2,r0 + ld r0,Z + eor r0,r7 + st Z,r0 + ldd r0,Z+1 + eor r0,r6 + std Z+1,r0 + ldd r0,Z+2 + eor r0,r5 + std Z+2,r0 + ldd r0,Z+3 + eor r0,r4 + std Z+3,r0 + ldd r0,Z+4 + eor r0,r3 + std Z+4,r0 + ldd r0,Z+5 + eor r0,r2 + std Z+5,r0 + dec r23 + breq 5323f + rjmp 18b +5323: + dec r22 + breq 375f + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r2,Z+12 + ldd r3,Z+13 + ldd r4,Z+14 + ldd r5,Z+15 + ldd r6,Z+16 + ldd r7,Z+17 + st Z,r2 + std Z+1,r3 + std Z+2,r4 + std Z+3,r5 + std Z+4,r6 + std Z+5,r7 + std Z+12,r18 + std Z+13,r19 + std Z+14,r20 + std Z+15,r21 + std Z+16,r26 + std Z+17,r27 + ldd r18,Z+6 + ldd r19,Z+7 + ldd r20,Z+8 + ldd r21,Z+9 + ldd r26,Z+10 + ldd r27,Z+11 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + std Z+6,r2 + std Z+7,r3 + std Z+8,r4 + std Z+9,r5 + std Z+10,r6 + std Z+11,r7 + std Z+18,r18 + std Z+19,r19 + std Z+20,r20 + std Z+21,r21 + std Z+22,r26 + std Z+23,r27 + rjmp 16b +375: + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size simp_192_permute, .-simp_192_permute + +#endif diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.c b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.c index 4ca50d0..5d2144e 100644 --- a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.c 
+++ b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-simp.c @@ -22,6 +22,8 @@ #include "internal-simp.h" +#if !defined(__AVR__) + /** * \brief Number of rounds for the inner block cipher within SimP-256. */ @@ -166,3 +168,5 @@ void simp_192_permute(unsigned char state[SIMP_192_STATE_SIZE], unsigned steps) be_store_word48(state + 12, x2); be_store_word48(state + 18, x3); } + +#endif /* !__AVR__ */ diff --git a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-util.h b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-util.h index e79158c..e30166d 100644 --- a/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-util.h +++ b/oribatida/Implementations/crypto_aead/oribatida256v12/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
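Review bot: Wrapping the C bodies in `#if !defined(__AVR__)` leaves the AVR assembly as the only implementation of `simp_192_permute` on that target, and its contract for `steps` is narrower than the `unsigned steps` prototype shown in the `@@ -166` hunk header: the assembly loop above takes the state pointer with `movw r30,r24`, tests the step count only via `dec r22` / `breq 375f` after a full 13-round step, and reuses r23 (`ldi r23,13`) as the round counter, so under the avr-gcc convention (second 16-bit argument in r23:r22, as I read it) only the low byte of `steps` is honoured and a count of 0 runs 256 steps. That is harmless for the small fixed counts a cipher passes, but nothing in either file records the restriction; `simp_256_permute` is mostly outside this view and presumably follows the same pattern. I would add next to the new guard: `/* On AVR these permutations come from the assembly implementation, which uses only the low 8 bits of "steps" and always performs at least one step. */`, or have the assembly test r22 before the first step.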
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/aead-common.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
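Review bot: The composed macros in this hunk nest the generic `leftRotate()`/`rightRotate()` up to five deep (`leftRotate12`, `leftRotate20`, `leftRotate28`), and nothing states the precondition that makes that safe: the generic rotate must evaluate its argument exactly once, which the statement-expression form with `_temp` visible in the `@@ -254` hunk appears to do, whereas a plain shift/or macro would evaluate it 2^5 = 32 times and repeat any side effects. I would record that above `leftRotate1`: `/* The composed rotations below rely on leftRotate()/rightRotate() evaluating their argument once; do not swap in a naive shift-or macro. */`. The counts themselves check out (each N is 8k±m with m<=4, and rightRotateN maps to leftRotate(32-N) for N=1..31), but this branch only compiles under `__AVR__`, so host-side tests never exercise it; a small test that forces `LW_CRYPTO_ROTATE32_COMPOSED` to 1 and compares every `leftRotateN(x)` with `leftRotate(x, N)` would catch a future typo.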
--- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/aead-common.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/api.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/encrypt.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/encrypt.c deleted file mode 100644 index a36c2ea..0000000 --- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@ - -#include "photon-beetle.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return photon_beetle_128_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return photon_beetle_128_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/internal-photon256.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/internal-photon256.c deleted file mode 100644 index b8743fe..0000000 --- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/internal-photon256.c +++ /dev/null 
@@ -1,479 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-photon256.h" -#include "internal-util.h" - -/** - * \brief Number of rounds in the PHOTON-256 permutation in bit-sliced form. - */ -#define PHOTON256_ROUNDS 12 - -/* Round constants for PHOTON-256 */ -static uint32_t const photon256_rc[PHOTON256_ROUNDS] = { - 0x96d2f0e1, 0xb4f0d2c3, 0xf0b49687, 0x692d0f1e, - 0x5a1e3c2d, 0x3c785a4b, 0xe1a58796, 0x4b0f2d3c, - 0x1e5a7869, 0xa5e1c3d2, 0xd296b4a5, 0x2d694b5a -}; - -/** - * \brief Evaluates the PHOTON-256 S-box in bit-sliced form. - * - * \param x0 Slice with bit 0 of all nibbles. - * \param x1 Slice with bit 1 of all nibbles. - * \param x2 Slice with bit 2 of all nibbles. - * \param x3 Slice with bit 3 of all nibbles. 
- * - * This bit-sliced S-box implementation is based on the AVR version - * "add_avr8_bitslice_asm" from the PHOTON-Beetle reference code. - */ -#define photon256_sbox(x0, x1, x2, x3) \ - do { \ - x1 ^= x2; \ - x3 ^= (x2 & x1); \ - t1 = x3; \ - x3 = (x3 & x1) ^ x2; \ - t2 = x3; \ - x3 ^= x0; \ - x3 = ~(x3); \ - x2 = x3; \ - t2 |= x0; \ - x0 ^= t1; \ - x1 ^= x0; \ - x2 |= x1; \ - x2 ^= t1; \ - x1 ^= t2; \ - x3 ^= x1; \ - } while (0) - -/** - * \brief Performs a field multiplication on the 8 nibbles in a row. - * - * \param a Field constant to multiply by. - * \param x Bit-sliced form of the row, with bits 0..3 of each nibble - * in bytes 0..3 of the word. - * - * \return a * x packed into the bytes of a word. - */ -static uint32_t photon256_field_multiply(uint8_t a, uint32_t x) -{ - /* For each 4-bit nibble we need to do this: - * - * result = 0; - * for (bit = 0; bit < 4; ++ bit) { - * if ((a & (1 << bit)) != 0) - * result ^= x; - * if ((x & 0x08) != 0) { - * x = (x << 1) ^ 3; - * } else { - * x = (x << 1); - * } - * } - * - * We don't need to worry about constant time for "a" because it is a - * known constant that isn't data-dependent. But we do need to worry - * about constant time for "x" as it is data. 
- */ - uint32_t result = 0; - uint32_t t; - #define PARALLEL_CONDITIONAL_ADD(bit) \ - do { \ - if ((a) & (1 << (bit))) \ - result ^= x; \ - } while (0) - #define PARALELL_ROTATE() \ - do { \ - t = x >> 24; \ - x = (x << 8) ^ t ^ (t << 8); \ - } while (0) - PARALLEL_CONDITIONAL_ADD(0); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(1); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(2); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(3); - return result; -} - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/** - * \brief Converts a PHOTON-256 state into bit-sliced form. - * - * \param out Points to the converted output. - * \param in Points to the PHOTON-256 state to convert. - */ -static void photon256_to_sliced - (uint32_t out[PHOTON256_STATE_SIZE / 4], - const unsigned char in[PHOTON256_STATE_SIZE]) -{ - /* We first scatter bits 0..3 of the nibbles to bytes 0..3 of the words. - * Then we rearrange the bytes to group all bits N into word N. - * - * Permutation generated with "http://programming.sirrida.de/calcperm.php". 
- * - * P = [0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 - * 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31] - */ - uint32_t t0, t1, t2, t3; - #define TO_BITSLICED_PERM(x) \ - do { \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - } while (0) - #define FROM_BITSLICED_PERM(x) \ - do { \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - } while (0) - t0 = le_load_word32(in); - t1 = le_load_word32(in + 4); - t2 = le_load_word32(in + 8); - t3 = le_load_word32(in + 12); - TO_BITSLICED_PERM(t0); - TO_BITSLICED_PERM(t1); - TO_BITSLICED_PERM(t2); - TO_BITSLICED_PERM(t3); - out[0] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | - ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); - out[1] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | - ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); - out[2] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | - (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); - out[3] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | - ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); - t0 = le_load_word32(in + 16); - t1 = le_load_word32(in + 20); - t2 = le_load_word32(in + 24); - t3 = le_load_word32(in + 28); - TO_BITSLICED_PERM(t0); - TO_BITSLICED_PERM(t1); - TO_BITSLICED_PERM(t2); - TO_BITSLICED_PERM(t3); - out[4] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | - ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); - out[5] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | - ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); - out[6] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | - (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); - out[7] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | - ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); -} - -/** - * \brief Converts 
a PHOTON-256 state from bit-sliced form. - * - * \param out Points to the converted output. - * \param in Points to the PHOTON-256 state to convert. - */ -static void photon256_from_sliced - (unsigned char out[PHOTON256_STATE_SIZE], - const unsigned char in[PHOTON256_STATE_SIZE]) -{ - /* Do the reverse of photon256_to_sliced() */ - uint32_t x0, x1, x2, x3; - x0 = ((uint32_t)(in[0])) | - (((uint32_t)(in[4])) << 8) | - (((uint32_t)(in[8])) << 16) | - (((uint32_t)(in[12])) << 24); - x1 = ((uint32_t)(in[1])) | - (((uint32_t)(in[5])) << 8) | - (((uint32_t)(in[9])) << 16) | - (((uint32_t)(in[13])) << 24); - x2 = ((uint32_t)(in[2])) | - (((uint32_t)(in[6])) << 8) | - (((uint32_t)(in[10])) << 16) | - (((uint32_t)(in[14])) << 24); - x3 = ((uint32_t)(in[3])) | - (((uint32_t)(in[7])) << 8) | - (((uint32_t)(in[11])) << 16) | - (((uint32_t)(in[15])) << 24); - FROM_BITSLICED_PERM(x0); - FROM_BITSLICED_PERM(x1); - FROM_BITSLICED_PERM(x2); - FROM_BITSLICED_PERM(x3); - le_store_word32(out, x0); - le_store_word32(out + 4, x1); - le_store_word32(out + 8, x2); - le_store_word32(out + 12, x3); - x0 = ((uint32_t)(in[16])) | - (((uint32_t)(in[20])) << 8) | - (((uint32_t)(in[24])) << 16) | - (((uint32_t)(in[28])) << 24); - x1 = ((uint32_t)(in[17])) | - (((uint32_t)(in[21])) << 8) | - (((uint32_t)(in[25])) << 16) | - (((uint32_t)(in[29])) << 24); - x2 = ((uint32_t)(in[18])) | - (((uint32_t)(in[22])) << 8) | - (((uint32_t)(in[26])) << 16) | - (((uint32_t)(in[30])) << 24); - x3 = ((uint32_t)(in[19])) | - (((uint32_t)(in[23])) << 8) | - (((uint32_t)(in[27])) << 16) | - (((uint32_t)(in[31])) << 24); - FROM_BITSLICED_PERM(x0); - FROM_BITSLICED_PERM(x1); - FROM_BITSLICED_PERM(x2); - FROM_BITSLICED_PERM(x3); - le_store_word32(out + 16, x0); - le_store_word32(out + 20, x1); - le_store_word32(out + 24, x2); - le_store_word32(out + 28, x3); -} - -#if defined(LW_UTIL_LITTLE_ENDIAN) -/* Index the bit-sliced state bytes in little-endian byte order */ -#define READ_ROW0() \ - (((uint32_t)(S.bytes[0])) | 
\ - (((uint32_t)(S.bytes[4])) << 8) | \ - (((uint32_t)(S.bytes[8])) << 16) | \ - (((uint32_t)(S.bytes[12])) << 24)) -#define READ_ROW1() \ - (((uint32_t)(S.bytes[1])) | \ - (((uint32_t)(S.bytes[5])) << 8) | \ - (((uint32_t)(S.bytes[9])) << 16) | \ - (((uint32_t)(S.bytes[13])) << 24)) -#define READ_ROW2() \ - (((uint32_t)(S.bytes[2])) | \ - (((uint32_t)(S.bytes[6])) << 8) | \ - (((uint32_t)(S.bytes[10])) << 16) | \ - (((uint32_t)(S.bytes[14])) << 24)) -#define READ_ROW3() \ - (((uint32_t)(S.bytes[3])) | \ - (((uint32_t)(S.bytes[7])) << 8) | \ - (((uint32_t)(S.bytes[11])) << 16) | \ - (((uint32_t)(S.bytes[15])) << 24)) -#define READ_ROW4() \ - (((uint32_t)(S.bytes[16])) | \ - (((uint32_t)(S.bytes[20])) << 8) | \ - (((uint32_t)(S.bytes[24])) << 16) | \ - (((uint32_t)(S.bytes[28])) << 24)) -#define READ_ROW5() \ - (((uint32_t)(S.bytes[17])) | \ - (((uint32_t)(S.bytes[21])) << 8) | \ - (((uint32_t)(S.bytes[25])) << 16) | \ - (((uint32_t)(S.bytes[29])) << 24)) -#define READ_ROW6() \ - (((uint32_t)(S.bytes[18])) | \ - (((uint32_t)(S.bytes[22])) << 8) | \ - (((uint32_t)(S.bytes[26])) << 16) | \ - (((uint32_t)(S.bytes[30])) << 24)) -#define READ_ROW7() \ - (((uint32_t)(S.bytes[19])) | \ - (((uint32_t)(S.bytes[23])) << 8) | \ - (((uint32_t)(S.bytes[27])) << 16) | \ - (((uint32_t)(S.bytes[31])) << 24)) -#define WRITE_ROW(row, value) \ - do { \ - if ((row) < 4) { \ - S.bytes[(row)] = (uint8_t)(value); \ - S.bytes[(row) + 4] = (uint8_t)((value) >> 8); \ - S.bytes[(row) + 8] = (uint8_t)((value) >> 16); \ - S.bytes[(row) + 12] = (uint8_t)((value) >> 24); \ - } else { \ - S.bytes[(row) + 12] = (uint8_t)(value); \ - S.bytes[(row) + 16] = (uint8_t)((value) >> 8); \ - S.bytes[(row) + 20] = (uint8_t)((value) >> 16); \ - S.bytes[(row) + 24] = (uint8_t)((value) >> 24); \ - } \ - } while (0) -#else -/* Index the bit-sliced state bytes in big-endian byte order */ -#define READ_ROW0() \ - (((uint32_t)(S.bytes[3])) | \ - (((uint32_t)(S.bytes[7])) << 8) | \ - (((uint32_t)(S.bytes[11])) << 
16) | \ - (((uint32_t)(S.bytes[15])) << 24)) -#define READ_ROW1() \ - (((uint32_t)(S.bytes[2])) | \ - (((uint32_t)(S.bytes[6])) << 8) | \ - (((uint32_t)(S.bytes[10])) << 16) | \ - (((uint32_t)(S.bytes[14])) << 24)) -#define READ_ROW2() \ - (((uint32_t)(S.bytes[1])) | \ - (((uint32_t)(S.bytes[5])) << 8) | \ - (((uint32_t)(S.bytes[9])) << 16) | \ - (((uint32_t)(S.bytes[13])) << 24)) -#define READ_ROW3() \ - (((uint32_t)(S.bytes[0])) | \ - (((uint32_t)(S.bytes[4])) << 8) | \ - (((uint32_t)(S.bytes[8])) << 16) | \ - (((uint32_t)(S.bytes[12])) << 24)) -#define READ_ROW4() \ - (((uint32_t)(S.bytes[19])) | \ - (((uint32_t)(S.bytes[23])) << 8) | \ - (((uint32_t)(S.bytes[27])) << 16) | \ - (((uint32_t)(S.bytes[31])) << 24)) -#define READ_ROW5() \ - (((uint32_t)(S.bytes[18])) | \ - (((uint32_t)(S.bytes[22])) << 8) | \ - (((uint32_t)(S.bytes[26])) << 16) | \ - (((uint32_t)(S.bytes[30])) << 24)) -#define READ_ROW6() \ - (((uint32_t)(S.bytes[17])) | \ - (((uint32_t)(S.bytes[21])) << 8) | \ - (((uint32_t)(S.bytes[25])) << 16) | \ - (((uint32_t)(S.bytes[29])) << 24)) -#define READ_ROW7() \ - (((uint32_t)(S.bytes[16])) | \ - (((uint32_t)(S.bytes[20])) << 8) | \ - (((uint32_t)(S.bytes[24])) << 16) | \ - (((uint32_t)(S.bytes[28])) << 24)) -#define WRITE_ROW(row, value) \ - do { \ - if ((row) < 4) { \ - S.bytes[3 - (row)] = (uint8_t)(value); \ - S.bytes[7 - (row)] = (uint8_t)((value) >> 8); \ - S.bytes[11 - (row)] = (uint8_t)((value) >> 16); \ - S.bytes[15 - (row)] = (uint8_t)((value) >> 24); \ - } else { \ - S.bytes[20 - (row)] = (uint8_t)(value); \ - S.bytes[24 - (row)] = (uint8_t)((value) >> 8); \ - S.bytes[28 - (row)] = (uint8_t)((value) >> 16); \ - S.bytes[32 - (row)] = (uint8_t)((value) >> 24); \ - } \ - } while (0) -#endif - -void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]) -{ - union { - uint32_t words[PHOTON256_STATE_SIZE / 4]; - uint8_t bytes[PHOTON256_STATE_SIZE]; - } S; - uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8; - uint8_t round; - - /* Convert the 
state into bit-sliced form */ - photon256_to_sliced(S.words, state); - - /* Perform all 12 permutation rounds */ - for (round = 0; round < PHOTON256_ROUNDS; ++round) { - /* Add the constants for this round */ - t0 = photon256_rc[round]; - S.words[0] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[1] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[2] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[3] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[4] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[5] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[6] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[7] ^= t0 & 0x01010101U; - - /* Apply the sbox to all nibbles in the state */ - photon256_sbox(S.words[0], S.words[1], S.words[2], S.words[3]); - photon256_sbox(S.words[4], S.words[5], S.words[6], S.words[7]); - - /* Rotate all rows left by the row number. - * - * We do this by applying permutations to the top and bottom words - * to rearrange the bits into the rotated form. Permutations - * generated with "http://programming.sirrida.de/calcperm.php". 
- * - * P_top = [0 1 2 3 4 5 6 7 15 8 9 10 11 12 13 14 22 23 - * 16 17 18 19 20 21 29 30 31 24 25 26 27 28] - * P_bot = [4 5 6 7 0 1 2 3 11 12 13 14 15 8 9 10 18 19 - * 20 21 22 23 16 17 25 26 27 28 29 30 31 24 - */ - #define TOP_ROTATE_PERM(x) \ - do { \ - t1 = (x); \ - bit_permute_step(t1, 0x07030100, 4); \ - bit_permute_step(t1, 0x22331100, 2); \ - bit_permute_step(t1, 0x55005500, 1); \ - (x) = t1; \ - } while (0) - #define BOTTOM_ROTATE_PERM(x) \ - do { \ - t1 = (x); \ - bit_permute_step(t1, 0x080c0e0f, 4); \ - bit_permute_step(t1, 0x22331100, 2); \ - bit_permute_step(t1, 0x55005500, 1); \ - (x) = t1; \ - } while (0) - TOP_ROTATE_PERM(S.words[0]); - TOP_ROTATE_PERM(S.words[1]); - TOP_ROTATE_PERM(S.words[2]); - TOP_ROTATE_PERM(S.words[3]); - BOTTOM_ROTATE_PERM(S.words[4]); - BOTTOM_ROTATE_PERM(S.words[5]); - BOTTOM_ROTATE_PERM(S.words[6]); - BOTTOM_ROTATE_PERM(S.words[7]); - - /* Mix the columns */ - #define MUL(a, x) (photon256_field_multiply((a), (x))) - t0 = READ_ROW0(); - t1 = READ_ROW1(); - t2 = READ_ROW2(); - t3 = READ_ROW3(); - t4 = READ_ROW4(); - t5 = READ_ROW5(); - t6 = READ_ROW6(); - t7 = READ_ROW7(); - t8 = MUL(0x02, t0) ^ MUL(0x04, t1) ^ MUL(0x02, t2) ^ MUL(0x0b, t3) ^ - MUL(0x02, t4) ^ MUL(0x08, t5) ^ MUL(0x05, t6) ^ MUL(0x06, t7); - WRITE_ROW(0, t8); - t8 = MUL(0x0c, t0) ^ MUL(0x09, t1) ^ MUL(0x08, t2) ^ MUL(0x0d, t3) ^ - MUL(0x07, t4) ^ MUL(0x07, t5) ^ MUL(0x05, t6) ^ MUL(0x02, t7); - WRITE_ROW(1, t8); - t8 = MUL(0x04, t0) ^ MUL(0x04, t1) ^ MUL(0x0d, t2) ^ MUL(0x0d, t3) ^ - MUL(0x09, t4) ^ MUL(0x04, t5) ^ MUL(0x0d, t6) ^ MUL(0x09, t7); - WRITE_ROW(2, t8); - t8 = MUL(0x01, t0) ^ MUL(0x06, t1) ^ MUL(0x05, t2) ^ MUL(0x01, t3) ^ - MUL(0x0c, t4) ^ MUL(0x0d, t5) ^ MUL(0x0f, t6) ^ MUL(0x0e, t7); - WRITE_ROW(3, t8); - t8 = MUL(0x0f, t0) ^ MUL(0x0c, t1) ^ MUL(0x09, t2) ^ MUL(0x0d, t3) ^ - MUL(0x0e, t4) ^ MUL(0x05, t5) ^ MUL(0x0e, t6) ^ MUL(0x0d, t7); - WRITE_ROW(4, t8); - t8 = MUL(0x09, t0) ^ MUL(0x0e, t1) ^ MUL(0x05, t2) ^ MUL(0x0f, t3) ^ - MUL(0x04, t4) 
 ^ MUL(0x0c, t5) ^ MUL(0x09, t6) ^ MUL(0x06, t7);
- WRITE_ROW(5, t8);
- t8 = MUL(0x0c, t0) ^ MUL(0x02, t1) ^ MUL(0x02, t2) ^ MUL(0x0a, t3) ^
- MUL(0x03, t4) ^ MUL(0x01, t5) ^ MUL(0x01, t6) ^ MUL(0x0e, t7);
- WRITE_ROW(6, t8);
- t8 = MUL(0x0f, t0) ^ MUL(0x01, t1) ^ MUL(0x0d, t2) ^ MUL(0x0a, t3) ^
- MUL(0x05, t4) ^ MUL(0x0a, t5) ^ MUL(0x02, t6) ^ MUL(0x03, t7);
- WRITE_ROW(7, t8);
- }
-
- /* Convert back from bit-sliced form to regular form */
- photon256_from_sliced(state, S.bytes);
-}
diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/internal-photon256.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/internal-photon256.h
deleted file mode 100644
index ce8729a..0000000
--- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/internal-photon256.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_PHOTON256_H
-#define LW_INTERNAL_PHOTON256_H
-
-/**
- * \file internal-photon256.h
- * \brief Internal implementation of the PHOTON-256 permutation.
- *
- * Warning: The current implementation of PHOTON-256 is constant-time
- * but not constant-cache.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the PHOTON-256 permutation state in bytes.
- */
-#define PHOTON256_STATE_SIZE 32
-
-/**
- * \brief Permutes the PHOTON-256 state.
- *
- * \param state The state to be permuted.
- */
-void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/internal-util.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/photon-beetle.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/photon-beetle.c
deleted file mode 100644
index f44bdad..0000000
--- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/photon-beetle.c
+++ /dev/null
@@ -1,451 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "photon-beetle.h" -#include "internal-photon256.h" -#include "internal-util.h" -#include - -aead_cipher_t const photon_beetle_128_cipher = { - "PHOTON-Beetle-AEAD-ENC-128", - PHOTON_BEETLE_KEY_SIZE, - PHOTON_BEETLE_NONCE_SIZE, - PHOTON_BEETLE_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - photon_beetle_128_aead_encrypt, - photon_beetle_128_aead_decrypt -}; - -aead_cipher_t const photon_beetle_32_cipher = { - "PHOTON-Beetle-AEAD-ENC-32", - PHOTON_BEETLE_KEY_SIZE, - PHOTON_BEETLE_NONCE_SIZE, - PHOTON_BEETLE_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - photon_beetle_32_aead_encrypt, - photon_beetle_32_aead_decrypt -}; - -aead_hash_algorithm_t const photon_beetle_hash_algorithm = { - "PHOTON-Beetle-HASH", - sizeof(int), - PHOTON_BEETLE_HASH_SIZE, - AEAD_FLAG_NONE, - photon_beetle_hash, - (aead_hash_init_t)0, - (aead_hash_update_t)0, - (aead_hash_finalize_t)0, - (aead_xof_absorb_t)0, - (aead_xof_squeeze_t)0 -}; - -/** - * \brief Rate of operation for PHOTON-Beetle-AEAD-ENC-128. - */ -#define PHOTON_BEETLE_128_RATE 16 - -/** - * \brief Rate of operation for PHOTON-Beetle-AEAD-ENC-32. - */ -#define PHOTON_BEETLE_32_RATE 4 - -/* Shifts a domain constant from the spec to the correct bit position */ -#define DOMAIN(c) ((c) << 5) - -/** - * \brief Processes the associated data for PHOTON-Beetle. - * - * \param state PHOTON-256 permutation state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data, must be non-zero. - * \param rate Rate of absorption for the data. - * \param mempty Non-zero if the message is empty. 
- */ -static void photon_beetle_process_ad - (unsigned char state[PHOTON256_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen, - unsigned rate, int mempty) -{ - unsigned temp; - - /* Absorb as many full rate blocks as possible */ - while (adlen > rate) { - photon256_permute(state); - lw_xor_block(state, ad, rate); - ad += rate; - adlen -= rate; - } - - /* Pad and absorb the last block */ - temp = (unsigned)adlen; - photon256_permute(state); - lw_xor_block(state, ad, temp); - if (temp < rate) - state[temp] ^= 0x01; /* padding */ - - /* Add the domain constant to finalize associated data processing */ - if (mempty && temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(3); - else if (mempty) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(4); - else if (temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - else - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); -} - -/** - * \brief Rotates part of the PHOTON-256 state right by one bit. - * - * \param out Output state buffer. - * \param in Input state buffer, must not overlap with \a out. - * \param len Length of the state buffer. - */ -static void photon_beetle_rotate1 - (unsigned char *out, const unsigned char *in, unsigned len) -{ - unsigned posn; - for (posn = 0; posn < (len - 1); ++posn) - out[posn] = (in[posn] >> 1) | (in[posn + 1] << 7); - out[len - 1] = (in[len - 1] >> 1) | (in[0] << 7); -} - -/** - * \brief Encrypts a plaintext block with PHOTON-Beetle. - * - * \param state PHOTON-256 permutation state. - * \param c Points to the ciphertext output buffer. - * \param m Points to the plaintext input buffer. - * \param mlen Length of the message, must be non-zero. - * \param rate Rate of absorption for the data. - * \param adempty Non-zero if the associated data is empty. 
- */ -static void photon_beetle_encrypt - (unsigned char state[PHOTON256_STATE_SIZE], - unsigned char *c, const unsigned char *m, unsigned long long mlen, - unsigned rate, int adempty) -{ - unsigned char shuffle[PHOTON_BEETLE_128_RATE]; /* Block of max rate size */ - unsigned temp; - - /* Process all plaintext blocks except the last */ - while (mlen > rate) { - photon256_permute(state); - memcpy(shuffle, state + rate / 2, rate / 2); - photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); - lw_xor_block(state, m, rate); - lw_xor_block_2_src(c, m, shuffle, rate); - c += rate; - m += rate; - mlen -= rate; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - photon256_permute(state); - memcpy(shuffle, state + rate / 2, rate / 2); - photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); - if (temp == rate) { - lw_xor_block(state, m, rate); - lw_xor_block_2_src(c, m, shuffle, rate); - } else { - lw_xor_block(state, m, temp); - state[temp] ^= 0x01; /* padding */ - lw_xor_block_2_src(c, m, shuffle, temp); - } - - /* Add the domain constant to finalize message processing */ - if (adempty && temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(5); - else if (adempty) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(6); - else if (temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - else - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); -} - -/** - * \brief Decrypts a ciphertext block with PHOTON-Beetle. - * - * \param state PHOTON-256 permutation state. - * \param m Points to the plaintext output buffer. - * \param c Points to the ciphertext input buffer. - * \param mlen Length of the message, must be non-zero. - * \param rate Rate of absorption for the data. - * \param adempty Non-zero if the associated data is empty. 
- */ -static void photon_beetle_decrypt - (unsigned char state[PHOTON256_STATE_SIZE], - unsigned char *m, const unsigned char *c, unsigned long long mlen, - unsigned rate, int adempty) -{ - unsigned char shuffle[PHOTON_BEETLE_128_RATE]; /* Block of max rate size */ - unsigned temp; - - /* Process all plaintext blocks except the last */ - while (mlen > rate) { - photon256_permute(state); - memcpy(shuffle, state + rate / 2, rate / 2); - photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); - lw_xor_block_2_src(m, c, shuffle, rate); - lw_xor_block(state, m, rate); - c += rate; - m += rate; - mlen -= rate; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - photon256_permute(state); - memcpy(shuffle, state + rate / 2, rate / 2); - photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); - if (temp == rate) { - lw_xor_block_2_src(m, c, shuffle, rate); - lw_xor_block(state, m, rate); - } else { - lw_xor_block_2_src(m, c, shuffle, temp); - lw_xor_block(state, m, temp); - state[temp] ^= 0x01; /* padding */ - } - - /* Add the domain constant to finalize message processing */ - if (adempty && temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(5); - else if (adempty) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(6); - else if (temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - else - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); -} - -int photon_beetle_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + PHOTON_BEETLE_TAG_SIZE; - - /* Initialize the state by concatenating the nonce and the key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Process the associated data */ - if (adlen > 0) 
{ - photon_beetle_process_ad - (state, ad, adlen, PHOTON_BEETLE_128_RATE, mlen == 0); - } else if (mlen == 0) { - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - photon_beetle_encrypt - (state, c, m, mlen, PHOTON_BEETLE_128_RATE, adlen == 0); - } - - /* Generate the authentication tag */ - photon256_permute(state); - memcpy(c + mlen, state, PHOTON_BEETLE_TAG_SIZE); - return 0; -} - -int photon_beetle_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < PHOTON_BEETLE_TAG_SIZE) - return -1; - *mlen = clen - PHOTON_BEETLE_TAG_SIZE; - - /* Initialize the state by concatenating the nonce and the key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Process the associated data */ - clen -= PHOTON_BEETLE_TAG_SIZE; - if (adlen > 0) { - photon_beetle_process_ad - (state, ad, adlen, PHOTON_BEETLE_128_RATE, clen == 0); - } else if (clen == 0) { - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > 0) { - photon_beetle_decrypt - (state, m, c, clen, PHOTON_BEETLE_128_RATE, adlen == 0); - } - - /* Check the authentication tag */ - photon256_permute(state); - return aead_check_tag(m, clen, state, c + clen, PHOTON_BEETLE_TAG_SIZE); -} - -int photon_beetle_32_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Set the length 
of the returned ciphertext */ - *clen = mlen + PHOTON_BEETLE_TAG_SIZE; - - /* Initialize the state by concatenating the nonce and the key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Process the associated data */ - if (adlen > 0) { - photon_beetle_process_ad - (state, ad, adlen, PHOTON_BEETLE_32_RATE, mlen == 0); - } else if (mlen == 0) { - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - photon_beetle_encrypt - (state, c, m, mlen, PHOTON_BEETLE_32_RATE, adlen == 0); - } - - /* Generate the authentication tag */ - photon256_permute(state); - memcpy(c + mlen, state, PHOTON_BEETLE_TAG_SIZE); - return 0; -} - -int photon_beetle_32_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < PHOTON_BEETLE_TAG_SIZE) - return -1; - *mlen = clen - PHOTON_BEETLE_TAG_SIZE; - - /* Initialize the state by concatenating the nonce and the key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Process the associated data */ - clen -= PHOTON_BEETLE_TAG_SIZE; - if (adlen > 0) { - photon_beetle_process_ad - (state, ad, adlen, PHOTON_BEETLE_32_RATE, clen == 0); - } else if (clen == 0) { - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > 0) { - photon_beetle_decrypt - (state, m, c, clen, PHOTON_BEETLE_32_RATE, adlen == 0); - } - - /* Check the authentication tag */ - photon256_permute(state); - return aead_check_tag(m, clen, state, c + clen, PHOTON_BEETLE_TAG_SIZE); -} - -int photon_beetle_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - 
unsigned char state[PHOTON256_STATE_SIZE]; - unsigned temp; - - /* Absorb the input data */ - if (inlen == 0) { - /* No input data at all */ - memset(state, 0, sizeof(state) - 1); - state[PHOTON256_STATE_SIZE - 1] = DOMAIN(1); - } else if (inlen <= PHOTON_BEETLE_128_RATE) { - /* Only one block of input data, which may require padding */ - temp = (unsigned)inlen; - memcpy(state, in, temp); - memset(state + temp, 0, sizeof(state) - temp - 1); - if (temp < PHOTON_BEETLE_128_RATE) { - state[temp] = 0x01; - state[PHOTON256_STATE_SIZE - 1] = DOMAIN(1); - } else { - state[PHOTON256_STATE_SIZE - 1] = DOMAIN(2); - } - } else { - /* Initialize the state with the first block, then absorb the rest */ - memcpy(state, in, PHOTON_BEETLE_128_RATE); - memset(state + PHOTON_BEETLE_128_RATE, 0, - sizeof(state) - PHOTON_BEETLE_128_RATE); - in += PHOTON_BEETLE_128_RATE; - inlen -= PHOTON_BEETLE_128_RATE; - while (inlen > PHOTON_BEETLE_32_RATE) { - photon256_permute(state); - lw_xor_block(state, in, PHOTON_BEETLE_32_RATE); - in += PHOTON_BEETLE_32_RATE; - inlen -= PHOTON_BEETLE_32_RATE; - } - photon256_permute(state); - temp = (unsigned)inlen; - if (temp == PHOTON_BEETLE_32_RATE) { - lw_xor_block(state, in, PHOTON_BEETLE_32_RATE); - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } else { - lw_xor_block(state, in, temp); - state[temp] ^= 0x01; - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); - } - } - - /* Generate the output hash */ - photon256_permute(state); - memcpy(out, state, 16); - photon256_permute(state); - memcpy(out + 16, state, 16); - return 0; -} diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/photon-beetle.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/photon-beetle.h deleted file mode 100644 index 2d94a7e..0000000 --- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys-avr/photon-beetle.h +++ /dev/null 
@@ -1,224 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_PHOTON_BEETLE_H -#define LWCRYPTO_PHOTON_BEETLE_H - -#include "aead-common.h" - -/** - * \file photon-beetle.h - * \brief PHOTON-Beetle authenticated encryption algorithm. - * - * PHOTON-Beetle is a family of authenticated encryption algorithms based - * on the PHOTON-256 permutation and using the Beetle sponge mode. - * There are three algorithms in the family: - * - * \li PHOTON-Beetle-AEAD-ENC-128 with a 128-bit key, a 128-bit nonce, and a - * 128-bit tag. Data is handled in 16 byte blocks. This is the primary - * member of the family for encryption. - * \li PHOTON-Beetle-AEAD-ENC-32 with a 128-bit key, a 128-bit nonce, and a - * 128-bit tag. Data is handled in 4 byte blocks. - * \li PHOTON-Beetle-Hash with a 256-bit hash output. 
The initial data is - * handled as a 16 byte block, and then the remaining bytes are processed - * in 4 byte blocks. - * - * References: https://www.isical.ac.in/~lightweight/beetle/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for PHOTON-Beetle. - */ -#define PHOTON_BEETLE_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PHOTON-Beetle. - */ -#define PHOTON_BEETLE_TAG_SIZE 16 - -/** - * \brief Size of the nonce for PHOTON-Beetle. - */ -#define PHOTON_BEETLE_NONCE_SIZE 16 - -/** - * \brief Size of the hash output for PHOTON-Beetle-HASH. - */ -#define PHOTON_BEETLE_HASH_SIZE 32 - -/** - * \brief Meta-information block for the PHOTON-Beetle-AEAD-ENC-128 cipher. - */ -extern aead_cipher_t const photon_beetle_128_cipher; - -/** - * \brief Meta-information block for the PHOTON-Beetle-AEAD-ENC-32 cipher. - */ -extern aead_cipher_t const photon_beetle_32_cipher; - -/** - * \brief Meta-information block for the PHOTON-Beetle-HASH algorithm. - */ -extern aead_hash_algorithm_t const photon_beetle_hash_algorithm; - -/** - * \brief Encrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa photon_beetle_128_aead_decrypt() - */ -int photon_beetle_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa photon_beetle_128_aead_encrypt() - */ -int photon_beetle_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-32. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. 
- * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa photon_beetle_32_aead_decrypt() - */ -int photon_beetle_32_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-32. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- *
- * \sa photon_beetle_32_aead_encrypt()
- */
-int photon_beetle_32_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with PHOTON-Beetle-HASH to
- * generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * PHOTON_BEETLE_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int photon_beetle_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-util.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-util.h
+++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate128v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
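Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is fixed by `#if defined(__AVR__)` with no way for a build to override it, so the composed rotation path can only be compiled and exercised by an AVR toolchain, and a wrong rotation count in one of the composed definitions added later in this file (the `@@ -322` hunk) would never be caught by the host test-suite. I would wrap the selection so it can be forced from the command line: `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` before the existing `#if defined(__AVR__)` and a matching `#endif` after the existing one, which lets a host build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` to run the known-answer tests against the composed macros and lets other barrel-shifter-less targets opt in. Both paths rotate by compile-time constants only, so neither should introduce data-dependent timing; since these macros sit on the cipher round functions it is worth saying so in the new comment, e.g. `/* Both selections rotate by constant counts; no data-dependent shifts. */`.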
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/aead-common.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
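Review bot: The composed forms nest the generic `leftRotate`/`rightRotate` up to five deep (`leftRotate12`, `leftRotate20`), so they are only safe if the generic macros evaluate their argument exactly once; the `_temp` statement-expression tail visible in the previous hunk suggests they do, but nothing in this hunk records that requirement, and a plain-expression fallback (if the header carries one for compilers without statement expressions) would apply any side effect in `a` several times. I would add, under the `#else /* LW_CRYPTO_ROTATE32_COMPOSED */` line, `/* These rely on leftRotate()/rightRotate() evaluating their argument once; pass only side-effect-free expressions */`. The 62 hand-written counts trace correctly (8-3=5, 16-4=12, 24-3=21, `rightRotateN` = `leftRotate(32-N)`), but a transposed count would silently break every permutation built on these macros, so a host-side build with `LW_CRYPTO_ROTATE32_COMPOSED` set to 1 (which at present means editing the `#if defined(__AVR__)` selection in the earlier hunk) that checks each `leftRotateN(x)` against `leftRotate(x, N)` for N in 1..31 belongs in the test suite. Nesting one `_temp` statement expression inside another may also trip `-Wshadow` if the project builds with it.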
--- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/aead-common.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/api.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/encrypt.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/encrypt.c deleted file mode 100644 index 17af9cd..0000000 --- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@ - -#include "photon-beetle.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return photon_beetle_32_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return photon_beetle_32_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/internal-photon256.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/internal-photon256.c deleted file mode 100644 index b8743fe..0000000 --- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/internal-photon256.c +++ /dev/null 
@@ -1,479 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-photon256.h" -#include "internal-util.h" - -/** - * \brief Number of rounds in the PHOTON-256 permutation in bit-sliced form. - */ -#define PHOTON256_ROUNDS 12 - -/* Round constants for PHOTON-256 */ -static uint32_t const photon256_rc[PHOTON256_ROUNDS] = { - 0x96d2f0e1, 0xb4f0d2c3, 0xf0b49687, 0x692d0f1e, - 0x5a1e3c2d, 0x3c785a4b, 0xe1a58796, 0x4b0f2d3c, - 0x1e5a7869, 0xa5e1c3d2, 0xd296b4a5, 0x2d694b5a -}; - -/** - * \brief Evaluates the PHOTON-256 S-box in bit-sliced form. - * - * \param x0 Slice with bit 0 of all nibbles. - * \param x1 Slice with bit 1 of all nibbles. - * \param x2 Slice with bit 2 of all nibbles. - * \param x3 Slice with bit 3 of all nibbles. 
- * - * This bit-sliced S-box implementation is based on the AVR version - * "add_avr8_bitslice_asm" from the PHOTON-Beetle reference code. - */ -#define photon256_sbox(x0, x1, x2, x3) \ - do { \ - x1 ^= x2; \ - x3 ^= (x2 & x1); \ - t1 = x3; \ - x3 = (x3 & x1) ^ x2; \ - t2 = x3; \ - x3 ^= x0; \ - x3 = ~(x3); \ - x2 = x3; \ - t2 |= x0; \ - x0 ^= t1; \ - x1 ^= x0; \ - x2 |= x1; \ - x2 ^= t1; \ - x1 ^= t2; \ - x3 ^= x1; \ - } while (0) - -/** - * \brief Performs a field multiplication on the 8 nibbles in a row. - * - * \param a Field constant to multiply by. - * \param x Bit-sliced form of the row, with bits 0..3 of each nibble - * in bytes 0..3 of the word. - * - * \return a * x packed into the bytes of a word. - */ -static uint32_t photon256_field_multiply(uint8_t a, uint32_t x) -{ - /* For each 4-bit nibble we need to do this: - * - * result = 0; - * for (bit = 0; bit < 4; ++ bit) { - * if ((a & (1 << bit)) != 0) - * result ^= x; - * if ((x & 0x08) != 0) { - * x = (x << 1) ^ 3; - * } else { - * x = (x << 1); - * } - * } - * - * We don't need to worry about constant time for "a" because it is a - * known constant that isn't data-dependent. But we do need to worry - * about constant time for "x" as it is data. 
- */ - uint32_t result = 0; - uint32_t t; - #define PARALLEL_CONDITIONAL_ADD(bit) \ - do { \ - if ((a) & (1 << (bit))) \ - result ^= x; \ - } while (0) - #define PARALELL_ROTATE() \ - do { \ - t = x >> 24; \ - x = (x << 8) ^ t ^ (t << 8); \ - } while (0) - PARALLEL_CONDITIONAL_ADD(0); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(1); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(2); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(3); - return result; -} - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/** - * \brief Converts a PHOTON-256 state into bit-sliced form. - * - * \param out Points to the converted output. - * \param in Points to the PHOTON-256 state to convert. - */ -static void photon256_to_sliced - (uint32_t out[PHOTON256_STATE_SIZE / 4], - const unsigned char in[PHOTON256_STATE_SIZE]) -{ - /* We first scatter bits 0..3 of the nibbles to bytes 0..3 of the words. - * Then we rearrange the bytes to group all bits N into word N. - * - * Permutation generated with "http://programming.sirrida.de/calcperm.php". 
- * - * P = [0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 - * 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31] - */ - uint32_t t0, t1, t2, t3; - #define TO_BITSLICED_PERM(x) \ - do { \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - } while (0) - #define FROM_BITSLICED_PERM(x) \ - do { \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - } while (0) - t0 = le_load_word32(in); - t1 = le_load_word32(in + 4); - t2 = le_load_word32(in + 8); - t3 = le_load_word32(in + 12); - TO_BITSLICED_PERM(t0); - TO_BITSLICED_PERM(t1); - TO_BITSLICED_PERM(t2); - TO_BITSLICED_PERM(t3); - out[0] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | - ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); - out[1] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | - ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); - out[2] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | - (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); - out[3] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | - ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); - t0 = le_load_word32(in + 16); - t1 = le_load_word32(in + 20); - t2 = le_load_word32(in + 24); - t3 = le_load_word32(in + 28); - TO_BITSLICED_PERM(t0); - TO_BITSLICED_PERM(t1); - TO_BITSLICED_PERM(t2); - TO_BITSLICED_PERM(t3); - out[4] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | - ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); - out[5] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | - ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); - out[6] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | - (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); - out[7] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | - ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); -} - -/** - * \brief Converts 
a PHOTON-256 state from bit-sliced form. - * - * \param out Points to the converted output. - * \param in Points to the PHOTON-256 state to convert. - */ -static void photon256_from_sliced - (unsigned char out[PHOTON256_STATE_SIZE], - const unsigned char in[PHOTON256_STATE_SIZE]) -{ - /* Do the reverse of photon256_to_sliced() */ - uint32_t x0, x1, x2, x3; - x0 = ((uint32_t)(in[0])) | - (((uint32_t)(in[4])) << 8) | - (((uint32_t)(in[8])) << 16) | - (((uint32_t)(in[12])) << 24); - x1 = ((uint32_t)(in[1])) | - (((uint32_t)(in[5])) << 8) | - (((uint32_t)(in[9])) << 16) | - (((uint32_t)(in[13])) << 24); - x2 = ((uint32_t)(in[2])) | - (((uint32_t)(in[6])) << 8) | - (((uint32_t)(in[10])) << 16) | - (((uint32_t)(in[14])) << 24); - x3 = ((uint32_t)(in[3])) | - (((uint32_t)(in[7])) << 8) | - (((uint32_t)(in[11])) << 16) | - (((uint32_t)(in[15])) << 24); - FROM_BITSLICED_PERM(x0); - FROM_BITSLICED_PERM(x1); - FROM_BITSLICED_PERM(x2); - FROM_BITSLICED_PERM(x3); - le_store_word32(out, x0); - le_store_word32(out + 4, x1); - le_store_word32(out + 8, x2); - le_store_word32(out + 12, x3); - x0 = ((uint32_t)(in[16])) | - (((uint32_t)(in[20])) << 8) | - (((uint32_t)(in[24])) << 16) | - (((uint32_t)(in[28])) << 24); - x1 = ((uint32_t)(in[17])) | - (((uint32_t)(in[21])) << 8) | - (((uint32_t)(in[25])) << 16) | - (((uint32_t)(in[29])) << 24); - x2 = ((uint32_t)(in[18])) | - (((uint32_t)(in[22])) << 8) | - (((uint32_t)(in[26])) << 16) | - (((uint32_t)(in[30])) << 24); - x3 = ((uint32_t)(in[19])) | - (((uint32_t)(in[23])) << 8) | - (((uint32_t)(in[27])) << 16) | - (((uint32_t)(in[31])) << 24); - FROM_BITSLICED_PERM(x0); - FROM_BITSLICED_PERM(x1); - FROM_BITSLICED_PERM(x2); - FROM_BITSLICED_PERM(x3); - le_store_word32(out + 16, x0); - le_store_word32(out + 20, x1); - le_store_word32(out + 24, x2); - le_store_word32(out + 28, x3); -} - -#if defined(LW_UTIL_LITTLE_ENDIAN) -/* Index the bit-sliced state bytes in little-endian byte order */ -#define READ_ROW0() \ - (((uint32_t)(S.bytes[0])) | 
\
- (((uint32_t)(S.bytes[4])) << 8) | \
- (((uint32_t)(S.bytes[8])) << 16) | \
- (((uint32_t)(S.bytes[12])) << 24))
-#define READ_ROW1() \
- (((uint32_t)(S.bytes[1])) | \
- (((uint32_t)(S.bytes[5])) << 8) | \
- (((uint32_t)(S.bytes[9])) << 16) | \
- (((uint32_t)(S.bytes[13])) << 24))
-#define READ_ROW2() \
- (((uint32_t)(S.bytes[2])) | \
- (((uint32_t)(S.bytes[6])) << 8) | \
- (((uint32_t)(S.bytes[10])) << 16) | \
- (((uint32_t)(S.bytes[14])) << 24))
-#define READ_ROW3() \
- (((uint32_t)(S.bytes[3])) | \
- (((uint32_t)(S.bytes[7])) << 8) | \
- (((uint32_t)(S.bytes[11])) << 16) | \
- (((uint32_t)(S.bytes[15])) << 24))
-#define READ_ROW4() \
- (((uint32_t)(S.bytes[16])) | \
- (((uint32_t)(S.bytes[20])) << 8) | \
- (((uint32_t)(S.bytes[24])) << 16) | \
- (((uint32_t)(S.bytes[28])) << 24))
-#define READ_ROW5() \
- (((uint32_t)(S.bytes[17])) | \
- (((uint32_t)(S.bytes[21])) << 8) | \
- (((uint32_t)(S.bytes[25])) << 16) | \
- (((uint32_t)(S.bytes[29])) << 24))
-#define READ_ROW6() \
- (((uint32_t)(S.bytes[18])) | \
- (((uint32_t)(S.bytes[22])) << 8) | \
- (((uint32_t)(S.bytes[26])) << 16) | \
- (((uint32_t)(S.bytes[30])) << 24))
-#define READ_ROW7() \
- (((uint32_t)(S.bytes[19])) | \
- (((uint32_t)(S.bytes[23])) << 8) | \
- (((uint32_t)(S.bytes[27])) << 16) | \
- (((uint32_t)(S.bytes[31])) << 24))
-#define WRITE_ROW(row, value) \
- do { \
- if ((row) < 4) { \
- S.bytes[(row)] = (uint8_t)(value); \
- S.bytes[(row) + 4] = (uint8_t)((value) >> 8); \
- S.bytes[(row) + 8] = (uint8_t)((value) >> 16); \
- S.bytes[(row) + 12] = (uint8_t)((value) >> 24); \
- } else { \
- S.bytes[(row) + 12] = (uint8_t)(value); \
- S.bytes[(row) + 16] = (uint8_t)((value) >> 8); \
- S.bytes[(row) + 20] = (uint8_t)((value) >> 16); \
- S.bytes[(row) + 24] = (uint8_t)((value) >> 24); \
- } \
- } while (0)
-#else
-/* Index the bit-sliced state bytes in big-endian byte order */
-#define READ_ROW0() \
- (((uint32_t)(S.bytes[3])) | \
- (((uint32_t)(S.bytes[7])) << 8) | \
- (((uint32_t)(S.bytes[11])) << 16) | \
- (((uint32_t)(S.bytes[15])) << 24))
-#define READ_ROW1() \
- (((uint32_t)(S.bytes[2])) | \
- (((uint32_t)(S.bytes[6])) << 8) | \
- (((uint32_t)(S.bytes[10])) << 16) | \
- (((uint32_t)(S.bytes[14])) << 24))
-#define READ_ROW2() \
- (((uint32_t)(S.bytes[1])) | \
- (((uint32_t)(S.bytes[5])) << 8) | \
- (((uint32_t)(S.bytes[9])) << 16) | \
- (((uint32_t)(S.bytes[13])) << 24))
-#define READ_ROW3() \
- (((uint32_t)(S.bytes[0])) | \
- (((uint32_t)(S.bytes[4])) << 8) | \
- (((uint32_t)(S.bytes[8])) << 16) | \
- (((uint32_t)(S.bytes[12])) << 24))
-#define READ_ROW4() \
- (((uint32_t)(S.bytes[19])) | \
- (((uint32_t)(S.bytes[23])) << 8) | \
- (((uint32_t)(S.bytes[27])) << 16) | \
- (((uint32_t)(S.bytes[31])) << 24))
-#define READ_ROW5() \
- (((uint32_t)(S.bytes[18])) | \
- (((uint32_t)(S.bytes[22])) << 8) | \
- (((uint32_t)(S.bytes[26])) << 16) | \
- (((uint32_t)(S.bytes[30])) << 24))
-#define READ_ROW6() \
- (((uint32_t)(S.bytes[17])) | \
- (((uint32_t)(S.bytes[21])) << 8) | \
- (((uint32_t)(S.bytes[25])) << 16) | \
- (((uint32_t)(S.bytes[29])) << 24))
-#define READ_ROW7() \
- (((uint32_t)(S.bytes[16])) | \
- (((uint32_t)(S.bytes[20])) << 8) | \
- (((uint32_t)(S.bytes[24])) << 16) | \
- (((uint32_t)(S.bytes[28])) << 24))
-#define WRITE_ROW(row, value) \
- do { \
- if ((row) < 4) { \
- S.bytes[3 - (row)] = (uint8_t)(value); \
- S.bytes[7 - (row)] = (uint8_t)((value) >> 8); \
- S.bytes[11 - (row)] = (uint8_t)((value) >> 16); \
- S.bytes[15 - (row)] = (uint8_t)((value) >> 24); \
- } else { \
- S.bytes[20 - (row)] = (uint8_t)(value); \
- S.bytes[24 - (row)] = (uint8_t)((value) >> 8); \
- S.bytes[28 - (row)] = (uint8_t)((value) >> 16); \
- S.bytes[32 - (row)] = (uint8_t)((value) >> 24); \
- } \
- } while (0)
-#endif
-
-void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE])
-{
- union {
- uint32_t words[PHOTON256_STATE_SIZE / 4];
- uint8_t bytes[PHOTON256_STATE_SIZE];
- } S;
- uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8;
- uint8_t round;
-
- /* Convert the state into bit-sliced form */
- photon256_to_sliced(S.words, state);
-
- /* Perform all 12 permutation rounds */
- for (round = 0; round < PHOTON256_ROUNDS; ++round) {
- /* Add the constants for this round */
- t0 = photon256_rc[round];
- S.words[0] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[1] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[2] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[3] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[4] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[5] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[6] ^= t0 & 0x01010101U;
- t0 >>= 1;
- S.words[7] ^= t0 & 0x01010101U;
-
- /* Apply the sbox to all nibbles in the state */
- photon256_sbox(S.words[0], S.words[1], S.words[2], S.words[3]);
- photon256_sbox(S.words[4], S.words[5], S.words[6], S.words[7]);
-
- /* Rotate all rows left by the row number.
- *
- * We do this by applying permutations to the top and bottom words
- * to rearrange the bits into the rotated form. Permutations
- * generated with "http://programming.sirrida.de/calcperm.php".
- *
- * P_top = [0 1 2 3 4 5 6 7 15 8 9 10 11 12 13 14 22 23
- * 16 17 18 19 20 21 29 30 31 24 25 26 27 28]
- * P_bot = [4 5 6 7 0 1 2 3 11 12 13 14 15 8 9 10 18 19
- * 20 21 22 23 16 17 25 26 27 28 29 30 31 24
- */
- #define TOP_ROTATE_PERM(x) \
- do { \
- t1 = (x); \
- bit_permute_step(t1, 0x07030100, 4); \
- bit_permute_step(t1, 0x22331100, 2); \
- bit_permute_step(t1, 0x55005500, 1); \
- (x) = t1; \
- } while (0)
- #define BOTTOM_ROTATE_PERM(x) \
- do { \
- t1 = (x); \
- bit_permute_step(t1, 0x080c0e0f, 4); \
- bit_permute_step(t1, 0x22331100, 2); \
- bit_permute_step(t1, 0x55005500, 1); \
- (x) = t1; \
- } while (0)
- TOP_ROTATE_PERM(S.words[0]);
- TOP_ROTATE_PERM(S.words[1]);
- TOP_ROTATE_PERM(S.words[2]);
- TOP_ROTATE_PERM(S.words[3]);
- BOTTOM_ROTATE_PERM(S.words[4]);
- BOTTOM_ROTATE_PERM(S.words[5]);
- BOTTOM_ROTATE_PERM(S.words[6]);
- BOTTOM_ROTATE_PERM(S.words[7]);
-
- /* Mix the columns */
- #define MUL(a, x) (photon256_field_multiply((a), (x)))
- t0 = READ_ROW0();
- t1 = READ_ROW1();
- t2 = READ_ROW2();
- t3 = READ_ROW3();
- t4 = READ_ROW4();
- t5 = READ_ROW5();
- t6 = READ_ROW6();
- t7 = READ_ROW7();
- t8 = MUL(0x02, t0) ^ MUL(0x04, t1) ^ MUL(0x02, t2) ^ MUL(0x0b, t3) ^
- MUL(0x02, t4) ^ MUL(0x08, t5) ^ MUL(0x05, t6) ^ MUL(0x06, t7);
- WRITE_ROW(0, t8);
- t8 = MUL(0x0c, t0) ^ MUL(0x09, t1) ^ MUL(0x08, t2) ^ MUL(0x0d, t3) ^
- MUL(0x07, t4) ^ MUL(0x07, t5) ^ MUL(0x05, t6) ^ MUL(0x02, t7);
- WRITE_ROW(1, t8);
- t8 = MUL(0x04, t0) ^ MUL(0x04, t1) ^ MUL(0x0d, t2) ^ MUL(0x0d, t3) ^
- MUL(0x09, t4) ^ MUL(0x04, t5) ^ MUL(0x0d, t6) ^ MUL(0x09, t7);
- WRITE_ROW(2, t8);
- t8 = MUL(0x01, t0) ^ MUL(0x06, t1) ^ MUL(0x05, t2) ^ MUL(0x01, t3) ^
- MUL(0x0c, t4) ^ MUL(0x0d, t5) ^ MUL(0x0f, t6) ^ MUL(0x0e, t7);
- WRITE_ROW(3, t8);
- t8 = MUL(0x0f, t0) ^ MUL(0x0c, t1) ^ MUL(0x09, t2) ^ MUL(0x0d, t3) ^
- MUL(0x0e, t4) ^ MUL(0x05, t5) ^ MUL(0x0e, t6) ^ MUL(0x0d, t7);
- WRITE_ROW(4, t8);
- t8 = MUL(0x09, t0) ^ MUL(0x0e, t1) ^ MUL(0x05, t2) ^ MUL(0x0f, t3) ^
- MUL(0x04, t4) ^ MUL(0x0c, t5) ^ MUL(0x09, t6) ^ MUL(0x06, t7);
- WRITE_ROW(5, t8);
- t8 = MUL(0x0c, t0) ^ MUL(0x02, t1) ^ MUL(0x02, t2) ^ MUL(0x0a, t3) ^
- MUL(0x03, t4) ^ MUL(0x01, t5) ^ MUL(0x01, t6) ^ MUL(0x0e, t7);
- WRITE_ROW(6, t8);
- t8 = MUL(0x0f, t0) ^ MUL(0x01, t1) ^ MUL(0x0d, t2) ^ MUL(0x0a, t3) ^
- MUL(0x05, t4) ^ MUL(0x0a, t5) ^ MUL(0x02, t6) ^ MUL(0x03, t7);
- WRITE_ROW(7, t8);
- }
-
- /* Convert back from bit-sliced form to regular form */
- photon256_from_sliced(state, S.bytes);
-}
diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/internal-photon256.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/internal-photon256.h
deleted file mode 100644
index ce8729a..0000000
--- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/internal-photon256.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_PHOTON256_H
-#define LW_INTERNAL_PHOTON256_H
-
-/**
- * \file internal-photon256.h
- * \brief Internal implementation of the PHOTON-256 permutation.
- *
- * Warning: The current implementation of PHOTON-256 is constant-time
- * but not constant-cache.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the PHOTON-256 permutation state in bytes.
- */
-#define PHOTON256_STATE_SIZE 32
-
-/**
- * \brief Permutes the PHOTON-256 state.
- *
- * \param state The state to be permuted.
- */
-void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/internal-util.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/photon-beetle.c b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/photon-beetle.c deleted file mode 100644 index f44bdad..0000000 --- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/photon-beetle.c +++ /dev/null 
@@ -1,451 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "photon-beetle.h" -#include "internal-photon256.h" -#include "internal-util.h" -#include - -aead_cipher_t const photon_beetle_128_cipher = { - "PHOTON-Beetle-AEAD-ENC-128", - PHOTON_BEETLE_KEY_SIZE, - PHOTON_BEETLE_NONCE_SIZE, - PHOTON_BEETLE_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - photon_beetle_128_aead_encrypt, - photon_beetle_128_aead_decrypt -}; - -aead_cipher_t const photon_beetle_32_cipher = { - "PHOTON-Beetle-AEAD-ENC-32", - PHOTON_BEETLE_KEY_SIZE, - PHOTON_BEETLE_NONCE_SIZE, - PHOTON_BEETLE_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - photon_beetle_32_aead_encrypt, - photon_beetle_32_aead_decrypt -}; - -aead_hash_algorithm_t const photon_beetle_hash_algorithm = { - "PHOTON-Beetle-HASH", - sizeof(int), - PHOTON_BEETLE_HASH_SIZE, - AEAD_FLAG_NONE, - photon_beetle_hash, - (aead_hash_init_t)0, - (aead_hash_update_t)0, - (aead_hash_finalize_t)0, - (aead_xof_absorb_t)0, - (aead_xof_squeeze_t)0 -}; - -/** - * \brief Rate of operation for PHOTON-Beetle-AEAD-ENC-128. - */ -#define PHOTON_BEETLE_128_RATE 16 - -/** - * \brief Rate of operation for PHOTON-Beetle-AEAD-ENC-32. - */ -#define PHOTON_BEETLE_32_RATE 4 - -/* Shifts a domain constant from the spec to the correct bit position */ -#define DOMAIN(c) ((c) << 5) - -/** - * \brief Processes the associated data for PHOTON-Beetle. - * - * \param state PHOTON-256 permutation state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data, must be non-zero. - * \param rate Rate of absorption for the data. - * \param mempty Non-zero if the message is empty. 
- */ -static void photon_beetle_process_ad - (unsigned char state[PHOTON256_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen, - unsigned rate, int mempty) -{ - unsigned temp; - - /* Absorb as many full rate blocks as possible */ - while (adlen > rate) { - photon256_permute(state); - lw_xor_block(state, ad, rate); - ad += rate; - adlen -= rate; - } - - /* Pad and absorb the last block */ - temp = (unsigned)adlen; - photon256_permute(state); - lw_xor_block(state, ad, temp); - if (temp < rate) - state[temp] ^= 0x01; /* padding */ - - /* Add the domain constant to finalize associated data processing */ - if (mempty && temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(3); - else if (mempty) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(4); - else if (temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - else - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); -} - -/** - * \brief Rotates part of the PHOTON-256 state right by one bit. - * - * \param out Output state buffer. - * \param in Input state buffer, must not overlap with \a out. - * \param len Length of the state buffer. - */ -static void photon_beetle_rotate1 - (unsigned char *out, const unsigned char *in, unsigned len) -{ - unsigned posn; - for (posn = 0; posn < (len - 1); ++posn) - out[posn] = (in[posn] >> 1) | (in[posn + 1] << 7); - out[len - 1] = (in[len - 1] >> 1) | (in[0] << 7); -} - -/** - * \brief Encrypts a plaintext block with PHOTON-Beetle. - * - * \param state PHOTON-256 permutation state. - * \param c Points to the ciphertext output buffer. - * \param m Points to the plaintext input buffer. - * \param mlen Length of the message, must be non-zero. - * \param rate Rate of absorption for the data. - * \param adempty Non-zero if the associated data is empty. 
- */ -static void photon_beetle_encrypt - (unsigned char state[PHOTON256_STATE_SIZE], - unsigned char *c, const unsigned char *m, unsigned long long mlen, - unsigned rate, int adempty) -{ - unsigned char shuffle[PHOTON_BEETLE_128_RATE]; /* Block of max rate size */ - unsigned temp; - - /* Process all plaintext blocks except the last */ - while (mlen > rate) { - photon256_permute(state); - memcpy(shuffle, state + rate / 2, rate / 2); - photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); - lw_xor_block(state, m, rate); - lw_xor_block_2_src(c, m, shuffle, rate); - c += rate; - m += rate; - mlen -= rate; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - photon256_permute(state); - memcpy(shuffle, state + rate / 2, rate / 2); - photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); - if (temp == rate) { - lw_xor_block(state, m, rate); - lw_xor_block_2_src(c, m, shuffle, rate); - } else { - lw_xor_block(state, m, temp); - state[temp] ^= 0x01; /* padding */ - lw_xor_block_2_src(c, m, shuffle, temp); - } - - /* Add the domain constant to finalize message processing */ - if (adempty && temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(5); - else if (adempty) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(6); - else if (temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - else - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); -} - -/** - * \brief Decrypts a ciphertext block with PHOTON-Beetle. - * - * \param state PHOTON-256 permutation state. - * \param m Points to the plaintext output buffer. - * \param c Points to the ciphertext input buffer. - * \param mlen Length of the message, must be non-zero. - * \param rate Rate of absorption for the data. - * \param adempty Non-zero if the associated data is empty. 
- */ -static void photon_beetle_decrypt - (unsigned char state[PHOTON256_STATE_SIZE], - unsigned char *m, const unsigned char *c, unsigned long long mlen, - unsigned rate, int adempty) -{ - unsigned char shuffle[PHOTON_BEETLE_128_RATE]; /* Block of max rate size */ - unsigned temp; - - /* Process all plaintext blocks except the last */ - while (mlen > rate) { - photon256_permute(state); - memcpy(shuffle, state + rate / 2, rate / 2); - photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); - lw_xor_block_2_src(m, c, shuffle, rate); - lw_xor_block(state, m, rate); - c += rate; - m += rate; - mlen -= rate; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - photon256_permute(state); - memcpy(shuffle, state + rate / 2, rate / 2); - photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); - if (temp == rate) { - lw_xor_block_2_src(m, c, shuffle, rate); - lw_xor_block(state, m, rate); - } else { - lw_xor_block_2_src(m, c, shuffle, temp); - lw_xor_block(state, m, temp); - state[temp] ^= 0x01; /* padding */ - } - - /* Add the domain constant to finalize message processing */ - if (adempty && temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(5); - else if (adempty) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(6); - else if (temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - else - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); -} - -int photon_beetle_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + PHOTON_BEETLE_TAG_SIZE; - - /* Initialize the state by concatenating the nonce and the key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Process the associated data */ - if (adlen > 0) 
{ - photon_beetle_process_ad - (state, ad, adlen, PHOTON_BEETLE_128_RATE, mlen == 0); - } else if (mlen == 0) { - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - photon_beetle_encrypt - (state, c, m, mlen, PHOTON_BEETLE_128_RATE, adlen == 0); - } - - /* Generate the authentication tag */ - photon256_permute(state); - memcpy(c + mlen, state, PHOTON_BEETLE_TAG_SIZE); - return 0; -} - -int photon_beetle_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < PHOTON_BEETLE_TAG_SIZE) - return -1; - *mlen = clen - PHOTON_BEETLE_TAG_SIZE; - - /* Initialize the state by concatenating the nonce and the key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Process the associated data */ - clen -= PHOTON_BEETLE_TAG_SIZE; - if (adlen > 0) { - photon_beetle_process_ad - (state, ad, adlen, PHOTON_BEETLE_128_RATE, clen == 0); - } else if (clen == 0) { - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > 0) { - photon_beetle_decrypt - (state, m, c, clen, PHOTON_BEETLE_128_RATE, adlen == 0); - } - - /* Check the authentication tag */ - photon256_permute(state); - return aead_check_tag(m, clen, state, c + clen, PHOTON_BEETLE_TAG_SIZE); -} - -int photon_beetle_32_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Set the length 
of the returned ciphertext */ - *clen = mlen + PHOTON_BEETLE_TAG_SIZE; - - /* Initialize the state by concatenating the nonce and the key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Process the associated data */ - if (adlen > 0) { - photon_beetle_process_ad - (state, ad, adlen, PHOTON_BEETLE_32_RATE, mlen == 0); - } else if (mlen == 0) { - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - photon_beetle_encrypt - (state, c, m, mlen, PHOTON_BEETLE_32_RATE, adlen == 0); - } - - /* Generate the authentication tag */ - photon256_permute(state); - memcpy(c + mlen, state, PHOTON_BEETLE_TAG_SIZE); - return 0; -} - -int photon_beetle_32_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < PHOTON_BEETLE_TAG_SIZE) - return -1; - *mlen = clen - PHOTON_BEETLE_TAG_SIZE; - - /* Initialize the state by concatenating the nonce and the key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Process the associated data */ - clen -= PHOTON_BEETLE_TAG_SIZE; - if (adlen > 0) { - photon_beetle_process_ad - (state, ad, adlen, PHOTON_BEETLE_32_RATE, clen == 0); - } else if (clen == 0) { - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > 0) { - photon_beetle_decrypt - (state, m, c, clen, PHOTON_BEETLE_32_RATE, adlen == 0); - } - - /* Check the authentication tag */ - photon256_permute(state); - return aead_check_tag(m, clen, state, c + clen, PHOTON_BEETLE_TAG_SIZE); -} - -int photon_beetle_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - 
unsigned char state[PHOTON256_STATE_SIZE]; - unsigned temp; - - /* Absorb the input data */ - if (inlen == 0) { - /* No input data at all */ - memset(state, 0, sizeof(state) - 1); - state[PHOTON256_STATE_SIZE - 1] = DOMAIN(1); - } else if (inlen <= PHOTON_BEETLE_128_RATE) { - /* Only one block of input data, which may require padding */ - temp = (unsigned)inlen; - memcpy(state, in, temp); - memset(state + temp, 0, sizeof(state) - temp - 1); - if (temp < PHOTON_BEETLE_128_RATE) { - state[temp] = 0x01; - state[PHOTON256_STATE_SIZE - 1] = DOMAIN(1); - } else { - state[PHOTON256_STATE_SIZE - 1] = DOMAIN(2); - } - } else { - /* Initialize the state with the first block, then absorb the rest */ - memcpy(state, in, PHOTON_BEETLE_128_RATE); - memset(state + PHOTON_BEETLE_128_RATE, 0, - sizeof(state) - PHOTON_BEETLE_128_RATE); - in += PHOTON_BEETLE_128_RATE; - inlen -= PHOTON_BEETLE_128_RATE; - while (inlen > PHOTON_BEETLE_32_RATE) { - photon256_permute(state); - lw_xor_block(state, in, PHOTON_BEETLE_32_RATE); - in += PHOTON_BEETLE_32_RATE; - inlen -= PHOTON_BEETLE_32_RATE; - } - photon256_permute(state); - temp = (unsigned)inlen; - if (temp == PHOTON_BEETLE_32_RATE) { - lw_xor_block(state, in, PHOTON_BEETLE_32_RATE); - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } else { - lw_xor_block(state, in, temp); - state[temp] ^= 0x01; - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); - } - } - - /* Generate the output hash */ - photon256_permute(state); - memcpy(out, state, 16); - photon256_permute(state); - memcpy(out + 16, state, 16); - return 0; -} diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/photon-beetle.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/photon-beetle.h deleted file mode 100644 index 2d94a7e..0000000 --- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys-avr/photon-beetle.h +++ /dev/null 
@@ -1,224 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_PHOTON_BEETLE_H -#define LWCRYPTO_PHOTON_BEETLE_H - -#include "aead-common.h" - -/** - * \file photon-beetle.h - * \brief PHOTON-Beetle authenticated encryption algorithm. - * - * PHOTON-Beetle is a family of authenticated encryption algorithms based - * on the PHOTON-256 permutation and using the Beetle sponge mode. - * There are three algorithms in the family: - * - * \li PHOTON-Beetle-AEAD-ENC-128 with a 128-bit key, a 128-bit nonce, and a - * 128-bit tag. Data is handled in 16 byte blocks. This is the primary - * member of the family for encryption. - * \li PHOTON-Beetle-AEAD-ENC-32 with a 128-bit key, a 128-bit nonce, and a - * 128-bit tag. Data is handled in 4 byte blocks. - * \li PHOTON-Beetle-Hash with a 256-bit hash output. 
The initial data is - * handled as a 16 byte block, and then the remaining bytes are processed - * in 4 byte blocks. - * - * References: https://www.isical.ac.in/~lightweight/beetle/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for PHOTON-Beetle. - */ -#define PHOTON_BEETLE_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PHOTON-Beetle. - */ -#define PHOTON_BEETLE_TAG_SIZE 16 - -/** - * \brief Size of the nonce for PHOTON-Beetle. - */ -#define PHOTON_BEETLE_NONCE_SIZE 16 - -/** - * \brief Size of the hash output for PHOTON-Beetle-HASH. - */ -#define PHOTON_BEETLE_HASH_SIZE 32 - -/** - * \brief Meta-information block for the PHOTON-Beetle-AEAD-ENC-128 cipher. - */ -extern aead_cipher_t const photon_beetle_128_cipher; - -/** - * \brief Meta-information block for the PHOTON-Beetle-AEAD-ENC-32 cipher. - */ -extern aead_cipher_t const photon_beetle_32_cipher; - -/** - * \brief Meta-information block for the PHOTON-Beetle-HASH algorithm. - */ -extern aead_hash_algorithm_t const photon_beetle_hash_algorithm; - -/** - * \brief Encrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa photon_beetle_128_aead_decrypt() - */ -int photon_beetle_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa photon_beetle_128_aead_encrypt() - */ -int photon_beetle_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-32. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. 
- * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa photon_beetle_32_aead_decrypt() - */ -int photon_beetle_32_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-32. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- *
- * \sa photon_beetle_32_aead_encrypt()
- */
-int photon_beetle_32_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with PHOTON-Beetle-HASH to
- * generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * PHOTON_BEETLE_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int photon_beetle_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-util.h b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-util.h
+++ b/photon-beetle/Implementations/crypto_aead/photonbeetleaead128rate32v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
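Review bot: The selector in the new `#if defined(__AVR__)` block hard-wires LW_CRYPTO_ROTATE32_COMPOSED to the target, so the composed rotation path can only be compiled by an AVR toolchain and never by a host test build. Wrapping the block in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` would let a build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and exercise that path natively, where it is cheap to diff against known-answer vectors. Since these macros feed the cipher permutations, an undetected slip in the composed table would produce wrong-but-plausible output only on the embedded target.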
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/aead-common.c b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
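Review bot: The composed table is hand-derived and nothing in the change checks it against the generic `leftRotate`/`rightRotate` it is built from; I traced the 31 `leftRotateN` compositions and the 31 `rightRotateN` aliases (`rightRotateN` = `leftRotate(32-N)`) and they are consistent, but a host-side unit test that selects this branch and asserts `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for every N over a few bit patterns would make that a property of the build rather than of one review. Each composition level re-enters the statement-expression macro, which presumably declares its own `_temp` (the context line in the earlier hunk shows `_temp` in the generic form), so five-deep forms such as `leftRotate20` nest five shadowing temporaries and will be noisy under `-Wshadow`; a comment on the `#else` line such as `/* Nested statement expressions: each level shadows _temp by design */` would save the next reader a detour. The closing `#endif` here pairs with the `#if !LW_CRYPTO_ROTATE32_COMPOSED` opened in a preceding hunk, outside this one.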
--- a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/aead-common.h b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/api.h b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/api.h
deleted file mode 100644
index ae8c7f6..0000000
--- a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/api.h
+++ /dev/null
@@ -1 +0,0 @@
-#define CRYPTO_BYTES 32
diff --git a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/internal-photon256.c b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/internal-photon256.c
deleted file mode 100644
index b8743fe..0000000
--- a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/internal-photon256.c
+++ /dev/null
@@ -1,479 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-photon256.h" -#include "internal-util.h" - -/** - * \brief Number of rounds in the PHOTON-256 permutation in bit-sliced form. - */ -#define PHOTON256_ROUNDS 12 - -/* Round constants for PHOTON-256 */ -static uint32_t const photon256_rc[PHOTON256_ROUNDS] = { - 0x96d2f0e1, 0xb4f0d2c3, 0xf0b49687, 0x692d0f1e, - 0x5a1e3c2d, 0x3c785a4b, 0xe1a58796, 0x4b0f2d3c, - 0x1e5a7869, 0xa5e1c3d2, 0xd296b4a5, 0x2d694b5a -}; - -/** - * \brief Evaluates the PHOTON-256 S-box in bit-sliced form. - * - * \param x0 Slice with bit 0 of all nibbles. - * \param x1 Slice with bit 1 of all nibbles. - * \param x2 Slice with bit 2 of all nibbles. - * \param x3 Slice with bit 3 of all nibbles. 
- * - * This bit-sliced S-box implementation is based on the AVR version - * "add_avr8_bitslice_asm" from the PHOTON-Beetle reference code. - */ -#define photon256_sbox(x0, x1, x2, x3) \ - do { \ - x1 ^= x2; \ - x3 ^= (x2 & x1); \ - t1 = x3; \ - x3 = (x3 & x1) ^ x2; \ - t2 = x3; \ - x3 ^= x0; \ - x3 = ~(x3); \ - x2 = x3; \ - t2 |= x0; \ - x0 ^= t1; \ - x1 ^= x0; \ - x2 |= x1; \ - x2 ^= t1; \ - x1 ^= t2; \ - x3 ^= x1; \ - } while (0) - -/** - * \brief Performs a field multiplication on the 8 nibbles in a row. - * - * \param a Field constant to multiply by. - * \param x Bit-sliced form of the row, with bits 0..3 of each nibble - * in bytes 0..3 of the word. - * - * \return a * x packed into the bytes of a word. - */ -static uint32_t photon256_field_multiply(uint8_t a, uint32_t x) -{ - /* For each 4-bit nibble we need to do this: - * - * result = 0; - * for (bit = 0; bit < 4; ++ bit) { - * if ((a & (1 << bit)) != 0) - * result ^= x; - * if ((x & 0x08) != 0) { - * x = (x << 1) ^ 3; - * } else { - * x = (x << 1); - * } - * } - * - * We don't need to worry about constant time for "a" because it is a - * known constant that isn't data-dependent. But we do need to worry - * about constant time for "x" as it is data. 
- */ - uint32_t result = 0; - uint32_t t; - #define PARALLEL_CONDITIONAL_ADD(bit) \ - do { \ - if ((a) & (1 << (bit))) \ - result ^= x; \ - } while (0) - #define PARALELL_ROTATE() \ - do { \ - t = x >> 24; \ - x = (x << 8) ^ t ^ (t << 8); \ - } while (0) - PARALLEL_CONDITIONAL_ADD(0); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(1); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(2); - PARALELL_ROTATE(); - PARALLEL_CONDITIONAL_ADD(3); - return result; -} - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/** - * \brief Converts a PHOTON-256 state into bit-sliced form. - * - * \param out Points to the converted output. - * \param in Points to the PHOTON-256 state to convert. - */ -static void photon256_to_sliced - (uint32_t out[PHOTON256_STATE_SIZE / 4], - const unsigned char in[PHOTON256_STATE_SIZE]) -{ - /* We first scatter bits 0..3 of the nibbles to bytes 0..3 of the words. - * Then we rearrange the bytes to group all bits N into word N. - * - * Permutation generated with "http://programming.sirrida.de/calcperm.php". 
- * - * P = [0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 - * 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31] - */ - uint32_t t0, t1, t2, t3; - #define TO_BITSLICED_PERM(x) \ - do { \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - } while (0) - #define FROM_BITSLICED_PERM(x) \ - do { \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - } while (0) - t0 = le_load_word32(in); - t1 = le_load_word32(in + 4); - t2 = le_load_word32(in + 8); - t3 = le_load_word32(in + 12); - TO_BITSLICED_PERM(t0); - TO_BITSLICED_PERM(t1); - TO_BITSLICED_PERM(t2); - TO_BITSLICED_PERM(t3); - out[0] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | - ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); - out[1] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | - ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); - out[2] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | - (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); - out[3] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | - ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); - t0 = le_load_word32(in + 16); - t1 = le_load_word32(in + 20); - t2 = le_load_word32(in + 24); - t3 = le_load_word32(in + 28); - TO_BITSLICED_PERM(t0); - TO_BITSLICED_PERM(t1); - TO_BITSLICED_PERM(t2); - TO_BITSLICED_PERM(t3); - out[4] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | - ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); - out[5] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | - ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); - out[6] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | - (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); - out[7] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | - ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); -} - -/** - * \brief Converts 
a PHOTON-256 state from bit-sliced form. - * - * \param out Points to the converted output. - * \param in Points to the PHOTON-256 state to convert. - */ -static void photon256_from_sliced - (unsigned char out[PHOTON256_STATE_SIZE], - const unsigned char in[PHOTON256_STATE_SIZE]) -{ - /* Do the reverse of photon256_to_sliced() */ - uint32_t x0, x1, x2, x3; - x0 = ((uint32_t)(in[0])) | - (((uint32_t)(in[4])) << 8) | - (((uint32_t)(in[8])) << 16) | - (((uint32_t)(in[12])) << 24); - x1 = ((uint32_t)(in[1])) | - (((uint32_t)(in[5])) << 8) | - (((uint32_t)(in[9])) << 16) | - (((uint32_t)(in[13])) << 24); - x2 = ((uint32_t)(in[2])) | - (((uint32_t)(in[6])) << 8) | - (((uint32_t)(in[10])) << 16) | - (((uint32_t)(in[14])) << 24); - x3 = ((uint32_t)(in[3])) | - (((uint32_t)(in[7])) << 8) | - (((uint32_t)(in[11])) << 16) | - (((uint32_t)(in[15])) << 24); - FROM_BITSLICED_PERM(x0); - FROM_BITSLICED_PERM(x1); - FROM_BITSLICED_PERM(x2); - FROM_BITSLICED_PERM(x3); - le_store_word32(out, x0); - le_store_word32(out + 4, x1); - le_store_word32(out + 8, x2); - le_store_word32(out + 12, x3); - x0 = ((uint32_t)(in[16])) | - (((uint32_t)(in[20])) << 8) | - (((uint32_t)(in[24])) << 16) | - (((uint32_t)(in[28])) << 24); - x1 = ((uint32_t)(in[17])) | - (((uint32_t)(in[21])) << 8) | - (((uint32_t)(in[25])) << 16) | - (((uint32_t)(in[29])) << 24); - x2 = ((uint32_t)(in[18])) | - (((uint32_t)(in[22])) << 8) | - (((uint32_t)(in[26])) << 16) | - (((uint32_t)(in[30])) << 24); - x3 = ((uint32_t)(in[19])) | - (((uint32_t)(in[23])) << 8) | - (((uint32_t)(in[27])) << 16) | - (((uint32_t)(in[31])) << 24); - FROM_BITSLICED_PERM(x0); - FROM_BITSLICED_PERM(x1); - FROM_BITSLICED_PERM(x2); - FROM_BITSLICED_PERM(x3); - le_store_word32(out + 16, x0); - le_store_word32(out + 20, x1); - le_store_word32(out + 24, x2); - le_store_word32(out + 28, x3); -} - -#if defined(LW_UTIL_LITTLE_ENDIAN) -/* Index the bit-sliced state bytes in little-endian byte order */ -#define READ_ROW0() \ - (((uint32_t)(S.bytes[0])) | 
\ - (((uint32_t)(S.bytes[4])) << 8) | \ - (((uint32_t)(S.bytes[8])) << 16) | \ - (((uint32_t)(S.bytes[12])) << 24)) -#define READ_ROW1() \ - (((uint32_t)(S.bytes[1])) | \ - (((uint32_t)(S.bytes[5])) << 8) | \ - (((uint32_t)(S.bytes[9])) << 16) | \ - (((uint32_t)(S.bytes[13])) << 24)) -#define READ_ROW2() \ - (((uint32_t)(S.bytes[2])) | \ - (((uint32_t)(S.bytes[6])) << 8) | \ - (((uint32_t)(S.bytes[10])) << 16) | \ - (((uint32_t)(S.bytes[14])) << 24)) -#define READ_ROW3() \ - (((uint32_t)(S.bytes[3])) | \ - (((uint32_t)(S.bytes[7])) << 8) | \ - (((uint32_t)(S.bytes[11])) << 16) | \ - (((uint32_t)(S.bytes[15])) << 24)) -#define READ_ROW4() \ - (((uint32_t)(S.bytes[16])) | \ - (((uint32_t)(S.bytes[20])) << 8) | \ - (((uint32_t)(S.bytes[24])) << 16) | \ - (((uint32_t)(S.bytes[28])) << 24)) -#define READ_ROW5() \ - (((uint32_t)(S.bytes[17])) | \ - (((uint32_t)(S.bytes[21])) << 8) | \ - (((uint32_t)(S.bytes[25])) << 16) | \ - (((uint32_t)(S.bytes[29])) << 24)) -#define READ_ROW6() \ - (((uint32_t)(S.bytes[18])) | \ - (((uint32_t)(S.bytes[22])) << 8) | \ - (((uint32_t)(S.bytes[26])) << 16) | \ - (((uint32_t)(S.bytes[30])) << 24)) -#define READ_ROW7() \ - (((uint32_t)(S.bytes[19])) | \ - (((uint32_t)(S.bytes[23])) << 8) | \ - (((uint32_t)(S.bytes[27])) << 16) | \ - (((uint32_t)(S.bytes[31])) << 24)) -#define WRITE_ROW(row, value) \ - do { \ - if ((row) < 4) { \ - S.bytes[(row)] = (uint8_t)(value); \ - S.bytes[(row) + 4] = (uint8_t)((value) >> 8); \ - S.bytes[(row) + 8] = (uint8_t)((value) >> 16); \ - S.bytes[(row) + 12] = (uint8_t)((value) >> 24); \ - } else { \ - S.bytes[(row) + 12] = (uint8_t)(value); \ - S.bytes[(row) + 16] = (uint8_t)((value) >> 8); \ - S.bytes[(row) + 20] = (uint8_t)((value) >> 16); \ - S.bytes[(row) + 24] = (uint8_t)((value) >> 24); \ - } \ - } while (0) -#else -/* Index the bit-sliced state bytes in big-endian byte order */ -#define READ_ROW0() \ - (((uint32_t)(S.bytes[3])) | \ - (((uint32_t)(S.bytes[7])) << 8) | \ - (((uint32_t)(S.bytes[11])) << 
16) | \ - (((uint32_t)(S.bytes[15])) << 24)) -#define READ_ROW1() \ - (((uint32_t)(S.bytes[2])) | \ - (((uint32_t)(S.bytes[6])) << 8) | \ - (((uint32_t)(S.bytes[10])) << 16) | \ - (((uint32_t)(S.bytes[14])) << 24)) -#define READ_ROW2() \ - (((uint32_t)(S.bytes[1])) | \ - (((uint32_t)(S.bytes[5])) << 8) | \ - (((uint32_t)(S.bytes[9])) << 16) | \ - (((uint32_t)(S.bytes[13])) << 24)) -#define READ_ROW3() \ - (((uint32_t)(S.bytes[0])) | \ - (((uint32_t)(S.bytes[4])) << 8) | \ - (((uint32_t)(S.bytes[8])) << 16) | \ - (((uint32_t)(S.bytes[12])) << 24)) -#define READ_ROW4() \ - (((uint32_t)(S.bytes[19])) | \ - (((uint32_t)(S.bytes[23])) << 8) | \ - (((uint32_t)(S.bytes[27])) << 16) | \ - (((uint32_t)(S.bytes[31])) << 24)) -#define READ_ROW5() \ - (((uint32_t)(S.bytes[18])) | \ - (((uint32_t)(S.bytes[22])) << 8) | \ - (((uint32_t)(S.bytes[26])) << 16) | \ - (((uint32_t)(S.bytes[30])) << 24)) -#define READ_ROW6() \ - (((uint32_t)(S.bytes[17])) | \ - (((uint32_t)(S.bytes[21])) << 8) | \ - (((uint32_t)(S.bytes[25])) << 16) | \ - (((uint32_t)(S.bytes[29])) << 24)) -#define READ_ROW7() \ - (((uint32_t)(S.bytes[16])) | \ - (((uint32_t)(S.bytes[20])) << 8) | \ - (((uint32_t)(S.bytes[24])) << 16) | \ - (((uint32_t)(S.bytes[28])) << 24)) -#define WRITE_ROW(row, value) \ - do { \ - if ((row) < 4) { \ - S.bytes[3 - (row)] = (uint8_t)(value); \ - S.bytes[7 - (row)] = (uint8_t)((value) >> 8); \ - S.bytes[11 - (row)] = (uint8_t)((value) >> 16); \ - S.bytes[15 - (row)] = (uint8_t)((value) >> 24); \ - } else { \ - S.bytes[20 - (row)] = (uint8_t)(value); \ - S.bytes[24 - (row)] = (uint8_t)((value) >> 8); \ - S.bytes[28 - (row)] = (uint8_t)((value) >> 16); \ - S.bytes[32 - (row)] = (uint8_t)((value) >> 24); \ - } \ - } while (0) -#endif - -void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]) -{ - union { - uint32_t words[PHOTON256_STATE_SIZE / 4]; - uint8_t bytes[PHOTON256_STATE_SIZE]; - } S; - uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8; - uint8_t round; - - /* Convert the 
state into bit-sliced form */ - photon256_to_sliced(S.words, state); - - /* Perform all 12 permutation rounds */ - for (round = 0; round < PHOTON256_ROUNDS; ++round) { - /* Add the constants for this round */ - t0 = photon256_rc[round]; - S.words[0] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[1] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[2] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[3] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[4] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[5] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[6] ^= t0 & 0x01010101U; - t0 >>= 1; - S.words[7] ^= t0 & 0x01010101U; - - /* Apply the sbox to all nibbles in the state */ - photon256_sbox(S.words[0], S.words[1], S.words[2], S.words[3]); - photon256_sbox(S.words[4], S.words[5], S.words[6], S.words[7]); - - /* Rotate all rows left by the row number. - * - * We do this by applying permutations to the top and bottom words - * to rearrange the bits into the rotated form. Permutations - * generated with "http://programming.sirrida.de/calcperm.php". 
- * - * P_top = [0 1 2 3 4 5 6 7 15 8 9 10 11 12 13 14 22 23 - * 16 17 18 19 20 21 29 30 31 24 25 26 27 28] - * P_bot = [4 5 6 7 0 1 2 3 11 12 13 14 15 8 9 10 18 19 - * 20 21 22 23 16 17 25 26 27 28 29 30 31 24 - */ - #define TOP_ROTATE_PERM(x) \ - do { \ - t1 = (x); \ - bit_permute_step(t1, 0x07030100, 4); \ - bit_permute_step(t1, 0x22331100, 2); \ - bit_permute_step(t1, 0x55005500, 1); \ - (x) = t1; \ - } while (0) - #define BOTTOM_ROTATE_PERM(x) \ - do { \ - t1 = (x); \ - bit_permute_step(t1, 0x080c0e0f, 4); \ - bit_permute_step(t1, 0x22331100, 2); \ - bit_permute_step(t1, 0x55005500, 1); \ - (x) = t1; \ - } while (0) - TOP_ROTATE_PERM(S.words[0]); - TOP_ROTATE_PERM(S.words[1]); - TOP_ROTATE_PERM(S.words[2]); - TOP_ROTATE_PERM(S.words[3]); - BOTTOM_ROTATE_PERM(S.words[4]); - BOTTOM_ROTATE_PERM(S.words[5]); - BOTTOM_ROTATE_PERM(S.words[6]); - BOTTOM_ROTATE_PERM(S.words[7]); - - /* Mix the columns */ - #define MUL(a, x) (photon256_field_multiply((a), (x))) - t0 = READ_ROW0(); - t1 = READ_ROW1(); - t2 = READ_ROW2(); - t3 = READ_ROW3(); - t4 = READ_ROW4(); - t5 = READ_ROW5(); - t6 = READ_ROW6(); - t7 = READ_ROW7(); - t8 = MUL(0x02, t0) ^ MUL(0x04, t1) ^ MUL(0x02, t2) ^ MUL(0x0b, t3) ^ - MUL(0x02, t4) ^ MUL(0x08, t5) ^ MUL(0x05, t6) ^ MUL(0x06, t7); - WRITE_ROW(0, t8); - t8 = MUL(0x0c, t0) ^ MUL(0x09, t1) ^ MUL(0x08, t2) ^ MUL(0x0d, t3) ^ - MUL(0x07, t4) ^ MUL(0x07, t5) ^ MUL(0x05, t6) ^ MUL(0x02, t7); - WRITE_ROW(1, t8); - t8 = MUL(0x04, t0) ^ MUL(0x04, t1) ^ MUL(0x0d, t2) ^ MUL(0x0d, t3) ^ - MUL(0x09, t4) ^ MUL(0x04, t5) ^ MUL(0x0d, t6) ^ MUL(0x09, t7); - WRITE_ROW(2, t8); - t8 = MUL(0x01, t0) ^ MUL(0x06, t1) ^ MUL(0x05, t2) ^ MUL(0x01, t3) ^ - MUL(0x0c, t4) ^ MUL(0x0d, t5) ^ MUL(0x0f, t6) ^ MUL(0x0e, t7); - WRITE_ROW(3, t8); - t8 = MUL(0x0f, t0) ^ MUL(0x0c, t1) ^ MUL(0x09, t2) ^ MUL(0x0d, t3) ^ - MUL(0x0e, t4) ^ MUL(0x05, t5) ^ MUL(0x0e, t6) ^ MUL(0x0d, t7); - WRITE_ROW(4, t8); - t8 = MUL(0x09, t0) ^ MUL(0x0e, t1) ^ MUL(0x05, t2) ^ MUL(0x0f, t3) ^ - MUL(0x04, t4) 
^ MUL(0x0c, t5) ^ MUL(0x09, t6) ^ MUL(0x06, t7); - WRITE_ROW(5, t8); - t8 = MUL(0x0c, t0) ^ MUL(0x02, t1) ^ MUL(0x02, t2) ^ MUL(0x0a, t3) ^ - MUL(0x03, t4) ^ MUL(0x01, t5) ^ MUL(0x01, t6) ^ MUL(0x0e, t7); - WRITE_ROW(6, t8); - t8 = MUL(0x0f, t0) ^ MUL(0x01, t1) ^ MUL(0x0d, t2) ^ MUL(0x0a, t3) ^ - MUL(0x05, t4) ^ MUL(0x0a, t5) ^ MUL(0x02, t6) ^ MUL(0x03, t7); - WRITE_ROW(7, t8); - } - - /* Convert back from bit-sliced form to regular form */ - photon256_from_sliced(state, S.bytes); -} diff --git a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/internal-photon256.h b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/internal-photon256.h deleted file mode 100644 index ce8729a..0000000 --- a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/internal-photon256.h +++ /dev/null 
@@ -1,54 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_PHOTON256_H -#define LW_INTERNAL_PHOTON256_H - -/** - * \file internal-photon256.h - * \brief Internal implementation of the PHOTON-256 permutation. - * - * Warning: The current implementation of PHOTON-256 is constant-time - * but not constant-cache. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the PHOTON-256 permutation state in bytes. - */ -#define PHOTON256_STATE_SIZE 32 - -/** - * \brief Permutes the PHOTON-256 state. - * - * \param state The state to be permuted. - */ -void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]); - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/internal-util.h b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
-
(((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
-
do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time.
This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate
by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define
rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a)
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) |
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/photon-beetle.c b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/photon-beetle.c
deleted file mode 100644
index f44bdad..0000000
--- a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/photon-beetle.c
+++ /dev/null
@@ -1,451 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE. 
- */
-
-#include "photon-beetle.h"
-#include "internal-photon256.h"
-#include "internal-util.h"
-#include 
-
-aead_cipher_t const photon_beetle_128_cipher = {
- "PHOTON-Beetle-AEAD-ENC-128",
- PHOTON_BEETLE_KEY_SIZE,
- PHOTON_BEETLE_NONCE_SIZE,
- PHOTON_BEETLE_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- photon_beetle_128_aead_encrypt,
- photon_beetle_128_aead_decrypt
-};
-
-aead_cipher_t const photon_beetle_32_cipher = {
- "PHOTON-Beetle-AEAD-ENC-32",
- PHOTON_BEETLE_KEY_SIZE,
- PHOTON_BEETLE_NONCE_SIZE,
- PHOTON_BEETLE_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- photon_beetle_32_aead_encrypt,
- photon_beetle_32_aead_decrypt
-};
-
-aead_hash_algorithm_t const photon_beetle_hash_algorithm = {
- "PHOTON-Beetle-HASH",
- sizeof(int),
- PHOTON_BEETLE_HASH_SIZE,
- AEAD_FLAG_NONE,
- photon_beetle_hash,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \brief Rate of operation for PHOTON-Beetle-AEAD-ENC-128.
- */
-#define PHOTON_BEETLE_128_RATE 16
-
-/**
- * \brief Rate of operation for PHOTON-Beetle-AEAD-ENC-32.
- */
-#define PHOTON_BEETLE_32_RATE 4
-
-/* Shifts a domain constant from the spec to the correct bit position */
-#define DOMAIN(c) ((c) << 5)
-
-/**
- * \brief Processes the associated data for PHOTON-Beetle.
- *
- * \param state PHOTON-256 permutation state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data, must be non-zero.
- * \param rate Rate of absorption for the data.
- * \param mempty Non-zero if the message is empty. 
- */ -static void photon_beetle_process_ad - (unsigned char state[PHOTON256_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen, - unsigned rate, int mempty) -{ - unsigned temp; - - /* Absorb as many full rate blocks as possible */ - while (adlen > rate) { - photon256_permute(state); - lw_xor_block(state, ad, rate); - ad += rate; - adlen -= rate; - } - - /* Pad and absorb the last block */ - temp = (unsigned)adlen; - photon256_permute(state); - lw_xor_block(state, ad, temp); - if (temp < rate) - state[temp] ^= 0x01; /* padding */ - - /* Add the domain constant to finalize associated data processing */ - if (mempty && temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(3); - else if (mempty) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(4); - else if (temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - else - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); -} - -/** - * \brief Rotates part of the PHOTON-256 state right by one bit. - * - * \param out Output state buffer. - * \param in Input state buffer, must not overlap with \a out. - * \param len Length of the state buffer. - */ -static void photon_beetle_rotate1 - (unsigned char *out, const unsigned char *in, unsigned len) -{ - unsigned posn; - for (posn = 0; posn < (len - 1); ++posn) - out[posn] = (in[posn] >> 1) | (in[posn + 1] << 7); - out[len - 1] = (in[len - 1] >> 1) | (in[0] << 7); -} - -/** - * \brief Encrypts a plaintext block with PHOTON-Beetle. - * - * \param state PHOTON-256 permutation state. - * \param c Points to the ciphertext output buffer. - * \param m Points to the plaintext input buffer. - * \param mlen Length of the message, must be non-zero. - * \param rate Rate of absorption for the data. - * \param adempty Non-zero if the associated data is empty. 
- */ -static void photon_beetle_encrypt - (unsigned char state[PHOTON256_STATE_SIZE], - unsigned char *c, const unsigned char *m, unsigned long long mlen, - unsigned rate, int adempty) -{ - unsigned char shuffle[PHOTON_BEETLE_128_RATE]; /* Block of max rate size */ - unsigned temp; - - /* Process all plaintext blocks except the last */ - while (mlen > rate) { - photon256_permute(state); - memcpy(shuffle, state + rate / 2, rate / 2); - photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); - lw_xor_block(state, m, rate); - lw_xor_block_2_src(c, m, shuffle, rate); - c += rate; - m += rate; - mlen -= rate; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - photon256_permute(state); - memcpy(shuffle, state + rate / 2, rate / 2); - photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); - if (temp == rate) { - lw_xor_block(state, m, rate); - lw_xor_block_2_src(c, m, shuffle, rate); - } else { - lw_xor_block(state, m, temp); - state[temp] ^= 0x01; /* padding */ - lw_xor_block_2_src(c, m, shuffle, temp); - } - - /* Add the domain constant to finalize message processing */ - if (adempty && temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(5); - else if (adempty) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(6); - else if (temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - else - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); -} - -/** - * \brief Decrypts a ciphertext block with PHOTON-Beetle. - * - * \param state PHOTON-256 permutation state. - * \param m Points to the plaintext output buffer. - * \param c Points to the ciphertext input buffer. - * \param mlen Length of the message, must be non-zero. - * \param rate Rate of absorption for the data. - * \param adempty Non-zero if the associated data is empty. 
- */ -static void photon_beetle_decrypt - (unsigned char state[PHOTON256_STATE_SIZE], - unsigned char *m, const unsigned char *c, unsigned long long mlen, - unsigned rate, int adempty) -{ - unsigned char shuffle[PHOTON_BEETLE_128_RATE]; /* Block of max rate size */ - unsigned temp; - - /* Process all plaintext blocks except the last */ - while (mlen > rate) { - photon256_permute(state); - memcpy(shuffle, state + rate / 2, rate / 2); - photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); - lw_xor_block_2_src(m, c, shuffle, rate); - lw_xor_block(state, m, rate); - c += rate; - m += rate; - mlen -= rate; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - photon256_permute(state); - memcpy(shuffle, state + rate / 2, rate / 2); - photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); - if (temp == rate) { - lw_xor_block_2_src(m, c, shuffle, rate); - lw_xor_block(state, m, rate); - } else { - lw_xor_block_2_src(m, c, shuffle, temp); - lw_xor_block(state, m, temp); - state[temp] ^= 0x01; /* padding */ - } - - /* Add the domain constant to finalize message processing */ - if (adempty && temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(5); - else if (adempty) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(6); - else if (temp == rate) - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - else - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); -} - -int photon_beetle_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + PHOTON_BEETLE_TAG_SIZE; - - /* Initialize the state by concatenating the nonce and the key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Process the associated data */ - if (adlen > 0) 
{ - photon_beetle_process_ad - (state, ad, adlen, PHOTON_BEETLE_128_RATE, mlen == 0); - } else if (mlen == 0) { - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - photon_beetle_encrypt - (state, c, m, mlen, PHOTON_BEETLE_128_RATE, adlen == 0); - } - - /* Generate the authentication tag */ - photon256_permute(state); - memcpy(c + mlen, state, PHOTON_BEETLE_TAG_SIZE); - return 0; -} - -int photon_beetle_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < PHOTON_BEETLE_TAG_SIZE) - return -1; - *mlen = clen - PHOTON_BEETLE_TAG_SIZE; - - /* Initialize the state by concatenating the nonce and the key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Process the associated data */ - clen -= PHOTON_BEETLE_TAG_SIZE; - if (adlen > 0) { - photon_beetle_process_ad - (state, ad, adlen, PHOTON_BEETLE_128_RATE, clen == 0); - } else if (clen == 0) { - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > 0) { - photon_beetle_decrypt - (state, m, c, clen, PHOTON_BEETLE_128_RATE, adlen == 0); - } - - /* Check the authentication tag */ - photon256_permute(state); - return aead_check_tag(m, clen, state, c + clen, PHOTON_BEETLE_TAG_SIZE); -} - -int photon_beetle_32_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Set the length 
of the returned ciphertext */ - *clen = mlen + PHOTON_BEETLE_TAG_SIZE; - - /* Initialize the state by concatenating the nonce and the key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Process the associated data */ - if (adlen > 0) { - photon_beetle_process_ad - (state, ad, adlen, PHOTON_BEETLE_32_RATE, mlen == 0); - } else if (mlen == 0) { - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - photon_beetle_encrypt - (state, c, m, mlen, PHOTON_BEETLE_32_RATE, adlen == 0); - } - - /* Generate the authentication tag */ - photon256_permute(state); - memcpy(c + mlen, state, PHOTON_BEETLE_TAG_SIZE); - return 0; -} - -int photon_beetle_32_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[PHOTON256_STATE_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < PHOTON_BEETLE_TAG_SIZE) - return -1; - *mlen = clen - PHOTON_BEETLE_TAG_SIZE; - - /* Initialize the state by concatenating the nonce and the key */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Process the associated data */ - clen -= PHOTON_BEETLE_TAG_SIZE; - if (adlen > 0) { - photon_beetle_process_ad - (state, ad, adlen, PHOTON_BEETLE_32_RATE, clen == 0); - } else if (clen == 0) { - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } - - /* Decrypt the ciphertext to produce the plaintext */ - if (clen > 0) { - photon_beetle_decrypt - (state, m, c, clen, PHOTON_BEETLE_32_RATE, adlen == 0); - } - - /* Check the authentication tag */ - photon256_permute(state); - return aead_check_tag(m, clen, state, c + clen, PHOTON_BEETLE_TAG_SIZE); -} - -int photon_beetle_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - 
unsigned char state[PHOTON256_STATE_SIZE]; - unsigned temp; - - /* Absorb the input data */ - if (inlen == 0) { - /* No input data at all */ - memset(state, 0, sizeof(state) - 1); - state[PHOTON256_STATE_SIZE - 1] = DOMAIN(1); - } else if (inlen <= PHOTON_BEETLE_128_RATE) { - /* Only one block of input data, which may require padding */ - temp = (unsigned)inlen; - memcpy(state, in, temp); - memset(state + temp, 0, sizeof(state) - temp - 1); - if (temp < PHOTON_BEETLE_128_RATE) { - state[temp] = 0x01; - state[PHOTON256_STATE_SIZE - 1] = DOMAIN(1); - } else { - state[PHOTON256_STATE_SIZE - 1] = DOMAIN(2); - } - } else { - /* Initialize the state with the first block, then absorb the rest */ - memcpy(state, in, PHOTON_BEETLE_128_RATE); - memset(state + PHOTON_BEETLE_128_RATE, 0, - sizeof(state) - PHOTON_BEETLE_128_RATE); - in += PHOTON_BEETLE_128_RATE; - inlen -= PHOTON_BEETLE_128_RATE; - while (inlen > PHOTON_BEETLE_32_RATE) { - photon256_permute(state); - lw_xor_block(state, in, PHOTON_BEETLE_32_RATE); - in += PHOTON_BEETLE_32_RATE; - inlen -= PHOTON_BEETLE_32_RATE; - } - photon256_permute(state); - temp = (unsigned)inlen; - if (temp == PHOTON_BEETLE_32_RATE) { - lw_xor_block(state, in, PHOTON_BEETLE_32_RATE); - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); - } else { - lw_xor_block(state, in, temp); - state[temp] ^= 0x01; - state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); - } - } - - /* Generate the output hash */ - photon256_permute(state); - memcpy(out, state, 16); - photon256_permute(state); - memcpy(out + 16, state, 16); - return 0; -} diff --git a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/photon-beetle.h b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/photon-beetle.h deleted file mode 100644 index 2d94a7e..0000000 --- a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/photon-beetle.h +++ /dev/null 
@@ -1,224 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_PHOTON_BEETLE_H
-#define LWCRYPTO_PHOTON_BEETLE_H
-
-#include "aead-common.h"
-
-/**
- * \file photon-beetle.h
- * \brief PHOTON-Beetle authenticated encryption algorithm.
- *
- * PHOTON-Beetle is a family of authenticated encryption algorithms based
- * on the PHOTON-256 permutation and using the Beetle sponge mode.
- * There are three algorithms in the family:
- *
- * \li PHOTON-Beetle-AEAD-ENC-128 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag. Data is handled in 16 byte blocks. This is the primary
- * member of the family for encryption.
- * \li PHOTON-Beetle-AEAD-ENC-32 with a 128-bit key, a 128-bit nonce, and a
- * 128-bit tag. Data is handled in 4 byte blocks.
- * \li PHOTON-Beetle-Hash with a 256-bit hash output. 
The initial data is - * handled as a 16 byte block, and then the remaining bytes are processed - * in 4 byte blocks. - * - * References: https://www.isical.ac.in/~lightweight/beetle/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for PHOTON-Beetle. - */ -#define PHOTON_BEETLE_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PHOTON-Beetle. - */ -#define PHOTON_BEETLE_TAG_SIZE 16 - -/** - * \brief Size of the nonce for PHOTON-Beetle. - */ -#define PHOTON_BEETLE_NONCE_SIZE 16 - -/** - * \brief Size of the hash output for PHOTON-Beetle-HASH. - */ -#define PHOTON_BEETLE_HASH_SIZE 32 - -/** - * \brief Meta-information block for the PHOTON-Beetle-AEAD-ENC-128 cipher. - */ -extern aead_cipher_t const photon_beetle_128_cipher; - -/** - * \brief Meta-information block for the PHOTON-Beetle-AEAD-ENC-32 cipher. - */ -extern aead_cipher_t const photon_beetle_32_cipher; - -/** - * \brief Meta-information block for the PHOTON-Beetle-HASH algorithm. - */ -extern aead_hash_algorithm_t const photon_beetle_hash_algorithm; - -/** - * \brief Encrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa photon_beetle_128_aead_decrypt() - */ -int photon_beetle_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa photon_beetle_128_aead_encrypt() - */ -int photon_beetle_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-32. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. 
- * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa photon_beetle_32_aead_decrypt() - */ -int photon_beetle_32_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-32. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- *
- * \sa photon_beetle_32_aead_encrypt()
- */
-int photon_beetle_32_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with PHOTON-Beetle-HASH to
- * generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * PHOTON_BEETLE_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int photon_beetle_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/aead-common.c b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/aead-common.c
similarity index 100%
rename from drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/aead-common.c
rename to photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/aead-common.c
diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/aead-common.h b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/aead-common.h
similarity index 100%
rename from drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/aead-common.h
rename to photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/aead-common.h
diff --git a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/api.h b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/api.h
new file mode 100644
index 0000000..ae8c7f6
--- /dev/null
+++ b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/api.h
@@ -0,0 +1 @@
+#define CRYPTO_BYTES 32
diff --git a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/hash.c b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/hash.c
similarity index 100%
rename from photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys-avr/hash.c
rename to photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/hash.c
diff --git a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/internal-photon256.c b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/internal-photon256.c
new file mode 100644
index 0000000..b8743fe
--- /dev/null
+++ b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/internal-photon256.c
@@ -0,0 +1,479 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "internal-photon256.h"
+#include "internal-util.h"
+
+/**
+ * \brief Number of rounds in the PHOTON-256 permutation in bit-sliced form.
+ */
+#define PHOTON256_ROUNDS 12
+
+/* Round constants for PHOTON-256 */
+static uint32_t const photon256_rc[PHOTON256_ROUNDS] = {
+ 0x96d2f0e1, 0xb4f0d2c3, 0xf0b49687, 0x692d0f1e,
+ 0x5a1e3c2d, 0x3c785a4b, 0xe1a58796, 0x4b0f2d3c,
+ 0x1e5a7869, 0xa5e1c3d2, 0xd296b4a5, 0x2d694b5a
+};
+
+/**
+ * \brief Evaluates the PHOTON-256 S-box in bit-sliced form.
+ *
+ * \param x0 Slice with bit 0 of all nibbles.
+ * \param x1 Slice with bit 1 of all nibbles.
+ * \param x2 Slice with bit 2 of all nibbles.
+ * \param x3 Slice with bit 3 of all nibbles. 
+ * + * This bit-sliced S-box implementation is based on the AVR version + * "add_avr8_bitslice_asm" from the PHOTON-Beetle reference code. + */ +#define photon256_sbox(x0, x1, x2, x3) \ + do { \ + x1 ^= x2; \ + x3 ^= (x2 & x1); \ + t1 = x3; \ + x3 = (x3 & x1) ^ x2; \ + t2 = x3; \ + x3 ^= x0; \ + x3 = ~(x3); \ + x2 = x3; \ + t2 |= x0; \ + x0 ^= t1; \ + x1 ^= x0; \ + x2 |= x1; \ + x2 ^= t1; \ + x1 ^= t2; \ + x3 ^= x1; \ + } while (0) + +/** + * \brief Performs a field multiplication on the 8 nibbles in a row. + * + * \param a Field constant to multiply by. + * \param x Bit-sliced form of the row, with bits 0..3 of each nibble + * in bytes 0..3 of the word. + * + * \return a * x packed into the bytes of a word. + */ +static uint32_t photon256_field_multiply(uint8_t a, uint32_t x) +{ + /* For each 4-bit nibble we need to do this: + * + * result = 0; + * for (bit = 0; bit < 4; ++ bit) { + * if ((a & (1 << bit)) != 0) + * result ^= x; + * if ((x & 0x08) != 0) { + * x = (x << 1) ^ 3; + * } else { + * x = (x << 1); + * } + * } + * + * We don't need to worry about constant time for "a" because it is a + * known constant that isn't data-dependent. But we do need to worry + * about constant time for "x" as it is data. 
+ */ + uint32_t result = 0; + uint32_t t; + #define PARALLEL_CONDITIONAL_ADD(bit) \ + do { \ + if ((a) & (1 << (bit))) \ + result ^= x; \ + } while (0) + #define PARALELL_ROTATE() \ + do { \ + t = x >> 24; \ + x = (x << 8) ^ t ^ (t << 8); \ + } while (0) + PARALLEL_CONDITIONAL_ADD(0); + PARALELL_ROTATE(); + PARALLEL_CONDITIONAL_ADD(1); + PARALELL_ROTATE(); + PARALLEL_CONDITIONAL_ADD(2); + PARALELL_ROTATE(); + PARALLEL_CONDITIONAL_ADD(3); + return result; +} + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/** + * \brief Converts a PHOTON-256 state into bit-sliced form. + * + * \param out Points to the converted output. + * \param in Points to the PHOTON-256 state to convert. + */ +static void photon256_to_sliced + (uint32_t out[PHOTON256_STATE_SIZE / 4], + const unsigned char in[PHOTON256_STATE_SIZE]) +{ + /* We first scatter bits 0..3 of the nibbles to bytes 0..3 of the words. + * Then we rearrange the bytes to group all bits N into word N. + * + * Permutation generated with "http://programming.sirrida.de/calcperm.php". 
+ * + * P = [0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 + * 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31] + */ + uint32_t t0, t1, t2, t3; + #define TO_BITSLICED_PERM(x) \ + do { \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + } while (0) + #define FROM_BITSLICED_PERM(x) \ + do { \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + } while (0) + t0 = le_load_word32(in); + t1 = le_load_word32(in + 4); + t2 = le_load_word32(in + 8); + t3 = le_load_word32(in + 12); + TO_BITSLICED_PERM(t0); + TO_BITSLICED_PERM(t1); + TO_BITSLICED_PERM(t2); + TO_BITSLICED_PERM(t3); + out[0] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | + ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); + out[1] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | + ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); + out[2] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | + (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); + out[3] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | + ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); + t0 = le_load_word32(in + 16); + t1 = le_load_word32(in + 20); + t2 = le_load_word32(in + 24); + t3 = le_load_word32(in + 28); + TO_BITSLICED_PERM(t0); + TO_BITSLICED_PERM(t1); + TO_BITSLICED_PERM(t2); + TO_BITSLICED_PERM(t3); + out[4] = (t0 & 0x000000FFU) | ((t1 << 8) & 0x0000FF00U) | + ((t2 << 16) & 0x00FF0000U) | ((t3 << 24) & 0xFF000000U); + out[5] = ((t0 >> 8) & 0x000000FFU) | (t1 & 0x0000FF00U) | + ((t2 << 8) & 0x00FF0000U) | ((t3 << 16) & 0xFF000000U); + out[6] = ((t0 >> 16) & 0x000000FFU) | ((t1 >> 8) & 0x0000FF00U) | + (t2 & 0x00FF0000U) | ((t3 << 8) & 0xFF000000U); + out[7] = ((t0 >> 24) & 0x000000FFU) | ((t1 >> 16) & 0x0000FF00U) | + ((t2 >> 8) & 0x00FF0000U) | (t3 & 0xFF000000U); +} + +/** + * \brief Converts 
a PHOTON-256 state from bit-sliced form. + * + * \param out Points to the converted output. + * \param in Points to the PHOTON-256 state to convert. + */ +static void photon256_from_sliced + (unsigned char out[PHOTON256_STATE_SIZE], + const unsigned char in[PHOTON256_STATE_SIZE]) +{ + /* Do the reverse of photon256_to_sliced() */ + uint32_t x0, x1, x2, x3; + x0 = ((uint32_t)(in[0])) | + (((uint32_t)(in[4])) << 8) | + (((uint32_t)(in[8])) << 16) | + (((uint32_t)(in[12])) << 24); + x1 = ((uint32_t)(in[1])) | + (((uint32_t)(in[5])) << 8) | + (((uint32_t)(in[9])) << 16) | + (((uint32_t)(in[13])) << 24); + x2 = ((uint32_t)(in[2])) | + (((uint32_t)(in[6])) << 8) | + (((uint32_t)(in[10])) << 16) | + (((uint32_t)(in[14])) << 24); + x3 = ((uint32_t)(in[3])) | + (((uint32_t)(in[7])) << 8) | + (((uint32_t)(in[11])) << 16) | + (((uint32_t)(in[15])) << 24); + FROM_BITSLICED_PERM(x0); + FROM_BITSLICED_PERM(x1); + FROM_BITSLICED_PERM(x2); + FROM_BITSLICED_PERM(x3); + le_store_word32(out, x0); + le_store_word32(out + 4, x1); + le_store_word32(out + 8, x2); + le_store_word32(out + 12, x3); + x0 = ((uint32_t)(in[16])) | + (((uint32_t)(in[20])) << 8) | + (((uint32_t)(in[24])) << 16) | + (((uint32_t)(in[28])) << 24); + x1 = ((uint32_t)(in[17])) | + (((uint32_t)(in[21])) << 8) | + (((uint32_t)(in[25])) << 16) | + (((uint32_t)(in[29])) << 24); + x2 = ((uint32_t)(in[18])) | + (((uint32_t)(in[22])) << 8) | + (((uint32_t)(in[26])) << 16) | + (((uint32_t)(in[30])) << 24); + x3 = ((uint32_t)(in[19])) | + (((uint32_t)(in[23])) << 8) | + (((uint32_t)(in[27])) << 16) | + (((uint32_t)(in[31])) << 24); + FROM_BITSLICED_PERM(x0); + FROM_BITSLICED_PERM(x1); + FROM_BITSLICED_PERM(x2); + FROM_BITSLICED_PERM(x3); + le_store_word32(out + 16, x0); + le_store_word32(out + 20, x1); + le_store_word32(out + 24, x2); + le_store_word32(out + 28, x3); +} + +#if defined(LW_UTIL_LITTLE_ENDIAN) +/* Index the bit-sliced state bytes in little-endian byte order */ +#define READ_ROW0() \ + (((uint32_t)(S.bytes[0])) | 
\ + (((uint32_t)(S.bytes[4])) << 8) | \ + (((uint32_t)(S.bytes[8])) << 16) | \ + (((uint32_t)(S.bytes[12])) << 24)) +#define READ_ROW1() \ + (((uint32_t)(S.bytes[1])) | \ + (((uint32_t)(S.bytes[5])) << 8) | \ + (((uint32_t)(S.bytes[9])) << 16) | \ + (((uint32_t)(S.bytes[13])) << 24)) +#define READ_ROW2() \ + (((uint32_t)(S.bytes[2])) | \ + (((uint32_t)(S.bytes[6])) << 8) | \ + (((uint32_t)(S.bytes[10])) << 16) | \ + (((uint32_t)(S.bytes[14])) << 24)) +#define READ_ROW3() \ + (((uint32_t)(S.bytes[3])) | \ + (((uint32_t)(S.bytes[7])) << 8) | \ + (((uint32_t)(S.bytes[11])) << 16) | \ + (((uint32_t)(S.bytes[15])) << 24)) +#define READ_ROW4() \ + (((uint32_t)(S.bytes[16])) | \ + (((uint32_t)(S.bytes[20])) << 8) | \ + (((uint32_t)(S.bytes[24])) << 16) | \ + (((uint32_t)(S.bytes[28])) << 24)) +#define READ_ROW5() \ + (((uint32_t)(S.bytes[17])) | \ + (((uint32_t)(S.bytes[21])) << 8) | \ + (((uint32_t)(S.bytes[25])) << 16) | \ + (((uint32_t)(S.bytes[29])) << 24)) +#define READ_ROW6() \ + (((uint32_t)(S.bytes[18])) | \ + (((uint32_t)(S.bytes[22])) << 8) | \ + (((uint32_t)(S.bytes[26])) << 16) | \ + (((uint32_t)(S.bytes[30])) << 24)) +#define READ_ROW7() \ + (((uint32_t)(S.bytes[19])) | \ + (((uint32_t)(S.bytes[23])) << 8) | \ + (((uint32_t)(S.bytes[27])) << 16) | \ + (((uint32_t)(S.bytes[31])) << 24)) +#define WRITE_ROW(row, value) \ + do { \ + if ((row) < 4) { \ + S.bytes[(row)] = (uint8_t)(value); \ + S.bytes[(row) + 4] = (uint8_t)((value) >> 8); \ + S.bytes[(row) + 8] = (uint8_t)((value) >> 16); \ + S.bytes[(row) + 12] = (uint8_t)((value) >> 24); \ + } else { \ + S.bytes[(row) + 12] = (uint8_t)(value); \ + S.bytes[(row) + 16] = (uint8_t)((value) >> 8); \ + S.bytes[(row) + 20] = (uint8_t)((value) >> 16); \ + S.bytes[(row) + 24] = (uint8_t)((value) >> 24); \ + } \ + } while (0) +#else +/* Index the bit-sliced state bytes in big-endian byte order */ +#define READ_ROW0() \ + (((uint32_t)(S.bytes[3])) | \ + (((uint32_t)(S.bytes[7])) << 8) | \ + (((uint32_t)(S.bytes[11])) << 
16) | \ + (((uint32_t)(S.bytes[15])) << 24)) +#define READ_ROW1() \ + (((uint32_t)(S.bytes[2])) | \ + (((uint32_t)(S.bytes[6])) << 8) | \ + (((uint32_t)(S.bytes[10])) << 16) | \ + (((uint32_t)(S.bytes[14])) << 24)) +#define READ_ROW2() \ + (((uint32_t)(S.bytes[1])) | \ + (((uint32_t)(S.bytes[5])) << 8) | \ + (((uint32_t)(S.bytes[9])) << 16) | \ + (((uint32_t)(S.bytes[13])) << 24)) +#define READ_ROW3() \ + (((uint32_t)(S.bytes[0])) | \ + (((uint32_t)(S.bytes[4])) << 8) | \ + (((uint32_t)(S.bytes[8])) << 16) | \ + (((uint32_t)(S.bytes[12])) << 24)) +#define READ_ROW4() \ + (((uint32_t)(S.bytes[19])) | \ + (((uint32_t)(S.bytes[23])) << 8) | \ + (((uint32_t)(S.bytes[27])) << 16) | \ + (((uint32_t)(S.bytes[31])) << 24)) +#define READ_ROW5() \ + (((uint32_t)(S.bytes[18])) | \ + (((uint32_t)(S.bytes[22])) << 8) | \ + (((uint32_t)(S.bytes[26])) << 16) | \ + (((uint32_t)(S.bytes[30])) << 24)) +#define READ_ROW6() \ + (((uint32_t)(S.bytes[17])) | \ + (((uint32_t)(S.bytes[21])) << 8) | \ + (((uint32_t)(S.bytes[25])) << 16) | \ + (((uint32_t)(S.bytes[29])) << 24)) +#define READ_ROW7() \ + (((uint32_t)(S.bytes[16])) | \ + (((uint32_t)(S.bytes[20])) << 8) | \ + (((uint32_t)(S.bytes[24])) << 16) | \ + (((uint32_t)(S.bytes[28])) << 24)) +#define WRITE_ROW(row, value) \ + do { \ + if ((row) < 4) { \ + S.bytes[3 - (row)] = (uint8_t)(value); \ + S.bytes[7 - (row)] = (uint8_t)((value) >> 8); \ + S.bytes[11 - (row)] = (uint8_t)((value) >> 16); \ + S.bytes[15 - (row)] = (uint8_t)((value) >> 24); \ + } else { \ + S.bytes[20 - (row)] = (uint8_t)(value); \ + S.bytes[24 - (row)] = (uint8_t)((value) >> 8); \ + S.bytes[28 - (row)] = (uint8_t)((value) >> 16); \ + S.bytes[32 - (row)] = (uint8_t)((value) >> 24); \ + } \ + } while (0) +#endif + +void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]) +{ + union { + uint32_t words[PHOTON256_STATE_SIZE / 4]; + uint8_t bytes[PHOTON256_STATE_SIZE]; + } S; + uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8; + uint8_t round; + + /* Convert the 
state into bit-sliced form */ + photon256_to_sliced(S.words, state); + + /* Perform all 12 permutation rounds */ + for (round = 0; round < PHOTON256_ROUNDS; ++round) { + /* Add the constants for this round */ + t0 = photon256_rc[round]; + S.words[0] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[1] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[2] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[3] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[4] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[5] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[6] ^= t0 & 0x01010101U; + t0 >>= 1; + S.words[7] ^= t0 & 0x01010101U; + + /* Apply the sbox to all nibbles in the state */ + photon256_sbox(S.words[0], S.words[1], S.words[2], S.words[3]); + photon256_sbox(S.words[4], S.words[5], S.words[6], S.words[7]); + + /* Rotate all rows left by the row number. + * + * We do this by applying permutations to the top and bottom words + * to rearrange the bits into the rotated form. Permutations + * generated with "http://programming.sirrida.de/calcperm.php". 
+ * + * P_top = [0 1 2 3 4 5 6 7 15 8 9 10 11 12 13 14 22 23 + * 16 17 18 19 20 21 29 30 31 24 25 26 27 28] + * P_bot = [4 5 6 7 0 1 2 3 11 12 13 14 15 8 9 10 18 19 + * 20 21 22 23 16 17 25 26 27 28 29 30 31 24 + */ + #define TOP_ROTATE_PERM(x) \ + do { \ + t1 = (x); \ + bit_permute_step(t1, 0x07030100, 4); \ + bit_permute_step(t1, 0x22331100, 2); \ + bit_permute_step(t1, 0x55005500, 1); \ + (x) = t1; \ + } while (0) + #define BOTTOM_ROTATE_PERM(x) \ + do { \ + t1 = (x); \ + bit_permute_step(t1, 0x080c0e0f, 4); \ + bit_permute_step(t1, 0x22331100, 2); \ + bit_permute_step(t1, 0x55005500, 1); \ + (x) = t1; \ + } while (0) + TOP_ROTATE_PERM(S.words[0]); + TOP_ROTATE_PERM(S.words[1]); + TOP_ROTATE_PERM(S.words[2]); + TOP_ROTATE_PERM(S.words[3]); + BOTTOM_ROTATE_PERM(S.words[4]); + BOTTOM_ROTATE_PERM(S.words[5]); + BOTTOM_ROTATE_PERM(S.words[6]); + BOTTOM_ROTATE_PERM(S.words[7]); + + /* Mix the columns */ + #define MUL(a, x) (photon256_field_multiply((a), (x))) + t0 = READ_ROW0(); + t1 = READ_ROW1(); + t2 = READ_ROW2(); + t3 = READ_ROW3(); + t4 = READ_ROW4(); + t5 = READ_ROW5(); + t6 = READ_ROW6(); + t7 = READ_ROW7(); + t8 = MUL(0x02, t0) ^ MUL(0x04, t1) ^ MUL(0x02, t2) ^ MUL(0x0b, t3) ^ + MUL(0x02, t4) ^ MUL(0x08, t5) ^ MUL(0x05, t6) ^ MUL(0x06, t7); + WRITE_ROW(0, t8); + t8 = MUL(0x0c, t0) ^ MUL(0x09, t1) ^ MUL(0x08, t2) ^ MUL(0x0d, t3) ^ + MUL(0x07, t4) ^ MUL(0x07, t5) ^ MUL(0x05, t6) ^ MUL(0x02, t7); + WRITE_ROW(1, t8); + t8 = MUL(0x04, t0) ^ MUL(0x04, t1) ^ MUL(0x0d, t2) ^ MUL(0x0d, t3) ^ + MUL(0x09, t4) ^ MUL(0x04, t5) ^ MUL(0x0d, t6) ^ MUL(0x09, t7); + WRITE_ROW(2, t8); + t8 = MUL(0x01, t0) ^ MUL(0x06, t1) ^ MUL(0x05, t2) ^ MUL(0x01, t3) ^ + MUL(0x0c, t4) ^ MUL(0x0d, t5) ^ MUL(0x0f, t6) ^ MUL(0x0e, t7); + WRITE_ROW(3, t8); + t8 = MUL(0x0f, t0) ^ MUL(0x0c, t1) ^ MUL(0x09, t2) ^ MUL(0x0d, t3) ^ + MUL(0x0e, t4) ^ MUL(0x05, t5) ^ MUL(0x0e, t6) ^ MUL(0x0d, t7); + WRITE_ROW(4, t8); + t8 = MUL(0x09, t0) ^ MUL(0x0e, t1) ^ MUL(0x05, t2) ^ MUL(0x0f, t3) ^ + MUL(0x04, t4) 
^ MUL(0x0c, t5) ^ MUL(0x09, t6) ^ MUL(0x06, t7); + WRITE_ROW(5, t8); + t8 = MUL(0x0c, t0) ^ MUL(0x02, t1) ^ MUL(0x02, t2) ^ MUL(0x0a, t3) ^ + MUL(0x03, t4) ^ MUL(0x01, t5) ^ MUL(0x01, t6) ^ MUL(0x0e, t7); + WRITE_ROW(6, t8); + t8 = MUL(0x0f, t0) ^ MUL(0x01, t1) ^ MUL(0x0d, t2) ^ MUL(0x0a, t3) ^ + MUL(0x05, t4) ^ MUL(0x0a, t5) ^ MUL(0x02, t6) ^ MUL(0x03, t7); + WRITE_ROW(7, t8); + } + + /* Convert back from bit-sliced form to regular form */ + photon256_from_sliced(state, S.bytes); +} diff --git a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/internal-ascon.h b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/internal-photon256.h similarity index 70% rename from ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/internal-ascon.h rename to photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/internal-photon256.h index d3fa3ca..ce8729a 100644 --- a/ascon/Implementations/crypto_aead/ascon80pqv12/rhys-avr/internal-ascon.h +++ b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/internal-photon256.h @@ -20,17 +20,15 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LW_INTERNAL_ASCON_H -#define LW_INTERNAL_ASCON_H - -#include "internal-util.h" +#ifndef LW_INTERNAL_PHOTON256_H +#define LW_INTERNAL_PHOTON256_H /** - * \file internal-ascon.h - * \brief Internal implementation of the ASCON permutation. + * \file internal-photon256.h + * \brief Internal implementation of the PHOTON-256 permutation. * - * References: http://competitions.cr.yp.to/round3/asconv12.pdf, - * http://ascon.iaik.tugraz.at/ + * Warning: The current implementation of PHOTON-256 is constant-time + * but not constant-cache. */ #ifdef __cplusplus 
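Review bot: The new header warning `Warning: The current implementation of PHOTON-256 is constant-time but not constant-cache.` does not tell a caller what that means for them; I would expand it to name the consequence, e.g. `Warning: PHOTON-256 here is constant-time but not constant-cache: some memory accesses depend on the state (and so on key and plaintext), so it should not be relied upon against an attacker who can observe cache timing on the same core.` The cause is presumably a state-indexed table lookup inside a helper such as photon256_field_multiply(), whose definition is not in this diff — confirm before naming it in the comment. The permute body in the internal-photon256.c hunk shows only the round structure, so this part remains inferred.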
@@ -38,24 +36,16 @@ extern "C" { #endif /** - * \brief Structure of the internal state of the ASCON permutation. + * \brief Size of the PHOTON-256 permutation state in bytes. */ -typedef union -{ - uint64_t S[5]; /**< Words of the state */ - uint8_t B[40]; /**< Bytes of the state */ - -} ascon_state_t; +#define PHOTON256_STATE_SIZE 32 /** - * \brief Permutes the ASCON state. - * - * \param state The ASCON state to be permuted. - * \param first_round The first round (of 12) to be performed; 0, 4, or 6. + * \brief Permutes the PHOTON-256 state. * - * The input and output \a state will be in big-endian byte order. + * \param state The state to be permuted. */ -void ascon_permute(ascon_state_t *state, uint8_t first_round); +void photon256_permute(unsigned char state[PHOTON256_STATE_SIZE]); #ifdef __cplusplus } diff --git a/drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/internal-util.h b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/internal-util.h similarity index 100% rename from drygascon/Implementations/crypto_aead/drygascon256/rhys-avr/internal-util.h rename to photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/internal-util.h diff --git a/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/photon-beetle.c b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/photon-beetle.c new file mode 100644 index 0000000..f44bdad --- /dev/null +++ b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/photon-beetle.c 
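Review bot: The new doc comment for photon256_permute() says only `\param state The state to be permuted.`, while the ASCON comment about byte order that this file replaced was dropped with nothing in its place. The .c side shows the write-back is in place (`photon256_from_sliced(state, S.bytes)` at the end of the permute), so at minimum write `\param state The 32-byte (PHOTON256_STATE_SIZE) state to be permuted; updated in place.` The expected byte/nibble layout of the state is not recoverable from this diff, so leave that to a hedged TODO until it is confirmed against the spec test vectors rather than guessing.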
@@ -0,0 +1,451 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */ + +#include "photon-beetle.h" +#include "internal-photon256.h" +#include "internal-util.h" +#include + +aead_cipher_t const photon_beetle_128_cipher = { + "PHOTON-Beetle-AEAD-ENC-128", + PHOTON_BEETLE_KEY_SIZE, + PHOTON_BEETLE_NONCE_SIZE, + PHOTON_BEETLE_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + photon_beetle_128_aead_encrypt, + photon_beetle_128_aead_decrypt +}; + +aead_cipher_t const photon_beetle_32_cipher = { + "PHOTON-Beetle-AEAD-ENC-32", + PHOTON_BEETLE_KEY_SIZE, + PHOTON_BEETLE_NONCE_SIZE, + PHOTON_BEETLE_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + photon_beetle_32_aead_encrypt, + photon_beetle_32_aead_decrypt +}; + +aead_hash_algorithm_t const photon_beetle_hash_algorithm = { + "PHOTON-Beetle-HASH", + sizeof(int), + PHOTON_BEETLE_HASH_SIZE, + AEAD_FLAG_NONE, + photon_beetle_hash, + (aead_hash_init_t)0, + (aead_hash_update_t)0, + (aead_hash_finalize_t)0, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \brief Rate of operation for PHOTON-Beetle-AEAD-ENC-128. + */ +#define PHOTON_BEETLE_128_RATE 16 + +/** + * \brief Rate of operation for PHOTON-Beetle-AEAD-ENC-32. + */ +#define PHOTON_BEETLE_32_RATE 4 + +/* Shifts a domain constant from the spec to the correct bit position */ +#define DOMAIN(c) ((c) << 5) + +/** + * \brief Processes the associated data for PHOTON-Beetle. + * + * \param state PHOTON-256 permutation state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data, must be non-zero. + * \param rate Rate of absorption for the data. + * \param mempty Non-zero if the message is empty. 
+ */ +static void photon_beetle_process_ad + (unsigned char state[PHOTON256_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen, + unsigned rate, int mempty) +{ + unsigned temp; + + /* Absorb as many full rate blocks as possible */ + while (adlen > rate) { + photon256_permute(state); + lw_xor_block(state, ad, rate); + ad += rate; + adlen -= rate; + } + + /* Pad and absorb the last block */ + temp = (unsigned)adlen; + photon256_permute(state); + lw_xor_block(state, ad, temp); + if (temp < rate) + state[temp] ^= 0x01; /* padding */ + + /* Add the domain constant to finalize associated data processing */ + if (mempty && temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(3); + else if (mempty) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(4); + else if (temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + else + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); +} + +/** + * \brief Rotates part of the PHOTON-256 state right by one bit. + * + * \param out Output state buffer. + * \param in Input state buffer, must not overlap with \a out. + * \param len Length of the state buffer. + */ +static void photon_beetle_rotate1 + (unsigned char *out, const unsigned char *in, unsigned len) +{ + unsigned posn; + for (posn = 0; posn < (len - 1); ++posn) + out[posn] = (in[posn] >> 1) | (in[posn + 1] << 7); + out[len - 1] = (in[len - 1] >> 1) | (in[0] << 7); +} + +/** + * \brief Encrypts a plaintext block with PHOTON-Beetle. + * + * \param state PHOTON-256 permutation state. + * \param c Points to the ciphertext output buffer. + * \param m Points to the plaintext input buffer. + * \param mlen Length of the message, must be non-zero. + * \param rate Rate of absorption for the data. + * \param adempty Non-zero if the associated data is empty. 
+ */ +static void photon_beetle_encrypt + (unsigned char state[PHOTON256_STATE_SIZE], + unsigned char *c, const unsigned char *m, unsigned long long mlen, + unsigned rate, int adempty) +{ + unsigned char shuffle[PHOTON_BEETLE_128_RATE]; /* Block of max rate size */ + unsigned temp; + + /* Process all plaintext blocks except the last */ + while (mlen > rate) { + photon256_permute(state); + memcpy(shuffle, state + rate / 2, rate / 2); + photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); + lw_xor_block(state, m, rate); + lw_xor_block_2_src(c, m, shuffle, rate); + c += rate; + m += rate; + mlen -= rate; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + photon256_permute(state); + memcpy(shuffle, state + rate / 2, rate / 2); + photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); + if (temp == rate) { + lw_xor_block(state, m, rate); + lw_xor_block_2_src(c, m, shuffle, rate); + } else { + lw_xor_block(state, m, temp); + state[temp] ^= 0x01; /* padding */ + lw_xor_block_2_src(c, m, shuffle, temp); + } + + /* Add the domain constant to finalize message processing */ + if (adempty && temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(5); + else if (adempty) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(6); + else if (temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + else + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); +} + +/** + * \brief Decrypts a ciphertext block with PHOTON-Beetle. + * + * \param state PHOTON-256 permutation state. + * \param m Points to the plaintext output buffer. + * \param c Points to the ciphertext input buffer. + * \param mlen Length of the message, must be non-zero. + * \param rate Rate of absorption for the data. + * \param adempty Non-zero if the associated data is empty. 
+ */ +static void photon_beetle_decrypt + (unsigned char state[PHOTON256_STATE_SIZE], + unsigned char *m, const unsigned char *c, unsigned long long mlen, + unsigned rate, int adempty) +{ + unsigned char shuffle[PHOTON_BEETLE_128_RATE]; /* Block of max rate size */ + unsigned temp; + + /* Process all plaintext blocks except the last */ + while (mlen > rate) { + photon256_permute(state); + memcpy(shuffle, state + rate / 2, rate / 2); + photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); + lw_xor_block_2_src(m, c, shuffle, rate); + lw_xor_block(state, m, rate); + c += rate; + m += rate; + mlen -= rate; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + photon256_permute(state); + memcpy(shuffle, state + rate / 2, rate / 2); + photon_beetle_rotate1(shuffle + rate / 2, state, rate / 2); + if (temp == rate) { + lw_xor_block_2_src(m, c, shuffle, rate); + lw_xor_block(state, m, rate); + } else { + lw_xor_block_2_src(m, c, shuffle, temp); + lw_xor_block(state, m, temp); + state[temp] ^= 0x01; /* padding */ + } + + /* Add the domain constant to finalize message processing */ + if (adempty && temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(5); + else if (adempty) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(6); + else if (temp == rate) + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + else + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); +} + +int photon_beetle_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + PHOTON_BEETLE_TAG_SIZE; + + /* Initialize the state by concatenating the nonce and the key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Process the associated data */ + if (adlen > 0) 
{ + photon_beetle_process_ad + (state, ad, adlen, PHOTON_BEETLE_128_RATE, mlen == 0); + } else if (mlen == 0) { + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + photon_beetle_encrypt + (state, c, m, mlen, PHOTON_BEETLE_128_RATE, adlen == 0); + } + + /* Generate the authentication tag */ + photon256_permute(state); + memcpy(c + mlen, state, PHOTON_BEETLE_TAG_SIZE); + return 0; +} + +int photon_beetle_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < PHOTON_BEETLE_TAG_SIZE) + return -1; + *mlen = clen - PHOTON_BEETLE_TAG_SIZE; + + /* Initialize the state by concatenating the nonce and the key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Process the associated data */ + clen -= PHOTON_BEETLE_TAG_SIZE; + if (adlen > 0) { + photon_beetle_process_ad + (state, ad, adlen, PHOTON_BEETLE_128_RATE, clen == 0); + } else if (clen == 0) { + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > 0) { + photon_beetle_decrypt + (state, m, c, clen, PHOTON_BEETLE_128_RATE, adlen == 0); + } + + /* Check the authentication tag */ + photon256_permute(state); + return aead_check_tag(m, clen, state, c + clen, PHOTON_BEETLE_TAG_SIZE); +} + +int photon_beetle_32_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Set the length 
of the returned ciphertext */ + *clen = mlen + PHOTON_BEETLE_TAG_SIZE; + + /* Initialize the state by concatenating the nonce and the key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Process the associated data */ + if (adlen > 0) { + photon_beetle_process_ad + (state, ad, adlen, PHOTON_BEETLE_32_RATE, mlen == 0); + } else if (mlen == 0) { + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + photon_beetle_encrypt + (state, c, m, mlen, PHOTON_BEETLE_32_RATE, adlen == 0); + } + + /* Generate the authentication tag */ + photon256_permute(state); + memcpy(c + mlen, state, PHOTON_BEETLE_TAG_SIZE); + return 0; +} + +int photon_beetle_32_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned char state[PHOTON256_STATE_SIZE]; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < PHOTON_BEETLE_TAG_SIZE) + return -1; + *mlen = clen - PHOTON_BEETLE_TAG_SIZE; + + /* Initialize the state by concatenating the nonce and the key */ + memcpy(state, npub, 16); + memcpy(state + 16, k, 16); + + /* Process the associated data */ + clen -= PHOTON_BEETLE_TAG_SIZE; + if (adlen > 0) { + photon_beetle_process_ad + (state, ad, adlen, PHOTON_BEETLE_32_RATE, clen == 0); + } else if (clen == 0) { + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } + + /* Decrypt the ciphertext to produce the plaintext */ + if (clen > 0) { + photon_beetle_decrypt + (state, m, c, clen, PHOTON_BEETLE_32_RATE, adlen == 0); + } + + /* Check the authentication tag */ + photon256_permute(state); + return aead_check_tag(m, clen, state, c + clen, PHOTON_BEETLE_TAG_SIZE); +} + +int photon_beetle_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + 
unsigned char state[PHOTON256_STATE_SIZE]; + unsigned temp; + + /* Absorb the input data */ + if (inlen == 0) { + /* No input data at all */ + memset(state, 0, sizeof(state) - 1); + state[PHOTON256_STATE_SIZE - 1] = DOMAIN(1); + } else if (inlen <= PHOTON_BEETLE_128_RATE) { + /* Only one block of input data, which may require padding */ + temp = (unsigned)inlen; + memcpy(state, in, temp); + memset(state + temp, 0, sizeof(state) - temp - 1); + if (temp < PHOTON_BEETLE_128_RATE) { + state[temp] = 0x01; + state[PHOTON256_STATE_SIZE - 1] = DOMAIN(1); + } else { + state[PHOTON256_STATE_SIZE - 1] = DOMAIN(2); + } + } else { + /* Initialize the state with the first block, then absorb the rest */ + memcpy(state, in, PHOTON_BEETLE_128_RATE); + memset(state + PHOTON_BEETLE_128_RATE, 0, + sizeof(state) - PHOTON_BEETLE_128_RATE); + in += PHOTON_BEETLE_128_RATE; + inlen -= PHOTON_BEETLE_128_RATE; + while (inlen > PHOTON_BEETLE_32_RATE) { + photon256_permute(state); + lw_xor_block(state, in, PHOTON_BEETLE_32_RATE); + in += PHOTON_BEETLE_32_RATE; + inlen -= PHOTON_BEETLE_32_RATE; + } + photon256_permute(state); + temp = (unsigned)inlen; + if (temp == PHOTON_BEETLE_32_RATE) { + lw_xor_block(state, in, PHOTON_BEETLE_32_RATE); + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(1); + } else { + lw_xor_block(state, in, temp); + state[temp] ^= 0x01; + state[PHOTON256_STATE_SIZE - 1] ^= DOMAIN(2); + } + } + + /* Generate the output hash */ + photon256_permute(state); + memcpy(out, state, 16); + photon256_permute(state); + memcpy(out + 16, state, 16); + return 0; +} diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/comet.h b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/photon-beetle.h similarity index 58% rename from comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/comet.h rename to photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/photon-beetle.h index d1b24a6..2d94a7e 100644 
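Review bot: The four AEAD functions leave key-derived material on the stack: `state` starts as `npub || k` and the `shuffle` buffer in photon_beetle_encrypt/photon_beetle_decrypt holds raw keystream, and none of them is cleared before return (a plain memset here would likely be removed as a dead store, so a volatile-pointer clear is needed). I would add the helper below and call `photon_beetle_clear(state, sizeof(state));` before each return in the *_aead_encrypt/*_aead_decrypt functions, and `photon_beetle_clear(shuffle, sizeof(shuffle));` at the end of photon_beetle_encrypt/photon_beetle_decrypt. Separately, both decrypt functions assign `*mlen = clen - PHOTON_BEETLE_TAG_SIZE` before aead_check_tag() runs, so a caller that ignores the -1 return sees a plausible length next to whatever aead_check_tag() leaves in `m`; if the common code zeroes `m` on failure that is acceptable, but the header docs should say so. The photon_beetle_hash_algorithm block registers `sizeof(int)` as the state size and null pointers for init/update/finalize/absorb/squeeze, which is presumably how this library marks "incremental API not provided" — any table-driven consumer must check for null before calling through them.
```c
/* Clears a buffer holding secret material; the volatile access keeps the
 * compiler from dropping the stores as "dead" before the function returns. */
static void photon_beetle_clear(unsigned char *buf, unsigned len)
{
    volatile unsigned char *p = buf;
    while (len > 0) {
        *p++ = 0;
        --len;
    }
}

/* … unchanged: photon_beetle_128_aead_encrypt body up to tag generation … */
    /* Generate the authentication tag */
    photon256_permute(state);
    memcpy(c + mlen, state, PHOTON_BEETLE_TAG_SIZE);
    photon_beetle_clear(state, sizeof(state));
    return 0;
```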
--- a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/comet.h
+++ b/photon-beetle/Implementations/crypto_hash/photonbeetlehash256rate32v1/rhys/photon-beetle.h
@@ -20,30 +20,29 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LWCRYPTO_COMET_H -#define LWCRYPTO_COMET_H +#ifndef LWCRYPTO_PHOTON_BEETLE_H +#define LWCRYPTO_PHOTON_BEETLE_H #include "aead-common.h" /** - * \file comet.h - * \brief COMET authenticated encryption algorithm. + * \file photon-beetle.h + * \brief PHOTON-Beetle authenticated encryption algorithm. * - * COMET is a family of authenticated encryption algorithms that are - * built around an underlying block cipher. This library implements - * three members of the family: + * PHOTON-Beetle is a family of authenticated encryption algorithms based + * on the PHOTON-256 permutation and using the Beetle sponge mode. + * There are three algorithms in the family: * - * \li COMET-128_CHAM-128/128 which has a 128-bit key, a 128-bit nonce, - * and a 128-bit tag, built around the CHAM-128/128 block cipher. - * \li COMET-64_CHAM-64/128 which has a 128-bit key, a 120-bit nonce, - * and a 64-bit tag, built around the CHAM-64/128 block cipher. - * \li COMET-64_SPECK-64/128 which has a 128-bit key, a 120-bit nonce, - * and a 64-bit tag, built around the SPECK-64/128 block cipher. + * \li PHOTON-Beetle-AEAD-ENC-128 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag. Data is handled in 16 byte blocks. This is the primary + * member of the family for encryption. + * \li PHOTON-Beetle-AEAD-ENC-32 with a 128-bit key, a 128-bit nonce, and a + * 128-bit tag. Data is handled in 4 byte blocks. + * \li PHOTON-Beetle-Hash with a 256-bit hash output. The initial data is + * handled as a 16 byte block, and then the remaining bytes are processed + * in 4 byte blocks. * - * There is also another family member that is built around AES but - * this library does not implement that version. - * - * References: https://www.isical.ac.in/~lightweight/comet/ + * References: https://www.isical.ac.in/~lightweight/beetle/ */ #ifdef __cplusplus 
@@ -51,47 +50,42 @@ extern "C" { #endif /** - * \brief Size of the key for all COMET family members. - */ -#define COMET_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for the 128-bit versions of COMET. + * \brief Size of the key for PHOTON-Beetle. */ -#define COMET_128_TAG_SIZE 16 +#define PHOTON_BEETLE_KEY_SIZE 16 /** - * \brief Size of the authentication tag for the 64-bit versions of COMET. + * \brief Size of the authentication tag for PHOTON-Beetle. */ -#define COMET_64_TAG_SIZE 8 +#define PHOTON_BEETLE_TAG_SIZE 16 /** - * \brief Size of the nonce for the 128-bit versions of COMET. + * \brief Size of the nonce for PHOTON-Beetle. */ -#define COMET_128_NONCE_SIZE 16 +#define PHOTON_BEETLE_NONCE_SIZE 16 /** - * \brief Size of the nonce for the 64-bit versions of COMET. + * \brief Size of the hash output for PHOTON-Beetle-HASH. */ -#define COMET_64_NONCE_SIZE 15 +#define PHOTON_BEETLE_HASH_SIZE 32 /** - * \brief Meta-information block for the COMET-128_CHAM-128/128 cipher. + * \brief Meta-information block for the PHOTON-Beetle-AEAD-ENC-128 cipher. */ -extern aead_cipher_t const comet_128_cham_cipher; +extern aead_cipher_t const photon_beetle_128_cipher; /** - * \brief Meta-information block for the COMET-64_CHAM-64/128 cipher. + * \brief Meta-information block for the PHOTON-Beetle-AEAD-ENC-32 cipher. */ -extern aead_cipher_t const comet_64_cham_cipher; +extern aead_cipher_t const photon_beetle_32_cipher; /** - * \brief Meta-information block for the COMET-64_SPECK-64/128 cipher. + * \brief Meta-information block for the PHOTON-Beetle-HASH algorithm. */ -extern aead_cipher_t const comet_64_speck_cipher; +extern aead_hash_algorithm_t const photon_beetle_hash_algorithm; /** - * \brief Encrypts and authenticates a packet with COMET-128_CHAM-128/128. + * \brief Encrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-128. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes 
@@ -109,9 +103,9 @@ extern aead_cipher_t const comet_64_speck_cipher; * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa comet_128_cham_aead_decrypt() + * \sa photon_beetle_128_aead_decrypt() */ -int comet_128_cham_aead_encrypt +int photon_beetle_128_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -120,7 +114,7 @@ int comet_128_cham_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with COMET-128_CHAM-128/128. + * \brief Decrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-128. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -139,9 +133,9 @@ int comet_128_cham_aead_encrypt * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa comet_128_cham_aead_encrypt() + * \sa photon_beetle_128_aead_encrypt() */ -int comet_128_cham_aead_decrypt +int photon_beetle_128_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -150,11 +144,11 @@ int comet_128_cham_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with COMET-64_CHAM-64/128. + * \brief Encrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-32. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. + * the ciphertext and the 16 byte authentication tag. * \param m Buffer that contains the plaintext message to encrypt. * \param mlen Length of the plaintext message in bytes. * \param ad Buffer that contains associated data to authenticate 
@@ -162,15 +156,15 @@ int comet_128_cham_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa comet_64_cham_aead_decrypt() + * \sa photon_beetle_32_aead_decrypt() */ -int comet_64_cham_aead_encrypt +int photon_beetle_32_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -179,7 +173,7 @@ int comet_64_cham_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with COMET-64_CHAM-64/128. + * \brief Decrypts and authenticates a packet with PHOTON-Beetle-AEAD-ENC-32. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. 
@@ -187,20 +181,20 @@ int comet_64_cham_aead_encrypt * \param c Buffer that contains the ciphertext and authentication * tag to decrypt. * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. + * ciphertext and the 16 byte authentication tag. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa comet_64_cham_aead_encrypt() + * \sa photon_beetle_32_aead_encrypt() */ -int comet_64_cham_aead_decrypt +int photon_beetle_32_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, 
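Review bot: The reworded doc for photon_beetle_32_aead_decrypt() keeps `\param mlen Receives the length of the plaintext message on output.` and `\return 0 on success, -1 if the authentication tag was incorrect` but says nothing about what `m` and `*mlen` hold when -1 is returned; the implementation in photon-beetle.c sets `*mlen = clen - PHOTON_BEETLE_TAG_SIZE` before the tag is checked. I would add one sentence to the \return text: `On tag failure the contents of \a m must be treated as invalid and discarded; \a mlen is still set to the expected plaintext length.` The first half should be confirmed against what aead_check_tag() actually does to `m`, which is not visible in this diff. The same wording applies to photon_beetle_128_aead_decrypt() in the earlier hunk.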
@@ -209,63 +203,19 @@ int comet_64_cham_aead_decrypt
 const unsigned char *k);
 
 /**
- * \brief Encrypts and authenticates a packet with COMET-64_SPECK-64/128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 15 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa comet_64_speck_aead_decrypt()
- */
-int comet_64_speck_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with COMET-64_SPECK-64/128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 15 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
+ * \brief Hashes a block of input data with PHOTON-Beetle-HASH to
+ * generate a hash value.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
+ * \param out Buffer to receive the hash output which must be at least
+ * PHOTON_BEETLE_HASH_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
- *
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
- * \sa comet_64_speck_aead_encrypt()
 */
-int comet_64_speck_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
+int photon_beetle_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen);
 
 #ifdef __cplusplus
 }
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/aead-common.c b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/aead-common.c
+++ /dev/null
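Review bot: The new `photon_beetle_hash` comment makes `PHOTON_BEETLE_HASH_SIZE` the only statement of how large `out` must be, but that macro is not defined in this hunk; presumably it is declared earlier in the header, outside this view, and that is worth confirming so the reference does not dangle. The `\return` text promises -1 on a parameter error without saying which condition is checked, which leaves callers unsure whether, say, a NULL `in` with `inlen` of zero is an error; if the implementation only rejects NULL pointers, the line could read `\return Returns zero on success or -1 if \a out or \a in is NULL.`, and if it cannot fail the comment should say the result is always zero. Since the context lines show this is the tail of the header, a `\sa` naming the related AEAD functions declared above would also match the style of the other declarations in this file.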
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/aead-common.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/api.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/api.h
deleted file mode 100644
index c3c0a27..0000000
--- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 12
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/encrypt.c b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/encrypt.c
deleted file mode 100644
index a63877d..0000000
--- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "pyjamask.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return pyjamask_128_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return pyjamask_128_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-ocb.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-ocb.h
deleted file mode 100644
index 98f2a31..0000000
--- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-ocb.h
+++ /dev/null
@@ -1,355 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_OCB_H
-#define LW_INTERNAL_OCB_H
-
-#include "internal-util.h"
-#include
-
-/* We expect a number of macros to be defined before this file
- * is included to configure the underlying block cipher:
- *
- * OCB_ALG_NAME Name of the algorithm that is using OCB mode.
- * OCB_BLOCK_SIZE Size of the block for the underlying cipher in bytes.
- * OCB_NONCE_SIZE Size of the nonce which must be < OCB_BLOCK_SIZE.
- * OCB_TAG_SIZE Size of the authentication tag.
- * OCB_KEY_SCHEDULE Type for the key schedule.
- * OCB_SETUP_KEY Name of the key schedule setup function.
- * OCB_ENCRYPT_BLOCK Name of the block cipher ECB encrypt function.
- * OCB_DECRYPT_BLOCK Name of the block cipher ECB decrypt function.
- * OCB_DOUBLE_L Name of the function to double L (optional).
- */
-#if defined(OCB_ENCRYPT_BLOCK)
-
-/**
- * \file internal-ocb.h
- * \brief Internal implementation of the OCB block cipher mode.
- *
- * Note that OCB is covered by patents so it may not be usable in all
- * applications. Open source applications should be covered, but for
- * others you will need to contact the patent authors to find out
- * if you can use it or if a paid license is required.
- *
- * License information: https://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
- *
- * References: https://tools.ietf.org/html/rfc7253
- */
-
-#define OCB_CONCAT_INNER(name,suffix) name##suffix
-#define OCB_CONCAT(name,suffix) OCB_CONCAT_INNER(name,suffix)
-
-#if !defined(OCB_DOUBLE_L)
-
-#define OCB_DOUBLE_L OCB_CONCAT(OCB_ALG_NAME,_double_l)
-
-#if OCB_BLOCK_SIZE == 16
-
-/* Double a value in GF(128) */
-static void OCB_DOUBLE_L(unsigned char out[16], const unsigned char in[16])
-{
- unsigned index;
- unsigned char mask = (unsigned char)(((signed char)in[0]) >> 7);
- for (index = 0; index < 15; ++index)
- out[index] = (in[index] << 1) | (in[index + 1] >> 7);
- out[15] = (in[15] << 1) ^ (mask & 0x87);
-}
-
-#elif OCB_BLOCK_SIZE == 12
-
-/* Double a value in GF(96) */
-static void OCB_DOUBLE_L
- (unsigned char out[12], const unsigned char in[12])
-{
- unsigned index;
- unsigned char mask = (unsigned char)(((signed char)in[0]) >> 7);
- for (index = 0; index < 11; ++index)
- out[index] = (in[index] << 1) | (in[index + 1] >> 7);
- out[11] = (in[11] << 1) ^ (mask & 0x41);
- out[10] ^= (mask & 0x06);
-}
-
-#else
-#error "Unknown block size for OCB"
-#endif
-
-#endif
-
-/* State information for OCB functions */
-#define OCB_STATE OCB_CONCAT(OCB_ALG_NAME,_state_t)
-typedef struct
-{
- OCB_KEY_SCHEDULE ks;
- unsigned char Lstar[OCB_BLOCK_SIZE];
- unsigned char Ldollar[OCB_BLOCK_SIZE];
- unsigned char L0[OCB_BLOCK_SIZE];
- unsigned char L1[OCB_BLOCK_SIZE];
-
-} OCB_STATE;
-
-/* Initializes the OCB state from the key and nonce */
-static void OCB_CONCAT(OCB_ALG_NAME,_init)
- 
(OCB_STATE *state, const unsigned char *k, const unsigned char *nonce, - unsigned char offset[OCB_BLOCK_SIZE]) -{ - unsigned bottom; - - /* Set up the key schedule */ - OCB_SETUP_KEY(&(state->ks), k); - - /* Derive the values of L*, L$, L0, and L1 */ - memset(state->Lstar, 0, sizeof(state->Lstar)); - OCB_ENCRYPT_BLOCK(&(state->ks), state->Lstar, state->Lstar); - OCB_DOUBLE_L(state->Ldollar, state->Lstar); - OCB_DOUBLE_L(state->L0, state->Ldollar); - OCB_DOUBLE_L(state->L1, state->L0); - - /* Derive the initial offset from the nonce */ - memset(offset, 0, OCB_BLOCK_SIZE); - memcpy(offset + OCB_BLOCK_SIZE - OCB_NONCE_SIZE, nonce, OCB_NONCE_SIZE); - offset[0] = ((OCB_TAG_SIZE * 8) & 0x7F) << 1; - offset[OCB_BLOCK_SIZE - OCB_NONCE_SIZE - 1] |= 0x01; - bottom = offset[OCB_BLOCK_SIZE - 1] & 0x3F; - offset[OCB_BLOCK_SIZE - 1] &= 0xC0; - { - unsigned index; - unsigned byte_posn = bottom / 8; -#if OCB_BLOCK_SIZE == 16 - /* Standard OCB with a 128-bit block */ - unsigned char stretch[24]; - OCB_ENCRYPT_BLOCK(&(state->ks), stretch, offset); - memcpy(stretch + 16, stretch + 1, 8); - lw_xor_block(stretch + 16, stretch, 8); -#elif OCB_BLOCK_SIZE == 12 - /* 96-bit block handling from the Pyjamask specification */ - unsigned char stretch[20]; - OCB_ENCRYPT_BLOCK(&(state->ks), stretch, offset); - for (index = 0; index < 8; ++index) { - stretch[index + 12] = - (stretch[index + 1] << 1) | (stretch[index + 2] >> 7); - } - lw_xor_block(stretch + 12, stretch, 8); -#else - unsigned char stretch[OCB_BLOCK_SIZE + 8] = {0}; - #error "unsupported block size for OCB mode" -#endif - bottom %= 8; - if (bottom != 0) { - for (index = 0; index < OCB_BLOCK_SIZE; ++index) { - offset[index] = - (stretch[index + byte_posn] << bottom) | - (stretch[index + byte_posn + 1] >> (8 - bottom)); - } - } else { - memcpy(offset, stretch + byte_posn, OCB_BLOCK_SIZE); - } - } -} - -/* Calculate L_{ntz(i)} when the last two bits of i are zero */ -static void OCB_CONCAT(OCB_ALG_NAME,_calculate_L) - (OCB_STATE 
*state, unsigned char L[OCB_BLOCK_SIZE], unsigned long long i)
-{
- OCB_DOUBLE_L(L, state->L1);
- i >>= 2;
- while ((i & 1) == 0) {
- OCB_DOUBLE_L(L, L);
- i >>= 1;
- }
-}
-
-/* Process associated data with OCB */
-static void OCB_CONCAT(OCB_ALG_NAME,_process_ad)
- (OCB_STATE *state, unsigned char tag[OCB_BLOCK_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char offset[OCB_BLOCK_SIZE];
- unsigned char block[OCB_BLOCK_SIZE];
- unsigned long long block_number;
-
- /* Process all full blocks */
- memset(offset, 0, sizeof(offset));
- block_number = 1;
- while (adlen >= OCB_BLOCK_SIZE) {
- if (block_number & 1) {
- lw_xor_block(offset, state->L0, OCB_BLOCK_SIZE);
- } else if ((block_number & 3) == 2) {
- lw_xor_block(offset, state->L1, OCB_BLOCK_SIZE);
- } else {
- OCB_CONCAT(OCB_ALG_NAME,_calculate_L)(state, block, block_number);
- lw_xor_block(offset, block, OCB_BLOCK_SIZE);
- }
- lw_xor_block_2_src(block, offset, ad, OCB_BLOCK_SIZE);
- OCB_ENCRYPT_BLOCK(&(state->ks), block, block);
- lw_xor_block(tag, block, OCB_BLOCK_SIZE);
- ad += OCB_BLOCK_SIZE;
- adlen -= OCB_BLOCK_SIZE;
- ++block_number;
- }
-
- /* Pad and process the last partial block */
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(offset, state->Lstar, OCB_BLOCK_SIZE);
- lw_xor_block(offset, ad, temp);
- offset[temp] ^= 0x80;
- OCB_ENCRYPT_BLOCK(&(state->ks), block, offset);
- lw_xor_block(tag, block, OCB_BLOCK_SIZE);
- }
-}
-
-int OCB_CONCAT(OCB_ALG_NAME,_aead_encrypt)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- OCB_STATE state;
- unsigned char offset[OCB_BLOCK_SIZE];
- unsigned char sum[OCB_BLOCK_SIZE];
- unsigned char block[OCB_BLOCK_SIZE];
- unsigned long long block_number;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + 
OCB_TAG_SIZE;
-
- /* Initialize the OCB state */
- OCB_CONCAT(OCB_ALG_NAME,_init)(&state, k, npub, offset);
-
- /* Process all plaintext blocks except the last */
- memset(sum, 0, sizeof(sum));
- block_number = 1;
- while (mlen >= OCB_BLOCK_SIZE) {
- if (block_number & 1) {
- lw_xor_block(offset, state.L0, OCB_BLOCK_SIZE);
- } else if ((block_number & 3) == 2) {
- lw_xor_block(offset, state.L1, OCB_BLOCK_SIZE);
- } else {
- OCB_CONCAT(OCB_ALG_NAME,_calculate_L)(&state, block, block_number);
- lw_xor_block(offset, block, OCB_BLOCK_SIZE);
- }
- lw_xor_block(sum, m, OCB_BLOCK_SIZE);
- lw_xor_block_2_src(block, offset, m, OCB_BLOCK_SIZE);
- OCB_ENCRYPT_BLOCK(&(state.ks), block, block);
- lw_xor_block_2_src(c, block, offset, OCB_BLOCK_SIZE);
- c += OCB_BLOCK_SIZE;
- m += OCB_BLOCK_SIZE;
- mlen -= OCB_BLOCK_SIZE;
- ++block_number;
- }
-
- /* Pad and process the last plaintext block */
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- lw_xor_block(offset, state.Lstar, OCB_BLOCK_SIZE);
- OCB_ENCRYPT_BLOCK(&(state.ks), block, offset);
- lw_xor_block_2_src(c, block, m, temp);
- c += temp;
- }
-
- /* Finalize the encryption phase */
- lw_xor_block(sum, offset, OCB_BLOCK_SIZE);
- lw_xor_block(sum, state.Ldollar, OCB_BLOCK_SIZE);
- OCB_ENCRYPT_BLOCK(&(state.ks), sum, sum);
-
- /* Process the associated data and compute the final authentication tag */
- OCB_CONCAT(OCB_ALG_NAME,_process_ad)(&state, sum, ad, adlen);
- memcpy(c, sum, OCB_TAG_SIZE);
- return 0;
-}
-
-int OCB_CONCAT(OCB_ALG_NAME,_aead_decrypt)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- OCB_STATE state;
- unsigned char *mtemp = m;
- unsigned char offset[OCB_BLOCK_SIZE];
- unsigned char sum[OCB_BLOCK_SIZE];
- unsigned char block[OCB_BLOCK_SIZE];
- unsigned long long 
block_number;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < OCB_TAG_SIZE)
- return -1;
- *mlen = clen - OCB_TAG_SIZE;
-
- /* Initialize the OCB state */
- OCB_CONCAT(OCB_ALG_NAME,_init)(&state, k, npub, offset);
-
- /* Process all ciphertext blocks except the last */
- memset(sum, 0, sizeof(sum));
- block_number = 1;
- clen -= OCB_TAG_SIZE;
- while (clen >= OCB_BLOCK_SIZE) {
- if (block_number & 1) {
- lw_xor_block(offset, state.L0, OCB_BLOCK_SIZE);
- } else if ((block_number & 3) == 2) {
- lw_xor_block(offset, state.L1, OCB_BLOCK_SIZE);
- } else {
- OCB_CONCAT(OCB_ALG_NAME,_calculate_L)(&state, block, block_number);
- lw_xor_block(offset, block, OCB_BLOCK_SIZE);
- }
- lw_xor_block_2_src(block, offset, c, OCB_BLOCK_SIZE);
- OCB_DECRYPT_BLOCK(&(state.ks), block, block);
- lw_xor_block_2_src(m, block, offset, OCB_BLOCK_SIZE);
- lw_xor_block(sum, m, OCB_BLOCK_SIZE);
- c += OCB_BLOCK_SIZE;
- m += OCB_BLOCK_SIZE;
- clen -= OCB_BLOCK_SIZE;
- ++block_number;
- }
-
- /* Pad and process the last ciphertext block */
- if (clen > 0) {
- unsigned temp = (unsigned)clen;
- lw_xor_block(offset, state.Lstar, OCB_BLOCK_SIZE);
- OCB_ENCRYPT_BLOCK(&(state.ks), block, offset);
- lw_xor_block_2_src(m, block, c, temp);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- c += temp;
- }
-
- /* Finalize the decryption phase */
- lw_xor_block(sum, offset, OCB_BLOCK_SIZE);
- lw_xor_block(sum, state.Ldollar, OCB_BLOCK_SIZE);
- OCB_ENCRYPT_BLOCK(&(state.ks), sum, sum);
-
- /* Process the associated data and check the final authentication tag */
- OCB_CONCAT(OCB_ALG_NAME,_process_ad)(&state, sum, ad, adlen);
- return aead_check_tag(mtemp, *mlen, sum, c, OCB_TAG_SIZE);
-}
-
-#endif /* OCB_ENCRYPT_BLOCK */
-
-#endif /* LW_INTERNAL_OCB_H */
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-pyjamask.c b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-pyjamask.c
deleted file mode 100644
index 3c40d2d..0000000
--- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-pyjamask.c
+++ /dev/null
@@ -1,356 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-pyjamask.h"
-#include "internal-util.h"
-
-#if !defined(__AVR__)
-
-/**
- * \brief Performs a circulant binary matrix multiplication.
- *
- * \param x The matrix.
- * \param y The vector to multiply with the matrix.
- *
- * \return The vector result of multiplying x by y.
- */ -STATIC_INLINE uint32_t pyjamask_matrix_multiply(uint32_t x, uint32_t y) -{ - uint32_t result = 0; - int bit; - for (bit = 31; bit >= 0; --bit) { -#if defined(ESP32) - /* This version has slightly better performance on ESP32 */ - y = leftRotate1(y); - result ^= x & -(y & 1); - x = rightRotate1(x); -#else - result ^= x & -((y >> bit) & 1); - x = rightRotate1(x); -#endif - } - return result; -} - -void pyjamask_128_setup_key - (pyjamask_128_key_schedule_t *ks, const unsigned char *key) -{ - uint32_t *rk = ks->k; - uint32_t k0, k1, k2, k3; - uint32_t temp; - uint8_t round; - - /* Load the words of the key */ - k0 = be_load_word32(key); - k1 = be_load_word32(key + 4); - k2 = be_load_word32(key + 8); - k3 = be_load_word32(key + 12); - - /* The first round key is the same as the key itself */ - rk[0] = k0; - rk[1] = k1; - rk[2] = k2; - rk[3] = k3; - rk += 4; - - /* Derive the round keys for all of the other rounds */ - for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 4) { - /* Mix the columns */ - temp = k0 ^ k1 ^ k2 ^ k3; - k0 ^= temp; - k1 ^= temp; - k2 ^= temp; - k3 ^= temp; - - /* Mix the rows and add the round constants. Note that the Pyjamask - * specification says that k1/k2/k3 should be rotated left by 8, 15, - * and 18 bits. But the reference code actually rotates the words - * right. And the test vectors in the specification match up with - * right rotations, not left. 
We match the reference code here */ - k0 = pyjamask_matrix_multiply(0xb881b9caU, k0) ^ 0x00000080U ^ round; - k1 = rightRotate8(k1) ^ 0x00006a00U; - k2 = rightRotate15(k2) ^ 0x003f0000U; - k3 = rightRotate18(k3) ^ 0x24000000U; - - /* Write the round key to the schedule */ - rk[0] = k0; - rk[1] = k1; - rk[2] = k2; - rk[3] = k3; - } -} - -void pyjamask_96_setup_key - (pyjamask_96_key_schedule_t *ks, const unsigned char *key) -{ - uint32_t *rk = ks->k; - uint32_t k0, k1, k2, k3; - uint32_t temp; - uint8_t round; - - /* Load the words of the key */ - k0 = be_load_word32(key); - k1 = be_load_word32(key + 4); - k2 = be_load_word32(key + 8); - k3 = be_load_word32(key + 12); - - /* The first round key is the same as the key itself */ - rk[0] = k0; - rk[1] = k1; - rk[2] = k2; - rk += 3; - - /* Derive the round keys for all of the other rounds */ - for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 3) { - /* Mix the columns */ - temp = k0 ^ k1 ^ k2 ^ k3; - k0 ^= temp; - k1 ^= temp; - k2 ^= temp; - k3 ^= temp; - - /* Mix the rows and add the round constants. Note that the Pyjamask - * specification says that k1/k2/k3 should be rotated left by 8, 15, - * and 18 bits. But the reference code actually rotates the words - * right. And the test vectors in the specification match up with - * right rotations, not left. 
We match the reference code here */ - k0 = pyjamask_matrix_multiply(0xb881b9caU, k0) ^ 0x00000080U ^ round; - k1 = rightRotate8(k1) ^ 0x00006a00U; - k2 = rightRotate15(k2) ^ 0x003f0000U; - k3 = rightRotate18(k3) ^ 0x24000000U; - - /* Write the round key to the schedule */ - rk[0] = k0; - rk[1] = k1; - rk[2] = k2; - } -} - -void pyjamask_128_encrypt - (const pyjamask_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - const uint32_t *rk = ks->k; - uint32_t s0, s1, s2, s3; - uint8_t round; - - /* Load the plaintext from the input buffer */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Perform all encryption rounds */ - for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 4) { - /* Add the round key to the state */ - s0 ^= rk[0]; - s1 ^= rk[1]; - s2 ^= rk[2]; - s3 ^= rk[3]; - - /* Apply the 128-bit Pyjamask sbox */ - s0 ^= s3; - s3 ^= s0 & s1; - s0 ^= s1 & s2; - s1 ^= s2 & s3; - s2 ^= s0 & s3; - s2 ^= s1; - s1 ^= s0; - s3 = ~s3; - s2 ^= s3; - s3 ^= s2; - s2 ^= s3; - - /* Mix the rows of the state */ - s0 = pyjamask_matrix_multiply(0xa3861085U, s0); - s1 = pyjamask_matrix_multiply(0x63417021U, s1); - s2 = pyjamask_matrix_multiply(0x692cf280U, s2); - s3 = pyjamask_matrix_multiply(0x48a54813U, s3); - } - - /* Mix in the key one last time */ - s0 ^= rk[0]; - s1 ^= rk[1]; - s2 ^= rk[2]; - s3 ^= rk[3]; - - /* Write the ciphertext to the output buffer */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void pyjamask_128_decrypt - (const pyjamask_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - const uint32_t *rk = ks->k + 4 * PYJAMASK_ROUNDS; - uint32_t s0, s1, s2, s3; - uint8_t round; - - /* Load the ciphertext from the input buffer */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = 
be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Mix in the last round key */ - s0 ^= rk[0]; - s1 ^= rk[1]; - s2 ^= rk[2]; - s3 ^= rk[3]; - rk -= 4; - - /* Perform all decryption rounds */ - for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk -= 4) { - /* Inverse mix of the rows in the state */ - s0 = pyjamask_matrix_multiply(0x2037a121U, s0); - s1 = pyjamask_matrix_multiply(0x108ff2a0U, s1); - s2 = pyjamask_matrix_multiply(0x9054d8c0U, s2); - s3 = pyjamask_matrix_multiply(0x3354b117U, s3); - - /* Apply the inverse of the 128-bit Pyjamask sbox */ - s2 ^= s3; - s3 ^= s2; - s2 ^= s3; - s3 = ~s3; - s1 ^= s0; - s2 ^= s1; - s2 ^= s0 & s3; - s1 ^= s2 & s3; - s0 ^= s1 & s2; - s3 ^= s0 & s1; - s0 ^= s3; - - /* Add the round key to the state */ - s0 ^= rk[0]; - s1 ^= rk[1]; - s2 ^= rk[2]; - s3 ^= rk[3]; - } - - /* Write the plaintext to the output buffer */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void pyjamask_96_encrypt - (const pyjamask_96_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - const uint32_t *rk = ks->k; - uint32_t s0, s1, s2; - uint8_t round; - - /* Load the plaintext from the input buffer */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - - /* Perform all encryption rounds */ - for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 3) { - /* Add the round key to the state */ - s0 ^= rk[0]; - s1 ^= rk[1]; - s2 ^= rk[2]; - - /* Apply the 96-bit Pyjamask sbox */ - s0 ^= s1; - s1 ^= s2; - s2 ^= s0 & s1; - s0 ^= s1 & s2; - s1 ^= s0 & s2; - s2 ^= s0; - s2 = ~s2; - s1 ^= s0; - s0 ^= s1; - - /* Mix the rows of the state */ - s0 = pyjamask_matrix_multiply(0xa3861085U, s0); - s1 = pyjamask_matrix_multiply(0x63417021U, s1); - s2 = pyjamask_matrix_multiply(0x692cf280U, s2); - } - - /* Mix in the key one last time */ - s0 ^= rk[0]; - s1 ^= rk[1]; - s2 ^= rk[2]; - - /* 
Write the ciphertext to the output buffer */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); -} - -void pyjamask_96_decrypt - (const pyjamask_96_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - const uint32_t *rk = ks->k + 3 * PYJAMASK_ROUNDS; - uint32_t s0, s1, s2; - uint8_t round; - - /* Load the plaintext from the input buffer */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - - /* Mix in the last round key */ - s0 ^= rk[0]; - s1 ^= rk[1]; - s2 ^= rk[2]; - rk -= 3; - - /* Perform all encryption rounds */ - for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk -= 3) { - /* Inverse mix of the rows in the state */ - s0 = pyjamask_matrix_multiply(0x2037a121U, s0); - s1 = pyjamask_matrix_multiply(0x108ff2a0U, s1); - s2 = pyjamask_matrix_multiply(0x9054d8c0U, s2); - - /* Apply the inverse of the 96-bit Pyjamask sbox */ - s0 ^= s1; - s1 ^= s0; - s2 = ~s2; - s2 ^= s0; - s1 ^= s0 & s2; - s0 ^= s1 & s2; - s2 ^= s0 & s1; - s1 ^= s2; - s0 ^= s1; - - /* Add the round key to the state */ - s0 ^= rk[0]; - s1 ^= rk[1]; - s2 ^= rk[2]; - } - - /* Write the ciphertext to the output buffer */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); -} - -#endif /* !__AVR__ */ diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-pyjamask.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-pyjamask.h deleted file mode 100644 index 3ead7fb..0000000 --- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-pyjamask.h +++ /dev/null 
@@ -1,253 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_PYJAMASK_H
-#define LW_INTERNAL_PYJAMASK_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-pyjamask.h
- * \brief Pyjamask block cipher.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Number of rounds in the Pyjamask block cipher.
- */
-#define PYJAMASK_ROUNDS 14
-
-/**
- * \brief Number of parallel states for masked operation.
- */
-#define PYJAMASK_MASKING_ORDER 4
-
-/**
- * \brief Structure of the key schedule for the Pyjamask-128 block cipher.
- */
-typedef struct
-{
- uint32_t k[(PYJAMASK_ROUNDS + 1) * 4]; /**< Words of the key schedule */
-
-} pyjamask_128_key_schedule_t;
-
-/**
- * \brief Structure of the key schedule for the Pyjamask-96 block cipher.
- */
-typedef struct
-{
- uint32_t k[(PYJAMASK_ROUNDS + 1) * 3]; /**< Words of the key schedule */
-
-} pyjamask_96_key_schedule_t;
-
-/**
- * \brief Structure of the key schedule for masked Pyjamask-128.
- */
-typedef struct
-{
- /** Words of the key schedule */
- uint32_t k[PYJAMASK_MASKING_ORDER * (PYJAMASK_ROUNDS + 1) * 4];
-
-} pyjamask_masked_128_key_schedule_t;
-
-/**
- * \brief Structure of the key schedule for masked Pyjamask-96.
- */
-typedef struct
-{
- /** Words of the key schedule */
- uint32_t k[PYJAMASK_MASKING_ORDER * (PYJAMASK_ROUNDS + 1) * 3];
-
-} pyjamask_masked_96_key_schedule_t;
-
-/**
- * \brief Sets up the key schedule for the Pyjamask-128 block cipher.
- *
- * \param ks The key schedule on output.
- * \param key The 16 bytes of the key on input.
- */
-void pyjamask_128_setup_key
- (pyjamask_128_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Sets up the key schedule for the Pyjamask-96 block cipher.
- *
- * \param ks The key schedule on output.
- * \param key The 16 bytes of the key on input.
- */
-void pyjamask_96_setup_key
- (pyjamask_96_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 128-bit block with Pyjamask-128.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * \sa pyjamask_128_decrypt()
- */
-void pyjamask_128_encrypt
- (const pyjamask_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with Pyjamask-128.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- *
- * \sa pyjamask_128_encrypt()
- */
-void pyjamask_128_decrypt
- (const pyjamask_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 96-bit block with Pyjamask-96.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 12 bytes in length.
- * \param input Input buffer which must be at least 12 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * \sa pyjamask_96_decrypt()
- */
-void pyjamask_96_encrypt
- (const pyjamask_96_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 96-bit block with Pyjamask-96.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 12 bytes in length.
- * \param input Input buffer which must be at least 12 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- *
- * \sa pyjamask_96_encrypt()
- */
-void pyjamask_96_decrypt
- (const pyjamask_96_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Sets up the key schedule for the masked Pyjamask-128 block cipher.
- *
- * \param ks The key schedule on output.
- * \param key The 16 bytes of the key on input.
- */
-void pyjamask_masked_128_setup_key
- (pyjamask_masked_128_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Sets up the key schedule for the masked Pyjamask-96 block cipher.
- *
- * \param ks The key schedule on output.
- * \param key The 16 bytes of the key on input.
- */
-void pyjamask_masked_96_setup_key
- (pyjamask_masked_96_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 128-bit block with Pyjamask-128 in masked mode.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * \sa pyjamask_masked_128_decrypt()
- */
-void pyjamask_masked_128_encrypt
- (const pyjamask_masked_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with Pyjamask-128 in masked mode.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- *
- * \sa pyjamask_masked_128_encrypt()
- */
-void pyjamask_masked_128_decrypt
- (const pyjamask_masked_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 96-bit block with Pyjamask-96 in masked mode.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 12 bytes in length.
- * \param input Input buffer which must be at least 12 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * \sa pyjamask_masked_96_decrypt()
- */
-void pyjamask_masked_96_encrypt
- (const pyjamask_masked_96_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 96-bit block with Pyjamask-96 in masked mode.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 12 bytes in length.
- * \param input Input buffer which must be at least 12 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- *
- * \sa pyjamask_masked_96_encrypt()
- */
-void pyjamask_masked_96_decrypt
- (const pyjamask_masked_96_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-util.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/pyjamask-128.c b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/pyjamask-128.c deleted file mode 100644 index da0fac6..0000000 --- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/pyjamask-128.c +++ /dev/null 
@@ -1,44 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "pyjamask.h" -#include "internal-pyjamask.h" - -aead_cipher_t const pyjamask_128_cipher = { - "Pyjamask-128-AEAD", - PYJAMASK_128_KEY_SIZE, - PYJAMASK_128_NONCE_SIZE, - PYJAMASK_128_TAG_SIZE, - AEAD_FLAG_NONE, - pyjamask_128_aead_encrypt, - pyjamask_128_aead_decrypt -}; - -#define OCB_ALG_NAME pyjamask_128 -#define OCB_BLOCK_SIZE 16 -#define OCB_NONCE_SIZE PYJAMASK_128_NONCE_SIZE -#define OCB_TAG_SIZE PYJAMASK_128_TAG_SIZE -#define OCB_KEY_SCHEDULE pyjamask_128_key_schedule_t -#define OCB_SETUP_KEY pyjamask_128_setup_key -#define OCB_ENCRYPT_BLOCK pyjamask_128_encrypt -#define OCB_DECRYPT_BLOCK pyjamask_128_decrypt -#include "internal-ocb.h" 
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/pyjamask.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/pyjamask.h deleted file mode 100644 index 23ec744..0000000 --- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/pyjamask.h +++ /dev/null 
@@ -1,335 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_PYJAMASK_H -#define LWCRYPTO_PYJAMASK_H - -#include "aead-common.h" - -/** - * \file pyjamask.h - * \brief Pyjamask authenticated encryption algorithm. - * - * Pyjamask AEAD is a family of authenticated encryption algorithms that are - * built around the Pyjamask-128 and Pyjamask-96 block ciphers in OCB mode. - * Pyjamask-128-AEAD has a 128-bit key, a 96-bit nonce, and a 128-bit - * authentication tag. Pyjamask-96-AEAD has a 128-bit key, a 64-bit nonce, - * and a 96-bit authentication tag. - * - * References: https://pyjamask-cipher.github.io/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for Pyjamask-128-AEAD. - */ -#define PYJAMASK_128_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Pyjamask-128-AEAD. 
- */ -#define PYJAMASK_128_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Pyjamask-128-AEAD. - */ -#define PYJAMASK_128_NONCE_SIZE 12 - -/** - * \brief Size of the key for Pyjamask-96-AEAD. - */ -#define PYJAMASK_96_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Pyjamask-96-AEAD. - */ -#define PYJAMASK_96_TAG_SIZE 12 - -/** - * \brief Size of the nonce for Pyjamask-96-AEAD. - */ -#define PYJAMASK_96_NONCE_SIZE 8 - -/** - * \brief Meta-information block for the Pyjamask-128-AEAD cipher. - */ -extern aead_cipher_t const pyjamask_128_cipher; - -/** - * \brief Meta-information block for the Pyjamask-96-AEAD cipher. - */ -extern aead_cipher_t const pyjamask_96_cipher; - -/** - * \brief Meta-information block for the masked Pyjamask-128-AEAD cipher. - */ -extern aead_cipher_t const pyjamask_masked_128_cipher; - -/** - * \brief Meta-information block for the masked Pyjamask-96-AEAD cipher. - */ -extern aead_cipher_t const pyjamask_masked_96_cipher; - -/** - * \brief Encrypts and authenticates a packet with Pyjamask-128-AEAD. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa pyjamask_128_aead_decrypt() - */ -int pyjamask_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Pyjamask-128-AEAD. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa pyjamask_128_aead_encrypt() - */ -int pyjamask_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Pyjamask-96-AEAD. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 12 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa pyjamask_96_aead_decrypt() - */ -int pyjamask_96_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Pyjamask-96-AEAD. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 12 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa pyjamask_96_aead_encrypt() - */ -int pyjamask_96_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with masked Pyjamask-128-AEAD. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa pyjamask_masked_128_aead_decrypt() - */ -int pyjamask_masked_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with masked Pyjamask-128-AEAD. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. 
- * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa pyjamask_masked_128_aead_encrypt() - */ -int pyjamask_masked_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with masked Pyjamask-96-AEAD. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 12 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa pyjamask_masked_96_aead_decrypt() - */ -int pyjamask_masked_96_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with masked Pyjamask-96-AEAD. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 12 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa pyjamask_masked_96_aead_encrypt() - */ -int pyjamask_masked_96_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-ocb.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-ocb.h index de544ba..98f2a31 100644 --- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-ocb.h 
+++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-ocb.h @@ -62,7 +62,9 @@ #define OCB_DOUBLE_L OCB_CONCAT(OCB_ALG_NAME,_double_l) -/* Double a value in GF(128) - default implementation */ +#if OCB_BLOCK_SIZE == 16 + +/* Double a value in GF(128) */ static void OCB_DOUBLE_L(unsigned char out[16], const unsigned char in[16]) { unsigned index; @@ -72,6 +74,24 @@ static void OCB_DOUBLE_L(unsigned char out[16], const unsigned char in[16]) out[15] = (in[15] << 1) ^ (mask & 0x87); } +#elif OCB_BLOCK_SIZE == 12 + +/* Double a value in GF(96) */ +static void OCB_DOUBLE_L + (unsigned char out[12], const unsigned char in[12]) +{ + unsigned index; + unsigned char mask = (unsigned char)(((signed char)in[0]) >> 7); + for (index = 0; index < 11; ++index) + out[index] = (in[index] << 1) | (in[index + 1] >> 7); + out[11] = (in[11] << 1) ^ (mask & 0x41); + out[10] ^= (mask & 0x06); +} + +#else +#error "Unknown block size for OCB" +#endif + #endif /* State information for OCB functions */ diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-pyjamask-avr.S b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask-avr.S similarity index 100% rename from pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys-avr/internal-pyjamask-avr.S rename to pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask-avr.S diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.c b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.c index f3a5655..3c40d2d 100644 --- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.c +++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.c @@ -23,6 +23,8 @@ #include "internal-pyjamask.h" #include "internal-util.h" +#if !defined(__AVR__) + /** * \brief Performs a circulant binary matrix multiplication. * 
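Review bot: The new GF(96) doubling hard-codes its reduction as the bare constants `0x41` and `0x06` split across `out[11]` and `out[10]`, with nothing stating which polynomial they encode, so a reviewer cannot check it against the Pyjamask-96 specification; add a comment above the `out[11]` line such as `/* Reduce modulo x^96 + x^10 + x^9 + x^6 + 1 (0x641); the constant straddles out[10] and out[11] */`, adjusting the polynomial if the intended one differs. The mask derivation `((signed char)in[0]) >> 7` depends on an arithmetic right shift of a negative value, which C leaves implementation-defined; `unsigned char mask = (unsigned char)(0u - (in[0] >> 7));` is fully defined and still branch-free, and since the 128-bit body above it uses the same idiom, both should change together or neither. The `#error` fallback for an unexpected block size is a welcome guard.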
@@ -49,7 +51,8 @@ STATIC_INLINE uint32_t pyjamask_matrix_multiply(uint32_t x, uint32_t y) return result; } -void pyjamask_setup_key(pyjamask_key_schedule_t *ks, const unsigned char *key) +void pyjamask_128_setup_key + (pyjamask_128_key_schedule_t *ks, const unsigned char *key) { uint32_t *rk = ks->k; uint32_t k0, k1, k2, k3; @@ -96,8 +99,54 @@ void pyjamask_setup_key(pyjamask_key_schedule_t *ks, const unsigned char *key) } } +void pyjamask_96_setup_key + (pyjamask_96_key_schedule_t *ks, const unsigned char *key) +{ + uint32_t *rk = ks->k; + uint32_t k0, k1, k2, k3; + uint32_t temp; + uint8_t round; + + /* Load the words of the key */ + k0 = be_load_word32(key); + k1 = be_load_word32(key + 4); + k2 = be_load_word32(key + 8); + k3 = be_load_word32(key + 12); + + /* The first round key is the same as the key itself */ + rk[0] = k0; + rk[1] = k1; + rk[2] = k2; + rk += 3; + + /* Derive the round keys for all of the other rounds */ + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 3) { + /* Mix the columns */ + temp = k0 ^ k1 ^ k2 ^ k3; + k0 ^= temp; + k1 ^= temp; + k2 ^= temp; + k3 ^= temp; + + /* Mix the rows and add the round constants. Note that the Pyjamask + * specification says that k1/k2/k3 should be rotated left by 8, 15, + * and 18 bits. But the reference code actually rotates the words + * right. And the test vectors in the specification match up with + * right rotations, not left. We match the reference code here */ + k0 = pyjamask_matrix_multiply(0xb881b9caU, k0) ^ 0x00000080U ^ round; + k1 = rightRotate8(k1) ^ 0x00006a00U; + k2 = rightRotate15(k2) ^ 0x003f0000U; + k3 = rightRotate18(k3) ^ 0x24000000U; + + /* Write the round key to the schedule */ + rk[0] = k0; + rk[1] = k1; + rk[2] = k2; + } +} + void pyjamask_128_encrypt - (const pyjamask_key_schedule_t *ks, unsigned char *output, + (const pyjamask_128_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { const uint32_t *rk = ks->k; 
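Review bot: pyjamask_96_setup_key duplicates the whole round-key derivation that pyjamask_128_setup_key presumably performs (its body is outside the hunk); the only visible differences are the stride `rk += 3` and that `k3` is mixed but never stored. A shared `static` helper taking the per-round word count would keep the two schedules from drifting, so the column mix, the rotation-direction comment and the round constants exist once. The `words == 4` test in the sketch below is on a compile-time constant argument and so does not make the schedule computation data-dependent.

```c
/* Common round-key derivation: Pyjamask-128 keeps four words per round,
 * Pyjamask-96 keeps the first three; k3 still feeds the column mix. */
static void pyjamask_setup_key_words
    (uint32_t *rk, const unsigned char *key, unsigned words)
{
    /* … unchanged: k0..k3 loads, temp/round declarations … */
    rk[0] = k0;
    rk[1] = k1;
    rk[2] = k2;
    if (words == 4)
        rk[3] = k3;
    rk += words;
    for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += words) {
        /* … unchanged: column mix, row mix and round constants … */
        rk[0] = k0;
        rk[1] = k1;
        rk[2] = k2;
        if (words == 4)
            rk[3] = k3;
    }
}

void pyjamask_96_setup_key
    (pyjamask_96_key_schedule_t *ks, const unsigned char *key)
{
    pyjamask_setup_key_words(ks->k, key, 3);
}
```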
@@ -152,7 +201,7 @@ void pyjamask_128_encrypt } void pyjamask_128_decrypt - (const pyjamask_key_schedule_t *ks, unsigned char *output, + (const pyjamask_128_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { const uint32_t *rk = ks->k + 4 * PYJAMASK_ROUNDS; @@ -208,7 +257,7 @@ void pyjamask_128_decrypt } void pyjamask_96_encrypt - (const pyjamask_key_schedule_t *ks, unsigned char *output, + (const pyjamask_96_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { const uint32_t *rk = ks->k; @@ -221,7 +270,7 @@ void pyjamask_96_encrypt s2 = be_load_word32(input + 8); /* Perform all encryption rounds */ - for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 4) { + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 3) { /* Add the round key to the state */ s0 ^= rk[0]; s1 ^= rk[1]; @@ -256,10 +305,10 @@ void pyjamask_96_encrypt } void pyjamask_96_decrypt - (const pyjamask_key_schedule_t *ks, unsigned char *output, + (const pyjamask_96_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { - const uint32_t *rk = ks->k + 4 * PYJAMASK_ROUNDS; + const uint32_t *rk = ks->k + 3 * PYJAMASK_ROUNDS; uint32_t s0, s1, s2; uint8_t round; @@ -272,10 +321,10 @@ void pyjamask_96_decrypt s0 ^= rk[0]; s1 ^= rk[1]; s2 ^= rk[2]; - rk -= 4; + rk -= 3; /* Perform all encryption rounds */ - for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk -= 4) { + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk -= 3) { /* Inverse mix of the rows in the state */ s0 = pyjamask_matrix_multiply(0x2037a121U, s0); s1 = pyjamask_matrix_multiply(0x108ff2a0U, s1); @@ -303,3 +352,5 @@ void pyjamask_96_decrypt be_store_word32(output + 4, s1); be_store_word32(output + 8, s2); } + +#endif /* !__AVR__ */ diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.h index 3fd93a7..3ead7fb 100644 
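Review bot: In pyjamask_96_decrypt the loop increment `rk -= 3` also runs after the final round, leaving `rk` three words before the start of `ks->k`; forming a pointer before an array's first element is undefined behaviour in C even when it is never dereferenced, and the same pattern with stride 4 presumably exists in pyjamask_128_decrypt, whose loop is outside the hunk. Dropping the standalone `rk -= 3;` after the final-round-key whitening and making it the first statement of the loop body keeps every pointer value inside the array: `for (round = 0; round < PYJAMASK_ROUNDS; ++round) {` followed by `rk -= 3;` as the body's first line, with the rest unchanged. The pre-existing context comment `/* Perform all encryption rounds */` inside the decrypt function would also read better as `/* Perform all decryption rounds */`.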
--- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.h +++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-pyjamask.h 
@@ -45,31 +45,60 @@ extern "C" { #define PYJAMASK_MASKING_ORDER 4 /** - * \brief Structure of the key schedule for Pyjamask block ciphers. + * \brief Structure of the key schedule for the Pyjamask-128 block cipher. */ typedef struct { uint32_t k[(PYJAMASK_ROUNDS + 1) * 4]; /**< Words of the key schedule */ -} pyjamask_key_schedule_t; +} pyjamask_128_key_schedule_t; /** - * \brief Structure of the key schedule for masked Pyjamask block ciphers. + * \brief Structure of the key schedule for the Pyjamask-96 block cipher. + */ +typedef struct +{ + uint32_t k[(PYJAMASK_ROUNDS + 1) * 3]; /**< Words of the key schedule */ + +} pyjamask_96_key_schedule_t; + +/** + * \brief Structure of the key schedule for masked Pyjamask-128. */ typedef struct { /** Words of the key schedule */ uint32_t k[PYJAMASK_MASKING_ORDER * (PYJAMASK_ROUNDS + 1) * 4]; -} pyjamask_masked_key_schedule_t; +} pyjamask_masked_128_key_schedule_t; + +/** + * \brief Structure of the key schedule for masked Pyjamask-96. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[PYJAMASK_MASKING_ORDER * (PYJAMASK_ROUNDS + 1) * 3]; + +} pyjamask_masked_96_key_schedule_t; /** - * \brief Sets up the key schedule for the Pyjamask block cipher. + * \brief Sets up the key schedule for the Pyjamask-128 block cipher. * * \param ks The key schedule on output. * \param key The 16 bytes of the key on input. */ -void pyjamask_setup_key(pyjamask_key_schedule_t *ks, const unsigned char *key); +void pyjamask_128_setup_key + (pyjamask_128_key_schedule_t *ks, const unsigned char *key); + +/** + * \brief Sets up the key schedule for the Pyjamask-96 block cipher. + * + * \param ks The key schedule on output. + * \param key The 16 bytes of the key on input. + */ +void pyjamask_96_setup_key + (pyjamask_96_key_schedule_t *ks, const unsigned char *key); /** * \brief Encrypts a 128-bit block with Pyjamask-128. 
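Review bot: The new pyjamask_96_key_schedule_t says only "Words of the key schedule", which hides the layout difference the rest of this commit relies on — three words per round key for Pyjamask-96 against four for Pyjamask-128, with `k[0..2]` being the first round key. A one-line field comment makes the stride visible at the type: `uint32_t k[(PYJAMASK_ROUNDS + 1) * 3]; /**< Round keys, 3 words per round */`, and likewise for pyjamask_masked_96_key_schedule_t. It would also help callers if both setup_key descriptions stated that the schedule holds expanded secret key material and should be cleared once the last block has been processed, since no clearing helper is visible in this hunk.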
@@ -84,7 +113,7 @@ void pyjamask_setup_key(pyjamask_key_schedule_t *ks, const unsigned char *key); * \sa pyjamask_128_decrypt() */ void pyjamask_128_encrypt - (const pyjamask_key_schedule_t *ks, unsigned char *output, + (const pyjamask_128_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** @@ -100,7 +129,7 @@ void pyjamask_128_encrypt * \sa pyjamask_128_encrypt() */ void pyjamask_128_decrypt - (const pyjamask_key_schedule_t *ks, unsigned char *output, + (const pyjamask_128_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** @@ -116,7 +145,7 @@ void pyjamask_128_decrypt * \sa pyjamask_96_decrypt() */ void pyjamask_96_encrypt - (const pyjamask_key_schedule_t *ks, unsigned char *output, + (const pyjamask_96_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** @@ -132,17 +161,26 @@ void pyjamask_96_encrypt * \sa pyjamask_96_encrypt() */ void pyjamask_96_decrypt - (const pyjamask_key_schedule_t *ks, unsigned char *output, + (const pyjamask_96_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** - * \brief Sets up the key schedule for the masked Pyjamask block cipher. + * \brief Sets up the key schedule for the masked Pyjamask-128 block cipher. + * + * \param ks The key schedule on output. + * \param key The 16 bytes of the key on input. + */ +void pyjamask_masked_128_setup_key + (pyjamask_masked_128_key_schedule_t *ks, const unsigned char *key); + +/** + * \brief Sets up the key schedule for the masked Pyjamask-96 block cipher. * * \param ks The key schedule on output. * \param key The 16 bytes of the key on input. */ -void pyjamask_masked_setup_key - (pyjamask_masked_key_schedule_t *ks, const unsigned char *key); +void pyjamask_masked_96_setup_key + (pyjamask_masked_96_key_schedule_t *ks, const unsigned char *key); /** * \brief Encrypts a 128-bit block with Pyjamask-128 in masked mode. 
@@ -157,7 +195,7 @@ void pyjamask_masked_setup_key * \sa pyjamask_masked_128_decrypt() */ void pyjamask_masked_128_encrypt - (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + (const pyjamask_masked_128_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** @@ -173,7 +211,7 @@ void pyjamask_masked_128_encrypt * \sa pyjamask_masked_128_encrypt() */ void pyjamask_masked_128_decrypt - (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + (const pyjamask_masked_128_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** @@ -189,7 +227,7 @@ void pyjamask_masked_128_decrypt * \sa pyjamask_masked_96_decrypt() */ void pyjamask_masked_96_encrypt - (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + (const pyjamask_masked_96_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** @@ -205,7 +243,7 @@ void pyjamask_masked_96_encrypt * \sa pyjamask_masked_96_encrypt() */ void pyjamask_masked_96_decrypt - (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + (const pyjamask_masked_96_key_schedule_t *ks, unsigned char *output, const unsigned char *input); #ifdef __cplusplus diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-util.h b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-util.h +++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/internal-util.h 
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
  * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask-128.c b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask-128.c index a70a32f..da0fac6 100644 
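Review bot: The composed table is 62 hand-written macro chains whose only check is the comment beside each one, and a miscounted chain would corrupt every cipher using that rotation on AVR alone, the target where reference vectors are least likely to be run. Tracing the chains, each composes to the stated count (`leftRotate5` is 8 − 3, `leftRotate28` is −4, and every `rightRotateN` maps to `leftRotate(32 − N)`), but a small host-side test that forces `LW_CRYPTO_ROTATE32_COMPOSED` to 1 and compares each `leftRotateN`/`rightRotateN` with the generic `leftRotate((a), N)` on a few constants would make this checkable rather than read. The generic leftRotate appears to be a statement expression that declares `_temp` (the `}))` context in the `@@ -254,6 +265,8 @@` hunk), so the deeper chains nest up to five of them with each inner `_temp` shadowing the outer; that is legal but will surface under `-Wshadow`.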
--- a/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask-128.c
+++ b/pyjamask/Implementations/crypto_aead/pyjamask128aeadv1/rhys/pyjamask-128.c
@@ -37,8 +37,8 @@ aead_cipher_t const pyjamask_128_cipher = {
 #define OCB_BLOCK_SIZE 16
 #define OCB_NONCE_SIZE PYJAMASK_128_NONCE_SIZE
 #define OCB_TAG_SIZE PYJAMASK_128_TAG_SIZE
-#define OCB_KEY_SCHEDULE pyjamask_key_schedule_t
-#define OCB_SETUP_KEY pyjamask_setup_key
+#define OCB_KEY_SCHEDULE pyjamask_128_key_schedule_t
+#define OCB_SETUP_KEY pyjamask_128_setup_key
 #define OCB_ENCRYPT_BLOCK pyjamask_128_encrypt
 #define OCB_DECRYPT_BLOCK pyjamask_128_decrypt
 #include "internal-ocb.h"
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/aead-common.c b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/aead-common.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/api.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/api.h deleted file mode 100644 index bd8cdcb..0000000 --- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 8 -#define CRYPTO_ABYTES 12 -#define CRYPTO_NOOVERLAP 1 diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/encrypt.c b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/encrypt.c deleted file mode 100644 index f09b0ed..0000000 --- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@ - -#include "pyjamask.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return pyjamask_96_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return pyjamask_96_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-ocb.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-ocb.h deleted file mode 100644 index 98f2a31..0000000 --- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-ocb.h +++ /dev/null 
@@ -1,355 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_OCB_H
-#define LW_INTERNAL_OCB_H
-
-#include "internal-util.h"
-#include
-
-/* We expect a number of macros to be defined before this file
- * is included to configure the underlying block cipher:
- *
- * OCB_ALG_NAME Name of the algorithm that is using OCB mode.
- * OCB_BLOCK_SIZE Size of the block for the underlying cipher in bytes.
- * OCB_NONCE_SIZE Size of the nonce which must be < OCB_BLOCK_SIZE.
- * OCB_TAG_SIZE Size of the authentication tag.
- * OCB_KEY_SCHEDULE Type for the key schedule.
- * OCB_SETUP_KEY Name of the key schedule setup function.
- * OCB_ENCRYPT_BLOCK Name of the block cipher ECB encrypt function.
- * OCB_DECRYPT_BLOCK Name of the block cipher ECB decrypt function.
- * OCB_DOUBLE_L Name of the function to double L (optional).
- */
-#if defined(OCB_ENCRYPT_BLOCK)
-
-/**
- * \file internal-ocb.h
- * \brief Internal implementation of the OCB block cipher mode.
- *
- * Note that OCB is covered by patents so it may not be usable in all
- * applications. Open source applications should be covered, but for
- * others you will need to contact the patent authors to find out
- * if you can use it or if a paid license is required.
- *
- * License information: https://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
- *
- * References: https://tools.ietf.org/html/rfc7253
- */
-
-#define OCB_CONCAT_INNER(name,suffix) name##suffix
-#define OCB_CONCAT(name,suffix) OCB_CONCAT_INNER(name,suffix)
-
-#if !defined(OCB_DOUBLE_L)
-
-#define OCB_DOUBLE_L OCB_CONCAT(OCB_ALG_NAME,_double_l)
-
-#if OCB_BLOCK_SIZE == 16
-
-/* Double a value in GF(128) */
-static void OCB_DOUBLE_L(unsigned char out[16], const unsigned char in[16])
-{
- unsigned index;
- unsigned char mask = (unsigned char)(((signed char)in[0]) >> 7);
- for (index = 0; index < 15; ++index)
- out[index] = (in[index] << 1) | (in[index + 1] >> 7);
- out[15] = (in[15] << 1) ^ (mask & 0x87);
-}
-
-#elif OCB_BLOCK_SIZE == 12
-
-/* Double a value in GF(96) */
-static void OCB_DOUBLE_L
- (unsigned char out[12], const unsigned char in[12])
-{
- unsigned index;
- unsigned char mask = (unsigned char)(((signed char)in[0]) >> 7);
- for (index = 0; index < 11; ++index)
- out[index] = (in[index] << 1) | (in[index + 1] >> 7);
- out[11] = (in[11] << 1) ^ (mask & 0x41);
- out[10] ^= (mask & 0x06);
-}
-
-#else
-#error "Unknown block size for OCB"
-#endif
-
-#endif
-
-/* State information for OCB functions */
-#define OCB_STATE OCB_CONCAT(OCB_ALG_NAME,_state_t)
-typedef struct
-{
- OCB_KEY_SCHEDULE ks;
- unsigned char Lstar[OCB_BLOCK_SIZE];
- unsigned char Ldollar[OCB_BLOCK_SIZE];
- unsigned char L0[OCB_BLOCK_SIZE];
- unsigned char L1[OCB_BLOCK_SIZE];
-
-} OCB_STATE;
-
-/* Initializes the OCB state from the key and nonce */
-static void OCB_CONCAT(OCB_ALG_NAME,_init)
- (OCB_STATE *state, const unsigned char *k, const unsigned char *nonce,
- unsigned char offset[OCB_BLOCK_SIZE])
-{
- unsigned bottom;
-
- /* Set up the key schedule */
- OCB_SETUP_KEY(&(state->ks), k);
-
- /* Derive the values of L*, L$, L0, and L1 */
- memset(state->Lstar, 0, sizeof(state->Lstar));
- OCB_ENCRYPT_BLOCK(&(state->ks), state->Lstar, state->Lstar);
- OCB_DOUBLE_L(state->Ldollar, state->Lstar);
- OCB_DOUBLE_L(state->L0, state->Ldollar);
- OCB_DOUBLE_L(state->L1, state->L0);
-
- /* Derive the initial offset from the nonce */
- memset(offset, 0, OCB_BLOCK_SIZE);
- memcpy(offset + OCB_BLOCK_SIZE - OCB_NONCE_SIZE, nonce, OCB_NONCE_SIZE);
- offset[0] = ((OCB_TAG_SIZE * 8) & 0x7F) << 1;
- offset[OCB_BLOCK_SIZE - OCB_NONCE_SIZE - 1] |= 0x01;
- bottom = offset[OCB_BLOCK_SIZE - 1] & 0x3F;
- offset[OCB_BLOCK_SIZE - 1] &= 0xC0;
- {
- unsigned index;
- unsigned byte_posn = bottom / 8;
-#if OCB_BLOCK_SIZE == 16
- /* Standard OCB with a 128-bit block */
- unsigned char stretch[24];
- OCB_ENCRYPT_BLOCK(&(state->ks), stretch, offset);
- memcpy(stretch + 16, stretch + 1, 8);
- lw_xor_block(stretch + 16, stretch, 8);
-#elif OCB_BLOCK_SIZE == 12
- /* 96-bit block handling from the Pyjamask specification */
- unsigned char stretch[20];
- OCB_ENCRYPT_BLOCK(&(state->ks), stretch, offset);
- for (index = 0; index < 8; ++index) {
- stretch[index + 12] =
- (stretch[index + 1] << 1) | (stretch[index + 2] >> 7);
- }
- lw_xor_block(stretch + 12, stretch, 8);
-#else
- unsigned char stretch[OCB_BLOCK_SIZE + 8] = {0};
- #error "unsupported block size for OCB mode"
-#endif
- bottom %= 8;
- if (bottom != 0) {
- for (index = 0; index < OCB_BLOCK_SIZE; ++index) {
- offset[index] =
- (stretch[index + byte_posn] << bottom) |
- (stretch[index + byte_posn + 1] >> (8 - bottom));
- }
- } else {
- memcpy(offset, stretch + byte_posn, OCB_BLOCK_SIZE);
- }
- }
-}
-
-/* Calculate L_{ntz(i)} when the last two bits of i are zero */
-static void OCB_CONCAT(OCB_ALG_NAME,_calculate_L)
- (OCB_STATE *state, unsigned char L[OCB_BLOCK_SIZE], unsigned long long i)
-{
- OCB_DOUBLE_L(L, state->L1);
- i >>= 2;
- while ((i & 1) == 0) {
- OCB_DOUBLE_L(L, L);
- i >>= 1;
- }
-}
-
-/* Process associated data with OCB */
-static void OCB_CONCAT(OCB_ALG_NAME,_process_ad)
- (OCB_STATE *state, unsigned char tag[OCB_BLOCK_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char offset[OCB_BLOCK_SIZE];
- unsigned char block[OCB_BLOCK_SIZE];
- unsigned long long block_number;
-
- /* Process all full blocks */
- memset(offset, 0, sizeof(offset));
- block_number = 1;
- while (adlen >= OCB_BLOCK_SIZE) {
- if (block_number & 1) {
- lw_xor_block(offset, state->L0, OCB_BLOCK_SIZE);
- } else if ((block_number & 3) == 2) {
- lw_xor_block(offset, state->L1, OCB_BLOCK_SIZE);
- } else {
- OCB_CONCAT(OCB_ALG_NAME,_calculate_L)(state, block, block_number);
- lw_xor_block(offset, block, OCB_BLOCK_SIZE);
- }
- lw_xor_block_2_src(block, offset, ad, OCB_BLOCK_SIZE);
- OCB_ENCRYPT_BLOCK(&(state->ks), block, block);
- lw_xor_block(tag, block, OCB_BLOCK_SIZE);
- ad += OCB_BLOCK_SIZE;
- adlen -= OCB_BLOCK_SIZE;
- ++block_number;
- }
-
- /* Pad and process the last partial block */
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(offset, state->Lstar, OCB_BLOCK_SIZE);
- lw_xor_block(offset, ad, temp);
- offset[temp] ^= 0x80;
- OCB_ENCRYPT_BLOCK(&(state->ks), block, offset);
- lw_xor_block(tag, block, OCB_BLOCK_SIZE);
- }
-}
-
-int OCB_CONCAT(OCB_ALG_NAME,_aead_encrypt)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- OCB_STATE state;
- unsigned char offset[OCB_BLOCK_SIZE];
- unsigned char sum[OCB_BLOCK_SIZE];
- unsigned char block[OCB_BLOCK_SIZE];
- unsigned long long block_number;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + OCB_TAG_SIZE;
-
- /* Initialize the OCB state */
- OCB_CONCAT(OCB_ALG_NAME,_init)(&state, k, npub, offset);
-
- /* Process all plaintext blocks except the last */
- memset(sum, 0, sizeof(sum));
- block_number = 1;
- while (mlen >= OCB_BLOCK_SIZE) {
- if (block_number & 1) {
- lw_xor_block(offset, state.L0, OCB_BLOCK_SIZE);
- } else if ((block_number & 3) == 2) {
- lw_xor_block(offset, state.L1, OCB_BLOCK_SIZE);
- } else {
- OCB_CONCAT(OCB_ALG_NAME,_calculate_L)(&state, block, block_number);
- lw_xor_block(offset, block, OCB_BLOCK_SIZE);
- }
- lw_xor_block(sum, m, OCB_BLOCK_SIZE);
- lw_xor_block_2_src(block, offset, m, OCB_BLOCK_SIZE);
- OCB_ENCRYPT_BLOCK(&(state.ks), block, block);
- lw_xor_block_2_src(c, block, offset, OCB_BLOCK_SIZE);
- c += OCB_BLOCK_SIZE;
- m += OCB_BLOCK_SIZE;
- mlen -= OCB_BLOCK_SIZE;
- ++block_number;
- }
-
- /* Pad and process the last plaintext block */
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- lw_xor_block(offset, state.Lstar, OCB_BLOCK_SIZE);
- OCB_ENCRYPT_BLOCK(&(state.ks), block, offset);
- lw_xor_block_2_src(c, block, m, temp);
- c += temp;
- }
-
- /* Finalize the encryption phase */
- lw_xor_block(sum, offset, OCB_BLOCK_SIZE);
- lw_xor_block(sum, state.Ldollar, OCB_BLOCK_SIZE);
- OCB_ENCRYPT_BLOCK(&(state.ks), sum, sum);
-
- /* Process the associated data and compute the final authentication tag */
- OCB_CONCAT(OCB_ALG_NAME,_process_ad)(&state, sum, ad, adlen);
- memcpy(c, sum, OCB_TAG_SIZE);
- return 0;
-}
-
-int OCB_CONCAT(OCB_ALG_NAME,_aead_decrypt)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- OCB_STATE state;
- unsigned char *mtemp = m;
- unsigned char offset[OCB_BLOCK_SIZE];
- unsigned char sum[OCB_BLOCK_SIZE];
- unsigned char block[OCB_BLOCK_SIZE];
- unsigned long long block_number;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < OCB_TAG_SIZE)
- return -1;
- *mlen = clen - OCB_TAG_SIZE;
-
- /* Initialize the OCB state */
- OCB_CONCAT(OCB_ALG_NAME,_init)(&state, k, npub, offset);
-
- /* Process all ciphertext blocks except the last */
- memset(sum, 0, sizeof(sum));
- block_number = 1;
- clen -= OCB_TAG_SIZE;
- while (clen >= OCB_BLOCK_SIZE) {
- if (block_number & 1) {
- lw_xor_block(offset, state.L0, OCB_BLOCK_SIZE);
- } else if ((block_number & 3) == 2) {
- lw_xor_block(offset, state.L1, OCB_BLOCK_SIZE);
- } else {
- OCB_CONCAT(OCB_ALG_NAME,_calculate_L)(&state, block, block_number);
- lw_xor_block(offset, block, OCB_BLOCK_SIZE);
- }
- lw_xor_block_2_src(block, offset, c, OCB_BLOCK_SIZE);
- OCB_DECRYPT_BLOCK(&(state.ks), block, block);
- lw_xor_block_2_src(m, block, offset, OCB_BLOCK_SIZE);
- lw_xor_block(sum, m, OCB_BLOCK_SIZE);
- c += OCB_BLOCK_SIZE;
- m += OCB_BLOCK_SIZE;
- clen -= OCB_BLOCK_SIZE;
- ++block_number;
- }
-
- /* Pad and process the last ciphertext block */
- if (clen > 0) {
- unsigned temp = (unsigned)clen;
- lw_xor_block(offset, state.Lstar, OCB_BLOCK_SIZE);
- OCB_ENCRYPT_BLOCK(&(state.ks), block, offset);
- lw_xor_block_2_src(m, block, c, temp);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- c += temp;
- }
-
- /* Finalize the decryption phase */
- lw_xor_block(sum, offset, OCB_BLOCK_SIZE);
- lw_xor_block(sum, state.Ldollar, OCB_BLOCK_SIZE);
- OCB_ENCRYPT_BLOCK(&(state.ks), sum, sum);
-
- /* Process the associated data and check the final authentication tag */
- OCB_CONCAT(OCB_ALG_NAME,_process_ad)(&state, sum, ad, adlen);
- return aead_check_tag(mtemp, *mlen, sum, c, OCB_TAG_SIZE);
-}
-
-#endif /* OCB_ENCRYPT_BLOCK */
-
-#endif /* LW_INTERNAL_OCB_H */
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-pyjamask.c b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-pyjamask.c
deleted file mode 100644
index 3c40d2d..0000000
--- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-pyjamask.c
+++ /dev/null
@@ -1,356 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-pyjamask.h"
-#include "internal-util.h"
-
-#if !defined(__AVR__)
-
-/**
- * \brief Performs a circulant binary matrix multiplication.
- *
- * \param x The matrix.
- * \param y The vector to multiply with the matrix.
- *
- * \return The vector result of multiplying x by y.
- */
-STATIC_INLINE uint32_t pyjamask_matrix_multiply(uint32_t x, uint32_t y)
-{
- uint32_t result = 0;
- int bit;
- for (bit = 31; bit >= 0; --bit) {
-#if defined(ESP32)
- /* This version has slightly better performance on ESP32 */
- y = leftRotate1(y);
- result ^= x & -(y & 1);
- x = rightRotate1(x);
-#else
- result ^= x & -((y >> bit) & 1);
- x = rightRotate1(x);
-#endif
- }
- return result;
-}
-
-void pyjamask_128_setup_key
- (pyjamask_128_key_schedule_t *ks, const unsigned char *key)
-{
- uint32_t *rk = ks->k;
- uint32_t k0, k1, k2, k3;
- uint32_t temp;
- uint8_t round;
-
- /* Load the words of the key */
- k0 = be_load_word32(key);
- k1 = be_load_word32(key + 4);
- k2 = be_load_word32(key + 8);
- k3 = be_load_word32(key + 12);
-
- /* The first round key is the same as the key itself */
- rk[0] = k0;
- rk[1] = k1;
- rk[2] = k2;
- rk[3] = k3;
- rk += 4;
-
- /* Derive the round keys for all of the other rounds */
- for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 4) {
- /* Mix the columns */
- temp = k0 ^ k1 ^ k2 ^ k3;
- k0 ^= temp;
- k1 ^= temp;
- k2 ^= temp;
- k3 ^= temp;
-
- /* Mix the rows and add the round constants. Note that the Pyjamask
- * specification says that k1/k2/k3 should be rotated left by 8, 15,
- * and 18 bits. But the reference code actually rotates the words
- * right. And the test vectors in the specification match up with
- * right rotations, not left. We match the reference code here */
- k0 = pyjamask_matrix_multiply(0xb881b9caU, k0) ^ 0x00000080U ^ round;
- k1 = rightRotate8(k1) ^ 0x00006a00U;
- k2 = rightRotate15(k2) ^ 0x003f0000U;
- k3 = rightRotate18(k3) ^ 0x24000000U;
-
- /* Write the round key to the schedule */
- rk[0] = k0;
- rk[1] = k1;
- rk[2] = k2;
- rk[3] = k3;
- }
-}
-
-void pyjamask_96_setup_key
- (pyjamask_96_key_schedule_t *ks, const unsigned char *key)
-{
- uint32_t *rk = ks->k;
- uint32_t k0, k1, k2, k3;
- uint32_t temp;
- uint8_t round;
-
- /* Load the words of the key */
- k0 = be_load_word32(key);
- k1 = be_load_word32(key + 4);
- k2 = be_load_word32(key + 8);
- k3 = be_load_word32(key + 12);
-
- /* The first round key is the same as the key itself */
- rk[0] = k0;
- rk[1] = k1;
- rk[2] = k2;
- rk += 3;
-
- /* Derive the round keys for all of the other rounds */
- for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 3) {
- /* Mix the columns */
- temp = k0 ^ k1 ^ k2 ^ k3;
- k0 ^= temp;
- k1 ^= temp;
- k2 ^= temp;
- k3 ^= temp;
-
- /* Mix the rows and add the round constants. Note that the Pyjamask
- * specification says that k1/k2/k3 should be rotated left by 8, 15,
- * and 18 bits. But the reference code actually rotates the words
- * right. And the test vectors in the specification match up with
- * right rotations, not left. We match the reference code here */
- k0 = pyjamask_matrix_multiply(0xb881b9caU, k0) ^ 0x00000080U ^ round;
- k1 = rightRotate8(k1) ^ 0x00006a00U;
- k2 = rightRotate15(k2) ^ 0x003f0000U;
- k3 = rightRotate18(k3) ^ 0x24000000U;
-
- /* Write the round key to the schedule */
- rk[0] = k0;
- rk[1] = k1;
- rk[2] = k2;
- }
-}
-
-void pyjamask_128_encrypt
- (const pyjamask_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- const uint32_t *rk = ks->k;
- uint32_t s0, s1, s2, s3;
- uint8_t round;
-
- /* Load the plaintext from the input buffer */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Perform all encryption rounds */
- for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 4) {
- /* Add the round key to the state */
- s0 ^= rk[0];
- s1 ^= rk[1];
- s2 ^= rk[2];
- s3 ^= rk[3];
-
- /* Apply the 128-bit Pyjamask sbox */
- s0 ^= s3;
- s3 ^= s0 & s1;
- s0 ^= s1 & s2;
- s1 ^= s2 & s3;
- s2 ^= s0 & s3;
- s2 ^= s1;
- s1 ^= s0;
- s3 = ~s3;
- s2 ^= s3;
- s3 ^= s2;
- s2 ^= s3;
-
- /* Mix the rows of the state */
- s0 = pyjamask_matrix_multiply(0xa3861085U, s0);
- s1 = pyjamask_matrix_multiply(0x63417021U, s1);
- s2 = pyjamask_matrix_multiply(0x692cf280U, s2);
- s3 = pyjamask_matrix_multiply(0x48a54813U, s3);
- }
-
- /* Mix in the key one last time */
- s0 ^= rk[0];
- s1 ^= rk[1];
- s2 ^= rk[2];
- s3 ^= rk[3];
-
- /* Write the ciphertext to the output buffer */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void pyjamask_128_decrypt
- (const pyjamask_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- const uint32_t *rk = ks->k + 4 * PYJAMASK_ROUNDS;
- uint32_t s0, s1, s2, s3;
- uint8_t round;
-
- /* Load the ciphertext from the input buffer */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Mix in the last round key */
- s0 ^= rk[0];
- s1 ^= rk[1];
- s2 ^= rk[2];
- s3 ^= rk[3];
- rk -= 4;
-
- /* Perform all decryption rounds */
- for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk -= 4) {
- /* Inverse mix of the rows in the state */
- s0 = pyjamask_matrix_multiply(0x2037a121U, s0);
- s1 = pyjamask_matrix_multiply(0x108ff2a0U, s1);
- s2 = pyjamask_matrix_multiply(0x9054d8c0U, s2);
- s3 = pyjamask_matrix_multiply(0x3354b117U, s3);
-
- /* Apply the inverse of the 128-bit Pyjamask sbox */
- s2 ^= s3;
- s3 ^= s2;
- s2 ^= s3;
- s3 = ~s3;
- s1 ^= s0;
- s2 ^= s1;
- s2 ^= s0 & s3;
- s1 ^= s2 & s3;
- s0 ^= s1 & s2;
- s3 ^= s0 & s1;
- s0 ^= s3;
-
- /* Add the round key to the state */
- s0 ^= rk[0];
- s1 ^= rk[1];
- s2 ^= rk[2];
- s3 ^= rk[3];
- }
-
- /* Write the plaintext to the output buffer */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void pyjamask_96_encrypt
- (const pyjamask_96_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- const uint32_t *rk = ks->k;
- uint32_t s0, s1, s2;
- uint8_t round;
-
- /* Load the plaintext from the input buffer */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
-
- /* Perform all encryption rounds */
- for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 3) {
- /* Add the round key to the state */
- s0 ^= rk[0];
- s1 ^= rk[1];
- s2 ^= rk[2];
-
- /* Apply the 96-bit Pyjamask sbox */
- s0 ^= s1;
- s1 ^= s2;
- s2 ^= s0 & s1;
- s0 ^= s1 & s2;
- s1 ^= s0 & s2;
- s2 ^= s0;
- s2 = ~s2;
- s1 ^= s0;
- s0 ^= s1;
-
- /* Mix the rows of the state */
- s0 = pyjamask_matrix_multiply(0xa3861085U, s0);
- s1 = pyjamask_matrix_multiply(0x63417021U, s1);
- s2 = pyjamask_matrix_multiply(0x692cf280U, s2);
- }
-
- /* Mix in the key one last time */
- s0 ^= rk[0];
- s1 ^= rk[1];
- s2 ^= rk[2];
-
- /* Write the ciphertext to the output buffer */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
-}
-
-void pyjamask_96_decrypt
- (const pyjamask_96_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- const uint32_t *rk = ks->k + 3 * PYJAMASK_ROUNDS;
- uint32_t s0, s1, s2;
- uint8_t round;
-
- /* Load the plaintext from the input buffer */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
-
- /* Mix in the last round key */
- s0 ^= rk[0];
- s1 ^= rk[1];
- s2 ^= rk[2];
- rk -= 3;
-
- /* Perform all encryption rounds */
- for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk -= 3) {
- /* Inverse mix of the rows in the state */
- s0 = pyjamask_matrix_multiply(0x2037a121U, s0);
- s1 = pyjamask_matrix_multiply(0x108ff2a0U, s1);
- s2 = pyjamask_matrix_multiply(0x9054d8c0U, s2);
-
- /* Apply the inverse of the 96-bit Pyjamask sbox */
- s0 ^= s1;
- s1 ^= s0;
- s2 = ~s2;
- s2 ^= s0;
- s1 ^= s0 & s2;
- s0 ^= s1 & s2;
- s2 ^= s0 & s1;
- s1 ^= s2;
- s0 ^= s1;
-
- /* Add the round key to the state */
- s0 ^= rk[0];
- s1 ^= rk[1];
- s2 ^= rk[2];
- }
-
- /* Write the ciphertext to the output buffer */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
-}
-
-#endif /* !__AVR__ */
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-pyjamask.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-pyjamask.h
deleted file mode 100644
index 3ead7fb..0000000
--- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-pyjamask.h
+++ /dev/null
@@ -1,253 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_PYJAMASK_H
-#define LW_INTERNAL_PYJAMASK_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-pyjamask.h
- * \brief Pyjamask block cipher.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Number of rounds in the Pyjamask block cipher.
- */
-#define PYJAMASK_ROUNDS 14
-
-/**
- * \brief Number of parallel states for masked operation.
- */
-#define PYJAMASK_MASKING_ORDER 4
-
-/**
- * \brief Structure of the key schedule for the Pyjamask-128 block cipher.
- */
-typedef struct
-{
- uint32_t k[(PYJAMASK_ROUNDS + 1) * 4]; /**< Words of the key schedule */
-
-} pyjamask_128_key_schedule_t;
-
-/**
- * \brief Structure of the key schedule for the Pyjamask-96 block cipher.
- */
-typedef struct
-{
- uint32_t k[(PYJAMASK_ROUNDS + 1) * 3]; /**< Words of the key schedule */
-
-} pyjamask_96_key_schedule_t;
-
-/**
- * \brief Structure of the key schedule for masked Pyjamask-128.
- */
-typedef struct
-{
- /** Words of the key schedule */
- uint32_t k[PYJAMASK_MASKING_ORDER * (PYJAMASK_ROUNDS + 1) * 4];
-
-} pyjamask_masked_128_key_schedule_t;
-
-/**
- * \brief Structure of the key schedule for masked Pyjamask-96.
- */
-typedef struct
-{
- /** Words of the key schedule */
- uint32_t k[PYJAMASK_MASKING_ORDER * (PYJAMASK_ROUNDS + 1) * 3];
-
-} pyjamask_masked_96_key_schedule_t;
-
-/**
- * \brief Sets up the key schedule for the Pyjamask-128 block cipher.
- *
- * \param ks The key schedule on output.
- * \param key The 16 bytes of the key on input.
- */
-void pyjamask_128_setup_key
- (pyjamask_128_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Sets up the key schedule for the Pyjamask-96 block cipher.
- *
- * \param ks The key schedule on output.
- * \param key The 16 bytes of the key on input.
- */
-void pyjamask_96_setup_key
- (pyjamask_96_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 128-bit block with Pyjamask-128.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * \sa pyjamask_128_decrypt()
- */
-void pyjamask_128_encrypt
- (const pyjamask_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with Pyjamask-128.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- *
- * \sa pyjamask_128_encrypt()
- */
-void pyjamask_128_decrypt
- (const pyjamask_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 96-bit block with Pyjamask-96.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 12 bytes in length.
- * \param input Input buffer which must be at least 12 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * \sa pyjamask_96_decrypt()
- */
-void pyjamask_96_encrypt
- (const pyjamask_96_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 96-bit block with Pyjamask-96.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 12 bytes in length.
- * \param input Input buffer which must be at least 12 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- *
- * \sa pyjamask_96_encrypt()
- */
-void pyjamask_96_decrypt
- (const pyjamask_96_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Sets up the key schedule for the masked Pyjamask-128 block cipher.
- *
- * \param ks The key schedule on output.
- * \param key The 16 bytes of the key on input.
- */
-void pyjamask_masked_128_setup_key
- (pyjamask_masked_128_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Sets up the key schedule for the masked Pyjamask-96 block cipher.
- *
- * \param ks The key schedule on output.
- * \param key The 16 bytes of the key on input.
- */
-void pyjamask_masked_96_setup_key
- (pyjamask_masked_96_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 128-bit block with Pyjamask-128 in masked mode.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * \sa pyjamask_masked_128_decrypt()
- */
-void pyjamask_masked_128_encrypt
- (const pyjamask_masked_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with Pyjamask-128 in masked mode.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- *
- * \sa pyjamask_masked_128_encrypt()
- */
-void pyjamask_masked_128_decrypt
- (const pyjamask_masked_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 96-bit block with Pyjamask-96 in masked mode.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 12 bytes in length.
- * \param input Input buffer which must be at least 12 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * \sa pyjamask_masked_96_decrypt()
- */
-void pyjamask_masked_96_encrypt
- (const pyjamask_masked_96_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 96-bit block with Pyjamask-96 in masked mode.
- *
- * \param ks Points to the key schedule.
- * \param output Output buffer which must be at least 12 bytes in length.
- * \param input Input buffer which must be at least 12 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- *
- * \sa pyjamask_masked_96_encrypt()
- */
-void pyjamask_masked_96_decrypt
- (const pyjamask_masked_96_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-util.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include 
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time.
This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits.
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/pyjamask-96.c b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/pyjamask-96.c
deleted file mode 100644
index 37f508d..0000000
--- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/pyjamask-96.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "pyjamask.h"
-#include "internal-pyjamask.h"
-
-aead_cipher_t const pyjamask_96_cipher = {
- "Pyjamask-96-AEAD",
- PYJAMASK_96_KEY_SIZE,
- PYJAMASK_96_NONCE_SIZE,
- PYJAMASK_96_TAG_SIZE,
- AEAD_FLAG_NONE,
- pyjamask_96_aead_encrypt,
- pyjamask_96_aead_decrypt
-};
-
-#define OCB_ALG_NAME pyjamask_96
-#define OCB_BLOCK_SIZE 12
-#define OCB_NONCE_SIZE PYJAMASK_96_NONCE_SIZE
-#define OCB_TAG_SIZE PYJAMASK_96_TAG_SIZE
-#define OCB_KEY_SCHEDULE pyjamask_96_key_schedule_t
-#define OCB_SETUP_KEY pyjamask_96_setup_key
-#define OCB_ENCRYPT_BLOCK pyjamask_96_encrypt
-#define OCB_DECRYPT_BLOCK pyjamask_96_decrypt
-#include "internal-ocb.h"
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/pyjamask.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/pyjamask.h
deleted file mode 100644
index 23ec744..0000000
--- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/pyjamask.h
+++ /dev/null
@@ -1,335 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_PYJAMASK_H -#define LWCRYPTO_PYJAMASK_H - -#include "aead-common.h" - -/** - * \file pyjamask.h - * \brief Pyjamask authenticated encryption algorithm. - * - * Pyjamask AEAD is a family of authenticated encryption algorithms that are - * built around the Pyjamask-128 and Pyjamask-96 block ciphers in OCB mode. - * Pyjamask-128-AEAD has a 128-bit key, a 96-bit nonce, and a 128-bit - * authentication tag. Pyjamask-96-AEAD has a 128-bit key, a 64-bit nonce, - * and a 96-bit authentication tag. - * - * References: https://pyjamask-cipher.github.io/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for Pyjamask-128-AEAD. - */ -#define PYJAMASK_128_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Pyjamask-128-AEAD. 
- */ -#define PYJAMASK_128_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Pyjamask-128-AEAD. - */ -#define PYJAMASK_128_NONCE_SIZE 12 - -/** - * \brief Size of the key for Pyjamask-96-AEAD. - */ -#define PYJAMASK_96_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Pyjamask-96-AEAD. - */ -#define PYJAMASK_96_TAG_SIZE 12 - -/** - * \brief Size of the nonce for Pyjamask-96-AEAD. - */ -#define PYJAMASK_96_NONCE_SIZE 8 - -/** - * \brief Meta-information block for the Pyjamask-128-AEAD cipher. - */ -extern aead_cipher_t const pyjamask_128_cipher; - -/** - * \brief Meta-information block for the Pyjamask-96-AEAD cipher. - */ -extern aead_cipher_t const pyjamask_96_cipher; - -/** - * \brief Meta-information block for the masked Pyjamask-128-AEAD cipher. - */ -extern aead_cipher_t const pyjamask_masked_128_cipher; - -/** - * \brief Meta-information block for the masked Pyjamask-96-AEAD cipher. - */ -extern aead_cipher_t const pyjamask_masked_96_cipher; - -/** - * \brief Encrypts and authenticates a packet with Pyjamask-128-AEAD. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa pyjamask_128_aead_decrypt() - */ -int pyjamask_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Pyjamask-128-AEAD. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa pyjamask_128_aead_encrypt() - */ -int pyjamask_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Pyjamask-96-AEAD. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 12 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa pyjamask_96_aead_decrypt() - */ -int pyjamask_96_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Pyjamask-96-AEAD. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 12 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa pyjamask_96_aead_encrypt() - */ -int pyjamask_96_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with masked Pyjamask-128-AEAD. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa pyjamask_masked_128_aead_decrypt() - */ -int pyjamask_masked_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with masked Pyjamask-128-AEAD. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. 
- * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa pyjamask_masked_128_aead_encrypt() - */ -int pyjamask_masked_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with masked Pyjamask-96-AEAD. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 12 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa pyjamask_masked_96_aead_decrypt() - */ -int pyjamask_masked_96_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with masked Pyjamask-96-AEAD. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 12 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa pyjamask_masked_96_aead_encrypt() - */ -int pyjamask_masked_96_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-ocb.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-ocb.h index de544ba..98f2a31 100644 --- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-ocb.h 
+++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-ocb.h @@ -62,7 +62,9 @@ #define OCB_DOUBLE_L OCB_CONCAT(OCB_ALG_NAME,_double_l) -/* Double a value in GF(128) - default implementation */ +#if OCB_BLOCK_SIZE == 16 + +/* Double a value in GF(128) */ static void OCB_DOUBLE_L(unsigned char out[16], const unsigned char in[16]) { unsigned index; @@ -72,6 +74,24 @@ static void OCB_DOUBLE_L(unsigned char out[16], const unsigned char in[16]) out[15] = (in[15] << 1) ^ (mask & 0x87); } +#elif OCB_BLOCK_SIZE == 12 + +/* Double a value in GF(96) */ +static void OCB_DOUBLE_L + (unsigned char out[12], const unsigned char in[12]) +{ + unsigned index; + unsigned char mask = (unsigned char)(((signed char)in[0]) >> 7); + for (index = 0; index < 11; ++index) + out[index] = (in[index] << 1) | (in[index + 1] >> 7); + out[11] = (in[11] << 1) ^ (mask & 0x41); + out[10] ^= (mask & 0x06); +} + +#else +#error "Unknown block size for OCB" +#endif + #endif /* State information for OCB functions */ diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-pyjamask-avr.S b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask-avr.S similarity index 100% rename from pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys-avr/internal-pyjamask-avr.S rename to pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask-avr.S diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.c b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.c index f3a5655..3c40d2d 100644 --- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.c +++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.c @@ -23,6 +23,8 @@ #include "internal-pyjamask.h" #include "internal-util.h" +#if !defined(__AVR__) + /** * \brief Performs a circulant binary matrix multiplication. * 
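Review bot: The mask derivation in the new GF(96) branch, `unsigned char mask = (unsigned char)(((signed char)in[0]) >> 7);`, relies on right-shifting a negative `signed char` being an arithmetic shift, which the C standard leaves implementation-defined; the GF(128) branch above appears to use the same idiom, so this is inherited rather than introduced, but moving the code into the shared header is a good moment to fix both. `unsigned char mask = (unsigned char)(0 - (in[0] >> 7));` yields the same 0x00/0xFF mask with no implementation-defined step and stays branch-free, which matters for a doubling routine that runs on key-derived material. The `#error` fallback for other block sizes is welcome; its message could name the macro being checked, e.g. `#error "Unknown OCB_BLOCK_SIZE for OCB_DOUBLE_L"`.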
@@ -49,7 +51,8 @@ STATIC_INLINE uint32_t pyjamask_matrix_multiply(uint32_t x, uint32_t y) return result; } -void pyjamask_setup_key(pyjamask_key_schedule_t *ks, const unsigned char *key) +void pyjamask_128_setup_key + (pyjamask_128_key_schedule_t *ks, const unsigned char *key) { uint32_t *rk = ks->k; uint32_t k0, k1, k2, k3; @@ -96,8 +99,54 @@ void pyjamask_setup_key(pyjamask_key_schedule_t *ks, const unsigned char *key) } } +void pyjamask_96_setup_key + (pyjamask_96_key_schedule_t *ks, const unsigned char *key) +{ + uint32_t *rk = ks->k; + uint32_t k0, k1, k2, k3; + uint32_t temp; + uint8_t round; + + /* Load the words of the key */ + k0 = be_load_word32(key); + k1 = be_load_word32(key + 4); + k2 = be_load_word32(key + 8); + k3 = be_load_word32(key + 12); + + /* The first round key is the same as the key itself */ + rk[0] = k0; + rk[1] = k1; + rk[2] = k2; + rk += 3; + + /* Derive the round keys for all of the other rounds */ + for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 3) { + /* Mix the columns */ + temp = k0 ^ k1 ^ k2 ^ k3; + k0 ^= temp; + k1 ^= temp; + k2 ^= temp; + k3 ^= temp; + + /* Mix the rows and add the round constants. Note that the Pyjamask + * specification says that k1/k2/k3 should be rotated left by 8, 15, + * and 18 bits. But the reference code actually rotates the words + * right. And the test vectors in the specification match up with + * right rotations, not left. We match the reference code here */ + k0 = pyjamask_matrix_multiply(0xb881b9caU, k0) ^ 0x00000080U ^ round; + k1 = rightRotate8(k1) ^ 0x00006a00U; + k2 = rightRotate15(k2) ^ 0x003f0000U; + k3 = rightRotate18(k3) ^ 0x24000000U; + + /* Write the round key to the schedule */ + rk[0] = k0; + rk[1] = k1; + rk[2] = k2; + } +} + void pyjamask_128_encrypt - (const pyjamask_key_schedule_t *ks, unsigned char *output, + (const pyjamask_128_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { const uint32_t *rk = ks->k; 
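Review bot: In the new pyjamask_96_setup_key, `k3` is mixed and rotated on every round but never written to the schedule, which reads like a bug to anyone who has not compared it with the Pyjamask-96 definition; a comment on the loop such as `/* k3 feeds the column mix but only k0..k2 form the Pyjamask-96 round key */` would save the next reader that trip. The function is otherwise a line-for-line copy of pyjamask_128_setup_key with a stride of 3 instead of 4, so a shared static helper taking the number of words stored per round would keep the two schedules from drifting apart when one is fixed. The pyjamask_128_encrypt body at the end of the hunk continues outside it.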
@@ -152,7 +201,7 @@ void pyjamask_128_encrypt
 }
 
 void pyjamask_128_decrypt
-    (const pyjamask_key_schedule_t *ks, unsigned char *output,
+    (const pyjamask_128_key_schedule_t *ks, unsigned char *output,
      const unsigned char *input)
 {
     const uint32_t *rk = ks->k + 4 * PYJAMASK_ROUNDS;
@@ -208,7 +257,7 @@ void pyjamask_128_decrypt
 }
 
 void pyjamask_96_encrypt
-    (const pyjamask_key_schedule_t *ks, unsigned char *output,
+    (const pyjamask_96_key_schedule_t *ks, unsigned char *output,
      const unsigned char *input)
 {
     const uint32_t *rk = ks->k;
@@ -221,7 +270,7 @@ void pyjamask_96_encrypt
     s2 = be_load_word32(input + 8);
 
     /* Perform all encryption rounds */
-    for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 4) {
+    for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk += 3) {
         /* Add the round key to the state */
         s0 ^= rk[0];
         s1 ^= rk[1];
@@ -256,10 +305,10 @@ void pyjamask_96_encrypt
 }
 
 void pyjamask_96_decrypt
-    (const pyjamask_key_schedule_t *ks, unsigned char *output,
+    (const pyjamask_96_key_schedule_t *ks, unsigned char *output,
      const unsigned char *input)
 {
-    const uint32_t *rk = ks->k + 4 * PYJAMASK_ROUNDS;
+    const uint32_t *rk = ks->k + 3 * PYJAMASK_ROUNDS;
     uint32_t s0, s1, s2;
     uint8_t round;
 
@@ -272,10 +321,10 @@ void pyjamask_96_decrypt
     s0 ^= rk[0];
     s1 ^= rk[1];
     s2 ^= rk[2];
-    rk -= 4;
+    rk -= 3;
 
     /* Perform all encryption rounds */
-    for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk -= 4) {
+    for (round = 0; round < PYJAMASK_ROUNDS; ++round, rk -= 3) {
         /* Inverse mix of the rows in the state */
         s0 = pyjamask_matrix_multiply(0x2037a121U, s0);
         s1 = pyjamask_matrix_multiply(0x108ff2a0U, s1);
@@ -303,3 +352,5 @@ void pyjamask_96_decrypt
     be_store_word32(output + 4, s1);
     be_store_word32(output + 8, s2);
 }
+
+#endif /* !__AVR__ */
diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.h
index 3fd93a7..3ead7fb 100644
--- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.h
+++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-pyjamask.h
@@ -45,31 +45,60 @@ extern "C" { #define PYJAMASK_MASKING_ORDER 4 /** - * \brief Structure of the key schedule for Pyjamask block ciphers. + * \brief Structure of the key schedule for the Pyjamask-128 block cipher. */ typedef struct { uint32_t k[(PYJAMASK_ROUNDS + 1) * 4]; /**< Words of the key schedule */ -} pyjamask_key_schedule_t; +} pyjamask_128_key_schedule_t; /** - * \brief Structure of the key schedule for masked Pyjamask block ciphers. + * \brief Structure of the key schedule for the Pyjamask-96 block cipher. + */ +typedef struct +{ + uint32_t k[(PYJAMASK_ROUNDS + 1) * 3]; /**< Words of the key schedule */ + +} pyjamask_96_key_schedule_t; + +/** + * \brief Structure of the key schedule for masked Pyjamask-128. */ typedef struct { /** Words of the key schedule */ uint32_t k[PYJAMASK_MASKING_ORDER * (PYJAMASK_ROUNDS + 1) * 4]; -} pyjamask_masked_key_schedule_t; +} pyjamask_masked_128_key_schedule_t; + +/** + * \brief Structure of the key schedule for masked Pyjamask-96. + */ +typedef struct +{ + /** Words of the key schedule */ + uint32_t k[PYJAMASK_MASKING_ORDER * (PYJAMASK_ROUNDS + 1) * 3]; + +} pyjamask_masked_96_key_schedule_t; /** - * \brief Sets up the key schedule for the Pyjamask block cipher. + * \brief Sets up the key schedule for the Pyjamask-128 block cipher. * * \param ks The key schedule on output. * \param key The 16 bytes of the key on input. */ -void pyjamask_setup_key(pyjamask_key_schedule_t *ks, const unsigned char *key); +void pyjamask_128_setup_key + (pyjamask_128_key_schedule_t *ks, const unsigned char *key); + +/** + * \brief Sets up the key schedule for the Pyjamask-96 block cipher. + * + * \param ks The key schedule on output. + * \param key The 16 bytes of the key on input. + */ +void pyjamask_96_setup_key + (pyjamask_96_key_schedule_t *ks, const unsigned char *key); /** * \brief Encrypts a 128-bit block with Pyjamask-128. 
@@ -84,7 +113,7 @@ void pyjamask_setup_key(pyjamask_key_schedule_t *ks, const unsigned char *key); * \sa pyjamask_128_decrypt() */ void pyjamask_128_encrypt - (const pyjamask_key_schedule_t *ks, unsigned char *output, + (const pyjamask_128_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** @@ -100,7 +129,7 @@ void pyjamask_128_encrypt * \sa pyjamask_128_encrypt() */ void pyjamask_128_decrypt - (const pyjamask_key_schedule_t *ks, unsigned char *output, + (const pyjamask_128_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** @@ -116,7 +145,7 @@ void pyjamask_128_decrypt * \sa pyjamask_96_decrypt() */ void pyjamask_96_encrypt - (const pyjamask_key_schedule_t *ks, unsigned char *output, + (const pyjamask_96_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** @@ -132,17 +161,26 @@ void pyjamask_96_encrypt * \sa pyjamask_96_encrypt() */ void pyjamask_96_decrypt - (const pyjamask_key_schedule_t *ks, unsigned char *output, + (const pyjamask_96_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** - * \brief Sets up the key schedule for the masked Pyjamask block cipher. + * \brief Sets up the key schedule for the masked Pyjamask-128 block cipher. + * + * \param ks The key schedule on output. + * \param key The 16 bytes of the key on input. + */ +void pyjamask_masked_128_setup_key + (pyjamask_masked_128_key_schedule_t *ks, const unsigned char *key); + +/** + * \brief Sets up the key schedule for the masked Pyjamask-96 block cipher. * * \param ks The key schedule on output. * \param key The 16 bytes of the key on input. */ -void pyjamask_masked_setup_key - (pyjamask_masked_key_schedule_t *ks, const unsigned char *key); +void pyjamask_masked_96_setup_key + (pyjamask_masked_96_key_schedule_t *ks, const unsigned char *key); /** * \brief Encrypts a 128-bit block with Pyjamask-128 in masked mode. 
@@ -157,7 +195,7 @@ void pyjamask_masked_setup_key * \sa pyjamask_masked_128_decrypt() */ void pyjamask_masked_128_encrypt - (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + (const pyjamask_masked_128_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** @@ -173,7 +211,7 @@ void pyjamask_masked_128_encrypt * \sa pyjamask_masked_128_encrypt() */ void pyjamask_masked_128_decrypt - (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + (const pyjamask_masked_128_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** @@ -189,7 +227,7 @@ void pyjamask_masked_128_decrypt * \sa pyjamask_masked_96_decrypt() */ void pyjamask_masked_96_encrypt - (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + (const pyjamask_masked_96_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** @@ -205,7 +243,7 @@ void pyjamask_masked_96_encrypt * \sa pyjamask_masked_96_encrypt() */ void pyjamask_masked_96_decrypt - (const pyjamask_masked_key_schedule_t *ks, unsigned char *output, + (const pyjamask_masked_96_key_schedule_t *ks, unsigned char *output, const unsigned char *input); #ifdef __cplusplus diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-util.h b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-util.h +++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/internal-util.h 
@@ -238,6 +238,17 @@
         } \
     } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
             (_temp >> (bits)) | (_temp << (32 - (bits))); \
         }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
  * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask-96.c b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask-96.c index 3361699..37f508d 100644 
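Review bot: The composed-rotation table is 62 hand-written macros with no cross-check, so a single transcription slip (one `rightRotate` too many in, say, `leftRotate12`) would change cipher output only on AVR builds, where test vectors are harder to run. On this reading every entry is correct, but a host-side self-test asserting `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for all N would pin the table against future edits. That test cannot be compiled on a host today because the `@@ -238,6 +238,17 @@` hunk earlier in this file derives `LW_CRYPTO_ROTATE32_COMPOSED` unconditionally from `__AVR__`; wrapping that block in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` would let a build force either path.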
--- a/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask-96.c
+++ b/pyjamask/Implementations/crypto_aead/pyjamask96aeadv1/rhys/pyjamask-96.c
@@ -33,25 +33,12 @@ aead_cipher_t const pyjamask_96_cipher = {
     pyjamask_96_aead_decrypt
 };
 
-/* Double a value in GF(96) */
-static void pyjamask_96_double_l
-    (unsigned char out[12], const unsigned char in[12])
-{
-    unsigned index;
-    unsigned char mask = (unsigned char)(((signed char)in[0]) >> 7);
-    for (index = 0; index < 11; ++index)
-        out[index] = (in[index] << 1) | (in[index + 1] >> 7);
-    out[11] = (in[11] << 1) ^ (mask & 0x41);
-    out[10] ^= (mask & 0x06);
-}
-
 #define OCB_ALG_NAME pyjamask_96
 #define OCB_BLOCK_SIZE 12
 #define OCB_NONCE_SIZE PYJAMASK_96_NONCE_SIZE
 #define OCB_TAG_SIZE PYJAMASK_96_TAG_SIZE
-#define OCB_KEY_SCHEDULE pyjamask_key_schedule_t
-#define OCB_SETUP_KEY pyjamask_setup_key
+#define OCB_KEY_SCHEDULE pyjamask_96_key_schedule_t
+#define OCB_SETUP_KEY pyjamask_96_setup_key
 #define OCB_ENCRYPT_BLOCK pyjamask_96_encrypt
 #define OCB_DECRYPT_BLOCK pyjamask_96_decrypt
-#define OCB_DOUBLE_L pyjamask_96_double_l
 #include "internal-ocb.h"
diff --git a/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/api.h b/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/api.h
new file mode 100644
index 0000000..a4aa567
--- /dev/null
+++ b/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/api.h
@@ -0,0 +1,5 @@
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
diff --git a/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/encrypt.c b/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/encrypt.c
new file mode 100644
index 0000000..4bc24fa
--- /dev/null
+++ b/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/encrypt.c
@@ -0,0 +1,1245 @@ +/* + * Date: 29 November 2018 + * Contact: Thomas Peyrin - thomas.peyrin@gmail.com + * Mustafa Khairallah - mustafam001@e.ntu.edu.sg + */ + +#include "crypto_aead.h" +#include "api.h" +#include "skinny.h" +#include +#include + +void pad (const unsigned char* m, unsigned char* mp, int len8) { + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&mp[0]) = 0; + *(uint32_t*)(&mp[4]) = 0; + *(uint32_t*)(&mp[8]) = 0; + *(uint32_t*)(&mp[12]) = 0; + mp[15] = (len8 & 0x0f); + for (int i = 0; i < len8; i++) { + mp[i] = m[i]; + } + +#else + + mp[0] = 0; + mp[1] = 0; + mp[2] = 0; + mp[3] = 0; + mp[4] = 0; + mp[5] = 0; + mp[6] = 0; + mp[7] = 0; + mp[8] = 0; + mp[9] = 0; + mp[10] = 0; + mp[11] = 0; + mp[12] = 0; + mp[13] = 0; + mp[14] = 0; + mp[15] = (len8 & 0x0f); + for (int i = 0; i < len8; i++) { + mp[i] = m[i]; + } + +#endif + +} + +void g8A (unsigned char* s, unsigned char* c) { + +#ifdef ___ENABLE_WORD_CAST + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t c0, c1, c2, c3; + + c0 = ((s0 >> 1) & 0x7f7f7f7f) ^ ((s0 ^ (s0 << 7)) & 0x80808080); + c1 = ((s1 >> 1) & 0x7f7f7f7f) ^ ((s1 ^ (s1 << 7)) & 0x80808080); + c2 = ((s2 >> 1) & 0x7f7f7f7f) ^ ((s2 ^ (s2 << 7)) & 0x80808080); + c3 = ((s3 >> 1) & 0x7f7f7f7f) ^ ((s3 ^ (s3 << 7)) & 0x80808080); + + *(uint32_t*)(&c[0]) = c0; + *(uint32_t*)(&c[4]) = c1; + *(uint32_t*)(&c[8]) = c2; + *(uint32_t*)(&c[12]) = c3; + +#else + + uint32_t s0, s1, s2, s3; + uint32_t c0, c1, c2, c3; + + pack_word(s[0], s[1], s[2], s[3], s0); + pack_word(s[4], s[5], s[6], s[7], s1); + pack_word(s[8], s[9], s[10], s[11], s2); + pack_word(s[12], s[13], s[14], s[15], s3); + + c0 = ((s0 >> 1) & 0x7f7f7f7f) ^ ((s0 ^ (s0 << 7)) & 0x80808080); + c1 = ((s1 >> 1) & 0x7f7f7f7f) ^ ((s1 ^ (s1 << 7)) & 0x80808080); + c2 = ((s2 >> 1) & 0x7f7f7f7f) ^ ((s2 ^ (s2 << 7)) & 0x80808080); + c3 = ((s3 >> 1) & 0x7f7f7f7f) ^ ((s3 ^ (s3 << 7)) & 0x80808080); 
+ + unpack_word(c[0], c[1], c[2], c[3], c0); + unpack_word(c[4], c[5], c[6], c[7], c1); + unpack_word(c[8], c[9], c[10], c[11], c2); + unpack_word(c[12], c[13], c[14], c[15], c3); + +#endif + +} + +#ifdef ___ENABLE_WORD_CAST + +void g8A_for_Tag_Generation (unsigned char* s, unsigned char* c) { + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t c0, c1, c2, c3; + + c0 = ((s0 >> 1) & 0x7f7f7f7f) ^ ((s0 ^ (s0 << 7)) & 0x80808080); + c1 = ((s1 >> 1) & 0x7f7f7f7f) ^ ((s1 ^ (s1 << 7)) & 0x80808080); + c2 = ((s2 >> 1) & 0x7f7f7f7f) ^ ((s2 ^ (s2 << 7)) & 0x80808080); + c3 = ((s3 >> 1) & 0x7f7f7f7f) ^ ((s3 ^ (s3 << 7)) & 0x80808080); + + // use byte access because of memory alignment. + // c is not always in word(4 byte) alignment. + c[0] = c0 &0xFF; + c[1] = (c0>>8) &0xFF; + c[2] = (c0>>16)&0xFF; + c[3] = c0>>24; + c[4] = c1 &0xFF; + c[5] = (c1>>8) &0xFF; + c[6] = (c1>>16)&0xFF; + c[7] = c1>>24; + c[8] = c2 &0xFF; + c[9] = (c2>>8) &0xFF; + c[10] = (c2>>16)&0xFF; + c[11] = c2>>24; + c[12] = c3 &0xFF; + c[13] = (c3>>8) &0xFF; + c[14] = (c3>>16)&0xFF; + c[15] = c3>>24; + +} + +#endif + +#define rho_ad_eqov16_macro(i) \ + s[i] = s[i] ^ m[i]; + +void rho_ad_eqov16 ( + const unsigned char* m, + unsigned char* s) { + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&m[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&m[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&m[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&m[12]); + +#else + + rho_ad_eqov16_macro(0); + rho_ad_eqov16_macro(1); + rho_ad_eqov16_macro(2); + rho_ad_eqov16_macro(3); + rho_ad_eqov16_macro(4); + rho_ad_eqov16_macro(5); + rho_ad_eqov16_macro(6); + rho_ad_eqov16_macro(7); + rho_ad_eqov16_macro(8); + rho_ad_eqov16_macro(9); + rho_ad_eqov16_macro(10); + rho_ad_eqov16_macro(11); + rho_ad_eqov16_macro(12); + rho_ad_eqov16_macro(13); + rho_ad_eqov16_macro(14); + rho_ad_eqov16_macro(15); + +#endif + +} + 
+#define rho_ad_ud16_macro(i) \ + s[i] = s[i] ^ mp[i]; + +void rho_ad_ud16 ( + const unsigned char* m, + unsigned char* s, + int len8) { + + unsigned char mp [16]; + pad(m,mp,len8); + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&mp[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&mp[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&mp[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&mp[12]); + +#else + + rho_ad_ud16_macro(0); + rho_ad_ud16_macro(1); + rho_ad_ud16_macro(2); + rho_ad_ud16_macro(3); + rho_ad_ud16_macro(4); + rho_ad_ud16_macro(5); + rho_ad_ud16_macro(6); + rho_ad_ud16_macro(7); + rho_ad_ud16_macro(8); + rho_ad_ud16_macro(9); + rho_ad_ud16_macro(10); + rho_ad_ud16_macro(11); + rho_ad_ud16_macro(12); + rho_ad_ud16_macro(13); + rho_ad_ud16_macro(14); + rho_ad_ud16_macro(15); + +#endif + +} + +void rho_eqov16 ( + const unsigned char* m, + unsigned char* c, + unsigned char* s) { + + g8A(s,c); + +#ifdef ___ENABLE_WORD_CAST + + uint32_t c0 = *(uint32_t*)(&c[0]); + uint32_t c1 = *(uint32_t*)(&c[4]); + uint32_t c2 = *(uint32_t*)(&c[8]); + uint32_t c3 = *(uint32_t*)(&c[12]); + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t m0 = *(uint32_t*)(&m[0]); + uint32_t m1 = *(uint32_t*)(&m[4]); + uint32_t m2 = *(uint32_t*)(&m[8]); + uint32_t m3 = *(uint32_t*)(&m[12]); + + s0 ^= m0; + s1 ^= m1; + s2 ^= m2; + s3 ^= m3; + + c0 ^= m0; + c1 ^= m1; + c2 ^= m2; + c3 ^= m3; + + *(uint32_t*)(&s[0]) = s0; + *(uint32_t*)(&s[4]) = s1; + *(uint32_t*)(&s[8]) = s2; + *(uint32_t*)(&s[12]) = s3; + + *(uint32_t*)(&c[0]) = c0; + *(uint32_t*)(&c[4]) = c1; + *(uint32_t*)(&c[8]) = c2; + *(uint32_t*)(&c[12]) = c3; + +#else + + uint32_t c0, c1, c2, c3; + uint32_t s0, s1, s2, s3; + uint32_t m0, m1, m2, m3; + + pack_word(m[0], m[1], m[2], m[3], m0); + pack_word(m[4], m[5], m[6], m[7], m1); + pack_word(m[8], m[9], m[10], m[11], m2); + pack_word(m[12], m[13], m[14], m[15], m3); 
+ + pack_word(s[0], s[1], s[2], s[3], s0); + pack_word(s[4], s[5], s[6], s[7], s1); + pack_word(s[8], s[9], s[10], s[11], s2); + pack_word(s[12], s[13], s[14], s[15], s3); + + pack_word(c[0], c[1], c[2], c[3], c0); + pack_word(c[4], c[5], c[6], c[7], c1); + pack_word(c[8], c[9], c[10], c[11], c2); + pack_word(c[12], c[13], c[14], c[15], c3); + + s0 ^= m0; + s1 ^= m1; + s2 ^= m2; + s3 ^= m3; + + c0 ^= m0; + c1 ^= m1; + c2 ^= m2; + c3 ^= m3; + + unpack_word(s[0], s[1], s[2], s[3], s0); + unpack_word(s[4], s[5], s[6], s[7], s1); + unpack_word(s[8], s[9], s[10], s[11], s2); + unpack_word(s[12], s[13], s[14], s[15], s3); + + unpack_word(c[0], c[1], c[2], c[3], c0); + unpack_word(c[4], c[5], c[6], c[7], c1); + unpack_word(c[8], c[9], c[10], c[11], c2); + unpack_word(c[12], c[13], c[14], c[15], c3); + +#endif + +} + +#define rho_ud16_macro(i) \ + s[i] = s[i] ^ mp[i]; + +void rho_ud16 ( + const unsigned char* m, + unsigned char* c, + unsigned char* s, + int len8) { + + unsigned char mp [16]; + + pad(m,mp,len8); + + g8A(s,c); +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&mp[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&mp[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&mp[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&mp[12]); + + for (int i = 0; i < 16; i++) { + if (i < len8) { + c[i] = c[i] ^ mp[i]; + } + else { + c[i] = 0; + } + } + +#else + + rho_ud16_macro(0); + rho_ud16_macro(1); + rho_ud16_macro(2); + rho_ud16_macro(3); + rho_ud16_macro(4); + rho_ud16_macro(5); + rho_ud16_macro(6); + rho_ud16_macro(7); + rho_ud16_macro(8); + rho_ud16_macro(9); + rho_ud16_macro(10); + rho_ud16_macro(11); + rho_ud16_macro(12); + rho_ud16_macro(13); + rho_ud16_macro(14); + rho_ud16_macro(15); + + for (int i = 0; i < 16; i++) { + if (i < len8) { + c[i] = c[i] ^ mp[i]; + } + else { + c[i] = 0; + } + } + +#endif + +} + +void irho_eqov16 ( + unsigned char* m, + const unsigned char* c, + unsigned char* s) { + + g8A(s,m); + +#ifdef ___ENABLE_WORD_CAST + + uint32_t c0 = 
*(uint32_t*)(&c[0]); + uint32_t c1 = *(uint32_t*)(&c[4]); + uint32_t c2 = *(uint32_t*)(&c[8]); + uint32_t c3 = *(uint32_t*)(&c[12]); + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t m0 = *(uint32_t*)(&m[0]); + uint32_t m1 = *(uint32_t*)(&m[4]); + uint32_t m2 = *(uint32_t*)(&m[8]); + uint32_t m3 = *(uint32_t*)(&m[12]); + + s0 ^= c0 ^ m0; + s1 ^= c1 ^ m1; + s2 ^= c2 ^ m2; + s3 ^= c3 ^ m3; + + m0 ^= c0; + m1 ^= c1; + m2 ^= c2; + m3 ^= c3; + + *(uint32_t*)(&s[0]) = s0; + *(uint32_t*)(&s[4]) = s1; + *(uint32_t*)(&s[8]) = s2; + *(uint32_t*)(&s[12]) = s3; + + *(uint32_t*)(&m[0]) = m0; + *(uint32_t*)(&m[4]) = m1; + *(uint32_t*)(&m[8]) = m2; + *(uint32_t*)(&m[12]) = m3; + +#else + + uint32_t c0, c1, c2, c3; + uint32_t s0, s1, s2, s3; + uint32_t m0, m1, m2, m3; + + pack_word(m[0], m[1], m[2], m[3], m0); + pack_word(m[4], m[5], m[6], m[7], m1); + pack_word(m[8], m[9], m[10], m[11], m2); + pack_word(m[12], m[13], m[14], m[15], m3); + + pack_word(s[0], s[1], s[2], s[3], s0); + pack_word(s[4], s[5], s[6], s[7], s1); + pack_word(s[8], s[9], s[10], s[11], s2); + pack_word(s[12], s[13], s[14], s[15], s3); + + pack_word(c[0], c[1], c[2], c[3], c0); + pack_word(c[4], c[5], c[6], c[7], c1); + pack_word(c[8], c[9], c[10], c[11], c2); + pack_word(c[12], c[13], c[14], c[15], c3); + + s0 ^= c0 ^ m0; + s1 ^= c1 ^ m1; + s2 ^= c2 ^ m2; + s3 ^= c3 ^ m3; + + m0 ^= c0; + m1 ^= c1; + m2 ^= c2; + m3 ^= c3; + + unpack_word(s[0], s[1], s[2], s[3], s0); + unpack_word(s[4], s[5], s[6], s[7], s1); + unpack_word(s[8], s[9], s[10], s[11], s2); + unpack_word(s[12], s[13], s[14], s[15], s3); + + unpack_word(m[0], m[1], m[2], m[3], m0); + unpack_word(m[4], m[5], m[6], m[7], m1); + unpack_word(m[8], m[9], m[10], m[11], m2); + unpack_word(m[12], m[13], m[14], m[15], m3); + +#endif + +} + +#define irho_ud16_macro(i) \ + s[i] = s[i] ^ cp[i]; + +void irho_ud16 ( + unsigned char* m, + const unsigned 
char* c, + unsigned char* s, + int len8) { + + unsigned char cp [16]; + + pad(c,cp,len8); + + g8A(s,m); + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&cp[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&cp[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&cp[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&cp[12]); + + for (int i = 0; i < len8; i++) { + s[i] ^= m[i]; + } + + for (int i = 0; i < 16; i++) { + if (i < len8) { + m[i] = m[i] ^ cp[i]; + } + else { + m[i] = 0; + } + } + +#else + + irho_ud16_macro(0); + irho_ud16_macro(1); + irho_ud16_macro(2); + irho_ud16_macro(3); + irho_ud16_macro(4); + irho_ud16_macro(5); + irho_ud16_macro(6); + irho_ud16_macro(7); + irho_ud16_macro(8); + irho_ud16_macro(9); + irho_ud16_macro(10); + irho_ud16_macro(11); + irho_ud16_macro(12); + irho_ud16_macro(13); + irho_ud16_macro(14); + irho_ud16_macro(15); + + for (int i = 0; i < len8; i++) { + s[i] ^= m[i]; + } + + for (int i = 0; i < 16; i++) { + if (i < len8) { + m[i] = m[i] ^ cp[i]; + } + else { + m[i] = 0; + } + } + +#endif + +} + +void reset_lfsr_gf56 (unsigned char* CNT) { + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&CNT[0]) = 0x00000001; // CNT3 CNT2 CNT1 CNT0 + *(uint32_t*)(&CNT[4]) = 0x00000000; // CNT7 CNT6 CNT5 CNT4 + +#else + + CNT[0] = 0x01; + CNT[1] = 0x00; + CNT[2] = 0x00; + CNT[3] = 0x00; + CNT[4] = 0x00; + CNT[5] = 0x00; + CNT[6] = 0x00; + +#endif + +} + +void lfsr_gf56 (unsigned char* CNT) { + +#ifdef ___ENABLE_WORD_CAST + + uint32_t C0; + uint32_t C1; + uint32_t fb0; + + C0 = *(uint32_t*)(&CNT[0]); // CNT3 CNT2 CNT1 CNT0 + C1 = *(uint32_t*)(&CNT[4]); // CNT7 CNT6 CNT5 CNT4 + + fb0 = 0; + if (CNT[6] & 0x80) { + fb0 = 0x95; + } + + C1 = C1 << 1 | C0 >> 31; + C0 = C0 << 1 ^ fb0; + + *(uint32_t*)(&CNT[0]) = C0; + *(uint32_t*)(&CNT[4]) = C1; + +#else + + uint32_t fb0 = CNT[6] >> 7; + + CNT[6] = (CNT[6] << 1) | (CNT[5] >> 7); + CNT[5] = (CNT[5] << 1) | (CNT[4] >> 7); + CNT[4] = (CNT[4] << 1) | (CNT[3] >> 7); + CNT[3] = (CNT[3] << 1) | (CNT[2] >> 7); + 
CNT[2] = (CNT[2] << 1) | (CNT[1] >> 7); + CNT[1] = (CNT[1] << 1) | (CNT[0] >> 7); + if (fb0 == 1) { + CNT[0] = (CNT[0] << 1) ^ 0x95; + } + else { + CNT[0] = (CNT[0] << 1); + } + +#endif + +} + +void block_cipher( + unsigned char* s, + const unsigned char* k, unsigned char* T, + unsigned char* CNT, unsigned char D, + skinny_ctrl* p_skinny_ctrl) { + + CNT[7] = D; + p_skinny_ctrl->func_skinny_128_384_enc(s, p_skinny_ctrl, CNT, T, k); + +} + +void nonce_encryption ( + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + skinny_ctrl* p_skinny_ctrl) { + + block_cipher(s,k,(unsigned char*)N,CNT,D,p_skinny_ctrl); + +} + +void generate_tag ( + unsigned char** c, unsigned char* s, + unsigned long long* clen) { + +#ifdef ___ENABLE_WORD_CAST + + g8A_for_Tag_Generation(s, *c); + +#else + + g8A(s, *c); + +#endif + *c = *c + 16; + *c = *c - *clen; + +} + +unsigned long long msg_encryption ( + const unsigned char** M, unsigned char** c, + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long mlen, + skinny_ctrl* l_skinny_ctrl) { + + int len8; + + if (mlen >= 16) { + len8 = 16; + mlen = mlen - 16; + rho_eqov16(*M, *c, s); + } + else { + len8 = mlen; + mlen = 0; + rho_ud16(*M, *c, s, len8); + } + *c = *c + len8; + *M = *M + len8; + lfsr_gf56(CNT); + if (mlen != 0) { + nonce_encryption(N,CNT,s,k,D,l_skinny_ctrl); + } + return mlen; + +} + +unsigned long long msg_decryption ( + unsigned char** M, const unsigned char** c, + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long clen, + skinny_ctrl* l_skinny_ctrl) { + + int len8; + + if (clen >= 16) { + len8 = 16; + clen = clen - 16; + irho_eqov16(*M, *c, s); + } + else { + len8 = clen; + clen = 0; + irho_ud16(*M, *c, s, len8); + } + *c = *c + len8; + *M = *M + len8; + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,D,l_skinny_ctrl); + 
return clen; + +} + +unsigned long long ad2msg_encryption ( + const unsigned char** M, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long mlen, + skinny_ctrl* l_skinny_ctrl) { + + unsigned char T [16]; + int len8; + + if (mlen <= 16) { + len8 = mlen; + mlen = 0; + } + else { + len8 = 16; + mlen = mlen - 16; + } + + pad (*M,T,len8); + block_cipher(s,k,T,CNT,D,l_skinny_ctrl); + lfsr_gf56(CNT); + *M = *M + len8; + + return mlen; + +} + +unsigned long long ad_encryption ( + const unsigned char** A, unsigned char* s, + const unsigned char* k, unsigned long long adlen, + unsigned char* CNT, + unsigned char D, + skinny_ctrl* l_skinny_ctrl) { + + unsigned char T [16]; + int len8; + + if (adlen >= 16) { + len8 = 16; + adlen = adlen - 16; + + rho_ad_eqov16(*A, s); + } + else { + len8 = adlen; + adlen = 0; + rho_ad_ud16(*A, s, len8); + } + *A = *A + len8; + lfsr_gf56(CNT); + if (adlen != 0) { + if (adlen >= 16) { + len8 = 16; + adlen = adlen - 16; + } + else { + len8 = adlen; + adlen = 0; + } + pad(*A, T, len8); + *A = *A + len8; + block_cipher(s,k,T,CNT,D,l_skinny_ctrl); + lfsr_gf56(CNT); + } + + return adlen; + +} + +int crypto_aead_encrypt ( + unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, + const unsigned char* npub, + const unsigned char* k) { + + unsigned char s[16]; + unsigned char CNT[8]; + unsigned char T[16]; + const unsigned char* N; + unsigned char w; + unsigned long long xlen; + + skinny_ctrl l_skinny_ctrl; + l_skinny_ctrl.func_skinny_128_384_enc = skinny_128_384_enc123_12; + + (void)nsec; + N = npub; + + xlen = mlen; + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) = 0; + *(uint32_t*)(&s[4]) = 0; + *(uint32_t*)(&s[8]) = 0; + *(uint32_t*)(&s[12]) = 0; + +#else + + s[0] = 0; + s[1] = 0; + s[2] = 0; + s[3] = 0; + s[4] = 0; + s[5] = 0; + s[6] = 0; + s[7] = 0; + s[8] = 0; + s[9] = 
0; + s[10] = 0; + s[11] = 0; + s[12] = 0; + s[13] = 0; + s[14] = 0; + s[15] = 0; + +#endif + + reset_lfsr_gf56(CNT); + + w = 48; + + if (adlen == 0) { + w = w ^ 2; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else if (adlen%(32) == 0) { + w = w ^ 8; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else if (adlen%(32) < 16) { + w = w ^ 2; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else if (adlen%(32) == 16) { + w = w ^ 0; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else { + w = w ^ 10; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + + if (adlen == 0) { // AD is an empty string + lfsr_gf56(CNT); + } + else while (adlen > 0) { + adlen = ad_encryption(&ad,s,k,adlen,CNT,40,&l_skinny_ctrl); + } + + if ((w & 8) == 0) { + xlen = ad2msg_encryption (&m,CNT,s,k,44,xlen,&l_skinny_ctrl); + } + else if (mlen == 0) { + lfsr_gf56(CNT); + } + while (xlen > 0) { + xlen = ad_encryption(&m,s,k,xlen,CNT,44,&l_skinny_ctrl); + } + nonce_encryption(N,CNT,s,k,w,&l_skinny_ctrl); + + // Tag generation + g8A(s, T); + + m = m - mlen; + + l_skinny_ctrl.func_skinny_128_384_enc = skinny_128_384_enc1_1; + + reset_lfsr_gf56(CNT); + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) = *(uint32_t*)(&T[0]); + 
*(uint32_t*)(&s[4]) = *(uint32_t*)(&T[4]); + *(uint32_t*)(&s[8]) = *(uint32_t*)(&T[8]); + *(uint32_t*)(&s[12]) = *(uint32_t*)(&T[12]); + +#else + + s[0] = T[0]; + s[1] = T[1]; + s[2] = T[2]; + s[3] = T[3]; + s[4] = T[4]; + s[5] = T[5]; + s[6] = T[6]; + s[7] = T[7]; + s[8] = T[8]; + s[9] = T[9]; + s[10] = T[10]; + s[11] = T[11]; + s[12] = T[12]; + s[13] = T[13]; + s[14] = T[14]; + s[15] = T[15]; + +#endif + + *clen = mlen + 16; + + if (mlen > 0) { + nonce_encryption(N,CNT,s,k,36,&l_skinny_ctrl); + while (mlen > 16) { + mlen = msg_encryption(&m,&c,N,CNT,s,k,36,mlen,&l_skinny_ctrl); + } + rho_ud16(m, c, s, mlen); + c = c + mlen; + m = m + mlen; + } + + // Tag Concatenation + c[0] = T[0]; + c[1] = T[1]; + c[2] = T[2]; + c[3] = T[3]; + c[4] = T[4]; + c[5] = T[5]; + c[6] = T[6]; + c[7] = T[7]; + c[8] = T[8]; + c[9] = T[9]; + c[10] = T[10]; + c[11] = T[11]; + c[12] = T[12]; + c[13] = T[13]; + c[14] = T[14]; + c[15] = T[15]; + + c = c - *clen; + + return 0; + +} + +int crypto_aead_decrypt( + unsigned char *m,unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c,unsigned long long clen, + const unsigned char *ad,unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) { + + unsigned char s[16]; + unsigned char CNT[8]; + unsigned char T[16]; + const unsigned char* N; + unsigned char w; + unsigned long long xlen; + const unsigned char* mauth; + unsigned char* p1; + unsigned char* p2; + + skinny_ctrl l_skinny_ctrl; + l_skinny_ctrl.func_skinny_128_384_enc = skinny_128_384_enc123_12; + + (void)nsec; + mauth = m; + + N = npub; + + xlen = clen-16; + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) = 0; + *(uint32_t*)(&s[4]) = 0; + *(uint32_t*)(&s[8]) = 0; + *(uint32_t*)(&s[12]) = 0; + +#else + + s[0] = 0; + s[1] = 0; + s[2] = 0; + s[3] = 0; + s[4] = 0; + s[5] = 0; + s[6] = 0; + s[7] = 0; + s[8] = 0; + s[9] = 0; + s[10] = 0; + s[11] = 0; + s[12] = 0; + s[13] = 0; + s[14] = 0; + s[15] = 0; + +#endif + + reset_lfsr_gf56(CNT); + + w = 48; 
+ + if (adlen == 0) { + w = w ^ 2; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else if (adlen%(32) == 0) { + w = w ^ 8; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else if (adlen%(32) < 16) { + w = w ^ 2; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else if (adlen%(32) == 16) { + w = w ^ 0; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else { + w = w ^ 10; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + + if (adlen == 0) { // AD is an empty string + lfsr_gf56(CNT); + } + else while (adlen > 0) { + adlen = ad_encryption(&ad,s,k,adlen,CNT,40,&l_skinny_ctrl); + } + + if ((w & 8) == 0) { + xlen = ad2msg_encryption (&mauth,CNT,s,k,44,xlen,&l_skinny_ctrl); + } + else if (clen == 0) { + lfsr_gf56(CNT); + } + while (xlen > 0) { + xlen = ad_encryption(&mauth,s,k,xlen,CNT,44,&l_skinny_ctrl); + } + nonce_encryption(N,CNT,s,k,w,&l_skinny_ctrl); + + // Tag generation + g8A(s, T); + + l_skinny_ctrl.func_skinny_128_384_enc = skinny_128_384_enc1_1; + + reset_lfsr_gf56(CNT); + + p1 = T; + p2 = (unsigned char*)&c[clen - 16]; + + p1[0] = p2[0]; + p1[1] = p2[1]; + p1[2] = p2[2]; + p1[3] = p2[3]; + p1[4] = p2[4]; + p1[5] = p2[5]; + p1[6] = p2[6]; + p1[7] = p2[7]; + p1[8] = p2[8]; + p1[9] = p2[9]; + 
p1[10] = p2[10]; + p1[11] = p2[11]; + p1[12] = p2[12]; + p1[13] = p2[13]; + p1[14] = p2[14]; + p1[15] = p2[15]; + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) = *(uint32_t*)(&T[0]); + *(uint32_t*)(&s[4]) = *(uint32_t*)(&T[4]); + *(uint32_t*)(&s[8]) = *(uint32_t*)(&T[8]); + *(uint32_t*)(&s[12]) = *(uint32_t*)(&T[12]); + +#else + + s[0] = T[0]; + s[1] = T[1]; + s[2] = T[2]; + s[3] = T[3]; + s[4] = T[4]; + s[5] = T[5]; + s[6] = T[6]; + s[7] = T[7]; + s[8] = T[8]; + s[9] = T[9]; + s[10] = T[10]; + s[11] = T[11]; + s[12] = T[12]; + s[13] = T[13]; + s[14] = T[14]; + s[15] = T[15]; + +#endif + + clen = clen - 16; + *mlen = clen; + + if (clen > 0) { + nonce_encryption(N,CNT,s,k,36,&l_skinny_ctrl); + + l_skinny_ctrl.func_skinny_128_384_enc = skinny_128_384_enc1_1; + + while (clen > 16) { + clen = msg_decryption(&m,&c,N,CNT,s,k,36,clen,&l_skinny_ctrl); + } + irho_ud16(m, c, s, clen); + c = c + clen; + m = m + clen; + } + + for (int i = 0; i < 16; i++) { + if (T[i] != (*(c+i))) { + return -1; + } + } + + return 0; + +} diff --git a/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/skinny.h b/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/skinny.h new file mode 100644 index 0000000..d9f4a34 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/skinny.h 
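Review bot: irho_ud16 writes a whole 16-byte block to its output even for a partial final block — `g8A(s,m);` fills m[0..15] and the closing loop stores `m[i] = 0;` for every i >= len8 — so for a plaintext length that is not a multiple of 16, crypto_aead_decrypt writes 16 - (*mlen % 16) bytes past the end of an output buffer sized exactly *mlen; the matching overrun in rho_ud16 on the encryption side lands in the 16 tag bytes of c that are overwritten afterwards, so only the decryption side needs a fix, e.g. running g8A into a local `unsigned char tmp[16]` and copying only len8 bytes of the combined result to m. crypto_aead_decrypt also never rejects clen < 16, in which case `xlen = clen-16;` wraps to a huge count and `p2 = (unsigned char*)&c[clen - 16];` points before the buffer; add `if (clen < 16) return -1;` ahead of `xlen = clen-16;`. The tag comparison at the end returns on the first mismatching byte, so its running time reveals how many leading tag bytes matched; accumulate instead, `unsigned char diff = 0; for (int i = 0; i < 16; i++) { diff |= T[i] ^ c[i]; } return diff ? -1 : 0;`, and consider clearing the plaintext already written to the output on that failure path. The ___ENABLE_WORD_CAST paths in pad, g8A, the rho_*/irho_* helpers, reset_lfsr_gf56, lfsr_gf56 and both crypto_aead_* functions access caller-supplied `unsigned char*` buffers through `uint32_t*` casts, which is only well-defined on targets that tolerate unaligned little-endian word access and relaxed aliasing; g8A_for_Tag_Generation notes this for its output pointer, and since none of the other casts carries such a note the target assumption deserves a comment at the top of the file.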
@@ -0,0 +1,69 @@
+#define ___SKINNY_LOOP
+//#define ___NUM_OF_ROUNDS_56
+#define ___ENABLE_WORD_CAST
+
+#include
+
+typedef struct ___skinny_ctrl {
+#ifdef ___NUM_OF_ROUNDS_56
+ uint32_t roundKeys[240]; // number of rounds : 56
+#else
+ uint32_t roundKeys[176]; // number of rounds : 40
+#endif
+ void (*func_skinny_128_384_enc)(unsigned char*, struct ___skinny_ctrl*, unsigned char* CNT, unsigned char* T, const unsigned char* K);
+} skinny_ctrl;
+
+extern void skinny_128_384_enc123_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K);
+extern void skinny_128_384_enc12_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K);
+extern void skinny_128_384_enc1_1 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K);
+
+#define pack_word(x0, x1, x2, x3, w) \
+ w = ((x3) << 24) ^ \
+ ((x2) << 16) ^ \
+ ((x1) << 8) ^ \
+ (x0);
+
+#define unpack_word(x0, x1, x2, x3, w) \
+ x0 = ((w) & 0xff); \
+ x1 = (((w) >> 8) & 0xff); \
+ x2 = (((w) >> 16) & 0xff); \
+ x3 = ((w) >> 24);
+
+#define PERMUTATION() \
+/* permutation */ \
+ \
+ /* 7 6 5 4 3 2 1 0 */ \
+ /* 5 7 2 3 6 0 4 1 */ \
+ \
+ /* w0 (3 2 1 0) */ \
+ /* w1 (7 6 5 4) */ \
+ \
+ /* w0 (6 0 4 1) */ \
+ /* w1 (5 7 2 3) */ \
+ \
+ t0 = w1 << 8; /* 6 5 4 - */ \
+ t0 = t0 & 0xff00ff00; /* 6 - 4 - */ \
+ \
+ t1 = w1 << 16; /* 5 4 - - */ \
+ t1 = t1 & 0xff000000; /* 5 - - - */ \
+ \
+ t2 = w1 & 0xff000000; /* 7 - - - */ \
+ t2 = t2 >> 8; /* - 7 - - */ \
+ t1 = t1 ^ t2; /* 5 7 - - */ \
+ \
+ t2 = w0 & 0xff000000; /* 3 - - - */ \
+ t2 = t2 >> 24; /* - - - 3 */ \
+ t1 = t1 ^ t2; /* 5 7 - 3 */ \
+ \
+ w1 = w0 >> 8; /* - 3 2 1 */ \
+ w1 = w1 & 0x0000ff00; /* - - 2 - */ \
+ w1 = w1 ^ t1; /* 5 7 2 3 */ \
+ \
+ t2 = w0 & 0x0000ff00; /* - - 1 - */ \
+ t2 = t2 >> 8; /* - - - 1 */ \
+ t0 = t0 ^ t2; /* 6 - 4 1 */ \
+ \
+ w0 = w0 << 16; /* 1 0 - - */ \
+ w0 = w0 & 0x00ff0000; /* - 0 - - */ \
+ w0 = w0 ^ t0; /* 6 0 4 1 */
+
diff --git a/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/skinny_key_schedule2.c b/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/skinny_key_schedule2.c
new file mode 100644
index 0000000..923d4b8
--- /dev/null
+++ b/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/skinny_key_schedule2.c
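Review bot: `pack_word` promotes its `unsigned char` operands to `int` before shifting, so `((x3) << 24)` with x3 >= 0x80 shifts into the sign bit on a 32-bit int target, which is undefined behaviour in C; cast each operand first, `w = ((uint32_t)(x3) << 24) ^ ((uint32_t)(x2) << 16) ^ ((uint32_t)(x1) << 8) ^ (x0);`. That macro is only reached on the `#else` side of `___ENABLE_WORD_CAST` in encrypt.c, which this header currently defines, so the defect is latent until the word-cast build is switched off. The header has no include guard although encrypt.c and each skinny_*.c include it; wrap it in `#ifndef SKINNY_H` / `#define SKINNY_H` / `#endif`. Identifiers such as `___SKINNY_LOOP`, `___ENABLE_WORD_CAST` and `___skinny_ctrl` begin with underscores and fall in the namespace reserved for the implementation; a project prefix like `ROMULUS_` would be safe. The `#include` on line 5 has lost its header name in this rendering, presumably `<stdint.h>` for uint32_t.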
@@ -0,0 +1,227 @@
+/******************************************************************************
+ * Copyright (c) 2020, NEC Corporation.
+ *
+ * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND.
+ *
+ *****************************************************************************/
+
+/*
+ * SKINNY-128-384
+ *
+ * load * AC(c0 c1) ^ TK3
+ * calc AC(c0 c1) ^ TK2 -> store
+ * ART(TK2)
+ *
+ * number of rounds : 40 or 56
+ */
+
+#include "skinny.h"
+
+#define PERMUTATION_TK2() \
+ \
+ /* permutation */ \
+ \
+ PERMUTATION() \
+ \
+ /* LFSR(for TK2) (x7 x6 x5 x4 x3 x2 x1 x0) -> (x6 x5 x4 x3 x2 x1 x0 x7^x5) */ \
+ w0 = ((w0 << 1) & 0xfefefefe) ^ \
+ (((w0 >> 7) ^ (w0 >> 5)) & 0x01010101); \
+ w1 = ((w1 << 1) & 0xfefefefe) ^ \
+ (((w1 >> 7) ^ (w1 >> 5)) & 0x01010101); \
+ \
+ /* Load TK3 */ \
+ /* TK2^TK3^AC(c0 c1) */ \
+ /* store */ \
+ *tk2++ = w0 ^ *tk3++; \
+ *tk2++ = w1 ^ *tk3++; \
+ tk2 += 2; \
+ tk3 += 2;
+
+#ifndef ___SKINNY_LOOP
+
+void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys)
+{
+ uint32_t* tk2; // used in MACRO
+ uint32_t* tk3; // used in MACRO
+ uint32_t t0; // used in MACRO
+ uint32_t t1; // used in MACRO
+ uint32_t t2; // used in MACRO
+ uint32_t w0;
+ uint32_t w1;
+
+ // odd
+
+ // load master key
+ w0 = roundKeys[4];
+ w1 = roundKeys[5];
+
+ tk2 = &roundKeys[16];
+#ifndef ___NUM_OF_ROUNDS_56
+ tk3 = &roundKeys[96];
+#else
+ tk3 = &roundKeys[128];
+#endif
+
+ // 1st round
+ *tk2++ = w0 ^ *tk3++;
+ *tk2++ = w1 ^ *tk3++;
+
+ tk2 += 2;
+ tk3 += 2;
+
+ // 3rd,5th, ... ,37th,39th round
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+
+#ifdef ___NUM_OF_ROUNDS_56
+
+ // 41th,43th, ... ,51th,53th round
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+
+#endif
+
+ // even
+
+ // load master key
+ w0 = roundKeys[6];
+ w1 = roundKeys[7];
+
+ tk2 = &roundKeys[18];
+#ifndef ___NUM_OF_ROUNDS_56
+ tk3 = &roundKeys[98];
+#else
+ tk3 = &roundKeys[130];
+#endif
+
+ // 2nd,4th, ... ,54th,56th round
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+
+#ifdef ___NUM_OF_ROUNDS_56
+
+ // 42nd,44th, ... ,54th,56th round
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+ PERMUTATION_TK2();
+
+#endif
+
+}
+
+#else
+
+void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys)
+{
+ uint32_t* tk2; // used in MACRO
+ uint32_t* tk3; // used in MACRO
+ uint32_t t0; // used in MACRO
+ uint32_t t1; // used in MACRO
+ uint32_t t2; // used in MACRO
+ uint32_t w0;
+ uint32_t w1;
+
+ // odd
+
+ // load master key
+ w0 = roundKeys[4];
+ w1 = roundKeys[5];
+
+ tk2 = &roundKeys[16];
+#ifndef ___NUM_OF_ROUNDS_56
+ tk3 = &roundKeys[96];
+#else
+ tk3 = &roundKeys[128];
+#endif
+
+ // 1st round
+ *tk2++ = w0 ^ *tk3++;
+ *tk2++ = w1 ^ *tk3++;
+
+ tk2 += 2;
+ tk3 += 2;
+
+ // 3rd,5th, ...
+#ifndef ___NUM_OF_ROUNDS_56
+ for(int i=0;i<19;i++)
+#else
+ for(int i=0;i<27;i++)
+#endif
+ {
+ PERMUTATION_TK2();
+ }
+
+ // even
+
+ // load master key
+ w0 = roundKeys[6];
+ w1 = roundKeys[7];
+
+ tk2 = &roundKeys[18];
+#ifndef ___NUM_OF_ROUNDS_56
+ tk3 = &roundKeys[98];
+#else
+ tk3 = &roundKeys[130];
+#endif
+
+ // 2nd,4th, ...
+#ifndef ___NUM_OF_ROUNDS_56
+ for(int i=0;i<20;i++)
+#else
+ for(int i=0;i<28;i++)
+#endif
+ {
+ PERMUTATION_TK2();
+ }
+
+}
+
+#endif
diff --git a/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/skinny_key_schedule3.c b/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/skinny_key_schedule3.c
new file mode 100644
index 0000000..39254a6
--- /dev/null
+++ b/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/skinny_key_schedule3.c
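Review bot: Neither variant of `RunEncryptionKeyScheduleTK2` is declared in skinny.h, which only declares the three `skinny_128_384_enc*` functions, so a caller in another translation unit (presumably skinny_main.c) would rely on an implicit declaration, which C99 removed; add `extern void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys);` beside the other externs. The roundKeys layout the function assumes — master TK2 words at [4..7], TK2 round keys from [16], TK3 round keys from [96] (or [128] for 56 rounds), odd rounds written in one pass from [16] and even rounds in a second pass from [18] with a stride of four words — can only be recovered from the indices; a header comment on the function stating that layout would make `tk2 += 2; tk3 += 2;` readable. `PERMUTATION_TK2()` reads and writes the locals `tk2`, `tk3`, `t0`, `t1`, `t2`, `w0` and `w1` by name, which the `// used in MACRO` comments flag but which cannot be type-checked; a `static inline` helper taking those as pointer parameters would keep both variants honest. The prologue of the two function bodies (declarations through the first-round store and the `tk2 += 2; tk3 += 2;` advance) is identical; hoisting it above the `#ifndef ___SKINNY_LOOP` would leave only the round expansion conditional.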
@@ -0,0 +1,228 @@
+/******************************************************************************
+ * Copyright (c) 2020, NEC Corporation.
+ *
+ * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND.
+ *
+ *****************************************************************************/
+
+/*
+ * SKINNY-128-384
+ *
+ * AC(c0 c1) ^ TK3 -> store
+ * ART(TK3)
+ *
+ * number of rounds : 40 or 56
+ */
+
+#include "skinny.h"
+
+#define PERMUTATION_TK3(c0Val, c1Val) \
+ \
+ /* permutation */ \
+ \
+ PERMUTATION() \
+ \
+ /* LFSR(for TK3) (x7 x6 x5 x4 x3 x2 x1 x0) -> (x0^x6 x7 x6 x5 x4 x3 x2 x1) */ \
+ w0 = ((w0 >> 1) & 0x7f7f7f7f) ^ \
+ (((w0 << 7) ^ (w0 << 1)) & 0x80808080); \
+ w1 = ((w1 >> 1) & 0x7f7f7f7f) ^ \
+ (((w1 << 7) ^ (w1 << 1)) & 0x80808080); \
+ \
+ /* K3^AC(c0 c1) */ \
+ /* store */ \
+ *tk3++ = w0 ^ c0Val; \
+ *tk3++ = w1 ^ c1Val; \
+ tk3 += 2;
+
+#ifndef ___SKINNY_LOOP
+
+void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys)
+{
+ uint32_t *tk3;
+ uint32_t t0; // used in MACRO
+ uint32_t t1; // used in MACRO
+ uint32_t t2; // used in MACRO
+ uint32_t w0;
+ uint32_t w1;
+
+ // odd
+
+ // load master key
+ w0 = roundKeys[8];
+ w1 = roundKeys[9];
+
+#ifndef ___NUM_OF_ROUNDS_56
+ tk3 = &roundKeys[96];
+#else
+ tk3 = &roundKeys[128];
+#endif
+
+ // 1st round
+ *tk3++ = w0 ^ 0x01;
+ *tk3++ = w1;
+ tk3 += 2;
+
+ // 3rd,5th, ... ,37th,39th round
+ PERMUTATION_TK3(0x7, 0x000);
+ PERMUTATION_TK3(0xf, 0x100);
+ PERMUTATION_TK3(0xd, 0x300);
+ PERMUTATION_TK3(0x7, 0x300);
+ PERMUTATION_TK3(0xe, 0x100);
+ PERMUTATION_TK3(0x9, 0x300);
+ PERMUTATION_TK3(0x7, 0x200);
+ PERMUTATION_TK3(0xd, 0x100);
+ PERMUTATION_TK3(0x5, 0x300);
+
+ PERMUTATION_TK3(0x6, 0x100);
+ PERMUTATION_TK3(0x8, 0x100);
+ PERMUTATION_TK3(0x1, 0x200);
+ PERMUTATION_TK3(0x5, 0x000);
+ PERMUTATION_TK3(0x7, 0x100);
+ PERMUTATION_TK3(0xc, 0x100);
+ PERMUTATION_TK3(0x1, 0x300);
+ PERMUTATION_TK3(0x6, 0x000);
+ PERMUTATION_TK3(0xb, 0x100);
+ PERMUTATION_TK3(0xd, 0x200);
+
+#ifdef ___NUM_OF_ROUNDS_56
+
+ // 41td,43th, ... ,53th,55th round
+ PERMUTATION_TK3(0x4, 0x300);
+ PERMUTATION_TK3(0x2, 0x100);
+ PERMUTATION_TK3(0x8, 0x000);
+ PERMUTATION_TK3(0x2, 0x200);
+ PERMUTATION_TK3(0x9, 0x000);
+ PERMUTATION_TK3(0x6, 0x200);
+ PERMUTATION_TK3(0x9, 0x100);
+ PERMUTATION_TK3(0x5, 0x200);
+
+#endif
+
+ // even
+
+ // load master key
+ w0 = roundKeys[10];
+ w1 = roundKeys[11];
+
+
+#ifndef ___NUM_OF_ROUNDS_56
+ tk3 = &roundKeys[98];
+#else
+ tk3 = &roundKeys[130];
+#endif
+
+ // 2nd,4th, ... ,38th,40th round
+ PERMUTATION_TK3(0x3, 0x000);
+ PERMUTATION_TK3(0xf, 0x000);
+ PERMUTATION_TK3(0xe, 0x300);
+ PERMUTATION_TK3(0xb, 0x300);
+ PERMUTATION_TK3(0xf, 0x200);
+ PERMUTATION_TK3(0xc, 0x300);
+ PERMUTATION_TK3(0x3, 0x300);
+ PERMUTATION_TK3(0xe, 0x000);
+ PERMUTATION_TK3(0xa, 0x300);
+ PERMUTATION_TK3(0xb, 0x200);
+
+ PERMUTATION_TK3(0xc, 0x200);
+ PERMUTATION_TK3(0x0, 0x300);
+ PERMUTATION_TK3(0x2, 0x000);
+ PERMUTATION_TK3(0xb, 0x000);
+ PERMUTATION_TK3(0xe, 0x200);
+ PERMUTATION_TK3(0x8, 0x300);
+ PERMUTATION_TK3(0x3, 0x200);
+ PERMUTATION_TK3(0xd, 0x000);
+ PERMUTATION_TK3(0x6, 0x300);
+ PERMUTATION_TK3(0xa, 0x100);
+
+#ifdef ___NUM_OF_ROUNDS_56
+
+ // 42nd,44th, ... ,54th,56th round
+ PERMUTATION_TK3(0x9, 0x200);
+ PERMUTATION_TK3(0x4, 0x200);
+ PERMUTATION_TK3(0x1, 0x100);
+ PERMUTATION_TK3(0x4, 0x000);
+ PERMUTATION_TK3(0x3, 0x100);
+ PERMUTATION_TK3(0xc, 0x000);
+ PERMUTATION_TK3(0x2, 0x300);
+ PERMUTATION_TK3(0xa, 0x000);
+
+#endif
+
+}
+
+#else
+
+void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys, unsigned char *pRC)
+{
+ uint32_t *tk3;
+ uint32_t t0; // used in MACRO
+ uint32_t t1; // used in MACRO
+ uint32_t t2; // used in MACRO
+ uint32_t w0;
+ uint32_t w1;
+ uint16_t c0;
+ uint16_t c1;
+
+ // odd
+
+ // load master key
+ w0 = roundKeys[8];
+ w1 = roundKeys[9];
+
+#ifndef ___NUM_OF_ROUNDS_56
+ tk3 = &roundKeys[96];
+#else
+ tk3 = &roundKeys[128];
+#endif
+
+ // 1st round
+ *tk3++ = w0 ^ 0x01;
+ *tk3++ = w1;
+ tk3 += 2;
+
+ pRC += 4;
+ // 3rd,5th, ...
+#ifndef ___NUM_OF_ROUNDS_56
+ for(int i=0;i<19;i++)
+#else
+ for(int i=0;i<27;i++)
+#endif
+ {
+ c0 = *pRC++;
+ c1 = *pRC++;
+ c1 <<= 8;
+ pRC += 2;
+ PERMUTATION_TK3(c0, c1);
+ }
+
+ // even
+
+ // load master key
+ w0 = roundKeys[10];
+ w1 = roundKeys[11];
+
+#ifndef ___NUM_OF_ROUNDS_56
+ pRC -= 78;
+ tk3 = &roundKeys[98];
+#else
+ pRC -= 110;
+ tk3 = &roundKeys[130];
+#endif
+
+ // 2nd,4th, ...
+#ifndef ___NUM_OF_ROUNDS_56
+ for(int i=0;i<20;i++)
+#else
+ for(int i=0;i<28;i++)
+#endif
+ {
+ c0 = *pRC++;
+ c1 = *pRC++;
+ c1 <<= 8;
+ pRC += 2;
+ PERMUTATION_TK3(c0, c1);
+ }
+
+}
+
+#endif
diff --git a/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/skinny_main.c b/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/skinny_main.c
new file mode 100644
index 0000000..74222ee
--- /dev/null
+++ b/romulus/Implementations/crypto_aead/romulusm1+/opt32_NEC/skinny_main.c
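Review bot: The two build variants of `RunEncryptionKeyScheduleTK3` have different signatures — `(uint32_t *roundKeys)` under `#ifndef ___SKINNY_LOOP` and `(uint32_t *roundKeys, unsigned char *pRC)` under `#else` — so every call site has to repeat the same conditional, and neither variant is declared in skinny.h; declare the active one there under the same `#ifdef` so the call is type-checked. The rewinds `pRC -= 78;` and `pRC -= 110;` equal 4 + 19*4 - 2 and 4 + 27*4 - 2 (the odd pass starts 4 bytes in and consumes 4 bytes per round, the even pass starts 2 bytes in), which matches the visible loop bounds, but the derivation deserves a comment; simpler is to keep `const unsigned char *rc_base = pRC;` at entry and restart the even pass with `pRC = rc_base + 2;`. The table is only read, so the parameter should be `const unsigned char *pRC`, which would also allow the RC table to be declared const. The comment `// 41td,43th, ... ,53th,55th round` in the non-loop variant should read `41st,43rd`.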
@@ -0,0 +1,537 @@ +/****************************************************************************** + * Copyright (c) 2020, NEC Corporation. + * + * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. + * + *****************************************************************************/ + +/* + * SKINNY-128-384 + * + * ART(TK1) -> store + * load AC(c0 c1) ^ TK3 ^ TK2 + * load TK1 + * calc AC(c0 c1) ^ TK3 ^ TK2 ^ TK1 -> use at (AC->ART) + * SC->SR->(AC->ART)->MC + * + * number of rounds : 40 or 56 + */ + +#include "skinny.h" + +/* + * S-BOX + */ +unsigned char SBOX[] += { + // Original + 0x65, 0x4c, 0x6a, 0x42, 0x4b, 0x63, 0x43, 0x6b, 0x55, 0x75, 0x5a, 0x7a, 0x53, 0x73, 0x5b, 0x7b, + 0x35, 0x8c, 0x3a, 0x81, 0x89, 0x33, 0x80, 0x3b, 0x95, 0x25, 0x98, 0x2a, 0x90, 0x23, 0x99, 0x2b, + 0xe5, 0xcc, 0xe8, 0xc1, 0xc9, 0xe0, 0xc0, 0xe9, 0xd5, 0xf5, 0xd8, 0xf8, 0xd0, 0xf0, 0xd9, 0xf9, + 0xa5, 0x1c, 0xa8, 0x12, 0x1b, 0xa0, 0x13, 0xa9, 0x05, 0xb5, 0x0a, 0xb8, 0x03, 0xb0, 0x0b, 0xb9, + 0x32, 0x88, 0x3c, 0x85, 0x8d, 0x34, 0x84, 0x3d, 0x91, 0x22, 0x9c, 0x2c, 0x94, 0x24, 0x9d, 0x2d, + 0x62, 0x4a, 0x6c, 0x45, 0x4d, 0x64, 0x44, 0x6d, 0x52, 0x72, 0x5c, 0x7c, 0x54, 0x74, 0x5d, 0x7d, + 0xa1, 0x1a, 0xac, 0x15, 0x1d, 0xa4, 0x14, 0xad, 0x02, 0xb1, 0x0c, 0xbc, 0x04, 0xb4, 0x0d, 0xbd, + 0xe1, 0xc8, 0xec, 0xc5, 0xcd, 0xe4, 0xc4, 0xed, 0xd1, 0xf1, 0xdc, 0xfc, 0xd4, 0xf4, 0xdd, 0xfd, + 0x36, 0x8e, 0x38, 0x82, 0x8b, 0x30, 0x83, 0x39, 0x96, 0x26, 0x9a, 0x28, 0x93, 0x20, 0x9b, 0x29, + 0x66, 0x4e, 0x68, 0x41, 0x49, 0x60, 0x40, 0x69, 0x56, 0x76, 0x58, 0x78, 0x50, 0x70, 0x59, 0x79, + 0xa6, 0x1e, 0xaa, 0x11, 0x19, 0xa3, 0x10, 0xab, 0x06, 0xb6, 0x08, 0xba, 0x00, 0xb3, 0x09, 0xbb, + 0xe6, 0xce, 0xea, 0xc2, 0xcb, 0xe3, 0xc3, 0xeb, 0xd6, 0xf6, 0xda, 0xfa, 0xd3, 0xf3, 0xdb, 0xfb, + 0x31, 0x8a, 0x3e, 0x86, 0x8f, 0x37, 0x87, 0x3f, 0x92, 0x21, 0x9e, 0x2e, 0x97, 0x27, 0x9f, 0x2f, + 0x61, 0x48, 0x6e, 0x46, 0x4f, 0x67, 0x47, 0x6f, 0x51, 0x71, 0x5e, 0x7e, 0x57, 0x77, 0x5f, 0x7f, + 0xa2, 0x18, 0xae, 
0x16, 0x1f, 0xa7, 0x17, 0xaf, 0x01, 0xb2, 0x0e, 0xbe, 0x07, 0xb7, 0x0f, 0xbf, + 0xe2, 0xca, 0xee, 0xc6, 0xcf, 0xe7, 0xc7, 0xef, 0xd2, 0xf2, 0xde, 0xfe, 0xd7, 0xf7, 0xdf, 0xff, +}; + + /* + * S-BOX ^ AC(c2) + */ +unsigned char SBOX2[] += { // Original ^ c2(0x02) + 0x67, 0x4e, 0x68, 0x40, 0x49, 0x61, 0x41, 0x69, 0x57, 0x77, 0x58, 0x78, 0x51, 0x71, 0x59, 0x79, + 0x37, 0x8e, 0x38, 0x83, 0x8b, 0x31, 0x82, 0x39, 0x97, 0x27, 0x9a, 0x28, 0x92, 0x21, 0x9b, 0x29, + 0xe7, 0xce, 0xea, 0xc3, 0xcb, 0xe2, 0xc2, 0xeb, 0xd7, 0xf7, 0xda, 0xfa, 0xd2, 0xf2, 0xdb, 0xfb, + 0xa7, 0x1e, 0xaa, 0x10, 0x19, 0xa2, 0x11, 0xab, 0x07, 0xb7, 0x08, 0xba, 0x01, 0xb2, 0x09, 0xbb, + 0x30, 0x8a, 0x3e, 0x87, 0x8f, 0x36, 0x86, 0x3f, 0x93, 0x20, 0x9e, 0x2e, 0x96, 0x26, 0x9f, 0x2f, + 0x60, 0x48, 0x6e, 0x47, 0x4f, 0x66, 0x46, 0x6f, 0x50, 0x70, 0x5e, 0x7e, 0x56, 0x76, 0x5f, 0x7f, + 0xa3, 0x18, 0xae, 0x17, 0x1f, 0xa6, 0x16, 0xaf, 0x00, 0xb3, 0x0e, 0xbe, 0x06, 0xb6, 0x0f, 0xbf, + 0xe3, 0xca, 0xee, 0xc7, 0xcf, 0xe6, 0xc6, 0xef, 0xd3, 0xf3, 0xde, 0xfe, 0xd6, 0xf6, 0xdf, 0xff, + 0x34, 0x8c, 0x3a, 0x80, 0x89, 0x32, 0x81, 0x3b, 0x94, 0x24, 0x98, 0x2a, 0x91, 0x22, 0x99, 0x2b, + 0x64, 0x4c, 0x6a, 0x43, 0x4b, 0x62, 0x42, 0x6b, 0x54, 0x74, 0x5a, 0x7a, 0x52, 0x72, 0x5b, 0x7b, + 0xa4, 0x1c, 0xa8, 0x13, 0x1b, 0xa1, 0x12, 0xa9, 0x04, 0xb4, 0x0a, 0xb8, 0x02, 0xb1, 0x0b, 0xb9, + 0xe4, 0xcc, 0xe8, 0xc0, 0xc9, 0xe1, 0xc1, 0xe9, 0xd4, 0xf4, 0xd8, 0xf8, 0xd1, 0xf1, 0xd9, 0xf9, + 0x33, 0x88, 0x3c, 0x84, 0x8d, 0x35, 0x85, 0x3d, 0x90, 0x23, 0x9c, 0x2c, 0x95, 0x25, 0x9d, 0x2d, + 0x63, 0x4a, 0x6c, 0x44, 0x4d, 0x65, 0x45, 0x6d, 0x53, 0x73, 0x5c, 0x7c, 0x55, 0x75, 0x5d, 0x7d, + 0xa0, 0x1a, 0xac, 0x14, 0x1d, 0xa5, 0x15, 0xad, 0x03, 0xb0, 0x0c, 0xbc, 0x05, 0xb5, 0x0d, 0xbd, + 0xe0, 0xc8, 0xec, 0xc4, 0xcd, 0xe5, 0xc5, 0xed, 0xd0, 0xf0, 0xdc, 0xfc, 0xd5, 0xf5, 0xdd, 0xfd, +}; + +#ifdef ___SKINNY_LOOP +/* + * Round Constants + */ +unsigned char RC[] += { + 0x01, 0x00, 0x03, 0x00, 0x07, 0x00, 0x0f, 0x00, 0x0f, 0x01, 0x0e, 0x03, 0x0d, 0x03, 
0x0b, 0x03, + 0x07, 0x03, 0x0f, 0x02, 0x0e, 0x01, 0x0c, 0x03, 0x09, 0x03, 0x03, 0x03, 0x07, 0x02, 0x0e, 0x00, + 0x0d, 0x01, 0x0a, 0x03, 0x05, 0x03, 0x0b, 0x02, 0x06, 0x01, 0x0c, 0x02, 0x08, 0x01, 0x00, 0x03, + 0x01, 0x02, 0x02, 0x00, 0x05, 0x00, 0x0b, 0x00, 0x07, 0x01, 0x0e, 0x02, 0x0c, 0x01, 0x08, 0x03, + 0x01, 0x03, 0x03, 0x02, 0x06, 0x00, 0x0d, 0x00, 0x0b, 0x01, 0x06, 0x03, 0x0d, 0x02, 0x0a, 0x01, +#ifdef ___NUM_OF_ROUNDS_56 + 0x04, 0x03, 0x09, 0x02, 0x02, 0x01, 0x04, 0x02, 0x08, 0x00, 0x01, 0x01, 0x02, 0x02, 0x04, 0x00, + 0x09, 0x00, 0x03, 0x01, 0x06, 0x02, 0x0c, 0x00, 0x09, 0x01, 0x02, 0x03, 0x05, 0x02, 0x0a, 0x00, +#endif + }; +#endif + +extern void Encrypt(unsigned char *block, uint32_t *roundKeys, unsigned char *sbox, unsigned char *sbox2); +extern void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys); +#ifdef ___SKINNY_LOOP +extern void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys, unsigned char *pRC); +#else +extern void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys); +#endif + +void skinny_128_384_enc123_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K) +{ + uint32_t *pt = &pskinny_ctrl->roundKeys[0]; +#ifndef ___ENABLE_WORD_CAST + pack_word(CNT[0], CNT[1], CNT[2], CNT[3], pt[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pack_word(T[0], T[1], T[2], T[3], pt[4]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pack_word(T[8], T[9], T[10], T[11], pt[6]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); + + pack_word(K[0], K[1], K[2], K[3], pt[8]); + pack_word(K[7], K[4], K[5], K[6], pt[9]); + pack_word(K[8], K[9], K[10], K[11], pt[10]); + pack_word(K[15], K[12], K[13], K[14], pt[11]); +#else + pt[0] = *(uint32_t*)(&CNT[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pt[4] = *(uint32_t*)(&T[0]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pt[6] = *(uint32_t*)(&T[8]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); + + pt[8] = *(uint32_t*)(&K[0]); + 
pack_word(K[7], K[4], K[5], K[6], pt[9]); + pt[10] = *(uint32_t*)(&K[8]); + pack_word(K[15], K[12], K[13], K[14], pt[11]); +#endif + +#ifdef ___SKINNY_LOOP + RunEncryptionKeyScheduleTK3(pskinny_ctrl->roundKeys, RC); +#else + RunEncryptionKeyScheduleTK3(pskinny_ctrl->roundKeys); +#endif + RunEncryptionKeyScheduleTK2(pskinny_ctrl->roundKeys); + Encrypt(input, pskinny_ctrl->roundKeys, SBOX, SBOX2); + + pskinny_ctrl->func_skinny_128_384_enc = skinny_128_384_enc12_12; + +} + +void skinny_128_384_enc12_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K) +{ + (void)K; + + uint32_t *pt = &pskinny_ctrl->roundKeys[0]; +#ifndef ___ENABLE_WORD_CAST + pack_word(CNT[0], CNT[1], CNT[2], CNT[3], pt[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pack_word(T[0], T[1], T[2], T[3], pt[4]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pack_word(T[8], T[9], T[10], T[11], pt[6]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); +#else + pt[0] = *(uint32_t*)(&CNT[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pt[4] = *(uint32_t*)(&T[0]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pt[6] = *(uint32_t*)(&T[8]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); +#endif + + RunEncryptionKeyScheduleTK2(pskinny_ctrl->roundKeys); + Encrypt(input, pskinny_ctrl->roundKeys, SBOX, SBOX2); + +} + +extern void skinny_128_384_enc1_1 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K) +{ + (void)T; + (void)K; + + uint32_t *pt = &pskinny_ctrl->roundKeys[0]; +#ifndef ___ENABLE_WORD_CAST + pack_word(CNT[0], CNT[1], CNT[2], CNT[3], pt[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); +#else + pt[0] = *(uint32_t*)(&CNT[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); +#endif + + Encrypt(input, pskinny_ctrl->roundKeys, SBOX, SBOX2); + +} + +#define PERMUTATION_TK1() \ +/* permutation */ \ + \ + PERMUTATION(); \ + \ + /* store */ \ + \ + *tk1++ = 
w0; \ + *tk1++ = w1; + +#define SBOX_0(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox[t0]; \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0) ^ \ + (t1 << 8) ^ \ + (t2 << 16) ^ \ + (t3 << 24); + +#define SBOX_8(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox[t0]; \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0 << 8) ^ \ + (t1 << 16) ^ \ + (t2 << 24) ^ \ + (t3); + +#define SBOX_16(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox2[t0]; /* AC(c2) */ \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0 << 16) ^ \ + (t1 << 24) ^ \ + (t2) ^ \ + (t3 << 8); + +#define SBOX_24(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox[t0]; \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0 << 24) ^ \ + (t1) ^ \ + (t2 << 8) ^ \ + (t3 << 16); + +#define SKINNY_MAIN() \ + \ + /* odd */ \ + \ + /* LUT(with ShiftRows) */ \ + \ + SBOX_0(w0); \ + SBOX_8(w1); \ + SBOX_16(w2); \ + SBOX_24(w3); \ + \ + /* LUT(with ShiftRows & AC(c2) */ \ + \ + w0 ^= *tk2++; \ + w1 ^= *tk2++; \ + \ + /* Load TK1 */ \ + \ + w0 ^= *tk1++; \ + w1 ^= *tk1++; \ + \ + /* MC */ \ + /* 0 2 3 */ \ + /* 0 */ \ + /* 1 2 */ \ + /* 0 2 */ \ + \ + /* 0^2 */ \ + t0 = w0 ^ w2; \ + \ + /* 1^2 */ \ + w2 = w1 ^ w2; \ + \ + /* 0 */ \ + w1 = w0; \ + \ + /* 0^2^3 */ \ + w0 = t0 ^ w3; \ + \ + /* 0^2 */ \ + w3 = t0; \ + \ + /* even */ \ + \ + /* LUT(with ShiftRows & AC(c2) */ \ + \ + SBOX_0(w0); \ + SBOX_8(w1); \ + SBOX_16(w2); \ + SBOX_24(w3); \ + \ + /* Load TK2^TK3^AC(c0 c1) */ \ + \ + w0 ^= *tk2++; \ + w1 ^= *tk2++; \ + \ + /* MC */ \ + /* 0 2 3 */ \ + /* 0 */ \ + /* 1 2 */ \ + /* 0 2 */ \ + \ + /* 0^2 */ \ + t0 = w0 ^ w2; \ + \ + /* 1^2 */ \ + w2 = w1 ^ w2; \ + \ 
+ /* 0 */ \ + w1 = w0; \ + \ + /* 0^2^3 */ \ + w0 = t0 ^ w3; \ + \ + /* 0^2 */ \ + w3 = t0; + +#ifndef ___SKINNY_LOOP + +void Encrypt(unsigned char *block, uint32_t *roundKeys, unsigned char *sbox, unsigned char *sbox2) +{ + uint32_t *tk1; + uint32_t *tk2; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t t3; // used in MACRO + uint32_t w0; + uint32_t w1; + uint32_t w2; + uint32_t w3; + +// TK1 + + // load master key + w0 = roundKeys[0]; + w1 = roundKeys[1]; + + // 1st round + // not need to store + + tk1 = &roundKeys[2]; + + // 2nd, ... ,8th round + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + +// SB+AC+ShR+MC + +#ifndef ___ENABLE_WORD_CAST + pack_word(block[0], block[1], block[2], block[3], w0); + pack_word(block[4], block[5], block[6], block[7], w1); + pack_word(block[8], block[9], block[10], block[11], w2); + pack_word(block[12], block[13], block[14], block[15], w3); +#else + w0 = *(uint32_t*)(&block[0]); + w1 = *(uint32_t*)(&block[4]); + w2 = *(uint32_t*)(&block[8]); + w3 = *(uint32_t*)(&block[12]); +#endif + + tk2 = &roundKeys[16]; + tk1 = &roundKeys[0]; + + // 1st, ...,16th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + + tk1 = &roundKeys[0]; + + // 17th, ...,32th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + + tk1 = &roundKeys[0]; + + // 33th, ...,40th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 41th, ...,48th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + + tk1 = &roundKeys[0]; + + // 49th, ... 
,56th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + +#endif + +#ifndef ___ENABLE_WORD_CAST + unpack_word(block[0], block[1], block[2], block[3], w0); + unpack_word(block[4], block[5], block[6], block[7], w1); + unpack_word(block[8], block[9], block[10], block[11], w2); + unpack_word(block[12], block[13], block[14], block[15], w3); +#else + *(uint32_t*)(&block[0]) = w0; + *(uint32_t*)(&block[4]) = w1; + *(uint32_t*)(&block[8]) = w2; + *(uint32_t*)(&block[12]) = w3; +#endif + +} + +#else + +void Encrypt(unsigned char *block, uint32_t *roundKeys, unsigned char *sbox, unsigned char *sbox2) +{ + uint32_t *tk1; + uint32_t *tk2; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t t3; // used in MACRO + uint32_t w0; + uint32_t w1; + uint32_t w2; + uint32_t w3; + +// TK1 + + // load master key + w0 = roundKeys[0]; + w1 = roundKeys[1]; + + // 1st round + // not need to store + + tk1 = &roundKeys[2]; + + // 2nd, ... ,8th round + for(int i=0;i<7;i++) + { + PERMUTATION_TK1(); + } + +// SB+AC+ShR+MC + +#ifndef ___ENABLE_WORD_CAST + pack_word(block[0], block[1], block[2], block[3], w0); + pack_word(block[4], block[5], block[6], block[7], w1); + pack_word(block[8], block[9], block[10], block[11], w2); + pack_word(block[12], block[13], block[14], block[15], w3); +#else + w0 = *(uint32_t*)(&block[0]); + w1 = *(uint32_t*)(&block[4]); + w2 = *(uint32_t*)(&block[8]); + w3 = *(uint32_t*)(&block[12]); +#endif + + tk2 = &roundKeys[16]; + + // 1st, ... ,32th or 48th round +#ifndef ___NUM_OF_ROUNDS_56 + for(int j=0;j<2;j++) +#else + for(int j=0;j<3;j++) +#endif + { + tk1 = &roundKeys[0]; + for(int i=0;i<8;i++) + { + SKINNY_MAIN(); + } + } + + // 33th , ... ,40th or 49th, .... 
,56th round
+ {
+ tk1 = &roundKeys[0];
+ for(int i=0;i<4;i++)
+ {
+ SKINNY_MAIN();
+ }
+ }
+#ifndef ___ENABLE_WORD_CAST
+ unpack_word(block[0], block[1], block[2], block[3], w0);
+ unpack_word(block[4], block[5], block[6], block[7], w1);
+ unpack_word(block[8], block[9], block[10], block[11], w2);
+ unpack_word(block[12], block[13], block[14], block[15], w3);
+#else
+ *(uint32_t*)(&block[0]) = w0;
+ *(uint32_t*)(&block[4]) = w1;
+ *(uint32_t*)(&block[8]) = w2;
+ *(uint32_t*)(&block[12]) = w3;
+#endif
+
+}
+
+#endif
diff --git a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/aead-common.c b/romulus/Implementations/crypto_aead/romulusm1+/rhys/aead-common.c
similarity index 100%
rename from drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/aead-common.c
rename to romulus/Implementations/crypto_aead/romulusm1+/rhys/aead-common.c
diff --git a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/aead-common.h b/romulus/Implementations/crypto_aead/romulusm1+/rhys/aead-common.h
similarity index 100%
rename from drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/aead-common.h
rename to romulus/Implementations/crypto_aead/romulusm1+/rhys/aead-common.h
diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys-avr/api.h b/romulus/Implementations/crypto_aead/romulusm1+/rhys/api.h
similarity index 100%
rename from ace/Implementations/crypto_aead/aceae128v1/rhys-avr/api.h
rename to romulus/Implementations/crypto_aead/romulusm1+/rhys/api.h
diff --git a/ace/Implementations/crypto_aead/aceae128v1/rhys-avr/encrypt.c b/romulus/Implementations/crypto_aead/romulusm1+/rhys/encrypt.c
similarity index 86%
rename from ace/Implementations/crypto_aead/aceae128v1/rhys-avr/encrypt.c
rename to romulus/Implementations/crypto_aead/romulusm1+/rhys/encrypt.c
index 99cb7f3..192e5e9 100644
--- a/ace/Implementations/crypto_aead/aceae128v1/rhys-avr/encrypt.c
+++ b/romulus/Implementations/crypto_aead/romulusm1+/rhys/encrypt.c
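Review bot: The `___ENABLE_WORD_CAST` branches in skinny_128_384_enc123_12, skinny_128_384_enc12_12, skinny_128_384_enc1_1 and both Encrypt variants read and write `unsigned char` buffers through `*(uint32_t*)` casts, which is undefined behaviour for misaligned pointers and under strict aliasing, and nothing in the callers' signatures guarantees `CNT`, `T`, `K` or `block` are 4-byte aligned. `memcpy(&pt[0], &CNT[0], sizeof pt[0]);` for the loads and `memcpy(&block[0], &w0, sizeof w0);` for the stores keep the host-endian semantics that path relies on and let the compiler emit a single access where alignment permits. `SBOX`, `SBOX2` and `RC` are writable globals with external linkage; `static const unsigned char SBOX[]` (with Encrypt's `sbox`/`sbox2` parameters and the `extern` prototype becoming `const unsigned char *`) keeps the lookup tables out of the global namespace and eligible for read-only placement. Macro names beginning with an underscore (`___SKINNY_LOOP`, `___NUM_OF_ROUNDS_56`, `___ENABLE_WORD_CAST`) are reserved for the implementation and should carry a `SKINNY_` prefix instead. The file header could also state that the S-box is applied by table lookup, so the implementation's memory accesses depend on secret data, which matters for anyone selecting it for a platform with a data cache.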
@@ -1,5 +1,4 @@ - -#include "ace.h" +#include "romulus.h" int crypto_aead_encrypt (unsigned char *c, unsigned long long *clen, @@ -9,7 +8,7 @@ int crypto_aead_encrypt const unsigned char *npub, const unsigned char *k) { - return ace_aead_encrypt + return romulus_m1_aead_encrypt (c, clen, m, mlen, ad, adlen, nsec, npub, k); } @@ -21,6 +20,6 @@ int crypto_aead_decrypt const unsigned char *npub, const unsigned char *k) { - return ace_aead_decrypt + return romulus_m1_aead_decrypt (m, mlen, nsec, c, clen, ad, adlen, npub, k); } diff --git a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-skinny128-avr.S b/romulus/Implementations/crypto_aead/romulusm1+/rhys/internal-skinny128-avr.S similarity index 100% rename from romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-skinny128-avr.S rename to romulus/Implementations/crypto_aead/romulusm1+/rhys/internal-skinny128-avr.S index d342cd5..0fafa4e 100644 --- a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-skinny128-avr.S +++ b/romulus/Implementations/crypto_aead/romulusm1+/rhys/internal-skinny128-avr.S @@ -3217,7 +3217,7 @@ skinny_128_384_encrypt: eor r19,r9 eor r20,r10 eor r21,r11 - cpi r26,112 + cpi r26,80 brne 5721f rjmp 790f 5721: @@ -3672,7 +3672,7 @@ skinny_128_384_decrypt: push r0 out _SFR_IO_ADDR(RAMPZ),r26 #endif - ldi r26,28 + ldi r26,20 ldd r12,Y+17 ldd r13,Y+18 ldd r14,Y+19 @@ -3780,7 +3780,7 @@ skinny_128_384_decrypt: std Y+22,r25 std Y+23,r16 std Y+24,r17 - ldi r26,28 + ldi r26,20 ldd r12,Y+25 ldd r13,Y+26 ldd r14,Y+27 @@ -3894,7 +3894,7 @@ skinny_128_384_decrypt: ldi r26,hh8(table_3) out _SFR_IO_ADDR(RAMPZ),r26 #endif - ldi r26,28 + ldi r26,20 ldd r12,Y+33 ldd r13,Y+34 ldd r14,Y+35 @@ -4002,7 +4002,7 @@ skinny_128_384_decrypt: std Y+38,r25 std Y+39,r16 std Y+40,r17 - ldi r26,28 + ldi r26,20 ldd r12,Y+41 ldd r13,Y+42 ldd r14,Y+43 
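Review bot: The five `cpi r26,112` → `cpi r26,80` and `ldi r26,28` → `ldi r26,20` edits in skinny_128_384_encrypt and skinny_128_384_decrypt (plus the sixth at @@ -4110 on the following line) change bare immediates that appear to scale with the round count being reduced from 56 to 40, but nothing in the hunks records that relationship, so the next round-count change has to rediscover all six sites. If this file is produced by a generator, the round count should be changed there and the file regenerated rather than patched by hand; otherwise a comment at each site, e.g. `; round-count dependent (40 rounds)`, would tie them together. The bodies of skinny_128_384_encrypt and skinny_128_384_decrypt lie almost entirely outside these hunks, so whether any other round-dependent constant was missed cannot be judged from the diff alone.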
@@ -4110,7 +4110,7 @@ skinny_128_384_decrypt:
 std Y+46,r25
 std Y+47,r16
 std Y+48,r17
- ldi r26,112
+ ldi r26,80
 227:
 ldd r12,Y+1
 ldd r13,Y+2
diff --git a/romulus/Implementations/crypto_aead/romulusm1+/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusm1+/rhys/internal-skinny128.c
new file mode 100644
index 0000000..cb1fbda
--- /dev/null
+++ b/romulus/Implementations/crypto_aead/romulusm1+/rhys/internal-skinny128.c
@@ -0,0 +1,801 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +#if !defined(__AVR__) + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. 
+ * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) +{ +#if !SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); + memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); +#else + /* Set the initial states of TK1, TK2, and TK3 */ + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. 
+ * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } +#endif +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else + const uint32_t *schedule = ks->k; +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; +#endif + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0x15; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 
+ 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_fast_forward_tk(TK2); + skinny128_fast_forward_tk(TK3); + for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { + /* Also fast-forward the LFSR's on every byte of TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + skinny128_LFSR3(TK3[2]); + skinny128_LFSR3(TK3[3]); + } +#endif + + /* Perform all decryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_inv_permute_tk(TK3); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); + skinny128_LFSR2(TK3[2]); + skinny128_LFSR2(TK3[3]); +#endif + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + 
le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK3[4]; + uint8_t rc = 0; +#else + const uint32_t *schedule = ks->k; +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. 
That is, we do a left rotate
+ * on the word to rotate the cells in the word right */
+ s1 = leftRotate8(s1);
+ s2 = leftRotate16(s2);
+ s3 = leftRotate24(s3);
+
+ /* Mix the columns */
+ s1 ^= s2;
+ s2 ^= s0;
+ temp = s3 ^ s2;
+ s3 = s2;
+ s2 = s1;
+ s1 = s0;
+ s0 = temp;
+
+ /* Permute TK1 and TK2 for the next round */
+ skinny128_permute_tk(TK1);
+ skinny128_permute_tk(TK2);
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_permute_tk(TK3);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+#else
+ schedule += 2;
+#endif
+ }
+
+ /* Pack the result into the output buffer */
+ le_store_word32(output, s0);
+ le_store_word32(output + 4, s1);
+ le_store_word32(output + 8, s2);
+ le_store_word32(output + 12, s3);
+}
+
+void skinny_128_384_encrypt_tk_full
+ (const unsigned char key[48], unsigned char *output,
+ const unsigned char *input)
+{
+ uint32_t s0, s1, s2, s3;
+ uint32_t TK1[4];
+ uint32_t TK2[4];
+ uint32_t TK3[4];
+ uint32_t temp;
+ unsigned round;
+ uint8_t rc = 0;
+
+ /* Unpack the input block into the state array */
+ s0 = le_load_word32(input);
+ s1 = le_load_word32(input + 4);
+ s2 = le_load_word32(input + 8);
+ s3 = le_load_word32(input + 12);
+
+ /* Make a local copy of the tweakey */
+ TK1[0] = le_load_word32(key);
+ TK1[1] = le_load_word32(key + 4);
+ TK1[2] = le_load_word32(key + 8);
+ TK1[3] = le_load_word32(key + 12);
+ TK2[0] = le_load_word32(key + 16);
+ TK2[1] = le_load_word32(key + 20);
+ TK2[2] = le_load_word32(key + 24);
+ TK2[3] = le_load_word32(key + 28);
+ TK3[0] = le_load_word32(key + 32);
+ TK3[1] = le_load_word32(key + 36);
+ TK3[2] = le_load_word32(key + 40);
+ TK3[3] = le_load_word32(key + 44);
+
+ /* Perform all encryption rounds */
+ for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
+ /* Apply the S-box to all bytes in the state */
+ skinny128_sbox(s0);
+ skinny128_sbox(s1);
+ skinny128_sbox(s2);
+ skinny128_sbox(s3);
+
+ /* XOR the round constant and the subkey for this round */
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
+ s2 ^= 0x02;
+
+ /* Shift the cells in the rows right, which moves the cell
+ * values up closer to the MSB. That is, we do a left rotate
+ * on the word to rotate the cells in the word right */
+ s1 = leftRotate8(s1);
+ s2 = leftRotate16(s2);
+ s3 = leftRotate24(s3);
+
+ /* Mix the columns */
+ s1 ^= s2;
+ s2 ^= s0;
+ temp = s3 ^ s2;
+ s3 = s2;
+ s2 = s1;
+ s1 = s0;
+ s0 = temp;
+
+ /* Permute TK1, TK2, and TK3 for the next round */
+ skinny128_permute_tk(TK1);
+ skinny128_permute_tk(TK2);
+ skinny128_permute_tk(TK3);
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+ }
+
+ /* Pack the result into the output buffer */
+ le_store_word32(output, s0);
+ le_store_word32(output + 4, s1);
+ le_store_word32(output + 8, s2);
+ le_store_word32(output + 12, s3);
+}
+
+void skinny_128_256_init
+ (skinny_128_256_key_schedule_t *ks, const unsigned char key[32])
+{
+#if !SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint32_t *schedule;
+ unsigned round;
+ uint8_t rc;
+#endif
+
+#if SKINNY_128_SMALL_SCHEDULE
+ /* Copy the input key as-is when using the small key schedule version */
+ memcpy(ks->TK1, key, sizeof(ks->TK1));
+ memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
+#else
+ /* Set the initial states of TK1 and TK2 */
+ memcpy(ks->TK1, key, 16);
+ TK2[0] = le_load_word32(key + 16);
+ TK2[1] = le_load_word32(key + 20);
+ TK2[2] = le_load_word32(key + 24);
+ TK2[3] = le_load_word32(key + 28);
+
+ /* Set up the key schedule using TK2. TK1 is not added
+ * to the key schedule because we will derive that part of the
+ * schedule during encryption operations */
+ schedule = ks->k;
+ rc = 0;
+ for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) {
+ /* XOR the round constants with the current schedule words.
+ * The round constants for the 3rd and 4th rows are
+ * fixed and will be applied during encryption. */
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ schedule[0] = TK2[0] ^ (rc & 0x0F);
+ schedule[1] = TK2[1] ^ (rc >> 4);
+
+ /* Permute TK2 for the next round */
+ skinny128_permute_tk(TK2);
+
+ /* Apply the LFSR to TK2 */
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ }
+#endif
+}
+
+void skinny_128_256_encrypt
+ (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input)
+{
+ uint32_t s0, s1, s2, s3;
+ uint32_t TK1[4];
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint8_t rc = 0;
+#else
+ const uint32_t *schedule = ks->k;
+#endif
+ uint32_t temp;
+ unsigned round;
+
+ /* Unpack the input block into the state array */
+ s0 = le_load_word32(input);
+ s1 = le_load_word32(input + 4);
+ s2 = le_load_word32(input + 8);
+ s3 = le_load_word32(input + 12);
+
+ /* Make a local copy of the tweakable part of the state, TK1 */
+ TK1[0] = le_load_word32(ks->TK1);
+ TK1[1] = le_load_word32(ks->TK1 + 4);
+ TK1[2] = le_load_word32(ks->TK1 + 8);
+ TK1[3] = le_load_word32(ks->TK1 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK2[0] = le_load_word32(ks->TK2);
+ TK2[1] = le_load_word32(ks->TK2 + 4);
+ TK2[2] = le_load_word32(ks->TK2 + 8);
+ TK2[3] = le_load_word32(ks->TK2 + 12);
+#endif
+
+ /* Perform all encryption rounds */
+ for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
+ /* Apply the S-box to all bytes in the state */
+ skinny128_sbox(s0);
+ skinny128_sbox(s1);
+ skinny128_sbox(s2);
+ skinny128_sbox(s3);
+
+ /* XOR the round constant and the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
+#else
+ s0 ^= schedule[0] ^ TK1[0];
+ s1 ^= schedule[1] ^ TK1[1];
+#endif
+ s2 ^= 0x02;
+
+ /* Shift the cells in the rows right, which moves the cell
+ * values up closer to the MSB. That is, we do a left rotate
+ * on the word to rotate the cells in the word right */
+ s1 = leftRotate8(s1);
+ s2 = leftRotate16(s2);
+ s3 = leftRotate24(s3);
+
+ /* Mix the columns */
+ s1 ^= s2;
+ s2 ^= s0;
+ temp = s3 ^ s2;
+ s3 = s2;
+ s2 = s1;
+ s1 = s0;
+ s0 = temp;
+
+ /* Permute TK1 and TK2 for the next round */
+ skinny128_permute_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_permute_tk(TK2);
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+#else
+ schedule += 2;
+#endif
+ }
+
+ /* Pack the result into the output buffer */
+ le_store_word32(output, s0);
+ le_store_word32(output + 4, s1);
+ le_store_word32(output + 8, s2);
+ le_store_word32(output + 12, s3);
+}
+
+void skinny_128_256_decrypt
+ (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input)
+{
+ uint32_t s0, s1, s2, s3;
+ uint32_t TK1[4];
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint8_t rc = 0x09;
+#else
+ const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]);
+#endif
+ uint32_t temp;
+ unsigned round;
+
+ /* Unpack the input block into the state array */
+ s0 = le_load_word32(input);
+ s1 = le_load_word32(input + 4);
+ s2 = le_load_word32(input + 8);
+ s3 = le_load_word32(input + 12);
+
+ /* Make a local copy of the tweakable part of the state, TK1.
+ * There is no need to fast-forward TK1 because the value at
+ * the end of the key schedule is the same as at the start */
+ TK1[0] = le_load_word32(ks->TK1);
+ TK1[1] = le_load_word32(ks->TK1 + 4);
+ TK1[2] = le_load_word32(ks->TK1 + 8);
+ TK1[3] = le_load_word32(ks->TK1 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK2[0] = le_load_word32(ks->TK2);
+ TK2[1] = le_load_word32(ks->TK2 + 4);
+ TK2[2] = le_load_word32(ks->TK2 + 8);
+ TK2[3] = le_load_word32(ks->TK2 + 12);
+ for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) {
+ /* Also fast-forward the LFSR's on every byte of TK2 */
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ skinny128_LFSR2(TK2[2]);
+ skinny128_LFSR2(TK2[3]);
+ }
+#endif
+
+ /* Perform all decryption rounds */
+ for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
+ /* Inverse permutation on TK1 for this round */
+ skinny128_inv_permute_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_inv_permute_tk(TK2);
+ skinny128_LFSR3(TK2[2]);
+ skinny128_LFSR3(TK2[3]);
+#endif
+
+ /* Inverse mix of the columns */
+ temp = s3;
+ s3 = s0;
+ s0 = s1;
+ s1 = s2;
+ s3 ^= temp;
+ s2 = temp ^ s0;
+ s1 ^= s2;
+
+ /* Inverse shift of the rows */
+ s1 = leftRotate24(s1);
+ s2 = leftRotate16(s2);
+ s3 = leftRotate8(s3);
+
+ /* Apply the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
+ s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
+#else
+ s0 ^= schedule[0] ^ TK1[0];
+ s1 ^= schedule[1] ^ TK1[1];
+ schedule -= 2;
+#endif
+ s2 ^= 0x02;
+
+ /* Apply the inverse of the S-box to all bytes in the state */
+ skinny128_inv_sbox(s0);
+ skinny128_inv_sbox(s1);
+ skinny128_inv_sbox(s2);
+ skinny128_inv_sbox(s3);
+ }
+
+ /* Pack the result into the output buffer */
+ le_store_word32(output, s0);
+ le_store_word32(output + 4, s1);
+ le_store_word32(output + 8, s2);
+ le_store_word32(output + 12, s3);
+}
+
+void skinny_128_256_encrypt_tk_full
+ (const unsigned char key[32], unsigned char *output,
+ const unsigned char *input)
+{
+ uint32_t s0, s1, s2, s3;
+ uint32_t TK1[4];
+ uint32_t TK2[4];
+ uint32_t temp;
+ unsigned round;
+ uint8_t rc = 0;
+
+ /* Unpack the input block into the state array */
+ s0 = le_load_word32(input);
+ s1 = le_load_word32(input + 4);
+ s2 = le_load_word32(input + 8);
+ s3 = le_load_word32(input + 12);
+
+ /* Make a local copy of the tweakey */
+ TK1[0] = le_load_word32(key);
+ TK1[1] = le_load_word32(key + 4);
+ TK1[2] = le_load_word32(key + 8);
+ TK1[3] = le_load_word32(key + 12);
+ TK2[0] = le_load_word32(key + 16);
+ TK2[1] = le_load_word32(key + 20);
+ TK2[2] = le_load_word32(key + 24);
+ TK2[3] = le_load_word32(key + 28);
+
+ /* Perform all encryption rounds */
+ for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
+ /* Apply the S-box to all bytes in the state */
+ skinny128_sbox(s0);
+ skinny128_sbox(s1);
+ skinny128_sbox(s2);
+ skinny128_sbox(s3);
+
+ /* XOR the round constant and the subkey for this round */
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
+ s2 ^= 0x02;
+
+ /* Shift the cells in the rows right, which moves the cell
+ * values up closer to the MSB. That is, we do a left rotate
+ * on the word to rotate the cells in the word right */
+ s1 = leftRotate8(s1);
+ s2 = leftRotate16(s2);
+ s3 = leftRotate24(s3);
+
+ /* Mix the columns */
+ s1 ^= s2;
+ s2 ^= s0;
+ temp = s3 ^ s2;
+ s3 = s2;
+ s2 = s1;
+ s1 = s0;
+ s0 = temp;
+
+ /* Permute TK1 and TK2 for the next round */
+ skinny128_permute_tk(TK1);
+ skinny128_permute_tk(TK2);
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ }
+
+ /* Pack the result into the output buffer */
+ le_store_word32(output, s0);
+ le_store_word32(output + 4, s1);
+ le_store_word32(output + 8, s2);
+ le_store_word32(output + 12, s3);
+}
+
+#else /* __AVR__ */
+
+void skinny_128_384_encrypt_tk2
+ (skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input, const unsigned char *tk2)
+{
+ memcpy(ks->TK2, tk2, 16);
+ skinny_128_384_encrypt(ks, output, input);
+}
+
+#endif /* __AVR__ */
diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128.h b/romulus/Implementations/crypto_aead/romulusm1+/rhys/internal-skinny128.h
similarity index 50%
rename from estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128.h
rename to romulus/Implementations/crypto_aead/romulusm1+/rhys/internal-skinny128.h
index f57d143..2bfda3c 100644
--- a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-gift128.h
+++ b/romulus/Implementations/crypto_aead/romulusm1+/rhys/internal-skinny128.h
@@ -20,224 +20,222 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LW_INTERNAL_GIFT128_H -#define LW_INTERNAL_GIFT128_H +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H /** - * \file internal-gift128.h - * \brief GIFT-128 block cipher. + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. * - * There are three versions of GIFT-128 in use within the second round - * submissions to the NIST lightweight cryptography competition. - * - * The most efficient version for 32-bit software implementation is the - * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT. - * - * The second is the nibble-based version from HYENA. We implement the - * HYENA version as a wrapper around the bit-sliced version. - * - * The third version is a variant on the HYENA nibble-based version that - * includes a 4-bit tweak value for domain separation. It is used by - * the ESTATE submission to NIST. - * - * Technically there is a fourth version of GIFT-128 which is the one that - * appeared in the original GIFT-128 paper. It is almost the same as the - * HYENA version except that the byte ordering is big-endian instead of - * HYENA's little-endian. The original version of GIFT-128 doesn't appear - * in any of the NIST submissions so we don't bother with it in this library. - * - * References: https://eprint.iacr.org/2017/622.pdf, - * https://eprint.iacr.org/2020/412.pdf, - * https://giftcipher.github.io/gift/ + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ */ #include #include -#include "internal-gift128-config.h" #ifdef __cplusplus extern "C" { #endif /** - * \brief Size of a GIFT-128 block in bytes. + * \def SKINNY_128_SMALL_SCHEDULE + * \brief Defined to 1 to use the small key schedule version of SKINNY-128. + */ +#if defined(__AVR__) +#define SKINNY_128_SMALL_SCHEDULE 1 +#else +#define SKINNY_128_SMALL_SCHEDULE 0 +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. 
*/ -#define GIFT128_BLOCK_SIZE 16 +#define SKINNY_128_BLOCK_SIZE 16 /** - * \var GIFT128_ROUND_KEYS - * \brief Number of round keys for the GIFT-128 key schedule. + * \brief Number of rounds for SKINNY-128-384. */ -#if GIFT128_VARIANT == GIFT128_VARIANT_TINY -#define GIFT128_ROUND_KEYS 4 -#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL -#define GIFT128_ROUND_KEYS 20 -#else -#define GIFT128_ROUND_KEYS 80 -#endif +#define SKINNY_128_384_ROUNDS 56 /** - * \brief Structure of the key schedule for GIFT-128 (bit-sliced). + * \brief Structure of the key schedule for SKINNY-128-384. */ typedef struct { - /** Pre-computed round keys for bit-sliced GIFT-128 */ - uint32_t k[GIFT128_ROUND_KEYS]; + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; -} gift128b_key_schedule_t; +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; + + /** TK3 for the small key schedule */ + uint8_t TK3[16]; +#else + /** Words of the full key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; +#endif + +} skinny_128_384_key_schedule_t; /** - * \brief Initializes the key schedule for GIFT-128 (bit-sliced). + * \brief Initializes the key schedule for SKINNY-128-384. * * \param ks Points to the key schedule to initialize. - * \param key Points to the 16 bytes of the key data. + * \param key Points to the key data. + */ +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. 
*/ -void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key); +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); /** - * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced). + * \brief Decrypts a 128-bit block with SKINNY-128-384. * - * \param ks Points to the GIFT-128 key schedule. + * \param ks Points to the SKINNY-128-384 key schedule. * \param output Output buffer which must be at least 16 bytes in length. * \param input Input buffer which must be at least 16 bytes in length. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. */ -void gift128b_encrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** - * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded). + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. * - * \param ks Points to the GIFT-128 key schedule. + * \param ks Points to the SKINNY-128-384 key schedule. * \param output Output buffer which must be at least 16 bytes in length. * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. * - * This version assumes that the input has already been pre-loaded from - * big-endian into host byte order in the supplied word array. The output - * is delivered in the same way. + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + * + * \note Some versions of this function may modify the key schedule to + * copy tk2 into place. 
*/ -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]); +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); /** - * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced). + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. * - * \param ks Points to the GIFT-128 key schedule. + * \param key Points to the 384-bit tweakey value. * \param output Output buffer which must be at least 16 bytes in length. * \param input Input buffer which must be at least 16 bytes in length. * * The \a input and \a output buffers can be the same buffer for - * in-place decryption. + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. */ -void gift128b_decrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, const unsigned char *input); /** - * \brief Structure of the key schedule for GIFT-128 (nibble-based). + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. */ -typedef gift128b_key_schedule_t gift128n_key_schedule_t; +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; +#else + /** Words of the full key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; +#endif + +} skinny_128_256_key_schedule_t; /** - * \brief Initializes the key schedule for GIFT-128 (nibble-based). + * \brief Initializes the key schedule for SKINNY-128-256. * * \param ks Points to the key schedule to initialize. 
- * \param key Points to the 16 bytes of the key data. + * \param key Points to the key data. */ -void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key); +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); /** - * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based). + * \brief Encrypts a 128-bit block with SKINNY-128-256. * - * \param ks Points to the GIFT-128 key schedule. + * \param ks Points to the SKINNY-128-256 key schedule. * \param output Output buffer which must be at least 16 bytes in length. * \param input Input buffer which must be at least 16 bytes in length. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. */ -void gift128n_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, const unsigned char *input); /** - * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based). - * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. + * \brief Decrypts a 128-bit block with SKINNY-128-256. * - * The \a input and \a output buffers can be the same buffer for - * in-place decryption. 
- */ -void gift128n_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */ -#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */ -#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */ -#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */ -#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */ -#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */ -#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */ -#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */ -#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */ -#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */ -#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */ -#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */ -#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */ -#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */ -#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */ -#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */ -#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */ - -/** - * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant). - * - * \param ks Points to the GIFT-128 key schedule. + * \param ks Points to the SKINNY-128-256 key schedule. * \param output Output buffer which must be at least 16 bytes in length. * \param input Input buffer which must be at least 16 bytes in length. - * \param tweak 4-bit tweak value expanded to 32-bit. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. - * - * This variant of GIFT-128 is used by the ESTATE submission to the - * NIST Lightweight Cryptography Competition. 
A 4-bit tweak is added to - * some of the rounds to provide domain separation. If the tweak is - * zero, then this function is identical to gift128n_encrypt(). */ -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak); +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); /** - * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant). + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. * - * \param ks Points to the GIFT-128 key schedule. + * \param key Points to the 256-bit tweakey value. * \param output Output buffer which must be at least 16 bytes in length. * \param input Input buffer which must be at least 16 bytes in length. - * \param tweak 4-bit tweak value expanded to 32-bit. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. * - * This variant of GIFT-128 is used by the ESTATE submission to the - * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to - * some of the rounds to provide domain separation. If the tweak is - * zero, then this function is identical to gift128n_encrypt(). + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. */ -void gift128t_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak); +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); #ifdef __cplusplus } 
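Review bot: The Doxygen blocks for both new decrypt declarations end with "in-place encryption": `skinny_128_384_decrypt` inherits that sentence from the gift128b_encrypt block it replaces, and for `skinny_128_256_decrypt` the hunk deletes the old "in-place decryption" line and keeps the encrypt wording from the gift128t_encrypt block instead. Both should read ` * in-place decryption.` so the aliasing contract describes the function actually declared. The `skinny_128_384_encrypt_tk2` comment says the TK2 part of the key "should be set to zero" at init time; it would help callers to add why in one line, e.g. ` * (the schedule's own TK2 contribution is replaced by \a tk2 on each call)`, if that is indeed the intent — this cannot be confirmed from the header alone.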
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusm1+/rhys/internal-skinnyutil.h
similarity index 100%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-skinnyutil.h
rename to romulus/Implementations/crypto_aead/romulusm1+/rhys/internal-skinnyutil.h
diff --git a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/internal-util.h b/romulus/Implementations/crypto_aead/romulusm1+/rhys/internal-util.h
similarity index 100%
rename from drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/internal-util.h
rename to romulus/Implementations/crypto_aead/romulusm1+/rhys/internal-util.h
diff --git a/romulus/Implementations/crypto_aead/romulusm1+/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusm1+/rhys/romulus.c
new file mode 100644
index 0000000..bb19cc5
--- /dev/null
+++ b/romulus/Implementations/crypto_aead/romulusm1+/rhys/romulus.c
@@ -0,0 +1,1974 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "romulus.h"
+#include "internal-skinny128.h"
+#include "internal-util.h"
+#include
+
+aead_cipher_t const romulus_n1_cipher = {
+ "Romulus-N1",
+ ROMULUS_KEY_SIZE,
+ ROMULUS1_NONCE_SIZE,
+ ROMULUS_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ romulus_n1_aead_encrypt,
+ romulus_n1_aead_decrypt
+};
+
+aead_cipher_t const romulus_n2_cipher = {
+ "Romulus-N2",
+ ROMULUS_KEY_SIZE,
+ ROMULUS2_NONCE_SIZE,
+ ROMULUS_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ romulus_n2_aead_encrypt,
+ romulus_n2_aead_decrypt
+};
+
+aead_cipher_t const romulus_n3_cipher = {
+ "Romulus-N3",
+ ROMULUS_KEY_SIZE,
+ ROMULUS3_NONCE_SIZE,
+ ROMULUS_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ romulus_n3_aead_encrypt,
+ romulus_n3_aead_decrypt
+};
+
+aead_cipher_t const romulus_m1_cipher = {
+ "Romulus-M1",
+ ROMULUS_KEY_SIZE,
+ ROMULUS1_NONCE_SIZE,
+ ROMULUS_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ romulus_m1_aead_encrypt,
+ romulus_m1_aead_decrypt
+};
+
+aead_cipher_t const romulus_m2_cipher = {
+ "Romulus-M2",
+ ROMULUS_KEY_SIZE,
+ ROMULUS2_NONCE_SIZE,
+ ROMULUS_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ romulus_m2_aead_encrypt,
+ romulus_m2_aead_decrypt
+};
+
+aead_cipher_t const romulus_m3_cipher = {
+ "Romulus-M3",
+ ROMULUS_KEY_SIZE,
+ ROMULUS3_NONCE_SIZE,
+ ROMULUS_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ romulus_m3_aead_encrypt,
+ romulus_m3_aead_decrypt
+};
+
+/**
+ * \brief Limit on the number of bytes of message or associated data (128Mb).
+ *
+ * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for
+ * payloads well into the petabyte range. It is unlikely that an embedded
+ * device will have that much memory to store a contiguous packet!
+ *
+ * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper
+ * 24 bits are difficult to modify in the key schedule. So we only
+ * update the low 24 bits and leave the high 24 bits fixed.
+ *
+ * Romulus-N3 and Romulus-M3 use a 24-bit block counter.
+ *
+ * For all algorithms, we limit the block counter to 2^23 so that the block
+ * counter can never exceed 2^24 - 1.
+ */
+#define ROMULUS_DATA_LIMIT \
+ ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE))
+
+/**
+ * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1.
+ *
+ * \param ks Points to the key schedule to initialize.
+ * \param k Points to the 16 bytes of the key.
+ * \param npub Points to the 16 bytes of the nonce. May be NULL
+ * if the nonce will be updated on the fly.
+ */
+static void romulus1_init
+ (skinny_128_384_key_schedule_t *ks,
+ const unsigned char *k, const unsigned char *npub)
+{
+ unsigned char TK[48];
+ TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */
+ memset(TK + 1, 0, 15);
+ if (npub)
+ memcpy(TK + 16, npub, 16);
+ else
+ memset(TK + 16, 0, 16);
+ memcpy(TK + 32, k, 16);
+ skinny_128_384_init(ks, TK);
+}
+
+/**
+ * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2.
+ *
+ * \param ks Points to the key schedule to initialize.
+ * \param k Points to the 16 bytes of the key.
+ * \param npub Points to the 12 bytes of the nonce. May be NULL
+ * if the nonce will be updated on the fly.
+ */
+static void romulus2_init
+ (skinny_128_384_key_schedule_t *ks,
+ const unsigned char *k, const unsigned char *npub)
+{
+ unsigned char TK[48];
+ TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */
+ if (npub) {
+ TK[1] = TK[2] = TK[3] = 0;
+ memcpy(TK + 4, npub, 12);
+ } else {
+ memset(TK + 1, 0, 15);
+ }
+ memcpy(TK + 16, k, 16);
+ TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */
+ memset(TK + 33, 0, 15);
+ skinny_128_384_init(ks, TK);
+}
+
+/**
+ * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3.
+ *
+ * \param ks Points to the key schedule to initialize.
+ * \param k Points to the 16 bytes of the key.
+ * \param npub Points to the 12 bytes of the nonce. May be NULL
+ * if the nonce will be updated on the fly.
+ */
+static void romulus3_init
+ (skinny_128_256_key_schedule_t *ks,
+ const unsigned char *k, const unsigned char *npub)
+{
+ unsigned char TK[32];
+ TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */
+ if (npub) {
+ TK[1] = TK[2] = TK[3] = 0;
+ memcpy(TK + 4, npub, 12);
+ } else {
+ memset(TK + 1, 0, 15);
+ }
+ memcpy(TK + 16, k, 16);
+ skinny_128_256_init(ks, TK);
+}
+
+/**
+ * \brief Sets the domain separation value for Romulus-N1 and M1.
+ *
+ * \param ks The key schedule to set the domain separation value into.
+ * \param domain The domain separation value.
+ */
+#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain))
+
+/**
+ * \brief Sets the domain separation value for Romulus-N2 and M2.
+ *
+ * \param ks The key schedule to set the domain separation value into.
+ * \param domain The domain separation value.
+ */
+#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain))
+
+/**
+ * \brief Sets the domain separation value for Romulus-N3 and M3.
+ *
+ * \param ks The key schedule to set the domain separation value into.
+ * \param domain The domain separation value.
+ */
+#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain))
+
+/**
+ * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1.
+ *
+ * \param TK1 Points to the TK1 part of the key schedule containing the LFSR.
+ */
+STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16])
+{
+ uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7);
+ TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7);
+ TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7);
+ TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7);
+ TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7);
+ TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7);
+ TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7);
+ TK1[0] = (TK1[0] << 1) ^ (mask & 0x95);
+}
+
+/**
+ * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2.
+ *
+ * \param TK1 Points to the TK1 part of the key schedule containing the LFSR.
+ *
+ * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of
+ * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT.
+ */
+STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16])
+{
+ uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7);
+ TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7);
+ TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7);
+ TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B);
+}
+
+/**
+ * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3.
+ *
+ * \param TK1 Points to the TK1 part of the key schedule containing the LFSR.
+ */
+#define romulus3_update_counter(TK1) romulus2_update_counter((TK1))
+
+/**
+ * \brief Process the asssociated data for Romulus-N1.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param npub Points to the nonce.
+ * \param ad Points to the associated data.
+ * \param adlen Length of the associated data in bytes.
+ */
+static void romulus_n1_process_ad
+ (skinny_128_384_key_schedule_t *ks,
+ unsigned char S[16], const unsigned char *npub,
+ const unsigned char *ad, unsigned long long adlen)
+{
+ unsigned char temp;
+
+ /* Handle the special case of no associated data */
+ if (adlen == 0) {
+ romulus1_update_counter(ks->TK1);
+ romulus1_set_domain(ks, 0x1A);
+ skinny_128_384_encrypt_tk2(ks, S, S, npub);
+ return;
+ }
+
+ /* Process all double blocks except the last */
+ romulus1_set_domain(ks, 0x08);
+ while (adlen > 32) {
+ romulus1_update_counter(ks->TK1);
+ lw_xor_block(S, ad, 16);
+ skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
+ romulus1_update_counter(ks->TK1);
+ ad += 32;
+ adlen -= 32;
+ }
+
+ /* Pad and process the left-over blocks */
+ romulus1_update_counter(ks->TK1);
+ temp = (unsigned)adlen;
+ if (temp == 32) {
+ /* Left-over complete double block */
+ lw_xor_block(S, ad, 16);
+ skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
+ romulus1_update_counter(ks->TK1);
+ romulus1_set_domain(ks, 0x18);
+ } else if (temp > 16) {
+ /* Left-over partial double block */
+ unsigned char pad[16];
+ temp -= 16;
+ lw_xor_block(S, ad, 16);
+ memcpy(pad, ad + 16, temp);
+ memset(pad + temp, 0, 15 - temp);
+ pad[15] = temp;
+ skinny_128_384_encrypt_tk2(ks, S, S, pad);
+ romulus1_update_counter(ks->TK1);
+ romulus1_set_domain(ks, 0x1A);
+ } else if (temp == 16) {
+ /* Left-over complete single block */
+ lw_xor_block(S, ad, temp);
+ romulus1_set_domain(ks, 0x18);
+ } else {
+ /* Left-over partial single block */
+ lw_xor_block(S, ad, temp);
+ S[15] ^= temp;
+ romulus1_set_domain(ks, 0x1A);
+ }
+ skinny_128_384_encrypt_tk2(ks, S, S, npub);
+}
+
+/**
+ * \brief Process the asssociated data for Romulus-N2.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param npub Points to the nonce.
+ * \param ad Points to the associated data.
+ * \param adlen Length of the associated data in bytes.
+ */
+static void romulus_n2_process_ad
+ (skinny_128_384_key_schedule_t *ks,
+ unsigned char S[16], const unsigned char *npub,
+ const unsigned char *ad, unsigned long long adlen)
+{
+ unsigned char temp;
+
+ /* Handle the special case of no associated data */
+ if (adlen == 0) {
+ romulus2_update_counter(ks->TK1);
+ romulus2_set_domain(ks, 0x5A);
+ memcpy(ks->TK1 + 4, npub, 12);
+ skinny_128_384_encrypt(ks, S, S);
+ return;
+ }
+
+ /* Process all double blocks except the last */
+ romulus2_set_domain(ks, 0x48);
+ while (adlen > 28) {
+ romulus2_update_counter(ks->TK1);
+ lw_xor_block(S, ad, 16);
+ memcpy(ks->TK1 + 4, ad + 16, 12);
+ skinny_128_384_encrypt(ks, S, S);
+ romulus2_update_counter(ks->TK1);
+ ad += 28;
+ adlen -= 28;
+ }
+
+ /* Pad and process the left-over blocks */
+ romulus2_update_counter(ks->TK1);
+ temp = (unsigned)adlen;
+ if (temp == 28) {
+ /* Left-over complete double block */
+ lw_xor_block(S, ad, 16);
+ memcpy(ks->TK1 + 4, ad + 16, 12);
+ skinny_128_384_encrypt(ks, S, S);
+ romulus2_update_counter(ks->TK1);
+ romulus2_set_domain(ks, 0x58);
+ } else if (temp > 16) {
+ /* Left-over partial double block */
+ temp -= 16;
+ lw_xor_block(S, ad, 16);
+ memcpy(ks->TK1 + 4, ad + 16, temp);
+ memset(ks->TK1 + 4 + temp, 0, 12 - temp);
+ ks->TK1[15] = temp;
+ skinny_128_384_encrypt(ks, S, S);
+ romulus2_update_counter(ks->TK1);
+ romulus2_set_domain(ks, 0x5A);
+ } else if (temp == 16) {
+ /* Left-over complete single block */
+ lw_xor_block(S, ad, temp);
+ romulus2_set_domain(ks, 0x58);
+ } else {
+ /* Left-over partial single block */
+ lw_xor_block(S, ad, temp);
+ S[15] ^= temp;
+ romulus2_set_domain(ks, 0x5A);
+ }
+ memcpy(ks->TK1 + 4, npub, 12);
+ skinny_128_384_encrypt(ks, S, S);
+}
+
+/**
+ * \brief Process the asssociated data for Romulus-N3.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param npub Points to the nonce.
+ * \param ad Points to the associated data.
+ * \param adlen Length of the associated data in bytes.
+ */
+static void romulus_n3_process_ad
+ (skinny_128_256_key_schedule_t *ks,
+ unsigned char S[16], const unsigned char *npub,
+ const unsigned char *ad, unsigned long long adlen)
+{
+ unsigned char temp;
+
+ /* Handle the special case of no associated data */
+ if (adlen == 0) {
+ romulus3_update_counter(ks->TK1);
+ romulus3_set_domain(ks, 0x9A);
+ memcpy(ks->TK1 + 4, npub, 12);
+ skinny_128_256_encrypt(ks, S, S);
+ return;
+ }
+
+ /* Process all double blocks except the last */
+ romulus3_set_domain(ks, 0x88);
+ while (adlen > 28) {
+ romulus3_update_counter(ks->TK1);
+ lw_xor_block(S, ad, 16);
+ memcpy(ks->TK1 + 4, ad + 16, 12);
+ skinny_128_256_encrypt(ks, S, S);
+ romulus3_update_counter(ks->TK1);
+ ad += 28;
+ adlen -= 28;
+ }
+
+ /* Pad and process the left-over blocks */
+ romulus3_update_counter(ks->TK1);
+ temp = (unsigned)adlen;
+ if (temp == 28) {
+ /* Left-over complete double block */
+ lw_xor_block(S, ad, 16);
+ memcpy(ks->TK1 + 4, ad + 16, 12);
+ skinny_128_256_encrypt(ks, S, S);
+ romulus3_update_counter(ks->TK1);
+ romulus3_set_domain(ks, 0x98);
+ } else if (temp > 16) {
+ /* Left-over partial double block */
+ temp -= 16;
+ lw_xor_block(S, ad, 16);
+ memcpy(ks->TK1 + 4, ad + 16, temp);
+ memset(ks->TK1 + 4 + temp, 0, 12 - temp);
+ ks->TK1[15] = temp;
+ skinny_128_256_encrypt(ks, S, S);
+ romulus3_update_counter(ks->TK1);
+ romulus3_set_domain(ks, 0x9A);
+ } else if (temp == 16) {
+ /* Left-over complete single block */
+ lw_xor_block(S, ad, temp);
+ romulus3_set_domain(ks, 0x98);
+ } else {
+ /* Left-over partial single block */
+ lw_xor_block(S, ad, temp);
+ S[15] ^= temp;
+ romulus3_set_domain(ks, 0x9A);
+ }
+ memcpy(ks->TK1 + 4, npub, 12);
+ skinny_128_256_encrypt(ks, S, S);
+}
+
+/**
+ * \brief Determine the domain separation value to use on the last
+ * block of the associated data processing.
+ *
+ * \param adlen Length of the associated data in bytes.
+ * \param mlen Length of the message in bytes.
+ * \param t Size of the second half of a double block; 12 or 16.
+ *
+ * \return The domain separation bits to use to finalize the last block.
+ */
+static uint8_t romulus_m_final_ad_domain
+ (unsigned long long adlen, unsigned long long mlen, unsigned t)
+{
+ uint8_t domain = 0;
+ unsigned split = 16U;
+ unsigned leftover;
+
+ /* Determine which domain bits we need based on the length of the ad */
+ if (adlen == 0) {
+ /* No associated data, so only 1 block with padding */
+ domain ^= 0x02;
+ split = t;
+ } else {
+ /* Even or odd associated data length?
*/ + leftover = (unsigned)(adlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x08; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x02; + split = t; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x0A; + } else { + /* Odd with a full single block at the end */ + split = t; + } + } + + /* Determine which domain bits we need based on the length of the message */ + if (mlen == 0) { + /* No message, so only 1 block with padding */ + domain ^= 0x01; + } else { + /* Even or odd message length? */ + leftover = (unsigned)(mlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x04; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x01; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x05; + } + } + return domain; +} + +/** + * \brief Process the asssociated data for Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. 
+ */ +static void romulus_m1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char pad[16]; + uint8_t final_domain = 0x30; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16); + + /* Process all associated data double blocks except the last */ + romulus1_set_domain(ks, 0x28); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 32) { + /* Last associated data double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + } else { + /* Last associated data block is single. 
Needs to be combined + * with the first block of the message payload */ + romulus1_set_domain(ks, 0x2C); + romulus1_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + romulus1_update_counter(ks->TK1); + m += 16; + mlen -= 16; + } else if (mlen == 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + m += 16; + mlen -= 16; + } else { + temp = (unsigned)mlen; + memcpy(pad, m, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus1_set_domain(ks, 0x2C); + while (mlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + romulus1_update_counter(ks->TK1); + m += 32; + mlen -= 32; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 32) { + /* Last message double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(pad, m + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus1_set_domain(ks, final_domain); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for 
Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0x70; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus2_set_domain(ks, 0x68); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else { + /* Last associated data block is single. 
Needs to be combined + * with the first block of the message payload */ + romulus2_set_domain(ks, 0x6C); + romulus2_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus2_set_domain(ks, 0x6C); + while (mlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus2_set_domain(ks, final_domain); + romulus2_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 
12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0xB0; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus3_set_domain(ks, 0xA8); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else { + /* Last associated data block is single. 
Needs to be combined + * with the first block of the message payload */ + romulus3_set_domain(ks, 0xAC); + romulus3_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus3_set_domain(ks, 0xAC); + while (mlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus3_set_domain(ks, final_domain); + romulus3_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 
12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Applies the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + */ +STATIC_INLINE void romulus_rho + (unsigned char S[16], unsigned char C[16], const unsigned char M[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } +} + +/** + * \brief Applies the inverse of the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + */ +STATIC_INLINE void romulus_rho_inverse + (unsigned char S[16], unsigned char M[16], const unsigned char C[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } +} + +/** + * \brief Applies the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_short + (unsigned char S[16], unsigned char C[16], + const unsigned char M[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Applies the inverse of the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + * \param len Length of the short block, must be less than 16. 
+ */ +STATIC_INLINE void romulus_rho_inverse_short + (unsigned char S[16], unsigned char M[16], + const unsigned char C[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Encrypts a plaintext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_n1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho(S, c, m); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. 
+ */ +static void romulus_n1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x15); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus1_set_domain(ks, 0x04); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus1_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus1_set_domain(ks, 0x15); + } else { + romulus_rho_inverse(S, m, c); + romulus1_set_domain(ks, 0x14); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. 
+ */ +static void romulus_n2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho(S, c, m); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. 
+ */ +static void romulus_n2_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x55); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus2_set_domain(ks, 0x44); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus2_update_counter(ks->TK1); + skinny_128_384_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus2_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus2_set_domain(ks, 0x55); + } else { + romulus_rho_inverse(S, m, c); + romulus2_set_domain(ks, 0x54); + } + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. 
+ */ +static void romulus_n3_encrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no plaintext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho(S, c, m); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_short(S, c, m, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho(S, c, m); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. 
+ */ +static void romulus_n3_decrypt + (skinny_128_256_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + unsigned temp; + + /* Handle the special case of no ciphertext */ + if (mlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x95); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all blocks except the last */ + romulus3_set_domain(ks, 0x84); + while (mlen > 16) { + romulus_rho_inverse(S, m, c); + romulus3_update_counter(ks->TK1); + skinny_128_256_encrypt(ks, S, S); + c += 16; + m += 16; + mlen -= 16; + } + + /* Pad and process the last block */ + temp = (unsigned)mlen; + romulus3_update_counter(ks->TK1); + if (temp < 16) { + romulus_rho_inverse_short(S, m, c, temp); + romulus3_set_domain(ks, 0x95); + } else { + romulus_rho_inverse(S, m, c); + romulus3_set_domain(ks, 0x94); + } + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. 
+ * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m1_decrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *m, const unsigned char *c, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus1_set_domain(ks, 0x24); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse(S, m, c); + romulus1_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_inverse_short(S, m, c, (unsigned)mlen); +} + +/** + * \brief Encrypts a plaintext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param c Points to the buffer to receive the ciphertext. + * \param m Points to the buffer containing the plaintext. + * \param mlen Length of the plaintext in bytes. + */ +static void romulus_m2_encrypt + (skinny_128_384_key_schedule_t *ks, unsigned char S[16], + unsigned char *c, const unsigned char *m, unsigned long long mlen) +{ + /* Nothing to do if the message is empty */ + if (!mlen) + return; + + /* Process all block except the last */ + romulus2_set_domain(ks, 0x64); + while (mlen > 16) { + skinny_128_384_encrypt(ks, S, S); + romulus_rho(S, c, m); + romulus2_update_counter(ks->TK1); + c += 16; + m += 16; + mlen -= 16; + } + + /* Handle the last block */ + skinny_128_384_encrypt(ks, S, S); + romulus_rho_short(S, c, m, (unsigned)mlen); +} + +/** + * \brief Decrypts a ciphertext message with Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param m Points to the buffer to receive the plaintext. + * \param c Points to the buffer containing the ciphertext. 
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_m2_decrypt
+ (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *m, const unsigned char *c, unsigned long long mlen)
+{
+ /* Nothing to do if the message is empty */
+ if (!mlen)
+ return;
+
+ /* Process all block except the last */
+ romulus2_set_domain(ks, 0x64);
+ while (mlen > 16) {
+ skinny_128_384_encrypt(ks, S, S);
+ romulus_rho_inverse(S, m, c);
+ romulus2_update_counter(ks->TK1);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Handle the last block */
+ skinny_128_384_encrypt(ks, S, S);
+ romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
+}
+
+/**
+ * \brief Encrypts a plaintext message with Romulus-M3.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param c Points to the buffer to receive the ciphertext.
+ * \param m Points to the buffer containing the plaintext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_m3_encrypt
+ (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *c, const unsigned char *m, unsigned long long mlen)
+{
+ /* Nothing to do if the message is empty */
+ if (!mlen)
+ return;
+
+ /* Process all block except the last */
+ romulus3_set_domain(ks, 0xA4);
+ while (mlen > 16) {
+ skinny_128_256_encrypt(ks, S, S);
+ romulus_rho(S, c, m);
+ romulus3_update_counter(ks->TK1);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Handle the last block */
+ skinny_128_256_encrypt(ks, S, S);
+ romulus_rho_short(S, c, m, (unsigned)mlen);
+}
+
+/**
+ * \brief Decrypts a ciphertext message with Romulus-M3.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param m Points to the buffer to receive the plaintext.
+ * \param c Points to the buffer containing the ciphertext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_m3_decrypt
+ (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *m, const unsigned char *c, unsigned long long mlen)
+{
+ /* Nothing to do if the message is empty */
+ if (!mlen)
+ return;
+
+ /* Process all block except the last */
+ romulus3_set_domain(ks, 0xA4);
+ while (mlen > 16) {
+ skinny_128_256_encrypt(ks, S, S);
+ romulus_rho_inverse(S, m, c);
+ romulus3_update_counter(ks->TK1);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Handle the last block */
+ skinny_128_256_encrypt(ks, S, S);
+ romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
+}
+
+/**
+ * \brief Generates the authentication tag from the rolling Romulus state.
+ *
+ * \param T Buffer to receive the generated tag; can be the same as S.
+ * \param S The rolling Romulus state.
+ */
+STATIC_INLINE void romulus_generate_tag
+ (unsigned char T[16], const unsigned char S[16])
+{
+ unsigned index;
+ for (index = 0; index < 16; ++index) {
+ unsigned char s = S[index];
+ T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7);
+ }
+}
+
+int romulus_n1_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus1_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_n1_process_ad(&ks, S, npub, ad, adlen);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus1_init(&ks, k, npub);
+
+ /* Encrypts the plaintext to produce the ciphertext */
+ romulus_n1_encrypt(&ks, S, c, m, mlen);
+
+ /* Generate the authentication tag */
+ romulus_generate_tag(c + mlen, S);
+ return 0;
+}
+
+int romulus_n1_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < ROMULUS_TAG_SIZE)
+ return -1;
+ *mlen = clen - ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT ||
+ clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus1_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_n1_process_ad(&ks, S, npub, ad, adlen);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus1_init(&ks, k, npub);
+
+ /* Decrypt the ciphertext to produce the plaintext */
+ clen -= ROMULUS_TAG_SIZE;
+ romulus_n1_decrypt(&ks, S, m, c, clen);
+
+ /* Check the authentication tag */
+ romulus_generate_tag(S, S);
+ return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
+}
+
+int romulus_n2_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus2_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_n2_process_ad(&ks, S, npub, ad, adlen);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus2_init(&ks, k, npub);
+
+ /* Encrypts the plaintext to produce the ciphertext */
+ romulus_n2_encrypt(&ks, S, c, m, mlen);
+
+ /* Generate the authentication tag */
+ romulus_generate_tag(c + mlen, S);
+ return 0;
+}
+
+int romulus_n2_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < ROMULUS_TAG_SIZE)
+ return -1;
+ *mlen = clen - ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT ||
+ clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus2_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_n2_process_ad(&ks, S, npub, ad, adlen);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus2_init(&ks, k, npub);
+
+ /* Decrypt the ciphertext to produce the plaintext */
+ clen -= ROMULUS_TAG_SIZE;
+ romulus_n2_decrypt(&ks, S, m, c, clen);
+
+ /* Check the authentication tag */
+ romulus_generate_tag(S, S);
+ return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
+}
+
+int romulus_n3_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_256_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus3_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_n3_process_ad(&ks, S, npub, ad, adlen);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus3_init(&ks, k, npub);
+
+ /* Encrypts the plaintext to produce the ciphertext */
+ romulus_n3_encrypt(&ks, S, c, m, mlen);
+
+ /* Generate the authentication tag */
+ romulus_generate_tag(c + mlen, S);
+ return 0;
+}
+
+int romulus_n3_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_256_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < ROMULUS_TAG_SIZE)
+ return -1;
+ *mlen = clen - ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT ||
+ clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus3_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_n3_process_ad(&ks, S, npub, ad, adlen);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus3_init(&ks, k, npub);
+
+ /* Decrypt the ciphertext to produce the plaintext */
+ clen -= ROMULUS_TAG_SIZE;
+ romulus_n3_decrypt(&ks, S, m, c, clen);
+
+ /* Check the authentication tag */
+ romulus_generate_tag(S, S);
+ return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
+}
+
+int romulus_m1_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus1_init(&ks, k, 0);
+
+ /* Process the associated data and the plaintext message */
+ memset(S, 0, sizeof(S));
+ romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen);
+
+ /* Generate the authentication tag, which is also the initialization
+ * vector for the encryption portion of the packet processing */
+ romulus_generate_tag(S, S);
+ memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus1_init(&ks, k, npub);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ romulus_m1_encrypt(&ks, S, c, m, mlen);
+ return 0;
+}
+
+int romulus_m1_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < ROMULUS_TAG_SIZE)
+ return -1;
+ *mlen = clen - ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT ||
+ clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
+ return -2;
+
+ /* Initialize the key schedule with the key and nonce */
+ romulus1_init(&ks, k, npub);
+
+ /* Decrypt the ciphertext to produce the plaintext, using the
+ * authentication tag as the initialization vector for decryption */
+ clen -= ROMULUS_TAG_SIZE;
+ memcpy(S, c + clen, ROMULUS_TAG_SIZE);
+ romulus_m1_decrypt(&ks, S, m, c, clen);
+
+ /* Re-initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus1_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen);
+
+ /* Check the authentication tag */
+ romulus_generate_tag(S, S);
+ return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
+}
+
+int romulus_m2_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus2_init(&ks, k, 0);
+
+ /* Process the associated data and the plaintext message */
+ memset(S, 0, sizeof(S));
+ romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen);
+
+ /* Generate the authentication tag, which is also the initialization
+ * vector for the encryption portion of the packet processing */
+ romulus_generate_tag(S, S);
+ memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus2_init(&ks, k, npub);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ romulus_m2_encrypt(&ks, S, c, m, mlen);
+ return 0;
+}
+
+int romulus_m2_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < ROMULUS_TAG_SIZE)
+ return -1;
+ *mlen = clen - ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT ||
+ clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
+ return -2;
+
+ /* Initialize the key schedule with the key and nonce */
+ romulus2_init(&ks, k, npub);
+
+ /* Decrypt the ciphertext to produce the plaintext, using the
+ * authentication tag as the initialization vector for decryption */
+ clen -= ROMULUS_TAG_SIZE;
+ memcpy(S, c + clen, ROMULUS_TAG_SIZE);
+ romulus_m2_decrypt(&ks, S, m, c, clen);
+
+ /* Re-initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus2_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen);
+
+ /* Check the authentication tag */
+ romulus_generate_tag(S, S);
+ return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
+}
+
+int romulus_m3_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_256_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
+ return -2;
+
+ /* Initialize the key schedule with the key and nonce */
+ romulus3_init(&ks, k, npub);
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus3_init(&ks, k, 0);
+
+ /* Process the associated data and the plaintext message */
+ memset(S, 0, sizeof(S));
+ romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen);
+
+ /* Generate the authentication tag, which is also the initialization
+ * vector for the encryption portion of the packet processing */
+ romulus_generate_tag(S, S);
+ memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus3_init(&ks, k, npub);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ romulus_m3_encrypt(&ks, S, c, m, mlen);
+ return 0;
+}
+
+int romulus_m3_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_256_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < ROMULUS_TAG_SIZE)
+ return -1;
+ *mlen = clen - ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT ||
+ clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
+ return -2;
+
+ /* Initialize the key schedule with the key and nonce */
+ romulus3_init(&ks, k, npub);
+
+ /* Decrypt the ciphertext to produce the plaintext, using the
+ * authentication tag as the initialization vector for decryption */
+ clen -= ROMULUS_TAG_SIZE;
+ memcpy(S, c + clen, ROMULUS_TAG_SIZE);
+ romulus_m3_decrypt(&ks, S, m, c, clen);
+
+ /* Re-initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus3_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen);
+
+ /* Check the authentication tag */
+ romulus_generate_tag(S, S);
+ return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
+}
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/forkae.h b/romulus/Implementations/crypto_aead/romulusm1+/rhys/romulus.h
similarity index 57%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/forkae.h
rename to romulus/Implementations/crypto_aead/romulusm1+/rhys/romulus.h
index 3e27b50..e6da29d 100644
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/forkae.h
+++ b/romulus/Implementations/crypto_aead/romulusm1+/rhys/romulus.h
@@ -20,50 +20,40 @@
 * DEALINGS IN THE SOFTWARE.
 */
-#ifndef LWCRYPTO_FORKAE_H
-#define LWCRYPTO_FORKAE_H
+#ifndef LWCRYPTO_ROMULUS_H
+#define LWCRYPTO_ROMULUS_H
 #include "aead-common.h"
 /**
- * \file forkae.h
- * \brief ForkAE authenticated encryption algorithm family.
- *
- * ForkAE is a family of authenticated encryption algorithms based on a
- * modified version of the SKINNY tweakable block cipher. The modifications
- * introduce "forking" where each input block produces two output blocks
- * for use in encryption and authentication. There are six members in
- * the ForkAE family:
- *
- * \li PAEF-ForkSkinny-64-192 has a 128-bit key, a 48-bit nonce, and a
- * 64-bit authentication tag. The associated data and plaintext are
- * limited to 216 bytes.
- * \li PAEF-ForkSkinny-128-192 has a 128-bit key, a 48-bit nonce, and a
- * 128-bit authentication tag. The associated data and plaintext are
- * limited to 217 bytes.
- * \li PAEF-ForkSkinny-128-256 has a 128-bit key, a 112-bit nonce, and a
- * 128-bit authentication tag. The associated data and plaintext are
- * limited to 217 bytes.
- * \li PAEF-ForkSkinny-128-288 has a 128-bit key, a 104-bit nonce, and a
- * 128-bit authentication tag. The associated data and plaintext are
- * limited to 257 bytes. This is the primary member of the family.
- * \li SAEF-ForkSkinny-128-192 has a 128-bit key, a 56-bit nonce, and a
- * 128-bit authentication tag. The associated data and plaintext may be
- * unlimited in size.
- * \li SAEF-ForkSkinny-128-256 has a 128-bit key, a 120-bit nonce, and a
- * 128-bit authentication tag. The associated data and plaintext may be
- * unlimited in size.
- *
- * The PAEF variants support parallel encryption and decryption for
- * higher throughput. The SAEF variants encrypt or decrypt blocks
- * sequentially.
- *
- * ForkAE is designed to be efficient on small packet sizes so most of
- * the PAEF algorithms have a limit of 64k or 128k on the amount of
- * payload in a single packet. Obviously the input can be split into
- * separate packets for larger amounts of data.
- *
- * References: https://www.esat.kuleuven.be/cosic/forkae/
+ * \file romulus.h
+ * \brief Romulus authenticated encryption algorithm family.
+ *
+ * Romulus is a family of authenticated encryption algorithms that
+ * are built around the SKINNY-128 tweakable block cipher. There
+ * are six members in the family:
+ *
+ * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag,
+ * based around the SKINNY-128-384 tweakable block cipher. This is the
+ * primary member of the family.
+ * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
+ * based around the SKINNY-128-384 tweakable block cipher.
+ * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
+ * based around the SKINNY-128-256 tweakable block cipher.
+ * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag,
+ * based around the SKINNY-128-384 tweakable block cipher.
+ * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
+ * based around the SKINNY-128-384 tweakable block cipher.
+ * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
+ * based around the SKINNY-128-256 tweakable block cipher.
+ *
+ * The Romulus-M variants are resistant to nonce reuse as long as the
+ * combination of the associated data and plaintext is unique. If the
+ * same associated data and plaintext are reused under the same nonce,
+ * then the scheme will leak that the same plaintext has been sent for a
+ * second time but will not reveal the plaintext itself.
+ *
+ * References: https://romulusae.github.io/romulus/
 */
 #ifdef __cplusplus
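Review bot: The new file comment says nothing about per-packet size limits, yet every `*_aead_encrypt`/`*_aead_decrypt` body in romulus.c earlier in this diff rejects `adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT` with -2, and ROMULUS_DATA_LIMIT is not defined in any hunk of this header, so it is presumably private to the .c file and invisible to API users. The ForkAE text this replaces did state its 64k/128k payload limits, so a caller migrating to Romulus loses that information exactly where they would look for it. Suggest a sentence after the nonce-reuse paragraph such as ` * The associated data and the plaintext of a single packet are each limited` / ` * in size; inputs over the limit are rejected with a negative return value.` and, if the limit is meant to be public, moving its definition into this header next to ROMULUS_TAG_SIZE with a \brief of its own.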
@@ -71,131 +61,66 @@ extern "C" {
 #endif
 /**
- * \brief Size of the key for PAEF-ForkSkinny-64-192.
- */
-#define FORKAE_PAEF_64_192_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for PAEF-ForkSkinny-64-192.
- */
-#define FORKAE_PAEF_64_192_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for PAEF-ForkSkinny-64-192.
+ * \brief Size of the key for all Romulus family members.
 */
-#define FORKAE_PAEF_64_192_NONCE_SIZE 6
+#define ROMULUS_KEY_SIZE 16
 /**
- * \brief Size of the key for PAEF-ForkSkinny-128-192.
+ * \brief Size of the authentication tag for all Romulus family members.
 */
-#define FORKAE_PAEF_128_192_KEY_SIZE 16
+#define ROMULUS_TAG_SIZE 16
 /**
- * \brief Size of the authentication tag for PAEF-ForkSkinny-128-192.
+ * \brief Size of the nonce for Romulus-N1 and Romulus-M1.
 */
-#define FORKAE_PAEF_128_192_TAG_SIZE 16
+#define ROMULUS1_NONCE_SIZE 16
 /**
- * \brief Size of the nonce for PAEF-ForkSkinny-128-192.
+ * \brief Size of the nonce for Romulus-N2 and Romulus-M2.
 */
-#define FORKAE_PAEF_128_192_NONCE_SIZE 6
+#define ROMULUS2_NONCE_SIZE 12
 /**
- * \brief Size of the key for PAEF-ForkSkinny-128-256.
+ * \brief Size of the nonce for Romulus-N3 and Romulus-M3.
 */
-#define FORKAE_PAEF_128_256_KEY_SIZE 16
+#define ROMULUS3_NONCE_SIZE 12
 /**
- * \brief Size of the authentication tag for PAEF-ForkSkinny-128-256.
+ * \brief Meta-information block for the Romulus-N1 cipher.
 */
-#define FORKAE_PAEF_128_256_TAG_SIZE 16
+extern aead_cipher_t const romulus_n1_cipher;
 /**
- * \brief Size of the nonce for PAEF-ForkSkinny-128-256.
+ * \brief Meta-information block for the Romulus-N2 cipher.
 */
-#define FORKAE_PAEF_128_256_NONCE_SIZE 14
+extern aead_cipher_t const romulus_n2_cipher;
 /**
- * \brief Size of the key for PAEF-ForkSkinny-128-288.
+ * \brief Meta-information block for the Romulus-N3 cipher.
 */
-#define FORKAE_PAEF_128_288_KEY_SIZE 16
+extern aead_cipher_t const romulus_n3_cipher;
 /**
- * \brief Size of the authentication tag for PAEF-ForkSkinny-128-288.
+ * \brief Meta-information block for the Romulus-M1 cipher.
 */
-#define FORKAE_PAEF_128_288_TAG_SIZE 16
+extern aead_cipher_t const romulus_m1_cipher;
 /**
- * \brief Size of the nonce for PAEF-ForkSkinny-128-288.
+ * \brief Meta-information block for the Romulus-M2 cipher.
 */
-#define FORKAE_PAEF_128_288_NONCE_SIZE 13
+extern aead_cipher_t const romulus_m2_cipher;
 /**
- * \brief Size of the key for SAEF-ForkSkinny-128-192.
+ * \brief Meta-information block for the Romulus-M3 cipher.
 */
-#define FORKAE_SAEF_128_192_KEY_SIZE 16
+extern aead_cipher_t const romulus_m3_cipher;
 /**
- * \brief Size of the authentication tag for SAEF-ForkSkinny-128-192.
- */
-#define FORKAE_SAEF_128_192_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SAEF-ForkSkinny-128-192.
- */
-#define FORKAE_SAEF_128_192_NONCE_SIZE 7
-
-/**
- * \brief Size of the key for SAEF-ForkSkinny-128-256.
- */
-#define FORKAE_SAEF_128_256_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SAEF-ForkSkinny-128-256.
- */
-#define FORKAE_SAEF_128_256_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SAEF-ForkSkinny-128-256.
- */
-#define FORKAE_SAEF_128_256_NONCE_SIZE 15
-
-/**
- * \brief Meta-information block for the PAEF-ForkSkinny-64-192 cipher.
- */
-extern aead_cipher_t const forkae_paef_64_192_cipher;
-
-/**
- * \brief Meta-information block for the PAEF-ForkSkinny-128-192 cipher.
- */
-extern aead_cipher_t const forkae_paef_128_192_cipher;
-
-/**
- * \brief Meta-information block for the PAEF-ForkSkinny-128-256 cipher.
- */
-extern aead_cipher_t const forkae_paef_128_256_cipher;
-
-/**
- * \brief Meta-information block for the PAEF-ForkSkinny-128-288 cipher.
- */
-extern aead_cipher_t const forkae_paef_128_288_cipher;
-
-/**
- * \brief Meta-information block for the SAEF-ForkSkinny-128-192 cipher.
- */
-extern aead_cipher_t const forkae_saef_128_192_cipher;
-
-/**
- * \brief Meta-information block for the SAEF-ForkSkinny-128-256 cipher.
- */
-extern aead_cipher_t const forkae_saef_128_256_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-64-192.
+ * \brief Encrypts and authenticates a packet with Romulus-N1.
 *
 * \param c Buffer to receive the output.
 * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
+ * the ciphertext and the 16 byte authentication tag.
 * \param m Buffer that contains the plaintext message to encrypt.
 * \param mlen Length of the plaintext message in bytes.
 * \param ad Buffer that contains associated data to authenticate
@@ -203,15 +128,15 @@ extern aead_cipher_t const forkae_saef_128_256_cipher;
 * \param adlen Length of the associated data in bytes.
 * \param nsec Secret nonce - not used by this algorithm.
 * \param npub Points to the public nonce for the packet which must
- * be 6 bytes in length.
+ * be 16 bytes in length.
 * \param k Points to the 16 bytes of the key to use to encrypt the packet.
 *
 * \return 0 on success, or a negative value if there was an error in
 * the parameters.
 *
- * \sa forkae_paef_64_192_aead_decrypt()
+ * \sa romulus_n1_aead_decrypt()
 */
-int forkae_paef_64_192_aead_encrypt
+int romulus_n1_aead_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
 const unsigned char *ad, unsigned long long adlen,
@@ -220,7 +145,7 @@ int forkae_paef_64_192_aead_encrypt
 const unsigned char *k);
 /**
- * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-192.
+ * \brief Decrypts and authenticates a packet with Romulus-N1.
 *
 * \param m Buffer to receive the plaintext message on output.
 * \param mlen Receives the length of the plaintext message on output.
@@ -228,20 +153,20 @@ int forkae_paef_64_192_aead_encrypt
 * \param c Buffer that contains the ciphertext and authentication
 * tag to decrypt.
 * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
+ * ciphertext and the 16 byte authentication tag.
 * \param ad Buffer that contains associated data to authenticate
 * along with the packet but which does not need to be encrypted.
 * \param adlen Length of the associated data in bytes.
 * \param npub Points to the public nonce for the packet which must
- * be 6 bytes in length.
+ * be 16 bytes in length.
 * \param k Points to the 16 bytes of the key to use to decrypt the packet.
 *
 * \return 0 on success, -1 if the authentication tag was incorrect,
 * or some other negative number if there was an error in the parameters.
 *
- * \sa forkae_paef_64_192_aead_encrypt()
+ * \sa romulus_n1_aead_encrypt()
 */
-int forkae_paef_64_192_aead_decrypt
+int romulus_n1_aead_decrypt
 (unsigned char *m, unsigned long long *mlen,
 unsigned char *nsec,
 const unsigned char *c, unsigned long long clen,
@@ -250,7 +175,7 @@ int forkae_paef_64_192_aead_decrypt
 const unsigned char *k);
 /**
- * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-192.
+ * \brief Encrypts and authenticates a packet with Romulus-N2.
 *
 * \param c Buffer to receive the output.
 * \param clen On exit, set to the length of the output which includes
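Review bot: The `\return` text kept in this hunk reserves -1 for "the authentication tag was incorrect" and "some other negative number" for parameter errors, but `romulus_n1_aead_decrypt` in romulus.c earlier in this diff returns -1 when `clen < ROMULUS_TAG_SIZE`, which is a parameter error, so a caller following this contract cannot distinguish a truncated input from a forged tag; the identical wording is carried over for the N2, N3, M1, M2 and M3 decrypt prototypes in the hunks that follow. If a too-short ciphertext is deliberately treated as an authentication failure, say so once in each `\return`, e.g. ` * \return 0 on success, -1 if the authentication tag was incorrect or the` / ` * input is shorter than the tag, or some other negative number if there` / ` * was an error in the parameters.`; otherwise the implementation should return -2 for that check like the other length checks do. Whether the rest of this library shares the -1 convention is not visible from these hunks.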
@@ -262,15 +187,15 @@ int forkae_paef_64_192_aead_decrypt
 * \param adlen Length of the associated data in bytes.
 * \param nsec Secret nonce - not used by this algorithm.
 * \param npub Points to the public nonce for the packet which must
- * be 6 bytes in length.
+ * be 12 bytes in length.
 * \param k Points to the 16 bytes of the key to use to encrypt the packet.
 *
 * \return 0 on success, or a negative value if there was an error in
 * the parameters.
 *
- * \sa forkae_paef_128_192_aead_decrypt()
+ * \sa romulus_n2_aead_decrypt()
 */
-int forkae_paef_128_192_aead_encrypt
+int romulus_n2_aead_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
 const unsigned char *ad, unsigned long long adlen,
@@ -279,7 +204,7 @@ int forkae_paef_128_192_aead_encrypt
 const unsigned char *k);
 /**
- * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-192.
+ * \brief Decrypts and authenticates a packet with Romulus-N2.
 *
 * \param m Buffer to receive the plaintext message on output.
 * \param mlen Receives the length of the plaintext message on output.
@@ -292,15 +217,15 @@ int forkae_paef_128_192_aead_encrypt
 * along with the packet but which does not need to be encrypted.
 * \param adlen Length of the associated data in bytes.
 * \param npub Points to the public nonce for the packet which must
- * be 6 bytes in length.
+ * be 12 bytes in length.
 * \param k Points to the 16 bytes of the key to use to decrypt the packet.
 *
 * \return 0 on success, -1 if the authentication tag was incorrect,
 * or some other negative number if there was an error in the parameters.
 *
- * \sa forkae_paef_128_192_aead_encrypt()
+ * \sa romulus_n2_aead_encrypt()
 */
-int forkae_paef_128_192_aead_decrypt
+int romulus_n2_aead_decrypt
 (unsigned char *m, unsigned long long *mlen,
 unsigned char *nsec,
 const unsigned char *c, unsigned long long clen,
@@ -309,7 +234,7 @@ int forkae_paef_128_192_aead_decrypt
 const unsigned char *k);
 /**
- * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-256.
+ * \brief Encrypts and authenticates a packet with Romulus-N3.
 *
 * \param c Buffer to receive the output.
 * \param clen On exit, set to the length of the output which includes
@@ -321,15 +246,15 @@ int forkae_paef_128_192_aead_decrypt
 * \param adlen Length of the associated data in bytes.
 * \param nsec Secret nonce - not used by this algorithm.
 * \param npub Points to the public nonce for the packet which must
- * be 14 bytes in length.
+ * be 12 bytes in length.
 * \param k Points to the 16 bytes of the key to use to encrypt the packet.
 *
 * \return 0 on success, or a negative value if there was an error in
 * the parameters.
 *
- * \sa forkae_paef_128_256_aead_decrypt()
+ * \sa romulus_n3_aead_decrypt()
 */
-int forkae_paef_128_256_aead_encrypt
+int romulus_n3_aead_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
 const unsigned char *ad, unsigned long long adlen,
@@ -338,7 +263,7 @@ int forkae_paef_128_256_aead_encrypt
 const unsigned char *k);
 /**
- * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-256.
+ * \brief Decrypts and authenticates a packet with Romulus-N3.
 *
 * \param m Buffer to receive the plaintext message on output.
 * \param mlen Receives the length of the plaintext message on output.
@@ -351,15 +276,15 @@ int forkae_paef_128_256_aead_encrypt
 * along with the packet but which does not need to be encrypted.
 * \param adlen Length of the associated data in bytes.
 * \param npub Points to the public nonce for the packet which must
- * be 14 bytes in length.
+ * be 12 bytes in length.
 * \param k Points to the 16 bytes of the key to use to decrypt the packet.
 *
 * \return 0 on success, -1 if the authentication tag was incorrect,
 * or some other negative number if there was an error in the parameters.
 *
- * \sa forkae_paef_128_256_aead_encrypt()
+ * \sa romulus_n3_aead_encrypt()
 */
-int forkae_paef_128_256_aead_decrypt
+int romulus_n3_aead_decrypt
 (unsigned char *m, unsigned long long *mlen,
 unsigned char *nsec,
 const unsigned char *c, unsigned long long clen,
@@ -368,7 +293,7 @@ int forkae_paef_128_256_aead_decrypt
 const unsigned char *k);
 /**
- * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-288.
+ * \brief Encrypts and authenticates a packet with Romulus-M1.
 *
 * \param c Buffer to receive the output.
 * \param clen On exit, set to the length of the output which includes
@@ -380,15 +305,15 @@ int forkae_paef_128_256_aead_decrypt
 * \param adlen Length of the associated data in bytes.
 * \param nsec Secret nonce - not used by this algorithm.
 * \param npub Points to the public nonce for the packet which must
- * be 13 bytes in length.
+ * be 16 bytes in length.
 * \param k Points to the 16 bytes of the key to use to encrypt the packet.
 *
 * \return 0 on success, or a negative value if there was an error in
 * the parameters.
 *
- * \sa forkae_paef_128_288_aead_decrypt()
+ * \sa romulus_m1_aead_decrypt()
 */
-int forkae_paef_128_288_aead_encrypt
+int romulus_m1_aead_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
 const unsigned char *ad, unsigned long long adlen,
@@ -397,7 +322,7 @@ int forkae_paef_128_288_aead_encrypt
 const unsigned char *k);
 /**
- * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-288.
+ * \brief Decrypts and authenticates a packet with Romulus-M1.
 *
 * \param m Buffer to receive the plaintext message on output.
 * \param mlen Receives the length of the plaintext message on output.
@@ -410,15 +335,15 @@ int forkae_paef_128_288_aead_encrypt
 * along with the packet but which does not need to be encrypted.
 * \param adlen Length of the associated data in bytes.
 * \param npub Points to the public nonce for the packet which must
- * be 13 bytes in length.
+ * be 16 bytes in length.
 * \param k Points to the 16 bytes of the key to use to decrypt the packet.
 *
 * \return 0 on success, -1 if the authentication tag was incorrect,
 * or some other negative number if there was an error in the parameters.
 *
- * \sa forkae_paef_128_288_aead_encrypt()
+ * \sa romulus_m1_aead_encrypt()
 */
-int forkae_paef_128_288_aead_decrypt
+int romulus_m1_aead_decrypt
 (unsigned char *m, unsigned long long *mlen,
 unsigned char *nsec,
 const unsigned char *c, unsigned long long clen,
@@ -427,7 +352,7 @@ int forkae_paef_128_288_aead_decrypt
 const unsigned char *k);
 /**
- * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-192.
+ * \brief Encrypts and authenticates a packet with Romulus-M2.
 *
 * \param c Buffer to receive the output.
 * \param clen On exit, set to the length of the output which includes
@@ -439,15 +364,15 @@ int forkae_paef_128_288_aead_decrypt
 * \param adlen Length of the associated data in bytes.
 * \param nsec Secret nonce - not used by this algorithm.
 * \param npub Points to the public nonce for the packet which must
- * be 7 bytes in length.
+ * be 12 bytes in length.
 * \param k Points to the 16 bytes of the key to use to encrypt the packet.
 *
 * \return 0 on success, or a negative value if there was an error in
 * the parameters.
 *
- * \sa forkae_saef_128_192_aead_decrypt()
+ * \sa romulus_m2_aead_decrypt()
 */
-int forkae_saef_128_192_aead_encrypt
+int romulus_m2_aead_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
 const unsigned char *ad, unsigned long long adlen,
@@ -456,7 +381,7 @@ int forkae_saef_128_192_aead_encrypt
 const unsigned char *k);
 /**
- * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-192.
+ * \brief Decrypts and authenticates a packet with Romulus-M2.
 *
 * \param m Buffer to receive the plaintext message on output.
 * \param mlen Receives the length of the plaintext message on output.
@@ -469,15 +394,15 @@ int forkae_saef_128_192_aead_encrypt
 * along with the packet but which does not need to be encrypted.
 * \param adlen Length of the associated data in bytes.
 * \param npub Points to the public nonce for the packet which must
- * be 7 bytes in length.
+ * be 12 bytes in length.
 * \param k Points to the 16 bytes of the key to use to decrypt the packet.
 *
 * \return 0 on success, -1 if the authentication tag was incorrect,
 * or some other negative number if there was an error in the parameters.
 *
- * \sa forkae_saef_128_192_aead_encrypt()
+ * \sa romulus_m2_aead_encrypt()
 */
-int forkae_saef_128_192_aead_decrypt
+int romulus_m2_aead_decrypt
 (unsigned char *m, unsigned long long *mlen,
 unsigned char *nsec,
 const unsigned char *c, unsigned long long clen,
@@ -486,7 +411,7 @@ int forkae_saef_128_192_aead_decrypt
 const unsigned char *k);
 /**
- * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-256.
+ * \brief Encrypts and authenticates a packet with Romulus-M3.
 *
 * \param c Buffer to receive the output.
 * \param clen On exit, set to the length of the output which includes
@@ -498,15 +423,15 @@ int forkae_saef_128_192_aead_decrypt
 * \param adlen Length of the associated data in bytes.
 * \param nsec Secret nonce - not used by this algorithm.
 * \param npub Points to the public nonce for the packet which must
- * be 15 bytes in length.
+ * be 12 bytes in length.
 * \param k Points to the 16 bytes of the key to use to encrypt the packet.
 *
 * \return 0 on success, or a negative value if there was an error in
 * the parameters.
 *
- * \sa forkae_saef_128_256_aead_decrypt()
+ * \sa romulus_m3_aead_decrypt()
 */
-int forkae_saef_128_256_aead_encrypt
+int romulus_m3_aead_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
 const unsigned char *ad, unsigned long long adlen,
@@ -515,7 +440,7 @@ int forkae_saef_128_256_aead_encrypt
 const unsigned char *k);
 /**
- * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-256.
+ * \brief Decrypts and authenticates a packet with Romulus-M3.
 *
 * \param m Buffer to receive the plaintext message on output.
 * \param mlen Receives the length of the plaintext message on output.
@@ -528,15 +453,15 @@ int forkae_saef_128_256_aead_encrypt * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_saef_128_256_aead_encrypt() + * \sa romulus_m3_aead_encrypt() */ -int forkae_saef_128_256_aead_decrypt +int romulus_m3_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, diff --git a/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/api.h b/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/api.h new file mode 100644 index 0000000..a4aa567 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/api.h @@ -0,0 +1,5 @@ +#define CRYPTO_KEYBYTES 16 +#define CRYPTO_NSECBYTES 0 +#define CRYPTO_NPUBBYTES 16 +#define CRYPTO_ABYTES 16 +#define CRYPTO_NOOVERLAP 1 diff --git a/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/encrypt.c b/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/encrypt.c new file mode 100644 index 0000000..4bc24fa --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/encrypt.c 
@@ -0,0 +1,1245 @@ +/* + * Date: 29 November 2018 + * Contact: Thomas Peyrin - thomas.peyrin@gmail.com + * Mustafa Khairallah - mustafam001@e.ntu.edu.sg + */ + +#include "crypto_aead.h" +#include "api.h" +#include "skinny.h" +#include +#include + +void pad (const unsigned char* m, unsigned char* mp, int len8) { + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&mp[0]) = 0; + *(uint32_t*)(&mp[4]) = 0; + *(uint32_t*)(&mp[8]) = 0; + *(uint32_t*)(&mp[12]) = 0; + mp[15] = (len8 & 0x0f); + for (int i = 0; i < len8; i++) { + mp[i] = m[i]; + } + +#else + + mp[0] = 0; + mp[1] = 0; + mp[2] = 0; + mp[3] = 0; + mp[4] = 0; + mp[5] = 0; + mp[6] = 0; + mp[7] = 0; + mp[8] = 0; + mp[9] = 0; + mp[10] = 0; + mp[11] = 0; + mp[12] = 0; + mp[13] = 0; + mp[14] = 0; + mp[15] = (len8 & 0x0f); + for (int i = 0; i < len8; i++) { + mp[i] = m[i]; + } + +#endif + +} + +void g8A (unsigned char* s, unsigned char* c) { + +#ifdef ___ENABLE_WORD_CAST + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t c0, c1, c2, c3; + + c0 = ((s0 >> 1) & 0x7f7f7f7f) ^ ((s0 ^ (s0 << 7)) & 0x80808080); + c1 = ((s1 >> 1) & 0x7f7f7f7f) ^ ((s1 ^ (s1 << 7)) & 0x80808080); + c2 = ((s2 >> 1) & 0x7f7f7f7f) ^ ((s2 ^ (s2 << 7)) & 0x80808080); + c3 = ((s3 >> 1) & 0x7f7f7f7f) ^ ((s3 ^ (s3 << 7)) & 0x80808080); + + *(uint32_t*)(&c[0]) = c0; + *(uint32_t*)(&c[4]) = c1; + *(uint32_t*)(&c[8]) = c2; + *(uint32_t*)(&c[12]) = c3; + +#else + + uint32_t s0, s1, s2, s3; + uint32_t c0, c1, c2, c3; + + pack_word(s[0], s[1], s[2], s[3], s0); + pack_word(s[4], s[5], s[6], s[7], s1); + pack_word(s[8], s[9], s[10], s[11], s2); + pack_word(s[12], s[13], s[14], s[15], s3); + + c0 = ((s0 >> 1) & 0x7f7f7f7f) ^ ((s0 ^ (s0 << 7)) & 0x80808080); + c1 = ((s1 >> 1) & 0x7f7f7f7f) ^ ((s1 ^ (s1 << 7)) & 0x80808080); + c2 = ((s2 >> 1) & 0x7f7f7f7f) ^ ((s2 ^ (s2 << 7)) & 0x80808080); + c3 = ((s3 >> 1) & 0x7f7f7f7f) ^ ((s3 ^ (s3 << 7)) & 0x80808080); 
+ + unpack_word(c[0], c[1], c[2], c[3], c0); + unpack_word(c[4], c[5], c[6], c[7], c1); + unpack_word(c[8], c[9], c[10], c[11], c2); + unpack_word(c[12], c[13], c[14], c[15], c3); + +#endif + +} + +#ifdef ___ENABLE_WORD_CAST + +void g8A_for_Tag_Generation (unsigned char* s, unsigned char* c) { + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t c0, c1, c2, c3; + + c0 = ((s0 >> 1) & 0x7f7f7f7f) ^ ((s0 ^ (s0 << 7)) & 0x80808080); + c1 = ((s1 >> 1) & 0x7f7f7f7f) ^ ((s1 ^ (s1 << 7)) & 0x80808080); + c2 = ((s2 >> 1) & 0x7f7f7f7f) ^ ((s2 ^ (s2 << 7)) & 0x80808080); + c3 = ((s3 >> 1) & 0x7f7f7f7f) ^ ((s3 ^ (s3 << 7)) & 0x80808080); + + // use byte access because of memory alignment. + // c is not always in word(4 byte) alignment. + c[0] = c0 &0xFF; + c[1] = (c0>>8) &0xFF; + c[2] = (c0>>16)&0xFF; + c[3] = c0>>24; + c[4] = c1 &0xFF; + c[5] = (c1>>8) &0xFF; + c[6] = (c1>>16)&0xFF; + c[7] = c1>>24; + c[8] = c2 &0xFF; + c[9] = (c2>>8) &0xFF; + c[10] = (c2>>16)&0xFF; + c[11] = c2>>24; + c[12] = c3 &0xFF; + c[13] = (c3>>8) &0xFF; + c[14] = (c3>>16)&0xFF; + c[15] = c3>>24; + +} + +#endif + +#define rho_ad_eqov16_macro(i) \ + s[i] = s[i] ^ m[i]; + +void rho_ad_eqov16 ( + const unsigned char* m, + unsigned char* s) { + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&m[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&m[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&m[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&m[12]); + +#else + + rho_ad_eqov16_macro(0); + rho_ad_eqov16_macro(1); + rho_ad_eqov16_macro(2); + rho_ad_eqov16_macro(3); + rho_ad_eqov16_macro(4); + rho_ad_eqov16_macro(5); + rho_ad_eqov16_macro(6); + rho_ad_eqov16_macro(7); + rho_ad_eqov16_macro(8); + rho_ad_eqov16_macro(9); + rho_ad_eqov16_macro(10); + rho_ad_eqov16_macro(11); + rho_ad_eqov16_macro(12); + rho_ad_eqov16_macro(13); + rho_ad_eqov16_macro(14); + rho_ad_eqov16_macro(15); + +#endif + +} + 
+#define rho_ad_ud16_macro(i) \ + s[i] = s[i] ^ mp[i]; + +void rho_ad_ud16 ( + const unsigned char* m, + unsigned char* s, + int len8) { + + unsigned char mp [16]; + pad(m,mp,len8); + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&mp[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&mp[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&mp[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&mp[12]); + +#else + + rho_ad_ud16_macro(0); + rho_ad_ud16_macro(1); + rho_ad_ud16_macro(2); + rho_ad_ud16_macro(3); + rho_ad_ud16_macro(4); + rho_ad_ud16_macro(5); + rho_ad_ud16_macro(6); + rho_ad_ud16_macro(7); + rho_ad_ud16_macro(8); + rho_ad_ud16_macro(9); + rho_ad_ud16_macro(10); + rho_ad_ud16_macro(11); + rho_ad_ud16_macro(12); + rho_ad_ud16_macro(13); + rho_ad_ud16_macro(14); + rho_ad_ud16_macro(15); + +#endif + +} + +void rho_eqov16 ( + const unsigned char* m, + unsigned char* c, + unsigned char* s) { + + g8A(s,c); + +#ifdef ___ENABLE_WORD_CAST + + uint32_t c0 = *(uint32_t*)(&c[0]); + uint32_t c1 = *(uint32_t*)(&c[4]); + uint32_t c2 = *(uint32_t*)(&c[8]); + uint32_t c3 = *(uint32_t*)(&c[12]); + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t m0 = *(uint32_t*)(&m[0]); + uint32_t m1 = *(uint32_t*)(&m[4]); + uint32_t m2 = *(uint32_t*)(&m[8]); + uint32_t m3 = *(uint32_t*)(&m[12]); + + s0 ^= m0; + s1 ^= m1; + s2 ^= m2; + s3 ^= m3; + + c0 ^= m0; + c1 ^= m1; + c2 ^= m2; + c3 ^= m3; + + *(uint32_t*)(&s[0]) = s0; + *(uint32_t*)(&s[4]) = s1; + *(uint32_t*)(&s[8]) = s2; + *(uint32_t*)(&s[12]) = s3; + + *(uint32_t*)(&c[0]) = c0; + *(uint32_t*)(&c[4]) = c1; + *(uint32_t*)(&c[8]) = c2; + *(uint32_t*)(&c[12]) = c3; + +#else + + uint32_t c0, c1, c2, c3; + uint32_t s0, s1, s2, s3; + uint32_t m0, m1, m2, m3; + + pack_word(m[0], m[1], m[2], m[3], m0); + pack_word(m[4], m[5], m[6], m[7], m1); + pack_word(m[8], m[9], m[10], m[11], m2); + pack_word(m[12], m[13], m[14], m[15], m3); 
+ + pack_word(s[0], s[1], s[2], s[3], s0); + pack_word(s[4], s[5], s[6], s[7], s1); + pack_word(s[8], s[9], s[10], s[11], s2); + pack_word(s[12], s[13], s[14], s[15], s3); + + pack_word(c[0], c[1], c[2], c[3], c0); + pack_word(c[4], c[5], c[6], c[7], c1); + pack_word(c[8], c[9], c[10], c[11], c2); + pack_word(c[12], c[13], c[14], c[15], c3); + + s0 ^= m0; + s1 ^= m1; + s2 ^= m2; + s3 ^= m3; + + c0 ^= m0; + c1 ^= m1; + c2 ^= m2; + c3 ^= m3; + + unpack_word(s[0], s[1], s[2], s[3], s0); + unpack_word(s[4], s[5], s[6], s[7], s1); + unpack_word(s[8], s[9], s[10], s[11], s2); + unpack_word(s[12], s[13], s[14], s[15], s3); + + unpack_word(c[0], c[1], c[2], c[3], c0); + unpack_word(c[4], c[5], c[6], c[7], c1); + unpack_word(c[8], c[9], c[10], c[11], c2); + unpack_word(c[12], c[13], c[14], c[15], c3); + +#endif + +} + +#define rho_ud16_macro(i) \ + s[i] = s[i] ^ mp[i]; + +void rho_ud16 ( + const unsigned char* m, + unsigned char* c, + unsigned char* s, + int len8) { + + unsigned char mp [16]; + + pad(m,mp,len8); + + g8A(s,c); +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&mp[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&mp[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&mp[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&mp[12]); + + for (int i = 0; i < 16; i++) { + if (i < len8) { + c[i] = c[i] ^ mp[i]; + } + else { + c[i] = 0; + } + } + +#else + + rho_ud16_macro(0); + rho_ud16_macro(1); + rho_ud16_macro(2); + rho_ud16_macro(3); + rho_ud16_macro(4); + rho_ud16_macro(5); + rho_ud16_macro(6); + rho_ud16_macro(7); + rho_ud16_macro(8); + rho_ud16_macro(9); + rho_ud16_macro(10); + rho_ud16_macro(11); + rho_ud16_macro(12); + rho_ud16_macro(13); + rho_ud16_macro(14); + rho_ud16_macro(15); + + for (int i = 0; i < 16; i++) { + if (i < len8) { + c[i] = c[i] ^ mp[i]; + } + else { + c[i] = 0; + } + } + +#endif + +} + +void irho_eqov16 ( + unsigned char* m, + const unsigned char* c, + unsigned char* s) { + + g8A(s,m); + +#ifdef ___ENABLE_WORD_CAST + + uint32_t c0 = 
*(uint32_t*)(&c[0]); + uint32_t c1 = *(uint32_t*)(&c[4]); + uint32_t c2 = *(uint32_t*)(&c[8]); + uint32_t c3 = *(uint32_t*)(&c[12]); + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t m0 = *(uint32_t*)(&m[0]); + uint32_t m1 = *(uint32_t*)(&m[4]); + uint32_t m2 = *(uint32_t*)(&m[8]); + uint32_t m3 = *(uint32_t*)(&m[12]); + + s0 ^= c0 ^ m0; + s1 ^= c1 ^ m1; + s2 ^= c2 ^ m2; + s3 ^= c3 ^ m3; + + m0 ^= c0; + m1 ^= c1; + m2 ^= c2; + m3 ^= c3; + + *(uint32_t*)(&s[0]) = s0; + *(uint32_t*)(&s[4]) = s1; + *(uint32_t*)(&s[8]) = s2; + *(uint32_t*)(&s[12]) = s3; + + *(uint32_t*)(&m[0]) = m0; + *(uint32_t*)(&m[4]) = m1; + *(uint32_t*)(&m[8]) = m2; + *(uint32_t*)(&m[12]) = m3; + +#else + + uint32_t c0, c1, c2, c3; + uint32_t s0, s1, s2, s3; + uint32_t m0, m1, m2, m3; + + pack_word(m[0], m[1], m[2], m[3], m0); + pack_word(m[4], m[5], m[6], m[7], m1); + pack_word(m[8], m[9], m[10], m[11], m2); + pack_word(m[12], m[13], m[14], m[15], m3); + + pack_word(s[0], s[1], s[2], s[3], s0); + pack_word(s[4], s[5], s[6], s[7], s1); + pack_word(s[8], s[9], s[10], s[11], s2); + pack_word(s[12], s[13], s[14], s[15], s3); + + pack_word(c[0], c[1], c[2], c[3], c0); + pack_word(c[4], c[5], c[6], c[7], c1); + pack_word(c[8], c[9], c[10], c[11], c2); + pack_word(c[12], c[13], c[14], c[15], c3); + + s0 ^= c0 ^ m0; + s1 ^= c1 ^ m1; + s2 ^= c2 ^ m2; + s3 ^= c3 ^ m3; + + m0 ^= c0; + m1 ^= c1; + m2 ^= c2; + m3 ^= c3; + + unpack_word(s[0], s[1], s[2], s[3], s0); + unpack_word(s[4], s[5], s[6], s[7], s1); + unpack_word(s[8], s[9], s[10], s[11], s2); + unpack_word(s[12], s[13], s[14], s[15], s3); + + unpack_word(m[0], m[1], m[2], m[3], m0); + unpack_word(m[4], m[5], m[6], m[7], m1); + unpack_word(m[8], m[9], m[10], m[11], m2); + unpack_word(m[12], m[13], m[14], m[15], m3); + +#endif + +} + +#define irho_ud16_macro(i) \ + s[i] = s[i] ^ cp[i]; + +void irho_ud16 ( + unsigned char* m, + const unsigned 
char* c, + unsigned char* s, + int len8) { + + unsigned char cp [16]; + + pad(c,cp,len8); + + g8A(s,m); + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&cp[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&cp[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&cp[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&cp[12]); + + for (int i = 0; i < len8; i++) { + s[i] ^= m[i]; + } + + for (int i = 0; i < 16; i++) { + if (i < len8) { + m[i] = m[i] ^ cp[i]; + } + else { + m[i] = 0; + } + } + +#else + + irho_ud16_macro(0); + irho_ud16_macro(1); + irho_ud16_macro(2); + irho_ud16_macro(3); + irho_ud16_macro(4); + irho_ud16_macro(5); + irho_ud16_macro(6); + irho_ud16_macro(7); + irho_ud16_macro(8); + irho_ud16_macro(9); + irho_ud16_macro(10); + irho_ud16_macro(11); + irho_ud16_macro(12); + irho_ud16_macro(13); + irho_ud16_macro(14); + irho_ud16_macro(15); + + for (int i = 0; i < len8; i++) { + s[i] ^= m[i]; + } + + for (int i = 0; i < 16; i++) { + if (i < len8) { + m[i] = m[i] ^ cp[i]; + } + else { + m[i] = 0; + } + } + +#endif + +} + +void reset_lfsr_gf56 (unsigned char* CNT) { + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&CNT[0]) = 0x00000001; // CNT3 CNT2 CNT1 CNT0 + *(uint32_t*)(&CNT[4]) = 0x00000000; // CNT7 CNT6 CNT5 CNT4 + +#else + + CNT[0] = 0x01; + CNT[1] = 0x00; + CNT[2] = 0x00; + CNT[3] = 0x00; + CNT[4] = 0x00; + CNT[5] = 0x00; + CNT[6] = 0x00; + +#endif + +} + +void lfsr_gf56 (unsigned char* CNT) { + +#ifdef ___ENABLE_WORD_CAST + + uint32_t C0; + uint32_t C1; + uint32_t fb0; + + C0 = *(uint32_t*)(&CNT[0]); // CNT3 CNT2 CNT1 CNT0 + C1 = *(uint32_t*)(&CNT[4]); // CNT7 CNT6 CNT5 CNT4 + + fb0 = 0; + if (CNT[6] & 0x80) { + fb0 = 0x95; + } + + C1 = C1 << 1 | C0 >> 31; + C0 = C0 << 1 ^ fb0; + + *(uint32_t*)(&CNT[0]) = C0; + *(uint32_t*)(&CNT[4]) = C1; + +#else + + uint32_t fb0 = CNT[6] >> 7; + + CNT[6] = (CNT[6] << 1) | (CNT[5] >> 7); + CNT[5] = (CNT[5] << 1) | (CNT[4] >> 7); + CNT[4] = (CNT[4] << 1) | (CNT[3] >> 7); + CNT[3] = (CNT[3] << 1) | (CNT[2] >> 7); + 
CNT[2] = (CNT[2] << 1) | (CNT[1] >> 7); + CNT[1] = (CNT[1] << 1) | (CNT[0] >> 7); + if (fb0 == 1) { + CNT[0] = (CNT[0] << 1) ^ 0x95; + } + else { + CNT[0] = (CNT[0] << 1); + } + +#endif + +} + +void block_cipher( + unsigned char* s, + const unsigned char* k, unsigned char* T, + unsigned char* CNT, unsigned char D, + skinny_ctrl* p_skinny_ctrl) { + + CNT[7] = D; + p_skinny_ctrl->func_skinny_128_384_enc(s, p_skinny_ctrl, CNT, T, k); + +} + +void nonce_encryption ( + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + skinny_ctrl* p_skinny_ctrl) { + + block_cipher(s,k,(unsigned char*)N,CNT,D,p_skinny_ctrl); + +} + +void generate_tag ( + unsigned char** c, unsigned char* s, + unsigned long long* clen) { + +#ifdef ___ENABLE_WORD_CAST + + g8A_for_Tag_Generation(s, *c); + +#else + + g8A(s, *c); + +#endif + *c = *c + 16; + *c = *c - *clen; + +} + +unsigned long long msg_encryption ( + const unsigned char** M, unsigned char** c, + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long mlen, + skinny_ctrl* l_skinny_ctrl) { + + int len8; + + if (mlen >= 16) { + len8 = 16; + mlen = mlen - 16; + rho_eqov16(*M, *c, s); + } + else { + len8 = mlen; + mlen = 0; + rho_ud16(*M, *c, s, len8); + } + *c = *c + len8; + *M = *M + len8; + lfsr_gf56(CNT); + if (mlen != 0) { + nonce_encryption(N,CNT,s,k,D,l_skinny_ctrl); + } + return mlen; + +} + +unsigned long long msg_decryption ( + unsigned char** M, const unsigned char** c, + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long clen, + skinny_ctrl* l_skinny_ctrl) { + + int len8; + + if (clen >= 16) { + len8 = 16; + clen = clen - 16; + irho_eqov16(*M, *c, s); + } + else { + len8 = clen; + clen = 0; + irho_ud16(*M, *c, s, len8); + } + *c = *c + len8; + *M = *M + len8; + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,D,l_skinny_ctrl); + 
return clen; + +} + +unsigned long long ad2msg_encryption ( + const unsigned char** M, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long mlen, + skinny_ctrl* l_skinny_ctrl) { + + unsigned char T [16]; + int len8; + + if (mlen <= 16) { + len8 = mlen; + mlen = 0; + } + else { + len8 = 16; + mlen = mlen - 16; + } + + pad (*M,T,len8); + block_cipher(s,k,T,CNT,D,l_skinny_ctrl); + lfsr_gf56(CNT); + *M = *M + len8; + + return mlen; + +} + +unsigned long long ad_encryption ( + const unsigned char** A, unsigned char* s, + const unsigned char* k, unsigned long long adlen, + unsigned char* CNT, + unsigned char D, + skinny_ctrl* l_skinny_ctrl) { + + unsigned char T [16]; + int len8; + + if (adlen >= 16) { + len8 = 16; + adlen = adlen - 16; + + rho_ad_eqov16(*A, s); + } + else { + len8 = adlen; + adlen = 0; + rho_ad_ud16(*A, s, len8); + } + *A = *A + len8; + lfsr_gf56(CNT); + if (adlen != 0) { + if (adlen >= 16) { + len8 = 16; + adlen = adlen - 16; + } + else { + len8 = adlen; + adlen = 0; + } + pad(*A, T, len8); + *A = *A + len8; + block_cipher(s,k,T,CNT,D,l_skinny_ctrl); + lfsr_gf56(CNT); + } + + return adlen; + +} + +int crypto_aead_encrypt ( + unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, + const unsigned char* npub, + const unsigned char* k) { + + unsigned char s[16]; + unsigned char CNT[8]; + unsigned char T[16]; + const unsigned char* N; + unsigned char w; + unsigned long long xlen; + + skinny_ctrl l_skinny_ctrl; + l_skinny_ctrl.func_skinny_128_384_enc = skinny_128_384_enc123_12; + + (void)nsec; + N = npub; + + xlen = mlen; + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) = 0; + *(uint32_t*)(&s[4]) = 0; + *(uint32_t*)(&s[8]) = 0; + *(uint32_t*)(&s[12]) = 0; + +#else + + s[0] = 0; + s[1] = 0; + s[2] = 0; + s[3] = 0; + s[4] = 0; + s[5] = 0; + s[6] = 0; + s[7] = 0; + s[8] = 0; + s[9] = 
0; + s[10] = 0; + s[11] = 0; + s[12] = 0; + s[13] = 0; + s[14] = 0; + s[15] = 0; + +#endif + + reset_lfsr_gf56(CNT); + + w = 48; + + if (adlen == 0) { + w = w ^ 2; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else if (adlen%(32) == 0) { + w = w ^ 8; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else if (adlen%(32) < 16) { + w = w ^ 2; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else if (adlen%(32) == 16) { + w = w ^ 0; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else { + w = w ^ 10; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + + if (adlen == 0) { // AD is an empty string + lfsr_gf56(CNT); + } + else while (adlen > 0) { + adlen = ad_encryption(&ad,s,k,adlen,CNT,40,&l_skinny_ctrl); + } + + if ((w & 8) == 0) { + xlen = ad2msg_encryption (&m,CNT,s,k,44,xlen,&l_skinny_ctrl); + } + else if (mlen == 0) { + lfsr_gf56(CNT); + } + while (xlen > 0) { + xlen = ad_encryption(&m,s,k,xlen,CNT,44,&l_skinny_ctrl); + } + nonce_encryption(N,CNT,s,k,w,&l_skinny_ctrl); + + // Tag generation + g8A(s, T); + + m = m - mlen; + + l_skinny_ctrl.func_skinny_128_384_enc = skinny_128_384_enc1_1; + + reset_lfsr_gf56(CNT); + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) = *(uint32_t*)(&T[0]); + 
*(uint32_t*)(&s[4]) = *(uint32_t*)(&T[4]); + *(uint32_t*)(&s[8]) = *(uint32_t*)(&T[8]); + *(uint32_t*)(&s[12]) = *(uint32_t*)(&T[12]); + +#else + + s[0] = T[0]; + s[1] = T[1]; + s[2] = T[2]; + s[3] = T[3]; + s[4] = T[4]; + s[5] = T[5]; + s[6] = T[6]; + s[7] = T[7]; + s[8] = T[8]; + s[9] = T[9]; + s[10] = T[10]; + s[11] = T[11]; + s[12] = T[12]; + s[13] = T[13]; + s[14] = T[14]; + s[15] = T[15]; + +#endif + + *clen = mlen + 16; + + if (mlen > 0) { + nonce_encryption(N,CNT,s,k,36,&l_skinny_ctrl); + while (mlen > 16) { + mlen = msg_encryption(&m,&c,N,CNT,s,k,36,mlen,&l_skinny_ctrl); + } + rho_ud16(m, c, s, mlen); + c = c + mlen; + m = m + mlen; + } + + // Tag Concatenation + c[0] = T[0]; + c[1] = T[1]; + c[2] = T[2]; + c[3] = T[3]; + c[4] = T[4]; + c[5] = T[5]; + c[6] = T[6]; + c[7] = T[7]; + c[8] = T[8]; + c[9] = T[9]; + c[10] = T[10]; + c[11] = T[11]; + c[12] = T[12]; + c[13] = T[13]; + c[14] = T[14]; + c[15] = T[15]; + + c = c - *clen; + + return 0; + +} + +int crypto_aead_decrypt( + unsigned char *m,unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c,unsigned long long clen, + const unsigned char *ad,unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) { + + unsigned char s[16]; + unsigned char CNT[8]; + unsigned char T[16]; + const unsigned char* N; + unsigned char w; + unsigned long long xlen; + const unsigned char* mauth; + unsigned char* p1; + unsigned char* p2; + + skinny_ctrl l_skinny_ctrl; + l_skinny_ctrl.func_skinny_128_384_enc = skinny_128_384_enc123_12; + + (void)nsec; + mauth = m; + + N = npub; + + xlen = clen-16; + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) = 0; + *(uint32_t*)(&s[4]) = 0; + *(uint32_t*)(&s[8]) = 0; + *(uint32_t*)(&s[12]) = 0; + +#else + + s[0] = 0; + s[1] = 0; + s[2] = 0; + s[3] = 0; + s[4] = 0; + s[5] = 0; + s[6] = 0; + s[7] = 0; + s[8] = 0; + s[9] = 0; + s[10] = 0; + s[11] = 0; + s[12] = 0; + s[13] = 0; + s[14] = 0; + s[15] = 0; + +#endif + + reset_lfsr_gf56(CNT); + + w = 48; 
+ + if (adlen == 0) { + w = w ^ 2; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else if (adlen%(32) == 0) { + w = w ^ 8; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else if (adlen%(32) < 16) { + w = w ^ 2; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else if (adlen%(32) == 16) { + w = w ^ 0; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + else { + w = w ^ 10; + if (xlen == 0) { + w =w ^ 1; + } + else if (xlen%(32) == 0) { + w = w ^ 4; + } + else if (xlen%(32) < 16) { + w = w ^ 1; + } + else if (xlen%(32) == 16) { + w = w ^ 0; + } + else { + w = w ^ 5; + } + } + + if (adlen == 0) { // AD is an empty string + lfsr_gf56(CNT); + } + else while (adlen > 0) { + adlen = ad_encryption(&ad,s,k,adlen,CNT,40,&l_skinny_ctrl); + } + + if ((w & 8) == 0) { + xlen = ad2msg_encryption (&mauth,CNT,s,k,44,xlen,&l_skinny_ctrl); + } + else if (clen == 0) { + lfsr_gf56(CNT); + } + while (xlen > 0) { + xlen = ad_encryption(&mauth,s,k,xlen,CNT,44,&l_skinny_ctrl); + } + nonce_encryption(N,CNT,s,k,w,&l_skinny_ctrl); + + // Tag generation + g8A(s, T); + + l_skinny_ctrl.func_skinny_128_384_enc = skinny_128_384_enc1_1; + + reset_lfsr_gf56(CNT); + + p1 = T; + p2 = (unsigned char*)&c[clen - 16]; + + p1[0] = p2[0]; + p1[1] = p2[1]; + p1[2] = p2[2]; + p1[3] = p2[3]; + p1[4] = p2[4]; + p1[5] = p2[5]; + p1[6] = p2[6]; + p1[7] = p2[7]; + p1[8] = p2[8]; + p1[9] = p2[9]; + 
p1[10] = p2[10]; + p1[11] = p2[11]; + p1[12] = p2[12]; + p1[13] = p2[13]; + p1[14] = p2[14]; + p1[15] = p2[15]; + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) = *(uint32_t*)(&T[0]); + *(uint32_t*)(&s[4]) = *(uint32_t*)(&T[4]); + *(uint32_t*)(&s[8]) = *(uint32_t*)(&T[8]); + *(uint32_t*)(&s[12]) = *(uint32_t*)(&T[12]); + +#else + + s[0] = T[0]; + s[1] = T[1]; + s[2] = T[2]; + s[3] = T[3]; + s[4] = T[4]; + s[5] = T[5]; + s[6] = T[6]; + s[7] = T[7]; + s[8] = T[8]; + s[9] = T[9]; + s[10] = T[10]; + s[11] = T[11]; + s[12] = T[12]; + s[13] = T[13]; + s[14] = T[14]; + s[15] = T[15]; + +#endif + + clen = clen - 16; + *mlen = clen; + + if (clen > 0) { + nonce_encryption(N,CNT,s,k,36,&l_skinny_ctrl); + + l_skinny_ctrl.func_skinny_128_384_enc = skinny_128_384_enc1_1; + + while (clen > 16) { + clen = msg_decryption(&m,&c,N,CNT,s,k,36,clen,&l_skinny_ctrl); + } + irho_ud16(m, c, s, clen); + c = c + clen; + m = m + clen; + } + + for (int i = 0; i < 16; i++) { + if (T[i] != (*(c+i))) { + return -1; + } + } + + return 0; + +} diff --git a/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/skinny.h b/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/skinny.h new file mode 100644 index 0000000..5b36459 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/skinny.h 
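Review bot: The empty-message branch in crypto_aead_decrypt tests `else if (clen == 0)` where crypto_aead_encrypt tests `else if (mlen == 0)`; at that point decrypt's `clen` still includes the 16-byte tag, so the `lfsr_gf56(CNT)` step that encryption performs when bit 8 of `w` is set and the message is empty is never mirrored on decryption, and valid ciphertexts for those AD lengths look like they would fail authentication — the mirror of the encrypt condition is `else if (xlen == 0) {`. The function also never rejects ciphertexts shorter than the tag: `xlen = clen-16` wraps for clen < 16 and `p2 = (unsigned char*)&c[clen - 16]` then reads before the buffer, so `if (clen < 16) return -1;` belongs at the top of the function. The final tag comparison returns on the first mismatching byte, which leaks the mismatch position through timing; accumulate the differences instead, `unsigned char diff = 0; for (int i = 0; i < 16; i++) diff |= T[i] ^ c[i]; return diff ? -1 : 0;`. With `___ENABLE_WORD_CAST` defined in skinny.h, the `*(uint32_t*)` accesses on caller-supplied `unsigned char` buffers throughout this file violate strict aliasing and assume a 4-byte alignment the API does not guarantee, which the comment in g8A_for_Tag_Generation already acknowledges for `c`; the plaintext is likewise written to `m` before the tag is verified, so a comment stating that unauthenticated output must be discarded on `-1` would help callers.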
@@ -0,0 +1,69 @@
+#define ___SKINNY_LOOP
+#define ___NUM_OF_ROUNDS_56
+#define ___ENABLE_WORD_CAST
+
+#include
+
+typedef struct ___skinny_ctrl {
+#ifdef ___NUM_OF_ROUNDS_56
+ uint32_t roundKeys[240]; // number of rounds : 56
+#else
+ uint32_t roundKeys[176]; // number of rounds : 40
+#endif
+ void (*func_skinny_128_384_enc)(unsigned char*, struct ___skinny_ctrl*, unsigned char* CNT, unsigned char* T, const unsigned char* K);
+} skinny_ctrl;
+
+extern void skinny_128_384_enc123_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K);
+extern void skinny_128_384_enc12_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K);
+extern void skinny_128_384_enc1_1 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K);
+
+#define pack_word(x0, x1, x2, x3, w) \
+ w = ((x3) << 24) ^ \
+ ((x2) << 16) ^ \
+ ((x1) << 8) ^ \
+ (x0);
+
+#define unpack_word(x0, x1, x2, x3, w) \
+ x0 = ((w) & 0xff); \
+ x1 = (((w) >> 8) & 0xff); \
+ x2 = (((w) >> 16) & 0xff); \
+ x3 = ((w) >> 24);
+
+#define PERMUTATION() \
+/* permutation */ \
+ \
+ /* 7 6 5 4 3 2 1 0 */ \
+ /* 5 7 2 3 6 0 4 1 */ \
+ \
+ /* w0 (3 2 1 0) */ \
+ /* w1 (7 6 5 4) */ \
+ \
+ /* w0 (6 0 4 1) */ \
+ /* w1 (5 7 2 3) */ \
+ \
+ t0 = w1 << 8; /* 6 5 4 - */ \
+ t0 = t0 & 0xff00ff00; /* 6 - 4 - */ \
+ \
+ t1 = w1 << 16; /* 5 4 - - */ \
+ t1 = t1 & 0xff000000; /* 5 - - - */ \
+ \
+ t2 = w1 & 0xff000000; /* 7 - - - */ \
+ t2 = t2 >> 8; /* - 7 - - */ \
+ t1 = t1 ^ t2; /* 5 7 - - */ \
+ \
+ t2 = w0 & 0xff000000; /* 3 - - - */ \
+ t2 = t2 >> 24; /* - - - 3 */ \
+ t1 = t1 ^ t2; /* 5 7 - 3 */ \
+ \
+ w1 = w0 >> 8; /* - 3 2 1 */ \
+ w1 = w1 & 0x0000ff00; /* - - 2 - */ \
+ w1 = w1 ^ t1; /* 5 7 2 3 */ \
+ \
+ t2 = w0 & 0x0000ff00; /* - - 1 - */ \
+ t2 = t2 >> 8; /* - - - 1 */ \
+ t0 = t0 ^ t2; /* 6 - 4 1 */ \
+ \
+ w0 = w0 << 16; /* 1 0 - - */ \
+ w0 = w0 &
0x00ff0000; /* - 0 - - */ \ + w0 = w0 ^ t0; /* 6 0 4 1 */ + diff --git a/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/skinny_key_schedule2.c b/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/skinny_key_schedule2.c new file mode 100644 index 0000000..923d4b8 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/skinny_key_schedule2.c 
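Review bot: `pack_word` shifts `unsigned char` operands that integer promotion turns into `int`, so `((x3) << 24)` overflows signed int for any byte of 0x80 or above — undefined behaviour that -fsanitize=undefined reports on the first packed block — and the fix is to widen before shifting: `w = ((uint32_t)(x3) << 24) ^ ((uint32_t)(x2) << 16) ^ ((uint32_t)(x1) << 8) ^ (uint32_t)(x0);`. Identifiers such as `___SKINNY_LOOP`, `___ENABLE_WORD_CAST` and `struct ___skinny_ctrl` start with two underscores and are reserved for the implementation under C11 §7.1.3; a project prefix like `SKINNY_` avoids collisions with compiler-defined names. Defining `___ENABLE_WORD_CAST` unconditionally here switches every including file to `*(uint32_t*)` access on byte buffers, which is a strict-aliasing and alignment hazard rather than a portable optimisation, so a comment such as `/* word-cast path assumes 4-byte-aligned buffers and a compiler that tolerates type punning; undefine on strict targets */` would document the trade-off the build is making.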
@@ -0,0 +1,227 @@ +/****************************************************************************** + * Copyright (c) 2020, NEC Corporation. + * + * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. + * + *****************************************************************************/ + +/* + * SKINNY-128-384 + * + * load * AC(c0 c1) ^ TK3 + * calc AC(c0 c1) ^ TK2 -> store + * ART(TK2) + * + * number of rounds : 40 or 56 + */ + +#include "skinny.h" + +#define PERMUTATION_TK2() \ + \ + /* permutation */ \ + \ + PERMUTATION() \ + \ + /* LFSR(for TK2) (x7 x6 x5 x4 x3 x2 x1 x0) -> (x6 x5 x4 x3 x2 x1 x0 x7^x5) */ \ + w0 = ((w0 << 1) & 0xfefefefe) ^ \ + (((w0 >> 7) ^ (w0 >> 5)) & 0x01010101); \ + w1 = ((w1 << 1) & 0xfefefefe) ^ \ + (((w1 >> 7) ^ (w1 >> 5)) & 0x01010101); \ + \ + /* Load TK3 */ \ + /* TK2^TK3^AC(c0 c1) */ \ + /* store */ \ + *tk2++ = w0 ^ *tk3++; \ + *tk2++ = w1 ^ *tk3++; \ + tk2 += 2; \ + tk3 += 2; + +#ifndef ___SKINNY_LOOP + +void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys) +{ + uint32_t* tk2; // used in MACRO + uint32_t* tk3; // used in MACRO + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t w0; + uint32_t w1; + + // odd + + // load master key + w0 = roundKeys[4]; + w1 = roundKeys[5]; + + tk2 = &roundKeys[16]; +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[96]; +#else + tk3 = &roundKeys[128]; +#endif + + // 1st round + *tk2++ = w0 ^ *tk3++; + *tk2++ = w1 ^ *tk3++; + + tk2 += 2; + tk3 += 2; + + // 3rd,5th, ... ,37th,39th round + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 41th,43th, ... 
,51th,53th round + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + +#endif + + // even + + // load master key + w0 = roundKeys[6]; + w1 = roundKeys[7]; + + tk2 = &roundKeys[18]; +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[98]; +#else + tk3 = &roundKeys[130]; +#endif + + // 2nd,4th, ... ,54th,56th round + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 42nd,44th, ... ,54th,56th round + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + +#endif + +} + +#else + +void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys) +{ + uint32_t* tk2; // used in MACRO + uint32_t* tk3; // used in MACRO + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t w0; + uint32_t w1; + + // odd + + // load master key + w0 = roundKeys[4]; + w1 = roundKeys[5]; + + tk2 = &roundKeys[16]; +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[96]; +#else + tk3 = &roundKeys[128]; +#endif + + // 1st round + *tk2++ = w0 ^ *tk3++; + *tk2++ = w1 ^ *tk3++; + + tk2 += 2; + tk3 += 2; + + // 3rd,5th, ... 
+#ifndef ___NUM_OF_ROUNDS_56 + for(int i=0;i<19;i++) +#else + for(int i=0;i<27;i++) +#endif + { + PERMUTATION_TK2(); + } + + // even + + // load master key + w0 = roundKeys[6]; + w1 = roundKeys[7]; + + tk2 = &roundKeys[18]; +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[98]; +#else + tk3 = &roundKeys[130]; +#endif + + // 2nd,4th, ... +#ifndef ___NUM_OF_ROUNDS_56 + for(int i=0;i<20;i++) +#else + for(int i=0;i<28;i++) +#endif + { + PERMUTATION_TK2(); + } + +} + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/skinny_key_schedule3.c b/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/skinny_key_schedule3.c new file mode 100644 index 0000000..39254a6 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/skinny_key_schedule3.c 
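Review bot: `RunEncryptionKeyScheduleTK2` reads the TK3 words from `roundKeys[96]` / `roundKeys[128]` and XORs them into the slice starting at `roundKeys[16]`, so both variants silently depend on `RunEncryptionKeyScheduleTK3` having run first (skinny_main.c does call them in that order), yet nothing in this file states that ordering or the 176/240-word layout it assumes. A comment above the function would anchor it: `/* Requires the TK3 slice at roundKeys[96] (40 rounds) or roundKeys[128] (56 rounds) to be filled by RunEncryptionKeyScheduleTK3() first; writes roundKeys[16..] in place. */`. The unrolled variant's `// 2nd,4th, ... ,54th,56th round` is misleading in the 40-round build, which stops at the 40th round, and the two `#ifndef ___SKINNY_LOOP` bodies repeat the master-key load and pointer setup verbatim, so only the round counts should differ between them.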
@@ -0,0 +1,228 @@ +/****************************************************************************** + * Copyright (c) 2020, NEC Corporation. + * + * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. + * + *****************************************************************************/ + +/* + * SKINNY-128-384 + * + * AC(c0 c1) ^ TK3 -> store + * ART(TK3) + * + * number of rounds : 40 or 56 + */ + +#include "skinny.h" + +#define PERMUTATION_TK3(c0Val, c1Val) \ + \ + /* permutation */ \ + \ + PERMUTATION() \ + \ + /* LFSR(for TK3) (x7 x6 x5 x4 x3 x2 x1 x0) -> (x0^x6 x7 x6 x5 x4 x3 x2 x1) */ \ + w0 = ((w0 >> 1) & 0x7f7f7f7f) ^ \ + (((w0 << 7) ^ (w0 << 1)) & 0x80808080); \ + w1 = ((w1 >> 1) & 0x7f7f7f7f) ^ \ + (((w1 << 7) ^ (w1 << 1)) & 0x80808080); \ + \ + /* K3^AC(c0 c1) */ \ + /* store */ \ + *tk3++ = w0 ^ c0Val; \ + *tk3++ = w1 ^ c1Val; \ + tk3 += 2; + +#ifndef ___SKINNY_LOOP + +void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys) +{ + uint32_t *tk3; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t w0; + uint32_t w1; + + // odd + + // load master key + w0 = roundKeys[8]; + w1 = roundKeys[9]; + +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[96]; +#else + tk3 = &roundKeys[128]; +#endif + + // 1st round + *tk3++ = w0 ^ 0x01; + *tk3++ = w1; + tk3 += 2; + + // 3rd,5th, ... 
,37th,39th round + PERMUTATION_TK3(0x7, 0x000); + PERMUTATION_TK3(0xf, 0x100); + PERMUTATION_TK3(0xd, 0x300); + PERMUTATION_TK3(0x7, 0x300); + PERMUTATION_TK3(0xe, 0x100); + PERMUTATION_TK3(0x9, 0x300); + PERMUTATION_TK3(0x7, 0x200); + PERMUTATION_TK3(0xd, 0x100); + PERMUTATION_TK3(0x5, 0x300); + + PERMUTATION_TK3(0x6, 0x100); + PERMUTATION_TK3(0x8, 0x100); + PERMUTATION_TK3(0x1, 0x200); + PERMUTATION_TK3(0x5, 0x000); + PERMUTATION_TK3(0x7, 0x100); + PERMUTATION_TK3(0xc, 0x100); + PERMUTATION_TK3(0x1, 0x300); + PERMUTATION_TK3(0x6, 0x000); + PERMUTATION_TK3(0xb, 0x100); + PERMUTATION_TK3(0xd, 0x200); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 41td,43th, ... ,53th,55th round + PERMUTATION_TK3(0x4, 0x300); + PERMUTATION_TK3(0x2, 0x100); + PERMUTATION_TK3(0x8, 0x000); + PERMUTATION_TK3(0x2, 0x200); + PERMUTATION_TK3(0x9, 0x000); + PERMUTATION_TK3(0x6, 0x200); + PERMUTATION_TK3(0x9, 0x100); + PERMUTATION_TK3(0x5, 0x200); + +#endif + + // even + + // load master key + w0 = roundKeys[10]; + w1 = roundKeys[11]; + + +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[98]; +#else + tk3 = &roundKeys[130]; +#endif + + // 2nd,4th, ... ,38th,40th round + PERMUTATION_TK3(0x3, 0x000); + PERMUTATION_TK3(0xf, 0x000); + PERMUTATION_TK3(0xe, 0x300); + PERMUTATION_TK3(0xb, 0x300); + PERMUTATION_TK3(0xf, 0x200); + PERMUTATION_TK3(0xc, 0x300); + PERMUTATION_TK3(0x3, 0x300); + PERMUTATION_TK3(0xe, 0x000); + PERMUTATION_TK3(0xa, 0x300); + PERMUTATION_TK3(0xb, 0x200); + + PERMUTATION_TK3(0xc, 0x200); + PERMUTATION_TK3(0x0, 0x300); + PERMUTATION_TK3(0x2, 0x000); + PERMUTATION_TK3(0xb, 0x000); + PERMUTATION_TK3(0xe, 0x200); + PERMUTATION_TK3(0x8, 0x300); + PERMUTATION_TK3(0x3, 0x200); + PERMUTATION_TK3(0xd, 0x000); + PERMUTATION_TK3(0x6, 0x300); + PERMUTATION_TK3(0xa, 0x100); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 42nd,44th, ... 
,54th,56th round + PERMUTATION_TK3(0x9, 0x200); + PERMUTATION_TK3(0x4, 0x200); + PERMUTATION_TK3(0x1, 0x100); + PERMUTATION_TK3(0x4, 0x000); + PERMUTATION_TK3(0x3, 0x100); + PERMUTATION_TK3(0xc, 0x000); + PERMUTATION_TK3(0x2, 0x300); + PERMUTATION_TK3(0xa, 0x000); + +#endif + +} + +#else + +void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys, unsigned char *pRC) +{ + uint32_t *tk3; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t w0; + uint32_t w1; + uint16_t c0; + uint16_t c1; + + // odd + + // load master key + w0 = roundKeys[8]; + w1 = roundKeys[9]; + +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[96]; +#else + tk3 = &roundKeys[128]; +#endif + + // 1st round + *tk3++ = w0 ^ 0x01; + *tk3++ = w1; + tk3 += 2; + + pRC += 4; + // 3rd,5th, ... +#ifndef ___NUM_OF_ROUNDS_56 + for(int i=0;i<19;i++) +#else + for(int i=0;i<27;i++) +#endif + { + c0 = *pRC++; + c1 = *pRC++; + c1 <<= 8; + pRC += 2; + PERMUTATION_TK3(c0, c1); + } + + // even + + // load master key + w0 = roundKeys[10]; + w1 = roundKeys[11]; + +#ifndef ___NUM_OF_ROUNDS_56 + pRC -= 78; + tk3 = &roundKeys[98]; +#else + pRC -= 110; + tk3 = &roundKeys[130]; +#endif + + // 2nd,4th, ... +#ifndef ___NUM_OF_ROUNDS_56 + for(int i=0;i<20;i++) +#else + for(int i=0;i<28;i++) +#endif + { + c0 = *pRC++; + c1 = *pRC++; + c1 <<= 8; + pRC += 2; + PERMUTATION_TK3(c0, c1); + } + +} + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/skinny_main.c b/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/skinny_main.c new file mode 100644 index 0000000..74222ee --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusm1/opt32_NEC/skinny_main.c 
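Review bot: In the loop variant of `RunEncryptionKeyScheduleTK3`, the trailing `pRC += 2;` of the even-round loop leaves `pRC` two bytes past the end of the `RC` array (80 or 112 bytes in skinny_main.c) on the final iteration; the reads themselves stay in bounds, but forming a pointer beyond one-past-the-end is undefined under C11 6.5.6 (CERT ARR30-C). The parameter is also only read, so it should be `const unsigned char *pRC`, with the matching `extern` prototype in skinny_main.c updated. Indexing from the base pointer removes the running pointer, the `pRC += 4;` before the odd loop and the `pRC -= 78` / `pRC -= 110` rewind, and makes the constant layout (odd rounds at `4 + 4*i`, even rounds at `2 + 4*i`) explicit.
```c
void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys, const unsigned char *pRC)
{
    /* … unchanged: locals, odd master-key load, tk3 setup, 1st round … */

    // 3rd,5th, ... : constants for odd rounds sit at pRC[4 + 4*i]
#ifndef ___NUM_OF_ROUNDS_56
    for(int i=0;i<19;i++)
#else
    for(int i=0;i<27;i++)
#endif
    {
        c0 = pRC[4 + 4*i];
        c1 = (uint16_t)(pRC[5 + 4*i] << 8);
        PERMUTATION_TK3(c0, c1);
    }

    /* … unchanged: even master-key load, tk3 = &roundKeys[98] / [130] (the pRC -= 78 / 110 lines go away) … */

    // 2nd,4th, ... : constants for even rounds sit at pRC[2 + 4*i]
#ifndef ___NUM_OF_ROUNDS_56
    for(int i=0;i<20;i++)
#else
    for(int i=0;i<28;i++)
#endif
    {
        c0 = pRC[2 + 4*i];
        c1 = (uint16_t)(pRC[3 + 4*i] << 8);
        PERMUTATION_TK3(c0, c1);
    }
}
```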
@@ -0,0 +1,537 @@ +/****************************************************************************** + * Copyright (c) 2020, NEC Corporation. + * + * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. + * + *****************************************************************************/ + +/* + * SKINNY-128-384 + * + * ART(TK1) -> store + * load AC(c0 c1) ^ TK3 ^ TK2 + * load TK1 + * calc AC(c0 c1) ^ TK3 ^ TK2 ^ TK1 -> use at (AC->ART) + * SC->SR->(AC->ART)->MC + * + * number of rounds : 40 or 56 + */ + +#include "skinny.h" + +/* + * S-BOX + */ +unsigned char SBOX[] += { + // Original + 0x65, 0x4c, 0x6a, 0x42, 0x4b, 0x63, 0x43, 0x6b, 0x55, 0x75, 0x5a, 0x7a, 0x53, 0x73, 0x5b, 0x7b, + 0x35, 0x8c, 0x3a, 0x81, 0x89, 0x33, 0x80, 0x3b, 0x95, 0x25, 0x98, 0x2a, 0x90, 0x23, 0x99, 0x2b, + 0xe5, 0xcc, 0xe8, 0xc1, 0xc9, 0xe0, 0xc0, 0xe9, 0xd5, 0xf5, 0xd8, 0xf8, 0xd0, 0xf0, 0xd9, 0xf9, + 0xa5, 0x1c, 0xa8, 0x12, 0x1b, 0xa0, 0x13, 0xa9, 0x05, 0xb5, 0x0a, 0xb8, 0x03, 0xb0, 0x0b, 0xb9, + 0x32, 0x88, 0x3c, 0x85, 0x8d, 0x34, 0x84, 0x3d, 0x91, 0x22, 0x9c, 0x2c, 0x94, 0x24, 0x9d, 0x2d, + 0x62, 0x4a, 0x6c, 0x45, 0x4d, 0x64, 0x44, 0x6d, 0x52, 0x72, 0x5c, 0x7c, 0x54, 0x74, 0x5d, 0x7d, + 0xa1, 0x1a, 0xac, 0x15, 0x1d, 0xa4, 0x14, 0xad, 0x02, 0xb1, 0x0c, 0xbc, 0x04, 0xb4, 0x0d, 0xbd, + 0xe1, 0xc8, 0xec, 0xc5, 0xcd, 0xe4, 0xc4, 0xed, 0xd1, 0xf1, 0xdc, 0xfc, 0xd4, 0xf4, 0xdd, 0xfd, + 0x36, 0x8e, 0x38, 0x82, 0x8b, 0x30, 0x83, 0x39, 0x96, 0x26, 0x9a, 0x28, 0x93, 0x20, 0x9b, 0x29, + 0x66, 0x4e, 0x68, 0x41, 0x49, 0x60, 0x40, 0x69, 0x56, 0x76, 0x58, 0x78, 0x50, 0x70, 0x59, 0x79, + 0xa6, 0x1e, 0xaa, 0x11, 0x19, 0xa3, 0x10, 0xab, 0x06, 0xb6, 0x08, 0xba, 0x00, 0xb3, 0x09, 0xbb, + 0xe6, 0xce, 0xea, 0xc2, 0xcb, 0xe3, 0xc3, 0xeb, 0xd6, 0xf6, 0xda, 0xfa, 0xd3, 0xf3, 0xdb, 0xfb, + 0x31, 0x8a, 0x3e, 0x86, 0x8f, 0x37, 0x87, 0x3f, 0x92, 0x21, 0x9e, 0x2e, 0x97, 0x27, 0x9f, 0x2f, + 0x61, 0x48, 0x6e, 0x46, 0x4f, 0x67, 0x47, 0x6f, 0x51, 0x71, 0x5e, 0x7e, 0x57, 0x77, 0x5f, 0x7f, + 0xa2, 0x18, 0xae, 
0x16, 0x1f, 0xa7, 0x17, 0xaf, 0x01, 0xb2, 0x0e, 0xbe, 0x07, 0xb7, 0x0f, 0xbf, + 0xe2, 0xca, 0xee, 0xc6, 0xcf, 0xe7, 0xc7, 0xef, 0xd2, 0xf2, 0xde, 0xfe, 0xd7, 0xf7, 0xdf, 0xff, +}; + + /* + * S-BOX ^ AC(c2) + */ +unsigned char SBOX2[] += { // Original ^ c2(0x02) + 0x67, 0x4e, 0x68, 0x40, 0x49, 0x61, 0x41, 0x69, 0x57, 0x77, 0x58, 0x78, 0x51, 0x71, 0x59, 0x79, + 0x37, 0x8e, 0x38, 0x83, 0x8b, 0x31, 0x82, 0x39, 0x97, 0x27, 0x9a, 0x28, 0x92, 0x21, 0x9b, 0x29, + 0xe7, 0xce, 0xea, 0xc3, 0xcb, 0xe2, 0xc2, 0xeb, 0xd7, 0xf7, 0xda, 0xfa, 0xd2, 0xf2, 0xdb, 0xfb, + 0xa7, 0x1e, 0xaa, 0x10, 0x19, 0xa2, 0x11, 0xab, 0x07, 0xb7, 0x08, 0xba, 0x01, 0xb2, 0x09, 0xbb, + 0x30, 0x8a, 0x3e, 0x87, 0x8f, 0x36, 0x86, 0x3f, 0x93, 0x20, 0x9e, 0x2e, 0x96, 0x26, 0x9f, 0x2f, + 0x60, 0x48, 0x6e, 0x47, 0x4f, 0x66, 0x46, 0x6f, 0x50, 0x70, 0x5e, 0x7e, 0x56, 0x76, 0x5f, 0x7f, + 0xa3, 0x18, 0xae, 0x17, 0x1f, 0xa6, 0x16, 0xaf, 0x00, 0xb3, 0x0e, 0xbe, 0x06, 0xb6, 0x0f, 0xbf, + 0xe3, 0xca, 0xee, 0xc7, 0xcf, 0xe6, 0xc6, 0xef, 0xd3, 0xf3, 0xde, 0xfe, 0xd6, 0xf6, 0xdf, 0xff, + 0x34, 0x8c, 0x3a, 0x80, 0x89, 0x32, 0x81, 0x3b, 0x94, 0x24, 0x98, 0x2a, 0x91, 0x22, 0x99, 0x2b, + 0x64, 0x4c, 0x6a, 0x43, 0x4b, 0x62, 0x42, 0x6b, 0x54, 0x74, 0x5a, 0x7a, 0x52, 0x72, 0x5b, 0x7b, + 0xa4, 0x1c, 0xa8, 0x13, 0x1b, 0xa1, 0x12, 0xa9, 0x04, 0xb4, 0x0a, 0xb8, 0x02, 0xb1, 0x0b, 0xb9, + 0xe4, 0xcc, 0xe8, 0xc0, 0xc9, 0xe1, 0xc1, 0xe9, 0xd4, 0xf4, 0xd8, 0xf8, 0xd1, 0xf1, 0xd9, 0xf9, + 0x33, 0x88, 0x3c, 0x84, 0x8d, 0x35, 0x85, 0x3d, 0x90, 0x23, 0x9c, 0x2c, 0x95, 0x25, 0x9d, 0x2d, + 0x63, 0x4a, 0x6c, 0x44, 0x4d, 0x65, 0x45, 0x6d, 0x53, 0x73, 0x5c, 0x7c, 0x55, 0x75, 0x5d, 0x7d, + 0xa0, 0x1a, 0xac, 0x14, 0x1d, 0xa5, 0x15, 0xad, 0x03, 0xb0, 0x0c, 0xbc, 0x05, 0xb5, 0x0d, 0xbd, + 0xe0, 0xc8, 0xec, 0xc4, 0xcd, 0xe5, 0xc5, 0xed, 0xd0, 0xf0, 0xdc, 0xfc, 0xd5, 0xf5, 0xdd, 0xfd, +}; + +#ifdef ___SKINNY_LOOP +/* + * Round Constants + */ +unsigned char RC[] += { + 0x01, 0x00, 0x03, 0x00, 0x07, 0x00, 0x0f, 0x00, 0x0f, 0x01, 0x0e, 0x03, 0x0d, 0x03, 
0x0b, 0x03, + 0x07, 0x03, 0x0f, 0x02, 0x0e, 0x01, 0x0c, 0x03, 0x09, 0x03, 0x03, 0x03, 0x07, 0x02, 0x0e, 0x00, + 0x0d, 0x01, 0x0a, 0x03, 0x05, 0x03, 0x0b, 0x02, 0x06, 0x01, 0x0c, 0x02, 0x08, 0x01, 0x00, 0x03, + 0x01, 0x02, 0x02, 0x00, 0x05, 0x00, 0x0b, 0x00, 0x07, 0x01, 0x0e, 0x02, 0x0c, 0x01, 0x08, 0x03, + 0x01, 0x03, 0x03, 0x02, 0x06, 0x00, 0x0d, 0x00, 0x0b, 0x01, 0x06, 0x03, 0x0d, 0x02, 0x0a, 0x01, +#ifdef ___NUM_OF_ROUNDS_56 + 0x04, 0x03, 0x09, 0x02, 0x02, 0x01, 0x04, 0x02, 0x08, 0x00, 0x01, 0x01, 0x02, 0x02, 0x04, 0x00, + 0x09, 0x00, 0x03, 0x01, 0x06, 0x02, 0x0c, 0x00, 0x09, 0x01, 0x02, 0x03, 0x05, 0x02, 0x0a, 0x00, +#endif + }; +#endif + +extern void Encrypt(unsigned char *block, uint32_t *roundKeys, unsigned char *sbox, unsigned char *sbox2); +extern void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys); +#ifdef ___SKINNY_LOOP +extern void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys, unsigned char *pRC); +#else +extern void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys); +#endif + +void skinny_128_384_enc123_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K) +{ + uint32_t *pt = &pskinny_ctrl->roundKeys[0]; +#ifndef ___ENABLE_WORD_CAST + pack_word(CNT[0], CNT[1], CNT[2], CNT[3], pt[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pack_word(T[0], T[1], T[2], T[3], pt[4]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pack_word(T[8], T[9], T[10], T[11], pt[6]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); + + pack_word(K[0], K[1], K[2], K[3], pt[8]); + pack_word(K[7], K[4], K[5], K[6], pt[9]); + pack_word(K[8], K[9], K[10], K[11], pt[10]); + pack_word(K[15], K[12], K[13], K[14], pt[11]); +#else + pt[0] = *(uint32_t*)(&CNT[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pt[4] = *(uint32_t*)(&T[0]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pt[6] = *(uint32_t*)(&T[8]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); + + pt[8] = *(uint32_t*)(&K[0]); + 
pack_word(K[7], K[4], K[5], K[6], pt[9]); + pt[10] = *(uint32_t*)(&K[8]); + pack_word(K[15], K[12], K[13], K[14], pt[11]); +#endif + +#ifdef ___SKINNY_LOOP + RunEncryptionKeyScheduleTK3(pskinny_ctrl->roundKeys, RC); +#else + RunEncryptionKeyScheduleTK3(pskinny_ctrl->roundKeys); +#endif + RunEncryptionKeyScheduleTK2(pskinny_ctrl->roundKeys); + Encrypt(input, pskinny_ctrl->roundKeys, SBOX, SBOX2); + + pskinny_ctrl->func_skinny_128_384_enc = skinny_128_384_enc12_12; + +} + +void skinny_128_384_enc12_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K) +{ + (void)K; + + uint32_t *pt = &pskinny_ctrl->roundKeys[0]; +#ifndef ___ENABLE_WORD_CAST + pack_word(CNT[0], CNT[1], CNT[2], CNT[3], pt[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pack_word(T[0], T[1], T[2], T[3], pt[4]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pack_word(T[8], T[9], T[10], T[11], pt[6]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); +#else + pt[0] = *(uint32_t*)(&CNT[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pt[4] = *(uint32_t*)(&T[0]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pt[6] = *(uint32_t*)(&T[8]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); +#endif + + RunEncryptionKeyScheduleTK2(pskinny_ctrl->roundKeys); + Encrypt(input, pskinny_ctrl->roundKeys, SBOX, SBOX2); + +} + +extern void skinny_128_384_enc1_1 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K) +{ + (void)T; + (void)K; + + uint32_t *pt = &pskinny_ctrl->roundKeys[0]; +#ifndef ___ENABLE_WORD_CAST + pack_word(CNT[0], CNT[1], CNT[2], CNT[3], pt[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); +#else + pt[0] = *(uint32_t*)(&CNT[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); +#endif + + Encrypt(input, pskinny_ctrl->roundKeys, SBOX, SBOX2); + +} + +#define PERMUTATION_TK1() \ +/* permutation */ \ + \ + PERMUTATION(); \ + \ + /* store */ \ + \ + *tk1++ = 
w0; \ + *tk1++ = w1; + +#define SBOX_0(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox[t0]; \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0) ^ \ + (t1 << 8) ^ \ + (t2 << 16) ^ \ + (t3 << 24); + +#define SBOX_8(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox[t0]; \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0 << 8) ^ \ + (t1 << 16) ^ \ + (t2 << 24) ^ \ + (t3); + +#define SBOX_16(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox2[t0]; /* AC(c2) */ \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0 << 16) ^ \ + (t1 << 24) ^ \ + (t2) ^ \ + (t3 << 8); + +#define SBOX_24(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox[t0]; \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0 << 24) ^ \ + (t1) ^ \ + (t2 << 8) ^ \ + (t3 << 16); + +#define SKINNY_MAIN() \ + \ + /* odd */ \ + \ + /* LUT(with ShiftRows) */ \ + \ + SBOX_0(w0); \ + SBOX_8(w1); \ + SBOX_16(w2); \ + SBOX_24(w3); \ + \ + /* LUT(with ShiftRows & AC(c2) */ \ + \ + w0 ^= *tk2++; \ + w1 ^= *tk2++; \ + \ + /* Load TK1 */ \ + \ + w0 ^= *tk1++; \ + w1 ^= *tk1++; \ + \ + /* MC */ \ + /* 0 2 3 */ \ + /* 0 */ \ + /* 1 2 */ \ + /* 0 2 */ \ + \ + /* 0^2 */ \ + t0 = w0 ^ w2; \ + \ + /* 1^2 */ \ + w2 = w1 ^ w2; \ + \ + /* 0 */ \ + w1 = w0; \ + \ + /* 0^2^3 */ \ + w0 = t0 ^ w3; \ + \ + /* 0^2 */ \ + w3 = t0; \ + \ + /* even */ \ + \ + /* LUT(with ShiftRows & AC(c2) */ \ + \ + SBOX_0(w0); \ + SBOX_8(w1); \ + SBOX_16(w2); \ + SBOX_24(w3); \ + \ + /* Load TK2^TK3^AC(c0 c1) */ \ + \ + w0 ^= *tk2++; \ + w1 ^= *tk2++; \ + \ + /* MC */ \ + /* 0 2 3 */ \ + /* 0 */ \ + /* 1 2 */ \ + /* 0 2 */ \ + \ + /* 0^2 */ \ + t0 = w0 ^ w2; \ + \ + /* 1^2 */ \ + w2 = w1 ^ w2; \ + \ 
+ /* 0 */ \ + w1 = w0; \ + \ + /* 0^2^3 */ \ + w0 = t0 ^ w3; \ + \ + /* 0^2 */ \ + w3 = t0; + +#ifndef ___SKINNY_LOOP + +void Encrypt(unsigned char *block, uint32_t *roundKeys, unsigned char *sbox, unsigned char *sbox2) +{ + uint32_t *tk1; + uint32_t *tk2; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t t3; // used in MACRO + uint32_t w0; + uint32_t w1; + uint32_t w2; + uint32_t w3; + +// TK1 + + // load master key + w0 = roundKeys[0]; + w1 = roundKeys[1]; + + // 1st round + // not need to store + + tk1 = &roundKeys[2]; + + // 2nd, ... ,8th round + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + +// SB+AC+ShR+MC + +#ifndef ___ENABLE_WORD_CAST + pack_word(block[0], block[1], block[2], block[3], w0); + pack_word(block[4], block[5], block[6], block[7], w1); + pack_word(block[8], block[9], block[10], block[11], w2); + pack_word(block[12], block[13], block[14], block[15], w3); +#else + w0 = *(uint32_t*)(&block[0]); + w1 = *(uint32_t*)(&block[4]); + w2 = *(uint32_t*)(&block[8]); + w3 = *(uint32_t*)(&block[12]); +#endif + + tk2 = &roundKeys[16]; + tk1 = &roundKeys[0]; + + // 1st, ...,16th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + + tk1 = &roundKeys[0]; + + // 17th, ...,32th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + + tk1 = &roundKeys[0]; + + // 33th, ...,40th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 41th, ...,48th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + + tk1 = &roundKeys[0]; + + // 49th, ... 
,56th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + +#endif + +#ifndef ___ENABLE_WORD_CAST + unpack_word(block[0], block[1], block[2], block[3], w0); + unpack_word(block[4], block[5], block[6], block[7], w1); + unpack_word(block[8], block[9], block[10], block[11], w2); + unpack_word(block[12], block[13], block[14], block[15], w3); +#else + *(uint32_t*)(&block[0]) = w0; + *(uint32_t*)(&block[4]) = w1; + *(uint32_t*)(&block[8]) = w2; + *(uint32_t*)(&block[12]) = w3; +#endif + +} + +#else + +void Encrypt(unsigned char *block, uint32_t *roundKeys, unsigned char *sbox, unsigned char *sbox2) +{ + uint32_t *tk1; + uint32_t *tk2; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t t3; // used in MACRO + uint32_t w0; + uint32_t w1; + uint32_t w2; + uint32_t w3; + +// TK1 + + // load master key + w0 = roundKeys[0]; + w1 = roundKeys[1]; + + // 1st round + // not need to store + + tk1 = &roundKeys[2]; + + // 2nd, ... ,8th round + for(int i=0;i<7;i++) + { + PERMUTATION_TK1(); + } + +// SB+AC+ShR+MC + +#ifndef ___ENABLE_WORD_CAST + pack_word(block[0], block[1], block[2], block[3], w0); + pack_word(block[4], block[5], block[6], block[7], w1); + pack_word(block[8], block[9], block[10], block[11], w2); + pack_word(block[12], block[13], block[14], block[15], w3); +#else + w0 = *(uint32_t*)(&block[0]); + w1 = *(uint32_t*)(&block[4]); + w2 = *(uint32_t*)(&block[8]); + w3 = *(uint32_t*)(&block[12]); +#endif + + tk2 = &roundKeys[16]; + + // 1st, ... ,32th or 48th round +#ifndef ___NUM_OF_ROUNDS_56 + for(int j=0;j<2;j++) +#else + for(int j=0;j<3;j++) +#endif + { + tk1 = &roundKeys[0]; + for(int i=0;i<8;i++) + { + SKINNY_MAIN(); + } + } + + // 33th , ... ,40th or 49th, .... 
,56th round + { + tk1 = &roundKeys[0]; + for(int i=0;i<4;i++) + { + SKINNY_MAIN(); + } + } +#ifndef ___ENABLE_WORD_CAST + unpack_word(block[0], block[1], block[2], block[3], w0); + unpack_word(block[4], block[5], block[6], block[7], w1); + unpack_word(block[8], block[9], block[10], block[11], w2); + unpack_word(block[12], block[13], block[14], block[15], w3); +#else + *(uint32_t*)(&block[0]) = w0; + *(uint32_t*)(&block[4]) = w1; + *(uint32_t*)(&block[8]) = w2; + *(uint32_t*)(&block[12]) = w3; +#endif + +} + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-skinny128-avr.S b/romulus/Implementations/crypto_aead/romulusm1/rhys/internal-skinny128-avr.S similarity index 100% rename from romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-skinny128-avr.S rename to romulus/Implementations/crypto_aead/romulusm1/rhys/internal-skinny128-avr.S diff --git a/romulus/Implementations/crypto_aead/romulusm1/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusm1/rhys/internal-skinny128.c index 65ba4ed..579ced1 100644 --- a/romulus/Implementations/crypto_aead/romulusm1/rhys/internal-skinny128.c +++ b/romulus/Implementations/crypto_aead/romulusm1/rhys/internal-skinny128.c @@ -25,6 +25,8 @@ #include "internal-util.h" #include +#if !defined(__AVR__) + STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) { /* This function is used to fast-forward the TK1 tweak value 
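Review bot: `SBOX`, `SBOX2` and `RC` are writable globals with external linkage, so the S-box lives in `.data` rather than `.rodata` and any stray write anywhere in the process can silently alter the cipher, while the generic exported names `SBOX`, `RC` and `Encrypt` can collide when more than one implementation is linked into the same benchmark binary. Declaring them `static const unsigned char SBOX[] =` (likewise `SBOX2` and `RC`) and making `Encrypt`'s `sbox`/`sbox2` parameters `const unsigned char *` fixes both, provided no other translation unit references these symbols. With `___ENABLE_WORD_CAST` defined in skinny.h, `pt[0] = *(uint32_t*)(&CNT[0]);` and the matching casts on `T`, `K` and `block` read `unsigned char` buffers through a `uint32_t` lvalue, which violates strict aliasing and can fault on targets without unaligned access; `memcpy(&pt[0], &CNT[0], sizeof pt[0]);` keeps the single-load code where the target allows it. Every `sbox[t0]` lookup is indexed by key- and plaintext-dependent bytes, so on platforms with a data cache this table-driven SKINNY is not constant-time; that is an inherent trade-off of the table design, but it should be stated in the file header so integrators can judge it.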
@@ -55,42 +57,33 @@ STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
 ((row3 << 24) & 0xFF000000U);
 }
 
-int skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char *key,
- size_t key_len)
+void skinny_128_384_init
+ (skinny_128_384_key_schedule_t *ks, const unsigned char key[48])
 {
+#if !SKINNY_128_SMALL_SCHEDULE
 uint32_t TK2[4];
 uint32_t TK3[4];
 uint32_t *schedule;
 unsigned round;
 uint8_t rc;
-
- /* Validate the parameters */
- if (!ks || !key || (key_len != 32 && key_len != 48))
- return 0;
-
+#endif
+
+#if SKINNY_128_SMALL_SCHEDULE
+ /* Copy the input key as-is when using the small key schedule version */
+ memcpy(ks->TK1, key, sizeof(ks->TK1));
+ memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
+ memcpy(ks->TK3, key + 32, sizeof(ks->TK3));
+#else
 /* Set the initial states of TK1, TK2, and TK3 */
- if (key_len == 32) {
- memset(ks->TK1, 0, sizeof(ks->TK1));
- TK2[0] = le_load_word32(key);
- TK2[1] = le_load_word32(key + 4);
- TK2[2] = le_load_word32(key + 8);
- TK2[3] = le_load_word32(key + 12);
- TK3[0] = le_load_word32(key + 16);
- TK3[1] = le_load_word32(key + 20);
- TK3[2] = le_load_word32(key + 24);
- TK3[3] = le_load_word32(key + 28);
- } else {
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
- }
+ memcpy(ks->TK1, key, 16);
+ TK2[0] = le_load_word32(key + 16);
+ TK2[1] = le_load_word32(key + 20);
+ TK2[2] = le_load_word32(key + 24);
+ TK2[3] = le_load_word32(key + 28);
+ TK3[0] = le_load_word32(key + 32);
+ TK3[1] = le_load_word32(key + 36);
+ TK3[2] = le_load_word32(key + 40);
+ TK3[3] = le_load_word32(key + 44);
 
 /* Set up the key schedule using TK2 and TK3. TK1 is not added
 * to the key schedule because we will derive that part of the
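Review bot: The new `const unsigned char key[48]` parameter is documentation only: it decays to a pointer, so a caller that still passes the former 32-byte key (or NULL) now reads 16 bytes past its buffer with no diagnostic where the removed `key_len` check used to return 0. Writing it as `const unsigned char key[static 48]` lets GCC and Clang warn on NULL and on arrays known to be shorter without reinstating a runtime check, and the header's doc comment should state that exactly 48 bytes are read (TK1 at offset 0, TK2 at 16, TK3 at 32). The same applies to `skinny_128_256_init` and its `key[32]` in the `@@ -408,33 +491,27 @@` hunk further down. The function body continues in the next hunk.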
@@ -116,20 +109,7 @@ int skinny_128_384_init
 skinny128_LFSR3(TK3[0]);
 skinny128_LFSR3(TK3[1]);
 }
- return 1;
-}
-
-int skinny_128_384_set_tweak
- (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak,
- size_t tweak_len)
-{
- /* Validate the parameters */
- if (!ks || !tweak || tweak_len != 16)
- return 0;
-
- /* Set TK1 directly from the tweak value */
- memcpy(ks->TK1, tweak, 16);
- return 1;
+#endif
 }
 
 void skinny_128_384_encrypt
@@ -138,7 +118,13 @@ void skinny_128_384_encrypt
 {
 uint32_t s0, s1, s2, s3;
 uint32_t TK1[4];
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint32_t TK3[4];
+ uint8_t rc = 0;
+#else
 const uint32_t *schedule = ks->k;
+#endif
 uint32_t temp;
 unsigned round;
 
@@ -148,14 +134,24 @@ void skinny_128_384_encrypt
 s2 = le_load_word32(input + 8);
 s3 = le_load_word32(input + 12);
 
- /* Make a local copy of the tweakable part of the state, TK1 */
+ /* Make a local copy of the tweakable part of the state */
 TK1[0] = le_load_word32(ks->TK1);
 TK1[1] = le_load_word32(ks->TK1 + 4);
 TK1[2] = le_load_word32(ks->TK1 + 8);
 TK1[3] = le_load_word32(ks->TK1 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK2[0] = le_load_word32(ks->TK2);
+ TK2[1] = le_load_word32(ks->TK2 + 4);
+ TK2[2] = le_load_word32(ks->TK2 + 8);
+ TK2[3] = le_load_word32(ks->TK2 + 12);
+ TK3[0] = le_load_word32(ks->TK3);
+ TK3[1] = le_load_word32(ks->TK3 + 4);
+ TK3[2] = le_load_word32(ks->TK3 + 8);
+ TK3[3] = le_load_word32(ks->TK3 + 12);
+#endif
 
 /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
+ for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
 /* Apply the S-box to all bytes in the state */
 skinny128_sbox(s0);
 skinny128_sbox(s1);
@@ -163,8 +159,15 @@ void skinny_128_384_encrypt
 skinny128_sbox(s3);
 
 /* Apply the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
+#else
 s0 ^= schedule[0] ^ TK1[0];
 s1 ^= schedule[1] ^ TK1[1];
+#endif
 s2 ^= 0x02;
 
 /* Shift the cells in the rows right, which moves the cell
@@ -185,6 +188,16 @@ void skinny_128_384_encrypt
 
 /* Permute TK1 for the next round */
 skinny128_permute_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_permute_tk(TK2);
+ skinny128_permute_tk(TK3);
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+#else
+ schedule += 2;
+#endif
 }
 
 /* Pack the result into the output buffer */
@@ -200,7 +213,13 @@ void skinny_128_384_decrypt
 {
 uint32_t s0, s1, s2, s3;
 uint32_t TK1[4];
- const uint32_t *schedule;
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint32_t TK3[4];
+ uint8_t rc = 0x15;
+#else
+ const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
+#endif
 uint32_t temp;
 unsigned round;
 
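Review bot: The round-constant update `rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; rc &= 0x3F;` is written out here in `skinny_128_384_encrypt` and again verbatim in `skinny_128_384_encrypt_tk2` (`@@ -294,8 +363,15 @@`), with its inverse `rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);` in `skinny_128_384_decrypt` (`@@ -240,8 +291,15 @@`). The file already wraps the tweakey LFSRs in macros such as `skinny128_LFSR2`, so a matching pair, say `skinny128_LFSR_RC(rc)` and `skinny128_inv_LFSR_RC(rc)`, defined beside them would keep the three copies in step and give the inverse form one place to be explained. The enclosing round loop starts and ends outside this hunk.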
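Review bot: `uint8_t rc = 0x15;` in `skinny_128_384_decrypt` is an unexplained constant that is correct for exactly one round count: one inverse LFSR step from 0x15 yields 0x0a, which matches the constant the NEC `RC` table elsewhere in this diff lists for round 56, whereas the encrypt side starts from `rc = 0` and is valid for any `SKINNY_128_384_ROUNDS`. If the round count is ever changed (for example to 40 for SKINNY-128-384+), decryption would silently stop inverting encryption. Add `/* LFSR state preceding round SKINNY_128_384_ROUNDS (56); regenerate if the round count changes */` above the line, and a compile-time guard such as `#if SKINNY_128_384_ROUNDS != 56` / `#error "rc seed assumes 56 rounds"` / `#endif` beside it so the coupling cannot be missed.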
@@ -215,15 +234,47 @@ void skinny_128_384_decrypt
 TK1[1] = le_load_word32(ks->TK1 + 4);
 TK1[2] = le_load_word32(ks->TK1 + 8);
 TK1[3] = le_load_word32(ks->TK1 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK2[0] = le_load_word32(ks->TK2);
+ TK2[1] = le_load_word32(ks->TK2 + 4);
+ TK2[2] = le_load_word32(ks->TK2 + 8);
+ TK2[3] = le_load_word32(ks->TK2 + 12);
+ TK3[0] = le_load_word32(ks->TK3);
+ TK3[1] = le_load_word32(ks->TK3 + 4);
+ TK3[2] = le_load_word32(ks->TK3 + 8);
+ TK3[3] = le_load_word32(ks->TK3 + 12);
+#endif
 
 /* Permute TK1 to fast-forward it to the end of the key schedule */
 skinny128_fast_forward_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_fast_forward_tk(TK2);
+ skinny128_fast_forward_tk(TK3);
+ for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) {
+ // Also fast-forward the LFSR's on every byte of TK2 and TK3.
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ skinny128_LFSR2(TK2[2]);
+ skinny128_LFSR2(TK2[3]);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+ skinny128_LFSR3(TK3[2]);
+ skinny128_LFSR3(TK3[3]);
+ }
+#endif
 
 /* Perform all decryption rounds */
- schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) {
+ for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
 /* Inverse permutation on TK1 for this round */
 skinny128_inv_permute_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_inv_permute_tk(TK2);
+ skinny128_inv_permute_tk(TK3);
+ skinny128_LFSR3(TK2[2]);
+ skinny128_LFSR3(TK2[3]);
+ skinny128_LFSR2(TK3[2]);
+ skinny128_LFSR2(TK3[3]);
+#endif
 
 /* Inverse mix of the columns */
 temp = s3;
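Review bot: The fast-forward loop `for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2)` steps every word of TK2 and TK3 once per pair of rounds, which is only exact when `SKINNY_128_384_ROUNDS` is even; that assumption is not written down, so a comment such as `/* Each word is stepped once per two rounds; assumes an even round count */` would anchor it. The new `// Also fast-forward the LFSR's on every byte of TK2 and TK3.` uses a `//` comment where the rest of this file uses `/* */` block comments. In the small-schedule build this whole fast-forward is recomputed on every decrypt call, which is the price of the memory saving and is worth a sentence in the function's doc comment.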
@@ -240,8 +291,15 @@ void skinny_128_384_decrypt
 s3 = leftRotate8(s3);
 
 /* Apply the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
+ s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
+#else
 s0 ^= schedule[0] ^ TK1[0];
 s1 ^= schedule[1] ^ TK1[1];
+ schedule -= 2;
+#endif
 s2 ^= 0x02;
 
 /* Apply the inverse of the S-box to all bytes in the state */
@@ -259,13 +317,18 @@ void skinny_128_384_decrypt
 }
 
 void skinny_128_384_encrypt_tk2
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ (skinny_128_384_key_schedule_t *ks, unsigned char *output,
 const unsigned char *input, const unsigned char *tk2)
 {
 uint32_t s0, s1, s2, s3;
 uint32_t TK1[4];
 uint32_t TK2[4];
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK3[4];
+ uint8_t rc = 0;
+#else
 const uint32_t *schedule = ks->k;
+#endif
 uint32_t temp;
 unsigned round;
 
@@ -275,7 +338,7 @@ void skinny_128_384_encrypt_tk2
 s2 = le_load_word32(input + 8);
 s3 = le_load_word32(input + 12);
 
- /* Make a local copy of the tweakable part of the state, TK1/TK2 */
+ /* Make a local copy of the tweakable part of the state */
 TK1[0] = le_load_word32(ks->TK1);
 TK1[1] = le_load_word32(ks->TK1 + 4);
 TK1[2] = le_load_word32(ks->TK1 + 8);
@@ -284,9 +347,15 @@ void skinny_128_384_encrypt_tk2
 TK2[1] = le_load_word32(tk2 + 4);
 TK2[2] = le_load_word32(tk2 + 8);
 TK2[3] = le_load_word32(tk2 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK3[0] = le_load_word32(ks->TK3);
+ TK3[1] = le_load_word32(ks->TK3 + 4);
+ TK3[2] = le_load_word32(ks->TK3 + 8);
+ TK3[3] = le_load_word32(ks->TK3 + 12);
+#endif
 
 /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
+ for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
 /* Apply the S-box to all bytes in the state */
 skinny128_sbox(s0);
 skinny128_sbox(s1);
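Review bot: `skinny_128_384_encrypt_tk2` drops the `const` from its `ks` parameter in the `@@ -259,13 +317,18 @@` hunk, yet nothing in the visible new body writes through `ks` (it only reads `ks->TK1`, `ks->TK3` and `ks->k`), so the qualifier should stay: `(const skinny_128_384_key_schedule_t *ks, unsigned char *output,`. Removing it forces callers holding a const schedule to cast and weakens the guarantee that encryption never alters the key schedule; if there is a reason for the change it is not visible here, and the header declaration should agree either way. The function's round loop continues past this hunk.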
@@ -294,8 +363,15 @@ void skinny_128_384_encrypt_tk2 skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -319,6 +395,13 @@ void skinny_128_384_encrypt_tk2 skinny128_permute_tk(TK2); skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK3); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -408,33 +491,27 @@ void skinny_128_384_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t *schedule; unsigned round; uint8_t rc; +#endif - /* Validate the parameters */ - if (!ks || !key || (key_len != 16 && key_len != 32)) - return 0; - +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); +#else /* Set the initial states of TK1 and TK2 */ - if (key_len == 16) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); /* Set up the key schedule using TK2. TK1 is not added * to the key schedule because we will derive that part of the @@ -457,20 +534,7 @@ int skinny_128_256_init skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); } - return 1; -} - -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_256_encrypt 
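Review bot: skinny_128_256_init now reads 32 bytes unconditionally, via `memcpy(ks->TK2, key + 16, sizeof(ks->TK2))` in the small-schedule branch and the `le_load_word32(key + 16 .. 28)` loads in the other, but the removed guard `if (!ks || !key || (key_len != 16 && key_len != 32)) return 0;` has no replacement and a `key[32]` parameter declarator is not enforced by the compiler. Any caller still using the former 16-byte key form would read 16 bytes past its buffer; the one caller in this diff, romulus3_init, has been updated to build a 32-byte TK, so the exposure is limited to callers outside this change. The header hunks at -66 and -180 drop the `key_len` paragraph but leave `\param key Points to the key data.` with no length, so suggest `\param key Points to the 32 bytes of key data (TK1 followed by TK2).` there and the 48-byte equivalent for skinny_128_384_init.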
@@ -479,7 +543,12 @@ void skinny_128_256_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -494,18 +563,31 @@ void skinny_128_256_encrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); skinny128_sbox(s2); skinny128_sbox(s3); - /* Apply the subkey for this round */ + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -524,8 +606,15 @@ void skinny_128_256_encrypt s1 = s0; s0 = temp; - /* Permute TK1 for the next round */ + /* Permute TK1 and TK2 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -541,7 +630,12 @@ void skinny_128_256_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; @@ -558,12 +652,29 @@ void skinny_128_256_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif /* Inverse mix of the columns */ temp = s3; @@ -580,8 +691,15 @@ void skinny_128_256_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ 
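Review bot: The initialiser `uint8_t rc = 0x09;` in the small-schedule branch is a bare magic number tied to the round count. Working it from the forward step in the -494 hunk, and assuming SKINNY_128_256_ROUNDS is 48, 0x09 is the LFSR state after 49 forward steps (the sequence reaches 0x04 at step 48), which is what the -580 hunk needs because it steps the constant backwards once before using it. Suggest `uint8_t rc = 0x09; /* rc LFSR state after ROUNDS + 1 steps; stepped back before use */` so anyone changing SKINNY_128_256_ROUNDS knows this constant must change with it. The corresponding initialiser for skinny_128_384_decrypt lies outside this chunk and deserves the same comment.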
@@ -670,142 +788,14 @@ void skinny_128_256_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len) -{ - uint32_t TK1[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || key_len != 16) - return 0; - - /* Set the initial state of TK1 */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); +#else /* __AVR__ */ - /* Set up the key schedule using TK1 */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. - * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK1[0] ^ (rc & 0x0F); - schedule[1] = TK1[1] ^ (rc >> 4); - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); - } - return 1; -} - -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) { - uint32_t s0, s1, s2, s3; - const uint32_t *schedule = ks->k; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; 
- s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); } -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - const uint32_t *schedule; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; - s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} +#endif /* __AVR__ */ 
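Review bot: In the `__AVR__` branch skinny_128_384_encrypt_tk2 writes the caller's tweak into the schedule with `memcpy(ks->TK2, tk2, 16);` and never restores it, so any later skinny_128_384_encrypt() on the same ks uses the last tk2 instead of the zero TK2 the header tells callers to initialise, whereas the non-AVR body in the -259 hunk leaves ks untouched, so the two builds diverge here. If callers only ever use one of the two entry points per schedule this is harmless, but that cannot be seen from this diff. Either save and restore around the call, `unsigned char saved[16]; memcpy(saved, ks->TK2, 16); ... memcpy(ks->TK2, saved, 16);`, or make the header's `\note` at -133 concrete: `\note In the small key schedule build this function overwrites ks->TK2 with tk2 and leaves it there.` The `memcpy` also needs `<string.h>`, which is presumably already included for the existing memcpy calls but is not visible in this chunk.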
diff --git a/romulus/Implementations/crypto_aead/romulusm1/rhys/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusm1/rhys/internal-skinny128.h index 76b34f5..2bfda3c 100644 --- a/romulus/Implementations/crypto_aead/romulusm1/rhys/internal-skinny128.h +++ b/romulus/Implementations/crypto_aead/romulusm1/rhys/internal-skinny128.h @@ -39,6 +39,16 @@ extern "C" { #endif /** + * \def SKINNY_128_SMALL_SCHEDULE + * \brief Defined to 1 to use the small key schedule version of SKINNY-128. + */ +#if defined(__AVR__) +#define SKINNY_128_SMALL_SCHEDULE 1 +#else +#define SKINNY_128_SMALL_SCHEDULE 0 +#endif + +/** * \brief Size of a block for SKINNY-128 block ciphers. */ #define SKINNY_128_BLOCK_SIZE 16 @@ -56,8 +66,16 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; + + /** TK3 for the small key schedule */ + uint8_t TK3[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_384_ROUNDS * 2]; +#endif } skinny_128_384_key_schedule_t; 
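Review bot: `SKINNY_128_SMALL_SCHEDULE` is forced to 1 only under `__AVR__` and to 0 everywhere else, so the whole small-schedule code path, and the different struct layout the -56 hunk selects with it, can only ever be compiled for the target and never on a host where it could run under ASan/UBSan against the KAT vectors. Wrapping the definition in `#if !defined(SKINNY_128_SMALL_SCHEDULE)` ... `#endif` lets a build pass `-DSKINNY_128_SMALL_SCHEDULE=1` to exercise that path off-target; the same applies to `LW_CRYPTO_ROTATE32_COMPOSED` in the internal-util.h hunk at -238. Because the layout of skinny_128_384_key_schedule_t depends on the macro, every translation unit must see the same value, and the `\def` comment should say so.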
@@ -66,29 +84,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 32 or 48, - * where 32 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); /** * \brief Encrypts a 128-bit block with SKINNY-128-384. @@ -133,9 +131,12 @@ void skinny_128_384_decrypt * This version is useful when both TK1 and TK2 change from block to block. * When the key is initialized with skinny_128_384_init(), the TK2 part of * the key value should be set to zero. + * + * \note Some versions of this function may modify the key schedule to + * copy tk2 into place. */ void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2); /** @@ -170,8 +171,13 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_256_ROUNDS * 2]; +#endif } skinny_128_256_key_schedule_t; 
@@ -180,29 +186,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16 or 32, - * where 16 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); /** * \brief Encrypts a 128-bit block with SKINNY-128-256. 
@@ -251,63 +237,6 @@ void skinny_128_256_encrypt_tk_full (const unsigned char key[32], unsigned char *output, const unsigned char *input); -/** - * \brief Number of rounds for SKINNY-128-128. - */ -#define SKINNY_128_128_ROUNDS 40 - -/** - * \brief Structure of the key schedule for SKINNY-128-128. - */ -typedef struct -{ - /** Words of the key schedule */ - uint32_t k[SKINNY_128_128_ROUNDS * 2]; - -} skinny_128_128_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-128. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - #ifdef __cplusplus } #endif 
diff --git a/romulus/Implementations/crypto_aead/romulusm1/rhys/internal-util.h b/romulus/Implementations/crypto_aead/romulusm1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/romulus/Implementations/crypto_aead/romulusm1/rhys/internal-util.h
+++ b/romulus/Implementations/crypto_aead/romulusm1/rhys/internal-util.h
@@ -238,6 +238,17 @@ } \ } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */ /* Generic left rotate */
@@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 
15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */ /* Generic left rotate */
diff --git a/romulus/Implementations/crypto_aead/romulusm1/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusm1/rhys/romulus.c
index be1c0fa..bb19cc5 100644
--- a/romulus/Implementations/crypto_aead/romulusm1/rhys/romulus.c
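Review bot: The 62 composed rotation macros are compiled only when `LW_CRYPTO_ROTATE32_COMPOSED` is set, and nothing in the diff checks that each one equals the generic `leftRotate((a), N)`; a miscount in one of the longer nestings, such as `leftRotate12(a)` or `leftRotate20(a)` with five chained calls, would surface only on the AVR target as a wrong cipher output. A host-side test that, with the composed block forced on, asserts `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for every N over a few values of x would catch that class of error at build time. The generic `leftRotate` appears to be a statement expression (the `}))` ending visible in the -254 hunk), so each composed macro nests several `({ })` blocks; worth confirming the AVR compiler folds them into the intended shift sequence rather than materialising every temporary.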
+++ b/romulus/Implementations/crypto_aead/romulusm1/rhys/romulus.c @@ -116,14 +116,15 @@ static void romulus1_init (skinny_128_384_key_schedule_t *ks, const unsigned char *k, const unsigned char *npub) { - unsigned char TK[32]; + unsigned char TK[48]; + TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */ + memset(TK + 1, 0, 15); if (npub) - memcpy(TK, npub, 16); + memcpy(TK + 16, npub, 16); else - memset(TK, 0, 16); - memcpy(TK + 16, k, 16); - skinny_128_384_init(ks, TK, sizeof(TK)); - ks->TK1[0] = 0x01; /* Initialize the 56-bit LFSR counter */ + memset(TK + 16, 0, 16); + memcpy(TK + 32, k, 16); + skinny_128_384_init(ks, TK); } /** @@ -138,14 +139,18 @@ static void romulus2_init (skinny_128_384_key_schedule_t *ks, const unsigned char *k, const unsigned char *npub) { - unsigned char TK[32]; - memcpy(TK, k, 16); - memset(TK + 16, 0, 16); - TK[16] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ - skinny_128_384_init(ks, TK, sizeof(TK)); - ks->TK1[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ - if (npub) - memcpy(ks->TK1 + 4, npub, 12); + unsigned char TK[48]; + TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ + if (npub) { + TK[1] = TK[2] = TK[3] = 0; + memcpy(TK + 4, npub, 12); + } else { + memset(TK + 1, 0, 15); + } + memcpy(TK + 16, k, 16); + TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ + memset(TK + 33, 0, 15); + skinny_128_384_init(ks, TK); } /** @@ -160,10 +165,16 @@ static void romulus3_init (skinny_128_256_key_schedule_t *ks, const unsigned char *k, const unsigned char *npub) { - skinny_128_256_init(ks, k, 16); - ks->TK1[0] = 0x01; /* Initialize the 24-bit LFSR counter */ - if (npub) - memcpy(ks->TK1 + 4, npub, 12); + unsigned char TK[32]; + TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */ + if (npub) { + TK[1] = TK[2] = TK[3] = 0; + memcpy(TK + 4, npub, 12); + } else { + memset(TK + 1, 0, 15); + } + memcpy(TK + 16, k, 16); + skinny_128_256_init(ks, TK); } /** 
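Review bot: All three init helpers now assemble the full tweakey, secret key included, in a stack array `TK` that is left in place when the function returns; before this change romulus3_init passed `k` straight to skinny_128_256_init without copying the key at all. Key bytes lingering in a dead stack frame are a small but real exposure on devices whose RAM can be read out, and a plain `memset(TK, 0, sizeof(TK));` after the init call may be optimised away as a dead store. If the library has a secure-clear helper, call it after `skinny_128_384_init(ks, TK);` in romulus1_init and romulus2_init and after `skinny_128_256_init(ks, TK);` in romulus3_init; if not, a comment noting the limitation would help the next reader. The `TK[1] = TK[2] = TK[3] = 0;` plus `memcpy(TK + 4, npub, 12)` pairs do fully initialise the first 16 bytes, so no uninitialised read is introduced.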
diff --git a/romulus/Implementations/crypto_aead/romulusm1v1/LWC_AEAD_KAT_128_128.txt b/romulus/Implementations/crypto_aead/romulusm1v1/LWC_AEAD_KAT_128_128.txt deleted file mode 100644 index dc9755c..0000000 --- a/romulus/Implementations/crypto_aead/romulusm1v1/LWC_AEAD_KAT_128_128.txt +++ /dev/null 
@@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = -CT = C96F00B90B047ABC5EB6EC0F15BC43CF - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00 -CT = 9A4B3E4DB525820A3E8FB2DECB430A17 - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001 -CT = FDE62DF05BAC7F8B8F0DF728A8362FB0 - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102 -CT = 616BC725C3CD253A8D13C28A803256CC - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203 -CT = 63D305F723F44956409BB12477FCC0F4 - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001020304 -CT = 8ABA74E3D2984495FC5E117B19368951 - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405 -CT = DCEE5F849E99298AF5A8B958D2958346 - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203040506 -CT = 33BE7EE65428D5EAFB583112D1D9A8B0 - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001020304050607 -CT = C26FA7855B1308EA58ED8D8AC7F8DD81 - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708 -CT = DF30EE37151E9424D054F3C3A1B2F2BE - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203040506070809 -CT = 6C1EA04E5A5F5311CAF55E0382D5F943 - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A -CT = D1DACB46342AA1C4324D97026EBF50E2 - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B -CT = D6621ABD2D11908BB2A78216135C1310 - -Count = 14 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C -CT = 3C2E3B663B7971C46880158A01A719EF - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D -CT = 336286D2347DBA5947BD76DBB9401244 - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E -CT = 0FBD389ABF97B7AA8BB16EB84F51830D - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = 9D239BAC04A370CA5196D94B2F9DE8F6 - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A66383F2C8447D288611B24D610F796E - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = DB7882042686BBF608C625327809E1D1 - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C8A2FDF9C808E609370C080726DCFBFC - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 014383A8876B66990D5406AC5E853A4C - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2541B2F43B9362D0519D5631208CFC96 - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 3F46CE6449F7C2DE697215FA443620DD - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce 
= 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B338A31B1D5CF458B211C20375550B59 - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 8F1DB8B8BCC291FA105B6BF3859F0793 - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 9ADBE9A75294B1F1B93775EE089F17BB - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 94338B82DCD560E0BE516AD2FF583295 - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 99ADD0B128B25C0BD2455D8B01976055 - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = E43FEEE48C4121FD0FFD0FDAD5350708 - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = D41256AEE7EEF93AE28A062302E02F8B - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = DF1CBB784F32BFA1787F004B0D837BEE - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = F4115577312B06F60A8816DE47FBEBDB - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = E95EE3E14DBF3C684433EE1ED971FF07 - -Count = 34 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = -CT = 691D79158D739AD24A74EF427B9C771D2A - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00 -CT = 57DE8B2CBF781D9189A621A6C6B93390B8 - -Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001 -CT = B5D44DCEB08896613F7B3EC8F70C930C1B - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102 -CT = 13A8A9E9D79FF477540A8C082D7A296CAE - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203 -CT = 08B9C7A4DDF8FB7A6F1F92BDD97BA9010C - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001020304 -CT = 4CD7237641242D0EF2885E1823101451C8 - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405 -CT = 6F43046732289A84C27B26B698DBC68C34 - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203040506 -CT = 9F4CB7B8624C3C847C57C3BE4799C8D1B0 - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001020304050607 -CT = D6DE596AFE8EE94E5FF58F8E414C208D2B - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708 -CT = FC6648E76C747134CC735572787833E2A7 - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203040506070809 -CT = F99E65A1C010553B85CF9CAE016411F33C - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A -CT = D0E7684679FC94CA4A85C06DF89F98C179 - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B -CT = AA80F62D99B9518DF0253A078322A3C823 - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C -CT = 8BB3A24084641F9AE744B13EE1E35F2241 - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = D195133399C40009F23FFAFAEC88638D27 - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = D85935B082494416AEA7D58F81ADEFF6D9 - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0AFC5AB987F6916D255ACFDE26D0BB1FBD - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5C4C6FC39FC96868FD02D364E18C38F671 - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = F3003ED2B425E99E59E58F89A00FC4E91B - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 6AE2FD15A20A9C7061E92B0E3E47A4705F - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 4A7804CD959848297BEE90E11F7C4DDB2F - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 39F252498080336AE083BE7B81471317D7 - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
6B98FD77C2A7CA6B864A04DD0E73E2A1B1 - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 04C00CB28C6B5595293767D9D73B9C38EE - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9E1A5C1991537E37C94271DB40A88271A4 - -Count = 59 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 737F3B8AF7C14B51A44BCF59256B6D167E - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4A35081F6241A5FEC6BF16C49C0D5711DB - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 3507CCCFF975437173D69080CF454E2012 - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = CB2C35BED467C0A47B2B79F4FE86D7DDAA - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C30287FF6C70678534918DA08D4B2644C1 - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = D570256A610C264767D8688EDAC0E07752 - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 3AAF3AE6FFEA74374942BD0C74E65E65E9 - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2D69E79E1F555B393724A8C631DA257AEF - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = -CT = 6BF154A33F708E421529C751871B216B2825 - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00 -CT = 696DAA45B4E9953178F9C03FAEA541904137 - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001 -CT = F32D7ADC8DF811AE19BE70C33484A705571C - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102 -CT = 22E19904FC36821F98B4189AAE751713DDD5 - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203 -CT = E9EA346FCC4F5A57045BBE9B342C6092DACC - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001020304 -CT = AB2BC72DAC71B50DB35D82AEA3BC370A7EE9 - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405 -CT = F8966632C3872043F5A50E93616D87204EC5 - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203040506 -CT = 6084248DBFC957396591F4E4967EE6554246 - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001020304050607 -CT = 78582279EA098B68DBA4F435D751923F8142 - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708 -CT = 389BDF17160A00035A21A9018E279E4CE3A0 - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203040506070809 -CT = FA86439E8EC48171B5553C043B7404C202C6 - -Count = 78 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A -CT = 5362C9C38D4AFA39B1C460EC604BEDE6D6B4 - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B -CT = B21FDECF6B7CBF09267B6CB251C83C60878D - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C -CT = A2C5C635681D42F0ECCB84D75807FEAA5E03 - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D -CT = 87BD7581A5F9C3538EA8CA974F9C71ED1CC5 - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = 22DCF2E0EDC38B4583CFB7CE193E50D9D82B - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = E313F5E4A257A0613B73CB30384799186914 - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 168BD3424DA7C7607E21CAD3AFA5EE601A72 - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 7C0ED55E620FE41431E53D5F123A63772CDE - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = EBB65F57EB175248A1A358DFACF6C72866D5 - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = AE59C5FFF2804A9D771D5F3A1971C96D08CC - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 
000102030405060708090A0B0C0D0E0F1011121314 -CT = 75CB7390C1BEAB8E14A9E2078656763D8315 - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 4BA9A32074E87426C3A1E8778033FB7D98D6 - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = ABD74D0B1CEC1BAC3D8F68C820B6BFD5FAC3 - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 3922B7D028D127210B515BA4526A15EEF7AE - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B3229E10230ED19E3115D8AAB2C2FF26C874 - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 01D5714473278DEF57D15935DFB3B3FE7876 - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = A337944BA5A7CAA09FEF5E179BA3E2061E45 - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 15E12F8205E6BD1CFC7A032D507DE132F889 - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 0F040999CF16A02720BB75F1526A5CC419E6 - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 536E270591A2B18516795B517F56EC713697 - -Count = 98 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 90E8833F25912DB60CAF3E9764715AAAE4C9 - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 879FBF60C185BBFE90853C81325F21182B60 - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = -CT = DDB582B57A3577A876B2766C97590136C83BAB - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00 -CT = 825D560C794684C2E255A8EDF03AC13D604E6B - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001 -CT = 43FC5E05814BFA2CF5F1F03DCFD170BBB6E592 - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102 -CT = F7D5C0A3BC05FE176F4CE055F23065822976FE - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203 -CT = FC33EB148FCEE7678DBB172FD358692310EBA6 - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001020304 -CT = 88B692D8E729F302F336DC454B7C3C9D8718E0 - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405 -CT = CA7B86C98164E9DD0D728D8237080A36B856A9 - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203040506 -CT = 352EE404EE69AEBDBC2521BFCC9603AC064F62 - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001020304050607 -CT = 2CC186B34A99170CC4C1AC132481979706A542 - -Count = 109 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708 -CT = 7549A468F7C000D3B99BDD89281CFAF52FE38E - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203040506070809 -CT = 6C02C03116E1F0DEE0FC5640122A4E8FB2C12C - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A -CT = 7955239C25D6238FA1BB98C5D4C7E92C36896D - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B -CT = A76AB94EC0202CCD49E60750C253924A2F3B88 - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C -CT = 60EA7E28735A380499BF96F222E2B1CB3862A9 - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = E8659015B8FD0B27A230F3A9D3E5D0845CF661 - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = C41E8FEA5072744AE28BEF2DF69DA618236D24 - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = 7473993FF6374FDEA46455E86C7E4445BB1224 - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 01807D575B1FB8F37E06164B797D403B502E3A - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 7A05166EFECDB16EB9F29A29D5E94699772EAF - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 
000102030405060708090A0B0C0D0E0F101112 -CT = 31DE9E74F6C94837674A78F99187A1C491AA8C - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 71D513C818BCB7DD05F8A4DF5A1C04EF4C8A96 - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = F38604BE39C4E90FDCD64A591DCDBFBCA2B0CD - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 4FD79040A1DAFBDB7DC37B448E054F49DB0CE4 - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 8782867EF352B07C3666A36C3E85BB76ED7F73 - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = F3770FB618A261E198F1575BAFE22D708B178B - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7103019CD4CA7F098BD6A481DDF28CDDCF3B7B - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 7789A9A4A01C494EC4742B3775F4D63094C6BA - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 112D0D190317BA7B3F21F4CEE24B1DCF32E0E0 - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C4A4B648393B3851217B84D3402A549C00C1ED - -Count = 129 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 21841E79F59D58F97EE17F9241EA846EC2BF02 - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 612D39456C0A8E44CE5390D17D0C8D10E0754F - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 04809FCEFE4235BE63D882F877A71AB27514A2 - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = D9F98134BC3027D432B3A10BC925CEA785F3D4 - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = -CT = 4052A44120FD66ED59DACF9F2D5A492FC395A5D9 - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00 -CT = B6B62EADA547AD8F3785EA25368FA0ECA0E6DA95 - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001 -CT = 65F2AD866FA9DD06EEE6A062FA4C4F65B736592D - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102 -CT = E0B6AEB7D6F6CD47835F7BA0F4732045B43997D0 - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203 -CT = 70821BED5D7B290F081101AC8C73BADAB308F8E9 - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001020304 -CT = 1CFAB8C559556AC42C1CCA285DFAA12D2FA9B17D - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
00010203 -AD = 000102030405 -CT = 3B34BD0F883DE083FAFD88C92890E93E84B30F65 - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203040506 -CT = 71BB4971A148769B5AF2EB077660F906B922399E - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001020304050607 -CT = 35BA3E8ABAA0952F17357E5FEDCA907C24754BC5 - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708 -CT = 6FE59A9742DC88E51060F0DB16FF999A5CA14F50 - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203040506070809 -CT = 0CB0AD34DEDAF63935EAAEDD882B0404CEC3A22C - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A -CT = 8D45DCBDD737B6038C7E5CDAF5F9F794409E892E - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B -CT = C0408E2CFE57A31B56EE940CED5D8F0EC83F4BDD - -Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = F301063BA24577184E70EB5AF96B2DE0CF8FF998 - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = AD939252BB86009E82CD37828DDFCEF5229BAE53 - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = 95EE1A61B7F17432F694DEAEC784322D9EEE0A8D - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = 41D85E6894F4E3D4910D717A291EF51DB70FB3A9 - -Count = 150 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 36674386D450FAE8F04172B5C03E6680754B828E - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 6748AA8ECAA5D1A4115BBCB4FFA440605CC44467 - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C3991E5AD6862BC947B006A17EBE7717C14B6035 - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = DE24B009AE8F32BD51C841A2D648323A1FA932B1 - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 3C342A457E9F75B09CF99C00F41A9270E30DF9C2 - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 67AE248FDEE52D38599690ABB139F1D6A64A89D5 - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 8C5DF684E423EF78C81085CDEF74B33270E87179 - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C989BDB9533AEE746CEA375A5C4A29E9878E745C - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 05ECAA004CF00169A52375BD37F90886EB2E52E0 - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 590A4026B6F0BA2960E93DBD5DB48986185BEEB3 - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 9184D3983998DD7EB1B448E79714916B2962C304 - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8B5A00549B71D0A479CCD28C645EA08D833E430C - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 6016BD3A67707C7649A0A51BAE93509B3C6C8CB5 - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 82351297F955EBAB844C0C8D762B0BDAB5EC27D9 - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 295A1EC209A99A77F9624A226E56BC205F856FFF - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = E5180447FD41C0A2144E85177427AAC04B9677A6 - -Count = 166 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = -CT = 6573E8C8F2123AA1C1043B6598AAC22119AB9EC040 - -Count = 167 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00 -CT = 7D4430EB1F5EDB1F98F549B637B76A70B604F55B8F - -Count = 168 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001 -CT = 1EA7FC180F1FAC552A5C9BA72D8D4FFDBE7F264224 - -Count = 169 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102 -CT = 4A4FB4EC4481B720D651C8F40C67D925FEEFCC610F - -Count = 170 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203 -CT = 073F3ABA591F3E14B35412B09A93C5E26B4945A11E - -Count = 171 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001020304 -CT = EB13C6B388A1E6BC9E907B2EF9F00B8EDCA4671ED9 - -Count = 172 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405 -CT = E62E0D6431BD1BE57D2DD2031DF36071FF7F4C1CAE - -Count = 173 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203040506 -CT = AA4099E5D480BC26021E7D416AB99F59E80173A276 - -Count = 174 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001020304050607 -CT = 897B8E5DF1E3DF41BD15B79935B50A2678B02FBE42 - -Count = 175 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708 -CT = CB205C481C4B5AC27F3F3032C1A899136EA85FAE09 - -Count = 176 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203040506070809 -CT = BEF4C88D8EF3BE19DA8AF050BA2C581E6D17DB4D47 - -Count = 177 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A -CT = 42AC22694CD242CF4B3D8775E99B66F6C138132091 - -Count = 178 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B -CT = 58BDFD0D1854D54CEDF2A9651255C396E8144804A2 - -Count = 179 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C -CT = 
DDA81596C3E86E11ADEE7FF1159B00FD32B5605D47 - -Count = 180 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D -CT = CB1570C431E22931183E88479B807EE1C8B8EF4343 - -Count = 181 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E -CT = 19DEF9EDF98381AFEA2FD50323D46A5CFF4A736EDA - -Count = 182 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F -CT = 679DF3C5E24CFA00CF895730985656E21E824A20CC - -Count = 183 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 499F9FA020A318C4ED3E18A6A4CFBA86F1E7BEA901 - -Count = 184 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 4F9094A8E5038AC19E124949F74503880BE0997C59 - -Count = 185 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = EF5F2375F045B01E7EC8FA9DB686B798AD54864BB8 - -Count = 186 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = D67CB7DDBA75A70806516179C7DF17D491624F970A - -Count = 187 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 6D32B5A195E8E5424C22A1D0F74E97FBA8073D43FD - -Count = 188 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = F9DB7F8C4E60C9E3CB3A3179CE934E18BFDD1B16BF - -Count = 189 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 003BF3BAFC4D01F025E72DA0BB4AA1661C486D10F2 - -Count = 190 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 5BC5A852D62FA1B1EEE33CE436943F163B8FE23DB2 - -Count = 191 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 3C7F3B77C64E8FE370F00103DF0291E9FEA7C9BBF7 - -Count = 192 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = A3AB300242A0CFDD791EC02431EE9E48AF8F78BEE9 - -Count = 193 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = E0F218DFB892FDF4FBD3860EABEF9605B7B128EA67 - -Count = 194 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9997153DB72D3A0D5C9231911CE88B42C02C56B2A7 - -Count = 195 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2EBEA22D72D37388BBF16AB004AC4B9CA360A8E588 - -Count = 196 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 63B0482149FD9F159978006E2A969185BB1D9A3050 - -Count = 197 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C0F3F430764504BD9ECF217543DDFB5F6862711C76 - -Count = 198 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = E292F15870CFFC52540BC4575ECA18EF7841DA0F23 - -Count = 199 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = -CT = F8E71AB69663E6116FFEDA203C828BD2C8F2C0D5556A - -Count = 200 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00 -CT = 5C3E6EFB651FF0B563B1117E57C53BEDAF11B927D332 - -Count = 201 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001 -CT = BF21452266B607E5BD5F636639809C9D263BF287600D - -Count = 202 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102 -CT = CEECF74E21F815A2C0E8451DC07F37155BC35F76E070 - -Count = 203 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203 -CT = 92479B2EC749662B79B5DDFD483E2EEC7DED47B97C0A - -Count = 204 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001020304 -CT = B670025F3A4141F4E0C1C8DFE6AF59A87743CC9CD9F1 - -Count = 205 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405 -CT = CE8B0A2DDD877BAE24BA32A65D5284DB068E63FCB5BC - -Count = 206 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203040506 -CT = 216FA57FD2E7A22E70598DF2FADE3E754565C16E0453 - -Count = 207 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001020304050607 -CT = DB80FA1B6FF03BE008CB1C33634C3DE0C5648B9F13E6 - -Count = 208 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708 -CT = 603625EFAC3A9FE3167556BE02F6A7DF7B83B217BB9C 
- -Count = 209 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203040506070809 -CT = 0923D8FCAC83A4A9AF737515F10ED933354BDAD7EBEE - -Count = 210 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A -CT = BBC5F169ED2C0E30E0AAF0E74CA76DED82112ABCA88E - -Count = 211 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B -CT = 9C34095E8AEEAA2756895B63B49BE6FE80107C38F419 - -Count = 212 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C -CT = 8DEF11599C96C6FFB7AC41791E47AAEA80246FE7F261 - -Count = 213 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D -CT = 39A8FE9E1EAF0FEE8A518807D459510E46BC52804AA3 - -Count = 214 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E -CT = 40523AE8605CDC2232042258246FF10D8A96B3980D3D - -Count = 215 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F -CT = 710E298B5FC8C213D4E500ABA83AEE9A82B332DF72E9 - -Count = 216 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 09D88FCC7F9AC46A6295928CFA20D52C30FEBD5BB734 - -Count = 217 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 411AB45F4744B53415606EA152429D6A718A9A4C2149 - -Count = 218 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 
2C70F6520B78DE60D936D242CC5C295332676979FCBD - -Count = 219 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2601F00F8B8D0E4AFB6EA1D62DBE670F76D0339E6706 - -Count = 220 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DDBE54CADED50782F2B265670198A70813A75FCB33BE - -Count = 221 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = D59B1CF2A0AE142F7EF5E7760ED579E3B2FE6FC8F2F8 - -Count = 222 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 46972C28C355E0FC7DECBCE24B85BD11688858340B64 - -Count = 223 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 829780C2999011919FDE507025D2EC9AA5E4BF314687 - -Count = 224 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 289F4823F891DD2C97E2B552281E61DFB259A991B8D0 - -Count = 225 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 7AA067BDF3AD01F4010C2ED0241B0AA5E5B6AE4345CB - -Count = 226 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 29A25C2A80D5D74730F79886A8633D38421D0B757E21 - -Count = 227 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 
422878202F778ACD92F485F5EE409EAC13F1FB4F88A8 - -Count = 228 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = D32023E7EA2C043C8EE1B6F8840A400BFB1604F19F19 - -Count = 229 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 79AB38828F0AD587EDE208EF5173F7815F5DD1582351 - -Count = 230 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = AB6BF440A8B4AB3F089A965984F61336F2513ECBFE14 - -Count = 231 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 9033F4E57D48A1B7D8F810115A4EBE82316BE0E97DA9 - -Count = 232 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = -CT = 729B3B9E743BD0A795CB45DF73658FC21994161C684B1D - -Count = 233 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00 -CT = 7522FEC3873A4DF846A9DA5AC1D28461B1962EBDD4FEB5 - -Count = 234 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001 -CT = 148809D7C17A90CC7D1D6B36A7795DC1DD0C83C8FA0148 - -Count = 235 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102 -CT = FB2D25C02E313F60BE3C7B30F6BE52DB1918215C791B9E - -Count = 236 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203 -CT = DCB34AF67E7CDCD537502986F0C78CF5CBA999009BDA3D - -Count = 237 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
00010203040506 -AD = 0001020304 -CT = 0ACA1BABF7C46B8225A96150B203CC9F2F8FEFA273B5C2 - -Count = 238 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405 -CT = 1583434E2C3B5E8853BA85070C736CDFFDB87650D50BC1 - -Count = 239 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203040506 -CT = 78B1DDDE9511DA763BE6DAF18570A86D726BD831FC0E45 - -Count = 240 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001020304050607 -CT = 49C5999EE09D063642922754B02C3D81FA4D392A546436 - -Count = 241 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708 -CT = 7E15D24B95FAF3C4F966DECD29244B1018D6DA6B6DE56C - -Count = 242 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203040506070809 -CT = 4EA954580DE70C65287795A6135A26EDF883FFA65DD419 - -Count = 243 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A -CT = 525276D22131280C79640ED5D3DD9E7ADDFBE14F5CF99F - -Count = 244 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B -CT = CA5EE0A9049E41DC61242F099B80376F6F8C055DF87E15 - -Count = 245 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C -CT = 697B3B9A775E07B2A6DB5ED9EF05F76A36B67778DA98BF - -Count = 246 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D -CT = 45A7E95D365C93AF25CD8F9611853C71D633BB86AE20D9 - -Count = 247 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 
000102030405060708090A0B0C0D0E -CT = A8016C57D5593C6BEB167888789B497BCE857DAD38C2D2 - -Count = 248 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F -CT = 04A2D4BAA7D8E30FC6882E535A1BBBD5BDB440795ABBC0 - -Count = 249 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = AB0C054CAAB850E30DCCC28885347588933ED42DC17877 - -Count = 250 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B6C018728EE5A37EF5D460AE7C4D029A674F013ACF121E - -Count = 251 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 12F4AEFFD622EB161025CF18FF2E94C4232DE230A4DD82 - -Count = 252 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 401CECF463BBF2660499F2734B263CCE54DDD299860A63 - -Count = 253 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B53FA9967E6A0B8FED9B93C597F728C6C1DFB43C03570C - -Count = 254 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 157329404270B83E29BBA5CF6425F16CF8A8F0F68F15D4 - -Count = 255 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = EFE46E8E24604697228F992A2FF6AF6C1AB8CFC33CA911 - -Count = 256 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
2CA77460B4E85E180F862B37A7048F9368EBE4486BEAC0 - -Count = 257 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C683123DC8D5B8B86567DDA538289BF6A93E4C21DF5027 - -Count = 258 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BD5DB9DB7FF6DBC2925D8B0357083AA7CE19531C1DF238 - -Count = 259 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2EA62B67060EF62B9673BFC0E52BA339485DD11F3F7313 - -Count = 260 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 51ED1E5B59790C48ADA9D4382F3BA1B043ED65233F413F - -Count = 261 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = E2295DC6AA24FE9C2DFDBD0EB67AA8EA5C9D6F030D6868 - -Count = 262 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C9A7D87C459B17275D10AE0786C6365D4C65B1273A3348 - -Count = 263 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C6AA6F194BA28BF0A8362375B8899343767BE3425F08E9 - -Count = 264 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 4ECFBD8AA81A16C0A6394A785BE12ED48FE1E89CCAF3D3 - -Count = 265 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = -CT = 00562D725FA4B26F2F57CD7629A380DC70FC469DB2A526EC - -Count = 266 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00 -CT = 94ABC9FABECE2FF5FAEEBEEC4E59B56AEE414A15CA8049C2 - -Count = 267 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001 -CT = CB9B58B024B35218503A8DAF802443DAAEB417F79E73DCAF - -Count = 268 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102 -CT = 46B2893181A56B67B6959E6AD6A20113FDECF6053BECC35E - -Count = 269 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203 -CT = C3286C49D09D6C854C9DAF13A6A0F1660C4698D92EF7AE5B - -Count = 270 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001020304 -CT = 3904423E1E27FDD32E1EE0AEC68C5C310240A1F2A731F830 - -Count = 271 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405 -CT = D920638A65999BA0AFB4F4F85C4B3B00A888BEF0FCEEECDD - -Count = 272 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203040506 -CT = CF8322A1E1F163484A1C06E748494E41D23EB1CF0E8DF83F - -Count = 273 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001020304050607 -CT = 92B8C353F3189764D9049A2CE4285A23F6BE7C80AC1D2EAE - -Count = 274 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708 -CT = 95E5BAF8BAA44586DD6F9872E925486B5F4D6A62DE267ACC - -Count = 275 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203040506070809 -CT = 
86EC3C9EE7D47DB58BAE5080B13E096C2E27391DA5677F74 - -Count = 276 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A -CT = FD0AC22FCBD4FA7F24CCF48E722E6408AA9E747DA802DF20 - -Count = 277 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B -CT = 878B2DED3A349DA4E57E71F9D46A20897B052CEA9874B05A - -Count = 278 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C -CT = 229BB1090827F3F337B92D7585CACED0D2CBE41FF9649242 - -Count = 279 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D -CT = DE7B93C97A8B5AC7BD79BC730945A9230FC79C44613D4B24 - -Count = 280 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E -CT = 1B64F01EEF7D5D2F5F251B4DCA972300134D856939ECE695 - -Count = 281 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F -CT = B76A78C1675B168CEAFFF46B0EF34D795E16F4C196DFF63F - -Count = 282 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5458054D20B787BFD56C45C0AC9390CDFC4E163ED455238B - -Count = 283 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 7A229D00F96D1A30DD858D2544C02C8E3A31AE06B123EF84 - -Count = 284 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B2ACDCFA044CA7A7503965496637C774037C00533B38CEC0 - -Count = 285 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 3FA02BEBE3A1B27D10902FF144651F61D09DB77C475B4E77 - -Count = 286 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = D2982A5492C8B8AFDDED31B310740B21EBF22D689FA2C4DC - -Count = 287 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = D694571BE4AA851E58B0419DF4058A834714B4247F5E8561 - -Count = 288 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D5A14020CA29C703A9DAF5CF89A85B517DB084F11CFCE847 - -Count = 289 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = E7BA73D72A32F3485AAE1673453C9F411BDEF5A6B5323777 - -Count = 290 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 262E4331D1A386D6C9CF48C945ACE8CDC4BC6146BA5FE658 - -Count = 291 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 54F6886E9F0A72B69FAD73A605D3B2DDD1491F3D834204F6 - -Count = 292 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 662100ECB5B654F53333A9F3800F0BBC172F40AF3C04EE9C - -Count = 293 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 
BA8CCAA866577D3A768DD3C6689A8F5DAF8C3AD8E1A6A578 - -Count = 294 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 58AC6C0F2506B7835E3C82446B0E73EC7D25778EDCDE9B8C - -Count = 295 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 71279532624206781754D09BBC0087B5DDAD3D1B7977C4E9 - -Count = 296 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 70E6C7839E425F7D9FAD061F15C91066893822D23BF29FD5 - -Count = 297 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 9DA8562B60DBC7030DBD56D56B7C3F2D1FFC6351E3A7A7F7 - -Count = 298 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = -CT = 65B2390EE71A1E3C1CE35F517811BE8B66FAC4D0BBB948C767 - -Count = 299 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00 -CT = 99B39F0E4B0F5B20FE246F85CA025F2BA225CBAA04B902C808 - -Count = 300 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001 -CT = 3229F7AD8A34539D7C20B2EE3CE909247E8EF79FCE2C158C6C - -Count = 301 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102 -CT = 9C9184A04EB5D8721B7D2E436C1EF0E53F5158733BCCEADABB - -Count = 302 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203 -CT = A554CCFFCE67F990294801543EC0485EA1E5C061AE86E42073 - -Count = 303 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001020304 -CT = D214F5F59783BF8A3225D68D9121619E771858337CA2796CF2 - -Count = 304 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405 -CT = 9965C70A78FCA39B60103E4AB9FB5F5773DF2492B8B835ED2C - -Count = 305 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203040506 -CT = 20992403696CD109A8C5B7AAA6116893285C2BC26AF9DA9C7F - -Count = 306 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001020304050607 -CT = 0277198CD629C0F724C93B8180BD1868ACDEE8C4E3CED839B8 - -Count = 307 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708 -CT = 9CB7DD376A998459F513A5F8811D9D16220E7665B4A12E2C15 - -Count = 308 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203040506070809 -CT = EABFB38396B0F34D25557252430F61433E4C98ECA219457EE0 - -Count = 309 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A -CT = 05FD6871E4D4BC67C42F6E30F67C142F2846CE267E1E7DE969 - -Count = 310 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B -CT = D920D14508F84DC135217F976E57D2FC1A964A23EA1855FB42 - -Count = 311 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C -CT = E85AFC8033CE90A7DFD5B0852770ABEAB76542B457516B34EC - -Count = 312 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D -CT = 
0B1CFCBACE3F9ACF07E62FD23A9B3F02C3EFE5FDC421494007 - -Count = 313 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E -CT = B70CEF38E5881DE4A3205B8F8FC6638E617EA0BE0DEDA569C2 - -Count = 314 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F -CT = 29FD01625B6CA9E684876007B46AA3CC24220EE553E892EDC4 - -Count = 315 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = CBF301F2FCAEEC30E8EF8E9A165D6CD621F31A95DC9E409919 - -Count = 316 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 21287B919454EED8E462BD951CCF55C5E42B621266A07333EF - -Count = 317 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 1DE5FF722853B946C80A51AF99CBE7022AC99AA2BB9BE65594 - -Count = 318 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 1B1F17D8BBB4B4F6C8BE18B6EC48B252A6AB2353844A6BEA29 - -Count = 319 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 05B8597CA52FEBA2F9FFCDB12C48BF3AA5007D6C83D5E873A5 - -Count = 320 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = D3B30988A82E57FB8E31CE8438442B8895E29E9605AA471984 - -Count = 321 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2EDAD0440F6AE32D2DE683FBBA28882EF3DD7D6BA53A3A32F3 - -Count = 322 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C901B2AB60422EEEFA901FB8A3472226CC86FD50A3143B48A3 - -Count = 323 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 3E20D2A2E564889E83CFCF98E45DF4781896864A758FACFB80 - -Count = 324 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 70A46CB3E723BD4929AE27AD5D328423CE03B2DE1AFF9A22C1 - -Count = 325 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = A9B8B96FD872BBC86EDB750F0D8459D323BC82FDC34A005009 - -Count = 326 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 4F55746331A469BCFB8D81D212F4FEB436D642EF333BB2A3FE - -Count = 327 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 518075931BCD087C6A09EBDDE10767C6251BE5A4FCC533DCFE - -Count = 328 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B3131A8F163DACCC1B42AE79CA4326D65E9A972C69C98DE2CD - -Count = 329 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 
9E2386A05B967C112668D767930D2CA4E455FA4AD87D6048F6 - -Count = 330 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = A7D8A2A48210D8D4C171BC2E3B6191E9BD43072F6A60282B63 - -Count = 331 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = -CT = 55AC6D75FCF952E1A8D2E0573F2AB3E15EFE2AE59F6B5A6C93B9 - -Count = 332 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00 -CT = EA0C8CB86896C8370027F55E12A0C70BD9FBA989DBA70660E1A3 - -Count = 333 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001 -CT = 7BB888FE2837F6AF1D01C5A69A50B51157B493CC634A86C8EC9D - -Count = 334 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102 -CT = 035E952E827052A82BC1BAB33BC783D5D997CF141DE52F47FE00 - -Count = 335 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203 -CT = 76F2245E2E17AF56F1C4E205A7DD05E11DD76B567AE256B13AE1 - -Count = 336 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001020304 -CT = 20714EAE061E5784A1392EB38C362EA36665E84E86BB3C817984 - -Count = 337 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405 -CT = D63BE61E6132D4C1DCFDA86AFCFE2B191214E5664AB341138184 - -Count = 338 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203040506 -CT = A8571A698DC096C4901A84A7E173D48F50CEA54519D905DBB4F7 - -Count = 339 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 
-AD = 0001020304050607 -CT = 298209B0BD66A46DB19BA239FE23D43D17542595141DFAB34000 - -Count = 340 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708 -CT = E9604647885130C019D94A78472C003E947C5FE5723F08EAB3FB - -Count = 341 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203040506070809 -CT = C18ABA4C5B647F7851BF3096B7C2AA7E050843C8CE037B4FEB32 - -Count = 342 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A -CT = FAF9245C9FCA5E2AFFB16B1C539EEF01804100F77DD02E6FCF1A - -Count = 343 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B -CT = D47ABAFEDCFB564A85536FC18A5E17F7E3CB2EFD6C6483D9A5B7 - -Count = 344 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C -CT = 72A4CE1F171851D17EADC87CCF9501B848BCD9431F47093E3510 - -Count = 345 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D -CT = C533936AD66B07229684EFA77386C412C61F33E1FF9D8878B4D1 - -Count = 346 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E -CT = 3DA31AE9A01CD24EA12C51AD1A01635C34855475400756BD5D2A - -Count = 347 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F -CT = B4CFFC51704741A1C71F87915EEFAA500603B96A735381740D6A - -Count = 348 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 
198BDFABB6EFAF1112717F5A6BA846C1E2FA2AFA806F3439D4CA - -Count = 349 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 31D9CC1468AB2B18115D6DCC28DC31520D62A02201F79FBE1C9E - -Count = 350 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2A961BCA6E35232479AB2748EF331FDD104ACB5CACBBF1AB0AF0 - -Count = 351 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 81488B816042DF5F9A740664E7D80EE70D0F3C1A0A5425A9850E - -Count = 352 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 90A752DE05C4ECC5E2800F074CAA9CA2BC7F2E1F6275256CF75E - -Count = 353 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C771C9BAD21D39C819BD872ADE03D0CA6FC9E52A2895DE90090E - -Count = 354 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 09A64B3A859EB9F12E9F8E8B74C285027C5DC4B812E421F78A75 - -Count = 355 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 23244C67BA6AC531131A0783C987622BA81032541036BEE1930C - -Count = 356 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = D3BC6760FDA39F93315F903D0C7ED300D45DEACCFA2380C92DC4 - -Count = 357 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = ED4B1EEB5C62B4C8089F91543F311D5585585D1E09D8787B5310 - -Count = 358 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 451AC0415863ED89630AF10F0AB54CDC28D0984AA90779554843 - -Count = 359 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 750BBF97654B40272F3A8AC540606BC9AEE53E0587E28CFEEC06 - -Count = 360 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 0190D274B28FC5B1A60C3D609DA579A220FA14391B2F170200A3 - -Count = 361 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3BDB857029C19E522BEB581B13FBF2841367858CDF2E26AEF0DB - -Count = 362 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 023C89745D7ED2583BDC8B4041990CD2A514E1794360A3E9BDEB - -Count = 363 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = A4E97023B540D18641F5282F69363E7217714DC565B1429894AA - -Count = 364 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = -CT = 6738391299EF5C28BF8D5EB85E94DA2F9935DA680087318A42010F - -Count = 365 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00 
-CT = 3482427DFDBF48333B215AC462C8F2A78FA8C8CC458A7BCC2DB420 - -Count = 366 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001 -CT = 770312D13507B00AC52090649927D9BC259274199351982A8CFCC3 - -Count = 367 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102 -CT = 358320132F901278740D5F16699063A0E630D4AF5CBAEE8A5D64C3 - -Count = 368 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203 -CT = 1F7B714EDE73A34E33CAFC7849D795C71C471F46531EE7C3A05343 - -Count = 369 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001020304 -CT = E1137B620ED6CA77B102C3A806883EE82A4983F9AA1B426FDAD577 - -Count = 370 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405 -CT = 51FBAF29FF5E4BC869C02FBC8AD4211D73272EC69A53334D09D453 - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203040506 -CT = 1AE1D2C6F22D09FBC6C579D951E37085D6E594364970177003CC82 - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001020304050607 -CT = 93F548775C19EC74E3C20319B523CB9D6CCD73461D04D1AF118184 - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708 -CT = F11EC242F9516E52E51AB3727BAD561171C405489DD6829DEB5A3C - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = 0A10649BDFA0F8B6F1D8EE4CBD3BDA0AB60DB3043FEE6C1322A9DD - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = BFE2C9F86D8E90506616E2FF76F766906401D70AC165DB788D8C89 - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = 8B2093D96788227913947181996351AF80EAF87BB21B6F254627CD - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = 8AADF340535E7F5706CB6563617844454F259B5EA34FDAF94AC03B - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = B420C802624CB775A53AAC9A7AAE681729707EDDC96D468797D048 - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = C3AB27CE94E7B6F6B7C79B16304770BE4FE1DA3679A26C5036C023 - -Count = 380 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = 733FC012331A2F66DE835036FA643A32D15CDBF86D3865315D6109 - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C80A72DC1374C6B25DD50FBF60571AF5ADDB266C97498BB19AE566 - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 39FF0036DDAF3F9D3788E8B2DD900435207ED6BD4475C00E174A4E - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 3E4EE9C89FAD1924A34C5C4FA8D335089AA99BCF1A34B1348D0750 - -Count = 384 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 84BA4D4A46DC34B694496D5E21476E78040B25B636DC5154FF155C - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 3F4DF7A9A040756F3FD21C17C525E35DDF3F55FBAABD78F4767592 - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C2536EE152FFE0E9505E70EBE5B43DAF8B9EDFE8F6D7E0E1D44461 - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C524C74913991975404C78B32CB30470AF4728C28E18ADB4EC5822 - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = E8EC62BAF466BC8C1503DD6D0F2F78C5A392B1BE78E88441B9C327 - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = EC2DD0F1D2821770A65E6DD7A1FFED34442C9E318471AEA8E9393C - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 75CDC4C16C461A281899FCA31A5CB8D56CDAE406AA68F1969C7DE3 - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = ABE6F9F78316E4C21B279DE608CA82FA9F92240B355BFBEF4164CD - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2AFCCE636A3FCF885E5C847D05B143C078F7B2EFF812AA16CF38EE - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 7999C7FF89FCAA300C455635433D282E63E2AEAD3DD236C5EF5C35 - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = BF54E2F790E9F84D57556B0F38C4CE5064990D57965CA09449ECBD - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B67317962F3320F49DEA0732A7BB3733BE424D87FFC8DBF2A26C17 - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 510966A0639BCD7F31421CFADF2597BEF82C48C68274BFBA740A9D - -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = -CT = 42AC0A598AEA03A366ACD7CBDAC5B4DE3BCAA28F55D8860B3BBFE103 - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00 -CT = D7AB515BC1475DE44FE9A3DC88A01971486D03B270A1B827E53777F5 - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001 -CT = 81E4ED5ED4E8A05F47C6108BA917D944E1F886B9D0C4BA5B18F4CE78 - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102 -CT = 
4C33175295338F13BFE879368FF60A64DE2B5F26F7C7883F9E72194D - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203 -CT = C0C7EDABE392225212F1109B0EA071A355EF5A4B790B19F6A1D8B270 - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001020304 -CT = 9730D37D05C75A4621805BF6F74DDD277B44747EF66F9085B6525994 - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405 -CT = 83DA491A3704454403D721201E7EFE0410364DC114ECFBB8DE398F89 - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = 91094E14652D08834A1B1704865FE1AEF1DB0884DA2EC3C3F23D893E - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = 49BA3FCB0818C6749AC3DC01B7F44A7C8A1FDB0D86A1122A556A1191 - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = 4E8B38C2F44395E7F2CB3269EC3D6FE121ADC55E0907B47E3E9915BC - -Count = 407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = B7881A638A7E5FDCAE6DD3B88F6FC2160B2FD13032E5608BA2AE975B - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = 379FBD8D899F3A6463C308126867B062B0D60ABD5B93E17FCA9BD811 - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = 79D42F39D25879F7B397E628CF30A16E552A393B220CCE18DBD86635 - -Count = 410 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = C344990B0D4DECAA95C7CF4826CACCCF470E6C7B37D01FF2A9E0349D - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = 9141454D8867855A2CE7F6F1147DE65B262CF85A03F555782B3D1A29 - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = A11670B033A07DB051D38C831879F446199482369B1DDD75D648044A - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = 08207DD86929B508A61394BE41B7DAE1028C119A7577E50401875F4D - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 881D1F8BEDA92D530C3AAFDE462C865FAA912493C9B72CC54A43E05B - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 5435F5352EBCE41DD7751CF1A9BB9042BCFC2FF88E5555F037B44879 - -Count = 416 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 5FFEEC63452BB29AD34A85CB08F0396FC841CFF947CFE8D127C5CE27 - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 37FFA1CFF6E9A678F1BC877F56852A4752A52499CF80029C125FD94D - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 
000102030405060708090A0B0C0D0E0F1011121314 -CT = 20E8A729B7F9D3F99E92F4A72D349AFBEB48B436AE5C9147AD73A996 - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 25178CA0D43A684EADFD7A64E4331E0F7094FE2487F97561CA82958F - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 43BD07448CFA892BD8AFD42F53F6B84901D0F13198535B82CB7F8E36 - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 34D790A2F8B2E0F1A2552E16268AD7F8E4022772A7840988A0D3C422 - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 65FCFD40A826EE0F6A9B85DA01B6A3CC86B41AC8AF93932E744ABDA4 - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4224BF38BD80796605ACFA8B4E20FD85F4786072E815EF224BD2511D - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 3E52FA947137D432C87CC141584AC48B5BF760A3239D2CDCFFC84DB7 - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = DC2A63D9DE04C2F03B88008FB953BE7A1BD65C78E2B9796CBEC35616 - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 96F2579950EE97DA4A0FB9B37819A07880D6A7F3990087CE585D3B18 - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = FB77C8A797F942451242C3E0B8AB125C080DB752D284558C5382A5EF - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 56F36726E38BB5C905C3652EB5C83D918330DB990CEC089A6138BA9E - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = F8E214574F803E42718D8A43A2F222793DA7A8E01FA94C27CDBA13FD - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = -CT = 6E7781AF6B13C3A69CE33D655D94ACAC2FA55175EC462BB5665A785464 - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00 -CT = 66B2DAA3755382F97FAC5A98BD314676BC8648B6606858E80A7515B565 - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001 -CT = 96E1941C1A631E07F55402E977AE92B6CA7BA117E084BD0E459976DF4B - -Count = 433 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102 -CT = F7201D4E43C92DE96C4184F6F0630EBB1DF6D2A555F691D5006793C802 - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = 754F5A55D4C83609CA22BCF3E303718AF3B55CCDFB0FD9DC1A2D5BDB73 - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = 11B023EFF00CF1AC783CB6E79197B911D5A40DD165CA464D3D10A924B7 - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = A8FEA54286FD95E437034C475A10388417C0B241C7AB481435DD56E3DC - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = 6EEDE78EE96418CE076EB945A0657BE2024BA27FF0E19E82DA0A9B8F22 - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = F7BA6A081154C0E2319F4BF31B469FF4B30F953A54C8B57DF941C69109 - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = 836E04742B93963E00319F6D1D6FDAEDBA17B5262FA7A1511D81050FF2 - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = 735EF70ED0F0FA6CA192976720BCAA8CDC96E654015C7CEEBC40B2C1A0 - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = 28BE3CF48EF2A16E5EA128492DEEF2753868F879DB66A70728215E9ABF - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B -CT = E64ECF630E37528F7EFEA099E5A7C4B78F6C126C969558062FFD42AA5F - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = 9A3DB97DFAE3B7006568E40B420D18D6C06389BAB3550257A88355DDB9 - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = A71B2523C05F7A2D68BFDFD8422C0D24CA67DA103513568C487A815396 - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = C3AAAF130ABCA18B64723917760F614E2D64897F5A21C1FC99048024CD - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = FF4B615D9DE037C24E6B4F178811BBBCFE43F55D676321EA9A30D42B6C - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C33171C69354870966887C3DB16B8CF1A9B23A5621C072267BD4F929DF - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0A3EF91D95CD396CE3AD1A3D01D6A8190C9C708AEC8D8B6C8307B05356 - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 89BC5450C801BBBB7F7033476A9E1CB6B880C93645F88879AF5D4416BB - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = D77B58685DFC78ABBAF5AFCB46FBDE1B35A85049D4A0F56218C9DD8427 - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 5B2487AF428CB7BF8382E88E68828A4E1975B2956B6E371ED96AECC0EF - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 
000102030405060708090A0B0C0D0E0F101112131415 -CT = 93CF9BB715C72CD11DB60D3440C5175E6959C8CCA3B60483089ACC612E - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 16316CEBFD7B5B22185DD5B73CFF03F6DAE47417B7A4390EDFD5BB5366 - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 16D9648D18CB4C0EEBCA35A8F6AFD930FA6E2459BCF3FC2241DF57065D - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 559AA4F21FC0E5D1DCEB83E8E066DFCC7D07A348F4915CAAD0B3312EE3 - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = FFF7D239F32F76A07E4D8466AE5533DE16D15C90187E235BD3A0B86012 - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 1E878D9B360192262FEFE57111E9B175CD08A301281BEFD387C9F92CC4 - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = F6051CF672CBE89625042385A334D43D2008CCE5987FA06F5657A2B9AA - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FCC230C717A2724C0573946017DDF08DC57F29678B6C99D6046C582FE0 - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 6DEA420EAF936A435C277C4282D00A417751F5DADAEBEA2D093B02724C - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 21D8226E60262DA1B690C47C966049C4A764180C9AAD8C987F631DC09B - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2E0B320C6C06252EF56E20CD5A5BCA538C13884AFE41BED4BCAA849C3A - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = -CT = D32A025F741AC81E00F890A28EB084F87F763FAD3BFC89EB556125B20926 - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = CC174A631094E77EEFDCFDF113508FBEB66408FA89770BB1CF0C27C9A637 - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = 47CC77F7911ED4EE926CACEE736CD0A050085243F5658338D3F825092637 - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = 77F544737DCC2680439106C3163F9F5B0818B1E8F9A95529B794E65051E6 - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = F8C259812491ED24DE0C7AE83C408CB07902146C89DC6B2A35120B80C01C - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001020304 -CT = 242DFF307446032E7CC3736652808EC6990052A51755C2DD0C770B009C7E - -Count = 469 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = 99ABB101967E054D0C7C685DD92478513B20A50108AC702F206E0FD56678 - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = 0FAA2D999D771133651686FDC297F094CDDC0DAB565B53EFFA23F352E52C - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = D28FCCEF2AA6BC48B9A7B37BC209ABDD11CA8E0B7E059AEE4D58AFC89691 - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = 2296F3F65905753A5E351B2A23B8712B9780050208DC0C46A4A2BBAB1FE0 - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = 09CBBCEE57E46A60DE27E2D019D8AEF806926402474BDC4738838EF8F42B - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = 46CDA743178C65167DFF40995678DD66545DC91039961C0ED94E08066F85 - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = EABA780D29C494216B0343F00B37565AFBF5F284ADBA1D5F22AB4D00986E - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = B5FF25F148023F14A17A203B8AB7D98726C526F88836DB57D196BFB784AC - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D -CT = 
D13CA054039357AD1E3625DB3D95B65437C04796AAF5D9068B387784E285 - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = A577EF706793B6BBE0CFA9A9171E31128184FF1BEB5F9BBB29384A8C42ED - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = E238B189791A2EB31182CE729979CB6436C75B6F597D0F8705738331C655 - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2AC8DB728E97BFC26D23EDA2E2FD50CFF171AC291D323264DAAA96C75CF2 - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 19CA0366E91B6CBF367E041B6BDE770FB13827954CB9F324051E9F11255D - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 099CA88092B9401EA4B9FBE28EC25C534A122DC79F391476F8163FA5E23E - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 30FA9AA5ACA1529CA2D4CB136FB5ECA5066F69711238908DD636EAEA28A4 - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = BD8750FE4B1F835CDDF43FBA887F573F791490FAF0A4E476A1EF03D6EFC1 - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
3DDDA46134633EA29006205F90F8C5C38A77621D41D7231C76BB94E855BF - -Count = 486 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = FA7FABEC9A64E61110F70831E6A6FE861FC3F10A70F28377DBCAA9DCFFFD - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = EF5A3511EDE91CBB11FA4105394A5115AD2C883753DAF2D0594F8C70EB50 - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 160459779EEFCD5786E335CC1AC6F770E1F99D5401BE97D56A3EAC519C68 - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 8B8020CE1FA6FDA4A3CEB6722774869433A6C3BC9D03EE77330EE71DF708 - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = D4AD2F7F3713FF57186449ADD701A233293A4389131309DFDBDD302EDFED - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = D089187469A89C420A79718FC1F7526D79E0C5280BCC6DAB1B8B1695512C - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 3D2FC321394D14043A8AC796D53632798E4F905CB977A914314B1B57F2C7 - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D 
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 75C68FA70E37BF95407FC09B8E6255AC2FA7B0C52D430627E79A6DD93AF3 - -Count = 494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2BD934D70E842794B54E11151A0A1B914C92E9DA26CF2E160F046121CAC3 - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = A04010C88123EC3BAC2EC1E8EDB8D2FA203695D0FBCDBE60549C22D3C4B4 - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = -CT = 81753B47EF73FED880FB7E26D9B199B17762B14A2B943BC5E3EFDDC307F52F - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = 173A461A7DC07DE4D9C2813F8C94190F2115E3CE592E68C045CD71C55F3B6C - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = B08E491A9BF89C1D1B6DE2E5B229271CF2DFBFAB607B5BF9304AC91E26BDF9 - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = F5E9F38F137B11EEC401AE0D974138C65F2CE13B1783E99D976193318FB5C7 - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = C7D5F25EA5F8FCDE29080A838A5EE72891506A5EBBD8D6851A75DB7CE51081 - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = D41D3A8E9C9C23FCCC25DA1F8B8C3B0A75FDA409F734AC8560567E6A71A611 - -Count = 502 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = 7E056D8C28B53F9FD645F27A1029298C47022B5B110F20BE3C8C6CAB156EB6 - -Count = 503 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = 40264F74638FA16F8A80CBBCD3A6DB00F44C9F6D37842B2691E1F9F30A5C63 - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = 12F0EACB3703155FC699674925D9E9158536352D893974DCF7EE48EA80906A - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = 2113276A7BC1A8FFD1F4807322BA262B80160CBC0A493AD63AA1E14949B397 - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = 4AB030B52F71262D9ABC4DA089777580C5311A64E99D9916FF06193737E799 - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = 48A782D28EA81749FD9C1EFAD8B9862AF0FD760604A3FED3FCDF8868B1EE5B - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = 049F743FBCE3F48F383A3BBB90086B582FD68077D9D80019554BC4C3003253 - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = 41E090907C703F0985809E8D0EB5840DC5B1CCCFFC96B8B7EE7F4E9DFF6E87 - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = 
830BFDB0FDA1C0503B59FD13B8AE92B63D3C407060218E58A413824D91CE12 - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = 59A5DAE9305CBAAFF1B8C4BCEBDCC8C05D5C1C1879CAA3E38D9F67D3099C0C - -Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = AC704FD8CAB008FE6986885ABE8BD6D9FE66AF992A3A0D17D4AD8F6D87AC95 - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 7F633B5BD328989DF509E75D04E951B8C9AD1B3182CA33A8D1A03D65363660 - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = E8ABF967817E981102D4DEC0AE1304A539A9747DB8362817A2A9B72E516B8A - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C75BCE9AAD48E9A5977A17EEC4DCF8A92413A84CA9961E65B73CC317EC597F - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 9B51D640035C1F2D58C36F1E4AF0E98FDC84C42A20A2F4F8FA68349354A95C - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 239CE34ED29D1C289175AF088F2ADD5EFBFDEB11D6B695451E984BC5176E77 - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
934CBD026C0A594EBEB646726900E59AA17C21ECF2B27A65FCFE899C2326A4 - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D7F34596F307A034AC58910DDDB16EAA5682BEF4D7EF1E8661DC46510D47FF - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = AA89478EB3C61D8BA75B48E3B49C927A348B9CA4FC30AF99869A9927D8AF6E - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B4EA8AC58C39E7D2AC50187D219528DD753EBDDA73CD8838D122558419BB11 - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C95E19CE1934D2005BF7F81FE42D78C8871CA271FD2E43A47D8BC03F822D0D - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = D998F9D2EBDD3D6646EB8FC0B165F89D64AC4B028C2B6E7F217F683EF98745 - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 62B3B90B6684C01A95DB2BD854E21E08BB3813632E9E4E0F37B98C08813900 - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 1A9C168BB119D27CC1C8048093EFCE50D4EC17D5C9013D65AC676301C73C8A - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 9C4E8320FB7D3F1FCFA0254314EB74AEE3CD38A146B3DC1DBC9A8C8DBEF501 - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 6376561612EEBD6F15B78AD9E5428E7DED42B6693D99414DF5FD7D5F28D803 - -Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = CFB6F55D3867B326428032C67FA2E3B54D8F04B9F61D317E3074ACE4560FD9 - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = D19A9D1BE23CC54F810339EDD4E15C7039841C4802A94CBE2E16E8581E776CD4 - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = B229F2A40D4A0275B4D930690927F1F5DF24F10AD9EA0F5C15B074EDE29DE172 - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = 21C4FF899502B969AD591D23641831AAFDB9F29B4A0976D854E6412F4FCE1387 - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = DCE5D6B6187E194CFBAC0F15FFC7371AA213FBA58FFA4B8C8205D7E0E80F2864 - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = 5E0CBFD0386F1F093C433891D7DB2F2206BA8089B790DB52857F9D20FE25D9ED - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = 
AFD1FACF637BCE39848C2F86206C8B83BF00D7525E22724AD2C5F9313BF23B27 - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = 5D58F54F7864A3B2B3C35B82FC41C094D9A9AC699FE915D684BD03AF125F9DE7 - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = E6B27AB3868E9654140889E9CC78AD5FB482A0C3ECAD9D67557E1E52E966BFF1 - -Count = 537 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = 75EE1416329095B6975C556E46277F6B5A390203D0F94D98A9416D6080BB3DC7 - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = 0437554C5E7FC89F1EA2DBA4F4CE5956710DE120963E2AF99C15EF03FF0BF0DA - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = 4D1D544AE3EB10C29944A675F43D52517C6BE1BA964C884A906068CC6B6D2E58 - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = A95AED7E615329B231B78D76778D76D9C5A82AB4B6BC9320B6B5A0D2CE5BE002 - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = 1C8C37D8D2447718DA85C0B3732D5912647A3D1F26F41EDE72032CF6087846F5 - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = A9BBCA855D5446D570543C3F07209C69165340A90C4EA99EC82D5644AF2AE4CA - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = 7A4245969A6DE10189C4B83D62F04059CB0D6C61EE25996A0FAAA5391FD4FBD4 - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = BFA06890B546744B74DE7CE7598F9A362B063C07A91D1B805F0290E65F0D89AA - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = 2E0420E78E5D9124A4B11EAE2BF98BCDB46B94515F170AD559DD79EFFF808516 - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A96D0059BEE960418847817B9BCC7E768BE00ED3B5C5B7615141FE711095A627 - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = F766E9CF8D4F0744C5EF061317179AF96B2A4B31902DC589DAAD3848743AEEBD - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = EC55A0785A1509DAB3B1B26E2079CA225FAE46E7E2F86E8A31BCCBB8E463592D - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 82847D7A430A645EEC8DD7C62761654AD484F7A68FB53801445E71A0BAB5AC8E - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = D30BC3E62EA955953ADDA58AD69E821A5338714BCE55B36B6F4672600B4F6D61 - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 69B57622ECEE58AF0886818D56DEAD5552F03BA8BB5BFE103F966E67691B20B0 - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 7C0D224B9BB027886FB78CFA195B88C73D5D1BC97B9855CBFBEAE87A6423EBCE - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = D31062F289C9F682C43294F1117A854EC62DDEF67A65E35DF668EF8D6B2BE1B4 - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = EB455781FF38E80B4698B5BF6ABF8B80331A7DDDEBB591FEAAF53AD26887CE29 - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 78B94D94758B3C63C6BAAB66E2AFB71977F967D0C56F0596ED9E165BEEE71FB0 - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58A62A65CB0708624D71C3CEA1966F03963E3529B112F24EABAD00C9B2D016E1 - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 7CB60F2616CFE4C4B133130FC46F60C0649FB7D17B3B308592C42DB0B2544CCF - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 
8C4B38841A2F74E663470A49453CE8F9B6FCC20514A32944ADD108E763699CB1 - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 1FAD316BFBCA523D9ACF25A574F1629C031BBDE92271A8CB21F4C5076DC6F449 - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2BF10401D161A15C5D2A528BC293B6FA0EB3CC0FEBA63CAE112FDB575A8E9876 - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = CFB37931F8F32367B5215E7FB506E02CA219C12568EBFE91DFFD86751F7651BA - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = B384E6C5CF48A30778C972190B570320908307D9ECB4E078BCB1EF224EEF8966B6 - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = 69B63E35490C2E68D66351332ECF134D36912787EE97E0A994C6F0DB98BA7446E0 - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = 19907ED5D526E966C886330E271D2AD36EDBA0F0269407E5A2AB0D908C6F6B0C35 - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = 1F2F65DD509EDA19B302C4D26EA9554F0E46F7F4C44C5223B9828D3C9E1BED0A0E - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = 
E5DF7AD6A6E44605D2EDC1705BB206F9F2BB121DE64C1A6C7CD0128817EFE60AFD - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = A091CA4AEB121A3AAF5724DFDDBF08D13CB7A057A9725FCB35EE93B94E51F2C35D - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = 90206A6C657C0CC982AFB76EE3F1A343F4B5201783350384FFAFF3C8ADA7885AB3 - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = A2489ADB4140C5A92E0295F0D997FBB560B2A06D3BBAADFE992492251AC5D5B788 - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = 1B98C2D9ED238C341183BF1D2A884C8D2264D4BC8950EEBC6C5B98B24A4E837480 - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = 87384C27F8170C36A87A65180D2342EC2CA66291AA38F0DF09943D455E5FAF4C30 - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = 24D8A0E5C29724C62757F4FBFC566B92093CAAE327A457426171ACFCAC7DC68A67 - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = AC389C7F205306B70D49DE2AB3C6D60BBF8A6BF5A610447E3EF02BE1FCB07E37BF - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = 6C6FF07CA1A43E4B77E9F6D4C4BF1DDBA5B4C1738485D7FCE19DD9877D982F591D - -Count = 575 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = 50FDB6C1B64C267315AED54DF92197D4ED8DACD7D554D43D850017610DAB58C4C6 - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = 433FB3CD0F6D484CE20B2E65C8A9E6E3C75340E81E1B0A57F36BCDD8F6EEE1D523 - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = 9FF11D398F11129629456C8170C7E85AFB3688FA220ADDF48A5C78248A5A4D7237 - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = EDF2F56C37629A219E8B361B723A313B379E58642846ADC96E8FFF9B0AFF8D7CDE - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 83E795E8254A4199F9F17C2D5BDDD83DF2D538F029595FF72239031D31B171031D - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 635889A6571DBF62F7760E314B010AD274AAEDC0E75F026A396EC355ADE289FE04 - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = DC238BF560AB5D48B95F4C160B7D9BE7E184327DCCA9C9E0D1E17DD90519E7F1D6 - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = E37CA2BCDFE734679EAE4F09FC6A189709B6AF1D5DB10C01FE3AA84A27C8974506 - -Count = 
583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 3029C79B7BD156E9582569CB8A6084E8C176649AD6A878F0E2FB84E702DA15775B - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 9E6522D974C18D957D702C59076C81BFE64245978F8768AEA8C58C0F857B8B53D5 - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = DE7AD120F30E33C51BA47F33C43390E228AAA0420559DB5E55A77406E01DFA0AD4 - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 376149ABA8317D30BD5D481A48CC5DCC0AC2AABFCFED1F6BA02FD3E81082BEC7BA - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7D5DAD4392DD1BEA1C2E2C85DC9959681B7423457C33ACF0E5ABBF0050B87261A7 - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = CCEF81CCCCE43BDBC4CC82F6D59F55C7C43E392146F3B98137D797F13F42C68EBF - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 96FFF869411C71A4EDD20DFD41B738E77858AA7CD4075748AF1EDA5C07018A3083 - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = F54FD8252A6161938100BCFB1AC1B1C73DE4A8662706E4EE16721DD39F495CD488 - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEEA9E2262C6C0A9D2A44F400FE57361024C5ACB0FACCD7CF20E4EF35705CE0A85 - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A35D64B33B06741AB5D3B746488818B37C4478D0F02B462426B4DF48A8DCCBECC6 - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 82A09DC07FE703A4D3679405451576116F79DF54478248FC6FE495DF41A05E56AB - -Count = 594 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = D0AD12024EF99DB762AC3A113A9CA0A49EE03B40F5C2373B87E88FF846180F2D37 - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = AB74F27C928E11DDC6D2FD952C5417F24AFBA212ABB9007C4631F7E5EA65126DDA7F - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = 9D67771D17B6F4AB35AF90E06341009C9828E7F9942FEC484BDD0C5EE9EB6D07D9AB - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = CD35E6549AF0F0DEC14B1220C7FB2818C4ECDF53AF87ED3E3DAFDDFB487D2C025539 - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = 86AB4B72DA9D6E2418435CCD8FEE0805F7FA00CDBE389BC86C4A577521A6C376EC9E - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = 4BC78B0F330B5A8A08A78A4E3275486C4AAE0CA4E28388787C054AC7AE0BF71498A6 - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = CE10CBA14C7DD632C9481951C5B7BBDCB5237AB0ADF319CB8A054A7027D794D26F03 - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = 11C4093F4C1DCBD2F9C5534BE962178AA6F28EB7636C99E10C5CF4CB7AEDDD80807B - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = 0BBC84622DE862CB25CEA9210D681C6E414BCB24216674AFDD5583983E8DF32E44AF - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = 07A072CDAA4D48B2F7A5BB5EF8D3C37F5CF81F0F0FB4C67FD93511360C4D52A73E6B - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = B8DB93A90FAAF9429E478D54B780B988B0B1C5B49EDE56993661E53E6AC244B1B92A - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = 1BAA98E8FA882FE54EFB00F30BAB4A419E04FF59F9F8B77A74FF662F0D432D0461BE - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = 
09076ACFD8816269888CF1195BFFED1357D3FB7F41435B393A3957E9E094EA4AA635 - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = 0FBD35EA6633C319A1AC859E28D9F340C7C9D3BA94974B78FCE105C9A11ADEA31A3C - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = 0FB3CEB378EDC586A2653623361214716D42C5DB11B23F3B91ABF142F487D281D889 - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = 8017E8118F4D32DD84DF2D8426C276068050760ADACCD83A88DC1DEA31A83AEA3CCE - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = 763D2333331E6023D7758AD3C1905FBD2E45AE879791D3D0F38D841FC6686AF43498 - -Count = 611 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = 779DC12001DE7CC2191AB8E56819CFDE1B77968A5A77C7091354DF20C1CF3BBD592E - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 72A533564A849FAC06CA2694C9BCF3220D9004C3B1ECF6B49866681AA1E73C39CBE0 - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 468D7ED2B82BDF80CDF85A5C9EF421F18174C49922F9DA71135F1B3D9BCCB76EDCC5 - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 
000102030405060708090A0B0C0D0E0F101112 -CT = D668A7A9772993F5872F6C99F2C4555DB68403A78C443FA1C2142E7A2CBEDE8987C3 - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = D6798361F3A51129A9D8593B1848A6141147EB499EFF3C38C6D1D7F8C62DBBCB46D1 - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = EE596EFB6E10AAF382FB0D63FDDCCAC58BD283C03C979349EA237B8EA2F4A3AA7A21 - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B831B2108BFEBD71B207FFC53EDD8F5FF901A6549356E0D48B2098BB5039232CA062 - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = A4ABBE30DDF18990770E6E14C89374E3956E66261D7D3AF060CC05BD31D126C98A39 - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9FE1245879787CCF66ACA7E50BC5E9707FC752E9D86BC0B4D51FF077DB794B3A05D7 - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 52C0B13CDBBEDA5EF56FD822EFD8901AFD5F604A361D6CCDF0B037F829066733D3F4 - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 32E74898112C5FF60D3D6B2C5E170C7C2B146000ADE2F11EB927B7F1682F1C8F07F2 - -Count 
= 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 954447EE518A6883F3B040C834912680132FF938A6E7069DBEC3466303670C8DF407 - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 199A3E02951C446C563D17CD4806400ABAC1099E62C01FCEFC7A9E6795B8BD06EC27 - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 1049DBB40D1AEFBD0540EEAD5D8D0BDA06C034A50E718F772D984C5ED5A3DFDCD9CE - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 8A35BAA4DFDF5028FD943FE407729E6A5D24823D52D646D01A623A4898B43C6CADED - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = F3530A6D139FCAAC3B52BD9A8C87F1004FEBEA2C1DF043E86F4BDC7DCBFD847CD1C4 - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = ACB21FA7B1CFC381BA02B59A0A52ABF28DC4FCDFAA64B6CA7A8E1BC55714C53E3379 - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = A28E0E9E47E97C2D8C32626722C90F11CD29CF04AAAEEFE8A4E124A13DA74F178E5DD2 - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F 
-PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = 4D9E985AA7CCF2ED7715B4639770238042F4F41BD8E50A3E9D975121F43C517E930D6C - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = DA7530439A044FA6BF2404FE030EEF24E7CE499C026749F7A7F8A6B9CA2001C06CBD01 - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = D56608747A4B5E894872745C88DB0393041BE9453BE2BCCD2A058CEA1F76A7FFBC79FC - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = C154F60CAF10054932F73397BB770D229F700774A922C075810FA0B6C9D347BB8C1008 - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = 99E2C70096790E2A7CF3FCD6D0B4CF9A15954F03A0CF49C1705BA822B2E28A4143AE06 - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = 1D234DA86B21195E8F4DE1E6E6B454389B05463F38BE610B8391DEAAD5D9F59CBC7EBC - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = E007E5D564C90958349DE4A7A26DE9D04E36AC06ABC81E68347793CA0348FF05B885D9 - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = 9614540CC63EB1798507FBEAE6B141593C36C86752DE51ED13917F73DD13E1827085E1 - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = 
BCB058F77C0F851D856765E134D4B568368EC8FB2F53494AE6D313EECF0269B83C89C8 - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = 500FF2DEA7AE7CBD85EB4ED5F96D7BE2E93604C3BC249797A7E29E3256EE8D9A8E0227 - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = 46AD42F73072DD0B81F805AE4FFEAF77CD37B881F6C72DDFA64B735FC88BC296C44A3C - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = B6FE9BCA44336472DFE3BE5D1589F4E7C02A132DC27AC153B418126E89464D4F0179F7 - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = 5E9AFC21AA1F1CC066035308EDB876B51B9CA6D12474035890B08D85FC6D04D7EAA89E - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = 355E87358CF9042FA10A1AA488FA0B8EEA3BBE89DF11A2C9BA14B93D08526DFB97AF66 - -Count = 643 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = 7899E693096B6F092ECF4813C47695181D2BFE03049D4AD49696F589CF3494DA19B70D - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = 2908AEBF7274164CED90AD437C2984A4CD3ABB6BA13FFF66661D25891A48A27C0D2119 - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 
000102030405060708090A0B0C0D0E0F10 -CT = 5CB458FB7A5F0F6A95AD49886C8E6165F60C472AE0E469D92C2E3CD021A6D7328FBF01 - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 5F14CECD60CEF9D4C90B4CC849C32B2EE5DD8C93343EBFB9E1C1CF0D323FA19B5BDCBF - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 1B4384B74C4B486723F0D40BD4ABEC2A9369AC8CAAFC663A16EAA102B94530916558D3 - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = D3722F23959277537B560A186749642ECE4984923298DB89D8E994605F2DF76F10F040 - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 0A2CE31C03DE5A30489987905D4445CBCD7B10E3EC6EEC6E7F1E8C81D2B44884DE71B4 - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A41D381D94AE0284C33C9A1D9178A36F01E715CDA2CED545F4A61D8FBD418820ED7786 - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = BB14F6A5E3E07FE9B01899DDDFFFD234B165AD329F8A0898173F1F13557954171626C2 - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 837DFFBA250914F90AF7C2C1C33B618A2B2239214E4774657EE29CF09998F54D8220EA - -Count = 
653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 8D189B917264B2BD5AAA1B5DF542C5749B4B8E581D6B28E5A05FDA07EF935EBDB74904 - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 46D38B8848527102C33D5520A2B3F94F032BB1A1B473C54D6FBB016DC9428A4EAF6CE7 - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = DBFEE90696093FFEC849782EFA4B8DF3A7DCE4BF6A3BF08CBEE3EA253AB438E8BD7422 - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 6983EC3627A1A5144957F92AD3EF9EBD37E7940CA777424C65B56CB6C87F9A2612EE60 - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = AB552C5D31FDBC92413C58FB6930CA4BD1AB5E7B2B0B8E33E3DC08D5C5289953E4CEA0 - -Count = 658 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 8CAD6A087E62124E474BEB93B10BA2351B9502B1B5B6401C2A622FF8952C513DA30AF2 - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 626715171D5C2D2335E59591BFB032A3F01A7F67D58852E84DCAD1F078FBF29B465A1C - -Count = 660 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = F726BE319E031EB8F785734111F7B2E4F2AE83960EA043A16A113F65069574F6D1C465 - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = 44AB77ABD38C35AB98E5177DE3FF97F031C91BD37C73307A3611D14F6C0100F44FD8A85B - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = 44013388DE35170E8D291879D2341FC08EC54C100FD6D1904983838E999EC4848B196869 - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = 843C352DF0EFBBADAEB8ECA4A895BE081781C4F3B0E2E4A58F45BEC087D22F9C3241E1DB - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = 29200065B0B32D06FD8CC55558EB694E8196E9AD9023C05843981B22E86B962F7D16272B - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = CD066CE45F9B76FB44567659A748FF4C8B54865F3017BD7C2FE05597ED97C934CABA7408 - -Count = 666 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = ABE52920F478A98F068A00E11A41B2C7467304820B2722ADC9B553A499C8F953439AF703 - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = D67BC5B8D03654CF05C27BA8A201B19B29C3F97DDA4F3EFECEFE2DA4B2908B3869DFC5D0 - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = 68F24E76070DE0A6FED4AB230ABAA8329E3B90AB0FB99BD5368E06D6EEEA1DB701084731 - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = A18E47E2BE0557F602055756DF66BA6EB38AB396395E831675F9E086891399B4E6F20DF1 - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = 4752BEF596ADF41112C34736E00217E3EA5768678129CA56D0545B900CD927C0A8BCA433 - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = B919DFA285A5A882BCD002EDEA7787D3751B0EB13D06E12AD3482099A091EDABF361E471 - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = DDEEB9D55D41105B423C222E903C814E6D1A7592A354DE6714B84E75852C17EC3B76C439 - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = 1F87AC13A609A1EE908D4DDA69E711DB123E63421357C2A645BD4DBE0D42780795B90DA3 - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = 1E951B7BF2EF1202112DDC7BC2E15565DE92723153DACF85D6CFDC76B319EA4B4FB37FE5 - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = CCFBEDF3B9501122C73C18DF370D59349716FA5E32A58721C85D51E0D3DB1B0C059430D3 - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = 9F270C7196612E5C42E808DCA14890E355BB03D6BC23045FB4048562873F7F79B2C3C8A0 - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = B4EBFEAAF33CAFCD2A7017F5D4D0638D8E41A8E9D8CC133F853A89C3560CC6E58FB0AA00 - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 7ED4A4ACB07F5A11711E57CA77DF2B709C65A010E1C47EA830D471B35C875630A2D5FEA1 - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 22C903463C5778B9B886B6EB95DD7A97EBA35BAEEF3FDC4F14509B6AA4F287A8EADB9A27 - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 043B62AF2F5F671F0A4464A18803CA15E6F488C5F2E3BD94D7CDE874C4FA08CC410CA53C - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9CC114E946508AED4D9CDC95ADE1F88912E71F2537F04F1AF143D80FA86E3A4A866EFF4 - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 8D6668FBD31BAE1D869002A5F062AC744E0F384861811F5A366485C5CF42082ED3AA8C7F - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 
000102030405060708090A0B0C0D0E0F101112131415 -CT = 575F7D33C817BCDC00D6083ABA5091461E6F7A58041A9987D5DB172E3D27BA10F675FE27 - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = A96580FA8049757E6520757B5336334A1249DD80296C47F6F48835BF619A823D69116C7B - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C1293B1AC0DD751FBA52A85953F2D62C76744D834118CC2B00F6CA8F605F815CD47A9980 - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 65F79A2B465E7F117C0244D3B51F545ACD653BD190A8A6D065EC9C42D75BE0BFF7C56550 - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 61823094B10FE08D7F51014255F9F4E331CDF1C1E51B45AB0E0D9A93A72061721CA0D316 - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2E7FE00EADF808D5425C71D4625F8076E447D1B342E3266092FC49D56769BD2E822BB3D9 - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 3109850DCE8C33B5B4D3F9C24845A8804E0ACADFB54C42D5958B5631BA645D17EE32EE94 - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 5D419636B126307EE6DF150A74E4AD9776886AAFC7282599FD1AA3C5E413F2ECDF60ECCF - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2E709F53ABD724AE49D841EFA1131AAD706C57E4AC0CF7300F73B388FC9377DF154D2EB0 - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = A37D03B9372081756D88C72B7BDC9312D2D37250E3EFD67784C906E9538A0BB3CF774CE0 - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FF3FD27D6AAE9632001881EE2F9493BDC0E64FF0D7DE7CFA482C309E0AD90E08515AEB79 - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = 0C88355679DE6B44408B463EC690CC509D9BC6E166A88AB1177A829B8F93F2ECCA4AFDF822 - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = F7FC713E8EACDA4011D564848CC7445CFE5755A78C800FCEBE3ABCC200378E15098B218D65 - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = C3EFC21880C6959305CB13ED806A96280FE22451F9E58BA72758B75C6560479F73B33D653F - -Count = 697 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = C79A998054D6CE1844218CF9BAB1DFE410CB80F9A17925BDB34A7504758B2B04C59B733402 - -Count = 698 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = 64E7C2DD086B1D3DE95F1FCFFF4FC80704EF820A9613ECF57B5341576A530F9475AAA36E7F - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = 7BE72ED32265DFD1FA0F656CC19A1C53428694B71A444103B2F6813099EB765F8C1799B34A - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = 14AC7AC4CE525E7703C566C5C4CB5E733F557C68EAD66A8632A793BA8259B1CF7FC6FADD13 - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = 758268000F7DFCB2313611713F8D715418938CF0D021455627DDE5F8F1978D2D216C95567F - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = 3C880A1145CE2E7B039E06D005CD5ADBF24380A5C543B54048B5091CB8BD113B443B520A00 - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = 8D0DC81DB2374669822C09B594535A570BC077474F614B42A947E928D1F9A8D9C40AA00302 - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = 9A7C0F2CED63F5D11EA5EE6D3667AC3E7E757F93D9BBDF28F166723C1BE0212261BCE0B994 - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = 0A49AD1A03E9CD47534A5E01B4C08C1BAE0E0390E3EB64C1ABA1B1C9C7727F9FE15714B24A - -Count = 706 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = C6793C10BC500654A53914B9AAF419A85CB3379A8E1B43E9B7DB9227B674B27A4B5D8191E5 - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = 580F16DEC536D1C7923FC8ECBBB0419D267B5C6D06C884B77EC0329BC3239CC60876FBBDB4 - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = DC817B27EF84E188A2B68462860F2E8C7C4E8EC7DC73CA462E457DFF1BEC5AEA64DA38F02F - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = 535249D36968CE3318094537A3BB91545ABE05B7297E7744185A184A4C621ECB68320CAE6A - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = 45E6C2E708B73CE902A93EEFD94304E641EEABF7F3BE394614D490505DD3085B674EE0ADC4 - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 9301219E88626E553CCCC3FEAA3BF27CEDC6D3877D04680DC4531AD49369816EDE12A77B18 - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 8FF6117A19626BFBA74ED189C7EA5751DDFB6A83CC4BCA99AFA0D40459D97A27302719A216 - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 
000102030405060708090A0B0C0D0E0F101112 -CT = 4495DA67008D019E1E7C998D1F2EA9B87A33E4FBA2C427A6C5736729A4520AC3876BA59D39 - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 83F573AA2A42F8F903B7D5B67C5E10D89BCEA5076647E5E53CC0DF43C3AC44A43146568AED - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 687B324B08D504C07FED48CA4CB33B962ABE9BEC1B1BF89B0D73D3070E64F4A732C0DA7803 - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = ECA16AA73476E8957AC868AFB93D9463BEB7627997364D270952E7F6D743EC727C6B1FE700 - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 7339F04816D9723FB6280CEB7E6C3CC32A861CFCE30B75B07D92DBD2F001A5F3ECAF9CB267 - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 3A14AA9F8E3513B03AF5B708916315D0B706D1B308D2B6214ABE51C33E9798EE078939C0FC - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 3F20680604B2F50239D1839B227627AA0D4B8834D6F64702CC81E1983A66B790551134F927 - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 
-CT = AA23287E37C99C444D186C70F31282E1F59A3020F749358489847404D36AC2CF33D9DDB67F - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 98535C31A74C8DFE2538A6742F43633CF3DBB20393187087296AB8982F443AC22F8F718204 - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 1EEF0B0CB941D427B0CD42964884A3487E43C19734C72935186521FCEFDD889C8F0396AEC4 - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 6690D5758D0B948B3039A945A60EA95B0CEE6F58120B8BAA3B0B95A99D570B25DBF033ADCD - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = F603618016D39C3CFE67892B5FB57596A2D93E9D51E0EB5273034D51D1D0B42843AEFFB89F - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = DF4990BAF4F2E8976B3A7CB504C8EFBB5ED2C0B0FB3E7DE3E6DC1B2B856D4F8FC960BF0149 - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = A8562A8F1339C1F8D6155C8579814D6D9D70BE9C7EA0539938EAAC39728E5CDCCC85646AE6 - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = 
CAAAC3A199E5CF7B9E836C2E4E37CB2937244ED5769559BCE19979381D56EA6389DB423283E9 - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = 4A52C49CFCFDD4627585D583667F78707550C2498DB3530DD1BC8FFCEEB287D4FB0FB6ECC5F1 - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = B1F993DB9371577D17DEC96FF27E72F1502073853F317966B6674E7938B50BA36DB69F315781 - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = FFF43DA707D0A764844B5F040F958447EBD582E4B8B0620CAB60D3E8921C4B6DD85E8F52EA4A - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = 42436DF07A38739274ECC5D0C7BD9841778D4A87E65B46CCBC16F38EB1E267109389025E732A - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = A418653B3F6B8C0122A1DF277C14BCCA90294DC8887F85D91F6F597A86E8E0A9EBB40E86C37A - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = 0B473C7D75F3269BB29726E5013D9E9B1DEAE89E8BBBBBF63AE8D1224E1AFFC6BE4CC14E0822 - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = 1CB009C8CE6CB1B02AF24DDCABA738748A8798667F9098A32A4E5F54B0F5197A01CA2037E761 - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = 
B8E486334FDB67D1318C06A365388331BF6064AD0127F2B07C30C4390BAEAFE8FE5220F77364 - -Count = 736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = 324CFCEE10FD1D5E5DB74D41C2C4C0A2B426A8971E5DAE9E6857D111F090551D8421E544D2C4 - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = 4EF5A50560888E7165FC20E5F8216DDE3AF3124A696696BEB613926DD867044887A3DE82E84A - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = C330CC9995A04E51F5E80FA81A6FD760A8AB069877337C8E6C29519D390C218A37454D692491 - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = D8AD99AE058B96BF3F976957734D107520F07E546EFBFA326E0EB5778820B0FD888B16266823 - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = 0459314DD16DD0F3F93017A67273BF62D02221BB22919EDBDE92F45005CF0D4B356AA0CDB30E - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = 2F8EBFC8D7219789AA2D46AA7774CE0FCC214EFE3A0B540D7FA2E9E6F0C29FA56295AC67E8EB - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = 1E546A7A3C9BEC3115A1C57B83434187DA39ECB8AF1EAB216CC21DE60D537CAAF879BC606FA1 - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = 3F3026ACA27DE67286191147E3B31E543623F54E7C114E84D6B6A0A811B64644E3653388E50D - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 81F61D5CF120623AA7A6080F7C382F87DB86D27F64EEB677B3FFC81689D1A551D32E129C6189 - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A5A8A9A2C8E0E064E29C91D67044D53A1B3A450ACC292CFB014DC620DC00BC340C2C3A595396 - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = AA0A4CE54D2F7C216A1AFE16EBC682F67B636FBB83201DFEFBCF6530CDFA946E0AE10E267BD8 - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 959D372BFB863FF1E940B190234ECB4CD964F3A0A841BA5C51D99B785BEC95967CF8650E5F95 - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 41C9F94B5A7BA17CA479C88175E2E85F8D29707FCDF4515583D4E783B4F3F3511C26F4D30382 - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = D1BC71E61E870D9A2073326D162789F282F43B4ACCDE67118DE40868220DFBC09DC964FE164D - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 0CD8D2AED8A20185CA8E81E1BAC1A097752A430C4809A534967335CC6597D86F34552B0F2F94 - -Count = 751 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 4FBF939459AD906A1E9E70AF706013D5E607B62573619EEEBA0CC9D441FA0E74A5DD75E31CC4 - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C2CF6FBE8A78411CCDFE8CA6865E9D767DAB2CB1625AC844AA88540340B38C4EFDE5D9B494C2 - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 3334AAD3DB494976FF61B72EC1431B5063D458BE1DAC5A7CA8C5FAB1E9B2B87336B41A9F8A70 - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C4F6C4101EF1D1E58290E04127962D6C3C9D909C46F78BDA1752717891C42DA6CDDF8D8E67B7 - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = A0CE2089082A59DA267FDC447C1D4ED1FE26313D4C6339CEFB3A824F3D7283EA9471F336F953 - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 0DEB99D4005FB661D8FA78116832FAC3B827E7C37BA2DEB266FEBC4C8AF58827475DF8077FE1 - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 8DB0FEC8B4EA74961344EA5362681DAEC484C0A1D63D5B46B84B86F2BD998342D1F2C0045D48 - -Count = 758 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B1EF6205887BC032D66C68EC597A22D340346485C9ED443CE6A193E2D6BF11425E471D403965 - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8C9D26D292D8C3510B3CC4ED49AEAEABFEF2D579DD0FC360246F34301EBC5BE3CB0CC9766CC7 - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = 4342B6375CAEAFC042FDAD93B39F7AFDE1C78BB740EE4AA6CD635CBFB14110AF7267C26D2B13C0 - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = A1B26FF68BE6CB69B88E75D6A346437DCA9936DABEAD8A0834AD1E193776C4DC19B82657D2D917 - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = 53CF2CF3C82A3B48D45F02E87A71763275F03C09052788D87C89CB9A864DB05E2505546E934D5B - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = E582974E0E029F0734AAA09DD05C1DA581E3D6E4914DEBCE67E57BC98F4D3CA94F2D61038A8A9B - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = 
E4FE97658894428577EDED6B303366695522331097B5DF32FC4345E7DF6FD4733503C53FAE7B53 - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = FA7A4BF12C69B36F10FA8D358F8A4563222EE2587ACD979BAFBC3649502B050D52D1853D81D40A - -Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = 43E514F197282220CE4A54A37CCEC23C10691DBAC0FE2A4BFF55D9C87412A6330D075C1F28C5CD - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = C7602A0AEF045F69FE42EA10B938C20E11E013A2D1DE573CD1B2089D8FA73572117095AE8B7F1D - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = 520AD11BD8DC2065F3FEECB4A123FFEC193951459121F8A101D7277EAC4722416BFBE82E09E422 - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = F444D35DEBF61E46EE9E1B2F6F67E36BD5D50717C74D81B0EC6876079B7FDA322F28504687123D - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = 853B6F3CCEEB806BB7B9B54111EA9BDCB4A3B898D0953BBCD1B2ABFA0DE761D9E7111C31A6D845 - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = 74B6744CA954E5BC680C9FADDEF33284222073FC806201891AEE33F83AFD49FB2411D613F7F20C - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = 6E0E5015F169870EFC60062671187979E17B469CD02BCC90931954ABFF6138F54960543E41DF66 - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = A99E0E4C88245066033AE8CF5FE22B1620ED25D8EC784FC89A04F1CB3709395EC2EA23B77DF7AF - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = 80DE0A46DAFF779DB30525A4DD4B3E332C601AC3CC9B1D4BC172F1F1C1BBC92DEE5DBFBDBECDCA - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = 2F5887BF2DC4C16030ED4D8156E8B0A586ADE223508FE24D11649C8542535B218454AE8C81BA1D - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = 7242C157D5882934037CB11B21A4A4E66CE05D81FB5F274A78CCABC0DE7B9006C1781E37551643 - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = F95DEC0A19B14E5ED0067A356F7B2A5FECF4DD69F3ACB5DD4348DDE32CF7D758F10061F612C748 - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3A3F1ED70D95D39323FBB34997234F28886179CDCBF870ADD09816F4124740418986654CF13B3F - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT 
= 3C08BE5EBB6FE3A9A1D37D3C5F55E904A0D1BDD4E1060ACD31E60F05372CB64CCDF3F383173CEF - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 6899999441829004DC2DD3EAFB15BD6922D6280411FE956E8BB850D385A9BE25BCBF2BB32AEFD9 - -Count = 781 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = F0EED9C82B41735C7DA911484A5609AA88897FDF0EA74A5B5812EE5AC724B75B469572E597B126 - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = CA95AB16423EA71AA4623D8CA880069E3742797CC3B549887518DEF1F2E0C1BDDC733B57A56A3F - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 91C75C183FCAD10F57BCAB7AFE8EECA2EEF689593D9B8265536FDFBF47004E047A212EB02C51CF - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = DE218B0190F1F432F361D395DE5F4ADAD5DFDAC217D35A63AA24557F976BF57EC53075C1FCF075 - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C95F875B7420920EC84B26404052097B27E2B740837DF3545533354DBE8903247A52B9A1F26DED - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = ED4D76FE1AD326DD35D85D01BACBC756A73E09034AA353BB60CE13994AC7D0DF574EF937BFD478 - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 07C53914DFD789739B99A61804935834454AA25E3F4C318F84D8973CEB36FF0824AB79F54854F2 - -Count = 788 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B6FD97406DA3C9C2EEE032242CAC09C7B0F60764F810F2566D7BE58ACA30638D3C31BBEA193D1C - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 74E60A17AF502D85639D43EBF8EBE06472FBB2C8853DF2346380F609D753CD03059438CA282674 - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 30F81E5BA360786675CFCC48E11F71A45055A6F91E5A2132D17FEC7B6D335926C3AFF6FFA1EEA7 - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = E3885223FC36AE2C78B2346B58DE18FCDA28629575E312087D756B58D5FEE6D24F618A4FB85A13 - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 681BB9999815EDEADF2C96E0817D2866B91321AC7818399D38DF5069DA7A9216B8FB1F1C957536 - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = 0615B8133562E3312FCEE922057835C5EC588E8AA5253834FAFA480D2A5BE99BE5B7753730D4E3DD - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = 86AFE5F3BD2944B08A0CF676BC3C54F75204DA02A6BF6AE2ADD461D7AD0A7AE6A8B70255A524DD89 - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = 14A02D8A82D6BD040DD3A04DC9AF2999D73BF95F625789A76996FDA2043F6EE4F9563203AC72A338 - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = 0BE26FB463D6069D1BD73D557AEE9B9E773853997998D1EE26F4270E9F7693DA76CBF7F4E675BE31 - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = 9A6971EB40F743AE38DFB4B914658888A5BFFBE5B2416DCC20B601FDC113D317978F5B5C1838338E - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = 9671F33E3C157CC1E8296D40004A2DFAE2C9365369453302D710C73D902D46242F1504EBDEF8C89D - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = 06EDE6F7E7247C19B896EDE5FFE3A4525030BDABA071573BEB6BBECB409C58C5DDC7352F21CB2183 - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = ED3067EF5982B36687F2AD61BD13C07BDF02FC869E24A22C488808AAD5A2B31A614F7A0919C3C180 - -Count = 801 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = 4CECE31B3110D2102A19E3109195C289B6CA96B199CE1682466D7F3501DC9D1E9723B54F8117C858 - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = 97F496613A1A124B820621C1200F4C724170DFB26D61393334BE0E2AC62816AA22DA2FFB9BEB486E - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = 8C60CF1F667208E116D55975A6BED8D96CF69964803EC4C6B0EDE9A37FEF559A7FDE8FDCE8C9BAC7 - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = D7282C6F91C23FD67BE76EA23AC9EFFF509DE21474A0B618453BB6F5CF603003DF0D22B4816A68E3 - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = FD8D1E8E2DBD73AB9FE6F10862D82B422C9FE1AF01444F4223BFBFC688E54292EC3DAACF42D903F8 - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = 2EFC91520A3FC409D13EA36DAD72482034A0586BDC46E90DE51DCB35FB87719453B8199EA6F72498 - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = 67F5200105C417F2BCDF6CDE54AE7C0E7DF4174633A93D865BDBBBA206D4AE73AA17DED5FB2ACCDC - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = 2A8C1771A1E6C10FE86F1084BE206F756229613D7495792046170EEA7DD7E7B0D98BDCB8026EBD35 - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = A663DD61BA1B75A74C8B80D5C757C2CD0F960BB49316805356F9308B06B7C5BACAB721EE3ADF8685 - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 30F9FED27BBBFAD6FE7FB567673AAA552933A5880298A521675B0CCAF1675DB10CA012A31788B670 - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 30D63F34648C29E4902FCC13B32B8925EE1093B66AB6C0BC252E6FB9694079BA48FAF206EB7614D7 - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A929BFEC0D472DFA55D8F0BDAE0700BE65177EA765F4A1683AD3388B7754202AF7F5FAE6A76B8C92 - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 6A6CE5AAC8A04D8252680FC7640DEFCF251BF6DEA697EF8E26C09A7BA731AFD2B9B705CE47DD12CA - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 5732435ACDE3C04C217E9C45DCCA2E3ABDEDE740AFD4A75E73515769A7E89B4874286C8BE56CB85E - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 6CDA43C11AA9D5B01ACD7E83E335A95573B0AAEA96BABBBAC47FFF33BCF778753BA12EC07BA945A6 - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 9D3851B4A1A41E608E3A50C8778FF7790B0F9A4D3E978887B4913E2C40B92B8FAAC7B5E082064A0E - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 61646F0407DE9F82F9B5C26C70CF9DAD8B96950CA5C0037F0D4BF54FCC8AFC6306587608A1104953 - -Count = 818 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = E90FCB520687191E71F9EDA5B1162DA6EC283DE659236683D123451DD179E4F11E9BE7ACD2F8CE39 - -Count = 819 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = D318AB27B078C6093A0C8789E5761104BCD647BC4E30B9423A84081C314E1D56075C29B42F455203 - -Count = 820 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 5A908B98706DE765F9C9EAB5D12D1F04ABF282F0AED78D7A5BF085CB9BF41D46B38673C3850CB54F - -Count = 821 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8EF7484A2F414D4EAD3A0D07B2881DD89CAF8AB06AAB2CCDC041698842469A4592E8D2BD0840BA31 - -Count = 822 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A370A47CC98F8C4EC91688C6447656845FECB9BC2832AD22F08B0371EF16A169CB22D4A73D82FF86 - -Count = 823 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = BC088329D60587A92B0CBC9D3AD730E1717C82929A4770552B77BD92813596A3DBB55516B1CA3EA9 - -Count = 824 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 82F3C972603F474B80727BA5DACEC5ACE3ACE6E2608D51168D9D6E6C56E12E10BB363F23E59A45F1 - -Count = 825 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FE26015666D51AE788688555CADE413FD64221F018E458961712AEB056386D824A1BF77B8DD12F26 - -Count = 826 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = -CT = 183D3D2D5FEBE8963DABC9DAE4F18D45099C7D88F43F2BB40CE537081CDDDFE1E5502805AA180F438A - -Count = 827 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00 -CT = 5590318D7ADAD24B320567E46902B70ACE16D3035F7F8BFE02EEFD049C9118D340D1573608DAEDBC4D - -Count = 828 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001 -CT = B6836E78F9FADFFC76B770FB21283FD361260DD738507DFAD24B4B6D8B84D6FCC1444D923E3A2AA720 - -Count = 829 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102 -CT = CF6B9C3F706E3CD51E8396D625C78C4BAA0A7BCEAFFEEFA7205AFCF367D8827122603049E3B0568FA8 - -Count = 830 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203 -CT = 9F4AB089CEA61CA3D95C58C1B189151E6B043BF7830FA58135FB6371CD8F06FE52BD21CC4EF2AFBAD0 - -Count = 831 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304 -CT = F306EEF72ECC7F380A54245D174FA5C29F71A342F5804E577B844DF4FB69526032490E83677B7E6597 - -Count = 832 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405 -CT = 8493958A6E129068A0FA9C1F8EA2D8B572896D07D4AFCA411DC38CA6E750457DC0DC2050DB8B78070C - -Count = 833 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506 -CT = 0931D92CD32042FDB1CBFCF2A33241A8347E7812C9BEF7948FFE7CF942D06CAF2957C02CB4965A46F7 - -Count = 834 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304050607 -CT = 4A8158E15CA96C068332F7F31AE23DD90C722BDC29F73A31B829B730CAADD693CCED5D33EA3C98444B - -Count = 835 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708 -CT = 28B6C3BBB074A3AB5DD4FE18BCD9B1117AC5D2BEAC14B2BC39AB03EEA52041055DDBBE487CE74071B6 - -Count = 836 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506070809 -CT = 
FBD9E3C1021FB6694D89F8199739E6067262A50F45D01C6E53FB6833EC035680A00644A53E1758845E - -Count = 837 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A -CT = 274E05A71CC879B8C2EDC484086D2700D88BCDEBD31087245C268A5151C8AE373948CB31DFB12A17B5 - -Count = 838 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B -CT = C1FC767D4DC1D57ADBF5650AB1B6ACF7A1AC61C801501C6D5DFB551E3568A261752B4FED2792F18B72 - -Count = 839 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C -CT = 2AFCD6D129FCB819A8EFE95D332D0F06950C8C12F4A398450B6E45F84AD86E698806B24313F9A0449C - -Count = 840 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D -CT = BB322631D99825F110143B161D87B6CBC2B7B558E5D3C78ADDA4819C6736E024D563AA50A2EDC144EF - -Count = 841 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E -CT = 06DC95589039D5C2A129E823569C15540B270054B6D3AD6105D139EEAC3715083387DD308A9C26E64C - -Count = 842 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F -CT = A94AC0DDF29C6D039B49586EEDABA16081948A03511F44E15ECC5FDBD557342D6308842A24683C587D - -Count = 843 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 
57333273F7B80FBE88F0443891AF01EF3783BD952A19659AC13856A9E7124C95951DCFA4D4E71A6EC6 - -Count = 844 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = F3A2FDB8E5DB8BD85CE64B9351C603690DA7D26483A8E9E1F131ACB383665F74BE2630365C84BE65FB - -Count = 845 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 5CBE12751CD85B9A7F78D3A196DC5E6F222BCE147DC07F68EB8ADB6C58E2B889C54C1D23E0A1157CCD - -Count = 846 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = E931D33F1597AEE5EE6402101581B3CE7C657AC199E123EE34A3524B96DB8715E6C053889A54F64920 - -Count = 847 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 5AF822944B7A7FB2A58E4914C31A413B1EFE3126EAF82760CC34032BCBCBE0A6818E53D34491A99B40 - -Count = 848 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = D5CFD5BDDADD21500EDC0CB3CB8A861B531822F796ED14743793A98B3D164B4443ADEADE271309FABF - -Count = 849 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2201CDFF44E52CB4CF67E057AA299FC31310FA8F22DE91685FE5F53D2FCDCEF2FC708796B1649B6BDE - -Count = 850 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 4BFCB5FE133B0627CEB280F3E83919706A6F1D58DEBBE5AF3938048EAC780C9304B49B8D4A1C1190E9 - -Count = 851 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 3742C930228518219205F6E9F1AAFC88DC00D75836987A9FDCBD9B2D00AA4580E8DF0F0383C8D0A39F - -Count = 852 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = E7FC68EB0AF9842F940564DE6DED4BD955A1182927E274200AFD0CCA591F683B12E416D0F11BE2B66E - -Count = 853 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 9CE38D5BB8F6B098FE54C7BF1C273F7E17198CEBF99BDD2F742CE8A4089B79E6373C9FED5B6BE01B70 - -Count = 854 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 93D7149F4D6649F381B82A590ED1EBA6D7D9088884666562A8AC47E5DC654FB94E52C0773AAFE24A21 - -Count = 855 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 0C7905B42A6A73C5A060B89D00706C5E241CEAEA0BCD8D168318817BC55E7B0A773B4A628F9E7F52D2 - -Count = 856 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 329BE51A1ED7BD56446D519C0131ABDCE2A3CFCD7C31D37CAED0D51D17A3C63C551EBE824BCE893904 - -Count = 857 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = A231DF8543E1BBA1A7291699A124D2CE6E6182602AF4831C81E3123235F16ED757238D69BE278C9CE6 - -Count = 858 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = DCE182FED93D60A0689EDBA9B493E0CFC76D70F3B275F9324F490C2C4C1EB90488544DF1E54D61680C - -Count = 859 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = -CT = 1F86AE25209C374046EB8ADAE47E0F15CE2BDEF98CF93B9B97EAA0D5D689126A9FE3C5972C9878AF1639 - -Count = 860 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00 -CT = 8CDE4D55C4EBB3FF076C33539EBA0958B444378346F45916DCCC2253FC56B024FB8AE9501A0C21A8AA3F - -Count = 861 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001 -CT = CF1B8731F28C7DBD0A1AD66292DB360145BF25108E4CED95E22861AFD0A2D4D9F34D499E286D324E887A - -Count = 862 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102 -CT = EB6F677A4E3597290CAF6B77F4D0F12C91820B8E77832B8B2D0DF9D8C526B44351D514F2A6932FEA1E6A - -Count = 863 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203 -CT = E0EA33F5AC6B34AA2EC10ABD4A73C497F4E08335F1B0F922B7672D29254B666BAFF5F72510A47016F34C - -Count = 864 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304 -CT = 62841CE65BB2EF9D2DBA11E54B1E17A8A629B4DED9EDCA82096BFAE660243D0D345E6427F30706B98E4D - -Count = 865 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405 -CT = CF3A8BA31A1084DA83F076F05059AAD7CE73CEA88C4F125E361E99B6A5AEF2E8EF384818F3AD5D26118D - -Count = 866 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506 -CT = CBEE0F405DD0E7D059F76D1DE15EAFE1CF8CA25670E59F7F0FC6101E08DBF9E7162FE8466A02ABB14115 - -Count = 867 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304050607 -CT = 5403A1F61DBCAD6B2BEC374CD949B666F475C505A1D814A4CBF272262AD59EB4D6CFDC6C9825AD1D2245 - -Count = 868 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708 -CT = 686FF250F41AB6A3A88166DAFA53E0EDFDCE601B54A03C50D318D1DF4BA84190698E20334CEB20019642 - -Count = 869 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506070809 -CT = 60EA776D6DE85422D84D5B617138F94FAF4086BC7AAF7700D8B0D5DDB94750CEBE41B524A2515BCE1AA3 - -Count = 870 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A -CT = 5326A35B427A77E0BAF0F4A8BF0F4C86861632AC00D9357F7FBDF2692CA610E80FF6C93282621F6A79C3 - -Count = 871 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B -CT = 
412C6020B11A88012DF8517B5F57CBB2F0C052246CFE9021979DD8AB70C42A8FA2893B4D2A7CA1A4D297 - -Count = 872 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C -CT = 5FD9F2C4E55F3677795B7A41B5EED7FD10C6E0A5D4CF258313B36FA24494D24C7045BD58B433CC42DB61 - -Count = 873 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D -CT = B81593962144CBBFD0FB64A99D7112773FED1F68DB415600A8C7CD19EDA71113D377BF4E5DB1044FF34E - -Count = 874 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E -CT = 9B69AA217EA468A58D12409020E8DDAF636BDBEF58DD50CAEC71E3B9982763089EF0DB8061581AC7F488 - -Count = 875 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F -CT = C9DEF1A104C5067B7DEDAB341C980110FF98EBBBFCDB446F43E91ED2B39702B87BBE5ABB73DC4EE0302D - -Count = 876 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 42CE3EF0C7A5ADB37A36A614067CA65AA88B77AE4CC8063661D7779B937491265674609E922439792F2B - -Count = 877 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 93764F17CA4213CDDA76CE2255C29F136D02F2EBC70AADFE403E9C266326CEB49366DE337E9DF1447BAD - -Count = 878 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT 
= 20CEC09A70C7F0E2B3B495340DA95F0D93BF70273806697123F2BD09F97001E3548CF4B753CCCDEAD3D4 - -Count = 879 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = E6C7A6DE3644D4FF8C08447B54D4B6B8FBF624041D7873E5ECDEF9058669BE39D85486056BDE8EBF6A14 - -Count = 880 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 45DBF4E5EF54D694FA1707E9D9B884F39300DCC9039424C761730C74CBBAD2562FDCE11774755A585D2B - -Count = 881 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 9C5649081A83D73AEB4022984573535CE28252C664C598B4E14F1FD4CA908D000558C6C3584DF9DB613E - -Count = 882 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 99EBAC00545DE97FEE5EBEA869C516B51220D72FAC2FE04F56C381A5C35D300A7364337A1B769DF0F159 - -Count = 883 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = D92A99988B977A26C79EA4F9263923A41C8BD37DD340C4F5CDECD75CA5C757DFD48E4F9FF0D43FDD5D6D - -Count = 884 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = D9599A0C88BF5E0D56299499DD00966F0DE4F7BFA31673A96FBC4BA67AEC816FD334D23972DCB57AB720 - -Count = 885 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 0F4CCA2B0B8BED7BCC25BD20B10DC2DC299D80F057648F37AF8710136CB8274561DD312E00A1CFC9127F - -Count = 886 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = CC498D7E7F76AAAE7E8AB10E8755BF096CF7F2A87F9B62C562981E5B34542C2204E5265D3C39ABB29091 - -Count = 887 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2A51C7F797612C15C1D1F119772F69AE88C13FFD95BCB04C2493A7527D300B08A022B9EBC6EA81C82020 - -Count = 888 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = BC6D2AAD04D9DB369DF09A1C6FCA0978DF0C4B68525470A894B21C5DC591BD02499B2FE0B17282DC0F01 - -Count = 889 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 66CFCCFC8F5A52E1C5B633AF2331B4FCD6FF177C4F516D596C4BE6002D7CCF433B65DE2114E059BF31DC - -Count = 890 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 27A7E0B57F45D1C0977A530F724F52C76C7A5CA9001D0FAF51C075733C0AF2EF8AD6AAEA39579EDBD908 - -Count = 891 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 
6853A80F352653E990098520006AA85F1D80FE831104D72330715FC78B3418375638561B8C55E5F56DFE - -Count = 892 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = -CT = 08A2740DC2C3FA64FEBA456EACFE70B9985922F57CB728B471E5CD2AF41904B234C272F6F76F8A9297F629 - -Count = 893 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00 -CT = 62A05503437F4F4D6DD2517FBD06FE5E4FB4DE12917D421542102AD7A380F99151ADBD3C9FD9D1F8E56D8F - -Count = 894 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001 -CT = 9E52F49A2133B58F372CD456237829D6E3F03CD71C01132057C1874268E256ABCDA06FC1F3189674A43CD0 - -Count = 895 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102 -CT = CEDD44353C1CE8EDE2E2057E225A74EA80EA2DAD4BD2E17F6BF468A49E73930D15B51A8AE07EEEE17C0AA0 - -Count = 896 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203 -CT = A1D08348644E5C05234E5134947F6C182CAEA78B51FB314705F97024ED0DCB1B84F1B1F72D4374A0D153F1 - -Count = 897 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304 -CT = 94CB24AC4957D9D8C28740E94D56F6BF40264111EC3EA9696BA83D567D1F182AF37E5AAF62E9E662C50A9E - -Count = 898 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405 -CT = 451BCB21949FC82BBCE0B7AE16B7D92B37A3C3E6EA597E0894160B12222C91F6732C8331C3ABE30B2BEA15 - -Count = 899 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506 -CT = 5BF58730AEF9345AC66EB1801B5F4CEBBD59A1A66CC8F91A017FD0838888F56EFD820F392A285B6F53214E - -Count = 900 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304050607 -CT = 7DAA5B21CE98E96865EC37EA1BAB1322A41F31A18B201D41C6E4A16CA40746B619ACBB05E2803BAE76072B - -Count = 901 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708 -CT = 86C67F5D4604AB566D169CF658BA02355DA4F8FCD13A7551832E4968E62D061F1436FEF86D1AB8AC5560B3 - -Count = 902 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506070809 -CT = D2A4C6BA8D3CBAE6371EAA2DF1689EDDAB8082B034A10B38C4DA8AE9172E6F1AFAA8E42DD6FEA8F0B33972 - -Count = 903 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A -CT = D9AF0EEBE2BDFF7895DE64063325E78FB357470A8D9F13666E77B0C7E20BEF4BB02AA56915C73D99F7E2DE - -Count = 904 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B -CT = 4C685321763EDEF2774D3EBFD05E2C26C1528B5C2DCFE179C22B773438F494E0A6D16AF01049271FEF9DA6 - -Count = 905 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C -CT = AAD3D4BC3E216590A979D559ADD142F5992ECD507040A861B95F81203D1934F554C8673EB7C865AD8AF669 - -Count = 906 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D -CT = E93ACD639E18067D60F459ADAFC2870E3DB1560A93B59EF9F8F7AFDC342512871B14EB852841FF97007FC4 - -Count = 907 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E -CT = F1F6FABBC34DAFACC6BAA943CFB782571F702C02B0CD76FBBA21461C0F844CAEF279F4B9D43C896EC5828E - -Count = 908 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F -CT = F7BC3F3440A14513CC0EE348FD5DE42948D3CA937F63C9EF4FA9ECB3BB40A5A35A067684BD0FF2E84F43A6 - -Count = 909 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = D4537583278AC690D196ECCEC8E93486F18FCEF496EA1FA5CF88F627F021D35D702F58E11D45084B03A6B4 - -Count = 910 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = E8CEA54DAC2E004E5819A3BBA0FB6242B81D4B8F7ADB149F3F3EC1C92C886B66F748A89187A665F1BE2E6C - -Count = 911 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 0CA009A750296F87606DC314623BFA4E59155EE107D8E5AB6A563AE74E381A2171A154F7390D678667E0FC - -Count = 912 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = A115DD60D399184A85F975688C601D684FF5461B1A468F8EA47980EA6B58DD7AC846F4B8B190A4BCCE8EEB - -Count = 913 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C490380F1DF1D24B1AE173F202AA1FD1805DB4F2AC19C76EE542FCBF40CE171EBD709EFE7A8AEBE090D58C - -Count = 914 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C1E4F89A07325EF0543909F0F588CCA76981856D42209680A6A8E327B4D2D669122FAE7E4BBD908946FBDE - -Count = 915 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 4289BFD9FF4A098E91F79F8F1BF1A47A6D1E5AE4835E4EB0D951268A4DF7862CF432DEAF25FD33204D3274 - -Count = 916 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 0B7211E464895F80C05FC18F90CAB23B2AA9B3E0B50353A8254A0F6A2B6CA1111141FDC5EEAFA6B71D770E - -Count = 917 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 3666B8B63169F8E180F1716AA71C651FC7620654C16935ED7B08FD429A28A9C0B99985DD384488374C1997 - -Count = 918 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 0E40D3ADAC4523C93CC1E8CEB412F61A07E17089E9017AECDA289B3CA8084B77F3BA6412FD3BDF4E50FF2B - -Count = 919 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 
31CE196F6F8E9F4522BC274C2AFC2BBCDDEC1A3DAFB962D5394A6A093F923C2B9D7A73D4E67E40D12C6FDD - -Count = 920 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = E38F5CB7F9DED5496506F87AA770D2C0FD79A982ED3A7E4AD92E14617F6C0E00A0B0D15FB3BA1FB2F7AA46 - -Count = 921 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B85EA81EEE42E1D84646CC798F00ABE79604BFC84966333962566309940478CEF80CD33A62027FF0DF2C68 - -Count = 922 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 5B21F7448156546AF0D2222357C7A2F6371EF15E31BA2CA0AD5071783304665DF3257C7F25D98976D0131A - -Count = 923 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 51FF5FE133617233FEA42101E732FC6DEC2CEB983C0E624B500E3CE5E94EBCC9B6F7AED1D8B943650398F7 - -Count = 924 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 101FADA14391AB8D0FC56B47014C1D08E80295FA30FF6701A241E8C09881C4D2CF0C840F81F86885A3B450 - -Count = 925 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = -CT = FE36809403CB90A1E8C1D534E0C434501DAA6C2521F234033E6AF84C548230B7B6B613FECBB8E448FA679278 - -Count = 926 -Key = 000102030405060708090A0B0C0D0E0F -Nonce 
= 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00 -CT = C5A90DE55872AED1219A29D35BD740682282CF0EFAD9A91FAF29268129A9B42C183125E826D93FD199AE6C9A - -Count = 927 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001 -CT = 37EB2BC246F3098687CAE585D3D68EF0847D26827D2EFBCBBA192C2EAB26A1E4329FA6B16D5B83D41B78A8B6 - -Count = 928 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102 -CT = B5D24A5CF64AA7C4C9502AC7889176FC96FE9479CBAD69996B7E97F4D8E5AC70F778EE8BECF733A782FF64E1 - -Count = 929 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203 -CT = 382268E402A3722A1C219DF4F0A87830943FDFC16562B4895CBC41606443F52712F7D7028243177296B3A53E - -Count = 930 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304 -CT = 2EF37C693C122EDA7F9DB400A195AC1F3DEF56A414EB0706591937303AB62B17F86FDC6035B2229E786E645C - -Count = 931 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405 -CT = 605307DED3DA28457A6D021D45AA3B5BD5A1BA70C333E0169541C4202E3517217D4DFEF277E8285AE0671942 - -Count = 932 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506 -CT = 5BF982E1928B732E738A20C4BCAA17521F2A9753D58DD37D49E0BE9FAB3CBC81B63AA34B2879725C7B9AAB83 - -Count = 933 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 
0001020304050607 -CT = D03D24539621E6519C79E8E1AABE13B06F1964B937CD8DA4432E87226BE89CC2537FCE600DEA04C811F7FD95 - -Count = 934 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708 -CT = 4A935E79BFD6919DA3C18D57B7C3AD30E9B5182780BE6D0F0E490E530B9518F1A789EFB1AF7C6E2CA4B1B0C8 - -Count = 935 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506070809 -CT = 8BE2B8FD387673539A22B0777BD69AB2309C9FBF3B4FB50C770001371E4F45F08D6ACECDD058CBA7235B556E - -Count = 936 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A -CT = 7C32F2899723D3D25C42E06E75456F2C83EAD952B262178B49300089BE1F81910508AF865F2B07A27D856E57 - -Count = 937 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B -CT = 564E50F3CB3958DCD2757D1398540C8B41160B44C0554706E37CC28EC0C15409F3E4FB090FC7A467144D4CAA - -Count = 938 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C -CT = B39424B99426DAE367EBF413D5D60C832FADA6608D9C3182EAB8084BAA33496FAF4612C3D8B705A0774EA89D - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = BE52103EDCE3A0E4CF228900071F9C6E88AE5E36C7344CC47954FCD2CAC0F32B4F6FB0D82298687E190478CD - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 
000102030405060708090A0B0C0D0E -CT = 5997D6AB52B3833002F1EEC129B2C8FA7AC1C5B81FE97F3241114C8D2A481E15A2F53FABA70BECDC5ED6365A - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = DF608952FC0C41163CD8156C64CDE91D8C160048AC6A777FA052BB5D4991A4540A6829E33A6402D2464AF48B - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 779A4C48AAF3D6D2A5C93AD506D761663ADD642694FFA135ECDEAD9A426682C7A1AB9CD2518B037C038260A7 - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 92CF3A3D352971FD50642D438AF24C7EAD92EDEBC12E412B38B744DAC6F0BFB4C6E54C0F8451A83AFD79D790 - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B8D64C45B003F8B8C029CE5D454B59426E5C1E4122E2BE12A092B139284DAE4942F2F6629A15858A4F5801CB - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B2BB3AEB31CA0EB7ADB64168DFFFDBF52DA2929F443298A0AF380C0059725A27B52268C337EE8767605DE207 - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 04177B3270F941A0601BA55A95A0351281CDA34081A3391A9386EB90FAD153F8168C05C8FD43EC5C3C5F5C99 - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 890038E457E846F1C4715952D83C64E4784BE62852954DF1EE0885CB71664CEF944FC58302121E21AFBC604C - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 508DBBD891FF56FA0D697D37AE25D452885F2C20DDFA9DCCAADD4CFB8ACC862E027A38CB47AA307CC8DE52D6 - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = ECBD0EFD9AE886E37CED7338138E2CCC8372C2DC057F7C926CB60B60AA38D17C8CCA76CB87A799F054B4A343 - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A31FAF507C27DAD0865F79D8F0BEA714CB10E530152E81C78E9BAA69170090ADB17DE76B048D2AAE4563473F - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 31BDEF4AE4E6BFE2334F0543B4C22AE68264C575BD5E2906CFA1A157D5EAEEB7474A5427B843313303BA80F5 - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = DA7EE32E0C65E8EC37AD5E84DFEB038E1E92E1F962F3D5F7748D925169F04F41B77FE6BFC4EF312F989FA506 - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = D89F19991EACFEC917BA0A2279356114BEFE1755EC1B088BA64066AF3B20DD0F25A76C90B78CCBEC50F9B0FF - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 3C016F4921C3C154F4164C2531AB29AA12CCDF9EB3E2A066CEE0F221AF65F426E947AF2A26A0359B6743AB5E - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = D3244004F6ECC317F6CF602BD61904B15CF1FCC09C200936C50065788706D8EFAF8F12ED26ED1D212141833C - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 5308273B7EDD1DC6A54C1B72B19EEEA30980B9BAE61ED1069AA5869B27F2E2B5E571EEF09CACC0F6A3BD128C - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8648080FE5BB17EEBC10F04CE8F425A6BE652610E2C0CA5B7B3DE3FBDD29835DC5A60D0D130FDA04B3B1829D - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = D459C826D2CDCAB8F5BD685F81038EC2B477F3C8EBA6070D6BDDD7780062387D7404C638D5446FA94DC437539A - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = 61A5E27D24F3DF68CA63C311B1211AAA43E6B29972ABBECF069BAD20709BBE6C06A1CC843DD053DF744AE121B7 - -Count = 960 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = 9048B2000C50B278ACE21B3F06A5D88901B09EE955833F37BFAC594CEFA01986603E7344039655768A0CEE581D - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = 7CC61F11599339FD4439D5F13C28906AEA089C020BD16DA82AA5BD3E62B28DDD41456AE566B1CBE64971F8EE22 - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = B07AD2B9CF30AC4D5FE4B8B3A0FCA59C960B75A81DFA96AE0FC07733190A424E15FCFFCB97C839BDCD7777879C - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = 1B59F8A68F192413E6BB5CD7612856E11A2D5980311A140D33F82AE71909DE7B79FFA66CC7FDADF8B7D20D9D67 - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = 33CA2AFCF941DD9C43C01E1686DC31127D95231A36011D81F21AC460BCF7992C218B92983B3C0D8F4F498546A6 - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = 31E2AFB69583E88B8DC067916FA1B79CF22D7646D701CAFFC7AF91552A50550B110939A5DC443BA3B549B3D133 - -Count = 966 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = 00DE09FDC9E828968FFA1A0D959008D26513A447A3EE5ECB13EFDE7EBE61FDD45B58CCDE954EBDA9DEB903404F - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = E099C23E462C176FC47FF291C6EE8297E1C9643F071B7A092D78C031FA0AB9F52799AF3E6FFDE7DAC068E476CF - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = 729D93616969A5547CA61D6584339449DF4603BC6C1E297A10C159F0A51065E635535D01A732D5C1AFBC8D37F5 - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = 8302AC34B179D9D7CE42EFBE26AB1F5086FE7695E5592B2A287F264F6BAF219A5494C191358A40CA1E5BAE13F8 - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = 08A42703AFA618C06AAEF9ABDF45805549CDA63CC471BCD2257C1E7E2BF1B6B991D6EC09C1332F1C5FBCEBF6B2 - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = 0BC847CDFFE7C464FE403DAB6BEA3F9FC5746108DF8FA4A6E7D2BCC84FCE3992A0F637699271299036962C65C9 - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = 9BDEFE4C13117D686A02A470F715FDE2141B773BA5BB07492D29DDA6161F13530204A67D29921A3D2594E6CE2F - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = 22A304E8D2649A0623FF90DC01D4180D7A43CE5F390EF576A778EC8EFEA82DAFA1C8E902D004A5CD86E2212F58 - -Count = 974 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = 9FE5A173199F1768613CBA6D55471BEA3B3F58E10620017FD1C1D973BEE2A2A0DD9E4EA403EE3F817BF852BB6A - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = D1ACF937D3C9BBBC80ECF45E18397019195A8D3058D5B9F33A3062A79C7F986C5042F30192180C8F979ECE7105 - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = ACC9FB613E8866F05F27E3C04BA12C3C7C763735C55A1D67AB35FBF33C24DF60CB534B5C1FA0585C17D3F9C957 - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 6C8EF1F20FEEF0490DD0F6CCB91B2C36EE180A398345F68EBB7B2E47A1A36128F67F3BFBB94F3661F1B6965110 - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2175FCAB2F43068EBC60A78241AC223AEFE89B604A400949F14D6BDD946390AD40E6030094ECBB1D7C1FC2C8D5 - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 906C721296F0C62C5AA21D025A9C10264C13876B3AFBA6FBD4A11E255971E013D68B25D9E200273892E8163327 - -Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 
000102030405060708090A0B0C0D0E0F101112131415 -CT = F2F6E9B1A1E0617DAA2A806456131CDC9D7C86E5E967EE421F4F3362864C38C7A4EC9E592AE4C69C36E95BE6C7 - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 4380A3F24E3346A2E497F37CCBA59719BD817DAB160EC977888ED7DE608B26AA4F9D0CE3301ADD55C9EBB9000A - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 91E9041DE3391C811936FF943869273334C2E39CA3070DECAF65F608417B2955B8B4A87A6B580EAF5E8D3E3141 - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = ECF9D5B8CCBCC73B3688CFB9C4092C9D726B8DF8E9C5751190C85D942B0FA800762A06377F37A61BFBB497E3E7 - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 348F4EDA755893A25E3C9930647C83E0B371FE594DF789A2170C122DA441F3D2E822F4B516EA6A584FFA5EBAE4 - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = DB011C264A58A3D3F6253923D26FA23F202E4A6742127F72E3A1FEEAB27A441A718B8945DE402350EFAD2B9600 - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 
87494CDD167876EBB2F6774AA57DA98A3B0EAC20A0299902F248FE6B559C0BB800CD6230632C2BB17492FD6BDC - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C19434AF56858861B1C29E0102AA7A26E77F460E725301809534357F27EE3683B484E882FA295550A67A626A65 - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 1DE88F2D3A8E2305B80D396228B219CADADA1F65CBDEE50441664FC9186B7EB10FA4A3E136B4E1C2002DDEE086 - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = E2664F8CD02FE6EAFA937A5104DE863C80E8ACD1B75E18B61196403D8E4C989B7A047A4CDCB56D8B3C1CD05147 - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 447A73D6F93605738E1C167426E512649F16429D1F78459436A84173C5F2F745B4926C7E6E9872EA6306BB69B5 - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = 8E994A9EB08E976429759873943E6B9BE852C33F9471E1E2C253CCD91876476E9FC52057170C71F784DF1E3F03E0 - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = 38A80BD1841D2C460F393847AABBF010F57704CED1E6D9964940EB31BA7433663CECBC504B917DA4DC884166C283 - -Count = 993 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = DC0414811711091D0973244600FB31291AEF3858F2DD12DDA866830AD1BAD06EE67855D41F91A022A58E57CEAE95 - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = 41BB49EF05A8A05525D2B1A01BA40E52AF93EF3BBFC819FC60DA086C8CC8D05E9DCA6B32F4C1823A3809968C9A65 - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = 1472A1A7C9D64D38E2C7E82B49250B18500374C7A9D7AFD704369ADBEA95819324C92EE7853B885793CFE50E246F - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = 6C59B55E615096E4A9652B22C6629EE70C4869F0C0D85B5EA3ADFA1A0BCB99B5E7E92B479ACA93035FC89BCEE566 - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = 1D91D35A52782B590658B81F27C50FAAEB28840479B150C312C526C9EEF96525F191148669CCC8752EBFDD99425B - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = 36E20C9206F142B2A8B2F0CB8C688683B2683D1B8AE5F85457EAF2E8A7A3DAF7DA7C34CBAEF3C2E5754AB3A4E1DC - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = 5DD0B71B40E19C5B99D7F414308C0C5833C926043592084E9060DC8FCD476743507E66328CD08A13303AC17192C4 - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = C6C00123E72A60AE1098BF6933582CB0312B0F9D9E126DC964E5277745F7434E21F36ECA6147BD3EF6E7FBBCCA94 - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = B179B98E2636FC31124386D2D46E54018CE59E5B6B1466F25CF2173B8BF67948EFECAAFB0901BA282D162F5C5405 - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = 367D8BE55E8C0780F95577DFAE2437828240F0B344A22241DE2636E45D959E7EDB19A2AEF5439D5C45002A837A66 - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = 3FE4D221F9C37978AC8764AB1115C3044E557E75C63106203D98187C96479911959332E6EEECD14D2F559FCA1607 - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = D94CED8619D3EF5B649BCD84A4298B400130185A71D26C94F5BA9C75664722E230C9430C73EB458FCCA1EA66866F - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = 524AC9D4560658DD606AF20C9B5D80B4C35E150D0BC8FB86F9CAD82408A83CE32550531901F51A05C6A6DB99C7A2 - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = E073C45FE1C182394C06851EED8F73FB7471E7A1744118B57E9D22A03E5FE608D60BF87BB23437501E33F1819B38 
- -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = EF106C2E1A99C684E7B787E5ABE5150C9845D8C6BC7B2B8C7DBFB8844DB2AF7E5C193CAF5DD7AC7BFD432332FD0D - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 3A58CC4D78B5C8F52E0D070D6E6E205FE2834521983BEF90DA89F0EA80B338CA4A6313F762F0554CACF7A9786794 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B584B41D2164971979E6ED2230BC4434A2C0FDF7233D2D401FBE015478B7AA931DFCC46DB17919C1CC8257E42A8E - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = E527E836D1D10DBFDA0E725775B7874CD71BC850BE1DE7F25DCDD12B349B13563A463D28D4EA2E90C9818DB9F2B9 - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 81251D3AF80CCFABD024527840099C05B053048C46B1CE485B3AF8EC2F40B8B82DC20742D53E28D80D524C8E3018 - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 5B9642D89E7BE5A52A6D130F91968C01F4BC16FCCDAD5734978F68795A12BC7D7C84E365D471F581BFF2957D69A7 - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 7492CCDC4397299991DABD6A3F15731883BCBA473971295D11BDAFA07D135B96107D922A4E71DC14A2E796BE67F1 - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F93C29056AA5B1F4D5B2A1E32CCCAB9D83C67B9823595E2861066B0203B204651B7E951ACB2D2BABE8DD97E55B47 - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 893061B9611F71FA9DF0E9BC893635F6987952D9538E196B6200249290D0988736DB4C24C999F733468098D33E42 - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 1817887374B611ECAF30BE20E6B0CAA48EEE11CE07BA5E5DE806F65FFC63D15D6AD561E72A7ECF56030E9CB582DC - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = A621C52D3735AD5BEA497B9A7D8563EB9A032D96FCD851E770C93B035E0129756D2F02403661997BD9F48380467A - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 3D544DBF7F5D767102D2063E187B57F5092D4BADB61D04B8515CE748EE5409EB79D45818B12D542DC800286D376C - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 378CB93BE70D77161066CC0472EF7318BFA35F85D6AB86AB19AA9718A465D161AE57BD73178245E755F28EE33F11 - -Count = 1020 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = D2B058212E1BFD6543FDA7A75720F173A2B64B7FFDB9EDE3AA9DF31241C797A703B873DDBB0018D482681FB887F8 - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 835D2B7D717027AFC224669196FE7C8B812217017A64415EF617372FDE6F037E34DC96C5A722D44B06369B738EEC - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = DE1BEC74E1CB7EBCE87F717A9D255B111D44F83F33C2D0E7EE1CE1F4CBC5E293DD68FF47D8C5110D58CC90212386 - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8B427E508FB8673159F7575D130B2B82C573F4DA761DE2F1C8562D1E78E099D5FEB64F1435FDCB300526E88179C6 - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = 65CCA173C045AB2535A41C50647B466583AE342BB8364D6C99CDBE4B4B747CF50D9240454E426A6E67A868E33FE614 - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = 
3220BC1EE520A6C475D8C62495DC03123F79A806428BD107AC865755D13F151D1F94BB5CCFBEFDCD54C23F5F63C23A - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = 99928D89012B30256A6087FCEE7F2177D0CB36455ADB3185F459BAB8F4758CF90CC4BEBEE20BD1C7F18214C99DCC10 - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = 2388E8F93DA6372227077C73955E6FDF184F65B721480463CD0D91BCED9A63ABE1F5E88F09890C352E6236BED655A9 - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = E21DC0F95E94E001A24932FDC93E89CFBD1E67247F0DA43E5CF831822B3E34BAB60C2463B2AEF2E284DCDE563AD4BD - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = D2910E5A2F35011FCA31EE6A615C658C78E6C66377ED8FBFF735DF778BFDEE91AE485F883175CC0E8B9245D97B065A - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = C7BECC1A07ED276B2E87320D4942EC9B9F582C839DE23844D94B71C1B54050154C3E035485A5930CD854F83E4F2DFE - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = C35F6C2ADF7268DE666CFFBA99262A047E051A12714CA8683FEE77AAD1C6DE2F9A8BCF132F362BDEBDE2550A7FA59A - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = 
0F249F500DE2E406FD53752CE7CBD3A5DFCC676ED9A5BD532BE20AA66744B4A9A495DAB814882BC9EA00F5E056FFC7 - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = 811D5D4029A9F4EE818AC51FBFE014EF70C136B78153A08B380448A4B296B26B954F498CE47E618DD0E6653F8C7BDF - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = B6CB7FD726E7A03268F9160E4FAF2254D0E187D3CB244776A2F7CE9DA52771BDB0BE8A3B67E4A5CF1CE6AA187A6BD1 - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = 3BF05999E87D72414FDF6D3912D5BF5AA1AEE1D5BA9DE3E8E19A171B8E4CCB8776FE6C263288B9D8A56460E44FC2CC - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = 009EA1BC50220120087A6C1CD3F8EA200CDB6B15561E43F39DD117FF313C20E877CF521A66D7A1EACE8944CFB90BCD - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = BA08CF6CBC1F30FD53CCDAC3320DA3327BB791B743A72F14E20A806BCA5A407EF86D755954BE0378A164234AFF26E1 - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = 6D58A28231AAF14E5FBAD9DFD37B60059F2F95A2C98E873B6429E29C3228E20CFE77558609982091E4F1CB69208880 - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = 4AAF25E0F2691A95C09DB32A832B2F33F07A2DBD740BF9AE2E921CF9D9D500A63E490FB04F63DC8BF64CFB2620DC8C - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = A2C73D79F5398D7069279D5C9886A65284AC160458FDF6AAB574F084DD39607E2305D80AA57FE301960F4AB573F750 - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = DDBEAE5FAF8E10CA5ACDCA36226EDE8C0BD096149C427AB107644F13D30C5AD6F4463B2F13394FE9E7F2812D139321 - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FFC9D501881484346DDACF00B6163C2F7B505C54BA731F7F62EA6B80076DE5C0A82B646508ADE52CED708172C4409D - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 45743E0AB03647A35B36D57881422F5B21185A4E357714F8349CF2539107BA2C7EB264A3B11FBAE866FEC4A728EE37 - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = F4E563EC13A6E7ADC5574D2021949D5A81876FA54FA206A841883742EDEEA994E7F03DD43A3FE5EA191C34D8A0CB09 - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 
3CE1EABD4FD3DA419407BBA542BF482E3C5B5E0779857ADDA056A6685A2EBEE9A008EA5F530B304C7EA67B6F7AED97 - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 1DA494A6FA6D2D9FDFA4ADEEFE25DCAEF055C66D6414F0E29CA05E8F900EC2CC453669FDE897154AFD2B8A7AD4537A - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 14D99D277CCB54B8C05083325FA10E6F83CE185A24F725395DD912C60E70FF811325E8C616F88B9155D0FF33822DC9 - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 0E32CE151B1400D4739E024C9214547CC7E4FE565ED3497A0B22DFC9CAE5A3F927845DE66729A818A50DCC385532EE - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 0CD7B685E00F5AADC75B47B82FDBFF0274012BBD24CC1DB394F578A18C0211F5A8A9DEDA7D3451233EACCBFC020875 - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 756FBB9255CF78B9BEDE42B2F1EA0A6681AA96DDDCC0B9E0CF92A51BA74087EED0411E8820272CD66580E8869A07DF - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 
CF4E96CE179E9BDC2A127D0667D67430E9B6E9B9B5469D837ED4751BBD623BBEF6633C98C218F988A4EF172A0EE39F - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 844AB703158FC1C928AE4D4AD75AFE754C7AA1933B3A40D5DA21ADE93EB77D9A40EA116C8F7FD8284FD01585769832 - -Count = 1053 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 33C91E336BF8724F274B50F6AE48ECD8590594C4051E6A3F0DBA3A2DB99C94597181CE89C29CCF21227267D25B5C3A - -Count = 1054 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = BD4A1E9740A1A40D8862462920F80E8BA0B2D90099684A4B11AC99C1BA889DD4A1E0FA97602495371C0FFF625DE06C - -Count = 1055 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = E4922055952816D825BA9E5DA85F5AE28E72F36CE9090ECE2A7DC0E7BE62CD36A53D64B0A6375A7FB05D174EF4053C - -Count = 1056 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = CDEC5DBED829C1526002B9FAFD07CD38EA109CA552ED759FDDD4B2926890190646CFDDF71F4DDB44DE748D1A930739 - -Count = 1057 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = -CT = 
BD14F783056788BF8EE192F2A1A3ABC055F33792C0A581455CF9BDEE7D8324BC1C58387E91F15AFE31C506FB6FFFE25E - -Count = 1058 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00 -CT = 80019A7582B0CD4F739DAEE7D2CF797F0E671FACF30E87B2A92E1916E8F60D43F0C722B22F1D39DF831FF941AB650E8E - -Count = 1059 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001 -CT = 26468F73B9E6C1888C6FC5799BEAC0F82AAA3E69EC4FFAC3FF5AD9E884D5AF5BC32B45BEE76AE1BB8A5ACEB67DB56551 - -Count = 1060 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102 -CT = 1C1F5BF152910EC036015F12C386718CEBE221C0935F594281E410E6417C0D4C2DF930E9D95758722664666791402033 - -Count = 1061 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203 -CT = 4CDF2E8D07C9934746474BAE5140FCFC507281D238826A2BAFA0907A69C8B3696E6D664296562254834D93D822826B1A - -Count = 1062 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304 -CT = 59C341B359F76A83EE3AE52E4F40C0AC7DC5B389CB24E06BDB79F42AB84793FB84F299E7206703C0C1C2A7B2713F0F30 - -Count = 1063 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405 -CT = 0B71ADF8419F29A80AA585FE6968E0936FBDE9E46AFAD64921CA4BE95DB1306E600EC02497EDCADFD6E77D133FC20C66 - -Count = 1064 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 
00010203040506 -CT = 9D913ED6324CB9AF2FDBF73ED020903809C4D16F5B4A237AEF5EE33531F37B40C440103E350BC7DBA51AA377A164359F - -Count = 1065 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304050607 -CT = 63E019E2BC65A730645DDB65086A6C6DD29DE0C6909BDCD5C49BBE6014C939A3FB720C784BEACE8ECD78A3E0FB65A298 - -Count = 1066 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708 -CT = 5927FDB0A1759F28F0CE1D3EE4BAE0E14B8A86A97D9F2D4B6C2792614507E1E26ED4274F561852562563EA0137238F78 - -Count = 1067 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506070809 -CT = 38DBBD5BD9821CA9454F28C375D88798D4AE0267B2823D9EBE817454B08A43AFC64E92BA29319D5D648137199A8FB723 - -Count = 1068 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A -CT = D0ACEB19995C4A9AA98AACE39A773EDCEFC213F847C92323AFEB9903FD937DEB9E7D97FB98076D4C746EC6052061B885 - -Count = 1069 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B -CT = 3AE5DAD426FC419B99E198E8AA6590176353908C68A3D20E4BCE7079A34B7E36C4B602EBD1711E8824C2F672ABA96015 - -Count = 1070 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C -CT = FECF987B1DAD9A693234F346EC2695CA3E279A41CE2287751583C2A02CF10145729A0E4C5DFBFBAD7C321B206082C25A - -Count = 1071 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D -CT = B958392575871E0E5227BE112843835500C06FAB30F59298B45F376FCE72C6501F0C06C66D79F763DB027651E5568D52 - -Count = 1072 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E -CT = E7B4596612906D4EAD667AEA1D15EB27B0C2EAA79197256D1DD674E305C83271FE387F5BB47CB2730CFA9ECBF33B2196 - -Count = 1073 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F -CT = DA963AEE2A51656B08EDEAF54F58E7300891FA9B9866B0A45E37D30F1DA40E7F44D0D8333F32629620BC3006A4272C28 - -Count = 1074 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 8C70C9884FB915E1DA6AD8CA1A5876F8E2E71FFAEFB54043DFCEF43E001BC50A3D7FB78637A90A297D57DC720FD09C67 - -Count = 1075 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = F181D3D0725F6A125D0D00471EF2431371F010E4C5184B493D51336B784B1FFA66A186A64E45A0F84ABF42433FB22F7D - -Count = 1076 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = DB44720526D9D37F55922EE2BE385717B1E891EDA60F742249B63B6E35D29D8777E6F9D119200F1598FFED58CA119720 - -Count = 1077 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 
000102030405060708090A0B0C0D0E0F10111213 -CT = 9224ADE9C4AB82CC63840D14589BDC2D01BCB33FD1304F70FD1D3ED23987CCEC771C0F1AF26A384A6992E8DC9EC6AD1A - -Count = 1078 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 3AB8C3E00953A352226F9501F1AAB74D22F8612B5D3019F61D9779F60AC343CAF2A9C64F1B6268FE301C0436987FBCEF - -Count = 1079 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = D9176344EBAAD298B88F9296E9C9966681C44224ABCE57A50A3AA081A9D8DE23239C20EFE55B35A8452E46CC24611D06 - -Count = 1080 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D5B9566076DF4A4EAEFF46FF2B5D12CCD4DDE2E2B30CB8C3EB4E667207101A4B02C63D5E9E35A04140F75AD42BC5493E - -Count = 1081 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C2A88C46E190CA4E746279ECA58E57E6822FA82D737FFF9763A5D3369B076E61C86E90B15E0E0C9904FEC1D0184A80A9 - -Count = 1082 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 8ED630E48204F2779F658090D08C050ECD2470EA3B99EA4F190E93A1DD6DE1547027611BC6E8D7E7CE1858F82B9C716F - -Count = 1083 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 
-CT = 935A04EDB480C16B758907E5164FB038D6C58AC1A0F38E6631F2BDC861C8F912932E9FC9800FCCB5453FF5E24EA45AA5 - -Count = 1084 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = F76BCA9BEF86D34132C12B481CC4BB21D0607EF11AA5062DECC555341F77AAA35A756CBFF2E234E111B4384F3634D12D - -Count = 1085 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 4144F934DE79326409CA117E94E759A2310BDAFB06C23F88A08105EA98C834A55F3BAA8BA9D4B4A7BC41B10369470907 - -Count = 1086 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 11CB6DE4F97F4973865B3FB7AC31A9D0FC8293AB368298C3A04A6CA9D9052A1240F73A426FD04638FD300BBF2DB0EAF6 - -Count = 1087 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 5DF040290D2CE9AE2D10FF377D317C04A1FCA5B51214A124AFABFEC4AB703B429B00607AB70F7B766813CFEA8E29A9ED - -Count = 1088 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 7891A6A79BA6B68169E8969FEE7F857E8645582D22600F372B2F649FAF46126ABF0118D60B7A2A2C362C5B317A51EEE7 - -Count = 1089 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 033BD399095BAE09294C88AA8FDE508229A3AF401B95F8A27039DC03378BA740615D1AF2F4393868385E7CB175B2E665 - diff --git a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/aead-common.c b/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/aead-common.h b/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/api.h b/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/api.h
deleted file mode 100644
index b2f8a36..0000000
--- a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/encrypt.c b/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/encrypt.c
deleted file mode 100644
index f13a728..0000000
--- a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "romulus.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return romulus_m1_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return romulus_m1_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-skinny128.c
deleted file mode 100644
index 579ced1..0000000
--- a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-skinny128.c
+++ /dev/null
@@ -1,801 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-skinny128.h" -#include "internal-skinnyutil.h" -#include "internal-util.h" -#include - -#if !defined(__AVR__) - -STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) -{ - /* This function is used to fast-forward the TK1 tweak value - * to the value at the end of the key schedule for decryption. - * - * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 - * with 48 rounds does not need any fast forwarding applied. 
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds - * are equivalent to applying the permutation 8 times: - * - * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] - */ - uint32_t row0 = tk[0]; - uint32_t row1 = tk[1]; - uint32_t row2 = tk[2]; - uint32_t row3 = tk[3]; - tk[0] = ((row1 >> 8) & 0x0000FFFFU) | - ((row0 >> 8) & 0x00FF0000U) | - ((row0 << 8) & 0xFF000000U); - tk[1] = ((row1 >> 24) & 0x000000FFU) | - ((row0 << 8) & 0x00FFFF00U) | - ((row1 << 24) & 0xFF000000U); - tk[2] = ((row3 >> 8) & 0x0000FFFFU) | - ((row2 >> 8) & 0x00FF0000U) | - ((row2 << 8) & 0xFF000000U); - tk[3] = ((row3 >> 24) & 0x000000FFU) | - ((row2 << 8) & 0x00FFFF00U) | - ((row3 << 24) & 0xFF000000U); -} - -void skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) -{ -#if !SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; -#endif - -#if SKINNY_128_SMALL_SCHEDULE - /* Copy the input key as-is when using the small key schedule version */ - memcpy(ks->TK1, key, sizeof(ks->TK1)); - memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); - memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); -#else - /* Set the initial states of TK1, TK2, and TK3 */ - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - - /* Set up the key schedule using TK2 and TK3. TK1 is not added - * to the key schedule because we will derive that part of the - * schedule during encryption operations */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. 
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); - - /* Permute TK2 and TK3 for the next round */ - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - - /* Apply the LFSR's to TK2 and TK3 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } -#endif -} - -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_decrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint8_t rc = 0x15; -#else - const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1 */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 
+ 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Permute TK1 to fast-forward it to the end of the key schedule */ - skinny128_fast_forward_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_fast_forward_tk(TK2); - skinny128_fast_forward_tk(TK3); - for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { - // Also fast-forward the LFSR's on every byte of TK2 and TK3. - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR2(TK2[2]); - skinny128_LFSR2(TK2[3]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - skinny128_LFSR3(TK3[2]); - skinny128_LFSR3(TK3[3]); - } -#endif - - /* Perform all decryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Inverse permutation on TK1 for this round */ - skinny128_inv_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_inv_permute_tk(TK2); - skinny128_inv_permute_tk(TK3); - skinny128_LFSR3(TK2[2]); - skinny128_LFSR3(TK2[3]); - skinny128_LFSR2(TK3[2]); - skinny128_LFSR2(TK3[3]); -#endif - - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; - schedule -= 2; -#endif - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - 
le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK3[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); - TK2[0] = le_load_word32(tk2); - TK2[1] = le_load_word32(tk2 + 4); - TK2[2] = le_load_word32(tk2 + 8); - TK2[3] = le_load_word32(tk2 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; - s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. 
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK3); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t TK3[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this 
round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) -{ -#if !SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; -#endif - -#if SKINNY_128_SMALL_SCHEDULE - /* Copy the input key as-is when using the small key schedule version */ - memcpy(ks->TK1, key, sizeof(ks->TK1)); - memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); -#else - /* Set the initial states of TK1 and TK2 */ - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Set up the key schedule using TK2. TK1 is not added - * to the key schedule because we will derive that part of the - * schedule during encryption operations */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. 
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ (rc >> 4); - - /* Permute TK2 for the next round */ - skinny128_permute_tk(TK2); - - /* Apply the LFSR to TK2 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } -#endif -} - -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1 */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which 
moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0x09; -#else - const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1. - * There is no need to fast-forward TK1 because the value at - * the end of the key schedule is the same as at the start */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { - // Also fast-forward the LFSR's on every byte of TK2. 
- skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR2(TK2[2]); - skinny128_LFSR2(TK2[3]); - } -#endif - - /* Perform all decryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Inverse permutation on TK1 for this round */ - skinny128_inv_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_inv_permute_tk(TK2); - skinny128_LFSR3(TK2[2]); - skinny128_LFSR3(TK2[3]); -#endif - - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; - schedule -= 2; -#endif - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] 
= le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -#else /* __AVR__ */ - -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2) -{ - memcpy(ks->TK2, tk2, 16); - skinny_128_384_encrypt(ks, output, input); -} - -#endif /* __AVR__ */ diff --git a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-skinny128.h deleted file mode 100644 index 2bfda3c..0000000 --- a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-skinny128.h +++ /dev/null 
@@ -1,244 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SKINNY128_H -#define LW_INTERNAL_SKINNY128_H - -/** - * \file internal-skinny128.h - * \brief SKINNY-128 block cipher family. - * - * References: https://eprint.iacr.org/2016/660.pdf, - * https://sites.google.com/site/skinnycipher/ - */ - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \def SKINNY_128_SMALL_SCHEDULE - * \brief Defined to 1 to use the small key schedule version of SKINNY-128. - */ -#if defined(__AVR__) -#define SKINNY_128_SMALL_SCHEDULE 1 -#else -#define SKINNY_128_SMALL_SCHEDULE 0 -#endif - -/** - * \brief Size of a block for SKINNY-128 block ciphers. - */ -#define SKINNY_128_BLOCK_SIZE 16 - -/** - * \brief Number of rounds for SKINNY-128-384. 
- */ -#define SKINNY_128_384_ROUNDS 56 - -/** - * \brief Structure of the key schedule for SKINNY-128-384. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; - - /** TK3 for the small key schedule */ - uint8_t TK3[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_384_ROUNDS * 2]; -#endif - -} skinny_128_384_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - */ -void skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_decrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly - * provided TK2 value. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. 
- * \param input Input buffer which must be at least 16 bytes in length. - * \param tk2 TK2 value that should be updated on the fly. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when both TK1 and TK2 change from block to block. - * When the key is initialized with skinny_128_384_init(), the TK2 part of - * the key value should be set to zero. - * - * \note Some versions of this function may modify the key schedule to - * copy tk2 into place. - */ -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and a - * fully specified tweakey value. - * - * \param key Points to the 384-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-384 but - * more memory-efficient. - */ -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input); - -/** - * \brief Number of rounds for SKINNY-128-256. - */ -#define SKINNY_128_256_ROUNDS 48 - -/** - * \brief Structure of the key schedule for SKINNY-128-256. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_256_ROUNDS * 2]; -#endif - -} skinny_128_256_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to initialize. 
- * \param key Points to the key data. - */ -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256 and a - * fully specified tweakey value. - * - * \param key Points to the 256-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-256 but - * more memory-efficient. - */ -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input); - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-skinnyutil.h deleted file mode 100644 index 83136cb..0000000 --- a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-skinnyutil.h +++ /dev/null 
@@ -1,328 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SKINNYUTIL_H -#define LW_INTERNAL_SKINNYUTIL_H - -/** - * \file internal-skinnyutil.h - * \brief Utilities to help implement SKINNY and its variants. 
- */ - -#include "internal-util.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/** @cond skinnyutil */ - -/* Utilities for implementing SKINNY-128 */ - -#define skinny128_LFSR2(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ - (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ - } while (0) - - -#define skinny128_LFSR3(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ - (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) -#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) - -#define skinny128_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint32_t row2 = tk[2]; \ - uint32_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 16) | (row3 >> 16); \ - tk[0] = ((row2 >> 8) & 0x000000FFU) | \ - ((row2 << 16) & 0x00FF0000U) | \ - ( row3 & 0xFF00FF00U); \ - tk[1] = ((row2 >> 16) & 0x000000FFU) | \ - (row2 & 0xFF000000U) | \ - ((row3 << 8) & 0x0000FF00U) | \ - ( row3 & 0x00FF0000U); \ - } while (0) - -#define skinny128_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint32_t row0 = tk[0]; \ - uint32_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 >> 16) & 0x000000FFU) | \ - ((row0 << 8) & 0x0000FF00U) | \ - ((row1 << 16) & 0x00FF0000U) | \ - ( row1 & 0xFF000000U); \ - tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ - ((row0 << 16) & 0xFF000000U) | \ - ((row1 >> 16) & 0x000000FFU) | \ - ((row1 << 8) & 0x00FF0000U); \ - } while (0) - -/* - * Apply the SKINNY sbox. 
The original version from the specification is - * equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE(x) - * ((((x) & 0x01010101U) << 2) | - * (((x) & 0x06060606U) << 5) | - * (((x) & 0x20202020U) >> 5) | - * (((x) & 0xC8C8C8C8U) >> 2) | - * (((x) & 0x10101010U) >> 1)) - * - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * return SBOX_SWAP(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ - y = (((x >> 5) & (x << 1)) & 0x04040404U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ - x = ((x & 0x08080808U) << 1) | \ - ((x & 0x32323232U) << 2) | \ - ((x & 0x01010101U) << 5) | \ - ((x & 0x80808080U) >> 6) | \ - ((x & 0x40404040U) >> 4) | \ - ((x & 0x04040404U) >> 2); \ -} while (0) - -/* - * Apply the inverse of the SKINNY sbox. 
The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE_INV(x) - * ((((x) & 0x08080808U) << 1) | - * (((x) & 0x32323232U) << 2) | - * (((x) & 0x01010101U) << 5) | - * (((x) & 0xC0C0C0C0U) >> 5) | - * (((x) & 0x04040404U) >> 2)) - * - * x = SBOX_SWAP(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_inv_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ - x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ - y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ - x = ((x & 0x01010101U) << 2) | \ - ((x & 0x04040404U) << 4) | \ - ((x & 0x02020202U) << 6) | \ - ((x & 0x20202020U) >> 5) | \ - ((x & 0xC8C8C8C8U) >> 2) | \ - ((x & 0x10101010U) >> 1); \ -} while (0) - -/* Utilities for implementing SKINNY-64 */ - -#define skinny64_LFSR2(x) \ - do { \ - uint16_t _x = (x); \ - (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ - } while (0) - -#define skinny64_LFSR3(x) \ - do { \ - uint16_t _x = (x); 
\ - (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) -#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) - -#define skinny64_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint16_t row2 = tk[2]; \ - uint16_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 8) | (row3 >> 8); \ - tk[0] = ((row2 << 4) & 0xF000U) | \ - ((row2 >> 8) & 0x00F0U) | \ - ( row3 & 0x0F0FU); \ - tk[1] = ((row2 << 8) & 0xF000U) | \ - ((row3 >> 4) & 0x0F00U) | \ - ( row3 & 0x00F0U) | \ - ( row2 & 0x000FU); \ - } while (0) - -#define skinny64_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint16_t row0 = tk[0]; \ - uint16_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 << 8) & 0xF000U) | \ - ((row0 >> 4) & 0x0F00U) | \ - ((row1 >> 8) & 0x00F0U) | \ - ( row1 & 0x000FU); \ - tk[3] = ((row1 << 8) & 0xF000U) | \ - ((row0 << 8) & 0x0F00U) | \ - ((row1 >> 4) & 0x00F0U) | \ - ((row0 >> 8) & 0x000FU); \ - } while (0) - -/* - * Apply the SKINNY-64 sbox. The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT(x) - * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_SHIFT steps to be performed with one final rotation. - * This reduces the number of required shift operations from 14 to 10. 
- * - * We can further reduce the number of NOT operations from 4 to 2 - * using the technique from https://github.com/kste/skinny_avx to - * convert NOR-XOR operations into AND-XOR operations by converting - * the S-box into its NOT-inverse. - */ -#define skinny64_sbox(x) \ -do { \ - x = ~x; \ - x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ - x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ - x = ~x; \ - x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ -} while (0) - -/* - * Apply the inverse of the SKINNY-64 sbox. The original version - * from the specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT_INV(x) - * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * return SBOX_MIX(x); - */ -#define skinny64_inv_sbox(x) \ -do { \ - x = ~x; \ - x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ - x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ - x = ~x; \ - x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ -} while (0) - -/** @endcond */ - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-util.h b/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/romulus.c b/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/romulus.c deleted file mode 100644 index bb19cc5..0000000 --- a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/romulus.c +++ /dev/null 
@@ -1,1974 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "romulus.h" -#include "internal-skinny128.h" -#include "internal-util.h" -#include - -aead_cipher_t const romulus_n1_cipher = { - "Romulus-N1", - ROMULUS_KEY_SIZE, - ROMULUS1_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_n1_aead_encrypt, - romulus_n1_aead_decrypt -}; - -aead_cipher_t const romulus_n2_cipher = { - "Romulus-N2", - ROMULUS_KEY_SIZE, - ROMULUS2_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_n2_aead_encrypt, - romulus_n2_aead_decrypt -}; - -aead_cipher_t const romulus_n3_cipher = { - "Romulus-N3", - ROMULUS_KEY_SIZE, - ROMULUS3_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_n3_aead_encrypt, - romulus_n3_aead_decrypt -}; - -aead_cipher_t const romulus_m1_cipher = { - "Romulus-M1", - ROMULUS_KEY_SIZE, - ROMULUS1_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_m1_aead_encrypt, - romulus_m1_aead_decrypt -}; - -aead_cipher_t const romulus_m2_cipher = { - "Romulus-M2", - ROMULUS_KEY_SIZE, - ROMULUS2_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_m2_aead_encrypt, - romulus_m2_aead_decrypt -}; - -aead_cipher_t const romulus_m3_cipher = { - "Romulus-M3", - ROMULUS_KEY_SIZE, - ROMULUS3_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_m3_aead_encrypt, - romulus_m3_aead_decrypt -}; - -/** - * \brief Limit on the number of bytes of message or associated data (128Mb). - * - * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for - * payloads well into the petabyte range. It is unlikely that an embedded - * device will have that much memory to store a contiguous packet! - * - * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper - * 24 bits are difficult to modify in the key schedule. So we only - * update the low 24 bits and leave the high 24 bits fixed. - * - * Romulus-N3 and Romulus-M3 use a 24-bit block counter. 
- * - * For all algorithms, we limit the block counter to 2^23 so that the block - * counter can never exceed 2^24 - 1. - */ -#define ROMULUS_DATA_LIMIT \ - ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE)) - -/** - * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1. - * - * \param ks Points to the key schedule to initialize. - * \param k Points to the 16 bytes of the key. - * \param npub Points to the 16 bytes of the nonce. May be NULL - * if the nonce will be updated on the fly. - */ -static void romulus1_init - (skinny_128_384_key_schedule_t *ks, - const unsigned char *k, const unsigned char *npub) -{ - unsigned char TK[48]; - TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */ - memset(TK + 1, 0, 15); - if (npub) - memcpy(TK + 16, npub, 16); - else - memset(TK + 16, 0, 16); - memcpy(TK + 32, k, 16); - skinny_128_384_init(ks, TK); -} - -/** - * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2. - * - * \param ks Points to the key schedule to initialize. - * \param k Points to the 16 bytes of the key. - * \param npub Points to the 12 bytes of the nonce. May be NULL - * if the nonce will be updated on the fly. - */ -static void romulus2_init - (skinny_128_384_key_schedule_t *ks, - const unsigned char *k, const unsigned char *npub) -{ - unsigned char TK[48]; - TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ - if (npub) { - TK[1] = TK[2] = TK[3] = 0; - memcpy(TK + 4, npub, 12); - } else { - memset(TK + 1, 0, 15); - } - memcpy(TK + 16, k, 16); - TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ - memset(TK + 33, 0, 15); - skinny_128_384_init(ks, TK); -} - -/** - * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3. - * - * \param ks Points to the key schedule to initialize. - * \param k Points to the 16 bytes of the key. - * \param npub Points to the 12 bytes of the nonce. May be NULL - * if the nonce will be updated on the fly. 
- */ -static void romulus3_init - (skinny_128_256_key_schedule_t *ks, - const unsigned char *k, const unsigned char *npub) -{ - unsigned char TK[32]; - TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */ - if (npub) { - TK[1] = TK[2] = TK[3] = 0; - memcpy(TK + 4, npub, 12); - } else { - memset(TK + 1, 0, 15); - } - memcpy(TK + 16, k, 16); - skinny_128_256_init(ks, TK); -} - -/** - * \brief Sets the domain separation value for Romulus-N1 and M1. - * - * \param ks The key schedule to set the domain separation value into. - * \param domain The domain separation value. - */ -#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain)) - -/** - * \brief Sets the domain separation value for Romulus-N2 and M2. - * - * \param ks The key schedule to set the domain separation value into. - * \param domain The domain separation value. - */ -#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) - -/** - * \brief Sets the domain separation value for Romulus-N3 and M3. - * - * \param ks The key schedule to set the domain separation value into. - * \param domain The domain separation value. - */ -#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) - -/** - * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1. - * - * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. - */ -STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16]) -{ - uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7); - TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7); - TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7); - TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7); - TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7); - TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); - TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); - TK1[0] = (TK1[0] << 1) ^ (mask & 0x95); -} - -/** - * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2. - * - * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. 
- * - * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of - * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT. - */ -STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16]) -{ - uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7); - TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); - TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); - TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B); -} - -/** - * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3. - * - * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. - */ -#define romulus3_update_counter(TK1) romulus2_update_counter((TK1)) - -/** - * \brief Process the asssociated data for Romulus-N1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - */ -static void romulus_n1_process_ad - (skinny_128_384_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char temp; - - /* Handle the special case of no associated data */ - if (adlen == 0) { - romulus1_update_counter(ks->TK1); - romulus1_set_domain(ks, 0x1A); - skinny_128_384_encrypt_tk2(ks, S, S, npub); - return; - } - - /* Process all double blocks except the last */ - romulus1_set_domain(ks, 0x08); - while (adlen > 32) { - romulus1_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); - romulus1_update_counter(ks->TK1); - ad += 32; - adlen -= 32; - } - - /* Pad and process the left-over blocks */ - romulus1_update_counter(ks->TK1); - temp = (unsigned)adlen; - if (temp == 32) { - /* Left-over complete double block */ - lw_xor_block(S, ad, 16); - skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); - romulus1_update_counter(ks->TK1); - romulus1_set_domain(ks, 0x18); - } else if (temp > 16) { - /* Left-over partial double 
block */ - unsigned char pad[16]; - temp -= 16; - lw_xor_block(S, ad, 16); - memcpy(pad, ad + 16, temp); - memset(pad + temp, 0, 15 - temp); - pad[15] = temp; - skinny_128_384_encrypt_tk2(ks, S, S, pad); - romulus1_update_counter(ks->TK1); - romulus1_set_domain(ks, 0x1A); - } else if (temp == 16) { - /* Left-over complete single block */ - lw_xor_block(S, ad, temp); - romulus1_set_domain(ks, 0x18); - } else { - /* Left-over partial single block */ - lw_xor_block(S, ad, temp); - S[15] ^= temp; - romulus1_set_domain(ks, 0x1A); - } - skinny_128_384_encrypt_tk2(ks, S, S, npub); -} - -/** - * \brief Process the asssociated data for Romulus-N2. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - */ -static void romulus_n2_process_ad - (skinny_128_384_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char temp; - - /* Handle the special case of no associated data */ - if (adlen == 0) { - romulus2_update_counter(ks->TK1); - romulus2_set_domain(ks, 0x5A); - memcpy(ks->TK1 + 4, npub, 12); - skinny_128_384_encrypt(ks, S, S); - return; - } - - /* Process all double blocks except the last */ - romulus2_set_domain(ks, 0x48); - while (adlen > 28) { - romulus2_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - ad += 28; - adlen -= 28; - } - - /* Pad and process the left-over blocks */ - romulus2_update_counter(ks->TK1); - temp = (unsigned)adlen; - if (temp == 28) { - /* Left-over complete double block */ - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - romulus2_set_domain(ks, 0x58); - } else if (temp > 16) { - /* Left-over 
partial double block */ - temp -= 16; - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp); - ks->TK1[15] = temp; - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - romulus2_set_domain(ks, 0x5A); - } else if (temp == 16) { - /* Left-over complete single block */ - lw_xor_block(S, ad, temp); - romulus2_set_domain(ks, 0x58); - } else { - /* Left-over partial single block */ - lw_xor_block(S, ad, temp); - S[15] ^= temp; - romulus2_set_domain(ks, 0x5A); - } - memcpy(ks->TK1 + 4, npub, 12); - skinny_128_384_encrypt(ks, S, S); -} - -/** - * \brief Process the asssociated data for Romulus-N3. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - */ -static void romulus_n3_process_ad - (skinny_128_256_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char temp; - - /* Handle the special case of no associated data */ - if (adlen == 0) { - romulus3_update_counter(ks->TK1); - romulus3_set_domain(ks, 0x9A); - memcpy(ks->TK1 + 4, npub, 12); - skinny_128_256_encrypt(ks, S, S); - return; - } - - /* Process all double blocks except the last */ - romulus3_set_domain(ks, 0x88); - while (adlen > 28) { - romulus3_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - ad += 28; - adlen -= 28; - } - - /* Pad and process the left-over blocks */ - romulus3_update_counter(ks->TK1); - temp = (unsigned)adlen; - if (temp == 28) { - /* Left-over complete double block */ - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - romulus3_set_domain(ks, 0x98); - } else if (temp > 
16) { - /* Left-over partial double block */ - temp -= 16; - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp); - ks->TK1[15] = temp; - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - romulus3_set_domain(ks, 0x9A); - } else if (temp == 16) { - /* Left-over complete single block */ - lw_xor_block(S, ad, temp); - romulus3_set_domain(ks, 0x98); - } else { - /* Left-over partial single block */ - lw_xor_block(S, ad, temp); - S[15] ^= temp; - romulus3_set_domain(ks, 0x9A); - } - memcpy(ks->TK1 + 4, npub, 12); - skinny_128_256_encrypt(ks, S, S); -} - -/** - * \brief Determine the domain separation value to use on the last - * block of the associated data processing. - * - * \param adlen Length of the associated data in bytes. - * \param mlen Length of the message in bytes. - * \param t Size of the second half of a double block; 12 or 16. - * - * \return The domain separation bits to use to finalize the last block. - */ -static uint8_t romulus_m_final_ad_domain - (unsigned long long adlen, unsigned long long mlen, unsigned t) -{ - uint8_t domain = 0; - unsigned split = 16U; - unsigned leftover; - - /* Determine which domain bits we need based on the length of the ad */ - if (adlen == 0) { - /* No associated data, so only 1 block with padding */ - domain ^= 0x02; - split = t; - } else { - /* Even or odd associated data length? 
*/ - leftover = (unsigned)(adlen % (16U + t)); - if (leftover == 0) { - /* Even with a full double block at the end */ - domain ^= 0x08; - } else if (leftover < split) { - /* Odd with a partial single block at the end */ - domain ^= 0x02; - split = t; - } else if (leftover > split) { - /* Even with a partial double block at the end */ - domain ^= 0x0A; - } else { - /* Odd with a full single block at the end */ - split = t; - } - } - - /* Determine which domain bits we need based on the length of the message */ - if (mlen == 0) { - /* No message, so only 1 block with padding */ - domain ^= 0x01; - } else { - /* Even or odd message length? */ - leftover = (unsigned)(mlen % (16U + t)); - if (leftover == 0) { - /* Even with a full double block at the end */ - domain ^= 0x04; - } else if (leftover < split) { - /* Odd with a partial single block at the end */ - domain ^= 0x01; - } else if (leftover > split) { - /* Even with a partial double block at the end */ - domain ^= 0x05; - } - } - return domain; -} - -/** - * \brief Process the asssociated data for Romulus-M1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - * \param m Points to the message plaintext. - * \param mlen Length of the message plaintext. 
- */ -static void romulus_m1_process_ad - (skinny_128_384_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *m, unsigned long long mlen) -{ - unsigned char pad[16]; - uint8_t final_domain = 0x30; - unsigned temp; - - /* Determine the domain separator to use on the final block */ - final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16); - - /* Process all associated data double blocks except the last */ - romulus1_set_domain(ks, 0x28); - while (adlen > 32) { - romulus1_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); - romulus1_update_counter(ks->TK1); - ad += 32; - adlen -= 32; - } - - /* Process the last associated data double block */ - temp = (unsigned)adlen; - if (temp == 32) { - /* Last associated data double block is full */ - romulus1_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); - romulus1_update_counter(ks->TK1); - } else if (temp > 16) { - /* Last associated data double block is partial */ - temp -= 16; - romulus1_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(pad, ad + 16, temp); - memset(pad + temp, 0, sizeof(pad) - temp - 1); - pad[sizeof(pad) - 1] = (unsigned char)temp; - skinny_128_384_encrypt_tk2(ks, S, S, pad); - romulus1_update_counter(ks->TK1); - } else { - /* Last associated data block is single. 
Needs to be combined - * with the first block of the message payload */ - romulus1_set_domain(ks, 0x2C); - romulus1_update_counter(ks->TK1); - if (temp == 16) { - lw_xor_block(S, ad, 16); - } else { - lw_xor_block(S, ad, temp); - S[15] ^= (unsigned char)temp; - } - if (mlen > 16) { - skinny_128_384_encrypt_tk2(ks, S, S, m); - romulus1_update_counter(ks->TK1); - m += 16; - mlen -= 16; - } else if (mlen == 16) { - skinny_128_384_encrypt_tk2(ks, S, S, m); - m += 16; - mlen -= 16; - } else { - temp = (unsigned)mlen; - memcpy(pad, m, temp); - memset(pad + temp, 0, sizeof(pad) - temp - 1); - pad[sizeof(pad) - 1] = (unsigned char)temp; - skinny_128_384_encrypt_tk2(ks, S, S, pad); - mlen = 0; - } - } - - /* Process all message double blocks except the last */ - romulus1_set_domain(ks, 0x2C); - while (mlen > 32) { - romulus1_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - skinny_128_384_encrypt_tk2(ks, S, S, m + 16); - romulus1_update_counter(ks->TK1); - m += 32; - mlen -= 32; - } - - /* Process the last message double block */ - temp = (unsigned)mlen; - if (temp == 32) { - /* Last message double block is full */ - romulus1_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - skinny_128_384_encrypt_tk2(ks, S, S, m + 16); - } else if (temp > 16) { - /* Last message double block is partial */ - temp -= 16; - romulus1_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(pad, m + 16, temp); - memset(pad + temp, 0, sizeof(pad) - temp - 1); - pad[sizeof(pad) - 1] = (unsigned char)temp; - skinny_128_384_encrypt_tk2(ks, S, S, pad); - } else if (temp == 16) { - /* Last message single block is full */ - lw_xor_block(S, m, 16); - } else if (temp > 0) { - /* Last message single block is partial */ - lw_xor_block(S, m, temp); - S[15] ^= (unsigned char)temp; - } - - /* Process the last partial block */ - romulus1_set_domain(ks, final_domain); - romulus1_update_counter(ks->TK1); - skinny_128_384_encrypt_tk2(ks, S, S, npub); -} - -/** - * \brief Process the asssociated data for 
Romulus-M2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- * \param m Points to the message plaintext.
- * \param mlen Length of the message plaintext.
- */
-static void romulus_m2_process_ad
- (skinny_128_384_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *m, unsigned long long mlen)
-{
- uint8_t final_domain = 0x70;
- unsigned temp;
-
- /* Determine the domain separator to use on the final block */
- final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12);
-
- /* Process all associated data double blocks except the last */
- romulus2_set_domain(ks, 0x68);
- while (adlen > 28) {
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Process the last associated data double block */
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Last associated data double block is full */
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- } else if (temp > 16) {
- /* Last associated data double block is partial */
- temp -= 16;
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- } else {
- /* Last associated data block is single.
Needs to be combined
- * with the first block of the message payload */
- romulus2_set_domain(ks, 0x6C);
- romulus2_update_counter(ks->TK1);
- if (temp == 16) {
- lw_xor_block(S, ad, 16);
- } else {
- lw_xor_block(S, ad, temp);
- S[15] ^= (unsigned char)temp;
- }
- if (mlen > 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- m += 12;
- mlen -= 12;
- } else if (mlen == 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_384_encrypt(ks, S, S);
- m += 12;
- mlen -= 12;
- } else {
- temp = (unsigned)mlen;
- memcpy(ks->TK1 + 4, m, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_384_encrypt(ks, S, S);
- mlen = 0;
- }
- }
-
- /* Process all message double blocks except the last */
- romulus2_set_domain(ks, 0x6C);
- while (mlen > 28) {
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- m += 28;
- mlen -= 28;
- }
-
- /* Process the last message double block */
- temp = (unsigned)mlen;
- if (temp == 28) {
- /* Last message double block is full */
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- } else if (temp > 16) {
- /* Last message double block is partial */
- temp -= 16;
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_384_encrypt(ks, S, S);
- } else if (temp == 16) {
- /* Last message single block is full */
- lw_xor_block(S, m, 16);
- } else if (temp > 0) {
- /* Last message single block is partial */
- lw_xor_block(S, m, temp);
- S[15] ^= (unsigned char)temp;
- }
-
- /* Process the last partial block */
- romulus2_set_domain(ks, final_domain);
- romulus2_update_counter(ks->TK1);
- memcpy(ks->TK1 + 4, npub,
12);
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Process the asssociated data for Romulus-M3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- * \param m Points to the message plaintext.
- * \param mlen Length of the message plaintext.
- */
-static void romulus_m3_process_ad
- (skinny_128_256_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *m, unsigned long long mlen)
-{
- uint8_t final_domain = 0xB0;
- unsigned temp;
-
- /* Determine the domain separator to use on the final block */
- final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12);
-
- /* Process all associated data double blocks except the last */
- romulus3_set_domain(ks, 0xA8);
- while (adlen > 28) {
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Process the last associated data double block */
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Last associated data double block is full */
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- } else if (temp > 16) {
- /* Last associated data double block is partial */
- temp -= 16;
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- } else {
- /* Last associated data block is single.
Needs to be combined
- * with the first block of the message payload */
- romulus3_set_domain(ks, 0xAC);
- romulus3_update_counter(ks->TK1);
- if (temp == 16) {
- lw_xor_block(S, ad, 16);
- } else {
- lw_xor_block(S, ad, temp);
- S[15] ^= (unsigned char)temp;
- }
- if (mlen > 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- m += 12;
- mlen -= 12;
- } else if (mlen == 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_256_encrypt(ks, S, S);
- m += 12;
- mlen -= 12;
- } else {
- temp = (unsigned)mlen;
- memcpy(ks->TK1 + 4, m, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_256_encrypt(ks, S, S);
- mlen = 0;
- }
- }
-
- /* Process all message double blocks except the last */
- romulus3_set_domain(ks, 0xAC);
- while (mlen > 28) {
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- m += 28;
- mlen -= 28;
- }
-
- /* Process the last message double block */
- temp = (unsigned)mlen;
- if (temp == 28) {
- /* Last message double block is full */
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- } else if (temp > 16) {
- /* Last message double block is partial */
- temp -= 16;
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_256_encrypt(ks, S, S);
- } else if (temp == 16) {
- /* Last message single block is full */
- lw_xor_block(S, m, 16);
- } else if (temp > 0) {
- /* Last message single block is partial */
- lw_xor_block(S, m, temp);
- S[15] ^= (unsigned char)temp;
- }
-
- /* Process the last partial block */
- romulus3_set_domain(ks, final_domain);
- romulus3_update_counter(ks->TK1);
- memcpy(ks->TK1 + 4, npub,
12);
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Applies the Romulus rho function.
- *
- * \param S The rolling Romulus state.
- * \param C Ciphertext message output block.
- * \param M Plaintext message input block.
- */
-STATIC_INLINE void romulus_rho
- (unsigned char S[16], unsigned char C[16], const unsigned char M[16])
-{
- unsigned index;
- for (index = 0; index < 16; ++index) {
- unsigned char s = S[index];
- unsigned char m = M[index];
- S[index] ^= m;
- C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- }
-}
-
-/**
- * \brief Applies the inverse of the Romulus rho function.
- *
- * \param S The rolling Romulus state.
- * \param M Plaintext message output block.
- * \param C Ciphertext message input block.
- */
-STATIC_INLINE void romulus_rho_inverse
- (unsigned char S[16], unsigned char M[16], const unsigned char C[16])
-{
- unsigned index;
- for (index = 0; index < 16; ++index) {
- unsigned char s = S[index];
- unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- S[index] ^= m;
- M[index] = m;
- }
-}
-
-/**
- * \brief Applies the Romulus rho function to a short block.
- *
- * \param S The rolling Romulus state.
- * \param C Ciphertext message output block.
- * \param M Plaintext message input block.
- * \param len Length of the short block, must be less than 16.
- */
-STATIC_INLINE void romulus_rho_short
- (unsigned char S[16], unsigned char C[16],
- const unsigned char M[16], unsigned len)
-{
- unsigned index;
- for (index = 0; index < len; ++index) {
- unsigned char s = S[index];
- unsigned char m = M[index];
- S[index] ^= m;
- C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- }
- S[15] ^= (unsigned char)len; /* Padding */
-}
-
-/**
- * \brief Applies the inverse of the Romulus rho function to a short block.
- *
- * \param S The rolling Romulus state.
- * \param M Plaintext message output block.
- * \param C Ciphertext message input block.
- * \param len Length of the short block, must be less than 16.
- */
-STATIC_INLINE void romulus_rho_inverse_short
- (unsigned char S[16], unsigned char M[16],
- const unsigned char C[16], unsigned len)
-{
- unsigned index;
- for (index = 0; index < len; ++index) {
- unsigned char s = S[index];
- unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- S[index] ^= m;
- M[index] = m;
- }
- S[15] ^= (unsigned char)len; /* Padding */
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-N1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n1_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no plaintext */
- if (mlen == 0) {
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x15);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus1_set_domain(ks, 0x04);
- while (mlen > 16) {
- romulus_rho(S, c, m);
- romulus1_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus1_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_short(S, c, m, temp);
- romulus1_set_domain(ks, 0x15);
- } else {
- romulus_rho(S, c, m);
- romulus1_set_domain(ks, 0x14);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-N1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n1_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no ciphertext */
- if (mlen == 0) {
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x15);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus1_set_domain(ks, 0x04);
- while (mlen > 16) {
- romulus_rho_inverse(S, m, c);
- romulus1_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus1_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_inverse_short(S, m, c, temp);
- romulus1_set_domain(ks, 0x15);
- } else {
- romulus_rho_inverse(S, m, c);
- romulus1_set_domain(ks, 0x14);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-N2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n2_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no plaintext */
- if (mlen == 0) {
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x55);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus2_set_domain(ks, 0x44);
- while (mlen > 16) {
- romulus_rho(S, c, m);
- romulus2_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus2_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_short(S, c, m, temp);
- romulus2_set_domain(ks, 0x55);
- } else {
- romulus_rho(S, c, m);
- romulus2_set_domain(ks, 0x54);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-N2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n2_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no ciphertext */
- if (mlen == 0) {
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x55);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus2_set_domain(ks, 0x44);
- while (mlen > 16) {
- romulus_rho_inverse(S, m, c);
- romulus2_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus2_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_inverse_short(S, m, c, temp);
- romulus2_set_domain(ks, 0x55);
- } else {
- romulus_rho_inverse(S, m, c);
- romulus2_set_domain(ks, 0x54);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-N3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n3_encrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no plaintext */
- if (mlen == 0) {
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x95);
- skinny_128_256_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus3_set_domain(ks, 0x84);
- while (mlen > 16) {
- romulus_rho(S, c, m);
- romulus3_update_counter(ks->TK1);
- skinny_128_256_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus3_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_short(S, c, m, temp);
- romulus3_set_domain(ks, 0x95);
- } else {
- romulus_rho(S, c, m);
- romulus3_set_domain(ks, 0x94);
- }
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-N3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n3_decrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no ciphertext */
- if (mlen == 0) {
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x95);
- skinny_128_256_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus3_set_domain(ks, 0x84);
- while (mlen > 16) {
- romulus_rho_inverse(S, m, c);
- romulus3_update_counter(ks->TK1);
- skinny_128_256_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus3_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_inverse_short(S, m, c, temp);
- romulus3_set_domain(ks, 0x95);
- } else {
- romulus_rho_inverse(S, m, c);
- romulus3_set_domain(ks, 0x94);
- }
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-M1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m1_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus1_set_domain(ks, 0x24);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho(S, c, m);
- romulus1_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_short(S, c, m, (unsigned)mlen);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-M1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m1_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus1_set_domain(ks, 0x24);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse(S, m, c);
- romulus1_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-M2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m2_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus2_set_domain(ks, 0x64);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho(S, c, m);
- romulus2_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_short(S, c, m, (unsigned)mlen);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-M2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m2_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus2_set_domain(ks, 0x64);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse(S, m, c);
- romulus2_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-M3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m3_encrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus3_set_domain(ks, 0xA4);
- while (mlen > 16) {
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho(S, c, m);
- romulus3_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho_short(S, c, m, (unsigned)mlen);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-M3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m3_decrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus3_set_domain(ks, 0xA4);
- while (mlen > 16) {
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho_inverse(S, m, c);
- romulus3_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
-}
-
-/**
- * \brief Generates the authentication tag from the rolling Romulus state.
- *
- * \param T Buffer to receive the generated tag; can be the same as S.
- * \param S The rolling Romulus state.
- */
-STATIC_INLINE void romulus_generate_tag
- (unsigned char T[16], const unsigned char S[16])
-{
- unsigned index;
- for (index = 0; index < 16; ++index) {
- unsigned char s = S[index];
- T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7);
- }
-}
-
-int romulus_n1_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n1_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Encrypts the plaintext to produce the ciphertext */
- romulus_n1_encrypt(&ks, S, c, m, mlen);
-
- /* Generate the authentication tag */
- romulus_generate_tag(c + mlen, S);
- return 0;
-}
-
-int romulus_n1_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n1_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= ROMULUS_TAG_SIZE;
- romulus_n1_decrypt(&ks, S, m, c, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_n2_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n2_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Encrypts the plaintext to produce the ciphertext */
- romulus_n2_encrypt(&ks, S, c, m, mlen);
-
- /* Generate the authentication tag */
- romulus_generate_tag(c + mlen, S);
- return 0;
-}
-
-int romulus_n2_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n2_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= ROMULUS_TAG_SIZE;
- romulus_n2_decrypt(&ks, S, m, c, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_n3_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n3_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Encrypts the plaintext to produce the ciphertext */
- romulus_n3_encrypt(&ks, S, c, m, mlen);
-
- /* Generate the authentication tag */
- romulus_generate_tag(c + mlen, S);
- return 0;
-}
-
-int romulus_n3_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n3_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= ROMULUS_TAG_SIZE;
- romulus_n3_decrypt(&ks, S, m, c, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_m1_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data and the plaintext message */
- memset(S, 0, sizeof(S));
- romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen);
-
- /* Generate the authentication tag, which is also the initialization
- * vector for the encryption portion of the packet processing */
- romulus_generate_tag(S, S);
- memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Encrypt the plaintext to produce the ciphertext */
- romulus_m1_encrypt(&ks, S, c, m, mlen);
- return 0;
-}
-
-int romulus_m1_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext, using the
- * authentication tag as the initialization vector for decryption */
- clen -= ROMULUS_TAG_SIZE;
- memcpy(S, c + clen, ROMULUS_TAG_SIZE);
- romulus_m1_decrypt(&ks, S, m, c, clen);
-
- /* Re-initialize the key schedule with the key and no nonce.
Associated - * data processing varies the nonce from block to block */ - romulus1_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} - -int romulus_m2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and no nonce. Associated - * data processing varies the nonce from block to block */ - romulus2_init(&ks, k, 0); - - /* Process the associated data and the plaintext message */ - memset(S, 0, sizeof(S)); - romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen); - - /* Generate the authentication tag, which is also the initialization - * vector for the encryption portion of the packet processing */ - romulus_generate_tag(S, S); - memcpy(c + mlen, S, ROMULUS_TAG_SIZE); - - /* Re-initialize the key schedule with the key and nonce */ - romulus2_init(&ks, k, npub); - - /* Encrypt the plaintext to produce the ciphertext */ - romulus_m2_encrypt(&ks, S, c, m, mlen); - return 0; -} - -int romulus_m2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - 
- /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and nonce */ - romulus2_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext, using the - * authentication tag as the initialization vector for decryption */ - clen -= ROMULUS_TAG_SIZE; - memcpy(S, c + clen, ROMULUS_TAG_SIZE); - romulus_m2_decrypt(&ks, S, m, c, clen); - - /* Re-initialize the key schedule with the key and no nonce. Associated - * data processing varies the nonce from block to block */ - romulus2_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} - -int romulus_m3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and nonce */ - romulus3_init(&ks, k, npub); - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus3_init(&ks, k, 0); - - /* Process the associated data and the plaintext message */ - memset(S, 0, sizeof(S)); - romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen); - - /* Generate the authentication tag, which is also the initialization - * vector for the encryption portion of the packet processing */ - romulus_generate_tag(S, S); - memcpy(c + mlen, S, ROMULUS_TAG_SIZE); - - /* Re-initialize the key schedule with the key and nonce */ - romulus3_init(&ks, k, npub); - - /* Encrypt the plaintext to produce the ciphertext */ - romulus_m3_encrypt(&ks, S, c, m, mlen); - return 0; -} - -int romulus_m3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and nonce */ - romulus3_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext, using the - * authentication tag as the initialization vector for decryption */ - clen -= ROMULUS_TAG_SIZE; - memcpy(S, c + clen, ROMULUS_TAG_SIZE); - romulus_m3_decrypt(&ks, S, m, c, clen); - - /* Re-initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus3_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} diff --git a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/romulus.h b/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/romulus.h deleted file mode 100644 index e6da29d..0000000 --- a/romulus/Implementations/crypto_aead/romulusm1v1/rhys-avr/romulus.h +++ /dev/null 
@@ -1,476 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_ROMULUS_H -#define LWCRYPTO_ROMULUS_H - -#include "aead-common.h" - -/** - * \file romulus.h - * \brief Romulus authenticated encryption algorithm family. - * - * Romulus is a family of authenticated encryption algorithms that - * are built around the SKINNY-128 tweakable block cipher. There - * are six members in the family: - * - * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. This is the - * primary member of the family. - * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-256 tweakable block cipher. 
- * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-256 tweakable block cipher. - * - * The Romulus-M variants are resistant to nonce reuse as long as the - * combination of the associated data and plaintext is unique. If the - * same associated data and plaintext are reused under the same nonce, - * then the scheme will leak that the same plaintext has been sent for a - * second time but will not reveal the plaintext itself. - * - * References: https://romulusae.github.io/romulus/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for all Romulus family members. - */ -#define ROMULUS_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for all Romulus family members. - */ -#define ROMULUS_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Romulus-N1 and Romulus-M1. - */ -#define ROMULUS1_NONCE_SIZE 16 - -/** - * \brief Size of the nonce for Romulus-N2 and Romulus-M2. - */ -#define ROMULUS2_NONCE_SIZE 12 - -/** - * \brief Size of the nonce for Romulus-N3 and Romulus-M3. - */ -#define ROMULUS3_NONCE_SIZE 12 - -/** - * \brief Meta-information block for the Romulus-N1 cipher. - */ -extern aead_cipher_t const romulus_n1_cipher; - -/** - * \brief Meta-information block for the Romulus-N2 cipher. - */ -extern aead_cipher_t const romulus_n2_cipher; - -/** - * \brief Meta-information block for the Romulus-N3 cipher. - */ -extern aead_cipher_t const romulus_n3_cipher; - -/** - * \brief Meta-information block for the Romulus-M1 cipher. - */ -extern aead_cipher_t const romulus_m1_cipher; - -/** - * \brief Meta-information block for the Romulus-M2 cipher. 
- */ -extern aead_cipher_t const romulus_m2_cipher; - -/** - * \brief Meta-information block for the Romulus-M3 cipher. - */ -extern aead_cipher_t const romulus_m3_cipher; - -/** - * \brief Encrypts and authenticates a packet with Romulus-N1. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n1_aead_decrypt() - */ -int romulus_n1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N1. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n1_aead_encrypt() - */ -int romulus_n1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-N2. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n2_aead_decrypt() - */ -int romulus_n2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N2. 
- * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n2_aead_encrypt() - */ -int romulus_n2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-N3. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. 
- * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n3_aead_decrypt() - */ -int romulus_n3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N3. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n3_aead_encrypt() - */ -int romulus_n3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M1. - * - * \param c Buffer to receive the output. 
- * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_m1_aead_decrypt() - */ -int romulus_m1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M1. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. 
- * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m1_aead_encrypt() - */ -int romulus_m1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M2. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_m2_aead_decrypt() - */ -int romulus_m2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M2. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. 
- * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m2_aead_encrypt() - */ -int romulus_m2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M3. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa romulus_m3_aead_decrypt() - */ -int romulus_m3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M3. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m3_aead_encrypt() - */ -int romulus_m3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-skinny128-avr.S b/romulus/Implementations/crypto_aead/romulusm2/rhys/internal-skinny128-avr.S similarity index 100% rename from romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-skinny128-avr.S rename to romulus/Implementations/crypto_aead/romulusm2/rhys/internal-skinny128-avr.S diff --git a/romulus/Implementations/crypto_aead/romulusm2/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusm2/rhys/internal-skinny128.c index 65ba4ed..579ced1 100644 --- a/romulus/Implementations/crypto_aead/romulusm2/rhys/internal-skinny128.c +++ b/romulus/Implementations/crypto_aead/romulusm2/rhys/internal-skinny128.c @@ -25,6 +25,8 @@ #include "internal-util.h" #include +#if !defined(__AVR__) + STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) { /* This function is used to fast-forward the TK1 tweak value 
@@ -55,42 +57,33 @@ STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) ((row3 << 24) & 0xFF000000U); } -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t TK3[4]; uint32_t *schedule; unsigned round; uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || (key_len != 32 && key_len != 48)) - return 0; - +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); + memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); +#else /* Set the initial states of TK1, TK2, and TK3 */ - if (key_len == 32) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - TK3[0] = le_load_word32(key + 16); - TK3[1] = le_load_word32(key + 20); - TK3[2] = le_load_word32(key + 24); - TK3[3] = le_load_word32(key + 28); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); /* Set up the key schedule using TK2 and TK3. TK1 is not added * to the key schedule because we will derive that part of the 
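Review bot: The rewritten skinny_128_384_init drops the `!ks || !key` and `key_len` checks and now unconditionally reads 48 bytes from `key`, so the former 32-byte form (which zeroed TK1) is gone and a caller still passing a 32-byte TK2||TK3 buffer will over-read by 16 bytes with no error return to catch it. That precondition should be stated where the old validation was, e.g. `/* key must point to 48 bytes laid out as TK1 || TK2 || TK3; no length or NULL check is performed here */`, and the header's Doxygen for this function (not in this hunk) should say the same and note that the function can no longer fail. The small-schedule branch also silently relies on `sizeof(ks->TK1)`, `sizeof(ks->TK2)` and `sizeof(ks->TK3)` each being 16 to line up with the `key + 16` / `key + 32` offsets; a one-line comment or a static assertion would make that coupling explicit.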
@@ -116,20 +109,7 @@ int skinny_128_384_init skinny128_LFSR3(TK3[0]); skinny128_LFSR3(TK3[1]); } - return 1; -} - -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_384_encrypt @@ -138,7 +118,13 @@ void skinny_128_384_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -148,14 +134,24 @@ void skinny_128_384_encrypt s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
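Review bot: The comment `/* Make a local copy of the tweakable part of the state */` in skinny_128_384_encrypt is now misleading under SKINNY_128_SMALL_SCHEDULE, because the block that follows also copies `ks->TK2` and `ks->TK3`, which hold key material rather than the tweak. Suggest `/* Make local copies of TK1 (the tweak) and, with SKINNY_128_SMALL_SCHEDULE, the TK2/TK3 key halves that are expanded on the fly */`. Separately, the removal of skinny_128_384_set_tweak in this hunk also removes the only place that checked the 16-byte tweak length, so callers presumably now write `ks->TK1` directly; that contract is worth a sentence on the key-schedule struct in the header, which is outside this hunk.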
@@ -163,8 +159,15 @@ void skinny_128_384_encrypt skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -185,6 +188,16 @@ void skinny_128_384_encrypt /* Permute TK1 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ @@ -200,7 +213,13 @@ void skinny_128_384_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0x15; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; 
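Review bot: The initial `uint8_t rc = 0x15;` in skinny_128_384_decrypt is an undocumented magic value whose correctness depends on the loop stepping the LFSR backwards once before the first use. By my count of the 6-bit SKINNY round-constant LFSR, 0x15 is the state after 57 forward steps, so one backward step yields 0x0A, the round-56 constant, which is what the first decryption round needs; that reasoning should be recorded next to the initializer, e.g. `uint8_t rc = 0x15; /* LFSR state after round 56; the loop steps it back before each use */`. Please confirm the value against the SKINNY constant table rather than trusting the count here. The corresponding encrypt-side `rc` variable starts at 0 and is stepped forward before use, so the two directions are consistent with each other.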
@@ -215,15 +234,47 @@ void skinny_128_384_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Permute TK1 to fast-forward it to the end of the key schedule */ skinny128_fast_forward_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_fast_forward_tk(TK2); + skinny128_fast_forward_tk(TK3); + for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2 and TK3. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + skinny128_LFSR3(TK3[2]); + skinny128_LFSR3(TK3[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_inv_permute_tk(TK3); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); + skinny128_LFSR2(TK3[2]); + skinny128_LFSR2(TK3[3]); +#endif /* Inverse mix of the columns */ temp = s3; 
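Review bot: The decryption loop applies `skinny128_LFSR3` to `TK2[2]`/`TK2[3]` and `skinny128_LFSR2` to `TK3[2]`/`TK3[3]`, the opposite of what the encrypt path does to each array, and without a comment this reads like a copy-paste error. As far as I recall the SKINNY specification, LFSR2 and LFSR3 are inverses of one another on 8-bit cells, which is what makes this correct; a comment such as `/* LFSR3 is the inverse of LFSR2 and vice versa, so swapping them undoes the forward key-schedule step */` would prevent the next reader from "fixing" it. The fast-forward loop `for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2)` also encodes the assumption that every cell is clocked exactly once per two rounds and that the round count is even; that deserves a sentence too. Minor style point: the `// Also fast-forward ...` comment uses `//` while the rest of this file uses `/* */`.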
@@ -240,8 +291,15 @@ void skinny_128_384_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ @@ -259,13 +317,18 @@ void skinny_128_384_decrypt } void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2) { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; uint32_t TK2[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -275,7 +338,7 @@ void skinny_128_384_encrypt_tk2 s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); @@ -284,9 +347,15 @@ void skinny_128_384_encrypt_tk2 TK2[1] = le_load_word32(tk2 + 4); TK2[2] = le_load_word32(tk2 + 8); TK2[3] = le_load_word32(tk2 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
@@ -294,8 +363,15 @@ void skinny_128_384_encrypt_tk2 skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -319,6 +395,13 @@ void skinny_128_384_encrypt_tk2 skinny128_permute_tk(TK2); skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK3); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -408,33 +491,27 @@ void skinny_128_384_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t *schedule; unsigned round; uint8_t rc; +#endif - /* Validate the parameters */ - if (!ks || !key || (key_len != 16 && key_len != 32)) - return 0; - +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); +#else /* Set the initial states of TK1 and TK2 */ - if (key_len == 16) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); /* Set up the key schedule using TK2. TK1 is not added * to the key schedule because we will derive that part of the @@ -457,20 +534,7 @@ int skinny_128_256_init skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); } - return 1; -} - -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_256_encrypt 
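Review bot: skinny_128_256_init now gates its four local declarations behind `#if !SKINNY_128_SMALL_SCHEDULE` and, a few lines later, its body behind a separate `#if SKINNY_128_SMALL_SCHEDULE … #else`, so a reader has to pair two opposite conditionals to see that the locals belong to the `#else` arm. Folding the declarations into that arm — `#if SKINNY_128_SMALL_SCHEDULE`, the two memcpy lines, `#else`, the declarations followed by the schedule loop, `#endif` — keeps each variant in one place, and the full-schedule arm could then use `sizeof(ks->TK1)` as the small arm already does instead of the bare `16`. The schedule loop continues into the next hunk (`@@ -457,20 +534,7 @@`).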
@@ -479,7 +543,12 @@ void skinny_128_256_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -494,18 +563,31 @@ void skinny_128_256_encrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); skinny128_sbox(s2); skinny128_sbox(s3); - /* Apply the subkey for this round */ + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -524,8 +606,15 @@ void skinny_128_256_encrypt s1 = s0; s0 = temp; - /* Permute TK1 for the next round */ + /* Permute TK1 and TK2 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -541,7 +630,12 @@ void skinny_128_256_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; @@ -558,12 +652,29 @@ void skinny_128_256_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif /* Inverse mix of the columns */ temp = s3; @@ -580,8 +691,15 @@ void skinny_128_256_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ 
@@ -670,142 +788,14 @@ void skinny_128_256_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len) -{ - uint32_t TK1[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || key_len != 16) - return 0; - - /* Set the initial state of TK1 */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); +#else /* __AVR__ */ - /* Set up the key schedule using TK1 */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. - * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK1[0] ^ (rc & 0x0F); - schedule[1] = TK1[1] ^ (rc >> 4); - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); - } - return 1; -} - -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) { - uint32_t s0, s1, s2, s3; - const uint32_t *schedule = ks->k; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; 
- s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); } -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - const uint32_t *schedule; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; - s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} +#endif /* __AVR__ */ 
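Review bot: The `__AVR__` build of skinny_128_384_encrypt_tk2 does `memcpy(ks->TK2, tk2, 16);` and leaves it there, so after the call the schedule's TK2 is the caller's tk2 rather than whatever skinny_128_384_init stored, whereas the C version (`@@ -259,13 +317,18 @@`) works on a local TK2 copy and leaves ks->TK2 untouched. A caller that mixes skinny_128_384_encrypt() and skinny_128_384_encrypt_tk2() on one schedule therefore gets platform-dependent results; either save the 16 bytes of ks->TK2 before the memcpy and copy them back after the encrypt call, or make the contract explicit. The header's new `\note` (`@@ -133,9 +131,12 @@` in internal-skinny128.h) only says the schedule "may" be modified; it should state that on the small-schedule builds ks->TK2 is left holding tk2 and that callers must not rely on the TK2 value set at init. This hunk opens at `@@ -670,142 +788,14 @@` on the previous line, and I am assuming the matching `#if !defined(__AVR__)` is opened earlier in the file.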
diff --git a/romulus/Implementations/crypto_aead/romulusm2/rhys/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusm2/rhys/internal-skinny128.h index 76b34f5..2bfda3c 100644 --- a/romulus/Implementations/crypto_aead/romulusm2/rhys/internal-skinny128.h +++ b/romulus/Implementations/crypto_aead/romulusm2/rhys/internal-skinny128.h @@ -39,6 +39,16 @@ extern "C" { #endif /** + * \def SKINNY_128_SMALL_SCHEDULE + * \brief Defined to 1 to use the small key schedule version of SKINNY-128. + */ +#if defined(__AVR__) +#define SKINNY_128_SMALL_SCHEDULE 1 +#else +#define SKINNY_128_SMALL_SCHEDULE 0 +#endif + +/** * \brief Size of a block for SKINNY-128 block ciphers. */ #define SKINNY_128_BLOCK_SIZE 16 @@ -56,8 +66,16 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; + + /** TK3 for the small key schedule */ + uint8_t TK3[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_384_ROUNDS * 2]; +#endif } skinny_128_384_key_schedule_t; 
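Review bot: `SKINNY_128_SMALL_SCHEDULE` in the `@@ -39,6 +39,16 @@` hunk is hard-wired to `defined(__AVR__)`, so the small-schedule arms added throughout internal-skinny128.c can only be compiled, and therefore only tested, with an AVR toolchain, and other constrained targets cannot opt in. Wrapping the definition in `#if !defined(SKINNY_128_SMALL_SCHEDULE)` … `#endif` lets a build define it on the command line, which also gives the host test suite a way to run both arms of every `#if SKINNY_128_SMALL_SCHEDULE` against the KAT files. The same applies to `LW_CRYPTO_ROTATE32_COMPOSED` in internal-util.h (`@@ -238,6 +238,17 @@`). The `\def` comment should mention the override once it exists.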
@@ -66,29 +84,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 32 or 48, - * where 32 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); /** * \brief Encrypts a 128-bit block with SKINNY-128-384. @@ -133,9 +131,12 @@ void skinny_128_384_decrypt * This version is useful when both TK1 and TK2 change from block to block. * When the key is initialized with skinny_128_384_init(), the TK2 part of * the key value should be set to zero. + * + * \note Some versions of this function may modify the key schedule to + * copy tk2 into place. */ void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2); /** @@ -170,8 +171,13 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_256_ROUNDS * 2]; +#endif } skinny_128_256_key_schedule_t; 
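Review bot: The surviving `\param key Points to the key data.` for skinny_128_384_init no longer says how the 48 bytes are laid out, now that the `key_len` text that distinguished the tweakable form is gone. The callers in romulus.c build the buffer as the counter/TK1 block first, then the nonce, then the key, and skinny_128_256_init copies `key` into TK1 and `key + 16` into TK2, so the layout appears to be TK1, TK2, TK3 in order; the doc should state it, e.g. `\param key Points to the 48 bytes of key data, laid out as TK1, TK2, TK3 (16 bytes each).` The skinny_128_256_init doc in `@@ -180,29 +186,9 @@` needs the corresponding 32-byte, TK1-then-TK2 wording.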
@@ -180,29 +186,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16 or 32, - * where 16 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); /** * \brief Encrypts a 128-bit block with SKINNY-128-256. 
@@ -251,63 +237,6 @@ void skinny_128_256_encrypt_tk_full (const unsigned char key[32], unsigned char *output, const unsigned char *input); -/** - * \brief Number of rounds for SKINNY-128-128. - */ -#define SKINNY_128_128_ROUNDS 40 - -/** - * \brief Structure of the key schedule for SKINNY-128-128. - */ -typedef struct -{ - /** Words of the key schedule */ - uint32_t k[SKINNY_128_128_ROUNDS * 2]; - -} skinny_128_128_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-128. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - #ifdef __cplusplus } #endif 
diff --git a/romulus/Implementations/crypto_aead/romulusm2/rhys/internal-util.h b/romulus/Implementations/crypto_aead/romulusm2/rhys/internal-util.h index e79158c..e30166d 100644 --- a/romulus/Implementations/crypto_aead/romulusm2/rhys/internal-util.h +++ b/romulus/Implementations/crypto_aead/romulusm2/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/romulus/Implementations/crypto_aead/romulusm2/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusm2/rhys/romulus.c index be1c0fa..bb19cc5 100644 --- a/romulus/Implementations/crypto_aead/romulusm2/rhys/romulus.c 
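Review bot: The `#else /* LW_CRYPTO_ROTATE32_COMPOSED */` arm redefines all 62 rotate macros by composing 1-, 8-, 16- and 24-bit rotations, and every one of those compositions is only ever compiled on AVR, where a wrong count surfaces as nothing more specific than a KAT mismatch. I checked the 31 left compositions and the `rightRotateN(a) (leftRotate(32-N)((a)))` table and they look right, but a host-side check that force-defines `LW_CRYPTO_ROTATE32_COMPOSED 1` and compares each `leftRotateN`/`rightRotateN` with the generic `leftRotate((a), N)`/`rightRotate((a), N)` on a few inputs would keep them that way. Since the generic rotates appear to be statement expressions that each declare `_temp`, the nested compositions shadow that name up to five deep and will likely trigger `-Wshadow`; harmless, but worth a comment on the `#else` line.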
+++ b/romulus/Implementations/crypto_aead/romulusm2/rhys/romulus.c @@ -116,14 +116,15 @@ static void romulus1_init (skinny_128_384_key_schedule_t *ks, const unsigned char *k, const unsigned char *npub) { - unsigned char TK[32]; + unsigned char TK[48]; + TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */ + memset(TK + 1, 0, 15); if (npub) - memcpy(TK, npub, 16); + memcpy(TK + 16, npub, 16); else - memset(TK, 0, 16); - memcpy(TK + 16, k, 16); - skinny_128_384_init(ks, TK, sizeof(TK)); - ks->TK1[0] = 0x01; /* Initialize the 56-bit LFSR counter */ + memset(TK + 16, 0, 16); + memcpy(TK + 32, k, 16); + skinny_128_384_init(ks, TK); } /** @@ -138,14 +139,18 @@ static void romulus2_init (skinny_128_384_key_schedule_t *ks, const unsigned char *k, const unsigned char *npub) { - unsigned char TK[32]; - memcpy(TK, k, 16); - memset(TK + 16, 0, 16); - TK[16] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ - skinny_128_384_init(ks, TK, sizeof(TK)); - ks->TK1[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ - if (npub) - memcpy(ks->TK1 + 4, npub, 12); + unsigned char TK[48]; + TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ + if (npub) { + TK[1] = TK[2] = TK[3] = 0; + memcpy(TK + 4, npub, 12); + } else { + memset(TK + 1, 0, 15); + } + memcpy(TK + 16, k, 16); + TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ + memset(TK + 33, 0, 15); + skinny_128_384_init(ks, TK); } /** @@ -160,10 +165,16 @@ static void romulus3_init (skinny_128_256_key_schedule_t *ks, const unsigned char *k, const unsigned char *npub) { - skinny_128_256_init(ks, k, 16); - ks->TK1[0] = 0x01; /* Initialize the 24-bit LFSR counter */ - if (npub) - memcpy(ks->TK1 + 4, npub, 12); + unsigned char TK[32]; + TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */ + if (npub) { + TK[1] = TK[2] = TK[3] = 0; + memcpy(TK + 4, npub, 12); + } else { + memset(TK + 1, 0, 15); + } + memcpy(TK + 16, k, 16); + skinny_128_256_init(ks, TK); } /** 
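Review bot: romulus1_init now assembles the full 48-byte tweakey, including the 16-byte key `k`, in the stack buffer `TK` and returns without clearing it, so a copy of the key outlives the call in dead stack; the previous 32-byte `TK` had the same exposure, but this change grows it and is the natural place to close it. A clear the compiler cannot drop as a dead store before the return — a volatile-pointer loop or the platform's explicit_bzero where available, matching whatever this codebase already uses for that purpose — placed after the `skinny_128_384_init(ks, TK);` call would do it. romulus2_init (`@@ -138,14 +139,18 @@`) and romulus3_init (`@@ -160,10 +165,16 @@`) have the same `memcpy(TK + 16, k, 16);` into an uncleared local.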
diff --git a/romulus/Implementations/crypto_aead/romulusm2v1/LWC_AEAD_KAT_128_96.txt b/romulus/Implementations/crypto_aead/romulusm2v1/LWC_AEAD_KAT_128_96.txt deleted file mode 100644 index a76f18a..0000000 --- a/romulus/Implementations/crypto_aead/romulusm2v1/LWC_AEAD_KAT_128_96.txt +++ /dev/null 
@@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = -CT = C90F619FF363B13D980EA3B28D620BAA - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00 -CT = 3A971D74FD7D8966300A5EC5C6A4443D - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001 -CT = 03D3D92EF92F2D640A4403D6818860E7 - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102 -CT = 318347822348F7DDAA2565A32F7ECF65 - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203 -CT = 691061001FD1BDC3484DD36C9CD05489 - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304 -CT = 2108DBAADB255728213C69F0332B8A89 - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405 -CT = 4970AC0B3B98F2A0C2C5349DC72069A5 - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506 -CT = 5AD88D12EB9E781798C3F690CA59004F - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304050607 -CT = ECB8878035AE951E50D4075DCF5322F5 - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708 -CT = F0705D93267C3A31DA5E1455BADAA9E3 - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506070809 -CT = BA412D9E8FADDE475EE50F7140B4F843 - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A -CT = AB8AB194023840ADEE7361E96F0A53EC - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B -CT = 83AC9930113086A8571359A409CB8EF8 - -Count = 14 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C -CT = 0E8892EAFF82194F6B785F1F748C9F3B - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D -CT = D58AA27FF4BC5617401BFC54F46E25CC - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E -CT = D47FC2FECD330EB9519C90C4CCC4812D - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = FD581C69F162D108C8E67F0B0433E80D - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B3DCE3FA402520C92F0D6CC4F0764262 - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 7AF4AC00266D4F0D763175698A48E8AD - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 604DAE08C1E382E495CFF1F148D952A1 - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 4A1339D6A88D492676D7BD400FDA35F5 - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 8E81C6F415F076CE79FDFAFAF6145A2E - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2E3A3671805CD343421E95B5FE3E2BCE - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = E5FB1B7FFF5354A016D998616B975123 - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 8472730C63B3C7C770E9290D4AB9B3EA - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A638452E5E87190570B756A14F6B9BB4 - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BB00D7FCFD54CA07940F45C926338E85 - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 22320A53DFE2502A0FCD6FF45AD81364 - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B442BD5667863F2568B9D3EC334158A1 - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B460B18EDA4D2756F527BE162CF1A6BA - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 51E8F720B9D27CE185637DA30DEF3557 - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = AE003733A8BE94A14E3C8D4BF8D1F0A8 - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 08F4551396C23AEC8CC154B0001B6497 - -Count = 34 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = -CT = 203F668C50FED0D8ADB163A6E686AFCBD4 - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00 -CT = 5043F7EA1C56BC0D23E9676D58E3D28730 - 
-Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001 -CT = CD0E9915B27A6E184ED2BD13D2D206E1C7 - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102 -CT = C7ED4BE3D6C49307681D6E45FA2CC8AB26 - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203 -CT = AB1940D5BC9EB9C25BF4A46AE95DF5C3C6 - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304 -CT = 49B92563A9A9DE25E57B82758B87006D36 - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405 -CT = E70FA64EEFC22DA92246D0F2932B081278 - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506 -CT = 686DCBCBB222EA7EFD9600057A1DC2415D - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304050607 -CT = D7B1ADCF336EE05F5053F70291DC404CAE - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708 -CT = CE4384BCBACE1B6F1AA458BC4F27772421 - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506070809 -CT = D6CBC8CB06C9806BAB250A82B54DB4C0CD - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A -CT = 941090A93CC99493D39C1C08558868E505 - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B -CT = 73DCA0EF238C65F1115811EE02765E9AB0 - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C -CT = F0799D1DFC63EBF0BD3DE15C2A7E6CFDE7 - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = 9F7DB492C3F393B9098E6D5438A689FEBC - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = 05B80037582902CBD6AA8AA151CAE666FD - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = 89ABF93A2F5C782C98260D340854DF5AF6 - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B77470491F183DF6372F4D8268C24F5231 - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 7D24FA2A748A122D22411D2AD5FF184F24 - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2C3CABD03C8C002481C4718F7952B9D209 - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 6C7FDA12A77D92C7CEF320A73BE4D60FA4 - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = EB614D7BAAB4159EB1801FDB0AA03E6981 - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 61E286FBC34372A609B660C40DA486EF5B - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2B412379419FEA937DAD9BAFC4FC10F75D - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 914A7D8B560CFD03E80D179FB40E30BB5F - -Count = 59 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 12908BC5B8817E733AAE435C66F029231F - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = D3ADEABAA26A3CF208B4BBBDE47E286046 - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2725409A7C796AEB74375ED0077DAA5F7E - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = F131C58A47218BB7E36A73BC7CAB3F2116 - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 39F0D9EEFAAD5EC8F475D7C856B0483675 - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 920CCCB809F35720166D7B0380EDD34DE7 - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = E99E7B55DA5377ADF3A8603289BAE8702B - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 32C330F88B418E1215FC60CC042E042D93 - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = -CT = C870D5AFEA02A98C3DF9CD425C560F87F489 - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00 -CT = 6F8F38A7CCF66BFBED3BEB0B81489E39BA94 - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 
0001 -CT = 6F577F79CED8A0F43AEAE141647DE364DB8B - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102 -CT = B8B27D101937CDCAD2043BF5F0A471D92B6C - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203 -CT = 0F778CC2BBC9F3E1D91FF6563EA397E7937A - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304 -CT = 010E1BC779120078E3CDC4581FC51CE5A401 - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405 -CT = 6FD6B26705D8FC2A9C0AD876C67623E93C30 - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506 -CT = 16E265EE7C6938A5EAEF5EA254EFC7475BD4 - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304050607 -CT = 7EB312B6E8B5D843BD3BEB5ACF99A86C65E9 - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708 -CT = 49B722EC0C6C68AD6D9640FF7FC8336D5C42 - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506070809 -CT = 9CB1BDC62460D9EFB65D97E34081C4CE45FA - -Count = 78 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A -CT = 43A5374D0CE5DB2B3F811E55340E499FB92F - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B -CT = 8F8506755C8E3A72BADCC1F53DBABFAA05C3 - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C -CT = 2171A1FC875F8F3AEFAB19CE0BC73BE0AB71 - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D 
-CT = 0C3C26F606C17AA66B08EC26BCE5857E6CF4 - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = D48D0E75E5EF1DEB04122A169CB783607607 - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = 11590B4787A695ED3B3E56E4C4EACB436C63 - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 201EDB0AE82B38AD26BE884E7E47BDE2595B - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 8279376F5626A231D7115A0E012E358A1451 - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = E93C95DA933692196A0E15251CE1DF054DA8 - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 8C0667AEE4AAE384B681ED1B55C25C63BE47 - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 150F17BCFBD0084773E24AA4B6E21FD91FB7 - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = E79D0D77A6A92083CF13B063C8692761C979 - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 38F62D10BB97EC5AD6B9D4EACAEA43D4E053 - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2938AF85EF14068FBA585B8A61EE1E92102B - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2E2C21E01EFABC158C396CCD280A5239B216 - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 9FE03B7440D5BA75566F8B814BE710765210 - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = F7C3F09DD62A9295300E4D2F9B62BF480517 - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 696F25612C61FD4F2C744ED4517C3410F20E - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 9BA8225FDD0D51BDC49F13DF6D592ED7A62F - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01D90BEC35AE4B58F482BCD1E562C588D6D0 - -Count = 98 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 6E893441E998D5F3270A6249B3AF6BD8F656 - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = F6369CDD6BC136B36BD395A3AA448671D5FD - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = -CT = F2201A53A00B281941FE24385DB76155668998 - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00 -CT = C704570442BA4E958440CD13974C3D86544BF7 - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD 
= 0001 -CT = 1AD5043D28BA6A8923254D390A5B6FA0CF9AD9 - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102 -CT = 5D35408BD39E801644B4F517D44CE0ED5088A9 - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203 -CT = 6F6BAA554E44C46E61B986EE2961C88FF8F070 - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304 -CT = E81A31CE8C65F1920FBCDF5C8D55A32DB6D48A - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405 -CT = CBE8243E96727232DBCBCDBFFCB9E6D8D50106 - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506 -CT = ECF527A6E98539C81339367EB467345CD000DB - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304050607 -CT = AE04D7A44398B4070A00355563CB417EF40248 - -Count = 109 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708 -CT = 3477D085E61CECBC7141E218FE4FD976CA6D98 - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506070809 -CT = F27824B1B85C0123FCD9FF9A9CF3D1DFCC0771 - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A -CT = BE36B261E5E4D9D347E2985F2C4DA29A54C0E2 - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B -CT = 19FD20FE5689A76764FEC25330B5FEF67BA72A - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C -CT = 5F811DCEA8CFA715C867AC5A5E5672EB40EDDB - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = EF765F95CCD9E1340D8A0EFC75E451533E7D6E - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = F7ACD5914E70EB68664D589B4C4E04EAC33E90 - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = 567F510D4970BF619478C6D5A6875FF37BFD80 - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 7231A29EC7233809C7D7D437A0FBA6856AB195 - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3295094B15B8EB1F51D70E1F5315C3C0FA309E - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = CF668AF6C3222F29BF64B4F192BCFAFEE0642B - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 2AA402283189861279D5CF6A98EAFE82AA4B4A - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2A08D05FD16BFC3DFD16D4DAB464EF9744FCA4 - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 95627D5738500E47A4A31EC3CCE61508A09426 - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C48EDD2811EA2D0EFFACD6F4F7E8FFCDB8408E - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 373823CA19E177F84EB6175B7CF066D2C2D858 - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 0DD3CBE77224C061132DCFA4985C476E8E1C7F - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 554E25639BC88454F07ED4A9DDEBFC85311B90 - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = DD34C6F315E3E0C204DE7AB25CE888876C77AA - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 84FA1773D470A6CAA781131492BDDC8F215BA3 - -Count = 129 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B8AB12A07CFA16CB7EF7DEFC55FDCB87DFF964 - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 4694A232C2967401AF5308E3BD104455DB7A7F - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2BC38BEA358E2B9CC55BED510C269A0D0B3B86 - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 4E12FC02CD120CC566DFE9F2237820F76FC4D8 - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = -CT = C24A8E8331E9560D2FDB6D6A9E57FF37A954D95E - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00 -CT = 539BD4667566E30D4B7C8EBCA19EE1D485B36520 - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001 -CT = E6B5FD64C402728F1C55DFE7AA0C974618ADF3C8 - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102 -CT = 07E9B819117A06F9552159A6781616EB33EA1B73 - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203 -CT = C1606C15467E903C1130C605AA7438A253D83005 - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304 -CT = 6958DA985FB2E1CCFC5CBC7AB48EBB5C74F434DF - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405 -CT = 6E91F665ABDCCFCAFC1C6CF9EDFB16C497B2A9D5 - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506 -CT = E28BE514123DAAB74F10C175672478561B936863 - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304050607 -CT = 94FB82BC66F7A56DA2AEE8FB49F33E8B7F702C00 - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708 -CT = B5F024D2D49C453F39D80C1372A0777D6A8CE04C - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506070809 -CT = 68FF6D948FCAC97243DA0AA17300DC073C501D72 - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A -CT = 5D1DF5A2B9CBBE951B0D4476D541AAFC57D97D90 - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B -CT = 3D0BF9C15DF6A5BAA04B5691B5C28E4B7E51224D - 
-Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = 3BFFEF82DD4F80524C10EE0D13DA0950838220D4 - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = FAF26684C8A2EE3A6B4F428616BCD3C2CA745675 - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = 12928F1F381ECDBDAA7CADD8A86C846433541D12 - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = 263E299F2CE04110FA94F2A3585951E7CD8D027F - -Count = 150 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 09DB59179B31301A9DD1D3ACB9752DF01820F8C7 - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = D48307BD927FEBC105DE350BB97A414300B9927D - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = F57FF1DEA5DDC7D5644C6B2168ECBFE1EA9D211F - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 60F5C9796A7D295F6CD22DD1B2DC7292A4686A16 - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 467BF70E5F4081288D828A0159FDEFB0577EBE5B - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = F777597E78B4FC2F45121DDA943460D7786BAB14 - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 94E293006EB9C0374FBF759A0A72FD66E6A1B756 - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = D877E00CBE2728265429A6C5B5A80338207CAB12 - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 65CEB32DC4453002C980016583410CFE20CED159 - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = ED2A80CF29DA14B1F04E47517CAAAA512410EC82 - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = E81D994F9B39295D16FB3CD95BE20BABB8B27485 - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 5D78DF931111629805D3560AD4EDD812FE0FC0EF - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 4661C632E2A5FCCF287F9F661910592BE6EBDF0A - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 577AF5F85D117936CB10CE8C0347772AF1B3B928 - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 715BE74284D14C53F1165A41312894BE63097596 - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = 12BFE4AEB7CC486D60BCC711B881DDC8744BCBEE
-
-Count = 166
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 
-CT = 70BD29CF42E67143FB997F18F0554C78B6CCB5B728
-
-Count = 167
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 00
-CT = 34A642EA6EF6741CC8717391CF6D9DA8AC46BB4294
-
-Count = 168
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 0001
-CT = F592E04B5C305633A3025671063CDB9411CD9698EE
-
-Count = 169
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102
-CT = 6E6B2EFA562A7D6628A825D99E4251C119C4032F04
-
-Count = 170
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 00010203
-CT = A3A4AF89CE2094387B6C5414E076E7742AB9A74E27
-
-Count = 171
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 0001020304
-CT = DA53B0272C8474428E94F6083F89160CB16E6778A0
-
-Count = 172
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405
-CT = B1F303DAA781123E600051BC71B32BEDB700071479
-
-Count = 173
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 00010203040506
-CT = F592901B2E645F2A4838F3B832CFDD98805794FB77
-
-Count = 174
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 0001020304050607
-CT = FE47055C9B28A74E02888B05B8964EA2A0D153ED82
-
-Count = 175
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708
-CT = 9ECF478B4BFBE4FE960538CBB344AE5935E472E32A
-
-Count = 176
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 00010203040506070809
-CT = 3FF471F23DD2C12343A55838C2625514C64CA53551
-
-Count = 177
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A
-CT = 4F7253BB77F404D21D58F69D169386290FCF94033D
-
-Count = 178
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B
-CT = D17BB2A6830C1855F3A7870214A8E83C200DD16337
-
-Count = 179
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C
-CT = 41079E29A2E672E46DEB5F696C574CCADE57ADD1D0
-
-Count = 180
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D
-CT = 7621D519ED09F1094498418163CDAB65A9B4C72B26
-
-Count = 181
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E
-CT = 56AA2956955E98026E5961FCD27F38D7733EE4205E
-
-Count = 182
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F
-CT = 6E052F0DE29CC69D4F0F24B1F49622072AC9B6C8D3
-
-Count = 183
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F10
-CT = F8843830990F00D5188DC0C73308F73DCF2624F634
-
-Count = 184
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F1011
-CT = FEA28547BBDF0AC95B37FD2480E28C20B182883DD3
-
-Count = 185
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F101112
-CT = C3BB848AAC4CFD5FB6BA6EE5537302F9E323A9E1DF
-
-Count = 186
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F10111213
-CT = C02BCFAB84E5A9481EB006E66EAF803DA12321A008
-
-Count = 187
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F1011121314
-CT = 664FACB9D5EA3EAFC0CF262464491BD0D4C3309E1E
-
-Count = 188
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F101112131415
-CT = 6DCAA46A6D39AFB0C763AC093A65114BDF9721283F
-
-Count = 189
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F10111213141516
-CT = 6F9E9D9D2D29985E693D418D7A80810E14C7854027
-
-Count = 190
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F1011121314151617
-CT = AF938C0F462961329D456CE6F4ECCBDBA6D144D88D
-
-Count = 191
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718
-CT = 1870B9654E6ED47910AC62101157410EE97262990A
-
-Count = 192
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F10111213141516171819
-CT = 2AE6A207134B21847DA686836E4DA69E79911B7B86
-
-Count = 193
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-CT = 826872EC29C622C3ADDA0C82422748C77E8108D2AA
-
-Count = 194
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-CT = EBB8F99E00F61DA0696AA43B993FDE64221CB4E038
-
-Count = 195
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C
-CT = D63C99B442B93016165C3D9CC39C6830FC12D72033
-
-Count = 196
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-CT = 54CE1683CAF718504AAA1EB106BCF1CA6B6EEFE0EF
-
-Count = 197
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-CT = E90EC973DA089E04BA6CCC0556E6B3D30B33486A4B
-
-Count = 198
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = B08875F46F035F449AE8E5A10FE9ECC894A0EDFD6F
-
-Count = 199
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 
-CT = 7EEFD20825D30A83A49F3C80EF5CB32067AABD27A515
-
-Count = 200
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 00
-CT = 55896480F1C2E8AFFAC6DA5DD4499C15DF21DF8F0EE9
-
-Count = 201
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 0001
-CT = 6824D9CBFFC272754C499DFB52C0185E884DE2EF8761
-
-Count = 202
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102
-CT = 49C627C43C8B2366DB05B5A8A42C549286AB379639A8
-
-Count = 203
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 00010203
-CT = CD542B0DBA4A4CDD9C99B7674D2D27D57F1BD1E34188
-
-Count = 204
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 0001020304
-CT = DA1029BBA548E5375BA2DFFA5A9605020CA8DE6F5ADE
-
-Count = 205
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405
-CT = 84C767B3FD080930C8E77CFCFB339A6523EC4E2D84E8
-
-Count = 206
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 00010203040506
-CT = 5922DADC27F5EA348B8571689D2275C77996B2D4F55B
-
-Count = 207
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 0001020304050607
-CT = 439A9E295BFDF38D00201EF98D119A22605443760942
-
-Count = 208
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708
-CT = E61C13B9863AF431FB080044BA089AC9F225BA2B33D3
-
-Count = 209
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 00010203040506070809
-CT = F64437793E97A4FC0EEB4B12AC73D95AD80BE9411574
-
-Count = 210
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A
-CT = 701DA9B5250F7E3007842B9B36037F3B58085351951C
-
-Count = 211
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B
-CT = 29F5872B850B243DD801D7474A1C033DB3F46CB66915
-
-Count = 212
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C
-CT = 80621F813A0E9803271C0428FD815CF22FCFA0D09EFE
-
-Count = 213
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D
-CT = 687ADAF4B5506CD77C977E66446B90BC8F2A5BEE1E04
-
-Count = 214
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E
-CT = 78FD73747777EDFB553358FE22994C60930AABEE338C
-
-Count = 215
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F
-CT = AB47A068D1D97B336AB0339F599F5F9EF0BF4544A44B
-
-Count = 216
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F10
-CT = F26B2EBCF8C0556AFB327E642E28C7AC986741C57051
-
-Count = 217
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F1011
-CT = 360183F3B27684493226DFE624E5381B16C02413E254
-
-Count = 218
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F101112
-CT = F222D4D8B0660E982BB6222B8C1613EC4474EB195C8E
-
-Count = 219
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F10111213
-CT = DF354784692E67343453941C8E35DC9BEF693C2A0ECF
-
-Count = 220
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F1011121314
-CT = 571BD3F757CFF181955979E3C006FEB541CE55CA341A
-
-Count = 221
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F101112131415
-CT = 18B9AE86587CC95BD111ED20071EB089529D6B0BA54E
-
-Count = 222
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F10111213141516
-CT = C63A2B84D057453289B668316986E8793219B149A3A7
-
-Count = 223
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F1011121314151617
-CT = 52F16488A082C6FEFF1F5990DABB9F7D57303CBF7F43
-
-Count = 224
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718
-CT = CBBDC61A9C2CEE00158B40C05250DE274BB4E95B312E
-
-Count = 225
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F10111213141516171819
-CT = 3DE3F8A37EF0223CF8994E997BB1FAFBABA022667410
-
-Count = 226
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-CT = 8E4EFC8786E23CC023CEE1D73E93A7CF5A129430C6FC
-
-Count = 227
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-CT = 271EB9FF40534634B1278FDE8CE22F79096AB299D91D
-
-Count = 228
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C
-CT = 1A8370FE8717BD3ACC0E53C07CDAF3556A0B1FE3DC53
-
-Count = 229
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-CT = B7A28845B7971CB7765361EEDF2241DE85FABA5798BC
-
-Count = 230
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-CT = 1A45EF0F8690804DD17D95959E578672F0379682AB86
-
-Count = 231
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = 0A27B380D6697A6BD2E59763FA355E949D4E4E692D62
-
-Count = 232
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 
-CT = F263183D7CE6B0CD6920E1A5756664A95143EC033A4621
-
-Count = 233
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 00
-CT = F30E5ACE835921A16282E9B407D2D6AAD6AA0FE5191E36
-
-Count = 234
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 0001
-CT = 4AE9AED506C9C9467FDFC015252BDE017D5C58498B33D5
-
-Count = 235
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102
-CT = BBC51FE591BC31DF5A4879DC8CF35B9CBAF0708F0B6FF0
-
-Count = 236
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 00010203
-CT = 15FFEFBEBE178EEE3BB190BD39EBC79AF52142CEC547CF
-
-Count = 237
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 0001020304
-CT = B2C67FF3545303A2662801F4D7C5B492E173AB2320BF07
-
-Count = 238
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405
-CT = 442695149D8164359958D5B6A7461656D5A730C7F022A3
-
-Count = 239
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 00010203040506
-CT = 6BF0EAB03D7822B3FC7EA26824A67D0B7FFFAE239B613D
-
-Count = 240
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 0001020304050607
-CT = 27F7279F2FCE13773445FE07E78ED9DD6F385E62099C7D
-
-Count = 241
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708
-CT = FD2F6F7B08DC305D6666086886625270C357D160A5142B
-
-Count = 242
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 00010203040506070809
-CT = E3B58D361A1012E734925F4BBCD19C4381EA150E2B4C8F
-
-Count = 243
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A
-CT = DF3C0AAE758F3FF48E2E72E050861935A5ECFFFF7C4715
-
-Count = 244
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B
-CT = CDCC67C3A207B8FDD7CD9EF7A21DEC7BCB0A3FF14B0D94
-
-Count = 245
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C
-CT = 97823CA19A310838678BBD5CB481CD9AAA2F16AB8DDF56
-
-Count = 246
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D
-CT = DE23460C1D0640DCC35B75D74A6BB4FAD4A355F2B93255
-
-Count = 247
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E
-CT = 6E6E579A48FDA79242B0DF68763E9B437388C5AAF30441
-
-Count = 248
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F
-CT = 89192E965D06CF08D5F4E2AFB2B5AFE6F9B67B049CD03C
-
-Count = 249
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F10
-CT = C8E02A670FA3DA3130792B3EB3DB21340B60C3AD300135
-
-Count = 250
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F1011
-CT = F0D2D74F4BD25DBBE7BCFD615CCC793D7E9260C89A69BD
-
-Count = 251
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F101112
-CT = 30F9BE26A07D53BD2ACF3E861B6942ADF0F4F098E5457E
-
-Count = 252
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F10111213
-CT = 9753F45F76583654CA7D4CA45127B41C9EB9CCFE5AA4D4
-
-Count = 253
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F1011121314
-CT = 59D4C6F8D143A7DC6AE6674F0D8592D05EF78068DD0554
-
-Count = 254
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F101112131415
-CT = 4FA8D80449CB7996389FB1F22F0FB8464159B24CDB3626
-
-Count = 255
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F10111213141516
-CT = 102E7114C54D7E777D0ACD126B914F88D80B0AB44A0E4E
-
-Count = 256
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F1011121314151617
-CT = 6C11ADB5377332FA479EDA1907191D81F0B07550DF0B84
-
-Count = 257
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718
-CT = 893677BF78FCC4A6DE561E52B62DF5161031AA95EF7CF9
-
-Count = 258
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F10111213141516171819
-CT = 8EECE711DF9043F42E1485B295441440551ABBBA1E2864
-
-Count = 259
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-CT = BE9AB3EE61517DA2B72ADC678067636780732BF14589E7
-
-Count = 260
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-CT = 95CAF1B9F8C92C6AD337563C14D4673C1B4508EB61E81D
-
-Count = 261
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C
-CT = 8BA0187DFA8F22C0B6180CF2E9F5FE472D5700417F1C2C
-
-Count = 262
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-CT = 208D3C39842EB3B4DF4296AEDD545AC80A41CE615C47EA
-
-Count = 263
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-CT = 755CA8BD215C55A3E289F46046DCE2BEC1360E8DBF88BF
-
-Count = 264
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = E682D263A63BCBF02C583E659E084D255A7A4FE3C80999
-
-Count = 265
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 
-CT = 345322B40B6ECCCA402B05239AD31E82781362D6D37463A0
-
-Count = 266
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 00
-CT = 867D83CC200DCFBECB063A706F935C0870F1404BBB44A474
-
-Count = 267
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 0001
-CT = 9E36CB2CFE8CD4F47E157B4F4897FEB721AEB2DD606DDB04
-
-Count = 268
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102
-CT = D9CD3232C0A7212886816CBF477739865526A1CDDD650494
-
-Count = 269
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 00010203
-CT = AD89D37D9B44793A9CC16BB690E8CDA1AAF1C2890DD450D0
-
-Count = 270
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 0001020304
-CT = C31B5A7688C18E690A44802F3BD81FBDCAFE9570A3664838
-
-Count = 271
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405
-CT = 1D58867F615BF10DBAAAB41A87FEED9F87F3992E9FF2B970
-
-Count = 272
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 00010203040506
-CT = EE963EB10E97D9B615322C4772CA3BEFCF47FFB0850B37B1
-
-Count = 273
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 0001020304050607
-CT = 60BE7448B317015CB67A5AFB1D6D0D684ED8669F05661143
-
-Count = 274
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708
-CT = 56453B7B59DF4A21733943ECD4DD20267672086AA7DEE028
-
-Count = 275
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 00010203040506070809
-CT = A4E9C7FFA43D696CD17D0C47CCC283790A3826D68CA06435
-
-Count = 276
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A
-CT = 51B204C1CB5375668A934827A3FA25EF188347294F5223D7
-
-Count = 277
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B
-CT = F1834200E5A7C763BB04149F6AFB3C93A05B2E0E80E30A75
-
-Count = 278
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C
-CT = C788C24DFDFB66BF98570F69C0477799B6C9106F8CAB7513
-
-Count = 279
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D
-CT = BEB004382E89514CCBD3C33C5331D95D96BE285EFEEA9E9D
-
-Count = 280
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E
-CT = B5B97D75F484D18642BE94ECFEC3A873D3593E8C8EDD9C57
-
-Count = 281
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F
-CT = BF70FA81DAA0BEABA0C49273E67F673D538820D8542616CE
-
-Count = 282
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F10
-CT = 27FC2C50FAAA9E4C230EB8C6F0260E8132372403367D8100
-
-Count = 283
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F1011
-CT = F2E0BCC398161C5F0087B6FD194C32F66A146BC9104C4F01
-
-Count = 284
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F101112
-CT = 45BC907CC477CEDCA182A30A3C12FD4085F540850B9E26D0
-
-Count = 285
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F10111213
-CT = 9AF7E0F3DB1FD362CD579FF0DAE7EE04462EC84B4DF49584
-
-Count = 286
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F1011121314
-CT = 20FFC7DF7B5DDEF766662798F709DFD44A58C53E29777EB6
-
-Count = 287
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F101112131415
-CT = 53E63A616D13F11146EC8CB40C511D1BAF6838E5047AFB33
-
-Count = 288
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F10111213141516
-CT = 8566784987F8948468E9C512062A0811CFE738E2BAF0350D
-
-Count = 289
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F1011121314151617
-CT = BFC96EE0F4DA979DC84353733B0D60DA290726CCB3233A6F
-
-Count = 290
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718
-CT = 63DB689257192C58DFC985137FB8F2AD33156C63503782F2
-
-Count = 291
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F10111213141516171819
-CT = 6CBD0D12809D6AF7E4DFAC048C42066B34507B705BC9726D
-
-Count = 292
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-CT = 5B45C740257B97054DAB31D8564B0E568AACA784CF6A7E6B
-
-Count = 293
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-CT = 39FA4083B5B65DFFE0765E5EE830B246533691AF84E363D4
-
-Count = 294
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C
-CT = CD53843F6BE9BA119067F14F3431192FCA873E514F521C5A
-
-Count = 295
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-CT = 64425959F9147E7B5DF65B885AE3E9D31B2BF539F30BADF5
-
-Count = 296
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-CT = E89283627104F98E8B8D4953485DE5C1152366B90B33E122
-
-Count = 297
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 0001020304050607
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = C42ABB98B2A9A8B8D60DC5A806BC4740032B61071FB9385B
-
-Count = 298
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 
-CT = 347E8C22BFBE1A02974A51E257334399A618F66DA5CAE539CB
-
-Count = 299
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 00
-CT = 813796E99F05180D2ECCC9967704F09240208ED1A74F6038C9
-
-Count = 300
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 0001
-CT = D56C55D7D7AF0CC9FE49FD1D6D99392655B9A5E0C26836C180
-
-Count = 301
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102
-CT = 26D92ABB8197BD19230804894656D086339B86AA2E8EBD6569
-
-Count = 302
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 00010203
-CT = 77FB3EADBAAA1F105EB83BA0F77A3B0C68C1A036EAD08169A4
-
-Count = 303
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 0001020304
-CT = 7918123BCF403C118DA2AC5352C0E8D21712BFF017028CC2FF
-
-Count = 304
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405
-CT = 122EB811CC499826C20B4A6F3DB5CCE1004CBD221C8BB1462B
-
-Count = 305
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 00010203040506
-CT = F7DD8B3AB1F10A1AF96B0B41E6DD30D360F6B5547160EAD20D
-
-Count = 306
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 0001020304050607
-CT = 7A8EADE73C1F230CA4F4997E772ABC17C4DBBF50DD3ADC0EC1
-
-Count = 307
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708
-CT = DA95A170077C537F772AC91CABC378D7D59CED99E23FC8DE42
-
-Count = 308
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 00010203040506070809
-CT = 61E009F42F5B34CAF4C36548A126259886B9BFF700F46D118D
-
-Count = 309
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A
-CT = 144BC1AAD6C4DA83A2481DD7F9EE4C9881B9F616C2A4163E14
-
-Count = 310
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B
-CT = DF5E5472B5A5C57F8F6DC13DEEA16AE2C23DF638DFB65BA454
-
-Count = 311
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C
-CT = 68D4FEE9800814B0290875E183FBAB7EA22794F001BA82BA53
-
-Count = 312
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D
-CT = 192197BC698D397B01A9F196DFC7ADA56EB24894E038FAF0E4
-
-Count = 313
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E
-CT = DDA00B1554A43DE98CF107C488C44DE826E9BFFF46B5E5BF20
-
-Count = 314
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F
-CT = DE85AC2556CE65EA8AC68AC96D67F9AB7141DF614836186EC6
-
-Count = 315
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F10
-CT = F32ABA45543E02514C8552E0A7C5CC8C808F9B3CECAF2F3C57
-
-Count = 316
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F1011
-CT = 23F740F4E202F0C570010403701CC27AD620C6F62BF9DC26E9
-
-Count = 317
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F101112
-CT = 5C2A342C5ACAA4EB24FAC5221F8AA81545E83C4767F1E57B3B
-
-Count = 318
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F10111213
-CT = F2F5A97A0E3F2AD771C9535F01C0809A40D8965353FE2B4F07
-
-Count = 319
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F1011121314
-CT = 7B95A2BDFD8A86AFD35BAE46D6BA8C5C81B10A3E4BC488441A
-
-Count = 320
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F101112131415
-CT = 4FFF2F80604F3366DC4A86F9BC6159F09644F935636FA076A9
-
-Count = 321
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F10111213141516
-CT = 0366959BAC5C7167650A63528974DE731A66A361C1E45305F0
-
-Count = 322
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F1011121314151617
-CT = A61994C9370B650BF8F3D3B9412BC48F441B6688CC46DE0EAB
-
-Count = 323
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718
-CT = C36FC5E3EF88F85C0D54C519370E5DD1C301150D229A433AA4
-
-Count = 324
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F10111213141516171819
-CT = F718BE808F5F92DE87DA61F88A4EAC11A0DBAF74E59F1C9216
-
-Count = 325
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-CT = 1852A46E1CE2CB78D69C80E68C86652BC704115DE83516107D
-
-Count = 326
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-CT = 4CC574614FB6F1FF13F1A492F0851DF892DBD2BDBD8B9382DF
-
-Count = 327
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C
-CT = 16A3391807EC2C206E4FE468C4ABAC3CACF4ECD0E9C90CAF5B
-
-Count = 328
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-CT = B6777E54D3EC36AAD98576ECA389E1445AC02C5894ED07C34B
-
-Count = 329
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-CT = D3B379E63836282B1D66F9F8D3FB27223C6C6E5E45ECA0E0F4
-
-Count = 330
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = 494BCF39EC608C2DAB3F508E10108E42C6D8F6DF6879ABCF6D
-
-Count = 331
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 
-CT = 9D6CC8C770DBC4135CF6D6033D609496EEC59ED3CA3B31F84564
-
-Count = 332
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 00
-CT = F66B20C74C43A7D6184CB0EA240B6943214B9C768B73D58DB50B
-
-Count = 333
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 0001
-CT = 3E97D70F258CE3B3BDB621A78CB755498C36BDBB62070A87C13C
-
-Count = 334
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102
-CT = 9AB0E22DB57AC781DB4278B5EB741068BC2D281E315DCE840E73
-
-Count = 335
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 00010203
-CT = 3CBCDACBA34A2CBD5D53080BA52531AB9155C970777A8F553DB9
-
-Count = 336
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 0001020304
-CT = 64E4D03279EE87F1517FEAF19DF89A032DF8D39C25D5187F2585
-
-Count = 337
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405
-CT = 8723CFCC657580C051E524964CCECE7F9FDCC95D74DB4E927008
-
-Count = 338
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 00010203040506
-CT = BA23E8570F01E0E39842259CFDDF2CF036A14F6980AFF5BA11B2
-
-Count = 339
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 0001020304050607
-CT = 4407DCF03039E923472EB938148D53D6CD4C0E8ACF739F2336E4
-
-Count = 340
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708
-CT = 3DD3F7C21F2349CD6705EBBD86B807E85C07DC3B563520AC1505
-
-Count = 341
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 00010203040506070809
-CT = FB52FDFF12803F938AD18EA2FBE544D3FB1F0D14C67167C4D5AD
-
-Count = 342
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A
-CT = 3D7774582EAE81133C24D59AB811C87A44E65E822A2CD0F60BBA
-
-Count = 343
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B
-CT = F3975B46722E23E4A3991E5F43C66692561FA66A59E4ACE94B18
-
-Count = 344
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C
-CT = 58705F880660C47364A65B31FB88E28ED30CA92CFF9D3B1EE8EE
-
-Count = 345
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D
-CT = 5C933A027A467B04593788B06FAF7DD3B22D03BC776A0E078C6B
-
-Count = 346
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E
-CT = 19B0A87789964A72F995763C47F58E3F3FE9F5574E35FF89AC2C
-
-Count = 347
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F
-CT = ACDEA875E21F95AE17EBB7B0AD0EBB812C81407ECE57A611509D
-
-Count = 348
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F10
-CT = 3D25F9D1550B659EABACD4349BEEB85E6DCD0BDA9B8B739B42C6
-
-Count = 349
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F1011
-CT = AD28DAA73402437285EDB0742F6E445918F4E626D68A6FB5B64B
-
-Count = 350
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F101112
-CT = 21126A02A9E2EDE62FE0B17A451636781E0BB9FDB3B7D942B4DD
-
-Count = 351
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F10111213
-CT = C754BB83D17C76B02547DF1AF9DEE8C16CB630D36D929DFFA63D
-
-Count = 352
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F1011121314
-CT = B592944653277D014FFED76A2864513B1EF72F057B1470FA1AAC
-
-Count = 353
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F101112131415
-CT = 57EED3DA870AEEAEBCF92A092024CECDCF9B3087F8909C6A08AD
-
-Count = 354
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F10111213141516
-CT = F54F5B686F53CAE3944901FA6B7B9E0379157CCA4BD3A236B2CE
-
-Count = 355
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F1011121314151617
-CT = E56E45C4E6F11D5CF78313CCE7CFED5FC83B1F4620686B6C5897
-
-Count = 356
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718
-CT = 7227BCCFD935F2CA53908E7C4FA4C8662F1CA2916C74407B6107
-
-Count = 357
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F10111213141516171819
-CT = 48B0E904473C977C0E983C5CAAA31521207221177533946B7BB0
-
-Count = 358
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-CT = 9C8B27FA6402ACAB1410BE82A1B2CF0872C3DB23F5AB9B388C11
-
-Count = 359
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-CT = 857DEFD50F383056F123833B20080A8B7D50AD335EEF7DCAD2CA
-
-Count = 360
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C
-CT = A7152E836AD6F1A69C52462075F7D2D4CDB5E775520E45B8FB39
-
-Count = 361
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-CT = 02F337DD380FA43354967EED42A635CAEC3C76BE7665F0C687CD
-
-Count = 362
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-CT = CDB358A1CE565A18F68052079E43F4A792638E289BD96E90CB70
-
-Count = 363
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 00010203040506070809
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = 6ACE5734637A2FE34993D85B0B55F80B6664E5A9EC1F3470D883
-
-Count = 364
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A
-AD = 
-CT = 4AF14B99B418A6475EB4BAA759C82A1C74B89572796086E9D04F5D
-
-Count = 365
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A
-AD = 00
-CT = D121FD3D5F959B23499A5F3778EA36B483DAC225C622613D68F275
-
-Count = 366
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A
-AD = 0001
-CT = 228EC2EE40102E97FD53D43FBE8819EA45DE530DAC6813D48ADEA6
-
-Count = 367
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A
-AD = 000102
-CT = 51A6CF44C9025173FF5F301F4F95869B15E89C69B7B29B971CC7F8
-
-Count = 368
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A
-AD = 00010203
-CT = 8934416119BA4DD57DFCDAE85F7C0AB7BF0CB116810A3373DDB7CF
-
-Count = 369
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A
-AD = 0001020304
-CT = 8CB437A843A0D24BF4DE425A6D5876A735FC846E8E7D840E0D3E20
-
-Count = 370
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A
-AD = 
000102030405 -CT = 895353CF7F29EA4789D2EE4D566E04D42B0276895E27BB75608D1A - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506 -CT = D114255D1AAA58541A1EE2997EDCA3BDE27B0CB386A4082DF4F2E0 - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304050607 -CT = 1E95D6EECC1C2DC1DF5B77181F88F812B792BD1D9B9AB18E61AD91 - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708 -CT = C42BAE846950933EC267A4B82932B8709F62284A7F3DBFD64E9E37 - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = 76E3D61FCFEB1DFC88A74832E4E5482FF01CDA75DC5425EC21C6AE - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = 13DCD57C766735152E3D981F23E5E268B056F874E9DF396220F1F9 - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = 46D192356055FB8C3BB4218E1200F4B1EDC7FBF8BEEE257D7A2B3E - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = 31CA8C7B9B1FAAEDD158C828824B6FE22124911D37CFDC3B141099 - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = E5374017F2C0A1795152287E6E2EA243AF4158F498C98F83A3AB01 - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = CB1FA104466E1CEDBCCF05752C8A82C1E58A9D4EB91E690B58E6BC - -Count = 380 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = F1A57034E12551E2D16CDA212344EBD0B579267A0C37F4DAC88698 - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 9FF8464E311EECECCD6225A7342F7AE1A9544640EF70D35EA0AF04 - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = CA469F62FA5881B2F23655C77DB7CEB4A28F68D3BCA477CD3E4EF8 - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 1BF74DBE34A5BC07AD4D4124FEEEE4914EA50CADB03930A640CBB4 - -Count = 384 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 33D607A7B0F76C0472278CA7D370DB85D26680F4EB3BD9D6E9DB07 - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 938F5E8E1B2CB0A03840BD694C60095420C9E6B0EEA53652D68122 - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = ADA939040F19F2D83A52A520DCD900B454453646A57D934B77FB73 - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 25755B74489367E152657A9CA918F10367DBFEE20344DB179D8C21 - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
0FF3DEED5EE07566179477E5DC5E8A424871E36F5E160FF7FAE5AC - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 121EA90C481EE72077AC3FC1EFFF02D84D5B660D2872375330229A - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 03CF5AD81897C9F81F7C758C2FA94FA3643CAB0AC0A25899EC00DF - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = DF4AA159DF587B63B116489C5D9A2124DDC48A95F5FE8FB2AF0998 - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 6D25CEB89AE43B11698249B6E2D2F044E8181BC97EE8ED039B48D8 - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 5AFD962498236132D85DA1B8C18658D20CB65351AA4AE2F361AE00 - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = E02AB9E07B94922CC75E74686EBFE8974B922B6DE8997E19A3EF7A - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = AF15A6B9528EA7C151ADA499239B9F0347840BF7155FBF38A07943 - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = EC1C68C4747D84282A50B39DC94DE5005702CDA703347E1D7BAB85 
- -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = -CT = B6072CA9BE4C5B5F12663DE3B3D59D8B737A768C8ECDD632C6ED8C58 - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00 -CT = 096E3D4C7625977B638F72F6B581EA31D598D5499E351DB6EC14BB34 - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001 -CT = DE6907C0F3687EBEAFF48B080D70CF31176CB44A944E00B23C6167D3 - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102 -CT = 89DEE939CC1E2CFB61EE6BE3D457746236AA9BDDF9CB359C377163B7 - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203 -CT = B970E33B329CB2718EE1EB446747072DD56836A3D72C21100BB00AC5 - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304 -CT = 30D098A4048FB96BD37DBD2A69491177555D7E60013F16B0F332E64C - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405 -CT = 8372334B2BACA04ED5091BE34E6294CA4F10F374180D1579DFA18590 - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = 45AEF48D63A969A2234B20A30F6B460B46DB6E4074DBB8B0D9EC72B0 - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = 384C288F2FE7ECEE416C0C2DE4081CE357B4A4AD2766FEE203A25587 - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = 19A34F3DF21959A4A6C07DB5C14FC408735DC10845405C824831A1AE - -Count = 
407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = F756E90A71A58645231B0CA0940F5A71379971438F4AE3FE6D35E85D - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = AD3F6A3EA96D3FD9D8D4AF6B282CDF4AFBFF546D4C30D1A0B71421B3 - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = ABB13CBE268767A6B2BBA4ADD02D7C358F8732DE707D1976EA74A3B6 - -Count = 410 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = F51CBA59B5FE18425D4D95F06538D805D5AD0575DB01D34EF87C0849 - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = D53EC39C3DE1CBE1A8FD511832CEC17C76BE141289B926DE1E03491B - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = EE918777CD7BAA142CA24D75D240E7AF22C001F9BD71CE5FD722B19F - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = 04C39FBE8836E3AA0CD6C1EE424FD0BF84064D120548BEF493D365FC - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 265D382078DD9DDAFFC17D6D8A227B15DB9B5D4BAE925C282A4B753D - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 1EFAB7BE5373E45A4A50B445A7B926B248BF6220CFA8680D8526F573 - -Count = 416 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 0B39A73B2AE94459946CA031D1E8D8EE0C2B13864ADEF24A119DA319 - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 5461A06CBDEAB90F0CD57474FEDD958E5F8AB8F0C35DCEE714CCC4F5 - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2884760AE8465AE66FF360C77828CA9912F829C6CA74C59D1C9FA6EE - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = E8D60CD75A37B3B8D3306C58406F0AEF169BCD0413A0DC2261DBBD21 - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C27FAA41B816D056E078993D9BD87E064D91A2A78B41D54B0F28107F - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2BE382C1603D14DC6B4862ECA72001B3E856CCC1EFE07DAFAD768179 - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 1110EA2BB02F941A0DE8EC74EE91778CE2FE9A48F00D6FDE72E1C425 - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 5AC43D0BB83720133B4C8E8E44509B5AB0EABEAF01A91563724F6824 - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 778050B10DDAF53226037C27FBD090D73A37EFA5ECCA8B26AC8DF12D - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 09981F3516C22CD0875973393EDBE12420A917B70A0296F2BEE9C70D - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FC93630AA9864AC69A10699935186CDC49C1250B485BB70E36D6BFD3 - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 34F49D0CD7F8296E4A9BA3B0E7825146FE1C3A375DD4B144371BCBBE - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 5C1427C6A55F4FA0481CABE5FB4BD54EC5E55388D0320FFD10F318D0 - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64401FD9AF003BE89B7CA87FC5F663DCEB033254507258724F3E3B7C - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = -CT = F9B3152B17C536AD9A68DA1D9F71334063DC81E548AC9FA69F0ACBA53D - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00 -CT = 005D23922DAB4D15115B07C1DEE45FD9FB6DB267E337AE0482543945BD - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001 -CT = C28B412EA1D372AB63CD5DECF599606758660F74910D93C18E49644747 - -Count = 433 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102 -CT = A85F71278FD0E1F0D32FD523A49CBC5B45716B127AE420497344EC8795 - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = E2FC92998C44625C62061E8185BE9051A8DF573D6239F2CCA718CD10F3 - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = B2F3966C2BA5DF5094E939021EF702CAFC25F84EBD8290BD9F328041ED - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = 46866A83B7ABF6753D8C26EC574CA5DD8116D353D7A00060350D386267 - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = 0FFE3F038C26BD91BE8C49B4EAEEBAB864AA437AAF456AC5361265EA57 - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = E93039E41172C918A902F2A0FB211078B3F8E1015EA7AFEC19A39508CC - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = BCA28C0BC6EBB463969B1497C2D7B0C1749D4774E8BCF849E0EDB4B37A - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = B964A367954137AFF1A0378FF701868C1D6B9CB056467ACCE1B0B52986 - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = D81319B96238D8856EAA1CDCD2B6235CFE8E315B02147ECAE16F2E5D7F - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 
000102030405060708090A0B -CT = D1686E0F1BD0803F19820364EDCE770B6AA3927C2F6712B7F1242040CB - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = 80858398ABF6D8B17BFD7C5414AD22ECD6724B6CE8D58948E2DD0B1D1F - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = BBF43E0ED99CD35E9E0ACCB8808E3ADFE0F972EF51315993B7B47D24CE - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = DE8A39DB464936AED7A2D3C0E47203C9A473F684C98A063C4CB529C7AE - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = 0FD75349954275CB9FEEABAAC92D1F536FA8E9A939F3301CB7520D4324 - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 1D5F1D7CD1DB0B2A5AF9315A5BCFC62AF47A6BC2A8448AE6245C3589B5 - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 46E98F6BE94E2A3738D300C83E11CD9CA455F162BDA43E2D54ACE610BC - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 94F561AB87A6A3610EC4495A44287CDE2A3F28E8FC3E38B691FA968BB5 - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 36ED481F96CC39C0984923EE7503428D0085678CAB98D5F6A0A0438D29 - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT 
= 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = F03AB2521FC7FF994A4D7B666EE00FEEB905943F4635D49349E63BA2DF - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A4861E3871F413EEBEB84493BBC2BF31D9493DDA46AC3352DB9539FD65 - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = E300E7000C9FEFF89D0CBF5737811451337B2C0B57BBFF16765E017104 - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 5AC5D9987D8AAB2918B5B84EE99277630815D33F485E12ABE37AAF6568 - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = ACC5765F9DA9B5BBE1FC8406C3085FAF746D22BE2CDA08C120DF8714A2 - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 7F23271862D80F5D374381C070CD9D12642B34FE400349940174DDCC55 - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 484C50B37D1D148E0283DF665829A62D47FBE629E76485580DA596926D - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = A20C9084D02C068B1AB1E575E7C0A02B15706DC199805C781AFDA1A9C7 - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 765371DE14E4DE1F23603E4A2B364633BA8DDF56C5A8F5D59F0C208F5F - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 83FC24A84A6E99887C8169FC07AB8EA8515EF3371E0449475D0809EFEC - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 44A98404CB9B41E572C9834D6BF67F3EB8D4C7C5D85B6C9538DFF11464 - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 1208E7347F87E7A737A619E6EB4C288F2E4B202A7E1813A04361872D33 - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = -CT = 1F3012B52089F3479F6AF8B21C917092684EB2F6B39972FCD1B38F0896A7 - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = B3634D04B813AB6D97692968044B5C88917B03982B201B15D3E7FE3A2530 - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = E8F3118E9E6AF0A536A3C1A2449DE7457E7C3F78B065A22FED069D996373 - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = 005424D2634C12007DC6487A7C5C24787BE5D0EA31E74A2973CBD727A2BD - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = 4BCB8407A9E103CBA66AD3551B75C969C17C225C38E2107C90B6BDDF154A - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D -AD = 0001020304 -CT = BDDDEAF9E52B406B743C1CD432B8F8765D989B1C6048CAC1E49D14DD121F - -Count = 469 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = C5D9FA87B4C6234A156BB50427D28144E839B14B9F65B58AE03D02472F66 - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = E6A27D8D62E3DDBD2C69C43438C4D55190D4D5B6DAAC8ED67D8FC566C182 - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = F087A43CF9403AF4F553A2958E1ABB0AFC559CCD2950AF3233EE89FDBA04 - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = 6BD9D955CB4BCBB8FD3FECB87732893A667F9C280935F8A8DDE724400842 - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = CBC0ED6D06E272D8836F10446E3BB9C0B0851E1B077D37DF69C27F9469B1 - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = 51B70ADC89AF65F6C7BEC984FC349113FBA9304D1B0C4657ED1D590675EB - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = 9D27F21D3F393605EF308E307F79C73C020F9DBAD27EE09F2DC2CF9F43A2 - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = 14BC5A426127E8A26375CCA18A8CC39B9369519699DCDFA3185A584F29B8 - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 
000102030405060708090A0B0C0D -CT = 8B454240021DFD52EA3AB9342D60709DA131EA92F7B5E8B3B67FAC390006 - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = 02A33BCC03093C1BA3C3F8B841734170244135AF63AD18C6F050D6BD042D - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = 796213FBE5D757574FA71C9591DCF8D42B981092A9CD7D1B93FD6DB2F8A3 - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 64CA5A53A2DA0F19772201EF78319E54D79F0BCBDA73D6F4FDE688F17DDE - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B7CBCAAE6C9D6517AB1EFD2F6498C71675FB2972D68B42A0A47A60584653 - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 7C01FBF9F0AF62CBFBA437403B73AB5558B35BFB4CEF213A646EFCB145A8 - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 57FA21919ACEED8B57FD6FE5DDCD749A6EAD0E455CF348FAA8B0E125FD87 - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 41D1B1AAD4449E978859BFBFA9752B53516210FDC6BFBE416E14EF8A06AB - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 859BDFA9A518C0CD67C0269DBF90CF019874ACE8D798EB9A89966044E847 - -Count = 486 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 19AE4D1FA96DE4C4FABE0868216A9549523A098F7397D45666BD67DC1D47 - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 612606C66D9DDEF44EB0148655908C7ABE0079F3BA9921B0A6B1E2F2FB5D - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = CD5D2544F3C11D33D7C75F501E45B040D41B3800236D7D5551725D045C4E - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 051F77A86CA9B62185C47792E3188B37DF290A9B55A5F84FBF8456AE4E4E - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 3C06C4AA7C46DFD1CC3EB41265A626D6874AC61DC4674789342D4EB12600 - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = A74355139BD7476DB7D2C5493CF2BFB206CCC4B832D6996538A818FEEBFD - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FEFEBC10E0E8C3747F787DB170C7710B62A458C018A1B4AA7D5370FED334 - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 392F674514389D45A77206A1418300BE4C10824AE943C4F9F8D653F2C59C - -Count = 
494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = DE2CC941349120C6A8BAFE74DC32C5DD3C51170F63BF2FB7486461B08407 - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = E832F83D8116DC9F972594CCC6B3093EF5998061DD278DC080B4AE521E05 - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = -CT = 0814268761BE7796DEE293441604141A6F2174E840F987375AE9FBDE8C1C98 - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = 41C84D79F5E1A1438B74E3CC599F5DE404B87AC525A2A9052A2738E855A6A3 - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = 4FE77DCBC52AABDDA342E94120ECF8C52319DE15CCF0935EE7B199DAC5F320 - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = 1BB1915400683FC451151791759CA771790D47582273B2C2B27E8F51158489 - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = A7130D3F87C7016C054813DD56DACFBC6C6DEC3552B0A37833F581B9D85A92 - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = EEEAAAACD30FACB9B7D2B6F937484AFC7D492FCE4B500E987C6D08737D6DFB - -Count = 502 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = 1525933905783909F68DEAE8266035DC4D21ACAA94921FCA75B9D61C0728DF - -Count = 503 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = 93C1E45781F138953053892F94FD9CEF514F01ED12FECC6818C7F3C028741B - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = 2CCF4FEDEA8847D2D73C774BB84D98D89C526EC2CC8F478E2313C9FAA76DAB - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = A6744A09C45FF18C7481E85D16844BBBAA8200BE79EBDF86F9464B1B781267 - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = 3FA059DB7448BF67980101BAD175CDCB402613DF1F8B88279AA6ED09D4F324 - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = 00CC449AD60D5C98E93C1630736C04C53BF47E5AD90F07BD5B531DB46D55C6 - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = 3727D45FEC60AEAB66EBF1FF4D3744306504B097ACE45485E3C3AFD26B2D01 - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = 63C88BDB2786E9DC97F248C37F57AB22DE05B909EBE216EEECAC2B11B4F4FC - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = 8A9404A346FDF035C1ABBA3E2EEF2AEA51B276A918D948356AF267E39CE4FC - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = B99E3E630384B46F9AFB43FDA70ADE4C8163A4BF27E942AECCDB8019CF2BB0 - 
-Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = B88C03E9F8241B7245271283B4EACE275B365B5E3A751A7896EC0AE219AA76 - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 74F329880D222750DD6A89FE9FF92790B9A9D91987BA07F9C083DBCE46F4E9 - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 779604D1E1B78E6420C9742446CCED3CAA572A44EAF16B7F2FB208D89ED143 - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 68EB3E163540DBD526DA8D69FEEF6E68ACFBF174AF2CC09085DC9123D692D8 - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 997F8259C68B9599CFCF659B18209653F3F084F84362B7EBDF8864A6C261E3 - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 8B31E8CA648DF587E926D4396EB5AE4A939D9B8D378CC4519D826486D17EB2 - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EFD952E4E926B97F8E20F0182F978BB79221C03A456968C438E1D981424D1A - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 6E33A72FA1F260A54F6A05EBD9A28311B1DD725B29D76F5BB5CA263C8D9C8E - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B421E3552721890907B9BF4D2DD77B5381CC3B57C4F848A76A1FA871131609 - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = E86E185713238A2ED4EC687C831CBE82F7E4AD3B56DE1AB200F6E843A2CBA2 - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 3F723DBBF8C6B70D8E38600F03BDAC2D5A60AA67C0AF2D72346F5708061E2C - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2075BED4C0D10FF8F251E1EFD62914AF49445C0DD4E3C7BBF6097508D232FE - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B487540196CA00A2252C6212BD11871C10EB205AF78D4EC359CD3A52A103D7 - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = DA66F80644098248912BB1887FAE94C4158FA362E3A3DAFB3B899F074D56D0 - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 0F846437746D1ABAECA44628335BC345E71BAE8E039770B226D9C5A5E83719 - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = AA8D5499F2FF60DF5B97BF86C560FE1C0CE733EE802C37C488D20751FCCE3E - 
-Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = EF35D807A587391EA3CA82875B840ECE60A452083A254DE72BF025DE0CB361 - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = 72B69AA8E5E938270F5A833F9C6189FE3D6A8B91FBF30B57274C57A712BC6D56 - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = F4E46141D6FB67C7278AB9038D220478D764CD694EF091F72AC66CD461E18089 - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = 964E12006779D9B2EB6FC03B0FAC275A73AFC163268F71029A7A06FC3A7AA23F - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = 9FD7D531CAFB79B2D287418E6A6D84E921621D1A64619FF95AC692587F7011CE - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = 63C67AB15D00F77563DEE6D8D171959A106B8DDD2717704AB27373C3CC25B1A7 - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = 4364A07D3793816CF069E327B5B360B03B15152F04CB3F3552C5870B6E42FA25 - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = 43885FA7F5C9BF1718B23FE7C92C364B326E215289760DB0A7B11973305A7FEA - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = F7E42781AED9FEBDD652D3A7020FFD943FB9DE6DEC0CDC4F697CBD2C181FECF5 - -Count = 537 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = 55B16E6C5785F6674831DEFA02E304162960483512829762F36B15683DAA0833 - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = 5E78505B86FAB32ACC44E9661A33EE32A23EC33BC5A8D14D59BFDFE5232CD8F8 - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = 1909F7DC70A95B298A64C1FF0BAACC08AD5D99051BEB9D49CF2EDDA275E6D1B8 - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = 7C5EC1B0E56B2D2F05C2E2FAD4E94E3494DCB7F953216EE73272FC1FB542BC99 - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = BAE58B9006C8AA4CBB4F5457BE016F6F93911DA93D90B93182BBD3BAC0AC0306 - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = E9060841AB42221AB03243D26DB0286A07BA86A0A4A7AE5D7318054748E03BB5 - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = 7DC6E1C99954E9E4FD73196B40D90E477650C154E55A5913C1A242F44839A743 - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = 5FBF55900596129676F01594255E34E89157D8FE97AD2D688599EAF5A1A8A442 - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = 
0E624BEF8292E8FF3ADE05C6772EE60D1AC055795B3496D65548342A689D2E3B - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 81B97A2CA864AEB0A0C1CA3858172C649F8883FEF9031FF0EC24D1B42124E3B3 - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 8CE9790161A74786B0C33BD10F61006B00090F3F8E8022D89579A88203DC161E - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 91F17000828C2E2D05FA7E03FAE242DFB7E96504280ADCB348AA345531C0FE0C - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C551742082D49A7DD18F52E98A53C61A77F4D551B82F24F41527BEB02BC83B13 - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 6604D40D48F7A37FE09659480820F9E25672A7353E83A2665F384E42EDC01B44 - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = F9FE9CA66FAE49C69441B60DACEDF789CC81A647B35938877FB8052530944A13 - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 45EF0DB34038D84BB862275780CB5E1BB4D648D4D10B911D128DBE8597D8342D - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
A08E019D13D706A5D22E42D09318A799BFA512646F4C86FA1116E89FD88EBB43 - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5FFB5B7E1E002A07B5FA4B1C72AB120281C1FED2187314475D8230FCD4347F13 - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = EE0821EF0A01E3B88594EFE771FBE650D91DE5BFCD5D53459FFAD905106C2615 - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 4AD176AB1F0793C890BAE4D02698526144B41358AE5765AC416C183DE1F1B7A0 - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 42684FA8B9D91A27F5C47D290B2414FC2158B848BE015E9C8D785E7E8453AA93 - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 48B802C68F0A2B808A4FCDA2DBED47C673B5FEFB06B2B89F0B6615213A39AE9A - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 82E89598CA017800FF30B7CF55A058D01B511565332605866A487853FAA75FC3 - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = A441FECC7B67796ADE538AD911FDB7F2EE4B8B9868FC0BED1ABDFF55B955C9D8 - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 889DDAC3ECCA8F9DBF511BFB8525C39844150CA528A2D1F4C59E5B1EF15C0AC7 - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = FC64EF2EBBE93E1FE7509EB857E131554D46CD635DBEE699208E4D9D4903078035 - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = 690B7142586015689C63A2A48EF02734BCC7B17CCD00F291C3382C12F63C49C58D - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = 95F3B1709AE415CACE82A2E06C9A66C59F5D39EE14A369419AE40FADA1B3ABEB27 - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = 148AAC31E7C298F28FF99FA4E4438A512131CCEF80740DDC47A19EEDADF73151FB - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = 8B8A8D0EB11A6143CF65574BF82789DC39BB8CD84EC038B9024E28532C61F0E688 - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = 6AE3C28426314E5138873999A245C45D39FEC3C7D5EEA2D8D2AFEE33FE8EA145EA - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = 54F676E7536251D7736201EA3F2C6B6345F24570AB643E65B9DCEB11EC27873DF8 - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = 07E3FA0DC5FF8B6C99450F1C8B8466E316D44E1BC1A3C97C5E07DBB1F1A7F9F6AA - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B 
-PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = 49AFF38D0C667675B3550D6C8488B0BB9ACB84F86930172BCEEDBC2DA2BB7ACB6B - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = B39D27380C76E8CC5AA2D5026FB10641DDDEEC3B8F7FF7987587DDE9B5845B34C6 - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = 952CD59D4DE61263898EB96121248C415E0B28140A887C8599A672F13CD6E88583 - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = 2442D51A723EA2C44752C8378FB1416E40B32AF3C88AFD05CC097AE6716AC6B560 - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = 79A705324C67E977351BA526F1FB1619878E7A833D0D7EEC743AE3165843DB46DA - -Count = 575 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = 47D507DE7E66B6CF56B962FFC831231C4F071B1675A9ED5F7144DCE4C59979CDE0 - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = C67A2B9CF2438FFF46E4E502E89D929DAA86896016A263B2AE0E27EC87EC112B8E - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = 0D86EC289A42443815D45593A38C659195762348ABE92B2CB35E68C414E83BEAFC - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = 
88B0FE04A52B4D0452013914ECC21B1DE9C0A4E93CFF17A34F0F4CD979C1056C33 - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = EAE814B305EB0EFC4D88D47999234100C9B52640618AE066B1A7D30AEB191EB87E - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0E4F7D29A6B51B78F588C86195AC9883750B34D807B39F0EB4D701F4A5BAE80210 - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C25089DD525F35EF255E49BA0ABF890B3DB2138B4459C7C418425B1248ED6CC15E - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 69E529B6BA5627E422A40EC0C5319FB86E3AC99782F1946A6412539C1904B697B4 - -Count = 583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = A9327A10D1CC83AA836B3C7CD26211BE13D17B9CC5BC64BE0ED9E5C450D6EAC365 - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 7DC2E4A7DAAA5765D3662718E5D37BED57378865C750BE05D09DC8B0FC548A17C7 - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 5FDDA50D00D4199D940EEDEF1D656F9F6DC5C8793F4CC654E8DECE1EFF79CAC050 - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 4E234F912E2EA773A22DFE062AF0DBDC1205E14CDF12058C1C2E54635A0109979F - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C7372856BDAEA8F82D91D6C99AF3ECCAD1A2594F940C3CB44FFB3284C7A394F766 - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = CEBB002340C98B1A329822B7EC872F2F637A641FD1A05853E8A9C3451C9C09F520 - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 22D0B9DFC94E27338C0022FC855B3E92977C1B166E377802EA6608FF16C2734F41 - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 50F94C234B6380EA85A237F7055E4B4E51DEBA3869337D009F9F52B0D01C3BE45F - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B1B3F16CD4E682B222C313B061341CAE4511A146C15D8F8FCB7CBE8FE98359AEDD - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = F143604A0AF6811E807C51E09039BB46078E4D8862195D0F46ACCC836DBBC5A3C4 - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 4A0A305F754F60051B16B6B5940B7304BD4B819B3D55E87BAD19B6A1B10B8F5632 - -Count = 594 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B9B1FF125786537D3CFD02B8DE7FC4F1C178C7CF0D7ABD19E7F3C11B9CAAF4CB49 - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = 2109B93660A3ACA0FE3D557E78DEF1B6B1530B0ADE7E19517055BE1D51A82371CFC1 - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = 2D167B6895769ADED9F3B7A918D29977B0FE0C7BFEA25FBA45527F3066F35E4BFAAD - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = 9F65D199BC84040075C28374B1B778A28C1375ABE9A01388258675AFC77D5C9D32B1 - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = F1F62FE5B991596EC655B40C6297F6D8D6A361690D8643E42BB91F5876BA67282DA0 - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = 0CDBCCCF61C6FC2A873408F86A9019B89483DB9FB591D67141E5338D4919E5FA9781 - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = 90B1ADF266F912F8A8570D2F20A7640FA5B67A01FAF5CBEF5F06C50EB33786555072 - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = 6323C22371B994931DA525C063DFEF2FA884BB27A3DEA360300A21863EDB9E75B62B - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = 
41A832B631F8BB0EECB2C643EAD5190FB51A65BF105CC26ED00FA07D87D4295499B5 - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = 12C84F7E0E27B1E03753057977372A959D35DD1B450EDC6F2F8B2E2D3D586AA7DBE7 - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = 01AF8D86A68FE4070460D0C23EA3A0E8734265E185B86D3694CA1EAAFD8E9338906A - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = C2D7CB46D268AEE9F350EBBDC769C333F1CD4D859903DE5BFEB51DE3CA40507D910E - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = 0B80BD48387C2773D57056C8141F69B31D11971E0E4E0877D85E7A0F638AE3B8B4C5 - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = 2C61EBA6A10DB92A2E7AD2986DD9518B964EEEEF5EA6718FB9CC1A65925608FF1759 - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = 7B519E9CA25291828D0F4534C8DD644854A93801143DD28FC84EEE9297821DF76B60 - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = 6EB1EC631DF0E3CFFB5C70121C0E63F06B27B78DCCB19767AB350BAC6863A1E6FC34 - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = 640E77B30A8CC4FBE1F7AC67F565069A6FA7A8253E4DD7248CDC9F8D25D7D3200820 - -Count = 611 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = 5612698AB3FABBCA4C097D023A15E66369422A8AA58799B8E51D040CADA36B3EADDF - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 356BAC1422E02753211AD6A9EA77FDF2AAB4676C3361EAC2272FE45BC48526D12404 - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = D7C2A44871F203BF47F812E49F28FE18FA25CB777AC0B98DD3A96DEDF95CF33E4ACC - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 31E0E09260F67C64A7EE7CA18BAEB13762114CACBC5C99049ED677899FEC4A691B34 - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 4E461FC84B53BC73630AD42BA8D37A2A3BD8F91E5ACEA64194EC82B702E70353E2BC - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = D18CDB50BA2F8CD6E2EFC958F1B96753A78CFCA08143F3C3DFD75248F62DDAB1565C - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 82FDF9595A36C525893FA635C4F7FD9777B21EC3D3E976A9D9E2BBF848335B6D6840 - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 
2287DB0DA63EF24BAACDE2D6F60C4720CD6BD2A882F15048AC1CC4045B5E699D1F69 - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 7605BDC67FC6695D343E3905DB4C04D4CFDD41C1F171F72C3C62F6A4C40FB3ACBDDB - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 662D1DBDFB7ECD31205ED82F9B83E4766973B370374CDEE13D26702F35EF234393D2 - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C3C95C978FFBC97216BC4B9261A5E715AB898AAF0B46D3B59881659A5B3E03764D33 - -Count = 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 4192053DDD9B0F591F3565E2AC3CEEFC1D539B6C0D503F8CE58D9DE782F9A9F14933 - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9C20969A274D61E54E8B582429D66EF4DF4F9AF99B14ABD2380D0B4AACBC31FF9DDC - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = EAE3FC0F9280A80157F4BD471A3CE25C1AD22142EF3791AADE311404521D1546F9A5 - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 82926E7053B8E7B2E72F5D960EAA54051D5C05797DE0A53F28D8B395BE95D890F647 - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 9B69C22291AA9C74EBE6AACEDF32388426BFB1FD3DD70AF955204928A2B6043B6451 - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = A70D17D3963607BAA2696DC07F7C6D2DA00D315465210631F223283307160424C1A1 - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = A9009293A68B5A59DA7B43E96E075DACC834061B7B50F5E836A0D57A39A3AAA6080AA8 - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = 7D7FE7550CB243BABC80C6C05A5EB22EA054E32B90F437A8D1B408AE54AB11748930E7 - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = 51E803DDD0B93DF44D0301CA81449599945542FD28E03B51807FFD9C0CD970E341195B - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = BE09316B04C023AC12C2F4349F1CA51E4129FD84420960065A175C0B956F24C203C38A - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = 7EB92200583DE87CE9E24F43F7F888BBBD91AB6FC408509646C22A6FA1A5818173BF53 - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = FE961E4F7A2518CA3A76A52F769DA9B6D33FEA448508C666CFB8F29D34BD6CDC718A7A - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = 
E64300C9AC7FB4308ACB210598B6D0D182B393D8200D3C185781EB7439AAC57760A13A - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = 6762A37C68D44EB444E88AB48D44D45DC8A05FD09636FF3DE5DA40B998622A4C9F1043 - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = 57345848EB5015B0E98FAC5E24EF532C17E24121AA7ED6184C08D8ACF83FB3AC9DCA98 - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = 1E5E405C6349A9422D8D4671EB4506BEB0F7408466EBE6730EF9208B5C23FE73DCEA12 - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = 7FFFBA7908CA5DF5F3F732D939826B74E0D023F11F460B83228858499F25D0F1B9FDA5 - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = F7BD559B6D92D5D0597A940C5B28FEC9A7C576C210150AC1AE5ADF387BC5AA424712C8 - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = DCEF0CB82F4EC40A011F7651F62909060AAEF57B20DA269D114EA842109AD044B1104F - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = D9134324725D92ECD4D9299F9DE4B1FAE363D1792D2F8D1688B780B4671A3377AE9B32 - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = 4732C7969BF9C758D4607EC50CCA108ABC8E76B02F2515CF7C1514324105F788691962 - -Count = 643 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = C7FD5B01ABF298E92CF8F90ED3A23288AE03D898EB594C9D33313A3A9A1D01219DD769 - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = 302ED2ACF21772661043EE4D78308343FAD8AB7C94DCA5E41736C5DFC5A4E6B60FAC7A - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = DA073347500725FF38A60B9355E44BD137A0F6C9523FA3212047D7841334BCBEE331C4 - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 8C3B02E8938178A58882DB7F3D8B4C745F87C6E7089BADC7DDC56C2DAB038F56520DB4 - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 3EC5B6ECBCC0C91F622C58E30A5658D65A8724F4D1925B8217C2084B053FB2C17AE4C5 - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 03FBA11327591EC3F88DE962A1A84E42C9CA41A4868E88185F0B93B495BDA5A242E0D2 - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = F6E6D627920F1E7D325FD33DBFC8DD9AE21BEAA8769D00299C0DE04060AF41DA2F0B5B - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
EBC8AD957142673981D02B35DDBF7543B845C4DDBD9FE37DB680B422375B9B4B343056 - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C9B3D604598F4805BFAB39E37FB24882E74E8308E99C436033B3F9EF38FCCE0FE027B8 - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 3A9931C19BBAC8643BB8D9E58195BB9B9FD779A96C538750F72BCD3F1853339C715333 - -Count = 653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = D0A516935FE7C093D245B862C573D179159E5D1689EB943677B1BD79C4AC662FDC3790 - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 3E1A24CCB4588EF79D3C6E62925E180CCE3EF1C29BE9775561C9DBAF8B10682A575755 - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2557F9F943B507AB7671F63732339D3AA866AA5D682C8B88A8E5F42B3DD430F1D9C12F - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9E3258E43E6269EDAF1EB9F51BDE4F8811995D2B45C4D4996A98E08E75B242518A4224 - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2B5D0D3A22FAB3521F4F26FDCD1AEE1315DAEFAA3123CA942F23AE2D39C5ABE9CD5DCB - -Count = 658 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 0EBBCB0BBA52E11B3B34B989574F9F4C1B426AC605EED9865763855F4CCFE27E82EDE8 - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = B34A0808C6FF7E33EC9EA9AF9C2FD14318835C422AF0FE7055721DCD7C1C6C7EC1F8BE - -Count = 660 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 7B5B90541831B9988DB34BD0F4DA91254E3C16393744624951F1269C1C82B5A56A7F8D - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = ED82385EA382EFE8F9957DA7BB88D5C84ACEA709C9CC71307EA8E0E5291565A898537CBD - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = F3730E618FC9ED48E6191F29511152239CFBFD5421DF9FF8A472434B4CD550568AD5226B - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = E51970FC61A895151D891ADCCA180CE3766FA30A5F3C5D5CD58F7086908472CA90226DBE - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = 86AD6F80251CA7552396218A6B25706F534FF25270AAFAD29C7674DE49AD5711FFE1F9B2 - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = 4A068CA16C7405E848BD5426AEBE21F937BF6281C535CA519DED0FEE874BE9DF8765E59B - -Count = 666 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = B2636F0545BAAFD956E94536596994DB5711097E11B01D0EA449F4E1269CE9AF113A95A2 - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = F217EABBFD9AC13C348EEB089519EAF53955F1CFA7793E48AE85F2E66973803318BCC091 - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = B9A4C9649E776D000B0709F040D7E4DB854DB6D08ECEDAE0B0CDA29F782CDA2403257BAC - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = 2828E0B105F4622E61FF15251EF574784BE7D54B8E7394E432BBDDCD425E4E196B5F98AC - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = B65D55ED310957C6B9B03863A607BDF320145A660791F219C76BA95F14F8D6FB6D2816F2 - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = 42CF6A3060D30D1F50C5AEB4EDC44A4BF59E131A887371561E53601997921D70298A4D69 - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = A61603A543DDF18FA1B4BD5FC70952AC1DD8CB42F09F156D72BC37633CC774615266AA65 - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = 14563B852C22D02E3658D8DEECFED8979B5180218A964630E33ECAA8AA32E11C546C72ED - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = AEAA9603FED294CACDC321A81356FBF763EB19B752EEEB9194DC1E35803A4DCEBD2C6FFB - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = 823749200D2135BAE8FC90F06B9F5B472C4B2D2AB1B097B9FD4151B6CACC20D6CB5F3748 - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = 19099816EAE5452A41D5E08418FA3747A8A858623E280ED1B644C56CD267995F7D890E0A - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = 656045252C14381BE01E34A109C486774E81C2D4FC8D0694E23447406D9EE174F08D4036 - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = CEC6D8A72DE2C23A58FB303DD89B987A05FEE20B3EA11439824FDB17F159BFDCA95E0B4D - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = D11F9D7E45B8C08B5A1AB294CB4054899E13D2DBCA9C128FDDC41DAB559850576F16FF2D - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = E7F62FC3A0CEEECE48B690D293F8F700AD6916240B9528274222FE45FE2381D1FE56417F - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = CB1100568D66D0B40FFC1A1E35EFD1B9E7199DF1F516A3BBA035ECEC9B0073F765A1BE87 - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = E3BBCCAC13030E915D831DD1C074F683592C0D4B0E36565C2EB23D0FD47AFDB5D11360B2 - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 238875FD3AAFC766F9EAFFE758C51530F7A718B280EDF17A4D356D981E53E836A212D136 - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = EA77ACD103169223EEC0A882CDBD808D94EB742BF50CCBE17FDA9846199A4E873BA332F3 - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 847D209E7CF996053D736716332C73A38B39C092F3DF9960DDEDE3E3910751D62A261281 - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C6D9BB5BC926B5BC740F2ACBB76244DA0CBDF6403E6F824CBAE95718C5B274938960BBA4 - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 8AD6BC35AA3B93994008F910701DDA9EF0732A5E9ADB521C0C564F4B7DDD368E5E87B5D2 - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 1D81EC648F3F104223E41DEBADA888D5D713DACD1D7117DBC80228DAA5EA48BF0191533E - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = A49288476825994A2E3F655F1F38E1443DD916AF56638EE9172C3F99F06E9C3E3D041298 - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 4951EE5FD41EBAD1C6CA225265918D8019573504A3FA4D9A24C77E4AFE0588378BEA6F65 - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 9AD3B2DDF34FDF6724E976720F6C160A09E473FEF2060F4847C25110D3245B890561BAAE - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 00C2CB1FA34E5CD9F1868EC892DFAF3E251FEE161836BFBD832CAE02EFA0B22298844DC5 - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 9586C83155B0E31D050DCDB048EF06B69BB90FDF74B7A74050F644048FB4F3004FC48002 - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = 9BB37D7058B01DA6FA7B992BCE258B47270050583C55B612321B69B8D71139A8345F457F31 - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = E275F91080B8FA468A68DE02B1C5E8E4F48D42F1F863F30C16D1749F9F5E58CCDE8339295C - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = C5FB4D8E49F7E0306F38B3202F2EF215EB7071EA2B806374B7BB07C76AACE744E54DCE85D1 - -Count = 697 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = 40EB16AA662342F4D05C4D040F912B5DC55A03FC13E0F673028C241929AC9ACD6AA1394592 - -Count = 698 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = BA1F2C9139B93393CFF6E1677D86AE955D54CAD2650F2BFA0875D86837078481C14EE807EB - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = CB14A587730B647794F6312E6E7FA9F87E6BC545CF30274287733A766A51CB6EF018A55CE7 - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = 86D1231F72854CB57DE877A4BF3CBD77CA9A2AEEE0CF8EC7D851CE18C38456B21E31FD6AD3 - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = 14D4367232642174F772F4201E9F91AD7AA92B7357D2AF044CD3660B64275C2C7FE1CCEA6A - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = 7317A19B762D3983F500F67DC0864BA7FE9E4363EBD8A15F6D947BE6DF52C4D145057BD64E - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = D9C55DF19E3BFCD46CBEF3E90D3D82329DCDB8F2BEF046A00005EA22FC7BC91F0FF451F8D6 - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = 9E098CB02AB7C1A4E59CC821D6BDE19591A18B94D8EDF3452FB5F0ECA4AA431872F4B490E1 - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = F43BAC87065A0940F2A55F884AF7FC3EF6FF6E246E4034ED376C0DE0F664D03C4F674B33D1 - -Count = 706 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = CFC7DC26D524E4C15C636E37B85B1285D3B76AF9B44C8AA0B8DF8F04B9A174B57CF96827BE - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = 146A4FB92BE45E12A9F2B8D508B29D1E6F0BC77922436FA20A7DE63B9861AD9F31EB16A040 - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = BD49AB6EA0CD509D10D5630C2CE5E69839EBC60CF231C2A6C22379D6E5A394986E08653AF6 - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = 507492E6161CB4B6803BF879988BD53F5AD73DC1C2498B7B0499B2EA4D033152552F584FAC - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0686FFA439B029F0234AB5FAAD70A8ECF8D363AE3E1DB52AD3A77A880740C04779C25E2F33 - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 8E8CA3D6E8297A0DA943D207EC6FADFE75F77A446A50134228B26620343589391A4DE25D5E - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = BCE3D05355A35437860A90A9DD378ED723B1F29C7228B160DFDB074433197AB8BBCB2567F0 - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 0B162FAA766245514414EFA48D95C4FD2FCACB629F64F2C123B50CD857BDA34CAD4D482598 - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 37BE0B8CA65A9BCFBE12AF7B6D9E9F97416B7B41FE74E4BC47CBA2D82D78E5159BC0083F4C - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C8BDC76D02F1F101920B37A91BC9F8D49A3BC5012B0CAE54DBAF29A8F1409B9C7DB801A318 - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A1924CD8DCB71B9BF0B114D45FCAA994BA2167D7C76E80E7A40EC04451AC56EAB480EF1E1A - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2E4E1AB9C75000FC5A80A5768CD7DDB548DAAD4530D991D0B35CA97803F0A33F4A0BD396F9 - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 6017AA6C67E778A9979CBC4EFF6BB964CF50AAC2649A13D8F18F321FA0DDC564C25AE91521 - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = F0135BA3D3129805DEEB5DE4B193A99B557C05C0F68D50666EFC32371AF3D34BEB9851B641 - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 0794A2B14D9D389E090B779275850F663EBE24E6D455F94BB200D404022A09A90D25231686 - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 985EA1180C37D38ABB72932C0620C699BFD8132868CF8CCDD5CE4F97E34C86D084F3CC8581 - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FAEEFCDF8EA3EEFA43D4AFD12636F9CEA6B5576CB74FA6D7EC06767F3BDFB2362CF57A4ADE - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 8E1864848E3D92DD9512FB6695C6FFC17DF078FA71CEDF9F70203FFBC53B55C5CA4C0276B3 - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 267F4A12F5512E5F82E24BBAE96E6DC6A79D8FE4F28110EE530731BFACFD5AF5FC30D91E54 - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 5E66A83960CB350E69C400DEA5D7DB57D876B00EADA99DBEC81A740E14B0931ACD133B1DCC - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = F85B90E4D0D23F5707F47B7EC6D65CFFA7CE1393AA3CDF7BEEB1E6CFB0EF77C0152BFF68F2 - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = 
5FC4826B64837502F3B593C289392A973D2AC71C5722BAB46E3932CAF476AA846E7D216F715D - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = 3FAE90176C37AB7321784FB467EF57331275FD24A27D4FF58043BD4BDA9DCC7686208563F3F9 - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = 1E1D36B227CBA5969F26886CEF323E6F5272B7A77391B522406C6E742E8D1239C15C199CFD82 - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = 3D2636B34EE5507A8F0A35F121EE74CDF8F6CD096C22548D9B27A34A2D47DE85482A7CF95A26 - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = E2D5D6A4A6643FF2C6900E609C657EF34BD8E6D02D2CEEB6D3FE1784FE0CB8E9E896CCF2AECA - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = 8D8EC4E01210D856413636986F75583EB25161A0F05C6348D32CB0628BE141F12DD1CBC714ED - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = 15E45D14C7B98E9F13B787430FDFE68473F2D8FF8F9AECB230179CDFE1C5B29B4E18E3231622 - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = 773EB6E7FAEA1F44FDEE0E86F5709146BDBC490CF32820C82CD538A97F5072C4B3E37BC862DA - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = 2D7F438C17EA189D63E6ECCCA892C30A5DC6AD8CF55BC207885DC982F159483C3C85261E4204 - -Count = 
736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = F76EBFB0DC3281795FA7D06A5CE2B74EE15ADC1AA874BD9402D4B8591A29FE8258E72396B579 - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = 2A26BCCC67D1D8E8CE69CB569F571D90175A2C503CAEC3F627B0D4FF2A0C9ED769F2B539EAE1 - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = AAC979ED0C5D763501224B08C726F92A4A9AEC6A5DF02CBC1803960B585D1D90DD77CC6BD5B4 - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = 452EB3522B204DDCFD7FEB7740EF7B16CE92C8C143C3DCDABB878C2D33A879E11DA0D48D889E - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = 2B04B52AC6180675235240EE6D9A1F642AFB21DC9D5BB0189F61BFE3AE93169D9C186E8B3BEC - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = 2A525604AC34109B7EFB1D5F7558B1EAD1BA5D3F9F6081880641202484F6606D4FBD0627956F - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = 4C87B46BE6EB178E591EA076AEF399CABC118FC2A602CF24BD3C4858C18124731DD5D6F4F20D - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = 
D8462DE0756588820CD242147BA1EB8DDDB24520E047217FE6B47F7C8A11F527DCFA88D69E5E - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 390DBF4AE3C92BD3747DF49F55C4917C9C71154179596F222B6BE901593FA7E9403AB93C5011 - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 25F235255068CBEDC576ED4A3B8E95FF757421A8A65688DCD6C5626F31A48F93942FCDB0054B - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 4C206A4025D71B4A2988EDFB865064A6C421FBA8D5C4E1E518DB19F9743B066C3BC46EE86A77 - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 4818BA127D8394B6B2BC787B5120C444934A35DE13BD8A65EC4152A122480100E58FFF5425E3 - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 305D9CE2A85EF6AB8A953906D33D5798033C2145AB1B4990F959382232B79C5402A6E52E8389 - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 5503B82895C79BCB9E895C34BD0FFE35342C1113F15E15B803BBEF00733FC0A6D8D04FC4A95F - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C6E75F053759F1037FCA880587F45B44321819EE2E5005381257E132099277436FFCF0584C25 - -Count = 751 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 55D9EFCACF60DB52883AB82A7D731CEC05A0CEC74D1702812B113213C696749EDCDFBA2E0053 - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 6047835DEF5B98DA6A7609691A65F37075947A12FFDF797FFC3F57F5DCCF40E3433C55E8BDF7 - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 66B19C6856DEC0A771FA117B1E4BEE3AA80B0A131F87F8D58C68BB0A836B1EF8296E714C3180 - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2DD57F2961B8B277430783C604AB25858CAE8322AC4B7B185DBE03157195EA686E937E86D227 - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 5946351E33676502C725B07E1C153017E510618F4D707441531C8396CF33B053FFFC22142A5C - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 58390F4A6326414F535DA23A42F7C7C8ACB4485A3F31F6F6A35578C5B2004543D97CB81783B4 - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = F640108847E206256319F3B5FE5AA8FBC946CF0A49146848E852346326C5E0DB274A1B8A6903 - -Count = 758 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 1E17CE00073B5E6F111F6B56A2FAB3BBB2A87E51B9054C86F64A9D7F615D733AD2D6988186A7 - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 31416B5E5BF7D1555CF101B8B7DA0F1030C774EE8472FB5E298DF79AD1D3469932148AB996A7 - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = 372F56ED07A98F83C59591C46D8DE64EB376984932D4E2B9F89159E5BB75976FDAE09144628DEC - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = 375745B3ED52BAA9648BE93CA35CB4E9859C1AE88C6643439F6472ECD771E75403F3F6DD6FA086 - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = 43EAAC515BE8489D4A6C9B1C169F53118430CF19AB32279EB633360A56BB4327ED16FE59291EB4 - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = 959F570870E40542C2AAD504692BF5FEFB1DA7E01A769033104859972ABEEF292A9877D16BB401 - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = DD9135BB8899794C1B118FCD0C8141C46F004543EE73C18FF646670613EA4CB1201B96073F8023 - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = 38071CFA03EAB7F7B8511594FF61F46816970AA77C907E3CC0843A608F2B73A56F972BAEA66DF6 - 
-Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = E159769095AC4B221730E3D02C5A0E7505CEE4A1A9CDD947A8E1EF544706C2DA277F17340E2E4A - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = 2C676E11C36F4F53E5AF1F2D7BE57200538C00F4CA3DF05ADB1A1CCAB457F3FF16BE7AC850BFF0 - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = 8F7EF84CF998B35B5BE0D93DDE22D4D8CA8B9B007279D1801298A7C639D30F8A9F689F8F707471 - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = 18C796BBD0106E0B2B9C2BA40650CAE0FA99A07BE2499216E5800D8D16AD77CAD650255170E657 - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = 7C78C0884D2CA4ED9C4F3E33F7946FAC67A85E49C42E825302222667D33812CF30ED483BF1F02D - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = 859550F2794B692B33C67F88EC68F9FD324873619B67FE012A9A047B6F37F202F9EBDCA7476C49 - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = D3D93C368E98B45E609BACD6E41281172B34216701D735C4A41E48EC03F7B7E3108CE0C90C74EB - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = 
4BFB0993152581DF9742C54478A972D9A12D2C91BA163E844CD7525ED5CD3B404CDA90DEB2AECC - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = 2BB53E9880007AF850D5EE4FBA6D86E0F01C9582493F6F59765C6ED900DC0E7D5678F6B026E69D - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = CC94F9E0E981B78ED2C03C3F0D393A6A743F2488A3045C03CEE694AB7733355F38BAC22441C5DB - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = 5766F58DBB9ADFA23016D7627EF22326DF57FA37A5E8D1D9962D2E4B68632060EC96AF16EAA3F0 - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 62EFBD348B4BB3007C0A2468D5218A572AFF1DCBEADAFB6BFF236A586BCBACCB73F2B1CE57F6F6 - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 6E4B4D4E3AD5671900BC7F89730777DD868EDBF12F127DFCE28FDF5EA4D95BE94CB307A5CBF62D - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = DF00A3D14EBEB2410A58B9D9ADF9E7D71D6C5B0A1B1BFC5B6AEBB7265C7EAD13B891D3E489E14A - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 0E15E40E9A7B78952DA167508E053A51FD8C283F596CB686731B838A5CD1350BBB2403C28DE804 - -Count = 781 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 30C41612BB25EE55D395074ADD57AA57ADEF2E81E2CAE910E84536655F373320FD2E90618AFFE9 - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B19FAB4DDE7DEB05359091FD613D706A47E1281EEC25AB8E4C95AF42BCF767996A86BFDF9A3828 - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 1699337240BC0DF09490B7872EDD133CD9030A1AC295C16536E4E924181CD8F68D6326A2F0F8D4 - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 0AEC1B4DE82A2C40589F277751950A5BF7B172A77A012F6BDD4F4DB45C297AE1CBB54CD8911303 - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B76B1EC9C91A779E35270AF748501D4A23ECA97037626857A0FB6786E21EF8A1F7397DF8AD8CFF - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 0EE0F8DA7AE3035E32613827843D821CE786036A389A13518904183E7BCB8034D51D72D8F0B347 - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = CF0450871F93B92592C56783081FC72665E8232ACDD20E68EBBF549F8AF59A95EE233681D55789 - -Count = 788 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FCD241EA4270F6BB2D4D7E4F107D064D7C1BA2BC3D502146F1884DB766947F3FFCC93F2590932E - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 977171F2583078D10C62FFADFED83EFAF4FAE9C82D20A674983ECD7EDF90C2D856043B2DE51545 - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 71A6AFC98216B4373FD486047BEF72F14846DD1FD471A21994AAA57BB06B290B4F5A83AE9B3818 - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = F4DCD183B1AC3023BF1FACBB9D4B9031FCCDEDAEBC460C69EE747A9A2C6D9B422F907030CE5348 - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 32990B59C5E6A60FAF34F8D4C2F76EC024AFC648ED8C792690A4060D129FAF6479C5A5B41A7738 - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = BBED36565FB21419D44AF5BD1D4196E13C7E0BF7F2B1A954B30CECD729CF966B859242F70501BEF2 - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = D02265CA65394C81C4EA3B0196E188CD97847489BA0A2E516E4093ECD69EBC393CC32C3602915FCF - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = 4FB5B4493424097284C98C9E480CA0E231C7116D9092AE7C585588CC2D9F38CCD9991EA2A0BBBEE4 - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = 8BD0AEF3CDC9403B90EC193051D853DA21097BEDEE1A7D4ED7F3DC0F56EE718C1BB1E14185398385 - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = 593D99A27AA9AA005C801EE5B51850895E52D196CCFC8893E973B03C02B70E661E5500EAE99DDF27 - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = 7EC65C7786235C8110D098971043656D62775E094410805255A3F75910128FCC38225409EDB1E3DF - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = E5DD87BD6C3E6AB888F9306C93690F010DEC86D79080426CEED291BDE100FFD8EBAEB2CEB4811C7B - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = B9DFF546BA861DADE2ADA631A32CDA641639196383F2A9E64AA93594F00B8D6F9515878059921772 - -Count = 801 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = 0134B264009FCC9C95E8611B61CDA1FC086842998F9673EC657F8367F4ED7C4C59BE9E52D693D927 - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = EAFA877C3CCB0844DE2035BD0BB4F90E7EAEE0A2A881A3D0DD0B94D798B7566502DEBB886FFC2579 - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = FFEB29FDB200C1F2DC0FBF02DEFCA3C2F3CABFEEFE3AAB2CB2A4652D3D084454F3A1F354A726010E - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = 1C941D2578CDC9E2A2FE93A7D1219AF33B83384F61F5569CDDC21982AA7A25C948CFF0A75D0B9A90 - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = 8C208CEBB7D9C17E0FF9586CEFEBEA18EF79AE63401F01BDB7D9E69C7940A56B799CA53F460BA59A - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = 2DCC1D7092309E1D84666B2C09ED17B08105DF0E1DE16D31134CEB4B78DB878B120222C27E3082ED - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = A5538A401ECE748EB53730547B7C0EB54C46A505E14343241617CC9FAEA541D4C6B15AC84B78E88A - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = 3E622A7DB6828AE4A47473D7D17CEEAC841B3CA71DF72FDF5DEF9311B74BBE729A7A26CC913B4DEA - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = 147C521935014AE03C86098A81F581484989546E5B53D4B4F082E05DCE9B50AC72CC5D7F97CEB568 - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 
568D6FEF09465EA135B307A562A0422309240B9065A3CB2C1061C8C009080E8D9F64AD5FC9C2E8C2 - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 539BCC87F58848CC475AA43FB674817B6C5511BA744F71184A33CC50725405E089BD1A4461663350 - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = B9389527BDF9042C82BCA8EC9891617F4603E3DE65A7242D4EB833AB30646090FA740685608463C9 - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 6BAC714B43C564296D4EB9DFCB94DDCA34FE3CBD6EC4282780E9818C9008BD9A10BFFE2530EC8E30 - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 2164F8BE69F2A8E7615805DBF91116C8AB5E7A5E5655BCF565E114003CBA0413F4E5457A7FB7515D - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 16B5040BD362D3F816AD892B8C9A1621F0E0D89358D120960E202D106EC709C56F7429A8946A1B07 - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = DFD959C2A11D981181571A1D9AC7C4727FF73D3F1F69960877559AFA1CC2D09E1DDC6518C47451DD - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
CE418C3ECC5858CADA2D1FC96B3205560372D3A1607E8C117CBE09A9E6D74BB16BD1EA7A633E8290 - -Count = 818 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = ECC97503825E8E600FEBEE3FBD76FA614059B726609BA9A2C42FE6D8D416BB7FA0C786E3D4F57D69 - -Count = 819 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 111399E561EF3471C65D48EDCD30780BD1C2C32D24CCB76BB0786C52FA6DBED33DF9830B42A37F47 - -Count = 820 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BBF2763ABC17D6454DB3BE3A46126C69AA3DC587C3EACBCC4ACFDC52779897BB94AFDF7D723FAE0C - -Count = 821 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 94CE4A36D478C4A08643E9C1B56096CE8F92BF03BADB4DDD83DED88334282E9D70840ACDEE5260F5 - -Count = 822 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 1240B07C77CD65F5893BCCA816D909F470A83974A8ABBB5370813EC5FC7F2BF9D35A987F9C49C43D - -Count = 823 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01E02E80A6D2C6F7BDFFF63AAB46FE7B9DEEC7D84733057C4A034B28F22EBECF5154115786C518FA - -Count = 824 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 17AD7239C8736369BCA2E2B1B52D6EF966E613B8B553FDA717AA122911D9FEE4A0642D4E891AFC5A - -Count = 825 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 7B8EA576A021F7849F0FFBAD95B785257B9D642778D8F103BCD37E5F61B192564EA96950CA9401CE - -Count = 826 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = -CT = EDC6101DAFD80953BC8F95F993027EA345BA4BD5E8FF26ED2D6EBA1046765239AE839DB2D1740D8AFF - -Count = 827 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00 -CT = 6E8A9C5348728DC592CC3F58F73F96658119402F7E4504014186EF8002D26231D5874FE37A9AFA2313 - -Count = 828 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001 -CT = 1C256370B8CAE6DD9EE8B732ABE6AECCBABB876E392A42CFC956AFA46A21A4613B657951E446941920 - -Count = 829 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102 -CT = 43AC5AAFC00EBADC2D5234C251818888D9AA63A6FA16ACBCB5AFB7ADB2C2FE2F245BD77F4994246549 - -Count = 830 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203 -CT = D4E50759EEF9ECE78C9F27D8981F32855255F284EEDC1C6BD5A74DA63053B8DCF5182506CDCD8F69C6 - -Count = 831 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304 -CT = 813F745D70EBC8C0D17B7904E33D7ADDAF15A30764C8B23C389F5A3EF859BB51063234C0DBCA0CB2E4 - -Count = 832 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405 -CT = BDCAB37F106065A3319588A42FCB41439C02E06F4C83A9583F76729C478DCDA54F79B638FAE845BFF5 - -Count = 833 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506 -CT = A3ED8795EB4DB7796ACADC49D6BB59184F06AE5D8A3B29CCDC436A68F62D2A1B09E411B958E8C29DDD - -Count = 834 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304050607 -CT = 704984B64D554BF80B0A383CA8C46AEF4B94F581D53CA0912A41EADF04ED95838FB5E3F42C1220810A - -Count = 835 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708 -CT = EE109B91832F4BF040C015962A34A5D6847E62A0209429B90F0401DB5B30A3648D9CCEA71B6133FFEB - -Count = 836 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506070809 -CT = FEBC1AE5D92D2F571A405ED5A6CBAF84DAD9EAC07BA59B6162E92B848C2987BDF1B369E7BA516ACB27 - -Count = 837 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A -CT = 582D0566943E1EE80EF684DCD76D2AC378BFE213C26BED590FAEDBD2ADD081AEF5B4FFE23CA92CDB93 - -Count = 838 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B -CT = 1DE450F5BF76B588F6181AA1F3BB722F518B066E1ED174AE4B9714335B698BF327035D1174450A84A2 - -Count = 839 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C -CT = 
653D991BC5FB2A083B40AF4AB41438B8640F5EA7BC3290E2CBEBC1815B9BCCDC16486A012651F5BC31 - -Count = 840 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D -CT = 2900E814A4D67C5CED6916CF4BCDF54C0AAB225F38A5142C46382A4713E3CC8043810769EBB1D3D68B - -Count = 841 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E -CT = A7766E8511DBBE35BE868FD62BB58414F2EE5E2C1558A7BABE45484104A42881FC834CC56E26D15FEB - -Count = 842 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F -CT = 9F1F769F80AA675630AE9F5FCED9CAEF9E7D5E6FF51CCABC135EC17D94805C89D0AF366FC83F5C9EB4 - -Count = 843 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 16384072681731B9780A8930770BB06E5BC601A9B81FE0EB9BEFBC76A068F82A1002000A475131F522 - -Count = 844 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 7F79FD52D40687DD3BF2134BC661AC777856ECA833193832A512562085A4265F33291C223ED372611A - -Count = 845 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 181B17149059DD82CEB7F8D31E569084161BB8D6BBF3A66812E469FBDBDF6017D68A541C39671420DF - -Count = 846 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 
4CF5932EF3D2339577B39C415CD326529FFC6A920C621C069E333C4DD4518D3069A9860FA6E94DD6E3 - -Count = 847 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 52BA65E030E8AFF9433EA37467F8CC732616F2335DF870905B1A1AF9E674CF3BA75700DEB31B12DE85 - -Count = 848 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = B678656BEFAEC72FEEBC4E425464C48831523A47C0FA7E97CCA7B7EB9B29D1AAF3F8A0A9548279167E - -Count = 849 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 819589AF5AE6DF84AAD85A80063C32D3A5A2150604806CF4509553BA6329FF4C01559ADB3D56C3269B - -Count = 850 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 36D80A75EFD1E09EDE2FDFADCFD65B9C925C35FB94759A67030FD2A6D5F42514543EFBAF89D9324B44 - -Count = 851 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A64F2609052D05FD9279EB9A60A02592CC8CA4F685BAFE0DB71C6A6FE9F858AD5252F674BAF77CF34A - -Count = 852 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 167DEC1AC8CF6E8E952288E863395E927F43B934D72B9EAF52755A5011B7BA681D679EA5AEDFED571B - -Count = 853 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 54D44FD56E1B0FCB8FE4231AD037DE7E0C046BB60265C7076C43848E0A5EAD0E1A8663328386736A47 - -Count = 854 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 0EAD3AF655936C4CDB97C73530F001049B7C5049C43BD8443009D971E28F2DED9397A67954CA39DEB7 - -Count = 855 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C95BCD76C839F0B2DF1DB3C7566F609135C317CA81BA573C8CA1CA2EAA18BD1451815FB65933CF9066 - -Count = 856 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = F18F205D5DFA24605B6DC7AE9259A19BDDBFE5556A0CD891341D43C35E570144B02C858B1CF52FB608 - -Count = 857 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2E3DD32824474D8312E11464B5C537A5E07BE37B28BE5AC096ABF1DE56FD8A765FAF6D159E09AE68AB - -Count = 858 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 40FFEE56CBFF6743DF331717031152417A41D463C87CA1A2AFB09F596B00A6EBE3858A2FCD1DA6A349 - -Count = 859 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = -CT = 81F5F4C4A453899BD1B7ADC8EE2FD0AA2200603AFB4273FD6F27BE68BDDC9F9205C6CAF752FB8972E807 - -Count = 860 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00 -CT = 6695C0B85C665904A08B780DDDD17853F3267EA9BCB6BEA3A022A64CD314C5E88C4EE9A1E1AF2BDD3B68 - -Count = 861 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001 -CT = AB0373817C0A608B73BADBA3C5B913495E89AF49110D466988A5EE5219B81A0927278B0506C203D9BDBF - -Count = 862 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102 -CT = 9BAFCAA01E664612049734D67BB0FC98162075966089421B8E547D90D5AD8AC219D8B39DF98662BF779A - -Count = 863 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203 -CT = DF11AEA5195DC43156B2DEBF9C2E8B7FCB8FEDBF1500D072BF8B7FB0A39495B13262DBB1FDAB968D132F - -Count = 864 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304 -CT = DA653CAB5CBC5C562A246CDCF00E8761E7BFA694C1F660FB61F3FD0754A9A79218369F7139E536445C33 - -Count = 865 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405 -CT = B9BE7C405E46AA8DDD6EF515F2DE1C520920298F501A1C40AB42BFF2E30BDD808525496117E30B6EC73D - -Count = 866 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506 -CT = 0B1BB3A7BC5ECAD8F8928DFFB4DB968F629C6AF115CE84596DF195208303066A26D32C25E3B68E052A4E - -Count = 867 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304050607 -CT = 03F9B336D2B8B4B8BD5A454D67CF9C58CB735C50E2972EA8BD8C87DA4E5377F4AC4DC6E052FA8588632A - -Count = 868 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708 -CT = 5CE6E68F3BEAEDE45F5EA178EE86BD52E6A148885A04F8A37D945A28DEA04707054AA939E02BDE53E674 - -Count = 869 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506070809 -CT = E17EB9C1C4A3B6A107C4202E14F7BEABE6C0DB7E844C706151DC1E8748F9859BB76EDB9AA2E039773444 - -Count = 870 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A -CT = 80A1435403AABD5D3D74034FD5AADDAFCE211FFB5BFE577A27FAEFA97FAC1FDE3E15BD837CECB2C6771A - -Count = 871 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B -CT = 8006E5B932B42C069E2CF3E7F5B1D7278AB9F7377812600049AAC3A838062C5F337574EACE53C2379E06 - -Count = 872 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C -CT = DEC516D4C7A49FBC547165347E9B35720C695E0F3A01FFF85814E6E40678FA1021173B40A13E2173BAA2 - -Count = 873 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D -CT = EE4937F71527ACF5F79FA7C628B42F1EB59B4FE976A8E9C1219195611EF5A5B79053D99DCB4F792B1E74 - -Count = 874 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E -CT = 40651B5549F00E4AA600EBDC084DBFE22D44702F1C088BA3A673091060E2C8B853091A8CACA7928CDA44 - -Count = 875 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 
000102030405060708090A0B0C0D0E0F -CT = 7F8449D09C57C805461724FB90FAAAE56E5270C3632DE11677296714568747BFDFEF4C4FA35580181EC8 - -Count = 876 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = B2B9FC09D0E7E440E0734735713F5D8DBA1C0D54737A57C775B5670ACE753117D19AB1E23E37FA17377F - -Count = 877 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 73B1F70AF74939536C8DACE5B5EABC2D1E182D84072361831AA9C9845F7C7F68785A6D594D6851B504FE - -Count = 878 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 0DCBC196343A258086A3F1900562C8235BFDEB46D789C56EAB5746BFDF3DD919219E4426D9EDFDFEDEBE - -Count = 879 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B499B54225D61583556FB5BC24EF6A726CF050F31CB32F2490CC505CA6ADEAD1635CE07764887D1C55C8 - -Count = 880 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 694B1AF30B2B0E7B23E11902E72CFCA9DBFBF2F39534A1CE0BF736DAE509CCE019707E8A7F3089EFC6EF - -Count = 881 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = CF5B5B7C6E96C30828FDFF9A739E974D30D127FDE75B8DAED52290D263615A9E63AA581DA45B8E1CACD6 - -Count = 882 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516 -CT = C81F22A79A34B484AA37BB6DCDD38BF9A139B1A20C97E1F9EDCF77ACA5D809723A0F3381A56E291D7732 - -Count = 883 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = AF42B782E11C8113288DF8A23117C2E3292B814478C61E7DC4E120A72580C4793746C9AC4359812D5C7C - -Count = 884 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = E5BDA8B42F736D07A2264CB4D147B78B1C0FA5CDC0893B8FF2D49017D4A7CAC70F2D64091D71106E5354 - -Count = 885 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 8EB71C6483E1EB796AE2F53874D1E77A7B8A45D02C25D694F79C190C8D527BD48A7CDC2C1F9BB9F43842 - -Count = 886 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 80FC07C47C5DD07C28475E55241881CA5C7D7182A4467393315F9FC13CF4B41F18E16784B18BB1BBB9FC - -Count = 887 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 7CFA4B3F9266C6A2598EE4684275EE2DB259B1FFE16C8F727B4BE30B6D2E44B4A30C3055D277780B7C4E - -Count = 888 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = DA0353C1742B56818403DB4DCD83B1CD3FC0EBC0ACBCD36C253114CE0408A02F7F35D0F3EEE0E0536C12 - -Count = 889 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = D09D2CD6155924C3B7DF2BE65DDE2546B2049E4FA816129DBC5104F057774861C6D59E029DC43CBA8DA2 - -Count = 890 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 7A239EA0F1AE132C1B58FD65077B39698FB821FD0ECDBDF5FF4D257CA18F8B75BC534736A8A83DDE42FA - -Count = 891 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = A9E84087C2C91608D5FF1B91690D707A3C6BE4E39DB10D1B05B35578D5BF48EF89BC03C909A378773EA3 - -Count = 892 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = -CT = 05F4E3F6CCB665BAF3843AD2F5069936164B843C8F1A517FE7521FA789975C729929CDCE3667FBF8F35C3C - -Count = 893 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00 -CT = EF05411BA67A2E7455089E87FCD3EECFD6749F6E342E5027EE11383FCFAC4DCCA45D74983AC1C55A8A3D13 - -Count = 894 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001 -CT = 01DCCB18AC84E5ADDA78CC797927BD7ADC7C1A65929A7729D7D863EDBC08ED9F0F24544C6105D4F87037F2 - -Count = 895 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102 -CT = DDAA64DC9A1410CE44ECD4399E223BA7B8D70333FC4B5D3A94ACC069C272BC2D17ED8DD1A14E05DE1B9121 - -Count = 896 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203 -CT = 051D69BAF8E6FC1CBEE5AAD21EDE772EB0F4DA01449BE495139A684657BC16F35CAAC29913A4F13F3B5B90 - -Count = 897 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304 -CT = 90599C68C93505A6D2FB797EF68FA0F267A9CEE47FF32EEF8E24F301DC3853B5392B7A77F8BAEE4F4DE498 - -Count = 898 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405 -CT = 17A8ED855D5C43A2B9901F0A5DCF3B1DD2FB2434E71E4427031CE76CB8B92F815C1BF24F1CA577CAFE6A4A - -Count = 899 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506 -CT = 5E55479EC3B8904E71D70C171135C4E6076456D15C63727622B4D2492BC872D3BA622028DC8A14C4A00DEA - -Count = 900 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304050607 -CT = 5B0C9D1F42F812EA8ED7A49154A054483515E0713CB55FF68CD1BB42BF0FDB428C86729C199244F36F88B4 - -Count = 901 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708 -CT = D179B029A9C4F3DE62A461E8BAB3EB5D0B24F8A74096462505340018B67FB93441FFC96CC1359C79ADC088 - -Count = 902 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506070809 -CT = D8B4457516347D704083913375000C21F6D68FBD9DEA230AD1A328C0322E73BA9713A1C4A03B024C936C64 - -Count = 903 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A -CT = 
BBD44836F4A418032D052E7529F3A9DD61AF6CE149C6E5CC2093D554217B752FF10B618EFA7DE502DFB1BA - -Count = 904 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B -CT = 79438D46012BC7C87385C8D15B7221CDE706865A2D90A651F771A566CFBD22A16501A82A7723AC8A9FF47E - -Count = 905 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C -CT = D894F978BCF780570468CF1A8A14AFC4A414EED960C5DA99F4E485C6046F8B323591084147DA7F0C5448E2 - -Count = 906 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D -CT = D93FBA2B18CF0E820C9542C9C4DBD9E3FCCC92200094B169BA8F4D6A05AC92BDAA8DE8E009982D2E938226 - -Count = 907 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E -CT = 9A9FF7175E5C467D0F018EF37A9074AAB27E2B250A6886BFE9F3006775AB8B0AC03372D22834C0DE0AC692 - -Count = 908 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F -CT = 4017E20B0B665FFC4734752C8699C3DCDB5DA5FA29440E37CF2D8AB7C8D912FEB258696AE8CD57F4F9159A - -Count = 909 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C79FDBFBEE4B79341168B55E8E61E4FEE1AF10F358B26E6C720E813F72CFBE81CEF8D78F6E3BCE8F1F0BCE - -Count = 910 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 
7C26DF33CE8AB573DAB843142D5A8BE79E9D93986EFCBC019ED9E3987690F556FF7B6AC2623094D7CA68E6 - -Count = 911 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = BBAC6B110BE8662F943A0141B43350659C200655BC97020C6BB043D7C8CCF07EFE898E13821D97D49EBBD1 - -Count = 912 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C3A096093BE34E0C5EFD4EC7ED94665A2CDEF6BD06BD71CFB3CE00CF38DC9C7FCAF16F3C5B369BF3D505A1 - -Count = 913 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 311811EDA33084D328063065EABF83885A5DCB4CB9FFA478043431F608C31F431B2C23C70EE3E6AA7B5740 - -Count = 914 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = E62E4CD339DA8BA3CC3F994BEBE41D9101470CA6FABF66707BB4C1FA607B9E7ADA790393776D81C1AF1B5F - -Count = 915 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 1F4DE86F00101203D3F056A0A96E66C3253CA98DBB9938B8AE33A2F886317CED26A6615D92B3219647CBD1 - -Count = 916 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 08808095035D463D2EF3942C077F638C3A69C0A07B47C6DE4D86C16EDF33654FA8990926298CCD779BB16E - -Count = 917 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD 
= 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FF3D60E162E9674AD52A202E9FCF7B43172D3DE62A0F6C0194EFBD43F669DECD191A1B785EDF7F6047E182 - -Count = 918 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 5B002DD4A100F92794E1AC7556D4444F5E46647B2C77FF9EAC7DDE7E14619CB7B820920E5733AED8AE576F - -Count = 919 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = DE211C9D8E74C108EDB7698C44CE54779B77A000304F25D52646524F949E11E9F4D74AC5EE6F503EE2FD66 - -Count = 920 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 6FC3F24FB680B31BE436CBE21DFC15E284F3C26DFAD414058E236558EFEEB79B77324C4296F50842988A70 - -Count = 921 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 3BB2BF72F42879B8D7390A2DEFC066C3A27CF355E9FE8ACA0D555E2D6EB53CB15D1D3CC8F2B5E9C8EE1FF3 - -Count = 922 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = F127DAAFDF8954A416862754DE0CBFE92850A6D2DDAA921F9C0D778BB4F64D1766F6673008C3CA897661B4 - -Count = 923 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = E5E5981CD94AFA5B9834A5C277CB625E951869FEDE6A91A9F32EA3D4440D46B987BEA984C599A6B8A8AF2A - -Count = 
924 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8DD1DBAB0060FD994A3C90030419017A51F59D647403B50765411B6F0F97AB0FA1BB716FF65CF0A7FC94AE - -Count = 925 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = -CT = DF6466461750F74DFD9782C77209AC60609B985D81581B0521DE503BE2BAE0F18EB2D6BFE979F27EF6D5CBCC - -Count = 926 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00 -CT = B95E6B427CAB953FB6BFB613608AC22BF3A425F01E6A1F1FAB21928908AD1684E47C316530AAE2A4D7C87731 - -Count = 927 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001 -CT = CF8A8CC01B6453545E057C5FBDFBB14539341325050C2DE3431C0AF1C578C358FCB7CCD36E2EBEE292FE28B5 - -Count = 928 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102 -CT = F2AEDBBA2DC854CC0CF42D0D15ECD4B80DAD78FB4D9F46C4319672F566D6469566B0BB45EBA98DBEEF813049 - -Count = 929 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203 -CT = 60877069322844C1039843C4BEBB3BD1D16A0E95B2673ABD8E47C42625886AF9F129BD8A195C125056A1A82E - -Count = 930 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304 -CT = 9657FF61EE932B877F108FDC03E3543F7C65702148F4EA4EB84C7CF238F5069E43D760F1999AA701A8FB4401 - -Count = 931 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405 -CT = A91FBA8DC667753202248FA136B8962503AD09D5399D105666F9CF9DB5959A0126849D08468A2026F5AC0331 - -Count = 932 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506 -CT = E921D615C10DC29B9B082C3693AEA2E4D6CA6CBDE0563490E67E414632EEFE90E7FD1C2B49D666993D0240E1 - -Count = 933 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304050607 -CT = C1933E76E12F778C68FB816E8431E20BC06FABB52874A179F88127BB9EF15486A4E0D6FB116D73A33B9CCAF4 - -Count = 934 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708 -CT = 1C0258B530257DBABB9EFEAF67FB544BD967FC366C8944C88937E040A7C883B3ABFDC62B9324CAE315BD662D - -Count = 935 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506070809 -CT = 5CC2D6058C87A4ADFD957F884884C8F5BB0AEA97EB995AC44B3E8D8AC3E21CA41EB74211573E8AAD1D72A7F3 - -Count = 936 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A -CT = 6879A2AA05E96D9B9566D7B4348B4718A6AEE8A3D3A3F6D43CF8BC8D0CAEFABBDC9DBBD6D9B541082DEA3050 - -Count = 937 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B -CT = 31778534C8FC769C272D01BFC2FFBBBD179E2DAC566F5DFE8750098971EA34A04700C33A81D32756EB9A8384 - -Count = 938 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C -CT = 
7E20F7F302CB55D957378088DDC435B31534D5209AF08FA64AEBC373D95C65833667284EFFD3C72DB14F4A12 - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = 5344DEEA770F53161BACEC4EE804A8C5AAB795C0E57995A08AD4D14DA8679F2267CDCB04452263ACFC931B52 - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E -CT = D03BA1949CC9276887DD4DD6B64B1F6DF48BAA2AC6F587B019A87CBDB2BEC08EBBE413B23679A4036A25A002 - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = C229E9D0C7DA772029DC0C0F4A9257B9017FC5D0D4C45C0E769B20EB1B744AA21B4C4D80A48115A2CFD734EF - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 08F3F21A902D28E1C3837EB629EF69BDBF256E9F9AFAA04E7AF3A79738A3A13C835E44CFB74A303C576396B4 - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = D7A8D02511D1920153E48E65B7E234D7C5C0E4D2C99EDE86D89C2530F0CBECD902A4397BDA12A6D4EE45E235 - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A2BD0B27A64FE1BD1E3C30FCF6CCDD2E99BEEE8238F869E7DBD2E69F3EA8D71173AF169AF1C13E1155C89893 - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 
000102030405060708090A0B0C0D0E0F10111213 -CT = D9A91A1B30828D8B915DCB9E9351DA3CB79CDD8637D420D38924942FE25EAB8E346ECABCDB265006DE5BD96A - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 4134B2515C0F31E1DF0AFF00BF86989FB1FA9140074C1219349431EC15F9659504C400B74100E8DCF93FDDA5 - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 81AB398D120D8E490F37935C34E40EC442E2597EBE3346E8A70BF5683522F30A80F2E313DC4CC1027523C1F7 - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 126BC1C5151CA7F67F31AC5C15E4E3B2285F28A2387826DA5F3E26B32BAF0063DB4BDF4AE57D046024A08FC7 - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = D0551F9592C076D4BC8F450B4163F35727A59D52A307E2D4D9BF37AC67BCD2097749BC247C74415DD71BDEF1 - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = BACE8658B20184C2535D8F989840BEB1E85394E06A8F23724F97E072EA2BDFF8D1D67D60689FB161F9465E6F - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 219D8C32E0BB96A5B35C254D6A3AC4CFBF030352AC5B1A59EE6091332DF42E324D7970BC08DDCA37887FA0E9 - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 72AC930BB3C3E030236FEBA78185D334434EA7B912A658E9B81376BB7E2DC4D357CD809441791D8CB4AB94A2 - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = D02D887B22765805537E1760CFC56EEB3B23765D25FC7D9981405BA2AE141D2AE6B2FF32CA280D3DD2B0A197 - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = BAEDA17A297F86ECEE55DE00DB20005E5FA1720F9D57F7787F610F90095E5D85BF04868EC98A6C493E863EE3 - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = BEE00AA93935B6DCC4E54F60B080773E74DB6D32E99CC9809FF39E15917C63ECFC4E4EB00DBD9539F9365887 - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 13C62EE6A96D6FDBF70FDB9533949D9F9E9517F0711157C2BCAC23143D797474C20097EB93CD01A50E51CFCC - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B7BBD46473178BC1598AF95E49671C5A7D28F87101F7767D564568A6AB683848E607F01D9A79048A467DCAAA - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = 
4FBCB9BD14BEFF24DD2FA755D50F8F2DF80DF49983531FE3FC150237F63648E07EB5B4447A7E38FA20F8D4F879 - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = 86A20414960776AAB9FA1D31B3F749DAA5619A5B30A24A3B95EAFD1A762B3D219075F888390EA2F47DF9743EE7 - -Count = 960 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = 47654FE7978EA3E84182B69EAE92BBDC85D2909B97505BF2A238010251EF8293DDFCB5273FB4426694D10C7C52 - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = 26011F8CE709DAF6FBBA3A43A0F750B9F5EF137101E20025868D0C652CA759643C1A737D2606A8F8B8A5A3ADFB - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = 2F20080EADB02BC9116C509C7FD0F32DE279F133BA23EC7A927BFD208A5B9EFBEA12F8BAF6199E0A822340011E - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = 8EE87761C6782BD7CA776E72C173E880D47D1FB0736DC98B06C7F7F80571AA252549EF3924F27422C7E9AB89D4 - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = CC48D7D1917532682B522E35BDB43805537802921C1DEDAABDC6B1F99E424F980A06689B0B516EFB29919A1F5E - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = 847E5ABE716D49B4263C1D8FCFA7EFF82B637A4CACEF74EFF67D0E33D8388062ABB9D30EAB7BBBE5CEE3EBEDEC - -Count = 966 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = A92550FC3C601AF9A81DF47CF42B3557BECF5AD81AC0ACD862A8FB5F751A1736C6C7DC243BFA96AC4478CC6F1A - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = 2BAB268C7EE4616A58508ECADF51876D7A543AF80CD2732F2B08AE5CD9A931934A1BED54C8002B96D71B72DED3 - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = FE1AA94FDF279F379114CECDC14655EA1B67983D4FEEAF70EDE87872FFFBA304888F8B2E793F5DB525BC0F3A65 - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = 1055E8B6110A0E6C91704B203D692F08FCDDB4E3D42DC4E51537B5DF1D9FED2BC906DFAC99F3BC2CCFCE014F8F - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = F3553F9320586E4237945A9626C6CA7659B8650B7592C0F2587FA9B42D6D648A8539F4E7430640B264B73E82DE - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = 3FE9A53397DD37D5B606165E47837718E1E6CD18610968DEBE10D9BC2ABE272189C1B22D2C1674C0577E090BBB - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = 5E304F032DCF2523CF64D991F64E0258BEBD7DB7DAFDBC68624BCA6EC6A1F5D2EF612E213F569E653C2B72F9CD - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce 
= 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = 906712C6357A76A01F2F8A6FCA05881538C8ACBE9A9A9C5E18FE016E55B404AB1ACA2311A0F8D2458F323703BD - -Count = 974 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = EFCAF427C6C3BC5A40C836790195994F224405F8F4B8AFB51EDB732E8724A13D8FA28F60FBFD0E4D0AD4CC92F0 - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = AE35127AFC6BFE75DFCA1FFB8EC88667093E361042D43AC6B75A4739E5DDB4DAC61F8089DE15A04652F9B240B8 - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A081C0DAFFA043D4592DC0BA150F86B40B13705DF287814F13266F1CCFFEFFB781362B73CB0EC74B7BFB4033D2 - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 609DBFCA8C2DEEE0E3C6E754D8FC9383833C02D322038134185C917C6B3159B1E93C51C81F6292243CB2D2EEFD - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 14F7EA1074B74E28F10523D6850CBEC5D52E967410707F88E2E4A4A75B9952FB9E38A5F7A4BC44B7D7CE0683BB - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 61CA06337C634FFDADE00F89B34CC817E7B970A749EE61E936C95CB5793B69C7477FAB08B8C9888EDD868BAE5C - 
-Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 173B7A932F68247353E5E953E2540123F0CB7D008FB5C6C521AC28E018E33368E737DAFCF27BE6D3E170B657FF - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 9ED2E8A6DCE64925A9D7A6A133E755DB3C2C15695C544E254C48B01E20AF8DDD064A39059E66BE2F86292355DC - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 6A363EEBECEF98C88E056564F5F0403686C5369D81CCFBD3A52A75794949912C070F6CAFBB31B0276CFF43A770 - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 66A53774634446E00393110B4E8BED574DE406FB203323157DF3322F668B13255381A69FE53C9C8CFD79EB3442 - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C77A6191C16E81C75D4CAC41B7F56278D3FBAB63856D8DD397A4F2AB1AA7ED7286660A4E48ED2E4C83363EAB34 - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = EFAFA35D8B3F88E3A9505038F31154FDF8DDAB5ACE792263326D147F1E375344DED18AD372FC1EEE119B60478C - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = DE6BD6378FE95E7378C84B8D1AA23AB520684DA0BB89B5AE9E4C2587E0440ECD7F94E4E5FC453E11DD80F2807E - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 58A229A7387324C714659FF3564AC1F3EE80714583CA2C6ECEDCEA3176C16186D1BF61837C5955ECAD02D0A450 - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = F031E2AFFAE2B95BE598977BA0673B7E900A4729D0E6F70B41298E8ACB65498F421E97D39E3BCC7CAE1EAFE31A - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 7D1230E3FCC5C4C467898F23C63183E92E4FA8C61F187DAA7A5D2257D6CFAEB049BAD5A6928C7A48D1E7465D92 - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = C61885163BDF7731CB5D35F548C00A3D16AA7332655EE2D6F18726727B99A09639D5D6110A2AE7499D260D243B - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = 51F2D4A1833F6DB28ADB483425770D171871F224619F871F619D07CDB868C7892A9C8157358F8D070E7417CE6D94 - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = A654B900AD8C4AAEC839D25085603EC71D383553279B0504C53323CE6FB1E0E6B8D7BFE336402185D895477C2FA2 - -Count = 993 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = 404D50EE73E5466D11265F658201C63A4D9AB5066438B741E91B24228F6C1B7D95E89FF07B55576D7C8148ED25E2 - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = A951BB13C588FD79087BB9C84AF93F7268AFB2021B767670916C7AE8862F91C56F7D19A79B697AE458ABDFB41404 - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = ADB1A2AE1C3998E777D1D0FDF4789F3872CA08E644F478CF3283E94E1AE3C4B9931FF7145FBBF6650DFA3B65EAB5 - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = DE2A4FA444AD20F43273302F70F07BFD41E7E56E3903991739BEB8590DDE9C5004A93DBD0BE1B3A1A65A22F78D4A - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = B17D7E9B4A2FE3FA474D900C8ADBDDBABE8985B911E1580137FB541F525154DC32172ADAAE35F103F94174070F9D - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = 689271679E4BC4E41964FC17F9E00B9082FB42CA3937D9B3F75A263EB5699BDC984E73441AEC149B1234E5581C0E - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = DF98D778D38C8BBACA7BD596B7762315D15C200FC6E9611D3F64DA30D396BC1648B0274B00A3C8DA7B97D6B13F67 - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = 2149D68E424B8C6C1EB8D9CDED3FC3DC728711976DB04F9DECFDC221606306658B45FD4E9CF594B011AD3B0578C6 - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = 62EB80586170A73F0A440B03CD61DDA7B3AC0604038158F16F0926E73B058EE58E69924BFB22B7EDDD82B62F3902 - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = 9BA62E608F82D27C37E62ADB8D610B00D0AFA9434143DE866C9E52671DE9740A35286363504CB431917871C87FFB - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = 0B31D9BC0C575562F5A5A89E45C53F1819B69B34A325050641CC0DBF780B2163B6208ADE968E0CC55BBAF1447249 - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = 1CBC2B9AC054C1E88829321BF5F6D31A0E4E6BE577584E4A0ACB63B6BD9D178073EAEA40BC5A360A671B0525A895 - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = 9DF66C673D76625127E9AEBD82AB013409856D182E51E25D7D3DD812F4AAE4420D99FD543914CDC44A2CA5331890 - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = 2118E7FE1B4387675F0479636850316EB8C7A9A1886112E0D8C482DCF1C7B19ECA5200E2952638D17E2C817B90CB - -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = 21C34DA22BA44F0D47762C220C03DF7D6384BF3D42D13C68B08518198268F76FF0AF90011FEE6AA496E7680BF278 - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 60E01C596E0DB486FE9536E6948E0424B7A1F408A7595BD843BB0A6548D3C8E7882A80762F9558DB303C9569AEF2 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 06AC984D5174501ED431ABC6A4C5BA069D16EADB80978FA23F2A2983F6A0562B6545AFA9564669CFACEB44D2B1EF - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2BD10B5E808BA6343FDCA7699046E493BF6CD063F9A10D6C93C57E4774B970CB460DC25958F0551DA95FF7F0828D - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = E524DCB91A2460DA6B663C08590C5EE857DD18C1FF82DD44DD090B2CBF1615BC1E08C3FEC10EA570B286713C2FF6 - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 570CF9837BDD660D6D7D5D80013E120D2AA5474C563D8F2BE3A3462DC0B53A3A176ECCB1A75E4A7A66795FF312D0 - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
6B8FB311EC5FF4C7D875D82B79BE3606A06B4E5ABDCA2D03C3FA01E4B1243542D050EAF1BD42B9E9CD0D26EBA1DA - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = EBF85FB14E180EF602F6FB10B7BB9117A98CF7BDB4B6B3AD40F921B3706E631526D69702F21E88B2D2E2A0023B77 - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 80641D078A25C68979DE27378258F13048ED1ED0B79684B525D7DC25768F6BA276E2E5CC84D294C05A65B631C196 - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 766171856BDB401536179120E91D63FD63A4A92BBF4A28CDAA346D63349A9DC6D405942FE2132B74D23D6AC91CED - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = ECFB9908EFB8B36F48F5E53C1CE20FBFEE0ECFD48AA603C715A029910511EB1E3FC514EC8324B26FB123684DE3A6 - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = A9280475A07B70E0225932E818116011EDF1BE192CBB87F6D6194206E7610A6BE040797DE46F553B1A7FB02E4582 - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 485279BFF3AF11933AD571C8779FCF886B7D406827D971769524004CF62A4C3DEC6390C4FBA05CB310C0182B5617 - -Count = 1020 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 607D49812DED10925D460CB3F876C92A45A6EC56201FD8770A27DF9BF320BF1BFC0C103398189EEFF43914201386 - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = D6378D14869DAE9275829D767881E7B85AFD7B40865CF0E2D158810E0F6467FDDF50063BEC5F8B8B893690F41884 - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = A96BAF0958F0AAB33A88E49FA31C6A1E65F958BBE5794D07A6E16AFCFC7D293D68596AF2EC0974A6EA47D2388E41 - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 362C887DC0294C1AB9A61AC6159A460F9717D6B3843C87C465AD982A0CBA810DC64A14CCCC376DF1729CF73C9D1C - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = 21CA6F37BB154D7E026D906ABBC087040B0B397D5370C947C992EFC1129A2416B03A46FC45D80A770E68CD787A26EB - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = 68A6ED4B17F9B3AADBC2793F64940F1FDAA2A4268ADC530C00D0BF9A92A1B175C528CB949FFD846A85399ED6F439DC - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = 
AEEB0323FEBF2957096CD6EEFBE51DD791C2226B6166D8E5BA96452AADDCCB01DDAFBA3DBD482E1FAFD5C1907653E8 - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = 0B78AB33D8B79CF1B3B159AF07F92AF3110D26A1F581DF92D893CE6F9028438FDC5BA205084794F2A0491FF91D0396 - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = B945525A7C05CE22E72337B93D299038D8B78F3ED2BB9B92E4E0734F610BA716B2506C00127BC589A08E22235986FB - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = 576F137D98007679D7BC363102A5CABA783A05B0959A6F141647340A99F5C8CE902B7E0DEC280CA87E5B6A6E19A076 - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = 71556EE5E93BEAE81A59373A60BE143A323E8638728196B3F9009E40E4FD823DBC6E05588AF298AA1A80D92C61D1D8 - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = 4925148ABB8ED25ABFCE68A650753538E82629401938D76D66AF429DD3E2AA4A9FD17C6E94EAE06DD095ECDA932857 - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = 1C4A2E31025727D7667E08890542ECBE7BD0140AF96581020691F462228118CF89C9EB41CD5B625F8E0FF537D86992 - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = 
626311BA7656065064B5CC72711D51DAD8CF88484FCA0DD7DF7981007118EEB2DF91A9DB5A9D14FA34B592FA7A4A84 - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = 03DC988E1689BF89DF08585DDDC45997BC6CEB760DF69D74EAD73573A88825AC52B970CE3F6C7143A84DBF6B29EFA0 - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = 3E9C01A34E4A3D8C34864E5070C681F62E309B46610E98C3108C073D66315F002929670232B5EA4412B562AA9B0473 - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = D177F79543B35217B3D9CDF3F9035DA8D331AE4D56BA6E8F2F90F764E163BC3940FDAD2CE19F2D7C5F967BFE277249 - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = A2FF008898B8B6374B03C568E5E9F7EB7949068A31E5B6B2E0161E133037ED927BF30DD19D858C89901A049F791F26 - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = D15A167870C586C0448F2971D951DF7618D26361EB6E4F05BBB653BF3F045859443FA80C5C4F2603E22620714AEC7C - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = 9E279D789E13F5308C068FE5370F29A58A49B20D626FC7EFE1B4EFAF1AE659DA4D3769BC273ACE43028CE693A58DD1 - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = C1FC616EE2E0A81CF28D5CDA6819421802A21BFDA53BB69332D6850FB024840FCA7602ED4647A5E18A29A3DF3CBBEB - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 8AFC99A8113A13281FF65171526F3E41FA81E14E9DF199F81E833A3CBE0F36DE7B043CB4763F6ED995D32E93110B04 - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 34E4AD0F2E9F7CA8105B2AC84D30D2475B3BBE677DA4805F9E3045EC322A67B49038093245DE79F925DEF78AE48565 - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 9D30F6D39F4A574C118BB6AAAF211EEE17358D42CAA1F272F8ECCE3C1D605B2576539F6025956409A63A7BCE6C69FB - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 8029BA300627DB6CCF0D476EF80DA7C1CAE3D4A540D42FDFB2BDFE181173E24EB232916918C468E77D8CDF5A355BC8 - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 6B11ED467E765372422494A17F2B2CA5EED4D27074FCB4E8F0945BEE1A1A8CA2923C9C770E58EB7F0948ACC95CF2B8 - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
76CE040045F63D39E4F5542895166D0628B6BC78C7954C49682FF169AF9E8CC6C7274889799D20A58744140BABDF5F - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 9C09A5EDE71B70B3152F0602F380123B672547493BC8505C5EF887B784F64DC9ADA170B6D09119A0314FDA9B5683BE - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 44581FCB81AA304414F3F0367064D4953EEEA0C1CDDC1ECF10D50E5D30BB4B27EDDAE19B8DE0973ABE233B15BCD5E8 - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 1430E3C2297A26D8D01A15A4051BADF7E8EC558BE90E94D70D3832DCC8A4AF19531C567FE9B0C1A3C4543D0C4EF08B - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 12C946F3200ECA70616B998BDB02956FC00BC6E343BF86154E672D9C05D160911B8BB856A06BC6DBBF6EFA06070EE7 - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 26BF6BE335B926B61F27A8158E76022586FC9400F01BE884B3F9AFCDF6FD84D78C586941AFE1FB0BB744732436EA0F - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 
52FF5C7AF6E8694398E92AFDC006C7D6D2BEEF4F68F5F3937346DFF368C4D0BFCD04F24F1374BA3D0F094899308FB7 - -Count = 1053 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 3FD11441EF0BD043159B47481DB7F27A8AEC1B87940653019573F572BFB2C877B1B505BFDB296360AB63ECB0C25E3E - -Count = 1054 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = DAE9F800ABEEB3E031B1A59E2835DD8CF503793CC52836EBBB02B2BAE0944662C378E65D30B0856284F75EF95ADA22 - -Count = 1055 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = EEFCE4606D171C259CDB03050D7B65A506765F7C8270CD617A10D5660AAEF90FBC848B80E8B80F136AD4E5C7F0F907 - -Count = 1056 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = DDADE35C4F491EA5211AC89B9A0F7AFD26384210AC75EB12D68C1F81BBEA0598FA9EB289D5433AE798F033ADF54C7B - -Count = 1057 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = -CT = 269B387698DB3AEB5834F3F2C1DE83454C8238DD576CD9DEA705E28241B351B28827ED9F467C9991AEEE03ECB6A2C3CB - -Count = 1058 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00 -CT = EAD315B2D324E289677485C3F6A6D0405FCAD88588E516F49B0FE47DE31946F127937378DE7808C7432F85A0CEDB9273 - -Count = 1059 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001 -CT = 725C83FF5515FB4D0756E6C1C7CBAE365BDDE798ECA7D873928851B5A30DE736F2FCC3DD4036510F44DF47D6C8A27ABB - -Count = 1060 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102 -CT = D0C5E2C34726C0D2201C5FA8FBF705F3C7370CF90DAC7FEDF4EC7FF7D1CA8EE0FC9E70D68DAC5315CDE9573CFBDA9679 - -Count = 1061 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203 -CT = 14047544BAE9F828BCC91D6AFDB312E8589D510AC09F0CBD0A6BCBF9430FE1B6BB7635E97AB5FC9DDB196FE54D471C81 - -Count = 1062 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304 -CT = 64B1026D7E185953040681A1EDB8A806F9EBAA02668C532A470A8F6494B16193AEB4288A03446B5CC99FE9B9E21B9DE8 - -Count = 1063 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405 -CT = 99853FBF13858B144AE6C5E3BEC088E007A836519C9B1E2389F642F647E1C7E6D774C917DE166F8AFD43B1A0F80017EE - -Count = 1064 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506 -CT = DFB799E528ADA443887430A7922D5B6CD9D4F9F3FAD3261943E761530D22F460DA6D09B6013D34E69373045CE7A5671B - -Count = 1065 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304050607 -CT = 90045D07C1D022972AD3147C4B52789608D2A18D8F76FC17848F1B53F4E6331E56C220307758107A0C9A3961DA5624F7 - -Count = 1066 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708 -CT = A4AB228F2C6788CD355511B9B388F869B67FF58BA7E9B9DC1EEBFE4EAE423FB188A59BD86240B425B3EC4FE3647D7E5D - -Count = 1067 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506070809 -CT = 02AC4C07305B0EFAC86B381CEFE3AF7E760688C9DAE907C3B00E528F751020A86188D3EEC8F867D068224710AA194A18 - -Count = 1068 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A -CT = 78D575CAF392C46F3C47DE4416DC6A7E55CCAF4A3B2B8C6A3F1D500C63AC8149D257D6CFCED108D03AC6A30AA472F6A2 - -Count = 1069 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B -CT = 790F73238262A96E988F62844074E7C410D040716C8D98F5549CE81BC52BB5224D3ECB5FF819E9C3BE8E4990D15BF0AC - -Count = 1070 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C -CT = BBF77C26F4E8E065DB866CE0FF36EFCA5B04550AC5B53E63561FD80844A9E429FDDA22FFB3EFB2512E5DCFEB786B2ADA - -Count = 1071 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D -CT = 980B8AB60388A16A3A69CFA998690145E1AE8A923651FFC054B04111A59EAFC77091C25D7568311901533CF0267CCB92 - -Count = 1072 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E -CT = 
7EA219FC1EC690ECF114946BCEB829CBA906AECB31844E8378590D9A5AACFCAACA4CB50EB8009BC5C390DB5C228C64C6 - -Count = 1073 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F -CT = 8593CCC4BC7A9D46ABB39FC65E106EF9BDD5A563E6C5A87D80CB2B6E5B27EC31D46456633AA2747564DAACA38C1CE77E - -Count = 1074 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = EF0984578B94C5ECD2FA775E16B40FE6B639550C1230D9B76EEA09BAE01F911BC6DB0D71EB49673D4BFF772C45AF69A8 - -Count = 1075 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 8840664F43D56B1DF962FED7AF42A2BB99FF055E785A962AD102F044E89048D3BABFC8792839AA8988A4810A80F11647 - -Count = 1076 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 28AD9854D6EAA221DCF44B4201E9177D40EBA2B43FFECD1BC9D3043A019060C2A98663C3C7C8FA91F0561DCA092BFD9B - -Count = 1077 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 210B7B5A3F3FD0DF07754678DA7D5CF22C006C1D26A22FB09CC7DA37FEB4B91503A7B1F73E32FCCA923CCBD758A6039C - -Count = 1078 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 7591ABC77C77AAAE3BB7F5F17B5BAC7FC880A8FD7E4BF37DAB8AC2542694D07C36A0CA9090F64799333CE58FBD72A0B9 - -Count = 1079 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A7C94AE4873A8E9A6E0FE4984B530D28CF23B852060748E815C41492F9E3141B8D3B22E2788E0ABD4EA1E233D8F5D10A - -Count = 1080 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 928B502448B50B36EDB144B354C8936B28773726EE7BA8ACB825413A24D2377203546EC998D0E08391E1C70EAB316944 - -Count = 1081 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 26B55733177CDF2AD3D1947790DE280AAB1F308FDF3B142D65693F9A6528D05AE4621097C2568F29CC4FE258B1B72D73 - -Count = 1082 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = BC208995AFB0B32ABEA38E4FBDC5BA3540BAE235A81AC71FD8D70D76437CD703BAEE85E73C1C522C3E73D7D3533B1014 - -Count = 1083 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 25BFD80B0E4B2756EE80AC9D92CE2D65135190432A6DC9CF287699811B360717967F3F57D159AA1850B35A0D17D52E91 - -Count = 1084 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 2795204CE2873268B293EB399D512C6041143B7D934CC402827E07FD4C635AAE3F520EF0C441AC7BA154CEA01598EACB - -Count = 1085 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 2CFADB46345316C111A9240F1560FAB118A0AC50728E4B2E82F821B249CA7B33EFE89A6C66CA165131745FFDF0478675 - -Count = 1086 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 996D03D3DD3044B7D62E25B9D260B7C3F21D55AEFA6A03429971DD8536FDAE9DE35FCC2AB35F0916805911F88AA91CC1 - -Count = 1087 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = EBB40147A90815385DE13786933ADD34E3FD2B2B47CFBCE2C3339958E25D1EC1C2085E1E47F0B52246F411C8D542C2F1 - -Count = 1088 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 43B9AD80477CC9B330478EA3B68B6856374818F1BBBAEA0D0A921705A9C5DAE7C789D78086F8AF354A6BB3CD10E31709 - -Count = 1089 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B4167368927AA01AEDF0AA814B8EFD8C06BEE7C5123EF3D300CF1C92D1408911769FD5F550EB784583D5F651558A46E9 - diff --git a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/aead-common.c b/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/aead-common.h b/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include 
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/api.h b/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/api.h
deleted file mode 100644
index c3c0a27..0000000
--- a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 12
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/encrypt.c b/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/encrypt.c
deleted file mode 100644
index 520d992..0000000
--- a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "romulus.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return romulus_m2_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return romulus_m2_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-skinny128.c
deleted file mode 100644
index 579ced1..0000000
--- a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-skinny128.c
+++ /dev/null
@@ -1,801 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-skinny128.h"
-#include "internal-skinnyutil.h"
-#include "internal-util.h"
-#include
-
-#if !defined(__AVR__)
-
-STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
-{
- /* This function is used to fast-forward the TK1 tweak value
- * to the value at the end of the key schedule for decryption.
- *
- * The tweak permutation repeats every 16 rounds, so SKINNY-128-256
- * with 48 rounds does not need any fast forwarding applied.
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds
- * are equivalent to applying the permutation 8 times:
- *
- * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12]
- */
- uint32_t row0 = tk[0];
- uint32_t row1 = tk[1];
- uint32_t row2 = tk[2];
- uint32_t row3 = tk[3];
- tk[0] = ((row1 >> 8) & 0x0000FFFFU) |
- ((row0 >> 8) & 0x00FF0000U) |
- ((row0 << 8) & 0xFF000000U);
- tk[1] = ((row1 >> 24) & 0x000000FFU) |
- ((row0 << 8) & 0x00FFFF00U) |
- ((row1 << 24) & 0xFF000000U);
- tk[2] = ((row3 >> 8) & 0x0000FFFFU) |
- ((row2 >> 8) & 0x00FF0000U) |
- ((row2 << 8) & 0xFF000000U);
- tk[3] = ((row3 >> 24) & 0x000000FFU) |
- ((row2 << 8) & 0x00FFFF00U) |
- ((row3 << 24) & 0xFF000000U);
-}
-
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
- memcpy(ks->TK3, key + 32, sizeof(ks->TK3));
-#else
- /* Set the initial states of TK1, TK2, and TK3 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Set up the key schedule using TK2 and TK3. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4);
-
- /* Permute TK2 and TK3 for the next round */
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
-
- /* Apply the LFSR's to TK2 and TK3 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-#endif
-}
-
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0x15;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 
+ 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Permute TK1 to fast-forward it to the end of the key schedule */
- skinny128_fast_forward_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_fast_forward_tk(TK2);
- skinny128_fast_forward_tk(TK3);
- for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2 and TK3.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- skinny128_LFSR3(TK3[2]);
- skinny128_LFSR3(TK3[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_inv_permute_tk(TK3);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
- skinny128_LFSR2(TK3[2]);
- skinny128_LFSR2(TK3[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- 
le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
- TK2[0] = le_load_word32(tk2);
- TK2[1] = le_load_word32(tk2 + 4);
- TK2[2] = le_load_word32(tk2 + 8);
- TK2[3] = le_load_word32(tk2 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0] ^ TK2[0];
- s1 ^= schedule[1] ^ TK1[1] ^ TK2[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. 
That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK3);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t temp;
- unsigned round;
- uint8_t rc = 0;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakey */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this 
round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1, TK2, and TK3 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
-#else
- /* Set the initial states of TK1 and TK2 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Set up the key schedule using TK2. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ (rc >> 4);
-
- /* Permute TK2 for the next round */
- skinny128_permute_tk(TK2);
-
- /* Apply the LFSR to TK2 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-#endif
-}
-
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which 
moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0x09;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1.
- * There is no need to fast-forward TK1 because the value at
- * the end of the key schedule is the same as at the start */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_encrypt_tk_full
- (const unsigned char key[32], unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
- uint32_t temp;
- unsigned round;
- uint8_t rc = 0;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakey */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] 
= le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-#else /* __AVR__ */
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- memcpy(ks->TK2, tk2, 16);
- skinny_128_384_encrypt(ks, output, input);
-}
-
-#endif /* __AVR__ */
diff --git a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-skinny128.h
deleted file mode 100644
index 2bfda3c..0000000
--- a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-skinny128.h
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNY128_H
-#define LW_INTERNAL_SKINNY128_H
-
-/**
- * \file internal-skinny128.h
- * \brief SKINNY-128 block cipher family.
- *
- * References: https://eprint.iacr.org/2016/660.pdf,
- * https://sites.google.com/site/skinnycipher/
- */
-
-#include
-#include
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \def SKINNY_128_SMALL_SCHEDULE
- * \brief Defined to 1 to use the small key schedule version of SKINNY-128.
- */
-#if defined(__AVR__)
-#define SKINNY_128_SMALL_SCHEDULE 1
-#else
-#define SKINNY_128_SMALL_SCHEDULE 0
-#endif
-
-/**
- * \brief Size of a block for SKINNY-128 block ciphers.
- */
-#define SKINNY_128_BLOCK_SIZE 16
-
-/**
- * \brief Number of rounds for SKINNY-128-384.
- */
-#define SKINNY_128_384_ROUNDS 56
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-384.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-
- /** TK3 for the small key schedule */
- uint8_t TK3[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_384_ROUNDS * 2];
-#endif
-
-} skinny_128_384_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-384.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly
- * provided TK2 value.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tk2 TK2 value that should be updated on the fly.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when both TK1 and TK2 change from block to block.
- * When the key is initialized with skinny_128_384_init(), the TK2 part of
- * the key value should be set to zero.
- *
- * \note Some versions of this function may modify the key schedule to
- * copy tk2 into place.
- */
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 384-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-384 but
- * more memory-efficient.
- */
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Number of rounds for SKINNY-128-256.
- */
-#define SKINNY_128_256_ROUNDS 48
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-256.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_256_ROUNDS * 2];
-#endif
-
-} skinny_128_256_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-256.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 256-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-256 but
- * more memory-efficient.
- */
-void skinny_128_256_encrypt_tk_full
- (const unsigned char key[32], unsigned char *output,
- const unsigned char *input);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-skinnyutil.h
deleted file mode 100644
index 83136cb..0000000
--- a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-skinnyutil.h
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNYUTIL_H
-#define LW_INTERNAL_SKINNYUTIL_H
-
-/**
- * \file internal-skinnyutil.h
- * \brief Utilities to help implement SKINNY and its variants.
- */
-
-#include "internal-util.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** @cond skinnyutil */
-
-/* Utilities for implementing SKINNY-128 */
-
-#define skinny128_LFSR2(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \
- (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \
- } while (0)
-
-
-#define skinny128_LFSR3(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \
- (((_x << 7) ^ (_x << 1)) & 0x80808080U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x)
-#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x)
-
-#define skinny128_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint32_t row2 = tk[2]; \
- uint32_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 16) | (row3 >> 16); \
- tk[0] = ((row2 >> 8) & 0x000000FFU) | \
- ((row2 << 16) & 0x00FF0000U) | \
- ( row3 & 0xFF00FF00U); \
- tk[1] = ((row2 >> 16) & 0x000000FFU) | \
- (row2 & 0xFF000000U) | \
- ((row3 << 8) & 0x0000FF00U) | \
- ( row3 & 0x00FF0000U); \
- } while (0)
-
-#define skinny128_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint32_t row0 = tk[0]; \
- uint32_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 >> 16) & 0x000000FFU) | \
- ((row0 << 8) & 0x0000FF00U) | \
- ((row1 << 16) & 0x00FF0000U) | \
- ( row1 & 0xFF000000U); \
- tk[3] = ((row0 >> 16) & 0x0000FF00U) | \
- ((row0 << 16) & 0xFF000000U) | \
- ((row1 >> 16) & 0x000000FFU) | \
- ((row1 << 8) & 0x00FF0000U); \
- } while (0)
-
-/*
- * Apply the SKINNY sbox. The original version from the specification is
- * equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE(x)
- * ((((x) & 0x01010101U) << 2) |
- * (((x) & 0x06060606U) << 5) |
- * (((x) & 0x20202020U) >> 5) |
- * (((x) & 0xC8C8C8C8U) >> 2) |
- * (((x) & 0x10101010U) >> 1))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * return SBOX_SWAP(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \
- y = (((x >> 5) & (x << 1)) & 0x04040404U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \
- x = ((x & 0x08080808U) << 1) | \
- ((x & 0x32323232U) << 2) | \
- ((x & 0x01010101U) << 5) | \
- ((x & 0x80808080U) >> 6) | \
- ((x & 0x40404040U) >> 4) | \
- ((x & 0x04040404U) >> 2); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE_INV(x)
- * ((((x) & 0x08080808U) << 1) |
- * (((x) & 0x32323232U) << 2) |
- * (((x) & 0x01010101U) << 5) |
- * (((x) & 0xC0C0C0C0U) >> 5) |
- * (((x) & 0x04040404U) >> 2))
- *
- * x = SBOX_SWAP(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_inv_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- y = (((x >> 1) & (x >> 3)) & 0x01010101U); \
- x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \
- y = (((x >> 6) & (x >> 1)) & 0x02020202U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \
- x = ((x & 0x01010101U) << 2) | \
- ((x & 0x04040404U) << 4) | \
- ((x & 0x02020202U) << 6) | \
- ((x & 0x20202020U) >> 5) | \
- ((x & 0xC8C8C8C8U) >> 2) | \
- ((x & 0x10101010U) >> 1); \
-} while (0)
-
-/* Utilities for implementing SKINNY-64 */
-
-#define skinny64_LFSR2(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \
- } while (0)
-
-#define skinny64_LFSR3(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x)
-#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x)
-
-#define skinny64_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint16_t row2 = tk[2]; \
- uint16_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 8) | (row3 >> 8); \
- tk[0] = ((row2 << 4) & 0xF000U) | \
- ((row2 >> 8) & 0x00F0U) | \
- ( row3 & 0x0F0FU); \
- tk[1] = ((row2 << 8) & 0xF000U) | \
- ((row3 >> 4) & 0x0F00U) | \
- ( row3 & 0x00F0U) | \
- ( row2 & 0x000FU); \
- } while (0)
-
-#define skinny64_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint16_t row0 = tk[0]; \
- uint16_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 << 8) & 0xF000U) | \
- ((row0 >> 4) & 0x0F00U) | \
- ((row1 >> 8) & 0x00F0U) | \
- ( row1 & 0x000FU); \
- tk[3] = ((row1 << 8) & 0xF000U) | \
- ((row0 << 8) & 0x0F00U) | \
- ((row1 >> 4) & 0x00F0U) | \
- ((row0 >> 8) & 0x000FU); \
- } while (0)
-
-/*
- * Apply the SKINNY-64 sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT(x)
- * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_SHIFT steps to be performed with one final rotation.
- * This reduces the number of required shift operations from 14 to 10.
- *
- * We can further reduce the number of NOT operations from 4 to 2
- * using the technique from https://github.com/kste/skinny_avx to
- * convert NOR-XOR operations into AND-XOR operations by converting
- * the S-box into its NOT-inverse.
- */
-#define skinny64_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \
- x = ~x; \
- x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY-64 sbox. The original version
- * from the specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT_INV(x)
- * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * return SBOX_MIX(x);
- */
-#define skinny64_inv_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = ~x; \
- x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \
-} while (0)
-
-/** @endcond */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-util.h b/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of 
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | 
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/romulus.c b/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/romulus.c
deleted file mode 100644
index bb19cc5..0000000
--- a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/romulus.c
+++ /dev/null
@@ -1,1974 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE. 
- */
-
-#include "romulus.h"
-#include "internal-skinny128.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const romulus_n1_cipher = {
- "Romulus-N1",
- ROMULUS_KEY_SIZE,
- ROMULUS1_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_n1_aead_encrypt,
- romulus_n1_aead_decrypt
-};
-
-aead_cipher_t const romulus_n2_cipher = {
- "Romulus-N2",
- ROMULUS_KEY_SIZE,
- ROMULUS2_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_n2_aead_encrypt,
- romulus_n2_aead_decrypt
-};
-
-aead_cipher_t const romulus_n3_cipher = {
- "Romulus-N3",
- ROMULUS_KEY_SIZE,
- ROMULUS3_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_n3_aead_encrypt,
- romulus_n3_aead_decrypt
-};
-
-aead_cipher_t const romulus_m1_cipher = {
- "Romulus-M1",
- ROMULUS_KEY_SIZE,
- ROMULUS1_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_m1_aead_encrypt,
- romulus_m1_aead_decrypt
-};
-
-aead_cipher_t const romulus_m2_cipher = {
- "Romulus-M2",
- ROMULUS_KEY_SIZE,
- ROMULUS2_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_m2_aead_encrypt,
- romulus_m2_aead_decrypt
-};
-
-aead_cipher_t const romulus_m3_cipher = {
- "Romulus-M3",
- ROMULUS_KEY_SIZE,
- ROMULUS3_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_m3_aead_encrypt,
- romulus_m3_aead_decrypt
-};
-
-/**
- * \brief Limit on the number of bytes of message or associated data (128Mb).
- *
- * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for
- * payloads well into the petabyte range. It is unlikely that an embedded
- * device will have that much memory to store a contiguous packet!
- *
- * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper
- * 24 bits are difficult to modify in the key schedule. So we only
- * update the low 24 bits and leave the high 24 bits fixed.
- *
- * Romulus-N3 and Romulus-M3 use a 24-bit block counter. 
- *
- * For all algorithms, we limit the block counter to 2^23 so that the block
- * counter can never exceed 2^24 - 1.
- */
-#define ROMULUS_DATA_LIMIT \
- ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE))
-
-/**
- * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1.
- *
- * \param ks Points to the key schedule to initialize.
- * \param k Points to the 16 bytes of the key.
- * \param npub Points to the 16 bytes of the nonce. May be NULL
- * if the nonce will be updated on the fly.
- */
-static void romulus1_init
- (skinny_128_384_key_schedule_t *ks,
- const unsigned char *k, const unsigned char *npub)
-{
- unsigned char TK[48];
- TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */
- memset(TK + 1, 0, 15);
- if (npub)
- memcpy(TK + 16, npub, 16);
- else
- memset(TK + 16, 0, 16);
- memcpy(TK + 32, k, 16);
- skinny_128_384_init(ks, TK);
-}
-
-/**
- * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2.
- *
- * \param ks Points to the key schedule to initialize.
- * \param k Points to the 16 bytes of the key.
- * \param npub Points to the 12 bytes of the nonce. May be NULL
- * if the nonce will be updated on the fly.
- */
-static void romulus2_init
- (skinny_128_384_key_schedule_t *ks,
- const unsigned char *k, const unsigned char *npub)
-{
- unsigned char TK[48];
- TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */
- if (npub) {
- TK[1] = TK[2] = TK[3] = 0;
- memcpy(TK + 4, npub, 12);
- } else {
- memset(TK + 1, 0, 15);
- }
- memcpy(TK + 16, k, 16);
- TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */
- memset(TK + 33, 0, 15);
- skinny_128_384_init(ks, TK);
-}
-
-/**
- * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3.
- *
- * \param ks Points to the key schedule to initialize.
- * \param k Points to the 16 bytes of the key.
- * \param npub Points to the 12 bytes of the nonce. May be NULL
- * if the nonce will be updated on the fly. 
- */
-static void romulus3_init
- (skinny_128_256_key_schedule_t *ks,
- const unsigned char *k, const unsigned char *npub)
-{
- unsigned char TK[32];
- TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */
- if (npub) {
- TK[1] = TK[2] = TK[3] = 0;
- memcpy(TK + 4, npub, 12);
- } else {
- memset(TK + 1, 0, 15);
- }
- memcpy(TK + 16, k, 16);
- skinny_128_256_init(ks, TK);
-}
-
-/**
- * \brief Sets the domain separation value for Romulus-N1 and M1.
- *
- * \param ks The key schedule to set the domain separation value into.
- * \param domain The domain separation value.
- */
-#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain))
-
-/**
- * \brief Sets the domain separation value for Romulus-N2 and M2.
- *
- * \param ks The key schedule to set the domain separation value into.
- * \param domain The domain separation value.
- */
-#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain))
-
-/**
- * \brief Sets the domain separation value for Romulus-N3 and M3.
- *
- * \param ks The key schedule to set the domain separation value into.
- * \param domain The domain separation value.
- */
-#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain))
-
-/**
- * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1.
- *
- * \param TK1 Points to the TK1 part of the key schedule containing the LFSR.
- */
-STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16])
-{
- uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7);
- TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7);
- TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7);
- TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7);
- TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7);
- TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7);
- TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7);
- TK1[0] = (TK1[0] << 1) ^ (mask & 0x95);
-}
-
-/**
- * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2.
- *
- * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. 
- *
- * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of
- * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT.
- */
-STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16])
-{
- uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7);
- TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7);
- TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7);
- TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B);
-}
-
-/**
- * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3.
- *
- * \param TK1 Points to the TK1 part of the key schedule containing the LFSR.
- */
-#define romulus3_update_counter(TK1) romulus2_update_counter((TK1))
-
-/**
- * \brief Process the asssociated data for Romulus-N1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void romulus_n1_process_ad
- (skinny_128_384_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char temp;
-
- /* Handle the special case of no associated data */
- if (adlen == 0) {
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x1A);
- skinny_128_384_encrypt_tk2(ks, S, S, npub);
- return;
- }
-
- /* Process all double blocks except the last */
- romulus1_set_domain(ks, 0x08);
- while (adlen > 32) {
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
- romulus1_update_counter(ks->TK1);
- ad += 32;
- adlen -= 32;
- }
-
- /* Pad and process the left-over blocks */
- romulus1_update_counter(ks->TK1);
- temp = (unsigned)adlen;
- if (temp == 32) {
- /* Left-over complete double block */
- lw_xor_block(S, ad, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x18);
- } else if (temp > 16) {
- /* Left-over partial double 
block */
- unsigned char pad[16];
- temp -= 16;
- lw_xor_block(S, ad, 16);
- memcpy(pad, ad + 16, temp);
- memset(pad + temp, 0, 15 - temp);
- pad[15] = temp;
- skinny_128_384_encrypt_tk2(ks, S, S, pad);
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x1A);
- } else if (temp == 16) {
- /* Left-over complete single block */
- lw_xor_block(S, ad, temp);
- romulus1_set_domain(ks, 0x18);
- } else {
- /* Left-over partial single block */
- lw_xor_block(S, ad, temp);
- S[15] ^= temp;
- romulus1_set_domain(ks, 0x1A);
- }
- skinny_128_384_encrypt_tk2(ks, S, S, npub);
-}
-
-/**
- * \brief Process the asssociated data for Romulus-N2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void romulus_n2_process_ad
- (skinny_128_384_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char temp;
-
- /* Handle the special case of no associated data */
- if (adlen == 0) {
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x5A);
- memcpy(ks->TK1 + 4, npub, 12);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all double blocks except the last */
- romulus2_set_domain(ks, 0x48);
- while (adlen > 28) {
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Pad and process the left-over blocks */
- romulus2_update_counter(ks->TK1);
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Left-over complete double block */
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x58);
- } else if (temp > 16) {
- /* Left-over 
partial double block */
- temp -= 16;
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp);
- ks->TK1[15] = temp;
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x5A);
- } else if (temp == 16) {
- /* Left-over complete single block */
- lw_xor_block(S, ad, temp);
- romulus2_set_domain(ks, 0x58);
- } else {
- /* Left-over partial single block */
- lw_xor_block(S, ad, temp);
- S[15] ^= temp;
- romulus2_set_domain(ks, 0x5A);
- }
- memcpy(ks->TK1 + 4, npub, 12);
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Process the asssociated data for Romulus-N3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void romulus_n3_process_ad
- (skinny_128_256_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char temp;
-
- /* Handle the special case of no associated data */
- if (adlen == 0) {
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x9A);
- memcpy(ks->TK1 + 4, npub, 12);
- skinny_128_256_encrypt(ks, S, S);
- return;
- }
-
- /* Process all double blocks except the last */
- romulus3_set_domain(ks, 0x88);
- while (adlen > 28) {
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Pad and process the left-over blocks */
- romulus3_update_counter(ks->TK1);
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Left-over complete double block */
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x98);
- } else if (temp > 
16) {
- /* Left-over partial double block */
- temp -= 16;
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp);
- ks->TK1[15] = temp;
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x9A);
- } else if (temp == 16) {
- /* Left-over complete single block */
- lw_xor_block(S, ad, temp);
- romulus3_set_domain(ks, 0x98);
- } else {
- /* Left-over partial single block */
- lw_xor_block(S, ad, temp);
- S[15] ^= temp;
- romulus3_set_domain(ks, 0x9A);
- }
- memcpy(ks->TK1 + 4, npub, 12);
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Determine the domain separation value to use on the last
- * block of the associated data processing.
- *
- * \param adlen Length of the associated data in bytes.
- * \param mlen Length of the message in bytes.
- * \param t Size of the second half of a double block; 12 or 16.
- *
- * \return The domain separation bits to use to finalize the last block.
- */
-static uint8_t romulus_m_final_ad_domain
- (unsigned long long adlen, unsigned long long mlen, unsigned t)
-{
- uint8_t domain = 0;
- unsigned split = 16U;
- unsigned leftover;
-
- /* Determine which domain bits we need based on the length of the ad */
- if (adlen == 0) {
- /* No associated data, so only 1 block with padding */
- domain ^= 0x02;
- split = t;
- } else {
- /* Even or odd associated data length? 
*/
- leftover = (unsigned)(adlen % (16U + t));
- if (leftover == 0) {
- /* Even with a full double block at the end */
- domain ^= 0x08;
- } else if (leftover < split) {
- /* Odd with a partial single block at the end */
- domain ^= 0x02;
- split = t;
- } else if (leftover > split) {
- /* Even with a partial double block at the end */
- domain ^= 0x0A;
- } else {
- /* Odd with a full single block at the end */
- split = t;
- }
- }
-
- /* Determine which domain bits we need based on the length of the message */
- if (mlen == 0) {
- /* No message, so only 1 block with padding */
- domain ^= 0x01;
- } else {
- /* Even or odd message length? */
- leftover = (unsigned)(mlen % (16U + t));
- if (leftover == 0) {
- /* Even with a full double block at the end */
- domain ^= 0x04;
- } else if (leftover < split) {
- /* Odd with a partial single block at the end */
- domain ^= 0x01;
- } else if (leftover > split) {
- /* Even with a partial double block at the end */
- domain ^= 0x05;
- }
- }
- return domain;
-}
-
-/**
- * \brief Process the asssociated data for Romulus-M1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- * \param m Points to the message plaintext.
- * \param mlen Length of the message plaintext. 
- */
-static void romulus_m1_process_ad
- (skinny_128_384_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *m, unsigned long long mlen)
-{
- unsigned char pad[16];
- uint8_t final_domain = 0x30;
- unsigned temp;
-
- /* Determine the domain separator to use on the final block */
- final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16);
-
- /* Process all associated data double blocks except the last */
- romulus1_set_domain(ks, 0x28);
- while (adlen > 32) {
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
- romulus1_update_counter(ks->TK1);
- ad += 32;
- adlen -= 32;
- }
-
- /* Process the last associated data double block */
- temp = (unsigned)adlen;
- if (temp == 32) {
- /* Last associated data double block is full */
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
- romulus1_update_counter(ks->TK1);
- } else if (temp > 16) {
- /* Last associated data double block is partial */
- temp -= 16;
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(pad, ad + 16, temp);
- memset(pad + temp, 0, sizeof(pad) - temp - 1);
- pad[sizeof(pad) - 1] = (unsigned char)temp;
- skinny_128_384_encrypt_tk2(ks, S, S, pad);
- romulus1_update_counter(ks->TK1);
- } else {
- /* Last associated data block is single. 
Needs to be combined
- * with the first block of the message payload */
- romulus1_set_domain(ks, 0x2C);
- romulus1_update_counter(ks->TK1);
- if (temp == 16) {
- lw_xor_block(S, ad, 16);
- } else {
- lw_xor_block(S, ad, temp);
- S[15] ^= (unsigned char)temp;
- }
- if (mlen > 16) {
- skinny_128_384_encrypt_tk2(ks, S, S, m);
- romulus1_update_counter(ks->TK1);
- m += 16;
- mlen -= 16;
- } else if (mlen == 16) {
- skinny_128_384_encrypt_tk2(ks, S, S, m);
- m += 16;
- mlen -= 16;
- } else {
- temp = (unsigned)mlen;
- memcpy(pad, m, temp);
- memset(pad + temp, 0, sizeof(pad) - temp - 1);
- pad[sizeof(pad) - 1] = (unsigned char)temp;
- skinny_128_384_encrypt_tk2(ks, S, S, pad);
- mlen = 0;
- }
- }
-
- /* Process all message double blocks except the last */
- romulus1_set_domain(ks, 0x2C);
- while (mlen > 32) {
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, m + 16);
- romulus1_update_counter(ks->TK1);
- m += 32;
- mlen -= 32;
- }
-
- /* Process the last message double block */
- temp = (unsigned)mlen;
- if (temp == 32) {
- /* Last message double block is full */
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, m + 16);
- } else if (temp > 16) {
- /* Last message double block is partial */
- temp -= 16;
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(pad, m + 16, temp);
- memset(pad + temp, 0, sizeof(pad) - temp - 1);
- pad[sizeof(pad) - 1] = (unsigned char)temp;
- skinny_128_384_encrypt_tk2(ks, S, S, pad);
- } else if (temp == 16) {
- /* Last message single block is full */
- lw_xor_block(S, m, 16);
- } else if (temp > 0) {
- /* Last message single block is partial */
- lw_xor_block(S, m, temp);
- S[15] ^= (unsigned char)temp;
- }
-
- /* Process the last partial block */
- romulus1_set_domain(ks, final_domain);
- romulus1_update_counter(ks->TK1);
- skinny_128_384_encrypt_tk2(ks, S, S, npub);
-}
-
-/**
- * \brief Process the asssociated data for 
Romulus-M2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- * \param m Points to the message plaintext.
- * \param mlen Length of the message plaintext.
- */
-static void romulus_m2_process_ad
- (skinny_128_384_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *m, unsigned long long mlen)
-{
- uint8_t final_domain = 0x70;
- unsigned temp;
-
- /* Determine the domain separator to use on the final block */
- final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12);
-
- /* Process all associated data double blocks except the last */
- romulus2_set_domain(ks, 0x68);
- while (adlen > 28) {
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Process the last associated data double block */
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Last associated data double block is full */
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- } else if (temp > 16) {
- /* Last associated data double block is partial */
- temp -= 16;
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- } else {
- /* Last associated data block is single. 
Needs to be combined
- * with the first block of the message payload */
- romulus2_set_domain(ks, 0x6C);
- romulus2_update_counter(ks->TK1);
- if (temp == 16) {
- lw_xor_block(S, ad, 16);
- } else {
- lw_xor_block(S, ad, temp);
- S[15] ^= (unsigned char)temp;
- }
- if (mlen > 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- m += 12;
- mlen -= 12;
- } else if (mlen == 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_384_encrypt(ks, S, S);
- m += 12;
- mlen -= 12;
- } else {
- temp = (unsigned)mlen;
- memcpy(ks->TK1 + 4, m, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_384_encrypt(ks, S, S);
- mlen = 0;
- }
- }
-
- /* Process all message double blocks except the last */
- romulus2_set_domain(ks, 0x6C);
- while (mlen > 28) {
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- m += 28;
- mlen -= 28;
- }
-
- /* Process the last message double block */
- temp = (unsigned)mlen;
- if (temp == 28) {
- /* Last message double block is full */
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- } else if (temp > 16) {
- /* Last message double block is partial */
- temp -= 16;
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_384_encrypt(ks, S, S);
- } else if (temp == 16) {
- /* Last message single block is full */
- lw_xor_block(S, m, 16);
- } else if (temp > 0) {
- /* Last message single block is partial */
- lw_xor_block(S, m, temp);
- S[15] ^= (unsigned char)temp;
- }
-
- /* Process the last partial block */
- romulus2_set_domain(ks, final_domain);
- romulus2_update_counter(ks->TK1);
- memcpy(ks->TK1 + 4, npub, 
12);
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Process the asssociated data for Romulus-M3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- * \param m Points to the message plaintext.
- * \param mlen Length of the message plaintext.
- */
-static void romulus_m3_process_ad
- (skinny_128_256_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *m, unsigned long long mlen)
-{
- uint8_t final_domain = 0xB0;
- unsigned temp;
-
- /* Determine the domain separator to use on the final block */
- final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12);
-
- /* Process all associated data double blocks except the last */
- romulus3_set_domain(ks, 0xA8);
- while (adlen > 28) {
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Process the last associated data double block */
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Last associated data double block is full */
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- } else if (temp > 16) {
- /* Last associated data double block is partial */
- temp -= 16;
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- } else {
- /* Last associated data block is single. 
Needs to be combined
- * with the first block of the message payload */
- romulus3_set_domain(ks, 0xAC);
- romulus3_update_counter(ks->TK1);
- if (temp == 16) {
- lw_xor_block(S, ad, 16);
- } else {
- lw_xor_block(S, ad, temp);
- S[15] ^= (unsigned char)temp;
- }
- if (mlen > 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- m += 12;
- mlen -= 12;
- } else if (mlen == 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_256_encrypt(ks, S, S);
- m += 12;
- mlen -= 12;
- } else {
- temp = (unsigned)mlen;
- memcpy(ks->TK1 + 4, m, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_256_encrypt(ks, S, S);
- mlen = 0;
- }
- }
-
- /* Process all message double blocks except the last */
- romulus3_set_domain(ks, 0xAC);
- while (mlen > 28) {
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- m += 28;
- mlen -= 28;
- }
-
- /* Process the last message double block */
- temp = (unsigned)mlen;
- if (temp == 28) {
- /* Last message double block is full */
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- } else if (temp > 16) {
- /* Last message double block is partial */
- temp -= 16;
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_256_encrypt(ks, S, S);
- } else if (temp == 16) {
- /* Last message single block is full */
- lw_xor_block(S, m, 16);
- } else if (temp > 0) {
- /* Last message single block is partial */
- lw_xor_block(S, m, temp);
- S[15] ^= (unsigned char)temp;
- }
-
- /* Process the last partial block */
- romulus3_set_domain(ks, final_domain);
- romulus3_update_counter(ks->TK1);
- memcpy(ks->TK1 + 4, npub, 
12);
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Applies the Romulus rho function.
- *
- * \param S The rolling Romulus state.
- * \param C Ciphertext message output block.
- * \param M Plaintext message input block.
- */
-STATIC_INLINE void romulus_rho
- (unsigned char S[16], unsigned char C[16], const unsigned char M[16])
-{
- unsigned index;
- for (index = 0; index < 16; ++index) {
- unsigned char s = S[index];
- unsigned char m = M[index];
- S[index] ^= m;
- C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- }
-}
-
-/**
- * \brief Applies the inverse of the Romulus rho function.
- *
- * \param S The rolling Romulus state.
- * \param M Plaintext message output block.
- * \param C Ciphertext message input block.
- */
-STATIC_INLINE void romulus_rho_inverse
- (unsigned char S[16], unsigned char M[16], const unsigned char C[16])
-{
- unsigned index;
- for (index = 0; index < 16; ++index) {
- unsigned char s = S[index];
- unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- S[index] ^= m;
- M[index] = m;
- }
-}
-
-/**
- * \brief Applies the Romulus rho function to a short block.
- *
- * \param S The rolling Romulus state.
- * \param C Ciphertext message output block.
- * \param M Plaintext message input block.
- * \param len Length of the short block, must be less than 16.
- */
-STATIC_INLINE void romulus_rho_short
- (unsigned char S[16], unsigned char C[16],
- const unsigned char M[16], unsigned len)
-{
- unsigned index;
- for (index = 0; index < len; ++index) {
- unsigned char s = S[index];
- unsigned char m = M[index];
- S[index] ^= m;
- C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- }
- S[15] ^= (unsigned char)len; /* Padding */
-}
-
-/**
- * \brief Applies the inverse of the Romulus rho function to a short block.
- *
- * \param S The rolling Romulus state.
- * \param M Plaintext message output block.
- * \param C Ciphertext message input block.
- * \param len Length of the short block, must be less than 16. 
- */
-STATIC_INLINE void romulus_rho_inverse_short
- (unsigned char S[16], unsigned char M[16],
- const unsigned char C[16], unsigned len)
-{
- unsigned index;
- for (index = 0; index < len; ++index) {
- unsigned char s = S[index];
- unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- S[index] ^= m;
- M[index] = m;
- }
- S[15] ^= (unsigned char)len; /* Padding */
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-N1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n1_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no plaintext */
- if (mlen == 0) {
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x15);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus1_set_domain(ks, 0x04);
- while (mlen > 16) {
- romulus_rho(S, c, m);
- romulus1_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus1_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_short(S, c, m, temp);
- romulus1_set_domain(ks, 0x15);
- } else {
- romulus_rho(S, c, m);
- romulus1_set_domain(ks, 0x14);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-N1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes. 
- */
-static void romulus_n1_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no ciphertext */
- if (mlen == 0) {
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x15);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus1_set_domain(ks, 0x04);
- while (mlen > 16) {
- romulus_rho_inverse(S, m, c);
- romulus1_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus1_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_inverse_short(S, m, c, temp);
- romulus1_set_domain(ks, 0x15);
- } else {
- romulus_rho_inverse(S, m, c);
- romulus1_set_domain(ks, 0x14);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-N2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes. 
- */
-static void romulus_n2_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no plaintext */
- if (mlen == 0) {
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x55);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus2_set_domain(ks, 0x44);
- while (mlen > 16) {
- romulus_rho(S, c, m);
- romulus2_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus2_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_short(S, c, m, temp);
- romulus2_set_domain(ks, 0x55);
- } else {
- romulus_rho(S, c, m);
- romulus2_set_domain(ks, 0x54);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-N2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes. 
- */
-static void romulus_n2_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no ciphertext */
- if (mlen == 0) {
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x55);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus2_set_domain(ks, 0x44);
- while (mlen > 16) {
- romulus_rho_inverse(S, m, c);
- romulus2_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus2_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_inverse_short(S, m, c, temp);
- romulus2_set_domain(ks, 0x55);
- } else {
- romulus_rho_inverse(S, m, c);
- romulus2_set_domain(ks, 0x54);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-N3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes. 
- */
-static void romulus_n3_encrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no plaintext */
- if (mlen == 0) {
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x95);
- skinny_128_256_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus3_set_domain(ks, 0x84);
- while (mlen > 16) {
- romulus_rho(S, c, m);
- romulus3_update_counter(ks->TK1);
- skinny_128_256_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus3_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_short(S, c, m, temp);
- romulus3_set_domain(ks, 0x95);
- } else {
- romulus_rho(S, c, m);
- romulus3_set_domain(ks, 0x94);
- }
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-N3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes. 
- */
-static void romulus_n3_decrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no ciphertext */
- if (mlen == 0) {
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x95);
- skinny_128_256_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus3_set_domain(ks, 0x84);
- while (mlen > 16) {
- romulus_rho_inverse(S, m, c);
- romulus3_update_counter(ks->TK1);
- skinny_128_256_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus3_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_inverse_short(S, m, c, temp);
- romulus3_set_domain(ks, 0x95);
- } else {
- romulus_rho_inverse(S, m, c);
- romulus3_set_domain(ks, 0x94);
- }
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-M1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m1_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus1_set_domain(ks, 0x24);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho(S, c, m);
- romulus1_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_short(S, c, m, (unsigned)mlen);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-M1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state. 
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m1_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus1_set_domain(ks, 0x24);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse(S, m, c);
- romulus1_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-M2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m2_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus2_set_domain(ks, 0x64);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho(S, c, m);
- romulus2_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_short(S, c, m, (unsigned)mlen);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-M2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext. 
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m2_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus2_set_domain(ks, 0x64);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse(S, m, c);
- romulus2_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-M3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m3_encrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus3_set_domain(ks, 0xA4);
- while (mlen > 16) {
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho(S, c, m);
- romulus3_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho_short(S, c, m, (unsigned)mlen);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-M3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes. 
- */
-static void romulus_m3_decrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus3_set_domain(ks, 0xA4);
- while (mlen > 16) {
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho_inverse(S, m, c);
- romulus3_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
-}
-
-/**
- * \brief Generates the authentication tag from the rolling Romulus state.
- *
- * \param T Buffer to receive the generated tag; can be the same as S.
- * \param S The rolling Romulus state.
- */
-STATIC_INLINE void romulus_generate_tag
- (unsigned char T[16], const unsigned char S[16])
-{
- unsigned index;
- for (index = 0; index < 16; ++index) {
- unsigned char s = S[index];
- T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7);
- }
-}
-
-int romulus_n1_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. 
Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n1_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Encrypts the plaintext to produce the ciphertext */
- romulus_n1_encrypt(&ks, S, c, m, mlen);
-
- /* Generate the authentication tag */
- romulus_generate_tag(c + mlen, S);
- return 0;
-}
-
-int romulus_n1_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. 
Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n1_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= ROMULUS_TAG_SIZE;
- romulus_n1_decrypt(&ks, S, m, c, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_n2_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. 
Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n2_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Encrypts the plaintext to produce the ciphertext */
- romulus_n2_encrypt(&ks, S, c, m, mlen);
-
- /* Generate the authentication tag */
- romulus_generate_tag(c + mlen, S);
- return 0;
-}
-
-int romulus_n2_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. 
Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n2_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= ROMULUS_TAG_SIZE;
- romulus_n2_decrypt(&ks, S, m, c, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_n3_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. 
Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n3_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Encrypts the plaintext to produce the ciphertext */
- romulus_n3_encrypt(&ks, S, c, m, mlen);
-
- /* Generate the authentication tag */
- romulus_generate_tag(c + mlen, S);
- return 0;
-}
-
-int romulus_n3_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. 
Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n3_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= ROMULUS_TAG_SIZE;
- romulus_n3_decrypt(&ks, S, m, c, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_m1_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. 
Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data and the plaintext message */
- memset(S, 0, sizeof(S));
- romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen);
-
- /* Generate the authentication tag, which is also the initialization
- * vector for the encryption portion of the packet processing */
- romulus_generate_tag(S, S);
- memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Encrypt the plaintext to produce the ciphertext */
- romulus_m1_encrypt(&ks, S, c, m, mlen);
- return 0;
-}
-
-int romulus_m1_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext, using the
- * authentication tag as the initialization vector for decryption */
- clen -= ROMULUS_TAG_SIZE;
- memcpy(S, c + clen, ROMULUS_TAG_SIZE);
- romulus_m1_decrypt(&ks, S, m, c, clen);
-
- /* Re-initialize the key schedule with the key and no nonce. 
Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_m2_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data and the plaintext message */
- memset(S, 0, sizeof(S));
- romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen);
-
- /* Generate the authentication tag, which is also the initialization
- * vector for the encryption portion of the packet processing */
- romulus_generate_tag(S, S);
- memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Encrypt the plaintext to produce the ciphertext */
- romulus_m2_encrypt(&ks, S, c, m, mlen);
- return 0;
-}
-
-int romulus_m2_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext, using the
- * authentication tag as the initialization vector for decryption */
- clen -= ROMULUS_TAG_SIZE;
- memcpy(S, c + clen, ROMULUS_TAG_SIZE);
- romulus_m2_decrypt(&ks, S, m, c, clen);
-
- /* Re-initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_m3_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Initialize the key schedule with the key and no nonce. 
Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data and the plaintext message */
- memset(S, 0, sizeof(S));
- romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen);
-
- /* Generate the authentication tag, which is also the initialization
- * vector for the encryption portion of the packet processing */
- romulus_generate_tag(S, S);
- memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Encrypt the plaintext to produce the ciphertext */
- romulus_m3_encrypt(&ks, S, c, m, mlen);
- return 0;
-}
-
-int romulus_m3_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext, using the
- * authentication tag as the initialization vector for decryption */
- clen -= ROMULUS_TAG_SIZE;
- memcpy(S, c + clen, ROMULUS_TAG_SIZE);
- romulus_m3_decrypt(&ks, S, m, c, clen);
-
- /* Re-initialize the key schedule with the key and no nonce. 
Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
diff --git a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/romulus.h b/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/romulus.h
deleted file mode 100644
index e6da29d..0000000
--- a/romulus/Implementations/crypto_aead/romulusm2v1/rhys-avr/romulus.h
+++ /dev/null
@@ -1,476 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_ROMULUS_H -#define LWCRYPTO_ROMULUS_H - -#include "aead-common.h" - -/** - * \file romulus.h - * \brief Romulus authenticated encryption algorithm family. - * - * Romulus is a family of authenticated encryption algorithms that - * are built around the SKINNY-128 tweakable block cipher. There - * are six members in the family: - * - * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. This is the - * primary member of the family. - * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-256 tweakable block cipher. 
- * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-256 tweakable block cipher. - * - * The Romulus-M variants are resistant to nonce reuse as long as the - * combination of the associated data and plaintext is unique. If the - * same associated data and plaintext are reused under the same nonce, - * then the scheme will leak that the same plaintext has been sent for a - * second time but will not reveal the plaintext itself. - * - * References: https://romulusae.github.io/romulus/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for all Romulus family members. - */ -#define ROMULUS_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for all Romulus family members. - */ -#define ROMULUS_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Romulus-N1 and Romulus-M1. - */ -#define ROMULUS1_NONCE_SIZE 16 - -/** - * \brief Size of the nonce for Romulus-N2 and Romulus-M2. - */ -#define ROMULUS2_NONCE_SIZE 12 - -/** - * \brief Size of the nonce for Romulus-N3 and Romulus-M3. - */ -#define ROMULUS3_NONCE_SIZE 12 - -/** - * \brief Meta-information block for the Romulus-N1 cipher. - */ -extern aead_cipher_t const romulus_n1_cipher; - -/** - * \brief Meta-information block for the Romulus-N2 cipher. - */ -extern aead_cipher_t const romulus_n2_cipher; - -/** - * \brief Meta-information block for the Romulus-N3 cipher. - */ -extern aead_cipher_t const romulus_n3_cipher; - -/** - * \brief Meta-information block for the Romulus-M1 cipher. - */ -extern aead_cipher_t const romulus_m1_cipher; - -/** - * \brief Meta-information block for the Romulus-M2 cipher. 
- */ -extern aead_cipher_t const romulus_m2_cipher; - -/** - * \brief Meta-information block for the Romulus-M3 cipher. - */ -extern aead_cipher_t const romulus_m3_cipher; - -/** - * \brief Encrypts and authenticates a packet with Romulus-N1. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n1_aead_decrypt() - */ -int romulus_n1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N1. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n1_aead_encrypt() - */ -int romulus_n1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-N2. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n2_aead_decrypt() - */ -int romulus_n2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N2. 
- * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n2_aead_encrypt() - */ -int romulus_n2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-N3. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. 
- * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n3_aead_decrypt() - */ -int romulus_n3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N3. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n3_aead_encrypt() - */ -int romulus_n3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M1. - * - * \param c Buffer to receive the output. 
- * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_m1_aead_decrypt() - */ -int romulus_m1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M1. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. 
- * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m1_aead_encrypt() - */ -int romulus_m1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M2. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_m2_aead_decrypt() - */ -int romulus_m2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M2. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. 
- * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m2_aead_encrypt() - */ -int romulus_m2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M3. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa romulus_m3_aead_decrypt() - */ -int romulus_m3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M3. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m3_aead_encrypt() - */ -int romulus_m3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-skinny128-avr.S b/romulus/Implementations/crypto_aead/romulusm3/rhys/internal-skinny128-avr.S similarity index 100% rename from romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-skinny128-avr.S rename to romulus/Implementations/crypto_aead/romulusm3/rhys/internal-skinny128-avr.S diff --git a/romulus/Implementations/crypto_aead/romulusm3/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusm3/rhys/internal-skinny128.c index 65ba4ed..579ced1 100644 --- a/romulus/Implementations/crypto_aead/romulusm3/rhys/internal-skinny128.c +++ b/romulus/Implementations/crypto_aead/romulusm3/rhys/internal-skinny128.c @@ -25,6 +25,8 @@ #include "internal-util.h" #include +#if !defined(__AVR__) + STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) { /* This function is used to fast-forward the TK1 tweak value 
@@ -55,42 +57,33 @@ STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) ((row3 << 24) & 0xFF000000U); } -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t TK3[4]; uint32_t *schedule; unsigned round; uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || (key_len != 32 && key_len != 48)) - return 0; - +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); + memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); +#else /* Set the initial states of TK1, TK2, and TK3 */ - if (key_len == 32) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - TK3[0] = le_load_word32(key + 16); - TK3[1] = le_load_word32(key + 20); - TK3[2] = le_load_word32(key + 24); - TK3[3] = le_load_word32(key + 28); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); /* Set up the key schedule using TK2 and TK3. TK1 is not added * to the key schedule because we will derive that part of the 
@@ -116,20 +109,7 @@ int skinny_128_384_init skinny128_LFSR3(TK3[0]); skinny128_LFSR3(TK3[1]); } - return 1; -} - -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_384_encrypt @@ -138,7 +118,13 @@ void skinny_128_384_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -148,14 +134,24 @@ void skinny_128_384_encrypt s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
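Review bot: The rewritten `skinny_128_384_init` drops the `!ks || !key` and `key_len` checks and now returns `void`, so nothing rejects a caller that still passes the old 32-byte key form; `key[48]` decays to a plain pointer, and the `memcpy(ks->TK3, key + 32, ...)` and `le_load_word32(key + 32 .. 44)` loads would read 16 bytes past such a buffer. Because the 32-byte variant (TK1 zeroed) disappears silently, the precondition should be stated at the declaration (not in this diff), e.g. `/* key must point to exactly 48 bytes laid out as TK1 || TK2 || TK3; no validation is performed */`, and callers that relied on `key_len == 32` audited. The function body continues in the next hunk.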
@@ -163,8 +159,15 @@ void skinny_128_384_encrypt skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -185,6 +188,16 @@ void skinny_128_384_encrypt /* Permute TK1 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ @@ -200,7 +213,13 @@ void skinny_128_384_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0x15; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; 
@@ -215,15 +234,47 @@ void skinny_128_384_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Permute TK1 to fast-forward it to the end of the key schedule */ skinny128_fast_forward_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_fast_forward_tk(TK2); + skinny128_fast_forward_tk(TK3); + for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2 and TK3. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + skinny128_LFSR3(TK3[2]); + skinny128_LFSR3(TK3[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_inv_permute_tk(TK3); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); + skinny128_LFSR2(TK3[2]); + skinny128_LFSR2(TK3[3]); +#endif /* Inverse mix of the columns */ temp = s3; 
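Review bot: The seed `uint8_t rc = 0x15;` in the small-schedule branch of `skinny_128_384_decrypt` is an unexplained magic number; it is presumably the round-constant LFSR state after SKINNY_128_384_ROUNDS forward steps, so that the backwards update in the round loop produces the last round's constant first, but nothing in the code says so. A one-line comment such as `/* LFSR state after SKINNY_128_384_ROUNDS steps; stepped backwards in the loop below */` would let a reader check it against the encrypt side's `rc = 0`. The same applies to `rc = 0x09` in `skinny_128_256_decrypt` later in this diff. The function body continues in the following hunks.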
@@ -240,8 +291,15 @@ void skinny_128_384_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ @@ -259,13 +317,18 @@ void skinny_128_384_decrypt } void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2) { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; uint32_t TK2[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -275,7 +338,7 @@ void skinny_128_384_encrypt_tk2 s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); @@ -284,9 +347,15 @@ void skinny_128_384_encrypt_tk2 TK2[1] = le_load_word32(tk2 + 4); TK2[2] = le_load_word32(tk2 + 8); TK2[3] = le_load_word32(tk2 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
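Review bot: The new `// Also fast-forward the LFSR's on every byte of TK2 and TK3.` comment inside the `round += 2` loop uses a C++-style line comment while the rest of this file uses `/* ... */` block comments; it should be `/* Also fast-forward the LFSRs on every byte of TK2 and TK3. */` for consistency. It would also help to state why the loop steps by two, since that is what a reader must verify: presumably each tweakey cell is LFSR-clocked once every two rounds, so `ROUNDS/2` clocks of every word fast-forwards the whole state, e.g. `/* every cell is clocked once per two rounds, so ROUNDS/2 clocks per word */`. The same loop shape recurs in `skinny_128_256_decrypt` further down.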
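Review bot: `skinny_128_384_encrypt_tk2` loses the `const` on its `ks` parameter although the visible body only reads `ks->TK1` and `ks->TK3`; this widens the contract (callers holding a `const` schedule no longer compile) and implies a mutation that does not happen in this translation unit. If the qualifier was removed because the `__AVR__` backend uses the schedule as scratch space, that deserves a comment at the declaration, e.g. `/* ks is not const: the AVR implementation may modify it */`; otherwise restoring `const skinny_128_384_key_schedule_t *ks` is the safer signature. The function continues past this hunk.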
@@ -294,8 +363,15 @@ void skinny_128_384_encrypt_tk2 skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -319,6 +395,13 @@ void skinny_128_384_encrypt_tk2 skinny128_permute_tk(TK2); skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK3); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -408,33 +491,27 @@ void skinny_128_384_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t *schedule; unsigned round; uint8_t rc; +#endif - /* Validate the parameters */ - if (!ks || !key || (key_len != 16 && key_len != 32)) - return 0; - +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); +#else /* Set the initial states of TK1 and TK2 */ - if (key_len == 16) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); /* Set up the key schedule using TK2. TK1 is not added * to the key schedule because we will derive that part of the @@ -457,20 +534,7 @@ int skinny_128_256_init skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); } - return 1; -} - -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_256_encrypt 
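Review bot: `skinny_128_256_init` now opens with `#if !SKINNY_128_SMALL_SCHEDULE` for the locals immediately followed by `#if SKINNY_128_SMALL_SCHEDULE ... #else` for the code, two back-to-back conditionals on the same macro that are harder to read than one; since the locals are only used by the large-schedule path, folding them into the `#else` arm (`#if SKINNY_128_SMALL_SCHEDULE` / copy / `#else` / declarations + schedule build / `#endif`) expresses the same thing with a single conditional. As with the 384-bit variant, the removed `key_len == 16` form (TK1 zeroed) and the dropped pointer checks mean `key[32]` is an unenforced precondition that should be documented at the declaration, e.g. `/* key must point to exactly 32 bytes: TK1 || TK2 */`. The body continues in the next hunk.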
@@ -479,7 +543,12 @@ void skinny_128_256_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -494,18 +563,31 @@ void skinny_128_256_encrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); skinny128_sbox(s2); skinny128_sbox(s3); - /* Apply the subkey for this round */ + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -524,8 +606,15 @@ void skinny_128_256_encrypt s1 = s0; s0 = temp; - /* Permute TK1 for the next round */ + /* Permute TK1 and TK2 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -541,7 +630,12 @@ void skinny_128_256_decrypt
 {
 uint32_t s0, s1, s2, s3;
 uint32_t TK1[4];
- const uint32_t *schedule;
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint8_t rc = 0x09;
+#else
+ const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]);
+#endif
 uint32_t temp;
 unsigned round;
@@ -558,12 +652,29 @@ void skinny_128_256_decrypt
 TK1[1] = le_load_word32(ks->TK1 + 4);
 TK1[2] = le_load_word32(ks->TK1 + 8);
 TK1[3] = le_load_word32(ks->TK1 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK2[0] = le_load_word32(ks->TK2);
+ TK2[1] = le_load_word32(ks->TK2 + 4);
+ TK2[2] = le_load_word32(ks->TK2 + 8);
+ TK2[3] = le_load_word32(ks->TK2 + 12);
+ for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) {
+ // Also fast-forward the LFSR's on every byte of TK2.
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ skinny128_LFSR2(TK2[2]);
+ skinny128_LFSR2(TK2[3]);
+ }
+#endif
 /* Perform all decryption rounds */
- schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]);
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) {
+ for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
 /* Inverse permutation on TK1 for this round */
 skinny128_inv_permute_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_inv_permute_tk(TK2);
+ skinny128_LFSR3(TK2[2]);
+ skinny128_LFSR3(TK2[3]);
+#endif
 /* Inverse mix of the columns */
 temp = s3;
@@ -580,8 +691,15 @@ void skinny_128_256_decrypt
 s3 = leftRotate8(s3);
 /* Apply the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
+ s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
+#else
 s0 ^= schedule[0] ^ TK1[0];
 s1 ^= schedule[1] ^ TK1[1];
+ schedule -= 2;
+#endif
 s2 ^= 0x02;
 /* Apply the inverse of the S-box to all bytes in the state */
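Review bot: The small-schedule decrypt now rests on two undocumented facts that both break silently if `SKINNY_128_256_ROUNDS` ever changes: the fast-forward loop applies `skinny128_LFSR2` to every TK2 word exactly ROUNDS/2 times and then assumes the tweakey permutation has cycled back to identity, and `rc = 0x09` is presumably the round-constant LFSR state after that many forward steps. Replace the C++-style `// Also fast-forward the LFSR's on every byte of TK2.` (the rest of the file uses `/* */`) with a comment that states the assumptions, e.g. `/* Fast-forward TK2 to its state after SKINNY_128_256_ROUNDS rounds: each word receives the LFSR ROUNDS/2 times and the permutation is assumed to be back at identity. */`, and annotate the initialiser `uint8_t rc = 0x09; /* round-constant LFSR state after SKINNY_128_256_ROUNDS forward steps */`. I checked that the inverse step `rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20)` is the exact inverse of the forward update used in encrypt. The decrypt loop continues outside the hunk.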
@@ -670,142 +788,14 @@ void skinny_128_256_encrypt_tk_full
 le_store_word32(output + 12, s3);
 }
-int skinny_128_128_init
- (skinny_128_128_key_schedule_t *ks, const unsigned char *key,
- size_t key_len)
-{
- uint32_t TK1[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-
- /* Validate the parameters */
- if (!ks || !key || key_len != 16)
- return 0;
-
- /* Set the initial state of TK1 */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
+#else /* __AVR__ */
- /* Set up the key schedule using TK1 */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK1[0] ^ (rc & 0x0F);
- schedule[1] = TK1[1] ^ (rc >> 4);
-
- /* Permute TK1 for the next round */
- skinny128_permute_tk(TK1);
- }
- return 1;
-}
-
-void skinny_128_128_encrypt
- (const skinny_128_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
+void skinny_128_384_encrypt_tk2
+ (skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input, const unsigned char *tk2)
 {
- uint32_t s0, s1, s2, s3;
- const uint32_t *schedule = ks->k;
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
- s0 ^= schedule[0];
- s1 ^= schedule[1];
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
+ memcpy(ks->TK2, tk2, 16);
+ skinny_128_384_encrypt(ks, output, input);
 }
-void skinny_128_128_decrypt
- (const skinny_128_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- const uint32_t *schedule;
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Perform all decryption rounds */
- schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]);
- for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) {
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
- s0 ^= schedule[0];
- s1 ^= schedule[1];
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
+#endif /* __AVR__ */
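Review bot: On the `__AVR__` side `skinny_128_384_encrypt_tk2` does `memcpy(ks->TK2, tk2, 16)` and never restores it, so after the call the key schedule holds the last tweak and a subsequent plain `skinny_128_384_encrypt` on the same `ks` computes something different from a build where the function leaves `ks` untouched (the header only says some versions "may" modify it, and the non-AVR implementation is outside this hunk so I cannot confirm which behaviour it has). Either save the 16 bytes of `ks->TK2` before the copy and put them back after `skinny_128_384_encrypt` returns so both builds observe the same contract, or state the side effect where it happens: `/* AVR build: tk2 is left in ks->TK2 after this call. */`. The `#if` that pairs with `#else /* __AVR__ */` is outside this hunk.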
diff --git a/romulus/Implementations/crypto_aead/romulusm3/rhys/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusm3/rhys/internal-skinny128.h
index 76b34f5..2bfda3c 100644
--- a/romulus/Implementations/crypto_aead/romulusm3/rhys/internal-skinny128.h
+++ b/romulus/Implementations/crypto_aead/romulusm3/rhys/internal-skinny128.h
@@ -39,6 +39,16 @@ extern "C" {
 #endif
 /**
+ * \def SKINNY_128_SMALL_SCHEDULE
+ * \brief Defined to 1 to use the small key schedule version of SKINNY-128.
+ */
+#if defined(__AVR__)
+#define SKINNY_128_SMALL_SCHEDULE 1
+#else
+#define SKINNY_128_SMALL_SCHEDULE 0
+#endif
+
+/**
 * \brief Size of a block for SKINNY-128 block ciphers.
 */
 #define SKINNY_128_BLOCK_SIZE 16
@@ -56,8 +66,16 @@ typedef struct
 /** TK1 for the tweakable part of the key schedule */
 uint8_t TK1[16];
- /** Words of the key schedule */
+#if SKINNY_128_SMALL_SCHEDULE
+ /** TK2 for the small key schedule */
+ uint8_t TK2[16];
+
+ /** TK3 for the small key schedule */
+ uint8_t TK3[16];
+#else
+ /** Words of the full key schedule */
 uint32_t k[SKINNY_128_384_ROUNDS * 2];
+#endif
 } skinny_128_384_key_schedule_t;
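Review bot: `SKINNY_128_SMALL_SCHEDULE` is hard-wired to `__AVR__`, so the small-schedule encrypt/decrypt paths introduced by this diff can only ever be compiled and KAT-tested on an AVR target; wrap the block in `#if !defined(SKINNY_128_SMALL_SCHEDULE)` … `#endif` so a host build can be forced through the same path and compared byte-for-byte against the full-schedule output. The new `TK1`/`TK2`/`TK3` byte layout of `skinny_128_384_key_schedule_t` is presumably what the AVR backend of `skinny_128_384_encrypt` relies on, so the struct deserves a one-line warning: `/* Field order and offsets are relied upon by the AVR implementation; do not reorder. */`.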
@@ -66,29 +84,9 @@ typedef struct
 *
 * \param ks Points to the key schedule to initialize.
 * \param key Points to the key data.
- * \param key_len Length of the key data, which must be 32 or 48,
- * where 32 is used for the tweakable variant.
- *
- * \return Non-zero on success or zero if there is something wrong
- * with the parameters.
 */
-int skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char *key,
- size_t key_len);
-
-/**
- * \brief Sets the tweakable part of the key schedule for SKINNY-128-384.
- *
- * \param ks Points to the key schedule to modify.
- * \param tweak Points to the tweak data.
- * \param tweak_len Length of the tweak data, which must be 16.
- *
- * \return Non-zero on success or zero if there is something wrong
- * with the parameters.
- */
-int skinny_128_384_set_tweak
- (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak,
- size_t tweak_len);
+void skinny_128_384_init
+ (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]);
 /**
 * \brief Encrypts a 128-bit block with SKINNY-128-384.
@@ -133,9 +131,12 @@ void skinny_128_384_decrypt
 * This version is useful when both TK1 and TK2 change from block to block.
 * When the key is initialized with skinny_128_384_init(), the TK2 part of
 * the key value should be set to zero.
+ *
+ * \note Some versions of this function may modify the key schedule to
+ * copy tk2 into place.
 */
 void skinny_128_384_encrypt_tk2
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ (skinny_128_384_key_schedule_t *ks, unsigned char *output,
 const unsigned char *input, const unsigned char *tk2);
 /**
@@ -170,8 +171,13 @@ typedef struct
 /** TK1 for the tweakable part of the key schedule */
 uint8_t TK1[16];
- /** Words of the key schedule */
+#if SKINNY_128_SMALL_SCHEDULE
+ /** TK2 for the small key schedule */
+ uint8_t TK2[16];
+#else
+ /** Words of the full key schedule */
 uint32_t k[SKINNY_128_256_ROUNDS * 2];
+#endif
 } skinny_128_256_key_schedule_t;
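Review bot: The doc for `skinny_128_384_init` lost its length information along with `key_len` and now says only `\param key Points to the key data.`, while the declaration requires 48 bytes and the Romulus callers in this diff fill them as counter, nonce, key at offsets 0, 16 and 32, i.e. presumably TK1 || TK2 || TK3. Spell the contract out in the header: `\param key Points to the 48 bytes of key data, laid out as TK1 || TK2 || TK3 (16 bytes each); no validation is performed.`. With `skinny_128_384_set_tweak` gone, writing `ks->TK1` directly is the only way left to change the tweak between blocks, which should be stated on the struct's `TK1` field so it is understood to be part of the public contract rather than an internal.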
@@ -180,29 +186,9 @@ typedef struct
 *
 * \param ks Points to the key schedule to initialize.
 * \param key Points to the key data.
- * \param key_len Length of the key data, which must be 16 or 32,
- * where 16 is used for the tweakable variant.
- *
- * \return Non-zero on success or zero if there is something wrong
- * with the parameters.
 */
-int skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char *key,
- size_t key_len);
-
-/**
- * \brief Sets the tweakable part of the key schedule for SKINNY-128-256.
- *
- * \param ks Points to the key schedule to modify.
- * \param tweak Points to the tweak data.
- * \param tweak_len Length of the tweak data, which must be 16.
- *
- * \return Non-zero on success or zero if there is something wrong
- * with the parameters.
- */
-int skinny_128_256_set_tweak
- (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak,
- size_t tweak_len);
+void skinny_128_256_init
+ (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]);
 /**
 * \brief Encrypts a 128-bit block with SKINNY-128-256.
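Review bot: `\param key Points to the key data.` no longer says how long `key` is or how it is split, although the new `skinny_128_256_init` in this diff copies `key[0..16)` into TK1 and loads TK2 from `key + 16` with no length check, so a caller passing the old 16-byte form would read past its buffer. Suggest `\param key Points to the 32 bytes of key data, laid out as TK1 || TK2 (16 bytes each); the caller must supply all 32 bytes and no validation is performed.`. Since `skinny_128_256_set_tweak` is removed here, the `TK1` field of the struct should also be documented as writable by the caller between blocks.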
@@ -251,63 +237,6 @@ void skinny_128_256_encrypt_tk_full
 (const unsigned char key[32], unsigned char *output,
 const unsigned char *input);
-/**
- * \brief Number of rounds for SKINNY-128-128.
- */
-#define SKINNY_128_128_ROUNDS 40
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-128.
- */
-typedef struct
-{
- /** Words of the key schedule */
- uint32_t k[SKINNY_128_128_ROUNDS * 2];
-
-} skinny_128_128_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-128.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- * \param key_len Length of the key data, which must be 16.
- *
- * \return Non-zero on success or zero if there is something wrong
- * with the parameters.
- */
-int skinny_128_128_init
- (skinny_128_128_key_schedule_t *ks, const unsigned char *key,
- size_t key_len);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-128.
- *
- * \param ks Points to the SKINNY-128-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_128_encrypt
- (const skinny_128_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-128.
- *
- * \param ks Points to the SKINNY-128-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_128_decrypt
- (const skinny_128_128_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
 #ifdef __cplusplus
 }
 #endif
diff --git a/romulus/Implementations/crypto_aead/romulusm3/rhys/internal-util.h b/romulus/Implementations/crypto_aead/romulusm3/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/romulus/Implementations/crypto_aead/romulusm3/rhys/internal-util.h
+++ b/romulus/Implementations/crypto_aead/romulusm3/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by
15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/romulus/Implementations/crypto_aead/romulusm3/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusm3/rhys/romulus.c
index be1c0fa..bb19cc5 100644
--- a/romulus/Implementations/crypto_aead/romulusm3/rhys/romulus.c
+++ b/romulus/Implementations/crypto_aead/romulusm3/rhys/romulus.c
@@ -116,14 +116,15 @@ static void romulus1_init
 (skinny_128_384_key_schedule_t *ks, const unsigned char *k,
 const unsigned char *npub)
 {
- unsigned char TK[32];
+ unsigned char TK[48];
+ TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */
+ memset(TK + 1, 0, 15);
 if (npub)
- memcpy(TK, npub, 16);
+ memcpy(TK + 16, npub, 16);
 else
- memset(TK, 0, 16);
- memcpy(TK + 16, k, 16);
- skinny_128_384_init(ks, TK, sizeof(TK));
- ks->TK1[0] = 0x01; /* Initialize the 56-bit LFSR counter */
+ memset(TK + 16, 0, 16);
+ memcpy(TK + 32, k, 16);
+ skinny_128_384_init(ks, TK);
 }
 /**
@@ -138,14 +139,18 @@ static void romulus2_init
 (skinny_128_384_key_schedule_t *ks, const unsigned char *k,
 const unsigned char *npub)
 {
- unsigned char TK[32];
- memcpy(TK, k, 16);
- memset(TK + 16, 0, 16);
- TK[16] = 0x01; /* Initialize the high 24 bits of the LFSR counter */
- skinny_128_384_init(ks, TK, sizeof(TK));
- ks->TK1[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */
- if (npub)
- memcpy(ks->TK1 + 4, npub, 12);
+ unsigned char TK[48];
+ TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */
+ if (npub) {
+ TK[1] = TK[2] = TK[3] = 0;
+ memcpy(TK + 4, npub, 12);
+ } else {
+ memset(TK + 1, 0, 15);
+ }
+ memcpy(TK + 16, k, 16);
+ TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */
+ memset(TK + 33, 0, 15);
+ skinny_128_384_init(ks, TK);
 }
 /**
@@ -160,10 +165,16 @@ static void romulus3_init
 (skinny_128_256_key_schedule_t *ks, const unsigned char *k,
 const unsigned char *npub)
 {
- skinny_128_256_init(ks, k, 16);
- ks->TK1[0] = 0x01; /* Initialize the 24-bit LFSR counter */
- if (npub)
- memcpy(ks->TK1 + 4, npub, 12);
+ unsigned char TK[32];
+ TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */
+ if (npub) {
+ TK[1] = TK[2] = TK[3] = 0;
+ memcpy(TK + 4, npub, 12);
+ } else {
+ memset(TK + 1, 0, 15);
+ }
+ memcpy(TK + 16, k, 16);
+ skinny_128_256_init(ks, TK);
 }
 /**
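Review bot: Each rewritten init function now stages the 16 key bytes in a stack buffer (`memcpy(TK + 32, k, 16)` in romulus1_init, `memcpy(TK + 16, k, 16)` in romulus2_init and romulus3_init) and returns without clearing it, so key material is left on the stack for whatever runs next in that region; a plain `memset(TK, 0, sizeof(TK))` before return is likely to be optimised away on a dead local, so use the library's secure-wipe helper if it has one, or a `volatile unsigned char *` loop. The staging already existed in the old romulus1_init/romulus2_init, but romulus3_init is newly affected and the buffers have grown to 48 bytes. A one-line comment on the buffer, `/* TK holds key material; wiped before return */`, would make the intent visible to the next editor.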
diff --git a/romulus/Implementations/crypto_aead/romulusm3v1/LWC_AEAD_KAT_128_96.txt b/romulus/Implementations/crypto_aead/romulusm3v1/LWC_AEAD_KAT_128_96.txt deleted file mode 100644 index 7c944f8..0000000 --- a/romulus/Implementations/crypto_aead/romulusm3v1/LWC_AEAD_KAT_128_96.txt +++ /dev/null 
@@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = -CT = 9DAE2C6FA9692264572727DB77EED616 - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00 -CT = A06E348183FC4424F39C7359C872D5F2 - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001 -CT = 853595C5F1146335F1533C1E9FEDDBF7 - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102 -CT = 631FB25C9858EA7E1058A99F65D67A83 - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203 -CT = 9706DC71E0EB2EBA01605DE182CEE866 - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304 -CT = 8C932E997586A6A482D49C020ADE682A - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405 -CT = 0C4C06C0544D93643BA6E061FFF3792A - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506 -CT = 640C7F03930E936A72851F0E65C34E71 - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304050607 -CT = 27BFC46153983D96BB20270BF85A043C - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708 -CT = F11E3A88F2D803694922E7C5B97426E7 - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506070809 -CT = 85E528C3862E2E5CCDF3CACD4A610D24 - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A -CT = A719212753B6755E2EAFB439941246D8 - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B -CT = 7010AF8B5B14902E79D4A3F80AF98E7A - -Count = 14 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C -CT = B6E32DF9F0DDC5A9548244F3A4AFAA14 - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D -CT = 62200A699245B363D8F56DC61D923287 - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E -CT = 640929AFC7783CF9F3D4D79F714AEECE - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = 5525969682EE541F49011737AB329FAC - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C9330E2E5DDE1603C7F199F33B98C4F5 - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = AC17C68945855CA0541DE37C29C22FE9 - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C2B453F4D5344F55CD3C8A0548B0D272 - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 4DA0583AFB112C50DD6A88C5054A0A13 - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FE606D882105430284146FBAB687CA1C - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 92789620B1D87C753A7760A0CFDBB42B - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D134B52B8BE21A8E1ECE39EA35D07B94 - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 1DFABD385749878DDD4640DD81786500 - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 92517ECE8DD15C1B4FCF3B1BEFA5C2B4 - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 70BF37A6E98661B1B2D586367B1233C5 - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 80D3EF637138502EF9F0390539A092A2 - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 5767F28E17459EB8254ACBFBEE567A71 - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 7747DD162E32EFE24755F9D70BA5A265 - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 1BD9F61955FE9CB202374F81ED901C6B - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = EE624B23394A250E6208038803324F98 - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 4A5843CF6314CA97CD9F234C80DDDE14 - -Count = 34 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = -CT = 90F142D9783BEACFEEB4AD9A809FB869FB - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00 -CT = A4B6A330DE9994C77C146ED259102A5612 - 
-Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001 -CT = A14942AD2A8AD0782D6A84FC23CF131A82 - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102 -CT = 906EB8F0EF2CF9FE61FFBC8FA2DDFCE4D5 - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203 -CT = B6A099B675A171441E8F37B2AB832E0426 - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304 -CT = BCE3E8D86A83DB55A3F8AEB07F0F4E8A84 - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405 -CT = 7F2B052BE3176B830D227904237BE426C8 - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506 -CT = 015D56DAF5D486BF8BD969A59FEB77B1C9 - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304050607 -CT = 96C630D064579136193B3ED1D96F2AD560 - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708 -CT = E8DE3BB3A22CBA30931448AE4EF077C660 - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506070809 -CT = F042BBA9E94D4FC721DD328C3616689ADA - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A -CT = 6A30693792C1F9030D682E2BCF46D27F1E - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B -CT = 035AF96E21FE4AFC35987007F32ECF286F - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C -CT = 2F0AB16E05D23F0E3725CF6578383A80D8 - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = 4F30E6CFA3AF5F4C750A86393BD7D46A43 - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = 3CECEC3F6BB58BA0B1741841DAE88AF1B1 - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = A2472A7ABCDB339B2DB832AD750A8341DD - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 24D13FC368618F830DE21DCAB079DE4E53 - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 495C599D24D7FCA42D703B073BA0D24C45 - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 5ADA4FD8535F0F93A1564D7D67E1DA7639 - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 058DD23B24D52E3BF8236F16507E1031AE - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 858AFD01AD94FD2D159E6F9A65A1452BE2 - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 80F1B42E8D8A94CAB726ED9B5A05E1A53D - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = A502007C9CD3B7D81E19106C8461903C67 - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = E6CA0D820FA1AFE2F0D5D4D389581ED7A2 - -Count = 59 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 60248073F3048665B84A7D5E3CE043AA8D - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BF7DA59153AA8C984A37A4691CED44F475 - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = ACD1F4ED90041533653261D9C0DDD08977 - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B4D0E44DD79D1B9D25A292F30D927DA8E0 - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 3D5CD41EFE5576D83583E21A90E8564823 - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = C3DFB1B98F0F0FFB03979F0B20A0F072E5 - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 0F8A8B25A9522BD6A8502B880CF8FE054A - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 68A7C8774A5F2642C682DAFF94ED1A227F - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = -CT = 49002F0FF647B434EFD57D3044246F21E89B - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00 -CT = 015EE799144BA2BA239FF717CCB5D1EBDD43 - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 
0001 -CT = 702913B7CB11CECE85F2682E73E87B4EAD4B - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102 -CT = 1B0A7D636DBC0B079D8F072D32651A0DDFA1 - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203 -CT = 9C27C6B03D3CA4144853DF8AAA24BE812C8B - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304 -CT = 23B2A8E23B2B5C5B9DC470EFBE569B3A72D0 - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405 -CT = 452BA72BA114DED56AC2A85A85018B09AA47 - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506 -CT = 1244B70A273108961F785A62F57DBDA0B2D8 - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304050607 -CT = 628A67EF4D5BA12FD9CF95C106548718AEC1 - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708 -CT = B6F3E32FE8AB3DD4D95294ACD48FE75F6906 - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506070809 -CT = 15ABD399A01A45032951F303E09471998C9E - -Count = 78 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A -CT = DB7DB444A3F6B2B9B3C40E4B46AB906BE7D1 - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B -CT = CF3FB9D86D133E27C5CB96935FE426F571B2 - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C -CT = F1EEF06E1D547F5BFE7DAC470A026DC56FE7 - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D 
-CT = 44F4BA43E139A54FF49D62B5A59F1180EC0A - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = 1F838BFA36AA7070A50440C66B2AEF92B270 - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = 8AA3F725FF5EF7F12888FDEAE3A2A9793B58 - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 7E9C85312B70152CBBAAF939E4B7964A5D3A - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = C94303E80E54054D1E1D1F0C2F1FB940266D - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 76A09C0EDA30F69EAFEF52B44172626474E6 - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 0F948E9EB616F8A939C3E4F2DD8DCF447F38 - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 9E27022669AB8B6882C1245850AA539DDAD3 - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 6FBDBB881169116EF9B9B82239A484A142D4 - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 4AD8DE0A0E576E58FE14756094A57597B589 - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 16A1208E8EE09D4F0AA635BF47EF100378A7 - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = D2649D5FBC1062E9EA8046BC352FD86A83E6 - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 587F1848886272F9AE03DABB9F6271756E21 - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 7832C615CDD971A9FA41552B771F05D6966E - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 17D32181DD99CCD4EAC3344D7505568241F7 - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2F1245C067BAC326581CA5E690C093195ED9 - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A8BFC893DBFC1349030491C7B07C5A1F05CF - -Count = 98 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 7ED6F0CB9730944A8E2794D29D055855E377 - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 0B941929903A5019432524BB053463DE3DB8 - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = -CT = E781E7B2C37301F079DC045CFB8DA88552D0B6 - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00 -CT = FEAAD63F9D37A3197B0A0771187EC34E4889C6 - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD 
= 0001 -CT = EBB49D13485321AB8A7286EE406F0624F9079D - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102 -CT = 428B3F220513248E06A055F8E374D9C4F44E56 - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203 -CT = CA8FC93A039A1C1A94AEA9F4D5FC15D06CDFD0 - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304 -CT = 6DDCC3790F1E561C07B2026FCBE13EADB9B9CA - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405 -CT = 0A75B5CF31F94AED463A0061C6ACD19CEC8DB8 - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506 -CT = 517C0FA6CB59783B74F932762A24FA66B7DF35 - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304050607 -CT = EA4D04792F5C8D864F1FC2DEB915B4789919EB - -Count = 109 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708 -CT = 1F9E49D7E3CC924B08BD52D3C0F92109E235DF - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506070809 -CT = D20E596F372047F1D9A33B1A76D98125DA5690 - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A -CT = EB4F6D2F05BBB900A3B155A0DD1A4541CF3058 - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B -CT = 1E80021449F25E8F9D8BC62D044DF0C9F94B79 - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C -CT = DC7385E70EB35CBFBD9D31EB08BD345A93A375 - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = EB9A112DC850F239861AF4501947AFB9BBB846 - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = 38A4D4D5200E973B43406CCDF97B9963C09B2F - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = 8C13F8F3DA281AE309883FE4A58EB4200031F6 - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 1C9D60B7FB115A3D4F1BDEB23BDBF8F58A484D - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = CDCFF45C2E7BF816C573D7EC8D4058D0CE8425 - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FE44101891FB5CB00D7A5301EFEBB4C4AB3F60 - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FD11E555D9FFA1FBF25BAC81ED8BAEBF648FD0 - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 1AD5F2475682773C6933C6B0FBC1EA3CB86B6A - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 7DD09F80A398B514F4B735D82B6D36D5EB645E - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 75B3C0633E543C31A842186C744F609BFD67D5 - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 982CBE2F1FC8629F9A4EFAFA8E4AE37445A96C - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 190CABDE7B3B0AC4184321D18DB47353315EAF - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4027F7E0C1DAB8433D6C8B50462A187D12546E - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 9D1F5A5E839A693538E914962C5DAD2FD38B68 - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 812C56CE4E29731F057ED3CF82785F430AB86F - -Count = 129 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = C85F41E2F9902A3E710B5B713EA1DD80192153 - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2EEF61186CEAC74270DE100495029760C6165F - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 44C55E2FF9D362F4D571CBD9027AD0CB433F41 - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 9DC083372358B7EDB9ED8F037ED1739752FAAE - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = -CT = A6291976B10638423346BABF082145338C0F59EF - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00 -CT = D2EDB5E66670D7D11F65068A9C67A6A49C003AC6 - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001 -CT = CF95AC29FF53CD5584E85D5527F0363151C41D10 - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102 -CT = B0E4AEFCBBAD05D831C22F16877A2034C636A766 - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203 -CT = C084C594518148D95549955894D2BE136995FA79 - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304 -CT = F7AAFBB355D985D5CB760FC5D252D85F30E83854 - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405 -CT = C24E73B64302E45A4151F8C2F7ABAB442FF2B0D8 - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506 -CT = 829973EA76C67B06345E9824E9813A650C9BF91A - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304050607 -CT = 40A2B61445041E07D96CE64407226FDC8859EC24 - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708 -CT = 2DA910B50A689F9453D6DF87AD7BF806A0726820 - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506070809 -CT = 26732F5657E4D4E0DD7F3400BD5092CFA05E5EB0 - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A -CT = 58F2972A146D382F1061A161BB0D2EA28EEE6852 - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B -CT = 1E5D5E34290C3DBD8F135C257B4EE52A1AEFC03B - 
-Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = 1835770AD5170BD547F308AB4F8D0668E89F58C2 - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = 326D25FAF722BC15978C9926BE079234E06769A0 - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = F9FF2E7522AA65DE6539C960145FD1A4CBBDFAEB - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = 013EDA090ACF76438E68B8DDB025EB4C635AB460 - -Count = 150 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 790FE9A972F1EB93DCC6A5B1FC31B032E59D5258 - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = D4E256F38255A15743A23C168AA53C7321B3AE06 - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 8588CC3CA6AC0A484436B3C4FC19F847850D1BEE - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 4AA9E91D669C1C9ECFA263E3A844FF32613BFC09 - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 93BA3B23E13AC0DEFDCB0ECE6FA85EFAF0A39301 - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C598C65E0A4EBC8356236C097A48F7F834625CFC - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = E3C14061E356456958836167BF7DB4195A87C983 - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 83A481A807C60BD23FDB6B7F49B7BC2B055FB8BB - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 853A202CA4EE103B38D18C09FA64956787BD813B - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = E00F2109DDB35B63132FAC9A1BD512527DFADBA7 - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FABC3263F830D8EAC9FC57B6BEB8B721AA42510E - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 78C9657D2B3EA2C5D686F7F3137E23A38094EBAA - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2B1F70E34873E3812E76E5B5EDA8DE6F850CD9CC - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = BA2F556176FA1F301123416AE68760519111FB37 - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = A2C2E5DA0BC096DE595FCEF425CCD762AFD201D4 - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 16AD49622450CE708C6AFDE41659FF71591589F3 - -Count = 166 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = -CT = 0D1D71DC0FF76B0D631FB97BEECDA28ABDFB8FB515 - -Count = 167 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00 -CT = 05B679F542E7070E4F5C725CE7232510D1BB0A1C59 - -Count = 168 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001 -CT = 660B4198CCEE838673A33F70842EBD48231EA7CAAF - -Count = 169 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102 -CT = FE2D4C46AB26D1F0B1B4DF4880420AF1A35C1A3931 - -Count = 170 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203 -CT = 6770D30B8C53798912E4907BA023E41D7F2C4CD8F0 - -Count = 171 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304 -CT = E3BC83D80BBCB7133838162A5168E92D696129D649 - -Count = 172 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405 -CT = C3C4010704952E3426A0E23D674C3C0B2E6DAF9207 - -Count = 173 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506 -CT = 320A7EDE6195562C45140972E35367BDFAA95AACA2 - -Count = 174 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304050607 -CT = A4ADAEA4ECE359ECFBE2782EBA4EF36C7964CC2B50 - -Count = 175 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708 -CT = 053E25FCFA3C90B135EDA590D64B4022B1362D2299 - -Count = 176 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506070809 -CT = 
5DC1BF146E25ED467055B52AFB39C7DCBCFBA18078 - -Count = 177 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A -CT = A5DC676F98146F8C063FAA9F0FFD21AB404A6DCBF8 - -Count = 178 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B -CT = 9C8AC31D5F6549FBE9FE5CB22540F471F443592A85 - -Count = 179 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C -CT = 924C229731D932C664AB223CB8BE2453F02D7ABC84 - -Count = 180 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D -CT = 4129684072F22F6DE6BEBA93F01EF80836C5DFECC8 - -Count = 181 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E -CT = 142F849B01B2E2B451A0433C757AF3C619982A9764 - -Count = 182 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0E3CA9D9D323277376EA693B8B7F23A2D7AE76A299 - -Count = 183 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 40A735C32ECB9D7AD5423B6BA36A123E361D581EDF - -Count = 184 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = DEC80732BFE1DD010779C49AE625AFB220D5E23B75 - -Count = 185 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 33D7A9A1186494CAB4EC73416FC2FECDC98A8723CA - -Count = 186 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 016810DBA112802ED1BD2C56184365676FA7298DF8 - -Count = 187 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FCDD7551A8EFDADB83459789E684DC1E51C12EF5A0 - -Count = 188 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 01708BB21C0397F5DBE2D8DDAD349267EA40F9E457 - -Count = 189 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 7A720F85D68924895713C6753008351E73F7639F1E - -Count = 190 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 1213D0AFC959848581025459AC38CB373111E12E1F - -Count = 191 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 16CA193430A8A50920FB5D7BB3ECC63C7B804104AB - -Count = 192 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 0F5D66A31DF1AF33312CC89D990F3FFDDAEE00E160 - -Count = 193 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BF51878D98C8B99A4D1E942E61FFB736E83E232E77 - -Count = 194 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = DB3C6345FD4EBD1ADD375DD8CF5AA6A716F76FF246 - -Count = 195 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = DC5A78CFF53A8AA97EAC21554B39E6BE66CD06A0FA - -Count = 196 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 6FE173ABBA440BF8D030DF330CC186B4D4FF916658 - -Count = 197 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = F051718EE4E985E8DEBDFCA86293B6EB9ECB940811 - -Count = 198 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 7D946F8CF85805772410191981B31D406946072E18 - -Count = 199 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = -CT = 37ABD57DC5B7173984990C5659CF436BC8B7C914A0DE - -Count = 200 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00 -CT = FF5751B6A9286C5E85685C03A71E308AC37CF181F5F9 - -Count = 201 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001 -CT = FFD5D502785866145D8F56C42A40851D2253BDD7E35B - -Count = 202 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102 -CT = C33B18DCDABA3F1A26CEFD44FB18C731CDDB1E22A9EB - -Count = 203 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203 -CT = 17032160C7CC88B86217C06FF6E08DA46DBC0EC65D23 - -Count = 204 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304 -CT = 57319683C805E997367374EB7B8450D712A3C54B921D - -Count = 205 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405 -CT = 97BF1EFE28BD23E9F6D88CE93D318B413AA14C7A53AF - -Count = 206 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506 -CT = 15BAA06B81BCDE2A2D705EEDD807948E151EE07F1C08 - -Count = 207 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304050607 -CT = C5428CDD73ED1664D8961C29A1FB541F28CEEC5B34F1 - -Count = 208 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708 -CT = 1615EC1EAA4E360F3C97A8B001590D08C72536979C9F - -Count = 209 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506070809 -CT = 19A42219C8F236388AEDEE70A36928C7DF6DC1EE89D8 - -Count = 210 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A -CT = 1D387E53EDC7B768D5C82E2774CD7F8107D16C57E781 - -Count = 211 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B -CT = 7A0AB96235760CE5CC10867435D030CEB440FACB9FDB - -Count = 212 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C -CT = D369A22BF242FB0A88DBD02E6EFE703C18CDB880CAC9 - -Count = 213 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D -CT = 7EF5B7954815AFE31466609F3CFA9F7C5B402D9661FA - -Count = 214 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E -CT = 62E897D1977F6CE46E9A37792F67C52C463F8EF485B9 - -Count = 215 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F -CT = 20FB54812BF4267355D48BC95D3D31A1016C6F24B7AA - -Count = 216 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 95726E27F58D8E82BB1F5F2592EB01A6CC2DC68C2772 - -Count = 217 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 
000102030405060708090A0B0C0D0E0F1011 -CT = CF0049F113D5EAD9A6644608B5778C525E90A3A9804D - -Count = 218 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 20203F46990500E57599FABB5BEA2DDF341CD0B873B8 - -Count = 219 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 535F42C719069DF99DC02CF310604A864B078189C830 - -Count = 220 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 267BA34E62E145559337F50D2B1D9FA8B67B2DE80E5B - -Count = 221 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 530D6AD11B83E110463AAE94E11A97194F35B42D3F3A - -Count = 222 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F158CAB656D19E2927512524AE7E873EFA7007157C24 - -Count = 223 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 1DE9CB3514C38282A69F9AF3BFB61B088D71456C8286 - -Count = 224 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 1CFE0A3F18268D6FD8E90206096D0F2590C0B824B300 - -Count = 225 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = C8912FD7D03A89E5F69479B10D48C9F9DF1CC284754D - -Count = 226 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 0FCB8E8F86E0AC114A65865451F7F77EC554BD8262A5 - 
-Count = 227 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = BC982F033B176D70A7D2B7FF3B8DDCDE33E548749AD9 - -Count = 228 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 8B851BEB8CC2D26B5340F21FB5AC6109221CACADBC2C - -Count = 229 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = D1C9EDABCB9EA93573EFB31D988B500D6DFD8A7227A0 - -Count = 230 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 59B237DAD4776F03818A6F5FEDFBC500738211854DC3 - -Count = 231 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = D2E83DC105E803D5FDD63DD57D23592D91BC1758C692 - -Count = 232 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = -CT = CFC258CD4A6292D25713E9C5BE9438D11B5E34CF8843AD - -Count = 233 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00 -CT = 49423949D76A614166005CD0909C791C33345CD09831CC - -Count = 234 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001 -CT = 9BB1BF0755DF33D1FD5D6B139A56179D04F9F474A67315 - -Count = 235 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102 -CT = F76BEC9465B823F64AF77D6B6560979C08C10AAF407D29 - -Count = 236 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203 -CT = 1743A38155066991602B0214E3AB9DAF1D5EFD1D733F16 - 
-Count = 237 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304 -CT = 04847475A12C002ECBD48CEE5C0FFF03F259B5F238464F - -Count = 238 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405 -CT = A286D5534A560F3BA1F751A72E3224C4E19C2BB608EA78 - -Count = 239 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506 -CT = 0D49EE39F3B45086AF188804A9C3A2E0F639EC2F1D4436 - -Count = 240 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304050607 -CT = 34F5ACFF568BA384A817CB0911CED2C13BA4BA6B10ED08 - -Count = 241 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708 -CT = 5B006EC95585D66ABB47D71F3ACA326DE9532380635F5D - -Count = 242 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506070809 -CT = C1CB8EAC1ADC2886F097C0FFEC9B40BCDFF490FEDDFC1C - -Count = 243 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A -CT = 91B0A6E97E30B762D626C79A1C037A9636EC4761A89CBC - -Count = 244 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B -CT = A919710FEAF1ADAF4E87258CA1A2E6ADF3FEA4F1AA2614 - -Count = 245 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C -CT = 41A6E93856D7543C2ED826AB206E7EF315FBE185E571B3 - -Count = 246 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D -CT = CFD47C7B52B81CE4D0CCF1A47660D45A7B4B57EB440C7F - -Count = 247 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 
-AD = 000102030405060708090A0B0C0D0E -CT = D1B6699ADCB178367B16C836DD6F4622DC37DC20ED7AE3 - -Count = 248 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F -CT = 5EB7AED4A67D2A9A6E66D641C54370BAD1B83D2A517C8C - -Count = 249 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 6872F193E19E0271CF05E225DEFF950229EEACBB76DE30 - -Count = 250 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = E6F0F64820540677E14C640A5F16D5084FCD83373826B0 - -Count = 251 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 314D093712646EEE248BDF6B14F9C5E859221214655A8C - -Count = 252 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = CDCDBB8860541B2848592127BE7D5205EDFD1C44F606FB - -Count = 253 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FE3969ABFFF2D1812186A1ABE3F6F6C578D32E558007E1 - -Count = 254 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 763C00132241CC365DAC9353D0403C933B125D9B91D614 - -Count = 255 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = CC80B39648F61CD89980020B4FC3F4D30211AFEF3CBEF7 - -Count = 256 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 57E556D686BB938ABA4AB5E89A12071F75255C265C4AA2 - -Count = 257 -Key 
= 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 3AEF04DB0D7889DB98296DCD7A8DF5946DDF689ED5383E - -Count = 258 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = A3656265CBA8808E19B94DEFA315CD00F586F842437DA2 - -Count = 259 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6AB97232B7B100930B800EC1C53C6D3D09F85E99A5123D - -Count = 260 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 0333705A6EEF7088FF3899F98CD0B3E9EC47B0C36C484B - -Count = 261 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = F23F8D8D0B14156A4B4163E79690E44AB951207A61D912 - -Count = 262 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 774AC03D6639A9CDCBCF28BB18337745AA2F6454C84431 - -Count = 263 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 88AAC4CB1A924E5A97BCA7CE12543A65A6584352F0D7F9 - -Count = 264 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 9641DAE6F8B33436FC804388F5CAA8B3F2616851E95CD8 - -Count = 265 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = -CT = 11F338C84870385D2D453DD8E77AA69462A7FE6E863D98EE - -Count = 266 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00 -CT = E08156A86850B204985F84D0AE75ECF01B63B44D0CFE15D5 - -Count = 267 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001 -CT = 352D9B19D5E7803435056C7FDBA625FFBD80FB7783F59B6E - -Count = 268 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102 -CT = 6BDA5C2A0620D411F1BCCE05B0CED24171F76514E93090AE - -Count = 269 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203 -CT = FFDF2C1B622593CF9F0FF153AB3DD2DFE975A120ABF26EC0 - -Count = 270 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304 -CT = 9BEEF6E409796871BDEC69D9A3792BE9AA94176938E3E582 - -Count = 271 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405 -CT = E06FAF0DB86B8A5F4C45172206F4A6F7E49946FE70855093 - -Count = 272 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506 -CT = 36ED9EAAC290D5C573234D3D1D6A552F8B84639A1DC7CE92 - -Count = 273 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304050607 -CT = 2661C08F8D488CBF804E74E493348411889CD989B8AB82D4 - -Count = 274 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708 -CT = 1A6390D4B67D130F5AF8C569A9C5D9E15B715495DFD651DC - -Count = 275 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506070809 -CT = 70EF12D29DD47F31F3C46071CA0373427A143AABA1A0FA13 - -Count = 276 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A -CT = 
FF388197F4CB125515744C6F4312C89B53620357D2705BA2 - -Count = 277 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B -CT = E434B4ADD75ABC98E26986B7C383C9BB7A3959751A6E20E4 - -Count = 278 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C -CT = B64A9DFC7C3ADF700D9E8AB443A5F389E82E5A3A8F3BF596 - -Count = 279 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D -CT = 94FDC76D2361318FBAFBD82BFA280C2B26F2330B46C2EF91 - -Count = 280 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E -CT = 86F825BC2059D5F62937A74D84651C34676DAC821C679870 - -Count = 281 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0AD84AB663C4034704EC156A3A6BCD2451F6ED419B662925 - -Count = 282 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A0168CDB66913FA9425CAB9DB424D93D0A3E700440FCCDB2 - -Count = 283 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 6F0B7A200865B26B384A34ED919393CDFFB26BBE0337CAFE - -Count = 284 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 2D3F0C04AFC60207BEC835AA5DAC33F480C11816486275D5 - -Count = 285 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = D809E2970FF7FEC167A08873B041E9DF826BA211649E5C57 - -Count = 286 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 45199ABDBF8FC882DF7EA2E9C4D862A86A5417EE3DF134D1 - -Count = 287 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = E5DB2EDF5CBBEE50C50F78206CF9E78738E9E151E8C87C3D - -Count = 288 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = DDEC1ED3DC2B8DBE88F5574AB7F4E90AE9624A36A4DFA226 - -Count = 289 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 4C772DCF54CEAAA46795F117FD04BB7D03116B26BC7054F1 - -Count = 290 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = DD73598B65F23E16143D6DAE3D9C36FAFAEC5ACAFD0EA8A7 - -Count = 291 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = D1ED9F38E2372B3FA2E631618ADB6F90DCCF57E1FBE0581B - -Count = 292 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C09AEF667B4A0541CFDEB793AEF77E133D5D3F350A570004 - -Count = 293 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8545EE2906BC8D99D1E1053EC95C18E3088A20759E5CB2ED - -Count = 294 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 49FA4D3438717EC3309CC9B01C23095AA514A37535A1E2C6 - -Count = 295 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 366CC2537EAB871A08429A076BEBF20B9CE885AFE3ACB45D - -Count = 296 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 15797050A0401139743802B9758FB83DB869DFCF179BAADB - -Count = 297 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 14E83F4B55FD8CD30DC86CBCF5103F56E090786D2800134E - -Count = 298 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = -CT = C9314C5ED98A3120F2A790806CF99D0B60B01145FFFC4D12D5 - -Count = 299 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00 -CT = C4123FF27EE987BE955820871C1CFF1883BE7A95840E0ECDED - -Count = 300 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001 -CT = 89B28009F1C1CBA4072CC42504E7E8554E08FAE26E937DE4AF - -Count = 301 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102 -CT = 56180391A85E8779A4E7B58D27E307F92C4C2DDADA9A29FBBF - -Count = 302 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203 -CT = B857CE646ADA138921EEF8800B41A2F59778749CFB650AD57D - -Count = 303 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304 -CT = 454D9CD5EA71CABAF2E605779C53F6D3976314558E39071B2F - -Count = 304 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405 -CT = 547E82E6AB7A66B924542775ED0D49056D742178D6C22DB0C1 - -Count = 305 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506 -CT = 64F3C8519D5A9DB68201D7C0FA1C059DA663994C8D4FC15317 - -Count = 306 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304050607 -CT = BC6C4A10A99EB5D4FE82434DF0C1C8D99ED22EAD3D809E2020 - -Count = 307 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708 -CT = 05EA001E4AD1FF8002E922E92E897837F0B754B1C9EE9629B8 - -Count = 308 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506070809 -CT = BEEEECAF065A2ED134B917055FC3CEBF50D8EFBF63122B8B1C - -Count = 309 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A -CT = 27FC0C49811D420159EB45DC0967F8A37CD223FF6205BAB3E0 - -Count = 310 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B -CT = 161151F618B596A175C6F136AF1B5ED4E7B45984E6ABD6CA01 - -Count = 311 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C -CT = D3BD51D425BF839D5835993B285E096676E1C580F0A4515584 - -Count = 312 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D -CT = 11662B1262E9B62F7A0EB13F8C1BEDF63169EF6B9A75588786 - -Count = 313 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E -CT = AAC5ED11E6EE0128CA1C95E8A05CB82A2A0305BC13D0EA5F6F - -Count = 314 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F -CT = 3483A38386DB009B2A2259ACA218DC6C7324836AB87E00FE32 - -Count = 315 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = CABE889B0A630EB3E306DC484F1078D61DDD24F62D99C4E463 - -Count = 316 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3373D5CE8A1C6310F0C8E4678A710617519968BF6F404C2320 - -Count = 317 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 1B769B51807AF8EFF7DC035FF3BDF2E9385F09A78F3835C0CA - -Count = 318 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 5857A519FC523347EE818FDB8AB445FA68E176D9C6FC318DC3 - -Count = 319 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 95F6827CD1472158F41B789D59624C49835F896AF32DFD49C2 - -Count = 320 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = E9209816404D309D1D141C804689D07A36CBC60337B610F8A9 - -Count = 321 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 9257BD54ACB13648BCB574C22B4243E63E7D8BE016130D9FBB - -Count = 322 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A57F1C404ADB06DEDF5865434138A17E30463435474C50D748 - -Count = 323 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FF478EDE3CD23C4BAB59C8188F25DB531E60160BCB5613B523 - -Count = 324 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 5CC80F31575457AE2B505EB3765CB539EB00FAEF2E2761D943 - -Count = 325 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = F6A86E8965A4224776C334FFC7E86D44FA03ACB7BB2BC70B9E - -Count = 326 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = A627D4B1046A2E0593D89B6DF2734A215FC0FD992E94D44D6B - -Count = 327 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 91964FC5EB2E5F61526F1F488C0414510CA65B11F9A53AA399 - -Count = 328 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = ADFDA3CFE847C332F20FCBBDF3E5390A71E5A0B2DB3F33AE1D - -Count = 329 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = EF4E2BDE17A0F1395469279D0DB37BA0E3EA28732F8F7F6646 - -Count = 330 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 5C2CE3811B7259EA279E228559B2AF55CB5B5F380CDB133F11 - -Count = 331 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = -CT = 445FEBB943EC3E0EFAE2D6146FAECF4C614F2D06F26040968FF1 - -Count = 332 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00 -CT = 50626005ACEC908F8E7463D45C034BDFCCEBB86BFACB9982F2D7 - 
-Count = 333 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001 -CT = 81A54F8D3C1839D16DFD06052E66900D2B69AF9F6850B7B4CB83 - -Count = 334 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102 -CT = 764218A15DB05308D1544621E8F980A6A87814A7E4587D208DFA - -Count = 335 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203 -CT = 285CDAEE4B905086A0BB5B4543D8FB930200DD5E3E6D7F7F8AED - -Count = 336 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304 -CT = 0B2513874CD481BDADAA069F0548854E9DA68F425D70BA65F1A1 - -Count = 337 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405 -CT = 2A0932DAD1133EB8477FC3E0E9A207A7C2C2D124792B95AE9962 - -Count = 338 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506 -CT = 64E68A5AC40D14C00E909FF4C16537B4BD796FAA6B7634FA6581 - -Count = 339 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304050607 -CT = 64A3D493607B3081190B37226C28FF8E240880D2B351BEE4E809 - -Count = 340 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708 -CT = 64CD61A101A78D43F47BC74E3D4D7A6B74F152649FC32AD36B19 - -Count = 341 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506070809 -CT = 42C30422C8D88100C880F062E4FBBD1E1E06CD6E730880B0C14C - -Count = 342 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A -CT = BB0E5F6CD865EA5415DD3A90B5FA744D37F0D3D62E8A100E8227 - -Count = 343 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B -CT = 3B8D37F581CA9C9B22ADB0CC012AA80580335281D5D231F038C8 - -Count = 344 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C -CT = 4271E70502D40773296B0771637040CB5E336BC6A1F74AC78C4F - -Count = 345 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D -CT = 33EF0086DB51F2CF3ECD5D739390D1E44D36EFD6C6A0AB0D2C8E - -Count = 346 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E -CT = 08C95734D86657FCC2EA49120D490F317D9C31D978CE5CA22A94 - -Count = 347 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F -CT = 14463678AE38C87D3E73E812154DAFB7F417B9437A355524BC47 - -Count = 348 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = F823F5CC03A8AF96705D8037AB26D29414A353738B55BB262AA8 - -Count = 349 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A255459EC6E3C5384BD4A6FCA55CE6C577451D59F59F11A79280 - -Count = 350 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 3FE8AB588A91D22E8687B9DA56D2AD4A7578BC30475CD7653A70 - -Count = 351 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 55EEE17310B2F232DA925B6A07F26B2B3836D0166CF4CDBBC7EB - -Count = 352 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = BECFD73E9E2A23227B76F3680DA9DAF9E822447101E8D0B8F75B - -Count = 353 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 279253263081C78C2F09F726476AFA6F347A2A401A4202DB2E8A - -Count = 354 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F4DA8B3C7D8EE2FEC7B71F099CE58B8E809F260E6F42F3FE5F14 - -Count = 355 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 2C388249EE7E061433E95E806BF12B4A58281F705D810C6FB869 - -Count = 356 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 15E6D5ACC35A668FD0337BD2C50844F1452C4A35551A8A21AE87 - -Count = 357 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = ABBA3A2AFACCA7774CF8BBB308E8831CDB9C66EBBACBD011F6FF - -Count = 358 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 45DAB9BE131FEB88C87FABB05415B6643356A588F2E791ECB32F - -Count = 359 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 5FE7B6D98CE5D7736EB987BF4876D1274E507BA74F1BD2CA1293 - -Count = 360 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 3B95EFC341A522F634CDAAAC25A6896A5A8C77FEFC812229C5E4 - 
-Count = 361 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = EA0B152372F8CD1D48ADC8CE5A3611332AA58B413D85F9143B29 - -Count = 362 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 32BC2968487C5B93D0B23E66A2C1184CB6C42DD177C017DFC594 - -Count = 363 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = A5A6ECDCBBFE9CB144AAE15FBE2BC4304A6777D5EDEEBDEF532D - -Count = 364 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = -CT = 43D32E9D6C70FAB350CF25C9979D914A42000AF1BF752A01A21731 - -Count = 365 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00 -CT = 65AEFE2E93AFBA1262247C0A04E40BE69C245A2E71AAD3A48E95F5 - -Count = 366 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001 -CT = B3CE217D534EA670F36E01027C40E01D872E0F445B3772924DE0ED - -Count = 367 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102 -CT = 542405EAE94211E2B675312152A4B535646597C99670B402DB8C03 - -Count = 368 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203 -CT = F4C7A38B6CD89C79E0407FCAB35E140C14077AEE093AD9D8DEF64E - -Count = 369 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304 -CT = B3D7D1D68483A5C958A1ACB4999820403DF32ECD97B6340F51A1D3 - -Count = 370 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 
000102030405 -CT = B63B345110B87712D7E39F6FCDF7454EDE9A39C2A19CEB1B86C602 - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506 -CT = 768DB3077EC0D51837ECAE3289EC234E1DC3FCC62112BB154564F7 - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304050607 -CT = 2009207BD724CF4971C73A30A43D1E9359E0C7302B87330B455110 - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708 -CT = C8F8DB56A8E300AA70084FFE0F2CE8553DE818F273300332AAD3B2 - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = 140E47DFBFF3017946F9059D68BE5225592D24E237BF799EC5B175 - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = 5DEC3E376FF18BA003682F757C85E80B39515A22B692FE82E01147 - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = 4659B52BE189B74F4AE2312E8942F64FDE8D2540B69958DAEF9948 - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = 6ACF7171FFCE60E495842BD7E837014436229807358018A0DCD919 - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = 08F56B5375EA28918A3E63F12B0DB2AD8BC10B2CD29718A102ED8F - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = 73B7FED0065BB9BA65CA91C0A268CE182C59A2892014777733F3AC - -Count = 380 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = 56713BE24E92499A838509252243622D0DF541FE683B896433AE51 - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 812893DD77C92D981D87412C429124BCC9E41573DFA0A39D4ADD89 - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A411B898DC89A575F685B3AC4BE0752BC21C5BFDFA29F2B0F93C7A - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 78E6BBDF3C6CA3C24BFA44F35E2C5AC677F18927946F4C78145954 - -Count = 384 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 5554FCA49A5BC15DE9BB2E62BB465C11687F464FBF49012CA6F0CE - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 6A46714A9AD2139B8179A8B6D4D0B7720793EDA81D681AE9F7CF41 - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 97D207A02E2D2C5F534F3C102C7080874FE24F6F1AF0EAB91A398F - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 71932047747EAC7E83DE17E034FB1EC0D0C0842782E6C2750FDDB6 - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
6C0C41CA5048399E91EB94B883904951555E140EC885AE035555F6 - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 83BB6BC3D77078C2AFCCBAE933264231556700F49B7CBE71840F5E - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 10F2279367AF28EA859BD6F9344D11DE25740C9A7E07C317C323C8 - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 8D983D2EE91346E5EEB6BF4C8178D49C651BA9BA9CA9AD54BF88B7 - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C562E5E21CC667CB67C59E0B1FD9FF5F62683E8A37686932B2E88D - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = DC38FE235019E0BB4F2CB6935429C4B626C456AB684E53282CDB96 - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = D127DA13F5D5F58AA731FEA54A937A0DA71E0514DD57B6C1382079 - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 8845971D89A9D74B4174AB7CFAB8186EC81C4B26BA8C92968C1ED5 - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = B3BBAF32D9F6B69B47CFAA10E51A9D84C80FA2BF265B5E77D1C4F8 
- -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = -CT = 9D0CEEC13406C356F50380FE980E0DF5D073EA7F3AB56C1811CDBB5D - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00 -CT = 36ED875E89C8A5B91AE81A74F3D61C4F2B4B7E5C65EAC7555872DA5D - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001 -CT = 7DC831E08AD58E5CEA8634B0C905305934C8199A849376D958A9A3BD - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102 -CT = 2AE41949706F4D9ED42AB684F4CD8494FB0A6ACA2DDF3B7E6518335B - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203 -CT = CA05C5FAB4941D7E4C3CE94045B126E1C5FD40C87C84E3BABBD79A42 - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304 -CT = D5418E614CF46000B2EAFC29FAE4C9A4B648B325AA66D4C9381AB674 - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405 -CT = A25B3B41EDB7B3A87B4760CDFA64E86CE795DE4ADCB1CE674E382598 - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = BF2A5AB66C1C4009D93231034DE194F13B61EEA6BEC3CF1ADD1D7AE7 - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = D9E1487A0D2DFFF70CFD166C9A644DC853C47E5601A93F209DA128CD - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = 32CAA223B65652536E70D850311C5F446C61FE00D825E20725C360D5 - -Count = 
407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = 7D55869CF6F4203DAF237CE140995FE6D8D7394388CC2A72225FFE28 - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = 625D3EAB2E28004042CC5FC8C4366260F2E79469F7BB325F831EFF96 - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = 69DE63E6F26EAA03DAD599774B1A98F94EEB8037371A457135D19FAE - -Count = 410 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = D0317C43BD0ADD654C4CFA1529C6827B54CBCECDAAD29CE08214764D - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = 1D96E78B7AD258A04C57111C714A6E4611F4932DA1E657A332D7801E - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = A85C86B49C0F4C2CE6971055989B701742B2D7E6CB1017C89DFB9ABB - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = C1FC005BD2896A18BCD75B9362CC3111C54D12D598798080BBD6075D - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 4F5E2892A3A4C5A676FBFF9E7ED0D5A56F602CFD709633DCBEFE07AD - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 444387A0036B882834A350D13776DAE0073295ECE64ABB25537891C6 - -Count = 416 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 4BD79A60EAB3241C25F7D493DF97EFF8D6FE5A3C4F31B5993C1E853D - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 010D01B5A34C493DE57CDB0007C568ACF6F71CF35B3AA1E1467D04E4 - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = A0AEE0821E869AEBD35F59F4F247A5EB2BA974E3EB16CB40E85C6D01 - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 235CCB8A6435C4540686ACF25A251744AEC9BF13B8A67C5B35AA18DB - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 586F42D014865E1EC4E394E945A4D4642632BD9578C0259C07255B31 - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 48D86FB12452DA728B8222F0297D9EB34D8E95FA9375FB0A35E5EAB5 - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5A85B43079AFF537ABC734F8A4FA9886872DC8E3CC10CF5499F80E4 - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = E2C53E51788A5E54B00365AAF91C24787226026FC5A78237865068FA - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 87B92B613F105568E65A10BEA7AC2248A433B4CB873C4979A5B1FDFC - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 18C6C277CD6EFBDF0A52762F262361C1A4B4BEAD063B174F73064756 - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B4E5CCA764337054AF632BD57D383C9167CC64BF1070636F77D1F915 - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 73FF668D6E73166E250A864A4AE6AFAB1D5C78C06FA387CC1CB76264 - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = CF54A5A361D7BB9AD104AE4EB7CFBD5DB1B93F55B7C6FD0AC931E56F - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 20286A1C951BD296EE1805EA870094E89E1AF4F41FF1A6C1E0513F17 - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = -CT = 6AD3150B71383CAFF63770FB2C6504D1FA04B4B8C96D51BDF32F7078D7 - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00 -CT = 5C88C2155D78CBAEC9C88D69C4EDE6998B680223869052012FA7BE5656 - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001 -CT = 874945FF65B0D065BBFD838AD72F4E800C49A8E4315F4C8C4CFE9C9B9C - -Count = 433 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102 -CT = 65A94377170C1218118BDFFB1A68F5C4CC2010D6ADDEE1E539BA0A718C - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = 7393E4A10919CED6B84250A008B01F1DE4785B55C9168FB761DD505E97 - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = 90BE76207633141BB1F682DD14F7FCE44DEE4E5952367CCEA177CB64C7 - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = C0B1210506F33A71B6AE6FF889EE8B2F9D7EFC4FB54AACA4345C4F0144 - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = A712D3F692F59A50F7D34C393B7D2F13FC22BE07BBB1BF06D0B13A4C1F - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = 4DAFF41B2380F1F326B3E4B6F93CCB3583AEDE3FABE3BE7AAAD59A3445 - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = FCBD144A8DA9671C0F86F45B378C3559798BD11D0463CBED8AD26C65DA - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = 1631A52AC4AE19D595B799FFD4168555EA22B9C0457EE52B6C12644E5D - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = 17DB1EA945136E3BB4C6E0FA3A3F89101D84860FF11C8AA3605FC56AE5 - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 
000102030405060708090A0B -CT = EACB449C2765E0CB151851FA3FA66F56F3D1075A4AB834173D8589AC0E - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = 836AFA9E640D0FDC7651AA92EBCF20225F2740099A52229C58E209FFA0 - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = B9E610722FD2BE2FE785A91D383387E49D5F30F8C0079CAEBCF83E5493 - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = 1664C39B76942028F14D6F09013C44E6193866319DA599B498BF06B107 - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = 1BD6864114319781DA7C4CBA2C7664B93AC4F554731620433803C32CE6 - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = BD32967F4A7DFD9F2381A364F5C709108AA12496CEEA918E1BA79C6EA4 - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 6DA2491F3B24A0F32A2A679CBC5253A1097416FF51E36D5DB748A145A4 - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 655CDB39BCE93BAE2055D2FC1005FF3601F65E31FCF36A36DED48E2792 - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 41530597052F7A11CC6E30C1E42D406C2DF32418C594542FA59657C069 - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT 
= 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = D054C43BB2CA1969253C891E1CA300C3E4CB0AD6CA9AFA7873D891B075 - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = DDF13556626CB7AAD21009DBD3F7E27C8AF7C853B285A7DBE0073FC96A - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2818D6DF1F08C3F2F9B66636A93F8E87F9F0B9B5CC0EF82A0B08A6BFB1 - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = F22239ABC1990EC8972EEC881E0F610C997AE1BDA5BC38F35A3826FB37 - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 51D1DF3C7424093E12D752A75E3C2D7734DB8EE230504F24BF8A800070 - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AF9C3F39A86343F09C4AE1E8A8E93C6386709AF4C990E419E6A65BDC61 - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 8E79900656248FB17AA3580DA0B1394870F7A3BA6E3DAEB27A2D828439 - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = EC02921A00DB8BB7A8D95F7B05FB7D679B2608221EFEEE14C4998804DA - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 06DE08E4A8395E185D5A2A3EFFD1D24AE846C386BF020ADC9261091579 - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = DD68C51177F302D63443F101EB19BE7866B65FC80DA09133099BBD2146 - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = E348DCBE314019BC2437FC9CA6DD0B92A272BC9697444C2764E7923B70 - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = D6D507470EFDBA64844CD7B00154EA81EA39C27F33133D21B551568FAD - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = -CT = 8CA54B346754141BF686D62AC9E76D4AAD739C6646DA3417FD4C5B991702 - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = FFA6B156DDA78A2B1D3AA98A31AA771EB7E2EE0FA1660580694482772AC1 - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = 63EF01E05EE1F2258E0986EC63E65207DC3A8A1F2C09F956B79892E493C0 - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = FB2E3E6257F1AC72FAE4C6F0F1AE4F74EA554F85586C20BDFFBC652FC566 - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = 4F27EB3B58CB13E3E79F9E2985747E8AB38C3583E809ED94B9DCB3F16B9F - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D -AD = 0001020304 -CT = 6B7DB53DB1122BEC5B6A1F2CFA87E3FED6ACFDD820F8E6AB0FFF4EB346FE - -Count = 469 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = B1733F53E9927C16044D97DED1C24FC7A7171FA96F81D4D58BF3BAABDE3E - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = 3488F8A572B9BB8590B134E749E2573AB7DC98E41C07A29D8EAB3B88D779 - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = B4BD42F934C29848DA4E11C9631B6202C7D645765C89FBCBB549A738A6A7 - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = 2CB23B198BA6634534ED44ED61724F85ADEFC5069DB593E6BDB1DB866B83 - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = 0B5FF587C59795E09F0A7E517C2519C71F7BA6ABD4C28E36A6C0A7612E42 - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = 8F1FCC1A8CF19455BF476FED73948C61205B402C08923E7F1B5FBDED6AFF - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = FDC8B0825C961C6F965452B1E999586ACB071022043B3F1E2CFF5C3BF14B - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = CDB7D9187C600639C803ED870906711357A9A125F0FFBDCED9227CB82C2C - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 
000102030405060708090A0B0C0D -CT = F1E49520289CC5028D149B25FB889AE36036BBE43A8D661672C397EC12AD - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = 6C13802F6057390E18D0A7CF1FF0E439B19419F40F0A433143950584A46B - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = 89BAC3B8AEDAE1C8799547D69666509DC4D942002F67952D678326AD1963 - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 56B99D148658B1B23E00617132A296203B13F4629F124E6BD34768A7C78F - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 6DA9269F2BC5B4F68FE4CC057926C26B2B4448B969CEBE2CF23E8DB96CD7 - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 48B8BD1BD13F686BE6B45834434BC6619BB892AF7FD6979AC4F28B8B8A25 - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 6017344C7C77A296DF639B7FBEEF15CC4F9F35426F97ED7DB7173A2B900A - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 680F6D98017DA0BF865B00114F6F077D28872CE168B84A3485FDFF4BC8FF - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = C2D898930023C31173F562E2DBA277C213645E95FBF76EA5073F645A5765 - -Count = 486 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 3864A2690A70BE80773BDE100ED984943EE5522BF4A5EC6DAEB841C04182 - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 14EF418CDA37432D0B7452C12CF7D956163587A40FB8D9503D30DD1757E3 - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = F3C4BB3D7A372AB8648F4AB86F5BCFCEA6720C0CDDD2294C00A852CFB55A - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = F08FFF2B4E7C6457D95CB879A8757178109C2121B493529665410E992955 - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 20291EE6011F4FE090963BE5E16346818B2DD45E580BA9DBCAD8A3F831EF - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = A414BB4A2A8A071A583B5B8B96AB5EEA4936F64FCCB47C16F8214E2059FA - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = E10C81858386E75E72A5195F66097AD257A0546C738003DA43A22A139A73 - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B6E3A1C4ABD320F7925667F6029478CEE2CB83CD94EAFA26928D6E6C5873 - -Count = 
494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 65D22EADEAC9F4B0B34CCD5EA80A473FE6B15BDC5CDE0976E132F8A4FBBE - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 2EA73498D15D7C8CDB909C9327886BD353D0FDCC616E9C9126B81BB91D27 - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = -CT = B5E1B53FFF5F82F1EF95973B136A28B68AF94645C6858E30467AE3C78FDE06 - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = 5D5FC44C728861A97D07E0A94207DA58733D5DC9F7ED4855CA6819EDD5602E - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = E796C6A2B6F66F21C68CDB70F6CDE57BCC6B37EA00AD7E8CE3AEF4C483949A - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = 4D9A13FCA43B34BAE719E660D26453D5F93949B3CD37AC70E456899DB913DA - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = 20C3F796BEAD6E14D7490996D20FEE7DE304B8E67763F619134B3A74B8C90E - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = 4B749A9C90CC006C9D68CB16613A5120F880A169FF2B2727FD9403046927D3 - -Count = 502 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = F79BFBC80BB49088857944BAC53189FF457077272E0A2837E1E5733B07C4AE - -Count = 503 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = 9E7CDE2A89B2E0A4EBCAA919379A5336907AE2226633A63CCB7B71044BAB4B - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = 4C3C3D37BC198B6FFD9E3BF9930AF11A4CD75DB63AD456C7948E0EC0ADEA0F - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = 800BFEFCCDA5D5A4BDA45CCDA0BF94F1ABB90E0B7E3F2E336164907B83BA3A - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = 336FE0B60816611F375B82C024CACD5DF611196A032594E6258C05C82843D6 - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = 83D7AF4FBA37AC8F7E2B727A297169A90DE8648A5DE118F8FCE0B9192ED5CD - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = 34C6994D315E7A7F6C8CE487364F154A5CDEDFE17E706993E73C8CAC5B66A4 - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = 2F00819B05636C4B312662564F5B6ACA674EDE5E5068642F17624B780B197F - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = 60AFE8B885C89782AD4760C71408B87A72CE955E959BC9E5134777456A0562 - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = 4593461252AC43058F963494DF78405D0576CA3D67656935EB614680D75C70 - 
-Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = D6D888EFFEB6359C71E48E36A36D087D155D9B7AFA3C77C39A959D6DC9D00F - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = D1B616E3122AB8DBDC1AD071C84BB934EC1E8397D96891CF87F27DC6B01FB9 - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 89B6F26D326C7256B18BB42E6A21F8A8BE2E844332374D9B9E7E9C042282BA - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = D8AB9DEDB9C43635DD0ED855E5778BC64E9D59F91CB043AF0818F1DE1DE587 - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 30860F65715B0A084637517E5F001F3AA2785531F8E066D9280C5B8F8FBBFC - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 75ECA72E7DFEF898D866CECFB18AE96130C0143D4CE2860C45E484EBFADA98 - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 259A5A81B97821E7CEC148D02CB6BBF033B9728CB4B2AE2060609412CBD8F6 - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 97A8198AC25714FF73FFFC04F033E775C5995542693F01E5D344BB2CAF1A3D - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = AED703975776BC29CADC177E2D0767FFDAA8577E82CDC524BD34BED4685399 - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 443EA386F41D181058A60A133E12592211E01014BE0CDB1B59D7E9527A813E - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = A21C9B862D7EB4F519D53233CCDC387AF784EC27A5FCBDB9375DD177477242 - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6F90FA2C0273859B4EE7D5ECA8CAE4D28023B2B70959BFA82791D640577EF5 - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = D1D4E3D53AA5E4DDC54E524ACA063356EE22E7A5716E94CD1FC57DB367FC32 - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 0D70D7F414ABAC4A770981AA1EFB753A5AA7690CD892DFDCE80B3E4D1253B8 - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 38A0791BB61BCE50A3EDE9B8006D8BBC484ABA2692F70495171112CA405BC6 - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 57B32943F51A3FD568BF43AE92B94EF5E6C35CCD2BCAB624E8C5C5D6B549A4 - 
-Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = CEC94028569DFB3445E0A73B688F5B6A85DACF742C49365C46727687D79424 - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = E9F8E9D6034A7C34390EFA1F9E314C4509B92149373C4B72DDCD78130E5D98A4 - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = 0F9A2CB9EE4F09435D471FEEC940EDA1BA299B971DFCA456DC5837EABF7A3F3E - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = F7DB3980F03424F5B85C66425936F58683BDF7EE623C6F3F482DC208949787DC - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = EB14A4AB7F2C12008E6943FAD32ADB6657DAC4EAC34327D64FC7C443C86E9AAF - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = FC0C525C32745F88419538F4D7679CE3DF58F366014685492CBEC5D359F405A3 - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = 8013C91B00246308F863519575613C7CB030133490DEFF04F3FB038A8DFF2034 - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = 574EC37765DF3635DD3667AD9F91C431CFA67258FD47C023336852A436D11581 - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = 48F85EFEC5099ABC25ED6011CDBA87FB1C7A6FDA806E71FFBEAC731FEBED8395 - -Count = 537 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = 6C3DDB0960E36FDA25A968674BD9C0D8C2E2C4FE731F32C6F29F1302D307BF6A - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = B40D6B7FBFA47BA35F670A34D48E9B3A5CF609B211946A495A9117F74E02F22B - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = 945FB77A39D360C7142AB534558691E81B587EE19D62AC2E7B4988C404439A6B - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = 1400DFE73EFC28CEE39956FF594536FA77C6B4F15DBACF11ADD8972151C57B48 - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = 933C250CAD994F3D6EB15119184F2FEE3E856FFEDA7BC32EFECFBCF58121A5A1 - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = 1459DE801D6352CFFC35942A57F0A879E578786E9367721C529314466D76123A - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = 2EBD05C23790DE78E42CBDC57D780C02B816B1FD8F3BC0EB52A5268C39075AE5 - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = C6E8E6D8ADEC510529C25B3682B2F4EE821A4C3E3A9C267549ADACA9C2D9B596 - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = 
79E59B12BE4A420ACC321531135CC80192973A29E9B4AB433638D03C335392E7 - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A4E0E91874D13E64F4B0395F7D54037DE6D3C4E60861C555B753C7AAECF49B7C - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 99D99F0BD7047FE9C1AB3901598950CAA0331260414C3A3D9536DD7D2F84148C - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FACDE81B6CBF86533A849B60DD35D8DD85D4319301409F3CA92261AA7B0BA3AF - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 550CAFABA2F8B2B0BB504D20EA08E1EAB19CC9165E57BB9F66EF6ED59C5A9229 - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 429E836D19811ED3723D109CCFD75B39E2340DF53841E0845C212AB402866E13 - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 39B1039ADDF2E6677DF80997558171645DE6D125E4DF77C26A1876DEDD45899D - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C2923582DE7D8889107363B8EDC744DE81F039685DF75E9A37A25CA14E6F5F91 - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
D6697F831BCD65268AE1723CF8F8356A757086EEFDDEC4AD7DBC2A820B235DA0 - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = EDFD492CD48A28D6A52403971D97436B620CD071EBBB75997F8BD9480525B28B - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 7B3BC38401EFCC849FF439AE7C16742AD8CD61E0C759E9101177862EBFD76D44 - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = CE6708970C3C5677A4E51B73E58FC190D58046605666408E8AF862248E3CFCAF - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = A4E6F13C612625B3088ABB4C89E4338F41DD616609E12696135C5FA34A061B32 - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = FDAD2714A4246638B73318D75A2D1C39B1C286F555394CA12D6B5D4877375F0D - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 010765F4D671DBAAE2F6B2437616181D87BC3C50218455D3035FFF3863B9D611 - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 28439C1AA1858FFE1095024548BC932AB6F7D03CD8E8D8857634B6188CEBB510 - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 48784EE91FF696FD1E83709E8E4CBB91632B0D4B2DCFD2FC8A31705E9AE977AF - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = 15D4B331DE79229CFE8E1EADDA5F3743354952658C0ED40B8E84CC4DA206C0A90A - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = A266873942F57FD9A2C7DF672593C5561DDD307F8444F258FDA222BE13DA60265D - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = 95C1BEAFCCEB9527659EEF58C1B2796F2DFE1189ECD45A296CAE8A6196B14BE21A - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = D548AC1383B3586DD28ED9D6386BA1AAF93FC5012692B1C18D10C998588E9BEE08 - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = 96F979F78A06D1D6DAF142E6C45F5214A1034938B9A05D4E35360B7B7D7D0A6A5A - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = E7AD0C1AEEAC0E8C1641144E792DE6F6E60AAFBB58A20D6893FE253F302711A335 - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = 51F34DA56EA19135A32215058A424BBECFA074D5C9F0348F0376F6A720DC83EAA2 - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = AD233A410A19ED4D05B0AB59B9B57EB61DB89D059A98AABBD46E1D1366F303C4AD - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B 
-PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = 17B0CB6629579C7A71976629F97249D17782121AE19B5FE785DEB6CFC33AF9FCAA - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = 6926FEC8BFA5D68EEE1A1E65A438447F5B2467BDE4BA30C26125DF20DA82A418A7 - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = 447FBC7243DCC2429CFD9D4E24D19A66D7C3C1C7A73B8BAA3A48D058A037D2EF36 - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = 5E0459A5DC00DA3A369149B5AE9FDDB327810524FAB4AF12FE5BF7CA2AF47CFF5B - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = 99996613C4EDD52F668E0591861C0799A7D862C4AD7E30D7B567E47633D6A2F290 - -Count = 575 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = AC6108477EDB1B76EE284932598433E8E5C04E8C95100E90E2FF832A93016E3BDD - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = 322B22DA781ED9989637192E57244C48E6E07ECB323D5955AC9894EBA6E0907BD4 - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = E8C2E5708F294006ECB7C22667D420A7419236FFF0B35F897B776E8F426D44AC0F - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = 
2511481CAF78A0322D111C81B0D998DC771B9488B3A3997E61235D33CC48BF0FBB - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = F1EA186F442F114BA11B0E27A55FA964BB2042BCD5E0024D5CD4CB3535E9EE94DA - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = AE95D0BBFB9C40FB038F513B05C728FC831888BACB2454176A693BF04C0F4E9814 - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = D1890451A52D6568DE2CC0AA684F2B61F9C9669A5904C39E2A5FDA29F4995A4FC7 - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 9E5C3BCB03D0AD88D71BCDB548DECDDA15A51679496C53053A2726C13E4F0AB33F - -Count = 583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 0353605629BD840554D633B3A5FE10A2EA5C1719D249A6180320D69DC7543E9053 - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 10F975392E3585C093358F5A7EE90C57636DFC110F37719C316B5FFCAC399EF747 - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 2C30C16066FDF2BDB4FF71517DF8FC7694244A49E44377C79A78FF6661DD2A1201 - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 4292BA4BEBB9F5F24CE70CF1E2AB5D13325FD0791F09200DFF07EEEBA2C4C2C23F - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = DBF185464B34DC7C81140AF67AEF6635411C87BE115A23A13C31BB03E0748485EE - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = A0E02BC7961C6DD6F0CC5F1D6F5E88E0CA5DDFAB20218348096748815329DF3F1B - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 053218417482CE224ADC17BE8FE669D9400188D0B69408C599170937A93EF74C88 - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = D6E51173741A53FCE20E72DE5FE53D302804D624CEBE0FCD8F7EAC6F90D5BE1C66 - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = E0004CF59643D318AA55469A22199B319E1B39A77D5CF17254F1C36339E0D08C89 - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B0B4BFCAE13704264574804687B7F62685BB18DCCB67B4FDE46ECB31E8F539936E - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 1D5DD853660E4EBED0F2E39DCB53A23276E8F1DA77C410790FF335C0C996A6FDAB - -Count = 594 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = F1A7AA3D43439191C095B174450CCECAD40C9111454C3AE5F8422C3D907F3CD3EE - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = 887FFD7591441AB022D99E75A91477D061E9E3A1D7E4591BB1B0C4C6B96044D7F53C - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = 04E7DD6D1519093D79DAB8180D0FF05FF53674E610073654C193833F5D7ED248C2A3 - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = 899D6BE319D9B8DBA8B4453E505720A53BFD8096E8EA8F1B147AC08DE55B37770095 - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = D74A776BBE8B29F9937AFBBA9DC58CC3D4A783A16910F53F49B090164A822E68C902 - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = F18EE69B54DFFB967CB4D05CB5C165AEB534A2B4B82A9CB7880A1084B7CCC08CD89F - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = 5F198DA533C77578F20AB706C800A602B8FB4EB30261F64F8224D70D6096A4C22C33 - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = 0F99B1763159CABD0B1FE0453FA5387DDEEA68AF3EB0C99546F8ABE9D5C1B894D76C - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = 
DFFA9C7BC55D9BB119A40BD76A7FA88FB4189071AEE119A976C5EFB4583F287CA145 - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = 4A218CC7C8F9FFE507619D730F26015EA6AAD6D3237D54582B6CA320D51A55B6EF28 - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = EE8BB1952E56F56CECDDAC9C766668BC5FAE66736B0479AB3F3F8FBC6D10FAB632D9 - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = CFC33078BE0E432A29347B279B78B0C74C0F773ECBF8456316353D448870B5042A17 - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = 758CACF99CA48FC9C813CCF2AF113FC59B7119DC0C6A2B55C9288279519C78FA9E29 - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = 745A28AAA6F09EF8824F3880CA287D18A83839D7EC81D2D8F1A34DDE13A88FF7426F - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = A0DC42D37267E2E3535378718F472FDFF86FC22501D88D07D6C3870CCD107CA7CF0D - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = 6E2A72DA2927F8CD240A727C03FF9270A503F7D661AA8F3828AB68859350EF8B1B4E - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = 1893FF7BCF0D2050F3F9E5923437F0DA26C893376815E9D327756F007308A6E2A7C1 - -Count = 611 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = F52DF6874C6362F5CEE22BCEC93D9662991875AE6A7FFC57AB66068B0807A0BF8147 - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 2E630262344FE74F3A0EA03B2146B8237B39FC9FA10C4EDEC993F5D2C1AFABC536AF - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = F38BB1D47BCA9698E4FCA36EDBF18738FF9E937A2D7A7D07F35E8B8BDBBC10CD95E6 - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = AC7D0F0BEA88235DDB1249C5EE6622AD8FAC28645DEB9A95319EF29AA0734CA884BC - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = AE83462892BDA12BDAA125DC6EE8FD63B0E959AFB8D56D0F471D776758F28A4D92AC - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 286F3215B36622302171A9D5819DA57C48BC5A2AD05AE5C8AFA0CEC3ACD92C00810D - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = DFD1F44223EDE331799F1DE2C1833F8E8F2F2F68E13B68C9287E824F52A85C91BF70 - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 
A340D06C938C54F86F3B47C2F334D9DE82AA46BFE675B3E1227696E8A6EEE052B912 - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = F052189D60631FC5DE352E8FF45201EEAB40CE5C2F89FD91AC890DA66DEABE13E0FB - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A70A3CDD8C3999B8DE175C82FF40D1B29CA72C603636AF015465911DEAB4A1D957C6 - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 0996DF9EF7E98167CA442B4FA93289E9B0C2EDC28EDD46C5122B1F74E289EC5E216A - -Count = 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 7A631486DE8DFB64D23EF566F77B0D00595E8ADD31A2949A22ADBAB2A06E9CA826DE - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 196673EDB1A92405D4777E7AE6D0C7DFED8D93935BD284515B1D242D216F5C0F62D6 - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = D6C2FA683BA9ECADF92F67776AB6980D625BA827EAA4DB62FBBBF05B8F11F55C89FB - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = ED896303F8CF912C9EE8DF43A757FEAF69F49ACC3F1835250F52B75A5321C404BE7E - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = F1B9A1D4BC992E4F546BE1D90B278E0A8B1C1CFFBBCA69EBEB76B1B88F703DA12015 - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 593F73328CE9288A760F47DA959DFDAFD37685C75C2DB31E2FAF5CA0AC40682B720D - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = B817175DAE917B8F812C92D4F54415110635C519665295CEA769A396900AC6D48D474C - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = 77BF222A4F65967C5D3F0F76D3A8B0814E8EEE7BBC89A308E977B6B92A044767A20DB0 - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = 2641361057B9C51E291E4D5710165826FC319B6AF8A59D9826E8489F2E6BAED3BBD737 - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = AE5FBA16D8925A56097653D342E94281C4ACD9DC13757039CDC5719E1B62594185EEF4 - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = 25DBBB462E70BDB8C37488640A7DA267571EB8ADDDF57851CAB9AE23BEA107BFB6D682 - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = 1FF2AD20B6E3C61325A181B7D8EF00ACB4EDCBE6B5CAF9EDD11B8F7E58A2E12939D3EC - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = 
0548EAD0BA5F1B07BB1728AB0E704CE5FF19DE48EB6A691CC8B6F07D1C95F23C20C09C - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = C160BFDF80A17F37B11A4E853F09E8A97CAD40E97A2059A1C08ED4EDC5A3FB6DFADE0D - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = 8266D9547A8FF920DDFA0480CBE6FB109AA31107B821F668F5D7F2C0A8D653726FA936 - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = 356E0D6CE0E78C18BEA00C67A7804C0FDA3079C674AF887E428FB62AFA9F493F4C131E - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = F24AEF136411CB8AFC36A7A0FFBDA1E806C0568061AC58ADA29FC10791DD5BE860B6D2 - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = 2346DD465655CDD11BBAC84DA5E106CF09BBC6C437AB6EBA83603307D65E8B854BEAD5 - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = E042BB74B37919446DD28AD8AE534E2FEA8D614CA05879555AC2AC8908E49EF14A546F - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = AC7181327343DC7D650A128C9C487D53B16A0CE0FB92EE23A7BE1807A17F285BA6C58E - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = EE98FCCB6C1D1AA8B423EFFAE18C5BEBD6A368F7B668EE96D6F890F3B6D63568F3ADE0 - -Count = 643 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = FFBA46FC4B72161A6BDEFE4362B6D6899336BDD71F9305FFDBE934B743B46B0EA60E2B - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = 59BC165B17DACE57FC0D808E76AD79B16FD1E23CE7E12D0B175E79ED0D0F23C3D9A55C - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 3491B29513A61025ED17B4A126338B3F277C39512FCB813644D6AE9323D9E422CB5DE0 - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A7334068425EAD54654D358D5727D9E6D9284085DCECED016EC68A07649D5D95D3C229 - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = DB768D643D8C207BE16986A1A50BB6C4C6F83C33FC6299B40A68F32D61F3922F619AEB - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = A2B583401DF0D7A0DB8AD109060DD5D62A58F2489F8E38BC549B70DC5A12C67B9FBA1A - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CA32FE3EE6F86F48321F7045120551AFC8815A4E4C2BFD8B53CE60BB6A647D609CE6EF - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
77F3F9CB1C3207A4DF1C921CE6755B4002CBD4600F19BEBA6D8187ABB33686854B5D45 - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B9CCE8F0D24F9A47ACF087140D5299EBCD4DF3EB5A1CC4661D21FA773CAA29E502DB58 - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = B6D17DE84C13E9FD3745E032344C5B90BF716457C93A7B70BD6EBD742F36300DD29625 - -Count = 653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 412D4E0E2BF45F8F5847F6DF4144032DBC982A1F1E32ECA15DF9B04F25723C7A48600D - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 745315418686A21A61CE076B530CF8BC8E23CA9565BA2CADC6F596F9FE11ADC3634026 - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 7EE2975FF6F42B1F0ABC78EF46DB13DCC142AACFBB2C2306998DE328FC4153477962A6 - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = EBBFDBA5461FB02DF7002827683562D122C6BB03ADBD6B9D868BAAF8AB2AB53F11DEBD - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 15426D6F61A88814A1BD1184149E8CA096901E4ED26AEC46E178C0525BE52F99A2DB94 - -Count = 658 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2B38E7EB3E3D937D26F7A6C3985A8DD2CD941B7E1336A185E968737B372BE5B93D15EE - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 4FB5FC71D05685CB3DF6F153FB599B96BF1624960E7FAFC13B371013091B3A245E84D4 - -Count = 660 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 03969607B238B46EA06446CCB141A8D5B2C696B2CC7D7391A6C05BF6AD6FF0618AEC7C - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = C7FB15C00E59D59178FCDF46896B994C3252F15A3E266812AD2EADD02DE07AAF8ACD669F - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = 3A432D124324807E875015578FF1CB4F6B84CD88CC7FB8804D566A342633C11D9C0269D8 - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = 848AE290562DC7E02FDA2ACA91531BFD0B0AD25676280DB325EB52D8B6A432D1B08C9C04 - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = 1EF7B5558A13343E43FEC87A5EE749E418B42B02B2ED1A2DC56098EF2FD095BE2FF110F9 - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = 13A0565EC3B0C998482B4E9B8EC4513A54F46CB5DB811EFCA813EDC766E4457C2722944F - -Count = 666 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = 7D681430870B76757268C1902D9C9B0141C7E8B38BACC61D9C61B74D32003AE87635FD18 - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = 0111D66232F0C2ADD6C5A9685B0E132845DC881CB2DB0FDC316EEA687C9B25338240088E - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = 0697C73D6243AC703E5CCFDB218D9B057727D91918BDC891D3AE9FCCE37FE599BD4034F1 - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = 60B9A6956618FB8453C00DE22B65A109F43A342AF29C42EEF0444F5E0AAFE2C2AB73C01D - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = 6F58E447FE7839308F5DB79C15DB4452B2469B60D8E30BBCF1ABFDE5608714E23FC15B88 - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = CF8813204F117F3CD6821992E6CCF463821130BF905B30509D6A3646C0D1D0012554D1A4 - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = 8B083E2C05E7A01C73DA5A7B3BA2217C8C0D2AC072950840F427D69A6A730AD3168F89C5 - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = E02E2A7AE61BDFA9770A74E9EB01381AA14856A8784ADD26AAA7D578403C7D5962018F3A - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = 235ABC9682503F7E9743F94DDBF7301C6A5F4B56C11BF18DFF13DEB99A987808E2E7FEE1 - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = 0BA6E2C592333E162B5663AA7184457BB38817A8BC6B3C6616C8B68FEF712432AC1C1D11 - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = 837F5E508EC6160C905BD229BDB2B6C3DC876071A43B0FBC4F9A245CCDCE91581DA87B8D - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = 3DD3A285B5C00ADA716E0616529A147A4600ED6350E208C441344813DF7F2953150E386C - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 0B4C7751FAF347F7BF65C1BF2506F1A6AD3FD5E4BA7CA6692598D04CCAA5D762DCADA108 - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = DD174CA4A4E34DF6D28BC55FE4934A719297696556D169904183140B12E7907FC87F3E5D - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = FF8EF4B5AC12A1C119EE6EBA7BA7DE144EE32F9E4CD2DBB128BB155BEC02A281E7655F8C - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 18C012BDB1910D4C2060463D5BB1E4060FCAB03FFD9E1A96D52B70C95852F3159D440BCC - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C4A1CC7F28D45A4F2D3C47CF4D3C57B2CA4D90E4090128235BEB1AE59FBBAFCFD69863AC - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 9915E87ED662E1E5A9354F51B6B449F629DD51971C2C07ABB375AA8DF38E6FEC823E00EE - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 311DA43531B506DF848AFA6A3EE366518816CD788CFF342F85FCD78F371E9E383E57A9C0 - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = DBDD2B38DDBE7B78866C1932B82F82EB849287D9AA7043D34B1B1AD7F9189F1581557044 - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = B07403D78BE197D0BB723513F9AC56EBD8B262812D497DDA8DFB9C7ADD0A81D2418E2C35 - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = CEB39EE134825CD1B8E0C6BF2FC5ACB2E4FF6ADCF167AC3A3B06304F7B6749DC35FF7F4C - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 8F00F0CFEDB709C6673F9B6827F2D374E44B1406491A7052239D7C0CFFD30BEA3BA295A1 - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 3EFCE56DB357906005FE07ACA729BF182EE1D53ED087420EC18FE5B4F6D81D9505D425EB - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 5BED1BEB41AB5E63FFB59C052D6C3DB37F1013BEFFB8266ED3A84235C9D5848B75C22D27 - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 854EB4466F929BB3D08B4E77BE0E94033386FE52DE0952D2DD892584DB8896C084EC71CA - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2C55D8886CB52507412A8A5187272259DF7437E1F9DEB199C103D845B2ABD8EC74384F19 - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 97EDD36C3AF5F607682B0CA589E23972B41B37B7C737E629063F9FCAF00B315C6F9A49B0 - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = 84D0F10D2A89EFDD6BEB965BF1CB9EF861B1171062E5BA91F3FDD74F9F2CFDD5370A6CC1F8 - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = BE78DD7DE6C9331220510881947E9BA025F43E9657CB6AE4E162B6ACBFFBEF717637F321EC - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = 64DE8CF5F1B38C57445F4239ED933C0D5108F5EE30A4654279C53E80CE5EEF1CB099156C49 - -Count = 697 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = F4BE23592B91CAC1920A88C752BA26EA6FAF99AB560F0BC434E3D49D23C455D0AF7B22566E - -Count = 698 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = DCC7521459EB91926B8FC0EFD10A4DDB7401925CB45641F3E906A92ED16E2A94037A2195BF - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = A808B9AAB794847CE471687723EF9F4CAEDCD51D503EE27B662620088A25EDF610FB8EA7D3 - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = A532CE6C5DA0579DF9094FF2FF627DD3422D748A0C81EAFFDC71B16597C854ECB7AC3621E4 - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = 7CB1FA7307CF5E043C6AEF8C380CEB97510839FC50A75C09ABBC4A7EC9294EE494A1E49041 - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = C36788F9C218FEF1C6E5DAB7324088849884C5835F5FF715A372A99F2A9C98245F2067FFD3 - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = 6C88996E3DA37CFAC080E95AB755E4E340EB8CB839207D3D0A6F7DC37AFF643BB7DFA23B72 - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = 777CBEAF32087BDEE133FC760C0AD6CD1A830A92AFA7A54003F6E432EF4A7839A9B3E90E91 - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = 9020CB499103BEBBDA0A4FEFEEB76588991394E56CAEDB141DA3888F5084CD22B53BE45B37 - -Count = 706 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = 151834BCC5B55BB154358E0C3D6C66B487292318620848974C52B65887F838DEBCE9CF5A49 - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = 539FB25DD8792415B80DD780B36F2528B9676D5E1CA6DA3DFC269D0A6001753FEACA58508C - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = 356C62EDF6282F1B838EB4FC506E7C72E9D2B638CA06A0857CD92AAD227CD2A49215DC9C44 - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = 42F28F2FF5FF8FE010249DC8DC6C44A33C849D23710A23939A518EBC56E3C0BE1F9821D864 - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = 4336F4C9A2AEF8E0A23A64A87D6A48A78459CD3FBFA93E4CD258F5034C2425A3F7348C968E - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 84CE5CB2DD8D45684A0BF4658CDA62248DF8485923C57E721D09D9D017417D909FA1DD842C - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 42CB49902B9B78C8E5EB20FD265D51A96EEECAF997027D1AEEE47F7E94C1BACDDCD3C0E042 - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = CCF8783B5ACCBDFEB19E2D33775A46BF53E62D4B484CD26884247A002155E4564FB1123529 - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 3543FB1E0E65F0426304F9F4FF0D400A2672584025A8EC09734240BF8C8025ED4D39F44A17 - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 4CE43AE4B3EA439E1195181D94F78AAEA90E2B1511D77C957FD556ECEFB94366D3B2A2D41F - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 53C1899741EF2B2A6607E4581E231F5B30B0E51225D4628B5DE42073D77B15072960561503 - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 8794C1A81088C8ADB17B0BF0AF95CCF941471706084849737B80618386A47D54369EDF051B - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 8CA2906FD97BDA2D076A55A2B5E5EEE3BDD5B4256A0F0FEEFED830B2113BEC7D5BAF13208D - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = CE15E3901FB3CD454DB747F998642688678F74D760A5824A2049A8F236D29DBEEF9030ACAC - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 8F6F0E9309469C746EEB8D0CCB87FA53F29446C9FCC7769F01A4152FE2A43F621570CEE406 - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = DCFDE6A951C0AEC212EEF7683D0699EFB6F160A52A664BD8788F7FF3B7DB5649221443955D - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 910E38872318F398A84E1769FF5036BC359391071B4462DCFC917AB313E007777423A296E6 - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = A40E601E7697BEE8D0200C365C2F78D25D2DE646A89D6A78D531FE7B5FC283786F1F1F3947 - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 686C068F9FCF52F28E7E7A6805B94539F31066D514994CDA9221EF7689D4D742DF135D387D - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 9C6CD0F96564D48AB4119EB20FA6B7DBEA9CBC7BEC048731875F8A3F4EF5B048ACBF089925 - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 03856237512F662F9B0C6F53C170A4976EA80B6703F1CD14927D14E51AB93DB53A7B036A0C - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = 
13BBC75D48D38D12769DA25C5A51C82244D4A2E7C187A3475D225374198B6E2974132E9DB858 - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = 5526DFFDD6073A1DA80568C9BB0445820C262D6EFEA8CE36A96471036D542451B6D65FE305E7 - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = 6CE8273CF3AA48AC9F38AA05084F4DDF0FE9820797A9285D93289B5D1DD5C0BE6A097CA94682 - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = B7BF9BA8EE2A3B007E01D6DE277C735796079DECF55AE0EBD8C30007F702876C2A8D6DD6615A - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = 499D7FBCDB2C66247A5DC0C01B9DCDA4FE8D84EBADB39AE64CE9F63844CE9BF524C6FBDD8821 - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = C8C2E85D96BC4F2470B563800858D0FDD18CBF391DC01ABE86556D83EC053C70D24BDCD8E81D - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = EDEDA45B72AD8BE89DABDF04AFC42AD3DDBBB29E561EE3A69DA93C53BD161EA61F531E9528EF - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = 154FE1E90DE2EA34EEB2C30310B9C65F5EC79D44A50BBDD35193DF94E3BEF5F6BB746095D3D2 - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = 9832269C2DCA2E941B9D9D033ACD8182DB43DEC284C34A3D79290713398ACBFC0C5AC9FB615C - -Count = 
736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = FC31A5AB73A1FC0F64C85EED76FFBB0F49E9C61DD253FF639BAE2417CA9D68CD26F294DFFDA5 - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = E24285C42C3FBF4F2B3D80E88E005B874C551232B18D899854CB64652770327BD5339C25B19F - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = DFDEDD1ACCE937ADFCA6C5C3CE7B91EF5DA6AE6937797E6D1B144B232821CE7836C26EAD8DDF - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = 1EA21409F510E02D95E31893C009CCFBCC0CBC1356F19985EEEEF9EC3D72CA539EBA67C7DA6F - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = 13522F8B5BBA5F1CB441B851BCD9473C92BA8D9BE5242BEFCE2A94EC51048E31706E6AD29483 - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = C8BB8C5DEB893FFEC83A8C6E6C9F53F625B7418C36FE8C8E09F6543B0047A24EFACE58088F2C - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = E3122CAE8D644672BE92F55E73AB4902B339FCCD42828976D43332DBE68545C915C3DBE58186 - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = 
D3F9EF07E28A97ECFB2D104C4240F5A8D29E01DAC37EBE13B06387D71A8D2D00375659C5CF56 - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 6B7F7702DBB4937082FA301F59BFA5A41A70CEE2E5AEE70EB17D30F35EE80EAC89D3F14F973E - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 92292F301F803274182894050B88A5E0025529B1F3C32C5F2583CA2045920673AE2935FBF249 - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C4DDF1D7E7E97C34B53FC35B45DE6184E426D9E1917A973C6345A672E7866467A75CB4ABC211 - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 7E3CEBE48CD5BF84CA9CD319FACDC19E71776D8D78A28316D77B8F9FA666C4F13BFD460F9219 - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 8E3024C9DDAE251FC47EBED04EED22B086D0BB9EAC6673D7D180275E24FCAFFF36005B3DE31D - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 1133B8C2248BF411F6E8F5321B87868F3D54C810ACFBBD11A07AA3A72DEF014C9A464F603416 - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 13AB093B1944F61C8F8EB73433CD2AEE10025D5E6ED5C4D869D08672A607F36D76C35944B38A - -Count = 751 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 48DEA3A97063BDABA778D311EED5CCFE946C875F8A991D5ABD2E512E94F10C1577E3FC9CCC83 - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = FD5221142D5382782F88D1767D72971D601004BA70A3C401AA364A8956B20E7279949DC5FBFB - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = F287050865E8F49AF7ABC227A9643CC9EFCEF36ECED0A162920713A41C5F2CA4D68383DA0D26 - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C98C9937BA667C1BCE88222DC115FB50B489EA5E297AEB829E44AC3ED183F8CB22F8C8FD6F0B - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 08E65C9DE8A42DEC873FE31BE62043DBD75D7B88C51F5EA2B05D6F3EE390AD2F43946E917462 - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 070C71AAF4AD80DBA3D2C1A8794B155E180043460FD7FCC0A489A1C871E0420799871C1F2DB8 - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 0E6E27CAC8F9049A9845351D666658D80C547F85AE15587850DB5C4D0C2F55F6EEF1673E4E7D - -Count = 758 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 844872FB7C4B1308C440F6A954C3C258C33C25E13A92ABD6810A2F4199CC92773CFCDBBD3B9E - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 7B01FAA3C371A20C08DE6025CF1F0B798581B0331776AE222B0B007B3EED575A12EE4249E52F - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = F20546FC5F3862F784536BE0258518A76766C3FEA448AA29DDE544BFDF2E538A6F4B512F15822A - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = CB7B36A210FD15574672FE73AABADB6AF6D548DC18AA3AEB6D81A556DFD37DF9055AA316B63F0C - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = F63A25FBB6D5213CAAA47CCA36F17FB50F7E5CEE330A9FCF7BA1ADB115CDB308405CD74BDAED5F - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = 2975C505D463BD6F806D1050F92D4AF64AFD53D397703592102D762B5ADF685ED46DB990878FCD - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = 051D24836AF59D34E580964A19629180D2B32C245E0956937E1E737096B7781B020CF890D49495 - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = FE8D68C295F294DF93A3D1D35623C87DDCC28893EB5A65F84B9B678E9778474C120A01B129C86C - 
-Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = FE69A77FA91484DF8B9E1F960FA78B8F7F0ECF3314C711EDD5DC268967C0106C52B6D97CB7E511 - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = 4468AF42A92023A9BE0C580798E79DD4B862DD2A11BD01809F8DAE728AD2942C5939A0871DC5D7 - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = 2D9988FA519D835071084AD89FAE9308BAFFDC652A8052E62F170F9D4890469CC68B3A9D2E53B6 - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = D520961508C345354D33695F95582B992BFBA25C61A17847591D771579FB71F7BD0923E06E0A91 - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = 6EE3242BD9F45F78B496447D41D237E812201A7B2A6BE4074804CC675FA8498C232A31F2271FCC - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = 06C54492721688130CEC64FF58132C6314B32B589F2608088987C314730EC6F4EDEF908A0A2F16 - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = E8B5CFDB0497DAEDF0C1741E15EDAE65EE7BDE3454C4C5E8B2535F2977032CD21756814B037E05 - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = 
DA5B038693107370C2BA34809DF9FB69B100293BEA88405C28E9CF59D70EC3E894CC8CBAF53BED - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = 7FD13B0C560EF3CB2AFA2A2A6E60186858C4BC4DFF2BDA9DA757654993A664663C6D18D03D857B - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = B5375CB7E4FEA281E579BCED5A98F6D6201A7C99CD71AF11C12E1717E9426740860FBC0E8A022E - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = CE2B614820B032CE9E861546BA029B37E472E06C0C4479D711E6D24F07C4DC678335F07FF33E4D - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 772E6AE7B38478D40827C144288B6C5BA447C94DEFBB9EF14CAFF132ACDEBC7BE2D361F2D8FD6F - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 5F33C5A6809000C9B51CA5C8DAB0463BBCBC29C131FB6012D7B3688D351C2B8499D2088409D7C8 - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 65B70479103A9EE1D9B80EFB44E52A58C763DB42A3DEBD66F71B42C6E680E6366B1C6ADACD3592 - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 82083BEEBC77A45A668B8AC73D2AFBCF321C6074EB38163981F10DAD91DFF886EDF94C23D99C5D - -Count = 781 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 93C81A24D4F70C0840684ECB8B0A9409143446EC2BD9D1433149EB480DA32147FA29A21BE4AF90 - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 6A46719F5CAF7B3E0E5233D9D01E2055AF8F571A7BE043C170E3F4C574169718A7602869DF0FDF - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = A692FDA06FB95D57B67108BE24503780CFD6ACACF13B080A3C39D21589F0DBF5BE786C92625FC8 - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 38F92310177523CD0FFCBFB2B90F417D0DB78049CB5BDAA85D8B9712847D3622332E00D81B938C - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5323640CF8E5303546B16A98DBC93C24462A4B8C72E9633D759F11CEA6151572DD6967EC46B7C7 - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 918C3FDE053F91A53ABA08A7014362E912C8C15A4CA58A7C9810E5CC8548398952F04C7542F21D - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = DAD64511A817C8211B316AA0DC6EE1811A1434D07B198B99BABBDD80B916D5425A106D574ECC67 - -Count = 788 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = C56E29FD706694334B47E7FB1ACB759C73702713FEF1881CFC09FE8526FE9A2A48DD531C3B121B - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2E1A047F0BCF2C80FF5463E7C7C15A3AD16DAF0093087E2F6C322334FAAC5ECA19AFE263D556C4 - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 452C24B6D1F23ED0D896A636BEA86D29830D83CD87640B9706C66144CF22279D06062BF9858CB3 - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = FC93BC579F12095A2AA3459B5EC04A6FA2AE339E3622DFD86DFE5268D01C0FB4FD1554C2595FB0 - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6E6C0AFAE083FF981D96681450B30FF8DABDA3723A2E2A09DC8FF50BB544E2900D9FC287B552F4 - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = 06DDF6C1C256CDFBC86C6D7F8BD104A24AC1DF158C8109BD52250C352EE5C1954DBAF6BF1B6BBB3B - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = BBA317D05DF7E8117DFC415211257F332C58D55177146B1A319FC4BA6D5EDA37E45838C1D48A1A3C - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = 59DDECD3B2D65A8C6C26B04274E69D7E91AC457AE37D6D2D02F6E8349F50F71D0D5BB618DEF35CB8 - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = 9EA4C9F9D2CA10D380AA63C81C0880A32DBCB82C9D8C7542ED377AB6744495D970D1708319AAED78 - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = 8474901E6B868F86BB1292440CF2B1C4841BBA8E39E322CF62402186D578F7151EF749B1A8C2E0C2 - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = 895A94210C0FB93F4A5594CE600A423A8157522FBC546D313AE0DFC4EDD60173BE6DC58CE0A9082A - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = 7FE34072FC5BFE860D4500D7D9DA82D661FE5DC3F10FCB2AECFB48E49ECBADFEEADD5C5A12FB5A48 - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = 3A4F3FC0FE31340C9C8AA6BF6D981858B8502783C8564FA0B5A947924FEFC9DF0DB59E8580B4C6C3 - -Count = 801 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = 95DD37BD13835C96256279D46EA42F77CFBECABD8E9CF281427A61C044E1A0591415EAF803A1A0D4 - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = 60E94CF26D2A79B93222AAB019CA127C25B0EB7D41D4CD27D410D5E8592838BDCAF62F8ACFCD0A91 - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = C519DAB0B85EFD4C3862BA02B8A5270F38D5AFD5FE2AC8B4A0348D540EA790B21ADEC56E338BDC83 - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = 2030CA1D3E318E0C840378B1599DCD9DE80515DB91F1654136CBDC662FF07F524C417D8B370FE234 - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = 1A67A160DBC9D165E1EBAA20D6FFE93FDF1C08A12BF5F85E0FF8E7D4B6AD9FEDAB4F5D2F7C4D60DC - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = 3DE6741F8963F7A8CF050E802ED1A8F72915B39732BD429DF2CE6FBB15FDC2D488E63E0AD5D0D243 - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = D457EF025ECA77933D78DCC6423CE07AED617CFA794EFE3BA6B8995540BA5DB51CD59E214F1AC795 - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = 8A25607D464E1F0B6E14AE1E603BD2AD329775AD053CDFE56E3D61E19BDC857F713BC6CD499FD0F8 - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = 8F1817BABBB093AF3DC215551F22718ABE1E6A73AA6C21323270DC5655C3C8EF00BF146F142D89CF - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 
0BB8E1F321B98AD80122286A98789EEDF6054DA1C0F25657CF2D93E97F1F4733CCEA940F9DC7F01C - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = EEFAE789886CC2B7EB9653BB730170757C624D00FA6747754899885C9932C24F65FB3D9D98EF870A - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 22039A8822545603056FFA75BA464F86FAE7C057E359C5A8470DF43C00514E2A4EFAB9EAAE289806 - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 634CD8B431FB6F78D2510CAA1B644D126B5461B7E9CA5B3765F3697B91B4E6307A899697EC211981 - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 0E0AFDFF5E5B1538CDC2EEDE984FEDB158D0C591D58FFABCFD0B4335821A8120524A17E5EA582ECD - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = ACD0AFB7A405BB77C86F5E4A6DD707621B9EA77290F0F5EE10EE16E70660C9D6BCDB0674FB1A1850 - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = B0A4C71E1F38C276541CB301507F915279BAB1E7B84E7EEFB0BBAD8BF65373DD3F7485CC27C31681 - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
71A7E6A49E9264534F22FEF9D6C67B7A3674FC411A8896815AC36090923B51D0740C6E5BE1740EEA - -Count = 818 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = D84CEA9E627CDF8F8EAF91DAA38E2D2A2ABE5C43D5EC431D0909257CC0973A55939C16A13F1D23E1 - -Count = 819 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = E0E63D0272E3B9A44BD6FC1DE00F0D7027ACAB71D5DF32A609E9F1C205D5099066DCC3DB7F88953C - -Count = 820 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6227D8A2454BD8718AFEECF0B48EEE3C23EA53CE88219098FE923C59E1F67F492AAB511D97AA18FC - -Count = 821 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = D686D18B6184DAE4175D34FE449433EDAEBE266291510580F69B6F927A7FCA6FC068CA0B90926983 - -Count = 822 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 1929CF898EE6BC20F08E94980515E586A9AFB9884DDF61ACF504F844FD3CC9B72972E57154E8B29C - -Count = 823 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = AE75C1FE069ED2323B5DF3243AD2D22274D2694D11106C1E6A483DF74C842B9C2525A6B22EA8211C - -Count = 824 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C08C85B780FC1E6DC737341A244BF4E95AC05ED5B86992E1FEDC2A0E1AC59E7D582454073E4D4B49 - -Count = 825 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 258B2C198B4033A2E453529CD53F980E04564D5A25E02B5B9E41D9E09175D8467825A2998A50B759 - -Count = 826 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = -CT = 0AE886F14EFBA5C366C3A081096E40F250D1119C3AD446482002513DEFEE64E35C458C60327E51ADDA - -Count = 827 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00 -CT = 989CDF54DF5289C091A603ECB5FF1057B0FB27D0C73A92D24D816DD1ECBD742F7B724C49AFDBA4B0C3 - -Count = 828 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001 -CT = B1A8C43D6410679A12805177CC5F891F5ABB7F962AADFD7D2536DFCF65EA17076A9C6910EB862B28A4 - -Count = 829 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102 -CT = 24946106F880A1073B1D76D577E8155CBF274A8CBDF36C987C0B015694B8DEABB6F2827F3153AB9577 - -Count = 830 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203 -CT = 423F6B481B21483CB174F904F598E461BABE0A63ABFA6A010CB1BA45912A3F4F06D32C3806E428E4A9 - -Count = 831 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304 -CT = 12CB51ECDE6D4E0E27166DA1D6305713A0608BD50B0785BAAF8205CBF3D3981C6B862FA1C088346338 - -Count = 832 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405 -CT = 9131CD54AAC92E560738C394E2BC075DCC56861437864E1C88155F36BA2AC6D317C6E0CFD9CEFD888F - -Count = 833 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506 -CT = D18B8337ABA7F131B27CA8499C8B357D5627E093CA0E07EF43A126FD8F7B273E6A6CE0C400DFC70502 - -Count = 834 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304050607 -CT = 5AE5F80AF7088B658C262F6E6617EF383BF13B4FB277DD9BDBDA954492474525F97FC37DF056274D4C - -Count = 835 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708 -CT = 3AEDEC3D86DAE0B481FF60C9BAFDBCCC5A27D426B06F424BFB5281C1D38B0A7C013FA6A2394950181C - -Count = 836 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506070809 -CT = 0EA8C9B0E80BC0E4D928A74DB93417F5B3DE1CFE2E7213E1E4D06CAEC44F24AB4E3534CDA68A7518CE - -Count = 837 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A -CT = 92B18A6F0C68EFD7C09B7A52CF29E128CDCC644455D285783A78700EFB0679ABF8495AE45CCF3E8BF1 - -Count = 838 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B -CT = C737CA6C10F022BF286D847F8D0BCDDFC85A1818B93479C95EFEFA7DF99DE30DEC10AD2988D120E8B9 - -Count = 839 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C -CT = 
2C8997D705C7798D7534CEF870F89F2DCB7F1A56B7888318A66019EF373ECF12E7C7F7BA19928A8EC9 - -Count = 840 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D -CT = A8DEFB524E5A172216B0DE3114069A929415E1A82C22C0398987EF155C7CDABB3A5AD1752BE8CBB56B - -Count = 841 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E -CT = 36A206B2C8BDB119E39347716B0769A402D540196E2E4FCA5E7DCFD7D94CF5212217A3781E21E2BDF6 - -Count = 842 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0A4F111AFA2745185155FB592D4A96F73A9300120E2FC8E3E57E606E836309810E236DC730E50BF737 - -Count = 843 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = F774E93C178A8BF62EDBECFDFE8923BB82D699C5499D427DFA5111CC309519A3F09ED8705B8828B8E0 - -Count = 844 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0FF0F1826DBBF1DE9510761E8E45DFA54D1CE89ED96263D1D6606F06646D5775C84D90A0AAF048E744 - -Count = 845 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = F4BA9F0158D2C8333D7B8B7CF09BF39856BFF07358610168C510084B65E300EBE16D087D9FCE6B8879 - -Count = 846 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 
BE2C5801A779A3BCC61D684D276425208D89CC50A077E5424B60DF74831FC8A18DEFE94B2879954EF9 - -Count = 847 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 970F4E3921CCF6C774DF47086AB29AD5939C019C3EA5093002A36DA7EB36916C03B7EE590D8A7384A2 - -Count = 848 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 39184FD87B277ECB6132FB6CA9345E62A3447BE92E6EBD1D34A8ADDFCBF53287284AFE5E09606C4458 - -Count = 849 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = F979EA9C729184C39333BCBF4FBBE26BB0BC70D67B17590FE843DD91CE3332D6822D5A62349FB520FE - -Count = 850 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 0EC1E63E5D32A8C9B1BC057C8F4BCF97C037A6C0E7D3DFA3C618F3DC064A8805CB6EB512AAB7533A3C - -Count = 851 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = E2C17380C5F90E53D7A7BEA2A674481D7051191410F5AFA69BA9908C902DE64964C5E32F50CEC5BB0B - -Count = 852 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = ADA9738AEB7426C692EAD4EE4ED8795042A53D0FF32F59958E11AAF027ABF721205776F69F0CD5F87E - -Count = 853 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = FE3FEC0AEB013C810D86EDFB2BDB6BEB5AA88FEEB4009EF1BFC298F2384EF879B92871477ECCC10680 - -Count = 854 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 0BB35ED95DC19A559258311675AB40832E403D4F982C3EA8E24CD9DAAE47653621736FBFCED7BA8CAB - -Count = 855 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = D74177CFA5E79D0E262879EFB920BAC6E575BEB8C4331E556794BC62E01B4FD94F6D1AB36C5E240497 - -Count = 856 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = DCAF4E946021F59B842DB39AD26FDB226E53B660689861E9845A8493B659BCEDDA8D8E996ABD4D959B - -Count = 857 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 17069B1AC4377B2461383489CC719F29BD481A55085D2065A65027FBBC0C0AAE7FC766D3A7F5EE64B2 - -Count = 858 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = F798273A7DFA98F62784B2F345DFCE6BE843D51CE71480125BF5B37BF08958FC085BC05D82F434C889 - -Count = 859 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = -CT = CD8D165C336A8CDA8AE1598538E6DF9D8264873E26EA7657FD6CCF791E6704AB85C955B97BD075E87DB5 - -Count = 860 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00 -CT = 3EF903350821D879A66C731015201B110F7D4B39124321C450A220C29AFA7703DA87C459C2967FD5AF4E - -Count = 861 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001 -CT = D67FB814FBAAA49D4D6A5ACAB00297C2234C1E8253000D16BC91A00CFA46700BA595B866DB8359A201F9 - -Count = 862 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102 -CT = 2848D8C973313EE41B1A5C65E5F04578C5D44CD95D7C2F4B07A8FA21FC49B1555CEFE128FABB4F82BF0B - -Count = 863 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203 -CT = 8C27B019909DCC4BFECC54C0AF091FEC5FCD02740B078319AD6C3915A7325CED689673E2572322EE86F4 - -Count = 864 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304 -CT = 9D4FA78533F81348A004269E3AEB87EAFCF7FE1E888F612D969B5E693404091A577E489722C120D6AB21 - -Count = 865 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405 -CT = 9CA84410F08B5571EBAAE8B16867147686A2FF482480977749179BF2464CEFF423ADA0B93A7C3B23ACF1 - -Count = 866 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506 -CT = E1A3E34842DDBC2A3CFDF4B7383DA466B8C0E6E67EC771CA3263483B85BC4B6961FC344A249369B00363 - -Count = 867 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304050607 -CT = B0BF9A231A075412DB69F93311AD678A926B4B24493103A1E78104DA48EA2595D388A1F3F167F5CC33B2 - -Count = 868 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708 -CT = F85F1D8375BF2766D006BDC708A3142CBD4FB7D8F38F567F13410444FBC5ACE67D80052F521C607967AF - -Count = 869 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506070809 -CT = 1DA81D2FB6C010EF953BC6EC3143398F5DD5EEB6317CF6D329131BCFA944402B92777CBB6EE450FACD61 - -Count = 870 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A -CT = 18EF9648BFE9FBD8B29D5706F3474546D5585F67AE3312C1593CD9770F3E0B6846641B9E817328578D7F - -Count = 871 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B -CT = A6068F5C60973934DED379D318114294CDCAFCC914CF28DB85F1C5DD8698BF4FC45850D68B8CCD454119 - -Count = 872 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C -CT = 9956ACFB61D4B10F54CDD1135C5464B1CF78E4E62977D142EFEC261A732CDAE520AE60E77F33BFAC1288 - -Count = 873 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D -CT = 88CBC40D6F3819BFF5F0B2C9DFBAA37FABEC0AB5CD8DC2DAC1311E51AB2A26506263DE4B601AAE079963 - -Count = 874 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E -CT = 259BCAEC78253EA3BC22FACBA3F2645B3A97A94F39CCF1A771705C1E8B3D574F43D680022A4239066585 - -Count = 875 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 
000102030405060708090A0B0C0D0E0F -CT = 813493B084329E06EE69260EC39803A26C19DC89C4EB3FB2D36DF29E0CE8488D5F49AAD7CBD82BF87998 - -Count = 876 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 26FB2DAD8AE2C7AA5F7A20D42C68283D99A0B2B9C927B2178204B867DBF6A65BD2FC17460966B54FBA6C - -Count = 877 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = FCE65B3DA22523519E079741004AAA64A279C0AAC81C6F8B38DF684C56F85450E3BEC9972A8805D948B2 - -Count = 878 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = D56BFC13F17C20B6CFDF219CAFA2B8E49871AC62E5A7241846CA3549B1024977FE52C37202C46BBB401F - -Count = 879 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ACF7579E62177D7F7B9C27BC85BA527771521087B9010F8458D14BD69237FFD474A9110C50408224CFEE - -Count = 880 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 1EF8AE3FDB938837A36004F8A2842EED759B23EDF2E78278BD51E86CA8A350B79E20D56E7A7456309F98 - -Count = 881 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 4A43599A322FCD8991CC37CD80E42F5B7670E37883E7B13B6807B7AB939CE7E2F1A507C89E9DEC1631F6 - -Count = 882 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516 -CT = C753367A830C4CF28141B8CE0B4811D851BC00ED727A84A01B578AC93921B59B479BA1B08DF92079F6CD - -Count = 883 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 7C2F561F89AE40F1F1EABC6490E1A0B0EFF837B28D67F94C7B66E726C305DE320A2643AAA87D2B492713 - -Count = 884 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 4F44FCED5B08294D1CC897843DD44E19DAC84CFF08D3A10C058F344F0E438086AB2D923151836B9917FA - -Count = 885 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 448354BA65EC78D3AB8144A73E4A716E708D6FBAC28C5383A37136B4C6454EF1A405A49D1AA0880BDC18 - -Count = 886 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = D12A34B232FB3DF5D6DCFD545E7A5DCD3B33BF96FAE09C263405FBFD4E30A219F068B77D1F7F4467A611 - -Count = 887 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = BB798778A2D61940975D4999EAB993FA3C3D957681F4296CFA7A0D204FE58EFF9B7292431293E9C95EEA - -Count = 888 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 5EFFCE8FF2498B1B5983A667EF5D1B21741E98B5A8F8824029A4FBCE3F2367CCE83A50C22E1A2646B446 - -Count = 889 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 7F41A4B9E3E5361B4C07740A9975E78A96E25A5049C0EF3A88984A5ECB86DAA126865D9B95CB38227867 - -Count = 890 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C13D8198366CCA4E3CCFF632012FC5C5DD163DAA1D734E0DA54E8C79F1BAF9678BCC430F37BB73C6AC1A - -Count = 891 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 5DC45671FB51A96E396E09CC65894B812B8CBFAA2CD2BF9BADDC48C49647FF0A12332016140EC9A4223A - -Count = 892 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = -CT = 3F4E917FE60C00634ED3E5878B0319F1DCB67EBA962D45A2599A9351AEDE7B1C29C2F230BE0E5FE2442EC9 - -Count = 893 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00 -CT = 16FBDD61F62734F0D237C432FD653DDB1E6385F81CE1704684D873333C938EA4CA4680462FE0F306F8A760 - -Count = 894 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001 -CT = E9D15E11164C8656FBE2A9F3B389A0FCF57C7C761391FD51C5BEC6F103DB576FAD18D914384F260E1FDDBF - -Count = 895 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102 -CT = CFFAF7415285BD3CA494477B0D6DBF4F76AD5AFC5568B258DD5D01E128D218F1B54979DC472BE250FA8502 - -Count = 896 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203 -CT = C86399A2F30C10CABD42CD7FACEB859C73C8D66E9131C821CA741A332CB72BF026BFB4872079CA04564536 - -Count = 897 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304 -CT = BBC9AF190A4C9DBCA7FCE43998009A7598F27D219C0523265BBBE8984EA1696C1EC0B33AF1DF4E30914949 - -Count = 898 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405 -CT = 2A920B8390F8EC2FFA374DF621720A542F9E59951A3E7890B563B7A1478EED66FC64A6EB29F7275FCA3D9B - -Count = 899 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506 -CT = AF6E2DFA2BCD2C705F2C182ED4A9433E1AAA30E98AD31A0A01BBC578F959C270D608AC251BC0FEB62883FE - -Count = 900 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304050607 -CT = 7F51A2C105D41B2AB8E75855EB01C27FBECF1BD1EF28FE294E2DCDB68116FFBE361C855EEB5D6AD3039E83 - -Count = 901 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708 -CT = 5371F86679AF23494441B7B37794A131F0A74927E93590BEF2AFAE981FB439E80A7DF02593B590B258CFBE - -Count = 902 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506070809 -CT = 441AE0867C080EF66DFEFF9D534977F13C727D76018A7682482F1C26CAC4EA544846C7BB50E4CB53AA14BF - -Count = 903 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A -CT = 
2198ABA8533DE5A929B8B656154E143218C7B24D631EE8EED2DC9C2BAA9FC146570F39060B1DC2058F736A - -Count = 904 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B -CT = 590C4D8B74AB3CCD6F0004877C3758C6ED2EC54F1F21A0F3F485C3F617C76D05E95AB8AAB67D1BCC8E6477 - -Count = 905 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C -CT = ADF8A54271FEC3C40D980BDEAA9D134075E7646276F12300965C121A4E87DCCF1CB72D263CEE9646AB66B6 - -Count = 906 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D -CT = 7C7C2E06952FA9A9DB37712D0FFC9D66E54F640E8884DB52D10DEDDFB3345C16D8471D575464380156E57A - -Count = 907 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E -CT = C1067C221ACD7FC831A158C3F75E503C55E243CCE0D85DC5D804F013CB137779496C87C060181307A9A472 - -Count = 908 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F -CT = A701BA5B1BBEB19F03B11D75689C146A714276368B40493037693855BC45F8065FE9E45F530009F5F1B837 - -Count = 909 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 98879CA255A433074924B98A1DE56142CD31393B6CB16C550D3F128BF610AB273F2558737C2F4842C02B07 - -Count = 910 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 
C4BD098BAAA9F2323A847B8ADEE759E4976B3449FAAE10E18A0AAA0A5DC8CF1CEAD263465A65685EAE31C4 - -Count = 911 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = E1F11DE0552C9BCB55F12605FFD0584B3A33F72A4838FA2D51DF9F94FEA780C873F3EB486736BDCD07C813 - -Count = 912 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = FA35CAFED8CCD075D3A077BB0FC9A6D7220E7BBE9810E473BD145BB553A030FF9FAFFC0F6FE1D79D5772AC - -Count = 913 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = CD12AE6C8C3BE721D9FD2C178DFF2CE4479E3BB01D6464A56427D24584471F86EE4B46B1D5BEFD3E0FCB45 - -Count = 914 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 6C40F2C29848F66761286C7EFE2F45AD2C85BD2242388A8DBDF01B9F6DBB65418BB896D07E89284522FA3C - -Count = 915 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D1E66CF8933DF266295A09105E8A4B3EE22C282688C47597F0BA9DAAEED5640EE8F435ED84A7AB345FB36A - -Count = 916 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 1A9C8C3E262D7C5DF967606089BEB665A00618CA3CD0E9DD3A49770A44E121ACC9B2A86C92888D752E139F - -Count = 917 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD 
= 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 624AAB7E63EF74152607871AC6EBF97C5CB9E614A865B9A96DEC795DD3FEA662C98D86D38DD0441EC5DFE6 - -Count = 918 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AB142DCCE952CD685BDD41DEDB5D36A17D7904F9C936CC7F6A5A2D8C98B335182ECEA00B45BBC24ED32947 - -Count = 919 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 1E36EB4B3CE575863086E3502E05028D630DA46A8AC6980EB534E51EC53B4CA501EC06ACFD8418F5DEDD8A - -Count = 920 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = DB0D9EE72709798D512B623B8F7EA466D1EF647C1928B216198502F423FA9C7F2CA3C952B9156141C3C57B - -Count = 921 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 967302BE454D6D121081534C0DF6499212D2C176E8E0CE691C1F186E962F990E6CB5B40C546BE1B9A25648 - -Count = 922 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 01BCC2FCA36E2E07D45CED3CADC4CAE65DEC0C143A73EF5E0FCFE2C67ED2CCDD18A8EF27923AA35EAC3B57 - -Count = 923 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 5F85BCC6DC75CB1BB5E09B816525DBFFC637FB6B037EABA7EBA1434E2A189B61945301BF6B0DD537333F7B - -Count = 
924 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = D5A89187E3C278654405F8EA1D4E713C88D829785C70F4B04D398DA74DC6F21FEEFFA3D218FC28B657A454 - -Count = 925 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = -CT = 3B7C471ED1113868D40798A42C0CDEF5BA40466C2C6081F17E3775C119966F1A64AA197F427EB008E32B17E7 - -Count = 926 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00 -CT = 31A77758769E1ABD6F21C99F7DC3EEBBB550E1BF7F022FB8A167608722EB35A93F8D442A5E0CEE562DA61628 - -Count = 927 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001 -CT = C6D5A8C140CA18CABADC7467788D3EAEA585A3AB35A986F6540FE4FEABD7180115AA384E8426B6CDD245C29C - -Count = 928 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102 -CT = DBE1F1A6689524A606F8C41B30D274B6CDB8C66E6C6BFAB95A75FAB7AAB7DC31DC6C5EEB267D33231B97D1D3 - -Count = 929 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203 -CT = B42DC87D3CE70FC91D5BB8D183FE7A24FEFFE0DBACEBECEAB3AE0F0B6A069CA21B0142C9459CD458E4AEC8AE - -Count = 930 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304 -CT = BCEAE6B2910ABF03A30175255C7111C357CD6AD09F2BD14792C3DFB5AACB89BDA0E86EAD062ADD7968AD004A - -Count = 931 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405 -CT = C6296E71FF2DD9902EB4F505C08CDE8BD9ED766C618605C91C88B10245BEA5ECA16C5E52B4148F08F20173F4 - -Count = 932 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506 -CT = CA3CD8FF10FAF1249E5DBDE5DCA7C5BEE02ED904CDE42B7334C819E353A937C58667C5A1C7A7C6977795A2B9 - -Count = 933 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304050607 -CT = 9705D62216A72ABC58475D18F5BE79692C98088FC79421967D15CAD06FE8720DFB60341E81550D319DDF6F53 - -Count = 934 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708 -CT = 90A042EC42226184E748ADDCD93778B3CB99DE87436616B2912A2D2947E964FB91E12C11BC987657F41DB9F5 - -Count = 935 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506070809 -CT = B80412059211015505D72A18F7016BF6167B6B26C6EB528900145844F874247FD7C1D4E5475978BD8FC72F9E - -Count = 936 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A -CT = 5506984785F1A29BA184E60E9B6C36785F631C7D3E3A1BC21459876AFF2F595F363A128B607A9992B7F501A6 - -Count = 937 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B -CT = CD40D58ECE1AD2130ED09302D335577DA23E24A0ECFF4636B8C30573F19DE53C48DBD7FABA98BCAFF5EF6F29 - -Count = 938 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C -CT = 
49F260821DE6CA6789F59DBBD3861BAAB4BA10554F81B9954C96B7EF1AD7D71BE25A131D91649383382EA00C - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = A6A3D27345F96BC412966EFF699029B1B61C83F0FD6BD9ED73155D9289B4C3E4FC5E6FBF1FF2321E85E1438F - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E -CT = 9FC8546C52B8BAA2E3CB11B8C3A13AAC9FCCB9C31D31576D7260EA8C215002DD00B0DDC20395F7E09448B587 - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = A9F36A892FAF4F0105D82AB9EC42EFE976005412205F8B36E60939AE1580AEAC3CE29CFF19D11055354CE6B4 - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = AECAF1C811FE0B813C26A689FDB731009E118312FC759DA7A1EE3B1FA9FADE9809C973E8B3669EE2ED66B1DA - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 731B5CEAAEBB7D181BD03A1F7F151C7C2EDE82B350CD17E18D5EFE68A2D159C1111307A05696E32F9916C3A4 - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 5EEA5E356FA4A7F893BDA4D2811505F89EE3D0FEFFA6BF031D666F533ABE640E4BBF16D202C17A2EEE4A32C3 - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 
000102030405060708090A0B0C0D0E0F10111213 -CT = F0A6D5950ADD60A937646BE3E4265C4899D8841787AA33B5F18A7AF8951555C3D72A83E67B2A4BE1FC9C6E54 - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = F77E732E38417185D786943E6DBCB9782285996B333491F068C8363411CA9CD1B4F029466474A536DD9BF8C6 - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 834B7AC0EA5A55BF41E56020B15059B086D63EA89131BC19C2B7A2FDAAF383A702D616008116A2CA4EC7B8B3 - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 9FB530D0658F0B52C01D0BFD7532493C74A0585408864D3F8A346EB262E5C0BD4975FF0BC54F63A66471DC0B - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = E1682CB058E5A6D4EAC77EB98C8BD1833F6BBF7DCFA500390E873880AEE99A5B5582291EE7FC7B3289D10F56 - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7A41FE17C46147071BD8D76EFE6DC816E5685FC68908CE4F6B15CAED64C153DB8B8880A49868A603BB4397FC - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = EF00DD1D5E35B05994FAAFA5552568E16B6C41087AEBACACCBEDA461C2C7B619CDDE8DDCA24BD95C7565BEED - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 4B152EA862A71E3622777D256D65228875820D12DD821BF7AAC73BBDB9A36C8BDB52EDF5F975F68C987F3969 - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 62884357B4278B51070EAB79C2F578B3A8DEAE498B6185D9F246A17A148F0739107046BF84D019A505283071 - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 4319E93C1360B66B6F9FECEACC03F3A36B6F1D2E680AB1687680C39E1B4109F0B51DFDF80407467BF764FAB8 - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 1CD8DE2E2C17C767F2892CB0BFC4C521862F82119D51019E2518F3495B1AA4F0DE5778AB757DD55996F4272F - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = CDAC4F8B28F40C3C3C260332306A1E5BD0B91ADFD228029EE388A8F77DE42C25E94ADADCFD5C66294C285D71 - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 95B812FD1447DE7CD07B016C2FD238C5F744DAFC6DE89B535880FE1D82FBFAA801578B98EC2E84108688ACFD - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = 
ABE67F59D1343F4DF90089B9046E5CCB37B997A4574987E0DC9EB9588CC297DE47E94187E690F137B681B6D4AB - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = 02BCE0A645ECFC99C8BDB87B8DB2818905E80C2BA2319E4736034EE86C48A1D1DF071253DE1DC2BB3A484D20A3 - -Count = 960 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = 917E8E497499965702E8CD2D8BBC2BDABB7677FAA88987E85049BBF9E77C49A6DE5959A0998D10AD9D8EA2A3FA - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = C0F37433B96C8636B65DBD025816B76F50904EB09505CC0F57EE72810DA93B6ADF1DD6AD71E185A9CE83E9B5B4 - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = 3C8E6B499B81DDF01552B570A244ACC14D635E14B5B4FD1B55D1ACB9B64C8BD5C7AA47C9B7DA5F07A8F6E2FB17 - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = 6E52EB94B2BBE0C9291AC579599B641E744894A6924EA2E3CAFDB46A3C4D1E915F50F6C0D862A334103E7D1221 - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = 2B7F5EAE4C36B192A08050190B987765A2F0FB1FAC037E3ECDD3AB72AEC10C83062EBA1D85540ACD64E7B4ED6F - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = 5FB3AC7BD67A227FB34E1F283AB727882CAD766E32B43A1FBDF9B123322DE6240C3294308635D95891788DC578 - -Count = 966 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = 5D086B6BFDD7420353C1C29A0D6D142A0A39985F73E0AF43FA1D5D435967DFEC026697E9C4B309B8A2D8036E68 - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = 68394EAF77477CC2D91578AA5B59DC5E1D0BB492E2D5731EE803432E785D587B42D0720C2F9C83D1B0758A7ED2 - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = 5104A6B4888377E7CB1E7206F742FF8815C942CDAF65B4352CF9EBEE3D3D6719B2A7507ACED32B2D4107C40537 - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = 4E7D9E49284B70EDA9AE5F80B9D2B07716AB619F389399A668F8ABE720AF07D71DD9DE88744818B663104FA58A - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = BB7F56CD3067FC4B537F5631D61E082ADC7210BCB1EB349634D4464EEDFD3FAA761890A5657DC34CDED854D4B7 - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = 36E7DAE3B7E31D8A3D1931089B455FD63FDBD5E74EE128FF0E51ED34863EE4CE0D1BB538E4524C2ACA7FBD4B5E - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = 1EB7B51E4EA85965D085A4B7301C2DACE7E2A4B4DCA14199FC530BF4AAF57398400FC5EAF740175E576063007D - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce 
= 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = C2C1C152091C6352929B31831B19F3AE25939DBE320589876C1E240280C346FA347DA71A47A60EBA8524BED936 - -Count = 974 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = 1D4F57008C85D875C3F7C7BA832957652932313FD8FD2AB6AC921842ED1BF85CB0D2D33A0DAE8674F4D042DDD5 - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 24D17A4515CE447BDFCE95B9AB297FC0C4BEEA75FE2BD7E4F9337D2824E68E93241B3C8B44C060D98EA257156B - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 1B438B1515F252D09B9260367DEDBE4302FCA4B95D0E905DEF4DE9E0F447C4E60456DD509D78C71C0850A03207 - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 99393216CB8006F762ABEE93A1AEDF31BDAB5755F616410290F2D18E2043C50DE348218562349FB0162CCC17C2 - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01BAB3A0B9BCC0D4391BABD662CB00B3B8CF9DB4E0F208389D1C5B389355C1C07039FCF29F2C7DC03D43CDCC8F - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 32079A24DA821DEC5668D33AE152CE4C0BE7E7100D61011477BB0323DFC279A184A32B86F84774A066515FE0E4 - 
-Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = F8B8753D7418962AA44C3D746D4B56C68F19D3DA9AC8F581282B7323F5E1E9BB096B4469F3248938D3DA87FF06 - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = C36CBACA72F486B579A7894927C6AC269B018BA127FB3329E7E2D9373015E50680016C11EC45F3D4A6EC191D45 - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = EDB280D3E3A5AB0F4A52DF0FDB3DAC25C12495410C0252C7AC6F43C906ECB6BAC6CFC1A11AB85C32412CC20310 - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = EE29DEB13056AFD449AD1E470ECCD614968D3C7920468EE5367739DB3015616DD12227F7B076F5737E6FDBEE46 - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 636F1D69CBF6AD880D826873526F7E51362821AEE1B0C1637E424A63E53606E3B80E48B1E8AF69FE4DEE0BE3EA - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = D29182D978ECAFFB10EB2B1B803E96A8553D395D6B8D23A8623BAB71074A803607888E263286D31B047BB6EEF3 - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = FDCC21ECE528917CA48EF01249154327582D8784AE94A65604757BFA1A6D3C85EF96B04AA97613CDC27285DFA5 - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 328D76A1A94355BF212867C4A551E7B56E945545DB5B9F11FA97482A7A8C66AE3F34E5DA115CE14287327DDB17 - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 878A91514C2209CF3594D617B928790DAE92C7E88E96A5C537E6B97790516821FF096910D52635051EEBDD1CF0 - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = E1646201F9EBCCD5EB89409350302C84D89378EBE913525E3260668D8F05B4FEFA6E21BD4AC9ECB7074F1E32C6 - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 8E4A2B76BC6864D00746249C2513DE78524612AE9BA618EEBB06BB836AC2DBE453958C4368FDF16577DEBE16A7 - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = 8512E744DA43C460401B6AD55B2CFC10B623A9F18C091E1545F6DC4800B4AD02569DE85BBFA99748886733280A03 - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = 709FF930654586ABECA72CA683C4D8B39799A1892090B5B36897B4123631A42C21B40DD1A6FD84F514103AF1CC11 - -Count = 993 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = 8B145690450B9C577D4930E678C3E1D95B621A88F4A9C5417D83057499CA74F2EA1E6AB11183FCD52A8496C8E3FD - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = FC2A67563982AAA28C4281DF436F833A6D09B60996942CADFBF028E839DC0EABE7FE70718DA1F2A5A414F0B11A2F - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = 00FA428C0645528E8D6695343E0F2A05EBDF7B756EAD334D4804D1E5C7DD40E39656B05B16D400358C508F97CD98 - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = 45B926732DC82A8DFF53936608AF53CCCD5D783A4D70303F30F7E8B2CFCB6F5EA34B8F8B739EBC3E35F72425CF84 - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = C212720A1C06FB0D5815F1CACEBC664824CEE0EBF9E68529FFB9DD9EADBFDCF53FF995E1613FF265D25470783BD8 - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = 20BCE1D78DD9D8B5DFD0C222BEE2BEA64A1FDDA6FAD416DA49C9FCC7BE7DBF6BC416B500888A4B86A07E12C5655A - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = 37EDA73BBD6D857BD0BF08ABDF11B854FFE70F4A46E08550FEE7F47689DC84FEB3FA4964E98787106E57D77C08DF - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = 04115FAE61C8197D9C2A40D42A45FA32A7BF59EF2B264209D03228A016E87F19DC463CD557483E5BC5FE320CBBD4 - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = 27E4144F3E9D79E2D17CF9012FAE25AE079798F5313C03742A84C9FE363800CB834934910A97F2071D8BF3E07557 - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = 37D28F328EDAC22D99B5625FC6C36CB16A941B318B9C33FF29C62722B5A787BC754E3DF55C782EE13CF4044BB3C1 - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = E5BA2067755C5922B1A08D141F0BC3EA05B36E4DA1543690324E3E4B3406D09C9CA6334E865F884B28E046FEEE00 - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = 5FE1A97EFB52C999F1F477D4AAC4FFC7CE2927EF0C1EC2AA0C827C3BCB7AF5712BEF9FDF936B9EE148D722148B0C - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = 70CBBA0CC718C9AA9D2D1917974388A9E29E35DA866C47036D99AAF3FA138F5A77BE683AE7EEB2179F3247D74C0D - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = F5DE344F005CDA5280942A502C9F3CBA202056700D1C87C4249CAA0CCC2681500431FD366845F203BA554909FE46 - -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = E03B7019A79FCFE9C1094DEE927294D5C3E298D395EC3F5CD5B73DA0911167D69C6E9F7E779DBD2A93A28E03D159 - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 9AE6D76F64C22DDA56F576CE6722998F76974CC1E0FF507746763DF03340166FEA1C093A5C0B91F0C6E783E65531 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = B5ECBD6C2D3490012FB27F59A5643C10BBC6F0B30E4D27280A6DAEFB04D38FFBBAC29856B3C9F67C257653244BAF - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 51749744DE84F6DA3B4F7F272D95B31B36C2AC97523D08A1C6BB0BBDBB00E41B521878BFE90FD837A08EB262BFC9 - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C9BD345CBE254E85DC5E07FAC4853D3974BEB59BDB27177B4C80C9DAEABDBED43105522B5C1A7067A4EFB57EEC68 - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 74D99F75C242DAB5A4ACAB2FA85A247667FA8679C96386D9110E1FAD2022D61647719AD59B03BB1DE9BCE4C0DE9C - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
E66C1EDF99DD781B3D758F0804E5CFD956E04E128B943653106D3946BBF60DF96314BC76D2DC6C55B5EB02177773 - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 746E27FF25D342BA34D128A23EBC7D4383D4F241441CD2905C63DADACFB29EB700CAFA9CB3E8F090C7631E58A764 - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A50A548E25E69E957FFFD41D354B6C7F9F4C7E5CE5BA3F821540F50FFC0236254CA7EDDF8A4D8CFE8691E415750B - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 4CF575B21955F7ECDD3B7E1DCB8DA3EBA5EDF22208BE829B2050FCD57D8F5E19BD030DDAF043FAF3FF986B341C42 - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AD38FAFDA5EFC0EE25B39E5FE684AE528BAE02CF4D8743A09858BBE7CF27D26D5F7A75561BDF53A7A29FA004C845 - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 863D9268E12EAA71DBC2E6AD1374D87A489176CE034429C99A58F47F1E84EA75FB586EFC612EFD147EFD767F6BD8 - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 4F5E3A759DD4F8F8AC1A84BC8402A8124E5096F79DD7D2820BF7F1F5A65175E2AA06CBCD9A5CDEE4A283025B6641 - -Count = 1020 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B05566C3EB26B52B86AB7D150F66CD9E81477CB9E1B2AB3455DA94AEB37A422B957FF06B6DEF954D68F8109F5CD2 - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 34BC47B2309F615FD351F32AA86371930D5D6DC12599E441442279E024CB4EACACFAB9C6DE9C9A2966BE9E76F048 - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 42851ACE43D49B23EA11A945F6FB32C21AA8072AE96EA9C54B7D12CA35B3C5C2FAA5BEBECB0976442106F162595F - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 81FC35D9FF60C3A9AF2AFC1A901CF27FBAAA2FA6C13FD6F64C83D357AA396C9D5AEF95ED089E1A042938DA6B0810 - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = 153BED1C06B6349D1277FFE7BD64D9C0D4E79AA07382E47D3007B1B4334489A5772692E4934DA9228BABE067C27227 - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = EA59E5CCA20CD09949EA3F9A90907E2245B8CFB453FF85571A40C901A97CB25A51A413A2081665D63DFC0970021DA6 - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = 
A37E9E4CF3832B62738A26815179B70A3CC35897D3342E5EF46E598DB7128985BA262DFEB62DF4A5E2C44F451BC63A - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = 4BC7F5F4259B88A9B9A79F349E3388C8209DFA7522B6BD8B778CBED95C75921821437C5ECA7A66FCF03AD31784057E - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = A828BF292AC722F5880E6BE98EA636333B6754943D2BEA2DF940CF925DFE98EC8206B261424D09B9E06ECCD869F739 - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = 911A6EFEF96BC8826B4E56D487BD16FF9484AC417ACBA2B36A1717367CA6EAC9314E8FA0017D0A60E762ECF6926E18 - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = ADD0AF191BED7C35FD85755B58F871676C9B6818B7FB5D3366EBBE70EBC332871FAEB3C6311D03D97DA8800AC3E31C - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = BE2F283566022D6FA9130063748189B46A39B7E8A9854017C8AEFB87BFDDF5082BD266348B56B29854417D2DDBE824 - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = 9E2981695CAFAEF5B4614DDE90BB0B4D23929E4F3D61F93F7BEC52CED40B230E736CCECDA6B2C7F9177182B231D64B - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = 
20BEF2A9F3E89EBBF4E86B964DB946EAA50E0F3DF58722EE8561C33BA074FB3A55619D089C733A84A332DEF5FC88B1 - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = EA049D88084A63EBEDBCFD2FF5614EBCA259A7A4871CBDA0E2BAE6FC5FF791709221A0725C33E2597AB27C258FACB8 - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = 7F394A475F79D92CE6D843500B7E58D03FD61650A54B05C7613DD01ED5DF615D149E00F187F3121C55600CC7B6AD76 - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = 976CE421D4A63CF19633DDB11429ADF983C5FD19F26ECAA767C8018027887C651958C0412C07D24A30BD266F706403 - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = 53CBB7A3D31710294C2344612EFCA80DF94B4F684AE75627439E16CA8FB7BB2EE688061EF2986521922B5E208DA10B - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = 4C5D090D6A411761447F66F2C76F44682C3A943DCD87E538D62971BE9DA9CD2C642021227A808D7ECF31B1573A5655 - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = 4B11516E933EE1676E692909B9FBE4B59BA60C85E859895777F3DC2DC44754D5EF1ADEA430A6CF661126AE2E87992E - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = E09ECC66AE09CFD60C6525796FAB160C4E52924E4C893953F1B25EF05146F21B892FEC7FE07713EC9E9C0E9D7037F2 - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 50DC667B5532ACDF4A0503BCD626792C719A09E95641F9AFAAEDC2C69988EF42755E6BA6A6155AEE4B2E5D4BDDBF2C - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 597C64A50A84DF2224CB14DED431EE86D04E7CED37A482C9E0D1DCECAD0D956106ADB74AC0BA0EF27E121598321DFF - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 237FB3640786CC3980DAB177CF432A0965402D2A702006166C957B09619F3B122E2718441EE47EE5E702BDC0486EE6 - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 9FC8E2DFBFEAF392ADC1721637DB9D4B8AC250892AEEF18195B6F050A5462FCC955480DA75795CF36E54DDBB437EB8 - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 68C479F2D3B6E4B55E5546E1D0384CC56F4BB5E6DAAB675F82EA6799101C7B50EFCF889456A9FF8F223397D9F5AA87 - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
FF85762EE4015292F2AFBC180653CA328F7B48E6642C0154CB9C91F6FF8B42B306CF42E30FD3AFE819DA916ACB5BC2 - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 495F73ECABB6379D0DF3C2EA1872F996B6BF48856451105ABB7D8F15A2F46A90AE3ACC0504483139FD871AFE3AF2FF - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CD82714C41267A8EC1F38E32163743704C170CFC70EBF28F6AB1B6085C4F874A1E9C5B4AAC0AE52903324188DC1E91 - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 5BD9F9E46F31B5710E9CAD9B4FCB700A79CA6CC9E3485606B424173783236B0774524BAD627510103BD121372FF06E - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = EA4F800E850471D8FEFE91E80D8F8F12DEB7EC8B6ED4F7934495DA7D70ECB06E744835CB42FF64B7C27D3748A2C6ED - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 9F342EC8A473151F9AAE44C2E9C837A036817091CF9CBF0261DE54328098FD26CCC85138D9CA1F2CCF2EB07FC6E6B7 - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 
E87115C629EB550C5386B0B7C9C7A0D23A9D2D5E290392116F1B46A547A01C84AFC8ECA646B9C0B287AA97C4C671B8 - -Count = 1053 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 3D20B05FE53BA142E5D4B309151FC0E7E356A4C821FF0AAD9E69C3F6BC7C07BCBE817F0059B572C848DC05DF67F77D - -Count = 1054 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 6996F78CE412A88B4ECC56BAF9679FD4F06FB4866BEEFB04353BC399866B61A10520B706BB036D5921E2790B130E5D - -Count = 1055 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 2679D780DB4A7FA562B8D1CA824B66AD3ED8902B2C1EC7997A5E433C34B99E3B088FE2FE3FCD54FA0BAF649208ED2C - -Count = 1056 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 1B76DA52919A34BAD0F2C869393C29D9000F47C27C306DB72893A05F11BC66D1FA50588BCE980A1968C45F7625352D - -Count = 1057 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = -CT = 2BBC24BFDC19E600FAEEF125D57E22FC2F7A534E184B1F33E277706539FC57B69C2A1A2FB07CF3BF6BAF5A3F33A427C8 - -Count = 1058 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00 -CT = 9A1755FBD3E79F16D2F3D3F4019928C18BA5DECEE2603020B153846056755C92FF7EA76BD8E32989FFDAE98161F10979 - -Count = 1059 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001 -CT = 4D98C92E79CD85FC4F32DB7F6B26B80410BE15D2D2563A27D422E7C37D4AC1E0F296C3651DF8D1745413C2921B960AE9 - -Count = 1060 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102 -CT = EE1581A711FDB731A2F9A2132D4763744AC17FE8572E3CC6F11598937033F69D66F5D31736C92AEEF0BAA39AED9F52C2 - -Count = 1061 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203 -CT = B5C3192435083231BC336DBE111D09F009E9A0C8431EF1405405B2CE1EEB4489291945D0475C208797DA8B2B3C7BC1CF - -Count = 1062 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304 -CT = 9A3094C681036EBC3C783D5100C63343B46B9BD778771215E5F285E56E6A49DD64B2EA5D33B80FB2EE9D4BAEE5869DBA - -Count = 1063 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405 -CT = 8CF8D88C6E60D0FBAB6F7DFB99F15545E63C2B0B7859D55781FB332939BD750D655919859EC9957F5C0B65A5BA982855 - -Count = 1064 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506 -CT = 55624E07DC74DA221A1FF594C692397D72F7B12A0A8A81CD6B9FD6F21CF968797CCB3DED74EED7BB2D5EA3E5D15AAA7D - -Count = 1065 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304050607 -CT = AC0600B25FB1B313FF4B8280D928ABDF66E1DE13C65DAD373DD8667B35A2BAB7D8EE01A1FE8637D3D09E07F9152AA2EF - -Count = 1066 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708 -CT = A1F1D58DED0B274EAC0C7A0D6C79B7DD89B4EECBBD844F08077A0E48B957867DDA0093D805B7AAA8C807AAD669F8F32C - -Count = 1067 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506070809 -CT = FC1571FBD603A31CFD8B5EDA26A1911BC3E9D2A4B73D4823D058DE88F2C5CE6A019212387CA5221CF5244DA2423410FB - -Count = 1068 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A -CT = CF1B310CE6A6E4A300D4EBF8A229C07EF69F8473F6D56C52244C1EC3712EFBC140B1976FFB933BDEB5958B6E7452DABC - -Count = 1069 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B -CT = D2146062CB4D45FFD347E0FB51860899EDBC5B1E564F8146696D8A638AFEC6BCFF120083087693BCDD219264C6C03444 - -Count = 1070 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C -CT = 8D4BC02EF441E357F3A582076E80EC18AD03A34EB61D63713C0A3F62839F7FA2DC3D69C7341921FC964D5B1FF94CA2C6 - -Count = 1071 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D -CT = DAA8812F4AD115FD1EE02C04BC2A97D26E028D81F7E35EBFFEDFA1C5A19D87F9D1910FE8CA28809AC9ECC9947B88C1E3 - -Count = 1072 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E -CT = 
27D3630BF7CF649326E71F50CFD7B6171D60BA82C942495E21FB3CE564E0E8C5CCEBF6024E5771C9A4E8FFFE59064415 - -Count = 1073 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F -CT = 104F7091EBF05D514F39787A0E976F1594DC9BA95A5B7079428750F57EC29D513721C0E286C8CDF9D3D0FB15FDC1F332 - -Count = 1074 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 9899689EAA14A5B0D7C8191D973D27E65530B3054FAF3EFBAE3EB06A0D47747415443496A82E8EA0A4C4091F4588157B - -Count = 1075 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = BDE0C78A7E860C1CB6AE4811E8C9167004A728A8430CE3B0C5FB00C3F367F73DC4A5CD4F90C59161B157EA5645D48A4B - -Count = 1076 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = F2131F3CEFFE009B86FABB498121E59A0609E9AC4045905F9FDDB0C614689CE458FF1CCA15AFC60A8FE266AC47A400B4 - -Count = 1077 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 8E55AD2E4BF0083905D339F79649461E008CCECE14034005E305F6F37FC7FB3069AA5B7894B6F40014195CDE57D740A0 - -Count = 1078 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = E3643536DA55BBB014C57F8D3852702D1E157EE36C5E91011E7520354C3855734D5D58237E127C912210526E903A2DD5 - -Count = 1079 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A7931EDA441E5C8432C96AD907824763D48AAA6784271D1313449DD6DED4512C9042EB8BA2C699DEED680F6BA65473C6 - -Count = 1080 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 7D6DE76A4C54792997F8BF2A8BC12E12A22129298D5E9248F9DE572C0711CAA6940514B2E92B3E7028D787DE29C85703 - -Count = 1081 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = E2216387A9DC367522E7D35B7527AF3A68C43AD69328F6361B6C2CECC2154ACDA77431CE9CDCD026D043F07D5142B06E - -Count = 1082 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = C6EAF51ED6E9C09F7698A4F8B07A9871C173BB3B6230639E2975EC1BC2D0A54053E6ECF9493910AF37EA985DFB586FB4 - -Count = 1083 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 2C1CC49E0F99F1E4B49AD4969AD04F19D03060DD0FC81611A78B45B40841F59CCD09AB9AED4B8DFF5BE02F31CE811365 - -Count = 1084 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 0E38192F718CCACBC1B1A840B49BB0837211A33A9507459CFDF554C720EAE62A05DFCCE364B5343CD6E7FF42AA4C2F29 - -Count = 1085 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 7BBF1E556DEA24063D28D290C8B418F1EBDE24397E2264B6B3DBCA876FF8A3DF394818903C5E93A53DA18F4B829C276E - -Count = 1086 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CDD99ACE4050E2C3EE61999C7590C6F7FB862D7821A10F74A9B1D31424C4A8C8186822BE9FE954607AFF6172170F6B60 - -Count = 1087 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 33CF5E21B86123513D4A442A3713685042CA509A934371AFE4964C5B6A9755EA65B8532E813FEB0DCF9FB2C8DD468953 - -Count = 1088 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = CC730C21BF523DC7CA252E8E581730CC92311F538F9C6795073D69A60B79055C3DC1A916701A612BAC48790F0AC98223 - -Count = 1089 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 91088A8AC46766AA94B94DA53C1BEA09E414BA2B8D8E38414119F1C1E2B07C75CCFE0E9C2C4DB9FDFDE0B189648D5DA4 - diff --git a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/aead-common.c b/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/aead-common.h b/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/api.h b/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/api.h
deleted file mode 100644
index c3c0a27..0000000
--- a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 12
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/encrypt.c b/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/encrypt.c
deleted file mode 100644
index 7e0c676..0000000
--- a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "romulus.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return romulus_m3_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return romulus_m3_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-skinny128.c
deleted file mode 100644
index 579ced1..0000000
--- a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-skinny128.c
+++ /dev/null
@@ -1,801 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-skinny128.h"
-#include "internal-skinnyutil.h"
-#include "internal-util.h"
-#include
-
-#if !defined(__AVR__)
-
-STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
-{
- /* This function is used to fast-forward the TK1 tweak value
- * to the value at the end of the key schedule for decryption.
- *
- * The tweak permutation repeats every 16 rounds, so SKINNY-128-256
- * with 48 rounds does not need any fast forwarding applied.
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds
- * are equivalent to applying the permutation 8 times:
- *
- * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12]
- */
- uint32_t row0 = tk[0];
- uint32_t row1 = tk[1];
- uint32_t row2 = tk[2];
- uint32_t row3 = tk[3];
- tk[0] = ((row1 >> 8) & 0x0000FFFFU) |
- ((row0 >> 8) & 0x00FF0000U) |
- ((row0 << 8) & 0xFF000000U);
- tk[1] = ((row1 >> 24) & 0x000000FFU) |
- ((row0 << 8) & 0x00FFFF00U) |
- ((row1 << 24) & 0xFF000000U);
- tk[2] = ((row3 >> 8) & 0x0000FFFFU) |
- ((row2 >> 8) & 0x00FF0000U) |
- ((row2 << 8) & 0xFF000000U);
- tk[3] = ((row3 >> 24) & 0x000000FFU) |
- ((row2 << 8) & 0x00FFFF00U) |
- ((row3 << 24) & 0xFF000000U);
-}
-
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
- memcpy(ks->TK3, key + 32, sizeof(ks->TK3));
-#else
- /* Set the initial states of TK1, TK2, and TK3 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Set up the key schedule using TK2 and TK3. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4);
-
- /* Permute TK2 and TK3 for the next round */
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
-
- /* Apply the LFSR's to TK2 and TK3 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-#endif
-}
-
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0x15;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Permute TK1 to fast-forward it to the end of the key schedule */
- skinny128_fast_forward_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_fast_forward_tk(TK2);
- skinny128_fast_forward_tk(TK3);
- for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2 and TK3.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- skinny128_LFSR3(TK3[2]);
- skinny128_LFSR3(TK3[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_inv_permute_tk(TK3);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
- skinny128_LFSR2(TK3[2]);
- skinny128_LFSR2(TK3[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
- TK2[0] = le_load_word32(tk2);
- TK2[1] = le_load_word32(tk2 + 4);
- TK2[2] = le_load_word32(tk2 + 8);
- TK2[3] = le_load_word32(tk2 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0] ^ TK2[0];
- s1 ^= schedule[1] ^ TK1[1] ^ TK2[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB.
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK3); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t TK3[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this 
round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) -{ -#if !SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; -#endif - -#if SKINNY_128_SMALL_SCHEDULE - /* Copy the input key as-is when using the small key schedule version */ - memcpy(ks->TK1, key, sizeof(ks->TK1)); - memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); -#else - /* Set the initial states of TK1 and TK2 */ - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Set up the key schedule using TK2. TK1 is not added - * to the key schedule because we will derive that part of the - * schedule during encryption operations */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. 
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ (rc >> 4); - - /* Permute TK2 for the next round */ - skinny128_permute_tk(TK2); - - /* Apply the LFSR to TK2 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } -#endif -} - -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1 */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which 
moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0x09; -#else - const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1. - * There is no need to fast-forward TK1 because the value at - * the end of the key schedule is the same as at the start */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { - // Also fast-forward the LFSR's on every byte of TK2. 
- skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR2(TK2[2]); - skinny128_LFSR2(TK2[3]); - } -#endif - - /* Perform all decryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Inverse permutation on TK1 for this round */ - skinny128_inv_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_inv_permute_tk(TK2); - skinny128_LFSR3(TK2[2]); - skinny128_LFSR3(TK2[3]); -#endif - - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; - schedule -= 2; -#endif - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] 
= le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -#else /* __AVR__ */ - -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2) -{ - memcpy(ks->TK2, tk2, 16); - skinny_128_384_encrypt(ks, output, input); -} - -#endif /* __AVR__ */ diff --git a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-skinny128.h deleted file mode 100644 index 2bfda3c..0000000 --- a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-skinny128.h +++ /dev/null 
@@ -1,244 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SKINNY128_H -#define LW_INTERNAL_SKINNY128_H - -/** - * \file internal-skinny128.h - * \brief SKINNY-128 block cipher family. - * - * References: https://eprint.iacr.org/2016/660.pdf, - * https://sites.google.com/site/skinnycipher/ - */ - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \def SKINNY_128_SMALL_SCHEDULE - * \brief Defined to 1 to use the small key schedule version of SKINNY-128. - */ -#if defined(__AVR__) -#define SKINNY_128_SMALL_SCHEDULE 1 -#else -#define SKINNY_128_SMALL_SCHEDULE 0 -#endif - -/** - * \brief Size of a block for SKINNY-128 block ciphers. - */ -#define SKINNY_128_BLOCK_SIZE 16 - -/** - * \brief Number of rounds for SKINNY-128-384. 
- */ -#define SKINNY_128_384_ROUNDS 56 - -/** - * \brief Structure of the key schedule for SKINNY-128-384. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; - - /** TK3 for the small key schedule */ - uint8_t TK3[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_384_ROUNDS * 2]; -#endif - -} skinny_128_384_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - */ -void skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_decrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly - * provided TK2 value. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. 
- * \param input Input buffer which must be at least 16 bytes in length. - * \param tk2 TK2 value that should be updated on the fly. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when both TK1 and TK2 change from block to block. - * When the key is initialized with skinny_128_384_init(), the TK2 part of - * the key value should be set to zero. - * - * \note Some versions of this function may modify the key schedule to - * copy tk2 into place. - */ -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and a - * fully specified tweakey value. - * - * \param key Points to the 384-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-384 but - * more memory-efficient. - */ -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input); - -/** - * \brief Number of rounds for SKINNY-128-256. - */ -#define SKINNY_128_256_ROUNDS 48 - -/** - * \brief Structure of the key schedule for SKINNY-128-256. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_256_ROUNDS * 2]; -#endif - -} skinny_128_256_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to initialize. 
- * \param key Points to the key data. - */ -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256 and a - * fully specified tweakey value. - * - * \param key Points to the 256-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-256 but - * more memory-efficient. - */ -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input); - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-skinnyutil.h deleted file mode 100644 index 83136cb..0000000 --- a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-skinnyutil.h +++ /dev/null 
@@ -1,328 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SKINNYUTIL_H -#define LW_INTERNAL_SKINNYUTIL_H - -/** - * \file internal-skinnyutil.h - * \brief Utilities to help implement SKINNY and its variants. 
- */ - -#include "internal-util.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/** @cond skinnyutil */ - -/* Utilities for implementing SKINNY-128 */ - -#define skinny128_LFSR2(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ - (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ - } while (0) - - -#define skinny128_LFSR3(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ - (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) -#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) - -#define skinny128_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint32_t row2 = tk[2]; \ - uint32_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 16) | (row3 >> 16); \ - tk[0] = ((row2 >> 8) & 0x000000FFU) | \ - ((row2 << 16) & 0x00FF0000U) | \ - ( row3 & 0xFF00FF00U); \ - tk[1] = ((row2 >> 16) & 0x000000FFU) | \ - (row2 & 0xFF000000U) | \ - ((row3 << 8) & 0x0000FF00U) | \ - ( row3 & 0x00FF0000U); \ - } while (0) - -#define skinny128_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint32_t row0 = tk[0]; \ - uint32_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 >> 16) & 0x000000FFU) | \ - ((row0 << 8) & 0x0000FF00U) | \ - ((row1 << 16) & 0x00FF0000U) | \ - ( row1 & 0xFF000000U); \ - tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ - ((row0 << 16) & 0xFF000000U) | \ - ((row1 >> 16) & 0x000000FFU) | \ - ((row1 << 8) & 0x00FF0000U); \ - } while (0) - -/* - * Apply the SKINNY sbox. 
The original version from the specification is - * equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE(x) - * ((((x) & 0x01010101U) << 2) | - * (((x) & 0x06060606U) << 5) | - * (((x) & 0x20202020U) >> 5) | - * (((x) & 0xC8C8C8C8U) >> 2) | - * (((x) & 0x10101010U) >> 1)) - * - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * return SBOX_SWAP(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ - y = (((x >> 5) & (x << 1)) & 0x04040404U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ - x = ((x & 0x08080808U) << 1) | \ - ((x & 0x32323232U) << 2) | \ - ((x & 0x01010101U) << 5) | \ - ((x & 0x80808080U) >> 6) | \ - ((x & 0x40404040U) >> 4) | \ - ((x & 0x04040404U) >> 2); \ -} while (0) - -/* - * Apply the inverse of the SKINNY sbox. 
The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE_INV(x) - * ((((x) & 0x08080808U) << 1) | - * (((x) & 0x32323232U) << 2) | - * (((x) & 0x01010101U) << 5) | - * (((x) & 0xC0C0C0C0U) >> 5) | - * (((x) & 0x04040404U) >> 2)) - * - * x = SBOX_SWAP(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_inv_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ - x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ - y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ - x = ((x & 0x01010101U) << 2) | \ - ((x & 0x04040404U) << 4) | \ - ((x & 0x02020202U) << 6) | \ - ((x & 0x20202020U) >> 5) | \ - ((x & 0xC8C8C8C8U) >> 2) | \ - ((x & 0x10101010U) >> 1); \ -} while (0) - -/* Utilities for implementing SKINNY-64 */ - -#define skinny64_LFSR2(x) \ - do { \ - uint16_t _x = (x); \ - (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ - } while (0) - -#define skinny64_LFSR3(x) \ - do { \ - uint16_t _x = (x); 
\ - (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) -#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) - -#define skinny64_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint16_t row2 = tk[2]; \ - uint16_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 8) | (row3 >> 8); \ - tk[0] = ((row2 << 4) & 0xF000U) | \ - ((row2 >> 8) & 0x00F0U) | \ - ( row3 & 0x0F0FU); \ - tk[1] = ((row2 << 8) & 0xF000U) | \ - ((row3 >> 4) & 0x0F00U) | \ - ( row3 & 0x00F0U) | \ - ( row2 & 0x000FU); \ - } while (0) - -#define skinny64_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint16_t row0 = tk[0]; \ - uint16_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 << 8) & 0xF000U) | \ - ((row0 >> 4) & 0x0F00U) | \ - ((row1 >> 8) & 0x00F0U) | \ - ( row1 & 0x000FU); \ - tk[3] = ((row1 << 8) & 0xF000U) | \ - ((row0 << 8) & 0x0F00U) | \ - ((row1 >> 4) & 0x00F0U) | \ - ((row0 >> 8) & 0x000FU); \ - } while (0) - -/* - * Apply the SKINNY-64 sbox. The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT(x) - * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_SHIFT steps to be performed with one final rotation. - * This reduces the number of required shift operations from 14 to 10. 
- * - * We can further reduce the number of NOT operations from 4 to 2 - * using the technique from https://github.com/kste/skinny_avx to - * convert NOR-XOR operations into AND-XOR operations by converting - * the S-box into its NOT-inverse. - */ -#define skinny64_sbox(x) \ -do { \ - x = ~x; \ - x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ - x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ - x = ~x; \ - x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ -} while (0) - -/* - * Apply the inverse of the SKINNY-64 sbox. The original version - * from the specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT_INV(x) - * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * return SBOX_MIX(x); - */ -#define skinny64_inv_sbox(x) \ -do { \ - x = ~x; \ - x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ - x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ - x = ~x; \ - x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ -} while (0) - -/** @endcond */ - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-util.h b/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/romulus.c b/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/romulus.c
deleted file mode 100644
index bb19cc5..0000000
--- a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/romulus.c
+++ /dev/null
@@ -1,1974 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "romulus.h" -#include "internal-skinny128.h" -#include "internal-util.h" -#include - -aead_cipher_t const romulus_n1_cipher = { - "Romulus-N1", - ROMULUS_KEY_SIZE, - ROMULUS1_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_n1_aead_encrypt, - romulus_n1_aead_decrypt -}; - -aead_cipher_t const romulus_n2_cipher = { - "Romulus-N2", - ROMULUS_KEY_SIZE, - ROMULUS2_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_n2_aead_encrypt, - romulus_n2_aead_decrypt -}; - -aead_cipher_t const romulus_n3_cipher = { - "Romulus-N3", - ROMULUS_KEY_SIZE, - ROMULUS3_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_n3_aead_encrypt, - romulus_n3_aead_decrypt -}; - -aead_cipher_t const romulus_m1_cipher = { - "Romulus-M1", - ROMULUS_KEY_SIZE, - ROMULUS1_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_m1_aead_encrypt, - romulus_m1_aead_decrypt -}; - -aead_cipher_t const romulus_m2_cipher = { - "Romulus-M2", - ROMULUS_KEY_SIZE, - ROMULUS2_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_m2_aead_encrypt, - romulus_m2_aead_decrypt -}; - -aead_cipher_t const romulus_m3_cipher = { - "Romulus-M3", - ROMULUS_KEY_SIZE, - ROMULUS3_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_m3_aead_encrypt, - romulus_m3_aead_decrypt -}; - -/** - * \brief Limit on the number of bytes of message or associated data (128Mb). - * - * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for - * payloads well into the petabyte range. It is unlikely that an embedded - * device will have that much memory to store a contiguous packet! - * - * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper - * 24 bits are difficult to modify in the key schedule. So we only - * update the low 24 bits and leave the high 24 bits fixed. - * - * Romulus-N3 and Romulus-M3 use a 24-bit block counter. 
- * - * For all algorithms, we limit the block counter to 2^23 so that the block - * counter can never exceed 2^24 - 1. - */ -#define ROMULUS_DATA_LIMIT \ - ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE)) - -/** - * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1. - * - * \param ks Points to the key schedule to initialize. - * \param k Points to the 16 bytes of the key. - * \param npub Points to the 16 bytes of the nonce. May be NULL - * if the nonce will be updated on the fly. - */ -static void romulus1_init - (skinny_128_384_key_schedule_t *ks, - const unsigned char *k, const unsigned char *npub) -{ - unsigned char TK[48]; - TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */ - memset(TK + 1, 0, 15); - if (npub) - memcpy(TK + 16, npub, 16); - else - memset(TK + 16, 0, 16); - memcpy(TK + 32, k, 16); - skinny_128_384_init(ks, TK); -} - -/** - * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2. - * - * \param ks Points to the key schedule to initialize. - * \param k Points to the 16 bytes of the key. - * \param npub Points to the 12 bytes of the nonce. May be NULL - * if the nonce will be updated on the fly. - */ -static void romulus2_init - (skinny_128_384_key_schedule_t *ks, - const unsigned char *k, const unsigned char *npub) -{ - unsigned char TK[48]; - TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ - if (npub) { - TK[1] = TK[2] = TK[3] = 0; - memcpy(TK + 4, npub, 12); - } else { - memset(TK + 1, 0, 15); - } - memcpy(TK + 16, k, 16); - TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ - memset(TK + 33, 0, 15); - skinny_128_384_init(ks, TK); -} - -/** - * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3. - * - * \param ks Points to the key schedule to initialize. - * \param k Points to the 16 bytes of the key. - * \param npub Points to the 12 bytes of the nonce. May be NULL - * if the nonce will be updated on the fly. 
- */ -static void romulus3_init - (skinny_128_256_key_schedule_t *ks, - const unsigned char *k, const unsigned char *npub) -{ - unsigned char TK[32]; - TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */ - if (npub) { - TK[1] = TK[2] = TK[3] = 0; - memcpy(TK + 4, npub, 12); - } else { - memset(TK + 1, 0, 15); - } - memcpy(TK + 16, k, 16); - skinny_128_256_init(ks, TK); -} - -/** - * \brief Sets the domain separation value for Romulus-N1 and M1. - * - * \param ks The key schedule to set the domain separation value into. - * \param domain The domain separation value. - */ -#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain)) - -/** - * \brief Sets the domain separation value for Romulus-N2 and M2. - * - * \param ks The key schedule to set the domain separation value into. - * \param domain The domain separation value. - */ -#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) - -/** - * \brief Sets the domain separation value for Romulus-N3 and M3. - * - * \param ks The key schedule to set the domain separation value into. - * \param domain The domain separation value. - */ -#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) - -/** - * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1. - * - * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. - */ -STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16]) -{ - uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7); - TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7); - TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7); - TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7); - TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7); - TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); - TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); - TK1[0] = (TK1[0] << 1) ^ (mask & 0x95); -} - -/** - * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2. - * - * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. 
- * - * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of - * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT. - */ -STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16]) -{ - uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7); - TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); - TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); - TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B); -} - -/** - * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3. - * - * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. - */ -#define romulus3_update_counter(TK1) romulus2_update_counter((TK1)) - -/** - * \brief Process the asssociated data for Romulus-N1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - */ -static void romulus_n1_process_ad - (skinny_128_384_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char temp; - - /* Handle the special case of no associated data */ - if (adlen == 0) { - romulus1_update_counter(ks->TK1); - romulus1_set_domain(ks, 0x1A); - skinny_128_384_encrypt_tk2(ks, S, S, npub); - return; - } - - /* Process all double blocks except the last */ - romulus1_set_domain(ks, 0x08); - while (adlen > 32) { - romulus1_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); - romulus1_update_counter(ks->TK1); - ad += 32; - adlen -= 32; - } - - /* Pad and process the left-over blocks */ - romulus1_update_counter(ks->TK1); - temp = (unsigned)adlen; - if (temp == 32) { - /* Left-over complete double block */ - lw_xor_block(S, ad, 16); - skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); - romulus1_update_counter(ks->TK1); - romulus1_set_domain(ks, 0x18); - } else if (temp > 16) { - /* Left-over partial double 
block */ - unsigned char pad[16]; - temp -= 16; - lw_xor_block(S, ad, 16); - memcpy(pad, ad + 16, temp); - memset(pad + temp, 0, 15 - temp); - pad[15] = temp; - skinny_128_384_encrypt_tk2(ks, S, S, pad); - romulus1_update_counter(ks->TK1); - romulus1_set_domain(ks, 0x1A); - } else if (temp == 16) { - /* Left-over complete single block */ - lw_xor_block(S, ad, temp); - romulus1_set_domain(ks, 0x18); - } else { - /* Left-over partial single block */ - lw_xor_block(S, ad, temp); - S[15] ^= temp; - romulus1_set_domain(ks, 0x1A); - } - skinny_128_384_encrypt_tk2(ks, S, S, npub); -} - -/** - * \brief Process the asssociated data for Romulus-N2. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - */ -static void romulus_n2_process_ad - (skinny_128_384_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char temp; - - /* Handle the special case of no associated data */ - if (adlen == 0) { - romulus2_update_counter(ks->TK1); - romulus2_set_domain(ks, 0x5A); - memcpy(ks->TK1 + 4, npub, 12); - skinny_128_384_encrypt(ks, S, S); - return; - } - - /* Process all double blocks except the last */ - romulus2_set_domain(ks, 0x48); - while (adlen > 28) { - romulus2_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - ad += 28; - adlen -= 28; - } - - /* Pad and process the left-over blocks */ - romulus2_update_counter(ks->TK1); - temp = (unsigned)adlen; - if (temp == 28) { - /* Left-over complete double block */ - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - romulus2_set_domain(ks, 0x58); - } else if (temp > 16) { - /* Left-over 
partial double block */ - temp -= 16; - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp); - ks->TK1[15] = temp; - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - romulus2_set_domain(ks, 0x5A); - } else if (temp == 16) { - /* Left-over complete single block */ - lw_xor_block(S, ad, temp); - romulus2_set_domain(ks, 0x58); - } else { - /* Left-over partial single block */ - lw_xor_block(S, ad, temp); - S[15] ^= temp; - romulus2_set_domain(ks, 0x5A); - } - memcpy(ks->TK1 + 4, npub, 12); - skinny_128_384_encrypt(ks, S, S); -} - -/** - * \brief Process the asssociated data for Romulus-N3. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - */ -static void romulus_n3_process_ad - (skinny_128_256_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char temp; - - /* Handle the special case of no associated data */ - if (adlen == 0) { - romulus3_update_counter(ks->TK1); - romulus3_set_domain(ks, 0x9A); - memcpy(ks->TK1 + 4, npub, 12); - skinny_128_256_encrypt(ks, S, S); - return; - } - - /* Process all double blocks except the last */ - romulus3_set_domain(ks, 0x88); - while (adlen > 28) { - romulus3_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - ad += 28; - adlen -= 28; - } - - /* Pad and process the left-over blocks */ - romulus3_update_counter(ks->TK1); - temp = (unsigned)adlen; - if (temp == 28) { - /* Left-over complete double block */ - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - romulus3_set_domain(ks, 0x98); - } else if (temp > 
16) { - /* Left-over partial double block */ - temp -= 16; - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp); - ks->TK1[15] = temp; - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - romulus3_set_domain(ks, 0x9A); - } else if (temp == 16) { - /* Left-over complete single block */ - lw_xor_block(S, ad, temp); - romulus3_set_domain(ks, 0x98); - } else { - /* Left-over partial single block */ - lw_xor_block(S, ad, temp); - S[15] ^= temp; - romulus3_set_domain(ks, 0x9A); - } - memcpy(ks->TK1 + 4, npub, 12); - skinny_128_256_encrypt(ks, S, S); -} - -/** - * \brief Determine the domain separation value to use on the last - * block of the associated data processing. - * - * \param adlen Length of the associated data in bytes. - * \param mlen Length of the message in bytes. - * \param t Size of the second half of a double block; 12 or 16. - * - * \return The domain separation bits to use to finalize the last block. - */ -static uint8_t romulus_m_final_ad_domain - (unsigned long long adlen, unsigned long long mlen, unsigned t) -{ - uint8_t domain = 0; - unsigned split = 16U; - unsigned leftover; - - /* Determine which domain bits we need based on the length of the ad */ - if (adlen == 0) { - /* No associated data, so only 1 block with padding */ - domain ^= 0x02; - split = t; - } else { - /* Even or odd associated data length? 
*/ - leftover = (unsigned)(adlen % (16U + t)); - if (leftover == 0) { - /* Even with a full double block at the end */ - domain ^= 0x08; - } else if (leftover < split) { - /* Odd with a partial single block at the end */ - domain ^= 0x02; - split = t; - } else if (leftover > split) { - /* Even with a partial double block at the end */ - domain ^= 0x0A; - } else { - /* Odd with a full single block at the end */ - split = t; - } - } - - /* Determine which domain bits we need based on the length of the message */ - if (mlen == 0) { - /* No message, so only 1 block with padding */ - domain ^= 0x01; - } else { - /* Even or odd message length? */ - leftover = (unsigned)(mlen % (16U + t)); - if (leftover == 0) { - /* Even with a full double block at the end */ - domain ^= 0x04; - } else if (leftover < split) { - /* Odd with a partial single block at the end */ - domain ^= 0x01; - } else if (leftover > split) { - /* Even with a partial double block at the end */ - domain ^= 0x05; - } - } - return domain; -} - -/** - * \brief Process the asssociated data for Romulus-M1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - * \param m Points to the message plaintext. - * \param mlen Length of the message plaintext. 
- */ -static void romulus_m1_process_ad - (skinny_128_384_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *m, unsigned long long mlen) -{ - unsigned char pad[16]; - uint8_t final_domain = 0x30; - unsigned temp; - - /* Determine the domain separator to use on the final block */ - final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16); - - /* Process all associated data double blocks except the last */ - romulus1_set_domain(ks, 0x28); - while (adlen > 32) { - romulus1_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); - romulus1_update_counter(ks->TK1); - ad += 32; - adlen -= 32; - } - - /* Process the last associated data double block */ - temp = (unsigned)adlen; - if (temp == 32) { - /* Last associated data double block is full */ - romulus1_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); - romulus1_update_counter(ks->TK1); - } else if (temp > 16) { - /* Last associated data double block is partial */ - temp -= 16; - romulus1_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(pad, ad + 16, temp); - memset(pad + temp, 0, sizeof(pad) - temp - 1); - pad[sizeof(pad) - 1] = (unsigned char)temp; - skinny_128_384_encrypt_tk2(ks, S, S, pad); - romulus1_update_counter(ks->TK1); - } else { - /* Last associated data block is single. 
Needs to be combined - * with the first block of the message payload */ - romulus1_set_domain(ks, 0x2C); - romulus1_update_counter(ks->TK1); - if (temp == 16) { - lw_xor_block(S, ad, 16); - } else { - lw_xor_block(S, ad, temp); - S[15] ^= (unsigned char)temp; - } - if (mlen > 16) { - skinny_128_384_encrypt_tk2(ks, S, S, m); - romulus1_update_counter(ks->TK1); - m += 16; - mlen -= 16; - } else if (mlen == 16) { - skinny_128_384_encrypt_tk2(ks, S, S, m); - m += 16; - mlen -= 16; - } else { - temp = (unsigned)mlen; - memcpy(pad, m, temp); - memset(pad + temp, 0, sizeof(pad) - temp - 1); - pad[sizeof(pad) - 1] = (unsigned char)temp; - skinny_128_384_encrypt_tk2(ks, S, S, pad); - mlen = 0; - } - } - - /* Process all message double blocks except the last */ - romulus1_set_domain(ks, 0x2C); - while (mlen > 32) { - romulus1_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - skinny_128_384_encrypt_tk2(ks, S, S, m + 16); - romulus1_update_counter(ks->TK1); - m += 32; - mlen -= 32; - } - - /* Process the last message double block */ - temp = (unsigned)mlen; - if (temp == 32) { - /* Last message double block is full */ - romulus1_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - skinny_128_384_encrypt_tk2(ks, S, S, m + 16); - } else if (temp > 16) { - /* Last message double block is partial */ - temp -= 16; - romulus1_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(pad, m + 16, temp); - memset(pad + temp, 0, sizeof(pad) - temp - 1); - pad[sizeof(pad) - 1] = (unsigned char)temp; - skinny_128_384_encrypt_tk2(ks, S, S, pad); - } else if (temp == 16) { - /* Last message single block is full */ - lw_xor_block(S, m, 16); - } else if (temp > 0) { - /* Last message single block is partial */ - lw_xor_block(S, m, temp); - S[15] ^= (unsigned char)temp; - } - - /* Process the last partial block */ - romulus1_set_domain(ks, final_domain); - romulus1_update_counter(ks->TK1); - skinny_128_384_encrypt_tk2(ks, S, S, npub); -} - -/** - * \brief Process the asssociated data for 
Romulus-M2. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - * \param m Points to the message plaintext. - * \param mlen Length of the message plaintext. - */ -static void romulus_m2_process_ad - (skinny_128_384_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *m, unsigned long long mlen) -{ - uint8_t final_domain = 0x70; - unsigned temp; - - /* Determine the domain separator to use on the final block */ - final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); - - /* Process all associated data double blocks except the last */ - romulus2_set_domain(ks, 0x68); - while (adlen > 28) { - romulus2_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - ad += 28; - adlen -= 28; - } - - /* Process the last associated data double block */ - temp = (unsigned)adlen; - if (temp == 28) { - /* Last associated data double block is full */ - romulus2_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - } else if (temp > 16) { - /* Last associated data double block is partial */ - temp -= 16; - romulus2_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); - ks->TK1[15] = (unsigned char)temp; - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - } else { - /* Last associated data block is single. 
Needs to be combined - * with the first block of the message payload */ - romulus2_set_domain(ks, 0x6C); - romulus2_update_counter(ks->TK1); - if (temp == 16) { - lw_xor_block(S, ad, 16); - } else { - lw_xor_block(S, ad, temp); - S[15] ^= (unsigned char)temp; - } - if (mlen > 12) { - memcpy(ks->TK1 + 4, m, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - m += 12; - mlen -= 12; - } else if (mlen == 12) { - memcpy(ks->TK1 + 4, m, 12); - skinny_128_384_encrypt(ks, S, S); - m += 12; - mlen -= 12; - } else { - temp = (unsigned)mlen; - memcpy(ks->TK1 + 4, m, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); - ks->TK1[15] = (unsigned char)temp; - skinny_128_384_encrypt(ks, S, S); - mlen = 0; - } - } - - /* Process all message double blocks except the last */ - romulus2_set_domain(ks, 0x6C); - while (mlen > 28) { - romulus2_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(ks->TK1 + 4, m + 16, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - m += 28; - mlen -= 28; - } - - /* Process the last message double block */ - temp = (unsigned)mlen; - if (temp == 28) { - /* Last message double block is full */ - romulus2_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(ks->TK1 + 4, m + 16, 12); - skinny_128_384_encrypt(ks, S, S); - } else if (temp > 16) { - /* Last message double block is partial */ - temp -= 16; - romulus2_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(ks->TK1 + 4, m + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); - ks->TK1[15] = (unsigned char)temp; - skinny_128_384_encrypt(ks, S, S); - } else if (temp == 16) { - /* Last message single block is full */ - lw_xor_block(S, m, 16); - } else if (temp > 0) { - /* Last message single block is partial */ - lw_xor_block(S, m, temp); - S[15] ^= (unsigned char)temp; - } - - /* Process the last partial block */ - romulus2_set_domain(ks, final_domain); - romulus2_update_counter(ks->TK1); - memcpy(ks->TK1 + 4, npub, 
12); - skinny_128_384_encrypt(ks, S, S); -} - -/** - * \brief Process the asssociated data for Romulus-M3. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - * \param m Points to the message plaintext. - * \param mlen Length of the message plaintext. - */ -static void romulus_m3_process_ad - (skinny_128_256_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *m, unsigned long long mlen) -{ - uint8_t final_domain = 0xB0; - unsigned temp; - - /* Determine the domain separator to use on the final block */ - final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); - - /* Process all associated data double blocks except the last */ - romulus3_set_domain(ks, 0xA8); - while (adlen > 28) { - romulus3_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - ad += 28; - adlen -= 28; - } - - /* Process the last associated data double block */ - temp = (unsigned)adlen; - if (temp == 28) { - /* Last associated data double block is full */ - romulus3_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - } else if (temp > 16) { - /* Last associated data double block is partial */ - temp -= 16; - romulus3_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); - ks->TK1[15] = (unsigned char)temp; - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - } else { - /* Last associated data block is single. 
Needs to be combined - * with the first block of the message payload */ - romulus3_set_domain(ks, 0xAC); - romulus3_update_counter(ks->TK1); - if (temp == 16) { - lw_xor_block(S, ad, 16); - } else { - lw_xor_block(S, ad, temp); - S[15] ^= (unsigned char)temp; - } - if (mlen > 12) { - memcpy(ks->TK1 + 4, m, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - m += 12; - mlen -= 12; - } else if (mlen == 12) { - memcpy(ks->TK1 + 4, m, 12); - skinny_128_256_encrypt(ks, S, S); - m += 12; - mlen -= 12; - } else { - temp = (unsigned)mlen; - memcpy(ks->TK1 + 4, m, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); - ks->TK1[15] = (unsigned char)temp; - skinny_128_256_encrypt(ks, S, S); - mlen = 0; - } - } - - /* Process all message double blocks except the last */ - romulus3_set_domain(ks, 0xAC); - while (mlen > 28) { - romulus3_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(ks->TK1 + 4, m + 16, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - m += 28; - mlen -= 28; - } - - /* Process the last message double block */ - temp = (unsigned)mlen; - if (temp == 28) { - /* Last message double block is full */ - romulus3_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(ks->TK1 + 4, m + 16, 12); - skinny_128_256_encrypt(ks, S, S); - } else if (temp > 16) { - /* Last message double block is partial */ - temp -= 16; - romulus3_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(ks->TK1 + 4, m + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); - ks->TK1[15] = (unsigned char)temp; - skinny_128_256_encrypt(ks, S, S); - } else if (temp == 16) { - /* Last message single block is full */ - lw_xor_block(S, m, 16); - } else if (temp > 0) { - /* Last message single block is partial */ - lw_xor_block(S, m, temp); - S[15] ^= (unsigned char)temp; - } - - /* Process the last partial block */ - romulus3_set_domain(ks, final_domain); - romulus3_update_counter(ks->TK1); - memcpy(ks->TK1 + 4, npub, 
12); - skinny_128_256_encrypt(ks, S, S); -} - -/** - * \brief Applies the Romulus rho function. - * - * \param S The rolling Romulus state. - * \param C Ciphertext message output block. - * \param M Plaintext message input block. - */ -STATIC_INLINE void romulus_rho - (unsigned char S[16], unsigned char C[16], const unsigned char M[16]) -{ - unsigned index; - for (index = 0; index < 16; ++index) { - unsigned char s = S[index]; - unsigned char m = M[index]; - S[index] ^= m; - C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); - } -} - -/** - * \brief Applies the inverse of the Romulus rho function. - * - * \param S The rolling Romulus state. - * \param M Plaintext message output block. - * \param C Ciphertext message input block. - */ -STATIC_INLINE void romulus_rho_inverse - (unsigned char S[16], unsigned char M[16], const unsigned char C[16]) -{ - unsigned index; - for (index = 0; index < 16; ++index) { - unsigned char s = S[index]; - unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); - S[index] ^= m; - M[index] = m; - } -} - -/** - * \brief Applies the Romulus rho function to a short block. - * - * \param S The rolling Romulus state. - * \param C Ciphertext message output block. - * \param M Plaintext message input block. - * \param len Length of the short block, must be less than 16. - */ -STATIC_INLINE void romulus_rho_short - (unsigned char S[16], unsigned char C[16], - const unsigned char M[16], unsigned len) -{ - unsigned index; - for (index = 0; index < len; ++index) { - unsigned char s = S[index]; - unsigned char m = M[index]; - S[index] ^= m; - C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); - } - S[15] ^= (unsigned char)len; /* Padding */ -} - -/** - * \brief Applies the inverse of the Romulus rho function to a short block. - * - * \param S The rolling Romulus state. - * \param M Plaintext message output block. - * \param C Ciphertext message input block. - * \param len Length of the short block, must be less than 16. 
- */ -STATIC_INLINE void romulus_rho_inverse_short - (unsigned char S[16], unsigned char M[16], - const unsigned char C[16], unsigned len) -{ - unsigned index; - for (index = 0; index < len; ++index) { - unsigned char s = S[index]; - unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); - S[index] ^= m; - M[index] = m; - } - S[15] ^= (unsigned char)len; /* Padding */ -} - -/** - * \brief Encrypts a plaintext message with Romulus-N1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the buffer containing the plaintext. - * \param mlen Length of the plaintext in bytes. - */ -static void romulus_n1_encrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *c, const unsigned char *m, unsigned long long mlen) -{ - unsigned temp; - - /* Handle the special case of no plaintext */ - if (mlen == 0) { - romulus1_update_counter(ks->TK1); - romulus1_set_domain(ks, 0x15); - skinny_128_384_encrypt(ks, S, S); - return; - } - - /* Process all blocks except the last */ - romulus1_set_domain(ks, 0x04); - while (mlen > 16) { - romulus_rho(S, c, m); - romulus1_update_counter(ks->TK1); - skinny_128_384_encrypt(ks, S, S); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - romulus1_update_counter(ks->TK1); - if (temp < 16) { - romulus_rho_short(S, c, m, temp); - romulus1_set_domain(ks, 0x15); - } else { - romulus_rho(S, c, m); - romulus1_set_domain(ks, 0x14); - } - skinny_128_384_encrypt(ks, S, S); -} - -/** - * \brief Decrypts a ciphertext message with Romulus-N1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the buffer containing the ciphertext. - * \param mlen Length of the plaintext in bytes. 
- */ -static void romulus_n1_decrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *m, const unsigned char *c, unsigned long long mlen) -{ - unsigned temp; - - /* Handle the special case of no ciphertext */ - if (mlen == 0) { - romulus1_update_counter(ks->TK1); - romulus1_set_domain(ks, 0x15); - skinny_128_384_encrypt(ks, S, S); - return; - } - - /* Process all blocks except the last */ - romulus1_set_domain(ks, 0x04); - while (mlen > 16) { - romulus_rho_inverse(S, m, c); - romulus1_update_counter(ks->TK1); - skinny_128_384_encrypt(ks, S, S); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - romulus1_update_counter(ks->TK1); - if (temp < 16) { - romulus_rho_inverse_short(S, m, c, temp); - romulus1_set_domain(ks, 0x15); - } else { - romulus_rho_inverse(S, m, c); - romulus1_set_domain(ks, 0x14); - } - skinny_128_384_encrypt(ks, S, S); -} - -/** - * \brief Encrypts a plaintext message with Romulus-N2. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the buffer containing the plaintext. - * \param mlen Length of the plaintext in bytes. 
- */ -static void romulus_n2_encrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *c, const unsigned char *m, unsigned long long mlen) -{ - unsigned temp; - - /* Handle the special case of no plaintext */ - if (mlen == 0) { - romulus2_update_counter(ks->TK1); - romulus2_set_domain(ks, 0x55); - skinny_128_384_encrypt(ks, S, S); - return; - } - - /* Process all blocks except the last */ - romulus2_set_domain(ks, 0x44); - while (mlen > 16) { - romulus_rho(S, c, m); - romulus2_update_counter(ks->TK1); - skinny_128_384_encrypt(ks, S, S); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - romulus2_update_counter(ks->TK1); - if (temp < 16) { - romulus_rho_short(S, c, m, temp); - romulus2_set_domain(ks, 0x55); - } else { - romulus_rho(S, c, m); - romulus2_set_domain(ks, 0x54); - } - skinny_128_384_encrypt(ks, S, S); -} - -/** - * \brief Decrypts a ciphertext message with Romulus-N2. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the buffer containing the ciphertext. - * \param mlen Length of the plaintext in bytes. 
- */ -static void romulus_n2_decrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *m, const unsigned char *c, unsigned long long mlen) -{ - unsigned temp; - - /* Handle the special case of no ciphertext */ - if (mlen == 0) { - romulus2_update_counter(ks->TK1); - romulus2_set_domain(ks, 0x55); - skinny_128_384_encrypt(ks, S, S); - return; - } - - /* Process all blocks except the last */ - romulus2_set_domain(ks, 0x44); - while (mlen > 16) { - romulus_rho_inverse(S, m, c); - romulus2_update_counter(ks->TK1); - skinny_128_384_encrypt(ks, S, S); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - romulus2_update_counter(ks->TK1); - if (temp < 16) { - romulus_rho_inverse_short(S, m, c, temp); - romulus2_set_domain(ks, 0x55); - } else { - romulus_rho_inverse(S, m, c); - romulus2_set_domain(ks, 0x54); - } - skinny_128_384_encrypt(ks, S, S); -} - -/** - * \brief Encrypts a plaintext message with Romulus-N3. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the buffer containing the plaintext. - * \param mlen Length of the plaintext in bytes. 
- */ -static void romulus_n3_encrypt - (skinny_128_256_key_schedule_t *ks, unsigned char S[16], - unsigned char *c, const unsigned char *m, unsigned long long mlen) -{ - unsigned temp; - - /* Handle the special case of no plaintext */ - if (mlen == 0) { - romulus3_update_counter(ks->TK1); - romulus3_set_domain(ks, 0x95); - skinny_128_256_encrypt(ks, S, S); - return; - } - - /* Process all blocks except the last */ - romulus3_set_domain(ks, 0x84); - while (mlen > 16) { - romulus_rho(S, c, m); - romulus3_update_counter(ks->TK1); - skinny_128_256_encrypt(ks, S, S); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - romulus3_update_counter(ks->TK1); - if (temp < 16) { - romulus_rho_short(S, c, m, temp); - romulus3_set_domain(ks, 0x95); - } else { - romulus_rho(S, c, m); - romulus3_set_domain(ks, 0x94); - } - skinny_128_256_encrypt(ks, S, S); -} - -/** - * \brief Decrypts a ciphertext message with Romulus-N3. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the buffer containing the ciphertext. - * \param mlen Length of the plaintext in bytes. 
- */ -static void romulus_n3_decrypt - (skinny_128_256_key_schedule_t *ks, unsigned char S[16], - unsigned char *m, const unsigned char *c, unsigned long long mlen) -{ - unsigned temp; - - /* Handle the special case of no ciphertext */ - if (mlen == 0) { - romulus3_update_counter(ks->TK1); - romulus3_set_domain(ks, 0x95); - skinny_128_256_encrypt(ks, S, S); - return; - } - - /* Process all blocks except the last */ - romulus3_set_domain(ks, 0x84); - while (mlen > 16) { - romulus_rho_inverse(S, m, c); - romulus3_update_counter(ks->TK1); - skinny_128_256_encrypt(ks, S, S); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - romulus3_update_counter(ks->TK1); - if (temp < 16) { - romulus_rho_inverse_short(S, m, c, temp); - romulus3_set_domain(ks, 0x95); - } else { - romulus_rho_inverse(S, m, c); - romulus3_set_domain(ks, 0x94); - } - skinny_128_256_encrypt(ks, S, S); -} - -/** - * \brief Encrypts a plaintext message with Romulus-M1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the buffer containing the plaintext. - * \param mlen Length of the plaintext in bytes. - */ -static void romulus_m1_encrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *c, const unsigned char *m, unsigned long long mlen) -{ - /* Nothing to do if the message is empty */ - if (!mlen) - return; - - /* Process all block except the last */ - romulus1_set_domain(ks, 0x24); - while (mlen > 16) { - skinny_128_384_encrypt(ks, S, S); - romulus_rho(S, c, m); - romulus1_update_counter(ks->TK1); - c += 16; - m += 16; - mlen -= 16; - } - - /* Handle the last block */ - skinny_128_384_encrypt(ks, S, S); - romulus_rho_short(S, c, m, (unsigned)mlen); -} - -/** - * \brief Decrypts a ciphertext message with Romulus-M1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. 
- * \param m Points to the buffer to receive the plaintext. - * \param c Points to the buffer containing the ciphertext. - * \param mlen Length of the plaintext in bytes. - */ -static void romulus_m1_decrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *m, const unsigned char *c, unsigned long long mlen) -{ - /* Nothing to do if the message is empty */ - if (!mlen) - return; - - /* Process all block except the last */ - romulus1_set_domain(ks, 0x24); - while (mlen > 16) { - skinny_128_384_encrypt(ks, S, S); - romulus_rho_inverse(S, m, c); - romulus1_update_counter(ks->TK1); - c += 16; - m += 16; - mlen -= 16; - } - - /* Handle the last block */ - skinny_128_384_encrypt(ks, S, S); - romulus_rho_inverse_short(S, m, c, (unsigned)mlen); -} - -/** - * \brief Encrypts a plaintext message with Romulus-M2. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the buffer containing the plaintext. - * \param mlen Length of the plaintext in bytes. - */ -static void romulus_m2_encrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *c, const unsigned char *m, unsigned long long mlen) -{ - /* Nothing to do if the message is empty */ - if (!mlen) - return; - - /* Process all block except the last */ - romulus2_set_domain(ks, 0x64); - while (mlen > 16) { - skinny_128_384_encrypt(ks, S, S); - romulus_rho(S, c, m); - romulus2_update_counter(ks->TK1); - c += 16; - m += 16; - mlen -= 16; - } - - /* Handle the last block */ - skinny_128_384_encrypt(ks, S, S); - romulus_rho_short(S, c, m, (unsigned)mlen); -} - -/** - * \brief Decrypts a ciphertext message with Romulus-M2. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the buffer containing the ciphertext. 
- * \param mlen Length of the plaintext in bytes. - */ -static void romulus_m2_decrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *m, const unsigned char *c, unsigned long long mlen) -{ - /* Nothing to do if the message is empty */ - if (!mlen) - return; - - /* Process all block except the last */ - romulus2_set_domain(ks, 0x64); - while (mlen > 16) { - skinny_128_384_encrypt(ks, S, S); - romulus_rho_inverse(S, m, c); - romulus2_update_counter(ks->TK1); - c += 16; - m += 16; - mlen -= 16; - } - - /* Handle the last block */ - skinny_128_384_encrypt(ks, S, S); - romulus_rho_inverse_short(S, m, c, (unsigned)mlen); -} - -/** - * \brief Encrypts a plaintext message with Romulus-M3. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the buffer containing the plaintext. - * \param mlen Length of the plaintext in bytes. - */ -static void romulus_m3_encrypt - (skinny_128_256_key_schedule_t *ks, unsigned char S[16], - unsigned char *c, const unsigned char *m, unsigned long long mlen) -{ - /* Nothing to do if the message is empty */ - if (!mlen) - return; - - /* Process all block except the last */ - romulus3_set_domain(ks, 0xA4); - while (mlen > 16) { - skinny_128_256_encrypt(ks, S, S); - romulus_rho(S, c, m); - romulus3_update_counter(ks->TK1); - c += 16; - m += 16; - mlen -= 16; - } - - /* Handle the last block */ - skinny_128_256_encrypt(ks, S, S); - romulus_rho_short(S, c, m, (unsigned)mlen); -} - -/** - * \brief Decrypts a ciphertext message with Romulus-M3. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the buffer containing the ciphertext. - * \param mlen Length of the plaintext in bytes. 
- */ -static void romulus_m3_decrypt - (skinny_128_256_key_schedule_t *ks, unsigned char S[16], - unsigned char *m, const unsigned char *c, unsigned long long mlen) -{ - /* Nothing to do if the message is empty */ - if (!mlen) - return; - - /* Process all block except the last */ - romulus3_set_domain(ks, 0xA4); - while (mlen > 16) { - skinny_128_256_encrypt(ks, S, S); - romulus_rho_inverse(S, m, c); - romulus3_update_counter(ks->TK1); - c += 16; - m += 16; - mlen -= 16; - } - - /* Handle the last block */ - skinny_128_256_encrypt(ks, S, S); - romulus_rho_inverse_short(S, m, c, (unsigned)mlen); -} - -/** - * \brief Generates the authentication tag from the rolling Romulus state. - * - * \param T Buffer to receive the generated tag; can be the same as S. - * \param S The rolling Romulus state. - */ -STATIC_INLINE void romulus_generate_tag - (unsigned char T[16], const unsigned char S[16]) -{ - unsigned index; - for (index = 0; index < 16; ++index) { - unsigned char s = S[index]; - T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7); - } -} - -int romulus_n1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus1_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_n1_process_ad(&ks, S, npub, ad, adlen); - - /* Re-initialize the key schedule with the key and nonce */ - romulus1_init(&ks, k, npub); - - /* Encrypts the plaintext to produce the ciphertext */ - romulus_n1_encrypt(&ks, S, c, m, mlen); - - /* Generate the authentication tag */ - romulus_generate_tag(c + mlen, S); - return 0; -} - -int romulus_n1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus1_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_n1_process_ad(&ks, S, npub, ad, adlen); - - /* Re-initialize the key schedule with the key and nonce */ - romulus1_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= ROMULUS_TAG_SIZE; - romulus_n1_decrypt(&ks, S, m, c, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} - -int romulus_n2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus2_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_n2_process_ad(&ks, S, npub, ad, adlen); - - /* Re-initialize the key schedule with the key and nonce */ - romulus2_init(&ks, k, npub); - - /* Encrypts the plaintext to produce the ciphertext */ - romulus_n2_encrypt(&ks, S, c, m, mlen); - - /* Generate the authentication tag */ - romulus_generate_tag(c + mlen, S); - return 0; -} - -int romulus_n2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus2_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_n2_process_ad(&ks, S, npub, ad, adlen); - - /* Re-initialize the key schedule with the key and nonce */ - romulus2_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= ROMULUS_TAG_SIZE; - romulus_n2_decrypt(&ks, S, m, c, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} - -int romulus_n3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus3_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_n3_process_ad(&ks, S, npub, ad, adlen); - - /* Re-initialize the key schedule with the key and nonce */ - romulus3_init(&ks, k, npub); - - /* Encrypts the plaintext to produce the ciphertext */ - romulus_n3_encrypt(&ks, S, c, m, mlen); - - /* Generate the authentication tag */ - romulus_generate_tag(c + mlen, S); - return 0; -} - -int romulus_n3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus3_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_n3_process_ad(&ks, S, npub, ad, adlen); - - /* Re-initialize the key schedule with the key and nonce */ - romulus3_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= ROMULUS_TAG_SIZE; - romulus_n3_decrypt(&ks, S, m, c, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} - -int romulus_m1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus1_init(&ks, k, 0); - - /* Process the associated data and the plaintext message */ - memset(S, 0, sizeof(S)); - romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen); - - /* Generate the authentication tag, which is also the initialization - * vector for the encryption portion of the packet processing */ - romulus_generate_tag(S, S); - memcpy(c + mlen, S, ROMULUS_TAG_SIZE); - - /* Re-initialize the key schedule with the key and nonce */ - romulus1_init(&ks, k, npub); - - /* Encrypt the plaintext to produce the ciphertext */ - romulus_m1_encrypt(&ks, S, c, m, mlen); - return 0; -} - -int romulus_m1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and nonce */ - romulus1_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext, using the - * authentication tag as the initialization vector for decryption */ - clen -= ROMULUS_TAG_SIZE; - memcpy(S, c + clen, ROMULUS_TAG_SIZE); - romulus_m1_decrypt(&ks, S, m, c, clen); - - /* Re-initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus1_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} - -int romulus_m2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and no nonce. Associated - * data processing varies the nonce from block to block */ - romulus2_init(&ks, k, 0); - - /* Process the associated data and the plaintext message */ - memset(S, 0, sizeof(S)); - romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen); - - /* Generate the authentication tag, which is also the initialization - * vector for the encryption portion of the packet processing */ - romulus_generate_tag(S, S); - memcpy(c + mlen, S, ROMULUS_TAG_SIZE); - - /* Re-initialize the key schedule with the key and nonce */ - romulus2_init(&ks, k, npub); - - /* Encrypt the plaintext to produce the ciphertext */ - romulus_m2_encrypt(&ks, S, c, m, mlen); - return 0; -} - -int romulus_m2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - 
- /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and nonce */ - romulus2_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext, using the - * authentication tag as the initialization vector for decryption */ - clen -= ROMULUS_TAG_SIZE; - memcpy(S, c + clen, ROMULUS_TAG_SIZE); - romulus_m2_decrypt(&ks, S, m, c, clen); - - /* Re-initialize the key schedule with the key and no nonce. Associated - * data processing varies the nonce from block to block */ - romulus2_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} - -int romulus_m3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and nonce */ - romulus3_init(&ks, k, npub); - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus3_init(&ks, k, 0); - - /* Process the associated data and the plaintext message */ - memset(S, 0, sizeof(S)); - romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen); - - /* Generate the authentication tag, which is also the initialization - * vector for the encryption portion of the packet processing */ - romulus_generate_tag(S, S); - memcpy(c + mlen, S, ROMULUS_TAG_SIZE); - - /* Re-initialize the key schedule with the key and nonce */ - romulus3_init(&ks, k, npub); - - /* Encrypt the plaintext to produce the ciphertext */ - romulus_m3_encrypt(&ks, S, c, m, mlen); - return 0; -} - -int romulus_m3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and nonce */ - romulus3_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext, using the - * authentication tag as the initialization vector for decryption */ - clen -= ROMULUS_TAG_SIZE; - memcpy(S, c + clen, ROMULUS_TAG_SIZE); - romulus_m3_decrypt(&ks, S, m, c, clen); - - /* Re-initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus3_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} diff --git a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/romulus.h b/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/romulus.h deleted file mode 100644 index e6da29d..0000000 --- a/romulus/Implementations/crypto_aead/romulusm3v1/rhys-avr/romulus.h +++ /dev/null 
@@ -1,476 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_ROMULUS_H -#define LWCRYPTO_ROMULUS_H - -#include "aead-common.h" - -/** - * \file romulus.h - * \brief Romulus authenticated encryption algorithm family. - * - * Romulus is a family of authenticated encryption algorithms that - * are built around the SKINNY-128 tweakable block cipher. There - * are six members in the family: - * - * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. This is the - * primary member of the family. - * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-256 tweakable block cipher. 
- * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-256 tweakable block cipher. - * - * The Romulus-M variants are resistant to nonce reuse as long as the - * combination of the associated data and plaintext is unique. If the - * same associated data and plaintext are reused under the same nonce, - * then the scheme will leak that the same plaintext has been sent for a - * second time but will not reveal the plaintext itself. - * - * References: https://romulusae.github.io/romulus/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for all Romulus family members. - */ -#define ROMULUS_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for all Romulus family members. - */ -#define ROMULUS_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Romulus-N1 and Romulus-M1. - */ -#define ROMULUS1_NONCE_SIZE 16 - -/** - * \brief Size of the nonce for Romulus-N2 and Romulus-M2. - */ -#define ROMULUS2_NONCE_SIZE 12 - -/** - * \brief Size of the nonce for Romulus-N3 and Romulus-M3. - */ -#define ROMULUS3_NONCE_SIZE 12 - -/** - * \brief Meta-information block for the Romulus-N1 cipher. - */ -extern aead_cipher_t const romulus_n1_cipher; - -/** - * \brief Meta-information block for the Romulus-N2 cipher. - */ -extern aead_cipher_t const romulus_n2_cipher; - -/** - * \brief Meta-information block for the Romulus-N3 cipher. - */ -extern aead_cipher_t const romulus_n3_cipher; - -/** - * \brief Meta-information block for the Romulus-M1 cipher. - */ -extern aead_cipher_t const romulus_m1_cipher; - -/** - * \brief Meta-information block for the Romulus-M2 cipher. 
- */ -extern aead_cipher_t const romulus_m2_cipher; - -/** - * \brief Meta-information block for the Romulus-M3 cipher. - */ -extern aead_cipher_t const romulus_m3_cipher; - -/** - * \brief Encrypts and authenticates a packet with Romulus-N1. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n1_aead_decrypt() - */ -int romulus_n1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N1. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n1_aead_encrypt() - */ -int romulus_n1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-N2. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n2_aead_decrypt() - */ -int romulus_n2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N2. 
- * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n2_aead_encrypt() - */ -int romulus_n2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-N3. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. 
- * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n3_aead_decrypt() - */ -int romulus_n3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N3. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n3_aead_encrypt() - */ -int romulus_n3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M1. - * - * \param c Buffer to receive the output. 
- * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_m1_aead_decrypt() - */ -int romulus_m1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M1. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. 
- * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m1_aead_encrypt() - */ -int romulus_m1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M2. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_m2_aead_decrypt() - */ -int romulus_m2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M2. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. 
- * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m2_aead_encrypt() - */ -int romulus_m2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M3. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa romulus_m3_aead_decrypt() - */ -int romulus_m3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M3. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m3_aead_encrypt() - */ -int romulus_m3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/api.h b/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/api.h new file mode 100644 index 0000000..a4aa567 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/api.h 
@@ -0,0 +1,5 @@
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
diff --git a/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/encrypt.c b/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/encrypt.c
new file mode 100644
index 0000000..8668d91
--- /dev/null
+++ b/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/encrypt.c
@@ -0,0 +1,1024 @@ +/* + * Date: 29 November 2018 + * Contact: Thomas Peyrin - thomas.peyrin@gmail.com + * Mustafa Khairallah - mustafam001@e.ntu.edu.sg + */ + +#include "crypto_aead.h" +#include "api.h" +#include "skinny.h" +#include +#include + +void pad (const unsigned char* m, unsigned char* mp, int len8) { + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&mp[0]) = 0; + *(uint32_t*)(&mp[4]) = 0; + *(uint32_t*)(&mp[8]) = 0; + *(uint32_t*)(&mp[12]) = 0; + mp[15] = (len8 & 0x0f); + for (int i = 0; i < len8; i++) { + mp[i] = m[i]; + } + +#else + + mp[0] = 0; + mp[1] = 0; + mp[2] = 0; + mp[3] = 0; + mp[4] = 0; + mp[5] = 0; + mp[6] = 0; + mp[7] = 0; + mp[8] = 0; + mp[9] = 0; + mp[10] = 0; + mp[11] = 0; + mp[12] = 0; + mp[13] = 0; + mp[14] = 0; + mp[15] = (len8 & 0x0f); + for (int i = 0; i < len8; i++) { + mp[i] = m[i]; + } + +#endif + +} + +void g8A (unsigned char* s, unsigned char* c) { + +#ifdef ___ENABLE_WORD_CAST + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t c0, c1, c2, c3; + + c0 = ((s0 >> 1) & 0x7f7f7f7f) ^ ((s0 ^ (s0 << 7)) & 0x80808080); + c1 = ((s1 >> 1) & 0x7f7f7f7f) ^ ((s1 ^ (s1 << 7)) & 0x80808080); + c2 = ((s2 >> 1) & 0x7f7f7f7f) ^ ((s2 ^ (s2 << 7)) & 0x80808080); + c3 = ((s3 >> 1) & 0x7f7f7f7f) ^ ((s3 ^ (s3 << 7)) & 0x80808080); + + *(uint32_t*)(&c[0]) = c0; + *(uint32_t*)(&c[4]) = c1; + *(uint32_t*)(&c[8]) = c2; + *(uint32_t*)(&c[12]) = c3; + +#else + + uint32_t s0, s1, s2, s3; + uint32_t c0, c1, c2, c3; + + pack_word(s[0], s[1], s[2], s[3], s0); + pack_word(s[4], s[5], s[6], s[7], s1); + pack_word(s[8], s[9], s[10], s[11], s2); + pack_word(s[12], s[13], s[14], s[15], s3); + + c0 = ((s0 >> 1) & 0x7f7f7f7f) ^ ((s0 ^ (s0 << 7)) & 0x80808080); + c1 = ((s1 >> 1) & 0x7f7f7f7f) ^ ((s1 ^ (s1 << 7)) & 0x80808080); + c2 = ((s2 >> 1) & 0x7f7f7f7f) ^ ((s2 ^ (s2 << 7)) & 0x80808080); + c3 = ((s3 >> 1) & 0x7f7f7f7f) ^ ((s3 ^ (s3 << 7)) & 0x80808080); 
+ + unpack_word(c[0], c[1], c[2], c[3], c0); + unpack_word(c[4], c[5], c[6], c[7], c1); + unpack_word(c[8], c[9], c[10], c[11], c2); + unpack_word(c[12], c[13], c[14], c[15], c3); + +#endif + +} + +#ifdef ___ENABLE_WORD_CAST + +void g8A_for_Tag_Generation (unsigned char* s, unsigned char* c) { + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t c0, c1, c2, c3; + + c0 = ((s0 >> 1) & 0x7f7f7f7f) ^ ((s0 ^ (s0 << 7)) & 0x80808080); + c1 = ((s1 >> 1) & 0x7f7f7f7f) ^ ((s1 ^ (s1 << 7)) & 0x80808080); + c2 = ((s2 >> 1) & 0x7f7f7f7f) ^ ((s2 ^ (s2 << 7)) & 0x80808080); + c3 = ((s3 >> 1) & 0x7f7f7f7f) ^ ((s3 ^ (s3 << 7)) & 0x80808080); + + // use byte access because of memory alignment. + // c is not always in word(4 byte) alignment. + c[0] = c0 &0xFF; + c[1] = (c0>>8) &0xFF; + c[2] = (c0>>16)&0xFF; + c[3] = c0>>24; + c[4] = c1 &0xFF; + c[5] = (c1>>8) &0xFF; + c[6] = (c1>>16)&0xFF; + c[7] = c1>>24; + c[8] = c2 &0xFF; + c[9] = (c2>>8) &0xFF; + c[10] = (c2>>16)&0xFF; + c[11] = c2>>24; + c[12] = c3 &0xFF; + c[13] = (c3>>8) &0xFF; + c[14] = (c3>>16)&0xFF; + c[15] = c3>>24; + +} + +#endif + +#define rho_ad_eqov16_macro(i) \ + s[i] = s[i] ^ m[i]; + +void rho_ad_eqov16 ( + const unsigned char* m, + unsigned char* s) { + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&m[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&m[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&m[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&m[12]); + +#else + + rho_ad_eqov16_macro(0); + rho_ad_eqov16_macro(1); + rho_ad_eqov16_macro(2); + rho_ad_eqov16_macro(3); + rho_ad_eqov16_macro(4); + rho_ad_eqov16_macro(5); + rho_ad_eqov16_macro(6); + rho_ad_eqov16_macro(7); + rho_ad_eqov16_macro(8); + rho_ad_eqov16_macro(9); + rho_ad_eqov16_macro(10); + rho_ad_eqov16_macro(11); + rho_ad_eqov16_macro(12); + rho_ad_eqov16_macro(13); + rho_ad_eqov16_macro(14); + rho_ad_eqov16_macro(15); + +#endif + +} + 
+#define rho_ad_ud16_macro(i) \ + s[i] = s[i] ^ mp[i]; + +void rho_ad_ud16 ( + const unsigned char* m, + unsigned char* s, + int len8) { + + unsigned char mp [16]; + pad(m,mp,len8); + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&mp[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&mp[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&mp[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&mp[12]); + +#else + + rho_ad_ud16_macro(0); + rho_ad_ud16_macro(1); + rho_ad_ud16_macro(2); + rho_ad_ud16_macro(3); + rho_ad_ud16_macro(4); + rho_ad_ud16_macro(5); + rho_ad_ud16_macro(6); + rho_ad_ud16_macro(7); + rho_ad_ud16_macro(8); + rho_ad_ud16_macro(9); + rho_ad_ud16_macro(10); + rho_ad_ud16_macro(11); + rho_ad_ud16_macro(12); + rho_ad_ud16_macro(13); + rho_ad_ud16_macro(14); + rho_ad_ud16_macro(15); + +#endif + +} + +void rho_eqov16 ( + const unsigned char* m, + unsigned char* c, + unsigned char* s) { + + g8A(s,c); + +#ifdef ___ENABLE_WORD_CAST + + uint32_t c0 = *(uint32_t*)(&c[0]); + uint32_t c1 = *(uint32_t*)(&c[4]); + uint32_t c2 = *(uint32_t*)(&c[8]); + uint32_t c3 = *(uint32_t*)(&c[12]); + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t m0 = *(uint32_t*)(&m[0]); + uint32_t m1 = *(uint32_t*)(&m[4]); + uint32_t m2 = *(uint32_t*)(&m[8]); + uint32_t m3 = *(uint32_t*)(&m[12]); + + s0 ^= m0; + s1 ^= m1; + s2 ^= m2; + s3 ^= m3; + + c0 ^= m0; + c1 ^= m1; + c2 ^= m2; + c3 ^= m3; + + *(uint32_t*)(&s[0]) = s0; + *(uint32_t*)(&s[4]) = s1; + *(uint32_t*)(&s[8]) = s2; + *(uint32_t*)(&s[12]) = s3; + + *(uint32_t*)(&c[0]) = c0; + *(uint32_t*)(&c[4]) = c1; + *(uint32_t*)(&c[8]) = c2; + *(uint32_t*)(&c[12]) = c3; + +#else + + uint32_t c0, c1, c2, c3; + uint32_t s0, s1, s2, s3; + uint32_t m0, m1, m2, m3; + + pack_word(m[0], m[1], m[2], m[3], m0); + pack_word(m[4], m[5], m[6], m[7], m1); + pack_word(m[8], m[9], m[10], m[11], m2); + pack_word(m[12], m[13], m[14], m[15], m3); 
+ + pack_word(s[0], s[1], s[2], s[3], s0); + pack_word(s[4], s[5], s[6], s[7], s1); + pack_word(s[8], s[9], s[10], s[11], s2); + pack_word(s[12], s[13], s[14], s[15], s3); + + pack_word(c[0], c[1], c[2], c[3], c0); + pack_word(c[4], c[5], c[6], c[7], c1); + pack_word(c[8], c[9], c[10], c[11], c2); + pack_word(c[12], c[13], c[14], c[15], c3); + + s0 ^= m0; + s1 ^= m1; + s2 ^= m2; + s3 ^= m3; + + c0 ^= m0; + c1 ^= m1; + c2 ^= m2; + c3 ^= m3; + + unpack_word(s[0], s[1], s[2], s[3], s0); + unpack_word(s[4], s[5], s[6], s[7], s1); + unpack_word(s[8], s[9], s[10], s[11], s2); + unpack_word(s[12], s[13], s[14], s[15], s3); + + unpack_word(c[0], c[1], c[2], c[3], c0); + unpack_word(c[4], c[5], c[6], c[7], c1); + unpack_word(c[8], c[9], c[10], c[11], c2); + unpack_word(c[12], c[13], c[14], c[15], c3); + +#endif + +} + +#define rho_ud16_macro(i) \ + s[i] = s[i] ^ mp[i]; + +void rho_ud16 ( + const unsigned char* m, + unsigned char* c, + unsigned char* s, + int len8) { + + unsigned char mp [16]; + + pad(m,mp,len8); + + g8A(s,c); +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&mp[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&mp[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&mp[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&mp[12]); + + for (int i = 0; i < 16; i++) { + if (i < len8) { + c[i] = c[i] ^ mp[i]; + } + else { + c[i] = 0; + } + } + +#else + + rho_ud16_macro(0); + rho_ud16_macro(1); + rho_ud16_macro(2); + rho_ud16_macro(3); + rho_ud16_macro(4); + rho_ud16_macro(5); + rho_ud16_macro(6); + rho_ud16_macro(7); + rho_ud16_macro(8); + rho_ud16_macro(9); + rho_ud16_macro(10); + rho_ud16_macro(11); + rho_ud16_macro(12); + rho_ud16_macro(13); + rho_ud16_macro(14); + rho_ud16_macro(15); + + for (int i = 0; i < 16; i++) { + if (i < len8) { + c[i] = c[i] ^ mp[i]; + } + else { + c[i] = 0; + } + } + +#endif + +} + +void irho_eqov16 ( + unsigned char* m, + const unsigned char* c, + unsigned char* s) { + + g8A(s,m); + +#ifdef ___ENABLE_WORD_CAST + + uint32_t c0 = 
*(uint32_t*)(&c[0]); + uint32_t c1 = *(uint32_t*)(&c[4]); + uint32_t c2 = *(uint32_t*)(&c[8]); + uint32_t c3 = *(uint32_t*)(&c[12]); + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t m0 = *(uint32_t*)(&m[0]); + uint32_t m1 = *(uint32_t*)(&m[4]); + uint32_t m2 = *(uint32_t*)(&m[8]); + uint32_t m3 = *(uint32_t*)(&m[12]); + + s0 ^= c0 ^ m0; + s1 ^= c1 ^ m1; + s2 ^= c2 ^ m2; + s3 ^= c3 ^ m3; + + m0 ^= c0; + m1 ^= c1; + m2 ^= c2; + m3 ^= c3; + + *(uint32_t*)(&s[0]) = s0; + *(uint32_t*)(&s[4]) = s1; + *(uint32_t*)(&s[8]) = s2; + *(uint32_t*)(&s[12]) = s3; + + *(uint32_t*)(&m[0]) = m0; + *(uint32_t*)(&m[4]) = m1; + *(uint32_t*)(&m[8]) = m2; + *(uint32_t*)(&m[12]) = m3; + +#else + + uint32_t c0, c1, c2, c3; + uint32_t s0, s1, s2, s3; + uint32_t m0, m1, m2, m3; + + pack_word(m[0], m[1], m[2], m[3], m0); + pack_word(m[4], m[5], m[6], m[7], m1); + pack_word(m[8], m[9], m[10], m[11], m2); + pack_word(m[12], m[13], m[14], m[15], m3); + + pack_word(s[0], s[1], s[2], s[3], s0); + pack_word(s[4], s[5], s[6], s[7], s1); + pack_word(s[8], s[9], s[10], s[11], s2); + pack_word(s[12], s[13], s[14], s[15], s3); + + pack_word(c[0], c[1], c[2], c[3], c0); + pack_word(c[4], c[5], c[6], c[7], c1); + pack_word(c[8], c[9], c[10], c[11], c2); + pack_word(c[12], c[13], c[14], c[15], c3); + + s0 ^= c0 ^ m0; + s1 ^= c1 ^ m1; + s2 ^= c2 ^ m2; + s3 ^= c3 ^ m3; + + m0 ^= c0; + m1 ^= c1; + m2 ^= c2; + m3 ^= c3; + + unpack_word(s[0], s[1], s[2], s[3], s0); + unpack_word(s[4], s[5], s[6], s[7], s1); + unpack_word(s[8], s[9], s[10], s[11], s2); + unpack_word(s[12], s[13], s[14], s[15], s3); + + unpack_word(m[0], m[1], m[2], m[3], m0); + unpack_word(m[4], m[5], m[6], m[7], m1); + unpack_word(m[8], m[9], m[10], m[11], m2); + unpack_word(m[12], m[13], m[14], m[15], m3); + +#endif + +} + +#define irho_ud16_macro(i) \ + s[i] = s[i] ^ cp[i]; + +void irho_ud16 ( + unsigned char* m, + const unsigned 
char* c, + unsigned char* s, + int len8) { + + unsigned char cp [16]; + + pad(c,cp,len8); + + g8A(s,m); + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&cp[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&cp[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&cp[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&cp[12]); + + for (int i = 0; i < len8; i++) { + s[i] ^= m[i]; + } + + for (int i = 0; i < 16; i++) { + if (i < len8) { + m[i] = m[i] ^ cp[i]; + } + else { + m[i] = 0; + } + } + +#else + + irho_ud16_macro(0); + irho_ud16_macro(1); + irho_ud16_macro(2); + irho_ud16_macro(3); + irho_ud16_macro(4); + irho_ud16_macro(5); + irho_ud16_macro(6); + irho_ud16_macro(7); + irho_ud16_macro(8); + irho_ud16_macro(9); + irho_ud16_macro(10); + irho_ud16_macro(11); + irho_ud16_macro(12); + irho_ud16_macro(13); + irho_ud16_macro(14); + irho_ud16_macro(15); + + for (int i = 0; i < len8; i++) { + s[i] ^= m[i]; + } + + for (int i = 0; i < 16; i++) { + if (i < len8) { + m[i] = m[i] ^ cp[i]; + } + else { + m[i] = 0; + } + } + +#endif + +} + +void reset_lfsr_gf56 (unsigned char* CNT) { + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&CNT[0]) = 0x00000001; // CNT3 CNT2 CNT1 CNT0 + *(uint32_t*)(&CNT[4]) = 0x00000000; // CNT7 CNT6 CNT5 CNT4 + +#else + + CNT[0] = 0x01; + CNT[1] = 0x00; + CNT[2] = 0x00; + CNT[3] = 0x00; + CNT[4] = 0x00; + CNT[5] = 0x00; + CNT[6] = 0x00; + +#endif + +} + +void lfsr_gf56 (unsigned char* CNT) { + +#ifdef ___ENABLE_WORD_CAST + + uint32_t C0; + uint32_t C1; + uint32_t fb0; + + C0 = *(uint32_t*)(&CNT[0]); // CNT3 CNT2 CNT1 CNT0 + C1 = *(uint32_t*)(&CNT[4]); // CNT7 CNT6 CNT5 CNT4 + + fb0 = 0; + if (CNT[6] & 0x80) { + fb0 = 0x95; + } + + C1 = C1 << 1 | C0 >> 31; + C0 = C0 << 1 ^ fb0; + + *(uint32_t*)(&CNT[0]) = C0; + *(uint32_t*)(&CNT[4]) = C1; + +#else + + uint32_t fb0 = CNT[6] >> 7; + + CNT[6] = (CNT[6] << 1) | (CNT[5] >> 7); + CNT[5] = (CNT[5] << 1) | (CNT[4] >> 7); + CNT[4] = (CNT[4] << 1) | (CNT[3] >> 7); + CNT[3] = (CNT[3] << 1) | (CNT[2] >> 7); + 
CNT[2] = (CNT[2] << 1) | (CNT[1] >> 7); + CNT[1] = (CNT[1] << 1) | (CNT[0] >> 7); + if (fb0 == 1) { + CNT[0] = (CNT[0] << 1) ^ 0x95; + } + else { + CNT[0] = (CNT[0] << 1); + } + +#endif + +} + +void block_cipher( + unsigned char* s, + const unsigned char* k, unsigned char* T, + unsigned char* CNT, unsigned char D, + skinny_ctrl* p_skinny_ctrl) { + + CNT[7] = D; + p_skinny_ctrl->func_skinny_128_384_enc(s, p_skinny_ctrl, CNT, T, k); + +} + +void nonce_encryption ( + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + skinny_ctrl* p_skinny_ctrl) { + + block_cipher(s,k,(unsigned char*)N,CNT,D,p_skinny_ctrl); + +} + +void generate_tag ( + unsigned char** c, unsigned char* s, + unsigned long long* clen) { + +#ifdef ___ENABLE_WORD_CAST + + g8A_for_Tag_Generation(s, *c); + +#else + + g8A(s, *c); + +#endif + *c = *c + 16; + *c = *c - *clen; + +} + +unsigned long long msg_encryption_eqov16 ( + const unsigned char** M, unsigned char** c, + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long mlen, + skinny_ctrl* p_skinny_ctrl) { + + rho_eqov16(*M, *c, s); + *c = *c + 16; + *M = *M + 16; + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,D,p_skinny_ctrl); + return mlen - 16; + +} + +unsigned long long msg_encryption_ud16 ( + const unsigned char** M, unsigned char** c, + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long mlen, + skinny_ctrl* p_skinny_ctrl) { + + rho_ud16(*M, *c, s, mlen); + *c = *c + mlen; + *M = *M + mlen; + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,D,p_skinny_ctrl); + return 0; + +} + +unsigned long long msg_decryption_eqov16 ( + unsigned char** M, const unsigned char** c, + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long clen, + skinny_ctrl* p_skinny_ctrl) { + + 
irho_eqov16(*M, *c, s); + *c = *c + 16; + *M = *M + 16; + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,D,p_skinny_ctrl); + return clen - 16; + +} +unsigned long long msg_decryption_ud16 ( + unsigned char** M, const unsigned char** c, + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long clen, + skinny_ctrl* p_skinny_ctrl) { + + irho_ud16(*M, *c, s, clen); + *c = *c + clen; + *M = *M + clen; + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,D,p_skinny_ctrl); + return 0; + +} + +unsigned long long ad_encryption_eqov32 ( + const unsigned char** A, unsigned char* s, + const unsigned char* k, unsigned long long adlen, + unsigned char* CNT, + unsigned char D, + skinny_ctrl* p_skinny_ctrl) { + + unsigned char T [16]; + + rho_ad_eqov16(*A, s); + *A = *A + 16; + lfsr_gf56(CNT); + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&T[0]) = *(uint32_t*)(&(*A)[0]); + *(uint32_t*)(&T[4]) = *(uint32_t*)(&(*A)[4]); + *(uint32_t*)(&T[8]) = *(uint32_t*)(&(*A)[8]); + *(uint32_t*)(&T[12]) = *(uint32_t*)(&(*A)[12]); + +#else + + T[0] = (*A)[0]; + T[1] = (*A)[1]; + T[2] = (*A)[2]; + T[3] = (*A)[3]; + T[4] = (*A)[4]; + T[5] = (*A)[5]; + T[6] = (*A)[6]; + T[7] = (*A)[7]; + T[8] = (*A)[8]; + T[9] = (*A)[9]; + T[10] = (*A)[10]; + T[11] = (*A)[11]; + T[12] = (*A)[12]; + T[13] = (*A)[13]; + T[14] = (*A)[14]; + T[15] = (*A)[15]; + +#endif + + *A = *A + 16; + block_cipher(s,k,T,CNT,D,p_skinny_ctrl); + lfsr_gf56(CNT); + + return adlen - 32; + +} + +unsigned long long ad_encryption_ov16 ( + const unsigned char** A, unsigned char* s, + const unsigned char* k, unsigned long long adlen, + unsigned char* CNT, + unsigned char D, + skinny_ctrl* p_skinny_ctrl) { + + unsigned char T [16]; + + adlen = adlen - 16; + rho_ad_eqov16(*A, s); + *A = *A + 16; + lfsr_gf56(CNT); + + pad(*A, T, adlen); + *A = *A + adlen; + block_cipher(s,k,T,CNT,D,p_skinny_ctrl); + lfsr_gf56(CNT); + + return 0; + +} + +unsigned long long ad_encryption_eq16 ( + 
const unsigned char** A, unsigned char* s, + unsigned char* CNT) { + + rho_ad_eqov16(*A, s); + *A = *A + 16; + lfsr_gf56(CNT); + + return 0; + +} + +unsigned long long ad_encryption_ud16( + const unsigned char** A, unsigned char* s, + unsigned long long adlen, + unsigned char* CNT) { + + rho_ad_ud16(*A, s, adlen); + *A = *A + adlen; + lfsr_gf56(CNT); + + return 0; + +} + +int crypto_aead_encrypt ( + unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, + const unsigned char* npub, + const unsigned char* k) { + + unsigned char s[16]; + unsigned char CNT[8]; + const unsigned char* A; + const unsigned char* M; + const unsigned char* N; + + skinny_ctrl ctrl; + ctrl.func_skinny_128_384_enc = skinny_128_384_enc123_12; + + (void) nsec; + A = ad; + M = m; + N = npub; + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) = 0; + *(uint32_t*)(&s[4]) = 0; + *(uint32_t*)(&s[8]) = 0; + *(uint32_t*)(&s[12]) = 0; + +#else + + s[0] = 0; + s[1] = 0; + s[2] = 0; + s[3] = 0; + s[4] = 0; + s[5] = 0; + s[6] = 0; + s[7] = 0; + s[8] = 0; + s[9] = 0; + s[10] = 0; + s[11] = 0; + s[12] = 0; + s[13] = 0; + s[14] = 0; + s[15] = 0; + +#endif + + reset_lfsr_gf56(CNT); + + if (adlen == 0) { // AD is an empty string + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,0x1a,&ctrl); + } + else while (adlen > 0) { + if (adlen < 16) { // The last block of AD is odd and incomplete + adlen = ad_encryption_ud16(&A,s,adlen,CNT); + nonce_encryption(N,CNT,s,k,0x1a,&ctrl); + } + else if (adlen == 16) { // The last block of AD is odd and complete + adlen = ad_encryption_eq16(&A,s,CNT); + nonce_encryption(N,CNT,s,k,0x18,&ctrl); + } + else if (adlen < 32) { // The last block of AD is even and incomplete + adlen = ad_encryption_ov16(&A,s,k,adlen,CNT,0x08,&ctrl); + nonce_encryption(N,CNT,s,k,0x1a,&ctrl); + } + else if (adlen == 32) { // The last block of AD is even and complete + adlen = 
ad_encryption_eqov32(&A,s,k,adlen,CNT,0x08,&ctrl); + nonce_encryption(N,CNT,s,k,0x18,&ctrl); + } + else { // A normal full pair of blocks of AD + adlen = ad_encryption_eqov32(&A,s,k,adlen,CNT,0x08,&ctrl); + } + } + + ctrl.func_skinny_128_384_enc = skinny_128_384_enc1_1; + + reset_lfsr_gf56(CNT); + + *clen = mlen + 16; + + if (mlen == 0) { // M is an empty string + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,0x15,&ctrl); + } + else while (mlen > 0) { + if (mlen < 16) { // The last block of M is incomplete + mlen = msg_encryption_ud16(&M,&c,N,CNT,s,k,0x15,mlen,&ctrl); + } + else if (mlen == 16) { // The last block of M is complete + mlen = msg_encryption_eqov16(&M,&c,N,CNT,s,k,0x14,mlen,&ctrl); + } + else { // A normal full message block + mlen = msg_encryption_eqov16(&M,&c,N,CNT,s,k,0x04,mlen,&ctrl); + } + } + + // Tag generation + generate_tag(&c,s,clen); + + return 0; + +} + +int crypto_aead_decrypt( + unsigned char *m,unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c,unsigned long long clen, + const unsigned char *ad,unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) { + + unsigned char s[16]; + unsigned char T[16]; + unsigned char CNT[8]; + const unsigned char* A; + unsigned char* M; + const unsigned char* N; + + skinny_ctrl ctrl; + ctrl.func_skinny_128_384_enc = skinny_128_384_enc123_12; + + (void) nsec; + A = ad; + M = m; + N = npub; + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) = 0; + *(uint32_t*)(&s[4]) = 0; + *(uint32_t*)(&s[8]) = 0; + *(uint32_t*)(&s[12]) = 0; + +#else + + s[0] = 0; + s[1] = 0; + s[2] = 0; + s[3] = 0; + s[4] = 0; + s[5] = 0; + s[6] = 0; + s[7] = 0; + s[8] = 0; + s[9] = 0; + s[10] = 0; + s[11] = 0; + s[12] = 0; + s[13] = 0; + s[14] = 0; + s[15] = 0; + +#endif + + reset_lfsr_gf56(CNT); + + if (adlen == 0) { // AD is an empty string + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,0x1a,&ctrl); + } + else while (adlen > 0) { + if (adlen < 16) { // The last block of AD is odd and 
incomplete + adlen = ad_encryption_ud16(&A,s,adlen,CNT); + nonce_encryption(N,CNT,s,k,0x1a,&ctrl); + } + else if (adlen == 16) { // The last block of AD is odd and complete + adlen = ad_encryption_eq16(&A,s,CNT); + nonce_encryption(N,CNT,s,k,0x18,&ctrl); + } + else if (adlen < 32) { // The last block of AD is even and incomplete + adlen = ad_encryption_ov16(&A,s,k,adlen,CNT,0x08,&ctrl); + nonce_encryption(N,CNT,s,k,0x1a,&ctrl); + } + else if (adlen == 32) { // The last block of AD is even and complete + adlen = ad_encryption_eqov32(&A,s,k,adlen,CNT,0x08,&ctrl); + nonce_encryption(N,CNT,s,k,0x18,&ctrl); + } + else { // A normal full pair of blocks of AD + adlen = ad_encryption_eqov32(&A,s,k,adlen,CNT,0x08,&ctrl); + } + } + + ctrl.func_skinny_128_384_enc = skinny_128_384_enc1_1; + + reset_lfsr_gf56(CNT); + + clen = clen -16; + *mlen = clen; + + if (clen == 0) { // C is an empty string + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,0x15,&ctrl); + } + else while (clen > 0) { + if (clen < 16) { // The last block of C is incomplete + clen = msg_decryption_ud16(&M,&c,N,CNT,s,k,0x15,clen,&ctrl); + } + else if (clen == 16) { // The last block of C is complete + clen = msg_decryption_eqov16(&M,&c,N,CNT,s,k,0x14,clen,&ctrl); + } + else { // A normal full message block + clen = msg_decryption_eqov16(&M,&c,N,CNT,s,k,0x04,clen,&ctrl); + } + } + + // Tag generation +#ifdef ___ENABLE_WORD_CAST + + g8A_for_Tag_Generation(s, T); + +#else + + g8A(s, T); + +#endif + for (int i = 0; i < 16; i++) { + if (T[i] != (*(c+i))) { + return -1; + } + } + + return 0; + +} diff --git a/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/skinny.h b/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/skinny.h new file mode 100644 index 0000000..d9f4a34 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/skinny.h 
@@ -0,0 +1,69 @@ +#define ___SKINNY_LOOP +//#define ___NUM_OF_ROUNDS_56 +#define ___ENABLE_WORD_CAST + +#include + +typedef struct ___skinny_ctrl { +#ifdef ___NUM_OF_ROUNDS_56 + uint32_t roundKeys[240]; // number of rounds : 56 +#else + uint32_t roundKeys[176]; // number of rounds : 40 +#endif + void (*func_skinny_128_384_enc)(unsigned char*, struct ___skinny_ctrl*, unsigned char* CNT, unsigned char* T, const unsigned char* K); +} skinny_ctrl; + +extern void skinny_128_384_enc123_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); +extern void skinny_128_384_enc12_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); +extern void skinny_128_384_enc1_1 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); + +#define pack_word(x0, x1, x2, x3, w) \ + w = ((x3) << 24) ^ \ + ((x2) << 16) ^ \ + ((x1) << 8) ^ \ + (x0); + +#define unpack_word(x0, x1, x2, x3, w) \ + x0 = ((w) & 0xff); \ + x1 = (((w) >> 8) & 0xff); \ + x2 = (((w) >> 16) & 0xff); \ + x3 = ((w) >> 24); + +#define PERMUTATION() \ +/* permutation */ \ + \ + /* 7 6 5 4 3 2 1 0 */ \ + /* 5 7 2 3 6 0 4 1 */ \ + \ + /* w0 (3 2 1 0) */ \ + /* w1 (7 6 5 4) */ \ + \ + /* w0 (6 0 4 1) */ \ + /* w1 (5 7 2 3) */ \ + \ + t0 = w1 << 8; /* 6 5 4 - */ \ + t0 = t0 & 0xff00ff00; /* 6 - 4 - */ \ + \ + t1 = w1 << 16; /* 5 4 - - */ \ + t1 = t1 & 0xff000000; /* 5 - - - */ \ + \ + t2 = w1 & 0xff000000; /* 7 - - - */ \ + t2 = t2 >> 8; /* - 7 - - */ \ + t1 = t1 ^ t2; /* 5 7 - - */ \ + \ + t2 = w0 & 0xff000000; /* 3 - - - */ \ + t2 = t2 >> 24; /* - - - 3 */ \ + t1 = t1 ^ t2; /* 5 7 - 3 */ \ + \ + w1 = w0 >> 8; /* - 3 2 1 */ \ + w1 = w1 & 0x0000ff00; /* - - 2 - */ \ + w1 = w1 ^ t1; /* 5 7 2 3 */ \ + \ + t2 = w0 & 0x0000ff00; /* - - 1 - */ \ + t2 = t2 >> 8; /* - - - 1 */ \ + t0 = t0 ^ t2; /* 6 - 4 1 */ \ + \ + w0 = w0 << 16; /* 1 0 - - */ \ + w0 = w0 & 
0x00ff0000; /* - 0 - - */ \ + w0 = w0 ^ t0; /* 6 0 4 1 */ + diff --git a/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/skinny_key_schedule2.c b/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/skinny_key_schedule2.c new file mode 100644 index 0000000..923d4b8 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/skinny_key_schedule2.c 
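Review bot: `pack_word` shifts an `unsigned char` operand with `((x3) << 24)`, which promotes to `int` and is undefined for byte values of 0x80 and above; cast each byte to the target width first, `w = ((uint32_t)(x3) << 24) ^ ((uint32_t)(x2) << 16) ^ ((uint32_t)(x1) << 8) ^ (uint32_t)(x0);`. The names `___SKINNY_LOOP`, `___ENABLE_WORD_CAST`, `___NUM_OF_ROUNDS_56` and `___skinny_ctrl` begin with a double underscore and are reserved for the implementation, so a prefix such as `SKINNY_` would avoid collisions with toolchain macros. Defining `___ENABLE_WORD_CAST` unconditionally commits every `*(uint32_t*)(&buf[i])` access in the callers to a little-endian target and suitably aligned byte buffers, which is worth stating next to the define, e.g. `/* word-cast path: assumes little-endian byte order and 4-byte-aligned state/key buffers */`. The `#include` directive at the top shows no header name in this rendering; `uint32_t` is used a few lines later, so presumably `<stdint.h>` was lost in extraction rather than in the source, but that is worth confirming.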
@@ -0,0 +1,227 @@ +/****************************************************************************** + * Copyright (c) 2020, NEC Corporation. + * + * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. + * + *****************************************************************************/ + +/* + * SKINNY-128-384 + * + * load * AC(c0 c1) ^ TK3 + * calc AC(c0 c1) ^ TK2 -> store + * ART(TK2) + * + * number of rounds : 40 or 56 + */ + +#include "skinny.h" + +#define PERMUTATION_TK2() \ + \ + /* permutation */ \ + \ + PERMUTATION() \ + \ + /* LFSR(for TK2) (x7 x6 x5 x4 x3 x2 x1 x0) -> (x6 x5 x4 x3 x2 x1 x0 x7^x5) */ \ + w0 = ((w0 << 1) & 0xfefefefe) ^ \ + (((w0 >> 7) ^ (w0 >> 5)) & 0x01010101); \ + w1 = ((w1 << 1) & 0xfefefefe) ^ \ + (((w1 >> 7) ^ (w1 >> 5)) & 0x01010101); \ + \ + /* Load TK3 */ \ + /* TK2^TK3^AC(c0 c1) */ \ + /* store */ \ + *tk2++ = w0 ^ *tk3++; \ + *tk2++ = w1 ^ *tk3++; \ + tk2 += 2; \ + tk3 += 2; + +#ifndef ___SKINNY_LOOP + +void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys) +{ + uint32_t* tk2; // used in MACRO + uint32_t* tk3; // used in MACRO + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t w0; + uint32_t w1; + + // odd + + // load master key + w0 = roundKeys[4]; + w1 = roundKeys[5]; + + tk2 = &roundKeys[16]; +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[96]; +#else + tk3 = &roundKeys[128]; +#endif + + // 1st round + *tk2++ = w0 ^ *tk3++; + *tk2++ = w1 ^ *tk3++; + + tk2 += 2; + tk3 += 2; + + // 3rd,5th, ... ,37th,39th round + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 41th,43th, ... 
,51th,53th round + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + +#endif + + // even + + // load master key + w0 = roundKeys[6]; + w1 = roundKeys[7]; + + tk2 = &roundKeys[18]; +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[98]; +#else + tk3 = &roundKeys[130]; +#endif + + // 2nd,4th, ... ,54th,56th round + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 42nd,44th, ... ,54th,56th round + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + +#endif + +} + +#else + +void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys) +{ + uint32_t* tk2; // used in MACRO + uint32_t* tk3; // used in MACRO + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t w0; + uint32_t w1; + + // odd + + // load master key + w0 = roundKeys[4]; + w1 = roundKeys[5]; + + tk2 = &roundKeys[16]; +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[96]; +#else + tk3 = &roundKeys[128]; +#endif + + // 1st round + *tk2++ = w0 ^ *tk3++; + *tk2++ = w1 ^ *tk3++; + + tk2 += 2; + tk3 += 2; + + // 3rd,5th, ... 
+#ifndef ___NUM_OF_ROUNDS_56 + for(int i=0;i<19;i++) +#else + for(int i=0;i<27;i++) +#endif + { + PERMUTATION_TK2(); + } + + // even + + // load master key + w0 = roundKeys[6]; + w1 = roundKeys[7]; + + tk2 = &roundKeys[18]; +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[98]; +#else + tk3 = &roundKeys[130]; +#endif + + // 2nd,4th, ... +#ifndef ___NUM_OF_ROUNDS_56 + for(int i=0;i<20;i++) +#else + for(int i=0;i<28;i++) +#endif + { + PERMUTATION_TK2(); + } + +} + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/skinny_key_schedule3.c b/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/skinny_key_schedule3.c new file mode 100644 index 0000000..39254a6 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/skinny_key_schedule3.c 
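Review bot: Both `RunEncryptionKeyScheduleTK2` definitions read the TK3 schedule through `*tk2++ = w0 ^ *tk3++` starting at `roundKeys[96]` (or `[128]`), so they silently require `RunEncryptionKeyScheduleTK3` to have run on the same `roundKeys` first, and nothing in this file records that ordering. A header comment above the function would make the contract explicit, e.g. `/* Precondition: RunEncryptionKeyScheduleTK3() has already filled roundKeys[96..] (roundKeys[128..] for 56 rounds); this pass writes TK2^TK3^AC into roundKeys[16..]. */`. In the unrolled variant the even-section comment `// 2nd,4th, ... ,54th,56th round` sits above the 20 unconditional expansions, so it overstates the count for the 40-round build; `// 2nd,4th, ... ,38th,40th round` matches the odd section's wording. The macros also depend on `tk2`, `tk3`, `t0`–`t2`, `w0` and `w1` existing in the caller's scope, which the `// used in MACRO` comments acknowledge but which would be safer as `static inline` helpers taking those values as parameters.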
@@ -0,0 +1,228 @@ +/****************************************************************************** + * Copyright (c) 2020, NEC Corporation. + * + * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. + * + *****************************************************************************/ + +/* + * SKINNY-128-384 + * + * AC(c0 c1) ^ TK3 -> store + * ART(TK3) + * + * number of rounds : 40 or 56 + */ + +#include "skinny.h" + +#define PERMUTATION_TK3(c0Val, c1Val) \ + \ + /* permutation */ \ + \ + PERMUTATION() \ + \ + /* LFSR(for TK3) (x7 x6 x5 x4 x3 x2 x1 x0) -> (x0^x6 x7 x6 x5 x4 x3 x2 x1) */ \ + w0 = ((w0 >> 1) & 0x7f7f7f7f) ^ \ + (((w0 << 7) ^ (w0 << 1)) & 0x80808080); \ + w1 = ((w1 >> 1) & 0x7f7f7f7f) ^ \ + (((w1 << 7) ^ (w1 << 1)) & 0x80808080); \ + \ + /* K3^AC(c0 c1) */ \ + /* store */ \ + *tk3++ = w0 ^ c0Val; \ + *tk3++ = w1 ^ c1Val; \ + tk3 += 2; + +#ifndef ___SKINNY_LOOP + +void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys) +{ + uint32_t *tk3; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t w0; + uint32_t w1; + + // odd + + // load master key + w0 = roundKeys[8]; + w1 = roundKeys[9]; + +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[96]; +#else + tk3 = &roundKeys[128]; +#endif + + // 1st round + *tk3++ = w0 ^ 0x01; + *tk3++ = w1; + tk3 += 2; + + // 3rd,5th, ... 
,37th,39th round + PERMUTATION_TK3(0x7, 0x000); + PERMUTATION_TK3(0xf, 0x100); + PERMUTATION_TK3(0xd, 0x300); + PERMUTATION_TK3(0x7, 0x300); + PERMUTATION_TK3(0xe, 0x100); + PERMUTATION_TK3(0x9, 0x300); + PERMUTATION_TK3(0x7, 0x200); + PERMUTATION_TK3(0xd, 0x100); + PERMUTATION_TK3(0x5, 0x300); + + PERMUTATION_TK3(0x6, 0x100); + PERMUTATION_TK3(0x8, 0x100); + PERMUTATION_TK3(0x1, 0x200); + PERMUTATION_TK3(0x5, 0x000); + PERMUTATION_TK3(0x7, 0x100); + PERMUTATION_TK3(0xc, 0x100); + PERMUTATION_TK3(0x1, 0x300); + PERMUTATION_TK3(0x6, 0x000); + PERMUTATION_TK3(0xb, 0x100); + PERMUTATION_TK3(0xd, 0x200); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 41td,43th, ... ,53th,55th round + PERMUTATION_TK3(0x4, 0x300); + PERMUTATION_TK3(0x2, 0x100); + PERMUTATION_TK3(0x8, 0x000); + PERMUTATION_TK3(0x2, 0x200); + PERMUTATION_TK3(0x9, 0x000); + PERMUTATION_TK3(0x6, 0x200); + PERMUTATION_TK3(0x9, 0x100); + PERMUTATION_TK3(0x5, 0x200); + +#endif + + // even + + // load master key + w0 = roundKeys[10]; + w1 = roundKeys[11]; + + +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[98]; +#else + tk3 = &roundKeys[130]; +#endif + + // 2nd,4th, ... ,38th,40th round + PERMUTATION_TK3(0x3, 0x000); + PERMUTATION_TK3(0xf, 0x000); + PERMUTATION_TK3(0xe, 0x300); + PERMUTATION_TK3(0xb, 0x300); + PERMUTATION_TK3(0xf, 0x200); + PERMUTATION_TK3(0xc, 0x300); + PERMUTATION_TK3(0x3, 0x300); + PERMUTATION_TK3(0xe, 0x000); + PERMUTATION_TK3(0xa, 0x300); + PERMUTATION_TK3(0xb, 0x200); + + PERMUTATION_TK3(0xc, 0x200); + PERMUTATION_TK3(0x0, 0x300); + PERMUTATION_TK3(0x2, 0x000); + PERMUTATION_TK3(0xb, 0x000); + PERMUTATION_TK3(0xe, 0x200); + PERMUTATION_TK3(0x8, 0x300); + PERMUTATION_TK3(0x3, 0x200); + PERMUTATION_TK3(0xd, 0x000); + PERMUTATION_TK3(0x6, 0x300); + PERMUTATION_TK3(0xa, 0x100); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 42nd,44th, ... 
,54th,56th round + PERMUTATION_TK3(0x9, 0x200); + PERMUTATION_TK3(0x4, 0x200); + PERMUTATION_TK3(0x1, 0x100); + PERMUTATION_TK3(0x4, 0x000); + PERMUTATION_TK3(0x3, 0x100); + PERMUTATION_TK3(0xc, 0x000); + PERMUTATION_TK3(0x2, 0x300); + PERMUTATION_TK3(0xa, 0x000); + +#endif + +} + +#else + +void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys, unsigned char *pRC) +{ + uint32_t *tk3; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t w0; + uint32_t w1; + uint16_t c0; + uint16_t c1; + + // odd + + // load master key + w0 = roundKeys[8]; + w1 = roundKeys[9]; + +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[96]; +#else + tk3 = &roundKeys[128]; +#endif + + // 1st round + *tk3++ = w0 ^ 0x01; + *tk3++ = w1; + tk3 += 2; + + pRC += 4; + // 3rd,5th, ... +#ifndef ___NUM_OF_ROUNDS_56 + for(int i=0;i<19;i++) +#else + for(int i=0;i<27;i++) +#endif + { + c0 = *pRC++; + c1 = *pRC++; + c1 <<= 8; + pRC += 2; + PERMUTATION_TK3(c0, c1); + } + + // even + + // load master key + w0 = roundKeys[10]; + w1 = roundKeys[11]; + +#ifndef ___NUM_OF_ROUNDS_56 + pRC -= 78; + tk3 = &roundKeys[98]; +#else + pRC -= 110; + tk3 = &roundKeys[130]; +#endif + + // 2nd,4th, ... +#ifndef ___NUM_OF_ROUNDS_56 + for(int i=0;i<20;i++) +#else + for(int i=0;i<28;i++) +#endif + { + c0 = *pRC++; + c1 = *pRC++; + c1 <<= 8; + pRC += 2; + PERMUTATION_TK3(c0, c1); + } + +} + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/skinny_main.c b/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/skinny_main.c new file mode 100644 index 0000000..74222ee --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1+/opt32_NEC/skinny_main.c 
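Review bot: The loop variant `RunEncryptionKeyScheduleTK3(uint32_t *roundKeys, unsigned char *pRC)` only reads through `pRC`, so it should take `const unsigned char *pRC`; that also lets the `RC` table in skinny_main.c become `const` instead of a writable global. The rewinds `pRC -= 78;` and `pRC -= 110;` are tied to the odd-pass consumption (4 + 19*4 and 4 + 27*4 bytes, landing back on the round-2 constant) but are written as bare numbers; a comment such as `/* back to RC[2]: odd pass consumed 4 + 19*4 bytes */`, or keeping the original table pointer and restarting from offset 2, would make the coupling to the loop counts visible. The two variants also have different signatures, which is what forces the conditional `extern` declaration in skinny_main.c; giving the unrolled variant the same two-argument signature (ignoring `pRC`) would remove that `#ifdef` from the caller.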
@@ -0,0 +1,537 @@ +/****************************************************************************** + * Copyright (c) 2020, NEC Corporation. + * + * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. + * + *****************************************************************************/ + +/* + * SKINNY-128-384 + * + * ART(TK1) -> store + * load AC(c0 c1) ^ TK3 ^ TK2 + * load TK1 + * calc AC(c0 c1) ^ TK3 ^ TK2 ^ TK1 -> use at (AC->ART) + * SC->SR->(AC->ART)->MC + * + * number of rounds : 40 or 56 + */ + +#include "skinny.h" + +/* + * S-BOX + */ +unsigned char SBOX[] += { + // Original + 0x65, 0x4c, 0x6a, 0x42, 0x4b, 0x63, 0x43, 0x6b, 0x55, 0x75, 0x5a, 0x7a, 0x53, 0x73, 0x5b, 0x7b, + 0x35, 0x8c, 0x3a, 0x81, 0x89, 0x33, 0x80, 0x3b, 0x95, 0x25, 0x98, 0x2a, 0x90, 0x23, 0x99, 0x2b, + 0xe5, 0xcc, 0xe8, 0xc1, 0xc9, 0xe0, 0xc0, 0xe9, 0xd5, 0xf5, 0xd8, 0xf8, 0xd0, 0xf0, 0xd9, 0xf9, + 0xa5, 0x1c, 0xa8, 0x12, 0x1b, 0xa0, 0x13, 0xa9, 0x05, 0xb5, 0x0a, 0xb8, 0x03, 0xb0, 0x0b, 0xb9, + 0x32, 0x88, 0x3c, 0x85, 0x8d, 0x34, 0x84, 0x3d, 0x91, 0x22, 0x9c, 0x2c, 0x94, 0x24, 0x9d, 0x2d, + 0x62, 0x4a, 0x6c, 0x45, 0x4d, 0x64, 0x44, 0x6d, 0x52, 0x72, 0x5c, 0x7c, 0x54, 0x74, 0x5d, 0x7d, + 0xa1, 0x1a, 0xac, 0x15, 0x1d, 0xa4, 0x14, 0xad, 0x02, 0xb1, 0x0c, 0xbc, 0x04, 0xb4, 0x0d, 0xbd, + 0xe1, 0xc8, 0xec, 0xc5, 0xcd, 0xe4, 0xc4, 0xed, 0xd1, 0xf1, 0xdc, 0xfc, 0xd4, 0xf4, 0xdd, 0xfd, + 0x36, 0x8e, 0x38, 0x82, 0x8b, 0x30, 0x83, 0x39, 0x96, 0x26, 0x9a, 0x28, 0x93, 0x20, 0x9b, 0x29, + 0x66, 0x4e, 0x68, 0x41, 0x49, 0x60, 0x40, 0x69, 0x56, 0x76, 0x58, 0x78, 0x50, 0x70, 0x59, 0x79, + 0xa6, 0x1e, 0xaa, 0x11, 0x19, 0xa3, 0x10, 0xab, 0x06, 0xb6, 0x08, 0xba, 0x00, 0xb3, 0x09, 0xbb, + 0xe6, 0xce, 0xea, 0xc2, 0xcb, 0xe3, 0xc3, 0xeb, 0xd6, 0xf6, 0xda, 0xfa, 0xd3, 0xf3, 0xdb, 0xfb, + 0x31, 0x8a, 0x3e, 0x86, 0x8f, 0x37, 0x87, 0x3f, 0x92, 0x21, 0x9e, 0x2e, 0x97, 0x27, 0x9f, 0x2f, + 0x61, 0x48, 0x6e, 0x46, 0x4f, 0x67, 0x47, 0x6f, 0x51, 0x71, 0x5e, 0x7e, 0x57, 0x77, 0x5f, 0x7f, + 0xa2, 0x18, 0xae, 
0x16, 0x1f, 0xa7, 0x17, 0xaf, 0x01, 0xb2, 0x0e, 0xbe, 0x07, 0xb7, 0x0f, 0xbf, + 0xe2, 0xca, 0xee, 0xc6, 0xcf, 0xe7, 0xc7, 0xef, 0xd2, 0xf2, 0xde, 0xfe, 0xd7, 0xf7, 0xdf, 0xff, +}; + + /* + * S-BOX ^ AC(c2) + */ +unsigned char SBOX2[] += { // Original ^ c2(0x02) + 0x67, 0x4e, 0x68, 0x40, 0x49, 0x61, 0x41, 0x69, 0x57, 0x77, 0x58, 0x78, 0x51, 0x71, 0x59, 0x79, + 0x37, 0x8e, 0x38, 0x83, 0x8b, 0x31, 0x82, 0x39, 0x97, 0x27, 0x9a, 0x28, 0x92, 0x21, 0x9b, 0x29, + 0xe7, 0xce, 0xea, 0xc3, 0xcb, 0xe2, 0xc2, 0xeb, 0xd7, 0xf7, 0xda, 0xfa, 0xd2, 0xf2, 0xdb, 0xfb, + 0xa7, 0x1e, 0xaa, 0x10, 0x19, 0xa2, 0x11, 0xab, 0x07, 0xb7, 0x08, 0xba, 0x01, 0xb2, 0x09, 0xbb, + 0x30, 0x8a, 0x3e, 0x87, 0x8f, 0x36, 0x86, 0x3f, 0x93, 0x20, 0x9e, 0x2e, 0x96, 0x26, 0x9f, 0x2f, + 0x60, 0x48, 0x6e, 0x47, 0x4f, 0x66, 0x46, 0x6f, 0x50, 0x70, 0x5e, 0x7e, 0x56, 0x76, 0x5f, 0x7f, + 0xa3, 0x18, 0xae, 0x17, 0x1f, 0xa6, 0x16, 0xaf, 0x00, 0xb3, 0x0e, 0xbe, 0x06, 0xb6, 0x0f, 0xbf, + 0xe3, 0xca, 0xee, 0xc7, 0xcf, 0xe6, 0xc6, 0xef, 0xd3, 0xf3, 0xde, 0xfe, 0xd6, 0xf6, 0xdf, 0xff, + 0x34, 0x8c, 0x3a, 0x80, 0x89, 0x32, 0x81, 0x3b, 0x94, 0x24, 0x98, 0x2a, 0x91, 0x22, 0x99, 0x2b, + 0x64, 0x4c, 0x6a, 0x43, 0x4b, 0x62, 0x42, 0x6b, 0x54, 0x74, 0x5a, 0x7a, 0x52, 0x72, 0x5b, 0x7b, + 0xa4, 0x1c, 0xa8, 0x13, 0x1b, 0xa1, 0x12, 0xa9, 0x04, 0xb4, 0x0a, 0xb8, 0x02, 0xb1, 0x0b, 0xb9, + 0xe4, 0xcc, 0xe8, 0xc0, 0xc9, 0xe1, 0xc1, 0xe9, 0xd4, 0xf4, 0xd8, 0xf8, 0xd1, 0xf1, 0xd9, 0xf9, + 0x33, 0x88, 0x3c, 0x84, 0x8d, 0x35, 0x85, 0x3d, 0x90, 0x23, 0x9c, 0x2c, 0x95, 0x25, 0x9d, 0x2d, + 0x63, 0x4a, 0x6c, 0x44, 0x4d, 0x65, 0x45, 0x6d, 0x53, 0x73, 0x5c, 0x7c, 0x55, 0x75, 0x5d, 0x7d, + 0xa0, 0x1a, 0xac, 0x14, 0x1d, 0xa5, 0x15, 0xad, 0x03, 0xb0, 0x0c, 0xbc, 0x05, 0xb5, 0x0d, 0xbd, + 0xe0, 0xc8, 0xec, 0xc4, 0xcd, 0xe5, 0xc5, 0xed, 0xd0, 0xf0, 0xdc, 0xfc, 0xd5, 0xf5, 0xdd, 0xfd, +}; + +#ifdef ___SKINNY_LOOP +/* + * Round Constants + */ +unsigned char RC[] += { + 0x01, 0x00, 0x03, 0x00, 0x07, 0x00, 0x0f, 0x00, 0x0f, 0x01, 0x0e, 0x03, 0x0d, 0x03, 
0x0b, 0x03, + 0x07, 0x03, 0x0f, 0x02, 0x0e, 0x01, 0x0c, 0x03, 0x09, 0x03, 0x03, 0x03, 0x07, 0x02, 0x0e, 0x00, + 0x0d, 0x01, 0x0a, 0x03, 0x05, 0x03, 0x0b, 0x02, 0x06, 0x01, 0x0c, 0x02, 0x08, 0x01, 0x00, 0x03, + 0x01, 0x02, 0x02, 0x00, 0x05, 0x00, 0x0b, 0x00, 0x07, 0x01, 0x0e, 0x02, 0x0c, 0x01, 0x08, 0x03, + 0x01, 0x03, 0x03, 0x02, 0x06, 0x00, 0x0d, 0x00, 0x0b, 0x01, 0x06, 0x03, 0x0d, 0x02, 0x0a, 0x01, +#ifdef ___NUM_OF_ROUNDS_56 + 0x04, 0x03, 0x09, 0x02, 0x02, 0x01, 0x04, 0x02, 0x08, 0x00, 0x01, 0x01, 0x02, 0x02, 0x04, 0x00, + 0x09, 0x00, 0x03, 0x01, 0x06, 0x02, 0x0c, 0x00, 0x09, 0x01, 0x02, 0x03, 0x05, 0x02, 0x0a, 0x00, +#endif + }; +#endif + +extern void Encrypt(unsigned char *block, uint32_t *roundKeys, unsigned char *sbox, unsigned char *sbox2); +extern void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys); +#ifdef ___SKINNY_LOOP +extern void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys, unsigned char *pRC); +#else +extern void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys); +#endif + +void skinny_128_384_enc123_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K) +{ + uint32_t *pt = &pskinny_ctrl->roundKeys[0]; +#ifndef ___ENABLE_WORD_CAST + pack_word(CNT[0], CNT[1], CNT[2], CNT[3], pt[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pack_word(T[0], T[1], T[2], T[3], pt[4]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pack_word(T[8], T[9], T[10], T[11], pt[6]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); + + pack_word(K[0], K[1], K[2], K[3], pt[8]); + pack_word(K[7], K[4], K[5], K[6], pt[9]); + pack_word(K[8], K[9], K[10], K[11], pt[10]); + pack_word(K[15], K[12], K[13], K[14], pt[11]); +#else + pt[0] = *(uint32_t*)(&CNT[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pt[4] = *(uint32_t*)(&T[0]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pt[6] = *(uint32_t*)(&T[8]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); + + pt[8] = *(uint32_t*)(&K[0]); + 
pack_word(K[7], K[4], K[5], K[6], pt[9]); + pt[10] = *(uint32_t*)(&K[8]); + pack_word(K[15], K[12], K[13], K[14], pt[11]); +#endif + +#ifdef ___SKINNY_LOOP + RunEncryptionKeyScheduleTK3(pskinny_ctrl->roundKeys, RC); +#else + RunEncryptionKeyScheduleTK3(pskinny_ctrl->roundKeys); +#endif + RunEncryptionKeyScheduleTK2(pskinny_ctrl->roundKeys); + Encrypt(input, pskinny_ctrl->roundKeys, SBOX, SBOX2); + + pskinny_ctrl->func_skinny_128_384_enc = skinny_128_384_enc12_12; + +} + +void skinny_128_384_enc12_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K) +{ + (void)K; + + uint32_t *pt = &pskinny_ctrl->roundKeys[0]; +#ifndef ___ENABLE_WORD_CAST + pack_word(CNT[0], CNT[1], CNT[2], CNT[3], pt[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pack_word(T[0], T[1], T[2], T[3], pt[4]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pack_word(T[8], T[9], T[10], T[11], pt[6]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); +#else + pt[0] = *(uint32_t*)(&CNT[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pt[4] = *(uint32_t*)(&T[0]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pt[6] = *(uint32_t*)(&T[8]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); +#endif + + RunEncryptionKeyScheduleTK2(pskinny_ctrl->roundKeys); + Encrypt(input, pskinny_ctrl->roundKeys, SBOX, SBOX2); + +} + +extern void skinny_128_384_enc1_1 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K) +{ + (void)T; + (void)K; + + uint32_t *pt = &pskinny_ctrl->roundKeys[0]; +#ifndef ___ENABLE_WORD_CAST + pack_word(CNT[0], CNT[1], CNT[2], CNT[3], pt[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); +#else + pt[0] = *(uint32_t*)(&CNT[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); +#endif + + Encrypt(input, pskinny_ctrl->roundKeys, SBOX, SBOX2); + +} + +#define PERMUTATION_TK1() \ +/* permutation */ \ + \ + PERMUTATION(); \ + \ + /* store */ \ + \ + *tk1++ = 
w0; \ + *tk1++ = w1; + +#define SBOX_0(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox[t0]; \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0) ^ \ + (t1 << 8) ^ \ + (t2 << 16) ^ \ + (t3 << 24); + +#define SBOX_8(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox[t0]; \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0 << 8) ^ \ + (t1 << 16) ^ \ + (t2 << 24) ^ \ + (t3); + +#define SBOX_16(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox2[t0]; /* AC(c2) */ \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0 << 16) ^ \ + (t1 << 24) ^ \ + (t2) ^ \ + (t3 << 8); + +#define SBOX_24(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox[t0]; \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0 << 24) ^ \ + (t1) ^ \ + (t2 << 8) ^ \ + (t3 << 16); + +#define SKINNY_MAIN() \ + \ + /* odd */ \ + \ + /* LUT(with ShiftRows) */ \ + \ + SBOX_0(w0); \ + SBOX_8(w1); \ + SBOX_16(w2); \ + SBOX_24(w3); \ + \ + /* LUT(with ShiftRows & AC(c2) */ \ + \ + w0 ^= *tk2++; \ + w1 ^= *tk2++; \ + \ + /* Load TK1 */ \ + \ + w0 ^= *tk1++; \ + w1 ^= *tk1++; \ + \ + /* MC */ \ + /* 0 2 3 */ \ + /* 0 */ \ + /* 1 2 */ \ + /* 0 2 */ \ + \ + /* 0^2 */ \ + t0 = w0 ^ w2; \ + \ + /* 1^2 */ \ + w2 = w1 ^ w2; \ + \ + /* 0 */ \ + w1 = w0; \ + \ + /* 0^2^3 */ \ + w0 = t0 ^ w3; \ + \ + /* 0^2 */ \ + w3 = t0; \ + \ + /* even */ \ + \ + /* LUT(with ShiftRows & AC(c2) */ \ + \ + SBOX_0(w0); \ + SBOX_8(w1); \ + SBOX_16(w2); \ + SBOX_24(w3); \ + \ + /* Load TK2^TK3^AC(c0 c1) */ \ + \ + w0 ^= *tk2++; \ + w1 ^= *tk2++; \ + \ + /* MC */ \ + /* 0 2 3 */ \ + /* 0 */ \ + /* 1 2 */ \ + /* 0 2 */ \ + \ + /* 0^2 */ \ + t0 = w0 ^ w2; \ + \ + /* 1^2 */ \ + w2 = w1 ^ w2; \ + \ 
+ /* 0 */ \ + w1 = w0; \ + \ + /* 0^2^3 */ \ + w0 = t0 ^ w3; \ + \ + /* 0^2 */ \ + w3 = t0; + +#ifndef ___SKINNY_LOOP + +void Encrypt(unsigned char *block, uint32_t *roundKeys, unsigned char *sbox, unsigned char *sbox2) +{ + uint32_t *tk1; + uint32_t *tk2; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t t3; // used in MACRO + uint32_t w0; + uint32_t w1; + uint32_t w2; + uint32_t w3; + +// TK1 + + // load master key + w0 = roundKeys[0]; + w1 = roundKeys[1]; + + // 1st round + // not need to store + + tk1 = &roundKeys[2]; + + // 2nd, ... ,8th round + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + +// SB+AC+ShR+MC + +#ifndef ___ENABLE_WORD_CAST + pack_word(block[0], block[1], block[2], block[3], w0); + pack_word(block[4], block[5], block[6], block[7], w1); + pack_word(block[8], block[9], block[10], block[11], w2); + pack_word(block[12], block[13], block[14], block[15], w3); +#else + w0 = *(uint32_t*)(&block[0]); + w1 = *(uint32_t*)(&block[4]); + w2 = *(uint32_t*)(&block[8]); + w3 = *(uint32_t*)(&block[12]); +#endif + + tk2 = &roundKeys[16]; + tk1 = &roundKeys[0]; + + // 1st, ...,16th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + + tk1 = &roundKeys[0]; + + // 17th, ...,32th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + + tk1 = &roundKeys[0]; + + // 33th, ...,40th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 41th, ...,48th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + + tk1 = &roundKeys[0]; + + // 49th, ... 
,56th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + +#endif + +#ifndef ___ENABLE_WORD_CAST + unpack_word(block[0], block[1], block[2], block[3], w0); + unpack_word(block[4], block[5], block[6], block[7], w1); + unpack_word(block[8], block[9], block[10], block[11], w2); + unpack_word(block[12], block[13], block[14], block[15], w3); +#else + *(uint32_t*)(&block[0]) = w0; + *(uint32_t*)(&block[4]) = w1; + *(uint32_t*)(&block[8]) = w2; + *(uint32_t*)(&block[12]) = w3; +#endif + +} + +#else + +void Encrypt(unsigned char *block, uint32_t *roundKeys, unsigned char *sbox, unsigned char *sbox2) +{ + uint32_t *tk1; + uint32_t *tk2; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t t3; // used in MACRO + uint32_t w0; + uint32_t w1; + uint32_t w2; + uint32_t w3; + +// TK1 + + // load master key + w0 = roundKeys[0]; + w1 = roundKeys[1]; + + // 1st round + // not need to store + + tk1 = &roundKeys[2]; + + // 2nd, ... ,8th round + for(int i=0;i<7;i++) + { + PERMUTATION_TK1(); + } + +// SB+AC+ShR+MC + +#ifndef ___ENABLE_WORD_CAST + pack_word(block[0], block[1], block[2], block[3], w0); + pack_word(block[4], block[5], block[6], block[7], w1); + pack_word(block[8], block[9], block[10], block[11], w2); + pack_word(block[12], block[13], block[14], block[15], w3); +#else + w0 = *(uint32_t*)(&block[0]); + w1 = *(uint32_t*)(&block[4]); + w2 = *(uint32_t*)(&block[8]); + w3 = *(uint32_t*)(&block[12]); +#endif + + tk2 = &roundKeys[16]; + + // 1st, ... ,32th or 48th round +#ifndef ___NUM_OF_ROUNDS_56 + for(int j=0;j<2;j++) +#else + for(int j=0;j<3;j++) +#endif + { + tk1 = &roundKeys[0]; + for(int i=0;i<8;i++) + { + SKINNY_MAIN(); + } + } + + // 33th , ... ,40th or 49th, .... 
,56th round + { + tk1 = &roundKeys[0]; + for(int i=0;i<4;i++) + { + SKINNY_MAIN(); + } + } +#ifndef ___ENABLE_WORD_CAST + unpack_word(block[0], block[1], block[2], block[3], w0); + unpack_word(block[4], block[5], block[6], block[7], w1); + unpack_word(block[8], block[9], block[10], block[11], w2); + unpack_word(block[12], block[13], block[14], block[15], w3); +#else + *(uint32_t*)(&block[0]) = w0; + *(uint32_t*)(&block[4]) = w1; + *(uint32_t*)(&block[8]) = w2; + *(uint32_t*)(&block[12]) = w3; +#endif + +} + +#endif diff --git a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/aead-common.c b/romulus/Implementations/crypto_aead/romulusn1+/rhys/aead-common.c similarity index 100% rename from drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/aead-common.c rename to romulus/Implementations/crypto_aead/romulusn1+/rhys/aead-common.c diff --git a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/aead-common.h b/romulus/Implementations/crypto_aead/romulusn1+/rhys/aead-common.h similarity index 100% rename from drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/aead-common.h rename to romulus/Implementations/crypto_aead/romulusn1+/rhys/aead-common.h diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/api.h b/romulus/Implementations/crypto_aead/romulusn1+/rhys/api.h similarity index 100% rename from ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/api.h rename to romulus/Implementations/crypto_aead/romulusn1+/rhys/api.h diff --git a/ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/encrypt.c b/romulus/Implementations/crypto_aead/romulusn1+/rhys/encrypt.c similarity index 86% rename from ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/encrypt.c rename to romulus/Implementations/crypto_aead/romulusn1+/rhys/encrypt.c index 4f35480..caf0c3f 100644 --- a/ascon/Implementations/crypto_aead/ascon128av12/rhys-avr/encrypt.c +++ b/romulus/Implementations/crypto_aead/romulusn1+/rhys/encrypt.c 
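Review bot: `SBOX[]`, `SBOX2[]` and `RC[]` are defined as non-`static`, non-`const` arrays, so the cipher's S-boxes live in writable memory under generic exported names; `static const unsigned char SBOX[] = {` (likewise for the other two, with `Encrypt`'s `sbox`/`sbox2` parameters becoming `const unsigned char *`) puts them in read-only storage and keeps a stray write elsewhere in the program from silently altering the cipher. The definition `extern void skinny_128_384_enc1_1 (...) { ... }` carries `extern` on a function definition, unlike its two siblings; drop it for consistency. The round function indexes `sbox[t0]` with key- and data-derived bytes, so this implementation's memory access pattern is data-dependent; if constant-time execution is not a goal here, a sentence in the file header saying so would save the next reader from assuming otherwise. The `#ifdef ___ENABLE_WORD_CAST` branches such as `pt[0] = *(uint32_t*)(&CNT[0]);` read callers' `unsigned char` buffers as `uint32_t`, which assumes little-endian order and an alignment that `pack_word` does not need; a one-line comment at the first such use would record that.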
@@ -1,5 +1,4 @@ - -#include "ascon128.h" +#include "romulus.h" int crypto_aead_encrypt (unsigned char *c, unsigned long long *clen, @@ -9,7 +8,7 @@ int crypto_aead_encrypt const unsigned char *npub, const unsigned char *k) { - return ascon128a_aead_encrypt + return romulus_n1_aead_encrypt (c, clen, m, mlen, ad, adlen, nsec, npub, k); } @@ -21,6 +20,6 @@ int crypto_aead_decrypt const unsigned char *npub, const unsigned char *k) { - return ascon128a_aead_decrypt + return romulus_n1_aead_decrypt (m, mlen, nsec, c, clen, ad, adlen, npub, k); } diff --git a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-skinny128-avr.S b/romulus/Implementations/crypto_aead/romulusn1+/rhys/internal-skinny128-avr.S similarity index 100% rename from romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-skinny128-avr.S rename to romulus/Implementations/crypto_aead/romulusn1+/rhys/internal-skinny128-avr.S index d342cd5..0fafa4e 100644 --- a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-skinny128-avr.S +++ b/romulus/Implementations/crypto_aead/romulusn1+/rhys/internal-skinny128-avr.S @@ -3217,7 +3217,7 @@ skinny_128_384_encrypt: eor r19,r9 eor r20,r10 eor r21,r11 - cpi r26,112 + cpi r26,80 brne 5721f rjmp 790f 5721: @@ -3672,7 +3672,7 @@ skinny_128_384_decrypt: push r0 out _SFR_IO_ADDR(RAMPZ),r26 #endif - ldi r26,28 + ldi r26,20 ldd r12,Y+17 ldd r13,Y+18 ldd r14,Y+19 @@ -3780,7 +3780,7 @@ skinny_128_384_decrypt: std Y+22,r25 std Y+23,r16 std Y+24,r17 - ldi r26,28 + ldi r26,20 ldd r12,Y+25 ldd r13,Y+26 ldd r14,Y+27 @@ -3894,7 +3894,7 @@ skinny_128_384_decrypt: ldi r26,hh8(table_3) out _SFR_IO_ADDR(RAMPZ),r26 #endif - ldi r26,28 + ldi r26,20 ldd r12,Y+33 ldd r13,Y+34 ldd r14,Y+35 @@ -4002,7 +4002,7 @@ skinny_128_384_decrypt: std Y+38,r25 std Y+39,r16 std Y+40,r17 - ldi r26,28 + ldi r26,20 ldd r12,Y+41 ldd r13,Y+42 ldd r14,Y+43 
@@ -4110,7 +4110,7 @@ skinny_128_384_decrypt: std Y+46,r25 std Y+47,r16 std Y+48,r17 - ldi r26,112 + ldi r26,80 227: ldd r12,Y+1 ldd r13,Y+2 diff --git a/romulus/Implementations/crypto_aead/romulusn1+/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusn1+/rhys/internal-skinny128.c new file mode 100644 index 0000000..cb1fbda --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1+/rhys/internal-skinny128.c 
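Review bot: The loop counters lowered here and in the preceding skinny_128_384_encrypt/skinny_128_384_decrypt hunks (`cpi r26,112` → `cpi r26,80`, `ldi r26,28` → `ldi r26,20`) scale exactly as 56 → 40 rounds, yet the new internal-skinny128.h added later in this commit still says `#define SKINNY_128_384_ROUNDS 56` and the non-AVR C code in internal-skinny128.c loops SKINNY_128_384_ROUNDS times. If the "+" variant is meant to use a 40-round SKINNY-128-384, AVR and non-AVR builds of this directory would presumably produce different ciphertexts and fail to interoperate; if 56 is intended, the assembly change itself looks wrong. Please confirm the intended round count and make the header agree (e.g. `#define SKINNY_128_384_ROUNDS 40`), bearing in mind that the small-schedule decrypt's initial `rc` value in the C file is also derived from the round count. The enclosing assembly routines start and end outside these hunks.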
@@ -0,0 +1,801 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +#if !defined(__AVR__) + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. 
+ * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) +{ +#if !SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); + memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); +#else + /* Set the initial states of TK1, TK2, and TK3 */ + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. 
+ * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } +#endif +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else + const uint32_t *schedule = ks->k; +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; +#endif + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0x15; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 
+ 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_fast_forward_tk(TK2); + skinny128_fast_forward_tk(TK3); + for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { + /* Also fast-forward the LFSR's on every byte of TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + skinny128_LFSR3(TK3[2]); + skinny128_LFSR3(TK3[3]); + } +#endif + + /* Perform all decryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_inv_permute_tk(TK3); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); + skinny128_LFSR2(TK3[2]); + skinny128_LFSR2(TK3[3]); +#endif + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + 
le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK3[4]; + uint8_t rc = 0; +#else + const uint32_t *schedule = ks->k; +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. 
That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK3); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this 
round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) +{ +#if !SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); +#else + /* Set the initial states of TK1 and TK2 */ + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. 
+ * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } +#endif +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else + const uint32_t *schedule = ks->k; +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; +#endif + s2 ^= 0x02; + + /* Shift the cells in the rows right, which 
moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. 
+ * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + /* Also fast-forward the LFSR's on every byte of TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif + + /* Perform all decryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], 
unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. 
That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +#else /* __AVR__ */ + +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); +} + +#endif /* __AVR__ */ diff --git a/romulus/Implementations/crypto_aead/romulusn1+/rhys/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusn1+/rhys/internal-skinny128.h new file mode 100644 index 0000000..2bfda3c --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1+/rhys/internal-skinny128.h 
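Review bot: The small-schedule decrypt paths seed the round-constant LFSR with bare magic numbers, `uint8_t rc = 0x15;` in skinny_128_384_decrypt and `uint8_t rc = 0x09;` in skinny_128_256_decrypt, with no comment tying them to the round count. Stepping the LFSR from 0 with the update used on the encrypt side yields 0x15 after 56 steps and 0x09 after 48, so each value is the state one step past the last round and silently becomes wrong if SKINNY_128_384_ROUNDS or SKINNY_128_256_ROUNDS is ever changed (the AVR assembly in this same commit already alters its round loop counters). I would add `/* LFSR state after SKINNY_128_384_ROUNDS forward steps; regenerate if the round count changes */` beside the first initialiser and the matching comment for SKINNY_128_256_ROUNDS beside the second.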
@@ -0,0 +1,244 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNY128_H +#define LW_INTERNAL_SKINNY128_H + +/** + * \file internal-skinny128.h + * \brief SKINNY-128 block cipher family. + * + * References: https://eprint.iacr.org/2016/660.pdf, + * https://sites.google.com/site/skinnycipher/ + */ + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * \def SKINNY_128_SMALL_SCHEDULE + * \brief Defined to 1 to use the small key schedule version of SKINNY-128. + */ +#if defined(__AVR__) +#define SKINNY_128_SMALL_SCHEDULE 1 +#else +#define SKINNY_128_SMALL_SCHEDULE 0 +#endif + +/** + * \brief Size of a block for SKINNY-128 block ciphers. + */ +#define SKINNY_128_BLOCK_SIZE 16 + +/** + * \brief Number of rounds for SKINNY-128-384. 
+ */ +#define SKINNY_128_384_ROUNDS 56 + +/** + * \brief Structure of the key schedule for SKINNY-128-384. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; + + /** TK3 for the small key schedule */ + uint8_t TK3[16]; +#else + /** Words of the full key schedule */ + uint32_t k[SKINNY_128_384_ROUNDS * 2]; +#endif + +} skinny_128_384_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-384. + * + * \param ks Points to the key schedule to initialize. + * \param key Points to the key data. + */ +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-384. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly + * provided TK2 value. + * + * \param ks Points to the SKINNY-128-384 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. 
+ * \param input Input buffer which must be at least 16 bytes in length. + * \param tk2 TK2 value that should be updated on the fly. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when both TK1 and TK2 change from block to block. + * When the key is initialized with skinny_128_384_init(), the TK2 part of + * the key value should be set to zero. + * + * \note Some versions of this function may modify the key schedule to + * copy tk2 into place. + */ +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-384 and a + * fully specified tweakey value. + * + * \param key Points to the 384-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-384 but + * more memory-efficient. + */ +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input); + +/** + * \brief Number of rounds for SKINNY-128-256. + */ +#define SKINNY_128_256_ROUNDS 48 + +/** + * \brief Structure of the key schedule for SKINNY-128-256. + */ +typedef struct +{ + /** TK1 for the tweakable part of the key schedule */ + uint8_t TK1[16]; + +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; +#else + /** Words of the full key schedule */ + uint32_t k[SKINNY_128_256_ROUNDS * 2]; +#endif + +} skinny_128_256_key_schedule_t; + +/** + * \brief Initializes the key schedule for SKINNY-128-256. + * + * \param ks Points to the key schedule to initialize. 
+ * \param key Points to the key data. + */ +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Decrypts a 128-bit block with SKINNY-128-256. + * + * \param ks Points to the SKINNY-128-256 key schedule. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + */ +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input); + +/** + * \brief Encrypts a 128-bit block with SKINNY-128-256 and a + * fully specified tweakey value. + * + * \param key Points to the 256-bit tweakey value. + * \param output Output buffer which must be at least 16 bytes in length. + * \param input Input buffer which must be at least 16 bytes in length. + * + * The \a input and \a output buffers can be the same buffer for + * in-place encryption. + * + * This version is useful when the entire tweakey changes from block to + * block. It is slower than the other versions of SKINNY-128-256 but + * more memory-efficient. + */ +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input); + +#ifdef __cplusplus +} +#endif + +#endif 
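Review bot: The doc comments on `skinny_128_384_decrypt` and `skinny_128_256_decrypt` were copied from the encrypt declarations and still end with "The \a input and \a output buffers can be the same buffer for in-place encryption."; for the two decrypt functions that should read `in-place decryption`. The `\note` on skinny_128_384_encrypt_tk2 would also be more useful if it stated the concrete effect shown in internal-skinny128.c: on AVR builds the call overwrites `ks->TK2` with the \a tk2 argument, so after the call the schedule no longer holds the TK2 that skinny_128_384_init stored, and a subsequent skinny_128_384_encrypt on the same schedule uses the new value.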
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusn1+/rhys/internal-skinnyutil.h similarity index 100% rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-skinnyutil.h rename to romulus/Implementations/crypto_aead/romulusn1+/rhys/internal-skinnyutil.h diff --git a/drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/internal-util.h b/romulus/Implementations/crypto_aead/romulusn1+/rhys/internal-util.h similarity index 100% rename from drygascon/Implementations/crypto_hash/drygascon256/rhys-avr/internal-util.h rename to romulus/Implementations/crypto_aead/romulusn1+/rhys/internal-util.h diff --git a/romulus/Implementations/crypto_aead/romulusn1+/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusn1+/rhys/romulus.c new file mode 100644 index 0000000..bb19cc5 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1+/rhys/romulus.c 
@@ -0,0 +1,1974 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "romulus.h"
+#include "internal-skinny128.h"
+#include "internal-util.h"
+#include
+
+aead_cipher_t const romulus_n1_cipher = {
+ "Romulus-N1",
+ ROMULUS_KEY_SIZE,
+ ROMULUS1_NONCE_SIZE,
+ ROMULUS_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ romulus_n1_aead_encrypt,
+ romulus_n1_aead_decrypt
+};
+
+aead_cipher_t const romulus_n2_cipher = {
+ "Romulus-N2",
+ ROMULUS_KEY_SIZE,
+ ROMULUS2_NONCE_SIZE,
+ ROMULUS_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ romulus_n2_aead_encrypt,
+ romulus_n2_aead_decrypt
+};
+
+aead_cipher_t const romulus_n3_cipher = {
+ "Romulus-N3",
+ ROMULUS_KEY_SIZE,
+ ROMULUS3_NONCE_SIZE,
+ ROMULUS_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ romulus_n3_aead_encrypt,
+ romulus_n3_aead_decrypt
+};
+
+aead_cipher_t const romulus_m1_cipher = {
+ "Romulus-M1",
+ ROMULUS_KEY_SIZE,
+ ROMULUS1_NONCE_SIZE,
+ ROMULUS_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ romulus_m1_aead_encrypt,
+ romulus_m1_aead_decrypt
+};
+
+aead_cipher_t const romulus_m2_cipher = {
+ "Romulus-M2",
+ ROMULUS_KEY_SIZE,
+ ROMULUS2_NONCE_SIZE,
+ ROMULUS_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ romulus_m2_aead_encrypt,
+ romulus_m2_aead_decrypt
+};
+
+aead_cipher_t const romulus_m3_cipher = {
+ "Romulus-M3",
+ ROMULUS_KEY_SIZE,
+ ROMULUS3_NONCE_SIZE,
+ ROMULUS_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ romulus_m3_aead_encrypt,
+ romulus_m3_aead_decrypt
+};
+
+/**
+ * \brief Limit on the number of bytes of message or associated data (128Mb).
+ *
+ * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for
+ * payloads well into the petabyte range. It is unlikely that an embedded
+ * device will have that much memory to store a contiguous packet!
+ *
+ * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper
+ * 24 bits are difficult to modify in the key schedule. So we only
+ * update the low 24 bits and leave the high 24 bits fixed.
+ *
+ * Romulus-N3 and Romulus-M3 use a 24-bit block counter.
+ *
+ * For all algorithms, we limit the block counter to 2^23 so that the block
+ * counter can never exceed 2^24 - 1.
+ */
+#define ROMULUS_DATA_LIMIT \
+ ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE))
+
+/**
+ * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1.
+ *
+ * \param ks Points to the key schedule to initialize.
+ * \param k Points to the 16 bytes of the key.
+ * \param npub Points to the 16 bytes of the nonce. May be NULL
+ * if the nonce will be updated on the fly.
+ */
+static void romulus1_init
+ (skinny_128_384_key_schedule_t *ks,
+ const unsigned char *k, const unsigned char *npub)
+{
+ unsigned char TK[48];
+ TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */
+ memset(TK + 1, 0, 15);
+ if (npub)
+ memcpy(TK + 16, npub, 16);
+ else
+ memset(TK + 16, 0, 16);
+ memcpy(TK + 32, k, 16);
+ skinny_128_384_init(ks, TK);
+}
+
+/**
+ * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2.
+ *
+ * \param ks Points to the key schedule to initialize.
+ * \param k Points to the 16 bytes of the key.
+ * \param npub Points to the 12 bytes of the nonce. May be NULL
+ * if the nonce will be updated on the fly.
+ */
+static void romulus2_init
+ (skinny_128_384_key_schedule_t *ks,
+ const unsigned char *k, const unsigned char *npub)
+{
+ unsigned char TK[48];
+ TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */
+ if (npub) {
+ TK[1] = TK[2] = TK[3] = 0;
+ memcpy(TK + 4, npub, 12);
+ } else {
+ memset(TK + 1, 0, 15);
+ }
+ memcpy(TK + 16, k, 16);
+ TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */
+ memset(TK + 33, 0, 15);
+ skinny_128_384_init(ks, TK);
+}
+
+/**
+ * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3.
+ *
+ * \param ks Points to the key schedule to initialize.
+ * \param k Points to the 16 bytes of the key.
+ * \param npub Points to the 12 bytes of the nonce. May be NULL
+ * if the nonce will be updated on the fly.
+ */
+static void romulus3_init
+ (skinny_128_256_key_schedule_t *ks,
+ const unsigned char *k, const unsigned char *npub)
+{
+ unsigned char TK[32];
+ TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */
+ if (npub) {
+ TK[1] = TK[2] = TK[3] = 0;
+ memcpy(TK + 4, npub, 12);
+ } else {
+ memset(TK + 1, 0, 15);
+ }
+ memcpy(TK + 16, k, 16);
+ skinny_128_256_init(ks, TK);
+}
+
+/**
+ * \brief Sets the domain separation value for Romulus-N1 and M1.
+ *
+ * \param ks The key schedule to set the domain separation value into.
+ * \param domain The domain separation value.
+ */
+#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain))
+
+/**
+ * \brief Sets the domain separation value for Romulus-N2 and M2.
+ *
+ * \param ks The key schedule to set the domain separation value into.
+ * \param domain The domain separation value.
+ */
+#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain))
+
+/**
+ * \brief Sets the domain separation value for Romulus-N3 and M3.
+ *
+ * \param ks The key schedule to set the domain separation value into.
+ * \param domain The domain separation value.
+ */
+#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain))
+
+/**
+ * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1.
+ *
+ * \param TK1 Points to the TK1 part of the key schedule containing the LFSR.
+ */
+STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16])
+{
+ uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7);
+ TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7);
+ TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7);
+ TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7);
+ TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7);
+ TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7);
+ TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7);
+ TK1[0] = (TK1[0] << 1) ^ (mask & 0x95);
+}
+
+/**
+ * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2.
+ *
+ * \param TK1 Points to the TK1 part of the key schedule containing the LFSR.
+ * + * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of + * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT. + */ +STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16]) +{ + uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7); + TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); + TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); + TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B); +} + +/** + * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3. + * + * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. + */ +#define romulus3_update_counter(TK1) romulus2_update_counter((TK1)) + +/** + * \brief Process the asssociated data for Romulus-N1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + skinny_128_384_encrypt_tk2(ks, S, S, npub); + return; + } + + /* Process all double blocks except the last */ + romulus1_set_domain(ks, 0x08); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Pad and process the left-over blocks */ + romulus1_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 32) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x18); + } else if (temp > 16) { + /* Left-over partial double 
block */ + unsigned char pad[16]; + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, 15 - temp); + pad[15] = temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + romulus1_set_domain(ks, 0x1A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus1_set_domain(ks, 0x18); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus1_set_domain(ks, 0x1A); + } + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for Romulus-N2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus2_set_domain(ks, 0x48); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus2_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x58); + } else if (temp > 16) { + /* Left-over 
partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + romulus2_set_domain(ks, 0x5A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus2_set_domain(ks, 0x58); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus2_set_domain(ks, 0x5A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-N3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + */ +static void romulus_n3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen) +{ + unsigned char temp; + + /* Handle the special case of no associated data */ + if (adlen == 0) { + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); + return; + } + + /* Process all double blocks except the last */ + romulus3_set_domain(ks, 0x88); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Pad and process the left-over blocks */ + romulus3_update_counter(ks->TK1); + temp = (unsigned)adlen; + if (temp == 28) { + /* Left-over complete double block */ + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x98); + } else if (temp > 
16) { + /* Left-over partial double block */ + temp -= 16; + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp); + ks->TK1[15] = temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + romulus3_set_domain(ks, 0x9A); + } else if (temp == 16) { + /* Left-over complete single block */ + lw_xor_block(S, ad, temp); + romulus3_set_domain(ks, 0x98); + } else { + /* Left-over partial single block */ + lw_xor_block(S, ad, temp); + S[15] ^= temp; + romulus3_set_domain(ks, 0x9A); + } + memcpy(ks->TK1 + 4, npub, 12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Determine the domain separation value to use on the last + * block of the associated data processing. + * + * \param adlen Length of the associated data in bytes. + * \param mlen Length of the message in bytes. + * \param t Size of the second half of a double block; 12 or 16. + * + * \return The domain separation bits to use to finalize the last block. + */ +static uint8_t romulus_m_final_ad_domain + (unsigned long long adlen, unsigned long long mlen, unsigned t) +{ + uint8_t domain = 0; + unsigned split = 16U; + unsigned leftover; + + /* Determine which domain bits we need based on the length of the ad */ + if (adlen == 0) { + /* No associated data, so only 1 block with padding */ + domain ^= 0x02; + split = t; + } else { + /* Even or odd associated data length? 
*/ + leftover = (unsigned)(adlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x08; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x02; + split = t; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x0A; + } else { + /* Odd with a full single block at the end */ + split = t; + } + } + + /* Determine which domain bits we need based on the length of the message */ + if (mlen == 0) { + /* No message, so only 1 block with padding */ + domain ^= 0x01; + } else { + /* Even or odd message length? */ + leftover = (unsigned)(mlen % (16U + t)); + if (leftover == 0) { + /* Even with a full double block at the end */ + domain ^= 0x04; + } else if (leftover < split) { + /* Odd with a partial single block at the end */ + domain ^= 0x01; + } else if (leftover > split) { + /* Even with a partial double block at the end */ + domain ^= 0x05; + } + } + return domain; +} + +/** + * \brief Process the asssociated data for Romulus-M1. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. 
+ */ +static void romulus_m1_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + unsigned char pad[16]; + uint8_t final_domain = 0x30; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16); + + /* Process all associated data double blocks except the last */ + romulus1_set_domain(ks, 0x28); + while (adlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + ad += 32; + adlen -= 32; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 32) { + /* Last associated data double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); + romulus1_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(pad, ad + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + romulus1_update_counter(ks->TK1); + } else { + /* Last associated data block is single. 
Needs to be combined + * with the first block of the message payload */ + romulus1_set_domain(ks, 0x2C); + romulus1_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + romulus1_update_counter(ks->TK1); + m += 16; + mlen -= 16; + } else if (mlen == 16) { + skinny_128_384_encrypt_tk2(ks, S, S, m); + m += 16; + mlen -= 16; + } else { + temp = (unsigned)mlen; + memcpy(pad, m, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus1_set_domain(ks, 0x2C); + while (mlen > 32) { + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + romulus1_update_counter(ks->TK1); + m += 32; + mlen -= 32; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 32) { + /* Last message double block is full */ + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + skinny_128_384_encrypt_tk2(ks, S, S, m + 16); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus1_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(pad, m + 16, temp); + memset(pad + temp, 0, sizeof(pad) - temp - 1); + pad[sizeof(pad) - 1] = (unsigned char)temp; + skinny_128_384_encrypt_tk2(ks, S, S, pad); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus1_set_domain(ks, final_domain); + romulus1_update_counter(ks->TK1); + skinny_128_384_encrypt_tk2(ks, S, S, npub); +} + +/** + * \brief Process the asssociated data for 
Romulus-M2. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m2_process_ad + (skinny_128_384_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0x70; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus2_set_domain(ks, 0x68); + while (adlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + } else { + /* Last associated data block is single. 
Needs to be combined + * with the first block of the message payload */ + romulus2_set_domain(ks, 0x6C); + romulus2_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_384_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus2_set_domain(ks, 0x6C); + while (mlen > 28) { + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + romulus2_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_384_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus2_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_384_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus2_set_domain(ks, final_domain); + romulus2_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 
12); + skinny_128_384_encrypt(ks, S, S); +} + +/** + * \brief Process the asssociated data for Romulus-M3. + * + * \param ks Points to the key schedule. + * \param S The rolling Romulus state. + * \param npub Points to the nonce. + * \param ad Points to the associated data. + * \param adlen Length of the associated data in bytes. + * \param m Points to the message plaintext. + * \param mlen Length of the message plaintext. + */ +static void romulus_m3_process_ad + (skinny_128_256_key_schedule_t *ks, + unsigned char S[16], const unsigned char *npub, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *m, unsigned long long mlen) +{ + uint8_t final_domain = 0xB0; + unsigned temp; + + /* Determine the domain separator to use on the final block */ + final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); + + /* Process all associated data double blocks except the last */ + romulus3_set_domain(ks, 0xA8); + while (adlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + ad += 28; + adlen -= 28; + } + + /* Process the last associated data double block */ + temp = (unsigned)adlen; + if (temp == 28) { + /* Last associated data double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else if (temp > 16) { + /* Last associated data double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, ad, 16); + memcpy(ks->TK1 + 4, ad + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + } else { + /* Last associated data block is single. 
Needs to be combined + * with the first block of the message payload */ + romulus3_set_domain(ks, 0xAC); + romulus3_update_counter(ks->TK1); + if (temp == 16) { + lw_xor_block(S, ad, 16); + } else { + lw_xor_block(S, ad, temp); + S[15] ^= (unsigned char)temp; + } + if (mlen > 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 12; + mlen -= 12; + } else if (mlen == 12) { + memcpy(ks->TK1 + 4, m, 12); + skinny_128_256_encrypt(ks, S, S); + m += 12; + mlen -= 12; + } else { + temp = (unsigned)mlen; + memcpy(ks->TK1 + 4, m, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + mlen = 0; + } + } + + /* Process all message double blocks except the last */ + romulus3_set_domain(ks, 0xAC); + while (mlen > 28) { + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + romulus3_update_counter(ks->TK1); + m += 28; + mlen -= 28; + } + + /* Process the last message double block */ + temp = (unsigned)mlen; + if (temp == 28) { + /* Last message double block is full */ + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, 12); + skinny_128_256_encrypt(ks, S, S); + } else if (temp > 16) { + /* Last message double block is partial */ + temp -= 16; + romulus3_update_counter(ks->TK1); + lw_xor_block(S, m, 16); + memcpy(ks->TK1 + 4, m + 16, temp); + memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); + ks->TK1[15] = (unsigned char)temp; + skinny_128_256_encrypt(ks, S, S); + } else if (temp == 16) { + /* Last message single block is full */ + lw_xor_block(S, m, 16); + } else if (temp > 0) { + /* Last message single block is partial */ + lw_xor_block(S, m, temp); + S[15] ^= (unsigned char)temp; + } + + /* Process the last partial block */ + romulus3_set_domain(ks, final_domain); + romulus3_update_counter(ks->TK1); + memcpy(ks->TK1 + 4, npub, 
12); + skinny_128_256_encrypt(ks, S, S); +} + +/** + * \brief Applies the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + */ +STATIC_INLINE void romulus_rho + (unsigned char S[16], unsigned char C[16], const unsigned char M[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } +} + +/** + * \brief Applies the inverse of the Romulus rho function. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + */ +STATIC_INLINE void romulus_rho_inverse + (unsigned char S[16], unsigned char M[16], const unsigned char C[16]) +{ + unsigned index; + for (index = 0; index < 16; ++index) { + unsigned char s = S[index]; + unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + S[index] ^= m; + M[index] = m; + } +} + +/** + * \brief Applies the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param C Ciphertext message output block. + * \param M Plaintext message input block. + * \param len Length of the short block, must be less than 16. + */ +STATIC_INLINE void romulus_rho_short + (unsigned char S[16], unsigned char C[16], + const unsigned char M[16], unsigned len) +{ + unsigned index; + for (index = 0; index < len; ++index) { + unsigned char s = S[index]; + unsigned char m = M[index]; + S[index] ^= m; + C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); + } + S[15] ^= (unsigned char)len; /* Padding */ +} + +/** + * \brief Applies the inverse of the Romulus rho function to a short block. + * + * \param S The rolling Romulus state. + * \param M Plaintext message output block. + * \param C Ciphertext message input block. + * \param len Length of the short block, must be less than 16. 
+ */
+STATIC_INLINE void romulus_rho_inverse_short
+ (unsigned char S[16], unsigned char M[16],
+ const unsigned char C[16], unsigned len)
+{
+ unsigned index;
+ for (index = 0; index < len; ++index) {
+ unsigned char s = S[index];
+ unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
+ S[index] ^= m;
+ M[index] = m;
+ }
+ S[15] ^= (unsigned char)len; /* Padding */
+}
+
+/**
+ * \brief Encrypts a plaintext message with Romulus-N1.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param c Points to the buffer to receive the ciphertext.
+ * \param m Points to the buffer containing the plaintext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_n1_encrypt
+ (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *c, const unsigned char *m, unsigned long long mlen)
+{
+ unsigned temp;
+
+ /* Handle the special case of no plaintext */
+ if (mlen == 0) {
+ romulus1_update_counter(ks->TK1);
+ romulus1_set_domain(ks, 0x15);
+ skinny_128_384_encrypt(ks, S, S);
+ return;
+ }
+
+ /* Process all blocks except the last */
+ romulus1_set_domain(ks, 0x04);
+ while (mlen > 16) {
+ romulus_rho(S, c, m);
+ romulus1_update_counter(ks->TK1);
+ skinny_128_384_encrypt(ks, S, S);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Pad and process the last block */
+ temp = (unsigned)mlen;
+ romulus1_update_counter(ks->TK1);
+ if (temp < 16) {
+ romulus_rho_short(S, c, m, temp);
+ romulus1_set_domain(ks, 0x15);
+ } else {
+ romulus_rho(S, c, m);
+ romulus1_set_domain(ks, 0x14);
+ }
+ skinny_128_384_encrypt(ks, S, S);
+}
+
+/**
+ * \brief Decrypts a ciphertext message with Romulus-N1.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param m Points to the buffer to receive the plaintext.
+ * \param c Points to the buffer containing the ciphertext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_n1_decrypt
+ (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *m, const unsigned char *c, unsigned long long mlen)
+{
+ unsigned temp;
+
+ /* Handle the special case of no ciphertext */
+ if (mlen == 0) {
+ romulus1_update_counter(ks->TK1);
+ romulus1_set_domain(ks, 0x15);
+ skinny_128_384_encrypt(ks, S, S);
+ return;
+ }
+
+ /* Process all blocks except the last */
+ romulus1_set_domain(ks, 0x04);
+ while (mlen > 16) {
+ romulus_rho_inverse(S, m, c);
+ romulus1_update_counter(ks->TK1);
+ skinny_128_384_encrypt(ks, S, S);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Pad and process the last block */
+ temp = (unsigned)mlen;
+ romulus1_update_counter(ks->TK1);
+ if (temp < 16) {
+ romulus_rho_inverse_short(S, m, c, temp);
+ romulus1_set_domain(ks, 0x15);
+ } else {
+ romulus_rho_inverse(S, m, c);
+ romulus1_set_domain(ks, 0x14);
+ }
+ skinny_128_384_encrypt(ks, S, S);
+}
+
+/**
+ * \brief Encrypts a plaintext message with Romulus-N2.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param c Points to the buffer to receive the ciphertext.
+ * \param m Points to the buffer containing the plaintext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_n2_encrypt
+ (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *c, const unsigned char *m, unsigned long long mlen)
+{
+ unsigned temp;
+
+ /* Handle the special case of no plaintext */
+ if (mlen == 0) {
+ romulus2_update_counter(ks->TK1);
+ romulus2_set_domain(ks, 0x55);
+ skinny_128_384_encrypt(ks, S, S);
+ return;
+ }
+
+ /* Process all blocks except the last */
+ romulus2_set_domain(ks, 0x44);
+ while (mlen > 16) {
+ romulus_rho(S, c, m);
+ romulus2_update_counter(ks->TK1);
+ skinny_128_384_encrypt(ks, S, S);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Pad and process the last block */
+ temp = (unsigned)mlen;
+ romulus2_update_counter(ks->TK1);
+ if (temp < 16) {
+ romulus_rho_short(S, c, m, temp);
+ romulus2_set_domain(ks, 0x55);
+ } else {
+ romulus_rho(S, c, m);
+ romulus2_set_domain(ks, 0x54);
+ }
+ skinny_128_384_encrypt(ks, S, S);
+}
+
+/**
+ * \brief Decrypts a ciphertext message with Romulus-N2.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param m Points to the buffer to receive the plaintext.
+ * \param c Points to the buffer containing the ciphertext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_n2_decrypt
+ (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *m, const unsigned char *c, unsigned long long mlen)
+{
+ unsigned temp;
+
+ /* Handle the special case of no ciphertext */
+ if (mlen == 0) {
+ romulus2_update_counter(ks->TK1);
+ romulus2_set_domain(ks, 0x55);
+ skinny_128_384_encrypt(ks, S, S);
+ return;
+ }
+
+ /* Process all blocks except the last */
+ romulus2_set_domain(ks, 0x44);
+ while (mlen > 16) {
+ romulus_rho_inverse(S, m, c);
+ romulus2_update_counter(ks->TK1);
+ skinny_128_384_encrypt(ks, S, S);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Pad and process the last block */
+ temp = (unsigned)mlen;
+ romulus2_update_counter(ks->TK1);
+ if (temp < 16) {
+ romulus_rho_inverse_short(S, m, c, temp);
+ romulus2_set_domain(ks, 0x55);
+ } else {
+ romulus_rho_inverse(S, m, c);
+ romulus2_set_domain(ks, 0x54);
+ }
+ skinny_128_384_encrypt(ks, S, S);
+}
+
+/**
+ * \brief Encrypts a plaintext message with Romulus-N3.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param c Points to the buffer to receive the ciphertext.
+ * \param m Points to the buffer containing the plaintext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_n3_encrypt
+ (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *c, const unsigned char *m, unsigned long long mlen)
+{
+ unsigned temp;
+
+ /* Handle the special case of no plaintext */
+ if (mlen == 0) {
+ romulus3_update_counter(ks->TK1);
+ romulus3_set_domain(ks, 0x95);
+ skinny_128_256_encrypt(ks, S, S);
+ return;
+ }
+
+ /* Process all blocks except the last */
+ romulus3_set_domain(ks, 0x84);
+ while (mlen > 16) {
+ romulus_rho(S, c, m);
+ romulus3_update_counter(ks->TK1);
+ skinny_128_256_encrypt(ks, S, S);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Pad and process the last block */
+ temp = (unsigned)mlen;
+ romulus3_update_counter(ks->TK1);
+ if (temp < 16) {
+ romulus_rho_short(S, c, m, temp);
+ romulus3_set_domain(ks, 0x95);
+ } else {
+ romulus_rho(S, c, m);
+ romulus3_set_domain(ks, 0x94);
+ }
+ skinny_128_256_encrypt(ks, S, S);
+}
+
+/**
+ * \brief Decrypts a ciphertext message with Romulus-N3.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param m Points to the buffer to receive the plaintext.
+ * \param c Points to the buffer containing the ciphertext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_n3_decrypt
+ (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *m, const unsigned char *c, unsigned long long mlen)
+{
+ unsigned temp;
+
+ /* Handle the special case of no ciphertext */
+ if (mlen == 0) {
+ romulus3_update_counter(ks->TK1);
+ romulus3_set_domain(ks, 0x95);
+ skinny_128_256_encrypt(ks, S, S);
+ return;
+ }
+
+ /* Process all blocks except the last */
+ romulus3_set_domain(ks, 0x84);
+ while (mlen > 16) {
+ romulus_rho_inverse(S, m, c);
+ romulus3_update_counter(ks->TK1);
+ skinny_128_256_encrypt(ks, S, S);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Pad and process the last block */
+ temp = (unsigned)mlen;
+ romulus3_update_counter(ks->TK1);
+ if (temp < 16) {
+ romulus_rho_inverse_short(S, m, c, temp);
+ romulus3_set_domain(ks, 0x95);
+ } else {
+ romulus_rho_inverse(S, m, c);
+ romulus3_set_domain(ks, 0x94);
+ }
+ skinny_128_256_encrypt(ks, S, S);
+}
+
+/**
+ * \brief Encrypts a plaintext message with Romulus-M1.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param c Points to the buffer to receive the ciphertext.
+ * \param m Points to the buffer containing the plaintext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_m1_encrypt
+ (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *c, const unsigned char *m, unsigned long long mlen)
+{
+ /* Nothing to do if the message is empty */
+ if (!mlen)
+ return;
+
+ /* Process all block except the last */
+ romulus1_set_domain(ks, 0x24);
+ while (mlen > 16) {
+ skinny_128_384_encrypt(ks, S, S);
+ romulus_rho(S, c, m);
+ romulus1_update_counter(ks->TK1);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Handle the last block */
+ skinny_128_384_encrypt(ks, S, S);
+ romulus_rho_short(S, c, m, (unsigned)mlen);
+}
+
+/**
+ * \brief Decrypts a ciphertext message with Romulus-M1.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param m Points to the buffer to receive the plaintext.
+ * \param c Points to the buffer containing the ciphertext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_m1_decrypt
+ (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *m, const unsigned char *c, unsigned long long mlen)
+{
+ /* Nothing to do if the message is empty */
+ if (!mlen)
+ return;
+
+ /* Process all block except the last */
+ romulus1_set_domain(ks, 0x24);
+ while (mlen > 16) {
+ skinny_128_384_encrypt(ks, S, S);
+ romulus_rho_inverse(S, m, c);
+ romulus1_update_counter(ks->TK1);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Handle the last block */
+ skinny_128_384_encrypt(ks, S, S);
+ romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
+}
+
+/**
+ * \brief Encrypts a plaintext message with Romulus-M2.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param c Points to the buffer to receive the ciphertext.
+ * \param m Points to the buffer containing the plaintext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_m2_encrypt
+ (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *c, const unsigned char *m, unsigned long long mlen)
+{
+ /* Nothing to do if the message is empty */
+ if (!mlen)
+ return;
+
+ /* Process all block except the last */
+ romulus2_set_domain(ks, 0x64);
+ while (mlen > 16) {
+ skinny_128_384_encrypt(ks, S, S);
+ romulus_rho(S, c, m);
+ romulus2_update_counter(ks->TK1);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Handle the last block */
+ skinny_128_384_encrypt(ks, S, S);
+ romulus_rho_short(S, c, m, (unsigned)mlen);
+}
+
+/**
+ * \brief Decrypts a ciphertext message with Romulus-M2.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param m Points to the buffer to receive the plaintext.
+ * \param c Points to the buffer containing the ciphertext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_m2_decrypt
+ (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *m, const unsigned char *c, unsigned long long mlen)
+{
+ /* Nothing to do if the message is empty */
+ if (!mlen)
+ return;
+
+ /* Process all block except the last */
+ romulus2_set_domain(ks, 0x64);
+ while (mlen > 16) {
+ skinny_128_384_encrypt(ks, S, S);
+ romulus_rho_inverse(S, m, c);
+ romulus2_update_counter(ks->TK1);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Handle the last block */
+ skinny_128_384_encrypt(ks, S, S);
+ romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
+}
+
+/**
+ * \brief Encrypts a plaintext message with Romulus-M3.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param c Points to the buffer to receive the ciphertext.
+ * \param m Points to the buffer containing the plaintext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_m3_encrypt
+ (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *c, const unsigned char *m, unsigned long long mlen)
+{
+ /* Nothing to do if the message is empty */
+ if (!mlen)
+ return;
+
+ /* Process all block except the last */
+ romulus3_set_domain(ks, 0xA4);
+ while (mlen > 16) {
+ skinny_128_256_encrypt(ks, S, S);
+ romulus_rho(S, c, m);
+ romulus3_update_counter(ks->TK1);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Handle the last block */
+ skinny_128_256_encrypt(ks, S, S);
+ romulus_rho_short(S, c, m, (unsigned)mlen);
+}
+
+/**
+ * \brief Decrypts a ciphertext message with Romulus-M3.
+ *
+ * \param ks Points to the key schedule.
+ * \param S The rolling Romulus state.
+ * \param m Points to the buffer to receive the plaintext.
+ * \param c Points to the buffer containing the ciphertext.
+ * \param mlen Length of the plaintext in bytes.
+ */
+static void romulus_m3_decrypt
+ (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
+ unsigned char *m, const unsigned char *c, unsigned long long mlen)
+{
+ /* Nothing to do if the message is empty */
+ if (!mlen)
+ return;
+
+ /* Process all block except the last */
+ romulus3_set_domain(ks, 0xA4);
+ while (mlen > 16) {
+ skinny_128_256_encrypt(ks, S, S);
+ romulus_rho_inverse(S, m, c);
+ romulus3_update_counter(ks->TK1);
+ c += 16;
+ m += 16;
+ mlen -= 16;
+ }
+
+ /* Handle the last block */
+ skinny_128_256_encrypt(ks, S, S);
+ romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
+}
+
+/**
+ * \brief Generates the authentication tag from the rolling Romulus state.
+ *
+ * \param T Buffer to receive the generated tag; can be the same as S.
+ * \param S The rolling Romulus state.
+ */
+STATIC_INLINE void romulus_generate_tag
+ (unsigned char T[16], const unsigned char S[16])
+{
+ unsigned index;
+ for (index = 0; index < 16; ++index) {
+ unsigned char s = S[index];
+ T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7);
+ }
+}
+
+int romulus_n1_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus1_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_n1_process_ad(&ks, S, npub, ad, adlen);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus1_init(&ks, k, npub);
+
+ /* Encrypts the plaintext to produce the ciphertext */
+ romulus_n1_encrypt(&ks, S, c, m, mlen);
+
+ /* Generate the authentication tag */
+ romulus_generate_tag(c + mlen, S);
+ return 0;
+}
+
+int romulus_n1_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < ROMULUS_TAG_SIZE)
+ return -1;
+ *mlen = clen - ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT ||
+ clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus1_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_n1_process_ad(&ks, S, npub, ad, adlen);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus1_init(&ks, k, npub);
+
+ /* Decrypt the ciphertext to produce the plaintext */
+ clen -= ROMULUS_TAG_SIZE;
+ romulus_n1_decrypt(&ks, S, m, c, clen);
+
+ /* Check the authentication tag */
+ romulus_generate_tag(S, S);
+ return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
+}
+
+int romulus_n2_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus2_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_n2_process_ad(&ks, S, npub, ad, adlen);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus2_init(&ks, k, npub);
+
+ /* Encrypts the plaintext to produce the ciphertext */
+ romulus_n2_encrypt(&ks, S, c, m, mlen);
+
+ /* Generate the authentication tag */
+ romulus_generate_tag(c + mlen, S);
+ return 0;
+}
+
+int romulus_n2_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < ROMULUS_TAG_SIZE)
+ return -1;
+ *mlen = clen - ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT ||
+ clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus2_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_n2_process_ad(&ks, S, npub, ad, adlen);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus2_init(&ks, k, npub);
+
+ /* Decrypt the ciphertext to produce the plaintext */
+ clen -= ROMULUS_TAG_SIZE;
+ romulus_n2_decrypt(&ks, S, m, c, clen);
+
+ /* Check the authentication tag */
+ romulus_generate_tag(S, S);
+ return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
+}
+
+int romulus_n3_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_256_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus3_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_n3_process_ad(&ks, S, npub, ad, adlen);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus3_init(&ks, k, npub);
+
+ /* Encrypts the plaintext to produce the ciphertext */
+ romulus_n3_encrypt(&ks, S, c, m, mlen);
+
+ /* Generate the authentication tag */
+ romulus_generate_tag(c + mlen, S);
+ return 0;
+}
+
+int romulus_n3_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_256_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < ROMULUS_TAG_SIZE)
+ return -1;
+ *mlen = clen - ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT ||
+ clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus3_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_n3_process_ad(&ks, S, npub, ad, adlen);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus3_init(&ks, k, npub);
+
+ /* Decrypt the ciphertext to produce the plaintext */
+ clen -= ROMULUS_TAG_SIZE;
+ romulus_n3_decrypt(&ks, S, m, c, clen);
+
+ /* Check the authentication tag */
+ romulus_generate_tag(S, S);
+ return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
+}
+
+int romulus_m1_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus1_init(&ks, k, 0);
+
+ /* Process the associated data and the plaintext message */
+ memset(S, 0, sizeof(S));
+ romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen);
+
+ /* Generate the authentication tag, which is also the initialization
+ * vector for the encryption portion of the packet processing */
+ romulus_generate_tag(S, S);
+ memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus1_init(&ks, k, npub);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ romulus_m1_encrypt(&ks, S, c, m, mlen);
+ return 0;
+}
+
+int romulus_m1_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < ROMULUS_TAG_SIZE)
+ return -1;
+ *mlen = clen - ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT ||
+ clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
+ return -2;
+
+ /* Initialize the key schedule with the key and nonce */
+ romulus1_init(&ks, k, npub);
+
+ /* Decrypt the ciphertext to produce the plaintext, using the
+ * authentication tag as the initialization vector for decryption */
+ clen -= ROMULUS_TAG_SIZE;
+ memcpy(S, c + clen, ROMULUS_TAG_SIZE);
+ romulus_m1_decrypt(&ks, S, m, c, clen);
+
+ /* Re-initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus1_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen);
+
+ /* Check the authentication tag */
+ romulus_generate_tag(S, S);
+ return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
+}
+
+int romulus_m2_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
+ return -2;
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus2_init(&ks, k, 0);
+
+ /* Process the associated data and the plaintext message */
+ memset(S, 0, sizeof(S));
+ romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen);
+
+ /* Generate the authentication tag, which is also the initialization
+ * vector for the encryption portion of the packet processing */
+ romulus_generate_tag(S, S);
+ memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus2_init(&ks, k, npub);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ romulus_m2_encrypt(&ks, S, c, m, mlen);
+ return 0;
+}
+
+int romulus_m2_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < ROMULUS_TAG_SIZE)
+ return -1;
+ *mlen = clen - ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT ||
+ clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
+ return -2;
+
+ /* Initialize the key schedule with the key and nonce */
+ romulus2_init(&ks, k, npub);
+
+ /* Decrypt the ciphertext to produce the plaintext, using the
+ * authentication tag as the initialization vector for decryption */
+ clen -= ROMULUS_TAG_SIZE;
+ memcpy(S, c + clen, ROMULUS_TAG_SIZE);
+ romulus_m2_decrypt(&ks, S, m, c, clen);
+
+ /* Re-initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus2_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen);
+
+ /* Check the authentication tag */
+ romulus_generate_tag(S, S);
+ return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
+}
+
+int romulus_m3_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_256_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
+ return -2;
+
+ /* Initialize the key schedule with the key and nonce */
+ romulus3_init(&ks, k, npub);
+
+ /* Initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus3_init(&ks, k, 0);
+
+ /* Process the associated data and the plaintext message */
+ memset(S, 0, sizeof(S));
+ romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen);
+
+ /* Generate the authentication tag, which is also the initialization
+ * vector for the encryption portion of the packet processing */
+ romulus_generate_tag(S, S);
+ memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
+
+ /* Re-initialize the key schedule with the key and nonce */
+ romulus3_init(&ks, k, npub);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ romulus_m3_encrypt(&ks, S, c, m, mlen);
+ return 0;
+}
+
+int romulus_m3_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_256_key_schedule_t ks;
+ unsigned char S[16];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < ROMULUS_TAG_SIZE)
+ return -1;
+ *mlen = clen - ROMULUS_TAG_SIZE;
+
+ /* Validate the length of the associated data and message */
+ if (adlen > ROMULUS_DATA_LIMIT ||
+ clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
+ return -2;
+
+ /* Initialize the key schedule with the key and nonce */
+ romulus3_init(&ks, k, npub);
+
+ /* Decrypt the ciphertext to produce the plaintext, using the
+ * authentication tag as the initialization vector for decryption */
+ clen -= ROMULUS_TAG_SIZE;
+ memcpy(S, c + clen, ROMULUS_TAG_SIZE);
+ romulus_m3_decrypt(&ks, S, m, c, clen);
+
+ /* Re-initialize the key schedule with the key and no nonce. Associated
+ * data processing varies the nonce from block to block */
+ romulus3_init(&ks, k, 0);
+
+ /* Process the associated data */
+ memset(S, 0, sizeof(S));
+ romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen);
+
+ /* Check the authentication tag */
+ romulus_generate_tag(S, S);
+ return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
+}
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/forkae.h b/romulus/Implementations/crypto_aead/romulusn1+/rhys/romulus.h
similarity index 57%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/forkae.h
rename to romulus/Implementations/crypto_aead/romulusn1+/rhys/romulus.h
index 3e27b50..e6da29d 100644
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/forkae.h
+++ b/romulus/Implementations/crypto_aead/romulusn1+/rhys/romulus.h
@@ -20,50 +20,40 @@
 * DEALINGS IN THE SOFTWARE.
 */
-#ifndef LWCRYPTO_FORKAE_H
-#define LWCRYPTO_FORKAE_H
+#ifndef LWCRYPTO_ROMULUS_H
+#define LWCRYPTO_ROMULUS_H
 #include "aead-common.h"
 /**
- * \file forkae.h
- * \brief ForkAE authenticated encryption algorithm family.
- *
- * ForkAE is a family of authenticated encryption algorithms based on a
- * modified version of the SKINNY tweakable block cipher. The modifications
- * introduce "forking" where each input block produces two output blocks
- * for use in encryption and authentication. There are six members in
- * the ForkAE family:
- *
- * \li PAEF-ForkSkinny-64-192 has a 128-bit key, a 48-bit nonce, and a
- * 64-bit authentication tag. The associated data and plaintext are
- * limited to 216 bytes.
- * \li PAEF-ForkSkinny-128-192 has a 128-bit key, a 48-bit nonce, and a
- * 128-bit authentication tag. The associated data and plaintext are
- * limited to 217 bytes.
- * \li PAEF-ForkSkinny-128-256 has a 128-bit key, a 112-bit nonce, and a
- * 128-bit authentication tag. The associated data and plaintext are
- * limited to 217 bytes.
- * \li PAEF-ForkSkinny-128-288 has a 128-bit key, a 104-bit nonce, and a
- * 128-bit authentication tag. The associated data and plaintext are
- * limited to 257 bytes. This is the primary member of the family.
- * \li SAEF-ForkSkinny-128-192 has a 128-bit key, a 56-bit nonce, and a
- * 128-bit authentication tag. The associated data and plaintext may be
- * unlimited in size.
- * \li SAEF-ForkSkinny-128-256 has a 128-bit key, a 120-bit nonce, and a
- * 128-bit authentication tag. The associated data and plaintext may be
- * unlimited in size.
- *
- * The PAEF variants support parallel encryption and decryption for
- * higher throughput. The SAEF variants encrypt or decrypt blocks
- * sequentially.
- *
- * ForkAE is designed to be efficient on small packet sizes so most of
- * the PAEF algorithms have a limit of 64k or 128k on the amount of
- * payload in a single packet. Obviously the input can be split into
- * separate packets for larger amounts of data.
- *
- * References: https://www.esat.kuleuven.be/cosic/forkae/
+ * \file romulus.h
+ * \brief Romulus authenticated encryption algorithm family.
+ *
+ * Romulus is a family of authenticated encryption algorithms that
+ * are built around the SKINNY-128 tweakable block cipher. There
+ * are six members in the family:
+ *
+ * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag,
+ * based around the SKINNY-128-384 tweakable block cipher. This is the
+ * primary member of the family.
+ * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
+ * based around the SKINNY-128-384 tweakable block cipher.
+ * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
+ * based around the SKINNY-128-256 tweakable block cipher.
+ * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag,
+ * based around the SKINNY-128-384 tweakable block cipher.
+ * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
+ * based around the SKINNY-128-384 tweakable block cipher.
+ * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
+ * based around the SKINNY-128-256 tweakable block cipher.
+ *
+ * The Romulus-M variants are resistant to nonce reuse as long as the
+ * combination of the associated data and plaintext is unique. If the
+ * same associated data and plaintext are reused under the same nonce,
+ * then the scheme will leak that the same plaintext has been sent for a
+ * second time but will not reveal the plaintext itself.
+ *
+ * References: https://romulusae.github.io/romulus/
 */
 #ifdef __cplusplus
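Review bot: The file comment describes the nonce-reuse behaviour of the Romulus-M variants but says nothing about the Romulus-N variants, so a reader of this header could take the misuse-resistance property to apply to the whole family. I would add one sentence after the Romulus-M paragraph, e.g. ` * The Romulus-N variants are conventional nonce-based AEAD modes: a nonce must not be reused under the same key, since reuse loses both confidentiality and authenticity for the affected messages.` The companion romulus.c in this commit also rejects associated data or plaintext longer than ROMULUS_DATA_LIMIT with a return value of -2 and a ciphertext shorter than the tag with -1; since the per-function documentation is not in this hunk, the header would benefit from a sentence stating that limit and the return-value convention, with the actual limit value taken from wherever ROMULUS_DATA_LIMIT is defined.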
@@ -71,131 +61,66 @@ extern "C" { #endif /** - * \brief Size of the key for PAEF-ForkSkinny-64-192. - */ -#define FORKAE_PAEF_64_192_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PAEF-ForkSkinny-64-192. - */ -#define FORKAE_PAEF_64_192_TAG_SIZE 8 - -/** - * \brief Size of the nonce for PAEF-ForkSkinny-64-192. + * \brief Size of the key for all Romulus family members. */ -#define FORKAE_PAEF_64_192_NONCE_SIZE 6 +#define ROMULUS_KEY_SIZE 16 /** - * \brief Size of the key for PAEF-ForkSkinny-128-192. + * \brief Size of the authentication tag for all Romulus family members. */ -#define FORKAE_PAEF_128_192_KEY_SIZE 16 +#define ROMULUS_TAG_SIZE 16 /** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-192. + * \brief Size of the nonce for Romulus-N1 and Romulus-M1. */ -#define FORKAE_PAEF_128_192_TAG_SIZE 16 +#define ROMULUS1_NONCE_SIZE 16 /** - * \brief Size of the nonce for PAEF-ForkSkinny-128-192. + * \brief Size of the nonce for Romulus-N2 and Romulus-M2. */ -#define FORKAE_PAEF_128_192_NONCE_SIZE 6 +#define ROMULUS2_NONCE_SIZE 12 /** - * \brief Size of the key for PAEF-ForkSkinny-128-256. + * \brief Size of the nonce for Romulus-N3 and Romulus-M3. */ -#define FORKAE_PAEF_128_256_KEY_SIZE 16 +#define ROMULUS3_NONCE_SIZE 12 /** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-256. + * \brief Meta-information block for the Romulus-N1 cipher. */ -#define FORKAE_PAEF_128_256_TAG_SIZE 16 +extern aead_cipher_t const romulus_n1_cipher; /** - * \brief Size of the nonce for PAEF-ForkSkinny-128-256. + * \brief Meta-information block for the Romulus-N2 cipher. */ -#define FORKAE_PAEF_128_256_NONCE_SIZE 14 +extern aead_cipher_t const romulus_n2_cipher; /** - * \brief Size of the key for PAEF-ForkSkinny-128-288. + * \brief Meta-information block for the Romulus-N3 cipher. 
*/ -#define FORKAE_PAEF_128_288_KEY_SIZE 16 +extern aead_cipher_t const romulus_n3_cipher; /** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-288. + * \brief Meta-information block for the Romulus-M1 cipher. */ -#define FORKAE_PAEF_128_288_TAG_SIZE 16 +extern aead_cipher_t const romulus_m1_cipher; /** - * \brief Size of the nonce for PAEF-ForkSkinny-128-288. + * \brief Meta-information block for the Romulus-M2 cipher. */ -#define FORKAE_PAEF_128_288_NONCE_SIZE 13 +extern aead_cipher_t const romulus_m2_cipher; /** - * \brief Size of the key for SAEF-ForkSkinny-128-192. + * \brief Meta-information block for the Romulus-M3 cipher. */ -#define FORKAE_SAEF_128_192_KEY_SIZE 16 +extern aead_cipher_t const romulus_m3_cipher; /** - * \brief Size of the authentication tag for SAEF-ForkSkinny-128-192. - */ -#define FORKAE_SAEF_128_192_TAG_SIZE 16 - -/** - * \brief Size of the nonce for SAEF-ForkSkinny-128-192. - */ -#define FORKAE_SAEF_128_192_NONCE_SIZE 7 - -/** - * \brief Size of the key for SAEF-ForkSkinny-128-256. - */ -#define FORKAE_SAEF_128_256_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for SAEF-ForkSkinny-128-256. - */ -#define FORKAE_SAEF_128_256_TAG_SIZE 16 - -/** - * \brief Size of the nonce for SAEF-ForkSkinny-128-256. - */ -#define FORKAE_SAEF_128_256_NONCE_SIZE 15 - -/** - * \brief Meta-information block for the PAEF-ForkSkinny-64-192 cipher. - */ -extern aead_cipher_t const forkae_paef_64_192_cipher; - -/** - * \brief Meta-information block for the PAEF-ForkSkinny-128-192 cipher. - */ -extern aead_cipher_t const forkae_paef_128_192_cipher; - -/** - * \brief Meta-information block for the PAEF-ForkSkinny-128-256 cipher. - */ -extern aead_cipher_t const forkae_paef_128_256_cipher; - -/** - * \brief Meta-information block for the PAEF-ForkSkinny-128-288 cipher. - */ -extern aead_cipher_t const forkae_paef_128_288_cipher; - -/** - * \brief Meta-information block for the SAEF-ForkSkinny-128-192 cipher. 
- */ -extern aead_cipher_t const forkae_saef_128_192_cipher; - -/** - * \brief Meta-information block for the SAEF-ForkSkinny-128-256 cipher. - */ -extern aead_cipher_t const forkae_saef_128_256_cipher; - -/** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * \brief Encrypts and authenticates a packet with Romulus-N1. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. + * the ciphertext and the 16 byte authentication tag. * \param m Buffer that contains the plaintext message to encrypt. * \param mlen Length of the plaintext message in bytes. * \param ad Buffer that contains associated data to authenticate @@ -203,15 +128,15 @@ extern aead_cipher_t const forkae_saef_128_256_cipher; * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_paef_64_192_aead_decrypt() + * \sa romulus_n1_aead_decrypt() */ -int forkae_paef_64_192_aead_encrypt +int romulus_n1_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -220,7 +145,7 @@ int forkae_paef_64_192_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * \brief Decrypts and authenticates a packet with Romulus-N1. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. 
@@ -228,20 +153,20 @@ int forkae_paef_64_192_aead_encrypt * \param c Buffer that contains the ciphertext and authentication * tag to decrypt. * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. + * ciphertext and the 16 byte authentication tag. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_paef_64_192_aead_encrypt() + * \sa romulus_n1_aead_encrypt() */ -int forkae_paef_64_192_aead_decrypt +int romulus_n1_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -250,7 +175,7 @@ int forkae_paef_64_192_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * \brief Encrypts and authenticates a packet with Romulus-N2. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes 
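Review bot: The decrypt contract for `romulus_n1_aead_decrypt` documents the -1 tag-failure return in the `\return` paragraph but does not say what `m` and `*mlen` hold in that case. Whether the implementation writes plaintext into `m` before the tag is verified is not visible from this header, so the contract should tell callers what to do with the buffer regardless, e.g. ` * If -1 is returned, the contents of m are unspecified and must be discarded.` The same sentence belongs in the romulus_n2, romulus_n3, romulus_m1, romulus_m2 and romulus_m3 decrypt hunks that follow.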
@@ -262,15 +187,15 @@ int forkae_paef_64_192_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_paef_128_192_aead_decrypt() + * \sa romulus_n2_aead_decrypt() */ -int forkae_paef_128_192_aead_encrypt +int romulus_n2_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -279,7 +204,7 @@ int forkae_paef_128_192_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * \brief Decrypts and authenticates a packet with Romulus-N2. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -292,15 +217,15 @@ int forkae_paef_128_192_aead_encrypt * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_paef_128_192_aead_encrypt() + * \sa romulus_n2_aead_encrypt() */ -int forkae_paef_128_192_aead_decrypt +int romulus_n2_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, 
@@ -309,7 +234,7 @@ int forkae_paef_128_192_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * \brief Encrypts and authenticates a packet with Romulus-N3. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes @@ -321,15 +246,15 @@ int forkae_paef_128_192_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 14 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_paef_128_256_aead_decrypt() + * \sa romulus_n3_aead_decrypt() */ -int forkae_paef_128_256_aead_encrypt +int romulus_n3_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -338,7 +263,7 @@ int forkae_paef_128_256_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * \brief Decrypts and authenticates a packet with Romulus-N3. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. 
@@ -351,15 +276,15 @@ int forkae_paef_128_256_aead_encrypt * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 14 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_paef_128_256_aead_encrypt() + * \sa romulus_n3_aead_encrypt() */ -int forkae_paef_128_256_aead_decrypt +int romulus_n3_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -368,7 +293,7 @@ int forkae_paef_128_256_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * \brief Encrypts and authenticates a packet with Romulus-M1. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes @@ -380,15 +305,15 @@ int forkae_paef_128_256_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 13 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_paef_128_288_aead_decrypt() + * \sa romulus_m1_aead_decrypt() */ -int forkae_paef_128_288_aead_encrypt +int romulus_m1_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, 
@@ -397,7 +322,7 @@ int forkae_paef_128_288_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * \brief Decrypts and authenticates a packet with Romulus-M1. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -410,15 +335,15 @@ int forkae_paef_128_288_aead_encrypt * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 13 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_paef_128_288_aead_encrypt() + * \sa romulus_m1_aead_encrypt() */ -int forkae_paef_128_288_aead_decrypt +int romulus_m1_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -427,7 +352,7 @@ int forkae_paef_128_288_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * \brief Encrypts and authenticates a packet with Romulus-M2. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes 
@@ -439,15 +364,15 @@ int forkae_paef_128_288_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 7 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_saef_128_192_aead_decrypt() + * \sa romulus_m2_aead_decrypt() */ -int forkae_saef_128_192_aead_encrypt +int romulus_m2_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -456,7 +381,7 @@ int forkae_saef_128_192_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * \brief Decrypts and authenticates a packet with Romulus-M2. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -469,15 +394,15 @@ int forkae_saef_128_192_aead_encrypt * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 7 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_saef_128_192_aead_encrypt() + * \sa romulus_m2_aead_encrypt() */ -int forkae_saef_128_192_aead_decrypt +int romulus_m2_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, 
@@ -486,7 +411,7 @@ int forkae_saef_128_192_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * \brief Encrypts and authenticates a packet with Romulus-M3. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes @@ -498,15 +423,15 @@ int forkae_saef_128_192_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_saef_128_256_aead_decrypt() + * \sa romulus_m3_aead_decrypt() */ -int forkae_saef_128_256_aead_encrypt +int romulus_m3_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -515,7 +440,7 @@ int forkae_saef_128_256_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * \brief Decrypts and authenticates a packet with Romulus-M3. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. 
@@ -528,15 +453,15 @@ int forkae_saef_128_256_aead_encrypt
  * along with the packet but which does not need to be encrypted.
  * \param adlen Length of the associated data in bytes.
  * \param npub Points to the public nonce for the packet which must
- * be 15 bytes in length.
+ * be 12 bytes in length.
  * \param k Points to the 16 bytes of the key to use to decrypt the packet.
  *
  * \return 0 on success, -1 if the authentication tag was incorrect,
  * or some other negative number if there was an error in the parameters.
  *
- * \sa forkae_saef_128_256_aead_encrypt()
+ * \sa romulus_m3_aead_encrypt()
  */
-int forkae_saef_128_256_aead_decrypt
+int romulus_m3_aead_decrypt
 (unsigned char *m, unsigned long long *mlen,
 unsigned char *nsec,
 const unsigned char *c, unsigned long long clen,
diff --git a/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/api.h b/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/api.h
new file mode 100644
index 0000000..a4aa567
--- /dev/null
+++ b/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/api.h
@@ -0,0 +1,5 @@
+#define CRYPTO_KEYBYTES 16
+#define CRYPTO_NSECBYTES 0
+#define CRYPTO_NPUBBYTES 16
+#define CRYPTO_ABYTES 16
+#define CRYPTO_NOOVERLAP 1
diff --git a/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/encrypt.c b/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/encrypt.c
new file mode 100644
index 0000000..8668d91
--- /dev/null
+++ b/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/encrypt.c
@@ -0,0 +1,1024 @@ +/* + * Date: 29 November 2018 + * Contact: Thomas Peyrin - thomas.peyrin@gmail.com + * Mustafa Khairallah - mustafam001@e.ntu.edu.sg + */ + +#include "crypto_aead.h" +#include "api.h" +#include "skinny.h" +#include +#include + +void pad (const unsigned char* m, unsigned char* mp, int len8) { + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&mp[0]) = 0; + *(uint32_t*)(&mp[4]) = 0; + *(uint32_t*)(&mp[8]) = 0; + *(uint32_t*)(&mp[12]) = 0; + mp[15] = (len8 & 0x0f); + for (int i = 0; i < len8; i++) { + mp[i] = m[i]; + } + +#else + + mp[0] = 0; + mp[1] = 0; + mp[2] = 0; + mp[3] = 0; + mp[4] = 0; + mp[5] = 0; + mp[6] = 0; + mp[7] = 0; + mp[8] = 0; + mp[9] = 0; + mp[10] = 0; + mp[11] = 0; + mp[12] = 0; + mp[13] = 0; + mp[14] = 0; + mp[15] = (len8 & 0x0f); + for (int i = 0; i < len8; i++) { + mp[i] = m[i]; + } + +#endif + +} + +void g8A (unsigned char* s, unsigned char* c) { + +#ifdef ___ENABLE_WORD_CAST + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t c0, c1, c2, c3; + + c0 = ((s0 >> 1) & 0x7f7f7f7f) ^ ((s0 ^ (s0 << 7)) & 0x80808080); + c1 = ((s1 >> 1) & 0x7f7f7f7f) ^ ((s1 ^ (s1 << 7)) & 0x80808080); + c2 = ((s2 >> 1) & 0x7f7f7f7f) ^ ((s2 ^ (s2 << 7)) & 0x80808080); + c3 = ((s3 >> 1) & 0x7f7f7f7f) ^ ((s3 ^ (s3 << 7)) & 0x80808080); + + *(uint32_t*)(&c[0]) = c0; + *(uint32_t*)(&c[4]) = c1; + *(uint32_t*)(&c[8]) = c2; + *(uint32_t*)(&c[12]) = c3; + +#else + + uint32_t s0, s1, s2, s3; + uint32_t c0, c1, c2, c3; + + pack_word(s[0], s[1], s[2], s[3], s0); + pack_word(s[4], s[5], s[6], s[7], s1); + pack_word(s[8], s[9], s[10], s[11], s2); + pack_word(s[12], s[13], s[14], s[15], s3); + + c0 = ((s0 >> 1) & 0x7f7f7f7f) ^ ((s0 ^ (s0 << 7)) & 0x80808080); + c1 = ((s1 >> 1) & 0x7f7f7f7f) ^ ((s1 ^ (s1 << 7)) & 0x80808080); + c2 = ((s2 >> 1) & 0x7f7f7f7f) ^ ((s2 ^ (s2 << 7)) & 0x80808080); + c3 = ((s3 >> 1) & 0x7f7f7f7f) ^ ((s3 ^ (s3 << 7)) & 0x80808080); 
+ + unpack_word(c[0], c[1], c[2], c[3], c0); + unpack_word(c[4], c[5], c[6], c[7], c1); + unpack_word(c[8], c[9], c[10], c[11], c2); + unpack_word(c[12], c[13], c[14], c[15], c3); + +#endif + +} + +#ifdef ___ENABLE_WORD_CAST + +void g8A_for_Tag_Generation (unsigned char* s, unsigned char* c) { + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t c0, c1, c2, c3; + + c0 = ((s0 >> 1) & 0x7f7f7f7f) ^ ((s0 ^ (s0 << 7)) & 0x80808080); + c1 = ((s1 >> 1) & 0x7f7f7f7f) ^ ((s1 ^ (s1 << 7)) & 0x80808080); + c2 = ((s2 >> 1) & 0x7f7f7f7f) ^ ((s2 ^ (s2 << 7)) & 0x80808080); + c3 = ((s3 >> 1) & 0x7f7f7f7f) ^ ((s3 ^ (s3 << 7)) & 0x80808080); + + // use byte access because of memory alignment. + // c is not always in word(4 byte) alignment. + c[0] = c0 &0xFF; + c[1] = (c0>>8) &0xFF; + c[2] = (c0>>16)&0xFF; + c[3] = c0>>24; + c[4] = c1 &0xFF; + c[5] = (c1>>8) &0xFF; + c[6] = (c1>>16)&0xFF; + c[7] = c1>>24; + c[8] = c2 &0xFF; + c[9] = (c2>>8) &0xFF; + c[10] = (c2>>16)&0xFF; + c[11] = c2>>24; + c[12] = c3 &0xFF; + c[13] = (c3>>8) &0xFF; + c[14] = (c3>>16)&0xFF; + c[15] = c3>>24; + +} + +#endif + +#define rho_ad_eqov16_macro(i) \ + s[i] = s[i] ^ m[i]; + +void rho_ad_eqov16 ( + const unsigned char* m, + unsigned char* s) { + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&m[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&m[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&m[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&m[12]); + +#else + + rho_ad_eqov16_macro(0); + rho_ad_eqov16_macro(1); + rho_ad_eqov16_macro(2); + rho_ad_eqov16_macro(3); + rho_ad_eqov16_macro(4); + rho_ad_eqov16_macro(5); + rho_ad_eqov16_macro(6); + rho_ad_eqov16_macro(7); + rho_ad_eqov16_macro(8); + rho_ad_eqov16_macro(9); + rho_ad_eqov16_macro(10); + rho_ad_eqov16_macro(11); + rho_ad_eqov16_macro(12); + rho_ad_eqov16_macro(13); + rho_ad_eqov16_macro(14); + rho_ad_eqov16_macro(15); + +#endif + +} + 
+#define rho_ad_ud16_macro(i) \ + s[i] = s[i] ^ mp[i]; + +void rho_ad_ud16 ( + const unsigned char* m, + unsigned char* s, + int len8) { + + unsigned char mp [16]; + pad(m,mp,len8); + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&mp[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&mp[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&mp[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&mp[12]); + +#else + + rho_ad_ud16_macro(0); + rho_ad_ud16_macro(1); + rho_ad_ud16_macro(2); + rho_ad_ud16_macro(3); + rho_ad_ud16_macro(4); + rho_ad_ud16_macro(5); + rho_ad_ud16_macro(6); + rho_ad_ud16_macro(7); + rho_ad_ud16_macro(8); + rho_ad_ud16_macro(9); + rho_ad_ud16_macro(10); + rho_ad_ud16_macro(11); + rho_ad_ud16_macro(12); + rho_ad_ud16_macro(13); + rho_ad_ud16_macro(14); + rho_ad_ud16_macro(15); + +#endif + +} + +void rho_eqov16 ( + const unsigned char* m, + unsigned char* c, + unsigned char* s) { + + g8A(s,c); + +#ifdef ___ENABLE_WORD_CAST + + uint32_t c0 = *(uint32_t*)(&c[0]); + uint32_t c1 = *(uint32_t*)(&c[4]); + uint32_t c2 = *(uint32_t*)(&c[8]); + uint32_t c3 = *(uint32_t*)(&c[12]); + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t m0 = *(uint32_t*)(&m[0]); + uint32_t m1 = *(uint32_t*)(&m[4]); + uint32_t m2 = *(uint32_t*)(&m[8]); + uint32_t m3 = *(uint32_t*)(&m[12]); + + s0 ^= m0; + s1 ^= m1; + s2 ^= m2; + s3 ^= m3; + + c0 ^= m0; + c1 ^= m1; + c2 ^= m2; + c3 ^= m3; + + *(uint32_t*)(&s[0]) = s0; + *(uint32_t*)(&s[4]) = s1; + *(uint32_t*)(&s[8]) = s2; + *(uint32_t*)(&s[12]) = s3; + + *(uint32_t*)(&c[0]) = c0; + *(uint32_t*)(&c[4]) = c1; + *(uint32_t*)(&c[8]) = c2; + *(uint32_t*)(&c[12]) = c3; + +#else + + uint32_t c0, c1, c2, c3; + uint32_t s0, s1, s2, s3; + uint32_t m0, m1, m2, m3; + + pack_word(m[0], m[1], m[2], m[3], m0); + pack_word(m[4], m[5], m[6], m[7], m1); + pack_word(m[8], m[9], m[10], m[11], m2); + pack_word(m[12], m[13], m[14], m[15], m3); 
+ + pack_word(s[0], s[1], s[2], s[3], s0); + pack_word(s[4], s[5], s[6], s[7], s1); + pack_word(s[8], s[9], s[10], s[11], s2); + pack_word(s[12], s[13], s[14], s[15], s3); + + pack_word(c[0], c[1], c[2], c[3], c0); + pack_word(c[4], c[5], c[6], c[7], c1); + pack_word(c[8], c[9], c[10], c[11], c2); + pack_word(c[12], c[13], c[14], c[15], c3); + + s0 ^= m0; + s1 ^= m1; + s2 ^= m2; + s3 ^= m3; + + c0 ^= m0; + c1 ^= m1; + c2 ^= m2; + c3 ^= m3; + + unpack_word(s[0], s[1], s[2], s[3], s0); + unpack_word(s[4], s[5], s[6], s[7], s1); + unpack_word(s[8], s[9], s[10], s[11], s2); + unpack_word(s[12], s[13], s[14], s[15], s3); + + unpack_word(c[0], c[1], c[2], c[3], c0); + unpack_word(c[4], c[5], c[6], c[7], c1); + unpack_word(c[8], c[9], c[10], c[11], c2); + unpack_word(c[12], c[13], c[14], c[15], c3); + +#endif + +} + +#define rho_ud16_macro(i) \ + s[i] = s[i] ^ mp[i]; + +void rho_ud16 ( + const unsigned char* m, + unsigned char* c, + unsigned char* s, + int len8) { + + unsigned char mp [16]; + + pad(m,mp,len8); + + g8A(s,c); +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&mp[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&mp[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&mp[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&mp[12]); + + for (int i = 0; i < 16; i++) { + if (i < len8) { + c[i] = c[i] ^ mp[i]; + } + else { + c[i] = 0; + } + } + +#else + + rho_ud16_macro(0); + rho_ud16_macro(1); + rho_ud16_macro(2); + rho_ud16_macro(3); + rho_ud16_macro(4); + rho_ud16_macro(5); + rho_ud16_macro(6); + rho_ud16_macro(7); + rho_ud16_macro(8); + rho_ud16_macro(9); + rho_ud16_macro(10); + rho_ud16_macro(11); + rho_ud16_macro(12); + rho_ud16_macro(13); + rho_ud16_macro(14); + rho_ud16_macro(15); + + for (int i = 0; i < 16; i++) { + if (i < len8) { + c[i] = c[i] ^ mp[i]; + } + else { + c[i] = 0; + } + } + +#endif + +} + +void irho_eqov16 ( + unsigned char* m, + const unsigned char* c, + unsigned char* s) { + + g8A(s,m); + +#ifdef ___ENABLE_WORD_CAST + + uint32_t c0 = 
*(uint32_t*)(&c[0]); + uint32_t c1 = *(uint32_t*)(&c[4]); + uint32_t c2 = *(uint32_t*)(&c[8]); + uint32_t c3 = *(uint32_t*)(&c[12]); + + uint32_t s0 = *(uint32_t*)(&s[0]); + uint32_t s1 = *(uint32_t*)(&s[4]); + uint32_t s2 = *(uint32_t*)(&s[8]); + uint32_t s3 = *(uint32_t*)(&s[12]); + + uint32_t m0 = *(uint32_t*)(&m[0]); + uint32_t m1 = *(uint32_t*)(&m[4]); + uint32_t m2 = *(uint32_t*)(&m[8]); + uint32_t m3 = *(uint32_t*)(&m[12]); + + s0 ^= c0 ^ m0; + s1 ^= c1 ^ m1; + s2 ^= c2 ^ m2; + s3 ^= c3 ^ m3; + + m0 ^= c0; + m1 ^= c1; + m2 ^= c2; + m3 ^= c3; + + *(uint32_t*)(&s[0]) = s0; + *(uint32_t*)(&s[4]) = s1; + *(uint32_t*)(&s[8]) = s2; + *(uint32_t*)(&s[12]) = s3; + + *(uint32_t*)(&m[0]) = m0; + *(uint32_t*)(&m[4]) = m1; + *(uint32_t*)(&m[8]) = m2; + *(uint32_t*)(&m[12]) = m3; + +#else + + uint32_t c0, c1, c2, c3; + uint32_t s0, s1, s2, s3; + uint32_t m0, m1, m2, m3; + + pack_word(m[0], m[1], m[2], m[3], m0); + pack_word(m[4], m[5], m[6], m[7], m1); + pack_word(m[8], m[9], m[10], m[11], m2); + pack_word(m[12], m[13], m[14], m[15], m3); + + pack_word(s[0], s[1], s[2], s[3], s0); + pack_word(s[4], s[5], s[6], s[7], s1); + pack_word(s[8], s[9], s[10], s[11], s2); + pack_word(s[12], s[13], s[14], s[15], s3); + + pack_word(c[0], c[1], c[2], c[3], c0); + pack_word(c[4], c[5], c[6], c[7], c1); + pack_word(c[8], c[9], c[10], c[11], c2); + pack_word(c[12], c[13], c[14], c[15], c3); + + s0 ^= c0 ^ m0; + s1 ^= c1 ^ m1; + s2 ^= c2 ^ m2; + s3 ^= c3 ^ m3; + + m0 ^= c0; + m1 ^= c1; + m2 ^= c2; + m3 ^= c3; + + unpack_word(s[0], s[1], s[2], s[3], s0); + unpack_word(s[4], s[5], s[6], s[7], s1); + unpack_word(s[8], s[9], s[10], s[11], s2); + unpack_word(s[12], s[13], s[14], s[15], s3); + + unpack_word(m[0], m[1], m[2], m[3], m0); + unpack_word(m[4], m[5], m[6], m[7], m1); + unpack_word(m[8], m[9], m[10], m[11], m2); + unpack_word(m[12], m[13], m[14], m[15], m3); + +#endif + +} + +#define irho_ud16_macro(i) \ + s[i] = s[i] ^ cp[i]; + +void irho_ud16 ( + unsigned char* m, + const unsigned 
char* c, + unsigned char* s, + int len8) { + + unsigned char cp [16]; + + pad(c,cp,len8); + + g8A(s,m); + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) ^= *(uint32_t*)(&cp[0]); + *(uint32_t*)(&s[4]) ^= *(uint32_t*)(&cp[4]); + *(uint32_t*)(&s[8]) ^= *(uint32_t*)(&cp[8]); + *(uint32_t*)(&s[12]) ^= *(uint32_t*)(&cp[12]); + + for (int i = 0; i < len8; i++) { + s[i] ^= m[i]; + } + + for (int i = 0; i < 16; i++) { + if (i < len8) { + m[i] = m[i] ^ cp[i]; + } + else { + m[i] = 0; + } + } + +#else + + irho_ud16_macro(0); + irho_ud16_macro(1); + irho_ud16_macro(2); + irho_ud16_macro(3); + irho_ud16_macro(4); + irho_ud16_macro(5); + irho_ud16_macro(6); + irho_ud16_macro(7); + irho_ud16_macro(8); + irho_ud16_macro(9); + irho_ud16_macro(10); + irho_ud16_macro(11); + irho_ud16_macro(12); + irho_ud16_macro(13); + irho_ud16_macro(14); + irho_ud16_macro(15); + + for (int i = 0; i < len8; i++) { + s[i] ^= m[i]; + } + + for (int i = 0; i < 16; i++) { + if (i < len8) { + m[i] = m[i] ^ cp[i]; + } + else { + m[i] = 0; + } + } + +#endif + +} + +void reset_lfsr_gf56 (unsigned char* CNT) { + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&CNT[0]) = 0x00000001; // CNT3 CNT2 CNT1 CNT0 + *(uint32_t*)(&CNT[4]) = 0x00000000; // CNT7 CNT6 CNT5 CNT4 + +#else + + CNT[0] = 0x01; + CNT[1] = 0x00; + CNT[2] = 0x00; + CNT[3] = 0x00; + CNT[4] = 0x00; + CNT[5] = 0x00; + CNT[6] = 0x00; + +#endif + +} + +void lfsr_gf56 (unsigned char* CNT) { + +#ifdef ___ENABLE_WORD_CAST + + uint32_t C0; + uint32_t C1; + uint32_t fb0; + + C0 = *(uint32_t*)(&CNT[0]); // CNT3 CNT2 CNT1 CNT0 + C1 = *(uint32_t*)(&CNT[4]); // CNT7 CNT6 CNT5 CNT4 + + fb0 = 0; + if (CNT[6] & 0x80) { + fb0 = 0x95; + } + + C1 = C1 << 1 | C0 >> 31; + C0 = C0 << 1 ^ fb0; + + *(uint32_t*)(&CNT[0]) = C0; + *(uint32_t*)(&CNT[4]) = C1; + +#else + + uint32_t fb0 = CNT[6] >> 7; + + CNT[6] = (CNT[6] << 1) | (CNT[5] >> 7); + CNT[5] = (CNT[5] << 1) | (CNT[4] >> 7); + CNT[4] = (CNT[4] << 1) | (CNT[3] >> 7); + CNT[3] = (CNT[3] << 1) | (CNT[2] >> 7); + 
CNT[2] = (CNT[2] << 1) | (CNT[1] >> 7); + CNT[1] = (CNT[1] << 1) | (CNT[0] >> 7); + if (fb0 == 1) { + CNT[0] = (CNT[0] << 1) ^ 0x95; + } + else { + CNT[0] = (CNT[0] << 1); + } + +#endif + +} + +void block_cipher( + unsigned char* s, + const unsigned char* k, unsigned char* T, + unsigned char* CNT, unsigned char D, + skinny_ctrl* p_skinny_ctrl) { + + CNT[7] = D; + p_skinny_ctrl->func_skinny_128_384_enc(s, p_skinny_ctrl, CNT, T, k); + +} + +void nonce_encryption ( + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + skinny_ctrl* p_skinny_ctrl) { + + block_cipher(s,k,(unsigned char*)N,CNT,D,p_skinny_ctrl); + +} + +void generate_tag ( + unsigned char** c, unsigned char* s, + unsigned long long* clen) { + +#ifdef ___ENABLE_WORD_CAST + + g8A_for_Tag_Generation(s, *c); + +#else + + g8A(s, *c); + +#endif + *c = *c + 16; + *c = *c - *clen; + +} + +unsigned long long msg_encryption_eqov16 ( + const unsigned char** M, unsigned char** c, + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long mlen, + skinny_ctrl* p_skinny_ctrl) { + + rho_eqov16(*M, *c, s); + *c = *c + 16; + *M = *M + 16; + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,D,p_skinny_ctrl); + return mlen - 16; + +} + +unsigned long long msg_encryption_ud16 ( + const unsigned char** M, unsigned char** c, + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long mlen, + skinny_ctrl* p_skinny_ctrl) { + + rho_ud16(*M, *c, s, mlen); + *c = *c + mlen; + *M = *M + mlen; + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,D,p_skinny_ctrl); + return 0; + +} + +unsigned long long msg_decryption_eqov16 ( + unsigned char** M, const unsigned char** c, + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long clen, + skinny_ctrl* p_skinny_ctrl) { + + 
irho_eqov16(*M, *c, s); + *c = *c + 16; + *M = *M + 16; + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,D,p_skinny_ctrl); + return clen - 16; + +} +unsigned long long msg_decryption_ud16 ( + unsigned char** M, const unsigned char** c, + const unsigned char* N, + unsigned char* CNT, + unsigned char*s, const unsigned char* k, + unsigned char D, + unsigned long long clen, + skinny_ctrl* p_skinny_ctrl) { + + irho_ud16(*M, *c, s, clen); + *c = *c + clen; + *M = *M + clen; + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,D,p_skinny_ctrl); + return 0; + +} + +unsigned long long ad_encryption_eqov32 ( + const unsigned char** A, unsigned char* s, + const unsigned char* k, unsigned long long adlen, + unsigned char* CNT, + unsigned char D, + skinny_ctrl* p_skinny_ctrl) { + + unsigned char T [16]; + + rho_ad_eqov16(*A, s); + *A = *A + 16; + lfsr_gf56(CNT); + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&T[0]) = *(uint32_t*)(&(*A)[0]); + *(uint32_t*)(&T[4]) = *(uint32_t*)(&(*A)[4]); + *(uint32_t*)(&T[8]) = *(uint32_t*)(&(*A)[8]); + *(uint32_t*)(&T[12]) = *(uint32_t*)(&(*A)[12]); + +#else + + T[0] = (*A)[0]; + T[1] = (*A)[1]; + T[2] = (*A)[2]; + T[3] = (*A)[3]; + T[4] = (*A)[4]; + T[5] = (*A)[5]; + T[6] = (*A)[6]; + T[7] = (*A)[7]; + T[8] = (*A)[8]; + T[9] = (*A)[9]; + T[10] = (*A)[10]; + T[11] = (*A)[11]; + T[12] = (*A)[12]; + T[13] = (*A)[13]; + T[14] = (*A)[14]; + T[15] = (*A)[15]; + +#endif + + *A = *A + 16; + block_cipher(s,k,T,CNT,D,p_skinny_ctrl); + lfsr_gf56(CNT); + + return adlen - 32; + +} + +unsigned long long ad_encryption_ov16 ( + const unsigned char** A, unsigned char* s, + const unsigned char* k, unsigned long long adlen, + unsigned char* CNT, + unsigned char D, + skinny_ctrl* p_skinny_ctrl) { + + unsigned char T [16]; + + adlen = adlen - 16; + rho_ad_eqov16(*A, s); + *A = *A + 16; + lfsr_gf56(CNT); + + pad(*A, T, adlen); + *A = *A + adlen; + block_cipher(s,k,T,CNT,D,p_skinny_ctrl); + lfsr_gf56(CNT); + + return 0; + +} + +unsigned long long ad_encryption_eq16 ( + 
const unsigned char** A, unsigned char* s, + unsigned char* CNT) { + + rho_ad_eqov16(*A, s); + *A = *A + 16; + lfsr_gf56(CNT); + + return 0; + +} + +unsigned long long ad_encryption_ud16( + const unsigned char** A, unsigned char* s, + unsigned long long adlen, + unsigned char* CNT) { + + rho_ad_ud16(*A, s, adlen); + *A = *A + adlen; + lfsr_gf56(CNT); + + return 0; + +} + +int crypto_aead_encrypt ( + unsigned char* c, unsigned long long* clen, + const unsigned char* m, unsigned long long mlen, + const unsigned char* ad, unsigned long long adlen, + const unsigned char* nsec, + const unsigned char* npub, + const unsigned char* k) { + + unsigned char s[16]; + unsigned char CNT[8]; + const unsigned char* A; + const unsigned char* M; + const unsigned char* N; + + skinny_ctrl ctrl; + ctrl.func_skinny_128_384_enc = skinny_128_384_enc123_12; + + (void) nsec; + A = ad; + M = m; + N = npub; + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) = 0; + *(uint32_t*)(&s[4]) = 0; + *(uint32_t*)(&s[8]) = 0; + *(uint32_t*)(&s[12]) = 0; + +#else + + s[0] = 0; + s[1] = 0; + s[2] = 0; + s[3] = 0; + s[4] = 0; + s[5] = 0; + s[6] = 0; + s[7] = 0; + s[8] = 0; + s[9] = 0; + s[10] = 0; + s[11] = 0; + s[12] = 0; + s[13] = 0; + s[14] = 0; + s[15] = 0; + +#endif + + reset_lfsr_gf56(CNT); + + if (adlen == 0) { // AD is an empty string + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,0x1a,&ctrl); + } + else while (adlen > 0) { + if (adlen < 16) { // The last block of AD is odd and incomplete + adlen = ad_encryption_ud16(&A,s,adlen,CNT); + nonce_encryption(N,CNT,s,k,0x1a,&ctrl); + } + else if (adlen == 16) { // The last block of AD is odd and complete + adlen = ad_encryption_eq16(&A,s,CNT); + nonce_encryption(N,CNT,s,k,0x18,&ctrl); + } + else if (adlen < 32) { // The last block of AD is even and incomplete + adlen = ad_encryption_ov16(&A,s,k,adlen,CNT,0x08,&ctrl); + nonce_encryption(N,CNT,s,k,0x1a,&ctrl); + } + else if (adlen == 32) { // The last block of AD is even and complete + adlen = 
ad_encryption_eqov32(&A,s,k,adlen,CNT,0x08,&ctrl); + nonce_encryption(N,CNT,s,k,0x18,&ctrl); + } + else { // A normal full pair of blocks of AD + adlen = ad_encryption_eqov32(&A,s,k,adlen,CNT,0x08,&ctrl); + } + } + + ctrl.func_skinny_128_384_enc = skinny_128_384_enc1_1; + + reset_lfsr_gf56(CNT); + + *clen = mlen + 16; + + if (mlen == 0) { // M is an empty string + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,0x15,&ctrl); + } + else while (mlen > 0) { + if (mlen < 16) { // The last block of M is incomplete + mlen = msg_encryption_ud16(&M,&c,N,CNT,s,k,0x15,mlen,&ctrl); + } + else if (mlen == 16) { // The last block of M is complete + mlen = msg_encryption_eqov16(&M,&c,N,CNT,s,k,0x14,mlen,&ctrl); + } + else { // A normal full message block + mlen = msg_encryption_eqov16(&M,&c,N,CNT,s,k,0x04,mlen,&ctrl); + } + } + + // Tag generation + generate_tag(&c,s,clen); + + return 0; + +} + +int crypto_aead_decrypt( + unsigned char *m,unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c,unsigned long long clen, + const unsigned char *ad,unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) { + + unsigned char s[16]; + unsigned char T[16]; + unsigned char CNT[8]; + const unsigned char* A; + unsigned char* M; + const unsigned char* N; + + skinny_ctrl ctrl; + ctrl.func_skinny_128_384_enc = skinny_128_384_enc123_12; + + (void) nsec; + A = ad; + M = m; + N = npub; + +#ifdef ___ENABLE_WORD_CAST + + *(uint32_t*)(&s[0]) = 0; + *(uint32_t*)(&s[4]) = 0; + *(uint32_t*)(&s[8]) = 0; + *(uint32_t*)(&s[12]) = 0; + +#else + + s[0] = 0; + s[1] = 0; + s[2] = 0; + s[3] = 0; + s[4] = 0; + s[5] = 0; + s[6] = 0; + s[7] = 0; + s[8] = 0; + s[9] = 0; + s[10] = 0; + s[11] = 0; + s[12] = 0; + s[13] = 0; + s[14] = 0; + s[15] = 0; + +#endif + + reset_lfsr_gf56(CNT); + + if (adlen == 0) { // AD is an empty string + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,0x1a,&ctrl); + } + else while (adlen > 0) { + if (adlen < 16) { // The last block of AD is odd and 
incomplete + adlen = ad_encryption_ud16(&A,s,adlen,CNT); + nonce_encryption(N,CNT,s,k,0x1a,&ctrl); + } + else if (adlen == 16) { // The last block of AD is odd and complete + adlen = ad_encryption_eq16(&A,s,CNT); + nonce_encryption(N,CNT,s,k,0x18,&ctrl); + } + else if (adlen < 32) { // The last block of AD is even and incomplete + adlen = ad_encryption_ov16(&A,s,k,adlen,CNT,0x08,&ctrl); + nonce_encryption(N,CNT,s,k,0x1a,&ctrl); + } + else if (adlen == 32) { // The last block of AD is even and complete + adlen = ad_encryption_eqov32(&A,s,k,adlen,CNT,0x08,&ctrl); + nonce_encryption(N,CNT,s,k,0x18,&ctrl); + } + else { // A normal full pair of blocks of AD + adlen = ad_encryption_eqov32(&A,s,k,adlen,CNT,0x08,&ctrl); + } + } + + ctrl.func_skinny_128_384_enc = skinny_128_384_enc1_1; + + reset_lfsr_gf56(CNT); + + clen = clen -16; + *mlen = clen; + + if (clen == 0) { // C is an empty string + lfsr_gf56(CNT); + nonce_encryption(N,CNT,s,k,0x15,&ctrl); + } + else while (clen > 0) { + if (clen < 16) { // The last block of C is incomplete + clen = msg_decryption_ud16(&M,&c,N,CNT,s,k,0x15,clen,&ctrl); + } + else if (clen == 16) { // The last block of C is complete + clen = msg_decryption_eqov16(&M,&c,N,CNT,s,k,0x14,clen,&ctrl); + } + else { // A normal full message block + clen = msg_decryption_eqov16(&M,&c,N,CNT,s,k,0x04,clen,&ctrl); + } + } + + // Tag generation +#ifdef ___ENABLE_WORD_CAST + + g8A_for_Tag_Generation(s, T); + +#else + + g8A(s, T); + +#endif + for (int i = 0; i < 16; i++) { + if (T[i] != (*(c+i))) { + return -1; + } + } + + return 0; + +} diff --git a/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/skinny.h b/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/skinny.h new file mode 100644 index 0000000..5b36459 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/skinny.h 
@@ -0,0 +1,69 @@ +#define ___SKINNY_LOOP +#define ___NUM_OF_ROUNDS_56 +#define ___ENABLE_WORD_CAST + +#include + +typedef struct ___skinny_ctrl { +#ifdef ___NUM_OF_ROUNDS_56 + uint32_t roundKeys[240]; // number of rounds : 56 +#else + uint32_t roundKeys[176]; // number of rounds : 40 +#endif + void (*func_skinny_128_384_enc)(unsigned char*, struct ___skinny_ctrl*, unsigned char* CNT, unsigned char* T, const unsigned char* K); +} skinny_ctrl; + +extern void skinny_128_384_enc123_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); +extern void skinny_128_384_enc12_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); +extern void skinny_128_384_enc1_1 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K); + +#define pack_word(x0, x1, x2, x3, w) \ + w = ((x3) << 24) ^ \ + ((x2) << 16) ^ \ + ((x1) << 8) ^ \ + (x0); + +#define unpack_word(x0, x1, x2, x3, w) \ + x0 = ((w) & 0xff); \ + x1 = (((w) >> 8) & 0xff); \ + x2 = (((w) >> 16) & 0xff); \ + x3 = ((w) >> 24); + +#define PERMUTATION() \ +/* permutation */ \ + \ + /* 7 6 5 4 3 2 1 0 */ \ + /* 5 7 2 3 6 0 4 1 */ \ + \ + /* w0 (3 2 1 0) */ \ + /* w1 (7 6 5 4) */ \ + \ + /* w0 (6 0 4 1) */ \ + /* w1 (5 7 2 3) */ \ + \ + t0 = w1 << 8; /* 6 5 4 - */ \ + t0 = t0 & 0xff00ff00; /* 6 - 4 - */ \ + \ + t1 = w1 << 16; /* 5 4 - - */ \ + t1 = t1 & 0xff000000; /* 5 - - - */ \ + \ + t2 = w1 & 0xff000000; /* 7 - - - */ \ + t2 = t2 >> 8; /* - 7 - - */ \ + t1 = t1 ^ t2; /* 5 7 - - */ \ + \ + t2 = w0 & 0xff000000; /* 3 - - - */ \ + t2 = t2 >> 24; /* - - - 3 */ \ + t1 = t1 ^ t2; /* 5 7 - 3 */ \ + \ + w1 = w0 >> 8; /* - 3 2 1 */ \ + w1 = w1 & 0x0000ff00; /* - - 2 - */ \ + w1 = w1 ^ t1; /* 5 7 2 3 */ \ + \ + t2 = w0 & 0x0000ff00; /* - - 1 - */ \ + t2 = t2 >> 8; /* - - - 1 */ \ + t0 = t0 ^ t2; /* 6 - 4 1 */ \ + \ + w0 = w0 << 16; /* 1 0 - - */ \ + w0 = w0 & 
0x00ff0000; /* - 0 - - */ \ + w0 = w0 ^ t0; /* 6 0 4 1 */ + diff --git a/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/skinny_key_schedule2.c b/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/skinny_key_schedule2.c new file mode 100644 index 0000000..923d4b8 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/skinny_key_schedule2.c 
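Review bot: `#define ___ENABLE_WORD_CAST` at the top of this header is unconditional, and the code compiled under it in skinny_main.c (`pt[0] = *(uint32_t*)(&CNT[0]);`, `w0 = *(uint32_t*)(&block[0]);`) reinterprets `unsigned char` buffers as `uint32_t`, which is a strict-aliasing violation and an unaligned access on targets that fault on it; since `pack_word` puts `x0` in the low byte, the cast path only matches the byte path on a little-endian machine. Because the portable `pack_word` path already exists, the define should be opt-in per target, e.g. `#if defined(__ARM_FEATURE_UNALIGNED) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__` around it, or the casts should become `memcpy` into a `uint32_t`. Identifiers starting with a double underscore such as `___SKINNY_LOOP` and `___skinny_ctrl` are reserved for the implementation in C; a `SKINNY_` prefix avoids that. The `#include` line has lost its header name in this rendering; it presumably reads `#include <stdint.h>`, which `uint32_t` in the struct requires.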
@@ -0,0 +1,227 @@ +/****************************************************************************** + * Copyright (c) 2020, NEC Corporation. + * + * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. + * + *****************************************************************************/ + +/* + * SKINNY-128-384 + * + * load * AC(c0 c1) ^ TK3 + * calc AC(c0 c1) ^ TK2 -> store + * ART(TK2) + * + * number of rounds : 40 or 56 + */ + +#include "skinny.h" + +#define PERMUTATION_TK2() \ + \ + /* permutation */ \ + \ + PERMUTATION() \ + \ + /* LFSR(for TK2) (x7 x6 x5 x4 x3 x2 x1 x0) -> (x6 x5 x4 x3 x2 x1 x0 x7^x5) */ \ + w0 = ((w0 << 1) & 0xfefefefe) ^ \ + (((w0 >> 7) ^ (w0 >> 5)) & 0x01010101); \ + w1 = ((w1 << 1) & 0xfefefefe) ^ \ + (((w1 >> 7) ^ (w1 >> 5)) & 0x01010101); \ + \ + /* Load TK3 */ \ + /* TK2^TK3^AC(c0 c1) */ \ + /* store */ \ + *tk2++ = w0 ^ *tk3++; \ + *tk2++ = w1 ^ *tk3++; \ + tk2 += 2; \ + tk3 += 2; + +#ifndef ___SKINNY_LOOP + +void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys) +{ + uint32_t* tk2; // used in MACRO + uint32_t* tk3; // used in MACRO + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t w0; + uint32_t w1; + + // odd + + // load master key + w0 = roundKeys[4]; + w1 = roundKeys[5]; + + tk2 = &roundKeys[16]; +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[96]; +#else + tk3 = &roundKeys[128]; +#endif + + // 1st round + *tk2++ = w0 ^ *tk3++; + *tk2++ = w1 ^ *tk3++; + + tk2 += 2; + tk3 += 2; + + // 3rd,5th, ... ,37th,39th round + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 41th,43th, ... 
,51th,53th round + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + +#endif + + // even + + // load master key + w0 = roundKeys[6]; + w1 = roundKeys[7]; + + tk2 = &roundKeys[18]; +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[98]; +#else + tk3 = &roundKeys[130]; +#endif + + // 2nd,4th, ... ,54th,56th round + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 42nd,44th, ... ,54th,56th round + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + PERMUTATION_TK2(); + +#endif + +} + +#else + +void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys) +{ + uint32_t* tk2; // used in MACRO + uint32_t* tk3; // used in MACRO + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t w0; + uint32_t w1; + + // odd + + // load master key + w0 = roundKeys[4]; + w1 = roundKeys[5]; + + tk2 = &roundKeys[16]; +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[96]; +#else + tk3 = &roundKeys[128]; +#endif + + // 1st round + *tk2++ = w0 ^ *tk3++; + *tk2++ = w1 ^ *tk3++; + + tk2 += 2; + tk3 += 2; + + // 3rd,5th, ... 
+#ifndef ___NUM_OF_ROUNDS_56 + for(int i=0;i<19;i++) +#else + for(int i=0;i<27;i++) +#endif + { + PERMUTATION_TK2(); + } + + // even + + // load master key + w0 = roundKeys[6]; + w1 = roundKeys[7]; + + tk2 = &roundKeys[18]; +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[98]; +#else + tk3 = &roundKeys[130]; +#endif + + // 2nd,4th, ... +#ifndef ___NUM_OF_ROUNDS_56 + for(int i=0;i<20;i++) +#else + for(int i=0;i<28;i++) +#endif + { + PERMUTATION_TK2(); + } + +} + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/skinny_key_schedule3.c b/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/skinny_key_schedule3.c new file mode 100644 index 0000000..39254a6 --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/skinny_key_schedule3.c 
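Review bot: The `roundKeys` layout that both variants of RunEncryptionKeyScheduleTK2 depend on is never written down: the TK2 master words are read from `roundKeys[4..5]` and `[6..7]`, the TK3 schedule is read starting at `&roundKeys[96]` (or `[128]` for 56 rounds), and the combined TK2^TK3^AC words are written from `&roundKeys[16]` two words per round with a four-word stride so odd and even rounds interleave. A short layout comment above the function would make these offsets and the loop bounds 19/27 and 20/28 checkable, e.g. `/* roundKeys: [0..1] TK1 master, [4..7] TK2 master, [8..11] TK3 master, [16..] TK2^TK3^AC two words per round, [96..] or [128..] TK3 schedule */`. The loop bounds are the number of odd or even rounds less the explicitly unrolled first round; deriving them from a single rounds constant such as `for (int i = 0; i < SKINNY_ROUNDS / 2 - 1; i++)` would stop the two `___NUM_OF_ROUNDS_56` branches from drifting apart. `PERMUTATION_TK2()` also silently requires `tk2`, `tk3`, `t0`, `t1`, `t2`, `w0` and `w1` in scope, which its header comment should state.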
@@ -0,0 +1,228 @@ +/****************************************************************************** + * Copyright (c) 2020, NEC Corporation. + * + * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. + * + *****************************************************************************/ + +/* + * SKINNY-128-384 + * + * AC(c0 c1) ^ TK3 -> store + * ART(TK3) + * + * number of rounds : 40 or 56 + */ + +#include "skinny.h" + +#define PERMUTATION_TK3(c0Val, c1Val) \ + \ + /* permutation */ \ + \ + PERMUTATION() \ + \ + /* LFSR(for TK3) (x7 x6 x5 x4 x3 x2 x1 x0) -> (x0^x6 x7 x6 x5 x4 x3 x2 x1) */ \ + w0 = ((w0 >> 1) & 0x7f7f7f7f) ^ \ + (((w0 << 7) ^ (w0 << 1)) & 0x80808080); \ + w1 = ((w1 >> 1) & 0x7f7f7f7f) ^ \ + (((w1 << 7) ^ (w1 << 1)) & 0x80808080); \ + \ + /* K3^AC(c0 c1) */ \ + /* store */ \ + *tk3++ = w0 ^ c0Val; \ + *tk3++ = w1 ^ c1Val; \ + tk3 += 2; + +#ifndef ___SKINNY_LOOP + +void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys) +{ + uint32_t *tk3; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t w0; + uint32_t w1; + + // odd + + // load master key + w0 = roundKeys[8]; + w1 = roundKeys[9]; + +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[96]; +#else + tk3 = &roundKeys[128]; +#endif + + // 1st round + *tk3++ = w0 ^ 0x01; + *tk3++ = w1; + tk3 += 2; + + // 3rd,5th, ... 
,37th,39th round + PERMUTATION_TK3(0x7, 0x000); + PERMUTATION_TK3(0xf, 0x100); + PERMUTATION_TK3(0xd, 0x300); + PERMUTATION_TK3(0x7, 0x300); + PERMUTATION_TK3(0xe, 0x100); + PERMUTATION_TK3(0x9, 0x300); + PERMUTATION_TK3(0x7, 0x200); + PERMUTATION_TK3(0xd, 0x100); + PERMUTATION_TK3(0x5, 0x300); + + PERMUTATION_TK3(0x6, 0x100); + PERMUTATION_TK3(0x8, 0x100); + PERMUTATION_TK3(0x1, 0x200); + PERMUTATION_TK3(0x5, 0x000); + PERMUTATION_TK3(0x7, 0x100); + PERMUTATION_TK3(0xc, 0x100); + PERMUTATION_TK3(0x1, 0x300); + PERMUTATION_TK3(0x6, 0x000); + PERMUTATION_TK3(0xb, 0x100); + PERMUTATION_TK3(0xd, 0x200); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 41td,43th, ... ,53th,55th round + PERMUTATION_TK3(0x4, 0x300); + PERMUTATION_TK3(0x2, 0x100); + PERMUTATION_TK3(0x8, 0x000); + PERMUTATION_TK3(0x2, 0x200); + PERMUTATION_TK3(0x9, 0x000); + PERMUTATION_TK3(0x6, 0x200); + PERMUTATION_TK3(0x9, 0x100); + PERMUTATION_TK3(0x5, 0x200); + +#endif + + // even + + // load master key + w0 = roundKeys[10]; + w1 = roundKeys[11]; + + +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[98]; +#else + tk3 = &roundKeys[130]; +#endif + + // 2nd,4th, ... ,38th,40th round + PERMUTATION_TK3(0x3, 0x000); + PERMUTATION_TK3(0xf, 0x000); + PERMUTATION_TK3(0xe, 0x300); + PERMUTATION_TK3(0xb, 0x300); + PERMUTATION_TK3(0xf, 0x200); + PERMUTATION_TK3(0xc, 0x300); + PERMUTATION_TK3(0x3, 0x300); + PERMUTATION_TK3(0xe, 0x000); + PERMUTATION_TK3(0xa, 0x300); + PERMUTATION_TK3(0xb, 0x200); + + PERMUTATION_TK3(0xc, 0x200); + PERMUTATION_TK3(0x0, 0x300); + PERMUTATION_TK3(0x2, 0x000); + PERMUTATION_TK3(0xb, 0x000); + PERMUTATION_TK3(0xe, 0x200); + PERMUTATION_TK3(0x8, 0x300); + PERMUTATION_TK3(0x3, 0x200); + PERMUTATION_TK3(0xd, 0x000); + PERMUTATION_TK3(0x6, 0x300); + PERMUTATION_TK3(0xa, 0x100); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 42nd,44th, ... 
,54th,56th round + PERMUTATION_TK3(0x9, 0x200); + PERMUTATION_TK3(0x4, 0x200); + PERMUTATION_TK3(0x1, 0x100); + PERMUTATION_TK3(0x4, 0x000); + PERMUTATION_TK3(0x3, 0x100); + PERMUTATION_TK3(0xc, 0x000); + PERMUTATION_TK3(0x2, 0x300); + PERMUTATION_TK3(0xa, 0x000); + +#endif + +} + +#else + +void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys, unsigned char *pRC) +{ + uint32_t *tk3; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t w0; + uint32_t w1; + uint16_t c0; + uint16_t c1; + + // odd + + // load master key + w0 = roundKeys[8]; + w1 = roundKeys[9]; + +#ifndef ___NUM_OF_ROUNDS_56 + tk3 = &roundKeys[96]; +#else + tk3 = &roundKeys[128]; +#endif + + // 1st round + *tk3++ = w0 ^ 0x01; + *tk3++ = w1; + tk3 += 2; + + pRC += 4; + // 3rd,5th, ... +#ifndef ___NUM_OF_ROUNDS_56 + for(int i=0;i<19;i++) +#else + for(int i=0;i<27;i++) +#endif + { + c0 = *pRC++; + c1 = *pRC++; + c1 <<= 8; + pRC += 2; + PERMUTATION_TK3(c0, c1); + } + + // even + + // load master key + w0 = roundKeys[10]; + w1 = roundKeys[11]; + +#ifndef ___NUM_OF_ROUNDS_56 + pRC -= 78; + tk3 = &roundKeys[98]; +#else + pRC -= 110; + tk3 = &roundKeys[130]; +#endif + + // 2nd,4th, ... +#ifndef ___NUM_OF_ROUNDS_56 + for(int i=0;i<20;i++) +#else + for(int i=0;i<28;i++) +#endif + { + c0 = *pRC++; + c1 = *pRC++; + c1 <<= 8; + pRC += 2; + PERMUTATION_TK3(c0, c1); + } + +} + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/skinny_main.c b/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/skinny_main.c new file mode 100644 index 0000000..74222ee --- /dev/null +++ b/romulus/Implementations/crypto_aead/romulusn1/opt32_NEC/skinny_main.c 
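Review bot: In the `___SKINNY_LOOP` variant the rewinds `pRC -= 78;` and `pRC -= 110;` are hand-derived from the loop counts (4 + 19*4 - 2 and 4 + 27*4 - 2) and will silently point into the wrong round constants if either count changes; saving the table start with `const unsigned char *rc0 = pRC;` before the odd loop and resetting with `pRC = rc0 + 2;` before the even loop states the intent directly. `pRC` is only read, so the parameter should be `const unsigned char *pRC`, which also lets the table it points to live in read-only memory. The unrolled variant carries the same constants as literal `PERMUTATION_TK3(c0, c1)` arguments, so the two builds can disagree without any diagnostic; a test vector run under both `___SKINNY_LOOP` settings is the only guard against that.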
@@ -0,0 +1,537 @@ +/****************************************************************************** + * Copyright (c) 2020, NEC Corporation. + * + * THIS CODE IS FURNISHED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. + * + *****************************************************************************/ + +/* + * SKINNY-128-384 + * + * ART(TK1) -> store + * load AC(c0 c1) ^ TK3 ^ TK2 + * load TK1 + * calc AC(c0 c1) ^ TK3 ^ TK2 ^ TK1 -> use at (AC->ART) + * SC->SR->(AC->ART)->MC + * + * number of rounds : 40 or 56 + */ + +#include "skinny.h" + +/* + * S-BOX + */ +unsigned char SBOX[] += { + // Original + 0x65, 0x4c, 0x6a, 0x42, 0x4b, 0x63, 0x43, 0x6b, 0x55, 0x75, 0x5a, 0x7a, 0x53, 0x73, 0x5b, 0x7b, + 0x35, 0x8c, 0x3a, 0x81, 0x89, 0x33, 0x80, 0x3b, 0x95, 0x25, 0x98, 0x2a, 0x90, 0x23, 0x99, 0x2b, + 0xe5, 0xcc, 0xe8, 0xc1, 0xc9, 0xe0, 0xc0, 0xe9, 0xd5, 0xf5, 0xd8, 0xf8, 0xd0, 0xf0, 0xd9, 0xf9, + 0xa5, 0x1c, 0xa8, 0x12, 0x1b, 0xa0, 0x13, 0xa9, 0x05, 0xb5, 0x0a, 0xb8, 0x03, 0xb0, 0x0b, 0xb9, + 0x32, 0x88, 0x3c, 0x85, 0x8d, 0x34, 0x84, 0x3d, 0x91, 0x22, 0x9c, 0x2c, 0x94, 0x24, 0x9d, 0x2d, + 0x62, 0x4a, 0x6c, 0x45, 0x4d, 0x64, 0x44, 0x6d, 0x52, 0x72, 0x5c, 0x7c, 0x54, 0x74, 0x5d, 0x7d, + 0xa1, 0x1a, 0xac, 0x15, 0x1d, 0xa4, 0x14, 0xad, 0x02, 0xb1, 0x0c, 0xbc, 0x04, 0xb4, 0x0d, 0xbd, + 0xe1, 0xc8, 0xec, 0xc5, 0xcd, 0xe4, 0xc4, 0xed, 0xd1, 0xf1, 0xdc, 0xfc, 0xd4, 0xf4, 0xdd, 0xfd, + 0x36, 0x8e, 0x38, 0x82, 0x8b, 0x30, 0x83, 0x39, 0x96, 0x26, 0x9a, 0x28, 0x93, 0x20, 0x9b, 0x29, + 0x66, 0x4e, 0x68, 0x41, 0x49, 0x60, 0x40, 0x69, 0x56, 0x76, 0x58, 0x78, 0x50, 0x70, 0x59, 0x79, + 0xa6, 0x1e, 0xaa, 0x11, 0x19, 0xa3, 0x10, 0xab, 0x06, 0xb6, 0x08, 0xba, 0x00, 0xb3, 0x09, 0xbb, + 0xe6, 0xce, 0xea, 0xc2, 0xcb, 0xe3, 0xc3, 0xeb, 0xd6, 0xf6, 0xda, 0xfa, 0xd3, 0xf3, 0xdb, 0xfb, + 0x31, 0x8a, 0x3e, 0x86, 0x8f, 0x37, 0x87, 0x3f, 0x92, 0x21, 0x9e, 0x2e, 0x97, 0x27, 0x9f, 0x2f, + 0x61, 0x48, 0x6e, 0x46, 0x4f, 0x67, 0x47, 0x6f, 0x51, 0x71, 0x5e, 0x7e, 0x57, 0x77, 0x5f, 0x7f, + 0xa2, 0x18, 0xae, 
0x16, 0x1f, 0xa7, 0x17, 0xaf, 0x01, 0xb2, 0x0e, 0xbe, 0x07, 0xb7, 0x0f, 0xbf, + 0xe2, 0xca, 0xee, 0xc6, 0xcf, 0xe7, 0xc7, 0xef, 0xd2, 0xf2, 0xde, 0xfe, 0xd7, 0xf7, 0xdf, 0xff, +}; + + /* + * S-BOX ^ AC(c2) + */ +unsigned char SBOX2[] += { // Original ^ c2(0x02) + 0x67, 0x4e, 0x68, 0x40, 0x49, 0x61, 0x41, 0x69, 0x57, 0x77, 0x58, 0x78, 0x51, 0x71, 0x59, 0x79, + 0x37, 0x8e, 0x38, 0x83, 0x8b, 0x31, 0x82, 0x39, 0x97, 0x27, 0x9a, 0x28, 0x92, 0x21, 0x9b, 0x29, + 0xe7, 0xce, 0xea, 0xc3, 0xcb, 0xe2, 0xc2, 0xeb, 0xd7, 0xf7, 0xda, 0xfa, 0xd2, 0xf2, 0xdb, 0xfb, + 0xa7, 0x1e, 0xaa, 0x10, 0x19, 0xa2, 0x11, 0xab, 0x07, 0xb7, 0x08, 0xba, 0x01, 0xb2, 0x09, 0xbb, + 0x30, 0x8a, 0x3e, 0x87, 0x8f, 0x36, 0x86, 0x3f, 0x93, 0x20, 0x9e, 0x2e, 0x96, 0x26, 0x9f, 0x2f, + 0x60, 0x48, 0x6e, 0x47, 0x4f, 0x66, 0x46, 0x6f, 0x50, 0x70, 0x5e, 0x7e, 0x56, 0x76, 0x5f, 0x7f, + 0xa3, 0x18, 0xae, 0x17, 0x1f, 0xa6, 0x16, 0xaf, 0x00, 0xb3, 0x0e, 0xbe, 0x06, 0xb6, 0x0f, 0xbf, + 0xe3, 0xca, 0xee, 0xc7, 0xcf, 0xe6, 0xc6, 0xef, 0xd3, 0xf3, 0xde, 0xfe, 0xd6, 0xf6, 0xdf, 0xff, + 0x34, 0x8c, 0x3a, 0x80, 0x89, 0x32, 0x81, 0x3b, 0x94, 0x24, 0x98, 0x2a, 0x91, 0x22, 0x99, 0x2b, + 0x64, 0x4c, 0x6a, 0x43, 0x4b, 0x62, 0x42, 0x6b, 0x54, 0x74, 0x5a, 0x7a, 0x52, 0x72, 0x5b, 0x7b, + 0xa4, 0x1c, 0xa8, 0x13, 0x1b, 0xa1, 0x12, 0xa9, 0x04, 0xb4, 0x0a, 0xb8, 0x02, 0xb1, 0x0b, 0xb9, + 0xe4, 0xcc, 0xe8, 0xc0, 0xc9, 0xe1, 0xc1, 0xe9, 0xd4, 0xf4, 0xd8, 0xf8, 0xd1, 0xf1, 0xd9, 0xf9, + 0x33, 0x88, 0x3c, 0x84, 0x8d, 0x35, 0x85, 0x3d, 0x90, 0x23, 0x9c, 0x2c, 0x95, 0x25, 0x9d, 0x2d, + 0x63, 0x4a, 0x6c, 0x44, 0x4d, 0x65, 0x45, 0x6d, 0x53, 0x73, 0x5c, 0x7c, 0x55, 0x75, 0x5d, 0x7d, + 0xa0, 0x1a, 0xac, 0x14, 0x1d, 0xa5, 0x15, 0xad, 0x03, 0xb0, 0x0c, 0xbc, 0x05, 0xb5, 0x0d, 0xbd, + 0xe0, 0xc8, 0xec, 0xc4, 0xcd, 0xe5, 0xc5, 0xed, 0xd0, 0xf0, 0xdc, 0xfc, 0xd5, 0xf5, 0xdd, 0xfd, +}; + +#ifdef ___SKINNY_LOOP +/* + * Round Constants + */ +unsigned char RC[] += { + 0x01, 0x00, 0x03, 0x00, 0x07, 0x00, 0x0f, 0x00, 0x0f, 0x01, 0x0e, 0x03, 0x0d, 0x03, 
0x0b, 0x03, + 0x07, 0x03, 0x0f, 0x02, 0x0e, 0x01, 0x0c, 0x03, 0x09, 0x03, 0x03, 0x03, 0x07, 0x02, 0x0e, 0x00, + 0x0d, 0x01, 0x0a, 0x03, 0x05, 0x03, 0x0b, 0x02, 0x06, 0x01, 0x0c, 0x02, 0x08, 0x01, 0x00, 0x03, + 0x01, 0x02, 0x02, 0x00, 0x05, 0x00, 0x0b, 0x00, 0x07, 0x01, 0x0e, 0x02, 0x0c, 0x01, 0x08, 0x03, + 0x01, 0x03, 0x03, 0x02, 0x06, 0x00, 0x0d, 0x00, 0x0b, 0x01, 0x06, 0x03, 0x0d, 0x02, 0x0a, 0x01, +#ifdef ___NUM_OF_ROUNDS_56 + 0x04, 0x03, 0x09, 0x02, 0x02, 0x01, 0x04, 0x02, 0x08, 0x00, 0x01, 0x01, 0x02, 0x02, 0x04, 0x00, + 0x09, 0x00, 0x03, 0x01, 0x06, 0x02, 0x0c, 0x00, 0x09, 0x01, 0x02, 0x03, 0x05, 0x02, 0x0a, 0x00, +#endif + }; +#endif + +extern void Encrypt(unsigned char *block, uint32_t *roundKeys, unsigned char *sbox, unsigned char *sbox2); +extern void RunEncryptionKeyScheduleTK2(uint32_t *roundKeys); +#ifdef ___SKINNY_LOOP +extern void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys, unsigned char *pRC); +#else +extern void RunEncryptionKeyScheduleTK3(uint32_t *roundKeys); +#endif + +void skinny_128_384_enc123_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K) +{ + uint32_t *pt = &pskinny_ctrl->roundKeys[0]; +#ifndef ___ENABLE_WORD_CAST + pack_word(CNT[0], CNT[1], CNT[2], CNT[3], pt[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pack_word(T[0], T[1], T[2], T[3], pt[4]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pack_word(T[8], T[9], T[10], T[11], pt[6]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); + + pack_word(K[0], K[1], K[2], K[3], pt[8]); + pack_word(K[7], K[4], K[5], K[6], pt[9]); + pack_word(K[8], K[9], K[10], K[11], pt[10]); + pack_word(K[15], K[12], K[13], K[14], pt[11]); +#else + pt[0] = *(uint32_t*)(&CNT[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pt[4] = *(uint32_t*)(&T[0]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pt[6] = *(uint32_t*)(&T[8]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); + + pt[8] = *(uint32_t*)(&K[0]); + 
pack_word(K[7], K[4], K[5], K[6], pt[9]); + pt[10] = *(uint32_t*)(&K[8]); + pack_word(K[15], K[12], K[13], K[14], pt[11]); +#endif + +#ifdef ___SKINNY_LOOP + RunEncryptionKeyScheduleTK3(pskinny_ctrl->roundKeys, RC); +#else + RunEncryptionKeyScheduleTK3(pskinny_ctrl->roundKeys); +#endif + RunEncryptionKeyScheduleTK2(pskinny_ctrl->roundKeys); + Encrypt(input, pskinny_ctrl->roundKeys, SBOX, SBOX2); + + pskinny_ctrl->func_skinny_128_384_enc = skinny_128_384_enc12_12; + +} + +void skinny_128_384_enc12_12 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K) +{ + (void)K; + + uint32_t *pt = &pskinny_ctrl->roundKeys[0]; +#ifndef ___ENABLE_WORD_CAST + pack_word(CNT[0], CNT[1], CNT[2], CNT[3], pt[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pack_word(T[0], T[1], T[2], T[3], pt[4]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pack_word(T[8], T[9], T[10], T[11], pt[6]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); +#else + pt[0] = *(uint32_t*)(&CNT[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); + + pt[4] = *(uint32_t*)(&T[0]); + pack_word(T[7], T[4], T[5], T[6], pt[5]); + pt[6] = *(uint32_t*)(&T[8]); + pack_word(T[15], T[12], T[13], T[14], pt[7]); +#endif + + RunEncryptionKeyScheduleTK2(pskinny_ctrl->roundKeys); + Encrypt(input, pskinny_ctrl->roundKeys, SBOX, SBOX2); + +} + +extern void skinny_128_384_enc1_1 (unsigned char* input, skinny_ctrl* pskinny_ctrl, unsigned char* CNT, unsigned char* T, const unsigned char* K) +{ + (void)T; + (void)K; + + uint32_t *pt = &pskinny_ctrl->roundKeys[0]; +#ifndef ___ENABLE_WORD_CAST + pack_word(CNT[0], CNT[1], CNT[2], CNT[3], pt[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); +#else + pt[0] = *(uint32_t*)(&CNT[0]); + pack_word(CNT[7], CNT[4], CNT[5], CNT[6], pt[1]); +#endif + + Encrypt(input, pskinny_ctrl->roundKeys, SBOX, SBOX2); + +} + +#define PERMUTATION_TK1() \ +/* permutation */ \ + \ + PERMUTATION(); \ + \ + /* store */ \ + \ + *tk1++ = 
w0; \ + *tk1++ = w1; + +#define SBOX_0(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox[t0]; \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0) ^ \ + (t1 << 8) ^ \ + (t2 << 16) ^ \ + (t3 << 24); + +#define SBOX_8(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox[t0]; \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0 << 8) ^ \ + (t1 << 16) ^ \ + (t2 << 24) ^ \ + (t3); + +#define SBOX_16(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox2[t0]; /* AC(c2) */ \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0 << 16) ^ \ + (t1 << 24) ^ \ + (t2) ^ \ + (t3 << 8); + +#define SBOX_24(w) \ + \ + t0 = (w) & 0xff; \ + t1 = (w >> 8) & 0xff; \ + t2 = (w >> 16) & 0xff; \ + t3 = (w >> 24); \ + \ + t0 = sbox[t0]; \ + t1 = sbox[t1]; \ + t2 = sbox[t2]; \ + t3 = sbox[t3]; \ + \ + w = (t0 << 24) ^ \ + (t1) ^ \ + (t2 << 8) ^ \ + (t3 << 16); + +#define SKINNY_MAIN() \ + \ + /* odd */ \ + \ + /* LUT(with ShiftRows) */ \ + \ + SBOX_0(w0); \ + SBOX_8(w1); \ + SBOX_16(w2); \ + SBOX_24(w3); \ + \ + /* LUT(with ShiftRows & AC(c2) */ \ + \ + w0 ^= *tk2++; \ + w1 ^= *tk2++; \ + \ + /* Load TK1 */ \ + \ + w0 ^= *tk1++; \ + w1 ^= *tk1++; \ + \ + /* MC */ \ + /* 0 2 3 */ \ + /* 0 */ \ + /* 1 2 */ \ + /* 0 2 */ \ + \ + /* 0^2 */ \ + t0 = w0 ^ w2; \ + \ + /* 1^2 */ \ + w2 = w1 ^ w2; \ + \ + /* 0 */ \ + w1 = w0; \ + \ + /* 0^2^3 */ \ + w0 = t0 ^ w3; \ + \ + /* 0^2 */ \ + w3 = t0; \ + \ + /* even */ \ + \ + /* LUT(with ShiftRows & AC(c2) */ \ + \ + SBOX_0(w0); \ + SBOX_8(w1); \ + SBOX_16(w2); \ + SBOX_24(w3); \ + \ + /* Load TK2^TK3^AC(c0 c1) */ \ + \ + w0 ^= *tk2++; \ + w1 ^= *tk2++; \ + \ + /* MC */ \ + /* 0 2 3 */ \ + /* 0 */ \ + /* 1 2 */ \ + /* 0 2 */ \ + \ + /* 0^2 */ \ + t0 = w0 ^ w2; \ + \ + /* 1^2 */ \ + w2 = w1 ^ w2; \ + \ 
+ /* 0 */ \ + w1 = w0; \ + \ + /* 0^2^3 */ \ + w0 = t0 ^ w3; \ + \ + /* 0^2 */ \ + w3 = t0; + +#ifndef ___SKINNY_LOOP + +void Encrypt(unsigned char *block, uint32_t *roundKeys, unsigned char *sbox, unsigned char *sbox2) +{ + uint32_t *tk1; + uint32_t *tk2; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t t3; // used in MACRO + uint32_t w0; + uint32_t w1; + uint32_t w2; + uint32_t w3; + +// TK1 + + // load master key + w0 = roundKeys[0]; + w1 = roundKeys[1]; + + // 1st round + // not need to store + + tk1 = &roundKeys[2]; + + // 2nd, ... ,8th round + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + PERMUTATION_TK1(); + +// SB+AC+ShR+MC + +#ifndef ___ENABLE_WORD_CAST + pack_word(block[0], block[1], block[2], block[3], w0); + pack_word(block[4], block[5], block[6], block[7], w1); + pack_word(block[8], block[9], block[10], block[11], w2); + pack_word(block[12], block[13], block[14], block[15], w3); +#else + w0 = *(uint32_t*)(&block[0]); + w1 = *(uint32_t*)(&block[4]); + w2 = *(uint32_t*)(&block[8]); + w3 = *(uint32_t*)(&block[12]); +#endif + + tk2 = &roundKeys[16]; + tk1 = &roundKeys[0]; + + // 1st, ...,16th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + + tk1 = &roundKeys[0]; + + // 17th, ...,32th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + + tk1 = &roundKeys[0]; + + // 33th, ...,40th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + +#ifdef ___NUM_OF_ROUNDS_56 + + // 41th, ...,48th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + + tk1 = &roundKeys[0]; + + // 49th, ... 
,56th round + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + SKINNY_MAIN(); + +#endif + +#ifndef ___ENABLE_WORD_CAST + unpack_word(block[0], block[1], block[2], block[3], w0); + unpack_word(block[4], block[5], block[6], block[7], w1); + unpack_word(block[8], block[9], block[10], block[11], w2); + unpack_word(block[12], block[13], block[14], block[15], w3); +#else + *(uint32_t*)(&block[0]) = w0; + *(uint32_t*)(&block[4]) = w1; + *(uint32_t*)(&block[8]) = w2; + *(uint32_t*)(&block[12]) = w3; +#endif + +} + +#else + +void Encrypt(unsigned char *block, uint32_t *roundKeys, unsigned char *sbox, unsigned char *sbox2) +{ + uint32_t *tk1; + uint32_t *tk2; + uint32_t t0; // used in MACRO + uint32_t t1; // used in MACRO + uint32_t t2; // used in MACRO + uint32_t t3; // used in MACRO + uint32_t w0; + uint32_t w1; + uint32_t w2; + uint32_t w3; + +// TK1 + + // load master key + w0 = roundKeys[0]; + w1 = roundKeys[1]; + + // 1st round + // not need to store + + tk1 = &roundKeys[2]; + + // 2nd, ... ,8th round + for(int i=0;i<7;i++) + { + PERMUTATION_TK1(); + } + +// SB+AC+ShR+MC + +#ifndef ___ENABLE_WORD_CAST + pack_word(block[0], block[1], block[2], block[3], w0); + pack_word(block[4], block[5], block[6], block[7], w1); + pack_word(block[8], block[9], block[10], block[11], w2); + pack_word(block[12], block[13], block[14], block[15], w3); +#else + w0 = *(uint32_t*)(&block[0]); + w1 = *(uint32_t*)(&block[4]); + w2 = *(uint32_t*)(&block[8]); + w3 = *(uint32_t*)(&block[12]); +#endif + + tk2 = &roundKeys[16]; + + // 1st, ... ,32th or 48th round +#ifndef ___NUM_OF_ROUNDS_56 + for(int j=0;j<2;j++) +#else + for(int j=0;j<3;j++) +#endif + { + tk1 = &roundKeys[0]; + for(int i=0;i<8;i++) + { + SKINNY_MAIN(); + } + } + + // 33th , ... ,40th or 49th, .... 
,56th round + { + tk1 = &roundKeys[0]; + for(int i=0;i<4;i++) + { + SKINNY_MAIN(); + } + } +#ifndef ___ENABLE_WORD_CAST + unpack_word(block[0], block[1], block[2], block[3], w0); + unpack_word(block[4], block[5], block[6], block[7], w1); + unpack_word(block[8], block[9], block[10], block[11], w2); + unpack_word(block[12], block[13], block[14], block[15], w3); +#else + *(uint32_t*)(&block[0]) = w0; + *(uint32_t*)(&block[4]) = w1; + *(uint32_t*)(&block[8]) = w2; + *(uint32_t*)(&block[12]) = w3; +#endif + +} + +#endif diff --git a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-skinny128-avr.S b/romulus/Implementations/crypto_aead/romulusn1/rhys/internal-skinny128-avr.S similarity index 100% rename from romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-skinny128-avr.S rename to romulus/Implementations/crypto_aead/romulusn1/rhys/internal-skinny128-avr.S diff --git a/romulus/Implementations/crypto_aead/romulusn1/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusn1/rhys/internal-skinny128.c index 65ba4ed..579ced1 100644 --- a/romulus/Implementations/crypto_aead/romulusn1/rhys/internal-skinny128.c +++ b/romulus/Implementations/crypto_aead/romulusn1/rhys/internal-skinny128.c @@ -25,6 +25,8 @@ #include "internal-util.h" #include +#if !defined(__AVR__) + STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) { /* This function is used to fast-forward the TK1 tweak value 
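Review bot: `SBOX`, `SBOX2` and `RC` are defined as plain `unsigned char` arrays with external linkage, so the cipher's tables are writable RAM that any other module in the image can alter; `static const unsigned char SBOX[] =` (and likewise for `SBOX2` and `RC`) together with `const unsigned char *sbox, const unsigned char *sbox2` in Encrypt's signature fixes that without changing behavior. Separately, the `SBOX_*` macros index the tables with state bytes (`t0 = sbox[t0];`), which is a secret-dependent memory access and therefore a cache-timing channel on cores with a data cache; this is inherent to the table-based design and acceptable on cacheless microcontrollers, but the file header should say which targets it is intended for. The `extern` on the definition of `skinny_128_384_enc1_1` is harmless but misleading on a definition and should be removed.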
@@ -55,42 +57,33 @@ STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) ((row3 << 24) & 0xFF000000U); } -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t TK3[4]; uint32_t *schedule; unsigned round; uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || (key_len != 32 && key_len != 48)) - return 0; - +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); + memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); +#else /* Set the initial states of TK1, TK2, and TK3 */ - if (key_len == 32) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - TK3[0] = le_load_word32(key + 16); - TK3[1] = le_load_word32(key + 20); - TK3[2] = le_load_word32(key + 24); - TK3[3] = le_load_word32(key + 28); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); /* Set up the key schedule using TK2 and TK3. TK1 is not added * to the key schedule because we will derive that part of the 
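Review bot: Both preprocessor branches of skinny_128_384_init copy the same first 16 bytes of `key` into `ks->TK1`, but spell the length differently (`memcpy(ks->TK1, key, sizeof(ks->TK1));` in the small-schedule branch, `memcpy(ks->TK1, key, 16);` in the full one). Hoisting a single `memcpy(ks->TK1, key, sizeof(ks->TK1));` above the `#if` removes the duplication and keeps the length tied to the field. skinny_128_256_init has the same pattern.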
@@ -116,20 +109,7 @@ int skinny_128_384_init skinny128_LFSR3(TK3[0]); skinny128_LFSR3(TK3[1]); } - return 1; -} - -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_384_encrypt @@ -138,7 +118,13 @@ void skinny_128_384_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -148,14 +134,24 @@ void skinny_128_384_encrypt s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
@@ -163,8 +159,15 @@ void skinny_128_384_encrypt skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -185,6 +188,16 @@ void skinny_128_384_encrypt /* Permute TK1 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ @@ -200,7 +213,13 @@ void skinny_128_384_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0x15; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; 
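Review bot: `uint8_t rc = 0x15;` in the small-schedule branch of skinny_128_384_decrypt is an unexplained constant, as is `0x09` in skinny_128_256_decrypt. By my count it is the round-constant LFSR value for round SKINNY_128_384_ROUNDS + 1, which is the right seed because the decrypt loop steps the LFSR backwards before each use, but that coupling to the round count is invisible here and a change to SKINNY_128_384_ROUNDS would silently produce wrong plaintext. Suggest `uint8_t rc = 0x15; /* LFSR state for round SKINNY_128_384_ROUNDS + 1; stepped backwards before each use below */` and the matching comment on the `0x09` seed.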
@@ -215,15 +234,47 @@ void skinny_128_384_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Permute TK1 to fast-forward it to the end of the key schedule */ skinny128_fast_forward_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_fast_forward_tk(TK2); + skinny128_fast_forward_tk(TK3); + for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2 and TK3. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + skinny128_LFSR3(TK3[2]); + skinny128_LFSR3(TK3[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_inv_permute_tk(TK3); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); + skinny128_LFSR2(TK3[2]); + skinny128_LFSR2(TK3[3]); +#endif /* Inverse mix of the columns */ temp = s3; 
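Review bot: The added fast-forward loop uses a `//` comment (`// Also fast-forward the LFSR's on every byte of TK2 and TK3.`) while the rest of this file uses `/* */` block comments; the same appears in skinny_128_256_decrypt. The comment also states what the loop does but not why stepping `round` by two and applying the LFSR to all four words matches the per-round update, which only touches two words after the permutation — presumably because the tweakey permutation swaps the halves each round, but that is the non-obvious part and should be stated. Suggest `/* Fast-forward the LFSRs: each round advances two of the four words, so over ROUNDS rounds every word advances ROUNDS/2 times */`.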
@@ -240,8 +291,15 @@ void skinny_128_384_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ @@ -259,13 +317,18 @@ void skinny_128_384_decrypt } void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2) { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; uint32_t TK2[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -275,7 +338,7 @@ void skinny_128_384_encrypt_tk2 s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); @@ -284,9 +347,15 @@ void skinny_128_384_encrypt_tk2 TK2[1] = le_load_word32(tk2 + 4); TK2[2] = le_load_word32(tk2 + 8); TK2[3] = le_load_word32(tk2 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
@@ -294,8 +363,15 @@ void skinny_128_384_encrypt_tk2 skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -319,6 +395,13 @@ void skinny_128_384_encrypt_tk2 skinny128_permute_tk(TK2); skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK3); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -408,33 +491,27 @@ void skinny_128_384_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t *schedule; unsigned round; uint8_t rc; +#endif - /* Validate the parameters */ - if (!ks || !key || (key_len != 16 && key_len != 32)) - return 0; - +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); +#else /* Set the initial states of TK1 and TK2 */ - if (key_len == 16) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); /* Set up the key schedule using TK2. TK1 is not added * to the key schedule because we will derive that part of the @@ -457,20 +534,7 @@ int skinny_128_256_init skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); } - return 1; -} - -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_256_encrypt 
@@ -479,7 +543,12 @@ void skinny_128_256_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -494,18 +563,31 @@ void skinny_128_256_encrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); skinny128_sbox(s2); skinny128_sbox(s3); - /* Apply the subkey for this round */ + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -524,8 +606,15 @@ void skinny_128_256_encrypt s1 = s0; s0 = temp; - /* Permute TK1 for the next round */ + /* Permute TK1 and TK2 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -541,7 +630,12 @@ void skinny_128_256_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; @@ -558,12 +652,29 @@ void skinny_128_256_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif /* Inverse mix of the columns */ temp = s3; @@ -580,8 +691,15 @@ void skinny_128_256_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ 
@@ -670,142 +788,14 @@ void skinny_128_256_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len) -{ - uint32_t TK1[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || key_len != 16) - return 0; - - /* Set the initial state of TK1 */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); +#else /* __AVR__ */ - /* Set up the key schedule using TK1 */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. - * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK1[0] ^ (rc & 0x0F); - schedule[1] = TK1[1] ^ (rc >> 4); - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); - } - return 1; -} - -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) { - uint32_t s0, s1, s2, s3; - const uint32_t *schedule = ks->k; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; 
- s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); } -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - const uint32_t *schedule; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; - s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} +#endif /* __AVR__ */ 
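Review bot: The AVR `skinny_128_384_encrypt_tk2` copies `tk2` into `ks->TK2` and never restores it, so the caller's schedule is left holding the last tk2 rather than the TK2 it was initialised with (the header says that part "should be set to zero"), and a later skinny_128_384_encrypt() on the same `ks` silently uses it. If callers are expected to interleave the two functions on one schedule, zero or restore `ks->TK2` after the inner call; otherwise document the persistent side effect at the definition, e.g. `/* ks->TK2 is overwritten and stays overwritten: tk2 becomes the schedule's TK2 for later calls */`. The hunk starts on the previous line.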
diff --git a/romulus/Implementations/crypto_aead/romulusn1/rhys/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusn1/rhys/internal-skinny128.h
index 76b34f5..2bfda3c 100644
--- a/romulus/Implementations/crypto_aead/romulusn1/rhys/internal-skinny128.h
+++ b/romulus/Implementations/crypto_aead/romulusn1/rhys/internal-skinny128.h
@@ -39,6 +39,16 @@ extern "C" {
 #endif
 
 /**
+ * \def SKINNY_128_SMALL_SCHEDULE
+ * \brief Defined to 1 to use the small key schedule version of SKINNY-128.
+ */
+#if defined(__AVR__)
+#define SKINNY_128_SMALL_SCHEDULE 1
+#else
+#define SKINNY_128_SMALL_SCHEDULE 0
+#endif
+
+/**
 * \brief Size of a block for SKINNY-128 block ciphers.
 */
 #define SKINNY_128_BLOCK_SIZE 16
@@ -56,8 +66,16 @@ typedef struct
 /** TK1 for the tweakable part of the key schedule */
 uint8_t TK1[16];
 
- /** Words of the key schedule */
+#if SKINNY_128_SMALL_SCHEDULE
+ /** TK2 for the small key schedule */
+ uint8_t TK2[16];
+
+ /** TK3 for the small key schedule */
+ uint8_t TK3[16];
+#else
+ /** Words of the full key schedule */
 uint32_t k[SKINNY_128_384_ROUNDS * 2];
+#endif
 
 } skinny_128_384_key_schedule_t;
 
@@ -66,29 +84,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 32 or 48, - * where 32 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); /** * \brief Encrypts a 128-bit block with SKINNY-128-384. @@ -133,9 +131,12 @@ void skinny_128_384_decrypt * This version is useful when both TK1 and TK2 change from block to block. * When the key is initialized with skinny_128_384_init(), the TK2 part of * the key value should be set to zero. + * + * \note Some versions of this function may modify the key schedule to + * copy tk2 into place. */ void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2); /** @@ -170,8 +171,13 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_256_ROUNDS * 2]; +#endif } skinny_128_256_key_schedule_t; 
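Review bot: The skinny_128_384_init documentation no longer says how long `key` must be — the `\param key_len` text is removed and `\param key Points to the key data.` is all that remains, while the implementation now reads 48 bytes as TK1 (0..15), TK2 (16..31) and TK3 (32..47) with no validation. Suggest `\param key Points to the 48 bytes of key data: TK1 in the first 16 bytes, TK2 in the next 16 and TK3 in the last 16.` The skinny_128_256_init documentation in the later hunk of this header has the same gap and needs the corresponding `32 bytes: TK1 then TK2` wording.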
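Review bot: `\note Some versions of this function may modify the key schedule to copy tk2 into place.` is too vague to act on: the AVR build's wrapper does `memcpy(ks->TK2, tk2, 16)` and leaves it there, so a subsequent skinny_128_384_encrypt() on the same `ks` uses that tk2 instead of the TK2 the schedule was initialised with, and the call is not safe on a schedule shared between threads. Suggest stating both consequences: `\note On AVR builds (SKINNY_128_SMALL_SCHEDULE) tk2 is copied into ks->TK2 and remains there, so later calls using ks see the new TK2, and ks must not be used concurrently.`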
@@ -180,29 +186,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16 or 32, - * where 16 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); /** * \brief Encrypts a 128-bit block with SKINNY-128-256. 
@@ -251,63 +237,6 @@ void skinny_128_256_encrypt_tk_full (const unsigned char key[32], unsigned char *output, const unsigned char *input); -/** - * \brief Number of rounds for SKINNY-128-128. - */ -#define SKINNY_128_128_ROUNDS 40 - -/** - * \brief Structure of the key schedule for SKINNY-128-128. - */ -typedef struct -{ - /** Words of the key schedule */ - uint32_t k[SKINNY_128_128_ROUNDS * 2]; - -} skinny_128_128_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-128. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - #ifdef __cplusplus } #endif 
diff --git a/romulus/Implementations/crypto_aead/romulusn1/rhys/internal-util.h b/romulus/Implementations/crypto_aead/romulusn1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/romulus/Implementations/crypto_aead/romulusn1/rhys/internal-util.h
+++ b/romulus/Implementations/crypto_aead/romulusn1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
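Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is defined unconditionally from `__AVR__`, so the composed rotation macros that this selects (the large block in the following hunk) can only ever be compiled on an AVR toolchain and cannot be checked on a host against the generic `leftRotate`/`rightRotate` they are meant to equal. Wrapping the definition in `#ifndef LW_CRYPTO_ROTATE32_COMPOSED` would let a host build force the composed set on and compare the two implementations for all 31 counts.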
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/romulus/Implementations/crypto_aead/romulusn1/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusn1/rhys/romulus.c index be1c0fa..bb19cc5 100644 --- a/romulus/Implementations/crypto_aead/romulusn1/rhys/romulus.c 
+++ b/romulus/Implementations/crypto_aead/romulusn1/rhys/romulus.c
@@ -116,14 +116,15 @@ static void romulus1_init
 (skinny_128_384_key_schedule_t *ks, const unsigned char *k,
 const unsigned char *npub)
 {
- unsigned char TK[32];
+ unsigned char TK[48];
+ TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */
+ memset(TK + 1, 0, 15);
 if (npub)
- memcpy(TK, npub, 16);
+ memcpy(TK + 16, npub, 16);
 else
- memset(TK, 0, 16);
- memcpy(TK + 16, k, 16);
- skinny_128_384_init(ks, TK, sizeof(TK));
- ks->TK1[0] = 0x01; /* Initialize the 56-bit LFSR counter */
+ memset(TK + 16, 0, 16);
+ memcpy(TK + 32, k, 16);
+ skinny_128_384_init(ks, TK);
 }
 
 /**
@@ -138,14 +139,18 @@ static void romulus2_init
 (skinny_128_384_key_schedule_t *ks, const unsigned char *k,
 const unsigned char *npub)
 {
- unsigned char TK[32];
- memcpy(TK, k, 16);
- memset(TK + 16, 0, 16);
- TK[16] = 0x01; /* Initialize the high 24 bits of the LFSR counter */
- skinny_128_384_init(ks, TK, sizeof(TK));
- ks->TK1[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */
- if (npub)
- memcpy(ks->TK1 + 4, npub, 12);
+ unsigned char TK[48];
+ TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */
+ if (npub) {
+ TK[1] = TK[2] = TK[3] = 0;
+ memcpy(TK + 4, npub, 12);
+ } else {
+ memset(TK + 1, 0, 15);
+ }
+ memcpy(TK + 16, k, 16);
+ TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */
+ memset(TK + 33, 0, 15);
+ skinny_128_384_init(ks, TK);
 }
 
 /**
@@ -160,10 +165,16 @@ static void romulus3_init
 (skinny_128_256_key_schedule_t *ks, const unsigned char *k,
 const unsigned char *npub)
 {
- skinny_128_256_init(ks, k, 16);
- ks->TK1[0] = 0x01; /* Initialize the 24-bit LFSR counter */
- if (npub)
- memcpy(ks->TK1 + 4, npub, 12);
+ unsigned char TK[32];
+ TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */
+ if (npub) {
+ TK[1] = TK[2] = TK[3] = 0;
+ memcpy(TK + 4, npub, 12);
+ } else {
+ memset(TK + 1, 0, 15);
+ }
+ memcpy(TK + 16, k, 16);
+ skinny_128_256_init(ks, TK);
 }
 
 /**
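Review bot: In all three init helpers the local `TK` buffer receives a copy of the key `k` (`memcpy(TK + 32, k, 16)` here, `memcpy(TK + 16, k, 16)` in romulus2_init and romulus3_init) and is left on the stack uncleared when the function returns; romulus3_init previously passed `k` straight to skinny_128_256_init and did not create this copy. The schedule already holds the key, so the extra copy only widens where key bytes linger. Suggest scrubbing after the init call with a clear the compiler cannot elide, e.g. `volatile unsigned char *p = TK; for (size_t i = 0; i < sizeof(TK); ++i) p[i] = 0;` (or the platform's explicit_bzero/memset_s where available), since a plain memset on a dead local may be optimised away.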
diff --git a/romulus/Implementations/crypto_aead/romulusn1v1/LWC_AEAD_KAT_128_128.txt b/romulus/Implementations/crypto_aead/romulusn1v1/LWC_AEAD_KAT_128_128.txt
deleted file mode 100644
index 4b26771..0000000
--- a/romulus/Implementations/crypto_aead/romulusn1v1/LWC_AEAD_KAT_128_128.txt
+++ /dev/null
@@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = -CT = 5D8DB25AACB3DAB45FBC2F8D77849F90 - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00 -CT = 2590094BA7DD1CDFF6BDED1878B0BD55 - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001 -CT = 4937850252E6D938F72E2B1FF82010F0 - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102 -CT = E7DCCDB0D67928143E899ABE363CFEE8 - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203 -CT = 2D2BB0BDCDAC9654A3963D19E009747A - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001020304 -CT = 2C0C713C7E14D20E10CC1B4F53DAB25D - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405 -CT = D8187667C1012A51481B6F59AD035B03 - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203040506 -CT = 186BE82956155733C134EE9F3C610B40 - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 0001020304050607 -CT = FB03DA497168FDC76C46EA493128FB21 - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708 -CT = 816165DEEAB6C80DE8864774A49072E2 - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 00010203040506070809 -CT = 3E22DE085B28D78718CE4C5E7C1204E8 - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A -CT = CB0B3FEFEC9BE98878D986A303DFBE7A - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B -CT = AC0CA2C2CACD2732C43C43C5CB5F86EA - -Count = 14 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C -CT = E7C5F6D0C7A8B9F37CA6C30D363631B3 - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D -CT = C3A4A90F657EBEBD39D453FA70F33F95 - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E -CT = BBD0C3A7C4A83BCCC513DAAF3BB64A14 - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = 475DFEF7D5E4DF7601A5F5328F5B3202 - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 76BB89DEB0612755D51D434D81640CB6 - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = E3A6CA1B8E0085A23D2AB246582AEF69 - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 65B90C937A2CACB77C49D22E77714C40 - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = B2BFD659B0D754B9669683DF9B204771 - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = B72E1A9BE61EC88663775B6F3A52C687 - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 4B6C6DA866173D7A31BE33DE30649B6F - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce 
= 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 4D272CEF7E2436CBAD05EB840ADDF50C - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = C5B2B5129BC0FB1F631DFE5BAD13617D - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = F9B1337FC80AF556C629CD1A3CE60289 - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 51AECBF4B5FD04C28E81BAE33C624782 - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6B365E1BEB957E29706E1A6B4D369B08 - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 3E94DDAD9B54A80A63E732D455034F44 - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = B95EB2054634122D7E21EC8B96886292 - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = B21D8F9AFB9AECEFE2DD1A1D469B30A5 - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 912B3867BD1F7FD7D6F748A57132D7E2 - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 3FFF0D2D366D022A7996B16FA0E10E3E - -Count = 34 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = -CT = 896531796709540239DD66621B504BD255 - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00 -CT = CB4D354361E0B2E89B7BD3375F5547437E - -Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001 -CT = E5848409AE5E6B818278BD2040538F5BB2 - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102 -CT = 806BF4587AAB07F61BDE79BF9145ED1C68 - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203 -CT = 9F4ABF3154B82222B2BE79CAE5B1AB3D51 - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001020304 -CT = 1DD99011A4D7C2F1F124875416F2D28F0C - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405 -CT = F593BEE046974B2CC11D02EF653D0DB1CA - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203040506 -CT = 3EDA90F7D2759E6F4214C2F230FEB252D6 - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 0001020304050607 -CT = 15E8BED67663B68E0F339AA42CC4F2E0FA - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708 -CT = 39C835814421D0B83C2CDEAE889CF24A43 - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 00010203040506070809 -CT = 49146B139EEBF3CC8EA7B58A4B1A294D16 - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A -CT = 8424BD1C5F613284F41020CE5CA3B35727 - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B -CT = BE8797C1AFC2D86DFF138744955561CA37 - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C -CT = F27C17F0824684707B7A650C5EA969A869 - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = 2698B02CD3E31D9CB183AD0A79D0E48730 - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = AC4AD9AF378D1CC394D3D4B6BF58345448 - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = B52C077CDF95B0B1042DA4416B4993EF49 - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A39AFEEFD207F0A9244E605717E89D3F3B - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A34CC912FA5979ECFDB301405B4FF2ED0E - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A88DF0A0DD2B3EDD93433FB55E91624EB7 - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECFC8E80537C0CF49F81078D6BD17A6C54 - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 50C1B2D557F0BF8A412409DC5866406330 - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
A84611C8A12D14415E5137041AE4093E25 - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64CB4C15C7F683C9315FF1547F9B88592E - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9FBDF7230BB71D2FEABB4B8D30893318A0 - -Count = 59 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7C77DE69DB5E70EF82478A5359C427AC69 - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE611D3BD628C9725BC52E9DA75E13EA2A - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 583574D0ADC671B4F415B652E1429AE002 - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8EDD383FB7959C9521E725AAD9018B2D94 - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CB8E638615CC4DDBDDCEFFDFFD94410EC9 - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A41AAEC53B9D24C2935D81F90C22BCE93 - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 917DFFDF4B653B7074286C6005CACFBACE - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 644FAB331F78B6E33CF33A40DE2BE610C0 - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = -CT = 89A64DF193A360AF3E6FC48141B6586E3B1E - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00 -CT = CBF1B80E483D9EF0F57253FC4DD0A5AB9FD5 - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001 -CT = E54BEF623FCFB4F52F1517AC988701AA4AFB - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102 -CT = 807328F525631E49628D522C3BD9B2C7C5C5 - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203 -CT = 9F3F11B71DB3373451E5FB912B2CDDA8BC65 - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001020304 -CT = 1D078CEE44AEEB8F0E604C910453EADC240B - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405 -CT = F594B97B57D45213A42288B2F12D3672B170 - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203040506 -CT = 3E59C0A5879DCC8DD0FCE587A737C45F91EB - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 0001020304050607 -CT = 15D3204FD5DEEBA4340D8CA17449FD37E44C - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708 -CT = 39A676FEC61603470BD45CCE896B657BDC02 - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 00010203040506070809 -CT = 495F8F7E68FBA41C90FA78FBF4439C6A3F7E - -Count = 78 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A -CT = 8435B2186DFD36B919055062F2F989CBBAE1 - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B -CT = BE5717D62C51F51DDE8B636B9D8E5F2BF88F - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C -CT = F2E6D9B7A23D70F1DCF52EF76DE78C149755 - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D -CT = 26BD89FE25C807CD7617C10EE791F20C433E - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9166406EE05365B4450BFA3939D5505AE - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = B560C3E6FCA2D45C84B7521FEC7AE70C683A - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE06AED6E58402984CC6CB5988D17F21E - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A371B8B7368799620C41C268A50C8D7A4307 - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A884DC7D2F6C3B39B4353D45628BB53457CB - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB74117DE14417EE7D3062604B327DAA55 - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 
000102030405060708090A0B0C0D0E0F1011121314 -CT = 502C7F2681565F747DF466235090C63795DF - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B0036F16932E6E0029CC06ECA2AA37408 - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A7CC6150FDC5D4328311939BAC76601870 - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F09D2268B5A30D390EA6AE03F587B9037B6 - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE73113B374B44563F6CA5BEF58DF9C34BC - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C1D611E319C2DF192093B1EA1879EC319 - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 5867CD78FC3FEDCF5F74D8030C10A5BF1756 - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3347D2EC3C4491D7E4D3B49DA32AA8B406 - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5825E3F31D5216047511956A5032BE70E - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47B197412D5480C60F969D0173B4DFD703 - -Count = 98 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91991F00D8465A0EDA19794F6455BBBD7AF1 - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BC2FEB86350C228B4A9C2CC991E0DC296C - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = -CT = 89A6BC83977A85A0318201CCD82D7000C630A0 - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00 -CT = CBF1A87612DE2BA707DCC4A048AD947F2F2094 - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001 -CT = E54B7677F7F06905FDC116165B1790BAEAD56E - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102 -CT = 8073F501F34C01B9AAA76110E03224E53CE06B - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203 -CT = 9F3F60F4DDCADB0EEB780215525534907ADDFE - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001020304 -CT = 1D07AAE80B44EF2756869A51D0573BD421B337 - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405 -CT = F5941EBE1793796B3DE284EE47B1BEE699F6FC - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203040506 -CT = 3E59841591349FCA4E8EB52346B8A02C0FE4EB - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 0001020304050607 -CT = 15D3A5CBC45A837D85C92F0DC004FB10200011 - -Count = 109 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708 -CT = 39A67B7230DDA7EA57D3CAFA5A0452B0216717 - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 00010203040506070809 -CT = 495F891769CFA2A3AA6B5AF51C77F0D043DF18 - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A -CT = 84355B2400CFF6B13FBB58D8A25E6DF13883C0 - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B -CT = BE57E3EB0D34916A3D9F0A432A090E00733555 - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C -CT = F2E67F826B7A07D562E952B75395515097637C - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = 26BD5476E060A04DAD6A02EC842117B0D6AD37 - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFC08A365B4FD0AEF0122E84687D352CC5 - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604D0AC0C837A483FEA4C4839BFC4ABB620C - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6C39516D216919AC04F2A6BB5AABEE839 - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FA2A75BD400E7D7D84625FDBFE51EE170 - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 
000102030405060708090A0B0C0D0E0F101112 -CT = A8844F1AF57963CA4AFA6FAE068AC5F45D0BBB - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638D3BD19827A7313ABE1ADCE7AF400F09 - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5F43FA8BBF9DA8901DF75D1EE7F647CE1 - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B713D48ED36C9D8A0E57AC2DFDD2E1BE76E - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76EC0F741F2988D882667541EB1FB93DB6B - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EB59A86E8FA8C71CFBF3D3270EA7893A3 - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BD2D1DC2F4EE3C3546875671FE5EF50BE - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C442BBA1C6455ED97D52F4BDDF7BA004 - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670D71E17C9B52B03EF6FBBDB608B25A658E - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359A0501D6B729A20856E6FAE9C27E7DF0F - -Count = 129 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5ACD47741A41D7A26735808109F2A21A68E - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EFF70847EF3C1A9B3D12C91680561F9DEF - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B7246CED2BA5C9C238CEA095E56D82E58 - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF20F6D6E2C14D590E5E5C18EAC51B85DB - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = -CT = 89A6BC50C5231E96E9A06F662291F50541343A21 - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00 -CT = CBF1A8AFD542DF241765EA528A660A008214DD10 - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001 -CT = E54B761ECB1214E3B4840BE1F78E8B1A241654CA - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102 -CT = 8073F503CF01D899A898B8AC0A0086ADF9B10DC9 - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203 -CT = 9F3F600219C38BA35749779C85AB185F8D58D716 - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001020304 -CT = 1D07AA1D2CEDA0AE4A5CC86D8948A0BAF1FD228A - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
00010203 -AD = 000102030405 -CT = F5941EF44248AB6CA452A775BBF6296B5C3D6875 - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203040506 -CT = 3E59844DAD26524DFF5E2B09490729C2B5AD9B0B - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 0001020304050607 -CT = 15D3A59134FC14180F76BB1EAADA3BDBC2F9D452 - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708 -CT = 39A67BEA301210D5421EB58242A63869383997FF - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 00010203040506070809 -CT = 495F89652AB32FD2476D37D9BBEAFAB62104D720 - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A -CT = 84355B90E2D8DFF037A6C6937D1D03593D4CFE08 - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B -CT = BE57E303E466E38065B2CC81284482C2E303D55C - -Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = F2E67F04BDB59589CFCB3A0B6EC837A1E2DF97A4 - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E37F280C725A54A67FC324DCD391A997A - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB18BCF6128B759994FB82215BE3703D913 - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF35AA4A34A87A463B1874857DB4F962DE - -Count = 150 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A3567643F03F7B36BB429EA434CBD1186C - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF16631A092D139552726AAE3353BD2840 - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE41C029DE90B1D4265BB3BDB9ECB6C7BF - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB6385EC68E5767D77E8498D4D78493B39230B - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9379E3C9591B0459F237E06B4C2438F58 - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B7100BB7EE6E3B708A3BBFB3D11717C9ED1F0 - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E090BD453C59C5D823A23E7798058490A8B - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE00DE05B81EF8EEF3B5C7CC74272E90114 - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF21466DC958D7B5C1BC8EEC7C1B5818879 - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2108923808B6077D5459ACB9ECCD50272 - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DEDB3A866C899C875ABB33B29346ADA9D3E - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E33595679C049D63E09F1825702080211A6EA6D - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E357D81CEC1EE3A4C9D2A7AF6873D64C1 - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6D8137AA45DF262F3DBF5BC39109F3947C - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B955D8733D8C5733A966B75BFE2C7C9FFCA - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8D47A2C0D41BFBAE751C37F584119223AC - -Count = 166 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = -CT = 89A6BC509C67AAD3A5EFFBCC98336B63A07B527F5B - -Count = 167 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00 -CT = CBF1A8AF0382EFB2BF936EE6C55D90F62DD169F472 - -Count = 168 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001 -CT = E54B761E4A7B6826D0D57CB16F93FBD8E37C9459D9 - -Count = 169 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102 -CT = 8073F503267C666EBFC2ACA2F74AB38DECFA04D1AC - -Count = 170 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203 -CT = 9F3F6002F8D617E6EF9C02237105E509C424DC88BA - -Count = 171 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001020304 -CT = 1D07AA1D70E56AE9662FE300FE4FDC272A7812A8D9 - -Count = 172 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405 -CT = F5941EF434491C2F373675A69E09D550574AEC7EB5 - -Count = 173 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203040506 -CT = 3E59844D00DDE437474C86C3C391FFBD62BA210BF6 - -Count = 174 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 0001020304050607 -CT = 15D3A591833EBB45A53AB6B966651ACA7DB64F3B1E - -Count = 175 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708 -CT = 39A67BEA2B2DD643AF84210E8E7F5C5F3FAEEBB31D - -Count = 176 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 00010203040506070809 -CT = 495F89651BDBCF34AFA4CCE73E809175DD8A5AA557 - -Count = 177 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A -CT = 84355B90FC96AD5EC7BEDBB3F883253F80CB75DB5A - -Count = 178 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B -CT = BE57E3035FE7292680AC70399EBFDCE6D62634BBCE - -Count = 179 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C -CT = 
F2E67F043065FEB165E921A35FA0FAE6BE9D647BC0 - -Count = 180 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0E393F7C2D10D85AE5DC41849DDA30BA15 - -Count = 181 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB1047EA62A44DDF4B9B97E84A6D32C8BF25E - -Count = 182 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF952A28CF2E9B3996A2F97E81E8B1693758 - -Count = 183 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D0791C3EA2740F0D45210C613FE78F7BF - -Count = 184 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5C6985F9F5DD6AC93EFEB55CDC949ADF62 - -Count = 185 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE4724BF8D5DE5457EC5260536842C4A9FDF - -Count = 186 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB6385038F6A8AAC4068BF9061C1ACE347085A88 - -Count = 187 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6C16C14D006373B6B033FD49190D4D379 - -Count = 188 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074AFAC543F4C1FB5BFFB424708BD1C2D3C - -Count = 189 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E0931601661BA56D3BDE826A72AF91FF4DB11 - -Count = 190 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04E39D2D95D3D3A0A82B0FB30F5CAFB5A72 - -Count = 191 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E209ADBAA4867CA1AD63E4A4B17908DBB - -Count = 192 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAAA0B1734508E058378F38E225683C576 - -Count = 193 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A8423F21461DFF629ED1871C3D24300A6 - -Count = 194 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569760D6B2EDAA58CA752B872B3282A58221 - -Count = 195 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E70349D65556CE95F8752B25B50A15CD742 - -Count = 196 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B9A572E2D91D4E5E2AC6355AF9FE2C1 - -Count = 197 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E277D8FB4F7C4E89C71B3DAA3C7D9F11D7 - -Count = 198 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAECE7BFBCECFAC4AC6D4E02941704AD26E - -Count = 199 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = -CT = 89A6BC509C2FAFE883D718EA3F5F57E38E272B77D25C - -Count = 200 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00 -CT = CBF1A8AF0311531E76CD7D5A5C0F193F16DB95633BA9 - -Count = 201 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001 -CT = E54B761E4A8F7A5481E94FEF54CA1AE0415DE60EBEE6 - -Count = 202 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102 -CT = 8073F50326B51A12A721C9F740978A08EDA84893113C - -Count = 203 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203 -CT = 9F3F6002F89F03F1649909A837D362FFA0A17AF16923 - -Count = 204 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001020304 -CT = 1D07AA1D70FD93D8AD81C92EDB62E1BD2060E447ADC0 - -Count = 205 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405 -CT = F5941EF434BC19515366CAC1483BCDC362220A4F42C8 - -Count = 206 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203040506 -CT = 3E59844D00E14DADF939EAF32281367E1746ADF98FB9 - -Count = 207 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 0001020304050607 -CT = 15D3A591835709D5565C3730DA132B03D85329436823 - -Count = 208 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708 -CT = 39A67BEA2BD6D90D81ED955D8376C88C6F11B1960CAF 
- -Count = 209 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 00010203040506070809 -CT = 495F89651B34FC582DBDE637D560A03C50D2602A139B - -Count = 210 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A -CT = 84355B90FCA6B7C672A8793E786E0DD765509EE26F49 - -Count = 211 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B -CT = BE57E3035F319DF8C9A266D028347B4B7564A4DD88D2 - -Count = 212 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C -CT = F2E67F043069B7DDD4AA08D9187A5F77E8B08789402B - -Count = 213 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED967C9E2853313F569D149C542C111B44E - -Count = 214 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB1049535079CFED2BEB61C07B2E57F022758EC - -Count = 215 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517BD1D054EE697F87E318B941ADF98793D - -Count = 216 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4297E17AB1D4995AD0232A524B82373D43 - -Count = 217 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE0D18EEE11EE35D240CE1CD9C82ECBFB0C - -Count = 218 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 
A8844FEE475AD01DD366B7A5DF95993CDE37EDA9A1AD - -Count = 219 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C5A69D62915DBE4610A0E506187B455627 - -Count = 220 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61792CC7D63763627B59F8B33C6949AC8 - -Count = 221 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074775636362676B385F4052FACBDCADF91B9 - -Count = 222 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B9388CD9E26D43A815609EBC162946AD - -Count = 223 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA8DD7E6D74C5BF0DB5A5540B82896CC7B7 - -Count = 224 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E7218E3A3D96DF3080D6483D7DD0EDE8F68 - -Count = 225 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4B780B27880BE1C515C290244D733D2D8 - -Count = 226 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A072B115E3F32D9E0F32F373295475D8BAC - -Count = 227 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 
8E33595697706EC5B15B3E2BBDB942755AD0350D9F92 - -Count = 228 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706CA807B2486D1E3CA7810694AF79A7B859 - -Count = 229 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17BF40AC008B551E37823BF51A187322FD9 - -Count = 230 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221BD7995620D3519F76C1029125CAC9CAC - -Count = 231 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A31D8680989A449F2E58560B49F2D152A - -Count = 232 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = -CT = 89A6BC509C2FA1FF3F4E0AB9C88687267DE87350261075 - -Count = 233 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00 -CT = CBF1A8AF0311E9BD5B64B5DFE06E40BE30D204028CF036 - -Count = 234 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001 -CT = E54B761E4A8F0D37FACC5DEC04D2A31C7B96AB12928278 - -Count = 235 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102 -CT = 8073F50326B592A1EE20F00DFE3530C533116919E61B65 - -Count = 236 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203 -CT = 9F3F6002F89F5CA9A1F7027050810A065F7DCEE14FCAE7 - -Count = 237 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
00010203040506 -AD = 0001020304 -CT = 1D07AA1D70FD65652D08DB9A2723FF22B693819CDAAFB9 - -Count = 238 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405 -CT = F5941EF434BCE811951B4E6696711CAA3B970AB07D51A8 - -Count = 239 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203040506 -CT = 3E59844D00E1B3ABE12D08BFC0C94A65B732668A69BC93 - -Count = 240 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 0001020304050607 -CT = 15D3A59183579562B9AAD9D8181D5C865B8C67CDC1ECE7 - -Count = 241 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708 -CT = 39A67BEA2BD662BDF9A57E079E8E78475C4F469AA33A8B - -Count = 242 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 00010203040506070809 -CT = 495F89651B34602E9821BEB5160FEB8EC3967B843FF5B3 - -Count = 243 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A -CT = 84355B90FCA6CC35FC8938ED9B13443C7873F1B29D2329 - -Count = 244 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B -CT = BE57E3035F312165A5BA118A8DD563A5847F45A6EFD745 - -Count = 245 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C -CT = F2E67F04306927025A70A33143986457D7BDC1D8C712AC - -Count = 246 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A943ABA14D2B9F8DE867081F685ABF1946 - -Count = 247 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 
000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F8A75BCE7374CEDA18819B7F13457FE75 - -Count = 248 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E31B6BABB9E17918DB17E00FB21B32EBA6 - -Count = 249 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D42452E818C71B1F541293A1DCC309023F2F2 - -Count = 250 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05A8FE616983B390B0AA9AB0861A376A06A - -Count = 251 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B26F62F9605D466A5305780BC46438A5D - -Count = 252 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C55987EB4130247764492D9C99C070EB8290 - -Count = 253 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A6440354E590924C9D151A649E538ACB7 - -Count = 254 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A5C4BD6F1163129B788B9C6EA8492DE60 - -Count = 255 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B46438C5B6359BB7A913345ABC45FE41C8 - -Count = 256 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
9F092EE04EA80A396E12AD005CDDFC4533911AD713BC09 - -Count = 257 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72ADF20321DA3D70AB6FAC7E4DCF9366F8CA - -Count = 258 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C616257EC249AE14EDD6A46F6DA407B116 - -Count = 259 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718E408602D57C9B52399421CAE9D5504F5 - -Count = 260 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A998B2154EBE1725275067B8B914175150 - -Count = 261 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C381C66BF4BCA7F95DD357A37BC62BF1942 - -Count = 262 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B531465C0092F651CC6143CB7C85BD269FA - -Count = 263 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDD146A8C9CC6A5DCF6DEB0D900F11B8EA - -Count = 264 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A005332E5A90D15F6E284E614170154455E - -Count = 265 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = -CT = 89A6BC509C2FA19985D311F6C23A1390FC6988E50507AB8D - -Count = 266 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00 -CT = CBF1A8AF0311E9921AA571635480AB54E9FDD9283C9CCE2A - -Count = 267 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001 -CT = E54B761E4A8F0D1DC7578E7B54A2749B6686E16AEEE18CB3 - -Count = 268 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102 -CT = 8073F50326B592E50A18B4CC7D509FAE42922A4240933916 - -Count = 269 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203 -CT = 9F3F6002F89F5CA221DF6F6802181422C9D58113FA0C1F8E - -Count = 270 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001020304 -CT = 1D07AA1D70FD6573D467D9C06A2F200BE279E534614A0E71 - -Count = 271 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405 -CT = F5941EF434BCE8E3D11701B6ED6F8615D9FE435C334C80B0 - -Count = 272 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203040506 -CT = 3E59844D00E1B3B1DE488E2024209622CEBFB416F2B049CC - -Count = 273 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 0001020304050607 -CT = 15D3A591835795972446B68ADFBB5648BD562A91C282C561 - -Count = 274 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708 -CT = 39A67BEA2BD6620D7EB1EC8ED0236A6C6000D21AAC612C8C - -Count = 275 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 00010203040506070809 -CT = 
495F89651B3460E653C63F2392D4FFFB56D1E6CC9D12BDE7 - -Count = 276 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A -CT = 84355B90FCA6CC9632C53A40C3587A709B61B6B97D5E94DF - -Count = 277 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B -CT = BE57E3035F3121F15DDD175F4020C66A0B35CA199A06AA19 - -Count = 278 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C -CT = F2E67F0430692732ABAFADE7A55B4052D1ED39FEBCCEDC48 - -Count = 279 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C73FD8D0FB43FBC7A628E3EBEDA23153A6 - -Count = 280 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6FD5CBB4C0E9CACCE84AA7A9080A969E72 - -Count = 281 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3380D869A39E999C7DA1D09A175C55FC6C8 - -Count = 282 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D424519CD441690EDE24A7016FA3F9C8ECF1743 - -Count = 283 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE08CF6E8DB3384E492FDCD2260E7104447 - -Count = 284 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B1052B82AD79B12930FB2217A9E7312778C - -Count = 285 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C55975D8FF28ABECE30538676B1D1E6DBF7D37 - -Count = 286 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A27CC90BE87B03B9AE15A3BEB7A216A6DDF - -Count = 287 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A797490043C5857C688BA83A14EBD97B62A - -Count = 288 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B414F8C0EE08AB16D15A947F3BC628766E48 - -Count = 289 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A59121EAA4661144E91E6E6CC25F4272936 - -Count = 290 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3C84BB3E1B9C0382C1D7759F93E6B27B7D - -Count = 291 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C6630CC80DA962408CC406363A9B40AA3A6D - -Count = 292 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A07188359CE6D7451B00C55106E2AFA8DD2E81A - -Count = 293 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 
8E3359569770A9A42912DCD82E02B3054DCF687AE2117B4A - -Count = 294 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CC5F630EEDDBEAC819C2DEEF2201711B29 - -Count = 295 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364167C534D49662E61B849ED74226F370E - -Count = 296 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC10A9C0E8248D2EB6CA92650238AA8D5A - -Count = 297 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB16046BBEAB8E9CFA426C2728187A849D - -Count = 298 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = -CT = 89A6BC509C2FA19946BB90A56E0513305B63E9890AB3569F53 - -Count = 299 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00 -CT = CBF1A8AF0311E992A78A32AA8D4E740C68D754B32319FEA66F - -Count = 300 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001 -CT = E54B761E4A8F0D1D9444592A2FB4B251A691B45D2B5D477A7C - -Count = 301 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102 -CT = 8073F50326B592E59269DA4A89B869C4E11E35833A4F669BB4 - -Count = 302 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203 -CT = 9F3F6002F89F5CA2B4D05823AD1B6DC0165A9BFA05716B3E02 - -Count = 303 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001020304 -CT = 1D07AA1D70FD65735A730665EACE083909FEE6B522ACBBE28F - -Count = 304 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405 -CT = F5941EF434BCE8E38E2364E46E4AD44F13298E0F5CF40EC4E8 - -Count = 305 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203040506 -CT = 3E59844D00E1B3B13E86348437080D7B960C8083022638C655 - -Count = 306 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 0001020304050607 -CT = 15D3A59183579597383CDCC93C39AA74539A915959F14221A7 - -Count = 307 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0DACB3835A5C3B014477CB3E4A2C7F385A - -Count = 308 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 00010203040506070809 -CT = 495F89651B3460E65FB0E607DBC745C42DFC69B76A1450E12A - -Count = 309 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DBE97B4A3C18D5343EE196FAD5BCEF366F - -Count = 310 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1079764C09DE7C5F2EED33F8C0523DE2FA9 - -Count = 311 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262BEAC89B4CFD665D649D82000D9BF8F2E - -Count = 312 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D -CT = 
26BD543E0ED9A9C7D029DAF78D5B25A2E2630A6E5C413FCA84 - -Count = 313 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5BBBF988040E2E57CAAA9B4A10F16767D6 - -Count = 314 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C5D55A7102322C089D2AAC80B0DD3F390 - -Count = 315 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B3BBC18566222D350060CD97126E3E051 - -Count = 316 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB29F2899321EEB2B708480CAA6CECF092 - -Count = 317 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACB5AEA87BB37AE1EBE36077E57E8CAFB5 - -Count = 318 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C5597536469C3C42947E378E2F3DADA92C93FDF6 - -Count = 319 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A27736FFC2AD3DCE21991BD31BF256604D5E0 - -Count = 320 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79958222CB75B72337A721FBC3D1AE9A4DE5 - -Count = 321 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E94C0E8C6557EE393955E0ECACEC695F5 - -Count = 322 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D2A37B080E1821C3F5CB61BE972ED498D - -Count = 323 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB72D897D9AE735007518C5A5D2A669F316 - -Count = 324 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C663566417ED8EB94F5592506E7BE90926FF9A - -Count = 325 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839BC1CA87FCF0985878ADDA3EBE9D44BDD9 - -Count = 326 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49D021752031963E9214F6FD35CF7E0F6B6 - -Count = 327 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB715CC1ADA9DD5C35DDA6BB564083CA68A - -Count = 328 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E37275FCDBED9446A9A7366055C306AC84 - -Count = 329 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 
91995B95E221DDAC697DFAD028C5429DBF79B1C978BD7158AF - -Count = 330 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB4938CABA8D23BC7550D5449065BD3F7D12 - -Count = 331 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = -CT = 89A6BC509C2FA199469FCDBBF235311CE7D092D277C4292A932B - -Count = 332 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00 -CT = CBF1A8AF0311E992A7412EA125B6D913A932EBA9523B2DDF40ED - -Count = 333 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001 -CT = E54B761E4A8F0D1D94D9ED21708B33C930E8D64D5E099D812BAC - -Count = 334 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102 -CT = 8073F50326B592E5922BB08D428DF0106F7C30DC44B408600C6E - -Count = 335 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DDFEDDDBEE5BB2B07EA73374D7485EE14 - -Count = 336 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 0001020304 -CT = 1D07AA1D70FD65735A2C35ED369F523FA92CEA9EA3BE5A55315F - -Count = 337 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405 -CT = F5941EF434BCE8E38E632112FEC62EAB408619506C9EF38C65DD - -Count = 338 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E6C6825759002B59792F435F7D0D38464 - -Count = 339 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 
-AD = 0001020304050607 -CT = 15D3A5918357959738589E7A682BE14924935695447AAE7E7E0F - -Count = 340 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D46042D74EBF959CC0A2D224DCE310E001F - -Count = 341 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 00010203040506070809 -CT = 495F89651B3460E65F00A51B0AF19ADF71E72BA56DE7A0BD4E97 - -Count = 342 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB8296BEF5B088045831D3427DA6043CD5C5 - -Count = 343 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DAF86350AD9959D3CE809808293D449F3 - -Count = 344 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C433D936865AC6E597FD3BC72C7F4156F6 - -Count = 345 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C71B3695053CFF6417A8BDCC9BFB59A45 - -Count = 346 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B615DDEA8DBF165499792ECF451796244D2 - -Count = 347 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47A262AA449EF56499D617414D4C896D14 - -Count = 348 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 
A3DCE6A36D4245193B10165C52472EDEA889A874C5BBFE52EB60 - -Count = 349 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7AD233BBD67B7CE69C2E24776CBD359A6D - -Count = 350 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE26EBC4AFC66F8C650B1A34A72FD6C381B - -Count = 351 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693BAA1F38895D566F7733329FD6BD33E70 - -Count = 352 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A27732426427ED1387907CACD3965EA199A8CA1 - -Count = 353 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9F2AAB40A78352F69DC25CE275BF9D69 - -Count = 354 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F10A3C510F1E81A18BB132EC4391F6320 - -Count = 355 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D8798266FE34946A56D264F7A3368507CE3 - -Count = 356 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0459254AE638C1B311E9A4FDA5D8FFC - -Count = 357 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356195E86697FB985CA206B3CC767102ED955 - -Count = 358 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B249A2F8A0450622AAA7251550C80A214 - -Count = 359 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCFC180A11F1EAC687C96A86BB2F6020BC0 - -Count = 360 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9796EEB02DCC4A0B70D5E10DA36F43CA3 - -Count = 361 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F5ABC7445C2ACE584CB7394A0FB627481 - -Count = 362 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC6916E6AC4F1E28F356222FE712A65E84C864 - -Count = 363 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C04D312335F8453C3EA680350031D65EF - -Count = 364 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = -CT = 89A6BC509C2FA199469F9291A2B928035B7A9162ED79E25484C2D9 - -Count = 365 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00 
-CT = CBF1A8AF0311E992A7410E80696CD31C78B016DCB28A74B3CAC8EC - -Count = 366 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001 -CT = E54B761E4A8F0D1D94D92F4496A44241FBDDDB98923ED251AFBB84 - -Count = 367 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102 -CT = 8073F50326B592E5922BADF85D5CF35D5133EC822D1D74B22E8861 - -Count = 368 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF52ECBA388CEAEEF3D1A6EF3B7CF290F24 - -Count = 369 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD0562EF2C4EECC0154E2CE09EA0FA3095D - -Count = 370 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5464A36ADCF52862227C7B8BFAD99B70A - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65B6B5FC804A9DA164C902C904E4389D9E - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 0001020304050607 -CT = 15D3A591835795973858CF04FEABE60D1E1E246503EFAE853E3B79 - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D4665C789F2AAC742B2307251D21AFEC58C30 - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BBDF847AC520277D4DDAFE82A679E9D72 - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A956EABD342A354426E5F2C932B533855B - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA18CDA52B8CE04977143170032ECCA2634 - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42DFDD300D0C91F8C395C29DDD8E707298B - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11BFDCA90B0E2B2D847D8AC38A25DCB55A - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F438580D17993CA385FEC9E22B1464219E - -Count = 380 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C4771FA651FEDCF609B8E989E710F63F8C44D - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BDB1C9986BB9C82B700CD9E86D67651ADF - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87ED7BAABD344781C5DEBD929CDF35315F - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F6CA27879ECA03D99003434A047442254 - -Count = 384 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570BA2858CCC1ACD5E166C67D8C759749 - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D94CFC276CD7F9802497ABBECA77EFE7CD - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9376221015102E311312967A81139E2EDC - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1CA7CA41E27A5410CA641FCD12D1A66E1B - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE16981CC94ADA577F0106BA00A1AF834E - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0E452F3849E6685C6A315572083BF43BC - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C6635619794E57701A9A76F8871D5FD150BC032F3E - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0CBEACF0FD0A0915284E9843360146358D - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7AF198A04DFF7CEA7D15824A20AC22B1B2 - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D32407009A5CBA128889375D44573BEB27 - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0A6D86B1CD7ED30D320EEF65C7E93BD745 - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161CED64750593F8F257D7AD44CD600A675D - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C0607E02E55ABC48EEEC95A9BB941412F01 - -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = -CT = 89A6BC509C2FA199469F92E4CCD4EA0AB3B86151E2AF867E3C52C63F - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00 -CT = CBF1A8AF0311E992A7410E62739CF4BCDF02206D1BDDABBF8D38EFD8 - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001 -CT = E54B761E4A8F0D1D94D92F14971B1D5C0185F3763B427AC5BCA7DB42 - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102 -CT = 
8073F50326B592E5922BAD63B910B24B780BFEC1AC9A900991D7882D - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5303AA4AA98FBC31032573C0E4C73CA84D6 - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02358810F9D3DB409742E1DA75E3F25A96C - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD5C59382E06F61ADC780F88F32F086B5F - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB163251A7D847D47823AEE1211D8ACB92 - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = 15D3A591835795973858CFFD1AEB47F50B389CACD43B4FFC05E82D6D - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558F3AC8AAC85E5027F1B77CDA2DB7220AB - -Count = 407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA7CA8F9912996AA2EEE11090D1FC837598 - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A9670A853BE08F1871DB76A4D411B6C39B75 - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA1550CB7A1684360EB2C1BE9C4F3917909FB - -Count = 410 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D958C7E2781B92C288FCAD82605764B9F6C - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C1135C14831394BCF300849D12DDE1A3251C5 - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EBA3102C9D86AFEB7414AE4B27FC718AD - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B4DD98B970B3292894EB8B6B344370C84 - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96705CFCC76C0AB7B5A5A940ACD1B57EE5 - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E354CE8BA50471F683A7B2DA7E22A7EEEF - -Count = 416 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D795043D95F30B924E74C8D6F322D45F3 - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A57043643C166DE2FAE4461152C4C94E8BA8 - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 
000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D9536A0616E7F7069ED479DC3B7ED7B981DB - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E93052B105EC480A39ACC47B47BB2C3F40A4E - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C952549E7FDAC3312967D8C7E8F0B2E7AA7 - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1DFF9EEE05DA2E19A1E205BECE77347975 - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D19F7F360758E720AB7D56C36A405B9D5C - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960D6E678CB5EDCB3A72DF9DB270125129D - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C60ED6BF88C9EBF36816CD03CE799E63AB2 - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACA23991977320EB6FAF58A6E3C95906392 - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C1F7A2F72C6FC2055EE3A59A12FA9CC3A2 - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC6AC81983CD0B235C4966515A17E3F35A0 - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9D1447FF1E7CAC22BFCE56351ADFE1FCF5 - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C067512232E32D015B2CD9104ECB2624D5BFC - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = -CT = 89A6BC509C2FA199469F92E4F4AF154849D57C7D8292B982AD3E17428D - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00 -CT = CBF1A8AF0311E992A7410E6238DE59ED371A2ADCE0241578FE5CF3A918 - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149B7956F748FC788C2EDF784A728CF6CF00 - -Count = 433 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102 -CT = 8073F50326B592E5922BAD631EA40AC47AFEFCC38937B3E2B27AD964BB - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300DA117F3AC375F8031EAEF2B0F41794EA5 - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305410C0213ADD832F7898255181E8FF92A - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C5B0819703E983BD74A67B02119687831 - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34E8339153B199D9CC357745DCBE3F55BC - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF3377ECCCB6121F26AAF3E18BF6A95C4A8 - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D46655816343951452C21C09476DD1C487D2C652C - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766447A7A15D3A4FEFAA4D3B2EA561E7222 - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A96791BD63A245D49398C2420B979832983C0D - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CF4A17BF40BC3EC11AA824F4402E561E10 - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D95222308E443EA42C5A5936EF2A21936F2AA - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B43287DBA3E95BDF7807A5113443BDE08 - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE01DED7AA3DC969105904F668164D99013 - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B37EFD062B76AF7AA238CFC064D0EF2A27F - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D97DC7384B0335DB0A19A03A054B4179C0 - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F097A4EC96E292AE6CB5C93C2B187FF840 - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D4951741A29C58C003F56C941E0F22D728A - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD3BF29BC31EB365D95AF7504CC004B559 - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B6F3543C941BF7970CD8DD446639A0A405 - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 
000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A92B54FA762076D4F39D2CC0E0AF888326 - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C95360D6484B2F2EF17FED6082F50ACADAC28 - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D3599766262F6899DB5FA8BBA8EF5E4C0CF - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D8F92AFD8BA9243A3E4B58253A490050A - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C6635619796053D15200011AA4774858BF32795302344F - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602E2246FB3A122D0B68A4038297E2BDF5C9 - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4EC1B460C99E341418418EFD8497910CE - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15DB8C7276DA8DD06FE0AB521984A819ABE - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F8976E5542D272876BBD75E6A73DCD8B2 - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD1AC54F1B472DF8116B0DA4EA72CE74F93 - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C067520624AF353D3639A1A4A05192FD2423015 - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = -CT = 89A6BC509C2FA199469F92E4F44E84E0B73FD12BB3A11F24A69E66EDCCB9 - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D308A319AD332685CC1542F789377FFECE - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCC0565595660B5E94F1689BB21F2DE11DC - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = 8073F50326B592E5922BAD631EE51DA79CE26570DF8C3853708E064AABD2 - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06D5360DD3A670BC441A30071DF36AF59A - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D98C884C87CA3A37108906EC0BF0138BE8 - -Count = 469 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29E7EA72790318C43A8BF5BA9019591CF8 - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34666BD5DA1DA9034FED5BD2B7AA4743E2D3 - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307DF365E80C97DD9ACF80062B5EB97999A - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D4665581612A322D64E013F11D696747BC67F1B04B1 - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5655B71C3DFF387DEEB05C05ED6B35A10 - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919FEA8415E53D7A7220060979A935CDF1C8 - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDF1DEEEF26257EE2F8C041F9A25EB24DB - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D95223280395621A41E4CC74970DE908FE57924 - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D -CT = 
26BD543E0ED9A9C7D06C11353B99A50289743A4B9861189374B48F239289 - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C80C644199087B888DD4C7ECA1E0C26B0F - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B37003ABC06AEE0D5EDE750923B0790C497FA - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968ED9E6E36842FD004605646C1C9DA8879 - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F0936D9C97F72D229C8A70D4D19BA107D278 - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D4971EDCDD955274D42D7D11B7BA0E2CEC34A - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6EC6D3F59F8E3666D4A688A1E3CDF95F0A - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68BA9E929FB69A23840A4C1243D5F169384 - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
A85B710074776A79954E9305A94EA8472FE52FD05A98E8A24E7C56740996 - -Count = 486 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C95363320087EAF5A53754A031473A4901AAC25 - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A3B3BC967894061E428D641F7DA101CAE - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D8229B8CD0DE1B785B58708DA49625FDBF6 - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539BB76597E9A475C532C314CC3C7D67749C - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFB7A748B509FB1FD678E0328A08CF2281 - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2D23AAD12F17721A5B869DC52AB3C2F89 - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40A13950A24988B34FA34C41A2870DD147 - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D 
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7BAF16D976F3845F7A4F8F00E13601CD12 - -Count = 494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD1729B3ED9AC4E758F70454C46E848DDDD13 - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C067520521442B18305C06090BCE3C8079947CA22 - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9B3C9BD79C57363EA31627C468FC320FB - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D3654083FE3E26D37A49833A577289DB55F7 - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA2D271F21245B09D18DE310E92E6F0785F - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A340C7437F33A11643252108FACDE10E19 - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E413CF3EAB03A96A7AA23EF24AA1B1ECB7 - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94C22D7A53FE8F49B0C32BE8BE415107657 - -Count = 502 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D53D1442C71F8A8AB5D621572B9D30B3E5 - -Count = 503 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B9DB75CB0A4074E23E87A5E2233FE4608 - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC468DD97C514FB11440733D15B31B5BE4 - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D4665581612730869370DEA8499682BB345C03855BA17 - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C584EE56B4006B940005372886CB1A384181 - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A99A636A8B69FEF9216F9C8DC3D77A193 - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDED4C22B6F50581FE06F18FAA980073D9BA - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322A51DBABBABE6721C6306613659FA601BD - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = 
26BD543E0ED9A9C7D06C11353B99693909056B2EF996E6229B94F2013A74B2 - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C869C71C0CB8762E514F09CF0A21AEDB81D4 - -Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BBF0F001D86FC9F615863D2DC83CAC8FF0 - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968370EF2B772EFD247B3E625E465765930BF - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093418CAA419883DFFCD026DC2DE9E8F9D79B - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D4971965BCA1220B92E72041348ACD1D3C61D9D - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E9700CA69C5F45848C360A840EA687F7DB8 - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B26159BE4BBFB6AD8707E7FE67DCAC72F1D - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
A85B710074776A79954E9305A94EFAC8269C42835617A89F988CA411350E6C - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EBE68B73AF2F2F129FDC071DC1CFD103D9 - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5D6C7B5DB2DC1B08A685519C39D653E792 - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CD3877555749BBEFA63E0CDDF8686A6B50 - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94AC7C981A1EB8FC885C722A58522F0998 - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFACB4792F2DC524E3A3D2E9206E09466046 - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E95B63BEBED1E85CDB2C9FDEFC79871C81 - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE6218C546B18190E6584D0DB54A0075DD - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45FEB6B453B5BEA263B8904C406D0A9D4B - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293D7FC0F125B069465ED66C616437FA7C4 - -Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3280C1AD26CCCA796092B0A19B362CCFB - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC8BAB9A9CDE663E2524E5419DAF1CB3A2 - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D365080A4D41C454A8BEEB50A1A7649C8B16EC - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21AB298FA39442AE3C541E36E613E518411 - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E3FDCA807EAD619F00611A02607C26B4D8 - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1BCF2E64DEE8B40A9B0AA7C4AD87603B3 - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = 
1D07AA1D70FD65735A2CD02305D94CE87022715909B026F38DEC90AE138FA180 - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B72AF07C6EE263E52FE799C494591E3198 - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94A2B9484D07EAE8299950EBFCF77D914C - -Count = 537 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC17988464F432FA169CB3465FA9E75F3639 - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B7FABD89F76F62F2E919D87C8CE1470039 - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FFDCE87040396207628F852A4E0D9E3C4 - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90F0A26D5E34E478BECDFEA1A7211A98DA - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8E073795B221B5E7C50DBB0BE13D4D34B - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4B2D116659872E5B1B3FE2C6209D6E9AD - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B99691071FB698F92CF70E988EE4FE89C3E3772 - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E8923FCC6C04E9C14062EC561D0D552D1 - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7FA36059931CA7AE1A7629D328138ABC67 - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D9683745A4287E79442816291B92B2BEF391305B - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413FAECD775190D3C752BA247338F5B58747 - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D9D5648ED203496CECA94515EAD10D1C37 - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971D7C65C1479C354A8C0300126A9B6CF80A - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E514BF34D9E8321D157820A57086AE864 - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7E8AA4D039DD6EFBF9C5B19E6B30F0965B - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB130294F4394AB6D8B9D34BE130CCDC9D5C - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB7DB0C69FE14FC29CBE149E421911F8A81 - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9CC9BB4AC903244AC7C982E8B06DBAF2F - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B947062A6FE7EE3158633E9CF80ADD8D36E7A - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E456256C20264845C7BDF170818B04920 - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950173F98DE373B5F02B96F4D7E37A225C7 - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 
CBA5AC3E706C38CCB7F9D3C15D40BE093AD6899DA2348699CA6541385448B8AF - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F09A2CAD0EFBF59D5A7F632C37EFF6A4A6 - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD1729334BEC34F623D36C3B4F5664297F3AB8CA5 - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D922B691D7A897DA13800F1B50751BD936 - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0C5D8989EE6956F22274DDCF77D3EBB027 - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C5101008FAE7658C775BA521C991AD6EE5 - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A729DC7CB0E344E2A8EC366B57E42D4BEEF - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BBEA5F08E1C093031FA50CAA73B97E543 - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = 
9F3F6002F89F5CA2B48DF5300D06E4E1062C51D0FB40DDD4E0066EC1ACAB3685DB - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAEF127824152F02F59070A7B66A028C26 - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B7305FFAD4FB96449D45392C11A462957671 - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B9430069FFB6341D9FF07A90576BA2C2452BB - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC17384B3F0B012E46029DDC4C4F50DAAC69C4 - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B7000712B1D507FD80ADBE37FB89545BBA3A - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC03A7A61145A0C357E8FBB1A81AF8E6032 - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C362813649CB8781D9BA6466B93D12332D - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7B7ED0AB2E05851C2EDCD710A84312EC9 - -Count = 575 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4311CA4B094E656DDEA7E8A3799A156AC6C - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108B1B8470007BE203536AA650907CFE4AE5 - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2F0A6F843ECC18E939A25C4308B80E514D - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3DB7199B8A93DB1669AE4DC48E990F9D00 - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D9683745128B9F12B76A5F7C6EB018E050C7ECF98F - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05BA91719F7DE32B57E95BB8E3F58DA974 - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D907639463FFEB3E5119F7E2E4A625E50B26 - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAFA470A815BD9A2388D364D1C8F22A944 - -Count = 
583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37A93CB0BD49746F8D79A96E3AE3001AF5 - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2B0063F0E6A8C1F0CD44400A9348A2330 - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E1EDA2BA48BD4C06B8D039A61A90F20DC - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A912A0C20CE78A16F742355BA7D230F6B - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5CBC0D2E5106EC34E7773ECCA071E9755 - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DA2118988EAE6DCECD166978624864A76 - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E882C363EB4D4A378D4F71B8E78E59CF7D2 - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AEE77A110297CF3197E919C8CE7E80A3C8 - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE0939EF345D78008D932159F4A928AC2C78E9 - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C29281DC969C99BC12207C4767B8D4CF0 - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C6A3CEA8901C57049C6885FD5F42E911C - -Count = 594 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF23ED67B55039053EAC8212749DCBEBC - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0CA96C1E852DCB5DA3B09A3B24257F8AD8B2 - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C19F7687623D7A4ED57004FC7C91AC7AD - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB5971CB1E707838A51DAE972CE545F2C4 - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC9C4A6F6A52785FA99FCD7DB045536F4F - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069F29C5EEFEA639FA291021E88592219F3A - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF0900CA19723DB701432D97BBB1F64FF2 - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D32CA2854B1ACDC4D756D85EBDFFE495BB - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308EBCEE78B8574649CEE64EAFD0BE037A52 - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC1738453248B842D5660CF3E982F2579872C55C - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F8F6684F21B76C02C3EC3C032115FD7CD4 - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3AACEACF260DD04BF6BC718000E62B49 - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = 
84355B90FCA6CC96DB82A967919F4A90C3BABF3658F1B9092F4D2E918FB00F83CF43 - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D77478DC2F13E625E2C3061EE7E53D90FE1C - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E0E0735CDAE040D8EDF8DA40242133E08 - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE5C623AD54D816FB37B70896F20CBAE447 - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B255AA79A96DFB36418CED39648EDCD3 - -Count = 611 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40AF72CFAC10F564EAE4665F8C8C0CF542 - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512018681E227B257D853F251AAD55F8BB8DC - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F9F252A83B6893DC1BE2A29ABC754BAC80 - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 
000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D9075736801AA4A93FFA9EAC5DEA6E6C380063 - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB960C8271EAAC167B0178BE0E8EF38F4FF - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37ABC4058A4C6B4627C03277F735EBBA22A5 - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E405E8595CBA2EECA2359D17E27C60BDE9 - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E94835103A7BC7B1656398E52C2A442F854 - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A3562174CC69729E5C449A71F258D455F34 - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BB7CF81E0720BD0101311A1EAB53857C40 - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DF19613841B1A5EDE571A901CF79F01D758 - -Count 
= 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E885C2D7D6EAC13656AE074354710D4494A12 - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67E7C28843C2FC13DE85FAA6F0C9A487BC - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D36D12DAAD91D815EC01ED4372C063E1C - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C42CE48A44DB2CEFC82A6900D2779743B10 - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C57F5387D16F696A78A1CD9914D46B523CB - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0BE6DCCFCE9B4B58F71CB01F024B988B5 - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0CA94C3305469D5624234B9042C38E684B8344 - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F 
-PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C929E7A4950FD260F848FABAB411752D693 - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58A2FF1DFBEDFCF34448C989C778BF7BA5 - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC397A5D170E75F27486B4B0D4437C7B8A20 - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069FC986D252A0B3F18596BB04D7BB2E377C00 - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF550C387DF76D7C197F263484E9014CBACC - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA9724EFE7193160C734E94B7ED3B8C553 - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E93F434A2F4A1A62F6DB761C4CADF074522 - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC17384571B3C909F800AED34AE89FB31E74B43A68 - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = 
39A67BEA2BD6620D0D466558161273B700F893A11318D587FA2CB15846A226DAC123C5 - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3B7922105D790D46EABEBE8BB38D94A7AD - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA38F22E7A84D1E2A1E5E648EB611BE31EED - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7741AFFC9374EF422DA78A0947590CE40A3D5 - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00FDA6B508D1952934EC15D91392146360 - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AE5E5CC355885E194A39BC6DFBF9739C4 - -Count = 643 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B679114C21744E5790FA890549261F3379 - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E6E7E741B394D3171FC0DC88FC51807108 - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 
000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512010A63819B6A687F2699C012AC9798C0FDC8 - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F928296657C783DD436817A2D22D008C08B8 - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D90757C1A5C4856C52BAA1D1CD706F2D65EDA8EB - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB9274DFEE95CE6E72D2DD3FF8C3B6C0BAB93 - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37AB7317AF9059647A3B91BC413739668B1094 - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E78ED9C6F62DC648D810CE9DAE966D536A - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B7E192DCC6FEDE9356643C679FF99EFAF - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BCE639E7DD5D3428E9FE4D7CF74A1D2D5E - -Count = 
653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB19B23785F2BF1BB77088041E96ED5BA82 - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DF1A7B571308D4536C518F4DB528398F6B9E0 - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E885C11B1B6021A1E6E40C3F2955D438A23C49D - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67B5A7B1FF4EFD1BF4ECD26F2478D7816C61 - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D37B923B32620F169689B2F027A4992902E - -Count = 658 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C4293B22AF20BC83500E8B0B239B38532565F - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C57393E6420C35BDD2DE2B1A140043CFC0A33 - -Count = 660 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0A9698DFB67FCDDB695B8E8F367828047E9 - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0CA94C51DD70ACE370C0DA9D4D2EC4A2CE0A6A79 - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C9227233403032D58AD0615B5D9A12EFDCCFE - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58D43D381B0504534E8EF1C2325753392029 - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC3910084D0A403F98E8AE2D6072401EB77C61 - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069FC9120029E41EFE8035485903EC0D2809B4B6 - -Count = 666 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF5563669ECAE799D39596E8F9A83CBBFB09CD - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA98FF65DA03FC553D7C03AF46A5DF01ECB3 - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E934815B606FA2A3409341560AC76D0B86D18 - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC173845710A7BBF4FED1D084970CDC52233307DAD60 - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F8932506289E5B0E98E82C747728DBF623D9ED - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3B627A82DB0576FD5CD86D7140555DCE3A85 - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA382DFFE9B226770F9203F5658CE04CD5B781 - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7741A582AEE51FC5811FF63FD9B4D278F5C1D7E - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00D1B2300B90CBEC9FAF879AB03D60B42398 - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AFF755E36F548586D24BF52784BFB889A22 - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B6F4128798CD689B779502FAC14909CB5D3B - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E66D03770772F60900CCDD45A7028B548ADD - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512010AD104888743AED8F9AC40D4CC34C8BB7A6A - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F928410F89F44893EAB61B32D4E1C88FD847D7 - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D90757C1015A969EC47FEC5933E5FF98189A0B9CCA - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB927BEE30206BA97A14DF90E4065CB30F3B263 - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37AB733A70F4A3356975D52EA57504415F66E373 - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 
000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E796921E6560050A6439A8A38F97160FC20E - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B1D5BAC3C730A80835A54B9C1F603BB6D90 - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BC35F41AF6B455642D4479E1399F81EC9820 - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB1451353ACD814EDCC8D1D6215FEAE5C9BDA - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DF1A74085C8E7329A1C25DBC35617014449D505 - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E885C1154D40BA3FF909BB5A4B685A0B4367AAF90 - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67B599AB4713F7CD8CF36C9C6623C374988DF1 - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D3773922532D80E626ED3C2648F35F6FB7907 - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C429302190564D2466D890501DFE0B65D523BE4 - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C5739661318AD1CF59CC0A57F573120F7C6DE4E - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0A9381174704A4D4154AF63DEF51AEB3E9F56 - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0CA94C5180267144074C1B13FC99BA5A50111CF892 - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C92275521A1DA4F1603FD6B229652AFA34107E6 - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58D4D3317BBE35ED34F32856200D183D2E4C98 - -Count = 697 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC3910603DD20D122FEEA121DBE6DBC13A3AD33C - -Count = 698 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069FC91269DF79D7E8B3BCB9DD8B23037677B4908C - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF5563A1878A6DFAAE80C564E644F2284F346AD4 - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA98871F208C158B75157825FAE0D910A3A8DD - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E9348DB2C3EF3734DCF605A3C48A78E879F0799 - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC173845710A46A45458A4088B12D2BFE29C21A12B1E6C - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F893252B6D13AA3479DFFFB7C531735A6E06C69F - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3B629F77F5C6D127034CB0C8A06333153D1AA7 - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA382DB3E0A7F7D65DCAD7CE6FE6273CCC1F9FD8 - -Count = 706 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7741A583CB31838FB408FB2FDF857CEB5BC01A038 - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00D11376E8812094A35E613B24601A31804761 - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AFF6C570DB375D12898D5A1A2429C5A92B419 - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B6F4B2995A24B84EDB1FA34D6C5D5DCE318AA5 - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E66DF9F1FB757F121AB21F121427DF504AA945 - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512010AD1716B26D110D8BF097E82A07D794CA4B121 - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F92841764EDA927DC0688F6B3A7EB08731F9FD53 - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 
000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D90757C10106851AA3A088B067F52721AC8FF4DD8A7C - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB927BE347E8FF604B847271DED5F53FFF6FBA4F5 - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37AB733ACADFBCEDC6D246B5A1B0C3FC14D8C896C6 - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E79674F8413D0F6C925906AF0F73BC1CCE9C50 - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B1DE7D7CF8C25728170DF22D829F8C7BB3722 - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BC351DA819B5F27ED931FE71D3F61412ED83D1 - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB145A36E23E620B1315999631E363D179F2CD0 - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 
-CT = AE5C18C2DAC4C66356197960539B94705DF1A740D289C4A97751256C55455CCA6B5586EA4B - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E885C1154640D99F1807E6B2DF71671D03FDA25E4B6 - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67B5998281CD30AAA8144F92E3612CA78084DCD3 - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D377324AC589C08766DFA9C5A87DA4187D75B42 - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C429302E29B409CC1E99C2AABDD51A909BCB32D97 - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C5739663B35207E8AAC5B6E50EB0E387363265109 - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0A938A1BE1B8A92FD450CACB63AAB2ADE1E4FEA - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = 
89A6BC509C2FA199469F92E4F44EC9AC0CA94C5180BD3E3DFF61F263A30D387517374CB3DD93 - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C922755D79AE05909854CC8F8C1F22E029538B1F4 - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58D4D3D6A450D26E4A7D78DF95C01B6FAD7DF846 - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC391060F32CD9243A78A5B5A1BF0EC1A09A720275 - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069FC91269F2F5EE7152E6C4E4EF9750257C4A7DDCDC - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF5563A1C4538571A7C26F46AC1953EF02A90F6A6F - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA98871D08F1D229715DC290826E01B4DF4AE197 - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E9348DB97DAD326554E8CBC59EE9F3D5FD2A32BEB - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = 
15D3A591835795973858CFFDF307BC173845710A46C611FB5A02615E60240AF443B10F3E73B7 - -Count = 736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F893252B55F165E78019FE44DC0FF1DB875EF181B5 - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3B629FCF0616F2D90F359B391814051EB66ADBA0 - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA382DB307D1B262640DC786B756A8CC7B18411205 - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7741A583C5C3EB455A7975E005F3BE7A7C02B48B591 - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00D11363E6998C08311CC08AB7249C7C890CF9F1 - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AFF6C3C4AA2E6F1FAB279D09D73612E7854DD87 - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B6F4B2B6DAC766581DCDE9B4D4D4011BFC660332 - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E66DF97FB367507C777A8835E3ABFB1ACBAA78BC - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512010AD1717DF135D098EF6B8940D32AAA04F1DE1A3B - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F92841766687F021FF2CEA1B90E4D50F8073599EE2 - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D90757C10106EAAA45F17A7DB4AF372E295BE1772CF5D9 - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB927BE34A12258AC44CFA81E63DB2862F2F169080E - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37AB733ACAFC5C6F6CC7E3503D5A8AD69DFEFAD44612 - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E796744321F7F6A9FA4272CC244B793226FCF1C0 - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B1DE75376F55928664F323BE8739D8F06B6114D - -Count = 751 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BC351D69093A5F8EDA01CA1B359E85F2E1AE609D - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB145A3EA0D521C7F69DD882A176D0F032E9E04FE - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DF1A740D249165DE58011409CD0323451558C8C6752 - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E885C11546449D7B846A5FBBCC6149A7C8027C9D5EC27 - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67B59982F1F17FF8030683AFDB306B58F6E7BC1845 - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D3773241455FE43979DD2FBC4722E980E9454C67B - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C429302E27573CACB37F9BD41A9653B74DDB0461B93 - -Count = 758 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C5739663B0F1493876ED5AA4B1DDA7A8B40B6C0C3EE - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0A938A11753B83F1BC754861E118AD98DBABE0FB2 - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0CA94C5180BDC17F74AE60A69B99B6FABBA303E5C93824 - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C922755D721147D0AA943EF6A22F693D811AC6FF557 - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58D4D3D60D64C669D306FF4FE70FE08005F3BC7829 - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC391060F3DD25E7C0EC709D6121D7CDCB52002CBF95 - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = 
9F3F6002F89F5CA2B48DF5300D06E4E1069FC91269F26A54F0FD17CD8E37F7BB4777374E70DE74 - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF5563A1C47EF7885539CC83FC29531A5362A61BA485 - -Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA98871DD2149B4C08F5ED9A7540FED36E7E3CF4BA - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E9348DB97F1938DDE26B61EC79B04CC13FF4F15F7AC - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC173845710A46C6161C982AED835309ACD1AD1062B68011F6 - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F893252B55AC67185E8747758A6DBA1BFDE9F2757F65 - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3B629FCF8670444A1CD802EC8B43C4BF47141C1445 - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA382DB3074C4C886A05D7EAC99C26179DD7E3C0EB0A - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7741A583C5C940A11AA483317A90BF09F8018E69FD7EC - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00D113636EC4A724E6C1476A10825480D6D43A3996 - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AFF6C3C5CF9F4A408C1DADEB9D83FAC0196B79984 - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B6F4B2B6CB6FCC68E43D3D58B3905461EC4D595468 - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E66DF97FE1B802F1B2774DCD463CF7E6CF81AED6B2 - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512010AD1717DBA76036198B43A2968A931348C18273009 - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F928417666A53DEB31612AB4E6D8F7DA118671F3C0A7 - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT 
= A8844FEE475A9B10ACE25F7D497196D90757C10106EA2DB73A6E3B93D91282E2561D7A8FBDDADA - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB927BE34A1458A61B1B8E7FA362F3E64A8AE0C45E152 - -Count = 781 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37AB733ACAFC59D5E525B69FAA9AE7EAF90FBDE4515330 - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E7967443E82E93EB58278E5DC0E38CFE888A8C10E7 - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B1DE753235993EDD696E624D1E023A486FA703DA9 - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BC351D69F705DCD2FC55FA904EA0B9FE1C63591DDC - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB145A3EABB8FE0D8599B17FE0B823525C03FD1E97C - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DF1A740D249CB3B27C6FD73E907204D5E24B150C10BAD - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E885C11546449B89D1B19BF30FDCC7F3602ABEC5625586A - -Count = 788 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67B59982F11B0C6E9E82CAD8CF5E57B05CD7B86A564F - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D377324144981571DC2CFACF2BE10F5227D31A56ADD - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C429302E275973F3D6242FE660B1C3772F2F66B1F33EF - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C5739663B0F19E11C112F8BE3ED34AE813908E16E1413 - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0A938A117EC4CE357976CE74C45F8E3B69ECBA445F9 - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0CA94C5180BDC12B6AB4BB0EF4B75D0438BFF307A68EF3BD - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C922755D7212BCB014ED542AAFED9656083B1500DF5FA - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58D4D3D60D434E2F465097A408A9F33A090DC32570B5 - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC391060F3DD81768A6D94E4FD7448F59F17F548F00A17 - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069FC91269F26A9DA7911AE5559090220B572831625D0E30 - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF5563A1C47E75715EDA60D68A57CA64EFD8B19D30F2D1 - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA98871DD2DE57C6EFE50421483CE3F9B9C4C3943DAD - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E9348DB97F151D1DF8418C6FEBED03860466AC55E356B - -Count = 801 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC173845710A46C616C0651143F92B9F87E05168F807D297547D - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F893252B55ACC1E1816F078C804FBACD12DB7573E37460 - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3B629FCF868070C2476104D701F8A6F9B74DD2B6A988 - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA382DB3074CE4373634E66D83CB01128776D26576909F - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7741A583C5C9498CD21E4DAC2D2F50CB05AD79A30C56C3F - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00D113636EDB45BEAE7429CFDCD22D7B3BBE84FFA30A - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AFF6C3C5C1ED5F56A0F853617CD054ED50A9B88D786 - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B6F4B2B6CB445C3B9759323C946AAC9B42AE1233513C - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E66DF97FE1D93FA46BEFC851EC1F532781AF79F92F8A - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512010AD1717DBA7B1E10EEDBD39395D9D8BC06C3EF9632A2 - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F928417666A5CF901D920EE1E7143797ED3DA5300105E0 - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D90757C10106EA2DBA1350CF5B4D6EE2805042EFFD711C154B - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB927BE34A1452530E621017B5C76B66632497E0ECB533D - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37AB733ACAFC5961CEE3D9A8F3DA8E97D073A6885AAEA595 - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E7967443E8FB2697E258057AF950930F493BF8E39A7B - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B1DE7532397206FD7449E71F1E957EC9C295D8E8C84 - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BC351D69F73F98E9D400A8836BC3DDF0D84F8256D732 - -Count = 818 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB145A3EABB67C5780CF94A855A660A70B7B6C385DA9B - -Count = 819 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DF1A740D249CBD213FF2B98E2C29B66EFA740A31487AD05 - -Count = 820 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E885C11546449B80BA72F3E1CA5FC0716B00D4494B7C1A14C - -Count = 821 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67B59982F11BD96C33D099E6EED52E6E39996D14D84A19 - -Count = 822 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D3773241449D4522A04E1DC228A362D786C755B71D0DC - -Count = 823 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C429302E27597B1ABA626E297E17BE8C2AD78C5527EEB96 - -Count = 824 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C5739663B0F1931FA235FB96352B97D3DA3C2273DD9672A - -Count = 825 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0A938A117EC0234A91024DE027600FD2287DDFBDCA30A - -Count = 826 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0CA94C5180BDC12B651DF05CE4CD11E1E84D74E62D437D9E78 - -Count = 827 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C922755D7212BFDFDA95B65C96072C947362861968571A3 - -Count = 828 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58D4D3D60D43B49BBEBA3BC0645C0F30DAD857FA313335 - -Count = 829 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC391060F3DD81FE16FBB42FF9DEF1AAD06ED1F34E70742D - -Count = 830 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069FC91269F26A9DD81C877A23E5398B762812E119B530A6BF - -Count = 831 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF5563A1C47E75DD8742110FE5788D49B021554244D3E1B7 - -Count = 832 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA98871DD2DEA51E33E2A575D5FC0A4C3F2BB5C459C3DB - -Count = 833 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E9348DB97F1510CA10402C866AB4B557354B5A57D381DC4 - -Count = 834 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC173845710A46C616C03588D65179E46E59B3C149E40785FB7829 - -Count = 835 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F893252B55ACC19809F2F5EB41405645031CA93AF44117A7 - -Count = 836 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506070809 -CT = 
495F89651B3460E65F003BA766C5845FC02E3B629FCF8680D38CCD4F60CAF41BDD96BDD3FBB97828AE - -Count = 837 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA382DB3074CE42C9230A3772B545611B1F06431969DB4B1 - -Count = 838 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7741A583C5C949815A4956560B590BE6CF0B37305673172C0 - -Count = 839 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00D113636EDBB6AA6D82A88A15039C42C42CF1834A22F5 - -Count = 840 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AFF6C3C5C1EF5E570FEA7D151B13E26A1F100E6DE0341 - -Count = 841 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B6F4B2B6CB443B682C570AAE8CB3643E6A44D3F70E5609 - -Count = 842 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E66DF97FE1D99A5E80B46589A54C92516F2705766C0D67 - -Count = 843 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 
A3DCE6A36D4245193B10BD96D968374512010AD1717DBA7BB0BEEDA48DDE343E597BB926043E19A18E - -Count = 844 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F928417666A5CFE89F8DF69FE6F3EB77AE2E371B2F478F2D - -Count = 845 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D90757C10106EA2DBADC61F9A65005BE569F663A4B322FCF3CBC - -Count = 846 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB927BE34A1452587D344915AA84928871C2F2632FE9B9681 - -Count = 847 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37AB733ACAFC5961E77AED7524D80E87F522C5732A5F1AC924 - -Count = 848 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E7967443E8FB8CA77786C93D877CB546603BB5883051BF - -Count = 849 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B1DE753239743E58124AD68686F88F5823BD6306D261A - -Count = 850 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BC351D69F73F6B6EDA52534FCE987897FE835B430EA404 - -Count = 851 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB145A3EABB67DE576FD3B3D7297D7C2AF893A3CEFF52CC - -Count = 852 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DF1A740D249CBD28C06674D82D3F835D45A3DD26D4652225A - -Count = 853 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E885C11546449B80B256E97B4D398FF0FE6E22602FAC35621D2 - -Count = 854 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67B59982F11BD942C5429A44650829F19C410F259270AEE7 - -Count = 855 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D3773241449D435166D995323E3CDA731AD551797BA2800 - -Count = 856 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C429302E27597B1CAD58B5560A6C494141D8C54AF0EAE19FA - -Count = 857 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C5739663B0F193111E9156399D2DA47C23457847A99031A90 - -Count = 858 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0A938A117EC02C6AA1EE25D30ADF13BFCCD64681E1B5967 - -Count = 859 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0CA94C5180BDC12B65072F8F123D31B58D756E3C71B90268B46D - -Count = 860 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C922755D7212BFDA0244BB016D874B0F97F0E13563EA7499D - -Count = 861 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58D4D3D60D43B4857B37AE2F569A9A159796C643ACEEB18C - -Count = 862 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC391060F3DD81FEF369E10F12014B3C3787B35F154668A653 - -Count = 863 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069FC91269F26A9DD88D20BD040DF5D460DCD2AF068CA306E5D8 - -Count = 864 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF5563A1C47E75DD169D273C3A02B19BFD97F1073CF9296FF9 - -Count = 865 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA98871DD2DEA520D3153B8413998AD3AA8D74B521E6917A - -Count = 866 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E9348DB97F1510CABAF1D34008C4C2C5B27276A65CA3F7E0F - -Count = 867 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC173845710A46C616C035AF2A53629C1420E7B37C34D52E96E92E0C - -Count = 868 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F893252B55ACC198EA39DCB4ABF81A5F8A67200AE1DC296F1B - -Count = 869 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3B629FCF8680D3CBD752612AA8F335FFD9BBD2EA65DCD386 - -Count = 870 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA382DB3074CE42C4720018DFC224267F682A67679EAC364DF - -Count = 871 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B -CT = 
BE57E3035F3121F1071DA155CFEDEDE8D7741A583C5C9498159B35FFA86644E4C1C0DAC4C9118E816276 - -Count = 872 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00D113636EDBB6B72D168F8AABDE2DC1EB26525A06913C41 - -Count = 873 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AFF6C3C5C1EF5381907A959487594749E0F05E8034A4915 - -Count = 874 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B6F4B2B6CB443B0303FBBF3BA21D9926AEE9497478CF4677 - -Count = 875 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E66DF97FE1D99AFE812FAF4389C0859C6128EAC989F20798 - -Count = 876 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512010AD1717DBA7BB034A92D18A6806E891FEC39457703781B68 - -Count = 877 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F928417666A5CFE868388136AF867C63D17471FD74E4CD8BD5 - -Count = 878 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT 
= A8844FEE475A9B10ACE25F7D497196D90757C10106EA2DBADCE83B6E82AF1D7A618566389C23CC52A07C - -Count = 879 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB927BE34A1452587E91923061ADE7115F0D590DD8FAAFAA93D - -Count = 880 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37AB733ACAFC5961E771F6656E2530794BECE38B140A1A29471A - -Count = 881 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E7967443E8FB8C1BA5DF9B00C5924B521B80AB5121540272 - -Count = 882 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B1DE753239743A66C5BB70929DA94A65FBF4BE8C115BE13 - -Count = 883 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BC351D69F73F6B85C0C4BEAEA2DE22D5AAF284B5D81DDBEA - -Count = 884 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB145A3EABB67DEEEB49266EA300E014FF8264859B80323FC - -Count = 885 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DF1A740D249CBD28C2486881FF48A722A7FABC4DA5DC8E4D71C - -Count = 886 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E885C11546449B80B2532F77CABF4DC9EA535CCF3C62AF71A0591 - -Count = 887 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67B59982F11BD942306CA0B27D3A4557DD3ED221A5F018A1C2 - -Count = 888 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D3773241449D435D4DA5F3A0925F34CD2C0F4048F88F2C236 - -Count = 889 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C429302E27597B1CAC160CBB74E98426ECCE4DD0FD2F9AA342D - -Count = 890 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C5739663B0F193111A5771528ABB14A7F4723D426ACD0630BCF - -Count = 891 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 
64BCEF8DAE0A00AB494C06752052D3D91AF0A938A117EC02C6DBE3B9107D989B27DF9F978F2C3844C8A4 - -Count = 892 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0CA94C5180BDC12B6507F297E028E30E4F53B780371F1CF7F27045 - -Count = 893 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C922755D7212BFDA05B39CAF8397940D5E3E28E62DB217A80F5 - -Count = 894 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58D4D3D60D43B485D0ACBCF911DB2B0A54977DB2F46F87DC58 - -Count = 895 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC391060F3DD81FEF3F7E3D33C80DE3FE4B3A5EE00725E0F2497 - -Count = 896 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069FC91269F26A9DD88D4C90B2164BA63D11EE2D48EA78C4DB7AB7 - -Count = 897 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF5563A1C47E75DD1602B9D7271A759FB4789CEABE7E5C7CC96B - -Count = 898 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA98871DD2DEA520B5F198338601A9ED8C2B5B65890482FAC4 - -Count = 899 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E9348DB97F1510CAB9049CBB5C9FE2F398A60CA9CD7E861F3C3 - -Count = 900 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC173845710A46C616C035AF8477AE1CAD2A1A54322DFA87D3903B8C43 - -Count = 901 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F893252B55ACC198EA33256FD2CB32C417950BE78742DA311A7E - -Count = 902 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3B629FCF8680D3CBBBD9715175DB6A739D1BFBA2ED53CE70E0 - -Count = 903 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA382DB3074CE42C47C86EB507BBF3A44851E5A88008B8EB5D68 - -Count = 904 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7741A583C5C9498159B4FDB1B3538092A7987E89A9C4A60E3D910 - -Count = 905 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00D113636EDBB6B780692B93811714505A742BD280FCAA5C8A - -Count = 906 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AFF6C3C5C1EF53852B56067FFA6828FFA385A1E9762D1801D - -Count = 907 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B6F4B2B6CB443B03033E050C4B1D715ADD636CB4EE4B2A9306 - -Count = 908 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E66DF97FE1D99AFED09B7E4DF269B05ED77DD65CF2CFC80BF9 - -Count = 909 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512010AD1717DBA7BB034CB21DD5010F214AAE6AF65E045537223A4 - -Count = 910 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F928417666A5CFE8688CF519B300DDF2FAC71294FC20EA75B57D - -Count = 911 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D90757C10106EA2DBADCE86648E1D1327D9900A39F2B4DA3F6E3AF0E - -Count = 912 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB927BE34A1452587E96BAC194E0A790F5A9C3CACAF2B38031A50 - -Count = 913 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37AB733ACAFC5961E7710294411EA50A4FF6F3992281165BA89E64 - -Count = 914 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E7967443E8FB8C1B6E6E6B1BEEE840788DAF2D97C72B39AF36 - -Count = 915 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B1DE753239743A6263F7C9F5E307ECC7898AC5463F618E665 - -Count = 916 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BC351D69F73F6B8587F9097FA165FA512B77C119B9F44F59E6 - -Count = 917 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB145A3EABB67DEEE937FD2E8613C6ED9B523ADFAA7F0D23B7F - -Count = 918 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DF1A740D249CBD28C24D4C7AFDFF7BB2B665AA48A3806B63B553E - -Count = 919 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 
58670DED3A0718839B4B0C602EFFAC3E885C11546449B80B2532C0175220696168D5E5BD2B534C68DC1899 - -Count = 920 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67B59982F11BD94230A55D194059AC56E57FB2BF4D8501E0B8D9 - -Count = 921 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D3773241449D435D41B479850E1E948A11D7D3FE2A12BCD58C2 - -Count = 922 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C429302E27597B1CAC14A539E9C829B50AE11DA406D0E1AE3960E - -Count = 923 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C5739663B0F193111A58CC80EE5FCAC888384B4398E97A7E53907 - -Count = 924 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0A938A117EC02C6DB1B2C539BE31DBEF61606526BC683520DE6 - -Count = 925 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0CA94C5180BDC12B6507F2C02AD32D7923E16206D902FDB8BFC314F0 - -Count = 926 -Key = 000102030405060708090A0B0C0D0E0F -Nonce 
= 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C922755D7212BFDA05BB7DE54D47585E13D638FF425DB5CA6CC67 - -Count = 927 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58D4D3D60D43B485D0EAD56FFA973D1537D86647F3476C431343 - -Count = 928 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC391060F3DD81FEF3F7A495E8DA53D948714266389906A4E103A2 - -Count = 929 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069FC91269F26A9DD88D4CA249E448998021E672F192BC47FC4F5EED - -Count = 930 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF5563A1C47E75DD1602335D2F55B0EAA00B9575D1118327BAE174 - -Count = 931 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA98871DD2DEA520B5C2B979450E85F45323C4B9917CDAE36F05 - -Count = 932 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E9348DB97F1510CAB90A06151F8DCA29A71867F7AD9F854D743F4 - -Count = 933 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 
0001020304050607 -CT = 15D3A591835795973858CFFDF307BC173845710A46C616C035AF849E70A4A61296B9454E2B956BA7D1B65A7A - -Count = 934 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F893252B55ACC198EA33B2FCC43406ED2E2A5FF47A732499322C3D - -Count = 935 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3B629FCF8680D3CBBB0007DB5D1231DC641BC68630424FAF7EE4 - -Count = 936 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA382DB3074CE42C47C87E64B29D4BAA816EADF4E21253B01F763E - -Count = 937 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7741A583C5C9498159B4F1DA0A49E44100DAD40B4D991651D50C540 - -Count = 938 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00D113636EDBB6B780FF023FB6729CDBA222D10D2B9CB998D639 - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AFF6C3C5C1EF538527DE475C93397F29CC37D4954E3471E2E0F - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 
000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B6F4B2B6CB443B0303B20C0A7386CD3D428575E5D7108D6159A3 - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E66DF97FE1D99AFED0932DBFF91B8D08FE58E665482EA20F726C - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512010AD1717DBA7BB034CBC5D5A2448F7E80F149B29860561FFE1C64 - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F928417666A5CFE8688CD948391F3CFE2948EDB7E0F12A5B1D5676 - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D90757C10106EA2DBADCE866754CAE156DBEF2CBF26E7BA69B223C4EE1 - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB927BE34A1452587E96B792F1020CA832C02756DE4F063525A771D - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37AB733ACAFC5961E77102EB3E137CE1ABD5AE04F7962B565B7D9291 - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E7967443E8FB8C1B6E6B8EF79E61BAA16763262D6A8BE542227D - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B1DE753239743A62627AB23F2A1975E41DD208251446E1EECF0 - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BC351D69F73F6B8587F1E1C6A38D6B13765902CE21D9D9A810B1 - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB145A3EABB67DEEE93A79A79CE13F04B2B3120E4C43FCBB1BA18 - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DF1A740D249CBD28C24D4B79AC9756019AA3B9C9E52C999D3A523CC - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E885C11546449B80B2532C041C555AE45FF8AF0183C68CE905FBDE702 - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67B59982F11BD94230A5296E6E67E19503955AB8FE8D166BAECF83 - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D3773241449D435D41B5D43CAB6DA8DDB4DCEE3DFCB030B0C3D1C - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C429302E27597B1CAC14A36E960811C3824A4322D4396DF9ACFA98D - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C5739663B0F193111A58CECC6BCA83B3B3AACC8EC52AE64B3F8C6F1 - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0A938A117EC02C6DB1B8900BA5D208630737213E258B3868B168B - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0CA94C5180BDC12B6507F2C011834329EF723989EB1C8E613398D5F9DD - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C922755D7212BFDA05BB783BE60440826050ECE69E21D25EFF9E906 - -Count = 960 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58D4D3D60D43B485D0EA35A6C1D9ECDCE8C8C4AA91AD55FF8E0357 - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC391060F3DD81FEF3F7A46CB31004340E2F360EF50B74F5091B2FCE - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069FC91269F26A9DD88D4CA268064C8B9167809ABD7233F80F73474047 - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF5563A1C47E75DD16023334B7E431BD66B41DAD7B03F619AF2EB54E - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA98871DD2DEA520B5C2139678D125B58A63430FE7B8381ABF8C6C - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E9348DB97F1510CAB90A0B7DF0ECCDA2D3A6C262522842EB9F7D472 - -Count = 966 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC173845710A46C616C035AF849E9DC154BDF1C096555F11DBD63EAF2F33DA - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F893252B55ACC198EA33B27597CB395494C73FA5CC83CB1BAE4825E4 - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3B629FCF8680D3CBBB0070787B832BADE64AC441BFD650014DFF8C - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA382DB3074CE42C47C87E4F224636DA5FAB981BEB72E71A0945B778 - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7741A583C5C9498159B4F1D244E831488D44DE9B89FDE8F56A075B997 - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00D113636EDBB6B780FF7F03F32EA5C8714E9AA3B99F0DFF6E0FD2 - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AFF6C3C5C1EF538527D05C6C8FBE18B0543CA771D6D1808D7C9CE - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B6F4B2B6CB443B0303B293CD78DC04E9161A155603B79399B877FA - -Count = 974 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E66DF97FE1D99AFED0934E5CDD79ECF371D2592A72BF4183DC1A77 - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512010AD1717DBA7BB034CBC5023DE8D8431D60481598D710FD62E1467F - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F928417666A5CFE8688CD94EAEF84FA7883DE288038D2D4F38C0302C - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D90757C10106EA2DBADCE866755CBDF842400D3227E882D01B8D05C3DC2D - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB927BE34A1452587E96B79A08D7B3D32310D2B7DA92E852C36B0FBBB - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37AB733ACAFC5961E77102EB9F529650B8B170C9633DB2236055725FF1 - -Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 
000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E7967443E8FB8C1B6E6B99004CD6EAE717151036671C65527FFD18 - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B1DE753239743A62627CF046DDD99FF700DAD57E9F6DC2EAE2242 - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BC351D69F73F6B8587F1A27D04E11DA91EC8C817DDB4E8CBD287C5 - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB145A3EABB67DEEE93A76BC0716A6B27FA79D92F44B59558DDC850 - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DF1A740D249CBD28C24D4B7AC8A89EC572CDD829C857367F03818E880 - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E885C11546449B80B2532C041741AC4AF9F36B7A4C73BDF208EECF9E379 - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 
8E3359569770A9A49DCF7ACAF4E2E950AE67B59982F11BD94230A52994C73A87D85362B6ED26FC1219DE649DAE - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D3773241449D435D41B5D7EB108028D41355343C02FD0AEB16BCB3D - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C429302E27597B1CAC14A36AE329C9017421BA1F351794106DDD98DE7 - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C5739663B0F193111A58CECED52F94134FE98B765B3F79387FCAD7D8B - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0A938A117EC02C6DB1B893B1410B68C8CD38EC2F5F4D673FCBD9240 - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0CA94C5180BDC12B6507F2C011AEB33CD92B73BCD51921B6D8B7ACD28177 - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C922755D7212BFDA05BB783FD2F3B676A25ABA2C578FFC5DA1E662E7A - -Count = 993 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58D4D3D60D43B485D0EA35847C559177CF8B3BCE5AA73F418AECBB61 - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC391060F3DD81FEF3F7A46CE58F5169CA927DF9C001CC74D57EF03079 - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069FC91269F26A9DD88D4CA2682064302CA4198619E34D6E5201EB6C11E0 - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF5563A1C47E75DD160233341AD5E85C26903A33C37C1A0593F0BB79EA - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA98871DD2DEA520B5C2133B48E120581981926616D4A491C53E6C87 - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E9348DB97F1510CAB90A0B786E33E6C73CCED600B3FF01D35D2A67BEC - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC173845710A46C616C035AF849E9DB598A7601FCCAF139EF17AF15404532CA3 - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F893252B55ACC198EA33B275D601880D035AD1E3DDBDC3769F5E30EE8F - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3B629FCF8680D3CBBB007099F6D6C164328EC5BA03CAD1C048C2AA0A - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA382DB3074CE42C47C87E4F657C94C5978541F837145F62B573D84554 - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7741A583C5C9498159B4F1D2432D961A432317651B74F5B3C80C52FDF90 - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00D113636EDBB6B780FF7FD3948F12EF4027D839A7F769E4BB37DEB9 - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AFF6C3C5C1EF538527D059470230EB5BD28E4C8C325494C46369253 - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B6F4B2B6CB443B0303B293A7BC7870EE86B3DE524ECFC61FE95490A5 
- -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E66DF97FE1D99AFED0934E1599FED621BF5A64F4853399DB394FE22F - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512010AD1717DBA7BB034CBC50291FA8A4DDD7FFD1C5FE156F284A7D8A3E8 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F928417666A5CFE8688CD94E773B55A28EEC364715C17B6540A424236F - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D90757C10106EA2DBADCE866755C271E61D239FEFEBE71C88E6FEF4BE606E7 - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB927BE34A1452587E96B79A09A176F28780E943EBBE48F97D0E9C7B78C - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37AB733ACAFC5961E77102EB9F63C6C6490995B0A71D9392DA725FF8D8D5 - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E7967443E8FB8C1B6E6B99A1C74AB41D4E344B6214F89830601D934B - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B1DE753239743A62627CF4C2E798B7D16ADCF4C7268D0A355AAA347 - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BC351D69F73F6B8587F1A2D065EE366110A5F21C199EA2D98427AA66 - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB145A3EABB67DEEE93A76B5D4366A4A4708EFB1F37C0AA22B14328E2 - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DF1A740D249CBD28C24D4B7AC05CB7BE2AD254A616E11F652CA21FE34B3 - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E885C11546449B80B2532C04174A175DD4C852A8535881F4A1430B96A95E2 - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67B59982F11BD94230A529940D0AACA8158F720FE715D730F8257DBE60 - -Count = 1020 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D3773241449D435D41B5D7E896C919E007CBC00CFE901F5BA3E90D7CF - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C429302E27597B1CAC14A36AEA4095E5C1E70E0E3E63E868B77CC6930C5 - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C5739663B0F193111A58CECED3DF0E6BFDC4BC9B7ADE7B3387AEDAC7F77 - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0A938A117EC02C6DB1B893BEE878AF8BF741FB176BBA8C9CE8967D2C8 - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = 89A6BC509C2FA199469F92E4F44EC9AC0CA94C5180BDC12B6507F2C011AE849E84E6AA27C1F8411F5242D79011EDAA - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = 
CBF1A8AF0311E992A7410E6238D36508C58C922755D7212BFDA05BB783FDAD2E2102D2C0BF95DDAF4C0F6A2D89F1F0 - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58D4D3D60D43B485D0EA358451C4D177A7206CD390B3AC4754657BD2EC - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC391060F3DD81FEF3F7A46CE5D9585D1196515AED9F0A292E1B224559A3 - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069FC91269F26A9DD88D4CA26820C3912986381096CAA092BA842375032CE1 - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF5563A1C47E75DD160233341A5AD16232B65366B673B1292119394D07DF - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA98871DD2DEA520B5C2133B5B447059ECC5545C59DEB6E69EED273BB3 - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E9348DB97F1510CAB90A0B78678528873675705EC50FC7334C0F01FAABD - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = 
15D3A591835795973858CFFDF307BC173845710A46C616C035AF849E9DB51F4CE603F1027FD905409CB59ED28BC630 - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F893252B55ACC198EA33B275D64B6D728E1161DBF2EBDE8E58B76B4C4F2D - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3B629FCF8680D3CBBB0070990A44EE82F80AA1D3C06DF8AE4B3CE63DAC - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA382DB3074CE42C47C87E4F6595DA69D74395DFC1D3D3A94FF9EB34B15E - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7741A583C5C9498159B4F1D24323E0F9C02389070C1068A9DBEF65101D4A4 - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00D113636EDBB6B780FF7FD3E8CCA38A203DA4312FEC69FCE66C11E37D - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AFF6C3C5C1EF538527D059422DD590229CFADB791B0727F743B2C2ECA - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B6F4B2B6CB443B0303B293A718A89C7ED1DBC5882C0FDC62A28F31A849 - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E66DF97FE1D99AFED0934E152C3BCE19350FDEFBCE851DD35490EA4865 - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512010AD1717DBA7BB034CBC50291AF29B3D4E5EA27FC27FCED907DC5E6CDD3 - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F928417666A5CFE8688CD94E77C19D1A20EF9121F74DC46BB031F1EF9942 - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D90757C10106EA2DBADCE866755C27C71AA2C1DFBDBB4E316218110BD7D1CEC0 - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB927BE34A1452587E96B79A09A55C0AC253063B0E1898B2CC60C9ED7D269 - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 
502CE5C9F6B61A277324D953B68B262E37AB733ACAFC5961E77102EB9F633F7F41EF13DA1023B3E74453FAACCF6A47 - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E7967443E8FB8C1B6E6B99A17C6BE85557C0FC2AE31C24E56630F15C76 - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B1DE753239743A62627CF4CAD4A331BC1A09349791B3F9EBB065730FB - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BC351D69F73F6B8587F1A2D0E8A7B6EFA09A6CE41A03762D19158B1277 - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB145A3EABB67DEEE93A76B5D0C008094A73DAF1766F4465EA8049E0FB3 - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = AE5C18C2DAC4C66356197960539B94705DF1A740D249CBD28C24D4B7AC057913F066D6EDDAE7F1A8FA81339D717E5E - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 
58670DED3A0718839B4B0C602EFFAC3E885C11546449B80B2532C04174A169F48795EA264B16CEEC3D5E5F5ABD6BB9 - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67B59982F11BD94230A529940DAC7DD1F9E06EF9927FBB330DEEE674C4A1 - -Count = 1053 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D3773241449D435D41B5D7E8972F64B2B08CEC19FB5DC89641A6CA54FCF - -Count = 1054 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C429302E27597B1CAC14A36AEA4B16D2FD73976EC4E4F5AC9AD29C1D18AF4 - -Count = 1055 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C5739663B0F193111A58CECED3DCD3A64D6407B89DCFDE4D03CD27BB31495 - -Count = 1056 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0A938A117EC02C6DB1B893BEED64DAAAF814B14BFA5D3DB7BB8150A7AFD - -Count = 1057 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = -CT = 
89A6BC509C2FA199469F92E4F44EC9AC0CA94C5180BDC12B6507F2C011AE842519A073B121A07F9C85D86B7E5E1B621C - -Count = 1058 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00 -CT = CBF1A8AF0311E992A7410E6238D36508C58C922755D7212BFDA05BB783FDAD544063DDB220006783AE86E7550D1D6C60 - -Count = 1059 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001 -CT = E54B761E4A8F0D1D94D92F149BCCA21A72CB58D4D3D60D43B485D0EA358451589FA4C15860BCAAC29D71DC55063E8D54 - -Count = 1060 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102 -CT = 8073F50326B592E5922BAD631EE5A3E34BEC391060F3DD81FEF3F7A46CE5D9F0F630235D028C510D0CD8D785A9748CF9 - -Count = 1061 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203 -CT = 9F3F6002F89F5CA2B48DF5300D06E4E1069FC91269F26A9DD88D4CA26820C3967DA37EAC13B5A4EDF635C8F3FFD39DC4 - -Count = 1062 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304 -CT = 1D07AA1D70FD65735A2CD02305D94CE8DAAF5563A1C47E75DD160233341A5A70579BB463AC6B12BEE2E8C870C6373B6C - -Count = 1063 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405 -CT = F5941EF434BCE8E38E63F5FD9C29D5B730D3CA98871DD2DEA520B5C2133B5BBF6BE399C7FCE31D4B67F01A9A9D1C975D - -Count = 1064 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 
00010203040506 -CT = 3E59844D00E1B3B13E8E65DB34669B94308E9348DB97F1510CAB90A0B786787517167BD05D87984B6508725A5E729FDC - -Count = 1065 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304050607 -CT = 15D3A591835795973858CFFDF307BC173845710A46C616C035AF849E9DB51FCADD4CFA88485F3932286CE428AAD0BC7C - -Count = 1066 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708 -CT = 39A67BEA2BD6620D0D466558161273B700F893252B55ACC198EA33B275D64BA1EE7E1BBFFC73291EB646FC02FBB0F625 - -Count = 1067 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506070809 -CT = 495F89651B3460E65F003BA766C5845FC02E3B629FCF8680D3CBBB0070990A49AB45EA92A6663204D9A42D02D9ED2F5C - -Count = 1068 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A -CT = 84355B90FCA6CC96DB82A967919F4A90C3BA382DB3074CE42C47C87E4F6595E372E2D628EB160E612D2DACCB50CA2764 - -Count = 1069 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B -CT = BE57E3035F3121F1071DA155CFEDEDE8D7741A583C5C9498159B4F1D24323E6E598BA32C3CDDD0B46B4A46CA4EFFE7E3 - -Count = 1070 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C -CT = F2E67F043069273262C42D9522322AA4317E00D113636EDBB6B780FF7FD3E8C43EAC44997404DBD80AD4EDDB96C3A1B4 - -Count = 1071 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D -CT = 26BD543E0ED9A9C7D06C11353B9969108BE56AFF6C3C5C1EF538527D059422E03204F80949392C6D0D0203637FDBAE45 - -Count = 1072 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E -CT = ACC9DFB104957F6F5B61F44EE0C8699E2FF5B6F4B2B6CB443B0303B293A71875E7558BCEED9C4361E53F8BACE7A3B8B0 - -Count = 1073 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F -CT = B5604DCF9517E3384C47714B3700BB7F3D40E66DF97FE1D99AFED0934E152CA74713E91D184E479F6E425C8C6EE0A2A8 - -Count = 1074 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = A3DCE6A36D4245193B10BD96D968374512010AD1717DBA7BB034CBC50291AFF342F8384B0654DDCB7EC36E0A71E3ADB2 - -Count = 1075 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = A3716FAF5CE05AE0DB7A87E3F093413F05F928417666A5CFE8688CD94E77C19A81DF8DF304EC4824B63E9067F50C99DE - -Count = 1076 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = A8844FEE475A9B10ACE25F7D497196D90757C10106EA2DBADCE866755C27C75B1A7094D2D210035B7D7A5CF32BBE6E3A - -Count = 1077 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 
000102030405060708090A0B0C0D0E0F10111213 -CT = ECBB638503C559753693A570DD6E971DCAB927BE34A1452587E96B79A09A55BADFC073A7E8D46A55AE45EEBA6FB9EB30 - -Count = 1078 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 502CE5C9F6B61A277324D953B68B262E37AB733ACAFC5961E77102EB9F633FA6BFCFDB404B5F61D851C61EAFFC659780 - -Count = 1079 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = A85B710074776A79954E9305A94EFA7ED2E4E7967443E8FB8C1B6E6B99A17C54AD522C7B09D8A0FD2F4F5C233B33A4B7 - -Count = 1080 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 64A76E093101B4145E1F1C953633EB133E945B1DE753239743A62627CF4CAD181CFB80A0149DC9A4E5EFA4976B390F71 - -Count = 1081 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9F092EE04EA80A598D87EE1D359A5DB71A35BC351D69F73F6B8587F1A2D0E86D2617D1F3B17EF10A096A3FFB7C3D161F - -Count = 1082 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 7CE77BF23E72AD3CB7F3C0D12D82CDC9E5BBB145A3EABB67DEEE93A76B5D0C668A59DC41917DD1D9427F2CECC73AA527 - -Count = 1083 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 
-CT = AE5C18C2DAC4C66356197960539B94705DF1A740D249CBD28C24D4B7AC0579620578E900A9A7D489F6D37FBD3F9B3811 - -Count = 1084 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 58670DED3A0718839B4B0C602EFFAC3E885C11546449B80B2532C04174A16959F85ECE5C0B2D4386C45F51A49A8CEAC9 - -Count = 1085 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 8E3359569770A9A49DCF7ACAF4E2E950AE67B59982F11BD94230A529940DACC07249D049E3A8AA32949C719A06379D7E - -Count = 1086 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CBA5AC3E706C38CCB7F9D3C15D40BE09393D3773241449D435D41B5D7E8972C4ADA6708ED83BCFD3C856F87A0900783E - -Count = 1087 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 3A47EF6DC17B5364E30F0AC65F7B45F03C429302E27597B1CAC14A36AEA4B1B0CA5D3AEA0875CD3184C7681AAE6AE531 - -Count = 1088 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 91995B95E221DDAC69161C9DD17293349C5739663B0F193111A58CECED3DCDF780D0ADDE739814BBEC0D9498824E6725 - -Count = 1089 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B0C0D0E0F -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 64BCEF8DAE0A00AB494C06752052D3D91AF0A938A117EC02C6DB1B893BEED6441FA8D67F5C20E9B50D6B7FEB1D07C91A - diff --git a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/aead-common.c b/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/aead-common.h b/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/api.h b/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/api.h
deleted file mode 100644
index b2f8a36..0000000
--- a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/encrypt.c b/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/encrypt.c
deleted file mode 100644
index 444a0c6..0000000
--- a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "romulus.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return romulus_n1_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return romulus_n1_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-skinny128.c
deleted file mode 100644
index 579ced1..0000000
--- a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-skinny128.c
+++ /dev/null
@@ -1,801 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-skinny128.h"
-#include "internal-skinnyutil.h"
-#include "internal-util.h"
-#include
-
-#if !defined(__AVR__)
-
-STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
-{
- /* This function is used to fast-forward the TK1 tweak value
- * to the value at the end of the key schedule for decryption.
- *
- * The tweak permutation repeats every 16 rounds, so SKINNY-128-256
- * with 48 rounds does not need any fast forwarding applied.
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds
- * are equivalent to applying the permutation 8 times:
- *
- * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12]
- */
- uint32_t row0 = tk[0];
- uint32_t row1 = tk[1];
- uint32_t row2 = tk[2];
- uint32_t row3 = tk[3];
- tk[0] = ((row1 >> 8) & 0x0000FFFFU) |
- ((row0 >> 8) & 0x00FF0000U) |
- ((row0 << 8) & 0xFF000000U);
- tk[1] = ((row1 >> 24) & 0x000000FFU) |
- ((row0 << 8) & 0x00FFFF00U) |
- ((row1 << 24) & 0xFF000000U);
- tk[2] = ((row3 >> 8) & 0x0000FFFFU) |
- ((row2 >> 8) & 0x00FF0000U) |
- ((row2 << 8) & 0xFF000000U);
- tk[3] = ((row3 >> 24) & 0x000000FFU) |
- ((row2 << 8) & 0x00FFFF00U) |
- ((row3 << 24) & 0xFF000000U);
-}
-
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
- memcpy(ks->TK3, key + 32, sizeof(ks->TK3));
-#else
- /* Set the initial states of TK1, TK2, and TK3 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Set up the key schedule using TK2 and TK3. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4);
-
- /* Permute TK2 and TK3 for the next round */
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
-
- /* Apply the LFSR's to TK2 and TK3 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-#endif
-}
-
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0x15;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Permute TK1 to fast-forward it to the end of the key schedule */
- skinny128_fast_forward_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_fast_forward_tk(TK2);
- skinny128_fast_forward_tk(TK3);
- for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2 and TK3.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- skinny128_LFSR3(TK3[2]);
- skinny128_LFSR3(TK3[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_inv_permute_tk(TK3);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
- skinny128_LFSR2(TK3[2]);
- skinny128_LFSR2(TK3[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
- TK2[0] = le_load_word32(tk2);
- TK2[1] = le_load_word32(tk2 + 4);
- TK2[2] = le_load_word32(tk2 + 8);
- TK2[3] = le_load_word32(tk2 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0] ^ TK2[0];
- s1 ^= schedule[1] ^ TK1[1] ^ TK2[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK3);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t temp;
- unsigned round;
- uint8_t rc = 0;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakey */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1, TK2, and TK3 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
-#else
- /* Set the initial states of TK1 and TK2 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Set up the key schedule using TK2. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ (rc >> 4);
-
- /* Permute TK2 for the next round */
- skinny128_permute_tk(TK2);
-
- /* Apply the LFSR to TK2 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-#endif
-}
-
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0x09;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1.
- * There is no need to fast-forward TK1 because the value at
- * the end of the key schedule is the same as at the start */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2.
- skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR2(TK2[2]); - skinny128_LFSR2(TK2[3]); - } -#endif - - /* Perform all decryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Inverse permutation on TK1 for this round */ - skinny128_inv_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_inv_permute_tk(TK2); - skinny128_LFSR3(TK2[2]); - skinny128_LFSR3(TK2[3]); -#endif - - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; - schedule -= 2; -#endif - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] 
= le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -#else /* __AVR__ */ - -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2) -{ - memcpy(ks->TK2, tk2, 16); - skinny_128_384_encrypt(ks, output, input); -} - -#endif /* __AVR__ */ diff --git a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-skinny128.h deleted file mode 100644 index 2bfda3c..0000000 --- a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-skinny128.h +++ /dev/null 
@@ -1,244 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SKINNY128_H -#define LW_INTERNAL_SKINNY128_H - -/** - * \file internal-skinny128.h - * \brief SKINNY-128 block cipher family. - * - * References: https://eprint.iacr.org/2016/660.pdf, - * https://sites.google.com/site/skinnycipher/ - */ - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \def SKINNY_128_SMALL_SCHEDULE - * \brief Defined to 1 to use the small key schedule version of SKINNY-128. - */ -#if defined(__AVR__) -#define SKINNY_128_SMALL_SCHEDULE 1 -#else -#define SKINNY_128_SMALL_SCHEDULE 0 -#endif - -/** - * \brief Size of a block for SKINNY-128 block ciphers. - */ -#define SKINNY_128_BLOCK_SIZE 16 - -/** - * \brief Number of rounds for SKINNY-128-384. 
- */ -#define SKINNY_128_384_ROUNDS 56 - -/** - * \brief Structure of the key schedule for SKINNY-128-384. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; - - /** TK3 for the small key schedule */ - uint8_t TK3[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_384_ROUNDS * 2]; -#endif - -} skinny_128_384_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - */ -void skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_decrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly - * provided TK2 value. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. 
- * \param input Input buffer which must be at least 16 bytes in length. - * \param tk2 TK2 value that should be updated on the fly. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when both TK1 and TK2 change from block to block. - * When the key is initialized with skinny_128_384_init(), the TK2 part of - * the key value should be set to zero. - * - * \note Some versions of this function may modify the key schedule to - * copy tk2 into place. - */ -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and a - * fully specified tweakey value. - * - * \param key Points to the 384-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-384 but - * more memory-efficient. - */ -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input); - -/** - * \brief Number of rounds for SKINNY-128-256. - */ -#define SKINNY_128_256_ROUNDS 48 - -/** - * \brief Structure of the key schedule for SKINNY-128-256. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_256_ROUNDS * 2]; -#endif - -} skinny_128_256_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to initialize. 
- * \param key Points to the key data. - */ -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256 and a - * fully specified tweakey value. - * - * \param key Points to the 256-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-256 but - * more memory-efficient. - */ -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input); - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-skinnyutil.h deleted file mode 100644 index 83136cb..0000000 --- a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-skinnyutil.h +++ /dev/null 
@@ -1,328 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SKINNYUTIL_H -#define LW_INTERNAL_SKINNYUTIL_H - -/** - * \file internal-skinnyutil.h - * \brief Utilities to help implement SKINNY and its variants. 
- */ - -#include "internal-util.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/** @cond skinnyutil */ - -/* Utilities for implementing SKINNY-128 */ - -#define skinny128_LFSR2(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ - (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ - } while (0) - - -#define skinny128_LFSR3(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ - (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) -#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) - -#define skinny128_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint32_t row2 = tk[2]; \ - uint32_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 16) | (row3 >> 16); \ - tk[0] = ((row2 >> 8) & 0x000000FFU) | \ - ((row2 << 16) & 0x00FF0000U) | \ - ( row3 & 0xFF00FF00U); \ - tk[1] = ((row2 >> 16) & 0x000000FFU) | \ - (row2 & 0xFF000000U) | \ - ((row3 << 8) & 0x0000FF00U) | \ - ( row3 & 0x00FF0000U); \ - } while (0) - -#define skinny128_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint32_t row0 = tk[0]; \ - uint32_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 >> 16) & 0x000000FFU) | \ - ((row0 << 8) & 0x0000FF00U) | \ - ((row1 << 16) & 0x00FF0000U) | \ - ( row1 & 0xFF000000U); \ - tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ - ((row0 << 16) & 0xFF000000U) | \ - ((row1 >> 16) & 0x000000FFU) | \ - ((row1 << 8) & 0x00FF0000U); \ - } while (0) - -/* - * Apply the SKINNY sbox. 
The original version from the specification is - * equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE(x) - * ((((x) & 0x01010101U) << 2) | - * (((x) & 0x06060606U) << 5) | - * (((x) & 0x20202020U) >> 5) | - * (((x) & 0xC8C8C8C8U) >> 2) | - * (((x) & 0x10101010U) >> 1)) - * - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * return SBOX_SWAP(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ - y = (((x >> 5) & (x << 1)) & 0x04040404U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ - x = ((x & 0x08080808U) << 1) | \ - ((x & 0x32323232U) << 2) | \ - ((x & 0x01010101U) << 5) | \ - ((x & 0x80808080U) >> 6) | \ - ((x & 0x40404040U) >> 4) | \ - ((x & 0x04040404U) >> 2); \ -} while (0) - -/* - * Apply the inverse of the SKINNY sbox. 
The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE_INV(x) - * ((((x) & 0x08080808U) << 1) | - * (((x) & 0x32323232U) << 2) | - * (((x) & 0x01010101U) << 5) | - * (((x) & 0xC0C0C0C0U) >> 5) | - * (((x) & 0x04040404U) >> 2)) - * - * x = SBOX_SWAP(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_inv_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ - x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ - y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ - x = ((x & 0x01010101U) << 2) | \ - ((x & 0x04040404U) << 4) | \ - ((x & 0x02020202U) << 6) | \ - ((x & 0x20202020U) >> 5) | \ - ((x & 0xC8C8C8C8U) >> 2) | \ - ((x & 0x10101010U) >> 1); \ -} while (0) - -/* Utilities for implementing SKINNY-64 */ - -#define skinny64_LFSR2(x) \ - do { \ - uint16_t _x = (x); \ - (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ - } while (0) - -#define skinny64_LFSR3(x) \ - do { \ - uint16_t _x = (x); 
\ - (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) -#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) - -#define skinny64_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint16_t row2 = tk[2]; \ - uint16_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 8) | (row3 >> 8); \ - tk[0] = ((row2 << 4) & 0xF000U) | \ - ((row2 >> 8) & 0x00F0U) | \ - ( row3 & 0x0F0FU); \ - tk[1] = ((row2 << 8) & 0xF000U) | \ - ((row3 >> 4) & 0x0F00U) | \ - ( row3 & 0x00F0U) | \ - ( row2 & 0x000FU); \ - } while (0) - -#define skinny64_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint16_t row0 = tk[0]; \ - uint16_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 << 8) & 0xF000U) | \ - ((row0 >> 4) & 0x0F00U) | \ - ((row1 >> 8) & 0x00F0U) | \ - ( row1 & 0x000FU); \ - tk[3] = ((row1 << 8) & 0xF000U) | \ - ((row0 << 8) & 0x0F00U) | \ - ((row1 >> 4) & 0x00F0U) | \ - ((row0 >> 8) & 0x000FU); \ - } while (0) - -/* - * Apply the SKINNY-64 sbox. The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT(x) - * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_SHIFT steps to be performed with one final rotation. - * This reduces the number of required shift operations from 14 to 10. 
- * - * We can further reduce the number of NOT operations from 4 to 2 - * using the technique from https://github.com/kste/skinny_avx to - * convert NOR-XOR operations into AND-XOR operations by converting - * the S-box into its NOT-inverse. - */ -#define skinny64_sbox(x) \ -do { \ - x = ~x; \ - x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ - x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ - x = ~x; \ - x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ -} while (0) - -/* - * Apply the inverse of the SKINNY-64 sbox. The original version - * from the specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT_INV(x) - * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * return SBOX_MIX(x); - */ -#define skinny64_inv_sbox(x) \ -do { \ - x = ~x; \ - x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ - x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ - x = ~x; \ - x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ -} while (0) - -/** @endcond */ - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-util.h b/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/romulus.c b/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/romulus.c deleted file mode 100644 index bb19cc5..0000000 --- a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/romulus.c +++ /dev/null 
@@ -1,1974 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "romulus.h" -#include "internal-skinny128.h" -#include "internal-util.h" -#include - -aead_cipher_t const romulus_n1_cipher = { - "Romulus-N1", - ROMULUS_KEY_SIZE, - ROMULUS1_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_n1_aead_encrypt, - romulus_n1_aead_decrypt -}; - -aead_cipher_t const romulus_n2_cipher = { - "Romulus-N2", - ROMULUS_KEY_SIZE, - ROMULUS2_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_n2_aead_encrypt, - romulus_n2_aead_decrypt -}; - -aead_cipher_t const romulus_n3_cipher = { - "Romulus-N3", - ROMULUS_KEY_SIZE, - ROMULUS3_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_n3_aead_encrypt, - romulus_n3_aead_decrypt -}; - -aead_cipher_t const romulus_m1_cipher = { - "Romulus-M1", - ROMULUS_KEY_SIZE, - ROMULUS1_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_m1_aead_encrypt, - romulus_m1_aead_decrypt -}; - -aead_cipher_t const romulus_m2_cipher = { - "Romulus-M2", - ROMULUS_KEY_SIZE, - ROMULUS2_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_m2_aead_encrypt, - romulus_m2_aead_decrypt -}; - -aead_cipher_t const romulus_m3_cipher = { - "Romulus-M3", - ROMULUS_KEY_SIZE, - ROMULUS3_NONCE_SIZE, - ROMULUS_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - romulus_m3_aead_encrypt, - romulus_m3_aead_decrypt -}; - -/** - * \brief Limit on the number of bytes of message or associated data (128Mb). - * - * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for - * payloads well into the petabyte range. It is unlikely that an embedded - * device will have that much memory to store a contiguous packet! - * - * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper - * 24 bits are difficult to modify in the key schedule. So we only - * update the low 24 bits and leave the high 24 bits fixed. - * - * Romulus-N3 and Romulus-M3 use a 24-bit block counter. 
- * - * For all algorithms, we limit the block counter to 2^23 so that the block - * counter can never exceed 2^24 - 1. - */ -#define ROMULUS_DATA_LIMIT \ - ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE)) - -/** - * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1. - * - * \param ks Points to the key schedule to initialize. - * \param k Points to the 16 bytes of the key. - * \param npub Points to the 16 bytes of the nonce. May be NULL - * if the nonce will be updated on the fly. - */ -static void romulus1_init - (skinny_128_384_key_schedule_t *ks, - const unsigned char *k, const unsigned char *npub) -{ - unsigned char TK[48]; - TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */ - memset(TK + 1, 0, 15); - if (npub) - memcpy(TK + 16, npub, 16); - else - memset(TK + 16, 0, 16); - memcpy(TK + 32, k, 16); - skinny_128_384_init(ks, TK); -} - -/** - * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2. - * - * \param ks Points to the key schedule to initialize. - * \param k Points to the 16 bytes of the key. - * \param npub Points to the 12 bytes of the nonce. May be NULL - * if the nonce will be updated on the fly. - */ -static void romulus2_init - (skinny_128_384_key_schedule_t *ks, - const unsigned char *k, const unsigned char *npub) -{ - unsigned char TK[48]; - TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ - if (npub) { - TK[1] = TK[2] = TK[3] = 0; - memcpy(TK + 4, npub, 12); - } else { - memset(TK + 1, 0, 15); - } - memcpy(TK + 16, k, 16); - TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ - memset(TK + 33, 0, 15); - skinny_128_384_init(ks, TK); -} - -/** - * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3. - * - * \param ks Points to the key schedule to initialize. - * \param k Points to the 16 bytes of the key. - * \param npub Points to the 12 bytes of the nonce. May be NULL - * if the nonce will be updated on the fly. 
- */ -static void romulus3_init - (skinny_128_256_key_schedule_t *ks, - const unsigned char *k, const unsigned char *npub) -{ - unsigned char TK[32]; - TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */ - if (npub) { - TK[1] = TK[2] = TK[3] = 0; - memcpy(TK + 4, npub, 12); - } else { - memset(TK + 1, 0, 15); - } - memcpy(TK + 16, k, 16); - skinny_128_256_init(ks, TK); -} - -/** - * \brief Sets the domain separation value for Romulus-N1 and M1. - * - * \param ks The key schedule to set the domain separation value into. - * \param domain The domain separation value. - */ -#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain)) - -/** - * \brief Sets the domain separation value for Romulus-N2 and M2. - * - * \param ks The key schedule to set the domain separation value into. - * \param domain The domain separation value. - */ -#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) - -/** - * \brief Sets the domain separation value for Romulus-N3 and M3. - * - * \param ks The key schedule to set the domain separation value into. - * \param domain The domain separation value. - */ -#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain)) - -/** - * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1. - * - * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. - */ -STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16]) -{ - uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7); - TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7); - TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7); - TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7); - TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7); - TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); - TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); - TK1[0] = (TK1[0] << 1) ^ (mask & 0x95); -} - -/** - * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2. - * - * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. 
- * - * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of - * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT. - */ -STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16]) -{ - uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7); - TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7); - TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7); - TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B); -} - -/** - * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3. - * - * \param TK1 Points to the TK1 part of the key schedule containing the LFSR. - */ -#define romulus3_update_counter(TK1) romulus2_update_counter((TK1)) - -/** - * \brief Process the asssociated data for Romulus-N1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - */ -static void romulus_n1_process_ad - (skinny_128_384_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char temp; - - /* Handle the special case of no associated data */ - if (adlen == 0) { - romulus1_update_counter(ks->TK1); - romulus1_set_domain(ks, 0x1A); - skinny_128_384_encrypt_tk2(ks, S, S, npub); - return; - } - - /* Process all double blocks except the last */ - romulus1_set_domain(ks, 0x08); - while (adlen > 32) { - romulus1_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); - romulus1_update_counter(ks->TK1); - ad += 32; - adlen -= 32; - } - - /* Pad and process the left-over blocks */ - romulus1_update_counter(ks->TK1); - temp = (unsigned)adlen; - if (temp == 32) { - /* Left-over complete double block */ - lw_xor_block(S, ad, 16); - skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); - romulus1_update_counter(ks->TK1); - romulus1_set_domain(ks, 0x18); - } else if (temp > 16) { - /* Left-over partial double 
block */ - unsigned char pad[16]; - temp -= 16; - lw_xor_block(S, ad, 16); - memcpy(pad, ad + 16, temp); - memset(pad + temp, 0, 15 - temp); - pad[15] = temp; - skinny_128_384_encrypt_tk2(ks, S, S, pad); - romulus1_update_counter(ks->TK1); - romulus1_set_domain(ks, 0x1A); - } else if (temp == 16) { - /* Left-over complete single block */ - lw_xor_block(S, ad, temp); - romulus1_set_domain(ks, 0x18); - } else { - /* Left-over partial single block */ - lw_xor_block(S, ad, temp); - S[15] ^= temp; - romulus1_set_domain(ks, 0x1A); - } - skinny_128_384_encrypt_tk2(ks, S, S, npub); -} - -/** - * \brief Process the asssociated data for Romulus-N2. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - */ -static void romulus_n2_process_ad - (skinny_128_384_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char temp; - - /* Handle the special case of no associated data */ - if (adlen == 0) { - romulus2_update_counter(ks->TK1); - romulus2_set_domain(ks, 0x5A); - memcpy(ks->TK1 + 4, npub, 12); - skinny_128_384_encrypt(ks, S, S); - return; - } - - /* Process all double blocks except the last */ - romulus2_set_domain(ks, 0x48); - while (adlen > 28) { - romulus2_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - ad += 28; - adlen -= 28; - } - - /* Pad and process the left-over blocks */ - romulus2_update_counter(ks->TK1); - temp = (unsigned)adlen; - if (temp == 28) { - /* Left-over complete double block */ - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - romulus2_set_domain(ks, 0x58); - } else if (temp > 16) { - /* Left-over 
partial double block */ - temp -= 16; - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp); - ks->TK1[15] = temp; - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - romulus2_set_domain(ks, 0x5A); - } else if (temp == 16) { - /* Left-over complete single block */ - lw_xor_block(S, ad, temp); - romulus2_set_domain(ks, 0x58); - } else { - /* Left-over partial single block */ - lw_xor_block(S, ad, temp); - S[15] ^= temp; - romulus2_set_domain(ks, 0x5A); - } - memcpy(ks->TK1 + 4, npub, 12); - skinny_128_384_encrypt(ks, S, S); -} - -/** - * \brief Process the asssociated data for Romulus-N3. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - */ -static void romulus_n3_process_ad - (skinny_128_256_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char temp; - - /* Handle the special case of no associated data */ - if (adlen == 0) { - romulus3_update_counter(ks->TK1); - romulus3_set_domain(ks, 0x9A); - memcpy(ks->TK1 + 4, npub, 12); - skinny_128_256_encrypt(ks, S, S); - return; - } - - /* Process all double blocks except the last */ - romulus3_set_domain(ks, 0x88); - while (adlen > 28) { - romulus3_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - ad += 28; - adlen -= 28; - } - - /* Pad and process the left-over blocks */ - romulus3_update_counter(ks->TK1); - temp = (unsigned)adlen; - if (temp == 28) { - /* Left-over complete double block */ - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - romulus3_set_domain(ks, 0x98); - } else if (temp > 
16) { - /* Left-over partial double block */ - temp -= 16; - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp); - ks->TK1[15] = temp; - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - romulus3_set_domain(ks, 0x9A); - } else if (temp == 16) { - /* Left-over complete single block */ - lw_xor_block(S, ad, temp); - romulus3_set_domain(ks, 0x98); - } else { - /* Left-over partial single block */ - lw_xor_block(S, ad, temp); - S[15] ^= temp; - romulus3_set_domain(ks, 0x9A); - } - memcpy(ks->TK1 + 4, npub, 12); - skinny_128_256_encrypt(ks, S, S); -} - -/** - * \brief Determine the domain separation value to use on the last - * block of the associated data processing. - * - * \param adlen Length of the associated data in bytes. - * \param mlen Length of the message in bytes. - * \param t Size of the second half of a double block; 12 or 16. - * - * \return The domain separation bits to use to finalize the last block. - */ -static uint8_t romulus_m_final_ad_domain - (unsigned long long adlen, unsigned long long mlen, unsigned t) -{ - uint8_t domain = 0; - unsigned split = 16U; - unsigned leftover; - - /* Determine which domain bits we need based on the length of the ad */ - if (adlen == 0) { - /* No associated data, so only 1 block with padding */ - domain ^= 0x02; - split = t; - } else { - /* Even or odd associated data length? 
*/ - leftover = (unsigned)(adlen % (16U + t)); - if (leftover == 0) { - /* Even with a full double block at the end */ - domain ^= 0x08; - } else if (leftover < split) { - /* Odd with a partial single block at the end */ - domain ^= 0x02; - split = t; - } else if (leftover > split) { - /* Even with a partial double block at the end */ - domain ^= 0x0A; - } else { - /* Odd with a full single block at the end */ - split = t; - } - } - - /* Determine which domain bits we need based on the length of the message */ - if (mlen == 0) { - /* No message, so only 1 block with padding */ - domain ^= 0x01; - } else { - /* Even or odd message length? */ - leftover = (unsigned)(mlen % (16U + t)); - if (leftover == 0) { - /* Even with a full double block at the end */ - domain ^= 0x04; - } else if (leftover < split) { - /* Odd with a partial single block at the end */ - domain ^= 0x01; - } else if (leftover > split) { - /* Even with a partial double block at the end */ - domain ^= 0x05; - } - } - return domain; -} - -/** - * \brief Process the asssociated data for Romulus-M1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - * \param m Points to the message plaintext. - * \param mlen Length of the message plaintext. 
- */ -static void romulus_m1_process_ad - (skinny_128_384_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *m, unsigned long long mlen) -{ - unsigned char pad[16]; - uint8_t final_domain = 0x30; - unsigned temp; - - /* Determine the domain separator to use on the final block */ - final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16); - - /* Process all associated data double blocks except the last */ - romulus1_set_domain(ks, 0x28); - while (adlen > 32) { - romulus1_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); - romulus1_update_counter(ks->TK1); - ad += 32; - adlen -= 32; - } - - /* Process the last associated data double block */ - temp = (unsigned)adlen; - if (temp == 32) { - /* Last associated data double block is full */ - romulus1_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - skinny_128_384_encrypt_tk2(ks, S, S, ad + 16); - romulus1_update_counter(ks->TK1); - } else if (temp > 16) { - /* Last associated data double block is partial */ - temp -= 16; - romulus1_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(pad, ad + 16, temp); - memset(pad + temp, 0, sizeof(pad) - temp - 1); - pad[sizeof(pad) - 1] = (unsigned char)temp; - skinny_128_384_encrypt_tk2(ks, S, S, pad); - romulus1_update_counter(ks->TK1); - } else { - /* Last associated data block is single. 
Needs to be combined - * with the first block of the message payload */ - romulus1_set_domain(ks, 0x2C); - romulus1_update_counter(ks->TK1); - if (temp == 16) { - lw_xor_block(S, ad, 16); - } else { - lw_xor_block(S, ad, temp); - S[15] ^= (unsigned char)temp; - } - if (mlen > 16) { - skinny_128_384_encrypt_tk2(ks, S, S, m); - romulus1_update_counter(ks->TK1); - m += 16; - mlen -= 16; - } else if (mlen == 16) { - skinny_128_384_encrypt_tk2(ks, S, S, m); - m += 16; - mlen -= 16; - } else { - temp = (unsigned)mlen; - memcpy(pad, m, temp); - memset(pad + temp, 0, sizeof(pad) - temp - 1); - pad[sizeof(pad) - 1] = (unsigned char)temp; - skinny_128_384_encrypt_tk2(ks, S, S, pad); - mlen = 0; - } - } - - /* Process all message double blocks except the last */ - romulus1_set_domain(ks, 0x2C); - while (mlen > 32) { - romulus1_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - skinny_128_384_encrypt_tk2(ks, S, S, m + 16); - romulus1_update_counter(ks->TK1); - m += 32; - mlen -= 32; - } - - /* Process the last message double block */ - temp = (unsigned)mlen; - if (temp == 32) { - /* Last message double block is full */ - romulus1_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - skinny_128_384_encrypt_tk2(ks, S, S, m + 16); - } else if (temp > 16) { - /* Last message double block is partial */ - temp -= 16; - romulus1_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(pad, m + 16, temp); - memset(pad + temp, 0, sizeof(pad) - temp - 1); - pad[sizeof(pad) - 1] = (unsigned char)temp; - skinny_128_384_encrypt_tk2(ks, S, S, pad); - } else if (temp == 16) { - /* Last message single block is full */ - lw_xor_block(S, m, 16); - } else if (temp > 0) { - /* Last message single block is partial */ - lw_xor_block(S, m, temp); - S[15] ^= (unsigned char)temp; - } - - /* Process the last partial block */ - romulus1_set_domain(ks, final_domain); - romulus1_update_counter(ks->TK1); - skinny_128_384_encrypt_tk2(ks, S, S, npub); -} - -/** - * \brief Process the asssociated data for 
Romulus-M2. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - * \param m Points to the message plaintext. - * \param mlen Length of the message plaintext. - */ -static void romulus_m2_process_ad - (skinny_128_384_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *m, unsigned long long mlen) -{ - uint8_t final_domain = 0x70; - unsigned temp; - - /* Determine the domain separator to use on the final block */ - final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); - - /* Process all associated data double blocks except the last */ - romulus2_set_domain(ks, 0x68); - while (adlen > 28) { - romulus2_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - ad += 28; - adlen -= 28; - } - - /* Process the last associated data double block */ - temp = (unsigned)adlen; - if (temp == 28) { - /* Last associated data double block is full */ - romulus2_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - } else if (temp > 16) { - /* Last associated data double block is partial */ - temp -= 16; - romulus2_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); - ks->TK1[15] = (unsigned char)temp; - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - } else { - /* Last associated data block is single. 
Needs to be combined - * with the first block of the message payload */ - romulus2_set_domain(ks, 0x6C); - romulus2_update_counter(ks->TK1); - if (temp == 16) { - lw_xor_block(S, ad, 16); - } else { - lw_xor_block(S, ad, temp); - S[15] ^= (unsigned char)temp; - } - if (mlen > 12) { - memcpy(ks->TK1 + 4, m, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - m += 12; - mlen -= 12; - } else if (mlen == 12) { - memcpy(ks->TK1 + 4, m, 12); - skinny_128_384_encrypt(ks, S, S); - m += 12; - mlen -= 12; - } else { - temp = (unsigned)mlen; - memcpy(ks->TK1 + 4, m, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); - ks->TK1[15] = (unsigned char)temp; - skinny_128_384_encrypt(ks, S, S); - mlen = 0; - } - } - - /* Process all message double blocks except the last */ - romulus2_set_domain(ks, 0x6C); - while (mlen > 28) { - romulus2_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(ks->TK1 + 4, m + 16, 12); - skinny_128_384_encrypt(ks, S, S); - romulus2_update_counter(ks->TK1); - m += 28; - mlen -= 28; - } - - /* Process the last message double block */ - temp = (unsigned)mlen; - if (temp == 28) { - /* Last message double block is full */ - romulus2_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(ks->TK1 + 4, m + 16, 12); - skinny_128_384_encrypt(ks, S, S); - } else if (temp > 16) { - /* Last message double block is partial */ - temp -= 16; - romulus2_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(ks->TK1 + 4, m + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); - ks->TK1[15] = (unsigned char)temp; - skinny_128_384_encrypt(ks, S, S); - } else if (temp == 16) { - /* Last message single block is full */ - lw_xor_block(S, m, 16); - } else if (temp > 0) { - /* Last message single block is partial */ - lw_xor_block(S, m, temp); - S[15] ^= (unsigned char)temp; - } - - /* Process the last partial block */ - romulus2_set_domain(ks, final_domain); - romulus2_update_counter(ks->TK1); - memcpy(ks->TK1 + 4, npub, 
12); - skinny_128_384_encrypt(ks, S, S); -} - -/** - * \brief Process the asssociated data for Romulus-M3. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param npub Points to the nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - * \param m Points to the message plaintext. - * \param mlen Length of the message plaintext. - */ -static void romulus_m3_process_ad - (skinny_128_256_key_schedule_t *ks, - unsigned char S[16], const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *m, unsigned long long mlen) -{ - uint8_t final_domain = 0xB0; - unsigned temp; - - /* Determine the domain separator to use on the final block */ - final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12); - - /* Process all associated data double blocks except the last */ - romulus3_set_domain(ks, 0xA8); - while (adlen > 28) { - romulus3_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - ad += 28; - adlen -= 28; - } - - /* Process the last associated data double block */ - temp = (unsigned)adlen; - if (temp == 28) { - /* Last associated data double block is full */ - romulus3_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - } else if (temp > 16) { - /* Last associated data double block is partial */ - temp -= 16; - romulus3_update_counter(ks->TK1); - lw_xor_block(S, ad, 16); - memcpy(ks->TK1 + 4, ad + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); - ks->TK1[15] = (unsigned char)temp; - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - } else { - /* Last associated data block is single. 
Needs to be combined - * with the first block of the message payload */ - romulus3_set_domain(ks, 0xAC); - romulus3_update_counter(ks->TK1); - if (temp == 16) { - lw_xor_block(S, ad, 16); - } else { - lw_xor_block(S, ad, temp); - S[15] ^= (unsigned char)temp; - } - if (mlen > 12) { - memcpy(ks->TK1 + 4, m, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - m += 12; - mlen -= 12; - } else if (mlen == 12) { - memcpy(ks->TK1 + 4, m, 12); - skinny_128_256_encrypt(ks, S, S); - m += 12; - mlen -= 12; - } else { - temp = (unsigned)mlen; - memcpy(ks->TK1 + 4, m, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); - ks->TK1[15] = (unsigned char)temp; - skinny_128_256_encrypt(ks, S, S); - mlen = 0; - } - } - - /* Process all message double blocks except the last */ - romulus3_set_domain(ks, 0xAC); - while (mlen > 28) { - romulus3_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(ks->TK1 + 4, m + 16, 12); - skinny_128_256_encrypt(ks, S, S); - romulus3_update_counter(ks->TK1); - m += 28; - mlen -= 28; - } - - /* Process the last message double block */ - temp = (unsigned)mlen; - if (temp == 28) { - /* Last message double block is full */ - romulus3_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(ks->TK1 + 4, m + 16, 12); - skinny_128_256_encrypt(ks, S, S); - } else if (temp > 16) { - /* Last message double block is partial */ - temp -= 16; - romulus3_update_counter(ks->TK1); - lw_xor_block(S, m, 16); - memcpy(ks->TK1 + 4, m + 16, temp); - memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1); - ks->TK1[15] = (unsigned char)temp; - skinny_128_256_encrypt(ks, S, S); - } else if (temp == 16) { - /* Last message single block is full */ - lw_xor_block(S, m, 16); - } else if (temp > 0) { - /* Last message single block is partial */ - lw_xor_block(S, m, temp); - S[15] ^= (unsigned char)temp; - } - - /* Process the last partial block */ - romulus3_set_domain(ks, final_domain); - romulus3_update_counter(ks->TK1); - memcpy(ks->TK1 + 4, npub, 
12); - skinny_128_256_encrypt(ks, S, S); -} - -/** - * \brief Applies the Romulus rho function. - * - * \param S The rolling Romulus state. - * \param C Ciphertext message output block. - * \param M Plaintext message input block. - */ -STATIC_INLINE void romulus_rho - (unsigned char S[16], unsigned char C[16], const unsigned char M[16]) -{ - unsigned index; - for (index = 0; index < 16; ++index) { - unsigned char s = S[index]; - unsigned char m = M[index]; - S[index] ^= m; - C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); - } -} - -/** - * \brief Applies the inverse of the Romulus rho function. - * - * \param S The rolling Romulus state. - * \param M Plaintext message output block. - * \param C Ciphertext message input block. - */ -STATIC_INLINE void romulus_rho_inverse - (unsigned char S[16], unsigned char M[16], const unsigned char C[16]) -{ - unsigned index; - for (index = 0; index < 16; ++index) { - unsigned char s = S[index]; - unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); - S[index] ^= m; - M[index] = m; - } -} - -/** - * \brief Applies the Romulus rho function to a short block. - * - * \param S The rolling Romulus state. - * \param C Ciphertext message output block. - * \param M Plaintext message input block. - * \param len Length of the short block, must be less than 16. - */ -STATIC_INLINE void romulus_rho_short - (unsigned char S[16], unsigned char C[16], - const unsigned char M[16], unsigned len) -{ - unsigned index; - for (index = 0; index < len; ++index) { - unsigned char s = S[index]; - unsigned char m = M[index]; - S[index] ^= m; - C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); - } - S[15] ^= (unsigned char)len; /* Padding */ -} - -/** - * \brief Applies the inverse of the Romulus rho function to a short block. - * - * \param S The rolling Romulus state. - * \param M Plaintext message output block. - * \param C Ciphertext message input block. - * \param len Length of the short block, must be less than 16. 
- */ -STATIC_INLINE void romulus_rho_inverse_short - (unsigned char S[16], unsigned char M[16], - const unsigned char C[16], unsigned len) -{ - unsigned index; - for (index = 0; index < len; ++index) { - unsigned char s = S[index]; - unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7)); - S[index] ^= m; - M[index] = m; - } - S[15] ^= (unsigned char)len; /* Padding */ -} - -/** - * \brief Encrypts a plaintext message with Romulus-N1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the buffer containing the plaintext. - * \param mlen Length of the plaintext in bytes. - */ -static void romulus_n1_encrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *c, const unsigned char *m, unsigned long long mlen) -{ - unsigned temp; - - /* Handle the special case of no plaintext */ - if (mlen == 0) { - romulus1_update_counter(ks->TK1); - romulus1_set_domain(ks, 0x15); - skinny_128_384_encrypt(ks, S, S); - return; - } - - /* Process all blocks except the last */ - romulus1_set_domain(ks, 0x04); - while (mlen > 16) { - romulus_rho(S, c, m); - romulus1_update_counter(ks->TK1); - skinny_128_384_encrypt(ks, S, S); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - romulus1_update_counter(ks->TK1); - if (temp < 16) { - romulus_rho_short(S, c, m, temp); - romulus1_set_domain(ks, 0x15); - } else { - romulus_rho(S, c, m); - romulus1_set_domain(ks, 0x14); - } - skinny_128_384_encrypt(ks, S, S); -} - -/** - * \brief Decrypts a ciphertext message with Romulus-N1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the buffer containing the ciphertext. - * \param mlen Length of the plaintext in bytes. 
- */ -static void romulus_n1_decrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *m, const unsigned char *c, unsigned long long mlen) -{ - unsigned temp; - - /* Handle the special case of no ciphertext */ - if (mlen == 0) { - romulus1_update_counter(ks->TK1); - romulus1_set_domain(ks, 0x15); - skinny_128_384_encrypt(ks, S, S); - return; - } - - /* Process all blocks except the last */ - romulus1_set_domain(ks, 0x04); - while (mlen > 16) { - romulus_rho_inverse(S, m, c); - romulus1_update_counter(ks->TK1); - skinny_128_384_encrypt(ks, S, S); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - romulus1_update_counter(ks->TK1); - if (temp < 16) { - romulus_rho_inverse_short(S, m, c, temp); - romulus1_set_domain(ks, 0x15); - } else { - romulus_rho_inverse(S, m, c); - romulus1_set_domain(ks, 0x14); - } - skinny_128_384_encrypt(ks, S, S); -} - -/** - * \brief Encrypts a plaintext message with Romulus-N2. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the buffer containing the plaintext. - * \param mlen Length of the plaintext in bytes. 
- */ -static void romulus_n2_encrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *c, const unsigned char *m, unsigned long long mlen) -{ - unsigned temp; - - /* Handle the special case of no plaintext */ - if (mlen == 0) { - romulus2_update_counter(ks->TK1); - romulus2_set_domain(ks, 0x55); - skinny_128_384_encrypt(ks, S, S); - return; - } - - /* Process all blocks except the last */ - romulus2_set_domain(ks, 0x44); - while (mlen > 16) { - romulus_rho(S, c, m); - romulus2_update_counter(ks->TK1); - skinny_128_384_encrypt(ks, S, S); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - romulus2_update_counter(ks->TK1); - if (temp < 16) { - romulus_rho_short(S, c, m, temp); - romulus2_set_domain(ks, 0x55); - } else { - romulus_rho(S, c, m); - romulus2_set_domain(ks, 0x54); - } - skinny_128_384_encrypt(ks, S, S); -} - -/** - * \brief Decrypts a ciphertext message with Romulus-N2. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the buffer containing the ciphertext. - * \param mlen Length of the plaintext in bytes. 
- */ -static void romulus_n2_decrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *m, const unsigned char *c, unsigned long long mlen) -{ - unsigned temp; - - /* Handle the special case of no ciphertext */ - if (mlen == 0) { - romulus2_update_counter(ks->TK1); - romulus2_set_domain(ks, 0x55); - skinny_128_384_encrypt(ks, S, S); - return; - } - - /* Process all blocks except the last */ - romulus2_set_domain(ks, 0x44); - while (mlen > 16) { - romulus_rho_inverse(S, m, c); - romulus2_update_counter(ks->TK1); - skinny_128_384_encrypt(ks, S, S); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - romulus2_update_counter(ks->TK1); - if (temp < 16) { - romulus_rho_inverse_short(S, m, c, temp); - romulus2_set_domain(ks, 0x55); - } else { - romulus_rho_inverse(S, m, c); - romulus2_set_domain(ks, 0x54); - } - skinny_128_384_encrypt(ks, S, S); -} - -/** - * \brief Encrypts a plaintext message with Romulus-N3. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the buffer containing the plaintext. - * \param mlen Length of the plaintext in bytes. 
- */ -static void romulus_n3_encrypt - (skinny_128_256_key_schedule_t *ks, unsigned char S[16], - unsigned char *c, const unsigned char *m, unsigned long long mlen) -{ - unsigned temp; - - /* Handle the special case of no plaintext */ - if (mlen == 0) { - romulus3_update_counter(ks->TK1); - romulus3_set_domain(ks, 0x95); - skinny_128_256_encrypt(ks, S, S); - return; - } - - /* Process all blocks except the last */ - romulus3_set_domain(ks, 0x84); - while (mlen > 16) { - romulus_rho(S, c, m); - romulus3_update_counter(ks->TK1); - skinny_128_256_encrypt(ks, S, S); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - romulus3_update_counter(ks->TK1); - if (temp < 16) { - romulus_rho_short(S, c, m, temp); - romulus3_set_domain(ks, 0x95); - } else { - romulus_rho(S, c, m); - romulus3_set_domain(ks, 0x94); - } - skinny_128_256_encrypt(ks, S, S); -} - -/** - * \brief Decrypts a ciphertext message with Romulus-N3. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the buffer containing the ciphertext. - * \param mlen Length of the plaintext in bytes. 
- */ -static void romulus_n3_decrypt - (skinny_128_256_key_schedule_t *ks, unsigned char S[16], - unsigned char *m, const unsigned char *c, unsigned long long mlen) -{ - unsigned temp; - - /* Handle the special case of no ciphertext */ - if (mlen == 0) { - romulus3_update_counter(ks->TK1); - romulus3_set_domain(ks, 0x95); - skinny_128_256_encrypt(ks, S, S); - return; - } - - /* Process all blocks except the last */ - romulus3_set_domain(ks, 0x84); - while (mlen > 16) { - romulus_rho_inverse(S, m, c); - romulus3_update_counter(ks->TK1); - skinny_128_256_encrypt(ks, S, S); - c += 16; - m += 16; - mlen -= 16; - } - - /* Pad and process the last block */ - temp = (unsigned)mlen; - romulus3_update_counter(ks->TK1); - if (temp < 16) { - romulus_rho_inverse_short(S, m, c, temp); - romulus3_set_domain(ks, 0x95); - } else { - romulus_rho_inverse(S, m, c); - romulus3_set_domain(ks, 0x94); - } - skinny_128_256_encrypt(ks, S, S); -} - -/** - * \brief Encrypts a plaintext message with Romulus-M1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the buffer containing the plaintext. - * \param mlen Length of the plaintext in bytes. - */ -static void romulus_m1_encrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *c, const unsigned char *m, unsigned long long mlen) -{ - /* Nothing to do if the message is empty */ - if (!mlen) - return; - - /* Process all block except the last */ - romulus1_set_domain(ks, 0x24); - while (mlen > 16) { - skinny_128_384_encrypt(ks, S, S); - romulus_rho(S, c, m); - romulus1_update_counter(ks->TK1); - c += 16; - m += 16; - mlen -= 16; - } - - /* Handle the last block */ - skinny_128_384_encrypt(ks, S, S); - romulus_rho_short(S, c, m, (unsigned)mlen); -} - -/** - * \brief Decrypts a ciphertext message with Romulus-M1. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. 
- * \param m Points to the buffer to receive the plaintext. - * \param c Points to the buffer containing the ciphertext. - * \param mlen Length of the plaintext in bytes. - */ -static void romulus_m1_decrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *m, const unsigned char *c, unsigned long long mlen) -{ - /* Nothing to do if the message is empty */ - if (!mlen) - return; - - /* Process all block except the last */ - romulus1_set_domain(ks, 0x24); - while (mlen > 16) { - skinny_128_384_encrypt(ks, S, S); - romulus_rho_inverse(S, m, c); - romulus1_update_counter(ks->TK1); - c += 16; - m += 16; - mlen -= 16; - } - - /* Handle the last block */ - skinny_128_384_encrypt(ks, S, S); - romulus_rho_inverse_short(S, m, c, (unsigned)mlen); -} - -/** - * \brief Encrypts a plaintext message with Romulus-M2. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the buffer containing the plaintext. - * \param mlen Length of the plaintext in bytes. - */ -static void romulus_m2_encrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *c, const unsigned char *m, unsigned long long mlen) -{ - /* Nothing to do if the message is empty */ - if (!mlen) - return; - - /* Process all block except the last */ - romulus2_set_domain(ks, 0x64); - while (mlen > 16) { - skinny_128_384_encrypt(ks, S, S); - romulus_rho(S, c, m); - romulus2_update_counter(ks->TK1); - c += 16; - m += 16; - mlen -= 16; - } - - /* Handle the last block */ - skinny_128_384_encrypt(ks, S, S); - romulus_rho_short(S, c, m, (unsigned)mlen); -} - -/** - * \brief Decrypts a ciphertext message with Romulus-M2. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the buffer containing the ciphertext. 
- * \param mlen Length of the plaintext in bytes. - */ -static void romulus_m2_decrypt - (skinny_128_384_key_schedule_t *ks, unsigned char S[16], - unsigned char *m, const unsigned char *c, unsigned long long mlen) -{ - /* Nothing to do if the message is empty */ - if (!mlen) - return; - - /* Process all block except the last */ - romulus2_set_domain(ks, 0x64); - while (mlen > 16) { - skinny_128_384_encrypt(ks, S, S); - romulus_rho_inverse(S, m, c); - romulus2_update_counter(ks->TK1); - c += 16; - m += 16; - mlen -= 16; - } - - /* Handle the last block */ - skinny_128_384_encrypt(ks, S, S); - romulus_rho_inverse_short(S, m, c, (unsigned)mlen); -} - -/** - * \brief Encrypts a plaintext message with Romulus-M3. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the buffer containing the plaintext. - * \param mlen Length of the plaintext in bytes. - */ -static void romulus_m3_encrypt - (skinny_128_256_key_schedule_t *ks, unsigned char S[16], - unsigned char *c, const unsigned char *m, unsigned long long mlen) -{ - /* Nothing to do if the message is empty */ - if (!mlen) - return; - - /* Process all block except the last */ - romulus3_set_domain(ks, 0xA4); - while (mlen > 16) { - skinny_128_256_encrypt(ks, S, S); - romulus_rho(S, c, m); - romulus3_update_counter(ks->TK1); - c += 16; - m += 16; - mlen -= 16; - } - - /* Handle the last block */ - skinny_128_256_encrypt(ks, S, S); - romulus_rho_short(S, c, m, (unsigned)mlen); -} - -/** - * \brief Decrypts a ciphertext message with Romulus-M3. - * - * \param ks Points to the key schedule. - * \param S The rolling Romulus state. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the buffer containing the ciphertext. - * \param mlen Length of the plaintext in bytes. 
- */ -static void romulus_m3_decrypt - (skinny_128_256_key_schedule_t *ks, unsigned char S[16], - unsigned char *m, const unsigned char *c, unsigned long long mlen) -{ - /* Nothing to do if the message is empty */ - if (!mlen) - return; - - /* Process all block except the last */ - romulus3_set_domain(ks, 0xA4); - while (mlen > 16) { - skinny_128_256_encrypt(ks, S, S); - romulus_rho_inverse(S, m, c); - romulus3_update_counter(ks->TK1); - c += 16; - m += 16; - mlen -= 16; - } - - /* Handle the last block */ - skinny_128_256_encrypt(ks, S, S); - romulus_rho_inverse_short(S, m, c, (unsigned)mlen); -} - -/** - * \brief Generates the authentication tag from the rolling Romulus state. - * - * \param T Buffer to receive the generated tag; can be the same as S. - * \param S The rolling Romulus state. - */ -STATIC_INLINE void romulus_generate_tag - (unsigned char T[16], const unsigned char S[16]) -{ - unsigned index; - for (index = 0; index < 16; ++index) { - unsigned char s = S[index]; - T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7); - } -} - -int romulus_n1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus1_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_n1_process_ad(&ks, S, npub, ad, adlen); - - /* Re-initialize the key schedule with the key and nonce */ - romulus1_init(&ks, k, npub); - - /* Encrypts the plaintext to produce the ciphertext */ - romulus_n1_encrypt(&ks, S, c, m, mlen); - - /* Generate the authentication tag */ - romulus_generate_tag(c + mlen, S); - return 0; -} - -int romulus_n1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus1_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_n1_process_ad(&ks, S, npub, ad, adlen); - - /* Re-initialize the key schedule with the key and nonce */ - romulus1_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= ROMULUS_TAG_SIZE; - romulus_n1_decrypt(&ks, S, m, c, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} - -int romulus_n2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus2_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_n2_process_ad(&ks, S, npub, ad, adlen); - - /* Re-initialize the key schedule with the key and nonce */ - romulus2_init(&ks, k, npub); - - /* Encrypts the plaintext to produce the ciphertext */ - romulus_n2_encrypt(&ks, S, c, m, mlen); - - /* Generate the authentication tag */ - romulus_generate_tag(c + mlen, S); - return 0; -} - -int romulus_n2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus2_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_n2_process_ad(&ks, S, npub, ad, adlen); - - /* Re-initialize the key schedule with the key and nonce */ - romulus2_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= ROMULUS_TAG_SIZE; - romulus_n2_decrypt(&ks, S, m, c, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} - -int romulus_n3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus3_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_n3_process_ad(&ks, S, npub, ad, adlen); - - /* Re-initialize the key schedule with the key and nonce */ - romulus3_init(&ks, k, npub); - - /* Encrypts the plaintext to produce the ciphertext */ - romulus_n3_encrypt(&ks, S, c, m, mlen); - - /* Generate the authentication tag */ - romulus_generate_tag(c + mlen, S); - return 0; -} - -int romulus_n3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus3_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_n3_process_ad(&ks, S, npub, ad, adlen); - - /* Re-initialize the key schedule with the key and nonce */ - romulus3_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= ROMULUS_TAG_SIZE; - romulus_n3_decrypt(&ks, S, m, c, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} - -int romulus_m1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus1_init(&ks, k, 0); - - /* Process the associated data and the plaintext message */ - memset(S, 0, sizeof(S)); - romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen); - - /* Generate the authentication tag, which is also the initialization - * vector for the encryption portion of the packet processing */ - romulus_generate_tag(S, S); - memcpy(c + mlen, S, ROMULUS_TAG_SIZE); - - /* Re-initialize the key schedule with the key and nonce */ - romulus1_init(&ks, k, npub); - - /* Encrypt the plaintext to produce the ciphertext */ - romulus_m1_encrypt(&ks, S, c, m, mlen); - return 0; -} - -int romulus_m1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and nonce */ - romulus1_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext, using the - * authentication tag as the initialization vector for decryption */ - clen -= ROMULUS_TAG_SIZE; - memcpy(S, c + clen, ROMULUS_TAG_SIZE); - romulus_m1_decrypt(&ks, S, m, c, clen); - - /* Re-initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus1_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} - -int romulus_m2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and no nonce. Associated - * data processing varies the nonce from block to block */ - romulus2_init(&ks, k, 0); - - /* Process the associated data and the plaintext message */ - memset(S, 0, sizeof(S)); - romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen); - - /* Generate the authentication tag, which is also the initialization - * vector for the encryption portion of the packet processing */ - romulus_generate_tag(S, S); - memcpy(c + mlen, S, ROMULUS_TAG_SIZE); - - /* Re-initialize the key schedule with the key and nonce */ - romulus2_init(&ks, k, npub); - - /* Encrypt the plaintext to produce the ciphertext */ - romulus_m2_encrypt(&ks, S, c, m, mlen); - return 0; -} - -int romulus_m2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - 
- /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and nonce */ - romulus2_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext, using the - * authentication tag as the initialization vector for decryption */ - clen -= ROMULUS_TAG_SIZE; - memcpy(S, c + clen, ROMULUS_TAG_SIZE); - romulus_m2_decrypt(&ks, S, m, c, clen); - - /* Re-initialize the key schedule with the key and no nonce. Associated - * data processing varies the nonce from block to block */ - romulus2_init(&ks, k, 0); - - /* Process the associated data */ - memset(S, 0, sizeof(S)); - romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen); - - /* Check the authentication tag */ - romulus_generate_tag(S, S); - return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE); -} - -int romulus_m3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT) - return -2; - - /* Initialize the key schedule with the key and nonce */ - romulus3_init(&ks, k, npub); - - /* Initialize the key schedule with the key and no nonce. 
Associated - * data processing varies the nonce from block to block */ - romulus3_init(&ks, k, 0); - - /* Process the associated data and the plaintext message */ - memset(S, 0, sizeof(S)); - romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen); - - /* Generate the authentication tag, which is also the initialization - * vector for the encryption portion of the packet processing */ - romulus_generate_tag(S, S); - memcpy(c + mlen, S, ROMULUS_TAG_SIZE); - - /* Re-initialize the key schedule with the key and nonce */ - romulus3_init(&ks, k, npub); - - /* Encrypt the plaintext to produce the ciphertext */ - romulus_m3_encrypt(&ks, S, c, m, mlen); - return 0; -} - -int romulus_m3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char S[16]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < ROMULUS_TAG_SIZE) - return -1; - *mlen = clen - ROMULUS_TAG_SIZE; - - /* Validate the length of the associated data and message */ - if (adlen > ROMULUS_DATA_LIMIT || - clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE)) - return -2; - - /* Initialize the key schedule with the key and nonce */ - romulus3_init(&ks, k, npub); - - /* Decrypt the ciphertext to produce the plaintext, using the - * authentication tag as the initialization vector for decryption */ - clen -= ROMULUS_TAG_SIZE; - memcpy(S, c + clen, ROMULUS_TAG_SIZE); - romulus_m3_decrypt(&ks, S, m, c, clen); - - /* Re-initialize the key schedule with the key and no nonce. 
Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
diff --git a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/romulus.h b/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/romulus.h
deleted file mode 100644
index e6da29d..0000000
--- a/romulus/Implementations/crypto_aead/romulusn1v1/rhys-avr/romulus.h
+++ /dev/null
@@ -1,476 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_ROMULUS_H -#define LWCRYPTO_ROMULUS_H - -#include "aead-common.h" - -/** - * \file romulus.h - * \brief Romulus authenticated encryption algorithm family. - * - * Romulus is a family of authenticated encryption algorithms that - * are built around the SKINNY-128 tweakable block cipher. There - * are six members in the family: - * - * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. This is the - * primary member of the family. - * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-256 tweakable block cipher. 
- * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-256 tweakable block cipher. - * - * The Romulus-M variants are resistant to nonce reuse as long as the - * combination of the associated data and plaintext is unique. If the - * same associated data and plaintext are reused under the same nonce, - * then the scheme will leak that the same plaintext has been sent for a - * second time but will not reveal the plaintext itself. - * - * References: https://romulusae.github.io/romulus/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for all Romulus family members. - */ -#define ROMULUS_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for all Romulus family members. - */ -#define ROMULUS_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Romulus-N1 and Romulus-M1. - */ -#define ROMULUS1_NONCE_SIZE 16 - -/** - * \brief Size of the nonce for Romulus-N2 and Romulus-M2. - */ -#define ROMULUS2_NONCE_SIZE 12 - -/** - * \brief Size of the nonce for Romulus-N3 and Romulus-M3. - */ -#define ROMULUS3_NONCE_SIZE 12 - -/** - * \brief Meta-information block for the Romulus-N1 cipher. - */ -extern aead_cipher_t const romulus_n1_cipher; - -/** - * \brief Meta-information block for the Romulus-N2 cipher. - */ -extern aead_cipher_t const romulus_n2_cipher; - -/** - * \brief Meta-information block for the Romulus-N3 cipher. - */ -extern aead_cipher_t const romulus_n3_cipher; - -/** - * \brief Meta-information block for the Romulus-M1 cipher. - */ -extern aead_cipher_t const romulus_m1_cipher; - -/** - * \brief Meta-information block for the Romulus-M2 cipher. 
- */ -extern aead_cipher_t const romulus_m2_cipher; - -/** - * \brief Meta-information block for the Romulus-M3 cipher. - */ -extern aead_cipher_t const romulus_m3_cipher; - -/** - * \brief Encrypts and authenticates a packet with Romulus-N1. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n1_aead_decrypt() - */ -int romulus_n1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N1. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n1_aead_encrypt() - */ -int romulus_n1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-N2. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n2_aead_decrypt() - */ -int romulus_n2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N2. 
- * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n2_aead_encrypt() - */ -int romulus_n2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-N3. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. 
- * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n3_aead_decrypt() - */ -int romulus_n3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N3. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n3_aead_encrypt() - */ -int romulus_n3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M1. - * - * \param c Buffer to receive the output. 
- * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_m1_aead_decrypt() - */ -int romulus_m1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M1. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. 
- * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m1_aead_encrypt() - */ -int romulus_m1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M2. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_m2_aead_decrypt() - */ -int romulus_m2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M2. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. 
- * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m2_aead_encrypt() - */ -int romulus_m2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M3. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa romulus_m3_aead_decrypt() - */ -int romulus_m3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M3. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m3_aead_encrypt() - */ -int romulus_m3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-skinny128-avr.S b/romulus/Implementations/crypto_aead/romulusn2/rhys/internal-skinny128-avr.S
similarity index 100%
rename from skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-skinny128-avr.S
rename to romulus/Implementations/crypto_aead/romulusn2/rhys/internal-skinny128-avr.S
diff --git a/romulus/Implementations/crypto_aead/romulusn2/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusn2/rhys/internal-skinny128.c
index 65ba4ed..579ced1 100644
--- a/romulus/Implementations/crypto_aead/romulusn2/rhys/internal-skinny128.c
+++ b/romulus/Implementations/crypto_aead/romulusn2/rhys/internal-skinny128.c
@@ -25,6 +25,8 @@
 #include "internal-util.h"
 #include
+#if !defined(__AVR__)
+
 STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
 {
 /* This function is used to fast-forward the TK1 tweak value
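Review bot: The new `#if !defined(__AVR__)` guard carries no comment saying what supplies these routines on AVR, and its matching `#endif` is outside this hunk. The rename of `internal-skinny128-avr.S` into the same directory, visible just above, is presumably the replacement, so a one-line note keeps the two files tied together: `/* On AVR the SKINNY-128 routines in this file are provided by internal-skinny128-avr.S instead */`. The prototypes live in the header, which is not in this chunk; they need to stay unconditional so the C and assembly implementations satisfy the same declarations.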
@@ -55,42 +57,33 @@ STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
 ((row3 << 24) & 0xFF000000U);
 }
-int skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char *key,
- size_t key_len)
+void skinny_128_384_init
+ (skinny_128_384_key_schedule_t *ks, const unsigned char key[48])
 {
+#if !SKINNY_128_SMALL_SCHEDULE
 uint32_t TK2[4];
 uint32_t TK3[4];
 uint32_t *schedule;
 unsigned round;
 uint8_t rc;
-
- /* Validate the parameters */
- if (!ks || !key || (key_len != 32 && key_len != 48))
- return 0;
-
+#endif
+
+#if SKINNY_128_SMALL_SCHEDULE
+ /* Copy the input key as-is when using the small key schedule version */
+ memcpy(ks->TK1, key, sizeof(ks->TK1));
+ memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
+ memcpy(ks->TK3, key + 32, sizeof(ks->TK3));
+#else
 /* Set the initial states of TK1, TK2, and TK3 */
- if (key_len == 32) {
- memset(ks->TK1, 0, sizeof(ks->TK1));
- TK2[0] = le_load_word32(key);
- TK2[1] = le_load_word32(key + 4);
- TK2[2] = le_load_word32(key + 8);
- TK2[3] = le_load_word32(key + 12);
- TK3[0] = le_load_word32(key + 16);
- TK3[1] = le_load_word32(key + 20);
- TK3[2] = le_load_word32(key + 24);
- TK3[3] = le_load_word32(key + 28);
- } else {
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
- }
+ memcpy(ks->TK1, key, 16);
+ TK2[0] = le_load_word32(key + 16);
+ TK2[1] = le_load_word32(key + 20);
+ TK2[2] = le_load_word32(key + 24);
+ TK2[3] = le_load_word32(key + 28);
+ TK3[0] = le_load_word32(key + 32);
+ TK3[1] = le_load_word32(key + 36);
+ TK3[2] = le_load_word32(key + 40);
+ TK3[3] = le_load_word32(key + 44);
 /* Set up the key schedule using TK2 and TK3. TK1 is not added
 * to the key schedule because we will derive that part of the
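Review bot: `skinny_128_384_init` drops its argument validation entirely, so the NULL and length checks that used to return 0 are gone and a caller still passing the old 32-byte (TK2 || TK3) key now reads 16 bytes past its buffer, because both new paths unconditionally read up to `key + 44`. The removed 32-byte branch zeroed TK1, so migrated callers have to prepend 16 zero bytes themselves; that contract belongs at the definition, e.g. `/* key must be exactly 48 bytes (TK1 || TK2 || TK3); the former 32-byte form must be supplied as 16 zero bytes followed by TK2 and TK3 */`. `#if !SKINNY_128_SMALL_SCHEDULE` treats an undefined macro as 0, which is presumably the intended default, but a `#ifndef SKINNY_128_SMALL_SCHEDULE` / `#define SKINNY_128_SMALL_SCHEDULE 0` in the header (outside this chunk) would make that explicit. The function body continues past the end of this hunk.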
@@ -116,20 +109,7 @@ int skinny_128_384_init skinny128_LFSR3(TK3[0]); skinny128_LFSR3(TK3[1]); } - return 1; -} - -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_384_encrypt @@ -138,7 +118,13 @@ void skinny_128_384_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -148,14 +134,24 @@ void skinny_128_384_encrypt s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
@@ -163,8 +159,15 @@ void skinny_128_384_encrypt skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -185,6 +188,16 @@ void skinny_128_384_encrypt /* Permute TK1 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ @@ -200,7 +213,13 @@ void skinny_128_384_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0x15; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; 
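Review bot: The initial value `uint8_t rc = 0x15;` in the small-schedule branch of `skinny_128_384_decrypt` is an unexplained magic number that silently depends on `SKINNY_128_384_ROUNDS`. Stepping the forward LFSR from the encrypt hunk above (`rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; rc &= 0x3F;`) 57 times from zero does give 0x15, and the backward step at the top of the decrypt loop turns it into round 56's constant 0x0A, so the value is correct as written. Document that derivation so it is regenerated if the round count ever changes: `/* LFSR state one step past round 56; the backward step in the loop yields round 56's 0x0A first */`. The decrypt function body continues outside this hunk.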
@@ -215,15 +234,47 @@ void skinny_128_384_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Permute TK1 to fast-forward it to the end of the key schedule */ skinny128_fast_forward_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_fast_forward_tk(TK2); + skinny128_fast_forward_tk(TK3); + for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2 and TK3. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + skinny128_LFSR3(TK3[2]); + skinny128_LFSR3(TK3[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_inv_permute_tk(TK3); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); + skinny128_LFSR2(TK3[2]); + skinny128_LFSR2(TK3[3]); +#endif /* Inverse mix of the columns */ temp = s3; 
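Review bot: The LFSR fast-forward loop `for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2)` applies LFSR2/LFSR3 to all four words of TK2/TK3 exactly ROUNDS/2 times, but nothing says why that count is right, and it quietly assumes the round count is even (56 is). The justification is that `skinny128_permute_tk` swaps the two row halves every round, so each cell is LFSR-stepped on alternate rounds and collects exactly ROUNDS/2 steps regardless of which half it starts in; state that in the comment instead of the current `// Also fast-forward the LFSR's on every byte of TK2 and TK3.`, and switch it to the `/* */` style used everywhere else in this file. A `_Static_assert`-style guard is not available at C89 level the file appears to target, so the comment is the practical place to record the even-round-count dependency. The function continues beyond this hunk.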
@@ -240,8 +291,15 @@ void skinny_128_384_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ @@ -259,13 +317,18 @@ void skinny_128_384_decrypt } void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2) { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; uint32_t TK2[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -275,7 +338,7 @@ void skinny_128_384_encrypt_tk2 s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); @@ -284,9 +347,15 @@ void skinny_128_384_encrypt_tk2 TK2[1] = le_load_word32(tk2 + 4); TK2[2] = le_load_word32(tk2 + 8); TK2[3] = le_load_word32(tk2 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
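Review bot: The `const` qualifier is removed from the `ks` parameter of `skinny_128_384_encrypt_tk2` even though this (non-AVR) implementation never writes through `ks`; the only reason for the change appears to be the AVR variant later in the file, which copies `tk2` into `ks->TK2`. Losing `const` on the shared prototype weakens the API for every platform and lets a future edit mutate a caller's schedule unnoticed. If the AVR variant worked on a local copy of the schedule, `const skinny_128_384_key_schedule_t *ks` could stay in the header and here. The hunk only shows part of the function.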
@@ -294,8 +363,15 @@ void skinny_128_384_encrypt_tk2 skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -319,6 +395,13 @@ void skinny_128_384_encrypt_tk2 skinny128_permute_tk(TK2); skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK3); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -408,33 +491,27 @@ void skinny_128_384_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t *schedule; unsigned round; uint8_t rc; +#endif - /* Validate the parameters */ - if (!ks || !key || (key_len != 16 && key_len != 32)) - return 0; - +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); +#else /* Set the initial states of TK1 and TK2 */ - if (key_len == 16) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); /* Set up the key schedule using TK2. TK1 is not added * to the key schedule because we will derive that part of the @@ -457,20 +534,7 @@ int skinny_128_256_init skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); } - return 1; -} - -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_256_encrypt 
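Review bot: In `skinny_128_256_init` the small-schedule branch copies with `sizeof(ks->TK1)` while the full-schedule branch a few lines below uses the literal `memcpy(ks->TK1, key, 16);`; the two are equal today, but the mixed idiom invites a mismatch if the struct ever changes. Use `memcpy(ks->TK1, key, sizeof(ks->TK1));` in both branches. As with the 384 variant, the dropped length check means callers must now pass exactly 32 bytes laid out as TK1 at 0..15 and TK2 at 16..31, which is worth a one-line comment at the top of the function since the prototype's `key[32]` does not enforce it.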
@@ -479,7 +543,12 @@ void skinny_128_256_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -494,18 +563,31 @@ void skinny_128_256_encrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); skinny128_sbox(s2); skinny128_sbox(s3); - /* Apply the subkey for this round */ + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -524,8 +606,15 @@ void skinny_128_256_encrypt s1 = s0; s0 = temp; - /* Permute TK1 for the next round */ + /* Permute TK1 and TK2 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -541,7 +630,12 @@ void skinny_128_256_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; @@ -558,12 +652,29 @@ void skinny_128_256_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif /* Inverse mix of the columns */ temp = s3; @@ -580,8 +691,15 @@ void skinny_128_256_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ 
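Review bot: `uint8_t rc = 0x09;` in the small-schedule `skinny_128_256_decrypt` is another undocumented LFSR state tied to `SKINNY_128_256_ROUNDS`. Running the forward update from the encrypt path 49 times from zero yields 0x09, and the loop's backward step maps it to round 48's constant 0x04, so the value checks out, but the comment should say so: `/* LFSR state one step past round 48; the backward step yields round 48's 0x04 first */`. The TK2 fast-forward loop in the second hunk also uses a `//` comment where the rest of the file uses `/* */`. Note that unlike the 384 variant there is no `skinny128_fast_forward_tk` call here, which is correct because the tweakey permutation has order 16 and 48 rounds return it to its start, and that fact deserves a comment too.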
@@ -670,142 +788,14 @@ void skinny_128_256_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len) -{ - uint32_t TK1[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || key_len != 16) - return 0; - - /* Set the initial state of TK1 */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); +#else /* __AVR__ */ - /* Set up the key schedule using TK1 */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. - * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK1[0] ^ (rc & 0x0F); - schedule[1] = TK1[1] ^ (rc >> 4); - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); - } - return 1; -} - -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) { - uint32_t s0, s1, s2, s3; - const uint32_t *schedule = ks->k; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; 
- s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); } -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - const uint32_t *schedule; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; - s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} +#endif /* __AVR__ */ 
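Review bot: The AVR `skinny_128_384_encrypt_tk2` leaves `tk2` in `ks->TK2` after the call, so a subsequent `skinny_128_384_encrypt` on the same schedule uses the last tweak instead of the zero TK2 the header says the schedule is initialised with, while the non-AVR implementation never touches `ks`; the two builds therefore diverge for any caller that mixes the two entry points. Work on a private copy instead, which also removes the need to drop `const` from the prototype: `skinny_128_384_key_schedule_t tmp = *ks; memcpy(tmp.TK2, tk2, 16); skinny_128_384_encrypt(&tmp, output, input);`. The cost is a 48-byte stack copy per block on AVR, which is small next to the 56-round encryption itself. I am assuming `skinny_128_384_encrypt` on AVR is provided by the renamed `internal-skinny128-avr.S` and reads `ks->TK2`; that file is not shown here.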
diff --git a/romulus/Implementations/crypto_aead/romulusn2/rhys/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusn2/rhys/internal-skinny128.h index 76b34f5..2bfda3c 100644 --- a/romulus/Implementations/crypto_aead/romulusn2/rhys/internal-skinny128.h +++ b/romulus/Implementations/crypto_aead/romulusn2/rhys/internal-skinny128.h @@ -39,6 +39,16 @@ extern "C" { #endif /** + * \def SKINNY_128_SMALL_SCHEDULE + * \brief Defined to 1 to use the small key schedule version of SKINNY-128. + */ +#if defined(__AVR__) +#define SKINNY_128_SMALL_SCHEDULE 1 +#else +#define SKINNY_128_SMALL_SCHEDULE 0 +#endif + +/** * \brief Size of a block for SKINNY-128 block ciphers. */ #define SKINNY_128_BLOCK_SIZE 16 @@ -56,8 +66,16 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; + + /** TK3 for the small key schedule */ + uint8_t TK3[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_384_ROUNDS * 2]; +#endif } skinny_128_384_key_schedule_t; 
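Review bot: `SKINNY_128_SMALL_SCHEDULE` is defined unconditionally from `__AVR__`, so it cannot be selected from the build for other RAM-constrained targets, and a `-D` on the command line would trigger a redefinition. Wrap the block in `#if !defined(SKINNY_128_SMALL_SCHEDULE)` … `#endif` so the default can be overridden. This also matters for test coverage: the `#if SKINNY_128_SMALL_SCHEDULE` branches added to internal-skinny128.c sit inside `#if !defined(__AVR__)`, and with the macro fixed at 1 only on AVR no configuration produced by this diff ever compiles them, so they cannot be exercised by the host test suite until the macro is overridable.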
@@ -66,29 +84,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 32 or 48, - * where 32 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); /** * \brief Encrypts a 128-bit block with SKINNY-128-384. @@ -133,9 +131,12 @@ void skinny_128_384_decrypt * This version is useful when both TK1 and TK2 change from block to block. * When the key is initialized with skinny_128_384_init(), the TK2 part of * the key value should be set to zero. + * + * \note Some versions of this function may modify the key schedule to + * copy tk2 into place. */ void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2); /** @@ -170,8 +171,13 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_256_ROUNDS * 2]; +#endif } skinny_128_256_key_schedule_t; 
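Review bot: After removing the `key_len` paragraph, the doc comment for `skinny_128_384_init` is left with only `\param key Points to the key data.`, which no longer tells a caller how many bytes are read or how they are split. The implementation copies bytes 0..15 into TK1 and loads TK2 from offset 16 and TK3 from offset 32, so the line should read `\param key Points to the 48 bytes of key data: TK1 in bytes 0..15, TK2 in 16..31, TK3 in 32..47.`. Since the function no longer validates anything, this comment is the only place the size requirement is stated.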
@@ -180,29 +186,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16 or 32, - * where 16 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); /** * \brief Encrypts a 128-bit block with SKINNY-128-256. 
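Review bot: Same documentation gap as the 384 variant: `\param key Points to the key data.` for `skinny_128_256_init` omits the size that the removed `key_len` text used to carry. The implementation copies bytes 0..15 to TK1 and loads TK2 from offset 16, so write `\param key Points to the 32 bytes of key data: TK1 in bytes 0..15 and TK2 in bytes 16..31.`. With the parameter check gone, a reader of the header has no other way to learn that a 16-byte key is no longer accepted.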
@@ -251,63 +237,6 @@ void skinny_128_256_encrypt_tk_full (const unsigned char key[32], unsigned char *output, const unsigned char *input); -/** - * \brief Number of rounds for SKINNY-128-128. - */ -#define SKINNY_128_128_ROUNDS 40 - -/** - * \brief Structure of the key schedule for SKINNY-128-128. - */ -typedef struct -{ - /** Words of the key schedule */ - uint32_t k[SKINNY_128_128_ROUNDS * 2]; - -} skinny_128_128_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-128. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - #ifdef __cplusplus } #endif 
diff --git a/romulus/Implementations/crypto_aead/romulusn2/rhys/internal-util.h b/romulus/Implementations/crypto_aead/romulusn2/rhys/internal-util.h index e79158c..e30166d 100644 --- a/romulus/Implementations/crypto_aead/romulusn2/rhys/internal-util.h +++ b/romulus/Implementations/crypto_aead/romulusn2/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
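Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is hard-wired to `__AVR__` with no `#if !defined(...)` guard, so it cannot be enabled for another target without a barrel shifter or disabled on AVR for comparison, and a command-line `-D` would collide with this definition. Wrap the definition in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif`. The comment's claim that rotations by 1 or a multiple of 8 are the cheap cases is plausible for 8-bit AVR but is not something the header can check; naming the compiler it was measured with would help the next maintainer.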
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/romulus/Implementations/crypto_aead/romulusn2/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusn2/rhys/romulus.c index be1c0fa..bb19cc5 100644 --- a/romulus/Implementations/crypto_aead/romulusn2/rhys/romulus.c 
+++ b/romulus/Implementations/crypto_aead/romulusn2/rhys/romulus.c @@ -116,14 +116,15 @@ static void romulus1_init (skinny_128_384_key_schedule_t *ks, const unsigned char *k, const unsigned char *npub) { - unsigned char TK[32]; + unsigned char TK[48]; + TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */ + memset(TK + 1, 0, 15); if (npub) - memcpy(TK, npub, 16); + memcpy(TK + 16, npub, 16); else - memset(TK, 0, 16); - memcpy(TK + 16, k, 16); - skinny_128_384_init(ks, TK, sizeof(TK)); - ks->TK1[0] = 0x01; /* Initialize the 56-bit LFSR counter */ + memset(TK + 16, 0, 16); + memcpy(TK + 32, k, 16); + skinny_128_384_init(ks, TK); } /** @@ -138,14 +139,18 @@ static void romulus2_init (skinny_128_384_key_schedule_t *ks, const unsigned char *k, const unsigned char *npub) { - unsigned char TK[32]; - memcpy(TK, k, 16); - memset(TK + 16, 0, 16); - TK[16] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ - skinny_128_384_init(ks, TK, sizeof(TK)); - ks->TK1[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ - if (npub) - memcpy(ks->TK1 + 4, npub, 12); + unsigned char TK[48]; + TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ + if (npub) { + TK[1] = TK[2] = TK[3] = 0; + memcpy(TK + 4, npub, 12); + } else { + memset(TK + 1, 0, 15); + } + memcpy(TK + 16, k, 16); + TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ + memset(TK + 33, 0, 15); + skinny_128_384_init(ks, TK); } /** @@ -160,10 +165,16 @@ static void romulus3_init (skinny_128_256_key_schedule_t *ks, const unsigned char *k, const unsigned char *npub) { - skinny_128_256_init(ks, k, 16); - ks->TK1[0] = 0x01; /* Initialize the 24-bit LFSR counter */ - if (npub) - memcpy(ks->TK1 + 4, npub, 12); + unsigned char TK[32]; + TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */ + if (npub) { + TK[1] = TK[2] = TK[3] = 0; + memcpy(TK + 4, npub, 12); + } else { + memset(TK + 1, 0, 15); + } + memcpy(TK + 16, k, 16); + skinny_128_256_init(ks, TK); } /** 
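Review bot: `romulus1_init`, `romulus2_init` and `romulus3_init` now assemble the raw key (and nonce) into a stack buffer `TK` that is returned without being cleared, so key bytes remain in dead stack memory after the call. The previous code had the same property with its 32-byte `TK`, and on the AVR build the key is kept in `ks->TK3` anyway, so this is pre-existing hygiene rather than a new exposure, but a plain `memset(TK, 0, sizeof(TK));` before return would likely be removed by the optimiser, so a volatile-qualified clear or the project's wipe helper (if one exists; none is visible here) is needed if the authors want it. The TK1 byte layouts written here match the 48- and 32-byte contracts the new `skinny_128_*_init` functions assume.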
diff --git a/romulus/Implementations/crypto_aead/romulusn2v1/LWC_AEAD_KAT_128_96.txt b/romulus/Implementations/crypto_aead/romulusn2v1/LWC_AEAD_KAT_128_96.txt deleted file mode 100644 index 2f55446..0000000 --- a/romulus/Implementations/crypto_aead/romulusn2v1/LWC_AEAD_KAT_128_96.txt +++ /dev/null 
@@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = -CT = C543F9D547B68FFCA08FABBD9983997E - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00 -CT = 99F599A3361F11E971FFE9073EEC3344 - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001 -CT = 2B03E1BB97BB9AFBFFD84FC5FE6FCA01 - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102 -CT = 0DDC3A18751EDBCA0958EC8A3E8CF5CB - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203 -CT = 0D68612ED24E72A508F61F1343F4DBB7 - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304 -CT = 57C5D787455A51D8AB836A985ED05F0C - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405 -CT = 4ACFE2DA8FF158B91F59BEA9BB219115 - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506 -CT = A17547546D9A5D704108288FC22C9992 - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304050607 -CT = 6E8FF6DD9E92436D0FDC7732635CEE97 - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708 -CT = FE0D8754DA146FFEDF1CAF77FF7A01D3 - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506070809 -CT = DA906645C5BBF0FF894604C6F384437D - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A -CT = 6A451C42CA8239BD25BFF9B41B05EB1E - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B -CT = 96B3D55B8386B1789A198D84B80FEA63 - -Count = 14 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C -CT = 3E358F70CF0C24C1AA10BE62D374771D - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D -CT = 079B85B78B0D9B7B3F82C05A0D38F478 - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E -CT = 8DCDEE8F83AB434A1DF7629B759D3DD2 - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = 619D4B54B8DA2C164D19B20A6AA22B62 - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 05DFC578A15D27F4FE8E0DD3D2ED7640 - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = E18E486A598A521309A96F0A610CD65D - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = DBD35CCF9823385A085F263654055BDC - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 91B4DF856EC2330A6BE249F2E261875B - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = 9EBDEC1724DC2100F7DABB1B12E14595 - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 2D3F55B5BF7ACBAE0ED40DD8720D7DA1 - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 1C55DA577512A77984EE60C6915797E2 - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 9478877A1C29F986B4EB8A2F50CD1496 - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 2BB4F1FB6E7CE907E6219B82DEE13806 - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = A07EC49E3230F61C7034DD7C107F7165 - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = C2FFB276FF8312F0835D26DCC37CB1D4 - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 4DFC61D2650F0A5726A42E9C94910917 - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 948556EFE394D60581EFBDB61706EA03 - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 1A29D67F8805A68F77FB8B3B5CDD8C4B - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = 0022E10AFDBAB85DA2743E0B1F570511 - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 78D90E0F6B106712C708C5BC415AE098 - -Count = 34 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = -CT = BCB8819AFBD5C3B118B254EC1446FAB366 - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00 -CT = B1EFC7AAF6ACFD436F8B330B0388251E10 - 
-Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001 -CT = FD338B27F24E85D9AD4EF503E619C84715 - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102 -CT = A26652548EDCF21972A7FCCA4DA366D767 - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203 -CT = 3E07CC440CABD8CED4DAF5D5C5D537F58C - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304 -CT = 7E8DEC3790DD8BDE0194A5684A63C7572D - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405 -CT = 1A60A320769BD5AD2AC37576E9956DF32B - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506 -CT = 1FF2E69469BF0EAB606B543D3B729FB301 - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304050607 -CT = 86482F44AFB20E21A1262E47A2AEC28119 - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708 -CT = 587872CD5F085E54247EBA2A35CB23C751 - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506070809 -CT = 6B0CA14D0ACD0D9872DAAD15AAC62DF31D - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A -CT = 5B73CD55FECFB020AB115CFB8AEC718B6A - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B -CT = FE6BA807BE8BB04ED5682A80AA36BAD6E2 - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C -CT = 02C5D6A3FD7E5F363094385E8BD9C2BF76 - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = 6880361FD028535C5EA869D6EA1CBF807D - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = E4F367AB177AA08FCB5C0C62DC7618BA3C - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF8F16E138DB369E723175688C1EF3501B - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5402EED71BB123E0D039DEF19421CEFE44 - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 3664359A97C225EDBBB809ED5A9A01166E - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C1F9B5D101871F391C33969BEFA8939E6D - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 014D2721412ABE4E859A33212572F7379A - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FB19AC89185C63BB711395076B4A938AFA - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE8567043C48B971531BDA01A5AE5CCAFF - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 955668803EDC39D5676F055432E04494BC - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CFFDDED5502E94639EFF757B6ED4C7C21F - -Count = 59 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A56F5BB57DAE3C18C2C1EA6FB493A13819 - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E24489ED97051E7A62F7F2ABEC9DEF41F - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB6B8BA451DBDBCC51196DA106BF8EE308 - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 549CBA0327D6B0964B472585D14E64B6A9 - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 221EE30E6B04624FE9232D7285299C29BA - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 0553FCCA51C6C7427C9CF3E6F5BFCC1710 - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C0878355AC0D394CB53F93499C3F2E68EF - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13DFBA9400792685FFBDE1D33676185BFA - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = -CT = BC737E3A48DAA7E0EB32E3FEDFCFCE30ECC7 - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00 -CT = B1A8573A8DF6142D49756B52707DE6239BE4 - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 
0001 -CT = FDC9AC573AA4B7BCD8B4F1457E954484FD84 - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102 -CT = A2EED9BB3A9F883F6258092DF0D7C8779BA5 - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203 -CT = 3ECF602E68E5F3DDB8EFFEDF9C058D1A7B27 - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304 -CT = 7EA0B8A59B28CA1367624D104E555F336485 - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405 -CT = 1A94912F7285DC5109D4ABAFFFAC36325A48 - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506 -CT = 1F6DD0EE6138983A9328ED379ED5965405CF - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304050607 -CT = 86A0CA39E6B3E646B32EDE877C33A0C219E4 - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708 -CT = 5840356DA3E76736F7D9E4A658927F86D9A3 - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506070809 -CT = 6B74877F8ACC9214316C487A6D5C2C7026A9 - -Count = 78 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A -CT = 5BA13728D2CC5B1FCBD6FD5830B6F3090C94 - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B -CT = FEB663714E5B6DD53952D4B196CBACEB10BE - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C -CT = 0286879A8149CBC6A0718A93E7981FE03296 - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D 
-CT = 681E50DBE7C22D441565E03C5FA6DE8F3B2D - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF3DA4DEF0778AAEBED0C2297B7FE3F0E - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0C14698DD0679F6F0E29C6B7C273AFD751 - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 541104932A1EE8D6AFC1C64515B43C8B175C - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CED7E4633988ACE3C23F3190949EE127C8 - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171B5BD878EFE688E9ABD51AA900FA4C3C7 - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E45F06A0F9098AC9A0FE8FABE4EEFBA3AC - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAA63D7D7FCF59B45A4040ECFD92BBE6ED0 - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6201647876244AA2A23AF9E2752EAFE3 - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AF6205A152FCE12AA743083E6596406F4B - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FE77114811C119A6691C3EB401AD771D3 - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AE792AFA7D8FEE63CF8FE646786C1C0B16 - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F0B8B4FC2C12EA679C5483D4F12DBC229 - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85FAEDEEEE33D99998593999D4754F7B0C - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D2CE9D083D06DCF66BB80084F4F03D673 - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 228474F21E2D79F485D0D9950C8EEB67CD1C - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8272149DFD9ADC98D443DB7C015ABBC6D - -Count = 98 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C01929B1685A438F696074DD42DDD42F9533 - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B6C13DDD93EB478C8AA03E740F104628CB - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = -CT = BC73B148EF4F566C2DDD8476C7D7674A14EAD4 - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00 -CT = B1A8DFF1B83E98806E92DD39AE8BF93C19C59E - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD 
= 0001 -CT = FDC95789049E490F4E0E6531C709B46B5A7322 - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102 -CT = A2EEF1B7299AB8890B4727FFA7046CCA6D7621 - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203 -CT = 3ECF2CC348A9769DFACF1A7CCADE8D5740B0FC - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304 -CT = 7EA0A6FAB184D368A331BBE19E46AC71445667 - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405 -CT = 1A9471D7A7E5FB69155CB5241E01BDFA1886A1 - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506 -CT = 1F6D4F81F656B21CA691C8AD4C660D082E16FB - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304050607 -CT = 86A003EB2B17B4483EFCA222EEF15C393D6304 - -Count = 109 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708 -CT = 5840C91F07DABED91063CAD103E56A1ECD5674 - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506070809 -CT = 6B7449BA2889FC8F5C831FD9247961EBB6FD57 - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A -CT = 5BA183D97CC14E5A28A2A5FF5D8D25E91ACE18 - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B -CT = FEB6AB5F16D9D058822C877EF94ACAB9F1EF51 - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C -CT = 028697C32D4ABFA1659C58F42D7F57A041DDE3 - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = 681E884BAD7C149A6C3E1D708B114E347343F5 - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8DA3BEA2A4133C19CB0434D9122073CB8 - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1CF54C75720D2119D7D32D4254691D703 - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 541111E3006B3840324F89775826BFA1E7BE71 - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88D3D950D7AD270BBE0F5AB20E5DEABAC9 - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586DF5F47C9EFB71883FA543A82EA97284 - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E474633C5E40C248BE4BD6D602BEBE9EA4CB - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC5F273352A545CC685E8A8D3C7C6F152D - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FE1EAF662A543710938F6B79FCBDC56B7 - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA23971C95F1BBE555913EC7F46A42F565E - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB74F6DF9C2F08B874F8BCADE5D6CFBFC5A - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC9001D16C21E1069420E198051C119A9AD - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9FCECD92275EC75BA55DA2A26D03EA42CC - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E26C88814A654EC0B43DEAC414E4A5D580 - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8CA7379E8B30A6766D35A591970405E803 - -Count = 129 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284614FBA1CB02A6CE48B96C1453400F9DB53 - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B00E64238577A0219B003DEB8C4CBDFEA0 - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C2EE6BD21855FF0E14C8BA780FF04D52B1 - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B62511918C2D7BAB77BD7633BF664D74845C - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = -CT = BC73B1C24E29CFFDC2E7ADD32A3BC5D8B10B9F1D - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00 -CT = B1A8DFB12CD1A86F5ED8369D7A455BE0B8994D02 - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001 -CT = FDC957619A541C37B28E8A6191DA16682AE01368 - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102 -CT = A2EEF13F17EE3740342CAAECBF75380CF7BEEA75 - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203 -CT = 3ECF2C0BD94BD65849A58255110EBD6DDDB2C45C - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304 -CT = 7EA0A670FDB46BBFDA06E7F1467B9AF16F9AB387 - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405 -CT = 1A947165B2802DB081F793363C8DB3F7533195FD - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506 -CT = 1F6D4FBA724351929A4BF1DEA235F48C011FBCDB - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304050607 -CT = 86A003A0186FACDF166B076BCACAB6BF8659CC1B - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708 -CT = 5840C9CD1813078CBC62614CFEC4F8FB33C62487 - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506070809 -CT = 6B74495424C8840E1518893F33B34A01DC51BC16 - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A -CT = 5BA1831D7D5AE50BF0C703A4C9A1EA018A433E34 - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B -CT = FEB6AB5F46BF80269077FB24AA09EC8DCBFDA2D1 - 
-Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = 028697CF85E050846B652B8BBF129C3D355FB344 - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = 681E88AD7A5F9D7CC65330A31FBC4E9F12746176 - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F5E24E6E823900A43E3B7A634BFB5561E4 - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA111A3B70DA0D9A48DB9062EEA4896CE70A8 - -Count = 150 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D8802DD780564F3E1D7A4706F8D69A7FF - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC2AAEA293CE4C7C2308AD0EEC7234ED50 - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C17158652091C8EB9C2077FD8FD16AE1C9394CBA - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467301ABAA25D6AC2BACD657303FA0C2422 - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC6482D91C98024D80CEC8D40EF49864D477 - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA46853BFDEBE6EE6202318AA209454BD7 - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D7528CF548DF81B79202229F5E8EA64BC - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E7588D289A29CFEEA51F63E6DBE20A7CFA - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98A7F4D720711BFF47400BFFFEDFD6F6BF1 - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B0DC41A25D26328D5D16AD1D90010EA83 - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF54D3D3450771C4092B38820266A56E7A - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7BD242C06190FB0461C2782206BE8BE42B - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C3F3A9A1ED2D769A13F01336F3D7286D3 - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDD5DF436AB434EE1B333941A4855CD6FB - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C2961D69A7D9B24A03407AC1E8B094C1B3E1 - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5DA82C3A0BF1061335B6703D1946314B6 - -Count = 166 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = -CT = BC73B1C2F36370F828AC2068FB01ABC0DBCEA16208 - -Count = 167 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00 -CT = B1A8DFB1928F88B201A006E9F863587B092358E35F - -Count = 168 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001 -CT = FDC9576118A65ECD4354AAA7F671CDFD40A607E4C0 - -Count = 169 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102 -CT = A2EEF13FA0F94CD8576F507483077E6F905532F0CE - -Count = 170 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203 -CT = 3ECF2C0B16C9493177C2946151EBCC0CFD52281F39 - -Count = 171 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304 -CT = 7EA0A67026AEE0E46291E5FAEABAFBFB96A394D10E - -Count = 172 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405 -CT = 1A9471657219911946F30729281AA4B895653A0FC8 - -Count = 173 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506 -CT = 1F6D4FBAA55F828EAB30B1B3BA423784B69624F45B - -Count = 174 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304050607 -CT = 86A003A0C555A889FFC37E5BCAA275FFA75C32CD80 - -Count = 175 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708 -CT = 5840C9CD518576F76115AFBACDD56A53C260C059C5 - -Count = 176 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506070809 -CT = 
6B744954091BBC5749A2D5355A42920AEA651BDCED - -Count = 177 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A -CT = 5BA1831D48BAD01E9C5B47BEF7E309C951C030D681 - -Count = 178 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B -CT = FEB6AB5F16612E4AB60D9B745A90EE54B1DF072292 - -Count = 179 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C -CT = 028697CF28CA7C89C1F5DEF0C1AAE4B794EC487B98 - -Count = 180 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDFED66ED9779418B07B36AE061372545FC - -Count = 181 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F5570EBD84F6D4B6D70EF1E2224395141C3F - -Count = 182 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114FFA3AD0DDEE86064AF0BD946012F2A4F3 - -Count = 183 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D718AB3E9E8E1554FD9D2AF0E30D230E88C - -Count = 184 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC5702D47F1F0FC42F5B9CDB8D111E7C39E3 - -Count = 185 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C1715865997A003118DAE733512F0456FA451B18AA - -Count = 186 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC7216F60737E9C2AA8368BCE3A45C6847 - -Count = 187 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC6494F1BA2E7BB84D4D5610126317B92137A5 - -Count = 188 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D742117883796A8784EC45C7540C96C7C - -Count = 189 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D9D022D00C88E2132C3DFCCB837820567 - -Count = 190 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E7386AD2E54021D4F5BC238C54E8587711A6 - -Count = 191 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA8EEB3D8696C4B2C2870D7DC69CB32C682 - -Count = 192 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B4532434E7BEA27878805C10A4F435C2A9F - -Count = 193 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF033796C270F8DD70B907695656457FCE17 - -Count = 194 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15B962C8D59674DD8BE0008BFB4C28B3E0 - -Count = 195 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C476E4D01491EC0A46B62CE70276CD7B8E8 - -Count = 196 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB0B9121A407ADE4209954F7E78A73B6C88 - -Count = 197 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C296038332FF15C5168F20794737FC00EBFAA3 - -Count = 198 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4FFB0824961D17AE71386DC3B432C7A83 - -Count = 199 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = -CT = BC73B1C2F3FE1861CCBE84668A60DD6877684C65440C - -Count = 200 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00 -CT = B1A8DFB192FA84A6B3E141B117CE2100B87A7D724C13 - -Count = 201 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001 -CT = FDC957611833C83DDB7B55169C1D09B1244CB74E0136 - -Count = 202 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102 -CT = A2EEF13FA0EA43C542E76E5BB779CB83FF9A7A673246 - -Count = 203 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203 -CT = 3ECF2C0B164E6C7D62A3CAFE86B39E21940425A78AAB - -Count = 204 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304 -CT = 7EA0A67026AE3758F2B070A5A5CAD6E30DACA8B1C63B - -Count = 205 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405 -CT = 1A94716572303040F45986A6A9D19AF83529A1B0870F - -Count = 206 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506 -CT = 1F6D4FBAA5952543C296DA1C2FF88B8707DB58AE5B55 - -Count = 207 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304050607 -CT = 86A003A0C56CE1A2B043BBF52458E560F00EC9D40AD4 - -Count = 208 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708 -CT = 5840C9CD51285F42019151D2315865C150E7651B1D81 - -Count = 209 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506070809 -CT = 6B74495409117F4F37A882FD0187163C07D6152DF596 - -Count = 210 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A -CT = 5BA1831D487F15ECA7B599DC777FDCE0E6D007BEF30E - -Count = 211 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A467D69E5C729BD6052A4A711C0CC960F - -Count = 212 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C -CT = 028697CF285B58E8C24AA29713C41E19D852CF914FD8 - -Count = 213 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF414B5E2BF90B9E88D858CADD64AE980D49 - -Count = 214 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F5579076D401E267464D1309843D302CAD7B39 - -Count = 215 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E80A055A80F18D870D4BB1EC7C58CB433 - -Count = 216 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71AC2D428B7A5D44B75569159D73667C0563 - -Count = 217 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 
000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F99A60E14B9793ACE50AA0538BDCC49924 - -Count = 218 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0FC4DB57911E3F82AE9F54C770B6303B1 - -Count = 219 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5FA856B9D32F4A1DA224AC49C09CDF4630 - -Count = 220 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496E66AB5E4573E1097B18D7574E31B6A94 - -Count = 221 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E3FFF5CBFE10067EFFE725F3572B672ED - -Count = 222 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8C6DCDFE3D4AC643332005B7DD0D8D32BE - -Count = 223 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873973304C20771F346D5E5875F7E0363A8 - -Count = 224 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860D84F235AEBFCCB0E6F792EA0035035A9 - -Count = 225 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB8B88EE6180F0320B62413B7581C2AA77 - -Count = 226 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036ABC976602396B75A961EC1BC23CE81197 - 
-Count = 227 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15741BBF9DEE311E33AD6250CD31E484C034 - -Count = 228 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C47444AA6EB605B1E6F57FCDCD45C58D7F18F - -Count = 229 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB0343940B982F5EE257785B6115A4DC3F0FF - -Count = 230 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C177346887761CFB014B3C9DAC979574F4 - -Count = 231 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF52BB7D8A88CCA1FAD88650DBA439F17E - -Count = 232 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = -CT = BC73B1C2F3FE0C8A119DC8EB2006C09BF4EFEAC883B7C5 - -Count = 233 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00 -CT = B1A8DFB192FA2C9B882BB5A1BD3E41388D3AF4A673390C - -Count = 234 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001 -CT = FDC957611833EC980BA62EBAE1DB3D5F20102A5E4BBD08 - -Count = 235 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102 -CT = A2EEF13FA0EA16608D346308313B122286CFB3B5559FD0 - -Count = 236 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203 -CT = 3ECF2C0B164EEE34C2140C1C8D2E40771B570B0C207446 - 
-Count = 237 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304 -CT = 7EA0A67026AE73F721FC06F5000EBEA295460B9CB7328D - -Count = 238 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405 -CT = 1A9471657230C229576B97C2843E295BBB28DC584463BC - -Count = 239 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506 -CT = 1F6D4FBAA595F10CC2F555FBD102CDF053BCFB044CA354 - -Count = 240 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304050607 -CT = 86A003A0C56CDDD39EC8EEA5EF2CF00A0AEA7E833F7B44 - -Count = 241 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708 -CT = 5840C9CD51283B537C39A4D4282BD443AD903C1B882C2B - -Count = 242 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506070809 -CT = 6B74495409113A0CCCECFEB8243BABEE89DA9F3D5F6F9C - -Count = 243 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A -CT = 5BA1831D487F8EFA6D026EF5A0C895712620CE43F0B983 - -Count = 244 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5779902177882140EF8D0227D058F090B6 - -Count = 245 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C -CT = 028697CF285B4635B4A253D9A452E6C146BC17C63022FA - -Count = 246 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF417873AD44B477686423A78DE8135AC03D10 - -Count = 247 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 
-AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F5579066B2DFE647B256590486521C9B4FA2A554 - -Count = 248 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E00B6B486E4F42D5CC4E814F5BC9CC80FAD - -Count = 249 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC54E993609BACE6AC655FDAC45EB1E111 - -Count = 250 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F9482A27BA5E2A0B4D7774B21CFBACD44842 - -Count = 251 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0291BCFBE391A76D208BBCDEB1AE4A7742A - -Count = 252 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F8139E949DB80BC92FE6FB4B9378AF72D16 - -Count = 253 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A6C0095EDEBF24A17CA63BAD3F9D3B63EE - -Count = 254 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CFF82B361C76DCE703BE3817C78EC8F42 - -Count = 255 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEAFCF2929528916D3C898A2B7784B6210A - -Count = 256 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BEDB9A6D88BC4ED3853A646608024CF0B1 - -Count = 257 -Key 
= 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE9F5B626135CC7167C77DF7556A92C0BD - -Count = 258 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9D3469DD24FE1B2B3703A4CDF242CDCC45 - -Count = 259 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7E9E0B1DEE14616DF028CC414045563A0B - -Count = 260 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744BD3B185363ABC352D63FD4C339DA6E49D - -Count = 261 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BF1B6CCD512DD5D2493933FCC616AE67CC - -Count = 262 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB03495C5B311982ED379F547F3C6922F981EE4 - -Count = 263 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1652360795697AF19817D95A4EC63D4F7 - -Count = 264 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF9238AD49E129C32DA4CC49591FF0FFE760 - -Count = 265 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = -CT = BC73B1C2F3FE0C59948552C8DE953CB1E3E08CEDD1BA5F6C - -Count = 266 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00 -CT = B1A8DFB192FA2C1BA0E9EB7A2FA1F91AAA1189B654458494 - -Count = 267 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001 -CT = FDC957611833EC301897788BAE70ECC2B672F133D9B700D4 - -Count = 268 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102 -CT = A2EEF13FA0EA16BAF23CD117ABB6BC88EC6E6E5AC07B47CF - -Count = 269 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203 -CT = 3ECF2C0B164EEE0BB9891D2A0325D072D6017DFD1C0DAF6C - -Count = 270 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304 -CT = 7EA0A67026AE73868602786DA30C7456861B9E9949FB9F7C - -Count = 271 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405 -CT = 1A9471657230C227D6C5723DAB0014309F2421441459800A - -Count = 272 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506 -CT = 1F6D4FBAA595F14BCBA306C366BD2D987F7C00296B37DECE - -Count = 273 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304050607 -CT = 86A003A0C56CDDD7EAE5D87D1081C2289B2F4CF370386DC9 - -Count = 274 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708 -CT = 5840C9CD51283BD1E079C98842EBFF04B82162EF4625249C - -Count = 275 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506070809 -CT = 6B74495409113A9078C89B0B041A3D903CED91C62D5A4581 - -Count = 276 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A -CT = 
5BA1831D487F8E2481C5CC35C31E82C6B0817A0202DD998F - -Count = 277 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792DF340DF4CAD06CFEB3BD790766875C86 - -Count = 278 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BF35586C7E282A2D311BC5B61BFC6237F7 - -Count = 279 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178133E12252A49A3600803032938FFAB0BF5 - -Count = 280 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660A21DFD9F8717252741067CFD6BD1051B5 - -Count = 281 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E00513FCBCA12F4C9A7866E89C4C8660589EF - -Count = 282 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5DCE1652636EDD9555311F7873D56E21B3 - -Count = 283 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6DD6BD49402E80FBDB83DDD221399B6CB - -Count = 284 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C5E2D211F78FBAC902CF350E3C77CB466 - -Count = 285 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD07256E918962B2C2A1EC80BA3786D2F4 - -Count = 286 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F8475022B61BD16530E398C6BC88C28F - -Count = 287 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE720296EDF39A45E0E076332CF2B80C71E - -Count = 288 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA688EF347A6D6FE0D1BA5A4BBAE47000262 - -Count = 289 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A84B266AC7514FF26EF3AFF5E43718D43 - -Count = 290 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE1759CF517D9D5CCAB7B24EFFAA626C2009 - -Count = 291 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC42F6DAE7079FC59CD064C6A3F704C8585 - -Count = 292 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE1300294BCF07E2CC0A3A768AA9C062379 - -Count = 293 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9A059EA450CE27E060DB074DED02E2DED4 - -Count = 294 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1C161304FD558A4F42D8926E7F41AD2EA - -Count = 295 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954EF8AAFD7DD7BDF979ED378837E8FEAC33 - -Count = 296 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1EDCAFE6839B1782E71DBA2FC347E8255ED - -Count = 297 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DA237FAE7E2180F716509958D83A2484E6 - -Count = 298 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = -CT = BC73B1C2F3FE0C59A36A93578573783993EA8BC810F4129261 - -Count = 299 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00 -CT = B1A8DFB192FA2C1BD9C39E3B0F5DDFB3E690F07994221EA5CC - -Count = 300 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001 -CT = FDC957611833EC30515C9923386955D43CEA80D5D80F2F0D9D - -Count = 301 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102 -CT = A2EEF13FA0EA16BA674F7E1667CAC85C31D41BB1253640AA4F - -Count = 302 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D94E827A3BA0D0ADFFC3513E448F01607 - -Count = 303 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304 -CT = 7EA0A67026AE7386204BD27E1598E19E5BF83EB0719463928F - -Count = 304 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405 -CT = 1A9471657230C2272CD7342800F68BCB53360A6A43993BEEF1 - -Count = 305 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506 -CT = 1F6D4FBAA595F14B997986D01E3C077100D8E99C83F048C5C2 - -Count = 306 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9437D59BDE2BA92AC392DB0B5451AC4EA - -Count = 307 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708 -CT = 5840C9CD51283BD1D915C2DC46E37B58B9F59BA8D218CAC54F - -Count = 308 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506070809 -CT = 6B74495409113A904D0DC41111E7F062366E2C22462B1CD7D4 - -Count = 309 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C7B5762C029C0D5B08774565B555E51F3 - -Count = 310 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A8A5D2CB7C789E148562BD8C8C902E1911 - -Count = 311 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA86B4C502746B82E53320C13AAA2F0D08 - -Count = 312 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF41781366EFFBD46DABCA396743589820FD6D302A - -Count = 313 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0A34C2E0D81F896144231523638FD3008 - -Count = 314 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC175D3E92EAD1FD4B35131C02AD67358F - -Count = 315 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A79BAC9EDE22CD229EFD1CA6203DA986D - -Count = 316 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D85AECDA62A6513EB4D34A227CA5517531 - -Count = 317 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87E53B7209F1FDC5B15675709F0DD1356A - -Count = 318 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD2262BFDDBAD26BA3E9588D6F2E8B57AFFF - -Count = 319 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F8BFC549618494EC0EA8479CCE97A5DEAF - -Count = 320 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C17B434AFA1017DBBCFEB1FCB2814AD63F - -Count = 321 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B269B586A42C5D8EA4EFCAC9212096BDE5 - -Count = 322 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A92E2FCB9C185CE20CAA43411A8674042B3 - -Count = 323 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F0CC8D1ACF15F971D083A792B520E43669 - -Count = 324 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DF7446A8F237ACDCDB26F8332AAB71AFF8 - -Count = 325 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15FEFC83FDA0B4D563C57D2892369D217CF - -Count = 326 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB08976C0DB8D4BA0C6C75D61280ADBA634 - -Count = 327 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E3B99733EF4A3FEC17EE62FEE4B3647AF5 - -Count = 328 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E081C6544446179C70417FCA3DD64292E23 - -Count = 329 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3DE1E25E542B8BA952681B043CB6847E40 - -Count = 330 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADD91E2EB94359F3397DD50EF532735373A - -Count = 331 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = -CT = BC73B1C2F3FE0C59A329C5B54B86A65132FEB8F159B1C2AB5208 - -Count = 332 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00 -CT = B1A8DFB192FA2C1BD9789C8DD7CC31435559E416A3F9A7878798 - 
-Count = 333 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001 -CT = FDC957611833EC30511CE5BA1C9893F0960E34DEB1D8EAA9A306 - -Count = 334 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102 -CT = A2EEF13FA0EA16BA67E648CA515B1143F4517FF341961FF8FEA3 - -Count = 335 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D65E207FF29631230A54420795A95B65F6B - -Count = 336 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304 -CT = 7EA0A67026AE738620E3AD8D50D59324B1403461C1BC02C7505A - -Count = 337 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405 -CT = 1A9471657230C2272C41137618390F81DA6FC41B8C6F4105FC6C - -Count = 338 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918CC4F96106A5520BFB6E4195CB0F298DC - -Count = 339 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A985EA03C55961A5113FA45058E8A671EB52 - -Count = 340 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708 -CT = 5840C9CD51283BD1D909E480AE82867A6F43F36CF19A3FFE922E - -Count = 341 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506070809 -CT = 6B74495409113A904D45C67B8A581BE9EC670A4B0DF522235D24 - -Count = 342 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C91914227AB85E7C1D5D8EF6B582090C0D6 - -Count = 343 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D89288D4433D2BE450774BE06F40DF3D6 - -Count = 344 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13EE1BB9E6E50E172FF51BA79C6F065994 - -Count = 345 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF417813669390F893E30AA7EEA3A16E2CDABD403803 - -Count = 346 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B71D8E07EC173DB6B5DE2EB8488CC0617F - -Count = 347 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6EEF17089E8A3BD1CB8C6AC08E655E9D85 - -Count = 348 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A103A4106275FE795F2B22A2DAC37689F34 - -Count = 349 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81BBFCC5D88263BD4DB486D53F4B4F36ED6 - -Count = 350 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A39A988E74ACF02E9A66965619F2BBF864 - -Count = 351 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224E21A1FE5606ABE1792B289C0D8BA5AA3C - -Count = 352 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85AD57B10F55326A2B4D22B76B437B4E4C6 - -Count = 353 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C1753876D84FCC9E64F6D68872CDBB7022E5 - -Count = 354 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D4C8960419E2CFCCF1B89C2246166EA02B - -Count = 355 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E07F2A30FD158EBF8FB173E54A97C8691 - -Count = 356 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F008B5EFFEC8CA556883BD48AD48789335AD - -Count = 357 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA413F41F7EF40836626E49AB3C74CFE74 - -Count = 358 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F498B1CA1E2B403E5B60A83AAB2995BA4A3 - -Count = 359 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0630EB911EE97C486C332394190D7F253B3 - -Count = 360 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E362096F0E7933B9A0E48F2F5CF2D7367C95 - 
-Count = 361 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E08531963D8A69D4134D074629BC22D323BBF - -Count = 362 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94C423BB33CEA44114A40934C23044F318 - -Count = 363 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBCE73D0A53DAA1AA0051B6523B5F1EE20F - -Count = 364 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = -CT = BC73B1C2F3FE0C59A329415D418E6A98AE8B176895D2816DDAB163 - -Count = 365 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00 -CT = B1A8DFB192FA2C1BD978DE49263CEC42DEA90C0A140BB2AB769B46 - -Count = 366 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001 -CT = FDC957611833EC30511C58D561F80A21E851F0DFF9FD83045721FC - -Count = 367 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4B6B68B061F88F783366C9908AE84B12E - -Count = 368 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C4B1F1B6C138FE2B54AEB5465BC4BF16E - -Count = 369 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304 -CT = 7EA0A67026AE738620E3693D86F40AEF6292B3BECB966F73EC9C60 - -Count = 370 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 
000102030405 -CT = 1A9471657230C2272C41927F22D069F9420C5C146BF6C8CB8A4C73 - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C0944770D029C726E54208DF2F3CDF3985 - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853A5B5C2512AB918659489EF53A2933137E - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096EE7C57A7D59E828D053A47171933B8DC3 - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = 6B74495409113A904D457353A2BA143AE5199592460C6482FEF7EA - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C91935B0976CD637D8C0FEE0C7ED3B5FC06CF - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A42F7D398DBAB377826CD120B93A08AC5 - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BC58EFBC6D5BA3F5CBBD091C89222BFEC1 - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD230A5BE105CF6D6853A37D6B8746E83B - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F30A81CDEC3EDF0EC5BD690CA02BFE24DA - -Count = 380 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E3401081EC512E3F0168E9778A51D530134 - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F077C4F163CF06E2C7244240706164DADF - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B209A900586EED52EAE21CA2A2EADAF8DD5 - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35602014123F533864E92137F8DD492387D - -Count = 384 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE1CB106DF92E6520D0125D572F4A856028 - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A5061E82FB2563274BA5FCD9383961BEDD7 - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DCABDB8CF623F2D9269B2400A0EDACCECB - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46D05B78D2B6A2161D95981F8D5EA019EC7 - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
CF2FB7E73873BE2A926E3BFAAF02263379C35069FEBFCED6E57BF0 - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838562715A1ECDB1B93073B63E99199188B - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2CF725B21DF3685CFD686996957D837DB2 - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F4954CD12DCA17FD376A67A4969DC72F144DA - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638A0777FC495D38A3987A0D0BB80E4C0F4D - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E362854EB71886274B88A4B00A225DA84EC6A7 - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E0853898D21191BB224D466497D7ECC53E1DC57 - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA37972B57849868071038826A64B84CD6 - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6BFE1BA1CDF0A6C602AD0A96E4C6DD85F8 
- -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = -CT = BC73B1C2F3FE0C59A3294171F08A9DB4AD829896D18836C273B9AC5F - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A00AE5BA0572CFCEF918C5D187D163346 - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001 -CT = FDC957611833EC30511C583B46F7B96D284E3DA0CF1621E72EB5B0D1 - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E411B53C3B5B58A67DED4FD031ACBE8AC0D3 - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5270795C1379EEE25E0F18D46057683061 - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304 -CT = 7EA0A67026AE738620E369B965FEB54F99BF1E1D5C23D49BA51BA0C5 - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405 -CT = 1A9471657230C2272C4192D923546D0BA81FF0157BE08C5D230487E2 - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A6E93334C74EE85A8E4DB8AD50195BE8B - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA77DD268037F77E87B11B0D873C2D04EDF - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CFB2B3EA1890535CA9F80B002310EB15B - -Count = 
407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = 6B74495409113A904D4573ACC6598CEB5A1F2986D13E21BCAFDB6F97 - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193399FC5A10713C63CDB6BE6EC854E0D62B4 - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6B471C389C38EC4688CF80DEFF98A2E818 - -Count = 410 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECD295250F2E35344147EFFC4F9B187929 - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3D2DBB5651084C6C596173B06E1C87D8F8 - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F35185515B4550F73497DC0D186B017B3157 - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F50F24A549906C783B8DA27854ED447DC - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DB045ED5E70CBC8373873A0BA745000087 - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC45A59A29F113043CEBC428A5DD78A1E9 - -Count = 416 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673C95F248D26C711133B37210135925986 - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173380AFF6C33BAB43DD774D5B1701B6CE1 - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500F17F6AA4D5165D8080E514FECAF848973 - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC6478BB3BFB6FDA2D04A27FF0E019C018BE - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5920FDC3E878920653A80185B8F9423FC - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4AFD98DC57ED638962D16022273C2B8747 - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6630A92FDCD37286CC56DD431FA05C2E1 - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C45994584F24F07AB4B1B9E6C795A15B39B - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C4A13C8A7A2418BAC066919F381BDA9F5 - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD78E6835E898800E4981A888D7DCDE4B15 - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285ED574FB3A90C2D9D3B1F5A4F89D7585327 - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B69268A708ACC13014621EF087F6A4EB87 - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68E9033769EC2D286096E1CB038ADBF571 - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B70E01E1DAF857E8890AB0E772C007D72CC - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = -CT = BC73B1C2F3FE0C59A32941714414FEBEB9629C47DE35052C89DA2B7081 - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C36DEA0CB18ABCFA42EC96AA30B5A95 - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001 -CT = FDC957611833EC30511C583BF39599BC7FD198B7AD9C565340020990B2 - -Count = 433 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E411872F132BE4A9519C38CB858A80668FD5B6 - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207E5E55AF1065F06750170D134450E1A98 - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D0BF0E67A049C5526CF40F1FBED80885B - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D1CF4D27E7D500B42DBFA1078809413D83 - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5A77467373DF855826D187C90C2EA3EF5D - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F96A897C61762F22E2D3DA8938CA405AA - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1EDE8D4C37429990F3783510448BD350C - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AD3C67295D62FF1128E536B2B4C50133F - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393CB53C4A3F75301276CFBEF358B277AF02 - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 
000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF20B2741EBE09A49C65EBA79976852C5E6 - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD117510328384160776EF8C3F01BA8A63 - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBB3E04A48D3D6392DEA123B1465C71C551 - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519A5A38FECA31AD255A81B06394E8BDC569 - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F4536AEB07E6A796423E8F0EFA897A4764B - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE40EDE1340E83E88A6C204B32F80FA5BB3 - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC747E24C6246FCA3BC09C8391E38CD6312C - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E87C272E8769D61CDCC24B4598D57867F6 - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D6853646464D964E3541A48216686F1E73 - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT 
= 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA6E905577326820404EC7072BAA4DDF146 - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B5B84CA9F9A82F4C828DFA84F6C852BDF - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AE2010FDBFABBE8038A7C57FCA78A733E8 - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370B00856729C3D979F6389F54274F659F - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C9B2372CA04E333876B2C7978F5E8BB109 - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C4514CC5D10DD07F8CB9057B857E53FE7D946 - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FF9C4CCE725E346EAF06A1B780DD45859 - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0F0BC7BF3C876DFB51C06A0BD4AF49346 - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB577B54C10383894E4FDDD180508C6F5DC - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0C9B15197E52ABADB2E696F59CBFA281D - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BDE8D2D29C67DACFD21B880A814F6DECAF - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B70656453DB96BB924BA31D0EF4853680A714 - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = -CT = BC73B1C2F3FE0C59A32941714473EAF39A7A2E48EF198C26C4089BE027D3 - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C90D9F213A50805A3E1F1AE9140210B7A - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = FDC957611833EC30511C583BF3CB073BD5D4D4A353949BECC753314531AB - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E411879694C9B4FD153BF61B9F7CA030A0EFCEA4 - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B776929CC61FF5A4EC1E417937E73685E9 - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4861F442122CD78748C4D08D52010F7BA1 - -Count = 469 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193CCBE205C4BC1056BD251C7A50F229739 - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE8E9E0975C6A7EA94D97A8281FC503CDB0 - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7D07BF394D7B1F3498A6EFD1C3DA8D8DDD - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1032AAEFBB7D062FC3B779A3A30A65B9986 - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB6C5FA7BA00E5A07ED678AB58EAB878E28 - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C15FB224FEE175145C5307517C19E6C5D56 - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B2ABFD83FD8F4BF4F469D78CBE7979BFF9 - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22B0B858B41AC73784FF5CCB9D9CCB4F6D - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 
000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC01E0DB8844B75F722CF56595B6F5D9CC3 - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFFF1969980E03C575237D49B924F28F96D - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1AE014786DEBEF11E53410A8649D23E95 - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BFD239638095015E671696A2F2068BA1 - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749DF19D7875F3103DCA42CA625CB002976D - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DA449FF0166DF3494D14B19E6B1C1AB31E - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64AB72E577820BF3EE5086F23FEE0CFE628 - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA693710FF3F37C59320537B195735AB61C4A - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90EBCCB57D3E611A1320F2C9A61E6BD1DE - -Count = 486 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDBC61B002FF1DD74D44673053CC08770CC - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370DA83DCAF9576F0532AC1A464044B2B085 - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B220B59F0BECCAA383A7BFC5664988B03 - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437AC9A5C33B688DBD00D1296BFE7EA5954 - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDFD9538C7D12324E03688874EF326F058D - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF63C40B9DB7A7B09B9F5346299D696936 - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535AE344BF30F7DB937D53F27292C3AC9A8 - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B011B629C2C8D29BA655AEF6C1D5651DE6DE - -Count = 
494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5C8ABFCDD08659E350F48413749455160E - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B3DBA1A30947A7363459E1D44E6408DB30 - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = -CT = BC73B1C2F3FE0C59A329417144737DBF9EADF52B2382A873F68F61EEB4B1E6 - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C827B31E47992DA2F2F9E586487C1A373C6 - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = FDC957611833EC30511C583BF3CB663AF367ECB9C9C1965291C1B98A7010E7 - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796073DC545F840757D2CCAF62F547F3FDF85 - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4BDD7B2E5EC90CAA58D304D4A6CA36E5A - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858C99CFFD132E5FDCC55C456E462BBE9B2 - -Count = 502 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE7B08872C49F8041960033969378E0E04 - -Count = 503 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870DC924800E37672B419C101400C950163 - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB89ADD3A8957E257244DBA5638593D84B1 - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AA86FE9F2A30258F5CFCB6707A39BC04B - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB6617505745A7A72E94D8F1D178827B4B2D7 - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589F89DF5B2B4D5DE3477BE33AEA4646665 - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26FCE3E34BF5A0AAD3C5311BFA5FF819830 - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D03512AC8357781589B691EE5F6E27C129 - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020AED7B3D70FF9439A9936983EF8395EE - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF292CAFC3BD4195801D7AA68000696B7565 - 
-Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D177B9EFFC418CB4CA7D851B183E31085E4C - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD4C6CA4C0CFE2C72C7058221CC727358B - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D464634225206989D61647BC0864DF25E2F - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA11259B0F6817357302C3A8D6178760A6F - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FB6CAFFD331DEBB2123E9271670FF2BC - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307E45758D7F0BE51ABE000379CC0893F1B - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B9022A007EDB4D7559482DF00F4A9515C7045 - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88EDF2994F6FF8EC61665CE48A66C2FFEE - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C34EDD8376481278FA4081D265A899CC6 - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B138A900ABF67976D03D83E1ED8EC8CE19C - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CD7137EDEAC00182D8D29D3A9E75130B8F - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93C5518C35AF102AB1832B9D03205FE87B - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38276161382202C8F988A3C9630CEDCF2A - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB53556694E0164A2608392E00DA3E62FE0BF58 - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E49E9F3AA1FA522A05F04B1A541A76218 - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCBBBE3BF26397FEF42EE9F3D9BB5430A6D - 
-Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36ED1635C3E105E74AEA863C5F485D16E83 - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FBC27F66BA4C739B4C13F7E85D40CF381 - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E274E644246D8CE10336162634B9B24D07 - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B6ED3E53276F464D7C5912F66B5F47573B - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CE7964ED06F6CE4853E602BF702E9FFBF - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AAE3C87D827AFAEF4AD0CD65D3EA1518CD - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858ED6BB7C693B55C450985D5F82D198FFDC8 - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE028A35AD1C7F60C2F2F6CF1CCF54FBC9C9 - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C68893F3F2A8DDA2C2919298EE031BF69D - -Count = 537 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB885C3C8A3CCAE65B6F0FDDFA758199EE268 - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF9B1F0F12D8A9A226C7B8A6D2788AA7BE9 - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6761EBA952939A69653BCF593B4165481 - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8DC9204B1CE9D7EA02976AC98DCB74B8B - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F2996AA3E52FB7A87CCE290DFDB8BA69505 - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E72F8BCDF4E7842CA0590EEBA76DEFEE6 - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A0F7BF48A4C1AE97006FDEB1FA1B8DDFD - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F08D5CFAC68A38EBA31D716573780F3538 - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = 
DF0CA1114F2E0051AC6E347F45D177822623D7A63D33E083B1E5CE9C6028BD94 - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C1BC354027E2AC04207756D70D0674F77 - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C31C254F2CB18224F7E8D30D24D19FD108 - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A138A5EE479877E909213559980546388A - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCC6D69751C0A4424F0C2942A72F427FA7 - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A576613A7F409C3A12D765D155231B87B5 - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B902201C1E11F06943E7A86571F1F75A6DE0B6B - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A37DC2EE750D7F282123DB801E050031B0 - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
CF2FB7E73873BE2A926E3B4A370D0C792245BBFC7885EA94E97054615A30FC3F - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368777B1D66D154D14AAF3F54D0021F744F - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1CC6C888E036F5FD6F28DF83915773FA7 - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D39B047288ECECA45AD8FF0D41CC4A977C - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF3895E966678F050BF8A622E0E36C1A429758 - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB5355666F30F37D5EA8E301EE833ADF7E79E823D - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59A7DC7505608FE3223364EAB0A0BA7CA0 - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB8678D4C3D3F048EE9E9D3BA25AAD479947 - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E47700FFC1B8F7AA3A52695AB9449A89509 - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E94965B55CF7C68ACE5BB1155B7366BB - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1B00CF717A2B285A2BD0B5F6ABC07B02D - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61CC71339E3142D6E5657807C293FE78F1A - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD5B433F09FD96A4B946ACE727A0562163 - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA855AD2D11781719D789069FDD9A5A85791 - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF75BC04DF41B03B02101BDAE30E6BE9BD - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC781366A8415E7C2525018A686A4C90CE - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1567755746F83385964DAFB27E1C06DCE - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B 
-PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB885591523E456A5CB4954B2E3640290AEA27A - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF9816BBED28A10965A9E1C942313591086FC - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FDC4E336C15BD150F67DB989F58EBD50D6 - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BC6309ED917DAEF1B08699560C1966D71D - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAA27FF1EFB38B5B2FA030ACFD6A5097D2 - -Count = 575 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E411A75B4C85FD7A9E8957F544AF80E3C19 - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A93425CCD824330EDBAE26DB4C16F7700E9 - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F07916C2F5F315326EFE519B69455539E3C2 - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = 
DF0CA1114F2E0051AC6E347F45D17782241F204838259A40DE0013FCF1E9EE4FB9 - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C1250A1D8BC074337DBBF23BA82D9C36C2F - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A839468957E5BBA51496AD832C3861B50D - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A1899A0E93B2CBAAFF6C95C1CA6061343B27 - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB530250EAAD81050665D6075237AAA4B9 - -Count = 583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F4816599982CE5036B80CD65AD11B9AE4F - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90220168C161D14DACEDE617B9DF2EEF6C61DFB3 - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B88AB44E188AE12C98979F6E1864EF8312 - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B5DA97C31E469242751E9D346602C2A415 - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B13686086CAB0A28850C1446CEB5343EC7FF90E - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BB772FC9EB84B1C03D6CE7A026BFA7D0A4 - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D318D870D7A89A4080249C03C1BFE30D10B0 - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F1BB343F270B6D5E807CCD9BDA774BA81 - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB5355666023BE810873BF13BA3F3B879DED0402589 - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF0E22B520BDB8D5D85575AE92EB83AA72 - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF73A5D03739FA6B3AC942FEBC13044E2C - -Count = 594 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E47684129B85172BFCC6E6B9ADB37A9B6DAC3 - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E28AF3BEE9B5092D14E69B272D9C4A994D - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C170F488BC956899BB01BCB786D29157D94A - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B36963F452687F5ED975072BBA784B4A7 - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01DE8925A6D36A64CDB1EE73FD760D28F5 - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854EB94FB4DE375EDF94A5B470F06774E805 - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9F102B514465DC33380294F451C76B9A65 - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC9079912EECCAE995ADFD795DFD764DE46C - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = 
1F6D4FBAA595F14B9918C01A5AE870C6D1764ECDFD36A892FF2203F2D05FA45AC1C8 - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C06D04754D2FA566054AB4A07A81BE4C9E - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EEBD4267F71E1FD3F5CD4E9DA58A0F5AFF - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A0694173A4160C48BA7D7C2BFBD8E1912 - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB31904F12FD12E1F8DE0802316007830D - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD9B8C680D44A4B30D1CA07189AFCF2BCF4 - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E416CD8AB58EDEF4673FC07A56EFC751BB984 - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B44E15918C817D4D03D8E531AD8AB80F3 - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F07990C77D4B146E305CD8094D2BD81D38FDCB - -Count = 611 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D177822409BF0501349A5181635A210ADD7365E640 - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123BB4D54B2B3FE883F718F9D58E1AD141DE - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A8396CE3C08237FC3024586EA3DBD036B50A - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C7593777AB5E073F8892B8B824979A4562 - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4D3D207D6AAF72D841C87F09C0EA2151BE - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E28BB0A58C53420592FD6AA1B8FCC1D83 - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90220168E9CD9EDDFD6C7DFA7B188896F8F76DE5E8 - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 
95AFA27D4D8CEA68B2D46DF5AEDB88A3B834FD6FA14AB59A29C08E6BD9CF6B1F830C - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B56653F2F71FB527770E69768FFDC302D2F8 - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B13686065D5F49C1F34BD00AE10C6419C92375AE8 - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA7C429CC1289C9B7190817840217703F9 - -Count = 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888916599B7C2CC665566E816BA173928F4 - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F4385F21F8E8CAB99E15B8CEF21FE36B2AA - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D52EC321FB1662EB126F8A4D7827A14320 - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A68E0DA37313FC16B550D3F1C394A1252 - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53A38B655629E4C40F0721A20E033A360F - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EEEEA3FB5CADD45164F16B905DB8E1DFC7 - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E2C412186B9693087B6F482DCF38E96E31DF - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F1F8D3966F2FF9B9DE1741674EC38A1E4 - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B0D0299A367A2285B7B535B46B09B3043A2 - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01477922DC7696B8130B940240E5B1DC57A5 - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC733D0EF3BDD6BD203D99294F9504B914 - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEEA5AF90C1F8FB417CC85E797D8F2A8C79 - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = 
1A9471657230C2272C4192D9D193FE02DC9096E4F6CB948BEC039BC6C0FD38410596C0 - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761FE486D86D9682BFC4B2E642D2B89C93A0 - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0C752C3A088FB389C9197F09A1399F235 - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EE5F93317BDFDB4818A72DF2D42312A461B1 - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A71930AAFCBB00D251F6D67D5F883CDE576 - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB84BAD8928E7339654BC881F7E9C75ABAA1 - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B2EC2DD42EA7AFE70CECF57777CADD492 - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E416C16E1C76546C9F0EAAF55105A68F855172B - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B95956E582C3435B1194016E54EAE574ED0 - -Count = 643 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F079902E76117AE4741B4C740A967473ADA49CDE - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1778224098F536618659641BA9328147386A21AF85A - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123B10D87D073C47D6F698F57B23811D899CC7 - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A83989796389BAD48E7EF042E5B5430D00FC68 - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C728C7BB4F7C97AA81E121B83D06E8ADD53E - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4DC4A7C3E3E5CAB0BA73CCCE114803FFC791 - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E877D1E0A823DDFC95E99AAC2A0C6894996 - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
EE7B6FEA6D4E6CE7C175DC649B90220168E94A760941236BD111A9A5EAEF6A25A3712E - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D76921570C6E702D854693874FCE219C6 - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B566BD39CD7C11F55AE4DF4AF4AED4BFB3BB10 - -Count = 653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368606539C87F2C3B3A091313A25ADCAF8563FD59 - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0DB97F39B1763BCC0482D83A8356C25C94 - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC356AFD3366BD6386B4D5EB4701139E05 - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F43A177B8532426C624C7B590C9791FA3889A - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D57E50C92463A0D949BAE2936ABC05AD2B4F - -Count = 658 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A14418BD90E81F8E6163BA088E3119951BC - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CCC69FE884E6E3F6ADF881828221CB1566 - -Count = 660 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE87D4CBF131CBC58C7B5D975349E2F45CDA - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E2C4D0113B39880922B0319CAD951F72E49A74 - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F2797D89E5625504A6C856013EC3BD6205A - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B0D721481415AE5630243B9BA0D5677C372AB - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01474E1E50A2E4072A59607B7B2A1F73C02F67 - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC9D2ACB72411A8A0FCED55CB11A9A5A16C5 - -Count = 666 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEECCA3441698ABE9660BB97E2F7D850A168C - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC90965A9AF0B2840B259CB584AB0CE8BDE7AB85 - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761F68DCD8671A169B81865499677008587F95 - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0BCBA03CD249FF1D87F84F3702CADF8C9E2 - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EE5F4127A60C302CF722FCAE3084F11AE9D631 - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A711D7BE33BC4D14ED58C099963E918C9E13A - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB84228D685006D9EC12CC2A22FBAA342B2FFC - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B50DA5C3C6971FF1AA3B2016458C8A5BC47 - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E416C16D07E8268F0F0953AF9EF515EFEED09C248 - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B9535710EFAA5D7C67B93F22E5F119C0E77E2 - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F079902EC49909104455BAB07A49FFDB0C89B15D8D - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1778224098FA9114A5B2B65057DFCD9F329E6EC6BC715 - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123B10FBCE3585B384305199C72AC362C37F853B - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A83989708479BC859BEFF75C7ADB48223100BFD5 - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C72898D5FF8FBA03CC4133F027A57BE0901D71 - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4DC423138B870DFDC0833895CAB003AB49ECD7 - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E8793A2B448CEE7D4215597283C8D7354EE33 - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90220168E94A6845D7B37C9296A23B1048DE36AF2BCEDF - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D176945CF1E1A767292603BA7CE3EA2273D - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B566BD95CEE0307CECACD520FDD221209E14DEC6 - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B136860653905F38D47FECBDFE66E89C57C08F1F9ABE0 - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0D80D217E35B5D0EF71D74BFAC53744E6517 - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC10A03A1505AEFBB48BD91B116033530DB9 - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F43A12CBC003E6BEA17D00EACF718B76D9F11A8 - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D57E6AFFF473CDC1991B8D0187717024F71024 - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A14459F502DCE435CAD6F1B4306FBC14A5234 - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CC90C05FA190827EEF79781B14E625986E19 - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE87751884D842D13CAEDB16405270F0EE4D12 - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E2C4D09CF98ED89583E781AFF030D39717B82D3C - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F271498880D2C84981089BDD646F73CA0E39A - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B0D72D4B0940C85A65FE2CBB5DCDBFF867619A4 - -Count = 697 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01474EF79050F8E380B0BD86994E3A73FECC635D - -Count = 698 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC9D6D95B29FEB98723D14D4A4A39484136DE4 - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEECC57DA43F70FD4B7D070F0C45BF8F1F2C324 - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC90965A75214436047AC70F48621B690A2D424935 - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761F68DD38B0821578267EF8F9BE1B58A5B9CE5F - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0BC24BB253FC42FAE8CD92CE505771B7A4D26 - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EE5F415C21CCC3465F87A4F3D59D431050F6FA9D - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A711DAF8D5C07D456DD97BFB915619203B71CA7 - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB84224E08AFCF81AA6CD5448A9AB415847C912B - -Count = 706 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B504E1688285432703BED760F6DC230FD921C - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E416C16D092FFA8AF72F786636FA19BBA41913E7480 - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B95350FB98DDB68154775DC70EA9EB5B56D2062 - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F079902EC431DEF31DCA4F06E42CDE85367EE10E8DC9 - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1778224098FA934114C1AEC88DB6C4713243D08A0739C88 - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123B10FBC461F9241D0492BB1EFE92DA2AF6A7E8B7 - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A83989704D6404BA3AE7F3BBA733F434078346D919 - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C728986A8E3B85735A6361DC2CE626829DC3EA29 - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4DC423DDA41D2093A1846321A7EEE21E5343D327 - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E879359936BAC93240C8BED40AE18508190DA2F - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90220168E94A687A147F3A3E6004273A78032425DFC5F777 - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D174E748743CAA786F8992D11A440224440EA - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B566BD95CD7B1E52B72194946EE8E9882015E3D4AB - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368606539054FC057C99DB021E60DD14B2FC46074FFC0 - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0D802ABA46024FD7A1D7B1512AA2C18F36930D - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC103F6AE18681BAE77EB8439E6BCD4EE42E3C - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F43A12CAD6C855F8901AE805DCBB62B6BD7464E37 - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D57E6A4E5E69913B98CF271FF33FB8EEB243E35F - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A1445EF9ED641EDA3F5BA8A467C5616458A3572 - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CC904E9430E509E91A7D9E75097AFF4EE605A6 - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE8775191ED4EC4148E7075A60CD258104964A2A - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = 
BC73B1C2F3FE0C59A329417144737D0FA3E2C4D09CFA40247B72318085A05612400863BBA117 - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F2714A24DF989644C18B38A6CA551C8CBFD7B7C - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B0D72D47B4C01BDA1EF44B721CCEAA30813A4A161 - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01474EF7B92BF79BA163BA118C9D26AB46EB44954C - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC9D6D483A18AA87D56BBC3BF61E926084E71160 - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEECC57ECCF9AA1AEFEA056E7D0B0BD1E136FD4AA - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC90965A75DB9B8694E9591740F85EDF5ACF828E6158 - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761F68DDDA998E5981F5E16DEE607220F9EBB01D55 - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0BC24903C9481FCC5CCCDB9DF5AB4F1B3230D43 - -Count = 
736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EE5F415C6F5FE614441BC62D3775F63B7463A5073B - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A711DAF4A6379F0EC4E11725F5E6D5F81411E6C4E - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB84224E6C0069B15F0D1F1E81B57EB089F5065B2E - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B504E2F4981BEF3C3469B90E583F71847CA3314 - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E416C16D092BB05AB4C5F87F29EEC456E8D2E98FB10C1 - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B95350FB5C67B9EBFF91D4C28FEC12A97B2712E21 - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F079902EC431CB68C319FC47E398CC792B11B78F27B51C - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = 
DF0CA1114F2E0051AC6E347F45D1778224098FA9346D747110F8F05A733525A924420623F842 - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123B10FBC4B5A38D245C7FDB1C149E0D9AEDFA691CE3 - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A83989704D7DD662BC963DB8E50A6297E5DE0AD7595C - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C728986AEFE3057252738AB4BA1D59557444DFD63B - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4DC423DDFD85B54D7C28A336D20F25EE905BEE8998 - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E87935987F802252C47B98E2D8A118013305D99CD - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90220168E94A687A1B59BCEA05C890F6150E27B26D978A73D4 - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D174E069A23632E2AD5C0630A4B5848FFCDBA92 - -Count = 751 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B566BD95CDA816AA701309164C0374A51128492C2522 - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368606539054F789732BA7CE2BEA5A336039B3D7DAB9680 - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0D802A465F18282A3D04526A7E5C081BC65CDA36 - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC103FBA6E1779951D02A3A20680B95BA11517B2 - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F43A12CAD52D60BEEB742CC7C3D4317117D1B073915 - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D57E6A4E5BA5B01D8CE4272AC5102F5E8C461B459B - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A1445EF1F1305A5938A56884EF5F537750049FF0D - -Count = 758 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CC904E5EE0B79A0EEACBF185A7E5D5F4BB67CEA0 - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE877519542FDDFAA2A7CC0ED3BC834266DAD9ED91 - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E2C4D09CFABE4C05B3DF4108088C3EC8CF76EBE1A0F2 - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F2714A235AD3D5FC843F6514AADCAD00F685385F0 - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B0D72D47B25041F2974DE5D9BF755721FFD133F87AF - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01474EF7B90B81F88A7332E4585F3CB6D8EFC696D311 - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC9D6D48818C57BA78521D3A44D990525A67A12E80 - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEECC57EC756BC5058DE102BE19CCDD2BD6F9E4B527 - 
-Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC90965A75DB47B96DB9273B29015A789293E8928DB748 - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761F68DDDAB237B1645F933F16B034CCE5E2AA4B9B94 - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0BC2490B60FD4D972610CCA178C900D50208AD06E - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EE5F415C6F0687CBC2CB8D33D3CF1ADD3A4DD45E89B0 - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A711DAF4A54D2A61E1A425E1071ECADA8B8736301AC - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB84224E6C47176CB68A9086B8668D01DBD3BB62DDCE - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B504E2F8DF18E059B656B6721391A3CF590B284A6 - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = 
028697CF285B46BFDA13BCECAD22D09E416C16D092BBE843C680F818C5BF44D5EE7DE148F88D03 - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B95350FB5A29D90B059852313100E4984C805928443 - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F079902EC431CB82470FC800E4F643E9288447414D98B59E - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1778224098FA9346DC0237D2C81BA1CC81EB04D2A0ECB9F2739 - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123B10FBC4B5B1CBEC93998FA9648B10399A33B3DCCBFA - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A83989704D7D2C3A3CBB47C929482A12D3B5FF33F5F4A2 - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C728986AEF37CFD59B99E33226FF6757A6BACE2CDA4C - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4DC423DDFD70E37D779FDB4E666142840169544D6F1B - -Count = 781 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E87935987AF753E67CA9CF6CC83DABECA7E27635176 - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90220168E94A687A1B12B561255FA94DA153B2E1337D8297905E - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D174E06DBE57D8DE76680CD596520B08E32B7D89B - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B566BD95CDA8371D1A03C6EF552A9F187A0AA43635E583 - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368606539054F78D9350F1EE978852C245DBD64E4D65CC1CB - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0D802A467F8DA31F651F31172EF87DE006EEF6E16E - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC103FBAE14347A37582459A03266DE0FC704B1EF1 - -Count = 788 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F43A12CAD52D9964C29292A1BDCD76F60B37A15EE21D4 - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D57E6A4E5B29AF16E0E95759C2B125844E496A7F6457 - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A1445EF1F338FDAF94F2A9BCE5DAB7B8733761D4893 - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CC904E5E054FA8221C56A113E989B9F81BD13B9AC7 - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE877519541187D81F0CF498BD2317EEEFC1BA09FD5F - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E2C4D09CFABE5C67F0BE77C96DCA2D621A3AEDA407DEA9 - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F2714A235D11F48C67F708E8845985CB19ED6010FFC - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B0D72D47B25DBBB850CE2576C3A57FD18BC3CFF3D6D5B - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01474EF7B90B13ED837E5EFA4849EB7979337FD145B1AB - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC9D6D488146B61ED6A49143E54F91090703502E1994 - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEECC57EC753423E518B2703E59075B236CF7FF055358 - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC90965A75DB47ACF3622DDD5EC2DE97BCF3527921D29107 - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761F68DDDAB2E75FEAE2F03FE90BE8C79E2DF75A7265D0 - -Count = 801 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0BC2490B6A17486444F9440434133FD04142925C8F9 - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EE5F415C6F0688FD48546BBF1B67D67AD413A9CD157CEC - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A711DAF4A54B31BC7DAB26D903950EE5379C743AF8C93 - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB84224E6C47094B57F09AB7A21026B142ED6436497EB0 - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B504E2F8DD57B6405C3808CF25A26AE2289DD85CFF5 - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E416C16D092BBE8B9596AE06506D4CC33DB0AA22365304C5C - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B95350FB5A28D9590AC4E915251A024C50D1FCE31EB02 - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F079902EC431CB82A70106161BC3FC4891CB3356597BFFF6A1 - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1778224098FA9346DC096229D9E1715514902B61AD4DFBD1F602A - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 
5411119D71ACCC5D9A10F0DBE4D8BD5C123B10FBC4B5B1086E20396B5783A8A60603081317C54133 - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A83989704D7D2CE14B78BB63FFEA6B6E4F481501C9D996CF - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C728986AEF37EA7AEE5C1D85068F993515875FBF7A7BF8 - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4DC423DDFD7062363D20E31A91526E7160F6B601FD01AA - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E87935987AF3F2B9A1E102B8F3CD486D2A6FDC6E9759D - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90220168E94A687A1B1244DFFF225FB61FEE1E4F26AE8DCD4F1878 - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D174E06DB0760F957BC42E1C22E1958F3B6D4512AD2 - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
CF2FB7E73873BE2A926E3B4A370D0C79B566BD95CDA83797D8E2E17A03E076AF09822CAB762FD0DB - -Count = 818 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368606539054F78D9876F17F9D98F60D64EA9E44201410ACD38 - -Count = 819 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0D802A467FAD1E7FFCBFB4BF5F94518E18A4C6AD9316 - -Count = 820 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC103FBAE1CF47D09B679011A91DC89F8500A4501523 - -Count = 821 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F43A12CAD52D9008B28E58871C9E3004693A0775A13CD19 - -Count = 822 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D57E6A4E5B29AC1AFE850F982EC5B9003210AE09126E80 - -Count = 823 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A1445EF1F33B5406032F3C5D380105DF5166364FA1475 - -Count = 824 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CC904E5E05D8098254D4EE8BD4CCF2DC396FA157C1EE - -Count = 825 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE8775195411326928BA5B34AFB44961A8408B703CF143 - -Count = 826 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E2C4D09CFABE5CBD1A328F2DA944A30866E2C778C5E95EDD - -Count = 827 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F2714A235D148BADACE6929F188CE8BEDA20D89DD8182 - -Count = 828 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B0D72D47B25DBDE457EE363381C08EFDF4E65E20C24DF0D - -Count = 829 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01474EF7B90B13089E7FA7A7320BE3297F6F27C2347D887F - -Count = 830 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC9D6D488146E25EDC3E3A1DAB8EB03BD858BDC4F7A6DA - -Count = 831 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEECC57EC75345757E57DB012D0E680069B1E14D1126917 - -Count = 832 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC90965A75DB47AC439AC527F2DE1C8D6A18B933E8AC263035 - -Count = 833 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761F68DDDAB2E7FEE75830F01559C9A3BA94C239518DBBE7 - -Count = 834 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0BC2490B6A1E0EC5DAD3C4D5C224262F028982F26E799 - -Count = 835 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EE5F415C6F06883828972F98A20D5011D28F59E0F984DCEF - -Count = 836 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A711DAF4A54B3D4BF379E805EDF1A7B4D397B7459BA5718 - -Count = 837 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB84224E6C4709A41925A95E9B9FE8FDA0A420548DD6A54C - -Count = 838 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B504E2F8DD55D3061AFD32777529C28183635D83B4D25 - -Count = 839 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C -CT = 
028697CF285B46BFDA13BCECAD22D09E416C16D092BBE8B9A15CFFF1D05BFB471D00775A6FC930164C - -Count = 840 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B95350FB5A28DD2A7F42ACAF8062A2029D9EF3668305772 - -Count = 841 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F079902EC431CB82A7DEF38464B5F749E708EACDA920288AAACE - -Count = 842 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1778224098FA9346DC09611E7E3D6883C458501FB52815F52AE5554 - -Count = 843 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123B10FBC4B5B108FAAEBB224FFCD62E04951A1A8531D32B99 - -Count = 844 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A83989704D7D2CE1170B221523F97A2A98F432435283F99BB7 - -Count = 845 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C728986AEF37EA521E0EACB295C968BA3F87A193C3990C3C - -Count = 846 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 
01E47467EC5F81AD224EE173D64A14FCBB4DC423DDFD70620519AE922C7C7C4BF5CF0F1101F9806A91 - -Count = 847 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E87935987AF3F4800DE4425BDF6368485CA20F81E3F4D60 - -Count = 848 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90220168E94A687A1B1244DEB2EA7E199359D938CF814309FB0E99CF - -Count = 849 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D174E06DB0706ECBECFA8A7EE35014CACEEFD26C8CF83 - -Count = 850 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B566BD95CDA8379712A11B5C1CB67C82B78DBF412E3693DD21 - -Count = 851 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368606539054F78D987F6BFA05EA06D3F3515EE9D711D706A6436 - -Count = 852 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0D802A467FADAAD3B2BEF833E5F38536187DB0597A3447 - -Count = 853 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC103FBAE1CFB3F1C13FCDF731E1611A97003C51D02DF5 - -Count = 854 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F43A12CAD52D9003849348A22DFE14CF80ED7BCEAFDE82CBA - -Count = 855 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D57E6A4E5B29AC166B38D203C6F6457C985218AC2BAAC92B - -Count = 856 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A1445EF1F33B5E8C42139763405A8CAB204EA387D989999 - -Count = 857 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CC904E5E05D8E8F8611E4B7B955D93887A846980ACA855 - -Count = 858 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE877519541132810CA2912F085BE7211EA4B9A4C54D1928 - -Count = 859 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E2C4D09CFABE5CBD702CCBDC49E6C41D59A793CB6237EBD574 - -Count = 860 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F2714A235D148FA004B07344C351F3C515A61249574F732 - -Count = 861 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B0D72D47B25DBDE9474EBCF7DA8687A5266224589E483D36E - -Count = 862 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01474EF7B90B1308AACFEB7CEA01529837AE39D3061CFC3A6C - -Count = 863 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC9D6D488146E23CC6441B2E6DD94802C3B7753F3B751729 - -Count = 864 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEECC57EC753457F18B7F22BA655B0A57744EB435A8906B56 - -Count = 865 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC90965A75DB47AC4305D8F6B1426839447C71FFDA676A8F8674 - -Count = 866 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761F68DDDAB2E7FE1133E36DE2A7567D26CF4C12C292E5786B - -Count = 867 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0BC2490B6A1E03D1577111D13A75C3618E91AD0A064E935 - -Count = 868 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EE5F415C6F068838E1C03B07F0AC6E4818AB442CD5BFC4CB07 - -Count = 869 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A711DAF4A54B3D430DB56E19E0C0BE73F8C78465271F2EF26 - -Count = 870 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB84224E6C4709A42F19030DD2D00DEE467426945536D63F0E - -Count = 871 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B504E2F8DD55DC6F520C5ED096CF8A6AD1EFDD26E48F509 - -Count = 872 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E416C16D092BBE8B9A1A200B594DD5C8D4126649ED6C5062D834A - -Count = 873 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B95350FB5A28DD275FE566DF26A986DA8BC6241C560FADD1C - -Count = 874 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F079902EC431CB82A7DE02DBDA9AA76CE11A4149CC0BA41CBA3197 - -Count = 875 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 
000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1778224098FA9346DC09611FA6B993D6C9988129DE0E97A389832EF93 - -Count = 876 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123B10FBC4B5B108FAD4BF0709E2ACDF0357269DFC97832C09F0 - -Count = 877 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A83989704D7D2CE11797007B57A1462C7B76ECF0C39DAA7B5EAA - -Count = 878 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C728986AEF37EA52D0A166C3B01220B64400C60881AA333A81 - -Count = 879 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4DC423DDFD70620527DA9C1507DEB367A6E4942B7FB9144156 - -Count = 880 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E87935987AF3F4816A7627FE5F0DE5D1CA10BFE85F5175EA0 - -Count = 881 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90220168E94A687A1B1244DE72FE366C661B92C8329CE4D46BC27326EB - -Count = 882 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D174E06DB0706A3EDEAE04029AC0CDA42C47B3823298835 - -Count = 883 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B566BD95CDA8379712D292ABF9F210CFDA2E6DFDB4855F7AB6D6 - -Count = 884 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368606539054F78D987F67E82E13F4201C03AF9342EDC7512ADA457 - -Count = 885 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0D802A467FADAA6AAF51AC52FD83BD36220705B97A0F3CC9 - -Count = 886 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC103FBAE1CFB32CB13DFA77756B20E59562DE6B945EE218 - -Count = 887 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F43A12CAD52D90038071C37298E1538B746EB58A7F4DF059F35 - -Count = 888 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D57E6A4E5B29AC16216771C65BE9D0D623BD0366EC7CFB6A70 - -Count = 889 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A1445EF1F33B5E8354835273AC250509FB81AC2EA814B392D - -Count = 890 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CC904E5E05D8E89F2513DDB129DE9078F72539A65D6BE30F - -Count = 891 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516171819 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE877519541132818BE3A76D23A9FED6A5633B1236833668E4 - -Count = 892 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E2C4D09CFABE5CBD7056BD4D93D5933524D84B3B47FA173C84D2 - -Count = 893 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F2714A235D148FA22B29558B2F6B63758DA7562AF91E3EAE1 - -Count = 894 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B0D72D47B25DBDE942550466D1728EE7CD56B1391FA3F7A2239 - -Count = 895 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01474EF7B90B1308AACB60D2D5D36D4BB68A1A8623C84993DF90 - -Count = 896 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC9D6D488146E23C0C6BC5333D56C869DED469C06AD41394C4 - -Count = 897 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEECC57EC753457F19DD54E9B5C97DF8EFD5D7AE1B8D2BF4F5D - -Count = 898 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC90965A75DB47AC43056127CC49C3A05D9936DF7A35AC705AD6B7 - -Count = 899 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761F68DDDAB2E7FE11402E5AF3C0D6E1FEB0E3E79A77A65D8CCA - -Count = 900 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0BC2490B6A1E03D63FBF8D98A8478435380BB9D69B9216BFB - -Count = 901 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EE5F415C6F068838E1DB055FF825B9989676A64D4C48C2422E4D - -Count = 902 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A711DAF4A54B3D4308AD274165A05E6B1728312090C066CEE3C - -Count = 903 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A -CT = 
5BA1831D487F8E249C9193393C1589A8BCAB84224E6C4709A42FF17578BA57C60BCBC91289F43A5CF49572 - -Count = 904 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B504E2F8DD55DC612DA6D3E1148BD7123887827C68D5EE9BF - -Count = 905 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E416C16D092BBE8B9A1A28228F6C281C59045425DD55AE359ACE76A - -Count = 906 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B95350FB5A28DD275E5EE27EB88191B25A0CEE3C42CE4821583 - -Count = 907 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F079902EC431CB82A7DE02C34F3CBB69EBFB7BDCB197012AF9566ED9 - -Count = 908 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1778224098FA9346DC09611FA55EB8E7C5175684057F5F87A283EF57577 - -Count = 909 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123B10FBC4B5B108FAD4EE5AB165F564313475DBC06475DDB97B2B - -Count = 910 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 
36CE88BC57F948B6D81B20AC749D46C3A83989704D7D2CE11797F05CBE0A9A0ABE554B2F1E4BA768CCE5E3 - -Count = 911 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C728986AEF37EA52D04781D1C75E1C03F538119D420D2E3B186A - -Count = 912 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4DC423DDFD7062052732E146AA248CABB989E4B7BCF7288F89CA - -Count = 913 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E87935987AF3F4816A410102E6A95393F951F6864C49A243BA3 - -Count = 914 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90220168E94A687A1B1244DE720AF7EA7BE1AA2ABF3A5023375C9FA42869 - -Count = 915 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D174E06DB0706A3F12DDAB57EE5FBA1CE483857EAD3972113 - -Count = 916 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B566BD95CDA8379712D2B5D072FACF3B082FFD6D4FE8134CCD6657 - -Count = 917 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD 
= 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368606539054F78D987F67E762A3F3497C83A447AE51972EEC409257F - -Count = 918 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0D802A467FADAA6A4C431CDAB5B61CA8A8DF8552A198887BA7 - -Count = 919 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC103FBAE1CFB32CC4BC17F3E71F3C63ACA6BE85061A8F1DCC - -Count = 920 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F43A12CAD52D900380764E2C08534E89D545BB0EFAE485EFAADD0 - -Count = 921 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D57E6A4E5B29AC162161ABBC64A1ACA295A71B992D124686333F - -Count = 922 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A1445EF1F33B5E835F6FCA22E779EDD264113B0A5FE7F1BA1CC - -Count = 923 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CC904E5E05D8E89FC116522F921F79BCFC6A1ED085381062D6 - -Count = 
924 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE877519541132818B5F30C6CA1B069F6335F9EE5196C8CDA94C - -Count = 925 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E2C4D09CFABE5CBD70565BE9D4DF7CA6A1DBD4BAEFF25E3025C1EA - -Count = 926 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F2714A235D148FA22AFC2A1C93EFFF96C55FEABBC4F8B0D9E69 - -Count = 927 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B0D72D47B25DBDE9425B9B431F0943619D94997B209D49CB3F65B - -Count = 928 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01474EF7B90B1308AACB7BBAD79045D7C458C04CF36D59CEFE18E0 - -Count = 929 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC9D6D488146E23C0CF2A22CB2EA43C8EACEDFBD43B90F5FC1D8 - -Count = 930 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEECC57EC753457F19DEDA269CB3429B91BCE6FFC72109BE1A6F2 - -Count = 931 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC90965A75DB47AC430561E144062F91E09DCA8F69493B31B2697B0F - -Count = 932 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761F68DDDAB2E7FE1140BE649A7A03B8A5F94776B854097E1E7D0D - -Count = 933 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0BC2490B6A1E03D6334002A70BB35D2046976933A1220EB08C8 - -Count = 934 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EE5F415C6F068838E1DB3EF9098E54C9C1D00D82E62460D449C423 - -Count = 935 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A711DAF4A54B3D4308A444213557E65E663960291592F3DB91C37 - -Count = 936 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB84224E6C4709A42FF1B4475F7CA87AC9BA66E2A39465C4FE4434 - -Count = 937 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B504E2F8DD55DC6124F27567B9306BD44266EEC3B497188A0C6 - -Count = 938 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C -CT = 
028697CF285B46BFDA13BCECAD22D09E416C16D092BBE8B9A1A282FA34605E368965835FDA1DFE96C751B9D7 - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B95350FB5A28DD275E5E1FB7FDE8D19AEF4CEC1EE1031E6E170A7 - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F079902EC431CB82A7DE02C3DDCF8EC059653192F7BE923BC21F4250EB - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1778224098FA9346DC09611FA557AD8192FB3C30B3C66BCC1EF1AC7483121 - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123B10FBC4B5B108FAD4EEA3FE3F2805D390869542CD1B1B3794DDB0 - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A83989704D7D2CE11797F090DE5606F1C64C713F12CE942F0F5AB33A - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C728986AEF37EA52D047410DB1F8837123BD8094EBEFBA2A15AA43 - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 
000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4DC423DDFD7062052732C18D390F1109D53A0115181C98EC2BE23E - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E87935987AF3F4816A428F51A411BE005076F4574FD0AD25AFAC1 - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90220168E94A687A1B1244DE720A1FCE7592B19E1236AF0EB3B7399B0F506D - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D174E06DB0706A3F101B7DA55D58D244CCC4BA3859BB4DA9F92 - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B566BD95CDA8379712D2B514D5B065030865553E2068D516D5508307 - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368606539054F78D987F67E764D2477CC96B0510D1C6CEC8B1B5F3F229A - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0D802A467FADAA6A4C07952AF75499E7A247CB96C608917EA215 - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC103FBAE1CFB32CC47C6A0F02B4CDB8247287AB31BC35C79975 - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F43A12CAD52D9003807643B0696A98D88CC4BED26B20D400378350F - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D57E6A4E5B29AC162161514E3B5D9DC558E08F4046C7F37E391712 - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A1445EF1F33B5E835F6010F8370F5DAD7FB5B2EB1D190D220A380 - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CC904E5E05D8E89FC1FD21447594EC2960D016A1F60261F2CA4E - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE877519541132818B5FA4F255C8F1907D4526C25BA2A69DEB6601 - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = 
BC73B1C2F3FE0C59A329417144737D0FA3E2C4D09CFABE5CBD70565B5AD989ACD5D1DC50D912CE204BB77E8CBC - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F2714A235D148FA22AFC93F7854D40745119AFD75BE131CF1C5F7 - -Count = 960 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B0D72D47B25DBDE9425B9F9B2992833E40F138AE4C95E0A479E39EB - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01474EF7B90B1308AACB7B55B01B001001B05FC382E9417C76956ABC - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC9D6D488146E23C0CF22914F3F5D9E99AA29EE9D58A199B7D4565 - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEECC57EC753457F19DED177F26F7FE27E6044D7568A38927A547DA - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC90965A75DB47AC430561E13D29C9DF3034F2F83E16C3D96EB9D3AFBF - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761F68DDDAB2E7FE1140BEE3C80D247A9DBDB8FE702846CF6578155F - -Count = 966 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0BC2490B6A1E03D6334C31063D6E31DA1842F8507A6B9A3750075 - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EE5F415C6F068838E1DB3E02505B48DE01252065B680ED49D9EAC0B5 - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A711DAF4A54B3D4308A443BE60871C77ED8AC7EA40D94A291485A8C - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB84224E6C4709A42FF1B49B0DD0B2471E6D534F920DF5ABC1319980 - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B504E2F8DD55DC6124F346B335B88DC008BDA84F06B4558DB8C5B - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E416C16D092BBE8B9A1A282FAB93A5D4BEEDAB45D8770EF6989C60AF8BB - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B95350FB5A28DD275E5E1938F249EADEDFB09B8CD40CD05B4488B9F - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce 
= 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F079902EC431CB82A7DE02C3DDD8E624A6A5EB4C4C1F566588CA942B3429 - -Count = 974 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1778224098FA9346DC09611FA557A760FA7FDABDDBD223DB8981D0AEA112003 - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123B10FBC4B5B108FAD4EEA3C19551FB885FC471C9924E060370AE6A58 - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A83989704D7D2CE11797F090C1F4F17E7721D27DAE1FC54B2853BDE6B4 - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C728986AEF37EA52D04741B024F017C21E9F40C24B7A0705B2A6F747 - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4DC423DDFD7062052732C15538EF5DB4FEB13F9BD2CA608C9B238ADC - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E87935987AF3F4816A4284DC35478396EF18AF4D20439D23F7C8718 - 
-Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90220168E94A687A1B1244DE720A1F2057CCDE9D31322E27D9C63D3024741066 - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D174E06DB0706A3F1014C0D37DE00ED97A43C3FFC912CBE72293F - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B566BD95CDA8379712D2B514372545B4B9F8B2CF598AC3ECC39EC1FEEC - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368606539054F78D987F67E764D7625A5518167DAD1004E55587AE8F666BD - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0D802A467FADAA6A4C07F2FB3C9F7626E8C86AAF9CAA39C3799602 - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC103FBAE1CFB32CC47C513FF570F5F6AAA1EB4804520AE233183F - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F43A12CAD52D9003807643B427A0A5635E44FBD1B84DAFDD2ACADF97C - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D57E6A4E5B29AC16216151336AC1D93FBAEB376578A956F9AAC2B223 - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A1445EF1F33B5E835F6016A502599249DAF426F7DFD13FE028FA12D - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CC904E5E05D8E89FC1FD500880A78FD6DD22ABFD2F90E9DCDAE525 - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE877519541132818B5FA4F4027B3A9CA4E541AF383A9B89342764CA - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E2C4D09CFABE5CBD70565B5A8692C1D93A7D4C06B413794552C18A0420 - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F2714A235D148FA22AFC9C353299A16F4AAA278EB34094D03508D75 - -Count = 993 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B0D72D47B25DBDE9425B9F91448DE7C92526DB588D5B78FCE13433715 - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01474EF7B90B1308AACB7B55E9399917571A55510B1DAE01B4450AD76B - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC9D6D488146E23C0CF229B9037E2EA4A165C708014BF304C8F253FA - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEECC57EC753457F19DED17A416F9C60712759EAEC46AB34B3563193B - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC90965A75DB47AC430561E13D3E084142FFF50ED99AA93B04F5B0435548 - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761F68DDDAB2E7FE1140BEE3DFAA12704DE1EC881448234A056D5E151D - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0BC2490B6A1E03D6334C37E1D473E4DD7CF92A5ECDDB1D6EE77A88F - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EE5F415C6F068838E1DB3E023F6C59210A97891ADB1825B1CB7850D713 - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A711DAF4A54B3D4308A443B90A68B9C5AB205AAAD569FDD416C8D58D7 - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB84224E6C4709A42FF1B49B351A28BD1754C231E0CBBF4EADA4F0AE66 - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B504E2F8DD55DC6124F34C80CD434A2FFF6CF7EBB7056B42A4B3239 - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E416C16D092BBE8B9A1A282FAB9087DEC7700CA90875AA3941565AC8D4CA0 - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B95350FB5A28DD275E5E193AEA069AEF5E677DC6F69F4322385846D24 - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F079902EC431CB82A7DE02C3DDD8EE4F19DBB7F3A6E69E2C7FE04BD6ECF36B - -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1778224098FA9346DC09611FA557A76F4A1A886F035EFE5F95FBF257EE9D715F9 - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123B10FBC4B5B108FAD4EEA3C17097B764A75262E27A810B8CED29440403 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A83989704D7D2CE11797F090C1B3F7B9325BDF2DDDFEB3638AE010B8507C - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C728986AEF37EA52D04741B082475F9D3D096A7A17947FDE09A2FB2A16 - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4DC423DDFD7062052732C155D3D714D4A472895BE660A0D5C42C4E724D - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E87935987AF3F4816A4284DBC7750CC872C0097DA34590040C58BA755 - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
EE7B6FEA6D4E6CE7C175DC649B90220168E94A687A1B1244DE720A1F20D7C757DA8EF720024B914719C83D4C9A41 - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D174E06DB0706A3F1014C0B0645716EDE563CE4F0B7B6243919B4CE - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B566BD95CDA8379712D2B51437D80E88D205B828708FD4C3F19809279B05 - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368606539054F78D987F67E764D766E3F39E72DF75F902B813F57AEF7010A80 - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0D802A467FADAA6A4C07F22C85332793D9FC3D9AC2A642A31444C344 - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC103FBAE1CFB32CC47C518AD10A512C058C2686D2157E5FA817130B - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 545D8C7B15744B9AB0638AD7C0CF38950F43A12CAD52D9003807643B426B830A1076A45963A3DC582FFD457324E4 - -Count = 1020 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D57E6A4E5B29AC1621615133E422E5F1CFD4ED43F7265E0F1FED8C22B6 - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A1445EF1F33B5E835F6016A7ED52B1C3B3A443657DFDB294548598A50 - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CC904E5E05D8E89FC1FD504D0473BB3DB95D29D1B343DC092B134990 - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE877519541132818B5FA4F4540537BB8289E3A90DC1BDB389E0321DAF - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E2C4D09CFABE5CBD70565B5A8616D152FD781147C835A21EB48A2D4A4CF7 - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F2714A235D148FA22AFC9C302D539CDD2CF9914F71A5E9E558CFF6602 - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = 
FDC957611833EC30511C583BF3CB66B61C4B0D72D47B25DBDE9425B9F91404E6432D0C49C9ABAC7A6EAE613E0C40DC - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01474EF7B90B1308AACB7B55E95E7F6377E22DCAFBDC7E8D75BB17C30E63 - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC9D6D488146E23C0CF229B9E4166233E28CA9C7D4E2ED990A1C93CBAB - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEECC57EC753457F19DED17A4AD2B59C673AAB966AF1F175A27A0045E1B - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC90965A75DB47AC430561E13D3E6F93891309CB5018E95D820532362767A2 - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761F68DDDAB2E7FE1140BEE3DF1A7A61575BF6E83316336671232E484CBB - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0BC2490B6A1E03D6334C37E732BA195DBB35D7C1DC7C1DF48FF28F728 - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = 
5840C9CD51283BD1D9096E4CC1039AF981EE5F415C6F068838E1DB3E023FE8983C662B9C2C1A1C98D1798FD147747D - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A711DAF4A54B3D4308A443B903FB5024CBDB9711BD605BA9D6F281A7543 - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB84224E6C4709A42FF1B49B35BB1AA4E5514291E2DE15461BDBE80F3A6F - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B504E2F8DD55DC6124F34C87EB2AF1DEC95D0B7B78D0B7ADC5D9666E7 - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E416C16D092BBE8B9A1A282FAB90847EE2CDDA8455B9C7A87D432999CB59267 - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B95350FB5A28DD275E5E193AE450724509037966B7AE09779860083A460 - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = E43AF8F55790660AB0B7F3519AFF29F079902EC431CB82A7DE02C3DDD8EE41260FDB15DCC1DA866E85547C6A459951 - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1778224098FA9346DC09611FA557A76F4ABEDE96139585EB47FE6F7A36E02665F05 - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123B10FBC4B5B108FAD4EEA3C1702773A80EC8FAAE89202FB531DF71C4F294 - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A83989704D7D2CE11797F090C1B33AF087C7DBA4991FA708B63E45E851E6F2 - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C728986AEF37EA52D04741B082B8614EB3B6582D365D77CB7300E53A9BAD - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4DC423DDFD7062052732C155D3866277C8D94AF9434DEEB8D6BDFED2DEE3 - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E87935987AF3F4816A4284DBCB722117EE305974F19002AE769ACA52DC8 - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
EE7B6FEA6D4E6CE7C175DC649B90220168E94A687A1B1244DE720A1F20D7B3CFB0A9B5090E3E2A9604DCE7F9BC8FFF - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D174E06DB0706A3F1014C0B2785DFA90016ECE0BFEF100CC2F6BBB411 - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B566BD95CDA8379712D2B51437D86EB1877AFA3439202DD99B30403812931C - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368606539054F78D987F67E764D766EC549E0A9C011EAAE2FE67081CB04FDC0FF - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0D802A467FADAA6A4C07F22C1CF9EDBE5EF1847162D8082269B2741738 - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC103FBAE1CFB32CC47C518AE18DD0684D6C7521A099BFB83419CA311A - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 
545D8C7B15744B9AB0638AD7C0CF38950F43A12CAD52D9003807643B426B66DC5F4C6597257FA7B2E64D48B8A46F36 - -Count = 1053 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 2284612C4744BFB1E36285EDB535566602D57E6A4E5B29AC1621615133E4E2F1098607FED906E0347422AA44F72820 - -Count = 1054 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 05F8B0EDB034954E085389B6B0117E59BF7A1445EF1F33B5E835F6016A7E30F085D72EB6CDB18F25702BD9BED830B4 - -Count = 1055 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CC904E5E05D8E89FC1FD504D568C7062B5A095442750AF76AA7AA4B375 - -Count = 1056 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE877519541132818B5FA4F4540252AE42F2674C35CC1D8512B835BDDCF3 - -Count = 1057 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = -CT = BC73B1C2F3FE0C59A329417144737D0FA3E2C4D09CFABE5CBD70565B5A861694E9260A97977F7CFBA2E38866E417865F - -Count = 1058 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00 -CT = B1A8DFB192FA2C1BD978DE3A0A1C82E2C1709F2714A235D148FA22AFC9C302B389B2A0797B684149860B701339291A9C - -Count = 1059 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001 -CT = FDC957611833EC30511C583BF3CB66B61C4B0D72D47B25DBDE9425B9F91404F452BA320397C57F48284D4668C10FB732 - -Count = 1060 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102 -CT = A2EEF13FA0EA16BA67E6E4118796071CCD01474EF7B90B1308AACB7B55E95ED532E9FD3123E998CEAAA913E3A8BC9FEA - -Count = 1061 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203 -CT = 3ECF2C0B164EEE0B9D655C5207B7F4AA854ECC9D6D488146E23C0CF229B9E44472C4C02E5C32FA12B5DE012D2DBF5FE1 - -Count = 1062 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304 -CT = 7EA0A67026AE738620E369B96D4858EDBF9FEECC57EC753457F19DED17A4ADBC45D55FE672BBC93FD1A15B09CF1536CA - -Count = 1063 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405 -CT = 1A9471657230C2272C4192D9D193FE02DC90965A75DB47AC430561E13D3E6FD0FA5D83635D20D7CC668B07BC24B23A1B - -Count = 1064 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506 -CT = 1F6D4FBAA595F14B9918C01A5AE870C6D1761F68DDDAB2E7FE1140BEE3DF1A96685143C4C443B87C1DF2C4A140A8C5D7 - -Count = 1065 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304050607 -CT = 86A003A0C56CDDD7A9853AA70F7DB88559C0E0BC2490B6A1E03D6334C37E73EBF59FAE6CD125DB5DD0EA1839F0ABFFDB - -Count = 1066 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708 -CT = 5840C9CD51283BD1D9096E4CC1039AF981EE5F415C6F068838E1DB3E023FE828B9A7ADB189A8AF510DA214612DE09E2D - -Count = 1067 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506070809 -CT = 6B74495409113A904D4573AC8AB661F6FD4A711DAF4A54B3D4308A443B903F38F199626D9D2551E6B4C24C98EA1B30C7 - -Count = 1068 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A -CT = 5BA1831D487F8E249C9193393C1589A8BCAB84224E6C4709A42FF1B49B35BB4428F2D363A7A5CBEC5FAAC54980A03681 - -Count = 1069 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B -CT = FEB6AB5F168A5792A88D0A6BF2B26F29CAD93B504E2F8DD55DC6124F34C87E00C0D30654082F390C8188023F6EF9DEB7 - -Count = 1070 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C -CT = 028697CF285B46BFDA13BCECAD22D09E416C16D092BBE8B9A1A282FAB90847CF7D67ABE237C4923533B101B5CC44A381 - -Count = 1071 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D -CT = 681E88ADDF4178136693CD3DBBC0020A935B95350FB5A28DD275E5E193AE4532E5A3C036F5462932878EEA64F134B834 - -Count = 1072 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E -CT = 
E43AF8F55790660AB0B7F3519AFF29F079902EC431CB82A7DE02C3DDD8EE41BF1A910A55B59BDF30B300AEF1997001CB - -Count = 1073 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F -CT = DF0CA1114F2E0051AC6E347F45D1778224098FA9346DC09611FA557A76F4AB789F19C668E13EF77882A397A88494E821 - -Count = 1074 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 5411119D71ACCC5D9A10F0DBE4D8BD5C123B10FBC4B5B108FAD4EEA3C170276445484C94A0BDEB4BA4DAAC9B8F109F24 - -Count = 1075 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 36CE88BC57F948B6D81B20AC749D46C3A83989704D7D2CE11797F090C1B33A61021D5659A0CCE6C823741182B7E3F8FB - -Count = 1076 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = C171586599C0292C87A35673E8DAA1A189C728986AEF37EA52D04741B082B8FD9E98A61454CF438686061BCB5E840A0A - -Count = 1077 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = 01E47467EC5F81AD224EE173D64A14FCBB4DC423DDFD7062052732C155D386B1DE798B12E23E0489F9E9B5C2EF28C0BA - -Count = 1078 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = FBAACC649496A650F85A500FA69307A5F49E87935987AF3F4816A4284DBCB72A58A80B83535E6F3E877F138D534C8EBC - -Count = 1079 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = EE7B6FEA6D4E6CE7C175DC649B90220168E94A687A1B1244DE720A1F20D7B3132EE82F86D18EBE74F37690E649F37853 - -Count = 1080 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 95AFA27D4D8CEA68B2D46DF5AEDB88A3B8348D174E06DB0706A3F1014C0B277F2824FD088F1A0FBE597A366FFA14983D - -Count = 1081 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = CF2FB7E73873BE2A926E3B4A370D0C79B566BD95CDA8379712D2B51437D86EFF7C53325D4D5ED52D3B3321E0A5C94D63 - -Count = 1082 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = A5AEC98AA860CE17F00838C6C94B1368606539054F78D987F67E764D766EC5F0599FECB7C244939FC90787D50283B983 - -Count = 1083 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = 4E7F9F0B45CB9DC4DFFA2C451437CDE1BBFA0D802A467FADAA6A4C07F22C1CDA7AD9CCDAF50C1C73F563406418DE3751 - -Count = 1084 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = BB85E2FF036A7EE15F49548C5FDF93D31888FC103FBAE1CFB32CC47C518AE1A3D9E19ABD4B236D115102681353FC215A - -Count = 1085 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-CT = 545D8C7B15744B9AB0638AD7C0CF38950F43A12CAD52D9003807643B426B662AC7601A33402FBB748780D2A831E12CF9
-
-Count = 1086
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C
-CT = 2284612C4744BFB1E36285EDB535566602D57E6A4E5B29AC1621615133E4E2305430E9192987F15523F02B366CAB47E9
-
-Count = 1087
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-CT = 05F8B0EDB034954E085389B6B0117E59BF7A1445EF1F33B5E835F6016A7E30009535F82D5B177B4425934DF831FD8EEA
-
-Count = 1088
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-CT = C019C29603C1E1ED3D94BA68BD5CCB86FF53CC904E5E05D8E89FC1FD504D56BF3852F3441F46E9B6E461D37AF7A8332E
-
-Count = 1089
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = 13B625E5F4DF92DADDBC6B7065B36E4768EE877519541132818B5FA4F4540260E0A668020917870083DB460F80CC524B
-
diff --git a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/aead-common.c b/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/aead-common.h b/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/api.h b/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/api.h deleted file mode 100644 index c3c0a27..0000000 --- a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 12 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/encrypt.c b/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/encrypt.c deleted file mode 100644 index 275a53c..0000000 --- a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "romulus.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return romulus_n2_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return romulus_n2_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} 
diff --git a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-skinny128.c
deleted file mode 100644
index 579ced1..0000000
--- a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-skinny128.c
+++ /dev/null
@@ -1,801 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-skinny128.h" -#include "internal-skinnyutil.h" -#include "internal-util.h" -#include - -#if !defined(__AVR__) - -STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) -{ - /* This function is used to fast-forward the TK1 tweak value - * to the value at the end of the key schedule for decryption. - * - * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 - * with 48 rounds does not need any fast forwarding applied. 
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds - * are equivalent to applying the permutation 8 times: - * - * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] - */ - uint32_t row0 = tk[0]; - uint32_t row1 = tk[1]; - uint32_t row2 = tk[2]; - uint32_t row3 = tk[3]; - tk[0] = ((row1 >> 8) & 0x0000FFFFU) | - ((row0 >> 8) & 0x00FF0000U) | - ((row0 << 8) & 0xFF000000U); - tk[1] = ((row1 >> 24) & 0x000000FFU) | - ((row0 << 8) & 0x00FFFF00U) | - ((row1 << 24) & 0xFF000000U); - tk[2] = ((row3 >> 8) & 0x0000FFFFU) | - ((row2 >> 8) & 0x00FF0000U) | - ((row2 << 8) & 0xFF000000U); - tk[3] = ((row3 >> 24) & 0x000000FFU) | - ((row2 << 8) & 0x00FFFF00U) | - ((row3 << 24) & 0xFF000000U); -} - -void skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) -{ -#if !SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; -#endif - -#if SKINNY_128_SMALL_SCHEDULE - /* Copy the input key as-is when using the small key schedule version */ - memcpy(ks->TK1, key, sizeof(ks->TK1)); - memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); - memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); -#else - /* Set the initial states of TK1, TK2, and TK3 */ - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - - /* Set up the key schedule using TK2 and TK3. TK1 is not added - * to the key schedule because we will derive that part of the - * schedule during encryption operations */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. 
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); - - /* Permute TK2 and TK3 for the next round */ - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - - /* Apply the LFSR's to TK2 and TK3 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } -#endif -} - -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_decrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint8_t rc = 0x15; -#else - const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1 */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 
+ 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Permute TK1 to fast-forward it to the end of the key schedule */ - skinny128_fast_forward_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_fast_forward_tk(TK2); - skinny128_fast_forward_tk(TK3); - for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { - // Also fast-forward the LFSR's on every byte of TK2 and TK3. - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR2(TK2[2]); - skinny128_LFSR2(TK2[3]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - skinny128_LFSR3(TK3[2]); - skinny128_LFSR3(TK3[3]); - } -#endif - - /* Perform all decryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Inverse permutation on TK1 for this round */ - skinny128_inv_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_inv_permute_tk(TK2); - skinny128_inv_permute_tk(TK3); - skinny128_LFSR3(TK2[2]); - skinny128_LFSR3(TK2[3]); - skinny128_LFSR2(TK3[2]); - skinny128_LFSR2(TK3[3]); -#endif - - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; - schedule -= 2; -#endif - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - 
le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK3[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); - TK2[0] = le_load_word32(tk2); - TK2[1] = le_load_word32(tk2 + 4); - TK2[2] = le_load_word32(tk2 + 8); - TK2[3] = le_load_word32(tk2 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; - s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. 
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK3); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t TK3[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this 
round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) -{ -#if !SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; -#endif - -#if SKINNY_128_SMALL_SCHEDULE - /* Copy the input key as-is when using the small key schedule version */ - memcpy(ks->TK1, key, sizeof(ks->TK1)); - memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); -#else - /* Set the initial states of TK1 and TK2 */ - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Set up the key schedule using TK2. TK1 is not added - * to the key schedule because we will derive that part of the - * schedule during encryption operations */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. 
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ (rc >> 4); - - /* Permute TK2 for the next round */ - skinny128_permute_tk(TK2); - - /* Apply the LFSR to TK2 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } -#endif -} - -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1 */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which 
moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0x09; -#else - const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1. - * There is no need to fast-forward TK1 because the value at - * the end of the key schedule is the same as at the start */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { - // Also fast-forward the LFSR's on every byte of TK2. 
- skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR2(TK2[2]); - skinny128_LFSR2(TK2[3]); - } -#endif - - /* Perform all decryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Inverse permutation on TK1 for this round */ - skinny128_inv_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_inv_permute_tk(TK2); - skinny128_LFSR3(TK2[2]); - skinny128_LFSR3(TK2[3]); -#endif - - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; - schedule -= 2; -#endif - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] 
= le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -#else /* __AVR__ */ - -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2) -{ - memcpy(ks->TK2, tk2, 16); - skinny_128_384_encrypt(ks, output, input); -} - -#endif /* __AVR__ */ diff --git a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-skinny128.h deleted file mode 100644 index 2bfda3c..0000000 --- a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-skinny128.h +++ /dev/null 
@@ -1,244 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SKINNY128_H -#define LW_INTERNAL_SKINNY128_H - -/** - * \file internal-skinny128.h - * \brief SKINNY-128 block cipher family. - * - * References: https://eprint.iacr.org/2016/660.pdf, - * https://sites.google.com/site/skinnycipher/ - */ - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \def SKINNY_128_SMALL_SCHEDULE - * \brief Defined to 1 to use the small key schedule version of SKINNY-128. - */ -#if defined(__AVR__) -#define SKINNY_128_SMALL_SCHEDULE 1 -#else -#define SKINNY_128_SMALL_SCHEDULE 0 -#endif - -/** - * \brief Size of a block for SKINNY-128 block ciphers. - */ -#define SKINNY_128_BLOCK_SIZE 16 - -/** - * \brief Number of rounds for SKINNY-128-384. 
- */ -#define SKINNY_128_384_ROUNDS 56 - -/** - * \brief Structure of the key schedule for SKINNY-128-384. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; - - /** TK3 for the small key schedule */ - uint8_t TK3[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_384_ROUNDS * 2]; -#endif - -} skinny_128_384_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - */ -void skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_decrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly - * provided TK2 value. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. 
- * \param input Input buffer which must be at least 16 bytes in length. - * \param tk2 TK2 value that should be updated on the fly. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when both TK1 and TK2 change from block to block. - * When the key is initialized with skinny_128_384_init(), the TK2 part of - * the key value should be set to zero. - * - * \note Some versions of this function may modify the key schedule to - * copy tk2 into place. - */ -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and a - * fully specified tweakey value. - * - * \param key Points to the 384-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-384 but - * more memory-efficient. - */ -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input); - -/** - * \brief Number of rounds for SKINNY-128-256. - */ -#define SKINNY_128_256_ROUNDS 48 - -/** - * \brief Structure of the key schedule for SKINNY-128-256. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_256_ROUNDS * 2]; -#endif - -} skinny_128_256_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to initialize. 
- * \param key Points to the key data. - */ -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256 and a - * fully specified tweakey value. - * - * \param key Points to the 256-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-256 but - * more memory-efficient. - */ -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input); - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-skinnyutil.h
deleted file mode 100644
index 83136cb..0000000
--- a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-skinnyutil.h
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNYUTIL_H
-#define LW_INTERNAL_SKINNYUTIL_H
-
-/**
- * \file internal-skinnyutil.h
- * \brief Utilities to help implement SKINNY and its variants.
- */ - -#include "internal-util.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/** @cond skinnyutil */ - -/* Utilities for implementing SKINNY-128 */ - -#define skinny128_LFSR2(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ - (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ - } while (0) - - -#define skinny128_LFSR3(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ - (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) -#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) - -#define skinny128_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint32_t row2 = tk[2]; \ - uint32_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 16) | (row3 >> 16); \ - tk[0] = ((row2 >> 8) & 0x000000FFU) | \ - ((row2 << 16) & 0x00FF0000U) | \ - ( row3 & 0xFF00FF00U); \ - tk[1] = ((row2 >> 16) & 0x000000FFU) | \ - (row2 & 0xFF000000U) | \ - ((row3 << 8) & 0x0000FF00U) | \ - ( row3 & 0x00FF0000U); \ - } while (0) - -#define skinny128_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint32_t row0 = tk[0]; \ - uint32_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 >> 16) & 0x000000FFU) | \ - ((row0 << 8) & 0x0000FF00U) | \ - ((row1 << 16) & 0x00FF0000U) | \ - ( row1 & 0xFF000000U); \ - tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ - ((row0 << 16) & 0xFF000000U) | \ - ((row1 >> 16) & 0x000000FFU) | \ - ((row1 << 8) & 0x00FF0000U); \ - } while (0) - -/* - * Apply the SKINNY sbox. 
The original version from the specification is - * equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE(x) - * ((((x) & 0x01010101U) << 2) | - * (((x) & 0x06060606U) << 5) | - * (((x) & 0x20202020U) >> 5) | - * (((x) & 0xC8C8C8C8U) >> 2) | - * (((x) & 0x10101010U) >> 1)) - * - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * return SBOX_SWAP(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ - y = (((x >> 5) & (x << 1)) & 0x04040404U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ - x = ((x & 0x08080808U) << 1) | \ - ((x & 0x32323232U) << 2) | \ - ((x & 0x01010101U) << 5) | \ - ((x & 0x80808080U) >> 6) | \ - ((x & 0x40404040U) >> 4) | \ - ((x & 0x04040404U) >> 2); \ -} while (0) - -/* - * Apply the inverse of the SKINNY sbox. 
The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE_INV(x) - * ((((x) & 0x08080808U) << 1) | - * (((x) & 0x32323232U) << 2) | - * (((x) & 0x01010101U) << 5) | - * (((x) & 0xC0C0C0C0U) >> 5) | - * (((x) & 0x04040404U) >> 2)) - * - * x = SBOX_SWAP(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_inv_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ - x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ - y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ - x = ((x & 0x01010101U) << 2) | \ - ((x & 0x04040404U) << 4) | \ - ((x & 0x02020202U) << 6) | \ - ((x & 0x20202020U) >> 5) | \ - ((x & 0xC8C8C8C8U) >> 2) | \ - ((x & 0x10101010U) >> 1); \ -} while (0) - -/* Utilities for implementing SKINNY-64 */ - -#define skinny64_LFSR2(x) \ - do { \ - uint16_t _x = (x); \ - (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ - } while (0) - -#define skinny64_LFSR3(x) \ - do { \ - uint16_t _x = (x); 
\ - (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) -#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) - -#define skinny64_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint16_t row2 = tk[2]; \ - uint16_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 8) | (row3 >> 8); \ - tk[0] = ((row2 << 4) & 0xF000U) | \ - ((row2 >> 8) & 0x00F0U) | \ - ( row3 & 0x0F0FU); \ - tk[1] = ((row2 << 8) & 0xF000U) | \ - ((row3 >> 4) & 0x0F00U) | \ - ( row3 & 0x00F0U) | \ - ( row2 & 0x000FU); \ - } while (0) - -#define skinny64_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint16_t row0 = tk[0]; \ - uint16_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 << 8) & 0xF000U) | \ - ((row0 >> 4) & 0x0F00U) | \ - ((row1 >> 8) & 0x00F0U) | \ - ( row1 & 0x000FU); \ - tk[3] = ((row1 << 8) & 0xF000U) | \ - ((row0 << 8) & 0x0F00U) | \ - ((row1 >> 4) & 0x00F0U) | \ - ((row0 >> 8) & 0x000FU); \ - } while (0) - -/* - * Apply the SKINNY-64 sbox. The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT(x) - * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_SHIFT steps to be performed with one final rotation. - * This reduces the number of required shift operations from 14 to 10. 
- *
- * We can further reduce the number of NOT operations from 4 to 2
- * using the technique from https://github.com/kste/skinny_avx to
- * convert NOR-XOR operations into AND-XOR operations by converting
- * the S-box into its NOT-inverse.
- */
-#define skinny64_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \
- x = ~x; \
- x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY-64 sbox. The original version
- * from the specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT_INV(x)
- * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * return SBOX_MIX(x);
- */
-#define skinny64_inv_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = ~x; \
- x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \
-} while (0)
-
-/** @endcond */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-util.h b/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include 
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) |
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/romulus.c b/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/romulus.c
deleted file mode 100644
index bb19cc5..0000000
--- a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/romulus.c
+++ /dev/null
@@ -1,1974 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "romulus.h"
-#include "internal-skinny128.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const romulus_n1_cipher = {
- "Romulus-N1",
- ROMULUS_KEY_SIZE,
- ROMULUS1_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_n1_aead_encrypt,
- romulus_n1_aead_decrypt
-};
-
-aead_cipher_t const romulus_n2_cipher = {
- "Romulus-N2",
- ROMULUS_KEY_SIZE,
- ROMULUS2_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_n2_aead_encrypt,
- romulus_n2_aead_decrypt
-};
-
-aead_cipher_t const romulus_n3_cipher = {
- "Romulus-N3",
- ROMULUS_KEY_SIZE,
- ROMULUS3_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_n3_aead_encrypt,
- romulus_n3_aead_decrypt
-};
-
-aead_cipher_t const romulus_m1_cipher = {
- "Romulus-M1",
- ROMULUS_KEY_SIZE,
- ROMULUS1_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_m1_aead_encrypt,
- romulus_m1_aead_decrypt
-};
-
-aead_cipher_t const romulus_m2_cipher = {
- "Romulus-M2",
- ROMULUS_KEY_SIZE,
- ROMULUS2_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_m2_aead_encrypt,
- romulus_m2_aead_decrypt
-};
-
-aead_cipher_t const romulus_m3_cipher = {
- "Romulus-M3",
- ROMULUS_KEY_SIZE,
- ROMULUS3_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_m3_aead_encrypt,
- romulus_m3_aead_decrypt
-};
-
-/**
- * \brief Limit on the number of bytes of message or associated data (128Mb).
- *
- * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for
- * payloads well into the petabyte range. It is unlikely that an embedded
- * device will have that much memory to store a contiguous packet!
- *
- * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper
- * 24 bits are difficult to modify in the key schedule. So we only
- * update the low 24 bits and leave the high 24 bits fixed.
- *
- * Romulus-N3 and Romulus-M3 use a 24-bit block counter.
- *
- * For all algorithms, we limit the block counter to 2^23 so that the block
- * counter can never exceed 2^24 - 1.
- */
-#define ROMULUS_DATA_LIMIT \
- ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE))
-
-/**
- * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1.
- *
- * \param ks Points to the key schedule to initialize.
- * \param k Points to the 16 bytes of the key.
- * \param npub Points to the 16 bytes of the nonce. May be NULL
- * if the nonce will be updated on the fly.
- */
-static void romulus1_init
- (skinny_128_384_key_schedule_t *ks,
- const unsigned char *k, const unsigned char *npub)
-{
- unsigned char TK[48];
- TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */
- memset(TK + 1, 0, 15);
- if (npub)
- memcpy(TK + 16, npub, 16);
- else
- memset(TK + 16, 0, 16);
- memcpy(TK + 32, k, 16);
- skinny_128_384_init(ks, TK);
-}
-
-/**
- * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2.
- *
- * \param ks Points to the key schedule to initialize.
- * \param k Points to the 16 bytes of the key.
- * \param npub Points to the 12 bytes of the nonce. May be NULL
- * if the nonce will be updated on the fly.
- */
-static void romulus2_init
- (skinny_128_384_key_schedule_t *ks,
- const unsigned char *k, const unsigned char *npub)
-{
- unsigned char TK[48];
- TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */
- if (npub) {
- TK[1] = TK[2] = TK[3] = 0;
- memcpy(TK + 4, npub, 12);
- } else {
- memset(TK + 1, 0, 15);
- }
- memcpy(TK + 16, k, 16);
- TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */
- memset(TK + 33, 0, 15);
- skinny_128_384_init(ks, TK);
-}
-
-/**
- * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3.
- *
- * \param ks Points to the key schedule to initialize.
- * \param k Points to the 16 bytes of the key.
- * \param npub Points to the 12 bytes of the nonce. May be NULL
- * if the nonce will be updated on the fly.
- */
-static void romulus3_init
- (skinny_128_256_key_schedule_t *ks,
- const unsigned char *k, const unsigned char *npub)
-{
- unsigned char TK[32];
- TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */
- if (npub) {
- TK[1] = TK[2] = TK[3] = 0;
- memcpy(TK + 4, npub, 12);
- } else {
- memset(TK + 1, 0, 15);
- }
- memcpy(TK + 16, k, 16);
- skinny_128_256_init(ks, TK);
-}
-
-/**
- * \brief Sets the domain separation value for Romulus-N1 and M1.
- *
- * \param ks The key schedule to set the domain separation value into.
- * \param domain The domain separation value.
- */
-#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain))
-
-/**
- * \brief Sets the domain separation value for Romulus-N2 and M2.
- *
- * \param ks The key schedule to set the domain separation value into.
- * \param domain The domain separation value.
- */
-#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain))
-
-/**
- * \brief Sets the domain separation value for Romulus-N3 and M3.
- *
- * \param ks The key schedule to set the domain separation value into.
- * \param domain The domain separation value.
- */
-#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain))
-
-/**
- * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1.
- *
- * \param TK1 Points to the TK1 part of the key schedule containing the LFSR.
- */
-STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16])
-{
- uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7);
- TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7);
- TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7);
- TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7);
- TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7);
- TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7);
- TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7);
- TK1[0] = (TK1[0] << 1) ^ (mask & 0x95);
-}
-
-/**
- * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2.
- *
- * \param TK1 Points to the TK1 part of the key schedule containing the LFSR.
- *
- * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of
- * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT.
- */
-STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16])
-{
- uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7);
- TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7);
- TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7);
- TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B);
-}
-
-/**
- * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3.
- *
- * \param TK1 Points to the TK1 part of the key schedule containing the LFSR.
- */
-#define romulus3_update_counter(TK1) romulus2_update_counter((TK1))
-
-/**
- * \brief Process the asssociated data for Romulus-N1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void romulus_n1_process_ad
- (skinny_128_384_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char temp;
-
- /* Handle the special case of no associated data */
- if (adlen == 0) {
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x1A);
- skinny_128_384_encrypt_tk2(ks, S, S, npub);
- return;
- }
-
- /* Process all double blocks except the last */
- romulus1_set_domain(ks, 0x08);
- while (adlen > 32) {
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
- romulus1_update_counter(ks->TK1);
- ad += 32;
- adlen -= 32;
- }
-
- /* Pad and process the left-over blocks */
- romulus1_update_counter(ks->TK1);
- temp = (unsigned)adlen;
- if (temp == 32) {
- /* Left-over complete double block */
- lw_xor_block(S, ad, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x18);
- } else if (temp > 16) {
- /* Left-over partial double
block */
- unsigned char pad[16];
- temp -= 16;
- lw_xor_block(S, ad, 16);
- memcpy(pad, ad + 16, temp);
- memset(pad + temp, 0, 15 - temp);
- pad[15] = temp;
- skinny_128_384_encrypt_tk2(ks, S, S, pad);
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x1A);
- } else if (temp == 16) {
- /* Left-over complete single block */
- lw_xor_block(S, ad, temp);
- romulus1_set_domain(ks, 0x18);
- } else {
- /* Left-over partial single block */
- lw_xor_block(S, ad, temp);
- S[15] ^= temp;
- romulus1_set_domain(ks, 0x1A);
- }
- skinny_128_384_encrypt_tk2(ks, S, S, npub);
-}
-
-/**
- * \brief Process the asssociated data for Romulus-N2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void romulus_n2_process_ad
- (skinny_128_384_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char temp;
-
- /* Handle the special case of no associated data */
- if (adlen == 0) {
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x5A);
- memcpy(ks->TK1 + 4, npub, 12);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all double blocks except the last */
- romulus2_set_domain(ks, 0x48);
- while (adlen > 28) {
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Pad and process the left-over blocks */
- romulus2_update_counter(ks->TK1);
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Left-over complete double block */
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x58);
- } else if (temp > 16) {
- /* Left-over
partial double block */
- temp -= 16;
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp);
- ks->TK1[15] = temp;
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x5A);
- } else if (temp == 16) {
- /* Left-over complete single block */
- lw_xor_block(S, ad, temp);
- romulus2_set_domain(ks, 0x58);
- } else {
- /* Left-over partial single block */
- lw_xor_block(S, ad, temp);
- S[15] ^= temp;
- romulus2_set_domain(ks, 0x5A);
- }
- memcpy(ks->TK1 + 4, npub, 12);
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Process the asssociated data for Romulus-N3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void romulus_n3_process_ad
- (skinny_128_256_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char temp;
-
- /* Handle the special case of no associated data */
- if (adlen == 0) {
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x9A);
- memcpy(ks->TK1 + 4, npub, 12);
- skinny_128_256_encrypt(ks, S, S);
- return;
- }
-
- /* Process all double blocks except the last */
- romulus3_set_domain(ks, 0x88);
- while (adlen > 28) {
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Pad and process the left-over blocks */
- romulus3_update_counter(ks->TK1);
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Left-over complete double block */
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x98);
- } else if (temp >
16) {
- /* Left-over partial double block */
- temp -= 16;
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp);
- ks->TK1[15] = temp;
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x9A);
- } else if (temp == 16) {
- /* Left-over complete single block */
- lw_xor_block(S, ad, temp);
- romulus3_set_domain(ks, 0x98);
- } else {
- /* Left-over partial single block */
- lw_xor_block(S, ad, temp);
- S[15] ^= temp;
- romulus3_set_domain(ks, 0x9A);
- }
- memcpy(ks->TK1 + 4, npub, 12);
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Determine the domain separation value to use on the last
- * block of the associated data processing.
- *
- * \param adlen Length of the associated data in bytes.
- * \param mlen Length of the message in bytes.
- * \param t Size of the second half of a double block; 12 or 16.
- *
- * \return The domain separation bits to use to finalize the last block.
- */
-static uint8_t romulus_m_final_ad_domain
- (unsigned long long adlen, unsigned long long mlen, unsigned t)
-{
- uint8_t domain = 0;
- unsigned split = 16U;
- unsigned leftover;
-
- /* Determine which domain bits we need based on the length of the ad */
- if (adlen == 0) {
- /* No associated data, so only 1 block with padding */
- domain ^= 0x02;
- split = t;
- } else {
- /* Even or odd associated data length?
*/
- leftover = (unsigned)(adlen % (16U + t));
- if (leftover == 0) {
- /* Even with a full double block at the end */
- domain ^= 0x08;
- } else if (leftover < split) {
- /* Odd with a partial single block at the end */
- domain ^= 0x02;
- split = t;
- } else if (leftover > split) {
- /* Even with a partial double block at the end */
- domain ^= 0x0A;
- } else {
- /* Odd with a full single block at the end */
- split = t;
- }
- }
-
- /* Determine which domain bits we need based on the length of the message */
- if (mlen == 0) {
- /* No message, so only 1 block with padding */
- domain ^= 0x01;
- } else {
- /* Even or odd message length? */
- leftover = (unsigned)(mlen % (16U + t));
- if (leftover == 0) {
- /* Even with a full double block at the end */
- domain ^= 0x04;
- } else if (leftover < split) {
- /* Odd with a partial single block at the end */
- domain ^= 0x01;
- } else if (leftover > split) {
- /* Even with a partial double block at the end */
- domain ^= 0x05;
- }
- }
- return domain;
-}
-
-/**
- * \brief Process the asssociated data for Romulus-M1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- * \param m Points to the message plaintext.
- * \param mlen Length of the message plaintext.
- */
-static void romulus_m1_process_ad
- (skinny_128_384_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *m, unsigned long long mlen)
-{
- unsigned char pad[16];
- uint8_t final_domain = 0x30;
- unsigned temp;
-
- /* Determine the domain separator to use on the final block */
- final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16);
-
- /* Process all associated data double blocks except the last */
- romulus1_set_domain(ks, 0x28);
- while (adlen > 32) {
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
- romulus1_update_counter(ks->TK1);
- ad += 32;
- adlen -= 32;
- }
-
- /* Process the last associated data double block */
- temp = (unsigned)adlen;
- if (temp == 32) {
- /* Last associated data double block is full */
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
- romulus1_update_counter(ks->TK1);
- } else if (temp > 16) {
- /* Last associated data double block is partial */
- temp -= 16;
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(pad, ad + 16, temp);
- memset(pad + temp, 0, sizeof(pad) - temp - 1);
- pad[sizeof(pad) - 1] = (unsigned char)temp;
- skinny_128_384_encrypt_tk2(ks, S, S, pad);
- romulus1_update_counter(ks->TK1);
- } else {
- /* Last associated data block is single.
Needs to be combined
- * with the first block of the message payload */
- romulus1_set_domain(ks, 0x2C);
- romulus1_update_counter(ks->TK1);
- if (temp == 16) {
- lw_xor_block(S, ad, 16);
- } else {
- lw_xor_block(S, ad, temp);
- S[15] ^= (unsigned char)temp;
- }
- if (mlen > 16) {
- skinny_128_384_encrypt_tk2(ks, S, S, m);
- romulus1_update_counter(ks->TK1);
- m += 16;
- mlen -= 16;
- } else if (mlen == 16) {
- skinny_128_384_encrypt_tk2(ks, S, S, m);
- m += 16;
- mlen -= 16;
- } else {
- temp = (unsigned)mlen;
- memcpy(pad, m, temp);
- memset(pad + temp, 0, sizeof(pad) - temp - 1);
- pad[sizeof(pad) - 1] = (unsigned char)temp;
- skinny_128_384_encrypt_tk2(ks, S, S, pad);
- mlen = 0;
- }
- }
-
- /* Process all message double blocks except the last */
- romulus1_set_domain(ks, 0x2C);
- while (mlen > 32) {
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, m + 16);
- romulus1_update_counter(ks->TK1);
- m += 32;
- mlen -= 32;
- }
-
- /* Process the last message double block */
- temp = (unsigned)mlen;
- if (temp == 32) {
- /* Last message double block is full */
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, m + 16);
- } else if (temp > 16) {
- /* Last message double block is partial */
- temp -= 16;
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(pad, m + 16, temp);
- memset(pad + temp, 0, sizeof(pad) - temp - 1);
- pad[sizeof(pad) - 1] = (unsigned char)temp;
- skinny_128_384_encrypt_tk2(ks, S, S, pad);
- } else if (temp == 16) {
- /* Last message single block is full */
- lw_xor_block(S, m, 16);
- } else if (temp > 0) {
- /* Last message single block is partial */
- lw_xor_block(S, m, temp);
- S[15] ^= (unsigned char)temp;
- }
-
- /* Process the last partial block */
- romulus1_set_domain(ks, final_domain);
- romulus1_update_counter(ks->TK1);
- skinny_128_384_encrypt_tk2(ks, S, S, npub);
-}
-
-/**
- * \brief Process the asssociated data for
Romulus-M2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- * \param m Points to the message plaintext.
- * \param mlen Length of the message plaintext.
- */
-static void romulus_m2_process_ad
- (skinny_128_384_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *m, unsigned long long mlen)
-{
- uint8_t final_domain = 0x70;
- unsigned temp;
-
- /* Determine the domain separator to use on the final block */
- final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12);
-
- /* Process all associated data double blocks except the last */
- romulus2_set_domain(ks, 0x68);
- while (adlen > 28) {
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Process the last associated data double block */
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Last associated data double block is full */
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- } else if (temp > 16) {
- /* Last associated data double block is partial */
- temp -= 16;
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- } else {
- /* Last associated data block is single.
Needs to be combined
- * with the first block of the message payload */
- romulus2_set_domain(ks, 0x6C);
- romulus2_update_counter(ks->TK1);
- if (temp == 16) {
- lw_xor_block(S, ad, 16);
- } else {
- lw_xor_block(S, ad, temp);
- S[15] ^= (unsigned char)temp;
- }
- if (mlen > 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- m += 12;
- mlen -= 12;
- } else if (mlen == 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_384_encrypt(ks, S, S);
- m += 12;
- mlen -= 12;
- } else {
- temp = (unsigned)mlen;
- memcpy(ks->TK1 + 4, m, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_384_encrypt(ks, S, S);
- mlen = 0;
- }
- }
-
- /* Process all message double blocks except the last */
- romulus2_set_domain(ks, 0x6C);
- while (mlen > 28) {
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- m += 28;
- mlen -= 28;
- }
-
- /* Process the last message double block */
- temp = (unsigned)mlen;
- if (temp == 28) {
- /* Last message double block is full */
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- } else if (temp > 16) {
- /* Last message double block is partial */
- temp -= 16;
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_384_encrypt(ks, S, S);
- } else if (temp == 16) {
- /* Last message single block is full */
- lw_xor_block(S, m, 16);
- } else if (temp > 0) {
- /* Last message single block is partial */
- lw_xor_block(S, m, temp);
- S[15] ^= (unsigned char)temp;
- }
-
- /* Process the last partial block */
- romulus2_set_domain(ks, final_domain);
- romulus2_update_counter(ks->TK1);
- memcpy(ks->TK1 + 4, npub,
12);
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Process the asssociated data for Romulus-M3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- * \param m Points to the message plaintext.
- * \param mlen Length of the message plaintext.
- */
-static void romulus_m3_process_ad
- (skinny_128_256_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *m, unsigned long long mlen)
-{
- uint8_t final_domain = 0xB0;
- unsigned temp;
-
- /* Determine the domain separator to use on the final block */
- final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12);
-
- /* Process all associated data double blocks except the last */
- romulus3_set_domain(ks, 0xA8);
- while (adlen > 28) {
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Process the last associated data double block */
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Last associated data double block is full */
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- } else if (temp > 16) {
- /* Last associated data double block is partial */
- temp -= 16;
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- } else {
- /* Last associated data block is single.
Needs to be combined
- * with the first block of the message payload */
- romulus3_set_domain(ks, 0xAC);
- romulus3_update_counter(ks->TK1);
- if (temp == 16) {
- lw_xor_block(S, ad, 16);
- } else {
- lw_xor_block(S, ad, temp);
- S[15] ^= (unsigned char)temp;
- }
- if (mlen > 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- m += 12;
- mlen -= 12;
- } else if (mlen == 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_256_encrypt(ks, S, S);
- m += 12;
- mlen -= 12;
- } else {
- temp = (unsigned)mlen;
- memcpy(ks->TK1 + 4, m, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_256_encrypt(ks, S, S);
- mlen = 0;
- }
- }
-
- /* Process all message double blocks except the last */
- romulus3_set_domain(ks, 0xAC);
- while (mlen > 28) {
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- m += 28;
- mlen -= 28;
- }
-
- /* Process the last message double block */
- temp = (unsigned)mlen;
- if (temp == 28) {
- /* Last message double block is full */
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- } else if (temp > 16) {
- /* Last message double block is partial */
- temp -= 16;
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_256_encrypt(ks, S, S);
- } else if (temp == 16) {
- /* Last message single block is full */
- lw_xor_block(S, m, 16);
- } else if (temp > 0) {
- /* Last message single block is partial */
- lw_xor_block(S, m, temp);
- S[15] ^= (unsigned char)temp;
- }
-
- /* Process the last partial block */
- romulus3_set_domain(ks, final_domain);
- romulus3_update_counter(ks->TK1);
- memcpy(ks->TK1 + 4, npub,
12);
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Applies the Romulus rho function.
- *
- * \param S The rolling Romulus state.
- * \param C Ciphertext message output block.
- * \param M Plaintext message input block.
- */
-STATIC_INLINE void romulus_rho
- (unsigned char S[16], unsigned char C[16], const unsigned char M[16])
-{
- unsigned index;
- for (index = 0; index < 16; ++index) {
- unsigned char s = S[index];
- unsigned char m = M[index];
- S[index] ^= m;
- C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- }
-}
-
-/**
- * \brief Applies the inverse of the Romulus rho function.
- *
- * \param S The rolling Romulus state.
- * \param M Plaintext message output block.
- * \param C Ciphertext message input block.
- */
-STATIC_INLINE void romulus_rho_inverse
- (unsigned char S[16], unsigned char M[16], const unsigned char C[16])
-{
- unsigned index;
- for (index = 0; index < 16; ++index) {
- unsigned char s = S[index];
- unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- S[index] ^= m;
- M[index] = m;
- }
-}
-
-/**
- * \brief Applies the Romulus rho function to a short block.
- *
- * \param S The rolling Romulus state.
- * \param C Ciphertext message output block.
- * \param M Plaintext message input block.
- * \param len Length of the short block, must be less than 16.
- */
-STATIC_INLINE void romulus_rho_short
- (unsigned char S[16], unsigned char C[16],
- const unsigned char M[16], unsigned len)
-{
- unsigned index;
- for (index = 0; index < len; ++index) {
- unsigned char s = S[index];
- unsigned char m = M[index];
- S[index] ^= m;
- C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- }
- S[15] ^= (unsigned char)len; /* Padding */
-}
-
-/**
- * \brief Applies the inverse of the Romulus rho function to a short block.
- *
- * \param S The rolling Romulus state.
- * \param M Plaintext message output block.
- * \param C Ciphertext message input block.
- * \param len Length of the short block, must be less than 16.
- */
-STATIC_INLINE void romulus_rho_inverse_short
- (unsigned char S[16], unsigned char M[16],
- const unsigned char C[16], unsigned len)
-{
- unsigned index;
- for (index = 0; index < len; ++index) {
- unsigned char s = S[index];
- unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- S[index] ^= m;
- M[index] = m;
- }
- S[15] ^= (unsigned char)len; /* Padding */
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-N1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n1_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no plaintext */
- if (mlen == 0) {
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x15);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus1_set_domain(ks, 0x04);
- while (mlen > 16) {
- romulus_rho(S, c, m);
- romulus1_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus1_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_short(S, c, m, temp);
- romulus1_set_domain(ks, 0x15);
- } else {
- romulus_rho(S, c, m);
- romulus1_set_domain(ks, 0x14);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-N1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n1_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no ciphertext */
- if (mlen == 0) {
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x15);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus1_set_domain(ks, 0x04);
- while (mlen > 16) {
- romulus_rho_inverse(S, m, c);
- romulus1_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus1_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_inverse_short(S, m, c, temp);
- romulus1_set_domain(ks, 0x15);
- } else {
- romulus_rho_inverse(S, m, c);
- romulus1_set_domain(ks, 0x14);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-N2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n2_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no plaintext */
- if (mlen == 0) {
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x55);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus2_set_domain(ks, 0x44);
- while (mlen > 16) {
- romulus_rho(S, c, m);
- romulus2_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus2_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_short(S, c, m, temp);
- romulus2_set_domain(ks, 0x55);
- } else {
- romulus_rho(S, c, m);
- romulus2_set_domain(ks, 0x54);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-N2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n2_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no ciphertext */
- if (mlen == 0) {
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x55);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus2_set_domain(ks, 0x44);
- while (mlen > 16) {
- romulus_rho_inverse(S, m, c);
- romulus2_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus2_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_inverse_short(S, m, c, temp);
- romulus2_set_domain(ks, 0x55);
- } else {
- romulus_rho_inverse(S, m, c);
- romulus2_set_domain(ks, 0x54);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-N3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n3_encrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no plaintext */
- if (mlen == 0) {
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x95);
- skinny_128_256_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus3_set_domain(ks, 0x84);
- while (mlen > 16) {
- romulus_rho(S, c, m);
- romulus3_update_counter(ks->TK1);
- skinny_128_256_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus3_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_short(S, c, m, temp);
- romulus3_set_domain(ks, 0x95);
- } else {
- romulus_rho(S, c, m);
- romulus3_set_domain(ks, 0x94);
- }
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-N3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n3_decrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no ciphertext */
- if (mlen == 0) {
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x95);
- skinny_128_256_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus3_set_domain(ks, 0x84);
- while (mlen > 16) {
- romulus_rho_inverse(S, m, c);
- romulus3_update_counter(ks->TK1);
- skinny_128_256_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus3_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_inverse_short(S, m, c, temp);
- romulus3_set_domain(ks, 0x95);
- } else {
- romulus_rho_inverse(S, m, c);
- romulus3_set_domain(ks, 0x94);
- }
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-M1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m1_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus1_set_domain(ks, 0x24);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho(S, c, m);
- romulus1_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_short(S, c, m, (unsigned)mlen);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-M1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m1_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus1_set_domain(ks, 0x24);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse(S, m, c);
- romulus1_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-M2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m2_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus2_set_domain(ks, 0x64);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho(S, c, m);
- romulus2_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_short(S, c, m, (unsigned)mlen);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-M2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m2_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus2_set_domain(ks, 0x64);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse(S, m, c);
- romulus2_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-M3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m3_encrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus3_set_domain(ks, 0xA4);
- while (mlen > 16) {
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho(S, c, m);
- romulus3_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho_short(S, c, m, (unsigned)mlen);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-M3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m3_decrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus3_set_domain(ks, 0xA4);
- while (mlen > 16) {
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho_inverse(S, m, c);
- romulus3_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
-}
-
-/**
- * \brief Generates the authentication tag from the rolling Romulus state.
- *
- * \param T Buffer to receive the generated tag; can be the same as S.
- * \param S The rolling Romulus state.
- */
-STATIC_INLINE void romulus_generate_tag
- (unsigned char T[16], const unsigned char S[16])
-{
- unsigned index;
- for (index = 0; index < 16; ++index) {
- unsigned char s = S[index];
- T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7);
- }
-}
-
-int romulus_n1_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n1_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Encrypts the plaintext to produce the ciphertext */
- romulus_n1_encrypt(&ks, S, c, m, mlen);
-
- /* Generate the authentication tag */
- romulus_generate_tag(c + mlen, S);
- return 0;
-}
-
-int romulus_n1_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n1_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= ROMULUS_TAG_SIZE;
- romulus_n1_decrypt(&ks, S, m, c, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_n2_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n2_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Encrypts the plaintext to produce the ciphertext */
- romulus_n2_encrypt(&ks, S, c, m, mlen);
-
- /* Generate the authentication tag */
- romulus_generate_tag(c + mlen, S);
- return 0;
-}
-
-int romulus_n2_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n2_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= ROMULUS_TAG_SIZE;
- romulus_n2_decrypt(&ks, S, m, c, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_n3_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n3_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Encrypts the plaintext to produce the ciphertext */
- romulus_n3_encrypt(&ks, S, c, m, mlen);
-
- /* Generate the authentication tag */
- romulus_generate_tag(c + mlen, S);
- return 0;
-}
-
-int romulus_n3_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n3_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= ROMULUS_TAG_SIZE;
- romulus_n3_decrypt(&ks, S, m, c, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_m1_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data and the plaintext message */
- memset(S, 0, sizeof(S));
- romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen);
-
- /* Generate the authentication tag, which is also the initialization
- * vector for the encryption portion of the packet processing */
- romulus_generate_tag(S, S);
- memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Encrypt the plaintext to produce the ciphertext */
- romulus_m1_encrypt(&ks, S, c, m, mlen);
- return 0;
-}
-
-int romulus_m1_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext, using the
- * authentication tag as the initialization vector for decryption */
- clen -= ROMULUS_TAG_SIZE;
- memcpy(S, c + clen, ROMULUS_TAG_SIZE);
- romulus_m1_decrypt(&ks, S, m, c, clen);
-
- /* Re-initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_m2_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data and the plaintext message */
- memset(S, 0, sizeof(S));
- romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen);
-
- /* Generate the authentication tag, which is also the initialization
- * vector for the encryption portion of the packet processing */
- romulus_generate_tag(S, S);
- memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Encrypt the plaintext to produce the ciphertext */
- romulus_m2_encrypt(&ks, S, c, m, mlen);
- return 0;
-}
-
-int romulus_m2_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext, using the
- * authentication tag as the initialization vector for decryption */
- clen -= ROMULUS_TAG_SIZE;
- memcpy(S, c + clen, ROMULUS_TAG_SIZE);
- romulus_m2_decrypt(&ks, S, m, c, clen);
-
- /* Re-initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_m3_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data and the plaintext message */
- memset(S, 0, sizeof(S));
- romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen);
-
- /* Generate the authentication tag, which is also the initialization
- * vector for the encryption portion of the packet processing */
- romulus_generate_tag(S, S);
- memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Encrypt the plaintext to produce the ciphertext */
- romulus_m3_encrypt(&ks, S, c, m, mlen);
- return 0;
-}
-
-int romulus_m3_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext, using the
- * authentication tag as the initialization vector for decryption */
- clen -= ROMULUS_TAG_SIZE;
- memcpy(S, c + clen, ROMULUS_TAG_SIZE);
- romulus_m3_decrypt(&ks, S, m, c, clen);
-
- /* Re-initialize the key schedule with the key and no nonce.
Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
diff --git a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/romulus.h b/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/romulus.h
deleted file mode 100644
index e6da29d..0000000
--- a/romulus/Implementations/crypto_aead/romulusn2v1/rhys-avr/romulus.h
+++ /dev/null
@@ -1,476 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_ROMULUS_H -#define LWCRYPTO_ROMULUS_H - -#include "aead-common.h" - -/** - * \file romulus.h - * \brief Romulus authenticated encryption algorithm family. - * - * Romulus is a family of authenticated encryption algorithms that - * are built around the SKINNY-128 tweakable block cipher. There - * are six members in the family: - * - * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. This is the - * primary member of the family. - * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-256 tweakable block cipher. 
- * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-384 tweakable block cipher. - * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag, - * based around the SKINNY-128-256 tweakable block cipher. - * - * The Romulus-M variants are resistant to nonce reuse as long as the - * combination of the associated data and plaintext is unique. If the - * same associated data and plaintext are reused under the same nonce, - * then the scheme will leak that the same plaintext has been sent for a - * second time but will not reveal the plaintext itself. - * - * References: https://romulusae.github.io/romulus/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for all Romulus family members. - */ -#define ROMULUS_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for all Romulus family members. - */ -#define ROMULUS_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Romulus-N1 and Romulus-M1. - */ -#define ROMULUS1_NONCE_SIZE 16 - -/** - * \brief Size of the nonce for Romulus-N2 and Romulus-M2. - */ -#define ROMULUS2_NONCE_SIZE 12 - -/** - * \brief Size of the nonce for Romulus-N3 and Romulus-M3. - */ -#define ROMULUS3_NONCE_SIZE 12 - -/** - * \brief Meta-information block for the Romulus-N1 cipher. - */ -extern aead_cipher_t const romulus_n1_cipher; - -/** - * \brief Meta-information block for the Romulus-N2 cipher. - */ -extern aead_cipher_t const romulus_n2_cipher; - -/** - * \brief Meta-information block for the Romulus-N3 cipher. - */ -extern aead_cipher_t const romulus_n3_cipher; - -/** - * \brief Meta-information block for the Romulus-M1 cipher. - */ -extern aead_cipher_t const romulus_m1_cipher; - -/** - * \brief Meta-information block for the Romulus-M2 cipher. 
- */ -extern aead_cipher_t const romulus_m2_cipher; - -/** - * \brief Meta-information block for the Romulus-M3 cipher. - */ -extern aead_cipher_t const romulus_m3_cipher; - -/** - * \brief Encrypts and authenticates a packet with Romulus-N1. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n1_aead_decrypt() - */ -int romulus_n1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N1. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n1_aead_encrypt() - */ -int romulus_n1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-N2. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n2_aead_decrypt() - */ -int romulus_n2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N2. 
- * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n2_aead_encrypt() - */ -int romulus_n2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-N3. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. 
- * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_n3_aead_decrypt() - */ -int romulus_n3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-N3. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_n3_aead_encrypt() - */ -int romulus_n3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M1. - * - * \param c Buffer to receive the output. 
- * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_m1_aead_decrypt() - */ -int romulus_m1_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M1. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. 
- * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m1_aead_encrypt() - */ -int romulus_m1_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M2. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa romulus_m2_aead_decrypt() - */ -int romulus_m2_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M2. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. 
- * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m2_aead_encrypt() - */ -int romulus_m2_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Romulus-M3. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa romulus_m3_aead_decrypt() - */ -int romulus_m3_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Romulus-M3. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa romulus_m3_aead_encrypt() - */ -int romulus_m3_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-skinny128-avr.S b/romulus/Implementations/crypto_aead/romulusn3/rhys/internal-skinny128-avr.S similarity index 100% rename from skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-skinny128-avr.S rename to romulus/Implementations/crypto_aead/romulusn3/rhys/internal-skinny128-avr.S diff --git a/romulus/Implementations/crypto_aead/romulusn3/rhys/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusn3/rhys/internal-skinny128.c index 65ba4ed..579ced1 100644 --- a/romulus/Implementations/crypto_aead/romulusn3/rhys/internal-skinny128.c +++ b/romulus/Implementations/crypto_aead/romulusn3/rhys/internal-skinny128.c @@ -25,6 +25,8 @@ #include "internal-util.h" #include +#if !defined(__AVR__) + STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) { /* This function is used to fast-forward the TK1 tweak value 
@@ -55,42 +57,33 @@ STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) ((row3 << 24) & 0xFF000000U); } -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t TK3[4]; uint32_t *schedule; unsigned round; uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || (key_len != 32 && key_len != 48)) - return 0; - +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); + memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); +#else /* Set the initial states of TK1, TK2, and TK3 */ - if (key_len == 32) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - TK3[0] = le_load_word32(key + 16); - TK3[1] = le_load_word32(key + 20); - TK3[2] = le_load_word32(key + 24); - TK3[3] = le_load_word32(key + 28); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); /* Set up the key schedule using TK2 and TK3. TK1 is not added * to the key schedule because we will derive that part of the 
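Review bot: The new `skinny_128_384_init` no longer rejects a NULL `ks`/`key` or a wrong key length, so an exact 48-byte key is now an unchecked precondition that callers must meet; the array declarator `const unsigned char key[48]` decays to a pointer and enforces nothing. A line at the top of the body such as `/* Precondition: key points to 48 bytes (TK1 || TK2 || TK3); no NULL or length checks are made here */` would make that explicit, and the same applies to `skinny_128_256_init` with its 32-byte key in the `@@ -408,33 +491,27 @@` hunk. The body also tests `#if !SKINNY_128_SMALL_SCHEDULE`, which silently evaluates as true when the macro is not defined at all; if the header does not define a default of 0 or 1, `-Wundef` will flag every one of these tests. The function continues past the end of the hunk.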
@@ -116,20 +109,7 @@ int skinny_128_384_init skinny128_LFSR3(TK3[0]); skinny128_LFSR3(TK3[1]); } - return 1; -} - -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_384_encrypt @@ -138,7 +118,13 @@ void skinny_128_384_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -148,14 +134,24 @@ void skinny_128_384_encrypt s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
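Review bot: Removing `skinny_128_384_set_tweak` (and `skinny_128_256_set_tweak` in the `@@ -457,20 +534,7 @@` hunk) takes away the only length-checked way to set TK1; presumably callers now write `ks->TK1` directly, which this chunk does not show. If so, the header should state that `TK1` is exactly 16 bytes and is read raw by the encrypt/decrypt routines, since a caller copying a shorter or longer tweak now gets no diagnostic at all. The function closed by the first hunk begins outside it.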
@@ -163,8 +159,15 @@ void skinny_128_384_encrypt skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -185,6 +188,16 @@ void skinny_128_384_encrypt /* Permute TK1 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ @@ -200,7 +213,13 @@ void skinny_128_384_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0x15; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; 
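Review bot: `uint8_t rc = 0x15;` in `skinny_128_384_decrypt` is an unexplained magic value that is silently coupled to the round count: iterating the LFSR from the encrypt loop (`rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; rc &= 0x3F;`) from 0 gives 0x15 on the 57th step, i.e. the constant one round past a 56-round schedule, which the inverse step inside the loop then rewinds to the last round's constant before first use. The same holds for `uint8_t rc = 0x09;` in `skinny_128_256_decrypt` in the `@@ -541,7 +630,12 @@` hunk, which is the 49th step for a 48-round schedule. A comment such as `uint8_t rc = 0x15; /* LFSR state after SKINNY_128_384_ROUNDS + 1 steps; regenerate if the round count changes */` would keep a future round-count change from silently producing wrong plaintext. The function whose declarations this hunk touches continues outside it.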
@@ -215,15 +234,47 @@ void skinny_128_384_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Permute TK1 to fast-forward it to the end of the key schedule */ skinny128_fast_forward_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_fast_forward_tk(TK2); + skinny128_fast_forward_tk(TK3); + for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2 and TK3. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + skinny128_LFSR3(TK3[2]); + skinny128_LFSR3(TK3[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_inv_permute_tk(TK3); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); + skinny128_LFSR2(TK3[2]); + skinny128_LFSR2(TK3[3]); +#endif /* Inverse mix of the columns */ temp = s3; 
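Review bot: The inverse tweakey update in `skinny_128_384_decrypt` applies `skinny128_LFSR3` to TK2 and `skinny128_LFSR2` to TK3, the opposite pairing from the encrypt loop, and nothing says why; presumably each LFSR is the other's inverse, and a one-line comment next to `skinny128_LFSR3(TK2[2]);` such as `/* LFSR3 undoes LFSR2 and vice versa, so the roles swap when stepping backwards */` would save the next reader from re-deriving it. The new fast-forward loop also uses a `//` comment where the rest of this file uses `/* */`. Both points apply equally to the `@@ -558,12 +652,29 @@` hunk in `skinny_128_256_decrypt`. The function begins and ends outside the hunk.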
@@ -240,8 +291,15 @@ void skinny_128_384_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ @@ -259,13 +317,18 @@ void skinny_128_384_decrypt } void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2) { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; uint32_t TK2[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -275,7 +338,7 @@ void skinny_128_384_encrypt_tk2 s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); @@ -284,9 +347,15 @@ void skinny_128_384_encrypt_tk2 TK2[1] = le_load_word32(tk2 + 4); TK2[2] = le_load_word32(tk2 + 8); TK2[3] = le_load_word32(tk2 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
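Review bot: `skinny_128_384_encrypt_tk2` drops `const` from its `ks` parameter, yet every use of `ks` visible in the function (`ks->TK1`, `ks->TK3`, `ks->k`) is a read, so callers holding a `const` schedule lose the ability to call it for no reason the C path shows. If the change is driven by the AVR variant defined under `#else /* __AVR__ */` later in the file needing to modify the schedule, a comment on the definition stating that `ks` may be updated in place would document that contract; otherwise `const skinny_128_384_key_schedule_t *ks` should be restored. The function continues past the end of the hunk.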
@@ -294,8 +363,15 @@ void skinny_128_384_encrypt_tk2 skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -319,6 +395,13 @@ void skinny_128_384_encrypt_tk2 skinny128_permute_tk(TK2); skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK3); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -408,33 +491,27 @@ void skinny_128_384_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t *schedule; unsigned round; uint8_t rc; +#endif - /* Validate the parameters */ - if (!ks || !key || (key_len != 16 && key_len != 32)) - return 0; - +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); +#else /* Set the initial states of TK1 and TK2 */ - if (key_len == 16) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); /* Set up the key schedule using TK2. TK1 is not added * to the key schedule because we will derive that part of the @@ -457,20 +534,7 @@ int skinny_128_256_init skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); } - return 1; -} - -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_256_encrypt 
@@ -479,7 +543,12 @@ void skinny_128_256_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -494,18 +563,31 @@ void skinny_128_256_encrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); skinny128_sbox(s2); skinny128_sbox(s3); - /* Apply the subkey for this round */ + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -524,8 +606,15 @@ void skinny_128_256_encrypt s1 = s0; s0 = temp; - /* Permute TK1 for the next round */ + /* Permute TK1 and TK2 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -541,7 +630,12 @@ void skinny_128_256_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; @@ -558,12 +652,29 @@ void skinny_128_256_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif /* Inverse mix of the columns */ temp = s3; @@ -580,8 +691,15 @@ void skinny_128_256_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ 
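Review bot: `uint8_t rc = 0x09;` and the TK2 fast-forward loop carry no explanation of where their values come from: 0x09 is the 6-bit LFSR state after SKINNY_128_256_ROUNDS forward steps (the constant a 49th round would use), which the inverse step `rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);` walks back to 0x04 for round 48, and the loop applies LFSR2 to all four TK2 words SKINNY_128_256_ROUNDS/2 times, presumably because the forward loop in encrypt only LFSRs `TK2[0..1]` after each permutation so every word advances on alternate rounds. I'd add `/* LFSR state after SKINNY_128_256_ROUNDS forward steps; stepped backwards per round below */` on the `rc` initializer and replace the `// Also fast-forward ...` line, which is the only `//` comment in an otherwise `/* */` file, with a `/* */` comment stating the alternate-round argument for TK2. Both values are load-bearing for equivalence with the full-schedule path and are worth a KAT run of the small-schedule C code on a host build. `skinny_128_256_decrypt` starts before this hunk and ends after it.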
@@ -670,142 +788,14 @@ void skinny_128_256_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len) -{ - uint32_t TK1[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || key_len != 16) - return 0; - - /* Set the initial state of TK1 */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); +#else /* __AVR__ */ - /* Set up the key schedule using TK1 */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. - * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK1[0] ^ (rc & 0x0F); - schedule[1] = TK1[1] ^ (rc >> 4); - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); - } - return 1; -} - -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) { - uint32_t s0, s1, s2, s3; - const uint32_t *schedule = ks->k; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; 
- s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); } -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - const uint32_t *schedule; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; - s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} +#endif /* __AVR__ */ 
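Review bot: On this AVR path `skinny_128_384_encrypt_tk2` copies `tk2` into `ks->TK2` and leaves it there, so any later plain `skinny_128_384_encrypt()` on the same schedule, which evidently reads `ks->TK2` for this wrapper to work at all, now uses the last `tk2` rather than the zero TK2 the header tells callers to initialize with; either the caller contract must say so explicitly, or the wrapper should restore the previous value: `unsigned char saved[16]; memcpy(saved, ks->TK2, 16); memcpy(ks->TK2, tk2, 16); skinny_128_384_encrypt(ks, output, input); memcpy(ks->TK2, saved, 16);`. Dropping `const` from `ks` also means a schedule can no longer be shared between concurrent callers of this function, unlike the version it replaces. The `#else /* __AVR__ */` and `#endif /* __AVR__ */` comments suggest this block is keyed on `__AVR__` while the schedule struct in the header is keyed on `SKINNY_128_SMALL_SCHEDULE`; the opening `#if` is outside the hunk, but if it really tests `__AVR__` the two switches can drift and I'd gate both on the one macro.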
diff --git a/romulus/Implementations/crypto_aead/romulusn3/rhys/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusn3/rhys/internal-skinny128.h index 76b34f5..2bfda3c 100644 --- a/romulus/Implementations/crypto_aead/romulusn3/rhys/internal-skinny128.h +++ b/romulus/Implementations/crypto_aead/romulusn3/rhys/internal-skinny128.h @@ -39,6 +39,16 @@ extern "C" { #endif /** + * \def SKINNY_128_SMALL_SCHEDULE + * \brief Defined to 1 to use the small key schedule version of SKINNY-128. + */ +#if defined(__AVR__) +#define SKINNY_128_SMALL_SCHEDULE 1 +#else +#define SKINNY_128_SMALL_SCHEDULE 0 +#endif + +/** * \brief Size of a block for SKINNY-128 block ciphers. */ #define SKINNY_128_BLOCK_SIZE 16 @@ -56,8 +66,16 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; + + /** TK3 for the small key schedule */ + uint8_t TK3[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_384_ROUNDS * 2]; +#endif } skinny_128_384_key_schedule_t; 
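Review bot: `SKINNY_128_SMALL_SCHEDULE` is unconditionally `#define`d from `__AVR__`, so the documented "Defined to 1 to use the small key schedule" cannot be honoured from a build flag and the small-schedule C code can only ever be compiled on AVR; wrapping the block in `#if !defined(SKINNY_128_SMALL_SCHEDULE)` would let a host build exercise that path against the KATs, provided the `.c` file gates on the same macro rather than on `__AVR__`. The struct change also makes `skinny_128_384_key_schedule_t` differ in size and field layout between targets, which the struct comment should state so nobody serializes or compares schedules across builds, e.g. `/* Layout and size depend on SKINNY_128_SMALL_SCHEDULE; not stable across targets */`.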
@@ -66,29 +84,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 32 or 48, - * where 32 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); /** * \brief Encrypts a 128-bit block with SKINNY-128-384. @@ -133,9 +131,12 @@ void skinny_128_384_decrypt * This version is useful when both TK1 and TK2 change from block to block. * When the key is initialized with skinny_128_384_init(), the TK2 part of * the key value should be set to zero. + * + * \note Some versions of this function may modify the key schedule to + * copy tk2 into place. */ void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2); /** @@ -170,8 +171,13 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_256_ROUNDS * 2]; +#endif } skinny_128_256_key_schedule_t; 
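Review bot: The `\param key` text for `skinny_128_384_init` loses the size and layout that the prototype `key[48]` cannot enforce; `romulus1_init` in `romulus.c` builds the buffer as LFSR counter in bytes 0..15, nonce in 16..31 and key in 32..47, so state it: `\param key Points to 48 bytes of key data: TK1 in bytes 0..15, TK2 in bytes 16..31, TK3 in bytes 32..47.` (the TK2/TK3 assignment is by analogy with the 256-bit init, whose body is visible; confirm against the 384-bit body). The `\note` on `skinny_128_384_encrypt_tk2` should also say what "may modify the key schedule" means to a caller: after the call `ks->TK2` may hold `tk2`, so later `skinny_128_384_encrypt()` calls on the same schedule may see it, and the schedule must not be shared between concurrent callers. Since `skinny_128_384_set_tweak` is gone, the doc should say that TK1 is updated by writing `ks->TK1` directly, as the Romulus code does.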
@@ -180,29 +186,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16 or 32, - * where 16 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); /** * \brief Encrypts a 128-bit block with SKINNY-128-256. 
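Review bot: The `\param key` description for `skinny_128_256_init` no longer says how many bytes are read or how they are split, and the body in `internal-skinny128.c` copies bytes 0..15 into `ks->TK1` and loads TK2 from `key + 16`; I'd write `\param key Points to 32 bytes of key data: TK1 (the tweakable part) in bytes 0..15, TK2 in bytes 16..31.` With `skinny_128_256_set_tweak` removed, the doc should add that callers update the tweak by writing `ks->TK1` directly, which is how `romulus3_init` already treats it. A one-line `\note` that the function performs no argument validation would replace the removed "return zero on bad parameters" wording.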
@@ -251,63 +237,6 @@ void skinny_128_256_encrypt_tk_full (const unsigned char key[32], unsigned char *output, const unsigned char *input); -/** - * \brief Number of rounds for SKINNY-128-128. - */ -#define SKINNY_128_128_ROUNDS 40 - -/** - * \brief Structure of the key schedule for SKINNY-128-128. - */ -typedef struct -{ - /** Words of the key schedule */ - uint32_t k[SKINNY_128_128_ROUNDS * 2]; - -} skinny_128_128_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-128. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - #ifdef __cplusplus } #endif 
diff --git a/romulus/Implementations/crypto_aead/romulusn3/rhys/internal-util.h b/romulus/Implementations/crypto_aead/romulusn3/rhys/internal-util.h index e79158c..e30166d 100644 --- a/romulus/Implementations/crypto_aead/romulusn3/rhys/internal-util.h +++ b/romulus/Implementations/crypto_aead/romulusn3/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/romulus/Implementations/crypto_aead/romulusn3/rhys/romulus.c b/romulus/Implementations/crypto_aead/romulusn3/rhys/romulus.c
index be1c0fa..bb19cc5 100644
--- a/romulus/Implementations/crypto_aead/romulusn3/rhys/romulus.c
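Review bot: Each composed macro nests the generic `leftRotate`/`rightRotate`, whose statement expression declares `_temp`, so `leftRotate12` ends up with five nested `_temp` declarations, each shadowing the one whose initializer it sits in; it is well defined because the innermost is initialized from the caller's argument, but it fires under `-Wshadow` and the larger forms are opaque enough to deserve a comment such as `/* Nesting the generic rotate is intentional: each level is a 1-bit or byte rotate that the AVR backend emits cheaply */`. The claim in the block comment above that 1-bit and byte rotates are the fast cases assumes the compiler recognises the `(x >> 1) | (x << 31)` idiom on AVR; that is worth confirming once on the generated assembly, since a missed idiom would leave the 4-step forms as four or five full 32-bit shift pairs. All counts are compile-time constants, so the composition keeps the data-independent timing of the generic forms.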
+++ b/romulus/Implementations/crypto_aead/romulusn3/rhys/romulus.c @@ -116,14 +116,15 @@ static void romulus1_init (skinny_128_384_key_schedule_t *ks, const unsigned char *k, const unsigned char *npub) { - unsigned char TK[32]; + unsigned char TK[48]; + TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */ + memset(TK + 1, 0, 15); if (npub) - memcpy(TK, npub, 16); + memcpy(TK + 16, npub, 16); else - memset(TK, 0, 16); - memcpy(TK + 16, k, 16); - skinny_128_384_init(ks, TK, sizeof(TK)); - ks->TK1[0] = 0x01; /* Initialize the 56-bit LFSR counter */ + memset(TK + 16, 0, 16); + memcpy(TK + 32, k, 16); + skinny_128_384_init(ks, TK); } /** @@ -138,14 +139,18 @@ static void romulus2_init (skinny_128_384_key_schedule_t *ks, const unsigned char *k, const unsigned char *npub) { - unsigned char TK[32]; - memcpy(TK, k, 16); - memset(TK + 16, 0, 16); - TK[16] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ - skinny_128_384_init(ks, TK, sizeof(TK)); - ks->TK1[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ - if (npub) - memcpy(ks->TK1 + 4, npub, 12); + unsigned char TK[48]; + TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */ + if (npub) { + TK[1] = TK[2] = TK[3] = 0; + memcpy(TK + 4, npub, 12); + } else { + memset(TK + 1, 0, 15); + } + memcpy(TK + 16, k, 16); + TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */ + memset(TK + 33, 0, 15); + skinny_128_384_init(ks, TK); } /** @@ -160,10 +165,16 @@ static void romulus3_init (skinny_128_256_key_schedule_t *ks, const unsigned char *k, const unsigned char *npub) { - skinny_128_256_init(ks, k, 16); - ks->TK1[0] = 0x01; /* Initialize the 24-bit LFSR counter */ - if (npub) - memcpy(ks->TK1 + 4, npub, 12); + unsigned char TK[32]; + TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */ + if (npub) { + TK[1] = TK[2] = TK[3] = 0; + memcpy(TK + 4, npub, 12); + } else { + memset(TK + 1, 0, 15); + } + memcpy(TK + 16, k, 16); + skinny_128_256_init(ks, TK); } /** 
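Review bot: All three init helpers now stage the 16-byte key in a stack buffer (`memcpy(TK + 32, k, 16)` in `romulus1_init`, `memcpy(TK + 16, k, 16)` in the other two) that is not cleared before return, so a copy of the key outlives the call on the stack; the previous code had the same property, so it is not a regression, but the rewrite is the moment to fix it. If the library has a non-optimizable wipe helper, call it on `TK` before each return; a plain `memset(TK, 0, sizeof(TK));` before return can be discarded as a dead store, so it needs `volatile` or a compiler barrier to be reliable. The `npub == NULL` branches zero the nonce bytes rather than leaving `TK` uninitialized, which is correct given the key-schedule init now reads all 48 (or 32) bytes unconditionally.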
diff --git a/romulus/Implementations/crypto_aead/romulusn3v1/LWC_AEAD_KAT_128_96.txt b/romulus/Implementations/crypto_aead/romulusn3v1/LWC_AEAD_KAT_128_96.txt deleted file mode 100644 index 384bc3e..0000000 --- a/romulus/Implementations/crypto_aead/romulusn3v1/LWC_AEAD_KAT_128_96.txt +++ /dev/null 
@@ -1,7623 +0,0 @@ -Count = 1 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = -CT = 8F13641C9EB6C1307C40947E0326D8F2 - -Count = 2 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00 -CT = B12064E6DBB7BB6D081436FF7CA65AE1 - -Count = 3 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001 -CT = FEA10D48FB277672BF47C3FCE4EF4966 - -Count = 4 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102 -CT = 2E7A74514D401CB194AC2EFCF7B7396A - -Count = 5 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203 -CT = 1FFC1E07934B4F00053444B8BF58A700 - -Count = 6 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304 -CT = 71BDF3AD797D3EEF55CE82D4BDBB9140 - -Count = 7 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405 -CT = 6258DE1707590A93B4ABE1D506B405AD - -Count = 8 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506 -CT = 7FC140A0827E94FCA4CD6DF8552CAEF8 - -Count = 9 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 0001020304050607 -CT = 6E358D0AB1F662110E9575108DED9B04 - -Count = 10 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708 -CT = 45A2EEAC0C64962B560A6566C9CEC8F5 - -Count = 11 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 00010203040506070809 -CT = AD7762A892816389E47AE51A7A3AE083 - -Count = 12 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A -CT = A946DFBBDC58BB2FAFA332DD489707AE - -Count = 13 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B -CT = 2AB43C90761D20C916B1E1CFA34BB851 - -Count = 14 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C -CT = 1D74BF88344350B9A3F19B01A467B964 - -Count = 15 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D -CT = A73C27CEC4C90A60657984ECF14F4311 - -Count = 16 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E -CT = 9492A26AF193AC8795460141CD63860B - -Count = 17 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F -CT = 2252E574D9AF87121148FEFFA823A7AA - -Count = 18 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10 -CT = C72F18D2C55EA6D7334F49A96965345E - -Count = 19 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 6E8AAF32A94307A8908CA6324D236D4D - -Count = 20 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 20575D481A84E1AB52E0FBEF9AE4A236 - -Count = 21 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = CD46846451099CE17833D585648AE086 - -Count = 22 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = C6637DA570A27EDB37352D9139D68253 - -Count = 23 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 856DEFC827B515CB9BF5345968668ED8 - -Count = 24 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 13342A12C7E66227EACD20799E63D4FD - -Count = 25 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = FE1D77D9A2DB00DF11D49BE96EE17C6B - -Count = 26 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = EC825A7D1E7EBC0317C276FCEF297014 - -Count = 27 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = E2A36A4CCE59A358AA8D26DBAE8C20FF - -Count = 28 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 599292757F1270FE618818F69EC27C2E - -Count = 29 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = B80C2E6054ECCEEADBCCCF1F71556704 - -Count = 30 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = CDE9D19136EC000F6164EF8D1744061C - -Count = 31 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = 2A2C6F891B3A800D0356D2ECE2A8CBE2 - -Count = 32 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = C420CE77311CA0F1651173628C42B8A6 - -Count = 33 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = FCEECFBBE9CA6C7D94ABE3D5F33175F9 - -Count = 34 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = -CT = C9B1E62EADFA676C59497D904C1BA69015 - -Count = 35 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00 -CT = 237EC5AC4CA64DB10EAFC536CC8BE626EF - 
-Count = 36 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001 -CT = FEB3AED937210D5425A543ECC77DFA16AD - -Count = 37 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102 -CT = EC1A7F90FFE18A7384E6B5F30DA547C954 - -Count = 38 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203 -CT = D10AB523132F0DFCB7F89D5EB80148C942 - -Count = 39 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304 -CT = A76BAF7ABBA866296578E827F56F060BE3 - -Count = 40 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405 -CT = DB0B51C1A9303D74F559CB938DC3B396AB - -Count = 41 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506 -CT = 1D087D03E6CCDE88F034EF779F4936F136 - -Count = 42 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 0001020304050607 -CT = 4E8F4AC460F0A14D3632095232905E89A3 - -Count = 43 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708 -CT = FEB1BA6ED7015CE1A2A17D88866D280A39 - -Count = 44 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 00010203040506070809 -CT = E9020BFFA16CA0145C98C9C7BD917FCC97 - -Count = 45 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A -CT = FC57116EEADA77BD9781452F2C3EC1BBCE - -Count = 46 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B -CT = 02268235DA395874709E2880A1DC0356C4 - -Count = 47 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C -CT = 82EB11B55495F6AEEA8C31A0BCA68BD71C - -Count = 48 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D -CT = 5D1805D1A0137E94F8C2DF338F3FB33E75 - -Count = 49 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E -CT = F588FC532615510D4246CCAB1347972897 - -Count = 50 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F09A8F8DAEF5BD76705493B0DC01DF196 - -Count = 51 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 18BFDF06F757F217B51778D1231D35173C - -Count = 52 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0A4164F91A10EAEA6B498F69895BF332DA - -Count = 53 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 811116F4DE216DC9A287F2BB86EF85C77B - -Count = 54 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C53E2D862469A730C55147B4C3C3A177FE - -Count = 55 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DDD7A5F896CB859F4AF52CE543507E08BF - -Count = 56 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 80A1B1753382025F8D24115E7A51DF83F4 - -Count = 57 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D840DA3949F2D36AA8F718C9350DCDC81E - -Count = 58 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5FF27C3B0B489AD79AE3BD8DF96C6A9E2 - -Count = 59 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 23979AFF552136775744E6A3E0A8826A30 - -Count = 60 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAFE8A72E5F1373B9FCB820BC89B62D94C - -Count = 61 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FB5657B20942FC69249F15433C0692D38 - -Count = 62 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 93BC612B3A74FD5B4DB79BC42226A23C75 - -Count = 63 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86D7D5CFBE500E50B1630268D8B5993A18 - -Count = 64 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4C763B7BF5974C3178476253183F3090C - -Count = 65 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D40EB14A9264EB34276B2100C8EDA817E5 - -Count = 66 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6E5572161B410A3D8CF17A10D39A0222DD - -Count = 67 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = -CT = C9F982392533D3566DACC5F4210DCE21FA96 - -Count = 68 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00 -CT = 231940C9D3B498A0103361F560B4A6081360 - -Count = 69 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 
0001 -CT = FE9DE0658A4FE39D5A61C460A64E8262B1B6 - -Count = 70 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102 -CT = EC816FAC8F6C562459F5088347C2C18DD303 - -Count = 71 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203 -CT = D1899AC8C34A16A568F537FF59D25EE21EC0 - -Count = 72 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304 -CT = A748EA5F576C15C2B2884AACE65CB6A49113 - -Count = 73 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405 -CT = DB24251352868E5E63F270B7C2313E4BFA7B - -Count = 74 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506 -CT = 1D17BE35E3477E9331D60ADA365B0DB266C5 - -Count = 75 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 0001020304050607 -CT = 4E983B192E42B54C785A32570D7F7ABD37F9 - -Count = 76 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708 -CT = FE62C51E117D0053F17ABF450703A92F6FF1 - -Count = 77 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 00010203040506070809 -CT = E9C2B8078986ACC339F889A7F1F5CE349DED - -Count = 78 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A -CT = FCD0E62BBB8FB51A7F1594A8256E1BE2F9AB - -Count = 79 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B -CT = 02282414BA729A3A960528BB0753A9B4A148 - -Count = 80 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C -CT = 82B64D10719E5B1F43FCF51C63F7A3A39330 - -Count = 81 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D 
-CT = 5DC078B872210F0FA3FABF9C6F216C9F41BF - -Count = 82 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E -CT = F5E225D7290AAD96EC131CAD0C6251507600 - -Count = 83 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47189BD9D1E44EAB3208C941B15F7D14A9 - -Count = 84 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BC85265A336B277AB7F252442334C17CA - -Count = 85 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E84CC8DA28493C28BD7F20FAD5C4CEA8 - -Count = 86 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E2E5B99CF1E5B4E1E95A6BCC00CFF96EE4 - -Count = 87 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51BF8FBFCE942E4B9C0335EC72786C0DBCB - -Count = 88 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD72ECCD2856B7C0FDD26D4E374EEC879375 - -Count = 89 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079A9735DEB4B0006A4493BDAD56116BFE9 - -Count = 90 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84873327AB0B6237BC00FBCA04A80F1C737 - -Count = 91 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F03AE91B7FBAA7A4A2B54576F13C2DED3F - -Count = 92 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236E1DF60F60A01110832857B416BA82C8CA - -Count = 93 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAECF624A640679ECC5E6BA72FA5CA16DC18 - -Count = 94 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEA7927AC274D13C397337EEE3C0B701B38 - -Count = 95 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 935161C2BA7B6CF304BB1841B6E148238945 - -Count = 96 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 8647ABD44A4D185908F74D3E3FFD16FCEE38 - -Count = 97 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECB9DA15A3633C86F3E11FBE5065B038A5 - -Count = 98 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C89D46AF4546045CA7224B3343F9BF41E2 - -Count = 99 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5A0803A90FB2A1F11B9C68A0E4464EC - -Count = 100 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = -CT = C9F98EDFAB30D37588E2091B11DD3544732354 - -Count = 101 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00 -CT = 2319705BAFF7EBC8AC91D147CD93C4A1A13432 - -Count = 102 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD 
= 0001 -CT = FE9D36B78AF5CC41D79B956C2A41AB44F9FCA1 - -Count = 103 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102 -CT = EC81D55D5F3E073D7E9E0518E65086D07F7B67 - -Count = 104 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203 -CT = D18908D0F0A3367D17089EA5BD757E5909E23F - -Count = 105 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304 -CT = A748A828E28DEB0DE01FAB79411DFFD59AF9C9 - -Count = 106 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405 -CT = DB24D061BE0A04F315D526F9051DBB3DA1C0F9 - -Count = 107 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506 -CT = 1D1756BE37310966A4267EC854E1628C7D4660 - -Count = 108 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 0001020304050607 -CT = 4E9807C7F07380EFD416D9FCBE60ECFC524439 - -Count = 109 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708 -CT = FE628DA0638EC0EC11625A11C530314EA635C1 - -Count = 110 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 00010203040506070809 -CT = E9C2859D9116B31D3DA324D1C28CBCD895258D - -Count = 111 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A -CT = FCD0427833BC178B4DD4778D232BF7A631A4E4 - -Count = 112 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B -CT = 0228F042B0A755AE09EA73BB60CD0E644370E4 - -Count = 113 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C -CT = 82B6B9182831A9B38A012D1D65A88AF4DA6776 - -Count = 114 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAEBE52D166D03E1967E2830B40135476B - -Count = 115 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273CE1863DAD994C1048026202141585526 - -Count = 116 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3C6C231BE30E69852FD544F0B973A3963 - -Count = 117 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCBBC1D3456783267B79B4359A916B7510E - -Count = 118 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E3283EE6F0FA076353CF775B760321AB05 - -Count = 119 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22BA840799993E44284FE542DA4DCC04BAF - -Count = 120 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01B207B3DE64E6459646831521BD5C9286 - -Count = 121 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F6BADA3DD4F789CCBA558A0BBC15ABDE6 - -Count = 122 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED1CAEB76F7825E51E78EFD18225E3DCAA - -Count = 123 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816EB409A228281499542BACA3F29E32E85 - -Count = 124 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F0507F03E3CB94A5885761DE8FE18BAA30BB - -Count = 125 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA8C6FC303ACBA910F592D1E557BDDC303B - -Count = 126 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC6972C544D12674CDE7059F219270D0E794 - -Count = 127 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF78A7D0D3AF00D7352DC85B1D0716466EB - -Count = 128 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D4A1B7435DEA389B4B3504EEB5B23B0168 - -Count = 129 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F442BAB29689DFFDCF7D8E3826179A52F - -Count = 130 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA3C1BA0FBC28D768FAD240BCA22777DBEA - -Count = 131 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C818C3FB7AE4BB0014C977C76861270ED00D - -Count = 132 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5A9090169F8A05326FAF574087660D8BF - -Count = 133 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = -CT = C9F98EB87D2F4FF2E3A1DEEAB6BB679593A771BF - -Count = 134 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00 -CT = 231970384065F6CDD955EE6FB4394D7EAF2542A5 - -Count = 135 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001 -CT = FE9D361C2C22520F4FB0F4EAFB2531C8ABCC3D13 - -Count = 136 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102 -CT = EC81D566715AEBC39B2D009F49212B1E69A5777E - -Count = 137 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203 -CT = D189084BF094FABCF902C09AD7607D1F12E46A0E - -Count = 138 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304 -CT = A748A86562192C5ACCA653789A14B4070DC827DD - -Count = 139 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405 -CT = DB24D07822F0427E5F7E59E3B0D7C3228171747C - -Count = 140 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506 -CT = 1D17560B315CD7DDF1A17357E04AE29A69A636CB - -Count = 141 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 0001020304050607 -CT = 4E9807772A0A414FD8E36899F709C69291048123 - -Count = 142 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708 -CT = FE628D5C84AF0519A8EE13F428A716826EF4E343 - -Count = 143 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 00010203040506070809 -CT = E9C28585340DC1AE4ED2999BDCAD91FBEAC12665 - -Count = 144 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A -CT = FCD0420F268F5728C6A25B4476EC1897A5F8041F - -Count = 145 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B -CT = 0228F0AB240916D33C8CB81E1BC3C4564C590765 - 
-Count = 146 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC769109CF58079A849C9455A4C1FF2305 - -Count = 147 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA36DC15EDB9403A69C2B66B4D8B1613A34 - -Count = 148 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C07AA1B578A4DE7658A77D4E13E29DED85 - -Count = 149 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0CBAE55319CCEFF894645E96A0BFF2DCE - -Count = 150 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0C2813B63ADE7985F3BB82FB4756A6795B - -Count = 151 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D60AF8D7EC98110DFDAEF0BBBAA15A7EB - -Count = 152 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B728D198E5F5FE3761283A448851F980F0F - -Count = 153 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF4685E55550789F40498DA3E33DFB1416 - -Count = 154 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F3973312E44824FB0686644773ED85CD788 - -Count = 155 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F4ECBEFCEC5CBE7E46C3F050837CEE18F - -Count = 156 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B84972086C7B7732544672F0FF0331717B - -Count = 157 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCCFC7E412DB1D893A8005804D721DE238 - -Count = 158 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861CED78AA960F0D1C8F40E41DBE08BF3C8 - -Count = 159 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C02C262C03417FDDCFF72E821A4F0A7617 - -Count = 160 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790ED59AEBB93421E56D498DC94C53CC031 - -Count = 161 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46C641F16058B806A38F4C904959A0568EC - -Count = 162 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47B0D522807A9434ADF5BAAB7003020EFD - -Count = 163 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C356A65882441DC51EDD09461D74FA33E - -Count = 164 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184C91955C6165194FB088401E8E962C6653 - -Count = 165 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F26EA656F4AEBE733C844A07161DFC835F - -Count = 166 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = -CT = C9F98EB86B382DD8E1D97766A8E05FE143594E02CD - -Count = 167 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00 -CT = 2319703816065507A1019FB7D27B92F07A2D605924 - -Count = 168 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001 -CT = FE9D361C3552E5398CCF5D735C7C2BE33A71C58D87 - -Count = 169 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102 -CT = EC81D566D4BB2E26C883E3D4EAD46E0F835113411F - -Count = 170 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203 -CT = D189084B1257E3A348CF873B5159A1A2F679C37A58 - -Count = 171 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304 -CT = A748A865EC0DB61D31CB0E6E1190106F960587FCA6 - -Count = 172 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405 -CT = DB24D0782A2E5FF25BBC07F46BE4F38EF1E8FA31FF - -Count = 173 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506 -CT = 1D17560BBF2104D2260944386FC692199A976B0982 - -Count = 174 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 0001020304050607 -CT = 4E9807774B7F620D5E24809D595BB597BEC3E844F3 - -Count = 175 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708 -CT = FE628D5C6CBB2FA1B6AC731B315457F4A0B39D1135 - -Count = 176 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 00010203040506070809 -CT = 
E9C2858529ED986ACE480222C61E3A43809E4D7A2D - -Count = 177 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A -CT = FCD0420F6E5F30607911B021883AF713B9692F135A - -Count = 178 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B -CT = 0228F0ABBA9F051BE29A11596314CA6A419CE22E76 - -Count = 179 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC40F146650EC28E75F5A882736F86814E73 - -Count = 180 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E458347C639BB1E3EAAA579DF55F4A533E - -Count = 181 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B8D663B2400D93A5D336394224F7537F4D - -Count = 182 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C6848EEEC60CF952333A04F389607D60A0 - -Count = 183 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE338A80EB6A14CDF51D3DE9FC10B1FADB9 - -Count = 184 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CADA4C20563CED2F59DBFBA287087C43F - -Count = 185 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B726999228CED5FC514A50F3FD4989A7F1724 - -Count = 186 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48D5663C1BF78E89F108AA6E2D93983DE8 - -Count = 187 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED3E20FFC1502678DD497213DE09193BD0 - -Count = 188 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7209BD16B55C8ADB9868CACAFCA7D394C4 - -Count = 189 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878657B36CCB8AFB581AC7705F2187EBBC4 - -Count = 190 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA2E2B078E8F64D24D19BCCB577CCB3FE09 - -Count = 191 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E03D32998A463E2D4EB6AE57B691AC1596 - -Count = 192 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B4BA3FE7D25B2DEFEFC9EA07D364AA3B5 - -Count = 193 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF7907655D5B8933883B0725C5BDD140F7CE19B - -Count = 194 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF95AC5845B92B3217A807EC5F82EF7F082 - -Count = 195 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B2533CA44A3002F2990448E909F7FCC3 - -Count = 196 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C1842F03E6A562A25F44AD63AD5FFDD42 - -Count = 197 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC290FB669C716222CA16DA7E90215D5836 - -Count = 198 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F2232B22882A89DBE5BDA59EBACB9F1862E2 - -Count = 199 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = -CT = C9F98EB86B5565C45D664E887985C6F8D427057D637A - -Count = 200 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00 -CT = 23197038165DBB4B16F8CD78EF490629B79896D984E4 - -Count = 201 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001 -CT = FE9D361C358B6C6649FAE887FB986A01F2D208E26F3B - -Count = 202 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102 -CT = EC81D566D4E374C0558D95FBEFE2F466DD587C957CE8 - -Count = 203 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203 -CT = D189084B12BEE8097E483D636342E69F6C2713209BA8 - -Count = 204 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304 -CT = A748A865EC8E2D64D88E56F5E2036814ABDE49BCC3A6 - -Count = 205 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405 -CT = DB24D0782A7B8A4A5171D80E217C19CAEE74A04E78AC - -Count = 206 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506 -CT = 1D17560BBF8D61BAA6CDDB10D62EE25943683A9064EE - -Count = 207 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 0001020304050607 -CT = 4E9807774B4EA105C1B4C5AE48793D9367FEF8B8CD7D - -Count = 208 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708 -CT = FE628D5C6C63FE91963DC89D226FE1F2302DFDC0C4AF - -Count = 209 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 00010203040506070809 -CT = E9C2858529D6A761C238FE747745022909F526B293BE - -Count = 210 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A -CT = FCD0420F6E341B084BCB1D4EF1E35BB414EB34AD40B0 - -Count = 211 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB1D126368CAB5D6E3731CFCAC5F80883 - -Count = 212 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC40977C48FDF9AACC3372B58636315A79845D - -Count = 213 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48EE91830D08E89FD8A5A953776D8FB75D2 - -Count = 214 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85F90E5B23FABEA4C54AAB4731D01B74620 - -Count = 215 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630105F92E61BA66702C18B74B632DB717E - -Count = 216 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30876B669CB645FE1F443D2D5B912CCB24C - -Count = 217 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 
000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB1AF3AB42A22E8A058F697CEA1E9CFE8F - -Count = 218 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECD70CA9099C105761B19109C0698FD4F5 - -Count = 219 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E7BCFC55008C5C143F1751BAE91F0EEF1E - -Count = 220 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7499827D63F9716F9DBDC458565530A0C6 - -Count = 221 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239437922C797BDEA105A5C88CC301694ED - -Count = 222 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7927F0776CE06A0F16F5E1E45BC87C55E - -Count = 223 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298591F584B3FE86B1994FC7986968B05B7 - -Count = 224 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F671BFF301826750BDAD9F69969F2C55AB - -Count = 225 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B738B36890ADEC41942E34913422326E3C3 - -Count = 226 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766470011844D422F4B37EBDDB1D8FE0C323 - 
-Count = 227 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE9DA6BA69A43319763B5257DA065EEDD4 - -Count = 228 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B332BD6E245FE9CD9A8D02E48D03159D7E - -Count = 229 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C64812A3FDEB803AF287C8F1C07B0371F62 - -Count = 230 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC25687E958262AF7325934D3C01DE34DA1DB - -Count = 231 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F2233984B2D0FDE45161FE5517368731DD8166 - -Count = 232 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = -CT = C9F98EB86B55275645FF9B67FF6F6C093F4536963F7FA6 - -Count = 233 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00 -CT = 23197038165DFAD597DE1282BAB261D5AF895E8C6B5E8A - -Count = 234 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001 -CT = FE9D361C358BCE6A6FB419FF31E0D7CD44130AAFA5FDC7 - -Count = 235 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102 -CT = EC81D566D4E35B131DCDD7E95CE7C8F9F74C03FE59CE52 - -Count = 236 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203 -CT = D189084B12BEC8E81C95874C5A091E5BAD4FDF42216EA8 - 
-Count = 237 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304 -CT = A748A865EC8E7714DEA5465FA0286FE9EE4CD4163FA06A - -Count = 238 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405 -CT = DB24D0782A7BB0DE9CA577C8960E04A4851730533811EF - -Count = 239 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506 -CT = 1D17560BBF8DC949066398482FF82E6AC6C45E310340E5 - -Count = 240 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 0001020304050607 -CT = 4E9807774B4E1421C304BD85908648BF239C99CE8F2B02 - -Count = 241 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708 -CT = FE628D5C6C63477186F8699775D6188418B9FAD6D69DAB - -Count = 242 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 00010203040506070809 -CT = E9C2858529D6FE30E55D578379C80EF7B4EAE8EEFE3DD6 - -Count = 243 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A -CT = FCD0420F6E34CE83AC5020950A57848CEE6CBA19C369E8 - -Count = 244 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB3D8B9728E06FAFD83478D7895D8E461B5 - -Count = 245 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC2D4E2B8CB34618971F709545358D7769 - -Count = 246 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E7216A3E5C6CB388EF254EBC4F4598FDA34 - -Count = 247 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 
-AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF67668630037DE107A5A570E3970967DB3 - -Count = 248 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE4A7789F5618B98A65119C742F2911B83 - -Count = 249 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE308719E54480BB8D4DEB9888D678E6254017B - -Count = 250 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C1967DAF995F8CDB3B09FEC2925EEE326 - -Count = 251 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5C93C6320FEA3D60079412ED9075F1A2C - -Count = 252 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764AA6FF70466E26BF096D77E1A931ABA01 - -Count = 253 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED749720DA3420434385F865032064A130A3EE - -Count = 254 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C782421D722D0554F31411B1E5473409E8 - -Count = 255 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7164C6FA25C684694A926C3AD5E9FB940D7 - -Count = 256 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6448D3B3B059FC94F88AC78F449D7F0EB - -Count = 257 -Key 
= 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625E0A4F0F2B9069826E0AE70E07053A087 - -Count = 258 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733ECF9B9DE3198C57E244BEEB42770C15D5 - -Count = 259 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419034893D4BAD35C267D4B8B8C6978AD35 - -Count = 260 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE443E868432850AD7827A70C7A8E096550B - -Count = 261 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AAC79FADC6A01CBE120F5A3D22021D09C - -Count = 262 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BCA646074CF31092F5B8C393AD9EF4F31 - -Count = 263 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC25612F55CA3CDBD98E4053268CCF49B9016E2 - -Count = 264 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391BC250288F9E16FEF9C68EADE2A44923E7 - -Count = 265 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = -CT = C9F98EB86B5527F8BDA81A5B539A64081EE0B27B15BED3F1 - -Count = 266 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00 -CT = 23197038165DFA2E532972E2B3E4F5011FBA7E852F5DF258 - -Count = 267 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001 -CT = FE9D361C358BCE63FF096B5224A96C34EBF79C8B770AEA70 - -Count = 268 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102 -CT = EC81D566D4E35BC94772BF45CD0FADE0597760CD94258F13 - -Count = 269 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203 -CT = D189084B12BEC8FC6DAE6001B5BFE5977C4376B1CD74A542 - -Count = 270 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304 -CT = A748A865EC8E77BF3D1D081D474087689ADEB148B3CCACE3 - -Count = 271 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405 -CT = DB24D0782A7BB0A96148D8B25E91E192DE147D3096E89101 - -Count = 272 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506 -CT = 1D17560BBF8DC97238B8BDDCAE4443BE8C9B16D65F80480D - -Count = 273 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 0001020304050607 -CT = 4E9807774B4E14B5D00E283AF3710DB01A86B6FFE110429A - -Count = 274 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708 -CT = FE628D5C6C6347FC88C4C8BF373370D698D0EAD50AA6B8A5 - -Count = 275 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 00010203040506070809 -CT = E9C2858529D6FEB545A063F7D56DAEEDFEC0B83436E2A76E - -Count = 276 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A -CT = 
FCD0420F6E34CE1DEBD6A9219DBEC0C4C736B48986A0D4B3 - -Count = 277 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39F45DB6EFDA61612C97C5E99F5BBCBB52B - -Count = 278 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E46DB165EDCCC8443C21A9E02F7A0EA28 - -Count = 279 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728DB5689505F653B9882156BA8A561AF9F5 - -Count = 280 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF6299797CDDD486A5DB010388CF5A18A688C - -Count = 281 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE5985C97AB434E7CF00BB6F55BFE17192C4 - -Count = 282 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A0B106129273B103713FB6E7BA2353F197 - -Count = 283 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46BE4AB61D90D94275ABCDA50C86033D92 - -Count = 284 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA8D8C5E9CF2B81BDE8953EF163563EEC4 - -Count = 285 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE9C881C90703BB8BE60FFE3B266052EA3 - -Count = 286 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7CA43523DC2EC21357CA92B6DE88E87ED - -Count = 287 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C79363AC70E4F77CC466CA23208E24D14FD7 - -Count = 288 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162D50403240BC1BC9E107D6CF4DDFA329C0 - -Count = 289 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D3F46973518B62E5504AA1879B948C7A1D - -Count = 290 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC990B4AD44E020ABEA246DDA55C01CDAE - -Count = 291 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCAFF9538851D5335702570AD2EB2F2E9C - -Count = 292 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D173EA8E105C5D17BD96081D5AD33021A1 - -Count = 293 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C8FB19FE1BF3EE8F5C7C4782F97970E8EF - -Count = 294 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7264ED9AA13C206B48F060E58A7F1D37E - -Count = 295 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC41C4E1AF065B3CC115ACDCA319C81497F - -Count = 296 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC256126422FD989731159CE0B02DFF488C2E91C1 - -Count = 297 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 0001020304050607 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C971D7C710433FF3A56D70FB546A567C4 - -Count = 298 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = -CT = C9F98EB86B5527F8DB95850398FF83DD043097648FEAF6C378 - -Count = 299 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00 -CT = 23197038165DFA2E59B7E359D44E7E0149451A36A0CC9F41DC - -Count = 300 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001 -CT = FE9D361C358BCE63BA684BE77956A508CF1382F63564FFF112 - -Count = 301 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102 -CT = EC81D566D4E35BC9F915B598246433E1E5C71A11C0F203FD98 - -Count = 302 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203 -CT = D189084B12BEC8FC8F18F8CE7E798C7164288F50BF5666B43F - -Count = 303 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304 -CT = A748A865EC8E77BF1540D38E0037C8863E64E88156F240F991 - -Count = 304 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405 -CT = DB24D0782A7BB0A9E21A602F2274A2F0C27D25115B6125D5C5 - -Count = 305 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506 -CT = 1D17560BBF8DC9720E516A3E78B2B53D2D149FE9CFAA84C80A - -Count = 306 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB12B96438F3FCF1914E335DE185151D7E - -Count = 307 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE5D3719FAFC07A60F468F18014E543FC9 - -Count = 308 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 00010203040506070809 -CT = E9C2858529D6FEB52E023C4A7163CC60A343C4C9EF98382ABF - -Count = 309 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5ABE004F7F4DC89FB3B30E29BAC513E12 - -Count = 310 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD75143CC35577D088A1A6CC851443414F9 - -Count = 311 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E724874B0EF40EED1556841ECE46C959EE0 - -Count = 312 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0A389FF0B8CD432972CFA5CA6EF51339E1 - -Count = 313 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E731B534B0E2427BA98772B637ACA1B1FA - -Count = 314 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE590098911C9579C86E035871418B7E85B7BF - -Count = 315 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A0923AB955552645ACF77A78671812B55E8B - -Count = 316 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED0DA4CC12347E74ADD6B220C9637FBE99 - -Count = 317 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA727DC098C3996138BA0437E8837797B7DC - -Count = 318 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B0A3AD06FA48CC01497123502D9906DE3 - -Count = 319 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C68B1C2824C3F535DD18D1BC8CAC4B70B1 - -Count = 320 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F85138C5BBA4B92BA3838CF32F0F434116 - -Count = 321 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF539DFD12765BFBF35B6010F8E1C2FB957 - -Count = 322 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D361C74D8D08914BAA7368098D5DD26529F6 - -Count = 323 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F0EBF098F4455205D44BD18D16E552C61 - -Count = 324 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD0CD0357965C87D32B2B883E10D317AA6E - -Count = 325 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BC115E09ECBE834DE08996491A8ECFCD5A - -Count = 326 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C123F7619B49E54B54C844FC3F88BE6AB - -Count = 327 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B8D3D333E2377DE906E6F69CD57263E7E2 - -Count = 328 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7D7315A83C5610EF79FADCF2228BBE25D - -Count = 329 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CEB262B1F07FE895D5BFAFC78B9890A303 - -Count = 330 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5F5272CB045A5CC2BBAD616F207BFB6865 - -Count = 331 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = -CT = C9F98EB86B5527F8DBF6510EC6CFCB5320357D9F0540949C0739 - -Count = 332 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00 -CT = 23197038165DFA2E594A4F4846A4EAB117ECED95B66022369275 - 
-Count = 333 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001 -CT = FE9D361C358BCE63BA1044440F7BBFA6E51574482E9A6AECB09C - -Count = 334 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102 -CT = EC81D566D4E35BC9F945B977DC230447617DB1780D477922F1D8 - -Count = 335 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203 -CT = D189084B12BEC8FC8F96508A7427815238280C9FA9DA7A9EB2DF - -Count = 336 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304 -CT = A748A865EC8E77BF15431BC0CE0B89BA753D7F54ABCA9840E583 - -Count = 337 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405 -CT = DB24D0782A7BB0A9E2246316F1D28448B705C6E9591830169A4D - -Count = 338 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506 -CT = 1D17560BBF8DC9720E27FBD7A96D99757BA4CDDC065CFB4FDD0E - -Count = 339 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E4B8805F3953AC97F3B109FB338A18A39 - -Count = 340 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE2520270F4B989CDDBCDDE1C6EC235673D2 - -Count = 341 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF4A1425C4E74F47A6859A5BB9CEAEF6595 - -Count = 342 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E1641F51D53E5C7F73EE0A4906AE600ACA - -Count = 343 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D8094D4ACCC2B74F460D50C5F56E93150D - -Count = 344 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EAC80B30DBC2279DD40E11C3107040A6A5 - -Count = 345 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB96D259D105A6C1AFF806A0AFA630C784E - -Count = 346 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E703FEE6662C67A32A80E05866EDD9AC81F9 - -Count = 347 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE590058D7DAE959802FFCD4F0C6AEAC90917F7F - -Count = 348 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A0920950631EA4B12FD863BA289BABB8E1022F - -Count = 349 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED51538C82438EED4CDF12AF9FE004FFCF85 - -Count = 350 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D62E9858E67C364EFE9448A17E27CE8013 - -Count = 351 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B064ECF65F830D5F2305DB4659A821443FB - -Count = 352 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0909B3CD6AC7CDFB1D4E98ECA3C51FD26 - -Count = 353 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F61695555BCB1E898AEA7D78DFED1E4BA4 - -Count = 354 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF5599483671D4B8A3004E05C40D5FAEB14EF - -Count = 355 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106F5813202AB368C8E0903BE575E8E2D8B - -Count = 356 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7C1E7D6DF0A2FA6DF3D27558E8984FB2F0 - -Count = 357 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04B4C0470B1DC5FE5776368C8674220ED59 - -Count = 358 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE591EC307920710D53CF7DF260FA67C57 - -Count = 359 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C4907AF8DC2762E0D40AA1E8F4B00E0B89B - -Count = 360 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C6ED7EBDA2D25A3A35E8CA840B4E4A177 - 
-Count = 361 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C8D36A6374AA48F0908EFBD63C0C949ECF - -Count = 362 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE338CBD4728578C342893C69B8E856A1573 - -Count = 363 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 00010203040506070809 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBF51929594DC98DDEB77D8C0E8E6022D73 - -Count = 364 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = -CT = C9F98EB86B5527F8DBF63ACF0E816185B1CA571203DCAEA251B874 - -Count = 365 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00 -CT = 23197038165DFA2E594A328A5262B43CF7262BFDD99D4DA4E7FC56 - -Count = 366 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001 -CT = FE9D361C358BCE63BA1032A8D6687A7940107AAF87EBD3CB7EEF72 - -Count = 367 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102 -CT = EC81D566D4E35BC9F945B1CB3A315A3355B636E2A58F729182453E - -Count = 368 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203 -CT = D189084B12BEC8FC8F96483C9F71F1124B76DC648047726CD1C616 - -Count = 369 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304 -CT = A748A865EC8E77BF15434B69AC4ABA83AC7D2226C21CDDD1FC3D28 - -Count = 370 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 
000102030405 -CT = DB24D0782A7BB0A9E22421F517E911FFF648169AA8144F6CE3B837 - -Count = 371 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506 -CT = 1D17560BBF8DC9720E271247E7599B6227655583977271FE036CBB - -Count = 372 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E56BFBE888679A5B4B0C51320FC65B3193A - -Count = 373 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258BA539B9E80D0C9E09B2DE1EABBDD24203 - -Count = 374 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49F8821CDBF1941E57C8A33A783E05705CD - -Count = 375 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EC21550515C6B7129B2A866D4A3B8D67B - -Count = 376 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B7DDC3F5A985A7274381EEB194C59E6F5 - -Count = 377 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4EFEC8832FDB55435B738A674A92D22D62 - -Count = 378 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB9716C54ACC339616A90EED101E669690627 - -Count = 379 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350E6FEAACC4610E23E23915B14E7DA3F8D - -Count = 380 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875E8F27E31744616EC72D91776C2020CC7 - -Count = 381 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FA4C188C9EE4D045FB3704ADCA85C3E268 - -Count = 382 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED519284C43C0D61A309764C90A98B2BE3F80A - -Count = 383 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FCB0257C6DC0C4B71D333987969279A63D - -Count = 384 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF7807B2C33785E74EDB3753CBA2B9EC8C - -Count = 385 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CCACF09868C4605B7066F9B6B3802F89D8 - -Count = 386 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69C3AE7D0D887D943390D6F2C0AAC00E52A - -Count = 387 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF5594124759816B18DA79C694416C5B74B32CE - -Count = 388 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
A5F050BCA298C6D36106B04CDFA1F2B0E427CB00B8C495A794CC51 - -Count = 389 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC0F430BA4613725148E01C42B37EF17A46 - -Count = 390 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5ECD358ED0A71446A0BA601A639A8A14F - -Count = 391 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F45C13715973E406ACF4C71348B6B4076 - -Count = 392 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C0AEC571CEA60945621554280E1B75572B - -Count = 393 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D48AFAB4181355D9013A2A0C0795C2309 - -Count = 394 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83D82F45F11D129B76A4BFC2363EE7429B2 - -Count = 395 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33285F6F4FD0CEB34931EEBAEA43F5AC2457 - -Count = 396 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDCE56E4CE153E3BF914A70FEFE3AC7FF37 
- -Count = 397 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = -CT = C9F98EB86B5527F8DBF63ACBDA30F68481D54A323C05167029DB2A4D - -Count = 398 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00 -CT = 23197038165DFA2E594A323B924D6E0B3F39133D689B0E6D90CE30CE - -Count = 399 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001 -CT = FE9D361C358BCE63BA10321CB09ACB70A45391A9BE91A81D31C2A17B - -Count = 400 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102 -CT = EC81D566D4E35BC9F945B1C7457D62DEE693D0361F289EE60C4B4066 - -Count = 401 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203 -CT = D189084B12BEC8FC8F964867806AD6FD4CFFFC768518C3C2D4245372 - -Count = 402 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304 -CT = A748A865EC8E77BF15434B10CACB795E9CDD941C291B1BD4F10610DE - -Count = 403 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DD94BA13DD0368728D2807396C723FC56 - -Count = 404 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712624768A48895E251035023FF5946BB66E7 - -Count = 405 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CCF7AF50FC6122398C32E0B7742C86930 - -Count = 406 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B215B9F9EE04910B692696B2900C7AB5EF3 - -Count = 
407 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5F42E5492568FB805E7D8DF08AF3BAA26 - -Count = 408 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDD1CF7D7FC2985F383FD045D465A86D356 - -Count = 409 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B18196D4B77DA34FDEAC4A7AAF0C8370CDA - -Count = 410 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E52D6051538B68E06279CBA11669F25CE7E - -Count = 411 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3EAF5C218949FE981FD2797493E2E862B - -Count = 412 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E7035055A522BFE53086B2E7A020699047AB3C51 - -Count = 413 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D9452F39FCE1377E59D6F442107CA206FE - -Count = 414 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFFA9A24C82E24FDBAA64F3B8EDC5D6B7AD - -Count = 415 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D732A91894E26ED9440B7838A056FD9C33 - -Count = 416 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC2691D6642AB3EEED5B62E0186B5293806E - -Count = 417 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF487E36105E2DE0EE1F67F6E9D8751E04B0 - -Count = 418 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC396D910D880CB41D11102975F2C87F95C6 - -Count = 419 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD55F19AF6AED913F32EB9CA52678EC3C6 - -Count = 420 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419B73ACF3EB2694087ADC9A10EAF0076DA8 - -Count = 421 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B020229D06194B7B5A08ABB8512625F93754 - -Count = 422 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043485F62F90D1C491549D08C9A3BED3C58 - -Count = 423 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA5767AD6CBC75221CA65C4C9EC0003D51 - -Count = 424 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16D9431004186D00BCB90C19F8CBD287A0 - -Count = 425 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08BB36FE30272EA2AB6FABB16B7297E5FB0 - -Count = 426 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7B0F036F81ECFBBF7CF4A97975BADCE7 - -Count = 427 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5F401340B1D1E5B0696180AA6C9F8C1AE - -Count = 428 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284B5909D91B42C0FD2392998D0443101D9C - -Count = 429 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8F758132A98B03B144276669D8F1A6941F - -Count = 430 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = -CT = C9F98EB86B5527F8DBF63ACB57DF00D2427859F33A932751CE8A8C1D2F - -Count = 431 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00 -CT = 23197038165DFA2E594A323BEE6F8415F69A7731214210A7D020F7C2C1 - -Count = 432 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001 -CT = FE9D361C358BCE63BA10321C6CF651CCE2A93F031FF09E750ACB499C41 - -Count = 433 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102 -CT = EC81D566D4E35BC9F945B1C73698C8A299555A77B017EB56304FE56C1B - -Count = 434 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203 -CT = D189084B12BEC8FC8F96486759533E7D9C8FF9A516B6FA9FE000D612D0 - -Count = 435 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DCF5AA4E75B073778E028A68B4D6769271 - -Count = 436 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1BFDE707BFA7971BDBE3E183C4D7FB66D - -Count = 437 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623A4719B1D8113597F971F35F49399F6850 - -Count = 438 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB52E00AB1C8928D7E9AEEC68A2A0515342 - -Count = 439 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F949B792C2E133578A8318BB51D126F340 - -Count = 440 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D5274B8A22D3336B59F4508E3BCE675924 - -Count = 441 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE5DFE573C3549EB8E6A9E6FB7E731DAB4C - -Count = 442 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 
000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189B7619B1F1BDDD32260EC2B2CEB32BEEF3 - -Count = 443 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E522415D2ADEB646FC35ABD04CACD996E00E0 - -Count = 444 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B42444F592C83FB174E0ECB79C01B594AD - -Count = 445 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E7035055363BE74462D84FE1E291D4D677CE3F6676 - -Count = 446 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996839754A1705EEBA97908975621B79C74 - -Count = 447 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6D297D577C782CCB6D17694147B186C34B - -Count = 448 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71A96CE2318813B16E4BEAFD948AAC822E7 - -Count = 449 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266EDEB0C685E9E149664F867842BB1D277E - -Count = 450 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483C534F79B578CBE908DA0BAE763820F2EE - -Count = 451 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT 
= 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC39703DD49232260E889234C081E480827D7C - -Count = 452 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD417E086F80336F71DB8165C3C2A741CC41 - -Count = 453 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC3B5ED53322A88DAB86B2C820E03021605 - -Count = 454 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209CB5B0C114611CFE8E66E76B053D32B2AE - -Count = 455 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F2EB8D39167CBDDFD5D00B09D13B233209 - -Count = 456 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9AAD0F9F3B8EBB97F3BE9837079AA06C8F - -Count = 457 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F1669C33EFF3203AE5E60751E6207706544CB - -Count = 458 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2E65FB2C410CDB3235BCDCB5094656A641 - -Count = 459 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7E5CB65A6581AEB95A56279279929D3622 - -Count = 460 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD37D5A994388AE049359ECC428E30A267 - -Count = 461 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB96BF4A2FDFD1CD547387EF0D1F4ABDFC1 - -Count = 462 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9BDF3034C6A1F5CE5A5B2C99A1C7B7CA0 - -Count = 463 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = -CT = C9F98EB86B5527F8DBF63ACB57B1DA4DC8FD74D91045BF24FCE0BD51E10A - -Count = 464 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00 -CT = 23197038165DFA2E594A323BEEB3D610B631605C23486B8FFF0B87E18057 - -Count = 465 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41D9F4FAC77F7683A7E171EA46CB8DC5D5 - -Count = 466 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102 -CT = EC81D566D4E35BC9F945B1C7366524931E0A3DE9B94D57FD5BDF06F9FA8B - -Count = 467 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FED2803E2AE66A253AAF0CDC2B5C5BC63C - -Count = 468 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC18301F3096F7CBD9608B29DEA8909B4E17 - -Count = 469 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A18E41CDCB33FB5DB1D76AD7C06E2CC881 - -Count = 470 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3B7B0620FE51DD5EB3C6DDB48E0096C08 - -Count = 471 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB577D87AE29AC9DB3F58A16A52861AC5B23D - -Count = 472 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93E4B43B8274FE55887FEEC0E769141633E - -Count = 473 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EFAD4812FD1FBEAA611D87D690F3559F8 - -Count = 474 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE537E6FCBEE7B0558B93E3F0D84416409C0F - -Count = 475 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9E54D9DB9D5DB3AA5122799963576F564 - -Count = 476 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7C97FC2E2FC0DC49C2BEFAE940E94DE59 - -Count = 477 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 
000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C193589EBC49851E8228C6A589055A6F2 - -Count = 478 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620986A05613E97F14831F73EDA548145A7 - -Count = 479 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996FA0E0BD5CE71FA235720E108D946B793DA - -Count = 480 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD8EE48DFF45CEFED5A35C9882611E0C55C - -Count = 481 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABD5199836847DCF77F177D768BA929F976 - -Count = 482 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED3567F2F3EC62B101D7C62B20FB52231DD - -Count = 483 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD382D9C5EA67A675234C5D5BEEE27936D - -Count = 484 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E9B919A4DE8389DCF460AD41ABEF65FE20 - -Count = 485 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD41F5D8B609727C8E1EED37C0970C67880AE8 - -Count = 486 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC38836B6F1273B9471E05C396622EB94966F - -Count = 487 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7B2EAA38F69C86C9877323A02803731851 - -Count = 488 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F2488818090BBCD375DF55048F8BDFE53F04 - -Count = 489 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A429D0FEA30FCE384E1FAD4EC72A135821D - -Count = 490 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690890B47FC40C672B9E02520F9B81BC74BC - -Count = 491 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA1F40F3F3A6A6071685B59B16EFBCE32B6 - -Count = 492 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF26250A6966A872B83D2A14BD2C6D798C4 - -Count = 493 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87BD4001FE451211A9EE97546EB49E3332 - -Count = 
494 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9264CFFB8048AD472D1E0497D631DF0270F - -Count = 495 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DB2316BFD268A3EC9FDD3EC6B8A288E171 - -Count = 496 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = -CT = C9F98EB86B5527F8DBF63ACB57B17444510FC8C1CE9A316D7D4F8B59BADC40 - -Count = 497 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00 -CT = 23197038165DFA2E594A323BEEB397E9AB7EE43889B8C93754730F643832D1 - -Count = 498 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41CCEF9E17111FEB37C589ECDB7F7A5FAFAA - -Count = 499 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650E843F0CDC1C67FC85A6CCFBB8A1D86F27 - -Count = 500 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DAE7D33828B36DF83899AAEAC67576C57 - -Count = 501 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187AEA1AEA18B17DD5DB151854289F4E38D4 - -Count = 502 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A13AC7F579F67B0AB53F16B7F2D9CD509ACF - -Count = 503 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3412B9B7D59D3A26D89689C9BF02525E713 - -Count = 504 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771AF2D89F19A9DF52589E2161314E3EC40C - -Count = 505 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93EB432C0E81C752E71DB8267C54E56093358 - -Count = 506 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA53407AC7BF6259CFD38F1A8D4331E59CF - -Count = 507 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE537955C9D3DF75802E341416CE65A2616E138 - -Count = 508 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA953304F8CF2B8F05D31F126503EE6E96976 - -Count = 509 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7E7B9A4480C61F24F0DC1E1293A0FF7138A - -Count = 510 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E6537D20F3F9346263325B2D5E1E823D3 - -Count = 511 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E951B89C7930A2214F9BBA3CFCBDB629AF - 
-Count = 512 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996FA128346A74ADE1DC03CEB0CC4DD14440928 - -Count = 513 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831DC333C013F409D43F3EE90A0D9C56A31 - -Count = 514 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA74D7900768553E478F14503DED2121FFC - -Count = 515 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D8CDC4EF098A1C20D9A1AA10D81AA517B - -Count = 516 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD2493FB841414F02AFD09C6DEEB544D6B47 - -Count = 517 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93E60978C2458E0EF1C565737F3EA7A8090 - -Count = 518 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD41F5D63F77CB571AAC584929C46EE25BF24507 - -Count = 519 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B127923658967F63189269EC13A457F5C8 - -Count = 520 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7BBEADB521740086C4F2810F8A796A63E295 - -Count = 521 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3844D42DFE8D6BC031225AB117795AA96 - -Count = 522 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422BE474E7345A60349880098B9CC73CEFCF - -Count = 523 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883C6387DF26BF0495FF98AE6EE426B797C - -Count = 524 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA198BD561F9E8FCB1949924F534F9D2000B9 - -Count = 525 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236611630F87AFC9552A5CE7FE59D43A8D4 - -Count = 526 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87265BC92CB41CE75D607FF792E210FA1892 - -Count = 527 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C3B952CAC3D8BA81C324816A49F581905 - 
-Count = 528 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD47D4F66ED2849F5C3562967F82A883680 - -Count = 529 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = -CT = C9F98EB86B5527F8DBF63ACB57B174DE5616DF353013DD94D33D7300867C1241 - -Count = 530 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00 -CT = 23197038165DFA2E594A323BEEB3973AB01B11EE81F3A896A702B347064A8798 - -Count = 531 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41CC7602D2EED44604C600CF7F2ADA5EE1F7A7 - -Count = 532 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650EDA79011357B177750A47D40B675341F099 - -Count = 533 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DEC6CCE9D154222DE7E929AD02458C08157 - -Count = 534 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187A4022DBFF28D27A819937F055742056DAA1 - -Count = 535 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A13AF6F7292395F07C15BAA36501C8BDB544E4 - -Count = 536 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3416C9E4D4FC11C4C2CBFCD7026167D49DE10 - -Count = 537 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771A70B1ADFFA76E574C0E43610147C1AECA96 - -Count = 538 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93EB48E6D2901944CE4A8A687041800B81401FE - -Count = 539 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA58893C23BA77EFDEF1244E09CB26EC77212 - -Count = 540 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE5379570826607720477BF5D03A10F4288741D25 - -Count = 541 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9534BA1F7AF3706800E5A43153EFB798C9861 - -Count = 542 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7E73BA944DFC6F5E29077A4F944134EB5123F - -Count = 543 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E754FFB5F3192F32BDAC5E38BC5935B2F41 - -Count = 544 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E9B09F75AC04037748DC6D63B4487FB940B0 - -Count = 545 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F -CT = 
0F47F3B0C630FE59005875D996FA1207ECA4083541524376886CD1DB30016B2C - -Count = 546 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831FB2773C46432C0621AD8992347902E1123 - -Count = 547 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77A19C87647749700B60B257F42F282D24C - -Count = 548 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D15C8231198E1AD1443B7E3E7F6B5C28CF6 - -Count = 549 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B62DAD7836BB8AD559B75967D1E58239B1 - -Count = 550 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAFFE1F9497FC1441A42EA79513A4B12A76 - -Count = 551 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD41F5D6F25953BCCCC7833EF451C720DACD910CC5 - -Count = 552 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B19E2AD3548FD2EA9FE2CC9B6D9E410A4029 - -Count = 553 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
A5F050BCA298C6D36106B0209C7BBE36A67FE170C5B3E40BE41173466B1D986D - -Count = 554 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3163FA1AA1115F8FCA10F20E4649A911BE3 - -Count = 555 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422B92A8AB259F885F761CBD44E814521CB9B0 - -Count = 556 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883CBA2ACBB62663034593FC6DE1F69C78070 - -Count = 557 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA198AC749402A15B9C306939588FC2B9488A84 - -Count = 558 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236A0F48A330929F77E2894E2BE8E7C64A655 - -Count = 559 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87262F76A35D299251F95B431F4FED39E531DF - -Count = 560 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C97800ED46590A73F583BD34CA649B995EB - -Count = 561 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD4825E23BD4B138FDA0E6772916E8AF1DD50 - -Count = 562 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = -CT = C9F98EB86B5527F8DBF63ACB57B174DEC945DD5542393590389AA08608BAA3647A - -Count = 563 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00 -CT = 23197038165DFA2E594A323BEEB3973A56F81D2887F4B591BC3325293AA7073727 - -Count = 564 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41CC76B5693370660C507E75D61F18DC8685592E - -Count = 565 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650EDA4382887994F9067C04AC69F4DBD9AD6EBA - -Count = 566 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DECCCFBA8EEC5F84047B0D14689DCDE53FC41 - -Count = 567 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187A4094CE7C859C2230B0650D485D27872EB9E6 - -Count = 568 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A13AF61CF76F760A6EE2E1DB94188E61ED89F1E6 - -Count = 569 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3416CB9C25DA3A5CECD7A4FDFFA8D8DA9DAEE23 - -Count = 570 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B 
-PT = 000102030405060708090A0B0C0D0E0F10 -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771A706E06473BF331F1778C2676D2140273BEFB - -Count = 571 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93EB48EFD456ADE2B896566AD02E9B4B45E236118 - -Count = 572 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA588A7B6B0ACBBBC1FC0C948137FC78BB9FA63 - -Count = 573 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE53795707DF3B5FAF39097659692917610FAD8C8AF - -Count = 574 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9534B76A1588C3E87CD072660834DBED7A9CF2B - -Count = 575 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7E73BBCB83814D85A37F26592CDBB5DE41A58C3 - -Count = 576 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F1FE882F235A32CB30D3BBF9E2B4FF299 - -Count = 577 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E9B0C26F4126C9932DDA88D2947092E7FCEBD3 - -Count = 578 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F -CT = 
0F47F3B0C630FE59005875D996FA120759AEFA370112EF06D5537E95014136972F - -Count = 579 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831FB4A5BAAB112BDB0972926FB3AE12A7F988B - -Count = 580 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF76B9F36977B7158F1E286FBA83499B271 - -Count = 581 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D1517C0800691DD84AC15F3979C271A273578 - -Count = 582 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B620E7AAD2BB3C9353E5353AB1CC21DF8EBC - -Count = 583 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAF17FB31EECC1DFA4BDB7365DC0C18E91940 - -Count = 584 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD41F5D6F2000C63C7D19AE59D5F4C059B95625C761B - -Count = 585 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B19E96CC77B0038B20B214D16DD0D9968C95BB - -Count = 586 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 
000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7BBE364BF378EDD840ADC9F39B2C65E021D14154 - -Count = 587 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3168FF0781FC2F4C720A1481A95AAAB8A37BD - -Count = 588 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422B92FD2D9E5004C3497CE014BE56400281AFDF - -Count = 589 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883CBF23D63C0828F67D4157ADF23DE835D7BB2 - -Count = 590 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA198AC77D031AA0A5F950F129C08EC3115A927C1 - -Count = 591 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236A07DA30FD9FA53527291509653DFAAF148CF - -Count = 592 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87262F46583AC0D2991296413220A9F5B379678B - -Count = 593 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C974AA9174DC9490E0389819DDAAF6E4E3711 - -Count = 594 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0225A021215185C3B11DFDDFE18749BB4 - -Count = 595 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = -CT = C9F98EB86B5527F8DBF63ACB57B174DEC9538F1FB5F7EDF0654B05BCC2923C994116 - -Count = 596 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00 -CT = 23197038165DFA2E594A323BEEB3973A568FE1B216B70B6E164532847BAD2F2742FB - -Count = 597 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41CC76B5D46A8980622D82DAA320870CB4DF6FD19A - -Count = 598 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650EDA43E83038C757442200E48A6E02CB029B8D76 - -Count = 599 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DECCCD41455130DC1610C6A358E7B775E40C2B7 - -Count = 600 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187A4094FA14EA928ABAFA65EF439F429DA3D596CE - -Count = 601 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A13AF61C123C28C36B0FCC44AE145B98CC4F854C2A - -Count = 602 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506 -CT = 
1D17560BBF8DC9720E2712623AC3416CB9B72464E97083AA477574DA6FD3640C5165 - -Count = 603 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771A706EA1D43B1BD6FD6AF24CED53C24638A624D3 - -Count = 604 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93EB48EFD045910BD2536A294FF4C8926B06A8D106F - -Count = 605 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA588A73CA11CA4058832A5527B440A1C3173E4C8 - -Count = 606 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B0A8F34BDD8C6207122251FA6F1F5D1FC - -Count = 607 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C446DD39EF655413399D847517E1AF46AA - -Count = 608 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7E73BBC13A6375558EBF42CA9E2CDF518017A7466 - -Count = 609 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C7E0DF29C011CBD5CEFAE5B4BE80429DB - -Count = 610 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E9B0C2068F5DD5AC9252575E97E794AD98E1D6DD - -Count = 611 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996FA1207599A0790C79E7A7177834CEC12BCCF89C9F9 - -Count = 612 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831FB4A96065577377996B8AC480806A6C82C66FE - -Count = 613 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2F57C29A1CAB60DBBA5276BF2CA3BD4C3 - -Count = 614 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D15173FEED1DEE49A33D750A902CF465FB3D541 - -Count = 615 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B6200511E16840C21B66FDC24E9360FDA1EDE4 - -Count = 616 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAF17934C6BF59E728C632A3D76EC4A38BA0ED1 - -Count = 617 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD41F5D6F20005BAC06FF41AF32CC81DEE31CCA168D5BC - -Count = 618 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = 
D84816B878D7162DF559419BC388B19E964292936B9180AFB0EE29F9EA36D2788710 - -Count = 619 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7BBE364BC517D52FF585D1FBAD681CD693A7D3362C - -Count = 620 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3168FDE04B97360379F84F753CBC6F9B0E69803 - -Count = 621 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD00BFC2D5626E53422FD66CF9C85192AB - -Count = 622 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883CBF21580F795B5C871C5636BF998C19F6EAE7A - -Count = 623 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA198AC77C814AC4766C231429C5E4C3335FA218115 - -Count = 624 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D1D2C0D26C1A62F0AC7CFEA0C3EE40591 - -Count = 625 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87262F46687D86B3657181DE8E9D9A35DC69A04EBA - -Count = 626 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C974A1D4C410CE3B9A0F85A0D50E1A85675F963 - -Count = 627 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA86908DB4D1DB0216EFCEB2A88334BAB6 - -Count = 628 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = -CT = C9F98EB86B5527F8DBF63ACB57B174DEC953EFF4ED34E921B0C534C713712EC984FA03 - -Count = 629 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00 -CT = 23197038165DFA2E594A323BEEB3973A568F6C2219B8A0C1B88FCDA0AA086C4C6CC51F - -Count = 630 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41CC76B5D4472DCD3E830B9072F6EDF3D5AEC35F924A - -Count = 631 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650EDA43E8888B529E0956E1CC7F1825908EBA71B884 - -Count = 632 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DECCCD493D3A6849FAC15B24D2396AF1C4F4ED6EF - -Count = 633 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187A4094FAB32C6B988388440644082F1A6F4A0AC02D - -Count = 634 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405 -CT = 
DB24D0782A7BB0A9E224210DE1A13AF61C12AE0A1F92EE539F21D206119A1AD04A89A9 - -Count = 635 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3416CB9B786E051D266F874477521DA01701450E60F - -Count = 636 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771A706EA183D5706B5EBEA63E67E625D7A23E8DB2F0 - -Count = 637 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93EB48EFD04635F39F11530084E7F61F8E1C6D8E4757C - -Count = 638 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B40308CF8BFCDD07DCF9DA70067BD4E99 - -Count = 639 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B6A825A6F8C54DDE7492F314980A3C03FDE - -Count = 640 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48ADC12A0ACBA06C16922C75BC4DEA0E5EC - -Count = 641 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7E73BBC136FD464F33D2AEBC7CB644EC7040187B159 - -Count = 642 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B2AF542953A076CA1A2BA5DA70CD01DCE - -Count = 643 
-Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E9B0C206468CC67CCA55C81324613A8B4EB2E2CFD2 - -Count = 644 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996FA1207599A4E5A8C97D782EAABD1F05DA7230B0FCED4 - -Count = 645 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831FB4A96618CB370D35F74960773CBE5BC0140AF74 - -Count = 646 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B1E29FABAA216CB3BE1E956030B1682CFD - -Count = 647 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB2380577AE1E54E1D59C9346170153657 - -Count = 648 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B620050B215AEC4473C93D79934EEB33066ED8BB - -Count = 649 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAF17939032A81BADF260166D5A0870A1F12A4499 - -Count = 650 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
8079ED0F7239C793F8F69CAD41F5D6F20005179F628276ED9E046EE6312BE0CC400CA0 - -Count = 651 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B19E96426BE7C50E3FB14DFBF6183EEBB6196401A0 - -Count = 652 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7BBE364BC5340E315D158A6E313C8C0086726CD6CA46 - -Count = 653 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCB7CA7D3CD7784D45653C170CC9ED2867 - -Count = 654 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD306D26EC9518EA47E73A9F25B935090B4B - -Count = 655 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883CBF2154E88B27C163669B95614BA61106B195339 - -Count = 656 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA198AC77C8B67ADFD4F66560F27C89F83847C670B94A - -Count = 657 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E82F6E2895D332136544B70C9DF798CC1 - -Count = 658 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A82E02E6C29B66BB466EF223A0F1547B24 - -Count = 659 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C974A1D85DE9503E01C6E81BBFD076D3BC9FC2F4E - -Count = 660 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05F4581BF68B8B49746925D335424ED23D - -Count = 661 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = -CT = C9F98EB86B5527F8DBF63ACB57B174DEC953EF56BC734FC7716FE1F318C64BC39140BF98 - -Count = 662 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00 -CT = 23197038165DFA2E594A323BEEB3973A568F6C95DDEB9F8E18B372D5D6BB6AF211AF51BF - -Count = 663 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41CC76B5D447A764071D9D776C9E8B7BF11DA51FFA4A3B - -Count = 664 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650EDA43E8880C0A07B30D24A79B8FB2246E8432A5C37B - -Count = 665 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DECCCD4936CDE5145EE86ADFE98B311EB2A518D1DD8 - -Count = 666 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187A4094FAB3F4AD70C6E293DD6CFCC5CBBB2CFC5E4D4C - -Count = 667 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A13AF61C12AE9684B826699859C69BA177869677B025A4 - -Count = 668 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3416CB9B786F9E252963483AC8BED6B320FCFEDB3BEBC - -Count = 669 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771A706EA1833CF37ECA1F6CE98D78A48B8B639735295D - -Count = 670 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93EB48EFD0463F52D0159284C881A4E4D1AB67C53E50A8A - -Count = 671 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B3D567B81AEBEFFF64AA5F87D80FB39D5FC - -Count = 672 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B6AF10D0E9A00503738FF087946F01B8590D3 - -Count = 673 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48A4C1B739987E48EEE4E6427FAD474AB6972 - -Count = 674 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7E73BBC136FFBD680EC386EA65A48B987433C8AED316D - -Count = 675 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B5F64B7BF2E71BC1D9B6482A24D3C630F39 - -Count = 676 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E9B0C206469FB8FF43A5086E5FA37B4904D143792609 - -Count = 677 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996FA1207599A4E353F66742E5893890E8AE1E87B588A7408 - -Count = 678 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831FB4A9661D421F6B16D533AFAD596AF98BBC6AF3980 - -Count = 679 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B11C2F866643A5934C85ABCB85DFE9F22CE0 - -Count = 680 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB04F990117BCC6C33C9EF00944F4323809C - -Count = 681 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B620050B261F7625892D2103811099A4E8006E0330 - -Count = 682 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAF179390D9DA29E78D00A826371100551DEA885897 - -Count = 683 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD41F5D6F20005173D6CA580E1434CBE6E7A2C56A2EA600CDE - -Count = 684 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B19E96426BF59A76E412BCD31FF952F406EE0A1DE847 - -Count = 685 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7BBE364BC534E710579BB779D400B59FB66C98DDD6E26A - -Count = 686 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCCF21C0F62CA603E46C859B76A44DBF1DA9 - -Count = 687 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD301FFCA3B757CB93D1899CB85B90C503EE92 - -Count = 688 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883CBF2154EA04C9117F14A3A7068041A451A86F8CA43 - -Count = 689 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA198AC77C8B63E69A52DE16AF6CA8671DA302C9145D999 - -Count = 690 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E8C30FD19151A2776E922F8ABDFC107F99A - -Count = 691 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A8D50121E22F96A7E7EFE973D724FDF8D193 - -Count = 692 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C974A1D85872B6956B0611375E3160ED6526718C3A9 - -Count = 693 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05BFC989A838AEACCE47FC62B6E17D39BD23 - -Count = 694 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = -CT = C9F98EB86B5527F8DBF63ACB57B174DEC953EF563317D8CE0230822F499E9A5138CDBD2F25 - -Count = 695 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00 -CT = 23197038165DFA2E594A323BEEB3973A568F6C952570AAA1453620EA20C28A85FA569B855E - -Count = 696 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41CC76B5D447A7060E75CFF298363A3489177F5C43B328FB - -Count = 697 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650EDA43E8880C27FC458CDB664E47E431AB887267FFE3ED - -Count = 698 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DECCCD4936CCBDA3F56E3DF9A87FA1CD66727C54D7035 - -Count = 699 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187A4094FAB3F4802B1CD63D1F29760E05DCCC3FB3CA9D81 - -Count = 700 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A13AF61C12AE96C628DB083071161CF5EAA15919D6442BF7 - -Count = 701 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3416CB9B786F9ED742280F1DE41BCF94D0843CD8FB3EC65 - -Count = 702 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771A706EA1833C33CD5F5A3C57609EC751B771E6F9D5E844 - -Count = 703 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93EB48EFD0463F54972B3C5682F4C26B933C7324A04D1D93B - -Count = 704 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B3DE4BFBC3E0F0EB18D8ADAD9947136BB042A - -Count = 705 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B6AF1148014AF70D24464328255ABE113C51533 - -Count = 706 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48A4CEC20EF37D463400263AE235D0BFC164270 - -Count = 707 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7E73BBC136FFB77EAA4FE85FF69CBECC31F600B39BE001E - -Count = 708 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B5FC61AA18B7F8557B18F872D18EE549D3CA0 - -Count = 709 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E9B0C206469F830A8F49503271D3F33CB977F2F1E67C95 - -Count = 710 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996FA1207599A4E3550C7F5B9F38DC604A94310755EB5F33E04 - -Count = 711 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831FB4A9661D4EEAFBF787CCEA79F2D5161D3E8C186CB54 - -Count = 712 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B11C47CCC72EC3BDED9ECBC09B090A12EA9701 - -Count = 713 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB041BD48FE382C3E67430711D88CBF7D2576B - -Count = 714 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B620050B26B12AAD43EEC304A19D5141A23B3715159E - -Count = 715 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAF179390D95CC55C410D3D7B4C5389D37DF2B1380CFB - -Count = 716 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD41F5D6F20005173D510278AEBA32048479B7E4376D5884A253 - -Count = 717 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B19E96426BF5FA2191E5B1FFF6934BCC8E7807FBC52806 - -Count = 718 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7BBE364BC534E748B8D1C1953755098663474EDAF4912FD3 - -Count = 719 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCCF796281E32D8C0C5F037B36A23D7397182C - -Count = 720 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 
000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD301F71F4CF17733849F6B2FAC8DF0A9E234C0E - -Count = 721 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883CBF2154EA0D45D9E63F930F9A26037ED43071902ED1B - -Count = 722 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA198AC77C8B63E024380FB61E668A756CF7462B2B5B5E3C0 - -Count = 723 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E8C262096DBDE2E15A032E3051D22D2580838 - -Count = 724 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A8D573BE51A560656EB548776F887440AECBB2 - -Count = 725 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C974A1D8587A8456598582DA403F5FADF47C6A04321F1 - -Count = 726 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05BFA28FAE7A81C716837767BAC64380180482 - -Count = 727 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = -CT = 
C9F98EB86B5527F8DBF63ACB57B174DEC953EF5633B12057FABAA3320578816E47BB1B99C5FB - -Count = 728 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00 -CT = 23197038165DFA2E594A323BEEB3973A568F6C9525E676208C2034654E87C6A15CDD6524D535 - -Count = 729 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41CC76B5D447A70648D4C3D5BF865DABB92F88C3D7D2B19AEA - -Count = 730 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650EDA43E8880C275C0C6BEF3B3AFA4DC5BF05AC29BAD51383 - -Count = 731 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DECCCD4936CCBE213140ADC9F8DF705EAE296AE73C99284 - -Count = 732 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187A4094FAB3F4809A39809A879DEAB49E01BAEB03EE6E5AC3 - -Count = 733 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A13AF61C12AE96C6AD720D2F5400126CB0B1E420F1182292FE - -Count = 734 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3416CB9B786F9ED7B5C705B05B5ECAD94B0294617E911336C - -Count = 735 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771A706EA1833C33008BE515CA3472EA328FAAA1C990D27734 - -Count = 
736 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93EB48EFD0463F5495ACE8F74D904A058B99B91EC571B64EE97 - -Count = 737 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B3DE4B7E411CF4D36FD4046F532B86B60C4A23B - -Count = 738 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B6AF11415B2C2FB105B6800A8B9255757C8D9AB68 - -Count = 739 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48A4CEC02AFC1062B863E322889057A81D794D277 - -Count = 740 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7E73BBC136FFB77065DE2B1BC1F7C2CA36BA1EE2A10C0C0FB - -Count = 741 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B5FC61F8AB2AD7B214B35AD0050FC351CA4FE17 - -Count = 742 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E9B0C206469F83C8317EB8C333428360B8F6CFB91E7C0375 - -Count = 743 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F -CT = 
0F47F3B0C630FE59005875D996FA1207599A4E3550016977AF4B1D0DA096A03B2067CADAE615 - -Count = 744 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831FB4A9661D4EE2E966F9C8F3404C3A85AD8A252AA7CAB1A - -Count = 745 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B11C471BD8582A333858BF06F9318D099290037B - -Count = 746 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB041B067631467B017714A7C680EF559D760A41 - -Count = 747 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B620050B26B19D6BE8E83078065BCC24BA0405D0A53AD3 - -Count = 748 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAF179390D95CA6FCCAB479883C6C7786E8A8F270DE2F84 - -Count = 749 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD41F5D6F20005173D51EC8AD80042A797C6705D99DEF4CBD6163E - -Count = 750 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B19E96426BF5FA40C987DA02227BF1B5C29A69333ECC8801 - -Count = 751 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7BBE364BC534E748550EDA251E2A1601A6E6081A26CCF668D6 - -Count = 752 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCCF790DEE6BBA683030DAF526E24C442BE7D709 - -Count = 753 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD301F7167994AB35BBF8EC760908271A060C1B502 - -Count = 754 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883CBF2154EA0D4FF5B92C0AE5715EF559919CDEFECDF3B25 - -Count = 755 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA198AC77C8B63E02A8C692DA02C590D414B11A51ACD1020940 - -Count = 756 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E8C263372C5ADE71F0BAE283E366EAB2E6A9694 - -Count = 757 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A8D573DBC19E09DCF84F06A31FC15794F2FE2FD8 - -Count = 758 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C974A1D8587A896F241287E9CEB93CBFFA0A88F0D32EB3B - -Count = 759 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05BFA23A69B67D8B97671BEF07DD73FBF30DA074 - -Count = 760 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = -CT = C9F98EB86B5527F8DBF63ACB57B174DEC953EF5633B156E09CDA071F41CE6394566EA56921073E - -Count = 761 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00 -CT = 23197038165DFA2E594A323BEEB3973A568F6C9525E62C0F95C33A75DDE3682B2D1BA7ABD08FE2 - -Count = 762 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41CC76B5D447A706488AED488A9770E3A620FF697CE54F7AE6C2 - -Count = 763 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650EDA43E8880C275CA59D7B768A7552CFB1CED8DDCE257D4908 - -Count = 764 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DECCCD4936CCBE23998CCC6CD5C55D63D03F453D1C35B1C47 - -Count = 765 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187A4094FAB3F4809A5CF3C2301E972E243BD83DFE91D5C2E52F - 
-Count = 766 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A13AF61C12AE96C6AD9529CD25C5FC976443016CE6A7154F62D0 - -Count = 767 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3416CB9B786F9ED7B289B35577BBD106505CAD196359812D732 - -Count = 768 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771A706EA1833C3300A8B56F05D0E90530EC5AF99F5E5C48BFCA - -Count = 769 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93EB48EFD0463F5495A3CEBAA575001577C688AECFC376BAB6139 - -Count = 770 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B3DE4B7CF7F90D8B4F59D20429688297D853CEBBE - -Count = 771 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B6AF1141588FC0CFF293ED1556435DC55B8C9BD85CF - -Count = 772 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48A4CEC021972C1E1337C074065BCDAF9E552C1EFA4 - -Count = 773 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C -CT = 
82B6B9CC4097AC5E72EA4E5224C7E73BBC136FFB7706F397E48768C4B651872F0744B76851A4C8 - -Count = 774 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B5FC61F0E4ABCD1E921010DE7D06659D2D128B4DF - -Count = 775 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E9B0C206469F83C8CB3BC2CB79671AF3605893D8F5758A9F9B - -Count = 776 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996FA1207599A4E355001D1799F7518EF53427C7A6051114B2FC31E - -Count = 777 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831FB4A9661D4EE2E5EDA89ABE09E33FBF5EAD46579B7841E01 - -Count = 778 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B11C471BBF7FD83D4D9531005E98C2164DDC99B192 - -Count = 779 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB041B0633065E6A3897CAFD8E15F1ACB0128393BD - -Count = 780 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B620050B26B19D00815040806E7D623AFD2C097BB46C0C9B - -Count = 781 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAF179390D95CA6D4D0A82671F86C75B309AAD455B147EFA0 - -Count = 782 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD41F5D6F20005173D51EC9FE2516D90778B8197B27C3F628918DDE7 - -Count = 783 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B19E96426BF5FA4044A6F7233A7B38641A1B35775EB5DD13E8 - -Count = 784 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7BBE364BC534E7485577EEF0B80EE0DEE4FFE7642E134B1EAADC - -Count = 785 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCCF790D7ED6F8BC789E47BEBC45FC881298E375DC - -Count = 786 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD301F71677846156F0577AF04D08B84646B646CC180 - -Count = 787 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883CBF2154EA0D4FF544775A07D54D5FB347E31466CB68991E4 - -Count = 788 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA198AC77C8B63E02A8A09C9A87231C112056775AFF1935759110 - -Count = 789 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E8C26334EDB97F0FABA57B3A5876DE3184EBFE9E8 - -Count = 790 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A8D573DBBE708EBC1F39F26097B9CE67A40BBE8A74 - -Count = 791 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C974A1D8587A8966DB9CCB9F69FDC74E8653F6C15F0F7D1D1 - -Count = 792 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F10111213141516 -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05BFA23A3716EDC1F3F39EC5AE2C10E1E64548C95C - -Count = 793 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = -CT = C9F98EB86B5527F8DBF63ACB57B174DEC953EF5633B156AA9AE59290B68599BA4C8766B092ED1DBF - -Count = 794 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00 -CT = 23197038165DFA2E594A323BEEB3973A568F6C9525E62C695B9E2CC714FBDB84C80C2E3A2DDACD51 - -Count = 795 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41CC76B5D447A706488A96564B70DF207052CF34403510AE3B8AE9 - -Count = 796 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650EDA43E8880C275CA5D93FDF111795C6A906BC2CA1CA4C775B74 - -Count = 797 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DECCCD4936CCBE239883A5D5368B370D29EAB723A1F07403D3F - -Count = 798 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187A4094FAB3F4809A5C8207A0D9D175D05B46FB242BDA49069492 - -Count = 799 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A13AF61C12AE96C6AD9561E908E52610E5B364B406954B12474717 - -Count = 800 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3416CB9B786F9ED7B28B39CF5835B6CFF368188AD3AFA43B7D7D4 - -Count = 801 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771A706EA1833C3300A8186BA6159681BE6FB44E20EB7E0D974B5C - -Count = 802 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93EB48EFD0463F5495A3CE5F54B301ECAAEA75F6B68A9F47162CD63 - -Count = 803 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B3DE4B7CFF6A3D0CC5DD82808A7A0B57F2728AFC610 - -Count = 804 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B6AF114158879E72EDBFACA233323D39200F6831A1689 - -Count = 805 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48A4CEC0219CC53058C24293CE1F55A0FAC112C5A2521 - -Count = 806 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7E73BBC136FFB7706F39493116C64EE15BECC54B69249DBA963F2 - -Count = 807 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B5FC61F0EE2FAA4BE2E4CBE2DDA0202A0E9DD74644A - -Count = 808 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E9B0C206469F83C8CBAC4A242711C02960EAAF62182D619CD4A0 - -Count = 809 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996FA1207599A4E355001D13A22CA9D381CD7B1B557444559CA5DBB04 - -Count = 810 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 
183BCB0CE30871A09209FAFF6DD831FB4A9661D4EE2E5E14CB4F2BF7BAEA40BD0F6B3B25330EB060 - -Count = 811 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B11C471BBF5316ABAB983339E493147149EB211EC7D6 - -Count = 812 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB041B0633DBDBC3379A50F44A6BB16B72E25F6887A3 - -Count = 813 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B620050B26B19D00B64136A73249189D8068CE5F5DF0F6074D - -Count = 814 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAF179390D95CA6D4F749025C3494AA4499D5D338DE0ADFD435 - -Count = 815 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD41F5D6F20005173D51EC9FD20C18FDE916E0B1C355E8C2C95F57532F - -Count = 816 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B19E96426BF5FA40447817B131BCC8371BE053327302FBF81BFF - -Count = 817 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F1011121314151617 -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = 
A5F050BCA298C6D36106B0209C7BBE364BC534E7485577D96C6F7EABBE692C162F6A48F49C951B1C
-
-Count = 818
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F1011121314151617
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718
-CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCCF790D7E97E886024C0C93A50F44428009B1FC32D8
-
-Count = 819
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F1011121314151617
-AD = 000102030405060708090A0B0C0D0E0F10111213141516171819
-CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD301F71677841ACEFDE890BA9A36BD0E1C898A038E33B
-
-Count = 820
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F1011121314151617
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-CT = 6FEAF790766419D1BCFE9F16690883CBF2154EA0D4FF5432C0BA26B073F0C1ED8ABC5C8E9BC36ED7
-
-Count = 821
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F1011121314151617
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-CT = 9351D46CF9BE44C89C49C08B2EA198AC77C8B63E02A8A0B6974CD5C34B2B62754050E4CE89DA80CA
-
-Count = 822
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F1011121314151617
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C
-CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E8C26334E3D22A4047D5B4A838AE796733005C79A92
-
-Count = 823
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F1011121314151617
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A8D573DBBE8F9282F3A06F8AC6D701D7CFAB3F33B559
-
-Count = 824
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F1011121314151617
-AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-CT = D4C8184CC2561264CE33284BB9262C974A1D8587A8966DF068432288AB5B6FE77A81E530F4E7F666
-
-Count = 825
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F1011121314151617
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05BFA23A37589B9DF02B50C503A1D34A8894EF8B9A3D
-
-Count = 826
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 
-CT = C9F98EB86B5527F8DBF63ACB57B174DEC953EF5633B156AA95EB1A27F864129C59A0593593DDF4144E
-
-Count = 827
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 00
-CT = 23197038165DFA2E594A323BEEB3973A568F6C9525E62C697098DC8F891581B9FAE4CAE6664A0FE7A1
-
-Count = 828
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 0001
-CT = FE9D361C358BCE63BA10321C6C41CC76B5D447A706488A96240DB61E54F3AF6BF1A36B3B9844FA7B79
-
-Count = 829
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102
-CT = EC81D566D4E35BC9F945B1C736650EDA43E8880C275CA5D93AA83CA958A11B8910A80FDCF75BEAD5F7
-
-Count = 830
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 00010203
-CT = D189084B12BEC8FC8F96486759FE7DECCCD4936CCBE239881D46D74D0743072F832544A051B853B984
-
-Count = 831
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 0001020304
-CT = A748A865EC8E77BF15434B10DC187A4094FAB3F4809A5C82932A53D510691FA60D60F33F336FF36F46
-
-Count = 832
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 
000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405
-CT = DB24D0782A7BB0A9E224210DE1A13AF61C12AE96C6AD9561C682F63506450011B04745CBF35967D2A3
-
-Count = 833
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 00010203040506
-CT = 1D17560BBF8DC9720E2712623AC3416CB9B786F9ED7B28B33DFBCA7AE17610E4BCB70476DF02620B2E
-
-Count = 834
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 0001020304050607
-CT = 4E9807774B4E14B5DB8E562CB5771A706EA1833C3300A81806B4252AF349DC11ABA60302E935F7BFF8
-
-Count = 835
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708
-CT = FE628D5C6C6347FCBE258B21F93EB48EFD0463F5495A3CE5953A19582A40141903324D229A13AFA307
-
-Count = 836
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 00010203040506070809
-CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B3DE4B7CFF6B79380084770FC2C03AC334D32BCA2F45A
-
-Count = 837
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A
-CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B6AF114158879A387DA9AB0E04A1EACDA8FED018086D09A
-
-Count = 838
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B
-CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48A4CEC0219CC30F629BA9ED59F64F0096EF919DADF5E6D
-
-Count = 839
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C
-CT = 
82B6B9CC4097AC5E72EA4E5224C7E73BBC136FFB7706F3942F0373E08E3DC41F62E4A190CC0ED2C2C8
-
-Count = 840
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D
-CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B5FC61F0EE25313B7FC5FD7434BF4D66E6BD9CED905AD
-
-Count = 841
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E
-CT = F5E273C0B85FF629E70350553620E9B0C206469F83C8CBAC59C169AE65D4CEA94675E557824B41C05F
-
-Count = 842
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F
-CT = 0F47F3B0C630FE59005875D996FA1207599A4E355001D13AF74054620CECA335E11229B115DA0C03C7
-
-Count = 843
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F10
-CT = 183BCB0CE30871A09209FAFF6DD831FB4A9661D4EE2E5E141C42D266AFB1F847354D2E122D325F377E
-
-Count = 844
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F1011
-CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B11C471BBF5394B6236A45E1A4B35B51C229099565D0E9
-
-Count = 845
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F101112
-CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB041B0633DB30E75041505E1CC042D85CB41473C51568
-
-Count = 846
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F10111213
-CT = 
C51B01EF48E764BE4B06DF483CFD24B620050B26B19D00B673E17478DE9747A33CD222E8FC331958C8
-
-Count = 847
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F1011121314
-CT = DD724F39ED7497B7C6A0CC3970E93EAF179390D95CA6D4F70CC557E0A491DB9CF146B8F2853231E8BD
-
-Count = 848
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F101112131415
-CT = 8079ED0F7239C793F8F69CAD41F5D6F20005173D51EC9FD2A943631A549ECA7C87FF1F6C5DE2E70505
-
-Count = 849
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F10111213141516
-CT = D84816B878D7162DF559419BC388B19E96426BF5FA4044780C929EE8926F040104368055A46C912551
-
-Count = 850
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F1011121314151617
-CT = A5F050BCA298C6D36106B0209C7BBE364BC534E7485577D9E59BA17FA0F541B8E33A5AFD965737085B
-
-Count = 851
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718
-CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCCF790D7E971DADC14D30809C5B6299F5F01D92A07F97
-
-Count = 852
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F10111213141516171819
-CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD301F71677841180A1FC07556079B35F303E67E44DB83F9
-
-Count = 853
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A
-CT = 6FEAF790766419D1BCFE9F16690883CBF2154EA0D4FF5432A419EC3FA38003767099D35D8271329603
-
-Count = 854
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-CT = 9351D46CF9BE44C89C49C08B2EA198AC77C8B63E02A8A0B68E75353902332F6C508A6F943497898C6A
-
-Count = 855
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C
-CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E8C26334E3D275D171B435E425F48D3E0351F0D862144
-
-Count = 856
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A8D573DBBE8FE86408758E2DCAF2EA0B2FE362FCD4502C
-
-Count = 857
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-CT = D4C8184CC2561264CE33284BB9262C974A1D8587A8966DF0A2A3F55FBB89B2D7013B60413D6B8F616B
-
-Count = 858
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05BFA23A37583BCA965CCFF24465DE9DA502F80640FD7E
-
-Count = 859
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 
-CT = C9F98EB86B5527F8DBF63ACB57B174DEC953EF5633B156AA95B4D7CFE1DF979E6673AB62B4E3C4EB06BD
-
-Count = 860
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 
000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 00
-CT = 23197038165DFA2E594A323BEEB3973A568F6C9525E62C697059583EB2475AFDC080C2C8C4B8D7826609
-
-Count = 861
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 0001
-CT = FE9D361C358BCE63BA10321C6C41CC76B5D447A706488A96248546A14094D44BD3F337581EB6F2926728
-
-Count = 862
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102
-CT = EC81D566D4E35BC9F945B1C736650EDA43E8880C275CA5D93A92B9520CD6A23F7E9D071B2A2485695C1E
-
-Count = 863
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 00010203
-CT = D189084B12BEC8FC8F96486759FE7DECCCD4936CCBE239881DA4BAAEDA517D5232777F8E6BFEE1C403ED
-
-Count = 864
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 0001020304
-CT = A748A865EC8E77BF15434B10DC187A4094FAB3F4809A5C829344921C0C53FB535E6EAD28DBD67082A69B
-
-Count = 865
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405
-CT = DB24D0782A7BB0A9E224210DE1A13AF61C12AE96C6AD9561C67AFC542B2916246378B360F80107CC397F
-
-Count = 866
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 00010203040506
-CT = 1D17560BBF8DC9720E2712623AC3416CB9B786F9ED7B28B33D84CE573CE333F0D8840873600E09491B15
-
-Count = 867
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 0001020304050607
-CT = 4E9807774B4E14B5DB8E562CB5771A706EA1833C3300A818060160A044633CF3B82EB63794F0E7771E1C
-
-Count = 868
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708
-CT = FE628D5C6C6347FCBE258B21F93EB48EFD0463F5495A3CE595449D494AA386F7FDC426FAA038AE03BD2E
-
-Count = 869
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 00010203040506070809
-CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B3DE4B7CFF6B79479B5F8CF42D14551D9385A60A1E6105C
-
-Count = 870
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A
-CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B6AF114158879A36C2DCD81CC15723883895F20B0C12AD84D
-
-Count = 871
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B
-CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48A4CEC0219CC308A10462A086B2B31E9654664C88025DBF7
-
-Count = 872
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C
-CT = 82B6B9CC4097AC5E72EA4E5224C7E73BBC136FFB7706F3942FC1D3B482F246796EED5A501526F792C20F
-
-Count = 873
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D
-CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B5FC61F0EE2538E581E3D8A2995ADF0E9EE95844618E43F
-
-Count = 874
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E
-CT = F5E273C0B85FF629E70350553620E9B0C206469F83C8CBAC592A1175FD5F9CAA0B3D0422EE62B817F970
-
-Count = 875
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 
000102030405060708090A0B0C0D0E0F
-CT = 0F47F3B0C630FE59005875D996FA1207599A4E355001D13AF7956338354623A494B1B0A70BF40BE729C2
-
-Count = 876
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F10
-CT = 183BCB0CE30871A09209FAFF6DD831FB4A9661D4EE2E5E141C38F98627FD8A4B670DF4991D165474A35D
-
-Count = 877
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F1011
-CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B11C471BBF539428DBB4BB50A5433D8D5F3B67987A99613C
-
-Count = 878
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F101112
-CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB041B0633DB30405540F48ADF760F06E4D547FD1F70B982
-
-Count = 879
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F10111213
-CT = C51B01EF48E764BE4B06DF483CFD24B620050B26B19D00B67376E718819BF87E291941B27766F89F4C0D
-
-Count = 880
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F1011121314
-CT = DD724F39ED7497B7C6A0CC3970E93EAF179390D95CA6D4F70CAF730238789BA6C2FB2DEF0658A4AA0731
-
-Count = 881
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F101112131415
-CT = 8079ED0F7239C793F8F69CAD41F5D6F20005173D51EC9FD2A91BC3E67CFB63FC7E57198FBA86D80952D5
-
-Count = 882
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 
000102030405060708090A0B0C0D0E0F10111213141516
-CT = D84816B878D7162DF559419BC388B19E96426BF5FA4044780C5E1A248E107C1511472C32CA29BC315EC5
-
-Count = 883
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F1011121314151617
-CT = A5F050BCA298C6D36106B0209C7BBE364BC534E7485577D9E583FBFC3A21FA4C589F57A755D101DC9002
-
-Count = 884
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718
-CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCCF790D7E971D4B35D507E92F9F2CE9947E1A2186318855
-
-Count = 885
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F10111213141516171819
-CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD301F7167784118916E571E6FCF54BD4D22BF266B563111FD
-
-Count = 886
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-CT = 6FEAF790766419D1BCFE9F16690883CBF2154EA0D4FF5432A4B2CD54B3F84D365E45DA6457E9FA3249DB
-
-Count = 887
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-CT = 9351D46CF9BE44C89C49C08B2EA198AC77C8B63E02A8A0B68E53CEB71CFA042371AB3BE526C51D40D4AF
-
-Count = 888
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C
-CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E8C26334E3D27041F3A4A0C5FFD2A8DF82E3176071B6F37
-
-Count = 889
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 
000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A8D573DBBE8FE8C86A2829809635BF2A7BC57DE3CBDB123C
-
-Count = 890
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-CT = D4C8184CC2561264CE33284BB9262C974A1D8587A8966DF0A2C999FF341286243E4389FB66FF901228EB
-
-Count = 891
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F10111213141516171819
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05BFA23A37583B189B47E914FCCDE044EEED62D452707690
-
-Count = 892
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 
-CT = C9F98EB86B5527F8DBF63ACB57B174DEC953EF5633B156AA95B410BACA38479376CF47F6A864D1607EBF2B
-
-Count = 893
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 00
-CT = 23197038165DFA2E594A323BEEB3973A568F6C9525E62C697059647CBFC3EB77BF1D7454E7AE84DF49ABA0
-
-Count = 894
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 0001
-CT = FE9D361C358BCE63BA10321C6C41CC76B5D447A706488A96248520D859191AB2D491C056EE2B6F732445BB
-
-Count = 895
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102
-CT = EC81D566D4E35BC9F945B1C736650EDA43E8880C275CA5D93A924C6E5097C1D28E0670625764D9D24B940A
-
-Count = 896
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 00010203
-CT = D189084B12BEC8FC8F96486759FE7DECCCD4936CCBE239881DA4A8CBCBA6211FB13334C3A9BFAD8FDA3253
-
-Count = 897
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 0001020304
-CT = A748A865EC8E77BF15434B10DC187A4094FAB3F4809A5C829344E0EA2CF9A3CF91D4916EB7DA4E9B3746D0
-
-Count = 898
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405
-CT = DB24D0782A7BB0A9E224210DE1A13AF61C12AE96C6AD9561C67A63193418BC2692898AB17BE90B840F2D19
-
-Count = 899
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 00010203040506
-CT = 1D17560BBF8DC9720E2712623AC3416CB9B786F9ED7B28B33D84BEAFB578C59D7690B880322A10CB02B5A4
-
-Count = 900
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 0001020304050607
-CT = 4E9807774B4E14B5DB8E562CB5771A706EA1833C3300A8180601D2DA291A44C8A07A576F66BAA6CF857B56
-
-Count = 901
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708
-CT = FE628D5C6C6347FCBE258B21F93EB48EFD0463F5495A3CE595449E90110F447C180CB4882E0924BABD5404
-
-Count = 902
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 00010203040506070809
-CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B3DE4B7CFF6B7942AFAC7F7222077EA117580341200676300
-
-Count = 903
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A
-CT = 
FCD0420F6E34CE1DB5E14EDDE53795707D1B6AF114158879A36CC952770AD21DFB305A54EDB13AF61E3C09
-
-Count = 904
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B
-CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48A4CEC0219CC308AA2083BA23C813B82F4BC58628FF983CC12
-
-Count = 905
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C
-CT = 82B6B9CC4097AC5E72EA4E5224C7E73BBC136FFB7706F3942FC1C08A85E511FFCE96970CCA7B66F07B4D77
-
-Count = 906
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D
-CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B5FC61F0EE2538E6FB133959EFA6FDAB1A3AB1F9C1D8930CA
-
-Count = 907
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E
-CT = F5E273C0B85FF629E70350553620E9B0C206469F83C8CBAC592A28A86CBF40F1C53A7D0350949C90F6AF44
-
-Count = 908
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F
-CT = 0F47F3B0C630FE59005875D996FA1207599A4E355001D13AF795C90B5EC84619231BB284DFBCDF2347EF41
-
-Count = 909
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F10
-CT = 183BCB0CE30871A09209FAFF6DD831FB4A9661D4EE2E5E141C38E209100082EC954407A0E17BBF7EE6FB31
-
-Count = 910
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F1011
-CT = 
0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B11C471BBF5394285DE74EE9F55AB4450738F5F1F853BA7C69
-
-Count = 911
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F101112
-CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB041B0633DB3040CC2E99B90B9ACF97BE0256C0CB5D972604
-
-Count = 912
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F10111213
-CT = C51B01EF48E764BE4B06DF483CFD24B620050B26B19D00B67376B56B698911F82C1D24E04AF120846C6466
-
-Count = 913
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F1011121314
-CT = DD724F39ED7497B7C6A0CC3970E93EAF179390D95CA6D4F70CAF28023912D8965DF61C6F0514DD2CA2F085
-
-Count = 914
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F101112131415
-CT = 8079ED0F7239C793F8F69CAD41F5D6F20005173D51EC9FD2A91B7C92939AE5A4B659DA92D0F66DB20E5C40
-
-Count = 915
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F10111213141516
-CT = D84816B878D7162DF559419BC388B19E96426BF5FA4044780C5E506A52F307AD101F2FB598C6A022904C85
-
-Count = 916
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F1011121314151617
-CT = A5F050BCA298C6D36106B0209C7BBE364BC534E7485577D9E58337B4559EAF36B992991F51D571A183AA31
-
-Count = 917
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD 
= 000102030405060708090A0B0C0D0E0F101112131415161718
-CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCCF790D7E971D4B16971040815372B40C46F0CEB6F5C42476
-
-Count = 918
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F10111213141516171819
-CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD301F716778411891D18C1496B448440C9A3A1404C5FD1CDED3
-
-Count = 919
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-CT = 6FEAF790766419D1BCFE9F16690883CBF2154EA0D4FF5432A4B243CDCFB826D2F53A8200E17EDB083BD466
-
-Count = 920
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-CT = 9351D46CF9BE44C89C49C08B2EA198AC77C8B63E02A8A0B68E53E99653D0C19B170F2BE5399AD328D42592
-
-Count = 921
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C
-CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E8C26334E3D27043CFBC7AF33F9C8589E56FDDCFD2CC02C32
-
-Count = 922
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A8D573DBBE8FE8C8A853C4B641E611E9E0695F52EBEE5377BF
-
-Count = 923
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E
-CT = D4C8184CC2561264CE33284BB9262C974A1D8587A8966DF0A2C97386392A3DE63A06D561724DB898BB981C
-
-Count = 
924
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A
-AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
-CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05BFA23A37583B186C8366015E65B9BFCEEA22EDDCFB5E3267
-
-Count = 925
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 
-CT = C9F98EB86B5527F8DBF63ACB57B174DEC953EF5633B156AA95B4100B31D263C4A1D84EB3BBBE2AB130720ADF
-
-Count = 926
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 00
-CT = 23197038165DFA2E594A323BEEB3973A568F6C9525E62C697059647D003176B6840B13E31E4F12E0ADD96B0D
-
-Count = 927
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 0001
-CT = FE9D361C358BCE63BA10321C6C41CC76B5D447A706488A96248520493C3CADD9D1DAB9CC47F72DFD09FF44A0
-
-Count = 928
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 000102
-CT = EC81D566D4E35BC9F945B1C736650EDA43E8880C275CA5D93A924C13DCA84BCB74CB3D4A581D41160B33CCF8
-
-Count = 929
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 00010203
-CT = D189084B12BEC8FC8F96486759FE7DECCCD4936CCBE239881DA4A8767135C8B0A98F97C74996003B61935908
-
-Count = 930
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 0001020304
-CT = A748A865EC8E77BF15434B10DC187A4094FAB3F4809A5C829344E091F038C5855B2D0B8625AD0D1068031F0A
-
-Count = 931
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 000102030405
-CT = DB24D0782A7BB0A9E224210DE1A13AF61C12AE96C6AD9561C67A6310B3FBFAEEE06CD9200D3B04A10E9BD3EE
-
-Count = 932
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 00010203040506
-CT = 1D17560BBF8DC9720E2712623AC3416CB9B786F9ED7B28B33D84BE01D7262C92538F2A35AB898CEB201B5212
-
-Count = 933
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 0001020304050607
-CT = 4E9807774B4E14B5DB8E562CB5771A706EA1833C3300A8180601D21DAE15C244471209AD06E764184D2AC94F
-
-Count = 934
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 000102030405060708
-CT = FE628D5C6C6347FCBE258B21F93EB48EFD0463F5495A3CE595449E6D94BE3860910D181E829D59C1A64712F0
-
-Count = 935
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 00010203040506070809
-CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B3DE4B7CFF6B7942ADBC877A619EB113F0C7CA858205E19D360
-
-Count = 936
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 000102030405060708090A
-CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B6AF114158879A36CC910C366A032C32380784234E4A68D4AA484
-
-Count = 937
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 000102030405060708090A0B
-CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48A4CEC0219CC308AA2806F94B145376D3BB1EAF45A24238B8B56
-
-Count = 938
-Key = 000102030405060708090A0B0C0D0E0F
-Nonce = 000102030405060708090A0B
-PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
-AD = 000102030405060708090A0B0C
-CT = 
82B6B9CC4097AC5E72EA4E5224C7E73BBC136FFB7706F3942FC1C001202D0E2EE021A41536A5AB25435BDC74 - -Count = 939 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B5FC61F0EE2538E6F1BAB0DEABD07ADBA7B88D8400EE5308B7C - -Count = 940 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E9B0C206469F83C8CBAC592A2884814C846E16F45CF93BFCF6E507540BDE - -Count = 941 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996FA1207599A4E355001D13AF795C975F64DBCD3D7A2F182F04150D30C560464 - -Count = 942 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831FB4A9661D4EE2E5E141C38E2DCBDB73FE899AC777A3E0E2CF84909829E - -Count = 943 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B11C471BBF5394285D8B0143F907FF3ADC0C6E4BD58051A7F31C - -Count = 944 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB041B0633DB3040CC965DC41AC6EA44FE58DC7D5919FC76C68F - -Count = 945 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 
000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B620050B26B19D00B67376B5C4972C2EDB71B7833545FD0DE74ACB6395 - -Count = 946 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAF179390D95CA6D4F70CAF28559615D12E70EE9491DBD4C3DFCBCBCEF6 - -Count = 947 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD41F5D6F20005173D51EC9FD2A91B7C16E6BDECE8EC22C62A01BE06F6ADA586F8 - -Count = 948 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B19E96426BF5FA4044780C5E502C71E0E7D9B64BB1EB42867896D6317E16 - -Count = 949 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7BBE364BC534E7485577D9E583378852C4B86E8F19994A186BB761848D2395 - -Count = 950 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCCF790D7E971D4B16D82F2C2915A09ABD6895D36C5E55638D7C - -Count = 951 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD301F716778411891D1B6E1301CD1DEE35B33E7CE96DCEA5C1748 - -Count = 952 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883CBF2154EA0D4FF5432A4B24329944F56C2A391F0D9D736759F1343E5A0 - -Count = 953 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA198AC77C8B63E02A8A0B68E53E9EFF3DE3AE889617D0223C2C4063D4250B3 - -Count = 954 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E8C26334E3D27043CFA5CDE45D448B231F96C9371D27B63E96C - -Count = 955 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A8D573DBBE8FE8C8A89E4788F0B11FDFAF5CE6C805AE40F2295A - -Count = 956 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C974A1D8587A8966DF0A2C973EC2601285507FA4FA4B54AD0087DD1831C - -Count = 957 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05BFA23A37583B186C393555DACCDEA294479E13DA9180CB2A6E - -Count = 958 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = -CT = 
C9F98EB86B5527F8DBF63ACB57B174DEC953EF5633B156AA95B4100B9F48939AEDDA8060DFD0AA340E603FCBC7 - -Count = 959 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00 -CT = 23197038165DFA2E594A323BEEB3973A568F6C9525E62C697059647D8CDC8E64F98A5DFBCA7F4AF376D7B5DC13 - -Count = 960 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41CC76B5D447A706488A96248520499007788476F56704C0D2531FBBD47EB4EC - -Count = 961 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650EDA43E8880C275CA5D93A924C13DA2AAC6A069824C79790A4F0DE49FA7508 - -Count = 962 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DECCCD4936CCBE239881DA4A8767267DBE7E03A00B196A82931242EED379A - -Count = 963 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187A4094FAB3F4809A5C829344E09138EDD78A5AC736B237F13A73DD881E6894 - -Count = 964 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A13AF61C12AE96C6AD9561C67A631063E91F53F99B5D07BF05C2EE47D4628A05 - -Count = 965 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3416CB9B786F9ED7B28B33D84BE01FDA042737073304C9D646F336B931957E5 - -Count = 966 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771A706EA1833C3300A8180601D21DDBA124FA85F8C4DAA22D4552B4EA3BA22A - -Count = 967 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93EB48EFD0463F5495A3CE595449E6DB15D5AB8365275274C6E6802B151AFF417 - -Count = 968 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B3DE4B7CFF6B7942ADB7CE1D1286D740DC8179F71EF1D29CEBE5B - -Count = 969 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B6AF114158879A36CC91003ED059C1A23B998DB933B7C0A6FA2F053 - -Count = 970 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48A4CEC0219CC308AA280EA63E0663CC9F35D4CA2A1B4E45083779C - -Count = 971 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7E73BBC136FFB7706F3942FC1C0018EB0E22AA31B7D5CE3E50E0A6605B56D3E - -Count = 972 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B5FC61F0EE2538E6F1BD793706EB6EC581A90A1684B33D65F2979 - -Count = 973 -Key = 000102030405060708090A0B0C0D0E0F -Nonce 
= 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E9B0C206469F83C8CBAC592A2884E65834BD33AA16F191503349FBC711960E - -Count = 974 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996FA1207599A4E355001D13AF795C975706D6F7D2F013FEDAFCE582348A18F40B0 - -Count = 975 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831FB4A9661D4EE2E5E141C38E2DC6D80618A2692594EE4979822074AE07AB9 - -Count = 976 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B11C471BBF5394285D8BF7C28B102E7E9F6017A2B4FF6EF22AE15D - -Count = 977 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB041B0633DB3040CC9620C308532C650B79AD634CA79256FAB213 - -Count = 978 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B620050B26B19D00B67376B5C4642A14193CCF06FBE882A5F58F6D270E7B - -Count = 979 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAF179390D95CA6D4F70CAF28554162973BDA725B90A3DB8F3E472EF9E925 - 
-Count = 980 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD41F5D6F20005173D51EC9FD2A91B7C16C2417E827DA0645AD8E063DEA63C2765AF - -Count = 981 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B19E96426BF5FA4044780C5E502C44AFEEADD697BDC32FDD9A9CF20EA50575 - -Count = 982 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7BBE364BC534E7485577D9E58337884F56D501947DFDC2A8DC1395528113EC70 - -Count = 983 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCCF790D7E971D4B16D8092B49CA34B25DD29C7C4E9D9E9A6FA260 - -Count = 984 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD301F716778411891D1B6B97832563E076F75D0F1F286CA40E7B0FE - -Count = 985 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883CBF2154EA0D4FF5432A4B24329D75D25D62B0F3D05E34F853F77B05B9845 - -Count = 986 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA198AC77C8B63E02A8A0B68E53E9EF6BD52E4CFA1E3D496C2226EBE182D4A949 - -Count = 987 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E8C26334E3D27043CFA28727E0C130395D7AE3B3C0DACBA40C9E3 - -Count = 988 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A8D573DBBE8FE8C8A89E4DA9A8C6DB93FADB624A7692C14D902CD3 - -Count = 989 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C974A1D8587A8966DF0A2C973EC7997C5B4B258E03ECBAB4540474C64BE69 - -Count = 990 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05BFA23A37583B186C399900CFCDB5375348C989CA4F5563B6AB98 - -Count = 991 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = -CT = C9F98EB86B5527F8DBF63ACB57B174DEC953EF5633B156AA95B4100B9F3E4C3D389DE1B4EF8DF215C8AEFFB3D15B - -Count = 992 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00 -CT = 23197038165DFA2E594A323BEEB3973A568F6C9525E62C697059647D8C2211C2CD0DE03BF9792240491098C82A24 - -Count = 993 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41CC76B5D447A706488A962485204990B851E239A4ADE91ECCE694F7E707E287C6 - -Count = 994 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650EDA43E8880C275CA5D93A924C13DA32C34017E9967D98F817EE86822A2D3088 - -Count = 995 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DECCCD4936CCBE239881DA4A8767221A799A40E2196B49AFFF9B02C2D7B7994 - -Count = 996 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187A4094FAB3F4809A5C829344E0913815F5F4CCDE746AF7E60D67823C727D7EE5 - -Count = 997 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A13AF61C12AE96C6AD9561C67A631063A270BDEB13DB66AF3C023695EAE4EB661C - -Count = 998 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3416CB9B786F9ED7B28B33D84BE01FD335E2BC966298F7273D954E941B7FABAAA - -Count = 999 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771A706EA1833C3300A8180601D21DDBF74EC67CC256A6AE20C86557977B2B8D41 - -Count = 1000 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93EB48EFD0463F5495A3CE595449E6DB19AC229446946A2D0F657BFD013073BC1C7 - -Count = 1001 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B3DE4B7CFF6B7942ADB7C07C91585DA708AE1BD752B1FAB584C0D98 - -Count = 1002 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B6AF114158879A36CC91003DD075FFC1E373F9F18AA200137EBD460D5 - -Count = 1003 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48A4CEC0219CC308AA280EAA22BBF2C6D3ABA10F411E296D95BB42B3E - -Count = 1004 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7E73BBC136FFB7706F3942FC1C0018E2C8D7198300109BC2F19E994746B95EB57 - -Count = 1005 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B5FC61F0EE2538E6F1BD71745D145E60A0376CBB4C6BB20F48CBCA2 - -Count = 1006 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E9B0C206469F83C8CBAC592A2884E6E6964401D883D7C629FCB8F6CB6A2B48FC - -Count = 1007 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 
000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996FA1207599A4E355001D13AF795C975701A29AE43883DE845A1D28920C8AD23A363 - -Count = 1008 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831FB4A9661D4EE2E5E141C38E2DC6DE5766EE570C150D9B8AA36AB17D3F03352 - -Count = 1009 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B11C471BBF5394285D8BF7C76B2DDA9149C19C8AC5FEC3DAC51D3DC2 - -Count = 1010 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB041B0633DB3040CC962082578727343DC313B9C28FF863A6738616 - -Count = 1011 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B620050B26B19D00B67376B5C4641F721FB5E95B8B7D92C687B19A20B6247B - -Count = 1012 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAF179390D95CA6D4F70CAF28554121CB718D1DCF05E3C0885EADE74B0C889A - -Count = 1013 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
8079ED0F7239C793F8F69CAD41F5D6F20005173D51EC9FD2A91B7C16C2722606C1B929878E3CFFE9AFE60AD05477 - -Count = 1014 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B19E96426BF5FA4044780C5E502C446932C9AC398E2CDF2BADBF6B44DE97B30B - -Count = 1015 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7BBE364BC534E7485577D9E58337884FC9892BEE89794C898048AC4FE8BF789DA3 - -Count = 1016 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCCF790D7E971D4B16D809FEDEC6AD206EE6B7D3C806B8BF5E82044A - -Count = 1017 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD301F716778411891D1B6B9060416870014C827EA7BDB3C00FADD63E1 - -Count = 1018 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883CBF2154EA0D4FF5432A4B24329D79D80E793E2751842620E14D27FDAD3286D - -Count = 1019 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA198AC77C8B63E02A8A0B68E53E9EF6B72269D5C79DA42035BCDCFBFB0BD1F927D - -Count = 1020 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E8C26334E3D27043CFA28ACACBE9497A65A195EC890BA44486C8166 - -Count = 1021 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A8D573DBBE8FE8C8A89E4D384E9F2F05CB923956547153164623214F - -Count = 1022 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C974A1D8587A8966DF0A2C973EC79124838CD94297BEC7DB8EC08B8CC944298 - -Count = 1023 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05BFA23A37583B186C39997DB1DB4201A919D82E2DC9BFA9390BB8D8 - -Count = 1024 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = -CT = C9F98EB86B5527F8DBF63ACB57B174DEC953EF5633B156AA95B4100B9F3E225D63F33EACF403232EEBC877504BA945 - -Count = 1025 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00 -CT = 23197038165DFA2E594A323BEEB3973A568F6C9525E62C697059647D8C2256A3B0E5C269BEDD5428AF7BADE56C1BFB - -Count = 1026 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001 -CT = 
FE9D361C358BCE63BA10321C6C41CC76B5D447A706488A962485204990B82BEA8ED355B2010004E70B9F073A1A9A1C - -Count = 1027 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650EDA43E8880C275CA5D93A924C13DA320699AA1EFBBEDEA5C015EB60438BF55BD4 - -Count = 1028 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DECCCD4936CCBE239881DA4A8767221DAC6EBC711A9AA0FCD4E6F6FF3DF67CA0E - -Count = 1029 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187A4094FAB3F4809A5C829344E0913815DBA20979A65A25A4BC056103DF3325605D - -Count = 1030 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A13AF61C12AE96C6AD9561C67A631063A2E1749214FB99E52E98EF6D55746C2FE209 - -Count = 1031 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3416CB9B786F9ED7B28B33D84BE01FD338C8DA6F565A362793AC146F239B3E6079B - -Count = 1032 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771A706EA1833C3300A8180601D21DDBF76DB9E4A7B2E664CD26D4E76A60B78BCFAB - -Count = 1033 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708 -CT = 
FE628D5C6C6347FCBE258B21F93EB48EFD0463F5495A3CE595449E6DB19A9EB7D0249D7BB37AAB6038D6853F77A386 - -Count = 1034 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B3DE4B7CFF6B7942ADB7C072FAFADB6E4CFF1B3B37A155B276E391F02 - -Count = 1035 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B6AF114158879A36CC91003DD4206FFEDC11EEBC364ADB53CA143E5AF78 - -Count = 1036 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48A4CEC0219CC308AA280EAA2A7FB55CA8DFDB00E0543A7CC87341C4AA5 - -Count = 1037 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7E73BBC136FFB7706F3942FC1C0018E2C92ECA8FF12367E079FE28EAD0EF0F6FF78 - -Count = 1038 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B5FC61F0EE2538E6F1BD7176BE279083445350C4DAD1418C818962934 - -Count = 1039 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E -CT = F5E273C0B85FF629E70350553620E9B0C206469F83C8CBAC592A2884E6E67CAA6716E46D26EBF628A7A45A333EC745 - -Count = 1040 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996FA1207599A4E355001D13AF795C975701A4C0A42D6CDE3E7591DEED47B5D37193697 - -Count = 1041 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831FB4A9661D4EE2E5E141C38E2DC6DE54D199DBA21411E4EF9695F369E37C02E8D - -Count = 1042 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B11C471BBF5394285D8BF7C70DF31549EB3D1324560FED36C91A05BB10 - -Count = 1043 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB041B0633DB3040CC9620829FA8C0F2D0C794D9F2E9AE415617013091 - -Count = 1044 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B620050B26B19D00B67376B5C4641F7DB89DBA4D144147BD2E94FBB5A496092A - -Count = 1045 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAF179390D95CA6D4F70CAF2855412113D048352141034AA42279987863E766FC - -Count = 1046 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 
8079ED0F7239C793F8F69CAD41F5D6F20005173D51EC9FD2A91B7C16C27254249819406824E775526930282883169E - -Count = 1047 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B19E96426BF5FA4044780C5E502C4469B5781D6A6FC6F099C0E2A255A151317FAE - -Count = 1048 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7BBE364BC534E7485577D9E58337884FC99CDB6FD2BC10616D2FD2D2E638B2C52160 - -Count = 1049 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCCF790D7E971D4B16D809FE6E6C7936D74CE656DEFFDC45D9B0D61278 - -Count = 1050 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD301F716778411891D1B6B9063A212C81D87FB4E073C2E824FE3F3F2A64 - -Count = 1051 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883CBF2154EA0D4FF5432A4B24329D79DCCB68C9AF906D4E6C98269A8AEE0E3C8FD - -Count = 1052 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 
9351D46CF9BE44C89C49C08B2EA198AC77C8B63E02A8A0B68E53E9EF6B725CC7FBBBBCE7A4632D49BA3D0EF4D481DA - -Count = 1053 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E8C26334E3D27043CFA28ACC16E6B974DE65A72AF78DFE1213896A6A5 - -Count = 1054 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A8D573DBBE8FE8C8A89E4D383B37294D0C856FA466FA6B36F6A1A431F0 - -Count = 1055 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C974A1D8587A8966DF0A2C973EC7912E6DF1121421948B14017ED93DC7F5459FE - -Count = 1056 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05BFA23A37583B186C39997D055AA94B5E468CE63DCD44F541DBD53BF7 - -Count = 1057 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = -CT = C9F98EB86B5527F8DBF63ACB57B174DEC953EF5633B156AA95B4100B9F3E22E627D5F27F10BB11DD268E4CA0F3EF8F1F - -Count = 1058 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00 -CT = 23197038165DFA2E594A323BEEB3973A568F6C9525E62C697059647D8C2256B7AAB5DA2D2C00FE4C61B7D7E1A0EEB4D2 - -Count = 1059 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001 -CT = FE9D361C358BCE63BA10321C6C41CC76B5D447A706488A962485204990B82B505232C898672CA796CE4BE13406D95F36 - -Count = 1060 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102 -CT = EC81D566D4E35BC9F945B1C736650EDA43E8880C275CA5D93A924C13DA320602F0EEC7EAADEC7F14BCFE33584C7A9C33 - -Count = 1061 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203 -CT = D189084B12BEC8FC8F96486759FE7DECCCD4936CCBE239881DA4A8767221DAF247C6CDCBF48AEFA2BB40DF12B43282BB - -Count = 1062 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304 -CT = A748A865EC8E77BF15434B10DC187A4094FAB3F4809A5C829344E0913815DB261254FDE44786D1E0AC0B85C692733B5A - -Count = 1063 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405 -CT = DB24D0782A7BB0A9E224210DE1A13AF61C12AE96C6AD9561C67A631063A2E19430110413609C20EEAE9ACD1B4D00D345 - -Count = 1064 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506 -CT = 1D17560BBF8DC9720E2712623AC3416CB9B786F9ED7B28B33D84BE01FD338C41A05851554FB3B05453374A28F18CA714 - -Count = 1065 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 0001020304050607 -CT = 4E9807774B4E14B5DB8E562CB5771A706EA1833C3300A8180601D21DDBF76DED0B8840AED7AC6A1B356D2A850EA7EE62 - -Count = 1066 -Key = 000102030405060708090A0B0C0D0E0F 
-Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708 -CT = FE628D5C6C6347FCBE258B21F93EB48EFD0463F5495A3CE595449E6DB19A9E44513023DE104FD23765125C9B07EEB165 - -Count = 1067 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 00010203040506070809 -CT = E9C2858529D6FEB52EF49FB5D55EA588A73C6B3DE4B7CFF6B7942ADB7C072FDFB6E624875209FC1F1AA766A1F3167ED6 - -Count = 1068 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A -CT = FCD0420F6E34CE1DB5E14EDDE53795707D1B6AF114158879A36CC91003DD421BEBDFB45734B39D7F5410D844C2CA0F28 - -Count = 1069 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B -CT = 0228F0ABBA1AB39FD7D86B189BA9534B76C48A4CEC0219CC308AA280EAA2A7B45E3FE76D37CFBFC6E1ADF13B4D12769F - -Count = 1070 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C -CT = 82B6B9CC4097AC5E72EA4E5224C7E73BBC136FFB7706F3942FC1C0018E2C927742A49E33CEF5E95359840BE33402B23C - -Count = 1071 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D -CT = 5DC0EAA3E48E728D0AB971A3B46C5E756F0C4B5FC61F0EE2538E6F1BD7176B8B6FD00CBE2F2BF4EDC2B149905FCA0260 - -Count = 1072 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E -CT = 
F5E273C0B85FF629E70350553620E9B0C206469F83C8CBAC592A2884E6E67CA8DCE12BD377F770ACBB8CB38576B2C839 - -Count = 1073 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F -CT = 0F47F3B0C630FE59005875D996FA1207599A4E355001D13AF795C975701A4CD6DCEA25311A9960BFBE8CBD76D1F266C1 - -Count = 1074 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10 -CT = 183BCB0CE30871A09209FAFF6DD831FB4A9661D4EE2E5E141C38E2DC6DE54DB89F00DF2FBC59FB5B37717E31EAD6B8D5 - -Count = 1075 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011 -CT = 0AD4E35D0CDB5C46ED5192D71ABDA77AF7F2B11C471BBF5394285D8BF7C70DAC60387EB03694EC34D2E694F42AAE9840 - -Count = 1076 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112 -CT = 81E22B7269ECB5CA72D6FC266ED37D15173FDB041B0633DB3040CC9620829F35A47A3D32337F3C2BBA61067460478857 - -Count = 1077 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213 -CT = C51B01EF48E764BE4B06DF483CFD24B620050B26B19D00B67376B5C4641F7D041AAB72249613C4919D6205C6F7C1BB2A - -Count = 1078 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314 -CT = DD724F39ED7497B7C6A0CC3970E93EAF179390D95CA6D4F70CAF28554121131E17ED438E81B0C576F021FE612CCCABFE - -Count = 1079 -Key = 
000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415 -CT = 8079ED0F7239C793F8F69CAD41F5D6F20005173D51EC9FD2A91B7C16C2725473882A01E9FA10C71E44CFCF2C175E8164 - -Count = 1080 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516 -CT = D84816B878D7162DF559419BC388B19E96426BF5FA4044780C5E502C4469B5CB91DB73D585EF87464A5661FFCAF1C5F5 - -Count = 1081 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F1011121314151617 -CT = A5F050BCA298C6D36106B0209C7BBE364BC534E7485577D9E58337884FC99C0BAE01800E0952827006097847213C3766 - -Count = 1082 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718 -CT = 236EA861E0F625AC0F7CC043F248E3168FDEBCCF790D7E971D4B16D809FE6EDBB100FC8CBE8473AB3C2D4CE6C2A37627 - -Count = 1083 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F10111213141516171819 -CT = BAEC69C08B733EDCD04BF5AA9A422B92FDFD301F716778411891D1B6B9063A06F54C239C0AD9B98F6C9189008BB6B4CB - -Count = 1084 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A -CT = 6FEAF790766419D1BCFE9F16690883CBF2154EA0D4FF5432A4B24329D79DCC239168FC2FFDCEC2A6459B905D62BBAB87 - -Count = 1085 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B -CT = 9351D46CF9BE44C89C49C08B2EA198AC77C8B63E02A8A0B68E53E9EF6B725C75DAA33200662451E9729DFAEB78708C32 - -Count = 1086 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C -CT = 86474F47C9B37AA7B81C7D3A7EF236A07D2D7E8C26334E3D27043CFA28ACC19669B1FF57E581F95F443D7D51DA2FDF1A - -Count = 1087 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D -CT = A4ECA33C0C646BC4B7C83DE5CD87262F4668A8D573DBBE8FE8C8A89E4D383B5D19DC9E6765C9DD28D73489C7C5C4068D - -Count = 1088 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E -CT = D4C8184CC2561264CE33284BB9262C974A1D8587A8966DF0A2C973EC7912E6F72CF80EFB9E9C6C96669915420552D810 - -Count = 1089 -Key = 000102030405060708090A0B0C0D0E0F -Nonce = 000102030405060708090A0B -PT = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -CT = 6EF9B5F223391B7C5FBFDC8FB9DBD482C0CA05BFA23A37583B186C39997D05A09C3F443CB093A9A7B4918D21D658F29B - diff --git a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/aead-common.c b/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/aead-common.h b/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/api.h b/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/api.h
deleted file mode 100644
index c3c0a27..0000000
--- a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 12
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/encrypt.c b/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/encrypt.c
deleted file mode 100644
index a522291..0000000
--- a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "romulus.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return romulus_n3_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return romulus_n3_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-skinny128.c b/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-skinny128.c
deleted file mode 100644
index 579ced1..0000000
--- a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-skinny128.c
+++ /dev/null
@@ -1,801 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-skinny128.h" -#include "internal-skinnyutil.h" -#include "internal-util.h" -#include - -#if !defined(__AVR__) - -STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) -{ - /* This function is used to fast-forward the TK1 tweak value - * to the value at the end of the key schedule for decryption. - * - * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 - * with 48 rounds does not need any fast forwarding applied. 
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds - * are equivalent to applying the permutation 8 times: - * - * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] - */ - uint32_t row0 = tk[0]; - uint32_t row1 = tk[1]; - uint32_t row2 = tk[2]; - uint32_t row3 = tk[3]; - tk[0] = ((row1 >> 8) & 0x0000FFFFU) | - ((row0 >> 8) & 0x00FF0000U) | - ((row0 << 8) & 0xFF000000U); - tk[1] = ((row1 >> 24) & 0x000000FFU) | - ((row0 << 8) & 0x00FFFF00U) | - ((row1 << 24) & 0xFF000000U); - tk[2] = ((row3 >> 8) & 0x0000FFFFU) | - ((row2 >> 8) & 0x00FF0000U) | - ((row2 << 8) & 0xFF000000U); - tk[3] = ((row3 >> 24) & 0x000000FFU) | - ((row2 << 8) & 0x00FFFF00U) | - ((row3 << 24) & 0xFF000000U); -} - -void skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) -{ -#if !SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; -#endif - -#if SKINNY_128_SMALL_SCHEDULE - /* Copy the input key as-is when using the small key schedule version */ - memcpy(ks->TK1, key, sizeof(ks->TK1)); - memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); - memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); -#else - /* Set the initial states of TK1, TK2, and TK3 */ - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - - /* Set up the key schedule using TK2 and TK3. TK1 is not added - * to the key schedule because we will derive that part of the - * schedule during encryption operations */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. 
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); - - /* Permute TK2 and TK3 for the next round */ - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - - /* Apply the LFSR's to TK2 and TK3 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } -#endif -} - -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0x15;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Permute TK1 to fast-forward it to the end of the key schedule */
- skinny128_fast_forward_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_fast_forward_tk(TK2);
- skinny128_fast_forward_tk(TK3);
- for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2 and TK3.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- skinny128_LFSR3(TK3[2]);
- skinny128_LFSR3(TK3[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_inv_permute_tk(TK3);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
- skinny128_LFSR2(TK3[2]);
- skinny128_LFSR2(TK3[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
- TK2[0] = le_load_word32(tk2);
- TK2[1] = le_load_word32(tk2 + 4);
- TK2[2] = le_load_word32(tk2 + 8);
- TK2[3] = le_load_word32(tk2 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0] ^ TK2[0];
- s1 ^= schedule[1] ^ TK1[1] ^ TK2[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK3);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t temp;
- unsigned round;
- uint8_t rc = 0;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakey */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1, TK2, and TK3 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
-#else
- /* Set the initial states of TK1 and TK2 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Set up the key schedule using TK2. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ (rc >> 4);
-
- /* Permute TK2 for the next round */
- skinny128_permute_tk(TK2);
-
- /* Apply the LFSR to TK2 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-#endif
-}
-
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0x09;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1.
- * There is no need to fast-forward TK1 because the value at
- * the end of the key schedule is the same as at the start */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_encrypt_tk_full
- (const unsigned char key[32], unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
- uint32_t temp;
- unsigned round;
- uint8_t rc = 0;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakey */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-#else /* __AVR__ */
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- memcpy(ks->TK2, tk2, 16);
- skinny_128_384_encrypt(ks, output, input);
-}
-
-#endif /* __AVR__ */
diff --git a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-skinny128.h b/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-skinny128.h
deleted file mode 100644
index 2bfda3c..0000000
--- a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-skinny128.h
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNY128_H
-#define LW_INTERNAL_SKINNY128_H
-
-/**
- * \file internal-skinny128.h
- * \brief SKINNY-128 block cipher family.
- *
- * References: https://eprint.iacr.org/2016/660.pdf,
- * https://sites.google.com/site/skinnycipher/
- */
-
-#include
-#include
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \def SKINNY_128_SMALL_SCHEDULE
- * \brief Defined to 1 to use the small key schedule version of SKINNY-128.
- */
-#if defined(__AVR__)
-#define SKINNY_128_SMALL_SCHEDULE 1
-#else
-#define SKINNY_128_SMALL_SCHEDULE 0
-#endif
-
-/**
- * \brief Size of a block for SKINNY-128 block ciphers.
- */
-#define SKINNY_128_BLOCK_SIZE 16
-
-/**
- * \brief Number of rounds for SKINNY-128-384.
- */
-#define SKINNY_128_384_ROUNDS 56
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-384.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-
- /** TK3 for the small key schedule */
- uint8_t TK3[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_384_ROUNDS * 2];
-#endif
-
-} skinny_128_384_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-384.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly
- * provided TK2 value.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tk2 TK2 value that should be updated on the fly.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when both TK1 and TK2 change from block to block.
- * When the key is initialized with skinny_128_384_init(), the TK2 part of
- * the key value should be set to zero.
- *
- * \note Some versions of this function may modify the key schedule to
- * copy tk2 into place.
- */
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 384-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-384 but
- * more memory-efficient.
- */
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Number of rounds for SKINNY-128-256.
- */
-#define SKINNY_128_256_ROUNDS 48
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-256.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_256_ROUNDS * 2];
-#endif
-
-} skinny_128_256_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-256.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 256-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-256 but
- * more memory-efficient.
- */
-void skinny_128_256_encrypt_tk_full
- (const unsigned char key[32], unsigned char *output,
- const unsigned char *input);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-skinnyutil.h b/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-skinnyutil.h
deleted file mode 100644
index 83136cb..0000000
--- a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-skinnyutil.h
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNYUTIL_H
-#define LW_INTERNAL_SKINNYUTIL_H
-
-/**
- * \file internal-skinnyutil.h
- * \brief Utilities to help implement SKINNY and its variants.
- */
-
-#include "internal-util.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** @cond skinnyutil */
-
-/* Utilities for implementing SKINNY-128 */
-
-#define skinny128_LFSR2(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \
- (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \
- } while (0)
-
-
-#define skinny128_LFSR3(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \
- (((_x << 7) ^ (_x << 1)) & 0x80808080U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x)
-#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x)
-
-#define skinny128_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint32_t row2 = tk[2]; \
- uint32_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 16) | (row3 >> 16); \
- tk[0] = ((row2 >> 8) & 0x000000FFU) | \
- ((row2 << 16) & 0x00FF0000U) | \
- ( row3 & 0xFF00FF00U); \
- tk[1] = ((row2 >> 16) & 0x000000FFU) | \
- (row2 & 0xFF000000U) | \
- ((row3 << 8) & 0x0000FF00U) | \
- ( row3 & 0x00FF0000U); \
- } while (0)
-
-#define skinny128_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint32_t row0 = tk[0]; \
- uint32_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 >> 16) & 0x000000FFU) | \
- ((row0 << 8) & 0x0000FF00U) | \
- ((row1 << 16) & 0x00FF0000U) | \
- ( row1 & 0xFF000000U); \
- tk[3] = ((row0 >> 16) & 0x0000FF00U) | \
- ((row0 << 16) & 0xFF000000U) | \
- ((row1 >> 16) & 0x000000FFU) | \
- ((row1 << 8) & 0x00FF0000U); \
- } while (0)
-
-/*
- * Apply the SKINNY sbox. The original version from the specification is
- * equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE(x)
- * ((((x) & 0x01010101U) << 2) |
- * (((x) & 0x06060606U) << 5) |
- * (((x) & 0x20202020U) >> 5) |
- * (((x) & 0xC8C8C8C8U) >> 2) |
- * (((x) & 0x10101010U) >> 1))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * return SBOX_SWAP(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \
- y = (((x >> 5) & (x << 1)) & 0x04040404U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \
- x = ((x & 0x08080808U) << 1) | \
- ((x & 0x32323232U) << 2) | \
- ((x & 0x01010101U) << 5) | \
- ((x & 0x80808080U) >> 6) | \
- ((x & 0x40404040U) >> 4) | \
- ((x & 0x04040404U) >> 2); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE_INV(x)
- * ((((x) & 0x08080808U) << 1) |
- * (((x) & 0x32323232U) << 2) |
- * (((x) & 0x01010101U) << 5) |
- * (((x) & 0xC0C0C0C0U) >> 5) |
- * (((x) & 0x04040404U) >> 2))
- *
- * x = SBOX_SWAP(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_inv_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- y = (((x >> 1) & (x >> 3)) & 0x01010101U); \
- x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \
- y = (((x >> 6) & (x >> 1)) & 0x02020202U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \
- x = ((x & 0x01010101U) << 2) | \
- ((x & 0x04040404U) << 4) | \
- ((x & 0x02020202U) << 6) | \
- ((x & 0x20202020U) >> 5) | \
- ((x & 0xC8C8C8C8U) >> 2) | \
- ((x & 0x10101010U) >> 1); \
-} while (0)
-
-/* Utilities for implementing SKINNY-64 */
-
-#define skinny64_LFSR2(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \
- } while (0)
-
-#define skinny64_LFSR3(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x)
-#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x)
-
-#define skinny64_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint16_t row2 = tk[2]; \
- uint16_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 8) | (row3 >> 8); \
- tk[0] = ((row2 << 4) & 0xF000U) | \
- ((row2 >> 8) & 0x00F0U) | \
- ( row3 & 0x0F0FU); \
- tk[1] = ((row2 << 8) & 0xF000U) | \
- ((row3 >> 4) & 0x0F00U) | \
- ( row3 & 0x00F0U) | \
- ( row2 & 0x000FU); \
- } while (0)
-
-#define skinny64_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint16_t row0 = tk[0]; \
- uint16_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 << 8) & 0xF000U) | \
- ((row0 >> 4) & 0x0F00U) | \
- ((row1 >> 8) & 0x00F0U) | \
- ( row1 & 0x000FU); \
- tk[3] = ((row1 << 8) & 0xF000U) | \
- ((row0 << 8) & 0x0F00U) | \
- ((row1 >> 4) & 0x00F0U) | \
- ((row0 >> 8) & 0x000FU); \
- } while (0)
-
-/*
- * Apply the SKINNY-64 sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT(x)
- * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_SHIFT steps to be performed with one final rotation.
- * This reduces the number of required shift operations from 14 to 10.
- *
- * We can further reduce the number of NOT operations from 4 to 2
- * using the technique from https://github.com/kste/skinny_avx to
- * convert NOR-XOR operations into AND-XOR operations by converting
- * the S-box into its NOT-inverse.
- */
-#define skinny64_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \
- x = ~x; \
- x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY-64 sbox. The original version
- * from the specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT_INV(x)
- * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * return SBOX_MIX(x);
- */
-#define skinny64_inv_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = ~x; \
- x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \
-} while (0)
-
-/** @endcond */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-util.h b/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/romulus.c b/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/romulus.c
deleted file mode 100644
index bb19cc5..0000000
--- a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/romulus.c
+++ /dev/null
@@ -1,1974 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "romulus.h"
-#include "internal-skinny128.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const romulus_n1_cipher = {
- "Romulus-N1",
- ROMULUS_KEY_SIZE,
- ROMULUS1_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_n1_aead_encrypt,
- romulus_n1_aead_decrypt
-};
-
-aead_cipher_t const romulus_n2_cipher = {
- "Romulus-N2",
- ROMULUS_KEY_SIZE,
- ROMULUS2_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_n2_aead_encrypt,
- romulus_n2_aead_decrypt
-};
-
-aead_cipher_t const romulus_n3_cipher = {
- "Romulus-N3",
- ROMULUS_KEY_SIZE,
- ROMULUS3_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_n3_aead_encrypt,
- romulus_n3_aead_decrypt
-};
-
-aead_cipher_t const romulus_m1_cipher = {
- "Romulus-M1",
- ROMULUS_KEY_SIZE,
- ROMULUS1_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_m1_aead_encrypt,
- romulus_m1_aead_decrypt
-};
-
-aead_cipher_t const romulus_m2_cipher = {
- "Romulus-M2",
- ROMULUS_KEY_SIZE,
- ROMULUS2_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_m2_aead_encrypt,
- romulus_m2_aead_decrypt
-};
-
-aead_cipher_t const romulus_m3_cipher = {
- "Romulus-M3",
- ROMULUS_KEY_SIZE,
- ROMULUS3_NONCE_SIZE,
- ROMULUS_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- romulus_m3_aead_encrypt,
- romulus_m3_aead_decrypt
-};
-
-/**
- * \brief Limit on the number of bytes of message or associated data (128Mb).
- *
- * Romulus-N1 and Romulus-M1 use a 56-bit block counter which allows for
- * payloads well into the petabyte range. It is unlikely that an embedded
- * device will have that much memory to store a contiguous packet!
- *
- * Romulus-N2 and Romulus-M2 use a 48-bit block counter but the upper
- * 24 bits are difficult to modify in the key schedule. So we only
- * update the low 24 bits and leave the high 24 bits fixed.
- *
- * Romulus-N3 and Romulus-M3 use a 24-bit block counter.
- *
- * For all algorithms, we limit the block counter to 2^23 so that the block
- * counter can never exceed 2^24 - 1.
- */
-#define ROMULUS_DATA_LIMIT \
- ((unsigned long long)((1ULL << 23) * SKINNY_128_BLOCK_SIZE))
-
-/**
- * \brief Initializes the key schedule for Romulus-N1 or Romulus-M1.
- *
- * \param ks Points to the key schedule to initialize.
- * \param k Points to the 16 bytes of the key.
- * \param npub Points to the 16 bytes of the nonce. May be NULL
- * if the nonce will be updated on the fly.
- */
-static void romulus1_init
- (skinny_128_384_key_schedule_t *ks,
- const unsigned char *k, const unsigned char *npub)
-{
- unsigned char TK[48];
- TK[0] = 0x01; /* Initialize the 56-bit LFSR counter */
- memset(TK + 1, 0, 15);
- if (npub)
- memcpy(TK + 16, npub, 16);
- else
- memset(TK + 16, 0, 16);
- memcpy(TK + 32, k, 16);
- skinny_128_384_init(ks, TK);
-}
-
-/**
- * \brief Initializes the key schedule for Romulus-N2 or Romulus-M2.
- *
- * \param ks Points to the key schedule to initialize.
- * \param k Points to the 16 bytes of the key.
- * \param npub Points to the 12 bytes of the nonce. May be NULL
- * if the nonce will be updated on the fly.
- */
-static void romulus2_init
- (skinny_128_384_key_schedule_t *ks,
- const unsigned char *k, const unsigned char *npub)
-{
- unsigned char TK[48];
- TK[0] = 0x01; /* Initialize the low 24 bits of the LFSR counter */
- if (npub) {
- TK[1] = TK[2] = TK[3] = 0;
- memcpy(TK + 4, npub, 12);
- } else {
- memset(TK + 1, 0, 15);
- }
- memcpy(TK + 16, k, 16);
- TK[32] = 0x01; /* Initialize the high 24 bits of the LFSR counter */
- memset(TK + 33, 0, 15);
- skinny_128_384_init(ks, TK);
-}
-
-/**
- * \brief Initializes the key schedule for Romulus-N3 or Romulus-M3.
- *
- * \param ks Points to the key schedule to initialize.
- * \param k Points to the 16 bytes of the key.
- * \param npub Points to the 12 bytes of the nonce. May be NULL
- * if the nonce will be updated on the fly.
- */
-static void romulus3_init
- (skinny_128_256_key_schedule_t *ks,
- const unsigned char *k, const unsigned char *npub)
-{
- unsigned char TK[32];
- TK[0] = 0x01; /* Initialize the 24-bit LFSR counter */
- if (npub) {
- TK[1] = TK[2] = TK[3] = 0;
- memcpy(TK + 4, npub, 12);
- } else {
- memset(TK + 1, 0, 15);
- }
- memcpy(TK + 16, k, 16);
- skinny_128_256_init(ks, TK);
-}
-
-/**
- * \brief Sets the domain separation value for Romulus-N1 and M1.
- *
- * \param ks The key schedule to set the domain separation value into.
- * \param domain The domain separation value.
- */
-#define romulus1_set_domain(ks, domain) ((ks)->TK1[7] = (domain))
-
-/**
- * \brief Sets the domain separation value for Romulus-N2 and M2.
- *
- * \param ks The key schedule to set the domain separation value into.
- * \param domain The domain separation value.
- */
-#define romulus2_set_domain(ks, domain) ((ks)->TK1[3] = (domain))
-
-/**
- * \brief Sets the domain separation value for Romulus-N3 and M3.
- *
- * \param ks The key schedule to set the domain separation value into.
- * \param domain The domain separation value.
- */
-#define romulus3_set_domain(ks, domain) ((ks)->TK1[3] = (domain))
-
-/**
- * \brief Updates the 56-bit LFSR block counter for Romulus-N1 and M1.
- *
- * \param TK1 Points to the TK1 part of the key schedule containing the LFSR.
- */
-STATIC_INLINE void romulus1_update_counter(uint8_t TK1[16])
-{
- uint8_t mask = (uint8_t)(((int8_t)(TK1[6])) >> 7);
- TK1[6] = (TK1[6] << 1) | (TK1[5] >> 7);
- TK1[5] = (TK1[5] << 1) | (TK1[4] >> 7);
- TK1[4] = (TK1[4] << 1) | (TK1[3] >> 7);
- TK1[3] = (TK1[3] << 1) | (TK1[2] >> 7);
- TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7);
- TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7);
- TK1[0] = (TK1[0] << 1) ^ (mask & 0x95);
-}
-
-/**
- * \brief Updates the 24-bit LFSR block counter for Romulus-N2 or M2.
- *
- * \param TK1 Points to the TK1 part of the key schedule containing the LFSR.
- *
- * For Romulus-N2 and Romulus-M2 this will only update the low 24 bits of
- * the 48-bit LFSR. The high 24 bits are fixed due to ROMULUS_DATA_LIMIT.
- */
-STATIC_INLINE void romulus2_update_counter(uint8_t TK1[16])
-{
- uint8_t mask = (uint8_t)(((int8_t)(TK1[2])) >> 7);
- TK1[2] = (TK1[2] << 1) | (TK1[1] >> 7);
- TK1[1] = (TK1[1] << 1) | (TK1[0] >> 7);
- TK1[0] = (TK1[0] << 1) ^ (mask & 0x1B);
-}
-
-/**
- * \brief Updates the 24-bit LFSR block counter for Romulus-N3 or M3.
- *
- * \param TK1 Points to the TK1 part of the key schedule containing the LFSR.
- */
-#define romulus3_update_counter(TK1) romulus2_update_counter((TK1))
-
-/**
- * \brief Process the asssociated data for Romulus-N1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void romulus_n1_process_ad
- (skinny_128_384_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char temp;
-
- /* Handle the special case of no associated data */
- if (adlen == 0) {
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x1A);
- skinny_128_384_encrypt_tk2(ks, S, S, npub);
- return;
- }
-
- /* Process all double blocks except the last */
- romulus1_set_domain(ks, 0x08);
- while (adlen > 32) {
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
- romulus1_update_counter(ks->TK1);
- ad += 32;
- adlen -= 32;
- }
-
- /* Pad and process the left-over blocks */
- romulus1_update_counter(ks->TK1);
- temp = (unsigned)adlen;
- if (temp == 32) {
- /* Left-over complete double block */
- lw_xor_block(S, ad, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x18);
- } else if (temp > 16) {
- /* Left-over partial double
block */
- unsigned char pad[16];
- temp -= 16;
- lw_xor_block(S, ad, 16);
- memcpy(pad, ad + 16, temp);
- memset(pad + temp, 0, 15 - temp);
- pad[15] = temp;
- skinny_128_384_encrypt_tk2(ks, S, S, pad);
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x1A);
- } else if (temp == 16) {
- /* Left-over complete single block */
- lw_xor_block(S, ad, temp);
- romulus1_set_domain(ks, 0x18);
- } else {
- /* Left-over partial single block */
- lw_xor_block(S, ad, temp);
- S[15] ^= temp;
- romulus1_set_domain(ks, 0x1A);
- }
- skinny_128_384_encrypt_tk2(ks, S, S, npub);
-}
-
-/**
- * \brief Process the asssociated data for Romulus-N2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void romulus_n2_process_ad
- (skinny_128_384_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char temp;
-
- /* Handle the special case of no associated data */
- if (adlen == 0) {
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x5A);
- memcpy(ks->TK1 + 4, npub, 12);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all double blocks except the last */
- romulus2_set_domain(ks, 0x48);
- while (adlen > 28) {
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Pad and process the left-over blocks */
- romulus2_update_counter(ks->TK1);
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Left-over complete double block */
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x58);
- } else if (temp > 16) {
- /* Left-over
partial double block */
- temp -= 16;
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp);
- ks->TK1[15] = temp;
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x5A);
- } else if (temp == 16) {
- /* Left-over complete single block */
- lw_xor_block(S, ad, temp);
- romulus2_set_domain(ks, 0x58);
- } else {
- /* Left-over partial single block */
- lw_xor_block(S, ad, temp);
- S[15] ^= temp;
- romulus2_set_domain(ks, 0x5A);
- }
- memcpy(ks->TK1 + 4, npub, 12);
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Process the asssociated data for Romulus-N3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void romulus_n3_process_ad
- (skinny_128_256_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char temp;
-
- /* Handle the special case of no associated data */
- if (adlen == 0) {
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x9A);
- memcpy(ks->TK1 + 4, npub, 12);
- skinny_128_256_encrypt(ks, S, S);
- return;
- }
-
- /* Process all double blocks except the last */
- romulus3_set_domain(ks, 0x88);
- while (adlen > 28) {
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Pad and process the left-over blocks */
- romulus3_update_counter(ks->TK1);
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Left-over complete double block */
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x98);
- } else if (temp >
16) {
- /* Left-over partial double block */
- temp -= 16;
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp);
- ks->TK1[15] = temp;
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x9A);
- } else if (temp == 16) {
- /* Left-over complete single block */
- lw_xor_block(S, ad, temp);
- romulus3_set_domain(ks, 0x98);
- } else {
- /* Left-over partial single block */
- lw_xor_block(S, ad, temp);
- S[15] ^= temp;
- romulus3_set_domain(ks, 0x9A);
- }
- memcpy(ks->TK1 + 4, npub, 12);
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Determine the domain separation value to use on the last
- * block of the associated data processing.
- *
- * \param adlen Length of the associated data in bytes.
- * \param mlen Length of the message in bytes.
- * \param t Size of the second half of a double block; 12 or 16.
- *
- * \return The domain separation bits to use to finalize the last block.
- */
-static uint8_t romulus_m_final_ad_domain
- (unsigned long long adlen, unsigned long long mlen, unsigned t)
-{
- uint8_t domain = 0;
- unsigned split = 16U;
- unsigned leftover;
-
- /* Determine which domain bits we need based on the length of the ad */
- if (adlen == 0) {
- /* No associated data, so only 1 block with padding */
- domain ^= 0x02;
- split = t;
- } else {
- /* Even or odd associated data length?
*/
- leftover = (unsigned)(adlen % (16U + t));
- if (leftover == 0) {
- /* Even with a full double block at the end */
- domain ^= 0x08;
- } else if (leftover < split) {
- /* Odd with a partial single block at the end */
- domain ^= 0x02;
- split = t;
- } else if (leftover > split) {
- /* Even with a partial double block at the end */
- domain ^= 0x0A;
- } else {
- /* Odd with a full single block at the end */
- split = t;
- }
- }
-
- /* Determine which domain bits we need based on the length of the message */
- if (mlen == 0) {
- /* No message, so only 1 block with padding */
- domain ^= 0x01;
- } else {
- /* Even or odd message length? */
- leftover = (unsigned)(mlen % (16U + t));
- if (leftover == 0) {
- /* Even with a full double block at the end */
- domain ^= 0x04;
- } else if (leftover < split) {
- /* Odd with a partial single block at the end */
- domain ^= 0x01;
- } else if (leftover > split) {
- /* Even with a partial double block at the end */
- domain ^= 0x05;
- }
- }
- return domain;
-}
-
-/**
- * \brief Process the asssociated data for Romulus-M1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- * \param m Points to the message plaintext.
- * \param mlen Length of the message plaintext.
- */
-static void romulus_m1_process_ad
- (skinny_128_384_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *m, unsigned long long mlen)
-{
- unsigned char pad[16];
- uint8_t final_domain = 0x30;
- unsigned temp;
-
- /* Determine the domain separator to use on the final block */
- final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 16);
-
- /* Process all associated data double blocks except the last */
- romulus1_set_domain(ks, 0x28);
- while (adlen > 32) {
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
- romulus1_update_counter(ks->TK1);
- ad += 32;
- adlen -= 32;
- }
-
- /* Process the last associated data double block */
- temp = (unsigned)adlen;
- if (temp == 32) {
- /* Last associated data double block is full */
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, ad + 16);
- romulus1_update_counter(ks->TK1);
- } else if (temp > 16) {
- /* Last associated data double block is partial */
- temp -= 16;
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(pad, ad + 16, temp);
- memset(pad + temp, 0, sizeof(pad) - temp - 1);
- pad[sizeof(pad) - 1] = (unsigned char)temp;
- skinny_128_384_encrypt_tk2(ks, S, S, pad);
- romulus1_update_counter(ks->TK1);
- } else {
- /* Last associated data block is single.
Needs to be combined
- * with the first block of the message payload */
- romulus1_set_domain(ks, 0x2C);
- romulus1_update_counter(ks->TK1);
- if (temp == 16) {
- lw_xor_block(S, ad, 16);
- } else {
- lw_xor_block(S, ad, temp);
- S[15] ^= (unsigned char)temp;
- }
- if (mlen > 16) {
- skinny_128_384_encrypt_tk2(ks, S, S, m);
- romulus1_update_counter(ks->TK1);
- m += 16;
- mlen -= 16;
- } else if (mlen == 16) {
- skinny_128_384_encrypt_tk2(ks, S, S, m);
- m += 16;
- mlen -= 16;
- } else {
- temp = (unsigned)mlen;
- memcpy(pad, m, temp);
- memset(pad + temp, 0, sizeof(pad) - temp - 1);
- pad[sizeof(pad) - 1] = (unsigned char)temp;
- skinny_128_384_encrypt_tk2(ks, S, S, pad);
- mlen = 0;
- }
- }
-
- /* Process all message double blocks except the last */
- romulus1_set_domain(ks, 0x2C);
- while (mlen > 32) {
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, m + 16);
- romulus1_update_counter(ks->TK1);
- m += 32;
- mlen -= 32;
- }
-
- /* Process the last message double block */
- temp = (unsigned)mlen;
- if (temp == 32) {
- /* Last message double block is full */
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- skinny_128_384_encrypt_tk2(ks, S, S, m + 16);
- } else if (temp > 16) {
- /* Last message double block is partial */
- temp -= 16;
- romulus1_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(pad, m + 16, temp);
- memset(pad + temp, 0, sizeof(pad) - temp - 1);
- pad[sizeof(pad) - 1] = (unsigned char)temp;
- skinny_128_384_encrypt_tk2(ks, S, S, pad);
- } else if (temp == 16) {
- /* Last message single block is full */
- lw_xor_block(S, m, 16);
- } else if (temp > 0) {
- /* Last message single block is partial */
- lw_xor_block(S, m, temp);
- S[15] ^= (unsigned char)temp;
- }
-
- /* Process the last partial block */
- romulus1_set_domain(ks, final_domain);
- romulus1_update_counter(ks->TK1);
- skinny_128_384_encrypt_tk2(ks, S, S, npub);
-}
-
-/**
- * \brief Process the asssociated data for
Romulus-M2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- * \param m Points to the message plaintext.
- * \param mlen Length of the message plaintext.
- */
-static void romulus_m2_process_ad
- (skinny_128_384_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *m, unsigned long long mlen)
-{
- uint8_t final_domain = 0x70;
- unsigned temp;
-
- /* Determine the domain separator to use on the final block */
- final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12);
-
- /* Process all associated data double blocks except the last */
- romulus2_set_domain(ks, 0x68);
- while (adlen > 28) {
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Process the last associated data double block */
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Last associated data double block is full */
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- } else if (temp > 16) {
- /* Last associated data double block is partial */
- temp -= 16;
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- } else {
- /* Last associated data block is single.
Needs to be combined
- * with the first block of the message payload */
- romulus2_set_domain(ks, 0x6C);
- romulus2_update_counter(ks->TK1);
- if (temp == 16) {
- lw_xor_block(S, ad, 16);
- } else {
- lw_xor_block(S, ad, temp);
- S[15] ^= (unsigned char)temp;
- }
- if (mlen > 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- m += 12;
- mlen -= 12;
- } else if (mlen == 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_384_encrypt(ks, S, S);
- m += 12;
- mlen -= 12;
- } else {
- temp = (unsigned)mlen;
- memcpy(ks->TK1 + 4, m, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_384_encrypt(ks, S, S);
- mlen = 0;
- }
- }
-
- /* Process all message double blocks except the last */
- romulus2_set_domain(ks, 0x6C);
- while (mlen > 28) {
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- romulus2_update_counter(ks->TK1);
- m += 28;
- mlen -= 28;
- }
-
- /* Process the last message double block */
- temp = (unsigned)mlen;
- if (temp == 28) {
- /* Last message double block is full */
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_384_encrypt(ks, S, S);
- } else if (temp > 16) {
- /* Last message double block is partial */
- temp -= 16;
- romulus2_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_384_encrypt(ks, S, S);
- } else if (temp == 16) {
- /* Last message single block is full */
- lw_xor_block(S, m, 16);
- } else if (temp > 0) {
- /* Last message single block is partial */
- lw_xor_block(S, m, temp);
- S[15] ^= (unsigned char)temp;
- }
-
- /* Process the last partial block */
- romulus2_set_domain(ks, final_domain);
- romulus2_update_counter(ks->TK1);
- memcpy(ks->TK1 + 4, npub,
12);
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Process the asssociated data for Romulus-M3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param npub Points to the nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- * \param m Points to the message plaintext.
- * \param mlen Length of the message plaintext.
- */
-static void romulus_m3_process_ad
- (skinny_128_256_key_schedule_t *ks,
- unsigned char S[16], const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *m, unsigned long long mlen)
-{
- uint8_t final_domain = 0xB0;
- unsigned temp;
-
- /* Determine the domain separator to use on the final block */
- final_domain ^= romulus_m_final_ad_domain(adlen, mlen, 12);
-
- /* Process all associated data double blocks except the last */
- romulus3_set_domain(ks, 0xA8);
- while (adlen > 28) {
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- ad += 28;
- adlen -= 28;
- }
-
- /* Process the last associated data double block */
- temp = (unsigned)adlen;
- if (temp == 28) {
- /* Last associated data double block is full */
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- } else if (temp > 16) {
- /* Last associated data double block is partial */
- temp -= 16;
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, ad, 16);
- memcpy(ks->TK1 + 4, ad + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- } else {
- /* Last associated data block is single.
Needs to be combined
- * with the first block of the message payload */
- romulus3_set_domain(ks, 0xAC);
- romulus3_update_counter(ks->TK1);
- if (temp == 16) {
- lw_xor_block(S, ad, 16);
- } else {
- lw_xor_block(S, ad, temp);
- S[15] ^= (unsigned char)temp;
- }
- if (mlen > 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- m += 12;
- mlen -= 12;
- } else if (mlen == 12) {
- memcpy(ks->TK1 + 4, m, 12);
- skinny_128_256_encrypt(ks, S, S);
- m += 12;
- mlen -= 12;
- } else {
- temp = (unsigned)mlen;
- memcpy(ks->TK1 + 4, m, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_256_encrypt(ks, S, S);
- mlen = 0;
- }
- }
-
- /* Process all message double blocks except the last */
- romulus3_set_domain(ks, 0xAC);
- while (mlen > 28) {
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- romulus3_update_counter(ks->TK1);
- m += 28;
- mlen -= 28;
- }
-
- /* Process the last message double block */
- temp = (unsigned)mlen;
- if (temp == 28) {
- /* Last message double block is full */
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, 12);
- skinny_128_256_encrypt(ks, S, S);
- } else if (temp > 16) {
- /* Last message double block is partial */
- temp -= 16;
- romulus3_update_counter(ks->TK1);
- lw_xor_block(S, m, 16);
- memcpy(ks->TK1 + 4, m + 16, temp);
- memset(ks->TK1 + 4 + temp, 0, 12 - temp - 1);
- ks->TK1[15] = (unsigned char)temp;
- skinny_128_256_encrypt(ks, S, S);
- } else if (temp == 16) {
- /* Last message single block is full */
- lw_xor_block(S, m, 16);
- } else if (temp > 0) {
- /* Last message single block is partial */
- lw_xor_block(S, m, temp);
- S[15] ^= (unsigned char)temp;
- }
-
- /* Process the last partial block */
- romulus3_set_domain(ks, final_domain);
- romulus3_update_counter(ks->TK1);
- memcpy(ks->TK1 + 4, npub,
12);
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Applies the Romulus rho function.
- *
- * \param S The rolling Romulus state.
- * \param C Ciphertext message output block.
- * \param M Plaintext message input block.
- */
-STATIC_INLINE void romulus_rho
- (unsigned char S[16], unsigned char C[16], const unsigned char M[16])
-{
- unsigned index;
- for (index = 0; index < 16; ++index) {
- unsigned char s = S[index];
- unsigned char m = M[index];
- S[index] ^= m;
- C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- }
-}
-
-/**
- * \brief Applies the inverse of the Romulus rho function.
- *
- * \param S The rolling Romulus state.
- * \param M Plaintext message output block.
- * \param C Ciphertext message input block.
- */
-STATIC_INLINE void romulus_rho_inverse
- (unsigned char S[16], unsigned char M[16], const unsigned char C[16])
-{
- unsigned index;
- for (index = 0; index < 16; ++index) {
- unsigned char s = S[index];
- unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- S[index] ^= m;
- M[index] = m;
- }
-}
-
-/**
- * \brief Applies the Romulus rho function to a short block.
- *
- * \param S The rolling Romulus state.
- * \param C Ciphertext message output block.
- * \param M Plaintext message input block.
- * \param len Length of the short block, must be less than 16.
- */
-STATIC_INLINE void romulus_rho_short
- (unsigned char S[16], unsigned char C[16],
- const unsigned char M[16], unsigned len)
-{
- unsigned index;
- for (index = 0; index < len; ++index) {
- unsigned char s = S[index];
- unsigned char m = M[index];
- S[index] ^= m;
- C[index] = m ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- }
- S[15] ^= (unsigned char)len; /* Padding */
-}
-
-/**
- * \brief Applies the inverse of the Romulus rho function to a short block.
- *
- * \param S The rolling Romulus state.
- * \param M Plaintext message output block.
- * \param C Ciphertext message input block.
- * \param len Length of the short block, must be less than 16.
- */
-STATIC_INLINE void romulus_rho_inverse_short
- (unsigned char S[16], unsigned char M[16],
- const unsigned char C[16], unsigned len)
-{
- unsigned index;
- for (index = 0; index < len; ++index) {
- unsigned char s = S[index];
- unsigned char m = C[index] ^ ((s >> 1) ^ (s & 0x80) ^ (s << 7));
- S[index] ^= m;
- M[index] = m;
- }
- S[15] ^= (unsigned char)len; /* Padding */
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-N1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n1_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no plaintext */
- if (mlen == 0) {
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x15);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus1_set_domain(ks, 0x04);
- while (mlen > 16) {
- romulus_rho(S, c, m);
- romulus1_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus1_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_short(S, c, m, temp);
- romulus1_set_domain(ks, 0x15);
- } else {
- romulus_rho(S, c, m);
- romulus1_set_domain(ks, 0x14);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-N1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n1_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no ciphertext */
- if (mlen == 0) {
- romulus1_update_counter(ks->TK1);
- romulus1_set_domain(ks, 0x15);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus1_set_domain(ks, 0x04);
- while (mlen > 16) {
- romulus_rho_inverse(S, m, c);
- romulus1_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus1_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_inverse_short(S, m, c, temp);
- romulus1_set_domain(ks, 0x15);
- } else {
- romulus_rho_inverse(S, m, c);
- romulus1_set_domain(ks, 0x14);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-N2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n2_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no plaintext */
- if (mlen == 0) {
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x55);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus2_set_domain(ks, 0x44);
- while (mlen > 16) {
- romulus_rho(S, c, m);
- romulus2_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus2_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_short(S, c, m, temp);
- romulus2_set_domain(ks, 0x55);
- } else {
- romulus_rho(S, c, m);
- romulus2_set_domain(ks, 0x54);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-N2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n2_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no ciphertext */
- if (mlen == 0) {
- romulus2_update_counter(ks->TK1);
- romulus2_set_domain(ks, 0x55);
- skinny_128_384_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus2_set_domain(ks, 0x44);
- while (mlen > 16) {
- romulus_rho_inverse(S, m, c);
- romulus2_update_counter(ks->TK1);
- skinny_128_384_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus2_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_inverse_short(S, m, c, temp);
- romulus2_set_domain(ks, 0x55);
- } else {
- romulus_rho_inverse(S, m, c);
- romulus2_set_domain(ks, 0x54);
- }
- skinny_128_384_encrypt(ks, S, S);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-N3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n3_encrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no plaintext */
- if (mlen == 0) {
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x95);
- skinny_128_256_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus3_set_domain(ks, 0x84);
- while (mlen > 16) {
- romulus_rho(S, c, m);
- romulus3_update_counter(ks->TK1);
- skinny_128_256_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus3_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_short(S, c, m, temp);
- romulus3_set_domain(ks, 0x95);
- } else {
- romulus_rho(S, c, m);
- romulus3_set_domain(ks, 0x94);
- }
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-N3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_n3_decrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- unsigned temp;
-
- /* Handle the special case of no ciphertext */
- if (mlen == 0) {
- romulus3_update_counter(ks->TK1);
- romulus3_set_domain(ks, 0x95);
- skinny_128_256_encrypt(ks, S, S);
- return;
- }
-
- /* Process all blocks except the last */
- romulus3_set_domain(ks, 0x84);
- while (mlen > 16) {
- romulus_rho_inverse(S, m, c);
- romulus3_update_counter(ks->TK1);
- skinny_128_256_encrypt(ks, S, S);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)mlen;
- romulus3_update_counter(ks->TK1);
- if (temp < 16) {
- romulus_rho_inverse_short(S, m, c, temp);
- romulus3_set_domain(ks, 0x95);
- } else {
- romulus_rho_inverse(S, m, c);
- romulus3_set_domain(ks, 0x94);
- }
- skinny_128_256_encrypt(ks, S, S);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-M1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m1_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus1_set_domain(ks, 0x24);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho(S, c, m);
- romulus1_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_short(S, c, m, (unsigned)mlen);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-M1.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m1_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus1_set_domain(ks, 0x24);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse(S, m, c);
- romulus1_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-M2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m2_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus2_set_domain(ks, 0x64);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho(S, c, m);
- romulus2_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_short(S, c, m, (unsigned)mlen);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-M2.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m2_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus2_set_domain(ks, 0x64);
- while (mlen > 16) {
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse(S, m, c);
- romulus2_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_384_encrypt(ks, S, S);
- romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
-}
-
-/**
- * \brief Encrypts a plaintext message with Romulus-M3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the buffer containing the plaintext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m3_encrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *c, const unsigned char *m, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus3_set_domain(ks, 0xA4);
- while (mlen > 16) {
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho(S, c, m);
- romulus3_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho_short(S, c, m, (unsigned)mlen);
-}
-
-/**
- * \brief Decrypts a ciphertext message with Romulus-M3.
- *
- * \param ks Points to the key schedule.
- * \param S The rolling Romulus state.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the buffer containing the ciphertext.
- * \param mlen Length of the plaintext in bytes.
- */
-static void romulus_m3_decrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char S[16],
- unsigned char *m, const unsigned char *c, unsigned long long mlen)
-{
- /* Nothing to do if the message is empty */
- if (!mlen)
- return;
-
- /* Process all block except the last */
- romulus3_set_domain(ks, 0xA4);
- while (mlen > 16) {
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho_inverse(S, m, c);
- romulus3_update_counter(ks->TK1);
- c += 16;
- m += 16;
- mlen -= 16;
- }
-
- /* Handle the last block */
- skinny_128_256_encrypt(ks, S, S);
- romulus_rho_inverse_short(S, m, c, (unsigned)mlen);
-}
-
-/**
- * \brief Generates the authentication tag from the rolling Romulus state.
- *
- * \param T Buffer to receive the generated tag; can be the same as S.
- * \param S The rolling Romulus state.
- */
-STATIC_INLINE void romulus_generate_tag
- (unsigned char T[16], const unsigned char S[16])
-{
- unsigned index;
- for (index = 0; index < 16; ++index) {
- unsigned char s = S[index];
- T[index] = (s >> 1) ^ (s & 0x80) ^ (s << 7);
- }
-}
-
-int romulus_n1_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n1_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Encrypts the plaintext to produce the ciphertext */
- romulus_n1_encrypt(&ks, S, c, m, mlen);
-
- /* Generate the authentication tag */
- romulus_generate_tag(c + mlen, S);
- return 0;
-}
-
-int romulus_n1_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n1_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= ROMULUS_TAG_SIZE;
- romulus_n1_decrypt(&ks, S, m, c, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_n2_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n2_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Encrypts the plaintext to produce the ciphertext */
- romulus_n2_encrypt(&ks, S, c, m, mlen);
-
- /* Generate the authentication tag */
- romulus_generate_tag(c + mlen, S);
- return 0;
-}
-
-int romulus_n2_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n2_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= ROMULUS_TAG_SIZE;
- romulus_n2_decrypt(&ks, S, m, c, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_n3_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n3_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Encrypts the plaintext to produce the ciphertext */
- romulus_n3_encrypt(&ks, S, c, m, mlen);
-
- /* Generate the authentication tag */
- romulus_generate_tag(c + mlen, S);
- return 0;
-}
-
-int romulus_n3_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_n3_process_ad(&ks, S, npub, ad, adlen);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= ROMULUS_TAG_SIZE;
- romulus_n3_decrypt(&ks, S, m, c, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_m1_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data and the plaintext message */
- memset(S, 0, sizeof(S));
- romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, mlen);
-
- /* Generate the authentication tag, which is also the initialization
- * vector for the encryption portion of the packet processing */
- romulus_generate_tag(S, S);
- memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Encrypt the plaintext to produce the ciphertext */
- romulus_m1_encrypt(&ks, S, c, m, mlen);
- return 0;
-}
-
-int romulus_m1_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and nonce */
- romulus1_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext, using the
- * authentication tag as the initialization vector for decryption */
- clen -= ROMULUS_TAG_SIZE;
- memcpy(S, c + clen, ROMULUS_TAG_SIZE);
- romulus_m1_decrypt(&ks, S, m, c, clen);
-
- /* Re-initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus1_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_m1_process_ad(&ks, S, npub, ad, adlen, m, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_m2_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data and the plaintext message */
- memset(S, 0, sizeof(S));
- romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, mlen);
-
- /* Generate the authentication tag, which is also the initialization
- * vector for the encryption portion of the packet processing */
- romulus_generate_tag(S, S);
- memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Encrypt the plaintext to produce the ciphertext */
- romulus_m2_encrypt(&ks, S, c, m, mlen);
- return 0;
-}
-
-int romulus_m2_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and nonce */
- romulus2_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext, using the
- * authentication tag as the initialization vector for decryption */
- clen -= ROMULUS_TAG_SIZE;
- memcpy(S, c + clen, ROMULUS_TAG_SIZE);
- romulus_m2_decrypt(&ks, S, m, c, clen);
-
- /* Re-initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus2_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_m2_process_ad(&ks, S, npub, ad, adlen, m, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
-
-int romulus_m3_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT || mlen > ROMULUS_DATA_LIMIT)
- return -2;
-
- /* Initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data and the plaintext message */
- memset(S, 0, sizeof(S));
- romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, mlen);
-
- /* Generate the authentication tag, which is also the initialization
- * vector for the encryption portion of the packet processing */
- romulus_generate_tag(S, S);
- memcpy(c + mlen, S, ROMULUS_TAG_SIZE);
-
- /* Re-initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Encrypt the plaintext to produce the ciphertext */
- romulus_m3_encrypt(&ks, S, c, m, mlen);
- return 0;
-}
-
-int romulus_m3_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char S[16];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < ROMULUS_TAG_SIZE)
- return -1;
- *mlen = clen - ROMULUS_TAG_SIZE;
-
- /* Validate the length of the associated data and message */
- if (adlen > ROMULUS_DATA_LIMIT ||
- clen > (ROMULUS_DATA_LIMIT + ROMULUS_TAG_SIZE))
- return -2;
-
- /* Initialize the key schedule with the key and nonce */
- romulus3_init(&ks, k, npub);
-
- /* Decrypt the ciphertext to produce the plaintext, using the
- * authentication tag as the initialization vector for decryption */
- clen -= ROMULUS_TAG_SIZE;
- memcpy(S, c + clen, ROMULUS_TAG_SIZE);
- romulus_m3_decrypt(&ks, S, m, c, clen);
-
- /* Re-initialize the key schedule with the key and no nonce. Associated
- * data processing varies the nonce from block to block */
- romulus3_init(&ks, k, 0);
-
- /* Process the associated data */
- memset(S, 0, sizeof(S));
- romulus_m3_process_ad(&ks, S, npub, ad, adlen, m, clen);
-
- /* Check the authentication tag */
- romulus_generate_tag(S, S);
- return aead_check_tag(m, clen, S, c + clen, ROMULUS_TAG_SIZE);
-}
diff --git a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/romulus.h b/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/romulus.h
deleted file mode 100644
index e6da29d..0000000
--- a/romulus/Implementations/crypto_aead/romulusn3v1/rhys-avr/romulus.h
+++ /dev/null
@@ -1,476 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_ROMULUS_H
-#define LWCRYPTO_ROMULUS_H
-
-#include "aead-common.h"
-
-/**
- * \file romulus.h
- * \brief Romulus authenticated encryption algorithm family.
- *
- * Romulus is a family of authenticated encryption algorithms that
- * are built around the SKINNY-128 tweakable block cipher. There
- * are six members in the family:
- *
- * \li Romulus-N1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher. This is the
- * primary member of the family.
- * \li Romulus-N2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li Romulus-N3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- * \li Romulus-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li Romulus-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li Romulus-M3 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- *
- * The Romulus-M variants are resistant to nonce reuse as long as the
- * combination of the associated data and plaintext is unique. If the
- * same associated data and plaintext are reused under the same nonce,
- * then the scheme will leak that the same plaintext has been sent for a
- * second time but will not reveal the plaintext itself.
- *
- * References: https://romulusae.github.io/romulus/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for all Romulus family members.
- */
-#define ROMULUS_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for all Romulus family members.
- */
-#define ROMULUS_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for Romulus-N1 and Romulus-M1.
- */
-#define ROMULUS1_NONCE_SIZE 16
-
-/**
- * \brief Size of the nonce for Romulus-N2 and Romulus-M2.
- */
-#define ROMULUS2_NONCE_SIZE 12
-
-/**
- * \brief Size of the nonce for Romulus-N3 and Romulus-M3.
- */
-#define ROMULUS3_NONCE_SIZE 12
-
-/**
- * \brief Meta-information block for the Romulus-N1 cipher.
- */
-extern aead_cipher_t const romulus_n1_cipher;
-
-/**
- * \brief Meta-information block for the Romulus-N2 cipher.
- */
-extern aead_cipher_t const romulus_n2_cipher;
-
-/**
- * \brief Meta-information block for the Romulus-N3 cipher.
- */
-extern aead_cipher_t const romulus_n3_cipher;
-
-/**
- * \brief Meta-information block for the Romulus-M1 cipher.
- */
-extern aead_cipher_t const romulus_m1_cipher;
-
-/**
- * \brief Meta-information block for the Romulus-M2 cipher.
- */
-extern aead_cipher_t const romulus_m2_cipher;
-
-/**
- * \brief Meta-information block for the Romulus-M3 cipher.
- */
-extern aead_cipher_t const romulus_m3_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with Romulus-N1.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa romulus_n1_aead_decrypt()
- */
-int romulus_n1_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Romulus-N1.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa romulus_n1_aead_encrypt()
- */
-int romulus_n1_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Romulus-N2.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa romulus_n2_aead_decrypt()
- */
-int romulus_n2_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Romulus-N2.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa romulus_n2_aead_encrypt()
- */
-int romulus_n2_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Romulus-N3.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa romulus_n3_aead_decrypt()
- */
-int romulus_n3_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Romulus-N3.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa romulus_n3_aead_encrypt()
- */
-int romulus_n3_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Romulus-M1.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa romulus_m1_aead_decrypt()
- */
-int romulus_m1_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Romulus-M1.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa romulus_m1_aead_encrypt()
- */
-int romulus_m1_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Romulus-M2.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa romulus_m2_aead_decrypt()
- */
-int romulus_m2_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Romulus-M2.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa romulus_m2_aead_encrypt()
- */
-int romulus_m2_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Romulus-M3.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa romulus_m3_aead_decrypt()
- */
-int romulus_m3_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Romulus-M3.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa romulus_m3_aead_encrypt()
- */
-int romulus_m3_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/aead-common.c b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/aead-common.h b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/api.h b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/api.h
deleted file mode 100644
index 75fabd7..0000000
--- a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 32
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 32
-#define CRYPTO_NOOVERLAP 1
diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/encrypt.c b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/encrypt.c
deleted file mode 100644
index 9ce5559..0000000
--- a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "saturnin.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return saturnin_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return saturnin_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/internal-util.h b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/saturnin.c b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/saturnin.c deleted file mode 100644 index 734fc69..0000000 --- a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/saturnin.c +++ /dev/null 
@@ -1,781 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "saturnin.h" -#include "internal-util.h" -#include - -aead_cipher_t const saturnin_cipher = { - "SATURNIN-CTR-Cascade", - SATURNIN_KEY_SIZE, - SATURNIN_NONCE_SIZE, - SATURNIN_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - saturnin_aead_encrypt, - saturnin_aead_decrypt -}; - -aead_cipher_t const saturnin_short_cipher = { - "SATURNIN-Short", - SATURNIN_KEY_SIZE, - SATURNIN_NONCE_SIZE, - SATURNIN_TAG_SIZE, - AEAD_FLAG_NONE, - saturnin_short_aead_encrypt, - saturnin_short_aead_decrypt -}; - -aead_hash_algorithm_t const saturnin_hash_algorithm = { - "SATURNIN-Hash", - sizeof(saturnin_hash_state_t), - SATURNIN_HASH_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - saturnin_hash, - (aead_hash_init_t)saturnin_hash_init, - (aead_hash_update_t)saturnin_hash_update, - (aead_hash_finalize_t)saturnin_hash_finalize, - 0, /* absorb */ - 0 /* squeeze */ -}; - -/* Round constant tables for various combinations of rounds and domain_sep */ -static uint32_t const RC_10_1[] = { - 0x4eb026c2, 0x90595303, 0xaa8fe632, 0xfe928a92, 0x4115a419, - 0x93539532, 0x5db1cc4e, 0x541515ca, 0xbd1f55a8, 0x5a6e1a0d -}; -static uint32_t const RC_10_2[] = { - 0x4e4526b5, 0xa3565ff0, 0x0f8f20d8, 0x0b54bee1, 0x7d1a6c9d, - 0x17a6280a, 0xaa46c986, 0xc1199062, 0x182c5cde, 0xa00d53fe -}; -static uint32_t const RC_10_3[] = { - 0x4e162698, 0xb2535ba1, 0x6c8f9d65, 0x5816ad30, 0x691fd4fa, - 0x6bf5bcf9, 0xf8eb3525, 0xb21decfa, 0x7b3da417, 0xf62c94b4 -}; -static uint32_t const RC_10_4[] = { - 0x4faf265b, 0xc5484616, 0x45dcad21, 0xe08bd607, 0x0504fdb8, - 0x1e1f5257, 0x45fbc216, 0xeb529b1f, 0x52194e32, 0x5498c018 -}; -static uint32_t const RC_10_5[] = { - 0x4ffc2676, 0xd44d4247, 0x26dc109c, 0xb3c9c5d6, 0x110145df, - 0x624cc6a4, 0x17563eb5, 0x9856e787, 0x3108b6fb, 0x02b90752 -}; -static uint32_t const RC_10_6[] = { - 0x4f092601, 0xe7424eb4, 0x83dcd676, 0x460ff1a5, 0x2d0e8d5b, - 0xe6b97b9c, 0xe0a13b7d, 0x0d5a622f, 0x943bbf8d, 0xf8da4ea1 -}; -static uint32_t const RC_16_7[] = { - 0x3fba180c, 0x563ab9ab, 0x125ea5ef, 0x859da26c, 
0xb8cf779b, - 0x7d4de793, 0x07efb49f, 0x8d525306, 0x1e08e6ab, 0x41729f87, - 0x8c4aef0a, 0x4aa0c9a7, 0xd93a95ef, 0xbb00d2af, 0xb62c5bf0, - 0x386d94d8 -}; -static uint32_t const RC_16_8[] = { - 0x3c9b19a7, 0xa9098694, 0x23f878da, 0xa7b647d3, 0x74fc9d78, - 0xeacaae11, 0x2f31a677, 0x4cc8c054, 0x2f51ca05, 0x5268f195, - 0x4f5b8a2b, 0xf614b4ac, 0xf1d95401, 0x764d2568, 0x6a493611, - 0x8eef9c3e -}; - -/* Rotate the 4-bit nibbles within a 16-bit word left */ -#define leftRotate4_N(a, mask1, bits1, mask2, bits2) \ - do { \ - uint32_t _temp = (a); \ - (a) = ((_temp & (mask1)) << (bits1)) | \ - ((_temp & ((mask1) ^ (uint32_t)0xFFFFU)) >> (4 - (bits1))) | \ - ((_temp & (((uint32_t)(mask2)) << 16)) << (bits2)) | \ - ((_temp & (((uint32_t)((mask2)) << 16) ^ 0xFFFF0000U)) >> (4 - (bits2))); \ - } while (0) - -/* Rotate 16-bit subwords left */ -#define leftRotate16_N(a, mask1, bits1, mask2, bits2) \ - do { \ - uint32_t _temp = (a); \ - (a) = ((_temp & (mask1)) << (bits1)) | \ - ((_temp & ((mask1) ^ (uint32_t)0xFFFFU)) >> (16 - (bits1))) | \ - ((_temp & (((uint32_t)(mask2)) << 16)) << (bits2)) | \ - ((_temp & (((uint32_t)((mask2)) << 16) ^ 0xFFFF0000U)) >> (16 - (bits2))); \ - } while (0) - -/* XOR the SATURNIN state with the key */ -#define saturnin_xor_key() \ - do { \ - for (index = 0; index < 8; ++index) \ - S[index] ^= K[index]; \ - } while (0) - -/* XOR the SATURNIN state with a rotated version of the key */ -#define saturnin_xor_key_rotated() \ - do { \ - for (index = 0; index < 8; ++index) \ - S[index] ^= K[index + 8]; \ - } while (0) - -/* Apply an SBOX layer for SATURNIN - definition from the specification */ -#define S_LAYER(a, b, c, d) \ - do { \ - (a) ^= (b) & (c); \ - (b) ^= (a) | (d); \ - (d) ^= (b) | (c); \ - (c) ^= (b) & (d); \ - (b) ^= (a) | (c); \ - (a) ^= (b) | (d); \ - } while (0) - -/* Apply an SBOX layer for SATURNIN in reverse */ -#define S_LAYER_INVERSE(a, b, c, d) \ - do { \ - (a) ^= (b) | (d); \ - (b) ^= (a) | (c); \ - (c) ^= (b) & (d); \ - (d) ^= (b) | 
(c); \ - (b) ^= (a) | (d); \ - (a) ^= (b) & (c); \ - } while (0) - -/** - * \brief Applies the SBOX to the SATURNIN state. - * - * \param S The state. - */ -static void saturnin_sbox(uint32_t S[8]) -{ - uint32_t a, b, c, d; - - /* PI_0 on the first half of the state */ - a = S[0]; b = S[1]; c = S[2]; d = S[3]; - S_LAYER(a, b, c, d); - S[0] = b; S[1] = c; S[2] = d; S[3] = a; - - /* PI_1 on the second half of the state */ - a = S[4]; b = S[5]; c = S[6]; d = S[7]; - S_LAYER(a, b, c, d); - S[4] = d; S[5] = b; S[6] = a; S[7] = c; -} - -/** - * \brief Applies the inverse of the SBOX to the SATURNIN state. - * - * \param S The state. - */ -static void saturnin_sbox_inverse(uint32_t S[8]) -{ - uint32_t a, b, c, d; - - /* PI_0 on the first half of the state */ - b = S[0]; c = S[1]; d = S[2]; a = S[3]; - S_LAYER_INVERSE(a, b, c, d); - S[0] = a; S[1] = b; S[2] = c; S[3] = d; - - /* PI_1 on the second half of the state */ - d = S[4]; b = S[5]; a = S[6]; c = S[7]; - S_LAYER_INVERSE(a, b, c, d); - S[4] = a; S[5] = b; S[6] = c; S[7] = d; -} - -/** - * \brief Applies the MDS matrix to the SATURNIN state. - * - * \param S The state. 
- */ -static void saturnin_mds(uint32_t S[8]) -{ - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t tmp; - - /* Load the state into temporary working variables */ - x0 = S[0]; x1 = S[1]; x2 = S[2]; x3 = S[3]; - x4 = S[4]; x5 = S[5]; x6 = S[6]; x7 = S[7]; - - /* Apply the MDS matrix to the state */ - #define SWAP(a) (((a) << 16) | ((a) >> 16)) - #define MUL(x0, x1, x2, x3, tmp) \ - do { \ - tmp = x0; x0 = x1; x1 = x2; x2 = x3; x3 = tmp ^ x0; \ - } while (0) - x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; - MUL(x4, x5, x6, x7, tmp); - x4 ^= SWAP(x0); x5 ^= SWAP(x1); - x6 ^= SWAP(x2); x7 ^= SWAP(x3); - MUL(x0, x1, x2, x3, tmp); - MUL(x0, x1, x2, x3, tmp); - x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; - x4 ^= SWAP(x0); x5 ^= SWAP(x1); - x6 ^= SWAP(x2); x7 ^= SWAP(x3); - - /* Store the temporary working variables back into the state */ - S[0] = x0; S[1] = x1; S[2] = x2; S[3] = x3; - S[4] = x4; S[5] = x5; S[6] = x6; S[7] = x7; -} - -/** - * \brief Applies the inverse of the MDS matrix to the SATURNIN state. - * - * \param S The state. 
- */ -static void saturnin_mds_inverse(uint32_t S[8]) -{ - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t tmp; - - /* Load the state into temporary working variables */ - x0 = S[0]; x1 = S[1]; x2 = S[2]; x3 = S[3]; - x4 = S[4]; x5 = S[5]; x6 = S[6]; x7 = S[7]; - - /* Apply the inverse of the MDS matrix to the state */ - #define MULINV(x0, x1, x2, x3, tmp) \ - do { \ - tmp = x3; x3 = x2; x2 = x1; x1 = x0; x0 = x1 ^ tmp; \ - } while (0) - x6 ^= SWAP(x2); x7 ^= SWAP(x3); - x4 ^= SWAP(x0); x5 ^= SWAP(x1); - x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; - MULINV(x0, x1, x2, x3, tmp); - MULINV(x0, x1, x2, x3, tmp); - x6 ^= SWAP(x2); x7 ^= SWAP(x3); - x4 ^= SWAP(x0); x5 ^= SWAP(x1); - MULINV(x4, x5, x6, x7, tmp); - x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; - - /* Store the temporary working variables back into the state */ - S[0] = x0; S[1] = x1; S[2] = x2; S[3] = x3; - S[4] = x4; S[5] = x5; S[6] = x6; S[7] = x7; -} - -/** - * \brief Applies the slice permutation to the SATURNIN state. - * - * \param S The state. - */ -static void saturnin_slice(uint32_t S[8]) -{ - leftRotate4_N(S[0], 0xFFFFU, 0, 0x3333, 2); - leftRotate4_N(S[1], 0xFFFFU, 0, 0x3333, 2); - leftRotate4_N(S[2], 0xFFFFU, 0, 0x3333, 2); - leftRotate4_N(S[3], 0xFFFFU, 0, 0x3333, 2); - - leftRotate4_N(S[4], 0x7777U, 1, 0x1111, 3); - leftRotate4_N(S[5], 0x7777U, 1, 0x1111, 3); - leftRotate4_N(S[6], 0x7777U, 1, 0x1111, 3); - leftRotate4_N(S[7], 0x7777U, 1, 0x1111, 3); -} - -/** - * \brief Applies the inverse of the slice permutation to the SATURNIN state. - * - * \param S The state. 
- */ -static void saturnin_slice_inverse(uint32_t S[8]) -{ - leftRotate4_N(S[0], 0xFFFFU, 0, 0x3333, 2); - leftRotate4_N(S[1], 0xFFFFU, 0, 0x3333, 2); - leftRotate4_N(S[2], 0xFFFFU, 0, 0x3333, 2); - leftRotate4_N(S[3], 0xFFFFU, 0, 0x3333, 2); - - leftRotate4_N(S[4], 0x1111U, 3, 0x7777, 1); - leftRotate4_N(S[5], 0x1111U, 3, 0x7777, 1); - leftRotate4_N(S[6], 0x1111U, 3, 0x7777, 1); - leftRotate4_N(S[7], 0x1111U, 3, 0x7777, 1); -} - -/** - * \brief Applies the sheet permutation to the SATURNIN state. - * - * \param S The state. - */ -static void saturnin_sheet(uint32_t S[8]) -{ - leftRotate16_N(S[0], 0xFFFFU, 0, 0x00FF, 8); - leftRotate16_N(S[1], 0xFFFFU, 0, 0x00FF, 8); - leftRotate16_N(S[2], 0xFFFFU, 0, 0x00FF, 8); - leftRotate16_N(S[3], 0xFFFFU, 0, 0x00FF, 8); - - leftRotate16_N(S[4], 0x0FFFU, 4, 0x000F, 12); - leftRotate16_N(S[5], 0x0FFFU, 4, 0x000F, 12); - leftRotate16_N(S[6], 0x0FFFU, 4, 0x000F, 12); - leftRotate16_N(S[7], 0x0FFFU, 4, 0x000F, 12); -} - -/** - * \brief Applies the inverse of the sheet permutation to the SATURNIN state. - * - * \param S The state. - */ -static void saturnin_sheet_inverse(uint32_t S[8]) -{ - leftRotate16_N(S[0], 0xFFFFU, 0, 0x00FF, 8); - leftRotate16_N(S[1], 0xFFFFU, 0, 0x00FF, 8); - leftRotate16_N(S[2], 0xFFFFU, 0, 0x00FF, 8); - leftRotate16_N(S[3], 0xFFFFU, 0, 0x00FF, 8); - - leftRotate16_N(S[4], 0x000FU, 12, 0x0FFF, 4); - leftRotate16_N(S[5], 0x000FU, 12, 0x0FFF, 4); - leftRotate16_N(S[6], 0x000FU, 12, 0x0FFF, 4); - leftRotate16_N(S[7], 0x000FU, 12, 0x0FFF, 4); -} - -/** - * \brief Encrypts a 256-bit block with the SATURNIN block cipher. - * - * \param output Ciphertext output block, 32 bytes. - * \param input Plaintext input block, 32 bytes. - * \param key Points to the 32 byte key for the block cipher. - * \param rounds Number of rounds to perform. - * \param RC Round constants to use for domain separation. - * - * The \a input and \a output buffers can be the same. 
- * - * \sa saturnin_block_decrypt() - */ -static void saturnin_block_encrypt - (unsigned char *output, const unsigned char *input, - const unsigned char *key, unsigned rounds, const uint32_t *RC) -{ - uint32_t K[16]; - uint32_t S[8]; - uint32_t temp; - unsigned index; - - /* Unpack the key and the input block */ - for (index = 0; index < 16; index += 2) { - temp = ((uint32_t)(key[index])) | - (((uint32_t)(key[index + 1])) << 8) | - (((uint32_t)(key[index + 16])) << 16) | - (((uint32_t)(key[index + 17])) << 24); - K[index / 2] = temp; - K[8 + (index / 2)] = ((temp & 0x001F001FU) << 11) | - ((temp >> 5) & 0x07FF07FFU); - S[index / 2] = ((uint32_t)(input[index])) | - (((uint32_t)(input[index + 1])) << 8) | - (((uint32_t)(input[index + 16])) << 16) | - (((uint32_t)(input[index + 17])) << 24); - } - - /* XOR the key into the state */ - saturnin_xor_key(); - - /* Perform all encryption rounds */ - for (; rounds > 0; rounds -= 2, RC += 2) { - saturnin_sbox(S); - saturnin_mds(S); - saturnin_sbox(S); - saturnin_slice(S); - saturnin_mds(S); - saturnin_slice_inverse(S); - S[0] ^= RC[0]; - saturnin_xor_key_rotated(); - - saturnin_sbox(S); - saturnin_mds(S); - saturnin_sbox(S); - saturnin_sheet(S); - saturnin_mds(S); - saturnin_sheet_inverse(S); - S[0] ^= RC[1]; - saturnin_xor_key(); - } - - /* Encode the state into the output block */ - for (index = 0; index < 16; index += 2) { - temp = S[index / 2]; - output[index] = (uint8_t)temp; - output[index + 1] = (uint8_t)(temp >> 8); - output[index + 16] = (uint8_t)(temp >> 16); - output[index + 17] = (uint8_t)(temp >> 24); - } -} - -/** - * \brief Decrypts a 256-bit block with the SATURNIN block cipher. - * - * \param output Plaintext output block, 32 bytes. - * \param input Ciphertext input block, 32 bytes. - * \param key Points to the 32 byte key for the block cipher. - * \param rounds Number of rounds to perform. - * \param RC Round constants to use for domain separation. 
- * - * The \a input and \a output buffers can be the same. - * - * \sa saturnin_block_encrypt() - */ -static void saturnin_block_decrypt - (unsigned char *output, const unsigned char *input, - const unsigned char *key, unsigned rounds, const uint32_t *RC) -{ - uint32_t K[16]; - uint32_t S[8]; - uint32_t temp; - unsigned index; - - /* Unpack the key and the input block */ - for (index = 0; index < 16; index += 2) { - temp = ((uint32_t)(key[index])) | - (((uint32_t)(key[index + 1])) << 8) | - (((uint32_t)(key[index + 16])) << 16) | - (((uint32_t)(key[index + 17])) << 24); - K[index / 2] = temp; - K[8 + (index / 2)] = ((temp & 0x001F001FU) << 11) | - ((temp >> 5) & 0x07FF07FFU); - S[index / 2] = ((uint32_t)(input[index])) | - (((uint32_t)(input[index + 1])) << 8) | - (((uint32_t)(input[index + 16])) << 16) | - (((uint32_t)(input[index + 17])) << 24); - } - - /* Perform all decryption rounds */ - RC += rounds - 2; - for (; rounds > 0; rounds -= 2, RC -= 2) { - saturnin_xor_key(); - S[0] ^= RC[1]; - saturnin_sheet(S); - saturnin_mds_inverse(S); - saturnin_sheet_inverse(S); - saturnin_sbox_inverse(S); - saturnin_mds_inverse(S); - saturnin_sbox_inverse(S); - - saturnin_xor_key_rotated(); - S[0] ^= RC[0]; - saturnin_slice(S); - saturnin_mds_inverse(S); - saturnin_slice_inverse(S); - saturnin_sbox_inverse(S); - saturnin_mds_inverse(S); - saturnin_sbox_inverse(S); - } - - /* XOR the key into the state */ - saturnin_xor_key(); - - /* Encode the state into the output block */ - for (index = 0; index < 16; index += 2) { - temp = S[index / 2]; - output[index] = (uint8_t)temp; - output[index + 1] = (uint8_t)(temp >> 8); - output[index + 16] = (uint8_t)(temp >> 16); - output[index + 17] = (uint8_t)(temp >> 24); - } -} - -/** - * \brief Encrypts a 256-bit block with the SATURNIN block cipher and - * then XOR's itself to generate a new key. - * - * \param block Block to be encrypted and then XOR'ed with itself. - * \param key Points to the 32 byte key for the block cipher. 
- * \param rounds Number of rounds to perform. - * \param RC Round constants to use for domain separation. - */ -void saturnin_block_encrypt_xor - (const unsigned char *block, unsigned char *key, - unsigned rounds, const uint32_t *RC) -{ - unsigned char temp[32]; - saturnin_block_encrypt(temp, block, key, rounds, RC); - lw_xor_block_2_src(key, block, temp, 32); -} - -/** - * \brief Encrypts (or decrypts) a data packet in CTR mode. - * - * \param c Output ciphertext buffer. - * \param m Input plaintext buffer. - * \param mlen Length of the plaintext in bytes. - * \param k Points to the 32-byte key. - * \param block Points to the pre-formatted nonce block. - */ -static void saturnin_ctr_encrypt - (unsigned char *c, const unsigned char *m, unsigned long long mlen, - const unsigned char *k, unsigned char *block) -{ - /* Note: Specification requires a 95-bit counter but we only use 32-bit. - * This limits the maximum packet size to 128Gb. That should be OK */ - uint32_t counter = 1; - unsigned char out[32]; - while (mlen >= 32) { - be_store_word32(block + 28, counter); - saturnin_block_encrypt(out, block, k, 10, RC_10_1); - lw_xor_block_2_src(c, out, m, 32); - c += 32; - m += 32; - mlen -= 32; - ++counter; - } - if (mlen > 0) { - be_store_word32(block + 28, counter); - saturnin_block_encrypt(out, block, k, 10, RC_10_1); - lw_xor_block_2_src(c, out, m, (unsigned)mlen); - } -} - -/** - * \brief Pads an authenticates a message. - * - * \param tag Points to the authentication tag. - * \param block Temporary block of 32 bytes from the caller. - * \param m Points to the message to be authenticated. - * \param mlen Length of the message to be authenticated in bytes. - * \param rounds Number of rounds to perform. - * \param RC1 Round constants to use for domain separation on full blocks. - * \param RC2 Round constants to use for domain separation on the last block. 
- */ -static void saturnin_authenticate - (unsigned char *tag, unsigned char *block, - const unsigned char *m, unsigned long long mlen, - unsigned rounds, const uint32_t *RC1, const uint32_t *RC2) -{ - unsigned temp; - while (mlen >= 32) { - saturnin_block_encrypt_xor(m, tag, rounds, RC1); - m += 32; - mlen -= 32; - } - temp = (unsigned)mlen; - memcpy(block, m, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, 31 - temp); - saturnin_block_encrypt_xor(block, tag, rounds, RC2); -} - -int saturnin_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char block[32]; - unsigned char *tag; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SATURNIN_TAG_SIZE; - - /* Format the input block from the padded nonce */ - memcpy(block, npub, 16); - block[16] = 0x80; - memset(block + 17, 0, 15); - - /* Encrypt the plaintext in counter mode to produce the ciphertext */ - saturnin_ctr_encrypt(c, m, mlen, k, block); - - /* Set the counter back to zero and then encrypt the nonce */ - tag = c + mlen; - memcpy(tag, k, 32); - memset(block + 17, 0, 15); - saturnin_block_encrypt_xor(block, tag, 10, RC_10_2); - - /* Authenticate the associated data and the ciphertext */ - saturnin_authenticate(tag, block, ad, adlen, 10, RC_10_2, RC_10_3); - saturnin_authenticate(tag, block, c, mlen, 10, RC_10_4, RC_10_5); - return 0; -} - -int saturnin_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char block[32]; - unsigned char tag[32]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SATURNIN_TAG_SIZE) 
- return -1; - *mlen = clen - SATURNIN_TAG_SIZE; - - /* Format the input block from the padded nonce */ - memcpy(block, npub, 16); - block[16] = 0x80; - memset(block + 17, 0, 15); - - /* Encrypt the nonce to initialize the authentication phase */ - memcpy(tag, k, 32); - saturnin_block_encrypt_xor(block, tag, 10, RC_10_2); - - /* Authenticate the associated data and the ciphertext */ - saturnin_authenticate(tag, block, ad, adlen, 10, RC_10_2, RC_10_3); - saturnin_authenticate(tag, block, c, *mlen, 10, RC_10_4, RC_10_5); - - /* Decrypt the ciphertext in counter mode to produce the plaintext */ - memcpy(block, npub, 16); - block[16] = 0x80; - memset(block + 17, 0, 15); - saturnin_ctr_encrypt(m, c, *mlen, k, block); - - /* Check the authentication tag at the end of the message */ - return aead_check_tag - (m, *mlen, tag, c + *mlen, SATURNIN_TAG_SIZE); -} - -int saturnin_short_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char block[32]; - unsigned temp; - (void)nsec; - (void)ad; - - /* Validate the parameters: no associated data allowed and m <= 15 bytes */ - if (adlen > 0 || mlen > 15) - return -2; - - /* Format the input block from the nonce and plaintext */ - temp = (unsigned)mlen; - memcpy(block, npub, 16); - memcpy(block + 16, m, temp); - block[16 + temp] = 0x80; /* Padding */ - memset(block + 17 + temp, 0, 15 - temp); - - /* Encrypt the input block to produce the output ciphertext */ - saturnin_block_encrypt(c, block, k, 10, RC_10_6); - *clen = 32; - return 0; -} - -int saturnin_short_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char block[32]; 
- unsigned check1, check2, len; - int index, result; - (void)nsec; - (void)ad; - - /* Validate the parameters: no associated data and c is always 32 bytes */ - if (adlen > 0) - return -2; - if (clen != 32) - return -1; - - /* Decrypt the ciphertext block */ - saturnin_block_decrypt(block, c, k, 10, RC_10_6); - - /* Verify that the output block starts with the nonce and that it is - * padded correctly. We need to do this very carefully to avoid leaking - * any information that could be used in a padding oracle attack. Use the - * same algorithm as the reference implementation of SATURNIN-Short */ - check1 = 0; - for (index = 0; index < 16; ++index) - check1 |= npub[index] ^ block[index]; - check2 = 0xFF; - len = 0; - for (index = 15; index >= 0; --index) { - unsigned temp = block[16 + index]; - unsigned temp2 = check2 & -(1 - (((temp ^ 0x80) + 0xFF) >> 8)); - len |= temp2 & (unsigned)index; - check2 &= ~temp2; - check1 |= check2 & ((temp + 0xFF) >> 8); - } - check1 |= check2; - - /* At this point, check1 is zero if the nonce and plaintext are good, - * or non-zero if there was an error in the decrypted data */ - result = (((int)check1) - 1) >> 8; - - /* The "result" is -1 if the data is good or zero if the data is invalid. - * Copy either the plaintext or zeroes to the output buffer. We assume - * that the output buffer has space for up to 15 bytes. 
This may return - * some of the padding to the caller but as long as they restrict - * themselves to the first *mlen bytes then it shouldn't be a problem */ - for (index = 0; index < 15; ++index) - m[index] = block[16 + index] & result; - *mlen = len; - return ~result; -} - -int saturnin_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - unsigned char tag[32]; - unsigned char block[32]; - memset(tag, 0, sizeof(tag)); - saturnin_authenticate(tag, block, in, inlen, 16, RC_16_7, RC_16_8); - memcpy(out, tag, 32); - return 0; -} - -void saturnin_hash_init(saturnin_hash_state_t *state) -{ - memset(state, 0, sizeof(saturnin_hash_state_t)); -} - -void saturnin_hash_update - (saturnin_hash_state_t *state, const unsigned char *in, - unsigned long long inlen) -{ - unsigned temp; - - /* Handle the partial left-over block from last time */ - if (state->s.count) { - temp = 32 - state->s.count; - if (temp > inlen) { - temp = (unsigned)inlen; - memcpy(state->s.block + state->s.count, in, temp); - state->s.count += temp; - return; - } - memcpy(state->s.block + state->s.count, in, temp); - state->s.count = 0; - in += temp; - inlen -= temp; - saturnin_block_encrypt_xor(state->s.block, state->s.hash, 16, RC_16_7); - } - - /* Process full blocks that are aligned at state->s.count == 0 */ - while (inlen >= 32) { - saturnin_block_encrypt_xor(in, state->s.hash, 16, RC_16_7); - in += 32; - inlen -= 32; - } - - /* Process the left-over block at the end of the input */ - temp = (unsigned)inlen; - memcpy(state->s.block, in, temp); - state->s.count = temp; -} - -void saturnin_hash_finalize - (saturnin_hash_state_t *state, unsigned char *out) -{ - /* Pad the final block */ - state->s.block[state->s.count] = 0x80; - memset(state->s.block + state->s.count + 1, 0, 31 - state->s.count); - - /* Generate the final hash value */ - saturnin_block_encrypt_xor(state->s.block, state->s.hash, 16, RC_16_8); - memcpy(out, state->s.hash, 32); -} 
diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/saturnin.h b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/saturnin.h
deleted file mode 100644
index 873d950..0000000
--- a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys-avr/saturnin.h
+++ /dev/null
@@ -1,270 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SATURNIN_H -#define LWCRYPTO_SATURNIN_H - -#include "aead-common.h" - -/** - * \file saturnin.h - * \brief Saturnin authenticated encryption algorithm. - * - * The Saturnin family consists of two members: SATURNIN-CTR-Cascade and - * SATURNIN-Short. Both take a 256-bit key and a 128-bit nonce. - * Internally they use a 256-bit block cipher similar in construction to AES. - * - * SATURNIN-Short does not support associated data or plaintext packets - * with more than 15 bytes. This makes it very efficient on short packets - * with only a single block operation involved. - * - * This implementation of SATURNIN-Short will return an error if the - * caller supplies associated data or more than 15 bytes of plaintext. 
- * - * References: https://project.inria.fr/saturnin/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for all SATURNIN family members. - */ -#define SATURNIN_KEY_SIZE 32 - -/** - * \brief Size of the authentication tag for SATURNIN-CTR-Cascade or the - * total size of the ciphertext for SATURNIN-Short. - */ -#define SATURNIN_TAG_SIZE 32 - -/** - * \brief Size of the nonce for all SATURNIN family members. - */ -#define SATURNIN_NONCE_SIZE 16 - -/** - * \brief Size of the hash for SATURNIN-Hash. - */ -#define SATURNIN_HASH_SIZE 32 - -/** - * \brief State information for SATURNIN-Hash incremental modes. - */ -typedef union -{ - struct { - unsigned char hash[32]; /**< Current hash state */ - unsigned char block[32]; /**< Left-over block data from last update */ - unsigned char count; /**< Number of bytes in the current block */ - unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */ - } s; /**< State */ - unsigned long long align; /**< For alignment of this structure */ - -} saturnin_hash_state_t; - -/** - * \brief Meta-information block for the SATURNIN-CTR-Cascade cipher. - */ -extern aead_cipher_t const saturnin_cipher; - -/** - * \brief Meta-information block for the SATURNIN-Short cipher. - */ -extern aead_cipher_t const saturnin_short_cipher; - -/** - * \brief Meta-information block for SATURNIN-Hash. - */ -extern aead_hash_algorithm_t const saturnin_hash_algorithm; - -/** - * \brief Encrypts and authenticates a packet with SATURNIN-CTR-Cascade. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 32 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa saturnin_aead_decrypt() - */ -int saturnin_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SATURNIN-CTR-Cascade. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 32 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa saturnin_aead_encrypt() - */ -int saturnin_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SATURNIN-Short. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which is always 32. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes, which must be - * less than or equal to 15 bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes, which must be zero. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or -2 if the caller supplied too many bytes of - * plaintext or they supplied associated data. - * - * \sa saturnin_short_aead_decrypt() - */ -int saturnin_short_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SATURNIN-Short. - * - * \param m Buffer to receive the plaintext message on output. There must - * be at least 15 bytes of space in this buffer even if the caller expects - * to receive less data than that. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. 
- * \param c Buffer that contains the ciphertext to decrypt. - * \param clen Length of the input data in bytes, which must be 32. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes, which must be zero. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or -2 if the caller supplied associated data. - * - * \sa saturnin_short_aead_encrypt() - */ -int saturnin_short_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data with SATURNIN to generate a hash value. - * - * \param out Buffer to receive the hash output which must be at least - * SATURNIN_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int saturnin_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for an SATURNIN-Hash hashing operation. - * - * \param state Hash state to be initialized. - * - * \sa saturnin_hash_update(), saturnin_hash_finalize(), saturnin_hash() - */ -void saturnin_hash_init(saturnin_hash_state_t *state); - -/** - * \brief Updates an SATURNIN-Hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. 
- * - * \sa saturnin_hash_init(), saturnin_hash_finalize() - */ -void saturnin_hash_update - (saturnin_hash_state_t *state, const unsigned char *in, - unsigned long long inlen); - -/** - * \brief Returns the final hash value from an SATURNIN-Hash hashing operation. - * - * \param state Hash state to be finalized. - * \param out Points to the output buffer to receive the 32-byte hash value. - * - * \sa saturnin_hash_init(), saturnin_hash_update() - */ -void saturnin_hash_finalize - (saturnin_hash_state_t *state, unsigned char *out); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/internal-util.h b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/internal-util.h index e79158c..e30166d 100644 --- a/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/internal-util.h +++ b/saturnin/Implementations/crypto_aead/saturninctrcascadev2/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
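Review bot: The new `LW_CRYPTO_ROTATE32_COMPOSED` selector in the `@@ -238,6 +238,17 @@` hunk is documented only by the rotation-cost remark above it; nothing states that it chooses between two alternative definitions of leftRotateN()/rightRotateN() further down the header (the `#if !LW_CRYPTO_ROTATE32_COMPOSED` opened in the `@@ -254,6 +265,8 @@` hunk is closed outside this chunk), nor that both branches must define the same complete set of macros, since a rotation count present in one branch but missing from the other only fails when someone builds for the other target. I would add, next to the `#if defined(__AVR__)` block, `/* 1: compose leftRotateN()/rightRotateN() from 1-bit and 8-bit rotates (no barrel shifter); 0: use the generic shift-based macros. Both branches below must define the same macro set. */`. It is also worth recording in that comment that the composed forms stay branch-free and data-independent because every step is still the generic shift/or macro, so the rotations' constant-time behaviour on AVR appears unchanged — confirm against the generated AVR code. Consider wrapping the selector in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` so other barrel-shifter-less targets can opt in from the build without editing the header.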
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 
15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/aead-common.c b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
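Review bot: Every composed macro here nests the generic `leftRotate`/`rightRotate` statement expressions up to five deep (`leftRotate20`, `leftRotate12`, `leftRotate28`), and each level declares its own `uint32_t _temp`, so the inner declarations shadow the outer ones; a translation unit built with `-Wshadow` will most likely get a warning at every use of these macros, which is noisy for a header included by every cipher in the collection. That is a consequence of the design rather than a bug, but it should be recorded next to the `/* Composed rotation macros ... */` comment, e.g. `/* Nested expansions re-declare _temp in inner scopes; -Wshadow noise is expected here */`, so the next maintainer does not "fix" it by renaming one level and breaking the pairing. If the warnings matter in practice, the alternative is a `static inline` rotate-by-1 helper that the multi-step forms call instead of re-expanding the statement expression, which the compiler can still inline.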
--- a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/aead-common.h b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/api.h b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/api.h deleted file mode 100644 index 75fabd7..0000000 --- a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 32 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 32 -#define CRYPTO_NOOVERLAP 1 diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/encrypt.c b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/encrypt.c deleted file mode 100644 index 29d7d06..0000000 --- a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@ - -#include "saturnin.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return saturnin_short_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return saturnin_short_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/internal-util.h b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/saturnin.c b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/saturnin.c deleted file mode 100644 index 734fc69..0000000 --- a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/saturnin.c +++ /dev/null 
@@ -1,781 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "saturnin.h" -#include "internal-util.h" -#include - -aead_cipher_t const saturnin_cipher = { - "SATURNIN-CTR-Cascade", - SATURNIN_KEY_SIZE, - SATURNIN_NONCE_SIZE, - SATURNIN_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - saturnin_aead_encrypt, - saturnin_aead_decrypt -}; - -aead_cipher_t const saturnin_short_cipher = { - "SATURNIN-Short", - SATURNIN_KEY_SIZE, - SATURNIN_NONCE_SIZE, - SATURNIN_TAG_SIZE, - AEAD_FLAG_NONE, - saturnin_short_aead_encrypt, - saturnin_short_aead_decrypt -}; - -aead_hash_algorithm_t const saturnin_hash_algorithm = { - "SATURNIN-Hash", - sizeof(saturnin_hash_state_t), - SATURNIN_HASH_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - saturnin_hash, - (aead_hash_init_t)saturnin_hash_init, - (aead_hash_update_t)saturnin_hash_update, - (aead_hash_finalize_t)saturnin_hash_finalize, - 0, /* absorb */ - 0 /* squeeze */ -}; - -/* Round constant tables for various combinations of rounds and domain_sep */ -static uint32_t const RC_10_1[] = { - 0x4eb026c2, 0x90595303, 0xaa8fe632, 0xfe928a92, 0x4115a419, - 0x93539532, 0x5db1cc4e, 0x541515ca, 0xbd1f55a8, 0x5a6e1a0d -}; -static uint32_t const RC_10_2[] = { - 0x4e4526b5, 0xa3565ff0, 0x0f8f20d8, 0x0b54bee1, 0x7d1a6c9d, - 0x17a6280a, 0xaa46c986, 0xc1199062, 0x182c5cde, 0xa00d53fe -}; -static uint32_t const RC_10_3[] = { - 0x4e162698, 0xb2535ba1, 0x6c8f9d65, 0x5816ad30, 0x691fd4fa, - 0x6bf5bcf9, 0xf8eb3525, 0xb21decfa, 0x7b3da417, 0xf62c94b4 -}; -static uint32_t const RC_10_4[] = { - 0x4faf265b, 0xc5484616, 0x45dcad21, 0xe08bd607, 0x0504fdb8, - 0x1e1f5257, 0x45fbc216, 0xeb529b1f, 0x52194e32, 0x5498c018 -}; -static uint32_t const RC_10_5[] = { - 0x4ffc2676, 0xd44d4247, 0x26dc109c, 0xb3c9c5d6, 0x110145df, - 0x624cc6a4, 0x17563eb5, 0x9856e787, 0x3108b6fb, 0x02b90752 -}; -static uint32_t const RC_10_6[] = { - 0x4f092601, 0xe7424eb4, 0x83dcd676, 0x460ff1a5, 0x2d0e8d5b, - 0xe6b97b9c, 0xe0a13b7d, 0x0d5a622f, 0x943bbf8d, 0xf8da4ea1 -}; -static uint32_t const RC_16_7[] = { - 0x3fba180c, 0x563ab9ab, 0x125ea5ef, 0x859da26c, 
0xb8cf779b, - 0x7d4de793, 0x07efb49f, 0x8d525306, 0x1e08e6ab, 0x41729f87, - 0x8c4aef0a, 0x4aa0c9a7, 0xd93a95ef, 0xbb00d2af, 0xb62c5bf0, - 0x386d94d8 -}; -static uint32_t const RC_16_8[] = { - 0x3c9b19a7, 0xa9098694, 0x23f878da, 0xa7b647d3, 0x74fc9d78, - 0xeacaae11, 0x2f31a677, 0x4cc8c054, 0x2f51ca05, 0x5268f195, - 0x4f5b8a2b, 0xf614b4ac, 0xf1d95401, 0x764d2568, 0x6a493611, - 0x8eef9c3e -}; - -/* Rotate the 4-bit nibbles within a 16-bit word left */ -#define leftRotate4_N(a, mask1, bits1, mask2, bits2) \ - do { \ - uint32_t _temp = (a); \ - (a) = ((_temp & (mask1)) << (bits1)) | \ - ((_temp & ((mask1) ^ (uint32_t)0xFFFFU)) >> (4 - (bits1))) | \ - ((_temp & (((uint32_t)(mask2)) << 16)) << (bits2)) | \ - ((_temp & (((uint32_t)((mask2)) << 16) ^ 0xFFFF0000U)) >> (4 - (bits2))); \ - } while (0) - -/* Rotate 16-bit subwords left */ -#define leftRotate16_N(a, mask1, bits1, mask2, bits2) \ - do { \ - uint32_t _temp = (a); \ - (a) = ((_temp & (mask1)) << (bits1)) | \ - ((_temp & ((mask1) ^ (uint32_t)0xFFFFU)) >> (16 - (bits1))) | \ - ((_temp & (((uint32_t)(mask2)) << 16)) << (bits2)) | \ - ((_temp & (((uint32_t)((mask2)) << 16) ^ 0xFFFF0000U)) >> (16 - (bits2))); \ - } while (0) - -/* XOR the SATURNIN state with the key */ -#define saturnin_xor_key() \ - do { \ - for (index = 0; index < 8; ++index) \ - S[index] ^= K[index]; \ - } while (0) - -/* XOR the SATURNIN state with a rotated version of the key */ -#define saturnin_xor_key_rotated() \ - do { \ - for (index = 0; index < 8; ++index) \ - S[index] ^= K[index + 8]; \ - } while (0) - -/* Apply an SBOX layer for SATURNIN - definition from the specification */ -#define S_LAYER(a, b, c, d) \ - do { \ - (a) ^= (b) & (c); \ - (b) ^= (a) | (d); \ - (d) ^= (b) | (c); \ - (c) ^= (b) & (d); \ - (b) ^= (a) | (c); \ - (a) ^= (b) | (d); \ - } while (0) - -/* Apply an SBOX layer for SATURNIN in reverse */ -#define S_LAYER_INVERSE(a, b, c, d) \ - do { \ - (a) ^= (b) | (d); \ - (b) ^= (a) | (c); \ - (c) ^= (b) & (d); \ - (d) ^= (b) | 
(c); \ - (b) ^= (a) | (d); \ - (a) ^= (b) & (c); \ - } while (0) - -/** - * \brief Applies the SBOX to the SATURNIN state. - * - * \param S The state. - */ -static void saturnin_sbox(uint32_t S[8]) -{ - uint32_t a, b, c, d; - - /* PI_0 on the first half of the state */ - a = S[0]; b = S[1]; c = S[2]; d = S[3]; - S_LAYER(a, b, c, d); - S[0] = b; S[1] = c; S[2] = d; S[3] = a; - - /* PI_1 on the second half of the state */ - a = S[4]; b = S[5]; c = S[6]; d = S[7]; - S_LAYER(a, b, c, d); - S[4] = d; S[5] = b; S[6] = a; S[7] = c; -} - -/** - * \brief Applies the inverse of the SBOX to the SATURNIN state. - * - * \param S The state. - */ -static void saturnin_sbox_inverse(uint32_t S[8]) -{ - uint32_t a, b, c, d; - - /* PI_0 on the first half of the state */ - b = S[0]; c = S[1]; d = S[2]; a = S[3]; - S_LAYER_INVERSE(a, b, c, d); - S[0] = a; S[1] = b; S[2] = c; S[3] = d; - - /* PI_1 on the second half of the state */ - d = S[4]; b = S[5]; a = S[6]; c = S[7]; - S_LAYER_INVERSE(a, b, c, d); - S[4] = a; S[5] = b; S[6] = c; S[7] = d; -} - -/** - * \brief Applies the MDS matrix to the SATURNIN state. - * - * \param S The state. 
- */ -static void saturnin_mds(uint32_t S[8]) -{ - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t tmp; - - /* Load the state into temporary working variables */ - x0 = S[0]; x1 = S[1]; x2 = S[2]; x3 = S[3]; - x4 = S[4]; x5 = S[5]; x6 = S[6]; x7 = S[7]; - - /* Apply the MDS matrix to the state */ - #define SWAP(a) (((a) << 16) | ((a) >> 16)) - #define MUL(x0, x1, x2, x3, tmp) \ - do { \ - tmp = x0; x0 = x1; x1 = x2; x2 = x3; x3 = tmp ^ x0; \ - } while (0) - x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; - MUL(x4, x5, x6, x7, tmp); - x4 ^= SWAP(x0); x5 ^= SWAP(x1); - x6 ^= SWAP(x2); x7 ^= SWAP(x3); - MUL(x0, x1, x2, x3, tmp); - MUL(x0, x1, x2, x3, tmp); - x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; - x4 ^= SWAP(x0); x5 ^= SWAP(x1); - x6 ^= SWAP(x2); x7 ^= SWAP(x3); - - /* Store the temporary working variables back into the state */ - S[0] = x0; S[1] = x1; S[2] = x2; S[3] = x3; - S[4] = x4; S[5] = x5; S[6] = x6; S[7] = x7; -} - -/** - * \brief Applies the inverse of the MDS matrix to the SATURNIN state. - * - * \param S The state. 
- */ -static void saturnin_mds_inverse(uint32_t S[8]) -{ - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t tmp; - - /* Load the state into temporary working variables */ - x0 = S[0]; x1 = S[1]; x2 = S[2]; x3 = S[3]; - x4 = S[4]; x5 = S[5]; x6 = S[6]; x7 = S[7]; - - /* Apply the inverse of the MDS matrix to the state */ - #define MULINV(x0, x1, x2, x3, tmp) \ - do { \ - tmp = x3; x3 = x2; x2 = x1; x1 = x0; x0 = x1 ^ tmp; \ - } while (0) - x6 ^= SWAP(x2); x7 ^= SWAP(x3); - x4 ^= SWAP(x0); x5 ^= SWAP(x1); - x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; - MULINV(x0, x1, x2, x3, tmp); - MULINV(x0, x1, x2, x3, tmp); - x6 ^= SWAP(x2); x7 ^= SWAP(x3); - x4 ^= SWAP(x0); x5 ^= SWAP(x1); - MULINV(x4, x5, x6, x7, tmp); - x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7; - - /* Store the temporary working variables back into the state */ - S[0] = x0; S[1] = x1; S[2] = x2; S[3] = x3; - S[4] = x4; S[5] = x5; S[6] = x6; S[7] = x7; -} - -/** - * \brief Applies the slice permutation to the SATURNIN state. - * - * \param S The state. - */ -static void saturnin_slice(uint32_t S[8]) -{ - leftRotate4_N(S[0], 0xFFFFU, 0, 0x3333, 2); - leftRotate4_N(S[1], 0xFFFFU, 0, 0x3333, 2); - leftRotate4_N(S[2], 0xFFFFU, 0, 0x3333, 2); - leftRotate4_N(S[3], 0xFFFFU, 0, 0x3333, 2); - - leftRotate4_N(S[4], 0x7777U, 1, 0x1111, 3); - leftRotate4_N(S[5], 0x7777U, 1, 0x1111, 3); - leftRotate4_N(S[6], 0x7777U, 1, 0x1111, 3); - leftRotate4_N(S[7], 0x7777U, 1, 0x1111, 3); -} - -/** - * \brief Applies the inverse of the slice permutation to the SATURNIN state. - * - * \param S The state. 
- */ -static void saturnin_slice_inverse(uint32_t S[8]) -{ - leftRotate4_N(S[0], 0xFFFFU, 0, 0x3333, 2); - leftRotate4_N(S[1], 0xFFFFU, 0, 0x3333, 2); - leftRotate4_N(S[2], 0xFFFFU, 0, 0x3333, 2); - leftRotate4_N(S[3], 0xFFFFU, 0, 0x3333, 2); - - leftRotate4_N(S[4], 0x1111U, 3, 0x7777, 1); - leftRotate4_N(S[5], 0x1111U, 3, 0x7777, 1); - leftRotate4_N(S[6], 0x1111U, 3, 0x7777, 1); - leftRotate4_N(S[7], 0x1111U, 3, 0x7777, 1); -} - -/** - * \brief Applies the sheet permutation to the SATURNIN state. - * - * \param S The state. - */ -static void saturnin_sheet(uint32_t S[8]) -{ - leftRotate16_N(S[0], 0xFFFFU, 0, 0x00FF, 8); - leftRotate16_N(S[1], 0xFFFFU, 0, 0x00FF, 8); - leftRotate16_N(S[2], 0xFFFFU, 0, 0x00FF, 8); - leftRotate16_N(S[3], 0xFFFFU, 0, 0x00FF, 8); - - leftRotate16_N(S[4], 0x0FFFU, 4, 0x000F, 12); - leftRotate16_N(S[5], 0x0FFFU, 4, 0x000F, 12); - leftRotate16_N(S[6], 0x0FFFU, 4, 0x000F, 12); - leftRotate16_N(S[7], 0x0FFFU, 4, 0x000F, 12); -} - -/** - * \brief Applies the inverse of the sheet permutation to the SATURNIN state. - * - * \param S The state. - */ -static void saturnin_sheet_inverse(uint32_t S[8]) -{ - leftRotate16_N(S[0], 0xFFFFU, 0, 0x00FF, 8); - leftRotate16_N(S[1], 0xFFFFU, 0, 0x00FF, 8); - leftRotate16_N(S[2], 0xFFFFU, 0, 0x00FF, 8); - leftRotate16_N(S[3], 0xFFFFU, 0, 0x00FF, 8); - - leftRotate16_N(S[4], 0x000FU, 12, 0x0FFF, 4); - leftRotate16_N(S[5], 0x000FU, 12, 0x0FFF, 4); - leftRotate16_N(S[6], 0x000FU, 12, 0x0FFF, 4); - leftRotate16_N(S[7], 0x000FU, 12, 0x0FFF, 4); -} - -/** - * \brief Encrypts a 256-bit block with the SATURNIN block cipher. - * - * \param output Ciphertext output block, 32 bytes. - * \param input Plaintext input block, 32 bytes. - * \param key Points to the 32 byte key for the block cipher. - * \param rounds Number of rounds to perform. - * \param RC Round constants to use for domain separation. - * - * The \a input and \a output buffers can be the same. 
- * - * \sa saturnin_block_decrypt() - */ -static void saturnin_block_encrypt - (unsigned char *output, const unsigned char *input, - const unsigned char *key, unsigned rounds, const uint32_t *RC) -{ - uint32_t K[16]; - uint32_t S[8]; - uint32_t temp; - unsigned index; - - /* Unpack the key and the input block */ - for (index = 0; index < 16; index += 2) { - temp = ((uint32_t)(key[index])) | - (((uint32_t)(key[index + 1])) << 8) | - (((uint32_t)(key[index + 16])) << 16) | - (((uint32_t)(key[index + 17])) << 24); - K[index / 2] = temp; - K[8 + (index / 2)] = ((temp & 0x001F001FU) << 11) | - ((temp >> 5) & 0x07FF07FFU); - S[index / 2] = ((uint32_t)(input[index])) | - (((uint32_t)(input[index + 1])) << 8) | - (((uint32_t)(input[index + 16])) << 16) | - (((uint32_t)(input[index + 17])) << 24); - } - - /* XOR the key into the state */ - saturnin_xor_key(); - - /* Perform all encryption rounds */ - for (; rounds > 0; rounds -= 2, RC += 2) { - saturnin_sbox(S); - saturnin_mds(S); - saturnin_sbox(S); - saturnin_slice(S); - saturnin_mds(S); - saturnin_slice_inverse(S); - S[0] ^= RC[0]; - saturnin_xor_key_rotated(); - - saturnin_sbox(S); - saturnin_mds(S); - saturnin_sbox(S); - saturnin_sheet(S); - saturnin_mds(S); - saturnin_sheet_inverse(S); - S[0] ^= RC[1]; - saturnin_xor_key(); - } - - /* Encode the state into the output block */ - for (index = 0; index < 16; index += 2) { - temp = S[index / 2]; - output[index] = (uint8_t)temp; - output[index + 1] = (uint8_t)(temp >> 8); - output[index + 16] = (uint8_t)(temp >> 16); - output[index + 17] = (uint8_t)(temp >> 24); - } -} - -/** - * \brief Decrypts a 256-bit block with the SATURNIN block cipher. - * - * \param output Plaintext output block, 32 bytes. - * \param input Ciphertext input block, 32 bytes. - * \param key Points to the 32 byte key for the block cipher. - * \param rounds Number of rounds to perform. - * \param RC Round constants to use for domain separation. 
- *
- * The \a input and \a output buffers can be the same.
- *
- * \sa saturnin_block_encrypt()
- */
-static void saturnin_block_decrypt
- (unsigned char *output, const unsigned char *input,
- const unsigned char *key, unsigned rounds, const uint32_t *RC)
-{
- uint32_t K[16];
- uint32_t S[8];
- uint32_t temp;
- unsigned index;
-
- /* Unpack the key and the input block */
- for (index = 0; index < 16; index += 2) {
- temp = ((uint32_t)(key[index])) |
- (((uint32_t)(key[index + 1])) << 8) |
- (((uint32_t)(key[index + 16])) << 16) |
- (((uint32_t)(key[index + 17])) << 24);
- K[index / 2] = temp;
- K[8 + (index / 2)] = ((temp & 0x001F001FU) << 11) |
- ((temp >> 5) & 0x07FF07FFU);
- S[index / 2] = ((uint32_t)(input[index])) |
- (((uint32_t)(input[index + 1])) << 8) |
- (((uint32_t)(input[index + 16])) << 16) |
- (((uint32_t)(input[index + 17])) << 24);
- }
-
- /* Perform all decryption rounds */
- RC += rounds - 2;
- for (; rounds > 0; rounds -= 2, RC -= 2) {
- saturnin_xor_key();
- S[0] ^= RC[1];
- saturnin_sheet(S);
- saturnin_mds_inverse(S);
- saturnin_sheet_inverse(S);
- saturnin_sbox_inverse(S);
- saturnin_mds_inverse(S);
- saturnin_sbox_inverse(S);
-
- saturnin_xor_key_rotated();
- S[0] ^= RC[0];
- saturnin_slice(S);
- saturnin_mds_inverse(S);
- saturnin_slice_inverse(S);
- saturnin_sbox_inverse(S);
- saturnin_mds_inverse(S);
- saturnin_sbox_inverse(S);
- }
-
- /* XOR the key into the state */
- saturnin_xor_key();
-
- /* Encode the state into the output block */
- for (index = 0; index < 16; index += 2) {
- temp = S[index / 2];
- output[index] = (uint8_t)temp;
- output[index + 1] = (uint8_t)(temp >> 8);
- output[index + 16] = (uint8_t)(temp >> 16);
- output[index + 17] = (uint8_t)(temp >> 24);
- }
-}
-
-/**
- * \brief Encrypts a 256-bit block with the SATURNIN block cipher and
- * then XOR's itself to generate a new key.
- *
- * \param block Block to be encrypted and then XOR'ed with itself.
- * \param key Points to the 32 byte key for the block cipher.
- * \param rounds Number of rounds to perform.
- * \param RC Round constants to use for domain separation.
- */
-void saturnin_block_encrypt_xor
- (const unsigned char *block, unsigned char *key,
- unsigned rounds, const uint32_t *RC)
-{
- unsigned char temp[32];
- saturnin_block_encrypt(temp, block, key, rounds, RC);
- lw_xor_block_2_src(key, block, temp, 32);
-}
-
-/**
- * \brief Encrypts (or decrypts) a data packet in CTR mode.
- *
- * \param c Output ciphertext buffer.
- * \param m Input plaintext buffer.
- * \param mlen Length of the plaintext in bytes.
- * \param k Points to the 32-byte key.
- * \param block Points to the pre-formatted nonce block.
- */
-static void saturnin_ctr_encrypt
- (unsigned char *c, const unsigned char *m, unsigned long long mlen,
- const unsigned char *k, unsigned char *block)
-{
- /* Note: Specification requires a 95-bit counter but we only use 32-bit.
- * This limits the maximum packet size to 128Gb. That should be OK */
- uint32_t counter = 1;
- unsigned char out[32];
- while (mlen >= 32) {
- be_store_word32(block + 28, counter);
- saturnin_block_encrypt(out, block, k, 10, RC_10_1);
- lw_xor_block_2_src(c, out, m, 32);
- c += 32;
- m += 32;
- mlen -= 32;
- ++counter;
- }
- if (mlen > 0) {
- be_store_word32(block + 28, counter);
- saturnin_block_encrypt(out, block, k, 10, RC_10_1);
- lw_xor_block_2_src(c, out, m, (unsigned)mlen);
- }
-}
-
-/**
- * \brief Pads an authenticates a message.
- *
- * \param tag Points to the authentication tag.
- * \param block Temporary block of 32 bytes from the caller.
- * \param m Points to the message to be authenticated.
- * \param mlen Length of the message to be authenticated in bytes.
- * \param rounds Number of rounds to perform.
- * \param RC1 Round constants to use for domain separation on full blocks.
- * \param RC2 Round constants to use for domain separation on the last block.
- */
-static void saturnin_authenticate
- (unsigned char *tag, unsigned char *block,
- const unsigned char *m, unsigned long long mlen,
- unsigned rounds, const uint32_t *RC1, const uint32_t *RC2)
-{
- unsigned temp;
- while (mlen >= 32) {
- saturnin_block_encrypt_xor(m, tag, rounds, RC1);
- m += 32;
- mlen -= 32;
- }
- temp = (unsigned)mlen;
- memcpy(block, m, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, 31 - temp);
- saturnin_block_encrypt_xor(block, tag, rounds, RC2);
-}
-
-int saturnin_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char block[32];
- unsigned char *tag;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SATURNIN_TAG_SIZE;
-
- /* Format the input block from the padded nonce */
- memcpy(block, npub, 16);
- block[16] = 0x80;
- memset(block + 17, 0, 15);
-
- /* Encrypt the plaintext in counter mode to produce the ciphertext */
- saturnin_ctr_encrypt(c, m, mlen, k, block);
-
- /* Set the counter back to zero and then encrypt the nonce */
- tag = c + mlen;
- memcpy(tag, k, 32);
- memset(block + 17, 0, 15);
- saturnin_block_encrypt_xor(block, tag, 10, RC_10_2);
-
- /* Authenticate the associated data and the ciphertext */
- saturnin_authenticate(tag, block, ad, adlen, 10, RC_10_2, RC_10_3);
- saturnin_authenticate(tag, block, c, mlen, 10, RC_10_4, RC_10_5);
- return 0;
-}
-
-int saturnin_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char block[32];
- unsigned char tag[32];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SATURNIN_TAG_SIZE)
- return -1;
- *mlen = clen - SATURNIN_TAG_SIZE;
-
- /* Format the input block from the padded nonce */
- memcpy(block, npub, 16);
- block[16] = 0x80;
- memset(block + 17, 0, 15);
-
- /* Encrypt the nonce to initialize the authentication phase */
- memcpy(tag, k, 32);
- saturnin_block_encrypt_xor(block, tag, 10, RC_10_2);
-
- /* Authenticate the associated data and the ciphertext */
- saturnin_authenticate(tag, block, ad, adlen, 10, RC_10_2, RC_10_3);
- saturnin_authenticate(tag, block, c, *mlen, 10, RC_10_4, RC_10_5);
-
- /* Decrypt the ciphertext in counter mode to produce the plaintext */
- memcpy(block, npub, 16);
- block[16] = 0x80;
- memset(block + 17, 0, 15);
- saturnin_ctr_encrypt(m, c, *mlen, k, block);
-
- /* Check the authentication tag at the end of the message */
- return aead_check_tag
- (m, *mlen, tag, c + *mlen, SATURNIN_TAG_SIZE);
-}
-
-int saturnin_short_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char block[32];
- unsigned temp;
- (void)nsec;
- (void)ad;
-
- /* Validate the parameters: no associated data allowed and m <= 15 bytes */
- if (adlen > 0 || mlen > 15)
- return -2;
-
- /* Format the input block from the nonce and plaintext */
- temp = (unsigned)mlen;
- memcpy(block, npub, 16);
- memcpy(block + 16, m, temp);
- block[16 + temp] = 0x80; /* Padding */
- memset(block + 17 + temp, 0, 15 - temp);
-
- /* Encrypt the input block to produce the output ciphertext */
- saturnin_block_encrypt(c, block, k, 10, RC_10_6);
- *clen = 32;
- return 0;
-}
-
-int saturnin_short_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char block[32];
- unsigned check1, check2, len;
- int index, result;
- (void)nsec;
- (void)ad;
-
- /* Validate the parameters: no associated data and c is always 32 bytes */
- if (adlen > 0)
- return -2;
- if (clen != 32)
- return -1;
-
- /* Decrypt the ciphertext block */
- saturnin_block_decrypt(block, c, k, 10, RC_10_6);
-
- /* Verify that the output block starts with the nonce and that it is
- * padded correctly. We need to do this very carefully to avoid leaking
- * any information that could be used in a padding oracle attack. Use the
- * same algorithm as the reference implementation of SATURNIN-Short */
- check1 = 0;
- for (index = 0; index < 16; ++index)
- check1 |= npub[index] ^ block[index];
- check2 = 0xFF;
- len = 0;
- for (index = 15; index >= 0; --index) {
- unsigned temp = block[16 + index];
- unsigned temp2 = check2 & -(1 - (((temp ^ 0x80) + 0xFF) >> 8));
- len |= temp2 & (unsigned)index;
- check2 &= ~temp2;
- check1 |= check2 & ((temp + 0xFF) >> 8);
- }
- check1 |= check2;
-
- /* At this point, check1 is zero if the nonce and plaintext are good,
- * or non-zero if there was an error in the decrypted data */
- result = (((int)check1) - 1) >> 8;
-
- /* The "result" is -1 if the data is good or zero if the data is invalid.
- * Copy either the plaintext or zeroes to the output buffer. We assume
- * that the output buffer has space for up to 15 bytes. This may return
- * some of the padding to the caller but as long as they restrict
- * themselves to the first *mlen bytes then it shouldn't be a problem */
- for (index = 0; index < 15; ++index)
- m[index] = block[16 + index] & result;
- *mlen = len;
- return ~result;
-}
-
-int saturnin_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- unsigned char tag[32];
- unsigned char block[32];
- memset(tag, 0, sizeof(tag));
- saturnin_authenticate(tag, block, in, inlen, 16, RC_16_7, RC_16_8);
- memcpy(out, tag, 32);
- return 0;
-}
-
-void saturnin_hash_init(saturnin_hash_state_t *state)
-{
- memset(state, 0, sizeof(saturnin_hash_state_t));
-}
-
-void saturnin_hash_update
- (saturnin_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen)
-{
- unsigned temp;
-
- /* Handle the partial left-over block from last time */
- if (state->s.count) {
- temp = 32 - state->s.count;
- if (temp > inlen) {
- temp = (unsigned)inlen;
- memcpy(state->s.block + state->s.count, in, temp);
- state->s.count += temp;
- return;
- }
- memcpy(state->s.block + state->s.count, in, temp);
- state->s.count = 0;
- in += temp;
- inlen -= temp;
- saturnin_block_encrypt_xor(state->s.block, state->s.hash, 16, RC_16_7);
- }
-
- /* Process full blocks that are aligned at state->s.count == 0 */
- while (inlen >= 32) {
- saturnin_block_encrypt_xor(in, state->s.hash, 16, RC_16_7);
- in += 32;
- inlen -= 32;
- }
-
- /* Process the left-over block at the end of the input */
- temp = (unsigned)inlen;
- memcpy(state->s.block, in, temp);
- state->s.count = temp;
-}
-
-void saturnin_hash_finalize
- (saturnin_hash_state_t *state, unsigned char *out)
-{
- /* Pad the final block */
- state->s.block[state->s.count] = 0x80;
- memset(state->s.block + state->s.count + 1, 0, 31 - state->s.count);
-
- /* Generate the final hash value */
- saturnin_block_encrypt_xor(state->s.block, state->s.hash, 16, RC_16_8);
- memcpy(out, state->s.hash, 32);
-}
diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/saturnin.h b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/saturnin.h
deleted file mode 100644
index 873d950..0000000
--- a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys-avr/saturnin.h
+++ /dev/null
@@ -1,270 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SATURNIN_H
-#define LWCRYPTO_SATURNIN_H
-
-#include "aead-common.h"
-
-/**
- * \file saturnin.h
- * \brief Saturnin authenticated encryption algorithm.
- *
- * The Saturnin family consists of two members: SATURNIN-CTR-Cascade and
- * SATURNIN-Short. Both take a 256-bit key and a 128-bit nonce.
- * Internally they use a 256-bit block cipher similar in construction to AES.
- *
- * SATURNIN-Short does not support associated data or plaintext packets
- * with more than 15 bytes. This makes it very efficient on short packets
- * with only a single block operation involved.
- *
- * This implementation of SATURNIN-Short will return an error if the
- * caller supplies associated data or more than 15 bytes of plaintext.
- *
- * References: https://project.inria.fr/saturnin/
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for all SATURNIN family members.
- */
-#define SATURNIN_KEY_SIZE 32
-
-/**
- * \brief Size of the authentication tag for SATURNIN-CTR-Cascade or the
- * total size of the ciphertext for SATURNIN-Short.
- */
-#define SATURNIN_TAG_SIZE 32
-
-/**
- * \brief Size of the nonce for all SATURNIN family members.
- */
-#define SATURNIN_NONCE_SIZE 16
-
-/**
- * \brief Size of the hash for SATURNIN-Hash.
- */
-#define SATURNIN_HASH_SIZE 32
-
-/**
- * \brief State information for SATURNIN-Hash incremental modes.
- */
-typedef union
-{
- struct {
- unsigned char hash[32]; /**< Current hash state */
- unsigned char block[32]; /**< Left-over block data from last update */
- unsigned char count; /**< Number of bytes in the current block */
- unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */
- } s; /**< State */
- unsigned long long align; /**< For alignment of this structure */
-
-} saturnin_hash_state_t;
-
-/**
- * \brief Meta-information block for the SATURNIN-CTR-Cascade cipher.
- */
-extern aead_cipher_t const saturnin_cipher;
-
-/**
- * \brief Meta-information block for the SATURNIN-Short cipher.
- */
-extern aead_cipher_t const saturnin_short_cipher;
-
-/**
- * \brief Meta-information block for SATURNIN-Hash.
- */
-extern aead_hash_algorithm_t const saturnin_hash_algorithm;
-
-/**
- * \brief Encrypts and authenticates a packet with SATURNIN-CTR-Cascade.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 32 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 32 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa saturnin_aead_decrypt()
- */
-int saturnin_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SATURNIN-CTR-Cascade.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 32 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 32 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa saturnin_aead_encrypt()
- */
-int saturnin_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SATURNIN-Short.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which is always 32.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes, which must be
- * less than or equal to 15 bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes, which must be zero.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 32 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or -2 if the caller supplied too many bytes of
- * plaintext or they supplied associated data.
- *
- * \sa saturnin_short_aead_decrypt()
- */
-int saturnin_short_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SATURNIN-Short.
- *
- * \param m Buffer to receive the plaintext message on output. There must
- * be at least 15 bytes of space in this buffer even if the caller expects
- * to receive less data than that.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext to decrypt.
- * \param clen Length of the input data in bytes, which must be 32.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes, which must be zero.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 32 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or -2 if the caller supplied associated data.
- *
- * \sa saturnin_short_aead_encrypt()
- */
-int saturnin_short_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with SATURNIN to generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * SATURNIN_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int saturnin_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for an SATURNIN-Hash hashing operation.
- *
- * \param state Hash state to be initialized.
- *
- * \sa saturnin_hash_update(), saturnin_hash_finalize(), saturnin_hash()
- */
-void saturnin_hash_init(saturnin_hash_state_t *state);
-
-/**
- * \brief Updates an SATURNIN-Hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- *
- * \sa saturnin_hash_init(), saturnin_hash_finalize()
- */
-void saturnin_hash_update
- (saturnin_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from an SATURNIN-Hash hashing operation.
- *
- * \param state Hash state to be finalized.
- * \param out Points to the output buffer to receive the 32-byte hash value.
- *
- * \sa saturnin_hash_init(), saturnin_hash_update()
- */
-void saturnin_hash_finalize
- (saturnin_hash_state_t *state, unsigned char *out);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/internal-util.h b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/internal-util.h
+++ b/saturnin/Implementations/crypto_aead/saturninshortv2/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
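Review bot: The selection `#if defined(__AVR__)` / `#define LW_CRYPTO_ROTATE32_COMPOSED 1` ties the composed rotation path to the compiler target, so the 31 composed definitions it enables in the third hunk of this file can only be compiled by an AVR toolchain and never by the host-side build that runs the known-answer vectors. Wrapping these five lines in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` would let a build flag force the composed block on the host and compare it against the generic shifts before it lands in a cipher build. The same override would also let `#if !LW_CRYPTO_ROTATE32_COMPOSED` in the next hunk be exercised in both states from one test binary.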
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/aead-common.c b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
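Review bot: None of the 31 composed definitions here is checked against the generic shift it stands in for, and a wrong base count in one of them (a `16` where `24` was intended in `leftRotate21`, say) would change the permutation output only in AVR builds, which are the least likely to be run against the known-answer tests. A host-side check that compiles this block with `LW_CRYPTO_ROTATE32_COMPOSED` forced to 1 and asserts `leftRotateN(x) == leftRotate((x), N)` and `rightRotateN(x) == rightRotate((x), N)` for every N in 1..31 on a handful of fixed words would catch that before hardware testing. Each nesting level also appears to re-declare the generic macro's `_temp` inside its own statement-expression block (the tail of that macro is visible as context in the previous hunk); that is well-formed, since the inner `_temp` shadows the outer one only within its own braces, but it will be noisy under `-Wshadow`, so a one-line comment above `leftRotate2` such as `/* Nested rotates each open their own statement-expression scope; the shadowed _temp is intentional */` would help the next reader.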
--- a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/aead-common.h b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/api.h b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/api.h deleted file mode 100644 index ae8c7f6..0000000 --- a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/api.h +++ /dev/null @@ -1 +0,0 @@ -#define CRYPTO_BYTES 32 diff --git a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/internal-util.h b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) |
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/saturnin.c b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/saturnin.c
deleted file mode 100644
index 734fc69..0000000
--- a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/saturnin.c
+++ /dev/null
@@ -1,781 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "saturnin.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const saturnin_cipher = {
- "SATURNIN-CTR-Cascade",
- SATURNIN_KEY_SIZE,
- SATURNIN_NONCE_SIZE,
- SATURNIN_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- saturnin_aead_encrypt,
- saturnin_aead_decrypt
-};
-
-aead_cipher_t const saturnin_short_cipher = {
- "SATURNIN-Short",
- SATURNIN_KEY_SIZE,
- SATURNIN_NONCE_SIZE,
- SATURNIN_TAG_SIZE,
- AEAD_FLAG_NONE,
- saturnin_short_aead_encrypt,
- saturnin_short_aead_decrypt
-};
-
-aead_hash_algorithm_t const saturnin_hash_algorithm = {
- "SATURNIN-Hash",
- sizeof(saturnin_hash_state_t),
- SATURNIN_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- saturnin_hash,
- (aead_hash_init_t)saturnin_hash_init,
- (aead_hash_update_t)saturnin_hash_update,
- (aead_hash_finalize_t)saturnin_hash_finalize,
- 0, /* absorb */
- 0 /* squeeze */
-};
-
-/* Round constant tables for various combinations of rounds and domain_sep */
-static uint32_t const RC_10_1[] = {
- 0x4eb026c2, 0x90595303, 0xaa8fe632, 0xfe928a92, 0x4115a419,
- 0x93539532, 0x5db1cc4e, 0x541515ca, 0xbd1f55a8, 0x5a6e1a0d
-};
-static uint32_t const RC_10_2[] = {
- 0x4e4526b5, 0xa3565ff0, 0x0f8f20d8, 0x0b54bee1, 0x7d1a6c9d,
- 0x17a6280a, 0xaa46c986, 0xc1199062, 0x182c5cde, 0xa00d53fe
-};
-static uint32_t const RC_10_3[] = {
- 0x4e162698, 0xb2535ba1, 0x6c8f9d65, 0x5816ad30, 0x691fd4fa,
- 0x6bf5bcf9, 0xf8eb3525, 0xb21decfa, 0x7b3da417, 0xf62c94b4
-};
-static uint32_t const RC_10_4[] = {
- 0x4faf265b, 0xc5484616, 0x45dcad21, 0xe08bd607, 0x0504fdb8,
- 0x1e1f5257, 0x45fbc216, 0xeb529b1f, 0x52194e32, 0x5498c018
-};
-static uint32_t const RC_10_5[] = {
- 0x4ffc2676, 0xd44d4247, 0x26dc109c, 0xb3c9c5d6, 0x110145df,
- 0x624cc6a4, 0x17563eb5, 0x9856e787, 0x3108b6fb, 0x02b90752
-};
-static uint32_t const RC_10_6[] = {
- 0x4f092601, 0xe7424eb4, 0x83dcd676, 0x460ff1a5, 0x2d0e8d5b,
- 0xe6b97b9c, 0xe0a13b7d, 0x0d5a622f, 0x943bbf8d, 0xf8da4ea1
-};
-static uint32_t const RC_16_7[] = {
- 0x3fba180c, 0x563ab9ab, 0x125ea5ef, 0x859da26c,
0xb8cf779b,
- 0x7d4de793, 0x07efb49f, 0x8d525306, 0x1e08e6ab, 0x41729f87,
- 0x8c4aef0a, 0x4aa0c9a7, 0xd93a95ef, 0xbb00d2af, 0xb62c5bf0,
- 0x386d94d8
-};
-static uint32_t const RC_16_8[] = {
- 0x3c9b19a7, 0xa9098694, 0x23f878da, 0xa7b647d3, 0x74fc9d78,
- 0xeacaae11, 0x2f31a677, 0x4cc8c054, 0x2f51ca05, 0x5268f195,
- 0x4f5b8a2b, 0xf614b4ac, 0xf1d95401, 0x764d2568, 0x6a493611,
- 0x8eef9c3e
-};
-
-/* Rotate the 4-bit nibbles within a 16-bit word left */
-#define leftRotate4_N(a, mask1, bits1, mask2, bits2) \
- do { \
- uint32_t _temp = (a); \
- (a) = ((_temp & (mask1)) << (bits1)) | \
- ((_temp & ((mask1) ^ (uint32_t)0xFFFFU)) >> (4 - (bits1))) | \
- ((_temp & (((uint32_t)(mask2)) << 16)) << (bits2)) | \
- ((_temp & (((uint32_t)((mask2)) << 16) ^ 0xFFFF0000U)) >> (4 - (bits2))); \
- } while (0)
-
-/* Rotate 16-bit subwords left */
-#define leftRotate16_N(a, mask1, bits1, mask2, bits2) \
- do { \
- uint32_t _temp = (a); \
- (a) = ((_temp & (mask1)) << (bits1)) | \
- ((_temp & ((mask1) ^ (uint32_t)0xFFFFU)) >> (16 - (bits1))) | \
- ((_temp & (((uint32_t)(mask2)) << 16)) << (bits2)) | \
- ((_temp & (((uint32_t)((mask2)) << 16) ^ 0xFFFF0000U)) >> (16 - (bits2))); \
- } while (0)
-
-/* XOR the SATURNIN state with the key */
-#define saturnin_xor_key() \
- do { \
- for (index = 0; index < 8; ++index) \
- S[index] ^= K[index]; \
- } while (0)
-
-/* XOR the SATURNIN state with a rotated version of the key */
-#define saturnin_xor_key_rotated() \
- do { \
- for (index = 0; index < 8; ++index) \
- S[index] ^= K[index + 8]; \
- } while (0)
-
-/* Apply an SBOX layer for SATURNIN - definition from the specification */
-#define S_LAYER(a, b, c, d) \
- do { \
- (a) ^= (b) & (c); \
- (b) ^= (a) | (d); \
- (d) ^= (b) | (c); \
- (c) ^= (b) & (d); \
- (b) ^= (a) | (c); \
- (a) ^= (b) | (d); \
- } while (0)
-
-/* Apply an SBOX layer for SATURNIN in reverse */
-#define S_LAYER_INVERSE(a, b, c, d) \
- do { \
- (a) ^= (b) | (d); \
- (b) ^= (a) | (c); \
- (c) ^= (b) & (d); \
- (d) ^= (b) |
(c); \
- (b) ^= (a) | (d); \
- (a) ^= (b) & (c); \
- } while (0)
-
-/**
- * \brief Applies the SBOX to the SATURNIN state.
- *
- * \param S The state.
- */
-static void saturnin_sbox(uint32_t S[8])
-{
- uint32_t a, b, c, d;
-
- /* PI_0 on the first half of the state */
- a = S[0]; b = S[1]; c = S[2]; d = S[3];
- S_LAYER(a, b, c, d);
- S[0] = b; S[1] = c; S[2] = d; S[3] = a;
-
- /* PI_1 on the second half of the state */
- a = S[4]; b = S[5]; c = S[6]; d = S[7];
- S_LAYER(a, b, c, d);
- S[4] = d; S[5] = b; S[6] = a; S[7] = c;
-}
-
-/**
- * \brief Applies the inverse of the SBOX to the SATURNIN state.
- *
- * \param S The state.
- */
-static void saturnin_sbox_inverse(uint32_t S[8])
-{
- uint32_t a, b, c, d;
-
- /* PI_0 on the first half of the state */
- b = S[0]; c = S[1]; d = S[2]; a = S[3];
- S_LAYER_INVERSE(a, b, c, d);
- S[0] = a; S[1] = b; S[2] = c; S[3] = d;
-
- /* PI_1 on the second half of the state */
- d = S[4]; b = S[5]; a = S[6]; c = S[7];
- S_LAYER_INVERSE(a, b, c, d);
- S[4] = a; S[5] = b; S[6] = c; S[7] = d;
-}
-
-/**
- * \brief Applies the MDS matrix to the SATURNIN state.
- *
- * \param S The state.
- */
-static void saturnin_mds(uint32_t S[8])
-{
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t tmp;
-
- /* Load the state into temporary working variables */
- x0 = S[0]; x1 = S[1]; x2 = S[2]; x3 = S[3];
- x4 = S[4]; x5 = S[5]; x6 = S[6]; x7 = S[7];
-
- /* Apply the MDS matrix to the state */
- #define SWAP(a) (((a) << 16) | ((a) >> 16))
- #define MUL(x0, x1, x2, x3, tmp) \
- do { \
- tmp = x0; x0 = x1; x1 = x2; x2 = x3; x3 = tmp ^ x0; \
- } while (0)
- x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7;
- MUL(x4, x5, x6, x7, tmp);
- x4 ^= SWAP(x0); x5 ^= SWAP(x1);
- x6 ^= SWAP(x2); x7 ^= SWAP(x3);
- MUL(x0, x1, x2, x3, tmp);
- MUL(x0, x1, x2, x3, tmp);
- x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7;
- x4 ^= SWAP(x0); x5 ^= SWAP(x1);
- x6 ^= SWAP(x2); x7 ^= SWAP(x3);
-
- /* Store the temporary working variables back into the state */
- S[0] = x0; S[1] = x1; S[2] = x2; S[3] = x3;
- S[4] = x4; S[5] = x5; S[6] = x6; S[7] = x7;
-}
-
-/**
- * \brief Applies the inverse of the MDS matrix to the SATURNIN state.
- *
- * \param S The state.
- */
-static void saturnin_mds_inverse(uint32_t S[8])
-{
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t tmp;
-
- /* Load the state into temporary working variables */
- x0 = S[0]; x1 = S[1]; x2 = S[2]; x3 = S[3];
- x4 = S[4]; x5 = S[5]; x6 = S[6]; x7 = S[7];
-
- /* Apply the inverse of the MDS matrix to the state */
- #define MULINV(x0, x1, x2, x3, tmp) \
- do { \
- tmp = x3; x3 = x2; x2 = x1; x1 = x0; x0 = x1 ^ tmp; \
- } while (0)
- x6 ^= SWAP(x2); x7 ^= SWAP(x3);
- x4 ^= SWAP(x0); x5 ^= SWAP(x1);
- x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7;
- MULINV(x0, x1, x2, x3, tmp);
- MULINV(x0, x1, x2, x3, tmp);
- x6 ^= SWAP(x2); x7 ^= SWAP(x3);
- x4 ^= SWAP(x0); x5 ^= SWAP(x1);
- MULINV(x4, x5, x6, x7, tmp);
- x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7;
-
- /* Store the temporary working variables back into the state */
- S[0] = x0; S[1] = x1; S[2] = x2; S[3] = x3;
- S[4] = x4; S[5] = x5; S[6] = x6; S[7] = x7;
-}
-
-/**
- * \brief Applies the slice permutation to the SATURNIN state.
- *
- * \param S The state.
- */
-static void saturnin_slice(uint32_t S[8])
-{
- leftRotate4_N(S[0], 0xFFFFU, 0, 0x3333, 2);
- leftRotate4_N(S[1], 0xFFFFU, 0, 0x3333, 2);
- leftRotate4_N(S[2], 0xFFFFU, 0, 0x3333, 2);
- leftRotate4_N(S[3], 0xFFFFU, 0, 0x3333, 2);
-
- leftRotate4_N(S[4], 0x7777U, 1, 0x1111, 3);
- leftRotate4_N(S[5], 0x7777U, 1, 0x1111, 3);
- leftRotate4_N(S[6], 0x7777U, 1, 0x1111, 3);
- leftRotate4_N(S[7], 0x7777U, 1, 0x1111, 3);
-}
-
-/**
- * \brief Applies the inverse of the slice permutation to the SATURNIN state.
- *
- * \param S The state.
- */
-static void saturnin_slice_inverse(uint32_t S[8])
-{
- leftRotate4_N(S[0], 0xFFFFU, 0, 0x3333, 2);
- leftRotate4_N(S[1], 0xFFFFU, 0, 0x3333, 2);
- leftRotate4_N(S[2], 0xFFFFU, 0, 0x3333, 2);
- leftRotate4_N(S[3], 0xFFFFU, 0, 0x3333, 2);
-
- leftRotate4_N(S[4], 0x1111U, 3, 0x7777, 1);
- leftRotate4_N(S[5], 0x1111U, 3, 0x7777, 1);
- leftRotate4_N(S[6], 0x1111U, 3, 0x7777, 1);
- leftRotate4_N(S[7], 0x1111U, 3, 0x7777, 1);
-}
-
-/**
- * \brief Applies the sheet permutation to the SATURNIN state.
- *
- * \param S The state.
- */
-static void saturnin_sheet(uint32_t S[8])
-{
- leftRotate16_N(S[0], 0xFFFFU, 0, 0x00FF, 8);
- leftRotate16_N(S[1], 0xFFFFU, 0, 0x00FF, 8);
- leftRotate16_N(S[2], 0xFFFFU, 0, 0x00FF, 8);
- leftRotate16_N(S[3], 0xFFFFU, 0, 0x00FF, 8);
-
- leftRotate16_N(S[4], 0x0FFFU, 4, 0x000F, 12);
- leftRotate16_N(S[5], 0x0FFFU, 4, 0x000F, 12);
- leftRotate16_N(S[6], 0x0FFFU, 4, 0x000F, 12);
- leftRotate16_N(S[7], 0x0FFFU, 4, 0x000F, 12);
-}
-
-/**
- * \brief Applies the inverse of the sheet permutation to the SATURNIN state.
- *
- * \param S The state.
- */
-static void saturnin_sheet_inverse(uint32_t S[8])
-{
- leftRotate16_N(S[0], 0xFFFFU, 0, 0x00FF, 8);
- leftRotate16_N(S[1], 0xFFFFU, 0, 0x00FF, 8);
- leftRotate16_N(S[2], 0xFFFFU, 0, 0x00FF, 8);
- leftRotate16_N(S[3], 0xFFFFU, 0, 0x00FF, 8);
-
- leftRotate16_N(S[4], 0x000FU, 12, 0x0FFF, 4);
- leftRotate16_N(S[5], 0x000FU, 12, 0x0FFF, 4);
- leftRotate16_N(S[6], 0x000FU, 12, 0x0FFF, 4);
- leftRotate16_N(S[7], 0x000FU, 12, 0x0FFF, 4);
-}
-
-/**
- * \brief Encrypts a 256-bit block with the SATURNIN block cipher.
- *
- * \param output Ciphertext output block, 32 bytes.
- * \param input Plaintext input block, 32 bytes.
- * \param key Points to the 32 byte key for the block cipher.
- * \param rounds Number of rounds to perform.
- * \param RC Round constants to use for domain separation.
- *
- * The \a input and \a output buffers can be the same.
- *
- * \sa saturnin_block_decrypt()
- */
-static void saturnin_block_encrypt
- (unsigned char *output, const unsigned char *input,
- const unsigned char *key, unsigned rounds, const uint32_t *RC)
-{
- uint32_t K[16];
- uint32_t S[8];
- uint32_t temp;
- unsigned index;
-
- /* Unpack the key and the input block */
- for (index = 0; index < 16; index += 2) {
- temp = ((uint32_t)(key[index])) |
- (((uint32_t)(key[index + 1])) << 8) |
- (((uint32_t)(key[index + 16])) << 16) |
- (((uint32_t)(key[index + 17])) << 24);
- K[index / 2] = temp;
- K[8 + (index / 2)] = ((temp & 0x001F001FU) << 11) |
- ((temp >> 5) & 0x07FF07FFU);
- S[index / 2] = ((uint32_t)(input[index])) |
- (((uint32_t)(input[index + 1])) << 8) |
- (((uint32_t)(input[index + 16])) << 16) |
- (((uint32_t)(input[index + 17])) << 24);
- }
-
- /* XOR the key into the state */
- saturnin_xor_key();
-
- /* Perform all encryption rounds */
- for (; rounds > 0; rounds -= 2, RC += 2) {
- saturnin_sbox(S);
- saturnin_mds(S);
- saturnin_sbox(S);
- saturnin_slice(S);
- saturnin_mds(S);
- saturnin_slice_inverse(S);
- S[0] ^= RC[0];
- saturnin_xor_key_rotated();
-
- saturnin_sbox(S);
- saturnin_mds(S);
- saturnin_sbox(S);
- saturnin_sheet(S);
- saturnin_mds(S);
- saturnin_sheet_inverse(S);
- S[0] ^= RC[1];
- saturnin_xor_key();
- }
-
- /* Encode the state into the output block */
- for (index = 0; index < 16; index += 2) {
- temp = S[index / 2];
- output[index] = (uint8_t)temp;
- output[index + 1] = (uint8_t)(temp >> 8);
- output[index + 16] = (uint8_t)(temp >> 16);
- output[index + 17] = (uint8_t)(temp >> 24);
- }
-}
-
-/**
- * \brief Decrypts a 256-bit block with the SATURNIN block cipher.
- *
- * \param output Plaintext output block, 32 bytes.
- * \param input Ciphertext input block, 32 bytes.
- * \param key Points to the 32 byte key for the block cipher.
- * \param rounds Number of rounds to perform.
- * \param RC Round constants to use for domain separation.
- *
- * The \a input and \a output buffers can be the same.
- *
- * \sa saturnin_block_encrypt()
- */
-static void saturnin_block_decrypt
- (unsigned char *output, const unsigned char *input,
- const unsigned char *key, unsigned rounds, const uint32_t *RC)
-{
- uint32_t K[16];
- uint32_t S[8];
- uint32_t temp;
- unsigned index;
-
- /* Unpack the key and the input block */
- for (index = 0; index < 16; index += 2) {
- temp = ((uint32_t)(key[index])) |
- (((uint32_t)(key[index + 1])) << 8) |
- (((uint32_t)(key[index + 16])) << 16) |
- (((uint32_t)(key[index + 17])) << 24);
- K[index / 2] = temp;
- K[8 + (index / 2)] = ((temp & 0x001F001FU) << 11) |
- ((temp >> 5) & 0x07FF07FFU);
- S[index / 2] = ((uint32_t)(input[index])) |
- (((uint32_t)(input[index + 1])) << 8) |
- (((uint32_t)(input[index + 16])) << 16) |
- (((uint32_t)(input[index + 17])) << 24);
- }
-
- /* Perform all decryption rounds */
- RC += rounds - 2;
- for (; rounds > 0; rounds -= 2, RC -= 2) {
- saturnin_xor_key();
- S[0] ^= RC[1];
- saturnin_sheet(S);
- saturnin_mds_inverse(S);
- saturnin_sheet_inverse(S);
- saturnin_sbox_inverse(S);
- saturnin_mds_inverse(S);
- saturnin_sbox_inverse(S);
-
- saturnin_xor_key_rotated();
- S[0] ^= RC[0];
- saturnin_slice(S);
- saturnin_mds_inverse(S);
- saturnin_slice_inverse(S);
- saturnin_sbox_inverse(S);
- saturnin_mds_inverse(S);
- saturnin_sbox_inverse(S);
- }
-
- /* XOR the key into the state */
- saturnin_xor_key();
-
- /* Encode the state into the output block */
- for (index = 0; index < 16; index += 2) {
- temp = S[index / 2];
- output[index] = (uint8_t)temp;
- output[index + 1] = (uint8_t)(temp >> 8);
- output[index + 16] = (uint8_t)(temp >> 16);
- output[index + 17] = (uint8_t)(temp >> 24);
- }
-}
-
-/**
- * \brief Encrypts a 256-bit block with the SATURNIN block cipher and
- * then XOR's itself to generate a new key.
- *
- * \param block Block to be encrypted and then XOR'ed with itself.
- * \param key Points to the 32 byte key for the block cipher.
- * \param rounds Number of rounds to perform.
- * \param RC Round constants to use for domain separation.
- */
-void saturnin_block_encrypt_xor
- (const unsigned char *block, unsigned char *key,
- unsigned rounds, const uint32_t *RC)
-{
- unsigned char temp[32];
- saturnin_block_encrypt(temp, block, key, rounds, RC);
- lw_xor_block_2_src(key, block, temp, 32);
-}
-
-/**
- * \brief Encrypts (or decrypts) a data packet in CTR mode.
- *
- * \param c Output ciphertext buffer.
- * \param m Input plaintext buffer.
- * \param mlen Length of the plaintext in bytes.
- * \param k Points to the 32-byte key.
- * \param block Points to the pre-formatted nonce block.
- */
-static void saturnin_ctr_encrypt
- (unsigned char *c, const unsigned char *m, unsigned long long mlen,
- const unsigned char *k, unsigned char *block)
-{
- /* Note: Specification requires a 95-bit counter but we only use 32-bit.
- * This limits the maximum packet size to 128Gb. That should be OK */
- uint32_t counter = 1;
- unsigned char out[32];
- while (mlen >= 32) {
- be_store_word32(block + 28, counter);
- saturnin_block_encrypt(out, block, k, 10, RC_10_1);
- lw_xor_block_2_src(c, out, m, 32);
- c += 32;
- m += 32;
- mlen -= 32;
- ++counter;
- }
- if (mlen > 0) {
- be_store_word32(block + 28, counter);
- saturnin_block_encrypt(out, block, k, 10, RC_10_1);
- lw_xor_block_2_src(c, out, m, (unsigned)mlen);
- }
-}
-
-/**
- * \brief Pads an authenticates a message.
- *
- * \param tag Points to the authentication tag.
- * \param block Temporary block of 32 bytes from the caller.
- * \param m Points to the message to be authenticated.
- * \param mlen Length of the message to be authenticated in bytes.
- * \param rounds Number of rounds to perform.
- * \param RC1 Round constants to use for domain separation on full blocks.
- * \param RC2 Round constants to use for domain separation on the last block.
- */
-static void saturnin_authenticate
- (unsigned char *tag, unsigned char *block,
- const unsigned char *m, unsigned long long mlen,
- unsigned rounds, const uint32_t *RC1, const uint32_t *RC2)
-{
- unsigned temp;
- while (mlen >= 32) {
- saturnin_block_encrypt_xor(m, tag, rounds, RC1);
- m += 32;
- mlen -= 32;
- }
- temp = (unsigned)mlen;
- memcpy(block, m, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, 31 - temp);
- saturnin_block_encrypt_xor(block, tag, rounds, RC2);
-}
-
-int saturnin_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char block[32];
- unsigned char *tag;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SATURNIN_TAG_SIZE;
-
- /* Format the input block from the padded nonce */
- memcpy(block, npub, 16);
- block[16] = 0x80;
- memset(block + 17, 0, 15);
-
- /* Encrypt the plaintext in counter mode to produce the ciphertext */
- saturnin_ctr_encrypt(c, m, mlen, k, block);
-
- /* Set the counter back to zero and then encrypt the nonce */
- tag = c + mlen;
- memcpy(tag, k, 32);
- memset(block + 17, 0, 15);
- saturnin_block_encrypt_xor(block, tag, 10, RC_10_2);
-
- /* Authenticate the associated data and the ciphertext */
- saturnin_authenticate(tag, block, ad, adlen, 10, RC_10_2, RC_10_3);
- saturnin_authenticate(tag, block, c, mlen, 10, RC_10_4, RC_10_5);
- return 0;
-}
-
-int saturnin_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char block[32];
- unsigned char tag[32];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SATURNIN_TAG_SIZE)
- return -1;
- *mlen = clen - SATURNIN_TAG_SIZE;
-
- /* Format the input block from the padded nonce */
- memcpy(block, npub, 16);
- block[16] = 0x80;
- memset(block + 17, 0, 15);
-
- /* Encrypt the nonce to initialize the authentication phase */
- memcpy(tag, k, 32);
- saturnin_block_encrypt_xor(block, tag, 10, RC_10_2);
-
- /* Authenticate the associated data and the ciphertext */
- saturnin_authenticate(tag, block, ad, adlen, 10, RC_10_2, RC_10_3);
- saturnin_authenticate(tag, block, c, *mlen, 10, RC_10_4, RC_10_5);
-
- /* Decrypt the ciphertext in counter mode to produce the plaintext */
- memcpy(block, npub, 16);
- block[16] = 0x80;
- memset(block + 17, 0, 15);
- saturnin_ctr_encrypt(m, c, *mlen, k, block);
-
- /* Check the authentication tag at the end of the message */
- return aead_check_tag
- (m, *mlen, tag, c + *mlen, SATURNIN_TAG_SIZE);
-}
-
-int saturnin_short_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char block[32];
- unsigned temp;
- (void)nsec;
- (void)ad;
-
- /* Validate the parameters: no associated data allowed and m <= 15 bytes */
- if (adlen > 0 || mlen > 15)
- return -2;
-
- /* Format the input block from the nonce and plaintext */
- temp = (unsigned)mlen;
- memcpy(block, npub, 16);
- memcpy(block + 16, m, temp);
- block[16 + temp] = 0x80; /* Padding */
- memset(block + 17 + temp, 0, 15 - temp);
-
- /* Encrypt the input block to produce the output ciphertext */
- saturnin_block_encrypt(c, block, k, 10, RC_10_6);
- *clen = 32;
- return 0;
-}
-
-int saturnin_short_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char block[32];
- unsigned check1, check2, len;
- int index, result;
- (void)nsec;
- (void)ad;
-
- /* Validate the parameters: no associated data and c is always 32 bytes */
- if (adlen > 0)
- return -2;
- if (clen != 32)
- return -1;
-
- /* Decrypt the ciphertext block */
- saturnin_block_decrypt(block, c, k, 10, RC_10_6);
-
- /* Verify that the output block starts with the nonce and that it is
- * padded correctly. We need to do this very carefully to avoid leaking
- * any information that could be used in a padding oracle attack. Use the
- * same algorithm as the reference implementation of SATURNIN-Short */
- check1 = 0;
- for (index = 0; index < 16; ++index)
- check1 |= npub[index] ^ block[index];
- check2 = 0xFF;
- len = 0;
- for (index = 15; index >= 0; --index) {
- unsigned temp = block[16 + index];
- unsigned temp2 = check2 & -(1 - (((temp ^ 0x80) + 0xFF) >> 8));
- len |= temp2 & (unsigned)index;
- check2 &= ~temp2;
- check1 |= check2 & ((temp + 0xFF) >> 8);
- }
- check1 |= check2;
-
- /* At this point, check1 is zero if the nonce and plaintext are good,
- * or non-zero if there was an error in the decrypted data */
- result = (((int)check1) - 1) >> 8;
-
- /* The "result" is -1 if the data is good or zero if the data is invalid.
- * Copy either the plaintext or zeroes to the output buffer. We assume
- * that the output buffer has space for up to 15 bytes.
This may return
- * some of the padding to the caller but as long as they restrict
- * themselves to the first *mlen bytes then it shouldn't be a problem */
- for (index = 0; index < 15; ++index)
- m[index] = block[16 + index] & result;
- *mlen = len;
- return ~result;
-}
-
-int saturnin_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- unsigned char tag[32];
- unsigned char block[32];
- memset(tag, 0, sizeof(tag));
- saturnin_authenticate(tag, block, in, inlen, 16, RC_16_7, RC_16_8);
- memcpy(out, tag, 32);
- return 0;
-}
-
-void saturnin_hash_init(saturnin_hash_state_t *state)
-{
- memset(state, 0, sizeof(saturnin_hash_state_t));
-}
-
-void saturnin_hash_update
- (saturnin_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen)
-{
- unsigned temp;
-
- /* Handle the partial left-over block from last time */
- if (state->s.count) {
- temp = 32 - state->s.count;
- if (temp > inlen) {
- temp = (unsigned)inlen;
- memcpy(state->s.block + state->s.count, in, temp);
- state->s.count += temp;
- return;
- }
- memcpy(state->s.block + state->s.count, in, temp);
- state->s.count = 0;
- in += temp;
- inlen -= temp;
- saturnin_block_encrypt_xor(state->s.block, state->s.hash, 16, RC_16_7);
- }
-
- /* Process full blocks that are aligned at state->s.count == 0 */
- while (inlen >= 32) {
- saturnin_block_encrypt_xor(in, state->s.hash, 16, RC_16_7);
- in += 32;
- inlen -= 32;
- }
-
- /* Process the left-over block at the end of the input */
- temp = (unsigned)inlen;
- memcpy(state->s.block, in, temp);
- state->s.count = temp;
-}
-
-void saturnin_hash_finalize
- (saturnin_hash_state_t *state, unsigned char *out)
-{
- /* Pad the final block */
- state->s.block[state->s.count] = 0x80;
- memset(state->s.block + state->s.count + 1, 0, 31 - state->s.count);
-
- /* Generate the final hash value */
- saturnin_block_encrypt_xor(state->s.block, state->s.hash, 16, RC_16_8);
- memcpy(out, state->s.hash, 32);
-}
diff --git a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/saturnin.h b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/saturnin.h
deleted file mode 100644
index 873d950..0000000
--- a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/saturnin.h
+++ /dev/null
@@ -1,270 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SATURNIN_H -#define LWCRYPTO_SATURNIN_H - -#include "aead-common.h" - -/** - * \file saturnin.h - * \brief Saturnin authenticated encryption algorithm. - * - * The Saturnin family consists of two members: SATURNIN-CTR-Cascade and - * SATURNIN-Short. Both take a 256-bit key and a 128-bit nonce. - * Internally they use a 256-bit block cipher similar in construction to AES. - * - * SATURNIN-Short does not support associated data or plaintext packets - * with more than 15 bytes. This makes it very efficient on short packets - * with only a single block operation involved. - * - * This implementation of SATURNIN-Short will return an error if the - * caller supplies associated data or more than 15 bytes of plaintext. 
- * - * References: https://project.inria.fr/saturnin/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for all SATURNIN family members. - */ -#define SATURNIN_KEY_SIZE 32 - -/** - * \brief Size of the authentication tag for SATURNIN-CTR-Cascade or the - * total size of the ciphertext for SATURNIN-Short. - */ -#define SATURNIN_TAG_SIZE 32 - -/** - * \brief Size of the nonce for all SATURNIN family members. - */ -#define SATURNIN_NONCE_SIZE 16 - -/** - * \brief Size of the hash for SATURNIN-Hash. - */ -#define SATURNIN_HASH_SIZE 32 - -/** - * \brief State information for SATURNIN-Hash incremental modes. - */ -typedef union -{ - struct { - unsigned char hash[32]; /**< Current hash state */ - unsigned char block[32]; /**< Left-over block data from last update */ - unsigned char count; /**< Number of bytes in the current block */ - unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */ - } s; /**< State */ - unsigned long long align; /**< For alignment of this structure */ - -} saturnin_hash_state_t; - -/** - * \brief Meta-information block for the SATURNIN-CTR-Cascade cipher. - */ -extern aead_cipher_t const saturnin_cipher; - -/** - * \brief Meta-information block for the SATURNIN-Short cipher. - */ -extern aead_cipher_t const saturnin_short_cipher; - -/** - * \brief Meta-information block for SATURNIN-Hash. - */ -extern aead_hash_algorithm_t const saturnin_hash_algorithm; - -/** - * \brief Encrypts and authenticates a packet with SATURNIN-CTR-Cascade. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 32 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa saturnin_aead_decrypt() - */ -int saturnin_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SATURNIN-CTR-Cascade. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 32 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa saturnin_aead_encrypt() - */ -int saturnin_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SATURNIN-Short. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which is always 32. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes, which must be - * less than or equal to 15 bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes, which must be zero. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or -2 if the caller supplied too many bytes of - * plaintext or they supplied associated data. - * - * \sa saturnin_short_aead_decrypt() - */ -int saturnin_short_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SATURNIN-Short. - * - * \param m Buffer to receive the plaintext message on output. There must - * be at least 15 bytes of space in this buffer even if the caller expects - * to receive less data than that. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. 
- * \param c Buffer that contains the ciphertext to decrypt. - * \param clen Length of the input data in bytes, which must be 32. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes, which must be zero. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or -2 if the caller supplied associated data. - * - * \sa saturnin_short_aead_encrypt() - */ -int saturnin_short_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data with SATURNIN to generate a hash value. - * - * \param out Buffer to receive the hash output which must be at least - * SATURNIN_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int saturnin_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for an SATURNIN-Hash hashing operation. - * - * \param state Hash state to be initialized. - * - * \sa saturnin_hash_update(), saturnin_hash_finalize(), saturnin_hash() - */ -void saturnin_hash_init(saturnin_hash_state_t *state); - -/** - * \brief Updates an SATURNIN-Hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. 
- * - * \sa saturnin_hash_init(), saturnin_hash_finalize() - */ -void saturnin_hash_update - (saturnin_hash_state_t *state, const unsigned char *in, - unsigned long long inlen); - -/** - * \brief Returns the final hash value from an SATURNIN-Hash hashing operation. - * - * \param state Hash state to be finalized. - * \param out Points to the output buffer to receive the 32-byte hash value. - * - * \sa saturnin_hash_init(), saturnin_hash_update() - */ -void saturnin_hash_finalize - (saturnin_hash_state_t *state, unsigned char *out); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/aead-common.c b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys/aead-common.c similarity index 100% rename from elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/aead-common.c rename to saturnin/Implementations/crypto_hash/saturninhashv2/rhys/aead-common.c diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/aead-common.h b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys/aead-common.h similarity index 100% rename from elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/aead-common.h rename to saturnin/Implementations/crypto_hash/saturninhashv2/rhys/aead-common.h diff --git a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys/api.h b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys/api.h new file mode 100644 index 0000000..ae8c7f6 --- /dev/null +++ b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys/api.h @@ -0,0 +1 @@ +#define CRYPTO_BYTES 32 diff --git a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/hash.c b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys/hash.c similarity index 100% rename from saturnin/Implementations/crypto_hash/saturninhashv2/rhys-avr/hash.c rename to saturnin/Implementations/crypto_hash/saturninhashv2/rhys/hash.c 
diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-util.h b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys/internal-util.h similarity index 100% rename from elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-util.h rename to saturnin/Implementations/crypto_hash/saturninhashv2/rhys/internal-util.h diff --git a/saturnin/Implementations/crypto_hash/saturninhashv2/rhys/saturnin.c b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys/saturnin.c new file mode 100644 index 0000000..734fc69 --- /dev/null +++ b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys/saturnin.c 
@@ -0,0 +1,781 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "saturnin.h"
+#include "internal-util.h"
+#include
+
+aead_cipher_t const saturnin_cipher = {
+ "SATURNIN-CTR-Cascade",
+ SATURNIN_KEY_SIZE,
+ SATURNIN_NONCE_SIZE,
+ SATURNIN_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ saturnin_aead_encrypt,
+ saturnin_aead_decrypt
+};
+
+aead_cipher_t const saturnin_short_cipher = {
+ "SATURNIN-Short",
+ SATURNIN_KEY_SIZE,
+ SATURNIN_NONCE_SIZE,
+ SATURNIN_TAG_SIZE,
+ AEAD_FLAG_NONE,
+ saturnin_short_aead_encrypt,
+ saturnin_short_aead_decrypt
+};
+
+aead_hash_algorithm_t const saturnin_hash_algorithm = {
+ "SATURNIN-Hash",
+ sizeof(saturnin_hash_state_t),
+ SATURNIN_HASH_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ saturnin_hash,
+ (aead_hash_init_t)saturnin_hash_init,
+ (aead_hash_update_t)saturnin_hash_update,
+ (aead_hash_finalize_t)saturnin_hash_finalize,
+ 0, /* absorb */
+ 0 /* squeeze */
+};
+
+/* Round constant tables for various combinations of rounds and domain_sep */
+static uint32_t const RC_10_1[] = {
+ 0x4eb026c2, 0x90595303, 0xaa8fe632, 0xfe928a92, 0x4115a419,
+ 0x93539532, 0x5db1cc4e, 0x541515ca, 0xbd1f55a8, 0x5a6e1a0d
+};
+static uint32_t const RC_10_2[] = {
+ 0x4e4526b5, 0xa3565ff0, 0x0f8f20d8, 0x0b54bee1, 0x7d1a6c9d,
+ 0x17a6280a, 0xaa46c986, 0xc1199062, 0x182c5cde, 0xa00d53fe
+};
+static uint32_t const RC_10_3[] = {
+ 0x4e162698, 0xb2535ba1, 0x6c8f9d65, 0x5816ad30, 0x691fd4fa,
+ 0x6bf5bcf9, 0xf8eb3525, 0xb21decfa, 0x7b3da417, 0xf62c94b4
+};
+static uint32_t const RC_10_4[] = {
+ 0x4faf265b, 0xc5484616, 0x45dcad21, 0xe08bd607, 0x0504fdb8,
+ 0x1e1f5257, 0x45fbc216, 0xeb529b1f, 0x52194e32, 0x5498c018
+};
+static uint32_t const RC_10_5[] = {
+ 0x4ffc2676, 0xd44d4247, 0x26dc109c, 0xb3c9c5d6, 0x110145df,
+ 0x624cc6a4, 0x17563eb5, 0x9856e787, 0x3108b6fb, 0x02b90752
+};
+static uint32_t const RC_10_6[] = {
+ 0x4f092601, 0xe7424eb4, 0x83dcd676, 0x460ff1a5, 0x2d0e8d5b,
+ 0xe6b97b9c, 0xe0a13b7d, 0x0d5a622f, 0x943bbf8d, 0xf8da4ea1
+};
+static uint32_t const RC_16_7[] = {
+ 0x3fba180c, 0x563ab9ab, 0x125ea5ef, 0x859da26c, 0xb8cf779b,
+ 0x7d4de793, 0x07efb49f, 0x8d525306, 0x1e08e6ab, 0x41729f87,
+ 0x8c4aef0a, 0x4aa0c9a7, 0xd93a95ef, 0xbb00d2af, 0xb62c5bf0,
+ 0x386d94d8
+};
+static uint32_t const RC_16_8[] = {
+ 0x3c9b19a7, 0xa9098694, 0x23f878da, 0xa7b647d3, 0x74fc9d78,
+ 0xeacaae11, 0x2f31a677, 0x4cc8c054, 0x2f51ca05, 0x5268f195,
+ 0x4f5b8a2b, 0xf614b4ac, 0xf1d95401, 0x764d2568, 0x6a493611,
+ 0x8eef9c3e
+};
+
+/* Rotate the 4-bit nibbles within a 16-bit word left */
+#define leftRotate4_N(a, mask1, bits1, mask2, bits2) \
+ do { \
+ uint32_t _temp = (a); \
+ (a) = ((_temp & (mask1)) << (bits1)) | \
+ ((_temp & ((mask1) ^ (uint32_t)0xFFFFU)) >> (4 - (bits1))) | \
+ ((_temp & (((uint32_t)(mask2)) << 16)) << (bits2)) | \
+ ((_temp & (((uint32_t)((mask2)) << 16) ^ 0xFFFF0000U)) >> (4 - (bits2))); \
+ } while (0)
+
+/* Rotate 16-bit subwords left */
+#define leftRotate16_N(a, mask1, bits1, mask2, bits2) \
+ do { \
+ uint32_t _temp = (a); \
+ (a) = ((_temp & (mask1)) << (bits1)) | \
+ ((_temp & ((mask1) ^ (uint32_t)0xFFFFU)) >> (16 - (bits1))) | \
+ ((_temp & (((uint32_t)(mask2)) << 16)) << (bits2)) | \
+ ((_temp & (((uint32_t)((mask2)) << 16) ^ 0xFFFF0000U)) >> (16 - (bits2))); \
+ } while (0)
+
+/* XOR the SATURNIN state with the key */
+#define saturnin_xor_key() \
+ do { \
+ for (index = 0; index < 8; ++index) \
+ S[index] ^= K[index]; \
+ } while (0)
+
+/* XOR the SATURNIN state with a rotated version of the key */
+#define saturnin_xor_key_rotated() \
+ do { \
+ for (index = 0; index < 8; ++index) \
+ S[index] ^= K[index + 8]; \
+ } while (0)
+
+/* Apply an SBOX layer for SATURNIN - definition from the specification */
+#define S_LAYER(a, b, c, d) \
+ do { \
+ (a) ^= (b) & (c); \
+ (b) ^= (a) | (d); \
+ (d) ^= (b) | (c); \
+ (c) ^= (b) & (d); \
+ (b) ^= (a) | (c); \
+ (a) ^= (b) | (d); \
+ } while (0)
+
+/* Apply an SBOX layer for SATURNIN in reverse */
+#define S_LAYER_INVERSE(a, b, c, d) \
+ do { \
+ (a) ^= (b) | (d); \
+ (b) ^= (a) | (c); \
+ (c) ^= (b) & (d); \
+ (d) ^= (b) | (c); \
+ (b) ^= (a) | (d); \
+ (a) ^= (b) & (c); \
+ } while (0)
+
+/**
+ * \brief Applies the SBOX to the SATURNIN state.
+ *
+ * \param S The state.
+ */
+static void saturnin_sbox(uint32_t S[8])
+{
+ uint32_t a, b, c, d;
+
+ /* PI_0 on the first half of the state */
+ a = S[0]; b = S[1]; c = S[2]; d = S[3];
+ S_LAYER(a, b, c, d);
+ S[0] = b; S[1] = c; S[2] = d; S[3] = a;
+
+ /* PI_1 on the second half of the state */
+ a = S[4]; b = S[5]; c = S[6]; d = S[7];
+ S_LAYER(a, b, c, d);
+ S[4] = d; S[5] = b; S[6] = a; S[7] = c;
+}
+
+/**
+ * \brief Applies the inverse of the SBOX to the SATURNIN state.
+ *
+ * \param S The state.
+ */
+static void saturnin_sbox_inverse(uint32_t S[8])
+{
+ uint32_t a, b, c, d;
+
+ /* PI_0 on the first half of the state */
+ b = S[0]; c = S[1]; d = S[2]; a = S[3];
+ S_LAYER_INVERSE(a, b, c, d);
+ S[0] = a; S[1] = b; S[2] = c; S[3] = d;
+
+ /* PI_1 on the second half of the state */
+ d = S[4]; b = S[5]; a = S[6]; c = S[7];
+ S_LAYER_INVERSE(a, b, c, d);
+ S[4] = a; S[5] = b; S[6] = c; S[7] = d;
+}
+
+/**
+ * \brief Applies the MDS matrix to the SATURNIN state.
+ *
+ * \param S The state.
+ */
+static void saturnin_mds(uint32_t S[8])
+{
+ uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
+ uint32_t tmp;
+
+ /* Load the state into temporary working variables */
+ x0 = S[0]; x1 = S[1]; x2 = S[2]; x3 = S[3];
+ x4 = S[4]; x5 = S[5]; x6 = S[6]; x7 = S[7];
+
+ /* Apply the MDS matrix to the state */
+ #define SWAP(a) (((a) << 16) | ((a) >> 16))
+ #define MUL(x0, x1, x2, x3, tmp) \
+ do { \
+ tmp = x0; x0 = x1; x1 = x2; x2 = x3; x3 = tmp ^ x0; \
+ } while (0)
+ x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7;
+ MUL(x4, x5, x6, x7, tmp);
+ x4 ^= SWAP(x0); x5 ^= SWAP(x1);
+ x6 ^= SWAP(x2); x7 ^= SWAP(x3);
+ MUL(x0, x1, x2, x3, tmp);
+ MUL(x0, x1, x2, x3, tmp);
+ x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7;
+ x4 ^= SWAP(x0); x5 ^= SWAP(x1);
+ x6 ^= SWAP(x2); x7 ^= SWAP(x3);
+
+ /* Store the temporary working variables back into the state */
+ S[0] = x0; S[1] = x1; S[2] = x2; S[3] = x3;
+ S[4] = x4; S[5] = x5; S[6] = x6; S[7] = x7;
+}
+
+/**
+ * \brief Applies the inverse of the MDS matrix to the SATURNIN state.
+ *
+ * \param S The state.
+ */
+static void saturnin_mds_inverse(uint32_t S[8])
+{
+ uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
+ uint32_t tmp;
+
+ /* Load the state into temporary working variables */
+ x0 = S[0]; x1 = S[1]; x2 = S[2]; x3 = S[3];
+ x4 = S[4]; x5 = S[5]; x6 = S[6]; x7 = S[7];
+
+ /* Apply the inverse of the MDS matrix to the state */
+ #define MULINV(x0, x1, x2, x3, tmp) \
+ do { \
+ tmp = x3; x3 = x2; x2 = x1; x1 = x0; x0 = x1 ^ tmp; \
+ } while (0)
+ x6 ^= SWAP(x2); x7 ^= SWAP(x3);
+ x4 ^= SWAP(x0); x5 ^= SWAP(x1);
+ x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7;
+ MULINV(x0, x1, x2, x3, tmp);
+ MULINV(x0, x1, x2, x3, tmp);
+ x6 ^= SWAP(x2); x7 ^= SWAP(x3);
+ x4 ^= SWAP(x0); x5 ^= SWAP(x1);
+ MULINV(x4, x5, x6, x7, tmp);
+ x0 ^= x4; x1 ^= x5; x2 ^= x6; x3 ^= x7;
+
+ /* Store the temporary working variables back into the state */
+ S[0] = x0; S[1] = x1; S[2] = x2; S[3] = x3;
+ S[4] = x4; S[5] = x5; S[6] = x6; S[7] = x7;
+}
+
+/**
+ * \brief Applies the slice permutation to the SATURNIN state.
+ *
+ * \param S The state.
+ */
+static void saturnin_slice(uint32_t S[8])
+{
+ leftRotate4_N(S[0], 0xFFFFU, 0, 0x3333, 2);
+ leftRotate4_N(S[1], 0xFFFFU, 0, 0x3333, 2);
+ leftRotate4_N(S[2], 0xFFFFU, 0, 0x3333, 2);
+ leftRotate4_N(S[3], 0xFFFFU, 0, 0x3333, 2);
+
+ leftRotate4_N(S[4], 0x7777U, 1, 0x1111, 3);
+ leftRotate4_N(S[5], 0x7777U, 1, 0x1111, 3);
+ leftRotate4_N(S[6], 0x7777U, 1, 0x1111, 3);
+ leftRotate4_N(S[7], 0x7777U, 1, 0x1111, 3);
+}
+
+/**
+ * \brief Applies the inverse of the slice permutation to the SATURNIN state.
+ *
+ * \param S The state.
+ */
+static void saturnin_slice_inverse(uint32_t S[8])
+{
+ leftRotate4_N(S[0], 0xFFFFU, 0, 0x3333, 2);
+ leftRotate4_N(S[1], 0xFFFFU, 0, 0x3333, 2);
+ leftRotate4_N(S[2], 0xFFFFU, 0, 0x3333, 2);
+ leftRotate4_N(S[3], 0xFFFFU, 0, 0x3333, 2);
+
+ leftRotate4_N(S[4], 0x1111U, 3, 0x7777, 1);
+ leftRotate4_N(S[5], 0x1111U, 3, 0x7777, 1);
+ leftRotate4_N(S[6], 0x1111U, 3, 0x7777, 1);
+ leftRotate4_N(S[7], 0x1111U, 3, 0x7777, 1);
+}
+
+/**
+ * \brief Applies the sheet permutation to the SATURNIN state.
+ *
+ * \param S The state.
+ */
+static void saturnin_sheet(uint32_t S[8])
+{
+ leftRotate16_N(S[0], 0xFFFFU, 0, 0x00FF, 8);
+ leftRotate16_N(S[1], 0xFFFFU, 0, 0x00FF, 8);
+ leftRotate16_N(S[2], 0xFFFFU, 0, 0x00FF, 8);
+ leftRotate16_N(S[3], 0xFFFFU, 0, 0x00FF, 8);
+
+ leftRotate16_N(S[4], 0x0FFFU, 4, 0x000F, 12);
+ leftRotate16_N(S[5], 0x0FFFU, 4, 0x000F, 12);
+ leftRotate16_N(S[6], 0x0FFFU, 4, 0x000F, 12);
+ leftRotate16_N(S[7], 0x0FFFU, 4, 0x000F, 12);
+}
+
+/**
+ * \brief Applies the inverse of the sheet permutation to the SATURNIN state.
+ *
+ * \param S The state.
+ */
+static void saturnin_sheet_inverse(uint32_t S[8])
+{
+ leftRotate16_N(S[0], 0xFFFFU, 0, 0x00FF, 8);
+ leftRotate16_N(S[1], 0xFFFFU, 0, 0x00FF, 8);
+ leftRotate16_N(S[2], 0xFFFFU, 0, 0x00FF, 8);
+ leftRotate16_N(S[3], 0xFFFFU, 0, 0x00FF, 8);
+
+ leftRotate16_N(S[4], 0x000FU, 12, 0x0FFF, 4);
+ leftRotate16_N(S[5], 0x000FU, 12, 0x0FFF, 4);
+ leftRotate16_N(S[6], 0x000FU, 12, 0x0FFF, 4);
+ leftRotate16_N(S[7], 0x000FU, 12, 0x0FFF, 4);
+}
+
+/**
+ * \brief Encrypts a 256-bit block with the SATURNIN block cipher.
+ *
+ * \param output Ciphertext output block, 32 bytes.
+ * \param input Plaintext input block, 32 bytes.
+ * \param key Points to the 32 byte key for the block cipher.
+ * \param rounds Number of rounds to perform.
+ * \param RC Round constants to use for domain separation.
+ *
+ * The \a input and \a output buffers can be the same.
+ *
+ * \sa saturnin_block_decrypt()
+ */
+static void saturnin_block_encrypt
+ (unsigned char *output, const unsigned char *input,
+ const unsigned char *key, unsigned rounds, const uint32_t *RC)
+{
+ uint32_t K[16];
+ uint32_t S[8];
+ uint32_t temp;
+ unsigned index;
+
+ /* Unpack the key and the input block */
+ for (index = 0; index < 16; index += 2) {
+ temp = ((uint32_t)(key[index])) |
+ (((uint32_t)(key[index + 1])) << 8) |
+ (((uint32_t)(key[index + 16])) << 16) |
+ (((uint32_t)(key[index + 17])) << 24);
+ K[index / 2] = temp;
+ K[8 + (index / 2)] = ((temp & 0x001F001FU) << 11) |
+ ((temp >> 5) & 0x07FF07FFU);
+ S[index / 2] = ((uint32_t)(input[index])) |
+ (((uint32_t)(input[index + 1])) << 8) |
+ (((uint32_t)(input[index + 16])) << 16) |
+ (((uint32_t)(input[index + 17])) << 24);
+ }
+
+ /* XOR the key into the state */
+ saturnin_xor_key();
+
+ /* Perform all encryption rounds */
+ for (; rounds > 0; rounds -= 2, RC += 2) {
+ saturnin_sbox(S);
+ saturnin_mds(S);
+ saturnin_sbox(S);
+ saturnin_slice(S);
+ saturnin_mds(S);
+ saturnin_slice_inverse(S);
+ S[0] ^= RC[0];
+ saturnin_xor_key_rotated();
+
+ saturnin_sbox(S);
+ saturnin_mds(S);
+ saturnin_sbox(S);
+ saturnin_sheet(S);
+ saturnin_mds(S);
+ saturnin_sheet_inverse(S);
+ S[0] ^= RC[1];
+ saturnin_xor_key();
+ }
+
+ /* Encode the state into the output block */
+ for (index = 0; index < 16; index += 2) {
+ temp = S[index / 2];
+ output[index] = (uint8_t)temp;
+ output[index + 1] = (uint8_t)(temp >> 8);
+ output[index + 16] = (uint8_t)(temp >> 16);
+ output[index + 17] = (uint8_t)(temp >> 24);
+ }
+}
+
+/**
+ * \brief Decrypts a 256-bit block with the SATURNIN block cipher.
+ *
+ * \param output Plaintext output block, 32 bytes.
+ * \param input Ciphertext input block, 32 bytes.
+ * \param key Points to the 32 byte key for the block cipher.
+ * \param rounds Number of rounds to perform.
+ * \param RC Round constants to use for domain separation.
+ *
+ * The \a input and \a output buffers can be the same.
+ *
+ * \sa saturnin_block_encrypt()
+ */
+static void saturnin_block_decrypt
+ (unsigned char *output, const unsigned char *input,
+ const unsigned char *key, unsigned rounds, const uint32_t *RC)
+{
+ uint32_t K[16];
+ uint32_t S[8];
+ uint32_t temp;
+ unsigned index;
+
+ /* Unpack the key and the input block */
+ for (index = 0; index < 16; index += 2) {
+ temp = ((uint32_t)(key[index])) |
+ (((uint32_t)(key[index + 1])) << 8) |
+ (((uint32_t)(key[index + 16])) << 16) |
+ (((uint32_t)(key[index + 17])) << 24);
+ K[index / 2] = temp;
+ K[8 + (index / 2)] = ((temp & 0x001F001FU) << 11) |
+ ((temp >> 5) & 0x07FF07FFU);
+ S[index / 2] = ((uint32_t)(input[index])) |
+ (((uint32_t)(input[index + 1])) << 8) |
+ (((uint32_t)(input[index + 16])) << 16) |
+ (((uint32_t)(input[index + 17])) << 24);
+ }
+
+ /* Perform all decryption rounds */
+ RC += rounds - 2;
+ for (; rounds > 0; rounds -= 2, RC -= 2) {
+ saturnin_xor_key();
+ S[0] ^= RC[1];
+ saturnin_sheet(S);
+ saturnin_mds_inverse(S);
+ saturnin_sheet_inverse(S);
+ saturnin_sbox_inverse(S);
+ saturnin_mds_inverse(S);
+ saturnin_sbox_inverse(S);
+
+ saturnin_xor_key_rotated();
+ S[0] ^= RC[0];
+ saturnin_slice(S);
+ saturnin_mds_inverse(S);
+ saturnin_slice_inverse(S);
+ saturnin_sbox_inverse(S);
+ saturnin_mds_inverse(S);
+ saturnin_sbox_inverse(S);
+ }
+
+ /* XOR the key into the state */
+ saturnin_xor_key();
+
+ /* Encode the state into the output block */
+ for (index = 0; index < 16; index += 2) {
+ temp = S[index / 2];
+ output[index] = (uint8_t)temp;
+ output[index + 1] = (uint8_t)(temp >> 8);
+ output[index + 16] = (uint8_t)(temp >> 16);
+ output[index + 17] = (uint8_t)(temp >> 24);
+ }
+}
+
+/**
+ * \brief Encrypts a 256-bit block with the SATURNIN block cipher and
+ * then XOR's itself to generate a new key.
+ *
+ * \param block Block to be encrypted and then XOR'ed with itself.
+ * \param key Points to the 32 byte key for the block cipher.
+ * \param rounds Number of rounds to perform.
+ * \param RC Round constants to use for domain separation.
+ */
+void saturnin_block_encrypt_xor
+ (const unsigned char *block, unsigned char *key,
+ unsigned rounds, const uint32_t *RC)
+{
+ unsigned char temp[32];
+ saturnin_block_encrypt(temp, block, key, rounds, RC);
+ lw_xor_block_2_src(key, block, temp, 32);
+}
+
+/**
+ * \brief Encrypts (or decrypts) a data packet in CTR mode.
+ *
+ * \param c Output ciphertext buffer.
+ * \param m Input plaintext buffer.
+ * \param mlen Length of the plaintext in bytes.
+ * \param k Points to the 32-byte key.
+ * \param block Points to the pre-formatted nonce block.
+ */
+static void saturnin_ctr_encrypt
+ (unsigned char *c, const unsigned char *m, unsigned long long mlen,
+ const unsigned char *k, unsigned char *block)
+{
+ /* Note: Specification requires a 95-bit counter but we only use 32-bit.
+ * This limits the maximum packet size to 128Gb. That should be OK */
+ uint32_t counter = 1;
+ unsigned char out[32];
+ while (mlen >= 32) {
+ be_store_word32(block + 28, counter);
+ saturnin_block_encrypt(out, block, k, 10, RC_10_1);
+ lw_xor_block_2_src(c, out, m, 32);
+ c += 32;
+ m += 32;
+ mlen -= 32;
+ ++counter;
+ }
+ if (mlen > 0) {
+ be_store_word32(block + 28, counter);
+ saturnin_block_encrypt(out, block, k, 10, RC_10_1);
+ lw_xor_block_2_src(c, out, m, (unsigned)mlen);
+ }
+}
+
+/**
+ * \brief Pads an authenticates a message.
+ *
+ * \param tag Points to the authentication tag.
+ * \param block Temporary block of 32 bytes from the caller.
+ * \param m Points to the message to be authenticated.
+ * \param mlen Length of the message to be authenticated in bytes.
+ * \param rounds Number of rounds to perform.
+ * \param RC1 Round constants to use for domain separation on full blocks.
+ * \param RC2 Round constants to use for domain separation on the last block.
+ */
+static void saturnin_authenticate
+ (unsigned char *tag, unsigned char *block,
+ const unsigned char *m, unsigned long long mlen,
+ unsigned rounds, const uint32_t *RC1, const uint32_t *RC2)
+{
+ unsigned temp;
+ while (mlen >= 32) {
+ saturnin_block_encrypt_xor(m, tag, rounds, RC1);
+ m += 32;
+ mlen -= 32;
+ }
+ temp = (unsigned)mlen;
+ memcpy(block, m, temp);
+ block[temp] = 0x80;
+ memset(block + temp + 1, 0, 31 - temp);
+ saturnin_block_encrypt_xor(block, tag, rounds, RC2);
+}
+
+int saturnin_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ unsigned char block[32];
+ unsigned char *tag;
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + SATURNIN_TAG_SIZE;
+
+ /* Format the input block from the padded nonce */
+ memcpy(block, npub, 16);
+ block[16] = 0x80;
+ memset(block + 17, 0, 15);
+
+ /* Encrypt the plaintext in counter mode to produce the ciphertext */
+ saturnin_ctr_encrypt(c, m, mlen, k, block);
+
+ /* Set the counter back to zero and then encrypt the nonce */
+ tag = c + mlen;
+ memcpy(tag, k, 32);
+ memset(block + 17, 0, 15);
+ saturnin_block_encrypt_xor(block, tag, 10, RC_10_2);
+
+ /* Authenticate the associated data and the ciphertext */
+ saturnin_authenticate(tag, block, ad, adlen, 10, RC_10_2, RC_10_3);
+ saturnin_authenticate(tag, block, c, mlen, 10, RC_10_4, RC_10_5);
+ return 0;
+}
+
+int saturnin_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ unsigned char block[32];
+ unsigned char tag[32];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < SATURNIN_TAG_SIZE)
+ return -1;
+ *mlen = clen - SATURNIN_TAG_SIZE;
+
+ /* Format the input block from the padded nonce */
+ memcpy(block, npub, 16);
+ block[16] = 0x80;
+ memset(block + 17, 0, 15);
+
+ /* Encrypt the nonce to initialize the authentication phase */
+ memcpy(tag, k, 32);
+ saturnin_block_encrypt_xor(block, tag, 10, RC_10_2);
+
+ /* Authenticate the associated data and the ciphertext */
+ saturnin_authenticate(tag, block, ad, adlen, 10, RC_10_2, RC_10_3);
+ saturnin_authenticate(tag, block, c, *mlen, 10, RC_10_4, RC_10_5);
+
+ /* Decrypt the ciphertext in counter mode to produce the plaintext */
+ memcpy(block, npub, 16);
+ block[16] = 0x80;
+ memset(block + 17, 0, 15);
+ saturnin_ctr_encrypt(m, c, *mlen, k, block);
+
+ /* Check the authentication tag at the end of the message */
+ return aead_check_tag
+ (m, *mlen, tag, c + *mlen, SATURNIN_TAG_SIZE);
+}
+
+int saturnin_short_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ unsigned char block[32];
+ unsigned temp;
+ (void)nsec;
+ (void)ad;
+
+ /* Validate the parameters: no associated data allowed and m <= 15 bytes */
+ if (adlen > 0 || mlen > 15)
+ return -2;
+
+ /* Format the input block from the nonce and plaintext */
+ temp = (unsigned)mlen;
+ memcpy(block, npub, 16);
+ memcpy(block + 16, m, temp);
+ block[16 + temp] = 0x80; /* Padding */
+ memset(block + 17 + temp, 0, 15 - temp);
+
+ /* Encrypt the input block to produce the output ciphertext */
+ saturnin_block_encrypt(c, block, k, 10, RC_10_6);
+ *clen = 32;
+ return 0;
+}
+
+int saturnin_short_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ unsigned char block[32];
+ unsigned check1, check2, len;
+ int index, result;
+ (void)nsec;
+ (void)ad;
+
+ /* Validate the parameters: no associated data and c is always 32 bytes */
+ if (adlen > 0)
+ return -2;
+ if (clen != 32)
+ return -1;
+
+ /* Decrypt the ciphertext block */
+ saturnin_block_decrypt(block, c, k, 10, RC_10_6);
+
+ /* Verify that the output block starts with the nonce and that it is
+ * padded correctly. We need to do this very carefully to avoid leaking
+ * any information that could be used in a padding oracle attack. Use the
+ * same algorithm as the reference implementation of SATURNIN-Short */
+ check1 = 0;
+ for (index = 0; index < 16; ++index)
+ check1 |= npub[index] ^ block[index];
+ check2 = 0xFF;
+ len = 0;
+ for (index = 15; index >= 0; --index) {
+ unsigned temp = block[16 + index];
+ unsigned temp2 = check2 & -(1 - (((temp ^ 0x80) + 0xFF) >> 8));
+ len |= temp2 & (unsigned)index;
+ check2 &= ~temp2;
+ check1 |= check2 & ((temp + 0xFF) >> 8);
+ }
+ check1 |= check2;
+
+ /* At this point, check1 is zero if the nonce and plaintext are good,
+ * or non-zero if there was an error in the decrypted data */
+ result = (((int)check1) - 1) >> 8;
+
+ /* The "result" is -1 if the data is good or zero if the data is invalid.
+ * Copy either the plaintext or zeroes to the output buffer. We assume
+ * that the output buffer has space for up to 15 bytes.
This may return
+ * some of the padding to the caller but as long as they restrict
+ * themselves to the first *mlen bytes then it shouldn't be a problem */
+ for (index = 0; index < 15; ++index)
+ m[index] = block[16 + index] & result;
+ *mlen = len;
+ return ~result;
+}
+
+int saturnin_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ unsigned char tag[32];
+ unsigned char block[32];
+ memset(tag, 0, sizeof(tag));
+ saturnin_authenticate(tag, block, in, inlen, 16, RC_16_7, RC_16_8);
+ memcpy(out, tag, 32);
+ return 0;
+}
+
+void saturnin_hash_init(saturnin_hash_state_t *state)
+{
+ memset(state, 0, sizeof(saturnin_hash_state_t));
+}
+
+void saturnin_hash_update
+ (saturnin_hash_state_t *state, const unsigned char *in,
+ unsigned long long inlen)
+{
+ unsigned temp;
+
+ /* Handle the partial left-over block from last time */
+ if (state->s.count) {
+ temp = 32 - state->s.count;
+ if (temp > inlen) {
+ temp = (unsigned)inlen;
+ memcpy(state->s.block + state->s.count, in, temp);
+ state->s.count += temp;
+ return;
+ }
+ memcpy(state->s.block + state->s.count, in, temp);
+ state->s.count = 0;
+ in += temp;
+ inlen -= temp;
+ saturnin_block_encrypt_xor(state->s.block, state->s.hash, 16, RC_16_7);
+ }
+
+ /* Process full blocks that are aligned at state->s.count == 0 */
+ while (inlen >= 32) {
+ saturnin_block_encrypt_xor(in, state->s.hash, 16, RC_16_7);
+ in += 32;
+ inlen -= 32;
+ }
+
+ /* Process the left-over block at the end of the input */
+ temp = (unsigned)inlen;
+ memcpy(state->s.block, in, temp);
+ state->s.count = temp;
+}
+
+void saturnin_hash_finalize
+ (saturnin_hash_state_t *state, unsigned char *out)
+{
+ /* Pad the final block */
+ state->s.block[state->s.count] = 0x80;
+ memset(state->s.block + state->s.count + 1, 0, 31 - state->s.count);
+
+ /* Generate the final hash value */
+ saturnin_block_encrypt_xor(state->s.block, state->s.hash, 16, RC_16_8);
+ memcpy(out, state->s.hash, 32);
+}
diff --git a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/comet.h b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys/saturnin.h
similarity index 54%
rename from comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/comet.h
rename to saturnin/Implementations/crypto_hash/saturninhashv2/rhys/saturnin.h
index d1b24a6..873d950 100644
--- a/comet/Implementations/crypto_aead/comet64chamv1/rhys-avr/comet.h
+++ b/saturnin/Implementations/crypto_hash/saturninhashv2/rhys/saturnin.h
@@ -20,30 +20,27 @@
 * DEALINGS IN THE SOFTWARE.
 */
-#ifndef LWCRYPTO_COMET_H
-#define LWCRYPTO_COMET_H
+#ifndef LWCRYPTO_SATURNIN_H
+#define LWCRYPTO_SATURNIN_H
 #include "aead-common.h"
 /**
- * \file comet.h
- * \brief COMET authenticated encryption algorithm.
+ * \file saturnin.h
+ * \brief Saturnin authenticated encryption algorithm.
 *
- * COMET is a family of authenticated encryption algorithms that are
- * built around an underlying block cipher. This library implements
- * three members of the family:
+ * The Saturnin family consists of two members: SATURNIN-CTR-Cascade and
+ * SATURNIN-Short. Both take a 256-bit key and a 128-bit nonce.
+ * Internally they use a 256-bit block cipher similar in construction to AES.
 *
- * \li COMET-128_CHAM-128/128 which has a 128-bit key, a 128-bit nonce,
- * and a 128-bit tag, built around the CHAM-128/128 block cipher.
- * \li COMET-64_CHAM-64/128 which has a 128-bit key, a 120-bit nonce,
- * and a 64-bit tag, built around the CHAM-64/128 block cipher.
- * \li COMET-64_SPECK-64/128 which has a 128-bit key, a 120-bit nonce,
- * and a 64-bit tag, built around the SPECK-64/128 block cipher.
+ * SATURNIN-Short does not support associated data or plaintext packets
+ * with more than 15 bytes. This makes it very efficient on short packets
+ * with only a single block operation involved.
 *
- * There is also another family member that is built around AES but
- * this library does not implement that version.
+ * This implementation of SATURNIN-Short will return an error if the
+ * caller supplies associated data or more than 15 bytes of plaintext.
 *
- * References: https://www.isical.ac.in/~lightweight/comet/
+ * References: https://project.inria.fr/saturnin/
 */
 #ifdef __cplusplus
@@ -51,51 +48,62 @@ extern "C" {
 #endif
 /**
- * \brief Size of the key for all COMET family members.
+ * \brief Size of the key for all SATURNIN family members.
 */
-#define COMET_KEY_SIZE 16
+#define SATURNIN_KEY_SIZE 32
 /**
- * \brief Size of the authentication tag for the 128-bit versions of COMET.
+ * \brief Size of the authentication tag for SATURNIN-CTR-Cascade or the
+ * total size of the ciphertext for SATURNIN-Short.
 */
-#define COMET_128_TAG_SIZE 16
+#define SATURNIN_TAG_SIZE 32
 /**
- * \brief Size of the authentication tag for the 64-bit versions of COMET.
+ * \brief Size of the nonce for all SATURNIN family members.
 */
-#define COMET_64_TAG_SIZE 8
+#define SATURNIN_NONCE_SIZE 16
 /**
- * \brief Size of the nonce for the 128-bit versions of COMET.
+ * \brief Size of the hash for SATURNIN-Hash.
 */
-#define COMET_128_NONCE_SIZE 16
+#define SATURNIN_HASH_SIZE 32
 /**
- * \brief Size of the nonce for the 64-bit versions of COMET.
+ * \brief State information for SATURNIN-Hash incremental modes.
 */
-#define COMET_64_NONCE_SIZE 15
+typedef union
+{
+ struct {
+ unsigned char hash[32]; /**< Current hash state */
+ unsigned char block[32]; /**< Left-over block data from last update */
+ unsigned char count; /**< Number of bytes in the current block */
+ unsigned char mode; /**< Hash mode: 0 for absorb, 1 for squeeze */
+ } s; /**< State */
+ unsigned long long align; /**< For alignment of this structure */
+
+} saturnin_hash_state_t;
 /**
- * \brief Meta-information block for the COMET-128_CHAM-128/128 cipher.
+ * \brief Meta-information block for the SATURNIN-CTR-Cascade cipher.
 */
-extern aead_cipher_t const comet_128_cham_cipher;
+extern aead_cipher_t const saturnin_cipher;
 /**
- * \brief Meta-information block for the COMET-64_CHAM-64/128 cipher.
+ * \brief Meta-information block for the SATURNIN-Short cipher.
 */
-extern aead_cipher_t const comet_64_cham_cipher;
+extern aead_cipher_t const saturnin_short_cipher;
 /**
- * \brief Meta-information block for the COMET-64_SPECK-64/128 cipher.
+ * \brief Meta-information block for SATURNIN-Hash.
 */
-extern aead_cipher_t const comet_64_speck_cipher;
+extern aead_hash_algorithm_t const saturnin_hash_algorithm;
 /**
- * \brief Encrypts and authenticates a packet with COMET-128_CHAM-128/128.
+ * \brief Encrypts and authenticates a packet with SATURNIN-CTR-Cascade.
 *
 * \param c Buffer to receive the output.
 * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
+ * the ciphertext and the 32 byte authentication tag.
 * \param m Buffer that contains the plaintext message to encrypt.
 * \param mlen Length of the plaintext message in bytes.
 * \param ad Buffer that contains associated data to authenticate
@@ -104,14 +112,14 @@ extern aead_cipher_t const comet_64_speck_cipher;
 * \param nsec Secret nonce - not used by this algorithm.
 * \param npub Points to the public nonce for the packet which must
 * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
+ * \param k Points to the 32 bytes of the key to use to encrypt the packet.
 *
 * \return 0 on success, or a negative value if there was an error in
 * the parameters.
 *
- * \sa comet_128_cham_aead_decrypt()
+ * \sa saturnin_aead_decrypt()
 */
-int comet_128_cham_aead_encrypt
+int saturnin_aead_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
 const unsigned char *ad, unsigned long long adlen,
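Review bot: The `mode` member of `saturnin_hash_state_t` is documented as "0 for absorb, 1 for squeeze", but the SATURNIN-Hash functions this commit adds in saturnin.c (`saturnin_hash_init`, `saturnin_hash_update`, `saturnin_hash_finalize`) never read or write it beyond the initial memset, and the declarations visible in this header expose no absorb/squeeze entry point. Either drop the field or reword the comment so it does not promise an XOF mode, e.g. `unsigned char mode; /**< Reserved; not used by the functions in this header */`. If it is kept so the state layout matches other rhys hash states, saying that in the comment would spare the next reader the same search.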
@@ -120,7 +128,7 @@ int comet_128_cham_aead_encrypt
 const unsigned char *k);
 /**
- * \brief Decrypts and authenticates a packet with COMET-128_CHAM-128/128.
+ * \brief Decrypts and authenticates a packet with SATURNIN-CTR-Cascade.
 *
 * \param m Buffer to receive the plaintext message on output.
 * \param mlen Receives the length of the plaintext message on output.
@@ -128,20 +136,20 @@ int comet_128_cham_aead_encrypt
 * \param c Buffer that contains the ciphertext and authentication
 * tag to decrypt.
 * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
+ * ciphertext and the 32 byte authentication tag.
 * \param ad Buffer that contains associated data to authenticate
 * along with the packet but which does not need to be encrypted.
 * \param adlen Length of the associated data in bytes.
 * \param npub Points to the public nonce for the packet which must
 * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
+ * \param k Points to the 32 bytes of the key to use to decrypt the packet.
 *
 * \return 0 on success, -1 if the authentication tag was incorrect,
 * or some other negative number if there was an error in the parameters.
 *
- * \sa comet_128_cham_aead_encrypt()
+ * \sa saturnin_aead_encrypt()
 */
-int comet_128_cham_aead_decrypt
+int saturnin_aead_decrypt
 (unsigned char *m, unsigned long long *mlen,
 unsigned char *nsec,
 const unsigned char *c, unsigned long long clen,
@@ -150,27 +158,27 @@ int comet_128_cham_aead_decrypt
 const unsigned char *k);
 /**
- * \brief Encrypts and authenticates a packet with COMET-64_CHAM-64/128.
+ * \brief Encrypts and authenticates a packet with SATURNIN-Short.
 *
 * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
+ * \param clen On exit, set to the length of the output which is always 32.
 * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
+ * \param mlen Length of the plaintext message in bytes, which must be
+ * less than or equal to 15 bytes.
 * \param ad Buffer that contains associated data to authenticate
 * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
+ * \param adlen Length of the associated data in bytes, which must be zero.
 * \param nsec Secret nonce - not used by this algorithm.
 * \param npub Points to the public nonce for the packet which must
- * be 15 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
+ * be 16 bytes in length.
+ * \param k Points to the 32 bytes of the key to use to encrypt the packet.
 *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
+ * \return 0 on success, or -2 if the caller supplied too many bytes of
+ * plaintext or they supplied associated data.
 *
- * \sa comet_64_cham_aead_decrypt()
+ * \sa saturnin_short_aead_decrypt()
 */
-int comet_64_cham_aead_encrypt
+int saturnin_short_aead_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
 const unsigned char *ad, unsigned long long adlen,
@@ -179,28 +187,28 @@ int comet_64_cham_aead_encrypt
 const unsigned char *k);
 /**
- * \brief Decrypts and authenticates a packet with COMET-64_CHAM-64/128.
+ * \brief Decrypts and authenticates a packet with SATURNIN-Short.
 *
- * \param m Buffer to receive the plaintext message on output.
+ * \param m Buffer to receive the plaintext message on output. There must
+ * be at least 15 bytes of space in this buffer even if the caller expects
+ * to receive less data than that.
 * \param mlen Receives the length of the plaintext message on output.
 * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
+ * \param c Buffer that contains the ciphertext to decrypt.
+ * \param clen Length of the input data in bytes, which must be 32.
 * \param ad Buffer that contains associated data to authenticate
 * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
+ * \param adlen Length of the associated data in bytes, which must be zero.
 * \param npub Points to the public nonce for the packet which must
- * be 15 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
+ * be 16 bytes in length.
+ * \param k Points to the 32 bytes of the key to use to decrypt the packet.
 *
 * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
+ * or -2 if the caller supplied associated data.
 *
- * \sa comet_64_cham_aead_encrypt()
+ * \sa saturnin_short_aead_encrypt()
 */
-int comet_64_cham_aead_decrypt
+int saturnin_short_aead_decrypt
 (unsigned char *m, unsigned long long *mlen,
 unsigned char *nsec,
 const unsigned char *c, unsigned long long clen,
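Review bot: The `\return` text for `saturnin_short_aead_decrypt` reserves -1 for a failed authentication check, but the implementation this commit adds in saturnin.c also returns -1 when `clen != 32`, so a caller cannot tell a wrong-length packet from a forged one, while the `adlen > 0` case already gets its own -2. Either document it, `* \return 0 on success, -1 if \a clen is not 32 or the authentication check failed, or -2 if the caller supplied associated data.`, or report the length error as -2 as well so that -1 stays specific to the constant-time check. The new sentence requiring 15 bytes of space in \a m does match the unconditional 15-byte copy in the implementation and should stay.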
@@ -209,63 +217,51 @@ int comet_64_cham_aead_decrypt
 const unsigned char *k);
 /**
- * \brief Encrypts and authenticates a packet with COMET-64_SPECK-64/128.
+ * \brief Hashes a block of input data with SATURNIN to generate a hash value.
 *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 15 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
+ * \param out Buffer to receive the hash output which must be at least
+ * SATURNIN_HASH_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
 *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
+ */
+int saturnin_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen);
+
+/**
+ * \brief Initializes the state for an SATURNIN-Hash hashing operation.
+ *
+ * \param state Hash state to be initialized.
 *
- * \sa comet_64_speck_aead_decrypt()
+ * \sa saturnin_hash_update(), saturnin_hash_finalize(), saturnin_hash()
 */
-int comet_64_speck_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
+void saturnin_hash_init(saturnin_hash_state_t *state);
 /**
- * \brief Decrypts and authenticates a packet with COMET-64_SPECK-64/128.
+ * \brief Updates an SATURNIN-Hash state with more input data.
 *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 15 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
+ * \param state Hash state to be updated.
+ * \param in Points to the input data to be incorporated into the state.
+ * \param inlen Length of the input data to be incorporated into the state.
 *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
+ * \sa saturnin_hash_init(), saturnin_hash_finalize()
+ */
+void saturnin_hash_update
+ (saturnin_hash_state_t *state, const unsigned char *in,
+ unsigned long long inlen);
+
+/**
+ * \brief Returns the final hash value from an SATURNIN-Hash hashing operation.
 *
- * \sa comet_64_speck_aead_encrypt()
+ * \param state Hash state to be finalized.
+ * \param out Points to the output buffer to receive the 32-byte hash value.
+ *
+ * \sa saturnin_hash_init(), saturnin_hash_update()
 */
-int comet_64_speck_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
+void saturnin_hash_finalize
+ (saturnin_hash_state_t *state, unsigned char *out);
 #ifdef __cplusplus
 }
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/aead-common.c b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/aead-common.c
+++ /dev/null
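Review bot: The three new `\brief` lines in this hunk read "an SATURNIN-Hash" and should be "a SATURNIN-Hash" for `saturnin_hash_init`, `saturnin_hash_update` and `saturnin_hash_finalize`. Separately, the `\return` for `saturnin_hash` promises -1 on a parameter error while the implementation this commit adds in saturnin.c returns 0 unconditionally; that is compatible with the generic `aead_hash_t` contract, but if no validation is intended, `* \return Returns zero; this implementation performs no parameter validation.` describes the function as written. The `saturnin_hash_finalize` comment could also say whether the state may be reused after finalization, since the visible implementation leaves the state's hash and block fields in their final values.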
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/aead-common.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/api.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/api.h
deleted file mode 100644
index c3c0a27..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 12
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/encrypt.c b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/encrypt.c
deleted file mode 100644
index 64c6ea2..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "skinny-aead.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return skinny_aead_m5_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return skinny_aead_m5_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-skinny128.c
deleted file mode 100644
index 579ced1..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-skinny128.c
+++ /dev/null
@@ -1,801 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-skinny128.h"
-#include "internal-skinnyutil.h"
-#include "internal-util.h"
-#include
-
-#if !defined(__AVR__)
-
-STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
-{
- /* This function is used to fast-forward the TK1 tweak value
- * to the value at the end of the key schedule for decryption.
- *
- * The tweak permutation repeats every 16 rounds, so SKINNY-128-256
- * with 48 rounds does not need any fast forwarding applied.
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds
- * are equivalent to applying the permutation 8 times:
- *
- * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12]
- */
- uint32_t row0 = tk[0];
- uint32_t row1 = tk[1];
- uint32_t row2 = tk[2];
- uint32_t row3 = tk[3];
- tk[0] = ((row1 >> 8) & 0x0000FFFFU) |
- ((row0 >> 8) & 0x00FF0000U) |
- ((row0 << 8) & 0xFF000000U);
- tk[1] = ((row1 >> 24) & 0x000000FFU) |
- ((row0 << 8) & 0x00FFFF00U) |
- ((row1 << 24) & 0xFF000000U);
- tk[2] = ((row3 >> 8) & 0x0000FFFFU) |
- ((row2 >> 8) & 0x00FF0000U) |
- ((row2 << 8) & 0xFF000000U);
- tk[3] = ((row3 >> 24) & 0x000000FFU) |
- ((row2 << 8) & 0x00FFFF00U) |
- ((row3 << 24) & 0xFF000000U);
-}
-
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
- memcpy(ks->TK3, key + 32, sizeof(ks->TK3));
-#else
- /* Set the initial states of TK1, TK2, and TK3 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Set up the key schedule using TK2 and TK3. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4);
-
- /* Permute TK2 and TK3 for the next round */
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
-
- /* Apply the LFSR's to TK2 and TK3 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-#endif
-}
-
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0x15;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 
+ 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Permute TK1 to fast-forward it to the end of the key schedule */
- skinny128_fast_forward_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_fast_forward_tk(TK2);
- skinny128_fast_forward_tk(TK3);
- for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2 and TK3.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- skinny128_LFSR3(TK3[2]);
- skinny128_LFSR3(TK3[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_inv_permute_tk(TK3);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
- skinny128_LFSR2(TK3[2]);
- skinny128_LFSR2(TK3[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- 
le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
- TK2[0] = le_load_word32(tk2);
- TK2[1] = le_load_word32(tk2 + 4);
- TK2[2] = le_load_word32(tk2 + 8);
- TK2[3] = le_load_word32(tk2 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0] ^ TK2[0];
- s1 ^= schedule[1] ^ TK1[1] ^ TK2[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. 
That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK3);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t temp;
- unsigned round;
- uint8_t rc = 0;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakey */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this 
round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1, TK2, and TK3 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
-#else
- /* Set the initial states of TK1 and TK2 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Set up the key schedule using TK2. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ (rc >> 4);
-
- /* Permute TK2 for the next round */
- skinny128_permute_tk(TK2);
-
- /* Apply the LFSR to TK2 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-#endif
-}
-
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which 
moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0x09;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1.
- * There is no need to fast-forward TK1 because the value at
- * the end of the key schedule is the same as at the start */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_encrypt_tk_full
- (const unsigned char key[32], unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
- uint32_t temp;
- unsigned round;
- uint8_t rc = 0;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakey */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] 
= le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-#else /* __AVR__ */
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- memcpy(ks->TK2, tk2, 16);
- skinny_128_384_encrypt(ks, output, input);
-}
-
-#endif /* __AVR__ */
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-skinny128.h
deleted file mode 100644
index 2bfda3c..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-skinny128.h
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNY128_H
-#define LW_INTERNAL_SKINNY128_H
-
-/**
- * \file internal-skinny128.h
- * \brief SKINNY-128 block cipher family.
- *
- * References: https://eprint.iacr.org/2016/660.pdf,
- * https://sites.google.com/site/skinnycipher/
- */
-
-#include
-#include
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \def SKINNY_128_SMALL_SCHEDULE
- * \brief Defined to 1 to use the small key schedule version of SKINNY-128.
- */
-#if defined(__AVR__)
-#define SKINNY_128_SMALL_SCHEDULE 1
-#else
-#define SKINNY_128_SMALL_SCHEDULE 0
-#endif
-
-/**
- * \brief Size of a block for SKINNY-128 block ciphers.
- */
-#define SKINNY_128_BLOCK_SIZE 16
-
-/**
- * \brief Number of rounds for SKINNY-128-384.
- */
-#define SKINNY_128_384_ROUNDS 56
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-384.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-
- /** TK3 for the small key schedule */
- uint8_t TK3[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_384_ROUNDS * 2];
-#endif
-
-} skinny_128_384_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-384.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly
- * provided TK2 value.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tk2 TK2 value that should be updated on the fly.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when both TK1 and TK2 change from block to block.
- * When the key is initialized with skinny_128_384_init(), the TK2 part of
- * the key value should be set to zero.
- *
- * \note Some versions of this function may modify the key schedule to
- * copy tk2 into place.
- */
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 384-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-384 but
- * more memory-efficient.
- */
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Number of rounds for SKINNY-128-256.
- */
-#define SKINNY_128_256_ROUNDS 48
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-256.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_256_ROUNDS * 2];
-#endif
-
-} skinny_128_256_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-256.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 256-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-256 but
- * more memory-efficient.
- */
-void skinny_128_256_encrypt_tk_full
- (const unsigned char key[32], unsigned char *output,
- const unsigned char *input);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-skinnyutil.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-skinnyutil.h
deleted file mode 100644
index 83136cb..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-skinnyutil.h
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNYUTIL_H
-#define LW_INTERNAL_SKINNYUTIL_H
-
-/**
- * \file internal-skinnyutil.h
- * \brief Utilities to help implement SKINNY and its variants.
- */
-
-#include "internal-util.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** @cond skinnyutil */
-
-/* Utilities for implementing SKINNY-128 */
-
-#define skinny128_LFSR2(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \
- (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \
- } while (0)
-
-
-#define skinny128_LFSR3(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \
- (((_x << 7) ^ (_x << 1)) & 0x80808080U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x)
-#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x)
-
-#define skinny128_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint32_t row2 = tk[2]; \
- uint32_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 16) | (row3 >> 16); \
- tk[0] = ((row2 >> 8) & 0x000000FFU) | \
- ((row2 << 16) & 0x00FF0000U) | \
- ( row3 & 0xFF00FF00U); \
- tk[1] = ((row2 >> 16) & 0x000000FFU) | \
- (row2 & 0xFF000000U) | \
- ((row3 << 8) & 0x0000FF00U) | \
- ( row3 & 0x00FF0000U); \
- } while (0)
-
-#define skinny128_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint32_t row0 = tk[0]; \
- uint32_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 >> 16) & 0x000000FFU) | \
- ((row0 << 8) & 0x0000FF00U) | \
- ((row1 << 16) & 0x00FF0000U) | \
- ( row1 & 0xFF000000U); \
- tk[3] = ((row0 >> 16) & 0x0000FF00U) | \
- ((row0 << 16) & 0xFF000000U) | \
- ((row1 >> 16) & 0x000000FFU) | \
- ((row1 << 8) & 0x00FF0000U); \
- } while (0)
-
-/*
- * Apply the SKINNY sbox.
The original version from the specification is
- * equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE(x)
- * ((((x) & 0x01010101U) << 2) |
- * (((x) & 0x06060606U) << 5) |
- * (((x) & 0x20202020U) >> 5) |
- * (((x) & 0xC8C8C8C8U) >> 2) |
- * (((x) & 0x10101010U) >> 1))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * return SBOX_SWAP(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \
- y = (((x >> 5) & (x << 1)) & 0x04040404U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \
- x = ((x & 0x08080808U) << 1) | \
- ((x & 0x32323232U) << 2) | \
- ((x & 0x01010101U) << 5) | \
- ((x & 0x80808080U) >> 6) | \
- ((x & 0x40404040U) >> 4) | \
- ((x & 0x04040404U) >> 2); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY sbox.
The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE_INV(x)
- * ((((x) & 0x08080808U) << 1) |
- * (((x) & 0x32323232U) << 2) |
- * (((x) & 0x01010101U) << 5) |
- * (((x) & 0xC0C0C0C0U) >> 5) |
- * (((x) & 0x04040404U) >> 2))
- *
- * x = SBOX_SWAP(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_inv_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- y = (((x >> 1) & (x >> 3)) & 0x01010101U); \
- x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \
- y = (((x >> 6) & (x >> 1)) & 0x02020202U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \
- x = ((x & 0x01010101U) << 2) | \
- ((x & 0x04040404U) << 4) | \
- ((x & 0x02020202U) << 6) | \
- ((x & 0x20202020U) >> 5) | \
- ((x & 0xC8C8C8C8U) >> 2) | \
- ((x & 0x10101010U) >> 1); \
-} while (0)
-
-/* Utilities for implementing SKINNY-64 */
-
-#define skinny64_LFSR2(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \
- } while (0)
-
-#define skinny64_LFSR3(x) \
- do { \
- uint16_t _x = (x);
\
- (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x)
-#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x)
-
-#define skinny64_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint16_t row2 = tk[2]; \
- uint16_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 8) | (row3 >> 8); \
- tk[0] = ((row2 << 4) & 0xF000U) | \
- ((row2 >> 8) & 0x00F0U) | \
- ( row3 & 0x0F0FU); \
- tk[1] = ((row2 << 8) & 0xF000U) | \
- ((row3 >> 4) & 0x0F00U) | \
- ( row3 & 0x00F0U) | \
- ( row2 & 0x000FU); \
- } while (0)
-
-#define skinny64_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint16_t row0 = tk[0]; \
- uint16_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 << 8) & 0xF000U) | \
- ((row0 >> 4) & 0x0F00U) | \
- ((row1 >> 8) & 0x00F0U) | \
- ( row1 & 0x000FU); \
- tk[3] = ((row1 << 8) & 0xF000U) | \
- ((row0 << 8) & 0x0F00U) | \
- ((row1 >> 4) & 0x00F0U) | \
- ((row0 >> 8) & 0x000FU); \
- } while (0)
-
-/*
- * Apply the SKINNY-64 sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT(x)
- * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_SHIFT steps to be performed with one final rotation.
- * This reduces the number of required shift operations from 14 to 10.
- *
- * We can further reduce the number of NOT operations from 4 to 2
- * using the technique from https://github.com/kste/skinny_avx to
- * convert NOR-XOR operations into AND-XOR operations by converting
- * the S-box into its NOT-inverse.
- */
-#define skinny64_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \
- x = ~x; \
- x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY-64 sbox. The original version
- * from the specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT_INV(x)
- * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * return SBOX_MIX(x);
- */
-#define skinny64_inv_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = ~x; \
- x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \
-} while (0)
-
-/** @endcond */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
-
(((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
-
do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time.
This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate
by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define
rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a)
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/skinny-aead.c deleted file mode 100644 index 7558527..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/skinny-aead.c +++ /dev/null 
@@ -1,804 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "skinny-aead.h" -#include "internal-skinny128.h" -#include "internal-util.h" -#include - -aead_cipher_t const skinny_aead_m1_cipher = { - "SKINNY-AEAD-M1", - SKINNY_AEAD_KEY_SIZE, - SKINNY_AEAD_M1_NONCE_SIZE, - SKINNY_AEAD_M1_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - skinny_aead_m1_encrypt, - skinny_aead_m1_decrypt -}; - -aead_cipher_t const skinny_aead_m2_cipher = { - "SKINNY-AEAD-M2", - SKINNY_AEAD_KEY_SIZE, - SKINNY_AEAD_M2_NONCE_SIZE, - SKINNY_AEAD_M2_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - skinny_aead_m2_encrypt, - skinny_aead_m2_decrypt -}; - -aead_cipher_t const skinny_aead_m3_cipher = { - "SKINNY-AEAD-M3", - SKINNY_AEAD_KEY_SIZE, - SKINNY_AEAD_M3_NONCE_SIZE, - SKINNY_AEAD_M3_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - skinny_aead_m3_encrypt, - skinny_aead_m3_decrypt -}; - -aead_cipher_t const skinny_aead_m4_cipher = { - "SKINNY-AEAD-M4", - SKINNY_AEAD_KEY_SIZE, - SKINNY_AEAD_M4_NONCE_SIZE, - SKINNY_AEAD_M4_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - skinny_aead_m4_encrypt, - skinny_aead_m4_decrypt -}; - -aead_cipher_t const skinny_aead_m5_cipher = { - "SKINNY-AEAD-M5", - SKINNY_AEAD_KEY_SIZE, - SKINNY_AEAD_M5_NONCE_SIZE, - SKINNY_AEAD_M5_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - skinny_aead_m5_encrypt, - skinny_aead_m5_decrypt -}; - -aead_cipher_t const skinny_aead_m6_cipher = { - "SKINNY-AEAD-M6", - SKINNY_AEAD_KEY_SIZE, - SKINNY_AEAD_M6_NONCE_SIZE, - SKINNY_AEAD_M6_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - skinny_aead_m6_encrypt, - skinny_aead_m6_decrypt -}; - -/* Domain separator prefixes for all of the SKINNY-AEAD family members */ -#define DOMAIN_SEP_M1 0x00 -#define DOMAIN_SEP_M2 0x10 -#define DOMAIN_SEP_M3 0x08 -#define DOMAIN_SEP_M4 0x18 -#define DOMAIN_SEP_M5 0x10 -#define DOMAIN_SEP_M6 0x18 - -/** - * \brief Initialize the key and nonce for SKINNY-128-384 based AEAD schemes. - * - * \param ks The key schedule to initialize. - * \param key Points to the 16 bytes of the key. - * \param nonce Points to the nonce. 
- * \param nonce_len Length of the nonce in bytes. - */ -static void skinny_aead_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - const unsigned char *nonce, unsigned nonce_len) -{ - unsigned char k[48]; - memset(k, 0, 16); - memcpy(k + 16, nonce, nonce_len); - memset(k + 16 + nonce_len, 0, 16 - nonce_len); - memcpy(k + 32, key, 16); - skinny_128_384_init(ks, k); -} - -/** - * \brief Set the domain separation value in the tweak for SKINNY-128-384. - * - * \param ks Key schedule for the block cipher. - * \param d Domain separation value to write into the tweak. - */ -#define skinny_aead_128_384_set_domain(ks,d) ((ks)->TK1[15] = (d)) - -/** - * \brief Sets the LFSR field in the tweak for SKINNY-128-384. - * - * \param ks Key schedule for the block cipher. - * \param lfsr 64-bit LFSR value. - */ -#define skinny_aead_128_384_set_lfsr(ks,lfsr) le_store_word64((ks)->TK1, (lfsr)) - -/** - * \brief Updates the LFSR value for SKINNY-128-384. - * - * \param lfsr 64-bit LFSR value to be updated. - */ -#define skinny_aead_128_384_update_lfsr(lfsr) \ - do { \ - uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \ - (lfsr) = ((lfsr) << 1) ^ feedback; \ - } while (0) - -/** - * \brief Authenticates the associated data for a SKINNY-128-384 based AEAD. - * - * \param ks The key schedule to use. - * \param prefix Domain separation prefix for the family member. - * \param tag Final tag to XOR the authentication checksum into. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. 
- */ -static void skinny_aead_128_384_authenticate - (skinny_128_384_key_schedule_t *ks, unsigned char prefix, - unsigned char tag[SKINNY_128_BLOCK_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char block[SKINNY_128_BLOCK_SIZE]; - uint64_t lfsr = 1; - skinny_aead_128_384_set_domain(ks, prefix | 2); - while (adlen >= SKINNY_128_BLOCK_SIZE) { - skinny_aead_128_384_set_lfsr(ks, lfsr); - skinny_128_384_encrypt(ks, block, ad); - lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); - ad += SKINNY_128_BLOCK_SIZE; - adlen -= SKINNY_128_BLOCK_SIZE; - skinny_aead_128_384_update_lfsr(lfsr); - } - if (adlen > 0) { - unsigned temp = (unsigned)adlen; - skinny_aead_128_384_set_lfsr(ks, lfsr); - skinny_aead_128_384_set_domain(ks, prefix | 3); - memcpy(block, ad, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); - skinny_128_384_encrypt(ks, block, block); - lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); - } -} - -/** - * \brief Encrypts the plaintext for a SKINNY-128-384 based AEAD. - * - * \param ks The key schedule to use. - * \param prefix Domain separation prefix for the family member. - * \param sum Authenticated checksum over the plaintext. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the plaintext buffer. - * \param mlen Number of bytes of plaintext to be encrypted. 
- */ -static void skinny_aead_128_384_encrypt - (skinny_128_384_key_schedule_t *ks, unsigned char prefix, - unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, - const unsigned char *m, unsigned long long mlen) -{ - unsigned char block[SKINNY_128_BLOCK_SIZE]; - uint64_t lfsr = 1; - memset(sum, 0, SKINNY_128_BLOCK_SIZE); - skinny_aead_128_384_set_domain(ks, prefix | 0); - while (mlen >= SKINNY_128_BLOCK_SIZE) { - skinny_aead_128_384_set_lfsr(ks, lfsr); - lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); - skinny_128_384_encrypt(ks, c, m); - c += SKINNY_128_BLOCK_SIZE; - m += SKINNY_128_BLOCK_SIZE; - mlen -= SKINNY_128_BLOCK_SIZE; - skinny_aead_128_384_update_lfsr(lfsr); - } - skinny_aead_128_384_set_lfsr(ks, lfsr); - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - skinny_aead_128_384_set_domain(ks, prefix | 1); - lw_xor_block(sum, m, temp); - sum[temp] ^= 0x80; - memset(block, 0, SKINNY_128_BLOCK_SIZE); - skinny_128_384_encrypt(ks, block, block); - lw_xor_block_2_src(c, block, m, temp); - skinny_aead_128_384_update_lfsr(lfsr); - skinny_aead_128_384_set_lfsr(ks, lfsr); - skinny_aead_128_384_set_domain(ks, prefix | 5); - } else { - skinny_aead_128_384_set_domain(ks, prefix | 4); - } - skinny_128_384_encrypt(ks, sum, sum); -} - -/** - * \brief Decrypts the ciphertext for a SKINNY-128-384 based AEAD. - * - * \param ks The key schedule to use. - * \param prefix Domain separation prefix for the family member. - * \param sum Authenticated checksum over the plaintext. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the ciphertext buffer. - * \param mlen Number of bytes of ciphertext to be decrypted. 
- */ -static void skinny_aead_128_384_decrypt - (skinny_128_384_key_schedule_t *ks, unsigned char prefix, - unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, - const unsigned char *c, unsigned long long mlen) -{ - unsigned char block[SKINNY_128_BLOCK_SIZE]; - uint64_t lfsr = 1; - memset(sum, 0, SKINNY_128_BLOCK_SIZE); - skinny_aead_128_384_set_domain(ks, prefix | 0); - while (mlen >= SKINNY_128_BLOCK_SIZE) { - skinny_aead_128_384_set_lfsr(ks, lfsr); - skinny_128_384_decrypt(ks, m, c); - lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); - c += SKINNY_128_BLOCK_SIZE; - m += SKINNY_128_BLOCK_SIZE; - mlen -= SKINNY_128_BLOCK_SIZE; - skinny_aead_128_384_update_lfsr(lfsr); - } - skinny_aead_128_384_set_lfsr(ks, lfsr); - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - skinny_aead_128_384_set_domain(ks, prefix | 1); - memset(block, 0, SKINNY_128_BLOCK_SIZE); - skinny_128_384_encrypt(ks, block, block); - lw_xor_block_2_src(m, block, c, temp); - lw_xor_block(sum, m, temp); - sum[temp] ^= 0x80; - skinny_aead_128_384_update_lfsr(lfsr); - skinny_aead_128_384_set_lfsr(ks, lfsr); - skinny_aead_128_384_set_domain(ks, prefix | 5); - } else { - skinny_aead_128_384_set_domain(ks, prefix | 4); - } - skinny_128_384_encrypt(ks, sum, sum); -} - -int skinny_aead_m1_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SKINNY_AEAD_M1_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); - - /* Encrypt to plaintext to produce the ciphertext */ - skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M1, sum, c, m, mlen); - - /* Process the associated data */ - 
skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); - - /* Generate the authentication tag */ - memcpy(c + mlen, sum, SKINNY_AEAD_M1_TAG_SIZE); - return 0; -} - -int skinny_aead_m1_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SKINNY_AEAD_M1_TAG_SIZE) - return -1; - *mlen = clen - SKINNY_AEAD_M1_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); - - /* Decrypt to ciphertext to produce the plaintext */ - skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M1, sum, m, c, *mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M1_TAG_SIZE); -} - -int skinny_aead_m2_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SKINNY_AEAD_M2_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); - - /* Encrypt to plaintext to produce the ciphertext */ - skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M2, sum, c, m, mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, 
adlen); - - /* Generate the authentication tag */ - memcpy(c + mlen, sum, SKINNY_AEAD_M2_TAG_SIZE); - return 0; -} - -int skinny_aead_m2_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SKINNY_AEAD_M2_TAG_SIZE) - return -1; - *mlen = clen - SKINNY_AEAD_M2_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); - - /* Decrypt to ciphertext to produce the plaintext */ - skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M2, sum, m, c, *mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M2_TAG_SIZE); -} - -int skinny_aead_m3_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SKINNY_AEAD_M3_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); - - /* Encrypt to plaintext to produce the ciphertext */ - skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M3, sum, c, m, mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); - - /* Generate the authentication tag */ - memcpy(c + 
mlen, sum, SKINNY_AEAD_M3_TAG_SIZE); - return 0; -} - -int skinny_aead_m3_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SKINNY_AEAD_M3_TAG_SIZE) - return -1; - *mlen = clen - SKINNY_AEAD_M3_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); - - /* Decrypt to ciphertext to produce the plaintext */ - skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M3, sum, m, c, *mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M3_TAG_SIZE); -} - -int skinny_aead_m4_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SKINNY_AEAD_M4_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); - - /* Encrypt to plaintext to produce the ciphertext */ - skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M4, sum, c, m, mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); - - /* Generate the authentication tag */ - memcpy(c + mlen, sum, SKINNY_AEAD_M4_TAG_SIZE); - return 0; -} - -int 
skinny_aead_m4_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SKINNY_AEAD_M4_TAG_SIZE) - return -1; - *mlen = clen - SKINNY_AEAD_M4_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); - - /* Decrypt to ciphertext to produce the plaintext */ - skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M4, sum, m, c, *mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M4_TAG_SIZE); -} - -/** - * \brief Initialize the key and nonce for SKINNY-128-256 based AEAD schemes. - * - * \param ks The key schedule to initialize. - * \param key Points to the 16 bytes of the key. - * \param nonce Points to the nonce. - * \param nonce_len Length of the nonce in bytes. - */ -static void skinny_aead_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - const unsigned char *nonce, unsigned nonce_len) -{ - unsigned char k[32]; - memset(k, 0, 16 - nonce_len); - memcpy(k + 16 - nonce_len, nonce, nonce_len); - memcpy(k + 16, key, 16); - skinny_128_256_init(ks, k); -} - -/** - * \brief Set the domain separation value in the tweak for SKINNY-128-256. - * - * \param ks Key schedule for the block cipher. - * \param d Domain separation value to write into the tweak. - */ -#define skinny_aead_128_256_set_domain(ks,d) ((ks)->TK1[3] = (d)) - -/** - * \brief Sets the LFSR field in the tweak for SKINNY-128-256. - * - * \param ks Key schedule for the block cipher. 
- * \param lfsr 24-bit LFSR value. - */ -#define skinny_aead_128_256_set_lfsr(ks,lfsr) \ - do { \ - (ks)->TK1[0] = (uint8_t)(lfsr); \ - (ks)->TK1[1] = (uint8_t)((lfsr) >> 8); \ - (ks)->TK1[2] = (uint8_t)((lfsr) >> 16); \ - } while (0) - -/** - * \brief Updates the LFSR value for SKINNY-128-256. - * - * \param lfsr 24-bit LFSR value to be updated. - */ -#define skinny_aead_128_256_update_lfsr(lfsr) \ - do { \ - uint32_t feedback = ((lfsr) & (((uint32_t)1) << 23)) ? 0x1B : 0x00; \ - (lfsr) = ((lfsr) << 1) ^ (feedback); \ - } while (0) - -/** - * \brief Authenticates the associated data for a SKINNY-128-256 based AEAD. - * - * \param ks The key schedule to use. - * \param prefix Domain separation prefix for the family member. - * \param tag Final tag to XOR the authentication checksum into. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - */ -static void skinny_aead_128_256_authenticate - (skinny_128_256_key_schedule_t *ks, unsigned char prefix, - unsigned char tag[SKINNY_128_BLOCK_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char block[SKINNY_128_BLOCK_SIZE]; - uint32_t lfsr = 1; - skinny_aead_128_256_set_domain(ks, prefix | 2); - while (adlen >= SKINNY_128_BLOCK_SIZE) { - skinny_aead_128_256_set_lfsr(ks, lfsr); - skinny_128_256_encrypt(ks, block, ad); - lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); - ad += SKINNY_128_BLOCK_SIZE; - adlen -= SKINNY_128_BLOCK_SIZE; - skinny_aead_128_256_update_lfsr(lfsr); - } - if (adlen > 0) { - unsigned temp = (unsigned)adlen; - skinny_aead_128_256_set_lfsr(ks, lfsr); - skinny_aead_128_256_set_domain(ks, prefix | 3); - memcpy(block, ad, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); - skinny_128_256_encrypt(ks, block, block); - lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); - } -} - -/** - * \brief Encrypts the plaintext for a SKINNY-128-256 based AEAD. - * - * \param ks The key schedule to use. 
- * \param prefix Domain separation prefix for the family member. - * \param sum Authenticated checksum over the plaintext. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the plaintext buffer. - * \param mlen Number of bytes of plaintext to be encrypted. - */ -static void skinny_aead_128_256_encrypt - (skinny_128_256_key_schedule_t *ks, unsigned char prefix, - unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, - const unsigned char *m, unsigned long long mlen) -{ - unsigned char block[SKINNY_128_BLOCK_SIZE]; - uint32_t lfsr = 1; - memset(sum, 0, SKINNY_128_BLOCK_SIZE); - skinny_aead_128_256_set_domain(ks, prefix | 0); - while (mlen >= SKINNY_128_BLOCK_SIZE) { - skinny_aead_128_256_set_lfsr(ks, lfsr); - lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); - skinny_128_256_encrypt(ks, c, m); - c += SKINNY_128_BLOCK_SIZE; - m += SKINNY_128_BLOCK_SIZE; - mlen -= SKINNY_128_BLOCK_SIZE; - skinny_aead_128_256_update_lfsr(lfsr); - } - skinny_aead_128_256_set_lfsr(ks, lfsr); - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - skinny_aead_128_256_set_domain(ks, prefix | 1); - lw_xor_block(sum, m, temp); - sum[temp] ^= 0x80; - memset(block, 0, SKINNY_128_BLOCK_SIZE); - skinny_128_256_encrypt(ks, block, block); - lw_xor_block_2_src(c, block, m, temp); - skinny_aead_128_256_update_lfsr(lfsr); - skinny_aead_128_256_set_lfsr(ks, lfsr); - skinny_aead_128_256_set_domain(ks, prefix | 5); - } else { - skinny_aead_128_256_set_domain(ks, prefix | 4); - } - skinny_128_256_encrypt(ks, sum, sum); -} - -/** - * \brief Decrypts the ciphertext for a SKINNY-128-256 based AEAD. - * - * \param ks The key schedule to use. - * \param prefix Domain separation prefix for the family member. - * \param sum Authenticated checksum over the plaintext. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the ciphertext buffer. - * \param mlen Number of bytes of ciphertext to be decrypted. 
- */ -static void skinny_aead_128_256_decrypt - (skinny_128_256_key_schedule_t *ks, unsigned char prefix, - unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, - const unsigned char *c, unsigned long long mlen) -{ - unsigned char block[SKINNY_128_BLOCK_SIZE]; - uint32_t lfsr = 1; - memset(sum, 0, SKINNY_128_BLOCK_SIZE); - skinny_aead_128_256_set_domain(ks, prefix | 0); - while (mlen >= SKINNY_128_BLOCK_SIZE) { - skinny_aead_128_256_set_lfsr(ks, lfsr); - skinny_128_256_decrypt(ks, m, c); - lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); - c += SKINNY_128_BLOCK_SIZE; - m += SKINNY_128_BLOCK_SIZE; - mlen -= SKINNY_128_BLOCK_SIZE; - skinny_aead_128_256_update_lfsr(lfsr); - } - skinny_aead_128_256_set_lfsr(ks, lfsr); - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - skinny_aead_128_256_set_domain(ks, prefix | 1); - memset(block, 0, SKINNY_128_BLOCK_SIZE); - skinny_128_256_encrypt(ks, block, block); - lw_xor_block_2_src(m, block, c, temp); - lw_xor_block(sum, m, temp); - sum[temp] ^= 0x80; - skinny_aead_128_256_update_lfsr(lfsr); - skinny_aead_128_256_set_lfsr(ks, lfsr); - skinny_aead_128_256_set_domain(ks, prefix | 5); - } else { - skinny_aead_128_256_set_domain(ks, prefix | 4); - } - skinny_128_256_encrypt(ks, sum, sum); -} - -int skinny_aead_m5_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SKINNY_AEAD_M5_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); - - /* Encrypt to plaintext to produce the ciphertext */ - skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M5, sum, c, m, mlen); - - /* Process the associated data */ - 
skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); - - /* Generate the authentication tag */ - memcpy(c + mlen, sum, SKINNY_AEAD_M5_TAG_SIZE); - return 0; -} - -int skinny_aead_m5_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SKINNY_AEAD_M5_TAG_SIZE) - return -1; - *mlen = clen - SKINNY_AEAD_M5_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); - - /* Decrypt to ciphertext to produce the plaintext */ - skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M5, sum, m, c, *mlen); - - /* Process the associated data */ - skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M5_TAG_SIZE); -} - -int skinny_aead_m6_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SKINNY_AEAD_M6_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); - - /* Encrypt to plaintext to produce the ciphertext */ - skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M6, sum, c, m, mlen); - - /* Process the associated data */ - skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, 
adlen); - - /* Generate the authentication tag */ - memcpy(c + mlen, sum, SKINNY_AEAD_M6_TAG_SIZE); - return 0; -} - -int skinny_aead_m6_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SKINNY_AEAD_M6_TAG_SIZE) - return -1; - *mlen = clen - SKINNY_AEAD_M6_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); - - /* Decrypt to ciphertext to produce the plaintext */ - skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M6, sum, m, c, *mlen); - - /* Process the associated data */ - skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M6_TAG_SIZE); -} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/skinny-aead.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/skinny-aead.h deleted file mode 100644 index c6b54fb..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys-avr/skinny-aead.h +++ /dev/null 
@@ -1,518 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SKINNY_AEAD_H
-#define LWCRYPTO_SKINNY_AEAD_H
-
-#include "aead-common.h"
-
-/**
- * \file skinny-aead.h
- * \brief Authenticated encryption based on the SKINNY block cipher.
- *
- * SKINNY-AEAD is a family of authenticated encryption algorithms
- * that are built around the SKINNY tweakable block cipher. There
- * are six members in the family:
- *
- * \li SKINNY-AEAD-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher. This is the
- * primary member of the family.
- * \li SKINNY-AEAD-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M3 has a 128-bit key, a 128-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M4 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M5 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- * \li SKINNY-AEAD-M6 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- *
- * The SKINNY-AEAD family also includes two hash algorithms:
- *
- * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the
- * SKINNY-128-384 tweakable block cipher. This is the primary hashing
- * member of the family.
- * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the
- * SKINNY-128-256 tweakable block cipher.
- *
- * References: https://sites.google.com/site/skinnycipher/home
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for all SKINNY-AEAD family members.
- */
-#define SKINNY_AEAD_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M1.
- */
-#define SKINNY_AEAD_M1_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M1.
- */
-#define SKINNY_AEAD_M1_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M2.
- */
-#define SKINNY_AEAD_M2_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M2.
- */
-#define SKINNY_AEAD_M2_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M3.
- */
-#define SKINNY_AEAD_M3_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M3.
- */
-#define SKINNY_AEAD_M3_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M4.
- */
-#define SKINNY_AEAD_M4_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M4.
- */
-#define SKINNY_AEAD_M4_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M5.
- */
-#define SKINNY_AEAD_M5_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M5.
- */
-#define SKINNY_AEAD_M5_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M6.
- */
-#define SKINNY_AEAD_M6_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M6.
- */
-#define SKINNY_AEAD_M6_NONCE_SIZE 12
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M1 cipher.
- */
-extern aead_cipher_t const skinny_aead_m1_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M2 cipher.
- */
-extern aead_cipher_t const skinny_aead_m2_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M3 cipher.
- */
-extern aead_cipher_t const skinny_aead_m3_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M4 cipher.
- */
-extern aead_cipher_t const skinny_aead_m4_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M5 cipher.
- */
-extern aead_cipher_t const skinny_aead_m5_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M6 cipher.
- */
-extern aead_cipher_t const skinny_aead_m6_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M1.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m1_decrypt()
- */
-int skinny_aead_m1_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M1.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m1_encrypt()
- */
-int skinny_aead_m1_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M2.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m2_decrypt()
- */
-int skinny_aead_m2_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M2.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m2_encrypt()
- */
-int skinny_aead_m2_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M3.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m3_decrypt()
- */
-int skinny_aead_m3_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M3.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m3_encrypt()
- */
-int skinny_aead_m3_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M4.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m4_decrypt()
- */
-int skinny_aead_m4_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M4.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m4_encrypt()
- */
-int skinny_aead_m4_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M5.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m5_decrypt()
- */
-int skinny_aead_m5_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M5.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m5_encrypt()
- */
-int skinny_aead_m5_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M6.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m6_decrypt()
- */
-int skinny_aead_m6_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M6.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m6_encrypt()
- */
-int skinny_aead_m6_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-skinny128-avr.S b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128-avr.S
similarity index 100%
rename from skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-skinny128-avr.S
rename to skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128-avr.S
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.c
index 65ba4ed..579ced1 100644
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.c
+++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.c
@@ -25,6 +25,8 @@
 #include "internal-util.h"
 #include
+#if !defined(__AVR__)
+
 STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
 {
 /* This function is used to fast-forward the TK1 tweak value
@@ -55,42 +57,33 @@ STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
 ((row3 << 24) & 0xFF000000U);
 }
-int skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char *key,
- size_t key_len)
+void skinny_128_384_init
+ (skinny_128_384_key_schedule_t *ks, const unsigned char key[48])
 {
+#if !SKINNY_128_SMALL_SCHEDULE
 uint32_t TK2[4];
 uint32_t TK3[4];
 uint32_t *schedule;
 unsigned round;
 uint8_t rc;
-
- /* Validate the parameters */
- if (!ks || !key || (key_len != 32 && key_len != 48))
- return 0;
-
+#endif
+
+#if SKINNY_128_SMALL_SCHEDULE
+ /* Copy the input key as-is when using the small key schedule version */
+ memcpy(ks->TK1, key, sizeof(ks->TK1));
+ memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
+ memcpy(ks->TK3, key + 32, sizeof(ks->TK3));
+#else
 /* Set the initial states of TK1, TK2, and TK3 */
- if (key_len == 32) {
- memset(ks->TK1, 0, sizeof(ks->TK1));
- TK2[0] = le_load_word32(key);
- TK2[1] = le_load_word32(key + 4);
- TK2[2] = le_load_word32(key + 8);
- TK2[3] = le_load_word32(key + 12);
- TK3[0] = le_load_word32(key + 16);
- TK3[1] = le_load_word32(key + 20);
- TK3[2] = le_load_word32(key + 24);
- TK3[3] = le_load_word32(key + 28);
- } else {
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
- }
+ memcpy(ks->TK1, key, 16);
+ TK2[0] = le_load_word32(key + 16);
+ TK2[1] = le_load_word32(key + 20);
+ TK2[2] = le_load_word32(key + 24);
+ TK2[3] = le_load_word32(key + 28);
+ TK3[0] = le_load_word32(key + 32);
+ TK3[1] = le_load_word32(key + 36);
+ TK3[2] = le_load_word32(key + 40);
+ TK3[3] = le_load_word32(key + 44);
 /* Set up the key schedule using TK2 and TK3. TK1 is not added
 * to the key schedule because we will derive that part of the
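Review bot: The rewritten `skinny_128_384_init` drops the `key_len` check together with the 32-byte (TK1-zeroed) form of the key, so any caller still handing in a 32-byte buffer now reads 16 bytes past its end in `memcpy(ks->TK3, key + 32, ...)` and `le_load_word32(key + 32 .. 44)`, and the `key[48]` array parameter gives C nothing to enforce. Every user of the old two-length API must have been updated in this same commit for that to be safe; none of them are visible from this hunk. The contract that used to be checked at runtime should at least be stated on the new signature, e.g. `/* key: exactly 48 bytes, TK1 || TK2 || TK3. The former 32-byte form (TK1 zeroed) is no longer accepted. */`. The `!ks || !key` guard is gone as well, so a NULL argument now faults instead of returning 0. The function continues past the end of this hunk.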
@@ -116,20 +109,7 @@ int skinny_128_384_init
 skinny128_LFSR3(TK3[0]);
 skinny128_LFSR3(TK3[1]);
 }
- return 1;
-}
-
-int skinny_128_384_set_tweak
- (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak,
- size_t tweak_len)
-{
- /* Validate the parameters */
- if (!ks || !tweak || tweak_len != 16)
- return 0;
-
- /* Set TK1 directly from the tweak value */
- memcpy(ks->TK1, tweak, 16);
- return 1;
+#endif
 }
 void skinny_128_384_encrypt
@@ -138,7 +118,13 @@ void skinny_128_384_encrypt
 {
 uint32_t s0, s1, s2, s3;
 uint32_t TK1[4];
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint32_t TK3[4];
+ uint8_t rc = 0;
+#else
 const uint32_t *schedule = ks->k;
+#endif
 uint32_t temp;
 unsigned round;
@@ -148,14 +134,24 @@ void skinny_128_384_encrypt
 s2 = le_load_word32(input + 8);
 s3 = le_load_word32(input + 12);
- /* Make a local copy of the tweakable part of the state, TK1 */
+ /* Make a local copy of the tweakable part of the state */
 TK1[0] = le_load_word32(ks->TK1);
 TK1[1] = le_load_word32(ks->TK1 + 4);
 TK1[2] = le_load_word32(ks->TK1 + 8);
 TK1[3] = le_load_word32(ks->TK1 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK2[0] = le_load_word32(ks->TK2);
+ TK2[1] = le_load_word32(ks->TK2 + 4);
+ TK2[2] = le_load_word32(ks->TK2 + 8);
+ TK2[3] = le_load_word32(ks->TK2 + 12);
+ TK3[0] = le_load_word32(ks->TK3);
+ TK3[1] = le_load_word32(ks->TK3 + 4);
+ TK3[2] = le_load_word32(ks->TK3 + 8);
+ TK3[3] = le_load_word32(ks->TK3 + 12);
+#endif
 /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
+ for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
 /* Apply the S-box to all bytes in the state */
 skinny128_sbox(s0);
 skinny128_sbox(s1);
@@ -163,8 +159,15 @@ void skinny_128_384_encrypt
 skinny128_sbox(s3);
 /* Apply the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
+#else
 s0 ^= schedule[0] ^ TK1[0];
 s1 ^= schedule[1] ^ TK1[1];
+#endif
 s2 ^= 0x02;
 /* Shift the cells in the rows right, which moves the cell
@@ -185,6 +188,16 @@ void skinny_128_384_encrypt
 /* Permute TK1 for the next round */
 skinny128_permute_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_permute_tk(TK2);
+ skinny128_permute_tk(TK3);
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+#else
+ schedule += 2;
+#endif
 }
 /* Pack the result into the output buffer */
@@ -200,7 +213,13 @@ void skinny_128_384_decrypt
 {
 uint32_t s0, s1, s2, s3;
 uint32_t TK1[4];
- const uint32_t *schedule;
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint32_t TK3[4];
+ uint8_t rc = 0x15;
+#else
+ const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
+#endif
 uint32_t temp;
 unsigned round;
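Review bot: `uint8_t rc = 0x15;` in the small-schedule branch of `skinny_128_384_decrypt` is an unexplained magic value; by my reading of the SKINNY round-constant table it is the LFSR state one step past round SKINNY_128_384_ROUNDS (the round-57 constant), chosen so that the inverse step `rc = (rc >> 1) ^ ...` performed before each subkey XOR yields the round-56 constant first. Anyone auditing this against the spec has to rederive that, so the initializer should say it: `uint8_t rc = 0x15; /* LFSR state after ROUNDS+1 steps; stepped back once before first use */`. The same reasoning applies to the 256-bit decrypt's initializer further down. `skinny_128_384_decrypt` continues beyond this hunk.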
@@ -215,15 +234,47 @@ void skinny_128_384_decrypt
 TK1[1] = le_load_word32(ks->TK1 + 4);
 TK1[2] = le_load_word32(ks->TK1 + 8);
 TK1[3] = le_load_word32(ks->TK1 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK2[0] = le_load_word32(ks->TK2);
+ TK2[1] = le_load_word32(ks->TK2 + 4);
+ TK2[2] = le_load_word32(ks->TK2 + 8);
+ TK2[3] = le_load_word32(ks->TK2 + 12);
+ TK3[0] = le_load_word32(ks->TK3);
+ TK3[1] = le_load_word32(ks->TK3 + 4);
+ TK3[2] = le_load_word32(ks->TK3 + 8);
+ TK3[3] = le_load_word32(ks->TK3 + 12);
+#endif
 /* Permute TK1 to fast-forward it to the end of the key schedule */
 skinny128_fast_forward_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_fast_forward_tk(TK2);
+ skinny128_fast_forward_tk(TK3);
+ for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) {
+ // Also fast-forward the LFSR's on every byte of TK2 and TK3.
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ skinny128_LFSR2(TK2[2]);
+ skinny128_LFSR2(TK2[3]);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+ skinny128_LFSR3(TK3[2]);
+ skinny128_LFSR3(TK3[3]);
+ }
+#endif
 /* Perform all decryption rounds */
- schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) {
+ for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
 /* Inverse permutation on TK1 for this round */
 skinny128_inv_permute_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_inv_permute_tk(TK2);
+ skinny128_inv_permute_tk(TK3);
+ skinny128_LFSR3(TK2[2]);
+ skinny128_LFSR3(TK2[3]);
+ skinny128_LFSR2(TK3[2]);
+ skinny128_LFSR2(TK3[3]);
+#endif
 /* Inverse mix of the columns */
 temp = s3;
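Review bot: The fast-forward loop added after `skinny128_fast_forward_tk(TK3);` uses a `//` comment in a file that otherwise uses `/* */` everywhere, and the comment does not say why the loop counts by two. If, as in the SKINNY specification, the tweakey permutation swaps the two halves every round, each cell is LFSR'd on every other round and ROUNDS/2 steps per cell is exactly right; that is the fact a reader needs, so I would replace the comment with `/* Each TK2/TK3 cell is LFSR'd on every other round, so ROUNDS/2 steps bring them to their end-of-schedule state */`. It is also worth one sentence noting that this recomputation runs on every decrypt call, since that is the cost the small-schedule build trades for RAM. `skinny_128_384_decrypt` starts before this hunk and ends after it.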
@@ -240,8 +291,15 @@ void skinny_128_384_decrypt
 s3 = leftRotate8(s3);
 /* Apply the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
+ s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
+#else
 s0 ^= schedule[0] ^ TK1[0];
 s1 ^= schedule[1] ^ TK1[1];
+ schedule -= 2;
+#endif
 s2 ^= 0x02;
 /* Apply the inverse of the S-box to all bytes in the state */
@@ -259,13 +317,18 @@ void skinny_128_384_decrypt
 }
 void skinny_128_384_encrypt_tk2
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ (skinny_128_384_key_schedule_t *ks, unsigned char *output,
 const unsigned char *input, const unsigned char *tk2)
 {
 uint32_t s0, s1, s2, s3;
 uint32_t TK1[4];
 uint32_t TK2[4];
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK3[4];
+ uint8_t rc = 0;
+#else
 const uint32_t *schedule = ks->k;
+#endif
 uint32_t temp;
 unsigned round;
@@ -275,7 +338,7 @@ void skinny_128_384_encrypt_tk2
 s2 = le_load_word32(input + 8);
 s3 = le_load_word32(input + 12);
- /* Make a local copy of the tweakable part of the state, TK1/TK2 */
+ /* Make a local copy of the tweakable part of the state */
 TK1[0] = le_load_word32(ks->TK1);
 TK1[1] = le_load_word32(ks->TK1 + 4);
 TK1[2] = le_load_word32(ks->TK1 + 8);
@@ -284,9 +347,15 @@ void skinny_128_384_encrypt_tk2
 TK2[1] = le_load_word32(tk2 + 4);
 TK2[2] = le_load_word32(tk2 + 8);
 TK2[3] = le_load_word32(tk2 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK3[0] = le_load_word32(ks->TK3);
+ TK3[1] = le_load_word32(ks->TK3 + 4);
+ TK3[2] = le_load_word32(ks->TK3 + 8);
+ TK3[3] = le_load_word32(ks->TK3 + 12);
+#endif
 /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
+ for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
 /* Apply the S-box to all bytes in the state */
 skinny128_sbox(s0);
 skinny128_sbox(s1);
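Review bot: `skinny_128_384_encrypt_tk2` loses the `const` on its `ks` parameter in the `@@ -259,13 +317,18 @@` hunk, yet everything visible in the new body only reads `ks->TK1`, `ks->TK3` and `ks->k`; callers holding a `const skinny_128_384_key_schedule_t *` will now fail to compile, and the read-only guarantee on the schedule is gone for no visible reason. Unless the AVR assembly implementation (not in view) genuinely writes to the schedule, restore `(const skinny_128_384_key_schedule_t *ks, unsigned char *output,`. If a mutable schedule is intentional, the header comment for this function should say which fields are modified, because a caller sharing one schedule across threads or across encrypt/decrypt would need to know. The function continues beyond this hunk.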
@@ -294,8 +363,15 @@ void skinny_128_384_encrypt_tk2
 skinny128_sbox(s3);
 /* Apply the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
+#else
 s0 ^= schedule[0] ^ TK1[0] ^ TK2[0];
 s1 ^= schedule[1] ^ TK1[1] ^ TK2[1];
+#endif
 s2 ^= 0x02;
 /* Shift the cells in the rows right, which moves the cell
@@ -319,6 +395,13 @@ void skinny_128_384_encrypt_tk2
 skinny128_permute_tk(TK2);
 skinny128_LFSR2(TK2[0]);
 skinny128_LFSR2(TK2[1]);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_permute_tk(TK3);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+#else
+ schedule += 2;
+#endif
 }
 /* Pack the result into the output buffer */
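Review bot: The round-constant update `rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; rc &= 0x3F;` is now pasted verbatim into `skinny_128_384_encrypt`, `skinny_128_384_encrypt_tk2` and `skinny_128_256_encrypt`, and its inverse into both decrypt loops, with no comment on any of the five copies saying what LFSR this is. Since the file already keeps small helpers as STATIC_INLINE (`skinny128_fast_forward_tk`), a forward/inverse pair would give the LFSR one documented home and stop the copies from drifting; each call site then becomes `rc = skinny128_rc_next(rc);` (or `skinny128_rc_prev` in the decrypt loops). The enclosing function continues outside this hunk.

```c
/* One forward step of SKINNY's 6-bit round-constant LFSR: shift left and
 * feed (rc5 ^ rc4 ^ 1) into bit 0, masking back to 6 bits. */
STATIC_INLINE uint8_t skinny128_rc_next(uint8_t rc)
{
    rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
    return rc & 0x3F;
}

/* Exact inverse of skinny128_rc_next(), for the decrypt loops. */
STATIC_INLINE uint8_t skinny128_rc_prev(uint8_t rc)
{
    return (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
}
/* … in each encrypt round, in place of the two rc lines … */
rc = skinny128_rc_next(rc);
```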
@@ -408,33 +491,27 @@ void skinny_128_384_encrypt_tk_full
 le_store_word32(output + 12, s3);
 }
-int skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char *key,
- size_t key_len)
+void skinny_128_256_init
+ (skinny_128_256_key_schedule_t *ks, const unsigned char key[32])
 {
+#if !SKINNY_128_SMALL_SCHEDULE
 uint32_t TK2[4];
 uint32_t *schedule;
 unsigned round;
 uint8_t rc;
+#endif
- /* Validate the parameters */
- if (!ks || !key || (key_len != 16 && key_len != 32))
- return 0;
-
+#if SKINNY_128_SMALL_SCHEDULE
+ /* Copy the input key as-is when using the small key schedule version */
+ memcpy(ks->TK1, key, sizeof(ks->TK1));
+ memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
+#else
 /* Set the initial states of TK1 and TK2 */
- if (key_len == 16) {
- memset(ks->TK1, 0, sizeof(ks->TK1));
- TK2[0] = le_load_word32(key);
- TK2[1] = le_load_word32(key + 4);
- TK2[2] = le_load_word32(key + 8);
- TK2[3] = le_load_word32(key + 12);
- } else {
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- }
+ memcpy(ks->TK1, key, 16);
+ TK2[0] = le_load_word32(key + 16);
+ TK2[1] = le_load_word32(key + 20);
+ TK2[2] = le_load_word32(key + 24);
+ TK2[3] = le_load_word32(key + 28);
 /* Set up the key schedule using TK2. TK1 is not added
 * to the key schedule because we will derive that part of the
@@ -457,20 +534,7 @@ int skinny_128_256_init
 skinny128_LFSR2(TK2[0]);
 skinny128_LFSR2(TK2[1]);
 }
- return 1;
-}
-
-int skinny_128_256_set_tweak
- (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak,
- size_t tweak_len)
-{
- /* Validate the parameters */
- if (!ks || !tweak || tweak_len != 16)
- return 0;
-
- /* Set TK1 directly from the tweak value */
- memcpy(ks->TK1, tweak, 16);
- return 1;
+#endif
 }
 void skinny_128_256_encrypt
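Review bot: `skinny_128_256_init` no longer accepts the 16-byte (TK2-only, TK1 zeroed) key and performs no validation, so a caller that still passes 16 bytes over-reads through `memcpy(ks->TK2, key + 16, ...)` and `le_load_word32(key + 16 .. 28)`, and with the `int` return gone the AEAD layer has no runtime way to learn that a key length was wrong. That contract now lives only in documentation, so the new signature needs it spelled out: `/* key: exactly 32 bytes, TK1 || TK2; there is no length check and no 16-byte form */`. `skinny_128_256_set_tweak` is removed in the second hunk as well, which means whoever sets the tweak must now write `ks->TK1` directly; the key-schedule struct's comment (in the header, outside this view) should say that TK1 is the caller-writable 16-byte tweak and that nothing validates its length any more.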
@@ -479,7 +543,12 @@ void skinny_128_256_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -494,18 +563,31 @@ void skinny_128_256_encrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); skinny128_sbox(s2); skinny128_sbox(s3); - /* Apply the subkey for this round */ + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -524,8 +606,15 @@ void skinny_128_256_encrypt s1 = s0; s0 = temp; - /* Permute TK1 for the next round */ + /* Permute TK1 and TK2 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
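Review bot: The reworded comment `/* Permute TK1 and TK2 for the next round */` sits above `skinny128_permute_tk(TK1);`, which runs in both builds, but TK2 is only permuted inside the `#if SKINNY_128_SMALL_SCHEDULE` branch that follows; in the full-schedule build the step is TK1 plus `schedule += 2`. Suggest `/* Permute TK1 (and TK2 when the schedule is not precomputed) for the next round */`, or moving the TK2 half of the sentence into the `#if` branch next to `skinny128_permute_tk(TK2);`. The function header and the remaining round-loop lines are outside these hunks.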
@@ -541,7 +630,12 @@ void skinny_128_256_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; @@ -558,12 +652,29 @@ void skinny_128_256_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif /* Inverse mix of the columns */ temp = s3; @@ -580,8 +691,15 @@ void skinny_128_256_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ 
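Review bot: The new decrypt-side setup hard-wires two facts about `SKINNY_128_256_ROUNDS` that nothing checks: the `round += 2` fast-forward loop applies LFSR2 to all four TK2 words once per two rounds, which only lands on the right state because 48 is a multiple of the 16-round tweakey permutation period (the removed `skinny128_fast_forward_tk` comment elsewhere in this diff says as much), and `uint8_t rc = 0x09;` is the round-constant LFSR state one step past the 48th constant, so that the inverse step at the top of each round yields the constant for the round being undone. Suggest recording both, e.g. `/* 0x09 is the rc LFSR state after 49 steps; this and the TK2 fast-forward are only valid for SKINNY_128_256_ROUNDS == 48 */`, and a `_Static_assert(SKINNY_128_256_ROUNDS == 48, "...")` if the project builds as C11. The `// Also fast-forward the LFSR's on every byte of TK2.` line is the only `//` comment in an otherwise `/* */` file; `/* Fast-forward TK2: each word is LFSR'd once every two rounds */` would match the surrounding style. The rest of the function is outside these hunks.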
@@ -670,142 +788,14 @@ void skinny_128_256_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len) -{ - uint32_t TK1[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || key_len != 16) - return 0; - - /* Set the initial state of TK1 */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); +#else /* __AVR__ */ - /* Set up the key schedule using TK1 */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. - * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK1[0] ^ (rc & 0x0F); - schedule[1] = TK1[1] ^ (rc >> 4); - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); - } - return 1; -} - -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) { - uint32_t s0, s1, s2, s3; - const uint32_t *schedule = ks->k; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; 
- s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); } -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - const uint32_t *schedule; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; - s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} +#endif /* __AVR__ */ 
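Review bot: The AVR `skinny_128_384_encrypt_tk2` wrapper leaves `tk2` behind in the schedule (`memcpy(ks->TK2, tk2, 16);`) before calling `skinny_128_384_encrypt`, so on this build the schedule is permanently changed, whereas the generic version, as far as its hunks earlier in this diff show, only reads `ks`. A later `skinny_128_384_encrypt()` on the same schedule will therefore use the last `tk2` rather than the zero TK2 that the init documentation asks for, and the header's "may modify the key schedule" note does not spell that consequence out. Suggest a comment here: `/* AVR: tk2 stays in ks->TK2, so a later skinny_128_384_encrypt() on this schedule uses it, not the TK2 set at init */`, or save and restore the previous TK2 if callers mix the two entry points. The rest of this hunk is the removal of SKINNY-128-128 and needs no comment.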
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.h index 76b34f5..2bfda3c 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.h +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-skinny128.h @@ -39,6 +39,16 @@ extern "C" { #endif /** + * \def SKINNY_128_SMALL_SCHEDULE + * \brief Defined to 1 to use the small key schedule version of SKINNY-128. + */ +#if defined(__AVR__) +#define SKINNY_128_SMALL_SCHEDULE 1 +#else +#define SKINNY_128_SMALL_SCHEDULE 0 +#endif + +/** * \brief Size of a block for SKINNY-128 block ciphers. */ #define SKINNY_128_BLOCK_SIZE 16 @@ -56,8 +66,16 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; + + /** TK3 for the small key schedule */ + uint8_t TK3[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_384_ROUNDS * 2]; +#endif } skinny_128_384_key_schedule_t; 
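Review bot: `SKINNY_128_SMALL_SCHEDULE` is fixed by `defined(__AVR__)` with no way to override it from the build, although it is a RAM-versus-speed trade-off other small targets may want, and the same pattern is used for `LW_CRYPTO_ROTATE32_COMPOSED` in `internal-util.h` later in this diff. Wrapping the block in `#if !defined(SKINNY_128_SMALL_SCHEDULE)` ... `#endif` lets `-DSKINNY_128_SMALL_SCHEDULE=1` select it elsewhere. The `\brief` should also say the macro is always defined, to 1 or 0, so `#if` rather than `#ifdef` is the correct test; this matters because the struct below changes layout with it (`TK2`/`TK3` versus `k[]`), so `sizeof(skinny_128_384_key_schedule_t)` differs between the two builds and every translation unit must see the same value.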
@@ -66,29 +84,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 32 or 48, - * where 32 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); /** * \brief Encrypts a 128-bit block with SKINNY-128-384. @@ -133,9 +131,12 @@ void skinny_128_384_decrypt * This version is useful when both TK1 and TK2 change from block to block. * When the key is initialized with skinny_128_384_init(), the TK2 part of * the key value should be set to zero. + * + * \note Some versions of this function may modify the key schedule to + * copy tk2 into place. */ void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2); /** @@ -170,8 +171,13 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_256_ROUNDS * 2]; +#endif } skinny_128_256_key_schedule_t; 
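Review bot: With `key_len` gone, `\param key Points to the key data.` no longer says how many bytes are read, and the new prototype's `key[48]` is not enforced by C. Suggest `\param key Points to the 48 bytes of key data (TK1, then TK2, then TK3, 16 bytes each)`; the TK1-then-TK2 order is what `skinny_128_256_init` does with its 32 bytes in this diff, so verify the 384-bit layout against its implementation before committing the wording. The same fix applies to the `skinny_128_256_init` doc in the next hunk, where `key[32]` should be described as TK1 in the first 16 bytes and TK2 in the last 16. Since `skinny_128_384_set_tweak` is removed, callers now write `ks->TK1` directly and the struct field comment is the only place that says so; a sentence to that effect in the init doc would help.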
@@ -180,29 +186,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16 or 32, - * where 16 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); /** * \brief Encrypts a 128-bit block with SKINNY-128-256. 
@@ -251,63 +237,6 @@ void skinny_128_256_encrypt_tk_full (const unsigned char key[32], unsigned char *output, const unsigned char *input); -/** - * \brief Number of rounds for SKINNY-128-128. - */ -#define SKINNY_128_128_ROUNDS 40 - -/** - * \brief Structure of the key schedule for SKINNY-128-128. - */ -typedef struct -{ - /** Words of the key schedule */ - uint32_t k[SKINNY_128_128_ROUNDS * 2]; - -} skinny_128_128_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-128. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - #ifdef __cplusplus } #endif 
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-util.h +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.c index 2bb37e9..7558527 100644 
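Review bot: The composed rotation macros carry their correctness only in their comments (`leftRotate12` is "left 16 then right 4", `rightRotate5` is `leftRotate27`), and a wrong count of nested calls would break every cipher using them on the composed build alone. Suggest a host-side unit test that compiles `internal-util.h` with the composed block selected and compares each `leftRotateN(x)` and `rightRotateN(x)` against `leftRotate(x, N)` / `rightRotate(x, N)` for a few patterns such as 0x80000001 and 0x12345678. Reading the 31 left definitions, each base rotation plus or minus its chain of single-bit rotations does equal N, and every `rightRotateN` maps to `leftRotate(32-N)`, so this is a regression guard rather than a bug report.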
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.c +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk296128v1/rhys/skinny-aead.c @@ -105,11 +105,12 @@ static void skinny_aead_128_384_init (skinny_128_384_key_schedule_t *ks, const unsigned char *key, const unsigned char *nonce, unsigned nonce_len) { - unsigned char k[32]; - memcpy(k, nonce, nonce_len); - memset(k + nonce_len, 0, 16 - nonce_len); - memcpy(k + 16, key, 16); - skinny_128_384_init(ks, k, 32); + unsigned char k[48]; + memset(k, 0, 16); + memcpy(k + 16, nonce, nonce_len); + memset(k + 16 + nonce_len, 0, 16 - nonce_len); + memcpy(k + 32, key, 16); + skinny_128_384_init(ks, k); } /** @@ -136,7 +137,7 @@ static void skinny_aead_128_384_init #define skinny_aead_128_384_update_lfsr(lfsr) \ do { \ uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \ - (lfsr) = ((lfsr) << 1) | feedback; \ + (lfsr) = ((lfsr) << 1) ^ feedback; \ } while (0) /** @@ -520,7 +521,7 @@ static void skinny_aead_128_256_init memset(k, 0, 16 - nonce_len); memcpy(k + 16 - nonce_len, nonce, nonce_len); memcpy(k + 16, key, 16); - skinny_128_256_init(ks, k, 32); + skinny_128_256_init(ks, k); } /** diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/aead-common.c b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/aead-common.c +++ /dev/null 
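Review bot: In `skinny_aead_128_384_init` the rewritten body still computes `16 - nonce_len` for the second `memset`; `nonce_len` is `unsigned`, so a value above 16 wraps that to a huge length, and the `memcpy(k + 16, nonce, nonce_len)` before it would already overrun `k[48]`. The function is `static` and its callers are outside this hunk, so presumably they pass 12 or 16, but the subtraction is no longer needed now that `k` is laid out explicitly: `memset(k, 0, 32); memcpy(k + 16, nonce, nonce_len); memcpy(k + 32, key, 16);` gives the same bytes for any `nonce_len <= 16`. The `|` to `^` fix in `skinny_aead_128_384_update_lfsr` is correct and needs no code change; a one-line `/* 0x1B sets bits above bit 0, so the feedback must be XORed, not ORed, into the shifted value */` would record why.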
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/aead-common.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/api.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/api.h deleted file mode 100644 index 32c9622..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 12 -#define CRYPTO_ABYTES 8 -#define CRYPTO_NOOVERLAP 1 diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/encrypt.c b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/encrypt.c deleted file mode 100644 index d304a40..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@
-
-#include "skinny-aead.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return skinny_aead_m6_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return skinny_aead_m6_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-skinny128.c
deleted file mode 100644
index 579ced1..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-skinny128.c
+++ /dev/null
@@ -1,801 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-skinny128.h" -#include "internal-skinnyutil.h" -#include "internal-util.h" -#include - -#if !defined(__AVR__) - -STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) -{ - /* This function is used to fast-forward the TK1 tweak value - * to the value at the end of the key schedule for decryption. - * - * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 - * with 48 rounds does not need any fast forwarding applied. 
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds - * are equivalent to applying the permutation 8 times: - * - * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] - */ - uint32_t row0 = tk[0]; - uint32_t row1 = tk[1]; - uint32_t row2 = tk[2]; - uint32_t row3 = tk[3]; - tk[0] = ((row1 >> 8) & 0x0000FFFFU) | - ((row0 >> 8) & 0x00FF0000U) | - ((row0 << 8) & 0xFF000000U); - tk[1] = ((row1 >> 24) & 0x000000FFU) | - ((row0 << 8) & 0x00FFFF00U) | - ((row1 << 24) & 0xFF000000U); - tk[2] = ((row3 >> 8) & 0x0000FFFFU) | - ((row2 >> 8) & 0x00FF0000U) | - ((row2 << 8) & 0xFF000000U); - tk[3] = ((row3 >> 24) & 0x000000FFU) | - ((row2 << 8) & 0x00FFFF00U) | - ((row3 << 24) & 0xFF000000U); -} - -void skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) -{ -#if !SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; -#endif - -#if SKINNY_128_SMALL_SCHEDULE - /* Copy the input key as-is when using the small key schedule version */ - memcpy(ks->TK1, key, sizeof(ks->TK1)); - memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); - memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); -#else - /* Set the initial states of TK1, TK2, and TK3 */ - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - - /* Set up the key schedule using TK2 and TK3. TK1 is not added - * to the key schedule because we will derive that part of the - * schedule during encryption operations */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. 
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); - - /* Permute TK2 and TK3 for the next round */ - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - - /* Apply the LFSR's to TK2 and TK3 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } -#endif -} - -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_decrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint8_t rc = 0x15; -#else - const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1 */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 
+ 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Permute TK1 to fast-forward it to the end of the key schedule */ - skinny128_fast_forward_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_fast_forward_tk(TK2); - skinny128_fast_forward_tk(TK3); - for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { - // Also fast-forward the LFSR's on every byte of TK2 and TK3. - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR2(TK2[2]); - skinny128_LFSR2(TK2[3]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - skinny128_LFSR3(TK3[2]); - skinny128_LFSR3(TK3[3]); - } -#endif - - /* Perform all decryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Inverse permutation on TK1 for this round */ - skinny128_inv_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_inv_permute_tk(TK2); - skinny128_inv_permute_tk(TK3); - skinny128_LFSR3(TK2[2]); - skinny128_LFSR3(TK2[3]); - skinny128_LFSR2(TK3[2]); - skinny128_LFSR2(TK3[3]); -#endif - - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; - schedule -= 2; -#endif - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - 
le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK3[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); - TK2[0] = le_load_word32(tk2); - TK2[1] = le_load_word32(tk2 + 4); - TK2[2] = le_load_word32(tk2 + 8); - TK2[3] = le_load_word32(tk2 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; - s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. 
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK3); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t TK3[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this 
round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) -{ -#if !SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; -#endif - -#if SKINNY_128_SMALL_SCHEDULE - /* Copy the input key as-is when using the small key schedule version */ - memcpy(ks->TK1, key, sizeof(ks->TK1)); - memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); -#else - /* Set the initial states of TK1 and TK2 */ - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Set up the key schedule using TK2. TK1 is not added - * to the key schedule because we will derive that part of the - * schedule during encryption operations */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. 
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ (rc >> 4); - - /* Permute TK2 for the next round */ - skinny128_permute_tk(TK2); - - /* Apply the LFSR to TK2 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } -#endif -} - -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1 */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which 
moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0x09; -#else - const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1. - * There is no need to fast-forward TK1 because the value at - * the end of the key schedule is the same as at the start */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { - // Also fast-forward the LFSR's on every byte of TK2. 
- skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR2(TK2[2]); - skinny128_LFSR2(TK2[3]); - } -#endif - - /* Perform all decryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Inverse permutation on TK1 for this round */ - skinny128_inv_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_inv_permute_tk(TK2); - skinny128_LFSR3(TK2[2]); - skinny128_LFSR3(TK2[3]); -#endif - - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; - schedule -= 2; -#endif - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] 
= le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -#else /* __AVR__ */ - -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2) -{ - memcpy(ks->TK2, tk2, 16); - skinny_128_384_encrypt(ks, output, input); -} - -#endif /* __AVR__ */ diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-skinny128.h deleted file mode 100644 index 2bfda3c..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-skinny128.h +++ /dev/null 
@@ -1,244 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SKINNY128_H -#define LW_INTERNAL_SKINNY128_H - -/** - * \file internal-skinny128.h - * \brief SKINNY-128 block cipher family. - * - * References: https://eprint.iacr.org/2016/660.pdf, - * https://sites.google.com/site/skinnycipher/ - */ - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \def SKINNY_128_SMALL_SCHEDULE - * \brief Defined to 1 to use the small key schedule version of SKINNY-128. - */ -#if defined(__AVR__) -#define SKINNY_128_SMALL_SCHEDULE 1 -#else -#define SKINNY_128_SMALL_SCHEDULE 0 -#endif - -/** - * \brief Size of a block for SKINNY-128 block ciphers. - */ -#define SKINNY_128_BLOCK_SIZE 16 - -/** - * \brief Number of rounds for SKINNY-128-384. 
- */ -#define SKINNY_128_384_ROUNDS 56 - -/** - * \brief Structure of the key schedule for SKINNY-128-384. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; - - /** TK3 for the small key schedule */ - uint8_t TK3[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_384_ROUNDS * 2]; -#endif - -} skinny_128_384_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - */ -void skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_decrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly - * provided TK2 value. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. 
- * \param input Input buffer which must be at least 16 bytes in length. - * \param tk2 TK2 value that should be updated on the fly. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when both TK1 and TK2 change from block to block. - * When the key is initialized with skinny_128_384_init(), the TK2 part of - * the key value should be set to zero. - * - * \note Some versions of this function may modify the key schedule to - * copy tk2 into place. - */ -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and a - * fully specified tweakey value. - * - * \param key Points to the 384-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-384 but - * more memory-efficient. - */ -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input); - -/** - * \brief Number of rounds for SKINNY-128-256. - */ -#define SKINNY_128_256_ROUNDS 48 - -/** - * \brief Structure of the key schedule for SKINNY-128-256. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_256_ROUNDS * 2]; -#endif - -} skinny_128_256_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to initialize. 
- * \param key Points to the key data. - */ -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256 and a - * fully specified tweakey value. - * - * \param key Points to the 256-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-256 but - * more memory-efficient. - */ -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input); - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-skinnyutil.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-skinnyutil.h
deleted file mode 100644
index 83136cb..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-skinnyutil.h
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNYUTIL_H
-#define LW_INTERNAL_SKINNYUTIL_H
-
-/**
- * \file internal-skinnyutil.h
- * \brief Utilities to help implement SKINNY and its variants.
- */ - -#include "internal-util.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/** @cond skinnyutil */ - -/* Utilities for implementing SKINNY-128 */ - -#define skinny128_LFSR2(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ - (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ - } while (0) - - -#define skinny128_LFSR3(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ - (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) -#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) - -#define skinny128_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint32_t row2 = tk[2]; \ - uint32_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 16) | (row3 >> 16); \ - tk[0] = ((row2 >> 8) & 0x000000FFU) | \ - ((row2 << 16) & 0x00FF0000U) | \ - ( row3 & 0xFF00FF00U); \ - tk[1] = ((row2 >> 16) & 0x000000FFU) | \ - (row2 & 0xFF000000U) | \ - ((row3 << 8) & 0x0000FF00U) | \ - ( row3 & 0x00FF0000U); \ - } while (0) - -#define skinny128_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint32_t row0 = tk[0]; \ - uint32_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 >> 16) & 0x000000FFU) | \ - ((row0 << 8) & 0x0000FF00U) | \ - ((row1 << 16) & 0x00FF0000U) | \ - ( row1 & 0xFF000000U); \ - tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ - ((row0 << 16) & 0xFF000000U) | \ - ((row1 >> 16) & 0x000000FFU) | \ - ((row1 << 8) & 0x00FF0000U); \ - } while (0) - -/* - * Apply the SKINNY sbox. 
The original version from the specification is - * equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE(x) - * ((((x) & 0x01010101U) << 2) | - * (((x) & 0x06060606U) << 5) | - * (((x) & 0x20202020U) >> 5) | - * (((x) & 0xC8C8C8C8U) >> 2) | - * (((x) & 0x10101010U) >> 1)) - * - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * return SBOX_SWAP(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ - y = (((x >> 5) & (x << 1)) & 0x04040404U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ - x = ((x & 0x08080808U) << 1) | \ - ((x & 0x32323232U) << 2) | \ - ((x & 0x01010101U) << 5) | \ - ((x & 0x80808080U) >> 6) | \ - ((x & 0x40404040U) >> 4) | \ - ((x & 0x04040404U) >> 2); \ -} while (0) - -/* - * Apply the inverse of the SKINNY sbox. 
The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE_INV(x) - * ((((x) & 0x08080808U) << 1) | - * (((x) & 0x32323232U) << 2) | - * (((x) & 0x01010101U) << 5) | - * (((x) & 0xC0C0C0C0U) >> 5) | - * (((x) & 0x04040404U) >> 2)) - * - * x = SBOX_SWAP(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_inv_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ - x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ - y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ - x = ((x & 0x01010101U) << 2) | \ - ((x & 0x04040404U) << 4) | \ - ((x & 0x02020202U) << 6) | \ - ((x & 0x20202020U) >> 5) | \ - ((x & 0xC8C8C8C8U) >> 2) | \ - ((x & 0x10101010U) >> 1); \ -} while (0) - -/* Utilities for implementing SKINNY-64 */ - -#define skinny64_LFSR2(x) \ - do { \ - uint16_t _x = (x); \ - (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ - } while (0) - -#define skinny64_LFSR3(x) \ - do { \ - uint16_t _x = (x); 
\ - (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) -#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) - -#define skinny64_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint16_t row2 = tk[2]; \ - uint16_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 8) | (row3 >> 8); \ - tk[0] = ((row2 << 4) & 0xF000U) | \ - ((row2 >> 8) & 0x00F0U) | \ - ( row3 & 0x0F0FU); \ - tk[1] = ((row2 << 8) & 0xF000U) | \ - ((row3 >> 4) & 0x0F00U) | \ - ( row3 & 0x00F0U) | \ - ( row2 & 0x000FU); \ - } while (0) - -#define skinny64_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint16_t row0 = tk[0]; \ - uint16_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 << 8) & 0xF000U) | \ - ((row0 >> 4) & 0x0F00U) | \ - ((row1 >> 8) & 0x00F0U) | \ - ( row1 & 0x000FU); \ - tk[3] = ((row1 << 8) & 0xF000U) | \ - ((row0 << 8) & 0x0F00U) | \ - ((row1 >> 4) & 0x00F0U) | \ - ((row0 >> 8) & 0x000FU); \ - } while (0) - -/* - * Apply the SKINNY-64 sbox. The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT(x) - * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_SHIFT steps to be performed with one final rotation. - * This reduces the number of required shift operations from 14 to 10. 
- *
- * We can further reduce the number of NOT operations from 4 to 2
- * using the technique from https://github.com/kste/skinny_avx to
- * convert NOR-XOR operations into AND-XOR operations by converting
- * the S-box into its NOT-inverse.
- */
-#define skinny64_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \
- x = ~x; \
- x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY-64 sbox. The original version
- * from the specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT_INV(x)
- * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * return SBOX_MIX(x);
- */
-#define skinny64_inv_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = ~x; \
- x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \
-} while (0)
-
-/** @endcond */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/skinny-aead.c
deleted file mode 100644
index 7558527..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/skinny-aead.c
+++ /dev/null
@@ -1,804 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "skinny-aead.h"
-#include "internal-skinny128.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const skinny_aead_m1_cipher = {
- "SKINNY-AEAD-M1",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M1_NONCE_SIZE,
- SKINNY_AEAD_M1_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m1_encrypt,
- skinny_aead_m1_decrypt
-};
-
-aead_cipher_t const skinny_aead_m2_cipher = {
- "SKINNY-AEAD-M2",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M2_NONCE_SIZE,
- SKINNY_AEAD_M2_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m2_encrypt,
- skinny_aead_m2_decrypt
-};
-
-aead_cipher_t const skinny_aead_m3_cipher = {
- "SKINNY-AEAD-M3",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M3_NONCE_SIZE,
- SKINNY_AEAD_M3_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m3_encrypt,
- skinny_aead_m3_decrypt
-};
-
-aead_cipher_t const skinny_aead_m4_cipher = {
- "SKINNY-AEAD-M4",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M4_NONCE_SIZE,
- SKINNY_AEAD_M4_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m4_encrypt,
- skinny_aead_m4_decrypt
-};
-
-aead_cipher_t const skinny_aead_m5_cipher = {
- "SKINNY-AEAD-M5",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M5_NONCE_SIZE,
- SKINNY_AEAD_M5_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m5_encrypt,
- skinny_aead_m5_decrypt
-};
-
-aead_cipher_t const skinny_aead_m6_cipher = {
- "SKINNY-AEAD-M6",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M6_NONCE_SIZE,
- SKINNY_AEAD_M6_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m6_encrypt,
- skinny_aead_m6_decrypt
-};
-
-/* Domain separator prefixes for all of the SKINNY-AEAD family members */
-#define DOMAIN_SEP_M1 0x00
-#define DOMAIN_SEP_M2 0x10
-#define DOMAIN_SEP_M3 0x08
-#define DOMAIN_SEP_M4 0x18
-#define DOMAIN_SEP_M5 0x10
-#define DOMAIN_SEP_M6 0x18
-
-/**
- * \brief Initialize the key and nonce for SKINNY-128-384 based AEAD schemes.
- *
- * \param ks The key schedule to initialize.
- * \param key Points to the 16 bytes of the key.
- * \param nonce Points to the nonce.
- * \param nonce_len Length of the nonce in bytes.
- */
-static void skinny_aead_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char *key,
- const unsigned char *nonce, unsigned nonce_len)
-{
- unsigned char k[48];
- memset(k, 0, 16);
- memcpy(k + 16, nonce, nonce_len);
- memset(k + 16 + nonce_len, 0, 16 - nonce_len);
- memcpy(k + 32, key, 16);
- skinny_128_384_init(ks, k);
-}
-
-/**
- * \brief Set the domain separation value in the tweak for SKINNY-128-384.
- *
- * \param ks Key schedule for the block cipher.
- * \param d Domain separation value to write into the tweak.
- */
-#define skinny_aead_128_384_set_domain(ks,d) ((ks)->TK1[15] = (d))
-
-/**
- * \brief Sets the LFSR field in the tweak for SKINNY-128-384.
- *
- * \param ks Key schedule for the block cipher.
- * \param lfsr 64-bit LFSR value.
- */
-#define skinny_aead_128_384_set_lfsr(ks,lfsr) le_store_word64((ks)->TK1, (lfsr))
-
-/**
- * \brief Updates the LFSR value for SKINNY-128-384.
- *
- * \param lfsr 64-bit LFSR value to be updated.
- */
-#define skinny_aead_128_384_update_lfsr(lfsr) \
- do { \
- uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \
- (lfsr) = ((lfsr) << 1) ^ feedback; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for a SKINNY-128-384 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param tag Final tag to XOR the authentication checksum into.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void skinny_aead_128_384_authenticate
- (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
- unsigned char tag[SKINNY_128_BLOCK_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint64_t lfsr = 1;
- skinny_aead_128_384_set_domain(ks, prefix | 2);
- while (adlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_128_384_encrypt(ks, block, ad);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- ad += SKINNY_128_BLOCK_SIZE;
- adlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_384_update_lfsr(lfsr);
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_aead_128_384_set_domain(ks, prefix | 3);
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1);
- skinny_128_384_encrypt(ks, block, block);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- }
-}
-
-/**
- * \brief Encrypts the plaintext for a SKINNY-128-384 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the plaintext buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void skinny_aead_128_384_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint64_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_384_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- skinny_128_384_encrypt(ks, c, m);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_384_update_lfsr(lfsr);
- }
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_384_set_domain(ks, prefix | 1);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_384_encrypt(ks, block, block);
- lw_xor_block_2_src(c, block, m, temp);
- skinny_aead_128_384_update_lfsr(lfsr);
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_aead_128_384_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_384_set_domain(ks, prefix | 4);
- }
- skinny_128_384_encrypt(ks, sum, sum);
-}
-
-/**
- * \brief Decrypts the ciphertext for a SKINNY-128-384 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the ciphertext buffer.
- * \param mlen Number of bytes of ciphertext to be decrypted.
- */
-static void skinny_aead_128_384_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m,
- const unsigned char *c, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint64_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_384_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_128_384_decrypt(ks, m, c);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_384_update_lfsr(lfsr);
- }
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_384_set_domain(ks, prefix | 1);
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_384_encrypt(ks, block, block);
- lw_xor_block_2_src(m, block, c, temp);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- skinny_aead_128_384_update_lfsr(lfsr);
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_aead_128_384_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_384_set_domain(ks, prefix | 4);
- }
- skinny_128_384_encrypt(ks, sum, sum);
-}
-
-int skinny_aead_m1_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M1_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M1, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M1_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m1_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M1_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M1_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M1, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M1_TAG_SIZE);
-}
-
-int skinny_aead_m2_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M2_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M2, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M2_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m2_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M2_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M2_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M2, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M2_TAG_SIZE);
-}
-
-int skinny_aead_m3_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M3_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M3, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M3_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m3_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M3_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M3_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M3, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M3_TAG_SIZE);
-}
-
-int skinny_aead_m4_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M4_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M4, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M4_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m4_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M4_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M4_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M4, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M4_TAG_SIZE);
-}
-
-/**
- * \brief Initialize the key and nonce for SKINNY-128-256 based AEAD schemes.
- *
- * \param ks The key schedule to initialize.
- * \param key Points to the 16 bytes of the key.
- * \param nonce Points to the nonce.
- * \param nonce_len Length of the nonce in bytes.
- */
-static void skinny_aead_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char *key,
- const unsigned char *nonce, unsigned nonce_len)
-{
- unsigned char k[32];
- memset(k, 0, 16 - nonce_len);
- memcpy(k + 16 - nonce_len, nonce, nonce_len);
- memcpy(k + 16, key, 16);
- skinny_128_256_init(ks, k);
-}
-
-/**
- * \brief Set the domain separation value in the tweak for SKINNY-128-256.
- *
- * \param ks Key schedule for the block cipher.
- * \param d Domain separation value to write into the tweak.
- */
-#define skinny_aead_128_256_set_domain(ks,d) ((ks)->TK1[3] = (d))
-
-/**
- * \brief Sets the LFSR field in the tweak for SKINNY-128-256.
- *
- * \param ks Key schedule for the block cipher.
- * \param lfsr 24-bit LFSR value.
- */
-#define skinny_aead_128_256_set_lfsr(ks,lfsr) \
- do { \
- (ks)->TK1[0] = (uint8_t)(lfsr); \
- (ks)->TK1[1] = (uint8_t)((lfsr) >> 8); \
- (ks)->TK1[2] = (uint8_t)((lfsr) >> 16); \
- } while (0)
-
-/**
- * \brief Updates the LFSR value for SKINNY-128-256.
- *
- * \param lfsr 24-bit LFSR value to be updated.
- */
-#define skinny_aead_128_256_update_lfsr(lfsr) \
- do { \
- uint32_t feedback = ((lfsr) & (((uint32_t)1) << 23)) ? 0x1B : 0x00; \
- (lfsr) = ((lfsr) << 1) ^ (feedback); \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for a SKINNY-128-256 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param tag Final tag to XOR the authentication checksum into.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void skinny_aead_128_256_authenticate
- (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
- unsigned char tag[SKINNY_128_BLOCK_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint32_t lfsr = 1;
- skinny_aead_128_256_set_domain(ks, prefix | 2);
- while (adlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_128_256_encrypt(ks, block, ad);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- ad += SKINNY_128_BLOCK_SIZE;
- adlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_256_update_lfsr(lfsr);
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_aead_128_256_set_domain(ks, prefix | 3);
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1);
- skinny_128_256_encrypt(ks, block, block);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- }
-}
-
-/**
- * \brief Encrypts the plaintext for a SKINNY-128-256 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the plaintext buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void skinny_aead_128_256_encrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint32_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_256_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- skinny_128_256_encrypt(ks, c, m);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_256_update_lfsr(lfsr);
- }
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_256_set_domain(ks, prefix | 1);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_256_encrypt(ks, block, block);
- lw_xor_block_2_src(c, block, m, temp);
- skinny_aead_128_256_update_lfsr(lfsr);
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_aead_128_256_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_256_set_domain(ks, prefix | 4);
- }
- skinny_128_256_encrypt(ks, sum, sum);
-}
-
-/**
- * \brief Decrypts the ciphertext for a SKINNY-128-256 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the ciphertext buffer.
- * \param mlen Number of bytes of ciphertext to be decrypted.
- */
-static void skinny_aead_128_256_decrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m,
- const unsigned char *c, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint32_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_256_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_128_256_decrypt(ks, m, c);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_256_update_lfsr(lfsr);
- }
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_256_set_domain(ks, prefix | 1);
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_256_encrypt(ks, block, block);
- lw_xor_block_2_src(m, block, c, temp);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- skinny_aead_128_256_update_lfsr(lfsr);
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_aead_128_256_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_256_set_domain(ks, prefix | 4);
- }
- skinny_128_256_encrypt(ks, sum, sum);
-}
-
-int skinny_aead_m5_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M5_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M5, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M5_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m5_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M5_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M5_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M5, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M5_TAG_SIZE);
-}
-
-int skinny_aead_m6_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M6_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M6, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M6_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m6_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M6_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M6_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M6, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M6_TAG_SIZE);
-}
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/skinny-aead.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/skinny-aead.h
deleted file mode 100644
index c6b54fb..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys-avr/skinny-aead.h
+++ /dev/null
@@ -1,518 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SKINNY_AEAD_H
-#define LWCRYPTO_SKINNY_AEAD_H
-
-#include "aead-common.h"
-
-/**
- * \file skinny-aead.h
- * \brief Authenticated encryption based on the SKINNY block cipher.
- *
- * SKINNY-AEAD is a family of authenticated encryption algorithms
- * that are built around the SKINNY tweakable block cipher. There
- * are six members in the family:
- *
- * \li SKINNY-AEAD-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher. This is the
- * primary member of the family.
- * \li SKINNY-AEAD-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M3 has a 128-bit key, a 128-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M4 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M5 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- * \li SKINNY-AEAD-M6 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- *
- * The SKINNY-AEAD family also includes two hash algorithms:
- *
- * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the
- * SKINNY-128-384 tweakable block cipher. This is the primary hashing
- * member of the family.
- * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the
- * SKINNY-128-256 tweakable block cipher.
- *
- * References: https://sites.google.com/site/skinnycipher/home
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for all SKINNY-AEAD family members.
- */
-#define SKINNY_AEAD_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M1.
- */
-#define SKINNY_AEAD_M1_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M1.
- */
-#define SKINNY_AEAD_M1_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M2.
- */
-#define SKINNY_AEAD_M2_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M2.
- */
-#define SKINNY_AEAD_M2_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M3.
- */
-#define SKINNY_AEAD_M3_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M3.
- */
-#define SKINNY_AEAD_M3_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M4.
- */
-#define SKINNY_AEAD_M4_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M4.
- */
-#define SKINNY_AEAD_M4_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M5.
- */
-#define SKINNY_AEAD_M5_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M5.
- */
-#define SKINNY_AEAD_M5_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M6.
- */
-#define SKINNY_AEAD_M6_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M6.
- */
-#define SKINNY_AEAD_M6_NONCE_SIZE 12
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M1 cipher.
- */
-extern aead_cipher_t const skinny_aead_m1_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M2 cipher.
- */
-extern aead_cipher_t const skinny_aead_m2_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M3 cipher.
- */
-extern aead_cipher_t const skinny_aead_m3_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M4 cipher.
- */
-extern aead_cipher_t const skinny_aead_m4_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M5 cipher.
- */
-extern aead_cipher_t const skinny_aead_m5_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M6 cipher.
- */
-extern aead_cipher_t const skinny_aead_m6_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M1.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m1_decrypt()
- */
-int skinny_aead_m1_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M1.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m1_encrypt()
- */
-int skinny_aead_m1_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M2.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m2_decrypt()
- */
-int skinny_aead_m2_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M2.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m2_encrypt()
- */
-int skinny_aead_m2_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M3.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m3_decrypt()
- */
-int skinny_aead_m3_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M3.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m3_encrypt()
- */
-int skinny_aead_m3_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M4.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m4_decrypt()
- */
-int skinny_aead_m4_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M4.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m4_encrypt()
- */
-int skinny_aead_m4_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M5.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m5_decrypt()
- */
-int skinny_aead_m5_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M5.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m5_encrypt()
- */
-int skinny_aead_m5_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M6.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m6_decrypt()
- */
-int skinny_aead_m6_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M6.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m6_encrypt()
- */
-int skinny_aead_m6_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-skinny128-avr.S b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128-avr.S
similarity index 100%
rename from skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-skinny128-avr.S
rename to skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128-avr.S
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.c
index 65ba4ed..579ced1 100644
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.c
+++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.c
@@ -25,6 +25,8 @@
 #include "internal-util.h"
 #include
+#if !defined(__AVR__)
+
 STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
 {
 /* This function is used to fast-forward the TK1 tweak value
@@ -55,42 +57,33 @@ STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
 ((row3 << 24) & 0xFF000000U);
 }
-int skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char *key,
- size_t key_len)
+void skinny_128_384_init
+ (skinny_128_384_key_schedule_t *ks, const unsigned char key[48])
 {
+#if !SKINNY_128_SMALL_SCHEDULE
 uint32_t TK2[4];
 uint32_t TK3[4];
 uint32_t *schedule;
 unsigned round;
 uint8_t rc;
-
- /* Validate the parameters */
- if (!ks || !key || (key_len != 32 && key_len != 48))
- return 0;
-
+#endif
+
+#if SKINNY_128_SMALL_SCHEDULE
+ /* Copy the input key as-is when using the small key schedule version */
+ memcpy(ks->TK1, key, sizeof(ks->TK1));
+ memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
+ memcpy(ks->TK3, key + 32, sizeof(ks->TK3));
+#else
 /* Set the initial states of TK1, TK2, and TK3 */
- if (key_len == 32) {
- memset(ks->TK1, 0, sizeof(ks->TK1));
- TK2[0] = le_load_word32(key);
- TK2[1] = le_load_word32(key + 4);
- TK2[2] = le_load_word32(key + 8);
- TK2[3] = le_load_word32(key + 12);
- TK3[0] = le_load_word32(key + 16);
- TK3[1] = le_load_word32(key + 20);
- TK3[2] = le_load_word32(key + 24);
- TK3[3] = le_load_word32(key + 28);
- } else {
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
- }
+ memcpy(ks->TK1, key, 16);
+ TK2[0] = le_load_word32(key + 16);
+ TK2[1] = le_load_word32(key + 20);
+ TK2[2] = le_load_word32(key + 24);
+ TK2[3] = le_load_word32(key + 28);
+ TK3[0] = le_load_word32(key + 32);
+ TK3[1] = le_load_word32(key + 36);
+ TK3[2] = le_load_word32(key + 40);
+ TK3[3] = le_load_word32(key + 44);
 /* Set up the key schedule using TK2 and TK3. TK1 is not added
 * to the key schedule because we will derive that part of the
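Review bot: The new `const unsigned char key[48]` parameter decays to a plain pointer, so the 48-byte requirement is not enforced by the compiler, and the removed `if (!ks || !key || (key_len != 32 && key_len != 48)) return 0;` check has no replacement — a caller still passing the former 32-byte TK2||TK3 form would now have its buffer read 16 bytes past the end and its key words loaded into the wrong tweakey slots. Since the function now returns `void`, documentation is the only remaining guard; add a header comment such as `/* key must point to 48 bytes laid out as TK1 || TK2 || TK3; the former 32-byte form with TK1 zeroed is no longer accepted */` and make sure the declaration in the header (outside this chunk) says the same. The identical change to `skinny_128_256_init` in the `@@ -408,33 +491,27 @@` hunk drops the 16-byte form the same way and deserves the same comment. `skinny_128_384_set_tweak` and `skinny_128_256_set_tweak` (hunks `@@ -116` and `@@ -457`) disappear together with their `tweak_len != 16` check, so whatever now writes `ks->TK1` directly has to take over that length guarantee. The body of `skinny_128_384_init` continues past this hunk.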
@@ -116,20 +109,7 @@ int skinny_128_384_init
 skinny128_LFSR3(TK3[0]);
 skinny128_LFSR3(TK3[1]);
 }
- return 1;
-}
-
-int skinny_128_384_set_tweak
- (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak,
- size_t tweak_len)
-{
- /* Validate the parameters */
- if (!ks || !tweak || tweak_len != 16)
- return 0;
-
- /* Set TK1 directly from the tweak value */
- memcpy(ks->TK1, tweak, 16);
- return 1;
+#endif
 }
 void skinny_128_384_encrypt
@@ -138,7 +118,13 @@ void skinny_128_384_encrypt
 {
 uint32_t s0, s1, s2, s3;
 uint32_t TK1[4];
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint32_t TK3[4];
+ uint8_t rc = 0;
+#else
 const uint32_t *schedule = ks->k;
+#endif
 uint32_t temp;
 unsigned round;
@@ -148,14 +134,24 @@ void skinny_128_384_encrypt
 s2 = le_load_word32(input + 8);
 s3 = le_load_word32(input + 12);
- /* Make a local copy of the tweakable part of the state, TK1 */
+ /* Make a local copy of the tweakable part of the state */
 TK1[0] = le_load_word32(ks->TK1);
 TK1[1] = le_load_word32(ks->TK1 + 4);
 TK1[2] = le_load_word32(ks->TK1 + 8);
 TK1[3] = le_load_word32(ks->TK1 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK2[0] = le_load_word32(ks->TK2);
+ TK2[1] = le_load_word32(ks->TK2 + 4);
+ TK2[2] = le_load_word32(ks->TK2 + 8);
+ TK2[3] = le_load_word32(ks->TK2 + 12);
+ TK3[0] = le_load_word32(ks->TK3);
+ TK3[1] = le_load_word32(ks->TK3 + 4);
+ TK3[2] = le_load_word32(ks->TK3 + 8);
+ TK3[3] = le_load_word32(ks->TK3 + 12);
+#endif
 /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
+ for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
 /* Apply the S-box to all bytes in the state */
 skinny128_sbox(s0);
 skinny128_sbox(s1);
@@ -163,8 +159,15 @@ void skinny_128_384_encrypt
 skinny128_sbox(s3);
 /* Apply the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
+#else
 s0 ^= schedule[0] ^ TK1[0];
 s1 ^= schedule[1] ^ TK1[1];
+#endif
 s2 ^= 0x02;
 /* Shift the cells in the rows right, which moves the cell
@@ -185,6 +188,16 @@ void skinny_128_384_encrypt
 /* Permute TK1 for the next round */
 skinny128_permute_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_permute_tk(TK2);
+ skinny128_permute_tk(TK3);
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+#else
+ schedule += 2;
+#endif
 }
 /* Pack the result into the output buffer */
@@ -200,7 +213,13 @@ void skinny_128_384_decrypt
 {
 uint32_t s0, s1, s2, s3;
 uint32_t TK1[4];
- const uint32_t *schedule;
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint32_t TK3[4];
+ uint8_t rc = 0x15;
+#else
+ const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
+#endif
 uint32_t temp;
 unsigned round;
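Review bot: The round-constant step `rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; rc &= 0x3F;` added here is repeated verbatim in `skinny_128_384_encrypt_tk2` (`@@ -294`) and `skinny_128_256_encrypt` (`@@ -494`), and its inverse `rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);` appears in both decrypt functions (`@@ -240`, `@@ -580`). The file already hides the byte-level tweakey LFSRs behind `skinny128_LFSR2`/`skinny128_LFSR3` (defined outside this chunk); giving the 6-bit round-constant LFSR and its inverse the same treatment, something like a `skinny128_next_rc(rc)` / `skinny128_prev_rc(rc)` pair, would keep the five copies from drifting and would be the natural home for a comment such as `/* 6-bit LFSR: rc <- (rc4..rc0) || (rc5 ^ rc4 ^ 1) */`. The enclosing `skinny_128_384_encrypt` starts and ends outside this hunk.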
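Review bot: `uint8_t rc = 0x15;` in the `@@ -200` hunk is an unexplained constant: because the decrypt loop (`@@ -240`) steps the inverse LFSR before using `rc`, this must be the LFSR state reached after `SKINNY_128_384_ROUNDS` forward steps from zero, and the same holds for `0x09` in `skinny_128_256_decrypt` (`@@ -541`). Both values do match the forward LFSR assuming the round counts are 56 and 48 (the macros are defined outside this chunk), but nothing in the code ties them to the round count, so a change to either macro would silently break decryption while encryption keeps working. Suggest a comment at the declaration, e.g. `/* Round-constant LFSR state after SKINNY_128_384_ROUNDS forward steps; the loop steps it backwards before each use */`, and a test that decrypts a known vector under `SKINNY_128_SMALL_SCHEDULE` so the pairing is checked rather than assumed. The declaration list belongs to `skinny_128_384_decrypt`, whose body continues past this hunk.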
@@ -215,15 +234,47 @@ void skinny_128_384_decrypt
 TK1[1] = le_load_word32(ks->TK1 + 4);
 TK1[2] = le_load_word32(ks->TK1 + 8);
 TK1[3] = le_load_word32(ks->TK1 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK2[0] = le_load_word32(ks->TK2);
+ TK2[1] = le_load_word32(ks->TK2 + 4);
+ TK2[2] = le_load_word32(ks->TK2 + 8);
+ TK2[3] = le_load_word32(ks->TK2 + 12);
+ TK3[0] = le_load_word32(ks->TK3);
+ TK3[1] = le_load_word32(ks->TK3 + 4);
+ TK3[2] = le_load_word32(ks->TK3 + 8);
+ TK3[3] = le_load_word32(ks->TK3 + 12);
+#endif
 /* Permute TK1 to fast-forward it to the end of the key schedule */
 skinny128_fast_forward_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_fast_forward_tk(TK2);
+ skinny128_fast_forward_tk(TK3);
+ for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) {
+ // Also fast-forward the LFSR's on every byte of TK2 and TK3.
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ skinny128_LFSR2(TK2[2]);
+ skinny128_LFSR2(TK2[3]);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+ skinny128_LFSR3(TK3[2]);
+ skinny128_LFSR3(TK3[3]);
+ }
+#endif
 /* Perform all decryption rounds */
- schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) {
+ for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
 /* Inverse permutation on TK1 for this round */
 skinny128_inv_permute_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_inv_permute_tk(TK2);
+ skinny128_inv_permute_tk(TK3);
+ skinny128_LFSR3(TK2[2]);
+ skinny128_LFSR3(TK2[3]);
+ skinny128_LFSR2(TK3[2]);
+ skinny128_LFSR2(TK3[3]);
+#endif
 /* Inverse mix of the columns */
 temp = s3;
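Review bot: The fast-forward loop `for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2)` clocks all four words of TK2 and TK3 once per two rounds, while the encrypt loop (`@@ -185`) clocks only words 0 and 1 after each permutation; the two agree only if the tweakey permutation moves every cell into the top half exactly once every two rounds and the round count is even, and neither assumption is stated. The comment `// Also fast-forward the LFSR's on every byte of TK2 and TK3.` also uses `//` where the rest of this file uses `/* */`; suggest `/* Each cell is clocked once every two rounds in encryption, so ROUNDS/2 clocks per word reaches the end-of-schedule LFSR state (requires an even round count) */` in the file's style. The same loop, with the same comment style, is added to `skinny_128_256_decrypt` in `@@ -558`. `skinny_128_384_decrypt` starts and ends outside this hunk.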
@@ -240,8 +291,15 @@ void skinny_128_384_decrypt
 s3 = leftRotate8(s3);
 /* Apply the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
+ s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
+#else
 s0 ^= schedule[0] ^ TK1[0];
 s1 ^= schedule[1] ^ TK1[1];
+ schedule -= 2;
+#endif
 s2 ^= 0x02;
 /* Apply the inverse of the S-box to all bytes in the state */
@@ -259,13 +317,18 @@ void skinny_128_384_decrypt
 }
 void skinny_128_384_encrypt_tk2
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ (skinny_128_384_key_schedule_t *ks, unsigned char *output,
 const unsigned char *input, const unsigned char *tk2)
 {
 uint32_t s0, s1, s2, s3;
 uint32_t TK1[4];
 uint32_t TK2[4];
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK3[4];
+ uint8_t rc = 0;
+#else
 const uint32_t *schedule = ks->k;
+#endif
 uint32_t temp;
 unsigned round;
@@ -275,7 +338,7 @@ void skinny_128_384_encrypt_tk2
 s2 = le_load_word32(input + 8);
 s3 = le_load_word32(input + 12);
- /* Make a local copy of the tweakable part of the state, TK1/TK2 */
+ /* Make a local copy of the tweakable part of the state */
 TK1[0] = le_load_word32(ks->TK1);
 TK1[1] = le_load_word32(ks->TK1 + 4);
 TK1[2] = le_load_word32(ks->TK1 + 8);
@@ -284,9 +347,15 @@ void skinny_128_384_encrypt_tk2
 TK2[1] = le_load_word32(tk2 + 4);
 TK2[2] = le_load_word32(tk2 + 8);
 TK2[3] = le_load_word32(tk2 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK3[0] = le_load_word32(ks->TK3);
+ TK3[1] = le_load_word32(ks->TK3 + 4);
+ TK3[2] = le_load_word32(ks->TK3 + 8);
+ TK3[3] = le_load_word32(ks->TK3 + 12);
+#endif
 /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
+ for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
 /* Apply the S-box to all bytes in the state */
 skinny128_sbox(s0);
 skinny128_sbox(s1);
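Review bot: `skinny_128_384_encrypt_tk2` loses the `const` on its `ks` parameter in the `@@ -259` hunk, yet nothing in the visible hunks writes through `ks` — TK1 and TK3 are only read via `le_load_word32` and the schedule pointer is `const uint32_t *`. Unless a write exists in the part of the body outside this chunk, keeping `(const skinny_128_384_key_schedule_t *ks, unsigned char *output,` is preferable: it documents that an encryption does not mutate the schedule and lets callers that hold a const schedule (or share one across threads read-only) keep using it. If the change is deliberate, a one-line comment stating why the schedule must be writable would save the next reader the search. The function body continues beyond this hunk.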
@@ -294,8 +363,15 @@ void skinny_128_384_encrypt_tk2
 skinny128_sbox(s3);
 /* Apply the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
+#else
 s0 ^= schedule[0] ^ TK1[0] ^ TK2[0];
 s1 ^= schedule[1] ^ TK1[1] ^ TK2[1];
+#endif
 s2 ^= 0x02;
 /* Shift the cells in the rows right, which moves the cell
@@ -319,6 +395,13 @@ void skinny_128_384_encrypt_tk2
 skinny128_permute_tk(TK2);
 skinny128_LFSR2(TK2[0]);
 skinny128_LFSR2(TK2[1]);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_permute_tk(TK3);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+#else
+ schedule += 2;
+#endif
 }
 /* Pack the result into the output buffer */
@@ -408,33 +491,27 @@ void skinny_128_384_encrypt_tk_full
 le_store_word32(output + 12, s3);
 }
-int skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char *key,
- size_t key_len)
+void skinny_128_256_init
+ (skinny_128_256_key_schedule_t *ks, const unsigned char key[32])
 {
+#if !SKINNY_128_SMALL_SCHEDULE
 uint32_t TK2[4];
 uint32_t *schedule;
 unsigned round;
 uint8_t rc;
+#endif
- /* Validate the parameters */
- if (!ks || !key || (key_len != 16 && key_len != 32))
- return 0;
-
+#if SKINNY_128_SMALL_SCHEDULE
+ /* Copy the input key as-is when using the small key schedule version */
+ memcpy(ks->TK1, key, sizeof(ks->TK1));
+ memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
+#else
 /* Set the initial states of TK1 and TK2 */
- if (key_len == 16) {
- memset(ks->TK1, 0, sizeof(ks->TK1));
- TK2[0] = le_load_word32(key);
- TK2[1] = le_load_word32(key + 4);
- TK2[2] = le_load_word32(key + 8);
- TK2[3] = le_load_word32(key + 12);
- } else {
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- }
+ memcpy(ks->TK1, key, 16);
+ TK2[0] = le_load_word32(key + 16);
+ TK2[1] = le_load_word32(key + 20);
+ TK2[2] = le_load_word32(key + 24);
+ TK2[3] = le_load_word32(key + 28);
 /* Set up the key schedule using TK2. TK1 is not added
 * to the key schedule because we will derive that part of the
@@ -457,20 +534,7 @@ int skinny_128_256_init
 skinny128_LFSR2(TK2[0]);
 skinny128_LFSR2(TK2[1]);
 }
- return 1;
-}
-
-int skinny_128_256_set_tweak
- (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak,
- size_t tweak_len)
-{
- /* Validate the parameters */
- if (!ks || !tweak || tweak_len != 16)
- return 0;
-
- /* Set TK1 directly from the tweak value */
- memcpy(ks->TK1, tweak, 16);
- return 1;
+#endif
 }
 void skinny_128_256_encrypt
@@ -479,7 +543,12 @@ void skinny_128_256_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -494,18 +563,31 @@ void skinny_128_256_encrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); skinny128_sbox(s2); skinny128_sbox(s3); - /* Apply the subkey for this round */ + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -524,8 +606,15 @@ void skinny_128_256_encrypt s1 = s0; s0 = temp; - /* Permute TK1 for the next round */ + /* Permute TK1 and TK2 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
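Review bot: The comment changed to `/* Permute TK1 and TK2 for the next round */` in the last hunk only describes the small-schedule build; in the full-schedule arm the code below it permutes TK1 and advances `schedule`, and there is no TK2 in scope at all. Suggest `/* Permute TK1 (and TK2 in the small-schedule build) for the next round */` so the comment is true for both `#if` arms. skinny_128_256_encrypt ends outside this hunk.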
@@ -541,7 +630,12 @@ void skinny_128_256_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; @@ -558,12 +652,29 @@ void skinny_128_256_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif /* Inverse mix of the columns */ temp = s3; @@ -580,8 +691,15 @@ void skinny_128_256_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ 
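Review bot: `uint8_t rc = 0x09;` in the first hunk and the backwards step `rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);` in the last one carry no explanation of where 0x09 comes from; it is presumably the round-constant LFSR state after SKINNY_128_256_ROUNDS forward steps, which is what lets the reversed LFSR yield the per-round constants in reverse order. A comment such as `/* Round-constant LFSR state after SKINNY_128_256_ROUNDS steps; stepped backwards below */` would let a reader check it against the encrypt side. The new comment `// Also fast-forward the LFSR's on every byte of TK2.` uses `//` where the rest of this file uses `/* */`, and its "Also" refers to nothing earlier in the block; `/* Fast-forward TK2's LFSRs to their state after the final round */` fits the file's style. skinny_128_256_decrypt ends outside this hunk.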
@@ -670,142 +788,14 @@ void skinny_128_256_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len) -{ - uint32_t TK1[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || key_len != 16) - return 0; - - /* Set the initial state of TK1 */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); +#else /* __AVR__ */ - /* Set up the key schedule using TK1 */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. - * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK1[0] ^ (rc & 0x0F); - schedule[1] = TK1[1] ^ (rc >> 4); - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); - } - return 1; -} - -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) { - uint32_t s0, s1, s2, s3; - const uint32_t *schedule = ks->k; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; 
- s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); } -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - const uint32_t *schedule; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; - s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} +#endif /* __AVR__ */ 
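Review bot: The AVR skinny_128_384_encrypt_tk2 added at the end of this hunk copies `tk2` into `ks->TK2` and leaves it there, whereas the C version of the same function, which from the hunks earlier in this diff works on local TK2 words, does not touch `ks`. After this call the AVR build's `skinny_128_384_encrypt(ks, ...)` therefore sees the last tk2 rather than the zero TK2 the header asks callers to initialise, so the two builds can diverge for any caller that mixes both entry points on one schedule. A comment on the wrapper, e.g. `/* Leaves tk2 in ks->TK2: callers must not rely on TK2 being zero afterwards. */`, or a `memset(ks->TK2, 0, 16)` after the encrypt call if the callers do rely on it, would pin the contract; the header's `\note` only says the schedule "may" be modified.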
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.h index 76b34f5..2bfda3c 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.h +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-skinny128.h @@ -39,6 +39,16 @@ extern "C" { #endif /** + * \def SKINNY_128_SMALL_SCHEDULE + * \brief Defined to 1 to use the small key schedule version of SKINNY-128. + */ +#if defined(__AVR__) +#define SKINNY_128_SMALL_SCHEDULE 1 +#else +#define SKINNY_128_SMALL_SCHEDULE 0 +#endif + +/** * \brief Size of a block for SKINNY-128 block ciphers. */ #define SKINNY_128_BLOCK_SIZE 16 @@ -56,8 +66,16 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; + + /** TK3 for the small key schedule */ + uint8_t TK3[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_384_ROUNDS * 2]; +#endif } skinny_128_384_key_schedule_t; 
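Review bot: `SKINNY_128_SMALL_SCHEDULE` is fixed to 1 on `__AVR__` and 0 everywhere else with no way to override it, and if, as the `#else /* __AVR__ */` arm at the end of internal-skinny128.c in this diff suggests, that file's C bodies are excluded on AVR, then the new `#if SKINNY_128_SMALL_SCHEDULE` C paths in skinny_128_256_encrypt/decrypt and skinny_128_384_encrypt_tk2 appear to be compiled in no configuration at all. Wrapping the definition as `#if !defined(SKINNY_128_SMALL_SCHEDULE)` … `#endif` around the existing `#if defined(__AVR__)` block would let a host build pass `-DSKINNY_128_SMALL_SCHEDULE=1` and run the test vectors against the small-schedule C code that the assembly is meant to match. The alternate struct layouts introduced under the same macro would be exercised through that path too.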
@@ -66,29 +84,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 32 or 48, - * where 32 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); /** * \brief Encrypts a 128-bit block with SKINNY-128-384. @@ -133,9 +131,12 @@ void skinny_128_384_decrypt * This version is useful when both TK1 and TK2 change from block to block. * When the key is initialized with skinny_128_384_init(), the TK2 part of * the key value should be set to zero. + * + * \note Some versions of this function may modify the key schedule to + * copy tk2 into place. */ void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2); /** @@ -170,8 +171,13 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_256_ROUNDS * 2]; +#endif } skinny_128_256_key_schedule_t; 
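Review bot: The new skinny_128_384_init prototype drops the `key_len` text, but `\param key Points to the key data.` no longer says how many bytes are read; `key[48]` is just a pointer to the compiler, and the skinny-aead.c hunk in this diff builds the argument as 16 zero bytes, the nonce and then the 16-byte key. Suggest `\param key Points to the 48 bytes of key data (presumably TK1, TK2 and TK3 in that order, matching the TK1-then-TK2 layout of the 256-bit variant).`, with the order confirmed against the 384 init body, which is not in this diff. The `\note` on skinny_128_384_encrypt_tk2 could also say which builds modify the schedule, since the AVR wrapper in this diff does and the C version does not.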
@@ -180,29 +186,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16 or 32, - * where 16 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); /** * \brief Encrypts a 128-bit block with SKINNY-128-256. 
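Review bot: `\param key Points to the key data.` for skinny_128_256_init lost its length with the removal of `key_len`, and the 16-byte tweakable form the old comment described is gone too, so the prototype's `key[32]` is now the only hint. The init body in this diff copies bytes 0..15 into TK1 and loads bytes 16..31 as TK2, so the comment can be precise: `\param key Points to the 32 bytes of key data: the first 16 bytes become TK1 and the last 16 become TK2.` A sentence saying that callers of the old 16-byte form must now supply or zero the TK1 half themselves, since skinny_128_256_set_tweak is removed, would close the gap.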
@@ -251,63 +237,6 @@ void skinny_128_256_encrypt_tk_full (const unsigned char key[32], unsigned char *output, const unsigned char *input); -/** - * \brief Number of rounds for SKINNY-128-128. - */ -#define SKINNY_128_128_ROUNDS 40 - -/** - * \brief Structure of the key schedule for SKINNY-128-128. - */ -typedef struct -{ - /** Words of the key schedule */ - uint32_t k[SKINNY_128_128_ROUNDS * 2]; - -} skinny_128_128_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-128. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - #ifdef __cplusplus } #endif 
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-util.h +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
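Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is hard-wired to `__AVR__`, so the composed rotation macros that follow can only ever be compiled by an AVR toolchain and there is no way to build them on a host to check the 31 hand-written compositions against the generic `leftRotate`. Guarding the definition with `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` would allow `-DLW_CRYPTO_ROTATE32_COMPOSED=1` in a host test build that asserts `leftRotateN(x) == leftRotate(x, N)` for a few values of x.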
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.c index 2bb37e9..7558527 100644 
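Review bot: Every composed macro in this hunk nests the generic `leftRotate` statement expression up to five deep, and each level declares its own `uint32_t _temp` inside the initializer of the enclosing `_temp` (the generic body is visible in the previous hunk), so an AVR build with `-Wshadow` will warn on every use even though the value is correct; whether the generic `rightRotate` has the same shape is outside this diff. Since the chaining is the whole point on AVR, a short comment above the block, e.g. `/* Nesting the generic macros shadows _temp at each level; this is intentional and the result is correct. */`, would stop the next reader from "fixing" it, and a host-side test of each leftRotateN against leftRotate(x, N) would back the 31 hand-written compositions.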
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.c
+++ b/skinny/Implementations/crypto_aead/skinnyaeadtk29664v1/rhys/skinny-aead.c
@@ -105,11 +105,12 @@ static void skinny_aead_128_384_init
 (skinny_128_384_key_schedule_t *ks, const unsigned char *key,
 const unsigned char *nonce, unsigned nonce_len)
 {
- unsigned char k[32];
- memcpy(k, nonce, nonce_len);
- memset(k + nonce_len, 0, 16 - nonce_len);
- memcpy(k + 16, key, 16);
- skinny_128_384_init(ks, k, 32);
+ unsigned char k[48];
+ memset(k, 0, 16);
+ memcpy(k + 16, nonce, nonce_len);
+ memset(k + 16 + nonce_len, 0, 16 - nonce_len);
+ memcpy(k + 32, key, 16);
+ skinny_128_384_init(ks, k);
 }
 
 /**
@@ -136,7 +137,7 @@ static void skinny_aead_128_384_init
 #define skinny_aead_128_384_update_lfsr(lfsr) \
 do { \
 uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \
- (lfsr) = ((lfsr) << 1) | feedback; \
+ (lfsr) = ((lfsr) << 1) ^ feedback; \
 } while (0)
 
 /**
@@ -520,7 +521,7 @@ static void skinny_aead_128_256_init
 memset(k, 0, 16 - nonce_len);
 memcpy(k + 16 - nonce_len, nonce, nonce_len);
 memcpy(k + 16, key, 16);
- skinny_128_256_init(ks, k, 32);
+ skinny_128_256_init(ks, k);
 }
 
 /**
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/aead-common.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/aead-common.c
similarity index 100%
rename from elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/aead-common.c
rename to skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/aead-common.c
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/aead-common.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/aead-common.h
similarity index 100%
rename from elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/aead-common.h
rename to skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/aead-common.h
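Review bot: `memset(k + 16 + nonce_len, 0, 16 - nonce_len)` in skinny_aead_128_384_init (and the unchanged arithmetic in the 256 variant) assumes `nonce_len <= 16`; with `unsigned nonce_len` a larger value wraps `16 - nonce_len` to a huge size and the memset runs off the end of `k`. The callers are presumably the fixed-nonce SKINNY-AEAD modes, so a comment on the parameter, `/* nonce_len must be <= 16 */`, or a debug assert would record that precondition where the arithmetic relies on it. The 48-byte `k` also still holds the raw key and nonce after `skinny_128_384_init` returns and is not cleared; worth a thought if the library's other init paths scrub their stack copies.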
diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/api.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/api.h similarity index 100% rename from ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/api.h rename to skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/api.h diff --git a/ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/encrypt.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/encrypt.c similarity index 86% rename from ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/encrypt.c rename to skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/encrypt.c index f32284a..97f599f 100644 --- a/ascon/Implementations/crypto_aead/ascon128v12/rhys-avr/encrypt.c +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/encrypt.c @@ -1,5 +1,4 @@ - -#include "ascon128.h" +#include "skinny-aead.h" int crypto_aead_encrypt (unsigned char *c, unsigned long long *clen, @@ -9,7 +8,7 @@ int crypto_aead_encrypt const unsigned char *npub, const unsigned char *k) { - return ascon128_aead_encrypt + return skinny_aead_m1_encrypt (c, clen, m, mlen, ad, adlen, nsec, npub, k); } @@ -21,6 +20,6 @@ int crypto_aead_decrypt const unsigned char *npub, const unsigned char *k) { - return ascon128_aead_decrypt + return skinny_aead_m1_decrypt (m, mlen, nsec, c, clen, ad, adlen, npub, k); } diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/internal-skinny128-avr.S b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/internal-skinny128-avr.S new file mode 100644 index 0000000..0fafa4e --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/internal-skinny128-avr.S 
@@ -0,0 +1,10099 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 256 +table_0: + .byte 101 + .byte 76 + .byte 106 + .byte 66 + .byte 75 + .byte 99 + .byte 67 + .byte 107 + .byte 85 + .byte 117 + .byte 90 + .byte 122 + .byte 83 + .byte 115 + .byte 91 + .byte 123 + .byte 53 + .byte 140 + .byte 58 + .byte 129 + .byte 137 + .byte 51 + .byte 128 + .byte 59 + .byte 149 + .byte 37 + .byte 152 + .byte 42 + .byte 144 + .byte 35 + .byte 153 + .byte 43 + .byte 229 + .byte 204 + .byte 232 + .byte 193 + .byte 201 + .byte 224 + .byte 192 + .byte 233 + .byte 213 + .byte 245 + .byte 216 + .byte 248 + .byte 208 + .byte 240 + .byte 217 + .byte 249 + .byte 165 + .byte 28 + .byte 168 + .byte 18 + .byte 27 + .byte 160 + .byte 19 + .byte 169 + .byte 5 + .byte 181 + .byte 10 + .byte 184 + .byte 3 + .byte 176 + .byte 11 + .byte 185 + .byte 50 + .byte 136 + .byte 60 + .byte 133 + .byte 141 + .byte 52 + .byte 132 + .byte 61 + .byte 145 + .byte 34 + .byte 156 + .byte 44 + .byte 148 + .byte 36 + .byte 157 + .byte 45 + .byte 98 + .byte 74 + .byte 108 + .byte 69 + .byte 77 + .byte 100 + .byte 68 + .byte 109 + .byte 82 + .byte 114 + .byte 92 + .byte 124 + .byte 84 + .byte 116 + .byte 93 + .byte 125 + .byte 161 + .byte 26 + .byte 172 + .byte 21 + .byte 29 + .byte 164 + .byte 20 + .byte 173 + .byte 2 + .byte 177 + .byte 12 + .byte 188 + .byte 4 + .byte 180 + .byte 13 + .byte 189 + .byte 225 + .byte 200 + .byte 236 + .byte 197 + .byte 205 + .byte 228 + .byte 196 + .byte 237 + .byte 209 + .byte 241 + .byte 220 + .byte 252 + .byte 212 + .byte 244 + .byte 221 + .byte 253 + .byte 54 + .byte 142 + .byte 56 + .byte 130 + .byte 139 + .byte 48 + .byte 131 + .byte 57 + .byte 150 + .byte 38 + .byte 154 + .byte 40 + .byte 147 + .byte 32 + .byte 155 + .byte 41 + .byte 102 + .byte 78 + .byte 104 + .byte 65 + .byte 73 + .byte 96 + .byte 64 + .byte 105 + .byte 86 + .byte 118 + .byte 88 + 
.byte 120 + .byte 80 + .byte 112 + .byte 89 + .byte 121 + .byte 166 + .byte 30 + .byte 170 + .byte 17 + .byte 25 + .byte 163 + .byte 16 + .byte 171 + .byte 6 + .byte 182 + .byte 8 + .byte 186 + .byte 0 + .byte 179 + .byte 9 + .byte 187 + .byte 230 + .byte 206 + .byte 234 + .byte 194 + .byte 203 + .byte 227 + .byte 195 + .byte 235 + .byte 214 + .byte 246 + .byte 218 + .byte 250 + .byte 211 + .byte 243 + .byte 219 + .byte 251 + .byte 49 + .byte 138 + .byte 62 + .byte 134 + .byte 143 + .byte 55 + .byte 135 + .byte 63 + .byte 146 + .byte 33 + .byte 158 + .byte 46 + .byte 151 + .byte 39 + .byte 159 + .byte 47 + .byte 97 + .byte 72 + .byte 110 + .byte 70 + .byte 79 + .byte 103 + .byte 71 + .byte 111 + .byte 81 + .byte 113 + .byte 94 + .byte 126 + .byte 87 + .byte 119 + .byte 95 + .byte 127 + .byte 162 + .byte 24 + .byte 174 + .byte 22 + .byte 31 + .byte 167 + .byte 23 + .byte 175 + .byte 1 + .byte 178 + .byte 14 + .byte 190 + .byte 7 + .byte 183 + .byte 15 + .byte 191 + .byte 226 + .byte 202 + .byte 238 + .byte 198 + .byte 207 + .byte 231 + .byte 199 + .byte 239 + .byte 210 + .byte 242 + .byte 222 + .byte 254 + .byte 215 + .byte 247 + .byte 223 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 256 +table_1: + .byte 172 + .byte 232 + .byte 104 + .byte 60 + .byte 108 + .byte 56 + .byte 168 + .byte 236 + .byte 170 + .byte 174 + .byte 58 + .byte 62 + .byte 106 + .byte 110 + .byte 234 + .byte 238 + .byte 166 + .byte 163 + .byte 51 + .byte 54 + .byte 102 + .byte 99 + .byte 227 + .byte 230 + .byte 225 + .byte 164 + .byte 97 + .byte 52 + .byte 49 + .byte 100 + .byte 161 + .byte 228 + .byte 141 + .byte 201 + .byte 73 + .byte 29 + .byte 77 + .byte 25 + .byte 137 + .byte 205 + .byte 139 + .byte 143 + .byte 27 + .byte 31 + .byte 75 + .byte 79 + .byte 203 + .byte 207 + .byte 133 + .byte 192 + .byte 64 + .byte 21 + .byte 69 + .byte 16 + .byte 128 + .byte 197 + .byte 130 + .byte 135 + .byte 18 + .byte 23 + .byte 66 + .byte 71 + 
.byte 194 + .byte 199 + .byte 150 + .byte 147 + .byte 3 + .byte 6 + .byte 86 + .byte 83 + .byte 211 + .byte 214 + .byte 209 + .byte 148 + .byte 81 + .byte 4 + .byte 1 + .byte 84 + .byte 145 + .byte 212 + .byte 156 + .byte 216 + .byte 88 + .byte 12 + .byte 92 + .byte 8 + .byte 152 + .byte 220 + .byte 154 + .byte 158 + .byte 10 + .byte 14 + .byte 90 + .byte 94 + .byte 218 + .byte 222 + .byte 149 + .byte 208 + .byte 80 + .byte 5 + .byte 85 + .byte 0 + .byte 144 + .byte 213 + .byte 146 + .byte 151 + .byte 2 + .byte 7 + .byte 82 + .byte 87 + .byte 210 + .byte 215 + .byte 157 + .byte 217 + .byte 89 + .byte 13 + .byte 93 + .byte 9 + .byte 153 + .byte 221 + .byte 155 + .byte 159 + .byte 11 + .byte 15 + .byte 91 + .byte 95 + .byte 219 + .byte 223 + .byte 22 + .byte 19 + .byte 131 + .byte 134 + .byte 70 + .byte 67 + .byte 195 + .byte 198 + .byte 65 + .byte 20 + .byte 193 + .byte 132 + .byte 17 + .byte 68 + .byte 129 + .byte 196 + .byte 28 + .byte 72 + .byte 200 + .byte 140 + .byte 76 + .byte 24 + .byte 136 + .byte 204 + .byte 26 + .byte 30 + .byte 138 + .byte 142 + .byte 74 + .byte 78 + .byte 202 + .byte 206 + .byte 53 + .byte 96 + .byte 224 + .byte 165 + .byte 101 + .byte 48 + .byte 160 + .byte 229 + .byte 50 + .byte 55 + .byte 162 + .byte 167 + .byte 98 + .byte 103 + .byte 226 + .byte 231 + .byte 61 + .byte 105 + .byte 233 + .byte 173 + .byte 109 + .byte 57 + .byte 169 + .byte 237 + .byte 59 + .byte 63 + .byte 171 + .byte 175 + .byte 107 + .byte 111 + .byte 235 + .byte 239 + .byte 38 + .byte 35 + .byte 179 + .byte 182 + .byte 118 + .byte 115 + .byte 243 + .byte 246 + .byte 113 + .byte 36 + .byte 241 + .byte 180 + .byte 33 + .byte 116 + .byte 177 + .byte 244 + .byte 44 + .byte 120 + .byte 248 + .byte 188 + .byte 124 + .byte 40 + .byte 184 + .byte 252 + .byte 42 + .byte 46 + .byte 186 + .byte 190 + .byte 122 + .byte 126 + .byte 250 + .byte 254 + .byte 37 + .byte 112 + .byte 240 + .byte 181 + .byte 117 + .byte 32 + .byte 176 + .byte 245 + .byte 34 + .byte 39 + .byte 178 + 
.byte 183 + .byte 114 + .byte 119 + .byte 242 + .byte 247 + .byte 45 + .byte 121 + .byte 249 + .byte 189 + .byte 125 + .byte 41 + .byte 185 + .byte 253 + .byte 43 + .byte 47 + .byte 187 + .byte 191 + .byte 123 + .byte 127 + .byte 251 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_2, @object + .size table_2, 256 +table_2: + .byte 0 + .byte 2 + .byte 4 + .byte 6 + .byte 8 + .byte 10 + .byte 12 + .byte 14 + .byte 16 + .byte 18 + .byte 20 + .byte 22 + .byte 24 + .byte 26 + .byte 28 + .byte 30 + .byte 32 + .byte 34 + .byte 36 + .byte 38 + .byte 40 + .byte 42 + .byte 44 + .byte 46 + .byte 48 + .byte 50 + .byte 52 + .byte 54 + .byte 56 + .byte 58 + .byte 60 + .byte 62 + .byte 65 + .byte 67 + .byte 69 + .byte 71 + .byte 73 + .byte 75 + .byte 77 + .byte 79 + .byte 81 + .byte 83 + .byte 85 + .byte 87 + .byte 89 + .byte 91 + .byte 93 + .byte 95 + .byte 97 + .byte 99 + .byte 101 + .byte 103 + .byte 105 + .byte 107 + .byte 109 + .byte 111 + .byte 113 + .byte 115 + .byte 117 + .byte 119 + .byte 121 + .byte 123 + .byte 125 + .byte 127 + .byte 128 + .byte 130 + .byte 132 + .byte 134 + .byte 136 + .byte 138 + .byte 140 + .byte 142 + .byte 144 + .byte 146 + .byte 148 + .byte 150 + .byte 152 + .byte 154 + .byte 156 + .byte 158 + .byte 160 + .byte 162 + .byte 164 + .byte 166 + .byte 168 + .byte 170 + .byte 172 + .byte 174 + .byte 176 + .byte 178 + .byte 180 + .byte 182 + .byte 184 + .byte 186 + .byte 188 + .byte 190 + .byte 193 + .byte 195 + .byte 197 + .byte 199 + .byte 201 + .byte 203 + .byte 205 + .byte 207 + .byte 209 + .byte 211 + .byte 213 + .byte 215 + .byte 217 + .byte 219 + .byte 221 + .byte 223 + .byte 225 + .byte 227 + .byte 229 + .byte 231 + .byte 233 + .byte 235 + .byte 237 + .byte 239 + .byte 241 + .byte 243 + .byte 245 + .byte 247 + .byte 249 + .byte 251 + .byte 253 + .byte 255 + .byte 1 + .byte 3 + .byte 5 + .byte 7 + .byte 9 + .byte 11 + .byte 13 + .byte 15 + .byte 17 + .byte 19 + .byte 21 + .byte 23 + .byte 25 + .byte 27 + .byte 29 + 
.byte 31 + .byte 33 + .byte 35 + .byte 37 + .byte 39 + .byte 41 + .byte 43 + .byte 45 + .byte 47 + .byte 49 + .byte 51 + .byte 53 + .byte 55 + .byte 57 + .byte 59 + .byte 61 + .byte 63 + .byte 64 + .byte 66 + .byte 68 + .byte 70 + .byte 72 + .byte 74 + .byte 76 + .byte 78 + .byte 80 + .byte 82 + .byte 84 + .byte 86 + .byte 88 + .byte 90 + .byte 92 + .byte 94 + .byte 96 + .byte 98 + .byte 100 + .byte 102 + .byte 104 + .byte 106 + .byte 108 + .byte 110 + .byte 112 + .byte 114 + .byte 116 + .byte 118 + .byte 120 + .byte 122 + .byte 124 + .byte 126 + .byte 129 + .byte 131 + .byte 133 + .byte 135 + .byte 137 + .byte 139 + .byte 141 + .byte 143 + .byte 145 + .byte 147 + .byte 149 + .byte 151 + .byte 153 + .byte 155 + .byte 157 + .byte 159 + .byte 161 + .byte 163 + .byte 165 + .byte 167 + .byte 169 + .byte 171 + .byte 173 + .byte 175 + .byte 177 + .byte 179 + .byte 181 + .byte 183 + .byte 185 + .byte 187 + .byte 189 + .byte 191 + .byte 192 + .byte 194 + .byte 196 + .byte 198 + .byte 200 + .byte 202 + .byte 204 + .byte 206 + .byte 208 + .byte 210 + .byte 212 + .byte 214 + .byte 216 + .byte 218 + .byte 220 + .byte 222 + .byte 224 + .byte 226 + .byte 228 + .byte 230 + .byte 232 + .byte 234 + .byte 236 + .byte 238 + .byte 240 + .byte 242 + .byte 244 + .byte 246 + .byte 248 + .byte 250 + .byte 252 + .byte 254 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_3, @object + .size table_3, 256 +table_3: + .byte 0 + .byte 128 + .byte 1 + .byte 129 + .byte 2 + .byte 130 + .byte 3 + .byte 131 + .byte 4 + .byte 132 + .byte 5 + .byte 133 + .byte 6 + .byte 134 + .byte 7 + .byte 135 + .byte 8 + .byte 136 + .byte 9 + .byte 137 + .byte 10 + .byte 138 + .byte 11 + .byte 139 + .byte 12 + .byte 140 + .byte 13 + .byte 141 + .byte 14 + .byte 142 + .byte 15 + .byte 143 + .byte 16 + .byte 144 + .byte 17 + .byte 145 + .byte 18 + .byte 146 + .byte 19 + .byte 147 + .byte 20 + .byte 148 + .byte 21 + .byte 149 + .byte 22 + .byte 150 + .byte 23 + .byte 151 + .byte 24 + .byte 152 + 
.byte 25 + .byte 153 + .byte 26 + .byte 154 + .byte 27 + .byte 155 + .byte 28 + .byte 156 + .byte 29 + .byte 157 + .byte 30 + .byte 158 + .byte 31 + .byte 159 + .byte 160 + .byte 32 + .byte 161 + .byte 33 + .byte 162 + .byte 34 + .byte 163 + .byte 35 + .byte 164 + .byte 36 + .byte 165 + .byte 37 + .byte 166 + .byte 38 + .byte 167 + .byte 39 + .byte 168 + .byte 40 + .byte 169 + .byte 41 + .byte 170 + .byte 42 + .byte 171 + .byte 43 + .byte 172 + .byte 44 + .byte 173 + .byte 45 + .byte 174 + .byte 46 + .byte 175 + .byte 47 + .byte 176 + .byte 48 + .byte 177 + .byte 49 + .byte 178 + .byte 50 + .byte 179 + .byte 51 + .byte 180 + .byte 52 + .byte 181 + .byte 53 + .byte 182 + .byte 54 + .byte 183 + .byte 55 + .byte 184 + .byte 56 + .byte 185 + .byte 57 + .byte 186 + .byte 58 + .byte 187 + .byte 59 + .byte 188 + .byte 60 + .byte 189 + .byte 61 + .byte 190 + .byte 62 + .byte 191 + .byte 63 + .byte 64 + .byte 192 + .byte 65 + .byte 193 + .byte 66 + .byte 194 + .byte 67 + .byte 195 + .byte 68 + .byte 196 + .byte 69 + .byte 197 + .byte 70 + .byte 198 + .byte 71 + .byte 199 + .byte 72 + .byte 200 + .byte 73 + .byte 201 + .byte 74 + .byte 202 + .byte 75 + .byte 203 + .byte 76 + .byte 204 + .byte 77 + .byte 205 + .byte 78 + .byte 206 + .byte 79 + .byte 207 + .byte 80 + .byte 208 + .byte 81 + .byte 209 + .byte 82 + .byte 210 + .byte 83 + .byte 211 + .byte 84 + .byte 212 + .byte 85 + .byte 213 + .byte 86 + .byte 214 + .byte 87 + .byte 215 + .byte 88 + .byte 216 + .byte 89 + .byte 217 + .byte 90 + .byte 218 + .byte 91 + .byte 219 + .byte 92 + .byte 220 + .byte 93 + .byte 221 + .byte 94 + .byte 222 + .byte 95 + .byte 223 + .byte 224 + .byte 96 + .byte 225 + .byte 97 + .byte 226 + .byte 98 + .byte 227 + .byte 99 + .byte 228 + .byte 100 + .byte 229 + .byte 101 + .byte 230 + .byte 102 + .byte 231 + .byte 103 + .byte 232 + .byte 104 + .byte 233 + .byte 105 + .byte 234 + .byte 106 + .byte 235 + .byte 107 + .byte 236 + .byte 108 + .byte 237 + .byte 109 + .byte 238 + .byte 110 + .byte 239 
+ .byte 111 + .byte 240 + .byte 112 + .byte 241 + .byte 113 + .byte 242 + .byte 114 + .byte 243 + .byte 115 + .byte 244 + .byte 116 + .byte 245 + .byte 117 + .byte 246 + .byte 118 + .byte 247 + .byte 119 + .byte 248 + .byte 120 + .byte 249 + .byte 121 + .byte 250 + .byte 122 + .byte 251 + .byte 123 + .byte 252 + .byte 124 + .byte 253 + .byte 125 + .byte 254 + .byte 126 + .byte 255 + .byte 127 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_4, @object + .size table_4, 112 +table_4: + .byte 1 + .byte 0 + .byte 3 + .byte 0 + .byte 7 + .byte 0 + .byte 15 + .byte 0 + .byte 15 + .byte 1 + .byte 14 + .byte 3 + .byte 13 + .byte 3 + .byte 11 + .byte 3 + .byte 7 + .byte 3 + .byte 15 + .byte 2 + .byte 14 + .byte 1 + .byte 12 + .byte 3 + .byte 9 + .byte 3 + .byte 3 + .byte 3 + .byte 7 + .byte 2 + .byte 14 + .byte 0 + .byte 13 + .byte 1 + .byte 10 + .byte 3 + .byte 5 + .byte 3 + .byte 11 + .byte 2 + .byte 6 + .byte 1 + .byte 12 + .byte 2 + .byte 8 + .byte 1 + .byte 0 + .byte 3 + .byte 1 + .byte 2 + .byte 2 + .byte 0 + .byte 5 + .byte 0 + .byte 11 + .byte 0 + .byte 7 + .byte 1 + .byte 14 + .byte 2 + .byte 12 + .byte 1 + .byte 8 + .byte 3 + .byte 1 + .byte 3 + .byte 3 + .byte 2 + .byte 6 + .byte 0 + .byte 13 + .byte 0 + .byte 11 + .byte 1 + .byte 6 + .byte 3 + .byte 13 + .byte 2 + .byte 10 + .byte 1 + .byte 4 + .byte 3 + .byte 9 + .byte 2 + .byte 2 + .byte 1 + .byte 4 + .byte 2 + .byte 8 + .byte 0 + .byte 1 + .byte 1 + .byte 2 + .byte 2 + .byte 4 + .byte 0 + .byte 9 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 2 + .byte 12 + .byte 0 + .byte 9 + .byte 1 + .byte 2 + .byte 3 + .byte 5 + .byte 2 + .byte 10 + .byte 0 + + .text +.global skinny_128_384_init + .type skinny_128_384_init, @function +skinny_128_384_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,12 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_384_init, .-skinny_128_384_init + + .text 
+.global skinny_128_384_encrypt + .type skinny_128_384_encrypt, @function +skinny_128_384_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + std Y+33,r18 + std Y+34,r19 + std Y+35,r20 + std Y+36,r21 + ldd r18,Z+36 + ldd r19,Z+37 + ldd r20,Z+38 + ldd r21,Z+39 + std Y+37,r18 + std Y+38,r19 + std Y+39,r20 + std Y+40,r21 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + std Y+41,r18 + std Y+42,r19 + std Y+43,r20 + std Y+44,r21 + ldd r18,Z+44 + ldd r19,Z+45 + ldd r20,Z+46 + ldd r21,Z+47 + std Y+45,r18 + std Y+46,r19 + std Y+47,r20 + std Y+48,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld 
r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +114: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z 
+#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + 
eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z 
+#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std 
Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + 
mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor 
r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 
+#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + 
ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + ldd r0,Y+40 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov 
r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if 
defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld 
r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov 
r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,80 + brne 5721f + rjmp 790f +5721: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + 
lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + 
out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 114b +790: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_encrypt, .-skinny_128_384_encrypt + +.global skinny_128_384_encrypt_tk_full + .set skinny_128_384_encrypt_tk_full,skinny_128_384_encrypt + + .text +.global skinny_128_384_decrypt + .type skinny_128_384_decrypt, @function +skinny_128_384_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r23 + std Y+2,r2 + std Y+3,r21 + std Y+4,r20 + std Y+5,r3 + std Y+6,r18 + std Y+7,r19 + std Y+8,r22 + std Y+9,r9 + std Y+10,r10 + std Y+11,r7 + std Y+12,r6 + std Y+13,r11 + std Y+14,r4 + std Y+15,r5 + std Y+16,r8 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r23 + std Y+18,r2 + std Y+19,r21 + std Y+20,r20 + std Y+21,r3 + std Y+22,r18 + std 
Y+23,r19 + std Y+24,r22 + std Y+25,r9 + std Y+26,r10 + std Y+27,r7 + std Y+28,r6 + std Y+29,r11 + std Y+30,r4 + std Y+31,r5 + std Y+32,r8 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + ldd r22,Z+36 + ldd r23,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+33,r23 + std Y+34,r2 + std Y+35,r21 + std Y+36,r20 + std Y+37,r3 + std Y+38,r18 + std Y+39,r19 + std Y+40,r22 + std Y+41,r9 + std Y+42,r10 + std Y+43,r7 + std Y+44,r6 + std Y+45,r11 + std Y+46,r4 + std Y+47,r5 + std Y+48,r8 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,20 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +122: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 122b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,20 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +150: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif 
defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 150b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,20 + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 +179: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 179b + std Y+33,r12 + std Y+34,r13 + std Y+35,r14 + std Y+36,r15 + std Y+37,r24 + std Y+38,r25 + std Y+39,r16 + std Y+40,r17 + ldi r26,20 + ldd r12,Y+41 + ldd r13,Y+42 + 
ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 +207: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 207b + std Y+41,r12 + std Y+42,r13 + std Y+43,r14 + std Y+44,r15 + std Y+45,r24 + std Y+46,r25 + std Y+47,r16 + std Y+48,r17 + ldi r26,80 +227: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 
+#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd 
r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif 
defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + 
ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm 
r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + 
ldd r0,Y+40 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov 
r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm 
r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + 
mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) 
+#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z 
+#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out 
_SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif 
defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + breq 903f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 227b +903: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_decrypt, .-skinny_128_384_decrypt + + .text +.global 
skinny_128_256_init + .type skinny_128_256_init, @function +skinny_128_256_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,8 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_256_init, .-skinny_128_256_init + + .text +.global skinny_128_256_encrypt + .type skinny_128_256_encrypt, @function +skinny_128_256_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi 
r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +82: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + 
eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 
+ std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + 
elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor 
r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std 
Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm 
r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor 
r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + 
std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if 
defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + 
eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,96 + breq 594f + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std 
Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 82b +594: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_encrypt, .-skinny_128_256_encrypt + +.global skinny_128_256_encrypt_tk_full + .set skinny_128_256_encrypt_tk_full,skinny_128_256_encrypt + + .text +.global skinny_128_256_decrypt + .type skinny_128_256_decrypt, @function +skinny_128_256_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + std Y+5,r22 + std Y+6,r23 + std Y+7,r2 + std Y+8,r3 + std Y+9,r4 + std Y+10,r5 + std Y+11,r6 + std Y+12,r7 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd 
r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + std Y+21,r22 + std Y+22,r23 + std Y+23,r2 + std Y+24,r3 + std Y+25,r4 + std Y+26,r5 + std Y+27,r6 + std Y+28,r7 + std Y+29,r8 + std Y+30,r9 + std Y+31,r10 + std Y+32,r11 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,24 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +90: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if 
defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 90b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,24 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +118: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 118b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + 
out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,96 +139: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + 
eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + 
ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor 
r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + 
elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if 
defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor 
r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 
+#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi 
r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + 
mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + 
breq 651f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 139b +651: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_decrypt, .-skinny_128_256_decrypt + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/internal-skinny128.c new file mode 100644 index 0000000..cb1fbda --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/internal-skinny128.c 
@@ -0,0 +1,801 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +#if !defined(__AVR__) + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. 
+ * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) +{ +#if !SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); + memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); +#else + /* Set the initial states of TK1, TK2, and TK3 */ + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. 
+ * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } +#endif +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else + const uint32_t *schedule = ks->k; +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; +#endif + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0x15; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 
+ 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_fast_forward_tk(TK2); + skinny128_fast_forward_tk(TK3); + for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { + /* Also fast-forward the LFSR's on every byte of TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + skinny128_LFSR3(TK3[2]); + skinny128_LFSR3(TK3[3]); + } +#endif + + /* Perform all decryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_inv_permute_tk(TK3); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); + skinny128_LFSR2(TK3[2]); + skinny128_LFSR2(TK3[3]); +#endif + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + 
le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK3[4]; + uint8_t rc = 0; +#else + const uint32_t *schedule = ks->k; +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. 
That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK3); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this 
round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) +{ +#if !SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); +#else + /* Set the initial states of TK1 and TK2 */ + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. 
+ * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } +#endif +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else + const uint32_t *schedule = ks->k; +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; +#endif + s2 ^= 0x02; + + /* Shift the cells in the rows right, which 
moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. 
+ * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + /* Also fast-forward the LFSR's on every byte of TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif + + /* Perform all decryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], 
unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. 
That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +#else /* __AVR__ */ + +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); +} + +#endif /* __AVR__ */ diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/internal-skinny128.h new file mode 100644 index 0000000..2bfda3c --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/internal-skinny128.h 
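Review bot: skinny_128_384_encrypt_tk_full and skinny_128_256_encrypt_tk_full expand the caller's whole tweakey (which, for the AEAD modes built on these primitives, carries the secret key) into the stack locals TK1/TK2/TK3 and return without clearing them, and the TK2/TK3 locals in the small-schedule paths of skinny_128_384_encrypt/decrypt are left behind the same way. On a target where the stack is later observable (fault handlers, debug dumps, co-resident tasks sharing RAM) that leaves round-key material behind after every block call. If internal-util.h, which is not visible here, provides a secure-clear helper, call it on those arrays just before the `le_store_word32` epilogue; a plain `memset` is not enough, because the compiler is free to drop a store into a local that is about to die. If no such helper exists, at least add a file-level comment stating that local tweakey copies are not wiped, so the AEAD layer can decide whether that matters for its deployment.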
@@ -0,0 +1,244 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LW_INTERNAL_SKINNY128_H
+#define LW_INTERNAL_SKINNY128_H
+
+/**
+ * \file internal-skinny128.h
+ * \brief SKINNY-128 block cipher family.
+ *
+ * References: https://eprint.iacr.org/2016/660.pdf,
+ * https://sites.google.com/site/skinnycipher/
+ */
+
+#include
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \def SKINNY_128_SMALL_SCHEDULE
+ * \brief Defined to 1 to use the small key schedule version of SKINNY-128.
+ */
+#if defined(__AVR__)
+#define SKINNY_128_SMALL_SCHEDULE 1
+#else
+#define SKINNY_128_SMALL_SCHEDULE 0
+#endif
+
+/**
+ * \brief Size of a block for SKINNY-128 block ciphers.
+ */
+#define SKINNY_128_BLOCK_SIZE 16
+
+/**
+ * \brief Number of rounds for SKINNY-128-384.
+ */
+#define SKINNY_128_384_ROUNDS 56
+
+/**
+ * \brief Structure of the key schedule for SKINNY-128-384.
+ */
+typedef struct
+{
+ /** TK1 for the tweakable part of the key schedule */
+ uint8_t TK1[16];
+
+#if SKINNY_128_SMALL_SCHEDULE
+ /** TK2 for the small key schedule */
+ uint8_t TK2[16];
+
+ /** TK3 for the small key schedule */
+ uint8_t TK3[16];
+#else
+ /** Words of the full key schedule */
+ uint32_t k[SKINNY_128_384_ROUNDS * 2];
+#endif
+
+} skinny_128_384_key_schedule_t;
+
+/**
+ * \brief Initializes the key schedule for SKINNY-128-384.
+ *
+ * \param ks Points to the key schedule to initialize.
+ * \param key Points to the key data.
+ */
+void skinny_128_384_init
+ (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-384.
+ *
+ * \param ks Points to the SKINNY-128-384 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ */
+void skinny_128_384_encrypt
+ (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Decrypts a 128-bit block with SKINNY-128-384.
+ *
+ * \param ks Points to the SKINNY-128-384 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ */
+void skinny_128_384_decrypt
+ (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly
+ * provided TK2 value.
+ *
+ * \param ks Points to the SKINNY-128-384 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ * \param tk2 TK2 value that should be updated on the fly.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ *
+ * This version is useful when both TK1 and TK2 change from block to block.
+ * When the key is initialized with skinny_128_384_init(), the TK2 part of
+ * the key value should be set to zero.
+ *
+ * \note Some versions of this function may modify the key schedule to
+ * copy tk2 into place.
+ */
+void skinny_128_384_encrypt_tk2
+ (skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input, const unsigned char *tk2);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-384 and a
+ * fully specified tweakey value.
+ *
+ * \param key Points to the 384-bit tweakey value.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ *
+ * This version is useful when the entire tweakey changes from block to
+ * block. It is slower than the other versions of SKINNY-128-384 but
+ * more memory-efficient.
+ */
+void skinny_128_384_encrypt_tk_full
+ (const unsigned char key[48], unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Number of rounds for SKINNY-128-256.
+ */
+#define SKINNY_128_256_ROUNDS 48
+
+/**
+ * \brief Structure of the key schedule for SKINNY-128-256.
+ */
+typedef struct
+{
+ /** TK1 for the tweakable part of the key schedule */
+ uint8_t TK1[16];
+
+#if SKINNY_128_SMALL_SCHEDULE
+ /** TK2 for the small key schedule */
+ uint8_t TK2[16];
+#else
+ /** Words of the full key schedule */
+ uint32_t k[SKINNY_128_256_ROUNDS * 2];
+#endif
+
+} skinny_128_256_key_schedule_t;
+
+/**
+ * \brief Initializes the key schedule for SKINNY-128-256.
+ *
+ * \param ks Points to the key schedule to initialize.
+ * \param key Points to the key data.
+ */
+void skinny_128_256_init
+ (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-256.
+ *
+ * \param ks Points to the SKINNY-128-256 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ */
+void skinny_128_256_encrypt
+ (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Decrypts a 128-bit block with SKINNY-128-256.
+ *
+ * \param ks Points to the SKINNY-128-256 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ */
+void skinny_128_256_decrypt
+ (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-256 and a
+ * fully specified tweakey value.
+ *
+ * \param key Points to the 256-bit tweakey value.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ *
+ * This version is useful when the entire tweakey changes from block to
+ * block. It is slower than the other versions of SKINNY-128-256 but
+ * more memory-efficient.
+ */
+void skinny_128_256_encrypt_tk_full
+ (const unsigned char key[32], unsigned char *output,
+ const unsigned char *input);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
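Review bot: SKINNY_128_SMALL_SCHEDULE is `#define`d straight from `__AVR__` with no `#ifndef` guard, so no other target can opt into the small schedule without a redefinition clash, and since internal-skinny128.c wraps its C implementation in `#if !defined(__AVR__)`, every `#if SKINNY_128_SMALL_SCHEDULE` branch in that file (the on-the-fly TK2/TK3 expansion, the LFSR fast-forward in both decrypt paths) is never compiled or exercised by this configuration. Either wrap the five-line definition in `#ifndef SKINNY_128_SMALL_SCHEDULE` … `#endif` so the build can select it, or remove the dead branches from the C file so readers do not take them for tested code. Separately, the docstrings of skinny_128_384_decrypt and skinny_128_256_decrypt end with `in-place encryption.`; they should read `in-place decryption.`. The `\param key` lines on both init functions say only `Points to the key data`, while the initializers in the .c read the buffer as TK1, TK2 and TK3 in consecutive 16-byte slices, so `\param key Points to the 48-byte tweakey: TK1, TK2, TK3, 16 bytes each.` (and the 32-byte TK1/TK2 form for the 256-bit variant) would spare callers a trip into the source.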
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-skinnyutil.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/internal-skinnyutil.h similarity index 100% rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-skinnyutil.h rename to skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/internal-skinnyutil.h diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/internal-util.h similarity index 100% rename from elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-util.h rename to skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/internal-util.h diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/skinny-aead.c new file mode 100644 index 0000000..7558527 --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/skinny-aead.c 
@@ -0,0 +1,804 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "skinny-aead.h"
+#include "internal-skinny128.h"
+#include "internal-util.h"
+#include
+
+aead_cipher_t const skinny_aead_m1_cipher = {
+ "SKINNY-AEAD-M1",
+ SKINNY_AEAD_KEY_SIZE,
+ SKINNY_AEAD_M1_NONCE_SIZE,
+ SKINNY_AEAD_M1_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ skinny_aead_m1_encrypt,
+ skinny_aead_m1_decrypt
+};
+
+aead_cipher_t const skinny_aead_m2_cipher = {
+ "SKINNY-AEAD-M2",
+ SKINNY_AEAD_KEY_SIZE,
+ SKINNY_AEAD_M2_NONCE_SIZE,
+ SKINNY_AEAD_M2_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ skinny_aead_m2_encrypt,
+ skinny_aead_m2_decrypt
+};
+
+aead_cipher_t const skinny_aead_m3_cipher = {
+ "SKINNY-AEAD-M3",
+ SKINNY_AEAD_KEY_SIZE,
+ SKINNY_AEAD_M3_NONCE_SIZE,
+ SKINNY_AEAD_M3_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ skinny_aead_m3_encrypt,
+ skinny_aead_m3_decrypt
+};
+
+aead_cipher_t const skinny_aead_m4_cipher = {
+ "SKINNY-AEAD-M4",
+ SKINNY_AEAD_KEY_SIZE,
+ SKINNY_AEAD_M4_NONCE_SIZE,
+ SKINNY_AEAD_M4_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ skinny_aead_m4_encrypt,
+ skinny_aead_m4_decrypt
+};
+
+aead_cipher_t const skinny_aead_m5_cipher = {
+ "SKINNY-AEAD-M5",
+ SKINNY_AEAD_KEY_SIZE,
+ SKINNY_AEAD_M5_NONCE_SIZE,
+ SKINNY_AEAD_M5_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ skinny_aead_m5_encrypt,
+ skinny_aead_m5_decrypt
+};
+
+aead_cipher_t const skinny_aead_m6_cipher = {
+ "SKINNY-AEAD-M6",
+ SKINNY_AEAD_KEY_SIZE,
+ SKINNY_AEAD_M6_NONCE_SIZE,
+ SKINNY_AEAD_M6_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ skinny_aead_m6_encrypt,
+ skinny_aead_m6_decrypt
+};
+
+/* Domain separator prefixes for all of the SKINNY-AEAD family members */
+#define DOMAIN_SEP_M1 0x00
+#define DOMAIN_SEP_M2 0x10
+#define DOMAIN_SEP_M3 0x08
+#define DOMAIN_SEP_M4 0x18
+#define DOMAIN_SEP_M5 0x10
+#define DOMAIN_SEP_M6 0x18
+
+/**
+ * \brief Initialize the key and nonce for SKINNY-128-384 based AEAD schemes.
+ *
+ * \param ks The key schedule to initialize.
+ * \param key Points to the 16 bytes of the key.
+ * \param nonce Points to the nonce.
+ * \param nonce_len Length of the nonce in bytes.
+ */
+static void skinny_aead_128_384_init
+ (skinny_128_384_key_schedule_t *ks, const unsigned char *key,
+ const unsigned char *nonce, unsigned nonce_len)
+{
+ unsigned char k[48];
+ memset(k, 0, 16);
+ memcpy(k + 16, nonce, nonce_len);
+ memset(k + 16 + nonce_len, 0, 16 - nonce_len);
+ memcpy(k + 32, key, 16);
+ skinny_128_384_init(ks, k);
+}
+
+/**
+ * \brief Set the domain separation value in the tweak for SKINNY-128-384.
+ *
+ * \param ks Key schedule for the block cipher.
+ * \param d Domain separation value to write into the tweak.
+ */
+#define skinny_aead_128_384_set_domain(ks,d) ((ks)->TK1[15] = (d))
+
+/**
+ * \brief Sets the LFSR field in the tweak for SKINNY-128-384.
+ *
+ * \param ks Key schedule for the block cipher.
+ * \param lfsr 64-bit LFSR value.
+ */
+#define skinny_aead_128_384_set_lfsr(ks,lfsr) le_store_word64((ks)->TK1, (lfsr))
+
+/**
+ * \brief Updates the LFSR value for SKINNY-128-384.
+ *
+ * \param lfsr 64-bit LFSR value to be updated.
+ */
+#define skinny_aead_128_384_update_lfsr(lfsr) \
+ do { \
+ uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \
+ (lfsr) = ((lfsr) << 1) ^ feedback; \
+ } while (0)
+
+/**
+ * \brief Authenticates the associated data for a SKINNY-128-384 based AEAD.
+ *
+ * \param ks The key schedule to use.
+ * \param prefix Domain separation prefix for the family member.
+ * \param tag Final tag to XOR the authentication checksum into.
+ * \param ad Points to the associated data.
+ * \param adlen Length of the associated data in bytes.
+ */
+static void skinny_aead_128_384_authenticate
+ (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
+ unsigned char tag[SKINNY_128_BLOCK_SIZE],
+ const unsigned char *ad, unsigned long long adlen)
+{
+ unsigned char block[SKINNY_128_BLOCK_SIZE];
+ uint64_t lfsr = 1;
+ skinny_aead_128_384_set_domain(ks, prefix | 2);
+ while (adlen >= SKINNY_128_BLOCK_SIZE) {
+ skinny_aead_128_384_set_lfsr(ks, lfsr);
+ skinny_128_384_encrypt(ks, block, ad);
+ lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
+ ad += SKINNY_128_BLOCK_SIZE;
+ adlen -= SKINNY_128_BLOCK_SIZE;
+ skinny_aead_128_384_update_lfsr(lfsr);
+ }
+ if (adlen > 0) {
+ unsigned temp = (unsigned)adlen;
+ skinny_aead_128_384_set_lfsr(ks, lfsr);
+ skinny_aead_128_384_set_domain(ks, prefix | 3);
+ memcpy(block, ad, temp);
+ block[temp] = 0x80;
+ memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1);
+ skinny_128_384_encrypt(ks, block, block);
+ lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
+ }
+}
+
+/**
+ * \brief Encrypts the plaintext for a SKINNY-128-384 based AEAD.
+ *
+ * \param ks The key schedule to use.
+ * \param prefix Domain separation prefix for the family member.
+ * \param sum Authenticated checksum over the plaintext.
+ * \param c Points to the buffer to receive the ciphertext.
+ * \param m Points to the plaintext buffer.
+ * \param mlen Number of bytes of plaintext to be encrypted.
+ */
+static void skinny_aead_128_384_encrypt
+ (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
+ unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c,
+ const unsigned char *m, unsigned long long mlen)
+{
+ unsigned char block[SKINNY_128_BLOCK_SIZE];
+ uint64_t lfsr = 1;
+ memset(sum, 0, SKINNY_128_BLOCK_SIZE);
+ skinny_aead_128_384_set_domain(ks, prefix | 0);
+ while (mlen >= SKINNY_128_BLOCK_SIZE) {
+ skinny_aead_128_384_set_lfsr(ks, lfsr);
+ lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
+ skinny_128_384_encrypt(ks, c, m);
+ c += SKINNY_128_BLOCK_SIZE;
+ m += SKINNY_128_BLOCK_SIZE;
+ mlen -= SKINNY_128_BLOCK_SIZE;
+ skinny_aead_128_384_update_lfsr(lfsr);
+ }
+ skinny_aead_128_384_set_lfsr(ks, lfsr);
+ if (mlen > 0) {
+ unsigned temp = (unsigned)mlen;
+ skinny_aead_128_384_set_domain(ks, prefix | 1);
+ lw_xor_block(sum, m, temp);
+ sum[temp] ^= 0x80;
+ memset(block, 0, SKINNY_128_BLOCK_SIZE);
+ skinny_128_384_encrypt(ks, block, block);
+ lw_xor_block_2_src(c, block, m, temp);
+ skinny_aead_128_384_update_lfsr(lfsr);
+ skinny_aead_128_384_set_lfsr(ks, lfsr);
+ skinny_aead_128_384_set_domain(ks, prefix | 5);
+ } else {
+ skinny_aead_128_384_set_domain(ks, prefix | 4);
+ }
+ skinny_128_384_encrypt(ks, sum, sum);
+}
+
+/**
+ * \brief Decrypts the ciphertext for a SKINNY-128-384 based AEAD.
+ *
+ * \param ks The key schedule to use.
+ * \param prefix Domain separation prefix for the family member.
+ * \param sum Authenticated checksum over the plaintext.
+ * \param m Points to the buffer to receive the plaintext.
+ * \param c Points to the ciphertext buffer.
+ * \param mlen Number of bytes of ciphertext to be decrypted.
+ */
+static void skinny_aead_128_384_decrypt
+ (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
+ unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m,
+ const unsigned char *c, unsigned long long mlen)
+{
+ unsigned char block[SKINNY_128_BLOCK_SIZE];
+ uint64_t lfsr = 1;
+ memset(sum, 0, SKINNY_128_BLOCK_SIZE);
+ skinny_aead_128_384_set_domain(ks, prefix | 0);
+ while (mlen >= SKINNY_128_BLOCK_SIZE) {
+ skinny_aead_128_384_set_lfsr(ks, lfsr);
+ skinny_128_384_decrypt(ks, m, c);
+ lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
+ c += SKINNY_128_BLOCK_SIZE;
+ m += SKINNY_128_BLOCK_SIZE;
+ mlen -= SKINNY_128_BLOCK_SIZE;
+ skinny_aead_128_384_update_lfsr(lfsr);
+ }
+ skinny_aead_128_384_set_lfsr(ks, lfsr);
+ if (mlen > 0) {
+ unsigned temp = (unsigned)mlen;
+ skinny_aead_128_384_set_domain(ks, prefix | 1);
+ memset(block, 0, SKINNY_128_BLOCK_SIZE);
+ skinny_128_384_encrypt(ks, block, block);
+ lw_xor_block_2_src(m, block, c, temp);
+ lw_xor_block(sum, m, temp);
+ sum[temp] ^= 0x80;
+ skinny_aead_128_384_update_lfsr(lfsr);
+ skinny_aead_128_384_set_lfsr(ks, lfsr);
+ skinny_aead_128_384_set_domain(ks, prefix | 5);
+ } else {
+ skinny_aead_128_384_set_domain(ks, prefix | 4);
+ }
+ skinny_128_384_encrypt(ks, sum, sum);
+}
+
+int skinny_aead_m1_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char sum[SKINNY_128_BLOCK_SIZE];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + SKINNY_AEAD_M1_TAG_SIZE;
+
+ /* Set up the key schedule with the key and the nonce */
+ skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE);
+
+ /* Encrypt to plaintext to produce the ciphertext */
+ skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M1, sum, c, m, mlen);
+
+ /* Process the associated data */
+ skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen);
+
+ /* Generate the authentication tag */
+ memcpy(c + mlen, sum, SKINNY_AEAD_M1_TAG_SIZE);
+ return 0;
+}
+
+int skinny_aead_m1_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char sum[SKINNY_128_BLOCK_SIZE];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < SKINNY_AEAD_M1_TAG_SIZE)
+ return -1;
+ *mlen = clen - SKINNY_AEAD_M1_TAG_SIZE;
+
+ /* Set up the key schedule with the key and the nonce */
+ skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE);
+
+ /* Decrypt to ciphertext to produce the plaintext */
+ skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M1, sum, m, c, *mlen);
+
+ /* Process the associated data */
+ skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen);
+
+ /* Check the authentication tag */
+ return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M1_TAG_SIZE);
+}
+
+int skinny_aead_m2_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char sum[SKINNY_128_BLOCK_SIZE];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + SKINNY_AEAD_M2_TAG_SIZE;
+
+ /* Set up the key schedule with the key and the nonce */
+ skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE);
+
+ /* Encrypt to plaintext to produce the ciphertext */
+ skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M2, sum, c, m, mlen);
+
+ /* Process the associated data */
+ skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen);
+
+ /* Generate the authentication tag */
+ memcpy(c + mlen, sum, SKINNY_AEAD_M2_TAG_SIZE);
+ return 0;
+}
+
+int skinny_aead_m2_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char sum[SKINNY_128_BLOCK_SIZE];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < SKINNY_AEAD_M2_TAG_SIZE)
+ return -1;
+ *mlen = clen - SKINNY_AEAD_M2_TAG_SIZE;
+
+ /* Set up the key schedule with the key and the nonce */
+ skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE);
+
+ /* Decrypt to ciphertext to produce the plaintext */
+ skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M2, sum, m, c, *mlen);
+
+ /* Process the associated data */
+ skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen);
+
+ /* Check the authentication tag */
+ return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M2_TAG_SIZE);
+}
+
+int skinny_aead_m3_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char sum[SKINNY_128_BLOCK_SIZE];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + SKINNY_AEAD_M3_TAG_SIZE;
+
+ /* Set up the key schedule with the key and the nonce */
+ skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE);
+
+ /* Encrypt to plaintext to produce the ciphertext */
+ skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M3, sum, c, m, mlen);
+
+ /* Process the associated data */
+ skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen);
+
+ /* Generate the authentication tag */
+ memcpy(c + mlen, sum, SKINNY_AEAD_M3_TAG_SIZE);
+ return 0;
+}
+
+int skinny_aead_m3_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char sum[SKINNY_128_BLOCK_SIZE];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < SKINNY_AEAD_M3_TAG_SIZE)
+ return -1;
+ *mlen = clen - SKINNY_AEAD_M3_TAG_SIZE;
+
+ /* Set up the key schedule with the key and the nonce */
+ skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE);
+
+ /* Decrypt to ciphertext to produce the plaintext */
+ skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M3, sum, m, c, *mlen);
+
+ /* Process the associated data */
+ skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen);
+
+ /* Check the authentication tag */
+ return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M3_TAG_SIZE);
+}
+
+int skinny_aead_m4_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char sum[SKINNY_128_BLOCK_SIZE];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + SKINNY_AEAD_M4_TAG_SIZE;
+
+ /* Set up the key schedule with the key and the nonce */
+ skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE);
+
+ /* Encrypt to plaintext to produce the ciphertext */
+ skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M4, sum, c, m, mlen);
+
+ /* Process the associated data */
+ skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen);
+
+ /* Generate the authentication tag */
+ memcpy(c + mlen, sum, SKINNY_AEAD_M4_TAG_SIZE);
+ return 0;
+}
+
+int skinny_aead_m4_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_384_key_schedule_t ks;
+ unsigned char sum[SKINNY_128_BLOCK_SIZE];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < SKINNY_AEAD_M4_TAG_SIZE)
+ return -1;
+ *mlen = clen - SKINNY_AEAD_M4_TAG_SIZE;
+
+ /* Set up the key schedule with the key and the nonce */
+ skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE);
+
+ /* Decrypt to ciphertext to produce the plaintext */
+ skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M4, sum, m, c, *mlen);
+
+ /* Process the associated data */
+ skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen);
+
+ /* Check the authentication tag */
+ return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M4_TAG_SIZE);
+}
+
+/**
+ * \brief Initialize the key and nonce for SKINNY-128-256 based AEAD schemes.
+ *
+ * \param ks The key schedule to initialize.
+ * \param key Points to the 16 bytes of the key.
+ * \param nonce Points to the nonce.
+ * \param nonce_len Length of the nonce in bytes.
+ */
+static void skinny_aead_128_256_init
+ (skinny_128_256_key_schedule_t *ks, const unsigned char *key,
+ const unsigned char *nonce, unsigned nonce_len)
+{
+ unsigned char k[32];
+ memset(k, 0, 16 - nonce_len);
+ memcpy(k + 16 - nonce_len, nonce, nonce_len);
+ memcpy(k + 16, key, 16);
+ skinny_128_256_init(ks, k);
+}
+
+/**
+ * \brief Set the domain separation value in the tweak for SKINNY-128-256.
+ *
+ * \param ks Key schedule for the block cipher.
+ * \param d Domain separation value to write into the tweak.
+ */
+#define skinny_aead_128_256_set_domain(ks,d) ((ks)->TK1[3] = (d))
+
+/**
+ * \brief Sets the LFSR field in the tweak for SKINNY-128-256.
+ *
+ * \param ks Key schedule for the block cipher.
+ * \param lfsr 24-bit LFSR value.
+ */
+#define skinny_aead_128_256_set_lfsr(ks,lfsr) \
+ do { \
+ (ks)->TK1[0] = (uint8_t)(lfsr); \
+ (ks)->TK1[1] = (uint8_t)((lfsr) >> 8); \
+ (ks)->TK1[2] = (uint8_t)((lfsr) >> 16); \
+ } while (0)
+
+/**
+ * \brief Updates the LFSR value for SKINNY-128-256.
+ *
+ * \param lfsr 24-bit LFSR value to be updated.
+ */
+#define skinny_aead_128_256_update_lfsr(lfsr) \
+ do { \
+ uint32_t feedback = ((lfsr) & (((uint32_t)1) << 23)) ? 0x1B : 0x00; \
+ (lfsr) = ((lfsr) << 1) ^ (feedback); \
+ } while (0)
+
+/**
+ * \brief Authenticates the associated data for a SKINNY-128-256 based AEAD.
+ *
+ * \param ks The key schedule to use.
+ * \param prefix Domain separation prefix for the family member.
+ * \param tag Final tag to XOR the authentication checksum into.
+ * \param ad Points to the associated data.
+ * \param adlen Length of the associated data in bytes.
+ */
+static void skinny_aead_128_256_authenticate
+ (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
+ unsigned char tag[SKINNY_128_BLOCK_SIZE],
+ const unsigned char *ad, unsigned long long adlen)
+{
+ unsigned char block[SKINNY_128_BLOCK_SIZE];
+ uint32_t lfsr = 1;
+ skinny_aead_128_256_set_domain(ks, prefix | 2);
+ while (adlen >= SKINNY_128_BLOCK_SIZE) {
+ skinny_aead_128_256_set_lfsr(ks, lfsr);
+ skinny_128_256_encrypt(ks, block, ad);
+ lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
+ ad += SKINNY_128_BLOCK_SIZE;
+ adlen -= SKINNY_128_BLOCK_SIZE;
+ skinny_aead_128_256_update_lfsr(lfsr);
+ }
+ if (adlen > 0) {
+ unsigned temp = (unsigned)adlen;
+ skinny_aead_128_256_set_lfsr(ks, lfsr);
+ skinny_aead_128_256_set_domain(ks, prefix | 3);
+ memcpy(block, ad, temp);
+ block[temp] = 0x80;
+ memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1);
+ skinny_128_256_encrypt(ks, block, block);
+ lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
+ }
+}
+
+/**
+ * \brief Encrypts the plaintext for a SKINNY-128-256 based AEAD.
+ *
+ * \param ks The key schedule to use.
+ * \param prefix Domain separation prefix for the family member.
+ * \param sum Authenticated checksum over the plaintext.
+ * \param c Points to the buffer to receive the ciphertext.
+ * \param m Points to the plaintext buffer.
+ * \param mlen Number of bytes of plaintext to be encrypted.
+ */
+static void skinny_aead_128_256_encrypt
+ (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
+ unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c,
+ const unsigned char *m, unsigned long long mlen)
+{
+ unsigned char block[SKINNY_128_BLOCK_SIZE];
+ uint32_t lfsr = 1;
+ memset(sum, 0, SKINNY_128_BLOCK_SIZE);
+ skinny_aead_128_256_set_domain(ks, prefix | 0);
+ while (mlen >= SKINNY_128_BLOCK_SIZE) {
+ skinny_aead_128_256_set_lfsr(ks, lfsr);
+ lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
+ skinny_128_256_encrypt(ks, c, m);
+ c += SKINNY_128_BLOCK_SIZE;
+ m += SKINNY_128_BLOCK_SIZE;
+ mlen -= SKINNY_128_BLOCK_SIZE;
+ skinny_aead_128_256_update_lfsr(lfsr);
+ }
+ skinny_aead_128_256_set_lfsr(ks, lfsr);
+ if (mlen > 0) {
+ unsigned temp = (unsigned)mlen;
+ skinny_aead_128_256_set_domain(ks, prefix | 1);
+ lw_xor_block(sum, m, temp);
+ sum[temp] ^= 0x80;
+ memset(block, 0, SKINNY_128_BLOCK_SIZE);
+ skinny_128_256_encrypt(ks, block, block);
+ lw_xor_block_2_src(c, block, m, temp);
+ skinny_aead_128_256_update_lfsr(lfsr);
+ skinny_aead_128_256_set_lfsr(ks, lfsr);
+ skinny_aead_128_256_set_domain(ks, prefix | 5);
+ } else {
+ skinny_aead_128_256_set_domain(ks, prefix | 4);
+ }
+ skinny_128_256_encrypt(ks, sum, sum);
+}
+
+/**
+ * \brief Decrypts the ciphertext for a SKINNY-128-256 based AEAD.
+ *
+ * \param ks The key schedule to use.
+ * \param prefix Domain separation prefix for the family member.
+ * \param sum Authenticated checksum over the plaintext.
+ * \param m Points to the buffer to receive the plaintext.
+ * \param c Points to the ciphertext buffer.
+ * \param mlen Number of bytes of ciphertext to be decrypted.
+ */
+static void skinny_aead_128_256_decrypt
+ (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
+ unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m,
+ const unsigned char *c, unsigned long long mlen)
+{
+ unsigned char block[SKINNY_128_BLOCK_SIZE];
+ uint32_t lfsr = 1;
+ memset(sum, 0, SKINNY_128_BLOCK_SIZE);
+ skinny_aead_128_256_set_domain(ks, prefix | 0);
+ while (mlen >= SKINNY_128_BLOCK_SIZE) {
+ skinny_aead_128_256_set_lfsr(ks, lfsr);
+ skinny_128_256_decrypt(ks, m, c);
+ lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
+ c += SKINNY_128_BLOCK_SIZE;
+ m += SKINNY_128_BLOCK_SIZE;
+ mlen -= SKINNY_128_BLOCK_SIZE;
+ skinny_aead_128_256_update_lfsr(lfsr);
+ }
+ skinny_aead_128_256_set_lfsr(ks, lfsr);
+ if (mlen > 0) {
+ unsigned temp = (unsigned)mlen;
+ skinny_aead_128_256_set_domain(ks, prefix | 1);
+ memset(block, 0, SKINNY_128_BLOCK_SIZE);
+ skinny_128_256_encrypt(ks, block, block);
+ lw_xor_block_2_src(m, block, c, temp);
+ lw_xor_block(sum, m, temp);
+ sum[temp] ^= 0x80;
+ skinny_aead_128_256_update_lfsr(lfsr);
+ skinny_aead_128_256_set_lfsr(ks, lfsr);
+ skinny_aead_128_256_set_domain(ks, prefix | 5);
+ } else {
+ skinny_aead_128_256_set_domain(ks, prefix | 4);
+ }
+ skinny_128_256_encrypt(ks, sum, sum);
+}
+
+int skinny_aead_m5_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_256_key_schedule_t ks;
+ unsigned char sum[SKINNY_128_BLOCK_SIZE];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + SKINNY_AEAD_M5_TAG_SIZE;
+
+ /* Set up the key schedule with the key and the nonce */
+ skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE);
+
+ /* Encrypt to plaintext to produce the ciphertext */
+ skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M5, sum, c, m, mlen);
+
+ /* Process the associated data */
+ skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen);
+
+ /* Generate the authentication tag */
+ memcpy(c + mlen, sum, SKINNY_AEAD_M5_TAG_SIZE);
+ return 0;
+}
+
+int skinny_aead_m5_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_256_key_schedule_t ks;
+ unsigned char sum[SKINNY_128_BLOCK_SIZE];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < SKINNY_AEAD_M5_TAG_SIZE)
+ return -1;
+ *mlen = clen - SKINNY_AEAD_M5_TAG_SIZE;
+
+ /* Set up the key schedule with the key and the nonce */
+ skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE);
+
+ /* Decrypt to ciphertext to produce the plaintext */
+ skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M5, sum, m, c, *mlen);
+
+ /* Process the associated data */
+ skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen);
+
+ /* Check the authentication tag */
+ return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M5_TAG_SIZE);
+}
+
+int skinny_aead_m6_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_256_key_schedule_t ks;
+ unsigned char sum[SKINNY_128_BLOCK_SIZE];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + SKINNY_AEAD_M6_TAG_SIZE;
+
+ /* Set up the key schedule with the key and the nonce */
+ skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE);
+
+ /* Encrypt to plaintext to produce the ciphertext */
+ skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M6, sum, c, m, mlen);
+
+ /* Process the associated data */
+ skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen);
+
+ /* Generate the authentication tag */
+ memcpy(c + mlen, sum, SKINNY_AEAD_M6_TAG_SIZE);
+ return 0;
+}
+
+int skinny_aead_m6_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ skinny_128_256_key_schedule_t ks;
+ unsigned char sum[SKINNY_128_BLOCK_SIZE];
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < SKINNY_AEAD_M6_TAG_SIZE)
+ return -1;
+ *mlen = clen - SKINNY_AEAD_M6_TAG_SIZE;
+
+ /* Set up the key schedule with the key and the nonce */
+ skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE);
+
+ /* Decrypt to ciphertext to produce the plaintext */
+ skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M6, sum, m, c, *mlen);
+
+ /* Process the associated data */
+ skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen);
+
+ /* Check the authentication tag */
+ return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M6_TAG_SIZE);
+}
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/forkae.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/skinny-aead.h
similarity index 58%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/forkae.h
rename to skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/skinny-aead.h
index 3e27b50..c6b54fb 100644
--- a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/forkae.h
+++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/skinny-aead.h
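Review bot: `skinny_aead_128_384_init` and `skinny_aead_128_256_init` silently require `nonce_len <= 16`: `memset(k + 16 + nonce_len, 0, 16 - nonce_len)` and `memset(k, 0, 16 - nonce_len)` compute an unsigned length that wraps for a longer nonce, and `k` is only 48 or 32 bytes. The six callers pass the `SKINNY_AEAD_M*_NONCE_SIZE` constants (16 or 12), so this is a documentation gap rather than a live bug, but both Doxygen blocks should state it, e.g. `\param nonce_len Length of the nonce in bytes; must not exceed 16.`. Separately, `k` in both init helpers holds the raw key and the `ks` key schedule lives on each public function's stack, and neither is cleared before return; if the library has a compiler-resistant wipe helper, one call at the end of each helper and wrapper would stop key material lingering on the stack. The decrypt paths write plaintext into `m` before `aead_check_tag` runs, so the API's security rests on that helper (defined in internal-util, not in this hunk) wiping `m` on mismatch, and a one-line comment above each call, e.g. `/* aead_check_tag is expected to zero m on tag mismatch */`, would make that dependency explicit. Finally, the six `skinny_aead_m*_encrypt`/`_decrypt` wrappers differ only in three constants, so a macro or a small descriptor struct would remove the duplication, though that is style only.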
@@ -20,50 +20,42 @@
 * DEALINGS IN THE SOFTWARE.
 */
-#ifndef LWCRYPTO_FORKAE_H
-#define LWCRYPTO_FORKAE_H
+#ifndef LWCRYPTO_SKINNY_AEAD_H
+#define LWCRYPTO_SKINNY_AEAD_H
 #include "aead-common.h"
 /**
- * \file forkae.h
- * \brief ForkAE authenticated encryption algorithm family.
- *
- * ForkAE is a family of authenticated encryption algorithms based on a
- * modified version of the SKINNY tweakable block cipher. The modifications
- * introduce "forking" where each input block produces two output blocks
- * for use in encryption and authentication. There are six members in
- * the ForkAE family:
- *
- * \li PAEF-ForkSkinny-64-192 has a 128-bit key, a 48-bit nonce, and a
- 64-bit authentication tag. The associated data and plaintext are
- limited to 216 bytes.
- * \li PAEF-ForkSkinny-128-192 has a 128-bit key, a 48-bit nonce, and a
- 128-bit authentication tag. The associated data and plaintext are
- limited to 217 bytes.
- * \li PAEF-ForkSkinny-128-256 has a 128-bit key, a 112-bit nonce, and a
- 128-bit authentication tag. The associated data and plaintext are
- limited to 217 bytes.
- * \li PAEF-ForkSkinny-128-288 has a 128-bit key, a 104-bit nonce, and a
- 128-bit authentication tag. The associated data and plaintext are
- limited to 257 bytes. This is the primary member of the family.
- * \li SAEF-ForkSkinny-128-192 has a 128-bit key, a 56-bit nonce, and a
- 128-bit authentication tag. The associated data and plaintext may be
- unlimited in size.
- * \li SAEF-ForkSkinny-128-256 has a 128-bit key, a 120-bit nonce, and a
- 128-bit authentication tag. The associated data and plaintext may be
- unlimited in size.
- *
- * The PAEF variants support parallel encryption and decryption for
- * higher throughput. The SAEF variants encrypt or decrypt blocks
- * sequentially.
- *
- * ForkAE is designed to be efficient on small packet sizes so most of
- * the PAEF algorithms have a limit of 64k or 128k on the amount of
- * payload in a single packet. Obviously the input can be split into
- * separate packets for larger amounts of data.
- *
- * References: https://www.esat.kuleuven.be/cosic/forkae/
+ * \file skinny-aead.h
+ * \brief Authenticated encryption based on the SKINNY block cipher.
+ *
+ * SKINNY-AEAD is a family of authenticated encryption algorithms
+ * that are built around the SKINNY tweakable block cipher. There
+ * are six members in the family:
+ *
+ * \li SKINNY-AEAD-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag,
+ based around the SKINNY-128-384 tweakable block cipher. This is the
+ primary member of the family.
+ * \li SKINNY-AEAD-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
+ based around the SKINNY-128-384 tweakable block cipher.
+ * \li SKINNY-AEAD-M3 has a 128-bit key, a 128-bit nonce, and a 64-bit tag,
+ based around the SKINNY-128-384 tweakable block cipher.
+ * \li SKINNY-AEAD-M4 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
+ based around the SKINNY-128-384 tweakable block cipher.
+ * \li SKINNY-AEAD-M5 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
+ based around the SKINNY-128-256 tweakable block cipher.
+ * \li SKINNY-AEAD-M6 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
+ based around the SKINNY-128-256 tweakable block cipher.
+ *
+ * The SKINNY-AEAD family also includes two hash algorithms:
+ *
+ * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the
+ * SKINNY-128-384 tweakable block cipher. This is the primary hashing
+ * member of the family.
+ * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the
+ * SKINNY-128-256 tweakable block cipher.
+ *
+ * References: https://sites.google.com/site/skinnycipher/home
 */
 #ifdef __cplusplus
@@ -71,131 +63,106 @@ extern "C" { #endif /** - * \brief Size of the key for PAEF-ForkSkinny-64-192. - */ -#define FORKAE_PAEF_64_192_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PAEF-ForkSkinny-64-192. - */ -#define FORKAE_PAEF_64_192_TAG_SIZE 8 - -/** - * \brief Size of the nonce for PAEF-ForkSkinny-64-192. - */ -#define FORKAE_PAEF_64_192_NONCE_SIZE 6 - -/** - * \brief Size of the key for PAEF-ForkSkinny-128-192. - */ -#define FORKAE_PAEF_128_192_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-192. - */ -#define FORKAE_PAEF_128_192_TAG_SIZE 16 - -/** - * \brief Size of the nonce for PAEF-ForkSkinny-128-192. + * \brief Size of the key for all SKINNY-AEAD family members. */ -#define FORKAE_PAEF_128_192_NONCE_SIZE 6 +#define SKINNY_AEAD_KEY_SIZE 16 /** - * \brief Size of the key for PAEF-ForkSkinny-128-256. + * \brief Size of the authentication tag for SKINNY-AEAD-M1. */ -#define FORKAE_PAEF_128_256_KEY_SIZE 16 +#define SKINNY_AEAD_M1_TAG_SIZE 16 /** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-256. + * \brief Size of the nonce for SKINNY-AEAD-M1. */ -#define FORKAE_PAEF_128_256_TAG_SIZE 16 +#define SKINNY_AEAD_M1_NONCE_SIZE 16 /** - * \brief Size of the nonce for PAEF-ForkSkinny-128-256. + * \brief Size of the authentication tag for SKINNY-AEAD-M2. */ -#define FORKAE_PAEF_128_256_NONCE_SIZE 14 +#define SKINNY_AEAD_M2_TAG_SIZE 16 /** - * \brief Size of the key for PAEF-ForkSkinny-128-288. + * \brief Size of the nonce for SKINNY-AEAD-M2. */ -#define FORKAE_PAEF_128_288_KEY_SIZE 16 +#define SKINNY_AEAD_M2_NONCE_SIZE 12 /** - * \brief Size of the authentication tag for PAEF-ForkSkinny-128-288. + * \brief Size of the authentication tag for SKINNY-AEAD-M3. */ -#define FORKAE_PAEF_128_288_TAG_SIZE 16 +#define SKINNY_AEAD_M3_TAG_SIZE 8 /** - * \brief Size of the nonce for PAEF-ForkSkinny-128-288. + * \brief Size of the nonce for SKINNY-AEAD-M3. 
*/ -#define FORKAE_PAEF_128_288_NONCE_SIZE 13 +#define SKINNY_AEAD_M3_NONCE_SIZE 16 /** - * \brief Size of the key for SAEF-ForkSkinny-128-192. + * \brief Size of the authentication tag for SKINNY-AEAD-M4. */ -#define FORKAE_SAEF_128_192_KEY_SIZE 16 +#define SKINNY_AEAD_M4_TAG_SIZE 8 /** - * \brief Size of the authentication tag for SAEF-ForkSkinny-128-192. + * \brief Size of the nonce for SKINNY-AEAD-M4. */ -#define FORKAE_SAEF_128_192_TAG_SIZE 16 +#define SKINNY_AEAD_M4_NONCE_SIZE 12 /** - * \brief Size of the nonce for SAEF-ForkSkinny-128-192. + * \brief Size of the authentication tag for SKINNY-AEAD-M5. */ -#define FORKAE_SAEF_128_192_NONCE_SIZE 7 +#define SKINNY_AEAD_M5_TAG_SIZE 16 /** - * \brief Size of the key for SAEF-ForkSkinny-128-256. + * \brief Size of the nonce for SKINNY-AEAD-M5. */ -#define FORKAE_SAEF_128_256_KEY_SIZE 16 +#define SKINNY_AEAD_M5_NONCE_SIZE 12 /** - * \brief Size of the authentication tag for SAEF-ForkSkinny-128-256. + * \brief Size of the authentication tag for SKINNY-AEAD-M6. */ -#define FORKAE_SAEF_128_256_TAG_SIZE 16 +#define SKINNY_AEAD_M6_TAG_SIZE 8 /** - * \brief Size of the nonce for SAEF-ForkSkinny-128-256. + * \brief Size of the nonce for SKINNY-AEAD-M6. */ -#define FORKAE_SAEF_128_256_NONCE_SIZE 15 +#define SKINNY_AEAD_M6_NONCE_SIZE 12 /** - * \brief Meta-information block for the PAEF-ForkSkinny-64-192 cipher. + * \brief Meta-information block for the SKINNY-AEAD-M1 cipher. */ -extern aead_cipher_t const forkae_paef_64_192_cipher; +extern aead_cipher_t const skinny_aead_m1_cipher; /** - * \brief Meta-information block for the PAEF-ForkSkinny-128-192 cipher. + * \brief Meta-information block for the SKINNY-AEAD-M2 cipher. */ -extern aead_cipher_t const forkae_paef_128_192_cipher; +extern aead_cipher_t const skinny_aead_m2_cipher; /** - * \brief Meta-information block for the PAEF-ForkSkinny-128-256 cipher. + * \brief Meta-information block for the SKINNY-AEAD-M3 cipher. 
*/ -extern aead_cipher_t const forkae_paef_128_256_cipher; +extern aead_cipher_t const skinny_aead_m3_cipher; /** - * \brief Meta-information block for the PAEF-ForkSkinny-128-288 cipher. + * \brief Meta-information block for the SKINNY-AEAD-M4 cipher. */ -extern aead_cipher_t const forkae_paef_128_288_cipher; +extern aead_cipher_t const skinny_aead_m4_cipher; /** - * \brief Meta-information block for the SAEF-ForkSkinny-128-192 cipher. + * \brief Meta-information block for the SKINNY-AEAD-M5 cipher. */ -extern aead_cipher_t const forkae_saef_128_192_cipher; +extern aead_cipher_t const skinny_aead_m5_cipher; /** - * \brief Meta-information block for the SAEF-ForkSkinny-128-256 cipher. + * \brief Meta-information block for the SKINNY-AEAD-M6 cipher. */ -extern aead_cipher_t const forkae_saef_128_256_cipher; +extern aead_cipher_t const skinny_aead_m6_cipher; /** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M1. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. + * the ciphertext and the 16 byte authentication tag. * \param m Buffer that contains the plaintext message to encrypt. * \param mlen Length of the plaintext message in bytes. * \param ad Buffer that contains associated data to authenticate 
@@ -203,15 +170,15 @@ extern aead_cipher_t const forkae_saef_128_256_cipher; * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_paef_64_192_aead_decrypt() + * \sa skinny_aead_m1_decrypt() */ -int forkae_paef_64_192_aead_encrypt +int skinny_aead_m1_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -220,7 +187,7 @@ int forkae_paef_64_192_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-64-192. + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M1. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. 
@@ -228,20 +195,20 @@ int forkae_paef_64_192_aead_encrypt * \param c Buffer that contains the ciphertext and authentication * tag to decrypt. * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. + * ciphertext and the 16 byte authentication tag. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_paef_64_192_aead_encrypt() + * \sa skinny_aead_m1_encrypt() */ -int forkae_paef_64_192_aead_decrypt +int skinny_aead_m1_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -250,7 +217,7 @@ int forkae_paef_64_192_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M2. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes 
@@ -262,15 +229,15 @@ int forkae_paef_64_192_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_paef_128_192_aead_decrypt() + * \sa skinny_aead_m2_decrypt() */ -int forkae_paef_128_192_aead_encrypt +int skinny_aead_m2_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -279,7 +246,7 @@ int forkae_paef_128_192_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-192. + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M2. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -292,15 +259,15 @@ int forkae_paef_128_192_aead_encrypt * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 6 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_paef_128_192_aead_encrypt() + * \sa skinny_aead_m2_encrypt() */ -int forkae_paef_128_192_aead_decrypt +int skinny_aead_m2_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, 
@@ -309,11 +276,11 @@ int forkae_paef_128_192_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M3. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. + * the ciphertext and the 8 byte authentication tag. * \param m Buffer that contains the plaintext message to encrypt. * \param mlen Length of the plaintext message in bytes. * \param ad Buffer that contains associated data to authenticate @@ -321,15 +288,15 @@ int forkae_paef_128_192_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 14 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_paef_128_256_aead_decrypt() + * \sa skinny_aead_m3_decrypt() */ -int forkae_paef_128_256_aead_encrypt +int skinny_aead_m3_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -338,7 +305,7 @@ int forkae_paef_128_256_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-256. + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M3. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. 
@@ -346,20 +313,20 @@ int forkae_paef_128_256_aead_encrypt * \param c Buffer that contains the ciphertext and authentication * tag to decrypt. * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. + * ciphertext and the 8 byte authentication tag. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 14 bytes in length. + * be 16 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_paef_128_256_aead_encrypt() + * \sa skinny_aead_m3_encrypt() */ -int forkae_paef_128_256_aead_decrypt +int skinny_aead_m3_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -368,11 +335,11 @@ int forkae_paef_128_256_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M4. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. + * the ciphertext and the 8 byte authentication tag. * \param m Buffer that contains the plaintext message to encrypt. * \param mlen Length of the plaintext message in bytes. * \param ad Buffer that contains associated data to authenticate 
@@ -380,15 +347,15 @@ int forkae_paef_128_256_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 13 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_paef_128_288_aead_decrypt() + * \sa skinny_aead_m4_decrypt() */ -int forkae_paef_128_288_aead_encrypt +int skinny_aead_m4_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -397,7 +364,7 @@ int forkae_paef_128_288_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with PAEF-ForkSkinny-128-288. + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M4. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. 
@@ -405,20 +372,20 @@ int forkae_paef_128_288_aead_encrypt * \param c Buffer that contains the ciphertext and authentication * tag to decrypt. * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. + * ciphertext and the 8 byte authentication tag. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 13 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_paef_128_288_aead_encrypt() + * \sa skinny_aead_m4_encrypt() */ -int forkae_paef_128_288_aead_decrypt +int skinny_aead_m4_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, @@ -427,7 +394,7 @@ int forkae_paef_128_288_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M5. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes 
@@ -439,15 +406,15 @@ int forkae_paef_128_288_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 7 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_saef_128_192_aead_decrypt() + * \sa skinny_aead_m5_decrypt() */ -int forkae_saef_128_192_aead_encrypt +int skinny_aead_m5_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -456,7 +423,7 @@ int forkae_saef_128_192_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-192. + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M5. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -469,15 +436,15 @@ int forkae_saef_128_192_aead_encrypt * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 7 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_saef_128_192_aead_encrypt() + * \sa skinny_aead_m5_encrypt() */ -int forkae_saef_128_192_aead_decrypt +int skinny_aead_m5_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, 
@@ -486,11 +453,11 @@ int forkae_saef_128_192_aead_decrypt const unsigned char *k); /** - * \brief Encrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M6. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. + * the ciphertext and the 8 byte authentication tag. * \param m Buffer that contains the plaintext message to encrypt. * \param mlen Length of the plaintext message in bytes. * \param ad Buffer that contains associated data to authenticate @@ -498,15 +465,15 @@ int forkae_saef_128_192_aead_decrypt * \param adlen Length of the associated data in bytes. * \param nsec Secret nonce - not used by this algorithm. * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to encrypt the packet. * * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa forkae_saef_128_256_aead_decrypt() + * \sa skinny_aead_m6_decrypt() */ -int forkae_saef_128_256_aead_encrypt +int skinny_aead_m6_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -515,7 +482,7 @@ int forkae_saef_128_256_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with SAEF-ForkSkinny-128-256. + * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M6. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. 
@@ -523,20 +490,20 @@ int forkae_saef_128_256_aead_encrypt * \param c Buffer that contains the ciphertext and authentication * tag to decrypt. * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. + * ciphertext and the 8 byte authentication tag. * \param ad Buffer that contains associated data to authenticate * along with the packet but which does not need to be encrypted. * \param adlen Length of the associated data in bytes. * \param npub Points to the public nonce for the packet which must - * be 15 bytes in length. + * be 12 bytes in length. * \param k Points to the 16 bytes of the key to use to decrypt the packet. * * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa forkae_saef_128_256_aead_encrypt() + * \sa skinny_aead_m6_encrypt() */ -int forkae_saef_128_256_aead_decrypt +int skinny_aead_m6_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/skinny-hash.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/skinny-hash.c new file mode 100644 index 0000000..0abdeff --- /dev/null +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/skinny-hash.c 
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "skinny-hash.h"
+#include "internal-skinny128.h"
+#include "internal-util.h"
+#include
+
+aead_hash_algorithm_t const skinny_tk3_hash_algorithm = {
+ "SKINNY-tk3-HASH",
+ sizeof(int),
+ SKINNY_HASH_SIZE,
+ AEAD_FLAG_NONE,
+ skinny_tk3_hash,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+aead_hash_algorithm_t const skinny_tk2_hash_algorithm = {
+ "SKINNY-tk2-HASH",
+ sizeof(int),
+ SKINNY_HASH_SIZE,
+ AEAD_FLAG_NONE,
+ skinny_tk2_hash,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+/**
+ * \brief Size of the permutation state for SKINNY-tk3-HASH.
+ */
+#define SKINNY_TK3_STATE_SIZE 48
+
+/**
+ * \brief Size of the permutation state for SKINNY-tk2-HASH.
+ */
+#define SKINNY_TK2_STATE_SIZE 32
+
+/**
+ * \brief Rate of absorbing data for SKINNY-tk3-HASH.
+ */
+#define SKINNY_TK3_HASH_RATE 16
+
+/**
+ * \brief Rate of absorbing data for SKINNY-tk2-HASH.
+ */
+#define SKINNY_TK2_HASH_RATE 4
+
+/**
+ * \brief Input block that is encrypted with the state for each
+ * block permutation of SKINNY-tk3-HASH or SKINNY-tk2-HASH.
+ */
+static unsigned char const skinny_hash_block[48] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+/**
+ * \brief Permutes the internal state for SKINNY-tk3-HASH.
+ *
+ * \param state The state to be permuted.
+ */
+static void skinny_tk3_permute(unsigned char state[SKINNY_TK3_STATE_SIZE])
+{
+ unsigned char temp[SKINNY_TK3_STATE_SIZE];
+ skinny_128_384_encrypt_tk_full(state, temp, skinny_hash_block);
+ skinny_128_384_encrypt_tk_full(state, temp + 16, skinny_hash_block + 16);
+ skinny_128_384_encrypt_tk_full(state, temp + 32, skinny_hash_block + 32);
+ memcpy(state, temp, SKINNY_TK3_STATE_SIZE);
+}
+
+/**
+ * \brief Permutes the internal state for SKINNY-tk2-HASH.
+ *
+ * \param state The state to be permuted.
+ */
+static void skinny_tk2_permute(unsigned char state[SKINNY_TK2_STATE_SIZE])
+{
+ unsigned char temp[SKINNY_TK2_STATE_SIZE];
+ skinny_128_256_encrypt_tk_full(state, temp, skinny_hash_block);
+ skinny_128_256_encrypt_tk_full(state, temp + 16, skinny_hash_block + 16);
+ memcpy(state, temp, SKINNY_TK2_STATE_SIZE);
+}
+
+int skinny_tk3_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ unsigned char state[SKINNY_TK3_STATE_SIZE];
+ unsigned temp;
+
+ /* Initialize the hash state */
+ memset(state, 0, sizeof(state));
+ state[SKINNY_TK3_HASH_RATE] = 0x80;
+
+ /* Process as many full blocks as possible */
+ while (inlen >= SKINNY_TK3_HASH_RATE) {
+ lw_xor_block(state, in, SKINNY_TK3_HASH_RATE);
+ skinny_tk3_permute(state);
+ in += SKINNY_TK3_HASH_RATE;
+ inlen -= SKINNY_TK3_HASH_RATE;
+ }
+
+ /* Pad and process the last block */
+ temp = (unsigned)inlen;
+ lw_xor_block(state, in, temp);
+ state[temp] ^= 0x80; /* padding */
+ skinny_tk3_permute(state);
+
+ /* Generate the hash output */
+ memcpy(out, state, 16);
+ skinny_tk3_permute(state);
+ memcpy(out + 16, state, 16);
+ return 0;
+}
+
+int skinny_tk2_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ unsigned char state[SKINNY_TK2_STATE_SIZE];
+ unsigned temp;
+
+ /* Initialize the hash state */
+ memset(state, 0, sizeof(state));
+ state[SKINNY_TK2_HASH_RATE] = 0x80;
+
+ /* Process as many full blocks as possible */
+ while (inlen >= SKINNY_TK2_HASH_RATE) {
+ lw_xor_block(state, in, SKINNY_TK2_HASH_RATE);
+ skinny_tk2_permute(state);
+ in += SKINNY_TK2_HASH_RATE;
+ inlen -= SKINNY_TK2_HASH_RATE;
+ }
+
+ /* Pad and process the last block */
+ temp = (unsigned)inlen;
+ lw_xor_block(state, in, temp);
+ state[temp] ^= 0x80; /* padding */
+ skinny_tk2_permute(state);
+
+ /* Generate the hash output */
+ memcpy(out, state, 16);
+ skinny_tk2_permute(state);
+ memcpy(out + 16, state, 16);
+ return 0;
+}
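Review bot: `skinny_tk3_hash` and `skinny_tk2_hash` return 0 unconditionally and never look at `out` or `in`, yet the declarations in this commit's skinny-hash.h hunk document `\return Returns zero on success or -1 if there was an error in the parameters`; either that header text should say the functions cannot fail, or both implementations should begin with `if (!out || (!in && inlen)) return -1;` so the contract and the code agree. The final `lw_xor_block(state, in, temp)` runs with `temp == 0` whenever `inlen` is a multiple of the rate, so for `inlen == 0` correctness rests on `lw_xor_block` accepting a zero length with whatever `in` the caller passed — that helper is not visible here. Neither function wipes `state` (nor do the permute helpers wipe `temp`) before returning; if these hashes are ever applied to key material, a wipe the compiler cannot elide would be worth adding, since a plain `memset` at the end of a function is routinely optimised away. The bare `#include` with no header name after `internal-util.h` looks like an extraction artefact (presumably the `<string.h>` that `memcpy`/`memset` need), so the include list cannot be confirmed from this page.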
diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-keccak.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/skinny-hash.h similarity index 53% rename from elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-keccak.h rename to skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/skinny-hash.h index 2ffef42..f75ce9f 100644 --- a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-keccak.h +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128+v1/rhys/skinny-hash.h @@ -20,14 +20,24 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LW_INTERNAL_KECCAK_H -#define LW_INTERNAL_KECCAK_H +#ifndef LWCRYPTO_SKINNY_HASH_H +#define LWCRYPTO_SKINNY_HASH_H -#include "internal-util.h" +#include "aead-common.h" /** - * \file internal-keccak.h - * \brief Internal implementation of the Keccak-p permutation. + * \file skinny-hash.h + * \brief Hash algorithms based on the SKINNY block cipher. + * + * The SKINNY-AEAD family includes two hash algorithms: + * + * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the + * SKINNY-128-384 tweakable block cipher. This is the primary hashing + * member of the family. + * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the + * SKINNY-128-256 tweakable block cipher. + * + * References: https://sites.google.com/site/skinnycipher/home */ #ifdef __cplusplus 
@@ -35,50 +45,49 @@ extern "C" { #endif /** - * \brief Size of the state for the Keccak-p[200] permutation. - */ -#define KECCAKP_200_STATE_SIZE 25 - -/** - * \brief Size of the state for the Keccak-p[400] permutation. + * \brief Size of the hash output for SKINNY-tk3-HASH and SKINNY-tk2-HASH. */ -#define KECCAKP_400_STATE_SIZE 50 +#define SKINNY_HASH_SIZE 32 /** - * \brief Structure of the internal state of the Keccak-p[200] permutation. + * \brief Meta-information block for the SKINNY-tk3-HASH algorithm. */ -typedef union -{ - uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */ - uint8_t B[25]; /**< Keccak-p[200] state as a byte array */ - -} keccakp_200_state_t; +extern aead_hash_algorithm_t const skinny_tk3_hash_algorithm; /** - * \brief Structure of the internal state of the Keccak-p[400] permutation. + * \brief Meta-information block for the SKINNY-tk2-HASH algorithm. */ -typedef union -{ - uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */ - uint8_t B[50]; /**< Keccak-p[400] state as a byte array */ - -} keccakp_400_state_t; +extern aead_hash_algorithm_t const skinny_tk2_hash_algorithm; /** - * \brief Permutes the Keccak-p[200] state. + * \brief Hashes a block of input data with SKINNY-tk3-HASH to + * generate a hash value. * - * \param state The Keccak-p[200] state to be permuted. + * \param out Buffer to receive the hash output which must be at least + * SKINNY_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. */ -void keccakp_200_permute(keccakp_200_state_t *state); +int skinny_tk3_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); /** - * \brief Permutes the Keccak-p[400] state, which is assumed to be in - * little-endian byte order. 
+ * \brief Hashes a block of input data with SKINNY-tk2-HASH to + * generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * SKINNY_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. * - * \param state The Keccak-p[400] state to be permuted. - * \param rounds The number of rounds to perform (up to 20). + * \return Returns zero on success or -1 if there was an error in the + * parameters. */ -void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds); +int skinny_tk2_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); #ifdef __cplusplus } diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/aead-common.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/aead-common.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/api.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/api.h
deleted file mode 100644
index b2f8a36..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/encrypt.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/encrypt.c
deleted file mode 100644
index 00e9d2e..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "skinny-aead.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return skinny_aead_m1_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return skinny_aead_m1_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-skinny128.c
deleted file mode 100644
index 579ced1..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-skinny128.c
+++ /dev/null
@@ -1,801 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-skinny128.h" -#include "internal-skinnyutil.h" -#include "internal-util.h" -#include - -#if !defined(__AVR__) - -STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) -{ - /* This function is used to fast-forward the TK1 tweak value - * to the value at the end of the key schedule for decryption. - * - * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 - * with 48 rounds does not need any fast forwarding applied. 
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds - * are equivalent to applying the permutation 8 times: - * - * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] - */ - uint32_t row0 = tk[0]; - uint32_t row1 = tk[1]; - uint32_t row2 = tk[2]; - uint32_t row3 = tk[3]; - tk[0] = ((row1 >> 8) & 0x0000FFFFU) | - ((row0 >> 8) & 0x00FF0000U) | - ((row0 << 8) & 0xFF000000U); - tk[1] = ((row1 >> 24) & 0x000000FFU) | - ((row0 << 8) & 0x00FFFF00U) | - ((row1 << 24) & 0xFF000000U); - tk[2] = ((row3 >> 8) & 0x0000FFFFU) | - ((row2 >> 8) & 0x00FF0000U) | - ((row2 << 8) & 0xFF000000U); - tk[3] = ((row3 >> 24) & 0x000000FFU) | - ((row2 << 8) & 0x00FFFF00U) | - ((row3 << 24) & 0xFF000000U); -} - -void skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) -{ -#if !SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; -#endif - -#if SKINNY_128_SMALL_SCHEDULE - /* Copy the input key as-is when using the small key schedule version */ - memcpy(ks->TK1, key, sizeof(ks->TK1)); - memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); - memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); -#else - /* Set the initial states of TK1, TK2, and TK3 */ - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - - /* Set up the key schedule using TK2 and TK3. TK1 is not added - * to the key schedule because we will derive that part of the - * schedule during encryption operations */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. 
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); - - /* Permute TK2 and TK3 for the next round */ - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - - /* Apply the LFSR's to TK2 and TK3 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } -#endif -} - -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_decrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint8_t rc = 0x15; -#else - const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1 */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 
+ 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Permute TK1 to fast-forward it to the end of the key schedule */ - skinny128_fast_forward_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_fast_forward_tk(TK2); - skinny128_fast_forward_tk(TK3); - for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { - // Also fast-forward the LFSR's on every byte of TK2 and TK3. - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR2(TK2[2]); - skinny128_LFSR2(TK2[3]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - skinny128_LFSR3(TK3[2]); - skinny128_LFSR3(TK3[3]); - } -#endif - - /* Perform all decryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Inverse permutation on TK1 for this round */ - skinny128_inv_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_inv_permute_tk(TK2); - skinny128_inv_permute_tk(TK3); - skinny128_LFSR3(TK2[2]); - skinny128_LFSR3(TK2[3]); - skinny128_LFSR2(TK3[2]); - skinny128_LFSR2(TK3[3]); -#endif - - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; - schedule -= 2; -#endif - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - 
le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK3[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); - TK2[0] = le_load_word32(tk2); - TK2[1] = le_load_word32(tk2 + 4); - TK2[2] = le_load_word32(tk2 + 8); - TK2[3] = le_load_word32(tk2 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; - s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. 
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK3); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t TK3[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this 
round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) -{ -#if !SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; -#endif - -#if SKINNY_128_SMALL_SCHEDULE - /* Copy the input key as-is when using the small key schedule version */ - memcpy(ks->TK1, key, sizeof(ks->TK1)); - memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); -#else - /* Set the initial states of TK1 and TK2 */ - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Set up the key schedule using TK2. TK1 is not added - * to the key schedule because we will derive that part of the - * schedule during encryption operations */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. 
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ (rc >> 4); - - /* Permute TK2 for the next round */ - skinny128_permute_tk(TK2); - - /* Apply the LFSR to TK2 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } -#endif -} - -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1 */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which 
moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0x09; -#else - const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1. - * There is no need to fast-forward TK1 because the value at - * the end of the key schedule is the same as at the start */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { - // Also fast-forward the LFSR's on every byte of TK2. 
- skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR2(TK2[2]); - skinny128_LFSR2(TK2[3]); - } -#endif - - /* Perform all decryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Inverse permutation on TK1 for this round */ - skinny128_inv_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_inv_permute_tk(TK2); - skinny128_LFSR3(TK2[2]); - skinny128_LFSR3(TK2[3]); -#endif - - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; - schedule -= 2; -#endif - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] 
= le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -#else /* __AVR__ */ - -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2) -{ - memcpy(ks->TK2, tk2, 16); - skinny_128_384_encrypt(ks, output, input); -} - -#endif /* __AVR__ */ diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-skinny128.h deleted file mode 100644 index 2bfda3c..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-skinny128.h +++ /dev/null 
@@ -1,244 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SKINNY128_H -#define LW_INTERNAL_SKINNY128_H - -/** - * \file internal-skinny128.h - * \brief SKINNY-128 block cipher family. - * - * References: https://eprint.iacr.org/2016/660.pdf, - * https://sites.google.com/site/skinnycipher/ - */ - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \def SKINNY_128_SMALL_SCHEDULE - * \brief Defined to 1 to use the small key schedule version of SKINNY-128. - */ -#if defined(__AVR__) -#define SKINNY_128_SMALL_SCHEDULE 1 -#else -#define SKINNY_128_SMALL_SCHEDULE 0 -#endif - -/** - * \brief Size of a block for SKINNY-128 block ciphers. - */ -#define SKINNY_128_BLOCK_SIZE 16 - -/** - * \brief Number of rounds for SKINNY-128-384. 
- */ -#define SKINNY_128_384_ROUNDS 56 - -/** - * \brief Structure of the key schedule for SKINNY-128-384. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; - - /** TK3 for the small key schedule */ - uint8_t TK3[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_384_ROUNDS * 2]; -#endif - -} skinny_128_384_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - */ -void skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_decrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly - * provided TK2 value. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. 
- * \param input Input buffer which must be at least 16 bytes in length. - * \param tk2 TK2 value that should be updated on the fly. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when both TK1 and TK2 change from block to block. - * When the key is initialized with skinny_128_384_init(), the TK2 part of - * the key value should be set to zero. - * - * \note Some versions of this function may modify the key schedule to - * copy tk2 into place. - */ -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and a - * fully specified tweakey value. - * - * \param key Points to the 384-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-384 but - * more memory-efficient. - */ -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input); - -/** - * \brief Number of rounds for SKINNY-128-256. - */ -#define SKINNY_128_256_ROUNDS 48 - -/** - * \brief Structure of the key schedule for SKINNY-128-256. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_256_ROUNDS * 2]; -#endif - -} skinny_128_256_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to initialize. 
- * \param key Points to the key data. - */ -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256 and a - * fully specified tweakey value. - * - * \param key Points to the 256-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-256 but - * more memory-efficient. - */ -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input); - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-skinnyutil.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-skinnyutil.h deleted file mode 100644 index 83136cb..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-skinnyutil.h +++ /dev/null 
@@ -1,328 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SKINNYUTIL_H -#define LW_INTERNAL_SKINNYUTIL_H - -/** - * \file internal-skinnyutil.h - * \brief Utilities to help implement SKINNY and its variants. 
- */ - -#include "internal-util.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/** @cond skinnyutil */ - -/* Utilities for implementing SKINNY-128 */ - -#define skinny128_LFSR2(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ - (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ - } while (0) - - -#define skinny128_LFSR3(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ - (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) -#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) - -#define skinny128_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint32_t row2 = tk[2]; \ - uint32_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 16) | (row3 >> 16); \ - tk[0] = ((row2 >> 8) & 0x000000FFU) | \ - ((row2 << 16) & 0x00FF0000U) | \ - ( row3 & 0xFF00FF00U); \ - tk[1] = ((row2 >> 16) & 0x000000FFU) | \ - (row2 & 0xFF000000U) | \ - ((row3 << 8) & 0x0000FF00U) | \ - ( row3 & 0x00FF0000U); \ - } while (0) - -#define skinny128_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint32_t row0 = tk[0]; \ - uint32_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 >> 16) & 0x000000FFU) | \ - ((row0 << 8) & 0x0000FF00U) | \ - ((row1 << 16) & 0x00FF0000U) | \ - ( row1 & 0xFF000000U); \ - tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ - ((row0 << 16) & 0xFF000000U) | \ - ((row1 >> 16) & 0x000000FFU) | \ - ((row1 << 8) & 0x00FF0000U); \ - } while (0) - -/* - * Apply the SKINNY sbox. 
The original version from the specification is - * equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE(x) - * ((((x) & 0x01010101U) << 2) | - * (((x) & 0x06060606U) << 5) | - * (((x) & 0x20202020U) >> 5) | - * (((x) & 0xC8C8C8C8U) >> 2) | - * (((x) & 0x10101010U) >> 1)) - * - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * return SBOX_SWAP(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ - y = (((x >> 5) & (x << 1)) & 0x04040404U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ - x = ((x & 0x08080808U) << 1) | \ - ((x & 0x32323232U) << 2) | \ - ((x & 0x01010101U) << 5) | \ - ((x & 0x80808080U) >> 6) | \ - ((x & 0x40404040U) >> 4) | \ - ((x & 0x04040404U) >> 2); \ -} while (0) - -/* - * Apply the inverse of the SKINNY sbox. 
The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE_INV(x) - * ((((x) & 0x08080808U) << 1) | - * (((x) & 0x32323232U) << 2) | - * (((x) & 0x01010101U) << 5) | - * (((x) & 0xC0C0C0C0U) >> 5) | - * (((x) & 0x04040404U) >> 2)) - * - * x = SBOX_SWAP(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_inv_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ - x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ - y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ - x = ((x & 0x01010101U) << 2) | \ - ((x & 0x04040404U) << 4) | \ - ((x & 0x02020202U) << 6) | \ - ((x & 0x20202020U) >> 5) | \ - ((x & 0xC8C8C8C8U) >> 2) | \ - ((x & 0x10101010U) >> 1); \ -} while (0) - -/* Utilities for implementing SKINNY-64 */ - -#define skinny64_LFSR2(x) \ - do { \ - uint16_t _x = (x); \ - (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ - } while (0) - -#define skinny64_LFSR3(x) \ - do { \ - uint16_t _x = (x); 
\ - (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) -#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) - -#define skinny64_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint16_t row2 = tk[2]; \ - uint16_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 8) | (row3 >> 8); \ - tk[0] = ((row2 << 4) & 0xF000U) | \ - ((row2 >> 8) & 0x00F0U) | \ - ( row3 & 0x0F0FU); \ - tk[1] = ((row2 << 8) & 0xF000U) | \ - ((row3 >> 4) & 0x0F00U) | \ - ( row3 & 0x00F0U) | \ - ( row2 & 0x000FU); \ - } while (0) - -#define skinny64_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint16_t row0 = tk[0]; \ - uint16_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 << 8) & 0xF000U) | \ - ((row0 >> 4) & 0x0F00U) | \ - ((row1 >> 8) & 0x00F0U) | \ - ( row1 & 0x000FU); \ - tk[3] = ((row1 << 8) & 0xF000U) | \ - ((row0 << 8) & 0x0F00U) | \ - ((row1 >> 4) & 0x00F0U) | \ - ((row0 >> 8) & 0x000FU); \ - } while (0) - -/* - * Apply the SKINNY-64 sbox. The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT(x) - * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_SHIFT steps to be performed with one final rotation. - * This reduces the number of required shift operations from 14 to 10. 
- * - * We can further reduce the number of NOT operations from 4 to 2 - * using the technique from https://github.com/kste/skinny_avx to - * convert NOR-XOR operations into AND-XOR operations by converting - * the S-box into its NOT-inverse. - */ -#define skinny64_sbox(x) \ -do { \ - x = ~x; \ - x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ - x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ - x = ~x; \ - x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ -} while (0) - -/* - * Apply the inverse of the SKINNY-64 sbox. The original version - * from the specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT_INV(x) - * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * return SBOX_MIX(x); - */ -#define skinny64_inv_sbox(x) \ -do { \ - x = ~x; \ - x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ - x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ - x = ~x; \ - x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ -} while (0) - -/** @endcond */ - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define 
rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define 
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) 
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of 
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | 
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/skinny-aead.c
deleted file mode 100644
index 7558527..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/skinny-aead.c
+++ /dev/null
@@ -1,804 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "skinny-aead.h"
-#include "internal-skinny128.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const skinny_aead_m1_cipher = {
- "SKINNY-AEAD-M1",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M1_NONCE_SIZE,
- SKINNY_AEAD_M1_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m1_encrypt,
- skinny_aead_m1_decrypt
-};
-
-aead_cipher_t const skinny_aead_m2_cipher = {
- "SKINNY-AEAD-M2",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M2_NONCE_SIZE,
- SKINNY_AEAD_M2_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m2_encrypt,
- skinny_aead_m2_decrypt
-};
-
-aead_cipher_t const skinny_aead_m3_cipher = {
- "SKINNY-AEAD-M3",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M3_NONCE_SIZE,
- SKINNY_AEAD_M3_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m3_encrypt,
- skinny_aead_m3_decrypt
-};
-
-aead_cipher_t const skinny_aead_m4_cipher = {
- "SKINNY-AEAD-M4",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M4_NONCE_SIZE,
- SKINNY_AEAD_M4_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m4_encrypt,
- skinny_aead_m4_decrypt
-};
-
-aead_cipher_t const skinny_aead_m5_cipher = {
- "SKINNY-AEAD-M5",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M5_NONCE_SIZE,
- SKINNY_AEAD_M5_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m5_encrypt,
- skinny_aead_m5_decrypt
-};
-
-aead_cipher_t const skinny_aead_m6_cipher = {
- "SKINNY-AEAD-M6",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M6_NONCE_SIZE,
- SKINNY_AEAD_M6_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m6_encrypt,
- skinny_aead_m6_decrypt
-};
-
-/* Domain separator prefixes for all of the SKINNY-AEAD family members */
-#define DOMAIN_SEP_M1 0x00
-#define DOMAIN_SEP_M2 0x10
-#define DOMAIN_SEP_M3 0x08
-#define DOMAIN_SEP_M4 0x18
-#define DOMAIN_SEP_M5 0x10
-#define DOMAIN_SEP_M6 0x18
-
-/**
- * \brief Initialize the key and nonce for SKINNY-128-384 based AEAD schemes.
- *
- * \param ks The key schedule to initialize.
- * \param key Points to the 16 bytes of the key.
- * \param nonce Points to the nonce.
- * \param nonce_len Length of the nonce in bytes.
- */
-static void skinny_aead_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char *key,
- const unsigned char *nonce, unsigned nonce_len)
-{
- unsigned char k[48];
- memset(k, 0, 16);
- memcpy(k + 16, nonce, nonce_len);
- memset(k + 16 + nonce_len, 0, 16 - nonce_len);
- memcpy(k + 32, key, 16);
- skinny_128_384_init(ks, k);
-}
-
-/**
- * \brief Set the domain separation value in the tweak for SKINNY-128-384.
- *
- * \param ks Key schedule for the block cipher.
- * \param d Domain separation value to write into the tweak.
- */
-#define skinny_aead_128_384_set_domain(ks,d) ((ks)->TK1[15] = (d))
-
-/**
- * \brief Sets the LFSR field in the tweak for SKINNY-128-384.
- *
- * \param ks Key schedule for the block cipher.
- * \param lfsr 64-bit LFSR value.
- */
-#define skinny_aead_128_384_set_lfsr(ks,lfsr) le_store_word64((ks)->TK1, (lfsr))
-
-/**
- * \brief Updates the LFSR value for SKINNY-128-384.
- *
- * \param lfsr 64-bit LFSR value to be updated.
- */
-#define skinny_aead_128_384_update_lfsr(lfsr) \
- do { \
- uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \
- (lfsr) = ((lfsr) << 1) ^ feedback; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for a SKINNY-128-384 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param tag Final tag to XOR the authentication checksum into.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void skinny_aead_128_384_authenticate
- (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
- unsigned char tag[SKINNY_128_BLOCK_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint64_t lfsr = 1;
- skinny_aead_128_384_set_domain(ks, prefix | 2);
- while (adlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_128_384_encrypt(ks, block, ad);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- ad += SKINNY_128_BLOCK_SIZE;
- adlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_384_update_lfsr(lfsr);
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_aead_128_384_set_domain(ks, prefix | 3);
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1);
- skinny_128_384_encrypt(ks, block, block);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- }
-}
-
-/**
- * \brief Encrypts the plaintext for a SKINNY-128-384 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the plaintext buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void skinny_aead_128_384_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint64_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_384_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- skinny_128_384_encrypt(ks, c, m);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_384_update_lfsr(lfsr);
- }
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_384_set_domain(ks, prefix | 1);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_384_encrypt(ks, block, block);
- lw_xor_block_2_src(c, block, m, temp);
- skinny_aead_128_384_update_lfsr(lfsr);
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_aead_128_384_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_384_set_domain(ks, prefix | 4);
- }
- skinny_128_384_encrypt(ks, sum, sum);
-}
-
-/**
- * \brief Decrypts the ciphertext for a SKINNY-128-384 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the ciphertext buffer.
- * \param mlen Number of bytes of ciphertext to be decrypted.
- */
-static void skinny_aead_128_384_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m,
- const unsigned char *c, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint64_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_384_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_128_384_decrypt(ks, m, c);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_384_update_lfsr(lfsr);
- }
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_384_set_domain(ks, prefix | 1);
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_384_encrypt(ks, block, block);
- lw_xor_block_2_src(m, block, c, temp);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- skinny_aead_128_384_update_lfsr(lfsr);
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_aead_128_384_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_384_set_domain(ks, prefix | 4);
- }
- skinny_128_384_encrypt(ks, sum, sum);
-}
-
-int skinny_aead_m1_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M1_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M1, sum, c, m, mlen);
-
- /* Process the associated data */
- 
skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M1_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m1_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M1_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M1_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M1, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M1_TAG_SIZE);
-}
-
-int skinny_aead_m2_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M2_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M2, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, 
adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M2_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m2_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M2_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M2_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M2, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M2_TAG_SIZE);
-}
-
-int skinny_aead_m3_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M3_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M3, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + 
mlen, sum, SKINNY_AEAD_M3_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m3_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M3_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M3_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M3, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M3_TAG_SIZE);
-}
-
-int skinny_aead_m4_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M4_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M4, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M4_TAG_SIZE);
- return 0;
-}
-
-int 
skinny_aead_m4_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M4_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M4_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M4, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M4_TAG_SIZE);
-}
-
-/**
- * \brief Initialize the key and nonce for SKINNY-128-256 based AEAD schemes.
- *
- * \param ks The key schedule to initialize.
- * \param key Points to the 16 bytes of the key.
- * \param nonce Points to the nonce.
- * \param nonce_len Length of the nonce in bytes.
- */
-static void skinny_aead_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char *key,
- const unsigned char *nonce, unsigned nonce_len)
-{
- unsigned char k[32];
- memset(k, 0, 16 - nonce_len);
- memcpy(k + 16 - nonce_len, nonce, nonce_len);
- memcpy(k + 16, key, 16);
- skinny_128_256_init(ks, k);
-}
-
-/**
- * \brief Set the domain separation value in the tweak for SKINNY-128-256.
- *
- * \param ks Key schedule for the block cipher.
- * \param d Domain separation value to write into the tweak.
- */
-#define skinny_aead_128_256_set_domain(ks,d) ((ks)->TK1[3] = (d))
-
-/**
- * \brief Sets the LFSR field in the tweak for SKINNY-128-256.
- *
- * \param ks Key schedule for the block cipher.
- * \param lfsr 24-bit LFSR value.
- */
-#define skinny_aead_128_256_set_lfsr(ks,lfsr) \
- do { \
- (ks)->TK1[0] = (uint8_t)(lfsr); \
- (ks)->TK1[1] = (uint8_t)((lfsr) >> 8); \
- (ks)->TK1[2] = (uint8_t)((lfsr) >> 16); \
- } while (0)
-
-/**
- * \brief Updates the LFSR value for SKINNY-128-256.
- *
- * \param lfsr 24-bit LFSR value to be updated.
- */
-#define skinny_aead_128_256_update_lfsr(lfsr) \
- do { \
- uint32_t feedback = ((lfsr) & (((uint32_t)1) << 23)) ? 0x1B : 0x00; \
- (lfsr) = ((lfsr) << 1) ^ (feedback); \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for a SKINNY-128-256 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param tag Final tag to XOR the authentication checksum into.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void skinny_aead_128_256_authenticate
- (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
- unsigned char tag[SKINNY_128_BLOCK_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint32_t lfsr = 1;
- skinny_aead_128_256_set_domain(ks, prefix | 2);
- while (adlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_128_256_encrypt(ks, block, ad);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- ad += SKINNY_128_BLOCK_SIZE;
- adlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_256_update_lfsr(lfsr);
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_aead_128_256_set_domain(ks, prefix | 3);
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1);
- skinny_128_256_encrypt(ks, block, block);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- }
-}
-
-/**
- * \brief Encrypts the plaintext for a SKINNY-128-256 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the plaintext buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void skinny_aead_128_256_encrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint32_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_256_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- skinny_128_256_encrypt(ks, c, m);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_256_update_lfsr(lfsr);
- }
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_256_set_domain(ks, prefix | 1);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_256_encrypt(ks, block, block);
- lw_xor_block_2_src(c, block, m, temp);
- skinny_aead_128_256_update_lfsr(lfsr);
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_aead_128_256_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_256_set_domain(ks, prefix | 4);
- }
- skinny_128_256_encrypt(ks, sum, sum);
-}
-
-/**
- * \brief Decrypts the ciphertext for a SKINNY-128-256 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the ciphertext buffer.
- * \param mlen Number of bytes of ciphertext to be decrypted.
- */
-static void skinny_aead_128_256_decrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m,
- const unsigned char *c, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint32_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_256_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_128_256_decrypt(ks, m, c);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_256_update_lfsr(lfsr);
- }
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_256_set_domain(ks, prefix | 1);
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_256_encrypt(ks, block, block);
- lw_xor_block_2_src(m, block, c, temp);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- skinny_aead_128_256_update_lfsr(lfsr);
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_aead_128_256_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_256_set_domain(ks, prefix | 4);
- }
- skinny_128_256_encrypt(ks, sum, sum);
-}
-
-int skinny_aead_m5_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M5_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M5, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M5_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m5_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M5_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M5_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M5, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M5_TAG_SIZE);
-}
-
-int skinny_aead_m6_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M6_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M6, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M6_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m6_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M6_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M6_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M6, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M6_TAG_SIZE);
-}
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/skinny-aead.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/skinny-aead.h
deleted file mode 100644
index c6b54fb..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys-avr/skinny-aead.h
+++ /dev/null
@@ -1,518 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SKINNY_AEAD_H
-#define LWCRYPTO_SKINNY_AEAD_H
-
-#include "aead-common.h"
-
-/**
- * \file skinny-aead.h
- * \brief Authenticated encryption based on the SKINNY block cipher.
- *
- * SKINNY-AEAD is a family of authenticated encryption algorithms
- * that are built around the SKINNY tweakable block cipher. There
- * are six members in the family:
- *
- * \li SKINNY-AEAD-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher. This is the
- * primary member of the family.
- * \li SKINNY-AEAD-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M3 has a 128-bit key, a 128-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M4 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M5 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- * \li SKINNY-AEAD-M6 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- *
- * The SKINNY-AEAD family also includes two hash algorithms:
- *
- * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the
- * SKINNY-128-384 tweakable block cipher. This is the primary hashing
- * member of the family.
- * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the
- * SKINNY-128-256 tweakable block cipher.
- *
- * References: https://sites.google.com/site/skinnycipher/home
- *
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for all SKINNY-AEAD family members.
- */
-#define SKINNY_AEAD_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M1.
- */
-#define SKINNY_AEAD_M1_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M1.
- */
-#define SKINNY_AEAD_M1_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M2.
- */
-#define SKINNY_AEAD_M2_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M2.
- */
-#define SKINNY_AEAD_M2_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M3.
- */
-#define SKINNY_AEAD_M3_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M3.
- */
-#define SKINNY_AEAD_M3_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M4.
- */
-#define SKINNY_AEAD_M4_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M4.
- */
-#define SKINNY_AEAD_M4_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M5.
- */
-#define SKINNY_AEAD_M5_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M5.
- */
-#define SKINNY_AEAD_M5_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M6.
- */
-#define SKINNY_AEAD_M6_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M6.
- */
-#define SKINNY_AEAD_M6_NONCE_SIZE 12
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M1 cipher.
- */
-extern aead_cipher_t const skinny_aead_m1_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M2 cipher.
- */
-extern aead_cipher_t const skinny_aead_m2_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M3 cipher.
- */
-extern aead_cipher_t const skinny_aead_m3_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M4 cipher.
- */
-extern aead_cipher_t const skinny_aead_m4_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M5 cipher.
- */
-extern aead_cipher_t const skinny_aead_m5_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M6 cipher.
- */
-extern aead_cipher_t const skinny_aead_m6_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M1.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m1_decrypt()
- */
-int skinny_aead_m1_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M1.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m1_encrypt()
- */
-int skinny_aead_m1_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M2.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m2_decrypt()
- */
-int skinny_aead_m2_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M2.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m2_encrypt()
- */
-int skinny_aead_m2_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M3.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m3_decrypt()
- */
-int skinny_aead_m3_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M3.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m3_encrypt()
- */
-int skinny_aead_m3_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M4.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m4_decrypt()
- */
-int skinny_aead_m4_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M4.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m4_encrypt()
- */
-int skinny_aead_m4_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M5.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m5_decrypt()
- */
-int skinny_aead_m5_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M5.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m5_encrypt()
- */
-int skinny_aead_m5_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M6.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m6_decrypt()
- */
-int skinny_aead_m6_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M6.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m6_encrypt()
- */
-int skinny_aead_m6_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128-avr.S b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128-avr.S
new file mode 100644
index 0000000..d342cd5
--- /dev/null
+++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128-avr.S
@@ -0,0 +1,10099 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 256 +table_0: + .byte 101 + .byte 76 + .byte 106 + .byte 66 + .byte 75 + .byte 99 + .byte 67 + .byte 107 + .byte 85 + .byte 117 + .byte 90 + .byte 122 + .byte 83 + .byte 115 + .byte 91 + .byte 123 + .byte 53 + .byte 140 + .byte 58 + .byte 129 + .byte 137 + .byte 51 + .byte 128 + .byte 59 + .byte 149 + .byte 37 + .byte 152 + .byte 42 + .byte 144 + .byte 35 + .byte 153 + .byte 43 + .byte 229 + .byte 204 + .byte 232 + .byte 193 + .byte 201 + .byte 224 + .byte 192 + .byte 233 + .byte 213 + .byte 245 + .byte 216 + .byte 248 + .byte 208 + .byte 240 + .byte 217 + .byte 249 + .byte 165 + .byte 28 + .byte 168 + .byte 18 + .byte 27 + .byte 160 + .byte 19 + .byte 169 + .byte 5 + .byte 181 + .byte 10 + .byte 184 + .byte 3 + .byte 176 + .byte 11 + .byte 185 + .byte 50 + .byte 136 + .byte 60 + .byte 133 + .byte 141 + .byte 52 + .byte 132 + .byte 61 + .byte 145 + .byte 34 + .byte 156 + .byte 44 + .byte 148 + .byte 36 + .byte 157 + .byte 45 + .byte 98 + .byte 74 + .byte 108 + .byte 69 + .byte 77 + .byte 100 + .byte 68 + .byte 109 + .byte 82 + .byte 114 + .byte 92 + .byte 124 + .byte 84 + .byte 116 + .byte 93 + .byte 125 + .byte 161 + .byte 26 + .byte 172 + .byte 21 + .byte 29 + .byte 164 + .byte 20 + .byte 173 + .byte 2 + .byte 177 + .byte 12 + .byte 188 + .byte 4 + .byte 180 + .byte 13 + .byte 189 + .byte 225 + .byte 200 + .byte 236 + .byte 197 + .byte 205 + .byte 228 + .byte 196 + .byte 237 + .byte 209 + .byte 241 + .byte 220 + .byte 252 + .byte 212 + .byte 244 + .byte 221 + .byte 253 + .byte 54 + .byte 142 + .byte 56 + .byte 130 + .byte 139 + .byte 48 + .byte 131 + .byte 57 + .byte 150 + .byte 38 + .byte 154 + .byte 40 + .byte 147 + .byte 32 + .byte 155 + .byte 41 + .byte 102 + .byte 78 + .byte 104 + .byte 65 + .byte 73 + .byte 96 + .byte 64 + .byte 105 + .byte 86 + .byte 118 + .byte 88 + 
.byte 120 + .byte 80 + .byte 112 + .byte 89 + .byte 121 + .byte 166 + .byte 30 + .byte 170 + .byte 17 + .byte 25 + .byte 163 + .byte 16 + .byte 171 + .byte 6 + .byte 182 + .byte 8 + .byte 186 + .byte 0 + .byte 179 + .byte 9 + .byte 187 + .byte 230 + .byte 206 + .byte 234 + .byte 194 + .byte 203 + .byte 227 + .byte 195 + .byte 235 + .byte 214 + .byte 246 + .byte 218 + .byte 250 + .byte 211 + .byte 243 + .byte 219 + .byte 251 + .byte 49 + .byte 138 + .byte 62 + .byte 134 + .byte 143 + .byte 55 + .byte 135 + .byte 63 + .byte 146 + .byte 33 + .byte 158 + .byte 46 + .byte 151 + .byte 39 + .byte 159 + .byte 47 + .byte 97 + .byte 72 + .byte 110 + .byte 70 + .byte 79 + .byte 103 + .byte 71 + .byte 111 + .byte 81 + .byte 113 + .byte 94 + .byte 126 + .byte 87 + .byte 119 + .byte 95 + .byte 127 + .byte 162 + .byte 24 + .byte 174 + .byte 22 + .byte 31 + .byte 167 + .byte 23 + .byte 175 + .byte 1 + .byte 178 + .byte 14 + .byte 190 + .byte 7 + .byte 183 + .byte 15 + .byte 191 + .byte 226 + .byte 202 + .byte 238 + .byte 198 + .byte 207 + .byte 231 + .byte 199 + .byte 239 + .byte 210 + .byte 242 + .byte 222 + .byte 254 + .byte 215 + .byte 247 + .byte 223 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 256 +table_1: + .byte 172 + .byte 232 + .byte 104 + .byte 60 + .byte 108 + .byte 56 + .byte 168 + .byte 236 + .byte 170 + .byte 174 + .byte 58 + .byte 62 + .byte 106 + .byte 110 + .byte 234 + .byte 238 + .byte 166 + .byte 163 + .byte 51 + .byte 54 + .byte 102 + .byte 99 + .byte 227 + .byte 230 + .byte 225 + .byte 164 + .byte 97 + .byte 52 + .byte 49 + .byte 100 + .byte 161 + .byte 228 + .byte 141 + .byte 201 + .byte 73 + .byte 29 + .byte 77 + .byte 25 + .byte 137 + .byte 205 + .byte 139 + .byte 143 + .byte 27 + .byte 31 + .byte 75 + .byte 79 + .byte 203 + .byte 207 + .byte 133 + .byte 192 + .byte 64 + .byte 21 + .byte 69 + .byte 16 + .byte 128 + .byte 197 + .byte 130 + .byte 135 + .byte 18 + .byte 23 + .byte 66 + .byte 71 + 
.byte 194 + .byte 199 + .byte 150 + .byte 147 + .byte 3 + .byte 6 + .byte 86 + .byte 83 + .byte 211 + .byte 214 + .byte 209 + .byte 148 + .byte 81 + .byte 4 + .byte 1 + .byte 84 + .byte 145 + .byte 212 + .byte 156 + .byte 216 + .byte 88 + .byte 12 + .byte 92 + .byte 8 + .byte 152 + .byte 220 + .byte 154 + .byte 158 + .byte 10 + .byte 14 + .byte 90 + .byte 94 + .byte 218 + .byte 222 + .byte 149 + .byte 208 + .byte 80 + .byte 5 + .byte 85 + .byte 0 + .byte 144 + .byte 213 + .byte 146 + .byte 151 + .byte 2 + .byte 7 + .byte 82 + .byte 87 + .byte 210 + .byte 215 + .byte 157 + .byte 217 + .byte 89 + .byte 13 + .byte 93 + .byte 9 + .byte 153 + .byte 221 + .byte 155 + .byte 159 + .byte 11 + .byte 15 + .byte 91 + .byte 95 + .byte 219 + .byte 223 + .byte 22 + .byte 19 + .byte 131 + .byte 134 + .byte 70 + .byte 67 + .byte 195 + .byte 198 + .byte 65 + .byte 20 + .byte 193 + .byte 132 + .byte 17 + .byte 68 + .byte 129 + .byte 196 + .byte 28 + .byte 72 + .byte 200 + .byte 140 + .byte 76 + .byte 24 + .byte 136 + .byte 204 + .byte 26 + .byte 30 + .byte 138 + .byte 142 + .byte 74 + .byte 78 + .byte 202 + .byte 206 + .byte 53 + .byte 96 + .byte 224 + .byte 165 + .byte 101 + .byte 48 + .byte 160 + .byte 229 + .byte 50 + .byte 55 + .byte 162 + .byte 167 + .byte 98 + .byte 103 + .byte 226 + .byte 231 + .byte 61 + .byte 105 + .byte 233 + .byte 173 + .byte 109 + .byte 57 + .byte 169 + .byte 237 + .byte 59 + .byte 63 + .byte 171 + .byte 175 + .byte 107 + .byte 111 + .byte 235 + .byte 239 + .byte 38 + .byte 35 + .byte 179 + .byte 182 + .byte 118 + .byte 115 + .byte 243 + .byte 246 + .byte 113 + .byte 36 + .byte 241 + .byte 180 + .byte 33 + .byte 116 + .byte 177 + .byte 244 + .byte 44 + .byte 120 + .byte 248 + .byte 188 + .byte 124 + .byte 40 + .byte 184 + .byte 252 + .byte 42 + .byte 46 + .byte 186 + .byte 190 + .byte 122 + .byte 126 + .byte 250 + .byte 254 + .byte 37 + .byte 112 + .byte 240 + .byte 181 + .byte 117 + .byte 32 + .byte 176 + .byte 245 + .byte 34 + .byte 39 + .byte 178 + 
.byte 183 + .byte 114 + .byte 119 + .byte 242 + .byte 247 + .byte 45 + .byte 121 + .byte 249 + .byte 189 + .byte 125 + .byte 41 + .byte 185 + .byte 253 + .byte 43 + .byte 47 + .byte 187 + .byte 191 + .byte 123 + .byte 127 + .byte 251 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_2, @object + .size table_2, 256 +table_2: + .byte 0 + .byte 2 + .byte 4 + .byte 6 + .byte 8 + .byte 10 + .byte 12 + .byte 14 + .byte 16 + .byte 18 + .byte 20 + .byte 22 + .byte 24 + .byte 26 + .byte 28 + .byte 30 + .byte 32 + .byte 34 + .byte 36 + .byte 38 + .byte 40 + .byte 42 + .byte 44 + .byte 46 + .byte 48 + .byte 50 + .byte 52 + .byte 54 + .byte 56 + .byte 58 + .byte 60 + .byte 62 + .byte 65 + .byte 67 + .byte 69 + .byte 71 + .byte 73 + .byte 75 + .byte 77 + .byte 79 + .byte 81 + .byte 83 + .byte 85 + .byte 87 + .byte 89 + .byte 91 + .byte 93 + .byte 95 + .byte 97 + .byte 99 + .byte 101 + .byte 103 + .byte 105 + .byte 107 + .byte 109 + .byte 111 + .byte 113 + .byte 115 + .byte 117 + .byte 119 + .byte 121 + .byte 123 + .byte 125 + .byte 127 + .byte 128 + .byte 130 + .byte 132 + .byte 134 + .byte 136 + .byte 138 + .byte 140 + .byte 142 + .byte 144 + .byte 146 + .byte 148 + .byte 150 + .byte 152 + .byte 154 + .byte 156 + .byte 158 + .byte 160 + .byte 162 + .byte 164 + .byte 166 + .byte 168 + .byte 170 + .byte 172 + .byte 174 + .byte 176 + .byte 178 + .byte 180 + .byte 182 + .byte 184 + .byte 186 + .byte 188 + .byte 190 + .byte 193 + .byte 195 + .byte 197 + .byte 199 + .byte 201 + .byte 203 + .byte 205 + .byte 207 + .byte 209 + .byte 211 + .byte 213 + .byte 215 + .byte 217 + .byte 219 + .byte 221 + .byte 223 + .byte 225 + .byte 227 + .byte 229 + .byte 231 + .byte 233 + .byte 235 + .byte 237 + .byte 239 + .byte 241 + .byte 243 + .byte 245 + .byte 247 + .byte 249 + .byte 251 + .byte 253 + .byte 255 + .byte 1 + .byte 3 + .byte 5 + .byte 7 + .byte 9 + .byte 11 + .byte 13 + .byte 15 + .byte 17 + .byte 19 + .byte 21 + .byte 23 + .byte 25 + .byte 27 + .byte 29 + 
.byte 31 + .byte 33 + .byte 35 + .byte 37 + .byte 39 + .byte 41 + .byte 43 + .byte 45 + .byte 47 + .byte 49 + .byte 51 + .byte 53 + .byte 55 + .byte 57 + .byte 59 + .byte 61 + .byte 63 + .byte 64 + .byte 66 + .byte 68 + .byte 70 + .byte 72 + .byte 74 + .byte 76 + .byte 78 + .byte 80 + .byte 82 + .byte 84 + .byte 86 + .byte 88 + .byte 90 + .byte 92 + .byte 94 + .byte 96 + .byte 98 + .byte 100 + .byte 102 + .byte 104 + .byte 106 + .byte 108 + .byte 110 + .byte 112 + .byte 114 + .byte 116 + .byte 118 + .byte 120 + .byte 122 + .byte 124 + .byte 126 + .byte 129 + .byte 131 + .byte 133 + .byte 135 + .byte 137 + .byte 139 + .byte 141 + .byte 143 + .byte 145 + .byte 147 + .byte 149 + .byte 151 + .byte 153 + .byte 155 + .byte 157 + .byte 159 + .byte 161 + .byte 163 + .byte 165 + .byte 167 + .byte 169 + .byte 171 + .byte 173 + .byte 175 + .byte 177 + .byte 179 + .byte 181 + .byte 183 + .byte 185 + .byte 187 + .byte 189 + .byte 191 + .byte 192 + .byte 194 + .byte 196 + .byte 198 + .byte 200 + .byte 202 + .byte 204 + .byte 206 + .byte 208 + .byte 210 + .byte 212 + .byte 214 + .byte 216 + .byte 218 + .byte 220 + .byte 222 + .byte 224 + .byte 226 + .byte 228 + .byte 230 + .byte 232 + .byte 234 + .byte 236 + .byte 238 + .byte 240 + .byte 242 + .byte 244 + .byte 246 + .byte 248 + .byte 250 + .byte 252 + .byte 254 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_3, @object + .size table_3, 256 +table_3: + .byte 0 + .byte 128 + .byte 1 + .byte 129 + .byte 2 + .byte 130 + .byte 3 + .byte 131 + .byte 4 + .byte 132 + .byte 5 + .byte 133 + .byte 6 + .byte 134 + .byte 7 + .byte 135 + .byte 8 + .byte 136 + .byte 9 + .byte 137 + .byte 10 + .byte 138 + .byte 11 + .byte 139 + .byte 12 + .byte 140 + .byte 13 + .byte 141 + .byte 14 + .byte 142 + .byte 15 + .byte 143 + .byte 16 + .byte 144 + .byte 17 + .byte 145 + .byte 18 + .byte 146 + .byte 19 + .byte 147 + .byte 20 + .byte 148 + .byte 21 + .byte 149 + .byte 22 + .byte 150 + .byte 23 + .byte 151 + .byte 24 + .byte 152 + 
.byte 25 + .byte 153 + .byte 26 + .byte 154 + .byte 27 + .byte 155 + .byte 28 + .byte 156 + .byte 29 + .byte 157 + .byte 30 + .byte 158 + .byte 31 + .byte 159 + .byte 160 + .byte 32 + .byte 161 + .byte 33 + .byte 162 + .byte 34 + .byte 163 + .byte 35 + .byte 164 + .byte 36 + .byte 165 + .byte 37 + .byte 166 + .byte 38 + .byte 167 + .byte 39 + .byte 168 + .byte 40 + .byte 169 + .byte 41 + .byte 170 + .byte 42 + .byte 171 + .byte 43 + .byte 172 + .byte 44 + .byte 173 + .byte 45 + .byte 174 + .byte 46 + .byte 175 + .byte 47 + .byte 176 + .byte 48 + .byte 177 + .byte 49 + .byte 178 + .byte 50 + .byte 179 + .byte 51 + .byte 180 + .byte 52 + .byte 181 + .byte 53 + .byte 182 + .byte 54 + .byte 183 + .byte 55 + .byte 184 + .byte 56 + .byte 185 + .byte 57 + .byte 186 + .byte 58 + .byte 187 + .byte 59 + .byte 188 + .byte 60 + .byte 189 + .byte 61 + .byte 190 + .byte 62 + .byte 191 + .byte 63 + .byte 64 + .byte 192 + .byte 65 + .byte 193 + .byte 66 + .byte 194 + .byte 67 + .byte 195 + .byte 68 + .byte 196 + .byte 69 + .byte 197 + .byte 70 + .byte 198 + .byte 71 + .byte 199 + .byte 72 + .byte 200 + .byte 73 + .byte 201 + .byte 74 + .byte 202 + .byte 75 + .byte 203 + .byte 76 + .byte 204 + .byte 77 + .byte 205 + .byte 78 + .byte 206 + .byte 79 + .byte 207 + .byte 80 + .byte 208 + .byte 81 + .byte 209 + .byte 82 + .byte 210 + .byte 83 + .byte 211 + .byte 84 + .byte 212 + .byte 85 + .byte 213 + .byte 86 + .byte 214 + .byte 87 + .byte 215 + .byte 88 + .byte 216 + .byte 89 + .byte 217 + .byte 90 + .byte 218 + .byte 91 + .byte 219 + .byte 92 + .byte 220 + .byte 93 + .byte 221 + .byte 94 + .byte 222 + .byte 95 + .byte 223 + .byte 224 + .byte 96 + .byte 225 + .byte 97 + .byte 226 + .byte 98 + .byte 227 + .byte 99 + .byte 228 + .byte 100 + .byte 229 + .byte 101 + .byte 230 + .byte 102 + .byte 231 + .byte 103 + .byte 232 + .byte 104 + .byte 233 + .byte 105 + .byte 234 + .byte 106 + .byte 235 + .byte 107 + .byte 236 + .byte 108 + .byte 237 + .byte 109 + .byte 238 + .byte 110 + .byte 239 
+ .byte 111 + .byte 240 + .byte 112 + .byte 241 + .byte 113 + .byte 242 + .byte 114 + .byte 243 + .byte 115 + .byte 244 + .byte 116 + .byte 245 + .byte 117 + .byte 246 + .byte 118 + .byte 247 + .byte 119 + .byte 248 + .byte 120 + .byte 249 + .byte 121 + .byte 250 + .byte 122 + .byte 251 + .byte 123 + .byte 252 + .byte 124 + .byte 253 + .byte 125 + .byte 254 + .byte 126 + .byte 255 + .byte 127 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_4, @object + .size table_4, 112 +table_4: + .byte 1 + .byte 0 + .byte 3 + .byte 0 + .byte 7 + .byte 0 + .byte 15 + .byte 0 + .byte 15 + .byte 1 + .byte 14 + .byte 3 + .byte 13 + .byte 3 + .byte 11 + .byte 3 + .byte 7 + .byte 3 + .byte 15 + .byte 2 + .byte 14 + .byte 1 + .byte 12 + .byte 3 + .byte 9 + .byte 3 + .byte 3 + .byte 3 + .byte 7 + .byte 2 + .byte 14 + .byte 0 + .byte 13 + .byte 1 + .byte 10 + .byte 3 + .byte 5 + .byte 3 + .byte 11 + .byte 2 + .byte 6 + .byte 1 + .byte 12 + .byte 2 + .byte 8 + .byte 1 + .byte 0 + .byte 3 + .byte 1 + .byte 2 + .byte 2 + .byte 0 + .byte 5 + .byte 0 + .byte 11 + .byte 0 + .byte 7 + .byte 1 + .byte 14 + .byte 2 + .byte 12 + .byte 1 + .byte 8 + .byte 3 + .byte 1 + .byte 3 + .byte 3 + .byte 2 + .byte 6 + .byte 0 + .byte 13 + .byte 0 + .byte 11 + .byte 1 + .byte 6 + .byte 3 + .byte 13 + .byte 2 + .byte 10 + .byte 1 + .byte 4 + .byte 3 + .byte 9 + .byte 2 + .byte 2 + .byte 1 + .byte 4 + .byte 2 + .byte 8 + .byte 0 + .byte 1 + .byte 1 + .byte 2 + .byte 2 + .byte 4 + .byte 0 + .byte 9 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 2 + .byte 12 + .byte 0 + .byte 9 + .byte 1 + .byte 2 + .byte 3 + .byte 5 + .byte 2 + .byte 10 + .byte 0 + + .text +.global skinny_128_384_init + .type skinny_128_384_init, @function +skinny_128_384_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,12 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_384_init, .-skinny_128_384_init + + .text 
+.global skinny_128_384_encrypt + .type skinny_128_384_encrypt, @function +skinny_128_384_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + std Y+33,r18 + std Y+34,r19 + std Y+35,r20 + std Y+36,r21 + ldd r18,Z+36 + ldd r19,Z+37 + ldd r20,Z+38 + ldd r21,Z+39 + std Y+37,r18 + std Y+38,r19 + std Y+39,r20 + std Y+40,r21 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + std Y+41,r18 + std Y+42,r19 + std Y+43,r20 + std Y+44,r21 + ldd r18,Z+44 + ldd r19,Z+45 + ldd r20,Z+46 + ldd r21,Z+47 + std Y+45,r18 + std Y+46,r19 + std Y+47,r20 + std Y+48,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld 
r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +114: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z 
+#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + 
eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z 
+#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std 
Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + 
mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor 
r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 
+#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + 
ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + ldd r0,Y+40 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov 
r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if 
defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld 
r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov 
r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,112 + brne 5721f + rjmp 790f +5721: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + 
lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + 
out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 114b +790: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_encrypt, .-skinny_128_384_encrypt + +.global skinny_128_384_encrypt_tk_full + .set skinny_128_384_encrypt_tk_full,skinny_128_384_encrypt + + .text +.global skinny_128_384_decrypt + .type skinny_128_384_decrypt, @function +skinny_128_384_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r23 + std Y+2,r2 + std Y+3,r21 + std Y+4,r20 + std Y+5,r3 + std Y+6,r18 + std Y+7,r19 + std Y+8,r22 + std Y+9,r9 + std Y+10,r10 + std Y+11,r7 + std Y+12,r6 + std Y+13,r11 + std Y+14,r4 + std Y+15,r5 + std Y+16,r8 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r23 + std Y+18,r2 + std Y+19,r21 + std Y+20,r20 + std Y+21,r3 + std Y+22,r18 + std 
Y+23,r19 + std Y+24,r22 + std Y+25,r9 + std Y+26,r10 + std Y+27,r7 + std Y+28,r6 + std Y+29,r11 + std Y+30,r4 + std Y+31,r5 + std Y+32,r8 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + ldd r22,Z+36 + ldd r23,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+33,r23 + std Y+34,r2 + std Y+35,r21 + std Y+36,r20 + std Y+37,r3 + std Y+38,r18 + std Y+39,r19 + std Y+40,r22 + std Y+41,r9 + std Y+42,r10 + std Y+43,r7 + std Y+44,r6 + std Y+45,r11 + std Y+46,r4 + std Y+47,r5 + std Y+48,r8 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,28 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +122: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 122b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,28 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +150: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif 
defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 150b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,28 + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 +179: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 179b + std Y+33,r12 + std Y+34,r13 + std Y+35,r14 + std Y+36,r15 + std Y+37,r24 + std Y+38,r25 + std Y+39,r16 + std Y+40,r17 + ldi r26,28 + ldd r12,Y+41 + ldd r13,Y+42 + 
ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 +207: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 207b + std Y+41,r12 + std Y+42,r13 + std Y+43,r14 + std Y+44,r15 + std Y+45,r24 + std Y+46,r25 + std Y+47,r16 + std Y+48,r17 + ldi r26,112 +227: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 
+#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd 
r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif 
defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + 
ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm 
r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + 
ldd r0,Y+40 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov 
r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm 
r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + 
mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) 
+#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z 
+#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out 
_SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif 
defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + breq 903f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 227b +903: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_decrypt, .-skinny_128_384_decrypt + + .text +.global 
skinny_128_256_init + .type skinny_128_256_init, @function +skinny_128_256_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,8 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_256_init, .-skinny_128_256_init + + .text +.global skinny_128_256_encrypt + .type skinny_128_256_encrypt, @function +skinny_128_256_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi 
r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +82: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + 
eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 
+ std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + 
elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor 
r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std 
Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm 
r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor 
r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + 
std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if 
defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + 
eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,96 + breq 594f + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std 
Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 82b +594: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_encrypt, .-skinny_128_256_encrypt + +.global skinny_128_256_encrypt_tk_full + .set skinny_128_256_encrypt_tk_full,skinny_128_256_encrypt + + .text +.global skinny_128_256_decrypt + .type skinny_128_256_decrypt, @function +skinny_128_256_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + std Y+5,r22 + std Y+6,r23 + std Y+7,r2 + std Y+8,r3 + std Y+9,r4 + std Y+10,r5 + std Y+11,r6 + std Y+12,r7 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd 
r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + std Y+21,r22 + std Y+22,r23 + std Y+23,r2 + std Y+24,r3 + std Y+25,r4 + std Y+26,r5 + std Y+27,r6 + std Y+28,r7 + std Y+29,r8 + std Y+30,r9 + std Y+31,r10 + std Y+32,r11 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,24 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +90: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if 
defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 90b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,24 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +118: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 118b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + 
out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,96 +139: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + 
eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + 
ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor 
r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + 
elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if 
defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor 
r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 
+#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi 
r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + 
mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + 
breq 651f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 139b +651: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_decrypt, .-skinny_128_256_decrypt + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.c index 65ba4ed..579ced1 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.c +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.c @@ -25,6 +25,8 @@ #include "internal-util.h" #include +#if !defined(__AVR__) + STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) { /* This function is used to fast-forward the TK1 tweak value 
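Review bot: With the whole C implementation now inside `#if !defined(__AVR__)`, the `SKINNY_128_SMALL_SCHEDULE` branches added further down this file are, as far as this diff shows, never compiled anywhere: the header hunk (@@ -39,6 +39,16 in internal-skinny128.h) fixes the macro to 1 only when `__AVR__` is defined, and on AVR this C body is excluded in favour of the assembly. That leaves the small-schedule encrypt/decrypt code, including the decryption LFSR seeds `0x15` and `0x09`, outside every test-vector run on a host. Making the header definition overridable, by wrapping the `#if defined(__AVR__)` … `#endif` block in `#if !defined(SKINNY_128_SMALL_SCHEDULE)` / `#endif`, lets a host build compile the small-schedule path and compare it against the full-schedule one.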
@@ -55,42 +57,33 @@ STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) ((row3 << 24) & 0xFF000000U); } -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t TK3[4]; uint32_t *schedule; unsigned round; uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || (key_len != 32 && key_len != 48)) - return 0; - +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); + memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); +#else /* Set the initial states of TK1, TK2, and TK3 */ - if (key_len == 32) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - TK3[0] = le_load_word32(key + 16); - TK3[1] = le_load_word32(key + 20); - TK3[2] = le_load_word32(key + 24); - TK3[3] = le_load_word32(key + 28); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); /* Set up the key schedule using TK2 and TK3. TK1 is not added * to the key schedule because we will derive that part of the 
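Review bot: The rewritten `skinny_128_384_init` drops the NULL and length checks together with the 32-byte key form that zeroed TK1, yet `const unsigned char key[48]` is still only a pointer, so a caller that keeps passing the old 32-byte key silently reads 16 bytes past its buffer into TK3. The same applies to `skinny_128_256_init` at @@ -408,33 +491,27, whose 16-byte form is gone. Because the header is also consumed from C++ (it sits in an `extern "C"` block), `key[static 48]` cannot carry the requirement, so the header hunk @@ -66,29 +84,9 needs to spell out the 48-byte layout instead. The function body continues past the end of this hunk.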
@@ -116,20 +109,7 @@ int skinny_128_384_init skinny128_LFSR3(TK3[0]); skinny128_LFSR3(TK3[1]); } - return 1; -} - -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_384_encrypt @@ -138,7 +118,13 @@ void skinny_128_384_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -148,14 +134,24 @@ void skinny_128_384_encrypt s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
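Review bot: The eight `TK2[i] = le_load_word32(ks->TK2 + ...)` / `TK3[i] = ...` lines added under `SKINNY_128_SMALL_SCHEDULE` are repeated almost verbatim in `skinny_128_384_decrypt` (@@ -215,15 +234,47), `skinny_128_384_encrypt_tk2` (@@ -284,9 +347,15) and the 256-bit encrypt/decrypt (@@ -494,18 +563,31 and @@ -558,12 +652,29), and the same four-line shape already exists for TK1 in every function. A file-local helper such as `static void skinny128_load_tk(uint32_t tk[4], const unsigned char *src)` performing the four `le_load_word32` calls would remove the duplication and keep the small-schedule and full-schedule load sequences from drifting apart. The enclosing functions start and end outside these hunks.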
@@ -163,8 +159,15 @@ void skinny_128_384_encrypt skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -185,6 +188,16 @@ void skinny_128_384_encrypt /* Permute TK1 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ @@ -200,7 +213,13 @@ void skinny_128_384_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0x15; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; 
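Review bot: `uint8_t rc = 0x15;` in the small-schedule `skinny_128_384_decrypt` is an unexplained magic value: it is the 6-bit round-constant LFSR state one step beyond round 56, chosen so that the first inverse update in the loop (`rc = (rc >> 1) ^ ...` at @@ -240,8 +291,15) yields the round-56 constant, and `0x09` at @@ -541,7 +630,12 plays the same role for the 48 rounds of SKINNY-128-256. Both values agree with the standard SKINNY constant sequence, but nothing in the file says where they come from, and since the small-schedule C path is not compiled in any current build a wrong seed would not be caught by test vectors. I would add `/* LFSR state after 57 updates; the first inverse step in the loop yields the round-56 constant */` beside the 0x15 and the 49/48 counterpart beside the 0x09. The decrypt body continues outside this hunk.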
@@ -215,15 +234,47 @@ void skinny_128_384_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Permute TK1 to fast-forward it to the end of the key schedule */ skinny128_fast_forward_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_fast_forward_tk(TK2); + skinny128_fast_forward_tk(TK3); + for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2 and TK3. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + skinny128_LFSR3(TK3[2]); + skinny128_LFSR3(TK3[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_inv_permute_tk(TK3); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); + skinny128_LFSR2(TK3[2]); + skinny128_LFSR2(TK3[3]); +#endif /* Inverse mix of the columns */ temp = s3; 
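Review bot: The fast-forward loop `for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2)` steps the LFSR on every word of TK2/TK3 exactly ROUNDS/2 times, which is only right if each tweakey cell sits in the two LFSR-stepped rows in alternate rounds (the encrypt side at @@ -185,6 +188,16 steps words 0 and 1 after each permutation) and ROUNDS is even; neither condition is stated, and the `//` comment breaks the `/* */` style used everywhere else in this file. I would replace the comment with `/* Each cell is LFSR-stepped in alternate rounds, so ROUNDS/2 steps per word bring TK2/TK3 to their end-of-schedule state (ROUNDS must be even) */`. The same loop and comment appear in `skinny_128_256_decrypt` at @@ -558,12 +652,29. The function body continues outside this hunk.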
@@ -240,8 +291,15 @@ void skinny_128_384_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ @@ -259,13 +317,18 @@ void skinny_128_384_decrypt } void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2) { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; uint32_t TK2[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -275,7 +338,7 @@ void skinny_128_384_encrypt_tk2 s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); @@ -284,9 +347,15 @@ void skinny_128_384_encrypt_tk2 TK2[1] = le_load_word32(tk2 + 4); TK2[2] = le_load_word32(tk2 + 8); TK2[3] = le_load_word32(tk2 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
@@ -294,8 +363,15 @@ void skinny_128_384_encrypt_tk2 skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -319,6 +395,13 @@ void skinny_128_384_encrypt_tk2 skinny128_permute_tk(TK2); skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK3); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -408,33 +491,27 @@ void skinny_128_384_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t *schedule; unsigned round; uint8_t rc; +#endif - /* Validate the parameters */ - if (!ks || !key || (key_len != 16 && key_len != 32)) - return 0; - +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); +#else /* Set the initial states of TK1 and TK2 */ - if (key_len == 16) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); /* Set up the key schedule using TK2. TK1 is not added * to the key schedule because we will derive that part of the @@ -457,20 +534,7 @@ int skinny_128_256_init skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); } - return 1; -} - -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_256_encrypt 
@@ -479,7 +543,12 @@ void skinny_128_256_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -494,18 +563,31 @@ void skinny_128_256_encrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); skinny128_sbox(s2); skinny128_sbox(s3); - /* Apply the subkey for this round */ + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -524,8 +606,15 @@ void skinny_128_256_encrypt s1 = s0; s0 = temp; - /* Permute TK1 for the next round */ + /* Permute TK1 and TK2 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -541,7 +630,12 @@ void skinny_128_256_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; @@ -558,12 +652,29 @@ void skinny_128_256_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif /* Inverse mix of the columns */ temp = s3; @@ -580,8 +691,15 @@ void skinny_128_256_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ 
@@ -670,142 +788,14 @@ void skinny_128_256_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len) -{ - uint32_t TK1[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || key_len != 16) - return 0; - - /* Set the initial state of TK1 */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); +#else /* __AVR__ */ - /* Set up the key schedule using TK1 */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. - * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK1[0] ^ (rc & 0x0F); - schedule[1] = TK1[1] ^ (rc >> 4); - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); - } - return 1; -} - -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) { - uint32_t s0, s1, s2, s3; - const uint32_t *schedule = ks->k; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; 
- s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); } -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - const uint32_t *schedule; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; - s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} +#endif /* __AVR__ */ 
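Review bot: The AVR `skinny_128_384_encrypt_tk2` wrapper leaves `ks->TK2` holding the caller's `tk2` after the call, whereas the C small-schedule and full-schedule versions never write `ks`; a caller that alternates `skinny_128_384_encrypt_tk2()` with plain `skinny_128_384_encrypt()`, which the header says expects TK2 to be zero, therefore gets different ciphertext on AVR than on other targets. The header's new `\note` at @@ -133,9 +131,12 says the schedule "may" be modified but not that TK2 stays overwritten. Either restore TK2 before returning or make the note precise: `\note On builds using the small key schedule, ks->TK2 is overwritten with tk2 and keeps that value after the call.`. This wrapper is also the only writer that motivated dropping `const` from `ks` in every variant of the function (@@ -259,13 +317,18).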
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.h index 76b34f5..2bfda3c 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.h +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-skinny128.h @@ -39,6 +39,16 @@ extern "C" { #endif /** + * \def SKINNY_128_SMALL_SCHEDULE + * \brief Defined to 1 to use the small key schedule version of SKINNY-128. + */ +#if defined(__AVR__) +#define SKINNY_128_SMALL_SCHEDULE 1 +#else +#define SKINNY_128_SMALL_SCHEDULE 0 +#endif + +/** * \brief Size of a block for SKINNY-128 block ciphers. */ #define SKINNY_128_BLOCK_SIZE 16 @@ -56,8 +66,16 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; + + /** TK3 for the small key schedule */ + uint8_t TK3[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_384_ROUNDS * 2]; +#endif } skinny_128_384_key_schedule_t; 
@@ -66,29 +84,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 32 or 48, - * where 32 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); /** * \brief Encrypts a 128-bit block with SKINNY-128-384. @@ -133,9 +131,12 @@ void skinny_128_384_decrypt * This version is useful when both TK1 and TK2 change from block to block. * When the key is initialized with skinny_128_384_init(), the TK2 part of * the key value should be set to zero. + * + * \note Some versions of this function may modify the key schedule to + * copy tk2 into place. */ void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2); /** @@ -170,8 +171,13 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_256_ROUNDS * 2]; +#endif } skinny_128_256_key_schedule_t; 
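Review bot: `\param key Points to the key data.` no longer tells the caller that exactly 48 bytes are read, nor that the former 32-byte form and the parameter validation are gone, and the deleted `\return` text has no replacement. I would write `\param key Points to the 48 bytes of key data, laid out as TK1, TK2, TK3 (16 bytes each); no parameter validation is performed.` here and the 32-byte counterpart for SKINNY-128-256 at @@ -180,29 +186,9. With `skinny_128_384_set_tweak()` and `skinny_128_256_set_tweak()` deleted, the `/** TK1 for the tweakable part of the key schedule */` field comments are now the natural place to say that the tweak is set by writing `ks->TK1` directly, since nothing else in the header says so.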
@@ -180,29 +186,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16 or 32, - * where 16 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); /** * \brief Encrypts a 128-bit block with SKINNY-128-256. 
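Review bot: As with the 384-bit variant, `skinny_128_256_init` now takes a bare `key[32]` with the length check removed, and `\param key Points to the key data.` is the only description left of what the 32 bytes must contain. The caller in skinny-aead.c in this diff places the padded nonce in bytes 0–15 and the key in bytes 16–31, which suggests TK1 in bytes 0–15 and TK2 in bytes 16–31; propose `\param key Points to the 32 bytes of key data: TK1 in bytes 0-15, TK2 in bytes 16-31.` once confirmed against the implementation.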
@@ -251,63 +237,6 @@ void skinny_128_256_encrypt_tk_full (const unsigned char key[32], unsigned char *output, const unsigned char *input); -/** - * \brief Number of rounds for SKINNY-128-128. - */ -#define SKINNY_128_128_ROUNDS 40 - -/** - * \brief Structure of the key schedule for SKINNY-128-128. - */ -typedef struct -{ - /** Words of the key schedule */ - uint32_t k[SKINNY_128_128_ROUNDS * 2]; - -} skinny_128_128_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-128. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - #ifdef __cplusplus } #endif 
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-util.h +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
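Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is hard-wired to `__AVR__` in the first hunk, so the sixty-odd composed rotation macros it enables can only ever be compiled on the target, where checking them against the generic rotates is awkward. Guarding the selection with `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` lets a host test build define `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and assert `leftRotateN(x) == leftRotate(x, N)` for every N before this goes onto hardware. The comment above the macro should also record that the composed path is purely a performance choice and must be bit-for-bit equivalent to the generic one.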
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.c index 2bb37e9..7558527 100644 
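Review bot: The composed macros nest the generic `leftRotate`/`rightRotate`, which from the context at the top of this file section appear to be GNU statement expressions each declaring a local `_temp`; a chain such as `leftRotate4` therefore declares `_temp` four times in nested scopes, which is legal but trips `-Wshadow` at every call site and relies on the GNU extension being available wherever `__AVR__` is. I traced every expansion and the rotation counts are correct, including the `rightRotateN(a)` → `leftRotate(32-N)` table, but a table this size deserves a host-side check comparing each `leftRotateN`/`rightRotateN` with `leftRotate(x, N)`/`rightRotate(x, N)` on a few bit patterns rather than review by eye. A one-line comment above the block, `/* Every composed macro must be bit-for-bit equal to leftRotate(a, N) */`, would make that expectation explicit for the next editor.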
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.c +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk3128128v1/rhys/skinny-aead.c @@ -105,11 +105,12 @@ static void skinny_aead_128_384_init (skinny_128_384_key_schedule_t *ks, const unsigned char *key, const unsigned char *nonce, unsigned nonce_len) { - unsigned char k[32]; - memcpy(k, nonce, nonce_len); - memset(k + nonce_len, 0, 16 - nonce_len); - memcpy(k + 16, key, 16); - skinny_128_384_init(ks, k, 32); + unsigned char k[48]; + memset(k, 0, 16); + memcpy(k + 16, nonce, nonce_len); + memset(k + 16 + nonce_len, 0, 16 - nonce_len); + memcpy(k + 32, key, 16); + skinny_128_384_init(ks, k); } /** @@ -136,7 +137,7 @@ static void skinny_aead_128_384_init #define skinny_aead_128_384_update_lfsr(lfsr) \ do { \ uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \ - (lfsr) = ((lfsr) << 1) | feedback; \ + (lfsr) = ((lfsr) << 1) ^ feedback; \ } while (0) /** @@ -520,7 +521,7 @@ static void skinny_aead_128_256_init memset(k, 0, 16 - nonce_len); memcpy(k + 16 - nonce_len, nonce, nonce_len); memcpy(k + 16, key, 16); - skinny_128_256_init(ks, k, 32); + skinny_128_256_init(ks, k); } /** diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/aead-common.c b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/aead-common.c +++ /dev/null 
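Review bot: In the rewritten `skinny_aead_128_384_init` (first hunk) the 48-byte stack buffer `k` holds the raw key in bytes 32–47 and is left in place after `skinny_128_384_init(ks, k)` returns, and `memset(k + 16 + nonce_len, 0, 16 - nonce_len)` wraps to a huge length if `nonce_len` (an `unsigned`) were ever greater than 16. The callers are static and presumably pass 16 or fewer bytes, but a cheap guard such as `if (nonce_len > 16) nonce_len = 16;` documents that limit, and the buffer should be wiped once the schedule is built, e.g. `memset(k, 0, sizeof(k));` before the closing brace — bearing in mind that a plain `memset` on a dead local may be optimised away, so use a secure-wipe helper if this library has one. The whole function body lies inside the hunk.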
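Review bot: Changing the LFSR step from `((lfsr) << 1) | feedback` to `((lfsr) << 1) ^ feedback` (second hunk) is a real correctness fix, not a cosmetic one: once the top bit is set, bits 1, 3 and 4 of the shifted value were OR-ed rather than XOR-ed with 0x1B, so the old build produced a different counter sequence — and therefore different ciphertext and tags — for inputs long enough to reach that state (around 64 blocks if the LFSR starts at 1, which is not visible here). That deserves an explicit mention in the commit message as a compatibility break with earlier output of this implementation, and a KAT or test vector long enough to cross that boundary so the fix stays covered.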
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/aead-common.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/api.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/api.h deleted file mode 100644 index 4bf8f5c..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 8 -#define CRYPTO_NOOVERLAP 1 diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/encrypt.c b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/encrypt.c deleted file mode 100644 index db41b19..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@ - -#include "skinny-aead.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return skinny_aead_m3_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return skinny_aead_m3_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-skinny128.c deleted file mode 100644 index 579ced1..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-skinny128.c +++ /dev/null 
@@ -1,801 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-skinny128.h" -#include "internal-skinnyutil.h" -#include "internal-util.h" -#include - -#if !defined(__AVR__) - -STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) -{ - /* This function is used to fast-forward the TK1 tweak value - * to the value at the end of the key schedule for decryption. - * - * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 - * with 48 rounds does not need any fast forwarding applied. 
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds - * are equivalent to applying the permutation 8 times: - * - * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] - */ - uint32_t row0 = tk[0]; - uint32_t row1 = tk[1]; - uint32_t row2 = tk[2]; - uint32_t row3 = tk[3]; - tk[0] = ((row1 >> 8) & 0x0000FFFFU) | - ((row0 >> 8) & 0x00FF0000U) | - ((row0 << 8) & 0xFF000000U); - tk[1] = ((row1 >> 24) & 0x000000FFU) | - ((row0 << 8) & 0x00FFFF00U) | - ((row1 << 24) & 0xFF000000U); - tk[2] = ((row3 >> 8) & 0x0000FFFFU) | - ((row2 >> 8) & 0x00FF0000U) | - ((row2 << 8) & 0xFF000000U); - tk[3] = ((row3 >> 24) & 0x000000FFU) | - ((row2 << 8) & 0x00FFFF00U) | - ((row3 << 24) & 0xFF000000U); -} - -void skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) -{ -#if !SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; -#endif - -#if SKINNY_128_SMALL_SCHEDULE - /* Copy the input key as-is when using the small key schedule version */ - memcpy(ks->TK1, key, sizeof(ks->TK1)); - memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); - memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); -#else - /* Set the initial states of TK1, TK2, and TK3 */ - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - - /* Set up the key schedule using TK2 and TK3. TK1 is not added - * to the key schedule because we will derive that part of the - * schedule during encryption operations */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. 
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); - - /* Permute TK2 and TK3 for the next round */ - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - - /* Apply the LFSR's to TK2 and TK3 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } -#endif -} - -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0x15;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Permute TK1 to fast-forward it to the end of the key schedule */
- skinny128_fast_forward_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_fast_forward_tk(TK2);
- skinny128_fast_forward_tk(TK3);
- for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2 and TK3.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- skinny128_LFSR3(TK3[2]);
- skinny128_LFSR3(TK3[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_inv_permute_tk(TK3);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
- skinny128_LFSR2(TK3[2]);
- skinny128_LFSR2(TK3[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
- TK2[0] = le_load_word32(tk2);
- TK2[1] = le_load_word32(tk2 + 4);
- TK2[2] = le_load_word32(tk2 + 8);
- TK2[3] = le_load_word32(tk2 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0] ^ TK2[0];
- s1 ^= schedule[1] ^ TK1[1] ^ TK2[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK3);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t temp;
- unsigned round;
- uint8_t rc = 0;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakey */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1, TK2, and TK3 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
-#else
- /* Set the initial states of TK1 and TK2 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Set up the key schedule using TK2. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ (rc >> 4);
-
- /* Permute TK2 for the next round */
- skinny128_permute_tk(TK2);
-
- /* Apply the LFSR to TK2 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-#endif
-}
-
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0x09;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1.
- * There is no need to fast-forward TK1 because the value at
- * the end of the key schedule is the same as at the start */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_encrypt_tk_full
- (const unsigned char key[32], unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
- uint32_t temp;
- unsigned round;
- uint8_t rc = 0;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakey */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-#else /* __AVR__ */
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- memcpy(ks->TK2, tk2, 16);
- skinny_128_384_encrypt(ks, output, input);
-}
-
-#endif /* __AVR__ */
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-skinny128.h
deleted file mode 100644
index 2bfda3c..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-skinny128.h
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNY128_H
-#define LW_INTERNAL_SKINNY128_H
-
-/**
- * \file internal-skinny128.h
- * \brief SKINNY-128 block cipher family.
- *
- * References: https://eprint.iacr.org/2016/660.pdf,
- * https://sites.google.com/site/skinnycipher/
- */
-
-#include
-#include
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \def SKINNY_128_SMALL_SCHEDULE
- * \brief Defined to 1 to use the small key schedule version of SKINNY-128.
- */
-#if defined(__AVR__)
-#define SKINNY_128_SMALL_SCHEDULE 1
-#else
-#define SKINNY_128_SMALL_SCHEDULE 0
-#endif
-
-/**
- * \brief Size of a block for SKINNY-128 block ciphers.
- */
-#define SKINNY_128_BLOCK_SIZE 16
-
-/**
- * \brief Number of rounds for SKINNY-128-384.
- */
-#define SKINNY_128_384_ROUNDS 56
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-384.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-
- /** TK3 for the small key schedule */
- uint8_t TK3[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_384_ROUNDS * 2];
-#endif
-
-} skinny_128_384_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-384.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly
- * provided TK2 value.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tk2 TK2 value that should be updated on the fly.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when both TK1 and TK2 change from block to block.
- * When the key is initialized with skinny_128_384_init(), the TK2 part of
- * the key value should be set to zero.
- *
- * \note Some versions of this function may modify the key schedule to
- * copy tk2 into place.
- */
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 384-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-384 but
- * more memory-efficient.
- */
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Number of rounds for SKINNY-128-256.
- */
-#define SKINNY_128_256_ROUNDS 48
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-256.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_256_ROUNDS * 2];
-#endif
-
-} skinny_128_256_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-256.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 256-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-256 but
- * more memory-efficient.
- */
-void skinny_128_256_encrypt_tk_full
- (const unsigned char key[32], unsigned char *output,
- const unsigned char *input);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-skinnyutil.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-skinnyutil.h
deleted file mode 100644
index 83136cb..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-skinnyutil.h
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNYUTIL_H
-#define LW_INTERNAL_SKINNYUTIL_H
-
-/**
- * \file internal-skinnyutil.h
- * \brief Utilities to help implement SKINNY and its variants.
- */
-
-#include "internal-util.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** @cond skinnyutil */
-
-/* Utilities for implementing SKINNY-128 */
-
-#define skinny128_LFSR2(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \
- (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \
- } while (0)
-
-
-#define skinny128_LFSR3(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \
- (((_x << 7) ^ (_x << 1)) & 0x80808080U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x)
-#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x)
-
-#define skinny128_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint32_t row2 = tk[2]; \
- uint32_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 16) | (row3 >> 16); \
- tk[0] = ((row2 >> 8) & 0x000000FFU) | \
- ((row2 << 16) & 0x00FF0000U) | \
- ( row3 & 0xFF00FF00U); \
- tk[1] = ((row2 >> 16) & 0x000000FFU) | \
- (row2 & 0xFF000000U) | \
- ((row3 << 8) & 0x0000FF00U) | \
- ( row3 & 0x00FF0000U); \
- } while (0)
-
-#define skinny128_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint32_t row0 = tk[0]; \
- uint32_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 >> 16) & 0x000000FFU) | \
- ((row0 << 8) & 0x0000FF00U) | \
- ((row1 << 16) & 0x00FF0000U) | \
- ( row1 & 0xFF000000U); \
- tk[3] = ((row0 >> 16) & 0x0000FF00U) | \
- ((row0 << 16) & 0xFF000000U) | \
- ((row1 >> 16) & 0x000000FFU) | \
- ((row1 << 8) & 0x00FF0000U); \
- } while (0)
-
-/*
- * Apply the SKINNY sbox. The original version from the specification is
- * equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE(x)
- * ((((x) & 0x01010101U) << 2) |
- * (((x) & 0x06060606U) << 5) |
- * (((x) & 0x20202020U) >> 5) |
- * (((x) & 0xC8C8C8C8U) >> 2) |
- * (((x) & 0x10101010U) >> 1))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * return SBOX_SWAP(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \
- y = (((x >> 5) & (x << 1)) & 0x04040404U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \
- x = ((x & 0x08080808U) << 1) | \
- ((x & 0x32323232U) << 2) | \
- ((x & 0x01010101U) << 5) | \
- ((x & 0x80808080U) >> 6) | \
- ((x & 0x40404040U) >> 4) | \
- ((x & 0x04040404U) >> 2); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE_INV(x)
- * ((((x) & 0x08080808U) << 1) |
- * (((x) & 0x32323232U) << 2) |
- * (((x) & 0x01010101U) << 5) |
- * (((x) & 0xC0C0C0C0U) >> 5) |
- * (((x) & 0x04040404U) >> 2))
- *
- * x = SBOX_SWAP(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_inv_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- y = (((x >> 1) & (x >> 3)) & 0x01010101U); \
- x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \
- y = (((x >> 6) & (x >> 1)) & 0x02020202U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \
- x = ((x & 0x01010101U) << 2) | \
- ((x & 0x04040404U) << 4) | \
- ((x & 0x02020202U) << 6) | \
- ((x & 0x20202020U) >> 5) | \
- ((x & 0xC8C8C8C8U) >> 2) | \
- ((x & 0x10101010U) >> 1); \
-} while (0)
-
-/* Utilities for implementing SKINNY-64 */
-
-#define skinny64_LFSR2(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \
- } while (0)
-
-#define skinny64_LFSR3(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x)
-#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x)
-
-#define skinny64_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint16_t row2 = tk[2]; \
- uint16_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 8) | (row3 >> 8); \
- tk[0] = ((row2 << 4) & 0xF000U) | \
- ((row2 >> 8) & 0x00F0U) | \
- ( row3 & 0x0F0FU); \
- tk[1] = ((row2 << 8) & 0xF000U) | \
- ((row3 >> 4) & 0x0F00U) | \
- ( row3 & 0x00F0U) | \
- ( row2 & 0x000FU); \
- } while (0)
-
-#define skinny64_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint16_t row0 = tk[0]; \
- uint16_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 << 8) & 0xF000U) | \
- ((row0 >> 4) & 0x0F00U) | \
- ((row1 >> 8) & 0x00F0U) | \
- ( row1 & 0x000FU); \
- tk[3] = ((row1 << 8) & 0xF000U) | \
- ((row0 << 8) & 0x0F00U) | \
- ((row1 >> 4) & 0x00F0U) | \
- ((row0 >> 8) & 0x000FU); \
- } while (0)
-
-/*
- * Apply the SKINNY-64 sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT(x)
- * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_SHIFT steps to be performed with one final rotation.
- * This reduces the number of required shift operations from 14 to 10.
- *
- * We can further reduce the number of NOT operations from 4 to 2
- * using the technique from https://github.com/kste/skinny_avx to
- * convert NOR-XOR operations into AND-XOR operations by converting
- * the S-box into its NOT-inverse.
- */
-#define skinny64_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \
- x = ~x; \
- x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY-64 sbox. The original version
- * from the specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT_INV(x)
- * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * return SBOX_MIX(x);
- */
-#define skinny64_inv_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = ~x; \
- x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \
-} while (0)
-
-/** @endcond */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
-
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/skinny-aead.c deleted file mode 100644 index 7558527..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/skinny-aead.c +++ /dev/null 
@@ -1,804 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "skinny-aead.h"
-#include "internal-skinny128.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const skinny_aead_m1_cipher = {
- "SKINNY-AEAD-M1",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M1_NONCE_SIZE,
- SKINNY_AEAD_M1_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m1_encrypt,
- skinny_aead_m1_decrypt
-};
-
-aead_cipher_t const skinny_aead_m2_cipher = {
- "SKINNY-AEAD-M2",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M2_NONCE_SIZE,
- SKINNY_AEAD_M2_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m2_encrypt,
- skinny_aead_m2_decrypt
-};
-
-aead_cipher_t const skinny_aead_m3_cipher = {
- "SKINNY-AEAD-M3",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M3_NONCE_SIZE,
- SKINNY_AEAD_M3_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m3_encrypt,
- skinny_aead_m3_decrypt
-};
-
-aead_cipher_t const skinny_aead_m4_cipher = {
- "SKINNY-AEAD-M4",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M4_NONCE_SIZE,
- SKINNY_AEAD_M4_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m4_encrypt,
- skinny_aead_m4_decrypt
-};
-
-aead_cipher_t const skinny_aead_m5_cipher = {
- "SKINNY-AEAD-M5",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M5_NONCE_SIZE,
- SKINNY_AEAD_M5_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m5_encrypt,
- skinny_aead_m5_decrypt
-};
-
-aead_cipher_t const skinny_aead_m6_cipher = {
- "SKINNY-AEAD-M6",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M6_NONCE_SIZE,
- SKINNY_AEAD_M6_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m6_encrypt,
- skinny_aead_m6_decrypt
-};
-
-/* Domain separator prefixes for all of the SKINNY-AEAD family members */
-#define DOMAIN_SEP_M1 0x00
-#define DOMAIN_SEP_M2 0x10
-#define DOMAIN_SEP_M3 0x08
-#define DOMAIN_SEP_M4 0x18
-#define DOMAIN_SEP_M5 0x10
-#define DOMAIN_SEP_M6 0x18
-
-/**
- * \brief Initialize the key and nonce for SKINNY-128-384 based AEAD schemes.
- *
- * \param ks The key schedule to initialize.
- * \param key Points to the 16 bytes of the key.
- * \param nonce Points to the nonce.
- * \param nonce_len Length of the nonce in bytes.
- */
-static void skinny_aead_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char *key,
- const unsigned char *nonce, unsigned nonce_len)
-{
- unsigned char k[48];
- memset(k, 0, 16);
- memcpy(k + 16, nonce, nonce_len);
- memset(k + 16 + nonce_len, 0, 16 - nonce_len);
- memcpy(k + 32, key, 16);
- skinny_128_384_init(ks, k);
-}
-
-/**
- * \brief Set the domain separation value in the tweak for SKINNY-128-384.
- *
- * \param ks Key schedule for the block cipher.
- * \param d Domain separation value to write into the tweak.
- */
-#define skinny_aead_128_384_set_domain(ks,d) ((ks)->TK1[15] = (d))
-
-/**
- * \brief Sets the LFSR field in the tweak for SKINNY-128-384.
- *
- * \param ks Key schedule for the block cipher.
- * \param lfsr 64-bit LFSR value.
- */
-#define skinny_aead_128_384_set_lfsr(ks,lfsr) le_store_word64((ks)->TK1, (lfsr))
-
-/**
- * \brief Updates the LFSR value for SKINNY-128-384.
- *
- * \param lfsr 64-bit LFSR value to be updated.
- */
-#define skinny_aead_128_384_update_lfsr(lfsr) \
- do { \
- uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \
- (lfsr) = ((lfsr) << 1) ^ feedback; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for a SKINNY-128-384 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param tag Final tag to XOR the authentication checksum into.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void skinny_aead_128_384_authenticate
- (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
- unsigned char tag[SKINNY_128_BLOCK_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint64_t lfsr = 1;
- skinny_aead_128_384_set_domain(ks, prefix | 2);
- while (adlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_128_384_encrypt(ks, block, ad);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- ad += SKINNY_128_BLOCK_SIZE;
- adlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_384_update_lfsr(lfsr);
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_aead_128_384_set_domain(ks, prefix | 3);
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1);
- skinny_128_384_encrypt(ks, block, block);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- }
-}
-
-/**
- * \brief Encrypts the plaintext for a SKINNY-128-384 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the plaintext buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void skinny_aead_128_384_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint64_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_384_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- skinny_128_384_encrypt(ks, c, m);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_384_update_lfsr(lfsr);
- }
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_384_set_domain(ks, prefix | 1);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_384_encrypt(ks, block, block);
- lw_xor_block_2_src(c, block, m, temp);
- skinny_aead_128_384_update_lfsr(lfsr);
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_aead_128_384_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_384_set_domain(ks, prefix | 4);
- }
- skinny_128_384_encrypt(ks, sum, sum);
-}
-
-/**
- * \brief Decrypts the ciphertext for a SKINNY-128-384 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the ciphertext buffer.
- * \param mlen Number of bytes of ciphertext to be decrypted.
- */
-static void skinny_aead_128_384_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m,
- const unsigned char *c, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint64_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_384_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_128_384_decrypt(ks, m, c);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_384_update_lfsr(lfsr);
- }
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_384_set_domain(ks, prefix | 1);
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_384_encrypt(ks, block, block);
- lw_xor_block_2_src(m, block, c, temp);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- skinny_aead_128_384_update_lfsr(lfsr);
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_aead_128_384_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_384_set_domain(ks, prefix | 4);
- }
- skinny_128_384_encrypt(ks, sum, sum);
-}
-
-int skinny_aead_m1_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M1_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M1, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M1_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m1_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M1_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M1_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M1, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M1_TAG_SIZE);
-}
-
-int skinny_aead_m2_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M2_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M2, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M2_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m2_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M2_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M2_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M2, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M2_TAG_SIZE);
-}
-
-int skinny_aead_m3_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M3_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M3, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M3_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m3_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M3_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M3_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M3, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M3_TAG_SIZE);
-}
-
-int skinny_aead_m4_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M4_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M4, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M4_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m4_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M4_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M4_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M4, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M4_TAG_SIZE);
-}
-
-/**
- * \brief Initialize the key and nonce for SKINNY-128-256 based AEAD schemes.
- *
- * \param ks The key schedule to initialize.
- * \param key Points to the 16 bytes of the key.
- * \param nonce Points to the nonce.
- * \param nonce_len Length of the nonce in bytes.
- */
-static void skinny_aead_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char *key,
- const unsigned char *nonce, unsigned nonce_len)
-{
- unsigned char k[32];
- memset(k, 0, 16 - nonce_len);
- memcpy(k + 16 - nonce_len, nonce, nonce_len);
- memcpy(k + 16, key, 16);
- skinny_128_256_init(ks, k);
-}
-
-/**
- * \brief Set the domain separation value in the tweak for SKINNY-128-256.
- *
- * \param ks Key schedule for the block cipher.
- * \param d Domain separation value to write into the tweak.
- */
-#define skinny_aead_128_256_set_domain(ks,d) ((ks)->TK1[3] = (d))
-
-/**
- * \brief Sets the LFSR field in the tweak for SKINNY-128-256.
- *
- * \param ks Key schedule for the block cipher.
- * \param lfsr 24-bit LFSR value.
- */
-#define skinny_aead_128_256_set_lfsr(ks,lfsr) \
- do { \
- (ks)->TK1[0] = (uint8_t)(lfsr); \
- (ks)->TK1[1] = (uint8_t)((lfsr) >> 8); \
- (ks)->TK1[2] = (uint8_t)((lfsr) >> 16); \
- } while (0)
-
-/**
- * \brief Updates the LFSR value for SKINNY-128-256.
- *
- * \param lfsr 24-bit LFSR value to be updated.
- */
-#define skinny_aead_128_256_update_lfsr(lfsr) \
- do { \
- uint32_t feedback = ((lfsr) & (((uint32_t)1) << 23)) ? 0x1B : 0x00; \
- (lfsr) = ((lfsr) << 1) ^ (feedback); \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for a SKINNY-128-256 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param tag Final tag to XOR the authentication checksum into.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void skinny_aead_128_256_authenticate
- (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
- unsigned char tag[SKINNY_128_BLOCK_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint32_t lfsr = 1;
- skinny_aead_128_256_set_domain(ks, prefix | 2);
- while (adlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_128_256_encrypt(ks, block, ad);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- ad += SKINNY_128_BLOCK_SIZE;
- adlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_256_update_lfsr(lfsr);
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_aead_128_256_set_domain(ks, prefix | 3);
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1);
- skinny_128_256_encrypt(ks, block, block);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- }
-}
-
-/**
- * \brief Encrypts the plaintext for a SKINNY-128-256 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the plaintext buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void skinny_aead_128_256_encrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint32_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_256_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- skinny_128_256_encrypt(ks, c, m);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_256_update_lfsr(lfsr);
- }
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_256_set_domain(ks, prefix | 1);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_256_encrypt(ks, block, block);
- lw_xor_block_2_src(c, block, m, temp);
- skinny_aead_128_256_update_lfsr(lfsr);
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_aead_128_256_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_256_set_domain(ks, prefix | 4);
- }
- skinny_128_256_encrypt(ks, sum, sum);
-}
-
-/**
- * \brief Decrypts the ciphertext for a SKINNY-128-256 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the ciphertext buffer.
- * \param mlen Number of bytes of ciphertext to be decrypted.
- */
-static void skinny_aead_128_256_decrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m,
- const unsigned char *c, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint32_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_256_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_128_256_decrypt(ks, m, c);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_256_update_lfsr(lfsr);
- }
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_256_set_domain(ks, prefix | 1);
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_256_encrypt(ks, block, block);
- lw_xor_block_2_src(m, block, c, temp);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- skinny_aead_128_256_update_lfsr(lfsr);
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_aead_128_256_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_256_set_domain(ks, prefix | 4);
- }
- skinny_128_256_encrypt(ks, sum, sum);
-}
-
-int skinny_aead_m5_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M5_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M5, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M5_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m5_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M5_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M5_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M5, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M5_TAG_SIZE);
-}
-
-int skinny_aead_m6_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M6_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M6, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M6_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m6_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M6_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M6_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M6, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M6_TAG_SIZE);
-}
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/skinny-aead.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/skinny-aead.h
deleted file mode 100644
index c6b54fb..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys-avr/skinny-aead.h
+++ /dev/null
@@ -1,518 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SKINNY_AEAD_H
-#define LWCRYPTO_SKINNY_AEAD_H
-
-#include "aead-common.h"
-
-/**
- * \file skinny-aead.h
- * \brief Authenticated encryption based on the SKINNY block cipher.
- *
- * SKINNY-AEAD is a family of authenticated encryption algorithms
- * that are built around the SKINNY tweakable block cipher. There
- * are six members in the family:
- *
- * \li SKINNY-AEAD-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher. This is the
- * primary member of the family.
- * \li SKINNY-AEAD-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M3 has a 128-bit key, a 128-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M4 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M5 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- * \li SKINNY-AEAD-M6 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- *
- * The SKINNY-AEAD family also includes two hash algorithms:
- *
- * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the
- * SKINNY-128-384 tweakable block cipher. This is the primary hashing
- * member of the family.
- * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the
- * SKINNY-128-256 tweakable block cipher.
- *
- * References: https://sites.google.com/site/skinnycipher/home
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for all SKINNY-AEAD family members.
- */
-#define SKINNY_AEAD_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M1.
- */
-#define SKINNY_AEAD_M1_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M1.
- */
-#define SKINNY_AEAD_M1_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M2.
- */
-#define SKINNY_AEAD_M2_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M2.
- */
-#define SKINNY_AEAD_M2_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M3.
- */
-#define SKINNY_AEAD_M3_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M3.
- */
-#define SKINNY_AEAD_M3_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M4.
- */
-#define SKINNY_AEAD_M4_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M4.
- */
-#define SKINNY_AEAD_M4_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M5.
- */
-#define SKINNY_AEAD_M5_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M5.
- */
-#define SKINNY_AEAD_M5_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M6.
- */
-#define SKINNY_AEAD_M6_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M6.
- */
-#define SKINNY_AEAD_M6_NONCE_SIZE 12
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M1 cipher.
- */
-extern aead_cipher_t const skinny_aead_m1_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M2 cipher.
- */
-extern aead_cipher_t const skinny_aead_m2_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M3 cipher.
- */
-extern aead_cipher_t const skinny_aead_m3_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M4 cipher.
- */
-extern aead_cipher_t const skinny_aead_m4_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M5 cipher.
- */
-extern aead_cipher_t const skinny_aead_m5_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M6 cipher.
- */
-extern aead_cipher_t const skinny_aead_m6_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M1.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m1_decrypt()
- */
-int skinny_aead_m1_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M1.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m1_encrypt()
- */
-int skinny_aead_m1_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M2.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m2_decrypt()
- */
-int skinny_aead_m2_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M2.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m2_encrypt()
- */
-int skinny_aead_m2_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M3.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m3_decrypt()
- */
-int skinny_aead_m3_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M3.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m3_encrypt()
- */
-int skinny_aead_m3_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M4.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m4_decrypt()
- */
-int skinny_aead_m4_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M4.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m4_encrypt()
- */
-int skinny_aead_m4_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M5.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m5_decrypt()
- */
-int skinny_aead_m5_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M5.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m5_encrypt()
- */
-int skinny_aead_m5_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M6.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m6_decrypt()
- */
-int skinny_aead_m6_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M6.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m6_encrypt()
- */
-int skinny_aead_m6_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128-avr.S b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128-avr.S
new file mode 100644
index 0000000..d342cd5
--- /dev/null
+++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128-avr.S
@@ -0,0 +1,10099 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 256 +table_0: + .byte 101 + .byte 76 + .byte 106 + .byte 66 + .byte 75 + .byte 99 + .byte 67 + .byte 107 + .byte 85 + .byte 117 + .byte 90 + .byte 122 + .byte 83 + .byte 115 + .byte 91 + .byte 123 + .byte 53 + .byte 140 + .byte 58 + .byte 129 + .byte 137 + .byte 51 + .byte 128 + .byte 59 + .byte 149 + .byte 37 + .byte 152 + .byte 42 + .byte 144 + .byte 35 + .byte 153 + .byte 43 + .byte 229 + .byte 204 + .byte 232 + .byte 193 + .byte 201 + .byte 224 + .byte 192 + .byte 233 + .byte 213 + .byte 245 + .byte 216 + .byte 248 + .byte 208 + .byte 240 + .byte 217 + .byte 249 + .byte 165 + .byte 28 + .byte 168 + .byte 18 + .byte 27 + .byte 160 + .byte 19 + .byte 169 + .byte 5 + .byte 181 + .byte 10 + .byte 184 + .byte 3 + .byte 176 + .byte 11 + .byte 185 + .byte 50 + .byte 136 + .byte 60 + .byte 133 + .byte 141 + .byte 52 + .byte 132 + .byte 61 + .byte 145 + .byte 34 + .byte 156 + .byte 44 + .byte 148 + .byte 36 + .byte 157 + .byte 45 + .byte 98 + .byte 74 + .byte 108 + .byte 69 + .byte 77 + .byte 100 + .byte 68 + .byte 109 + .byte 82 + .byte 114 + .byte 92 + .byte 124 + .byte 84 + .byte 116 + .byte 93 + .byte 125 + .byte 161 + .byte 26 + .byte 172 + .byte 21 + .byte 29 + .byte 164 + .byte 20 + .byte 173 + .byte 2 + .byte 177 + .byte 12 + .byte 188 + .byte 4 + .byte 180 + .byte 13 + .byte 189 + .byte 225 + .byte 200 + .byte 236 + .byte 197 + .byte 205 + .byte 228 + .byte 196 + .byte 237 + .byte 209 + .byte 241 + .byte 220 + .byte 252 + .byte 212 + .byte 244 + .byte 221 + .byte 253 + .byte 54 + .byte 142 + .byte 56 + .byte 130 + .byte 139 + .byte 48 + .byte 131 + .byte 57 + .byte 150 + .byte 38 + .byte 154 + .byte 40 + .byte 147 + .byte 32 + .byte 155 + .byte 41 + .byte 102 + .byte 78 + .byte 104 + .byte 65 + .byte 73 + .byte 96 + .byte 64 + .byte 105 + .byte 86 + .byte 118 + .byte 88 + 
.byte 120 + .byte 80 + .byte 112 + .byte 89 + .byte 121 + .byte 166 + .byte 30 + .byte 170 + .byte 17 + .byte 25 + .byte 163 + .byte 16 + .byte 171 + .byte 6 + .byte 182 + .byte 8 + .byte 186 + .byte 0 + .byte 179 + .byte 9 + .byte 187 + .byte 230 + .byte 206 + .byte 234 + .byte 194 + .byte 203 + .byte 227 + .byte 195 + .byte 235 + .byte 214 + .byte 246 + .byte 218 + .byte 250 + .byte 211 + .byte 243 + .byte 219 + .byte 251 + .byte 49 + .byte 138 + .byte 62 + .byte 134 + .byte 143 + .byte 55 + .byte 135 + .byte 63 + .byte 146 + .byte 33 + .byte 158 + .byte 46 + .byte 151 + .byte 39 + .byte 159 + .byte 47 + .byte 97 + .byte 72 + .byte 110 + .byte 70 + .byte 79 + .byte 103 + .byte 71 + .byte 111 + .byte 81 + .byte 113 + .byte 94 + .byte 126 + .byte 87 + .byte 119 + .byte 95 + .byte 127 + .byte 162 + .byte 24 + .byte 174 + .byte 22 + .byte 31 + .byte 167 + .byte 23 + .byte 175 + .byte 1 + .byte 178 + .byte 14 + .byte 190 + .byte 7 + .byte 183 + .byte 15 + .byte 191 + .byte 226 + .byte 202 + .byte 238 + .byte 198 + .byte 207 + .byte 231 + .byte 199 + .byte 239 + .byte 210 + .byte 242 + .byte 222 + .byte 254 + .byte 215 + .byte 247 + .byte 223 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 256 +table_1: + .byte 172 + .byte 232 + .byte 104 + .byte 60 + .byte 108 + .byte 56 + .byte 168 + .byte 236 + .byte 170 + .byte 174 + .byte 58 + .byte 62 + .byte 106 + .byte 110 + .byte 234 + .byte 238 + .byte 166 + .byte 163 + .byte 51 + .byte 54 + .byte 102 + .byte 99 + .byte 227 + .byte 230 + .byte 225 + .byte 164 + .byte 97 + .byte 52 + .byte 49 + .byte 100 + .byte 161 + .byte 228 + .byte 141 + .byte 201 + .byte 73 + .byte 29 + .byte 77 + .byte 25 + .byte 137 + .byte 205 + .byte 139 + .byte 143 + .byte 27 + .byte 31 + .byte 75 + .byte 79 + .byte 203 + .byte 207 + .byte 133 + .byte 192 + .byte 64 + .byte 21 + .byte 69 + .byte 16 + .byte 128 + .byte 197 + .byte 130 + .byte 135 + .byte 18 + .byte 23 + .byte 66 + .byte 71 + 
.byte 194 + .byte 199 + .byte 150 + .byte 147 + .byte 3 + .byte 6 + .byte 86 + .byte 83 + .byte 211 + .byte 214 + .byte 209 + .byte 148 + .byte 81 + .byte 4 + .byte 1 + .byte 84 + .byte 145 + .byte 212 + .byte 156 + .byte 216 + .byte 88 + .byte 12 + .byte 92 + .byte 8 + .byte 152 + .byte 220 + .byte 154 + .byte 158 + .byte 10 + .byte 14 + .byte 90 + .byte 94 + .byte 218 + .byte 222 + .byte 149 + .byte 208 + .byte 80 + .byte 5 + .byte 85 + .byte 0 + .byte 144 + .byte 213 + .byte 146 + .byte 151 + .byte 2 + .byte 7 + .byte 82 + .byte 87 + .byte 210 + .byte 215 + .byte 157 + .byte 217 + .byte 89 + .byte 13 + .byte 93 + .byte 9 + .byte 153 + .byte 221 + .byte 155 + .byte 159 + .byte 11 + .byte 15 + .byte 91 + .byte 95 + .byte 219 + .byte 223 + .byte 22 + .byte 19 + .byte 131 + .byte 134 + .byte 70 + .byte 67 + .byte 195 + .byte 198 + .byte 65 + .byte 20 + .byte 193 + .byte 132 + .byte 17 + .byte 68 + .byte 129 + .byte 196 + .byte 28 + .byte 72 + .byte 200 + .byte 140 + .byte 76 + .byte 24 + .byte 136 + .byte 204 + .byte 26 + .byte 30 + .byte 138 + .byte 142 + .byte 74 + .byte 78 + .byte 202 + .byte 206 + .byte 53 + .byte 96 + .byte 224 + .byte 165 + .byte 101 + .byte 48 + .byte 160 + .byte 229 + .byte 50 + .byte 55 + .byte 162 + .byte 167 + .byte 98 + .byte 103 + .byte 226 + .byte 231 + .byte 61 + .byte 105 + .byte 233 + .byte 173 + .byte 109 + .byte 57 + .byte 169 + .byte 237 + .byte 59 + .byte 63 + .byte 171 + .byte 175 + .byte 107 + .byte 111 + .byte 235 + .byte 239 + .byte 38 + .byte 35 + .byte 179 + .byte 182 + .byte 118 + .byte 115 + .byte 243 + .byte 246 + .byte 113 + .byte 36 + .byte 241 + .byte 180 + .byte 33 + .byte 116 + .byte 177 + .byte 244 + .byte 44 + .byte 120 + .byte 248 + .byte 188 + .byte 124 + .byte 40 + .byte 184 + .byte 252 + .byte 42 + .byte 46 + .byte 186 + .byte 190 + .byte 122 + .byte 126 + .byte 250 + .byte 254 + .byte 37 + .byte 112 + .byte 240 + .byte 181 + .byte 117 + .byte 32 + .byte 176 + .byte 245 + .byte 34 + .byte 39 + .byte 178 + 
.byte 183 + .byte 114 + .byte 119 + .byte 242 + .byte 247 + .byte 45 + .byte 121 + .byte 249 + .byte 189 + .byte 125 + .byte 41 + .byte 185 + .byte 253 + .byte 43 + .byte 47 + .byte 187 + .byte 191 + .byte 123 + .byte 127 + .byte 251 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_2, @object + .size table_2, 256 +table_2: + .byte 0 + .byte 2 + .byte 4 + .byte 6 + .byte 8 + .byte 10 + .byte 12 + .byte 14 + .byte 16 + .byte 18 + .byte 20 + .byte 22 + .byte 24 + .byte 26 + .byte 28 + .byte 30 + .byte 32 + .byte 34 + .byte 36 + .byte 38 + .byte 40 + .byte 42 + .byte 44 + .byte 46 + .byte 48 + .byte 50 + .byte 52 + .byte 54 + .byte 56 + .byte 58 + .byte 60 + .byte 62 + .byte 65 + .byte 67 + .byte 69 + .byte 71 + .byte 73 + .byte 75 + .byte 77 + .byte 79 + .byte 81 + .byte 83 + .byte 85 + .byte 87 + .byte 89 + .byte 91 + .byte 93 + .byte 95 + .byte 97 + .byte 99 + .byte 101 + .byte 103 + .byte 105 + .byte 107 + .byte 109 + .byte 111 + .byte 113 + .byte 115 + .byte 117 + .byte 119 + .byte 121 + .byte 123 + .byte 125 + .byte 127 + .byte 128 + .byte 130 + .byte 132 + .byte 134 + .byte 136 + .byte 138 + .byte 140 + .byte 142 + .byte 144 + .byte 146 + .byte 148 + .byte 150 + .byte 152 + .byte 154 + .byte 156 + .byte 158 + .byte 160 + .byte 162 + .byte 164 + .byte 166 + .byte 168 + .byte 170 + .byte 172 + .byte 174 + .byte 176 + .byte 178 + .byte 180 + .byte 182 + .byte 184 + .byte 186 + .byte 188 + .byte 190 + .byte 193 + .byte 195 + .byte 197 + .byte 199 + .byte 201 + .byte 203 + .byte 205 + .byte 207 + .byte 209 + .byte 211 + .byte 213 + .byte 215 + .byte 217 + .byte 219 + .byte 221 + .byte 223 + .byte 225 + .byte 227 + .byte 229 + .byte 231 + .byte 233 + .byte 235 + .byte 237 + .byte 239 + .byte 241 + .byte 243 + .byte 245 + .byte 247 + .byte 249 + .byte 251 + .byte 253 + .byte 255 + .byte 1 + .byte 3 + .byte 5 + .byte 7 + .byte 9 + .byte 11 + .byte 13 + .byte 15 + .byte 17 + .byte 19 + .byte 21 + .byte 23 + .byte 25 + .byte 27 + .byte 29 + 
.byte 31 + .byte 33 + .byte 35 + .byte 37 + .byte 39 + .byte 41 + .byte 43 + .byte 45 + .byte 47 + .byte 49 + .byte 51 + .byte 53 + .byte 55 + .byte 57 + .byte 59 + .byte 61 + .byte 63 + .byte 64 + .byte 66 + .byte 68 + .byte 70 + .byte 72 + .byte 74 + .byte 76 + .byte 78 + .byte 80 + .byte 82 + .byte 84 + .byte 86 + .byte 88 + .byte 90 + .byte 92 + .byte 94 + .byte 96 + .byte 98 + .byte 100 + .byte 102 + .byte 104 + .byte 106 + .byte 108 + .byte 110 + .byte 112 + .byte 114 + .byte 116 + .byte 118 + .byte 120 + .byte 122 + .byte 124 + .byte 126 + .byte 129 + .byte 131 + .byte 133 + .byte 135 + .byte 137 + .byte 139 + .byte 141 + .byte 143 + .byte 145 + .byte 147 + .byte 149 + .byte 151 + .byte 153 + .byte 155 + .byte 157 + .byte 159 + .byte 161 + .byte 163 + .byte 165 + .byte 167 + .byte 169 + .byte 171 + .byte 173 + .byte 175 + .byte 177 + .byte 179 + .byte 181 + .byte 183 + .byte 185 + .byte 187 + .byte 189 + .byte 191 + .byte 192 + .byte 194 + .byte 196 + .byte 198 + .byte 200 + .byte 202 + .byte 204 + .byte 206 + .byte 208 + .byte 210 + .byte 212 + .byte 214 + .byte 216 + .byte 218 + .byte 220 + .byte 222 + .byte 224 + .byte 226 + .byte 228 + .byte 230 + .byte 232 + .byte 234 + .byte 236 + .byte 238 + .byte 240 + .byte 242 + .byte 244 + .byte 246 + .byte 248 + .byte 250 + .byte 252 + .byte 254 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_3, @object + .size table_3, 256 +table_3: + .byte 0 + .byte 128 + .byte 1 + .byte 129 + .byte 2 + .byte 130 + .byte 3 + .byte 131 + .byte 4 + .byte 132 + .byte 5 + .byte 133 + .byte 6 + .byte 134 + .byte 7 + .byte 135 + .byte 8 + .byte 136 + .byte 9 + .byte 137 + .byte 10 + .byte 138 + .byte 11 + .byte 139 + .byte 12 + .byte 140 + .byte 13 + .byte 141 + .byte 14 + .byte 142 + .byte 15 + .byte 143 + .byte 16 + .byte 144 + .byte 17 + .byte 145 + .byte 18 + .byte 146 + .byte 19 + .byte 147 + .byte 20 + .byte 148 + .byte 21 + .byte 149 + .byte 22 + .byte 150 + .byte 23 + .byte 151 + .byte 24 + .byte 152 + 
.byte 25 + .byte 153 + .byte 26 + .byte 154 + .byte 27 + .byte 155 + .byte 28 + .byte 156 + .byte 29 + .byte 157 + .byte 30 + .byte 158 + .byte 31 + .byte 159 + .byte 160 + .byte 32 + .byte 161 + .byte 33 + .byte 162 + .byte 34 + .byte 163 + .byte 35 + .byte 164 + .byte 36 + .byte 165 + .byte 37 + .byte 166 + .byte 38 + .byte 167 + .byte 39 + .byte 168 + .byte 40 + .byte 169 + .byte 41 + .byte 170 + .byte 42 + .byte 171 + .byte 43 + .byte 172 + .byte 44 + .byte 173 + .byte 45 + .byte 174 + .byte 46 + .byte 175 + .byte 47 + .byte 176 + .byte 48 + .byte 177 + .byte 49 + .byte 178 + .byte 50 + .byte 179 + .byte 51 + .byte 180 + .byte 52 + .byte 181 + .byte 53 + .byte 182 + .byte 54 + .byte 183 + .byte 55 + .byte 184 + .byte 56 + .byte 185 + .byte 57 + .byte 186 + .byte 58 + .byte 187 + .byte 59 + .byte 188 + .byte 60 + .byte 189 + .byte 61 + .byte 190 + .byte 62 + .byte 191 + .byte 63 + .byte 64 + .byte 192 + .byte 65 + .byte 193 + .byte 66 + .byte 194 + .byte 67 + .byte 195 + .byte 68 + .byte 196 + .byte 69 + .byte 197 + .byte 70 + .byte 198 + .byte 71 + .byte 199 + .byte 72 + .byte 200 + .byte 73 + .byte 201 + .byte 74 + .byte 202 + .byte 75 + .byte 203 + .byte 76 + .byte 204 + .byte 77 + .byte 205 + .byte 78 + .byte 206 + .byte 79 + .byte 207 + .byte 80 + .byte 208 + .byte 81 + .byte 209 + .byte 82 + .byte 210 + .byte 83 + .byte 211 + .byte 84 + .byte 212 + .byte 85 + .byte 213 + .byte 86 + .byte 214 + .byte 87 + .byte 215 + .byte 88 + .byte 216 + .byte 89 + .byte 217 + .byte 90 + .byte 218 + .byte 91 + .byte 219 + .byte 92 + .byte 220 + .byte 93 + .byte 221 + .byte 94 + .byte 222 + .byte 95 + .byte 223 + .byte 224 + .byte 96 + .byte 225 + .byte 97 + .byte 226 + .byte 98 + .byte 227 + .byte 99 + .byte 228 + .byte 100 + .byte 229 + .byte 101 + .byte 230 + .byte 102 + .byte 231 + .byte 103 + .byte 232 + .byte 104 + .byte 233 + .byte 105 + .byte 234 + .byte 106 + .byte 235 + .byte 107 + .byte 236 + .byte 108 + .byte 237 + .byte 109 + .byte 238 + .byte 110 + .byte 239 
+ .byte 111 + .byte 240 + .byte 112 + .byte 241 + .byte 113 + .byte 242 + .byte 114 + .byte 243 + .byte 115 + .byte 244 + .byte 116 + .byte 245 + .byte 117 + .byte 246 + .byte 118 + .byte 247 + .byte 119 + .byte 248 + .byte 120 + .byte 249 + .byte 121 + .byte 250 + .byte 122 + .byte 251 + .byte 123 + .byte 252 + .byte 124 + .byte 253 + .byte 125 + .byte 254 + .byte 126 + .byte 255 + .byte 127 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_4, @object + .size table_4, 112 +table_4: + .byte 1 + .byte 0 + .byte 3 + .byte 0 + .byte 7 + .byte 0 + .byte 15 + .byte 0 + .byte 15 + .byte 1 + .byte 14 + .byte 3 + .byte 13 + .byte 3 + .byte 11 + .byte 3 + .byte 7 + .byte 3 + .byte 15 + .byte 2 + .byte 14 + .byte 1 + .byte 12 + .byte 3 + .byte 9 + .byte 3 + .byte 3 + .byte 3 + .byte 7 + .byte 2 + .byte 14 + .byte 0 + .byte 13 + .byte 1 + .byte 10 + .byte 3 + .byte 5 + .byte 3 + .byte 11 + .byte 2 + .byte 6 + .byte 1 + .byte 12 + .byte 2 + .byte 8 + .byte 1 + .byte 0 + .byte 3 + .byte 1 + .byte 2 + .byte 2 + .byte 0 + .byte 5 + .byte 0 + .byte 11 + .byte 0 + .byte 7 + .byte 1 + .byte 14 + .byte 2 + .byte 12 + .byte 1 + .byte 8 + .byte 3 + .byte 1 + .byte 3 + .byte 3 + .byte 2 + .byte 6 + .byte 0 + .byte 13 + .byte 0 + .byte 11 + .byte 1 + .byte 6 + .byte 3 + .byte 13 + .byte 2 + .byte 10 + .byte 1 + .byte 4 + .byte 3 + .byte 9 + .byte 2 + .byte 2 + .byte 1 + .byte 4 + .byte 2 + .byte 8 + .byte 0 + .byte 1 + .byte 1 + .byte 2 + .byte 2 + .byte 4 + .byte 0 + .byte 9 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 2 + .byte 12 + .byte 0 + .byte 9 + .byte 1 + .byte 2 + .byte 3 + .byte 5 + .byte 2 + .byte 10 + .byte 0 + + .text +.global skinny_128_384_init + .type skinny_128_384_init, @function +skinny_128_384_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,12 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_384_init, .-skinny_128_384_init + + .text 
+.global skinny_128_384_encrypt + .type skinny_128_384_encrypt, @function +skinny_128_384_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + std Y+33,r18 + std Y+34,r19 + std Y+35,r20 + std Y+36,r21 + ldd r18,Z+36 + ldd r19,Z+37 + ldd r20,Z+38 + ldd r21,Z+39 + std Y+37,r18 + std Y+38,r19 + std Y+39,r20 + std Y+40,r21 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + std Y+41,r18 + std Y+42,r19 + std Y+43,r20 + std Y+44,r21 + ldd r18,Z+44 + ldd r19,Z+45 + ldd r20,Z+46 + ldd r21,Z+47 + std Y+45,r18 + std Y+46,r19 + std Y+47,r20 + std Y+48,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld 
r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +114: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z 
+#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + 
eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z 
+#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std 
Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + 
mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor 
r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 
+#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + 
ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + ldd r0,Y+40 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov 
r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if 
defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld 
r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov 
r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,112 + brne 5721f + rjmp 790f +5721: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + 
lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + 
out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 114b +790: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_encrypt, .-skinny_128_384_encrypt + +.global skinny_128_384_encrypt_tk_full + .set skinny_128_384_encrypt_tk_full,skinny_128_384_encrypt + + .text +.global skinny_128_384_decrypt + .type skinny_128_384_decrypt, @function +skinny_128_384_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r23 + std Y+2,r2 + std Y+3,r21 + std Y+4,r20 + std Y+5,r3 + std Y+6,r18 + std Y+7,r19 + std Y+8,r22 + std Y+9,r9 + std Y+10,r10 + std Y+11,r7 + std Y+12,r6 + std Y+13,r11 + std Y+14,r4 + std Y+15,r5 + std Y+16,r8 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r23 + std Y+18,r2 + std Y+19,r21 + std Y+20,r20 + std Y+21,r3 + std Y+22,r18 + std 
Y+23,r19 + std Y+24,r22 + std Y+25,r9 + std Y+26,r10 + std Y+27,r7 + std Y+28,r6 + std Y+29,r11 + std Y+30,r4 + std Y+31,r5 + std Y+32,r8 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + ldd r22,Z+36 + ldd r23,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+33,r23 + std Y+34,r2 + std Y+35,r21 + std Y+36,r20 + std Y+37,r3 + std Y+38,r18 + std Y+39,r19 + std Y+40,r22 + std Y+41,r9 + std Y+42,r10 + std Y+43,r7 + std Y+44,r6 + std Y+45,r11 + std Y+46,r4 + std Y+47,r5 + std Y+48,r8 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,28 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +122: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 122b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,28 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +150: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif 
defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 150b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,28 + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 +179: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 179b + std Y+33,r12 + std Y+34,r13 + std Y+35,r14 + std Y+36,r15 + std Y+37,r24 + std Y+38,r25 + std Y+39,r16 + std Y+40,r17 + ldi r26,28 + ldd r12,Y+41 + ldd r13,Y+42 + 
ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 +207: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 207b + std Y+41,r12 + std Y+42,r13 + std Y+43,r14 + std Y+44,r15 + std Y+45,r24 + std Y+46,r25 + std Y+47,r16 + std Y+48,r17 + ldi r26,112 +227: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 
+#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd 
r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif 
defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + 
ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm 
r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + 
ldd r0,Y+40 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov 
r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm 
r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + 
mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) 
+#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z 
+#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out 
_SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif 
defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + breq 903f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 227b +903: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_decrypt, .-skinny_128_384_decrypt + + .text +.global 
skinny_128_256_init + .type skinny_128_256_init, @function +skinny_128_256_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,8 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_256_init, .-skinny_128_256_init + + .text +.global skinny_128_256_encrypt + .type skinny_128_256_encrypt, @function +skinny_128_256_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi 
r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +82: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + 
eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 
+ std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + 
elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor 
r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std 
Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm 
r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor 
r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + 
std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if 
defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + 
eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,96 + breq 594f + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std 
Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 82b +594: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_encrypt, .-skinny_128_256_encrypt + +.global skinny_128_256_encrypt_tk_full + .set skinny_128_256_encrypt_tk_full,skinny_128_256_encrypt + + .text +.global skinny_128_256_decrypt + .type skinny_128_256_decrypt, @function +skinny_128_256_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + std Y+5,r22 + std Y+6,r23 + std Y+7,r2 + std Y+8,r3 + std Y+9,r4 + std Y+10,r5 + std Y+11,r6 + std Y+12,r7 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd 
r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + std Y+21,r22 + std Y+22,r23 + std Y+23,r2 + std Y+24,r3 + std Y+25,r4 + std Y+26,r5 + std Y+27,r6 + std Y+28,r7 + std Y+29,r8 + std Y+30,r9 + std Y+31,r10 + std Y+32,r11 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,24 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +90: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if 
defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 90b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,24 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +118: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 118b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + 
out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,96 +139: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + 
eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + 
ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor 
r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + 
elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if 
defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor 
r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 
+#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi 
r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + 
mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + 
breq 651f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 139b +651: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_decrypt, .-skinny_128_256_decrypt + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.c index 65ba4ed..579ced1 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.c +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.c @@ -25,6 +25,8 @@ #include "internal-util.h" #include +#if !defined(__AVR__) + STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) { /* This function is used to fast-forward the TK1 tweak value 
@@ -55,42 +57,33 @@ STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) ((row3 << 24) & 0xFF000000U); } -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t TK3[4]; uint32_t *schedule; unsigned round; uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || (key_len != 32 && key_len != 48)) - return 0; - +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); + memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); +#else /* Set the initial states of TK1, TK2, and TK3 */ - if (key_len == 32) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - TK3[0] = le_load_word32(key + 16); - TK3[1] = le_load_word32(key + 20); - TK3[2] = le_load_word32(key + 24); - TK3[3] = le_load_word32(key + 28); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); /* Set up the key schedule using TK2 and TK3. TK1 is not added * to the key schedule because we will derive that part of the 
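Review bot: The new body of skinny_128_384_init opens `#if !SKINNY_128_SMALL_SCHEDULE` for the declarations, closes it, and then opens a second `#if SKINNY_128_SMALL_SCHEDULE … #else` for the code, so a reader has to pair two conditionals to see which locals belong to which build. Moving the five declarations (`TK2`, `TK3`, `schedule`, `round`, `rc`) to the top of the `#else` branch leaves one `#if SKINNY_128_SMALL_SCHEDULE / #else / #endif` around the whole function, and the declarations still sit at the start of the block in that configuration. With the old `key_len` check gone the `key[48]` parameter documents the expected size but nothing enforces it, so a comment at the memcpy site such as `/* key = TK1 || TK2 || TK3 (16 bytes each); no runtime length check is performed */` would make the contract explicit. The schedule-generation loop at the end of this function lies outside the hunk.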
@@ -116,20 +109,7 @@ int skinny_128_384_init skinny128_LFSR3(TK3[0]); skinny128_LFSR3(TK3[1]); } - return 1; -} - -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_384_encrypt @@ -138,7 +118,13 @@ void skinny_128_384_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -148,14 +134,24 @@ void skinny_128_384_encrypt s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
@@ -163,8 +159,15 @@ void skinny_128_384_encrypt skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -185,6 +188,16 @@ void skinny_128_384_encrypt /* Permute TK1 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ @@ -200,7 +213,13 @@ void skinny_128_384_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0x15; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; 
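Review bot: The round-constant step `rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; rc &= 0x3F;` added to skinny_128_384_encrypt here is repeated verbatim in the small-schedule paths of skinny_128_384_encrypt_tk2 and skinny_128_256_encrypt later in this diff, and its inverse appears twice in the decrypt functions, so a future fix to one copy can silently miss the others. Defining them once near the top of the file, `#define skinny128_rc_next(rc) ((uint8_t)((((rc) << 1) ^ (((rc) >> 5) & 1) ^ (((rc) >> 4) & 1) ^ 1) & 0x3F))` and `#define skinny128_rc_prev(rc) ((uint8_t)(((rc) >> 1) ^ ((((rc) << 5) ^ (rc) ^ 0x20) & 0x20)))`, keeps the forward and inverse steps side by side where a reader can check they are mutual inverses. The decrypt declarations in the last hunk start from `rc = 0x15`, and the later decrypt hunk steps `rc` backwards before its first use, so this must be the constant one step past the final round rather than the final-round constant itself; a comment saying so, e.g. `/* rc one step past round 56; the loop steps back before use */`, would save the next reader recomputing the LFSR sequence. The enclosing functions extend beyond these hunks.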
@@ -215,15 +234,47 @@ void skinny_128_384_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Permute TK1 to fast-forward it to the end of the key schedule */ skinny128_fast_forward_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_fast_forward_tk(TK2); + skinny128_fast_forward_tk(TK3); + for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2 and TK3. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + skinny128_LFSR3(TK3[2]); + skinny128_LFSR3(TK3[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_inv_permute_tk(TK3); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); + skinny128_LFSR2(TK3[2]); + skinny128_LFSR2(TK3[3]); +#endif /* Inverse mix of the columns */ temp = s3; 
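Review bot: The fast-forward loop `for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2)` applies LFSR2/LFSR3 to all four words of TK2/TK3 once per pair of rounds, which presumably relies on the tweakey permutation exchanging the two halves so that each cell is stepped exactly once every two rounds; that reasoning is unstated and only holds for an even round count (56 here). A comment above the loop such as `/* Every two rounds the permutation brings each cell through the LFSR once, so ROUNDS/2 whole-state LFSR steps reach the final state; requires an even round count. */` would document the assumption. The added `// Also fast-forward the LFSR's on every byte of TK2 and TK3.` is the only `//` comment in a function whose other comments all use `/* */`, so it should be switched for consistency. skinny_128_384_decrypt continues past the end of this hunk.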
@@ -240,8 +291,15 @@ void skinny_128_384_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ @@ -259,13 +317,18 @@ void skinny_128_384_decrypt } void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2) { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; uint32_t TK2[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -275,7 +338,7 @@ void skinny_128_384_encrypt_tk2 s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); @@ -284,9 +347,15 @@ void skinny_128_384_encrypt_tk2 TK2[1] = le_load_word32(tk2 + 4); TK2[2] = le_load_word32(tk2 + 8); TK2[3] = le_load_word32(tk2 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
@@ -294,8 +363,15 @@ void skinny_128_384_encrypt_tk2 skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -319,6 +395,13 @@ void skinny_128_384_encrypt_tk2 skinny128_permute_tk(TK2); skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK3); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -408,33 +491,27 @@ void skinny_128_384_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t *schedule; unsigned round; uint8_t rc; +#endif - /* Validate the parameters */ - if (!ks || !key || (key_len != 16 && key_len != 32)) - return 0; - +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); +#else /* Set the initial states of TK1 and TK2 */ - if (key_len == 16) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); /* Set up the key schedule using TK2. TK1 is not added * to the key schedule because we will derive that part of the @@ -457,20 +534,7 @@ int skinny_128_256_init skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); } - return 1; -} - -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_256_encrypt 
@@ -479,7 +543,12 @@ void skinny_128_256_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -494,18 +563,31 @@ void skinny_128_256_encrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); skinny128_sbox(s2); skinny128_sbox(s3); - /* Apply the subkey for this round */ + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -524,8 +606,15 @@ void skinny_128_256_encrypt s1 = s0; s0 = temp; - /* Permute TK1 for the next round */ + /* Permute TK1 and TK2 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -541,7 +630,12 @@ void skinny_128_256_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; @@ -558,12 +652,29 @@ void skinny_128_256_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif /* Inverse mix of the columns */ temp = s3; @@ -580,8 +691,15 @@ void skinny_128_256_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ 
@@ -670,142 +788,14 @@ void skinny_128_256_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len) -{ - uint32_t TK1[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || key_len != 16) - return 0; - - /* Set the initial state of TK1 */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); +#else /* __AVR__ */ - /* Set up the key schedule using TK1 */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. - * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK1[0] ^ (rc & 0x0F); - schedule[1] = TK1[1] ^ (rc >> 4); - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); - } - return 1; -} - -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) { - uint32_t s0, s1, s2, s3; - const uint32_t *schedule = ks->k; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; 
- s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); } -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - const uint32_t *schedule; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; - s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} +#endif /* __AVR__ */ 
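Review bot: The AVR build of skinny_128_384_encrypt_tk2 copies `tk2` into `ks->TK2` and leaves it there, so any later skinny_128_384_encrypt() or skinny_128_384_decrypt() on the same schedule uses the caller's last tk2 instead of the TK2 the schedule was initialised with, whereas the C implementation earlier in this diff reads `tk2` from the parameter without touching `ks`. If the AEAD layer ever mixes the two calls on one schedule the two builds would diverge silently; if it never does, that should be stated rather than left to the header's hedge that the function "may modify the key schedule". Either save the previous `ks->TK2` and restore it after the encrypt call, or document the contract on the wrapper, e.g. `/* Leaves ks->TK2 equal to tk2 on return; callers must not rely on the TK2 set by skinny_128_384_init() afterwards. */`. The `#else /* __AVR__ */` branch is complete within this hunk.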
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.h index 76b34f5..2bfda3c 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.h +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-skinny128.h @@ -39,6 +39,16 @@ extern "C" { #endif /** + * \def SKINNY_128_SMALL_SCHEDULE + * \brief Defined to 1 to use the small key schedule version of SKINNY-128. + */ +#if defined(__AVR__) +#define SKINNY_128_SMALL_SCHEDULE 1 +#else +#define SKINNY_128_SMALL_SCHEDULE 0 +#endif + +/** * \brief Size of a block for SKINNY-128 block ciphers. */ #define SKINNY_128_BLOCK_SIZE 16 @@ -56,8 +66,16 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; + + /** TK3 for the small key schedule */ + uint8_t TK3[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_384_ROUNDS * 2]; +#endif } skinny_128_384_key_schedule_t; 
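Review bot: `SKINNY_128_SMALL_SCHEDULE` is hard-wired to 1 on `__AVR__` and 0 elsewhere with no way to override it, yet internal-skinny128.c wraps its whole C implementation in `#if !defined(__AVR__)` earlier in this diff, so the `#if SKINNY_128_SMALL_SCHEDULE` branches added to the C init/encrypt/decrypt functions are never compiled in any configuration this diff shows and cannot be checked against the full-schedule path on a host. Wrapping the definition in `#if !defined(SKINNY_128_SMALL_SCHEDULE)` … `#endif` lets a host build pass `-DSKINNY_128_SMALL_SCHEDULE=1` and run both C paths through the same known-answer tests. Because the macro also selects the layout of skinny_128_384_key_schedule_t, the \def comment should add that it must have the same value in every translation unit that includes this header.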
@@ -66,29 +84,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 32 or 48, - * where 32 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); /** * \brief Encrypts a 128-bit block with SKINNY-128-384. @@ -133,9 +131,12 @@ void skinny_128_384_decrypt * This version is useful when both TK1 and TK2 change from block to block. * When the key is initialized with skinny_128_384_init(), the TK2 part of * the key value should be set to zero. + * + * \note Some versions of this function may modify the key schedule to + * copy tk2 into place. */ void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2); /** @@ -170,8 +171,13 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_256_ROUNDS * 2]; +#endif } skinny_128_256_key_schedule_t; 
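Review bot: With `key_len` and its description removed, the remaining `\param key Points to the key data.` for skinny_128_384_init no longer tells the caller how long the buffer must be or how it is laid out, while the .c side reads TK1 from offset 0, TK2 from 16 and TK3 from 32 without any check. Suggest `\param key Points to 48 bytes of key data laid out as TK1 || TK2 || TK3 (16 bytes each); the length is not checked at runtime.` The same wording, adjusted to 32 bytes and TK1 || TK2, applies to the skinny_128_256_init comment in the following hunk.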
@@ -180,29 +186,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16 or 32, - * where 16 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); /** * \brief Encrypts a 128-bit block with SKINNY-128-256. 
@@ -251,63 +237,6 @@ void skinny_128_256_encrypt_tk_full (const unsigned char key[32], unsigned char *output, const unsigned char *input); -/** - * \brief Number of rounds for SKINNY-128-128. - */ -#define SKINNY_128_128_ROUNDS 40 - -/** - * \brief Structure of the key schedule for SKINNY-128-128. - */ -typedef struct -{ - /** Words of the key schedule */ - uint32_t k[SKINNY_128_128_ROUNDS * 2]; - -} skinny_128_128_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-128. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - #ifdef __cplusplus } #endif 
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-util.h +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.c index 2bb37e9..7558527 100644 
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.c +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk312864v1/rhys/skinny-aead.c @@ -105,11 +105,12 @@ static void skinny_aead_128_384_init (skinny_128_384_key_schedule_t *ks, const unsigned char *key, const unsigned char *nonce, unsigned nonce_len) { - unsigned char k[32]; - memcpy(k, nonce, nonce_len); - memset(k + nonce_len, 0, 16 - nonce_len); - memcpy(k + 16, key, 16); - skinny_128_384_init(ks, k, 32); + unsigned char k[48]; + memset(k, 0, 16); + memcpy(k + 16, nonce, nonce_len); + memset(k + 16 + nonce_len, 0, 16 - nonce_len); + memcpy(k + 32, key, 16); + skinny_128_384_init(ks, k); } /** @@ -136,7 +137,7 @@ static void skinny_aead_128_384_init #define skinny_aead_128_384_update_lfsr(lfsr) \ do { \ uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \ - (lfsr) = ((lfsr) << 1) | feedback; \ + (lfsr) = ((lfsr) << 1) ^ feedback; \ } while (0) /** @@ -520,7 +521,7 @@ static void skinny_aead_128_256_init memset(k, 0, 16 - nonce_len); memcpy(k + 16 - nonce_len, nonce, nonce_len); memcpy(k + 16, key, 16); - skinny_128_256_init(ks, k, 32); + skinny_128_256_init(ks, k); } /** diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/aead-common.c b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/aead-common.c +++ /dev/null 
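Review bot: The enlarged local `k[48]` in skinny_aead_128_384_init holds the raw 16-byte key (and the nonce) after `skinny_128_384_init(ks, k)` returns and is never cleared, so a copy of the key is left on the stack below the caller's frame; the previous 32-byte version had the same property, but the buffer is being re-laid-out anyway. Adding `memset(k, 0, sizeof(k));` before returning limits the residue, with the caveat that a plain memset of a dead local can be elided by the optimiser, so a volatile-pointer wipe or whatever secure-clear helper this tree already provides would be preferable if one exists. `memset(k + 16 + nonce_len, 0, 16 - nonce_len)` still assumes `nonce_len <= 16`; since `nonce_len` is unsigned, a larger value wraps the length and overruns `k`, so if the static callers are not the only ones an early `if (nonce_len > 16) return;` or an assert is warranted.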
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/aead-common.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/api.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/api.h
deleted file mode 100644
index c3c0a27..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 12
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/encrypt.c b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/encrypt.c
deleted file mode 100644
index 92605fe..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "skinny-aead.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return skinny_aead_m2_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return skinny_aead_m2_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-skinny128-avr.S b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-skinny128-avr.S
deleted file mode 100644
index d342cd5..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-skinny128-avr.S
+++ /dev/null
@@ -1,10099 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 256 -table_0: - .byte 101 - .byte 76 - .byte 106 - .byte 66 - .byte 75 - .byte 99 - .byte 67 - .byte 107 - .byte 85 - .byte 117 - .byte 90 - .byte 122 - .byte 83 - .byte 115 - .byte 91 - .byte 123 - .byte 53 - .byte 140 - .byte 58 - .byte 129 - .byte 137 - .byte 51 - .byte 128 - .byte 59 - .byte 149 - .byte 37 - .byte 152 - .byte 42 - .byte 144 - .byte 35 - .byte 153 - .byte 43 - .byte 229 - .byte 204 - .byte 232 - .byte 193 - .byte 201 - .byte 224 - .byte 192 - .byte 233 - .byte 213 - .byte 245 - .byte 216 - .byte 248 - .byte 208 - .byte 240 - .byte 217 - .byte 249 - .byte 165 - .byte 28 - .byte 168 - .byte 18 - .byte 27 - .byte 160 - .byte 19 - .byte 169 - .byte 5 - .byte 181 - .byte 10 - .byte 184 - .byte 3 - .byte 176 - .byte 11 - .byte 185 - .byte 50 - .byte 136 - .byte 60 - .byte 133 - .byte 141 - .byte 52 - .byte 132 - .byte 61 - .byte 145 - .byte 34 - .byte 156 - .byte 44 - .byte 148 - .byte 36 - .byte 157 - .byte 45 - .byte 98 - .byte 74 - .byte 108 - .byte 69 - .byte 77 - .byte 100 - .byte 68 - .byte 109 - .byte 82 - .byte 114 - .byte 92 - .byte 124 - .byte 84 - .byte 116 - .byte 93 - .byte 125 - .byte 161 - .byte 26 - .byte 172 - .byte 21 - .byte 29 - .byte 164 - .byte 20 - .byte 173 - .byte 2 - .byte 177 - .byte 12 - .byte 188 - .byte 4 - .byte 180 - .byte 13 - .byte 189 - .byte 225 - .byte 200 - .byte 236 - .byte 197 - .byte 205 - .byte 228 - .byte 196 - .byte 237 - .byte 209 - .byte 241 - .byte 220 - .byte 252 - .byte 212 - .byte 244 - .byte 221 - .byte 253 - .byte 54 - .byte 142 - .byte 56 - .byte 130 - .byte 139 - .byte 48 - .byte 131 - .byte 57 - .byte 150 - .byte 38 - .byte 154 - .byte 40 - .byte 147 - .byte 32 - .byte 155 - .byte 41 - .byte 102 - .byte 78 - .byte 104 - .byte 65 - .byte 73 - .byte 96 - .byte 64 - .byte 105 - .byte 86 - .byte 118 - .byte 88 - 
.byte 120 - .byte 80 - .byte 112 - .byte 89 - .byte 121 - .byte 166 - .byte 30 - .byte 170 - .byte 17 - .byte 25 - .byte 163 - .byte 16 - .byte 171 - .byte 6 - .byte 182 - .byte 8 - .byte 186 - .byte 0 - .byte 179 - .byte 9 - .byte 187 - .byte 230 - .byte 206 - .byte 234 - .byte 194 - .byte 203 - .byte 227 - .byte 195 - .byte 235 - .byte 214 - .byte 246 - .byte 218 - .byte 250 - .byte 211 - .byte 243 - .byte 219 - .byte 251 - .byte 49 - .byte 138 - .byte 62 - .byte 134 - .byte 143 - .byte 55 - .byte 135 - .byte 63 - .byte 146 - .byte 33 - .byte 158 - .byte 46 - .byte 151 - .byte 39 - .byte 159 - .byte 47 - .byte 97 - .byte 72 - .byte 110 - .byte 70 - .byte 79 - .byte 103 - .byte 71 - .byte 111 - .byte 81 - .byte 113 - .byte 94 - .byte 126 - .byte 87 - .byte 119 - .byte 95 - .byte 127 - .byte 162 - .byte 24 - .byte 174 - .byte 22 - .byte 31 - .byte 167 - .byte 23 - .byte 175 - .byte 1 - .byte 178 - .byte 14 - .byte 190 - .byte 7 - .byte 183 - .byte 15 - .byte 191 - .byte 226 - .byte 202 - .byte 238 - .byte 198 - .byte 207 - .byte 231 - .byte 199 - .byte 239 - .byte 210 - .byte 242 - .byte 222 - .byte 254 - .byte 215 - .byte 247 - .byte 223 - .byte 255 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_1, @object - .size table_1, 256 -table_1: - .byte 172 - .byte 232 - .byte 104 - .byte 60 - .byte 108 - .byte 56 - .byte 168 - .byte 236 - .byte 170 - .byte 174 - .byte 58 - .byte 62 - .byte 106 - .byte 110 - .byte 234 - .byte 238 - .byte 166 - .byte 163 - .byte 51 - .byte 54 - .byte 102 - .byte 99 - .byte 227 - .byte 230 - .byte 225 - .byte 164 - .byte 97 - .byte 52 - .byte 49 - .byte 100 - .byte 161 - .byte 228 - .byte 141 - .byte 201 - .byte 73 - .byte 29 - .byte 77 - .byte 25 - .byte 137 - .byte 205 - .byte 139 - .byte 143 - .byte 27 - .byte 31 - .byte 75 - .byte 79 - .byte 203 - .byte 207 - .byte 133 - .byte 192 - .byte 64 - .byte 21 - .byte 69 - .byte 16 - .byte 128 - .byte 197 - .byte 130 - .byte 135 - .byte 18 - .byte 23 - .byte 66 - .byte 71 - 
.byte 194 - .byte 199 - .byte 150 - .byte 147 - .byte 3 - .byte 6 - .byte 86 - .byte 83 - .byte 211 - .byte 214 - .byte 209 - .byte 148 - .byte 81 - .byte 4 - .byte 1 - .byte 84 - .byte 145 - .byte 212 - .byte 156 - .byte 216 - .byte 88 - .byte 12 - .byte 92 - .byte 8 - .byte 152 - .byte 220 - .byte 154 - .byte 158 - .byte 10 - .byte 14 - .byte 90 - .byte 94 - .byte 218 - .byte 222 - .byte 149 - .byte 208 - .byte 80 - .byte 5 - .byte 85 - .byte 0 - .byte 144 - .byte 213 - .byte 146 - .byte 151 - .byte 2 - .byte 7 - .byte 82 - .byte 87 - .byte 210 - .byte 215 - .byte 157 - .byte 217 - .byte 89 - .byte 13 - .byte 93 - .byte 9 - .byte 153 - .byte 221 - .byte 155 - .byte 159 - .byte 11 - .byte 15 - .byte 91 - .byte 95 - .byte 219 - .byte 223 - .byte 22 - .byte 19 - .byte 131 - .byte 134 - .byte 70 - .byte 67 - .byte 195 - .byte 198 - .byte 65 - .byte 20 - .byte 193 - .byte 132 - .byte 17 - .byte 68 - .byte 129 - .byte 196 - .byte 28 - .byte 72 - .byte 200 - .byte 140 - .byte 76 - .byte 24 - .byte 136 - .byte 204 - .byte 26 - .byte 30 - .byte 138 - .byte 142 - .byte 74 - .byte 78 - .byte 202 - .byte 206 - .byte 53 - .byte 96 - .byte 224 - .byte 165 - .byte 101 - .byte 48 - .byte 160 - .byte 229 - .byte 50 - .byte 55 - .byte 162 - .byte 167 - .byte 98 - .byte 103 - .byte 226 - .byte 231 - .byte 61 - .byte 105 - .byte 233 - .byte 173 - .byte 109 - .byte 57 - .byte 169 - .byte 237 - .byte 59 - .byte 63 - .byte 171 - .byte 175 - .byte 107 - .byte 111 - .byte 235 - .byte 239 - .byte 38 - .byte 35 - .byte 179 - .byte 182 - .byte 118 - .byte 115 - .byte 243 - .byte 246 - .byte 113 - .byte 36 - .byte 241 - .byte 180 - .byte 33 - .byte 116 - .byte 177 - .byte 244 - .byte 44 - .byte 120 - .byte 248 - .byte 188 - .byte 124 - .byte 40 - .byte 184 - .byte 252 - .byte 42 - .byte 46 - .byte 186 - .byte 190 - .byte 122 - .byte 126 - .byte 250 - .byte 254 - .byte 37 - .byte 112 - .byte 240 - .byte 181 - .byte 117 - .byte 32 - .byte 176 - .byte 245 - .byte 34 - .byte 39 - .byte 178 - 
.byte 183 - .byte 114 - .byte 119 - .byte 242 - .byte 247 - .byte 45 - .byte 121 - .byte 249 - .byte 189 - .byte 125 - .byte 41 - .byte 185 - .byte 253 - .byte 43 - .byte 47 - .byte 187 - .byte 191 - .byte 123 - .byte 127 - .byte 251 - .byte 255 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_2, @object - .size table_2, 256 -table_2: - .byte 0 - .byte 2 - .byte 4 - .byte 6 - .byte 8 - .byte 10 - .byte 12 - .byte 14 - .byte 16 - .byte 18 - .byte 20 - .byte 22 - .byte 24 - .byte 26 - .byte 28 - .byte 30 - .byte 32 - .byte 34 - .byte 36 - .byte 38 - .byte 40 - .byte 42 - .byte 44 - .byte 46 - .byte 48 - .byte 50 - .byte 52 - .byte 54 - .byte 56 - .byte 58 - .byte 60 - .byte 62 - .byte 65 - .byte 67 - .byte 69 - .byte 71 - .byte 73 - .byte 75 - .byte 77 - .byte 79 - .byte 81 - .byte 83 - .byte 85 - .byte 87 - .byte 89 - .byte 91 - .byte 93 - .byte 95 - .byte 97 - .byte 99 - .byte 101 - .byte 103 - .byte 105 - .byte 107 - .byte 109 - .byte 111 - .byte 113 - .byte 115 - .byte 117 - .byte 119 - .byte 121 - .byte 123 - .byte 125 - .byte 127 - .byte 128 - .byte 130 - .byte 132 - .byte 134 - .byte 136 - .byte 138 - .byte 140 - .byte 142 - .byte 144 - .byte 146 - .byte 148 - .byte 150 - .byte 152 - .byte 154 - .byte 156 - .byte 158 - .byte 160 - .byte 162 - .byte 164 - .byte 166 - .byte 168 - .byte 170 - .byte 172 - .byte 174 - .byte 176 - .byte 178 - .byte 180 - .byte 182 - .byte 184 - .byte 186 - .byte 188 - .byte 190 - .byte 193 - .byte 195 - .byte 197 - .byte 199 - .byte 201 - .byte 203 - .byte 205 - .byte 207 - .byte 209 - .byte 211 - .byte 213 - .byte 215 - .byte 217 - .byte 219 - .byte 221 - .byte 223 - .byte 225 - .byte 227 - .byte 229 - .byte 231 - .byte 233 - .byte 235 - .byte 237 - .byte 239 - .byte 241 - .byte 243 - .byte 245 - .byte 247 - .byte 249 - .byte 251 - .byte 253 - .byte 255 - .byte 1 - .byte 3 - .byte 5 - .byte 7 - .byte 9 - .byte 11 - .byte 13 - .byte 15 - .byte 17 - .byte 19 - .byte 21 - .byte 23 - .byte 25 - .byte 27 - .byte 29 - 
.byte 31 - .byte 33 - .byte 35 - .byte 37 - .byte 39 - .byte 41 - .byte 43 - .byte 45 - .byte 47 - .byte 49 - .byte 51 - .byte 53 - .byte 55 - .byte 57 - .byte 59 - .byte 61 - .byte 63 - .byte 64 - .byte 66 - .byte 68 - .byte 70 - .byte 72 - .byte 74 - .byte 76 - .byte 78 - .byte 80 - .byte 82 - .byte 84 - .byte 86 - .byte 88 - .byte 90 - .byte 92 - .byte 94 - .byte 96 - .byte 98 - .byte 100 - .byte 102 - .byte 104 - .byte 106 - .byte 108 - .byte 110 - .byte 112 - .byte 114 - .byte 116 - .byte 118 - .byte 120 - .byte 122 - .byte 124 - .byte 126 - .byte 129 - .byte 131 - .byte 133 - .byte 135 - .byte 137 - .byte 139 - .byte 141 - .byte 143 - .byte 145 - .byte 147 - .byte 149 - .byte 151 - .byte 153 - .byte 155 - .byte 157 - .byte 159 - .byte 161 - .byte 163 - .byte 165 - .byte 167 - .byte 169 - .byte 171 - .byte 173 - .byte 175 - .byte 177 - .byte 179 - .byte 181 - .byte 183 - .byte 185 - .byte 187 - .byte 189 - .byte 191 - .byte 192 - .byte 194 - .byte 196 - .byte 198 - .byte 200 - .byte 202 - .byte 204 - .byte 206 - .byte 208 - .byte 210 - .byte 212 - .byte 214 - .byte 216 - .byte 218 - .byte 220 - .byte 222 - .byte 224 - .byte 226 - .byte 228 - .byte 230 - .byte 232 - .byte 234 - .byte 236 - .byte 238 - .byte 240 - .byte 242 - .byte 244 - .byte 246 - .byte 248 - .byte 250 - .byte 252 - .byte 254 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_3, @object - .size table_3, 256 -table_3: - .byte 0 - .byte 128 - .byte 1 - .byte 129 - .byte 2 - .byte 130 - .byte 3 - .byte 131 - .byte 4 - .byte 132 - .byte 5 - .byte 133 - .byte 6 - .byte 134 - .byte 7 - .byte 135 - .byte 8 - .byte 136 - .byte 9 - .byte 137 - .byte 10 - .byte 138 - .byte 11 - .byte 139 - .byte 12 - .byte 140 - .byte 13 - .byte 141 - .byte 14 - .byte 142 - .byte 15 - .byte 143 - .byte 16 - .byte 144 - .byte 17 - .byte 145 - .byte 18 - .byte 146 - .byte 19 - .byte 147 - .byte 20 - .byte 148 - .byte 21 - .byte 149 - .byte 22 - .byte 150 - .byte 23 - .byte 151 - .byte 24 - .byte 152 - 
.byte 25 - .byte 153 - .byte 26 - .byte 154 - .byte 27 - .byte 155 - .byte 28 - .byte 156 - .byte 29 - .byte 157 - .byte 30 - .byte 158 - .byte 31 - .byte 159 - .byte 160 - .byte 32 - .byte 161 - .byte 33 - .byte 162 - .byte 34 - .byte 163 - .byte 35 - .byte 164 - .byte 36 - .byte 165 - .byte 37 - .byte 166 - .byte 38 - .byte 167 - .byte 39 - .byte 168 - .byte 40 - .byte 169 - .byte 41 - .byte 170 - .byte 42 - .byte 171 - .byte 43 - .byte 172 - .byte 44 - .byte 173 - .byte 45 - .byte 174 - .byte 46 - .byte 175 - .byte 47 - .byte 176 - .byte 48 - .byte 177 - .byte 49 - .byte 178 - .byte 50 - .byte 179 - .byte 51 - .byte 180 - .byte 52 - .byte 181 - .byte 53 - .byte 182 - .byte 54 - .byte 183 - .byte 55 - .byte 184 - .byte 56 - .byte 185 - .byte 57 - .byte 186 - .byte 58 - .byte 187 - .byte 59 - .byte 188 - .byte 60 - .byte 189 - .byte 61 - .byte 190 - .byte 62 - .byte 191 - .byte 63 - .byte 64 - .byte 192 - .byte 65 - .byte 193 - .byte 66 - .byte 194 - .byte 67 - .byte 195 - .byte 68 - .byte 196 - .byte 69 - .byte 197 - .byte 70 - .byte 198 - .byte 71 - .byte 199 - .byte 72 - .byte 200 - .byte 73 - .byte 201 - .byte 74 - .byte 202 - .byte 75 - .byte 203 - .byte 76 - .byte 204 - .byte 77 - .byte 205 - .byte 78 - .byte 206 - .byte 79 - .byte 207 - .byte 80 - .byte 208 - .byte 81 - .byte 209 - .byte 82 - .byte 210 - .byte 83 - .byte 211 - .byte 84 - .byte 212 - .byte 85 - .byte 213 - .byte 86 - .byte 214 - .byte 87 - .byte 215 - .byte 88 - .byte 216 - .byte 89 - .byte 217 - .byte 90 - .byte 218 - .byte 91 - .byte 219 - .byte 92 - .byte 220 - .byte 93 - .byte 221 - .byte 94 - .byte 222 - .byte 95 - .byte 223 - .byte 224 - .byte 96 - .byte 225 - .byte 97 - .byte 226 - .byte 98 - .byte 227 - .byte 99 - .byte 228 - .byte 100 - .byte 229 - .byte 101 - .byte 230 - .byte 102 - .byte 231 - .byte 103 - .byte 232 - .byte 104 - .byte 233 - .byte 105 - .byte 234 - .byte 106 - .byte 235 - .byte 107 - .byte 236 - .byte 108 - .byte 237 - .byte 109 - .byte 238 - .byte 110 - .byte 239 
- .byte 111 - .byte 240 - .byte 112 - .byte 241 - .byte 113 - .byte 242 - .byte 114 - .byte 243 - .byte 115 - .byte 244 - .byte 116 - .byte 245 - .byte 117 - .byte 246 - .byte 118 - .byte 247 - .byte 119 - .byte 248 - .byte 120 - .byte 249 - .byte 121 - .byte 250 - .byte 122 - .byte 251 - .byte 123 - .byte 252 - .byte 124 - .byte 253 - .byte 125 - .byte 254 - .byte 126 - .byte 255 - .byte 127 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_4, @object - .size table_4, 112 -table_4: - .byte 1 - .byte 0 - .byte 3 - .byte 0 - .byte 7 - .byte 0 - .byte 15 - .byte 0 - .byte 15 - .byte 1 - .byte 14 - .byte 3 - .byte 13 - .byte 3 - .byte 11 - .byte 3 - .byte 7 - .byte 3 - .byte 15 - .byte 2 - .byte 14 - .byte 1 - .byte 12 - .byte 3 - .byte 9 - .byte 3 - .byte 3 - .byte 3 - .byte 7 - .byte 2 - .byte 14 - .byte 0 - .byte 13 - .byte 1 - .byte 10 - .byte 3 - .byte 5 - .byte 3 - .byte 11 - .byte 2 - .byte 6 - .byte 1 - .byte 12 - .byte 2 - .byte 8 - .byte 1 - .byte 0 - .byte 3 - .byte 1 - .byte 2 - .byte 2 - .byte 0 - .byte 5 - .byte 0 - .byte 11 - .byte 0 - .byte 7 - .byte 1 - .byte 14 - .byte 2 - .byte 12 - .byte 1 - .byte 8 - .byte 3 - .byte 1 - .byte 3 - .byte 3 - .byte 2 - .byte 6 - .byte 0 - .byte 13 - .byte 0 - .byte 11 - .byte 1 - .byte 6 - .byte 3 - .byte 13 - .byte 2 - .byte 10 - .byte 1 - .byte 4 - .byte 3 - .byte 9 - .byte 2 - .byte 2 - .byte 1 - .byte 4 - .byte 2 - .byte 8 - .byte 0 - .byte 1 - .byte 1 - .byte 2 - .byte 2 - .byte 4 - .byte 0 - .byte 9 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 2 - .byte 12 - .byte 0 - .byte 9 - .byte 1 - .byte 2 - .byte 3 - .byte 5 - .byte 2 - .byte 10 - .byte 0 - - .text -.global skinny_128_384_init - .type skinny_128_384_init, @function -skinny_128_384_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ldi r22,12 -1: - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - st Z+,r18 - st Z+,r19 - st Z+,r20 - st Z+,r21 - dec r22 - brne 1b - ret - .size skinny_128_384_init, .-skinny_128_384_init - - .text 
-.global skinny_128_384_encrypt - .type skinny_128_384_encrypt, @function -skinny_128_384_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,48 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 68 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Y+5,r18 - std Y+6,r19 - std Y+7,r20 - std Y+8,r21 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - std Y+9,r18 - std Y+10,r19 - std Y+11,r20 - std Y+12,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - std Y+13,r18 - std Y+14,r19 - std Y+15,r20 - std Y+16,r21 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - std Y+17,r18 - std Y+18,r19 - std Y+19,r20 - std Y+20,r21 - ldd r18,Z+20 - ldd r19,Z+21 - ldd r20,Z+22 - ldd r21,Z+23 - std Y+21,r18 - std Y+22,r19 - std Y+23,r20 - std Y+24,r21 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - std Y+25,r18 - std Y+26,r19 - std Y+27,r20 - std Y+28,r21 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - std Y+29,r18 - std Y+30,r19 - std Y+31,r20 - std Y+32,r21 - ldd r18,Z+32 - ldd r19,Z+33 - ldd r20,Z+34 - ldd r21,Z+35 - std Y+33,r18 - std Y+34,r19 - std Y+35,r20 - std Y+36,r21 - ldd r18,Z+36 - ldd r19,Z+37 - ldd r20,Z+38 - ldd r21,Z+39 - std Y+37,r18 - std Y+38,r19 - std Y+39,r20 - std Y+40,r21 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - std Y+41,r18 - std Y+42,r19 - std Y+43,r20 - std Y+44,r21 - ldd r18,Z+44 - ldd r19,Z+45 - ldd r20,Z+46 - ldd r21,Z+47 - std Y+45,r18 - std Y+46,r19 - std Y+47,r20 - std Y+48,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld 
r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r26,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - mov r26,r1 -114: - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z 
-#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - ldi r27,2 - eor r4,r27 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+33 - eor r18,r0 - ldd r0,Y+34 - eor r19,r0 - ldd r0,Y+35 - eor r20,r0 - ldd r0,Y+36 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - ldd r0,Y+37 - eor r22,r0 - ldd r0,Y+38 - 
eor r23,r0 - ldd r0,Y+39 - eor r2,r0 - ldd r0,Y+40 - eor r3,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z 
-#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - std Y+30,r16 - std Y+31,r24 - std Y+32,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r13 - std Y+42,r17 - std Y+43,r12 - std 
Y+44,r25 - std Y+45,r14 - std Y+46,r16 - std Y+47,r24 - std Y+48,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - 
mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - ldi r27,2 - eor r22,r27 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+41 - eor r8,r0 - ldd r0,Y+42 - eor r9,r0 - ldd r0,Y+43 - eor r10,r0 - ldd r0,Y+44 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - ldd r0,Y+45 - eor r18,r0 - ldd r0,Y+46 - eor r19,r0 - ldd r0,Y+47 - eor r20,r0 - ldd r0,Y+48 - eor 
r21,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - mov r0,r2 - mov r2,r22 - mov r22,r0 - mov r0,r3 - mov r3,r23 - mov r23,r0 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 
-#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r13 - std Y+34,r17 - std Y+35,r12 - std Y+36,r25 - std Y+37,r14 - std Y+38,r16 - std Y+39,r24 - std Y+40,r15 - 
ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - ldi r27,2 - eor r18,r27 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+33 - eor r4,r0 - ldd r0,Y+34 - eor r5,r0 - ldd r0,Y+35 - eor r6,r0 - ldd r0,Y+36 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - ldd r0,Y+37 - eor r8,r0 - ldd r0,Y+38 - eor r9,r0 - ldd r0,Y+39 - eor r10,r0 - ldd r0,Y+40 - eor r11,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - mov 
r0,r20 - mov r20,r18 - mov r18,r0 - mov r0,r21 - mov r21,r19 - mov r19,r0 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z 
-#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - std Y+30,r16 - std Y+31,r24 - std Y+32,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r13 - std Y+42,r17 - std Y+43,r12 - std Y+44,r25 - std Y+45,r14 - std Y+46,r16 - std Y+47,r24 - std Y+48,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if 
defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld 
r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - ldi r27,2 - eor r8,r27 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+41 - eor r22,r0 - ldd r0,Y+42 - eor r23,r0 - ldd r0,Y+43 - eor r2,r0 - ldd r0,Y+44 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - ldd r0,Y+45 - eor r4,r0 - ldd r0,Y+46 - eor r5,r0 - ldd r0,Y+47 - eor r6,r0 - ldd r0,Y+48 - eor r7,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov 
r9,r0 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - cpi r26,112 - brne 5721f - rjmp 790f -5721: - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - 
lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r13 - std Y+34,r17 - std Y+35,r12 - std Y+36,r25 - std Y+37,r14 - std Y+38,r16 - std Y+39,r24 - std Y+40,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - 
out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 114b -790: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+49 - ldd r27,Y+50 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,50 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_384_encrypt, .-skinny_128_384_encrypt - -.global skinny_128_384_encrypt_tk_full - .set skinny_128_384_encrypt_tk_full,skinny_128_384_encrypt - - .text -.global skinny_128_384_decrypt - .type skinny_128_384_decrypt, @function -skinny_128_384_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,48 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 68 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r4,Z+8 - ldd r5,Z+9 - ldd r6,Z+10 - ldd r7,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Y+1,r23 - std Y+2,r2 - std Y+3,r21 - std Y+4,r20 - std Y+5,r3 - std Y+6,r18 - std Y+7,r19 - std Y+8,r22 - std Y+9,r9 - std Y+10,r10 - std Y+11,r7 - std Y+12,r6 - std Y+13,r11 - std Y+14,r4 - std Y+15,r5 - std Y+16,r8 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - ldd r4,Z+24 - ldd r5,Z+25 - ldd r6,Z+26 - ldd r7,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Y+17,r23 - std Y+18,r2 - std Y+19,r21 - std Y+20,r20 - std Y+21,r3 - std Y+22,r18 - std 
Y+23,r19 - std Y+24,r22 - std Y+25,r9 - std Y+26,r10 - std Y+27,r7 - std Y+28,r6 - std Y+29,r11 - std Y+30,r4 - std Y+31,r5 - std Y+32,r8 - ldd r18,Z+32 - ldd r19,Z+33 - ldd r20,Z+34 - ldd r21,Z+35 - ldd r22,Z+36 - ldd r23,Z+37 - ldd r2,Z+38 - ldd r3,Z+39 - ldd r4,Z+40 - ldd r5,Z+41 - ldd r6,Z+42 - ldd r7,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - std Y+33,r23 - std Y+34,r2 - std Y+35,r21 - std Y+36,r20 - std Y+37,r3 - std Y+38,r18 - std Y+39,r19 - std Y+40,r22 - std Y+41,r9 - std Y+42,r10 - std Y+43,r7 - std Y+44,r6 - std Y+45,r11 - std Y+46,r4 - std Y+47,r5 - std Y+48,r8 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r26,hh8(table_2) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,28 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 -122: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 122b - std Y+17,r12 - std Y+18,r13 - std Y+19,r14 - std Y+20,r15 - std Y+21,r24 - std Y+22,r25 - std Y+23,r16 - std Y+24,r17 - ldi r26,28 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 -150: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif 
defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 150b - std Y+25,r12 - std Y+26,r13 - std Y+27,r14 - std Y+28,r15 - std Y+29,r24 - std Y+30,r25 - std Y+31,r16 - std Y+32,r17 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r26,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,28 - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 -179: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 179b - std Y+33,r12 - std Y+34,r13 - std Y+35,r14 - std Y+36,r15 - std Y+37,r24 - std Y+38,r25 - std Y+39,r16 - std Y+40,r17 - ldi r26,28 - ldd r12,Y+41 - ldd r13,Y+42 - 
ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 -207: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 207b - std Y+41,r12 - std Y+42,r13 - std Y+43,r14 - std Y+44,r15 - std Y+45,r24 - std Y+46,r25 - std Y+47,r16 - std Y+48,r17 - ldi r26,112 -227: - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 
-#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r14 - std Y+34,r12 - std Y+35,r24 - std Y+36,r17 - std Y+37,r16 - std Y+38,r15 - std Y+39,r25 - std Y+40,r13 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - mov r0,r8 - mov r8,r10 - mov r10,r0 - mov r0,r9 - mov r9,r11 - mov r11,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+41 - eor r22,r0 - ldd r0,Y+42 - eor r23,r0 - ldd r0,Y+43 - eor r2,r0 - ldd r0,Y+44 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - ldd 
r0,Y+45 - eor r4,r0 - ldd r0,Y+46 - eor r5,r0 - ldd r0,Y+47 - eor r6,r0 - ldd r0,Y+48 - eor r7,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - ldi r27,2 - eor r8,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif 
defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - 
ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm 
r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r14 - std Y+42,r12 - std Y+43,r24 - std Y+44,r17 - std Y+45,r16 - std Y+46,r15 - std Y+47,r25 - std Y+48,r13 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r18 - mov r18,r20 - mov r20,r0 - mov r0,r19 - mov r19,r21 - mov r21,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+33 - eor r4,r0 - ldd r0,Y+34 - eor r5,r0 - ldd r0,Y+35 - eor r6,r0 - ldd r0,Y+36 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - ldd r0,Y+37 - eor r8,r0 - ldd r0,Y+38 - eor r9,r0 - ldd r0,Y+39 - eor r10,r0 - 
ldd r0,Y+40 - eor r11,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - ldi r27,2 - eor r18,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov 
r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm 
r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - 
mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r14 - std Y+34,r12 - std Y+35,r24 - std Y+36,r17 - std Y+37,r16 - std Y+38,r15 - std Y+39,r25 - std Y+40,r13 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - mov r0,r22 - mov r22,r2 - mov r2,r0 - mov r0,r23 - mov r23,r3 - mov r3,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+41 - eor r8,r0 - ldd r0,Y+42 - eor r9,r0 - ldd r0,Y+43 - eor r10,r0 - ldd r0,Y+44 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - ldd r0,Y+45 - eor r18,r0 - ldd r0,Y+46 - eor r19,r0 - ldd r0,Y+47 - eor r20,r0 - ldd r0,Y+48 - eor r21,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) 
-#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - ldi r27,2 - eor r22,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z 
-#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r14 - std Y+42,r12 - std Y+43,r24 - std Y+44,r17 - std Y+45,r16 - std Y+46,r15 - std Y+47,r25 - std Y+48,r13 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - mov r0,r4 - mov r4,r6 - mov r6,r0 - mov r0,r5 - mov r5,r7 - mov r7,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+33 - eor r18,r0 - ldd r0,Y+34 - eor r19,r0 - ldd r0,Y+35 - eor r20,r0 - ldd r0,Y+36 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - ldd r0,Y+37 - eor r22,r0 - ldd r0,Y+38 - eor r23,r0 - ldd r0,Y+39 - eor r2,r0 - ldd r0,Y+40 - eor r3,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out 
_SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - ldi r27,2 - eor r4,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif 
defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - cp r26,r1 - breq 903f - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 227b -903: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+49 - ldd r27,Y+50 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,50 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_384_decrypt, .-skinny_128_384_decrypt - - .text -.global 
skinny_128_256_init - .type skinny_128_256_init, @function -skinny_128_256_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ldi r22,8 -1: - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - st Z+,r18 - st Z+,r19 - st Z+,r20 - st Z+,r21 - dec r22 - brne 1b - ret - .size skinny_128_256_init, .-skinny_128_256_init - - .text -.global skinny_128_256_encrypt - .type skinny_128_256_encrypt, @function -skinny_128_256_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,32 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 52 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Y+5,r18 - std Y+6,r19 - std Y+7,r20 - std Y+8,r21 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - std Y+9,r18 - std Y+10,r19 - std Y+11,r20 - std Y+12,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - std Y+13,r18 - std Y+14,r19 - std Y+15,r20 - std Y+16,r21 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - std Y+17,r18 - std Y+18,r19 - std Y+19,r20 - std Y+20,r21 - ldd r18,Z+20 - ldd r19,Z+21 - ldd r20,Z+22 - ldd r21,Z+23 - std Y+21,r18 - std Y+22,r19 - std Y+23,r20 - std Y+24,r21 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - std Y+25,r18 - std Y+26,r19 - std Y+27,r20 - std Y+28,r21 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - std Y+29,r18 - std Y+30,r19 - std Y+31,r20 - std Y+32,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi 
r26,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - mov r26,r1 -82: - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - ldi r27,2 - eor r4,r27 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - eor r4,r18 - eor r5,r19 - 
eor r6,r20 - eor r7,r21 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - std Y+30,r16 - std Y+31,r24 
- std Y+32,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - 
elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - ldi r27,2 - eor r22,r27 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - mov r0,r2 - mov r2,r22 - mov r22,r0 - mov r0,r3 - mov r3,r23 - mov r23,r0 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - eor 
r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std 
Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm 
r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - ldi r27,2 - eor r18,r27 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - mov r0,r20 - mov r20,r18 - mov r18,r0 - mov r0,r21 - mov r21,r19 - mov r19,r0 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - eor 
r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - 
std Y+30,r16 - std Y+31,r24 - std Y+32,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if 
defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - ldi r27,2 - eor r8,r27 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r4,r8 - eor r5,r9 - 
eor r6,r10 - eor r7,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - cpi r26,96 - breq 594f - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std 
Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 82b -594: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+33 - ldd r27,Y+34 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,34 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_256_encrypt, .-skinny_128_256_encrypt - -.global skinny_128_256_encrypt_tk_full - .set skinny_128_256_encrypt_tk_full,skinny_128_256_encrypt - - .text -.global skinny_128_256_decrypt - .type skinny_128_256_decrypt, @function -skinny_128_256_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,32 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 52 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r4,Z+8 - ldd r5,Z+9 - ldd r6,Z+10 - ldd r7,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - std Y+5,r22 - std Y+6,r23 - std Y+7,r2 - std Y+8,r3 - std Y+9,r4 - std Y+10,r5 - std Y+11,r6 - std Y+12,r7 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - ldd r4,Z+24 - ldd r5,Z+25 - ldd 
r6,Z+26 - ldd r7,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Y+17,r18 - std Y+18,r19 - std Y+19,r20 - std Y+20,r21 - std Y+21,r22 - std Y+22,r23 - std Y+23,r2 - std Y+24,r3 - std Y+25,r4 - std Y+26,r5 - std Y+27,r6 - std Y+28,r7 - std Y+29,r8 - std Y+30,r9 - std Y+31,r10 - std Y+32,r11 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r26,hh8(table_2) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,24 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 -90: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if 
defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 90b - std Y+17,r12 - std Y+18,r13 - std Y+19,r14 - std Y+20,r15 - std Y+21,r24 - std Y+22,r25 - std Y+23,r16 - std Y+24,r17 - ldi r26,24 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 -118: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 118b - std Y+25,r12 - std Y+26,r13 - std Y+27,r14 - std Y+28,r15 - std Y+29,r24 - std Y+30,r25 - std Y+31,r16 - std Y+32,r17 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r26,hh8(table_3) - 
out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,96 -139: - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r4,r8 - eor r5,r9 - eor r6,r10 - 
eor r7,r11 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - mov r0,r8 - mov r8,r10 - mov r10,r0 - mov r0,r9 - mov r9,r11 - mov r11,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - ldi r27,2 - eor r8,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z 
-#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - 
ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r8,r18 - eor 
r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r18 - mov r18,r20 - mov r20,r0 - mov r0,r19 - mov r19,r21 - mov r21,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - ldi r27,2 - eor r18,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - 
elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if 
defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r18,r22 - eor 
r19,r23 - eor r20,r2 - eor r21,r3 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - mov r0,r22 - mov r22,r2 - mov r2,r0 - mov r0,r23 - mov r23,r3 - mov r3,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - ldi r27,2 - eor r22,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 
-#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_3) - ldi 
r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - mov r0,r4 - mov r4,r6 - mov r6,r0 - mov r0,r5 - mov r5,r7 - mov r7,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - ldi r27,2 - eor r4,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - 
mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - cp r26,r1 - 
breq 651f
- ldi r30,lo8(table_3)
- ldi r31,hi8(table_3)
-#if defined(RAMPZ)
- ldi r27,hh8(table_3)
- out _SFR_IO_ADDR(RAMPZ),r27
-#endif
- rjmp 139b
-651:
-#if defined(RAMPZ)
- pop r0
- out _SFR_IO_ADDR(RAMPZ),r0
-#endif
- ldd r26,Y+33
- ldd r27,Y+34
- st X+,r18
- st X+,r19
- st X+,r20
- st X+,r21
- st X+,r22
- st X+,r23
- st X+,r2
- st X+,r3
- st X+,r4
- st X+,r5
- st X+,r6
- st X+,r7
- st X+,r8
- st X+,r9
- st X+,r10
- st X+,r11
- adiw r28,34
- in r0,0x3f
- cli
- out 0x3e,r29
- out 0x3f,r0
- out 0x3d,r28
- pop r17
- pop r16
- pop r15
- pop r14
- pop r13
- pop r12
- pop r11
- pop r10
- pop r9
- pop r8
- pop r7
- pop r6
- pop r5
- pop r4
- pop r3
- pop r2
- pop r29
- pop r28
- ret
- .size skinny_128_256_decrypt, .-skinny_128_256_decrypt
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-skinny128.c
deleted file mode 100644
index 579ced1..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-skinny128.c
+++ /dev/null
@@ -1,801 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-skinny128.h"
-#include "internal-skinnyutil.h"
-#include "internal-util.h"
-#include
-
-#if !defined(__AVR__)
-
-STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
-{
- /* This function is used to fast-forward the TK1 tweak value
- * to the value at the end of the key schedule for decryption.
- *
- * The tweak permutation repeats every 16 rounds, so SKINNY-128-256
- * with 48 rounds does not need any fast forwarding applied.
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds
- * are equivalent to applying the permutation 8 times:
- *
- * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12]
- */
- uint32_t row0 = tk[0];
- uint32_t row1 = tk[1];
- uint32_t row2 = tk[2];
- uint32_t row3 = tk[3];
- tk[0] = ((row1 >> 8) & 0x0000FFFFU) |
- ((row0 >> 8) & 0x00FF0000U) |
- ((row0 << 8) & 0xFF000000U);
- tk[1] = ((row1 >> 24) & 0x000000FFU) |
- ((row0 << 8) & 0x00FFFF00U) |
- ((row1 << 24) & 0xFF000000U);
- tk[2] = ((row3 >> 8) & 0x0000FFFFU) |
- ((row2 >> 8) & 0x00FF0000U) |
- ((row2 << 8) & 0xFF000000U);
- tk[3] = ((row3 >> 24) & 0x000000FFU) |
- ((row2 << 8) & 0x00FFFF00U) |
- ((row3 << 24) & 0xFF000000U);
-}
-
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
- memcpy(ks->TK3, key + 32, sizeof(ks->TK3));
-#else
- /* Set the initial states of TK1, TK2, and TK3 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Set up the key schedule using TK2 and TK3. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); - - /* Permute TK2 and TK3 for the next round */ - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - - /* Apply the LFSR's to TK2 and TK3 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } -#endif -} - -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_decrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t TK3[4]; - uint8_t rc = 0x15; -#else - const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1 */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 
+ 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Permute TK1 to fast-forward it to the end of the key schedule */ - skinny128_fast_forward_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_fast_forward_tk(TK2); - skinny128_fast_forward_tk(TK3); - for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { - // Also fast-forward the LFSR's on every byte of TK2 and TK3. - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR2(TK2[2]); - skinny128_LFSR2(TK2[3]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - skinny128_LFSR3(TK3[2]); - skinny128_LFSR3(TK3[3]); - } -#endif - - /* Perform all decryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Inverse permutation on TK1 for this round */ - skinny128_inv_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_inv_permute_tk(TK2); - skinny128_inv_permute_tk(TK3); - skinny128_LFSR3(TK2[2]); - skinny128_LFSR3(TK2[3]); - skinny128_LFSR2(TK3[2]); - skinny128_LFSR2(TK3[3]); -#endif - - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; - schedule -= 2; -#endif - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - 
le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK3[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); - TK2[0] = le_load_word32(tk2); - TK2[1] = le_load_word32(tk2 + 4); - TK2[2] = le_load_word32(tk2 + 8); - TK2[3] = le_load_word32(tk2 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK3[0] = le_load_word32(ks->TK3); - TK3[1] = le_load_word32(ks->TK3 + 4); - TK3[2] = le_load_word32(ks->TK3 + 8); - TK3[3] = le_load_word32(ks->TK3 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; - s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. 
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK3); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t TK3[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this 
round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) -{ -#if !SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; -#endif - -#if SKINNY_128_SMALL_SCHEDULE - /* Copy the input key as-is when using the small key schedule version */ - memcpy(ks->TK1, key, sizeof(ks->TK1)); - memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); -#else - /* Set the initial states of TK1 and TK2 */ - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Set up the key schedule using TK2. TK1 is not added - * to the key schedule because we will derive that part of the - * schedule during encryption operations */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. 
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ (rc >> 4); - - /* Permute TK2 for the next round */ - skinny128_permute_tk(TK2); - - /* Apply the LFSR to TK2 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } -#endif -} - -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1 */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which 
moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0x09; -#else - const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1. - * There is no need to fast-forward TK1 because the value at - * the end of the key schedule is the same as at the start */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { - // Also fast-forward the LFSR's on every byte of TK2. 
- skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR2(TK2[2]); - skinny128_LFSR2(TK2[3]); - } -#endif - - /* Perform all decryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Inverse permutation on TK1 for this round */ - skinny128_inv_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_inv_permute_tk(TK2); - skinny128_LFSR3(TK2[2]); - skinny128_LFSR3(TK2[3]); -#endif - - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; - schedule -= 2; -#endif - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] 
= le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -#else /* __AVR__ */ - -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2) -{ - memcpy(ks->TK2, tk2, 16); - skinny_128_384_encrypt(ks, output, input); -} - -#endif /* __AVR__ */ diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-skinny128.h deleted file mode 100644 index 2bfda3c..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-skinny128.h +++ /dev/null 
@@ -1,244 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SKINNY128_H -#define LW_INTERNAL_SKINNY128_H - -/** - * \file internal-skinny128.h - * \brief SKINNY-128 block cipher family. - * - * References: https://eprint.iacr.org/2016/660.pdf, - * https://sites.google.com/site/skinnycipher/ - */ - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \def SKINNY_128_SMALL_SCHEDULE - * \brief Defined to 1 to use the small key schedule version of SKINNY-128. - */ -#if defined(__AVR__) -#define SKINNY_128_SMALL_SCHEDULE 1 -#else -#define SKINNY_128_SMALL_SCHEDULE 0 -#endif - -/** - * \brief Size of a block for SKINNY-128 block ciphers. - */ -#define SKINNY_128_BLOCK_SIZE 16 - -/** - * \brief Number of rounds for SKINNY-128-384. 
- */ -#define SKINNY_128_384_ROUNDS 56 - -/** - * \brief Structure of the key schedule for SKINNY-128-384. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; - - /** TK3 for the small key schedule */ - uint8_t TK3[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_384_ROUNDS * 2]; -#endif - -} skinny_128_384_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - */ -void skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_encrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-384. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_384_decrypt - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly - * provided TK2 value. - * - * \param ks Points to the SKINNY-128-384 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. 
- * \param input Input buffer which must be at least 16 bytes in length. - * \param tk2 TK2 value that should be updated on the fly. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when both TK1 and TK2 change from block to block. - * When the key is initialized with skinny_128_384_init(), the TK2 part of - * the key value should be set to zero. - * - * \note Some versions of this function may modify the key schedule to - * copy tk2 into place. - */ -void skinny_128_384_encrypt_tk2 - (skinny_128_384_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, const unsigned char *tk2); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-384 and a - * fully specified tweakey value. - * - * \param key Points to the 384-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-384 but - * more memory-efficient. - */ -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input); - -/** - * \brief Number of rounds for SKINNY-128-256. - */ -#define SKINNY_128_256_ROUNDS 48 - -/** - * \brief Structure of the key schedule for SKINNY-128-256. - */ -typedef struct -{ - /** TK1 for the tweakable part of the key schedule */ - uint8_t TK1[16]; - -#if SKINNY_128_SMALL_SCHEDULE - /** TK2 for the small key schedule */ - uint8_t TK2[16]; -#else - /** Words of the full key schedule */ - uint32_t k[SKINNY_128_256_ROUNDS * 2]; -#endif - -} skinny_128_256_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to initialize. 
- * \param key Points to the key data. - */ -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-256. - * - * \param ks Points to the SKINNY-128-256 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-256 and a - * fully specified tweakey value. - * - * \param key Points to the 256-bit tweakey value. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version is useful when the entire tweakey changes from block to - * block. It is slower than the other versions of SKINNY-128-256 but - * more memory-efficient. - */ -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input); - -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-skinnyutil.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-skinnyutil.h
deleted file mode 100644
index 83136cb..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-skinnyutil.h
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNYUTIL_H
-#define LW_INTERNAL_SKINNYUTIL_H
-
-/**
- * \file internal-skinnyutil.h
- * \brief Utilities to help implement SKINNY and its variants.
- */ - -#include "internal-util.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/** @cond skinnyutil */ - -/* Utilities for implementing SKINNY-128 */ - -#define skinny128_LFSR2(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ - (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ - } while (0) - - -#define skinny128_LFSR3(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ - (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) -#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) - -#define skinny128_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint32_t row2 = tk[2]; \ - uint32_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 16) | (row3 >> 16); \ - tk[0] = ((row2 >> 8) & 0x000000FFU) | \ - ((row2 << 16) & 0x00FF0000U) | \ - ( row3 & 0xFF00FF00U); \ - tk[1] = ((row2 >> 16) & 0x000000FFU) | \ - (row2 & 0xFF000000U) | \ - ((row3 << 8) & 0x0000FF00U) | \ - ( row3 & 0x00FF0000U); \ - } while (0) - -#define skinny128_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint32_t row0 = tk[0]; \ - uint32_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 >> 16) & 0x000000FFU) | \ - ((row0 << 8) & 0x0000FF00U) | \ - ((row1 << 16) & 0x00FF0000U) | \ - ( row1 & 0xFF000000U); \ - tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ - ((row0 << 16) & 0xFF000000U) | \ - ((row1 >> 16) & 0x000000FFU) | \ - ((row1 << 8) & 0x00FF0000U); \ - } while (0) - -/* - * Apply the SKINNY sbox. 
The original version from the specification is - * equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE(x) - * ((((x) & 0x01010101U) << 2) | - * (((x) & 0x06060606U) << 5) | - * (((x) & 0x20202020U) >> 5) | - * (((x) & 0xC8C8C8C8U) >> 2) | - * (((x) & 0x10101010U) >> 1)) - * - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * return SBOX_SWAP(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ - y = (((x >> 5) & (x << 1)) & 0x04040404U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ - x = ((x & 0x08080808U) << 1) | \ - ((x & 0x32323232U) << 2) | \ - ((x & 0x01010101U) << 5) | \ - ((x & 0x80808080U) >> 6) | \ - ((x & 0x40404040U) >> 4) | \ - ((x & 0x04040404U) >> 2); \ -} while (0) - -/* - * Apply the inverse of the SKINNY sbox. 
The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE_INV(x) - * ((((x) & 0x08080808U) << 1) | - * (((x) & 0x32323232U) << 2) | - * (((x) & 0x01010101U) << 5) | - * (((x) & 0xC0C0C0C0U) >> 5) | - * (((x) & 0x04040404U) >> 2)) - * - * x = SBOX_SWAP(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_inv_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ - x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ - y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ - x = ((x & 0x01010101U) << 2) | \ - ((x & 0x04040404U) << 4) | \ - ((x & 0x02020202U) << 6) | \ - ((x & 0x20202020U) >> 5) | \ - ((x & 0xC8C8C8C8U) >> 2) | \ - ((x & 0x10101010U) >> 1); \ -} while (0) - -/* Utilities for implementing SKINNY-64 */ - -#define skinny64_LFSR2(x) \ - do { \ - uint16_t _x = (x); \ - (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ - } while (0) - -#define skinny64_LFSR3(x) \ - do { \ - uint16_t _x = (x); 
\ - (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) -#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) - -#define skinny64_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint16_t row2 = tk[2]; \ - uint16_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 8) | (row3 >> 8); \ - tk[0] = ((row2 << 4) & 0xF000U) | \ - ((row2 >> 8) & 0x00F0U) | \ - ( row3 & 0x0F0FU); \ - tk[1] = ((row2 << 8) & 0xF000U) | \ - ((row3 >> 4) & 0x0F00U) | \ - ( row3 & 0x00F0U) | \ - ( row2 & 0x000FU); \ - } while (0) - -#define skinny64_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint16_t row0 = tk[0]; \ - uint16_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 << 8) & 0xF000U) | \ - ((row0 >> 4) & 0x0F00U) | \ - ((row1 >> 8) & 0x00F0U) | \ - ( row1 & 0x000FU); \ - tk[3] = ((row1 << 8) & 0xF000U) | \ - ((row0 << 8) & 0x0F00U) | \ - ((row1 >> 4) & 0x00F0U) | \ - ((row0 >> 8) & 0x000FU); \ - } while (0) - -/* - * Apply the SKINNY-64 sbox. The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT(x) - * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_SHIFT steps to be performed with one final rotation. - * This reduces the number of required shift operations from 14 to 10. 
- *
- * We can further reduce the number of NOT operations from 4 to 2
- * using the technique from https://github.com/kste/skinny_avx to
- * convert NOR-XOR operations into AND-XOR operations by converting
- * the S-box into its NOT-inverse.
- */
-#define skinny64_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \
- x = ~x; \
- x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY-64 sbox. The original version
- * from the specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT_INV(x)
- * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * return SBOX_MIX(x);
- */
-#define skinny64_inv_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = ~x; \
- x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \
-} while (0)
-
-/** @endcond */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/skinny-aead.c
deleted file mode 100644
index 7558527..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/skinny-aead.c
+++ /dev/null
@@ -1,804 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */ - -#include "skinny-aead.h" -#include "internal-skinny128.h" -#include "internal-util.h" -#include - -aead_cipher_t const skinny_aead_m1_cipher = { - "SKINNY-AEAD-M1", - SKINNY_AEAD_KEY_SIZE, - SKINNY_AEAD_M1_NONCE_SIZE, - SKINNY_AEAD_M1_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - skinny_aead_m1_encrypt, - skinny_aead_m1_decrypt -}; - -aead_cipher_t const skinny_aead_m2_cipher = { - "SKINNY-AEAD-M2", - SKINNY_AEAD_KEY_SIZE, - SKINNY_AEAD_M2_NONCE_SIZE, - SKINNY_AEAD_M2_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - skinny_aead_m2_encrypt, - skinny_aead_m2_decrypt -}; - -aead_cipher_t const skinny_aead_m3_cipher = { - "SKINNY-AEAD-M3", - SKINNY_AEAD_KEY_SIZE, - SKINNY_AEAD_M3_NONCE_SIZE, - SKINNY_AEAD_M3_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - skinny_aead_m3_encrypt, - skinny_aead_m3_decrypt -}; - -aead_cipher_t const skinny_aead_m4_cipher = { - "SKINNY-AEAD-M4", - SKINNY_AEAD_KEY_SIZE, - SKINNY_AEAD_M4_NONCE_SIZE, - SKINNY_AEAD_M4_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - skinny_aead_m4_encrypt, - skinny_aead_m4_decrypt -}; - -aead_cipher_t const skinny_aead_m5_cipher = { - "SKINNY-AEAD-M5", - SKINNY_AEAD_KEY_SIZE, - SKINNY_AEAD_M5_NONCE_SIZE, - SKINNY_AEAD_M5_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - skinny_aead_m5_encrypt, - skinny_aead_m5_decrypt -}; - -aead_cipher_t const skinny_aead_m6_cipher = { - "SKINNY-AEAD-M6", - SKINNY_AEAD_KEY_SIZE, - SKINNY_AEAD_M6_NONCE_SIZE, - SKINNY_AEAD_M6_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - skinny_aead_m6_encrypt, - skinny_aead_m6_decrypt -}; - -/* Domain separator prefixes for all of the SKINNY-AEAD family members */ -#define DOMAIN_SEP_M1 0x00 -#define DOMAIN_SEP_M2 0x10 -#define DOMAIN_SEP_M3 0x08 -#define DOMAIN_SEP_M4 0x18 -#define DOMAIN_SEP_M5 0x10 -#define DOMAIN_SEP_M6 0x18 - -/** - * \brief Initialize the key and nonce for SKINNY-128-384 based AEAD schemes. - * - * \param ks The key schedule to initialize. - * \param key Points to the 16 bytes of the key. - * \param nonce Points to the nonce. 
- * \param nonce_len Length of the nonce in bytes. - */ -static void skinny_aead_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - const unsigned char *nonce, unsigned nonce_len) -{ - unsigned char k[48]; - memset(k, 0, 16); - memcpy(k + 16, nonce, nonce_len); - memset(k + 16 + nonce_len, 0, 16 - nonce_len); - memcpy(k + 32, key, 16); - skinny_128_384_init(ks, k); -} - -/** - * \brief Set the domain separation value in the tweak for SKINNY-128-384. - * - * \param ks Key schedule for the block cipher. - * \param d Domain separation value to write into the tweak. - */ -#define skinny_aead_128_384_set_domain(ks,d) ((ks)->TK1[15] = (d)) - -/** - * \brief Sets the LFSR field in the tweak for SKINNY-128-384. - * - * \param ks Key schedule for the block cipher. - * \param lfsr 64-bit LFSR value. - */ -#define skinny_aead_128_384_set_lfsr(ks,lfsr) le_store_word64((ks)->TK1, (lfsr)) - -/** - * \brief Updates the LFSR value for SKINNY-128-384. - * - * \param lfsr 64-bit LFSR value to be updated. - */ -#define skinny_aead_128_384_update_lfsr(lfsr) \ - do { \ - uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \ - (lfsr) = ((lfsr) << 1) ^ feedback; \ - } while (0) - -/** - * \brief Authenticates the associated data for a SKINNY-128-384 based AEAD. - * - * \param ks The key schedule to use. - * \param prefix Domain separation prefix for the family member. - * \param tag Final tag to XOR the authentication checksum into. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. 
- */ -static void skinny_aead_128_384_authenticate - (skinny_128_384_key_schedule_t *ks, unsigned char prefix, - unsigned char tag[SKINNY_128_BLOCK_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char block[SKINNY_128_BLOCK_SIZE]; - uint64_t lfsr = 1; - skinny_aead_128_384_set_domain(ks, prefix | 2); - while (adlen >= SKINNY_128_BLOCK_SIZE) { - skinny_aead_128_384_set_lfsr(ks, lfsr); - skinny_128_384_encrypt(ks, block, ad); - lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); - ad += SKINNY_128_BLOCK_SIZE; - adlen -= SKINNY_128_BLOCK_SIZE; - skinny_aead_128_384_update_lfsr(lfsr); - } - if (adlen > 0) { - unsigned temp = (unsigned)adlen; - skinny_aead_128_384_set_lfsr(ks, lfsr); - skinny_aead_128_384_set_domain(ks, prefix | 3); - memcpy(block, ad, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); - skinny_128_384_encrypt(ks, block, block); - lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); - } -} - -/** - * \brief Encrypts the plaintext for a SKINNY-128-384 based AEAD. - * - * \param ks The key schedule to use. - * \param prefix Domain separation prefix for the family member. - * \param sum Authenticated checksum over the plaintext. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the plaintext buffer. - * \param mlen Number of bytes of plaintext to be encrypted. 
- */ -static void skinny_aead_128_384_encrypt - (skinny_128_384_key_schedule_t *ks, unsigned char prefix, - unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, - const unsigned char *m, unsigned long long mlen) -{ - unsigned char block[SKINNY_128_BLOCK_SIZE]; - uint64_t lfsr = 1; - memset(sum, 0, SKINNY_128_BLOCK_SIZE); - skinny_aead_128_384_set_domain(ks, prefix | 0); - while (mlen >= SKINNY_128_BLOCK_SIZE) { - skinny_aead_128_384_set_lfsr(ks, lfsr); - lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); - skinny_128_384_encrypt(ks, c, m); - c += SKINNY_128_BLOCK_SIZE; - m += SKINNY_128_BLOCK_SIZE; - mlen -= SKINNY_128_BLOCK_SIZE; - skinny_aead_128_384_update_lfsr(lfsr); - } - skinny_aead_128_384_set_lfsr(ks, lfsr); - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - skinny_aead_128_384_set_domain(ks, prefix | 1); - lw_xor_block(sum, m, temp); - sum[temp] ^= 0x80; - memset(block, 0, SKINNY_128_BLOCK_SIZE); - skinny_128_384_encrypt(ks, block, block); - lw_xor_block_2_src(c, block, m, temp); - skinny_aead_128_384_update_lfsr(lfsr); - skinny_aead_128_384_set_lfsr(ks, lfsr); - skinny_aead_128_384_set_domain(ks, prefix | 5); - } else { - skinny_aead_128_384_set_domain(ks, prefix | 4); - } - skinny_128_384_encrypt(ks, sum, sum); -} - -/** - * \brief Decrypts the ciphertext for a SKINNY-128-384 based AEAD. - * - * \param ks The key schedule to use. - * \param prefix Domain separation prefix for the family member. - * \param sum Authenticated checksum over the plaintext. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the ciphertext buffer. - * \param mlen Number of bytes of ciphertext to be decrypted. 
- */ -static void skinny_aead_128_384_decrypt - (skinny_128_384_key_schedule_t *ks, unsigned char prefix, - unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, - const unsigned char *c, unsigned long long mlen) -{ - unsigned char block[SKINNY_128_BLOCK_SIZE]; - uint64_t lfsr = 1; - memset(sum, 0, SKINNY_128_BLOCK_SIZE); - skinny_aead_128_384_set_domain(ks, prefix | 0); - while (mlen >= SKINNY_128_BLOCK_SIZE) { - skinny_aead_128_384_set_lfsr(ks, lfsr); - skinny_128_384_decrypt(ks, m, c); - lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); - c += SKINNY_128_BLOCK_SIZE; - m += SKINNY_128_BLOCK_SIZE; - mlen -= SKINNY_128_BLOCK_SIZE; - skinny_aead_128_384_update_lfsr(lfsr); - } - skinny_aead_128_384_set_lfsr(ks, lfsr); - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - skinny_aead_128_384_set_domain(ks, prefix | 1); - memset(block, 0, SKINNY_128_BLOCK_SIZE); - skinny_128_384_encrypt(ks, block, block); - lw_xor_block_2_src(m, block, c, temp); - lw_xor_block(sum, m, temp); - sum[temp] ^= 0x80; - skinny_aead_128_384_update_lfsr(lfsr); - skinny_aead_128_384_set_lfsr(ks, lfsr); - skinny_aead_128_384_set_domain(ks, prefix | 5); - } else { - skinny_aead_128_384_set_domain(ks, prefix | 4); - } - skinny_128_384_encrypt(ks, sum, sum); -} - -int skinny_aead_m1_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SKINNY_AEAD_M1_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); - - /* Encrypt to plaintext to produce the ciphertext */ - skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M1, sum, c, m, mlen); - - /* Process the associated data */ - 
skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); - - /* Generate the authentication tag */ - memcpy(c + mlen, sum, SKINNY_AEAD_M1_TAG_SIZE); - return 0; -} - -int skinny_aead_m1_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SKINNY_AEAD_M1_TAG_SIZE) - return -1; - *mlen = clen - SKINNY_AEAD_M1_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE); - - /* Decrypt to ciphertext to produce the plaintext */ - skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M1, sum, m, c, *mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M1_TAG_SIZE); -} - -int skinny_aead_m2_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SKINNY_AEAD_M2_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); - - /* Encrypt to plaintext to produce the ciphertext */ - skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M2, sum, c, m, mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, 
adlen); - - /* Generate the authentication tag */ - memcpy(c + mlen, sum, SKINNY_AEAD_M2_TAG_SIZE); - return 0; -} - -int skinny_aead_m2_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SKINNY_AEAD_M2_TAG_SIZE) - return -1; - *mlen = clen - SKINNY_AEAD_M2_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE); - - /* Decrypt to ciphertext to produce the plaintext */ - skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M2, sum, m, c, *mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M2_TAG_SIZE); -} - -int skinny_aead_m3_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SKINNY_AEAD_M3_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); - - /* Encrypt to plaintext to produce the ciphertext */ - skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M3, sum, c, m, mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); - - /* Generate the authentication tag */ - memcpy(c + 
mlen, sum, SKINNY_AEAD_M3_TAG_SIZE); - return 0; -} - -int skinny_aead_m3_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SKINNY_AEAD_M3_TAG_SIZE) - return -1; - *mlen = clen - SKINNY_AEAD_M3_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE); - - /* Decrypt to ciphertext to produce the plaintext */ - skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M3, sum, m, c, *mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M3_TAG_SIZE); -} - -int skinny_aead_m4_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SKINNY_AEAD_M4_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); - - /* Encrypt to plaintext to produce the ciphertext */ - skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M4, sum, c, m, mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); - - /* Generate the authentication tag */ - memcpy(c + mlen, sum, SKINNY_AEAD_M4_TAG_SIZE); - return 0; -} - -int 
skinny_aead_m4_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_384_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SKINNY_AEAD_M4_TAG_SIZE) - return -1; - *mlen = clen - SKINNY_AEAD_M4_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE); - - /* Decrypt to ciphertext to produce the plaintext */ - skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M4, sum, m, c, *mlen); - - /* Process the associated data */ - skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M4_TAG_SIZE); -} - -/** - * \brief Initialize the key and nonce for SKINNY-128-256 based AEAD schemes. - * - * \param ks The key schedule to initialize. - * \param key Points to the 16 bytes of the key. - * \param nonce Points to the nonce. - * \param nonce_len Length of the nonce in bytes. - */ -static void skinny_aead_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - const unsigned char *nonce, unsigned nonce_len) -{ - unsigned char k[32]; - memset(k, 0, 16 - nonce_len); - memcpy(k + 16 - nonce_len, nonce, nonce_len); - memcpy(k + 16, key, 16); - skinny_128_256_init(ks, k); -} - -/** - * \brief Set the domain separation value in the tweak for SKINNY-128-256. - * - * \param ks Key schedule for the block cipher. - * \param d Domain separation value to write into the tweak. - */ -#define skinny_aead_128_256_set_domain(ks,d) ((ks)->TK1[3] = (d)) - -/** - * \brief Sets the LFSR field in the tweak for SKINNY-128-256. - * - * \param ks Key schedule for the block cipher. 
- * \param lfsr 24-bit LFSR value. - */ -#define skinny_aead_128_256_set_lfsr(ks,lfsr) \ - do { \ - (ks)->TK1[0] = (uint8_t)(lfsr); \ - (ks)->TK1[1] = (uint8_t)((lfsr) >> 8); \ - (ks)->TK1[2] = (uint8_t)((lfsr) >> 16); \ - } while (0) - -/** - * \brief Updates the LFSR value for SKINNY-128-256. - * - * \param lfsr 24-bit LFSR value to be updated. - */ -#define skinny_aead_128_256_update_lfsr(lfsr) \ - do { \ - uint32_t feedback = ((lfsr) & (((uint32_t)1) << 23)) ? 0x1B : 0x00; \ - (lfsr) = ((lfsr) << 1) ^ (feedback); \ - } while (0) - -/** - * \brief Authenticates the associated data for a SKINNY-128-256 based AEAD. - * - * \param ks The key schedule to use. - * \param prefix Domain separation prefix for the family member. - * \param tag Final tag to XOR the authentication checksum into. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. - */ -static void skinny_aead_128_256_authenticate - (skinny_128_256_key_schedule_t *ks, unsigned char prefix, - unsigned char tag[SKINNY_128_BLOCK_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - unsigned char block[SKINNY_128_BLOCK_SIZE]; - uint32_t lfsr = 1; - skinny_aead_128_256_set_domain(ks, prefix | 2); - while (adlen >= SKINNY_128_BLOCK_SIZE) { - skinny_aead_128_256_set_lfsr(ks, lfsr); - skinny_128_256_encrypt(ks, block, ad); - lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); - ad += SKINNY_128_BLOCK_SIZE; - adlen -= SKINNY_128_BLOCK_SIZE; - skinny_aead_128_256_update_lfsr(lfsr); - } - if (adlen > 0) { - unsigned temp = (unsigned)adlen; - skinny_aead_128_256_set_lfsr(ks, lfsr); - skinny_aead_128_256_set_domain(ks, prefix | 3); - memcpy(block, ad, temp); - block[temp] = 0x80; - memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1); - skinny_128_256_encrypt(ks, block, block); - lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE); - } -} - -/** - * \brief Encrypts the plaintext for a SKINNY-128-256 based AEAD. - * - * \param ks The key schedule to use. 
- * \param prefix Domain separation prefix for the family member. - * \param sum Authenticated checksum over the plaintext. - * \param c Points to the buffer to receive the ciphertext. - * \param m Points to the plaintext buffer. - * \param mlen Number of bytes of plaintext to be encrypted. - */ -static void skinny_aead_128_256_encrypt - (skinny_128_256_key_schedule_t *ks, unsigned char prefix, - unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c, - const unsigned char *m, unsigned long long mlen) -{ - unsigned char block[SKINNY_128_BLOCK_SIZE]; - uint32_t lfsr = 1; - memset(sum, 0, SKINNY_128_BLOCK_SIZE); - skinny_aead_128_256_set_domain(ks, prefix | 0); - while (mlen >= SKINNY_128_BLOCK_SIZE) { - skinny_aead_128_256_set_lfsr(ks, lfsr); - lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); - skinny_128_256_encrypt(ks, c, m); - c += SKINNY_128_BLOCK_SIZE; - m += SKINNY_128_BLOCK_SIZE; - mlen -= SKINNY_128_BLOCK_SIZE; - skinny_aead_128_256_update_lfsr(lfsr); - } - skinny_aead_128_256_set_lfsr(ks, lfsr); - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - skinny_aead_128_256_set_domain(ks, prefix | 1); - lw_xor_block(sum, m, temp); - sum[temp] ^= 0x80; - memset(block, 0, SKINNY_128_BLOCK_SIZE); - skinny_128_256_encrypt(ks, block, block); - lw_xor_block_2_src(c, block, m, temp); - skinny_aead_128_256_update_lfsr(lfsr); - skinny_aead_128_256_set_lfsr(ks, lfsr); - skinny_aead_128_256_set_domain(ks, prefix | 5); - } else { - skinny_aead_128_256_set_domain(ks, prefix | 4); - } - skinny_128_256_encrypt(ks, sum, sum); -} - -/** - * \brief Decrypts the ciphertext for a SKINNY-128-256 based AEAD. - * - * \param ks The key schedule to use. - * \param prefix Domain separation prefix for the family member. - * \param sum Authenticated checksum over the plaintext. - * \param m Points to the buffer to receive the plaintext. - * \param c Points to the ciphertext buffer. - * \param mlen Number of bytes of ciphertext to be decrypted. 
- */ -static void skinny_aead_128_256_decrypt - (skinny_128_256_key_schedule_t *ks, unsigned char prefix, - unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m, - const unsigned char *c, unsigned long long mlen) -{ - unsigned char block[SKINNY_128_BLOCK_SIZE]; - uint32_t lfsr = 1; - memset(sum, 0, SKINNY_128_BLOCK_SIZE); - skinny_aead_128_256_set_domain(ks, prefix | 0); - while (mlen >= SKINNY_128_BLOCK_SIZE) { - skinny_aead_128_256_set_lfsr(ks, lfsr); - skinny_128_256_decrypt(ks, m, c); - lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE); - c += SKINNY_128_BLOCK_SIZE; - m += SKINNY_128_BLOCK_SIZE; - mlen -= SKINNY_128_BLOCK_SIZE; - skinny_aead_128_256_update_lfsr(lfsr); - } - skinny_aead_128_256_set_lfsr(ks, lfsr); - if (mlen > 0) { - unsigned temp = (unsigned)mlen; - skinny_aead_128_256_set_domain(ks, prefix | 1); - memset(block, 0, SKINNY_128_BLOCK_SIZE); - skinny_128_256_encrypt(ks, block, block); - lw_xor_block_2_src(m, block, c, temp); - lw_xor_block(sum, m, temp); - sum[temp] ^= 0x80; - skinny_aead_128_256_update_lfsr(lfsr); - skinny_aead_128_256_set_lfsr(ks, lfsr); - skinny_aead_128_256_set_domain(ks, prefix | 5); - } else { - skinny_aead_128_256_set_domain(ks, prefix | 4); - } - skinny_128_256_encrypt(ks, sum, sum); -} - -int skinny_aead_m5_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SKINNY_AEAD_M5_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); - - /* Encrypt to plaintext to produce the ciphertext */ - skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M5, sum, c, m, mlen); - - /* Process the associated data */ - 
skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); - - /* Generate the authentication tag */ - memcpy(c + mlen, sum, SKINNY_AEAD_M5_TAG_SIZE); - return 0; -} - -int skinny_aead_m5_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SKINNY_AEAD_M5_TAG_SIZE) - return -1; - *mlen = clen - SKINNY_AEAD_M5_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE); - - /* Decrypt to ciphertext to produce the plaintext */ - skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M5, sum, m, c, *mlen); - - /* Process the associated data */ - skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M5_TAG_SIZE); -} - -int skinny_aead_m6_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SKINNY_AEAD_M6_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); - - /* Encrypt to plaintext to produce the ciphertext */ - skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M6, sum, c, m, mlen); - - /* Process the associated data */ - skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, 
adlen); - - /* Generate the authentication tag */ - memcpy(c + mlen, sum, SKINNY_AEAD_M6_TAG_SIZE); - return 0; -} - -int skinny_aead_m6_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - skinny_128_256_key_schedule_t ks; - unsigned char sum[SKINNY_128_BLOCK_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SKINNY_AEAD_M6_TAG_SIZE) - return -1; - *mlen = clen - SKINNY_AEAD_M6_TAG_SIZE; - - /* Set up the key schedule with the key and the nonce */ - skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE); - - /* Decrypt to ciphertext to produce the plaintext */ - skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M6, sum, m, c, *mlen); - - /* Process the associated data */ - skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M6_TAG_SIZE); -} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/skinny-aead.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/skinny-aead.h deleted file mode 100644 index c6b54fb..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys-avr/skinny-aead.h +++ /dev/null 
@@ -1,518 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SKINNY_AEAD_H
-#define LWCRYPTO_SKINNY_AEAD_H
-
-#include "aead-common.h"
-
-/**
- * \file skinny-aead.h
- * \brief Authenticated encryption based on the SKINNY block cipher.
- *
- * SKINNY-AEAD is a family of authenticated encryption algorithms
- * that are built around the SKINNY tweakable block cipher. There
- * are six members in the family:
- *
- * \li SKINNY-AEAD-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher. This is the
- * primary member of the family.
- * \li SKINNY-AEAD-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M3 has a 128-bit key, a 128-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M4 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M5 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- * \li SKINNY-AEAD-M6 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- *
- * The SKINNY-AEAD family also includes two hash algorithms:
- *
- * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the
- * SKINNY-128-384 tweakable block cipher. This is the primary hashing
- * member of the family.
- * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the
- * SKINNY-128-256 tweakable block cipher.
- *
- * References: https://sites.google.com/site/skinnycipher/home
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for all SKINNY-AEAD family members.
- */
-#define SKINNY_AEAD_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M1.
- */
-#define SKINNY_AEAD_M1_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M1.
- */
-#define SKINNY_AEAD_M1_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M2.
- */
-#define SKINNY_AEAD_M2_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M2.
- */
-#define SKINNY_AEAD_M2_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M3.
- */
-#define SKINNY_AEAD_M3_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M3.
- */
-#define SKINNY_AEAD_M3_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M4.
- */
-#define SKINNY_AEAD_M4_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M4.
- */
-#define SKINNY_AEAD_M4_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M5.
- */
-#define SKINNY_AEAD_M5_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M5.
- */
-#define SKINNY_AEAD_M5_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M6.
- */
-#define SKINNY_AEAD_M6_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M6.
- */
-#define SKINNY_AEAD_M6_NONCE_SIZE 12
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M1 cipher.
- */
-extern aead_cipher_t const skinny_aead_m1_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M2 cipher.
- */
-extern aead_cipher_t const skinny_aead_m2_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M3 cipher.
- */
-extern aead_cipher_t const skinny_aead_m3_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M4 cipher.
- */
-extern aead_cipher_t const skinny_aead_m4_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M5 cipher.
- */
-extern aead_cipher_t const skinny_aead_m5_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M6 cipher.
- */
-extern aead_cipher_t const skinny_aead_m6_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M1.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m1_decrypt()
- */
-int skinny_aead_m1_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M1.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m1_encrypt()
- */
-int skinny_aead_m1_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M2.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m2_decrypt()
- */
-int skinny_aead_m2_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M2.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m2_encrypt()
- */
-int skinny_aead_m2_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M3.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m3_decrypt()
- */
-int skinny_aead_m3_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M3.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m3_encrypt()
- */
-int skinny_aead_m3_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M4.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m4_decrypt()
- */
-int skinny_aead_m4_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M4.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m4_encrypt()
- */
-int skinny_aead_m4_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M5.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m5_decrypt()
- */
-int skinny_aead_m5_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M5.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m5_encrypt()
- */
-int skinny_aead_m5_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M6.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m6_decrypt()
- */
-int skinny_aead_m6_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M6.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m6_encrypt()
- */
-int skinny_aead_m6_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128-avr.S b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128-avr.S
new file mode 100644
index 0000000..d342cd5
--- /dev/null
+++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128-avr.S
@@ -0,0 +1,10099 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 256 +table_0: + .byte 101 + .byte 76 + .byte 106 + .byte 66 + .byte 75 + .byte 99 + .byte 67 + .byte 107 + .byte 85 + .byte 117 + .byte 90 + .byte 122 + .byte 83 + .byte 115 + .byte 91 + .byte 123 + .byte 53 + .byte 140 + .byte 58 + .byte 129 + .byte 137 + .byte 51 + .byte 128 + .byte 59 + .byte 149 + .byte 37 + .byte 152 + .byte 42 + .byte 144 + .byte 35 + .byte 153 + .byte 43 + .byte 229 + .byte 204 + .byte 232 + .byte 193 + .byte 201 + .byte 224 + .byte 192 + .byte 233 + .byte 213 + .byte 245 + .byte 216 + .byte 248 + .byte 208 + .byte 240 + .byte 217 + .byte 249 + .byte 165 + .byte 28 + .byte 168 + .byte 18 + .byte 27 + .byte 160 + .byte 19 + .byte 169 + .byte 5 + .byte 181 + .byte 10 + .byte 184 + .byte 3 + .byte 176 + .byte 11 + .byte 185 + .byte 50 + .byte 136 + .byte 60 + .byte 133 + .byte 141 + .byte 52 + .byte 132 + .byte 61 + .byte 145 + .byte 34 + .byte 156 + .byte 44 + .byte 148 + .byte 36 + .byte 157 + .byte 45 + .byte 98 + .byte 74 + .byte 108 + .byte 69 + .byte 77 + .byte 100 + .byte 68 + .byte 109 + .byte 82 + .byte 114 + .byte 92 + .byte 124 + .byte 84 + .byte 116 + .byte 93 + .byte 125 + .byte 161 + .byte 26 + .byte 172 + .byte 21 + .byte 29 + .byte 164 + .byte 20 + .byte 173 + .byte 2 + .byte 177 + .byte 12 + .byte 188 + .byte 4 + .byte 180 + .byte 13 + .byte 189 + .byte 225 + .byte 200 + .byte 236 + .byte 197 + .byte 205 + .byte 228 + .byte 196 + .byte 237 + .byte 209 + .byte 241 + .byte 220 + .byte 252 + .byte 212 + .byte 244 + .byte 221 + .byte 253 + .byte 54 + .byte 142 + .byte 56 + .byte 130 + .byte 139 + .byte 48 + .byte 131 + .byte 57 + .byte 150 + .byte 38 + .byte 154 + .byte 40 + .byte 147 + .byte 32 + .byte 155 + .byte 41 + .byte 102 + .byte 78 + .byte 104 + .byte 65 + .byte 73 + .byte 96 + .byte 64 + .byte 105 + .byte 86 + .byte 118 + .byte 88 + 
.byte 120 + .byte 80 + .byte 112 + .byte 89 + .byte 121 + .byte 166 + .byte 30 + .byte 170 + .byte 17 + .byte 25 + .byte 163 + .byte 16 + .byte 171 + .byte 6 + .byte 182 + .byte 8 + .byte 186 + .byte 0 + .byte 179 + .byte 9 + .byte 187 + .byte 230 + .byte 206 + .byte 234 + .byte 194 + .byte 203 + .byte 227 + .byte 195 + .byte 235 + .byte 214 + .byte 246 + .byte 218 + .byte 250 + .byte 211 + .byte 243 + .byte 219 + .byte 251 + .byte 49 + .byte 138 + .byte 62 + .byte 134 + .byte 143 + .byte 55 + .byte 135 + .byte 63 + .byte 146 + .byte 33 + .byte 158 + .byte 46 + .byte 151 + .byte 39 + .byte 159 + .byte 47 + .byte 97 + .byte 72 + .byte 110 + .byte 70 + .byte 79 + .byte 103 + .byte 71 + .byte 111 + .byte 81 + .byte 113 + .byte 94 + .byte 126 + .byte 87 + .byte 119 + .byte 95 + .byte 127 + .byte 162 + .byte 24 + .byte 174 + .byte 22 + .byte 31 + .byte 167 + .byte 23 + .byte 175 + .byte 1 + .byte 178 + .byte 14 + .byte 190 + .byte 7 + .byte 183 + .byte 15 + .byte 191 + .byte 226 + .byte 202 + .byte 238 + .byte 198 + .byte 207 + .byte 231 + .byte 199 + .byte 239 + .byte 210 + .byte 242 + .byte 222 + .byte 254 + .byte 215 + .byte 247 + .byte 223 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 256 +table_1: + .byte 172 + .byte 232 + .byte 104 + .byte 60 + .byte 108 + .byte 56 + .byte 168 + .byte 236 + .byte 170 + .byte 174 + .byte 58 + .byte 62 + .byte 106 + .byte 110 + .byte 234 + .byte 238 + .byte 166 + .byte 163 + .byte 51 + .byte 54 + .byte 102 + .byte 99 + .byte 227 + .byte 230 + .byte 225 + .byte 164 + .byte 97 + .byte 52 + .byte 49 + .byte 100 + .byte 161 + .byte 228 + .byte 141 + .byte 201 + .byte 73 + .byte 29 + .byte 77 + .byte 25 + .byte 137 + .byte 205 + .byte 139 + .byte 143 + .byte 27 + .byte 31 + .byte 75 + .byte 79 + .byte 203 + .byte 207 + .byte 133 + .byte 192 + .byte 64 + .byte 21 + .byte 69 + .byte 16 + .byte 128 + .byte 197 + .byte 130 + .byte 135 + .byte 18 + .byte 23 + .byte 66 + .byte 71 + 
.byte 194 + .byte 199 + .byte 150 + .byte 147 + .byte 3 + .byte 6 + .byte 86 + .byte 83 + .byte 211 + .byte 214 + .byte 209 + .byte 148 + .byte 81 + .byte 4 + .byte 1 + .byte 84 + .byte 145 + .byte 212 + .byte 156 + .byte 216 + .byte 88 + .byte 12 + .byte 92 + .byte 8 + .byte 152 + .byte 220 + .byte 154 + .byte 158 + .byte 10 + .byte 14 + .byte 90 + .byte 94 + .byte 218 + .byte 222 + .byte 149 + .byte 208 + .byte 80 + .byte 5 + .byte 85 + .byte 0 + .byte 144 + .byte 213 + .byte 146 + .byte 151 + .byte 2 + .byte 7 + .byte 82 + .byte 87 + .byte 210 + .byte 215 + .byte 157 + .byte 217 + .byte 89 + .byte 13 + .byte 93 + .byte 9 + .byte 153 + .byte 221 + .byte 155 + .byte 159 + .byte 11 + .byte 15 + .byte 91 + .byte 95 + .byte 219 + .byte 223 + .byte 22 + .byte 19 + .byte 131 + .byte 134 + .byte 70 + .byte 67 + .byte 195 + .byte 198 + .byte 65 + .byte 20 + .byte 193 + .byte 132 + .byte 17 + .byte 68 + .byte 129 + .byte 196 + .byte 28 + .byte 72 + .byte 200 + .byte 140 + .byte 76 + .byte 24 + .byte 136 + .byte 204 + .byte 26 + .byte 30 + .byte 138 + .byte 142 + .byte 74 + .byte 78 + .byte 202 + .byte 206 + .byte 53 + .byte 96 + .byte 224 + .byte 165 + .byte 101 + .byte 48 + .byte 160 + .byte 229 + .byte 50 + .byte 55 + .byte 162 + .byte 167 + .byte 98 + .byte 103 + .byte 226 + .byte 231 + .byte 61 + .byte 105 + .byte 233 + .byte 173 + .byte 109 + .byte 57 + .byte 169 + .byte 237 + .byte 59 + .byte 63 + .byte 171 + .byte 175 + .byte 107 + .byte 111 + .byte 235 + .byte 239 + .byte 38 + .byte 35 + .byte 179 + .byte 182 + .byte 118 + .byte 115 + .byte 243 + .byte 246 + .byte 113 + .byte 36 + .byte 241 + .byte 180 + .byte 33 + .byte 116 + .byte 177 + .byte 244 + .byte 44 + .byte 120 + .byte 248 + .byte 188 + .byte 124 + .byte 40 + .byte 184 + .byte 252 + .byte 42 + .byte 46 + .byte 186 + .byte 190 + .byte 122 + .byte 126 + .byte 250 + .byte 254 + .byte 37 + .byte 112 + .byte 240 + .byte 181 + .byte 117 + .byte 32 + .byte 176 + .byte 245 + .byte 34 + .byte 39 + .byte 178 + 
.byte 183 + .byte 114 + .byte 119 + .byte 242 + .byte 247 + .byte 45 + .byte 121 + .byte 249 + .byte 189 + .byte 125 + .byte 41 + .byte 185 + .byte 253 + .byte 43 + .byte 47 + .byte 187 + .byte 191 + .byte 123 + .byte 127 + .byte 251 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_2, @object + .size table_2, 256 +table_2: + .byte 0 + .byte 2 + .byte 4 + .byte 6 + .byte 8 + .byte 10 + .byte 12 + .byte 14 + .byte 16 + .byte 18 + .byte 20 + .byte 22 + .byte 24 + .byte 26 + .byte 28 + .byte 30 + .byte 32 + .byte 34 + .byte 36 + .byte 38 + .byte 40 + .byte 42 + .byte 44 + .byte 46 + .byte 48 + .byte 50 + .byte 52 + .byte 54 + .byte 56 + .byte 58 + .byte 60 + .byte 62 + .byte 65 + .byte 67 + .byte 69 + .byte 71 + .byte 73 + .byte 75 + .byte 77 + .byte 79 + .byte 81 + .byte 83 + .byte 85 + .byte 87 + .byte 89 + .byte 91 + .byte 93 + .byte 95 + .byte 97 + .byte 99 + .byte 101 + .byte 103 + .byte 105 + .byte 107 + .byte 109 + .byte 111 + .byte 113 + .byte 115 + .byte 117 + .byte 119 + .byte 121 + .byte 123 + .byte 125 + .byte 127 + .byte 128 + .byte 130 + .byte 132 + .byte 134 + .byte 136 + .byte 138 + .byte 140 + .byte 142 + .byte 144 + .byte 146 + .byte 148 + .byte 150 + .byte 152 + .byte 154 + .byte 156 + .byte 158 + .byte 160 + .byte 162 + .byte 164 + .byte 166 + .byte 168 + .byte 170 + .byte 172 + .byte 174 + .byte 176 + .byte 178 + .byte 180 + .byte 182 + .byte 184 + .byte 186 + .byte 188 + .byte 190 + .byte 193 + .byte 195 + .byte 197 + .byte 199 + .byte 201 + .byte 203 + .byte 205 + .byte 207 + .byte 209 + .byte 211 + .byte 213 + .byte 215 + .byte 217 + .byte 219 + .byte 221 + .byte 223 + .byte 225 + .byte 227 + .byte 229 + .byte 231 + .byte 233 + .byte 235 + .byte 237 + .byte 239 + .byte 241 + .byte 243 + .byte 245 + .byte 247 + .byte 249 + .byte 251 + .byte 253 + .byte 255 + .byte 1 + .byte 3 + .byte 5 + .byte 7 + .byte 9 + .byte 11 + .byte 13 + .byte 15 + .byte 17 + .byte 19 + .byte 21 + .byte 23 + .byte 25 + .byte 27 + .byte 29 + 
.byte 31 + .byte 33 + .byte 35 + .byte 37 + .byte 39 + .byte 41 + .byte 43 + .byte 45 + .byte 47 + .byte 49 + .byte 51 + .byte 53 + .byte 55 + .byte 57 + .byte 59 + .byte 61 + .byte 63 + .byte 64 + .byte 66 + .byte 68 + .byte 70 + .byte 72 + .byte 74 + .byte 76 + .byte 78 + .byte 80 + .byte 82 + .byte 84 + .byte 86 + .byte 88 + .byte 90 + .byte 92 + .byte 94 + .byte 96 + .byte 98 + .byte 100 + .byte 102 + .byte 104 + .byte 106 + .byte 108 + .byte 110 + .byte 112 + .byte 114 + .byte 116 + .byte 118 + .byte 120 + .byte 122 + .byte 124 + .byte 126 + .byte 129 + .byte 131 + .byte 133 + .byte 135 + .byte 137 + .byte 139 + .byte 141 + .byte 143 + .byte 145 + .byte 147 + .byte 149 + .byte 151 + .byte 153 + .byte 155 + .byte 157 + .byte 159 + .byte 161 + .byte 163 + .byte 165 + .byte 167 + .byte 169 + .byte 171 + .byte 173 + .byte 175 + .byte 177 + .byte 179 + .byte 181 + .byte 183 + .byte 185 + .byte 187 + .byte 189 + .byte 191 + .byte 192 + .byte 194 + .byte 196 + .byte 198 + .byte 200 + .byte 202 + .byte 204 + .byte 206 + .byte 208 + .byte 210 + .byte 212 + .byte 214 + .byte 216 + .byte 218 + .byte 220 + .byte 222 + .byte 224 + .byte 226 + .byte 228 + .byte 230 + .byte 232 + .byte 234 + .byte 236 + .byte 238 + .byte 240 + .byte 242 + .byte 244 + .byte 246 + .byte 248 + .byte 250 + .byte 252 + .byte 254 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_3, @object + .size table_3, 256 +table_3: + .byte 0 + .byte 128 + .byte 1 + .byte 129 + .byte 2 + .byte 130 + .byte 3 + .byte 131 + .byte 4 + .byte 132 + .byte 5 + .byte 133 + .byte 6 + .byte 134 + .byte 7 + .byte 135 + .byte 8 + .byte 136 + .byte 9 + .byte 137 + .byte 10 + .byte 138 + .byte 11 + .byte 139 + .byte 12 + .byte 140 + .byte 13 + .byte 141 + .byte 14 + .byte 142 + .byte 15 + .byte 143 + .byte 16 + .byte 144 + .byte 17 + .byte 145 + .byte 18 + .byte 146 + .byte 19 + .byte 147 + .byte 20 + .byte 148 + .byte 21 + .byte 149 + .byte 22 + .byte 150 + .byte 23 + .byte 151 + .byte 24 + .byte 152 + 
.byte 25 + .byte 153 + .byte 26 + .byte 154 + .byte 27 + .byte 155 + .byte 28 + .byte 156 + .byte 29 + .byte 157 + .byte 30 + .byte 158 + .byte 31 + .byte 159 + .byte 160 + .byte 32 + .byte 161 + .byte 33 + .byte 162 + .byte 34 + .byte 163 + .byte 35 + .byte 164 + .byte 36 + .byte 165 + .byte 37 + .byte 166 + .byte 38 + .byte 167 + .byte 39 + .byte 168 + .byte 40 + .byte 169 + .byte 41 + .byte 170 + .byte 42 + .byte 171 + .byte 43 + .byte 172 + .byte 44 + .byte 173 + .byte 45 + .byte 174 + .byte 46 + .byte 175 + .byte 47 + .byte 176 + .byte 48 + .byte 177 + .byte 49 + .byte 178 + .byte 50 + .byte 179 + .byte 51 + .byte 180 + .byte 52 + .byte 181 + .byte 53 + .byte 182 + .byte 54 + .byte 183 + .byte 55 + .byte 184 + .byte 56 + .byte 185 + .byte 57 + .byte 186 + .byte 58 + .byte 187 + .byte 59 + .byte 188 + .byte 60 + .byte 189 + .byte 61 + .byte 190 + .byte 62 + .byte 191 + .byte 63 + .byte 64 + .byte 192 + .byte 65 + .byte 193 + .byte 66 + .byte 194 + .byte 67 + .byte 195 + .byte 68 + .byte 196 + .byte 69 + .byte 197 + .byte 70 + .byte 198 + .byte 71 + .byte 199 + .byte 72 + .byte 200 + .byte 73 + .byte 201 + .byte 74 + .byte 202 + .byte 75 + .byte 203 + .byte 76 + .byte 204 + .byte 77 + .byte 205 + .byte 78 + .byte 206 + .byte 79 + .byte 207 + .byte 80 + .byte 208 + .byte 81 + .byte 209 + .byte 82 + .byte 210 + .byte 83 + .byte 211 + .byte 84 + .byte 212 + .byte 85 + .byte 213 + .byte 86 + .byte 214 + .byte 87 + .byte 215 + .byte 88 + .byte 216 + .byte 89 + .byte 217 + .byte 90 + .byte 218 + .byte 91 + .byte 219 + .byte 92 + .byte 220 + .byte 93 + .byte 221 + .byte 94 + .byte 222 + .byte 95 + .byte 223 + .byte 224 + .byte 96 + .byte 225 + .byte 97 + .byte 226 + .byte 98 + .byte 227 + .byte 99 + .byte 228 + .byte 100 + .byte 229 + .byte 101 + .byte 230 + .byte 102 + .byte 231 + .byte 103 + .byte 232 + .byte 104 + .byte 233 + .byte 105 + .byte 234 + .byte 106 + .byte 235 + .byte 107 + .byte 236 + .byte 108 + .byte 237 + .byte 109 + .byte 238 + .byte 110 + .byte 239 
+ .byte 111 + .byte 240 + .byte 112 + .byte 241 + .byte 113 + .byte 242 + .byte 114 + .byte 243 + .byte 115 + .byte 244 + .byte 116 + .byte 245 + .byte 117 + .byte 246 + .byte 118 + .byte 247 + .byte 119 + .byte 248 + .byte 120 + .byte 249 + .byte 121 + .byte 250 + .byte 122 + .byte 251 + .byte 123 + .byte 252 + .byte 124 + .byte 253 + .byte 125 + .byte 254 + .byte 126 + .byte 255 + .byte 127 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_4, @object + .size table_4, 112 +table_4: + .byte 1 + .byte 0 + .byte 3 + .byte 0 + .byte 7 + .byte 0 + .byte 15 + .byte 0 + .byte 15 + .byte 1 + .byte 14 + .byte 3 + .byte 13 + .byte 3 + .byte 11 + .byte 3 + .byte 7 + .byte 3 + .byte 15 + .byte 2 + .byte 14 + .byte 1 + .byte 12 + .byte 3 + .byte 9 + .byte 3 + .byte 3 + .byte 3 + .byte 7 + .byte 2 + .byte 14 + .byte 0 + .byte 13 + .byte 1 + .byte 10 + .byte 3 + .byte 5 + .byte 3 + .byte 11 + .byte 2 + .byte 6 + .byte 1 + .byte 12 + .byte 2 + .byte 8 + .byte 1 + .byte 0 + .byte 3 + .byte 1 + .byte 2 + .byte 2 + .byte 0 + .byte 5 + .byte 0 + .byte 11 + .byte 0 + .byte 7 + .byte 1 + .byte 14 + .byte 2 + .byte 12 + .byte 1 + .byte 8 + .byte 3 + .byte 1 + .byte 3 + .byte 3 + .byte 2 + .byte 6 + .byte 0 + .byte 13 + .byte 0 + .byte 11 + .byte 1 + .byte 6 + .byte 3 + .byte 13 + .byte 2 + .byte 10 + .byte 1 + .byte 4 + .byte 3 + .byte 9 + .byte 2 + .byte 2 + .byte 1 + .byte 4 + .byte 2 + .byte 8 + .byte 0 + .byte 1 + .byte 1 + .byte 2 + .byte 2 + .byte 4 + .byte 0 + .byte 9 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 2 + .byte 12 + .byte 0 + .byte 9 + .byte 1 + .byte 2 + .byte 3 + .byte 5 + .byte 2 + .byte 10 + .byte 0 + + .text +.global skinny_128_384_init + .type skinny_128_384_init, @function +skinny_128_384_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,12 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_384_init, .-skinny_128_384_init + + .text 
+.global skinny_128_384_encrypt + .type skinny_128_384_encrypt, @function +skinny_128_384_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + std Y+33,r18 + std Y+34,r19 + std Y+35,r20 + std Y+36,r21 + ldd r18,Z+36 + ldd r19,Z+37 + ldd r20,Z+38 + ldd r21,Z+39 + std Y+37,r18 + std Y+38,r19 + std Y+39,r20 + std Y+40,r21 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + std Y+41,r18 + std Y+42,r19 + std Y+43,r20 + std Y+44,r21 + ldd r18,Z+44 + ldd r19,Z+45 + ldd r20,Z+46 + ldd r21,Z+47 + std Y+45,r18 + std Y+46,r19 + std Y+47,r20 + std Y+48,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld 
r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +114: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z 
+#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + 
eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z 
+#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std 
Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + 
mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor 
r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 
+#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + 
ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + ldd r0,Y+40 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov 
r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if 
defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld 
r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov 
r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,112 + brne 5721f + rjmp 790f +5721: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + 
lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + 
out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 114b +790: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_encrypt, .-skinny_128_384_encrypt + +.global skinny_128_384_encrypt_tk_full + .set skinny_128_384_encrypt_tk_full,skinny_128_384_encrypt + + .text +.global skinny_128_384_decrypt + .type skinny_128_384_decrypt, @function +skinny_128_384_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r23 + std Y+2,r2 + std Y+3,r21 + std Y+4,r20 + std Y+5,r3 + std Y+6,r18 + std Y+7,r19 + std Y+8,r22 + std Y+9,r9 + std Y+10,r10 + std Y+11,r7 + std Y+12,r6 + std Y+13,r11 + std Y+14,r4 + std Y+15,r5 + std Y+16,r8 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r23 + std Y+18,r2 + std Y+19,r21 + std Y+20,r20 + std Y+21,r3 + std Y+22,r18 + std 
Y+23,r19 + std Y+24,r22 + std Y+25,r9 + std Y+26,r10 + std Y+27,r7 + std Y+28,r6 + std Y+29,r11 + std Y+30,r4 + std Y+31,r5 + std Y+32,r8 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + ldd r22,Z+36 + ldd r23,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+33,r23 + std Y+34,r2 + std Y+35,r21 + std Y+36,r20 + std Y+37,r3 + std Y+38,r18 + std Y+39,r19 + std Y+40,r22 + std Y+41,r9 + std Y+42,r10 + std Y+43,r7 + std Y+44,r6 + std Y+45,r11 + std Y+46,r4 + std Y+47,r5 + std Y+48,r8 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,28 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +122: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 122b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,28 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +150: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif 
defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 150b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,28 + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 +179: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 179b + std Y+33,r12 + std Y+34,r13 + std Y+35,r14 + std Y+36,r15 + std Y+37,r24 + std Y+38,r25 + std Y+39,r16 + std Y+40,r17 + ldi r26,28 + ldd r12,Y+41 + ldd r13,Y+42 + 
ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 +207: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 207b + std Y+41,r12 + std Y+42,r13 + std Y+43,r14 + std Y+44,r15 + std Y+45,r24 + std Y+46,r25 + std Y+47,r16 + std Y+48,r17 + ldi r26,112 +227: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 
+#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd 
r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif 
defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + 
ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm 
r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + 
ldd r0,Y+40 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov 
r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm 
r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + 
mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) 
+#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z 
+#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out 
_SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif 
defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + breq 903f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 227b +903: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_decrypt, .-skinny_128_384_decrypt + + .text +.global 
skinny_128_256_init + .type skinny_128_256_init, @function +skinny_128_256_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,8 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_256_init, .-skinny_128_256_init + + .text +.global skinny_128_256_encrypt + .type skinny_128_256_encrypt, @function +skinny_128_256_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi 
r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +82: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + 
eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 
+ std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + 
elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor 
r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std 
Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm 
r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor 
r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + 
std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if 
defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + 
eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,96 + breq 594f + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std 
Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 82b +594: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_encrypt, .-skinny_128_256_encrypt + +.global skinny_128_256_encrypt_tk_full + .set skinny_128_256_encrypt_tk_full,skinny_128_256_encrypt + + .text +.global skinny_128_256_decrypt + .type skinny_128_256_decrypt, @function +skinny_128_256_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + std Y+5,r22 + std Y+6,r23 + std Y+7,r2 + std Y+8,r3 + std Y+9,r4 + std Y+10,r5 + std Y+11,r6 + std Y+12,r7 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd 
r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + std Y+21,r22 + std Y+22,r23 + std Y+23,r2 + std Y+24,r3 + std Y+25,r4 + std Y+26,r5 + std Y+27,r6 + std Y+28,r7 + std Y+29,r8 + std Y+30,r9 + std Y+31,r10 + std Y+32,r11 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,24 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +90: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if 
defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 90b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,24 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +118: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 118b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + 
out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,96 +139: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + 
eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + 
ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor 
r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + 
elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if 
defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor 
r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 
+#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi 
r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + 
mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + 
breq 651f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 139b +651: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_decrypt, .-skinny_128_256_decrypt + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.c index 65ba4ed..579ced1 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.c +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.c @@ -25,6 +25,8 @@ #include "internal-util.h" #include +#if !defined(__AVR__) + STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) { /* This function is used to fast-forward the TK1 tweak value 
@@ -55,42 +57,33 @@ STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) ((row3 << 24) & 0xFF000000U); } -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t TK3[4]; uint32_t *schedule; unsigned round; uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || (key_len != 32 && key_len != 48)) - return 0; - +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); + memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); +#else /* Set the initial states of TK1, TK2, and TK3 */ - if (key_len == 32) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - TK3[0] = le_load_word32(key + 16); - TK3[1] = le_load_word32(key + 20); - TK3[2] = le_load_word32(key + 24); - TK3[3] = le_load_word32(key + 28); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); /* Set up the key schedule using TK2 and TK3. TK1 is not added * to the key schedule because we will derive that part of the 
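Review bot: The two adjacent conditional blocks at the top of the rewritten `skinny_128_384_init` — `#if !SKINNY_128_SMALL_SCHEDULE` around the locals and then `#if SKINNY_128_SMALL_SCHEDULE` around the memcpy path — read as two unrelated switches on the same macro; a single `#if SKINNY_128_SMALL_SCHEDULE … #else … #endif` with the locals declared at the top of the `#else` arm would keep the two variants visibly paired. The old `key_len` validation and its `return 0` are also gone, so a NULL `ks` or `key` is now plain undefined behaviour rather than a reported error, and nothing in the .c file records the layout the code assumes. A one-line comment above the first memcpy, `/* key is TK1 || TK2 || TK3, 16 bytes each; callers guarantee 48 bytes */`, would state the contract the removed check used to enforce. The function's body continues past the end of the hunk.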
@@ -116,20 +109,7 @@ int skinny_128_384_init skinny128_LFSR3(TK3[0]); skinny128_LFSR3(TK3[1]); } - return 1; -} - -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_384_encrypt @@ -138,7 +118,13 @@ void skinny_128_384_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -148,14 +134,24 @@ void skinny_128_384_encrypt s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
@@ -163,8 +159,15 @@ void skinny_128_384_encrypt skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -185,6 +188,16 @@ void skinny_128_384_encrypt /* Permute TK1 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ @@ -200,7 +213,13 @@ void skinny_128_384_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0x15; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; 
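Review bot: `uint8_t rc = 0x15;` in the new small-schedule arm of `skinny_128_384_decrypt` is an unexplained magic number: it is the round-constant LFSR state one step past round 56 (0x15 is the 57th value of the SKINNY rc sequence), chosen so that the inverse LFSR step applied at the top of each decryption round yields the last round's constant first, and none of that is stated. A comment such as `/* rc LFSR state one step beyond the last round; the inverse step in the loop below produces round 56's constant first */` would let a reader check the value against the specification instead of trusting it. The 256-bit decrypt uses the same trick with a different constant and deserves the same note. The function body continues beyond this hunk.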
@@ -215,15 +234,47 @@ void skinny_128_384_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Permute TK1 to fast-forward it to the end of the key schedule */ skinny128_fast_forward_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_fast_forward_tk(TK2); + skinny128_fast_forward_tk(TK3); + for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2 and TK3. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + skinny128_LFSR3(TK3[2]); + skinny128_LFSR3(TK3[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_inv_permute_tk(TK3); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); + skinny128_LFSR2(TK3[2]); + skinny128_LFSR2(TK3[3]); +#endif /* Inverse mix of the columns */ temp = s3; 
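Review bot: The TK2/TK3 fast-forward loop in the new `SKINNY_128_SMALL_SCHEDULE` arm of `skinny_128_384_decrypt` uses `//` comments while the rest of this file uses `/* */`, and its bound `round < SKINNY_128_384_ROUNDS; round += 2` hides the intent, which is to clock every LFSR cell ROUNDS/2 times because the encrypt loop only clocks `TK2[0..1]`/`TK3[0..1]` each round (presumably the tweakey permutation alternates which half is clocked — worth saying so). `for (round = 0; round < SKINNY_128_384_ROUNDS / 2; ++round) { /* each cell is clocked once per two rounds */` says the same thing without silently relying on the round count being even. Note that this arm is compiled only when `SKINNY_128_SMALL_SCHEDULE` is 1, which the header sets only under `__AVR__`, where this file's body is excluded, so no build in this tree exercises it. `skinny_128_384_decrypt` starts and ends outside this hunk.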
@@ -240,8 +291,15 @@ void skinny_128_384_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ @@ -259,13 +317,18 @@ void skinny_128_384_decrypt } void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2) { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; uint32_t TK2[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -275,7 +338,7 @@ void skinny_128_384_encrypt_tk2 s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); @@ -284,9 +347,15 @@ void skinny_128_384_encrypt_tk2 TK2[1] = le_load_word32(tk2 + 4); TK2[2] = le_load_word32(tk2 + 8); TK2[3] = le_load_word32(tk2 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
@@ -294,8 +363,15 @@ void skinny_128_384_encrypt_tk2 skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -319,6 +395,13 @@ void skinny_128_384_encrypt_tk2 skinny128_permute_tk(TK2); skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK3); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -408,33 +491,27 @@ void skinny_128_384_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t *schedule; unsigned round; uint8_t rc; +#endif - /* Validate the parameters */ - if (!ks || !key || (key_len != 16 && key_len != 32)) - return 0; - +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); +#else /* Set the initial states of TK1 and TK2 */ - if (key_len == 16) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); /* Set up the key schedule using TK2. TK1 is not added * to the key schedule because we will derive that part of the @@ -457,20 +534,7 @@ int skinny_128_256_init skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); } - return 1; -} - -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_256_encrypt 
@@ -479,7 +543,12 @@ void skinny_128_256_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -494,18 +563,31 @@ void skinny_128_256_encrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); skinny128_sbox(s2); skinny128_sbox(s3); - /* Apply the subkey for this round */ + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -524,8 +606,15 @@ void skinny_128_256_encrypt s1 = s0; s0 = temp; - /* Permute TK1 for the next round */ + /* Permute TK1 and TK2 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -541,7 +630,12 @@ void skinny_128_256_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; @@ -558,12 +652,29 @@ void skinny_128_256_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif /* Inverse mix of the columns */ temp = s3; @@ -580,8 +691,15 @@ void skinny_128_256_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ 
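Review bot: `uint8_t rc = 0x09;` in `skinny_128_256_decrypt` needs the same explanation as its 384-bit counterpart: it is the rc LFSR state one step past round 48 (the 49th value of the SKINNY rc sequence), so that the inverse step applied at the top of each round yields round 48's constant first. Suggested comment: `/* rc LFSR state one step beyond round 48; the inverse step in the loop below yields the last round's constant first */`. Without it the constant cannot be checked against the specification by inspection. The function continues past the end of the hunk.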
@@ -670,142 +788,14 @@ void skinny_128_256_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len) -{ - uint32_t TK1[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || key_len != 16) - return 0; - - /* Set the initial state of TK1 */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); +#else /* __AVR__ */ - /* Set up the key schedule using TK1 */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. - * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK1[0] ^ (rc & 0x0F); - schedule[1] = TK1[1] ^ (rc >> 4); - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); - } - return 1; -} - -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) { - uint32_t s0, s1, s2, s3; - const uint32_t *schedule = ks->k; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; 
- s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); } -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - const uint32_t *schedule; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; - s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} +#endif /* __AVR__ */ 
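Review bot: The AVR-only `skinny_128_384_encrypt_tk2` added at the bottom of this hunk writes `tk2` into `ks->TK2` and leaves it there, so on AVR a later `skinny_128_384_encrypt(ks, …)` on the same schedule silently uses the last tweak instead of the zero TK2 the header says the schedule holds after init, while the portable version keeps TK2 in locals and never touches `ks`. That is a platform-dependent difference inside a primitive, and the header's "some versions may modify the key schedule" note names neither the field nor the fact that the change persists. Either restore the field before returning — `unsigned char saved[16]; memcpy(saved, ks->TK2, 16);` before the call and `memcpy(ks->TK2, saved, 16);` after — or document that TK2 is left equal to `tk2` on every platform and make the portable version behave the same way. The wrapper is fully visible here; the assembly `skinny_128_384_encrypt` it calls is not.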
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.h index 76b34f5..2bfda3c 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.h +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-skinny128.h @@ -39,6 +39,16 @@ extern "C" { #endif /** + * \def SKINNY_128_SMALL_SCHEDULE + * \brief Defined to 1 to use the small key schedule version of SKINNY-128. + */ +#if defined(__AVR__) +#define SKINNY_128_SMALL_SCHEDULE 1 +#else +#define SKINNY_128_SMALL_SCHEDULE 0 +#endif + +/** * \brief Size of a block for SKINNY-128 block ciphers. */ #define SKINNY_128_BLOCK_SIZE 16 @@ -56,8 +66,16 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; + + /** TK3 for the small key schedule */ + uint8_t TK3[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_384_ROUNDS * 2]; +#endif } skinny_128_384_key_schedule_t; 
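Review bot: `SKINNY_128_SMALL_SCHEDULE` is fixed to `defined(__AVR__)` with no way to override it, and the C implementation in internal-skinny128.c is compiled only under `#if !defined(__AVR__)`, so every `#if SKINNY_128_SMALL_SCHEDULE` arm this commit adds to that file is unreachable from any build of the tree and is covered by no test vector. Wrapping the new definition in `#if !defined(SKINNY_128_SMALL_SCHEDULE)` … `#endif` would let a host build pass `-DSKINNY_128_SMALL_SCHEDULE=1` and run the small-schedule C paths against the KATs. Because the macro also changes the layout and size of `skinny_128_384_key_schedule_t` and `skinny_128_256_key_schedule_t`, the `\def` comment should warn that it must have the same value in every translation unit that includes this header.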
@@ -66,29 +84,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 32 or 48, - * where 32 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); /** * \brief Encrypts a 128-bit block with SKINNY-128-384. @@ -133,9 +131,12 @@ void skinny_128_384_decrypt * This version is useful when both TK1 and TK2 change from block to block. * When the key is initialized with skinny_128_384_init(), the TK2 part of * the key value should be set to zero. + * + * \note Some versions of this function may modify the key schedule to + * copy tk2 into place. */ void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2); /** @@ -170,8 +171,13 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_256_ROUNDS * 2]; +#endif } skinny_128_256_key_schedule_t; 
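Review bot: The rewritten `skinny_128_384_init` documentation drops the length together with the `key_len` parameter, so `\param key Points to the key data.` no longer says how many bytes are read or how they are split, although the implementation copies bytes 0–15 into TK1, 16–31 into TK2 and 32–47 into TK3. Suggest `\param key Points to the 48-byte key, laid out as TK1 || TK2 || TK3 (16 bytes each).` The `key[48]` array parameter decays to a pointer and enforces nothing, and the former NULL/length check with its zero return is gone, so a sentence stating that callers must supply exactly 48 bytes and that invalid parameters are no longer reported is the only thing left to replace the removed check.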
@@ -180,29 +186,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16 or 32, - * where 16 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); /** * \brief Encrypts a 128-bit block with SKINNY-128-256. 
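Review bot: As with the 384-bit variant, `\param key Points to the key data.` for `skinny_128_256_init` no longer gives a length now that `key_len` is gone, yet the implementation reads 32 bytes, TK1 from the first 16 and TK2 from the next 16. Suggest `\param key Points to the 32-byte key, laid out as TK1 || TK2 (16 bytes each).` together with a note that the function no longer validates its parameters, so callers must supply exactly 32 bytes.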
@@ -251,63 +237,6 @@ void skinny_128_256_encrypt_tk_full (const unsigned char key[32], unsigned char *output, const unsigned char *input); -/** - * \brief Number of rounds for SKINNY-128-128. - */ -#define SKINNY_128_128_ROUNDS 40 - -/** - * \brief Structure of the key schedule for SKINNY-128-128. - */ -typedef struct -{ - /** Words of the key schedule */ - uint32_t k[SKINNY_128_128_ROUNDS * 2]; - -} skinny_128_128_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-128. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - #ifdef __cplusplus } #endif 
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-util.h
+++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
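Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is hard-wired to `defined(__AVR__)`, so the composed rotation macros this commit adds further down can only be compiled by an AVR toolchain and are never exercised by a host build; a wrong count in one of them (they are easy to get wrong — `leftRotate12` is "rotate left 16, then right 4") would only surface on-device. Guarding the block with `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` lets a host build set `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and run the cipher KATs through the composed path. The comment above the definition could also state that both paths must produce identical results and that the composed one is purely a performance choice.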
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.c index 2bb37e9..7558527 100644 
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.c
+++ b/skinny/Implementations/crypto_aead/skinnyaeadtk396128v1/rhys/skinny-aead.c
@@ -105,11 +105,12 @@ static void skinny_aead_128_384_init
 (skinny_128_384_key_schedule_t *ks, const unsigned char *key,
 const unsigned char *nonce, unsigned nonce_len)
 {
- unsigned char k[32];
- memcpy(k, nonce, nonce_len);
- memset(k + nonce_len, 0, 16 - nonce_len);
- memcpy(k + 16, key, 16);
- skinny_128_384_init(ks, k, 32);
+ unsigned char k[48];
+ memset(k, 0, 16);
+ memcpy(k + 16, nonce, nonce_len);
+ memset(k + 16 + nonce_len, 0, 16 - nonce_len);
+ memcpy(k + 32, key, 16);
+ skinny_128_384_init(ks, k);
 }
 
 /**
@@ -136,7 +137,7 @@ static void skinny_aead_128_384_init
 #define skinny_aead_128_384_update_lfsr(lfsr) \
 do { \
 uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \
- (lfsr) = ((lfsr) << 1) | feedback; \
+ (lfsr) = ((lfsr) << 1) ^ feedback; \
 } while (0)
 
 /**
@@ -520,7 +521,7 @@ static void skinny_aead_128_256_init
 memset(k, 0, 16 - nonce_len);
 memcpy(k + 16 - nonce_len, nonce, nonce_len);
 memcpy(k + 16, key, 16);
- skinny_128_256_init(ks, k, 32);
+ skinny_128_256_init(ks, k);
 }
 
 /**
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/aead-common.c b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/aead-common.c
+++ /dev/null
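Review bot: `unsigned char k[48]` in `skinny_aead_128_384_init` now holds the 16-byte key together with the nonce and is left on the stack when the function returns; the old `k[32]` had the same problem, but with the key now copied to `k + 32` this is the moment to clear the buffer before returning (a plain `memset` at the end of a function may be elided — use the library's secure-wipe helper if it has one, otherwise a volatile-byte loop). Also, `memset(k + 16 + nonce_len, 0, 16 - nonce_len)` relies on `nonce_len <= 16`; `nonce_len` is unsigned, so anything larger wraps to a huge length and overruns `k`, and a comment or assertion stating that bound at the top of the function would record what the static callers must guarantee. The function's signature line sits just before the hunk.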
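Review bot: Changing `skinny_aead_128_384_update_lfsr` from `|` to `^` alters the LFSR sequence for every state whose shifted value already has bit 1, 3 or 4 set, so ciphertexts and tags for any message long enough to clock the LFSR past such a state differ from what the previous build produced; this should be confirmed against the reference KAT files for this variant with inputs spanning several blocks, and the fix is worth recording as a spec-conformance change wherever the variant's behaviour is documented. The macro is fully visible in the hunk; its callers are not.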
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/aead-common.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/api.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/api.h deleted file mode 100644 index 32c9622..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 12 -#define CRYPTO_ABYTES 8 -#define CRYPTO_NOOVERLAP 1 diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/encrypt.c b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/encrypt.c deleted file mode 100644 index 0623826..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@ - -#include "skinny-aead.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return skinny_aead_m4_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return skinny_aead_m4_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-skinny128-avr.S b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-skinny128-avr.S deleted file mode 100644 index d342cd5..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-skinny128-avr.S +++ /dev/null 
@@ -1,10099 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 256 -table_0: - .byte 101 - .byte 76 - .byte 106 - .byte 66 - .byte 75 - .byte 99 - .byte 67 - .byte 107 - .byte 85 - .byte 117 - .byte 90 - .byte 122 - .byte 83 - .byte 115 - .byte 91 - .byte 123 - .byte 53 - .byte 140 - .byte 58 - .byte 129 - .byte 137 - .byte 51 - .byte 128 - .byte 59 - .byte 149 - .byte 37 - .byte 152 - .byte 42 - .byte 144 - .byte 35 - .byte 153 - .byte 43 - .byte 229 - .byte 204 - .byte 232 - .byte 193 - .byte 201 - .byte 224 - .byte 192 - .byte 233 - .byte 213 - .byte 245 - .byte 216 - .byte 248 - .byte 208 - .byte 240 - .byte 217 - .byte 249 - .byte 165 - .byte 28 - .byte 168 - .byte 18 - .byte 27 - .byte 160 - .byte 19 - .byte 169 - .byte 5 - .byte 181 - .byte 10 - .byte 184 - .byte 3 - .byte 176 - .byte 11 - .byte 185 - .byte 50 - .byte 136 - .byte 60 - .byte 133 - .byte 141 - .byte 52 - .byte 132 - .byte 61 - .byte 145 - .byte 34 - .byte 156 - .byte 44 - .byte 148 - .byte 36 - .byte 157 - .byte 45 - .byte 98 - .byte 74 - .byte 108 - .byte 69 - .byte 77 - .byte 100 - .byte 68 - .byte 109 - .byte 82 - .byte 114 - .byte 92 - .byte 124 - .byte 84 - .byte 116 - .byte 93 - .byte 125 - .byte 161 - .byte 26 - .byte 172 - .byte 21 - .byte 29 - .byte 164 - .byte 20 - .byte 173 - .byte 2 - .byte 177 - .byte 12 - .byte 188 - .byte 4 - .byte 180 - .byte 13 - .byte 189 - .byte 225 - .byte 200 - .byte 236 - .byte 197 - .byte 205 - .byte 228 - .byte 196 - .byte 237 - .byte 209 - .byte 241 - .byte 220 - .byte 252 - .byte 212 - .byte 244 - .byte 221 - .byte 253 - .byte 54 - .byte 142 - .byte 56 - .byte 130 - .byte 139 - .byte 48 - .byte 131 - .byte 57 - .byte 150 - .byte 38 - .byte 154 - .byte 40 - .byte 147 - .byte 32 - .byte 155 - .byte 41 - .byte 102 - .byte 78 - .byte 104 - .byte 65 - .byte 73 - .byte 96 - .byte 64 - .byte 105 - .byte 86 - .byte 118 - .byte 88 - 
.byte 120 - .byte 80 - .byte 112 - .byte 89 - .byte 121 - .byte 166 - .byte 30 - .byte 170 - .byte 17 - .byte 25 - .byte 163 - .byte 16 - .byte 171 - .byte 6 - .byte 182 - .byte 8 - .byte 186 - .byte 0 - .byte 179 - .byte 9 - .byte 187 - .byte 230 - .byte 206 - .byte 234 - .byte 194 - .byte 203 - .byte 227 - .byte 195 - .byte 235 - .byte 214 - .byte 246 - .byte 218 - .byte 250 - .byte 211 - .byte 243 - .byte 219 - .byte 251 - .byte 49 - .byte 138 - .byte 62 - .byte 134 - .byte 143 - .byte 55 - .byte 135 - .byte 63 - .byte 146 - .byte 33 - .byte 158 - .byte 46 - .byte 151 - .byte 39 - .byte 159 - .byte 47 - .byte 97 - .byte 72 - .byte 110 - .byte 70 - .byte 79 - .byte 103 - .byte 71 - .byte 111 - .byte 81 - .byte 113 - .byte 94 - .byte 126 - .byte 87 - .byte 119 - .byte 95 - .byte 127 - .byte 162 - .byte 24 - .byte 174 - .byte 22 - .byte 31 - .byte 167 - .byte 23 - .byte 175 - .byte 1 - .byte 178 - .byte 14 - .byte 190 - .byte 7 - .byte 183 - .byte 15 - .byte 191 - .byte 226 - .byte 202 - .byte 238 - .byte 198 - .byte 207 - .byte 231 - .byte 199 - .byte 239 - .byte 210 - .byte 242 - .byte 222 - .byte 254 - .byte 215 - .byte 247 - .byte 223 - .byte 255 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_1, @object - .size table_1, 256 -table_1: - .byte 172 - .byte 232 - .byte 104 - .byte 60 - .byte 108 - .byte 56 - .byte 168 - .byte 236 - .byte 170 - .byte 174 - .byte 58 - .byte 62 - .byte 106 - .byte 110 - .byte 234 - .byte 238 - .byte 166 - .byte 163 - .byte 51 - .byte 54 - .byte 102 - .byte 99 - .byte 227 - .byte 230 - .byte 225 - .byte 164 - .byte 97 - .byte 52 - .byte 49 - .byte 100 - .byte 161 - .byte 228 - .byte 141 - .byte 201 - .byte 73 - .byte 29 - .byte 77 - .byte 25 - .byte 137 - .byte 205 - .byte 139 - .byte 143 - .byte 27 - .byte 31 - .byte 75 - .byte 79 - .byte 203 - .byte 207 - .byte 133 - .byte 192 - .byte 64 - .byte 21 - .byte 69 - .byte 16 - .byte 128 - .byte 197 - .byte 130 - .byte 135 - .byte 18 - .byte 23 - .byte 66 - .byte 71 - 
.byte 194 - .byte 199 - .byte 150 - .byte 147 - .byte 3 - .byte 6 - .byte 86 - .byte 83 - .byte 211 - .byte 214 - .byte 209 - .byte 148 - .byte 81 - .byte 4 - .byte 1 - .byte 84 - .byte 145 - .byte 212 - .byte 156 - .byte 216 - .byte 88 - .byte 12 - .byte 92 - .byte 8 - .byte 152 - .byte 220 - .byte 154 - .byte 158 - .byte 10 - .byte 14 - .byte 90 - .byte 94 - .byte 218 - .byte 222 - .byte 149 - .byte 208 - .byte 80 - .byte 5 - .byte 85 - .byte 0 - .byte 144 - .byte 213 - .byte 146 - .byte 151 - .byte 2 - .byte 7 - .byte 82 - .byte 87 - .byte 210 - .byte 215 - .byte 157 - .byte 217 - .byte 89 - .byte 13 - .byte 93 - .byte 9 - .byte 153 - .byte 221 - .byte 155 - .byte 159 - .byte 11 - .byte 15 - .byte 91 - .byte 95 - .byte 219 - .byte 223 - .byte 22 - .byte 19 - .byte 131 - .byte 134 - .byte 70 - .byte 67 - .byte 195 - .byte 198 - .byte 65 - .byte 20 - .byte 193 - .byte 132 - .byte 17 - .byte 68 - .byte 129 - .byte 196 - .byte 28 - .byte 72 - .byte 200 - .byte 140 - .byte 76 - .byte 24 - .byte 136 - .byte 204 - .byte 26 - .byte 30 - .byte 138 - .byte 142 - .byte 74 - .byte 78 - .byte 202 - .byte 206 - .byte 53 - .byte 96 - .byte 224 - .byte 165 - .byte 101 - .byte 48 - .byte 160 - .byte 229 - .byte 50 - .byte 55 - .byte 162 - .byte 167 - .byte 98 - .byte 103 - .byte 226 - .byte 231 - .byte 61 - .byte 105 - .byte 233 - .byte 173 - .byte 109 - .byte 57 - .byte 169 - .byte 237 - .byte 59 - .byte 63 - .byte 171 - .byte 175 - .byte 107 - .byte 111 - .byte 235 - .byte 239 - .byte 38 - .byte 35 - .byte 179 - .byte 182 - .byte 118 - .byte 115 - .byte 243 - .byte 246 - .byte 113 - .byte 36 - .byte 241 - .byte 180 - .byte 33 - .byte 116 - .byte 177 - .byte 244 - .byte 44 - .byte 120 - .byte 248 - .byte 188 - .byte 124 - .byte 40 - .byte 184 - .byte 252 - .byte 42 - .byte 46 - .byte 186 - .byte 190 - .byte 122 - .byte 126 - .byte 250 - .byte 254 - .byte 37 - .byte 112 - .byte 240 - .byte 181 - .byte 117 - .byte 32 - .byte 176 - .byte 245 - .byte 34 - .byte 39 - .byte 178 - 
.byte 183 - .byte 114 - .byte 119 - .byte 242 - .byte 247 - .byte 45 - .byte 121 - .byte 249 - .byte 189 - .byte 125 - .byte 41 - .byte 185 - .byte 253 - .byte 43 - .byte 47 - .byte 187 - .byte 191 - .byte 123 - .byte 127 - .byte 251 - .byte 255 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_2, @object - .size table_2, 256 -table_2: - .byte 0 - .byte 2 - .byte 4 - .byte 6 - .byte 8 - .byte 10 - .byte 12 - .byte 14 - .byte 16 - .byte 18 - .byte 20 - .byte 22 - .byte 24 - .byte 26 - .byte 28 - .byte 30 - .byte 32 - .byte 34 - .byte 36 - .byte 38 - .byte 40 - .byte 42 - .byte 44 - .byte 46 - .byte 48 - .byte 50 - .byte 52 - .byte 54 - .byte 56 - .byte 58 - .byte 60 - .byte 62 - .byte 65 - .byte 67 - .byte 69 - .byte 71 - .byte 73 - .byte 75 - .byte 77 - .byte 79 - .byte 81 - .byte 83 - .byte 85 - .byte 87 - .byte 89 - .byte 91 - .byte 93 - .byte 95 - .byte 97 - .byte 99 - .byte 101 - .byte 103 - .byte 105 - .byte 107 - .byte 109 - .byte 111 - .byte 113 - .byte 115 - .byte 117 - .byte 119 - .byte 121 - .byte 123 - .byte 125 - .byte 127 - .byte 128 - .byte 130 - .byte 132 - .byte 134 - .byte 136 - .byte 138 - .byte 140 - .byte 142 - .byte 144 - .byte 146 - .byte 148 - .byte 150 - .byte 152 - .byte 154 - .byte 156 - .byte 158 - .byte 160 - .byte 162 - .byte 164 - .byte 166 - .byte 168 - .byte 170 - .byte 172 - .byte 174 - .byte 176 - .byte 178 - .byte 180 - .byte 182 - .byte 184 - .byte 186 - .byte 188 - .byte 190 - .byte 193 - .byte 195 - .byte 197 - .byte 199 - .byte 201 - .byte 203 - .byte 205 - .byte 207 - .byte 209 - .byte 211 - .byte 213 - .byte 215 - .byte 217 - .byte 219 - .byte 221 - .byte 223 - .byte 225 - .byte 227 - .byte 229 - .byte 231 - .byte 233 - .byte 235 - .byte 237 - .byte 239 - .byte 241 - .byte 243 - .byte 245 - .byte 247 - .byte 249 - .byte 251 - .byte 253 - .byte 255 - .byte 1 - .byte 3 - .byte 5 - .byte 7 - .byte 9 - .byte 11 - .byte 13 - .byte 15 - .byte 17 - .byte 19 - .byte 21 - .byte 23 - .byte 25 - .byte 27 - .byte 29 - 
.byte 31 - .byte 33 - .byte 35 - .byte 37 - .byte 39 - .byte 41 - .byte 43 - .byte 45 - .byte 47 - .byte 49 - .byte 51 - .byte 53 - .byte 55 - .byte 57 - .byte 59 - .byte 61 - .byte 63 - .byte 64 - .byte 66 - .byte 68 - .byte 70 - .byte 72 - .byte 74 - .byte 76 - .byte 78 - .byte 80 - .byte 82 - .byte 84 - .byte 86 - .byte 88 - .byte 90 - .byte 92 - .byte 94 - .byte 96 - .byte 98 - .byte 100 - .byte 102 - .byte 104 - .byte 106 - .byte 108 - .byte 110 - .byte 112 - .byte 114 - .byte 116 - .byte 118 - .byte 120 - .byte 122 - .byte 124 - .byte 126 - .byte 129 - .byte 131 - .byte 133 - .byte 135 - .byte 137 - .byte 139 - .byte 141 - .byte 143 - .byte 145 - .byte 147 - .byte 149 - .byte 151 - .byte 153 - .byte 155 - .byte 157 - .byte 159 - .byte 161 - .byte 163 - .byte 165 - .byte 167 - .byte 169 - .byte 171 - .byte 173 - .byte 175 - .byte 177 - .byte 179 - .byte 181 - .byte 183 - .byte 185 - .byte 187 - .byte 189 - .byte 191 - .byte 192 - .byte 194 - .byte 196 - .byte 198 - .byte 200 - .byte 202 - .byte 204 - .byte 206 - .byte 208 - .byte 210 - .byte 212 - .byte 214 - .byte 216 - .byte 218 - .byte 220 - .byte 222 - .byte 224 - .byte 226 - .byte 228 - .byte 230 - .byte 232 - .byte 234 - .byte 236 - .byte 238 - .byte 240 - .byte 242 - .byte 244 - .byte 246 - .byte 248 - .byte 250 - .byte 252 - .byte 254 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_3, @object - .size table_3, 256 -table_3: - .byte 0 - .byte 128 - .byte 1 - .byte 129 - .byte 2 - .byte 130 - .byte 3 - .byte 131 - .byte 4 - .byte 132 - .byte 5 - .byte 133 - .byte 6 - .byte 134 - .byte 7 - .byte 135 - .byte 8 - .byte 136 - .byte 9 - .byte 137 - .byte 10 - .byte 138 - .byte 11 - .byte 139 - .byte 12 - .byte 140 - .byte 13 - .byte 141 - .byte 14 - .byte 142 - .byte 15 - .byte 143 - .byte 16 - .byte 144 - .byte 17 - .byte 145 - .byte 18 - .byte 146 - .byte 19 - .byte 147 - .byte 20 - .byte 148 - .byte 21 - .byte 149 - .byte 22 - .byte 150 - .byte 23 - .byte 151 - .byte 24 - .byte 152 - 
.byte 25 - .byte 153 - .byte 26 - .byte 154 - .byte 27 - .byte 155 - .byte 28 - .byte 156 - .byte 29 - .byte 157 - .byte 30 - .byte 158 - .byte 31 - .byte 159 - .byte 160 - .byte 32 - .byte 161 - .byte 33 - .byte 162 - .byte 34 - .byte 163 - .byte 35 - .byte 164 - .byte 36 - .byte 165 - .byte 37 - .byte 166 - .byte 38 - .byte 167 - .byte 39 - .byte 168 - .byte 40 - .byte 169 - .byte 41 - .byte 170 - .byte 42 - .byte 171 - .byte 43 - .byte 172 - .byte 44 - .byte 173 - .byte 45 - .byte 174 - .byte 46 - .byte 175 - .byte 47 - .byte 176 - .byte 48 - .byte 177 - .byte 49 - .byte 178 - .byte 50 - .byte 179 - .byte 51 - .byte 180 - .byte 52 - .byte 181 - .byte 53 - .byte 182 - .byte 54 - .byte 183 - .byte 55 - .byte 184 - .byte 56 - .byte 185 - .byte 57 - .byte 186 - .byte 58 - .byte 187 - .byte 59 - .byte 188 - .byte 60 - .byte 189 - .byte 61 - .byte 190 - .byte 62 - .byte 191 - .byte 63 - .byte 64 - .byte 192 - .byte 65 - .byte 193 - .byte 66 - .byte 194 - .byte 67 - .byte 195 - .byte 68 - .byte 196 - .byte 69 - .byte 197 - .byte 70 - .byte 198 - .byte 71 - .byte 199 - .byte 72 - .byte 200 - .byte 73 - .byte 201 - .byte 74 - .byte 202 - .byte 75 - .byte 203 - .byte 76 - .byte 204 - .byte 77 - .byte 205 - .byte 78 - .byte 206 - .byte 79 - .byte 207 - .byte 80 - .byte 208 - .byte 81 - .byte 209 - .byte 82 - .byte 210 - .byte 83 - .byte 211 - .byte 84 - .byte 212 - .byte 85 - .byte 213 - .byte 86 - .byte 214 - .byte 87 - .byte 215 - .byte 88 - .byte 216 - .byte 89 - .byte 217 - .byte 90 - .byte 218 - .byte 91 - .byte 219 - .byte 92 - .byte 220 - .byte 93 - .byte 221 - .byte 94 - .byte 222 - .byte 95 - .byte 223 - .byte 224 - .byte 96 - .byte 225 - .byte 97 - .byte 226 - .byte 98 - .byte 227 - .byte 99 - .byte 228 - .byte 100 - .byte 229 - .byte 101 - .byte 230 - .byte 102 - .byte 231 - .byte 103 - .byte 232 - .byte 104 - .byte 233 - .byte 105 - .byte 234 - .byte 106 - .byte 235 - .byte 107 - .byte 236 - .byte 108 - .byte 237 - .byte 109 - .byte 238 - .byte 110 - .byte 239 
- .byte 111 - .byte 240 - .byte 112 - .byte 241 - .byte 113 - .byte 242 - .byte 114 - .byte 243 - .byte 115 - .byte 244 - .byte 116 - .byte 245 - .byte 117 - .byte 246 - .byte 118 - .byte 247 - .byte 119 - .byte 248 - .byte 120 - .byte 249 - .byte 121 - .byte 250 - .byte 122 - .byte 251 - .byte 123 - .byte 252 - .byte 124 - .byte 253 - .byte 125 - .byte 254 - .byte 126 - .byte 255 - .byte 127 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_4, @object - .size table_4, 112 -table_4: - .byte 1 - .byte 0 - .byte 3 - .byte 0 - .byte 7 - .byte 0 - .byte 15 - .byte 0 - .byte 15 - .byte 1 - .byte 14 - .byte 3 - .byte 13 - .byte 3 - .byte 11 - .byte 3 - .byte 7 - .byte 3 - .byte 15 - .byte 2 - .byte 14 - .byte 1 - .byte 12 - .byte 3 - .byte 9 - .byte 3 - .byte 3 - .byte 3 - .byte 7 - .byte 2 - .byte 14 - .byte 0 - .byte 13 - .byte 1 - .byte 10 - .byte 3 - .byte 5 - .byte 3 - .byte 11 - .byte 2 - .byte 6 - .byte 1 - .byte 12 - .byte 2 - .byte 8 - .byte 1 - .byte 0 - .byte 3 - .byte 1 - .byte 2 - .byte 2 - .byte 0 - .byte 5 - .byte 0 - .byte 11 - .byte 0 - .byte 7 - .byte 1 - .byte 14 - .byte 2 - .byte 12 - .byte 1 - .byte 8 - .byte 3 - .byte 1 - .byte 3 - .byte 3 - .byte 2 - .byte 6 - .byte 0 - .byte 13 - .byte 0 - .byte 11 - .byte 1 - .byte 6 - .byte 3 - .byte 13 - .byte 2 - .byte 10 - .byte 1 - .byte 4 - .byte 3 - .byte 9 - .byte 2 - .byte 2 - .byte 1 - .byte 4 - .byte 2 - .byte 8 - .byte 0 - .byte 1 - .byte 1 - .byte 2 - .byte 2 - .byte 4 - .byte 0 - .byte 9 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 2 - .byte 12 - .byte 0 - .byte 9 - .byte 1 - .byte 2 - .byte 3 - .byte 5 - .byte 2 - .byte 10 - .byte 0 - - .text -.global skinny_128_384_init - .type skinny_128_384_init, @function -skinny_128_384_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ldi r22,12 -1: - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - st Z+,r18 - st Z+,r19 - st Z+,r20 - st Z+,r21 - dec r22 - brne 1b - ret - .size skinny_128_384_init, .-skinny_128_384_init - - .text 
-.global skinny_128_384_encrypt - .type skinny_128_384_encrypt, @function -skinny_128_384_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,48 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 68 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Y+5,r18 - std Y+6,r19 - std Y+7,r20 - std Y+8,r21 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - std Y+9,r18 - std Y+10,r19 - std Y+11,r20 - std Y+12,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - std Y+13,r18 - std Y+14,r19 - std Y+15,r20 - std Y+16,r21 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - std Y+17,r18 - std Y+18,r19 - std Y+19,r20 - std Y+20,r21 - ldd r18,Z+20 - ldd r19,Z+21 - ldd r20,Z+22 - ldd r21,Z+23 - std Y+21,r18 - std Y+22,r19 - std Y+23,r20 - std Y+24,r21 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - std Y+25,r18 - std Y+26,r19 - std Y+27,r20 - std Y+28,r21 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - std Y+29,r18 - std Y+30,r19 - std Y+31,r20 - std Y+32,r21 - ldd r18,Z+32 - ldd r19,Z+33 - ldd r20,Z+34 - ldd r21,Z+35 - std Y+33,r18 - std Y+34,r19 - std Y+35,r20 - std Y+36,r21 - ldd r18,Z+36 - ldd r19,Z+37 - ldd r20,Z+38 - ldd r21,Z+39 - std Y+37,r18 - std Y+38,r19 - std Y+39,r20 - std Y+40,r21 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - std Y+41,r18 - std Y+42,r19 - std Y+43,r20 - std Y+44,r21 - ldd r18,Z+44 - ldd r19,Z+45 - ldd r20,Z+46 - ldd r21,Z+47 - std Y+45,r18 - std Y+46,r19 - std Y+47,r20 - std Y+48,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld 
r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r26,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - mov r26,r1 -114: - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z 
-#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - ldi r27,2 - eor r4,r27 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+33 - eor r18,r0 - ldd r0,Y+34 - eor r19,r0 - ldd r0,Y+35 - eor r20,r0 - ldd r0,Y+36 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - ldd r0,Y+37 - eor r22,r0 - ldd r0,Y+38 - 
eor r23,r0 - ldd r0,Y+39 - eor r2,r0 - ldd r0,Y+40 - eor r3,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z 
-#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - std Y+30,r16 - std Y+31,r24 - std Y+32,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r13 - std Y+42,r17 - std Y+43,r12 - std 
Y+44,r25 - std Y+45,r14 - std Y+46,r16 - std Y+47,r24 - std Y+48,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - 
mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - ldi r27,2 - eor r22,r27 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+41 - eor r8,r0 - ldd r0,Y+42 - eor r9,r0 - ldd r0,Y+43 - eor r10,r0 - ldd r0,Y+44 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - ldd r0,Y+45 - eor r18,r0 - ldd r0,Y+46 - eor r19,r0 - ldd r0,Y+47 - eor r20,r0 - ldd r0,Y+48 - eor 
r21,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - mov r0,r2 - mov r2,r22 - mov r22,r0 - mov r0,r3 - mov r3,r23 - mov r23,r0 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 
-#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r13 - std Y+34,r17 - std Y+35,r12 - std Y+36,r25 - std Y+37,r14 - std Y+38,r16 - std Y+39,r24 - std Y+40,r15 - 
ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - ldi r27,2 - eor r18,r27 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+33 - eor r4,r0 - ldd r0,Y+34 - eor r5,r0 - ldd r0,Y+35 - eor r6,r0 - ldd r0,Y+36 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - ldd r0,Y+37 - eor r8,r0 - ldd r0,Y+38 - eor r9,r0 - ldd r0,Y+39 - eor r10,r0 - ldd r0,Y+40 - eor r11,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - mov 
r0,r20 - mov r20,r18 - mov r18,r0 - mov r0,r21 - mov r21,r19 - mov r19,r0 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z 
-#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - std Y+30,r16 - std Y+31,r24 - std Y+32,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r13 - std Y+42,r17 - std Y+43,r12 - std Y+44,r25 - std Y+45,r14 - std Y+46,r16 - std Y+47,r24 - std Y+48,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if 
defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld 
r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - ldi r27,2 - eor r8,r27 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+41 - eor r22,r0 - ldd r0,Y+42 - eor r23,r0 - ldd r0,Y+43 - eor r2,r0 - ldd r0,Y+44 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - ldd r0,Y+45 - eor r4,r0 - ldd r0,Y+46 - eor r5,r0 - ldd r0,Y+47 - eor r6,r0 - ldd r0,Y+48 - eor r7,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov 
r9,r0 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - cpi r26,112 - brne 5721f - rjmp 790f -5721: - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - 
lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r13 - std Y+34,r17 - std Y+35,r12 - std Y+36,r25 - std Y+37,r14 - std Y+38,r16 - std Y+39,r24 - std Y+40,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - 
out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 114b -790: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+49 - ldd r27,Y+50 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,50 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_384_encrypt, .-skinny_128_384_encrypt - -.global skinny_128_384_encrypt_tk_full - .set skinny_128_384_encrypt_tk_full,skinny_128_384_encrypt - - .text -.global skinny_128_384_decrypt - .type skinny_128_384_decrypt, @function -skinny_128_384_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,48 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 68 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r4,Z+8 - ldd r5,Z+9 - ldd r6,Z+10 - ldd r7,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Y+1,r23 - std Y+2,r2 - std Y+3,r21 - std Y+4,r20 - std Y+5,r3 - std Y+6,r18 - std Y+7,r19 - std Y+8,r22 - std Y+9,r9 - std Y+10,r10 - std Y+11,r7 - std Y+12,r6 - std Y+13,r11 - std Y+14,r4 - std Y+15,r5 - std Y+16,r8 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - ldd r4,Z+24 - ldd r5,Z+25 - ldd r6,Z+26 - ldd r7,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Y+17,r23 - std Y+18,r2 - std Y+19,r21 - std Y+20,r20 - std Y+21,r3 - std Y+22,r18 - std 
Y+23,r19 - std Y+24,r22 - std Y+25,r9 - std Y+26,r10 - std Y+27,r7 - std Y+28,r6 - std Y+29,r11 - std Y+30,r4 - std Y+31,r5 - std Y+32,r8 - ldd r18,Z+32 - ldd r19,Z+33 - ldd r20,Z+34 - ldd r21,Z+35 - ldd r22,Z+36 - ldd r23,Z+37 - ldd r2,Z+38 - ldd r3,Z+39 - ldd r4,Z+40 - ldd r5,Z+41 - ldd r6,Z+42 - ldd r7,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - std Y+33,r23 - std Y+34,r2 - std Y+35,r21 - std Y+36,r20 - std Y+37,r3 - std Y+38,r18 - std Y+39,r19 - std Y+40,r22 - std Y+41,r9 - std Y+42,r10 - std Y+43,r7 - std Y+44,r6 - std Y+45,r11 - std Y+46,r4 - std Y+47,r5 - std Y+48,r8 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r26,hh8(table_2) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,28 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 -122: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 122b - std Y+17,r12 - std Y+18,r13 - std Y+19,r14 - std Y+20,r15 - std Y+21,r24 - std Y+22,r25 - std Y+23,r16 - std Y+24,r17 - ldi r26,28 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 -150: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif 
defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 150b - std Y+25,r12 - std Y+26,r13 - std Y+27,r14 - std Y+28,r15 - std Y+29,r24 - std Y+30,r25 - std Y+31,r16 - std Y+32,r17 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r26,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,28 - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 -179: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 179b - std Y+33,r12 - std Y+34,r13 - std Y+35,r14 - std Y+36,r15 - std Y+37,r24 - std Y+38,r25 - std Y+39,r16 - std Y+40,r17 - ldi r26,28 - ldd r12,Y+41 - ldd r13,Y+42 - 
ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 -207: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 207b - std Y+41,r12 - std Y+42,r13 - std Y+43,r14 - std Y+44,r15 - std Y+45,r24 - std Y+46,r25 - std Y+47,r16 - std Y+48,r17 - ldi r26,112 -227: - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 
-#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r14 - std Y+34,r12 - std Y+35,r24 - std Y+36,r17 - std Y+37,r16 - std Y+38,r15 - std Y+39,r25 - std Y+40,r13 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - mov r0,r8 - mov r8,r10 - mov r10,r0 - mov r0,r9 - mov r9,r11 - mov r11,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+41 - eor r22,r0 - ldd r0,Y+42 - eor r23,r0 - ldd r0,Y+43 - eor r2,r0 - ldd r0,Y+44 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - ldd 
r0,Y+45 - eor r4,r0 - ldd r0,Y+46 - eor r5,r0 - ldd r0,Y+47 - eor r6,r0 - ldd r0,Y+48 - eor r7,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - ldi r27,2 - eor r8,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif 
defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - 
ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm 
r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r14 - std Y+42,r12 - std Y+43,r24 - std Y+44,r17 - std Y+45,r16 - std Y+46,r15 - std Y+47,r25 - std Y+48,r13 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r18 - mov r18,r20 - mov r20,r0 - mov r0,r19 - mov r19,r21 - mov r21,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+33 - eor r4,r0 - ldd r0,Y+34 - eor r5,r0 - ldd r0,Y+35 - eor r6,r0 - ldd r0,Y+36 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - ldd r0,Y+37 - eor r8,r0 - ldd r0,Y+38 - eor r9,r0 - ldd r0,Y+39 - eor r10,r0 - 
ldd r0,Y+40 - eor r11,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - ldi r27,2 - eor r18,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov 
r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm 
r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - 
mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r14 - std Y+34,r12 - std Y+35,r24 - std Y+36,r17 - std Y+37,r16 - std Y+38,r15 - std Y+39,r25 - std Y+40,r13 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - mov r0,r22 - mov r22,r2 - mov r2,r0 - mov r0,r23 - mov r23,r3 - mov r3,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+41 - eor r8,r0 - ldd r0,Y+42 - eor r9,r0 - ldd r0,Y+43 - eor r10,r0 - ldd r0,Y+44 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - ldd r0,Y+45 - eor r18,r0 - ldd r0,Y+46 - eor r19,r0 - ldd r0,Y+47 - eor r20,r0 - ldd r0,Y+48 - eor r21,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) 
-#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - ldi r27,2 - eor r22,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z 
-#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r14 - std Y+42,r12 - std Y+43,r24 - std Y+44,r17 - std Y+45,r16 - std Y+46,r15 - std Y+47,r25 - std Y+48,r13 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - mov r0,r4 - mov r4,r6 - mov r6,r0 - mov r0,r5 - mov r5,r7 - mov r7,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+33 - eor r18,r0 - ldd r0,Y+34 - eor r19,r0 - ldd r0,Y+35 - eor r20,r0 - ldd r0,Y+36 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - ldd r0,Y+37 - eor r22,r0 - ldd r0,Y+38 - eor r23,r0 - ldd r0,Y+39 - eor r2,r0 - ldd r0,Y+40 - eor r3,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out 
_SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - ldi r27,2 - eor r4,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif 
defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - cp r26,r1 - breq 903f - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 227b -903: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+49 - ldd r27,Y+50 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,50 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_384_decrypt, .-skinny_128_384_decrypt - - .text -.global 
skinny_128_256_init - .type skinny_128_256_init, @function -skinny_128_256_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ldi r22,8 -1: - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - st Z+,r18 - st Z+,r19 - st Z+,r20 - st Z+,r21 - dec r22 - brne 1b - ret - .size skinny_128_256_init, .-skinny_128_256_init - - .text -.global skinny_128_256_encrypt - .type skinny_128_256_encrypt, @function -skinny_128_256_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,32 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 52 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Y+5,r18 - std Y+6,r19 - std Y+7,r20 - std Y+8,r21 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - std Y+9,r18 - std Y+10,r19 - std Y+11,r20 - std Y+12,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - std Y+13,r18 - std Y+14,r19 - std Y+15,r20 - std Y+16,r21 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - std Y+17,r18 - std Y+18,r19 - std Y+19,r20 - std Y+20,r21 - ldd r18,Z+20 - ldd r19,Z+21 - ldd r20,Z+22 - ldd r21,Z+23 - std Y+21,r18 - std Y+22,r19 - std Y+23,r20 - std Y+24,r21 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - std Y+25,r18 - std Y+26,r19 - std Y+27,r20 - std Y+28,r21 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - std Y+29,r18 - std Y+30,r19 - std Y+31,r20 - std Y+32,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi 
r26,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - mov r26,r1 -82: - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - ldi r27,2 - eor r4,r27 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - eor r4,r18 - eor r5,r19 - 
eor r6,r20 - eor r7,r21 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - std Y+30,r16 - std Y+31,r24 
- std Y+32,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - 
elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - ldi r27,2 - eor r22,r27 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - mov r0,r2 - mov r2,r22 - mov r22,r0 - mov r0,r3 - mov r3,r23 - mov r23,r0 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - eor 
r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std 
Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm 
r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - ldi r27,2 - eor r18,r27 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - mov r0,r20 - mov r20,r18 - mov r18,r0 - mov r0,r21 - mov r21,r19 - mov r19,r0 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - eor 
r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - 
std Y+30,r16 - std Y+31,r24 - std Y+32,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if 
defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - ldi r27,2 - eor r8,r27 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r4,r8 - eor r5,r9 - 
eor r6,r10 - eor r7,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - cpi r26,96 - breq 594f - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std 
Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 82b -594: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+33 - ldd r27,Y+34 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,34 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_256_encrypt, .-skinny_128_256_encrypt - -.global skinny_128_256_encrypt_tk_full - .set skinny_128_256_encrypt_tk_full,skinny_128_256_encrypt - - .text -.global skinny_128_256_decrypt - .type skinny_128_256_decrypt, @function -skinny_128_256_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,32 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 52 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r4,Z+8 - ldd r5,Z+9 - ldd r6,Z+10 - ldd r7,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - std Y+5,r22 - std Y+6,r23 - std Y+7,r2 - std Y+8,r3 - std Y+9,r4 - std Y+10,r5 - std Y+11,r6 - std Y+12,r7 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - ldd r4,Z+24 - ldd r5,Z+25 - ldd 
r6,Z+26 - ldd r7,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Y+17,r18 - std Y+18,r19 - std Y+19,r20 - std Y+20,r21 - std Y+21,r22 - std Y+22,r23 - std Y+23,r2 - std Y+24,r3 - std Y+25,r4 - std Y+26,r5 - std Y+27,r6 - std Y+28,r7 - std Y+29,r8 - std Y+30,r9 - std Y+31,r10 - std Y+32,r11 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r26,hh8(table_2) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,24 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 -90: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if 
defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 90b - std Y+17,r12 - std Y+18,r13 - std Y+19,r14 - std Y+20,r15 - std Y+21,r24 - std Y+22,r25 - std Y+23,r16 - std Y+24,r17 - ldi r26,24 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 -118: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 118b - std Y+25,r12 - std Y+26,r13 - std Y+27,r14 - std Y+28,r15 - std Y+29,r24 - std Y+30,r25 - std Y+31,r16 - std Y+32,r17 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r26,hh8(table_3) - 
out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,96 -139: - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r4,r8 - eor r5,r9 - eor r6,r10 - 
eor r7,r11 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - mov r0,r8 - mov r8,r10 - mov r10,r0 - mov r0,r9 - mov r9,r11 - mov r11,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - ldi r27,2 - eor r8,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z 
-#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - 
ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r8,r18 - eor 
r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r18 - mov r18,r20 - mov r20,r0 - mov r0,r19 - mov r19,r21 - mov r21,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - ldi r27,2 - eor r18,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - 
elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if 
defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r18,r22 - eor 
r19,r23 - eor r20,r2 - eor r21,r3 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - mov r0,r22 - mov r22,r2 - mov r2,r0 - mov r0,r23 - mov r23,r3 - mov r3,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - ldi r27,2 - eor r22,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 
-#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_3) - ldi 
r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - mov r0,r4 - mov r4,r6 - mov r6,r0 - mov r0,r5 - mov r5,r7 - mov r7,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - ldi r27,2 - eor r4,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - 
mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - cp r26,r1 - 
breq 651f - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 139b -651: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+33 - ldd r27,Y+34 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,34 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_256_decrypt, .-skinny_128_256_decrypt - -#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-skinny128.c deleted file mode 100644 index 579ced1..0000000 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-skinny128.c +++ /dev/null 
@@ -1,801 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-skinny128.h"
-#include "internal-skinnyutil.h"
-#include "internal-util.h"
-#include
-
-#if !defined(__AVR__)
-
-STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
-{
- /* This function is used to fast-forward the TK1 tweak value
- * to the value at the end of the key schedule for decryption.
- *
- * The tweak permutation repeats every 16 rounds, so SKINNY-128-256
- * with 48 rounds does not need any fast forwarding applied.
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds
- * are equivalent to applying the permutation 8 times:
- *
- * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12]
- */
- uint32_t row0 = tk[0];
- uint32_t row1 = tk[1];
- uint32_t row2 = tk[2];
- uint32_t row3 = tk[3];
- tk[0] = ((row1 >> 8) & 0x0000FFFFU) |
- ((row0 >> 8) & 0x00FF0000U) |
- ((row0 << 8) & 0xFF000000U);
- tk[1] = ((row1 >> 24) & 0x000000FFU) |
- ((row0 << 8) & 0x00FFFF00U) |
- ((row1 << 24) & 0xFF000000U);
- tk[2] = ((row3 >> 8) & 0x0000FFFFU) |
- ((row2 >> 8) & 0x00FF0000U) |
- ((row2 << 8) & 0xFF000000U);
- tk[3] = ((row3 >> 24) & 0x000000FFU) |
- ((row2 << 8) & 0x00FFFF00U) |
- ((row3 << 24) & 0xFF000000U);
-}
-
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
- memcpy(ks->TK3, key + 32, sizeof(ks->TK3));
-#else
- /* Set the initial states of TK1, TK2, and TK3 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Set up the key schedule using TK2 and TK3. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4);
-
- /* Permute TK2 and TK3 for the next round */
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
-
- /* Apply the LFSR's to TK2 and TK3 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-#endif
-}
-
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0x15;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Permute TK1 to fast-forward it to the end of the key schedule */
- skinny128_fast_forward_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_fast_forward_tk(TK2);
- skinny128_fast_forward_tk(TK3);
- for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2 and TK3.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- skinny128_LFSR3(TK3[2]);
- skinny128_LFSR3(TK3[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_inv_permute_tk(TK3);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
- skinny128_LFSR2(TK3[2]);
- skinny128_LFSR2(TK3[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
- TK2[0] = le_load_word32(tk2);
- TK2[1] = le_load_word32(tk2 + 4);
- TK2[2] = le_load_word32(tk2 + 8);
- TK2[3] = le_load_word32(tk2 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0] ^ TK2[0];
- s1 ^= schedule[1] ^ TK1[1] ^ TK2[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK3);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t temp;
- unsigned round;
- uint8_t rc = 0;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakey */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1, TK2, and TK3 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
-#else
- /* Set the initial states of TK1 and TK2 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Set up the key schedule using TK2. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ (rc >> 4);
-
- /* Permute TK2 for the next round */
- skinny128_permute_tk(TK2);
-
- /* Apply the LFSR to TK2 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-#endif
-}
-
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0x09;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1.
- * There is no need to fast-forward TK1 because the value at
- * the end of the key schedule is the same as at the start */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_encrypt_tk_full
- (const unsigned char key[32], unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
- uint32_t temp;
- unsigned round;
- uint8_t rc = 0;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakey */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-#else /* __AVR__ */
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- memcpy(ks->TK2, tk2, 16);
- skinny_128_384_encrypt(ks, output, input);
-}
-
-#endif /* __AVR__ */
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-skinny128.h
deleted file mode 100644
index 2bfda3c..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-skinny128.h
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNY128_H
-#define LW_INTERNAL_SKINNY128_H
-
-/**
- * \file internal-skinny128.h
- * \brief SKINNY-128 block cipher family.
- *
- * References: https://eprint.iacr.org/2016/660.pdf,
- * https://sites.google.com/site/skinnycipher/
- */
-
-#include
-#include
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \def SKINNY_128_SMALL_SCHEDULE
- * \brief Defined to 1 to use the small key schedule version of SKINNY-128.
- */
-#if defined(__AVR__)
-#define SKINNY_128_SMALL_SCHEDULE 1
-#else
-#define SKINNY_128_SMALL_SCHEDULE 0
-#endif
-
-/**
- * \brief Size of a block for SKINNY-128 block ciphers.
- */
-#define SKINNY_128_BLOCK_SIZE 16
-
-/**
- * \brief Number of rounds for SKINNY-128-384.
- */
-#define SKINNY_128_384_ROUNDS 56
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-384.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-
- /** TK3 for the small key schedule */
- uint8_t TK3[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_384_ROUNDS * 2];
-#endif
-
-} skinny_128_384_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-384.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly
- * provided TK2 value.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tk2 TK2 value that should be updated on the fly.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when both TK1 and TK2 change from block to block.
- * When the key is initialized with skinny_128_384_init(), the TK2 part of
- * the key value should be set to zero.
- *
- * \note Some versions of this function may modify the key schedule to
- * copy tk2 into place.
- */
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 384-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-384 but
- * more memory-efficient.
- */
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Number of rounds for SKINNY-128-256.
- */
-#define SKINNY_128_256_ROUNDS 48
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-256.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_256_ROUNDS * 2];
-#endif
-
-} skinny_128_256_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-256.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 256-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-256 but
- * more memory-efficient.
- */
-void skinny_128_256_encrypt_tk_full
- (const unsigned char key[32], unsigned char *output,
- const unsigned char *input);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-skinnyutil.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-skinnyutil.h
deleted file mode 100644
index 83136cb..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-skinnyutil.h
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNYUTIL_H
-#define LW_INTERNAL_SKINNYUTIL_H
-
-/**
- * \file internal-skinnyutil.h
- * \brief Utilities to help implement SKINNY and its variants.
- */
-
-#include "internal-util.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** @cond skinnyutil */
-
-/* Utilities for implementing SKINNY-128 */
-
-#define skinny128_LFSR2(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \
- (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \
- } while (0)
-
-
-#define skinny128_LFSR3(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \
- (((_x << 7) ^ (_x << 1)) & 0x80808080U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x)
-#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x)
-
-#define skinny128_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint32_t row2 = tk[2]; \
- uint32_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 16) | (row3 >> 16); \
- tk[0] = ((row2 >> 8) & 0x000000FFU) | \
- ((row2 << 16) & 0x00FF0000U) | \
- ( row3 & 0xFF00FF00U); \
- tk[1] = ((row2 >> 16) & 0x000000FFU) | \
- (row2 & 0xFF000000U) | \
- ((row3 << 8) & 0x0000FF00U) | \
- ( row3 & 0x00FF0000U); \
- } while (0)
-
-#define skinny128_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint32_t row0 = tk[0]; \
- uint32_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 >> 16) & 0x000000FFU) | \
- ((row0 << 8) & 0x0000FF00U) | \
- ((row1 << 16) & 0x00FF0000U) | \
- ( row1 & 0xFF000000U); \
- tk[3] = ((row0 >> 16) & 0x0000FF00U) | \
- ((row0 << 16) & 0xFF000000U) | \
- ((row1 >> 16) & 0x000000FFU) | \
- ((row1 << 8) & 0x00FF0000U); \
- } while (0)
-
-/*
- * Apply the SKINNY sbox. The original version from the specification is
- * equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE(x)
- * ((((x) & 0x01010101U) << 2) |
- * (((x) & 0x06060606U) << 5) |
- * (((x) & 0x20202020U) >> 5) |
- * (((x) & 0xC8C8C8C8U) >> 2) |
- * (((x) & 0x10101010U) >> 1))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE(x);
- * x = SBOX_MIX(x);
- * return SBOX_SWAP(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \
- y = (((x >> 5) & (x << 1)) & 0x04040404U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \
- x = ((x & 0x08080808U) << 1) | \
- ((x & 0x32323232U) << 2) | \
- ((x & 0x01010101U) << 5) | \
- ((x & 0x80808080U) >> 6) | \
- ((x & 0x40404040U) >> 4) | \
- ((x & 0x04040404U) >> 2); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
- * #define SBOX_SWAP(x)
- * (((x) & 0xF9F9F9F9U) |
- * (((x) >> 1) & 0x02020202U) |
- * (((x) << 1) & 0x04040404U))
- * #define SBOX_PERMUTE_INV(x)
- * ((((x) & 0x08080808U) << 1) |
- * (((x) & 0x32323232U) << 2) |
- * (((x) & 0x01010101U) << 5) |
- * (((x) & 0xC0C0C0C0U) >> 5) |
- * (((x) & 0x04040404U) >> 2))
- *
- * x = SBOX_SWAP(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_PERMUTE_INV(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one
- * final permuatation. This reduces the number of shift operations.
- */
-#define skinny128_inv_sbox(x) \
-do { \
- uint32_t y; \
- \
- /* Mix the bits */ \
- x = ~x; \
- y = (((x >> 1) & (x >> 3)) & 0x01010101U); \
- x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \
- y = (((x >> 6) & (x >> 1)) & 0x02020202U); \
- x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
- y = (((x << 2) & (x << 1)) & 0x80808080U); \
- x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \
- y = (((x << 5) & (x << 1)) & 0x20202020U); \
- x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \
- x = ~x; \
- \
- /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
- /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \
- x = ((x & 0x01010101U) << 2) | \
- ((x & 0x04040404U) << 4) | \
- ((x & 0x02020202U) << 6) | \
- ((x & 0x20202020U) >> 5) | \
- ((x & 0xC8C8C8C8U) >> 2) | \
- ((x & 0x10101010U) >> 1); \
-} while (0)
-
-/* Utilities for implementing SKINNY-64 */
-
-#define skinny64_LFSR2(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \
- } while (0)
-
-#define skinny64_LFSR3(x) \
- do { \
- uint16_t _x = (x); \
- (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x)
-#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x)
-
-#define skinny64_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint16_t row2 = tk[2]; \
- uint16_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 8) | (row3 >> 8); \
- tk[0] = ((row2 << 4) & 0xF000U) | \
- ((row2 >> 8) & 0x00F0U) | \
- ( row3 & 0x0F0FU); \
- tk[1] = ((row2 << 8) & 0xF000U) | \
- ((row3 >> 4) & 0x0F00U) | \
- ( row3 & 0x00F0U) | \
- ( row2 & 0x000FU); \
- } while (0)
-
-#define skinny64_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint16_t row0 = tk[0]; \
- uint16_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 << 8) & 0xF000U) | \
- ((row0 >> 4) & 0x0F00U) | \
- ((row1 >> 8) & 0x00F0U) | \
- ( row1 & 0x000FU); \
- tk[3] = ((row1 << 8) & 0xF000U) | \
- ((row0 << 8) & 0x0F00U) | \
- ((row1 >> 4) & 0x00F0U) | \
- ((row0 >> 8) & 0x000FU); \
- } while (0)
-
-/*
- * Apply the SKINNY-64 sbox. The original version from the
- * specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT(x)
- * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT(x);
- * return SBOX_MIX(x);
- *
- * However, we can mix the bits in their original positions and then
- * delay the SBOX_SHIFT steps to be performed with one final rotation.
- * This reduces the number of required shift operations from 14 to 10.
- *
- * We can further reduce the number of NOT operations from 4 to 2
- * using the technique from https://github.com/kste/skinny_avx to
- * convert NOR-XOR operations into AND-XOR operations by converting
- * the S-box into its NOT-inverse.
- */
-#define skinny64_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \
- x = ~x; \
- x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY-64 sbox. The original version
- * from the specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT_INV(x)
- * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * return SBOX_MIX(x);
- */
-#define skinny64_inv_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = ~x; \
- x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \
-} while (0)
-
-/** @endcond */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) |
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/skinny-aead.c
deleted file mode 100644
index 7558527..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/skinny-aead.c
+++ /dev/null
@@ -1,804 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "skinny-aead.h"
-#include "internal-skinny128.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const skinny_aead_m1_cipher = {
- "SKINNY-AEAD-M1",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M1_NONCE_SIZE,
- SKINNY_AEAD_M1_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m1_encrypt,
- skinny_aead_m1_decrypt
-};
-
-aead_cipher_t const skinny_aead_m2_cipher = {
- "SKINNY-AEAD-M2",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M2_NONCE_SIZE,
- SKINNY_AEAD_M2_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m2_encrypt,
- skinny_aead_m2_decrypt
-};
-
-aead_cipher_t const skinny_aead_m3_cipher = {
- "SKINNY-AEAD-M3",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M3_NONCE_SIZE,
- SKINNY_AEAD_M3_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m3_encrypt,
- skinny_aead_m3_decrypt
-};
-
-aead_cipher_t const skinny_aead_m4_cipher = {
- "SKINNY-AEAD-M4",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M4_NONCE_SIZE,
- SKINNY_AEAD_M4_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m4_encrypt,
- skinny_aead_m4_decrypt
-};
-
-aead_cipher_t const skinny_aead_m5_cipher = {
- "SKINNY-AEAD-M5",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M5_NONCE_SIZE,
- SKINNY_AEAD_M5_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m5_encrypt,
- skinny_aead_m5_decrypt
-};
-
-aead_cipher_t const skinny_aead_m6_cipher = {
- "SKINNY-AEAD-M6",
- SKINNY_AEAD_KEY_SIZE,
- SKINNY_AEAD_M6_NONCE_SIZE,
- SKINNY_AEAD_M6_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- skinny_aead_m6_encrypt,
- skinny_aead_m6_decrypt
-};
-
-/* Domain separator prefixes for all of the SKINNY-AEAD family members */
-#define DOMAIN_SEP_M1 0x00
-#define DOMAIN_SEP_M2 0x10
-#define DOMAIN_SEP_M3 0x08
-#define DOMAIN_SEP_M4 0x18
-#define DOMAIN_SEP_M5 0x10
-#define DOMAIN_SEP_M6 0x18
-
-/**
- * \brief Initialize the key and nonce for SKINNY-128-384 based AEAD schemes.
- *
- * \param ks The key schedule to initialize.
- * \param key Points to the 16 bytes of the key.
- * \param nonce Points to the nonce.
- * \param nonce_len Length of the nonce in bytes.
- */
-static void skinny_aead_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char *key,
- const unsigned char *nonce, unsigned nonce_len)
-{
- unsigned char k[48];
- memset(k, 0, 16);
- memcpy(k + 16, nonce, nonce_len);
- memset(k + 16 + nonce_len, 0, 16 - nonce_len);
- memcpy(k + 32, key, 16);
- skinny_128_384_init(ks, k);
-}
-
-/**
- * \brief Set the domain separation value in the tweak for SKINNY-128-384.
- *
- * \param ks Key schedule for the block cipher.
- * \param d Domain separation value to write into the tweak.
- */
-#define skinny_aead_128_384_set_domain(ks,d) ((ks)->TK1[15] = (d))
-
-/**
- * \brief Sets the LFSR field in the tweak for SKINNY-128-384.
- *
- * \param ks Key schedule for the block cipher.
- * \param lfsr 64-bit LFSR value.
- */
-#define skinny_aead_128_384_set_lfsr(ks,lfsr) le_store_word64((ks)->TK1, (lfsr))
-
-/**
- * \brief Updates the LFSR value for SKINNY-128-384.
- *
- * \param lfsr 64-bit LFSR value to be updated.
- */
-#define skinny_aead_128_384_update_lfsr(lfsr) \
- do { \
- uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \
- (lfsr) = ((lfsr) << 1) ^ feedback; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for a SKINNY-128-384 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param tag Final tag to XOR the authentication checksum into.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void skinny_aead_128_384_authenticate
- (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
- unsigned char tag[SKINNY_128_BLOCK_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint64_t lfsr = 1;
- skinny_aead_128_384_set_domain(ks, prefix | 2);
- while (adlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_128_384_encrypt(ks, block, ad);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- ad += SKINNY_128_BLOCK_SIZE;
- adlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_384_update_lfsr(lfsr);
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_aead_128_384_set_domain(ks, prefix | 3);
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1);
- skinny_128_384_encrypt(ks, block, block);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- }
-}
-
-/**
- * \brief Encrypts the plaintext for a SKINNY-128-384 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the plaintext buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void skinny_aead_128_384_encrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint64_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_384_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- skinny_128_384_encrypt(ks, c, m);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_384_update_lfsr(lfsr);
- }
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_384_set_domain(ks, prefix | 1);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_384_encrypt(ks, block, block);
- lw_xor_block_2_src(c, block, m, temp);
- skinny_aead_128_384_update_lfsr(lfsr);
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_aead_128_384_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_384_set_domain(ks, prefix | 4);
- }
- skinny_128_384_encrypt(ks, sum, sum);
-}
-
-/**
- * \brief Decrypts the ciphertext for a SKINNY-128-384 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the ciphertext buffer.
- * \param mlen Number of bytes of ciphertext to be decrypted.
- */
-static void skinny_aead_128_384_decrypt
- (skinny_128_384_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m,
- const unsigned char *c, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint64_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_384_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_128_384_decrypt(ks, m, c);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_384_update_lfsr(lfsr);
- }
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_384_set_domain(ks, prefix | 1);
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_384_encrypt(ks, block, block);
- lw_xor_block_2_src(m, block, c, temp);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- skinny_aead_128_384_update_lfsr(lfsr);
- skinny_aead_128_384_set_lfsr(ks, lfsr);
- skinny_aead_128_384_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_384_set_domain(ks, prefix | 4);
- }
- skinny_128_384_encrypt(ks, sum, sum);
-}
-
-int skinny_aead_m1_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M1_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M1, sum, c, m, mlen);
-
- /* Process the associated data */
-
skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M1_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m1_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M1_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M1_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M1_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M1, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M1, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M1_TAG_SIZE);
-}
-
-int skinny_aead_m2_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M2_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M2, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad,
adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M2_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m2_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M2_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M2_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M2_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M2, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M2, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M2_TAG_SIZE);
-}
-
-int skinny_aead_m3_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M3_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M3, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c +
mlen, sum, SKINNY_AEAD_M3_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m3_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M3_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M3_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M3_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M3, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M3, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M3_TAG_SIZE);
-}
-
-int skinny_aead_m4_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M4_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_384_encrypt(&ks, DOMAIN_SEP_M4, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M4_TAG_SIZE);
- return 0;
-}
-
-int
skinny_aead_m4_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_384_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M4_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M4_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_384_init(&ks, k, npub, SKINNY_AEAD_M4_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_384_decrypt(&ks, DOMAIN_SEP_M4, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_384_authenticate(&ks, DOMAIN_SEP_M4, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M4_TAG_SIZE);
-}
-
-/**
- * \brief Initialize the key and nonce for SKINNY-128-256 based AEAD schemes.
- *
- * \param ks The key schedule to initialize.
- * \param key Points to the 16 bytes of the key.
- * \param nonce Points to the nonce.
- * \param nonce_len Length of the nonce in bytes.
- */
-static void skinny_aead_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char *key,
- const unsigned char *nonce, unsigned nonce_len)
-{
- unsigned char k[32];
- memset(k, 0, 16 - nonce_len);
- memcpy(k + 16 - nonce_len, nonce, nonce_len);
- memcpy(k + 16, key, 16);
- skinny_128_256_init(ks, k);
-}
-
-/**
- * \brief Set the domain separation value in the tweak for SKINNY-128-256.
- *
- * \param ks Key schedule for the block cipher.
- * \param d Domain separation value to write into the tweak.
- */
-#define skinny_aead_128_256_set_domain(ks,d) ((ks)->TK1[3] = (d))
-
-/**
- * \brief Sets the LFSR field in the tweak for SKINNY-128-256.
- *
- * \param ks Key schedule for the block cipher.
- * \param lfsr 24-bit LFSR value.
- */
-#define skinny_aead_128_256_set_lfsr(ks,lfsr) \
- do { \
- (ks)->TK1[0] = (uint8_t)(lfsr); \
- (ks)->TK1[1] = (uint8_t)((lfsr) >> 8); \
- (ks)->TK1[2] = (uint8_t)((lfsr) >> 16); \
- } while (0)
-
-/**
- * \brief Updates the LFSR value for SKINNY-128-256.
- *
- * \param lfsr 24-bit LFSR value to be updated.
- */
-#define skinny_aead_128_256_update_lfsr(lfsr) \
- do { \
- uint32_t feedback = ((lfsr) & (((uint32_t)1) << 23)) ? 0x1B : 0x00; \
- (lfsr) = ((lfsr) << 1) ^ (feedback); \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for a SKINNY-128-256 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param tag Final tag to XOR the authentication checksum into.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void skinny_aead_128_256_authenticate
- (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
- unsigned char tag[SKINNY_128_BLOCK_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint32_t lfsr = 1;
- skinny_aead_128_256_set_domain(ks, prefix | 2);
- while (adlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_128_256_encrypt(ks, block, ad);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- ad += SKINNY_128_BLOCK_SIZE;
- adlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_256_update_lfsr(lfsr);
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_aead_128_256_set_domain(ks, prefix | 3);
- memcpy(block, ad, temp);
- block[temp] = 0x80;
- memset(block + temp + 1, 0, SKINNY_128_BLOCK_SIZE - temp - 1);
- skinny_128_256_encrypt(ks, block, block);
- lw_xor_block(tag, block, SKINNY_128_BLOCK_SIZE);
- }
-}
-
-/**
- * \brief Encrypts the plaintext for a SKINNY-128-256 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param c Points to the buffer to receive the ciphertext.
- * \param m Points to the plaintext buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void skinny_aead_128_256_encrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint32_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_256_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- skinny_128_256_encrypt(ks, c, m);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_256_update_lfsr(lfsr);
- }
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_256_set_domain(ks, prefix | 1);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_256_encrypt(ks, block, block);
- lw_xor_block_2_src(c, block, m, temp);
- skinny_aead_128_256_update_lfsr(lfsr);
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_aead_128_256_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_256_set_domain(ks, prefix | 4);
- }
- skinny_128_256_encrypt(ks, sum, sum);
-}
-
-/**
- * \brief Decrypts the ciphertext for a SKINNY-128-256 based AEAD.
- *
- * \param ks The key schedule to use.
- * \param prefix Domain separation prefix for the family member.
- * \param sum Authenticated checksum over the plaintext.
- * \param m Points to the buffer to receive the plaintext.
- * \param c Points to the ciphertext buffer.
- * \param mlen Number of bytes of ciphertext to be decrypted.
- */
-static void skinny_aead_128_256_decrypt
- (skinny_128_256_key_schedule_t *ks, unsigned char prefix,
- unsigned char sum[SKINNY_128_BLOCK_SIZE], unsigned char *m,
- const unsigned char *c, unsigned long long mlen)
-{
- unsigned char block[SKINNY_128_BLOCK_SIZE];
- uint32_t lfsr = 1;
- memset(sum, 0, SKINNY_128_BLOCK_SIZE);
- skinny_aead_128_256_set_domain(ks, prefix | 0);
- while (mlen >= SKINNY_128_BLOCK_SIZE) {
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_128_256_decrypt(ks, m, c);
- lw_xor_block(sum, m, SKINNY_128_BLOCK_SIZE);
- c += SKINNY_128_BLOCK_SIZE;
- m += SKINNY_128_BLOCK_SIZE;
- mlen -= SKINNY_128_BLOCK_SIZE;
- skinny_aead_128_256_update_lfsr(lfsr);
- }
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- skinny_aead_128_256_set_domain(ks, prefix | 1);
- memset(block, 0, SKINNY_128_BLOCK_SIZE);
- skinny_128_256_encrypt(ks, block, block);
- lw_xor_block_2_src(m, block, c, temp);
- lw_xor_block(sum, m, temp);
- sum[temp] ^= 0x80;
- skinny_aead_128_256_update_lfsr(lfsr);
- skinny_aead_128_256_set_lfsr(ks, lfsr);
- skinny_aead_128_256_set_domain(ks, prefix | 5);
- } else {
- skinny_aead_128_256_set_domain(ks, prefix | 4);
- }
- skinny_128_256_encrypt(ks, sum, sum);
-}
-
-int skinny_aead_m5_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M5_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M5, sum, c, m, mlen);
-
- /* Process the associated data */
-
skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M5_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m5_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M5_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M5_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M5_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M5, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M5, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M5_TAG_SIZE);
-}
-
-int skinny_aead_m6_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SKINNY_AEAD_M6_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE);
-
- /* Encrypt to plaintext to produce the ciphertext */
- skinny_aead_128_256_encrypt(&ks, DOMAIN_SEP_M6, sum, c, m, mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad,
adlen);
-
- /* Generate the authentication tag */
- memcpy(c + mlen, sum, SKINNY_AEAD_M6_TAG_SIZE);
- return 0;
-}
-
-int skinny_aead_m6_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- skinny_128_256_key_schedule_t ks;
- unsigned char sum[SKINNY_128_BLOCK_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SKINNY_AEAD_M6_TAG_SIZE)
- return -1;
- *mlen = clen - SKINNY_AEAD_M6_TAG_SIZE;
-
- /* Set up the key schedule with the key and the nonce */
- skinny_aead_128_256_init(&ks, k, npub, SKINNY_AEAD_M6_NONCE_SIZE);
-
- /* Decrypt to ciphertext to produce the plaintext */
- skinny_aead_128_256_decrypt(&ks, DOMAIN_SEP_M6, sum, m, c, *mlen);
-
- /* Process the associated data */
- skinny_aead_128_256_authenticate(&ks, DOMAIN_SEP_M6, sum, ad, adlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, sum, c + *mlen, SKINNY_AEAD_M6_TAG_SIZE);
-}
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/skinny-aead.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/skinny-aead.h
deleted file mode 100644
index c6b54fb..0000000
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys-avr/skinny-aead.h
+++ /dev/null
@@ -1,518 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SKINNY_AEAD_H
-#define LWCRYPTO_SKINNY_AEAD_H
-
-#include "aead-common.h"
-
-/**
- * \file skinny-aead.h
- * \brief Authenticated encryption based on the SKINNY block cipher.
- *
- * SKINNY-AEAD is a family of authenticated encryption algorithms
- * that are built around the SKINNY tweakable block cipher. There
- * are six members in the family:
- *
- * \li SKINNY-AEAD-M1 has a 128-bit key, a 128-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher. This is the
- * primary member of the family.
- * \li SKINNY-AEAD-M2 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M3 has a 128-bit key, a 128-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M4 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-384 tweakable block cipher.
- * \li SKINNY-AEAD-M5 has a 128-bit key, a 96-bit nonce, and a 128-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- * \li SKINNY-AEAD-M6 has a 128-bit key, a 96-bit nonce, and a 64-bit tag,
- * based around the SKINNY-128-256 tweakable block cipher.
- *
- * The SKINNY-AEAD family also includes two hash algorithms:
- *
- * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the
- * SKINNY-128-384 tweakable block cipher. This is the primary hashing
- * member of the family.
- * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the
- * SKINNY-128-256 tweakable block cipher.
- *
- * References: https://sites.google.com/site/skinnycipher/home
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for all SKINNY-AEAD family members.
- */
-#define SKINNY_AEAD_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M1.
- */
-#define SKINNY_AEAD_M1_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M1.
- */
-#define SKINNY_AEAD_M1_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M2.
- */
-#define SKINNY_AEAD_M2_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M2.
- */
-#define SKINNY_AEAD_M2_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M3.
- */
-#define SKINNY_AEAD_M3_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M3.
- */
-#define SKINNY_AEAD_M3_NONCE_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M4.
- */
-#define SKINNY_AEAD_M4_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M4.
- */
-#define SKINNY_AEAD_M4_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M5.
- */
-#define SKINNY_AEAD_M5_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M5.
- */
-#define SKINNY_AEAD_M5_NONCE_SIZE 12
-
-/**
- * \brief Size of the authentication tag for SKINNY-AEAD-M6.
- */
-#define SKINNY_AEAD_M6_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for SKINNY-AEAD-M6.
- */
-#define SKINNY_AEAD_M6_NONCE_SIZE 12
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M1 cipher.
- */
-extern aead_cipher_t const skinny_aead_m1_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M2 cipher.
- */
-extern aead_cipher_t const skinny_aead_m2_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M3 cipher.
- */
-extern aead_cipher_t const skinny_aead_m3_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M4 cipher.
- */
-extern aead_cipher_t const skinny_aead_m4_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M5 cipher.
- */
-extern aead_cipher_t const skinny_aead_m5_cipher;
-
-/**
- * \brief Meta-information block for the SKINNY-AEAD-M6 cipher.
- */
-extern aead_cipher_t const skinny_aead_m6_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M1.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m1_decrypt()
- */
-int skinny_aead_m1_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M1.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m1_encrypt()
- */
-int skinny_aead_m1_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M2.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m2_decrypt()
- */
-int skinny_aead_m2_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M2.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m2_encrypt()
- */
-int skinny_aead_m2_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M3.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m3_decrypt()
- */
-int skinny_aead_m3_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M3.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m3_encrypt()
- */
-int skinny_aead_m3_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M4.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m4_decrypt()
- */
-int skinny_aead_m4_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M4.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m4_encrypt()
- */
-int skinny_aead_m4_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M5.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m5_decrypt()
- */
-int skinny_aead_m5_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M5.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m5_encrypt()
- */
-int skinny_aead_m5_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SKINNY-AEAD-M6.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa skinny_aead_m6_decrypt()
- */
-int skinny_aead_m6_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SKINNY-AEAD-M6.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 12 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa skinny_aead_m6_encrypt()
- */
-int skinny_aead_m6_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128-avr.S b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128-avr.S
new file mode 100644
index 0000000..d342cd5
--- /dev/null
+++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128-avr.S
@@ -0,0 +1,10099 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 256 +table_0: + .byte 101 + .byte 76 + .byte 106 + .byte 66 + .byte 75 + .byte 99 + .byte 67 + .byte 107 + .byte 85 + .byte 117 + .byte 90 + .byte 122 + .byte 83 + .byte 115 + .byte 91 + .byte 123 + .byte 53 + .byte 140 + .byte 58 + .byte 129 + .byte 137 + .byte 51 + .byte 128 + .byte 59 + .byte 149 + .byte 37 + .byte 152 + .byte 42 + .byte 144 + .byte 35 + .byte 153 + .byte 43 + .byte 229 + .byte 204 + .byte 232 + .byte 193 + .byte 201 + .byte 224 + .byte 192 + .byte 233 + .byte 213 + .byte 245 + .byte 216 + .byte 248 + .byte 208 + .byte 240 + .byte 217 + .byte 249 + .byte 165 + .byte 28 + .byte 168 + .byte 18 + .byte 27 + .byte 160 + .byte 19 + .byte 169 + .byte 5 + .byte 181 + .byte 10 + .byte 184 + .byte 3 + .byte 176 + .byte 11 + .byte 185 + .byte 50 + .byte 136 + .byte 60 + .byte 133 + .byte 141 + .byte 52 + .byte 132 + .byte 61 + .byte 145 + .byte 34 + .byte 156 + .byte 44 + .byte 148 + .byte 36 + .byte 157 + .byte 45 + .byte 98 + .byte 74 + .byte 108 + .byte 69 + .byte 77 + .byte 100 + .byte 68 + .byte 109 + .byte 82 + .byte 114 + .byte 92 + .byte 124 + .byte 84 + .byte 116 + .byte 93 + .byte 125 + .byte 161 + .byte 26 + .byte 172 + .byte 21 + .byte 29 + .byte 164 + .byte 20 + .byte 173 + .byte 2 + .byte 177 + .byte 12 + .byte 188 + .byte 4 + .byte 180 + .byte 13 + .byte 189 + .byte 225 + .byte 200 + .byte 236 + .byte 197 + .byte 205 + .byte 228 + .byte 196 + .byte 237 + .byte 209 + .byte 241 + .byte 220 + .byte 252 + .byte 212 + .byte 244 + .byte 221 + .byte 253 + .byte 54 + .byte 142 + .byte 56 + .byte 130 + .byte 139 + .byte 48 + .byte 131 + .byte 57 + .byte 150 + .byte 38 + .byte 154 + .byte 40 + .byte 147 + .byte 32 + .byte 155 + .byte 41 + .byte 102 + .byte 78 + .byte 104 + .byte 65 + .byte 73 + .byte 96 + .byte 64 + .byte 105 + .byte 86 + .byte 118 + .byte 88 + 
.byte 120 + .byte 80 + .byte 112 + .byte 89 + .byte 121 + .byte 166 + .byte 30 + .byte 170 + .byte 17 + .byte 25 + .byte 163 + .byte 16 + .byte 171 + .byte 6 + .byte 182 + .byte 8 + .byte 186 + .byte 0 + .byte 179 + .byte 9 + .byte 187 + .byte 230 + .byte 206 + .byte 234 + .byte 194 + .byte 203 + .byte 227 + .byte 195 + .byte 235 + .byte 214 + .byte 246 + .byte 218 + .byte 250 + .byte 211 + .byte 243 + .byte 219 + .byte 251 + .byte 49 + .byte 138 + .byte 62 + .byte 134 + .byte 143 + .byte 55 + .byte 135 + .byte 63 + .byte 146 + .byte 33 + .byte 158 + .byte 46 + .byte 151 + .byte 39 + .byte 159 + .byte 47 + .byte 97 + .byte 72 + .byte 110 + .byte 70 + .byte 79 + .byte 103 + .byte 71 + .byte 111 + .byte 81 + .byte 113 + .byte 94 + .byte 126 + .byte 87 + .byte 119 + .byte 95 + .byte 127 + .byte 162 + .byte 24 + .byte 174 + .byte 22 + .byte 31 + .byte 167 + .byte 23 + .byte 175 + .byte 1 + .byte 178 + .byte 14 + .byte 190 + .byte 7 + .byte 183 + .byte 15 + .byte 191 + .byte 226 + .byte 202 + .byte 238 + .byte 198 + .byte 207 + .byte 231 + .byte 199 + .byte 239 + .byte 210 + .byte 242 + .byte 222 + .byte 254 + .byte 215 + .byte 247 + .byte 223 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 256 +table_1: + .byte 172 + .byte 232 + .byte 104 + .byte 60 + .byte 108 + .byte 56 + .byte 168 + .byte 236 + .byte 170 + .byte 174 + .byte 58 + .byte 62 + .byte 106 + .byte 110 + .byte 234 + .byte 238 + .byte 166 + .byte 163 + .byte 51 + .byte 54 + .byte 102 + .byte 99 + .byte 227 + .byte 230 + .byte 225 + .byte 164 + .byte 97 + .byte 52 + .byte 49 + .byte 100 + .byte 161 + .byte 228 + .byte 141 + .byte 201 + .byte 73 + .byte 29 + .byte 77 + .byte 25 + .byte 137 + .byte 205 + .byte 139 + .byte 143 + .byte 27 + .byte 31 + .byte 75 + .byte 79 + .byte 203 + .byte 207 + .byte 133 + .byte 192 + .byte 64 + .byte 21 + .byte 69 + .byte 16 + .byte 128 + .byte 197 + .byte 130 + .byte 135 + .byte 18 + .byte 23 + .byte 66 + .byte 71 + 
.byte 194 + .byte 199 + .byte 150 + .byte 147 + .byte 3 + .byte 6 + .byte 86 + .byte 83 + .byte 211 + .byte 214 + .byte 209 + .byte 148 + .byte 81 + .byte 4 + .byte 1 + .byte 84 + .byte 145 + .byte 212 + .byte 156 + .byte 216 + .byte 88 + .byte 12 + .byte 92 + .byte 8 + .byte 152 + .byte 220 + .byte 154 + .byte 158 + .byte 10 + .byte 14 + .byte 90 + .byte 94 + .byte 218 + .byte 222 + .byte 149 + .byte 208 + .byte 80 + .byte 5 + .byte 85 + .byte 0 + .byte 144 + .byte 213 + .byte 146 + .byte 151 + .byte 2 + .byte 7 + .byte 82 + .byte 87 + .byte 210 + .byte 215 + .byte 157 + .byte 217 + .byte 89 + .byte 13 + .byte 93 + .byte 9 + .byte 153 + .byte 221 + .byte 155 + .byte 159 + .byte 11 + .byte 15 + .byte 91 + .byte 95 + .byte 219 + .byte 223 + .byte 22 + .byte 19 + .byte 131 + .byte 134 + .byte 70 + .byte 67 + .byte 195 + .byte 198 + .byte 65 + .byte 20 + .byte 193 + .byte 132 + .byte 17 + .byte 68 + .byte 129 + .byte 196 + .byte 28 + .byte 72 + .byte 200 + .byte 140 + .byte 76 + .byte 24 + .byte 136 + .byte 204 + .byte 26 + .byte 30 + .byte 138 + .byte 142 + .byte 74 + .byte 78 + .byte 202 + .byte 206 + .byte 53 + .byte 96 + .byte 224 + .byte 165 + .byte 101 + .byte 48 + .byte 160 + .byte 229 + .byte 50 + .byte 55 + .byte 162 + .byte 167 + .byte 98 + .byte 103 + .byte 226 + .byte 231 + .byte 61 + .byte 105 + .byte 233 + .byte 173 + .byte 109 + .byte 57 + .byte 169 + .byte 237 + .byte 59 + .byte 63 + .byte 171 + .byte 175 + .byte 107 + .byte 111 + .byte 235 + .byte 239 + .byte 38 + .byte 35 + .byte 179 + .byte 182 + .byte 118 + .byte 115 + .byte 243 + .byte 246 + .byte 113 + .byte 36 + .byte 241 + .byte 180 + .byte 33 + .byte 116 + .byte 177 + .byte 244 + .byte 44 + .byte 120 + .byte 248 + .byte 188 + .byte 124 + .byte 40 + .byte 184 + .byte 252 + .byte 42 + .byte 46 + .byte 186 + .byte 190 + .byte 122 + .byte 126 + .byte 250 + .byte 254 + .byte 37 + .byte 112 + .byte 240 + .byte 181 + .byte 117 + .byte 32 + .byte 176 + .byte 245 + .byte 34 + .byte 39 + .byte 178 + 
.byte 183 + .byte 114 + .byte 119 + .byte 242 + .byte 247 + .byte 45 + .byte 121 + .byte 249 + .byte 189 + .byte 125 + .byte 41 + .byte 185 + .byte 253 + .byte 43 + .byte 47 + .byte 187 + .byte 191 + .byte 123 + .byte 127 + .byte 251 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_2, @object + .size table_2, 256 +table_2: + .byte 0 + .byte 2 + .byte 4 + .byte 6 + .byte 8 + .byte 10 + .byte 12 + .byte 14 + .byte 16 + .byte 18 + .byte 20 + .byte 22 + .byte 24 + .byte 26 + .byte 28 + .byte 30 + .byte 32 + .byte 34 + .byte 36 + .byte 38 + .byte 40 + .byte 42 + .byte 44 + .byte 46 + .byte 48 + .byte 50 + .byte 52 + .byte 54 + .byte 56 + .byte 58 + .byte 60 + .byte 62 + .byte 65 + .byte 67 + .byte 69 + .byte 71 + .byte 73 + .byte 75 + .byte 77 + .byte 79 + .byte 81 + .byte 83 + .byte 85 + .byte 87 + .byte 89 + .byte 91 + .byte 93 + .byte 95 + .byte 97 + .byte 99 + .byte 101 + .byte 103 + .byte 105 + .byte 107 + .byte 109 + .byte 111 + .byte 113 + .byte 115 + .byte 117 + .byte 119 + .byte 121 + .byte 123 + .byte 125 + .byte 127 + .byte 128 + .byte 130 + .byte 132 + .byte 134 + .byte 136 + .byte 138 + .byte 140 + .byte 142 + .byte 144 + .byte 146 + .byte 148 + .byte 150 + .byte 152 + .byte 154 + .byte 156 + .byte 158 + .byte 160 + .byte 162 + .byte 164 + .byte 166 + .byte 168 + .byte 170 + .byte 172 + .byte 174 + .byte 176 + .byte 178 + .byte 180 + .byte 182 + .byte 184 + .byte 186 + .byte 188 + .byte 190 + .byte 193 + .byte 195 + .byte 197 + .byte 199 + .byte 201 + .byte 203 + .byte 205 + .byte 207 + .byte 209 + .byte 211 + .byte 213 + .byte 215 + .byte 217 + .byte 219 + .byte 221 + .byte 223 + .byte 225 + .byte 227 + .byte 229 + .byte 231 + .byte 233 + .byte 235 + .byte 237 + .byte 239 + .byte 241 + .byte 243 + .byte 245 + .byte 247 + .byte 249 + .byte 251 + .byte 253 + .byte 255 + .byte 1 + .byte 3 + .byte 5 + .byte 7 + .byte 9 + .byte 11 + .byte 13 + .byte 15 + .byte 17 + .byte 19 + .byte 21 + .byte 23 + .byte 25 + .byte 27 + .byte 29 + 
.byte 31 + .byte 33 + .byte 35 + .byte 37 + .byte 39 + .byte 41 + .byte 43 + .byte 45 + .byte 47 + .byte 49 + .byte 51 + .byte 53 + .byte 55 + .byte 57 + .byte 59 + .byte 61 + .byte 63 + .byte 64 + .byte 66 + .byte 68 + .byte 70 + .byte 72 + .byte 74 + .byte 76 + .byte 78 + .byte 80 + .byte 82 + .byte 84 + .byte 86 + .byte 88 + .byte 90 + .byte 92 + .byte 94 + .byte 96 + .byte 98 + .byte 100 + .byte 102 + .byte 104 + .byte 106 + .byte 108 + .byte 110 + .byte 112 + .byte 114 + .byte 116 + .byte 118 + .byte 120 + .byte 122 + .byte 124 + .byte 126 + .byte 129 + .byte 131 + .byte 133 + .byte 135 + .byte 137 + .byte 139 + .byte 141 + .byte 143 + .byte 145 + .byte 147 + .byte 149 + .byte 151 + .byte 153 + .byte 155 + .byte 157 + .byte 159 + .byte 161 + .byte 163 + .byte 165 + .byte 167 + .byte 169 + .byte 171 + .byte 173 + .byte 175 + .byte 177 + .byte 179 + .byte 181 + .byte 183 + .byte 185 + .byte 187 + .byte 189 + .byte 191 + .byte 192 + .byte 194 + .byte 196 + .byte 198 + .byte 200 + .byte 202 + .byte 204 + .byte 206 + .byte 208 + .byte 210 + .byte 212 + .byte 214 + .byte 216 + .byte 218 + .byte 220 + .byte 222 + .byte 224 + .byte 226 + .byte 228 + .byte 230 + .byte 232 + .byte 234 + .byte 236 + .byte 238 + .byte 240 + .byte 242 + .byte 244 + .byte 246 + .byte 248 + .byte 250 + .byte 252 + .byte 254 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_3, @object + .size table_3, 256 +table_3: + .byte 0 + .byte 128 + .byte 1 + .byte 129 + .byte 2 + .byte 130 + .byte 3 + .byte 131 + .byte 4 + .byte 132 + .byte 5 + .byte 133 + .byte 6 + .byte 134 + .byte 7 + .byte 135 + .byte 8 + .byte 136 + .byte 9 + .byte 137 + .byte 10 + .byte 138 + .byte 11 + .byte 139 + .byte 12 + .byte 140 + .byte 13 + .byte 141 + .byte 14 + .byte 142 + .byte 15 + .byte 143 + .byte 16 + .byte 144 + .byte 17 + .byte 145 + .byte 18 + .byte 146 + .byte 19 + .byte 147 + .byte 20 + .byte 148 + .byte 21 + .byte 149 + .byte 22 + .byte 150 + .byte 23 + .byte 151 + .byte 24 + .byte 152 + 
.byte 25 + .byte 153 + .byte 26 + .byte 154 + .byte 27 + .byte 155 + .byte 28 + .byte 156 + .byte 29 + .byte 157 + .byte 30 + .byte 158 + .byte 31 + .byte 159 + .byte 160 + .byte 32 + .byte 161 + .byte 33 + .byte 162 + .byte 34 + .byte 163 + .byte 35 + .byte 164 + .byte 36 + .byte 165 + .byte 37 + .byte 166 + .byte 38 + .byte 167 + .byte 39 + .byte 168 + .byte 40 + .byte 169 + .byte 41 + .byte 170 + .byte 42 + .byte 171 + .byte 43 + .byte 172 + .byte 44 + .byte 173 + .byte 45 + .byte 174 + .byte 46 + .byte 175 + .byte 47 + .byte 176 + .byte 48 + .byte 177 + .byte 49 + .byte 178 + .byte 50 + .byte 179 + .byte 51 + .byte 180 + .byte 52 + .byte 181 + .byte 53 + .byte 182 + .byte 54 + .byte 183 + .byte 55 + .byte 184 + .byte 56 + .byte 185 + .byte 57 + .byte 186 + .byte 58 + .byte 187 + .byte 59 + .byte 188 + .byte 60 + .byte 189 + .byte 61 + .byte 190 + .byte 62 + .byte 191 + .byte 63 + .byte 64 + .byte 192 + .byte 65 + .byte 193 + .byte 66 + .byte 194 + .byte 67 + .byte 195 + .byte 68 + .byte 196 + .byte 69 + .byte 197 + .byte 70 + .byte 198 + .byte 71 + .byte 199 + .byte 72 + .byte 200 + .byte 73 + .byte 201 + .byte 74 + .byte 202 + .byte 75 + .byte 203 + .byte 76 + .byte 204 + .byte 77 + .byte 205 + .byte 78 + .byte 206 + .byte 79 + .byte 207 + .byte 80 + .byte 208 + .byte 81 + .byte 209 + .byte 82 + .byte 210 + .byte 83 + .byte 211 + .byte 84 + .byte 212 + .byte 85 + .byte 213 + .byte 86 + .byte 214 + .byte 87 + .byte 215 + .byte 88 + .byte 216 + .byte 89 + .byte 217 + .byte 90 + .byte 218 + .byte 91 + .byte 219 + .byte 92 + .byte 220 + .byte 93 + .byte 221 + .byte 94 + .byte 222 + .byte 95 + .byte 223 + .byte 224 + .byte 96 + .byte 225 + .byte 97 + .byte 226 + .byte 98 + .byte 227 + .byte 99 + .byte 228 + .byte 100 + .byte 229 + .byte 101 + .byte 230 + .byte 102 + .byte 231 + .byte 103 + .byte 232 + .byte 104 + .byte 233 + .byte 105 + .byte 234 + .byte 106 + .byte 235 + .byte 107 + .byte 236 + .byte 108 + .byte 237 + .byte 109 + .byte 238 + .byte 110 + .byte 239 
+ .byte 111 + .byte 240 + .byte 112 + .byte 241 + .byte 113 + .byte 242 + .byte 114 + .byte 243 + .byte 115 + .byte 244 + .byte 116 + .byte 245 + .byte 117 + .byte 246 + .byte 118 + .byte 247 + .byte 119 + .byte 248 + .byte 120 + .byte 249 + .byte 121 + .byte 250 + .byte 122 + .byte 251 + .byte 123 + .byte 252 + .byte 124 + .byte 253 + .byte 125 + .byte 254 + .byte 126 + .byte 255 + .byte 127 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_4, @object + .size table_4, 112 +table_4: + .byte 1 + .byte 0 + .byte 3 + .byte 0 + .byte 7 + .byte 0 + .byte 15 + .byte 0 + .byte 15 + .byte 1 + .byte 14 + .byte 3 + .byte 13 + .byte 3 + .byte 11 + .byte 3 + .byte 7 + .byte 3 + .byte 15 + .byte 2 + .byte 14 + .byte 1 + .byte 12 + .byte 3 + .byte 9 + .byte 3 + .byte 3 + .byte 3 + .byte 7 + .byte 2 + .byte 14 + .byte 0 + .byte 13 + .byte 1 + .byte 10 + .byte 3 + .byte 5 + .byte 3 + .byte 11 + .byte 2 + .byte 6 + .byte 1 + .byte 12 + .byte 2 + .byte 8 + .byte 1 + .byte 0 + .byte 3 + .byte 1 + .byte 2 + .byte 2 + .byte 0 + .byte 5 + .byte 0 + .byte 11 + .byte 0 + .byte 7 + .byte 1 + .byte 14 + .byte 2 + .byte 12 + .byte 1 + .byte 8 + .byte 3 + .byte 1 + .byte 3 + .byte 3 + .byte 2 + .byte 6 + .byte 0 + .byte 13 + .byte 0 + .byte 11 + .byte 1 + .byte 6 + .byte 3 + .byte 13 + .byte 2 + .byte 10 + .byte 1 + .byte 4 + .byte 3 + .byte 9 + .byte 2 + .byte 2 + .byte 1 + .byte 4 + .byte 2 + .byte 8 + .byte 0 + .byte 1 + .byte 1 + .byte 2 + .byte 2 + .byte 4 + .byte 0 + .byte 9 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 2 + .byte 12 + .byte 0 + .byte 9 + .byte 1 + .byte 2 + .byte 3 + .byte 5 + .byte 2 + .byte 10 + .byte 0 + + .text +.global skinny_128_384_init + .type skinny_128_384_init, @function +skinny_128_384_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,12 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_384_init, .-skinny_128_384_init + + .text 
+.global skinny_128_384_encrypt + .type skinny_128_384_encrypt, @function +skinny_128_384_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + std Y+33,r18 + std Y+34,r19 + std Y+35,r20 + std Y+36,r21 + ldd r18,Z+36 + ldd r19,Z+37 + ldd r20,Z+38 + ldd r21,Z+39 + std Y+37,r18 + std Y+38,r19 + std Y+39,r20 + std Y+40,r21 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + std Y+41,r18 + std Y+42,r19 + std Y+43,r20 + std Y+44,r21 + ldd r18,Z+44 + ldd r19,Z+45 + ldd r20,Z+46 + ldd r21,Z+47 + std Y+45,r18 + std Y+46,r19 + std Y+47,r20 + std Y+48,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld 
r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +114: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z 
+#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + 
eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z 
+#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std 
Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + 
mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor 
r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 
+#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + 
ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + ldd r0,Y+40 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov 
r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if 
defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld 
r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov 
r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,112 + brne 5721f + rjmp 790f +5721: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + 
lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + 
out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 114b +790: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_encrypt, .-skinny_128_384_encrypt + +.global skinny_128_384_encrypt_tk_full + .set skinny_128_384_encrypt_tk_full,skinny_128_384_encrypt + + .text +.global skinny_128_384_decrypt + .type skinny_128_384_decrypt, @function +skinny_128_384_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r23 + std Y+2,r2 + std Y+3,r21 + std Y+4,r20 + std Y+5,r3 + std Y+6,r18 + std Y+7,r19 + std Y+8,r22 + std Y+9,r9 + std Y+10,r10 + std Y+11,r7 + std Y+12,r6 + std Y+13,r11 + std Y+14,r4 + std Y+15,r5 + std Y+16,r8 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r23 + std Y+18,r2 + std Y+19,r21 + std Y+20,r20 + std Y+21,r3 + std Y+22,r18 + std 
Y+23,r19 + std Y+24,r22 + std Y+25,r9 + std Y+26,r10 + std Y+27,r7 + std Y+28,r6 + std Y+29,r11 + std Y+30,r4 + std Y+31,r5 + std Y+32,r8 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + ldd r22,Z+36 + ldd r23,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+33,r23 + std Y+34,r2 + std Y+35,r21 + std Y+36,r20 + std Y+37,r3 + std Y+38,r18 + std Y+39,r19 + std Y+40,r22 + std Y+41,r9 + std Y+42,r10 + std Y+43,r7 + std Y+44,r6 + std Y+45,r11 + std Y+46,r4 + std Y+47,r5 + std Y+48,r8 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,28 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +122: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 122b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,28 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +150: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif 
defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 150b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,28 + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 +179: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 179b + std Y+33,r12 + std Y+34,r13 + std Y+35,r14 + std Y+36,r15 + std Y+37,r24 + std Y+38,r25 + std Y+39,r16 + std Y+40,r17 + ldi r26,28 + ldd r12,Y+41 + ldd r13,Y+42 + 
ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 +207: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 207b + std Y+41,r12 + std Y+42,r13 + std Y+43,r14 + std Y+44,r15 + std Y+45,r24 + std Y+46,r25 + std Y+47,r16 + std Y+48,r17 + ldi r26,112 +227: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 
+#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd 
r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif 
defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + 
ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm 
r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + 
ldd r0,Y+40 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov 
r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm 
r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + 
mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) 
+#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z 
+#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out 
_SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif 
defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + breq 903f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 227b +903: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_decrypt, .-skinny_128_384_decrypt + + .text +.global 
skinny_128_256_init + .type skinny_128_256_init, @function +skinny_128_256_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,8 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_256_init, .-skinny_128_256_init + + .text +.global skinny_128_256_encrypt + .type skinny_128_256_encrypt, @function +skinny_128_256_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi 
r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +82: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + 
eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 
+ std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + 
elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor 
r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std 
Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm 
r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor 
r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + 
std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if 
defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + 
eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,96 + breq 594f + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std 
Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 82b +594: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_encrypt, .-skinny_128_256_encrypt + +.global skinny_128_256_encrypt_tk_full + .set skinny_128_256_encrypt_tk_full,skinny_128_256_encrypt + + .text +.global skinny_128_256_decrypt + .type skinny_128_256_decrypt, @function +skinny_128_256_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + std Y+5,r22 + std Y+6,r23 + std Y+7,r2 + std Y+8,r3 + std Y+9,r4 + std Y+10,r5 + std Y+11,r6 + std Y+12,r7 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd 
r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + std Y+21,r22 + std Y+22,r23 + std Y+23,r2 + std Y+24,r3 + std Y+25,r4 + std Y+26,r5 + std Y+27,r6 + std Y+28,r7 + std Y+29,r8 + std Y+30,r9 + std Y+31,r10 + std Y+32,r11 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,24 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +90: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if 
defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 90b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,24 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +118: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 118b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + 
out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,96 +139: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + 
eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + 
ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor 
r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + 
elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if 
defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor 
r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 
+#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi 
r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + 
mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + 
breq 651f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 139b +651: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_decrypt, .-skinny_128_256_decrypt + +#endif diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.c b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.c index 65ba4ed..579ced1 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.c +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.c @@ -25,6 +25,8 @@ #include "internal-util.h" #include +#if !defined(__AVR__) + STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) { /* This function is used to fast-forward the TK1 tweak value 
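Review bot: The new `#if !defined(__AVR__)` guard carries no explanation, so a reader of this file sees the entire C implementation disappear on AVR with nothing saying where it went. Presumably the assembly file added earlier in this commit supplies the same symbols on that target; a comment on the guard would make that explicit: `#if !defined(__AVR__) /* on AVR these routines come from internal-skinny128-avr.S */`. The matching `#endif` is outside this hunk.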
@@ -55,42 +57,33 @@ STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) ((row3 << 24) & 0xFF000000U); } -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t TK3[4]; uint32_t *schedule; unsigned round; uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || (key_len != 32 && key_len != 48)) - return 0; - +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); + memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); +#else /* Set the initial states of TK1, TK2, and TK3 */ - if (key_len == 32) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - TK3[0] = le_load_word32(key + 16); - TK3[1] = le_load_word32(key + 20); - TK3[2] = le_load_word32(key + 24); - TK3[3] = le_load_word32(key + 28); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); /* Set up the key schedule using TK2 and TK3. TK1 is not added * to the key schedule because we will derive that part of the 
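Review bot: With the `key_len` parameter and its check gone, `skinny_128_384_init` now silently assumes a 48-byte layout of TK1 at offset 0, TK2 at 16 and TK3 at 32, and nothing at the function states that contract; a comment above the first `memcpy`, `/* key is TK1 || TK2 || TK3, 16 bytes each (the old 32-byte zero-TK1 form is gone) */`, would make the new precondition visible to callers reading the .c file. As a point of style, the body opens two separate conditionals on the same macro (`#if !SKINNY_128_SMALL_SCHEDULE` for the locals, then `#if SKINNY_128_SMALL_SCHEDULE ... #else`); since the locals are only used in the `#else` arm they could be declared at the top of that arm, leaving one conditional. The rest of the non-small-schedule body continues outside this hunk.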
@@ -116,20 +109,7 @@ int skinny_128_384_init skinny128_LFSR3(TK3[0]); skinny128_LFSR3(TK3[1]); } - return 1; -} - -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_384_encrypt @@ -138,7 +118,13 @@ void skinny_128_384_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -148,14 +134,24 @@ void skinny_128_384_encrypt s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
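Review bot: In the `skinny_128_384_encrypt` hunk the comment `/* Make a local copy of the tweakable part of the state */` now also covers the new loads of `ks->TK2` and `ks->TK3`, which in the small-schedule build are key material rather than tweak, so the comment no longer matches what follows it; `/* Local copies of TK1 (tweak) and, on the small schedule, TK2/TK3 (key), all advanced per round */` would be accurate for both configurations. Separately, with `skinny_128_384_set_tweak` removed callers are expected to write `ks->TK1` directly, which is reasonable for this internal API but is not stated anywhere visible in this diff; a sentence on the struct's TK1 field in the header would close that gap. The encrypt loop continues past this hunk.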
@@ -163,8 +159,15 @@ void skinny_128_384_encrypt skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -185,6 +188,16 @@ void skinny_128_384_encrypt /* Permute TK1 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ @@ -200,7 +213,13 @@ void skinny_128_384_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0x15; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; 
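Review bot: `uint8_t rc = 0x15;` in the new small-schedule declarations of `skinny_128_384_decrypt` is an unexplained magic value; stepping the 6-bit generator used in the encrypt hunk above from 0 gives 0x0A after 56 steps and 0x15 after 57, so 0x15 is the state one step past the last round, which the inverse step at the top of each subkey application then brings back to the round-56 value before first use. A comment saying that, `uint8_t rc = 0x15; /* LFSR state for round SKINNY_128_384_ROUNDS + 1; stepped back once before each use below */`, lets a reviewer re-derive it instead of trusting it. The forward update `rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; rc &= 0x3F;` is now repeated verbatim in every encrypt routine and both init functions; a `skinny128_next_rc(rc)` macro beside `skinny128_LFSR2`/`skinny128_LFSR3` would keep the copies from drifting.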
@@ -215,15 +234,47 @@ void skinny_128_384_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Permute TK1 to fast-forward it to the end of the key schedule */ skinny128_fast_forward_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_fast_forward_tk(TK2); + skinny128_fast_forward_tk(TK3); + for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2 and TK3. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + skinny128_LFSR3(TK3[2]); + skinny128_LFSR3(TK3[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_inv_permute_tk(TK3); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); + skinny128_LFSR2(TK3[2]); + skinny128_LFSR2(TK3[3]); +#endif /* Inverse mix of the columns */ temp = s3; 
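Review bot: The new fast-forward loop in `skinny_128_384_decrypt` runs `SKINNY_128_384_ROUNDS / 2` iterations of the LFSRs over all four words without saying why that count is right; from the encrypt loop it looks like each forward round applies the LFSR only to the two words the permutation moves into the top half, so every cell advances once per two rounds, but that depends on what `skinny128_permute_tk` does and should be confirmed before being written down. I would replace the `// Also fast-forward the LFSR's on every byte of TK2 and TK3.` line, which is also the only `//` comment in a file that otherwise uses `/* */`, with something like `/* Each forward round LFSRs half of TK2/TK3, so every cell has advanced ROUNDS/2 times by the end of the schedule. */` once that is verified. Reusing `round` as the fast-forward index before the main loop resets it is fine but worth a glance. The decrypt round body continues outside this hunk.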
@@ -240,8 +291,15 @@ void skinny_128_384_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ @@ -259,13 +317,18 @@ void skinny_128_384_decrypt } void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2) { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; uint32_t TK2[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK3[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -275,7 +338,7 @@ void skinny_128_384_encrypt_tk2 s2 = le_load_word32(input + 8); s3 = le_load_word32(input + 12); - /* Make a local copy of the tweakable part of the state, TK1/TK2 */ + /* Make a local copy of the tweakable part of the state */ TK1[0] = le_load_word32(ks->TK1); TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); @@ -284,9 +347,15 @@ void skinny_128_384_encrypt_tk2 TK2[1] = le_load_word32(tk2 + 4); TK2[2] = le_load_word32(tk2 + 8); TK2[3] = le_load_word32(tk2 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); 
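Review bot: `skinny_128_384_encrypt_tk2` loses `const` on `ks` in this hunk even though the C body that follows only reads `ks->TK1` and `ks->TK3`; the reason, that the AVR wrapper at the bottom of the file copies `tk2` into `ks->TK2`, is nowhere near this definition. A one-line comment at the signature, `/* ks is non-const only because the AVR build copies tk2 into ks->TK2 */`, would stop a reader from assuming this version mutates the schedule. The function body continues past the end of this hunk.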
@@ -294,8 +363,15 @@ void skinny_128_384_encrypt_tk2 skinny128_sbox(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -319,6 +395,13 @@ void skinny_128_384_encrypt_tk2 skinny128_permute_tk(TK2); skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK3); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -408,33 +491,27 @@ void skinny_128_384_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len) +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) { +#if !SKINNY_128_SMALL_SCHEDULE uint32_t TK2[4]; uint32_t *schedule; unsigned round; uint8_t rc; +#endif - /* Validate the parameters */ - if (!ks || !key || (key_len != 16 && key_len != 32)) - return 0; - +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); +#else /* Set the initial states of TK1 and TK2 */ - if (key_len == 16) { - memset(ks->TK1, 0, sizeof(ks->TK1)); - TK2[0] = le_load_word32(key); - TK2[1] = le_load_word32(key + 4); - TK2[2] = le_load_word32(key + 8); - TK2[3] = le_load_word32(key + 12); - } else { - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - } + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); /* Set up the key schedule using TK2. TK1 is not added * to the key schedule because we will derive that part of the @@ -457,20 +534,7 @@ int skinny_128_256_init skinny128_LFSR2(TK2[0]); skinny128_LFSR2(TK2[1]); } - return 1; -} - -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len) -{ - /* Validate the parameters */ - if (!ks || !tweak || tweak_len != 16) - return 0; - - /* Set TK1 directly from the tweak value */ - memcpy(ks->TK1, tweak, 16); - return 1; +#endif } void skinny_128_256_encrypt 
@@ -479,7 +543,12 @@ void skinny_128_256_encrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else const uint32_t *schedule = ks->k; +#endif uint32_t temp; unsigned round; @@ -494,18 +563,31 @@ void skinny_128_256_encrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Apply the S-box to all bytes in the state */ skinny128_sbox(s0); skinny128_sbox(s1); skinny128_sbox(s2); skinny128_sbox(s3); - /* Apply the subkey for this round */ + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; +#endif s2 ^= 0x02; /* Shift the cells in the rows right, which moves the cell @@ -524,8 +606,15 @@ void skinny_128_256_encrypt s1 = s0; s0 = temp; - /* Permute TK1 for the next round */ + /* Permute TK1 and TK2 for the next round */ skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif } /* Pack the result into the output buffer */ 
@@ -541,7 +630,12 @@ void skinny_128_256_decrypt { uint32_t s0, s1, s2, s3; uint32_t TK1[4]; - const uint32_t *schedule; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif uint32_t temp; unsigned round; @@ -558,12 +652,29 @@ void skinny_128_256_decrypt TK1[1] = le_load_word32(ks->TK1 + 4); TK1[2] = le_load_word32(ks->TK1 + 8); TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule -= 2) { + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { /* Inverse permutation on TK1 for this round */ skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif /* Inverse mix of the columns */ temp = s3; @@ -580,8 +691,15 @@ void skinny_128_256_decrypt s3 = leftRotate8(s3); /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else s0 ^= schedule[0] ^ TK1[0]; s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif s2 ^= 0x02; /* Apply the inverse of the S-box to all bytes in the state */ 
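Review bot: `uint8_t rc = 0x09;` in `skinny_128_256_decrypt` carries no explanation; running the forward generator from the encrypt path for 48 steps gives 0x04 and one more step gives 0x09, so the value is the round-49 state that the inverse step at the subkey XOR turns back into the round-48 constant before it is first used. Recording that next to the initialiser, `/* LFSR state for round SKINNY_128_256_ROUNDS + 1; the inverse step below runs before the first use */`, turns a constant that must be trusted into one that can be checked. The same applies to the 0x15 used by the 384-bit decrypt; a named constant per variant next to the `*_ROUNDS` definitions in the header would tie the two together.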
@@ -670,142 +788,14 @@ void skinny_128_256_encrypt_tk_full le_store_word32(output + 12, s3); } -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len) -{ - uint32_t TK1[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; - - /* Validate the parameters */ - if (!ks || !key || key_len != 16) - return 0; - - /* Set the initial state of TK1 */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); +#else /* __AVR__ */ - /* Set up the key schedule using TK1 */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. - * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK1[0] ^ (rc & 0x0F); - schedule[1] = TK1[1] ^ (rc >> 4); - - /* Permute TK1 for the next round */ - skinny128_permute_tk(TK1); - } - return 1; -} - -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) { - uint32_t s0, s1, s2, s3; - const uint32_t *schedule = ks->k; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule += 2) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; 
- s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); } -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - const uint32_t *schedule; - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all decryption rounds */ - schedule = &(ks->k[SKINNY_128_128_ROUNDS * 2 - 2]); - for (round = 0; round < SKINNY_128_128_ROUNDS; ++round, schedule -= 2) { - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ - s0 ^= schedule[0]; - s1 ^= schedule[1]; - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} +#endif /* __AVR__ */ 
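Review bot: The AVR `skinny_128_384_encrypt_tk2` wrapper does `memcpy(ks->TK2, tk2, 16)` and leaves that value in the schedule, so a later `skinny_128_384_encrypt(ks, ...)` on the same schedule (which in the small-schedule layout reads `ks->TK2`) will use the last `tk2` rather than the zero TK2 the header asks callers to initialise with. If the AEAD code only ever uses the tk2 entry point on that schedule this is harmless, but that cannot be seen from here; either restore the field after the call, `memset(ks->TK2, 0, 16);`, or state at this definition that plain `skinny_128_384_encrypt` must not be mixed with this function on one schedule. Note too that the wrapper relies on the assembly `skinny_128_384_encrypt` reading TK2 from the struct, which is worth a comment since the dependency is invisible at this call site.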
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.h index 76b34f5..2bfda3c 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.h +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-skinny128.h @@ -39,6 +39,16 @@ extern "C" { #endif /** + * \def SKINNY_128_SMALL_SCHEDULE + * \brief Defined to 1 to use the small key schedule version of SKINNY-128. + */ +#if defined(__AVR__) +#define SKINNY_128_SMALL_SCHEDULE 1 +#else +#define SKINNY_128_SMALL_SCHEDULE 0 +#endif + +/** * \brief Size of a block for SKINNY-128 block ciphers. */ #define SKINNY_128_BLOCK_SIZE 16 @@ -56,8 +66,16 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; + + /** TK3 for the small key schedule */ + uint8_t TK3[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_384_ROUNDS * 2]; +#endif } skinny_128_384_key_schedule_t; 
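Review bot: `SKINNY_128_SMALL_SCHEDULE` is defined unconditionally from `__AVR__`, so there is no way to build the small-schedule layout on a host to test it against the full-schedule code; wrapping the two definitions in `#if !defined(SKINNY_128_SMALL_SCHEDULE)` / `#endif` keeps the default and lets a test build pass `-DSKINNY_128_SMALL_SCHEDULE=1`. The struct hunk also makes the field layout configuration dependent, and presumably the AVR assembly reads TK1, TK2 and TK3 at fixed offsets inside `skinny_128_384_key_schedule_t`; if so, a comment on the struct, `/* Field order and sizes are relied on by the AVR assembly; do not reorder. */`, is the cheapest protection against a well-meaning rearrangement.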
@@ -66,29 +84,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 32 or 48, - * where 32 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_384_init - (skinny_128_384_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-384. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_384_set_tweak - (skinny_128_384_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]); /** * \brief Encrypts a 128-bit block with SKINNY-128-384. @@ -133,9 +131,12 @@ void skinny_128_384_decrypt * This version is useful when both TK1 and TK2 change from block to block. * When the key is initialized with skinny_128_384_init(), the TK2 part of * the key value should be set to zero. + * + * \note Some versions of this function may modify the key schedule to + * copy tk2 into place. */ void skinny_128_384_encrypt_tk2 - (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + (skinny_128_384_key_schedule_t *ks, unsigned char *output, const unsigned char *input, const unsigned char *tk2); /** @@ -170,8 +171,13 @@ typedef struct /** TK1 for the tweakable part of the key schedule */ uint8_t TK1[16]; - /** Words of the key schedule */ +#if SKINNY_128_SMALL_SCHEDULE + /** TK2 for the small key schedule */ + uint8_t TK2[16]; +#else + /** Words of the full key schedule */ uint32_t k[SKINNY_128_256_ROUNDS * 2]; +#endif } skinny_128_256_key_schedule_t; 
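Review bot: The new `\note` on `skinny_128_384_encrypt_tk2` says some versions "may modify the key schedule to copy tk2 into place" but not what that means for the caller, which is the part that matters: the copied tk2 stays in `ks->TK2`, so a following `skinny_128_384_encrypt()` on the same schedule no longer sees the zero TK2 this same comment asks for. I would make it explicit: `\note On builds using the small key schedule this function stores \a tk2 into the schedule's TK2 field and leaves it there; a subsequent call to skinny_128_384_encrypt() on the same schedule will use that value rather than zero.` The `\param key` line of `skinny_128_384_init` in the first hunk also lost the length information with `key_len`; it should now say the key is 48 bytes laid out as TK1, TK2, TK3.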
@@ -180,29 +186,9 @@ typedef struct * * \param ks Points to the key schedule to initialize. * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16 or 32, - * where 16 is used for the tweakable variant. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. */ -int skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Sets the tweakable part of the key schedule for SKINNY-128-256. - * - * \param ks Points to the key schedule to modify. - * \param tweak Points to the tweak data. - * \param tweak_len Length of the tweak data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_256_set_tweak - (skinny_128_256_key_schedule_t *ks, const unsigned char *tweak, - size_t tweak_len); +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]); /** * \brief Encrypts a 128-bit block with SKINNY-128-256. 
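Review bot: With `key_len` removed, `\param key Points to the key data.` no longer tells the caller of `skinny_128_256_init` how long the key is or how it is arranged, and the .c side now copies the first 16 bytes straight into TK1 and the next 16 into TK2; the doc should carry that, e.g. `\param key Points to 32 bytes of key data: TK1 in the first 16 bytes, TK2 in the next 16.` Since the old 16-byte form that zeroed TK1 is gone, a sentence saying callers who want a zero tweak must supply the zeros themselves would prevent the most likely misuse.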
@@ -251,63 +237,6 @@ void skinny_128_256_encrypt_tk_full (const unsigned char key[32], unsigned char *output, const unsigned char *input); -/** - * \brief Number of rounds for SKINNY-128-128. - */ -#define SKINNY_128_128_ROUNDS 40 - -/** - * \brief Structure of the key schedule for SKINNY-128-128. - */ -typedef struct -{ - /** Words of the key schedule */ - uint32_t k[SKINNY_128_128_ROUNDS * 2]; - -} skinny_128_128_key_schedule_t; - -/** - * \brief Initializes the key schedule for SKINNY-128-128. - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. - */ -int skinny_128_128_init - (skinny_128_128_key_schedule_t *ks, const unsigned char *key, - size_t key_len); - -/** - * \brief Encrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_encrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with SKINNY-128-128. - * - * \param ks Points to the SKINNY-128-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void skinny_128_128_decrypt - (const skinny_128_128_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - #ifdef __cplusplus } #endif 
diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-util.h b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-util.h +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
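Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is fixed from `__AVR__` with no override, so the large table of composed rotations it enables can only ever be compiled on an AVR toolchain and cannot be checked against the plain `leftRotate`/`rightRotate` forms in a host test. Guarding the definition with `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` keeps the behaviour identical and allows `-DLW_CRYPTO_ROTATE32_COMPOSED=1` on a desktop build where the two tables can be compared bit for bit. The comment block explaining the AVR cost model is helpful; it would be worth adding that the macros assume the compiler turns a rotate by 8, 16 or 24 into byte moves, since that assumption is what the whole table rests on.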
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.c b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.c index 2bb37e9..7558527 100644 
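Review bot: The 31 composed rotation macros are hand-derived and nothing in the diff checks them; a host-side test asserting `leftRotateN(x) == ((x << N) | (x >> (32 - N)))` for every N over a few patterned values would catch a miscounted nesting, which is exactly the mistake this table invites (compare `leftRotate12`, built as 16 then right 4, with `leftRotate20`, built as 16 then left 4, and `leftRotate28`, built purely from right rotates). If the generic `leftRotate`/`rightRotate` declare a `_temp` inside a statement expression as the context lines above suggest, every composed macro nests those expressions and shadows `_temp` several levels deep; that is legal C but will fire `-Wshadow` on every use, so a short comment at the top of this `#else` branch acknowledging it would save a future triage. The `rightRotateN` aliases at the end are also defined in terms of the `leftRotate(32-N)` names, so any error in a left macro silently propagates to its right twin.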
--- a/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.c +++ b/skinny/Implementations/crypto_aead/skinnyaeadtk39664v1/rhys/skinny-aead.c @@ -105,11 +105,12 @@ static void skinny_aead_128_384_init (skinny_128_384_key_schedule_t *ks, const unsigned char *key, const unsigned char *nonce, unsigned nonce_len) { - unsigned char k[32]; - memcpy(k, nonce, nonce_len); - memset(k + nonce_len, 0, 16 - nonce_len); - memcpy(k + 16, key, 16); - skinny_128_384_init(ks, k, 32); + unsigned char k[48]; + memset(k, 0, 16); + memcpy(k + 16, nonce, nonce_len); + memset(k + 16 + nonce_len, 0, 16 - nonce_len); + memcpy(k + 32, key, 16); + skinny_128_384_init(ks, k); } /** @@ -136,7 +137,7 @@ static void skinny_aead_128_384_init #define skinny_aead_128_384_update_lfsr(lfsr) \ do { \ uint8_t feedback = ((lfsr) & (1ULL << 63)) ? 0x1B : 0x00; \ - (lfsr) = ((lfsr) << 1) | feedback; \ + (lfsr) = ((lfsr) << 1) ^ feedback; \ } while (0) /** @@ -520,7 +521,7 @@ static void skinny_aead_128_256_init memset(k, 0, 16 - nonce_len); memcpy(k + 16 - nonce_len, nonce, nonce_len); memcpy(k + 16, key, 16); - skinny_128_256_init(ks, k, 32); + skinny_128_256_init(ks, k); } /** diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/aead-common.c b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/aead-common.c +++ /dev/null 
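Review bot: In `skinny_aead_128_384_init` the enlarged `unsigned char k[48]` now holds the raw 16-byte key at offset 32 and is simply abandoned on return, so the key lingers in stack memory below the stack pointer; after `skinny_128_384_init(ks, k);` the buffer should be cleared with whatever secure-clear helper the library uses, or a volatile-qualified byte loop, since a plain `memset` before return can be optimised away. The `memset(k + 16 + nonce_len, 0, 16 - nonce_len);` also wraps to a huge length for `nonce_len > 16`; the callers are not visible in this diff and may guarantee 12 or 16, but a guard or assertion on `nonce_len` at the top of the function is cheap insurance.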
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/aead-common.h b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/api.h b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/api.h deleted file mode 100644 index ae8c7f6..0000000 --- a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/api.h +++ /dev/null @@ -1 +0,0 @@ -#define CRYPTO_BYTES 32 diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-skinny128-avr.S b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-skinny128-avr.S deleted file mode 100644 index d342cd5..0000000 --- a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-skinny128-avr.S +++ /dev/null 
@@ -1,10099 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 256 -table_0: - .byte 101 - .byte 76 - .byte 106 - .byte 66 - .byte 75 - .byte 99 - .byte 67 - .byte 107 - .byte 85 - .byte 117 - .byte 90 - .byte 122 - .byte 83 - .byte 115 - .byte 91 - .byte 123 - .byte 53 - .byte 140 - .byte 58 - .byte 129 - .byte 137 - .byte 51 - .byte 128 - .byte 59 - .byte 149 - .byte 37 - .byte 152 - .byte 42 - .byte 144 - .byte 35 - .byte 153 - .byte 43 - .byte 229 - .byte 204 - .byte 232 - .byte 193 - .byte 201 - .byte 224 - .byte 192 - .byte 233 - .byte 213 - .byte 245 - .byte 216 - .byte 248 - .byte 208 - .byte 240 - .byte 217 - .byte 249 - .byte 165 - .byte 28 - .byte 168 - .byte 18 - .byte 27 - .byte 160 - .byte 19 - .byte 169 - .byte 5 - .byte 181 - .byte 10 - .byte 184 - .byte 3 - .byte 176 - .byte 11 - .byte 185 - .byte 50 - .byte 136 - .byte 60 - .byte 133 - .byte 141 - .byte 52 - .byte 132 - .byte 61 - .byte 145 - .byte 34 - .byte 156 - .byte 44 - .byte 148 - .byte 36 - .byte 157 - .byte 45 - .byte 98 - .byte 74 - .byte 108 - .byte 69 - .byte 77 - .byte 100 - .byte 68 - .byte 109 - .byte 82 - .byte 114 - .byte 92 - .byte 124 - .byte 84 - .byte 116 - .byte 93 - .byte 125 - .byte 161 - .byte 26 - .byte 172 - .byte 21 - .byte 29 - .byte 164 - .byte 20 - .byte 173 - .byte 2 - .byte 177 - .byte 12 - .byte 188 - .byte 4 - .byte 180 - .byte 13 - .byte 189 - .byte 225 - .byte 200 - .byte 236 - .byte 197 - .byte 205 - .byte 228 - .byte 196 - .byte 237 - .byte 209 - .byte 241 - .byte 220 - .byte 252 - .byte 212 - .byte 244 - .byte 221 - .byte 253 - .byte 54 - .byte 142 - .byte 56 - .byte 130 - .byte 139 - .byte 48 - .byte 131 - .byte 57 - .byte 150 - .byte 38 - .byte 154 - .byte 40 - .byte 147 - .byte 32 - .byte 155 - .byte 41 - .byte 102 - .byte 78 - .byte 104 - .byte 65 - .byte 73 - .byte 96 - .byte 64 - .byte 105 - .byte 86 - .byte 118 - .byte 88 - 
.byte 120 - .byte 80 - .byte 112 - .byte 89 - .byte 121 - .byte 166 - .byte 30 - .byte 170 - .byte 17 - .byte 25 - .byte 163 - .byte 16 - .byte 171 - .byte 6 - .byte 182 - .byte 8 - .byte 186 - .byte 0 - .byte 179 - .byte 9 - .byte 187 - .byte 230 - .byte 206 - .byte 234 - .byte 194 - .byte 203 - .byte 227 - .byte 195 - .byte 235 - .byte 214 - .byte 246 - .byte 218 - .byte 250 - .byte 211 - .byte 243 - .byte 219 - .byte 251 - .byte 49 - .byte 138 - .byte 62 - .byte 134 - .byte 143 - .byte 55 - .byte 135 - .byte 63 - .byte 146 - .byte 33 - .byte 158 - .byte 46 - .byte 151 - .byte 39 - .byte 159 - .byte 47 - .byte 97 - .byte 72 - .byte 110 - .byte 70 - .byte 79 - .byte 103 - .byte 71 - .byte 111 - .byte 81 - .byte 113 - .byte 94 - .byte 126 - .byte 87 - .byte 119 - .byte 95 - .byte 127 - .byte 162 - .byte 24 - .byte 174 - .byte 22 - .byte 31 - .byte 167 - .byte 23 - .byte 175 - .byte 1 - .byte 178 - .byte 14 - .byte 190 - .byte 7 - .byte 183 - .byte 15 - .byte 191 - .byte 226 - .byte 202 - .byte 238 - .byte 198 - .byte 207 - .byte 231 - .byte 199 - .byte 239 - .byte 210 - .byte 242 - .byte 222 - .byte 254 - .byte 215 - .byte 247 - .byte 223 - .byte 255 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_1, @object - .size table_1, 256 -table_1: - .byte 172 - .byte 232 - .byte 104 - .byte 60 - .byte 108 - .byte 56 - .byte 168 - .byte 236 - .byte 170 - .byte 174 - .byte 58 - .byte 62 - .byte 106 - .byte 110 - .byte 234 - .byte 238 - .byte 166 - .byte 163 - .byte 51 - .byte 54 - .byte 102 - .byte 99 - .byte 227 - .byte 230 - .byte 225 - .byte 164 - .byte 97 - .byte 52 - .byte 49 - .byte 100 - .byte 161 - .byte 228 - .byte 141 - .byte 201 - .byte 73 - .byte 29 - .byte 77 - .byte 25 - .byte 137 - .byte 205 - .byte 139 - .byte 143 - .byte 27 - .byte 31 - .byte 75 - .byte 79 - .byte 203 - .byte 207 - .byte 133 - .byte 192 - .byte 64 - .byte 21 - .byte 69 - .byte 16 - .byte 128 - .byte 197 - .byte 130 - .byte 135 - .byte 18 - .byte 23 - .byte 66 - .byte 71 - 
.byte 194 - .byte 199 - .byte 150 - .byte 147 - .byte 3 - .byte 6 - .byte 86 - .byte 83 - .byte 211 - .byte 214 - .byte 209 - .byte 148 - .byte 81 - .byte 4 - .byte 1 - .byte 84 - .byte 145 - .byte 212 - .byte 156 - .byte 216 - .byte 88 - .byte 12 - .byte 92 - .byte 8 - .byte 152 - .byte 220 - .byte 154 - .byte 158 - .byte 10 - .byte 14 - .byte 90 - .byte 94 - .byte 218 - .byte 222 - .byte 149 - .byte 208 - .byte 80 - .byte 5 - .byte 85 - .byte 0 - .byte 144 - .byte 213 - .byte 146 - .byte 151 - .byte 2 - .byte 7 - .byte 82 - .byte 87 - .byte 210 - .byte 215 - .byte 157 - .byte 217 - .byte 89 - .byte 13 - .byte 93 - .byte 9 - .byte 153 - .byte 221 - .byte 155 - .byte 159 - .byte 11 - .byte 15 - .byte 91 - .byte 95 - .byte 219 - .byte 223 - .byte 22 - .byte 19 - .byte 131 - .byte 134 - .byte 70 - .byte 67 - .byte 195 - .byte 198 - .byte 65 - .byte 20 - .byte 193 - .byte 132 - .byte 17 - .byte 68 - .byte 129 - .byte 196 - .byte 28 - .byte 72 - .byte 200 - .byte 140 - .byte 76 - .byte 24 - .byte 136 - .byte 204 - .byte 26 - .byte 30 - .byte 138 - .byte 142 - .byte 74 - .byte 78 - .byte 202 - .byte 206 - .byte 53 - .byte 96 - .byte 224 - .byte 165 - .byte 101 - .byte 48 - .byte 160 - .byte 229 - .byte 50 - .byte 55 - .byte 162 - .byte 167 - .byte 98 - .byte 103 - .byte 226 - .byte 231 - .byte 61 - .byte 105 - .byte 233 - .byte 173 - .byte 109 - .byte 57 - .byte 169 - .byte 237 - .byte 59 - .byte 63 - .byte 171 - .byte 175 - .byte 107 - .byte 111 - .byte 235 - .byte 239 - .byte 38 - .byte 35 - .byte 179 - .byte 182 - .byte 118 - .byte 115 - .byte 243 - .byte 246 - .byte 113 - .byte 36 - .byte 241 - .byte 180 - .byte 33 - .byte 116 - .byte 177 - .byte 244 - .byte 44 - .byte 120 - .byte 248 - .byte 188 - .byte 124 - .byte 40 - .byte 184 - .byte 252 - .byte 42 - .byte 46 - .byte 186 - .byte 190 - .byte 122 - .byte 126 - .byte 250 - .byte 254 - .byte 37 - .byte 112 - .byte 240 - .byte 181 - .byte 117 - .byte 32 - .byte 176 - .byte 245 - .byte 34 - .byte 39 - .byte 178 - 
.byte 183 - .byte 114 - .byte 119 - .byte 242 - .byte 247 - .byte 45 - .byte 121 - .byte 249 - .byte 189 - .byte 125 - .byte 41 - .byte 185 - .byte 253 - .byte 43 - .byte 47 - .byte 187 - .byte 191 - .byte 123 - .byte 127 - .byte 251 - .byte 255 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_2, @object - .size table_2, 256 -table_2: - .byte 0 - .byte 2 - .byte 4 - .byte 6 - .byte 8 - .byte 10 - .byte 12 - .byte 14 - .byte 16 - .byte 18 - .byte 20 - .byte 22 - .byte 24 - .byte 26 - .byte 28 - .byte 30 - .byte 32 - .byte 34 - .byte 36 - .byte 38 - .byte 40 - .byte 42 - .byte 44 - .byte 46 - .byte 48 - .byte 50 - .byte 52 - .byte 54 - .byte 56 - .byte 58 - .byte 60 - .byte 62 - .byte 65 - .byte 67 - .byte 69 - .byte 71 - .byte 73 - .byte 75 - .byte 77 - .byte 79 - .byte 81 - .byte 83 - .byte 85 - .byte 87 - .byte 89 - .byte 91 - .byte 93 - .byte 95 - .byte 97 - .byte 99 - .byte 101 - .byte 103 - .byte 105 - .byte 107 - .byte 109 - .byte 111 - .byte 113 - .byte 115 - .byte 117 - .byte 119 - .byte 121 - .byte 123 - .byte 125 - .byte 127 - .byte 128 - .byte 130 - .byte 132 - .byte 134 - .byte 136 - .byte 138 - .byte 140 - .byte 142 - .byte 144 - .byte 146 - .byte 148 - .byte 150 - .byte 152 - .byte 154 - .byte 156 - .byte 158 - .byte 160 - .byte 162 - .byte 164 - .byte 166 - .byte 168 - .byte 170 - .byte 172 - .byte 174 - .byte 176 - .byte 178 - .byte 180 - .byte 182 - .byte 184 - .byte 186 - .byte 188 - .byte 190 - .byte 193 - .byte 195 - .byte 197 - .byte 199 - .byte 201 - .byte 203 - .byte 205 - .byte 207 - .byte 209 - .byte 211 - .byte 213 - .byte 215 - .byte 217 - .byte 219 - .byte 221 - .byte 223 - .byte 225 - .byte 227 - .byte 229 - .byte 231 - .byte 233 - .byte 235 - .byte 237 - .byte 239 - .byte 241 - .byte 243 - .byte 245 - .byte 247 - .byte 249 - .byte 251 - .byte 253 - .byte 255 - .byte 1 - .byte 3 - .byte 5 - .byte 7 - .byte 9 - .byte 11 - .byte 13 - .byte 15 - .byte 17 - .byte 19 - .byte 21 - .byte 23 - .byte 25 - .byte 27 - .byte 29 - 
.byte 31 - .byte 33 - .byte 35 - .byte 37 - .byte 39 - .byte 41 - .byte 43 - .byte 45 - .byte 47 - .byte 49 - .byte 51 - .byte 53 - .byte 55 - .byte 57 - .byte 59 - .byte 61 - .byte 63 - .byte 64 - .byte 66 - .byte 68 - .byte 70 - .byte 72 - .byte 74 - .byte 76 - .byte 78 - .byte 80 - .byte 82 - .byte 84 - .byte 86 - .byte 88 - .byte 90 - .byte 92 - .byte 94 - .byte 96 - .byte 98 - .byte 100 - .byte 102 - .byte 104 - .byte 106 - .byte 108 - .byte 110 - .byte 112 - .byte 114 - .byte 116 - .byte 118 - .byte 120 - .byte 122 - .byte 124 - .byte 126 - .byte 129 - .byte 131 - .byte 133 - .byte 135 - .byte 137 - .byte 139 - .byte 141 - .byte 143 - .byte 145 - .byte 147 - .byte 149 - .byte 151 - .byte 153 - .byte 155 - .byte 157 - .byte 159 - .byte 161 - .byte 163 - .byte 165 - .byte 167 - .byte 169 - .byte 171 - .byte 173 - .byte 175 - .byte 177 - .byte 179 - .byte 181 - .byte 183 - .byte 185 - .byte 187 - .byte 189 - .byte 191 - .byte 192 - .byte 194 - .byte 196 - .byte 198 - .byte 200 - .byte 202 - .byte 204 - .byte 206 - .byte 208 - .byte 210 - .byte 212 - .byte 214 - .byte 216 - .byte 218 - .byte 220 - .byte 222 - .byte 224 - .byte 226 - .byte 228 - .byte 230 - .byte 232 - .byte 234 - .byte 236 - .byte 238 - .byte 240 - .byte 242 - .byte 244 - .byte 246 - .byte 248 - .byte 250 - .byte 252 - .byte 254 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_3, @object - .size table_3, 256 -table_3: - .byte 0 - .byte 128 - .byte 1 - .byte 129 - .byte 2 - .byte 130 - .byte 3 - .byte 131 - .byte 4 - .byte 132 - .byte 5 - .byte 133 - .byte 6 - .byte 134 - .byte 7 - .byte 135 - .byte 8 - .byte 136 - .byte 9 - .byte 137 - .byte 10 - .byte 138 - .byte 11 - .byte 139 - .byte 12 - .byte 140 - .byte 13 - .byte 141 - .byte 14 - .byte 142 - .byte 15 - .byte 143 - .byte 16 - .byte 144 - .byte 17 - .byte 145 - .byte 18 - .byte 146 - .byte 19 - .byte 147 - .byte 20 - .byte 148 - .byte 21 - .byte 149 - .byte 22 - .byte 150 - .byte 23 - .byte 151 - .byte 24 - .byte 152 - 
.byte 25 - .byte 153 - .byte 26 - .byte 154 - .byte 27 - .byte 155 - .byte 28 - .byte 156 - .byte 29 - .byte 157 - .byte 30 - .byte 158 - .byte 31 - .byte 159 - .byte 160 - .byte 32 - .byte 161 - .byte 33 - .byte 162 - .byte 34 - .byte 163 - .byte 35 - .byte 164 - .byte 36 - .byte 165 - .byte 37 - .byte 166 - .byte 38 - .byte 167 - .byte 39 - .byte 168 - .byte 40 - .byte 169 - .byte 41 - .byte 170 - .byte 42 - .byte 171 - .byte 43 - .byte 172 - .byte 44 - .byte 173 - .byte 45 - .byte 174 - .byte 46 - .byte 175 - .byte 47 - .byte 176 - .byte 48 - .byte 177 - .byte 49 - .byte 178 - .byte 50 - .byte 179 - .byte 51 - .byte 180 - .byte 52 - .byte 181 - .byte 53 - .byte 182 - .byte 54 - .byte 183 - .byte 55 - .byte 184 - .byte 56 - .byte 185 - .byte 57 - .byte 186 - .byte 58 - .byte 187 - .byte 59 - .byte 188 - .byte 60 - .byte 189 - .byte 61 - .byte 190 - .byte 62 - .byte 191 - .byte 63 - .byte 64 - .byte 192 - .byte 65 - .byte 193 - .byte 66 - .byte 194 - .byte 67 - .byte 195 - .byte 68 - .byte 196 - .byte 69 - .byte 197 - .byte 70 - .byte 198 - .byte 71 - .byte 199 - .byte 72 - .byte 200 - .byte 73 - .byte 201 - .byte 74 - .byte 202 - .byte 75 - .byte 203 - .byte 76 - .byte 204 - .byte 77 - .byte 205 - .byte 78 - .byte 206 - .byte 79 - .byte 207 - .byte 80 - .byte 208 - .byte 81 - .byte 209 - .byte 82 - .byte 210 - .byte 83 - .byte 211 - .byte 84 - .byte 212 - .byte 85 - .byte 213 - .byte 86 - .byte 214 - .byte 87 - .byte 215 - .byte 88 - .byte 216 - .byte 89 - .byte 217 - .byte 90 - .byte 218 - .byte 91 - .byte 219 - .byte 92 - .byte 220 - .byte 93 - .byte 221 - .byte 94 - .byte 222 - .byte 95 - .byte 223 - .byte 224 - .byte 96 - .byte 225 - .byte 97 - .byte 226 - .byte 98 - .byte 227 - .byte 99 - .byte 228 - .byte 100 - .byte 229 - .byte 101 - .byte 230 - .byte 102 - .byte 231 - .byte 103 - .byte 232 - .byte 104 - .byte 233 - .byte 105 - .byte 234 - .byte 106 - .byte 235 - .byte 107 - .byte 236 - .byte 108 - .byte 237 - .byte 109 - .byte 238 - .byte 110 - .byte 239 
- .byte 111 - .byte 240 - .byte 112 - .byte 241 - .byte 113 - .byte 242 - .byte 114 - .byte 243 - .byte 115 - .byte 244 - .byte 116 - .byte 245 - .byte 117 - .byte 246 - .byte 118 - .byte 247 - .byte 119 - .byte 248 - .byte 120 - .byte 249 - .byte 121 - .byte 250 - .byte 122 - .byte 251 - .byte 123 - .byte 252 - .byte 124 - .byte 253 - .byte 125 - .byte 254 - .byte 126 - .byte 255 - .byte 127 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_4, @object - .size table_4, 112 -table_4: - .byte 1 - .byte 0 - .byte 3 - .byte 0 - .byte 7 - .byte 0 - .byte 15 - .byte 0 - .byte 15 - .byte 1 - .byte 14 - .byte 3 - .byte 13 - .byte 3 - .byte 11 - .byte 3 - .byte 7 - .byte 3 - .byte 15 - .byte 2 - .byte 14 - .byte 1 - .byte 12 - .byte 3 - .byte 9 - .byte 3 - .byte 3 - .byte 3 - .byte 7 - .byte 2 - .byte 14 - .byte 0 - .byte 13 - .byte 1 - .byte 10 - .byte 3 - .byte 5 - .byte 3 - .byte 11 - .byte 2 - .byte 6 - .byte 1 - .byte 12 - .byte 2 - .byte 8 - .byte 1 - .byte 0 - .byte 3 - .byte 1 - .byte 2 - .byte 2 - .byte 0 - .byte 5 - .byte 0 - .byte 11 - .byte 0 - .byte 7 - .byte 1 - .byte 14 - .byte 2 - .byte 12 - .byte 1 - .byte 8 - .byte 3 - .byte 1 - .byte 3 - .byte 3 - .byte 2 - .byte 6 - .byte 0 - .byte 13 - .byte 0 - .byte 11 - .byte 1 - .byte 6 - .byte 3 - .byte 13 - .byte 2 - .byte 10 - .byte 1 - .byte 4 - .byte 3 - .byte 9 - .byte 2 - .byte 2 - .byte 1 - .byte 4 - .byte 2 - .byte 8 - .byte 0 - .byte 1 - .byte 1 - .byte 2 - .byte 2 - .byte 4 - .byte 0 - .byte 9 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 2 - .byte 12 - .byte 0 - .byte 9 - .byte 1 - .byte 2 - .byte 3 - .byte 5 - .byte 2 - .byte 10 - .byte 0 - - .text -.global skinny_128_384_init - .type skinny_128_384_init, @function -skinny_128_384_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ldi r22,12 -1: - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - st Z+,r18 - st Z+,r19 - st Z+,r20 - st Z+,r21 - dec r22 - brne 1b - ret - .size skinny_128_384_init, .-skinny_128_384_init - - .text 
-.global skinny_128_384_encrypt - .type skinny_128_384_encrypt, @function -skinny_128_384_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,48 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 68 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Y+5,r18 - std Y+6,r19 - std Y+7,r20 - std Y+8,r21 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - std Y+9,r18 - std Y+10,r19 - std Y+11,r20 - std Y+12,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - std Y+13,r18 - std Y+14,r19 - std Y+15,r20 - std Y+16,r21 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - std Y+17,r18 - std Y+18,r19 - std Y+19,r20 - std Y+20,r21 - ldd r18,Z+20 - ldd r19,Z+21 - ldd r20,Z+22 - ldd r21,Z+23 - std Y+21,r18 - std Y+22,r19 - std Y+23,r20 - std Y+24,r21 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - std Y+25,r18 - std Y+26,r19 - std Y+27,r20 - std Y+28,r21 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - std Y+29,r18 - std Y+30,r19 - std Y+31,r20 - std Y+32,r21 - ldd r18,Z+32 - ldd r19,Z+33 - ldd r20,Z+34 - ldd r21,Z+35 - std Y+33,r18 - std Y+34,r19 - std Y+35,r20 - std Y+36,r21 - ldd r18,Z+36 - ldd r19,Z+37 - ldd r20,Z+38 - ldd r21,Z+39 - std Y+37,r18 - std Y+38,r19 - std Y+39,r20 - std Y+40,r21 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - std Y+41,r18 - std Y+42,r19 - std Y+43,r20 - std Y+44,r21 - ldd r18,Z+44 - ldd r19,Z+45 - ldd r20,Z+46 - ldd r21,Z+47 - std Y+45,r18 - std Y+46,r19 - std Y+47,r20 - std Y+48,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld 
r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r26,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - mov r26,r1 -114: - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z 
-#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - ldi r27,2 - eor r4,r27 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+33 - eor r18,r0 - ldd r0,Y+34 - eor r19,r0 - ldd r0,Y+35 - eor r20,r0 - ldd r0,Y+36 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - ldd r0,Y+37 - eor r22,r0 - ldd r0,Y+38 - 
eor r23,r0 - ldd r0,Y+39 - eor r2,r0 - ldd r0,Y+40 - eor r3,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z 
-#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - std Y+30,r16 - std Y+31,r24 - std Y+32,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r13 - std Y+42,r17 - std Y+43,r12 - std 
Y+44,r25 - std Y+45,r14 - std Y+46,r16 - std Y+47,r24 - std Y+48,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - 
mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - ldi r27,2 - eor r22,r27 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+41 - eor r8,r0 - ldd r0,Y+42 - eor r9,r0 - ldd r0,Y+43 - eor r10,r0 - ldd r0,Y+44 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - ldd r0,Y+45 - eor r18,r0 - ldd r0,Y+46 - eor r19,r0 - ldd r0,Y+47 - eor r20,r0 - ldd r0,Y+48 - eor 
r21,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - mov r0,r2 - mov r2,r22 - mov r22,r0 - mov r0,r3 - mov r3,r23 - mov r23,r0 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 
-#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r13 - std Y+34,r17 - std Y+35,r12 - std Y+36,r25 - std Y+37,r14 - std Y+38,r16 - std Y+39,r24 - std Y+40,r15 - 
ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - ldi r27,2 - eor r18,r27 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+33 - eor r4,r0 - ldd r0,Y+34 - eor r5,r0 - ldd r0,Y+35 - eor r6,r0 - ldd r0,Y+36 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - ldd r0,Y+37 - eor r8,r0 - ldd r0,Y+38 - eor r9,r0 - ldd r0,Y+39 - eor r10,r0 - ldd r0,Y+40 - eor r11,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - mov 
r0,r20 - mov r20,r18 - mov r18,r0 - mov r0,r21 - mov r21,r19 - mov r19,r0 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z 
-#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - std Y+30,r16 - std Y+31,r24 - std Y+32,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r13 - std Y+42,r17 - std Y+43,r12 - std Y+44,r25 - std Y+45,r14 - std Y+46,r16 - std Y+47,r24 - std Y+48,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if 
defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld 
r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - ldi r27,2 - eor r8,r27 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+41 - eor r22,r0 - ldd r0,Y+42 - eor r23,r0 - ldd r0,Y+43 - eor r2,r0 - ldd r0,Y+44 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - ldd r0,Y+45 - eor r4,r0 - ldd r0,Y+46 - eor r5,r0 - ldd r0,Y+47 - eor r6,r0 - ldd r0,Y+48 - eor r7,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov 
r9,r0 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - cpi r26,112 - brne 5721f - rjmp 790f -5721: - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - 
lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r13 - std Y+34,r17 - std Y+35,r12 - std Y+36,r25 - std Y+37,r14 - std Y+38,r16 - std Y+39,r24 - std Y+40,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - 
out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 114b -790: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+49 - ldd r27,Y+50 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,50 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_384_encrypt, .-skinny_128_384_encrypt - -.global skinny_128_384_encrypt_tk_full - .set skinny_128_384_encrypt_tk_full,skinny_128_384_encrypt - - .text -.global skinny_128_384_decrypt - .type skinny_128_384_decrypt, @function -skinny_128_384_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,48 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 68 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r4,Z+8 - ldd r5,Z+9 - ldd r6,Z+10 - ldd r7,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Y+1,r23 - std Y+2,r2 - std Y+3,r21 - std Y+4,r20 - std Y+5,r3 - std Y+6,r18 - std Y+7,r19 - std Y+8,r22 - std Y+9,r9 - std Y+10,r10 - std Y+11,r7 - std Y+12,r6 - std Y+13,r11 - std Y+14,r4 - std Y+15,r5 - std Y+16,r8 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - ldd r4,Z+24 - ldd r5,Z+25 - ldd r6,Z+26 - ldd r7,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Y+17,r23 - std Y+18,r2 - std Y+19,r21 - std Y+20,r20 - std Y+21,r3 - std Y+22,r18 - std 
Y+23,r19 - std Y+24,r22 - std Y+25,r9 - std Y+26,r10 - std Y+27,r7 - std Y+28,r6 - std Y+29,r11 - std Y+30,r4 - std Y+31,r5 - std Y+32,r8 - ldd r18,Z+32 - ldd r19,Z+33 - ldd r20,Z+34 - ldd r21,Z+35 - ldd r22,Z+36 - ldd r23,Z+37 - ldd r2,Z+38 - ldd r3,Z+39 - ldd r4,Z+40 - ldd r5,Z+41 - ldd r6,Z+42 - ldd r7,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - std Y+33,r23 - std Y+34,r2 - std Y+35,r21 - std Y+36,r20 - std Y+37,r3 - std Y+38,r18 - std Y+39,r19 - std Y+40,r22 - std Y+41,r9 - std Y+42,r10 - std Y+43,r7 - std Y+44,r6 - std Y+45,r11 - std Y+46,r4 - std Y+47,r5 - std Y+48,r8 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r26,hh8(table_2) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,28 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 -122: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 122b - std Y+17,r12 - std Y+18,r13 - std Y+19,r14 - std Y+20,r15 - std Y+21,r24 - std Y+22,r25 - std Y+23,r16 - std Y+24,r17 - ldi r26,28 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 -150: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif 
defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 150b - std Y+25,r12 - std Y+26,r13 - std Y+27,r14 - std Y+28,r15 - std Y+29,r24 - std Y+30,r25 - std Y+31,r16 - std Y+32,r17 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r26,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,28 - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 -179: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 179b - std Y+33,r12 - std Y+34,r13 - std Y+35,r14 - std Y+36,r15 - std Y+37,r24 - std Y+38,r25 - std Y+39,r16 - std Y+40,r17 - ldi r26,28 - ldd r12,Y+41 - ldd r13,Y+42 - 
ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 -207: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 207b - std Y+41,r12 - std Y+42,r13 - std Y+43,r14 - std Y+44,r15 - std Y+45,r24 - std Y+46,r25 - std Y+47,r16 - std Y+48,r17 - ldi r26,112 -227: - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 
-#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r14 - std Y+34,r12 - std Y+35,r24 - std Y+36,r17 - std Y+37,r16 - std Y+38,r15 - std Y+39,r25 - std Y+40,r13 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - mov r0,r8 - mov r8,r10 - mov r10,r0 - mov r0,r9 - mov r9,r11 - mov r11,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+41 - eor r22,r0 - ldd r0,Y+42 - eor r23,r0 - ldd r0,Y+43 - eor r2,r0 - ldd r0,Y+44 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - ldd 
r0,Y+45 - eor r4,r0 - ldd r0,Y+46 - eor r5,r0 - ldd r0,Y+47 - eor r6,r0 - ldd r0,Y+48 - eor r7,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - ldi r27,2 - eor r8,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif 
defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - 
ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm 
r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r14 - std Y+42,r12 - std Y+43,r24 - std Y+44,r17 - std Y+45,r16 - std Y+46,r15 - std Y+47,r25 - std Y+48,r13 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r18 - mov r18,r20 - mov r20,r0 - mov r0,r19 - mov r19,r21 - mov r21,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+33 - eor r4,r0 - ldd r0,Y+34 - eor r5,r0 - ldd r0,Y+35 - eor r6,r0 - ldd r0,Y+36 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - ldd r0,Y+37 - eor r8,r0 - ldd r0,Y+38 - eor r9,r0 - ldd r0,Y+39 - eor r10,r0 - 
ldd r0,Y+40 - eor r11,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - ldi r27,2 - eor r18,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov 
r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm 
r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - 
mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r14 - std Y+34,r12 - std Y+35,r24 - std Y+36,r17 - std Y+37,r16 - std Y+38,r15 - std Y+39,r25 - std Y+40,r13 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - mov r0,r22 - mov r22,r2 - mov r2,r0 - mov r0,r23 - mov r23,r3 - mov r3,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+41 - eor r8,r0 - ldd r0,Y+42 - eor r9,r0 - ldd r0,Y+43 - eor r10,r0 - ldd r0,Y+44 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - ldd r0,Y+45 - eor r18,r0 - ldd r0,Y+46 - eor r19,r0 - ldd r0,Y+47 - eor r20,r0 - ldd r0,Y+48 - eor r21,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) 
-#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - ldi r27,2 - eor r22,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z 
-#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r14 - std Y+42,r12 - std Y+43,r24 - std Y+44,r17 - std Y+45,r16 - std Y+46,r15 - std Y+47,r25 - std Y+48,r13 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - mov r0,r4 - mov r4,r6 - mov r6,r0 - mov r0,r5 - mov r5,r7 - mov r7,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+33 - eor r18,r0 - ldd r0,Y+34 - eor r19,r0 - ldd r0,Y+35 - eor r20,r0 - ldd r0,Y+36 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - ldd r0,Y+37 - eor r22,r0 - ldd r0,Y+38 - eor r23,r0 - ldd r0,Y+39 - eor r2,r0 - ldd r0,Y+40 - eor r3,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out 
_SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - ldi r27,2 - eor r4,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif 
defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - cp r26,r1 - breq 903f - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 227b -903: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+49 - ldd r27,Y+50 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,50 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_384_decrypt, .-skinny_128_384_decrypt - - .text -.global 
skinny_128_256_init - .type skinny_128_256_init, @function -skinny_128_256_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ldi r22,8 -1: - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - st Z+,r18 - st Z+,r19 - st Z+,r20 - st Z+,r21 - dec r22 - brne 1b - ret - .size skinny_128_256_init, .-skinny_128_256_init - - .text -.global skinny_128_256_encrypt - .type skinny_128_256_encrypt, @function -skinny_128_256_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,32 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 52 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Y+5,r18 - std Y+6,r19 - std Y+7,r20 - std Y+8,r21 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - std Y+9,r18 - std Y+10,r19 - std Y+11,r20 - std Y+12,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - std Y+13,r18 - std Y+14,r19 - std Y+15,r20 - std Y+16,r21 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - std Y+17,r18 - std Y+18,r19 - std Y+19,r20 - std Y+20,r21 - ldd r18,Z+20 - ldd r19,Z+21 - ldd r20,Z+22 - ldd r21,Z+23 - std Y+21,r18 - std Y+22,r19 - std Y+23,r20 - std Y+24,r21 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - std Y+25,r18 - std Y+26,r19 - std Y+27,r20 - std Y+28,r21 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - std Y+29,r18 - std Y+30,r19 - std Y+31,r20 - std Y+32,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi 
r26,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - mov r26,r1 -82: - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - ldi r27,2 - eor r4,r27 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - eor r4,r18 - eor r5,r19 - 
eor r6,r20 - eor r7,r21 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - std Y+30,r16 - std Y+31,r24 
- std Y+32,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - 
elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - ldi r27,2 - eor r22,r27 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - mov r0,r2 - mov r2,r22 - mov r22,r0 - mov r0,r3 - mov r3,r23 - mov r23,r0 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - eor 
r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std 
Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm 
r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - ldi r27,2 - eor r18,r27 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - mov r0,r20 - mov r20,r18 - mov r18,r0 - mov r0,r21 - mov r21,r19 - mov r19,r0 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - eor 
r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - 
std Y+30,r16 - std Y+31,r24 - std Y+32,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if 
defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - ldi r27,2 - eor r8,r27 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r4,r8 - eor r5,r9 - 
eor r6,r10 - eor r7,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - cpi r26,96 - breq 594f - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std 
Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 82b -594: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+33 - ldd r27,Y+34 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,34 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_256_encrypt, .-skinny_128_256_encrypt - -.global skinny_128_256_encrypt_tk_full - .set skinny_128_256_encrypt_tk_full,skinny_128_256_encrypt - - .text -.global skinny_128_256_decrypt - .type skinny_128_256_decrypt, @function -skinny_128_256_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,32 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 52 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r4,Z+8 - ldd r5,Z+9 - ldd r6,Z+10 - ldd r7,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - std Y+5,r22 - std Y+6,r23 - std Y+7,r2 - std Y+8,r3 - std Y+9,r4 - std Y+10,r5 - std Y+11,r6 - std Y+12,r7 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - ldd r4,Z+24 - ldd r5,Z+25 - ldd 
r6,Z+26 - ldd r7,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Y+17,r18 - std Y+18,r19 - std Y+19,r20 - std Y+20,r21 - std Y+21,r22 - std Y+22,r23 - std Y+23,r2 - std Y+24,r3 - std Y+25,r4 - std Y+26,r5 - std Y+27,r6 - std Y+28,r7 - std Y+29,r8 - std Y+30,r9 - std Y+31,r10 - std Y+32,r11 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r26,hh8(table_2) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,24 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 -90: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if 
defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 90b - std Y+17,r12 - std Y+18,r13 - std Y+19,r14 - std Y+20,r15 - std Y+21,r24 - std Y+22,r25 - std Y+23,r16 - std Y+24,r17 - ldi r26,24 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 -118: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 118b - std Y+25,r12 - std Y+26,r13 - std Y+27,r14 - std Y+28,r15 - std Y+29,r24 - std Y+30,r25 - std Y+31,r16 - std Y+32,r17 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r26,hh8(table_3) - 
out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,96 -139: - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r4,r8 - eor r5,r9 - eor r6,r10 - 
eor r7,r11 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - mov r0,r8 - mov r8,r10 - mov r10,r0 - mov r0,r9 - mov r9,r11 - mov r11,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - ldi r27,2 - eor r8,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z 
-#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - 
ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r8,r18 - eor 
r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r18 - mov r18,r20 - mov r20,r0 - mov r0,r19 - mov r19,r21 - mov r21,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - ldi r27,2 - eor r18,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - 
elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if 
defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r18,r22 - eor 
r19,r23 - eor r20,r2 - eor r21,r3 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - mov r0,r22 - mov r22,r2 - mov r2,r0 - mov r0,r23 - mov r23,r3 - mov r3,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - ldi r27,2 - eor r22,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 
-#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_3) - ldi 
r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - mov r0,r4 - mov r4,r6 - mov r6,r0 - mov r0,r5 - mov r5,r7 - mov r7,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - ldi r27,2 - eor r4,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - 
mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - cp r26,r1 - 
breq 651f
- ldi r30,lo8(table_3)
- ldi r31,hi8(table_3)
-#if defined(RAMPZ)
- ldi r27,hh8(table_3)
- out _SFR_IO_ADDR(RAMPZ),r27
-#endif
- rjmp 139b
-651:
-#if defined(RAMPZ)
- pop r0
- out _SFR_IO_ADDR(RAMPZ),r0
-#endif
- ldd r26,Y+33
- ldd r27,Y+34
- st X+,r18
- st X+,r19
- st X+,r20
- st X+,r21
- st X+,r22
- st X+,r23
- st X+,r2
- st X+,r3
- st X+,r4
- st X+,r5
- st X+,r6
- st X+,r7
- st X+,r8
- st X+,r9
- st X+,r10
- st X+,r11
- adiw r28,34
- in r0,0x3f
- cli
- out 0x3e,r29
- out 0x3f,r0
- out 0x3d,r28
- pop r17
- pop r16
- pop r15
- pop r14
- pop r13
- pop r12
- pop r11
- pop r10
- pop r9
- pop r8
- pop r7
- pop r6
- pop r5
- pop r4
- pop r3
- pop r2
- pop r29
- pop r28
- ret
- .size skinny_128_256_decrypt, .-skinny_128_256_decrypt
-
-#endif
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-skinny128.c b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-skinny128.c
deleted file mode 100644
index 579ced1..0000000
--- a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-skinny128.c
+++ /dev/null
@@ -1,801 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-skinny128.h"
-#include "internal-skinnyutil.h"
-#include "internal-util.h"
-#include
-
-#if !defined(__AVR__)
-
-STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
-{
- /* This function is used to fast-forward the TK1 tweak value
- * to the value at the end of the key schedule for decryption.
- *
- * The tweak permutation repeats every 16 rounds, so SKINNY-128-256
- * with 48 rounds does not need any fast forwarding applied.
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds
- * are equivalent to applying the permutation 8 times:
- *
- * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12]
- */
- uint32_t row0 = tk[0];
- uint32_t row1 = tk[1];
- uint32_t row2 = tk[2];
- uint32_t row3 = tk[3];
- tk[0] = ((row1 >> 8) & 0x0000FFFFU) |
- ((row0 >> 8) & 0x00FF0000U) |
- ((row0 << 8) & 0xFF000000U);
- tk[1] = ((row1 >> 24) & 0x000000FFU) |
- ((row0 << 8) & 0x00FFFF00U) |
- ((row1 << 24) & 0xFF000000U);
- tk[2] = ((row3 >> 8) & 0x0000FFFFU) |
- ((row2 >> 8) & 0x00FF0000U) |
- ((row2 << 8) & 0xFF000000U);
- tk[3] = ((row3 >> 24) & 0x000000FFU) |
- ((row2 << 8) & 0x00FFFF00U) |
- ((row3 << 24) & 0xFF000000U);
-}
-
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
- memcpy(ks->TK3, key + 32, sizeof(ks->TK3));
-#else
- /* Set the initial states of TK1, TK2, and TK3 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Set up the key schedule using TK2 and TK3. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4);
-
- /* Permute TK2 and TK3 for the next round */
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
-
- /* Apply the LFSR's to TK2 and TK3 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-#endif
-}
-
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0x15;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Permute TK1 to fast-forward it to the end of the key schedule */
- skinny128_fast_forward_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_fast_forward_tk(TK2);
- skinny128_fast_forward_tk(TK3);
- for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2 and TK3.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- skinny128_LFSR3(TK3[2]);
- skinny128_LFSR3(TK3[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_inv_permute_tk(TK3);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
- skinny128_LFSR2(TK3[2]);
- skinny128_LFSR2(TK3[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
- TK2[0] = le_load_word32(tk2);
- TK2[1] = le_load_word32(tk2 + 4);
- TK2[2] = le_load_word32(tk2 + 8);
- TK2[3] = le_load_word32(tk2 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0] ^ TK2[0];
- s1 ^= schedule[1] ^ TK1[1] ^ TK2[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB.
That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK3); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_384_encrypt_tk_full - (const unsigned char key[48], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t TK3[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - TK3[0] = le_load_word32(key + 32); - TK3[1] = le_load_word32(key + 36); - TK3[2] = le_load_word32(key + 40); - TK3[3] = le_load_word32(key + 44); - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this 
round */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); - s2 ^= 0x02; - - /* Shift the cells in the rows right, which moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1, TK2, and TK3 for the next round */ - skinny128_permute_tk(TK1); - skinny128_permute_tk(TK2); - skinny128_permute_tk(TK3); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR3(TK3[0]); - skinny128_LFSR3(TK3[1]); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_init - (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) -{ -#if !SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint32_t *schedule; - unsigned round; - uint8_t rc; -#endif - -#if SKINNY_128_SMALL_SCHEDULE - /* Copy the input key as-is when using the small key schedule version */ - memcpy(ks->TK1, key, sizeof(ks->TK1)); - memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); -#else - /* Set the initial states of TK1 and TK2 */ - memcpy(ks->TK1, key, 16); - TK2[0] = le_load_word32(key + 16); - TK2[1] = le_load_word32(key + 20); - TK2[2] = le_load_word32(key + 24); - TK2[3] = le_load_word32(key + 28); - - /* Set up the key schedule using TK2. TK1 is not added - * to the key schedule because we will derive that part of the - * schedule during encryption operations */ - schedule = ks->k; - rc = 0; - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { - /* XOR the round constants with the current schedule words. 
- * The round constants for the 3rd and 4th rows are - * fixed and will be applied during encryption. */ - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - schedule[0] = TK2[0] ^ (rc & 0x0F); - schedule[1] = TK2[1] ^ (rc >> 4); - - /* Permute TK2 for the next round */ - skinny128_permute_tk(TK2); - - /* Apply the LFSR to TK2 */ - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - } -#endif -} - -void skinny_128_256_encrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0; -#else - const uint32_t *schedule = ks->k; -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1 */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); -#endif - - /* Perform all encryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Apply the S-box to all bytes in the state */ - skinny128_sbox(s0); - skinny128_sbox(s1); - skinny128_sbox(s2); - skinny128_sbox(s3); - - /* XOR the round constant and the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; - rc &= 0x3F; - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; -#endif - s2 ^= 0x02; - - /* Shift the cells in the rows right, which 
moves the cell - * values up closer to the MSB. That is, we do a left rotate - * on the word to rotate the cells in the word right */ - s1 = leftRotate8(s1); - s2 = leftRotate16(s2); - s3 = leftRotate24(s3); - - /* Mix the columns */ - s1 ^= s2; - s2 ^= s0; - temp = s3 ^ s2; - s3 = s2; - s2 = s1; - s1 = s0; - s0 = temp; - - /* Permute TK1 and TK2 for the next round */ - skinny128_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_permute_tk(TK2); - skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); -#else - schedule += 2; -#endif - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_decrypt - (const skinny_128_256_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; -#if SKINNY_128_SMALL_SCHEDULE - uint32_t TK2[4]; - uint8_t rc = 0x09; -#else - const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); -#endif - uint32_t temp; - unsigned round; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakable part of the state, TK1. - * There is no need to fast-forward TK1 because the value at - * the end of the key schedule is the same as at the start */ - TK1[0] = le_load_word32(ks->TK1); - TK1[1] = le_load_word32(ks->TK1 + 4); - TK1[2] = le_load_word32(ks->TK1 + 8); - TK1[3] = le_load_word32(ks->TK1 + 12); -#if SKINNY_128_SMALL_SCHEDULE - TK2[0] = le_load_word32(ks->TK2); - TK2[1] = le_load_word32(ks->TK2 + 4); - TK2[2] = le_load_word32(ks->TK2 + 8); - TK2[3] = le_load_word32(ks->TK2 + 12); - for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { - // Also fast-forward the LFSR's on every byte of TK2. 
- skinny128_LFSR2(TK2[0]); - skinny128_LFSR2(TK2[1]); - skinny128_LFSR2(TK2[2]); - skinny128_LFSR2(TK2[3]); - } -#endif - - /* Perform all decryption rounds */ - for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { - /* Inverse permutation on TK1 for this round */ - skinny128_inv_permute_tk(TK1); -#if SKINNY_128_SMALL_SCHEDULE - skinny128_inv_permute_tk(TK2); - skinny128_LFSR3(TK2[2]); - skinny128_LFSR3(TK2[3]); -#endif - - /* Inverse mix of the columns */ - temp = s3; - s3 = s0; - s0 = s1; - s1 = s2; - s3 ^= temp; - s2 = temp ^ s0; - s1 ^= s2; - - /* Inverse shift of the rows */ - s1 = leftRotate24(s1); - s2 = leftRotate16(s2); - s3 = leftRotate8(s3); - - /* Apply the subkey for this round */ -#if SKINNY_128_SMALL_SCHEDULE - rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); - s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); - s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); -#else - s0 ^= schedule[0] ^ TK1[0]; - s1 ^= schedule[1] ^ TK1[1]; - schedule -= 2; -#endif - s2 ^= 0x02; - - /* Apply the inverse of the S-box to all bytes in the state */ - skinny128_inv_sbox(s0); - skinny128_inv_sbox(s1); - skinny128_inv_sbox(s2); - skinny128_inv_sbox(s3); - } - - /* Pack the result into the output buffer */ - le_store_word32(output, s0); - le_store_word32(output + 4, s1); - le_store_word32(output + 8, s2); - le_store_word32(output + 12, s3); -} - -void skinny_128_256_encrypt_tk_full - (const unsigned char key[32], unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t TK1[4]; - uint32_t TK2[4]; - uint32_t temp; - unsigned round; - uint8_t rc = 0; - - /* Unpack the input block into the state array */ - s0 = le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Make a local copy of the tweakey */ - TK1[0] = le_load_word32(key); - TK1[1] = le_load_word32(key + 4); - TK1[2] = le_load_word32(key + 8); - TK1[3] = le_load_word32(key + 12); - TK2[0] = le_load_word32(key + 16); - TK2[1] 
= le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-#else /* __AVR__ */
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- memcpy(ks->TK2, tk2, 16);
- skinny_128_384_encrypt(ks, output, input);
-}
-
-#endif /* __AVR__ */
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-skinny128.h b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-skinny128.h
deleted file mode 100644
index 2bfda3c..0000000
--- a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-skinny128.h
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNY128_H
-#define LW_INTERNAL_SKINNY128_H
-
-/**
- * \file internal-skinny128.h
- * \brief SKINNY-128 block cipher family.
- *
- * References: https://eprint.iacr.org/2016/660.pdf,
- * https://sites.google.com/site/skinnycipher/
- */
-
-#include
-#include
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \def SKINNY_128_SMALL_SCHEDULE
- * \brief Defined to 1 to use the small key schedule version of SKINNY-128.
- */
-#if defined(__AVR__)
-#define SKINNY_128_SMALL_SCHEDULE 1
-#else
-#define SKINNY_128_SMALL_SCHEDULE 0
-#endif
-
-/**
- * \brief Size of a block for SKINNY-128 block ciphers.
- */
-#define SKINNY_128_BLOCK_SIZE 16
-
-/**
- * \brief Number of rounds for SKINNY-128-384.
- */
-#define SKINNY_128_384_ROUNDS 56
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-384.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-
- /** TK3 for the small key schedule */
- uint8_t TK3[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_384_ROUNDS * 2];
-#endif
-
-} skinny_128_384_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-384.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly
- * provided TK2 value.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tk2 TK2 value that should be updated on the fly.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when both TK1 and TK2 change from block to block.
- * When the key is initialized with skinny_128_384_init(), the TK2 part of
- * the key value should be set to zero.
- *
- * \note Some versions of this function may modify the key schedule to
- * copy tk2 into place.
- */
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 384-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-384 but
- * more memory-efficient.
- */
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Number of rounds for SKINNY-128-256.
- */
-#define SKINNY_128_256_ROUNDS 48
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-256.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_256_ROUNDS * 2];
-#endif
-
-} skinny_128_256_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-256.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 256-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-256 but
- * more memory-efficient.
- */
-void skinny_128_256_encrypt_tk_full
- (const unsigned char key[32], unsigned char *output,
- const unsigned char *input);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-skinnyutil.h b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-skinnyutil.h
deleted file mode 100644
index 83136cb..0000000
--- a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-skinnyutil.h
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNYUTIL_H
-#define LW_INTERNAL_SKINNYUTIL_H
-
-/**
- * \file internal-skinnyutil.h
- * \brief Utilities to help implement SKINNY and its variants.
- */ - -#include "internal-util.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/** @cond skinnyutil */ - -/* Utilities for implementing SKINNY-128 */ - -#define skinny128_LFSR2(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ - (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ - } while (0) - - -#define skinny128_LFSR3(x) \ - do { \ - uint32_t _x = (x); \ - (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ - (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) -#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) - -#define skinny128_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint32_t row2 = tk[2]; \ - uint32_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 16) | (row3 >> 16); \ - tk[0] = ((row2 >> 8) & 0x000000FFU) | \ - ((row2 << 16) & 0x00FF0000U) | \ - ( row3 & 0xFF00FF00U); \ - tk[1] = ((row2 >> 16) & 0x000000FFU) | \ - (row2 & 0xFF000000U) | \ - ((row3 << 8) & 0x0000FF00U) | \ - ( row3 & 0x00FF0000U); \ - } while (0) - -#define skinny128_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint32_t row0 = tk[0]; \ - uint32_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 >> 16) & 0x000000FFU) | \ - ((row0 << 8) & 0x0000FF00U) | \ - ((row1 << 16) & 0x00FF0000U) | \ - ( row1 & 0xFF000000U); \ - tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ - ((row0 << 16) & 0xFF000000U) | \ - ((row1 >> 16) & 0x000000FFU) | \ - ((row1 << 8) & 0x00FF0000U); \ - } while (0) - -/* - * Apply the SKINNY sbox. 
The original version from the specification is - * equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE(x) - * ((((x) & 0x01010101U) << 2) | - * (((x) & 0x06060606U) << 5) | - * (((x) & 0x20202020U) >> 5) | - * (((x) & 0xC8C8C8C8U) >> 2) | - * (((x) & 0x10101010U) >> 1)) - * - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * return SBOX_SWAP(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ - y = (((x >> 5) & (x << 1)) & 0x04040404U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ - x = ((x & 0x08080808U) << 1) | \ - ((x & 0x32323232U) << 2) | \ - ((x & 0x01010101U) << 5) | \ - ((x & 0x80808080U) >> 6) | \ - ((x & 0x40404040U) >> 4) | \ - ((x & 0x04040404U) >> 2); \ -} while (0) - -/* - * Apply the inverse of the SKINNY sbox. 
The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE_INV(x) - * ((((x) & 0x08080808U) << 1) | - * (((x) & 0x32323232U) << 2) | - * (((x) & 0x01010101U) << 5) | - * (((x) & 0xC0C0C0C0U) >> 5) | - * (((x) & 0x04040404U) >> 2)) - * - * x = SBOX_SWAP(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_inv_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ - x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ - y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ - x = ((x & 0x01010101U) << 2) | \ - ((x & 0x04040404U) << 4) | \ - ((x & 0x02020202U) << 6) | \ - ((x & 0x20202020U) >> 5) | \ - ((x & 0xC8C8C8C8U) >> 2) | \ - ((x & 0x10101010U) >> 1); \ -} while (0) - -/* Utilities for implementing SKINNY-64 */ - -#define skinny64_LFSR2(x) \ - do { \ - uint16_t _x = (x); \ - (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ - } while (0) - -#define skinny64_LFSR3(x) \ - do { \ - uint16_t _x = (x); 
\ - (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) -#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) - -#define skinny64_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint16_t row2 = tk[2]; \ - uint16_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 8) | (row3 >> 8); \ - tk[0] = ((row2 << 4) & 0xF000U) | \ - ((row2 >> 8) & 0x00F0U) | \ - ( row3 & 0x0F0FU); \ - tk[1] = ((row2 << 8) & 0xF000U) | \ - ((row3 >> 4) & 0x0F00U) | \ - ( row3 & 0x00F0U) | \ - ( row2 & 0x000FU); \ - } while (0) - -#define skinny64_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint16_t row0 = tk[0]; \ - uint16_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 << 8) & 0xF000U) | \ - ((row0 >> 4) & 0x0F00U) | \ - ((row1 >> 8) & 0x00F0U) | \ - ( row1 & 0x000FU); \ - tk[3] = ((row1 << 8) & 0xF000U) | \ - ((row0 << 8) & 0x0F00U) | \ - ((row1 >> 4) & 0x00F0U) | \ - ((row0 >> 8) & 0x000FU); \ - } while (0) - -/* - * Apply the SKINNY-64 sbox. The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT(x) - * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_SHIFT steps to be performed with one final rotation. - * This reduces the number of required shift operations from 14 to 10. 
- * - * We can further reduce the number of NOT operations from 4 to 2 - * using the technique from https://github.com/kste/skinny_avx to - * convert NOR-XOR operations into AND-XOR operations by converting - * the S-box into its NOT-inverse. - */ -#define skinny64_sbox(x) \ -do { \ - x = ~x; \ - x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ - x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ - x = ~x; \ - x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ -} while (0) - -/* - * Apply the inverse of the SKINNY-64 sbox. The original version - * from the specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT_INV(x) - * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT_INV(x); - * return SBOX_MIX(x); - */ -#define skinny64_inv_sbox(x) \ -do { \ - x = ~x; \ - x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ - x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ - x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ - x = ~x; \ - x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ -} while (0) - -/** @endcond */ - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-util.h b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/skinny-hash.c b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/skinny-hash.c
deleted file mode 100644
index 0abdeff..0000000
--- a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/skinny-hash.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "skinny-hash.h"
-#include "internal-skinny128.h"
-#include "internal-util.h"
-#include
-
-aead_hash_algorithm_t const skinny_tk3_hash_algorithm = {
- "SKINNY-tk3-HASH",
- sizeof(int),
- SKINNY_HASH_SIZE,
- AEAD_FLAG_NONE,
- skinny_tk3_hash,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const skinny_tk2_hash_algorithm = {
- "SKINNY-tk2-HASH",
- sizeof(int),
- SKINNY_HASH_SIZE,
- AEAD_FLAG_NONE,
- skinny_tk2_hash,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \brief Size of the permutation state for SKINNY-tk3-HASH.
- */
-#define SKINNY_TK3_STATE_SIZE 48
-
-/**
- * \brief Size of the permutation state for SKINNY-tk2-HASH.
- */
-#define SKINNY_TK2_STATE_SIZE 32
-
-/**
- * \brief Rate of absorbing data for SKINNY-tk3-HASH.
- */
-#define SKINNY_TK3_HASH_RATE 16
-
-/**
- * \brief Rate of absorbing data for SKINNY-tk2-HASH.
- */
-#define SKINNY_TK2_HASH_RATE 4
-
-/**
- * \brief Input block that is encrypted with the state for each
- * block permutation of SKINNY-tk3-HASH or SKINNY-tk2-HASH.
- */
-static unsigned char const skinny_hash_block[48] = {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-/**
- * \brief Permutes the internal state for SKINNY-tk3-HASH.
- *
- * \param state The state to be permuted.
- */
-static void skinny_tk3_permute(unsigned char state[SKINNY_TK3_STATE_SIZE])
-{
- unsigned char temp[SKINNY_TK3_STATE_SIZE];
- skinny_128_384_encrypt_tk_full(state, temp, skinny_hash_block);
- skinny_128_384_encrypt_tk_full(state, temp + 16, skinny_hash_block + 16);
- skinny_128_384_encrypt_tk_full(state, temp + 32, skinny_hash_block + 32);
- memcpy(state, temp, SKINNY_TK3_STATE_SIZE);
-}
-
-/**
- * \brief Permutes the internal state for SKINNY-tk2-HASH.
- *
- * \param state The state to be permuted.
- */
-static void skinny_tk2_permute(unsigned char state[SKINNY_TK2_STATE_SIZE])
-{
- unsigned char temp[SKINNY_TK2_STATE_SIZE];
- skinny_128_256_encrypt_tk_full(state, temp, skinny_hash_block);
- skinny_128_256_encrypt_tk_full(state, temp + 16, skinny_hash_block + 16);
- memcpy(state, temp, SKINNY_TK2_STATE_SIZE);
-}
-
-int skinny_tk3_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- unsigned char state[SKINNY_TK3_STATE_SIZE];
- unsigned temp;
-
- /* Initialize the hash state */
- memset(state, 0, sizeof(state));
- state[SKINNY_TK3_HASH_RATE] = 0x80;
-
- /* Process as many full blocks as possible */
- while (inlen >= SKINNY_TK3_HASH_RATE) {
- lw_xor_block(state, in, SKINNY_TK3_HASH_RATE);
- skinny_tk3_permute(state);
- in += SKINNY_TK3_HASH_RATE;
- inlen -= SKINNY_TK3_HASH_RATE;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)inlen;
- lw_xor_block(state, in, temp);
- state[temp] ^= 0x80; /* padding */
- skinny_tk3_permute(state);
-
- /* Generate the hash output */
- memcpy(out, state, 16);
- skinny_tk3_permute(state);
- memcpy(out + 16, state, 16);
- return 0;
-}
-
-int skinny_tk2_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- unsigned char state[SKINNY_TK2_STATE_SIZE];
- unsigned temp;
-
- /* Initialize the hash state */
- memset(state, 0, sizeof(state));
- state[SKINNY_TK2_HASH_RATE] = 0x80;
-
- /* Process as many full blocks as possible */
- while (inlen >= SKINNY_TK2_HASH_RATE) {
- lw_xor_block(state, in, SKINNY_TK2_HASH_RATE);
- skinny_tk2_permute(state);
- in += SKINNY_TK2_HASH_RATE;
- inlen -= SKINNY_TK2_HASH_RATE;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)inlen;
- lw_xor_block(state, in, temp);
- state[temp] ^= 0x80; /* padding */
- skinny_tk2_permute(state);
-
- /* Generate the hash output */
- memcpy(out, state, 16);
- skinny_tk2_permute(state);
- memcpy(out + 16, state, 16);
- return 0;
-}
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/skinny-hash.h b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/skinny-hash.h
deleted file mode 100644
index f75ce9f..0000000
--- a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/skinny-hash.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SKINNY_HASH_H
-#define LWCRYPTO_SKINNY_HASH_H
-
-#include "aead-common.h"
-
-/**
- * \file skinny-hash.h
- * \brief Hash algorithms based on the SKINNY block cipher.
- *
- * The SKINNY-AEAD family includes two hash algorithms:
- *
- * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the
- * SKINNY-128-384 tweakable block cipher. This is the primary hashing
- * member of the family.
- * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the
- * SKINNY-128-256 tweakable block cipher.
- *
- * References: https://sites.google.com/site/skinnycipher/home
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the hash output for SKINNY-tk3-HASH and SKINNY-tk2-HASH.
- */
-#define SKINNY_HASH_SIZE 32
-
-/**
- * \brief Meta-information block for the SKINNY-tk3-HASH algorithm.
- */
-extern aead_hash_algorithm_t const skinny_tk3_hash_algorithm;
-
-/**
- * \brief Meta-information block for the SKINNY-tk2-HASH algorithm.
- */
-extern aead_hash_algorithm_t const skinny_tk2_hash_algorithm;
-
-/**
- * \brief Hashes a block of input data with SKINNY-tk3-HASH to
- * generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * SKINNY_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int skinny_tk3_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with SKINNY-tk2-HASH to
- * generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * SKINNY_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int skinny_tk2_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/aead-common.c b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/aead-common.c
similarity index 100%
rename from elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/aead-common.c
rename to skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/aead-common.c
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/aead-common.h b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/aead-common.h
similarity index 100%
rename from elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/aead-common.h
rename to skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/aead-common.h
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/api.h b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/api.h
new file mode 100644
index 0000000..ae8c7f6
--- /dev/null
+++ b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/api.h
@@ -0,0 +1 @@
+#define CRYPTO_BYTES 32
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/hash.c b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/hash.c
similarity index 100%
rename from skinny/Implementations/crypto_hash/skinnyhashtk2/rhys-avr/hash.c
rename to skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/hash.c
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-skinny128-avr.S b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-skinny128-avr.S
new file mode 100644
index 0000000..d342cd5
--- /dev/null
+++ b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-skinny128-avr.S
@@ -0,0 +1,10099 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 256 +table_0: + .byte 101 + .byte 76 + .byte 106 + .byte 66 + .byte 75 + .byte 99 + .byte 67 + .byte 107 + .byte 85 + .byte 117 + .byte 90 + .byte 122 + .byte 83 + .byte 115 + .byte 91 + .byte 123 + .byte 53 + .byte 140 + .byte 58 + .byte 129 + .byte 137 + .byte 51 + .byte 128 + .byte 59 + .byte 149 + .byte 37 + .byte 152 + .byte 42 + .byte 144 + .byte 35 + .byte 153 + .byte 43 + .byte 229 + .byte 204 + .byte 232 + .byte 193 + .byte 201 + .byte 224 + .byte 192 + .byte 233 + .byte 213 + .byte 245 + .byte 216 + .byte 248 + .byte 208 + .byte 240 + .byte 217 + .byte 249 + .byte 165 + .byte 28 + .byte 168 + .byte 18 + .byte 27 + .byte 160 + .byte 19 + .byte 169 + .byte 5 + .byte 181 + .byte 10 + .byte 184 + .byte 3 + .byte 176 + .byte 11 + .byte 185 + .byte 50 + .byte 136 + .byte 60 + .byte 133 + .byte 141 + .byte 52 + .byte 132 + .byte 61 + .byte 145 + .byte 34 + .byte 156 + .byte 44 + .byte 148 + .byte 36 + .byte 157 + .byte 45 + .byte 98 + .byte 74 + .byte 108 + .byte 69 + .byte 77 + .byte 100 + .byte 68 + .byte 109 + .byte 82 + .byte 114 + .byte 92 + .byte 124 + .byte 84 + .byte 116 + .byte 93 + .byte 125 + .byte 161 + .byte 26 + .byte 172 + .byte 21 + .byte 29 + .byte 164 + .byte 20 + .byte 173 + .byte 2 + .byte 177 + .byte 12 + .byte 188 + .byte 4 + .byte 180 + .byte 13 + .byte 189 + .byte 225 + .byte 200 + .byte 236 + .byte 197 + .byte 205 + .byte 228 + .byte 196 + .byte 237 + .byte 209 + .byte 241 + .byte 220 + .byte 252 + .byte 212 + .byte 244 + .byte 221 + .byte 253 + .byte 54 + .byte 142 + .byte 56 + .byte 130 + .byte 139 + .byte 48 + .byte 131 + .byte 57 + .byte 150 + .byte 38 + .byte 154 + .byte 40 + .byte 147 + .byte 32 + .byte 155 + .byte 41 + .byte 102 + .byte 78 + .byte 104 + .byte 65 + .byte 73 + .byte 96 + .byte 64 + .byte 105 + .byte 86 + .byte 118 + .byte 88 + 
.byte 120 + .byte 80 + .byte 112 + .byte 89 + .byte 121 + .byte 166 + .byte 30 + .byte 170 + .byte 17 + .byte 25 + .byte 163 + .byte 16 + .byte 171 + .byte 6 + .byte 182 + .byte 8 + .byte 186 + .byte 0 + .byte 179 + .byte 9 + .byte 187 + .byte 230 + .byte 206 + .byte 234 + .byte 194 + .byte 203 + .byte 227 + .byte 195 + .byte 235 + .byte 214 + .byte 246 + .byte 218 + .byte 250 + .byte 211 + .byte 243 + .byte 219 + .byte 251 + .byte 49 + .byte 138 + .byte 62 + .byte 134 + .byte 143 + .byte 55 + .byte 135 + .byte 63 + .byte 146 + .byte 33 + .byte 158 + .byte 46 + .byte 151 + .byte 39 + .byte 159 + .byte 47 + .byte 97 + .byte 72 + .byte 110 + .byte 70 + .byte 79 + .byte 103 + .byte 71 + .byte 111 + .byte 81 + .byte 113 + .byte 94 + .byte 126 + .byte 87 + .byte 119 + .byte 95 + .byte 127 + .byte 162 + .byte 24 + .byte 174 + .byte 22 + .byte 31 + .byte 167 + .byte 23 + .byte 175 + .byte 1 + .byte 178 + .byte 14 + .byte 190 + .byte 7 + .byte 183 + .byte 15 + .byte 191 + .byte 226 + .byte 202 + .byte 238 + .byte 198 + .byte 207 + .byte 231 + .byte 199 + .byte 239 + .byte 210 + .byte 242 + .byte 222 + .byte 254 + .byte 215 + .byte 247 + .byte 223 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 256 +table_1: + .byte 172 + .byte 232 + .byte 104 + .byte 60 + .byte 108 + .byte 56 + .byte 168 + .byte 236 + .byte 170 + .byte 174 + .byte 58 + .byte 62 + .byte 106 + .byte 110 + .byte 234 + .byte 238 + .byte 166 + .byte 163 + .byte 51 + .byte 54 + .byte 102 + .byte 99 + .byte 227 + .byte 230 + .byte 225 + .byte 164 + .byte 97 + .byte 52 + .byte 49 + .byte 100 + .byte 161 + .byte 228 + .byte 141 + .byte 201 + .byte 73 + .byte 29 + .byte 77 + .byte 25 + .byte 137 + .byte 205 + .byte 139 + .byte 143 + .byte 27 + .byte 31 + .byte 75 + .byte 79 + .byte 203 + .byte 207 + .byte 133 + .byte 192 + .byte 64 + .byte 21 + .byte 69 + .byte 16 + .byte 128 + .byte 197 + .byte 130 + .byte 135 + .byte 18 + .byte 23 + .byte 66 + .byte 71 + 
.byte 194 + .byte 199 + .byte 150 + .byte 147 + .byte 3 + .byte 6 + .byte 86 + .byte 83 + .byte 211 + .byte 214 + .byte 209 + .byte 148 + .byte 81 + .byte 4 + .byte 1 + .byte 84 + .byte 145 + .byte 212 + .byte 156 + .byte 216 + .byte 88 + .byte 12 + .byte 92 + .byte 8 + .byte 152 + .byte 220 + .byte 154 + .byte 158 + .byte 10 + .byte 14 + .byte 90 + .byte 94 + .byte 218 + .byte 222 + .byte 149 + .byte 208 + .byte 80 + .byte 5 + .byte 85 + .byte 0 + .byte 144 + .byte 213 + .byte 146 + .byte 151 + .byte 2 + .byte 7 + .byte 82 + .byte 87 + .byte 210 + .byte 215 + .byte 157 + .byte 217 + .byte 89 + .byte 13 + .byte 93 + .byte 9 + .byte 153 + .byte 221 + .byte 155 + .byte 159 + .byte 11 + .byte 15 + .byte 91 + .byte 95 + .byte 219 + .byte 223 + .byte 22 + .byte 19 + .byte 131 + .byte 134 + .byte 70 + .byte 67 + .byte 195 + .byte 198 + .byte 65 + .byte 20 + .byte 193 + .byte 132 + .byte 17 + .byte 68 + .byte 129 + .byte 196 + .byte 28 + .byte 72 + .byte 200 + .byte 140 + .byte 76 + .byte 24 + .byte 136 + .byte 204 + .byte 26 + .byte 30 + .byte 138 + .byte 142 + .byte 74 + .byte 78 + .byte 202 + .byte 206 + .byte 53 + .byte 96 + .byte 224 + .byte 165 + .byte 101 + .byte 48 + .byte 160 + .byte 229 + .byte 50 + .byte 55 + .byte 162 + .byte 167 + .byte 98 + .byte 103 + .byte 226 + .byte 231 + .byte 61 + .byte 105 + .byte 233 + .byte 173 + .byte 109 + .byte 57 + .byte 169 + .byte 237 + .byte 59 + .byte 63 + .byte 171 + .byte 175 + .byte 107 + .byte 111 + .byte 235 + .byte 239 + .byte 38 + .byte 35 + .byte 179 + .byte 182 + .byte 118 + .byte 115 + .byte 243 + .byte 246 + .byte 113 + .byte 36 + .byte 241 + .byte 180 + .byte 33 + .byte 116 + .byte 177 + .byte 244 + .byte 44 + .byte 120 + .byte 248 + .byte 188 + .byte 124 + .byte 40 + .byte 184 + .byte 252 + .byte 42 + .byte 46 + .byte 186 + .byte 190 + .byte 122 + .byte 126 + .byte 250 + .byte 254 + .byte 37 + .byte 112 + .byte 240 + .byte 181 + .byte 117 + .byte 32 + .byte 176 + .byte 245 + .byte 34 + .byte 39 + .byte 178 + 
.byte 183 + .byte 114 + .byte 119 + .byte 242 + .byte 247 + .byte 45 + .byte 121 + .byte 249 + .byte 189 + .byte 125 + .byte 41 + .byte 185 + .byte 253 + .byte 43 + .byte 47 + .byte 187 + .byte 191 + .byte 123 + .byte 127 + .byte 251 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_2, @object + .size table_2, 256 +table_2: + .byte 0 + .byte 2 + .byte 4 + .byte 6 + .byte 8 + .byte 10 + .byte 12 + .byte 14 + .byte 16 + .byte 18 + .byte 20 + .byte 22 + .byte 24 + .byte 26 + .byte 28 + .byte 30 + .byte 32 + .byte 34 + .byte 36 + .byte 38 + .byte 40 + .byte 42 + .byte 44 + .byte 46 + .byte 48 + .byte 50 + .byte 52 + .byte 54 + .byte 56 + .byte 58 + .byte 60 + .byte 62 + .byte 65 + .byte 67 + .byte 69 + .byte 71 + .byte 73 + .byte 75 + .byte 77 + .byte 79 + .byte 81 + .byte 83 + .byte 85 + .byte 87 + .byte 89 + .byte 91 + .byte 93 + .byte 95 + .byte 97 + .byte 99 + .byte 101 + .byte 103 + .byte 105 + .byte 107 + .byte 109 + .byte 111 + .byte 113 + .byte 115 + .byte 117 + .byte 119 + .byte 121 + .byte 123 + .byte 125 + .byte 127 + .byte 128 + .byte 130 + .byte 132 + .byte 134 + .byte 136 + .byte 138 + .byte 140 + .byte 142 + .byte 144 + .byte 146 + .byte 148 + .byte 150 + .byte 152 + .byte 154 + .byte 156 + .byte 158 + .byte 160 + .byte 162 + .byte 164 + .byte 166 + .byte 168 + .byte 170 + .byte 172 + .byte 174 + .byte 176 + .byte 178 + .byte 180 + .byte 182 + .byte 184 + .byte 186 + .byte 188 + .byte 190 + .byte 193 + .byte 195 + .byte 197 + .byte 199 + .byte 201 + .byte 203 + .byte 205 + .byte 207 + .byte 209 + .byte 211 + .byte 213 + .byte 215 + .byte 217 + .byte 219 + .byte 221 + .byte 223 + .byte 225 + .byte 227 + .byte 229 + .byte 231 + .byte 233 + .byte 235 + .byte 237 + .byte 239 + .byte 241 + .byte 243 + .byte 245 + .byte 247 + .byte 249 + .byte 251 + .byte 253 + .byte 255 + .byte 1 + .byte 3 + .byte 5 + .byte 7 + .byte 9 + .byte 11 + .byte 13 + .byte 15 + .byte 17 + .byte 19 + .byte 21 + .byte 23 + .byte 25 + .byte 27 + .byte 29 + 
.byte 31 + .byte 33 + .byte 35 + .byte 37 + .byte 39 + .byte 41 + .byte 43 + .byte 45 + .byte 47 + .byte 49 + .byte 51 + .byte 53 + .byte 55 + .byte 57 + .byte 59 + .byte 61 + .byte 63 + .byte 64 + .byte 66 + .byte 68 + .byte 70 + .byte 72 + .byte 74 + .byte 76 + .byte 78 + .byte 80 + .byte 82 + .byte 84 + .byte 86 + .byte 88 + .byte 90 + .byte 92 + .byte 94 + .byte 96 + .byte 98 + .byte 100 + .byte 102 + .byte 104 + .byte 106 + .byte 108 + .byte 110 + .byte 112 + .byte 114 + .byte 116 + .byte 118 + .byte 120 + .byte 122 + .byte 124 + .byte 126 + .byte 129 + .byte 131 + .byte 133 + .byte 135 + .byte 137 + .byte 139 + .byte 141 + .byte 143 + .byte 145 + .byte 147 + .byte 149 + .byte 151 + .byte 153 + .byte 155 + .byte 157 + .byte 159 + .byte 161 + .byte 163 + .byte 165 + .byte 167 + .byte 169 + .byte 171 + .byte 173 + .byte 175 + .byte 177 + .byte 179 + .byte 181 + .byte 183 + .byte 185 + .byte 187 + .byte 189 + .byte 191 + .byte 192 + .byte 194 + .byte 196 + .byte 198 + .byte 200 + .byte 202 + .byte 204 + .byte 206 + .byte 208 + .byte 210 + .byte 212 + .byte 214 + .byte 216 + .byte 218 + .byte 220 + .byte 222 + .byte 224 + .byte 226 + .byte 228 + .byte 230 + .byte 232 + .byte 234 + .byte 236 + .byte 238 + .byte 240 + .byte 242 + .byte 244 + .byte 246 + .byte 248 + .byte 250 + .byte 252 + .byte 254 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_3, @object + .size table_3, 256 +table_3: + .byte 0 + .byte 128 + .byte 1 + .byte 129 + .byte 2 + .byte 130 + .byte 3 + .byte 131 + .byte 4 + .byte 132 + .byte 5 + .byte 133 + .byte 6 + .byte 134 + .byte 7 + .byte 135 + .byte 8 + .byte 136 + .byte 9 + .byte 137 + .byte 10 + .byte 138 + .byte 11 + .byte 139 + .byte 12 + .byte 140 + .byte 13 + .byte 141 + .byte 14 + .byte 142 + .byte 15 + .byte 143 + .byte 16 + .byte 144 + .byte 17 + .byte 145 + .byte 18 + .byte 146 + .byte 19 + .byte 147 + .byte 20 + .byte 148 + .byte 21 + .byte 149 + .byte 22 + .byte 150 + .byte 23 + .byte 151 + .byte 24 + .byte 152 + 
.byte 25 + .byte 153 + .byte 26 + .byte 154 + .byte 27 + .byte 155 + .byte 28 + .byte 156 + .byte 29 + .byte 157 + .byte 30 + .byte 158 + .byte 31 + .byte 159 + .byte 160 + .byte 32 + .byte 161 + .byte 33 + .byte 162 + .byte 34 + .byte 163 + .byte 35 + .byte 164 + .byte 36 + .byte 165 + .byte 37 + .byte 166 + .byte 38 + .byte 167 + .byte 39 + .byte 168 + .byte 40 + .byte 169 + .byte 41 + .byte 170 + .byte 42 + .byte 171 + .byte 43 + .byte 172 + .byte 44 + .byte 173 + .byte 45 + .byte 174 + .byte 46 + .byte 175 + .byte 47 + .byte 176 + .byte 48 + .byte 177 + .byte 49 + .byte 178 + .byte 50 + .byte 179 + .byte 51 + .byte 180 + .byte 52 + .byte 181 + .byte 53 + .byte 182 + .byte 54 + .byte 183 + .byte 55 + .byte 184 + .byte 56 + .byte 185 + .byte 57 + .byte 186 + .byte 58 + .byte 187 + .byte 59 + .byte 188 + .byte 60 + .byte 189 + .byte 61 + .byte 190 + .byte 62 + .byte 191 + .byte 63 + .byte 64 + .byte 192 + .byte 65 + .byte 193 + .byte 66 + .byte 194 + .byte 67 + .byte 195 + .byte 68 + .byte 196 + .byte 69 + .byte 197 + .byte 70 + .byte 198 + .byte 71 + .byte 199 + .byte 72 + .byte 200 + .byte 73 + .byte 201 + .byte 74 + .byte 202 + .byte 75 + .byte 203 + .byte 76 + .byte 204 + .byte 77 + .byte 205 + .byte 78 + .byte 206 + .byte 79 + .byte 207 + .byte 80 + .byte 208 + .byte 81 + .byte 209 + .byte 82 + .byte 210 + .byte 83 + .byte 211 + .byte 84 + .byte 212 + .byte 85 + .byte 213 + .byte 86 + .byte 214 + .byte 87 + .byte 215 + .byte 88 + .byte 216 + .byte 89 + .byte 217 + .byte 90 + .byte 218 + .byte 91 + .byte 219 + .byte 92 + .byte 220 + .byte 93 + .byte 221 + .byte 94 + .byte 222 + .byte 95 + .byte 223 + .byte 224 + .byte 96 + .byte 225 + .byte 97 + .byte 226 + .byte 98 + .byte 227 + .byte 99 + .byte 228 + .byte 100 + .byte 229 + .byte 101 + .byte 230 + .byte 102 + .byte 231 + .byte 103 + .byte 232 + .byte 104 + .byte 233 + .byte 105 + .byte 234 + .byte 106 + .byte 235 + .byte 107 + .byte 236 + .byte 108 + .byte 237 + .byte 109 + .byte 238 + .byte 110 + .byte 239 
+ .byte 111 + .byte 240 + .byte 112 + .byte 241 + .byte 113 + .byte 242 + .byte 114 + .byte 243 + .byte 115 + .byte 244 + .byte 116 + .byte 245 + .byte 117 + .byte 246 + .byte 118 + .byte 247 + .byte 119 + .byte 248 + .byte 120 + .byte 249 + .byte 121 + .byte 250 + .byte 122 + .byte 251 + .byte 123 + .byte 252 + .byte 124 + .byte 253 + .byte 125 + .byte 254 + .byte 126 + .byte 255 + .byte 127 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_4, @object + .size table_4, 112 +table_4: + .byte 1 + .byte 0 + .byte 3 + .byte 0 + .byte 7 + .byte 0 + .byte 15 + .byte 0 + .byte 15 + .byte 1 + .byte 14 + .byte 3 + .byte 13 + .byte 3 + .byte 11 + .byte 3 + .byte 7 + .byte 3 + .byte 15 + .byte 2 + .byte 14 + .byte 1 + .byte 12 + .byte 3 + .byte 9 + .byte 3 + .byte 3 + .byte 3 + .byte 7 + .byte 2 + .byte 14 + .byte 0 + .byte 13 + .byte 1 + .byte 10 + .byte 3 + .byte 5 + .byte 3 + .byte 11 + .byte 2 + .byte 6 + .byte 1 + .byte 12 + .byte 2 + .byte 8 + .byte 1 + .byte 0 + .byte 3 + .byte 1 + .byte 2 + .byte 2 + .byte 0 + .byte 5 + .byte 0 + .byte 11 + .byte 0 + .byte 7 + .byte 1 + .byte 14 + .byte 2 + .byte 12 + .byte 1 + .byte 8 + .byte 3 + .byte 1 + .byte 3 + .byte 3 + .byte 2 + .byte 6 + .byte 0 + .byte 13 + .byte 0 + .byte 11 + .byte 1 + .byte 6 + .byte 3 + .byte 13 + .byte 2 + .byte 10 + .byte 1 + .byte 4 + .byte 3 + .byte 9 + .byte 2 + .byte 2 + .byte 1 + .byte 4 + .byte 2 + .byte 8 + .byte 0 + .byte 1 + .byte 1 + .byte 2 + .byte 2 + .byte 4 + .byte 0 + .byte 9 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 2 + .byte 12 + .byte 0 + .byte 9 + .byte 1 + .byte 2 + .byte 3 + .byte 5 + .byte 2 + .byte 10 + .byte 0 + + .text +.global skinny_128_384_init + .type skinny_128_384_init, @function +skinny_128_384_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,12 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_384_init, .-skinny_128_384_init + + .text 
+.global skinny_128_384_encrypt + .type skinny_128_384_encrypt, @function +skinny_128_384_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + std Y+33,r18 + std Y+34,r19 + std Y+35,r20 + std Y+36,r21 + ldd r18,Z+36 + ldd r19,Z+37 + ldd r20,Z+38 + ldd r21,Z+39 + std Y+37,r18 + std Y+38,r19 + std Y+39,r20 + std Y+40,r21 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + std Y+41,r18 + std Y+42,r19 + std Y+43,r20 + std Y+44,r21 + ldd r18,Z+44 + ldd r19,Z+45 + ldd r20,Z+46 + ldd r21,Z+47 + std Y+45,r18 + std Y+46,r19 + std Y+47,r20 + std Y+48,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld 
r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +114: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z 
+#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + 
eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z 
+#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std 
Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + 
mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor 
r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 
+#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + 
ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + ldd r0,Y+40 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov 
r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if 
defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld 
r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov 
r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,112 + brne 5721f + rjmp 790f +5721: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + 
lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + 
out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 114b +790: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_encrypt, .-skinny_128_384_encrypt + +.global skinny_128_384_encrypt_tk_full + .set skinny_128_384_encrypt_tk_full,skinny_128_384_encrypt + + .text +.global skinny_128_384_decrypt + .type skinny_128_384_decrypt, @function +skinny_128_384_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r23 + std Y+2,r2 + std Y+3,r21 + std Y+4,r20 + std Y+5,r3 + std Y+6,r18 + std Y+7,r19 + std Y+8,r22 + std Y+9,r9 + std Y+10,r10 + std Y+11,r7 + std Y+12,r6 + std Y+13,r11 + std Y+14,r4 + std Y+15,r5 + std Y+16,r8 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r23 + std Y+18,r2 + std Y+19,r21 + std Y+20,r20 + std Y+21,r3 + std Y+22,r18 + std 
Y+23,r19 + std Y+24,r22 + std Y+25,r9 + std Y+26,r10 + std Y+27,r7 + std Y+28,r6 + std Y+29,r11 + std Y+30,r4 + std Y+31,r5 + std Y+32,r8 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + ldd r22,Z+36 + ldd r23,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+33,r23 + std Y+34,r2 + std Y+35,r21 + std Y+36,r20 + std Y+37,r3 + std Y+38,r18 + std Y+39,r19 + std Y+40,r22 + std Y+41,r9 + std Y+42,r10 + std Y+43,r7 + std Y+44,r6 + std Y+45,r11 + std Y+46,r4 + std Y+47,r5 + std Y+48,r8 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,28 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +122: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 122b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,28 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +150: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif 
defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 150b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,28 + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 +179: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 179b + std Y+33,r12 + std Y+34,r13 + std Y+35,r14 + std Y+36,r15 + std Y+37,r24 + std Y+38,r25 + std Y+39,r16 + std Y+40,r17 + ldi r26,28 + ldd r12,Y+41 + ldd r13,Y+42 + 
ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 +207: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 207b + std Y+41,r12 + std Y+42,r13 + std Y+43,r14 + std Y+44,r15 + std Y+45,r24 + std Y+46,r25 + std Y+47,r16 + std Y+48,r17 + ldi r26,112 +227: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 
+#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd 
r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif 
defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + 
ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm 
r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + 
ldd r0,Y+40 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov 
r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm 
r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + 
mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) 
+#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z 
+#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out 
_SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif 
defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + breq 903f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 227b +903: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_decrypt, .-skinny_128_384_decrypt + + .text +.global 
skinny_128_256_init + .type skinny_128_256_init, @function +skinny_128_256_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,8 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_256_init, .-skinny_128_256_init + + .text +.global skinny_128_256_encrypt + .type skinny_128_256_encrypt, @function +skinny_128_256_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi 
r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +82: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + 
eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 
+ std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + 
elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor 
r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std 
Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm 
r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor 
r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + 
std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if 
defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + 
eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,96 + breq 594f + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std 
Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 82b +594: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_encrypt, .-skinny_128_256_encrypt + +.global skinny_128_256_encrypt_tk_full + .set skinny_128_256_encrypt_tk_full,skinny_128_256_encrypt + + .text +.global skinny_128_256_decrypt + .type skinny_128_256_decrypt, @function +skinny_128_256_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + std Y+5,r22 + std Y+6,r23 + std Y+7,r2 + std Y+8,r3 + std Y+9,r4 + std Y+10,r5 + std Y+11,r6 + std Y+12,r7 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd 
r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + std Y+21,r22 + std Y+22,r23 + std Y+23,r2 + std Y+24,r3 + std Y+25,r4 + std Y+26,r5 + std Y+27,r6 + std Y+28,r7 + std Y+29,r8 + std Y+30,r9 + std Y+31,r10 + std Y+32,r11 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,24 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +90: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if 
defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 90b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,24 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +118: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 118b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + 
out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,96 +139: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + 
eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + 
ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor 
r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + 
elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if 
defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor 
r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 
+#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi 
r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + 
mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + 
breq 651f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 139b +651: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_decrypt, .-skinny_128_256_decrypt + +#endif diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-skinny128.c b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-skinny128.c new file mode 100644 index 0000000..579ced1 --- /dev/null +++ b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-skinny128.c 
@@ -0,0 +1,801 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-skinny128.h" +#include "internal-skinnyutil.h" +#include "internal-util.h" +#include + +#if !defined(__AVR__) + +STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk) +{ + /* This function is used to fast-forward the TK1 tweak value + * to the value at the end of the key schedule for decryption. + * + * The tweak permutation repeats every 16 rounds, so SKINNY-128-256 + * with 48 rounds does not need any fast forwarding applied. 
+ * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) +{ +#if !SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); + memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); +#else + /* Set the initial states of TK1, TK2, and TK3 */ + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. 
+ * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } +#endif +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else + const uint32_t *schedule = ks->k; +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
+#else
+ s0 ^= schedule[0] ^ TK1[0];
+ s1 ^= schedule[1] ^ TK1[1];
+#endif
+ s2 ^= 0x02;
+
+ /* Shift the cells in the rows right, which moves the cell
+ * values up closer to the MSB. That is, we do a left rotate
+ * on the word to rotate the cells in the word right */
+ s1 = leftRotate8(s1);
+ s2 = leftRotate16(s2);
+ s3 = leftRotate24(s3);
+
+ /* Mix the columns */
+ s1 ^= s2;
+ s2 ^= s0;
+ temp = s3 ^ s2;
+ s3 = s2;
+ s2 = s1;
+ s1 = s0;
+ s0 = temp;
+
+ /* Permute TK1 for the next round */
+ skinny128_permute_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_permute_tk(TK2);
+ skinny128_permute_tk(TK3);
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+#else
+ schedule += 2;
+#endif
+ }
+
+ /* Pack the result into the output buffer */
+ le_store_word32(output, s0);
+ le_store_word32(output + 4, s1);
+ le_store_word32(output + 8, s2);
+ le_store_word32(output + 12, s3);
+}
+
+void skinny_128_384_decrypt
+ (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input)
+{
+ uint32_t s0, s1, s2, s3;
+ uint32_t TK1[4];
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint32_t TK3[4];
+ uint8_t rc = 0x15;
+#else
+ const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
+#endif
+ uint32_t temp;
+ unsigned round;
+
+ /* Unpack the input block into the state array */
+ s0 = le_load_word32(input);
+ s1 = le_load_word32(input + 4);
+ s2 = le_load_word32(input + 8);
+ s3 = le_load_word32(input + 12);
+
+ /* Make a local copy of the tweakable part of the state, TK1 */
+ TK1[0] = le_load_word32(ks->TK1);
+ TK1[1] = le_load_word32(ks->TK1 + 4);
+ TK1[2] = le_load_word32(ks->TK1 + 8);
+ TK1[3] = le_load_word32(ks->TK1 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK2[0] = le_load_word32(ks->TK2);
+ TK2[1] = le_load_word32(ks->TK2
+ 4);
+ TK2[2] = le_load_word32(ks->TK2 + 8);
+ TK2[3] = le_load_word32(ks->TK2 + 12);
+ TK3[0] = le_load_word32(ks->TK3);
+ TK3[1] = le_load_word32(ks->TK3 + 4);
+ TK3[2] = le_load_word32(ks->TK3 + 8);
+ TK3[3] = le_load_word32(ks->TK3 + 12);
+#endif
+
+ /* Permute TK1 to fast-forward it to the end of the key schedule */
+ skinny128_fast_forward_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_fast_forward_tk(TK2);
+ skinny128_fast_forward_tk(TK3);
+ for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) {
+ // Also fast-forward the LFSR's on every byte of TK2 and TK3.
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ skinny128_LFSR2(TK2[2]);
+ skinny128_LFSR2(TK2[3]);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+ skinny128_LFSR3(TK3[2]);
+ skinny128_LFSR3(TK3[3]);
+ }
+#endif
+
+ /* Perform all decryption rounds */
+ for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
+ /* Inverse permutation on TK1 for this round */
+ skinny128_inv_permute_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_inv_permute_tk(TK2);
+ skinny128_inv_permute_tk(TK3);
+ skinny128_LFSR3(TK2[2]);
+ skinny128_LFSR3(TK2[3]);
+ skinny128_LFSR2(TK3[2]);
+ skinny128_LFSR2(TK3[3]);
+#endif
+
+ /* Inverse mix of the columns */
+ temp = s3;
+ s3 = s0;
+ s0 = s1;
+ s1 = s2;
+ s3 ^= temp;
+ s2 = temp ^ s0;
+ s1 ^= s2;
+
+ /* Inverse shift of the rows */
+ s1 = leftRotate24(s1);
+ s2 = leftRotate16(s2);
+ s3 = leftRotate8(s3);
+
+ /* Apply the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
+ s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
+#else
+ s0 ^= schedule[0] ^ TK1[0];
+ s1 ^= schedule[1] ^ TK1[1];
+ schedule -= 2;
+#endif
+ s2 ^= 0x02;
+
+ /* Apply the inverse of the S-box to all bytes in the state */
+ skinny128_inv_sbox(s0);
+ skinny128_inv_sbox(s1);
+ skinny128_inv_sbox(s2);
+ skinny128_inv_sbox(s3);
+ }
+
+ /* Pack the result into the output buffer */
+
le_store_word32(output, s0);
+ le_store_word32(output + 4, s1);
+ le_store_word32(output + 8, s2);
+ le_store_word32(output + 12, s3);
+}
+
+void skinny_128_384_encrypt_tk2
+ (skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input, const unsigned char *tk2)
+{
+ uint32_t s0, s1, s2, s3;
+ uint32_t TK1[4];
+ uint32_t TK2[4];
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK3[4];
+ uint8_t rc = 0;
+#else
+ const uint32_t *schedule = ks->k;
+#endif
+ uint32_t temp;
+ unsigned round;
+
+ /* Unpack the input block into the state array */
+ s0 = le_load_word32(input);
+ s1 = le_load_word32(input + 4);
+ s2 = le_load_word32(input + 8);
+ s3 = le_load_word32(input + 12);
+
+ /* Make a local copy of the tweakable part of the state */
+ TK1[0] = le_load_word32(ks->TK1);
+ TK1[1] = le_load_word32(ks->TK1 + 4);
+ TK1[2] = le_load_word32(ks->TK1 + 8);
+ TK1[3] = le_load_word32(ks->TK1 + 12);
+ TK2[0] = le_load_word32(tk2);
+ TK2[1] = le_load_word32(tk2 + 4);
+ TK2[2] = le_load_word32(tk2 + 8);
+ TK2[3] = le_load_word32(tk2 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK3[0] = le_load_word32(ks->TK3);
+ TK3[1] = le_load_word32(ks->TK3 + 4);
+ TK3[2] = le_load_word32(ks->TK3 + 8);
+ TK3[3] = le_load_word32(ks->TK3 + 12);
+#endif
+
+ /* Perform all encryption rounds */
+ for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
+ /* Apply the S-box to all bytes in the state */
+ skinny128_sbox(s0);
+ skinny128_sbox(s1);
+ skinny128_sbox(s2);
+ skinny128_sbox(s3);
+
+ /* Apply the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
+#else
+ s0 ^= schedule[0] ^ TK1[0] ^ TK2[0];
+ s1 ^= schedule[1] ^ TK1[1] ^ TK2[1];
+#endif
+ s2 ^= 0x02;
+
+ /* Shift the cells in the rows right, which moves the cell
+ * values up closer to the MSB.
That is, we do a left rotate
+ * on the word to rotate the cells in the word right */
+ s1 = leftRotate8(s1);
+ s2 = leftRotate16(s2);
+ s3 = leftRotate24(s3);
+
+ /* Mix the columns */
+ s1 ^= s2;
+ s2 ^= s0;
+ temp = s3 ^ s2;
+ s3 = s2;
+ s2 = s1;
+ s1 = s0;
+ s0 = temp;
+
+ /* Permute TK1 and TK2 for the next round */
+ skinny128_permute_tk(TK1);
+ skinny128_permute_tk(TK2);
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_permute_tk(TK3);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+#else
+ schedule += 2;
+#endif
+ }
+
+ /* Pack the result into the output buffer */
+ le_store_word32(output, s0);
+ le_store_word32(output + 4, s1);
+ le_store_word32(output + 8, s2);
+ le_store_word32(output + 12, s3);
+}
+
+void skinny_128_384_encrypt_tk_full
+ (const unsigned char key[48], unsigned char *output,
+ const unsigned char *input)
+{
+ uint32_t s0, s1, s2, s3;
+ uint32_t TK1[4];
+ uint32_t TK2[4];
+ uint32_t TK3[4];
+ uint32_t temp;
+ unsigned round;
+ uint8_t rc = 0;
+
+ /* Unpack the input block into the state array */
+ s0 = le_load_word32(input);
+ s1 = le_load_word32(input + 4);
+ s2 = le_load_word32(input + 8);
+ s3 = le_load_word32(input + 12);
+
+ /* Make a local copy of the tweakey */
+ TK1[0] = le_load_word32(key);
+ TK1[1] = le_load_word32(key + 4);
+ TK1[2] = le_load_word32(key + 8);
+ TK1[3] = le_load_word32(key + 12);
+ TK2[0] = le_load_word32(key + 16);
+ TK2[1] = le_load_word32(key + 20);
+ TK2[2] = le_load_word32(key + 24);
+ TK2[3] = le_load_word32(key + 28);
+ TK3[0] = le_load_word32(key + 32);
+ TK3[1] = le_load_word32(key + 36);
+ TK3[2] = le_load_word32(key + 40);
+ TK3[3] = le_load_word32(key + 44);
+
+ /* Perform all encryption rounds */
+ for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
+ /* Apply the S-box to all bytes in the state */
+ skinny128_sbox(s0);
+ skinny128_sbox(s1);
+ skinny128_sbox(s2);
+ skinny128_sbox(s3);
+
+ /* XOR the round constant and the subkey for this
round */
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
+ s2 ^= 0x02;
+
+ /* Shift the cells in the rows right, which moves the cell
+ * values up closer to the MSB. That is, we do a left rotate
+ * on the word to rotate the cells in the word right */
+ s1 = leftRotate8(s1);
+ s2 = leftRotate16(s2);
+ s3 = leftRotate24(s3);
+
+ /* Mix the columns */
+ s1 ^= s2;
+ s2 ^= s0;
+ temp = s3 ^ s2;
+ s3 = s2;
+ s2 = s1;
+ s1 = s0;
+ s0 = temp;
+
+ /* Permute TK1, TK2, and TK3 for the next round */
+ skinny128_permute_tk(TK1);
+ skinny128_permute_tk(TK2);
+ skinny128_permute_tk(TK3);
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ skinny128_LFSR3(TK3[0]);
+ skinny128_LFSR3(TK3[1]);
+ }
+
+ /* Pack the result into the output buffer */
+ le_store_word32(output, s0);
+ le_store_word32(output + 4, s1);
+ le_store_word32(output + 8, s2);
+ le_store_word32(output + 12, s3);
+}
+
+void skinny_128_256_init
+ (skinny_128_256_key_schedule_t *ks, const unsigned char key[32])
+{
+#if !SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint32_t *schedule;
+ unsigned round;
+ uint8_t rc;
+#endif
+
+#if SKINNY_128_SMALL_SCHEDULE
+ /* Copy the input key as-is when using the small key schedule version */
+ memcpy(ks->TK1, key, sizeof(ks->TK1));
+ memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
+#else
+ /* Set the initial states of TK1 and TK2 */
+ memcpy(ks->TK1, key, 16);
+ TK2[0] = le_load_word32(key + 16);
+ TK2[1] = le_load_word32(key + 20);
+ TK2[2] = le_load_word32(key + 24);
+ TK2[3] = le_load_word32(key + 28);
+
+ /* Set up the key schedule using TK2. TK1 is not added
+ * to the key schedule because we will derive that part of the
+ * schedule during encryption operations */
+ schedule = ks->k;
+ rc = 0;
+ for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) {
+ /* XOR the round constants with the current schedule words.
+ * The round constants for the 3rd and 4th rows are
+ * fixed and will be applied during encryption. */
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ schedule[0] = TK2[0] ^ (rc & 0x0F);
+ schedule[1] = TK2[1] ^ (rc >> 4);
+
+ /* Permute TK2 for the next round */
+ skinny128_permute_tk(TK2);
+
+ /* Apply the LFSR to TK2 */
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ }
+#endif
+}
+
+void skinny_128_256_encrypt
+ (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input)
+{
+ uint32_t s0, s1, s2, s3;
+ uint32_t TK1[4];
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint8_t rc = 0;
+#else
+ const uint32_t *schedule = ks->k;
+#endif
+ uint32_t temp;
+ unsigned round;
+
+ /* Unpack the input block into the state array */
+ s0 = le_load_word32(input);
+ s1 = le_load_word32(input + 4);
+ s2 = le_load_word32(input + 8);
+ s3 = le_load_word32(input + 12);
+
+ /* Make a local copy of the tweakable part of the state, TK1 */
+ TK1[0] = le_load_word32(ks->TK1);
+ TK1[1] = le_load_word32(ks->TK1 + 4);
+ TK1[2] = le_load_word32(ks->TK1 + 8);
+ TK1[3] = le_load_word32(ks->TK1 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK2[0] = le_load_word32(ks->TK2);
+ TK2[1] = le_load_word32(ks->TK2 + 4);
+ TK2[2] = le_load_word32(ks->TK2 + 8);
+ TK2[3] = le_load_word32(ks->TK2 + 12);
+#endif
+
+ /* Perform all encryption rounds */
+ for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
+ /* Apply the S-box to all bytes in the state */
+ skinny128_sbox(s0);
+ skinny128_sbox(s1);
+ skinny128_sbox(s2);
+ skinny128_sbox(s3);
+
+ /* XOR the round constant and the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
+#else
+ s0 ^= schedule[0] ^ TK1[0];
+ s1 ^= schedule[1] ^ TK1[1];
+#endif
+ s2 ^= 0x02;
+
+ /* Shift the cells in the rows right, which
moves the cell
+ * values up closer to the MSB. That is, we do a left rotate
+ * on the word to rotate the cells in the word right */
+ s1 = leftRotate8(s1);
+ s2 = leftRotate16(s2);
+ s3 = leftRotate24(s3);
+
+ /* Mix the columns */
+ s1 ^= s2;
+ s2 ^= s0;
+ temp = s3 ^ s2;
+ s3 = s2;
+ s2 = s1;
+ s1 = s0;
+ s0 = temp;
+
+ /* Permute TK1 and TK2 for the next round */
+ skinny128_permute_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_permute_tk(TK2);
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+#else
+ schedule += 2;
+#endif
+ }
+
+ /* Pack the result into the output buffer */
+ le_store_word32(output, s0);
+ le_store_word32(output + 4, s1);
+ le_store_word32(output + 8, s2);
+ le_store_word32(output + 12, s3);
+}
+
+void skinny_128_256_decrypt
+ (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input)
+{
+ uint32_t s0, s1, s2, s3;
+ uint32_t TK1[4];
+#if SKINNY_128_SMALL_SCHEDULE
+ uint32_t TK2[4];
+ uint8_t rc = 0x09;
+#else
+ const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]);
+#endif
+ uint32_t temp;
+ unsigned round;
+
+ /* Unpack the input block into the state array */
+ s0 = le_load_word32(input);
+ s1 = le_load_word32(input + 4);
+ s2 = le_load_word32(input + 8);
+ s3 = le_load_word32(input + 12);
+
+ /* Make a local copy of the tweakable part of the state, TK1.
+ * There is no need to fast-forward TK1 because the value at
+ * the end of the key schedule is the same as at the start */
+ TK1[0] = le_load_word32(ks->TK1);
+ TK1[1] = le_load_word32(ks->TK1 + 4);
+ TK1[2] = le_load_word32(ks->TK1 + 8);
+ TK1[3] = le_load_word32(ks->TK1 + 12);
+#if SKINNY_128_SMALL_SCHEDULE
+ TK2[0] = le_load_word32(ks->TK2);
+ TK2[1] = le_load_word32(ks->TK2 + 4);
+ TK2[2] = le_load_word32(ks->TK2 + 8);
+ TK2[3] = le_load_word32(ks->TK2 + 12);
+ for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) {
+ // Also fast-forward the LFSR's on every byte of TK2.
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ skinny128_LFSR2(TK2[2]);
+ skinny128_LFSR2(TK2[3]);
+ }
+#endif
+
+ /* Perform all decryption rounds */
+ for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
+ /* Inverse permutation on TK1 for this round */
+ skinny128_inv_permute_tk(TK1);
+#if SKINNY_128_SMALL_SCHEDULE
+ skinny128_inv_permute_tk(TK2);
+ skinny128_LFSR3(TK2[2]);
+ skinny128_LFSR3(TK2[3]);
+#endif
+
+ /* Inverse mix of the columns */
+ temp = s3;
+ s3 = s0;
+ s0 = s1;
+ s1 = s2;
+ s3 ^= temp;
+ s2 = temp ^ s0;
+ s1 ^= s2;
+
+ /* Inverse shift of the rows */
+ s1 = leftRotate24(s1);
+ s2 = leftRotate16(s2);
+ s3 = leftRotate8(s3);
+
+ /* Apply the subkey for this round */
+#if SKINNY_128_SMALL_SCHEDULE
+ rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
+ s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
+#else
+ s0 ^= schedule[0] ^ TK1[0];
+ s1 ^= schedule[1] ^ TK1[1];
+ schedule -= 2;
+#endif
+ s2 ^= 0x02;
+
+ /* Apply the inverse of the S-box to all bytes in the state */
+ skinny128_inv_sbox(s0);
+ skinny128_inv_sbox(s1);
+ skinny128_inv_sbox(s2);
+ skinny128_inv_sbox(s3);
+ }
+
+ /* Pack the result into the output buffer */
+ le_store_word32(output, s0);
+ le_store_word32(output + 4, s1);
+ le_store_word32(output + 8, s2);
+ le_store_word32(output + 12, s3);
+}
+
+void skinny_128_256_encrypt_tk_full
+ (const unsigned char key[32], unsigned char *output,
+ const unsigned char *input)
+{
+ uint32_t s0, s1, s2, s3;
+ uint32_t TK1[4];
+ uint32_t TK2[4];
+ uint32_t temp;
+ unsigned round;
+ uint8_t rc = 0;
+
+ /* Unpack the input block into the state array */
+ s0 = le_load_word32(input);
+ s1 = le_load_word32(input + 4);
+ s2 = le_load_word32(input + 8);
+ s3 = le_load_word32(input + 12);
+
+ /* Make a local copy of the tweakey */
+ TK1[0] = le_load_word32(key);
+ TK1[1] = le_load_word32(key + 4);
+ TK1[2] = le_load_word32(key + 8);
+ TK1[3] = le_load_word32(key + 12);
+ TK2[0] = le_load_word32(key + 16);
+ TK2[1]
= le_load_word32(key + 20);
+ TK2[2] = le_load_word32(key + 24);
+ TK2[3] = le_load_word32(key + 28);
+
+ /* Perform all encryption rounds */
+ for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
+ /* Apply the S-box to all bytes in the state */
+ skinny128_sbox(s0);
+ skinny128_sbox(s1);
+ skinny128_sbox(s2);
+ skinny128_sbox(s3);
+
+ /* XOR the round constant and the subkey for this round */
+ rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
+ rc &= 0x3F;
+ s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
+ s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
+ s2 ^= 0x02;
+
+ /* Shift the cells in the rows right, which moves the cell
+ * values up closer to the MSB. That is, we do a left rotate
+ * on the word to rotate the cells in the word right */
+ s1 = leftRotate8(s1);
+ s2 = leftRotate16(s2);
+ s3 = leftRotate24(s3);
+
+ /* Mix the columns */
+ s1 ^= s2;
+ s2 ^= s0;
+ temp = s3 ^ s2;
+ s3 = s2;
+ s2 = s1;
+ s1 = s0;
+ s0 = temp;
+
+ /* Permute TK1 and TK2 for the next round */
+ skinny128_permute_tk(TK1);
+ skinny128_permute_tk(TK2);
+ skinny128_LFSR2(TK2[0]);
+ skinny128_LFSR2(TK2[1]);
+ }
+
+ /* Pack the result into the output buffer */
+ le_store_word32(output, s0);
+ le_store_word32(output + 4, s1);
+ le_store_word32(output + 8, s2);
+ le_store_word32(output + 12, s3);
+}
+
+#else /* __AVR__ */
+
+void skinny_128_384_encrypt_tk2
+ (skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input, const unsigned char *tk2)
+{
+ memcpy(ks->TK2, tk2, 16);
+ skinny_128_384_encrypt(ks, output, input);
+}
+
+#endif /* __AVR__ */
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-skinny128.h b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-skinny128.h
new file mode 100644
index 0000000..2bfda3c
--- /dev/null
+++ b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-skinny128.h
@@ -0,0 +1,244 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LW_INTERNAL_SKINNY128_H
+#define LW_INTERNAL_SKINNY128_H
+
+/**
+ * \file internal-skinny128.h
+ * \brief SKINNY-128 block cipher family.
+ *
+ * References: https://eprint.iacr.org/2016/660.pdf,
+ * https://sites.google.com/site/skinnycipher/
+ */
+
+#include
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \def SKINNY_128_SMALL_SCHEDULE
+ * \brief Defined to 1 to use the small key schedule version of SKINNY-128.
+ */
+#if defined(__AVR__)
+#define SKINNY_128_SMALL_SCHEDULE 1
+#else
+#define SKINNY_128_SMALL_SCHEDULE 0
+#endif
+
+/**
+ * \brief Size of a block for SKINNY-128 block ciphers.
+ */
+#define SKINNY_128_BLOCK_SIZE 16
+
+/**
+ * \brief Number of rounds for SKINNY-128-384.
+ */
+#define SKINNY_128_384_ROUNDS 56
+
+/**
+ * \brief Structure of the key schedule for SKINNY-128-384.
+ */
+typedef struct
+{
+ /** TK1 for the tweakable part of the key schedule */
+ uint8_t TK1[16];
+
+#if SKINNY_128_SMALL_SCHEDULE
+ /** TK2 for the small key schedule */
+ uint8_t TK2[16];
+
+ /** TK3 for the small key schedule */
+ uint8_t TK3[16];
+#else
+ /** Words of the full key schedule */
+ uint32_t k[SKINNY_128_384_ROUNDS * 2];
+#endif
+
+} skinny_128_384_key_schedule_t;
+
+/**
+ * \brief Initializes the key schedule for SKINNY-128-384.
+ *
+ * \param ks Points to the key schedule to initialize.
+ * \param key Points to the key data.
+ */
+void skinny_128_384_init
+ (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-384.
+ *
+ * \param ks Points to the SKINNY-128-384 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ */
+void skinny_128_384_encrypt
+ (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Decrypts a 128-bit block with SKINNY-128-384.
+ *
+ * \param ks Points to the SKINNY-128-384 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ */
+void skinny_128_384_decrypt
+ (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly
+ * provided TK2 value.
+ *
+ * \param ks Points to the SKINNY-128-384 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ * \param tk2 TK2 value that should be updated on the fly.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ *
+ * This version is useful when both TK1 and TK2 change from block to block.
+ * When the key is initialized with skinny_128_384_init(), the TK2 part of
+ * the key value should be set to zero.
+ *
+ * \note Some versions of this function may modify the key schedule to
+ * copy tk2 into place.
+ */
+void skinny_128_384_encrypt_tk2
+ (skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input, const unsigned char *tk2);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-384 and a
+ * fully specified tweakey value.
+ *
+ * \param key Points to the 384-bit tweakey value.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ *
+ * This version is useful when the entire tweakey changes from block to
+ * block. It is slower than the other versions of SKINNY-128-384 but
+ * more memory-efficient.
+ */
+void skinny_128_384_encrypt_tk_full
+ (const unsigned char key[48], unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Number of rounds for SKINNY-128-256.
+ */
+#define SKINNY_128_256_ROUNDS 48
+
+/**
+ * \brief Structure of the key schedule for SKINNY-128-256.
+ */
+typedef struct
+{
+ /** TK1 for the tweakable part of the key schedule */
+ uint8_t TK1[16];
+
+#if SKINNY_128_SMALL_SCHEDULE
+ /** TK2 for the small key schedule */
+ uint8_t TK2[16];
+#else
+ /** Words of the full key schedule */
+ uint32_t k[SKINNY_128_256_ROUNDS * 2];
+#endif
+
+} skinny_128_256_key_schedule_t;
+
+/**
+ * \brief Initializes the key schedule for SKINNY-128-256.
+ *
+ * \param ks Points to the key schedule to initialize.
+ * \param key Points to the key data.
+ */
+void skinny_128_256_init
+ (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-256.
+ *
+ * \param ks Points to the SKINNY-128-256 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ */
+void skinny_128_256_encrypt
+ (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Decrypts a 128-bit block with SKINNY-128-256.
+ *
+ * \param ks Points to the SKINNY-128-256 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ */
+void skinny_128_256_decrypt
+ (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-256 and a
+ * fully specified tweakey value.
+ *
+ * \param key Points to the 256-bit tweakey value.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ *
+ * This version is useful when the entire tweakey changes from block to
+ * block. It is slower than the other versions of SKINNY-128-256 but
+ * more memory-efficient.
+ */
+void skinny_128_256_encrypt_tk_full
+ (const unsigned char key[32], unsigned char *output,
+ const unsigned char *input);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
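Review bot: The Doxygen blocks for skinny_128_384_decrypt and skinny_128_256_decrypt say the buffers "can be the same buffer for in-place encryption", copied from the encrypt blocks; they should read `in-place decryption`. The two `#include` lines near the top of the header appear without a target in this rendering; the declarations use `uint8_t` and `uint32_t`, so whichever headers those lines really name, `<stdint.h>` has to be one of them. The two `typedef struct` blocks also deserve a note: because `SKINNY_128_SMALL_SCHEDULE` is derived from `__AVR__` in this same header, the layout and `sizeof` of `skinny_128_384_key_schedule_t` and `skinny_128_256_key_schedule_t` differ per target, so a line such as `/* Layout depends on SKINNY_128_SMALL_SCHEDULE; never serialize or share across builds */` above each would save a maintainer from treating them as a stable ABI.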
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-skinnyutil.h b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-skinnyutil.h
new file mode 100644
index 0000000..83136cb
--- /dev/null
+++ b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-skinnyutil.h
@@ -0,0 +1,328 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LW_INTERNAL_SKINNYUTIL_H
+#define LW_INTERNAL_SKINNYUTIL_H
+
+/**
+ * \file internal-skinnyutil.h
+ * \brief Utilities to help implement SKINNY and its variants.
+ */
+
+#include "internal-util.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** @cond skinnyutil */
+
+/* Utilities for implementing SKINNY-128 */
+
+#define skinny128_LFSR2(x) \
+ do { \
+ uint32_t _x = (x); \
+ (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \
+ (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \
+ } while (0)
+
+
+#define skinny128_LFSR3(x) \
+ do { \
+ uint32_t _x = (x); \
+ (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \
+ (((_x << 7) ^ (_x << 1)) & 0x80808080U); \
+ } while (0)
+
+/* LFSR2 and LFSR3 are inverses of each other */
+#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x)
+#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x)
+
+#define skinny128_permute_tk(tk) \
+ do { \
+ /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
+ uint32_t row2 = tk[2]; \
+ uint32_t row3 = tk[3]; \
+ tk[2] = tk[0]; \
+ tk[3] = tk[1]; \
+ row3 = (row3 << 16) | (row3 >> 16); \
+ tk[0] = ((row2 >> 8) & 0x000000FFU) | \
+ ((row2 << 16) & 0x00FF0000U) | \
+ ( row3 & 0xFF00FF00U); \
+ tk[1] = ((row2 >> 16) & 0x000000FFU) | \
+ (row2 & 0xFF000000U) | \
+ ((row3 << 8) & 0x0000FF00U) | \
+ ( row3 & 0x00FF0000U); \
+ } while (0)
+
+#define skinny128_inv_permute_tk(tk) \
+ do { \
+ /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
+ uint32_t row0 = tk[0]; \
+ uint32_t row1 = tk[1]; \
+ tk[0] = tk[2]; \
+ tk[1] = tk[3]; \
+ tk[2] = ((row0 >> 16) & 0x000000FFU) | \
+ ((row0 << 8) & 0x0000FF00U) | \
+ ((row1 << 16) & 0x00FF0000U) | \
+ ( row1 & 0xFF000000U); \
+ tk[3] = ((row0 >> 16) & 0x0000FF00U) | \
+ ((row0 << 16) & 0xFF000000U) | \
+ ((row1 >> 16) & 0x000000FFU) | \
+ ((row1 << 8) & 0x00FF0000U); \
+ } while (0)
+
+/*
+ * Apply the SKINNY sbox.
The original version from the specification is
+ * equivalent to:
+ *
+ * #define SBOX_MIX(x)
+ * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
+ * #define SBOX_SWAP(x)
+ * (((x) & 0xF9F9F9F9U) |
+ * (((x) >> 1) & 0x02020202U) |
+ * (((x) << 1) & 0x04040404U))
+ * #define SBOX_PERMUTE(x)
+ * ((((x) & 0x01010101U) << 2) |
+ * (((x) & 0x06060606U) << 5) |
+ * (((x) & 0x20202020U) >> 5) |
+ * (((x) & 0xC8C8C8C8U) >> 2) |
+ * (((x) & 0x10101010U) >> 1))
+ *
+ * x = SBOX_MIX(x);
+ * x = SBOX_PERMUTE(x);
+ * x = SBOX_MIX(x);
+ * x = SBOX_PERMUTE(x);
+ * x = SBOX_MIX(x);
+ * x = SBOX_PERMUTE(x);
+ * x = SBOX_MIX(x);
+ * return SBOX_SWAP(x);
+ *
+ * However, we can mix the bits in their original positions and then
+ * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one
+ * final permuatation. This reduces the number of shift operations.
+ */
+#define skinny128_sbox(x) \
+do { \
+ uint32_t y; \
+ \
+ /* Mix the bits */ \
+ x = ~x; \
+ x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \
+ y = (((x << 5) & (x << 1)) & 0x20202020U); \
+ x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \
+ y = (((x << 2) & (x << 1)) & 0x80808080U); \
+ x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \
+ y = (((x >> 5) & (x << 1)) & 0x04040404U); \
+ x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
+ x = ~x; \
+ \
+ /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
+ /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \
+ x = ((x & 0x08080808U) << 1) | \
+ ((x & 0x32323232U) << 2) | \
+ ((x & 0x01010101U) << 5) | \
+ ((x & 0x80808080U) >> 6) | \
+ ((x & 0x40404040U) >> 4) | \
+ ((x & 0x04040404U) >> 2); \
+} while (0)
+
+/*
+ * Apply the inverse of the SKINNY sbox.
The original version from the
+ * specification is equivalent to:
+ *
+ * #define SBOX_MIX(x)
+ * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x))
+ * #define SBOX_SWAP(x)
+ * (((x) & 0xF9F9F9F9U) |
+ * (((x) >> 1) & 0x02020202U) |
+ * (((x) << 1) & 0x04040404U))
+ * #define SBOX_PERMUTE_INV(x)
+ * ((((x) & 0x08080808U) << 1) |
+ * (((x) & 0x32323232U) << 2) |
+ * (((x) & 0x01010101U) << 5) |
+ * (((x) & 0xC0C0C0C0U) >> 5) |
+ * (((x) & 0x04040404U) >> 2))
+ *
+ * x = SBOX_SWAP(x);
+ * x = SBOX_MIX(x);
+ * x = SBOX_PERMUTE_INV(x);
+ * x = SBOX_MIX(x);
+ * x = SBOX_PERMUTE_INV(x);
+ * x = SBOX_MIX(x);
+ * x = SBOX_PERMUTE_INV(x);
+ * return SBOX_MIX(x);
+ *
+ * However, we can mix the bits in their original positions and then
+ * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one
+ * final permuatation. This reduces the number of shift operations.
+ */
+#define skinny128_inv_sbox(x) \
+do { \
+ uint32_t y; \
+ \
+ /* Mix the bits */ \
+ x = ~x; \
+ y = (((x >> 1) & (x >> 3)) & 0x01010101U); \
+ x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \
+ y = (((x >> 6) & (x >> 1)) & 0x02020202U); \
+ x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \
+ y = (((x << 2) & (x << 1)) & 0x80808080U); \
+ x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \
+ y = (((x << 5) & (x << 1)) & 0x20202020U); \
+ x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \
+ x = ~x; \
+ \
+ /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \
+ /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \
+ x = ((x & 0x01010101U) << 2) | \
+ ((x & 0x04040404U) << 4) | \
+ ((x & 0x02020202U) << 6) | \
+ ((x & 0x20202020U) >> 5) | \
+ ((x & 0xC8C8C8C8U) >> 2) | \
+ ((x & 0x10101010U) >> 1); \
+} while (0)
+
+/* Utilities for implementing SKINNY-64 */
+
+#define skinny64_LFSR2(x) \
+ do { \
+ uint16_t _x = (x); \
+ (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \
+ } while (0)
+
+#define skinny64_LFSR3(x) \
+ do { \
+ uint16_t _x = (x);
\
+ (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \
+ } while (0)
+
+/* LFSR2 and LFSR3 are inverses of each other */
+#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x)
+#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x)
+
+#define skinny64_permute_tk(tk) \
+ do { \
+ /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
+ uint16_t row2 = tk[2]; \
+ uint16_t row3 = tk[3]; \
+ tk[2] = tk[0]; \
+ tk[3] = tk[1]; \
+ row3 = (row3 << 8) | (row3 >> 8); \
+ tk[0] = ((row2 << 4) & 0xF000U) | \
+ ((row2 >> 8) & 0x00F0U) | \
+ ( row3 & 0x0F0FU); \
+ tk[1] = ((row2 << 8) & 0xF000U) | \
+ ((row3 >> 4) & 0x0F00U) | \
+ ( row3 & 0x00F0U) | \
+ ( row2 & 0x000FU); \
+ } while (0)
+
+#define skinny64_inv_permute_tk(tk) \
+ do { \
+ /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
+ uint16_t row0 = tk[0]; \
+ uint16_t row1 = tk[1]; \
+ tk[0] = tk[2]; \
+ tk[1] = tk[3]; \
+ tk[2] = ((row0 << 8) & 0xF000U) | \
+ ((row0 >> 4) & 0x0F00U) | \
+ ((row1 >> 8) & 0x00F0U) | \
+ ( row1 & 0x000FU); \
+ tk[3] = ((row1 << 8) & 0xF000U) | \
+ ((row0 << 8) & 0x0F00U) | \
+ ((row1 >> 4) & 0x00F0U) | \
+ ((row0 >> 8) & 0x000FU); \
+ } while (0)
+
+/*
+ * Apply the SKINNY-64 sbox. The original version from the
+ * specification is equivalent to:
+ *
+ * #define SBOX_MIX(x)
+ * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
+ * #define SBOX_SHIFT(x)
+ * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U))
+ *
+ * x = SBOX_MIX(x);
+ * x = SBOX_SHIFT(x);
+ * x = SBOX_MIX(x);
+ * x = SBOX_SHIFT(x);
+ * x = SBOX_MIX(x);
+ * x = SBOX_SHIFT(x);
+ * return SBOX_MIX(x);
+ *
+ * However, we can mix the bits in their original positions and then
+ * delay the SBOX_SHIFT steps to be performed with one final rotation.
+ * This reduces the number of required shift operations from 14 to 10.
+ *
+ * We can further reduce the number of NOT operations from 4 to 2
+ * using the technique from https://github.com/kste/skinny_avx to
+ * convert NOR-XOR operations into AND-XOR operations by converting
+ * the S-box into its NOT-inverse.
+ */
+#define skinny64_sbox(x) \
+do { \
+ x = ~x; \
+ x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
+ x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
+ x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
+ x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \
+ x = ~x; \
+ x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \
+} while (0)
+
+/*
+ * Apply the inverse of the SKINNY-64 sbox. The original version
+ * from the specification is equivalent to:
+ *
+ * #define SBOX_MIX(x)
+ * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
+ * #define SBOX_SHIFT_INV(x)
+ * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U))
+ *
+ * x = SBOX_MIX(x);
+ * x = SBOX_SHIFT_INV(x);
+ * x = SBOX_MIX(x);
+ * x = SBOX_SHIFT_INV(x);
+ * x = SBOX_MIX(x);
+ * x = SBOX_SHIFT_INV(x);
+ * return SBOX_MIX(x);
+ */
+#define skinny64_inv_sbox(x) \
+do { \
+ x = ~x; \
+ x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
+ x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \
+ x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
+ x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
+ x = ~x; \
+ x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \
+} while (0)
+
+/** @endcond */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-util.h b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-util.h
similarity index 100%
rename from elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-util.h
rename to skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/internal-util.h
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/skinny-hash.c b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/skinny-hash.c
new file mode 100644
index 0000000..0abdeff
--- /dev/null
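Review bot: skinny128_sbox, skinny128_inv_sbox, skinny64_sbox and skinny64_inv_sbox read and assign their argument `x` many times without parenthesizing it, and skinny128_permute_tk, skinny128_inv_permute_tk and their skinny64 twins index `tk` directly, so unlike skinny128_LFSR2, which copies into `_x` first, these macros are only correct for a plain side-effect-free lvalue of the exact width. That restriction should be stated above each of them, e.g. `/* x must be a side-effect-free uint32_t lvalue: it is evaluated and assigned many times */`, or the macros replaced by `static inline` functions taking `uint32_t *` so the compiler enforces the type. The `do {` of the four sbox macros sits at column 0 while every other macro in the file indents it; one style throughout would read better. The comments above skinny128_sbox and skinny128_inv_sbox spell "permuatation"; it should be `permutation`.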
+++ b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/skinny-hash.c 
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "skinny-hash.h"
+#include "internal-skinny128.h"
+#include "internal-util.h"
+#include 
+
+aead_hash_algorithm_t const skinny_tk3_hash_algorithm = {
+ "SKINNY-tk3-HASH",
+ sizeof(int),
+ SKINNY_HASH_SIZE,
+ AEAD_FLAG_NONE,
+ skinny_tk3_hash,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+aead_hash_algorithm_t const skinny_tk2_hash_algorithm = {
+ "SKINNY-tk2-HASH",
+ sizeof(int),
+ SKINNY_HASH_SIZE,
+ AEAD_FLAG_NONE,
+ skinny_tk2_hash,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+/**
+ * \brief Size of the permutation state for SKINNY-tk3-HASH.
+ */
+#define SKINNY_TK3_STATE_SIZE 48
+
+/**
+ * \brief Size of the permutation state for SKINNY-tk2-HASH.
+ */
+#define SKINNY_TK2_STATE_SIZE 32
+
+/**
+ * \brief Rate of absorbing data for SKINNY-tk3-HASH.
+ */
+#define SKINNY_TK3_HASH_RATE 16
+
+/**
+ * \brief Rate of absorbing data for SKINNY-tk2-HASH.
+ */
+#define SKINNY_TK2_HASH_RATE 4
+
+/**
+ * \brief Input block that is encrypted with the state for each
+ * block permutation of SKINNY-tk3-HASH or SKINNY-tk2-HASH.
+ */
+static unsigned char const skinny_hash_block[48] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+/**
+ * \brief Permutes the internal state for SKINNY-tk3-HASH.
+ *
+ * \param state The state to be permuted.
+ */
+static void skinny_tk3_permute(unsigned char state[SKINNY_TK3_STATE_SIZE])
+{
+ unsigned char temp[SKINNY_TK3_STATE_SIZE];
+ skinny_128_384_encrypt_tk_full(state, temp, skinny_hash_block);
+ skinny_128_384_encrypt_tk_full(state, temp + 16, skinny_hash_block + 16);
+ skinny_128_384_encrypt_tk_full(state, temp + 32, skinny_hash_block + 32);
+ memcpy(state, temp, SKINNY_TK3_STATE_SIZE);
+}
+
+/**
+ * \brief Permutes the internal state for SKINNY-tk2-HASH.
+ *
+ * \param state The state to be permuted.
+ */
+static void skinny_tk2_permute(unsigned char state[SKINNY_TK2_STATE_SIZE])
+{
+ unsigned char temp[SKINNY_TK2_STATE_SIZE];
+ skinny_128_256_encrypt_tk_full(state, temp, skinny_hash_block);
+ skinny_128_256_encrypt_tk_full(state, temp + 16, skinny_hash_block + 16);
+ memcpy(state, temp, SKINNY_TK2_STATE_SIZE);
+}
+
+int skinny_tk3_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ unsigned char state[SKINNY_TK3_STATE_SIZE];
+ unsigned temp;
+
+ /* Initialize the hash state */
+ memset(state, 0, sizeof(state));
+ state[SKINNY_TK3_HASH_RATE] = 0x80;
+
+ /* Process as many full blocks as possible */
+ while (inlen >= SKINNY_TK3_HASH_RATE) {
+ lw_xor_block(state, in, SKINNY_TK3_HASH_RATE);
+ skinny_tk3_permute(state);
+ in += SKINNY_TK3_HASH_RATE;
+ inlen -= SKINNY_TK3_HASH_RATE;
+ }
+
+ /* Pad and process the last block */
+ temp = (unsigned)inlen;
+ lw_xor_block(state, in, temp);
+ state[temp] ^= 0x80; /* padding */
+ skinny_tk3_permute(state);
+
+ /* Generate the hash output */
+ memcpy(out, state, 16);
+ skinny_tk3_permute(state);
+ memcpy(out + 16, state, 16);
+ return 0;
+}
+
+int skinny_tk2_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ unsigned char state[SKINNY_TK2_STATE_SIZE];
+ unsigned temp;
+
+ /* Initialize the hash state */
+ memset(state, 0, sizeof(state));
+ state[SKINNY_TK2_HASH_RATE] = 0x80;
+
+ /* Process as many full blocks as possible */
+ while (inlen >= SKINNY_TK2_HASH_RATE) {
+ lw_xor_block(state, in, SKINNY_TK2_HASH_RATE);
+ skinny_tk2_permute(state);
+ in += SKINNY_TK2_HASH_RATE;
+ inlen -= SKINNY_TK2_HASH_RATE;
+ }
+
+ /* Pad and process the last block */
+ temp = (unsigned)inlen;
+ lw_xor_block(state, in, temp);
+ state[temp] ^= 0x80; /* padding */
+ skinny_tk2_permute(state);
+
+ /* Generate the hash output */
+ memcpy(out, state, 16);
+ skinny_tk2_permute(state);
+ memcpy(out + 16, state, 16);
+ return 0;
+}
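Review bot: `skinny_tk3_hash` and `skinny_tk2_hash` validate nothing and end in an unconditional `return 0;`, yet the skinny-hash.h hunk (`@@ -35,50 +45,49 @@`) documents both as `\return Returns zero on success or -1 if there was an error in the parameters.`, a value no caller can ever observe; either change both `\return` lines to `\return Always returns zero; the function cannot fail.` or add the check the text promises. Apart from the rate constant and the permutation called, the two hash bodies are line-for-line identical, so the absorb/pad/squeeze sequence belongs in one static helper, sketched below, which also keeps the padding rule (`state[rate] = 0x80` at init, `state[temp] ^= 0x80` on the last block) in a single place. The operand of the system `#include` after `internal-util.h` is missing in this rendering, presumably `<string.h>` for `memset`/`memcpy`; confirm it is present in the committed file.
```c
/* Shared sponge loop: "state" is the caller's zeroed buffer, "rate" the
 * number of bytes absorbed per call of "permute". Always returns 0. */
static int skinny_hash_common
    (unsigned char *out, const unsigned char *in, unsigned long long inlen,
     unsigned char *state, unsigned rate, void (*permute)(unsigned char *))
{
    unsigned temp;
    state[rate] = 0x80;
    while (inlen >= rate) {
        lw_xor_block(state, in, rate);
        permute(state);
        in += rate;
        inlen -= rate;
    }
    temp = (unsigned)inlen;
    lw_xor_block(state, in, temp);
    state[temp] ^= 0x80; /* padding */
    permute(state);
    memcpy(out, state, 16);
    permute(state);
    memcpy(out + 16, state, 16);
    return 0;
}

int skinny_tk3_hash
    (unsigned char *out, const unsigned char *in, unsigned long long inlen)
{
    unsigned char state[SKINNY_TK3_STATE_SIZE];
    memset(state, 0, sizeof(state));
    return skinny_hash_common
        (out, in, inlen, state, SKINNY_TK3_HASH_RATE, skinny_tk3_permute);
}
/* … skinny_tk2_hash: same shape with SKINNY_TK2_STATE_SIZE, SKINNY_TK2_HASH_RATE and skinny_tk2_permute … */
```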
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-keccak.h b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/skinny-hash.h similarity index 53% rename from elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-keccak.h rename to skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/skinny-hash.h index 2ffef42..f75ce9f 100644 --- a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-keccak.h +++ b/skinny/Implementations/crypto_hash/skinnyhashtk2/rhys/skinny-hash.h @@ -20,14 +20,24 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LW_INTERNAL_KECCAK_H -#define LW_INTERNAL_KECCAK_H +#ifndef LWCRYPTO_SKINNY_HASH_H +#define LWCRYPTO_SKINNY_HASH_H -#include "internal-util.h" +#include "aead-common.h" /** - * \file internal-keccak.h - * \brief Internal implementation of the Keccak-p permutation. + * \file skinny-hash.h + * \brief Hash algorithms based on the SKINNY block cipher. + * + * The SKINNY-AEAD family includes two hash algorithms: + * + * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the + * SKINNY-128-384 tweakable block cipher. This is the primary hashing + * member of the family. + * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the + * SKINNY-128-256 tweakable block cipher. + * + * References: https://sites.google.com/site/skinnycipher/home */ #ifdef __cplusplus 
@@ -35,50 +45,49 @@ extern "C" { #endif /** - * \brief Size of the state for the Keccak-p[200] permutation. - */ -#define KECCAKP_200_STATE_SIZE 25 - -/** - * \brief Size of the state for the Keccak-p[400] permutation. + * \brief Size of the hash output for SKINNY-tk3-HASH and SKINNY-tk2-HASH. */ -#define KECCAKP_400_STATE_SIZE 50 +#define SKINNY_HASH_SIZE 32 /** - * \brief Structure of the internal state of the Keccak-p[200] permutation. + * \brief Meta-information block for the SKINNY-tk3-HASH algorithm. */ -typedef union -{ - uint8_t A[5][5]; /**< Keccak-p[200] state as a 5x5 array of lanes */ - uint8_t B[25]; /**< Keccak-p[200] state as a byte array */ - -} keccakp_200_state_t; +extern aead_hash_algorithm_t const skinny_tk3_hash_algorithm; /** - * \brief Structure of the internal state of the Keccak-p[400] permutation. + * \brief Meta-information block for the SKINNY-tk2-HASH algorithm. */ -typedef union -{ - uint16_t A[5][5]; /**< Keccak-p[400] state as a 5x5 array of lanes */ - uint8_t B[50]; /**< Keccak-p[400] state as a byte array */ - -} keccakp_400_state_t; +extern aead_hash_algorithm_t const skinny_tk2_hash_algorithm; /** - * \brief Permutes the Keccak-p[200] state. + * \brief Hashes a block of input data with SKINNY-tk3-HASH to + * generate a hash value. * - * \param state The Keccak-p[200] state to be permuted. + * \param out Buffer to receive the hash output which must be at least + * SKINNY_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. + * + * \return Returns zero on success or -1 if there was an error in the + * parameters. */ -void keccakp_200_permute(keccakp_200_state_t *state); +int skinny_tk3_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); /** - * \brief Permutes the Keccak-p[400] state, which is assumed to be in - * little-endian byte order. 
+ * \brief Hashes a block of input data with SKINNY-tk2-HASH to + * generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * SKINNY_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. * - * \param state The Keccak-p[400] state to be permuted. - * \param rounds The number of rounds to perform (up to 20). + * \return Returns zero on success or -1 if there was an error in the + * parameters. */ -void keccakp_400_permute(keccakp_400_state_t *state, unsigned rounds); +int skinny_tk2_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); #ifdef __cplusplus } diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/aead-common.c b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/aead-common.h b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/api.h b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/api.h deleted file mode 100644 index ae8c7f6..0000000 --- a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/api.h +++ /dev/null @@ -1 +0,0 @@ -#define CRYPTO_BYTES 32 diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-skinny128-avr.S b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-skinny128-avr.S deleted file mode 100644 index d342cd5..0000000 --- a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-skinny128-avr.S +++ /dev/null 
@@ -1,10099 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 256 -table_0: - .byte 101 - .byte 76 - .byte 106 - .byte 66 - .byte 75 - .byte 99 - .byte 67 - .byte 107 - .byte 85 - .byte 117 - .byte 90 - .byte 122 - .byte 83 - .byte 115 - .byte 91 - .byte 123 - .byte 53 - .byte 140 - .byte 58 - .byte 129 - .byte 137 - .byte 51 - .byte 128 - .byte 59 - .byte 149 - .byte 37 - .byte 152 - .byte 42 - .byte 144 - .byte 35 - .byte 153 - .byte 43 - .byte 229 - .byte 204 - .byte 232 - .byte 193 - .byte 201 - .byte 224 - .byte 192 - .byte 233 - .byte 213 - .byte 245 - .byte 216 - .byte 248 - .byte 208 - .byte 240 - .byte 217 - .byte 249 - .byte 165 - .byte 28 - .byte 168 - .byte 18 - .byte 27 - .byte 160 - .byte 19 - .byte 169 - .byte 5 - .byte 181 - .byte 10 - .byte 184 - .byte 3 - .byte 176 - .byte 11 - .byte 185 - .byte 50 - .byte 136 - .byte 60 - .byte 133 - .byte 141 - .byte 52 - .byte 132 - .byte 61 - .byte 145 - .byte 34 - .byte 156 - .byte 44 - .byte 148 - .byte 36 - .byte 157 - .byte 45 - .byte 98 - .byte 74 - .byte 108 - .byte 69 - .byte 77 - .byte 100 - .byte 68 - .byte 109 - .byte 82 - .byte 114 - .byte 92 - .byte 124 - .byte 84 - .byte 116 - .byte 93 - .byte 125 - .byte 161 - .byte 26 - .byte 172 - .byte 21 - .byte 29 - .byte 164 - .byte 20 - .byte 173 - .byte 2 - .byte 177 - .byte 12 - .byte 188 - .byte 4 - .byte 180 - .byte 13 - .byte 189 - .byte 225 - .byte 200 - .byte 236 - .byte 197 - .byte 205 - .byte 228 - .byte 196 - .byte 237 - .byte 209 - .byte 241 - .byte 220 - .byte 252 - .byte 212 - .byte 244 - .byte 221 - .byte 253 - .byte 54 - .byte 142 - .byte 56 - .byte 130 - .byte 139 - .byte 48 - .byte 131 - .byte 57 - .byte 150 - .byte 38 - .byte 154 - .byte 40 - .byte 147 - .byte 32 - .byte 155 - .byte 41 - .byte 102 - .byte 78 - .byte 104 - .byte 65 - .byte 73 - .byte 96 - .byte 64 - .byte 105 - .byte 86 - .byte 118 - .byte 88 - 
.byte 120 - .byte 80 - .byte 112 - .byte 89 - .byte 121 - .byte 166 - .byte 30 - .byte 170 - .byte 17 - .byte 25 - .byte 163 - .byte 16 - .byte 171 - .byte 6 - .byte 182 - .byte 8 - .byte 186 - .byte 0 - .byte 179 - .byte 9 - .byte 187 - .byte 230 - .byte 206 - .byte 234 - .byte 194 - .byte 203 - .byte 227 - .byte 195 - .byte 235 - .byte 214 - .byte 246 - .byte 218 - .byte 250 - .byte 211 - .byte 243 - .byte 219 - .byte 251 - .byte 49 - .byte 138 - .byte 62 - .byte 134 - .byte 143 - .byte 55 - .byte 135 - .byte 63 - .byte 146 - .byte 33 - .byte 158 - .byte 46 - .byte 151 - .byte 39 - .byte 159 - .byte 47 - .byte 97 - .byte 72 - .byte 110 - .byte 70 - .byte 79 - .byte 103 - .byte 71 - .byte 111 - .byte 81 - .byte 113 - .byte 94 - .byte 126 - .byte 87 - .byte 119 - .byte 95 - .byte 127 - .byte 162 - .byte 24 - .byte 174 - .byte 22 - .byte 31 - .byte 167 - .byte 23 - .byte 175 - .byte 1 - .byte 178 - .byte 14 - .byte 190 - .byte 7 - .byte 183 - .byte 15 - .byte 191 - .byte 226 - .byte 202 - .byte 238 - .byte 198 - .byte 207 - .byte 231 - .byte 199 - .byte 239 - .byte 210 - .byte 242 - .byte 222 - .byte 254 - .byte 215 - .byte 247 - .byte 223 - .byte 255 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_1, @object - .size table_1, 256 -table_1: - .byte 172 - .byte 232 - .byte 104 - .byte 60 - .byte 108 - .byte 56 - .byte 168 - .byte 236 - .byte 170 - .byte 174 - .byte 58 - .byte 62 - .byte 106 - .byte 110 - .byte 234 - .byte 238 - .byte 166 - .byte 163 - .byte 51 - .byte 54 - .byte 102 - .byte 99 - .byte 227 - .byte 230 - .byte 225 - .byte 164 - .byte 97 - .byte 52 - .byte 49 - .byte 100 - .byte 161 - .byte 228 - .byte 141 - .byte 201 - .byte 73 - .byte 29 - .byte 77 - .byte 25 - .byte 137 - .byte 205 - .byte 139 - .byte 143 - .byte 27 - .byte 31 - .byte 75 - .byte 79 - .byte 203 - .byte 207 - .byte 133 - .byte 192 - .byte 64 - .byte 21 - .byte 69 - .byte 16 - .byte 128 - .byte 197 - .byte 130 - .byte 135 - .byte 18 - .byte 23 - .byte 66 - .byte 71 - 
.byte 194 - .byte 199 - .byte 150 - .byte 147 - .byte 3 - .byte 6 - .byte 86 - .byte 83 - .byte 211 - .byte 214 - .byte 209 - .byte 148 - .byte 81 - .byte 4 - .byte 1 - .byte 84 - .byte 145 - .byte 212 - .byte 156 - .byte 216 - .byte 88 - .byte 12 - .byte 92 - .byte 8 - .byte 152 - .byte 220 - .byte 154 - .byte 158 - .byte 10 - .byte 14 - .byte 90 - .byte 94 - .byte 218 - .byte 222 - .byte 149 - .byte 208 - .byte 80 - .byte 5 - .byte 85 - .byte 0 - .byte 144 - .byte 213 - .byte 146 - .byte 151 - .byte 2 - .byte 7 - .byte 82 - .byte 87 - .byte 210 - .byte 215 - .byte 157 - .byte 217 - .byte 89 - .byte 13 - .byte 93 - .byte 9 - .byte 153 - .byte 221 - .byte 155 - .byte 159 - .byte 11 - .byte 15 - .byte 91 - .byte 95 - .byte 219 - .byte 223 - .byte 22 - .byte 19 - .byte 131 - .byte 134 - .byte 70 - .byte 67 - .byte 195 - .byte 198 - .byte 65 - .byte 20 - .byte 193 - .byte 132 - .byte 17 - .byte 68 - .byte 129 - .byte 196 - .byte 28 - .byte 72 - .byte 200 - .byte 140 - .byte 76 - .byte 24 - .byte 136 - .byte 204 - .byte 26 - .byte 30 - .byte 138 - .byte 142 - .byte 74 - .byte 78 - .byte 202 - .byte 206 - .byte 53 - .byte 96 - .byte 224 - .byte 165 - .byte 101 - .byte 48 - .byte 160 - .byte 229 - .byte 50 - .byte 55 - .byte 162 - .byte 167 - .byte 98 - .byte 103 - .byte 226 - .byte 231 - .byte 61 - .byte 105 - .byte 233 - .byte 173 - .byte 109 - .byte 57 - .byte 169 - .byte 237 - .byte 59 - .byte 63 - .byte 171 - .byte 175 - .byte 107 - .byte 111 - .byte 235 - .byte 239 - .byte 38 - .byte 35 - .byte 179 - .byte 182 - .byte 118 - .byte 115 - .byte 243 - .byte 246 - .byte 113 - .byte 36 - .byte 241 - .byte 180 - .byte 33 - .byte 116 - .byte 177 - .byte 244 - .byte 44 - .byte 120 - .byte 248 - .byte 188 - .byte 124 - .byte 40 - .byte 184 - .byte 252 - .byte 42 - .byte 46 - .byte 186 - .byte 190 - .byte 122 - .byte 126 - .byte 250 - .byte 254 - .byte 37 - .byte 112 - .byte 240 - .byte 181 - .byte 117 - .byte 32 - .byte 176 - .byte 245 - .byte 34 - .byte 39 - .byte 178 - 
.byte 183 - .byte 114 - .byte 119 - .byte 242 - .byte 247 - .byte 45 - .byte 121 - .byte 249 - .byte 189 - .byte 125 - .byte 41 - .byte 185 - .byte 253 - .byte 43 - .byte 47 - .byte 187 - .byte 191 - .byte 123 - .byte 127 - .byte 251 - .byte 255 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_2, @object - .size table_2, 256 -table_2: - .byte 0 - .byte 2 - .byte 4 - .byte 6 - .byte 8 - .byte 10 - .byte 12 - .byte 14 - .byte 16 - .byte 18 - .byte 20 - .byte 22 - .byte 24 - .byte 26 - .byte 28 - .byte 30 - .byte 32 - .byte 34 - .byte 36 - .byte 38 - .byte 40 - .byte 42 - .byte 44 - .byte 46 - .byte 48 - .byte 50 - .byte 52 - .byte 54 - .byte 56 - .byte 58 - .byte 60 - .byte 62 - .byte 65 - .byte 67 - .byte 69 - .byte 71 - .byte 73 - .byte 75 - .byte 77 - .byte 79 - .byte 81 - .byte 83 - .byte 85 - .byte 87 - .byte 89 - .byte 91 - .byte 93 - .byte 95 - .byte 97 - .byte 99 - .byte 101 - .byte 103 - .byte 105 - .byte 107 - .byte 109 - .byte 111 - .byte 113 - .byte 115 - .byte 117 - .byte 119 - .byte 121 - .byte 123 - .byte 125 - .byte 127 - .byte 128 - .byte 130 - .byte 132 - .byte 134 - .byte 136 - .byte 138 - .byte 140 - .byte 142 - .byte 144 - .byte 146 - .byte 148 - .byte 150 - .byte 152 - .byte 154 - .byte 156 - .byte 158 - .byte 160 - .byte 162 - .byte 164 - .byte 166 - .byte 168 - .byte 170 - .byte 172 - .byte 174 - .byte 176 - .byte 178 - .byte 180 - .byte 182 - .byte 184 - .byte 186 - .byte 188 - .byte 190 - .byte 193 - .byte 195 - .byte 197 - .byte 199 - .byte 201 - .byte 203 - .byte 205 - .byte 207 - .byte 209 - .byte 211 - .byte 213 - .byte 215 - .byte 217 - .byte 219 - .byte 221 - .byte 223 - .byte 225 - .byte 227 - .byte 229 - .byte 231 - .byte 233 - .byte 235 - .byte 237 - .byte 239 - .byte 241 - .byte 243 - .byte 245 - .byte 247 - .byte 249 - .byte 251 - .byte 253 - .byte 255 - .byte 1 - .byte 3 - .byte 5 - .byte 7 - .byte 9 - .byte 11 - .byte 13 - .byte 15 - .byte 17 - .byte 19 - .byte 21 - .byte 23 - .byte 25 - .byte 27 - .byte 29 - 
.byte 31 - .byte 33 - .byte 35 - .byte 37 - .byte 39 - .byte 41 - .byte 43 - .byte 45 - .byte 47 - .byte 49 - .byte 51 - .byte 53 - .byte 55 - .byte 57 - .byte 59 - .byte 61 - .byte 63 - .byte 64 - .byte 66 - .byte 68 - .byte 70 - .byte 72 - .byte 74 - .byte 76 - .byte 78 - .byte 80 - .byte 82 - .byte 84 - .byte 86 - .byte 88 - .byte 90 - .byte 92 - .byte 94 - .byte 96 - .byte 98 - .byte 100 - .byte 102 - .byte 104 - .byte 106 - .byte 108 - .byte 110 - .byte 112 - .byte 114 - .byte 116 - .byte 118 - .byte 120 - .byte 122 - .byte 124 - .byte 126 - .byte 129 - .byte 131 - .byte 133 - .byte 135 - .byte 137 - .byte 139 - .byte 141 - .byte 143 - .byte 145 - .byte 147 - .byte 149 - .byte 151 - .byte 153 - .byte 155 - .byte 157 - .byte 159 - .byte 161 - .byte 163 - .byte 165 - .byte 167 - .byte 169 - .byte 171 - .byte 173 - .byte 175 - .byte 177 - .byte 179 - .byte 181 - .byte 183 - .byte 185 - .byte 187 - .byte 189 - .byte 191 - .byte 192 - .byte 194 - .byte 196 - .byte 198 - .byte 200 - .byte 202 - .byte 204 - .byte 206 - .byte 208 - .byte 210 - .byte 212 - .byte 214 - .byte 216 - .byte 218 - .byte 220 - .byte 222 - .byte 224 - .byte 226 - .byte 228 - .byte 230 - .byte 232 - .byte 234 - .byte 236 - .byte 238 - .byte 240 - .byte 242 - .byte 244 - .byte 246 - .byte 248 - .byte 250 - .byte 252 - .byte 254 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_3, @object - .size table_3, 256 -table_3: - .byte 0 - .byte 128 - .byte 1 - .byte 129 - .byte 2 - .byte 130 - .byte 3 - .byte 131 - .byte 4 - .byte 132 - .byte 5 - .byte 133 - .byte 6 - .byte 134 - .byte 7 - .byte 135 - .byte 8 - .byte 136 - .byte 9 - .byte 137 - .byte 10 - .byte 138 - .byte 11 - .byte 139 - .byte 12 - .byte 140 - .byte 13 - .byte 141 - .byte 14 - .byte 142 - .byte 15 - .byte 143 - .byte 16 - .byte 144 - .byte 17 - .byte 145 - .byte 18 - .byte 146 - .byte 19 - .byte 147 - .byte 20 - .byte 148 - .byte 21 - .byte 149 - .byte 22 - .byte 150 - .byte 23 - .byte 151 - .byte 24 - .byte 152 - 
.byte 25 - .byte 153 - .byte 26 - .byte 154 - .byte 27 - .byte 155 - .byte 28 - .byte 156 - .byte 29 - .byte 157 - .byte 30 - .byte 158 - .byte 31 - .byte 159 - .byte 160 - .byte 32 - .byte 161 - .byte 33 - .byte 162 - .byte 34 - .byte 163 - .byte 35 - .byte 164 - .byte 36 - .byte 165 - .byte 37 - .byte 166 - .byte 38 - .byte 167 - .byte 39 - .byte 168 - .byte 40 - .byte 169 - .byte 41 - .byte 170 - .byte 42 - .byte 171 - .byte 43 - .byte 172 - .byte 44 - .byte 173 - .byte 45 - .byte 174 - .byte 46 - .byte 175 - .byte 47 - .byte 176 - .byte 48 - .byte 177 - .byte 49 - .byte 178 - .byte 50 - .byte 179 - .byte 51 - .byte 180 - .byte 52 - .byte 181 - .byte 53 - .byte 182 - .byte 54 - .byte 183 - .byte 55 - .byte 184 - .byte 56 - .byte 185 - .byte 57 - .byte 186 - .byte 58 - .byte 187 - .byte 59 - .byte 188 - .byte 60 - .byte 189 - .byte 61 - .byte 190 - .byte 62 - .byte 191 - .byte 63 - .byte 64 - .byte 192 - .byte 65 - .byte 193 - .byte 66 - .byte 194 - .byte 67 - .byte 195 - .byte 68 - .byte 196 - .byte 69 - .byte 197 - .byte 70 - .byte 198 - .byte 71 - .byte 199 - .byte 72 - .byte 200 - .byte 73 - .byte 201 - .byte 74 - .byte 202 - .byte 75 - .byte 203 - .byte 76 - .byte 204 - .byte 77 - .byte 205 - .byte 78 - .byte 206 - .byte 79 - .byte 207 - .byte 80 - .byte 208 - .byte 81 - .byte 209 - .byte 82 - .byte 210 - .byte 83 - .byte 211 - .byte 84 - .byte 212 - .byte 85 - .byte 213 - .byte 86 - .byte 214 - .byte 87 - .byte 215 - .byte 88 - .byte 216 - .byte 89 - .byte 217 - .byte 90 - .byte 218 - .byte 91 - .byte 219 - .byte 92 - .byte 220 - .byte 93 - .byte 221 - .byte 94 - .byte 222 - .byte 95 - .byte 223 - .byte 224 - .byte 96 - .byte 225 - .byte 97 - .byte 226 - .byte 98 - .byte 227 - .byte 99 - .byte 228 - .byte 100 - .byte 229 - .byte 101 - .byte 230 - .byte 102 - .byte 231 - .byte 103 - .byte 232 - .byte 104 - .byte 233 - .byte 105 - .byte 234 - .byte 106 - .byte 235 - .byte 107 - .byte 236 - .byte 108 - .byte 237 - .byte 109 - .byte 238 - .byte 110 - .byte 239 
- .byte 111 - .byte 240 - .byte 112 - .byte 241 - .byte 113 - .byte 242 - .byte 114 - .byte 243 - .byte 115 - .byte 244 - .byte 116 - .byte 245 - .byte 117 - .byte 246 - .byte 118 - .byte 247 - .byte 119 - .byte 248 - .byte 120 - .byte 249 - .byte 121 - .byte 250 - .byte 122 - .byte 251 - .byte 123 - .byte 252 - .byte 124 - .byte 253 - .byte 125 - .byte 254 - .byte 126 - .byte 255 - .byte 127 - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_4, @object - .size table_4, 112 -table_4: - .byte 1 - .byte 0 - .byte 3 - .byte 0 - .byte 7 - .byte 0 - .byte 15 - .byte 0 - .byte 15 - .byte 1 - .byte 14 - .byte 3 - .byte 13 - .byte 3 - .byte 11 - .byte 3 - .byte 7 - .byte 3 - .byte 15 - .byte 2 - .byte 14 - .byte 1 - .byte 12 - .byte 3 - .byte 9 - .byte 3 - .byte 3 - .byte 3 - .byte 7 - .byte 2 - .byte 14 - .byte 0 - .byte 13 - .byte 1 - .byte 10 - .byte 3 - .byte 5 - .byte 3 - .byte 11 - .byte 2 - .byte 6 - .byte 1 - .byte 12 - .byte 2 - .byte 8 - .byte 1 - .byte 0 - .byte 3 - .byte 1 - .byte 2 - .byte 2 - .byte 0 - .byte 5 - .byte 0 - .byte 11 - .byte 0 - .byte 7 - .byte 1 - .byte 14 - .byte 2 - .byte 12 - .byte 1 - .byte 8 - .byte 3 - .byte 1 - .byte 3 - .byte 3 - .byte 2 - .byte 6 - .byte 0 - .byte 13 - .byte 0 - .byte 11 - .byte 1 - .byte 6 - .byte 3 - .byte 13 - .byte 2 - .byte 10 - .byte 1 - .byte 4 - .byte 3 - .byte 9 - .byte 2 - .byte 2 - .byte 1 - .byte 4 - .byte 2 - .byte 8 - .byte 0 - .byte 1 - .byte 1 - .byte 2 - .byte 2 - .byte 4 - .byte 0 - .byte 9 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 2 - .byte 12 - .byte 0 - .byte 9 - .byte 1 - .byte 2 - .byte 3 - .byte 5 - .byte 2 - .byte 10 - .byte 0 - - .text -.global skinny_128_384_init - .type skinny_128_384_init, @function -skinny_128_384_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ldi r22,12 -1: - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - st Z+,r18 - st Z+,r19 - st Z+,r20 - st Z+,r21 - dec r22 - brne 1b - ret - .size skinny_128_384_init, .-skinny_128_384_init - - .text 
-.global skinny_128_384_encrypt - .type skinny_128_384_encrypt, @function -skinny_128_384_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,48 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 68 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Y+5,r18 - std Y+6,r19 - std Y+7,r20 - std Y+8,r21 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - std Y+9,r18 - std Y+10,r19 - std Y+11,r20 - std Y+12,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - std Y+13,r18 - std Y+14,r19 - std Y+15,r20 - std Y+16,r21 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - std Y+17,r18 - std Y+18,r19 - std Y+19,r20 - std Y+20,r21 - ldd r18,Z+20 - ldd r19,Z+21 - ldd r20,Z+22 - ldd r21,Z+23 - std Y+21,r18 - std Y+22,r19 - std Y+23,r20 - std Y+24,r21 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - std Y+25,r18 - std Y+26,r19 - std Y+27,r20 - std Y+28,r21 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - std Y+29,r18 - std Y+30,r19 - std Y+31,r20 - std Y+32,r21 - ldd r18,Z+32 - ldd r19,Z+33 - ldd r20,Z+34 - ldd r21,Z+35 - std Y+33,r18 - std Y+34,r19 - std Y+35,r20 - std Y+36,r21 - ldd r18,Z+36 - ldd r19,Z+37 - ldd r20,Z+38 - ldd r21,Z+39 - std Y+37,r18 - std Y+38,r19 - std Y+39,r20 - std Y+40,r21 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - std Y+41,r18 - std Y+42,r19 - std Y+43,r20 - std Y+44,r21 - ldd r18,Z+44 - ldd r19,Z+45 - ldd r20,Z+46 - ldd r21,Z+47 - std Y+45,r18 - std Y+46,r19 - std Y+47,r20 - std Y+48,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld 
r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r26,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - mov r26,r1 -114: - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z 
-#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - ldi r27,2 - eor r4,r27 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+33 - eor r18,r0 - ldd r0,Y+34 - eor r19,r0 - ldd r0,Y+35 - eor r20,r0 - ldd r0,Y+36 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - ldd r0,Y+37 - eor r22,r0 - ldd r0,Y+38 - 
eor r23,r0 - ldd r0,Y+39 - eor r2,r0 - ldd r0,Y+40 - eor r3,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z 
-#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - std Y+30,r16 - std Y+31,r24 - std Y+32,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r13 - std Y+42,r17 - std Y+43,r12 - std 
Y+44,r25 - std Y+45,r14 - std Y+46,r16 - std Y+47,r24 - std Y+48,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - 
mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - ldi r27,2 - eor r22,r27 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+41 - eor r8,r0 - ldd r0,Y+42 - eor r9,r0 - ldd r0,Y+43 - eor r10,r0 - ldd r0,Y+44 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - ldd r0,Y+45 - eor r18,r0 - ldd r0,Y+46 - eor r19,r0 - ldd r0,Y+47 - eor r20,r0 - ldd r0,Y+48 - eor 
r21,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - mov r0,r2 - mov r2,r22 - mov r22,r0 - mov r0,r3 - mov r3,r23 - mov r23,r0 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 
-#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r13 - std Y+34,r17 - std Y+35,r12 - std Y+36,r25 - std Y+37,r14 - std Y+38,r16 - std Y+39,r24 - std Y+40,r15 - 
ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - ldi r27,2 - eor r18,r27 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+33 - eor r4,r0 - ldd r0,Y+34 - eor r5,r0 - ldd r0,Y+35 - eor r6,r0 - ldd r0,Y+36 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - ldd r0,Y+37 - eor r8,r0 - ldd r0,Y+38 - eor r9,r0 - ldd r0,Y+39 - eor r10,r0 - ldd r0,Y+40 - eor r11,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - mov 
r0,r20 - mov r20,r18 - mov r18,r0 - mov r0,r21 - mov r21,r19 - mov r19,r0 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z 
-#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - std Y+30,r16 - std Y+31,r24 - std Y+32,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r13 - std Y+42,r17 - std Y+43,r12 - std Y+44,r25 - std Y+45,r14 - std Y+46,r16 - std Y+47,r24 - std Y+48,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if 
defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld 
r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - ldi r27,2 - eor r8,r27 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+41 - eor r22,r0 - ldd r0,Y+42 - eor r23,r0 - ldd r0,Y+43 - eor r2,r0 - ldd r0,Y+44 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - ldd r0,Y+45 - eor r4,r0 - ldd r0,Y+46 - eor r5,r0 - ldd r0,Y+47 - eor r6,r0 - ldd r0,Y+48 - eor r7,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov 
r9,r0 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - cpi r26,112 - brne 5721f - rjmp 790f -5721: - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - 
lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r13 - std Y+34,r17 - std Y+35,r12 - std Y+36,r25 - std Y+37,r14 - std Y+38,r16 - std Y+39,r24 - std Y+40,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - 
out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 114b -790: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+49 - ldd r27,Y+50 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,50 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_384_encrypt, .-skinny_128_384_encrypt - -.global skinny_128_384_encrypt_tk_full - .set skinny_128_384_encrypt_tk_full,skinny_128_384_encrypt - - .text -.global skinny_128_384_decrypt - .type skinny_128_384_decrypt, @function -skinny_128_384_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,48 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 68 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r4,Z+8 - ldd r5,Z+9 - ldd r6,Z+10 - ldd r7,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Y+1,r23 - std Y+2,r2 - std Y+3,r21 - std Y+4,r20 - std Y+5,r3 - std Y+6,r18 - std Y+7,r19 - std Y+8,r22 - std Y+9,r9 - std Y+10,r10 - std Y+11,r7 - std Y+12,r6 - std Y+13,r11 - std Y+14,r4 - std Y+15,r5 - std Y+16,r8 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - ldd r4,Z+24 - ldd r5,Z+25 - ldd r6,Z+26 - ldd r7,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Y+17,r23 - std Y+18,r2 - std Y+19,r21 - std Y+20,r20 - std Y+21,r3 - std Y+22,r18 - std 
Y+23,r19 - std Y+24,r22 - std Y+25,r9 - std Y+26,r10 - std Y+27,r7 - std Y+28,r6 - std Y+29,r11 - std Y+30,r4 - std Y+31,r5 - std Y+32,r8 - ldd r18,Z+32 - ldd r19,Z+33 - ldd r20,Z+34 - ldd r21,Z+35 - ldd r22,Z+36 - ldd r23,Z+37 - ldd r2,Z+38 - ldd r3,Z+39 - ldd r4,Z+40 - ldd r5,Z+41 - ldd r6,Z+42 - ldd r7,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - std Y+33,r23 - std Y+34,r2 - std Y+35,r21 - std Y+36,r20 - std Y+37,r3 - std Y+38,r18 - std Y+39,r19 - std Y+40,r22 - std Y+41,r9 - std Y+42,r10 - std Y+43,r7 - std Y+44,r6 - std Y+45,r11 - std Y+46,r4 - std Y+47,r5 - std Y+48,r8 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r26,hh8(table_2) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,28 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 -122: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 122b - std Y+17,r12 - std Y+18,r13 - std Y+19,r14 - std Y+20,r15 - std Y+21,r24 - std Y+22,r25 - std Y+23,r16 - std Y+24,r17 - ldi r26,28 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 -150: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif 
defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 150b - std Y+25,r12 - std Y+26,r13 - std Y+27,r14 - std Y+28,r15 - std Y+29,r24 - std Y+30,r25 - std Y+31,r16 - std Y+32,r17 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r26,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,28 - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 -179: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 179b - std Y+33,r12 - std Y+34,r13 - std Y+35,r14 - std Y+36,r15 - std Y+37,r24 - std Y+38,r25 - std Y+39,r16 - std Y+40,r17 - ldi r26,28 - ldd r12,Y+41 - ldd r13,Y+42 - 
ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 -207: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 207b - std Y+41,r12 - std Y+42,r13 - std Y+43,r14 - std Y+44,r15 - std Y+45,r24 - std Y+46,r25 - std Y+47,r16 - std Y+48,r17 - ldi r26,112 -227: - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 
-#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r14 - std Y+34,r12 - std Y+35,r24 - std Y+36,r17 - std Y+37,r16 - std Y+38,r15 - std Y+39,r25 - std Y+40,r13 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - mov r0,r8 - mov r8,r10 - mov r10,r0 - mov r0,r9 - mov r9,r11 - mov r11,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+41 - eor r22,r0 - ldd r0,Y+42 - eor r23,r0 - ldd r0,Y+43 - eor r2,r0 - ldd r0,Y+44 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - ldd 
r0,Y+45 - eor r4,r0 - ldd r0,Y+46 - eor r5,r0 - ldd r0,Y+47 - eor r6,r0 - ldd r0,Y+48 - eor r7,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - ldi r27,2 - eor r8,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif 
defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - 
ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm 
r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r14 - std Y+42,r12 - std Y+43,r24 - std Y+44,r17 - std Y+45,r16 - std Y+46,r15 - std Y+47,r25 - std Y+48,r13 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r18 - mov r18,r20 - mov r20,r0 - mov r0,r19 - mov r19,r21 - mov r21,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+33 - eor r4,r0 - ldd r0,Y+34 - eor r5,r0 - ldd r0,Y+35 - eor r6,r0 - ldd r0,Y+36 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - ldd r0,Y+37 - eor r8,r0 - ldd r0,Y+38 - eor r9,r0 - ldd r0,Y+39 - eor r10,r0 - 
ldd r0,Y+40 - eor r11,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - ldi r27,2 - eor r18,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov 
r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm 
r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+33 - ldd r13,Y+34 - ldd r14,Y+35 - ldd r15,Y+36 - ldd r24,Y+37 - ldd r25,Y+38 - ldd r16,Y+39 - ldd r17,Y+40 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - 
mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+33,r14 - std Y+34,r12 - std Y+35,r24 - std Y+36,r17 - std Y+37,r16 - std Y+38,r15 - std Y+39,r25 - std Y+40,r13 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - mov r0,r22 - mov r22,r2 - mov r2,r0 - mov r0,r23 - mov r23,r3 - mov r3,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+41 - eor r8,r0 - ldd r0,Y+42 - eor r9,r0 - ldd r0,Y+43 - eor r10,r0 - ldd r0,Y+44 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - ldd r0,Y+45 - eor r18,r0 - ldd r0,Y+46 - eor r19,r0 - ldd r0,Y+47 - eor r20,r0 - ldd r0,Y+48 - eor r21,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) 
-#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - ldi r27,2 - eor r22,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z 
-#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+41 - ldd r13,Y+42 - ldd r14,Y+43 - ldd r15,Y+44 - ldd r24,Y+45 - ldd r25,Y+46 - ldd r16,Y+47 - ldd r17,Y+48 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+41,r14 - std Y+42,r12 - std Y+43,r24 - std Y+44,r17 - std Y+45,r16 - std Y+46,r15 - std Y+47,r25 - std Y+48,r13 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - mov r0,r4 - mov r4,r6 - mov r6,r0 - mov r0,r5 - mov r5,r7 - mov r7,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+33 - eor r18,r0 - ldd r0,Y+34 - eor r19,r0 - ldd r0,Y+35 - eor r20,r0 - ldd r0,Y+36 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - ldd r0,Y+37 - eor r22,r0 - ldd r0,Y+38 - eor r23,r0 - ldd r0,Y+39 - eor r2,r0 - ldd r0,Y+40 - eor r3,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out 
_SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - ldi r27,2 - eor r4,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif 
defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - cp r26,r1 - breq 903f - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 227b -903: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+49 - ldd r27,Y+50 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,50 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_384_decrypt, .-skinny_128_384_decrypt - - .text -.global 
skinny_128_256_init - .type skinny_128_256_init, @function -skinny_128_256_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ldi r22,8 -1: - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - st Z+,r18 - st Z+,r19 - st Z+,r20 - st Z+,r21 - dec r22 - brne 1b - ret - .size skinny_128_256_init, .-skinny_128_256_init - - .text -.global skinny_128_256_encrypt - .type skinny_128_256_encrypt, @function -skinny_128_256_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,32 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 52 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Y+5,r18 - std Y+6,r19 - std Y+7,r20 - std Y+8,r21 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - std Y+9,r18 - std Y+10,r19 - std Y+11,r20 - std Y+12,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - std Y+13,r18 - std Y+14,r19 - std Y+15,r20 - std Y+16,r21 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - std Y+17,r18 - std Y+18,r19 - std Y+19,r20 - std Y+20,r21 - ldd r18,Z+20 - ldd r19,Z+21 - ldd r20,Z+22 - ldd r21,Z+23 - std Y+21,r18 - std Y+22,r19 - std Y+23,r20 - std Y+24,r21 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - std Y+25,r18 - std Y+26,r19 - std Y+27,r20 - std Y+28,r21 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - std Y+29,r18 - std Y+30,r19 - std Y+31,r20 - std Y+32,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi 
r26,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - mov r26,r1 -82: - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - ldi r27,2 - eor r4,r27 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - eor r4,r18 - eor r5,r19 - 
eor r6,r20 - eor r7,r21 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - std Y+30,r16 - std Y+31,r24 
- std Y+32,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - 
elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - inc r26 - ldi r27,2 - eor r22,r27 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - mov r0,r2 - mov r2,r22 - mov r22,r0 - mov r0,r3 - mov r3,r23 - mov r23,r0 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - eor 
r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std 
Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm 
r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - inc r26 - ldi r27,2 - eor r18,r27 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - mov r0,r20 - mov r20,r18 - mov r18,r0 - mov r0,r21 - mov r21,r19 - mov r19,r0 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - eor 
r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r13 - std Y+10,r17 - std Y+11,r12 - std Y+12,r25 - std Y+13,r14 - std Y+14,r16 - std Y+15,r24 - std Y+16,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r13 - std Y+26,r17 - std Y+27,r12 - std Y+28,r25 - std Y+29,r14 - 
std Y+30,r16 - std Y+31,r24 - std Y+32,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if 
defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - inc r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - inc r26 - ldi r27,2 - eor r8,r27 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r4,r8 - eor r5,r9 - 
eor r6,r10 - eor r7,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - cpi r26,96 - breq 594f - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r13 - std Y+2,r17 - std Y+3,r12 - std Y+4,r25 - std Y+5,r14 - std Y+6,r16 - std Y+7,r24 - std Y+8,r15 - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r27,hh8(table_2) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r13 - std Y+18,r17 - std 
Y+19,r12 - std Y+20,r25 - std Y+21,r14 - std Y+22,r16 - std Y+23,r24 - std Y+24,r15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r27,hh8(table_0) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 82b -594: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+33 - ldd r27,Y+34 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,34 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_256_encrypt, .-skinny_128_256_encrypt - -.global skinny_128_256_encrypt_tk_full - .set skinny_128_256_encrypt_tk_full,skinny_128_256_encrypt - - .text -.global skinny_128_256_decrypt - .type skinny_128_256_decrypt, @function -skinny_128_256_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,32 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 52 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - ldd r4,Z+8 - ldd r5,Z+9 - ldd r6,Z+10 - ldd r7,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - std Y+5,r22 - std Y+6,r23 - std Y+7,r2 - std Y+8,r3 - std Y+9,r4 - std Y+10,r5 - std Y+11,r6 - std Y+12,r7 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r18,Z+16 - ldd r19,Z+17 - ldd r20,Z+18 - ldd r21,Z+19 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - ldd r4,Z+24 - ldd r5,Z+25 - ldd 
r6,Z+26 - ldd r7,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Y+17,r18 - std Y+18,r19 - std Y+19,r20 - std Y+20,r21 - std Y+21,r22 - std Y+22,r23 - std Y+23,r2 - std Y+24,r3 - std Y+25,r4 - std Y+26,r5 - std Y+27,r6 - std Y+28,r7 - std Y+29,r8 - std Y+30,r9 - std Y+31,r10 - std Y+32,r11 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ldi r30,lo8(table_2) - ldi r31,hi8(table_2) -#if defined(RAMPZ) - ldi r26,hh8(table_2) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,24 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 -90: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if 
defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 90b - std Y+17,r12 - std Y+18,r13 - std Y+19,r14 - std Y+20,r15 - std Y+21,r24 - std Y+22,r25 - std Y+23,r16 - std Y+24,r17 - ldi r26,24 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 -118: - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - dec r26 - brne 118b - std Y+25,r12 - std Y+26,r13 - std Y+27,r14 - std Y+28,r15 - std Y+29,r24 - std Y+30,r25 - std Y+31,r16 - std Y+32,r17 - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r26,hh8(table_3) - 
out _SFR_IO_ADDR(RAMPZ),r26 -#endif - ldi r26,96 -139: - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - eor r8,r22 - eor r9,r23 - eor r10,r2 - eor r11,r3 - eor r4,r8 - eor r5,r9 - eor r6,r10 - 
eor r7,r11 - mov r0,r4 - mov r4,r5 - mov r5,r6 - mov r6,r7 - mov r7,r0 - mov r0,r8 - mov r8,r10 - mov r10,r0 - mov r0,r9 - mov r9,r11 - mov r11,r0 - mov r0,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - ldd r0,Y+9 - eor r22,r0 - ldd r0,Y+10 - eor r23,r0 - ldd r0,Y+11 - eor r2,r0 - ldd r0,Y+12 - eor r3,r0 - ldd r0,Y+25 - eor r22,r0 - ldd r0,Y+26 - eor r23,r0 - ldd r0,Y+27 - eor r2,r0 - ldd r0,Y+28 - eor r3,r0 - ldd r0,Y+13 - eor r4,r0 - ldd r0,Y+14 - eor r5,r0 - ldd r0,Y+15 - eor r6,r0 - ldd r0,Y+16 - eor r7,r0 - ldd r0,Y+29 - eor r4,r0 - ldd r0,Y+30 - eor r5,r0 - ldd r0,Y+31 - eor r6,r0 - ldd r0,Y+32 - eor r7,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - ldi r27,2 - eor r8,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z 
-#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - 
ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - eor r8,r18 - eor 
r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r18 - mov r18,r20 - mov r20,r0 - mov r0,r19 - mov r19,r21 - mov r21,r0 - mov r0,r3 - mov r3,r2 - mov r2,r23 - mov r23,r22 - mov r22,r0 - ldd r0,Y+1 - eor r4,r0 - ldd r0,Y+2 - eor r5,r0 - ldd r0,Y+3 - eor r6,r0 - ldd r0,Y+4 - eor r7,r0 - ldd r0,Y+17 - eor r4,r0 - ldd r0,Y+18 - eor r5,r0 - ldd r0,Y+19 - eor r6,r0 - ldd r0,Y+20 - eor r7,r0 - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - ldd r0,Y+21 - eor r8,r0 - ldd r0,Y+22 - eor r9,r0 - ldd r0,Y+23 - eor r10,r0 - ldd r0,Y+24 - eor r11,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r4,r27 - ldi r27,2 - eor r18,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - 
elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if 
defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - ldd r24,Y+5 - ldd r25,Y+6 - ldd r16,Y+7 - ldd r17,Y+8 - std Y+1,r14 - std Y+2,r12 - std Y+3,r24 - std Y+4,r17 - std Y+5,r16 - std Y+6,r15 - std Y+7,r25 - std Y+8,r13 - ldd r12,Y+17 - ldd r13,Y+18 - ldd r14,Y+19 - ldd r15,Y+20 - ldd r24,Y+21 - ldd r25,Y+22 - ldd r16,Y+23 - ldd r17,Y+24 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+17,r14 - std Y+18,r12 - std Y+19,r24 - std Y+20,r17 - std Y+21,r16 - std Y+22,r15 - std Y+23,r25 - std Y+24,r13 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r18,r22 - eor 
r19,r23 - eor r20,r2 - eor r21,r3 - mov r0,r18 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - mov r0,r22 - mov r22,r2 - mov r2,r0 - mov r0,r23 - mov r23,r3 - mov r3,r0 - mov r0,r7 - mov r7,r6 - mov r6,r5 - mov r5,r4 - mov r4,r0 - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - ldd r0,Y+25 - eor r8,r0 - ldd r0,Y+26 - eor r9,r0 - ldd r0,Y+27 - eor r10,r0 - ldd r0,Y+28 - eor r11,r0 - ldd r0,Y+13 - eor r18,r0 - ldd r0,Y+14 - eor r19,r0 - ldd r0,Y+15 - eor r20,r0 - ldd r0,Y+16 - eor r21,r0 - ldd r0,Y+29 - eor r18,r0 - ldd r0,Y+30 - eor r19,r0 - ldd r0,Y+31 - eor r20,r0 - ldd r0,Y+32 - eor r21,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r8,r27 - ldi r27,2 - eor r22,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - mov r30,r18 
-#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - ldi r30,lo8(table_3) - ldi 
r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - ldd r12,Y+9 - ldd r13,Y+10 - ldd r14,Y+11 - ldd r15,Y+12 - ldd r24,Y+13 - ldd r25,Y+14 - ldd r16,Y+15 - ldd r17,Y+16 - std Y+9,r14 - std Y+10,r12 - std Y+11,r24 - std Y+12,r17 - std Y+13,r16 - std Y+14,r15 - std Y+15,r25 - std Y+16,r13 - ldd r12,Y+25 - ldd r13,Y+26 - ldd r14,Y+27 - ldd r15,Y+28 - ldd r24,Y+29 - ldd r25,Y+30 - ldd r16,Y+31 - ldd r17,Y+32 - mov r30,r12 -#if defined(RAMPZ) - elpm r12,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r12,Z -#elif defined(__AVR_TINY__) - ld r12,Z -#else - lpm - mov r12,r0 -#endif - mov r30,r13 -#if defined(RAMPZ) - elpm r13,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r13,Z -#elif defined(__AVR_TINY__) - ld r13,Z -#else - lpm - mov r13,r0 -#endif - mov r30,r14 -#if defined(RAMPZ) - elpm r14,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r14,Z -#elif defined(__AVR_TINY__) - ld r14,Z -#else - lpm - mov r14,r0 -#endif - mov r30,r15 -#if defined(RAMPZ) - elpm r15,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r15,Z -#elif defined(__AVR_TINY__) - ld r15,Z -#else - lpm - mov r15,r0 -#endif - mov r30,r24 -#if defined(RAMPZ) - elpm r24,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r24,Z -#elif defined(__AVR_TINY__) - ld r24,Z -#else - lpm - mov r24,r0 -#endif - mov r30,r25 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - mov r30,r16 -#if defined(RAMPZ) - elpm r16,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r16,Z -#elif defined(__AVR_TINY__) - ld r16,Z -#else - lpm - mov r16,r0 -#endif - mov r30,r17 -#if defined(RAMPZ) - elpm r17,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r17,Z -#elif defined(__AVR_TINY__) - ld r17,Z -#else - lpm - mov r17,r0 -#endif - std Y+25,r14 - std Y+26,r12 - std Y+27,r24 - std Y+28,r17 - std Y+29,r16 - std Y+30,r15 - std Y+31,r25 - std Y+32,r13 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - eor r22,r4 - eor r23,r5 - eor r2,r6 - eor r3,r7 - mov r0,r22 - mov r22,r23 - mov r23,r2 - mov r2,r3 - mov r3,r0 - mov r0,r4 - mov r4,r6 - mov r6,r0 - mov r0,r5 - mov r5,r7 - mov r7,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - ldd r0,Y+1 - eor r18,r0 - ldd r0,Y+2 - eor r19,r0 - ldd r0,Y+3 - eor r20,r0 - ldd r0,Y+4 - eor r21,r0 - ldd r0,Y+17 - eor r18,r0 - ldd r0,Y+18 - eor r19,r0 - ldd r0,Y+19 - eor r20,r0 - ldd r0,Y+20 - eor r21,r0 - ldd r0,Y+5 - eor r22,r0 - ldd r0,Y+6 - eor r23,r0 - ldd r0,Y+7 - eor r2,r0 - ldd r0,Y+8 - eor r3,r0 - ldd r0,Y+21 - eor r22,r0 - ldd r0,Y+22 - eor r23,r0 - ldd r0,Y+23 - eor r2,r0 - ldd r0,Y+24 - eor r3,r0 - ldi r30,lo8(table_4) - ldi r31,hi8(table_4) -#if defined(RAMPZ) - ldi r24,hh8(table_4) - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r22,r27 - dec r26 - mov r30,r26 -#if defined(RAMPZ) - elpm r27,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r27,Z -#elif defined(__AVR_TINY__) - ld r27,Z -#else - lpm - mov r27,r0 -#endif - eor r18,r27 - ldi r27,2 - eor r4,r27 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r27,hh8(table_1) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - mov r30,r18 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - mov r30,r19 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - mov r30,r20 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - mov r30,r21 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - 
mov r21,r0 -#endif - mov r30,r22 -#if defined(RAMPZ) - elpm r22,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r22,Z -#elif defined(__AVR_TINY__) - ld r22,Z -#else - lpm - mov r22,r0 -#endif - mov r30,r23 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - mov r30,r2 -#if defined(RAMPZ) - elpm r2,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r2,Z -#elif defined(__AVR_TINY__) - ld r2,Z -#else - lpm - mov r2,r0 -#endif - mov r30,r3 -#if defined(RAMPZ) - elpm r3,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r3,Z -#elif defined(__AVR_TINY__) - ld r3,Z -#else - lpm - mov r3,r0 -#endif - mov r30,r4 -#if defined(RAMPZ) - elpm r4,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r4,Z -#elif defined(__AVR_TINY__) - ld r4,Z -#else - lpm - mov r4,r0 -#endif - mov r30,r5 -#if defined(RAMPZ) - elpm r5,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r5,Z -#elif defined(__AVR_TINY__) - ld r5,Z -#else - lpm - mov r5,r0 -#endif - mov r30,r6 -#if defined(RAMPZ) - elpm r6,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r6,Z -#elif defined(__AVR_TINY__) - ld r6,Z -#else - lpm - mov r6,r0 -#endif - mov r30,r7 -#if defined(RAMPZ) - elpm r7,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r7,Z -#elif defined(__AVR_TINY__) - ld r7,Z -#else - lpm - mov r7,r0 -#endif - mov r30,r8 -#if defined(RAMPZ) - elpm r8,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r8,Z -#elif defined(__AVR_TINY__) - ld r8,Z -#else - lpm - mov r8,r0 -#endif - mov r30,r9 -#if defined(RAMPZ) - elpm r9,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r9,Z -#elif defined(__AVR_TINY__) - ld r9,Z -#else - lpm - mov r9,r0 -#endif - mov r30,r10 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - mov r30,r11 -#if defined(RAMPZ) - elpm r11,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r11,Z -#elif defined(__AVR_TINY__) - ld r11,Z -#else - lpm - mov r11,r0 -#endif - cp r26,r1 - 
breq 651f - ldi r30,lo8(table_3) - ldi r31,hi8(table_3) -#if defined(RAMPZ) - ldi r27,hh8(table_3) - out _SFR_IO_ADDR(RAMPZ),r27 -#endif - rjmp 139b -651: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+33 - ldd r27,Y+34 - st X+,r18 - st X+,r19 - st X+,r20 - st X+,r21 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - adiw r28,34 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size skinny_128_256_decrypt, .-skinny_128_256_decrypt - -#endif diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-skinny128.c b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-skinny128.c deleted file mode 100644 index 579ced1..0000000 --- a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-skinny128.c +++ /dev/null 
@@ -1,801 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-skinny128.h"
-#include "internal-skinnyutil.h"
-#include "internal-util.h"
-#include
-
-#if !defined(__AVR__)
-
-STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
-{
- /* This function is used to fast-forward the TK1 tweak value
- * to the value at the end of the key schedule for decryption.
- *
- * The tweak permutation repeats every 16 rounds, so SKINNY-128-256
- * with 48 rounds does not need any fast forwarding applied.
- * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds
- * are equivalent to applying the permutation 8 times:
- *
- * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12]
- */
- uint32_t row0 = tk[0];
- uint32_t row1 = tk[1];
- uint32_t row2 = tk[2];
- uint32_t row3 = tk[3];
- tk[0] = ((row1 >> 8) & 0x0000FFFFU) |
- ((row0 >> 8) & 0x00FF0000U) |
- ((row0 << 8) & 0xFF000000U);
- tk[1] = ((row1 >> 24) & 0x000000FFU) |
- ((row0 << 8) & 0x00FFFF00U) |
- ((row1 << 24) & 0xFF000000U);
- tk[2] = ((row3 >> 8) & 0x0000FFFFU) |
- ((row2 >> 8) & 0x00FF0000U) |
- ((row2 << 8) & 0xFF000000U);
- tk[3] = ((row3 >> 24) & 0x000000FFU) |
- ((row2 << 8) & 0x00FFFF00U) |
- ((row3 << 24) & 0xFF000000U);
-}
-
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
- memcpy(ks->TK3, key + 32, sizeof(ks->TK3));
-#else
- /* Set the initial states of TK1, TK2, and TK3 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Set up the key schedule using TK2 and TK3. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4);
-
- /* Permute TK2 and TK3 for the next round */
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
-
- /* Apply the LFSR's to TK2 and TK3 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-#endif
-}
-
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >>
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint8_t rc = 0x15;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2
+ 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Permute TK1 to fast-forward it to the end of the key schedule */
- skinny128_fast_forward_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_fast_forward_tk(TK2);
- skinny128_fast_forward_tk(TK3);
- for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2 and TK3.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- skinny128_LFSR3(TK3[2]);
- skinny128_LFSR3(TK3[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_inv_permute_tk(TK3);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
- skinny128_LFSR2(TK3[2]);
- skinny128_LFSR2(TK3[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- 
le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK3[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
- TK2[0] = le_load_word32(tk2);
- TK2[1] = le_load_word32(tk2 + 4);
- TK2[2] = le_load_word32(tk2 + 8);
- TK2[3] = le_load_word32(tk2 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK3[0] = le_load_word32(ks->TK3);
- TK3[1] = le_load_word32(ks->TK3 + 4);
- TK3[2] = le_load_word32(ks->TK3 + 8);
- TK3[3] = le_load_word32(ks->TK3 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0] ^ TK2[0];
- s1 ^= schedule[1] ^ TK1[1] ^ TK2[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB.
That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK3);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
- uint32_t TK3[4];
- uint32_t temp;
- unsigned round;
- uint8_t rc = 0;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakey */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
- TK3[0] = le_load_word32(key + 32);
- TK3[1] = le_load_word32(key + 36);
- TK3[2] = le_load_word32(key + 40);
- TK3[3] = le_load_word32(key + 44);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this
round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1, TK2, and TK3 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_permute_tk(TK3);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR3(TK3[0]);
- skinny128_LFSR3(TK3[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32])
-{
-#if !SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint32_t *schedule;
- unsigned round;
- uint8_t rc;
-#endif
-
-#if SKINNY_128_SMALL_SCHEDULE
- /* Copy the input key as-is when using the small key schedule version */
- memcpy(ks->TK1, key, sizeof(ks->TK1));
- memcpy(ks->TK2, key + 16, sizeof(ks->TK2));
-#else
- /* Set the initial states of TK1 and TK2 */
- memcpy(ks->TK1, key, 16);
- TK2[0] = le_load_word32(key + 16);
- TK2[1] = le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Set up the key schedule using TK2. TK1 is not added
- * to the key schedule because we will derive that part of the
- * schedule during encryption operations */
- schedule = ks->k;
- rc = 0;
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) {
- /* XOR the round constants with the current schedule words.
- * The round constants for the 3rd and 4th rows are
- * fixed and will be applied during encryption. */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- schedule[0] = TK2[0] ^ (rc & 0x0F);
- schedule[1] = TK2[1] ^ (rc >> 4);
-
- /* Permute TK2 for the next round */
- skinny128_permute_tk(TK2);
-
- /* Apply the LFSR to TK2 */
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-#endif
-}
-
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0;
-#else
- const uint32_t *schedule = ks->k;
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1 */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
-#endif
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
-#endif
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which
moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
-#else
- schedule += 2;
-#endif
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
-#if SKINNY_128_SMALL_SCHEDULE
- uint32_t TK2[4];
- uint8_t rc = 0x09;
-#else
- const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]);
-#endif
- uint32_t temp;
- unsigned round;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakable part of the state, TK1.
- * There is no need to fast-forward TK1 because the value at
- * the end of the key schedule is the same as at the start */
- TK1[0] = le_load_word32(ks->TK1);
- TK1[1] = le_load_word32(ks->TK1 + 4);
- TK1[2] = le_load_word32(ks->TK1 + 8);
- TK1[3] = le_load_word32(ks->TK1 + 12);
-#if SKINNY_128_SMALL_SCHEDULE
- TK2[0] = le_load_word32(ks->TK2);
- TK2[1] = le_load_word32(ks->TK2 + 4);
- TK2[2] = le_load_word32(ks->TK2 + 8);
- TK2[3] = le_load_word32(ks->TK2 + 12);
- for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) {
- // Also fast-forward the LFSR's on every byte of TK2.
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- skinny128_LFSR2(TK2[2]);
- skinny128_LFSR2(TK2[3]);
- }
-#endif
-
- /* Perform all decryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Inverse permutation on TK1 for this round */
- skinny128_inv_permute_tk(TK1);
-#if SKINNY_128_SMALL_SCHEDULE
- skinny128_inv_permute_tk(TK2);
- skinny128_LFSR3(TK2[2]);
- skinny128_LFSR3(TK2[3]);
-#endif
-
- /* Inverse mix of the columns */
- temp = s3;
- s3 = s0;
- s0 = s1;
- s1 = s2;
- s3 ^= temp;
- s2 = temp ^ s0;
- s1 ^= s2;
-
- /* Inverse shift of the rows */
- s1 = leftRotate24(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate8(s3);
-
- /* Apply the subkey for this round */
-#if SKINNY_128_SMALL_SCHEDULE
- rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20);
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
-#else
- s0 ^= schedule[0] ^ TK1[0];
- s1 ^= schedule[1] ^ TK1[1];
- schedule -= 2;
-#endif
- s2 ^= 0x02;
-
- /* Apply the inverse of the S-box to all bytes in the state */
- skinny128_inv_sbox(s0);
- skinny128_inv_sbox(s1);
- skinny128_inv_sbox(s2);
- skinny128_inv_sbox(s3);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-void skinny_128_256_encrypt_tk_full
- (const unsigned char key[32], unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t TK1[4];
- uint32_t TK2[4];
- uint32_t temp;
- unsigned round;
- uint8_t rc = 0;
-
- /* Unpack the input block into the state array */
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Make a local copy of the tweakey */
- TK1[0] = le_load_word32(key);
- TK1[1] = le_load_word32(key + 4);
- TK1[2] = le_load_word32(key + 8);
- TK1[3] = le_load_word32(key + 12);
- TK2[0] = le_load_word32(key + 16);
- TK2[1]
= le_load_word32(key + 20);
- TK2[2] = le_load_word32(key + 24);
- TK2[3] = le_load_word32(key + 28);
-
- /* Perform all encryption rounds */
- for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) {
- /* Apply the S-box to all bytes in the state */
- skinny128_sbox(s0);
- skinny128_sbox(s1);
- skinny128_sbox(s2);
- skinny128_sbox(s3);
-
- /* XOR the round constant and the subkey for this round */
- rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01;
- rc &= 0x3F;
- s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F);
- s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4);
- s2 ^= 0x02;
-
- /* Shift the cells in the rows right, which moves the cell
- * values up closer to the MSB. That is, we do a left rotate
- * on the word to rotate the cells in the word right */
- s1 = leftRotate8(s1);
- s2 = leftRotate16(s2);
- s3 = leftRotate24(s3);
-
- /* Mix the columns */
- s1 ^= s2;
- s2 ^= s0;
- temp = s3 ^ s2;
- s3 = s2;
- s2 = s1;
- s1 = s0;
- s0 = temp;
-
- /* Permute TK1 and TK2 for the next round */
- skinny128_permute_tk(TK1);
- skinny128_permute_tk(TK2);
- skinny128_LFSR2(TK2[0]);
- skinny128_LFSR2(TK2[1]);
- }
-
- /* Pack the result into the output buffer */
- le_store_word32(output, s0);
- le_store_word32(output + 4, s1);
- le_store_word32(output + 8, s2);
- le_store_word32(output + 12, s3);
-}
-
-#else /* __AVR__ */
-
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2)
-{
- memcpy(ks->TK2, tk2, 16);
- skinny_128_384_encrypt(ks, output, input);
-}
-
-#endif /* __AVR__ */
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-skinny128.h b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-skinny128.h
deleted file mode 100644
index 2bfda3c..0000000
--- a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-skinny128.h
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNY128_H
-#define LW_INTERNAL_SKINNY128_H
-
-/**
- * \file internal-skinny128.h
- * \brief SKINNY-128 block cipher family.
- *
- * References: https://eprint.iacr.org/2016/660.pdf,
- * https://sites.google.com/site/skinnycipher/
- */
-
-#include
-#include
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \def SKINNY_128_SMALL_SCHEDULE
- * \brief Defined to 1 to use the small key schedule version of SKINNY-128.
- */
-#if defined(__AVR__)
-#define SKINNY_128_SMALL_SCHEDULE 1
-#else
-#define SKINNY_128_SMALL_SCHEDULE 0
-#endif
-
-/**
- * \brief Size of a block for SKINNY-128 block ciphers.
- */
-#define SKINNY_128_BLOCK_SIZE 16
-
-/**
- * \brief Number of rounds for SKINNY-128-384.
- */
-#define SKINNY_128_384_ROUNDS 56
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-384.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-
- /** TK3 for the small key schedule */
- uint8_t TK3[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_384_ROUNDS * 2];
-#endif
-
-} skinny_128_384_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-384.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_384_init
- (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_encrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-384.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_384_decrypt
- (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly
- * provided TK2 value.
- *
- * \param ks Points to the SKINNY-128-384 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tk2 TK2 value that should be updated on the fly.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when both TK1 and TK2 change from block to block.
- * When the key is initialized with skinny_128_384_init(), the TK2 part of
- * the key value should be set to zero.
- *
- * \note Some versions of this function may modify the key schedule to
- * copy tk2 into place.
- */
-void skinny_128_384_encrypt_tk2
- (skinny_128_384_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, const unsigned char *tk2);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-384 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 384-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-384 but
- * more memory-efficient.
- */
-void skinny_128_384_encrypt_tk_full
- (const unsigned char key[48], unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Number of rounds for SKINNY-128-256.
- */
-#define SKINNY_128_256_ROUNDS 48
-
-/**
- * \brief Structure of the key schedule for SKINNY-128-256.
- */
-typedef struct
-{
- /** TK1 for the tweakable part of the key schedule */
- uint8_t TK1[16];
-
-#if SKINNY_128_SMALL_SCHEDULE
- /** TK2 for the small key schedule */
- uint8_t TK2[16];
-#else
- /** Words of the full key schedule */
- uint32_t k[SKINNY_128_256_ROUNDS * 2];
-#endif
-
-} skinny_128_256_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for SKINNY-128-256.
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- */
-void skinny_128_256_init
- (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_encrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with SKINNY-128-256.
- *
- * \param ks Points to the SKINNY-128-256 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void skinny_128_256_decrypt
- (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with SKINNY-128-256 and a
- * fully specified tweakey value.
- *
- * \param key Points to the 256-bit tweakey value.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version is useful when the entire tweakey changes from block to
- * block. It is slower than the other versions of SKINNY-128-256 but
- * more memory-efficient.
- */
-void skinny_128_256_encrypt_tk_full
- (const unsigned char key[32], unsigned char *output,
- const unsigned char *input);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-skinnyutil.h b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-skinnyutil.h
deleted file mode 100644
index 83136cb..0000000
--- a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-skinnyutil.h
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SKINNYUTIL_H
-#define LW_INTERNAL_SKINNYUTIL_H
-
-/**
- * \file internal-skinnyutil.h
- * \brief Utilities to help implement SKINNY and its variants.
- */
-
-#include "internal-util.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/** @cond skinnyutil */
-
-/* Utilities for implementing SKINNY-128 */
-
-#define skinny128_LFSR2(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \
- (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \
- } while (0)
-
-
-#define skinny128_LFSR3(x) \
- do { \
- uint32_t _x = (x); \
- (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \
- (((_x << 7) ^ (_x << 1)) & 0x80808080U); \
- } while (0)
-
-/* LFSR2 and LFSR3 are inverses of each other */
-#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x)
-#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x)
-
-#define skinny128_permute_tk(tk) \
- do { \
- /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \
- uint32_t row2 = tk[2]; \
- uint32_t row3 = tk[3]; \
- tk[2] = tk[0]; \
- tk[3] = tk[1]; \
- row3 = (row3 << 16) | (row3 >> 16); \
- tk[0] = ((row2 >> 8) & 0x000000FFU) | \
- ((row2 << 16) & 0x00FF0000U) | \
- ( row3 & 0xFF00FF00U); \
- tk[1] = ((row2 >> 16) & 0x000000FFU) | \
- (row2 & 0xFF000000U) | \
- ((row3 << 8) & 0x0000FF00U) | \
- ( row3 & 0x00FF0000U); \
- } while (0)
-
-#define skinny128_inv_permute_tk(tk) \
- do { \
- /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \
- uint32_t row0 = tk[0]; \
- uint32_t row1 = tk[1]; \
- tk[0] = tk[2]; \
- tk[1] = tk[3]; \
- tk[2] = ((row0 >> 16) & 0x000000FFU) | \
- ((row0 << 8) & 0x0000FF00U) | \
- ((row1 << 16) & 0x00FF0000U) | \
- ( row1 & 0xFF000000U); \
- tk[3] = ((row0 >> 16) & 0x0000FF00U) | \
- ((row0 << 16) & 0xFF000000U) | \
- ((row1 >> 16) & 0x000000FFU) | \
- ((row1 << 8) & 0x00FF0000U); \
- } while (0)
-
-/*
- * Apply the SKINNY sbox.
The original version from the specification is - * equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE(x) - * ((((x) & 0x01010101U) << 2) | - * (((x) & 0x06060606U) << 5) | - * (((x) & 0x20202020U) >> 5) | - * (((x) & 0xC8C8C8C8U) >> 2) | - * (((x) & 0x10101010U) >> 1)) - * - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE(x); - * x = SBOX_MIX(x); - * return SBOX_SWAP(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ - y = (((x >> 5) & (x << 1)) & 0x04040404U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ - x = ((x & 0x08080808U) << 1) | \ - ((x & 0x32323232U) << 2) | \ - ((x & 0x01010101U) << 5) | \ - ((x & 0x80808080U) >> 6) | \ - ((x & 0x40404040U) >> 4) | \ - ((x & 0x04040404U) >> 2); \ -} while (0) - -/* - * Apply the inverse of the SKINNY sbox. 
The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) - * #define SBOX_SWAP(x) - * (((x) & 0xF9F9F9F9U) | - * (((x) >> 1) & 0x02020202U) | - * (((x) << 1) & 0x04040404U)) - * #define SBOX_PERMUTE_INV(x) - * ((((x) & 0x08080808U) << 1) | - * (((x) & 0x32323232U) << 2) | - * (((x) & 0x01010101U) << 5) | - * (((x) & 0xC0C0C0C0U) >> 5) | - * (((x) & 0x04040404U) >> 2)) - * - * x = SBOX_SWAP(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * x = SBOX_MIX(x); - * x = SBOX_PERMUTE_INV(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one - * final permuatation. This reduces the number of shift operations. - */ -#define skinny128_inv_sbox(x) \ -do { \ - uint32_t y; \ - \ - /* Mix the bits */ \ - x = ~x; \ - y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ - x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ - y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ - x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ - y = (((x << 2) & (x << 1)) & 0x80808080U); \ - x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ - y = (((x << 5) & (x << 1)) & 0x20202020U); \ - x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ - x = ~x; \ - \ - /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ - /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ - x = ((x & 0x01010101U) << 2) | \ - ((x & 0x04040404U) << 4) | \ - ((x & 0x02020202U) << 6) | \ - ((x & 0x20202020U) >> 5) | \ - ((x & 0xC8C8C8C8U) >> 2) | \ - ((x & 0x10101010U) >> 1); \ -} while (0) - -/* Utilities for implementing SKINNY-64 */ - -#define skinny64_LFSR2(x) \ - do { \ - uint16_t _x = (x); \ - (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ - } while (0) - -#define skinny64_LFSR3(x) \ - do { \ - uint16_t _x = (x); 
\ - (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ - } while (0) - -/* LFSR2 and LFSR3 are inverses of each other */ -#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) -#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) - -#define skinny64_permute_tk(tk) \ - do { \ - /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ - uint16_t row2 = tk[2]; \ - uint16_t row3 = tk[3]; \ - tk[2] = tk[0]; \ - tk[3] = tk[1]; \ - row3 = (row3 << 8) | (row3 >> 8); \ - tk[0] = ((row2 << 4) & 0xF000U) | \ - ((row2 >> 8) & 0x00F0U) | \ - ( row3 & 0x0F0FU); \ - tk[1] = ((row2 << 8) & 0xF000U) | \ - ((row3 >> 4) & 0x0F00U) | \ - ( row3 & 0x00F0U) | \ - ( row2 & 0x000FU); \ - } while (0) - -#define skinny64_inv_permute_tk(tk) \ - do { \ - /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ - uint16_t row0 = tk[0]; \ - uint16_t row1 = tk[1]; \ - tk[0] = tk[2]; \ - tk[1] = tk[3]; \ - tk[2] = ((row0 << 8) & 0xF000U) | \ - ((row0 >> 4) & 0x0F00U) | \ - ((row1 >> 8) & 0x00F0U) | \ - ( row1 & 0x000FU); \ - tk[3] = ((row1 << 8) & 0xF000U) | \ - ((row0 << 8) & 0x0F00U) | \ - ((row1 >> 4) & 0x00F0U) | \ - ((row0 >> 8) & 0x000FU); \ - } while (0) - -/* - * Apply the SKINNY-64 sbox. The original version from the - * specification is equivalent to: - * - * #define SBOX_MIX(x) - * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) - * #define SBOX_SHIFT(x) - * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) - * - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * x = SBOX_MIX(x); - * x = SBOX_SHIFT(x); - * return SBOX_MIX(x); - * - * However, we can mix the bits in their original positions and then - * delay the SBOX_SHIFT steps to be performed with one final rotation. - * This reduces the number of required shift operations from 14 to 10. 
- *
- * We can further reduce the number of NOT operations from 4 to 2
- * using the technique from https://github.com/kste/skinny_avx to
- * convert NOR-XOR operations into AND-XOR operations by converting
- * the S-box into its NOT-inverse.
- */
-#define skinny64_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \
- x = ~x; \
- x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \
-} while (0)
-
-/*
- * Apply the inverse of the SKINNY-64 sbox. The original version
- * from the specification is equivalent to:
- *
- * #define SBOX_MIX(x)
- * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x))
- * #define SBOX_SHIFT_INV(x)
- * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U))
- *
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * x = SBOX_MIX(x);
- * x = SBOX_SHIFT_INV(x);
- * return SBOX_MIX(x);
- */
-#define skinny64_inv_sbox(x) \
-do { \
- x = ~x; \
- x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \
- x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \
- x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \
- x = ~x; \
- x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \
-} while (0)
-
-/** @endcond */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-util.h b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a)
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) |
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/skinny-hash.c b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/skinny-hash.c
deleted file mode 100644
index 0abdeff..0000000
--- a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/skinny-hash.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "skinny-hash.h"
-#include "internal-skinny128.h"
-#include "internal-util.h"
-#include
-
-aead_hash_algorithm_t const skinny_tk3_hash_algorithm = {
- "SKINNY-tk3-HASH",
- sizeof(int),
- SKINNY_HASH_SIZE,
- AEAD_FLAG_NONE,
- skinny_tk3_hash,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const skinny_tk2_hash_algorithm = {
- "SKINNY-tk2-HASH",
- sizeof(int),
- SKINNY_HASH_SIZE,
- AEAD_FLAG_NONE,
- skinny_tk2_hash,
- (aead_hash_init_t)0,
- (aead_hash_update_t)0,
- (aead_hash_finalize_t)0,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \brief Size of the permutation state for SKINNY-tk3-HASH.
- */
-#define SKINNY_TK3_STATE_SIZE 48
-
-/**
- * \brief Size of the permutation state for SKINNY-tk2-HASH.
- */
-#define SKINNY_TK2_STATE_SIZE 32
-
-/**
- * \brief Rate of absorbing data for SKINNY-tk3-HASH.
- */
-#define SKINNY_TK3_HASH_RATE 16
-
-/**
- * \brief Rate of absorbing data for SKINNY-tk2-HASH.
- */
-#define SKINNY_TK2_HASH_RATE 4
-
-/**
- * \brief Input block that is encrypted with the state for each
- * block permutation of SKINNY-tk3-HASH or SKINNY-tk2-HASH.
- */
-static unsigned char const skinny_hash_block[48] = {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-/**
- * \brief Permutes the internal state for SKINNY-tk3-HASH.
- *
- * \param state The state to be permuted.
- */
-static void skinny_tk3_permute(unsigned char state[SKINNY_TK3_STATE_SIZE])
-{
- unsigned char temp[SKINNY_TK3_STATE_SIZE];
- skinny_128_384_encrypt_tk_full(state, temp, skinny_hash_block);
- skinny_128_384_encrypt_tk_full(state, temp + 16, skinny_hash_block + 16);
- skinny_128_384_encrypt_tk_full(state, temp + 32, skinny_hash_block + 32);
- memcpy(state, temp, SKINNY_TK3_STATE_SIZE);
-}
-
-/**
- * \brief Permutes the internal state for SKINNY-tk2-HASH.
- *
- * \param state The state to be permuted.
- */
-static void skinny_tk2_permute(unsigned char state[SKINNY_TK2_STATE_SIZE])
-{
- unsigned char temp[SKINNY_TK2_STATE_SIZE];
- skinny_128_256_encrypt_tk_full(state, temp, skinny_hash_block);
- skinny_128_256_encrypt_tk_full(state, temp + 16, skinny_hash_block + 16);
- memcpy(state, temp, SKINNY_TK2_STATE_SIZE);
-}
-
-int skinny_tk3_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- unsigned char state[SKINNY_TK3_STATE_SIZE];
- unsigned temp;
-
- /* Initialize the hash state */
- memset(state, 0, sizeof(state));
- state[SKINNY_TK3_HASH_RATE] = 0x80;
-
- /* Process as many full blocks as possible */
- while (inlen >= SKINNY_TK3_HASH_RATE) {
- lw_xor_block(state, in, SKINNY_TK3_HASH_RATE);
- skinny_tk3_permute(state);
- in += SKINNY_TK3_HASH_RATE;
- inlen -= SKINNY_TK3_HASH_RATE;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)inlen;
- lw_xor_block(state, in, temp);
- state[temp] ^= 0x80; /* padding */
- skinny_tk3_permute(state);
-
- /* Generate the hash output */
- memcpy(out, state, 16);
- skinny_tk3_permute(state);
- memcpy(out + 16, state, 16);
- return 0;
-}
-
-int skinny_tk2_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- unsigned char state[SKINNY_TK2_STATE_SIZE];
- unsigned temp;
-
- /* Initialize the hash state */
- memset(state, 0, sizeof(state));
- state[SKINNY_TK2_HASH_RATE] = 0x80;
-
- /* Process as many full blocks as possible */
- while (inlen >= SKINNY_TK2_HASH_RATE) {
- lw_xor_block(state, in, SKINNY_TK2_HASH_RATE);
- skinny_tk2_permute(state);
- in += SKINNY_TK2_HASH_RATE;
- inlen -= SKINNY_TK2_HASH_RATE;
- }
-
- /* Pad and process the last block */
- temp = (unsigned)inlen;
- lw_xor_block(state, in, temp);
- state[temp] ^= 0x80; /* padding */
- skinny_tk2_permute(state);
-
- /* Generate the hash output */
- memcpy(out, state, 16);
- skinny_tk2_permute(state);
- memcpy(out + 16, state, 16);
- return 0;
-}
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/skinny-hash.h b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/skinny-hash.h
deleted file mode 100644
index f75ce9f..0000000
--- a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/skinny-hash.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SKINNY_HASH_H
-#define LWCRYPTO_SKINNY_HASH_H
-
-#include "aead-common.h"
-
-/**
- * \file skinny-hash.h
- * \brief Hash algorithms based on the SKINNY block cipher.
- *
- * The SKINNY-AEAD family includes two hash algorithms:
- *
- * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the
- * SKINNY-128-384 tweakable block cipher. This is the primary hashing
- * member of the family.
- * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the
- * SKINNY-128-256 tweakable block cipher.
- *
- * References: https://sites.google.com/site/skinnycipher/home
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the hash output for SKINNY-tk3-HASH and SKINNY-tk2-HASH.
- */
-#define SKINNY_HASH_SIZE 32
-
-/**
- * \brief Meta-information block for the SKINNY-tk3-HASH algorithm.
- */
-extern aead_hash_algorithm_t const skinny_tk3_hash_algorithm;
-
-/**
- * \brief Meta-information block for the SKINNY-tk2-HASH algorithm.
- */
-extern aead_hash_algorithm_t const skinny_tk2_hash_algorithm;
-
-/**
- * \brief Hashes a block of input data with SKINNY-tk3-HASH to
- * generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * SKINNY_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int skinny_tk3_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Hashes a block of input data with SKINNY-tk2-HASH to
- * generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * SKINNY_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int skinny_tk2_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/aead-common.c b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/aead-common.c
similarity index 100%
rename from estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/aead-common.c
rename to skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/aead-common.c
diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/aead-common.h b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/aead-common.h
similarity index 100%
rename from estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/aead-common.h
rename to skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/aead-common.h
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/api.h b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/api.h
new file mode 100644
index 0000000..ae8c7f6
--- /dev/null
+++ b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/api.h
@@ -0,0 +1 @@
+#define CRYPTO_BYTES 32
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/hash.c b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/hash.c
similarity index 100%
rename from skinny/Implementations/crypto_hash/skinnyhashtk3/rhys-avr/hash.c
rename to skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/hash.c
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-skinny128-avr.S b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-skinny128-avr.S
new file mode 100644
index 0000000..d342cd5
--- /dev/null
+++ b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-skinny128-avr.S
@@ -0,0 +1,10099 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 256 +table_0: + .byte 101 + .byte 76 + .byte 106 + .byte 66 + .byte 75 + .byte 99 + .byte 67 + .byte 107 + .byte 85 + .byte 117 + .byte 90 + .byte 122 + .byte 83 + .byte 115 + .byte 91 + .byte 123 + .byte 53 + .byte 140 + .byte 58 + .byte 129 + .byte 137 + .byte 51 + .byte 128 + .byte 59 + .byte 149 + .byte 37 + .byte 152 + .byte 42 + .byte 144 + .byte 35 + .byte 153 + .byte 43 + .byte 229 + .byte 204 + .byte 232 + .byte 193 + .byte 201 + .byte 224 + .byte 192 + .byte 233 + .byte 213 + .byte 245 + .byte 216 + .byte 248 + .byte 208 + .byte 240 + .byte 217 + .byte 249 + .byte 165 + .byte 28 + .byte 168 + .byte 18 + .byte 27 + .byte 160 + .byte 19 + .byte 169 + .byte 5 + .byte 181 + .byte 10 + .byte 184 + .byte 3 + .byte 176 + .byte 11 + .byte 185 + .byte 50 + .byte 136 + .byte 60 + .byte 133 + .byte 141 + .byte 52 + .byte 132 + .byte 61 + .byte 145 + .byte 34 + .byte 156 + .byte 44 + .byte 148 + .byte 36 + .byte 157 + .byte 45 + .byte 98 + .byte 74 + .byte 108 + .byte 69 + .byte 77 + .byte 100 + .byte 68 + .byte 109 + .byte 82 + .byte 114 + .byte 92 + .byte 124 + .byte 84 + .byte 116 + .byte 93 + .byte 125 + .byte 161 + .byte 26 + .byte 172 + .byte 21 + .byte 29 + .byte 164 + .byte 20 + .byte 173 + .byte 2 + .byte 177 + .byte 12 + .byte 188 + .byte 4 + .byte 180 + .byte 13 + .byte 189 + .byte 225 + .byte 200 + .byte 236 + .byte 197 + .byte 205 + .byte 228 + .byte 196 + .byte 237 + .byte 209 + .byte 241 + .byte 220 + .byte 252 + .byte 212 + .byte 244 + .byte 221 + .byte 253 + .byte 54 + .byte 142 + .byte 56 + .byte 130 + .byte 139 + .byte 48 + .byte 131 + .byte 57 + .byte 150 + .byte 38 + .byte 154 + .byte 40 + .byte 147 + .byte 32 + .byte 155 + .byte 41 + .byte 102 + .byte 78 + .byte 104 + .byte 65 + .byte 73 + .byte 96 + .byte 64 + .byte 105 + .byte 86 + .byte 118 + .byte 88 + 
.byte 120 + .byte 80 + .byte 112 + .byte 89 + .byte 121 + .byte 166 + .byte 30 + .byte 170 + .byte 17 + .byte 25 + .byte 163 + .byte 16 + .byte 171 + .byte 6 + .byte 182 + .byte 8 + .byte 186 + .byte 0 + .byte 179 + .byte 9 + .byte 187 + .byte 230 + .byte 206 + .byte 234 + .byte 194 + .byte 203 + .byte 227 + .byte 195 + .byte 235 + .byte 214 + .byte 246 + .byte 218 + .byte 250 + .byte 211 + .byte 243 + .byte 219 + .byte 251 + .byte 49 + .byte 138 + .byte 62 + .byte 134 + .byte 143 + .byte 55 + .byte 135 + .byte 63 + .byte 146 + .byte 33 + .byte 158 + .byte 46 + .byte 151 + .byte 39 + .byte 159 + .byte 47 + .byte 97 + .byte 72 + .byte 110 + .byte 70 + .byte 79 + .byte 103 + .byte 71 + .byte 111 + .byte 81 + .byte 113 + .byte 94 + .byte 126 + .byte 87 + .byte 119 + .byte 95 + .byte 127 + .byte 162 + .byte 24 + .byte 174 + .byte 22 + .byte 31 + .byte 167 + .byte 23 + .byte 175 + .byte 1 + .byte 178 + .byte 14 + .byte 190 + .byte 7 + .byte 183 + .byte 15 + .byte 191 + .byte 226 + .byte 202 + .byte 238 + .byte 198 + .byte 207 + .byte 231 + .byte 199 + .byte 239 + .byte 210 + .byte 242 + .byte 222 + .byte 254 + .byte 215 + .byte 247 + .byte 223 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 256 +table_1: + .byte 172 + .byte 232 + .byte 104 + .byte 60 + .byte 108 + .byte 56 + .byte 168 + .byte 236 + .byte 170 + .byte 174 + .byte 58 + .byte 62 + .byte 106 + .byte 110 + .byte 234 + .byte 238 + .byte 166 + .byte 163 + .byte 51 + .byte 54 + .byte 102 + .byte 99 + .byte 227 + .byte 230 + .byte 225 + .byte 164 + .byte 97 + .byte 52 + .byte 49 + .byte 100 + .byte 161 + .byte 228 + .byte 141 + .byte 201 + .byte 73 + .byte 29 + .byte 77 + .byte 25 + .byte 137 + .byte 205 + .byte 139 + .byte 143 + .byte 27 + .byte 31 + .byte 75 + .byte 79 + .byte 203 + .byte 207 + .byte 133 + .byte 192 + .byte 64 + .byte 21 + .byte 69 + .byte 16 + .byte 128 + .byte 197 + .byte 130 + .byte 135 + .byte 18 + .byte 23 + .byte 66 + .byte 71 + 
.byte 194 + .byte 199 + .byte 150 + .byte 147 + .byte 3 + .byte 6 + .byte 86 + .byte 83 + .byte 211 + .byte 214 + .byte 209 + .byte 148 + .byte 81 + .byte 4 + .byte 1 + .byte 84 + .byte 145 + .byte 212 + .byte 156 + .byte 216 + .byte 88 + .byte 12 + .byte 92 + .byte 8 + .byte 152 + .byte 220 + .byte 154 + .byte 158 + .byte 10 + .byte 14 + .byte 90 + .byte 94 + .byte 218 + .byte 222 + .byte 149 + .byte 208 + .byte 80 + .byte 5 + .byte 85 + .byte 0 + .byte 144 + .byte 213 + .byte 146 + .byte 151 + .byte 2 + .byte 7 + .byte 82 + .byte 87 + .byte 210 + .byte 215 + .byte 157 + .byte 217 + .byte 89 + .byte 13 + .byte 93 + .byte 9 + .byte 153 + .byte 221 + .byte 155 + .byte 159 + .byte 11 + .byte 15 + .byte 91 + .byte 95 + .byte 219 + .byte 223 + .byte 22 + .byte 19 + .byte 131 + .byte 134 + .byte 70 + .byte 67 + .byte 195 + .byte 198 + .byte 65 + .byte 20 + .byte 193 + .byte 132 + .byte 17 + .byte 68 + .byte 129 + .byte 196 + .byte 28 + .byte 72 + .byte 200 + .byte 140 + .byte 76 + .byte 24 + .byte 136 + .byte 204 + .byte 26 + .byte 30 + .byte 138 + .byte 142 + .byte 74 + .byte 78 + .byte 202 + .byte 206 + .byte 53 + .byte 96 + .byte 224 + .byte 165 + .byte 101 + .byte 48 + .byte 160 + .byte 229 + .byte 50 + .byte 55 + .byte 162 + .byte 167 + .byte 98 + .byte 103 + .byte 226 + .byte 231 + .byte 61 + .byte 105 + .byte 233 + .byte 173 + .byte 109 + .byte 57 + .byte 169 + .byte 237 + .byte 59 + .byte 63 + .byte 171 + .byte 175 + .byte 107 + .byte 111 + .byte 235 + .byte 239 + .byte 38 + .byte 35 + .byte 179 + .byte 182 + .byte 118 + .byte 115 + .byte 243 + .byte 246 + .byte 113 + .byte 36 + .byte 241 + .byte 180 + .byte 33 + .byte 116 + .byte 177 + .byte 244 + .byte 44 + .byte 120 + .byte 248 + .byte 188 + .byte 124 + .byte 40 + .byte 184 + .byte 252 + .byte 42 + .byte 46 + .byte 186 + .byte 190 + .byte 122 + .byte 126 + .byte 250 + .byte 254 + .byte 37 + .byte 112 + .byte 240 + .byte 181 + .byte 117 + .byte 32 + .byte 176 + .byte 245 + .byte 34 + .byte 39 + .byte 178 + 
.byte 183 + .byte 114 + .byte 119 + .byte 242 + .byte 247 + .byte 45 + .byte 121 + .byte 249 + .byte 189 + .byte 125 + .byte 41 + .byte 185 + .byte 253 + .byte 43 + .byte 47 + .byte 187 + .byte 191 + .byte 123 + .byte 127 + .byte 251 + .byte 255 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_2, @object + .size table_2, 256 +table_2: + .byte 0 + .byte 2 + .byte 4 + .byte 6 + .byte 8 + .byte 10 + .byte 12 + .byte 14 + .byte 16 + .byte 18 + .byte 20 + .byte 22 + .byte 24 + .byte 26 + .byte 28 + .byte 30 + .byte 32 + .byte 34 + .byte 36 + .byte 38 + .byte 40 + .byte 42 + .byte 44 + .byte 46 + .byte 48 + .byte 50 + .byte 52 + .byte 54 + .byte 56 + .byte 58 + .byte 60 + .byte 62 + .byte 65 + .byte 67 + .byte 69 + .byte 71 + .byte 73 + .byte 75 + .byte 77 + .byte 79 + .byte 81 + .byte 83 + .byte 85 + .byte 87 + .byte 89 + .byte 91 + .byte 93 + .byte 95 + .byte 97 + .byte 99 + .byte 101 + .byte 103 + .byte 105 + .byte 107 + .byte 109 + .byte 111 + .byte 113 + .byte 115 + .byte 117 + .byte 119 + .byte 121 + .byte 123 + .byte 125 + .byte 127 + .byte 128 + .byte 130 + .byte 132 + .byte 134 + .byte 136 + .byte 138 + .byte 140 + .byte 142 + .byte 144 + .byte 146 + .byte 148 + .byte 150 + .byte 152 + .byte 154 + .byte 156 + .byte 158 + .byte 160 + .byte 162 + .byte 164 + .byte 166 + .byte 168 + .byte 170 + .byte 172 + .byte 174 + .byte 176 + .byte 178 + .byte 180 + .byte 182 + .byte 184 + .byte 186 + .byte 188 + .byte 190 + .byte 193 + .byte 195 + .byte 197 + .byte 199 + .byte 201 + .byte 203 + .byte 205 + .byte 207 + .byte 209 + .byte 211 + .byte 213 + .byte 215 + .byte 217 + .byte 219 + .byte 221 + .byte 223 + .byte 225 + .byte 227 + .byte 229 + .byte 231 + .byte 233 + .byte 235 + .byte 237 + .byte 239 + .byte 241 + .byte 243 + .byte 245 + .byte 247 + .byte 249 + .byte 251 + .byte 253 + .byte 255 + .byte 1 + .byte 3 + .byte 5 + .byte 7 + .byte 9 + .byte 11 + .byte 13 + .byte 15 + .byte 17 + .byte 19 + .byte 21 + .byte 23 + .byte 25 + .byte 27 + .byte 29 + 
.byte 31 + .byte 33 + .byte 35 + .byte 37 + .byte 39 + .byte 41 + .byte 43 + .byte 45 + .byte 47 + .byte 49 + .byte 51 + .byte 53 + .byte 55 + .byte 57 + .byte 59 + .byte 61 + .byte 63 + .byte 64 + .byte 66 + .byte 68 + .byte 70 + .byte 72 + .byte 74 + .byte 76 + .byte 78 + .byte 80 + .byte 82 + .byte 84 + .byte 86 + .byte 88 + .byte 90 + .byte 92 + .byte 94 + .byte 96 + .byte 98 + .byte 100 + .byte 102 + .byte 104 + .byte 106 + .byte 108 + .byte 110 + .byte 112 + .byte 114 + .byte 116 + .byte 118 + .byte 120 + .byte 122 + .byte 124 + .byte 126 + .byte 129 + .byte 131 + .byte 133 + .byte 135 + .byte 137 + .byte 139 + .byte 141 + .byte 143 + .byte 145 + .byte 147 + .byte 149 + .byte 151 + .byte 153 + .byte 155 + .byte 157 + .byte 159 + .byte 161 + .byte 163 + .byte 165 + .byte 167 + .byte 169 + .byte 171 + .byte 173 + .byte 175 + .byte 177 + .byte 179 + .byte 181 + .byte 183 + .byte 185 + .byte 187 + .byte 189 + .byte 191 + .byte 192 + .byte 194 + .byte 196 + .byte 198 + .byte 200 + .byte 202 + .byte 204 + .byte 206 + .byte 208 + .byte 210 + .byte 212 + .byte 214 + .byte 216 + .byte 218 + .byte 220 + .byte 222 + .byte 224 + .byte 226 + .byte 228 + .byte 230 + .byte 232 + .byte 234 + .byte 236 + .byte 238 + .byte 240 + .byte 242 + .byte 244 + .byte 246 + .byte 248 + .byte 250 + .byte 252 + .byte 254 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_3, @object + .size table_3, 256 +table_3: + .byte 0 + .byte 128 + .byte 1 + .byte 129 + .byte 2 + .byte 130 + .byte 3 + .byte 131 + .byte 4 + .byte 132 + .byte 5 + .byte 133 + .byte 6 + .byte 134 + .byte 7 + .byte 135 + .byte 8 + .byte 136 + .byte 9 + .byte 137 + .byte 10 + .byte 138 + .byte 11 + .byte 139 + .byte 12 + .byte 140 + .byte 13 + .byte 141 + .byte 14 + .byte 142 + .byte 15 + .byte 143 + .byte 16 + .byte 144 + .byte 17 + .byte 145 + .byte 18 + .byte 146 + .byte 19 + .byte 147 + .byte 20 + .byte 148 + .byte 21 + .byte 149 + .byte 22 + .byte 150 + .byte 23 + .byte 151 + .byte 24 + .byte 152 + 
.byte 25 + .byte 153 + .byte 26 + .byte 154 + .byte 27 + .byte 155 + .byte 28 + .byte 156 + .byte 29 + .byte 157 + .byte 30 + .byte 158 + .byte 31 + .byte 159 + .byte 160 + .byte 32 + .byte 161 + .byte 33 + .byte 162 + .byte 34 + .byte 163 + .byte 35 + .byte 164 + .byte 36 + .byte 165 + .byte 37 + .byte 166 + .byte 38 + .byte 167 + .byte 39 + .byte 168 + .byte 40 + .byte 169 + .byte 41 + .byte 170 + .byte 42 + .byte 171 + .byte 43 + .byte 172 + .byte 44 + .byte 173 + .byte 45 + .byte 174 + .byte 46 + .byte 175 + .byte 47 + .byte 176 + .byte 48 + .byte 177 + .byte 49 + .byte 178 + .byte 50 + .byte 179 + .byte 51 + .byte 180 + .byte 52 + .byte 181 + .byte 53 + .byte 182 + .byte 54 + .byte 183 + .byte 55 + .byte 184 + .byte 56 + .byte 185 + .byte 57 + .byte 186 + .byte 58 + .byte 187 + .byte 59 + .byte 188 + .byte 60 + .byte 189 + .byte 61 + .byte 190 + .byte 62 + .byte 191 + .byte 63 + .byte 64 + .byte 192 + .byte 65 + .byte 193 + .byte 66 + .byte 194 + .byte 67 + .byte 195 + .byte 68 + .byte 196 + .byte 69 + .byte 197 + .byte 70 + .byte 198 + .byte 71 + .byte 199 + .byte 72 + .byte 200 + .byte 73 + .byte 201 + .byte 74 + .byte 202 + .byte 75 + .byte 203 + .byte 76 + .byte 204 + .byte 77 + .byte 205 + .byte 78 + .byte 206 + .byte 79 + .byte 207 + .byte 80 + .byte 208 + .byte 81 + .byte 209 + .byte 82 + .byte 210 + .byte 83 + .byte 211 + .byte 84 + .byte 212 + .byte 85 + .byte 213 + .byte 86 + .byte 214 + .byte 87 + .byte 215 + .byte 88 + .byte 216 + .byte 89 + .byte 217 + .byte 90 + .byte 218 + .byte 91 + .byte 219 + .byte 92 + .byte 220 + .byte 93 + .byte 221 + .byte 94 + .byte 222 + .byte 95 + .byte 223 + .byte 224 + .byte 96 + .byte 225 + .byte 97 + .byte 226 + .byte 98 + .byte 227 + .byte 99 + .byte 228 + .byte 100 + .byte 229 + .byte 101 + .byte 230 + .byte 102 + .byte 231 + .byte 103 + .byte 232 + .byte 104 + .byte 233 + .byte 105 + .byte 234 + .byte 106 + .byte 235 + .byte 107 + .byte 236 + .byte 108 + .byte 237 + .byte 109 + .byte 238 + .byte 110 + .byte 239 
+ .byte 111 + .byte 240 + .byte 112 + .byte 241 + .byte 113 + .byte 242 + .byte 114 + .byte 243 + .byte 115 + .byte 244 + .byte 116 + .byte 245 + .byte 117 + .byte 246 + .byte 118 + .byte 247 + .byte 119 + .byte 248 + .byte 120 + .byte 249 + .byte 121 + .byte 250 + .byte 122 + .byte 251 + .byte 123 + .byte 252 + .byte 124 + .byte 253 + .byte 125 + .byte 254 + .byte 126 + .byte 255 + .byte 127 + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_4, @object + .size table_4, 112 +table_4: + .byte 1 + .byte 0 + .byte 3 + .byte 0 + .byte 7 + .byte 0 + .byte 15 + .byte 0 + .byte 15 + .byte 1 + .byte 14 + .byte 3 + .byte 13 + .byte 3 + .byte 11 + .byte 3 + .byte 7 + .byte 3 + .byte 15 + .byte 2 + .byte 14 + .byte 1 + .byte 12 + .byte 3 + .byte 9 + .byte 3 + .byte 3 + .byte 3 + .byte 7 + .byte 2 + .byte 14 + .byte 0 + .byte 13 + .byte 1 + .byte 10 + .byte 3 + .byte 5 + .byte 3 + .byte 11 + .byte 2 + .byte 6 + .byte 1 + .byte 12 + .byte 2 + .byte 8 + .byte 1 + .byte 0 + .byte 3 + .byte 1 + .byte 2 + .byte 2 + .byte 0 + .byte 5 + .byte 0 + .byte 11 + .byte 0 + .byte 7 + .byte 1 + .byte 14 + .byte 2 + .byte 12 + .byte 1 + .byte 8 + .byte 3 + .byte 1 + .byte 3 + .byte 3 + .byte 2 + .byte 6 + .byte 0 + .byte 13 + .byte 0 + .byte 11 + .byte 1 + .byte 6 + .byte 3 + .byte 13 + .byte 2 + .byte 10 + .byte 1 + .byte 4 + .byte 3 + .byte 9 + .byte 2 + .byte 2 + .byte 1 + .byte 4 + .byte 2 + .byte 8 + .byte 0 + .byte 1 + .byte 1 + .byte 2 + .byte 2 + .byte 4 + .byte 0 + .byte 9 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 2 + .byte 12 + .byte 0 + .byte 9 + .byte 1 + .byte 2 + .byte 3 + .byte 5 + .byte 2 + .byte 10 + .byte 0 + + .text +.global skinny_128_384_init + .type skinny_128_384_init, @function +skinny_128_384_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,12 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_384_init, .-skinny_128_384_init + + .text 
+.global skinny_128_384_encrypt + .type skinny_128_384_encrypt, @function +skinny_128_384_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + std Y+33,r18 + std Y+34,r19 + std Y+35,r20 + std Y+36,r21 + ldd r18,Z+36 + ldd r19,Z+37 + ldd r20,Z+38 + ldd r21,Z+39 + std Y+37,r18 + std Y+38,r19 + std Y+39,r20 + std Y+40,r21 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + std Y+41,r18 + std Y+42,r19 + std Y+43,r20 + std Y+44,r21 + ldd r18,Z+44 + ldd r19,Z+45 + ldd r20,Z+46 + ldd r21,Z+47 + std Y+45,r18 + std Y+46,r19 + std Y+47,r20 + std Y+48,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld 
r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +114: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z 
+#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + 
eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z 
+#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std 
Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + 
mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor 
r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 
+#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + 
ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + ldd r0,Y+40 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov 
r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r13 + std Y+42,r17 + std Y+43,r12 + std Y+44,r25 + std Y+45,r14 + std Y+46,r16 + std Y+47,r24 + std Y+48,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if 
defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld 
r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov 
r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,112 + brne 5721f + rjmp 790f +5721: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + 
lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r13 + std Y+34,r17 + std Y+35,r12 + std Y+36,r25 + std Y+37,r14 + std Y+38,r16 + std Y+39,r24 + std Y+40,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + 
out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 114b +790: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_encrypt, .-skinny_128_384_encrypt + +.global skinny_128_384_encrypt_tk_full + .set skinny_128_384_encrypt_tk_full,skinny_128_384_encrypt + + .text +.global skinny_128_384_decrypt + .type skinny_128_384_decrypt, @function +skinny_128_384_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,48 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 68 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r23 + std Y+2,r2 + std Y+3,r21 + std Y+4,r20 + std Y+5,r3 + std Y+6,r18 + std Y+7,r19 + std Y+8,r22 + std Y+9,r9 + std Y+10,r10 + std Y+11,r7 + std Y+12,r6 + std Y+13,r11 + std Y+14,r4 + std Y+15,r5 + std Y+16,r8 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r23 + std Y+18,r2 + std Y+19,r21 + std Y+20,r20 + std Y+21,r3 + std Y+22,r18 + std 
Y+23,r19 + std Y+24,r22 + std Y+25,r9 + std Y+26,r10 + std Y+27,r7 + std Y+28,r6 + std Y+29,r11 + std Y+30,r4 + std Y+31,r5 + std Y+32,r8 + ldd r18,Z+32 + ldd r19,Z+33 + ldd r20,Z+34 + ldd r21,Z+35 + ldd r22,Z+36 + ldd r23,Z+37 + ldd r2,Z+38 + ldd r3,Z+39 + ldd r4,Z+40 + ldd r5,Z+41 + ldd r6,Z+42 + ldd r7,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + std Y+33,r23 + std Y+34,r2 + std Y+35,r21 + std Y+36,r20 + std Y+37,r3 + std Y+38,r18 + std Y+39,r19 + std Y+40,r22 + std Y+41,r9 + std Y+42,r10 + std Y+43,r7 + std Y+44,r6 + std Y+45,r11 + std Y+46,r4 + std Y+47,r5 + std Y+48,r8 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,28 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +122: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 122b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,28 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +150: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif 
defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 150b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,28 + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 +179: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 179b + std Y+33,r12 + std Y+34,r13 + std Y+35,r14 + std Y+36,r15 + std Y+37,r24 + std Y+38,r25 + std Y+39,r16 + std Y+40,r17 + ldi r26,28 + ldd r12,Y+41 + ldd r13,Y+42 + 
ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 +207: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 207b + std Y+41,r12 + std Y+42,r13 + std Y+43,r14 + std Y+44,r15 + std Y+45,r24 + std Y+46,r25 + std Y+47,r16 + std Y+48,r17 + ldi r26,112 +227: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 
+#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+41 + eor r22,r0 + ldd r0,Y+42 + eor r23,r0 + ldd r0,Y+43 + eor r2,r0 + ldd r0,Y+44 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldd 
r0,Y+45 + eor r4,r0 + ldd r0,Y+46 + eor r5,r0 + ldd r0,Y+47 + eor r6,r0 + ldd r0,Y+48 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif 
defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + 
ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm 
r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+33 + eor r4,r0 + ldd r0,Y+34 + eor r5,r0 + ldd r0,Y+35 + eor r6,r0 + ldd r0,Y+36 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldd r0,Y+37 + eor r8,r0 + ldd r0,Y+38 + eor r9,r0 + ldd r0,Y+39 + eor r10,r0 + 
ldd r0,Y+40 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov 
r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm 
r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+33 + ldd r13,Y+34 + ldd r14,Y+35 + ldd r15,Y+36 + ldd r24,Y+37 + ldd r25,Y+38 + ldd r16,Y+39 + ldd r17,Y+40 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + 
mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+33,r14 + std Y+34,r12 + std Y+35,r24 + std Y+36,r17 + std Y+37,r16 + std Y+38,r15 + std Y+39,r25 + std Y+40,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+41 + eor r8,r0 + ldd r0,Y+42 + eor r9,r0 + ldd r0,Y+43 + eor r10,r0 + ldd r0,Y+44 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldd r0,Y+45 + eor r18,r0 + ldd r0,Y+46 + eor r19,r0 + ldd r0,Y+47 + eor r20,r0 + ldd r0,Y+48 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) 
+#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z 
+#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+41 + ldd r13,Y+42 + ldd r14,Y+43 + ldd r15,Y+44 + ldd r24,Y+45 + ldd r25,Y+46 + ldd r16,Y+47 + ldd r17,Y+48 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+41,r14 + std Y+42,r12 + std Y+43,r24 + std Y+44,r17 + std Y+45,r16 + std Y+46,r15 + std Y+47,r25 + std Y+48,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+33 + eor r18,r0 + ldd r0,Y+34 + eor r19,r0 + ldd r0,Y+35 + eor r20,r0 + ldd r0,Y+36 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldd r0,Y+37 + eor r22,r0 + ldd r0,Y+38 + eor r23,r0 + ldd r0,Y+39 + eor r2,r0 + ldd r0,Y+40 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out 
_SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif 
defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + breq 903f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 227b +903: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+49 + ldd r27,Y+50 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,50 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_384_decrypt, .-skinny_128_384_decrypt + + .text +.global 
skinny_128_256_init + .type skinny_128_256_init, @function +skinny_128_256_init: + movw r30,r24 + movw r26,r22 +.L__stack_usage = 2 + ldi r22,8 +1: + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + st Z+,r18 + st Z+,r19 + st Z+,r20 + st Z+,r21 + dec r22 + brne 1b + ret + .size skinny_128_256_init, .-skinny_128_256_init + + .text +.global skinny_128_256_encrypt + .type skinny_128_256_encrypt, @function +skinny_128_256_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Y+5,r18 + std Y+6,r19 + std Y+7,r20 + std Y+8,r21 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + std Y+9,r18 + std Y+10,r19 + std Y+11,r20 + std Y+12,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + std Y+13,r18 + std Y+14,r19 + std Y+15,r20 + std Y+16,r21 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + ldd r18,Z+20 + ldd r19,Z+21 + ldd r20,Z+22 + ldd r21,Z+23 + std Y+21,r18 + std Y+22,r19 + std Y+23,r20 + std Y+24,r21 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + std Y+25,r18 + std Y+26,r19 + std Y+27,r20 + std Y+28,r21 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + std Y+29,r18 + std Y+30,r19 + std Y+31,r20 + std Y+32,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi 
r26,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + mov r26,r1 +82: + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + ldi r27,2 + eor r4,r27 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + eor r4,r18 + eor r5,r19 + 
eor r6,r20 + eor r7,r21 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + std Y+30,r16 + std Y+31,r24 
+ std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + 
elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + inc r26 + ldi r27,2 + eor r22,r27 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + mov r0,r2 + mov r2,r22 + mov r22,r0 + mov r0,r3 + mov r3,r23 + mov r23,r0 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + eor 
r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std 
Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm 
r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + inc r26 + ldi r27,2 + eor r18,r27 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov r0,r20 + mov r20,r18 + mov r18,r0 + mov r0,r21 + mov r21,r19 + mov r19,r0 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + eor 
r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r13 + std Y+10,r17 + std Y+11,r12 + std Y+12,r25 + std Y+13,r14 + std Y+14,r16 + std Y+15,r24 + std Y+16,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r13 + std Y+26,r17 + std Y+27,r12 + std Y+28,r25 + std Y+29,r14 + 
std Y+30,r16 + std Y+31,r24 + std Y+32,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if 
defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + inc r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + inc r26 + ldi r27,2 + eor r8,r27 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r4,r8 + eor r5,r9 + 
eor r6,r10 + eor r7,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + cpi r26,96 + breq 594f + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r13 + std Y+2,r17 + std Y+3,r12 + std Y+4,r25 + std Y+5,r14 + std Y+6,r16 + std Y+7,r24 + std Y+8,r15 + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r27,hh8(table_2) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r13 + std Y+18,r17 + std 
Y+19,r12 + std Y+20,r25 + std Y+21,r14 + std Y+22,r16 + std Y+23,r24 + std Y+24,r15 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r27,hh8(table_0) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 82b +594: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_encrypt, .-skinny_128_256_encrypt + +.global skinny_128_256_encrypt_tk_full + .set skinny_128_256_encrypt_tk_full,skinny_128_256_encrypt + + .text +.global skinny_128_256_decrypt + .type skinny_128_256_decrypt, @function +skinny_128_256_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,32 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 52 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + ldd r4,Z+8 + ldd r5,Z+9 + ldd r6,Z+10 + ldd r7,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + std Y+5,r22 + std Y+6,r23 + std Y+7,r2 + std Y+8,r3 + std Y+9,r4 + std Y+10,r5 + std Y+11,r6 + std Y+12,r7 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r18,Z+16 + ldd r19,Z+17 + ldd r20,Z+18 + ldd r21,Z+19 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + ldd r4,Z+24 + ldd r5,Z+25 + ldd 
r6,Z+26 + ldd r7,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Y+17,r18 + std Y+18,r19 + std Y+19,r20 + std Y+20,r21 + std Y+21,r22 + std Y+22,r23 + std Y+23,r2 + std Y+24,r3 + std Y+25,r4 + std Y+26,r5 + std Y+27,r6 + std Y+28,r7 + std Y+29,r8 + std Y+30,r9 + std Y+31,r10 + std Y+32,r11 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ldi r30,lo8(table_2) + ldi r31,hi8(table_2) +#if defined(RAMPZ) + ldi r26,hh8(table_2) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,24 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 +90: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if 
defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 90b + std Y+17,r12 + std Y+18,r13 + std Y+19,r14 + std Y+20,r15 + std Y+21,r24 + std Y+22,r25 + std Y+23,r16 + std Y+24,r17 + ldi r26,24 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 +118: + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + dec r26 + brne 118b + std Y+25,r12 + std Y+26,r13 + std Y+27,r14 + std Y+28,r15 + std Y+29,r24 + std Y+30,r25 + std Y+31,r16 + std Y+32,r17 + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r26,hh8(table_3) + 
out _SFR_IO_ADDR(RAMPZ),r26 +#endif + ldi r26,96 +139: + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + eor r8,r22 + eor r9,r23 + eor r10,r2 + eor r11,r3 + eor r4,r8 + eor r5,r9 + eor r6,r10 + 
eor r7,r11 + mov r0,r4 + mov r4,r5 + mov r5,r6 + mov r6,r7 + mov r7,r0 + mov r0,r8 + mov r8,r10 + mov r10,r0 + mov r0,r9 + mov r9,r11 + mov r11,r0 + mov r0,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + ldd r0,Y+9 + eor r22,r0 + ldd r0,Y+10 + eor r23,r0 + ldd r0,Y+11 + eor r2,r0 + ldd r0,Y+12 + eor r3,r0 + ldd r0,Y+25 + eor r22,r0 + ldd r0,Y+26 + eor r23,r0 + ldd r0,Y+27 + eor r2,r0 + ldd r0,Y+28 + eor r3,r0 + ldd r0,Y+13 + eor r4,r0 + ldd r0,Y+14 + eor r5,r0 + ldd r0,Y+15 + eor r6,r0 + ldd r0,Y+16 + eor r7,r0 + ldd r0,Y+29 + eor r4,r0 + ldd r0,Y+30 + eor r5,r0 + ldd r0,Y+31 + eor r6,r0 + ldd r0,Y+32 + eor r7,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + ldi r27,2 + eor r8,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z 
+#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + 
ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + eor r8,r18 + eor 
r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r18 + mov r18,r20 + mov r20,r0 + mov r0,r19 + mov r19,r21 + mov r21,r0 + mov r0,r3 + mov r3,r2 + mov r2,r23 + mov r23,r22 + mov r22,r0 + ldd r0,Y+1 + eor r4,r0 + ldd r0,Y+2 + eor r5,r0 + ldd r0,Y+3 + eor r6,r0 + ldd r0,Y+4 + eor r7,r0 + ldd r0,Y+17 + eor r4,r0 + ldd r0,Y+18 + eor r5,r0 + ldd r0,Y+19 + eor r6,r0 + ldd r0,Y+20 + eor r7,r0 + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + ldd r0,Y+21 + eor r8,r0 + ldd r0,Y+22 + eor r9,r0 + ldd r0,Y+23 + eor r10,r0 + ldd r0,Y+24 + eor r11,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r4,r27 + ldi r27,2 + eor r18,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + 
elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if 
defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + ldd r24,Y+5 + ldd r25,Y+6 + ldd r16,Y+7 + ldd r17,Y+8 + std Y+1,r14 + std Y+2,r12 + std Y+3,r24 + std Y+4,r17 + std Y+5,r16 + std Y+6,r15 + std Y+7,r25 + std Y+8,r13 + ldd r12,Y+17 + ldd r13,Y+18 + ldd r14,Y+19 + ldd r15,Y+20 + ldd r24,Y+21 + ldd r25,Y+22 + ldd r16,Y+23 + ldd r17,Y+24 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+17,r14 + std Y+18,r12 + std Y+19,r24 + std Y+20,r17 + std Y+21,r16 + std Y+22,r15 + std Y+23,r25 + std Y+24,r13 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r18,r22 + eor 
r19,r23 + eor r20,r2 + eor r21,r3 + mov r0,r18 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r7 + mov r7,r6 + mov r6,r5 + mov r5,r4 + mov r4,r0 + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + ldd r0,Y+25 + eor r8,r0 + ldd r0,Y+26 + eor r9,r0 + ldd r0,Y+27 + eor r10,r0 + ldd r0,Y+28 + eor r11,r0 + ldd r0,Y+13 + eor r18,r0 + ldd r0,Y+14 + eor r19,r0 + ldd r0,Y+15 + eor r20,r0 + ldd r0,Y+16 + eor r21,r0 + ldd r0,Y+29 + eor r18,r0 + ldd r0,Y+30 + eor r19,r0 + ldd r0,Y+31 + eor r20,r0 + ldd r0,Y+32 + eor r21,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r8,r27 + ldi r27,2 + eor r22,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + mov r30,r18 
+#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + ldi r30,lo8(table_3) + ldi 
r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + ldd r12,Y+9 + ldd r13,Y+10 + ldd r14,Y+11 + ldd r15,Y+12 + ldd r24,Y+13 + ldd r25,Y+14 + ldd r16,Y+15 + ldd r17,Y+16 + std Y+9,r14 + std Y+10,r12 + std Y+11,r24 + std Y+12,r17 + std Y+13,r16 + std Y+14,r15 + std Y+15,r25 + std Y+16,r13 + ldd r12,Y+25 + ldd r13,Y+26 + ldd r14,Y+27 + ldd r15,Y+28 + ldd r24,Y+29 + ldd r25,Y+30 + ldd r16,Y+31 + ldd r17,Y+32 + mov r30,r12 +#if defined(RAMPZ) + elpm r12,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r12,Z +#elif defined(__AVR_TINY__) + ld r12,Z +#else + lpm + mov r12,r0 +#endif + mov r30,r13 +#if defined(RAMPZ) + elpm r13,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r13,Z +#elif defined(__AVR_TINY__) + ld r13,Z +#else + lpm + mov r13,r0 +#endif + mov r30,r14 +#if defined(RAMPZ) + elpm r14,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r14,Z +#elif defined(__AVR_TINY__) + ld r14,Z +#else + lpm + mov r14,r0 +#endif + mov r30,r15 +#if defined(RAMPZ) + elpm r15,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r15,Z +#elif defined(__AVR_TINY__) + ld r15,Z +#else + lpm + mov r15,r0 +#endif + mov r30,r24 +#if defined(RAMPZ) + elpm r24,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r24,Z +#elif defined(__AVR_TINY__) + ld r24,Z +#else + lpm + mov r24,r0 +#endif + mov r30,r25 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + mov r30,r16 +#if defined(RAMPZ) + elpm r16,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r16,Z +#elif defined(__AVR_TINY__) + ld r16,Z +#else + lpm + mov r16,r0 +#endif + mov r30,r17 +#if defined(RAMPZ) + elpm r17,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r17,Z +#elif defined(__AVR_TINY__) + ld r17,Z +#else + lpm + mov r17,r0 +#endif + std Y+25,r14 + std Y+26,r12 + std Y+27,r24 + std Y+28,r17 + std Y+29,r16 + std Y+30,r15 + std Y+31,r25 + std Y+32,r13 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + eor r22,r4 + eor r23,r5 + eor r2,r6 + eor r3,r7 + mov r0,r22 + mov r22,r23 + mov r23,r2 + mov r2,r3 + mov r3,r0 + mov r0,r4 + mov r4,r6 + mov r6,r0 + mov r0,r5 + mov r5,r7 + mov r7,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + ldd r0,Y+1 + eor r18,r0 + ldd r0,Y+2 + eor r19,r0 + ldd r0,Y+3 + eor r20,r0 + ldd r0,Y+4 + eor r21,r0 + ldd r0,Y+17 + eor r18,r0 + ldd r0,Y+18 + eor r19,r0 + ldd r0,Y+19 + eor r20,r0 + ldd r0,Y+20 + eor r21,r0 + ldd r0,Y+5 + eor r22,r0 + ldd r0,Y+6 + eor r23,r0 + ldd r0,Y+7 + eor r2,r0 + ldd r0,Y+8 + eor r3,r0 + ldd r0,Y+21 + eor r22,r0 + ldd r0,Y+22 + eor r23,r0 + ldd r0,Y+23 + eor r2,r0 + ldd r0,Y+24 + eor r3,r0 + ldi r30,lo8(table_4) + ldi r31,hi8(table_4) +#if defined(RAMPZ) + ldi r24,hh8(table_4) + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r22,r27 + dec r26 + mov r30,r26 +#if defined(RAMPZ) + elpm r27,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r27,Z +#elif defined(__AVR_TINY__) + ld r27,Z +#else + lpm + mov r27,r0 +#endif + eor r18,r27 + ldi r27,2 + eor r4,r27 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r27,hh8(table_1) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + mov r30,r18 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + mov r30,r19 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + mov r30,r20 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + mov r30,r21 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + 
mov r21,r0 +#endif + mov r30,r22 +#if defined(RAMPZ) + elpm r22,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r22,Z +#elif defined(__AVR_TINY__) + ld r22,Z +#else + lpm + mov r22,r0 +#endif + mov r30,r23 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + mov r30,r2 +#if defined(RAMPZ) + elpm r2,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r2,Z +#elif defined(__AVR_TINY__) + ld r2,Z +#else + lpm + mov r2,r0 +#endif + mov r30,r3 +#if defined(RAMPZ) + elpm r3,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r3,Z +#elif defined(__AVR_TINY__) + ld r3,Z +#else + lpm + mov r3,r0 +#endif + mov r30,r4 +#if defined(RAMPZ) + elpm r4,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r4,Z +#elif defined(__AVR_TINY__) + ld r4,Z +#else + lpm + mov r4,r0 +#endif + mov r30,r5 +#if defined(RAMPZ) + elpm r5,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r5,Z +#elif defined(__AVR_TINY__) + ld r5,Z +#else + lpm + mov r5,r0 +#endif + mov r30,r6 +#if defined(RAMPZ) + elpm r6,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r6,Z +#elif defined(__AVR_TINY__) + ld r6,Z +#else + lpm + mov r6,r0 +#endif + mov r30,r7 +#if defined(RAMPZ) + elpm r7,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r7,Z +#elif defined(__AVR_TINY__) + ld r7,Z +#else + lpm + mov r7,r0 +#endif + mov r30,r8 +#if defined(RAMPZ) + elpm r8,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r8,Z +#elif defined(__AVR_TINY__) + ld r8,Z +#else + lpm + mov r8,r0 +#endif + mov r30,r9 +#if defined(RAMPZ) + elpm r9,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r9,Z +#elif defined(__AVR_TINY__) + ld r9,Z +#else + lpm + mov r9,r0 +#endif + mov r30,r10 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + mov r30,r11 +#if defined(RAMPZ) + elpm r11,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r11,Z +#elif defined(__AVR_TINY__) + ld r11,Z +#else + lpm + mov r11,r0 +#endif + cp r26,r1 + 
breq 651f + ldi r30,lo8(table_3) + ldi r31,hi8(table_3) +#if defined(RAMPZ) + ldi r27,hh8(table_3) + out _SFR_IO_ADDR(RAMPZ),r27 +#endif + rjmp 139b +651: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+33 + ldd r27,Y+34 + st X+,r18 + st X+,r19 + st X+,r20 + st X+,r21 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + adiw r28,34 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size skinny_128_256_decrypt, .-skinny_128_256_decrypt + +#endif diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-skinny128.c b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-skinny128.c new file mode 100644 index 0000000..579ced1 --- /dev/null +++ b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-skinny128.c 
@@ -0,0 +1,801 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "internal-skinny128.h"
+#include "internal-skinnyutil.h"
+#include "internal-util.h"
+#include
+
+#if !defined(__AVR__)
+
+STATIC_INLINE void skinny128_fast_forward_tk(uint32_t *tk)
+{
+ /* This function is used to fast-forward the TK1 tweak value
+ * to the value at the end of the key schedule for decryption.
+ *
+ * The tweak permutation repeats every 16 rounds, so SKINNY-128-256
+ * with 48 rounds does not need any fast forwarding applied.
+ * SKINNY-128-128 with 40 rounds and SKINNY-128-384 with 56 rounds + * are equivalent to applying the permutation 8 times: + * + * PT*8 = [5, 6, 3, 2, 7, 0, 1, 4, 13, 14, 11, 10, 15, 8, 9, 12] + */ + uint32_t row0 = tk[0]; + uint32_t row1 = tk[1]; + uint32_t row2 = tk[2]; + uint32_t row3 = tk[3]; + tk[0] = ((row1 >> 8) & 0x0000FFFFU) | + ((row0 >> 8) & 0x00FF0000U) | + ((row0 << 8) & 0xFF000000U); + tk[1] = ((row1 >> 24) & 0x000000FFU) | + ((row0 << 8) & 0x00FFFF00U) | + ((row1 << 24) & 0xFF000000U); + tk[2] = ((row3 >> 8) & 0x0000FFFFU) | + ((row2 >> 8) & 0x00FF0000U) | + ((row2 << 8) & 0xFF000000U); + tk[3] = ((row3 >> 24) & 0x000000FFU) | + ((row2 << 8) & 0x00FFFF00U) | + ((row3 << 24) & 0xFF000000U); +} + +void skinny_128_384_init + (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]) +{ +#if !SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); + memcpy(ks->TK3, key + 32, sizeof(ks->TK3)); +#else + /* Set the initial states of TK1, TK2, and TK3 */ + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Set up the key schedule using TK2 and TK3. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. 
+ * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ TK3[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ TK3[1] ^ (rc >> 4); + + /* Permute TK2 and TK3 for the next round */ + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + + /* Apply the LFSR's to TK2 and TK3 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } +#endif +} + +void skinny_128_384_encrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0; +#else + const uint32_t *schedule = ks->k; +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 
5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; +#endif + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 for the next round */ + skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_decrypt + (const skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t TK3[4]; + uint8_t rc = 0x15; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_384_ROUNDS * 2 - 2]); +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 
+ 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif + + /* Permute TK1 to fast-forward it to the end of the key schedule */ + skinny128_fast_forward_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_fast_forward_tk(TK2); + skinny128_fast_forward_tk(TK3); + for (round = 0; round < SKINNY_128_384_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2 and TK3. + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + skinny128_LFSR3(TK3[2]); + skinny128_LFSR3(TK3[3]); + } +#endif + + /* Perform all decryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_inv_permute_tk(TK3); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); + skinny128_LFSR2(TK3[2]); + skinny128_LFSR2(TK3[3]); +#endif + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + 
le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK3[4]; + uint8_t rc = 0; +#else + const uint32_t *schedule = ks->k; +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); + TK2[0] = le_load_word32(tk2); + TK2[1] = le_load_word32(tk2 + 4); + TK2[2] = le_load_word32(tk2 + 8); + TK2[3] = le_load_word32(tk2 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK3[0] = le_load_word32(ks->TK3); + TK3[1] = le_load_word32(ks->TK3 + 4); + TK3[2] = le_load_word32(ks->TK3 + 8); + TK3[3] = le_load_word32(ks->TK3 + 12); +#endif + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0] ^ TK2[0]; + s1 ^= schedule[1] ^ TK1[1] ^ TK2[1]; +#endif + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. 
That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK3); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); +#else + schedule += 2; +#endif + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_384_encrypt_tk_full + (const unsigned char key[48], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t TK3[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + TK3[0] = le_load_word32(key + 32); + TK3[1] = le_load_word32(key + 36); + TK3[2] = le_load_word32(key + 40); + TK3[3] = le_load_word32(key + 44); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_384_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this 
round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ TK3[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ TK3[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1, TK2, and TK3 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_permute_tk(TK3); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR3(TK3[0]); + skinny128_LFSR3(TK3[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_init + (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]) +{ +#if !SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint32_t *schedule; + unsigned round; + uint8_t rc; +#endif + +#if SKINNY_128_SMALL_SCHEDULE + /* Copy the input key as-is when using the small key schedule version */ + memcpy(ks->TK1, key, sizeof(ks->TK1)); + memcpy(ks->TK2, key + 16, sizeof(ks->TK2)); +#else + /* Set the initial states of TK1 and TK2 */ + memcpy(ks->TK1, key, 16); + TK2[0] = le_load_word32(key + 16); + TK2[1] = le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Set up the key schedule using TK2. TK1 is not added + * to the key schedule because we will derive that part of the + * schedule during encryption operations */ + schedule = ks->k; + rc = 0; + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round, schedule += 2) { + /* XOR the round constants with the current schedule words. 
+ * The round constants for the 3rd and 4th rows are + * fixed and will be applied during encryption. */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + schedule[0] = TK2[0] ^ (rc & 0x0F); + schedule[1] = TK2[1] ^ (rc >> 4); + + /* Permute TK2 for the next round */ + skinny128_permute_tk(TK2); + + /* Apply the LFSR to TK2 */ + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } +#endif +} + +void skinny_128_256_encrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0; +#else + const uint32_t *schedule = ks->k; +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1 */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); +#endif + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; +#endif + s2 ^= 0x02; + + /* Shift the cells in the rows right, which 
moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); +#else + schedule += 2; +#endif + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_decrypt + (const skinny_128_256_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; +#if SKINNY_128_SMALL_SCHEDULE + uint32_t TK2[4]; + uint8_t rc = 0x09; +#else + const uint32_t *schedule = &(ks->k[SKINNY_128_256_ROUNDS * 2 - 2]); +#endif + uint32_t temp; + unsigned round; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakable part of the state, TK1. + * There is no need to fast-forward TK1 because the value at + * the end of the key schedule is the same as at the start */ + TK1[0] = le_load_word32(ks->TK1); + TK1[1] = le_load_word32(ks->TK1 + 4); + TK1[2] = le_load_word32(ks->TK1 + 8); + TK1[3] = le_load_word32(ks->TK1 + 12); +#if SKINNY_128_SMALL_SCHEDULE + TK2[0] = le_load_word32(ks->TK2); + TK2[1] = le_load_word32(ks->TK2 + 4); + TK2[2] = le_load_word32(ks->TK2 + 8); + TK2[3] = le_load_word32(ks->TK2 + 12); + for (round = 0; round < SKINNY_128_256_ROUNDS; round += 2) { + // Also fast-forward the LFSR's on every byte of TK2. 
+ skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + skinny128_LFSR2(TK2[2]); + skinny128_LFSR2(TK2[3]); + } +#endif + + /* Perform all decryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Inverse permutation on TK1 for this round */ + skinny128_inv_permute_tk(TK1); +#if SKINNY_128_SMALL_SCHEDULE + skinny128_inv_permute_tk(TK2); + skinny128_LFSR3(TK2[2]); + skinny128_LFSR3(TK2[3]); +#endif + + /* Inverse mix of the columns */ + temp = s3; + s3 = s0; + s0 = s1; + s1 = s2; + s3 ^= temp; + s2 = temp ^ s0; + s1 ^= s2; + + /* Inverse shift of the rows */ + s1 = leftRotate24(s1); + s2 = leftRotate16(s2); + s3 = leftRotate8(s3); + + /* Apply the subkey for this round */ +#if SKINNY_128_SMALL_SCHEDULE + rc = (rc >> 1) ^ (((rc << 5) ^ rc ^ 0x20) & 0x20); + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); +#else + s0 ^= schedule[0] ^ TK1[0]; + s1 ^= schedule[1] ^ TK1[1]; + schedule -= 2; +#endif + s2 ^= 0x02; + + /* Apply the inverse of the S-box to all bytes in the state */ + skinny128_inv_sbox(s0); + skinny128_inv_sbox(s1); + skinny128_inv_sbox(s2); + skinny128_inv_sbox(s3); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +void skinny_128_256_encrypt_tk_full + (const unsigned char key[32], unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t TK1[4]; + uint32_t TK2[4]; + uint32_t temp; + unsigned round; + uint8_t rc = 0; + + /* Unpack the input block into the state array */ + s0 = le_load_word32(input); + s1 = le_load_word32(input + 4); + s2 = le_load_word32(input + 8); + s3 = le_load_word32(input + 12); + + /* Make a local copy of the tweakey */ + TK1[0] = le_load_word32(key); + TK1[1] = le_load_word32(key + 4); + TK1[2] = le_load_word32(key + 8); + TK1[3] = le_load_word32(key + 12); + TK2[0] = le_load_word32(key + 16); + TK2[1] 
= le_load_word32(key + 20); + TK2[2] = le_load_word32(key + 24); + TK2[3] = le_load_word32(key + 28); + + /* Perform all encryption rounds */ + for (round = 0; round < SKINNY_128_256_ROUNDS; ++round) { + /* Apply the S-box to all bytes in the state */ + skinny128_sbox(s0); + skinny128_sbox(s1); + skinny128_sbox(s2); + skinny128_sbox(s3); + + /* XOR the round constant and the subkey for this round */ + rc = (rc << 1) ^ ((rc >> 5) & 0x01) ^ ((rc >> 4) & 0x01) ^ 0x01; + rc &= 0x3F; + s0 ^= TK1[0] ^ TK2[0] ^ (rc & 0x0F); + s1 ^= TK1[1] ^ TK2[1] ^ (rc >> 4); + s2 ^= 0x02; + + /* Shift the cells in the rows right, which moves the cell + * values up closer to the MSB. That is, we do a left rotate + * on the word to rotate the cells in the word right */ + s1 = leftRotate8(s1); + s2 = leftRotate16(s2); + s3 = leftRotate24(s3); + + /* Mix the columns */ + s1 ^= s2; + s2 ^= s0; + temp = s3 ^ s2; + s3 = s2; + s2 = s1; + s1 = s0; + s0 = temp; + + /* Permute TK1 and TK2 for the next round */ + skinny128_permute_tk(TK1); + skinny128_permute_tk(TK2); + skinny128_LFSR2(TK2[0]); + skinny128_LFSR2(TK2[1]); + } + + /* Pack the result into the output buffer */ + le_store_word32(output, s0); + le_store_word32(output + 4, s1); + le_store_word32(output + 8, s2); + le_store_word32(output + 12, s3); +} + +#else /* __AVR__ */ + +void skinny_128_384_encrypt_tk2 + (skinny_128_384_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, const unsigned char *tk2) +{ + memcpy(ks->TK2, tk2, 16); + skinny_128_384_encrypt(ks, output, input); +} + +#endif /* __AVR__ */ diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-skinny128.h b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-skinny128.h new file mode 100644 index 0000000..2bfda3c --- /dev/null +++ b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-skinny128.h 
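Review bot: The AVR fallback of `skinny_128_384_encrypt_tk2` at the end of the hunk does `memcpy(ks->TK2, tk2, 16)` and never restores the previous bytes, so after one call every later `skinny_128_384_encrypt(ks, …)` on AVR keeps using that tk2, whereas the portable version above only reads `tk2` into locals and leaves `ks` untouched — a caller that mixes the two entry points gets platform-dependent ciphertext, which the header's "may modify the key schedule" note only hints at. I would make the side effect explicit in the .c with `/* NOTE: permanently rebinds ks->TK2; the AVR schedule holds TK2 by value, unlike the expanded host schedule. */`, or save and restore the 16 bytes around the call. The portable branch also silently assumes TK2 was all-zero when `skinny_128_384_init` built `k[]` (the schedule words already hold `TK2 ^ TK3 ^ rc`, so a non-zero TK2 at init time is XORed in twice); that precondition is stated only in the header and deserves a one-line comment above the round loop. The decrypt paths start from `rc = 0x15` and `rc = 0x09` with no explanation; these appear to be the round-constant LFSR states one step past rounds 56 and 48, which the loop then steps backwards before the first XOR, and a comment saying so would spare the next reader re-deriving the sequence. Finally, neither the local TK1/TK2/TK3 copies nor the expanded schedule are ever scrubbed; if that is deliberate for constrained targets, say so and note that callers own wiping `ks`.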
@@ -0,0 +1,244 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LW_INTERNAL_SKINNY128_H
+#define LW_INTERNAL_SKINNY128_H
+
+/**
+ * \file internal-skinny128.h
+ * \brief SKINNY-128 block cipher family.
+ *
+ * References: https://eprint.iacr.org/2016/660.pdf,
+ * https://sites.google.com/site/skinnycipher/
+ */
+
+#include
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \def SKINNY_128_SMALL_SCHEDULE
+ * \brief Defined to 1 to use the small key schedule version of SKINNY-128.
+ */
+#if defined(__AVR__)
+#define SKINNY_128_SMALL_SCHEDULE 1
+#else
+#define SKINNY_128_SMALL_SCHEDULE 0
+#endif
+
+/**
+ * \brief Size of a block for SKINNY-128 block ciphers.
+ */
+#define SKINNY_128_BLOCK_SIZE 16
+
+/**
+ * \brief Number of rounds for SKINNY-128-384.
+ */
+#define SKINNY_128_384_ROUNDS 56
+
+/**
+ * \brief Structure of the key schedule for SKINNY-128-384.
+ */
+typedef struct
+{
+ /** TK1 for the tweakable part of the key schedule */
+ uint8_t TK1[16];
+
+#if SKINNY_128_SMALL_SCHEDULE
+ /** TK2 for the small key schedule */
+ uint8_t TK2[16];
+
+ /** TK3 for the small key schedule */
+ uint8_t TK3[16];
+#else
+ /** Words of the full key schedule */
+ uint32_t k[SKINNY_128_384_ROUNDS * 2];
+#endif
+
+} skinny_128_384_key_schedule_t;
+
+/**
+ * \brief Initializes the key schedule for SKINNY-128-384.
+ *
+ * \param ks Points to the key schedule to initialize.
+ * \param key Points to the key data.
+ */
+void skinny_128_384_init
+ (skinny_128_384_key_schedule_t *ks, const unsigned char key[48]);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-384.
+ *
+ * \param ks Points to the SKINNY-128-384 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ */
+void skinny_128_384_encrypt
+ (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Decrypts a 128-bit block with SKINNY-128-384.
+ *
+ * \param ks Points to the SKINNY-128-384 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ */
+void skinny_128_384_decrypt
+ (const skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-384 and an explicitly
+ * provided TK2 value.
+ *
+ * \param ks Points to the SKINNY-128-384 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ * \param tk2 TK2 value that should be updated on the fly.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ *
+ * This version is useful when both TK1 and TK2 change from block to block.
+ * When the key is initialized with skinny_128_384_init(), the TK2 part of
+ * the key value should be set to zero.
+ *
+ * \note Some versions of this function may modify the key schedule to
+ * copy tk2 into place.
+ */
+void skinny_128_384_encrypt_tk2
+ (skinny_128_384_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input, const unsigned char *tk2);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-384 and a
+ * fully specified tweakey value.
+ *
+ * \param key Points to the 384-bit tweakey value.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ *
+ * This version is useful when the entire tweakey changes from block to
+ * block. It is slower than the other versions of SKINNY-128-384 but
+ * more memory-efficient.
+ */
+void skinny_128_384_encrypt_tk_full
+ (const unsigned char key[48], unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Number of rounds for SKINNY-128-256.
+ */
+#define SKINNY_128_256_ROUNDS 48
+
+/**
+ * \brief Structure of the key schedule for SKINNY-128-256.
+ */
+typedef struct
+{
+ /** TK1 for the tweakable part of the key schedule */
+ uint8_t TK1[16];
+
+#if SKINNY_128_SMALL_SCHEDULE
+ /** TK2 for the small key schedule */
+ uint8_t TK2[16];
+#else
+ /** Words of the full key schedule */
+ uint32_t k[SKINNY_128_256_ROUNDS * 2];
+#endif
+
+} skinny_128_256_key_schedule_t;
+
+/**
+ * \brief Initializes the key schedule for SKINNY-128-256.
+ *
+ * \param ks Points to the key schedule to initialize.
+ * \param key Points to the key data.
+ */
+void skinny_128_256_init
+ (skinny_128_256_key_schedule_t *ks, const unsigned char key[32]);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-256.
+ *
+ * \param ks Points to the SKINNY-128-256 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ */
+void skinny_128_256_encrypt
+ (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Decrypts a 128-bit block with SKINNY-128-256.
+ *
+ * \param ks Points to the SKINNY-128-256 key schedule.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ */
+void skinny_128_256_decrypt
+ (const skinny_128_256_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input);
+
+/**
+ * \brief Encrypts a 128-bit block with SKINNY-128-256 and a
+ * fully specified tweakey value.
+ *
+ * \param key Points to the 256-bit tweakey value.
+ * \param output Output buffer which must be at least 16 bytes in length.
+ * \param input Input buffer which must be at least 16 bytes in length.
+ *
+ * The \a input and \a output buffers can be the same buffer for
+ * in-place encryption.
+ *
+ * This version is useful when the entire tweakey changes from block to
+ * block. It is slower than the other versions of SKINNY-128-256 but
+ * more memory-efficient.
+ */
+void skinny_128_256_encrypt_tk_full
+ (const unsigned char key[32], unsigned char *output,
+ const unsigned char *input);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
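Review bot: The documentation for `skinny_128_384_decrypt` and `skinny_128_256_decrypt` was copied from the encrypt functions and still says "for in-place encryption"; change it to `in-place decryption` in both places. The contract on `skinny_128_384_encrypt_tk2` is phrased as a soft "should be set to zero", but with the expanded schedule the TK2 words are already folded into `k[]` at init time, so a non-zero TK2 there yields wrong ciphertext rather than a degraded result; I would make it normative, e.g. `The TK2 part of the key passed to skinny_128_384_init() must be all-zero; otherwise TK2 is applied twice and the output is incorrect.` Since `SKINNY_128_SMALL_SCHEDULE` changes the layout and size of both key-schedule structs, it would also be worth one line noting that these objects are build-specific and must not be serialised or shared between a host build and an AVR target.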
diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-skinnyutil.h b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-skinnyutil.h
new file mode 100644
index 0000000..83136cb
--- /dev/null
+++ b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-skinnyutil.h
@@ -0,0 +1,328 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_SKINNYUTIL_H +#define LW_INTERNAL_SKINNYUTIL_H + +/** + * \file internal-skinnyutil.h + * \brief Utilities to help implement SKINNY and its variants. 
+ */ + +#include "internal-util.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** @cond skinnyutil */ + +/* Utilities for implementing SKINNY-128 */ + +#define skinny128_LFSR2(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x << 1) & 0xFEFEFEFEU) ^ \ + (((_x >> 7) ^ (_x >> 5)) & 0x01010101U); \ + } while (0) + + +#define skinny128_LFSR3(x) \ + do { \ + uint32_t _x = (x); \ + (x) = ((_x >> 1) & 0x7F7F7F7FU) ^ \ + (((_x << 7) ^ (_x << 1)) & 0x80808080U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny128_inv_LFSR2(x) skinny128_LFSR3(x) +#define skinny128_inv_LFSR3(x) skinny128_LFSR2(x) + +#define skinny128_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint32_t row2 = tk[2]; \ + uint32_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 16) | (row3 >> 16); \ + tk[0] = ((row2 >> 8) & 0x000000FFU) | \ + ((row2 << 16) & 0x00FF0000U) | \ + ( row3 & 0xFF00FF00U); \ + tk[1] = ((row2 >> 16) & 0x000000FFU) | \ + (row2 & 0xFF000000U) | \ + ((row3 << 8) & 0x0000FF00U) | \ + ( row3 & 0x00FF0000U); \ + } while (0) + +#define skinny128_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint32_t row0 = tk[0]; \ + uint32_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 >> 16) & 0x000000FFU) | \ + ((row0 << 8) & 0x0000FF00U) | \ + ((row1 << 16) & 0x00FF0000U) | \ + ( row1 & 0xFF000000U); \ + tk[3] = ((row0 >> 16) & 0x0000FF00U) | \ + ((row0 << 16) & 0xFF000000U) | \ + ((row1 >> 16) & 0x000000FFU) | \ + ((row1 << 8) & 0x00FF0000U); \ + } while (0) + +/* + * Apply the SKINNY sbox. 
The original version from the specification is + * equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE(x) + * ((((x) & 0x01010101U) << 2) | + * (((x) & 0x06060606U) << 5) | + * (((x) & 0x20202020U) >> 5) | + * (((x) & 0xC8C8C8C8U) >> 2) | + * (((x) & 0x10101010U) >> 1)) + * + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE(x); + * x = SBOX_MIX(x); + * return SBOX_SWAP(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + x ^= (((x >> 2) & (x >> 3)) & 0x11111111U); \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 5) & (x << 4)) & 0x40404040U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 2) & (x << 1)) & 0x02020202U) ^ y; \ + y = (((x >> 5) & (x << 1)) & 0x04040404U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [2 7 6 1 3 0 4 5] */ \ + x = ((x & 0x08080808U) << 1) | \ + ((x & 0x32323232U) << 2) | \ + ((x & 0x01010101U) << 5) | \ + ((x & 0x80808080U) >> 6) | \ + ((x & 0x40404040U) >> 4) | \ + ((x & 0x04040404U) >> 2); \ +} while (0) + +/* + * Apply the inverse of the SKINNY sbox. 
The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x11111111U) ^ (x)) + * #define SBOX_SWAP(x) + * (((x) & 0xF9F9F9F9U) | + * (((x) >> 1) & 0x02020202U) | + * (((x) << 1) & 0x04040404U)) + * #define SBOX_PERMUTE_INV(x) + * ((((x) & 0x08080808U) << 1) | + * (((x) & 0x32323232U) << 2) | + * (((x) & 0x01010101U) << 5) | + * (((x) & 0xC0C0C0C0U) >> 5) | + * (((x) & 0x04040404U) >> 2)) + * + * x = SBOX_SWAP(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_PERMUTE_INV(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_PERMUTE_INV and SBOX_SWAP steps to be performed with one + * final permuatation. This reduces the number of shift operations. + */ +#define skinny128_inv_sbox(x) \ +do { \ + uint32_t y; \ + \ + /* Mix the bits */ \ + x = ~x; \ + y = (((x >> 1) & (x >> 3)) & 0x01010101U); \ + x ^= (((x >> 2) & (x >> 3)) & 0x10101010U) ^ y; \ + y = (((x >> 6) & (x >> 1)) & 0x02020202U); \ + x ^= (((x >> 1) & (x >> 2)) & 0x08080808U) ^ y; \ + y = (((x << 2) & (x << 1)) & 0x80808080U); \ + x ^= (((x >> 1) & (x << 2)) & 0x04040404U) ^ y; \ + y = (((x << 5) & (x << 1)) & 0x20202020U); \ + x ^= (((x << 4) & (x << 5)) & 0x40404040U) ^ y; \ + x = ~x; \ + \ + /* Permutation generated by http://programming.sirrida.de/calcperm.php */ \ + /* The final permutation for each byte is [5 3 0 4 6 7 2 1] */ \ + x = ((x & 0x01010101U) << 2) | \ + ((x & 0x04040404U) << 4) | \ + ((x & 0x02020202U) << 6) | \ + ((x & 0x20202020U) >> 5) | \ + ((x & 0xC8C8C8C8U) >> 2) | \ + ((x & 0x10101010U) >> 1); \ +} while (0) + +/* Utilities for implementing SKINNY-64 */ + +#define skinny64_LFSR2(x) \ + do { \ + uint16_t _x = (x); \ + (x) = ((_x << 1) & 0xEEEEU) ^ (((_x >> 3) ^ (_x >> 2)) & 0x1111U); \ + } while (0) + +#define skinny64_LFSR3(x) \ + do { \ + uint16_t _x = (x); 
\ + (x) = ((_x >> 1) & 0x7777U) ^ ((_x ^ (_x << 3)) & 0x8888U); \ + } while (0) + +/* LFSR2 and LFSR3 are inverses of each other */ +#define skinny64_inv_LFSR2(x) skinny64_LFSR3(x) +#define skinny64_inv_LFSR3(x) skinny64_LFSR2(x) + +#define skinny64_permute_tk(tk) \ + do { \ + /* PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] */ \ + uint16_t row2 = tk[2]; \ + uint16_t row3 = tk[3]; \ + tk[2] = tk[0]; \ + tk[3] = tk[1]; \ + row3 = (row3 << 8) | (row3 >> 8); \ + tk[0] = ((row2 << 4) & 0xF000U) | \ + ((row2 >> 8) & 0x00F0U) | \ + ( row3 & 0x0F0FU); \ + tk[1] = ((row2 << 8) & 0xF000U) | \ + ((row3 >> 4) & 0x0F00U) | \ + ( row3 & 0x00F0U) | \ + ( row2 & 0x000FU); \ + } while (0) + +#define skinny64_inv_permute_tk(tk) \ + do { \ + /* PT' = [8, 9, 10, 11, 12, 13, 14, 15, 2, 0, 4, 7, 6, 3, 5, 1] */ \ + uint16_t row0 = tk[0]; \ + uint16_t row1 = tk[1]; \ + tk[0] = tk[2]; \ + tk[1] = tk[3]; \ + tk[2] = ((row0 << 8) & 0xF000U) | \ + ((row0 >> 4) & 0x0F00U) | \ + ((row1 >> 8) & 0x00F0U) | \ + ( row1 & 0x000FU); \ + tk[3] = ((row1 << 8) & 0xF000U) | \ + ((row0 << 8) & 0x0F00U) | \ + ((row1 >> 4) & 0x00F0U) | \ + ((row0 >> 8) & 0x000FU); \ + } while (0) + +/* + * Apply the SKINNY-64 sbox. The original version from the + * specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT(x) + * ((((x) << 1) & 0xEEEEU) | (((x) >> 3) & 0x1111U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT(x); + * return SBOX_MIX(x); + * + * However, we can mix the bits in their original positions and then + * delay the SBOX_SHIFT steps to be performed with one final rotation. + * This reduces the number of required shift operations from 14 to 10. 
+ * + * We can further reduce the number of NOT operations from 4 to 2 + * using the technique from https://github.com/kste/skinny_avx to + * convert NOR-XOR operations into AND-XOR operations by converting + * the S-box into its NOT-inverse. + */ +#define skinny64_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x >> 2) & (x << 1)) & 0x2222U) ^ x; \ + x = ~x; \ + x = ((x >> 1) & 0x7777U) | ((x << 3) & 0x8888U); \ +} while (0) + +/* + * Apply the inverse of the SKINNY-64 sbox. The original version + * from the specification is equivalent to: + * + * #define SBOX_MIX(x) + * (((~((((x) >> 1) | (x)) >> 2)) & 0x1111U) ^ (x)) + * #define SBOX_SHIFT_INV(x) + * ((((x) >> 1) & 0x7777U) | (((x) << 3) & 0x8888U)) + * + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * x = SBOX_MIX(x); + * x = SBOX_SHIFT_INV(x); + * return SBOX_MIX(x); + */ +#define skinny64_inv_sbox(x) \ +do { \ + x = ~x; \ + x = (((x >> 3) & (x >> 2)) & 0x1111U) ^ x; \ + x = (((x << 1) & (x >> 2)) & 0x2222U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x4444U) ^ x; \ + x = (((x << 1) & (x << 2)) & 0x8888U) ^ x; \ + x = ~x; \ + x = ((x << 1) & 0xEEEEU) | ((x >> 3) & 0x1111U); \ +} while (0) + +/** @endcond */ + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-util.h b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-util.h similarity index 100% rename from estate/Implementations/crypto_aead/estatetwegift128v1/rhys-avr/internal-util.h rename to skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/internal-util.h diff --git a/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/skinny-hash.c b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/skinny-hash.c new file mode 100644 index 0000000..0abdeff --- /dev/null 
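Review bot: The four S-box macros (`skinny128_sbox`, `skinny128_inv_sbox`, `skinny64_sbox`, `skinny64_inv_sbox`) read and assign their argument `x` many times without copying it to a local, unlike the `skinny128_LFSR2`/`skinny64_LFSR2` family, which snapshot the argument into `_x` and assign `(x)` exactly once; they therefore work only for a plain lvalue of the right width and would evaluate any expression with side effects repeatedly. Since these are internal macros the cheapest fix is a contract comment above each, e.g. `/* x must be a plain uint32_t lvalue; it is read and assigned many times, so never pass an expression with side effects */` (uint16_t for the SKINNY-64 pair). The same caveat applies to `tk` in `skinny128_permute_tk`/`skinny64_permute_tk` and their inverses, which index `tk[0..3]` unparenthesised. The comment text `final permuatation`, which appears twice, should read `final permutation`.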
+++ b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/skinny-hash.c 
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "skinny-hash.h"
+#include "internal-skinny128.h"
+#include "internal-util.h"
+#include
+
+aead_hash_algorithm_t const skinny_tk3_hash_algorithm = {
+ "SKINNY-tk3-HASH",
+ sizeof(int),
+ SKINNY_HASH_SIZE,
+ AEAD_FLAG_NONE,
+ skinny_tk3_hash,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+aead_hash_algorithm_t const skinny_tk2_hash_algorithm = {
+ "SKINNY-tk2-HASH",
+ sizeof(int),
+ SKINNY_HASH_SIZE,
+ AEAD_FLAG_NONE,
+ skinny_tk2_hash,
+ (aead_hash_init_t)0,
+ (aead_hash_update_t)0,
+ (aead_hash_finalize_t)0,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+/**
+ * \brief Size of the permutation state for SKINNY-tk3-HASH.
+ */
+#define SKINNY_TK3_STATE_SIZE 48
+
+/**
+ * \brief Size of the permutation state for SKINNY-tk2-HASH.
+ */
+#define SKINNY_TK2_STATE_SIZE 32
+
+/**
+ * \brief Rate of absorbing data for SKINNY-tk3-HASH.
+ */
+#define SKINNY_TK3_HASH_RATE 16
+
+/**
+ * \brief Rate of absorbing data for SKINNY-tk2-HASH.
+ */
+#define SKINNY_TK2_HASH_RATE 4
+
+/**
+ * \brief Input block that is encrypted with the state for each
+ * block permutation of SKINNY-tk3-HASH or SKINNY-tk2-HASH.
+ */
+static unsigned char const skinny_hash_block[48] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+/**
+ * \brief Permutes the internal state for SKINNY-tk3-HASH.
+ *
+ * \param state The state to be permuted.
+ */
+static void skinny_tk3_permute(unsigned char state[SKINNY_TK3_STATE_SIZE])
+{
+ unsigned char temp[SKINNY_TK3_STATE_SIZE];
+ skinny_128_384_encrypt_tk_full(state, temp, skinny_hash_block);
+ skinny_128_384_encrypt_tk_full(state, temp + 16, skinny_hash_block + 16);
+ skinny_128_384_encrypt_tk_full(state, temp + 32, skinny_hash_block + 32);
+ memcpy(state, temp, SKINNY_TK3_STATE_SIZE);
+}
+
+/**
+ * \brief Permutes the internal state for SKINNY-tk2-HASH.
+ *
+ * \param state The state to be permuted.
+ */
+static void skinny_tk2_permute(unsigned char state[SKINNY_TK2_STATE_SIZE])
+{
+ unsigned char temp[SKINNY_TK2_STATE_SIZE];
+ skinny_128_256_encrypt_tk_full(state, temp, skinny_hash_block);
+ skinny_128_256_encrypt_tk_full(state, temp + 16, skinny_hash_block + 16);
+ memcpy(state, temp, SKINNY_TK2_STATE_SIZE);
+}
+
+int skinny_tk3_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ unsigned char state[SKINNY_TK3_STATE_SIZE];
+ unsigned temp;
+
+ /* Initialize the hash state */
+ memset(state, 0, sizeof(state));
+ state[SKINNY_TK3_HASH_RATE] = 0x80;
+
+ /* Process as many full blocks as possible */
+ while (inlen >= SKINNY_TK3_HASH_RATE) {
+ lw_xor_block(state, in, SKINNY_TK3_HASH_RATE);
+ skinny_tk3_permute(state);
+ in += SKINNY_TK3_HASH_RATE;
+ inlen -= SKINNY_TK3_HASH_RATE;
+ }
+
+ /* Pad and process the last block */
+ temp = (unsigned)inlen;
+ lw_xor_block(state, in, temp);
+ state[temp] ^= 0x80; /* padding */
+ skinny_tk3_permute(state);
+
+ /* Generate the hash output */
+ memcpy(out, state, 16);
+ skinny_tk3_permute(state);
+ memcpy(out + 16, state, 16);
+ return 0;
+}
+
+int skinny_tk2_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ unsigned char state[SKINNY_TK2_STATE_SIZE];
+ unsigned temp;
+
+ /* Initialize the hash state */
+ memset(state, 0, sizeof(state));
+ state[SKINNY_TK2_HASH_RATE] = 0x80;
+
+ /* Process as many full blocks as possible */
+ while (inlen >= SKINNY_TK2_HASH_RATE) {
+ lw_xor_block(state, in, SKINNY_TK2_HASH_RATE);
+ skinny_tk2_permute(state);
+ in += SKINNY_TK2_HASH_RATE;
+ inlen -= SKINNY_TK2_HASH_RATE;
+ }
+
+ /* Pad and process the last block */
+ temp = (unsigned)inlen;
+ lw_xor_block(state, in, temp);
+ state[temp] ^= 0x80; /* padding */
+ skinny_tk2_permute(state);
+
+ /* Generate the hash output */
+ memcpy(out, state, 16);
+ skinny_tk2_permute(state);
+ memcpy(out + 16, state, 16);
+ return 0;
+}
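Review bot: `skinny_tk3_hash` and `skinny_tk2_hash` never produce the `-1` that their declarations in skinny-hash.h (a later hunk of this commit) promise for a parameter error: neither checks `out` or `in`, both return 0 unconditionally, and a NULL `in` with a non-zero `inlen` would presumably be dereferenced inside `lw_xor_block`, which is defined outside this hunk. Either the header's `\return` text should state that the functions always return zero, or each should open with `if (!out || (!in && inlen)) return -1;`. The `in == NULL, inlen == 0` case relies on `lw_xor_block` not touching `in` for a zero length, which is worth confirming against its definition. Separately, the two hash functions and the two permute helpers are near-duplicates differing only in rate, state size and the permute called, so the padding logic (`state[temp] ^= 0x80`) exists twice and can drift; a single static worker parameterised by rate, state size and a permute function pointer would keep it in one place.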
diff --git a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-spongent.h b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/skinny-hash.h similarity index 54% rename from elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-spongent.h rename to skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/skinny-hash.h index bb9823f..f75ce9f 100644 --- a/elephant/Implementations/crypto_aead/elephant200v1/rhys-avr/internal-spongent.h +++ b/skinny/Implementations/crypto_hash/skinnyhashtk3/rhys/skinny-hash.h @@ -20,16 +20,24 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LW_INTERNAL_SPONGENT_H -#define LW_INTERNAL_SPONGENT_H +#ifndef LWCRYPTO_SKINNY_HASH_H +#define LWCRYPTO_SKINNY_HASH_H -#include "internal-util.h" +#include "aead-common.h" /** - * \file internal-spongent.h - * \brief Internal implementation of the Spongent-pi permutation. + * \file skinny-hash.h + * \brief Hash algorithms based on the SKINNY block cipher. * - * References: https://www.esat.kuleuven.be/cosic/elephant/ + * The SKINNY-AEAD family includes two hash algorithms: + * + * \li SKINNY-tk3-HASH with a 256-bit hash output, based around the + * SKINNY-128-384 tweakable block cipher. This is the primary hashing + * member of the family. + * \li SKINNY-tk2-HASH with a 256-bit hash output, based around the + * SKINNY-128-256 tweakable block cipher. + * + * References: https://sites.google.com/site/skinnycipher/home */ #ifdef __cplusplus 
@@ -37,52 +45,49 @@ extern "C" { #endif /** - * \brief Size of the Spongent-pi[160] state in bytes. + * \brief Size of the hash output for SKINNY-tk3-HASH and SKINNY-tk2-HASH. */ -#define SPONGENT160_STATE_SIZE 20 +#define SKINNY_HASH_SIZE 32 /** - * \brief Size of the Spongent-pi[176] state in bytes. + * \brief Meta-information block for the SKINNY-tk3-HASH algorithm. */ -#define SPONGENT176_STATE_SIZE 22 +extern aead_hash_algorithm_t const skinny_tk3_hash_algorithm; /** - * \brief Structure of the internal state of the Spongent-pi[160] permutation. + * \brief Meta-information block for the SKINNY-tk2-HASH algorithm. */ -typedef union -{ - uint32_t W[5]; /**< Spongent-pi[160] state as 32-bit words */ - uint8_t B[20]; /**< Spongent-pi[160] state as bytes */ - -} spongent160_state_t; +extern aead_hash_algorithm_t const skinny_tk2_hash_algorithm; /** - * \brief Structure of the internal state of the Spongent-pi[176] permutation. + * \brief Hashes a block of input data with SKINNY-tk3-HASH to + * generate a hash value. * - * Note: The state is technically only 176 bits, but we increase it to - * 192 bits so that we can use 32-bit word operations to manipulate the - * state. The extra bits in the last word are fixed to zero. - */ -typedef union -{ - uint32_t W[6]; /**< Spongent-pi[176] state as 32-bit words */ - uint8_t B[24]; /**< Spongent-pi[176] state as bytes */ - -} spongent176_state_t; - -/** - * \brief Permutes the Spongent-pi[160] state. + * \param out Buffer to receive the hash output which must be at least + * SKINNY_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. * - * \param state The Spongent-pi[160] state to be permuted. + * \return Returns zero on success or -1 if there was an error in the + * parameters. 
*/ -void spongent160_permute(spongent160_state_t *state); +int skinny_tk3_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); /** - * \brief Permutes the Spongent-pi[176] state. + * \brief Hashes a block of input data with SKINNY-tk2-HASH to + * generate a hash value. + * + * \param out Buffer to receive the hash output which must be at least + * SKINNY_HASH_SIZE bytes in length. + * \param in Points to the input data to be hashed. + * \param inlen Length of the input data in bytes. * - * \param state The Spongent-pi[176] state to be permuted. + * \return Returns zero on success or -1 if there was an error in the + * parameters. */ -void spongent176_permute(spongent176_state_t *state); +int skinny_tk2_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen); #ifdef __cplusplus } diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/aead-common.c b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/aead-common.h b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/api.h b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/encrypt.c b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/encrypt.c deleted file mode 100644 index a56e57a..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@
-
-#include "sparkle.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return schwaemm_128_128_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return schwaemm_128_128_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/internal-sparkle-avr.S b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/internal-sparkle-avr.S
deleted file mode 100644
index 753ea2f..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/internal-sparkle-avr.S
+++ /dev/null
@@ -1,2887 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global sparkle_256 - .type sparkle_256, @function -sparkle_256: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - rcall 129f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 129f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 129f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - rcall 129f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 129f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 129f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 129f - pop r18 - cpi r18,7 - brne 5094f - rjmp 615f -5094: - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 129f - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 129f - ldi r18,128 - ldi r19,88 - ldi r20,113 - 
ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 129f - rjmp 615f -129: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc 
r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - 
eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - std Z+20,r18 - std Z+21,r19 - std Z+22,r20 - std Z+23,r21 - movw r18,r4 - movw r20,r6 - movw r4,r14 - movw r6,r12 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - movw r8,r18 - movw r10,r20 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 
- eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - movw r14,r22 - movw r12,r26 - eor r14,r18 - eor r15,r19 - eor r12,r20 - eor r13,r21 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - movw r22,r16 - movw r26,r24 - eor r22,r28 - eor r23,r29 - eor r26,r2 - eor r27,r3 - movw r28,r14 - movw r2,r12 - ret -615: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_256, .-sparkle_256 - - .text -.global sparkle_384 - .type sparkle_384, @function -sparkle_384: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - rcall 140f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 140f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 140f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - 
rcall 140f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 140f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 140f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 140f - pop r18 - cpi r18,7 - brne 5094f - rjmp 886f -5094: - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 140f - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 140f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 140f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,10 - eor r8,r18 - rcall 140f - rjmp 886f -140: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 
- ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 
- ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - 
rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r22 - std Z+17,r23 - std Z+18,r26 - std Z+19,r27 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - eor r24,r4 - eor r25,r5 - eor r16,r6 - eor r17,r7 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r28,Z+40 - ldd r29,Z+41 - ldd r2,Z+42 - ldd r3,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor 
r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r0,Z+4 - eor r18,r0 - ldd r0,Z+5 - eor r19,r0 - ldd r0,Z+6 - eor r20,r0 - ldd r0,Z+7 - eor r21,r0 - std Z+20,r18 - std Z+21,r19 - std Z+22,r20 - std Z+23,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Z+28,r18 - std Z+29,r19 - std Z+30,r20 - std Z+31,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - std Z+36,r18 - std Z+37,r19 - std Z+38,r20 - std Z+39,r21 - eor r8,r14 - eor r9,r15 - eor r10,r12 - eor r11,r13 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - eor r18,r16 - eor r19,r17 - eor r20,r24 - eor r21,r25 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r28,Z+16 - ldd r29,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - std Z+40,r28 - std Z+41,r29 - std Z+42,r2 - std Z+43,r3 - ld r14,Z - ldd r15,Z+1 - ldd r12,Z+2 - ldd r13,Z+3 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - std Z+24,r14 - std Z+25,r15 - std Z+26,r12 - std Z+27,r13 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - std Z+32,r18 - std Z+33,r19 - std Z+34,r20 - std Z+35,r21 - eor r28,r16 - eor r29,r17 - eor r2,r24 - eor r3,r25 - ret -886: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_384, .-sparkle_384 - - .text -.global sparkle_512 - .type sparkle_512, @function -sparkle_512: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - rcall 151f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 151f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 151f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - rcall 151f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 151f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 151f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 151f - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 151f - pop r18 - cpi r18,8 - brne 5105f - rjmp 1189f -5105: - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 151f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 151f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,10 - eor r8,r18 - rcall 151f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,11 - eor r8,r18 - rcall 151f - rjmp 1189f -151: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - 
movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor 
r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - 
ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r22 - std Z+17,r23 - std Z+18,r26 - std Z+19,r27 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - eor r24,r4 - eor r25,r5 - eor r16,r6 - eor r17,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r28,Z+40 - ldd r29,Z+41 - ldd r2,Z+42 - ldd r3,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - 
ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+32,r22 - std Z+33,r23 - std Z+34,r26 - std 
Z+35,r27 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r28 - std Z+41,r29 - std Z+42,r2 - std Z+43,r3 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r22,Z+48 - ldd r23,Z+49 - ldd r26,Z+50 - ldd r27,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r28,Z+56 - ldd r29,Z+57 - ldd r2,Z+58 - ldd r3,Z+59 - ldd r8,Z+60 - ldd r9,Z+61 - ldd r10,Z+62 - ldd r11,Z+63 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - 
adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - ldd r18,Z+44 - ldd r19,Z+45 - ldd r20,Z+46 - ldd r21,Z+47 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Z+60,r8 - std Z+61,r9 - std Z+62,r10 - std Z+63,r11 - ldd r8,Z+4 - ldd r9,Z+5 - ldd r10,Z+6 - ldd r11,Z+7 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+36,r8 - std Z+37,r9 - std Z+38,r10 - std Z+39,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r8,Z+52 - ldd r9,Z+53 - ldd r10,Z+54 - ldd r11,Z+55 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - ldd r0,Z+60 - eor r14,r0 - ldd r0,Z+61 - eor r15,r0 - ldd r0,Z+62 - eor r12,r0 - ldd r0,Z+63 - eor 
r13,r0 - std Z+20,r14 - std Z+21,r15 - std Z+22,r12 - std Z+23,r13 - movw r4,r18 - movw r6,r20 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - std Z+48,r22 - std Z+49,r23 - std Z+50,r26 - std Z+51,r27 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - eor r18,r16 - eor r19,r17 - eor r20,r24 - eor r21,r25 - eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r14,Z+24 - ldd r15,Z+25 - ldd r12,Z+26 - ldd r13,Z+27 - std Z+56,r14 - std Z+57,r15 - std Z+58,r12 - std Z+59,r13 - ld r14,Z - ldd r15,Z+1 - ldd r12,Z+2 - ldd r13,Z+3 - eor r22,r14 - eor r23,r15 - eor r26,r12 - eor r27,r13 - std Z+24,r22 - std Z+25,r23 - std Z+26,r26 - std Z+27,r27 - std Z+32,r14 - std Z+33,r15 - std Z+34,r12 - std Z+35,r13 - ldd r14,Z+8 - ldd r15,Z+9 - ldd r12,Z+10 - ldd r13,Z+11 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - movw r22,r18 - movw r26,r20 - std Z+40,r14 - std Z+41,r15 - std Z+42,r12 - std Z+43,r13 - ldd r28,Z+48 - ldd r29,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r14,Z+16 - ldd r15,Z+17 - ldd r12,Z+18 - ldd r13,Z+19 - eor r28,r14 - eor r29,r15 - eor r2,r12 - eor r3,r13 - std Z+48,r14 - std Z+49,r15 - std Z+50,r12 - std Z+51,r13 - ldd r0,Z+56 - eor r16,r0 - ldd r0,Z+57 - eor r17,r0 - ldd r0,Z+58 - eor r24,r0 - ldd r0,Z+59 - eor r25,r0 - std Z+16,r16 - std Z+17,r17 - std Z+18,r24 - std Z+19,r25 - ret -1189: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_512, .-sparkle_512 - -#endif 
diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/internal-sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/internal-sparkle.c deleted file mode 100644 index 4a4c0fb..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/internal-sparkle.c +++ /dev/null 
@@ -1,382 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-sparkle.h" - -#if !defined(__AVR__) - -/* The 8 basic round constants from the specification */ -#define RC_0 0xB7E15162 -#define RC_1 0xBF715880 -#define RC_2 0x38B4DA56 -#define RC_3 0x324E7738 -#define RC_4 0xBB1185EB -#define RC_5 0x4F7C7B57 -#define RC_6 0xCFBFA1C8 -#define RC_7 0xC2B3293D - -/* Round constants for all SPARKLE steps; maximum of 12 for SPARKLE-512 */ -static uint32_t const sparkle_rc[12] = { - RC_0, RC_1, RC_2, RC_3, RC_4, RC_5, RC_6, RC_7, - RC_0, RC_1, RC_2, RC_3 -}; - -/** - * \brief Alzette block cipher that implements the ARXbox layer of the - * SPARKLE permutation. - * - * \param x Left half of the 64-bit block. - * \param y Right half of the 64-bit block. - * \param k 32-bit round key. 
- */ -#define alzette(x, y, k) \ - do { \ - (x) += leftRotate1((y)); \ - (y) ^= leftRotate8((x)); \ - (x) ^= (k); \ - (x) += leftRotate15((y)); \ - (y) ^= leftRotate15((x)); \ - (x) ^= (k); \ - (x) += (y); \ - (y) ^= leftRotate1((x)); \ - (x) ^= (k); \ - (x) += leftRotate8((y)); \ - (y) ^= leftRotate16((x)); \ - (x) ^= (k); \ - } while (0) - -void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps) -{ - uint32_t x0, x1, x2, x3; - uint32_t y0, y1, y2, y3; - uint32_t tx, ty; - unsigned step; - - /* Load the SPARKLE-256 state up into local variables */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - x0 = s[0]; - y0 = s[1]; - x1 = s[2]; - y1 = s[3]; - x2 = s[4]; - y2 = s[5]; - x3 = s[6]; - y3 = s[7]; -#else - x0 = le_load_word32((const uint8_t *)&(s[0])); - y0 = le_load_word32((const uint8_t *)&(s[1])); - x1 = le_load_word32((const uint8_t *)&(s[2])); - y1 = le_load_word32((const uint8_t *)&(s[3])); - x2 = le_load_word32((const uint8_t *)&(s[4])); - y2 = le_load_word32((const uint8_t *)&(s[5])); - x3 = le_load_word32((const uint8_t *)&(s[6])); - y3 = le_load_word32((const uint8_t *)&(s[7])); -#endif - - /* Perform all requested steps */ - for (step = 0; step < steps; ++step) { - /* Add round constants */ - y0 ^= sparkle_rc[step]; - y1 ^= step; - - /* ARXbox layer */ - alzette(x0, y0, RC_0); - alzette(x1, y1, RC_1); - alzette(x2, y2, RC_2); - alzette(x3, y3, RC_3); - - /* Linear layer */ - tx = x0 ^ x1; - ty = y0 ^ y1; - tx = leftRotate16(tx ^ (tx << 16)); - ty = leftRotate16(ty ^ (ty << 16)); - y2 ^= tx; - tx ^= y3; - y3 = y1; - y1 = y2 ^ y0; - y2 = y0; - y0 = tx ^ y3; - x2 ^= ty; - ty ^= x3; - x3 = x1; - x1 = x2 ^ x0; - x2 = x0; - x0 = ty ^ x3; - } - - /* Write the local variables back to the SPARKLE-256 state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - s[0] = x0; - s[1] = y0; - s[2] = x1; - s[3] = y1; - s[4] = x2; - s[5] = y2; - s[6] = x3; - s[7] = y3; -#else - le_store_word32((uint8_t *)&(s[0]), x0); - le_store_word32((uint8_t *)&(s[1]), y0); - 
le_store_word32((uint8_t *)&(s[2]), x1); - le_store_word32((uint8_t *)&(s[3]), y1); - le_store_word32((uint8_t *)&(s[4]), x2); - le_store_word32((uint8_t *)&(s[5]), y2); - le_store_word32((uint8_t *)&(s[6]), x3); - le_store_word32((uint8_t *)&(s[7]), y3); -#endif -} - -void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps) -{ - uint32_t x0, x1, x2, x3, x4, x5; - uint32_t y0, y1, y2, y3, y4, y5; - uint32_t tx, ty; - unsigned step; - - /* Load the SPARKLE-384 state up into local variables */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - x0 = s[0]; - y0 = s[1]; - x1 = s[2]; - y1 = s[3]; - x2 = s[4]; - y2 = s[5]; - x3 = s[6]; - y3 = s[7]; - x4 = s[8]; - y4 = s[9]; - x5 = s[10]; - y5 = s[11]; -#else - x0 = le_load_word32((const uint8_t *)&(s[0])); - y0 = le_load_word32((const uint8_t *)&(s[1])); - x1 = le_load_word32((const uint8_t *)&(s[2])); - y1 = le_load_word32((const uint8_t *)&(s[3])); - x2 = le_load_word32((const uint8_t *)&(s[4])); - y2 = le_load_word32((const uint8_t *)&(s[5])); - x3 = le_load_word32((const uint8_t *)&(s[6])); - y3 = le_load_word32((const uint8_t *)&(s[7])); - x4 = le_load_word32((const uint8_t *)&(s[8])); - y4 = le_load_word32((const uint8_t *)&(s[9])); - x5 = le_load_word32((const uint8_t *)&(s[10])); - y5 = le_load_word32((const uint8_t *)&(s[11])); -#endif - - /* Perform all requested steps */ - for (step = 0; step < steps; ++step) { - /* Add round constants */ - y0 ^= sparkle_rc[step]; - y1 ^= step; - - /* ARXbox layer */ - alzette(x0, y0, RC_0); - alzette(x1, y1, RC_1); - alzette(x2, y2, RC_2); - alzette(x3, y3, RC_3); - alzette(x4, y4, RC_4); - alzette(x5, y5, RC_5); - - /* Linear layer */ - tx = x0 ^ x1 ^ x2; - ty = y0 ^ y1 ^ y2; - tx = leftRotate16(tx ^ (tx << 16)); - ty = leftRotate16(ty ^ (ty << 16)); - y3 ^= tx; - y4 ^= tx; - tx ^= y5; - y5 = y2; - y2 = y3 ^ y0; - y3 = y0; - y0 = y4 ^ y1; - y4 = y1; - y1 = tx ^ y5; - x3 ^= ty; - x4 ^= ty; - ty ^= x5; - x5 = x2; - x2 = x3 ^ x0; - x3 = x0; - x0 = x4 ^ x1; - x4 = x1; - x1 = ty ^ 
x5; - } - - /* Write the local variables back to the SPARKLE-384 state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - s[0] = x0; - s[1] = y0; - s[2] = x1; - s[3] = y1; - s[4] = x2; - s[5] = y2; - s[6] = x3; - s[7] = y3; - s[8] = x4; - s[9] = y4; - s[10] = x5; - s[11] = y5; -#else - le_store_word32((uint8_t *)&(s[0]), x0); - le_store_word32((uint8_t *)&(s[1]), y0); - le_store_word32((uint8_t *)&(s[2]), x1); - le_store_word32((uint8_t *)&(s[3]), y1); - le_store_word32((uint8_t *)&(s[4]), x2); - le_store_word32((uint8_t *)&(s[5]), y2); - le_store_word32((uint8_t *)&(s[6]), x3); - le_store_word32((uint8_t *)&(s[7]), y3); - le_store_word32((uint8_t *)&(s[8]), x4); - le_store_word32((uint8_t *)&(s[9]), y4); - le_store_word32((uint8_t *)&(s[10]), x5); - le_store_word32((uint8_t *)&(s[11]), y5); -#endif -} - -void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) -{ - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t y0, y1, y2, y3, y4, y5, y6, y7; - uint32_t tx, ty; - unsigned step; - - /* Load the SPARKLE-512 state up into local variables */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - x0 = s[0]; - y0 = s[1]; - x1 = s[2]; - y1 = s[3]; - x2 = s[4]; - y2 = s[5]; - x3 = s[6]; - y3 = s[7]; - x4 = s[8]; - y4 = s[9]; - x5 = s[10]; - y5 = s[11]; - x6 = s[12]; - y6 = s[13]; - x7 = s[14]; - y7 = s[15]; -#else - x0 = le_load_word32((const uint8_t *)&(s[0])); - y0 = le_load_word32((const uint8_t *)&(s[1])); - x1 = le_load_word32((const uint8_t *)&(s[2])); - y1 = le_load_word32((const uint8_t *)&(s[3])); - x2 = le_load_word32((const uint8_t *)&(s[4])); - y2 = le_load_word32((const uint8_t *)&(s[5])); - x3 = le_load_word32((const uint8_t *)&(s[6])); - y3 = le_load_word32((const uint8_t *)&(s[7])); - x4 = le_load_word32((const uint8_t *)&(s[8])); - y4 = le_load_word32((const uint8_t *)&(s[9])); - x5 = le_load_word32((const uint8_t *)&(s[10])); - y5 = le_load_word32((const uint8_t *)&(s[11])); - x6 = le_load_word32((const uint8_t *)&(s[12])); - y6 = le_load_word32((const uint8_t 
*)&(s[13])); - x7 = le_load_word32((const uint8_t *)&(s[14])); - y7 = le_load_word32((const uint8_t *)&(s[15])); -#endif - - /* Perform all requested steps */ - for (step = 0; step < steps; ++step) { - /* Add round constants */ - y0 ^= sparkle_rc[step]; - y1 ^= step; - - /* ARXbox layer */ - alzette(x0, y0, RC_0); - alzette(x1, y1, RC_1); - alzette(x2, y2, RC_2); - alzette(x3, y3, RC_3); - alzette(x4, y4, RC_4); - alzette(x5, y5, RC_5); - alzette(x6, y6, RC_6); - alzette(x7, y7, RC_7); - - /* Linear layer */ - tx = x0 ^ x1 ^ x2 ^ x3; - ty = y0 ^ y1 ^ y2 ^ y3; - tx = leftRotate16(tx ^ (tx << 16)); - ty = leftRotate16(ty ^ (ty << 16)); - y4 ^= tx; - y5 ^= tx; - y6 ^= tx; - tx ^= y7; - y7 = y3; - y3 = y4 ^ y0; - y4 = y0; - y0 = y5 ^ y1; - y5 = y1; - y1 = y6 ^ y2; - y6 = y2; - y2 = tx ^ y7; - x4 ^= ty; - x5 ^= ty; - x6 ^= ty; - ty ^= x7; - x7 = x3; - x3 = x4 ^ x0; - x4 = x0; - x0 = x5 ^ x1; - x5 = x1; - x1 = x6 ^ x2; - x6 = x2; - x2 = ty ^ x7; - } - - /* Write the local variables back to the SPARKLE-512 state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - s[0] = x0; - s[1] = y0; - s[2] = x1; - s[3] = y1; - s[4] = x2; - s[5] = y2; - s[6] = x3; - s[7] = y3; - s[8] = x4; - s[9] = y4; - s[10] = x5; - s[11] = y5; - s[12] = x6; - s[13] = y6; - s[14] = x7; - s[15] = y7; -#else - le_store_word32((uint8_t *)&(s[0]), x0); - le_store_word32((uint8_t *)&(s[1]), y0); - le_store_word32((uint8_t *)&(s[2]), x1); - le_store_word32((uint8_t *)&(s[3]), y1); - le_store_word32((uint8_t *)&(s[4]), x2); - le_store_word32((uint8_t *)&(s[5]), y2); - le_store_word32((uint8_t *)&(s[6]), x3); - le_store_word32((uint8_t *)&(s[7]), y3); - le_store_word32((uint8_t *)&(s[8]), x4); - le_store_word32((uint8_t *)&(s[9]), y4); - le_store_word32((uint8_t *)&(s[10]), x5); - le_store_word32((uint8_t *)&(s[11]), y5); - le_store_word32((uint8_t *)&(s[12]), x6); - le_store_word32((uint8_t *)&(s[13]), y6); - le_store_word32((uint8_t *)&(s[14]), x7); - le_store_word32((uint8_t *)&(s[15]), y7); -#endif -} - -#endif 
diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/internal-sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/internal-sparkle.h deleted file mode 100644 index fbdabc1..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/internal-sparkle.h +++ /dev/null 
@@ -1,82 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SPARKLE_H -#define LW_INTERNAL_SPARKLE_H - -#include "internal-util.h" - -/** - * \file internal-sparkle.h - * \brief Internal implementation of the SPARKLE permutation. - * - * References: https://www.cryptolux.org/index.php/Sparkle - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the state for SPARKLE-256. - */ -#define SPARKLE_256_STATE_SIZE 8 - -/** - * \brief Size of the state for SPARKLE-384. - */ -#define SPARKLE_384_STATE_SIZE 12 - -/** - * \brief Size of the state for SPARKLE-512. - */ -#define SPARKLE_512_STATE_SIZE 16 - -/** - * \brief Performs the SPARKLE-256 permutation. - * - * \param s The words of the SPARKLE-256 state in little-endian byte order. - * \param steps The number of steps to perform, 7 or 10. 
- */ -void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps); - -/** - * \brief Performs the SPARKLE-384 permutation. - * - * \param s The words of the SPARKLE-384 state in little-endian byte order. - * \param steps The number of steps to perform, 7 or 11. - */ -void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps); - -/** - * \brief Performs the SPARKLE-512 permutation. - * - * \param s The words of the SPARKLE-512 state in little-endian byte order. - * \param steps The number of steps to perform, 8 or 12. - */ -void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/internal-util.h b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/sparkle.c
deleted file mode 100644
index e2aa25a..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/sparkle.c
+++ /dev/null
@@ -1,1135 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "sparkle.h"
-#include "internal-sparkle.h"
-#include
-
-aead_cipher_t const schwaemm_256_128_cipher = {
- "Schwaemm256-128",
- SCHWAEMM_256_128_KEY_SIZE,
- SCHWAEMM_256_128_NONCE_SIZE,
- SCHWAEMM_256_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_256_128_aead_encrypt,
- schwaemm_256_128_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_192_192_cipher = {
- "Schwaemm192-192",
- SCHWAEMM_192_192_KEY_SIZE,
- SCHWAEMM_192_192_NONCE_SIZE,
- SCHWAEMM_192_192_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_192_192_aead_encrypt,
- schwaemm_192_192_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_128_128_cipher = {
- "Schwaemm128-128",
- SCHWAEMM_128_128_KEY_SIZE,
- SCHWAEMM_128_128_NONCE_SIZE,
- SCHWAEMM_128_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_128_128_aead_encrypt,
- schwaemm_128_128_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_256_256_cipher = {
- "Schwaemm256-256",
- SCHWAEMM_256_256_KEY_SIZE,
- SCHWAEMM_256_256_NONCE_SIZE,
- SCHWAEMM_256_256_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_256_256_aead_encrypt,
- schwaemm_256_256_aead_decrypt
-};
-
-aead_hash_algorithm_t const esch_256_hash_algorithm = {
- "Esch256",
- sizeof(esch_256_hash_state_t),
- ESCH_256_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- esch_256_hash,
- (aead_hash_init_t)esch_256_hash_init,
- (aead_hash_update_t)esch_256_hash_update,
- (aead_hash_finalize_t)esch_256_hash_finalize,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const esch_384_hash_algorithm = {
- "Esch384",
- sizeof(esch_384_hash_state_t),
- ESCH_384_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- esch_384_hash,
- (aead_hash_init_t)esch_384_hash_init,
- (aead_hash_update_t)esch_384_hash_update,
- (aead_hash_finalize_t)esch_384_hash_finalize,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \def DOMAIN(value)
- * \brief Build a domain separation value as a 32-bit word.
- *
- * \param value The base value.
- * \return The domain separation value as a 32-bit word.
- */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
-#define DOMAIN(value) (((uint32_t)(value)) << 24)
-#else
-#define DOMAIN(value) (value)
-#endif
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_RATE 32
-
-/**
- * \brief Pointer to the left of the state for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_RIGHT(s) \
- (SCHWAEMM_256_128_LEFT(s) + SCHWAEMM_256_128_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128.
- *
- * \param s SPARKLE-384 state.
- */
-#define schwaemm_256_128_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[4] ^ s[8]; \
- s[4] ^= t ^ s[8]; \
- t = s[1]; \
- s[1] = s[5] ^ s[9]; \
- s[5] ^= t ^ s[9]; \
- t = s[2]; \
- s[2] = s[6] ^ s[10]; \
- s[6] ^= t ^ s[10]; \
- t = s[3]; \
- s[3] = s[7] ^ s[11]; \
- s[7] ^= t ^ s[11]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm256-128.
- *
- * \param s SPARKLE-384 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */ -static void schwaemm_256_128_authenticate - (uint32_t s[SPARKLE_384_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen > SCHWAEMM_256_128_RATE) { - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); - sparkle_384(s, 7); - ad += SCHWAEMM_256_128_RATE; - adlen -= SCHWAEMM_256_128_RATE; - } - if (adlen == SCHWAEMM_256_128_RATE) { - s[11] ^= DOMAIN(0x05); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); - } else { - unsigned temp = (unsigned)adlen; - s[11] ^= DOMAIN(0x04); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, ad, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_384(s, 11); -} - -int schwaemm_256_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - uint8_t block[SCHWAEMM_256_128_RATE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SCHWAEMM_256_128_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); - memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); - sparkle_384(s, 11); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_256_128_authenticate(s, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > SCHWAEMM_256_128_RATE) { - lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); - sparkle_384(s, 7); - memcpy(c, block, SCHWAEMM_256_128_RATE); - c += SCHWAEMM_256_128_RATE; - m += SCHWAEMM_256_128_RATE; - mlen -= SCHWAEMM_256_128_RATE; - } - if (mlen == SCHWAEMM_256_128_RATE) { - 
lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); - s[11] ^= DOMAIN(0x07); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); - memcpy(c, block, SCHWAEMM_256_128_RATE); - } else { - unsigned temp = (unsigned)mlen; - lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - s[11] ^= DOMAIN(0x06); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - memcpy(c, block, temp); - } - sparkle_384(s, 11); - c += mlen; - } - - /* Generate the authentication tag */ - lw_xor_block_2_src - (c, SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); - return 0; -} - -int schwaemm_256_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SCHWAEMM_256_128_TAG_SIZE) - return -1; - *mlen = clen - SCHWAEMM_256_128_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); - memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); - sparkle_384(s, 11); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_256_128_authenticate(s, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SCHWAEMM_256_128_TAG_SIZE; - if (clen > 0) { - while (clen > SCHWAEMM_256_128_RATE) { - lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); - sparkle_384(s, 7); - c += SCHWAEMM_256_128_RATE; - m += SCHWAEMM_256_128_RATE; - clen -= SCHWAEMM_256_128_RATE; - } - if (clen == SCHWAEMM_256_128_RATE) { - 
lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); - s[11] ^= DOMAIN(0x07); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); - } else { - unsigned temp = (unsigned)clen; - lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - s[11] ^= DOMAIN(0x06); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_384(s, 11); - c += clen; - } - - /* Check the authentication tag */ - lw_xor_block(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); - return aead_check_tag - (mtemp, *mlen, SCHWAEMM_256_128_RIGHT(s), c, SCHWAEMM_256_128_TAG_SIZE); -} - -/** - * \brief Rate at which bytes are processed by Schwaemm192-192. - */ -#define SCHWAEMM_192_192_RATE 24 - -/** - * \brief Pointer to the left of the state for Schwaemm192-192. - */ -#define SCHWAEMM_192_192_LEFT(s) ((unsigned char *)&(s[0])) - -/** - * \brief Pointer to the right of the state for Schwaemm192-192. - */ -#define SCHWAEMM_192_192_RIGHT(s) \ - (SCHWAEMM_192_192_LEFT(s) + SCHWAEMM_192_192_RATE) - -/** - * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192. - * - * \param s SPARKLE-384 state. - */ -#define schwaemm_192_192_rho(s) \ - do { \ - uint32_t t = s[0]; \ - s[0] = s[3] ^ s[6]; \ - s[3] ^= t ^ s[9]; \ - t = s[1]; \ - s[1] = s[4] ^ s[7]; \ - s[4] ^= t ^ s[10]; \ - t = s[2]; \ - s[2] = s[5] ^ s[8]; \ - s[5] ^= t ^ s[11]; \ - } while (0) - -/** - * \brief Authenticates the associated data for Schwaemm192-192. - * - * \param s SPARKLE-384 state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data; must be >= 1. 
- */ -static void schwaemm_192_192_authenticate - (uint32_t s[SPARKLE_384_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen > SCHWAEMM_192_192_RATE) { - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); - sparkle_384(s, 7); - ad += SCHWAEMM_192_192_RATE; - adlen -= SCHWAEMM_192_192_RATE; - } - if (adlen == SCHWAEMM_192_192_RATE) { - s[11] ^= DOMAIN(0x09); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); - } else { - unsigned temp = (unsigned)adlen; - s[11] ^= DOMAIN(0x08); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, ad, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_384(s, 11); -} - -int schwaemm_192_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - uint8_t block[SCHWAEMM_192_192_RATE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SCHWAEMM_192_192_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); - memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); - sparkle_384(s, 11); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_192_192_authenticate(s, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > SCHWAEMM_192_192_RATE) { - lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); - sparkle_384(s, 7); - memcpy(c, block, SCHWAEMM_192_192_RATE); - c += SCHWAEMM_192_192_RATE; - m += SCHWAEMM_192_192_RATE; - mlen -= SCHWAEMM_192_192_RATE; - } - if (mlen == SCHWAEMM_192_192_RATE) { - 
lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); - s[11] ^= DOMAIN(0x0B); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); - memcpy(c, block, SCHWAEMM_192_192_RATE); - } else { - unsigned temp = (unsigned)mlen; - lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - s[11] ^= DOMAIN(0x0A); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - memcpy(c, block, temp); - } - sparkle_384(s, 11); - c += mlen; - } - - /* Generate the authentication tag */ - lw_xor_block_2_src - (c, SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); - return 0; -} - -int schwaemm_192_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SCHWAEMM_192_192_TAG_SIZE) - return -1; - *mlen = clen - SCHWAEMM_192_192_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); - memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); - sparkle_384(s, 11); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_192_192_authenticate(s, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SCHWAEMM_192_192_TAG_SIZE; - if (clen > 0) { - while (clen > SCHWAEMM_192_192_RATE) { - lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); - sparkle_384(s, 7); - c += SCHWAEMM_192_192_RATE; - m += SCHWAEMM_192_192_RATE; - clen -= SCHWAEMM_192_192_RATE; - } - if (clen == SCHWAEMM_192_192_RATE) { - 
lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); - s[11] ^= DOMAIN(0x0B); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); - } else { - unsigned temp = (unsigned)clen; - lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - s[11] ^= DOMAIN(0x0A); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_384(s, 11); - c += clen; - } - - /* Check the authentication tag */ - lw_xor_block(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); - return aead_check_tag - (mtemp, *mlen, SCHWAEMM_192_192_RIGHT(s), c, SCHWAEMM_192_192_TAG_SIZE); -} - -/** - * \brief Rate at which bytes are processed by Schwaemm128-128. - */ -#define SCHWAEMM_128_128_RATE 16 - -/** - * \brief Pointer to the left of the state for Schwaemm128-128. - */ -#define SCHWAEMM_128_128_LEFT(s) ((unsigned char *)&(s[0])) - -/** - * \brief Pointer to the right of the state for Schwaemm128-128. - */ -#define SCHWAEMM_128_128_RIGHT(s) \ - (SCHWAEMM_128_128_LEFT(s) + SCHWAEMM_128_128_RATE) - -/** - * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128. - * - * \param s SPARKLE-256 state. - */ -#define schwaemm_128_128_rho(s) \ - do { \ - uint32_t t = s[0]; \ - s[0] = s[2] ^ s[4]; \ - s[2] ^= t ^ s[6]; \ - t = s[1]; \ - s[1] = s[3] ^ s[5]; \ - s[3] ^= t ^ s[7]; \ - } while (0) - -/** - * \brief Authenticates the associated data for Schwaemm128-128. - * - * \param s SPARKLE-256 state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data; must be >= 1. 
- */ -static void schwaemm_128_128_authenticate - (uint32_t s[SPARKLE_256_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen > SCHWAEMM_128_128_RATE) { - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); - sparkle_256(s, 7); - ad += SCHWAEMM_128_128_RATE; - adlen -= SCHWAEMM_128_128_RATE; - } - if (adlen == SCHWAEMM_128_128_RATE) { - s[7] ^= DOMAIN(0x05); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); - } else { - unsigned temp = (unsigned)adlen; - s[7] ^= DOMAIN(0x04); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, ad, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_256(s, 10); -} - -int schwaemm_128_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_256_STATE_SIZE]; - uint8_t block[SCHWAEMM_128_128_RATE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SCHWAEMM_128_128_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); - memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); - sparkle_256(s, 10); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_128_128_authenticate(s, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > SCHWAEMM_128_128_RATE) { - lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); - sparkle_256(s, 7); - memcpy(c, block, SCHWAEMM_128_128_RATE); - c += SCHWAEMM_128_128_RATE; - m += SCHWAEMM_128_128_RATE; - mlen -= SCHWAEMM_128_128_RATE; - } - if (mlen == SCHWAEMM_128_128_RATE) { - 
lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- s[7] ^= DOMAIN(0x07);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- memcpy(c, block, SCHWAEMM_128_128_RATE);
- } else {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- s[7] ^= DOMAIN(0x06);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- memcpy(c, block, temp);
- }
- sparkle_256(s, 10);
- c += mlen;
- }
-
- /* Generate the authentication tag */
- lw_xor_block_2_src
- (c, SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE);
- return 0;
-}
-
-int schwaemm_128_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_256_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SCHWAEMM_128_128_TAG_SIZE)
- return -1;
- *mlen = clen - SCHWAEMM_128_128_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE);
- memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE);
- sparkle_256(s, 10);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_128_128_authenticate(s, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SCHWAEMM_128_128_TAG_SIZE;
- if (clen > 0) {
- while (clen > SCHWAEMM_128_128_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- sparkle_256(s, 7);
- c += SCHWAEMM_128_128_RATE;
- m += SCHWAEMM_128_128_RATE;
- clen -= SCHWAEMM_128_128_RATE;
- }
- if (clen == SCHWAEMM_128_128_RATE) {
-
lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE);
- s[7] ^= DOMAIN(0x07);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- } else {
- unsigned temp = (unsigned)clen;
- lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- s[7] ^= DOMAIN(0x06);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_256(s, 10);
- c += clen;
- }
-
- /* Check the authentication tag */
- lw_xor_block(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE);
- return aead_check_tag
- (mtemp, *mlen, SCHWAEMM_128_128_RIGHT(s), c, SCHWAEMM_128_128_TAG_SIZE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_RATE 32
-
-/**
- * \brief Pointer to the left of the state for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_RIGHT(s) \
- (SCHWAEMM_256_256_LEFT(s) + SCHWAEMM_256_256_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256.
- *
- * \param s SPARKLE-512 state.
- */
-#define schwaemm_256_256_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[4] ^ s[8]; \
- s[4] ^= t ^ s[12]; \
- t = s[1]; \
- s[1] = s[5] ^ s[9]; \
- s[5] ^= t ^ s[13]; \
- t = s[2]; \
- s[2] = s[6] ^ s[10]; \
- s[6] ^= t ^ s[14]; \
- t = s[3]; \
- s[3] = s[7] ^ s[11]; \
- s[7] ^= t ^ s[15]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm256-256.
- *
- * \param s SPARKLE-512 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */
-static void schwaemm_256_256_authenticate
- (uint32_t s[SPARKLE_512_STATE_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen > SCHWAEMM_256_256_RATE) {
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE);
- sparkle_512(s, 8);
- ad += SCHWAEMM_256_256_RATE;
- adlen -= SCHWAEMM_256_256_RATE;
- }
- if (adlen == SCHWAEMM_256_256_RATE) {
- s[15] ^= DOMAIN(0x11);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE);
- } else {
- unsigned temp = (unsigned)adlen;
- s[15] ^= DOMAIN(0x10);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, ad, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_512(s, 12);
-}
-
-int schwaemm_256_256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_512_STATE_SIZE];
- uint8_t block[SCHWAEMM_256_256_RATE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SCHWAEMM_256_256_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE);
- memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE);
- sparkle_512(s, 12);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_256_256_authenticate(s, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > SCHWAEMM_256_256_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- sparkle_512(s, 8);
- memcpy(c, block, SCHWAEMM_256_256_RATE);
- c += SCHWAEMM_256_256_RATE;
- m += SCHWAEMM_256_256_RATE;
- mlen -= SCHWAEMM_256_256_RATE;
- }
- if (mlen == SCHWAEMM_256_256_RATE) {
-
lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- s[15] ^= DOMAIN(0x13);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- memcpy(c, block, SCHWAEMM_256_256_RATE);
- } else {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- s[15] ^= DOMAIN(0x12);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- memcpy(c, block, temp);
- }
- sparkle_512(s, 12);
- c += mlen;
- }
-
- /* Generate the authentication tag */
- lw_xor_block_2_src
- (c, SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE);
- return 0;
-}
-
-int schwaemm_256_256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_512_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SCHWAEMM_256_256_TAG_SIZE)
- return -1;
- *mlen = clen - SCHWAEMM_256_256_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE);
- memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE);
- sparkle_512(s, 12);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_256_256_authenticate(s, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SCHWAEMM_256_256_TAG_SIZE;
- if (clen > 0) {
- while (clen > SCHWAEMM_256_256_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- sparkle_512(s, 8);
- c += SCHWAEMM_256_256_RATE;
- m += SCHWAEMM_256_256_RATE;
- clen -= SCHWAEMM_256_256_RATE;
- }
- if (clen == SCHWAEMM_256_256_RATE) {
-
lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE);
- s[15] ^= DOMAIN(0x13);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- } else {
- unsigned temp = (unsigned)clen;
- lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- s[15] ^= DOMAIN(0x12);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_512(s, 12);
- c += clen;
- }
-
- /* Check the authentication tag */
- lw_xor_block(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE);
- return aead_check_tag
- (mtemp, *mlen, SCHWAEMM_256_256_RIGHT(s), c, SCHWAEMM_256_256_TAG_SIZE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Esch256.
- */
-#define ESCH_256_RATE 16
-
-/**
- * \brief Perform the M3 step for Esch256 to mix the input with the state.
- *
- * \param s SPARKLE-384 state.
- * \param block Block of input data that has been padded to the rate.
- * \param domain Domain separator for this phase.
- */
-#define esch_256_m3(s, block, domain) \
- do { \
- uint32_t tx = (block)[0] ^ (block)[2]; \
- uint32_t ty = (block)[1] ^ (block)[3]; \
- tx = leftRotate16(tx ^ (tx << 16)); \
- ty = leftRotate16(ty ^ (ty << 16)); \
- s[0] ^= (block)[0] ^ ty; \
- s[1] ^= (block)[1] ^ tx; \
- s[2] ^= (block)[2] ^ ty; \
- s[3] ^= (block)[3] ^ tx; \
- if ((domain) != 0) \
- s[5] ^= DOMAIN(domain); \
- s[4] ^= ty; \
- s[5] ^= tx; \
- } while (0)
-
-/** @cond esch_256 */
-
-/**
- * \brief Word-based state for the Esch256 incremental hash mode.
- */
-typedef union
-{
- struct {
- uint32_t state[SPARKLE_384_STATE_SIZE];
- uint32_t block[4];
- unsigned char count;
- } s;
- unsigned long long align;
-
-} esch_256_hash_state_wt;
-
-/** @endcond */
-
-int esch_256_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- uint32_t block[ESCH_256_RATE / 4];
- memset(s, 0, sizeof(s));
- while (inlen > ESCH_256_RATE) {
- memcpy(block, in, ESCH_256_RATE);
- esch_256_m3(s, block, 0x00);
- sparkle_384(s, 7);
- in += ESCH_256_RATE;
- inlen -= ESCH_256_RATE;
- }
- if (inlen == ESCH_256_RATE) {
- memcpy(block, in, ESCH_256_RATE);
- esch_256_m3(s, block, 0x02);
- } else {
- unsigned temp = (unsigned)inlen;
- memcpy(block, in, temp);
- ((unsigned char *)block)[temp] = 0x80;
- memset(((unsigned char *)block) + temp + 1, 0,
- ESCH_256_RATE - temp - 1);
- esch_256_m3(s, block, 0x01);
- }
- sparkle_384(s, 11);
- memcpy(out, s, ESCH_256_RATE);
- sparkle_384(s, 7);
- memcpy(out + ESCH_256_RATE, s, ESCH_256_RATE);
- return 0;
-}
-
-void esch_256_hash_init(esch_256_hash_state_t *state)
-{
- memset(state, 0, sizeof(esch_256_hash_state_t));
-}
-
-void esch_256_hash_update
- (esch_256_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen)
-{
- esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state;
- unsigned temp;
- while (inlen > 0) {
- if (st->s.count == ESCH_256_RATE) {
- esch_256_m3(st->s.state, st->s.block, 0x00);
- sparkle_384(st->s.state, 7);
- st->s.count = 0;
- }
- temp = ESCH_256_RATE - st->s.count;
- if (temp > inlen)
- temp = (unsigned)inlen;
- memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp);
- st->s.count += temp;
- in += temp;
- inlen -= temp;
- }
-}
-
-void esch_256_hash_finalize
- (esch_256_hash_state_t *state, unsigned char *out)
-{
- esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state;
-
- /* Pad and process the last block */
- if (st->s.count == ESCH_256_RATE) {
- esch_256_m3(st->s.state,
st->s.block, 0x02);
- } else {
- unsigned temp = st->s.count;
- ((unsigned char *)(st->s.block))[temp] = 0x80;
- memset(((unsigned char *)(st->s.block)) + temp + 1, 0,
- ESCH_256_RATE - temp - 1);
- esch_256_m3(st->s.state, st->s.block, 0x01);
- }
- sparkle_384(st->s.state, 11);
-
- /* Generate the final hash value */
- memcpy(out, st->s.state, ESCH_256_RATE);
- sparkle_384(st->s.state, 7);
- memcpy(out + ESCH_256_RATE, st->s.state, ESCH_256_RATE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Esch384.
- */
-#define ESCH_384_RATE 16
-
-/**
- * \brief Perform the M4 step for Esch384 to mix the input with the state.
- *
- * \param s SPARKLE-512 state.
- * \param block Block of input data that has been padded to the rate.
- * \param domain Domain separator for this phase.
- */
-#define esch_384_m4(s, block, domain) \
- do { \
- uint32_t tx = block[0] ^ block[2]; \
- uint32_t ty = block[1] ^ block[3]; \
- tx = leftRotate16(tx ^ (tx << 16)); \
- ty = leftRotate16(ty ^ (ty << 16)); \
- s[0] ^= block[0] ^ ty; \
- s[1] ^= block[1] ^ tx; \
- s[2] ^= block[2] ^ ty; \
- s[3] ^= block[3] ^ tx; \
- if ((domain) != 0) \
- s[7] ^= DOMAIN(domain); \
- s[4] ^= ty; \
- s[5] ^= tx; \
- s[6] ^= ty; \
- s[7] ^= tx; \
- } while (0)
-
-/** @cond esch_384 */
-
-/**
- * \brief Word-based state for the Esch384 incremental hash mode.
- */
-typedef union
-{
- struct {
- uint32_t state[SPARKLE_512_STATE_SIZE];
- uint32_t block[4];
- unsigned char count;
- } s;
- unsigned long long align;
-
-} esch_384_hash_state_wt;
-
-/** @endcond */
-
-int esch_384_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- uint32_t s[SPARKLE_512_STATE_SIZE];
- uint32_t block[ESCH_256_RATE / 4];
- memset(s, 0, sizeof(s));
- while (inlen > ESCH_384_RATE) {
- memcpy(block, in, ESCH_384_RATE);
- esch_384_m4(s, block, 0x00);
- sparkle_512(s, 8);
- in += ESCH_384_RATE;
- inlen -= ESCH_384_RATE;
- }
- if (inlen == ESCH_384_RATE) {
- memcpy(block, in, ESCH_384_RATE);
- esch_384_m4(s, block, 0x02);
- } else {
- unsigned temp = (unsigned)inlen;
- memcpy(block, in, temp);
- ((unsigned char *)block)[temp] = 0x80;
- memset(((unsigned char *)block) + temp + 1, 0,
- ESCH_384_RATE - temp - 1);
- esch_384_m4(s, block, 0x01);
- }
- sparkle_512(s, 12);
- memcpy(out, s, ESCH_384_RATE);
- sparkle_512(s, 8);
- memcpy(out + ESCH_384_RATE, s, ESCH_384_RATE);
- sparkle_512(s, 8);
- memcpy(out + ESCH_384_RATE * 2, s, ESCH_384_RATE);
- return 0;
-}
-
-void esch_384_hash_init(esch_384_hash_state_t *state)
-{
- memset(state, 0, sizeof(esch_384_hash_state_t));
-}
-
-void esch_384_hash_update
- (esch_384_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen)
-{
- esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state;
- unsigned temp;
- while (inlen > 0) {
- if (st->s.count == ESCH_384_RATE) {
- esch_384_m4(st->s.state, st->s.block, 0x00);
- sparkle_512(st->s.state, 8);
- st->s.count = 0;
- }
- temp = ESCH_384_RATE - st->s.count;
- if (temp > inlen)
- temp = (unsigned)inlen;
- memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp);
- st->s.count += temp;
- in += temp;
- inlen -= temp;
- }
-}
-
-void esch_384_hash_finalize
- (esch_384_hash_state_t *state, unsigned char *out)
-{
- esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state;
-
- /* Pad and process the last block */
-
if (st->s.count == ESCH_384_RATE) {
- esch_384_m4(st->s.state, st->s.block, 0x02);
- } else {
- unsigned temp = st->s.count;
- ((unsigned char *)(st->s.block))[temp] = 0x80;
- memset(((unsigned char *)(st->s.block)) + temp + 1, 0,
- ESCH_384_RATE - temp - 1);
- esch_384_m4(st->s.state, st->s.block, 0x01);
- }
- sparkle_512(st->s.state, 12);
-
- /* Generate the final hash value */
- memcpy(out, st->s.state, ESCH_384_RATE);
- sparkle_512(st->s.state, 8);
- memcpy(out + ESCH_384_RATE, st->s.state, ESCH_384_RATE);
- sparkle_512(st->s.state, 8);
- memcpy(out + ESCH_384_RATE * 2, st->s.state, ESCH_384_RATE);
-}
diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/sparkle.h
deleted file mode 100644
index dd0999e..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys-avr/sparkle.h
+++ /dev/null
@@ -1,515 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SPARKLE_H
-#define LWCRYPTO_SPARKLE_H
-
-#include "aead-common.h"
-
-/**
- * \file sparkle.h
- * \brief Encryption and hash algorithms based on the SPARKLE permutation.
- *
- * SPARKLE is a family of encryption and hash algorithms that are based
- * around the SPARKLE permutation. There are three versions of the
- * permutation with 256-bit, 384-bit, and 512-bit state sizes.
- * The algorithms in the family are:
- *
- * \li Schwaemm256-128 with a 128-bit key, a 256-bit nonce, and a 128-bit tag.
- * This is the primary encryption algorithm in the family.
- * \li Schwaemm192-192 with a 192-bit key, a 192-bit nonce, and a 192-bit tag.
- * \li Schwaemm128-128 with a 128-bit key, a 128-bit nonce, and a 128-bit tag.
- * \li Schwaemm256-256 with a 256-bit key, a 256-bit nonce, and a 256-bit tag.
- * \li Esch256 hash algorithm with a 256-bit digest output. This is the
- * primary hash algorithm in the family.
- * \li Esch384 hash algorithm with a 384-bit digest output.
- *
- * References: https://www.cryptolux.org/index.php/Sparkle
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_NONCE_SIZE 32
-
-/**
- * \brief Size of the key for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_KEY_SIZE 24
-
-/**
- * \brief Size of the authentication tag for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_TAG_SIZE 24
-
-/**
- * \brief Size of the nonce for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_NONCE_SIZE 24
-
-/**
- * \brief Size of the key for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_NONCE_SIZE 16
-
-/**
- * \brief Size of the key for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_KEY_SIZE 32
-
-/**
- * \brief Size of the authentication tag for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_TAG_SIZE 32
-
-/**
- * \brief Size of the nonce for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_NONCE_SIZE 32
-
-/**
- * \brief Size of the hash output for Esch256.
- */
-#define ESCH_256_HASH_SIZE 32
-
-/**
- * \brief Size of the hash output for Esch384.
- */
-#define ESCH_384_HASH_SIZE 48
-
-/**
- * \brief Meta-information block for the Schwaemm256-128 cipher.
- */
-extern aead_cipher_t const schwaemm_256_128_cipher;
-
-/**
- * \brief Meta-information block for the Schwaemm192-192 cipher.
- */
-extern aead_cipher_t const schwaemm_192_192_cipher;
-
-/**
- * \brief Meta-information block for the Schwaemm128-128 cipher.
- */
-extern aead_cipher_t const schwaemm_128_128_cipher;
-
-/**
- * \brief Meta-information block for the Schwaemm256-256 cipher.
- */
-extern aead_cipher_t const schwaemm_256_256_cipher;
-
-/**
- * \brief Meta-information block for the Esch256 hash algorithm.
- */
-extern aead_hash_algorithm_t const esch_256_hash_algorithm;
-
-/**
- * \brief Meta-information block for the Esch384 hash algorithm.
- */
-extern aead_hash_algorithm_t const esch_384_hash_algorithm;
-
-/**
- * \brief State information for the Esch256 incremental hash mode.
- */
-typedef union
-{
- struct {
- unsigned char state[48]; /**< Current hash state */
- unsigned char block[16]; /**< Partial input data block */
- unsigned char count; /**< Number of bytes in the current block */
- } s; /**< State */
- unsigned long long align; /**< For alignment of this structure */
-
-} esch_256_hash_state_t;
-
-/**
- * \brief State information for the Esch384 incremental hash mode.
- */
-typedef union
-{
- struct {
- unsigned char state[64]; /**< Current hash state */
- unsigned char block[16]; /**< Partial input data block */
- unsigned char count; /**< Number of bytes in the current block */
- } s; /**< State */
- unsigned long long align; /**< For alignment of this structure */
-
-} esch_384_hash_state_t;
-
-/**
- * \brief Encrypts and authenticates a packet with Schwaemm256-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 32 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa schwaemm_256_128_aead_decrypt()
- */
-int schwaemm_256_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Schwaemm256-128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 32 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa schwaemm_256_128_aead_encrypt()
- */
-int schwaemm_256_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Schwaemm192-192.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 24 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 24 bytes in length.
- * \param k Points to the 24 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa schwaemm_192_192_aead_decrypt()
- */
-int schwaemm_192_192_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Schwaemm192-192.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 24 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 24 bytes in length.
- * \param k Points to the 24 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa schwaemm_192_192_aead_encrypt()
- */
-int schwaemm_192_192_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Schwaemm128-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa schwaemm_128_128_aead_decrypt()
- */
-int schwaemm_128_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Schwaemm128-128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa schwaemm_128_128_aead_encrypt()
- */
-int schwaemm_128_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Schwaemm256-256.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa schwaemm_256_256_aead_decrypt()
- */
-int schwaemm_256_256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Schwaemm256-256.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa schwaemm_256_256_aead_encrypt()
- */
-int schwaemm_256_256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with Esch256 to generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * ESCH_256_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int esch_256_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for an Esch256 hashing operation.
- *
- * \param state Hash state to be initialized.
- *
- * \sa esch_256_hash_update(), esch_256_hash_finalize(), esch_256_hash()
- */
-void esch_256_hash_init(esch_256_hash_state_t *state);
-
-/**
- * \brief Updates an Esch256 state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- *
- * \sa esch_256_hash_init(), esch_256_hash_finalize()
- */
-void esch_256_hash_update
- (esch_256_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from an Esch256 hashing operation.
- *
- * \param state Hash state to be finalized.
- * \param out Points to the output buffer to receive the 32-byte hash value.
- *
- * \sa esch_256_hash_init(), esch_256_hash_update()
- */
-void esch_256_hash_finalize
- (esch_256_hash_state_t *state, unsigned char *out);
-
-/**
- * \brief Hashes a block of input data with Esch384 to generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * ESCH_384_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int esch_384_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for an Esch384 hashing operation.
- *
- * \param state Hash state to be initialized.
- *
- * \sa esch_384_hash_update(), esch_384_hash_finalize(), esch_384_hash()
- */
-void esch_384_hash_init(esch_384_hash_state_t *state);
-
-/**
- * \brief Updates an Esch384 state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- *
- * \sa esch_384_hash_init(), esch_384_hash_finalize()
- */
-void esch_384_hash_update
- (esch_384_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from an Esch384 hashing operation.
- *
- * \param state Hash state to be finalized.
- * \param out Points to the output buffer to receive the 48-byte hash value.
- *
- * \sa esch_384_hash_init(), esch_384_hash_update()
- */
-void esch_384_hash_finalize
- (esch_384_hash_state_t *state, unsigned char *out);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle-avr.S b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle-avr.S
new file mode 100644
index 0000000..753ea2f
--- /dev/null
+++ b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle-avr.S
@@ -0,0 +1,2887 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global sparkle_256 + .type sparkle_256, @function +sparkle_256: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + rcall 129f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 129f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 129f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + rcall 129f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 129f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 129f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 129f + pop r18 + cpi r18,7 + brne 5094f + rjmp 615f +5094: + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 129f + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 129f + ldi r18,128 + ldi r19,88 + ldi r20,113 + 
ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 129f + rjmp 615f +129: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc 
r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + 
eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + movw r18,r4 + movw r20,r6 + movw r4,r14 + movw r6,r12 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + movw r8,r18 + movw r10,r20 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 
+ eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + movw r14,r22 + movw r12,r26 + eor r14,r18 + eor r15,r19 + eor r12,r20 + eor r13,r21 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + movw r22,r16 + movw r26,r24 + eor r22,r28 + eor r23,r29 + eor r26,r2 + eor r27,r3 + movw r28,r14 + movw r2,r12 + ret +615: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_256, .-sparkle_256 + + .text +.global sparkle_384 + .type sparkle_384, @function +sparkle_384: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + rcall 140f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 140f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 140f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + 
rcall 140f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 140f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 140f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 140f + pop r18 + cpi r18,7 + brne 5094f + rjmp 886f +5094: + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 140f + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 140f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 140f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,10 + eor r8,r18 + rcall 140f + rjmp 886f +140: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 
+ ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 
+ ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + 
rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r22 + std Z+17,r23 + std Z+18,r26 + std Z+19,r27 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + eor r24,r4 + eor r25,r5 + eor r16,r6 + eor r17,r7 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r28,Z+40 + ldd r29,Z+41 + ldd r2,Z+42 + ldd r3,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor 
r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r0,Z+4 + eor r18,r0 + ldd r0,Z+5 + eor r19,r0 + ldd r0,Z+6 + eor r20,r0 + ldd r0,Z+7 + eor r21,r0 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Z+28,r18 + std Z+29,r19 + std Z+30,r20 + std Z+31,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + std Z+36,r18 + std Z+37,r19 + std Z+38,r20 + std Z+39,r21 + eor r8,r14 + eor r9,r15 + eor r10,r12 + eor r11,r13 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + eor r18,r16 + eor r19,r17 + eor r20,r24 + eor r21,r25 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r28,Z+16 + ldd r29,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + std Z+40,r28 + std Z+41,r29 + std Z+42,r2 + std Z+43,r3 + ld r14,Z + ldd r15,Z+1 + ldd r12,Z+2 + ldd r13,Z+3 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + std Z+24,r14 + std Z+25,r15 + std Z+26,r12 + std Z+27,r13 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + std Z+32,r18 + std Z+33,r19 + std Z+34,r20 + std Z+35,r21 + eor r28,r16 + eor r29,r17 + eor r2,r24 + eor r3,r25 + ret +886: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_384, .-sparkle_384 + + .text +.global sparkle_512 + .type sparkle_512, @function +sparkle_512: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + rcall 151f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 151f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 151f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + rcall 151f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 151f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 151f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 151f + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 151f + pop r18 + cpi r18,8 + brne 5105f + rjmp 1189f +5105: + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 151f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 151f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,10 + eor r8,r18 + rcall 151f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,11 + eor r8,r18 + rcall 151f + rjmp 1189f +151: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + 
movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor 
r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + 
ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r22 + std Z+17,r23 + std Z+18,r26 + std Z+19,r27 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + eor r24,r4 + eor r25,r5 + eor r16,r6 + eor r17,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r28,Z+40 + ldd r29,Z+41 + ldd r2,Z+42 + ldd r3,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + 
ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+32,r22 + std Z+33,r23 + std Z+34,r26 + std 
Z+35,r27 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r28 + std Z+41,r29 + std Z+42,r2 + std Z+43,r3 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r22,Z+48 + ldd r23,Z+49 + ldd r26,Z+50 + ldd r27,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r28,Z+56 + ldd r29,Z+57 + ldd r2,Z+58 + ldd r3,Z+59 + ldd r8,Z+60 + ldd r9,Z+61 + ldd r10,Z+62 + ldd r11,Z+63 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + 
adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + ldd r18,Z+44 + ldd r19,Z+45 + ldd r20,Z+46 + ldd r21,Z+47 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Z+60,r8 + std Z+61,r9 + std Z+62,r10 + std Z+63,r11 + ldd r8,Z+4 + ldd r9,Z+5 + ldd r10,Z+6 + ldd r11,Z+7 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+36,r8 + std Z+37,r9 + std Z+38,r10 + std Z+39,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r8,Z+52 + ldd r9,Z+53 + ldd r10,Z+54 + ldd r11,Z+55 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + ldd r0,Z+60 + eor r14,r0 + ldd r0,Z+61 + eor r15,r0 + ldd r0,Z+62 + eor r12,r0 + ldd r0,Z+63 + eor 
r13,r0 + std Z+20,r14 + std Z+21,r15 + std Z+22,r12 + std Z+23,r13 + movw r4,r18 + movw r6,r20 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + std Z+48,r22 + std Z+49,r23 + std Z+50,r26 + std Z+51,r27 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + eor r18,r16 + eor r19,r17 + eor r20,r24 + eor r21,r25 + eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r14,Z+24 + ldd r15,Z+25 + ldd r12,Z+26 + ldd r13,Z+27 + std Z+56,r14 + std Z+57,r15 + std Z+58,r12 + std Z+59,r13 + ld r14,Z + ldd r15,Z+1 + ldd r12,Z+2 + ldd r13,Z+3 + eor r22,r14 + eor r23,r15 + eor r26,r12 + eor r27,r13 + std Z+24,r22 + std Z+25,r23 + std Z+26,r26 + std Z+27,r27 + std Z+32,r14 + std Z+33,r15 + std Z+34,r12 + std Z+35,r13 + ldd r14,Z+8 + ldd r15,Z+9 + ldd r12,Z+10 + ldd r13,Z+11 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + movw r22,r18 + movw r26,r20 + std Z+40,r14 + std Z+41,r15 + std Z+42,r12 + std Z+43,r13 + ldd r28,Z+48 + ldd r29,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r14,Z+16 + ldd r15,Z+17 + ldd r12,Z+18 + ldd r13,Z+19 + eor r28,r14 + eor r29,r15 + eor r2,r12 + eor r3,r13 + std Z+48,r14 + std Z+49,r15 + std Z+50,r12 + std Z+51,r13 + ldd r0,Z+56 + eor r16,r0 + ldd r0,Z+57 + eor r17,r0 + ldd r0,Z+58 + eor r24,r0 + ldd r0,Z+59 + eor r25,r0 + std Z+16,r16 + std Z+17,r17 + std Z+18,r24 + std Z+19,r25 + ret +1189: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_512, .-sparkle_512 + +#endif 
diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.c
index 822af50..4a4c0fb 100644
--- a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.c
+++ b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-sparkle.c
@@ -22,6 +22,8 @@
 
 #include "internal-sparkle.h"
 
+#if !defined(__AVR__)
+
 /* The 8 basic round constants from the specification */
 #define RC_0 0xB7E15162
 #define RC_1 0xBF715880
@@ -66,7 +68,7 @@ void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps)
 {
 uint32_t x0, x1, x2, x3;
 uint32_t y0, y1, y2, y3;
- uint32_t tx, ty, tz, tw;
+ uint32_t tx, ty;
 unsigned step;
 
 /* Load the SPARKLE-256 state up into local variables */
@@ -105,18 +107,20 @@ void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps)
 /* Linear layer */
 tx = x0 ^ x1;
 ty = y0 ^ y1;
- tw = x0;
- tz = y0;
 tx = leftRotate16(tx ^ (tx << 16));
 ty = leftRotate16(ty ^ (ty << 16));
- x0 = x3 ^ x1 ^ ty;
- x3 = x1;
- y0 = y3 ^ y1 ^ tx;
+ y2 ^= tx;
+ tx ^= y3;
 y3 = y1;
- x1 = x2 ^ tw ^ ty;
- x2 = tw;
- y1 = y2 ^ tz ^ tx;
- y2 = tz;
+ y1 = y2 ^ y0;
+ y2 = y0;
+ y0 = tx ^ y3;
+ x2 ^= ty;
+ ty ^= x3;
+ x3 = x1;
+ x1 = x2 ^ x0;
+ x2 = x0;
+ x0 = ty ^ x3;
 }
 
 /* Write the local variables back to the SPARKLE-256 state */
@@ -145,7 +149,7 @@ void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps)
 {
 uint32_t x0, x1, x2, x3, x4, x5;
 uint32_t y0, y1, y2, y3, y4, y5;
- uint32_t tx, ty, tz, tw;
+ uint32_t tx, ty;
 unsigned step;
 
 /* Load the SPARKLE-384 state up into local variables */
@@ -194,22 +198,26 @@ void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps)
 /* Linear layer */
 tx = x0 ^ x1 ^ x2;
 ty = y0 ^ y1 ^ y2;
- tw = x0;
- tz = y0;
 tx = leftRotate16(tx ^ (tx << 16));
 ty = leftRotate16(ty ^ (ty << 16));
- x0 = x4 ^ x1 ^ ty;
- x4 = x1;
- y0 = y4 ^ y1 ^ tx;
+ y3 ^= tx;
+ y4 ^= tx;
+ tx ^= y5;
+ y5 = y2;
+ y2 = y3 ^ y0;
+ y3 = y0;
+ y0 = y4 ^ y1;
 y4 = y1;
- x1 = x5 ^ x2 ^ ty;
+ y1 = tx ^ y5;
+ x3 ^= ty;
+ x4 ^= ty;
+ ty ^= x5;
 x5 = x2;
- y1 = y5 ^ y2 ^ tx;
- y5 = y2;
- x2 = x3 ^ tw ^ ty;
- x3 = tw;
- y2 = y3 ^ tz ^ tx;
- y3 = tz;
+ x2 = x3 ^ x0;
+ x3 = x0;
+ x0 = x4 ^ x1;
+ x4 = x1;
+ x1 = ty ^ x5;
 }
 
 /* Write the local variables back to the SPARKLE-384 state */
@@ -246,7 +254,7 @@ void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps)
 {
 uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
 uint32_t y0, y1, y2, y3, y4, y5, y6, y7;
- uint32_t tx, ty, tz, tw;
+ uint32_t tx, ty;
 unsigned step;
 
 /* Load the SPARKLE-512 state up into local variables */
@@ -305,26 +313,32 @@ void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps)
 /* Linear layer */
 tx = x0 ^ x1 ^ x2 ^ x3;
 ty = y0 ^ y1 ^ y2 ^ y3;
- tw = x0;
- tz = y0;
 tx = leftRotate16(tx ^ (tx << 16));
 ty = leftRotate16(ty ^ (ty << 16));
- x0 = x5 ^ x1 ^ ty;
- x5 = x1;
- y0 = y5 ^ y1 ^ tx;
+ y4 ^= tx;
+ y5 ^= tx;
+ y6 ^= tx;
+ tx ^= y7;
+ y7 = y3;
+ y3 = y4 ^ y0;
+ y4 = y0;
+ y0 = y5 ^ y1;
 y5 = y1;
- x1 = x6 ^ x2 ^ ty;
- x6 = x2;
- y1 = y6 ^ y2 ^ tx;
+ y1 = y6 ^ y2;
 y6 = y2;
- x2 = x7 ^ x3 ^ ty;
+ y2 = tx ^ y7;
+ x4 ^= ty;
+ x5 ^= ty;
+ x6 ^= ty;
+ ty ^= x7;
 x7 = x3;
- y2 = y7 ^ y3 ^ tx;
- y7 = y3;
- x3 = x4 ^ tw ^ ty;
- x4 = tw;
- y3 = y4 ^ tz ^ tx;
- y4 = tz;
+ x3 = x4 ^ x0;
+ x4 = x0;
+ x0 = x5 ^ x1;
+ x5 = x1;
+ x1 = x6 ^ x2;
+ x6 = x2;
+ x2 = ty ^ x7;
 }
 
 /* Write the local variables back to the SPARKLE-512 state */
@@ -364,3 +378,5 @@ void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps)
 le_store_word32((uint8_t *)&(s[15]), y7);
 #endif
 }
+
+#endif
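Review bot: The `#endif` added by the last hunk at the end of the file is bare, while the `#if !defined(__AVR__)` it closes sits at the top of the translation unit several hundred lines earlier; please write it as `#endif /* !__AVR__ */` so a reader at the bottom of the file can tell which conditional ends here and that the whole C implementation is being swapped out for the AVR assembly on that target. The rewritten linear layers in `sparkle_256`, `sparkle_384` and `sparkle_512` substitute back to the removed expressions (for example the new `y1 = y2 ^ y0` after `y2 ^= tx` is the old `y2 ^ tz ^ tx` with `tz` being the pre-update `y0`), so the change reads as behaviour-preserving, but the in-place form is considerably harder to audit than the old temporaries. A one-line comment above each rewritten block, such as `/* tw/tz temporaries folded away: x2,y2 take the role of tw,tz and tx,ty absorb the x3/y3 (x5/y5, x7/y7) words */`, would let the next reviewer confirm the equivalence without re-deriving it. The enclosing function bodies start and end outside these hunks.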
diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-util.h b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-util.h
+++ b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
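Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is hard-wired to `defined(__AVR__)` in the first hunk, so the 132 lines of composed rotation macros in the following hunk are compiled only for an AVR target and are never exercised by a host-side test build. Wrapping the five-line selector in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` would let a host build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and check `leftRotateN(x) == leftRotate(x, N)` for every N in 1..31, using the existing barrel-shifter macros as the oracle. The compositions themselves check out on paper (each chain sums to the named count, e.g. `leftRotate12` is 16 − 4 and `leftRotate21` is 24 − 3, and every `rightRotateN` maps to `leftRotate(32−N)`), but a rotation macro that is off by one bit inside a permutation fails silently, so this is exactly the kind of table a cheap exhaustive test should cover.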
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.c
index b357de6..e2aa25a 100644
--- a/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.c
+++ b/sparkle/Implementations/crypto_aead/schwaemm128128v1/rhys/sparkle.c
@@ -123,24 +123,21 @@ aead_hash_algorithm_t const esch_384_hash_algorithm = {
 * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128.
 *
 * \param s SPARKLE-384 state.
- * \param domain Domain separator for this phase.
 */
-#define schwaemm_256_128_rho(s, domain) \
+#define schwaemm_256_128_rho(s) \
 do { \
- uint32_t t0 = s[0]; \
- uint32_t t1 = s[1]; \
- uint32_t t2 = s[2]; \
- uint32_t t3 = s[3]; \
- if ((domain) != 0) \
- s[11] ^= DOMAIN(domain); \
+ uint32_t t = s[0]; \
 s[0] = s[4] ^ s[8]; \
+ s[4] ^= t ^ s[8]; \
+ t = s[1]; \
 s[1] = s[5] ^ s[9]; \
+ s[5] ^= t ^ s[9]; \
+ t = s[2]; \
 s[2] = s[6] ^ s[10]; \
+ s[6] ^= t ^ s[10]; \
+ t = s[3]; \
 s[3] = s[7] ^ s[11]; \
- s[4] ^= t0 ^ s[8]; \
- s[5] ^= t1 ^ s[9]; \
- s[6] ^= t2 ^ s[10]; \
- s[7] ^= t3 ^ s[11]; \
+ s[7] ^= t ^ s[11]; \
 } while (0)
 
 /**
@@ -155,18 +152,20 @@ static void schwaemm_256_128_authenticate
 const unsigned char *ad, unsigned long long adlen)
 {
 while (adlen > SCHWAEMM_256_128_RATE) {
- schwaemm_256_128_rho(s, 0x00);
+ schwaemm_256_128_rho(s);
 lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE);
 sparkle_384(s, 7);
 ad += SCHWAEMM_256_128_RATE;
 adlen -= SCHWAEMM_256_128_RATE;
 }
 if (adlen == SCHWAEMM_256_128_RATE) {
- schwaemm_256_128_rho(s, 0x05);
+ s[11] ^= DOMAIN(0x05);
+ schwaemm_256_128_rho(s);
 lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE);
 } else {
 unsigned temp = (unsigned)adlen;
- schwaemm_256_128_rho(s, 0x04);
+ s[11] ^= DOMAIN(0x04);
+ schwaemm_256_128_rho(s);
 lw_xor_block((unsigned char *)s, ad, temp);
 ((unsigned char *)s)[temp] ^= 0x80;
 }
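Review bot: With `\param domain` removed, the doc comment on `schwaemm_256_128_rho` no longer tells the caller that the domain separator has to be XORed into `s[11]` before the macro runs, yet the order is significant: the macro reads `s[11]` into `s[3]` and `s[7]`, so a separator applied after the macro would not reach the rate words the way the old `(s, domain)` form guaranteed. Please add a line such as ` * The caller XORs the domain separator into s[11] before invoking this macro (see the DOMAIN() calls in the callers); s[11] is consumed by s[3] and s[7] below.` The same documentation gap applies to `schwaemm_192_192_rho` (s[11]), `schwaemm_128_128_rho` (s[7]) and `schwaemm_256_256_rho` (s[15]) in the later hunks of this file. Since the separator XOR is now repeated at six non-zero call sites per variant across authenticate, encrypt and decrypt, a small wrapper such as `#define schwaemm_256_128_rho_domain(s, d) do { s[11] ^= DOMAIN(d); schwaemm_256_128_rho(s); } while (0)` would keep the capacity-word index and the ordering constraint in one place instead of relying on every caller to get both right.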
@@ -202,7 +201,7 @@ int schwaemm_256_128_aead_encrypt
 while (mlen > SCHWAEMM_256_128_RATE) {
 lw_xor_block_2_src
 (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- schwaemm_256_128_rho(s, 0x00);
+ schwaemm_256_128_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
 sparkle_384(s, 7);
 memcpy(c, block, SCHWAEMM_256_128_RATE);
@@ -213,13 +212,15 @@ int schwaemm_256_128_aead_encrypt
 if (mlen == SCHWAEMM_256_128_RATE) {
 lw_xor_block_2_src
 (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- schwaemm_256_128_rho(s, 0x07);
+ s[11] ^= DOMAIN(0x07);
+ schwaemm_256_128_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
 memcpy(c, block, SCHWAEMM_256_128_RATE);
 } else {
 unsigned temp = (unsigned)mlen;
 lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- schwaemm_256_128_rho(s, 0x06);
+ s[11] ^= DOMAIN(0x06);
+ schwaemm_256_128_rho(s);
 lw_xor_block((unsigned char *)s, m, temp);
 ((unsigned char *)s)[temp] ^= 0x80;
 memcpy(c, block, temp);
@@ -266,7 +267,7 @@ int schwaemm_256_128_aead_decrypt
 while (clen > SCHWAEMM_256_128_RATE) {
 lw_xor_block_2_src
 (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE);
- schwaemm_256_128_rho(s, 0x00);
+ schwaemm_256_128_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
 sparkle_384(s, 7);
 c += SCHWAEMM_256_128_RATE;
@@ -276,12 +277,14 @@ int schwaemm_256_128_aead_decrypt
 if (clen == SCHWAEMM_256_128_RATE) {
 lw_xor_block_2_src
 (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE);
- schwaemm_256_128_rho(s, 0x07);
+ s[11] ^= DOMAIN(0x07);
+ schwaemm_256_128_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
 } else {
 unsigned temp = (unsigned)clen;
 lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- schwaemm_256_128_rho(s, 0x06);
+ s[11] ^= DOMAIN(0x06);
+ schwaemm_256_128_rho(s);
 lw_xor_block((unsigned char *)s, m, temp);
 ((unsigned char *)s)[temp] ^= 0x80;
 }
@@ -315,21 +318,18 @@ int schwaemm_256_128_aead_decrypt
 * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192.
 *
 * \param s SPARKLE-384 state.
- * \param domain Domain separator for this phase.
 */
-#define schwaemm_192_192_rho(s, domain) \
+#define schwaemm_192_192_rho(s) \
 do { \
- uint32_t t0 = s[0]; \
- uint32_t t1 = s[1]; \
- uint32_t t2 = s[2]; \
- if ((domain) != 0) \
- s[11] ^= DOMAIN(domain); \
+ uint32_t t = s[0]; \
 s[0] = s[3] ^ s[6]; \
+ s[3] ^= t ^ s[9]; \
+ t = s[1]; \
 s[1] = s[4] ^ s[7]; \
+ s[4] ^= t ^ s[10]; \
+ t = s[2]; \
 s[2] = s[5] ^ s[8]; \
- s[3] ^= t0 ^ s[9]; \
- s[4] ^= t1 ^ s[10]; \
- s[5] ^= t2 ^ s[11]; \
+ s[5] ^= t ^ s[11]; \
 } while (0)
 
 /**
@@ -344,18 +344,20 @@ static void schwaemm_192_192_authenticate
 const unsigned char *ad, unsigned long long adlen)
 {
 while (adlen > SCHWAEMM_192_192_RATE) {
- schwaemm_192_192_rho(s, 0x00);
+ schwaemm_192_192_rho(s);
 lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE);
 sparkle_384(s, 7);
 ad += SCHWAEMM_192_192_RATE;
 adlen -= SCHWAEMM_192_192_RATE;
 }
 if (adlen == SCHWAEMM_192_192_RATE) {
- schwaemm_192_192_rho(s, 0x09);
+ s[11] ^= DOMAIN(0x09);
+ schwaemm_192_192_rho(s);
 lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE);
 } else {
 unsigned temp = (unsigned)adlen;
- schwaemm_192_192_rho(s, 0x08);
+ s[11] ^= DOMAIN(0x08);
+ schwaemm_192_192_rho(s);
 lw_xor_block((unsigned char *)s, ad, temp);
 ((unsigned char *)s)[temp] ^= 0x80;
 }
@@ -391,7 +393,7 @@ int schwaemm_192_192_aead_encrypt
 while (mlen > SCHWAEMM_192_192_RATE) {
 lw_xor_block_2_src
 (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- schwaemm_192_192_rho(s, 0x00);
+ schwaemm_192_192_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
 sparkle_384(s, 7);
 memcpy(c, block, SCHWAEMM_192_192_RATE);
@@ -402,13 +404,15 @@ int schwaemm_192_192_aead_encrypt
 if (mlen == SCHWAEMM_192_192_RATE) {
 lw_xor_block_2_src
 (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- schwaemm_192_192_rho(s, 0x0B);
+ s[11] ^= DOMAIN(0x0B);
+ schwaemm_192_192_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
 memcpy(c, block, SCHWAEMM_192_192_RATE);
 } else {
 unsigned temp = (unsigned)mlen;
 lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- schwaemm_192_192_rho(s, 0x0A);
+ s[11] ^= DOMAIN(0x0A);
+ schwaemm_192_192_rho(s);
 lw_xor_block((unsigned char *)s, m, temp);
 ((unsigned char *)s)[temp] ^= 0x80;
 memcpy(c, block, temp);
@@ -455,7 +459,7 @@ int schwaemm_192_192_aead_decrypt
 while (clen > SCHWAEMM_192_192_RATE) {
 lw_xor_block_2_src
 (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE);
- schwaemm_192_192_rho(s, 0x00);
+ schwaemm_192_192_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
 sparkle_384(s, 7);
 c += SCHWAEMM_192_192_RATE;
@@ -465,12 +469,14 @@ int schwaemm_192_192_aead_decrypt
 if (clen == SCHWAEMM_192_192_RATE) {
 lw_xor_block_2_src
 (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE);
- schwaemm_192_192_rho(s, 0x0B);
+ s[11] ^= DOMAIN(0x0B);
+ schwaemm_192_192_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
 } else {
 unsigned temp = (unsigned)clen;
 lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- schwaemm_192_192_rho(s, 0x0A);
+ s[11] ^= DOMAIN(0x0A);
+ schwaemm_192_192_rho(s);
 lw_xor_block((unsigned char *)s, m, temp);
 ((unsigned char *)s)[temp] ^= 0x80;
 }
@@ -504,18 +510,15 @@ int schwaemm_192_192_aead_decrypt
 * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128.
 *
 * \param s SPARKLE-256 state.
- * \param domain Domain separator for this phase.
 */
-#define schwaemm_128_128_rho(s, domain) \
+#define schwaemm_128_128_rho(s) \
 do { \
- uint32_t t0 = s[0]; \
- uint32_t t1 = s[1]; \
- if ((domain) != 0) \
- s[7] ^= DOMAIN(domain); \
+ uint32_t t = s[0]; \
 s[0] = s[2] ^ s[4]; \
+ s[2] ^= t ^ s[6]; \
+ t = s[1]; \
 s[1] = s[3] ^ s[5]; \
- s[2] ^= t0 ^ s[6]; \
- s[3] ^= t1 ^ s[7]; \
+ s[3] ^= t ^ s[7]; \
 } while (0)
 
 /**
@@ -530,18 +533,20 @@ static void schwaemm_128_128_authenticate
 const unsigned char *ad, unsigned long long adlen)
 {
 while (adlen > SCHWAEMM_128_128_RATE) {
- schwaemm_128_128_rho(s, 0x00);
+ schwaemm_128_128_rho(s);
 lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE);
 sparkle_256(s, 7);
 ad += SCHWAEMM_128_128_RATE;
 adlen -= SCHWAEMM_128_128_RATE;
 }
 if (adlen == SCHWAEMM_128_128_RATE) {
- schwaemm_128_128_rho(s, 0x05);
+ s[7] ^= DOMAIN(0x05);
+ schwaemm_128_128_rho(s);
 lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE);
 } else {
 unsigned temp = (unsigned)adlen;
- schwaemm_128_128_rho(s, 0x04);
+ s[7] ^= DOMAIN(0x04);
+ schwaemm_128_128_rho(s);
 lw_xor_block((unsigned char *)s, ad, temp);
 ((unsigned char *)s)[temp] ^= 0x80;
 }
@@ -577,7 +582,7 @@ int schwaemm_128_128_aead_encrypt
 while (mlen > SCHWAEMM_128_128_RATE) {
 lw_xor_block_2_src
 (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- schwaemm_128_128_rho(s, 0x00);
+ schwaemm_128_128_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
 sparkle_256(s, 7);
 memcpy(c, block, SCHWAEMM_128_128_RATE);
@@ -588,13 +593,15 @@ int schwaemm_128_128_aead_encrypt
 if (mlen == SCHWAEMM_128_128_RATE) {
 lw_xor_block_2_src
 (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- schwaemm_128_128_rho(s, 0x07);
+ s[7] ^= DOMAIN(0x07);
+ schwaemm_128_128_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
 memcpy(c, block, SCHWAEMM_128_128_RATE);
 } else {
 unsigned temp = (unsigned)mlen;
 lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- schwaemm_128_128_rho(s, 0x06);
+ s[7] ^= DOMAIN(0x06);
+ schwaemm_128_128_rho(s);
 lw_xor_block((unsigned char *)s, m, temp);
 ((unsigned char *)s)[temp] ^= 0x80;
 memcpy(c, block, temp);
@@ -641,7 +648,7 @@ int schwaemm_128_128_aead_decrypt
 while (clen > SCHWAEMM_128_128_RATE) {
 lw_xor_block_2_src
 (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE);
- schwaemm_128_128_rho(s, 0x00);
+ schwaemm_128_128_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
 sparkle_256(s, 7);
 c += SCHWAEMM_128_128_RATE;
@@ -651,12 +658,14 @@ int schwaemm_128_128_aead_decrypt
 if (clen == SCHWAEMM_128_128_RATE) {
 lw_xor_block_2_src
 (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE);
- schwaemm_128_128_rho(s, 0x07);
+ s[7] ^= DOMAIN(0x07);
+ schwaemm_128_128_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
 } else {
 unsigned temp = (unsigned)clen;
 lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- schwaemm_128_128_rho(s, 0x06);
+ s[7] ^= DOMAIN(0x06);
+ schwaemm_128_128_rho(s);
 lw_xor_block((unsigned char *)s, m, temp);
 ((unsigned char *)s)[temp] ^= 0x80;
 }
@@ -690,24 +699,21 @@ int schwaemm_128_128_aead_decrypt
 * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256.
 *
 * \param s SPARKLE-512 state.
- * \param domain Domain separator for this phase.
 */
-#define schwaemm_256_256_rho(s, domain) \
+#define schwaemm_256_256_rho(s) \
 do { \
- uint32_t t0 = s[0]; \
- uint32_t t1 = s[1]; \
- uint32_t t2 = s[2]; \
- uint32_t t3 = s[3]; \
- if ((domain) != 0) \
- s[15] ^= DOMAIN(domain); \
+ uint32_t t = s[0]; \
 s[0] = s[4] ^ s[8]; \
+ s[4] ^= t ^ s[12]; \
+ t = s[1]; \
 s[1] = s[5] ^ s[9]; \
+ s[5] ^= t ^ s[13]; \
+ t = s[2]; \
 s[2] = s[6] ^ s[10]; \
+ s[6] ^= t ^ s[14]; \
+ t = s[3]; \
 s[3] = s[7] ^ s[11]; \
- s[4] ^= t0 ^ s[12]; \
- s[5] ^= t1 ^ s[13]; \
- s[6] ^= t2 ^ s[14]; \
- s[7] ^= t3 ^ s[15]; \
+ s[7] ^= t ^ s[15]; \
 } while (0)
 
 /**
@@ -722,18 +728,20 @@ static void schwaemm_256_256_authenticate
 const unsigned char *ad, unsigned long long adlen)
 {
 while (adlen > SCHWAEMM_256_256_RATE) {
- schwaemm_256_256_rho(s, 0x00);
+ schwaemm_256_256_rho(s);
 lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE);
 sparkle_512(s, 8);
 ad += SCHWAEMM_256_256_RATE;
 adlen -= SCHWAEMM_256_256_RATE;
 }
 if (adlen == SCHWAEMM_256_256_RATE) {
- schwaemm_256_256_rho(s, 0x11);
+ s[15] ^= DOMAIN(0x11);
+ schwaemm_256_256_rho(s);
 lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE);
 } else {
 unsigned temp = (unsigned)adlen;
- schwaemm_256_256_rho(s, 0x10);
+ s[15] ^= DOMAIN(0x10);
+ schwaemm_256_256_rho(s);
 lw_xor_block((unsigned char *)s, ad, temp);
 ((unsigned char *)s)[temp] ^= 0x80;
 }
@@ -769,7 +777,7 @@ int schwaemm_256_256_aead_encrypt
 while (mlen > SCHWAEMM_256_256_RATE) {
 lw_xor_block_2_src
 (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- schwaemm_256_256_rho(s, 0x00);
+ schwaemm_256_256_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
 sparkle_512(s, 8);
 memcpy(c, block, SCHWAEMM_256_256_RATE);
@@ -780,13 +788,15 @@ int schwaemm_256_256_aead_encrypt
 if (mlen == SCHWAEMM_256_256_RATE) {
 lw_xor_block_2_src
 (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- schwaemm_256_256_rho(s, 0x13);
+ s[15] ^= DOMAIN(0x13);
+ schwaemm_256_256_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
 memcpy(c, block, SCHWAEMM_256_256_RATE);
 } else {
 unsigned temp = (unsigned)mlen;
 lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- schwaemm_256_256_rho(s, 0x12);
+ s[15] ^= DOMAIN(0x12);
+ schwaemm_256_256_rho(s);
 lw_xor_block((unsigned char *)s, m, temp);
 ((unsigned char *)s)[temp] ^= 0x80;
 memcpy(c, block, temp);
@@ -833,7 +843,7 @@ int schwaemm_256_256_aead_decrypt
 while (clen > SCHWAEMM_256_256_RATE) {
 lw_xor_block_2_src
 (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE);
- schwaemm_256_256_rho(s, 0x00);
+ schwaemm_256_256_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
 sparkle_512(s, 8);
 c += SCHWAEMM_256_256_RATE;
@@ -843,12 +853,14 @@ int schwaemm_256_256_aead_decrypt
 if (clen == SCHWAEMM_256_256_RATE) {
 lw_xor_block_2_src
 (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE);
- schwaemm_256_256_rho(s, 0x13);
+ s[15] ^= DOMAIN(0x13);
+ schwaemm_256_256_rho(s);
 lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
 } else {
 unsigned temp = (unsigned)clen;
 lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- schwaemm_256_256_rho(s, 0x12);
+ s[15] ^= DOMAIN(0x12);
+ schwaemm_256_256_rho(s);
 lw_xor_block((unsigned char *)s, m, temp);
 ((unsigned char *)s)[temp] ^= 0x80;
 }
diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/aead-common.c b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/aead-common.h b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/api.h b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/api.h
deleted file mode 100644
index c340ebc..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 24
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 24
-#define CRYPTO_ABYTES 24
-#define CRYPTO_NOOVERLAP 1
diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/encrypt.c b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/encrypt.c
deleted file mode 100644
index 43a4aac..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "sparkle.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return schwaemm_192_192_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return schwaemm_192_192_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/internal-sparkle-avr.S b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/internal-sparkle-avr.S
deleted file mode 100644
index 753ea2f..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/internal-sparkle-avr.S
+++ /dev/null
@@ -1,2887 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global sparkle_256 - .type sparkle_256, @function -sparkle_256: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - rcall 129f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 129f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 129f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - rcall 129f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 129f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 129f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 129f - pop r18 - cpi r18,7 - brne 5094f - rjmp 615f -5094: - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 129f - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 129f - ldi r18,128 - ldi r19,88 - ldi r20,113 - 
ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 129f - rjmp 615f -129: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc 
r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - 
eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - std Z+20,r18 - std Z+21,r19 - std Z+22,r20 - std Z+23,r21 - movw r18,r4 - movw r20,r6 - movw r4,r14 - movw r6,r12 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - movw r8,r18 - movw r10,r20 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 
- eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - movw r14,r22 - movw r12,r26 - eor r14,r18 - eor r15,r19 - eor r12,r20 - eor r13,r21 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - movw r22,r16 - movw r26,r24 - eor r22,r28 - eor r23,r29 - eor r26,r2 - eor r27,r3 - movw r28,r14 - movw r2,r12 - ret -615: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_256, .-sparkle_256 - - .text -.global sparkle_384 - .type sparkle_384, @function -sparkle_384: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - rcall 140f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 140f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 140f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - 
rcall 140f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 140f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 140f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 140f - pop r18 - cpi r18,7 - brne 5094f - rjmp 886f -5094: - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 140f - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 140f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 140f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,10 - eor r8,r18 - rcall 140f - rjmp 886f -140: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 
- ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 
- ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - 
rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r22 - std Z+17,r23 - std Z+18,r26 - std Z+19,r27 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - eor r24,r4 - eor r25,r5 - eor r16,r6 - eor r17,r7 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r28,Z+40 - ldd r29,Z+41 - ldd r2,Z+42 - ldd r3,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor 
r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r0,Z+4 - eor r18,r0 - ldd r0,Z+5 - eor r19,r0 - ldd r0,Z+6 - eor r20,r0 - ldd r0,Z+7 - eor r21,r0 - std Z+20,r18 - std Z+21,r19 - std Z+22,r20 - std Z+23,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Z+28,r18 - std Z+29,r19 - std Z+30,r20 - std Z+31,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - std Z+36,r18 - std Z+37,r19 - std Z+38,r20 - std Z+39,r21 - eor r8,r14 - eor r9,r15 - eor r10,r12 - eor r11,r13 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - eor r18,r16 - eor r19,r17 - eor r20,r24 - eor r21,r25 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r28,Z+16 - ldd r29,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - std Z+40,r28 - std Z+41,r29 - std Z+42,r2 - std Z+43,r3 - ld r14,Z - ldd r15,Z+1 - ldd r12,Z+2 - ldd r13,Z+3 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - std Z+24,r14 - std Z+25,r15 - std Z+26,r12 - std Z+27,r13 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - std Z+32,r18 - std Z+33,r19 - std Z+34,r20 - std Z+35,r21 - eor r28,r16 - eor r29,r17 - eor r2,r24 - eor r3,r25 - ret -886: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_384, .-sparkle_384 - - .text -.global sparkle_512 - .type sparkle_512, @function -sparkle_512: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - rcall 151f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 151f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 151f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - rcall 151f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 151f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 151f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 151f - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 151f - pop r18 - cpi r18,8 - brne 5105f - rjmp 1189f -5105: - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 151f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 151f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,10 - eor r8,r18 - rcall 151f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,11 - eor r8,r18 - rcall 151f - rjmp 1189f -151: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - 
movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor 
r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - 
ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r22 - std Z+17,r23 - std Z+18,r26 - std Z+19,r27 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - eor r24,r4 - eor r25,r5 - eor r16,r6 - eor r17,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r28,Z+40 - ldd r29,Z+41 - ldd r2,Z+42 - ldd r3,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - 
ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+32,r22 - std Z+33,r23 - std Z+34,r26 - std 
Z+35,r27 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r28 - std Z+41,r29 - std Z+42,r2 - std Z+43,r3 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r22,Z+48 - ldd r23,Z+49 - ldd r26,Z+50 - ldd r27,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r28,Z+56 - ldd r29,Z+57 - ldd r2,Z+58 - ldd r3,Z+59 - ldd r8,Z+60 - ldd r9,Z+61 - ldd r10,Z+62 - ldd r11,Z+63 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - 
adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - ldd r18,Z+44 - ldd r19,Z+45 - ldd r20,Z+46 - ldd r21,Z+47 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Z+60,r8 - std Z+61,r9 - std Z+62,r10 - std Z+63,r11 - ldd r8,Z+4 - ldd r9,Z+5 - ldd r10,Z+6 - ldd r11,Z+7 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+36,r8 - std Z+37,r9 - std Z+38,r10 - std Z+39,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r8,Z+52 - ldd r9,Z+53 - ldd r10,Z+54 - ldd r11,Z+55 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - ldd r0,Z+60 - eor r14,r0 - ldd r0,Z+61 - eor r15,r0 - ldd r0,Z+62 - eor r12,r0 - ldd r0,Z+63 - eor 
r13,r0 - std Z+20,r14 - std Z+21,r15 - std Z+22,r12 - std Z+23,r13 - movw r4,r18 - movw r6,r20 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - std Z+48,r22 - std Z+49,r23 - std Z+50,r26 - std Z+51,r27 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - eor r18,r16 - eor r19,r17 - eor r20,r24 - eor r21,r25 - eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r14,Z+24 - ldd r15,Z+25 - ldd r12,Z+26 - ldd r13,Z+27 - std Z+56,r14 - std Z+57,r15 - std Z+58,r12 - std Z+59,r13 - ld r14,Z - ldd r15,Z+1 - ldd r12,Z+2 - ldd r13,Z+3 - eor r22,r14 - eor r23,r15 - eor r26,r12 - eor r27,r13 - std Z+24,r22 - std Z+25,r23 - std Z+26,r26 - std Z+27,r27 - std Z+32,r14 - std Z+33,r15 - std Z+34,r12 - std Z+35,r13 - ldd r14,Z+8 - ldd r15,Z+9 - ldd r12,Z+10 - ldd r13,Z+11 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - movw r22,r18 - movw r26,r20 - std Z+40,r14 - std Z+41,r15 - std Z+42,r12 - std Z+43,r13 - ldd r28,Z+48 - ldd r29,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r14,Z+16 - ldd r15,Z+17 - ldd r12,Z+18 - ldd r13,Z+19 - eor r28,r14 - eor r29,r15 - eor r2,r12 - eor r3,r13 - std Z+48,r14 - std Z+49,r15 - std Z+50,r12 - std Z+51,r13 - ldd r0,Z+56 - eor r16,r0 - ldd r0,Z+57 - eor r17,r0 - ldd r0,Z+58 - eor r24,r0 - ldd r0,Z+59 - eor r25,r0 - std Z+16,r16 - std Z+17,r17 - std Z+18,r24 - std Z+19,r25 - ret -1189: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_512, .-sparkle_512 - -#endif 
diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/internal-sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/internal-sparkle.c
deleted file mode 100644
index 4a4c0fb..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/internal-sparkle.c
+++ /dev/null
@@ -1,382 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-sparkle.h"
-
-#if !defined(__AVR__)
-
-/* The 8 basic round constants from the specification */
-#define RC_0 0xB7E15162
-#define RC_1 0xBF715880
-#define RC_2 0x38B4DA56
-#define RC_3 0x324E7738
-#define RC_4 0xBB1185EB
-#define RC_5 0x4F7C7B57
-#define RC_6 0xCFBFA1C8
-#define RC_7 0xC2B3293D
-
-/* Round constants for all SPARKLE steps; maximum of 12 for SPARKLE-512 */
-static uint32_t const sparkle_rc[12] = {
- RC_0, RC_1, RC_2, RC_3, RC_4, RC_5, RC_6, RC_7,
- RC_0, RC_1, RC_2, RC_3
-};
-
-/**
- * \brief Alzette block cipher that implements the ARXbox layer of the
- * SPARKLE permutation.
- *
- * \param x Left half of the 64-bit block.
- * \param y Right half of the 64-bit block.
- * \param k 32-bit round key.
- */
-#define alzette(x, y, k) \
- do { \
- (x) += leftRotate1((y)); \
- (y) ^= leftRotate8((x)); \
- (x) ^= (k); \
- (x) += leftRotate15((y)); \
- (y) ^= leftRotate15((x)); \
- (x) ^= (k); \
- (x) += (y); \
- (y) ^= leftRotate1((x)); \
- (x) ^= (k); \
- (x) += leftRotate8((y)); \
- (y) ^= leftRotate16((x)); \
- (x) ^= (k); \
- } while (0)
-
-void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps)
-{
- uint32_t x0, x1, x2, x3;
- uint32_t y0, y1, y2, y3;
- uint32_t tx, ty;
- unsigned step;
-
- /* Load the SPARKLE-256 state up into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- x0 = s[0];
- y0 = s[1];
- x1 = s[2];
- y1 = s[3];
- x2 = s[4];
- y2 = s[5];
- x3 = s[6];
- y3 = s[7];
-#else
- x0 = le_load_word32((const uint8_t *)&(s[0]));
- y0 = le_load_word32((const uint8_t *)&(s[1]));
- x1 = le_load_word32((const uint8_t *)&(s[2]));
- y1 = le_load_word32((const uint8_t *)&(s[3]));
- x2 = le_load_word32((const uint8_t *)&(s[4]));
- y2 = le_load_word32((const uint8_t *)&(s[5]));
- x3 = le_load_word32((const uint8_t *)&(s[6]));
- y3 = le_load_word32((const uint8_t *)&(s[7]));
-#endif
-
- /* Perform all requested steps */
- for (step = 0; step < steps; ++step) {
- /* Add round constants */
- y0 ^= sparkle_rc[step];
- y1 ^= step;
-
- /* ARXbox layer */
- alzette(x0, y0, RC_0);
- alzette(x1, y1, RC_1);
- alzette(x2, y2, RC_2);
- alzette(x3, y3, RC_3);
-
- /* Linear layer */
- tx = x0 ^ x1;
- ty = y0 ^ y1;
- tx = leftRotate16(tx ^ (tx << 16));
- ty = leftRotate16(ty ^ (ty << 16));
- y2 ^= tx;
- tx ^= y3;
- y3 = y1;
- y1 = y2 ^ y0;
- y2 = y0;
- y0 = tx ^ y3;
- x2 ^= ty;
- ty ^= x3;
- x3 = x1;
- x1 = x2 ^ x0;
- x2 = x0;
- x0 = ty ^ x3;
- }
-
- /* Write the local variables back to the SPARKLE-256 state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s[0] = x0;
- s[1] = y0;
- s[2] = x1;
- s[3] = y1;
- s[4] = x2;
- s[5] = y2;
- s[6] = x3;
- s[7] = y3;
-#else
- le_store_word32((uint8_t *)&(s[0]), x0);
- le_store_word32((uint8_t *)&(s[1]), y0);
- le_store_word32((uint8_t *)&(s[2]), x1);
- le_store_word32((uint8_t *)&(s[3]), y1);
- le_store_word32((uint8_t *)&(s[4]), x2);
- le_store_word32((uint8_t *)&(s[5]), y2);
- le_store_word32((uint8_t *)&(s[6]), x3);
- le_store_word32((uint8_t *)&(s[7]), y3);
-#endif
-}
-
-void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps)
-{
- uint32_t x0, x1, x2, x3, x4, x5;
- uint32_t y0, y1, y2, y3, y4, y5;
- uint32_t tx, ty;
- unsigned step;
-
- /* Load the SPARKLE-384 state up into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- x0 = s[0];
- y0 = s[1];
- x1 = s[2];
- y1 = s[3];
- x2 = s[4];
- y2 = s[5];
- x3 = s[6];
- y3 = s[7];
- x4 = s[8];
- y4 = s[9];
- x5 = s[10];
- y5 = s[11];
-#else
- x0 = le_load_word32((const uint8_t *)&(s[0]));
- y0 = le_load_word32((const uint8_t *)&(s[1]));
- x1 = le_load_word32((const uint8_t *)&(s[2]));
- y1 = le_load_word32((const uint8_t *)&(s[3]));
- x2 = le_load_word32((const uint8_t *)&(s[4]));
- y2 = le_load_word32((const uint8_t *)&(s[5]));
- x3 = le_load_word32((const uint8_t *)&(s[6]));
- y3 = le_load_word32((const uint8_t *)&(s[7]));
- x4 = le_load_word32((const uint8_t *)&(s[8]));
- y4 = le_load_word32((const uint8_t *)&(s[9]));
- x5 = le_load_word32((const uint8_t *)&(s[10]));
- y5 = le_load_word32((const uint8_t *)&(s[11]));
-#endif
-
- /* Perform all requested steps */
- for (step = 0; step < steps; ++step) {
- /* Add round constants */
- y0 ^= sparkle_rc[step];
- y1 ^= step;
-
- /* ARXbox layer */
- alzette(x0, y0, RC_0);
- alzette(x1, y1, RC_1);
- alzette(x2, y2, RC_2);
- alzette(x3, y3, RC_3);
- alzette(x4, y4, RC_4);
- alzette(x5, y5, RC_5);
-
- /* Linear layer */
- tx = x0 ^ x1 ^ x2;
- ty = y0 ^ y1 ^ y2;
- tx = leftRotate16(tx ^ (tx << 16));
- ty = leftRotate16(ty ^ (ty << 16));
- y3 ^= tx;
- y4 ^= tx;
- tx ^= y5;
- y5 = y2;
- y2 = y3 ^ y0;
- y3 = y0;
- y0 = y4 ^ y1;
- y4 = y1;
- y1 = tx ^ y5;
- x3 ^= ty;
- x4 ^= ty;
- ty ^= x5;
- x5 = x2;
- x2 = x3 ^ x0;
- x3 = x0;
- x0 = x4 ^ x1;
- x4 = x1;
- x1 = ty ^ x5;
- }
-
- /* Write the local variables back to the SPARKLE-384 state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s[0] = x0;
- s[1] = y0;
- s[2] = x1;
- s[3] = y1;
- s[4] = x2;
- s[5] = y2;
- s[6] = x3;
- s[7] = y3;
- s[8] = x4;
- s[9] = y4;
- s[10] = x5;
- s[11] = y5;
-#else
- le_store_word32((uint8_t *)&(s[0]), x0);
- le_store_word32((uint8_t *)&(s[1]), y0);
- le_store_word32((uint8_t *)&(s[2]), x1);
- le_store_word32((uint8_t *)&(s[3]), y1);
- le_store_word32((uint8_t *)&(s[4]), x2);
- le_store_word32((uint8_t *)&(s[5]), y2);
- le_store_word32((uint8_t *)&(s[6]), x3);
- le_store_word32((uint8_t *)&(s[7]), y3);
- le_store_word32((uint8_t *)&(s[8]), x4);
- le_store_word32((uint8_t *)&(s[9]), y4);
- le_store_word32((uint8_t *)&(s[10]), x5);
- le_store_word32((uint8_t *)&(s[11]), y5);
-#endif
-}
-
-void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps)
-{
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t y0, y1, y2, y3, y4, y5, y6, y7;
- uint32_t tx, ty;
- unsigned step;
-
- /* Load the SPARKLE-512 state up into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- x0 = s[0];
- y0 = s[1];
- x1 = s[2];
- y1 = s[3];
- x2 = s[4];
- y2 = s[5];
- x3 = s[6];
- y3 = s[7];
- x4 = s[8];
- y4 = s[9];
- x5 = s[10];
- y5 = s[11];
- x6 = s[12];
- y6 = s[13];
- x7 = s[14];
- y7 = s[15];
-#else
- x0 = le_load_word32((const uint8_t *)&(s[0]));
- y0 = le_load_word32((const uint8_t *)&(s[1]));
- x1 = le_load_word32((const uint8_t *)&(s[2]));
- y1 = le_load_word32((const uint8_t *)&(s[3]));
- x2 = le_load_word32((const uint8_t *)&(s[4]));
- y2 = le_load_word32((const uint8_t *)&(s[5]));
- x3 = le_load_word32((const uint8_t *)&(s[6]));
- y3 = le_load_word32((const uint8_t *)&(s[7]));
- x4 = le_load_word32((const uint8_t *)&(s[8]));
- y4 = le_load_word32((const uint8_t *)&(s[9]));
- x5 = le_load_word32((const uint8_t *)&(s[10]));
- y5 = le_load_word32((const uint8_t *)&(s[11]));
- x6 = le_load_word32((const uint8_t *)&(s[12]));
- y6 = le_load_word32((const uint8_t *)&(s[13]));
- x7 = le_load_word32((const uint8_t *)&(s[14]));
- y7 = le_load_word32((const uint8_t *)&(s[15]));
-#endif
-
- /* Perform all requested steps */
- for (step = 0; step < steps; ++step) {
- /* Add round constants */
- y0 ^= sparkle_rc[step];
- y1 ^= step;
-
- /* ARXbox layer */
- alzette(x0, y0, RC_0);
- alzette(x1, y1, RC_1);
- alzette(x2, y2, RC_2);
- alzette(x3, y3, RC_3);
- alzette(x4, y4, RC_4);
- alzette(x5, y5, RC_5);
- alzette(x6, y6, RC_6);
- alzette(x7, y7, RC_7);
-
- /* Linear layer */
- tx = x0 ^ x1 ^ x2 ^ x3;
- ty = y0 ^ y1 ^ y2 ^ y3;
- tx = leftRotate16(tx ^ (tx << 16));
- ty = leftRotate16(ty ^ (ty << 16));
- y4 ^= tx;
- y5 ^= tx;
- y6 ^= tx;
- tx ^= y7;
- y7 = y3;
- y3 = y4 ^ y0;
- y4 = y0;
- y0 = y5 ^ y1;
- y5 = y1;
- y1 = y6 ^ y2;
- y6 = y2;
- y2 = tx ^ y7;
- x4 ^= ty;
- x5 ^= ty;
- x6 ^= ty;
- ty ^= x7;
- x7 = x3;
- x3 = x4 ^ x0;
- x4 = x0;
- x0 = x5 ^ x1;
- x5 = x1;
- x1 = x6 ^ x2;
- x6 = x2;
- x2 = ty ^ x7;
- }
-
- /* Write the local variables back to the SPARKLE-512 state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s[0] = x0;
- s[1] = y0;
- s[2] = x1;
- s[3] = y1;
- s[4] = x2;
- s[5] = y2;
- s[6] = x3;
- s[7] = y3;
- s[8] = x4;
- s[9] = y4;
- s[10] = x5;
- s[11] = y5;
- s[12] = x6;
- s[13] = y6;
- s[14] = x7;
- s[15] = y7;
-#else
- le_store_word32((uint8_t *)&(s[0]), x0);
- le_store_word32((uint8_t *)&(s[1]), y0);
- le_store_word32((uint8_t *)&(s[2]), x1);
- le_store_word32((uint8_t *)&(s[3]), y1);
- le_store_word32((uint8_t *)&(s[4]), x2);
- le_store_word32((uint8_t *)&(s[5]), y2);
- le_store_word32((uint8_t *)&(s[6]), x3);
- le_store_word32((uint8_t *)&(s[7]), y3);
- le_store_word32((uint8_t *)&(s[8]), x4);
- le_store_word32((uint8_t *)&(s[9]), y4);
- le_store_word32((uint8_t *)&(s[10]), x5);
- le_store_word32((uint8_t *)&(s[11]), y5);
- le_store_word32((uint8_t *)&(s[12]), x6);
- le_store_word32((uint8_t *)&(s[13]), y6);
- le_store_word32((uint8_t *)&(s[14]), x7);
- le_store_word32((uint8_t *)&(s[15]), y7);
-#endif
-}
-
-#endif
diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/internal-sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/internal-sparkle.h
deleted file mode 100644
index fbdabc1..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/internal-sparkle.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SPARKLE_H
-#define LW_INTERNAL_SPARKLE_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-sparkle.h
- * \brief Internal implementation of the SPARKLE permutation.
- *
- * References: https://www.cryptolux.org/index.php/Sparkle
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the state for SPARKLE-256.
- */
-#define SPARKLE_256_STATE_SIZE 8
-
-/**
- * \brief Size of the state for SPARKLE-384.
- */
-#define SPARKLE_384_STATE_SIZE 12
-
-/**
- * \brief Size of the state for SPARKLE-512.
- */
-#define SPARKLE_512_STATE_SIZE 16
-
-/**
- * \brief Performs the SPARKLE-256 permutation.
- *
- * \param s The words of the SPARKLE-256 state in little-endian byte order.
- * \param steps The number of steps to perform, 7 or 10.
- */
-void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps);
-
-/**
- * \brief Performs the SPARKLE-384 permutation.
- *
- * \param s The words of the SPARKLE-384 state in little-endian byte order.
- * \param steps The number of steps to perform, 7 or 11.
- */
-void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps);
-
-/**
- * \brief Performs the SPARKLE-512 permutation.
- *
- * \param s The words of the SPARKLE-512 state in little-endian byte order.
- * \param steps The number of steps to perform, 8 or 12.
- */
-void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/internal-util.h b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/sparkle.c deleted file mode 100644 index e2aa25a..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/sparkle.c +++ /dev/null 
@@ -1,1135 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "sparkle.h"
-#include "internal-sparkle.h"
-#include
-
-aead_cipher_t const schwaemm_256_128_cipher = {
- "Schwaemm256-128",
- SCHWAEMM_256_128_KEY_SIZE,
- SCHWAEMM_256_128_NONCE_SIZE,
- SCHWAEMM_256_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_256_128_aead_encrypt,
- schwaemm_256_128_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_192_192_cipher = {
- "Schwaemm192-192",
- SCHWAEMM_192_192_KEY_SIZE,
- SCHWAEMM_192_192_NONCE_SIZE,
- SCHWAEMM_192_192_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_192_192_aead_encrypt,
- schwaemm_192_192_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_128_128_cipher = {
- "Schwaemm128-128",
- SCHWAEMM_128_128_KEY_SIZE,
- SCHWAEMM_128_128_NONCE_SIZE,
- SCHWAEMM_128_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_128_128_aead_encrypt,
- schwaemm_128_128_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_256_256_cipher = {
- "Schwaemm256-256",
- SCHWAEMM_256_256_KEY_SIZE,
- SCHWAEMM_256_256_NONCE_SIZE,
- SCHWAEMM_256_256_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_256_256_aead_encrypt,
- schwaemm_256_256_aead_decrypt
-};
-
-aead_hash_algorithm_t const esch_256_hash_algorithm = {
- "Esch256",
- sizeof(esch_256_hash_state_t),
- ESCH_256_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- esch_256_hash,
- (aead_hash_init_t)esch_256_hash_init,
- (aead_hash_update_t)esch_256_hash_update,
- (aead_hash_finalize_t)esch_256_hash_finalize,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const esch_384_hash_algorithm = {
- "Esch384",
- sizeof(esch_384_hash_state_t),
- ESCH_384_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- esch_384_hash,
- (aead_hash_init_t)esch_384_hash_init,
- (aead_hash_update_t)esch_384_hash_update,
- (aead_hash_finalize_t)esch_384_hash_finalize,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \def DOMAIN(value)
- * \brief Build a domain separation value as a 32-bit word.
- *
- * \param value The base value.
- * \return The domain separation value as a 32-bit word.
- */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
-#define DOMAIN(value) (((uint32_t)(value)) << 24)
-#else
-#define DOMAIN(value) (value)
-#endif
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_RATE 32
-
-/**
- * \brief Pointer to the left of the state for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_RIGHT(s) \
- (SCHWAEMM_256_128_LEFT(s) + SCHWAEMM_256_128_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128.
- *
- * \param s SPARKLE-384 state.
- */
-#define schwaemm_256_128_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[4] ^ s[8]; \
- s[4] ^= t ^ s[8]; \
- t = s[1]; \
- s[1] = s[5] ^ s[9]; \
- s[5] ^= t ^ s[9]; \
- t = s[2]; \
- s[2] = s[6] ^ s[10]; \
- s[6] ^= t ^ s[10]; \
- t = s[3]; \
- s[3] = s[7] ^ s[11]; \
- s[7] ^= t ^ s[11]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm256-128.
- *
- * \param s SPARKLE-384 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */
-static void schwaemm_256_128_authenticate
- (uint32_t s[SPARKLE_384_STATE_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen > SCHWAEMM_256_128_RATE) {
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE);
- sparkle_384(s, 7);
- ad += SCHWAEMM_256_128_RATE;
- adlen -= SCHWAEMM_256_128_RATE;
- }
- if (adlen == SCHWAEMM_256_128_RATE) {
- s[11] ^= DOMAIN(0x05);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE);
- } else {
- unsigned temp = (unsigned)adlen;
- s[11] ^= DOMAIN(0x04);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_384(s, 11);
-}
-
-int schwaemm_256_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- uint8_t block[SCHWAEMM_256_128_RATE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SCHWAEMM_256_128_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE);
- memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE);
- sparkle_384(s, 11);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_256_128_authenticate(s, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > SCHWAEMM_256_128_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- sparkle_384(s, 7);
- memcpy(c, block, SCHWAEMM_256_128_RATE);
- c += SCHWAEMM_256_128_RATE;
- m += SCHWAEMM_256_128_RATE;
- mlen -= SCHWAEMM_256_128_RATE;
- }
- if (mlen == SCHWAEMM_256_128_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- s[11] ^= DOMAIN(0x07);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- memcpy(c, block, SCHWAEMM_256_128_RATE);
- } else {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- s[11] ^= DOMAIN(0x06);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- memcpy(c, block, temp);
- }
- sparkle_384(s, 11);
- c += mlen;
- }
-
- /* Generate the authentication tag */
- lw_xor_block_2_src
- (c, SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE);
- return 0;
-}
-
-int schwaemm_256_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SCHWAEMM_256_128_TAG_SIZE)
- return -1;
- *mlen = clen - SCHWAEMM_256_128_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE);
- memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE);
- sparkle_384(s, 11);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_256_128_authenticate(s, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SCHWAEMM_256_128_TAG_SIZE;
- if (clen > 0) {
- while (clen > SCHWAEMM_256_128_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- sparkle_384(s, 7);
- c += SCHWAEMM_256_128_RATE;
- m += SCHWAEMM_256_128_RATE;
- clen -= SCHWAEMM_256_128_RATE;
- }
- if (clen == SCHWAEMM_256_128_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE);
- s[11] ^= DOMAIN(0x07);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- } else {
- unsigned temp = (unsigned)clen;
- lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- s[11] ^= DOMAIN(0x06);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_384(s, 11);
- c += clen;
- }
-
- /* Check the authentication tag */
- lw_xor_block(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE);
- return aead_check_tag
- (mtemp, *mlen, SCHWAEMM_256_128_RIGHT(s), c, SCHWAEMM_256_128_TAG_SIZE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_RATE 24
-
-/**
- * \brief Pointer to the left of the state for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_RIGHT(s) \
- (SCHWAEMM_192_192_LEFT(s) + SCHWAEMM_192_192_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192.
- *
- * \param s SPARKLE-384 state.
- */
-#define schwaemm_192_192_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[3] ^ s[6]; \
- s[3] ^= t ^ s[9]; \
- t = s[1]; \
- s[1] = s[4] ^ s[7]; \
- s[4] ^= t ^ s[10]; \
- t = s[2]; \
- s[2] = s[5] ^ s[8]; \
- s[5] ^= t ^ s[11]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm192-192.
- *
- * \param s SPARKLE-384 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */
-static void schwaemm_192_192_authenticate
- (uint32_t s[SPARKLE_384_STATE_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen > SCHWAEMM_192_192_RATE) {
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE);
- sparkle_384(s, 7);
- ad += SCHWAEMM_192_192_RATE;
- adlen -= SCHWAEMM_192_192_RATE;
- }
- if (adlen == SCHWAEMM_192_192_RATE) {
- s[11] ^= DOMAIN(0x09);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE);
- } else {
- unsigned temp = (unsigned)adlen;
- s[11] ^= DOMAIN(0x08);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, ad, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_384(s, 11);
-}
-
-int schwaemm_192_192_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- uint8_t block[SCHWAEMM_192_192_RATE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SCHWAEMM_192_192_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE);
- memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE);
- sparkle_384(s, 11);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_192_192_authenticate(s, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > SCHWAEMM_192_192_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- sparkle_384(s, 7);
- memcpy(c, block, SCHWAEMM_192_192_RATE);
- c += SCHWAEMM_192_192_RATE;
- m += SCHWAEMM_192_192_RATE;
- mlen -= SCHWAEMM_192_192_RATE;
- }
- if (mlen == SCHWAEMM_192_192_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- s[11] ^= DOMAIN(0x0B);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- memcpy(c, block, SCHWAEMM_192_192_RATE);
- } else {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- s[11] ^= DOMAIN(0x0A);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- memcpy(c, block, temp);
- }
- sparkle_384(s, 11);
- c += mlen;
- }
-
- /* Generate the authentication tag */
- lw_xor_block_2_src
- (c, SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE);
- return 0;
-}
-
-int schwaemm_192_192_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SCHWAEMM_192_192_TAG_SIZE)
- return -1;
- *mlen = clen - SCHWAEMM_192_192_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE);
- memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE);
- sparkle_384(s, 11);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_192_192_authenticate(s, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SCHWAEMM_192_192_TAG_SIZE;
- if (clen > 0) {
- while (clen > SCHWAEMM_192_192_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- sparkle_384(s, 7);
- c += SCHWAEMM_192_192_RATE;
- m += SCHWAEMM_192_192_RATE;
- clen -= SCHWAEMM_192_192_RATE;
- }
- if (clen == SCHWAEMM_192_192_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE);
- s[11] ^= DOMAIN(0x0B);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- } else {
- unsigned temp = (unsigned)clen;
- lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- s[11] ^= DOMAIN(0x0A);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_384(s, 11);
- c += clen;
- }
-
- /* Check the authentication tag */
- lw_xor_block(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE);
- return aead_check_tag
- (mtemp, *mlen, SCHWAEMM_192_192_RIGHT(s), c, SCHWAEMM_192_192_TAG_SIZE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_RATE 16
-
-/**
- * \brief Pointer to the left of the state for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_RIGHT(s) \
- (SCHWAEMM_128_128_LEFT(s) + SCHWAEMM_128_128_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128.
- *
- * \param s SPARKLE-256 state.
- */
-#define schwaemm_128_128_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[2] ^ s[4]; \
- s[2] ^= t ^ s[6]; \
- t = s[1]; \
- s[1] = s[3] ^ s[5]; \
- s[3] ^= t ^ s[7]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm128-128.
- *
- * \param s SPARKLE-256 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */
-static void schwaemm_128_128_authenticate
- (uint32_t s[SPARKLE_256_STATE_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen > SCHWAEMM_128_128_RATE) {
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE);
- sparkle_256(s, 7);
- ad += SCHWAEMM_128_128_RATE;
- adlen -= SCHWAEMM_128_128_RATE;
- }
- if (adlen == SCHWAEMM_128_128_RATE) {
- s[7] ^= DOMAIN(0x05);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE);
- } else {
- unsigned temp = (unsigned)adlen;
- s[7] ^= DOMAIN(0x04);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_256(s, 10);
-}
-
-int schwaemm_128_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_256_STATE_SIZE];
- uint8_t block[SCHWAEMM_128_128_RATE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SCHWAEMM_128_128_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE);
- memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE);
- sparkle_256(s, 10);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_128_128_authenticate(s, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > SCHWAEMM_128_128_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- sparkle_256(s, 7);
- memcpy(c, block, SCHWAEMM_128_128_RATE);
- c += SCHWAEMM_128_128_RATE;
- m += SCHWAEMM_128_128_RATE;
- mlen -= SCHWAEMM_128_128_RATE;
- }
- if (mlen == SCHWAEMM_128_128_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- s[7] ^= DOMAIN(0x07);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- memcpy(c, block, SCHWAEMM_128_128_RATE);
- } else {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- s[7] ^= DOMAIN(0x06);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- memcpy(c, block, temp);
- }
- sparkle_256(s, 10);
- c += mlen;
- }
-
- /* Generate the authentication tag */
- lw_xor_block_2_src
- (c, SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE);
- return 0;
-}
-
-int schwaemm_128_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_256_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SCHWAEMM_128_128_TAG_SIZE)
- return -1;
- *mlen = clen - SCHWAEMM_128_128_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE);
- memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE);
- sparkle_256(s, 10);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_128_128_authenticate(s, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SCHWAEMM_128_128_TAG_SIZE;
- if (clen > 0) {
- while (clen > SCHWAEMM_128_128_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- sparkle_256(s, 7);
- c += SCHWAEMM_128_128_RATE;
- m += SCHWAEMM_128_128_RATE;
- clen -= SCHWAEMM_128_128_RATE;
- }
- if (clen == SCHWAEMM_128_128_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE);
- s[7] ^= DOMAIN(0x07);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- } else {
- unsigned temp = (unsigned)clen;
- lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- s[7] ^= DOMAIN(0x06);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_256(s, 10);
- c += clen;
- }
-
- /* Check the authentication tag */
- lw_xor_block(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE);
- return aead_check_tag
- (mtemp, *mlen, SCHWAEMM_128_128_RIGHT(s), c, SCHWAEMM_128_128_TAG_SIZE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_RATE 32
-
-/**
- * \brief Pointer to the left of the state for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_RIGHT(s) \
- (SCHWAEMM_256_256_LEFT(s) + SCHWAEMM_256_256_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256.
- *
- * \param s SPARKLE-512 state.
- */
-#define schwaemm_256_256_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[4] ^ s[8]; \
- s[4] ^= t ^ s[12]; \
- t = s[1]; \
- s[1] = s[5] ^ s[9]; \
- s[5] ^= t ^ s[13]; \
- t = s[2]; \
- s[2] = s[6] ^ s[10]; \
- s[6] ^= t ^ s[14]; \
- t = s[3]; \
- s[3] = s[7] ^ s[11]; \
- s[7] ^= t ^ s[15]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm256-256.
- *
- * \param s SPARKLE-512 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */
-static void schwaemm_256_256_authenticate
- (uint32_t s[SPARKLE_512_STATE_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen > SCHWAEMM_256_256_RATE) {
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE);
- sparkle_512(s, 8);
- ad += SCHWAEMM_256_256_RATE;
- adlen -= SCHWAEMM_256_256_RATE;
- }
- if (adlen == SCHWAEMM_256_256_RATE) {
- s[15] ^= DOMAIN(0x11);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE);
- } else {
- unsigned temp = (unsigned)adlen;
- s[15] ^= DOMAIN(0x10);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, ad, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_512(s, 12);
-}
-
-int schwaemm_256_256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_512_STATE_SIZE];
- uint8_t block[SCHWAEMM_256_256_RATE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SCHWAEMM_256_256_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE);
- memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE);
- sparkle_512(s, 12);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_256_256_authenticate(s, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > SCHWAEMM_256_256_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- sparkle_512(s, 8);
- memcpy(c, block, SCHWAEMM_256_256_RATE);
- c += SCHWAEMM_256_256_RATE;
- m += SCHWAEMM_256_256_RATE;
- mlen -= SCHWAEMM_256_256_RATE;
- }
- if (mlen == SCHWAEMM_256_256_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- s[15] ^= DOMAIN(0x13);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- memcpy(c, block, SCHWAEMM_256_256_RATE);
- } else {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- s[15] ^= DOMAIN(0x12);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- memcpy(c, block, temp);
- }
- sparkle_512(s, 12);
- c += mlen;
- }
-
- /* Generate the authentication tag */
- lw_xor_block_2_src
- (c, SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE);
- return 0;
-}
-
-int schwaemm_256_256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_512_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SCHWAEMM_256_256_TAG_SIZE)
- return -1;
- *mlen = clen - SCHWAEMM_256_256_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE);
- memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE);
- sparkle_512(s, 12);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_256_256_authenticate(s, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SCHWAEMM_256_256_TAG_SIZE;
- if (clen > 0) {
- while (clen > SCHWAEMM_256_256_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- sparkle_512(s, 8);
- c += SCHWAEMM_256_256_RATE;
- m += SCHWAEMM_256_256_RATE;
- clen -= SCHWAEMM_256_256_RATE;
- }
- if (clen == SCHWAEMM_256_256_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE);
- s[15] ^= DOMAIN(0x13);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- } else {
- unsigned temp = (unsigned)clen;
- lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- s[15] ^= DOMAIN(0x12);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_512(s, 12);
- c += clen;
- }
-
- /* Check the authentication tag */
- lw_xor_block(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE);
- return aead_check_tag
- (mtemp, *mlen, SCHWAEMM_256_256_RIGHT(s), c, SCHWAEMM_256_256_TAG_SIZE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Esch256.
- */
-#define ESCH_256_RATE 16
-
-/**
- * \brief Perform the M3 step for Esch256 to mix the input with the state.
- *
- * \param s SPARKLE-384 state.
- * \param block Block of input data that has been padded to the rate.
- * \param domain Domain separator for this phase.
- */
-#define esch_256_m3(s, block, domain) \
- do { \
- uint32_t tx = (block)[0] ^ (block)[2]; \
- uint32_t ty = (block)[1] ^ (block)[3]; \
- tx = leftRotate16(tx ^ (tx << 16)); \
- ty = leftRotate16(ty ^ (ty << 16)); \
- s[0] ^= (block)[0] ^ ty; \
- s[1] ^= (block)[1] ^ tx; \
- s[2] ^= (block)[2] ^ ty; \
- s[3] ^= (block)[3] ^ tx; \
- if ((domain) != 0) \
- s[5] ^= DOMAIN(domain); \
- s[4] ^= ty; \
- s[5] ^= tx; \
- } while (0)
-
-/** @cond esch_256 */
-
-/**
- * \brief Word-based state for the Esch256 incremental hash mode.
- */
-typedef union
-{
- struct {
- uint32_t state[SPARKLE_384_STATE_SIZE];
- uint32_t block[4];
- unsigned char count;
- } s;
- unsigned long long align;
-
-} esch_256_hash_state_wt;
-
-/** @endcond */
-
-int esch_256_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- uint32_t block[ESCH_256_RATE / 4];
- memset(s, 0, sizeof(s));
- while (inlen > ESCH_256_RATE) {
- memcpy(block, in, ESCH_256_RATE);
- esch_256_m3(s, block, 0x00);
- sparkle_384(s, 7);
- in += ESCH_256_RATE;
- inlen -= ESCH_256_RATE;
- }
- if (inlen == ESCH_256_RATE) {
- memcpy(block, in, ESCH_256_RATE);
- esch_256_m3(s, block, 0x02);
- } else {
- unsigned temp = (unsigned)inlen;
- memcpy(block, in, temp);
- ((unsigned char *)block)[temp] = 0x80;
- memset(((unsigned char *)block) + temp + 1, 0,
- ESCH_256_RATE - temp - 1);
- esch_256_m3(s, block, 0x01);
- }
- sparkle_384(s, 11);
- memcpy(out, s, ESCH_256_RATE);
- sparkle_384(s, 7);
- memcpy(out + ESCH_256_RATE, s, ESCH_256_RATE);
- return 0;
-}
-
-void esch_256_hash_init(esch_256_hash_state_t *state)
-{
- memset(state, 0, sizeof(esch_256_hash_state_t));
-}
-
-void esch_256_hash_update
- (esch_256_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen)
-{
- esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state;
- unsigned temp;
- while (inlen > 0) {
- if (st->s.count == ESCH_256_RATE) {
- esch_256_m3(st->s.state, st->s.block, 0x00);
- sparkle_384(st->s.state, 7);
- st->s.count = 0;
- }
- temp = ESCH_256_RATE - st->s.count;
- if (temp > inlen)
- temp = (unsigned)inlen;
- memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp);
- st->s.count += temp;
- in += temp;
- inlen -= temp;
- }
-}
-
-void esch_256_hash_finalize
- (esch_256_hash_state_t *state, unsigned char *out)
-{
- esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state;
-
- /* Pad and process the last block */
- if (st->s.count == ESCH_256_RATE) {
- esch_256_m3(st->s.state, st->s.block, 0x02);
- } else {
- unsigned temp = st->s.count;
- ((unsigned char *)(st->s.block))[temp] = 0x80;
- memset(((unsigned char *)(st->s.block)) + temp + 1, 0,
- ESCH_256_RATE - temp - 1);
- esch_256_m3(st->s.state, st->s.block, 0x01);
- }
- sparkle_384(st->s.state, 11);
-
- /* Generate the final hash value */
- memcpy(out, st->s.state, ESCH_256_RATE);
- sparkle_384(st->s.state, 7);
- memcpy(out + ESCH_256_RATE, st->s.state, ESCH_256_RATE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Esch384.
- */
-#define ESCH_384_RATE 16
-
-/**
- * \brief Perform the M4 step for Esch384 to mix the input with the state.
- *
- * \param s SPARKLE-512 state.
- * \param block Block of input data that has been padded to the rate.
- * \param domain Domain separator for this phase.
- */
-#define esch_384_m4(s, block, domain) \
- do { \
- uint32_t tx = block[0] ^ block[2]; \
- uint32_t ty = block[1] ^ block[3]; \
- tx = leftRotate16(tx ^ (tx << 16)); \
- ty = leftRotate16(ty ^ (ty << 16)); \
- s[0] ^= block[0] ^ ty; \
- s[1] ^= block[1] ^ tx; \
- s[2] ^= block[2] ^ ty; \
- s[3] ^= block[3] ^ tx; \
- if ((domain) != 0) \
- s[7] ^= DOMAIN(domain); \
- s[4] ^= ty; \
- s[5] ^= tx; \
- s[6] ^= ty; \
- s[7] ^= tx; \
- } while (0)
-
-/** @cond esch_384 */
-
-/**
- * \brief Word-based state for the Esch384 incremental hash mode.
- */
-typedef union
-{
- struct {
- uint32_t state[SPARKLE_512_STATE_SIZE];
- uint32_t block[4];
- unsigned char count;
- } s;
- unsigned long long align;
-
-} esch_384_hash_state_wt;
-
-/** @endcond */
-
-int esch_384_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- uint32_t s[SPARKLE_512_STATE_SIZE];
- uint32_t block[ESCH_256_RATE / 4];
- memset(s, 0, sizeof(s));
- while (inlen > ESCH_384_RATE) {
- memcpy(block, in, ESCH_384_RATE);
- esch_384_m4(s, block, 0x00);
- sparkle_512(s, 8);
- in += ESCH_384_RATE;
- inlen -= ESCH_384_RATE;
- }
- if (inlen == ESCH_384_RATE) {
- memcpy(block, in, ESCH_384_RATE);
- esch_384_m4(s, block, 0x02);
- } else {
- unsigned temp = (unsigned)inlen;
- memcpy(block, in, temp);
- ((unsigned char *)block)[temp] = 0x80;
- memset(((unsigned char *)block) + temp + 1, 0,
- ESCH_384_RATE - temp - 1);
- esch_384_m4(s, block, 0x01);
- }
- sparkle_512(s, 12);
- memcpy(out, s, ESCH_384_RATE);
- sparkle_512(s, 8);
- memcpy(out + ESCH_384_RATE, s, ESCH_384_RATE);
- sparkle_512(s, 8);
- memcpy(out + ESCH_384_RATE * 2, s, ESCH_384_RATE);
- return 0;
-}
-
-void esch_384_hash_init(esch_384_hash_state_t *state)
-{
- memset(state, 0, sizeof(esch_384_hash_state_t));
-}
-
-void esch_384_hash_update
- (esch_384_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen)
-{
- esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state;
- unsigned temp;
- while (inlen > 0) {
- if (st->s.count == ESCH_384_RATE) {
- esch_384_m4(st->s.state, st->s.block, 0x00);
- sparkle_512(st->s.state, 8);
- st->s.count = 0;
- }
- temp = ESCH_384_RATE - st->s.count;
- if (temp > inlen)
- temp = (unsigned)inlen;
- memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp);
- st->s.count += temp;
- in += temp;
- inlen -= temp;
- }
-}
-
-void esch_384_hash_finalize
- (esch_384_hash_state_t *state, unsigned char *out)
-{
- esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state;
-
- /* Pad and process the last block */
- if (st->s.count == ESCH_384_RATE) {
- esch_384_m4(st->s.state, st->s.block, 0x02);
- } else {
- unsigned temp = st->s.count;
- ((unsigned char *)(st->s.block))[temp] = 0x80;
- memset(((unsigned char *)(st->s.block)) + temp + 1, 0,
- ESCH_384_RATE - temp - 1);
- esch_384_m4(st->s.state, st->s.block, 0x01);
- }
- sparkle_512(st->s.state, 12);
-
- /* Generate the final hash value */
- memcpy(out, st->s.state, ESCH_384_RATE);
- sparkle_512(st->s.state, 8);
- memcpy(out + ESCH_384_RATE, st->s.state, ESCH_384_RATE);
- sparkle_512(st->s.state, 8);
- memcpy(out + ESCH_384_RATE * 2, st->s.state, ESCH_384_RATE);
-}
diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/sparkle.h
deleted file mode 100644
index dd0999e..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys-avr/sparkle.h
+++ /dev/null
@@ -1,515 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SPARKLE_H
-#define LWCRYPTO_SPARKLE_H
-
-#include "aead-common.h"
-
-/**
- * \file sparkle.h
- * \brief Encryption and hash algorithms based on the SPARKLE permutation.
- *
- * SPARKLE is a family of encryption and hash algorithms that are based
- * around the SPARKLE permutation. There are three versions of the
- * permutation with 256-bit, 384-bit, and 512-bit state sizes.
- * The algorithms in the family are:
- *
- * \li Schwaemm256-128 with a 128-bit key, a 256-bit nonce, and a 128-bit tag.
- * This is the primary encryption algorithm in the family.
- * \li Schwaemm192-192 with a 192-bit key, a 192-bit nonce, and a 192-bit tag.
- * \li Schwaemm128-128 with a 128-bit key, a 128-bit nonce, and a 128-bit tag.
- * \li Schwaemm256-256 with a 256-bit key, a 256-bit nonce, and a 256-bit tag.
- * \li Esch256 hash algorithm with a 256-bit digest output. This is the
- * primary hash algorithm in the family.
- * \li Esch384 hash algorithm with a 384-bit digest output.
- *
- * References: https://www.cryptolux.org/index.php/Sparkle
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_NONCE_SIZE 32
-
-/**
- * \brief Size of the key for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_KEY_SIZE 24
-
-/**
- * \brief Size of the authentication tag for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_TAG_SIZE 24
-
-/**
- * \brief Size of the nonce for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_NONCE_SIZE 24
-
-/**
- * \brief Size of the key for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_NONCE_SIZE 16
-
-/**
- * \brief Size of the key for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_KEY_SIZE 32
-
-/**
- * \brief Size of the authentication tag for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_TAG_SIZE 32
-
-/**
- * \brief Size of the nonce for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_NONCE_SIZE 32
-
-/**
- * \brief Size of the hash output for Esch256.
- */
-#define ESCH_256_HASH_SIZE 32
-
-/**
- * \brief Size of the hash output for Esch384.
- */
-#define ESCH_384_HASH_SIZE 48
-
-/**
- * \brief Meta-information block for the Schwaemm256-128 cipher.
- */
-extern aead_cipher_t const schwaemm_256_128_cipher;
-
-/**
- * \brief Meta-information block for the Schwaemm192-192 cipher.
- */
-extern aead_cipher_t const schwaemm_192_192_cipher;
-
-/**
- * \brief Meta-information block for the Schwaemm128-128 cipher.
- */
-extern aead_cipher_t const schwaemm_128_128_cipher;
-
-/**
- * \brief Meta-information block for the Schwaemm256-256 cipher.
- */
-extern aead_cipher_t const schwaemm_256_256_cipher;
-
-/**
- * \brief Meta-information block for the Esch256 hash algorithm.
- */
-extern aead_hash_algorithm_t const esch_256_hash_algorithm;
-
-/**
- * \brief Meta-information block for the Esch384 hash algorithm.
- */
-extern aead_hash_algorithm_t const esch_384_hash_algorithm;
-
-/**
- * \brief State information for the Esch256 incremental hash mode.
- */
-typedef union
-{
- struct {
- unsigned char state[48]; /**< Current hash state */
- unsigned char block[16]; /**< Partial input data block */
- unsigned char count; /**< Number of bytes in the current block */
- } s; /**< State */
- unsigned long long align; /**< For alignment of this structure */
-
-} esch_256_hash_state_t;
-
-/**
- * \brief State information for the Esch384 incremental hash mode.
- */
-typedef union
-{
- struct {
- unsigned char state[64]; /**< Current hash state */
- unsigned char block[16]; /**< Partial input data block */
- unsigned char count; /**< Number of bytes in the current block */
- } s; /**< State */
- unsigned long long align; /**< For alignment of this structure */
-
-} esch_384_hash_state_t;
-
-/**
- * \brief Encrypts and authenticates a packet with Schwaemm256-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 32 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa schwaemm_256_128_aead_decrypt()
- */
-int schwaemm_256_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Schwaemm256-128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 32 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa schwaemm_256_128_aead_encrypt()
- */
-int schwaemm_256_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Schwaemm192-192.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 24 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 24 bytes in length.
- * \param k Points to the 24 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa schwaemm_192_192_aead_decrypt()
- */
-int schwaemm_192_192_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Schwaemm192-192.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 24 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 24 bytes in length.
- * \param k Points to the 24 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa schwaemm_192_192_aead_encrypt()
- */
-int schwaemm_192_192_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Schwaemm128-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa schwaemm_128_128_aead_decrypt()
- */
-int schwaemm_128_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Schwaemm128-128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa schwaemm_128_128_aead_encrypt()
- */
-int schwaemm_128_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Schwaemm256-256.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa schwaemm_256_256_aead_decrypt()
- */
-int schwaemm_256_256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Schwaemm256-256.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa schwaemm_256_256_aead_encrypt()
- */
-int schwaemm_256_256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with Esch256 to generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * ESCH_256_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int esch_256_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for an Esch256 hashing operation.
- *
- * \param state Hash state to be initialized.
- *
- * \sa esch_256_hash_update(), esch_256_hash_finalize(), esch_256_hash()
- */
-void esch_256_hash_init(esch_256_hash_state_t *state);
-
-/**
- * \brief Updates an Esch256 state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- *
- * \sa esch_256_hash_init(), esch_256_hash_finalize()
- */
-void esch_256_hash_update
- (esch_256_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from an Esch256 hashing operation.
- *
- * \param state Hash state to be finalized.
- * \param out Points to the output buffer to receive the 32-byte hash value.
- *
- * \sa esch_256_hash_init(), esch_256_hash_update()
- */
-void esch_256_hash_finalize
- (esch_256_hash_state_t *state, unsigned char *out);
-
-/**
- * \brief Hashes a block of input data with Esch384 to generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * ESCH_384_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int esch_384_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for an Esch384 hashing operation.
- *
- * \param state Hash state to be initialized.
- *
- * \sa esch_384_hash_update(), esch_384_hash_finalize(), esch_384_hash()
- */
-void esch_384_hash_init(esch_384_hash_state_t *state);
-
-/**
- * \brief Updates an Esch384 state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- *
- * \sa esch_384_hash_init(), esch_384_hash_finalize()
- */
-void esch_384_hash_update
- (esch_384_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from an Esch384 hashing operation.
- *
- * \param state Hash state to be finalized.
- * \param out Points to the output buffer to receive the 48-byte hash value.
- *
- * \sa esch_384_hash_init(), esch_384_hash_update()
- */
-void esch_384_hash_finalize
- (esch_384_hash_state_t *state, unsigned char *out);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle-avr.S b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle-avr.S
new file mode 100644
index 0000000..753ea2f
--- /dev/null
+++ b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle-avr.S
@@ -0,0 +1,2887 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global sparkle_256 + .type sparkle_256, @function +sparkle_256: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + rcall 129f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 129f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 129f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + rcall 129f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 129f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 129f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 129f + pop r18 + cpi r18,7 + brne 5094f + rjmp 615f +5094: + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 129f + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 129f + ldi r18,128 + ldi r19,88 + ldi r20,113 + 
ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 129f + rjmp 615f +129: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc 
r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + 
eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + movw r18,r4 + movw r20,r6 + movw r4,r14 + movw r6,r12 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + movw r8,r18 + movw r10,r20 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 
+ eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + movw r14,r22 + movw r12,r26 + eor r14,r18 + eor r15,r19 + eor r12,r20 + eor r13,r21 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + movw r22,r16 + movw r26,r24 + eor r22,r28 + eor r23,r29 + eor r26,r2 + eor r27,r3 + movw r28,r14 + movw r2,r12 + ret +615: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_256, .-sparkle_256 + + .text +.global sparkle_384 + .type sparkle_384, @function +sparkle_384: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + rcall 140f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 140f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 140f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + 
rcall 140f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 140f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 140f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 140f + pop r18 + cpi r18,7 + brne 5094f + rjmp 886f +5094: + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 140f + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 140f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 140f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,10 + eor r8,r18 + rcall 140f + rjmp 886f +140: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 
+ ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 
+ ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + 
rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r22 + std Z+17,r23 + std Z+18,r26 + std Z+19,r27 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + eor r24,r4 + eor r25,r5 + eor r16,r6 + eor r17,r7 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r28,Z+40 + ldd r29,Z+41 + ldd r2,Z+42 + ldd r3,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor 
r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r0,Z+4 + eor r18,r0 + ldd r0,Z+5 + eor r19,r0 + ldd r0,Z+6 + eor r20,r0 + ldd r0,Z+7 + eor r21,r0 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Z+28,r18 + std Z+29,r19 + std Z+30,r20 + std Z+31,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + std Z+36,r18 + std Z+37,r19 + std Z+38,r20 + std Z+39,r21 + eor r8,r14 + eor r9,r15 + eor r10,r12 + eor r11,r13 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + eor r18,r16 + eor r19,r17 + eor r20,r24 + eor r21,r25 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r28,Z+16 + ldd r29,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + std Z+40,r28 + std Z+41,r29 + std Z+42,r2 + std Z+43,r3 + ld r14,Z + ldd r15,Z+1 + ldd r12,Z+2 + ldd r13,Z+3 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + std Z+24,r14 + std Z+25,r15 + std Z+26,r12 + std Z+27,r13 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + std Z+32,r18 + std Z+33,r19 + std Z+34,r20 + std Z+35,r21 + eor r28,r16 + eor r29,r17 + eor r2,r24 + eor r3,r25 + ret +886: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_384, .-sparkle_384 + + .text +.global sparkle_512 + .type sparkle_512, @function +sparkle_512: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + rcall 151f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 151f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 151f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + rcall 151f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 151f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 151f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 151f + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 151f + pop r18 + cpi r18,8 + brne 5105f + rjmp 1189f +5105: + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 151f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 151f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,10 + eor r8,r18 + rcall 151f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,11 + eor r8,r18 + rcall 151f + rjmp 1189f +151: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + 
movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor 
r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + 
ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r22 + std Z+17,r23 + std Z+18,r26 + std Z+19,r27 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + eor r24,r4 + eor r25,r5 + eor r16,r6 + eor r17,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r28,Z+40 + ldd r29,Z+41 + ldd r2,Z+42 + ldd r3,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + 
ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+32,r22 + std Z+33,r23 + std Z+34,r26 + std 
Z+35,r27 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r28 + std Z+41,r29 + std Z+42,r2 + std Z+43,r3 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r22,Z+48 + ldd r23,Z+49 + ldd r26,Z+50 + ldd r27,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r28,Z+56 + ldd r29,Z+57 + ldd r2,Z+58 + ldd r3,Z+59 + ldd r8,Z+60 + ldd r9,Z+61 + ldd r10,Z+62 + ldd r11,Z+63 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + 
adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + ldd r18,Z+44 + ldd r19,Z+45 + ldd r20,Z+46 + ldd r21,Z+47 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Z+60,r8 + std Z+61,r9 + std Z+62,r10 + std Z+63,r11 + ldd r8,Z+4 + ldd r9,Z+5 + ldd r10,Z+6 + ldd r11,Z+7 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+36,r8 + std Z+37,r9 + std Z+38,r10 + std Z+39,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r8,Z+52 + ldd r9,Z+53 + ldd r10,Z+54 + ldd r11,Z+55 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + ldd r0,Z+60 + eor r14,r0 + ldd r0,Z+61 + eor r15,r0 + ldd r0,Z+62 + eor r12,r0 + ldd r0,Z+63 + eor 
r13,r0 + std Z+20,r14 + std Z+21,r15 + std Z+22,r12 + std Z+23,r13 + movw r4,r18 + movw r6,r20 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + std Z+48,r22 + std Z+49,r23 + std Z+50,r26 + std Z+51,r27 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + eor r18,r16 + eor r19,r17 + eor r20,r24 + eor r21,r25 + eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r14,Z+24 + ldd r15,Z+25 + ldd r12,Z+26 + ldd r13,Z+27 + std Z+56,r14 + std Z+57,r15 + std Z+58,r12 + std Z+59,r13 + ld r14,Z + ldd r15,Z+1 + ldd r12,Z+2 + ldd r13,Z+3 + eor r22,r14 + eor r23,r15 + eor r26,r12 + eor r27,r13 + std Z+24,r22 + std Z+25,r23 + std Z+26,r26 + std Z+27,r27 + std Z+32,r14 + std Z+33,r15 + std Z+34,r12 + std Z+35,r13 + ldd r14,Z+8 + ldd r15,Z+9 + ldd r12,Z+10 + ldd r13,Z+11 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + movw r22,r18 + movw r26,r20 + std Z+40,r14 + std Z+41,r15 + std Z+42,r12 + std Z+43,r13 + ldd r28,Z+48 + ldd r29,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r14,Z+16 + ldd r15,Z+17 + ldd r12,Z+18 + ldd r13,Z+19 + eor r28,r14 + eor r29,r15 + eor r2,r12 + eor r3,r13 + std Z+48,r14 + std Z+49,r15 + std Z+50,r12 + std Z+51,r13 + ldd r0,Z+56 + eor r16,r0 + ldd r0,Z+57 + eor r17,r0 + ldd r0,Z+58 + eor r24,r0 + ldd r0,Z+59 + eor r25,r0 + std Z+16,r16 + std Z+17,r17 + std Z+18,r24 + std Z+19,r25 + ret +1189: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_512, .-sparkle_512 + +#endif 
diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.c index 822af50..4a4c0fb 100644 --- a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.c +++ b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-sparkle.c @@ -22,6 +22,8 @@ #include "internal-sparkle.h" +#if !defined(__AVR__) + /* The 8 basic round constants from the specification */ #define RC_0 0xB7E15162 #define RC_1 0xBF715880 @@ -66,7 +68,7 @@ void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps) { uint32_t x0, x1, x2, x3; uint32_t y0, y1, y2, y3; - uint32_t tx, ty, tz, tw; + uint32_t tx, ty; unsigned step; /* Load the SPARKLE-256 state up into local variables */ @@ -105,18 +107,20 @@ void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps) /* Linear layer */ tx = x0 ^ x1; ty = y0 ^ y1; - tw = x0; - tz = y0; tx = leftRotate16(tx ^ (tx << 16)); ty = leftRotate16(ty ^ (ty << 16)); - x0 = x3 ^ x1 ^ ty; - x3 = x1; - y0 = y3 ^ y1 ^ tx; + y2 ^= tx; + tx ^= y3; y3 = y1; - x1 = x2 ^ tw ^ ty; - x2 = tw; - y1 = y2 ^ tz ^ tx; - y2 = tz; + y1 = y2 ^ y0; + y2 = y0; + y0 = tx ^ y3; + x2 ^= ty; + ty ^= x3; + x3 = x1; + x1 = x2 ^ x0; + x2 = x0; + x0 = ty ^ x3; } /* Write the local variables back to the SPARKLE-256 state */ @@ -145,7 +149,7 @@ void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps) { uint32_t x0, x1, x2, x3, x4, x5; uint32_t y0, y1, y2, y3, y4, y5; - uint32_t tx, ty, tz, tw; + uint32_t tx, ty; unsigned step; /* Load the SPARKLE-384 state up into local variables */ 
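Review bot: The rewritten linear layer in the @@ -105 hunk is now a chain of order-dependent in-place updates — `y2 ^= tx` must run before `y1 = y2 ^ y0`, and `tx ^= y3` before `y3 = y1` — yet the only comment is still `/* Linear layer */`, so a later "harmless" reordering would silently break the permutation. I traced the new sequence against the removed `tw`/`tz` formulation and it produces the same values, but that is worth recording above the block, e.g. `/* In-place form: tx/ty are XORed into the upper half, which is then combined with and swapped against the lower half; statement order is load-bearing */`. The same applies to the sparkle_384 hunk at @@ -194 and the sparkle_512 hunk at @@ -305. The enclosing step loop begins and ends outside this hunk.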
@@ -194,22 +198,26 @@ void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps) /* Linear layer */ tx = x0 ^ x1 ^ x2; ty = y0 ^ y1 ^ y2; - tw = x0; - tz = y0; tx = leftRotate16(tx ^ (tx << 16)); ty = leftRotate16(ty ^ (ty << 16)); - x0 = x4 ^ x1 ^ ty; - x4 = x1; - y0 = y4 ^ y1 ^ tx; + y3 ^= tx; + y4 ^= tx; + tx ^= y5; + y5 = y2; + y2 = y3 ^ y0; + y3 = y0; + y0 = y4 ^ y1; y4 = y1; - x1 = x5 ^ x2 ^ ty; + y1 = tx ^ y5; + x3 ^= ty; + x4 ^= ty; + ty ^= x5; x5 = x2; - y1 = y5 ^ y2 ^ tx; - y5 = y2; - x2 = x3 ^ tw ^ ty; - x3 = tw; - y2 = y3 ^ tz ^ tx; - y3 = tz; + x2 = x3 ^ x0; + x3 = x0; + x0 = x4 ^ x1; + x4 = x1; + x1 = ty ^ x5; } /* Write the local variables back to the SPARKLE-384 state */ @@ -246,7 +254,7 @@ void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) { uint32_t x0, x1, x2, x3, x4, x5, x6, x7; uint32_t y0, y1, y2, y3, y4, y5, y6, y7; - uint32_t tx, ty, tz, tw; + uint32_t tx, ty; unsigned step; /* Load the SPARKLE-512 state up into local variables */ @@ -305,26 +313,32 @@ void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) /* Linear layer */ tx = x0 ^ x1 ^ x2 ^ x3; ty = y0 ^ y1 ^ y2 ^ y3; - tw = x0; - tz = y0; tx = leftRotate16(tx ^ (tx << 16)); ty = leftRotate16(ty ^ (ty << 16)); - x0 = x5 ^ x1 ^ ty; - x5 = x1; - y0 = y5 ^ y1 ^ tx; + y4 ^= tx; + y5 ^= tx; + y6 ^= tx; + tx ^= y7; + y7 = y3; + y3 = y4 ^ y0; + y4 = y0; + y0 = y5 ^ y1; y5 = y1; - x1 = x6 ^ x2 ^ ty; - x6 = x2; - y1 = y6 ^ y2 ^ tx; + y1 = y6 ^ y2; y6 = y2; - x2 = x7 ^ x3 ^ ty; + y2 = tx ^ y7; + x4 ^= ty; + x5 ^= ty; + x6 ^= ty; + ty ^= x7; x7 = x3; - y2 = y7 ^ y3 ^ tx; - y7 = y3; - x3 = x4 ^ tw ^ ty; - x4 = tw; - y3 = y4 ^ tz ^ tx; - y4 = tz; + x3 = x4 ^ x0; + x4 = x0; + x0 = x5 ^ x1; + x5 = x1; + x1 = x6 ^ x2; + x6 = x2; + x2 = ty ^ x7; } /* Write the local variables back to the SPARKLE-512 state */ @@ -364,3 +378,5 @@ void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) le_store_word32((uint8_t *)&(s[15]), y7); #endif } + +#endif 
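Review bot: The closing `+#endif` in the @@ -364 hunk is unlabelled even though it closes the `#if !defined(__AVR__)` added at the top of the file some 360 lines earlier; label it `#endif /* !defined(__AVR__) */`, as the `#else /* LW_CRYPTO_ROTATE32_COMPOSED */` introduced in this commit's internal-util.h hunk already does for its branch. The opening `#if` in the @@ -22 hunk would equally benefit from a one-line comment stating that on AVR these permutations are supplied by the assembly implementation instead, since nothing else in the file records that the C bodies are compiled out there.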
diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-util.h b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-util.h +++ b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
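Review bot: In the @@ -238 hunk `LW_CRYPTO_ROTATE32_COMPOSED` is decided by `__AVR__` alone, so the composed rotation macros selected under the new `#else` branch can only ever be compiled and exercised on an AVR target, and a wrong count in one of the `rightRotate` chains would not be caught by host-side test vectors. Wrapping the selection in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` lets a host build define it on the command line and compare every composed macro against the generic `leftRotate`/`rightRotate` for all 31 counts. The second hunk (@@ -254), which opens `#if !LW_CRYPTO_ROTATE32_COMPOSED`, needs no change for that to work.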
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.c index b357de6..e2aa25a 100644 
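Review bot: The composed chains nest the generic `leftRotate`/`rightRotate` statement expressions up to five levels deep, and if those macros declare a `_temp` local as the `(_temp >> (bits)) | ...` tail in the earlier hunk suggests, each level shadows the one outside it — GCC accepts this, but `-Wshadow` builds will warn on every rotation in the AVR path. The 130 lines are hand-written with no self-check, so a transposed base (say a `leftRotate19` built from 24 instead of 16) would only be caught on an AVR run; the permutation test vectors should be executed once with this branch enabled. A one-line comment after `#else`, e.g. `/* Each chain is at most one byte-multiple rotate plus four 1-bit rotates. */`, would record the design constraint the table follows.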
--- a/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.c +++ b/sparkle/Implementations/crypto_aead/schwaemm192192v1/rhys/sparkle.c @@ -123,24 +123,21 @@ aead_hash_algorithm_t const esch_384_hash_algorithm = { * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128. * * \param s SPARKLE-384 state. - * \param domain Domain separator for this phase. */ -#define schwaemm_256_128_rho(s, domain) \ +#define schwaemm_256_128_rho(s) \ do { \ - uint32_t t0 = s[0]; \ - uint32_t t1 = s[1]; \ - uint32_t t2 = s[2]; \ - uint32_t t3 = s[3]; \ - if ((domain) != 0) \ - s[11] ^= DOMAIN(domain); \ + uint32_t t = s[0]; \ s[0] = s[4] ^ s[8]; \ + s[4] ^= t ^ s[8]; \ + t = s[1]; \ s[1] = s[5] ^ s[9]; \ + s[5] ^= t ^ s[9]; \ + t = s[2]; \ s[2] = s[6] ^ s[10]; \ + s[6] ^= t ^ s[10]; \ + t = s[3]; \ s[3] = s[7] ^ s[11]; \ - s[4] ^= t0 ^ s[8]; \ - s[5] ^= t1 ^ s[9]; \ - s[6] ^= t2 ^ s[10]; \ - s[7] ^= t3 ^ s[11]; \ + s[7] ^= t ^ s[11]; \ } while (0) /** @@ -155,18 +152,20 @@ static void schwaemm_256_128_authenticate const unsigned char *ad, unsigned long long adlen) { while (adlen > SCHWAEMM_256_128_RATE) { - schwaemm_256_128_rho(s, 0x00); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); sparkle_384(s, 7); ad += SCHWAEMM_256_128_RATE; adlen -= SCHWAEMM_256_128_RATE; } if (adlen == SCHWAEMM_256_128_RATE) { - schwaemm_256_128_rho(s, 0x05); + s[11] ^= DOMAIN(0x05); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); } else { unsigned temp = (unsigned)adlen; - schwaemm_256_128_rho(s, 0x04); + s[11] ^= DOMAIN(0x04); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, ad, temp); ((unsigned char *)s)[temp] ^= 0x80; } 
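Review bot: The domain separator constants are now repeated bare at every call site (`s[11] ^= DOMAIN(0x05);` and `DOMAIN(0x04)` in schwaemm_256_128_authenticate here, and the 0x06/0x07, 0x08–0x0B, 0x10–0x13 sites in the later hunks of this file), where the old macro parameter at least labelled them as a domain; nothing now says which phase each value marks. Since the separator is what keeps a full final AD block, a partial AD block, and the message blocks from colliding, a short comment at each site, e.g. `s[11] ^= DOMAIN(0x05); /* final AD block is full */` and `/* final AD block is partial */` for 0x04, or one named macro per phase, would make a wrong constant visible in review. The values themselves match the arguments of the old calls, so this is documentation only. schwaemm_256_128_authenticate's body continues past the hunk.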
@@ -202,7 +201,7 @@ int schwaemm_256_128_aead_encrypt while (mlen > SCHWAEMM_256_128_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s, 0x00); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); sparkle_384(s, 7); memcpy(c, block, SCHWAEMM_256_128_RATE); @@ -213,13 +212,15 @@ int schwaemm_256_128_aead_encrypt if (mlen == SCHWAEMM_256_128_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s, 0x07); + s[11] ^= DOMAIN(0x07); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); memcpy(c, block, SCHWAEMM_256_128_RATE); } else { unsigned temp = (unsigned)mlen; lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - schwaemm_256_128_rho(s, 0x06); + s[11] ^= DOMAIN(0x06); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; memcpy(c, block, temp); @@ -266,7 +267,7 @@ int schwaemm_256_128_aead_decrypt while (clen > SCHWAEMM_256_128_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s, 0x00); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); sparkle_384(s, 7); c += SCHWAEMM_256_128_RATE; @@ -276,12 +277,14 @@ int schwaemm_256_128_aead_decrypt if (clen == SCHWAEMM_256_128_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s, 0x07); + s[11] ^= DOMAIN(0x07); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); } else { unsigned temp = (unsigned)clen; lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - schwaemm_256_128_rho(s, 0x06); + s[11] ^= DOMAIN(0x06); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; } 
@@ -315,21 +318,18 @@ int schwaemm_256_128_aead_decrypt * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192. * * \param s SPARKLE-384 state. - * \param domain Domain separator for this phase. */ -#define schwaemm_192_192_rho(s, domain) \ +#define schwaemm_192_192_rho(s) \ do { \ - uint32_t t0 = s[0]; \ - uint32_t t1 = s[1]; \ - uint32_t t2 = s[2]; \ - if ((domain) != 0) \ - s[11] ^= DOMAIN(domain); \ + uint32_t t = s[0]; \ s[0] = s[3] ^ s[6]; \ + s[3] ^= t ^ s[9]; \ + t = s[1]; \ s[1] = s[4] ^ s[7]; \ + s[4] ^= t ^ s[10]; \ + t = s[2]; \ s[2] = s[5] ^ s[8]; \ - s[3] ^= t0 ^ s[9]; \ - s[4] ^= t1 ^ s[10]; \ - s[5] ^= t2 ^ s[11]; \ + s[5] ^= t ^ s[11]; \ } while (0) /** @@ -344,18 +344,20 @@ static void schwaemm_192_192_authenticate const unsigned char *ad, unsigned long long adlen) { while (adlen > SCHWAEMM_192_192_RATE) { - schwaemm_192_192_rho(s, 0x00); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); sparkle_384(s, 7); ad += SCHWAEMM_192_192_RATE; adlen -= SCHWAEMM_192_192_RATE; } if (adlen == SCHWAEMM_192_192_RATE) { - schwaemm_192_192_rho(s, 0x09); + s[11] ^= DOMAIN(0x09); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); } else { unsigned temp = (unsigned)adlen; - schwaemm_192_192_rho(s, 0x08); + s[11] ^= DOMAIN(0x08); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, ad, temp); ((unsigned char *)s)[temp] ^= 0x80; } @@ -391,7 +393,7 @@ int schwaemm_192_192_aead_encrypt while (mlen > SCHWAEMM_192_192_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s, 0x00); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); sparkle_384(s, 7); memcpy(c, block, SCHWAEMM_192_192_RATE); 
@@ -402,13 +404,15 @@ int schwaemm_192_192_aead_encrypt if (mlen == SCHWAEMM_192_192_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s, 0x0B); + s[11] ^= DOMAIN(0x0B); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); memcpy(c, block, SCHWAEMM_192_192_RATE); } else { unsigned temp = (unsigned)mlen; lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - schwaemm_192_192_rho(s, 0x0A); + s[11] ^= DOMAIN(0x0A); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; memcpy(c, block, temp); @@ -455,7 +459,7 @@ int schwaemm_192_192_aead_decrypt while (clen > SCHWAEMM_192_192_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s, 0x00); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); sparkle_384(s, 7); c += SCHWAEMM_192_192_RATE; @@ -465,12 +469,14 @@ int schwaemm_192_192_aead_decrypt if (clen == SCHWAEMM_192_192_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s, 0x0B); + s[11] ^= DOMAIN(0x0B); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); } else { unsigned temp = (unsigned)clen; lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - schwaemm_192_192_rho(s, 0x0A); + s[11] ^= DOMAIN(0x0A); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; } 
@@ -504,18 +510,15 @@ int schwaemm_192_192_aead_decrypt * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128. * * \param s SPARKLE-256 state. - * \param domain Domain separator for this phase. */ -#define schwaemm_128_128_rho(s, domain) \ +#define schwaemm_128_128_rho(s) \ do { \ - uint32_t t0 = s[0]; \ - uint32_t t1 = s[1]; \ - if ((domain) != 0) \ - s[7] ^= DOMAIN(domain); \ + uint32_t t = s[0]; \ s[0] = s[2] ^ s[4]; \ + s[2] ^= t ^ s[6]; \ + t = s[1]; \ s[1] = s[3] ^ s[5]; \ - s[2] ^= t0 ^ s[6]; \ - s[3] ^= t1 ^ s[7]; \ + s[3] ^= t ^ s[7]; \ } while (0) /** @@ -530,18 +533,20 @@ static void schwaemm_128_128_authenticate const unsigned char *ad, unsigned long long adlen) { while (adlen > SCHWAEMM_128_128_RATE) { - schwaemm_128_128_rho(s, 0x00); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); sparkle_256(s, 7); ad += SCHWAEMM_128_128_RATE; adlen -= SCHWAEMM_128_128_RATE; } if (adlen == SCHWAEMM_128_128_RATE) { - schwaemm_128_128_rho(s, 0x05); + s[7] ^= DOMAIN(0x05); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); } else { unsigned temp = (unsigned)adlen; - schwaemm_128_128_rho(s, 0x04); + s[7] ^= DOMAIN(0x04); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, ad, temp); ((unsigned char *)s)[temp] ^= 0x80; } @@ -577,7 +582,7 @@ int schwaemm_128_128_aead_encrypt while (mlen > SCHWAEMM_128_128_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s, 0x00); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); sparkle_256(s, 7); memcpy(c, block, SCHWAEMM_128_128_RATE); 
@@ -588,13 +593,15 @@ int schwaemm_128_128_aead_encrypt if (mlen == SCHWAEMM_128_128_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s, 0x07); + s[7] ^= DOMAIN(0x07); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); memcpy(c, block, SCHWAEMM_128_128_RATE); } else { unsigned temp = (unsigned)mlen; lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - schwaemm_128_128_rho(s, 0x06); + s[7] ^= DOMAIN(0x06); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; memcpy(c, block, temp); @@ -641,7 +648,7 @@ int schwaemm_128_128_aead_decrypt while (clen > SCHWAEMM_128_128_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s, 0x00); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); sparkle_256(s, 7); c += SCHWAEMM_128_128_RATE; @@ -651,12 +658,14 @@ int schwaemm_128_128_aead_decrypt if (clen == SCHWAEMM_128_128_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s, 0x07); + s[7] ^= DOMAIN(0x07); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); } else { unsigned temp = (unsigned)clen; lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - schwaemm_128_128_rho(s, 0x06); + s[7] ^= DOMAIN(0x06); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; } 
@@ -690,24 +699,21 @@ int schwaemm_128_128_aead_decrypt * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256. * * \param s SPARKLE-512 state. - * \param domain Domain separator for this phase. */ -#define schwaemm_256_256_rho(s, domain) \ +#define schwaemm_256_256_rho(s) \ do { \ - uint32_t t0 = s[0]; \ - uint32_t t1 = s[1]; \ - uint32_t t2 = s[2]; \ - uint32_t t3 = s[3]; \ - if ((domain) != 0) \ - s[15] ^= DOMAIN(domain); \ + uint32_t t = s[0]; \ s[0] = s[4] ^ s[8]; \ + s[4] ^= t ^ s[12]; \ + t = s[1]; \ s[1] = s[5] ^ s[9]; \ + s[5] ^= t ^ s[13]; \ + t = s[2]; \ s[2] = s[6] ^ s[10]; \ + s[6] ^= t ^ s[14]; \ + t = s[3]; \ s[3] = s[7] ^ s[11]; \ - s[4] ^= t0 ^ s[12]; \ - s[5] ^= t1 ^ s[13]; \ - s[6] ^= t2 ^ s[14]; \ - s[7] ^= t3 ^ s[15]; \ + s[7] ^= t ^ s[15]; \ } while (0) /** @@ -722,18 +728,20 @@ static void schwaemm_256_256_authenticate const unsigned char *ad, unsigned long long adlen) { while (adlen > SCHWAEMM_256_256_RATE) { - schwaemm_256_256_rho(s, 0x00); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); sparkle_512(s, 8); ad += SCHWAEMM_256_256_RATE; adlen -= SCHWAEMM_256_256_RATE; } if (adlen == SCHWAEMM_256_256_RATE) { - schwaemm_256_256_rho(s, 0x11); + s[15] ^= DOMAIN(0x11); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); } else { unsigned temp = (unsigned)adlen; - schwaemm_256_256_rho(s, 0x10); + s[15] ^= DOMAIN(0x10); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, ad, temp); ((unsigned char *)s)[temp] ^= 0x80; } @@ -769,7 +777,7 @@ int schwaemm_256_256_aead_encrypt while (mlen > SCHWAEMM_256_256_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s, 0x00); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); sparkle_512(s, 8); memcpy(c, block, SCHWAEMM_256_256_RATE); 
@@ -780,13 +788,15 @@ int schwaemm_256_256_aead_encrypt if (mlen == SCHWAEMM_256_256_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s, 0x13); + s[15] ^= DOMAIN(0x13); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); memcpy(c, block, SCHWAEMM_256_256_RATE); } else { unsigned temp = (unsigned)mlen; lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - schwaemm_256_256_rho(s, 0x12); + s[15] ^= DOMAIN(0x12); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; memcpy(c, block, temp); @@ -833,7 +843,7 @@ int schwaemm_256_256_aead_decrypt while (clen > SCHWAEMM_256_256_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s, 0x00); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); sparkle_512(s, 8); c += SCHWAEMM_256_256_RATE; @@ -843,12 +853,14 @@ int schwaemm_256_256_aead_decrypt if (clen == SCHWAEMM_256_256_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s, 0x13); + s[15] ^= DOMAIN(0x13); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); } else { unsigned temp = (unsigned)clen; lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - schwaemm_256_256_rho(s, 0x12); + s[15] ^= DOMAIN(0x12); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; } diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/aead-common.c b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/aead-common.h b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/api.h b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/api.h deleted file mode 100644 index 420cea6..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 32 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/encrypt.c b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/encrypt.c deleted file mode 100644 index 6063cb6..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@
-
-#include "sparkle.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return schwaemm_256_128_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return schwaemm_256_128_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/internal-sparkle-avr.S b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/internal-sparkle-avr.S
deleted file mode 100644
index 753ea2f..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/internal-sparkle-avr.S
+++ /dev/null
@@ -1,2887 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global sparkle_256 - .type sparkle_256, @function -sparkle_256: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - rcall 129f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 129f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 129f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - rcall 129f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 129f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 129f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 129f - pop r18 - cpi r18,7 - brne 5094f - rjmp 615f -5094: - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 129f - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 129f - ldi r18,128 - ldi r19,88 - ldi r20,113 - 
ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 129f - rjmp 615f -129: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc 
r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - 
eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - std Z+20,r18 - std Z+21,r19 - std Z+22,r20 - std Z+23,r21 - movw r18,r4 - movw r20,r6 - movw r4,r14 - movw r6,r12 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - movw r8,r18 - movw r10,r20 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 
- eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - movw r14,r22 - movw r12,r26 - eor r14,r18 - eor r15,r19 - eor r12,r20 - eor r13,r21 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - movw r22,r16 - movw r26,r24 - eor r22,r28 - eor r23,r29 - eor r26,r2 - eor r27,r3 - movw r28,r14 - movw r2,r12 - ret -615: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_256, .-sparkle_256 - - .text -.global sparkle_384 - .type sparkle_384, @function -sparkle_384: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - rcall 140f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 140f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 140f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - 
rcall 140f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 140f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 140f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 140f - pop r18 - cpi r18,7 - brne 5094f - rjmp 886f -5094: - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 140f - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 140f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 140f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,10 - eor r8,r18 - rcall 140f - rjmp 886f -140: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 
- ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 
- ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - 
rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r22 - std Z+17,r23 - std Z+18,r26 - std Z+19,r27 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - eor r24,r4 - eor r25,r5 - eor r16,r6 - eor r17,r7 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r28,Z+40 - ldd r29,Z+41 - ldd r2,Z+42 - ldd r3,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor 
r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r0,Z+4 - eor r18,r0 - ldd r0,Z+5 - eor r19,r0 - ldd r0,Z+6 - eor r20,r0 - ldd r0,Z+7 - eor r21,r0 - std Z+20,r18 - std Z+21,r19 - std Z+22,r20 - std Z+23,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Z+28,r18 - std Z+29,r19 - std Z+30,r20 - std Z+31,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - std Z+36,r18 - std Z+37,r19 - std Z+38,r20 - std Z+39,r21 - eor r8,r14 - eor r9,r15 - eor r10,r12 - eor r11,r13 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - eor r18,r16 - eor r19,r17 - eor r20,r24 - eor r21,r25 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r28,Z+16 - ldd r29,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - std Z+40,r28 - std Z+41,r29 - std Z+42,r2 - std Z+43,r3 - ld r14,Z - ldd r15,Z+1 - ldd r12,Z+2 - ldd r13,Z+3 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - std Z+24,r14 - std Z+25,r15 - std Z+26,r12 - std Z+27,r13 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - std Z+32,r18 - std Z+33,r19 - std Z+34,r20 - std Z+35,r21 - eor r28,r16 - eor r29,r17 - eor r2,r24 - eor r3,r25 - ret -886: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_384, .-sparkle_384 - - .text -.global sparkle_512 - .type sparkle_512, @function -sparkle_512: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - rcall 151f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 151f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 151f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - rcall 151f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 151f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 151f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 151f - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 151f - pop r18 - cpi r18,8 - brne 5105f - rjmp 1189f -5105: - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 151f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 151f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,10 - eor r8,r18 - rcall 151f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,11 - eor r8,r18 - rcall 151f - rjmp 1189f -151: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - 
movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor 
r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - 
ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r22 - std Z+17,r23 - std Z+18,r26 - std Z+19,r27 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - eor r24,r4 - eor r25,r5 - eor r16,r6 - eor r17,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r28,Z+40 - ldd r29,Z+41 - ldd r2,Z+42 - ldd r3,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - 
ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+32,r22 - std Z+33,r23 - std Z+34,r26 - std 
Z+35,r27 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r28 - std Z+41,r29 - std Z+42,r2 - std Z+43,r3 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r22,Z+48 - ldd r23,Z+49 - ldd r26,Z+50 - ldd r27,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r28,Z+56 - ldd r29,Z+57 - ldd r2,Z+58 - ldd r3,Z+59 - ldd r8,Z+60 - ldd r9,Z+61 - ldd r10,Z+62 - ldd r11,Z+63 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - 
adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - ldd r18,Z+44 - ldd r19,Z+45 - ldd r20,Z+46 - ldd r21,Z+47 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Z+60,r8 - std Z+61,r9 - std Z+62,r10 - std Z+63,r11 - ldd r8,Z+4 - ldd r9,Z+5 - ldd r10,Z+6 - ldd r11,Z+7 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+36,r8 - std Z+37,r9 - std Z+38,r10 - std Z+39,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r8,Z+52 - ldd r9,Z+53 - ldd r10,Z+54 - ldd r11,Z+55 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - ldd r0,Z+60 - eor r14,r0 - ldd r0,Z+61 - eor r15,r0 - ldd r0,Z+62 - eor r12,r0 - ldd r0,Z+63 - eor 
r13,r0 - std Z+20,r14 - std Z+21,r15 - std Z+22,r12 - std Z+23,r13 - movw r4,r18 - movw r6,r20 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - std Z+48,r22 - std Z+49,r23 - std Z+50,r26 - std Z+51,r27 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - eor r18,r16 - eor r19,r17 - eor r20,r24 - eor r21,r25 - eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r14,Z+24 - ldd r15,Z+25 - ldd r12,Z+26 - ldd r13,Z+27 - std Z+56,r14 - std Z+57,r15 - std Z+58,r12 - std Z+59,r13 - ld r14,Z - ldd r15,Z+1 - ldd r12,Z+2 - ldd r13,Z+3 - eor r22,r14 - eor r23,r15 - eor r26,r12 - eor r27,r13 - std Z+24,r22 - std Z+25,r23 - std Z+26,r26 - std Z+27,r27 - std Z+32,r14 - std Z+33,r15 - std Z+34,r12 - std Z+35,r13 - ldd r14,Z+8 - ldd r15,Z+9 - ldd r12,Z+10 - ldd r13,Z+11 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - movw r22,r18 - movw r26,r20 - std Z+40,r14 - std Z+41,r15 - std Z+42,r12 - std Z+43,r13 - ldd r28,Z+48 - ldd r29,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r14,Z+16 - ldd r15,Z+17 - ldd r12,Z+18 - ldd r13,Z+19 - eor r28,r14 - eor r29,r15 - eor r2,r12 - eor r3,r13 - std Z+48,r14 - std Z+49,r15 - std Z+50,r12 - std Z+51,r13 - ldd r0,Z+56 - eor r16,r0 - ldd r0,Z+57 - eor r17,r0 - ldd r0,Z+58 - eor r24,r0 - ldd r0,Z+59 - eor r25,r0 - std Z+16,r16 - std Z+17,r17 - std Z+18,r24 - std Z+19,r25 - ret -1189: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_512, .-sparkle_512 - -#endif 
diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/internal-sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/internal-sparkle.c deleted file mode 100644 index 4a4c0fb..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/internal-sparkle.c +++ /dev/null 
@@ -1,382 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-sparkle.h" - -#if !defined(__AVR__) - -/* The 8 basic round constants from the specification */ -#define RC_0 0xB7E15162 -#define RC_1 0xBF715880 -#define RC_2 0x38B4DA56 -#define RC_3 0x324E7738 -#define RC_4 0xBB1185EB -#define RC_5 0x4F7C7B57 -#define RC_6 0xCFBFA1C8 -#define RC_7 0xC2B3293D - -/* Round constants for all SPARKLE steps; maximum of 12 for SPARKLE-512 */ -static uint32_t const sparkle_rc[12] = { - RC_0, RC_1, RC_2, RC_3, RC_4, RC_5, RC_6, RC_7, - RC_0, RC_1, RC_2, RC_3 -}; - -/** - * \brief Alzette block cipher that implements the ARXbox layer of the - * SPARKLE permutation. - * - * \param x Left half of the 64-bit block. - * \param y Right half of the 64-bit block. - * \param k 32-bit round key. 
- */ -#define alzette(x, y, k) \ - do { \ - (x) += leftRotate1((y)); \ - (y) ^= leftRotate8((x)); \ - (x) ^= (k); \ - (x) += leftRotate15((y)); \ - (y) ^= leftRotate15((x)); \ - (x) ^= (k); \ - (x) += (y); \ - (y) ^= leftRotate1((x)); \ - (x) ^= (k); \ - (x) += leftRotate8((y)); \ - (y) ^= leftRotate16((x)); \ - (x) ^= (k); \ - } while (0) - -void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps) -{ - uint32_t x0, x1, x2, x3; - uint32_t y0, y1, y2, y3; - uint32_t tx, ty; - unsigned step; - - /* Load the SPARKLE-256 state up into local variables */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - x0 = s[0]; - y0 = s[1]; - x1 = s[2]; - y1 = s[3]; - x2 = s[4]; - y2 = s[5]; - x3 = s[6]; - y3 = s[7]; -#else - x0 = le_load_word32((const uint8_t *)&(s[0])); - y0 = le_load_word32((const uint8_t *)&(s[1])); - x1 = le_load_word32((const uint8_t *)&(s[2])); - y1 = le_load_word32((const uint8_t *)&(s[3])); - x2 = le_load_word32((const uint8_t *)&(s[4])); - y2 = le_load_word32((const uint8_t *)&(s[5])); - x3 = le_load_word32((const uint8_t *)&(s[6])); - y3 = le_load_word32((const uint8_t *)&(s[7])); -#endif - - /* Perform all requested steps */ - for (step = 0; step < steps; ++step) { - /* Add round constants */ - y0 ^= sparkle_rc[step]; - y1 ^= step; - - /* ARXbox layer */ - alzette(x0, y0, RC_0); - alzette(x1, y1, RC_1); - alzette(x2, y2, RC_2); - alzette(x3, y3, RC_3); - - /* Linear layer */ - tx = x0 ^ x1; - ty = y0 ^ y1; - tx = leftRotate16(tx ^ (tx << 16)); - ty = leftRotate16(ty ^ (ty << 16)); - y2 ^= tx; - tx ^= y3; - y3 = y1; - y1 = y2 ^ y0; - y2 = y0; - y0 = tx ^ y3; - x2 ^= ty; - ty ^= x3; - x3 = x1; - x1 = x2 ^ x0; - x2 = x0; - x0 = ty ^ x3; - } - - /* Write the local variables back to the SPARKLE-256 state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - s[0] = x0; - s[1] = y0; - s[2] = x1; - s[3] = y1; - s[4] = x2; - s[5] = y2; - s[6] = x3; - s[7] = y3; -#else - le_store_word32((uint8_t *)&(s[0]), x0); - le_store_word32((uint8_t *)&(s[1]), y0); - 
le_store_word32((uint8_t *)&(s[2]), x1); - le_store_word32((uint8_t *)&(s[3]), y1); - le_store_word32((uint8_t *)&(s[4]), x2); - le_store_word32((uint8_t *)&(s[5]), y2); - le_store_word32((uint8_t *)&(s[6]), x3); - le_store_word32((uint8_t *)&(s[7]), y3); -#endif -} - -void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps) -{ - uint32_t x0, x1, x2, x3, x4, x5; - uint32_t y0, y1, y2, y3, y4, y5; - uint32_t tx, ty; - unsigned step; - - /* Load the SPARKLE-384 state up into local variables */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - x0 = s[0]; - y0 = s[1]; - x1 = s[2]; - y1 = s[3]; - x2 = s[4]; - y2 = s[5]; - x3 = s[6]; - y3 = s[7]; - x4 = s[8]; - y4 = s[9]; - x5 = s[10]; - y5 = s[11]; -#else - x0 = le_load_word32((const uint8_t *)&(s[0])); - y0 = le_load_word32((const uint8_t *)&(s[1])); - x1 = le_load_word32((const uint8_t *)&(s[2])); - y1 = le_load_word32((const uint8_t *)&(s[3])); - x2 = le_load_word32((const uint8_t *)&(s[4])); - y2 = le_load_word32((const uint8_t *)&(s[5])); - x3 = le_load_word32((const uint8_t *)&(s[6])); - y3 = le_load_word32((const uint8_t *)&(s[7])); - x4 = le_load_word32((const uint8_t *)&(s[8])); - y4 = le_load_word32((const uint8_t *)&(s[9])); - x5 = le_load_word32((const uint8_t *)&(s[10])); - y5 = le_load_word32((const uint8_t *)&(s[11])); -#endif - - /* Perform all requested steps */ - for (step = 0; step < steps; ++step) { - /* Add round constants */ - y0 ^= sparkle_rc[step]; - y1 ^= step; - - /* ARXbox layer */ - alzette(x0, y0, RC_0); - alzette(x1, y1, RC_1); - alzette(x2, y2, RC_2); - alzette(x3, y3, RC_3); - alzette(x4, y4, RC_4); - alzette(x5, y5, RC_5); - - /* Linear layer */ - tx = x0 ^ x1 ^ x2; - ty = y0 ^ y1 ^ y2; - tx = leftRotate16(tx ^ (tx << 16)); - ty = leftRotate16(ty ^ (ty << 16)); - y3 ^= tx; - y4 ^= tx; - tx ^= y5; - y5 = y2; - y2 = y3 ^ y0; - y3 = y0; - y0 = y4 ^ y1; - y4 = y1; - y1 = tx ^ y5; - x3 ^= ty; - x4 ^= ty; - ty ^= x5; - x5 = x2; - x2 = x3 ^ x0; - x3 = x0; - x0 = x4 ^ x1; - x4 = x1; - x1 = ty ^ 
x5; - } - - /* Write the local variables back to the SPARKLE-384 state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - s[0] = x0; - s[1] = y0; - s[2] = x1; - s[3] = y1; - s[4] = x2; - s[5] = y2; - s[6] = x3; - s[7] = y3; - s[8] = x4; - s[9] = y4; - s[10] = x5; - s[11] = y5; -#else - le_store_word32((uint8_t *)&(s[0]), x0); - le_store_word32((uint8_t *)&(s[1]), y0); - le_store_word32((uint8_t *)&(s[2]), x1); - le_store_word32((uint8_t *)&(s[3]), y1); - le_store_word32((uint8_t *)&(s[4]), x2); - le_store_word32((uint8_t *)&(s[5]), y2); - le_store_word32((uint8_t *)&(s[6]), x3); - le_store_word32((uint8_t *)&(s[7]), y3); - le_store_word32((uint8_t *)&(s[8]), x4); - le_store_word32((uint8_t *)&(s[9]), y4); - le_store_word32((uint8_t *)&(s[10]), x5); - le_store_word32((uint8_t *)&(s[11]), y5); -#endif -} - -void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) -{ - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t y0, y1, y2, y3, y4, y5, y6, y7; - uint32_t tx, ty; - unsigned step; - - /* Load the SPARKLE-512 state up into local variables */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - x0 = s[0]; - y0 = s[1]; - x1 = s[2]; - y1 = s[3]; - x2 = s[4]; - y2 = s[5]; - x3 = s[6]; - y3 = s[7]; - x4 = s[8]; - y4 = s[9]; - x5 = s[10]; - y5 = s[11]; - x6 = s[12]; - y6 = s[13]; - x7 = s[14]; - y7 = s[15]; -#else - x0 = le_load_word32((const uint8_t *)&(s[0])); - y0 = le_load_word32((const uint8_t *)&(s[1])); - x1 = le_load_word32((const uint8_t *)&(s[2])); - y1 = le_load_word32((const uint8_t *)&(s[3])); - x2 = le_load_word32((const uint8_t *)&(s[4])); - y2 = le_load_word32((const uint8_t *)&(s[5])); - x3 = le_load_word32((const uint8_t *)&(s[6])); - y3 = le_load_word32((const uint8_t *)&(s[7])); - x4 = le_load_word32((const uint8_t *)&(s[8])); - y4 = le_load_word32((const uint8_t *)&(s[9])); - x5 = le_load_word32((const uint8_t *)&(s[10])); - y5 = le_load_word32((const uint8_t *)&(s[11])); - x6 = le_load_word32((const uint8_t *)&(s[12])); - y6 = le_load_word32((const uint8_t 
*)&(s[13])); - x7 = le_load_word32((const uint8_t *)&(s[14])); - y7 = le_load_word32((const uint8_t *)&(s[15])); -#endif - - /* Perform all requested steps */ - for (step = 0; step < steps; ++step) { - /* Add round constants */ - y0 ^= sparkle_rc[step]; - y1 ^= step; - - /* ARXbox layer */ - alzette(x0, y0, RC_0); - alzette(x1, y1, RC_1); - alzette(x2, y2, RC_2); - alzette(x3, y3, RC_3); - alzette(x4, y4, RC_4); - alzette(x5, y5, RC_5); - alzette(x6, y6, RC_6); - alzette(x7, y7, RC_7); - - /* Linear layer */ - tx = x0 ^ x1 ^ x2 ^ x3; - ty = y0 ^ y1 ^ y2 ^ y3; - tx = leftRotate16(tx ^ (tx << 16)); - ty = leftRotate16(ty ^ (ty << 16)); - y4 ^= tx; - y5 ^= tx; - y6 ^= tx; - tx ^= y7; - y7 = y3; - y3 = y4 ^ y0; - y4 = y0; - y0 = y5 ^ y1; - y5 = y1; - y1 = y6 ^ y2; - y6 = y2; - y2 = tx ^ y7; - x4 ^= ty; - x5 ^= ty; - x6 ^= ty; - ty ^= x7; - x7 = x3; - x3 = x4 ^ x0; - x4 = x0; - x0 = x5 ^ x1; - x5 = x1; - x1 = x6 ^ x2; - x6 = x2; - x2 = ty ^ x7; - } - - /* Write the local variables back to the SPARKLE-512 state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - s[0] = x0; - s[1] = y0; - s[2] = x1; - s[3] = y1; - s[4] = x2; - s[5] = y2; - s[6] = x3; - s[7] = y3; - s[8] = x4; - s[9] = y4; - s[10] = x5; - s[11] = y5; - s[12] = x6; - s[13] = y6; - s[14] = x7; - s[15] = y7; -#else - le_store_word32((uint8_t *)&(s[0]), x0); - le_store_word32((uint8_t *)&(s[1]), y0); - le_store_word32((uint8_t *)&(s[2]), x1); - le_store_word32((uint8_t *)&(s[3]), y1); - le_store_word32((uint8_t *)&(s[4]), x2); - le_store_word32((uint8_t *)&(s[5]), y2); - le_store_word32((uint8_t *)&(s[6]), x3); - le_store_word32((uint8_t *)&(s[7]), y3); - le_store_word32((uint8_t *)&(s[8]), x4); - le_store_word32((uint8_t *)&(s[9]), y4); - le_store_word32((uint8_t *)&(s[10]), x5); - le_store_word32((uint8_t *)&(s[11]), y5); - le_store_word32((uint8_t *)&(s[12]), x6); - le_store_word32((uint8_t *)&(s[13]), y6); - le_store_word32((uint8_t *)&(s[14]), x7); - le_store_word32((uint8_t *)&(s[15]), y7); -#endif -} - -#endif 
diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/internal-sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/internal-sparkle.h deleted file mode 100644 index fbdabc1..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/internal-sparkle.h +++ /dev/null 
@@ -1,82 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SPARKLE_H -#define LW_INTERNAL_SPARKLE_H - -#include "internal-util.h" - -/** - * \file internal-sparkle.h - * \brief Internal implementation of the SPARKLE permutation. - * - * References: https://www.cryptolux.org/index.php/Sparkle - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the state for SPARKLE-256. - */ -#define SPARKLE_256_STATE_SIZE 8 - -/** - * \brief Size of the state for SPARKLE-384. - */ -#define SPARKLE_384_STATE_SIZE 12 - -/** - * \brief Size of the state for SPARKLE-512. - */ -#define SPARKLE_512_STATE_SIZE 16 - -/** - * \brief Performs the SPARKLE-256 permutation. - * - * \param s The words of the SPARKLE-256 state in little-endian byte order. - * \param steps The number of steps to perform, 7 or 10. 
- */ -void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps); - -/** - * \brief Performs the SPARKLE-384 permutation. - * - * \param s The words of the SPARKLE-384 state in little-endian byte order. - * \param steps The number of steps to perform, 7 or 11. - */ -void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps); - -/** - * \brief Performs the SPARKLE-512 permutation. - * - * \param s The words of the SPARKLE-512 state in little-endian byte order. - * \param steps The number of steps to perform, 8 or 12. - */ -void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/internal-util.h b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/sparkle.c deleted file mode 100644 index e2aa25a..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/sparkle.c +++ /dev/null 
@@ -1,1135 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "sparkle.h" -#include "internal-sparkle.h" -#include - -aead_cipher_t const schwaemm_256_128_cipher = { - "Schwaemm256-128", - SCHWAEMM_256_128_KEY_SIZE, - SCHWAEMM_256_128_NONCE_SIZE, - SCHWAEMM_256_128_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - schwaemm_256_128_aead_encrypt, - schwaemm_256_128_aead_decrypt -}; - -aead_cipher_t const schwaemm_192_192_cipher = { - "Schwaemm192-192", - SCHWAEMM_192_192_KEY_SIZE, - SCHWAEMM_192_192_NONCE_SIZE, - SCHWAEMM_192_192_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - schwaemm_192_192_aead_encrypt, - schwaemm_192_192_aead_decrypt -}; - -aead_cipher_t const schwaemm_128_128_cipher = { - "Schwaemm128-128", - SCHWAEMM_128_128_KEY_SIZE, - SCHWAEMM_128_128_NONCE_SIZE, - SCHWAEMM_128_128_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - schwaemm_128_128_aead_encrypt, - schwaemm_128_128_aead_decrypt -}; - -aead_cipher_t const schwaemm_256_256_cipher = { - "Schwaemm256-256", - SCHWAEMM_256_256_KEY_SIZE, - SCHWAEMM_256_256_NONCE_SIZE, - SCHWAEMM_256_256_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - schwaemm_256_256_aead_encrypt, - schwaemm_256_256_aead_decrypt -}; - -aead_hash_algorithm_t const esch_256_hash_algorithm = { - "Esch256", - sizeof(esch_256_hash_state_t), - ESCH_256_HASH_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - esch_256_hash, - (aead_hash_init_t)esch_256_hash_init, - (aead_hash_update_t)esch_256_hash_update, - (aead_hash_finalize_t)esch_256_hash_finalize, - (aead_xof_absorb_t)0, - (aead_xof_squeeze_t)0 -}; - -aead_hash_algorithm_t const esch_384_hash_algorithm = { - "Esch384", - sizeof(esch_384_hash_state_t), - ESCH_384_HASH_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - esch_384_hash, - (aead_hash_init_t)esch_384_hash_init, - (aead_hash_update_t)esch_384_hash_update, - (aead_hash_finalize_t)esch_384_hash_finalize, - (aead_xof_absorb_t)0, - (aead_xof_squeeze_t)0 -}; - -/** - * \def DOMAIN(value) - * \brief Build a domain separation value as a 32-bit word. - * - * \param value The base value. - * \return The domain separation value as a 32-bit word. 
- */ -#if defined(LW_UTIL_LITTLE_ENDIAN) -#define DOMAIN(value) (((uint32_t)(value)) << 24) -#else -#define DOMAIN(value) (value) -#endif - -/** - * \brief Rate at which bytes are processed by Schwaemm256-128. - */ -#define SCHWAEMM_256_128_RATE 32 - -/** - * \brief Pointer to the left of the state for Schwaemm256-128. - */ -#define SCHWAEMM_256_128_LEFT(s) ((unsigned char *)&(s[0])) - -/** - * \brief Pointer to the right of the state for Schwaemm256-128. - */ -#define SCHWAEMM_256_128_RIGHT(s) \ - (SCHWAEMM_256_128_LEFT(s) + SCHWAEMM_256_128_RATE) - -/** - * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128. - * - * \param s SPARKLE-384 state. - */ -#define schwaemm_256_128_rho(s) \ - do { \ - uint32_t t = s[0]; \ - s[0] = s[4] ^ s[8]; \ - s[4] ^= t ^ s[8]; \ - t = s[1]; \ - s[1] = s[5] ^ s[9]; \ - s[5] ^= t ^ s[9]; \ - t = s[2]; \ - s[2] = s[6] ^ s[10]; \ - s[6] ^= t ^ s[10]; \ - t = s[3]; \ - s[3] = s[7] ^ s[11]; \ - s[7] ^= t ^ s[11]; \ - } while (0) - -/** - * \brief Authenticates the associated data for Schwaemm256-128. - * - * \param s SPARKLE-384 state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data; must be >= 1. 
- */ -static void schwaemm_256_128_authenticate - (uint32_t s[SPARKLE_384_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen > SCHWAEMM_256_128_RATE) { - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); - sparkle_384(s, 7); - ad += SCHWAEMM_256_128_RATE; - adlen -= SCHWAEMM_256_128_RATE; - } - if (adlen == SCHWAEMM_256_128_RATE) { - s[11] ^= DOMAIN(0x05); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); - } else { - unsigned temp = (unsigned)adlen; - s[11] ^= DOMAIN(0x04); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, ad, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_384(s, 11); -} - -int schwaemm_256_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - uint8_t block[SCHWAEMM_256_128_RATE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SCHWAEMM_256_128_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); - memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); - sparkle_384(s, 11); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_256_128_authenticate(s, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > SCHWAEMM_256_128_RATE) { - lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); - sparkle_384(s, 7); - memcpy(c, block, SCHWAEMM_256_128_RATE); - c += SCHWAEMM_256_128_RATE; - m += SCHWAEMM_256_128_RATE; - mlen -= SCHWAEMM_256_128_RATE; - } - if (mlen == SCHWAEMM_256_128_RATE) { - 
lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); - s[11] ^= DOMAIN(0x07); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); - memcpy(c, block, SCHWAEMM_256_128_RATE); - } else { - unsigned temp = (unsigned)mlen; - lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - s[11] ^= DOMAIN(0x06); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - memcpy(c, block, temp); - } - sparkle_384(s, 11); - c += mlen; - } - - /* Generate the authentication tag */ - lw_xor_block_2_src - (c, SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); - return 0; -} - -int schwaemm_256_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SCHWAEMM_256_128_TAG_SIZE) - return -1; - *mlen = clen - SCHWAEMM_256_128_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); - memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); - sparkle_384(s, 11); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_256_128_authenticate(s, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SCHWAEMM_256_128_TAG_SIZE; - if (clen > 0) { - while (clen > SCHWAEMM_256_128_RATE) { - lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); - sparkle_384(s, 7); - c += SCHWAEMM_256_128_RATE; - m += SCHWAEMM_256_128_RATE; - clen -= SCHWAEMM_256_128_RATE; - } - if (clen == SCHWAEMM_256_128_RATE) { - 
lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); - s[11] ^= DOMAIN(0x07); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); - } else { - unsigned temp = (unsigned)clen; - lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - s[11] ^= DOMAIN(0x06); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_384(s, 11); - c += clen; - } - - /* Check the authentication tag */ - lw_xor_block(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); - return aead_check_tag - (mtemp, *mlen, SCHWAEMM_256_128_RIGHT(s), c, SCHWAEMM_256_128_TAG_SIZE); -} - -/** - * \brief Rate at which bytes are processed by Schwaemm192-192. - */ -#define SCHWAEMM_192_192_RATE 24 - -/** - * \brief Pointer to the left of the state for Schwaemm192-192. - */ -#define SCHWAEMM_192_192_LEFT(s) ((unsigned char *)&(s[0])) - -/** - * \brief Pointer to the right of the state for Schwaemm192-192. - */ -#define SCHWAEMM_192_192_RIGHT(s) \ - (SCHWAEMM_192_192_LEFT(s) + SCHWAEMM_192_192_RATE) - -/** - * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192. - * - * \param s SPARKLE-384 state. - */ -#define schwaemm_192_192_rho(s) \ - do { \ - uint32_t t = s[0]; \ - s[0] = s[3] ^ s[6]; \ - s[3] ^= t ^ s[9]; \ - t = s[1]; \ - s[1] = s[4] ^ s[7]; \ - s[4] ^= t ^ s[10]; \ - t = s[2]; \ - s[2] = s[5] ^ s[8]; \ - s[5] ^= t ^ s[11]; \ - } while (0) - -/** - * \brief Authenticates the associated data for Schwaemm192-192. - * - * \param s SPARKLE-384 state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data; must be >= 1. 
- */ -static void schwaemm_192_192_authenticate - (uint32_t s[SPARKLE_384_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen > SCHWAEMM_192_192_RATE) { - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); - sparkle_384(s, 7); - ad += SCHWAEMM_192_192_RATE; - adlen -= SCHWAEMM_192_192_RATE; - } - if (adlen == SCHWAEMM_192_192_RATE) { - s[11] ^= DOMAIN(0x09); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); - } else { - unsigned temp = (unsigned)adlen; - s[11] ^= DOMAIN(0x08); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, ad, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_384(s, 11); -} - -int schwaemm_192_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - uint8_t block[SCHWAEMM_192_192_RATE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SCHWAEMM_192_192_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); - memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); - sparkle_384(s, 11); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_192_192_authenticate(s, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > SCHWAEMM_192_192_RATE) { - lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); - sparkle_384(s, 7); - memcpy(c, block, SCHWAEMM_192_192_RATE); - c += SCHWAEMM_192_192_RATE; - m += SCHWAEMM_192_192_RATE; - mlen -= SCHWAEMM_192_192_RATE; - } - if (mlen == SCHWAEMM_192_192_RATE) { - 
lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); - s[11] ^= DOMAIN(0x0B); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); - memcpy(c, block, SCHWAEMM_192_192_RATE); - } else { - unsigned temp = (unsigned)mlen; - lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - s[11] ^= DOMAIN(0x0A); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - memcpy(c, block, temp); - } - sparkle_384(s, 11); - c += mlen; - } - - /* Generate the authentication tag */ - lw_xor_block_2_src - (c, SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); - return 0; -} - -int schwaemm_192_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SCHWAEMM_192_192_TAG_SIZE) - return -1; - *mlen = clen - SCHWAEMM_192_192_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); - memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); - sparkle_384(s, 11); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_192_192_authenticate(s, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SCHWAEMM_192_192_TAG_SIZE; - if (clen > 0) { - while (clen > SCHWAEMM_192_192_RATE) { - lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); - sparkle_384(s, 7); - c += SCHWAEMM_192_192_RATE; - m += SCHWAEMM_192_192_RATE; - clen -= SCHWAEMM_192_192_RATE; - } - if (clen == SCHWAEMM_192_192_RATE) { - 
lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); - s[11] ^= DOMAIN(0x0B); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); - } else { - unsigned temp = (unsigned)clen; - lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - s[11] ^= DOMAIN(0x0A); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_384(s, 11); - c += clen; - } - - /* Check the authentication tag */ - lw_xor_block(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); - return aead_check_tag - (mtemp, *mlen, SCHWAEMM_192_192_RIGHT(s), c, SCHWAEMM_192_192_TAG_SIZE); -} - -/** - * \brief Rate at which bytes are processed by Schwaemm128-128. - */ -#define SCHWAEMM_128_128_RATE 16 - -/** - * \brief Pointer to the left of the state for Schwaemm128-128. - */ -#define SCHWAEMM_128_128_LEFT(s) ((unsigned char *)&(s[0])) - -/** - * \brief Pointer to the right of the state for Schwaemm128-128. - */ -#define SCHWAEMM_128_128_RIGHT(s) \ - (SCHWAEMM_128_128_LEFT(s) + SCHWAEMM_128_128_RATE) - -/** - * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128. - * - * \param s SPARKLE-256 state. - */ -#define schwaemm_128_128_rho(s) \ - do { \ - uint32_t t = s[0]; \ - s[0] = s[2] ^ s[4]; \ - s[2] ^= t ^ s[6]; \ - t = s[1]; \ - s[1] = s[3] ^ s[5]; \ - s[3] ^= t ^ s[7]; \ - } while (0) - -/** - * \brief Authenticates the associated data for Schwaemm128-128. - * - * \param s SPARKLE-256 state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data; must be >= 1. 
- */ -static void schwaemm_128_128_authenticate - (uint32_t s[SPARKLE_256_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen > SCHWAEMM_128_128_RATE) { - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); - sparkle_256(s, 7); - ad += SCHWAEMM_128_128_RATE; - adlen -= SCHWAEMM_128_128_RATE; - } - if (adlen == SCHWAEMM_128_128_RATE) { - s[7] ^= DOMAIN(0x05); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); - } else { - unsigned temp = (unsigned)adlen; - s[7] ^= DOMAIN(0x04); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, ad, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_256(s, 10); -} - -int schwaemm_128_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_256_STATE_SIZE]; - uint8_t block[SCHWAEMM_128_128_RATE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SCHWAEMM_128_128_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); - memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); - sparkle_256(s, 10); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_128_128_authenticate(s, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > SCHWAEMM_128_128_RATE) { - lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); - sparkle_256(s, 7); - memcpy(c, block, SCHWAEMM_128_128_RATE); - c += SCHWAEMM_128_128_RATE; - m += SCHWAEMM_128_128_RATE; - mlen -= SCHWAEMM_128_128_RATE; - } - if (mlen == SCHWAEMM_128_128_RATE) { - 
lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); - s[7] ^= DOMAIN(0x07); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); - memcpy(c, block, SCHWAEMM_128_128_RATE); - } else { - unsigned temp = (unsigned)mlen; - lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - s[7] ^= DOMAIN(0x06); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - memcpy(c, block, temp); - } - sparkle_256(s, 10); - c += mlen; - } - - /* Generate the authentication tag */ - lw_xor_block_2_src - (c, SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); - return 0; -} - -int schwaemm_128_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_256_STATE_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SCHWAEMM_128_128_TAG_SIZE) - return -1; - *mlen = clen - SCHWAEMM_128_128_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); - memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); - sparkle_256(s, 10); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_128_128_authenticate(s, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SCHWAEMM_128_128_TAG_SIZE; - if (clen > 0) { - while (clen > SCHWAEMM_128_128_RATE) { - lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); - sparkle_256(s, 7); - c += SCHWAEMM_128_128_RATE; - m += SCHWAEMM_128_128_RATE; - clen -= SCHWAEMM_128_128_RATE; - } - if (clen == SCHWAEMM_128_128_RATE) { - 
lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); - s[7] ^= DOMAIN(0x07); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); - } else { - unsigned temp = (unsigned)clen; - lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - s[7] ^= DOMAIN(0x06); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_256(s, 10); - c += clen; - } - - /* Check the authentication tag */ - lw_xor_block(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); - return aead_check_tag - (mtemp, *mlen, SCHWAEMM_128_128_RIGHT(s), c, SCHWAEMM_128_128_TAG_SIZE); -} - -/** - * \brief Rate at which bytes are processed by Schwaemm256-256. - */ -#define SCHWAEMM_256_256_RATE 32 - -/** - * \brief Pointer to the left of the state for Schwaemm256-256. - */ -#define SCHWAEMM_256_256_LEFT(s) ((unsigned char *)&(s[0])) - -/** - * \brief Pointer to the right of the state for Schwaemm256-256. - */ -#define SCHWAEMM_256_256_RIGHT(s) \ - (SCHWAEMM_256_256_LEFT(s) + SCHWAEMM_256_256_RATE) - -/** - * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256. - * - * \param s SPARKLE-512 state. - */ -#define schwaemm_256_256_rho(s) \ - do { \ - uint32_t t = s[0]; \ - s[0] = s[4] ^ s[8]; \ - s[4] ^= t ^ s[12]; \ - t = s[1]; \ - s[1] = s[5] ^ s[9]; \ - s[5] ^= t ^ s[13]; \ - t = s[2]; \ - s[2] = s[6] ^ s[10]; \ - s[6] ^= t ^ s[14]; \ - t = s[3]; \ - s[3] = s[7] ^ s[11]; \ - s[7] ^= t ^ s[15]; \ - } while (0) - -/** - * \brief Authenticates the associated data for Schwaemm256-256. - * - * \param s SPARKLE-512 state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data; must be >= 1. 
- */ -static void schwaemm_256_256_authenticate - (uint32_t s[SPARKLE_512_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen > SCHWAEMM_256_256_RATE) { - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); - sparkle_512(s, 8); - ad += SCHWAEMM_256_256_RATE; - adlen -= SCHWAEMM_256_256_RATE; - } - if (adlen == SCHWAEMM_256_256_RATE) { - s[15] ^= DOMAIN(0x11); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); - } else { - unsigned temp = (unsigned)adlen; - s[15] ^= DOMAIN(0x10); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, ad, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_512(s, 12); -} - -int schwaemm_256_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_512_STATE_SIZE]; - uint8_t block[SCHWAEMM_256_256_RATE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SCHWAEMM_256_256_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); - memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); - sparkle_512(s, 12); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_256_256_authenticate(s, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > SCHWAEMM_256_256_RATE) { - lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); - sparkle_512(s, 8); - memcpy(c, block, SCHWAEMM_256_256_RATE); - c += SCHWAEMM_256_256_RATE; - m += SCHWAEMM_256_256_RATE; - mlen -= SCHWAEMM_256_256_RATE; - } - if (mlen == SCHWAEMM_256_256_RATE) { - 
lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); - s[15] ^= DOMAIN(0x13); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); - memcpy(c, block, SCHWAEMM_256_256_RATE); - } else { - unsigned temp = (unsigned)mlen; - lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - s[15] ^= DOMAIN(0x12); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - memcpy(c, block, temp); - } - sparkle_512(s, 12); - c += mlen; - } - - /* Generate the authentication tag */ - lw_xor_block_2_src - (c, SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); - return 0; -} - -int schwaemm_256_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_512_STATE_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SCHWAEMM_256_256_TAG_SIZE) - return -1; - *mlen = clen - SCHWAEMM_256_256_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); - memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); - sparkle_512(s, 12); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_256_256_authenticate(s, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SCHWAEMM_256_256_TAG_SIZE; - if (clen > 0) { - while (clen > SCHWAEMM_256_256_RATE) { - lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); - sparkle_512(s, 8); - c += SCHWAEMM_256_256_RATE; - m += SCHWAEMM_256_256_RATE; - clen -= SCHWAEMM_256_256_RATE; - } - if (clen == SCHWAEMM_256_256_RATE) { - 
lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); - s[15] ^= DOMAIN(0x13); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); - } else { - unsigned temp = (unsigned)clen; - lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - s[15] ^= DOMAIN(0x12); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_512(s, 12); - c += clen; - } - - /* Check the authentication tag */ - lw_xor_block(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); - return aead_check_tag - (mtemp, *mlen, SCHWAEMM_256_256_RIGHT(s), c, SCHWAEMM_256_256_TAG_SIZE); -} - -/** - * \brief Rate at which bytes are processed by Esch256. - */ -#define ESCH_256_RATE 16 - -/** - * \brief Perform the M3 step for Esch256 to mix the input with the state. - * - * \param s SPARKLE-384 state. - * \param block Block of input data that has been padded to the rate. - * \param domain Domain separator for this phase. - */ -#define esch_256_m3(s, block, domain) \ - do { \ - uint32_t tx = (block)[0] ^ (block)[2]; \ - uint32_t ty = (block)[1] ^ (block)[3]; \ - tx = leftRotate16(tx ^ (tx << 16)); \ - ty = leftRotate16(ty ^ (ty << 16)); \ - s[0] ^= (block)[0] ^ ty; \ - s[1] ^= (block)[1] ^ tx; \ - s[2] ^= (block)[2] ^ ty; \ - s[3] ^= (block)[3] ^ tx; \ - if ((domain) != 0) \ - s[5] ^= DOMAIN(domain); \ - s[4] ^= ty; \ - s[5] ^= tx; \ - } while (0) - -/** @cond esch_256 */ - -/** - * \brief Word-based state for the Esch256 incremental hash mode. 
- */ -typedef union -{ - struct { - uint32_t state[SPARKLE_384_STATE_SIZE]; - uint32_t block[4]; - unsigned char count; - } s; - unsigned long long align; - -} esch_256_hash_state_wt; - -/** @endcond */ - -int esch_256_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - uint32_t block[ESCH_256_RATE / 4]; - memset(s, 0, sizeof(s)); - while (inlen > ESCH_256_RATE) { - memcpy(block, in, ESCH_256_RATE); - esch_256_m3(s, block, 0x00); - sparkle_384(s, 7); - in += ESCH_256_RATE; - inlen -= ESCH_256_RATE; - } - if (inlen == ESCH_256_RATE) { - memcpy(block, in, ESCH_256_RATE); - esch_256_m3(s, block, 0x02); - } else { - unsigned temp = (unsigned)inlen; - memcpy(block, in, temp); - ((unsigned char *)block)[temp] = 0x80; - memset(((unsigned char *)block) + temp + 1, 0, - ESCH_256_RATE - temp - 1); - esch_256_m3(s, block, 0x01); - } - sparkle_384(s, 11); - memcpy(out, s, ESCH_256_RATE); - sparkle_384(s, 7); - memcpy(out + ESCH_256_RATE, s, ESCH_256_RATE); - return 0; -} - -void esch_256_hash_init(esch_256_hash_state_t *state) -{ - memset(state, 0, sizeof(esch_256_hash_state_t)); -} - -void esch_256_hash_update - (esch_256_hash_state_t *state, const unsigned char *in, - unsigned long long inlen) -{ - esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; - unsigned temp; - while (inlen > 0) { - if (st->s.count == ESCH_256_RATE) { - esch_256_m3(st->s.state, st->s.block, 0x00); - sparkle_384(st->s.state, 7); - st->s.count = 0; - } - temp = ESCH_256_RATE - st->s.count; - if (temp > inlen) - temp = (unsigned)inlen; - memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); - st->s.count += temp; - in += temp; - inlen -= temp; - } -} - -void esch_256_hash_finalize - (esch_256_hash_state_t *state, unsigned char *out) -{ - esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; - - /* Pad and process the last block */ - if (st->s.count == ESCH_256_RATE) { - esch_256_m3(st->s.state, 
st->s.block, 0x02); - } else { - unsigned temp = st->s.count; - ((unsigned char *)(st->s.block))[temp] = 0x80; - memset(((unsigned char *)(st->s.block)) + temp + 1, 0, - ESCH_256_RATE - temp - 1); - esch_256_m3(st->s.state, st->s.block, 0x01); - } - sparkle_384(st->s.state, 11); - - /* Generate the final hash value */ - memcpy(out, st->s.state, ESCH_256_RATE); - sparkle_384(st->s.state, 7); - memcpy(out + ESCH_256_RATE, st->s.state, ESCH_256_RATE); -} - -/** - * \brief Rate at which bytes are processed by Esch384. - */ -#define ESCH_384_RATE 16 - -/** - * \brief Perform the M4 step for Esch384 to mix the input with the state. - * - * \param s SPARKLE-512 state. - * \param block Block of input data that has been padded to the rate. - * \param domain Domain separator for this phase. - */ -#define esch_384_m4(s, block, domain) \ - do { \ - uint32_t tx = block[0] ^ block[2]; \ - uint32_t ty = block[1] ^ block[3]; \ - tx = leftRotate16(tx ^ (tx << 16)); \ - ty = leftRotate16(ty ^ (ty << 16)); \ - s[0] ^= block[0] ^ ty; \ - s[1] ^= block[1] ^ tx; \ - s[2] ^= block[2] ^ ty; \ - s[3] ^= block[3] ^ tx; \ - if ((domain) != 0) \ - s[7] ^= DOMAIN(domain); \ - s[4] ^= ty; \ - s[5] ^= tx; \ - s[6] ^= ty; \ - s[7] ^= tx; \ - } while (0) - -/** @cond esch_384 */ - -/** - * \brief Word-based state for the Esch384 incremental hash mode. 
- */ -typedef union -{ - struct { - uint32_t state[SPARKLE_512_STATE_SIZE]; - uint32_t block[4]; - unsigned char count; - } s; - unsigned long long align; - -} esch_384_hash_state_wt; - -/** @endcond */ - -int esch_384_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - uint32_t s[SPARKLE_512_STATE_SIZE]; - uint32_t block[ESCH_256_RATE / 4]; - memset(s, 0, sizeof(s)); - while (inlen > ESCH_384_RATE) { - memcpy(block, in, ESCH_384_RATE); - esch_384_m4(s, block, 0x00); - sparkle_512(s, 8); - in += ESCH_384_RATE; - inlen -= ESCH_384_RATE; - } - if (inlen == ESCH_384_RATE) { - memcpy(block, in, ESCH_384_RATE); - esch_384_m4(s, block, 0x02); - } else { - unsigned temp = (unsigned)inlen; - memcpy(block, in, temp); - ((unsigned char *)block)[temp] = 0x80; - memset(((unsigned char *)block) + temp + 1, 0, - ESCH_384_RATE - temp - 1); - esch_384_m4(s, block, 0x01); - } - sparkle_512(s, 12); - memcpy(out, s, ESCH_384_RATE); - sparkle_512(s, 8); - memcpy(out + ESCH_384_RATE, s, ESCH_384_RATE); - sparkle_512(s, 8); - memcpy(out + ESCH_384_RATE * 2, s, ESCH_384_RATE); - return 0; -} - -void esch_384_hash_init(esch_384_hash_state_t *state) -{ - memset(state, 0, sizeof(esch_384_hash_state_t)); -} - -void esch_384_hash_update - (esch_384_hash_state_t *state, const unsigned char *in, - unsigned long long inlen) -{ - esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; - unsigned temp; - while (inlen > 0) { - if (st->s.count == ESCH_384_RATE) { - esch_384_m4(st->s.state, st->s.block, 0x00); - sparkle_512(st->s.state, 8); - st->s.count = 0; - } - temp = ESCH_384_RATE - st->s.count; - if (temp > inlen) - temp = (unsigned)inlen; - memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); - st->s.count += temp; - in += temp; - inlen -= temp; - } -} - -void esch_384_hash_finalize - (esch_384_hash_state_t *state, unsigned char *out) -{ - esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; - - /* Pad and process the last block */ - 
if (st->s.count == ESCH_384_RATE) { - esch_384_m4(st->s.state, st->s.block, 0x02); - } else { - unsigned temp = st->s.count; - ((unsigned char *)(st->s.block))[temp] = 0x80; - memset(((unsigned char *)(st->s.block)) + temp + 1, 0, - ESCH_384_RATE - temp - 1); - esch_384_m4(st->s.state, st->s.block, 0x01); - } - sparkle_512(st->s.state, 12); - - /* Generate the final hash value */ - memcpy(out, st->s.state, ESCH_384_RATE); - sparkle_512(st->s.state, 8); - memcpy(out + ESCH_384_RATE, st->s.state, ESCH_384_RATE); - sparkle_512(st->s.state, 8); - memcpy(out + ESCH_384_RATE * 2, st->s.state, ESCH_384_RATE); -} diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/sparkle.h deleted file mode 100644 index dd0999e..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys-avr/sparkle.h +++ /dev/null 
@@ -1,515 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SPARKLE_H -#define LWCRYPTO_SPARKLE_H - -#include "aead-common.h" - -/** - * \file sparkle.h - * \brief Encryption and hash algorithms based on the SPARKLE permutation. - * - * SPARKLE is a family of encryption and hash algorithms that are based - * around the SPARKLE permutation. There are three versions of the - * permutation with 256-bit, 384-bit, and 512-bit state sizes. - * The algorithms in the family are: - * - * \li Schwaemm256-128 with a 128-bit key, a 256-bit nonce, and a 128-bit tag. - * This is the primary encryption algorithm in the family. - * \li Schwaemm192-192 with a 192-bit key, a 192-bit nonce, and a 192-bit tag. - * \li Schwaemm128-128 with a 128-bit key, a 128-bit nonce, and a 128-bit tag. - * \li Schwaemm256-256 with a 256-bit key, a 256-bit nonce, and a 256-bit tag. 
- * \li Esch256 hash algorithm with a 256-bit digest output. This is the - * primary hash algorithm in the family. - * \li Esch384 hash algorithm with a 384-bit digest output. - * - * References: https://www.cryptolux.org/index.php/Sparkle - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for Schwaemm256-128. - */ -#define SCHWAEMM_256_128_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Schwaemm256-128. - */ -#define SCHWAEMM_256_128_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Schwaemm256-128. - */ -#define SCHWAEMM_256_128_NONCE_SIZE 32 - -/** - * \brief Size of the key for Schwaemm192-192. - */ -#define SCHWAEMM_192_192_KEY_SIZE 24 - -/** - * \brief Size of the authentication tag for Schwaemm192-192. - */ -#define SCHWAEMM_192_192_TAG_SIZE 24 - -/** - * \brief Size of the nonce for Schwaemm192-192. - */ -#define SCHWAEMM_192_192_NONCE_SIZE 24 - -/** - * \brief Size of the key for Schwaemm128-128. - */ -#define SCHWAEMM_128_128_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Schwaemm128-128. - */ -#define SCHWAEMM_128_128_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Schwaemm128-128. - */ -#define SCHWAEMM_128_128_NONCE_SIZE 16 - -/** - * \brief Size of the key for Schwaemm256-256. - */ -#define SCHWAEMM_256_256_KEY_SIZE 32 - -/** - * \brief Size of the authentication tag for Schwaemm256-256. - */ -#define SCHWAEMM_256_256_TAG_SIZE 32 - -/** - * \brief Size of the nonce for Schwaemm256-256. - */ -#define SCHWAEMM_256_256_NONCE_SIZE 32 - -/** - * \brief Size of the hash output for Esch256. - */ -#define ESCH_256_HASH_SIZE 32 - -/** - * \brief Size of the hash output for Esch384. - */ -#define ESCH_384_HASH_SIZE 48 - -/** - * \brief Meta-information block for the Schwaemm256-128 cipher. - */ -extern aead_cipher_t const schwaemm_256_128_cipher; - -/** - * \brief Meta-information block for the Schwaemm192-192 cipher. 
- */ -extern aead_cipher_t const schwaemm_192_192_cipher; - -/** - * \brief Meta-information block for the Schwaemm128-128 cipher. - */ -extern aead_cipher_t const schwaemm_128_128_cipher; - -/** - * \brief Meta-information block for the Schwaemm256-256 cipher. - */ -extern aead_cipher_t const schwaemm_256_256_cipher; - -/** - * \brief Meta-information block for the Esch256 hash algorithm. - */ -extern aead_hash_algorithm_t const esch_256_hash_algorithm; - -/** - * \brief Meta-information block for the Esch384 hash algorithm. - */ -extern aead_hash_algorithm_t const esch_384_hash_algorithm; - -/** - * \brief State information for the Esch256 incremental hash mode. - */ -typedef union -{ - struct { - unsigned char state[48]; /**< Current hash state */ - unsigned char block[16]; /**< Partial input data block */ - unsigned char count; /**< Number of bytes in the current block */ - } s; /**< State */ - unsigned long long align; /**< For alignment of this structure */ - -} esch_256_hash_state_t; - -/** - * \brief State information for the Esch384 incremental hash mode. - */ -typedef union -{ - struct { - unsigned char state[64]; /**< Current hash state */ - unsigned char block[16]; /**< Partial input data block */ - unsigned char count; /**< Number of bytes in the current block */ - } s; /**< State */ - unsigned long long align; /**< For alignment of this structure */ - -} esch_384_hash_state_t; - -/** - * \brief Encrypts and authenticates a packet with Schwaemm256-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. 
- * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 32 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa schwaemm_256_128_aead_decrypt() - */ -int schwaemm_256_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Schwaemm256-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 32 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa schwaemm_256_128_aead_encrypt() - */ -int schwaemm_256_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Schwaemm192-192. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 24 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 24 bytes in length. - * \param k Points to the 24 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa schwaemm_192_192_aead_decrypt() - */ -int schwaemm_192_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Schwaemm192-192. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. 
- * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 24 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 24 bytes in length. - * \param k Points to the 24 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa schwaemm_192_192_aead_encrypt() - */ -int schwaemm_192_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Schwaemm128-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa schwaemm_128_128_aead_decrypt() - */ -int schwaemm_128_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Schwaemm128-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa schwaemm_128_128_aead_encrypt() - */ -int schwaemm_128_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Schwaemm256-256. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. 
- * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa schwaemm_256_256_aead_decrypt() - */ -int schwaemm_256_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Schwaemm256-256. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa schwaemm_256_256_aead_encrypt() - */ -int schwaemm_256_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data with Esch256 to generate a hash value. - * - * \param out Buffer to receive the hash output which must be at least - * ESCH_256_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int esch_256_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for an Esch256 hashing operation. - * - * \param state Hash state to be initialized. - * - * \sa esch_256_hash_update(), esch_256_hash_finalize(), esch_256_hash() - */ -void esch_256_hash_init(esch_256_hash_state_t *state); - -/** - * \brief Updates an Esch256 state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - * - * \sa esch_256_hash_init(), esch_256_hash_finalize() - */ -void esch_256_hash_update - (esch_256_hash_state_t *state, const unsigned char *in, - unsigned long long inlen); - -/** - * \brief Returns the final hash value from an Esch256 hashing operation. - * - * \param state Hash state to be finalized. - * \param out Points to the output buffer to receive the 32-byte hash value. - * - * \sa esch_256_hash_init(), esch_256_hash_update() - */ -void esch_256_hash_finalize - (esch_256_hash_state_t *state, unsigned char *out); - -/** - * \brief Hashes a block of input data with Esch384 to generate a hash value. 
- * - * \param out Buffer to receive the hash output which must be at least - * ESCH_384_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int esch_384_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for an Esch384 hashing operation. - * - * \param state Hash state to be initialized. - * - * \sa esch_384_hash_update(), esch_384_hash_finalize(), esch_384_hash() - */ -void esch_384_hash_init(esch_384_hash_state_t *state); - -/** - * \brief Updates an Esch384 state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - * - * \sa esch_384_hash_init(), esch_384_hash_finalize() - */ -void esch_384_hash_update - (esch_384_hash_state_t *state, const unsigned char *in, - unsigned long long inlen); - -/** - * \brief Returns the final hash value from an Esch384 hashing operation. - * - * \param state Hash state to be finalized. - * \param out Points to the output buffer to receive the 48-byte hash value. - * - * \sa esch_384_hash_init(), esch_384_hash_update() - */ -void esch_384_hash_finalize - (esch_384_hash_state_t *state, unsigned char *out); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle-avr.S b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle-avr.S new file mode 100644 index 0000000..753ea2f --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle-avr.S 
@@ -0,0 +1,2887 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global sparkle_256 + .type sparkle_256, @function +sparkle_256: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + rcall 129f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 129f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 129f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + rcall 129f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 129f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 129f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 129f + pop r18 + cpi r18,7 + brne 5094f + rjmp 615f +5094: + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 129f + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 129f + ldi r18,128 + ldi r19,88 + ldi r20,113 + 
ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 129f + rjmp 615f +129: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc 
r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + 
eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + movw r18,r4 + movw r20,r6 + movw r4,r14 + movw r6,r12 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + movw r8,r18 + movw r10,r20 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 
+ eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + movw r14,r22 + movw r12,r26 + eor r14,r18 + eor r15,r19 + eor r12,r20 + eor r13,r21 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + movw r22,r16 + movw r26,r24 + eor r22,r28 + eor r23,r29 + eor r26,r2 + eor r27,r3 + movw r28,r14 + movw r2,r12 + ret +615: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_256, .-sparkle_256 + + .text +.global sparkle_384 + .type sparkle_384, @function +sparkle_384: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + rcall 140f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 140f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 140f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + 
rcall 140f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 140f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 140f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 140f + pop r18 + cpi r18,7 + brne 5094f + rjmp 886f +5094: + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 140f + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 140f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 140f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,10 + eor r8,r18 + rcall 140f + rjmp 886f +140: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 
+ ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 
+ ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + 
rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r22 + std Z+17,r23 + std Z+18,r26 + std Z+19,r27 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + eor r24,r4 + eor r25,r5 + eor r16,r6 + eor r17,r7 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r28,Z+40 + ldd r29,Z+41 + ldd r2,Z+42 + ldd r3,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor 
r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r0,Z+4 + eor r18,r0 + ldd r0,Z+5 + eor r19,r0 + ldd r0,Z+6 + eor r20,r0 + ldd r0,Z+7 + eor r21,r0 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Z+28,r18 + std Z+29,r19 + std Z+30,r20 + std Z+31,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + std Z+36,r18 + std Z+37,r19 + std Z+38,r20 + std Z+39,r21 + eor r8,r14 + eor r9,r15 + eor r10,r12 + eor r11,r13 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + eor r18,r16 + eor r19,r17 + eor r20,r24 + eor r21,r25 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r28,Z+16 + ldd r29,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + std Z+40,r28 + std Z+41,r29 + std Z+42,r2 + std Z+43,r3 + ld r14,Z + ldd r15,Z+1 + ldd r12,Z+2 + ldd r13,Z+3 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + std Z+24,r14 + std Z+25,r15 + std Z+26,r12 + std Z+27,r13 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + std Z+32,r18 + std Z+33,r19 + std Z+34,r20 + std Z+35,r21 + eor r28,r16 + eor r29,r17 + eor r2,r24 + eor r3,r25 + ret +886: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_384, .-sparkle_384 + + .text +.global sparkle_512 + .type sparkle_512, @function +sparkle_512: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + rcall 151f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 151f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 151f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + rcall 151f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 151f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 151f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 151f + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 151f + pop r18 + cpi r18,8 + brne 5105f + rjmp 1189f +5105: + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 151f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 151f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,10 + eor r8,r18 + rcall 151f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,11 + eor r8,r18 + rcall 151f + rjmp 1189f +151: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + 
movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor 
r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + 
ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r22 + std Z+17,r23 + std Z+18,r26 + std Z+19,r27 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + eor r24,r4 + eor r25,r5 + eor r16,r6 + eor r17,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r28,Z+40 + ldd r29,Z+41 + ldd r2,Z+42 + ldd r3,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + 
ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+32,r22 + std Z+33,r23 + std Z+34,r26 + std 
Z+35,r27 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r28 + std Z+41,r29 + std Z+42,r2 + std Z+43,r3 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r22,Z+48 + ldd r23,Z+49 + ldd r26,Z+50 + ldd r27,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r28,Z+56 + ldd r29,Z+57 + ldd r2,Z+58 + ldd r3,Z+59 + ldd r8,Z+60 + ldd r9,Z+61 + ldd r10,Z+62 + ldd r11,Z+63 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + 
adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + ldd r18,Z+44 + ldd r19,Z+45 + ldd r20,Z+46 + ldd r21,Z+47 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Z+60,r8 + std Z+61,r9 + std Z+62,r10 + std Z+63,r11 + ldd r8,Z+4 + ldd r9,Z+5 + ldd r10,Z+6 + ldd r11,Z+7 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+36,r8 + std Z+37,r9 + std Z+38,r10 + std Z+39,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r8,Z+52 + ldd r9,Z+53 + ldd r10,Z+54 + ldd r11,Z+55 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + ldd r0,Z+60 + eor r14,r0 + ldd r0,Z+61 + eor r15,r0 + ldd r0,Z+62 + eor r12,r0 + ldd r0,Z+63 + eor 
r13,r0 + std Z+20,r14 + std Z+21,r15 + std Z+22,r12 + std Z+23,r13 + movw r4,r18 + movw r6,r20 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + std Z+48,r22 + std Z+49,r23 + std Z+50,r26 + std Z+51,r27 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + eor r18,r16 + eor r19,r17 + eor r20,r24 + eor r21,r25 + eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r14,Z+24 + ldd r15,Z+25 + ldd r12,Z+26 + ldd r13,Z+27 + std Z+56,r14 + std Z+57,r15 + std Z+58,r12 + std Z+59,r13 + ld r14,Z + ldd r15,Z+1 + ldd r12,Z+2 + ldd r13,Z+3 + eor r22,r14 + eor r23,r15 + eor r26,r12 + eor r27,r13 + std Z+24,r22 + std Z+25,r23 + std Z+26,r26 + std Z+27,r27 + std Z+32,r14 + std Z+33,r15 + std Z+34,r12 + std Z+35,r13 + ldd r14,Z+8 + ldd r15,Z+9 + ldd r12,Z+10 + ldd r13,Z+11 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + movw r22,r18 + movw r26,r20 + std Z+40,r14 + std Z+41,r15 + std Z+42,r12 + std Z+43,r13 + ldd r28,Z+48 + ldd r29,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r14,Z+16 + ldd r15,Z+17 + ldd r12,Z+18 + ldd r13,Z+19 + eor r28,r14 + eor r29,r15 + eor r2,r12 + eor r3,r13 + std Z+48,r14 + std Z+49,r15 + std Z+50,r12 + std Z+51,r13 + ldd r0,Z+56 + eor r16,r0 + ldd r0,Z+57 + eor r17,r0 + ldd r0,Z+58 + eor r24,r0 + ldd r0,Z+59 + eor r25,r0 + std Z+16,r16 + std Z+17,r17 + std Z+18,r24 + std Z+19,r25 + ret +1189: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_512, .-sparkle_512 + +#endif 
diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.c index 822af50..4a4c0fb 100644 --- a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.c +++ b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-sparkle.c @@ -22,6 +22,8 @@ #include "internal-sparkle.h" +#if !defined(__AVR__) + /* The 8 basic round constants from the specification */ #define RC_0 0xB7E15162 #define RC_1 0xBF715880 @@ -66,7 +68,7 @@ void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps) { uint32_t x0, x1, x2, x3; uint32_t y0, y1, y2, y3; - uint32_t tx, ty, tz, tw; + uint32_t tx, ty; unsigned step; /* Load the SPARKLE-256 state up into local variables */ @@ -105,18 +107,20 @@ void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps) /* Linear layer */ tx = x0 ^ x1; ty = y0 ^ y1; - tw = x0; - tz = y0; tx = leftRotate16(tx ^ (tx << 16)); ty = leftRotate16(ty ^ (ty << 16)); - x0 = x3 ^ x1 ^ ty; - x3 = x1; - y0 = y3 ^ y1 ^ tx; + y2 ^= tx; + tx ^= y3; y3 = y1; - x1 = x2 ^ tw ^ ty; - x2 = tw; - y1 = y2 ^ tz ^ tx; - y2 = tz; + y1 = y2 ^ y0; + y2 = y0; + y0 = tx ^ y3; + x2 ^= ty; + ty ^= x3; + x3 = x1; + x1 = x2 ^ x0; + x2 = x0; + x0 = ty ^ x3; } /* Write the local variables back to the SPARKLE-256 state */ @@ -145,7 +149,7 @@ void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps) { uint32_t x0, x1, x2, x3, x4, x5; uint32_t y0, y1, y2, y3, y4, y5; - uint32_t tx, ty, tz, tw; + uint32_t tx, ty; unsigned step; /* Load the SPARKLE-384 state up into local variables */ 
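Review bot: The rewritten linear layer in sparkle_256 is an in-place form of the removed explicit-temporary version, and I traced it as equivalent (new `y1 = y2 ^ y0` after `y2 ^= tx` equals the old `y2 ^ tz ^ tx`, new `y0 = tx ^ y3` after `tx ^= y3; y3 = y1` equals the old `y3 ^ y1 ^ tx`, and likewise for the x branch), but nothing in the hunk says so and the sequence `y2 ^= tx; tx ^= y3; y3 = y1;` is not recognisably the specification's linear layer to a later reader. I would add above it `/* In-place form of the linear layer: fold the rotated tx/ty into the right half, then rotate the branches by one slot; equivalent to x0' = x3^x1^ty, y0' = y3^y1^tx, x1' = x2^x0^ty, y1' = y2^y0^tx */`. Dropping tw/tz is consistent with the new form. The enclosing step loop and sparkle_256 itself start and end outside the hunk, and with the new `#if !defined(__AVR__)` guard this C path is no longer compiled on AVR at all, so the assembly replacement carries the whole correctness burden there.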
@@ -194,22 +198,26 @@ void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps) /* Linear layer */ tx = x0 ^ x1 ^ x2; ty = y0 ^ y1 ^ y2; - tw = x0; - tz = y0; tx = leftRotate16(tx ^ (tx << 16)); ty = leftRotate16(ty ^ (ty << 16)); - x0 = x4 ^ x1 ^ ty; - x4 = x1; - y0 = y4 ^ y1 ^ tx; + y3 ^= tx; + y4 ^= tx; + tx ^= y5; + y5 = y2; + y2 = y3 ^ y0; + y3 = y0; + y0 = y4 ^ y1; y4 = y1; - x1 = x5 ^ x2 ^ ty; + y1 = tx ^ y5; + x3 ^= ty; + x4 ^= ty; + ty ^= x5; x5 = x2; - y1 = y5 ^ y2 ^ tx; - y5 = y2; - x2 = x3 ^ tw ^ ty; - x3 = tw; - y2 = y3 ^ tz ^ tx; - y3 = tz; + x2 = x3 ^ x0; + x3 = x0; + x0 = x4 ^ x1; + x4 = x1; + x1 = ty ^ x5; } /* Write the local variables back to the SPARKLE-384 state */ @@ -246,7 +254,7 @@ void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) { uint32_t x0, x1, x2, x3, x4, x5, x6, x7; uint32_t y0, y1, y2, y3, y4, y5, y6, y7; - uint32_t tx, ty, tz, tw; + uint32_t tx, ty; unsigned step; /* Load the SPARKLE-512 state up into local variables */ @@ -305,26 +313,32 @@ void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) /* Linear layer */ tx = x0 ^ x1 ^ x2 ^ x3; ty = y0 ^ y1 ^ y2 ^ y3; - tw = x0; - tz = y0; tx = leftRotate16(tx ^ (tx << 16)); ty = leftRotate16(ty ^ (ty << 16)); - x0 = x5 ^ x1 ^ ty; - x5 = x1; - y0 = y5 ^ y1 ^ tx; + y4 ^= tx; + y5 ^= tx; + y6 ^= tx; + tx ^= y7; + y7 = y3; + y3 = y4 ^ y0; + y4 = y0; + y0 = y5 ^ y1; y5 = y1; - x1 = x6 ^ x2 ^ ty; - x6 = x2; - y1 = y6 ^ y2 ^ tx; + y1 = y6 ^ y2; y6 = y2; - x2 = x7 ^ x3 ^ ty; + y2 = tx ^ y7; + x4 ^= ty; + x5 ^= ty; + x6 ^= ty; + ty ^= x7; x7 = x3; - y2 = y7 ^ y3 ^ tx; - y7 = y3; - x3 = x4 ^ tw ^ ty; - x4 = tw; - y3 = y4 ^ tz ^ tx; - y4 = tz; + x3 = x4 ^ x0; + x4 = x0; + x0 = x5 ^ x1; + x5 = x1; + x1 = x6 ^ x2; + x6 = x2; + x2 = ty ^ x7; } /* Write the local variables back to the SPARKLE-512 state */ @@ -364,3 +378,5 @@ void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) le_store_word32((uint8_t *)&(s[15]), y7); #endif } + +#endif 
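Review bot: The closing `+#endif` in the last hunk ends a `#if !defined(__AVR__)` that opens roughly 360 lines earlier, with nothing on the line saying which condition it closes; I would write `#endif /* !defined(__AVR__) */`. The reworked sparkle_512 linear layer checks out as equivalent to the removed form (new `x3 = x4 ^ x0` after `x4 ^= ty` is the old `x4 ^ tw ^ ty`, new `y2 = tx ^ y7` after `tx ^= y7; y7 = y3` is the old `y7 ^ y3 ^ tx`, and so on for the other branches), but since the same commit makes the C code unreachable on AVR, the only implementation exercised there is the assembly, so a known-answer run on target is the check that actually covers this change. sparkle_384 and sparkle_512 both start outside the hunks shown.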
diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-util.h b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-util.h +++ b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
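Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is derived from `__AVR__` alone and cannot be overridden, so the composed rotation path can neither be selected for another target without a barrel shifter nor compiled on a host to check it against the plain `leftRotateN`/`rightRotateN` definitions it replaces. I would wrap the selection as `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` ... `#endif` around the existing three-line block, keeping the `__AVR__` default. That also gives a cheap way to unit-test all 62 composed macros against `leftRotate(x, n)` before cipher code depends on them.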
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.c index b357de6..e2aa25a 100644 
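Review bot: Each composed macro nests the generic `leftRotate`/`rightRotate` statement expression up to five deep (e.g. `leftRotate20`), and since that expression declares its own `_temp` (visible in the `(_temp >> (bits)) | (_temp << (32 - (bits)))` context of the previous hunk), every level shadows the one outside it within its initializer; the result is correct, because the inner block is evaluated completely before the outer `_temp` is initialised, but `-Wshadow` will most likely warn at every use site. I would either record that in the header comment, `/* Nested generic rotates each declare their own _temp; the shadowing is intentional and harmless. */`, or express the 1-bit steps through a macro that does not introduce a local. The counts themselves check out (leftRotate12 = 16 - 4, leftRotate21 = 24 - 3, leftRotate28 = 32 - 4, and rightRotateN = leftRotate(32-N)), and every composed form is still a fixed sequence of constant shifts, so the data-independent timing of the plain rotations is preserved.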
--- a/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.c +++ b/sparkle/Implementations/crypto_aead/schwaemm256128v1/rhys/sparkle.c @@ -123,24 +123,21 @@ aead_hash_algorithm_t const esch_384_hash_algorithm = { * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128. * * \param s SPARKLE-384 state. - * \param domain Domain separator for this phase. */ -#define schwaemm_256_128_rho(s, domain) \ +#define schwaemm_256_128_rho(s) \ do { \ - uint32_t t0 = s[0]; \ - uint32_t t1 = s[1]; \ - uint32_t t2 = s[2]; \ - uint32_t t3 = s[3]; \ - if ((domain) != 0) \ - s[11] ^= DOMAIN(domain); \ + uint32_t t = s[0]; \ s[0] = s[4] ^ s[8]; \ + s[4] ^= t ^ s[8]; \ + t = s[1]; \ s[1] = s[5] ^ s[9]; \ + s[5] ^= t ^ s[9]; \ + t = s[2]; \ s[2] = s[6] ^ s[10]; \ + s[6] ^= t ^ s[10]; \ + t = s[3]; \ s[3] = s[7] ^ s[11]; \ - s[4] ^= t0 ^ s[8]; \ - s[5] ^= t1 ^ s[9]; \ - s[6] ^= t2 ^ s[10]; \ - s[7] ^= t3 ^ s[11]; \ + s[7] ^= t ^ s[11]; \ } while (0) /** @@ -155,18 +152,20 @@ static void schwaemm_256_128_authenticate const unsigned char *ad, unsigned long long adlen) { while (adlen > SCHWAEMM_256_128_RATE) { - schwaemm_256_128_rho(s, 0x00); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); sparkle_384(s, 7); ad += SCHWAEMM_256_128_RATE; adlen -= SCHWAEMM_256_128_RATE; } if (adlen == SCHWAEMM_256_128_RATE) { - schwaemm_256_128_rho(s, 0x05); + s[11] ^= DOMAIN(0x05); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); } else { unsigned temp = (unsigned)adlen; - schwaemm_256_128_rho(s, 0x04); + s[11] ^= DOMAIN(0x04); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, ad, temp); ((unsigned char *)s)[temp] ^= 0x80; } 
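Review bot: `schwaemm_256_128_rho` no longer applies the domain separator, but its doc comment still only says it performs the rho1 and rate whitening steps and says nothing about the new caller obligation that `s[11] ^= DOMAIN(...)` must precede the macro, which the authenticate hunk now does by hand at two sites. I would add to the comment block: ` * The caller must XOR any domain separator into s[11] before invoking this macro; the separator is deliberately no longer a parameter.` A new call site that forgets this would produce tags and ciphertext that disagree with the specification, with no compile-time signal. The rewrite of the macro body itself is equivalent: each `s[i]` is read into `t` and the old `s[i+4]` consumed before it is updated, exactly as the removed t0..t3 form did.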
@@ -202,7 +201,7 @@ int schwaemm_256_128_aead_encrypt while (mlen > SCHWAEMM_256_128_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s, 0x00); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); sparkle_384(s, 7); memcpy(c, block, SCHWAEMM_256_128_RATE); @@ -213,13 +212,15 @@ int schwaemm_256_128_aead_encrypt if (mlen == SCHWAEMM_256_128_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s, 0x07); + s[11] ^= DOMAIN(0x07); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); memcpy(c, block, SCHWAEMM_256_128_RATE); } else { unsigned temp = (unsigned)mlen; lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - schwaemm_256_128_rho(s, 0x06); + s[11] ^= DOMAIN(0x06); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; memcpy(c, block, temp); @@ -266,7 +267,7 @@ int schwaemm_256_128_aead_decrypt while (clen > SCHWAEMM_256_128_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s, 0x00); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); sparkle_384(s, 7); c += SCHWAEMM_256_128_RATE; @@ -276,12 +277,14 @@ int schwaemm_256_128_aead_decrypt if (clen == SCHWAEMM_256_128_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s, 0x07); + s[11] ^= DOMAIN(0x07); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); } else { unsigned temp = (unsigned)clen; lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - schwaemm_256_128_rho(s, 0x06); + s[11] ^= DOMAIN(0x06); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; } 
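Review bot: The domain separators are now bare literals repeated at paired call sites — `DOMAIN(0x07)` and `DOMAIN(0x06)` appear in both the encrypt hunk and the decrypt hunk — so an edit to one side that misses the other would break interoperability silently, since decrypt would merely fail to verify tags that encrypt produced. I would name each value once next to `DOMAIN`, e.g. `#define SCHWAEMM_256_128_DOMAIN_M_FULL 0x07` and `#define SCHWAEMM_256_128_DOMAIN_M_PART 0x06` (and the 0x04/0x05 pair from the authenticate hunk), and use the names at every site. In the hunks shown the values do match between encrypt and decrypt, and the separator is still applied before the rho step, so the change preserves the original ordering. Both schwaemm_256_128_aead_encrypt and _decrypt start outside the hunks.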
@@ -315,21 +318,18 @@ int schwaemm_256_128_aead_decrypt * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192. * * \param s SPARKLE-384 state. - * \param domain Domain separator for this phase. */ -#define schwaemm_192_192_rho(s, domain) \ +#define schwaemm_192_192_rho(s) \ do { \ - uint32_t t0 = s[0]; \ - uint32_t t1 = s[1]; \ - uint32_t t2 = s[2]; \ - if ((domain) != 0) \ - s[11] ^= DOMAIN(domain); \ + uint32_t t = s[0]; \ s[0] = s[3] ^ s[6]; \ + s[3] ^= t ^ s[9]; \ + t = s[1]; \ s[1] = s[4] ^ s[7]; \ + s[4] ^= t ^ s[10]; \ + t = s[2]; \ s[2] = s[5] ^ s[8]; \ - s[3] ^= t0 ^ s[9]; \ - s[4] ^= t1 ^ s[10]; \ - s[5] ^= t2 ^ s[11]; \ + s[5] ^= t ^ s[11]; \ } while (0) /** @@ -344,18 +344,20 @@ static void schwaemm_192_192_authenticate const unsigned char *ad, unsigned long long adlen) { while (adlen > SCHWAEMM_192_192_RATE) { - schwaemm_192_192_rho(s, 0x00); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); sparkle_384(s, 7); ad += SCHWAEMM_192_192_RATE; adlen -= SCHWAEMM_192_192_RATE; } if (adlen == SCHWAEMM_192_192_RATE) { - schwaemm_192_192_rho(s, 0x09); + s[11] ^= DOMAIN(0x09); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); } else { unsigned temp = (unsigned)adlen; - schwaemm_192_192_rho(s, 0x08); + s[11] ^= DOMAIN(0x08); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, ad, temp); ((unsigned char *)s)[temp] ^= 0x80; } @@ -391,7 +393,7 @@ int schwaemm_192_192_aead_encrypt while (mlen > SCHWAEMM_192_192_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s, 0x00); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); sparkle_384(s, 7); memcpy(c, block, SCHWAEMM_192_192_RATE); 
@@ -402,13 +404,15 @@ int schwaemm_192_192_aead_encrypt if (mlen == SCHWAEMM_192_192_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s, 0x0B); + s[11] ^= DOMAIN(0x0B); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); memcpy(c, block, SCHWAEMM_192_192_RATE); } else { unsigned temp = (unsigned)mlen; lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - schwaemm_192_192_rho(s, 0x0A); + s[11] ^= DOMAIN(0x0A); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; memcpy(c, block, temp); @@ -455,7 +459,7 @@ int schwaemm_192_192_aead_decrypt while (clen > SCHWAEMM_192_192_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s, 0x00); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); sparkle_384(s, 7); c += SCHWAEMM_192_192_RATE; @@ -465,12 +469,14 @@ int schwaemm_192_192_aead_decrypt if (clen == SCHWAEMM_192_192_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s, 0x0B); + s[11] ^= DOMAIN(0x0B); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); } else { unsigned temp = (unsigned)clen; lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - schwaemm_192_192_rho(s, 0x0A); + s[11] ^= DOMAIN(0x0A); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; } 
@@ -504,18 +510,15 @@ int schwaemm_192_192_aead_decrypt * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128. * * \param s SPARKLE-256 state. - * \param domain Domain separator for this phase. */ -#define schwaemm_128_128_rho(s, domain) \ +#define schwaemm_128_128_rho(s) \ do { \ - uint32_t t0 = s[0]; \ - uint32_t t1 = s[1]; \ - if ((domain) != 0) \ - s[7] ^= DOMAIN(domain); \ + uint32_t t = s[0]; \ s[0] = s[2] ^ s[4]; \ + s[2] ^= t ^ s[6]; \ + t = s[1]; \ s[1] = s[3] ^ s[5]; \ - s[2] ^= t0 ^ s[6]; \ - s[3] ^= t1 ^ s[7]; \ + s[3] ^= t ^ s[7]; \ } while (0) /** @@ -530,18 +533,20 @@ static void schwaemm_128_128_authenticate const unsigned char *ad, unsigned long long adlen) { while (adlen > SCHWAEMM_128_128_RATE) { - schwaemm_128_128_rho(s, 0x00); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); sparkle_256(s, 7); ad += SCHWAEMM_128_128_RATE; adlen -= SCHWAEMM_128_128_RATE; } if (adlen == SCHWAEMM_128_128_RATE) { - schwaemm_128_128_rho(s, 0x05); + s[7] ^= DOMAIN(0x05); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); } else { unsigned temp = (unsigned)adlen; - schwaemm_128_128_rho(s, 0x04); + s[7] ^= DOMAIN(0x04); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, ad, temp); ((unsigned char *)s)[temp] ^= 0x80; } @@ -577,7 +582,7 @@ int schwaemm_128_128_aead_encrypt while (mlen > SCHWAEMM_128_128_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s, 0x00); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); sparkle_256(s, 7); memcpy(c, block, SCHWAEMM_128_128_RATE); 
@@ -588,13 +593,15 @@ int schwaemm_128_128_aead_encrypt if (mlen == SCHWAEMM_128_128_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s, 0x07); + s[7] ^= DOMAIN(0x07); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); memcpy(c, block, SCHWAEMM_128_128_RATE); } else { unsigned temp = (unsigned)mlen; lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - schwaemm_128_128_rho(s, 0x06); + s[7] ^= DOMAIN(0x06); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; memcpy(c, block, temp); @@ -641,7 +648,7 @@ int schwaemm_128_128_aead_decrypt while (clen > SCHWAEMM_128_128_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s, 0x00); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); sparkle_256(s, 7); c += SCHWAEMM_128_128_RATE; @@ -651,12 +658,14 @@ int schwaemm_128_128_aead_decrypt if (clen == SCHWAEMM_128_128_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s, 0x07); + s[7] ^= DOMAIN(0x07); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); } else { unsigned temp = (unsigned)clen; lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - schwaemm_128_128_rho(s, 0x06); + s[7] ^= DOMAIN(0x06); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; } 
@@ -690,24 +699,21 @@ int schwaemm_128_128_aead_decrypt * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256. * * \param s SPARKLE-512 state. - * \param domain Domain separator for this phase. */ -#define schwaemm_256_256_rho(s, domain) \ +#define schwaemm_256_256_rho(s) \ do { \ - uint32_t t0 = s[0]; \ - uint32_t t1 = s[1]; \ - uint32_t t2 = s[2]; \ - uint32_t t3 = s[3]; \ - if ((domain) != 0) \ - s[15] ^= DOMAIN(domain); \ + uint32_t t = s[0]; \ s[0] = s[4] ^ s[8]; \ + s[4] ^= t ^ s[12]; \ + t = s[1]; \ s[1] = s[5] ^ s[9]; \ + s[5] ^= t ^ s[13]; \ + t = s[2]; \ s[2] = s[6] ^ s[10]; \ + s[6] ^= t ^ s[14]; \ + t = s[3]; \ s[3] = s[7] ^ s[11]; \ - s[4] ^= t0 ^ s[12]; \ - s[5] ^= t1 ^ s[13]; \ - s[6] ^= t2 ^ s[14]; \ - s[7] ^= t3 ^ s[15]; \ + s[7] ^= t ^ s[15]; \ } while (0) /** @@ -722,18 +728,20 @@ static void schwaemm_256_256_authenticate const unsigned char *ad, unsigned long long adlen) { while (adlen > SCHWAEMM_256_256_RATE) { - schwaemm_256_256_rho(s, 0x00); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); sparkle_512(s, 8); ad += SCHWAEMM_256_256_RATE; adlen -= SCHWAEMM_256_256_RATE; } if (adlen == SCHWAEMM_256_256_RATE) { - schwaemm_256_256_rho(s, 0x11); + s[15] ^= DOMAIN(0x11); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); } else { unsigned temp = (unsigned)adlen; - schwaemm_256_256_rho(s, 0x10); + s[15] ^= DOMAIN(0x10); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, ad, temp); ((unsigned char *)s)[temp] ^= 0x80; } @@ -769,7 +777,7 @@ int schwaemm_256_256_aead_encrypt while (mlen > SCHWAEMM_256_256_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s, 0x00); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); sparkle_512(s, 8); memcpy(c, block, SCHWAEMM_256_256_RATE); 
@@ -780,13 +788,15 @@ int schwaemm_256_256_aead_encrypt if (mlen == SCHWAEMM_256_256_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s, 0x13); + s[15] ^= DOMAIN(0x13); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); memcpy(c, block, SCHWAEMM_256_256_RATE); } else { unsigned temp = (unsigned)mlen; lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - schwaemm_256_256_rho(s, 0x12); + s[15] ^= DOMAIN(0x12); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; memcpy(c, block, temp); @@ -833,7 +843,7 @@ int schwaemm_256_256_aead_decrypt while (clen > SCHWAEMM_256_256_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s, 0x00); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); sparkle_512(s, 8); c += SCHWAEMM_256_256_RATE; @@ -843,12 +853,14 @@ int schwaemm_256_256_aead_decrypt if (clen == SCHWAEMM_256_256_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s, 0x13); + s[15] ^= DOMAIN(0x13); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); } else { unsigned temp = (unsigned)clen; lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - schwaemm_256_256_rho(s, 0x12); + s[15] ^= DOMAIN(0x12); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; } diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/aead-common.c b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/aead-common.h b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/api.h b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/api.h deleted file mode 100644 index c11fc10..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 32 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 32 -#define CRYPTO_ABYTES 32 -#define CRYPTO_NOOVERLAP 1 diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/encrypt.c b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/encrypt.c deleted file mode 100644 index c5f15f6..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@
-
-#include "sparkle.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return schwaemm_256_256_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return schwaemm_256_256_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/internal-sparkle-avr.S b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/internal-sparkle-avr.S
deleted file mode 100644
index 753ea2f..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/internal-sparkle-avr.S
+++ /dev/null
@@ -1,2887 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global sparkle_256 - .type sparkle_256, @function -sparkle_256: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - rcall 129f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 129f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 129f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - rcall 129f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 129f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 129f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 129f - pop r18 - cpi r18,7 - brne 5094f - rjmp 615f -5094: - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 129f - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 129f - ldi r18,128 - ldi r19,88 - ldi r20,113 - 
ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 129f - rjmp 615f -129: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc 
r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - 
eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - std Z+20,r18 - std Z+21,r19 - std Z+22,r20 - std Z+23,r21 - movw r18,r4 - movw r20,r6 - movw r4,r14 - movw r6,r12 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - movw r8,r18 - movw r10,r20 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 
- eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - movw r14,r22 - movw r12,r26 - eor r14,r18 - eor r15,r19 - eor r12,r20 - eor r13,r21 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - movw r22,r16 - movw r26,r24 - eor r22,r28 - eor r23,r29 - eor r26,r2 - eor r27,r3 - movw r28,r14 - movw r2,r12 - ret -615: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_256, .-sparkle_256 - - .text -.global sparkle_384 - .type sparkle_384, @function -sparkle_384: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - rcall 140f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 140f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 140f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - 
rcall 140f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 140f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 140f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 140f - pop r18 - cpi r18,7 - brne 5094f - rjmp 886f -5094: - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 140f - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 140f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 140f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,10 - eor r8,r18 - rcall 140f - rjmp 886f -140: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 
- ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 
- ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - 
rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r22 - std Z+17,r23 - std Z+18,r26 - std Z+19,r27 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - eor r24,r4 - eor r25,r5 - eor r16,r6 - eor r17,r7 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r28,Z+40 - ldd r29,Z+41 - ldd r2,Z+42 - ldd r3,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor 
r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r0,Z+4 - eor r18,r0 - ldd r0,Z+5 - eor r19,r0 - ldd r0,Z+6 - eor r20,r0 - ldd r0,Z+7 - eor r21,r0 - std Z+20,r18 - std Z+21,r19 - std Z+22,r20 - std Z+23,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Z+28,r18 - std Z+29,r19 - std Z+30,r20 - std Z+31,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - std Z+36,r18 - std Z+37,r19 - std Z+38,r20 - std Z+39,r21 - eor r8,r14 - eor r9,r15 - eor r10,r12 - eor r11,r13 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - eor r18,r16 - eor r19,r17 - eor r20,r24 - eor r21,r25 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r28,Z+16 - ldd r29,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - std Z+40,r28 - std Z+41,r29 - std Z+42,r2 - std Z+43,r3 - ld r14,Z - ldd r15,Z+1 - ldd r12,Z+2 - ldd r13,Z+3 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - std Z+24,r14 - std Z+25,r15 - std Z+26,r12 - std Z+27,r13 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - std Z+32,r18 - std Z+33,r19 - std Z+34,r20 - std Z+35,r21 - eor r28,r16 - eor r29,r17 - eor r2,r24 - eor r3,r25 - ret -886: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_384, .-sparkle_384 - - .text -.global sparkle_512 - .type sparkle_512, @function -sparkle_512: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - rcall 151f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 151f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 151f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - rcall 151f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 151f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 151f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 151f - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 151f - pop r18 - cpi r18,8 - brne 5105f - rjmp 1189f -5105: - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 151f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 151f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,10 - eor r8,r18 - rcall 151f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,11 - eor r8,r18 - rcall 151f - rjmp 1189f -151: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - 
movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor 
r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - 
ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r22 - std Z+17,r23 - std Z+18,r26 - std Z+19,r27 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - eor r24,r4 - eor r25,r5 - eor r16,r6 - eor r17,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r28,Z+40 - ldd r29,Z+41 - ldd r2,Z+42 - ldd r3,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - 
ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+32,r22 - std Z+33,r23 - std Z+34,r26 - std 
Z+35,r27 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r28 - std Z+41,r29 - std Z+42,r2 - std Z+43,r3 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r22,Z+48 - ldd r23,Z+49 - ldd r26,Z+50 - ldd r27,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r28,Z+56 - ldd r29,Z+57 - ldd r2,Z+58 - ldd r3,Z+59 - ldd r8,Z+60 - ldd r9,Z+61 - ldd r10,Z+62 - ldd r11,Z+63 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - 
adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - ldd r18,Z+44 - ldd r19,Z+45 - ldd r20,Z+46 - ldd r21,Z+47 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Z+60,r8 - std Z+61,r9 - std Z+62,r10 - std Z+63,r11 - ldd r8,Z+4 - ldd r9,Z+5 - ldd r10,Z+6 - ldd r11,Z+7 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+36,r8 - std Z+37,r9 - std Z+38,r10 - std Z+39,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r8,Z+52 - ldd r9,Z+53 - ldd r10,Z+54 - ldd r11,Z+55 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - ldd r0,Z+60 - eor r14,r0 - ldd r0,Z+61 - eor r15,r0 - ldd r0,Z+62 - eor r12,r0 - ldd r0,Z+63 - eor 
r13,r0 - std Z+20,r14 - std Z+21,r15 - std Z+22,r12 - std Z+23,r13 - movw r4,r18 - movw r6,r20 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - std Z+48,r22 - std Z+49,r23 - std Z+50,r26 - std Z+51,r27 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - eor r18,r16 - eor r19,r17 - eor r20,r24 - eor r21,r25 - eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r14,Z+24 - ldd r15,Z+25 - ldd r12,Z+26 - ldd r13,Z+27 - std Z+56,r14 - std Z+57,r15 - std Z+58,r12 - std Z+59,r13 - ld r14,Z - ldd r15,Z+1 - ldd r12,Z+2 - ldd r13,Z+3 - eor r22,r14 - eor r23,r15 - eor r26,r12 - eor r27,r13 - std Z+24,r22 - std Z+25,r23 - std Z+26,r26 - std Z+27,r27 - std Z+32,r14 - std Z+33,r15 - std Z+34,r12 - std Z+35,r13 - ldd r14,Z+8 - ldd r15,Z+9 - ldd r12,Z+10 - ldd r13,Z+11 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - movw r22,r18 - movw r26,r20 - std Z+40,r14 - std Z+41,r15 - std Z+42,r12 - std Z+43,r13 - ldd r28,Z+48 - ldd r29,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r14,Z+16 - ldd r15,Z+17 - ldd r12,Z+18 - ldd r13,Z+19 - eor r28,r14 - eor r29,r15 - eor r2,r12 - eor r3,r13 - std Z+48,r14 - std Z+49,r15 - std Z+50,r12 - std Z+51,r13 - ldd r0,Z+56 - eor r16,r0 - ldd r0,Z+57 - eor r17,r0 - ldd r0,Z+58 - eor r24,r0 - ldd r0,Z+59 - eor r25,r0 - std Z+16,r16 - std Z+17,r17 - std Z+18,r24 - std Z+19,r25 - ret -1189: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_512, .-sparkle_512 - -#endif 
diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/internal-sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/internal-sparkle.c
deleted file mode 100644
index 4a4c0fb..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/internal-sparkle.c
+++ /dev/null
@@ -1,382 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-sparkle.h"
-
-#if !defined(__AVR__)
-
-/* The 8 basic round constants from the specification */
-#define RC_0 0xB7E15162
-#define RC_1 0xBF715880
-#define RC_2 0x38B4DA56
-#define RC_3 0x324E7738
-#define RC_4 0xBB1185EB
-#define RC_5 0x4F7C7B57
-#define RC_6 0xCFBFA1C8
-#define RC_7 0xC2B3293D
-
-/* Round constants for all SPARKLE steps; maximum of 12 for SPARKLE-512 */
-static uint32_t const sparkle_rc[12] = {
- RC_0, RC_1, RC_2, RC_3, RC_4, RC_5, RC_6, RC_7,
- RC_0, RC_1, RC_2, RC_3
-};
-
-/**
- * \brief Alzette block cipher that implements the ARXbox layer of the
- * SPARKLE permutation.
- *
- * \param x Left half of the 64-bit block.
- * \param y Right half of the 64-bit block.
- * \param k 32-bit round key.
- */
-#define alzette(x, y, k) \
- do { \
- (x) += leftRotate1((y)); \
- (y) ^= leftRotate8((x)); \
- (x) ^= (k); \
- (x) += leftRotate15((y)); \
- (y) ^= leftRotate15((x)); \
- (x) ^= (k); \
- (x) += (y); \
- (y) ^= leftRotate1((x)); \
- (x) ^= (k); \
- (x) += leftRotate8((y)); \
- (y) ^= leftRotate16((x)); \
- (x) ^= (k); \
- } while (0)
-
-void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps)
-{
- uint32_t x0, x1, x2, x3;
- uint32_t y0, y1, y2, y3;
- uint32_t tx, ty;
- unsigned step;
-
- /* Load the SPARKLE-256 state up into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- x0 = s[0];
- y0 = s[1];
- x1 = s[2];
- y1 = s[3];
- x2 = s[4];
- y2 = s[5];
- x3 = s[6];
- y3 = s[7];
-#else
- x0 = le_load_word32((const uint8_t *)&(s[0]));
- y0 = le_load_word32((const uint8_t *)&(s[1]));
- x1 = le_load_word32((const uint8_t *)&(s[2]));
- y1 = le_load_word32((const uint8_t *)&(s[3]));
- x2 = le_load_word32((const uint8_t *)&(s[4]));
- y2 = le_load_word32((const uint8_t *)&(s[5]));
- x3 = le_load_word32((const uint8_t *)&(s[6]));
- y3 = le_load_word32((const uint8_t *)&(s[7]));
-#endif
-
- /* Perform all requested steps */
- for (step = 0; step < steps; ++step) {
- /* Add round constants */
- y0 ^= sparkle_rc[step];
- y1 ^= step;
-
- /* ARXbox layer */
- alzette(x0, y0, RC_0);
- alzette(x1, y1, RC_1);
- alzette(x2, y2, RC_2);
- alzette(x3, y3, RC_3);
-
- /* Linear layer */
- tx = x0 ^ x1;
- ty = y0 ^ y1;
- tx = leftRotate16(tx ^ (tx << 16));
- ty = leftRotate16(ty ^ (ty << 16));
- y2 ^= tx;
- tx ^= y3;
- y3 = y1;
- y1 = y2 ^ y0;
- y2 = y0;
- y0 = tx ^ y3;
- x2 ^= ty;
- ty ^= x3;
- x3 = x1;
- x1 = x2 ^ x0;
- x2 = x0;
- x0 = ty ^ x3;
- }
-
- /* Write the local variables back to the SPARKLE-256 state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s[0] = x0;
- s[1] = y0;
- s[2] = x1;
- s[3] = y1;
- s[4] = x2;
- s[5] = y2;
- s[6] = x3;
- s[7] = y3;
-#else
- le_store_word32((uint8_t *)&(s[0]), x0);
- le_store_word32((uint8_t *)&(s[1]), y0);
- le_store_word32((uint8_t *)&(s[2]), x1);
- le_store_word32((uint8_t *)&(s[3]), y1);
- le_store_word32((uint8_t *)&(s[4]), x2);
- le_store_word32((uint8_t *)&(s[5]), y2);
- le_store_word32((uint8_t *)&(s[6]), x3);
- le_store_word32((uint8_t *)&(s[7]), y3);
-#endif
-}
-
-void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps)
-{
- uint32_t x0, x1, x2, x3, x4, x5;
- uint32_t y0, y1, y2, y3, y4, y5;
- uint32_t tx, ty;
- unsigned step;
-
- /* Load the SPARKLE-384 state up into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- x0 = s[0];
- y0 = s[1];
- x1 = s[2];
- y1 = s[3];
- x2 = s[4];
- y2 = s[5];
- x3 = s[6];
- y3 = s[7];
- x4 = s[8];
- y4 = s[9];
- x5 = s[10];
- y5 = s[11];
-#else
- x0 = le_load_word32((const uint8_t *)&(s[0]));
- y0 = le_load_word32((const uint8_t *)&(s[1]));
- x1 = le_load_word32((const uint8_t *)&(s[2]));
- y1 = le_load_word32((const uint8_t *)&(s[3]));
- x2 = le_load_word32((const uint8_t *)&(s[4]));
- y2 = le_load_word32((const uint8_t *)&(s[5]));
- x3 = le_load_word32((const uint8_t *)&(s[6]));
- y3 = le_load_word32((const uint8_t *)&(s[7]));
- x4 = le_load_word32((const uint8_t *)&(s[8]));
- y4 = le_load_word32((const uint8_t *)&(s[9]));
- x5 = le_load_word32((const uint8_t *)&(s[10]));
- y5 = le_load_word32((const uint8_t *)&(s[11]));
-#endif
-
- /* Perform all requested steps */
- for (step = 0; step < steps; ++step) {
- /* Add round constants */
- y0 ^= sparkle_rc[step];
- y1 ^= step;
-
- /* ARXbox layer */
- alzette(x0, y0, RC_0);
- alzette(x1, y1, RC_1);
- alzette(x2, y2, RC_2);
- alzette(x3, y3, RC_3);
- alzette(x4, y4, RC_4);
- alzette(x5, y5, RC_5);
-
- /* Linear layer */
- tx = x0 ^ x1 ^ x2;
- ty = y0 ^ y1 ^ y2;
- tx = leftRotate16(tx ^ (tx << 16));
- ty = leftRotate16(ty ^ (ty << 16));
- y3 ^= tx;
- y4 ^= tx;
- tx ^= y5;
- y5 = y2;
- y2 = y3 ^ y0;
- y3 = y0;
- y0 = y4 ^ y1;
- y4 = y1;
- y1 = tx ^ y5;
- x3 ^= ty;
- x4 ^= ty;
- ty ^= x5;
- x5 = x2;
- x2 = x3 ^ x0;
- x3 = x0;
- x0 = x4 ^ x1;
- x4 = x1;
- x1 = ty ^ x5;
- }
-
- /* Write the local variables back to the SPARKLE-384 state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s[0] = x0;
- s[1] = y0;
- s[2] = x1;
- s[3] = y1;
- s[4] = x2;
- s[5] = y2;
- s[6] = x3;
- s[7] = y3;
- s[8] = x4;
- s[9] = y4;
- s[10] = x5;
- s[11] = y5;
-#else
- le_store_word32((uint8_t *)&(s[0]), x0);
- le_store_word32((uint8_t *)&(s[1]), y0);
- le_store_word32((uint8_t *)&(s[2]), x1);
- le_store_word32((uint8_t *)&(s[3]), y1);
- le_store_word32((uint8_t *)&(s[4]), x2);
- le_store_word32((uint8_t *)&(s[5]), y2);
- le_store_word32((uint8_t *)&(s[6]), x3);
- le_store_word32((uint8_t *)&(s[7]), y3);
- le_store_word32((uint8_t *)&(s[8]), x4);
- le_store_word32((uint8_t *)&(s[9]), y4);
- le_store_word32((uint8_t *)&(s[10]), x5);
- le_store_word32((uint8_t *)&(s[11]), y5);
-#endif
-}
-
-void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps)
-{
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t y0, y1, y2, y3, y4, y5, y6, y7;
- uint32_t tx, ty;
- unsigned step;
-
- /* Load the SPARKLE-512 state up into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- x0 = s[0];
- y0 = s[1];
- x1 = s[2];
- y1 = s[3];
- x2 = s[4];
- y2 = s[5];
- x3 = s[6];
- y3 = s[7];
- x4 = s[8];
- y4 = s[9];
- x5 = s[10];
- y5 = s[11];
- x6 = s[12];
- y6 = s[13];
- x7 = s[14];
- y7 = s[15];
-#else
- x0 = le_load_word32((const uint8_t *)&(s[0]));
- y0 = le_load_word32((const uint8_t *)&(s[1]));
- x1 = le_load_word32((const uint8_t *)&(s[2]));
- y1 = le_load_word32((const uint8_t *)&(s[3]));
- x2 = le_load_word32((const uint8_t *)&(s[4]));
- y2 = le_load_word32((const uint8_t *)&(s[5]));
- x3 = le_load_word32((const uint8_t *)&(s[6]));
- y3 = le_load_word32((const uint8_t *)&(s[7]));
- x4 = le_load_word32((const uint8_t *)&(s[8]));
- y4 = le_load_word32((const uint8_t *)&(s[9]));
- x5 = le_load_word32((const uint8_t *)&(s[10]));
- y5 = le_load_word32((const uint8_t *)&(s[11]));
- x6 = le_load_word32((const uint8_t *)&(s[12]));
- y6 = le_load_word32((const uint8_t *)&(s[13]));
- x7 = le_load_word32((const uint8_t *)&(s[14]));
- y7 = le_load_word32((const uint8_t *)&(s[15]));
-#endif
-
- /* Perform all requested steps */
- for (step = 0; step < steps; ++step) {
- /* Add round constants */
- y0 ^= sparkle_rc[step];
- y1 ^= step;
-
- /* ARXbox layer */
- alzette(x0, y0, RC_0);
- alzette(x1, y1, RC_1);
- alzette(x2, y2, RC_2);
- alzette(x3, y3, RC_3);
- alzette(x4, y4, RC_4);
- alzette(x5, y5, RC_5);
- alzette(x6, y6, RC_6);
- alzette(x7, y7, RC_7);
-
- /* Linear layer */
- tx = x0 ^ x1 ^ x2 ^ x3;
- ty = y0 ^ y1 ^ y2 ^ y3;
- tx = leftRotate16(tx ^ (tx << 16));
- ty = leftRotate16(ty ^ (ty << 16));
- y4 ^= tx;
- y5 ^= tx;
- y6 ^= tx;
- tx ^= y7;
- y7 = y3;
- y3 = y4 ^ y0;
- y4 = y0;
- y0 = y5 ^ y1;
- y5 = y1;
- y1 = y6 ^ y2;
- y6 = y2;
- y2 = tx ^ y7;
- x4 ^= ty;
- x5 ^= ty;
- x6 ^= ty;
- ty ^= x7;
- x7 = x3;
- x3 = x4 ^ x0;
- x4 = x0;
- x0 = x5 ^ x1;
- x5 = x1;
- x1 = x6 ^ x2;
- x6 = x2;
- x2 = ty ^ x7;
- }
-
- /* Write the local variables back to the SPARKLE-512 state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s[0] = x0;
- s[1] = y0;
- s[2] = x1;
- s[3] = y1;
- s[4] = x2;
- s[5] = y2;
- s[6] = x3;
- s[7] = y3;
- s[8] = x4;
- s[9] = y4;
- s[10] = x5;
- s[11] = y5;
- s[12] = x6;
- s[13] = y6;
- s[14] = x7;
- s[15] = y7;
-#else
- le_store_word32((uint8_t *)&(s[0]), x0);
- le_store_word32((uint8_t *)&(s[1]), y0);
- le_store_word32((uint8_t *)&(s[2]), x1);
- le_store_word32((uint8_t *)&(s[3]), y1);
- le_store_word32((uint8_t *)&(s[4]), x2);
- le_store_word32((uint8_t *)&(s[5]), y2);
- le_store_word32((uint8_t *)&(s[6]), x3);
- le_store_word32((uint8_t *)&(s[7]), y3);
- le_store_word32((uint8_t *)&(s[8]), x4);
- le_store_word32((uint8_t *)&(s[9]), y4);
- le_store_word32((uint8_t *)&(s[10]), x5);
- le_store_word32((uint8_t *)&(s[11]), y5);
- le_store_word32((uint8_t *)&(s[12]), x6);
- le_store_word32((uint8_t *)&(s[13]), y6);
- le_store_word32((uint8_t *)&(s[14]), x7);
- le_store_word32((uint8_t *)&(s[15]), y7);
-#endif
-}
-
-#endif
diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/internal-sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/internal-sparkle.h
deleted file mode 100644
index fbdabc1..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/internal-sparkle.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SPARKLE_H
-#define LW_INTERNAL_SPARKLE_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-sparkle.h
- * \brief Internal implementation of the SPARKLE permutation.
- *
- * References: https://www.cryptolux.org/index.php/Sparkle
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the state for SPARKLE-256.
- */
-#define SPARKLE_256_STATE_SIZE 8
-
-/**
- * \brief Size of the state for SPARKLE-384.
- */
-#define SPARKLE_384_STATE_SIZE 12
-
-/**
- * \brief Size of the state for SPARKLE-512.
- */
-#define SPARKLE_512_STATE_SIZE 16
-
-/**
- * \brief Performs the SPARKLE-256 permutation.
- *
- * \param s The words of the SPARKLE-256 state in little-endian byte order.
- * \param steps The number of steps to perform, 7 or 10.
- */
-void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps);
-
-/**
- * \brief Performs the SPARKLE-384 permutation.
- *
- * \param s The words of the SPARKLE-384 state in little-endian byte order.
- * \param steps The number of steps to perform, 7 or 11.
- */
-void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps);
-
-/**
- * \brief Performs the SPARKLE-512 permutation.
- *
- * \param s The words of the SPARKLE-512 state in little-endian byte order.
- * \param steps The number of steps to perform, 8 or 12.
- */
-void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/internal-util.h b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/sparkle.c deleted file mode 100644 index e2aa25a..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/sparkle.c +++ /dev/null 
@@ -1,1135 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "sparkle.h"
-#include "internal-sparkle.h"
-#include 
-
-aead_cipher_t const schwaemm_256_128_cipher = {
- "Schwaemm256-128",
- SCHWAEMM_256_128_KEY_SIZE,
- SCHWAEMM_256_128_NONCE_SIZE,
- SCHWAEMM_256_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_256_128_aead_encrypt,
- schwaemm_256_128_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_192_192_cipher = {
- "Schwaemm192-192",
- SCHWAEMM_192_192_KEY_SIZE,
- SCHWAEMM_192_192_NONCE_SIZE,
- SCHWAEMM_192_192_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_192_192_aead_encrypt,
- schwaemm_192_192_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_128_128_cipher = {
- "Schwaemm128-128",
- SCHWAEMM_128_128_KEY_SIZE,
- SCHWAEMM_128_128_NONCE_SIZE,
- SCHWAEMM_128_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_128_128_aead_encrypt,
- schwaemm_128_128_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_256_256_cipher = {
- "Schwaemm256-256",
- SCHWAEMM_256_256_KEY_SIZE,
- SCHWAEMM_256_256_NONCE_SIZE,
- SCHWAEMM_256_256_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_256_256_aead_encrypt,
- schwaemm_256_256_aead_decrypt
-};
-
-aead_hash_algorithm_t const esch_256_hash_algorithm = {
- "Esch256",
- sizeof(esch_256_hash_state_t),
- ESCH_256_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- esch_256_hash,
- (aead_hash_init_t)esch_256_hash_init,
- (aead_hash_update_t)esch_256_hash_update,
- (aead_hash_finalize_t)esch_256_hash_finalize,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const esch_384_hash_algorithm = {
- "Esch384",
- sizeof(esch_384_hash_state_t),
- ESCH_384_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- esch_384_hash,
- (aead_hash_init_t)esch_384_hash_init,
- (aead_hash_update_t)esch_384_hash_update,
- (aead_hash_finalize_t)esch_384_hash_finalize,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \def DOMAIN(value)
- * \brief Build a domain separation value as a 32-bit word.
- *
- * \param value The base value.
- * \return The domain separation value as a 32-bit word.
- */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
-#define DOMAIN(value) (((uint32_t)(value)) << 24)
-#else
-#define DOMAIN(value) (value)
-#endif
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_RATE 32
-
-/**
- * \brief Pointer to the left of the state for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_RIGHT(s) \
- (SCHWAEMM_256_128_LEFT(s) + SCHWAEMM_256_128_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128.
- *
- * \param s SPARKLE-384 state.
- */
-#define schwaemm_256_128_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[4] ^ s[8]; \
- s[4] ^= t ^ s[8]; \
- t = s[1]; \
- s[1] = s[5] ^ s[9]; \
- s[5] ^= t ^ s[9]; \
- t = s[2]; \
- s[2] = s[6] ^ s[10]; \
- s[6] ^= t ^ s[10]; \
- t = s[3]; \
- s[3] = s[7] ^ s[11]; \
- s[7] ^= t ^ s[11]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm256-128.
- *
- * \param s SPARKLE-384 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */ -static void schwaemm_256_128_authenticate - (uint32_t s[SPARKLE_384_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen > SCHWAEMM_256_128_RATE) { - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); - sparkle_384(s, 7); - ad += SCHWAEMM_256_128_RATE; - adlen -= SCHWAEMM_256_128_RATE; - } - if (adlen == SCHWAEMM_256_128_RATE) { - s[11] ^= DOMAIN(0x05); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); - } else { - unsigned temp = (unsigned)adlen; - s[11] ^= DOMAIN(0x04); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, ad, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_384(s, 11); -} - -int schwaemm_256_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - uint8_t block[SCHWAEMM_256_128_RATE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SCHWAEMM_256_128_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); - memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); - sparkle_384(s, 11); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_256_128_authenticate(s, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > SCHWAEMM_256_128_RATE) { - lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); - sparkle_384(s, 7); - memcpy(c, block, SCHWAEMM_256_128_RATE); - c += SCHWAEMM_256_128_RATE; - m += SCHWAEMM_256_128_RATE; - mlen -= SCHWAEMM_256_128_RATE; - } - if (mlen == SCHWAEMM_256_128_RATE) { - 
lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); - s[11] ^= DOMAIN(0x07); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); - memcpy(c, block, SCHWAEMM_256_128_RATE); - } else { - unsigned temp = (unsigned)mlen; - lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - s[11] ^= DOMAIN(0x06); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - memcpy(c, block, temp); - } - sparkle_384(s, 11); - c += mlen; - } - - /* Generate the authentication tag */ - lw_xor_block_2_src - (c, SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); - return 0; -} - -int schwaemm_256_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SCHWAEMM_256_128_TAG_SIZE) - return -1; - *mlen = clen - SCHWAEMM_256_128_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); - memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); - sparkle_384(s, 11); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_256_128_authenticate(s, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SCHWAEMM_256_128_TAG_SIZE; - if (clen > 0) { - while (clen > SCHWAEMM_256_128_RATE) { - lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); - sparkle_384(s, 7); - c += SCHWAEMM_256_128_RATE; - m += SCHWAEMM_256_128_RATE; - clen -= SCHWAEMM_256_128_RATE; - } - if (clen == SCHWAEMM_256_128_RATE) { - 
lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); - s[11] ^= DOMAIN(0x07); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); - } else { - unsigned temp = (unsigned)clen; - lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - s[11] ^= DOMAIN(0x06); - schwaemm_256_128_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_384(s, 11); - c += clen; - } - - /* Check the authentication tag */ - lw_xor_block(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); - return aead_check_tag - (mtemp, *mlen, SCHWAEMM_256_128_RIGHT(s), c, SCHWAEMM_256_128_TAG_SIZE); -} - -/** - * \brief Rate at which bytes are processed by Schwaemm192-192. - */ -#define SCHWAEMM_192_192_RATE 24 - -/** - * \brief Pointer to the left of the state for Schwaemm192-192. - */ -#define SCHWAEMM_192_192_LEFT(s) ((unsigned char *)&(s[0])) - -/** - * \brief Pointer to the right of the state for Schwaemm192-192. - */ -#define SCHWAEMM_192_192_RIGHT(s) \ - (SCHWAEMM_192_192_LEFT(s) + SCHWAEMM_192_192_RATE) - -/** - * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192. - * - * \param s SPARKLE-384 state. - */ -#define schwaemm_192_192_rho(s) \ - do { \ - uint32_t t = s[0]; \ - s[0] = s[3] ^ s[6]; \ - s[3] ^= t ^ s[9]; \ - t = s[1]; \ - s[1] = s[4] ^ s[7]; \ - s[4] ^= t ^ s[10]; \ - t = s[2]; \ - s[2] = s[5] ^ s[8]; \ - s[5] ^= t ^ s[11]; \ - } while (0) - -/** - * \brief Authenticates the associated data for Schwaemm192-192. - * - * \param s SPARKLE-384 state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data; must be >= 1. 
- */ -static void schwaemm_192_192_authenticate - (uint32_t s[SPARKLE_384_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen > SCHWAEMM_192_192_RATE) { - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); - sparkle_384(s, 7); - ad += SCHWAEMM_192_192_RATE; - adlen -= SCHWAEMM_192_192_RATE; - } - if (adlen == SCHWAEMM_192_192_RATE) { - s[11] ^= DOMAIN(0x09); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); - } else { - unsigned temp = (unsigned)adlen; - s[11] ^= DOMAIN(0x08); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, ad, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_384(s, 11); -} - -int schwaemm_192_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - uint8_t block[SCHWAEMM_192_192_RATE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SCHWAEMM_192_192_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); - memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); - sparkle_384(s, 11); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_192_192_authenticate(s, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > SCHWAEMM_192_192_RATE) { - lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); - sparkle_384(s, 7); - memcpy(c, block, SCHWAEMM_192_192_RATE); - c += SCHWAEMM_192_192_RATE; - m += SCHWAEMM_192_192_RATE; - mlen -= SCHWAEMM_192_192_RATE; - } - if (mlen == SCHWAEMM_192_192_RATE) { - 
lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); - s[11] ^= DOMAIN(0x0B); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); - memcpy(c, block, SCHWAEMM_192_192_RATE); - } else { - unsigned temp = (unsigned)mlen; - lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - s[11] ^= DOMAIN(0x0A); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - memcpy(c, block, temp); - } - sparkle_384(s, 11); - c += mlen; - } - - /* Generate the authentication tag */ - lw_xor_block_2_src - (c, SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); - return 0; -} - -int schwaemm_192_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SCHWAEMM_192_192_TAG_SIZE) - return -1; - *mlen = clen - SCHWAEMM_192_192_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); - memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); - sparkle_384(s, 11); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_192_192_authenticate(s, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SCHWAEMM_192_192_TAG_SIZE; - if (clen > 0) { - while (clen > SCHWAEMM_192_192_RATE) { - lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); - sparkle_384(s, 7); - c += SCHWAEMM_192_192_RATE; - m += SCHWAEMM_192_192_RATE; - clen -= SCHWAEMM_192_192_RATE; - } - if (clen == SCHWAEMM_192_192_RATE) { - 
lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); - s[11] ^= DOMAIN(0x0B); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); - } else { - unsigned temp = (unsigned)clen; - lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - s[11] ^= DOMAIN(0x0A); - schwaemm_192_192_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_384(s, 11); - c += clen; - } - - /* Check the authentication tag */ - lw_xor_block(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); - return aead_check_tag - (mtemp, *mlen, SCHWAEMM_192_192_RIGHT(s), c, SCHWAEMM_192_192_TAG_SIZE); -} - -/** - * \brief Rate at which bytes are processed by Schwaemm128-128. - */ -#define SCHWAEMM_128_128_RATE 16 - -/** - * \brief Pointer to the left of the state for Schwaemm128-128. - */ -#define SCHWAEMM_128_128_LEFT(s) ((unsigned char *)&(s[0])) - -/** - * \brief Pointer to the right of the state for Schwaemm128-128. - */ -#define SCHWAEMM_128_128_RIGHT(s) \ - (SCHWAEMM_128_128_LEFT(s) + SCHWAEMM_128_128_RATE) - -/** - * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128. - * - * \param s SPARKLE-256 state. - */ -#define schwaemm_128_128_rho(s) \ - do { \ - uint32_t t = s[0]; \ - s[0] = s[2] ^ s[4]; \ - s[2] ^= t ^ s[6]; \ - t = s[1]; \ - s[1] = s[3] ^ s[5]; \ - s[3] ^= t ^ s[7]; \ - } while (0) - -/** - * \brief Authenticates the associated data for Schwaemm128-128. - * - * \param s SPARKLE-256 state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data; must be >= 1. 
- */ -static void schwaemm_128_128_authenticate - (uint32_t s[SPARKLE_256_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen > SCHWAEMM_128_128_RATE) { - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); - sparkle_256(s, 7); - ad += SCHWAEMM_128_128_RATE; - adlen -= SCHWAEMM_128_128_RATE; - } - if (adlen == SCHWAEMM_128_128_RATE) { - s[7] ^= DOMAIN(0x05); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); - } else { - unsigned temp = (unsigned)adlen; - s[7] ^= DOMAIN(0x04); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, ad, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_256(s, 10); -} - -int schwaemm_128_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_256_STATE_SIZE]; - uint8_t block[SCHWAEMM_128_128_RATE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SCHWAEMM_128_128_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); - memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); - sparkle_256(s, 10); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_128_128_authenticate(s, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > SCHWAEMM_128_128_RATE) { - lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); - sparkle_256(s, 7); - memcpy(c, block, SCHWAEMM_128_128_RATE); - c += SCHWAEMM_128_128_RATE; - m += SCHWAEMM_128_128_RATE; - mlen -= SCHWAEMM_128_128_RATE; - } - if (mlen == SCHWAEMM_128_128_RATE) { - 
lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); - s[7] ^= DOMAIN(0x07); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); - memcpy(c, block, SCHWAEMM_128_128_RATE); - } else { - unsigned temp = (unsigned)mlen; - lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - s[7] ^= DOMAIN(0x06); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - memcpy(c, block, temp); - } - sparkle_256(s, 10); - c += mlen; - } - - /* Generate the authentication tag */ - lw_xor_block_2_src - (c, SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); - return 0; -} - -int schwaemm_128_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_256_STATE_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SCHWAEMM_128_128_TAG_SIZE) - return -1; - *mlen = clen - SCHWAEMM_128_128_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); - memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); - sparkle_256(s, 10); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_128_128_authenticate(s, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SCHWAEMM_128_128_TAG_SIZE; - if (clen > 0) { - while (clen > SCHWAEMM_128_128_RATE) { - lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); - sparkle_256(s, 7); - c += SCHWAEMM_128_128_RATE; - m += SCHWAEMM_128_128_RATE; - clen -= SCHWAEMM_128_128_RATE; - } - if (clen == SCHWAEMM_128_128_RATE) { - 
lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); - s[7] ^= DOMAIN(0x07); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); - } else { - unsigned temp = (unsigned)clen; - lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - s[7] ^= DOMAIN(0x06); - schwaemm_128_128_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_256(s, 10); - c += clen; - } - - /* Check the authentication tag */ - lw_xor_block(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); - return aead_check_tag - (mtemp, *mlen, SCHWAEMM_128_128_RIGHT(s), c, SCHWAEMM_128_128_TAG_SIZE); -} - -/** - * \brief Rate at which bytes are processed by Schwaemm256-256. - */ -#define SCHWAEMM_256_256_RATE 32 - -/** - * \brief Pointer to the left of the state for Schwaemm256-256. - */ -#define SCHWAEMM_256_256_LEFT(s) ((unsigned char *)&(s[0])) - -/** - * \brief Pointer to the right of the state for Schwaemm256-256. - */ -#define SCHWAEMM_256_256_RIGHT(s) \ - (SCHWAEMM_256_256_LEFT(s) + SCHWAEMM_256_256_RATE) - -/** - * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256. - * - * \param s SPARKLE-512 state. - */ -#define schwaemm_256_256_rho(s) \ - do { \ - uint32_t t = s[0]; \ - s[0] = s[4] ^ s[8]; \ - s[4] ^= t ^ s[12]; \ - t = s[1]; \ - s[1] = s[5] ^ s[9]; \ - s[5] ^= t ^ s[13]; \ - t = s[2]; \ - s[2] = s[6] ^ s[10]; \ - s[6] ^= t ^ s[14]; \ - t = s[3]; \ - s[3] = s[7] ^ s[11]; \ - s[7] ^= t ^ s[15]; \ - } while (0) - -/** - * \brief Authenticates the associated data for Schwaemm256-256. - * - * \param s SPARKLE-512 state. - * \param ad Points to the associated data. - * \param adlen Length of the associated data; must be >= 1. 
- */ -static void schwaemm_256_256_authenticate - (uint32_t s[SPARKLE_512_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen > SCHWAEMM_256_256_RATE) { - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); - sparkle_512(s, 8); - ad += SCHWAEMM_256_256_RATE; - adlen -= SCHWAEMM_256_256_RATE; - } - if (adlen == SCHWAEMM_256_256_RATE) { - s[15] ^= DOMAIN(0x11); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); - } else { - unsigned temp = (unsigned)adlen; - s[15] ^= DOMAIN(0x10); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, ad, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_512(s, 12); -} - -int schwaemm_256_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_512_STATE_SIZE]; - uint8_t block[SCHWAEMM_256_256_RATE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SCHWAEMM_256_256_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); - memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); - sparkle_512(s, 12); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_256_256_authenticate(s, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > SCHWAEMM_256_256_RATE) { - lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); - sparkle_512(s, 8); - memcpy(c, block, SCHWAEMM_256_256_RATE); - c += SCHWAEMM_256_256_RATE; - m += SCHWAEMM_256_256_RATE; - mlen -= SCHWAEMM_256_256_RATE; - } - if (mlen == SCHWAEMM_256_256_RATE) { - 
lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); - s[15] ^= DOMAIN(0x13); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); - memcpy(c, block, SCHWAEMM_256_256_RATE); - } else { - unsigned temp = (unsigned)mlen; - lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - s[15] ^= DOMAIN(0x12); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - memcpy(c, block, temp); - } - sparkle_512(s, 12); - c += mlen; - } - - /* Generate the authentication tag */ - lw_xor_block_2_src - (c, SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); - return 0; -} - -int schwaemm_256_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_512_STATE_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SCHWAEMM_256_256_TAG_SIZE) - return -1; - *mlen = clen - SCHWAEMM_256_256_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); - memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); - sparkle_512(s, 12); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_256_256_authenticate(s, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SCHWAEMM_256_256_TAG_SIZE; - if (clen > 0) { - while (clen > SCHWAEMM_256_256_RATE) { - lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); - sparkle_512(s, 8); - c += SCHWAEMM_256_256_RATE; - m += SCHWAEMM_256_256_RATE; - clen -= SCHWAEMM_256_256_RATE; - } - if (clen == SCHWAEMM_256_256_RATE) { - 
lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); - s[15] ^= DOMAIN(0x13); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); - } else { - unsigned temp = (unsigned)clen; - lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - s[15] ^= DOMAIN(0x12); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_512(s, 12); - c += clen; - } - - /* Check the authentication tag */ - lw_xor_block(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); - return aead_check_tag - (mtemp, *mlen, SCHWAEMM_256_256_RIGHT(s), c, SCHWAEMM_256_256_TAG_SIZE); -} - -/** - * \brief Rate at which bytes are processed by Esch256. - */ -#define ESCH_256_RATE 16 - -/** - * \brief Perform the M3 step for Esch256 to mix the input with the state. - * - * \param s SPARKLE-384 state. - * \param block Block of input data that has been padded to the rate. - * \param domain Domain separator for this phase. - */ -#define esch_256_m3(s, block, domain) \ - do { \ - uint32_t tx = (block)[0] ^ (block)[2]; \ - uint32_t ty = (block)[1] ^ (block)[3]; \ - tx = leftRotate16(tx ^ (tx << 16)); \ - ty = leftRotate16(ty ^ (ty << 16)); \ - s[0] ^= (block)[0] ^ ty; \ - s[1] ^= (block)[1] ^ tx; \ - s[2] ^= (block)[2] ^ ty; \ - s[3] ^= (block)[3] ^ tx; \ - if ((domain) != 0) \ - s[5] ^= DOMAIN(domain); \ - s[4] ^= ty; \ - s[5] ^= tx; \ - } while (0) - -/** @cond esch_256 */ - -/** - * \brief Word-based state for the Esch256 incremental hash mode. 
- */ -typedef union -{ - struct { - uint32_t state[SPARKLE_384_STATE_SIZE]; - uint32_t block[4]; - unsigned char count; - } s; - unsigned long long align; - -} esch_256_hash_state_wt; - -/** @endcond */ - -int esch_256_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - uint32_t block[ESCH_256_RATE / 4]; - memset(s, 0, sizeof(s)); - while (inlen > ESCH_256_RATE) { - memcpy(block, in, ESCH_256_RATE); - esch_256_m3(s, block, 0x00); - sparkle_384(s, 7); - in += ESCH_256_RATE; - inlen -= ESCH_256_RATE; - } - if (inlen == ESCH_256_RATE) { - memcpy(block, in, ESCH_256_RATE); - esch_256_m3(s, block, 0x02); - } else { - unsigned temp = (unsigned)inlen; - memcpy(block, in, temp); - ((unsigned char *)block)[temp] = 0x80; - memset(((unsigned char *)block) + temp + 1, 0, - ESCH_256_RATE - temp - 1); - esch_256_m3(s, block, 0x01); - } - sparkle_384(s, 11); - memcpy(out, s, ESCH_256_RATE); - sparkle_384(s, 7); - memcpy(out + ESCH_256_RATE, s, ESCH_256_RATE); - return 0; -} - -void esch_256_hash_init(esch_256_hash_state_t *state) -{ - memset(state, 0, sizeof(esch_256_hash_state_t)); -} - -void esch_256_hash_update - (esch_256_hash_state_t *state, const unsigned char *in, - unsigned long long inlen) -{ - esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; - unsigned temp; - while (inlen > 0) { - if (st->s.count == ESCH_256_RATE) { - esch_256_m3(st->s.state, st->s.block, 0x00); - sparkle_384(st->s.state, 7); - st->s.count = 0; - } - temp = ESCH_256_RATE - st->s.count; - if (temp > inlen) - temp = (unsigned)inlen; - memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); - st->s.count += temp; - in += temp; - inlen -= temp; - } -} - -void esch_256_hash_finalize - (esch_256_hash_state_t *state, unsigned char *out) -{ - esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; - - /* Pad and process the last block */ - if (st->s.count == ESCH_256_RATE) { - esch_256_m3(st->s.state, 
st->s.block, 0x02); - } else { - unsigned temp = st->s.count; - ((unsigned char *)(st->s.block))[temp] = 0x80; - memset(((unsigned char *)(st->s.block)) + temp + 1, 0, - ESCH_256_RATE - temp - 1); - esch_256_m3(st->s.state, st->s.block, 0x01); - } - sparkle_384(st->s.state, 11); - - /* Generate the final hash value */ - memcpy(out, st->s.state, ESCH_256_RATE); - sparkle_384(st->s.state, 7); - memcpy(out + ESCH_256_RATE, st->s.state, ESCH_256_RATE); -} - -/** - * \brief Rate at which bytes are processed by Esch384. - */ -#define ESCH_384_RATE 16 - -/** - * \brief Perform the M4 step for Esch384 to mix the input with the state. - * - * \param s SPARKLE-512 state. - * \param block Block of input data that has been padded to the rate. - * \param domain Domain separator for this phase. - */ -#define esch_384_m4(s, block, domain) \ - do { \ - uint32_t tx = block[0] ^ block[2]; \ - uint32_t ty = block[1] ^ block[3]; \ - tx = leftRotate16(tx ^ (tx << 16)); \ - ty = leftRotate16(ty ^ (ty << 16)); \ - s[0] ^= block[0] ^ ty; \ - s[1] ^= block[1] ^ tx; \ - s[2] ^= block[2] ^ ty; \ - s[3] ^= block[3] ^ tx; \ - if ((domain) != 0) \ - s[7] ^= DOMAIN(domain); \ - s[4] ^= ty; \ - s[5] ^= tx; \ - s[6] ^= ty; \ - s[7] ^= tx; \ - } while (0) - -/** @cond esch_384 */ - -/** - * \brief Word-based state for the Esch384 incremental hash mode. 
- */ -typedef union -{ - struct { - uint32_t state[SPARKLE_512_STATE_SIZE]; - uint32_t block[4]; - unsigned char count; - } s; - unsigned long long align; - -} esch_384_hash_state_wt; - -/** @endcond */ - -int esch_384_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - uint32_t s[SPARKLE_512_STATE_SIZE]; - uint32_t block[ESCH_256_RATE / 4]; - memset(s, 0, sizeof(s)); - while (inlen > ESCH_384_RATE) { - memcpy(block, in, ESCH_384_RATE); - esch_384_m4(s, block, 0x00); - sparkle_512(s, 8); - in += ESCH_384_RATE; - inlen -= ESCH_384_RATE; - } - if (inlen == ESCH_384_RATE) { - memcpy(block, in, ESCH_384_RATE); - esch_384_m4(s, block, 0x02); - } else { - unsigned temp = (unsigned)inlen; - memcpy(block, in, temp); - ((unsigned char *)block)[temp] = 0x80; - memset(((unsigned char *)block) + temp + 1, 0, - ESCH_384_RATE - temp - 1); - esch_384_m4(s, block, 0x01); - } - sparkle_512(s, 12); - memcpy(out, s, ESCH_384_RATE); - sparkle_512(s, 8); - memcpy(out + ESCH_384_RATE, s, ESCH_384_RATE); - sparkle_512(s, 8); - memcpy(out + ESCH_384_RATE * 2, s, ESCH_384_RATE); - return 0; -} - -void esch_384_hash_init(esch_384_hash_state_t *state) -{ - memset(state, 0, sizeof(esch_384_hash_state_t)); -} - -void esch_384_hash_update - (esch_384_hash_state_t *state, const unsigned char *in, - unsigned long long inlen) -{ - esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; - unsigned temp; - while (inlen > 0) { - if (st->s.count == ESCH_384_RATE) { - esch_384_m4(st->s.state, st->s.block, 0x00); - sparkle_512(st->s.state, 8); - st->s.count = 0; - } - temp = ESCH_384_RATE - st->s.count; - if (temp > inlen) - temp = (unsigned)inlen; - memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); - st->s.count += temp; - in += temp; - inlen -= temp; - } -} - -void esch_384_hash_finalize - (esch_384_hash_state_t *state, unsigned char *out) -{ - esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; - - /* Pad and process the last block */ - 
if (st->s.count == ESCH_384_RATE) { - esch_384_m4(st->s.state, st->s.block, 0x02); - } else { - unsigned temp = st->s.count; - ((unsigned char *)(st->s.block))[temp] = 0x80; - memset(((unsigned char *)(st->s.block)) + temp + 1, 0, - ESCH_384_RATE - temp - 1); - esch_384_m4(st->s.state, st->s.block, 0x01); - } - sparkle_512(st->s.state, 12); - - /* Generate the final hash value */ - memcpy(out, st->s.state, ESCH_384_RATE); - sparkle_512(st->s.state, 8); - memcpy(out + ESCH_384_RATE, st->s.state, ESCH_384_RATE); - sparkle_512(st->s.state, 8); - memcpy(out + ESCH_384_RATE * 2, st->s.state, ESCH_384_RATE); -} diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/sparkle.h b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/sparkle.h deleted file mode 100644 index dd0999e..0000000 --- a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys-avr/sparkle.h +++ /dev/null 
@@ -1,515 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SPARKLE_H
-#define LWCRYPTO_SPARKLE_H
-
-#include "aead-common.h"
-
-/**
- * \file sparkle.h
- * \brief Encryption and hash algorithms based on the SPARKLE permutation.
- *
- * SPARKLE is a family of encryption and hash algorithms that are based
- * around the SPARKLE permutation. There are three versions of the
- * permutation with 256-bit, 384-bit, and 512-bit state sizes.
- * The algorithms in the family are:
- *
- * \li Schwaemm256-128 with a 128-bit key, a 256-bit nonce, and a 128-bit tag.
- * This is the primary encryption algorithm in the family.
- * \li Schwaemm192-192 with a 192-bit key, a 192-bit nonce, and a 192-bit tag.
- * \li Schwaemm128-128 with a 128-bit key, a 128-bit nonce, and a 128-bit tag.
- * \li Schwaemm256-256 with a 256-bit key, a 256-bit nonce, and a 256-bit tag.
- * \li Esch256 hash algorithm with a 256-bit digest output. This is the
- * primary hash algorithm in the family.
- * \li Esch384 hash algorithm with a 384-bit digest output.
- *
- * References: https://www.cryptolux.org/index.php/Sparkle
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_NONCE_SIZE 32
-
-/**
- * \brief Size of the key for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_KEY_SIZE 24
-
-/**
- * \brief Size of the authentication tag for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_TAG_SIZE 24
-
-/**
- * \brief Size of the nonce for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_NONCE_SIZE 24
-
-/**
- * \brief Size of the key for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_NONCE_SIZE 16
-
-/**
- * \brief Size of the key for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_KEY_SIZE 32
-
-/**
- * \brief Size of the authentication tag for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_TAG_SIZE 32
-
-/**
- * \brief Size of the nonce for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_NONCE_SIZE 32
-
-/**
- * \brief Size of the hash output for Esch256.
- */
-#define ESCH_256_HASH_SIZE 32
-
-/**
- * \brief Size of the hash output for Esch384.
- */
-#define ESCH_384_HASH_SIZE 48
-
-/**
- * \brief Meta-information block for the Schwaemm256-128 cipher.
- */
-extern aead_cipher_t const schwaemm_256_128_cipher;
-
-/**
- * \brief Meta-information block for the Schwaemm192-192 cipher.
- */
-extern aead_cipher_t const schwaemm_192_192_cipher;
-
-/**
- * \brief Meta-information block for the Schwaemm128-128 cipher.
- */
-extern aead_cipher_t const schwaemm_128_128_cipher;
-
-/**
- * \brief Meta-information block for the Schwaemm256-256 cipher.
- */
-extern aead_cipher_t const schwaemm_256_256_cipher;
-
-/**
- * \brief Meta-information block for the Esch256 hash algorithm.
- */
-extern aead_hash_algorithm_t const esch_256_hash_algorithm;
-
-/**
- * \brief Meta-information block for the Esch384 hash algorithm.
- */
-extern aead_hash_algorithm_t const esch_384_hash_algorithm;
-
-/**
- * \brief State information for the Esch256 incremental hash mode.
- */
-typedef union
-{
- struct {
- unsigned char state[48]; /**< Current hash state */
- unsigned char block[16]; /**< Partial input data block */
- unsigned char count; /**< Number of bytes in the current block */
- } s; /**< State */
- unsigned long long align; /**< For alignment of this structure */
-
-} esch_256_hash_state_t;
-
-/**
- * \brief State information for the Esch384 incremental hash mode.
- */
-typedef union
-{
- struct {
- unsigned char state[64]; /**< Current hash state */
- unsigned char block[16]; /**< Partial input data block */
- unsigned char count; /**< Number of bytes in the current block */
- } s; /**< State */
- unsigned long long align; /**< For alignment of this structure */
-
-} esch_384_hash_state_t;
-
-/**
- * \brief Encrypts and authenticates a packet with Schwaemm256-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 32 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa schwaemm_256_128_aead_decrypt() - */ -int schwaemm_256_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Schwaemm256-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 32 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa schwaemm_256_128_aead_encrypt() - */ -int schwaemm_256_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Schwaemm192-192. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 24 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 24 bytes in length. - * \param k Points to the 24 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa schwaemm_192_192_aead_decrypt() - */ -int schwaemm_192_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Schwaemm192-192. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. 
- * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 24 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 24 bytes in length. - * \param k Points to the 24 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa schwaemm_192_192_aead_encrypt() - */ -int schwaemm_192_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Schwaemm128-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa schwaemm_128_128_aead_decrypt() - */ -int schwaemm_128_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Schwaemm128-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa schwaemm_128_128_aead_encrypt() - */ -int schwaemm_128_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Schwaemm256-256. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. 
- * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa schwaemm_256_256_aead_decrypt() - */ -int schwaemm_256_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Schwaemm256-256. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa schwaemm_256_256_aead_encrypt() - */ -int schwaemm_256_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data with Esch256 to generate a hash value. - * - * \param out Buffer to receive the hash output which must be at least - * ESCH_256_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int esch_256_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for an Esch256 hashing operation. - * - * \param state Hash state to be initialized. - * - * \sa esch_256_hash_update(), esch_256_hash_finalize(), esch_256_hash() - */ -void esch_256_hash_init(esch_256_hash_state_t *state); - -/** - * \brief Updates an Esch256 state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - * - * \sa esch_256_hash_init(), esch_256_hash_finalize() - */ -void esch_256_hash_update - (esch_256_hash_state_t *state, const unsigned char *in, - unsigned long long inlen); - -/** - * \brief Returns the final hash value from an Esch256 hashing operation. - * - * \param state Hash state to be finalized. - * \param out Points to the output buffer to receive the 32-byte hash value. - * - * \sa esch_256_hash_init(), esch_256_hash_update() - */ -void esch_256_hash_finalize - (esch_256_hash_state_t *state, unsigned char *out); - -/** - * \brief Hashes a block of input data with Esch384 to generate a hash value. 
- * - * \param out Buffer to receive the hash output which must be at least - * ESCH_384_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int esch_384_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for an Esch384 hashing operation. - * - * \param state Hash state to be initialized. - * - * \sa esch_384_hash_update(), esch_384_hash_finalize(), esch_384_hash() - */ -void esch_384_hash_init(esch_384_hash_state_t *state); - -/** - * \brief Updates an Esch384 state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - * - * \sa esch_384_hash_init(), esch_384_hash_finalize() - */ -void esch_384_hash_update - (esch_384_hash_state_t *state, const unsigned char *in, - unsigned long long inlen); - -/** - * \brief Returns the final hash value from an Esch384 hashing operation. - * - * \param state Hash state to be finalized. - * \param out Points to the output buffer to receive the 48-byte hash value. - * - * \sa esch_384_hash_init(), esch_384_hash_update() - */ -void esch_384_hash_finalize - (esch_384_hash_state_t *state, unsigned char *out); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle-avr.S b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle-avr.S new file mode 100644 index 0000000..753ea2f --- /dev/null +++ b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle-avr.S 
@@ -0,0 +1,2887 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global sparkle_256 + .type sparkle_256, @function +sparkle_256: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + rcall 129f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 129f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 129f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + rcall 129f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 129f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 129f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 129f + pop r18 + cpi r18,7 + brne 5094f + rjmp 615f +5094: + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 129f + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 129f + ldi r18,128 + ldi r19,88 + ldi r20,113 + 
ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 129f + rjmp 615f +129: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc 
r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + 
eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + movw r18,r4 + movw r20,r6 + movw r4,r14 + movw r6,r12 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + movw r8,r18 + movw r10,r20 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 
+ eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + movw r14,r22 + movw r12,r26 + eor r14,r18 + eor r15,r19 + eor r12,r20 + eor r13,r21 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + movw r22,r16 + movw r26,r24 + eor r22,r28 + eor r23,r29 + eor r26,r2 + eor r27,r3 + movw r28,r14 + movw r2,r12 + ret +615: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_256, .-sparkle_256 + + .text +.global sparkle_384 + .type sparkle_384, @function +sparkle_384: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + rcall 140f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 140f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 140f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + 
rcall 140f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 140f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 140f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 140f + pop r18 + cpi r18,7 + brne 5094f + rjmp 886f +5094: + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 140f + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 140f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 140f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,10 + eor r8,r18 + rcall 140f + rjmp 886f +140: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 
+ ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 
+ ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + 
rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r22 + std Z+17,r23 + std Z+18,r26 + std Z+19,r27 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + eor r24,r4 + eor r25,r5 + eor r16,r6 + eor r17,r7 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r28,Z+40 + ldd r29,Z+41 + ldd r2,Z+42 + ldd r3,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor 
r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r0,Z+4 + eor r18,r0 + ldd r0,Z+5 + eor r19,r0 + ldd r0,Z+6 + eor r20,r0 + ldd r0,Z+7 + eor r21,r0 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Z+28,r18 + std Z+29,r19 + std Z+30,r20 + std Z+31,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + std Z+36,r18 + std Z+37,r19 + std Z+38,r20 + std Z+39,r21 + eor r8,r14 + eor r9,r15 + eor r10,r12 + eor r11,r13 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + eor r18,r16 + eor r19,r17 + eor r20,r24 + eor r21,r25 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r28,Z+16 + ldd r29,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + std Z+40,r28 + std Z+41,r29 + std Z+42,r2 + std Z+43,r3 + ld r14,Z + ldd r15,Z+1 + ldd r12,Z+2 + ldd r13,Z+3 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + std Z+24,r14 + std Z+25,r15 + std Z+26,r12 + std Z+27,r13 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + std Z+32,r18 + std Z+33,r19 + std Z+34,r20 + std Z+35,r21 + eor r28,r16 + eor r29,r17 + eor r2,r24 + eor r3,r25 + ret +886: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_384, .-sparkle_384 + + .text +.global sparkle_512 + .type sparkle_512, @function +sparkle_512: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + rcall 151f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 151f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 151f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + rcall 151f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 151f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 151f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 151f + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 151f + pop r18 + cpi r18,8 + brne 5105f + rjmp 1189f +5105: + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 151f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 151f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,10 + eor r8,r18 + rcall 151f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,11 + eor r8,r18 + rcall 151f + rjmp 1189f +151: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + 
movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor 
r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + 
ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r22 + std Z+17,r23 + std Z+18,r26 + std Z+19,r27 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + eor r24,r4 + eor r25,r5 + eor r16,r6 + eor r17,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r28,Z+40 + ldd r29,Z+41 + ldd r2,Z+42 + ldd r3,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + 
ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+32,r22 + std Z+33,r23 + std Z+34,r26 + std 
Z+35,r27 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r28 + std Z+41,r29 + std Z+42,r2 + std Z+43,r3 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r22,Z+48 + ldd r23,Z+49 + ldd r26,Z+50 + ldd r27,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r28,Z+56 + ldd r29,Z+57 + ldd r2,Z+58 + ldd r3,Z+59 + ldd r8,Z+60 + ldd r9,Z+61 + ldd r10,Z+62 + ldd r11,Z+63 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + 
adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + ldd r18,Z+44 + ldd r19,Z+45 + ldd r20,Z+46 + ldd r21,Z+47 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Z+60,r8 + std Z+61,r9 + std Z+62,r10 + std Z+63,r11 + ldd r8,Z+4 + ldd r9,Z+5 + ldd r10,Z+6 + ldd r11,Z+7 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+36,r8 + std Z+37,r9 + std Z+38,r10 + std Z+39,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r8,Z+52 + ldd r9,Z+53 + ldd r10,Z+54 + ldd r11,Z+55 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + ldd r0,Z+60 + eor r14,r0 + ldd r0,Z+61 + eor r15,r0 + ldd r0,Z+62 + eor r12,r0 + ldd r0,Z+63 + eor 
r13,r0 + std Z+20,r14 + std Z+21,r15 + std Z+22,r12 + std Z+23,r13 + movw r4,r18 + movw r6,r20 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + std Z+48,r22 + std Z+49,r23 + std Z+50,r26 + std Z+51,r27 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + eor r18,r16 + eor r19,r17 + eor r20,r24 + eor r21,r25 + eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r14,Z+24 + ldd r15,Z+25 + ldd r12,Z+26 + ldd r13,Z+27 + std Z+56,r14 + std Z+57,r15 + std Z+58,r12 + std Z+59,r13 + ld r14,Z + ldd r15,Z+1 + ldd r12,Z+2 + ldd r13,Z+3 + eor r22,r14 + eor r23,r15 + eor r26,r12 + eor r27,r13 + std Z+24,r22 + std Z+25,r23 + std Z+26,r26 + std Z+27,r27 + std Z+32,r14 + std Z+33,r15 + std Z+34,r12 + std Z+35,r13 + ldd r14,Z+8 + ldd r15,Z+9 + ldd r12,Z+10 + ldd r13,Z+11 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + movw r22,r18 + movw r26,r20 + std Z+40,r14 + std Z+41,r15 + std Z+42,r12 + std Z+43,r13 + ldd r28,Z+48 + ldd r29,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r14,Z+16 + ldd r15,Z+17 + ldd r12,Z+18 + ldd r13,Z+19 + eor r28,r14 + eor r29,r15 + eor r2,r12 + eor r3,r13 + std Z+48,r14 + std Z+49,r15 + std Z+50,r12 + std Z+51,r13 + ldd r0,Z+56 + eor r16,r0 + ldd r0,Z+57 + eor r17,r0 + ldd r0,Z+58 + eor r24,r0 + ldd r0,Z+59 + eor r25,r0 + std Z+16,r16 + std Z+17,r17 + std Z+18,r24 + std Z+19,r25 + ret +1189: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_512, .-sparkle_512 + +#endif 
diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.c index 822af50..4a4c0fb 100644 --- a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.c +++ b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-sparkle.c @@ -22,6 +22,8 @@ #include "internal-sparkle.h" +#if !defined(__AVR__) + /* The 8 basic round constants from the specification */ #define RC_0 0xB7E15162 #define RC_1 0xBF715880 @@ -66,7 +68,7 @@ void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps) { uint32_t x0, x1, x2, x3; uint32_t y0, y1, y2, y3; - uint32_t tx, ty, tz, tw; + uint32_t tx, ty; unsigned step; /* Load the SPARKLE-256 state up into local variables */ @@ -105,18 +107,20 @@ void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps) /* Linear layer */ tx = x0 ^ x1; ty = y0 ^ y1; - tw = x0; - tz = y0; tx = leftRotate16(tx ^ (tx << 16)); ty = leftRotate16(ty ^ (ty << 16)); - x0 = x3 ^ x1 ^ ty; - x3 = x1; - y0 = y3 ^ y1 ^ tx; + y2 ^= tx; + tx ^= y3; y3 = y1; - x1 = x2 ^ tw ^ ty; - x2 = tw; - y1 = y2 ^ tz ^ tx; - y2 = tz; + y1 = y2 ^ y0; + y2 = y0; + y0 = tx ^ y3; + x2 ^= ty; + ty ^= x3; + x3 = x1; + x1 = x2 ^ x0; + x2 = x0; + x0 = ty ^ x3; } /* Write the local variables back to the SPARKLE-256 state */ @@ -145,7 +149,7 @@ void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps) { uint32_t x0, x1, x2, x3, x4, x5; uint32_t y0, y1, y2, y3, y4, y5; - uint32_t tx, ty, tz, tw; + uint32_t tx, ty; unsigned step; /* Load the SPARKLE-384 state up into local variables */ 
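Review bot: Excluding the whole of internal-sparkle.c under `#if !defined(__AVR__)` silently changes the contract of `sparkle_512(s, steps)` on AVR: the assembly that takes over (the hunk above, `pop r18` / `cpi r18,8` / `brne 5105f` after the first eight `rcall 151f`) runs 8 steps when `steps == 8` and 12 steps for every other value, whereas the C version, judging by its `unsigned steps` parameter and `step` loop variable, presumably iterates exactly `steps` times. The Schwaemm callers most likely only ever pass the two supported counts, but a test or debug build passing any other value would diverge between targets without an error. I would record the restriction at the guard, `#if !defined(__AVR__) /* AVR uses the assembly version, which only implements the step counts Schwaemm needs (8 or 12 for sparkle_512) */`, and ideally repeat it in the header's doc comments for the three permutations.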
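Review bot: The rewritten linear layer of sparkle_256 is correct as far as I can trace it — after the block, y0 = y3^y1^tx, y1 = y2^y0^tx, y2 = y0, y3 = y1 with pre-block values on the right, matching the removed lines, and the x words likewise with ty — but that equivalence now lives only in statement order, and the reuse of `tx` as scratch (`tx ^= y3;` followed by `y0 = tx ^ y3;` after `y3` has been overwritten by `y1`) is easy to break in a later edit. I would state the mapping above `y2 ^= tx;`: `/* In-place linear layer: (y0,y1,y2,y3) <- (y3^y1^tx, y2^y0^tx, y0, y1), (x0,x1,x2,x3) <- (x3^x1^ty, x2^x0^ty, x0, x1); tx and ty are consumed as scratch */`. The step loop that contains this block starts outside the hunk.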
@@ -194,22 +198,26 @@ void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps) /* Linear layer */ tx = x0 ^ x1 ^ x2; ty = y0 ^ y1 ^ y2; - tw = x0; - tz = y0; tx = leftRotate16(tx ^ (tx << 16)); ty = leftRotate16(ty ^ (ty << 16)); - x0 = x4 ^ x1 ^ ty; - x4 = x1; - y0 = y4 ^ y1 ^ tx; + y3 ^= tx; + y4 ^= tx; + tx ^= y5; + y5 = y2; + y2 = y3 ^ y0; + y3 = y0; + y0 = y4 ^ y1; y4 = y1; - x1 = x5 ^ x2 ^ ty; + y1 = tx ^ y5; + x3 ^= ty; + x4 ^= ty; + ty ^= x5; x5 = x2; - y1 = y5 ^ y2 ^ tx; - y5 = y2; - x2 = x3 ^ tw ^ ty; - x3 = tw; - y2 = y3 ^ tz ^ tx; - y3 = tz; + x2 = x3 ^ x0; + x3 = x0; + x0 = x4 ^ x1; + x4 = x1; + x1 = ty ^ x5; } /* Write the local variables back to the SPARKLE-384 state */ @@ -246,7 +254,7 @@ void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) { uint32_t x0, x1, x2, x3, x4, x5, x6, x7; uint32_t y0, y1, y2, y3, y4, y5, y6, y7; - uint32_t tx, ty, tz, tw; + uint32_t tx, ty; unsigned step; /* Load the SPARKLE-512 state up into local variables */ @@ -305,26 +313,32 @@ void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) /* Linear layer */ tx = x0 ^ x1 ^ x2 ^ x3; ty = y0 ^ y1 ^ y2 ^ y3; - tw = x0; - tz = y0; tx = leftRotate16(tx ^ (tx << 16)); ty = leftRotate16(ty ^ (ty << 16)); - x0 = x5 ^ x1 ^ ty; - x5 = x1; - y0 = y5 ^ y1 ^ tx; + y4 ^= tx; + y5 ^= tx; + y6 ^= tx; + tx ^= y7; + y7 = y3; + y3 = y4 ^ y0; + y4 = y0; + y0 = y5 ^ y1; y5 = y1; - x1 = x6 ^ x2 ^ ty; - x6 = x2; - y1 = y6 ^ y2 ^ tx; + y1 = y6 ^ y2; y6 = y2; - x2 = x7 ^ x3 ^ ty; + y2 = tx ^ y7; + x4 ^= ty; + x5 ^= ty; + x6 ^= ty; + ty ^= x7; x7 = x3; - y2 = y7 ^ y3 ^ tx; - y7 = y3; - x3 = x4 ^ tw ^ ty; - x4 = tw; - y3 = y4 ^ tz ^ tx; - y4 = tz; + x3 = x4 ^ x0; + x4 = x0; + x0 = x5 ^ x1; + x5 = x1; + x1 = x6 ^ x2; + x6 = x2; + x2 = ty ^ x7; } /* Write the local variables back to the SPARKLE-512 state */ @@ -364,3 +378,5 @@ void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) le_store_word32((uint8_t *)&(s[15]), y7); #endif } + +#endif 
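Review bot: As with sparkle_256, the in-place linear layer of sparkle_512 (and of sparkle_384 in the hunk above) checks out against the removed lines — (y0..y7) <- (y5^y1^tx, y6^y2^tx, y7^y3^tx, y4^y0^tx, y0, y1, y2, y3), and the same for x with ty — but nothing in the code says so, and the `tx ^= y7;` / `y2 = tx ^ y7;` pairing only works because `y7 = y3;` sits between them. A one-line comment giving that mapping above `y4 ^= tx;` (and the corresponding one above `y3 ^= tx;` in sparkle_384) would make the next edit safer. The enclosing step loop starts outside the hunk.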
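Review bot: The closing `#endif` at the end of the file is several hundred lines from the `#if !defined(__AVR__)` it matches and sits two lines below the unrelated `#endif` that closes the endianness block inside sparkle_512, so it should name its condition: `#endif /* !__AVR__ */`. Without the label a reader at the bottom of the file cannot tell which conditional is being closed.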
diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-util.h b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-util.h +++ b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
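Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is fixed to 1 or 0 purely from `__AVR__`, so a non-AVR target without a barrel shifter cannot opt in, and — more important for review — the composed rotation macros can never be compiled or unit-tested on a host build. Wrapping the selection in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` keeps the same default and lets a build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` to exercise that path against the generic rotations. Timing should be unaffected either way, since each component rotation has a constant count and never depends on the data.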
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.c b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.c index b357de6..e2aa25a 100644 
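Review bot: The header comment `/* Composed rotation macros where 1 and 8 are fast, but others are slow */` at the top of this hunk understates what the macros rely on: the compositions below use base rotations of 8, 16 and 24 (for example `leftRotate12` is built on `leftRotate((a), 16)` and `leftRotate21` on `leftRotate((a), 24)`), and every form is at most four single-bit steps away from one of those. Suggest `/* Composed rotation macros for targets where 1-bit rotations and rotations by a multiple of 8 (8, 16, 24) are cheap; every count below is a multiple-of-8 rotation plus at most four 1-bit rotations, and the rightRotateN macros are aliases of leftRotate(32-N) */`, which also records the invariant a future edit must preserve. The `#if !LW_CRYPTO_ROTATE32_COMPOSED` that this `#else` pairs with is opened in the previous hunk.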
--- a/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.c
+++ b/sparkle/Implementations/crypto_aead/schwaemm256256v1/rhys/sparkle.c
@@ -123,24 +123,21 @@ aead_hash_algorithm_t const esch_384_hash_algorithm = {
 * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128.
 *
 * \param s SPARKLE-384 state.
- * \param domain Domain separator for this phase.
 */
-#define schwaemm_256_128_rho(s, domain) \
+#define schwaemm_256_128_rho(s) \
 do { \
- uint32_t t0 = s[0]; \
- uint32_t t1 = s[1]; \
- uint32_t t2 = s[2]; \
- uint32_t t3 = s[3]; \
- if ((domain) != 0) \
- s[11] ^= DOMAIN(domain); \
+ uint32_t t = s[0]; \
 s[0] = s[4] ^ s[8]; \
+ s[4] ^= t ^ s[8]; \
+ t = s[1]; \
 s[1] = s[5] ^ s[9]; \
+ s[5] ^= t ^ s[9]; \
+ t = s[2]; \
 s[2] = s[6] ^ s[10]; \
+ s[6] ^= t ^ s[10]; \
+ t = s[3]; \
 s[3] = s[7] ^ s[11]; \
- s[4] ^= t0 ^ s[8]; \
- s[5] ^= t1 ^ s[9]; \
- s[6] ^= t2 ^ s[10]; \
- s[7] ^= t3 ^ s[11]; \
+ s[7] ^= t ^ s[11]; \
 } while (0)
 
 /**
@@ -155,18 +152,20 @@ static void schwaemm_256_128_authenticate
 const unsigned char *ad, unsigned long long adlen)
 {
 while (adlen > SCHWAEMM_256_128_RATE) {
- schwaemm_256_128_rho(s, 0x00);
+ schwaemm_256_128_rho(s);
 lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE);
 sparkle_384(s, 7);
 ad += SCHWAEMM_256_128_RATE;
 adlen -= SCHWAEMM_256_128_RATE;
 }
 if (adlen == SCHWAEMM_256_128_RATE) {
- schwaemm_256_128_rho(s, 0x05);
+ s[11] ^= DOMAIN(0x05);
+ schwaemm_256_128_rho(s);
 lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE);
 } else {
 unsigned temp = (unsigned)adlen;
- schwaemm_256_128_rho(s, 0x04);
+ s[11] ^= DOMAIN(0x04);
+ schwaemm_256_128_rho(s);
 lw_xor_block((unsigned char *)s, ad, temp);
 ((unsigned char *)s)[temp] ^= 0x80;
 }
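Review bot: Now that `schwaemm_256_128_rho` no longer takes `domain`, nothing in the macro enforces that the separator has been applied, yet its doc comment only loses the `\param domain` line and does not say whose job it became; add ` * The caller must XOR the phase's domain separation constant into s[11] (the last state word) before invoking this macro, as the DOMAIN(0x04)/DOMAIN(0x05) lines in schwaemm_256_128_authenticate do.` The same note applies to the `schwaemm_192_192_rho`, `schwaemm_128_128_rho` (s[7]) and `schwaemm_256_256_rho` (s[15]) hunks later in this file. Every terminal call site visible in this diff does carry the preceding `s[..] ^= DOMAIN(..)` line, and doing the XOR before the macro reads `s[11]` in `s[3] = s[7] ^ s[11]` matches the removed in-macro ordering, so this is documentation only. The signature of schwaemm_256_128_authenticate in the second hunk starts outside the hunk.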
@@ -202,7 +201,7 @@ int schwaemm_256_128_aead_encrypt while (mlen > SCHWAEMM_256_128_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s, 0x00); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); sparkle_384(s, 7); memcpy(c, block, SCHWAEMM_256_128_RATE); @@ -213,13 +212,15 @@ int schwaemm_256_128_aead_encrypt if (mlen == SCHWAEMM_256_128_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s, 0x07); + s[11] ^= DOMAIN(0x07); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); memcpy(c, block, SCHWAEMM_256_128_RATE); } else { unsigned temp = (unsigned)mlen; lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - schwaemm_256_128_rho(s, 0x06); + s[11] ^= DOMAIN(0x06); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; memcpy(c, block, temp); @@ -266,7 +267,7 @@ int schwaemm_256_128_aead_decrypt while (clen > SCHWAEMM_256_128_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s, 0x00); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); sparkle_384(s, 7); c += SCHWAEMM_256_128_RATE; @@ -276,12 +277,14 @@ int schwaemm_256_128_aead_decrypt if (clen == SCHWAEMM_256_128_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); - schwaemm_256_128_rho(s, 0x07); + s[11] ^= DOMAIN(0x07); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); } else { unsigned temp = (unsigned)clen; lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - schwaemm_256_128_rho(s, 0x06); + s[11] ^= DOMAIN(0x06); + schwaemm_256_128_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; } 
@@ -315,21 +318,18 @@ int schwaemm_256_128_aead_decrypt * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192. * * \param s SPARKLE-384 state. - * \param domain Domain separator for this phase. */ -#define schwaemm_192_192_rho(s, domain) \ +#define schwaemm_192_192_rho(s) \ do { \ - uint32_t t0 = s[0]; \ - uint32_t t1 = s[1]; \ - uint32_t t2 = s[2]; \ - if ((domain) != 0) \ - s[11] ^= DOMAIN(domain); \ + uint32_t t = s[0]; \ s[0] = s[3] ^ s[6]; \ + s[3] ^= t ^ s[9]; \ + t = s[1]; \ s[1] = s[4] ^ s[7]; \ + s[4] ^= t ^ s[10]; \ + t = s[2]; \ s[2] = s[5] ^ s[8]; \ - s[3] ^= t0 ^ s[9]; \ - s[4] ^= t1 ^ s[10]; \ - s[5] ^= t2 ^ s[11]; \ + s[5] ^= t ^ s[11]; \ } while (0) /** @@ -344,18 +344,20 @@ static void schwaemm_192_192_authenticate const unsigned char *ad, unsigned long long adlen) { while (adlen > SCHWAEMM_192_192_RATE) { - schwaemm_192_192_rho(s, 0x00); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); sparkle_384(s, 7); ad += SCHWAEMM_192_192_RATE; adlen -= SCHWAEMM_192_192_RATE; } if (adlen == SCHWAEMM_192_192_RATE) { - schwaemm_192_192_rho(s, 0x09); + s[11] ^= DOMAIN(0x09); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); } else { unsigned temp = (unsigned)adlen; - schwaemm_192_192_rho(s, 0x08); + s[11] ^= DOMAIN(0x08); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, ad, temp); ((unsigned char *)s)[temp] ^= 0x80; } @@ -391,7 +393,7 @@ int schwaemm_192_192_aead_encrypt while (mlen > SCHWAEMM_192_192_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s, 0x00); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); sparkle_384(s, 7); memcpy(c, block, SCHWAEMM_192_192_RATE); 
@@ -402,13 +404,15 @@ int schwaemm_192_192_aead_encrypt if (mlen == SCHWAEMM_192_192_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s, 0x0B); + s[11] ^= DOMAIN(0x0B); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); memcpy(c, block, SCHWAEMM_192_192_RATE); } else { unsigned temp = (unsigned)mlen; lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - schwaemm_192_192_rho(s, 0x0A); + s[11] ^= DOMAIN(0x0A); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; memcpy(c, block, temp); @@ -455,7 +459,7 @@ int schwaemm_192_192_aead_decrypt while (clen > SCHWAEMM_192_192_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s, 0x00); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); sparkle_384(s, 7); c += SCHWAEMM_192_192_RATE; @@ -465,12 +469,14 @@ int schwaemm_192_192_aead_decrypt if (clen == SCHWAEMM_192_192_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); - schwaemm_192_192_rho(s, 0x0B); + s[11] ^= DOMAIN(0x0B); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); } else { unsigned temp = (unsigned)clen; lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - schwaemm_192_192_rho(s, 0x0A); + s[11] ^= DOMAIN(0x0A); + schwaemm_192_192_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; } 
@@ -504,18 +510,15 @@ int schwaemm_192_192_aead_decrypt * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128. * * \param s SPARKLE-256 state. - * \param domain Domain separator for this phase. */ -#define schwaemm_128_128_rho(s, domain) \ +#define schwaemm_128_128_rho(s) \ do { \ - uint32_t t0 = s[0]; \ - uint32_t t1 = s[1]; \ - if ((domain) != 0) \ - s[7] ^= DOMAIN(domain); \ + uint32_t t = s[0]; \ s[0] = s[2] ^ s[4]; \ + s[2] ^= t ^ s[6]; \ + t = s[1]; \ s[1] = s[3] ^ s[5]; \ - s[2] ^= t0 ^ s[6]; \ - s[3] ^= t1 ^ s[7]; \ + s[3] ^= t ^ s[7]; \ } while (0) /** @@ -530,18 +533,20 @@ static void schwaemm_128_128_authenticate const unsigned char *ad, unsigned long long adlen) { while (adlen > SCHWAEMM_128_128_RATE) { - schwaemm_128_128_rho(s, 0x00); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); sparkle_256(s, 7); ad += SCHWAEMM_128_128_RATE; adlen -= SCHWAEMM_128_128_RATE; } if (adlen == SCHWAEMM_128_128_RATE) { - schwaemm_128_128_rho(s, 0x05); + s[7] ^= DOMAIN(0x05); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE); } else { unsigned temp = (unsigned)adlen; - schwaemm_128_128_rho(s, 0x04); + s[7] ^= DOMAIN(0x04); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, ad, temp); ((unsigned char *)s)[temp] ^= 0x80; } @@ -577,7 +582,7 @@ int schwaemm_128_128_aead_encrypt while (mlen > SCHWAEMM_128_128_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s, 0x00); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); sparkle_256(s, 7); memcpy(c, block, SCHWAEMM_128_128_RATE); 
@@ -588,13 +593,15 @@ int schwaemm_128_128_aead_encrypt if (mlen == SCHWAEMM_128_128_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s, 0x07); + s[7] ^= DOMAIN(0x07); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); memcpy(c, block, SCHWAEMM_128_128_RATE); } else { unsigned temp = (unsigned)mlen; lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - schwaemm_128_128_rho(s, 0x06); + s[7] ^= DOMAIN(0x06); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; memcpy(c, block, temp); @@ -641,7 +648,7 @@ int schwaemm_128_128_aead_decrypt while (clen > SCHWAEMM_128_128_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s, 0x00); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); sparkle_256(s, 7); c += SCHWAEMM_128_128_RATE; @@ -651,12 +658,14 @@ int schwaemm_128_128_aead_decrypt if (clen == SCHWAEMM_128_128_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); - schwaemm_128_128_rho(s, 0x07); + s[7] ^= DOMAIN(0x07); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); } else { unsigned temp = (unsigned)clen; lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - schwaemm_128_128_rho(s, 0x06); + s[7] ^= DOMAIN(0x06); + schwaemm_128_128_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; } 
@@ -690,24 +699,21 @@ int schwaemm_128_128_aead_decrypt * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256. * * \param s SPARKLE-512 state. - * \param domain Domain separator for this phase. */ -#define schwaemm_256_256_rho(s, domain) \ +#define schwaemm_256_256_rho(s) \ do { \ - uint32_t t0 = s[0]; \ - uint32_t t1 = s[1]; \ - uint32_t t2 = s[2]; \ - uint32_t t3 = s[3]; \ - if ((domain) != 0) \ - s[15] ^= DOMAIN(domain); \ + uint32_t t = s[0]; \ s[0] = s[4] ^ s[8]; \ + s[4] ^= t ^ s[12]; \ + t = s[1]; \ s[1] = s[5] ^ s[9]; \ + s[5] ^= t ^ s[13]; \ + t = s[2]; \ s[2] = s[6] ^ s[10]; \ + s[6] ^= t ^ s[14]; \ + t = s[3]; \ s[3] = s[7] ^ s[11]; \ - s[4] ^= t0 ^ s[12]; \ - s[5] ^= t1 ^ s[13]; \ - s[6] ^= t2 ^ s[14]; \ - s[7] ^= t3 ^ s[15]; \ + s[7] ^= t ^ s[15]; \ } while (0) /** @@ -722,18 +728,20 @@ static void schwaemm_256_256_authenticate const unsigned char *ad, unsigned long long adlen) { while (adlen > SCHWAEMM_256_256_RATE) { - schwaemm_256_256_rho(s, 0x00); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); sparkle_512(s, 8); ad += SCHWAEMM_256_256_RATE; adlen -= SCHWAEMM_256_256_RATE; } if (adlen == SCHWAEMM_256_256_RATE) { - schwaemm_256_256_rho(s, 0x11); + s[15] ^= DOMAIN(0x11); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); } else { unsigned temp = (unsigned)adlen; - schwaemm_256_256_rho(s, 0x10); + s[15] ^= DOMAIN(0x10); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, ad, temp); ((unsigned char *)s)[temp] ^= 0x80; } @@ -769,7 +777,7 @@ int schwaemm_256_256_aead_encrypt while (mlen > SCHWAEMM_256_256_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s, 0x00); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); sparkle_512(s, 8); memcpy(c, block, SCHWAEMM_256_256_RATE); 
@@ -780,13 +788,15 @@ int schwaemm_256_256_aead_encrypt if (mlen == SCHWAEMM_256_256_RATE) { lw_xor_block_2_src (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s, 0x13); + s[15] ^= DOMAIN(0x13); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); memcpy(c, block, SCHWAEMM_256_256_RATE); } else { unsigned temp = (unsigned)mlen; lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - schwaemm_256_256_rho(s, 0x12); + s[15] ^= DOMAIN(0x12); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; memcpy(c, block, temp); @@ -833,7 +843,7 @@ int schwaemm_256_256_aead_decrypt while (clen > SCHWAEMM_256_256_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s, 0x00); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); sparkle_512(s, 8); c += SCHWAEMM_256_256_RATE; @@ -843,12 +853,14 @@ int schwaemm_256_256_aead_decrypt if (clen == SCHWAEMM_256_256_RATE) { lw_xor_block_2_src (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s, 0x13); + s[15] ^= DOMAIN(0x13); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); } else { unsigned temp = (unsigned)clen; lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - schwaemm_256_256_rho(s, 0x12); + s[15] ^= DOMAIN(0x12); + schwaemm_256_256_rho(s); lw_xor_block((unsigned char *)s, m, temp); ((unsigned char *)s)[temp] ^= 0x80; } diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/aead-common.c b/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/aead-common.h b/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/api.h b/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/api.h deleted file mode 100644 index ae8c7f6..0000000 --- a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/api.h +++ /dev/null @@ -1 +0,0 @@ -#define CRYPTO_BYTES 32 diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/internal-sparkle-avr.S b/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/internal-sparkle-avr.S deleted file mode 100644 index 753ea2f..0000000 --- a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/internal-sparkle-avr.S +++ /dev/null 
@@ -1,2887 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global sparkle_256 - .type sparkle_256, @function -sparkle_256: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - rcall 129f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 129f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 129f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - rcall 129f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 129f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 129f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 129f - pop r18 - cpi r18,7 - brne 5094f - rjmp 615f -5094: - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 129f - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 129f - ldi r18,128 - ldi r19,88 - ldi r20,113 - 
ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 129f - rjmp 615f -129: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc 
r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - 
eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - std Z+20,r18 - std Z+21,r19 - std Z+22,r20 - std Z+23,r21 - movw r18,r4 - movw r20,r6 - movw r4,r14 - movw r6,r12 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - movw r8,r18 - movw r10,r20 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 
- eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - movw r14,r22 - movw r12,r26 - eor r14,r18 - eor r15,r19 - eor r12,r20 - eor r13,r21 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - movw r22,r16 - movw r26,r24 - eor r22,r28 - eor r23,r29 - eor r26,r2 - eor r27,r3 - movw r28,r14 - movw r2,r12 - ret -615: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_256, .-sparkle_256 - - .text -.global sparkle_384 - .type sparkle_384, @function -sparkle_384: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - rcall 140f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 140f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 140f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - 
rcall 140f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 140f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 140f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 140f - pop r18 - cpi r18,7 - brne 5094f - rjmp 886f -5094: - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 140f - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 140f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 140f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,10 - eor r8,r18 - rcall 140f - rjmp 886f -140: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 
- ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 
- ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - 
rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r22 - std Z+17,r23 - std Z+18,r26 - std Z+19,r27 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - eor r24,r4 - eor r25,r5 - eor r16,r6 - eor r17,r7 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r28,Z+40 - ldd r29,Z+41 - ldd r2,Z+42 - ldd r3,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor 
r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r0,Z+4 - eor r18,r0 - ldd r0,Z+5 - eor r19,r0 - ldd r0,Z+6 - eor r20,r0 - ldd r0,Z+7 - eor r21,r0 - std Z+20,r18 - std Z+21,r19 - std Z+22,r20 - std Z+23,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Z+28,r18 - std Z+29,r19 - std Z+30,r20 - std Z+31,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - std Z+36,r18 - std Z+37,r19 - std Z+38,r20 - std Z+39,r21 - eor r8,r14 - eor r9,r15 - eor r10,r12 - eor r11,r13 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - eor r18,r16 - eor r19,r17 - eor r20,r24 - eor r21,r25 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r28,Z+16 - ldd r29,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - std Z+40,r28 - std Z+41,r29 - std Z+42,r2 - std Z+43,r3 - ld r14,Z - ldd r15,Z+1 - ldd r12,Z+2 - ldd r13,Z+3 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - std Z+24,r14 - std Z+25,r15 - std Z+26,r12 - std Z+27,r13 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - std Z+32,r18 - std Z+33,r19 - std Z+34,r20 - std Z+35,r21 - eor r28,r16 - eor r29,r17 - eor r2,r24 - eor r3,r25 - ret -886: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_384, .-sparkle_384 - - .text -.global sparkle_512 - .type sparkle_512, @function -sparkle_512: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - rcall 151f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 151f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 151f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - rcall 151f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 151f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 151f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 151f - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 151f - pop r18 - cpi r18,8 - brne 5105f - rjmp 1189f -5105: - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 151f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 151f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,10 - eor r8,r18 - rcall 151f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,11 - eor r8,r18 - rcall 151f - rjmp 1189f -151: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - 
movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor 
r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - 
ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r22 - std Z+17,r23 - std Z+18,r26 - std Z+19,r27 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - eor r24,r4 - eor r25,r5 - eor r16,r6 - eor r17,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r28,Z+40 - ldd r29,Z+41 - ldd r2,Z+42 - ldd r3,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - 
ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+32,r22 - std Z+33,r23 - std Z+34,r26 - std 
Z+35,r27 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r28 - std Z+41,r29 - std Z+42,r2 - std Z+43,r3 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r22,Z+48 - ldd r23,Z+49 - ldd r26,Z+50 - ldd r27,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r28,Z+56 - ldd r29,Z+57 - ldd r2,Z+58 - ldd r3,Z+59 - ldd r8,Z+60 - ldd r9,Z+61 - ldd r10,Z+62 - ldd r11,Z+63 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - 
adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - ldd r18,Z+44 - ldd r19,Z+45 - ldd r20,Z+46 - ldd r21,Z+47 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Z+60,r8 - std Z+61,r9 - std Z+62,r10 - std Z+63,r11 - ldd r8,Z+4 - ldd r9,Z+5 - ldd r10,Z+6 - ldd r11,Z+7 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+36,r8 - std Z+37,r9 - std Z+38,r10 - std Z+39,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r8,Z+52 - ldd r9,Z+53 - ldd r10,Z+54 - ldd r11,Z+55 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - ldd r0,Z+60 - eor r14,r0 - ldd r0,Z+61 - eor r15,r0 - ldd r0,Z+62 - eor r12,r0 - ldd r0,Z+63 - eor 
r13,r0 - std Z+20,r14 - std Z+21,r15 - std Z+22,r12 - std Z+23,r13 - movw r4,r18 - movw r6,r20 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - std Z+48,r22 - std Z+49,r23 - std Z+50,r26 - std Z+51,r27 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - eor r18,r16 - eor r19,r17 - eor r20,r24 - eor r21,r25 - eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r14,Z+24 - ldd r15,Z+25 - ldd r12,Z+26 - ldd r13,Z+27 - std Z+56,r14 - std Z+57,r15 - std Z+58,r12 - std Z+59,r13 - ld r14,Z - ldd r15,Z+1 - ldd r12,Z+2 - ldd r13,Z+3 - eor r22,r14 - eor r23,r15 - eor r26,r12 - eor r27,r13 - std Z+24,r22 - std Z+25,r23 - std Z+26,r26 - std Z+27,r27 - std Z+32,r14 - std Z+33,r15 - std Z+34,r12 - std Z+35,r13 - ldd r14,Z+8 - ldd r15,Z+9 - ldd r12,Z+10 - ldd r13,Z+11 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - movw r22,r18 - movw r26,r20 - std Z+40,r14 - std Z+41,r15 - std Z+42,r12 - std Z+43,r13 - ldd r28,Z+48 - ldd r29,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r14,Z+16 - ldd r15,Z+17 - ldd r12,Z+18 - ldd r13,Z+19 - eor r28,r14 - eor r29,r15 - eor r2,r12 - eor r3,r13 - std Z+48,r14 - std Z+49,r15 - std Z+50,r12 - std Z+51,r13 - ldd r0,Z+56 - eor r16,r0 - ldd r0,Z+57 - eor r17,r0 - ldd r0,Z+58 - eor r24,r0 - ldd r0,Z+59 - eor r25,r0 - std Z+16,r16 - std Z+17,r17 - std Z+18,r24 - std Z+19,r25 - ret -1189: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_512, .-sparkle_512 - -#endif 
diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/internal-sparkle.c b/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/internal-sparkle.c
deleted file mode 100644
index 4a4c0fb..0000000
--- a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/internal-sparkle.c
+++ /dev/null
@@ -1,382 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-sparkle.h"
-
-#if !defined(__AVR__)
-
-/* The 8 basic round constants from the specification */
-#define RC_0 0xB7E15162
-#define RC_1 0xBF715880
-#define RC_2 0x38B4DA56
-#define RC_3 0x324E7738
-#define RC_4 0xBB1185EB
-#define RC_5 0x4F7C7B57
-#define RC_6 0xCFBFA1C8
-#define RC_7 0xC2B3293D
-
-/* Round constants for all SPARKLE steps; maximum of 12 for SPARKLE-512 */
-static uint32_t const sparkle_rc[12] = {
- RC_0, RC_1, RC_2, RC_3, RC_4, RC_5, RC_6, RC_7,
- RC_0, RC_1, RC_2, RC_3
-};
-
-/**
- * \brief Alzette block cipher that implements the ARXbox layer of the
- * SPARKLE permutation.
- *
- * \param x Left half of the 64-bit block.
- * \param y Right half of the 64-bit block.
- * \param k 32-bit round key.
- */
-#define alzette(x, y, k) \
- do { \
- (x) += leftRotate1((y)); \
- (y) ^= leftRotate8((x)); \
- (x) ^= (k); \
- (x) += leftRotate15((y)); \
- (y) ^= leftRotate15((x)); \
- (x) ^= (k); \
- (x) += (y); \
- (y) ^= leftRotate1((x)); \
- (x) ^= (k); \
- (x) += leftRotate8((y)); \
- (y) ^= leftRotate16((x)); \
- (x) ^= (k); \
- } while (0)
-
-void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps)
-{
- uint32_t x0, x1, x2, x3;
- uint32_t y0, y1, y2, y3;
- uint32_t tx, ty;
- unsigned step;
-
- /* Load the SPARKLE-256 state up into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- x0 = s[0];
- y0 = s[1];
- x1 = s[2];
- y1 = s[3];
- x2 = s[4];
- y2 = s[5];
- x3 = s[6];
- y3 = s[7];
-#else
- x0 = le_load_word32((const uint8_t *)&(s[0]));
- y0 = le_load_word32((const uint8_t *)&(s[1]));
- x1 = le_load_word32((const uint8_t *)&(s[2]));
- y1 = le_load_word32((const uint8_t *)&(s[3]));
- x2 = le_load_word32((const uint8_t *)&(s[4]));
- y2 = le_load_word32((const uint8_t *)&(s[5]));
- x3 = le_load_word32((const uint8_t *)&(s[6]));
- y3 = le_load_word32((const uint8_t *)&(s[7]));
-#endif
-
- /* Perform all requested steps */
- for (step = 0; step < steps; ++step) {
- /* Add round constants */
- y0 ^= sparkle_rc[step];
- y1 ^= step;
-
- /* ARXbox layer */
- alzette(x0, y0, RC_0);
- alzette(x1, y1, RC_1);
- alzette(x2, y2, RC_2);
- alzette(x3, y3, RC_3);
-
- /* Linear layer */
- tx = x0 ^ x1;
- ty = y0 ^ y1;
- tx = leftRotate16(tx ^ (tx << 16));
- ty = leftRotate16(ty ^ (ty << 16));
- y2 ^= tx;
- tx ^= y3;
- y3 = y1;
- y1 = y2 ^ y0;
- y2 = y0;
- y0 = tx ^ y3;
- x2 ^= ty;
- ty ^= x3;
- x3 = x1;
- x1 = x2 ^ x0;
- x2 = x0;
- x0 = ty ^ x3;
- }
-
- /* Write the local variables back to the SPARKLE-256 state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s[0] = x0;
- s[1] = y0;
- s[2] = x1;
- s[3] = y1;
- s[4] = x2;
- s[5] = y2;
- s[6] = x3;
- s[7] = y3;
-#else
- le_store_word32((uint8_t *)&(s[0]), x0);
- le_store_word32((uint8_t *)&(s[1]), y0);
- le_store_word32((uint8_t *)&(s[2]), x1);
- le_store_word32((uint8_t *)&(s[3]), y1);
- le_store_word32((uint8_t *)&(s[4]), x2);
- le_store_word32((uint8_t *)&(s[5]), y2);
- le_store_word32((uint8_t *)&(s[6]), x3);
- le_store_word32((uint8_t *)&(s[7]), y3);
-#endif
-}
-
-void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps)
-{
- uint32_t x0, x1, x2, x3, x4, x5;
- uint32_t y0, y1, y2, y3, y4, y5;
- uint32_t tx, ty;
- unsigned step;
-
- /* Load the SPARKLE-384 state up into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- x0 = s[0];
- y0 = s[1];
- x1 = s[2];
- y1 = s[3];
- x2 = s[4];
- y2 = s[5];
- x3 = s[6];
- y3 = s[7];
- x4 = s[8];
- y4 = s[9];
- x5 = s[10];
- y5 = s[11];
-#else
- x0 = le_load_word32((const uint8_t *)&(s[0]));
- y0 = le_load_word32((const uint8_t *)&(s[1]));
- x1 = le_load_word32((const uint8_t *)&(s[2]));
- y1 = le_load_word32((const uint8_t *)&(s[3]));
- x2 = le_load_word32((const uint8_t *)&(s[4]));
- y2 = le_load_word32((const uint8_t *)&(s[5]));
- x3 = le_load_word32((const uint8_t *)&(s[6]));
- y3 = le_load_word32((const uint8_t *)&(s[7]));
- x4 = le_load_word32((const uint8_t *)&(s[8]));
- y4 = le_load_word32((const uint8_t *)&(s[9]));
- x5 = le_load_word32((const uint8_t *)&(s[10]));
- y5 = le_load_word32((const uint8_t *)&(s[11]));
-#endif
-
- /* Perform all requested steps */
- for (step = 0; step < steps; ++step) {
- /* Add round constants */
- y0 ^= sparkle_rc[step];
- y1 ^= step;
-
- /* ARXbox layer */
- alzette(x0, y0, RC_0);
- alzette(x1, y1, RC_1);
- alzette(x2, y2, RC_2);
- alzette(x3, y3, RC_3);
- alzette(x4, y4, RC_4);
- alzette(x5, y5, RC_5);
-
- /* Linear layer */
- tx = x0 ^ x1 ^ x2;
- ty = y0 ^ y1 ^ y2;
- tx = leftRotate16(tx ^ (tx << 16));
- ty = leftRotate16(ty ^ (ty << 16));
- y3 ^= tx;
- y4 ^= tx;
- tx ^= y5;
- y5 = y2;
- y2 = y3 ^ y0;
- y3 = y0;
- y0 = y4 ^ y1;
- y4 = y1;
- y1 = tx ^ y5;
- x3 ^= ty;
- x4 ^= ty;
- ty ^= x5;
- x5 = x2;
- x2 = x3 ^ x0;
- x3 = x0;
- x0 = x4 ^ x1;
- x4 = x1;
- x1 = ty ^ x5;
- }
-
- /* Write the local variables back to the SPARKLE-384 state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s[0] = x0;
- s[1] = y0;
- s[2] = x1;
- s[3] = y1;
- s[4] = x2;
- s[5] = y2;
- s[6] = x3;
- s[7] = y3;
- s[8] = x4;
- s[9] = y4;
- s[10] = x5;
- s[11] = y5;
-#else
- le_store_word32((uint8_t *)&(s[0]), x0);
- le_store_word32((uint8_t *)&(s[1]), y0);
- le_store_word32((uint8_t *)&(s[2]), x1);
- le_store_word32((uint8_t *)&(s[3]), y1);
- le_store_word32((uint8_t *)&(s[4]), x2);
- le_store_word32((uint8_t *)&(s[5]), y2);
- le_store_word32((uint8_t *)&(s[6]), x3);
- le_store_word32((uint8_t *)&(s[7]), y3);
- le_store_word32((uint8_t *)&(s[8]), x4);
- le_store_word32((uint8_t *)&(s[9]), y4);
- le_store_word32((uint8_t *)&(s[10]), x5);
- le_store_word32((uint8_t *)&(s[11]), y5);
-#endif
-}
-
-void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps)
-{
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t y0, y1, y2, y3, y4, y5, y6, y7;
- uint32_t tx, ty;
- unsigned step;
-
- /* Load the SPARKLE-512 state up into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- x0 = s[0];
- y0 = s[1];
- x1 = s[2];
- y1 = s[3];
- x2 = s[4];
- y2 = s[5];
- x3 = s[6];
- y3 = s[7];
- x4 = s[8];
- y4 = s[9];
- x5 = s[10];
- y5 = s[11];
- x6 = s[12];
- y6 = s[13];
- x7 = s[14];
- y7 = s[15];
-#else
- x0 = le_load_word32((const uint8_t *)&(s[0]));
- y0 = le_load_word32((const uint8_t *)&(s[1]));
- x1 = le_load_word32((const uint8_t *)&(s[2]));
- y1 = le_load_word32((const uint8_t *)&(s[3]));
- x2 = le_load_word32((const uint8_t *)&(s[4]));
- y2 = le_load_word32((const uint8_t *)&(s[5]));
- x3 = le_load_word32((const uint8_t *)&(s[6]));
- y3 = le_load_word32((const uint8_t *)&(s[7]));
- x4 = le_load_word32((const uint8_t *)&(s[8]));
- y4 = le_load_word32((const uint8_t *)&(s[9]));
- x5 = le_load_word32((const uint8_t *)&(s[10]));
- y5 = le_load_word32((const uint8_t *)&(s[11]));
- x6 = le_load_word32((const uint8_t *)&(s[12]));
- y6 = le_load_word32((const uint8_t *)&(s[13]));
- x7 = le_load_word32((const uint8_t *)&(s[14]));
- y7 = le_load_word32((const uint8_t *)&(s[15]));
-#endif
-
- /* Perform all requested steps */
- for (step = 0; step < steps; ++step) {
- /* Add round constants */
- y0 ^= sparkle_rc[step];
- y1 ^= step;
-
- /* ARXbox layer */
- alzette(x0, y0, RC_0);
- alzette(x1, y1, RC_1);
- alzette(x2, y2, RC_2);
- alzette(x3, y3, RC_3);
- alzette(x4, y4, RC_4);
- alzette(x5, y5, RC_5);
- alzette(x6, y6, RC_6);
- alzette(x7, y7, RC_7);
-
- /* Linear layer */
- tx = x0 ^ x1 ^ x2 ^ x3;
- ty = y0 ^ y1 ^ y2 ^ y3;
- tx = leftRotate16(tx ^ (tx << 16));
- ty = leftRotate16(ty ^ (ty << 16));
- y4 ^= tx;
- y5 ^= tx;
- y6 ^= tx;
- tx ^= y7;
- y7 = y3;
- y3 = y4 ^ y0;
- y4 = y0;
- y0 = y5 ^ y1;
- y5 = y1;
- y1 = y6 ^ y2;
- y6 = y2;
- y2 = tx ^ y7;
- x4 ^= ty;
- x5 ^= ty;
- x6 ^= ty;
- ty ^= x7;
- x7 = x3;
- x3 = x4 ^ x0;
- x4 = x0;
- x0 = x5 ^ x1;
- x5 = x1;
- x1 = x6 ^ x2;
- x6 = x2;
- x2 = ty ^ x7;
- }
-
- /* Write the local variables back to the SPARKLE-512 state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s[0] = x0;
- s[1] = y0;
- s[2] = x1;
- s[3] = y1;
- s[4] = x2;
- s[5] = y2;
- s[6] = x3;
- s[7] = y3;
- s[8] = x4;
- s[9] = y4;
- s[10] = x5;
- s[11] = y5;
- s[12] = x6;
- s[13] = y6;
- s[14] = x7;
- s[15] = y7;
-#else
- le_store_word32((uint8_t *)&(s[0]), x0);
- le_store_word32((uint8_t *)&(s[1]), y0);
- le_store_word32((uint8_t *)&(s[2]), x1);
- le_store_word32((uint8_t *)&(s[3]), y1);
- le_store_word32((uint8_t *)&(s[4]), x2);
- le_store_word32((uint8_t *)&(s[5]), y2);
- le_store_word32((uint8_t *)&(s[6]), x3);
- le_store_word32((uint8_t *)&(s[7]), y3);
- le_store_word32((uint8_t *)&(s[8]), x4);
- le_store_word32((uint8_t *)&(s[9]), y4);
- le_store_word32((uint8_t *)&(s[10]), x5);
- le_store_word32((uint8_t *)&(s[11]), y5);
- le_store_word32((uint8_t *)&(s[12]), x6);
- le_store_word32((uint8_t *)&(s[13]), y6);
- le_store_word32((uint8_t *)&(s[14]), x7);
- le_store_word32((uint8_t *)&(s[15]), y7);
-#endif
-}
-
-#endif
diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/internal-sparkle.h b/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/internal-sparkle.h
deleted file mode 100644
index fbdabc1..0000000
--- a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/internal-sparkle.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SPARKLE_H
-#define LW_INTERNAL_SPARKLE_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-sparkle.h
- * \brief Internal implementation of the SPARKLE permutation.
- *
- * References: https://www.cryptolux.org/index.php/Sparkle
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the state for SPARKLE-256.
- */
-#define SPARKLE_256_STATE_SIZE 8
-
-/**
- * \brief Size of the state for SPARKLE-384.
- */
-#define SPARKLE_384_STATE_SIZE 12
-
-/**
- * \brief Size of the state for SPARKLE-512.
- */
-#define SPARKLE_512_STATE_SIZE 16
-
-/**
- * \brief Performs the SPARKLE-256 permutation.
- *
- * \param s The words of the SPARKLE-256 state in little-endian byte order.
- * \param steps The number of steps to perform, 7 or 10.
- */
-void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps);
-
-/**
- * \brief Performs the SPARKLE-384 permutation.
- *
- * \param s The words of the SPARKLE-384 state in little-endian byte order.
- * \param steps The number of steps to perform, 7 or 11.
- */
-void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps);
-
-/**
- * \brief Performs the SPARKLE-512 permutation.
- *
- * \param s The words of the SPARKLE-512 state in little-endian byte order.
- * \param steps The number of steps to perform, 8 or 12.
- */
-void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/internal-util.h b/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/sparkle.c b/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/sparkle.c
deleted file mode 100644
index e2aa25a..0000000
--- a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/sparkle.c
+++ /dev/null
@@ -1,1135 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "sparkle.h"
-#include "internal-sparkle.h"
-#include
-
-aead_cipher_t const schwaemm_256_128_cipher = {
- "Schwaemm256-128",
- SCHWAEMM_256_128_KEY_SIZE,
- SCHWAEMM_256_128_NONCE_SIZE,
- SCHWAEMM_256_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_256_128_aead_encrypt,
- schwaemm_256_128_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_192_192_cipher = {
- "Schwaemm192-192",
- SCHWAEMM_192_192_KEY_SIZE,
- SCHWAEMM_192_192_NONCE_SIZE,
- SCHWAEMM_192_192_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_192_192_aead_encrypt,
- schwaemm_192_192_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_128_128_cipher = {
- "Schwaemm128-128",
- SCHWAEMM_128_128_KEY_SIZE,
- SCHWAEMM_128_128_NONCE_SIZE,
- SCHWAEMM_128_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_128_128_aead_encrypt,
- schwaemm_128_128_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_256_256_cipher = {
- "Schwaemm256-256",
- SCHWAEMM_256_256_KEY_SIZE,
- SCHWAEMM_256_256_NONCE_SIZE,
- SCHWAEMM_256_256_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_256_256_aead_encrypt,
- schwaemm_256_256_aead_decrypt
-};
-
-aead_hash_algorithm_t const esch_256_hash_algorithm = {
- "Esch256",
- sizeof(esch_256_hash_state_t),
- ESCH_256_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- esch_256_hash,
- (aead_hash_init_t)esch_256_hash_init,
- (aead_hash_update_t)esch_256_hash_update,
- (aead_hash_finalize_t)esch_256_hash_finalize,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const esch_384_hash_algorithm = {
- "Esch384",
- sizeof(esch_384_hash_state_t),
- ESCH_384_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- esch_384_hash,
- (aead_hash_init_t)esch_384_hash_init,
- (aead_hash_update_t)esch_384_hash_update,
- (aead_hash_finalize_t)esch_384_hash_finalize,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \def DOMAIN(value)
- * \brief Build a domain separation value as a 32-bit word.
- *
- * \param value The base value.
- * \return The domain separation value as a 32-bit word.
- */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
-#define DOMAIN(value) (((uint32_t)(value)) << 24)
-#else
-#define DOMAIN(value) (value)
-#endif
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_RATE 32
-
-/**
- * \brief Pointer to the left of the state for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_RIGHT(s) \
- (SCHWAEMM_256_128_LEFT(s) + SCHWAEMM_256_128_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128.
- *
- * \param s SPARKLE-384 state.
- */
-#define schwaemm_256_128_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[4] ^ s[8]; \
- s[4] ^= t ^ s[8]; \
- t = s[1]; \
- s[1] = s[5] ^ s[9]; \
- s[5] ^= t ^ s[9]; \
- t = s[2]; \
- s[2] = s[6] ^ s[10]; \
- s[6] ^= t ^ s[10]; \
- t = s[3]; \
- s[3] = s[7] ^ s[11]; \
- s[7] ^= t ^ s[11]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm256-128.
- *
- * \param s SPARKLE-384 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */
-static void schwaemm_256_128_authenticate
- (uint32_t s[SPARKLE_384_STATE_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen > SCHWAEMM_256_128_RATE) {
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE);
- sparkle_384(s, 7);
- ad += SCHWAEMM_256_128_RATE;
- adlen -= SCHWAEMM_256_128_RATE;
- }
- if (adlen == SCHWAEMM_256_128_RATE) {
- s[11] ^= DOMAIN(0x05);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE);
- } else {
- unsigned temp = (unsigned)adlen;
- s[11] ^= DOMAIN(0x04);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_384(s, 11);
-}
-
-int schwaemm_256_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- uint8_t block[SCHWAEMM_256_128_RATE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SCHWAEMM_256_128_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE);
- memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE);
- sparkle_384(s, 11);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_256_128_authenticate(s, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > SCHWAEMM_256_128_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- sparkle_384(s, 7);
- memcpy(c, block, SCHWAEMM_256_128_RATE);
- c += SCHWAEMM_256_128_RATE;
- m += SCHWAEMM_256_128_RATE;
- mlen -= SCHWAEMM_256_128_RATE;
- }
- if (mlen == SCHWAEMM_256_128_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- s[11] ^= DOMAIN(0x07);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- memcpy(c, block, SCHWAEMM_256_128_RATE);
- } else {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- s[11] ^= DOMAIN(0x06);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- memcpy(c, block, temp);
- }
- sparkle_384(s, 11);
- c += mlen;
- }
-
- /* Generate the authentication tag */
- lw_xor_block_2_src
- (c, SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE);
- return 0;
-}
-
-int schwaemm_256_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SCHWAEMM_256_128_TAG_SIZE)
- return -1;
- *mlen = clen - SCHWAEMM_256_128_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE);
- memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE);
- sparkle_384(s, 11);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_256_128_authenticate(s, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SCHWAEMM_256_128_TAG_SIZE;
- if (clen > 0) {
- while (clen > SCHWAEMM_256_128_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- sparkle_384(s, 7);
- c += SCHWAEMM_256_128_RATE;
- m += SCHWAEMM_256_128_RATE;
- clen -= SCHWAEMM_256_128_RATE;
- }
- if (clen == SCHWAEMM_256_128_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE);
- s[11] ^= DOMAIN(0x07);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- } else {
- unsigned temp = (unsigned)clen;
- lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- s[11] ^= DOMAIN(0x06);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_384(s, 11);
- c += clen;
- }
-
- /* Check the authentication tag */
- lw_xor_block(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE);
- return aead_check_tag
- (mtemp, *mlen, SCHWAEMM_256_128_RIGHT(s), c, SCHWAEMM_256_128_TAG_SIZE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_RATE 24
-
-/**
- * \brief Pointer to the left of the state for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_RIGHT(s) \
- (SCHWAEMM_192_192_LEFT(s) + SCHWAEMM_192_192_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192.
- *
- * \param s SPARKLE-384 state.
- */
-#define schwaemm_192_192_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[3] ^ s[6]; \
- s[3] ^= t ^ s[9]; \
- t = s[1]; \
- s[1] = s[4] ^ s[7]; \
- s[4] ^= t ^ s[10]; \
- t = s[2]; \
- s[2] = s[5] ^ s[8]; \
- s[5] ^= t ^ s[11]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm192-192.
- *
- * \param s SPARKLE-384 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */
-static void schwaemm_192_192_authenticate
- (uint32_t s[SPARKLE_384_STATE_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen > SCHWAEMM_192_192_RATE) {
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE);
- sparkle_384(s, 7);
- ad += SCHWAEMM_192_192_RATE;
- adlen -= SCHWAEMM_192_192_RATE;
- }
- if (adlen == SCHWAEMM_192_192_RATE) {
- s[11] ^= DOMAIN(0x09);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE);
- } else {
- unsigned temp = (unsigned)adlen;
- s[11] ^= DOMAIN(0x08);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, ad, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_384(s, 11);
-}
-
-int schwaemm_192_192_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- uint8_t block[SCHWAEMM_192_192_RATE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SCHWAEMM_192_192_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE);
- memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE);
- sparkle_384(s, 11);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_192_192_authenticate(s, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > SCHWAEMM_192_192_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- sparkle_384(s, 7);
- memcpy(c, block, SCHWAEMM_192_192_RATE);
- c += SCHWAEMM_192_192_RATE;
- m += SCHWAEMM_192_192_RATE;
- mlen -= SCHWAEMM_192_192_RATE;
- }
- if (mlen == SCHWAEMM_192_192_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- s[11] ^= DOMAIN(0x0B);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- memcpy(c, block, SCHWAEMM_192_192_RATE);
- } else {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- s[11] ^= DOMAIN(0x0A);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- memcpy(c, block, temp);
- }
- sparkle_384(s, 11);
- c += mlen;
- }
-
- /* Generate the authentication tag */
- lw_xor_block_2_src
- (c, SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE);
- return 0;
-}
-
-int schwaemm_192_192_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SCHWAEMM_192_192_TAG_SIZE)
- return -1;
- *mlen = clen - SCHWAEMM_192_192_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE);
- memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE);
- sparkle_384(s, 11);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_192_192_authenticate(s, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SCHWAEMM_192_192_TAG_SIZE;
- if (clen > 0) {
- while (clen > SCHWAEMM_192_192_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- sparkle_384(s, 7);
- c += SCHWAEMM_192_192_RATE;
- m += SCHWAEMM_192_192_RATE;
- clen -= SCHWAEMM_192_192_RATE;
- }
- if (clen == SCHWAEMM_192_192_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE);
- s[11] ^= DOMAIN(0x0B);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- } else {
- unsigned temp = (unsigned)clen;
- lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- s[11] ^= DOMAIN(0x0A);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_384(s, 11);
- c += clen;
- }
-
- /* Check the authentication tag */
- lw_xor_block(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE);
- return aead_check_tag
- (mtemp, *mlen, SCHWAEMM_192_192_RIGHT(s), c, SCHWAEMM_192_192_TAG_SIZE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_RATE 16
-
-/**
- * \brief Pointer to the left of the state for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_RIGHT(s) \
- (SCHWAEMM_128_128_LEFT(s) + SCHWAEMM_128_128_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128.
- *
- * \param s SPARKLE-256 state.
- */
-#define schwaemm_128_128_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[2] ^ s[4]; \
- s[2] ^= t ^ s[6]; \
- t = s[1]; \
- s[1] = s[3] ^ s[5]; \
- s[3] ^= t ^ s[7]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm128-128.
- *
- * \param s SPARKLE-256 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */
-static void schwaemm_128_128_authenticate
- (uint32_t s[SPARKLE_256_STATE_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen > SCHWAEMM_128_128_RATE) {
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE);
- sparkle_256(s, 7);
- ad += SCHWAEMM_128_128_RATE;
- adlen -= SCHWAEMM_128_128_RATE;
- }
- if (adlen == SCHWAEMM_128_128_RATE) {
- s[7] ^= DOMAIN(0x05);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE);
- } else {
- unsigned temp = (unsigned)adlen;
- s[7] ^= DOMAIN(0x04);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_256(s, 10);
-}
-
-int schwaemm_128_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_256_STATE_SIZE];
- uint8_t block[SCHWAEMM_128_128_RATE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SCHWAEMM_128_128_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE);
- memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE);
- sparkle_256(s, 10);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_128_128_authenticate(s, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > SCHWAEMM_128_128_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- sparkle_256(s, 7);
- memcpy(c, block, SCHWAEMM_128_128_RATE);
- c += SCHWAEMM_128_128_RATE;
- m += SCHWAEMM_128_128_RATE;
- mlen -= SCHWAEMM_128_128_RATE;
- }
- if (mlen == SCHWAEMM_128_128_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- s[7] ^= DOMAIN(0x07);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- memcpy(c, block, SCHWAEMM_128_128_RATE);
- } else {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- s[7] ^= DOMAIN(0x06);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- memcpy(c, block, temp);
- }
- sparkle_256(s, 10);
- c += mlen;
- }
-
- /* Generate the authentication tag */
- lw_xor_block_2_src
- (c, SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE);
- return 0;
-}
-
-int schwaemm_128_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_256_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SCHWAEMM_128_128_TAG_SIZE)
- return -1;
- *mlen = clen - SCHWAEMM_128_128_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE);
- memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE);
- sparkle_256(s, 10);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_128_128_authenticate(s, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SCHWAEMM_128_128_TAG_SIZE;
- if (clen > 0) {
- while (clen > SCHWAEMM_128_128_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- sparkle_256(s, 7);
- c += SCHWAEMM_128_128_RATE;
- m += SCHWAEMM_128_128_RATE;
- clen -= SCHWAEMM_128_128_RATE;
- }
- if (clen == SCHWAEMM_128_128_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE);
- s[7] ^= DOMAIN(0x07);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- } else {
- unsigned temp = (unsigned)clen;
- lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- s[7] ^= DOMAIN(0x06);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_256(s, 10);
- c += clen;
- }
-
- /* Check the authentication tag */
- lw_xor_block(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE);
- return aead_check_tag
- (mtemp, *mlen, SCHWAEMM_128_128_RIGHT(s), c, SCHWAEMM_128_128_TAG_SIZE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_RATE 32
-
-/**
- * \brief Pointer to the left of the state for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_RIGHT(s) \
- (SCHWAEMM_256_256_LEFT(s) + SCHWAEMM_256_256_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256.
- *
- * \param s SPARKLE-512 state.
- */
-#define schwaemm_256_256_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[4] ^ s[8]; \
- s[4] ^= t ^ s[12]; \
- t = s[1]; \
- s[1] = s[5] ^ s[9]; \
- s[5] ^= t ^ s[13]; \
- t = s[2]; \
- s[2] = s[6] ^ s[10]; \
- s[6] ^= t ^ s[14]; \
- t = s[3]; \
- s[3] = s[7] ^ s[11]; \
- s[7] ^= t ^ s[15]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm256-256.
- *
- * \param s SPARKLE-512 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */ -static void schwaemm_256_256_authenticate - (uint32_t s[SPARKLE_512_STATE_SIZE], - const unsigned char *ad, unsigned long long adlen) -{ - while (adlen > SCHWAEMM_256_256_RATE) { - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); - sparkle_512(s, 8); - ad += SCHWAEMM_256_256_RATE; - adlen -= SCHWAEMM_256_256_RATE; - } - if (adlen == SCHWAEMM_256_256_RATE) { - s[15] ^= DOMAIN(0x11); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); - } else { - unsigned temp = (unsigned)adlen; - s[15] ^= DOMAIN(0x10); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, ad, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_512(s, 12); -} - -int schwaemm_256_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_512_STATE_SIZE]; - uint8_t block[SCHWAEMM_256_256_RATE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SCHWAEMM_256_256_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); - memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); - sparkle_512(s, 12); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_256_256_authenticate(s, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen > 0) { - while (mlen > SCHWAEMM_256_256_RATE) { - lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); - sparkle_512(s, 8); - memcpy(c, block, SCHWAEMM_256_256_RATE); - c += SCHWAEMM_256_256_RATE; - m += SCHWAEMM_256_256_RATE; - mlen -= SCHWAEMM_256_256_RATE; - } - if (mlen == SCHWAEMM_256_256_RATE) { - 
lw_xor_block_2_src - (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); - s[15] ^= DOMAIN(0x13); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); - memcpy(c, block, SCHWAEMM_256_256_RATE); - } else { - unsigned temp = (unsigned)mlen; - lw_xor_block_2_src(block, (unsigned char *)s, m, temp); - s[15] ^= DOMAIN(0x12); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - memcpy(c, block, temp); - } - sparkle_512(s, 12); - c += mlen; - } - - /* Generate the authentication tag */ - lw_xor_block_2_src - (c, SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); - return 0; -} - -int schwaemm_256_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t s[SPARKLE_512_STATE_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SCHWAEMM_256_256_TAG_SIZE) - return -1; - *mlen = clen - SCHWAEMM_256_256_TAG_SIZE; - - /* Initialize the state with the nonce and the key */ - memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); - memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); - sparkle_512(s, 12); - - /* Process the associated data */ - if (adlen > 0) - schwaemm_256_256_authenticate(s, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SCHWAEMM_256_256_TAG_SIZE; - if (clen > 0) { - while (clen > SCHWAEMM_256_256_RATE) { - lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); - sparkle_512(s, 8); - c += SCHWAEMM_256_256_RATE; - m += SCHWAEMM_256_256_RATE; - clen -= SCHWAEMM_256_256_RATE; - } - if (clen == SCHWAEMM_256_256_RATE) { - 
lw_xor_block_2_src - (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); - s[15] ^= DOMAIN(0x13); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); - } else { - unsigned temp = (unsigned)clen; - lw_xor_block_2_src(m, (unsigned char *)s, c, temp); - s[15] ^= DOMAIN(0x12); - schwaemm_256_256_rho(s); - lw_xor_block((unsigned char *)s, m, temp); - ((unsigned char *)s)[temp] ^= 0x80; - } - sparkle_512(s, 12); - c += clen; - } - - /* Check the authentication tag */ - lw_xor_block(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); - return aead_check_tag - (mtemp, *mlen, SCHWAEMM_256_256_RIGHT(s), c, SCHWAEMM_256_256_TAG_SIZE); -} - -/** - * \brief Rate at which bytes are processed by Esch256. - */ -#define ESCH_256_RATE 16 - -/** - * \brief Perform the M3 step for Esch256 to mix the input with the state. - * - * \param s SPARKLE-384 state. - * \param block Block of input data that has been padded to the rate. - * \param domain Domain separator for this phase. - */ -#define esch_256_m3(s, block, domain) \ - do { \ - uint32_t tx = (block)[0] ^ (block)[2]; \ - uint32_t ty = (block)[1] ^ (block)[3]; \ - tx = leftRotate16(tx ^ (tx << 16)); \ - ty = leftRotate16(ty ^ (ty << 16)); \ - s[0] ^= (block)[0] ^ ty; \ - s[1] ^= (block)[1] ^ tx; \ - s[2] ^= (block)[2] ^ ty; \ - s[3] ^= (block)[3] ^ tx; \ - if ((domain) != 0) \ - s[5] ^= DOMAIN(domain); \ - s[4] ^= ty; \ - s[5] ^= tx; \ - } while (0) - -/** @cond esch_256 */ - -/** - * \brief Word-based state for the Esch256 incremental hash mode. 
- */ -typedef union -{ - struct { - uint32_t state[SPARKLE_384_STATE_SIZE]; - uint32_t block[4]; - unsigned char count; - } s; - unsigned long long align; - -} esch_256_hash_state_wt; - -/** @endcond */ - -int esch_256_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - uint32_t s[SPARKLE_384_STATE_SIZE]; - uint32_t block[ESCH_256_RATE / 4]; - memset(s, 0, sizeof(s)); - while (inlen > ESCH_256_RATE) { - memcpy(block, in, ESCH_256_RATE); - esch_256_m3(s, block, 0x00); - sparkle_384(s, 7); - in += ESCH_256_RATE; - inlen -= ESCH_256_RATE; - } - if (inlen == ESCH_256_RATE) { - memcpy(block, in, ESCH_256_RATE); - esch_256_m3(s, block, 0x02); - } else { - unsigned temp = (unsigned)inlen; - memcpy(block, in, temp); - ((unsigned char *)block)[temp] = 0x80; - memset(((unsigned char *)block) + temp + 1, 0, - ESCH_256_RATE - temp - 1); - esch_256_m3(s, block, 0x01); - } - sparkle_384(s, 11); - memcpy(out, s, ESCH_256_RATE); - sparkle_384(s, 7); - memcpy(out + ESCH_256_RATE, s, ESCH_256_RATE); - return 0; -} - -void esch_256_hash_init(esch_256_hash_state_t *state) -{ - memset(state, 0, sizeof(esch_256_hash_state_t)); -} - -void esch_256_hash_update - (esch_256_hash_state_t *state, const unsigned char *in, - unsigned long long inlen) -{ - esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; - unsigned temp; - while (inlen > 0) { - if (st->s.count == ESCH_256_RATE) { - esch_256_m3(st->s.state, st->s.block, 0x00); - sparkle_384(st->s.state, 7); - st->s.count = 0; - } - temp = ESCH_256_RATE - st->s.count; - if (temp > inlen) - temp = (unsigned)inlen; - memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); - st->s.count += temp; - in += temp; - inlen -= temp; - } -} - -void esch_256_hash_finalize - (esch_256_hash_state_t *state, unsigned char *out) -{ - esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; - - /* Pad and process the last block */ - if (st->s.count == ESCH_256_RATE) { - esch_256_m3(st->s.state, 
st->s.block, 0x02); - } else { - unsigned temp = st->s.count; - ((unsigned char *)(st->s.block))[temp] = 0x80; - memset(((unsigned char *)(st->s.block)) + temp + 1, 0, - ESCH_256_RATE - temp - 1); - esch_256_m3(st->s.state, st->s.block, 0x01); - } - sparkle_384(st->s.state, 11); - - /* Generate the final hash value */ - memcpy(out, st->s.state, ESCH_256_RATE); - sparkle_384(st->s.state, 7); - memcpy(out + ESCH_256_RATE, st->s.state, ESCH_256_RATE); -} - -/** - * \brief Rate at which bytes are processed by Esch384. - */ -#define ESCH_384_RATE 16 - -/** - * \brief Perform the M4 step for Esch384 to mix the input with the state. - * - * \param s SPARKLE-512 state. - * \param block Block of input data that has been padded to the rate. - * \param domain Domain separator for this phase. - */ -#define esch_384_m4(s, block, domain) \ - do { \ - uint32_t tx = block[0] ^ block[2]; \ - uint32_t ty = block[1] ^ block[3]; \ - tx = leftRotate16(tx ^ (tx << 16)); \ - ty = leftRotate16(ty ^ (ty << 16)); \ - s[0] ^= block[0] ^ ty; \ - s[1] ^= block[1] ^ tx; \ - s[2] ^= block[2] ^ ty; \ - s[3] ^= block[3] ^ tx; \ - if ((domain) != 0) \ - s[7] ^= DOMAIN(domain); \ - s[4] ^= ty; \ - s[5] ^= tx; \ - s[6] ^= ty; \ - s[7] ^= tx; \ - } while (0) - -/** @cond esch_384 */ - -/** - * \brief Word-based state for the Esch384 incremental hash mode. 
- */ -typedef union -{ - struct { - uint32_t state[SPARKLE_512_STATE_SIZE]; - uint32_t block[4]; - unsigned char count; - } s; - unsigned long long align; - -} esch_384_hash_state_wt; - -/** @endcond */ - -int esch_384_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - uint32_t s[SPARKLE_512_STATE_SIZE]; - uint32_t block[ESCH_256_RATE / 4]; - memset(s, 0, sizeof(s)); - while (inlen > ESCH_384_RATE) { - memcpy(block, in, ESCH_384_RATE); - esch_384_m4(s, block, 0x00); - sparkle_512(s, 8); - in += ESCH_384_RATE; - inlen -= ESCH_384_RATE; - } - if (inlen == ESCH_384_RATE) { - memcpy(block, in, ESCH_384_RATE); - esch_384_m4(s, block, 0x02); - } else { - unsigned temp = (unsigned)inlen; - memcpy(block, in, temp); - ((unsigned char *)block)[temp] = 0x80; - memset(((unsigned char *)block) + temp + 1, 0, - ESCH_384_RATE - temp - 1); - esch_384_m4(s, block, 0x01); - } - sparkle_512(s, 12); - memcpy(out, s, ESCH_384_RATE); - sparkle_512(s, 8); - memcpy(out + ESCH_384_RATE, s, ESCH_384_RATE); - sparkle_512(s, 8); - memcpy(out + ESCH_384_RATE * 2, s, ESCH_384_RATE); - return 0; -} - -void esch_384_hash_init(esch_384_hash_state_t *state) -{ - memset(state, 0, sizeof(esch_384_hash_state_t)); -} - -void esch_384_hash_update - (esch_384_hash_state_t *state, const unsigned char *in, - unsigned long long inlen) -{ - esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; - unsigned temp; - while (inlen > 0) { - if (st->s.count == ESCH_384_RATE) { - esch_384_m4(st->s.state, st->s.block, 0x00); - sparkle_512(st->s.state, 8); - st->s.count = 0; - } - temp = ESCH_384_RATE - st->s.count; - if (temp > inlen) - temp = (unsigned)inlen; - memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); - st->s.count += temp; - in += temp; - inlen -= temp; - } -} - -void esch_384_hash_finalize - (esch_384_hash_state_t *state, unsigned char *out) -{ - esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; - - /* Pad and process the last block */ - 
if (st->s.count == ESCH_384_RATE) { - esch_384_m4(st->s.state, st->s.block, 0x02); - } else { - unsigned temp = st->s.count; - ((unsigned char *)(st->s.block))[temp] = 0x80; - memset(((unsigned char *)(st->s.block)) + temp + 1, 0, - ESCH_384_RATE - temp - 1); - esch_384_m4(st->s.state, st->s.block, 0x01); - } - sparkle_512(st->s.state, 12); - - /* Generate the final hash value */ - memcpy(out, st->s.state, ESCH_384_RATE); - sparkle_512(st->s.state, 8); - memcpy(out + ESCH_384_RATE, st->s.state, ESCH_384_RATE); - sparkle_512(st->s.state, 8); - memcpy(out + ESCH_384_RATE * 2, st->s.state, ESCH_384_RATE); -} diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/sparkle.h b/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/sparkle.h deleted file mode 100644 index dd0999e..0000000 --- a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/sparkle.h +++ /dev/null 
@@ -1,515 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SPARKLE_H -#define LWCRYPTO_SPARKLE_H - -#include "aead-common.h" - -/** - * \file sparkle.h - * \brief Encryption and hash algorithms based on the SPARKLE permutation. - * - * SPARKLE is a family of encryption and hash algorithms that are based - * around the SPARKLE permutation. There are three versions of the - * permutation with 256-bit, 384-bit, and 512-bit state sizes. - * The algorithms in the family are: - * - * \li Schwaemm256-128 with a 128-bit key, a 256-bit nonce, and a 128-bit tag. - * This is the primary encryption algorithm in the family. - * \li Schwaemm192-192 with a 192-bit key, a 192-bit nonce, and a 192-bit tag. - * \li Schwaemm128-128 with a 128-bit key, a 128-bit nonce, and a 128-bit tag. - * \li Schwaemm256-256 with a 256-bit key, a 256-bit nonce, and a 256-bit tag. 
- * \li Esch256 hash algorithm with a 256-bit digest output. This is the - * primary hash algorithm in the family. - * \li Esch384 hash algorithm with a 384-bit digest output. - * - * References: https://www.cryptolux.org/index.php/Sparkle - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for Schwaemm256-128. - */ -#define SCHWAEMM_256_128_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Schwaemm256-128. - */ -#define SCHWAEMM_256_128_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Schwaemm256-128. - */ -#define SCHWAEMM_256_128_NONCE_SIZE 32 - -/** - * \brief Size of the key for Schwaemm192-192. - */ -#define SCHWAEMM_192_192_KEY_SIZE 24 - -/** - * \brief Size of the authentication tag for Schwaemm192-192. - */ -#define SCHWAEMM_192_192_TAG_SIZE 24 - -/** - * \brief Size of the nonce for Schwaemm192-192. - */ -#define SCHWAEMM_192_192_NONCE_SIZE 24 - -/** - * \brief Size of the key for Schwaemm128-128. - */ -#define SCHWAEMM_128_128_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Schwaemm128-128. - */ -#define SCHWAEMM_128_128_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Schwaemm128-128. - */ -#define SCHWAEMM_128_128_NONCE_SIZE 16 - -/** - * \brief Size of the key for Schwaemm256-256. - */ -#define SCHWAEMM_256_256_KEY_SIZE 32 - -/** - * \brief Size of the authentication tag for Schwaemm256-256. - */ -#define SCHWAEMM_256_256_TAG_SIZE 32 - -/** - * \brief Size of the nonce for Schwaemm256-256. - */ -#define SCHWAEMM_256_256_NONCE_SIZE 32 - -/** - * \brief Size of the hash output for Esch256. - */ -#define ESCH_256_HASH_SIZE 32 - -/** - * \brief Size of the hash output for Esch384. - */ -#define ESCH_384_HASH_SIZE 48 - -/** - * \brief Meta-information block for the Schwaemm256-128 cipher. - */ -extern aead_cipher_t const schwaemm_256_128_cipher; - -/** - * \brief Meta-information block for the Schwaemm192-192 cipher. 
- */ -extern aead_cipher_t const schwaemm_192_192_cipher; - -/** - * \brief Meta-information block for the Schwaemm128-128 cipher. - */ -extern aead_cipher_t const schwaemm_128_128_cipher; - -/** - * \brief Meta-information block for the Schwaemm256-256 cipher. - */ -extern aead_cipher_t const schwaemm_256_256_cipher; - -/** - * \brief Meta-information block for the Esch256 hash algorithm. - */ -extern aead_hash_algorithm_t const esch_256_hash_algorithm; - -/** - * \brief Meta-information block for the Esch384 hash algorithm. - */ -extern aead_hash_algorithm_t const esch_384_hash_algorithm; - -/** - * \brief State information for the Esch256 incremental hash mode. - */ -typedef union -{ - struct { - unsigned char state[48]; /**< Current hash state */ - unsigned char block[16]; /**< Partial input data block */ - unsigned char count; /**< Number of bytes in the current block */ - } s; /**< State */ - unsigned long long align; /**< For alignment of this structure */ - -} esch_256_hash_state_t; - -/** - * \brief State information for the Esch384 incremental hash mode. - */ -typedef union -{ - struct { - unsigned char state[64]; /**< Current hash state */ - unsigned char block[16]; /**< Partial input data block */ - unsigned char count; /**< Number of bytes in the current block */ - } s; /**< State */ - unsigned long long align; /**< For alignment of this structure */ - -} esch_384_hash_state_t; - -/** - * \brief Encrypts and authenticates a packet with Schwaemm256-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. 
- * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 32 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa schwaemm_256_128_aead_decrypt() - */ -int schwaemm_256_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Schwaemm256-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 32 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa schwaemm_256_128_aead_encrypt() - */ -int schwaemm_256_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Schwaemm192-192. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 24 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 24 bytes in length. - * \param k Points to the 24 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa schwaemm_192_192_aead_decrypt() - */ -int schwaemm_192_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Schwaemm192-192. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. 
- * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 24 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 24 bytes in length. - * \param k Points to the 24 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa schwaemm_192_192_aead_encrypt() - */ -int schwaemm_192_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Schwaemm128-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa schwaemm_128_128_aead_decrypt() - */ -int schwaemm_128_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Schwaemm128-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa schwaemm_128_128_aead_encrypt() - */ -int schwaemm_128_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Schwaemm256-256. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. 
- * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa schwaemm_256_256_aead_decrypt() - */ -int schwaemm_256_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Schwaemm256-256. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa schwaemm_256_256_aead_encrypt() - */ -int schwaemm_256_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data with Esch256 to generate a hash value. - * - * \param out Buffer to receive the hash output which must be at least - * ESCH_256_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int esch_256_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for an Esch256 hashing operation. - * - * \param state Hash state to be initialized. - * - * \sa esch_256_hash_update(), esch_256_hash_finalize(), esch_256_hash() - */ -void esch_256_hash_init(esch_256_hash_state_t *state); - -/** - * \brief Updates an Esch256 state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - * - * \sa esch_256_hash_init(), esch_256_hash_finalize() - */ -void esch_256_hash_update - (esch_256_hash_state_t *state, const unsigned char *in, - unsigned long long inlen); - -/** - * \brief Returns the final hash value from an Esch256 hashing operation. - * - * \param state Hash state to be finalized. - * \param out Points to the output buffer to receive the 32-byte hash value. - * - * \sa esch_256_hash_init(), esch_256_hash_update() - */ -void esch_256_hash_finalize - (esch_256_hash_state_t *state, unsigned char *out); - -/** - * \brief Hashes a block of input data with Esch384 to generate a hash value. 
- * - * \param out Buffer to receive the hash output which must be at least - * ESCH_384_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int esch_384_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for an Esch384 hashing operation. - * - * \param state Hash state to be initialized. - * - * \sa esch_384_hash_update(), esch_384_hash_finalize(), esch_384_hash() - */ -void esch_384_hash_init(esch_384_hash_state_t *state); - -/** - * \brief Updates an Esch384 state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - * - * \sa esch_384_hash_init(), esch_384_hash_finalize() - */ -void esch_384_hash_update - (esch_384_hash_state_t *state, const unsigned char *in, - unsigned long long inlen); - -/** - * \brief Returns the final hash value from an Esch384 hashing operation. - * - * \param state Hash state to be finalized. - * \param out Points to the output buffer to receive the 48-byte hash value. - * - * \sa esch_384_hash_init(), esch_384_hash_update() - */ -void esch_384_hash_finalize - (esch_384_hash_state_t *state, unsigned char *out); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/aead-common.c b/sparkle/Implementations/crypto_hash/esch256v1/rhys/aead-common.c similarity index 100% rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/aead-common.c rename to sparkle/Implementations/crypto_hash/esch256v1/rhys/aead-common.c 
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/aead-common.h b/sparkle/Implementations/crypto_hash/esch256v1/rhys/aead-common.h
similarity index 100%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/aead-common.h
rename to sparkle/Implementations/crypto_hash/esch256v1/rhys/aead-common.h
diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys/api.h b/sparkle/Implementations/crypto_hash/esch256v1/rhys/api.h
new file mode 100644
index 0000000..ae8c7f6
--- /dev/null
+++ b/sparkle/Implementations/crypto_hash/esch256v1/rhys/api.h
@@ -0,0 +1 @@
+#define CRYPTO_BYTES 32
diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/hash.c b/sparkle/Implementations/crypto_hash/esch256v1/rhys/hash.c
similarity index 100%
rename from sparkle/Implementations/crypto_hash/esch256v1/rhys-avr/hash.c
rename to sparkle/Implementations/crypto_hash/esch256v1/rhys/hash.c
diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys/internal-sparkle-avr.S b/sparkle/Implementations/crypto_hash/esch256v1/rhys/internal-sparkle-avr.S
new file mode 100644
index 0000000..753ea2f
--- /dev/null
+++ b/sparkle/Implementations/crypto_hash/esch256v1/rhys/internal-sparkle-avr.S
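Review bot: `CRYPTO_BYTES 32` in the new esch256v1/rhys/api.h restates the Esch256 digest length that the library header defines as `ESCH_256_HASH_SIZE 32` (visible in the rhys-avr/sparkle.h removed above; the rhys/ copy presumably keeps the same value), with nothing tying the two definitions together. If one is edited without the other, the test harness will read or compare a different number of output bytes than `esch_256_hash()` writes, and the mismatch would only show up as a vector failure. A one-line comment above the define, `/* Must equal ESCH_256_HASH_SIZE in sparkle.h: Esch256 produces a 32-byte digest */`, would make the dependency visible to whoever next touches either file.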
@@ -0,0 +1,2887 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global sparkle_256 + .type sparkle_256, @function +sparkle_256: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + rcall 129f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 129f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 129f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + rcall 129f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 129f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 129f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 129f + pop r18 + cpi r18,7 + brne 5094f + rjmp 615f +5094: + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 129f + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 129f + ldi r18,128 + ldi r19,88 + ldi r20,113 + 
ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 129f + rjmp 615f +129: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc 
r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + 
eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + movw r18,r4 + movw r20,r6 + movw r4,r14 + movw r6,r12 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + movw r8,r18 + movw r10,r20 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 
+ eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + movw r14,r22 + movw r12,r26 + eor r14,r18 + eor r15,r19 + eor r12,r20 + eor r13,r21 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + movw r22,r16 + movw r26,r24 + eor r22,r28 + eor r23,r29 + eor r26,r2 + eor r27,r3 + movw r28,r14 + movw r2,r12 + ret +615: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_256, .-sparkle_256 + + .text +.global sparkle_384 + .type sparkle_384, @function +sparkle_384: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + rcall 140f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 140f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 140f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + 
rcall 140f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 140f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 140f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 140f + pop r18 + cpi r18,7 + brne 5094f + rjmp 886f +5094: + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 140f + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 140f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 140f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,10 + eor r8,r18 + rcall 140f + rjmp 886f +140: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 
+ ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 
+ ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + 
rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r22 + std Z+17,r23 + std Z+18,r26 + std Z+19,r27 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + eor r24,r4 + eor r25,r5 + eor r16,r6 + eor r17,r7 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r28,Z+40 + ldd r29,Z+41 + ldd r2,Z+42 + ldd r3,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor 
r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r0,Z+4 + eor r18,r0 + ldd r0,Z+5 + eor r19,r0 + ldd r0,Z+6 + eor r20,r0 + ldd r0,Z+7 + eor r21,r0 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Z+28,r18 + std Z+29,r19 + std Z+30,r20 + std Z+31,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + std Z+36,r18 + std Z+37,r19 + std Z+38,r20 + std Z+39,r21 + eor r8,r14 + eor r9,r15 + eor r10,r12 + eor r11,r13 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + eor r18,r16 + eor r19,r17 + eor r20,r24 + eor r21,r25 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r28,Z+16 + ldd r29,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + std Z+40,r28 + std Z+41,r29 + std Z+42,r2 + std Z+43,r3 + ld r14,Z + ldd r15,Z+1 + ldd r12,Z+2 + ldd r13,Z+3 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + std Z+24,r14 + std Z+25,r15 + std Z+26,r12 + std Z+27,r13 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + std Z+32,r18 + std Z+33,r19 + std Z+34,r20 + std Z+35,r21 + eor r28,r16 + eor r29,r17 + eor r2,r24 + eor r3,r25 + ret +886: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_384, .-sparkle_384 + + .text +.global sparkle_512 + .type sparkle_512, @function +sparkle_512: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + rcall 151f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 151f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 151f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + rcall 151f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 151f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 151f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 151f + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 151f + pop r18 + cpi r18,8 + brne 5105f + rjmp 1189f +5105: + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 151f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 151f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,10 + eor r8,r18 + rcall 151f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,11 + eor r8,r18 + rcall 151f + rjmp 1189f +151: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + 
movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor 
r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + 
ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r22 + std Z+17,r23 + std Z+18,r26 + std Z+19,r27 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + eor r24,r4 + eor r25,r5 + eor r16,r6 + eor r17,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r28,Z+40 + ldd r29,Z+41 + ldd r2,Z+42 + ldd r3,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + 
ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+32,r22 + std Z+33,r23 + std Z+34,r26 + std 
Z+35,r27 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r28 + std Z+41,r29 + std Z+42,r2 + std Z+43,r3 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r22,Z+48 + ldd r23,Z+49 + ldd r26,Z+50 + ldd r27,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r28,Z+56 + ldd r29,Z+57 + ldd r2,Z+58 + ldd r3,Z+59 + ldd r8,Z+60 + ldd r9,Z+61 + ldd r10,Z+62 + ldd r11,Z+63 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + 
adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + ldd r18,Z+44 + ldd r19,Z+45 + ldd r20,Z+46 + ldd r21,Z+47 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Z+60,r8 + std Z+61,r9 + std Z+62,r10 + std Z+63,r11 + ldd r8,Z+4 + ldd r9,Z+5 + ldd r10,Z+6 + ldd r11,Z+7 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+36,r8 + std Z+37,r9 + std Z+38,r10 + std Z+39,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r8,Z+52 + ldd r9,Z+53 + ldd r10,Z+54 + ldd r11,Z+55 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + ldd r0,Z+60 + eor r14,r0 + ldd r0,Z+61 + eor r15,r0 + ldd r0,Z+62 + eor r12,r0 + ldd r0,Z+63 + eor 
r13,r0 + std Z+20,r14 + std Z+21,r15 + std Z+22,r12 + std Z+23,r13 + movw r4,r18 + movw r6,r20 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + std Z+48,r22 + std Z+49,r23 + std Z+50,r26 + std Z+51,r27 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + eor r18,r16 + eor r19,r17 + eor r20,r24 + eor r21,r25 + eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r14,Z+24 + ldd r15,Z+25 + ldd r12,Z+26 + ldd r13,Z+27 + std Z+56,r14 + std Z+57,r15 + std Z+58,r12 + std Z+59,r13 + ld r14,Z + ldd r15,Z+1 + ldd r12,Z+2 + ldd r13,Z+3 + eor r22,r14 + eor r23,r15 + eor r26,r12 + eor r27,r13 + std Z+24,r22 + std Z+25,r23 + std Z+26,r26 + std Z+27,r27 + std Z+32,r14 + std Z+33,r15 + std Z+34,r12 + std Z+35,r13 + ldd r14,Z+8 + ldd r15,Z+9 + ldd r12,Z+10 + ldd r13,Z+11 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + movw r22,r18 + movw r26,r20 + std Z+40,r14 + std Z+41,r15 + std Z+42,r12 + std Z+43,r13 + ldd r28,Z+48 + ldd r29,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r14,Z+16 + ldd r15,Z+17 + ldd r12,Z+18 + ldd r13,Z+19 + eor r28,r14 + eor r29,r15 + eor r2,r12 + eor r3,r13 + std Z+48,r14 + std Z+49,r15 + std Z+50,r12 + std Z+51,r13 + ldd r0,Z+56 + eor r16,r0 + ldd r0,Z+57 + eor r17,r0 + ldd r0,Z+58 + eor r24,r0 + ldd r0,Z+59 + eor r25,r0 + std Z+16,r16 + std Z+17,r17 + std Z+18,r24 + std Z+19,r25 + ret +1189: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_512, .-sparkle_512 + +#endif 
diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys/internal-sparkle.c b/sparkle/Implementations/crypto_hash/esch256v1/rhys/internal-sparkle.c
new file mode 100644
index 0000000..4a4c0fb
--- /dev/null
+++ b/sparkle/Implementations/crypto_hash/esch256v1/rhys/internal-sparkle.c
@@ -0,0 +1,382 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "internal-sparkle.h"
+
+#if !defined(__AVR__)
+
+/* The 8 basic round constants from the specification */
+#define RC_0 0xB7E15162
+#define RC_1 0xBF715880
+#define RC_2 0x38B4DA56
+#define RC_3 0x324E7738
+#define RC_4 0xBB1185EB
+#define RC_5 0x4F7C7B57
+#define RC_6 0xCFBFA1C8
+#define RC_7 0xC2B3293D
+
+/* Round constants for all SPARKLE steps; maximum of 12 for SPARKLE-512 */
+static uint32_t const sparkle_rc[12] = {
+ RC_0, RC_1, RC_2, RC_3, RC_4, RC_5, RC_6, RC_7,
+ RC_0, RC_1, RC_2, RC_3
+};
+
+/**
+ * \brief Alzette block cipher that implements the ARXbox layer of the
+ * SPARKLE permutation.
+ *
+ * \param x Left half of the 64-bit block.
+ * \param y Right half of the 64-bit block.
+ * \param k 32-bit round key.
+ */
+#define alzette(x, y, k) \
+ do { \
+ (x) += leftRotate1((y)); \
+ (y) ^= leftRotate8((x)); \
+ (x) ^= (k); \
+ (x) += leftRotate15((y)); \
+ (y) ^= leftRotate15((x)); \
+ (x) ^= (k); \
+ (x) += (y); \
+ (y) ^= leftRotate1((x)); \
+ (x) ^= (k); \
+ (x) += leftRotate8((y)); \
+ (y) ^= leftRotate16((x)); \
+ (x) ^= (k); \
+ } while (0)
+
+void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps)
+{
+ uint32_t x0, x1, x2, x3;
+ uint32_t y0, y1, y2, y3;
+ uint32_t tx, ty;
+ unsigned step;
+
+ /* Load the SPARKLE-256 state up into local variables */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ x0 = s[0];
+ y0 = s[1];
+ x1 = s[2];
+ y1 = s[3];
+ x2 = s[4];
+ y2 = s[5];
+ x3 = s[6];
+ y3 = s[7];
+#else
+ x0 = le_load_word32((const uint8_t *)&(s[0]));
+ y0 = le_load_word32((const uint8_t *)&(s[1]));
+ x1 = le_load_word32((const uint8_t *)&(s[2]));
+ y1 = le_load_word32((const uint8_t *)&(s[3]));
+ x2 = le_load_word32((const uint8_t *)&(s[4]));
+ y2 = le_load_word32((const uint8_t *)&(s[5]));
+ x3 = le_load_word32((const uint8_t *)&(s[6]));
+ y3 = le_load_word32((const uint8_t *)&(s[7]));
+#endif
+
+ /* Perform all requested steps */
+ for (step = 0; step < steps; ++step) {
+ /* Add round constants */
+ y0 ^= sparkle_rc[step];
+ y1 ^= step;
+
+ /* ARXbox layer */
+ alzette(x0, y0, RC_0);
+ alzette(x1, y1, RC_1);
+ alzette(x2, y2, RC_2);
+ alzette(x3, y3, RC_3);
+
+ /* Linear layer */
+ tx = x0 ^ x1;
+ ty = y0 ^ y1;
+ tx = leftRotate16(tx ^ (tx << 16));
+ ty = leftRotate16(ty ^ (ty << 16));
+ y2 ^= tx;
+ tx ^= y3;
+ y3 = y1;
+ y1 = y2 ^ y0;
+ y2 = y0;
+ y0 = tx ^ y3;
+ x2 ^= ty;
+ ty ^= x3;
+ x3 = x1;
+ x1 = x2 ^ x0;
+ x2 = x0;
+ x0 = ty ^ x3;
+ }
+
+ /* Write the local variables back to the SPARKLE-256 state */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ s[0] = x0;
+ s[1] = y0;
+ s[2] = x1;
+ s[3] = y1;
+ s[4] = x2;
+ s[5] = y2;
+ s[6] = x3;
+ s[7] = y3;
+#else
+ le_store_word32((uint8_t *)&(s[0]), x0);
+ le_store_word32((uint8_t *)&(s[1]), y0);
+ le_store_word32((uint8_t *)&(s[2]), x1);
+ le_store_word32((uint8_t *)&(s[3]), y1);
+ le_store_word32((uint8_t *)&(s[4]), x2);
+ le_store_word32((uint8_t *)&(s[5]), y2);
+ le_store_word32((uint8_t *)&(s[6]), x3);
+ le_store_word32((uint8_t *)&(s[7]), y3);
+#endif
+}
+
+void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps)
+{
+ uint32_t x0, x1, x2, x3, x4, x5;
+ uint32_t y0, y1, y2, y3, y4, y5;
+ uint32_t tx, ty;
+ unsigned step;
+
+ /* Load the SPARKLE-384 state up into local variables */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ x0 = s[0];
+ y0 = s[1];
+ x1 = s[2];
+ y1 = s[3];
+ x2 = s[4];
+ y2 = s[5];
+ x3 = s[6];
+ y3 = s[7];
+ x4 = s[8];
+ y4 = s[9];
+ x5 = s[10];
+ y5 = s[11];
+#else
+ x0 = le_load_word32((const uint8_t *)&(s[0]));
+ y0 = le_load_word32((const uint8_t *)&(s[1]));
+ x1 = le_load_word32((const uint8_t *)&(s[2]));
+ y1 = le_load_word32((const uint8_t *)&(s[3]));
+ x2 = le_load_word32((const uint8_t *)&(s[4]));
+ y2 = le_load_word32((const uint8_t *)&(s[5]));
+ x3 = le_load_word32((const uint8_t *)&(s[6]));
+ y3 = le_load_word32((const uint8_t *)&(s[7]));
+ x4 = le_load_word32((const uint8_t *)&(s[8]));
+ y4 = le_load_word32((const uint8_t *)&(s[9]));
+ x5 = le_load_word32((const uint8_t *)&(s[10]));
+ y5 = le_load_word32((const uint8_t *)&(s[11]));
+#endif
+
+ /* Perform all requested steps */
+ for (step = 0; step < steps; ++step) {
+ /* Add round constants */
+ y0 ^= sparkle_rc[step];
+ y1 ^= step;
+
+ /* ARXbox layer */
+ alzette(x0, y0, RC_0);
+ alzette(x1, y1, RC_1);
+ alzette(x2, y2, RC_2);
+ alzette(x3, y3, RC_3);
+ alzette(x4, y4, RC_4);
+ alzette(x5, y5, RC_5);
+
+ /* Linear layer */
+ tx = x0 ^ x1 ^ x2;
+ ty = y0 ^ y1 ^ y2;
+ tx = leftRotate16(tx ^ (tx << 16));
+ ty = leftRotate16(ty ^ (ty << 16));
+ y3 ^= tx;
+ y4 ^= tx;
+ tx ^= y5;
+ y5 = y2;
+ y2 = y3 ^ y0;
+ y3 = y0;
+ y0 = y4 ^ y1;
+ y4 = y1;
+ y1 = tx ^ y5;
+ x3 ^= ty;
+ x4 ^= ty;
+ ty ^= x5;
+ x5 = x2;
+ x2 = x3 ^ x0;
+ x3 = x0;
+ x0 = x4 ^ x1;
+ x4 = x1;
+ x1 = ty ^ x5;
+ }
+
+ /* Write the local variables back to the SPARKLE-384 state */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ s[0] = x0;
+ s[1] = y0;
+ s[2] = x1;
+ s[3] = y1;
+ s[4] = x2;
+ s[5] = y2;
+ s[6] = x3;
+ s[7] = y3;
+ s[8] = x4;
+ s[9] = y4;
+ s[10] = x5;
+ s[11] = y5;
+#else
+ le_store_word32((uint8_t *)&(s[0]), x0);
+ le_store_word32((uint8_t *)&(s[1]), y0);
+ le_store_word32((uint8_t *)&(s[2]), x1);
+ le_store_word32((uint8_t *)&(s[3]), y1);
+ le_store_word32((uint8_t *)&(s[4]), x2);
+ le_store_word32((uint8_t *)&(s[5]), y2);
+ le_store_word32((uint8_t *)&(s[6]), x3);
+ le_store_word32((uint8_t *)&(s[7]), y3);
+ le_store_word32((uint8_t *)&(s[8]), x4);
+ le_store_word32((uint8_t *)&(s[9]), y4);
+ le_store_word32((uint8_t *)&(s[10]), x5);
+ le_store_word32((uint8_t *)&(s[11]), y5);
+#endif
+}
+
+void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps)
+{
+ uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
+ uint32_t y0, y1, y2, y3, y4, y5, y6, y7;
+ uint32_t tx, ty;
+ unsigned step;
+
+ /* Load the SPARKLE-512 state up into local variables */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ x0 = s[0];
+ y0 = s[1];
+ x1 = s[2];
+ y1 = s[3];
+ x2 = s[4];
+ y2 = s[5];
+ x3 = s[6];
+ y3 = s[7];
+ x4 = s[8];
+ y4 = s[9];
+ x5 = s[10];
+ y5 = s[11];
+ x6 = s[12];
+ y6 = s[13];
+ x7 = s[14];
+ y7 = s[15];
+#else
+ x0 = le_load_word32((const uint8_t *)&(s[0]));
+ y0 = le_load_word32((const uint8_t *)&(s[1]));
+ x1 = le_load_word32((const uint8_t *)&(s[2]));
+ y1 = le_load_word32((const uint8_t *)&(s[3]));
+ x2 = le_load_word32((const uint8_t *)&(s[4]));
+ y2 = le_load_word32((const uint8_t *)&(s[5]));
+ x3 = le_load_word32((const uint8_t *)&(s[6]));
+ y3 = le_load_word32((const uint8_t *)&(s[7]));
+ x4 = le_load_word32((const uint8_t *)&(s[8]));
+ y4 = le_load_word32((const uint8_t *)&(s[9]));
+ x5 = le_load_word32((const uint8_t *)&(s[10]));
+ y5 = le_load_word32((const uint8_t *)&(s[11]));
+ x6 = le_load_word32((const uint8_t *)&(s[12]));
+ y6 = le_load_word32((const uint8_t *)&(s[13]));
+ x7 = le_load_word32((const uint8_t *)&(s[14]));
+ y7 = le_load_word32((const uint8_t *)&(s[15]));
+#endif
+
+ /* Perform all requested steps */
+ for (step = 0; step < steps; ++step) {
+ /* Add round constants */
+ y0 ^= sparkle_rc[step];
+ y1 ^= step;
+
+ /* ARXbox layer */
+ alzette(x0, y0, RC_0);
+ alzette(x1, y1, RC_1);
+ alzette(x2, y2, RC_2);
+ alzette(x3, y3, RC_3);
+ alzette(x4, y4, RC_4);
+ alzette(x5, y5, RC_5);
+ alzette(x6, y6, RC_6);
+ alzette(x7, y7, RC_7);
+
+ /* Linear layer */
+ tx = x0 ^ x1 ^ x2 ^ x3;
+ ty = y0 ^ y1 ^ y2 ^ y3;
+ tx = leftRotate16(tx ^ (tx << 16));
+ ty = leftRotate16(ty ^ (ty << 16));
+ y4 ^= tx;
+ y5 ^= tx;
+ y6 ^= tx;
+ tx ^= y7;
+ y7 = y3;
+ y3 = y4 ^ y0;
+ y4 = y0;
+ y0 = y5 ^ y1;
+ y5 = y1;
+ y1 = y6 ^ y2;
+ y6 = y2;
+ y2 = tx ^ y7;
+ x4 ^= ty;
+ x5 ^= ty;
+ x6 ^= ty;
+ ty ^= x7;
+ x7 = x3;
+ x3 = x4 ^ x0;
+ x4 = x0;
+ x0 = x5 ^ x1;
+ x5 = x1;
+ x1 = x6 ^ x2;
+ x6 = x2;
+ x2 = ty ^ x7;
+ }
+
+ /* Write the local variables back to the SPARKLE-512 state */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ s[0] = x0;
+ s[1] = y0;
+ s[2] = x1;
+ s[3] = y1;
+ s[4] = x2;
+ s[5] = y2;
+ s[6] = x3;
+ s[7] = y3;
+ s[8] = x4;
+ s[9] = y4;
+ s[10] = x5;
+ s[11] = y5;
+ s[12] = x6;
+ s[13] = y6;
+ s[14] = x7;
+ s[15] = y7;
+#else
+ le_store_word32((uint8_t *)&(s[0]), x0);
+ le_store_word32((uint8_t *)&(s[1]), y0);
+ le_store_word32((uint8_t *)&(s[2]), x1);
+ le_store_word32((uint8_t *)&(s[3]), y1);
+ le_store_word32((uint8_t *)&(s[4]), x2);
+ le_store_word32((uint8_t *)&(s[5]), y2);
+ le_store_word32((uint8_t *)&(s[6]), x3);
+ le_store_word32((uint8_t *)&(s[7]), y3);
+ le_store_word32((uint8_t *)&(s[8]), x4);
+ le_store_word32((uint8_t *)&(s[9]), y4);
+ le_store_word32((uint8_t *)&(s[10]), x5);
+ le_store_word32((uint8_t *)&(s[11]), y5);
+ le_store_word32((uint8_t *)&(s[12]), x6);
+ le_store_word32((uint8_t *)&(s[13]), y6);
+ le_store_word32((uint8_t *)&(s[14]), x7);
+ le_store_word32((uint8_t *)&(s[15]), y7);
+#endif
+}
+
+#endif
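Review bot: The step loops in sparkle_256, sparkle_384 and sparkle_512 index `sparkle_rc[step]` for every `step < steps`, but `sparkle_rc` has only 12 entries and `steps` is whatever the caller passes, so any value above 12 reads past the table with nothing in the loop or the signature stopping it. The comment on the table says "maximum of 12", but that precondition is not stated where it matters; I would put `/* Precondition: steps <= 12, the size of sparkle_rc (callers use 7/10, 7/11, 8/12) */` above each `for (step = 0; step < steps; ++step)` loop, and the `\param steps` lines on the three prototypes in the internal-sparkle.h hunk further down should likewise say "at most 12". The `#else` load/store path presumably relies on `le_load_word32` / `le_store_word32` from internal-util.h treating `s` as little-endian bytes rather than native words, which is not visible here; a one-line comment at the `#else` saying so would save the next reader a lookup.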
diff --git a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-spongent.h b/sparkle/Implementations/crypto_hash/esch256v1/rhys/internal-sparkle.h
similarity index 63%
rename from elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-spongent.h
rename to sparkle/Implementations/crypto_hash/esch256v1/rhys/internal-sparkle.h
index bb9823f..fbdabc1 100644
--- a/elephant/Implementations/crypto_aead/elephant160v1/rhys-avr/internal-spongent.h
+++ b/sparkle/Implementations/crypto_hash/esch256v1/rhys/internal-sparkle.h
@@ -20,16 +20,16 @@
 * DEALINGS IN THE SOFTWARE.
 */
 
-#ifndef LW_INTERNAL_SPONGENT_H
-#define LW_INTERNAL_SPONGENT_H
+#ifndef LW_INTERNAL_SPARKLE_H
+#define LW_INTERNAL_SPARKLE_H
 
 #include "internal-util.h"
 
 /**
- * \file internal-spongent.h
- * \brief Internal implementation of the Spongent-pi permutation.
+ * \file internal-sparkle.h
+ * \brief Internal implementation of the SPARKLE permutation.
 *
- * References: https://www.esat.kuleuven.be/cosic/elephant/
+ * References: https://www.cryptolux.org/index.php/Sparkle
 */
 
 #ifdef __cplusplus
@@ -37,52 +37,43 @@ extern "C" {
 #endif
 
 /**
- * \brief Size of the Spongent-pi[160] state in bytes.
+ * \brief Size of the state for SPARKLE-256.
 */
-#define SPONGENT160_STATE_SIZE 20
+#define SPARKLE_256_STATE_SIZE 8
 
 /**
- * \brief Size of the Spongent-pi[176] state in bytes.
+ * \brief Size of the state for SPARKLE-384.
 */
-#define SPONGENT176_STATE_SIZE 22
+#define SPARKLE_384_STATE_SIZE 12
 
 /**
- * \brief Structure of the internal state of the Spongent-pi[160] permutation.
+ * \brief Size of the state for SPARKLE-512.
 */
-typedef union
-{
- uint32_t W[5]; /**< Spongent-pi[160] state as 32-bit words */
- uint8_t B[20]; /**< Spongent-pi[160] state as bytes */
-
-} spongent160_state_t;
+#define SPARKLE_512_STATE_SIZE 16
 
 /**
- * \brief Structure of the internal state of the Spongent-pi[176] permutation.
+ * \brief Performs the SPARKLE-256 permutation.
 *
- * Note: The state is technically only 176 bits, but we increase it to
- * 192 bits so that we can use 32-bit word operations to manipulate the
- * state. The extra bits in the last word are fixed to zero.
+ * \param s The words of the SPARKLE-256 state in little-endian byte order.
+ * \param steps The number of steps to perform, 7 or 10.
 */
-typedef union
-{
- uint32_t W[6]; /**< Spongent-pi[176] state as 32-bit words */
- uint8_t B[24]; /**< Spongent-pi[176] state as bytes */
-
-} spongent176_state_t;
+void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps);
 
 /**
- * \brief Permutes the Spongent-pi[160] state.
+ * \brief Performs the SPARKLE-384 permutation.
 *
- * \param state The Spongent-pi[160] state to be permuted.
+ * \param s The words of the SPARKLE-384 state in little-endian byte order.
+ * \param steps The number of steps to perform, 7 or 11.
 */
-void spongent160_permute(spongent160_state_t *state);
+void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps);
 
 /**
- * \brief Permutes the Spongent-pi[176] state.
+ * \brief Performs the SPARKLE-512 permutation.
 *
- * \param state The Spongent-pi[176] state to be permuted.
+ * \param s The words of the SPARKLE-512 state in little-endian byte order.
+ * \param steps The number of steps to perform, 8 or 12.
 */
-void spongent176_permute(spongent176_state_t *state);
+void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps);
 
 #ifdef __cplusplus
 }
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-util.h b/sparkle/Implementations/crypto_hash/esch256v1/rhys/internal-util.h
similarity index 100%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t192n48v1/rhys-avr/internal-util.h
rename to sparkle/Implementations/crypto_hash/esch256v1/rhys/internal-util.h
diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys/sparkle.c b/sparkle/Implementations/crypto_hash/esch256v1/rhys/sparkle.c
new file mode 100644
index 0000000..e2aa25a
--- /dev/null
+++ b/sparkle/Implementations/crypto_hash/esch256v1/rhys/sparkle.c
@@ -0,0 +1,1135 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "sparkle.h"
+#include "internal-sparkle.h"
+#include
+
+aead_cipher_t const schwaemm_256_128_cipher = {
+ "Schwaemm256-128",
+ SCHWAEMM_256_128_KEY_SIZE,
+ SCHWAEMM_256_128_NONCE_SIZE,
+ SCHWAEMM_256_128_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ schwaemm_256_128_aead_encrypt,
+ schwaemm_256_128_aead_decrypt
+};
+
+aead_cipher_t const schwaemm_192_192_cipher = {
+ "Schwaemm192-192",
+ SCHWAEMM_192_192_KEY_SIZE,
+ SCHWAEMM_192_192_NONCE_SIZE,
+ SCHWAEMM_192_192_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ schwaemm_192_192_aead_encrypt,
+ schwaemm_192_192_aead_decrypt
+};
+
+aead_cipher_t const schwaemm_128_128_cipher = {
+ "Schwaemm128-128",
+ SCHWAEMM_128_128_KEY_SIZE,
+ SCHWAEMM_128_128_NONCE_SIZE,
+ SCHWAEMM_128_128_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ schwaemm_128_128_aead_encrypt,
+ schwaemm_128_128_aead_decrypt
+};
+
+aead_cipher_t const schwaemm_256_256_cipher = {
+ "Schwaemm256-256",
+ SCHWAEMM_256_256_KEY_SIZE,
+ SCHWAEMM_256_256_NONCE_SIZE,
+ SCHWAEMM_256_256_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ schwaemm_256_256_aead_encrypt,
+ schwaemm_256_256_aead_decrypt
+};
+
+aead_hash_algorithm_t const esch_256_hash_algorithm = {
+ "Esch256",
+ sizeof(esch_256_hash_state_t),
+ ESCH_256_HASH_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ esch_256_hash,
+ (aead_hash_init_t)esch_256_hash_init,
+ (aead_hash_update_t)esch_256_hash_update,
+ (aead_hash_finalize_t)esch_256_hash_finalize,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+aead_hash_algorithm_t const esch_384_hash_algorithm = {
+ "Esch384",
+ sizeof(esch_384_hash_state_t),
+ ESCH_384_HASH_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ esch_384_hash,
+ (aead_hash_init_t)esch_384_hash_init,
+ (aead_hash_update_t)esch_384_hash_update,
+ (aead_hash_finalize_t)esch_384_hash_finalize,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+/**
+ * \def DOMAIN(value)
+ * \brief Build a domain separation value as a 32-bit word.
+ *
+ * \param value The base value.
+ * \return The domain separation value as a 32-bit word.
+ */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+#define DOMAIN(value) (((uint32_t)(value)) << 24)
+#else
+#define DOMAIN(value) (value)
+#endif
+
+/**
+ * \brief Rate at which bytes are processed by Schwaemm256-128.
+ */
+#define SCHWAEMM_256_128_RATE 32
+
+/**
+ * \brief Pointer to the left of the state for Schwaemm256-128.
+ */
+#define SCHWAEMM_256_128_LEFT(s) ((unsigned char *)&(s[0]))
+
+/**
+ * \brief Pointer to the right of the state for Schwaemm256-128.
+ */
+#define SCHWAEMM_256_128_RIGHT(s) \
+ (SCHWAEMM_256_128_LEFT(s) + SCHWAEMM_256_128_RATE)
+
+/**
+ * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128.
+ *
+ * \param s SPARKLE-384 state.
+ */
+#define schwaemm_256_128_rho(s) \
+ do { \
+ uint32_t t = s[0]; \
+ s[0] = s[4] ^ s[8]; \
+ s[4] ^= t ^ s[8]; \
+ t = s[1]; \
+ s[1] = s[5] ^ s[9]; \
+ s[5] ^= t ^ s[9]; \
+ t = s[2]; \
+ s[2] = s[6] ^ s[10]; \
+ s[6] ^= t ^ s[10]; \
+ t = s[3]; \
+ s[3] = s[7] ^ s[11]; \
+ s[7] ^= t ^ s[11]; \
+ } while (0)
+
+/**
+ * \brief Authenticates the associated data for Schwaemm256-128.
+ *
+ * \param s SPARKLE-384 state.
+ * \param ad Points to the associated data.
+ * \param adlen Length of the associated data; must be >= 1.
+ */
+static void schwaemm_256_128_authenticate
+ (uint32_t s[SPARKLE_384_STATE_SIZE],
+ const unsigned char *ad, unsigned long long adlen)
+{
+ while (adlen > SCHWAEMM_256_128_RATE) {
+ schwaemm_256_128_rho(s);
+ lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE);
+ sparkle_384(s, 7);
+ ad += SCHWAEMM_256_128_RATE;
+ adlen -= SCHWAEMM_256_128_RATE;
+ }
+ if (adlen == SCHWAEMM_256_128_RATE) {
+ s[11] ^= DOMAIN(0x05);
+ schwaemm_256_128_rho(s);
+ lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE);
+ } else {
+ unsigned temp = (unsigned)adlen;
+ s[11] ^= DOMAIN(0x04);
+ schwaemm_256_128_rho(s);
+ lw_xor_block((unsigned char *)s, ad, temp);
+ ((unsigned char *)s)[temp] ^= 0x80;
+ }
+ sparkle_384(s, 11);
+}
+
+int schwaemm_256_128_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ uint32_t s[SPARKLE_384_STATE_SIZE];
+ uint8_t block[SCHWAEMM_256_128_RATE];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + SCHWAEMM_256_128_TAG_SIZE;
+
+ /* Initialize the state with the nonce and the key */
+ memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE);
+ memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE);
+ sparkle_384(s, 11);
+
+ /* Process the associated data */
+ if (adlen > 0)
+ schwaemm_256_128_authenticate(s, ad, adlen);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ if (mlen > 0) {
+ while (mlen > SCHWAEMM_256_128_RATE) {
+ lw_xor_block_2_src
+ (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE);
+ schwaemm_256_128_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
+ sparkle_384(s, 7);
+ memcpy(c, block, SCHWAEMM_256_128_RATE);
+ c += SCHWAEMM_256_128_RATE;
+ m += SCHWAEMM_256_128_RATE;
+ mlen -= SCHWAEMM_256_128_RATE;
+ }
+ if (mlen == SCHWAEMM_256_128_RATE) {
+ lw_xor_block_2_src
+ (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE);
+ s[11] ^= DOMAIN(0x07);
+ schwaemm_256_128_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
+ memcpy(c, block, SCHWAEMM_256_128_RATE);
+ } else {
+ unsigned temp = (unsigned)mlen;
+ lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
+ s[11] ^= DOMAIN(0x06);
+ schwaemm_256_128_rho(s);
+ lw_xor_block((unsigned char *)s, m, temp);
+ ((unsigned char *)s)[temp] ^= 0x80;
+ memcpy(c, block, temp);
+ }
+ sparkle_384(s, 11);
+ c += mlen;
+ }
+
+ /* Generate the authentication tag */
+ lw_xor_block_2_src
+ (c, SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE);
+ return 0;
+}
+
+int schwaemm_256_128_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ uint32_t s[SPARKLE_384_STATE_SIZE];
+ unsigned char *mtemp = m;
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < SCHWAEMM_256_128_TAG_SIZE)
+ return -1;
+ *mlen = clen - SCHWAEMM_256_128_TAG_SIZE;
+
+ /* Initialize the state with the nonce and the key */
+ memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE);
+ memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE);
+ sparkle_384(s, 11);
+
+ /* Process the associated data */
+ if (adlen > 0)
+ schwaemm_256_128_authenticate(s, ad, adlen);
+
+ /* Decrypt the ciphertext to produce the plaintext */
+ clen -= SCHWAEMM_256_128_TAG_SIZE;
+ if (clen > 0) {
+ while (clen > SCHWAEMM_256_128_RATE) {
+ lw_xor_block_2_src
+ (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE);
+ schwaemm_256_128_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
+ sparkle_384(s, 7);
+ c += SCHWAEMM_256_128_RATE;
+ m += SCHWAEMM_256_128_RATE;
+ clen -= SCHWAEMM_256_128_RATE;
+ }
+ if (clen == SCHWAEMM_256_128_RATE) {
+ lw_xor_block_2_src
+ (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE);
+ s[11] ^= DOMAIN(0x07);
+ schwaemm_256_128_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
+ } else {
+ unsigned temp = (unsigned)clen;
+ lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
+ s[11] ^= DOMAIN(0x06);
+ schwaemm_256_128_rho(s);
+ lw_xor_block((unsigned char *)s, m, temp);
+ ((unsigned char *)s)[temp] ^= 0x80;
+ }
+ sparkle_384(s, 11);
+ c += clen;
+ }
+
+ /* Check the authentication tag */
+ lw_xor_block(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE);
+ return aead_check_tag
+ (mtemp, *mlen, SCHWAEMM_256_128_RIGHT(s), c, SCHWAEMM_256_128_TAG_SIZE);
+}
+
+/**
+ * \brief Rate at which bytes are processed by Schwaemm192-192.
+ */
+#define SCHWAEMM_192_192_RATE 24
+
+/**
+ * \brief Pointer to the left of the state for Schwaemm192-192.
+ */
+#define SCHWAEMM_192_192_LEFT(s) ((unsigned char *)&(s[0]))
+
+/**
+ * \brief Pointer to the right of the state for Schwaemm192-192.
+ */
+#define SCHWAEMM_192_192_RIGHT(s) \
+ (SCHWAEMM_192_192_LEFT(s) + SCHWAEMM_192_192_RATE)
+
+/**
+ * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192.
+ *
+ * \param s SPARKLE-384 state.
+ */
+#define schwaemm_192_192_rho(s) \
+ do { \
+ uint32_t t = s[0]; \
+ s[0] = s[3] ^ s[6]; \
+ s[3] ^= t ^ s[9]; \
+ t = s[1]; \
+ s[1] = s[4] ^ s[7]; \
+ s[4] ^= t ^ s[10]; \
+ t = s[2]; \
+ s[2] = s[5] ^ s[8]; \
+ s[5] ^= t ^ s[11]; \
+ } while (0)
+
+/**
+ * \brief Authenticates the associated data for Schwaemm192-192.
+ *
+ * \param s SPARKLE-384 state.
+ * \param ad Points to the associated data.
+ * \param adlen Length of the associated data; must be >= 1.
+ */
+static void schwaemm_192_192_authenticate
+ (uint32_t s[SPARKLE_384_STATE_SIZE],
+ const unsigned char *ad, unsigned long long adlen)
+{
+ while (adlen > SCHWAEMM_192_192_RATE) {
+ schwaemm_192_192_rho(s);
+ lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE);
+ sparkle_384(s, 7);
+ ad += SCHWAEMM_192_192_RATE;
+ adlen -= SCHWAEMM_192_192_RATE;
+ }
+ if (adlen == SCHWAEMM_192_192_RATE) {
+ s[11] ^= DOMAIN(0x09);
+ schwaemm_192_192_rho(s);
+ lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE);
+ } else {
+ unsigned temp = (unsigned)adlen;
+ s[11] ^= DOMAIN(0x08);
+ schwaemm_192_192_rho(s);
+ lw_xor_block((unsigned char *)s, ad, temp);
+ ((unsigned char *)s)[temp] ^= 0x80;
+ }
+ sparkle_384(s, 11);
+}
+
+int schwaemm_192_192_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ uint32_t s[SPARKLE_384_STATE_SIZE];
+ uint8_t block[SCHWAEMM_192_192_RATE];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + SCHWAEMM_192_192_TAG_SIZE;
+
+ /* Initialize the state with the nonce and the key */
+ memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE);
+ memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE);
+ sparkle_384(s, 11);
+
+ /* Process the associated data */
+ if (adlen > 0)
+ schwaemm_192_192_authenticate(s, ad, adlen);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ if (mlen > 0) {
+ while (mlen > SCHWAEMM_192_192_RATE) {
+ lw_xor_block_2_src
+ (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE);
+ schwaemm_192_192_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
+ sparkle_384(s, 7);
+ memcpy(c, block, SCHWAEMM_192_192_RATE);
+ c += SCHWAEMM_192_192_RATE;
+ m += SCHWAEMM_192_192_RATE;
+ mlen -= SCHWAEMM_192_192_RATE;
+ }
+ if (mlen == SCHWAEMM_192_192_RATE) {
+ lw_xor_block_2_src
+ (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE);
+ s[11] ^= DOMAIN(0x0B);
+ schwaemm_192_192_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
+ memcpy(c, block, SCHWAEMM_192_192_RATE);
+ } else {
+ unsigned temp = (unsigned)mlen;
+ lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
+ s[11] ^= DOMAIN(0x0A);
+ schwaemm_192_192_rho(s);
+ lw_xor_block((unsigned char *)s, m, temp);
+ ((unsigned char *)s)[temp] ^= 0x80;
+ memcpy(c, block, temp);
+ }
+ sparkle_384(s, 11);
+ c += mlen;
+ }
+
+ /* Generate the authentication tag */
+ lw_xor_block_2_src
+ (c, SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE);
+ return 0;
+}
+
+int schwaemm_192_192_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ uint32_t s[SPARKLE_384_STATE_SIZE];
+ unsigned char *mtemp = m;
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < SCHWAEMM_192_192_TAG_SIZE)
+ return -1;
+ *mlen = clen - SCHWAEMM_192_192_TAG_SIZE;
+
+ /* Initialize the state with the nonce and the key */
+ memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE);
+ memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE);
+ sparkle_384(s, 11);
+
+ /* Process the associated data */
+ if (adlen > 0)
+ schwaemm_192_192_authenticate(s, ad, adlen);
+
+ /* Decrypt the ciphertext to produce the plaintext */
+ clen -= SCHWAEMM_192_192_TAG_SIZE;
+ if (clen > 0) {
+ while (clen > SCHWAEMM_192_192_RATE) {
+ lw_xor_block_2_src
+ (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE);
+ schwaemm_192_192_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
+ sparkle_384(s, 7);
+ c += SCHWAEMM_192_192_RATE;
+ m += SCHWAEMM_192_192_RATE;
+ clen -= SCHWAEMM_192_192_RATE;
+ }
+ if (clen == SCHWAEMM_192_192_RATE) {
+ lw_xor_block_2_src
+ (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE);
+ s[11] ^= DOMAIN(0x0B);
+ schwaemm_192_192_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
+ } else {
+ unsigned temp = (unsigned)clen;
+ lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
+ s[11] ^= DOMAIN(0x0A);
+ schwaemm_192_192_rho(s);
+ lw_xor_block((unsigned char *)s, m, temp);
+ ((unsigned char *)s)[temp] ^= 0x80;
+ }
+ sparkle_384(s, 11);
+ c += clen;
+ }
+
+ /* Check the authentication tag */
+ lw_xor_block(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE);
+ return aead_check_tag
+ (mtemp, *mlen, SCHWAEMM_192_192_RIGHT(s), c, SCHWAEMM_192_192_TAG_SIZE);
+}
+
+/**
+ * \brief Rate at which bytes are processed by Schwaemm128-128.
+ */
+#define SCHWAEMM_128_128_RATE 16
+
+/**
+ * \brief Pointer to the left of the state for Schwaemm128-128.
+ */
+#define SCHWAEMM_128_128_LEFT(s) ((unsigned char *)&(s[0]))
+
+/**
+ * \brief Pointer to the right of the state for Schwaemm128-128.
+ */
+#define SCHWAEMM_128_128_RIGHT(s) \
+ (SCHWAEMM_128_128_LEFT(s) + SCHWAEMM_128_128_RATE)
+
+/**
+ * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128.
+ *
+ * \param s SPARKLE-256 state.
+ */
+#define schwaemm_128_128_rho(s) \
+ do { \
+ uint32_t t = s[0]; \
+ s[0] = s[2] ^ s[4]; \
+ s[2] ^= t ^ s[6]; \
+ t = s[1]; \
+ s[1] = s[3] ^ s[5]; \
+ s[3] ^= t ^ s[7]; \
+ } while (0)
+
+/**
+ * \brief Authenticates the associated data for Schwaemm128-128.
+ *
+ * \param s SPARKLE-256 state.
+ * \param ad Points to the associated data.
+ * \param adlen Length of the associated data; must be >= 1.
+ */
+static void schwaemm_128_128_authenticate
+ (uint32_t s[SPARKLE_256_STATE_SIZE],
+ const unsigned char *ad, unsigned long long adlen)
+{
+ while (adlen > SCHWAEMM_128_128_RATE) {
+ schwaemm_128_128_rho(s);
+ lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE);
+ sparkle_256(s, 7);
+ ad += SCHWAEMM_128_128_RATE;
+ adlen -= SCHWAEMM_128_128_RATE;
+ }
+ if (adlen == SCHWAEMM_128_128_RATE) {
+ s[7] ^= DOMAIN(0x05);
+ schwaemm_128_128_rho(s);
+ lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE);
+ } else {
+ unsigned temp = (unsigned)adlen;
+ s[7] ^= DOMAIN(0x04);
+ schwaemm_128_128_rho(s);
+ lw_xor_block((unsigned char *)s, ad, temp);
+ ((unsigned char *)s)[temp] ^= 0x80;
+ }
+ sparkle_256(s, 10);
+}
+
+int schwaemm_128_128_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ uint32_t s[SPARKLE_256_STATE_SIZE];
+ uint8_t block[SCHWAEMM_128_128_RATE];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + SCHWAEMM_128_128_TAG_SIZE;
+
+ /* Initialize the state with the nonce and the key */
+ memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE);
+ memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE);
+ sparkle_256(s, 10);
+
+ /* Process the associated data */
+ if (adlen > 0)
+ schwaemm_128_128_authenticate(s, ad, adlen);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ if (mlen > 0) {
+ while (mlen > SCHWAEMM_128_128_RATE) {
+ lw_xor_block_2_src
+ (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE);
+ schwaemm_128_128_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
+ sparkle_256(s, 7);
+ memcpy(c, block, SCHWAEMM_128_128_RATE);
+ c += SCHWAEMM_128_128_RATE;
+ m += SCHWAEMM_128_128_RATE;
+ mlen -= SCHWAEMM_128_128_RATE;
+ }
+ if (mlen == SCHWAEMM_128_128_RATE) {
+
lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE); + s[7] ^= DOMAIN(0x07); + schwaemm_128_128_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + memcpy(c, block, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + s[7] ^= DOMAIN(0x06); + schwaemm_128_128_rho(s); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_256(s, 10); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); + return 0; +} + +int schwaemm_128_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_256_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_128_128_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_128_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE); + memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE); + sparkle_256(s, 10); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_128_128_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_128_128_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_128_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); + schwaemm_128_128_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + sparkle_256(s, 7); + c += SCHWAEMM_128_128_RATE; + m += SCHWAEMM_128_128_RATE; + clen -= SCHWAEMM_128_128_RATE; + } + if (clen == SCHWAEMM_128_128_RATE) { + 
lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE); + s[7] ^= DOMAIN(0x07); + schwaemm_128_128_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + s[7] ^= DOMAIN(0x06); + schwaemm_128_128_rho(s); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_256(s, 10); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_128_128_RIGHT(s), c, SCHWAEMM_128_128_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm256-256. + */ +#define SCHWAEMM_256_256_RATE 32 + +/** + * \brief Pointer to the left of the state for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm256-256. + */ +#define SCHWAEMM_256_256_RIGHT(s) \ + (SCHWAEMM_256_256_LEFT(s) + SCHWAEMM_256_256_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256. + * + * \param s SPARKLE-512 state. + */ +#define schwaemm_256_256_rho(s) \ + do { \ + uint32_t t = s[0]; \ + s[0] = s[4] ^ s[8]; \ + s[4] ^= t ^ s[12]; \ + t = s[1]; \ + s[1] = s[5] ^ s[9]; \ + s[5] ^= t ^ s[13]; \ + t = s[2]; \ + s[2] = s[6] ^ s[10]; \ + s[6] ^= t ^ s[14]; \ + t = s[3]; \ + s[3] = s[7] ^ s[11]; \ + s[7] ^= t ^ s[15]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm256-256. + * + * \param s SPARKLE-512 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. 
+ */ +static void schwaemm_256_256_authenticate + (uint32_t s[SPARKLE_512_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_256_256_RATE) { + schwaemm_256_256_rho(s); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + ad += SCHWAEMM_256_256_RATE; + adlen -= SCHWAEMM_256_256_RATE; + } + if (adlen == SCHWAEMM_256_256_RATE) { + s[15] ^= DOMAIN(0x11); + schwaemm_256_256_rho(s); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)adlen; + s[15] ^= DOMAIN(0x10); + schwaemm_256_256_rho(s); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_512(s, 12); +} + +int schwaemm_256_256_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + uint8_t block[SCHWAEMM_256_256_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_256_256_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); + memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); + sparkle_512(s, 12); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_256_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + memcpy(c, block, SCHWAEMM_256_256_RATE); + c += SCHWAEMM_256_256_RATE; + m += SCHWAEMM_256_256_RATE; + mlen -= SCHWAEMM_256_256_RATE; + } + if (mlen == SCHWAEMM_256_256_RATE) { + 
lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE); + s[15] ^= DOMAIN(0x13); + schwaemm_256_256_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + memcpy(c, block, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + s[15] ^= DOMAIN(0x12); + schwaemm_256_256_rho(s); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_512(s, 12); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); + return 0; +} + +int schwaemm_256_256_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_256_256_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_256_256_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE); + memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE); + sparkle_512(s, 12); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_256_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_256_256_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_256_256_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); + schwaemm_256_256_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + sparkle_512(s, 8); + c += SCHWAEMM_256_256_RATE; + m += SCHWAEMM_256_256_RATE; + clen -= SCHWAEMM_256_256_RATE; + } + if (clen == SCHWAEMM_256_256_RATE) { + 
lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE); + s[15] ^= DOMAIN(0x13); + schwaemm_256_256_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + s[15] ^= DOMAIN(0x12); + schwaemm_256_256_rho(s); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_512(s, 12); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_256_256_RIGHT(s), c, SCHWAEMM_256_256_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Esch256. + */ +#define ESCH_256_RATE 16 + +/** + * \brief Perform the M3 step for Esch256 to mix the input with the state. + * + * \param s SPARKLE-384 state. + * \param block Block of input data that has been padded to the rate. + * \param domain Domain separator for this phase. + */ +#define esch_256_m3(s, block, domain) \ + do { \ + uint32_t tx = (block)[0] ^ (block)[2]; \ + uint32_t ty = (block)[1] ^ (block)[3]; \ + tx = leftRotate16(tx ^ (tx << 16)); \ + ty = leftRotate16(ty ^ (ty << 16)); \ + s[0] ^= (block)[0] ^ ty; \ + s[1] ^= (block)[1] ^ tx; \ + s[2] ^= (block)[2] ^ ty; \ + s[3] ^= (block)[3] ^ tx; \ + if ((domain) != 0) \ + s[5] ^= DOMAIN(domain); \ + s[4] ^= ty; \ + s[5] ^= tx; \ + } while (0) + +/** @cond esch_256 */ + +/** + * \brief Word-based state for the Esch256 incremental hash mode. 
+ */ +typedef union +{ + struct { + uint32_t state[SPARKLE_384_STATE_SIZE]; + uint32_t block[4]; + unsigned char count; + } s; + unsigned long long align; + +} esch_256_hash_state_wt; + +/** @endcond */ + +int esch_256_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint32_t block[ESCH_256_RATE / 4]; + memset(s, 0, sizeof(s)); + while (inlen > ESCH_256_RATE) { + memcpy(block, in, ESCH_256_RATE); + esch_256_m3(s, block, 0x00); + sparkle_384(s, 7); + in += ESCH_256_RATE; + inlen -= ESCH_256_RATE; + } + if (inlen == ESCH_256_RATE) { + memcpy(block, in, ESCH_256_RATE); + esch_256_m3(s, block, 0x02); + } else { + unsigned temp = (unsigned)inlen; + memcpy(block, in, temp); + ((unsigned char *)block)[temp] = 0x80; + memset(((unsigned char *)block) + temp + 1, 0, + ESCH_256_RATE - temp - 1); + esch_256_m3(s, block, 0x01); + } + sparkle_384(s, 11); + memcpy(out, s, ESCH_256_RATE); + sparkle_384(s, 7); + memcpy(out + ESCH_256_RATE, s, ESCH_256_RATE); + return 0; +} + +void esch_256_hash_init(esch_256_hash_state_t *state) +{ + memset(state, 0, sizeof(esch_256_hash_state_t)); +} + +void esch_256_hash_update + (esch_256_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; + unsigned temp; + while (inlen > 0) { + if (st->s.count == ESCH_256_RATE) { + esch_256_m3(st->s.state, st->s.block, 0x00); + sparkle_384(st->s.state, 7); + st->s.count = 0; + } + temp = ESCH_256_RATE - st->s.count; + if (temp > inlen) + temp = (unsigned)inlen; + memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); + st->s.count += temp; + in += temp; + inlen -= temp; + } +} + +void esch_256_hash_finalize + (esch_256_hash_state_t *state, unsigned char *out) +{ + esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state; + + /* Pad and process the last block */ + if (st->s.count == ESCH_256_RATE) { + esch_256_m3(st->s.state, 
st->s.block, 0x02); + } else { + unsigned temp = st->s.count; + ((unsigned char *)(st->s.block))[temp] = 0x80; + memset(((unsigned char *)(st->s.block)) + temp + 1, 0, + ESCH_256_RATE - temp - 1); + esch_256_m3(st->s.state, st->s.block, 0x01); + } + sparkle_384(st->s.state, 11); + + /* Generate the final hash value */ + memcpy(out, st->s.state, ESCH_256_RATE); + sparkle_384(st->s.state, 7); + memcpy(out + ESCH_256_RATE, st->s.state, ESCH_256_RATE); +} + +/** + * \brief Rate at which bytes are processed by Esch384. + */ +#define ESCH_384_RATE 16 + +/** + * \brief Perform the M4 step for Esch384 to mix the input with the state. + * + * \param s SPARKLE-512 state. + * \param block Block of input data that has been padded to the rate. + * \param domain Domain separator for this phase. + */ +#define esch_384_m4(s, block, domain) \ + do { \ + uint32_t tx = block[0] ^ block[2]; \ + uint32_t ty = block[1] ^ block[3]; \ + tx = leftRotate16(tx ^ (tx << 16)); \ + ty = leftRotate16(ty ^ (ty << 16)); \ + s[0] ^= block[0] ^ ty; \ + s[1] ^= block[1] ^ tx; \ + s[2] ^= block[2] ^ ty; \ + s[3] ^= block[3] ^ tx; \ + if ((domain) != 0) \ + s[7] ^= DOMAIN(domain); \ + s[4] ^= ty; \ + s[5] ^= tx; \ + s[6] ^= ty; \ + s[7] ^= tx; \ + } while (0) + +/** @cond esch_384 */ + +/** + * \brief Word-based state for the Esch384 incremental hash mode. 
+ */ +typedef union +{ + struct { + uint32_t state[SPARKLE_512_STATE_SIZE]; + uint32_t block[4]; + unsigned char count; + } s; + unsigned long long align; + +} esch_384_hash_state_wt; + +/** @endcond */ + +int esch_384_hash + (unsigned char *out, const unsigned char *in, unsigned long long inlen) +{ + uint32_t s[SPARKLE_512_STATE_SIZE]; + uint32_t block[ESCH_256_RATE / 4]; + memset(s, 0, sizeof(s)); + while (inlen > ESCH_384_RATE) { + memcpy(block, in, ESCH_384_RATE); + esch_384_m4(s, block, 0x00); + sparkle_512(s, 8); + in += ESCH_384_RATE; + inlen -= ESCH_384_RATE; + } + if (inlen == ESCH_384_RATE) { + memcpy(block, in, ESCH_384_RATE); + esch_384_m4(s, block, 0x02); + } else { + unsigned temp = (unsigned)inlen; + memcpy(block, in, temp); + ((unsigned char *)block)[temp] = 0x80; + memset(((unsigned char *)block) + temp + 1, 0, + ESCH_384_RATE - temp - 1); + esch_384_m4(s, block, 0x01); + } + sparkle_512(s, 12); + memcpy(out, s, ESCH_384_RATE); + sparkle_512(s, 8); + memcpy(out + ESCH_384_RATE, s, ESCH_384_RATE); + sparkle_512(s, 8); + memcpy(out + ESCH_384_RATE * 2, s, ESCH_384_RATE); + return 0; +} + +void esch_384_hash_init(esch_384_hash_state_t *state) +{ + memset(state, 0, sizeof(esch_384_hash_state_t)); +} + +void esch_384_hash_update + (esch_384_hash_state_t *state, const unsigned char *in, + unsigned long long inlen) +{ + esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; + unsigned temp; + while (inlen > 0) { + if (st->s.count == ESCH_384_RATE) { + esch_384_m4(st->s.state, st->s.block, 0x00); + sparkle_512(st->s.state, 8); + st->s.count = 0; + } + temp = ESCH_384_RATE - st->s.count; + if (temp > inlen) + temp = (unsigned)inlen; + memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp); + st->s.count += temp; + in += temp; + inlen -= temp; + } +} + +void esch_384_hash_finalize + (esch_384_hash_state_t *state, unsigned char *out) +{ + esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state; + + /* Pad and process the last block */ + 
if (st->s.count == ESCH_384_RATE) { + esch_384_m4(st->s.state, st->s.block, 0x02); + } else { + unsigned temp = st->s.count; + ((unsigned char *)(st->s.block))[temp] = 0x80; + memset(((unsigned char *)(st->s.block)) + temp + 1, 0, + ESCH_384_RATE - temp - 1); + esch_384_m4(st->s.state, st->s.block, 0x01); + } + sparkle_512(st->s.state, 12); + + /* Generate the final hash value */ + memcpy(out, st->s.state, ESCH_384_RATE); + sparkle_512(st->s.state, 8); + memcpy(out + ESCH_384_RATE, st->s.state, ESCH_384_RATE); + sparkle_512(st->s.state, 8); + memcpy(out + ESCH_384_RATE * 2, st->s.state, ESCH_384_RATE); +} diff --git a/sparkle/Implementations/crypto_hash/esch256v1/rhys/sparkle.h b/sparkle/Implementations/crypto_hash/esch256v1/rhys/sparkle.h new file mode 100644 index 0000000..dd0999e --- /dev/null +++ b/sparkle/Implementations/crypto_hash/esch256v1/rhys/sparkle.h 
@@ -0,0 +1,515 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LWCRYPTO_SPARKLE_H
+#define LWCRYPTO_SPARKLE_H
+
+#include "aead-common.h"
+
+/**
+ * \file sparkle.h
+ * \brief Encryption and hash algorithms based on the SPARKLE permutation.
+ *
+ * SPARKLE is a family of encryption and hash algorithms that are based
+ * around the SPARKLE permutation. There are three versions of the
+ * permutation with 256-bit, 384-bit, and 512-bit state sizes.
+ * The algorithms in the family are:
+ *
+ * \li Schwaemm256-128 with a 128-bit key, a 256-bit nonce, and a 128-bit tag.
+ * This is the primary encryption algorithm in the family.
+ * \li Schwaemm192-192 with a 192-bit key, a 192-bit nonce, and a 192-bit tag.
+ * \li Schwaemm128-128 with a 128-bit key, a 128-bit nonce, and a 128-bit tag.
+ * \li Schwaemm256-256 with a 256-bit key, a 256-bit nonce, and a 256-bit tag.
+ * \li Esch256 hash algorithm with a 256-bit digest output. This is the
+ * primary hash algorithm in the family.
+ * \li Esch384 hash algorithm with a 384-bit digest output.
+ *
+ * References: https://www.cryptolux.org/index.php/Sparkle
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Size of the key for Schwaemm256-128.
+ */
+#define SCHWAEMM_256_128_KEY_SIZE 16
+
+/**
+ * \brief Size of the authentication tag for Schwaemm256-128.
+ */
+#define SCHWAEMM_256_128_TAG_SIZE 16
+
+/**
+ * \brief Size of the nonce for Schwaemm256-128.
+ */
+#define SCHWAEMM_256_128_NONCE_SIZE 32
+
+/**
+ * \brief Size of the key for Schwaemm192-192.
+ */
+#define SCHWAEMM_192_192_KEY_SIZE 24
+
+/**
+ * \brief Size of the authentication tag for Schwaemm192-192.
+ */
+#define SCHWAEMM_192_192_TAG_SIZE 24
+
+/**
+ * \brief Size of the nonce for Schwaemm192-192.
+ */
+#define SCHWAEMM_192_192_NONCE_SIZE 24
+
+/**
+ * \brief Size of the key for Schwaemm128-128.
+ */
+#define SCHWAEMM_128_128_KEY_SIZE 16
+
+/**
+ * \brief Size of the authentication tag for Schwaemm128-128.
+ */
+#define SCHWAEMM_128_128_TAG_SIZE 16
+
+/**
+ * \brief Size of the nonce for Schwaemm128-128.
+ */
+#define SCHWAEMM_128_128_NONCE_SIZE 16
+
+/**
+ * \brief Size of the key for Schwaemm256-256.
+ */
+#define SCHWAEMM_256_256_KEY_SIZE 32
+
+/**
+ * \brief Size of the authentication tag for Schwaemm256-256.
+ */
+#define SCHWAEMM_256_256_TAG_SIZE 32
+
+/**
+ * \brief Size of the nonce for Schwaemm256-256.
+ */
+#define SCHWAEMM_256_256_NONCE_SIZE 32
+
+/**
+ * \brief Size of the hash output for Esch256.
+ */
+#define ESCH_256_HASH_SIZE 32
+
+/**
+ * \brief Size of the hash output for Esch384.
+ */
+#define ESCH_384_HASH_SIZE 48
+
+/**
+ * \brief Meta-information block for the Schwaemm256-128 cipher.
+ */
+extern aead_cipher_t const schwaemm_256_128_cipher;
+
+/**
+ * \brief Meta-information block for the Schwaemm192-192 cipher.
+ */
+extern aead_cipher_t const schwaemm_192_192_cipher;
+
+/**
+ * \brief Meta-information block for the Schwaemm128-128 cipher.
+ */
+extern aead_cipher_t const schwaemm_128_128_cipher;
+
+/**
+ * \brief Meta-information block for the Schwaemm256-256 cipher.
+ */
+extern aead_cipher_t const schwaemm_256_256_cipher;
+
+/**
+ * \brief Meta-information block for the Esch256 hash algorithm.
+ */
+extern aead_hash_algorithm_t const esch_256_hash_algorithm;
+
+/**
+ * \brief Meta-information block for the Esch384 hash algorithm.
+ */
+extern aead_hash_algorithm_t const esch_384_hash_algorithm;
+
+/**
+ * \brief State information for the Esch256 incremental hash mode.
+ */
+typedef union
+{
+ struct {
+ unsigned char state[48]; /**< Current hash state */
+ unsigned char block[16]; /**< Partial input data block */
+ unsigned char count; /**< Number of bytes in the current block */
+ } s; /**< State */
+ unsigned long long align; /**< For alignment of this structure */
+
+} esch_256_hash_state_t;
+
+/**
+ * \brief State information for the Esch384 incremental hash mode.
+ */
+typedef union
+{
+ struct {
+ unsigned char state[64]; /**< Current hash state */
+ unsigned char block[16]; /**< Partial input data block */
+ unsigned char count; /**< Number of bytes in the current block */
+ } s; /**< State */
+ unsigned long long align; /**< For alignment of this structure */
+
+} esch_384_hash_state_t;
+
+/**
+ * \brief Encrypts and authenticates a packet with Schwaemm256-128.
+ *
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ the ciphertext and the 16 byte authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param npub Points to the public nonce for the packet which must
+ be 32 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to encrypt the packet.
+ *
+ * \return 0 on success, or a negative value if there was an error in
+ the parameters.
+ *
+ * \sa schwaemm_256_128_aead_decrypt()
+ */
+int schwaemm_256_128_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Decrypts and authenticates a packet with Schwaemm256-128.
+ *
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param c Buffer that contains the ciphertext and authentication
+ tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ ciphertext and the 16 byte authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet which must
+ be 32 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to decrypt the packet.
+ *
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ or some other negative number if there was an error in the parameters.
+ *
+ * \sa schwaemm_256_128_aead_encrypt()
+ */
+int schwaemm_256_128_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Encrypts and authenticates a packet with Schwaemm192-192.
+ *
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ the ciphertext and the 24 byte authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param npub Points to the public nonce for the packet which must
+ be 24 bytes in length.
+ * \param k Points to the 24 bytes of the key to use to encrypt the packet.
+ *
+ * \return 0 on success, or a negative value if there was an error in
+ the parameters.
+ *
+ * \sa schwaemm_192_192_aead_decrypt()
+ */
+int schwaemm_192_192_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Decrypts and authenticates a packet with Schwaemm192-192.
+ *
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param c Buffer that contains the ciphertext and authentication
+ tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ ciphertext and the 24 byte authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet which must
+ be 24 bytes in length.
+ * \param k Points to the 24 bytes of the key to use to decrypt the packet.
+ *
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ or some other negative number if there was an error in the parameters.
+ *
+ * \sa schwaemm_192_192_aead_encrypt()
+ */
+int schwaemm_192_192_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Encrypts and authenticates a packet with Schwaemm128-128.
+ *
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ the ciphertext and the 16 byte authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param npub Points to the public nonce for the packet which must
+ be 16 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to encrypt the packet.
+ *
+ * \return 0 on success, or a negative value if there was an error in
+ the parameters.
+ *
+ * \sa schwaemm_128_128_aead_decrypt()
+ */
+int schwaemm_128_128_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Decrypts and authenticates a packet with Schwaemm128-128.
+ *
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param c Buffer that contains the ciphertext and authentication
+ tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ ciphertext and the 16 byte authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet which must
+ be 16 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to decrypt the packet.
+ *
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ or some other negative number if there was an error in the parameters.
+ *
+ * \sa schwaemm_128_128_aead_encrypt()
+ */
+int schwaemm_128_128_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Encrypts and authenticates a packet with Schwaemm256-256.
+ *
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ the ciphertext and the 16 byte authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to encrypt the packet.
+ *
+ * \return 0 on success, or a negative value if there was an error in
+ * the parameters.
+ *
+ * \sa schwaemm_256_256_aead_decrypt()
+ */
+int schwaemm_256_256_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Decrypts and authenticates a packet with Schwaemm256-256.
+ *
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param c Buffer that contains the ciphertext and authentication
+ * tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ * ciphertext and the 16 byte authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to decrypt the packet.
+ *
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ * or some other negative number if there was an error in the parameters.
+ *
+ * \sa schwaemm_256_256_aead_encrypt()
+ */
+int schwaemm_256_256_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Hashes a block of input data with Esch256 to generate a hash value.
+ *
+ * \param out Buffer to receive the hash output which must be at least
+ * ESCH_256_HASH_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
+ *
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
+ */
+int esch_256_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen);
+
+/**
+ * \brief Initializes the state for an Esch256 hashing operation.
+ *
+ * \param state Hash state to be initialized.
+ *
+ * \sa esch_256_hash_update(), esch_256_hash_finalize(), esch_256_hash()
+ */
+void esch_256_hash_init(esch_256_hash_state_t *state);
+
+/**
+ * \brief Updates an Esch256 state with more input data.
+ *
+ * \param state Hash state to be updated.
+ * \param in Points to the input data to be incorporated into the state.
+ * \param inlen Length of the input data to be incorporated into the state.
+ *
+ * \sa esch_256_hash_init(), esch_256_hash_finalize()
+ */
+void esch_256_hash_update
+ (esch_256_hash_state_t *state, const unsigned char *in,
+ unsigned long long inlen);
+
+/**
+ * \brief Returns the final hash value from an Esch256 hashing operation.
+ *
+ * \param state Hash state to be finalized.
+ * \param out Points to the output buffer to receive the 32-byte hash value.
+ *
+ * \sa esch_256_hash_init(), esch_256_hash_update()
+ */
+void esch_256_hash_finalize
+ (esch_256_hash_state_t *state, unsigned char *out);
+
+/**
+ * \brief Hashes a block of input data with Esch384 to generate a hash value.
+ *
+ * \param out Buffer to receive the hash output which must be at least
+ * ESCH_384_HASH_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
+ *
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
+ */
+int esch_384_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen);
+
+/**
+ * \brief Initializes the state for an Esch384 hashing operation.
+ *
+ * \param state Hash state to be initialized.
+ *
+ * \sa esch_384_hash_update(), esch_384_hash_finalize(), esch_384_hash()
+ */
+void esch_384_hash_init(esch_384_hash_state_t *state);
+
+/**
+ * \brief Updates an Esch384 state with more input data.
+ *
+ * \param state Hash state to be updated.
+ * \param in Points to the input data to be incorporated into the state.
+ * \param inlen Length of the input data to be incorporated into the state.
+ *
+ * \sa esch_384_hash_init(), esch_384_hash_finalize()
+ */
+void esch_384_hash_update
+ (esch_384_hash_state_t *state, const unsigned char *in,
+ unsigned long long inlen);
+
+/**
+ * \brief Returns the final hash value from an Esch384 hashing operation.
+ *
+ * \param state Hash state to be finalized.
+ * \param out Points to the output buffer to receive the 48-byte hash value.
+ *
+ * \sa esch_384_hash_init(), esch_384_hash_update()
+ */
+void esch_384_hash_finalize
+ (esch_384_hash_state_t *state, unsigned char *out);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/aead-common.c b/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/aead-common.h b/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include 
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/api.h b/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/api.h
deleted file mode 100644
index d507385..0000000
--- a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/api.h
+++ /dev/null
@@ -1 +0,0 @@
-#define CRYPTO_BYTES 48
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/internal-sparkle-avr.S b/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/internal-sparkle-avr.S
deleted file mode 100644
index 753ea2f..0000000
--- a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/internal-sparkle-avr.S
+++ /dev/null
@@ -1,2887 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global sparkle_256 - .type sparkle_256, @function -sparkle_256: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - rcall 129f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 129f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 129f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - rcall 129f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 129f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 129f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 129f - pop r18 - cpi r18,7 - brne 5094f - rjmp 615f -5094: - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 129f - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 129f - ldi r18,128 - ldi r19,88 - ldi r20,113 - 
ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 129f - rjmp 615f -129: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc 
r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - 
eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - std Z+20,r18 - std Z+21,r19 - std Z+22,r20 - std Z+23,r21 - movw r18,r4 - movw r20,r6 - movw r4,r14 - movw r6,r12 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - movw r8,r18 - movw r10,r20 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 
- eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - ld r18,Z - ldd r19,Z+1 - ldd r20,Z+2 - ldd r21,Z+3 - movw r14,r22 - movw r12,r26 - eor r14,r18 - eor r15,r19 - eor r12,r20 - eor r13,r21 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - movw r22,r16 - movw r26,r24 - eor r22,r28 - eor r23,r29 - eor r26,r2 - eor r27,r3 - movw r28,r14 - movw r2,r12 - ret -615: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_256, .-sparkle_256 - - .text -.global sparkle_384 - .type sparkle_384, @function -sparkle_384: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - rcall 140f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 140f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 140f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - 
rcall 140f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 140f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 140f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 140f - pop r18 - cpi r18,7 - brne 5094f - rjmp 886f -5094: - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 140f - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 140f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 140f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,10 - eor r8,r18 - rcall 140f - rjmp 886f -140: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 
- ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 
- ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - 
rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r22 - std Z+17,r23 - std Z+18,r26 - std Z+19,r27 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - eor r24,r4 - eor r25,r5 - eor r16,r6 - eor r17,r7 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r28,Z+40 - ldd r29,Z+41 - ldd r2,Z+42 - ldd r3,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor 
r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - ldd r18,Z+28 - ldd r19,Z+29 - ldd r20,Z+30 - ldd r21,Z+31 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+20 - ldd r9,Z+21 - ldd r10,Z+22 - ldd r11,Z+23 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r0,Z+4 - eor r18,r0 - ldd r0,Z+5 - eor r19,r0 - ldd r0,Z+6 - eor r20,r0 - ldd r0,Z+7 - eor r21,r0 - std Z+20,r18 - std Z+21,r19 - std Z+22,r20 - std Z+23,r21 - ldd r18,Z+4 - ldd r19,Z+5 - ldd r20,Z+6 - ldd r21,Z+7 - std Z+28,r18 - std Z+29,r19 - std Z+30,r20 - std Z+31,r21 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - std Z+36,r18 - std Z+37,r19 - std Z+38,r20 - std Z+39,r21 - eor r8,r14 - eor r9,r15 - eor r10,r12 - eor r11,r13 - ldd r18,Z+24 - ldd r19,Z+25 - ldd r20,Z+26 - ldd r21,Z+27 - eor r18,r16 - eor r19,r17 - eor r20,r24 - eor r21,r25 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r28,Z+16 - ldd r29,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - std Z+40,r28 - std Z+41,r29 - std Z+42,r2 - std Z+43,r3 - ld r14,Z - ldd r15,Z+1 - ldd r12,Z+2 - ldd r13,Z+3 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - std Z+24,r14 - std Z+25,r15 - std Z+26,r12 - std Z+27,r13 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - std Z+32,r18 - std Z+33,r19 - std Z+34,r20 - std Z+35,r21 - eor r28,r16 - eor r29,r17 - eor r2,r24 - eor r3,r25 - ret -886: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_384, .-sparkle_384 - - .text -.global sparkle_512 - .type sparkle_512, @function -sparkle_512: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - push r22 - ld r22,Z - ldd r23,Z+1 - ldd r26,Z+2 - ldd r27,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r28,Z+8 - ldd r29,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor 
r6,r20 - eor r7,r21 - rcall 151f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,1 - eor r8,r18 - rcall 151f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,2 - eor r8,r18 - rcall 151f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,3 - eor r8,r18 - rcall 151f - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,4 - eor r8,r18 - rcall 151f - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,5 - eor r8,r18 - rcall 151f - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,6 - eor r8,r18 - rcall 151f - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,7 - eor r8,r18 - rcall 151f - pop r18 - cpi r18,8 - brne 5105f - rjmp 1189f -5105: - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,8 - eor r8,r18 - rcall 151f - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,9 - eor r8,r18 - rcall 151f - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,10 - eor r8,r18 - rcall 151f - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,11 - eor r8,r18 - rcall 151f - rjmp 1189f -151: - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - 
movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,98 - ldi r19,81 - ldi r20,225 - ldi r21,183 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,128 - ldi r19,88 - ldi r20,113 - ldi r21,191 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor 
r2,r20 - eor r3,r21 - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - movw r12,r22 - movw r14,r26 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - movw r24,r4 - movw r16,r6 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - ldd r28,Z+24 - ldd r29,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,86 - ldi r19,218 - ldi r20,180 - ldi r21,56 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,56 - 
ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,56 - ldi r19,119 - ldi r20,78 - ldi r21,50 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r22 - std Z+17,r23 - std Z+18,r26 - std Z+19,r27 - std Z+20,r4 - std Z+21,r5 - std Z+22,r6 - std Z+23,r7 - std Z+24,r28 - std Z+25,r29 - std Z+26,r2 - std Z+27,r3 - std Z+28,r8 - std Z+29,r9 - std Z+30,r10 - std Z+31,r11 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - eor r12,r28 - eor r13,r29 - eor r14,r2 - eor r15,r3 - eor r24,r4 - eor r25,r5 - eor r16,r6 - eor r17,r7 - eor r24,r8 - eor r25,r9 - eor r16,r10 - eor r17,r11 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - ldd r28,Z+40 - ldd r29,Z+41 - ldd r2,Z+42 - ldd r3,Z+43 - ldd r8,Z+44 - ldd r9,Z+45 - ldd r10,Z+46 - ldd r11,Z+47 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - 
ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,235 - ldi r19,133 - ldi r20,17 - ldi r21,187 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,87 - ldi r19,123 - ldi r20,124 - ldi r21,79 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - std Z+32,r22 - std Z+33,r23 - std Z+34,r26 - std 
Z+35,r27 - std Z+36,r4 - std Z+37,r5 - std Z+38,r6 - std Z+39,r7 - std Z+40,r28 - std Z+41,r29 - std Z+42,r2 - std Z+43,r3 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r22,Z+48 - ldd r23,Z+49 - ldd r26,Z+50 - ldd r27,Z+51 - ldd r4,Z+52 - ldd r5,Z+53 - ldd r6,Z+54 - ldd r7,Z+55 - ldd r28,Z+56 - ldd r29,Z+57 - ldd r2,Z+58 - ldd r3,Z+59 - ldd r8,Z+60 - ldd r9,Z+61 - ldd r10,Z+62 - ldd r11,Z+63 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r22,r18 - adc r23,r19 - adc r26,r20 - adc r27,r21 - eor r4,r27 - eor r5,r22 - eor r6,r23 - eor r7,r26 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r4 - movw r20,r6 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r22,r20 - adc r23,r21 - adc r26,r18 - adc r27,r19 - movw r18,r22 - movw r20,r26 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r4,r20 - eor r5,r21 - eor r6,r18 - eor r7,r19 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r4 - adc r23,r5 - adc r26,r6 - adc r27,r7 - movw r18,r22 - movw r20,r26 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r18,200 - ldi r19,161 - ldi r20,191 - ldi r21,207 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - add r22,r7 - adc r23,r4 - adc r26,r5 - adc r27,r6 - eor r4,r26 - eor r5,r27 - eor r6,r22 - eor r7,r23 - eor r22,r18 - eor r23,r19 - eor r26,r20 - eor r27,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - add r28,r18 - adc r29,r19 - adc r2,r20 - adc r3,r21 - eor r8,r3 - eor r9,r28 - eor r10,r29 - eor r11,r2 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - movw r18,r8 - movw r20,r10 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - add r28,r20 - adc r29,r21 - 
adc r2,r18 - adc r3,r19 - movw r18,r28 - movw r20,r2 - bst r18,0 - lsr r21 - ror r20 - ror r19 - ror r18 - bld r21,7 - eor r8,r20 - eor r9,r21 - eor r10,r18 - eor r11,r19 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r8 - adc r29,r9 - adc r2,r10 - adc r3,r11 - movw r18,r28 - movw r20,r2 - lsl r18 - rol r19 - rol r20 - rol r21 - adc r18,r1 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ldi r18,61 - ldi r19,41 - ldi r20,179 - ldi r21,194 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - add r28,r11 - adc r29,r8 - adc r2,r9 - adc r3,r10 - eor r8,r2 - eor r9,r3 - eor r10,r28 - eor r11,r29 - eor r28,r18 - eor r29,r19 - eor r2,r20 - eor r3,r21 - eor r14,r12 - eor r15,r13 - eor r16,r24 - eor r17,r25 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - ldd r4,Z+36 - ldd r5,Z+37 - ldd r6,Z+38 - ldd r7,Z+39 - eor r4,r14 - eor r5,r15 - eor r6,r12 - eor r7,r13 - ldd r18,Z+44 - ldd r19,Z+45 - ldd r20,Z+46 - ldd r21,Z+47 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - eor r14,r8 - eor r15,r9 - eor r12,r10 - eor r13,r11 - ldd r8,Z+28 - ldd r9,Z+29 - ldd r10,Z+30 - ldd r11,Z+31 - std Z+60,r8 - std Z+61,r9 - std Z+62,r10 - std Z+63,r11 - ldd r8,Z+4 - ldd r9,Z+5 - ldd r10,Z+6 - ldd r11,Z+7 - eor r4,r8 - eor r5,r9 - eor r6,r10 - eor r7,r11 - std Z+28,r4 - std Z+29,r5 - std Z+30,r6 - std Z+31,r7 - std Z+36,r8 - std Z+37,r9 - std Z+38,r10 - std Z+39,r11 - ldd r8,Z+12 - ldd r9,Z+13 - ldd r10,Z+14 - ldd r11,Z+15 - eor r18,r8 - eor r19,r9 - eor r20,r10 - eor r21,r11 - std Z+44,r8 - std Z+45,r9 - std Z+46,r10 - std Z+47,r11 - ldd r8,Z+52 - ldd r9,Z+53 - ldd r10,Z+54 - ldd r11,Z+55 - ldd r4,Z+20 - ldd r5,Z+21 - ldd r6,Z+22 - ldd r7,Z+23 - eor r8,r4 - eor r9,r5 - eor r10,r6 - eor r11,r7 - std Z+52,r4 - std Z+53,r5 - std Z+54,r6 - std Z+55,r7 - ldd r0,Z+60 - eor r14,r0 - ldd r0,Z+61 - eor r15,r0 - ldd r0,Z+62 - eor r12,r0 - ldd r0,Z+63 - eor 
r13,r0 - std Z+20,r14 - std Z+21,r15 - std Z+22,r12 - std Z+23,r13 - movw r4,r18 - movw r6,r20 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - std Z+48,r22 - std Z+49,r23 - std Z+50,r26 - std Z+51,r27 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r26,Z+34 - ldd r27,Z+35 - eor r22,r16 - eor r23,r17 - eor r26,r24 - eor r27,r25 - ldd r18,Z+40 - ldd r19,Z+41 - ldd r20,Z+42 - ldd r21,Z+43 - eor r18,r16 - eor r19,r17 - eor r20,r24 - eor r21,r25 - eor r16,r28 - eor r17,r29 - eor r24,r2 - eor r25,r3 - ldd r14,Z+24 - ldd r15,Z+25 - ldd r12,Z+26 - ldd r13,Z+27 - std Z+56,r14 - std Z+57,r15 - std Z+58,r12 - std Z+59,r13 - ld r14,Z - ldd r15,Z+1 - ldd r12,Z+2 - ldd r13,Z+3 - eor r22,r14 - eor r23,r15 - eor r26,r12 - eor r27,r13 - std Z+24,r22 - std Z+25,r23 - std Z+26,r26 - std Z+27,r27 - std Z+32,r14 - std Z+33,r15 - std Z+34,r12 - std Z+35,r13 - ldd r14,Z+8 - ldd r15,Z+9 - ldd r12,Z+10 - ldd r13,Z+11 - eor r18,r14 - eor r19,r15 - eor r20,r12 - eor r21,r13 - movw r22,r18 - movw r26,r20 - std Z+40,r14 - std Z+41,r15 - std Z+42,r12 - std Z+43,r13 - ldd r28,Z+48 - ldd r29,Z+49 - ldd r2,Z+50 - ldd r3,Z+51 - ldd r14,Z+16 - ldd r15,Z+17 - ldd r12,Z+18 - ldd r13,Z+19 - eor r28,r14 - eor r29,r15 - eor r2,r12 - eor r3,r13 - std Z+48,r14 - std Z+49,r15 - std Z+50,r12 - std Z+51,r13 - ldd r0,Z+56 - eor r16,r0 - ldd r0,Z+57 - eor r17,r0 - ldd r0,Z+58 - eor r24,r0 - ldd r0,Z+59 - eor r25,r0 - std Z+16,r16 - std Z+17,r17 - std Z+18,r24 - std Z+19,r25 - ret -1189: - st Z,r22 - std Z+1,r23 - std Z+2,r26 - std Z+3,r27 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r28 - std Z+9,r29 - std Z+10,r2 - std Z+11,r3 - std Z+12,r8 - std Z+13,r9 - std Z+14,r10 - std Z+15,r11 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sparkle_512, .-sparkle_512 - -#endif 
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/internal-sparkle.c b/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/internal-sparkle.c
deleted file mode 100644
index 4a4c0fb..0000000
--- a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/internal-sparkle.c
+++ /dev/null
@@ -1,382 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-sparkle.h"
-
-#if !defined(__AVR__)
-
-/* The 8 basic round constants from the specification */
-#define RC_0 0xB7E15162
-#define RC_1 0xBF715880
-#define RC_2 0x38B4DA56
-#define RC_3 0x324E7738
-#define RC_4 0xBB1185EB
-#define RC_5 0x4F7C7B57
-#define RC_6 0xCFBFA1C8
-#define RC_7 0xC2B3293D
-
-/* Round constants for all SPARKLE steps; maximum of 12 for SPARKLE-512 */
-static uint32_t const sparkle_rc[12] = {
- RC_0, RC_1, RC_2, RC_3, RC_4, RC_5, RC_6, RC_7,
- RC_0, RC_1, RC_2, RC_3
-};
-
-/**
- * \brief Alzette block cipher that implements the ARXbox layer of the
- * SPARKLE permutation.
- *
- * \param x Left half of the 64-bit block.
- * \param y Right half of the 64-bit block.
- * \param k 32-bit round key.
- */
-#define alzette(x, y, k) \
- do { \
- (x) += leftRotate1((y)); \
- (y) ^= leftRotate8((x)); \
- (x) ^= (k); \
- (x) += leftRotate15((y)); \
- (y) ^= leftRotate15((x)); \
- (x) ^= (k); \
- (x) += (y); \
- (y) ^= leftRotate1((x)); \
- (x) ^= (k); \
- (x) += leftRotate8((y)); \
- (y) ^= leftRotate16((x)); \
- (x) ^= (k); \
- } while (0)
-
-void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps)
-{
- uint32_t x0, x1, x2, x3;
- uint32_t y0, y1, y2, y3;
- uint32_t tx, ty;
- unsigned step;
-
- /* Load the SPARKLE-256 state up into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- x0 = s[0];
- y0 = s[1];
- x1 = s[2];
- y1 = s[3];
- x2 = s[4];
- y2 = s[5];
- x3 = s[6];
- y3 = s[7];
-#else
- x0 = le_load_word32((const uint8_t *)&(s[0]));
- y0 = le_load_word32((const uint8_t *)&(s[1]));
- x1 = le_load_word32((const uint8_t *)&(s[2]));
- y1 = le_load_word32((const uint8_t *)&(s[3]));
- x2 = le_load_word32((const uint8_t *)&(s[4]));
- y2 = le_load_word32((const uint8_t *)&(s[5]));
- x3 = le_load_word32((const uint8_t *)&(s[6]));
- y3 = le_load_word32((const uint8_t *)&(s[7]));
-#endif
-
- /* Perform all requested steps */
- for (step = 0; step < steps; ++step) {
- /* Add round constants */
- y0 ^= sparkle_rc[step];
- y1 ^= step;
-
- /* ARXbox layer */
- alzette(x0, y0, RC_0);
- alzette(x1, y1, RC_1);
- alzette(x2, y2, RC_2);
- alzette(x3, y3, RC_3);
-
- /* Linear layer */
- tx = x0 ^ x1;
- ty = y0 ^ y1;
- tx = leftRotate16(tx ^ (tx << 16));
- ty = leftRotate16(ty ^ (ty << 16));
- y2 ^= tx;
- tx ^= y3;
- y3 = y1;
- y1 = y2 ^ y0;
- y2 = y0;
- y0 = tx ^ y3;
- x2 ^= ty;
- ty ^= x3;
- x3 = x1;
- x1 = x2 ^ x0;
- x2 = x0;
- x0 = ty ^ x3;
- }
-
- /* Write the local variables back to the SPARKLE-256 state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s[0] = x0;
- s[1] = y0;
- s[2] = x1;
- s[3] = y1;
- s[4] = x2;
- s[5] = y2;
- s[6] = x3;
- s[7] = y3;
-#else
- le_store_word32((uint8_t *)&(s[0]), x0);
- le_store_word32((uint8_t *)&(s[1]), y0);
- le_store_word32((uint8_t *)&(s[2]), x1);
- le_store_word32((uint8_t *)&(s[3]), y1);
- le_store_word32((uint8_t *)&(s[4]), x2);
- le_store_word32((uint8_t *)&(s[5]), y2);
- le_store_word32((uint8_t *)&(s[6]), x3);
- le_store_word32((uint8_t *)&(s[7]), y3);
-#endif
-}
-
-void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps)
-{
- uint32_t x0, x1, x2, x3, x4, x5;
- uint32_t y0, y1, y2, y3, y4, y5;
- uint32_t tx, ty;
- unsigned step;
-
- /* Load the SPARKLE-384 state up into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- x0 = s[0];
- y0 = s[1];
- x1 = s[2];
- y1 = s[3];
- x2 = s[4];
- y2 = s[5];
- x3 = s[6];
- y3 = s[7];
- x4 = s[8];
- y4 = s[9];
- x5 = s[10];
- y5 = s[11];
-#else
- x0 = le_load_word32((const uint8_t *)&(s[0]));
- y0 = le_load_word32((const uint8_t *)&(s[1]));
- x1 = le_load_word32((const uint8_t *)&(s[2]));
- y1 = le_load_word32((const uint8_t *)&(s[3]));
- x2 = le_load_word32((const uint8_t *)&(s[4]));
- y2 = le_load_word32((const uint8_t *)&(s[5]));
- x3 = le_load_word32((const uint8_t *)&(s[6]));
- y3 = le_load_word32((const uint8_t *)&(s[7]));
- x4 = le_load_word32((const uint8_t *)&(s[8]));
- y4 = le_load_word32((const uint8_t *)&(s[9]));
- x5 = le_load_word32((const uint8_t *)&(s[10]));
- y5 = le_load_word32((const uint8_t *)&(s[11]));
-#endif
-
- /* Perform all requested steps */
- for (step = 0; step < steps; ++step) {
- /* Add round constants */
- y0 ^= sparkle_rc[step];
- y1 ^= step;
-
- /* ARXbox layer */
- alzette(x0, y0, RC_0);
- alzette(x1, y1, RC_1);
- alzette(x2, y2, RC_2);
- alzette(x3, y3, RC_3);
- alzette(x4, y4, RC_4);
- alzette(x5, y5, RC_5);
-
- /* Linear layer */
- tx = x0 ^ x1 ^ x2;
- ty = y0 ^ y1 ^ y2;
- tx = leftRotate16(tx ^ (tx << 16));
- ty = leftRotate16(ty ^ (ty << 16));
- y3 ^= tx;
- y4 ^= tx;
- tx ^= y5;
- y5 = y2;
- y2 = y3 ^ y0;
- y3 = y0;
- y0 = y4 ^ y1;
- y4 = y1;
- y1 = tx ^ y5;
- x3 ^= ty;
- x4 ^= ty;
- ty ^= x5;
- x5 = x2;
- x2 = x3 ^ x0;
- x3 = x0;
- x0 = x4 ^ x1;
- x4 = x1;
- x1 = ty ^ x5;
- }
-
- /* Write the local variables back to the SPARKLE-384 state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s[0] = x0;
- s[1] = y0;
- s[2] = x1;
- s[3] = y1;
- s[4] = x2;
- s[5] = y2;
- s[6] = x3;
- s[7] = y3;
- s[8] = x4;
- s[9] = y4;
- s[10] = x5;
- s[11] = y5;
-#else
- le_store_word32((uint8_t *)&(s[0]), x0);
- le_store_word32((uint8_t *)&(s[1]), y0);
- le_store_word32((uint8_t *)&(s[2]), x1);
- le_store_word32((uint8_t *)&(s[3]), y1);
- le_store_word32((uint8_t *)&(s[4]), x2);
- le_store_word32((uint8_t *)&(s[5]), y2);
- le_store_word32((uint8_t *)&(s[6]), x3);
- le_store_word32((uint8_t *)&(s[7]), y3);
- le_store_word32((uint8_t *)&(s[8]), x4);
- le_store_word32((uint8_t *)&(s[9]), y4);
- le_store_word32((uint8_t *)&(s[10]), x5);
- le_store_word32((uint8_t *)&(s[11]), y5);
-#endif
-}
-
-void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps)
-{
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t y0, y1, y2, y3, y4, y5, y6, y7;
- uint32_t tx, ty;
- unsigned step;
-
- /* Load the SPARKLE-512 state up into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- x0 = s[0];
- y0 = s[1];
- x1 = s[2];
- y1 = s[3];
- x2 = s[4];
- y2 = s[5];
- x3 = s[6];
- y3 = s[7];
- x4 = s[8];
- y4 = s[9];
- x5 = s[10];
- y5 = s[11];
- x6 = s[12];
- y6 = s[13];
- x7 = s[14];
- y7 = s[15];
-#else
- x0 = le_load_word32((const uint8_t *)&(s[0]));
- y0 = le_load_word32((const uint8_t *)&(s[1]));
- x1 = le_load_word32((const uint8_t *)&(s[2]));
- y1 = le_load_word32((const uint8_t *)&(s[3]));
- x2 = le_load_word32((const uint8_t *)&(s[4]));
- y2 = le_load_word32((const uint8_t *)&(s[5]));
- x3 = le_load_word32((const uint8_t *)&(s[6]));
- y3 = le_load_word32((const uint8_t *)&(s[7]));
- x4 = le_load_word32((const uint8_t *)&(s[8]));
- y4 = le_load_word32((const uint8_t *)&(s[9]));
- x5 = le_load_word32((const uint8_t *)&(s[10]));
- y5 = le_load_word32((const uint8_t *)&(s[11]));
- x6 = le_load_word32((const uint8_t *)&(s[12]));
- y6 = le_load_word32((const uint8_t *)&(s[13]));
- x7 = le_load_word32((const uint8_t *)&(s[14]));
- y7 = le_load_word32((const uint8_t *)&(s[15]));
-#endif
-
- /* Perform all requested steps */
- for (step = 0; step < steps; ++step) {
- /* Add round constants */
- y0 ^= sparkle_rc[step];
- y1 ^= step;
-
- /* ARXbox layer */
- alzette(x0, y0, RC_0);
- alzette(x1, y1, RC_1);
- alzette(x2, y2, RC_2);
- alzette(x3, y3, RC_3);
- alzette(x4, y4, RC_4);
- alzette(x5, y5, RC_5);
- alzette(x6, y6, RC_6);
- alzette(x7, y7, RC_7);
-
- /* Linear layer */
- tx = x0 ^ x1 ^ x2 ^ x3;
- ty = y0 ^ y1 ^ y2 ^ y3;
- tx = leftRotate16(tx ^ (tx << 16));
- ty = leftRotate16(ty ^ (ty << 16));
- y4 ^= tx;
- y5 ^= tx;
- y6 ^= tx;
- tx ^= y7;
- y7 = y3;
- y3 = y4 ^ y0;
- y4 = y0;
- y0 = y5 ^ y1;
- y5 = y1;
- y1 = y6 ^ y2;
- y6 = y2;
- y2 = tx ^ y7;
- x4 ^= ty;
- x5 ^= ty;
- x6 ^= ty;
- ty ^= x7;
- x7 = x3;
- x3 = x4 ^ x0;
- x4 = x0;
- x0 = x5 ^ x1;
- x5 = x1;
- x1 = x6 ^ x2;
- x6 = x2;
- x2 = ty ^ x7;
- }
-
- /* Write the local variables back to the SPARKLE-512 state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s[0] = x0;
- s[1] = y0;
- s[2] = x1;
- s[3] = y1;
- s[4] = x2;
- s[5] = y2;
- s[6] = x3;
- s[7] = y3;
- s[8] = x4;
- s[9] = y4;
- s[10] = x5;
- s[11] = y5;
- s[12] = x6;
- s[13] = y6;
- s[14] = x7;
- s[15] = y7;
-#else
- le_store_word32((uint8_t *)&(s[0]), x0);
- le_store_word32((uint8_t *)&(s[1]), y0);
- le_store_word32((uint8_t *)&(s[2]), x1);
- le_store_word32((uint8_t *)&(s[3]), y1);
- le_store_word32((uint8_t *)&(s[4]), x2);
- le_store_word32((uint8_t *)&(s[5]), y2);
- le_store_word32((uint8_t *)&(s[6]), x3);
- le_store_word32((uint8_t *)&(s[7]), y3);
- le_store_word32((uint8_t *)&(s[8]), x4);
- le_store_word32((uint8_t *)&(s[9]), y4);
- le_store_word32((uint8_t *)&(s[10]), x5);
- le_store_word32((uint8_t *)&(s[11]), y5);
- le_store_word32((uint8_t *)&(s[12]), x6);
- le_store_word32((uint8_t *)&(s[13]), y6);
- le_store_word32((uint8_t *)&(s[14]), x7);
- le_store_word32((uint8_t *)&(s[15]), y7);
-#endif
-}
-
-#endif
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/internal-sparkle.h b/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/internal-sparkle.h deleted file mode 100644 index fbdabc1..0000000 --- a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/internal-sparkle.h +++ /dev/null 
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SPARKLE_H
-#define LW_INTERNAL_SPARKLE_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-sparkle.h
- * \brief Internal implementation of the SPARKLE permutation.
- *
- * References: https://www.cryptolux.org/index.php/Sparkle
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the state for SPARKLE-256.
- */
-#define SPARKLE_256_STATE_SIZE 8
-
-/**
- * \brief Size of the state for SPARKLE-384.
- */
-#define SPARKLE_384_STATE_SIZE 12
-
-/**
- * \brief Size of the state for SPARKLE-512.
- */
-#define SPARKLE_512_STATE_SIZE 16
-
-/**
- * \brief Performs the SPARKLE-256 permutation.
- *
- * \param s The words of the SPARKLE-256 state in little-endian byte order.
- * \param steps The number of steps to perform, 7 or 10.
- */
-void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps);
-
-/**
- * \brief Performs the SPARKLE-384 permutation.
- *
- * \param s The words of the SPARKLE-384 state in little-endian byte order.
- * \param steps The number of steps to perform, 7 or 11.
- */
-void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps);
-
-/**
- * \brief Performs the SPARKLE-512 permutation.
- *
- * \param s The words of the SPARKLE-512 state in little-endian byte order.
- * \param steps The number of steps to perform, 8 or 12.
- */
-void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/internal-util.h b/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/sparkle.c b/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/sparkle.c
deleted file mode 100644
index e2aa25a..0000000
--- a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/sparkle.c
+++ /dev/null
@@ -1,1135 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "sparkle.h"
-#include "internal-sparkle.h"
-#include
-
-aead_cipher_t const schwaemm_256_128_cipher = {
- "Schwaemm256-128",
- SCHWAEMM_256_128_KEY_SIZE,
- SCHWAEMM_256_128_NONCE_SIZE,
- SCHWAEMM_256_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_256_128_aead_encrypt,
- schwaemm_256_128_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_192_192_cipher = {
- "Schwaemm192-192",
- SCHWAEMM_192_192_KEY_SIZE,
- SCHWAEMM_192_192_NONCE_SIZE,
- SCHWAEMM_192_192_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_192_192_aead_encrypt,
- schwaemm_192_192_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_128_128_cipher = {
- "Schwaemm128-128",
- SCHWAEMM_128_128_KEY_SIZE,
- SCHWAEMM_128_128_NONCE_SIZE,
- SCHWAEMM_128_128_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_128_128_aead_encrypt,
- schwaemm_128_128_aead_decrypt
-};
-
-aead_cipher_t const schwaemm_256_256_cipher = {
- "Schwaemm256-256",
- SCHWAEMM_256_256_KEY_SIZE,
- SCHWAEMM_256_256_NONCE_SIZE,
- SCHWAEMM_256_256_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- schwaemm_256_256_aead_encrypt,
- schwaemm_256_256_aead_decrypt
-};
-
-aead_hash_algorithm_t const esch_256_hash_algorithm = {
- "Esch256",
- sizeof(esch_256_hash_state_t),
- ESCH_256_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- esch_256_hash,
- (aead_hash_init_t)esch_256_hash_init,
- (aead_hash_update_t)esch_256_hash_update,
- (aead_hash_finalize_t)esch_256_hash_finalize,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-aead_hash_algorithm_t const esch_384_hash_algorithm = {
- "Esch384",
- sizeof(esch_384_hash_state_t),
- ESCH_384_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- esch_384_hash,
- (aead_hash_init_t)esch_384_hash_init,
- (aead_hash_update_t)esch_384_hash_update,
- (aead_hash_finalize_t)esch_384_hash_finalize,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-/**
- * \def DOMAIN(value)
- * \brief Build a domain separation value as a 32-bit word.
- *
- * \param value The base value.
- * \return The domain separation value as a 32-bit word.
- */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
-#define DOMAIN(value) (((uint32_t)(value)) << 24)
-#else
-#define DOMAIN(value) (value)
-#endif
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_RATE 32
-
-/**
- * \brief Pointer to the left of the state for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_RIGHT(s) \
- (SCHWAEMM_256_128_LEFT(s) + SCHWAEMM_256_128_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128.
- *
- * \param s SPARKLE-384 state.
- */
-#define schwaemm_256_128_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[4] ^ s[8]; \
- s[4] ^= t ^ s[8]; \
- t = s[1]; \
- s[1] = s[5] ^ s[9]; \
- s[5] ^= t ^ s[9]; \
- t = s[2]; \
- s[2] = s[6] ^ s[10]; \
- s[6] ^= t ^ s[10]; \
- t = s[3]; \
- s[3] = s[7] ^ s[11]; \
- s[7] ^= t ^ s[11]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm256-128.
- *
- * \param s SPARKLE-384 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */
-static void schwaemm_256_128_authenticate
- (uint32_t s[SPARKLE_384_STATE_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen > SCHWAEMM_256_128_RATE) {
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE);
- sparkle_384(s, 7);
- ad += SCHWAEMM_256_128_RATE;
- adlen -= SCHWAEMM_256_128_RATE;
- }
- if (adlen == SCHWAEMM_256_128_RATE) {
- s[11] ^= DOMAIN(0x05);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE);
- } else {
- unsigned temp = (unsigned)adlen;
- s[11] ^= DOMAIN(0x04);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_384(s, 11);
-}
-
-int schwaemm_256_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- uint8_t block[SCHWAEMM_256_128_RATE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SCHWAEMM_256_128_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE);
- memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE);
- sparkle_384(s, 11);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_256_128_authenticate(s, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > SCHWAEMM_256_128_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- sparkle_384(s, 7);
- memcpy(c, block, SCHWAEMM_256_128_RATE);
- c += SCHWAEMM_256_128_RATE;
- m += SCHWAEMM_256_128_RATE;
- mlen -= SCHWAEMM_256_128_RATE;
- }
- if (mlen == SCHWAEMM_256_128_RATE) {
-
lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- s[11] ^= DOMAIN(0x07);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- memcpy(c, block, SCHWAEMM_256_128_RATE);
- } else {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- s[11] ^= DOMAIN(0x06);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- memcpy(c, block, temp);
- }
- sparkle_384(s, 11);
- c += mlen;
- }
-
- /* Generate the authentication tag */
- lw_xor_block_2_src
- (c, SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE);
- return 0;
-}
-
-int schwaemm_256_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SCHWAEMM_256_128_TAG_SIZE)
- return -1;
- *mlen = clen - SCHWAEMM_256_128_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE);
- memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE);
- sparkle_384(s, 11);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_256_128_authenticate(s, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SCHWAEMM_256_128_TAG_SIZE;
- if (clen > 0) {
- while (clen > SCHWAEMM_256_128_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- sparkle_384(s, 7);
- c += SCHWAEMM_256_128_RATE;
- m += SCHWAEMM_256_128_RATE;
- clen -= SCHWAEMM_256_128_RATE;
- }
- if (clen == SCHWAEMM_256_128_RATE) {
-
lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE);
- s[11] ^= DOMAIN(0x07);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE);
- } else {
- unsigned temp = (unsigned)clen;
- lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- s[11] ^= DOMAIN(0x06);
- schwaemm_256_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_384(s, 11);
- c += clen;
- }
-
- /* Check the authentication tag */
- lw_xor_block(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE);
- return aead_check_tag
- (mtemp, *mlen, SCHWAEMM_256_128_RIGHT(s), c, SCHWAEMM_256_128_TAG_SIZE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_RATE 24
-
-/**
- * \brief Pointer to the left of the state for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_RIGHT(s) \
- (SCHWAEMM_192_192_LEFT(s) + SCHWAEMM_192_192_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192.
- *
- * \param s SPARKLE-384 state.
- */
-#define schwaemm_192_192_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[3] ^ s[6]; \
- s[3] ^= t ^ s[9]; \
- t = s[1]; \
- s[1] = s[4] ^ s[7]; \
- s[4] ^= t ^ s[10]; \
- t = s[2]; \
- s[2] = s[5] ^ s[8]; \
- s[5] ^= t ^ s[11]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm192-192.
- *
- * \param s SPARKLE-384 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */
-static void schwaemm_192_192_authenticate
- (uint32_t s[SPARKLE_384_STATE_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen > SCHWAEMM_192_192_RATE) {
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE);
- sparkle_384(s, 7);
- ad += SCHWAEMM_192_192_RATE;
- adlen -= SCHWAEMM_192_192_RATE;
- }
- if (adlen == SCHWAEMM_192_192_RATE) {
- s[11] ^= DOMAIN(0x09);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE);
- } else {
- unsigned temp = (unsigned)adlen;
- s[11] ^= DOMAIN(0x08);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, ad, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_384(s, 11);
-}
-
-int schwaemm_192_192_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- uint8_t block[SCHWAEMM_192_192_RATE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SCHWAEMM_192_192_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE);
- memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE);
- sparkle_384(s, 11);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_192_192_authenticate(s, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > SCHWAEMM_192_192_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- sparkle_384(s, 7);
- memcpy(c, block, SCHWAEMM_192_192_RATE);
- c += SCHWAEMM_192_192_RATE;
- m += SCHWAEMM_192_192_RATE;
- mlen -= SCHWAEMM_192_192_RATE;
- }
- if (mlen == SCHWAEMM_192_192_RATE) {
-
lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- s[11] ^= DOMAIN(0x0B);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- memcpy(c, block, SCHWAEMM_192_192_RATE);
- } else {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- s[11] ^= DOMAIN(0x0A);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- memcpy(c, block, temp);
- }
- sparkle_384(s, 11);
- c += mlen;
- }
-
- /* Generate the authentication tag */
- lw_xor_block_2_src
- (c, SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE);
- return 0;
-}
-
-int schwaemm_192_192_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SCHWAEMM_192_192_TAG_SIZE)
- return -1;
- *mlen = clen - SCHWAEMM_192_192_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE);
- memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE);
- sparkle_384(s, 11);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_192_192_authenticate(s, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SCHWAEMM_192_192_TAG_SIZE;
- if (clen > 0) {
- while (clen > SCHWAEMM_192_192_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- sparkle_384(s, 7);
- c += SCHWAEMM_192_192_RATE;
- m += SCHWAEMM_192_192_RATE;
- clen -= SCHWAEMM_192_192_RATE;
- }
- if (clen == SCHWAEMM_192_192_RATE) {
-
lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE);
- s[11] ^= DOMAIN(0x0B);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE);
- } else {
- unsigned temp = (unsigned)clen;
- lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- s[11] ^= DOMAIN(0x0A);
- schwaemm_192_192_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_384(s, 11);
- c += clen;
- }
-
- /* Check the authentication tag */
- lw_xor_block(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE);
- return aead_check_tag
- (mtemp, *mlen, SCHWAEMM_192_192_RIGHT(s), c, SCHWAEMM_192_192_TAG_SIZE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_RATE 16
-
-/**
- * \brief Pointer to the left of the state for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_RIGHT(s) \
- (SCHWAEMM_128_128_LEFT(s) + SCHWAEMM_128_128_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128.
- *
- * \param s SPARKLE-256 state.
- */
-#define schwaemm_128_128_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[2] ^ s[4]; \
- s[2] ^= t ^ s[6]; \
- t = s[1]; \
- s[1] = s[3] ^ s[5]; \
- s[3] ^= t ^ s[7]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm128-128.
- *
- * \param s SPARKLE-256 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */
-static void schwaemm_128_128_authenticate
- (uint32_t s[SPARKLE_256_STATE_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen > SCHWAEMM_128_128_RATE) {
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE);
- sparkle_256(s, 7);
- ad += SCHWAEMM_128_128_RATE;
- adlen -= SCHWAEMM_128_128_RATE;
- }
- if (adlen == SCHWAEMM_128_128_RATE) {
- s[7] ^= DOMAIN(0x05);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE);
- } else {
- unsigned temp = (unsigned)adlen;
- s[7] ^= DOMAIN(0x04);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, ad, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_256(s, 10);
-}
-
-int schwaemm_128_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_256_STATE_SIZE];
- uint8_t block[SCHWAEMM_128_128_RATE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SCHWAEMM_128_128_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE);
- memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE);
- sparkle_256(s, 10);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_128_128_authenticate(s, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > SCHWAEMM_128_128_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- sparkle_256(s, 7);
- memcpy(c, block, SCHWAEMM_128_128_RATE);
- c += SCHWAEMM_128_128_RATE;
- m += SCHWAEMM_128_128_RATE;
- mlen -= SCHWAEMM_128_128_RATE;
- }
- if (mlen == SCHWAEMM_128_128_RATE) {
-
lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- s[7] ^= DOMAIN(0x07);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- memcpy(c, block, SCHWAEMM_128_128_RATE);
- } else {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- s[7] ^= DOMAIN(0x06);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- memcpy(c, block, temp);
- }
- sparkle_256(s, 10);
- c += mlen;
- }
-
- /* Generate the authentication tag */
- lw_xor_block_2_src
- (c, SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE);
- return 0;
-}
-
-int schwaemm_128_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_256_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SCHWAEMM_128_128_TAG_SIZE)
- return -1;
- *mlen = clen - SCHWAEMM_128_128_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE);
- memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE);
- sparkle_256(s, 10);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_128_128_authenticate(s, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SCHWAEMM_128_128_TAG_SIZE;
- if (clen > 0) {
- while (clen > SCHWAEMM_128_128_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- sparkle_256(s, 7);
- c += SCHWAEMM_128_128_RATE;
- m += SCHWAEMM_128_128_RATE;
- clen -= SCHWAEMM_128_128_RATE;
- }
- if (clen == SCHWAEMM_128_128_RATE) {
-
lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE);
- s[7] ^= DOMAIN(0x07);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
- } else {
- unsigned temp = (unsigned)clen;
- lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- s[7] ^= DOMAIN(0x06);
- schwaemm_128_128_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_256(s, 10);
- c += clen;
- }
-
- /* Check the authentication tag */
- lw_xor_block(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE);
- return aead_check_tag
- (mtemp, *mlen, SCHWAEMM_128_128_RIGHT(s), c, SCHWAEMM_128_128_TAG_SIZE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_RATE 32
-
-/**
- * \brief Pointer to the left of the state for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_LEFT(s) ((unsigned char *)&(s[0]))
-
-/**
- * \brief Pointer to the right of the state for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_RIGHT(s) \
- (SCHWAEMM_256_256_LEFT(s) + SCHWAEMM_256_256_RATE)
-
-/**
- * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256.
- *
- * \param s SPARKLE-512 state.
- */
-#define schwaemm_256_256_rho(s) \
- do { \
- uint32_t t = s[0]; \
- s[0] = s[4] ^ s[8]; \
- s[4] ^= t ^ s[12]; \
- t = s[1]; \
- s[1] = s[5] ^ s[9]; \
- s[5] ^= t ^ s[13]; \
- t = s[2]; \
- s[2] = s[6] ^ s[10]; \
- s[6] ^= t ^ s[14]; \
- t = s[3]; \
- s[3] = s[7] ^ s[11]; \
- s[7] ^= t ^ s[15]; \
- } while (0)
-
-/**
- * \brief Authenticates the associated data for Schwaemm256-256.
- *
- * \param s SPARKLE-512 state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data; must be >= 1.
- */
-static void schwaemm_256_256_authenticate
- (uint32_t s[SPARKLE_512_STATE_SIZE],
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen > SCHWAEMM_256_256_RATE) {
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE);
- sparkle_512(s, 8);
- ad += SCHWAEMM_256_256_RATE;
- adlen -= SCHWAEMM_256_256_RATE;
- }
- if (adlen == SCHWAEMM_256_256_RATE) {
- s[15] ^= DOMAIN(0x11);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE);
- } else {
- unsigned temp = (unsigned)adlen;
- s[15] ^= DOMAIN(0x10);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, ad, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_512(s, 12);
-}
-
-int schwaemm_256_256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_512_STATE_SIZE];
- uint8_t block[SCHWAEMM_256_256_RATE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SCHWAEMM_256_256_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE);
- memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE);
- sparkle_512(s, 12);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_256_256_authenticate(s, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0) {
- while (mlen > SCHWAEMM_256_256_RATE) {
- lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- sparkle_512(s, 8);
- memcpy(c, block, SCHWAEMM_256_256_RATE);
- c += SCHWAEMM_256_256_RATE;
- m += SCHWAEMM_256_256_RATE;
- mlen -= SCHWAEMM_256_256_RATE;
- }
- if (mlen == SCHWAEMM_256_256_RATE) {
-
lw_xor_block_2_src
- (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- s[15] ^= DOMAIN(0x13);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- memcpy(c, block, SCHWAEMM_256_256_RATE);
- } else {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
- s[15] ^= DOMAIN(0x12);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- memcpy(c, block, temp);
- }
- sparkle_512(s, 12);
- c += mlen;
- }
-
- /* Generate the authentication tag */
- lw_xor_block_2_src
- (c, SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE);
- return 0;
-}
-
-int schwaemm_256_256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t s[SPARKLE_512_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SCHWAEMM_256_256_TAG_SIZE)
- return -1;
- *mlen = clen - SCHWAEMM_256_256_TAG_SIZE;
-
- /* Initialize the state with the nonce and the key */
- memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE);
- memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE);
- sparkle_512(s, 12);
-
- /* Process the associated data */
- if (adlen > 0)
- schwaemm_256_256_authenticate(s, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SCHWAEMM_256_256_TAG_SIZE;
- if (clen > 0) {
- while (clen > SCHWAEMM_256_256_RATE) {
- lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- sparkle_512(s, 8);
- c += SCHWAEMM_256_256_RATE;
- m += SCHWAEMM_256_256_RATE;
- clen -= SCHWAEMM_256_256_RATE;
- }
- if (clen == SCHWAEMM_256_256_RATE) {
-
lw_xor_block_2_src
- (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE);
- s[15] ^= DOMAIN(0x13);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
- } else {
- unsigned temp = (unsigned)clen;
- lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
- s[15] ^= DOMAIN(0x12);
- schwaemm_256_256_rho(s);
- lw_xor_block((unsigned char *)s, m, temp);
- ((unsigned char *)s)[temp] ^= 0x80;
- }
- sparkle_512(s, 12);
- c += clen;
- }
-
- /* Check the authentication tag */
- lw_xor_block(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE);
- return aead_check_tag
- (mtemp, *mlen, SCHWAEMM_256_256_RIGHT(s), c, SCHWAEMM_256_256_TAG_SIZE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Esch256.
- */
-#define ESCH_256_RATE 16
-
-/**
- * \brief Perform the M3 step for Esch256 to mix the input with the state.
- *
- * \param s SPARKLE-384 state.
- * \param block Block of input data that has been padded to the rate.
- * \param domain Domain separator for this phase.
- */
-#define esch_256_m3(s, block, domain) \
- do { \
- uint32_t tx = (block)[0] ^ (block)[2]; \
- uint32_t ty = (block)[1] ^ (block)[3]; \
- tx = leftRotate16(tx ^ (tx << 16)); \
- ty = leftRotate16(ty ^ (ty << 16)); \
- s[0] ^= (block)[0] ^ ty; \
- s[1] ^= (block)[1] ^ tx; \
- s[2] ^= (block)[2] ^ ty; \
- s[3] ^= (block)[3] ^ tx; \
- if ((domain) != 0) \
- s[5] ^= DOMAIN(domain); \
- s[4] ^= ty; \
- s[5] ^= tx; \
- } while (0)
-
-/** @cond esch_256 */
-
-/**
- * \brief Word-based state for the Esch256 incremental hash mode.
- */
-typedef union
-{
- struct {
- uint32_t state[SPARKLE_384_STATE_SIZE];
- uint32_t block[4];
- unsigned char count;
- } s;
- unsigned long long align;
-
-} esch_256_hash_state_wt;
-
-/** @endcond */
-
-int esch_256_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- uint32_t s[SPARKLE_384_STATE_SIZE];
- uint32_t block[ESCH_256_RATE / 4];
- memset(s, 0, sizeof(s));
- while (inlen > ESCH_256_RATE) {
- memcpy(block, in, ESCH_256_RATE);
- esch_256_m3(s, block, 0x00);
- sparkle_384(s, 7);
- in += ESCH_256_RATE;
- inlen -= ESCH_256_RATE;
- }
- if (inlen == ESCH_256_RATE) {
- memcpy(block, in, ESCH_256_RATE);
- esch_256_m3(s, block, 0x02);
- } else {
- unsigned temp = (unsigned)inlen;
- memcpy(block, in, temp);
- ((unsigned char *)block)[temp] = 0x80;
- memset(((unsigned char *)block) + temp + 1, 0,
- ESCH_256_RATE - temp - 1);
- esch_256_m3(s, block, 0x01);
- }
- sparkle_384(s, 11);
- memcpy(out, s, ESCH_256_RATE);
- sparkle_384(s, 7);
- memcpy(out + ESCH_256_RATE, s, ESCH_256_RATE);
- return 0;
-}
-
-void esch_256_hash_init(esch_256_hash_state_t *state)
-{
- memset(state, 0, sizeof(esch_256_hash_state_t));
-}
-
-void esch_256_hash_update
- (esch_256_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen)
-{
- esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state;
- unsigned temp;
- while (inlen > 0) {
- if (st->s.count == ESCH_256_RATE) {
- esch_256_m3(st->s.state, st->s.block, 0x00);
- sparkle_384(st->s.state, 7);
- st->s.count = 0;
- }
- temp = ESCH_256_RATE - st->s.count;
- if (temp > inlen)
- temp = (unsigned)inlen;
- memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp);
- st->s.count += temp;
- in += temp;
- inlen -= temp;
- }
-}
-
-void esch_256_hash_finalize
- (esch_256_hash_state_t *state, unsigned char *out)
-{
- esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state;
-
- /* Pad and process the last block */
- if (st->s.count == ESCH_256_RATE) {
- esch_256_m3(st->s.state,
st->s.block, 0x02);
- } else {
- unsigned temp = st->s.count;
- ((unsigned char *)(st->s.block))[temp] = 0x80;
- memset(((unsigned char *)(st->s.block)) + temp + 1, 0,
- ESCH_256_RATE - temp - 1);
- esch_256_m3(st->s.state, st->s.block, 0x01);
- }
- sparkle_384(st->s.state, 11);
-
- /* Generate the final hash value */
- memcpy(out, st->s.state, ESCH_256_RATE);
- sparkle_384(st->s.state, 7);
- memcpy(out + ESCH_256_RATE, st->s.state, ESCH_256_RATE);
-}
-
-/**
- * \brief Rate at which bytes are processed by Esch384.
- */
-#define ESCH_384_RATE 16
-
-/**
- * \brief Perform the M4 step for Esch384 to mix the input with the state.
- *
- * \param s SPARKLE-512 state.
- * \param block Block of input data that has been padded to the rate.
- * \param domain Domain separator for this phase.
- */
-#define esch_384_m4(s, block, domain) \
- do { \
- uint32_t tx = block[0] ^ block[2]; \
- uint32_t ty = block[1] ^ block[3]; \
- tx = leftRotate16(tx ^ (tx << 16)); \
- ty = leftRotate16(ty ^ (ty << 16)); \
- s[0] ^= block[0] ^ ty; \
- s[1] ^= block[1] ^ tx; \
- s[2] ^= block[2] ^ ty; \
- s[3] ^= block[3] ^ tx; \
- if ((domain) != 0) \
- s[7] ^= DOMAIN(domain); \
- s[4] ^= ty; \
- s[5] ^= tx; \
- s[6] ^= ty; \
- s[7] ^= tx; \
- } while (0)
-
-/** @cond esch_384 */
-
-/**
- * \brief Word-based state for the Esch384 incremental hash mode.
- */
-typedef union
-{
- struct {
- uint32_t state[SPARKLE_512_STATE_SIZE];
- uint32_t block[4];
- unsigned char count;
- } s;
- unsigned long long align;
-
-} esch_384_hash_state_wt;
-
-/** @endcond */
-
-int esch_384_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- uint32_t s[SPARKLE_512_STATE_SIZE];
- uint32_t block[ESCH_256_RATE / 4];
- memset(s, 0, sizeof(s));
- while (inlen > ESCH_384_RATE) {
- memcpy(block, in, ESCH_384_RATE);
- esch_384_m4(s, block, 0x00);
- sparkle_512(s, 8);
- in += ESCH_384_RATE;
- inlen -= ESCH_384_RATE;
- }
- if (inlen == ESCH_384_RATE) {
- memcpy(block, in, ESCH_384_RATE);
- esch_384_m4(s, block, 0x02);
- } else {
- unsigned temp = (unsigned)inlen;
- memcpy(block, in, temp);
- ((unsigned char *)block)[temp] = 0x80;
- memset(((unsigned char *)block) + temp + 1, 0,
- ESCH_384_RATE - temp - 1);
- esch_384_m4(s, block, 0x01);
- }
- sparkle_512(s, 12);
- memcpy(out, s, ESCH_384_RATE);
- sparkle_512(s, 8);
- memcpy(out + ESCH_384_RATE, s, ESCH_384_RATE);
- sparkle_512(s, 8);
- memcpy(out + ESCH_384_RATE * 2, s, ESCH_384_RATE);
- return 0;
-}
-
-void esch_384_hash_init(esch_384_hash_state_t *state)
-{
- memset(state, 0, sizeof(esch_384_hash_state_t));
-}
-
-void esch_384_hash_update
- (esch_384_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen)
-{
- esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state;
- unsigned temp;
- while (inlen > 0) {
- if (st->s.count == ESCH_384_RATE) {
- esch_384_m4(st->s.state, st->s.block, 0x00);
- sparkle_512(st->s.state, 8);
- st->s.count = 0;
- }
- temp = ESCH_384_RATE - st->s.count;
- if (temp > inlen)
- temp = (unsigned)inlen;
- memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp);
- st->s.count += temp;
- in += temp;
- inlen -= temp;
- }
-}
-
-void esch_384_hash_finalize
- (esch_384_hash_state_t *state, unsigned char *out)
-{
- esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state;
-
- /* Pad and process the last block */
-
if (st->s.count == ESCH_384_RATE) {
- esch_384_m4(st->s.state, st->s.block, 0x02);
- } else {
- unsigned temp = st->s.count;
- ((unsigned char *)(st->s.block))[temp] = 0x80;
- memset(((unsigned char *)(st->s.block)) + temp + 1, 0,
- ESCH_384_RATE - temp - 1);
- esch_384_m4(st->s.state, st->s.block, 0x01);
- }
- sparkle_512(st->s.state, 12);
-
- /* Generate the final hash value */
- memcpy(out, st->s.state, ESCH_384_RATE);
- sparkle_512(st->s.state, 8);
- memcpy(out + ESCH_384_RATE, st->s.state, ESCH_384_RATE);
- sparkle_512(st->s.state, 8);
- memcpy(out + ESCH_384_RATE * 2, st->s.state, ESCH_384_RATE);
-}
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/sparkle.h b/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/sparkle.h
deleted file mode 100644
index dd0999e..0000000
--- a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/sparkle.h
+++ /dev/null
@@ -1,515 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SPARKLE_H
-#define LWCRYPTO_SPARKLE_H
-
-#include "aead-common.h"
-
-/**
- * \file sparkle.h
- * \brief Encryption and hash algorithms based on the SPARKLE permutation.
- *
- * SPARKLE is a family of encryption and hash algorithms that are based
- * around the SPARKLE permutation. There are three versions of the
- * permutation with 256-bit, 384-bit, and 512-bit state sizes.
- * The algorithms in the family are:
- *
- * \li Schwaemm256-128 with a 128-bit key, a 256-bit nonce, and a 128-bit tag.
- * This is the primary encryption algorithm in the family.
- * \li Schwaemm192-192 with a 192-bit key, a 192-bit nonce, and a 192-bit tag.
- * \li Schwaemm128-128 with a 128-bit key, a 128-bit nonce, and a 128-bit tag.
- * \li Schwaemm256-256 with a 256-bit key, a 256-bit nonce, and a 256-bit tag.
- * \li Esch256 hash algorithm with a 256-bit digest output. This is the
- * primary hash algorithm in the family.
- * \li Esch384 hash algorithm with a 384-bit digest output.
- *
- * References: https://www.cryptolux.org/index.php/Sparkle
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for Schwaemm256-128.
- */
-#define SCHWAEMM_256_128_NONCE_SIZE 32
-
-/**
- * \brief Size of the key for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_KEY_SIZE 24
-
-/**
- * \brief Size of the authentication tag for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_TAG_SIZE 24
-
-/**
- * \brief Size of the nonce for Schwaemm192-192.
- */
-#define SCHWAEMM_192_192_NONCE_SIZE 24
-
-/**
- * \brief Size of the key for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for Schwaemm128-128.
- */
-#define SCHWAEMM_128_128_NONCE_SIZE 16
-
-/**
- * \brief Size of the key for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_KEY_SIZE 32
-
-/**
- * \brief Size of the authentication tag for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_TAG_SIZE 32
-
-/**
- * \brief Size of the nonce for Schwaemm256-256.
- */
-#define SCHWAEMM_256_256_NONCE_SIZE 32
-
-/**
- * \brief Size of the hash output for Esch256.
- */
-#define ESCH_256_HASH_SIZE 32
-
-/**
- * \brief Size of the hash output for Esch384.
- */
-#define ESCH_384_HASH_SIZE 48
-
-/**
- * \brief Meta-information block for the Schwaemm256-128 cipher.
- */
-extern aead_cipher_t const schwaemm_256_128_cipher;
-
-/**
- * \brief Meta-information block for the Schwaemm192-192 cipher.
- */
-extern aead_cipher_t const schwaemm_192_192_cipher;
-
-/**
- * \brief Meta-information block for the Schwaemm128-128 cipher.
- */
-extern aead_cipher_t const schwaemm_128_128_cipher;
-
-/**
- * \brief Meta-information block for the Schwaemm256-256 cipher.
- */
-extern aead_cipher_t const schwaemm_256_256_cipher;
-
-/**
- * \brief Meta-information block for the Esch256 hash algorithm.
- */
-extern aead_hash_algorithm_t const esch_256_hash_algorithm;
-
-/**
- * \brief Meta-information block for the Esch384 hash algorithm.
- */
-extern aead_hash_algorithm_t const esch_384_hash_algorithm;
-
-/**
- * \brief State information for the Esch256 incremental hash mode.
- */
-typedef union
-{
- struct {
- unsigned char state[48]; /**< Current hash state */
- unsigned char block[16]; /**< Partial input data block */
- unsigned char count; /**< Number of bytes in the current block */
- } s; /**< State */
- unsigned long long align; /**< For alignment of this structure */
-
-} esch_256_hash_state_t;
-
-/**
- * \brief State information for the Esch384 incremental hash mode.
- */
-typedef union
-{
- struct {
- unsigned char state[64]; /**< Current hash state */
- unsigned char block[16]; /**< Partial input data block */
- unsigned char count; /**< Number of bytes in the current block */
- } s; /**< State */
- unsigned long long align; /**< For alignment of this structure */
-
-} esch_384_hash_state_t;
-
-/**
- * \brief Encrypts and authenticates a packet with Schwaemm256-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 32 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa schwaemm_256_128_aead_decrypt()
- */
-int schwaemm_256_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Schwaemm256-128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 32 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa schwaemm_256_128_aead_encrypt()
- */
-int schwaemm_256_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Schwaemm192-192.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 24 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 24 bytes in length.
- * \param k Points to the 24 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa schwaemm_192_192_aead_decrypt()
- */
-int schwaemm_192_192_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Schwaemm192-192.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 24 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 24 bytes in length.
- * \param k Points to the 24 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa schwaemm_192_192_aead_encrypt()
- */
-int schwaemm_192_192_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Schwaemm128-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa schwaemm_128_128_aead_decrypt()
- */
-int schwaemm_128_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Schwaemm128-128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa schwaemm_128_128_aead_encrypt()
- */
-int schwaemm_128_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Schwaemm256-256.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa schwaemm_256_256_aead_decrypt()
- */
-int schwaemm_256_256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Schwaemm256-256.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa schwaemm_256_256_aead_encrypt()
- */
-int schwaemm_256_256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data with Esch256 to generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * ESCH_256_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int esch_256_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for an Esch256 hashing operation.
- *
- * \param state Hash state to be initialized.
- *
- * \sa esch_256_hash_update(), esch_256_hash_finalize(), esch_256_hash()
- */
-void esch_256_hash_init(esch_256_hash_state_t *state);
-
-/**
- * \brief Updates an Esch256 state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- *
- * \sa esch_256_hash_init(), esch_256_hash_finalize()
- */
-void esch_256_hash_update
- (esch_256_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from an Esch256 hashing operation.
- *
- * \param state Hash state to be finalized.
- * \param out Points to the output buffer to receive the 32-byte hash value.
- *
- * \sa esch_256_hash_init(), esch_256_hash_update()
- */
-void esch_256_hash_finalize
- (esch_256_hash_state_t *state, unsigned char *out);
-
-/**
- * \brief Hashes a block of input data with Esch384 to generate a hash value.
- *
- * \param out Buffer to receive the hash output which must be at least
- * ESCH_384_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-int esch_384_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for an Esch384 hashing operation.
- *
- * \param state Hash state to be initialized.
- *
- * \sa esch_384_hash_update(), esch_384_hash_finalize(), esch_384_hash()
- */
-void esch_384_hash_init(esch_384_hash_state_t *state);
-
-/**
- * \brief Updates an Esch384 state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- *
- * \sa esch_384_hash_init(), esch_384_hash_finalize()
- */
-void esch_384_hash_update
- (esch_384_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from an Esch384 hashing operation.
- *
- * \param state Hash state to be finalized.
- * \param out Points to the output buffer to receive the 48-byte hash value.
- *
- * \sa esch_384_hash_init(), esch_384_hash_update()
- */
-void esch_384_hash_finalize
- (esch_384_hash_state_t *state, unsigned char *out);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/aead-common.c b/sparkle/Implementations/crypto_hash/esch384v1/rhys/aead-common.c
similarity index 100%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/aead-common.c
rename to sparkle/Implementations/crypto_hash/esch384v1/rhys/aead-common.c
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/aead-common.h b/sparkle/Implementations/crypto_hash/esch384v1/rhys/aead-common.h
similarity index 100%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/aead-common.h
rename to sparkle/Implementations/crypto_hash/esch384v1/rhys/aead-common.h
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys/api.h b/sparkle/Implementations/crypto_hash/esch384v1/rhys/api.h
new file mode 100644
index 0000000..d507385
--- /dev/null
+++ b/sparkle/Implementations/crypto_hash/esch384v1/rhys/api.h
@@ -0,0 +1 @@
+#define CRYPTO_BYTES 48
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/hash.c b/sparkle/Implementations/crypto_hash/esch384v1/rhys/hash.c
similarity index 100%
rename from sparkle/Implementations/crypto_hash/esch384v1/rhys-avr/hash.c
rename to sparkle/Implementations/crypto_hash/esch384v1/rhys/hash.c
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys/internal-sparkle-avr.S b/sparkle/Implementations/crypto_hash/esch384v1/rhys/internal-sparkle-avr.S
new file mode 100644
index 0000000..753ea2f
--- /dev/null
+++ b/sparkle/Implementations/crypto_hash/esch384v1/rhys/internal-sparkle-avr.S
@@ -0,0 +1,2887 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global sparkle_256 + .type sparkle_256, @function +sparkle_256: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + rcall 129f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 129f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 129f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + rcall 129f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 129f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 129f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 129f + pop r18 + cpi r18,7 + brne 5094f + rjmp 615f +5094: + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 129f + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 129f + ldi r18,128 + ldi r19,88 + ldi r20,113 + 
ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 129f + rjmp 615f +129: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc 
r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + 
eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + movw r18,r4 + movw r20,r6 + movw r4,r14 + movw r6,r12 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + movw r8,r18 + movw r10,r20 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 
+ eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + ld r18,Z + ldd r19,Z+1 + ldd r20,Z+2 + ldd r21,Z+3 + movw r14,r22 + movw r12,r26 + eor r14,r18 + eor r15,r19 + eor r12,r20 + eor r13,r21 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + movw r22,r16 + movw r26,r24 + eor r22,r28 + eor r23,r29 + eor r26,r2 + eor r27,r3 + movw r28,r14 + movw r2,r12 + ret +615: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_256, .-sparkle_256 + + .text +.global sparkle_384 + .type sparkle_384, @function +sparkle_384: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + rcall 140f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 140f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 140f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + 
rcall 140f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 140f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 140f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 140f + pop r18 + cpi r18,7 + brne 5094f + rjmp 886f +5094: + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 140f + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 140f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 140f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,10 + eor r8,r18 + rcall 140f + rjmp 886f +140: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 
+ ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 
+ ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + 
rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r22 + std Z+17,r23 + std Z+18,r26 + std Z+19,r27 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + eor r24,r4 + eor r25,r5 + eor r16,r6 + eor r17,r7 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r28,Z+40 + ldd r29,Z+41 + ldd r2,Z+42 + ldd r3,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor 
r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + ldd r18,Z+28 + ldd r19,Z+29 + ldd r20,Z+30 + ldd r21,Z+31 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+20 + ldd r9,Z+21 + ldd r10,Z+22 + ldd r11,Z+23 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r0,Z+4 + eor r18,r0 + ldd r0,Z+5 + eor r19,r0 + ldd r0,Z+6 + eor r20,r0 + ldd r0,Z+7 + eor r21,r0 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + ldd r18,Z+4 + ldd r19,Z+5 + ldd r20,Z+6 + ldd r21,Z+7 + std Z+28,r18 + std Z+29,r19 + std Z+30,r20 + std Z+31,r21 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + std Z+36,r18 + std Z+37,r19 + std Z+38,r20 + std Z+39,r21 + eor r8,r14 + eor r9,r15 + eor r10,r12 + eor r11,r13 + ldd r18,Z+24 + ldd r19,Z+25 + ldd r20,Z+26 + ldd r21,Z+27 + eor r18,r16 + eor r19,r17 + eor r20,r24 + eor r21,r25 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r28,Z+16 + ldd r29,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + std Z+40,r28 + std Z+41,r29 + std Z+42,r2 + std Z+43,r3 + ld r14,Z + ldd r15,Z+1 + ldd r12,Z+2 + ldd r13,Z+3 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + std Z+24,r14 + std Z+25,r15 + std Z+26,r12 + std Z+27,r13 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + std Z+32,r18 + std Z+33,r19 + std Z+34,r20 + std Z+35,r21 + eor r28,r16 + eor r29,r17 + eor r2,r24 + eor r3,r25 + ret +886: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_384, .-sparkle_384 + + .text +.global sparkle_512 + .type sparkle_512, @function +sparkle_512: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + push r22 + ld r22,Z + ldd r23,Z+1 + ldd r26,Z+2 + ldd r27,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r28,Z+8 + ldd r29,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor 
r6,r20 + eor r7,r21 + rcall 151f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,1 + eor r8,r18 + rcall 151f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,2 + eor r8,r18 + rcall 151f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,3 + eor r8,r18 + rcall 151f + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,4 + eor r8,r18 + rcall 151f + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,5 + eor r8,r18 + rcall 151f + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,6 + eor r8,r18 + rcall 151f + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,7 + eor r8,r18 + rcall 151f + pop r18 + cpi r18,8 + brne 5105f + rjmp 1189f +5105: + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,8 + eor r8,r18 + rcall 151f + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,9 + eor r8,r18 + rcall 151f + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,10 + eor r8,r18 + rcall 151f + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,11 + eor r8,r18 + rcall 151f + rjmp 1189f +151: + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + 
movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,98 + ldi r19,81 + ldi r20,225 + ldi r21,183 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,128 + ldi r19,88 + ldi r20,113 + ldi r21,191 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor 
r2,r20 + eor r3,r21 + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + movw r12,r22 + movw r14,r26 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + movw r24,r4 + movw r16,r6 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + ldd r28,Z+24 + ldd r29,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,86 + ldi r19,218 + ldi r20,180 + ldi r21,56 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,56 + 
ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,56 + ldi r19,119 + ldi r20,78 + ldi r21,50 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r22 + std Z+17,r23 + std Z+18,r26 + std Z+19,r27 + std Z+20,r4 + std Z+21,r5 + std Z+22,r6 + std Z+23,r7 + std Z+24,r28 + std Z+25,r29 + std Z+26,r2 + std Z+27,r3 + std Z+28,r8 + std Z+29,r9 + std Z+30,r10 + std Z+31,r11 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + eor r12,r28 + eor r13,r29 + eor r14,r2 + eor r15,r3 + eor r24,r4 + eor r25,r5 + eor r16,r6 + eor r17,r7 + eor r24,r8 + eor r25,r9 + eor r16,r10 + eor r17,r11 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + ldd r28,Z+40 + ldd r29,Z+41 + ldd r2,Z+42 + ldd r3,Z+43 + ldd r8,Z+44 + ldd r9,Z+45 + ldd r10,Z+46 + ldd r11,Z+47 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + 
ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,235 + ldi r19,133 + ldi r20,17 + ldi r21,187 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,87 + ldi r19,123 + ldi r20,124 + ldi r21,79 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + std Z+32,r22 + std Z+33,r23 + std Z+34,r26 + std 
Z+35,r27 + std Z+36,r4 + std Z+37,r5 + std Z+38,r6 + std Z+39,r7 + std Z+40,r28 + std Z+41,r29 + std Z+42,r2 + std Z+43,r3 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r22,Z+48 + ldd r23,Z+49 + ldd r26,Z+50 + ldd r27,Z+51 + ldd r4,Z+52 + ldd r5,Z+53 + ldd r6,Z+54 + ldd r7,Z+55 + ldd r28,Z+56 + ldd r29,Z+57 + ldd r2,Z+58 + ldd r3,Z+59 + ldd r8,Z+60 + ldd r9,Z+61 + ldd r10,Z+62 + ldd r11,Z+63 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r22,r18 + adc r23,r19 + adc r26,r20 + adc r27,r21 + eor r4,r27 + eor r5,r22 + eor r6,r23 + eor r7,r26 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r4 + movw r20,r6 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r22,r20 + adc r23,r21 + adc r26,r18 + adc r27,r19 + movw r18,r22 + movw r20,r26 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r4,r20 + eor r5,r21 + eor r6,r18 + eor r7,r19 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r4 + adc r23,r5 + adc r26,r6 + adc r27,r7 + movw r18,r22 + movw r20,r26 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r18,200 + ldi r19,161 + ldi r20,191 + ldi r21,207 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + add r22,r7 + adc r23,r4 + adc r26,r5 + adc r27,r6 + eor r4,r26 + eor r5,r27 + eor r6,r22 + eor r7,r23 + eor r22,r18 + eor r23,r19 + eor r26,r20 + eor r27,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + add r28,r18 + adc r29,r19 + adc r2,r20 + adc r3,r21 + eor r8,r3 + eor r9,r28 + eor r10,r29 + eor r11,r2 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + movw r18,r8 + movw r20,r10 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + add r28,r20 + adc r29,r21 + 
adc r2,r18 + adc r3,r19 + movw r18,r28 + movw r20,r2 + bst r18,0 + lsr r21 + ror r20 + ror r19 + ror r18 + bld r21,7 + eor r8,r20 + eor r9,r21 + eor r10,r18 + eor r11,r19 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r8 + adc r29,r9 + adc r2,r10 + adc r3,r11 + movw r18,r28 + movw r20,r2 + lsl r18 + rol r19 + rol r20 + rol r21 + adc r18,r1 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ldi r18,61 + ldi r19,41 + ldi r20,179 + ldi r21,194 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + add r28,r11 + adc r29,r8 + adc r2,r9 + adc r3,r10 + eor r8,r2 + eor r9,r3 + eor r10,r28 + eor r11,r29 + eor r28,r18 + eor r29,r19 + eor r2,r20 + eor r3,r21 + eor r14,r12 + eor r15,r13 + eor r16,r24 + eor r17,r25 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + ldd r4,Z+36 + ldd r5,Z+37 + ldd r6,Z+38 + ldd r7,Z+39 + eor r4,r14 + eor r5,r15 + eor r6,r12 + eor r7,r13 + ldd r18,Z+44 + ldd r19,Z+45 + ldd r20,Z+46 + ldd r21,Z+47 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + eor r14,r8 + eor r15,r9 + eor r12,r10 + eor r13,r11 + ldd r8,Z+28 + ldd r9,Z+29 + ldd r10,Z+30 + ldd r11,Z+31 + std Z+60,r8 + std Z+61,r9 + std Z+62,r10 + std Z+63,r11 + ldd r8,Z+4 + ldd r9,Z+5 + ldd r10,Z+6 + ldd r11,Z+7 + eor r4,r8 + eor r5,r9 + eor r6,r10 + eor r7,r11 + std Z+28,r4 + std Z+29,r5 + std Z+30,r6 + std Z+31,r7 + std Z+36,r8 + std Z+37,r9 + std Z+38,r10 + std Z+39,r11 + ldd r8,Z+12 + ldd r9,Z+13 + ldd r10,Z+14 + ldd r11,Z+15 + eor r18,r8 + eor r19,r9 + eor r20,r10 + eor r21,r11 + std Z+44,r8 + std Z+45,r9 + std Z+46,r10 + std Z+47,r11 + ldd r8,Z+52 + ldd r9,Z+53 + ldd r10,Z+54 + ldd r11,Z+55 + ldd r4,Z+20 + ldd r5,Z+21 + ldd r6,Z+22 + ldd r7,Z+23 + eor r8,r4 + eor r9,r5 + eor r10,r6 + eor r11,r7 + std Z+52,r4 + std Z+53,r5 + std Z+54,r6 + std Z+55,r7 + ldd r0,Z+60 + eor r14,r0 + ldd r0,Z+61 + eor r15,r0 + ldd r0,Z+62 + eor r12,r0 + ldd r0,Z+63 + eor 
r13,r0 + std Z+20,r14 + std Z+21,r15 + std Z+22,r12 + std Z+23,r13 + movw r4,r18 + movw r6,r20 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + std Z+48,r22 + std Z+49,r23 + std Z+50,r26 + std Z+51,r27 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r26,Z+34 + ldd r27,Z+35 + eor r22,r16 + eor r23,r17 + eor r26,r24 + eor r27,r25 + ldd r18,Z+40 + ldd r19,Z+41 + ldd r20,Z+42 + ldd r21,Z+43 + eor r18,r16 + eor r19,r17 + eor r20,r24 + eor r21,r25 + eor r16,r28 + eor r17,r29 + eor r24,r2 + eor r25,r3 + ldd r14,Z+24 + ldd r15,Z+25 + ldd r12,Z+26 + ldd r13,Z+27 + std Z+56,r14 + std Z+57,r15 + std Z+58,r12 + std Z+59,r13 + ld r14,Z + ldd r15,Z+1 + ldd r12,Z+2 + ldd r13,Z+3 + eor r22,r14 + eor r23,r15 + eor r26,r12 + eor r27,r13 + std Z+24,r22 + std Z+25,r23 + std Z+26,r26 + std Z+27,r27 + std Z+32,r14 + std Z+33,r15 + std Z+34,r12 + std Z+35,r13 + ldd r14,Z+8 + ldd r15,Z+9 + ldd r12,Z+10 + ldd r13,Z+11 + eor r18,r14 + eor r19,r15 + eor r20,r12 + eor r21,r13 + movw r22,r18 + movw r26,r20 + std Z+40,r14 + std Z+41,r15 + std Z+42,r12 + std Z+43,r13 + ldd r28,Z+48 + ldd r29,Z+49 + ldd r2,Z+50 + ldd r3,Z+51 + ldd r14,Z+16 + ldd r15,Z+17 + ldd r12,Z+18 + ldd r13,Z+19 + eor r28,r14 + eor r29,r15 + eor r2,r12 + eor r3,r13 + std Z+48,r14 + std Z+49,r15 + std Z+50,r12 + std Z+51,r13 + ldd r0,Z+56 + eor r16,r0 + ldd r0,Z+57 + eor r17,r0 + ldd r0,Z+58 + eor r24,r0 + ldd r0,Z+59 + eor r25,r0 + std Z+16,r16 + std Z+17,r17 + std Z+18,r24 + std Z+19,r25 + ret +1189: + st Z,r22 + std Z+1,r23 + std Z+2,r26 + std Z+3,r27 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r28 + std Z+9,r29 + std Z+10,r2 + std Z+11,r3 + std Z+12,r8 + std Z+13,r9 + std Z+14,r10 + std Z+15,r11 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sparkle_512, .-sparkle_512 + +#endif 
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys/internal-sparkle.c b/sparkle/Implementations/crypto_hash/esch384v1/rhys/internal-sparkle.c
new file mode 100644
index 0000000..4a4c0fb
--- /dev/null
+++ b/sparkle/Implementations/crypto_hash/esch384v1/rhys/internal-sparkle.c
@@ -0,0 +1,382 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "internal-sparkle.h" + +#if !defined(__AVR__) + +/* The 8 basic round constants from the specification */ +#define RC_0 0xB7E15162 +#define RC_1 0xBF715880 +#define RC_2 0x38B4DA56 +#define RC_3 0x324E7738 +#define RC_4 0xBB1185EB +#define RC_5 0x4F7C7B57 +#define RC_6 0xCFBFA1C8 +#define RC_7 0xC2B3293D + +/* Round constants for all SPARKLE steps; maximum of 12 for SPARKLE-512 */ +static uint32_t const sparkle_rc[12] = { + RC_0, RC_1, RC_2, RC_3, RC_4, RC_5, RC_6, RC_7, + RC_0, RC_1, RC_2, RC_3 +}; + +/** + * \brief Alzette block cipher that implements the ARXbox layer of the + * SPARKLE permutation. + * + * \param x Left half of the 64-bit block. + * \param y Right half of the 64-bit block. + * \param k 32-bit round key. 
+ */ +#define alzette(x, y, k) \ + do { \ + (x) += leftRotate1((y)); \ + (y) ^= leftRotate8((x)); \ + (x) ^= (k); \ + (x) += leftRotate15((y)); \ + (y) ^= leftRotate15((x)); \ + (x) ^= (k); \ + (x) += (y); \ + (y) ^= leftRotate1((x)); \ + (x) ^= (k); \ + (x) += leftRotate8((y)); \ + (y) ^= leftRotate16((x)); \ + (x) ^= (k); \ + } while (0) + +void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3; + uint32_t y0, y1, y2, y3; + uint32_t tx, ty; + unsigned step; + + /* Load the SPARKLE-256 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + + /* Linear layer */ + tx = x0 ^ x1; + ty = y0 ^ y1; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + y2 ^= tx; + tx ^= y3; + y3 = y1; + y1 = y2 ^ y0; + y2 = y0; + y0 = tx ^ y3; + x2 ^= ty; + ty ^= x3; + x3 = x1; + x1 = x2 ^ x0; + x2 = x0; + x0 = ty ^ x3; + } + + /* Write the local variables back to the SPARKLE-256 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + 
le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); +#endif +} + +void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3, x4, x5; + uint32_t y0, y1, y2, y3, y4, y5; + uint32_t tx, ty; + unsigned step; + + /* Load the SPARKLE-384 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; + x4 = s[8]; + y4 = s[9]; + x5 = s[10]; + y5 = s[11]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); + x4 = le_load_word32((const uint8_t *)&(s[8])); + y4 = le_load_word32((const uint8_t *)&(s[9])); + x5 = le_load_word32((const uint8_t *)&(s[10])); + y5 = le_load_word32((const uint8_t *)&(s[11])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + alzette(x4, y4, RC_4); + alzette(x5, y5, RC_5); + + /* Linear layer */ + tx = x0 ^ x1 ^ x2; + ty = y0 ^ y1 ^ y2; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + y3 ^= tx; + y4 ^= tx; + tx ^= y5; + y5 = y2; + y2 = y3 ^ y0; + y3 = y0; + y0 = y4 ^ y1; + y4 = y1; + y1 = tx ^ y5; + x3 ^= ty; + x4 ^= ty; + ty ^= x5; + x5 = x2; + x2 = x3 ^ x0; + x3 = x0; + x0 = x4 ^ x1; + x4 = x1; + x1 = ty ^ 
x5; + } + + /* Write the local variables back to the SPARKLE-384 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; + s[8] = x4; + s[9] = y4; + s[10] = x5; + s[11] = y5; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); + le_store_word32((uint8_t *)&(s[8]), x4); + le_store_word32((uint8_t *)&(s[9]), y4); + le_store_word32((uint8_t *)&(s[10]), x5); + le_store_word32((uint8_t *)&(s[11]), y5); +#endif +} + +void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps) +{ + uint32_t x0, x1, x2, x3, x4, x5, x6, x7; + uint32_t y0, y1, y2, y3, y4, y5, y6, y7; + uint32_t tx, ty; + unsigned step; + + /* Load the SPARKLE-512 state up into local variables */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + x0 = s[0]; + y0 = s[1]; + x1 = s[2]; + y1 = s[3]; + x2 = s[4]; + y2 = s[5]; + x3 = s[6]; + y3 = s[7]; + x4 = s[8]; + y4 = s[9]; + x5 = s[10]; + y5 = s[11]; + x6 = s[12]; + y6 = s[13]; + x7 = s[14]; + y7 = s[15]; +#else + x0 = le_load_word32((const uint8_t *)&(s[0])); + y0 = le_load_word32((const uint8_t *)&(s[1])); + x1 = le_load_word32((const uint8_t *)&(s[2])); + y1 = le_load_word32((const uint8_t *)&(s[3])); + x2 = le_load_word32((const uint8_t *)&(s[4])); + y2 = le_load_word32((const uint8_t *)&(s[5])); + x3 = le_load_word32((const uint8_t *)&(s[6])); + y3 = le_load_word32((const uint8_t *)&(s[7])); + x4 = le_load_word32((const uint8_t *)&(s[8])); + y4 = le_load_word32((const uint8_t *)&(s[9])); + x5 = le_load_word32((const uint8_t *)&(s[10])); + y5 = le_load_word32((const uint8_t *)&(s[11])); + x6 = le_load_word32((const uint8_t *)&(s[12])); + y6 = le_load_word32((const uint8_t 
*)&(s[13])); + x7 = le_load_word32((const uint8_t *)&(s[14])); + y7 = le_load_word32((const uint8_t *)&(s[15])); +#endif + + /* Perform all requested steps */ + for (step = 0; step < steps; ++step) { + /* Add round constants */ + y0 ^= sparkle_rc[step]; + y1 ^= step; + + /* ARXbox layer */ + alzette(x0, y0, RC_0); + alzette(x1, y1, RC_1); + alzette(x2, y2, RC_2); + alzette(x3, y3, RC_3); + alzette(x4, y4, RC_4); + alzette(x5, y5, RC_5); + alzette(x6, y6, RC_6); + alzette(x7, y7, RC_7); + + /* Linear layer */ + tx = x0 ^ x1 ^ x2 ^ x3; + ty = y0 ^ y1 ^ y2 ^ y3; + tx = leftRotate16(tx ^ (tx << 16)); + ty = leftRotate16(ty ^ (ty << 16)); + y4 ^= tx; + y5 ^= tx; + y6 ^= tx; + tx ^= y7; + y7 = y3; + y3 = y4 ^ y0; + y4 = y0; + y0 = y5 ^ y1; + y5 = y1; + y1 = y6 ^ y2; + y6 = y2; + y2 = tx ^ y7; + x4 ^= ty; + x5 ^= ty; + x6 ^= ty; + ty ^= x7; + x7 = x3; + x3 = x4 ^ x0; + x4 = x0; + x0 = x5 ^ x1; + x5 = x1; + x1 = x6 ^ x2; + x6 = x2; + x2 = ty ^ x7; + } + + /* Write the local variables back to the SPARKLE-512 state */ +#if defined(LW_UTIL_LITTLE_ENDIAN) + s[0] = x0; + s[1] = y0; + s[2] = x1; + s[3] = y1; + s[4] = x2; + s[5] = y2; + s[6] = x3; + s[7] = y3; + s[8] = x4; + s[9] = y4; + s[10] = x5; + s[11] = y5; + s[12] = x6; + s[13] = y6; + s[14] = x7; + s[15] = y7; +#else + le_store_word32((uint8_t *)&(s[0]), x0); + le_store_word32((uint8_t *)&(s[1]), y0); + le_store_word32((uint8_t *)&(s[2]), x1); + le_store_word32((uint8_t *)&(s[3]), y1); + le_store_word32((uint8_t *)&(s[4]), x2); + le_store_word32((uint8_t *)&(s[5]), y2); + le_store_word32((uint8_t *)&(s[6]), x3); + le_store_word32((uint8_t *)&(s[7]), y3); + le_store_word32((uint8_t *)&(s[8]), x4); + le_store_word32((uint8_t *)&(s[9]), y4); + le_store_word32((uint8_t *)&(s[10]), x5); + le_store_word32((uint8_t *)&(s[11]), y5); + le_store_word32((uint8_t *)&(s[12]), x6); + le_store_word32((uint8_t *)&(s[13]), y6); + le_store_word32((uint8_t *)&(s[14]), x7); + le_store_word32((uint8_t *)&(s[15]), y7); +#endif +} + +#endif 
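Review bot: `steps` is never bounded against the 12-entry `sparkle_rc` table, so `y0 ^= sparkle_rc[step]` in the step loop of sparkle_256 (and the identical line in sparkle_384 and sparkle_512 in this hunk) reads past the array for any `steps` greater than 12. Every caller in sparkle.c passes a fixed constant (7, 10, 11, 8 or 12) and the header lists only those values, so this is a latent contract rather than a live bug, but nothing in the code states the limit. Suggest a precondition comment on the table, `/* Round constants for all SPARKLE steps; callers must pass steps <= 12 */`, or an `assert(steps <= 12);` at the top of each permutation if assert.h is acceptable in this file.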
diff --git a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-spongent.h b/sparkle/Implementations/crypto_hash/esch384v1/rhys/internal-sparkle.h similarity index 63% rename from elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-spongent.h rename to sparkle/Implementations/crypto_hash/esch384v1/rhys/internal-sparkle.h index bb9823f..fbdabc1 100644 --- a/elephant/Implementations/crypto_aead/elephant176v1/rhys-avr/internal-spongent.h +++ b/sparkle/Implementations/crypto_hash/esch384v1/rhys/internal-sparkle.h @@ -20,16 +20,16 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LW_INTERNAL_SPONGENT_H -#define LW_INTERNAL_SPONGENT_H +#ifndef LW_INTERNAL_SPARKLE_H +#define LW_INTERNAL_SPARKLE_H #include "internal-util.h" /** - * \file internal-spongent.h - * \brief Internal implementation of the Spongent-pi permutation. + * \file internal-sparkle.h + * \brief Internal implementation of the SPARKLE permutation. * - * References: https://www.esat.kuleuven.be/cosic/elephant/ + * References: https://www.cryptolux.org/index.php/Sparkle */ #ifdef __cplusplus 
@@ -37,52 +37,43 @@ extern "C" { #endif /** - * \brief Size of the Spongent-pi[160] state in bytes. + * \brief Size of the state for SPARKLE-256. */ -#define SPONGENT160_STATE_SIZE 20 +#define SPARKLE_256_STATE_SIZE 8 /** - * \brief Size of the Spongent-pi[176] state in bytes. + * \brief Size of the state for SPARKLE-384. */ -#define SPONGENT176_STATE_SIZE 22 +#define SPARKLE_384_STATE_SIZE 12 /** - * \brief Structure of the internal state of the Spongent-pi[160] permutation. + * \brief Size of the state for SPARKLE-512. */ -typedef union -{ - uint32_t W[5]; /**< Spongent-pi[160] state as 32-bit words */ - uint8_t B[20]; /**< Spongent-pi[160] state as bytes */ - -} spongent160_state_t; +#define SPARKLE_512_STATE_SIZE 16 /** - * \brief Structure of the internal state of the Spongent-pi[176] permutation. + * \brief Performs the SPARKLE-256 permutation. * - * Note: The state is technically only 176 bits, but we increase it to - * 192 bits so that we can use 32-bit word operations to manipulate the - * state. The extra bits in the last word are fixed to zero. + * \param s The words of the SPARKLE-256 state in little-endian byte order. + * \param steps The number of steps to perform, 7 or 10. */ -typedef union -{ - uint32_t W[6]; /**< Spongent-pi[176] state as 32-bit words */ - uint8_t B[24]; /**< Spongent-pi[176] state as bytes */ - -} spongent176_state_t; +void sparkle_256(uint32_t s[SPARKLE_256_STATE_SIZE], unsigned steps); /** - * \brief Permutes the Spongent-pi[160] state. + * \brief Performs the SPARKLE-384 permutation. * - * \param state The Spongent-pi[160] state to be permuted. + * \param s The words of the SPARKLE-384 state in little-endian byte order. + * \param steps The number of steps to perform, 7 or 11. */ -void spongent160_permute(spongent160_state_t *state); +void sparkle_384(uint32_t s[SPARKLE_384_STATE_SIZE], unsigned steps); /** - * \brief Permutes the Spongent-pi[176] state. + * \brief Performs the SPARKLE-512 permutation. 
* - * \param state The Spongent-pi[176] state to be permuted. + * \param s The words of the SPARKLE-512 state in little-endian byte order. + * \param steps The number of steps to perform, 8 or 12. */ -void spongent176_permute(spongent176_state_t *state); +void sparkle_512(uint32_t s[SPARKLE_512_STATE_SIZE], unsigned steps); #ifdef __cplusplus } diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-util.h b/sparkle/Implementations/crypto_hash/esch384v1/rhys/internal-util.h similarity index 100% rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t256n112v1/rhys-avr/internal-util.h rename to sparkle/Implementations/crypto_hash/esch384v1/rhys/internal-util.h diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys/sparkle.c b/sparkle/Implementations/crypto_hash/esch384v1/rhys/sparkle.c new file mode 100644 index 0000000..e2aa25a --- /dev/null +++ b/sparkle/Implementations/crypto_hash/esch384v1/rhys/sparkle.c 
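Review bot: The new `SPARKLE_*_STATE_SIZE` macros (8, 12, 16) count 32-bit words, but unlike the byte-counted `SPONGENT*_STATE_SIZE` definitions they replace in this renamed header, the `\brief` lines do not name the unit, so a reader who sizes a byte buffer from them would under-allocate by a factor of four. The `uint32_t s[SPARKLE_384_STATE_SIZE]` declarations in sparkle.c confirm that words are intended. Suggest `* \brief Size of the state for SPARKLE-256, in 32-bit words.` with the same wording for the 384 and 512 variants; the `\param steps` lines could also state the upper bound of 12 steps that the `sparkle_rc` table in internal-sparkle.c imposes.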
@@ -0,0 +1,1135 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. 
+ */ + +#include "sparkle.h" +#include "internal-sparkle.h" +#include + +aead_cipher_t const schwaemm_256_128_cipher = { + "Schwaemm256-128", + SCHWAEMM_256_128_KEY_SIZE, + SCHWAEMM_256_128_NONCE_SIZE, + SCHWAEMM_256_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_256_128_aead_encrypt, + schwaemm_256_128_aead_decrypt +}; + +aead_cipher_t const schwaemm_192_192_cipher = { + "Schwaemm192-192", + SCHWAEMM_192_192_KEY_SIZE, + SCHWAEMM_192_192_NONCE_SIZE, + SCHWAEMM_192_192_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_192_192_aead_encrypt, + schwaemm_192_192_aead_decrypt +}; + +aead_cipher_t const schwaemm_128_128_cipher = { + "Schwaemm128-128", + SCHWAEMM_128_128_KEY_SIZE, + SCHWAEMM_128_128_NONCE_SIZE, + SCHWAEMM_128_128_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_128_128_aead_encrypt, + schwaemm_128_128_aead_decrypt +}; + +aead_cipher_t const schwaemm_256_256_cipher = { + "Schwaemm256-256", + SCHWAEMM_256_256_KEY_SIZE, + SCHWAEMM_256_256_NONCE_SIZE, + SCHWAEMM_256_256_TAG_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + schwaemm_256_256_aead_encrypt, + schwaemm_256_256_aead_decrypt +}; + +aead_hash_algorithm_t const esch_256_hash_algorithm = { + "Esch256", + sizeof(esch_256_hash_state_t), + ESCH_256_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + esch_256_hash, + (aead_hash_init_t)esch_256_hash_init, + (aead_hash_update_t)esch_256_hash_update, + (aead_hash_finalize_t)esch_256_hash_finalize, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +aead_hash_algorithm_t const esch_384_hash_algorithm = { + "Esch384", + sizeof(esch_384_hash_state_t), + ESCH_384_HASH_SIZE, + AEAD_FLAG_LITTLE_ENDIAN, + esch_384_hash, + (aead_hash_init_t)esch_384_hash_init, + (aead_hash_update_t)esch_384_hash_update, + (aead_hash_finalize_t)esch_384_hash_finalize, + (aead_xof_absorb_t)0, + (aead_xof_squeeze_t)0 +}; + +/** + * \def DOMAIN(value) + * \brief Build a domain separation value as a 32-bit word. + * + * \param value The base value. + * \return The domain separation value as a 32-bit word. 
+ */ +#if defined(LW_UTIL_LITTLE_ENDIAN) +#define DOMAIN(value) (((uint32_t)(value)) << 24) +#else +#define DOMAIN(value) (value) +#endif + +/** + * \brief Rate at which bytes are processed by Schwaemm256-128. + */ +#define SCHWAEMM_256_128_RATE 32 + +/** + * \brief Pointer to the left of the state for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm256-128. + */ +#define SCHWAEMM_256_128_RIGHT(s) \ + (SCHWAEMM_256_128_LEFT(s) + SCHWAEMM_256_128_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm256-128. + * + * \param s SPARKLE-384 state. + */ +#define schwaemm_256_128_rho(s) \ + do { \ + uint32_t t = s[0]; \ + s[0] = s[4] ^ s[8]; \ + s[4] ^= t ^ s[8]; \ + t = s[1]; \ + s[1] = s[5] ^ s[9]; \ + s[5] ^= t ^ s[9]; \ + t = s[2]; \ + s[2] = s[6] ^ s[10]; \ + s[6] ^= t ^ s[10]; \ + t = s[3]; \ + s[3] = s[7] ^ s[11]; \ + s[7] ^= t ^ s[11]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm256-128. + * + * \param s SPARKLE-384 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. 
+ */ +static void schwaemm_256_128_authenticate + (uint32_t s[SPARKLE_384_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_256_128_RATE) { + schwaemm_256_128_rho(s); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + ad += SCHWAEMM_256_128_RATE; + adlen -= SCHWAEMM_256_128_RATE; + } + if (adlen == SCHWAEMM_256_128_RATE) { + s[11] ^= DOMAIN(0x05); + schwaemm_256_128_rho(s); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)adlen; + s[11] ^= DOMAIN(0x04); + schwaemm_256_128_rho(s); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); +} + +int schwaemm_256_128_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint8_t block[SCHWAEMM_256_128_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_256_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); + memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_128_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + memcpy(c, block, SCHWAEMM_256_128_RATE); + c += SCHWAEMM_256_128_RATE; + m += SCHWAEMM_256_128_RATE; + mlen -= SCHWAEMM_256_128_RATE; + } + if (mlen == SCHWAEMM_256_128_RATE) { + 
lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_256_128_RATE); + s[11] ^= DOMAIN(0x07); + schwaemm_256_128_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + memcpy(c, block, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + s[11] ^= DOMAIN(0x06); + schwaemm_256_128_rho(s); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_384(s, 11); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); + return 0; +} + +int schwaemm_256_128_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_256_128_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_256_128_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_256_128_LEFT(s), npub, SCHWAEMM_256_128_NONCE_SIZE); + memcpy(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_256_128_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_256_128_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_256_128_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); + schwaemm_256_128_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + sparkle_384(s, 7); + c += SCHWAEMM_256_128_RATE; + m += SCHWAEMM_256_128_RATE; + clen -= SCHWAEMM_256_128_RATE; + } + if (clen == SCHWAEMM_256_128_RATE) { + 
lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_256_128_RATE); + s[11] ^= DOMAIN(0x07); + schwaemm_256_128_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_128_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + s[11] ^= DOMAIN(0x06); + schwaemm_256_128_rho(s); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_256_128_RIGHT(s), k, SCHWAEMM_256_128_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_256_128_RIGHT(s), c, SCHWAEMM_256_128_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm192-192. + */ +#define SCHWAEMM_192_192_RATE 24 + +/** + * \brief Pointer to the left of the state for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm192-192. + */ +#define SCHWAEMM_192_192_RIGHT(s) \ + (SCHWAEMM_192_192_LEFT(s) + SCHWAEMM_192_192_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm192-192. + * + * \param s SPARKLE-384 state. + */ +#define schwaemm_192_192_rho(s) \ + do { \ + uint32_t t = s[0]; \ + s[0] = s[3] ^ s[6]; \ + s[3] ^= t ^ s[9]; \ + t = s[1]; \ + s[1] = s[4] ^ s[7]; \ + s[4] ^= t ^ s[10]; \ + t = s[2]; \ + s[2] = s[5] ^ s[8]; \ + s[5] ^= t ^ s[11]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm192-192. + * + * \param s SPARKLE-384 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. 
+ */ +static void schwaemm_192_192_authenticate + (uint32_t s[SPARKLE_384_STATE_SIZE], + const unsigned char *ad, unsigned long long adlen) +{ + while (adlen > SCHWAEMM_192_192_RATE) { + schwaemm_192_192_rho(s); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + ad += SCHWAEMM_192_192_RATE; + adlen -= SCHWAEMM_192_192_RATE; + } + if (adlen == SCHWAEMM_192_192_RATE) { + s[11] ^= DOMAIN(0x09); + schwaemm_192_192_rho(s); + lw_xor_block((unsigned char *)s, ad, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)adlen; + s[11] ^= DOMAIN(0x08); + schwaemm_192_192_rho(s); + lw_xor_block((unsigned char *)s, ad, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); +} + +int schwaemm_192_192_aead_encrypt + (unsigned char *c, unsigned long long *clen, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + uint8_t block[SCHWAEMM_192_192_RATE]; + (void)nsec; + + /* Set the length of the returned ciphertext */ + *clen = mlen + SCHWAEMM_192_192_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); + memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_192_192_authenticate(s, ad, adlen); + + /* Encrypt the plaintext to produce the ciphertext */ + if (mlen > 0) { + while (mlen > SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + memcpy(c, block, SCHWAEMM_192_192_RATE); + c += SCHWAEMM_192_192_RATE; + m += SCHWAEMM_192_192_RATE; + mlen -= SCHWAEMM_192_192_RATE; + } + if (mlen == SCHWAEMM_192_192_RATE) { + 
lw_xor_block_2_src + (block, (unsigned char *)s, m, SCHWAEMM_192_192_RATE); + s[11] ^= DOMAIN(0x0B); + schwaemm_192_192_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + memcpy(c, block, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)mlen; + lw_xor_block_2_src(block, (unsigned char *)s, m, temp); + s[11] ^= DOMAIN(0x0A); + schwaemm_192_192_rho(s); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + memcpy(c, block, temp); + } + sparkle_384(s, 11); + c += mlen; + } + + /* Generate the authentication tag */ + lw_xor_block_2_src + (c, SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); + return 0; +} + +int schwaemm_192_192_aead_decrypt + (unsigned char *m, unsigned long long *mlen, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + uint32_t s[SPARKLE_384_STATE_SIZE]; + unsigned char *mtemp = m; + (void)nsec; + + /* Validate the ciphertext length and set the return "mlen" value */ + if (clen < SCHWAEMM_192_192_TAG_SIZE) + return -1; + *mlen = clen - SCHWAEMM_192_192_TAG_SIZE; + + /* Initialize the state with the nonce and the key */ + memcpy(SCHWAEMM_192_192_LEFT(s), npub, SCHWAEMM_192_192_NONCE_SIZE); + memcpy(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_KEY_SIZE); + sparkle_384(s, 11); + + /* Process the associated data */ + if (adlen > 0) + schwaemm_192_192_authenticate(s, ad, adlen); + + /* Decrypt the ciphertext to produce the plaintext */ + clen -= SCHWAEMM_192_192_TAG_SIZE; + if (clen > 0) { + while (clen > SCHWAEMM_192_192_RATE) { + lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); + schwaemm_192_192_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + sparkle_384(s, 7); + c += SCHWAEMM_192_192_RATE; + m += SCHWAEMM_192_192_RATE; + clen -= SCHWAEMM_192_192_RATE; + } + if (clen == SCHWAEMM_192_192_RATE) { + 
lw_xor_block_2_src + (m, (unsigned char *)s, c, SCHWAEMM_192_192_RATE); + s[11] ^= DOMAIN(0x0B); + schwaemm_192_192_rho(s); + lw_xor_block((unsigned char *)s, m, SCHWAEMM_192_192_RATE); + } else { + unsigned temp = (unsigned)clen; + lw_xor_block_2_src(m, (unsigned char *)s, c, temp); + s[11] ^= DOMAIN(0x0A); + schwaemm_192_192_rho(s); + lw_xor_block((unsigned char *)s, m, temp); + ((unsigned char *)s)[temp] ^= 0x80; + } + sparkle_384(s, 11); + c += clen; + } + + /* Check the authentication tag */ + lw_xor_block(SCHWAEMM_192_192_RIGHT(s), k, SCHWAEMM_192_192_TAG_SIZE); + return aead_check_tag + (mtemp, *mlen, SCHWAEMM_192_192_RIGHT(s), c, SCHWAEMM_192_192_TAG_SIZE); +} + +/** + * \brief Rate at which bytes are processed by Schwaemm128-128. + */ +#define SCHWAEMM_128_128_RATE 16 + +/** + * \brief Pointer to the left of the state for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_LEFT(s) ((unsigned char *)&(s[0])) + +/** + * \brief Pointer to the right of the state for Schwaemm128-128. + */ +#define SCHWAEMM_128_128_RIGHT(s) \ + (SCHWAEMM_128_128_LEFT(s) + SCHWAEMM_128_128_RATE) + +/** + * \brief Perform the rho1 and rate whitening steps for Schwaemm128-128. + * + * \param s SPARKLE-256 state. + */ +#define schwaemm_128_128_rho(s) \ + do { \ + uint32_t t = s[0]; \ + s[0] = s[2] ^ s[4]; \ + s[2] ^= t ^ s[6]; \ + t = s[1]; \ + s[1] = s[3] ^ s[5]; \ + s[3] ^= t ^ s[7]; \ + } while (0) + +/** + * \brief Authenticates the associated data for Schwaemm128-128. + * + * \param s SPARKLE-256 state. + * \param ad Points to the associated data. + * \param adlen Length of the associated data; must be >= 1. 
+ */
+static void schwaemm_128_128_authenticate
+ (uint32_t s[SPARKLE_256_STATE_SIZE],
+ const unsigned char *ad, unsigned long long adlen)
+{
+ while (adlen > SCHWAEMM_128_128_RATE) {
+ schwaemm_128_128_rho(s);
+ lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE);
+ sparkle_256(s, 7);
+ ad += SCHWAEMM_128_128_RATE;
+ adlen -= SCHWAEMM_128_128_RATE;
+ }
+ if (adlen == SCHWAEMM_128_128_RATE) {
+ s[7] ^= DOMAIN(0x05);
+ schwaemm_128_128_rho(s);
+ lw_xor_block((unsigned char *)s, ad, SCHWAEMM_128_128_RATE);
+ } else {
+ unsigned temp = (unsigned)adlen;
+ s[7] ^= DOMAIN(0x04);
+ schwaemm_128_128_rho(s);
+ lw_xor_block((unsigned char *)s, ad, temp);
+ ((unsigned char *)s)[temp] ^= 0x80;
+ }
+ sparkle_256(s, 10);
+}
+
+int schwaemm_128_128_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ uint32_t s[SPARKLE_256_STATE_SIZE];
+ uint8_t block[SCHWAEMM_128_128_RATE];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + SCHWAEMM_128_128_TAG_SIZE;
+
+ /* Initialize the state with the nonce and the key */
+ memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE);
+ memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE);
+ sparkle_256(s, 10);
+
+ /* Process the associated data */
+ if (adlen > 0)
+ schwaemm_128_128_authenticate(s, ad, adlen);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ if (mlen > 0) {
+ while (mlen > SCHWAEMM_128_128_RATE) {
+ lw_xor_block_2_src
+ (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE);
+ schwaemm_128_128_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
+ sparkle_256(s, 7);
+ memcpy(c, block, SCHWAEMM_128_128_RATE);
+ c += SCHWAEMM_128_128_RATE;
+ m += SCHWAEMM_128_128_RATE;
+ mlen -= SCHWAEMM_128_128_RATE;
+ }
+ if (mlen == SCHWAEMM_128_128_RATE) {
+ lw_xor_block_2_src
+ (block, (unsigned char *)s, m, SCHWAEMM_128_128_RATE);
+ s[7] ^= DOMAIN(0x07);
+ schwaemm_128_128_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
+ memcpy(c, block, SCHWAEMM_128_128_RATE);
+ } else {
+ unsigned temp = (unsigned)mlen;
+ lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
+ s[7] ^= DOMAIN(0x06);
+ schwaemm_128_128_rho(s);
+ lw_xor_block((unsigned char *)s, m, temp);
+ ((unsigned char *)s)[temp] ^= 0x80;
+ memcpy(c, block, temp);
+ }
+ sparkle_256(s, 10);
+ c += mlen;
+ }
+
+ /* Generate the authentication tag */
+ lw_xor_block_2_src
+ (c, SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE);
+ return 0;
+}
+
+int schwaemm_128_128_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ uint32_t s[SPARKLE_256_STATE_SIZE];
+ unsigned char *mtemp = m;
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < SCHWAEMM_128_128_TAG_SIZE)
+ return -1;
+ *mlen = clen - SCHWAEMM_128_128_TAG_SIZE;
+
+ /* Initialize the state with the nonce and the key */
+ memcpy(SCHWAEMM_128_128_LEFT(s), npub, SCHWAEMM_128_128_NONCE_SIZE);
+ memcpy(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_KEY_SIZE);
+ sparkle_256(s, 10);
+
+ /* Process the associated data */
+ if (adlen > 0)
+ schwaemm_128_128_authenticate(s, ad, adlen);
+
+ /* Decrypt the ciphertext to produce the plaintext */
+ clen -= SCHWAEMM_128_128_TAG_SIZE;
+ if (clen > 0) {
+ while (clen > SCHWAEMM_128_128_RATE) {
+ lw_xor_block_2_src
+ (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE);
+ schwaemm_128_128_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
+ sparkle_256(s, 7);
+ c += SCHWAEMM_128_128_RATE;
+ m += SCHWAEMM_128_128_RATE;
+ clen -= SCHWAEMM_128_128_RATE;
+ }
+ if (clen == SCHWAEMM_128_128_RATE) {
+ lw_xor_block_2_src
+ (m, (unsigned char *)s, c, SCHWAEMM_128_128_RATE);
+ s[7] ^= DOMAIN(0x07);
+ schwaemm_128_128_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_128_128_RATE);
+ } else {
+ unsigned temp = (unsigned)clen;
+ lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
+ s[7] ^= DOMAIN(0x06);
+ schwaemm_128_128_rho(s);
+ lw_xor_block((unsigned char *)s, m, temp);
+ ((unsigned char *)s)[temp] ^= 0x80;
+ }
+ sparkle_256(s, 10);
+ c += clen;
+ }
+
+ /* Check the authentication tag */
+ lw_xor_block(SCHWAEMM_128_128_RIGHT(s), k, SCHWAEMM_128_128_TAG_SIZE);
+ return aead_check_tag
+ (mtemp, *mlen, SCHWAEMM_128_128_RIGHT(s), c, SCHWAEMM_128_128_TAG_SIZE);
+}
+
+/**
+ * \brief Rate at which bytes are processed by Schwaemm256-256.
+ */
+#define SCHWAEMM_256_256_RATE 32
+
+/**
+ * \brief Pointer to the left of the state for Schwaemm256-256.
+ */
+#define SCHWAEMM_256_256_LEFT(s) ((unsigned char *)&(s[0]))
+
+/**
+ * \brief Pointer to the right of the state for Schwaemm256-256.
+ */
+#define SCHWAEMM_256_256_RIGHT(s) \
+ (SCHWAEMM_256_256_LEFT(s) + SCHWAEMM_256_256_RATE)
+
+/**
+ * \brief Perform the rho1 and rate whitening steps for Schwaemm256-256.
+ *
+ * \param s SPARKLE-512 state.
+ */
+#define schwaemm_256_256_rho(s) \
+ do { \
+ uint32_t t = s[0]; \
+ s[0] = s[4] ^ s[8]; \
+ s[4] ^= t ^ s[12]; \
+ t = s[1]; \
+ s[1] = s[5] ^ s[9]; \
+ s[5] ^= t ^ s[13]; \
+ t = s[2]; \
+ s[2] = s[6] ^ s[10]; \
+ s[6] ^= t ^ s[14]; \
+ t = s[3]; \
+ s[3] = s[7] ^ s[11]; \
+ s[7] ^= t ^ s[15]; \
+ } while (0)
+
+/**
+ * \brief Authenticates the associated data for Schwaemm256-256.
+ *
+ * \param s SPARKLE-512 state.
+ * \param ad Points to the associated data.
+ * \param adlen Length of the associated data; must be >= 1.
+ */
+static void schwaemm_256_256_authenticate
+ (uint32_t s[SPARKLE_512_STATE_SIZE],
+ const unsigned char *ad, unsigned long long adlen)
+{
+ while (adlen > SCHWAEMM_256_256_RATE) {
+ schwaemm_256_256_rho(s);
+ lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE);
+ sparkle_512(s, 8);
+ ad += SCHWAEMM_256_256_RATE;
+ adlen -= SCHWAEMM_256_256_RATE;
+ }
+ if (adlen == SCHWAEMM_256_256_RATE) {
+ s[15] ^= DOMAIN(0x11);
+ schwaemm_256_256_rho(s);
+ lw_xor_block((unsigned char *)s, ad, SCHWAEMM_256_256_RATE);
+ } else {
+ unsigned temp = (unsigned)adlen;
+ s[15] ^= DOMAIN(0x10);
+ schwaemm_256_256_rho(s);
+ lw_xor_block((unsigned char *)s, ad, temp);
+ ((unsigned char *)s)[temp] ^= 0x80;
+ }
+ sparkle_512(s, 12);
+}
+
+int schwaemm_256_256_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ uint32_t s[SPARKLE_512_STATE_SIZE];
+ uint8_t block[SCHWAEMM_256_256_RATE];
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + SCHWAEMM_256_256_TAG_SIZE;
+
+ /* Initialize the state with the nonce and the key */
+ memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE);
+ memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE);
+ sparkle_512(s, 12);
+
+ /* Process the associated data */
+ if (adlen > 0)
+ schwaemm_256_256_authenticate(s, ad, adlen);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ if (mlen > 0) {
+ while (mlen > SCHWAEMM_256_256_RATE) {
+ lw_xor_block_2_src
+ (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE);
+ schwaemm_256_256_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
+ sparkle_512(s, 8);
+ memcpy(c, block, SCHWAEMM_256_256_RATE);
+ c += SCHWAEMM_256_256_RATE;
+ m += SCHWAEMM_256_256_RATE;
+ mlen -= SCHWAEMM_256_256_RATE;
+ }
+ if (mlen == SCHWAEMM_256_256_RATE) {
+ lw_xor_block_2_src
+ (block, (unsigned char *)s, m, SCHWAEMM_256_256_RATE);
+ s[15] ^= DOMAIN(0x13);
+ schwaemm_256_256_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
+ memcpy(c, block, SCHWAEMM_256_256_RATE);
+ } else {
+ unsigned temp = (unsigned)mlen;
+ lw_xor_block_2_src(block, (unsigned char *)s, m, temp);
+ s[15] ^= DOMAIN(0x12);
+ schwaemm_256_256_rho(s);
+ lw_xor_block((unsigned char *)s, m, temp);
+ ((unsigned char *)s)[temp] ^= 0x80;
+ memcpy(c, block, temp);
+ }
+ sparkle_512(s, 12);
+ c += mlen;
+ }
+
+ /* Generate the authentication tag */
+ lw_xor_block_2_src
+ (c, SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE);
+ return 0;
+}
+
+int schwaemm_256_256_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ uint32_t s[SPARKLE_512_STATE_SIZE];
+ unsigned char *mtemp = m;
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < SCHWAEMM_256_256_TAG_SIZE)
+ return -1;
+ *mlen = clen - SCHWAEMM_256_256_TAG_SIZE;
+
+ /* Initialize the state with the nonce and the key */
+ memcpy(SCHWAEMM_256_256_LEFT(s), npub, SCHWAEMM_256_256_NONCE_SIZE);
+ memcpy(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_KEY_SIZE);
+ sparkle_512(s, 12);
+
+ /* Process the associated data */
+ if (adlen > 0)
+ schwaemm_256_256_authenticate(s, ad, adlen);
+
+ /* Decrypt the ciphertext to produce the plaintext */
+ clen -= SCHWAEMM_256_256_TAG_SIZE;
+ if (clen > 0) {
+ while (clen > SCHWAEMM_256_256_RATE) {
+ lw_xor_block_2_src
+ (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE);
+ schwaemm_256_256_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
+ sparkle_512(s, 8);
+ c += SCHWAEMM_256_256_RATE;
+ m += SCHWAEMM_256_256_RATE;
+ clen -= SCHWAEMM_256_256_RATE;
+ }
+ if (clen == SCHWAEMM_256_256_RATE) {
+ lw_xor_block_2_src
+ (m, (unsigned char *)s, c, SCHWAEMM_256_256_RATE);
+ s[15] ^= DOMAIN(0x13);
+ schwaemm_256_256_rho(s);
+ lw_xor_block((unsigned char *)s, m, SCHWAEMM_256_256_RATE);
+ } else {
+ unsigned temp = (unsigned)clen;
+ lw_xor_block_2_src(m, (unsigned char *)s, c, temp);
+ s[15] ^= DOMAIN(0x12);
+ schwaemm_256_256_rho(s);
+ lw_xor_block((unsigned char *)s, m, temp);
+ ((unsigned char *)s)[temp] ^= 0x80;
+ }
+ sparkle_512(s, 12);
+ c += clen;
+ }
+
+ /* Check the authentication tag */
+ lw_xor_block(SCHWAEMM_256_256_RIGHT(s), k, SCHWAEMM_256_256_TAG_SIZE);
+ return aead_check_tag
+ (mtemp, *mlen, SCHWAEMM_256_256_RIGHT(s), c, SCHWAEMM_256_256_TAG_SIZE);
+}
+
+/**
+ * \brief Rate at which bytes are processed by Esch256.
+ */
+#define ESCH_256_RATE 16
+
+/**
+ * \brief Perform the M3 step for Esch256 to mix the input with the state.
+ *
+ * \param s SPARKLE-384 state.
+ * \param block Block of input data that has been padded to the rate.
+ * \param domain Domain separator for this phase.
+ */
+#define esch_256_m3(s, block, domain) \
+ do { \
+ uint32_t tx = (block)[0] ^ (block)[2]; \
+ uint32_t ty = (block)[1] ^ (block)[3]; \
+ tx = leftRotate16(tx ^ (tx << 16)); \
+ ty = leftRotate16(ty ^ (ty << 16)); \
+ s[0] ^= (block)[0] ^ ty; \
+ s[1] ^= (block)[1] ^ tx; \
+ s[2] ^= (block)[2] ^ ty; \
+ s[3] ^= (block)[3] ^ tx; \
+ if ((domain) != 0) \
+ s[5] ^= DOMAIN(domain); \
+ s[4] ^= ty; \
+ s[5] ^= tx; \
+ } while (0)
+
+/** @cond esch_256 */
+
+/**
+ * \brief Word-based state for the Esch256 incremental hash mode.
+ */
+typedef union
+{
+ struct {
+ uint32_t state[SPARKLE_384_STATE_SIZE];
+ uint32_t block[4];
+ unsigned char count;
+ } s;
+ unsigned long long align;
+
+} esch_256_hash_state_wt;
+
+/** @endcond */
+
+int esch_256_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ uint32_t s[SPARKLE_384_STATE_SIZE];
+ uint32_t block[ESCH_256_RATE / 4];
+ memset(s, 0, sizeof(s));
+ while (inlen > ESCH_256_RATE) {
+ memcpy(block, in, ESCH_256_RATE);
+ esch_256_m3(s, block, 0x00);
+ sparkle_384(s, 7);
+ in += ESCH_256_RATE;
+ inlen -= ESCH_256_RATE;
+ }
+ if (inlen == ESCH_256_RATE) {
+ memcpy(block, in, ESCH_256_RATE);
+ esch_256_m3(s, block, 0x02);
+ } else {
+ unsigned temp = (unsigned)inlen;
+ memcpy(block, in, temp);
+ ((unsigned char *)block)[temp] = 0x80;
+ memset(((unsigned char *)block) + temp + 1, 0,
+ ESCH_256_RATE - temp - 1);
+ esch_256_m3(s, block, 0x01);
+ }
+ sparkle_384(s, 11);
+ memcpy(out, s, ESCH_256_RATE);
+ sparkle_384(s, 7);
+ memcpy(out + ESCH_256_RATE, s, ESCH_256_RATE);
+ return 0;
+}
+
+void esch_256_hash_init(esch_256_hash_state_t *state)
+{
+ memset(state, 0, sizeof(esch_256_hash_state_t));
+}
+
+void esch_256_hash_update
+ (esch_256_hash_state_t *state, const unsigned char *in,
+ unsigned long long inlen)
+{
+ esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state;
+ unsigned temp;
+ while (inlen > 0) {
+ if (st->s.count == ESCH_256_RATE) {
+ esch_256_m3(st->s.state, st->s.block, 0x00);
+ sparkle_384(st->s.state, 7);
+ st->s.count = 0;
+ }
+ temp = ESCH_256_RATE - st->s.count;
+ if (temp > inlen)
+ temp = (unsigned)inlen;
+ memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp);
+ st->s.count += temp;
+ in += temp;
+ inlen -= temp;
+ }
+}
+
+void esch_256_hash_finalize
+ (esch_256_hash_state_t *state, unsigned char *out)
+{
+ esch_256_hash_state_wt *st = (esch_256_hash_state_wt *)state;
+
+ /* Pad and process the last block */
+ if (st->s.count == ESCH_256_RATE) {
+ esch_256_m3(st->s.state, st->s.block, 0x02);
+ } else {
+ unsigned temp = st->s.count;
+ ((unsigned char *)(st->s.block))[temp] = 0x80;
+ memset(((unsigned char *)(st->s.block)) + temp + 1, 0,
+ ESCH_256_RATE - temp - 1);
+ esch_256_m3(st->s.state, st->s.block, 0x01);
+ }
+ sparkle_384(st->s.state, 11);
+
+ /* Generate the final hash value */
+ memcpy(out, st->s.state, ESCH_256_RATE);
+ sparkle_384(st->s.state, 7);
+ memcpy(out + ESCH_256_RATE, st->s.state, ESCH_256_RATE);
+}
+
+/**
+ * \brief Rate at which bytes are processed by Esch384.
+ */
+#define ESCH_384_RATE 16
+
+/**
+ * \brief Perform the M4 step for Esch384 to mix the input with the state.
+ *
+ * \param s SPARKLE-512 state.
+ * \param block Block of input data that has been padded to the rate.
+ * \param domain Domain separator for this phase.
+ */
+#define esch_384_m4(s, block, domain) \
+ do { \
+ uint32_t tx = block[0] ^ block[2]; \
+ uint32_t ty = block[1] ^ block[3]; \
+ tx = leftRotate16(tx ^ (tx << 16)); \
+ ty = leftRotate16(ty ^ (ty << 16)); \
+ s[0] ^= block[0] ^ ty; \
+ s[1] ^= block[1] ^ tx; \
+ s[2] ^= block[2] ^ ty; \
+ s[3] ^= block[3] ^ tx; \
+ if ((domain) != 0) \
+ s[7] ^= DOMAIN(domain); \
+ s[4] ^= ty; \
+ s[5] ^= tx; \
+ s[6] ^= ty; \
+ s[7] ^= tx; \
+ } while (0)
+
+/** @cond esch_384 */
+
+/**
+ * \brief Word-based state for the Esch384 incremental hash mode.
+ */
+typedef union
+{
+ struct {
+ uint32_t state[SPARKLE_512_STATE_SIZE];
+ uint32_t block[4];
+ unsigned char count;
+ } s;
+ unsigned long long align;
+
+} esch_384_hash_state_wt;
+
+/** @endcond */
+
+int esch_384_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ uint32_t s[SPARKLE_512_STATE_SIZE];
+ uint32_t block[ESCH_256_RATE / 4];
+ memset(s, 0, sizeof(s));
+ while (inlen > ESCH_384_RATE) {
+ memcpy(block, in, ESCH_384_RATE);
+ esch_384_m4(s, block, 0x00);
+ sparkle_512(s, 8);
+ in += ESCH_384_RATE;
+ inlen -= ESCH_384_RATE;
+ }
+ if (inlen == ESCH_384_RATE) {
+ memcpy(block, in, ESCH_384_RATE);
+ esch_384_m4(s, block, 0x02);
+ } else {
+ unsigned temp = (unsigned)inlen;
+ memcpy(block, in, temp);
+ ((unsigned char *)block)[temp] = 0x80;
+ memset(((unsigned char *)block) + temp + 1, 0,
+ ESCH_384_RATE - temp - 1);
+ esch_384_m4(s, block, 0x01);
+ }
+ sparkle_512(s, 12);
+ memcpy(out, s, ESCH_384_RATE);
+ sparkle_512(s, 8);
+ memcpy(out + ESCH_384_RATE, s, ESCH_384_RATE);
+ sparkle_512(s, 8);
+ memcpy(out + ESCH_384_RATE * 2, s, ESCH_384_RATE);
+ return 0;
+}
+
+void esch_384_hash_init(esch_384_hash_state_t *state)
+{
+ memset(state, 0, sizeof(esch_384_hash_state_t));
+}
+
+void esch_384_hash_update
+ (esch_384_hash_state_t *state, const unsigned char *in,
+ unsigned long long inlen)
+{
+ esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state;
+ unsigned temp;
+ while (inlen > 0) {
+ if (st->s.count == ESCH_384_RATE) {
+ esch_384_m4(st->s.state, st->s.block, 0x00);
+ sparkle_512(st->s.state, 8);
+ st->s.count = 0;
+ }
+ temp = ESCH_384_RATE - st->s.count;
+ if (temp > inlen)
+ temp = (unsigned)inlen;
+ memcpy(((unsigned char *)(st->s.block)) + st->s.count, in, temp);
+ st->s.count += temp;
+ in += temp;
+ inlen -= temp;
+ }
+}
+
+void esch_384_hash_finalize
+ (esch_384_hash_state_t *state, unsigned char *out)
+{
+ esch_384_hash_state_wt *st = (esch_384_hash_state_wt *)state;
+
+ /* Pad and process the last block */
+ if (st->s.count == ESCH_384_RATE) {
+ esch_384_m4(st->s.state, st->s.block, 0x02);
+ } else {
+ unsigned temp = st->s.count;
+ ((unsigned char *)(st->s.block))[temp] = 0x80;
+ memset(((unsigned char *)(st->s.block)) + temp + 1, 0,
+ ESCH_384_RATE - temp - 1);
+ esch_384_m4(st->s.state, st->s.block, 0x01);
+ }
+ sparkle_512(st->s.state, 12);
+
+ /* Generate the final hash value */
+ memcpy(out, st->s.state, ESCH_384_RATE);
+ sparkle_512(st->s.state, 8);
+ memcpy(out + ESCH_384_RATE, st->s.state, ESCH_384_RATE);
+ sparkle_512(st->s.state, 8);
+ memcpy(out + ESCH_384_RATE * 2, st->s.state, ESCH_384_RATE);
+}
diff --git a/sparkle/Implementations/crypto_hash/esch384v1/rhys/sparkle.h b/sparkle/Implementations/crypto_hash/esch384v1/rhys/sparkle.h
new file mode 100644
index 0000000..dd0999e
--- /dev/null
+++ b/sparkle/Implementations/crypto_hash/esch384v1/rhys/sparkle.h
@@ -0,0 +1,515 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LWCRYPTO_SPARKLE_H
+#define LWCRYPTO_SPARKLE_H
+
+#include "aead-common.h"
+
+/**
+ * \file sparkle.h
+ * \brief Encryption and hash algorithms based on the SPARKLE permutation.
+ *
+ * SPARKLE is a family of encryption and hash algorithms that are based
+ * around the SPARKLE permutation. There are three versions of the
+ * permutation with 256-bit, 384-bit, and 512-bit state sizes.
+ * The algorithms in the family are:
+ *
+ * \li Schwaemm256-128 with a 128-bit key, a 256-bit nonce, and a 128-bit tag.
+ * This is the primary encryption algorithm in the family.
+ * \li Schwaemm192-192 with a 192-bit key, a 192-bit nonce, and a 192-bit tag.
+ * \li Schwaemm128-128 with a 128-bit key, a 128-bit nonce, and a 128-bit tag.
+ * \li Schwaemm256-256 with a 256-bit key, a 256-bit nonce, and a 256-bit tag.
+ * \li Esch256 hash algorithm with a 256-bit digest output. This is the
+ * primary hash algorithm in the family.
+ * \li Esch384 hash algorithm with a 384-bit digest output.
+ *
+ * References: https://www.cryptolux.org/index.php/Sparkle
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Size of the key for Schwaemm256-128.
+ */
+#define SCHWAEMM_256_128_KEY_SIZE 16
+
+/**
+ * \brief Size of the authentication tag for Schwaemm256-128.
+ */
+#define SCHWAEMM_256_128_TAG_SIZE 16
+
+/**
+ * \brief Size of the nonce for Schwaemm256-128.
+ */
+#define SCHWAEMM_256_128_NONCE_SIZE 32
+
+/**
+ * \brief Size of the key for Schwaemm192-192.
+ */
+#define SCHWAEMM_192_192_KEY_SIZE 24
+
+/**
+ * \brief Size of the authentication tag for Schwaemm192-192.
+ */
+#define SCHWAEMM_192_192_TAG_SIZE 24
+
+/**
+ * \brief Size of the nonce for Schwaemm192-192.
+ */
+#define SCHWAEMM_192_192_NONCE_SIZE 24
+
+/**
+ * \brief Size of the key for Schwaemm128-128.
+ */
+#define SCHWAEMM_128_128_KEY_SIZE 16
+
+/**
+ * \brief Size of the authentication tag for Schwaemm128-128.
+ */
+#define SCHWAEMM_128_128_TAG_SIZE 16
+
+/**
+ * \brief Size of the nonce for Schwaemm128-128.
+ */
+#define SCHWAEMM_128_128_NONCE_SIZE 16
+
+/**
+ * \brief Size of the key for Schwaemm256-256.
+ */
+#define SCHWAEMM_256_256_KEY_SIZE 32
+
+/**
+ * \brief Size of the authentication tag for Schwaemm256-256.
+ */
+#define SCHWAEMM_256_256_TAG_SIZE 32
+
+/**
+ * \brief Size of the nonce for Schwaemm256-256.
+ */
+#define SCHWAEMM_256_256_NONCE_SIZE 32
+
+/**
+ * \brief Size of the hash output for Esch256.
+ */
+#define ESCH_256_HASH_SIZE 32
+
+/**
+ * \brief Size of the hash output for Esch384.
+ */
+#define ESCH_384_HASH_SIZE 48
+
+/**
+ * \brief Meta-information block for the Schwaemm256-128 cipher.
+ */
+extern aead_cipher_t const schwaemm_256_128_cipher;
+
+/**
+ * \brief Meta-information block for the Schwaemm192-192 cipher.
+ */
+extern aead_cipher_t const schwaemm_192_192_cipher;
+
+/**
+ * \brief Meta-information block for the Schwaemm128-128 cipher.
+ */
+extern aead_cipher_t const schwaemm_128_128_cipher;
+
+/**
+ * \brief Meta-information block for the Schwaemm256-256 cipher.
+ */
+extern aead_cipher_t const schwaemm_256_256_cipher;
+
+/**
+ * \brief Meta-information block for the Esch256 hash algorithm.
+ */
+extern aead_hash_algorithm_t const esch_256_hash_algorithm;
+
+/**
+ * \brief Meta-information block for the Esch384 hash algorithm.
+ */
+extern aead_hash_algorithm_t const esch_384_hash_algorithm;
+
+/**
+ * \brief State information for the Esch256 incremental hash mode.
+ */
+typedef union
+{
+ struct {
+ unsigned char state[48]; /**< Current hash state */
+ unsigned char block[16]; /**< Partial input data block */
+ unsigned char count; /**< Number of bytes in the current block */
+ } s; /**< State */
+ unsigned long long align; /**< For alignment of this structure */
+
+} esch_256_hash_state_t;
+
+/**
+ * \brief State information for the Esch384 incremental hash mode.
+ */
+typedef union
+{
+ struct {
+ unsigned char state[64]; /**< Current hash state */
+ unsigned char block[16]; /**< Partial input data block */
+ unsigned char count; /**< Number of bytes in the current block */
+ } s; /**< State */
+ unsigned long long align; /**< For alignment of this structure */
+
+} esch_384_hash_state_t;
+
+/**
+ * \brief Encrypts and authenticates a packet with Schwaemm256-128.
+ *
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ * the ciphertext and the 16 byte authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param npub Points to the public nonce for the packet which must
+ * be 32 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to encrypt the packet.
+ *
+ * \return 0 on success, or a negative value if there was an error in
+ * the parameters.
+ *
+ * \sa schwaemm_256_128_aead_decrypt()
+ */
+int schwaemm_256_128_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Decrypts and authenticates a packet with Schwaemm256-128.
+ *
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param c Buffer that contains the ciphertext and authentication
+ * tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ * ciphertext and the 16 byte authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet which must
+ * be 32 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to decrypt the packet.
+ *
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ * or some other negative number if there was an error in the parameters.
+ *
+ * \sa schwaemm_256_128_aead_encrypt()
+ */
+int schwaemm_256_128_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Encrypts and authenticates a packet with Schwaemm192-192.
+ *
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ * the ciphertext and the 24 byte authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param npub Points to the public nonce for the packet which must
+ * be 24 bytes in length.
+ * \param k Points to the 24 bytes of the key to use to encrypt the packet.
+ *
+ * \return 0 on success, or a negative value if there was an error in
+ * the parameters.
+ *
+ * \sa schwaemm_192_192_aead_decrypt()
+ */
+int schwaemm_192_192_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Decrypts and authenticates a packet with Schwaemm192-192.
+ *
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param c Buffer that contains the ciphertext and authentication
+ * tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ * ciphertext and the 24 byte authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet which must
+ * be 24 bytes in length.
+ * \param k Points to the 24 bytes of the key to use to decrypt the packet.
+ *
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ * or some other negative number if there was an error in the parameters.
+ *
+ * \sa schwaemm_192_192_aead_encrypt()
+ */
+int schwaemm_192_192_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Encrypts and authenticates a packet with Schwaemm128-128.
+ *
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ * the ciphertext and the 16 byte authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to encrypt the packet.
+ *
+ * \return 0 on success, or a negative value if there was an error in
+ * the parameters.
+ *
+ * \sa schwaemm_128_128_aead_decrypt()
+ */
+int schwaemm_128_128_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Decrypts and authenticates a packet with Schwaemm128-128.
+ *
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param c Buffer that contains the ciphertext and authentication
+ * tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ * ciphertext and the 16 byte authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to decrypt the packet.
+ *
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ * or some other negative number if there was an error in the parameters.
+ *
+ * \sa schwaemm_128_128_aead_encrypt()
+ */
+int schwaemm_128_128_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Encrypts and authenticates a packet with Schwaemm256-256.
+ *
+ * \param c Buffer to receive the output.
+ * \param clen On exit, set to the length of the output which includes
+ * the ciphertext and the 16 byte authentication tag.
+ * \param m Buffer that contains the plaintext message to encrypt.
+ * \param mlen Length of the plaintext message in bytes.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to encrypt the packet.
+ *
+ * \return 0 on success, or a negative value if there was an error in
+ * the parameters.
+ *
+ * \sa schwaemm_256_256_aead_decrypt()
+ */
+int schwaemm_256_256_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Decrypts and authenticates a packet with Schwaemm256-256.
+ *
+ * \param m Buffer to receive the plaintext message on output.
+ * \param mlen Receives the length of the plaintext message on output.
+ * \param nsec Secret nonce - not used by this algorithm.
+ * \param c Buffer that contains the ciphertext and authentication
+ * tag to decrypt.
+ * \param clen Length of the input data in bytes, which includes the
+ * ciphertext and the 16 byte authentication tag.
+ * \param ad Buffer that contains associated data to authenticate
+ * along with the packet but which does not need to be encrypted.
+ * \param adlen Length of the associated data in bytes.
+ * \param npub Points to the public nonce for the packet which must
+ * be 16 bytes in length.
+ * \param k Points to the 16 bytes of the key to use to decrypt the packet.
+ *
+ * \return 0 on success, -1 if the authentication tag was incorrect,
+ * or some other negative number if there was an error in the parameters.
+ *
+ * \sa schwaemm_256_256_aead_encrypt()
+ */
+int schwaemm_256_256_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k);
+
+/**
+ * \brief Hashes a block of input data with Esch256 to generate a hash value.
+ *
+ * \param out Buffer to receive the hash output which must be at least
+ * ESCH_256_HASH_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
+ *
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
+ */
+int esch_256_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen);
+
+/**
+ * \brief Initializes the state for an Esch256 hashing operation.
+ *
+ * \param state Hash state to be initialized.
+ *
+ * \sa esch_256_hash_update(), esch_256_hash_finalize(), esch_256_hash()
+ */
+void esch_256_hash_init(esch_256_hash_state_t *state);
+
+/**
+ * \brief Updates an Esch256 state with more input data.
+ *
+ * \param state Hash state to be updated.
+ * \param in Points to the input data to be incorporated into the state.
+ * \param inlen Length of the input data to be incorporated into the state.
+ *
+ * \sa esch_256_hash_init(), esch_256_hash_finalize()
+ */
+void esch_256_hash_update
+ (esch_256_hash_state_t *state, const unsigned char *in,
+ unsigned long long inlen);
+
+/**
+ * \brief Returns the final hash value from an Esch256 hashing operation.
+ *
+ * \param state Hash state to be finalized.
+ * \param out Points to the output buffer to receive the 32-byte hash value.
+ *
+ * \sa esch_256_hash_init(), esch_256_hash_update()
+ */
+void esch_256_hash_finalize
+ (esch_256_hash_state_t *state, unsigned char *out);
+
+/**
+ * \brief Hashes a block of input data with Esch384 to generate a hash value.
+ *
+ * \param out Buffer to receive the hash output which must be at least
+ * ESCH_384_HASH_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
+ *
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
+ */
+int esch_384_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen);
+
+/**
+ * \brief Initializes the state for an Esch384 hashing operation.
+ *
+ * \param state Hash state to be initialized.
+ *
+ * \sa esch_384_hash_update(), esch_384_hash_finalize(), esch_384_hash()
+ */
+void esch_384_hash_init(esch_384_hash_state_t *state);
+
+/**
+ * \brief Updates an Esch384 state with more input data.
+ *
+ * \param state Hash state to be updated.
+ * \param in Points to the input data to be incorporated into the state.
+ * \param inlen Length of the input data to be incorporated into the state.
+ *
+ * \sa esch_384_hash_init(), esch_384_hash_finalize()
+ */
+void esch_384_hash_update
+ (esch_384_hash_state_t *state, const unsigned char *in,
+ unsigned long long inlen);
+
+/**
+ * \brief Returns the final hash value from an Esch384 hashing operation.
+ *
+ * \param state Hash state to be finalized.
+ * \param out Points to the output buffer to receive the 48-byte hash value.
+ *
+ * \sa esch_384_hash_init(), esch_384_hash_update()
+ */
+void esch_384_hash_finalize
+ (esch_384_hash_state_t *state, unsigned char *out);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/aead-common.c b/spix/Implementations/crypto_aead/spix128v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/aead-common.c
+++ /dev/null
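Review bot: The Doxygen blocks for schwaemm_256_256_aead_encrypt() and schwaemm_256_256_aead_decrypt() describe a 16 byte authentication tag, a nonce that "must be 16 bytes in length" and "the 16 bytes of the key", but SCHWAEMM_256_256_KEY_SIZE, SCHWAEMM_256_256_TAG_SIZE and SCHWAEMM_256_256_NONCE_SIZE are all defined as 32 earlier in this header, and the file-level summary also lists Schwaemm256-256 with a 256-bit key, nonce and tag. The text appears to have been copied from the Schwaemm128-128 block; a caller that sizes its key, nonce or output buffers from the comment rather than the macros would under-allocate and the encrypt path would write the 32-byte tag past the end of a 16-byte-sized buffer. In both comments change the three values to `the ciphertext and the 32 byte authentication tag.`, `be 32 bytes in length.` and `\param k Points to the 32 bytes of the key to use to encrypt the packet.` (decrypt accordingly), or better, reference the SCHWAEMM_256_256_*_SIZE macros so the prose cannot drift from the definitions again.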
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/aead-common.h b/spix/Implementations/crypto_aead/spix128v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/api.h b/spix/Implementations/crypto_aead/spix128v1/rhys-avr/api.h
deleted file mode 100644
index b2f8a36..0000000
--- a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/encrypt.c b/spix/Implementations/crypto_aead/spix128v1/rhys-avr/encrypt.c
deleted file mode 100644
index facb770..0000000
--- a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "spix.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return spix_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return spix_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/internal-sliscp-256-spix-avr.S b/spix/Implementations/crypto_aead/spix128v1/rhys-avr/internal-sliscp-256-spix-avr.S
deleted file mode 100644
index f8cadd9..0000000
--- a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/internal-sliscp-256-spix-avr.S
+++ /dev/null
@@ -1,1129 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 72 -table_0: - .byte 15 - .byte 71 - .byte 8 - .byte 100 - .byte 4 - .byte 178 - .byte 134 - .byte 107 - .byte 67 - .byte 181 - .byte 226 - .byte 111 - .byte 241 - .byte 55 - .byte 137 - .byte 44 - .byte 68 - .byte 150 - .byte 230 - .byte 221 - .byte 115 - .byte 238 - .byte 202 - .byte 153 - .byte 229 - .byte 76 - .byte 23 - .byte 234 - .byte 11 - .byte 245 - .byte 142 - .byte 15 - .byte 71 - .byte 7 - .byte 100 - .byte 4 - .byte 178 - .byte 130 - .byte 107 - .byte 67 - .byte 181 - .byte 161 - .byte 111 - .byte 241 - .byte 55 - .byte 120 - .byte 44 - .byte 68 - .byte 150 - .byte 162 - .byte 221 - .byte 115 - .byte 238 - .byte 185 - .byte 153 - .byte 229 - .byte 76 - .byte 242 - .byte 234 - .byte 11 - .byte 245 - .byte 133 - .byte 15 - .byte 71 - .byte 7 - .byte 35 - .byte 4 - .byte 178 - .byte 130 - .byte 217 - .byte 67 - .byte 181 - - .text -.global sliscp_light256_permute_spix - .type sliscp_light256_permute_spix, @function -sliscp_light256_permute_spix: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 32 - ld r21,Z - ldd r20,Z+1 - ldd r19,Z+2 - ldd r18,Z+3 - ldd r3,Z+4 - ldd r2,Z+5 - ldd r27,Z+6 - ldd r26,Z+7 - ldd r7,Z+16 - ldd r6,Z+17 - ldd r5,Z+18 - ldd r4,Z+19 - ldd r11,Z+20 - ldd r10,Z+21 - ldd r9,Z+22 - ldd r8,Z+23 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - std Y+5,r26 - std Y+6,r27 - std Y+7,r2 - std Y+8,r3 - std Y+9,r4 - std Y+10,r5 - std Y+11,r6 - std Y+12,r7 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - ldd r21,Z+8 - ldd r20,Z+9 - ldd r19,Z+10 - ldd r18,Z+11 - ldd r3,Z+24 - ldd 
r2,Z+25 - ldd r27,Z+26 - ldd r26,Z+27 - ldd r7,Z+12 - ldd r6,Z+13 - ldd r5,Z+14 - ldd r4,Z+15 - ldd r11,Z+28 - ldd r10,Z+29 - ldd r9,Z+30 - ldd r8,Z+31 - push r31 - push r30 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r23,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r23 -#endif - mov r30,r1 -52: -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - inc r30 - movw r12,r18 - movw r14,r20 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r26,r12 - eor r27,r13 - eor r2,r14 - eor r3,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r18 - and r13,r19 - and r14,r20 - and r15,r21 - eor r26,r12 - eor r27,r13 - eor r2,r14 - eor r3,r15 - com r27 - com r2 - com r3 - ldi r24,255 - lsr r23 - rol r24 - eor r26,r24 - movw r12,r26 - movw r14,r2 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r26 - and r13,r27 - and r14,r2 - and r15,r3 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - com r19 - com r20 - com r21 - ldi r24,255 - lsr r23 - rol r24 - eor r18,r24 - movw r12,r18 - movw r14,r20 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r26,r12 - eor r27,r13 - eor r2,r14 - eor r3,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r18 - and r13,r19 - and r14,r20 - and r15,r21 - 
eor r26,r12 - eor r27,r13 - eor r2,r14 - eor r3,r15 - com r27 - com r2 - com r3 - ldi r24,255 - lsr r23 - rol r24 - eor r26,r24 - movw r12,r26 - movw r14,r2 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r26 - and r13,r27 - and r14,r2 - and r15,r3 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - com r19 - com r20 - com r21 - ldi r24,255 - lsr r23 - rol r24 - eor r18,r24 - movw r12,r18 - movw r14,r20 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r26,r12 - eor r27,r13 - eor r2,r14 - eor r3,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r18 - and r13,r19 - and r14,r20 - and r15,r21 - eor r26,r12 - eor r27,r13 - eor r2,r14 - eor r3,r15 - com r27 - com r2 - com r3 - ldi r24,255 - lsr r23 - rol r24 - eor r26,r24 - movw r12,r26 - movw r14,r2 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r26 - and r13,r27 - and r14,r2 - and r15,r3 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - com r19 - com r20 - com r21 - ldi r24,255 - lsr r23 - rol r24 - eor r18,r24 - movw r12,r18 - movw r14,r20 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r26,r12 - eor r27,r13 - eor r2,r14 - eor r3,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol 
r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r18 - and r13,r19 - and r14,r20 - and r15,r21 - eor r26,r12 - eor r27,r13 - eor r2,r14 - eor r3,r15 - com r27 - com r2 - com r3 - ldi r24,255 - lsr r23 - rol r24 - eor r26,r24 - movw r12,r26 - movw r14,r2 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r26 - and r13,r27 - and r14,r2 - and r15,r3 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - com r19 - com r20 - com r21 - ldi r24,255 - lsr r23 - rol r24 - eor r18,r24 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - inc r30 - movw r12,r4 - movw r14,r6 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r8,r12 - eor r9,r13 - eor r10,r14 - eor r11,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r4 - and r13,r5 - and r14,r6 - and r15,r7 - eor r8,r12 - eor r9,r13 - eor r10,r14 - eor r11,r15 - com r9 - com r10 - com r11 - ldi r24,255 - lsr r23 - rol r24 - eor r8,r24 - movw r12,r8 - movw r14,r10 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r8 - and r13,r9 - and r14,r10 - and r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r5 - com r6 - com r7 - ldi r24,255 
- lsr r23 - rol r24 - eor r4,r24 - movw r12,r4 - movw r14,r6 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r8,r12 - eor r9,r13 - eor r10,r14 - eor r11,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r4 - and r13,r5 - and r14,r6 - and r15,r7 - eor r8,r12 - eor r9,r13 - eor r10,r14 - eor r11,r15 - com r9 - com r10 - com r11 - ldi r24,255 - lsr r23 - rol r24 - eor r8,r24 - movw r12,r8 - movw r14,r10 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r8 - and r13,r9 - and r14,r10 - and r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r5 - com r6 - com r7 - ldi r24,255 - lsr r23 - rol r24 - eor r4,r24 - movw r12,r4 - movw r14,r6 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r8,r12 - eor r9,r13 - eor r10,r14 - eor r11,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r4 - and r13,r5 - and r14,r6 - and r15,r7 - eor r8,r12 - eor r9,r13 - eor r10,r14 - eor r11,r15 - com r9 - com r10 - com r11 - ldi r24,255 - lsr r23 - rol r24 - eor r8,r24 - movw r12,r8 - movw r14,r10 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r8 - and r13,r9 - and 
r14,r10 - and r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r5 - com r6 - com r7 - ldi r24,255 - lsr r23 - rol r24 - eor r4,r24 - movw r12,r4 - movw r14,r6 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r8,r12 - eor r9,r13 - eor r10,r14 - eor r11,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r4 - and r13,r5 - and r14,r6 - and r15,r7 - eor r8,r12 - eor r9,r13 - eor r10,r14 - eor r11,r15 - com r9 - com r10 - com r11 - ldi r24,255 - lsr r23 - rol r24 - eor r8,r24 - movw r12,r8 - movw r14,r10 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r8 - and r13,r9 - and r14,r10 - and r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r5 - com r6 - com r7 - ldi r24,255 - lsr r23 - rol r24 - eor r4,r24 - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - com r12 - com r13 - com r14 - com r15 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - ldd r18,Y+9 - ldd r19,Y+10 - ldd r20,Y+11 - ldd r21,Y+12 - com r18 - com r19 - com r20 - com r21 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - std Y+9,r4 - std Y+10,r5 - std Y+11,r6 - std Y+12,r7 - movw r4,r12 - movw r6,r14 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - com r13 - com r14 - com r15 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r12,r23 - inc r30 - eor r12,r26 - eor r13,r27 - eor r14,r2 - eor r15,r3 - std Y+5,r26 - std Y+6,r27 - std 
Y+7,r2 - std Y+8,r3 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r2,Y+15 - ldd r3,Y+16 - com r27 - com r2 - com r3 -#if defined(RAMPZ) - elpm r23,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r23,Z -#elif defined(__AVR_TINY__) - ld r23,Z -#else - lpm - mov r23,r0 -#endif - eor r26,r23 - inc r30 - eor r26,r8 - eor r27,r9 - eor r2,r10 - eor r3,r11 - std Y+13,r8 - std Y+14,r9 - std Y+15,r10 - std Y+16,r11 - movw r8,r12 - movw r10,r14 - dec r22 - breq 5866f - rjmp 52b -5866: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - std Z+8,r21 - std Z+9,r20 - std Z+10,r19 - std Z+11,r18 - std Z+24,r3 - std Z+25,r2 - std Z+26,r27 - std Z+27,r26 - std Z+12,r7 - std Z+13,r6 - std Z+14,r5 - std Z+15,r4 - std Z+28,r11 - std Z+29,r10 - std Z+30,r9 - std Z+31,r8 - ldd r18,Y+1 - ldd r19,Y+2 - ldd r20,Y+3 - ldd r21,Y+4 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r2,Y+7 - ldd r3,Y+8 - ldd r4,Y+9 - ldd r5,Y+10 - ldd r6,Y+11 - ldd r7,Y+12 - ldd r8,Y+13 - ldd r9,Y+14 - ldd r10,Y+15 - ldd r11,Y+16 - st Z,r21 - std Z+1,r20 - std Z+2,r19 - std Z+3,r18 - std Z+4,r3 - std Z+5,r2 - std Z+6,r27 - std Z+7,r26 - std Z+16,r7 - std Z+17,r6 - std Z+18,r5 - std Z+19,r4 - std Z+20,r11 - std Z+21,r10 - std Z+22,r9 - std Z+23,r8 - adiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sliscp_light256_permute_spix, .-sliscp_light256_permute_spix - - .text -.global sliscp_light256_swap_spix - .type sliscp_light256_swap_spix, @function -sliscp_light256_swap_spix: - movw r30,r24 -.L__stack_usage = 2 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r26,Z+26 - ldd r27,Z+27 - std Z+24,r18 - std Z+25,r19 - std Z+26,r20 - std Z+27,r21 - std Z+12,r22 - std Z+13,r23 - std Z+14,r26 - std Z+15,r27 - ret - .size sliscp_light256_swap_spix, .-sliscp_light256_swap_spix - -#endif 
diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/internal-sliscp-light.c b/spix/Implementations/crypto_aead/spix128v1/rhys-avr/internal-sliscp-light.c
deleted file mode 100644
index dd3a688..0000000
--- a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/internal-sliscp-light.c
+++ /dev/null
@@ -1,413 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-sliscp-light.h"
-
-#if !defined(__AVR__)
-
-/**
- * \brief Performs one round of the Simeck-64 block cipher.
- *
- * \param x Left half of the 64-bit block.
- * \param y Right half of the 64-bit block.
- */
-#define simeck64_round(x, y) \
- do { \
- (y) ^= (leftRotate5((x)) & (x)) ^ leftRotate1((x)) ^ \
- 0xFFFFFFFEU ^ (_rc & 1); \
- _rc >>= 1; \
- } while (0)
-
-/**
- * \brief Encrypts a 64-bit block with the 8 round version of Simeck-64.
- *
- * \param x Left half of the 64-bit block.
- * \param y Right half of the 64-bit block.
- * \param rc Round constants for the 8 rounds, 1 bit per round.
- *
- * It is assumed that the two halves have already been converted from
- * big-endian to host byte order before calling this function. The output
- * halves will also be in host byte order.
- */
-#define simeck64_box(x, y, rc) \
- do { \
- unsigned char _rc = (rc); \
- simeck64_round(x, y); /* Round 1 */ \
- simeck64_round(y, x); /* Round 2 */ \
- simeck64_round(x, y); /* Round 3 */ \
- simeck64_round(y, x); /* Round 4 */ \
- simeck64_round(x, y); /* Round 5 */ \
- simeck64_round(y, x); /* Round 6 */ \
- simeck64_round(x, y); /* Round 7 */ \
- simeck64_round(y, x); /* Round 8 */ \
- } while (0)
-
-/* Helper macros for 48-bit left rotations */
-#define leftRotate5_48(x) (((x) << 5) | ((x) >> 19))
-#define leftRotate1_48(x) (((x) << 1) | ((x) >> 23))
-
-/**
- * \brief Performs one round of the Simeck-48 block cipher.
- *
- * \param x Left half of the 48-bit block.
- * \param y Right half of the 48-bit block.
- */
-#define simeck48_round(x, y) \
- do { \
- (y) ^= (leftRotate5_48((x)) & (x)) ^ leftRotate1_48((x)) ^ \
- 0x00FFFFFEU ^ (_rc & 1); \
- (y) &= 0x00FFFFFFU; \
- _rc >>= 1; \
- } while (0)
-
-/**
- * \brief Encrypts a 48-bit block with the 6 round version of Simeck-48.
- *
- * \param x Left half of the 48-bit block.
- * \param y Right half of the 48-bit block.
- * \param rc Round constants for the 8 rounds, 1 bit per round.
- *
- * It is assumed that the two halves have already been converted from
- * big-endian to host byte order before calling this function. The output
- * halves will also be in host byte order.
- */
-#define simeck48_box(x, y, rc) \
- do { \
- unsigned char _rc = (rc); \
- simeck48_round(x, y); /* Round 1 */ \
- simeck48_round(y, x); /* Round 2 */ \
- simeck48_round(x, y); /* Round 3 */ \
- simeck48_round(y, x); /* Round 4 */ \
- simeck48_round(x, y); /* Round 5 */ \
- simeck48_round(y, x); /* Round 6 */ \
- } while (0)
-
-/* Interleaved rc0, rc1, sc0, and sc1 values for each round */
-static unsigned char const sliscp_light256_RC[18 * 4] = {
- 0x0f, 0x47, 0x08, 0x64, 0x04, 0xb2, 0x86, 0x6b,
- 0x43, 0xb5, 0xe2, 0x6f, 0xf1, 0x37, 0x89, 0x2c,
- 0x44, 0x96, 0xe6, 0xdd, 0x73, 0xee, 0xca, 0x99,
- 0xe5, 0x4c, 0x17, 0xea, 0x0b, 0xf5, 0x8e, 0x0f,
- 0x47, 0x07, 0x64, 0x04, 0xb2, 0x82, 0x6b, 0x43,
- 0xb5, 0xa1, 0x6f, 0xf1, 0x37, 0x78, 0x2c, 0x44,
- 0x96, 0xa2, 0xdd, 0x73, 0xee, 0xb9, 0x99, 0xe5,
- 0x4c, 0xf2, 0xea, 0x0b, 0xf5, 0x85, 0x0f, 0x47,
- 0x07, 0x23, 0x04, 0xb2, 0x82, 0xd9, 0x43, 0xb5
-};
-
-void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds)
-{
- const unsigned char *rc = sliscp_light256_RC;
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t t0, t1;
-
- /* Load the block into local state variables */
- x0 = be_load_word32(block);
- x1 = be_load_word32(block + 4);
- x2 = be_load_word32(block + 8);
- x3 = be_load_word32(block + 24); /* Assumes the block is pre-swapped */
- x4 = be_load_word32(block + 16);
- x5 = be_load_word32(block + 20);
- x6 = be_load_word32(block + 12);
- x7 = be_load_word32(block + 28);
-
- /* Perform all permutation rounds */
- for (; rounds > 0; --rounds, rc += 4) {
- /* Apply Simeck-64 to two of the 64-bit sub-blocks */
- simeck64_box(x2, x3, rc[0]);
- simeck64_box(x6, x7, rc[1]);
-
- /* Add step constants */
- x0 ^= 0xFFFFFFFFU;
- x1 ^= 0xFFFFFF00U ^ rc[2];
- x4 ^= 0xFFFFFFFFU;
- x5 ^= 0xFFFFFF00U ^ rc[3];
-
- /* Mix the sub-blocks */
- t0 = x0 ^ x2;
- t1 = x1 ^ x3;
- x0 = x2;
- x1 = x3;
- x2 = x4 ^ x6;
- x3 = x5 ^ x7;
- x4 = x6;
- x5 = x7;
- x6 = t0;
- x7 = t1;
- }
-
- /* Store the state back into the
block */
- be_store_word32(block, x0);
- be_store_word32(block + 4, x1);
- be_store_word32(block + 8, x2);
- be_store_word32(block + 24, x3); /* Assumes the block is pre-swapped */
- be_store_word32(block + 16, x4);
- be_store_word32(block + 20, x5);
- be_store_word32(block + 12, x6);
- be_store_word32(block + 28, x7);
-}
-
-void sliscp_light256_swap_spix(unsigned char block[32])
-{
- uint32_t t1, t2;
- t1 = le_load_word32(block + 12);
- t2 = le_load_word32(block + 24);
- le_store_word32(block + 24, t1);
- le_store_word32(block + 12, t2);
-}
-
-void sliscp_light256_permute_spoc(unsigned char block[32])
-{
- const unsigned char *rc = sliscp_light256_RC;
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t t0, t1;
- unsigned round;
-
- /* Load the block into local state variables */
- x0 = be_load_word32(block);
- x1 = be_load_word32(block + 4);
- x2 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */
- x3 = be_load_word32(block + 20);
- x4 = be_load_word32(block + 8);
- x5 = be_load_word32(block + 12);
- x6 = be_load_word32(block + 24);
- x7 = be_load_word32(block + 28);
-
- /* Perform all permutation rounds */
- for (round = 0; round < 18; ++round, rc += 4) {
- /* Apply Simeck-64 to two of the 64-bit sub-blocks */
- simeck64_box(x2, x3, rc[0]);
- simeck64_box(x6, x7, rc[1]);
-
- /* Add step constants */
- x0 ^= 0xFFFFFFFFU;
- x1 ^= 0xFFFFFF00U ^ rc[2];
- x4 ^= 0xFFFFFFFFU;
- x5 ^= 0xFFFFFF00U ^ rc[3];
-
- /* Mix the sub-blocks */
- t0 = x0 ^ x2;
- t1 = x1 ^ x3;
- x0 = x2;
- x1 = x3;
- x2 = x4 ^ x6;
- x3 = x5 ^ x7;
- x4 = x6;
- x5 = x7;
- x6 = t0;
- x7 = t1;
- }
-
- /* Store the state back into the block */
- be_store_word32(block, x0);
- be_store_word32(block + 4, x1);
- be_store_word32(block + 16, x2); /* Assumes the block is pre-swapped */
- be_store_word32(block + 20, x3);
- be_store_word32(block + 8, x4);
- be_store_word32(block + 12, x5);
- be_store_word32(block + 24, x6);
- be_store_word32(block + 28, x7);
-}
-
-void
sliscp_light256_swap_spoc(unsigned char block[32])
-{
- uint64_t t1, t2;
- t1 = le_load_word64(block + 8);
- t2 = le_load_word64(block + 16);
- le_store_word64(block + 16, t1);
- le_store_word64(block + 8, t2);
-}
-
-/* Load a big-endian 24-bit word from a byte buffer */
-#define be_load_word24(ptr) \
- ((((uint32_t)((ptr)[0])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[2])))
-
-/* Store a big-endian 24-bit word into a byte buffer */
-#define be_store_word24(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 16); \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)_x; \
- } while (0)
-
-void sliscp_light192_permute(unsigned char block[24])
-{
- /* Interleaved rc0, rc1, sc0, and sc1 values for each round */
- static unsigned char const RC[18 * 4] = {
- 0x07, 0x27, 0x08, 0x29, 0x04, 0x34, 0x0c, 0x1d,
- 0x06, 0x2e, 0x0a, 0x33, 0x25, 0x19, 0x2f, 0x2a,
- 0x17, 0x35, 0x38, 0x1f, 0x1c, 0x0f, 0x24, 0x10,
- 0x12, 0x08, 0x36, 0x18, 0x3b, 0x0c, 0x0d, 0x14,
- 0x26, 0x0a, 0x2b, 0x1e, 0x15, 0x2f, 0x3e, 0x31,
- 0x3f, 0x38, 0x01, 0x09, 0x20, 0x24, 0x21, 0x2d,
- 0x30, 0x36, 0x11, 0x1b, 0x28, 0x0d, 0x39, 0x16,
- 0x3c, 0x2b, 0x05, 0x3d, 0x22, 0x3e, 0x27, 0x03,
- 0x13, 0x01, 0x34, 0x02, 0x1a, 0x21, 0x2e, 0x23
- };
- const unsigned char *rc = RC;
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t t0, t1;
- unsigned round;
-
- /* Load the block into local state variables.
Each 24-bit block is
- * placed into a separate 32-bit word which improves efficiency below */
- x0 = be_load_word24(block);
- x1 = be_load_word24(block + 3);
- x2 = be_load_word24(block + 6);
- x3 = be_load_word24(block + 9);
- x4 = be_load_word24(block + 12);
- x5 = be_load_word24(block + 15);
- x6 = be_load_word24(block + 18);
- x7 = be_load_word24(block + 21);
-
- /* Perform all permutation rounds */
- for (round = 0; round < 18; ++round, rc += 4) {
- /* Apply Simeck-48 to two of the 48-bit sub-blocks */
- simeck48_box(x2, x3, rc[0]);
- simeck48_box(x6, x7, rc[1]);
-
- /* Add step constants */
- x0 ^= 0x00FFFFFFU;
- x1 ^= 0x00FFFF00U ^ rc[2];
- x4 ^= 0x00FFFFFFU;
- x5 ^= 0x00FFFF00U ^ rc[3];
-
- /* Mix the sub-blocks */
- t0 = x0 ^ x2;
- t1 = x1 ^ x3;
- x0 = x2;
- x1 = x3;
- x2 = x4 ^ x6;
- x3 = x5 ^ x7;
- x4 = x6;
- x5 = x7;
- x6 = t0;
- x7 = t1;
- }
-
- /* Store the state back into the block */
- be_store_word24(block, x0);
- be_store_word24(block + 3, x1);
- be_store_word24(block + 6, x2);
- be_store_word24(block + 9, x3);
- be_store_word24(block + 12, x4);
- be_store_word24(block + 15, x5);
- be_store_word24(block + 18, x6);
- be_store_word24(block + 21, x7);
-}
-
-void sliscp_light320_permute(unsigned char block[40])
-{
- /* Interleaved rc0, rc1, rc2, sc0, sc1, and sc2 values for each round */
- static unsigned char const RC[16 * 6] = {
- 0x07, 0x53, 0x43, 0x50, 0x28, 0x14, 0x0a, 0x5d,
- 0xe4, 0x5c, 0xae, 0x57, 0x9b, 0x49, 0x5e, 0x91,
- 0x48, 0x24, 0xe0, 0x7f, 0xcc, 0x8d, 0xc6, 0x63,
- 0xd1, 0xbe, 0x32, 0x53, 0xa9, 0x54, 0x1a, 0x1d,
- 0x4e, 0x60, 0x30, 0x18, 0x22, 0x28, 0x75, 0x68,
- 0x34, 0x9a, 0xf7, 0x6c, 0x25, 0xe1, 0x70, 0x38,
- 0x62, 0x82, 0xfd, 0xf6, 0x7b, 0xbd, 0x96, 0x47,
- 0xf9, 0x9d, 0xce, 0x67, 0x71, 0x6b, 0x76, 0x40,
- 0x20, 0x10, 0xaa, 0x88, 0xa0, 0x4f, 0x27, 0x13,
- 0x2b, 0xdc, 0xb0, 0xbe, 0x5f, 0x2f, 0xe9, 0x8b,
- 0x09, 0x5b, 0xad, 0xd6, 0xcf, 0x59, 0x1e, 0xe9,
- 0x74, 0xba, 0xb7, 0xc6, 0xad, 0x7f, 0x3f, 0x1f
- };
- const unsigned char *rc =
RC;
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9;
- uint32_t t0, t1;
- unsigned round;
-
- /* Load the block into local state variables */
- x0 = be_load_word32(block);
- x1 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */
- x2 = be_load_word32(block + 8);
- x3 = be_load_word32(block + 12);
- x4 = be_load_word32(block + 4);
- x5 = be_load_word32(block + 20);
- x6 = be_load_word32(block + 24);
- x7 = be_load_word32(block + 28);
- x8 = be_load_word32(block + 32);
- x9 = be_load_word32(block + 36);
-
- /* Perform all permutation rounds */
- for (round = 0; round < 16; ++round, rc += 6) {
- /* Apply Simeck-64 to three of the 64-bit sub-blocks */
- simeck64_box(x0, x1, rc[0]);
- simeck64_box(x4, x5, rc[1]);
- simeck64_box(x8, x9, rc[2]);
- x6 ^= x8;
- x7 ^= x9;
- x2 ^= x4;
- x3 ^= x5;
- x8 ^= x0;
- x9 ^= x1;
-
- /* Add step constants */
- x2 ^= 0xFFFFFFFFU;
- x3 ^= 0xFFFFFF00U ^ rc[3];
- x6 ^= 0xFFFFFFFFU;
- x7 ^= 0xFFFFFF00U ^ rc[4];
- x8 ^= 0xFFFFFFFFU;
- x9 ^= 0xFFFFFF00U ^ rc[5];
-
- /* Rotate the sub-blocks */
- t0 = x8;
- t1 = x9;
- x8 = x2;
- x9 = x3;
- x2 = x4;
- x3 = x5;
- x4 = x0;
- x5 = x1;
- x0 = x6;
- x1 = x7;
- x6 = t0;
- x7 = t1;
- }
-
- /* Store the state back into the block */
- be_store_word32(block, x0);
- be_store_word32(block + 16, x1); /* Assumes the block is pre-swapped */
- be_store_word32(block + 8, x2);
- be_store_word32(block + 12, x3);
- be_store_word32(block + 4, x4);
- be_store_word32(block + 20, x5);
- be_store_word32(block + 24, x6);
- be_store_word32(block + 28, x7);
- be_store_word32(block + 32, x8);
- be_store_word32(block + 36, x9);
-}
-
-void sliscp_light320_swap(unsigned char block[40])
-{
- uint32_t t1, t2;
- t1 = le_load_word32(block + 4);
- t2 = le_load_word32(block + 16);
- le_store_word32(block + 16, t1);
- le_store_word32(block + 4, t2);
-}
-
-#endif /* !__AVR__ */
diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/internal-sliscp-light.h b/spix/Implementations/crypto_aead/spix128v1/rhys-avr/internal-sliscp-light.h
deleted file mode 100644
index 8a5e8d5..0000000
--- a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/internal-sliscp-light.h
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SLISCP_LIGHT_H
-#define LW_INTERNAL_SLISCP_LIGHT_H
-
-/**
- * \file internal-sliscp-light.h
- * \brief sLiSCP-light permutation
- *
- * There are three variants of sLiSCP-light in use in the NIST submissions:
- *
- * \li sLiSCP-light-256 with a 256-bit block size, used in SPIX and SpoC.
- * \li sLiSCP-light-192 with a 192-bit block size, used in SpoC.
- * \li sLiSCP-light-320 with a 320-bit block size, used in ACE.
- *
- * References: https://uwaterloo.ca/communications-security-lab/lwc/ace,
- * https://uwaterloo.ca/communications-security-lab/lwc/spix,
- * https://uwaterloo.ca/communications-security-lab/lwc/spoc
- */
-
-#include "internal-util.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the state for sLiSCP-light-256.
- */
-#define SLISCP_LIGHT256_STATE_SIZE 32
-
-/**
- * \brief Size of the state for sLiSCP-light-192.
- */
-#define SLISCP_LIGHT192_STATE_SIZE 24
-
-/**
- * \brief Size of the state for sLiSCP-light-320.
- */
-#define SLISCP_LIGHT320_STATE_SIZE 40
-
-/**
- * \brief Performs the sLiSCP-light permutation on a 256-bit block.
- *
- * \param block Points to the block to be permuted.
- * \param rounds Number of rounds to be performed, usually 9 or 18.
- *
- * The bytes of the block are assumed to be rearranged to match the
- * requirements of the SPIX cipher. SPIX places the rate bytes at
- * positions 8, 9, 10, 11, 24, 25, 26, and 27.
- *
- * This function assumes that bytes 24-27 have been pre-swapped with
- * bytes 12-15 so that the rate portion of the state is contiguous.
- *
- * The sliscp_light256_swap_spix() function can be used to switch
- * between the canonical order and the pre-swapped order.
- *
- * \sa sliscp_light256_swap_spix()
- */
-void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds);
-
-/**
- * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SPIX.
- *
- * \param block Points to the block to be rate-swapped.
- *
- * \sa sliscp_light256_permute_spix()
- */
-void sliscp_light256_swap_spix(unsigned char block[32]);
-
-/**
- * \brief Performs the sLiSCP-light permutation on a 256-bit block.
- *
- * \param block Points to the block to be permuted.
- *
- * The bytes of the block are assumed to be rearranged to match the
- * requirements of the SpoC-128 cipher. SpoC-128 interleaves the
- * rate bytes and the mask bytes. This version assumes that the
- * rate and mask are in contiguous bytes of the state.
- *
- * SpoC-128 absorbs bytes using the mask bytes of the state at offsets
- * 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, and 31.
- * It squeezes bytes using the rate bytes of the state at offsets
- * 0, 1, 2, 3, 4, 5, 6, 7, 16, 17, 18, 19, 20, 21, 22, and 23.
- *
- * This function assumes that bytes 8-15 have been pre-swapped with 16-23
- * so that the rate and mask portions of the state are contiguous.
- *
- * The sliscp_light256_swap_spoc() function can be used to switch
- * between the canonical order and the pre-swapped order.
- *
- * \sa sliscp_light256_swap_spoc()
- */
-void sliscp_light256_permute_spoc(unsigned char block[32]);
-
-/**
- * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SpoC-128.
- *
- * \param block Points to the block to be rate-swapped.
- *
- * \sa sliscp_light256_permute_spoc()
- */
-void sliscp_light256_swap_spoc(unsigned char block[32]);
-
-/**
- * \brief Performs the sLiSCP-light permutation on a 192-bit block.
- *
- * \param block Points to the block to be permuted.
- */
-void sliscp_light192_permute(unsigned char block[24]);
-
-/**
- * \brief Performs the sLiSCP-light permutation on a 320-bit block.
- *
- * \param block Points to the block to be permuted.
- *
- * The ACE specification refers to this permutation as "ACE" but that
- * can be confused with the name of the AEAD mode so we call this
- * permutation "sLiSCP-light-320" instead.
- *
- * ACE absorbs and squeezes data at the rate bytes 0, 1, 2, 3, 16, 17, 18, 19.
- * Efficiency can suffer because of the discontinuity in rate byte positions.
- *
- * To counteract this, we assume that the input to the permutation has been
- * pre-swapped: bytes 4, 5, 6, 7 are swapped with bytes 16, 17, 18, 19 so
- * that the rate is contiguous at the start of the state.
- *
- * The sliscp_light320_swap() function can be used to switch between the
- * canonical order and the pre-swapped order.
- *
- * \sa sliscp_light320_swap()
- */
-void sliscp_light320_permute(unsigned char block[40]);
-
-/**
- * \brief Swaps rate bytes in a sLiSCP-light 320-bit block.
- *
- * \param block Points to the block to be rate-swapped.
- *
- * \sa sliscp_light320_permute()
- */
-void sliscp_light320_swap(unsigned char block[40]);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/internal-util.h b/spix/Implementations/crypto_aead/spix128v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/spix.c b/spix/Implementations/crypto_aead/spix128v1/rhys-avr/spix.c
deleted file mode 100644
index 7fc8f6a..0000000
--- a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/spix.c
+++ /dev/null
@@ -1,211 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "spix.h"
-#include "internal-sliscp-light.h"
-#include "internal-util.h"
-#include
-
-/**
- * \brief Size of the state for the internal sLiSCP-light permutation.
- */
-#define SPIX_STATE_SIZE SLISCP_LIGHT256_STATE_SIZE
-
-/**
- * \brief Rate for absorbing data into the sLiSCP-light state and for
- * squeezing data out again.
- */
-#define SPIX_RATE 8
-
-aead_cipher_t const spix_cipher = {
- "SPIX",
- SPIX_KEY_SIZE,
- SPIX_NONCE_SIZE,
- SPIX_TAG_SIZE,
- AEAD_FLAG_NONE,
- spix_aead_encrypt,
- spix_aead_decrypt
-};
-
-/* Indices of where a rate byte is located in the state. We don't
- * need this array any more because sliscp_light256_permute_spix()
- * operates on byte-swapped states where the rate bytes are contiguous
- * in the bytes 8 to 15 */
-/*
-static unsigned char const spix_rate_posn[8] = {
- 8, 9, 10, 11, 24, 25, 26, 27
-};
-*/
-
-/**
- * \brief Initializes the SPIX state.
- *
- * \param state sLiSCP-light-256 permutation state.
- * \param k Points to the 128-bit key.
- * \param npub Points to the 128-bit nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void spix_init
- (unsigned char state[SPIX_STATE_SIZE],
- const unsigned char *k, const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned temp;
-
- /* Initialize the state by interleaving the key and nonce */
- memcpy(state, npub, 8);
- memcpy(state + 8, k, 8);
- memcpy(state + 16, npub + 8, 8);
- memcpy(state + 24, k + 8, 8);
- sliscp_light256_swap_spix(state);
-
- /* Run the permutation to scramble the initial state */
- sliscp_light256_permute_spix(state, 18);
-
- /* Absorb the key in two further permutation operations */
- lw_xor_block(state + 8, k, 8);
- sliscp_light256_permute_spix(state, 18);
- lw_xor_block(state + 8, k + 8, 8);
- sliscp_light256_permute_spix(state, 18);
-
- /* Absorb the associated data into the state */
- if (adlen != 0) {
- while (adlen >= SPIX_RATE) {
- lw_xor_block(state + 8, ad, SPIX_RATE);
- state[SPIX_STATE_SIZE - 1] ^= 0x01; /* domain separation */
- sliscp_light256_permute_spix(state, 9);
- ad += SPIX_RATE;
- adlen -= SPIX_RATE;
- }
- temp = (unsigned)adlen;
- lw_xor_block(state + 8, ad, temp);
- state[temp + 8] ^= 0x80; /* padding */
- state[SPIX_STATE_SIZE - 1] ^= 0x01; /* domain separation */
- sliscp_light256_permute_spix(state, 9);
- }
-}
-
-/**
- * \brief Finalizes the SPIX encryption or decryption operation.
- *
- * \param state sLiSCP-light-256 permutation state.
- * \param k Points to the 128-bit key.
- * \param tag Points to the 16 byte buffer to receive the computed tag.
- */
-static void spix_finalize
- (unsigned char state[SPIX_STATE_SIZE], const unsigned char *k,
- unsigned char *tag)
-{
- /* Absorb the key into the state again */
- lw_xor_block(state + 8, k, 8);
- sliscp_light256_permute_spix(state, 18);
- lw_xor_block(state + 8, k + 8, 8);
- sliscp_light256_permute_spix(state, 18);
-
- /* Copy out the authentication tag */
- sliscp_light256_swap_spix(state);
- memcpy(tag, state + 8, 8);
- memcpy(tag + 8, state + 24, 8);
-}
-
-int spix_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char state[SPIX_STATE_SIZE];
- unsigned temp;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPIX_TAG_SIZE;
-
- /* Initialize the SPIX state and absorb the associated data */
- spix_init(state, k, npub, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- while (mlen >= SPIX_RATE) {
- lw_xor_block_2_dest(c, state + 8, m, SPIX_RATE);
- state[SPIX_STATE_SIZE - 1] ^= 0x02; /* domain separation */
- sliscp_light256_permute_spix(state, 9);
- c += SPIX_RATE;
- m += SPIX_RATE;
- mlen -= SPIX_RATE;
- }
- temp = (unsigned)mlen;
- lw_xor_block_2_dest(c, state + 8, m, temp);
- state[temp + 8] ^= 0x80; /* padding */
- state[SPIX_STATE_SIZE - 1] ^= 0x02; /* domain separation */
- sliscp_light256_permute_spix(state, 9);
- c += mlen;
-
- /* Generate the authentication tag */
- spix_finalize(state, k, c);
- return 0;
-}
-
-int spix_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char state[SPIX_STATE_SIZE];
- unsigned char *mtemp = m;
- unsigned temp;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPIX_TAG_SIZE)
- return -1;
- *mlen = clen - SPIX_TAG_SIZE;
-
- /* Initialize the SPIX state and absorb the associated data */
- spix_init(state, k, npub, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPIX_TAG_SIZE;
- while (clen >= SPIX_RATE) {
- lw_xor_block_swap(m, state + 8, c, SPIX_RATE);
- state[SPIX_STATE_SIZE - 1] ^= 0x02; /* domain separation */
- sliscp_light256_permute_spix(state, 9);
- c += SPIX_RATE;
- m += SPIX_RATE;
- clen -= SPIX_RATE;
- }
- temp = (unsigned)clen;
- lw_xor_block_swap(m, state + 8, c, temp);
- state[temp + 8] ^= 0x80; /* padding */
- state[SPIX_STATE_SIZE - 1] ^= 0x02; /* domain separation */
- sliscp_light256_permute_spix(state, 9);
- c += clen;
-
- /* Finalize the SPIX state and compare against the authentication tag */
- spix_finalize(state, k, state);
- return aead_check_tag(mtemp, *mlen, state, c, SPIX_TAG_SIZE);
-}
diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/spix.h b/spix/Implementations/crypto_aead/spix128v1/rhys-avr/spix.h
deleted file mode 100644
index 844c514..0000000
--- a/spix/Implementations/crypto_aead/spix128v1/rhys-avr/spix.h
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SPIX_H
-#define LWCRYPTO_SPIX_H
-
-#include "aead-common.h"
-
-/**
- * \file spix.h
- * \brief SPIX authenticated encryption algorithm.
- *
- * SPIX is an authenticated encryption algorithm with a 128-bit key,
- * a 128-bit nonce, and a 128-bit tag. It uses the MonkeyDuplex
- * construction on top of the 256-bit sLiSCP-light permutation.
- *
- * References: https://uwaterloo.ca/communications-security-lab/lwc/spix
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for SPIX.
- */
-#define SPIX_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SPIX.
- */
-#define SPIX_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for SPIX.
- */
-#define SPIX_NONCE_SIZE 16
-
-/**
- * \brief Meta-information block for the SPIX cipher.
- */
-extern aead_cipher_t const spix_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with SPIX.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa spix_aead_decrypt()
- */
-int spix_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SPIX.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa spix_aead_encrypt()
- */
-int spix_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-256-spix-avr.S b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-256-spix-avr.S
new file mode 100644
index 0000000..f8cadd9
--- /dev/null
+++ b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-256-spix-avr.S
@@ -0,0 +1,1129 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 72 +table_0: + .byte 15 + .byte 71 + .byte 8 + .byte 100 + .byte 4 + .byte 178 + .byte 134 + .byte 107 + .byte 67 + .byte 181 + .byte 226 + .byte 111 + .byte 241 + .byte 55 + .byte 137 + .byte 44 + .byte 68 + .byte 150 + .byte 230 + .byte 221 + .byte 115 + .byte 238 + .byte 202 + .byte 153 + .byte 229 + .byte 76 + .byte 23 + .byte 234 + .byte 11 + .byte 245 + .byte 142 + .byte 15 + .byte 71 + .byte 7 + .byte 100 + .byte 4 + .byte 178 + .byte 130 + .byte 107 + .byte 67 + .byte 181 + .byte 161 + .byte 111 + .byte 241 + .byte 55 + .byte 120 + .byte 44 + .byte 68 + .byte 150 + .byte 162 + .byte 221 + .byte 115 + .byte 238 + .byte 185 + .byte 153 + .byte 229 + .byte 76 + .byte 242 + .byte 234 + .byte 11 + .byte 245 + .byte 133 + .byte 15 + .byte 71 + .byte 7 + .byte 35 + .byte 4 + .byte 178 + .byte 130 + .byte 217 + .byte 67 + .byte 181 + + .text +.global sliscp_light256_permute_spix + .type sliscp_light256_permute_spix, @function +sliscp_light256_permute_spix: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 32 + ld r21,Z + ldd r20,Z+1 + ldd r19,Z+2 + ldd r18,Z+3 + ldd r3,Z+4 + ldd r2,Z+5 + ldd r27,Z+6 + ldd r26,Z+7 + ldd r7,Z+16 + ldd r6,Z+17 + ldd r5,Z+18 + ldd r4,Z+19 + ldd r11,Z+20 + ldd r10,Z+21 + ldd r9,Z+22 + ldd r8,Z+23 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + std Y+5,r26 + std Y+6,r27 + std Y+7,r2 + std Y+8,r3 + std Y+9,r4 + std Y+10,r5 + std Y+11,r6 + std Y+12,r7 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + ldd r21,Z+8 + ldd r20,Z+9 + ldd r19,Z+10 + ldd r18,Z+11 + ldd r3,Z+24 + ldd 
r2,Z+25 + ldd r27,Z+26 + ldd r26,Z+27 + ldd r7,Z+12 + ldd r6,Z+13 + ldd r5,Z+14 + ldd r4,Z+15 + ldd r11,Z+28 + ldd r10,Z+29 + ldd r9,Z+30 + ldd r8,Z+31 + push r31 + push r30 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r23,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r23 +#endif + mov r30,r1 +52: +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + inc r30 + movw r12,r18 + movw r14,r20 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r26,r12 + eor r27,r13 + eor r2,r14 + eor r3,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r18 + and r13,r19 + and r14,r20 + and r15,r21 + eor r26,r12 + eor r27,r13 + eor r2,r14 + eor r3,r15 + com r27 + com r2 + com r3 + ldi r24,255 + lsr r23 + rol r24 + eor r26,r24 + movw r12,r26 + movw r14,r2 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r26 + and r13,r27 + and r14,r2 + and r15,r3 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + com r19 + com r20 + com r21 + ldi r24,255 + lsr r23 + rol r24 + eor r18,r24 + movw r12,r18 + movw r14,r20 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r26,r12 + eor r27,r13 + eor r2,r14 + eor r3,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r18 + and r13,r19 + and r14,r20 + and r15,r21 + 
eor r26,r12 + eor r27,r13 + eor r2,r14 + eor r3,r15 + com r27 + com r2 + com r3 + ldi r24,255 + lsr r23 + rol r24 + eor r26,r24 + movw r12,r26 + movw r14,r2 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r26 + and r13,r27 + and r14,r2 + and r15,r3 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + com r19 + com r20 + com r21 + ldi r24,255 + lsr r23 + rol r24 + eor r18,r24 + movw r12,r18 + movw r14,r20 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r26,r12 + eor r27,r13 + eor r2,r14 + eor r3,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r18 + and r13,r19 + and r14,r20 + and r15,r21 + eor r26,r12 + eor r27,r13 + eor r2,r14 + eor r3,r15 + com r27 + com r2 + com r3 + ldi r24,255 + lsr r23 + rol r24 + eor r26,r24 + movw r12,r26 + movw r14,r2 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r26 + and r13,r27 + and r14,r2 + and r15,r3 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + com r19 + com r20 + com r21 + ldi r24,255 + lsr r23 + rol r24 + eor r18,r24 + movw r12,r18 + movw r14,r20 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r26,r12 + eor r27,r13 + eor r2,r14 + eor r3,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol 
r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r18 + and r13,r19 + and r14,r20 + and r15,r21 + eor r26,r12 + eor r27,r13 + eor r2,r14 + eor r3,r15 + com r27 + com r2 + com r3 + ldi r24,255 + lsr r23 + rol r24 + eor r26,r24 + movw r12,r26 + movw r14,r2 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r26 + and r13,r27 + and r14,r2 + and r15,r3 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + com r19 + com r20 + com r21 + ldi r24,255 + lsr r23 + rol r24 + eor r18,r24 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + inc r30 + movw r12,r4 + movw r14,r6 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r8,r12 + eor r9,r13 + eor r10,r14 + eor r11,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r4 + and r13,r5 + and r14,r6 + and r15,r7 + eor r8,r12 + eor r9,r13 + eor r10,r14 + eor r11,r15 + com r9 + com r10 + com r11 + ldi r24,255 + lsr r23 + rol r24 + eor r8,r24 + movw r12,r8 + movw r14,r10 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r8 + and r13,r9 + and r14,r10 + and r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r5 + com r6 + com r7 + ldi r24,255 
+ lsr r23 + rol r24 + eor r4,r24 + movw r12,r4 + movw r14,r6 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r8,r12 + eor r9,r13 + eor r10,r14 + eor r11,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r4 + and r13,r5 + and r14,r6 + and r15,r7 + eor r8,r12 + eor r9,r13 + eor r10,r14 + eor r11,r15 + com r9 + com r10 + com r11 + ldi r24,255 + lsr r23 + rol r24 + eor r8,r24 + movw r12,r8 + movw r14,r10 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r8 + and r13,r9 + and r14,r10 + and r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r5 + com r6 + com r7 + ldi r24,255 + lsr r23 + rol r24 + eor r4,r24 + movw r12,r4 + movw r14,r6 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r8,r12 + eor r9,r13 + eor r10,r14 + eor r11,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r4 + and r13,r5 + and r14,r6 + and r15,r7 + eor r8,r12 + eor r9,r13 + eor r10,r14 + eor r11,r15 + com r9 + com r10 + com r11 + ldi r24,255 + lsr r23 + rol r24 + eor r8,r24 + movw r12,r8 + movw r14,r10 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r8 + and r13,r9 + and 
r14,r10 + and r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r5 + com r6 + com r7 + ldi r24,255 + lsr r23 + rol r24 + eor r4,r24 + movw r12,r4 + movw r14,r6 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r8,r12 + eor r9,r13 + eor r10,r14 + eor r11,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r4 + and r13,r5 + and r14,r6 + and r15,r7 + eor r8,r12 + eor r9,r13 + eor r10,r14 + eor r11,r15 + com r9 + com r10 + com r11 + ldi r24,255 + lsr r23 + rol r24 + eor r8,r24 + movw r12,r8 + movw r14,r10 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r8 + and r13,r9 + and r14,r10 + and r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r5 + com r6 + com r7 + ldi r24,255 + lsr r23 + rol r24 + eor r4,r24 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + com r12 + com r13 + com r14 + com r15 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Y+9 + ldd r19,Y+10 + ldd r20,Y+11 + ldd r21,Y+12 + com r18 + com r19 + com r20 + com r21 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + std Y+9,r4 + std Y+10,r5 + std Y+11,r6 + std Y+12,r7 + movw r4,r12 + movw r6,r14 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + com r13 + com r14 + com r15 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r12,r23 + inc r30 + eor r12,r26 + eor r13,r27 + eor r14,r2 + eor r15,r3 + std Y+5,r26 + std Y+6,r27 + std 
Y+7,r2 + std Y+8,r3 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r2,Y+15 + ldd r3,Y+16 + com r27 + com r2 + com r3 +#if defined(RAMPZ) + elpm r23,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r23,Z +#elif defined(__AVR_TINY__) + ld r23,Z +#else + lpm + mov r23,r0 +#endif + eor r26,r23 + inc r30 + eor r26,r8 + eor r27,r9 + eor r2,r10 + eor r3,r11 + std Y+13,r8 + std Y+14,r9 + std Y+15,r10 + std Y+16,r11 + movw r8,r12 + movw r10,r14 + dec r22 + breq 5866f + rjmp 52b +5866: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + std Z+8,r21 + std Z+9,r20 + std Z+10,r19 + std Z+11,r18 + std Z+24,r3 + std Z+25,r2 + std Z+26,r27 + std Z+27,r26 + std Z+12,r7 + std Z+13,r6 + std Z+14,r5 + std Z+15,r4 + std Z+28,r11 + std Z+29,r10 + std Z+30,r9 + std Z+31,r8 + ldd r18,Y+1 + ldd r19,Y+2 + ldd r20,Y+3 + ldd r21,Y+4 + ldd r26,Y+5 + ldd r27,Y+6 + ldd r2,Y+7 + ldd r3,Y+8 + ldd r4,Y+9 + ldd r5,Y+10 + ldd r6,Y+11 + ldd r7,Y+12 + ldd r8,Y+13 + ldd r9,Y+14 + ldd r10,Y+15 + ldd r11,Y+16 + st Z,r21 + std Z+1,r20 + std Z+2,r19 + std Z+3,r18 + std Z+4,r3 + std Z+5,r2 + std Z+6,r27 + std Z+7,r26 + std Z+16,r7 + std Z+17,r6 + std Z+18,r5 + std Z+19,r4 + std Z+20,r11 + std Z+21,r10 + std Z+22,r9 + std Z+23,r8 + adiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sliscp_light256_permute_spix, .-sliscp_light256_permute_spix + + .text +.global sliscp_light256_swap_spix + .type sliscp_light256_swap_spix, @function +sliscp_light256_swap_spix: + movw r30,r24 +.L__stack_usage = 2 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r26,Z+26 + ldd r27,Z+27 + std Z+24,r18 + std Z+25,r19 + std Z+26,r20 + std Z+27,r21 + std Z+12,r22 + std Z+13,r23 + std Z+14,r26 + std Z+15,r27 + ret + .size sliscp_light256_swap_spix, .-sliscp_light256_swap_spix + +#endif 
diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.c b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.c index 69b4519..dd3a688 100644 --- a/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.c +++ b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.c @@ -22,6 +22,8 @@ #include "internal-sliscp-light.h" +#if !defined(__AVR__) + /** * \brief Performs one round of the Simeck-64 block cipher. * @@ -173,11 +175,12 @@ void sliscp_light256_swap_spix(unsigned char block[32]) le_store_word32(block + 12, t2); } -void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds) +void sliscp_light256_permute_spoc(unsigned char block[32]) { const unsigned char *rc = sliscp_light256_RC; uint32_t x0, x1, x2, x3, x4, x5, x6, x7; uint32_t t0, t1; + unsigned round; /* Load the block into local state variables */ x0 = be_load_word32(block); @@ -190,7 +193,7 @@ void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds) x7 = be_load_word32(block + 28); /* Perform all permutation rounds */ - for (; rounds > 0; --rounds, rc += 4) { + for (round = 0; round < 18; ++round, rc += 4) { /* Apply Simeck-64 to two of the 64-bit sub-blocks */ simeck64_box(x2, x3, rc[0]); simeck64_box(x6, x7, rc[1]); @@ -406,3 +409,5 @@ void sliscp_light320_swap(unsigned char block[40]) le_store_word32(block + 16, t1); le_store_word32(block + 4, t2); } + +#endif /* !__AVR__ */ diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.h b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.h index fa6b9ba..8a5e8d5 100644 --- a/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.h +++ b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-sliscp-light.h 
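Review bot: The round count in `for (round = 0; round < 18; ++round, rc += 4) {` is a bare literal, and the companion header hunk deletes the only prose that mentioned 18, so nothing ties the loop bound to the size of the sliscp_light256_RC table it walks. Give it a name defined next to that table, for example a new `#define SLISCP_LIGHT256_SPOC_ROUNDS 18` with `for (round = 0; round < SLISCP_LIGHT256_SPOC_ROUNDS; ++round, rc += 4) {`, so the table length and the loop bound are maintained in one place. The new `#if !defined(__AVR__)` guard excludes this whole translation unit on AVR, while the internal-sliscp-256-spix-avr.S added in this commit defines only sliscp_light256_permute_spix and sliscp_light256_swap_spix; on AVR the other functions defined here (sliscp_light256_permute_spoc, sliscp_light320_swap, and whatever lies between the hunks) keep their header prototypes but have no definition, so an accidental use now fails at link time. Presumably nothing in the spix build references them, but a comment on the guard naming what the .S file is expected to supply, e.g. `#if !defined(__AVR__) /* AVR: permute_spix/swap_spix come from internal-sliscp-256-spix-avr.S */`, would make that dependency explicit.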
@@ -92,7 +92,6 @@ void sliscp_light256_swap_spix(unsigned char block[32]); * \brief Performs the sLiSCP-light permutation on a 256-bit block. * * \param block Points to the block to be permuted. - * \param rounds Number of rounds to be performed, usually 9 or 18. * * The bytes of the block are assumed to be rearranged to match the * requirements of the SpoC-128 cipher. SpoC-128 interleaves the @@ -112,7 +111,7 @@ void sliscp_light256_swap_spix(unsigned char block[32]); * * \sa sliscp_light256_swap_spoc() */ -void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds); +void sliscp_light256_permute_spoc(unsigned char block[32]); /** * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SpoC-128. diff --git a/spix/Implementations/crypto_aead/spix128v1/rhys/internal-util.h b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/spix/Implementations/crypto_aead/spix128v1/rhys/internal-util.h +++ b/spix/Implementations/crypto_aead/spix128v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
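Review bot: The doc block for sliscp_light256_permute_spoc no longer states how many rounds are run, because the deleted `\param rounds` line was the only place the count appeared and the matching .c hunk now fixes it at 18. Add a sentence to the description, such as `* This permutation always performs 18 rounds.`, so callers can see the fixed count from the header alone. The remainder of the doc block and the prototype it describes lie partly outside this hunk.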
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/aead-common.c b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
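Review bot: The composed rotations in this hunk (leftRotate2 through leftRotate31 and the rightRotateN aliases) are compiled only when `__AVR__` is defined, because the `@@ -238,6 +238,17 @@` hunk earlier in this file ties LW_CRYPTO_ROTATE32_COMPOSED to that macro alone, so no host build or test can confirm that each composition equals the generic `leftRotate((a), N)` it replaces. Wrapping the selector in that earlier hunk with `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` would let a host test build force the composed path and compare every leftRotateN/rightRotateN against the generic form for all 32 counts. I traced the arithmetic by hand (8-3=5, 16-4=12, 24-3=21, 32-4=28, and rightRotateN defined as leftRotate(32-N)) and it is consistent, but an automated check is what keeps it that way after the next edit. A one-line comment at the top of the block stating that every composed form must equal the generic rotation by the same count would also tell a reader what invariant to preserve.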
--- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/aead-common.h b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/api.h b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/api.h
deleted file mode 100644
index b2f8a36..0000000
--- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/encrypt.c b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/encrypt.c
deleted file mode 100644
index 6856b6f..0000000
--- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@ - -#include "spoc.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return spoc_128_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return spoc_128_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-sliscp-192-avr.S b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-sliscp-192-avr.S deleted file mode 100644 index 5860b14..0000000 --- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-sliscp-192-avr.S +++ /dev/null 
@@ -1,794 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 72 -table_0: - .byte 7 - .byte 39 - .byte 8 - .byte 41 - .byte 4 - .byte 52 - .byte 12 - .byte 29 - .byte 6 - .byte 46 - .byte 10 - .byte 51 - .byte 37 - .byte 25 - .byte 47 - .byte 42 - .byte 23 - .byte 53 - .byte 56 - .byte 31 - .byte 28 - .byte 15 - .byte 36 - .byte 16 - .byte 18 - .byte 8 - .byte 54 - .byte 24 - .byte 59 - .byte 12 - .byte 13 - .byte 20 - .byte 38 - .byte 10 - .byte 43 - .byte 30 - .byte 21 - .byte 47 - .byte 62 - .byte 49 - .byte 63 - .byte 56 - .byte 1 - .byte 9 - .byte 32 - .byte 36 - .byte 33 - .byte 45 - .byte 48 - .byte 54 - .byte 17 - .byte 27 - .byte 40 - .byte 13 - .byte 57 - .byte 22 - .byte 60 - .byte 43 - .byte 5 - .byte 61 - .byte 34 - .byte 62 - .byte 39 - .byte 3 - .byte 19 - .byte 1 - .byte 52 - .byte 2 - .byte 26 - .byte 33 - .byte 46 - .byte 35 - - .text -.global sliscp_light192_permute - .type sliscp_light192_permute, @function -sliscp_light192_permute: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ld r20,Z - ldd r19,Z+1 - ldd r18,Z+2 - ldd r21,Z+3 - ldd r23,Z+4 - ldd r22,Z+5 - ldd r28,Z+6 - ldd r27,Z+7 - ldd r26,Z+8 - ldd r29,Z+9 - ldd r3,Z+10 - ldd r2,Z+11 - ldd r6,Z+12 - ldd r5,Z+13 - ldd r4,Z+14 - ldd r7,Z+15 - ldd r9,Z+16 - ldd r8,Z+17 - ldd r12,Z+18 - ldd r11,Z+19 - ldd r10,Z+20 - ldd r13,Z+21 - ldd r15,Z+22 - ldd r14,Z+23 - push r31 - push r30 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r24,0 -28: - mov r30,r24 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z 
-#else - lpm - mov r25,r0 -#endif - inc r24 - movw r16,r26 - mov r1,r28 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r2,r16 - eor r3,r17 - eor r29,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r26 - and r17,r27 - and r1,r28 - eor r2,r16 - eor r3,r17 - eor r29,r1 - com r3 - com r29 - ldi r16,255 - lsr r25 - rol r16 - eor r2,r16 - movw r16,r2 - mov r1,r29 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r26,r16 - eor r27,r17 - eor r28,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r2 - and r17,r3 - and r1,r29 - eor r26,r16 - eor r27,r17 - eor r28,r1 - com r27 - com r28 - ldi r16,255 - lsr r25 - rol r16 - eor r26,r16 - movw r16,r26 - mov r1,r28 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r2,r16 - eor r3,r17 - eor r29,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r26 - and r17,r27 - and r1,r28 - eor r2,r16 - eor r3,r17 - eor r29,r1 - com r3 - com r29 - ldi r16,255 - lsr r25 - rol r16 - eor r2,r16 - movw r16,r2 - mov r1,r29 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r26,r16 - eor r27,r17 - eor r28,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r2 - and r17,r3 - and r1,r29 - eor r26,r16 - eor r27,r17 - eor r28,r1 - com r27 - com r28 - ldi r16,255 - lsr r25 - rol r16 - eor r26,r16 - movw r16,r26 - mov r1,r28 - bst r1,7 - lsl r16 - rol 
r17 - rol r1 - bld r16,0 - eor r2,r16 - eor r3,r17 - eor r29,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r26 - and r17,r27 - and r1,r28 - eor r2,r16 - eor r3,r17 - eor r29,r1 - com r3 - com r29 - ldi r16,255 - lsr r25 - rol r16 - eor r2,r16 - movw r16,r2 - mov r1,r29 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r26,r16 - eor r27,r17 - eor r28,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r2 - and r17,r3 - and r1,r29 - eor r26,r16 - eor r27,r17 - eor r28,r1 - com r27 - com r28 - ldi r16,255 - lsr r25 - rol r16 - eor r26,r16 - mov r30,r24 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - inc r24 - movw r16,r10 - mov r1,r12 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r14,r16 - eor r15,r17 - eor r13,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r10 - and r17,r11 - and r1,r12 - eor r14,r16 - eor r15,r17 - eor r13,r1 - com r15 - com r13 - ldi r16,255 - lsr r25 - rol r16 - eor r14,r16 - movw r16,r14 - mov r1,r13 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r10,r16 - eor r11,r17 - eor r12,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r14 - and r17,r15 - and r1,r13 - eor r10,r16 - eor r11,r17 - eor r12,r1 - com r11 - com r12 - ldi r16,255 - 
lsr r25 - rol r16 - eor r10,r16 - movw r16,r10 - mov r1,r12 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r14,r16 - eor r15,r17 - eor r13,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r10 - and r17,r11 - and r1,r12 - eor r14,r16 - eor r15,r17 - eor r13,r1 - com r15 - com r13 - ldi r16,255 - lsr r25 - rol r16 - eor r14,r16 - movw r16,r14 - mov r1,r13 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r10,r16 - eor r11,r17 - eor r12,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r14 - and r17,r15 - and r1,r13 - eor r10,r16 - eor r11,r17 - eor r12,r1 - com r11 - com r12 - ldi r16,255 - lsr r25 - rol r16 - eor r10,r16 - movw r16,r10 - mov r1,r12 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r14,r16 - eor r15,r17 - eor r13,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r10 - and r17,r11 - and r1,r12 - eor r14,r16 - eor r15,r17 - eor r13,r1 - com r15 - com r13 - ldi r16,255 - lsr r25 - rol r16 - eor r14,r16 - movw r16,r14 - mov r1,r13 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r10,r16 - eor r11,r17 - eor r12,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r14 - and r17,r15 - and r1,r13 - eor r10,r16 - eor r11,r17 - eor r12,r1 - com r11 - com r12 - ldi r16,255 - lsr r25 - rol r16 - eor r10,r16 - com r18 - com r19 - com r20 - com r23 - com r21 - 
mov r30,r24 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - eor r22,r25 - inc r24 - com r4 - com r5 - com r6 - com r9 - com r7 - mov r30,r24 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - eor r8,r25 - inc r24 - movw r16,r18 - mov r1,r20 - eor r16,r26 - eor r17,r27 - eor r1,r28 - movw r18,r26 - mov r20,r28 - movw r26,r4 - mov r28,r6 - eor r26,r10 - eor r27,r11 - eor r28,r12 - movw r4,r10 - mov r6,r12 - movw r10,r16 - mov r12,r1 - movw r16,r22 - mov r1,r21 - eor r16,r2 - eor r17,r3 - eor r1,r29 - movw r22,r2 - mov r21,r29 - movw r2,r8 - mov r29,r7 - eor r2,r14 - eor r3,r15 - eor r29,r13 - movw r8,r14 - mov r7,r13 - movw r14,r16 - mov r13,r1 - ldi r17,72 - cpse r24,r17 - rjmp 28b -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r20 - std Z+1,r19 - std Z+2,r18 - std Z+3,r21 - std Z+4,r23 - std Z+5,r22 - std Z+6,r28 - std Z+7,r27 - std Z+8,r26 - std Z+9,r29 - std Z+10,r3 - std Z+11,r2 - std Z+12,r6 - std Z+13,r5 - std Z+14,r4 - std Z+15,r7 - std Z+16,r9 - std Z+17,r8 - std Z+18,r12 - std Z+19,r11 - std Z+20,r10 - std Z+21,r13 - std Z+22,r15 - std Z+23,r14 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - eor r1,r1 - ret - .size sliscp_light192_permute, .-sliscp_light192_permute - -#endif diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-sliscp-256-spoc-avr.S b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-sliscp-256-spoc-avr.S deleted file mode 100644 index 84925b4..0000000 --- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-sliscp-256-spoc-avr.S +++ /dev/null 
@@ -1,1142 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 72 -table_0: - .byte 15 - .byte 71 - .byte 8 - .byte 100 - .byte 4 - .byte 178 - .byte 134 - .byte 107 - .byte 67 - .byte 181 - .byte 226 - .byte 111 - .byte 241 - .byte 55 - .byte 137 - .byte 44 - .byte 68 - .byte 150 - .byte 230 - .byte 221 - .byte 115 - .byte 238 - .byte 202 - .byte 153 - .byte 229 - .byte 76 - .byte 23 - .byte 234 - .byte 11 - .byte 245 - .byte 142 - .byte 15 - .byte 71 - .byte 7 - .byte 100 - .byte 4 - .byte 178 - .byte 130 - .byte 107 - .byte 67 - .byte 181 - .byte 161 - .byte 111 - .byte 241 - .byte 55 - .byte 120 - .byte 44 - .byte 68 - .byte 150 - .byte 162 - .byte 221 - .byte 115 - .byte 238 - .byte 185 - .byte 153 - .byte 229 - .byte 76 - .byte 242 - .byte 234 - .byte 11 - .byte 245 - .byte 133 - .byte 15 - .byte 71 - .byte 7 - .byte 35 - .byte 4 - .byte 178 - .byte 130 - .byte 217 - .byte 67 - .byte 181 - - .text -.global sliscp_light256_permute_spoc - .type sliscp_light256_permute_spoc, @function -sliscp_light256_permute_spoc: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r12 - push r13 - push r14 - push r15 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 31 - ld r21,Z - ldd r20,Z+1 - ldd r19,Z+2 - ldd r18,Z+3 - ldd r27,Z+4 - ldd r26,Z+5 - ldd r23,Z+6 - ldd r22,Z+7 - ldd r5,Z+8 - ldd r4,Z+9 - ldd r3,Z+10 - ldd r2,Z+11 - ldd r9,Z+12 - ldd r8,Z+13 - ldd r7,Z+14 - ldd r6,Z+15 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - std Y+5,r22 - std Y+6,r23 - std Y+7,r26 - std Y+8,r27 - std Y+9,r2 - std Y+10,r3 - std Y+11,r4 - std Y+12,r5 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r21,Z+16 - ldd r20,Z+17 - ldd r19,Z+18 - ldd r18,Z+19 - ldd r27,Z+20 - ldd r26,Z+21 - ldd 
r23,Z+22 - ldd r22,Z+23 - ldd r5,Z+24 - ldd r4,Z+25 - ldd r3,Z+26 - ldd r2,Z+27 - ldd r9,Z+28 - ldd r8,Z+29 - ldd r7,Z+30 - ldd r6,Z+31 - push r31 - push r30 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r1 -52: -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - inc r30 - movw r12,r18 - movw r14,r20 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r18 - and r13,r19 - and r14,r20 - and r15,r21 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - com r23 - com r26 - com r27 - ldi r24,255 - lsr r10 - rol r24 - eor r22,r24 - movw r12,r22 - movw r14,r26 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r22 - and r13,r23 - and r14,r26 - and r15,r27 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - com r19 - com r20 - com r21 - ldi r24,255 - lsr r10 - rol r24 - eor r18,r24 - movw r12,r18 - movw r14,r20 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r18 - and r13,r19 - and r14,r20 - and r15,r21 - eor 
r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - com r23 - com r26 - com r27 - ldi r24,255 - lsr r10 - rol r24 - eor r22,r24 - movw r12,r22 - movw r14,r26 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r22 - and r13,r23 - and r14,r26 - and r15,r27 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - com r19 - com r20 - com r21 - ldi r24,255 - lsr r10 - rol r24 - eor r18,r24 - movw r12,r18 - movw r14,r20 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r18 - and r13,r19 - and r14,r20 - and r15,r21 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - com r23 - com r26 - com r27 - ldi r24,255 - lsr r10 - rol r24 - eor r22,r24 - movw r12,r22 - movw r14,r26 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r22 - and r13,r23 - and r14,r26 - and r15,r27 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - com r19 - com r20 - com r21 - ldi r24,255 - lsr r10 - rol r24 - eor r18,r24 - movw r12,r18 - movw r14,r20 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - 
lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r18 - and r13,r19 - and r14,r20 - and r15,r21 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - com r23 - com r26 - com r27 - ldi r24,255 - lsr r10 - rol r24 - eor r22,r24 - movw r12,r22 - movw r14,r26 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r22 - and r13,r23 - and r14,r26 - and r15,r27 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - com r19 - com r20 - com r21 - ldi r24,255 - lsr r10 - rol r24 - eor r18,r24 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - inc r30 - movw r12,r2 - movw r14,r4 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r2 - and r13,r3 - and r14,r4 - and r15,r5 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - com r7 - com r8 - com r9 - ldi r24,255 - lsr r10 - rol r24 - eor r6,r24 - movw r12,r6 - movw r14,r8 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r6 - and r13,r7 - and r14,r8 - and r15,r9 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - com r3 - com r4 - com r5 - 
ldi r24,255 - lsr r10 - rol r24 - eor r2,r24 - movw r12,r2 - movw r14,r4 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r2 - and r13,r3 - and r14,r4 - and r15,r5 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - com r7 - com r8 - com r9 - ldi r24,255 - lsr r10 - rol r24 - eor r6,r24 - movw r12,r6 - movw r14,r8 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r6 - and r13,r7 - and r14,r8 - and r15,r9 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - com r3 - com r4 - com r5 - ldi r24,255 - lsr r10 - rol r24 - eor r2,r24 - movw r12,r2 - movw r14,r4 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r2 - and r13,r3 - and r14,r4 - and r15,r5 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - com r7 - com r8 - com r9 - ldi r24,255 - lsr r10 - rol r24 - eor r6,r24 - movw r12,r6 - movw r14,r8 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r6 - and r13,r7 - and r14,r8 - 
and r15,r9 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - com r3 - com r4 - com r5 - ldi r24,255 - lsr r10 - rol r24 - eor r2,r24 - movw r12,r2 - movw r14,r4 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r2 - and r13,r3 - and r14,r4 - and r15,r5 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - com r7 - com r8 - com r9 - ldi r24,255 - lsr r10 - rol r24 - eor r6,r24 - movw r12,r6 - movw r14,r8 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r6 - and r13,r7 - and r14,r8 - and r15,r9 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - com r3 - com r4 - com r5 - ldi r24,255 - lsr r10 - rol r24 - eor r2,r24 - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - com r12 - com r13 - com r14 - com r15 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - ldd r18,Y+9 - ldd r19,Y+10 - ldd r20,Y+11 - ldd r21,Y+12 - com r18 - com r19 - com r20 - com r21 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - std Y+9,r2 - std Y+10,r3 - std Y+11,r4 - std Y+12,r5 - movw r2,r12 - movw r4,r14 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - com r13 - com r14 - com r15 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - eor r12,r10 - inc r30 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - std Y+5,r22 - std Y+6,r23 - std Y+7,r26 - std Y+8,r27 
- ldd r22,Y+13 - ldd r23,Y+14 - ldd r26,Y+15 - ldd r27,Y+16 - com r23 - com r26 - com r27 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - eor r22,r10 - inc r30 - eor r22,r6 - eor r23,r7 - eor r26,r8 - eor r27,r9 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - movw r6,r12 - movw r8,r14 - ldi r25,72 - cpse r30,r25 - rjmp 52b -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - std Z+16,r21 - std Z+17,r20 - std Z+18,r19 - std Z+19,r18 - std Z+20,r27 - std Z+21,r26 - std Z+22,r23 - std Z+23,r22 - std Z+24,r5 - std Z+25,r4 - std Z+26,r3 - std Z+27,r2 - std Z+28,r9 - std Z+29,r8 - std Z+30,r7 - std Z+31,r6 - ldd r18,Y+1 - ldd r19,Y+2 - ldd r20,Y+3 - ldd r21,Y+4 - ldd r22,Y+5 - ldd r23,Y+6 - ldd r26,Y+7 - ldd r27,Y+8 - ldd r2,Y+9 - ldd r3,Y+10 - ldd r4,Y+11 - ldd r5,Y+12 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - st Z,r21 - std Z+1,r20 - std Z+2,r19 - std Z+3,r18 - std Z+4,r27 - std Z+5,r26 - std Z+6,r23 - std Z+7,r22 - std Z+8,r5 - std Z+9,r4 - std Z+10,r3 - std Z+11,r2 - std Z+12,r9 - std Z+13,r8 - std Z+14,r7 - std Z+15,r6 - adiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r15 - pop r14 - pop r13 - pop r12 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sliscp_light256_permute_spoc, .-sliscp_light256_permute_spoc - - .text -.global sliscp_light256_swap_spoc - .type sliscp_light256_swap_spoc, @function -sliscp_light256_swap_spoc: - movw r30,r24 -.L__stack_usage = 2 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - std Z+8,r22 - std Z+9,r23 - std Z+10,r26 - std Z+11,r27 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r26,Z+22 - ldd 
r27,Z+23 - std Z+20,r18 - std Z+21,r19 - std Z+22,r20 - std Z+23,r21 - std Z+12,r22 - std Z+13,r23 - std Z+14,r26 - std Z+15,r27 - ret - .size sliscp_light256_swap_spoc, .-sliscp_light256_swap_spoc - -#endif diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-sliscp-light.c b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-sliscp-light.c deleted file mode 100644 index dd3a688..0000000 --- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-sliscp-light.c +++ /dev/null 
@@ -1,413 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-sliscp-light.h"
-
-#if !defined(__AVR__)
-
-/**
- * \brief Performs one round of the Simeck-64 block cipher.
- *
- * \param x Left half of the 64-bit block.
- * \param y Right half of the 64-bit block.
- */
-#define simeck64_round(x, y) \
- do { \
- (y) ^= (leftRotate5((x)) & (x)) ^ leftRotate1((x)) ^ \
- 0xFFFFFFFEU ^ (_rc & 1); \
- _rc >>= 1; \
- } while (0)
-
-/**
- * \brief Encrypts a 64-bit block with the 8 round version of Simeck-64.
- *
- * \param x Left half of the 64-bit block.
- * \param y Right half of the 64-bit block.
- * \param rc Round constants for the 8 rounds, 1 bit per round.
- *
- * It is assumed that the two halves have already been converted from
- * big-endian to host byte order before calling this function. The output
- * halves will also be in host byte order.
- */
-#define simeck64_box(x, y, rc) \
- do { \
- unsigned char _rc = (rc); \
- simeck64_round(x, y); /* Round 1 */ \
- simeck64_round(y, x); /* Round 2 */ \
- simeck64_round(x, y); /* Round 3 */ \
- simeck64_round(y, x); /* Round 4 */ \
- simeck64_round(x, y); /* Round 5 */ \
- simeck64_round(y, x); /* Round 6 */ \
- simeck64_round(x, y); /* Round 7 */ \
- simeck64_round(y, x); /* Round 8 */ \
- } while (0)
-
-/* Helper macros for 48-bit left rotations */
-#define leftRotate5_48(x) (((x) << 5) | ((x) >> 19))
-#define leftRotate1_48(x) (((x) << 1) | ((x) >> 23))
-
-/**
- * \brief Performs one round of the Simeck-48 block cipher.
- *
- * \param x Left half of the 48-bit block.
- * \param y Right half of the 48-bit block.
- */
-#define simeck48_round(x, y) \
- do { \
- (y) ^= (leftRotate5_48((x)) & (x)) ^ leftRotate1_48((x)) ^ \
- 0x00FFFFFEU ^ (_rc & 1); \
- (y) &= 0x00FFFFFFU; \
- _rc >>= 1; \
- } while (0)
-
-/**
- * \brief Encrypts a 48-bit block with the 6 round version of Simeck-48.
- *
- * \param x Left half of the 48-bit block.
- * \param y Right half of the 48-bit block.
- * \param rc Round constants for the 8 rounds, 1 bit per round.
- *
- * It is assumed that the two halves have already been converted from
- * big-endian to host byte order before calling this function. The output
- * halves will also be in host byte order.
- */
-#define simeck48_box(x, y, rc) \
- do { \
- unsigned char _rc = (rc); \
- simeck48_round(x, y); /* Round 1 */ \
- simeck48_round(y, x); /* Round 2 */ \
- simeck48_round(x, y); /* Round 3 */ \
- simeck48_round(y, x); /* Round 4 */ \
- simeck48_round(x, y); /* Round 5 */ \
- simeck48_round(y, x); /* Round 6 */ \
- } while (0)
-
-/* Interleaved rc0, rc1, sc0, and sc1 values for each round */
-static unsigned char const sliscp_light256_RC[18 * 4] = {
- 0x0f, 0x47, 0x08, 0x64, 0x04, 0xb2, 0x86, 0x6b,
- 0x43, 0xb5, 0xe2, 0x6f, 0xf1, 0x37, 0x89, 0x2c,
- 0x44, 0x96, 0xe6, 0xdd, 0x73, 0xee, 0xca, 0x99,
- 0xe5, 0x4c, 0x17, 0xea, 0x0b, 0xf5, 0x8e, 0x0f,
- 0x47, 0x07, 0x64, 0x04, 0xb2, 0x82, 0x6b, 0x43,
- 0xb5, 0xa1, 0x6f, 0xf1, 0x37, 0x78, 0x2c, 0x44,
- 0x96, 0xa2, 0xdd, 0x73, 0xee, 0xb9, 0x99, 0xe5,
- 0x4c, 0xf2, 0xea, 0x0b, 0xf5, 0x85, 0x0f, 0x47,
- 0x07, 0x23, 0x04, 0xb2, 0x82, 0xd9, 0x43, 0xb5
-};
-
-void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds)
-{
- const unsigned char *rc = sliscp_light256_RC;
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t t0, t1;
-
- /* Load the block into local state variables */
- x0 = be_load_word32(block);
- x1 = be_load_word32(block + 4);
- x2 = be_load_word32(block + 8);
- x3 = be_load_word32(block + 24); /* Assumes the block is pre-swapped */
- x4 = be_load_word32(block + 16);
- x5 = be_load_word32(block + 20);
- x6 = be_load_word32(block + 12);
- x7 = be_load_word32(block + 28);
-
- /* Perform all permutation rounds */
- for (; rounds > 0; --rounds, rc += 4) {
- /* Apply Simeck-64 to two of the 64-bit sub-blocks */
- simeck64_box(x2, x3, rc[0]);
- simeck64_box(x6, x7, rc[1]);
-
- /* Add step constants */
- x0 ^= 0xFFFFFFFFU;
- x1 ^= 0xFFFFFF00U ^ rc[2];
- x4 ^= 0xFFFFFFFFU;
- x5 ^= 0xFFFFFF00U ^ rc[3];
-
- /* Mix the sub-blocks */
- t0 = x0 ^ x2;
- t1 = x1 ^ x3;
- x0 = x2;
- x1 = x3;
- x2 = x4 ^ x6;
- x3 = x5 ^ x7;
- x4 = x6;
- x5 = x7;
- x6 = t0;
- x7 = t1;
- }
-
- /* Store the state back into the block */
- be_store_word32(block, x0);
- be_store_word32(block + 4, x1);
- be_store_word32(block + 8, x2);
- be_store_word32(block + 24, x3); /* Assumes the block is pre-swapped */
- be_store_word32(block + 16, x4);
- be_store_word32(block + 20, x5);
- be_store_word32(block + 12, x6);
- be_store_word32(block + 28, x7);
-}
-
-void sliscp_light256_swap_spix(unsigned char block[32])
-{
- uint32_t t1, t2;
- t1 = le_load_word32(block + 12);
- t2 = le_load_word32(block + 24);
- le_store_word32(block + 24, t1);
- le_store_word32(block + 12, t2);
-}
-
-void sliscp_light256_permute_spoc(unsigned char block[32])
-{
- const unsigned char *rc = sliscp_light256_RC;
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t t0, t1;
- unsigned round;
-
- /* Load the block into local state variables */
- x0 = be_load_word32(block);
- x1 = be_load_word32(block + 4);
- x2 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */
- x3 = be_load_word32(block + 20);
- x4 = be_load_word32(block + 8);
- x5 = be_load_word32(block + 12);
- x6 = be_load_word32(block + 24);
- x7 = be_load_word32(block + 28);
-
- /* Perform all permutation rounds */
- for (round = 0; round < 18; ++round, rc += 4) {
- /* Apply Simeck-64 to two of the 64-bit sub-blocks */
- simeck64_box(x2, x3, rc[0]);
- simeck64_box(x6, x7, rc[1]);
-
- /* Add step constants */
- x0 ^= 0xFFFFFFFFU;
- x1 ^= 0xFFFFFF00U ^ rc[2];
- x4 ^= 0xFFFFFFFFU;
- x5 ^= 0xFFFFFF00U ^ rc[3];
-
- /* Mix the sub-blocks */
- t0 = x0 ^ x2;
- t1 = x1 ^ x3;
- x0 = x2;
- x1 = x3;
- x2 = x4 ^ x6;
- x3 = x5 ^ x7;
- x4 = x6;
- x5 = x7;
- x6 = t0;
- x7 = t1;
- }
-
- /* Store the state back into the block */
- be_store_word32(block, x0);
- be_store_word32(block + 4, x1);
- be_store_word32(block + 16, x2); /* Assumes the block is pre-swapped */
- be_store_word32(block + 20, x3);
- be_store_word32(block + 8, x4);
- be_store_word32(block + 12, x5);
- be_store_word32(block + 24, x6);
- be_store_word32(block + 28, x7);
-}
-
-void sliscp_light256_swap_spoc(unsigned char block[32])
-{
- uint64_t t1, t2;
- t1 = le_load_word64(block + 8);
- t2 = le_load_word64(block + 16);
- le_store_word64(block + 16, t1);
- le_store_word64(block + 8, t2);
-}
-
-/* Load a big-endian 24-bit word from a byte buffer */
-#define be_load_word24(ptr) \
- ((((uint32_t)((ptr)[0])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[2])))
-
-/* Store a big-endian 24-bit word into a byte buffer */
-#define be_store_word24(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 16); \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)_x; \
- } while (0)
-
-void sliscp_light192_permute(unsigned char block[24])
-{
- /* Interleaved rc0, rc1, sc0, and sc1 values for each round */
- static unsigned char const RC[18 * 4] = {
- 0x07, 0x27, 0x08, 0x29, 0x04, 0x34, 0x0c, 0x1d,
- 0x06, 0x2e, 0x0a, 0x33, 0x25, 0x19, 0x2f, 0x2a,
- 0x17, 0x35, 0x38, 0x1f, 0x1c, 0x0f, 0x24, 0x10,
- 0x12, 0x08, 0x36, 0x18, 0x3b, 0x0c, 0x0d, 0x14,
- 0x26, 0x0a, 0x2b, 0x1e, 0x15, 0x2f, 0x3e, 0x31,
- 0x3f, 0x38, 0x01, 0x09, 0x20, 0x24, 0x21, 0x2d,
- 0x30, 0x36, 0x11, 0x1b, 0x28, 0x0d, 0x39, 0x16,
- 0x3c, 0x2b, 0x05, 0x3d, 0x22, 0x3e, 0x27, 0x03,
- 0x13, 0x01, 0x34, 0x02, 0x1a, 0x21, 0x2e, 0x23
- };
- const unsigned char *rc = RC;
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t t0, t1;
- unsigned round;
-
- /* Load the block into local state variables. Each 24-bit block is
- * placed into a separate 32-bit word which improves efficiency below */
- x0 = be_load_word24(block);
- x1 = be_load_word24(block + 3);
- x2 = be_load_word24(block + 6);
- x3 = be_load_word24(block + 9);
- x4 = be_load_word24(block + 12);
- x5 = be_load_word24(block + 15);
- x6 = be_load_word24(block + 18);
- x7 = be_load_word24(block + 21);
-
- /* Perform all permutation rounds */
- for (round = 0; round < 18; ++round, rc += 4) {
- /* Apply Simeck-48 to two of the 48-bit sub-blocks */
- simeck48_box(x2, x3, rc[0]);
- simeck48_box(x6, x7, rc[1]);
-
- /* Add step constants */
- x0 ^= 0x00FFFFFFU;
- x1 ^= 0x00FFFF00U ^ rc[2];
- x4 ^= 0x00FFFFFFU;
- x5 ^= 0x00FFFF00U ^ rc[3];
-
- /* Mix the sub-blocks */
- t0 = x0 ^ x2;
- t1 = x1 ^ x3;
- x0 = x2;
- x1 = x3;
- x2 = x4 ^ x6;
- x3 = x5 ^ x7;
- x4 = x6;
- x5 = x7;
- x6 = t0;
- x7 = t1;
- }
-
- /* Store the state back into the block */
- be_store_word24(block, x0);
- be_store_word24(block + 3, x1);
- be_store_word24(block + 6, x2);
- be_store_word24(block + 9, x3);
- be_store_word24(block + 12, x4);
- be_store_word24(block + 15, x5);
- be_store_word24(block + 18, x6);
- be_store_word24(block + 21, x7);
-}
-
-void sliscp_light320_permute(unsigned char block[40])
-{
- /* Interleaved rc0, rc1, rc2, sc0, sc1, and sc2 values for each round */
- static unsigned char const RC[16 * 6] = {
- 0x07, 0x53, 0x43, 0x50, 0x28, 0x14, 0x0a, 0x5d,
- 0xe4, 0x5c, 0xae, 0x57, 0x9b, 0x49, 0x5e, 0x91,
- 0x48, 0x24, 0xe0, 0x7f, 0xcc, 0x8d, 0xc6, 0x63,
- 0xd1, 0xbe, 0x32, 0x53, 0xa9, 0x54, 0x1a, 0x1d,
- 0x4e, 0x60, 0x30, 0x18, 0x22, 0x28, 0x75, 0x68,
- 0x34, 0x9a, 0xf7, 0x6c, 0x25, 0xe1, 0x70, 0x38,
- 0x62, 0x82, 0xfd, 0xf6, 0x7b, 0xbd, 0x96, 0x47,
- 0xf9, 0x9d, 0xce, 0x67, 0x71, 0x6b, 0x76, 0x40,
- 0x20, 0x10, 0xaa, 0x88, 0xa0, 0x4f, 0x27, 0x13,
- 0x2b, 0xdc, 0xb0, 0xbe, 0x5f, 0x2f, 0xe9, 0x8b,
- 0x09, 0x5b, 0xad, 0xd6, 0xcf, 0x59, 0x1e, 0xe9,
- 0x74, 0xba, 0xb7, 0xc6, 0xad, 0x7f, 0x3f, 0x1f
- };
- const unsigned char *rc = RC;
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9;
- uint32_t t0, t1;
- unsigned round;
-
- /* Load the block into local state variables */
- x0 = be_load_word32(block);
- x1 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */
- x2 = be_load_word32(block + 8);
- x3 = be_load_word32(block + 12);
- x4 = be_load_word32(block + 4);
- x5 = be_load_word32(block + 20);
- x6 = be_load_word32(block + 24);
- x7 = be_load_word32(block + 28);
- x8 = be_load_word32(block + 32);
- x9 = be_load_word32(block + 36);
-
- /* Perform all permutation rounds */
- for (round = 0; round < 16; ++round, rc += 6) {
- /* Apply Simeck-64 to three of the 64-bit sub-blocks */
- simeck64_box(x0, x1, rc[0]);
- simeck64_box(x4, x5, rc[1]);
- simeck64_box(x8, x9, rc[2]);
- x6 ^= x8;
- x7 ^= x9;
- x2 ^= x4;
- x3 ^= x5;
- x8 ^= x0;
- x9 ^= x1;
-
- /* Add step constants */
- x2 ^= 0xFFFFFFFFU;
- x3 ^= 0xFFFFFF00U ^ rc[3];
- x6 ^= 0xFFFFFFFFU;
- x7 ^= 0xFFFFFF00U ^ rc[4];
- x8 ^= 0xFFFFFFFFU;
- x9 ^= 0xFFFFFF00U ^ rc[5];
-
- /* Rotate the sub-blocks */
- t0 = x8;
- t1 = x9;
- x8 = x2;
- x9 = x3;
- x2 = x4;
- x3 = x5;
- x4 = x0;
- x5 = x1;
- x0 = x6;
- x1 = x7;
- x6 = t0;
- x7 = t1;
- }
-
- /* Store the state back into the block */
- be_store_word32(block, x0);
- be_store_word32(block + 16, x1); /* Assumes the block is pre-swapped */
- be_store_word32(block + 8, x2);
- be_store_word32(block + 12, x3);
- be_store_word32(block + 4, x4);
- be_store_word32(block + 20, x5);
- be_store_word32(block + 24, x6);
- be_store_word32(block + 28, x7);
- be_store_word32(block + 32, x8);
- be_store_word32(block + 36, x9);
-}
-
-void sliscp_light320_swap(unsigned char block[40])
-{
- uint32_t t1, t2;
- t1 = le_load_word32(block + 4);
- t2 = le_load_word32(block + 16);
- le_store_word32(block + 16, t1);
- le_store_word32(block + 4, t2);
-}
-
-#endif /* !__AVR__ */
diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-sliscp-light.h b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-sliscp-light.h
deleted file mode 100644
index 8a5e8d5..0000000
--- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-sliscp-light.h
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SLISCP_LIGHT_H
-#define LW_INTERNAL_SLISCP_LIGHT_H
-
-/**
- * \file internal-sliscp-light.h
- * \brief sLiSCP-light permutation
- *
- * There are three variants of sLiSCP-light in use in the NIST submissions:
- *
- * \li sLiSCP-light-256 with a 256-bit block size, used in SPIX and SpoC.
- * \li sLiSCP-light-192 with a 192-bit block size, used in SpoC.
- * \li sLiSCP-light-320 with a 320-bit block size, used in ACE.
- *
- * References: https://uwaterloo.ca/communications-security-lab/lwc/ace,
- * https://uwaterloo.ca/communications-security-lab/lwc/spix,
- * https://uwaterloo.ca/communications-security-lab/lwc/spoc
- */
-
-#include "internal-util.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the state for sLiSCP-light-256.
- */
-#define SLISCP_LIGHT256_STATE_SIZE 32
-
-/**
- * \brief Size of the state for sLiSCP-light-192.
- */
-#define SLISCP_LIGHT192_STATE_SIZE 24
-
-/**
- * \brief Size of the state for sLiSCP-light-320.
- */
-#define SLISCP_LIGHT320_STATE_SIZE 40
-
-/**
- * \brief Performs the sLiSCP-light permutation on a 256-bit block.
- *
- * \param block Points to the block to be permuted.
- * \param rounds Number of rounds to be performed, usually 9 or 18.
- *
- * The bytes of the block are assumed to be rearranged to match the
- * requirements of the SPIX cipher. SPIX places the rate bytes at
- * positions 8, 9, 10, 11, 24, 25, 26, and 27.
- *
- * This function assumes that bytes 24-27 have been pre-swapped with
- * bytes 12-15 so that the rate portion of the state is contiguous.
- *
- * The sliscp_light256_swap_spix() function can be used to switch
- * between the canonical order and the pre-swapped order.
- *
- * \sa sliscp_light256_swap_spix()
- */
-void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds);
-
-/**
- * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SPIX.
- *
- * \param block Points to the block to be rate-swapped.
- *
- * \sa sliscp_light256_permute_spix()
- */
-void sliscp_light256_swap_spix(unsigned char block[32]);
-
-/**
- * \brief Performs the sLiSCP-light permutation on a 256-bit block.
- *
- * \param block Points to the block to be permuted.
- *
- * The bytes of the block are assumed to be rearranged to match the
- * requirements of the SpoC-128 cipher. SpoC-128 interleaves the
- * rate bytes and the mask bytes. This version assumes that the
- * rate and mask are in contiguous bytes of the state.
- *
- * SpoC-128 absorbs bytes using the mask bytes of the state at offsets
- * 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, and 31.
- * It squeezes bytes using the rate bytes of the state at offsets
- * 0, 1, 2, 3, 4, 5, 6, 7, 16, 17, 18, 19, 20, 21, 22, and 23.
- *
- * This function assumes that bytes 8-15 have been pre-swapped with 16-23
- * so that the rate and mask portions of the state are contiguous.
- *
- * The sliscp_light256_swap_spoc() function can be used to switch
- * between the canonical order and the pre-swapped order.
- *
- * \sa sliscp_light256_swap_spoc()
- */
-void sliscp_light256_permute_spoc(unsigned char block[32]);
-
-/**
- * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SpoC-128.
- *
- * \param block Points to the block to be rate-swapped.
- *
- * \sa sliscp_light256_permute_spoc()
- */
-void sliscp_light256_swap_spoc(unsigned char block[32]);
-
-/**
- * \brief Performs the sLiSCP-light permutation on a 192-bit block.
- *
- * \param block Points to the block to be permuted.
- */
-void sliscp_light192_permute(unsigned char block[24]);
-
-/**
- * \brief Performs the sLiSCP-light permutation on a 320-bit block.
- *
- * \param block Points to the block to be permuted.
- *
- * The ACE specification refers to this permutation as "ACE" but that
- * can be confused with the name of the AEAD mode so we call this
- * permutation "sLiSCP-light-320" instead.
- *
- * ACE absorbs and squeezes data at the rate bytes 0, 1, 2, 3, 16, 17, 18, 19.
- * Efficiency can suffer because of the discontinuity in rate byte positions.
- *
- * To counteract this, we assume that the input to the permutation has been
- * pre-swapped: bytes 4, 5, 6, 7 are swapped with bytes 16, 17, 18, 19 so
- * that the rate is contiguous at the start of the state.
- *
- * The sliscp_light320_swap() function can be used to switch between the
- * canonical order and the pre-swapped order.
- *
- * \sa sliscp_light320_swap()
- */
-void sliscp_light320_permute(unsigned char block[40]);
-
-/**
- * \brief Swaps rate bytes in a sLiSCP-light 320-bit block.
- *
- * \param block Points to the block to be rate-swapped.
- *
- * \sa sliscp_light320_permute()
- */
-void sliscp_light320_swap(unsigned char block[40]);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-util.h b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define 
rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define 
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) 
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of 
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | 
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/spoc.c b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/spoc.c
deleted file mode 100644
index 92ee233..0000000
--- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/spoc.c
+++ /dev/null
@@ -1,406 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "spoc.h"
-#include "internal-sliscp-light.h"
-#include "internal-util.h"
-#include 
-
-/**
- * \brief Size of the state for the internal sLiSCP-light-256 permutation.
- */
-#define SPOC_128_STATE_SIZE SLISCP_LIGHT256_STATE_SIZE
-
-/**
- * \brief Rate for absorbing data into the sLiSCP-light-256 state and for
- * squeezing data out again.
- */
-#define SPOC_128_RATE 16
-
-/**
- * \brief Size of the state for the internal sLiSCP-light-192 permutation.
- */
-#define SPOC_64_STATE_SIZE SLISCP_LIGHT192_STATE_SIZE
-
-/**
- * \brief Rate for absorbing data into the sLiSCP-light-192 state and for
- * squeezing data out again. 
- */
-#define SPOC_64_RATE 8
-
-aead_cipher_t const spoc_128_cipher = {
- "SpoC-128",
- SPOC_KEY_SIZE,
- SPOC_NONCE_SIZE,
- SPOC_128_TAG_SIZE,
- AEAD_FLAG_NONE,
- spoc_128_aead_encrypt,
- spoc_128_aead_decrypt
-};
-
-aead_cipher_t const spoc_64_cipher = {
- "SpoC-64",
- SPOC_KEY_SIZE,
- SPOC_NONCE_SIZE,
- SPOC_64_TAG_SIZE,
- AEAD_FLAG_NONE,
- spoc_64_aead_encrypt,
- spoc_64_aead_decrypt
-};
-
-/* Indices of where a rate byte is located to help with padding */
-/*
-static unsigned char const spoc_128_rate_posn[16] = {
- 0, 1, 2, 3, 4, 5, 6, 7, 16, 17, 18, 19, 20, 21, 22, 23
-};
-static unsigned char const spoc_128_mask_posn[16] = {
- 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, 31
-};
-*/
-static unsigned char const spoc_64_rate_posn[8] = {
- 0, 1, 2, 3, 12, 13, 14, 15
-};
-static unsigned char const spoc_64_mask_posn[8] = {
- 6, 7, 8, 9, 18, 19, 20, 21
-};
-
-/**
- * \brief Initializes the SpoC-128 state.
- *
- * \param state sLiSCP-light-256 permutation state.
- * \param k Points to the 128-bit key.
- * \param npub Points to the 128-bit nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes. 
- */
-static void spoc_128_init
- (unsigned char state[SPOC_128_STATE_SIZE],
- const unsigned char *k, const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned temp;
-
- /* Initialize the state by combining the key and nonce */
- memcpy(state, npub, 16);
- memcpy(state + 16, k, 16);
-
- /* Absorb the associated data into the state */
- if (adlen != 0) {
- while (adlen >= SPOC_128_RATE) {
- sliscp_light256_permute_spoc(state);
- lw_xor_block(state + 16, ad, SPOC_128_RATE);
- state[0] ^= 0x20; /* domain separation */
- ad += SPOC_128_RATE;
- adlen -= SPOC_128_RATE;
- }
- temp = (unsigned)adlen;
- if (temp > 0) {
- sliscp_light256_permute_spoc(state);
- lw_xor_block(state + 16, ad, temp);
- state[temp + 16] ^= 0x80; /* padding */
- state[0] ^= 0x30; /* domain separation */
- }
- }
-}
-
-/**
- * \brief Initializes the SpoC-64 state.
- *
- * \param state sLiSCP-light-192 permutation state.
- * \param k Points to the 128-bit key.
- * \param npub Points to the 128-bit nonce.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes. 
- */
-static void spoc_64_init
- (unsigned char state[SPOC_64_STATE_SIZE],
- const unsigned char *k, const unsigned char *npub,
- const unsigned char *ad, unsigned long long adlen)
-{
- unsigned temp;
-
- /* Initialize the state by interleaving the key and nonce */
- memcpy(state, npub, 4);
- state[4] = k[6];
- state[5] = k[7];
- memcpy(state + 6, k, 6);
- memcpy(state + 12, npub + 4, 4);
- state[16] = k[14];
- state[17] = k[15];
- memcpy(state + 18, k + 8, 6);
- sliscp_light192_permute(state);
- lw_xor_block(state + 6, npub + 8, 4);
- lw_xor_block(state + 18, npub + 12, 4);
-
- /* Absorb the associated data into the state */
- if (adlen != 0) {
- while (adlen >= SPOC_64_RATE) {
- sliscp_light192_permute(state);
- lw_xor_block(state + 6, ad, 4);
- lw_xor_block(state + 18, ad + 4, 4);
- state[0] ^= 0x20; /* domain separation */
- ad += SPOC_64_RATE;
- adlen -= SPOC_64_RATE;
- }
- temp = (unsigned)adlen;
- if (temp > 0) {
- sliscp_light192_permute(state);
- state[spoc_64_mask_posn[temp]] ^= 0x80; /* padding */
- state[0] ^= 0x30; /* domain separation */
- while (temp > 0) {
- --temp;
- state[spoc_64_mask_posn[temp]] ^= ad[temp];
- }
- }
- }
-}
-
-/**
- * \brief Finalizes the SpoC-128 encryption or decryption operation.
- *
- * \param state sLiSCP-light-256 permutation state.
- * \param tag Points to the 16 byte buffer to receive the computed tag.
- */
-static void spoc_128_finalize
- (unsigned char state[SPOC_128_STATE_SIZE], unsigned char *tag)
-{
- /* Pad and permute the state one more time */
- state[0] ^= 0x80;
- sliscp_light256_permute_spoc(state);
-
- /* Copy out the authentication tag */
- memcpy(tag, state + 16, 16);
-}
-
-/**
- * \brief Finalizes the SpoC-64 encryption or decryption operation.
- *
- * \param state sLiSCP-light-192 permutation state.
- * \param tag Points to the 16 byte buffer to receive the computed tag. 
- */
-static void spoc_64_finalize
- (unsigned char state[SPOC_64_STATE_SIZE], unsigned char *tag)
-{
- /* Pad and permute the state one more time */
- state[0] ^= 0x80;
- sliscp_light192_permute(state);
-
- /* Copy out the authentication tag */
- memcpy(tag, state + 6, 4);
- memcpy(tag + 4, state + 18, 4);
-}
-
-int spoc_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char state[SPOC_128_STATE_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOC_128_TAG_SIZE;
-
- /* Initialize the SpoC-128 state and absorb the associated data */
- spoc_128_init(state, k, npub, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen != 0) {
- while (mlen >= SPOC_128_RATE) {
- sliscp_light256_permute_spoc(state);
- lw_xor_block(state + 16, m, SPOC_128_RATE);
- lw_xor_block_2_src(c, m, state, SPOC_128_RATE);
- state[0] ^= 0x40; /* domain separation */
- c += SPOC_128_RATE;
- m += SPOC_128_RATE;
- mlen -= SPOC_128_RATE;
- }
- if (mlen != 0) {
- unsigned temp = (unsigned)mlen;
- sliscp_light256_permute_spoc(state);
- lw_xor_block(state + 16, m, temp);
- lw_xor_block_2_src(c, m, state, temp);
- state[temp + 16] ^= 0x80; /* padding */
- state[0] ^= 0x50; /* domain separation */
- c += mlen;
- }
- }
-
- /* Finalize and generate the authentication tag */
- spoc_128_finalize(state, c);
- return 0;
-}
-
-int spoc_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char state[SPOC_128_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value 
*/
- if (clen < SPOC_128_TAG_SIZE)
- return -1;
- *mlen = clen - SPOC_128_TAG_SIZE;
-
- /* Initialize the Spoc-128 state and absorb the associated data */
- spoc_128_init(state, k, npub, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOC_128_TAG_SIZE;
- if (clen != 0) {
- while (clen >= SPOC_128_RATE) {
- sliscp_light256_permute_spoc(state);
- lw_xor_block_2_src(m, c, state, SPOC_128_RATE);
- lw_xor_block(state + 16, m, SPOC_128_RATE);
- state[0] ^= 0x40; /* domain separation */
- c += SPOC_128_RATE;
- m += SPOC_128_RATE;
- clen -= SPOC_128_RATE;
- }
- if (clen != 0) {
- unsigned temp = (unsigned)clen;
- sliscp_light256_permute_spoc(state);
- lw_xor_block_2_src(m, c, state, temp);
- lw_xor_block(state + 16, m, temp);
- state[temp + 16] ^= 0x80; /* padding */
- state[0] ^= 0x50; /* domain separation */
- c += clen;
- }
- }
-
- /* Finalize and check the authentication tag */
- spoc_128_finalize(state, state);
- return aead_check_tag(mtemp, *mlen, state, c, SPOC_128_TAG_SIZE);
-}
-
-int spoc_64_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char state[SPOC_64_STATE_SIZE];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOC_64_TAG_SIZE;
-
- /* Initialize the SpoC-64 state and absorb the associated data */
- spoc_64_init(state, k, npub, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen != 0) {
- while (mlen >= SPOC_64_RATE) {
- sliscp_light192_permute(state);
- lw_xor_block(state + 6, m, 4);
- lw_xor_block(state + 18, m + 4, 4);
- lw_xor_block_2_src(c, m, state, 4);
- lw_xor_block_2_src(c + 4, m + 4, state + 12, 4);
- state[0] ^= 0x40; /* domain separation */
- c += SPOC_64_RATE;
- m += SPOC_64_RATE;
- mlen -= SPOC_64_RATE;
- }
- if (mlen != 0) {
- unsigned 
temp = (unsigned)mlen;
- sliscp_light192_permute(state);
- state[spoc_64_mask_posn[temp]] ^= 0x80; /* padding */
- while (temp > 0) {
- --temp;
- unsigned char mbyte = m[temp];
- state[spoc_64_mask_posn[temp]] ^= mbyte;
- c[temp] = mbyte ^ state[spoc_64_rate_posn[temp]];
- }
- state[0] ^= 0x50; /* domain separation */
- c += mlen;
- }
- }
-
- /* Finalize and generate the authentication tag */
- spoc_64_finalize(state, c);
- return 0;
-}
-
-int spoc_64_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- unsigned char state[SPOC_64_STATE_SIZE];
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOC_64_TAG_SIZE)
- return -1;
- *mlen = clen - SPOC_64_TAG_SIZE;
-
- /* Initialize the Spoc-64 state and absorb the associated data */
- spoc_64_init(state, k, npub, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOC_64_TAG_SIZE;
- if (clen != 0) {
- while (clen >= SPOC_64_RATE) {
- sliscp_light192_permute(state);
- lw_xor_block_2_src(m, c, state, 4);
- lw_xor_block_2_src(m + 4, c + 4, state + 12, 4);
- lw_xor_block(state + 6, m, 4);
- lw_xor_block(state + 18, m + 4, 4);
- state[0] ^= 0x40; /* domain separation */
- c += SPOC_64_RATE;
- m += SPOC_64_RATE;
- clen -= SPOC_64_RATE;
- }
- if (clen != 0) {
- unsigned temp = (unsigned)clen;
- sliscp_light192_permute(state);
- state[spoc_64_mask_posn[temp]] ^= 0x80; /* padding */
- while (temp > 0) {
- --temp;
- unsigned char mbyte = c[temp] ^ state[spoc_64_rate_posn[temp]];
- state[spoc_64_mask_posn[temp]] ^= mbyte;
- m[temp] = mbyte;
- }
- state[0] ^= 0x50; /* domain separation */
- c += clen;
- }
- }
-
- /* Finalize and check the authentication tag */
- spoc_64_finalize(state, state);
- return aead_check_tag(mtemp, *mlen, state, 
c, SPOC_64_TAG_SIZE);
-}
diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/spoc.h b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/spoc.h
deleted file mode 100644
index 712c2d0..0000000
--- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys-avr/spoc.h
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SPOC_H
-#define LWCRYPTO_SPOC_H
-
-#include "aead-common.h"
-
-/**
- * \file spoc.h
- * \brief SpoC authenticated encryption algorithm.
- *
- * SpoC is a family of authenticated encryption algorithms with two
- * members, SpoC-128 and Spoc-64. The algorithms use a Beetle-like
- * sponge construction built on top of the sLiSCP-light permutation.
- *
- * \li Spoc-128 has a 128-bit key, a 128-bit nonce, and a 128-bit tag.
- * It is built around the 256-bit version of the sLiSCP-light permutation.
- * This is the primary member of the family.
- * \li Spoc-64 has a 128-bit key, a 128-bit nonce, and a 64-bit tag.
- * It is built around the 192-bit version of the sLiSCP-light permutation.
- *
- * Spoc-128 has good performance on small packets (16 bytes or less)
- * on 32-bit embedded platforms. 
- *
- * References: https://uwaterloo.ca/communications-security-lab/lwc/spoc
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for all SpoC variants.
- */
-#define SPOC_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SpoC-128.
- */
-#define SPOC_128_TAG_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SpoC-64.
- */
-#define SPOC_64_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for all SpoC variants.
- */
-#define SPOC_NONCE_SIZE 16
-
-/**
- * \brief Meta-information block for the SpoC-128 cipher.
- */
-extern aead_cipher_t const spoc_128_cipher;
-
-/**
- * \brief Meta-information block for the SpoC-64 cipher.
- */
-extern aead_cipher_t const spoc_64_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with SpoC-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa spoc_128_aead_decrypt()
- */
-int spoc_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SpoC-128. 
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa spoc_128_aead_encrypt()
- */
-int spoc_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SpoC-64.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length. 
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa spoc_64_aead_decrypt()
- */
-int spoc_64_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SpoC-64.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa spoc_64_aead_encrypt()
- */
-int spoc_64_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-192-avr.S b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-192-avr.S
new file mode 100644
index 0000000..5860b14
--- /dev/null
+++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-192-avr.S
@@ -0,0 +1,794 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 72 +table_0: + .byte 7 + .byte 39 + .byte 8 + .byte 41 + .byte 4 + .byte 52 + .byte 12 + .byte 29 + .byte 6 + .byte 46 + .byte 10 + .byte 51 + .byte 37 + .byte 25 + .byte 47 + .byte 42 + .byte 23 + .byte 53 + .byte 56 + .byte 31 + .byte 28 + .byte 15 + .byte 36 + .byte 16 + .byte 18 + .byte 8 + .byte 54 + .byte 24 + .byte 59 + .byte 12 + .byte 13 + .byte 20 + .byte 38 + .byte 10 + .byte 43 + .byte 30 + .byte 21 + .byte 47 + .byte 62 + .byte 49 + .byte 63 + .byte 56 + .byte 1 + .byte 9 + .byte 32 + .byte 36 + .byte 33 + .byte 45 + .byte 48 + .byte 54 + .byte 17 + .byte 27 + .byte 40 + .byte 13 + .byte 57 + .byte 22 + .byte 60 + .byte 43 + .byte 5 + .byte 61 + .byte 34 + .byte 62 + .byte 39 + .byte 3 + .byte 19 + .byte 1 + .byte 52 + .byte 2 + .byte 26 + .byte 33 + .byte 46 + .byte 35 + + .text +.global sliscp_light192_permute + .type sliscp_light192_permute, @function +sliscp_light192_permute: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ld r20,Z + ldd r19,Z+1 + ldd r18,Z+2 + ldd r21,Z+3 + ldd r23,Z+4 + ldd r22,Z+5 + ldd r28,Z+6 + ldd r27,Z+7 + ldd r26,Z+8 + ldd r29,Z+9 + ldd r3,Z+10 + ldd r2,Z+11 + ldd r6,Z+12 + ldd r5,Z+13 + ldd r4,Z+14 + ldd r7,Z+15 + ldd r9,Z+16 + ldd r8,Z+17 + ldd r12,Z+18 + ldd r11,Z+19 + ldd r10,Z+20 + ldd r13,Z+21 + ldd r15,Z+22 + ldd r14,Z+23 + push r31 + push r30 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r24,0 +28: + mov r30,r24 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z 
+#else + lpm + mov r25,r0 +#endif + inc r24 + movw r16,r26 + mov r1,r28 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r2,r16 + eor r3,r17 + eor r29,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r26 + and r17,r27 + and r1,r28 + eor r2,r16 + eor r3,r17 + eor r29,r1 + com r3 + com r29 + ldi r16,255 + lsr r25 + rol r16 + eor r2,r16 + movw r16,r2 + mov r1,r29 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r26,r16 + eor r27,r17 + eor r28,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r2 + and r17,r3 + and r1,r29 + eor r26,r16 + eor r27,r17 + eor r28,r1 + com r27 + com r28 + ldi r16,255 + lsr r25 + rol r16 + eor r26,r16 + movw r16,r26 + mov r1,r28 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r2,r16 + eor r3,r17 + eor r29,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r26 + and r17,r27 + and r1,r28 + eor r2,r16 + eor r3,r17 + eor r29,r1 + com r3 + com r29 + ldi r16,255 + lsr r25 + rol r16 + eor r2,r16 + movw r16,r2 + mov r1,r29 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r26,r16 + eor r27,r17 + eor r28,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r2 + and r17,r3 + and r1,r29 + eor r26,r16 + eor r27,r17 + eor r28,r1 + com r27 + com r28 + ldi r16,255 + lsr r25 + rol r16 + eor r26,r16 + movw r16,r26 + mov r1,r28 + bst r1,7 + lsl r16 + rol 
r17 + rol r1 + bld r16,0 + eor r2,r16 + eor r3,r17 + eor r29,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r26 + and r17,r27 + and r1,r28 + eor r2,r16 + eor r3,r17 + eor r29,r1 + com r3 + com r29 + ldi r16,255 + lsr r25 + rol r16 + eor r2,r16 + movw r16,r2 + mov r1,r29 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r26,r16 + eor r27,r17 + eor r28,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r2 + and r17,r3 + and r1,r29 + eor r26,r16 + eor r27,r17 + eor r28,r1 + com r27 + com r28 + ldi r16,255 + lsr r25 + rol r16 + eor r26,r16 + mov r30,r24 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + inc r24 + movw r16,r10 + mov r1,r12 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r14,r16 + eor r15,r17 + eor r13,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r10 + and r17,r11 + and r1,r12 + eor r14,r16 + eor r15,r17 + eor r13,r1 + com r15 + com r13 + ldi r16,255 + lsr r25 + rol r16 + eor r14,r16 + movw r16,r14 + mov r1,r13 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r10,r16 + eor r11,r17 + eor r12,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r14 + and r17,r15 + and r1,r13 + eor r10,r16 + eor r11,r17 + eor r12,r1 + com r11 + com r12 + ldi r16,255 + 
lsr r25 + rol r16 + eor r10,r16 + movw r16,r10 + mov r1,r12 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r14,r16 + eor r15,r17 + eor r13,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r10 + and r17,r11 + and r1,r12 + eor r14,r16 + eor r15,r17 + eor r13,r1 + com r15 + com r13 + ldi r16,255 + lsr r25 + rol r16 + eor r14,r16 + movw r16,r14 + mov r1,r13 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r10,r16 + eor r11,r17 + eor r12,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r14 + and r17,r15 + and r1,r13 + eor r10,r16 + eor r11,r17 + eor r12,r1 + com r11 + com r12 + ldi r16,255 + lsr r25 + rol r16 + eor r10,r16 + movw r16,r10 + mov r1,r12 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r14,r16 + eor r15,r17 + eor r13,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r10 + and r17,r11 + and r1,r12 + eor r14,r16 + eor r15,r17 + eor r13,r1 + com r15 + com r13 + ldi r16,255 + lsr r25 + rol r16 + eor r14,r16 + movw r16,r14 + mov r1,r13 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r10,r16 + eor r11,r17 + eor r12,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r14 + and r17,r15 + and r1,r13 + eor r10,r16 + eor r11,r17 + eor r12,r1 + com r11 + com r12 + ldi r16,255 + lsr r25 + rol r16 + eor r10,r16 + com r18 + com r19 + com r20 + com r23 + com r21 + 
mov r30,r24 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + eor r22,r25 + inc r24 + com r4 + com r5 + com r6 + com r9 + com r7 + mov r30,r24 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + eor r8,r25 + inc r24 + movw r16,r18 + mov r1,r20 + eor r16,r26 + eor r17,r27 + eor r1,r28 + movw r18,r26 + mov r20,r28 + movw r26,r4 + mov r28,r6 + eor r26,r10 + eor r27,r11 + eor r28,r12 + movw r4,r10 + mov r6,r12 + movw r10,r16 + mov r12,r1 + movw r16,r22 + mov r1,r21 + eor r16,r2 + eor r17,r3 + eor r1,r29 + movw r22,r2 + mov r21,r29 + movw r2,r8 + mov r29,r7 + eor r2,r14 + eor r3,r15 + eor r29,r13 + movw r8,r14 + mov r7,r13 + movw r14,r16 + mov r13,r1 + ldi r17,72 + cpse r24,r17 + rjmp 28b +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r20 + std Z+1,r19 + std Z+2,r18 + std Z+3,r21 + std Z+4,r23 + std Z+5,r22 + std Z+6,r28 + std Z+7,r27 + std Z+8,r26 + std Z+9,r29 + std Z+10,r3 + std Z+11,r2 + std Z+12,r6 + std Z+13,r5 + std Z+14,r4 + std Z+15,r7 + std Z+16,r9 + std Z+17,r8 + std Z+18,r12 + std Z+19,r11 + std Z+20,r10 + std Z+21,r13 + std Z+22,r15 + std Z+23,r14 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + eor r1,r1 + ret + .size sliscp_light192_permute, .-sliscp_light192_permute + +#endif diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-256-spoc-avr.S b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-256-spoc-avr.S new file mode 100644 index 0000000..84925b4 --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-256-spoc-avr.S 
@@ -0,0 +1,1142 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 72 +table_0: + .byte 15 + .byte 71 + .byte 8 + .byte 100 + .byte 4 + .byte 178 + .byte 134 + .byte 107 + .byte 67 + .byte 181 + .byte 226 + .byte 111 + .byte 241 + .byte 55 + .byte 137 + .byte 44 + .byte 68 + .byte 150 + .byte 230 + .byte 221 + .byte 115 + .byte 238 + .byte 202 + .byte 153 + .byte 229 + .byte 76 + .byte 23 + .byte 234 + .byte 11 + .byte 245 + .byte 142 + .byte 15 + .byte 71 + .byte 7 + .byte 100 + .byte 4 + .byte 178 + .byte 130 + .byte 107 + .byte 67 + .byte 181 + .byte 161 + .byte 111 + .byte 241 + .byte 55 + .byte 120 + .byte 44 + .byte 68 + .byte 150 + .byte 162 + .byte 221 + .byte 115 + .byte 238 + .byte 185 + .byte 153 + .byte 229 + .byte 76 + .byte 242 + .byte 234 + .byte 11 + .byte 245 + .byte 133 + .byte 15 + .byte 71 + .byte 7 + .byte 35 + .byte 4 + .byte 178 + .byte 130 + .byte 217 + .byte 67 + .byte 181 + + .text +.global sliscp_light256_permute_spoc + .type sliscp_light256_permute_spoc, @function +sliscp_light256_permute_spoc: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r12 + push r13 + push r14 + push r15 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 31 + ld r21,Z + ldd r20,Z+1 + ldd r19,Z+2 + ldd r18,Z+3 + ldd r27,Z+4 + ldd r26,Z+5 + ldd r23,Z+6 + ldd r22,Z+7 + ldd r5,Z+8 + ldd r4,Z+9 + ldd r3,Z+10 + ldd r2,Z+11 + ldd r9,Z+12 + ldd r8,Z+13 + ldd r7,Z+14 + ldd r6,Z+15 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + std Y+5,r22 + std Y+6,r23 + std Y+7,r26 + std Y+8,r27 + std Y+9,r2 + std Y+10,r3 + std Y+11,r4 + std Y+12,r5 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r21,Z+16 + ldd r20,Z+17 + ldd r19,Z+18 + ldd r18,Z+19 + ldd r27,Z+20 + ldd r26,Z+21 + ldd 
r23,Z+22 + ldd r22,Z+23 + ldd r5,Z+24 + ldd r4,Z+25 + ldd r3,Z+26 + ldd r2,Z+27 + ldd r9,Z+28 + ldd r8,Z+29 + ldd r7,Z+30 + ldd r6,Z+31 + push r31 + push r30 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r1 +52: +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + inc r30 + movw r12,r18 + movw r14,r20 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r18 + and r13,r19 + and r14,r20 + and r15,r21 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + com r23 + com r26 + com r27 + ldi r24,255 + lsr r10 + rol r24 + eor r22,r24 + movw r12,r22 + movw r14,r26 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r22 + and r13,r23 + and r14,r26 + and r15,r27 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + com r19 + com r20 + com r21 + ldi r24,255 + lsr r10 + rol r24 + eor r18,r24 + movw r12,r18 + movw r14,r20 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r18 + and r13,r19 + and r14,r20 + and r15,r21 + eor 
r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + com r23 + com r26 + com r27 + ldi r24,255 + lsr r10 + rol r24 + eor r22,r24 + movw r12,r22 + movw r14,r26 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r22 + and r13,r23 + and r14,r26 + and r15,r27 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + com r19 + com r20 + com r21 + ldi r24,255 + lsr r10 + rol r24 + eor r18,r24 + movw r12,r18 + movw r14,r20 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r18 + and r13,r19 + and r14,r20 + and r15,r21 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + com r23 + com r26 + com r27 + ldi r24,255 + lsr r10 + rol r24 + eor r22,r24 + movw r12,r22 + movw r14,r26 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r22 + and r13,r23 + and r14,r26 + and r15,r27 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + com r19 + com r20 + com r21 + ldi r24,255 + lsr r10 + rol r24 + eor r18,r24 + movw r12,r18 + movw r14,r20 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + 
lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r18 + and r13,r19 + and r14,r20 + and r15,r21 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + com r23 + com r26 + com r27 + ldi r24,255 + lsr r10 + rol r24 + eor r22,r24 + movw r12,r22 + movw r14,r26 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r22 + and r13,r23 + and r14,r26 + and r15,r27 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + com r19 + com r20 + com r21 + ldi r24,255 + lsr r10 + rol r24 + eor r18,r24 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + inc r30 + movw r12,r2 + movw r14,r4 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r2 + and r13,r3 + and r14,r4 + and r15,r5 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + com r7 + com r8 + com r9 + ldi r24,255 + lsr r10 + rol r24 + eor r6,r24 + movw r12,r6 + movw r14,r8 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r6 + and r13,r7 + and r14,r8 + and r15,r9 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + com r3 + com r4 + com r5 + 
ldi r24,255 + lsr r10 + rol r24 + eor r2,r24 + movw r12,r2 + movw r14,r4 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r2 + and r13,r3 + and r14,r4 + and r15,r5 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + com r7 + com r8 + com r9 + ldi r24,255 + lsr r10 + rol r24 + eor r6,r24 + movw r12,r6 + movw r14,r8 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r6 + and r13,r7 + and r14,r8 + and r15,r9 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + com r3 + com r4 + com r5 + ldi r24,255 + lsr r10 + rol r24 + eor r2,r24 + movw r12,r2 + movw r14,r4 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r2 + and r13,r3 + and r14,r4 + and r15,r5 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + com r7 + com r8 + com r9 + ldi r24,255 + lsr r10 + rol r24 + eor r6,r24 + movw r12,r6 + movw r14,r8 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r6 + and r13,r7 + and r14,r8 + 
and r15,r9 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + com r3 + com r4 + com r5 + ldi r24,255 + lsr r10 + rol r24 + eor r2,r24 + movw r12,r2 + movw r14,r4 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r2 + and r13,r3 + and r14,r4 + and r15,r5 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + com r7 + com r8 + com r9 + ldi r24,255 + lsr r10 + rol r24 + eor r6,r24 + movw r12,r6 + movw r14,r8 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r6 + and r13,r7 + and r14,r8 + and r15,r9 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + com r3 + com r4 + com r5 + ldi r24,255 + lsr r10 + rol r24 + eor r2,r24 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + com r12 + com r13 + com r14 + com r15 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Y+9 + ldd r19,Y+10 + ldd r20,Y+11 + ldd r21,Y+12 + com r18 + com r19 + com r20 + com r21 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + std Y+9,r2 + std Y+10,r3 + std Y+11,r4 + std Y+12,r5 + movw r2,r12 + movw r4,r14 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + com r13 + com r14 + com r15 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + eor r12,r10 + inc r30 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + std Y+5,r22 + std Y+6,r23 + std Y+7,r26 + std Y+8,r27 
+ ldd r22,Y+13 + ldd r23,Y+14 + ldd r26,Y+15 + ldd r27,Y+16 + com r23 + com r26 + com r27 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + eor r22,r10 + inc r30 + eor r22,r6 + eor r23,r7 + eor r26,r8 + eor r27,r9 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + movw r6,r12 + movw r8,r14 + ldi r25,72 + cpse r30,r25 + rjmp 52b +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + std Z+16,r21 + std Z+17,r20 + std Z+18,r19 + std Z+19,r18 + std Z+20,r27 + std Z+21,r26 + std Z+22,r23 + std Z+23,r22 + std Z+24,r5 + std Z+25,r4 + std Z+26,r3 + std Z+27,r2 + std Z+28,r9 + std Z+29,r8 + std Z+30,r7 + std Z+31,r6 + ldd r18,Y+1 + ldd r19,Y+2 + ldd r20,Y+3 + ldd r21,Y+4 + ldd r22,Y+5 + ldd r23,Y+6 + ldd r26,Y+7 + ldd r27,Y+8 + ldd r2,Y+9 + ldd r3,Y+10 + ldd r4,Y+11 + ldd r5,Y+12 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + st Z,r21 + std Z+1,r20 + std Z+2,r19 + std Z+3,r18 + std Z+4,r27 + std Z+5,r26 + std Z+6,r23 + std Z+7,r22 + std Z+8,r5 + std Z+9,r4 + std Z+10,r3 + std Z+11,r2 + std Z+12,r9 + std Z+13,r8 + std Z+14,r7 + std Z+15,r6 + adiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r15 + pop r14 + pop r13 + pop r12 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sliscp_light256_permute_spoc, .-sliscp_light256_permute_spoc + + .text +.global sliscp_light256_swap_spoc + .type sliscp_light256_swap_spoc, @function +sliscp_light256_swap_spoc: + movw r30,r24 +.L__stack_usage = 2 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + std Z+8,r22 + std Z+9,r23 + std Z+10,r26 + std Z+11,r27 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r26,Z+22 + ldd 
r27,Z+23 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + std Z+12,r22 + std Z+13,r23 + std Z+14,r26 + std Z+15,r27 + ret + .size sliscp_light256_swap_spoc, .-sliscp_light256_swap_spoc + +#endif diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.c b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.c index 69b4519..dd3a688 100644 --- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.c +++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.c @@ -22,6 +22,8 @@ #include "internal-sliscp-light.h" +#if !defined(__AVR__) + /** * \brief Performs one round of the Simeck-64 block cipher. * @@ -173,11 +175,12 @@ void sliscp_light256_swap_spix(unsigned char block[32]) le_store_word32(block + 12, t2); } -void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds) +void sliscp_light256_permute_spoc(unsigned char block[32]) { const unsigned char *rc = sliscp_light256_RC; uint32_t x0, x1, x2, x3, x4, x5, x6, x7; uint32_t t0, t1; + unsigned round; /* Load the block into local state variables */ x0 = be_load_word32(block); @@ -190,7 +193,7 @@ void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds) x7 = be_load_word32(block + 28); /* Perform all permutation rounds */ - for (; rounds > 0; --rounds, rc += 4) { + for (round = 0; round < 18; ++round, rc += 4) { /* Apply Simeck-64 to two of the 64-bit sub-blocks */ simeck64_box(x2, x3, rc[0]); simeck64_box(x6, x7, rc[1]); @@ -406,3 +409,5 @@ void sliscp_light320_swap(unsigned char block[40]) le_store_word32(block + 16, t1); le_store_word32(block + 4, t2); } + +#endif /* !__AVR__ */ diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.h b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.h index fa6b9ba..8a5e8d5 100644 
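Review bot: The `#if !defined(__AVR__)` guard added at the top of internal-sliscp-light.c compiles out every C function in the file on AVR, not only the ones the new assembly files in this directory replace (the added .S files visibly define `sliscp_light192_permute`, `sliscp_light256_permute_spoc` and `sliscp_light256_swap_spoc`), so any AVR reference to the other permutations or swap helpers in this file becomes an unresolved symbol at link time unless matching assembly exists elsewhere, which I cannot see from here. Guarding per function would be safer, or at least record the contract next to the guard: `/* On AVR every function in this file must have an assembly counterpart in internal-sliscp-*-avr.S; keep both in sync and covered by the KATs. */`. The loop in `sliscp_light256_permute_spoc` now fixes the round count with a bare `18`, while the assembly version expresses the same thing as a 72-byte constant table consumed 4 bytes per round; a named constant such as `#define SLISCP_LIGHT256_ROUNDS 18` would make that relationship explicit in both places. The body of `sliscp_light256_permute_spoc` starts and ends outside the hunk.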
--- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.h
+++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-sliscp-light.h
@@ -92,7 +92,6 @@ void sliscp_light256_swap_spix(unsigned char block[32]);
 * \brief Performs the sLiSCP-light permutation on a 256-bit block.
 *
 * \param block Points to the block to be permuted.
- * \param rounds Number of rounds to be performed, usually 9 or 18.
 *
 * The bytes of the block are assumed to be rearranged to match the
 * requirements of the SpoC-128 cipher. SpoC-128 interleaves the
@@ -112,7 +111,7 @@ void sliscp_light256_swap_spix(unsigned char block[32]);
 *
 * \sa sliscp_light256_swap_spoc()
 */
-void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds);
+void sliscp_light256_permute_spoc(unsigned char block[32]);
 /**
 * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SpoC-128.
diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-util.h b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-util.h
+++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
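Review bot: The header comment for `sliscp_light256_permute_spoc` drops the `\param rounds` line but adds nothing in its place, so a reader of the declaration can no longer tell how many rounds the function applies; the .c side hard-codes 18. Add a line after the `\param block` entry such as ` * The permutation always performs the full 18 rounds used by SpoC-128; the round count is no longer selectable.` The removed text mentioned 9 as a usual value, so any caller that relied on a 9-round variant would now silently get 18 rounds; a sentence saying that the reduced-round form is not provided by this function would help anyone porting code against this API.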
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.c b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.c
index 1af7d59..92ee233 100644
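Review bot: Every composed macro in this hunk encodes a hand-derived identity (for example `leftRotate12` is a rotate-left-by-16 followed by four rotate-right-by-1 steps), and a slip in any one of them would neither fail to compile nor crash — it would silently change the permutation output on AVR only, the one target that does not also build the generic path for comparison. I walked the 31 left rotations and the 31 right-rotation aliases and they are arithmetically consistent, but that property should be pinned by a test rather than a review: a small self-test that evaluates each `leftRotateN(x)` and `rightRotateN(x)` against `leftRotate(x, N)` and `rightRotate(x, N)` for a few x values (the generic forms remain defined above the `#if`), built on the host with `LW_CRYPTO_ROTATE32_COMPOSED` forced to 1, would catch any future edit. It is also worth noting in the block comment that these expansions are pure constant-count shifts and ORs, so nothing data-dependent is introduced relative to the generic rotates.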
--- a/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.c
+++ b/spoc/Implementations/crypto_aead/spoc128sliscplight256v1/rhys/spoc.c
@@ -106,7 +106,7 @@ static void spoc_128_init
 /* Absorb the associated data into the state */
 if (adlen != 0) {
 while (adlen >= SPOC_128_RATE) {
- sliscp_light256_permute_spoc(state, 18);
+ sliscp_light256_permute_spoc(state);
 lw_xor_block(state + 16, ad, SPOC_128_RATE);
 state[0] ^= 0x20; /* domain separation */
 ad += SPOC_128_RATE;
@@ -114,7 +114,7 @@ static void spoc_128_init
 }
 temp = (unsigned)adlen;
 if (temp > 0) {
- sliscp_light256_permute_spoc(state, 18);
+ sliscp_light256_permute_spoc(state);
 lw_xor_block(state + 16, ad, temp);
 state[temp + 16] ^= 0x80; /* padding */
 state[0] ^= 0x30; /* domain separation */
@@ -185,7 +185,7 @@ static void spoc_128_finalize
 {
 /* Pad and permute the state one more time */
 state[0] ^= 0x80;
- sliscp_light256_permute_spoc(state, 18);
+ sliscp_light256_permute_spoc(state);
 /* Copy out the authentication tag */
 memcpy(tag, state + 16, 16);
@@ -229,7 +229,7 @@ int spoc_128_aead_encrypt
 /* Encrypt the plaintext to produce the ciphertext */
 if (mlen != 0) {
 while (mlen >= SPOC_128_RATE) {
- sliscp_light256_permute_spoc(state, 18);
+ sliscp_light256_permute_spoc(state);
 lw_xor_block(state + 16, m, SPOC_128_RATE);
 lw_xor_block_2_src(c, m, state, SPOC_128_RATE);
 state[0] ^= 0x40; /* domain separation */
@@ -239,7 +239,7 @@ int spoc_128_aead_encrypt
 }
 if (mlen != 0) {
 unsigned temp = (unsigned)mlen;
- sliscp_light256_permute_spoc(state, 18);
+ sliscp_light256_permute_spoc(state);
 lw_xor_block(state + 16, m, temp);
 lw_xor_block_2_src(c, m, state, temp);
 state[temp + 16] ^= 0x80; /* padding */
@@ -277,7 +277,7 @@ int spoc_128_aead_decrypt
 clen -= SPOC_128_TAG_SIZE;
 if (clen != 0) {
 while (clen >= SPOC_128_RATE) {
- sliscp_light256_permute_spoc(state, 18);
+ sliscp_light256_permute_spoc(state);
 lw_xor_block_2_src(m, c, state, SPOC_128_RATE);
 lw_xor_block(state + 16, m, SPOC_128_RATE);
 state[0] ^= 0x40; /* domain separation */
@@ -287,7 +287,7 @@ int spoc_128_aead_decrypt
 }
 if (clen != 0) {
 unsigned temp = (unsigned)clen;
- sliscp_light256_permute_spoc(state, 18);
+ sliscp_light256_permute_spoc(state);
 lw_xor_block_2_src(m, c, state, temp);
 lw_xor_block(state + 16, m, temp);
 state[temp + 16] ^= 0x80; /* padding */
diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/aead-common.c b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/aead-common.h b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/api.h b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/api.h deleted file mode 100644 index 4bf8f5c..0000000 --- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 8 -#define CRYPTO_NOOVERLAP 1 diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/encrypt.c b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/encrypt.c deleted file mode 100644 index f8dd710..0000000 --- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@ - -#include "spoc.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return spoc_64_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return spoc_64_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-sliscp-192-avr.S b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-sliscp-192-avr.S deleted file mode 100644 index 5860b14..0000000 --- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-sliscp-192-avr.S +++ /dev/null 
@@ -1,794 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 72 -table_0: - .byte 7 - .byte 39 - .byte 8 - .byte 41 - .byte 4 - .byte 52 - .byte 12 - .byte 29 - .byte 6 - .byte 46 - .byte 10 - .byte 51 - .byte 37 - .byte 25 - .byte 47 - .byte 42 - .byte 23 - .byte 53 - .byte 56 - .byte 31 - .byte 28 - .byte 15 - .byte 36 - .byte 16 - .byte 18 - .byte 8 - .byte 54 - .byte 24 - .byte 59 - .byte 12 - .byte 13 - .byte 20 - .byte 38 - .byte 10 - .byte 43 - .byte 30 - .byte 21 - .byte 47 - .byte 62 - .byte 49 - .byte 63 - .byte 56 - .byte 1 - .byte 9 - .byte 32 - .byte 36 - .byte 33 - .byte 45 - .byte 48 - .byte 54 - .byte 17 - .byte 27 - .byte 40 - .byte 13 - .byte 57 - .byte 22 - .byte 60 - .byte 43 - .byte 5 - .byte 61 - .byte 34 - .byte 62 - .byte 39 - .byte 3 - .byte 19 - .byte 1 - .byte 52 - .byte 2 - .byte 26 - .byte 33 - .byte 46 - .byte 35 - - .text -.global sliscp_light192_permute - .type sliscp_light192_permute, @function -sliscp_light192_permute: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 -.L__stack_usage = 18 - ld r20,Z - ldd r19,Z+1 - ldd r18,Z+2 - ldd r21,Z+3 - ldd r23,Z+4 - ldd r22,Z+5 - ldd r28,Z+6 - ldd r27,Z+7 - ldd r26,Z+8 - ldd r29,Z+9 - ldd r3,Z+10 - ldd r2,Z+11 - ldd r6,Z+12 - ldd r5,Z+13 - ldd r4,Z+14 - ldd r7,Z+15 - ldd r9,Z+16 - ldd r8,Z+17 - ldd r12,Z+18 - ldd r11,Z+19 - ldd r10,Z+20 - ldd r13,Z+21 - ldd r15,Z+22 - ldd r14,Z+23 - push r31 - push r30 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r24,0 -28: - mov r30,r24 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z 
-#else - lpm - mov r25,r0 -#endif - inc r24 - movw r16,r26 - mov r1,r28 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r2,r16 - eor r3,r17 - eor r29,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r26 - and r17,r27 - and r1,r28 - eor r2,r16 - eor r3,r17 - eor r29,r1 - com r3 - com r29 - ldi r16,255 - lsr r25 - rol r16 - eor r2,r16 - movw r16,r2 - mov r1,r29 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r26,r16 - eor r27,r17 - eor r28,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r2 - and r17,r3 - and r1,r29 - eor r26,r16 - eor r27,r17 - eor r28,r1 - com r27 - com r28 - ldi r16,255 - lsr r25 - rol r16 - eor r26,r16 - movw r16,r26 - mov r1,r28 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r2,r16 - eor r3,r17 - eor r29,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r26 - and r17,r27 - and r1,r28 - eor r2,r16 - eor r3,r17 - eor r29,r1 - com r3 - com r29 - ldi r16,255 - lsr r25 - rol r16 - eor r2,r16 - movw r16,r2 - mov r1,r29 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r26,r16 - eor r27,r17 - eor r28,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r2 - and r17,r3 - and r1,r29 - eor r26,r16 - eor r27,r17 - eor r28,r1 - com r27 - com r28 - ldi r16,255 - lsr r25 - rol r16 - eor r26,r16 - movw r16,r26 - mov r1,r28 - bst r1,7 - lsl r16 - rol 
r17 - rol r1 - bld r16,0 - eor r2,r16 - eor r3,r17 - eor r29,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r26 - and r17,r27 - and r1,r28 - eor r2,r16 - eor r3,r17 - eor r29,r1 - com r3 - com r29 - ldi r16,255 - lsr r25 - rol r16 - eor r2,r16 - movw r16,r2 - mov r1,r29 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r26,r16 - eor r27,r17 - eor r28,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r2 - and r17,r3 - and r1,r29 - eor r26,r16 - eor r27,r17 - eor r28,r1 - com r27 - com r28 - ldi r16,255 - lsr r25 - rol r16 - eor r26,r16 - mov r30,r24 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - inc r24 - movw r16,r10 - mov r1,r12 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r14,r16 - eor r15,r17 - eor r13,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r10 - and r17,r11 - and r1,r12 - eor r14,r16 - eor r15,r17 - eor r13,r1 - com r15 - com r13 - ldi r16,255 - lsr r25 - rol r16 - eor r14,r16 - movw r16,r14 - mov r1,r13 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r10,r16 - eor r11,r17 - eor r12,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r14 - and r17,r15 - and r1,r13 - eor r10,r16 - eor r11,r17 - eor r12,r1 - com r11 - com r12 - ldi r16,255 - 
lsr r25 - rol r16 - eor r10,r16 - movw r16,r10 - mov r1,r12 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r14,r16 - eor r15,r17 - eor r13,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r10 - and r17,r11 - and r1,r12 - eor r14,r16 - eor r15,r17 - eor r13,r1 - com r15 - com r13 - ldi r16,255 - lsr r25 - rol r16 - eor r14,r16 - movw r16,r14 - mov r1,r13 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r10,r16 - eor r11,r17 - eor r12,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r14 - and r17,r15 - and r1,r13 - eor r10,r16 - eor r11,r17 - eor r12,r1 - com r11 - com r12 - ldi r16,255 - lsr r25 - rol r16 - eor r10,r16 - movw r16,r10 - mov r1,r12 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r14,r16 - eor r15,r17 - eor r13,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r10 - and r17,r11 - and r1,r12 - eor r14,r16 - eor r15,r17 - eor r13,r1 - com r15 - com r13 - ldi r16,255 - lsr r25 - rol r16 - eor r14,r16 - movw r16,r14 - mov r1,r13 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - eor r10,r16 - eor r11,r17 - eor r12,r1 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - bst r1,7 - lsl r16 - rol r17 - rol r1 - bld r16,0 - and r16,r14 - and r17,r15 - and r1,r13 - eor r10,r16 - eor r11,r17 - eor r12,r1 - com r11 - com r12 - ldi r16,255 - lsr r25 - rol r16 - eor r10,r16 - com r18 - com r19 - com r20 - com r23 - com r21 - 
mov r30,r24 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - eor r22,r25 - inc r24 - com r4 - com r5 - com r6 - com r9 - com r7 - mov r30,r24 -#if defined(RAMPZ) - elpm r25,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r25,Z -#elif defined(__AVR_TINY__) - ld r25,Z -#else - lpm - mov r25,r0 -#endif - eor r8,r25 - inc r24 - movw r16,r18 - mov r1,r20 - eor r16,r26 - eor r17,r27 - eor r1,r28 - movw r18,r26 - mov r20,r28 - movw r26,r4 - mov r28,r6 - eor r26,r10 - eor r27,r11 - eor r28,r12 - movw r4,r10 - mov r6,r12 - movw r10,r16 - mov r12,r1 - movw r16,r22 - mov r1,r21 - eor r16,r2 - eor r17,r3 - eor r1,r29 - movw r22,r2 - mov r21,r29 - movw r2,r8 - mov r29,r7 - eor r2,r14 - eor r3,r15 - eor r29,r13 - movw r8,r14 - mov r7,r13 - movw r14,r16 - mov r13,r1 - ldi r17,72 - cpse r24,r17 - rjmp 28b -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - st Z,r20 - std Z+1,r19 - std Z+2,r18 - std Z+3,r21 - std Z+4,r23 - std Z+5,r22 - std Z+6,r28 - std Z+7,r27 - std Z+8,r26 - std Z+9,r29 - std Z+10,r3 - std Z+11,r2 - std Z+12,r6 - std Z+13,r5 - std Z+14,r4 - std Z+15,r7 - std Z+16,r9 - std Z+17,r8 - std Z+18,r12 - std Z+19,r11 - std Z+20,r10 - std Z+21,r13 - std Z+22,r15 - std Z+23,r14 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - eor r1,r1 - ret - .size sliscp_light192_permute, .-sliscp_light192_permute - -#endif diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-sliscp-256-spoc-avr.S b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-sliscp-256-spoc-avr.S deleted file mode 100644 index 84925b4..0000000 --- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-sliscp-256-spoc-avr.S +++ /dev/null 
@@ -1,1142 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 72 -table_0: - .byte 15 - .byte 71 - .byte 8 - .byte 100 - .byte 4 - .byte 178 - .byte 134 - .byte 107 - .byte 67 - .byte 181 - .byte 226 - .byte 111 - .byte 241 - .byte 55 - .byte 137 - .byte 44 - .byte 68 - .byte 150 - .byte 230 - .byte 221 - .byte 115 - .byte 238 - .byte 202 - .byte 153 - .byte 229 - .byte 76 - .byte 23 - .byte 234 - .byte 11 - .byte 245 - .byte 142 - .byte 15 - .byte 71 - .byte 7 - .byte 100 - .byte 4 - .byte 178 - .byte 130 - .byte 107 - .byte 67 - .byte 181 - .byte 161 - .byte 111 - .byte 241 - .byte 55 - .byte 120 - .byte 44 - .byte 68 - .byte 150 - .byte 162 - .byte 221 - .byte 115 - .byte 238 - .byte 185 - .byte 153 - .byte 229 - .byte 76 - .byte 242 - .byte 234 - .byte 11 - .byte 245 - .byte 133 - .byte 15 - .byte 71 - .byte 7 - .byte 35 - .byte 4 - .byte 178 - .byte 130 - .byte 217 - .byte 67 - .byte 181 - - .text -.global sliscp_light256_permute_spoc - .type sliscp_light256_permute_spoc, @function -sliscp_light256_permute_spoc: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r12 - push r13 - push r14 - push r15 - movw r30,r24 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 31 - ld r21,Z - ldd r20,Z+1 - ldd r19,Z+2 - ldd r18,Z+3 - ldd r27,Z+4 - ldd r26,Z+5 - ldd r23,Z+6 - ldd r22,Z+7 - ldd r5,Z+8 - ldd r4,Z+9 - ldd r3,Z+10 - ldd r2,Z+11 - ldd r9,Z+12 - ldd r8,Z+13 - ldd r7,Z+14 - ldd r6,Z+15 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - std Y+5,r22 - std Y+6,r23 - std Y+7,r26 - std Y+8,r27 - std Y+9,r2 - std Y+10,r3 - std Y+11,r4 - std Y+12,r5 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - ldd r21,Z+16 - ldd r20,Z+17 - ldd r19,Z+18 - ldd r18,Z+19 - ldd r27,Z+20 - ldd r26,Z+21 - ldd 
r23,Z+22 - ldd r22,Z+23 - ldd r5,Z+24 - ldd r4,Z+25 - ldd r3,Z+26 - ldd r2,Z+27 - ldd r9,Z+28 - ldd r8,Z+29 - ldd r7,Z+30 - ldd r6,Z+31 - push r31 - push r30 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - mov r30,r1 -52: -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - inc r30 - movw r12,r18 - movw r14,r20 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r18 - and r13,r19 - and r14,r20 - and r15,r21 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - com r23 - com r26 - com r27 - ldi r24,255 - lsr r10 - rol r24 - eor r22,r24 - movw r12,r22 - movw r14,r26 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r22 - and r13,r23 - and r14,r26 - and r15,r27 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - com r19 - com r20 - com r21 - ldi r24,255 - lsr r10 - rol r24 - eor r18,r24 - movw r12,r18 - movw r14,r20 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r18 - and r13,r19 - and r14,r20 - and r15,r21 - eor 
r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - com r23 - com r26 - com r27 - ldi r24,255 - lsr r10 - rol r24 - eor r22,r24 - movw r12,r22 - movw r14,r26 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r22 - and r13,r23 - and r14,r26 - and r15,r27 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - com r19 - com r20 - com r21 - ldi r24,255 - lsr r10 - rol r24 - eor r18,r24 - movw r12,r18 - movw r14,r20 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r18 - and r13,r19 - and r14,r20 - and r15,r21 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - com r23 - com r26 - com r27 - ldi r24,255 - lsr r10 - rol r24 - eor r22,r24 - movw r12,r22 - movw r14,r26 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r22 - and r13,r23 - and r14,r26 - and r15,r27 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - com r19 - com r20 - com r21 - ldi r24,255 - lsr r10 - rol r24 - eor r18,r24 - movw r12,r18 - movw r14,r20 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - 
lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r18 - and r13,r19 - and r14,r20 - and r15,r21 - eor r22,r12 - eor r23,r13 - eor r26,r14 - eor r27,r15 - com r23 - com r26 - com r27 - ldi r24,255 - lsr r10 - rol r24 - eor r22,r24 - movw r12,r22 - movw r14,r26 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r22 - and r13,r23 - and r14,r26 - and r15,r27 - eor r18,r12 - eor r19,r13 - eor r20,r14 - eor r21,r15 - com r19 - com r20 - com r21 - ldi r24,255 - lsr r10 - rol r24 - eor r18,r24 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - inc r30 - movw r12,r2 - movw r14,r4 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r2 - and r13,r3 - and r14,r4 - and r15,r5 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - com r7 - com r8 - com r9 - ldi r24,255 - lsr r10 - rol r24 - eor r6,r24 - movw r12,r6 - movw r14,r8 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r6 - and r13,r7 - and r14,r8 - and r15,r9 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - com r3 - com r4 - com r5 - 
ldi r24,255 - lsr r10 - rol r24 - eor r2,r24 - movw r12,r2 - movw r14,r4 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r2 - and r13,r3 - and r14,r4 - and r15,r5 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - com r7 - com r8 - com r9 - ldi r24,255 - lsr r10 - rol r24 - eor r6,r24 - movw r12,r6 - movw r14,r8 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r6 - and r13,r7 - and r14,r8 - and r15,r9 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - com r3 - com r4 - com r5 - ldi r24,255 - lsr r10 - rol r24 - eor r2,r24 - movw r12,r2 - movw r14,r4 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r2 - and r13,r3 - and r14,r4 - and r15,r5 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - com r7 - com r8 - com r9 - ldi r24,255 - lsr r10 - rol r24 - eor r6,r24 - movw r12,r6 - movw r14,r8 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r6 - and r13,r7 - and r14,r8 - 
and r15,r9 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - com r3 - com r4 - com r5 - ldi r24,255 - lsr r10 - rol r24 - eor r2,r24 - movw r12,r2 - movw r14,r4 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r2 - and r13,r3 - and r14,r4 - and r15,r5 - eor r6,r12 - eor r7,r13 - eor r8,r14 - eor r9,r15 - com r7 - com r8 - com r9 - ldi r24,255 - lsr r10 - rol r24 - eor r6,r24 - movw r12,r6 - movw r14,r8 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - lsl r12 - rol r13 - rol r14 - rol r15 - adc r12,r1 - and r12,r6 - and r13,r7 - and r14,r8 - and r15,r9 - eor r2,r12 - eor r3,r13 - eor r4,r14 - eor r5,r15 - com r3 - com r4 - com r5 - ldi r24,255 - lsr r10 - rol r24 - eor r2,r24 - ldd r12,Y+1 - ldd r13,Y+2 - ldd r14,Y+3 - ldd r15,Y+4 - com r12 - com r13 - com r14 - com r15 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - std Y+1,r18 - std Y+2,r19 - std Y+3,r20 - std Y+4,r21 - ldd r18,Y+9 - ldd r19,Y+10 - ldd r20,Y+11 - ldd r21,Y+12 - com r18 - com r19 - com r20 - com r21 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - std Y+9,r2 - std Y+10,r3 - std Y+11,r4 - std Y+12,r5 - movw r2,r12 - movw r4,r14 - ldd r12,Y+5 - ldd r13,Y+6 - ldd r14,Y+7 - ldd r15,Y+8 - com r13 - com r14 - com r15 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - eor r12,r10 - inc r30 - eor r12,r22 - eor r13,r23 - eor r14,r26 - eor r15,r27 - std Y+5,r22 - std Y+6,r23 - std Y+7,r26 - std Y+8,r27 
- ldd r22,Y+13 - ldd r23,Y+14 - ldd r26,Y+15 - ldd r27,Y+16 - com r23 - com r26 - com r27 -#if defined(RAMPZ) - elpm r10,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r10,Z -#elif defined(__AVR_TINY__) - ld r10,Z -#else - lpm - mov r10,r0 -#endif - eor r22,r10 - inc r30 - eor r22,r6 - eor r23,r7 - eor r26,r8 - eor r27,r9 - std Y+13,r6 - std Y+14,r7 - std Y+15,r8 - std Y+16,r9 - movw r6,r12 - movw r8,r14 - ldi r25,72 - cpse r30,r25 - rjmp 52b -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - pop r30 - pop r31 - std Z+16,r21 - std Z+17,r20 - std Z+18,r19 - std Z+19,r18 - std Z+20,r27 - std Z+21,r26 - std Z+22,r23 - std Z+23,r22 - std Z+24,r5 - std Z+25,r4 - std Z+26,r3 - std Z+27,r2 - std Z+28,r9 - std Z+29,r8 - std Z+30,r7 - std Z+31,r6 - ldd r18,Y+1 - ldd r19,Y+2 - ldd r20,Y+3 - ldd r21,Y+4 - ldd r22,Y+5 - ldd r23,Y+6 - ldd r26,Y+7 - ldd r27,Y+8 - ldd r2,Y+9 - ldd r3,Y+10 - ldd r4,Y+11 - ldd r5,Y+12 - ldd r6,Y+13 - ldd r7,Y+14 - ldd r8,Y+15 - ldd r9,Y+16 - st Z,r21 - std Z+1,r20 - std Z+2,r19 - std Z+3,r18 - std Z+4,r27 - std Z+5,r26 - std Z+6,r23 - std Z+7,r22 - std Z+8,r5 - std Z+9,r4 - std Z+10,r3 - std Z+11,r2 - std Z+12,r9 - std Z+13,r8 - std Z+14,r7 - std Z+15,r6 - adiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r15 - pop r14 - pop r13 - pop r12 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size sliscp_light256_permute_spoc, .-sliscp_light256_permute_spoc - - .text -.global sliscp_light256_swap_spoc - .type sliscp_light256_swap_spoc, @function -sliscp_light256_swap_spoc: - movw r30,r24 -.L__stack_usage = 2 - ldd r18,Z+8 - ldd r19,Z+9 - ldd r20,Z+10 - ldd r21,Z+11 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r26,Z+18 - ldd r27,Z+19 - std Z+16,r18 - std Z+17,r19 - std Z+18,r20 - std Z+19,r21 - std Z+8,r22 - std Z+9,r23 - std Z+10,r26 - std Z+11,r27 - ldd r18,Z+12 - ldd r19,Z+13 - ldd r20,Z+14 - ldd r21,Z+15 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r26,Z+22 - ldd 
r27,Z+23
- std Z+20,r18
- std Z+21,r19
- std Z+22,r20
- std Z+23,r21
- std Z+12,r22
- std Z+13,r23
- std Z+14,r26
- std Z+15,r27
- ret
- .size sliscp_light256_swap_spoc, .-sliscp_light256_swap_spoc
-
-#endif
diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-sliscp-light.c b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-sliscp-light.c
deleted file mode 100644
index dd3a688..0000000
--- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-sliscp-light.c
+++ /dev/null
@@ -1,413 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-sliscp-light.h"
-
-#if !defined(__AVR__)
-
-/**
- * \brief Performs one round of the Simeck-64 block cipher.
- *
- * \param x Left half of the 64-bit block.
- * \param y Right half of the 64-bit block.
- */
-#define simeck64_round(x, y) \
- do { \
- (y) ^= (leftRotate5((x)) & (x)) ^ leftRotate1((x)) ^ \
- 0xFFFFFFFEU ^ (_rc & 1); \
- _rc >>= 1; \
- } while (0)
-
-/**
- * \brief Encrypts a 64-bit block with the 8 round version of Simeck-64.
- *
- * \param x Left half of the 64-bit block.
- * \param y Right half of the 64-bit block.
- * \param rc Round constants for the 8 rounds, 1 bit per round.
- *
- * It is assumed that the two halves have already been converted from
- * big-endian to host byte order before calling this function. The output
- * halves will also be in host byte order.
- */
-#define simeck64_box(x, y, rc) \
- do { \
- unsigned char _rc = (rc); \
- simeck64_round(x, y); /* Round 1 */ \
- simeck64_round(y, x); /* Round 2 */ \
- simeck64_round(x, y); /* Round 3 */ \
- simeck64_round(y, x); /* Round 4 */ \
- simeck64_round(x, y); /* Round 5 */ \
- simeck64_round(y, x); /* Round 6 */ \
- simeck64_round(x, y); /* Round 7 */ \
- simeck64_round(y, x); /* Round 8 */ \
- } while (0)
-
-/* Helper macros for 48-bit left rotations */
-#define leftRotate5_48(x) (((x) << 5) | ((x) >> 19))
-#define leftRotate1_48(x) (((x) << 1) | ((x) >> 23))
-
-/**
- * \brief Performs one round of the Simeck-48 block cipher.
- *
- * \param x Left half of the 48-bit block.
- * \param y Right half of the 48-bit block.
- */
-#define simeck48_round(x, y) \
- do { \
- (y) ^= (leftRotate5_48((x)) & (x)) ^ leftRotate1_48((x)) ^ \
- 0x00FFFFFEU ^ (_rc & 1); \
- (y) &= 0x00FFFFFFU; \
- _rc >>= 1; \
- } while (0)
-
-/**
- * \brief Encrypts a 48-bit block with the 6 round version of Simeck-48.
- *
- * \param x Left half of the 48-bit block.
- * \param y Right half of the 48-bit block.
- * \param rc Round constants for the 8 rounds, 1 bit per round.
- *
- * It is assumed that the two halves have already been converted from
- * big-endian to host byte order before calling this function. The output
- * halves will also be in host byte order.
- */
-#define simeck48_box(x, y, rc) \
- do { \
- unsigned char _rc = (rc); \
- simeck48_round(x, y); /* Round 1 */ \
- simeck48_round(y, x); /* Round 2 */ \
- simeck48_round(x, y); /* Round 3 */ \
- simeck48_round(y, x); /* Round 4 */ \
- simeck48_round(x, y); /* Round 5 */ \
- simeck48_round(y, x); /* Round 6 */ \
- } while (0)
-
-/* Interleaved rc0, rc1, sc0, and sc1 values for each round */
-static unsigned char const sliscp_light256_RC[18 * 4] = {
- 0x0f, 0x47, 0x08, 0x64, 0x04, 0xb2, 0x86, 0x6b,
- 0x43, 0xb5, 0xe2, 0x6f, 0xf1, 0x37, 0x89, 0x2c,
- 0x44, 0x96, 0xe6, 0xdd, 0x73, 0xee, 0xca, 0x99,
- 0xe5, 0x4c, 0x17, 0xea, 0x0b, 0xf5, 0x8e, 0x0f,
- 0x47, 0x07, 0x64, 0x04, 0xb2, 0x82, 0x6b, 0x43,
- 0xb5, 0xa1, 0x6f, 0xf1, 0x37, 0x78, 0x2c, 0x44,
- 0x96, 0xa2, 0xdd, 0x73, 0xee, 0xb9, 0x99, 0xe5,
- 0x4c, 0xf2, 0xea, 0x0b, 0xf5, 0x85, 0x0f, 0x47,
- 0x07, 0x23, 0x04, 0xb2, 0x82, 0xd9, 0x43, 0xb5
-};
-
-void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds)
-{
- const unsigned char *rc = sliscp_light256_RC;
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t t0, t1;
-
- /* Load the block into local state variables */
- x0 = be_load_word32(block);
- x1 = be_load_word32(block + 4);
- x2 = be_load_word32(block + 8);
- x3 = be_load_word32(block + 24); /* Assumes the block is pre-swapped */
- x4 = be_load_word32(block + 16);
- x5 = be_load_word32(block + 20);
- x6 = be_load_word32(block + 12);
- x7 = be_load_word32(block + 28);
-
- /* Perform all permutation rounds */
- for (; rounds > 0; --rounds, rc += 4) {
- /* Apply Simeck-64 to two of the 64-bit sub-blocks */
- simeck64_box(x2, x3, rc[0]);
- simeck64_box(x6, x7, rc[1]);
-
- /* Add step constants */
- x0 ^= 0xFFFFFFFFU;
- x1 ^= 0xFFFFFF00U ^ rc[2];
- x4 ^= 0xFFFFFFFFU;
- x5 ^= 0xFFFFFF00U ^ rc[3];
-
- /* Mix the sub-blocks */
- t0 = x0 ^ x2;
- t1 = x1 ^ x3;
- x0 = x2;
- x1 = x3;
- x2 = x4 ^ x6;
- x3 = x5 ^ x7;
- x4 = x6;
- x5 = x7;
- x6 = t0;
- x7 = t1;
- }
-
- /* Store the state back into the
block */
- be_store_word32(block, x0);
- be_store_word32(block + 4, x1);
- be_store_word32(block + 8, x2);
- be_store_word32(block + 24, x3); /* Assumes the block is pre-swapped */
- be_store_word32(block + 16, x4);
- be_store_word32(block + 20, x5);
- be_store_word32(block + 12, x6);
- be_store_word32(block + 28, x7);
-}
-
-void sliscp_light256_swap_spix(unsigned char block[32])
-{
- uint32_t t1, t2;
- t1 = le_load_word32(block + 12);
- t2 = le_load_word32(block + 24);
- le_store_word32(block + 24, t1);
- le_store_word32(block + 12, t2);
-}
-
-void sliscp_light256_permute_spoc(unsigned char block[32])
-{
- const unsigned char *rc = sliscp_light256_RC;
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t t0, t1;
- unsigned round;
-
- /* Load the block into local state variables */
- x0 = be_load_word32(block);
- x1 = be_load_word32(block + 4);
- x2 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */
- x3 = be_load_word32(block + 20);
- x4 = be_load_word32(block + 8);
- x5 = be_load_word32(block + 12);
- x6 = be_load_word32(block + 24);
- x7 = be_load_word32(block + 28);
-
- /* Perform all permutation rounds */
- for (round = 0; round < 18; ++round, rc += 4) {
- /* Apply Simeck-64 to two of the 64-bit sub-blocks */
- simeck64_box(x2, x3, rc[0]);
- simeck64_box(x6, x7, rc[1]);
-
- /* Add step constants */
- x0 ^= 0xFFFFFFFFU;
- x1 ^= 0xFFFFFF00U ^ rc[2];
- x4 ^= 0xFFFFFFFFU;
- x5 ^= 0xFFFFFF00U ^ rc[3];
-
- /* Mix the sub-blocks */
- t0 = x0 ^ x2;
- t1 = x1 ^ x3;
- x0 = x2;
- x1 = x3;
- x2 = x4 ^ x6;
- x3 = x5 ^ x7;
- x4 = x6;
- x5 = x7;
- x6 = t0;
- x7 = t1;
- }
-
- /* Store the state back into the block */
- be_store_word32(block, x0);
- be_store_word32(block + 4, x1);
- be_store_word32(block + 16, x2); /* Assumes the block is pre-swapped */
- be_store_word32(block + 20, x3);
- be_store_word32(block + 8, x4);
- be_store_word32(block + 12, x5);
- be_store_word32(block + 24, x6);
- be_store_word32(block + 28, x7);
-}
-
-void
sliscp_light256_swap_spoc(unsigned char block[32])
-{
- uint64_t t1, t2;
- t1 = le_load_word64(block + 8);
- t2 = le_load_word64(block + 16);
- le_store_word64(block + 16, t1);
- le_store_word64(block + 8, t2);
-}
-
-/* Load a big-endian 24-bit word from a byte buffer */
-#define be_load_word24(ptr) \
- ((((uint32_t)((ptr)[0])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[2])))
-
-/* Store a big-endian 24-bit word into a byte buffer */
-#define be_store_word24(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 16); \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)_x; \
- } while (0)
-
-void sliscp_light192_permute(unsigned char block[24])
-{
- /* Interleaved rc0, rc1, sc0, and sc1 values for each round */
- static unsigned char const RC[18 * 4] = {
- 0x07, 0x27, 0x08, 0x29, 0x04, 0x34, 0x0c, 0x1d,
- 0x06, 0x2e, 0x0a, 0x33, 0x25, 0x19, 0x2f, 0x2a,
- 0x17, 0x35, 0x38, 0x1f, 0x1c, 0x0f, 0x24, 0x10,
- 0x12, 0x08, 0x36, 0x18, 0x3b, 0x0c, 0x0d, 0x14,
- 0x26, 0x0a, 0x2b, 0x1e, 0x15, 0x2f, 0x3e, 0x31,
- 0x3f, 0x38, 0x01, 0x09, 0x20, 0x24, 0x21, 0x2d,
- 0x30, 0x36, 0x11, 0x1b, 0x28, 0x0d, 0x39, 0x16,
- 0x3c, 0x2b, 0x05, 0x3d, 0x22, 0x3e, 0x27, 0x03,
- 0x13, 0x01, 0x34, 0x02, 0x1a, 0x21, 0x2e, 0x23
- };
- const unsigned char *rc = RC;
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t t0, t1;
- unsigned round;
-
- /* Load the block into local state variables.
Each 24-bit block is
- * placed into a separate 32-bit word which improves efficiency below */
- x0 = be_load_word24(block);
- x1 = be_load_word24(block + 3);
- x2 = be_load_word24(block + 6);
- x3 = be_load_word24(block + 9);
- x4 = be_load_word24(block + 12);
- x5 = be_load_word24(block + 15);
- x6 = be_load_word24(block + 18);
- x7 = be_load_word24(block + 21);
-
- /* Perform all permutation rounds */
- for (round = 0; round < 18; ++round, rc += 4) {
- /* Apply Simeck-48 to two of the 48-bit sub-blocks */
- simeck48_box(x2, x3, rc[0]);
- simeck48_box(x6, x7, rc[1]);
-
- /* Add step constants */
- x0 ^= 0x00FFFFFFU;
- x1 ^= 0x00FFFF00U ^ rc[2];
- x4 ^= 0x00FFFFFFU;
- x5 ^= 0x00FFFF00U ^ rc[3];
-
- /* Mix the sub-blocks */
- t0 = x0 ^ x2;
- t1 = x1 ^ x3;
- x0 = x2;
- x1 = x3;
- x2 = x4 ^ x6;
- x3 = x5 ^ x7;
- x4 = x6;
- x5 = x7;
- x6 = t0;
- x7 = t1;
- }
-
- /* Store the state back into the block */
- be_store_word24(block, x0);
- be_store_word24(block + 3, x1);
- be_store_word24(block + 6, x2);
- be_store_word24(block + 9, x3);
- be_store_word24(block + 12, x4);
- be_store_word24(block + 15, x5);
- be_store_word24(block + 18, x6);
- be_store_word24(block + 21, x7);
-}
-
-void sliscp_light320_permute(unsigned char block[40])
-{
- /* Interleaved rc0, rc1, rc2, sc0, sc1, and sc2 values for each round */
- static unsigned char const RC[16 * 6] = {
- 0x07, 0x53, 0x43, 0x50, 0x28, 0x14, 0x0a, 0x5d,
- 0xe4, 0x5c, 0xae, 0x57, 0x9b, 0x49, 0x5e, 0x91,
- 0x48, 0x24, 0xe0, 0x7f, 0xcc, 0x8d, 0xc6, 0x63,
- 0xd1, 0xbe, 0x32, 0x53, 0xa9, 0x54, 0x1a, 0x1d,
- 0x4e, 0x60, 0x30, 0x18, 0x22, 0x28, 0x75, 0x68,
- 0x34, 0x9a, 0xf7, 0x6c, 0x25, 0xe1, 0x70, 0x38,
- 0x62, 0x82, 0xfd, 0xf6, 0x7b, 0xbd, 0x96, 0x47,
- 0xf9, 0x9d, 0xce, 0x67, 0x71, 0x6b, 0x76, 0x40,
- 0x20, 0x10, 0xaa, 0x88, 0xa0, 0x4f, 0x27, 0x13,
- 0x2b, 0xdc, 0xb0, 0xbe, 0x5f, 0x2f, 0xe9, 0x8b,
- 0x09, 0x5b, 0xad, 0xd6, 0xcf, 0x59, 0x1e, 0xe9,
- 0x74, 0xba, 0xb7, 0xc6, 0xad, 0x7f, 0x3f, 0x1f
- };
- const unsigned char *rc =
RC;
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9;
- uint32_t t0, t1;
- unsigned round;
-
- /* Load the block into local state variables */
- x0 = be_load_word32(block);
- x1 = be_load_word32(block + 16); /* Assumes the block is pre-swapped */
- x2 = be_load_word32(block + 8);
- x3 = be_load_word32(block + 12);
- x4 = be_load_word32(block + 4);
- x5 = be_load_word32(block + 20);
- x6 = be_load_word32(block + 24);
- x7 = be_load_word32(block + 28);
- x8 = be_load_word32(block + 32);
- x9 = be_load_word32(block + 36);
-
- /* Perform all permutation rounds */
- for (round = 0; round < 16; ++round, rc += 6) {
- /* Apply Simeck-64 to three of the 64-bit sub-blocks */
- simeck64_box(x0, x1, rc[0]);
- simeck64_box(x4, x5, rc[1]);
- simeck64_box(x8, x9, rc[2]);
- x6 ^= x8;
- x7 ^= x9;
- x2 ^= x4;
- x3 ^= x5;
- x8 ^= x0;
- x9 ^= x1;
-
- /* Add step constants */
- x2 ^= 0xFFFFFFFFU;
- x3 ^= 0xFFFFFF00U ^ rc[3];
- x6 ^= 0xFFFFFFFFU;
- x7 ^= 0xFFFFFF00U ^ rc[4];
- x8 ^= 0xFFFFFFFFU;
- x9 ^= 0xFFFFFF00U ^ rc[5];
-
- /* Rotate the sub-blocks */
- t0 = x8;
- t1 = x9;
- x8 = x2;
- x9 = x3;
- x2 = x4;
- x3 = x5;
- x4 = x0;
- x5 = x1;
- x0 = x6;
- x1 = x7;
- x6 = t0;
- x7 = t1;
- }
-
- /* Store the state back into the block */
- be_store_word32(block, x0);
- be_store_word32(block + 16, x1); /* Assumes the block is pre-swapped */
- be_store_word32(block + 8, x2);
- be_store_word32(block + 12, x3);
- be_store_word32(block + 4, x4);
- be_store_word32(block + 20, x5);
- be_store_word32(block + 24, x6);
- be_store_word32(block + 28, x7);
- be_store_word32(block + 32, x8);
- be_store_word32(block + 36, x9);
-}
-
-void sliscp_light320_swap(unsigned char block[40])
-{
- uint32_t t1, t2;
- t1 = le_load_word32(block + 4);
- t2 = le_load_word32(block + 16);
- le_store_word32(block + 16, t1);
- le_store_word32(block + 4, t2);
-}
-
-#endif /* !__AVR__ */
diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-sliscp-light.h b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-sliscp-light.h
deleted file mode 100644
index 8a5e8d5..0000000
--- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-sliscp-light.h
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SLISCP_LIGHT_H
-#define LW_INTERNAL_SLISCP_LIGHT_H
-
-/**
- * \file internal-sliscp-light.h
- * \brief sLiSCP-light permutation
- *
- * There are three variants of sLiSCP-light in use in the NIST submissions:
- *
- * \li sLiSCP-light-256 with a 256-bit block size, used in SPIX and SpoC.
- * \li sLiSCP-light-192 with a 192-bit block size, used in SpoC.
- * \li sLiSCP-light-320 with a 320-bit block size, used in ACE.
- *
- * References: https://uwaterloo.ca/communications-security-lab/lwc/ace,
- * https://uwaterloo.ca/communications-security-lab/lwc/spix,
- * https://uwaterloo.ca/communications-security-lab/lwc/spoc
- */
-
-#include "internal-util.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the state for sLiSCP-light-256.
- */
-#define SLISCP_LIGHT256_STATE_SIZE 32
-
-/**
- * \brief Size of the state for sLiSCP-light-192.
- */
-#define SLISCP_LIGHT192_STATE_SIZE 24
-
-/**
- * \brief Size of the state for sLiSCP-light-320.
- */
-#define SLISCP_LIGHT320_STATE_SIZE 40
-
-/**
- * \brief Performs the sLiSCP-light permutation on a 256-bit block.
- *
- * \param block Points to the block to be permuted.
- * \param rounds Number of rounds to be performed, usually 9 or 18.
- *
- * The bytes of the block are assumed to be rearranged to match the
- * requirements of the SPIX cipher. SPIX places the rate bytes at
- * positions 8, 9, 10, 11, 24, 25, 26, and 27.
- *
- * This function assumes that bytes 24-27 have been pre-swapped with
- * bytes 12-15 so that the rate portion of the state is contiguous.
- *
- * The sliscp_light256_swap_spix() function can be used to switch
- * between the canonical order and the pre-swapped order.
- *
- * \sa sliscp_light256_swap_spix()
- */
-void sliscp_light256_permute_spix(unsigned char block[32], unsigned rounds);
-
-/**
- * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SPIX.
- *
- * \param block Points to the block to be rate-swapped.
- *
- * \sa sliscp_light256_permute_spix()
- */
-void sliscp_light256_swap_spix(unsigned char block[32]);
-
-/**
- * \brief Performs the sLiSCP-light permutation on a 256-bit block.
- *
- * \param block Points to the block to be permuted.
- *
- * The bytes of the block are assumed to be rearranged to match the
- * requirements of the SpoC-128 cipher. SpoC-128 interleaves the
- * rate bytes and the mask bytes. This version assumes that the
- * rate and mask are in contiguous bytes of the state.
- *
- * SpoC-128 absorbs bytes using the mask bytes of the state at offsets
- * 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, and 31.
- * It squeezes bytes using the rate bytes of the state at offsets
- * 0, 1, 2, 3, 4, 5, 6, 7, 16, 17, 18, 19, 20, 21, 22, and 23.
- *
- * This function assumes that bytes 8-15 have been pre-swapped with 16-23
- * so that the rate and mask portions of the state are contiguous.
- *
- * The sliscp_light256_swap_spoc() function can be used to switch
- * between the canonical order and the pre-swapped order.
- *
- * \sa sliscp_light256_swap_spoc()
- */
-void sliscp_light256_permute_spoc(unsigned char block[32]);
-
-/**
- * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SpoC-128.
- *
- * \param block Points to the block to be rate-swapped.
- *
- * \sa sliscp_light256_permute_spoc()
- */
-void sliscp_light256_swap_spoc(unsigned char block[32]);
-
-/**
- * \brief Performs the sLiSCP-light permutation on a 192-bit block.
- *
- * \param block Points to the block to be permuted.
- */
-void sliscp_light192_permute(unsigned char block[24]);
-
-/**
- * \brief Performs the sLiSCP-light permutation on a 320-bit block.
- *
- * \param block Points to the block to be permuted.
- *
- * The ACE specification refers to this permutation as "ACE" but that
- * can be confused with the name of the AEAD mode so we call this
- * permutation "sLiSCP-light-320" instead.
- *
- * ACE absorbs and squeezes data at the rate bytes 0, 1, 2, 3, 16, 17, 18, 19.
- * Efficiency can suffer because of the discontinuity in rate byte positions.
- *
- * To counteract this, we assume that the input to the permutation has been
- * pre-swapped: bytes 4, 5, 6, 7 are swapped with bytes 16, 17, 18, 19 so
- * that the rate is contiguous at the start of the state.
- *
- * The sliscp_light320_swap() function can be used to switch between the
- * canonical order and the pre-swapped order.
- *
- * \sa sliscp_light320_swap()
- */
-void sliscp_light320_permute(unsigned char block[40]);
-
-/**
- * \brief Swaps rate bytes in a sLiSCP-light 320-bit block.
- *
- * \param block Points to the block to be rate-swapped.
- *
- * \sa sliscp_light320_permute()
- */
-void sliscp_light320_swap(unsigned char block[40]);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-util.h b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
-
(((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
-
do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time.
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/spoc.c b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/spoc.c deleted file mode 100644 index 92ee233..0000000 --- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/spoc.c +++ /dev/null 
@@ -1,406 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "spoc.h" -#include "internal-sliscp-light.h" -#include "internal-util.h" -#include - -/** - * \brief Size of the state for the internal sLiSCP-light-256 permutation. - */ -#define SPOC_128_STATE_SIZE SLISCP_LIGHT256_STATE_SIZE - -/** - * \brief Rate for absorbing data into the sLiSCP-light-256 state and for - * squeezing data out again. - */ -#define SPOC_128_RATE 16 - -/** - * \brief Size of the state for the internal sLiSCP-light-192 permutation. - */ -#define SPOC_64_STATE_SIZE SLISCP_LIGHT192_STATE_SIZE - -/** - * \brief Rate for absorbing data into the sLiSCP-light-192 state and for - * squeezing data out again. 
- */ -#define SPOC_64_RATE 8 - -aead_cipher_t const spoc_128_cipher = { - "SpoC-128", - SPOC_KEY_SIZE, - SPOC_NONCE_SIZE, - SPOC_128_TAG_SIZE, - AEAD_FLAG_NONE, - spoc_128_aead_encrypt, - spoc_128_aead_decrypt -}; - -aead_cipher_t const spoc_64_cipher = { - "SpoC-64", - SPOC_KEY_SIZE, - SPOC_NONCE_SIZE, - SPOC_64_TAG_SIZE, - AEAD_FLAG_NONE, - spoc_64_aead_encrypt, - spoc_64_aead_decrypt -}; - -/* Indices of where a rate byte is located to help with padding */ -/* -static unsigned char const spoc_128_rate_posn[16] = { - 0, 1, 2, 3, 4, 5, 6, 7, 16, 17, 18, 19, 20, 21, 22, 23 -}; -static unsigned char const spoc_128_mask_posn[16] = { - 8, 9, 10, 11, 12, 13, 14, 15, 24, 25, 26, 27, 28, 29, 30, 31 -}; -*/ -static unsigned char const spoc_64_rate_posn[8] = { - 0, 1, 2, 3, 12, 13, 14, 15 -}; -static unsigned char const spoc_64_mask_posn[8] = { - 6, 7, 8, 9, 18, 19, 20, 21 -}; - -/** - * \brief Initializes the SpoC-128 state. - * - * \param state sLiSCP-light-256 permutation state. - * \param k Points to the 128-bit key. - * \param npub Points to the 128-bit nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. 
- */ -static void spoc_128_init - (unsigned char state[SPOC_128_STATE_SIZE], - const unsigned char *k, const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned temp; - - /* Initialize the state by combining the key and nonce */ - memcpy(state, npub, 16); - memcpy(state + 16, k, 16); - - /* Absorb the associated data into the state */ - if (adlen != 0) { - while (adlen >= SPOC_128_RATE) { - sliscp_light256_permute_spoc(state); - lw_xor_block(state + 16, ad, SPOC_128_RATE); - state[0] ^= 0x20; /* domain separation */ - ad += SPOC_128_RATE; - adlen -= SPOC_128_RATE; - } - temp = (unsigned)adlen; - if (temp > 0) { - sliscp_light256_permute_spoc(state); - lw_xor_block(state + 16, ad, temp); - state[temp + 16] ^= 0x80; /* padding */ - state[0] ^= 0x30; /* domain separation */ - } - } -} - -/** - * \brief Initializes the SpoC-64 state. - * - * \param state sLiSCP-light-192 permutation state. - * \param k Points to the 128-bit key. - * \param npub Points to the 128-bit nonce. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. 
- */ -static void spoc_64_init - (unsigned char state[SPOC_64_STATE_SIZE], - const unsigned char *k, const unsigned char *npub, - const unsigned char *ad, unsigned long long adlen) -{ - unsigned temp; - - /* Initialize the state by interleaving the key and nonce */ - memcpy(state, npub, 4); - state[4] = k[6]; - state[5] = k[7]; - memcpy(state + 6, k, 6); - memcpy(state + 12, npub + 4, 4); - state[16] = k[14]; - state[17] = k[15]; - memcpy(state + 18, k + 8, 6); - sliscp_light192_permute(state); - lw_xor_block(state + 6, npub + 8, 4); - lw_xor_block(state + 18, npub + 12, 4); - - /* Absorb the associated data into the state */ - if (adlen != 0) { - while (adlen >= SPOC_64_RATE) { - sliscp_light192_permute(state); - lw_xor_block(state + 6, ad, 4); - lw_xor_block(state + 18, ad + 4, 4); - state[0] ^= 0x20; /* domain separation */ - ad += SPOC_64_RATE; - adlen -= SPOC_64_RATE; - } - temp = (unsigned)adlen; - if (temp > 0) { - sliscp_light192_permute(state); - state[spoc_64_mask_posn[temp]] ^= 0x80; /* padding */ - state[0] ^= 0x30; /* domain separation */ - while (temp > 0) { - --temp; - state[spoc_64_mask_posn[temp]] ^= ad[temp]; - } - } - } -} - -/** - * \brief Finalizes the SpoC-128 encryption or decryption operation. - * - * \param state sLiSCP-light-256 permutation state. - * \param tag Points to the 16 byte buffer to receive the computed tag. - */ -static void spoc_128_finalize - (unsigned char state[SPOC_128_STATE_SIZE], unsigned char *tag) -{ - /* Pad and permute the state one more time */ - state[0] ^= 0x80; - sliscp_light256_permute_spoc(state); - - /* Copy out the authentication tag */ - memcpy(tag, state + 16, 16); -} - -/** - * \brief Finalizes the SpoC-64 encryption or decryption operation. - * - * \param state sLiSCP-light-192 permutation state. - * \param tag Points to the 16 byte buffer to receive the computed tag. 
- */ -static void spoc_64_finalize - (unsigned char state[SPOC_64_STATE_SIZE], unsigned char *tag) -{ - /* Pad and permute the state one more time */ - state[0] ^= 0x80; - sliscp_light192_permute(state); - - /* Copy out the authentication tag */ - memcpy(tag, state + 6, 4); - memcpy(tag + 4, state + 18, 4); -} - -int spoc_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[SPOC_128_STATE_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SPOC_128_TAG_SIZE; - - /* Initialize the SpoC-128 state and absorb the associated data */ - spoc_128_init(state, k, npub, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen != 0) { - while (mlen >= SPOC_128_RATE) { - sliscp_light256_permute_spoc(state); - lw_xor_block(state + 16, m, SPOC_128_RATE); - lw_xor_block_2_src(c, m, state, SPOC_128_RATE); - state[0] ^= 0x40; /* domain separation */ - c += SPOC_128_RATE; - m += SPOC_128_RATE; - mlen -= SPOC_128_RATE; - } - if (mlen != 0) { - unsigned temp = (unsigned)mlen; - sliscp_light256_permute_spoc(state); - lw_xor_block(state + 16, m, temp); - lw_xor_block_2_src(c, m, state, temp); - state[temp + 16] ^= 0x80; /* padding */ - state[0] ^= 0x50; /* domain separation */ - c += mlen; - } - } - - /* Finalize and generate the authentication tag */ - spoc_128_finalize(state, c); - return 0; -} - -int spoc_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[SPOC_128_STATE_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value 
*/ - if (clen < SPOC_128_TAG_SIZE) - return -1; - *mlen = clen - SPOC_128_TAG_SIZE; - - /* Initialize the Spoc-128 state and absorb the associated data */ - spoc_128_init(state, k, npub, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SPOC_128_TAG_SIZE; - if (clen != 0) { - while (clen >= SPOC_128_RATE) { - sliscp_light256_permute_spoc(state); - lw_xor_block_2_src(m, c, state, SPOC_128_RATE); - lw_xor_block(state + 16, m, SPOC_128_RATE); - state[0] ^= 0x40; /* domain separation */ - c += SPOC_128_RATE; - m += SPOC_128_RATE; - clen -= SPOC_128_RATE; - } - if (clen != 0) { - unsigned temp = (unsigned)clen; - sliscp_light256_permute_spoc(state); - lw_xor_block_2_src(m, c, state, temp); - lw_xor_block(state + 16, m, temp); - state[temp + 16] ^= 0x80; /* padding */ - state[0] ^= 0x50; /* domain separation */ - c += clen; - } - } - - /* Finalize and check the authentication tag */ - spoc_128_finalize(state, state); - return aead_check_tag(mtemp, *mlen, state, c, SPOC_128_TAG_SIZE); -} - -int spoc_64_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[SPOC_64_STATE_SIZE]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SPOC_64_TAG_SIZE; - - /* Initialize the SpoC-64 state and absorb the associated data */ - spoc_64_init(state, k, npub, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - if (mlen != 0) { - while (mlen >= SPOC_64_RATE) { - sliscp_light192_permute(state); - lw_xor_block(state + 6, m, 4); - lw_xor_block(state + 18, m + 4, 4); - lw_xor_block_2_src(c, m, state, 4); - lw_xor_block_2_src(c + 4, m + 4, state + 12, 4); - state[0] ^= 0x40; /* domain separation */ - c += SPOC_64_RATE; - m += SPOC_64_RATE; - mlen -= SPOC_64_RATE; - } - if (mlen != 0) { - unsigned 
temp = (unsigned)mlen; - sliscp_light192_permute(state); - state[spoc_64_mask_posn[temp]] ^= 0x80; /* padding */ - while (temp > 0) { - --temp; - unsigned char mbyte = m[temp]; - state[spoc_64_mask_posn[temp]] ^= mbyte; - c[temp] = mbyte ^ state[spoc_64_rate_posn[temp]]; - } - state[0] ^= 0x50; /* domain separation */ - c += mlen; - } - } - - /* Finalize and generate the authentication tag */ - spoc_64_finalize(state, c); - return 0; -} - -int spoc_64_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[SPOC_64_STATE_SIZE]; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SPOC_64_TAG_SIZE) - return -1; - *mlen = clen - SPOC_64_TAG_SIZE; - - /* Initialize the Spoc-64 state and absorb the associated data */ - spoc_64_init(state, k, npub, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SPOC_64_TAG_SIZE; - if (clen != 0) { - while (clen >= SPOC_64_RATE) { - sliscp_light192_permute(state); - lw_xor_block_2_src(m, c, state, 4); - lw_xor_block_2_src(m + 4, c + 4, state + 12, 4); - lw_xor_block(state + 6, m, 4); - lw_xor_block(state + 18, m + 4, 4); - state[0] ^= 0x40; /* domain separation */ - c += SPOC_64_RATE; - m += SPOC_64_RATE; - clen -= SPOC_64_RATE; - } - if (clen != 0) { - unsigned temp = (unsigned)clen; - sliscp_light192_permute(state); - state[spoc_64_mask_posn[temp]] ^= 0x80; /* padding */ - while (temp > 0) { - --temp; - unsigned char mbyte = c[temp] ^ state[spoc_64_rate_posn[temp]]; - state[spoc_64_mask_posn[temp]] ^= mbyte; - m[temp] = mbyte; - } - state[0] ^= 0x50; /* domain separation */ - c += clen; - } - } - - /* Finalize and check the authentication tag */ - spoc_64_finalize(state, state); - return aead_check_tag(mtemp, *mlen, state, 
c, SPOC_64_TAG_SIZE); -} diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/spoc.h b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/spoc.h deleted file mode 100644 index 712c2d0..0000000 --- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys-avr/spoc.h +++ /dev/null 
@@ -1,204 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_SPOC_H
-#define LWCRYPTO_SPOC_H
-
-#include "aead-common.h"
-
-/**
- * \file spoc.h
- * \brief SpoC authenticated encryption algorithm.
- *
- * SpoC is a family of authenticated encryption algorithms with two
- * members, SpoC-128 and Spoc-64. The algorithms use a Beetle-like
- * sponge construction built on top of the sLiSCP-light permutation.
- *
- * \li Spoc-128 has a 128-bit key, a 128-bit nonce, and a 128-bit tag.
- * It is built around the 256-bit version of the sLiSCP-light permutation.
- * This is the primary member of the family.
- * \li Spoc-64 has a 128-bit key, a 128-bit nonce, and a 64-bit tag.
- * It is built around the 192-bit version of the sLiSCP-light permutation.
- *
- * Spoc-128 has good performance on small packets (16 bytes or less)
- * on 32-bit embedded platforms.
- *
- * References: https://uwaterloo.ca/communications-security-lab/lwc/spoc
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the key for all SpoC variants.
- */
-#define SPOC_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SpoC-128.
- */
-#define SPOC_128_TAG_SIZE 16
-
-/**
- * \brief Size of the authentication tag for SpoC-64.
- */
-#define SPOC_64_TAG_SIZE 8
-
-/**
- * \brief Size of the nonce for all SpoC variants.
- */
-#define SPOC_NONCE_SIZE 16
-
-/**
- * \brief Meta-information block for the SpoC-128 cipher.
- */
-extern aead_cipher_t const spoc_128_cipher;
-
-/**
- * \brief Meta-information block for the SpoC-64 cipher.
- */
-extern aead_cipher_t const spoc_64_cipher;
-
-/**
- * \brief Encrypts and authenticates a packet with SpoC-128.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa spoc_128_aead_decrypt()
- */
-int spoc_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SpoC-128.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa spoc_128_aead_encrypt()
- */
-int spoc_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with SpoC-64.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 8 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa spoc_64_aead_decrypt()
- */
-int spoc_64_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with SpoC-64.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 8 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa spoc_64_aead_encrypt()
- */
-int spoc_64_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-192-avr.S b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-192-avr.S
new file mode 100644
index 0000000..5860b14
--- /dev/null
+++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-192-avr.S
@@ -0,0 +1,794 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 72 +table_0: + .byte 7 + .byte 39 + .byte 8 + .byte 41 + .byte 4 + .byte 52 + .byte 12 + .byte 29 + .byte 6 + .byte 46 + .byte 10 + .byte 51 + .byte 37 + .byte 25 + .byte 47 + .byte 42 + .byte 23 + .byte 53 + .byte 56 + .byte 31 + .byte 28 + .byte 15 + .byte 36 + .byte 16 + .byte 18 + .byte 8 + .byte 54 + .byte 24 + .byte 59 + .byte 12 + .byte 13 + .byte 20 + .byte 38 + .byte 10 + .byte 43 + .byte 30 + .byte 21 + .byte 47 + .byte 62 + .byte 49 + .byte 63 + .byte 56 + .byte 1 + .byte 9 + .byte 32 + .byte 36 + .byte 33 + .byte 45 + .byte 48 + .byte 54 + .byte 17 + .byte 27 + .byte 40 + .byte 13 + .byte 57 + .byte 22 + .byte 60 + .byte 43 + .byte 5 + .byte 61 + .byte 34 + .byte 62 + .byte 39 + .byte 3 + .byte 19 + .byte 1 + .byte 52 + .byte 2 + .byte 26 + .byte 33 + .byte 46 + .byte 35 + + .text +.global sliscp_light192_permute + .type sliscp_light192_permute, @function +sliscp_light192_permute: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 +.L__stack_usage = 18 + ld r20,Z + ldd r19,Z+1 + ldd r18,Z+2 + ldd r21,Z+3 + ldd r23,Z+4 + ldd r22,Z+5 + ldd r28,Z+6 + ldd r27,Z+7 + ldd r26,Z+8 + ldd r29,Z+9 + ldd r3,Z+10 + ldd r2,Z+11 + ldd r6,Z+12 + ldd r5,Z+13 + ldd r4,Z+14 + ldd r7,Z+15 + ldd r9,Z+16 + ldd r8,Z+17 + ldd r12,Z+18 + ldd r11,Z+19 + ldd r10,Z+20 + ldd r13,Z+21 + ldd r15,Z+22 + ldd r14,Z+23 + push r31 + push r30 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r24,0 +28: + mov r30,r24 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z 
+#else + lpm + mov r25,r0 +#endif + inc r24 + movw r16,r26 + mov r1,r28 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r2,r16 + eor r3,r17 + eor r29,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r26 + and r17,r27 + and r1,r28 + eor r2,r16 + eor r3,r17 + eor r29,r1 + com r3 + com r29 + ldi r16,255 + lsr r25 + rol r16 + eor r2,r16 + movw r16,r2 + mov r1,r29 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r26,r16 + eor r27,r17 + eor r28,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r2 + and r17,r3 + and r1,r29 + eor r26,r16 + eor r27,r17 + eor r28,r1 + com r27 + com r28 + ldi r16,255 + lsr r25 + rol r16 + eor r26,r16 + movw r16,r26 + mov r1,r28 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r2,r16 + eor r3,r17 + eor r29,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r26 + and r17,r27 + and r1,r28 + eor r2,r16 + eor r3,r17 + eor r29,r1 + com r3 + com r29 + ldi r16,255 + lsr r25 + rol r16 + eor r2,r16 + movw r16,r2 + mov r1,r29 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r26,r16 + eor r27,r17 + eor r28,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r2 + and r17,r3 + and r1,r29 + eor r26,r16 + eor r27,r17 + eor r28,r1 + com r27 + com r28 + ldi r16,255 + lsr r25 + rol r16 + eor r26,r16 + movw r16,r26 + mov r1,r28 + bst r1,7 + lsl r16 + rol 
r17 + rol r1 + bld r16,0 + eor r2,r16 + eor r3,r17 + eor r29,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r26 + and r17,r27 + and r1,r28 + eor r2,r16 + eor r3,r17 + eor r29,r1 + com r3 + com r29 + ldi r16,255 + lsr r25 + rol r16 + eor r2,r16 + movw r16,r2 + mov r1,r29 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r26,r16 + eor r27,r17 + eor r28,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r2 + and r17,r3 + and r1,r29 + eor r26,r16 + eor r27,r17 + eor r28,r1 + com r27 + com r28 + ldi r16,255 + lsr r25 + rol r16 + eor r26,r16 + mov r30,r24 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + inc r24 + movw r16,r10 + mov r1,r12 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r14,r16 + eor r15,r17 + eor r13,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r10 + and r17,r11 + and r1,r12 + eor r14,r16 + eor r15,r17 + eor r13,r1 + com r15 + com r13 + ldi r16,255 + lsr r25 + rol r16 + eor r14,r16 + movw r16,r14 + mov r1,r13 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r10,r16 + eor r11,r17 + eor r12,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r14 + and r17,r15 + and r1,r13 + eor r10,r16 + eor r11,r17 + eor r12,r1 + com r11 + com r12 + ldi r16,255 + 
lsr r25 + rol r16 + eor r10,r16 + movw r16,r10 + mov r1,r12 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r14,r16 + eor r15,r17 + eor r13,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r10 + and r17,r11 + and r1,r12 + eor r14,r16 + eor r15,r17 + eor r13,r1 + com r15 + com r13 + ldi r16,255 + lsr r25 + rol r16 + eor r14,r16 + movw r16,r14 + mov r1,r13 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r10,r16 + eor r11,r17 + eor r12,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r14 + and r17,r15 + and r1,r13 + eor r10,r16 + eor r11,r17 + eor r12,r1 + com r11 + com r12 + ldi r16,255 + lsr r25 + rol r16 + eor r10,r16 + movw r16,r10 + mov r1,r12 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r14,r16 + eor r15,r17 + eor r13,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r10 + and r17,r11 + and r1,r12 + eor r14,r16 + eor r15,r17 + eor r13,r1 + com r15 + com r13 + ldi r16,255 + lsr r25 + rol r16 + eor r14,r16 + movw r16,r14 + mov r1,r13 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + eor r10,r16 + eor r11,r17 + eor r12,r1 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + bst r1,7 + lsl r16 + rol r17 + rol r1 + bld r16,0 + and r16,r14 + and r17,r15 + and r1,r13 + eor r10,r16 + eor r11,r17 + eor r12,r1 + com r11 + com r12 + ldi r16,255 + lsr r25 + rol r16 + eor r10,r16 + com r18 + com r19 + com r20 + com r23 + com r21 + 
mov r30,r24 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + eor r22,r25 + inc r24 + com r4 + com r5 + com r6 + com r9 + com r7 + mov r30,r24 +#if defined(RAMPZ) + elpm r25,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r25,Z +#elif defined(__AVR_TINY__) + ld r25,Z +#else + lpm + mov r25,r0 +#endif + eor r8,r25 + inc r24 + movw r16,r18 + mov r1,r20 + eor r16,r26 + eor r17,r27 + eor r1,r28 + movw r18,r26 + mov r20,r28 + movw r26,r4 + mov r28,r6 + eor r26,r10 + eor r27,r11 + eor r28,r12 + movw r4,r10 + mov r6,r12 + movw r10,r16 + mov r12,r1 + movw r16,r22 + mov r1,r21 + eor r16,r2 + eor r17,r3 + eor r1,r29 + movw r22,r2 + mov r21,r29 + movw r2,r8 + mov r29,r7 + eor r2,r14 + eor r3,r15 + eor r29,r13 + movw r8,r14 + mov r7,r13 + movw r14,r16 + mov r13,r1 + ldi r17,72 + cpse r24,r17 + rjmp 28b +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + st Z,r20 + std Z+1,r19 + std Z+2,r18 + std Z+3,r21 + std Z+4,r23 + std Z+5,r22 + std Z+6,r28 + std Z+7,r27 + std Z+8,r26 + std Z+9,r29 + std Z+10,r3 + std Z+11,r2 + std Z+12,r6 + std Z+13,r5 + std Z+14,r4 + std Z+15,r7 + std Z+16,r9 + std Z+17,r8 + std Z+18,r12 + std Z+19,r11 + std Z+20,r10 + std Z+21,r13 + std Z+22,r15 + std Z+23,r14 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + eor r1,r1 + ret + .size sliscp_light192_permute, .-sliscp_light192_permute + +#endif diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-256-spoc-avr.S b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-256-spoc-avr.S new file mode 100644 index 0000000..84925b4 --- /dev/null +++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-256-spoc-avr.S 
@@ -0,0 +1,1142 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 72 +table_0: + .byte 15 + .byte 71 + .byte 8 + .byte 100 + .byte 4 + .byte 178 + .byte 134 + .byte 107 + .byte 67 + .byte 181 + .byte 226 + .byte 111 + .byte 241 + .byte 55 + .byte 137 + .byte 44 + .byte 68 + .byte 150 + .byte 230 + .byte 221 + .byte 115 + .byte 238 + .byte 202 + .byte 153 + .byte 229 + .byte 76 + .byte 23 + .byte 234 + .byte 11 + .byte 245 + .byte 142 + .byte 15 + .byte 71 + .byte 7 + .byte 100 + .byte 4 + .byte 178 + .byte 130 + .byte 107 + .byte 67 + .byte 181 + .byte 161 + .byte 111 + .byte 241 + .byte 55 + .byte 120 + .byte 44 + .byte 68 + .byte 150 + .byte 162 + .byte 221 + .byte 115 + .byte 238 + .byte 185 + .byte 153 + .byte 229 + .byte 76 + .byte 242 + .byte 234 + .byte 11 + .byte 245 + .byte 133 + .byte 15 + .byte 71 + .byte 7 + .byte 35 + .byte 4 + .byte 178 + .byte 130 + .byte 217 + .byte 67 + .byte 181 + + .text +.global sliscp_light256_permute_spoc + .type sliscp_light256_permute_spoc, @function +sliscp_light256_permute_spoc: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r12 + push r13 + push r14 + push r15 + movw r30,r24 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 31 + ld r21,Z + ldd r20,Z+1 + ldd r19,Z+2 + ldd r18,Z+3 + ldd r27,Z+4 + ldd r26,Z+5 + ldd r23,Z+6 + ldd r22,Z+7 + ldd r5,Z+8 + ldd r4,Z+9 + ldd r3,Z+10 + ldd r2,Z+11 + ldd r9,Z+12 + ldd r8,Z+13 + ldd r7,Z+14 + ldd r6,Z+15 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + std Y+5,r22 + std Y+6,r23 + std Y+7,r26 + std Y+8,r27 + std Y+9,r2 + std Y+10,r3 + std Y+11,r4 + std Y+12,r5 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + ldd r21,Z+16 + ldd r20,Z+17 + ldd r19,Z+18 + ldd r18,Z+19 + ldd r27,Z+20 + ldd r26,Z+21 + ldd 
r23,Z+22 + ldd r22,Z+23 + ldd r5,Z+24 + ldd r4,Z+25 + ldd r3,Z+26 + ldd r2,Z+27 + ldd r9,Z+28 + ldd r8,Z+29 + ldd r7,Z+30 + ldd r6,Z+31 + push r31 + push r30 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + mov r30,r1 +52: +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + inc r30 + movw r12,r18 + movw r14,r20 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r18 + and r13,r19 + and r14,r20 + and r15,r21 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + com r23 + com r26 + com r27 + ldi r24,255 + lsr r10 + rol r24 + eor r22,r24 + movw r12,r22 + movw r14,r26 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r22 + and r13,r23 + and r14,r26 + and r15,r27 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + com r19 + com r20 + com r21 + ldi r24,255 + lsr r10 + rol r24 + eor r18,r24 + movw r12,r18 + movw r14,r20 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r18 + and r13,r19 + and r14,r20 + and r15,r21 + eor 
r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + com r23 + com r26 + com r27 + ldi r24,255 + lsr r10 + rol r24 + eor r22,r24 + movw r12,r22 + movw r14,r26 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r22 + and r13,r23 + and r14,r26 + and r15,r27 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + com r19 + com r20 + com r21 + ldi r24,255 + lsr r10 + rol r24 + eor r18,r24 + movw r12,r18 + movw r14,r20 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r18 + and r13,r19 + and r14,r20 + and r15,r21 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + com r23 + com r26 + com r27 + ldi r24,255 + lsr r10 + rol r24 + eor r22,r24 + movw r12,r22 + movw r14,r26 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r22 + and r13,r23 + and r14,r26 + and r15,r27 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + com r19 + com r20 + com r21 + ldi r24,255 + lsr r10 + rol r24 + eor r18,r24 + movw r12,r18 + movw r14,r20 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + 
lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r18 + and r13,r19 + and r14,r20 + and r15,r21 + eor r22,r12 + eor r23,r13 + eor r26,r14 + eor r27,r15 + com r23 + com r26 + com r27 + ldi r24,255 + lsr r10 + rol r24 + eor r22,r24 + movw r12,r22 + movw r14,r26 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r22 + and r13,r23 + and r14,r26 + and r15,r27 + eor r18,r12 + eor r19,r13 + eor r20,r14 + eor r21,r15 + com r19 + com r20 + com r21 + ldi r24,255 + lsr r10 + rol r24 + eor r18,r24 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + inc r30 + movw r12,r2 + movw r14,r4 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r2 + and r13,r3 + and r14,r4 + and r15,r5 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + com r7 + com r8 + com r9 + ldi r24,255 + lsr r10 + rol r24 + eor r6,r24 + movw r12,r6 + movw r14,r8 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r6 + and r13,r7 + and r14,r8 + and r15,r9 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + com r3 + com r4 + com r5 + 
ldi r24,255 + lsr r10 + rol r24 + eor r2,r24 + movw r12,r2 + movw r14,r4 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r2 + and r13,r3 + and r14,r4 + and r15,r5 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + com r7 + com r8 + com r9 + ldi r24,255 + lsr r10 + rol r24 + eor r6,r24 + movw r12,r6 + movw r14,r8 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r6 + and r13,r7 + and r14,r8 + and r15,r9 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + com r3 + com r4 + com r5 + ldi r24,255 + lsr r10 + rol r24 + eor r2,r24 + movw r12,r2 + movw r14,r4 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r2 + and r13,r3 + and r14,r4 + and r15,r5 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + com r7 + com r8 + com r9 + ldi r24,255 + lsr r10 + rol r24 + eor r6,r24 + movw r12,r6 + movw r14,r8 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r6 + and r13,r7 + and r14,r8 + 
and r15,r9 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + com r3 + com r4 + com r5 + ldi r24,255 + lsr r10 + rol r24 + eor r2,r24 + movw r12,r2 + movw r14,r4 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r2 + and r13,r3 + and r14,r4 + and r15,r5 + eor r6,r12 + eor r7,r13 + eor r8,r14 + eor r9,r15 + com r7 + com r8 + com r9 + ldi r24,255 + lsr r10 + rol r24 + eor r6,r24 + movw r12,r6 + movw r14,r8 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + lsl r12 + rol r13 + rol r14 + rol r15 + adc r12,r1 + and r12,r6 + and r13,r7 + and r14,r8 + and r15,r9 + eor r2,r12 + eor r3,r13 + eor r4,r14 + eor r5,r15 + com r3 + com r4 + com r5 + ldi r24,255 + lsr r10 + rol r24 + eor r2,r24 + ldd r12,Y+1 + ldd r13,Y+2 + ldd r14,Y+3 + ldd r15,Y+4 + com r12 + com r13 + com r14 + com r15 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + std Y+1,r18 + std Y+2,r19 + std Y+3,r20 + std Y+4,r21 + ldd r18,Y+9 + ldd r19,Y+10 + ldd r20,Y+11 + ldd r21,Y+12 + com r18 + com r19 + com r20 + com r21 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + std Y+9,r2 + std Y+10,r3 + std Y+11,r4 + std Y+12,r5 + movw r2,r12 + movw r4,r14 + ldd r12,Y+5 + ldd r13,Y+6 + ldd r14,Y+7 + ldd r15,Y+8 + com r13 + com r14 + com r15 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + eor r12,r10 + inc r30 + eor r12,r22 + eor r13,r23 + eor r14,r26 + eor r15,r27 + std Y+5,r22 + std Y+6,r23 + std Y+7,r26 + std Y+8,r27 
+ ldd r22,Y+13 + ldd r23,Y+14 + ldd r26,Y+15 + ldd r27,Y+16 + com r23 + com r26 + com r27 +#if defined(RAMPZ) + elpm r10,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r10,Z +#elif defined(__AVR_TINY__) + ld r10,Z +#else + lpm + mov r10,r0 +#endif + eor r22,r10 + inc r30 + eor r22,r6 + eor r23,r7 + eor r26,r8 + eor r27,r9 + std Y+13,r6 + std Y+14,r7 + std Y+15,r8 + std Y+16,r9 + movw r6,r12 + movw r8,r14 + ldi r25,72 + cpse r30,r25 + rjmp 52b +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + pop r30 + pop r31 + std Z+16,r21 + std Z+17,r20 + std Z+18,r19 + std Z+19,r18 + std Z+20,r27 + std Z+21,r26 + std Z+22,r23 + std Z+23,r22 + std Z+24,r5 + std Z+25,r4 + std Z+26,r3 + std Z+27,r2 + std Z+28,r9 + std Z+29,r8 + std Z+30,r7 + std Z+31,r6 + ldd r18,Y+1 + ldd r19,Y+2 + ldd r20,Y+3 + ldd r21,Y+4 + ldd r22,Y+5 + ldd r23,Y+6 + ldd r26,Y+7 + ldd r27,Y+8 + ldd r2,Y+9 + ldd r3,Y+10 + ldd r4,Y+11 + ldd r5,Y+12 + ldd r6,Y+13 + ldd r7,Y+14 + ldd r8,Y+15 + ldd r9,Y+16 + st Z,r21 + std Z+1,r20 + std Z+2,r19 + std Z+3,r18 + std Z+4,r27 + std Z+5,r26 + std Z+6,r23 + std Z+7,r22 + std Z+8,r5 + std Z+9,r4 + std Z+10,r3 + std Z+11,r2 + std Z+12,r9 + std Z+13,r8 + std Z+14,r7 + std Z+15,r6 + adiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r15 + pop r14 + pop r13 + pop r12 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size sliscp_light256_permute_spoc, .-sliscp_light256_permute_spoc + + .text +.global sliscp_light256_swap_spoc + .type sliscp_light256_swap_spoc, @function +sliscp_light256_swap_spoc: + movw r30,r24 +.L__stack_usage = 2 + ldd r18,Z+8 + ldd r19,Z+9 + ldd r20,Z+10 + ldd r21,Z+11 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r26,Z+18 + ldd r27,Z+19 + std Z+16,r18 + std Z+17,r19 + std Z+18,r20 + std Z+19,r21 + std Z+8,r22 + std Z+9,r23 + std Z+10,r26 + std Z+11,r27 + ldd r18,Z+12 + ldd r19,Z+13 + ldd r20,Z+14 + ldd r21,Z+15 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r26,Z+22 + ldd 
r27,Z+23 + std Z+20,r18 + std Z+21,r19 + std Z+22,r20 + std Z+23,r21 + std Z+12,r22 + std Z+13,r23 + std Z+14,r26 + std Z+15,r27 + ret + .size sliscp_light256_swap_spoc, .-sliscp_light256_swap_spoc + +#endif
diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.c b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.c
index 69b4519..dd3a688 100644
--- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.c
+++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.c
@@ -22,6 +22,8 @@
 #include "internal-sliscp-light.h"
+#if !defined(__AVR__)
+
 /**
 * \brief Performs one round of the Simeck-64 block cipher.
 *
@@ -173,11 +175,12 @@ void sliscp_light256_swap_spix(unsigned char block[32])
 le_store_word32(block + 12, t2);
 }
-void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds)
+void sliscp_light256_permute_spoc(unsigned char block[32])
 {
 const unsigned char *rc = sliscp_light256_RC;
 uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
 uint32_t t0, t1;
+ unsigned round;
 /* Load the block into local state variables */
 x0 = be_load_word32(block);
@@ -190,7 +193,7 @@ void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds)
 x7 = be_load_word32(block + 28);
 /* Perform all permutation rounds */
- for (; rounds > 0; --rounds, rc += 4) {
+ for (round = 0; round < 18; ++round, rc += 4) {
 /* Apply Simeck-64 to two of the 64-bit sub-blocks */
 simeck64_box(x2, x3, rc[0]);
 simeck64_box(x6, x7, rc[1]);
@@ -406,3 +409,5 @@ void sliscp_light320_swap(unsigned char block[40])
 le_store_word32(block + 16, t1);
 le_store_word32(block + 4, t2);
 }
+
+#endif /* !__AVR__ */
diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.h b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.h
index fa6b9ba..8a5e8d5 100644
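Review bot: The `#if !defined(__AVR__)` opened in the first hunk of internal-sliscp-light.c (and closed by the `#endif` in its last hunk) compiles out every definition in the file on AVR, but the assembly added in this directory only provides sliscp_light192_permute, sliscp_light256_permute_spoc and sliscp_light256_swap_spoc; sliscp_light256_swap_spix and sliscp_light320_swap, both visible as hunk context here, are left declared with no definition on AVR. That links only as long as nothing in the SpoC-64 build references them, so it is a latent undefined-symbol failure for any other consumer of this file. Either guard each function individually by whether an AVR replacement exists, or record the assumption next to the guard: `/* On AVR every permutation below is expected to come from an internal-sliscp-*-avr.S file; any that lacks one is undefined. */`. The function bodies between the two guard hunks are outside the diff.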
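Review bot: In the `@@ -190` hunk the round count is a bare literal `18` whose only link to the `rc += 4` stride and to the round-constant table (72 bytes in the AVR `table_0`, presumably the same for `sliscp_light256_RC`) is arithmetic the reader has to redo, and the counter introduced in the previous hunk reuses the name of the standard `round()` function. A named constant declared beside the table keeps the two in step and the loop self-describing: `enum { SLISCP_LIGHT256_SPOC_ROUNDS = 18 };`, `unsigned i;` and `for (i = 0; i < SLISCP_LIGHT256_SPOC_ROUNDS; ++i, rc += 4) {`. The body of sliscp_light256_permute_spoc continues outside the hunk.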
--- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.h
+++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-sliscp-light.h
@@ -92,7 +92,6 @@ void sliscp_light256_swap_spix(unsigned char block[32]);
 * \brief Performs the sLiSCP-light permutation on a 256-bit block.
 *
 * \param block Points to the block to be permuted.
- * \param rounds Number of rounds to be performed, usually 9 or 18.
 *
 * The bytes of the block are assumed to be rearranged to match the
 * requirements of the SpoC-128 cipher. SpoC-128 interleaves the
@@ -112,7 +111,7 @@ void sliscp_light256_swap_spix(unsigned char block[32]);
 *
 * \sa sliscp_light256_swap_spoc()
 */
-void sliscp_light256_permute_spoc(unsigned char block[32], unsigned rounds);
+void sliscp_light256_permute_spoc(unsigned char block[32]);
 /**
 * \brief Swaps rate bytes in a sLiSCP-light 256-bit block for SpoC-128.
diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-util.h b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-util.h
+++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
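Review bot: Dropping the `\param rounds` line in the `@@ -92` hunk leaves the comment silent on how many rounds sliscp_light256_permute_spoc now performs, while the old wording ("usually 9 or 18") told callers they could choose; the C implementation in this commit loops a fixed 18 times. Put one sentence in its place so the reduced-round option is documented as gone rather than merely absent: ` * The permutation always performs 18 rounds; the round count is no longer selectable.`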
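Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is defined unconditionally in the `@@ -238` hunk, so a host build cannot select the composed rotations (for example with `-DLW_CRYPTO_ROTATE32_COMPOSED=1`) to compare them against the generic macros, and a build that already sets it would get a redefinition warning. Wrapping the block in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` ... `#endif` keeps the AVR default and allows the override. That off-target check matters here because each composed macro encodes its rotation count by hand (leftRotate5 as left 8 then right 3, and so on) and a miscount would silently change the permutation rather than fail to compile.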
@@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.c b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.c
index 1af7d59..92ee233 100644
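Review bot: The 31 composed `leftRotateN` macros and the 31 `rightRotateN` aliases in this hunk are hand-derived and nothing in the patch checks them against the generic `leftRotate((a), n)` form; a transposed count in one alias would only show up on AVR, where the straightforward `#if !LW_CRYPTO_ROTATE32_COMPOSED` branch is not compiled, and would silently corrupt every cipher built on this header. The generic rotates appear to be GNU statement expressions (the `_temp` / `}))` shape in the previous hunk), so `_Static_assert` cannot cover them; a host-side unit test built with `LW_CRYPTO_ROTATE32_COMPOSED` forced to 1 that compares each `leftRotateN(x)` and `rightRotateN(x)` with the generic rotate over a few bit patterns would close the gap. I traced the compositions (for example `leftRotate5` = left 8 then right 3, `rightRotate13` = `leftRotate19`) and they are consistent as written, so this is about guarding future edits rather than a present defect. A header comment such as `/* Each rightRotateN must equal leftRotate(32-N); keep the two tables in sync */` above the alias table would make that invariant explicit.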
--- a/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.c +++ b/spoc/Implementations/crypto_aead/spoc64sliscplight192v1/rhys/spoc.c @@ -106,7 +106,7 @@ static void spoc_128_init /* Absorb the associated data into the state */ if (adlen != 0) { while (adlen >= SPOC_128_RATE) { - sliscp_light256_permute_spoc(state, 18); + sliscp_light256_permute_spoc(state); lw_xor_block(state + 16, ad, SPOC_128_RATE); state[0] ^= 0x20; /* domain separation */ ad += SPOC_128_RATE; @@ -114,7 +114,7 @@ static void spoc_128_init } temp = (unsigned)adlen; if (temp > 0) { - sliscp_light256_permute_spoc(state, 18); + sliscp_light256_permute_spoc(state); lw_xor_block(state + 16, ad, temp); state[temp + 16] ^= 0x80; /* padding */ state[0] ^= 0x30; /* domain separation */ @@ -185,7 +185,7 @@ static void spoc_128_finalize { /* Pad and permute the state one more time */ state[0] ^= 0x80; - sliscp_light256_permute_spoc(state, 18); + sliscp_light256_permute_spoc(state); /* Copy out the authentication tag */ memcpy(tag, state + 16, 16); @@ -229,7 +229,7 @@ int spoc_128_aead_encrypt /* Encrypt the plaintext to produce the ciphertext */ if (mlen != 0) { while (mlen >= SPOC_128_RATE) { - sliscp_light256_permute_spoc(state, 18); + sliscp_light256_permute_spoc(state); lw_xor_block(state + 16, m, SPOC_128_RATE); lw_xor_block_2_src(c, m, state, SPOC_128_RATE); state[0] ^= 0x40; /* domain separation */ @@ -239,7 +239,7 @@ int spoc_128_aead_encrypt } if (mlen != 0) { unsigned temp = (unsigned)mlen; - sliscp_light256_permute_spoc(state, 18); + sliscp_light256_permute_spoc(state); lw_xor_block(state + 16, m, temp); lw_xor_block_2_src(c, m, state, temp); state[temp + 16] ^= 0x80; /* padding */ 
@@ -277,7 +277,7 @@ int spoc_128_aead_decrypt clen -= SPOC_128_TAG_SIZE; if (clen != 0) { while (clen >= SPOC_128_RATE) { - sliscp_light256_permute_spoc(state, 18); + sliscp_light256_permute_spoc(state); lw_xor_block_2_src(m, c, state, SPOC_128_RATE); lw_xor_block(state + 16, m, SPOC_128_RATE); state[0] ^= 0x40; /* domain separation */ @@ -287,7 +287,7 @@ int spoc_128_aead_decrypt } if (clen != 0) { unsigned temp = (unsigned)clen; - sliscp_light256_permute_spoc(state, 18); + sliscp_light256_permute_spoc(state); lw_xor_block_2_src(m, c, state, temp); lw_xor_block(state + 16, m, temp); state[temp + 16] ^= 0x80; /* padding */ diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/aead-common.c b/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/aead-common.h b/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/api.h b/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/api.h deleted file mode 100644 index fb1dab8..0000000 --- a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 32 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/encrypt.c b/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/encrypt.c deleted file mode 100644 index df13efc..0000000 --- a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@ - -#include "spook.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return spook_128_384_mu_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return spook_128_384_mu_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/internal-spook.c b/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/internal-spook.c deleted file mode 100644 index 0e19216..0000000 --- a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/internal-spook.c +++ /dev/null 
@@ -1,557 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-spook.h" - -/** - * \brief Number of steps in the Clyde-128 block cipher. - * - * This is also the number of steps in the Shadow-512 and Shadow-384 - * permutations. - */ -#define CLYDE128_STEPS 6 - -/** - * \brief Round constants for the steps of Clyde-128. 
- */ -static uint8_t const rc[CLYDE128_STEPS][8] = { - {1, 0, 0, 0, 0, 1, 0, 0}, - {0, 0, 1, 0, 0, 0, 0, 1}, - {1, 1, 0, 0, 0, 1, 1, 0}, - {0, 0, 1, 1, 1, 1, 0, 1}, - {1, 0, 1, 0, 0, 1, 0, 1}, - {1, 1, 1, 0, 0, 1, 1, 1} -}; - -void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE], - const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], - uint32_t output[CLYDE128_BLOCK_SIZE / 4], - const uint32_t input[CLYDE128_BLOCK_SIZE / 4]) -{ - uint32_t k0, k1, k2, k3; - uint32_t t0, t1, t2, t3; - uint32_t s0, s1, s2, s3; - uint32_t c, d; - int step; - - /* Unpack the key, tweak, and state */ - k0 = le_load_word32(key); - k1 = le_load_word32(key + 4); - k2 = le_load_word32(key + 8); - k3 = le_load_word32(key + 12); -#if defined(LW_UTIL_LITTLE_ENDIAN) - t0 = tweak[0]; - t1 = tweak[1]; - t2 = tweak[2]; - t3 = tweak[3]; - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; -#else - t0 = le_load_word32((const unsigned char *)&(tweak[0])); - t1 = le_load_word32((const unsigned char *)&(tweak[1])); - t2 = le_load_word32((const unsigned char *)&(tweak[2])); - t3 = le_load_word32((const unsigned char *)&(tweak[3])); - s0 = le_load_word32((const unsigned char *)&(input[0])); - s1 = le_load_word32((const unsigned char *)&(input[1])); - s2 = le_load_word32((const unsigned char *)&(input[2])); - s3 = le_load_word32((const unsigned char *)&(input[3])); -#endif - - /* Add the initial tweakey to the state */ - s0 ^= k0 ^ t0; - s1 ^= k1 ^ t1; - s2 ^= k2 ^ t2; - s3 ^= k3 ^ t3; - - /* Perform all rounds in pairs */ - for (step = 0; step < CLYDE128_STEPS; ++step) { - /* Perform the two rounds of this step */ - #define clyde128_sbox(s0, s1, s2, s3) \ - do { \ - c = (s0 & s1) ^ s2; \ - d = (s3 & s0) ^ s1; \ - s2 = (c & d) ^ s3; \ - s3 = (c & s3) ^ s0; \ - s0 = d; \ - s1 = c; \ - } while (0) - #define clyde128_lbox(x, y) \ - do { \ - c = x ^ rightRotate12(x); \ - d = y ^ rightRotate12(y); \ - c ^= rightRotate3(c); \ - d ^= rightRotate3(d); \ - x = c ^ leftRotate15(x); \ - y = d ^ 
leftRotate15(y); \ - c = x ^ leftRotate1(x); \ - d = y ^ leftRotate1(y); \ - x ^= leftRotate6(d); \ - y ^= leftRotate7(c); \ - x ^= rightRotate15(c); \ - y ^= rightRotate15(d); \ - } while (0) - clyde128_sbox(s0, s1, s2, s3); - clyde128_lbox(s0, s1); - clyde128_lbox(s2, s3); - s0 ^= rc[step][0]; - s1 ^= rc[step][1]; - s2 ^= rc[step][2]; - s3 ^= rc[step][3]; - clyde128_sbox(s0, s1, s2, s3); - clyde128_lbox(s0, s1); - clyde128_lbox(s2, s3); - s0 ^= rc[step][4]; - s1 ^= rc[step][5]; - s2 ^= rc[step][6]; - s3 ^= rc[step][7]; - - /* Update the tweakey on the fly and add it to the state */ - c = t2 ^ t0; - d = t3 ^ t1; - t2 = t0; - t3 = t1; - t0 = c; - t1 = d; - s0 ^= k0 ^ t0; - s1 ^= k1 ^ t1; - s2 ^= k2 ^ t2; - s3 ^= k3 ^ t3; - } - - /* Pack the state into the output buffer */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -#else - le_store_word32((unsigned char *)&(output[0]), s0); - le_store_word32((unsigned char *)&(output[1]), s1); - le_store_word32((unsigned char *)&(output[2]), s2); - le_store_word32((unsigned char *)&(output[3]), s3); -#endif -} - -void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE], - const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], - uint32_t output[CLYDE128_BLOCK_SIZE / 4], - const unsigned char input[CLYDE128_BLOCK_SIZE]) -{ - uint32_t k0, k1, k2, k3; - uint32_t t0, t1, t2, t3; - uint32_t s0, s1, s2, s3; - uint32_t a, b, d; - int step; - - /* Unpack the key, tweak, and state */ - k0 = le_load_word32(key); - k1 = le_load_word32(key + 4); - k2 = le_load_word32(key + 8); - k3 = le_load_word32(key + 12); -#if defined(LW_UTIL_LITTLE_ENDIAN) - t0 = tweak[0]; - t1 = tweak[1]; - t2 = tweak[2]; - t3 = tweak[3]; -#else - t0 = le_load_word32((const unsigned char *)&(tweak[0])); - t1 = le_load_word32((const unsigned char *)&(tweak[1])); - t2 = le_load_word32((const unsigned char *)&(tweak[2])); - t3 = le_load_word32((const unsigned char *)&(tweak[3])); -#endif - s0 = 
le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all rounds in pairs */ - for (step = CLYDE128_STEPS - 1; step >= 0; --step) { - /* Add the tweakey to the state and update the tweakey */ - s0 ^= k0 ^ t0; - s1 ^= k1 ^ t1; - s2 ^= k2 ^ t2; - s3 ^= k3 ^ t3; - a = t2 ^ t0; - b = t3 ^ t1; - t0 = t2; - t1 = t3; - t2 = a; - t3 = b; - - /* Perform the two rounds of this step */ - #define clyde128_inv_sbox(s0, s1, s2, s3) \ - do { \ - d = (s0 & s1) ^ s2; \ - a = (s1 & d) ^ s3; \ - b = (d & a) ^ s0; \ - s2 = (a & b) ^ s1; \ - s0 = a; \ - s1 = b; \ - s3 = d; \ - } while (0) - #define clyde128_inv_lbox(x, y) \ - do { \ - a = x ^ leftRotate7(x); \ - b = y ^ leftRotate7(y); \ - x ^= leftRotate1(a); \ - y ^= leftRotate1(b); \ - x ^= leftRotate12(a); \ - y ^= leftRotate12(b); \ - a = x ^ leftRotate1(x); \ - b = y ^ leftRotate1(y); \ - x ^= leftRotate6(b); \ - y ^= leftRotate7(a); \ - a ^= leftRotate15(x); \ - b ^= leftRotate15(y); \ - x = rightRotate16(a); \ - y = rightRotate16(b); \ - } while (0) - s0 ^= rc[step][4]; - s1 ^= rc[step][5]; - s2 ^= rc[step][6]; - s3 ^= rc[step][7]; - clyde128_inv_lbox(s0, s1); - clyde128_inv_lbox(s2, s3); - clyde128_inv_sbox(s0, s1, s2, s3); - s0 ^= rc[step][0]; - s1 ^= rc[step][1]; - s2 ^= rc[step][2]; - s3 ^= rc[step][3]; - clyde128_inv_lbox(s0, s1); - clyde128_inv_lbox(s2, s3); - clyde128_inv_sbox(s0, s1, s2, s3); - } - - /* Add the tweakey to the state one last time */ - s0 ^= k0 ^ t0; - s1 ^= k1 ^ t1; - s2 ^= k2 ^ t2; - s3 ^= k3 ^ t3; - - /* Pack the state into the output buffer */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -#else - le_store_word32((unsigned char *)&(output[0]), s0); - le_store_word32((unsigned char *)&(output[1]), s1); - le_store_word32((unsigned char *)&(output[2]), s2); - le_store_word32((unsigned char *)&(output[3]), s3); -#endif -} - -void shadow512(shadow512_state_t 
*state) -{ - uint32_t s00, s01, s02, s03; - uint32_t s10, s11, s12, s13; - uint32_t s20, s21, s22, s23; - uint32_t s30, s31, s32, s33; - uint32_t c, d, w, x, y, z; - int step; - - /* Unpack the state into local variables */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - s00 = state->W[0]; - s01 = state->W[1]; - s02 = state->W[2]; - s03 = state->W[3]; - s10 = state->W[4]; - s11 = state->W[5]; - s12 = state->W[6]; - s13 = state->W[7]; - s20 = state->W[8]; - s21 = state->W[9]; - s22 = state->W[10]; - s23 = state->W[11]; - s30 = state->W[12]; - s31 = state->W[13]; - s32 = state->W[14]; - s33 = state->W[15]; -#else - s00 = le_load_word32(state->B); - s01 = le_load_word32(state->B + 4); - s02 = le_load_word32(state->B + 8); - s03 = le_load_word32(state->B + 12); - s10 = le_load_word32(state->B + 16); - s11 = le_load_word32(state->B + 20); - s12 = le_load_word32(state->B + 24); - s13 = le_load_word32(state->B + 28); - s20 = le_load_word32(state->B + 32); - s21 = le_load_word32(state->B + 36); - s22 = le_load_word32(state->B + 40); - s23 = le_load_word32(state->B + 44); - s30 = le_load_word32(state->B + 48); - s31 = le_load_word32(state->B + 52); - s32 = le_load_word32(state->B + 56); - s33 = le_load_word32(state->B + 60); -#endif - - /* Perform all rounds in pairs */ - for (step = 0; step < CLYDE128_STEPS; ++step) { - /* Apply the S-box and L-box to bundle 0 */ - clyde128_sbox(s00, s01, s02, s03); - clyde128_lbox(s00, s01); - clyde128_lbox(s02, s03); - s00 ^= rc[step][0]; - s01 ^= rc[step][1]; - s02 ^= rc[step][2]; - s03 ^= rc[step][3]; - clyde128_sbox(s00, s01, s02, s03); - - /* Apply the S-box and L-box to bundle 1 */ - clyde128_sbox(s10, s11, s12, s13); - clyde128_lbox(s10, s11); - clyde128_lbox(s12, s13); - s10 ^= rc[step][0] << 1; - s11 ^= rc[step][1] << 1; - s12 ^= rc[step][2] << 1; - s13 ^= rc[step][3] << 1; - clyde128_sbox(s10, s11, s12, s13); - - /* Apply the S-box and L-box to bundle 2 */ - clyde128_sbox(s20, s21, s22, s23); - clyde128_lbox(s20, s21); - 
clyde128_lbox(s22, s23); - s20 ^= rc[step][0] << 2; - s21 ^= rc[step][1] << 2; - s22 ^= rc[step][2] << 2; - s23 ^= rc[step][3] << 2; - clyde128_sbox(s20, s21, s22, s23); - - /* Apply the S-box and L-box to bundle 3 */ - clyde128_sbox(s30, s31, s32, s33); - clyde128_lbox(s30, s31); - clyde128_lbox(s32, s33); - s30 ^= rc[step][0] << 3; - s31 ^= rc[step][1] << 3; - s32 ^= rc[step][2] << 3; - s33 ^= rc[step][3] << 3; - clyde128_sbox(s30, s31, s32, s33); - - /* Apply the diffusion layer to the rows of the state */ - #define shadow512_diffusion_layer(row) \ - do { \ - w = s0##row; \ - x = s1##row; \ - y = s2##row; \ - z = s3##row; \ - c = w ^ x; \ - d = y ^ z; \ - s0##row = x ^ d; \ - s1##row = w ^ d; \ - s2##row = c ^ z; \ - s3##row = c ^ y; \ - } while (0) - shadow512_diffusion_layer(0); - shadow512_diffusion_layer(1); - shadow512_diffusion_layer(2); - shadow512_diffusion_layer(3); - - /* Add round constants to all bundles again */ - s00 ^= rc[step][4]; - s01 ^= rc[step][5]; - s02 ^= rc[step][6]; - s03 ^= rc[step][7]; - s10 ^= rc[step][4] << 1; - s11 ^= rc[step][5] << 1; - s12 ^= rc[step][6] << 1; - s13 ^= rc[step][7] << 1; - s20 ^= rc[step][4] << 2; - s21 ^= rc[step][5] << 2; - s22 ^= rc[step][6] << 2; - s23 ^= rc[step][7] << 2; - s30 ^= rc[step][4] << 3; - s31 ^= rc[step][5] << 3; - s32 ^= rc[step][6] << 3; - s33 ^= rc[step][7] << 3; - } - - /* Pack the local variables back into the state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->W[0] = s00; - state->W[1] = s01; - state->W[2] = s02; - state->W[3] = s03; - state->W[4] = s10; - state->W[5] = s11; - state->W[6] = s12; - state->W[7] = s13; - state->W[8] = s20; - state->W[9] = s21; - state->W[10] = s22; - state->W[11] = s23; - state->W[12] = s30; - state->W[13] = s31; - state->W[14] = s32; - state->W[15] = s33; -#else - le_store_word32(state->B, s00); - le_store_word32(state->B + 4, s01); - le_store_word32(state->B + 8, s02); - le_store_word32(state->B + 12, s03); - le_store_word32(state->B + 16, s10); - 
le_store_word32(state->B + 20, s11); - le_store_word32(state->B + 24, s12); - le_store_word32(state->B + 28, s13); - le_store_word32(state->B + 32, s20); - le_store_word32(state->B + 36, s21); - le_store_word32(state->B + 40, s22); - le_store_word32(state->B + 44, s23); - le_store_word32(state->B + 48, s30); - le_store_word32(state->B + 52, s31); - le_store_word32(state->B + 56, s32); - le_store_word32(state->B + 60, s33); -#endif -} - -void shadow384(shadow384_state_t *state) -{ - uint32_t s00, s01, s02, s03; - uint32_t s10, s11, s12, s13; - uint32_t s20, s21, s22, s23; - uint32_t c, d, x, y, z; - int step; - - /* Unpack the state into local variables */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - s00 = state->W[0]; - s01 = state->W[1]; - s02 = state->W[2]; - s03 = state->W[3]; - s10 = state->W[4]; - s11 = state->W[5]; - s12 = state->W[6]; - s13 = state->W[7]; - s20 = state->W[8]; - s21 = state->W[9]; - s22 = state->W[10]; - s23 = state->W[11]; -#else - s00 = le_load_word32(state->B); - s01 = le_load_word32(state->B + 4); - s02 = le_load_word32(state->B + 8); - s03 = le_load_word32(state->B + 12); - s10 = le_load_word32(state->B + 16); - s11 = le_load_word32(state->B + 20); - s12 = le_load_word32(state->B + 24); - s13 = le_load_word32(state->B + 28); - s20 = le_load_word32(state->B + 32); - s21 = le_load_word32(state->B + 36); - s22 = le_load_word32(state->B + 40); - s23 = le_load_word32(state->B + 44); -#endif - - /* Perform all rounds in pairs */ - for (step = 0; step < CLYDE128_STEPS; ++step) { - /* Apply the S-box and L-box to bundle 0 */ - clyde128_sbox(s00, s01, s02, s03); - clyde128_lbox(s00, s01); - clyde128_lbox(s02, s03); - s00 ^= rc[step][0]; - s01 ^= rc[step][1]; - s02 ^= rc[step][2]; - s03 ^= rc[step][3]; - clyde128_sbox(s00, s01, s02, s03); - - /* Apply the S-box and L-box to bundle 1 */ - clyde128_sbox(s10, s11, s12, s13); - clyde128_lbox(s10, s11); - clyde128_lbox(s12, s13); - s10 ^= rc[step][0] << 1; - s11 ^= rc[step][1] << 1; - s12 ^= rc[step][2] << 1; 
- s13 ^= rc[step][3] << 1; - clyde128_sbox(s10, s11, s12, s13); - - /* Apply the S-box and L-box to bundle 2 */ - clyde128_sbox(s20, s21, s22, s23); - clyde128_lbox(s20, s21); - clyde128_lbox(s22, s23); - s20 ^= rc[step][0] << 2; - s21 ^= rc[step][1] << 2; - s22 ^= rc[step][2] << 2; - s23 ^= rc[step][3] << 2; - clyde128_sbox(s20, s21, s22, s23); - - /* Apply the diffusion layer to the rows of the state */ - #define shadow384_diffusion_layer(row) \ - do { \ - x = s0##row; \ - y = s1##row; \ - z = s2##row; \ - s0##row = x ^ y ^ z; \ - s1##row = x ^ z; \ - s2##row = x ^ y; \ - } while (0) - shadow384_diffusion_layer(0); - shadow384_diffusion_layer(1); - shadow384_diffusion_layer(2); - shadow384_diffusion_layer(3); - - /* Add round constants to all bundles again */ - s00 ^= rc[step][4]; - s01 ^= rc[step][5]; - s02 ^= rc[step][6]; - s03 ^= rc[step][7]; - s10 ^= rc[step][4] << 1; - s11 ^= rc[step][5] << 1; - s12 ^= rc[step][6] << 1; - s13 ^= rc[step][7] << 1; - s20 ^= rc[step][4] << 2; - s21 ^= rc[step][5] << 2; - s22 ^= rc[step][6] << 2; - s23 ^= rc[step][7] << 2; - } - - /* Pack the local variables back into the state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->W[0] = s00; - state->W[1] = s01; - state->W[2] = s02; - state->W[3] = s03; - state->W[4] = s10; - state->W[5] = s11; - state->W[6] = s12; - state->W[7] = s13; - state->W[8] = s20; - state->W[9] = s21; - state->W[10] = s22; - state->W[11] = s23; -#else - le_store_word32(state->B, s00); - le_store_word32(state->B + 4, s01); - le_store_word32(state->B + 8, s02); - le_store_word32(state->B + 12, s03); - le_store_word32(state->B + 16, s10); - le_store_word32(state->B + 20, s11); - le_store_word32(state->B + 24, s12); - le_store_word32(state->B + 28, s13); - le_store_word32(state->B + 32, s20); - le_store_word32(state->B + 36, s21); - le_store_word32(state->B + 40, s22); - le_store_word32(state->B + 44, s23); -#endif -} 
diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/internal-spook.h b/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/internal-spook.h deleted file mode 100644 index b08ce80..0000000 --- a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/internal-spook.h +++ /dev/null 
@@ -1,146 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SPOOK_H -#define LW_INTERNAL_SPOOK_H - -#include "internal-util.h" - -/** - * \file internal-spook.h - * \brief Internal implementation details of the Spook AEAD mode. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the block for the Clyde-128 block cipher. - */ -#define CLYDE128_BLOCK_SIZE 16 - -/** - * \brief Size of the key for the Clyde-128 block cipher. - */ -#define CLYDE128_KEY_SIZE 16 - -/** - * \brief Size of the tweak for the Clyde-128 block cipher. - */ -#define CLYDE128_TWEAK_SIZE 16 - -/** - * \brief Size of the state for Shadow-512. - */ -#define SHADOW512_STATE_SIZE 64 - -/** - * \brief Rate to absorb data into or squeeze data out of a Shadow-512 state. - */ -#define SHADOW512_RATE 32 - -/** - * \brief Size of the state for Shadow-384. 
- */ -#define SHADOW384_STATE_SIZE 48 - -/** - * \brief Rate to absorb data into or squeeze data out of a Shadow-384 state. - */ -#define SHADOW384_RATE 16 - -/** - * \brief Internal state of the Shadow-512 permutation. - */ -typedef union -{ - uint32_t W[SHADOW512_STATE_SIZE / 4]; /**< Words of the state */ - uint8_t B[SHADOW512_STATE_SIZE]; /**< Bytes of the state */ - -} shadow512_state_t; - -/** - * \brief Internal state of the Shadow-384 permutation. - */ -typedef union -{ - uint32_t W[SHADOW384_STATE_SIZE / 4]; /**< Words of the state */ - uint8_t B[SHADOW384_STATE_SIZE]; /**< Bytes of the state */ - -} shadow384_state_t; - -/** - * \brief Encrypts a block with the Clyde-128 block cipher. - * - * \param key Points to the key to encrypt with. - * \param tweak Points to the tweak to encrypt with. - * \param output Output buffer for the ciphertext. - * \param input Input buffer for the plaintext. - * - * \sa clyde128_decrypt() - */ -void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE], - const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], - uint32_t output[CLYDE128_BLOCK_SIZE / 4], - const uint32_t input[CLYDE128_BLOCK_SIZE / 4]); - -/** - * \brief Decrypts a block with the Clyde-128 block cipher. - * - * \param key Points to the key to decrypt with. - * \param tweak Points to the tweak to decrypt with. - * \param output Output buffer for the plaintext. - * \param input Input buffer for the ciphertext. - * - * \sa clyde128_encrypt() - */ -void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE], - const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], - uint32_t output[CLYDE128_BLOCK_SIZE / 4], - const unsigned char input[CLYDE128_BLOCK_SIZE]); - -/** - * \brief Performs the Shadow-512 permutation on a state. - * - * \param state The Shadow-512 state which will be in little-endian - * byte order on input and output. - * - * \sa shadow384() - */ -void shadow512(shadow512_state_t *state); - -/** - * \brief Performs the Shadow-384 permutation on a state. 
- * - * \param state The Shadow-384 state which will be in little-endian - * byte order on input and output. - * - * \sa shadow512() - */ -void shadow384(shadow384_state_t *state); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/internal-util.h b/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/spook.c b/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/spook.c
deleted file mode 100644
index d075b33..0000000
--- a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/spook.c
+++ /dev/null
@@ -1,552 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "spook.h"
-#include "internal-spook.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const spook_128_512_su_cipher = {
- "Spook-128-512-su",
- SPOOK_SU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_512_su_aead_encrypt,
- spook_128_512_su_aead_decrypt
-};
-
-aead_cipher_t const spook_128_384_su_cipher = {
- "Spook-128-384-su",
- SPOOK_SU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_384_su_aead_encrypt,
- spook_128_384_su_aead_decrypt
-};
-
-aead_cipher_t const spook_128_512_mu_cipher = {
- "Spook-128-512-mu",
- SPOOK_MU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_512_mu_aead_encrypt,
- spook_128_512_mu_aead_decrypt
-};
-
-aead_cipher_t const spook_128_384_mu_cipher = {
- "Spook-128-384-mu",
- SPOOK_MU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_384_mu_aead_encrypt,
- spook_128_384_mu_aead_decrypt
-};
-
-/**
- * \brief Initializes the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param k Points to the key.
- * \param klen Length of the key in bytes, either 16 or 32.
- * \param npub Public nonce for the state.
- */
-static void spook_128_512_init
- (shadow512_state_t *state,
- const unsigned char *k, unsigned klen,
- const unsigned char *npub)
-{
- memset(state->B, 0, SHADOW512_STATE_SIZE);
- if (klen == SPOOK_MU_KEY_SIZE) {
- /* The public tweak is 126 bits in size followed by a 1 bit */
- memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE);
- state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F;
- state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40;
- }
- memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE);
- clyde128_encrypt(k, state->W, state->W + 12, state->W + 4);
- shadow512(state);
-}
-
-/**
- * \brief Initializes the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param k Points to the key.
- * \param klen Length of the key in bytes, either 16 or 32.
- * \param npub Public nonce for the state.
- */
-static void spook_128_384_init
- (shadow384_state_t *state,
- const unsigned char *k, unsigned klen,
- const unsigned char *npub)
-{
- memset(state->B, 0, SHADOW384_STATE_SIZE);
- if (klen == SPOOK_MU_KEY_SIZE) {
- /* The public tweak is 126 bits in size followed by a 1 bit */
- memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE);
- state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F;
- state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40;
- }
- memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE);
- clyde128_encrypt(k, state->W, state->W + 8, state->W + 4);
- shadow384(state);
-}
-
-/**
- * \brief Absorbs associated data into the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes, must be non-zero.
- */
-static void spook_128_512_absorb
- (shadow512_state_t *state,
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen >= SHADOW512_RATE) {
- lw_xor_block(state->B, ad, SHADOW512_RATE);
- shadow512(state);
- ad += SHADOW512_RATE;
- adlen -= SHADOW512_RATE;
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(state->B, ad, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW512_RATE] ^= 0x02;
- shadow512(state);
- }
-}
-
-/**
- * \brief Absorbs associated data into the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes, must be non-zero.
- */
-static void spook_128_384_absorb
- (shadow384_state_t *state,
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen >= SHADOW384_RATE) {
- lw_xor_block(state->B, ad, SHADOW384_RATE);
- shadow384(state);
- ad += SHADOW384_RATE;
- adlen -= SHADOW384_RATE;
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(state->B, ad, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW384_RATE] ^= 0x02;
- shadow384(state);
- }
-}
-
-/**
- * \brief Encrypts the plaintext with the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param c Points to the ciphertext output buffer.
- * \param m Points to the plaintext input buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void spook_128_512_encrypt
- (shadow512_state_t *state, unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- state->B[SHADOW512_RATE] ^= 0x01;
- while (mlen >= SHADOW512_RATE) {
- lw_xor_block_2_dest(c, state->B, m, SHADOW512_RATE);
- shadow512(state);
- c += SHADOW512_RATE;
- m += SHADOW512_RATE;
- mlen -= SHADOW512_RATE;
- }
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_dest(c, state->B, m, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW512_RATE] ^= 0x02;
- shadow512(state);
- }
-}
-
-/**
- * \brief Encrypts the plaintext with the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param c Points to the ciphertext output buffer.
- * \param m Points to the plaintext input buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void spook_128_384_encrypt
- (shadow384_state_t *state, unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- state->B[SHADOW384_RATE] ^= 0x01;
- while (mlen >= SHADOW384_RATE) {
- lw_xor_block_2_dest(c, state->B, m, SHADOW384_RATE);
- shadow384(state);
- c += SHADOW384_RATE;
- m += SHADOW384_RATE;
- mlen -= SHADOW384_RATE;
- }
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_dest(c, state->B, m, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW384_RATE] ^= 0x02;
- shadow384(state);
- }
-}
-
-/**
- * \brief Decrypts the ciphertext with the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param m Points to the plaintext output buffer.
- * \param c Points to the ciphertext input buffer.
- * \param clen Number of bytes of ciphertext to be decrypted.
- */
-static void spook_128_512_decrypt
- (shadow512_state_t *state, unsigned char *m,
- const unsigned char *c, unsigned long long clen)
-{
- state->B[SHADOW512_RATE] ^= 0x01;
- while (clen >= SHADOW512_RATE) {
- lw_xor_block_swap(m, state->B, c, SHADOW512_RATE);
- shadow512(state);
- c += SHADOW512_RATE;
- m += SHADOW512_RATE;
- clen -= SHADOW512_RATE;
- }
- if (clen > 0) {
- unsigned temp = (unsigned)clen;
- lw_xor_block_swap(m, state->B, c, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW512_RATE] ^= 0x02;
- shadow512(state);
- }
-}
-
-/**
- * \brief Decrypts the ciphertext with the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param m Points to the plaintext output buffer.
- * \param c Points to the ciphertext input buffer.
- * \param clen Number of bytes of ciphertext to be decrypted.
- */
-static void spook_128_384_decrypt
- (shadow384_state_t *state, unsigned char *m,
- const unsigned char *c, unsigned long long clen)
-{
- state->B[SHADOW384_RATE] ^= 0x01;
- while (clen >= SHADOW384_RATE) {
- lw_xor_block_swap(m, state->B, c, SHADOW384_RATE);
- shadow384(state);
- c += SHADOW384_RATE;
- m += SHADOW384_RATE;
- clen -= SHADOW384_RATE;
- }
- if (clen > 0) {
- unsigned temp = (unsigned)clen;
- lw_xor_block_swap(m, state->B, c, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW384_RATE] ^= 0x02;
- shadow384(state);
- }
-}
-
-int spook_128_512_su_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_512_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_512_su_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_512_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
-
-int spook_128_384_su_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_384_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_384_su_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_384_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
-
-int spook_128_512_mu_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_512_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_512_mu_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_512_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
-
-int spook_128_384_mu_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_384_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_384_mu_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_384_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/spook.h b/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/spook.h
deleted file mode 100644
index 68b6a25..0000000
--- a/spook/Implementations/crypto_aead/spook128mu384v1/rhys-avr/spook.h
+++ /dev/null
@@ -1,344 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SPOOK_H -#define LWCRYPTO_SPOOK_H - -#include "aead-common.h" - -/** - * \file spook.h - * \brief Spook authenticated encryption algorithm. - * - * Spook is a family of authenticated encryption algorithms that are - * built around a tweakable block cipher and a permutation. If the - * tweakable block cipher is implemented as a masked block cipher, - * then Spook provides protection against power analysis side channels. - * - * There are four members in the Spook family: - * - * \li Spook-128-512-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. - * Internally the algorithm uses a 512-bit permutation. This is the primary - * member of the family. - * \li Spook-128-384-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. - * Internally the algorithm uses a 384-bit permutation. 
- * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit - * nonce, and a 128-bit tag. Internally the algorithm uses a 512-bit - * permutation. - * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit - * nonce, and a 128-bit tag. Internally the algorithm uses a 384-bit - * permutation. - * - * In this library, the "mu" (multi-user) variants combine the 128-bit key - * and the 128-bit public tweak into a single 256-bit key value. - * Applications can either view this as a cipher with a 256-bit key, - * or they can split the key value into secret and public halves. - * Even with the use of 256-bit keys, Spook only has 128-bit security. - * - * References: https://www.spook.dev/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for the single-user version of Spook. - */ -#define SPOOK_SU_KEY_SIZE 16 - -/** - * \brief Size of the key for the multi-user version of Spook. - */ -#define SPOOK_MU_KEY_SIZE 32 - -/** - * \brief Size of the authentication tag for all Spook family members. - */ -#define SPOOK_TAG_SIZE 16 - -/** - * \brief Size of the nonce for all Spook family members. - */ -#define SPOOK_NONCE_SIZE 16 - -/** - * \brief Meta-information block for the Spook-128-512-su cipher. - */ -extern aead_cipher_t const spook_128_512_su_cipher; - -/** - * \brief Meta-information block for the Spook-128-384-su cipher. - */ -extern aead_cipher_t const spook_128_384_su_cipher; - -/** - * \brief Meta-information block for the Spook-128-512-mu cipher. - */ -extern aead_cipher_t const spook_128_512_mu_cipher; - -/** - * \brief Meta-information block for the Spook-128-384-mu cipher. - */ -extern aead_cipher_t const spook_128_384_mu_cipher; - -/** - * \brief Encrypts and authenticates a packet with Spook-128-512-su. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. 
- * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa spook_128_512_su_aead_decrypt() - */ -int spook_128_512_su_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-512-su. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa spook_128_512_su_aead_encrypt() - */ -int spook_128_512_su_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Spook-128-384-su. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa spook_128_384_su_aead_decrypt() - */ -int spook_128_384_su_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-384-su. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. 
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa spook_128_384_su_aead_encrypt()
- */
-int spook_128_384_su_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Spook-128-512-mu.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 32 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa spook_128_512_mu_aead_decrypt()
- */
-int spook_128_512_mu_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Spook-128-512-mu.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 32 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa spook_128_512_mu_aead_encrypt()
- */
-int spook_128_512_mu_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Encrypts and authenticates a packet with Spook-128-384-mu.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 32 bytes of the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- *
- * \sa spook_128_384_mu_aead_decrypt()
- */
-int spook_128_384_mu_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with Spook-128-384-mu.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 32 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa spook_128_384_mu_aead_encrypt()
- */
-int spook_128_384_mu_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-util.h b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-util.h
+++ b/spook/Implementations/crypto_aead/spook128mu384v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
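Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is fixed to `__AVR__` with no override, so the composed macro set introduced in the later hunk cannot be compiled on a host toolchain for testing, nor enabled for another target without a barrel shifter, without editing this header. Wrapping the selection as `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … existing `#if defined(__AVR__)` block … `#endif` keeps the AVR default and lets a build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1`; since the `#if !LW_CRYPTO_ROTATE32_COMPOSED` test in the next hunk needs a numeric value, the comment should state that an override must be `0` or `1`, not merely defined.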
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/aead-common.c b/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
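Review bot: The composed `leftRotateN`/`rightRotateN` definitions are hand-expanded and nothing ties them back to the generic `leftRotate`/`rightRotate` forms, so a wrong nesting depth in one of the deeper expansions (`leftRotate12`, `leftRotate20`) would change AVR output only, where it is least likely to be noticed. I checked each expansion's arithmetic (8−3, 16+4, 24−1, and `rightRotateN` as `leftRotate(32−N)`) and it is consistent, but a host-side test that includes this header with `LW_CRYPTO_ROTATE32_COMPOSED` forced to 1 and asserts `leftRotateN(x) == leftRotate(x, N)` for every N over a few 32-bit values would make that durable. If the generic macro declares its `_temp` inside a statement expression, as the context line in the previous hunk suggests, each nested expansion shadows `_temp` — legal, but it will trip `-Wshadow`; a sentence on that in the `/* Composed rotation macros ... */` comment would save the next reader a detour. All shift counts stay compile-time constants, so the composed path adds no data-dependent timing relative to the generic one.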
--- a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/aead-common.h b/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/api.h b/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/api.h
deleted file mode 100644
index fb1dab8..0000000
--- a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 32
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/encrypt.c b/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/encrypt.c
deleted file mode 100644
index 52c6ec8..0000000
--- a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "spook.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return spook_128_512_mu_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return spook_128_512_mu_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/internal-spook.c b/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/internal-spook.c
deleted file mode 100644
index 0e19216..0000000
--- a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/internal-spook.c
+++ /dev/null
@@ -1,557 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-spook.h" - -/** - * \brief Number of steps in the Clyde-128 block cipher. - * - * This is also the number of steps in the Shadow-512 and Shadow-384 - * permutations. - */ -#define CLYDE128_STEPS 6 - -/** - * \brief Round constants for the steps of Clyde-128. 
- */ -static uint8_t const rc[CLYDE128_STEPS][8] = { - {1, 0, 0, 0, 0, 1, 0, 0}, - {0, 0, 1, 0, 0, 0, 0, 1}, - {1, 1, 0, 0, 0, 1, 1, 0}, - {0, 0, 1, 1, 1, 1, 0, 1}, - {1, 0, 1, 0, 0, 1, 0, 1}, - {1, 1, 1, 0, 0, 1, 1, 1} -}; - -void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE], - const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], - uint32_t output[CLYDE128_BLOCK_SIZE / 4], - const uint32_t input[CLYDE128_BLOCK_SIZE / 4]) -{ - uint32_t k0, k1, k2, k3; - uint32_t t0, t1, t2, t3; - uint32_t s0, s1, s2, s3; - uint32_t c, d; - int step; - - /* Unpack the key, tweak, and state */ - k0 = le_load_word32(key); - k1 = le_load_word32(key + 4); - k2 = le_load_word32(key + 8); - k3 = le_load_word32(key + 12); -#if defined(LW_UTIL_LITTLE_ENDIAN) - t0 = tweak[0]; - t1 = tweak[1]; - t2 = tweak[2]; - t3 = tweak[3]; - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; -#else - t0 = le_load_word32((const unsigned char *)&(tweak[0])); - t1 = le_load_word32((const unsigned char *)&(tweak[1])); - t2 = le_load_word32((const unsigned char *)&(tweak[2])); - t3 = le_load_word32((const unsigned char *)&(tweak[3])); - s0 = le_load_word32((const unsigned char *)&(input[0])); - s1 = le_load_word32((const unsigned char *)&(input[1])); - s2 = le_load_word32((const unsigned char *)&(input[2])); - s3 = le_load_word32((const unsigned char *)&(input[3])); -#endif - - /* Add the initial tweakey to the state */ - s0 ^= k0 ^ t0; - s1 ^= k1 ^ t1; - s2 ^= k2 ^ t2; - s3 ^= k3 ^ t3; - - /* Perform all rounds in pairs */ - for (step = 0; step < CLYDE128_STEPS; ++step) { - /* Perform the two rounds of this step */ - #define clyde128_sbox(s0, s1, s2, s3) \ - do { \ - c = (s0 & s1) ^ s2; \ - d = (s3 & s0) ^ s1; \ - s2 = (c & d) ^ s3; \ - s3 = (c & s3) ^ s0; \ - s0 = d; \ - s1 = c; \ - } while (0) - #define clyde128_lbox(x, y) \ - do { \ - c = x ^ rightRotate12(x); \ - d = y ^ rightRotate12(y); \ - c ^= rightRotate3(c); \ - d ^= rightRotate3(d); \ - x = c ^ leftRotate15(x); \ - y = d ^ 
leftRotate15(y); \ - c = x ^ leftRotate1(x); \ - d = y ^ leftRotate1(y); \ - x ^= leftRotate6(d); \ - y ^= leftRotate7(c); \ - x ^= rightRotate15(c); \ - y ^= rightRotate15(d); \ - } while (0) - clyde128_sbox(s0, s1, s2, s3); - clyde128_lbox(s0, s1); - clyde128_lbox(s2, s3); - s0 ^= rc[step][0]; - s1 ^= rc[step][1]; - s2 ^= rc[step][2]; - s3 ^= rc[step][3]; - clyde128_sbox(s0, s1, s2, s3); - clyde128_lbox(s0, s1); - clyde128_lbox(s2, s3); - s0 ^= rc[step][4]; - s1 ^= rc[step][5]; - s2 ^= rc[step][6]; - s3 ^= rc[step][7]; - - /* Update the tweakey on the fly and add it to the state */ - c = t2 ^ t0; - d = t3 ^ t1; - t2 = t0; - t3 = t1; - t0 = c; - t1 = d; - s0 ^= k0 ^ t0; - s1 ^= k1 ^ t1; - s2 ^= k2 ^ t2; - s3 ^= k3 ^ t3; - } - - /* Pack the state into the output buffer */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -#else - le_store_word32((unsigned char *)&(output[0]), s0); - le_store_word32((unsigned char *)&(output[1]), s1); - le_store_word32((unsigned char *)&(output[2]), s2); - le_store_word32((unsigned char *)&(output[3]), s3); -#endif -} - -void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE], - const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], - uint32_t output[CLYDE128_BLOCK_SIZE / 4], - const unsigned char input[CLYDE128_BLOCK_SIZE]) -{ - uint32_t k0, k1, k2, k3; - uint32_t t0, t1, t2, t3; - uint32_t s0, s1, s2, s3; - uint32_t a, b, d; - int step; - - /* Unpack the key, tweak, and state */ - k0 = le_load_word32(key); - k1 = le_load_word32(key + 4); - k2 = le_load_word32(key + 8); - k3 = le_load_word32(key + 12); -#if defined(LW_UTIL_LITTLE_ENDIAN) - t0 = tweak[0]; - t1 = tweak[1]; - t2 = tweak[2]; - t3 = tweak[3]; -#else - t0 = le_load_word32((const unsigned char *)&(tweak[0])); - t1 = le_load_word32((const unsigned char *)&(tweak[1])); - t2 = le_load_word32((const unsigned char *)&(tweak[2])); - t3 = le_load_word32((const unsigned char *)&(tweak[3])); -#endif - s0 = 
le_load_word32(input); - s1 = le_load_word32(input + 4); - s2 = le_load_word32(input + 8); - s3 = le_load_word32(input + 12); - - /* Perform all rounds in pairs */ - for (step = CLYDE128_STEPS - 1; step >= 0; --step) { - /* Add the tweakey to the state and update the tweakey */ - s0 ^= k0 ^ t0; - s1 ^= k1 ^ t1; - s2 ^= k2 ^ t2; - s3 ^= k3 ^ t3; - a = t2 ^ t0; - b = t3 ^ t1; - t0 = t2; - t1 = t3; - t2 = a; - t3 = b; - - /* Perform the two rounds of this step */ - #define clyde128_inv_sbox(s0, s1, s2, s3) \ - do { \ - d = (s0 & s1) ^ s2; \ - a = (s1 & d) ^ s3; \ - b = (d & a) ^ s0; \ - s2 = (a & b) ^ s1; \ - s0 = a; \ - s1 = b; \ - s3 = d; \ - } while (0) - #define clyde128_inv_lbox(x, y) \ - do { \ - a = x ^ leftRotate7(x); \ - b = y ^ leftRotate7(y); \ - x ^= leftRotate1(a); \ - y ^= leftRotate1(b); \ - x ^= leftRotate12(a); \ - y ^= leftRotate12(b); \ - a = x ^ leftRotate1(x); \ - b = y ^ leftRotate1(y); \ - x ^= leftRotate6(b); \ - y ^= leftRotate7(a); \ - a ^= leftRotate15(x); \ - b ^= leftRotate15(y); \ - x = rightRotate16(a); \ - y = rightRotate16(b); \ - } while (0) - s0 ^= rc[step][4]; - s1 ^= rc[step][5]; - s2 ^= rc[step][6]; - s3 ^= rc[step][7]; - clyde128_inv_lbox(s0, s1); - clyde128_inv_lbox(s2, s3); - clyde128_inv_sbox(s0, s1, s2, s3); - s0 ^= rc[step][0]; - s1 ^= rc[step][1]; - s2 ^= rc[step][2]; - s3 ^= rc[step][3]; - clyde128_inv_lbox(s0, s1); - clyde128_inv_lbox(s2, s3); - clyde128_inv_sbox(s0, s1, s2, s3); - } - - /* Add the tweakey to the state one last time */ - s0 ^= k0 ^ t0; - s1 ^= k1 ^ t1; - s2 ^= k2 ^ t2; - s3 ^= k3 ^ t3; - - /* Pack the state into the output buffer */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -#else - le_store_word32((unsigned char *)&(output[0]), s0); - le_store_word32((unsigned char *)&(output[1]), s1); - le_store_word32((unsigned char *)&(output[2]), s2); - le_store_word32((unsigned char *)&(output[3]), s3); -#endif -} - -void shadow512(shadow512_state_t 
*state) -{ - uint32_t s00, s01, s02, s03; - uint32_t s10, s11, s12, s13; - uint32_t s20, s21, s22, s23; - uint32_t s30, s31, s32, s33; - uint32_t c, d, w, x, y, z; - int step; - - /* Unpack the state into local variables */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - s00 = state->W[0]; - s01 = state->W[1]; - s02 = state->W[2]; - s03 = state->W[3]; - s10 = state->W[4]; - s11 = state->W[5]; - s12 = state->W[6]; - s13 = state->W[7]; - s20 = state->W[8]; - s21 = state->W[9]; - s22 = state->W[10]; - s23 = state->W[11]; - s30 = state->W[12]; - s31 = state->W[13]; - s32 = state->W[14]; - s33 = state->W[15]; -#else - s00 = le_load_word32(state->B); - s01 = le_load_word32(state->B + 4); - s02 = le_load_word32(state->B + 8); - s03 = le_load_word32(state->B + 12); - s10 = le_load_word32(state->B + 16); - s11 = le_load_word32(state->B + 20); - s12 = le_load_word32(state->B + 24); - s13 = le_load_word32(state->B + 28); - s20 = le_load_word32(state->B + 32); - s21 = le_load_word32(state->B + 36); - s22 = le_load_word32(state->B + 40); - s23 = le_load_word32(state->B + 44); - s30 = le_load_word32(state->B + 48); - s31 = le_load_word32(state->B + 52); - s32 = le_load_word32(state->B + 56); - s33 = le_load_word32(state->B + 60); -#endif - - /* Perform all rounds in pairs */ - for (step = 0; step < CLYDE128_STEPS; ++step) { - /* Apply the S-box and L-box to bundle 0 */ - clyde128_sbox(s00, s01, s02, s03); - clyde128_lbox(s00, s01); - clyde128_lbox(s02, s03); - s00 ^= rc[step][0]; - s01 ^= rc[step][1]; - s02 ^= rc[step][2]; - s03 ^= rc[step][3]; - clyde128_sbox(s00, s01, s02, s03); - - /* Apply the S-box and L-box to bundle 1 */ - clyde128_sbox(s10, s11, s12, s13); - clyde128_lbox(s10, s11); - clyde128_lbox(s12, s13); - s10 ^= rc[step][0] << 1; - s11 ^= rc[step][1] << 1; - s12 ^= rc[step][2] << 1; - s13 ^= rc[step][3] << 1; - clyde128_sbox(s10, s11, s12, s13); - - /* Apply the S-box and L-box to bundle 2 */ - clyde128_sbox(s20, s21, s22, s23); - clyde128_lbox(s20, s21); - 
clyde128_lbox(s22, s23); - s20 ^= rc[step][0] << 2; - s21 ^= rc[step][1] << 2; - s22 ^= rc[step][2] << 2; - s23 ^= rc[step][3] << 2; - clyde128_sbox(s20, s21, s22, s23); - - /* Apply the S-box and L-box to bundle 3 */ - clyde128_sbox(s30, s31, s32, s33); - clyde128_lbox(s30, s31); - clyde128_lbox(s32, s33); - s30 ^= rc[step][0] << 3; - s31 ^= rc[step][1] << 3; - s32 ^= rc[step][2] << 3; - s33 ^= rc[step][3] << 3; - clyde128_sbox(s30, s31, s32, s33); - - /* Apply the diffusion layer to the rows of the state */ - #define shadow512_diffusion_layer(row) \ - do { \ - w = s0##row; \ - x = s1##row; \ - y = s2##row; \ - z = s3##row; \ - c = w ^ x; \ - d = y ^ z; \ - s0##row = x ^ d; \ - s1##row = w ^ d; \ - s2##row = c ^ z; \ - s3##row = c ^ y; \ - } while (0) - shadow512_diffusion_layer(0); - shadow512_diffusion_layer(1); - shadow512_diffusion_layer(2); - shadow512_diffusion_layer(3); - - /* Add round constants to all bundles again */ - s00 ^= rc[step][4]; - s01 ^= rc[step][5]; - s02 ^= rc[step][6]; - s03 ^= rc[step][7]; - s10 ^= rc[step][4] << 1; - s11 ^= rc[step][5] << 1; - s12 ^= rc[step][6] << 1; - s13 ^= rc[step][7] << 1; - s20 ^= rc[step][4] << 2; - s21 ^= rc[step][5] << 2; - s22 ^= rc[step][6] << 2; - s23 ^= rc[step][7] << 2; - s30 ^= rc[step][4] << 3; - s31 ^= rc[step][5] << 3; - s32 ^= rc[step][6] << 3; - s33 ^= rc[step][7] << 3; - } - - /* Pack the local variables back into the state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->W[0] = s00; - state->W[1] = s01; - state->W[2] = s02; - state->W[3] = s03; - state->W[4] = s10; - state->W[5] = s11; - state->W[6] = s12; - state->W[7] = s13; - state->W[8] = s20; - state->W[9] = s21; - state->W[10] = s22; - state->W[11] = s23; - state->W[12] = s30; - state->W[13] = s31; - state->W[14] = s32; - state->W[15] = s33; -#else - le_store_word32(state->B, s00); - le_store_word32(state->B + 4, s01); - le_store_word32(state->B + 8, s02); - le_store_word32(state->B + 12, s03); - le_store_word32(state->B + 16, s10); - 
le_store_word32(state->B + 20, s11); - le_store_word32(state->B + 24, s12); - le_store_word32(state->B + 28, s13); - le_store_word32(state->B + 32, s20); - le_store_word32(state->B + 36, s21); - le_store_word32(state->B + 40, s22); - le_store_word32(state->B + 44, s23); - le_store_word32(state->B + 48, s30); - le_store_word32(state->B + 52, s31); - le_store_word32(state->B + 56, s32); - le_store_word32(state->B + 60, s33); -#endif -} - -void shadow384(shadow384_state_t *state) -{ - uint32_t s00, s01, s02, s03; - uint32_t s10, s11, s12, s13; - uint32_t s20, s21, s22, s23; - uint32_t c, d, x, y, z; - int step; - - /* Unpack the state into local variables */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - s00 = state->W[0]; - s01 = state->W[1]; - s02 = state->W[2]; - s03 = state->W[3]; - s10 = state->W[4]; - s11 = state->W[5]; - s12 = state->W[6]; - s13 = state->W[7]; - s20 = state->W[8]; - s21 = state->W[9]; - s22 = state->W[10]; - s23 = state->W[11]; -#else - s00 = le_load_word32(state->B); - s01 = le_load_word32(state->B + 4); - s02 = le_load_word32(state->B + 8); - s03 = le_load_word32(state->B + 12); - s10 = le_load_word32(state->B + 16); - s11 = le_load_word32(state->B + 20); - s12 = le_load_word32(state->B + 24); - s13 = le_load_word32(state->B + 28); - s20 = le_load_word32(state->B + 32); - s21 = le_load_word32(state->B + 36); - s22 = le_load_word32(state->B + 40); - s23 = le_load_word32(state->B + 44); -#endif - - /* Perform all rounds in pairs */ - for (step = 0; step < CLYDE128_STEPS; ++step) { - /* Apply the S-box and L-box to bundle 0 */ - clyde128_sbox(s00, s01, s02, s03); - clyde128_lbox(s00, s01); - clyde128_lbox(s02, s03); - s00 ^= rc[step][0]; - s01 ^= rc[step][1]; - s02 ^= rc[step][2]; - s03 ^= rc[step][3]; - clyde128_sbox(s00, s01, s02, s03); - - /* Apply the S-box and L-box to bundle 1 */ - clyde128_sbox(s10, s11, s12, s13); - clyde128_lbox(s10, s11); - clyde128_lbox(s12, s13); - s10 ^= rc[step][0] << 1; - s11 ^= rc[step][1] << 1; - s12 ^= rc[step][2] << 1; 
- s13 ^= rc[step][3] << 1; - clyde128_sbox(s10, s11, s12, s13); - - /* Apply the S-box and L-box to bundle 2 */ - clyde128_sbox(s20, s21, s22, s23); - clyde128_lbox(s20, s21); - clyde128_lbox(s22, s23); - s20 ^= rc[step][0] << 2; - s21 ^= rc[step][1] << 2; - s22 ^= rc[step][2] << 2; - s23 ^= rc[step][3] << 2; - clyde128_sbox(s20, s21, s22, s23); - - /* Apply the diffusion layer to the rows of the state */ - #define shadow384_diffusion_layer(row) \ - do { \ - x = s0##row; \ - y = s1##row; \ - z = s2##row; \ - s0##row = x ^ y ^ z; \ - s1##row = x ^ z; \ - s2##row = x ^ y; \ - } while (0) - shadow384_diffusion_layer(0); - shadow384_diffusion_layer(1); - shadow384_diffusion_layer(2); - shadow384_diffusion_layer(3); - - /* Add round constants to all bundles again */ - s00 ^= rc[step][4]; - s01 ^= rc[step][5]; - s02 ^= rc[step][6]; - s03 ^= rc[step][7]; - s10 ^= rc[step][4] << 1; - s11 ^= rc[step][5] << 1; - s12 ^= rc[step][6] << 1; - s13 ^= rc[step][7] << 1; - s20 ^= rc[step][4] << 2; - s21 ^= rc[step][5] << 2; - s22 ^= rc[step][6] << 2; - s23 ^= rc[step][7] << 2; - } - - /* Pack the local variables back into the state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->W[0] = s00; - state->W[1] = s01; - state->W[2] = s02; - state->W[3] = s03; - state->W[4] = s10; - state->W[5] = s11; - state->W[6] = s12; - state->W[7] = s13; - state->W[8] = s20; - state->W[9] = s21; - state->W[10] = s22; - state->W[11] = s23; -#else - le_store_word32(state->B, s00); - le_store_word32(state->B + 4, s01); - le_store_word32(state->B + 8, s02); - le_store_word32(state->B + 12, s03); - le_store_word32(state->B + 16, s10); - le_store_word32(state->B + 20, s11); - le_store_word32(state->B + 24, s12); - le_store_word32(state->B + 28, s13); - le_store_word32(state->B + 32, s20); - le_store_word32(state->B + 36, s21); - le_store_word32(state->B + 40, s22); - le_store_word32(state->B + 44, s23); -#endif -} 
diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/internal-spook.h b/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/internal-spook.h
deleted file mode 100644
index b08ce80..0000000
--- a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/internal-spook.h
+++ /dev/null
@@ -1,146 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_SPOOK_H -#define LW_INTERNAL_SPOOK_H - -#include "internal-util.h" - -/** - * \file internal-spook.h - * \brief Internal implementation details of the Spook AEAD mode. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the block for the Clyde-128 block cipher. - */ -#define CLYDE128_BLOCK_SIZE 16 - -/** - * \brief Size of the key for the Clyde-128 block cipher. - */ -#define CLYDE128_KEY_SIZE 16 - -/** - * \brief Size of the tweak for the Clyde-128 block cipher. - */ -#define CLYDE128_TWEAK_SIZE 16 - -/** - * \brief Size of the state for Shadow-512. - */ -#define SHADOW512_STATE_SIZE 64 - -/** - * \brief Rate to absorb data into or squeeze data out of a Shadow-512 state. - */ -#define SHADOW512_RATE 32 - -/** - * \brief Size of the state for Shadow-384. 
- */ -#define SHADOW384_STATE_SIZE 48 - -/** - * \brief Rate to absorb data into or squeeze data out of a Shadow-384 state. - */ -#define SHADOW384_RATE 16 - -/** - * \brief Internal state of the Shadow-512 permutation. - */ -typedef union -{ - uint32_t W[SHADOW512_STATE_SIZE / 4]; /**< Words of the state */ - uint8_t B[SHADOW512_STATE_SIZE]; /**< Bytes of the state */ - -} shadow512_state_t; - -/** - * \brief Internal state of the Shadow-384 permutation. - */ -typedef union -{ - uint32_t W[SHADOW384_STATE_SIZE / 4]; /**< Words of the state */ - uint8_t B[SHADOW384_STATE_SIZE]; /**< Bytes of the state */ - -} shadow384_state_t; - -/** - * \brief Encrypts a block with the Clyde-128 block cipher. - * - * \param key Points to the key to encrypt with. - * \param tweak Points to the tweak to encrypt with. - * \param output Output buffer for the ciphertext. - * \param input Input buffer for the plaintext. - * - * \sa clyde128_decrypt() - */ -void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE], - const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], - uint32_t output[CLYDE128_BLOCK_SIZE / 4], - const uint32_t input[CLYDE128_BLOCK_SIZE / 4]); - -/** - * \brief Decrypts a block with the Clyde-128 block cipher. - * - * \param key Points to the key to decrypt with. - * \param tweak Points to the tweak to decrypt with. - * \param output Output buffer for the plaintext. - * \param input Input buffer for the ciphertext. - * - * \sa clyde128_encrypt() - */ -void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE], - const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4], - uint32_t output[CLYDE128_BLOCK_SIZE / 4], - const unsigned char input[CLYDE128_BLOCK_SIZE]); - -/** - * \brief Performs the Shadow-512 permutation on a state. - * - * \param state The Shadow-512 state which will be in little-endian - * byte order on input and output. - * - * \sa shadow384() - */ -void shadow512(shadow512_state_t *state); - -/** - * \brief Performs the Shadow-384 permutation on a state. 
- *
- * \param state The Shadow-384 state which will be in little-endian
- * byte order on input and output.
- *
- * \sa shadow512()
- */
-void shadow384(shadow384_state_t *state);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/internal-util.h b/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/spook.c b/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/spook.c
deleted file mode 100644
index d075b33..0000000
--- a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/spook.c
+++ /dev/null
@@ -1,552 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "spook.h"
-#include "internal-spook.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const spook_128_512_su_cipher = {
- "Spook-128-512-su",
- SPOOK_SU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_512_su_aead_encrypt,
- spook_128_512_su_aead_decrypt
-};
-
-aead_cipher_t const spook_128_384_su_cipher = {
- "Spook-128-384-su",
- SPOOK_SU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_384_su_aead_encrypt,
- spook_128_384_su_aead_decrypt
-};
-
-aead_cipher_t const spook_128_512_mu_cipher = {
- "Spook-128-512-mu",
- SPOOK_MU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_512_mu_aead_encrypt,
- spook_128_512_mu_aead_decrypt
-};
-
-aead_cipher_t const spook_128_384_mu_cipher = {
- "Spook-128-384-mu",
- SPOOK_MU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_384_mu_aead_encrypt,
- spook_128_384_mu_aead_decrypt
-};
-
-/**
- * \brief Initializes the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param k Points to the key.
- * \param klen Length of the key in bytes, either 16 or 32.
- * \param npub Public nonce for the state.
- */
-static void spook_128_512_init
- (shadow512_state_t *state,
- const unsigned char *k, unsigned klen,
- const unsigned char *npub)
-{
- memset(state->B, 0, SHADOW512_STATE_SIZE);
- if (klen == SPOOK_MU_KEY_SIZE) {
- /* The public tweak is 126 bits in size followed by a 1 bit */
- memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE);
- state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F;
- state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40;
- }
- memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE);
- clyde128_encrypt(k, state->W, state->W + 12, state->W + 4);
- shadow512(state);
-}
-
-/**
- * \brief Initializes the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param k Points to the key.
- * \param klen Length of the key in bytes, either 16 or 32.
- * \param npub Public nonce for the state.
- */
-static void spook_128_384_init
- (shadow384_state_t *state,
- const unsigned char *k, unsigned klen,
- const unsigned char *npub)
-{
- memset(state->B, 0, SHADOW384_STATE_SIZE);
- if (klen == SPOOK_MU_KEY_SIZE) {
- /* The public tweak is 126 bits in size followed by a 1 bit */
- memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE);
- state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F;
- state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40;
- }
- memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE);
- clyde128_encrypt(k, state->W, state->W + 8, state->W + 4);
- shadow384(state);
-}
-
-/**
- * \brief Absorbs associated data into the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes, must be non-zero.
- */
-static void spook_128_512_absorb
- (shadow512_state_t *state,
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen >= SHADOW512_RATE) {
- lw_xor_block(state->B, ad, SHADOW512_RATE);
- shadow512(state);
- ad += SHADOW512_RATE;
- adlen -= SHADOW512_RATE;
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(state->B, ad, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW512_RATE] ^= 0x02;
- shadow512(state);
- }
-}
-
-/**
- * \brief Absorbs associated data into the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes, must be non-zero.
- */
-static void spook_128_384_absorb
- (shadow384_state_t *state,
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen >= SHADOW384_RATE) {
- lw_xor_block(state->B, ad, SHADOW384_RATE);
- shadow384(state);
- ad += SHADOW384_RATE;
- adlen -= SHADOW384_RATE;
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(state->B, ad, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW384_RATE] ^= 0x02;
- shadow384(state);
- }
-}
-
-/**
- * \brief Encrypts the plaintext with the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param c Points to the ciphertext output buffer.
- * \param m Points to the plaintext input buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void spook_128_512_encrypt
- (shadow512_state_t *state, unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- state->B[SHADOW512_RATE] ^= 0x01;
- while (mlen >= SHADOW512_RATE) {
- lw_xor_block_2_dest(c, state->B, m, SHADOW512_RATE);
- shadow512(state);
- c += SHADOW512_RATE;
- m += SHADOW512_RATE;
- mlen -= SHADOW512_RATE;
- }
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_dest(c, state->B, m, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW512_RATE] ^= 0x02;
- shadow512(state);
- }
-}
-
-/**
- * \brief Encrypts the plaintext with the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param c Points to the ciphertext output buffer.
- * \param m Points to the plaintext input buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void spook_128_384_encrypt
- (shadow384_state_t *state, unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- state->B[SHADOW384_RATE] ^= 0x01;
- while (mlen >= SHADOW384_RATE) {
- lw_xor_block_2_dest(c, state->B, m, SHADOW384_RATE);
- shadow384(state);
- c += SHADOW384_RATE;
- m += SHADOW384_RATE;
- mlen -= SHADOW384_RATE;
- }
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_dest(c, state->B, m, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW384_RATE] ^= 0x02;
- shadow384(state);
- }
-}
-
-/**
- * \brief Decrypts the ciphertext with the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param m Points to the plaintext output buffer.
- * \param c Points to the ciphertext input buffer.
- * \param clen Number of bytes of ciphertext to be decrypted.
- */
-static void spook_128_512_decrypt
- (shadow512_state_t *state, unsigned char *m,
- const unsigned char *c, unsigned long long clen)
-{
- state->B[SHADOW512_RATE] ^= 0x01;
- while (clen >= SHADOW512_RATE) {
- lw_xor_block_swap(m, state->B, c, SHADOW512_RATE);
- shadow512(state);
- c += SHADOW512_RATE;
- m += SHADOW512_RATE;
- clen -= SHADOW512_RATE;
- }
- if (clen > 0) {
- unsigned temp = (unsigned)clen;
- lw_xor_block_swap(m, state->B, c, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW512_RATE] ^= 0x02;
- shadow512(state);
- }
-}
-
-/**
- * \brief Decrypts the ciphertext with the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param m Points to the plaintext output buffer.
- * \param c Points to the ciphertext input buffer.
- * \param clen Number of bytes of ciphertext to be decrypted.
- */
-static void spook_128_384_decrypt
- (shadow384_state_t *state, unsigned char *m,
- const unsigned char *c, unsigned long long clen)
-{
- state->B[SHADOW384_RATE] ^= 0x01;
- while (clen >= SHADOW384_RATE) {
- lw_xor_block_swap(m, state->B, c, SHADOW384_RATE);
- shadow384(state);
- c += SHADOW384_RATE;
- m += SHADOW384_RATE;
- clen -= SHADOW384_RATE;
- }
- if (clen > 0) {
- unsigned temp = (unsigned)clen;
- lw_xor_block_swap(m, state->B, c, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW384_RATE] ^= 0x02;
- shadow384(state);
- }
-}
-
-int spook_128_512_su_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_512_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_512_su_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_512_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
-
-int spook_128_384_su_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_384_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_384_su_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_384_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
-
-int spook_128_512_mu_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_512_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_512_mu_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_512_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
-
-int spook_128_384_mu_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_384_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_384_mu_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_384_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/spook.h b/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/spook.h
deleted file mode 100644
index 68b6a25..0000000
--- a/spook/Implementations/crypto_aead/spook128mu512v1/rhys-avr/spook.h
+++ /dev/null
@@ -1,344 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SPOOK_H -#define LWCRYPTO_SPOOK_H - -#include "aead-common.h" - -/** - * \file spook.h - * \brief Spook authenticated encryption algorithm. - * - * Spook is a family of authenticated encryption algorithms that are - * built around a tweakable block cipher and a permutation. If the - * tweakable block cipher is implemented as a masked block cipher, - * then Spook provides protection against power analysis side channels. - * - * There are four members in the Spook family: - * - * \li Spook-128-512-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. - * Internally the algorithm uses a 512-bit permutation. This is the primary - * member of the family. - * \li Spook-128-384-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. - * Internally the algorithm uses a 384-bit permutation. 
- * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit - * nonce, and a 128-bit tag. Internally the algorithm uses a 512-bit - * permutation. - * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit - * nonce, and a 128-bit tag. Internally the algorithm uses a 384-bit - * permutation. - * - * In this library, the "mu" (multi-user) variants combine the 128-bit key - * and the 128-bit public tweak into a single 256-bit key value. - * Applications can either view this as a cipher with a 256-bit key, - * or they can split the key value into secret and public halves. - * Even with the use of 256-bit keys, Spook only has 128-bit security. - * - * References: https://www.spook.dev/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for the single-user version of Spook. - */ -#define SPOOK_SU_KEY_SIZE 16 - -/** - * \brief Size of the key for the multi-user version of Spook. - */ -#define SPOOK_MU_KEY_SIZE 32 - -/** - * \brief Size of the authentication tag for all Spook family members. - */ -#define SPOOK_TAG_SIZE 16 - -/** - * \brief Size of the nonce for all Spook family members. - */ -#define SPOOK_NONCE_SIZE 16 - -/** - * \brief Meta-information block for the Spook-128-512-su cipher. - */ -extern aead_cipher_t const spook_128_512_su_cipher; - -/** - * \brief Meta-information block for the Spook-128-384-su cipher. - */ -extern aead_cipher_t const spook_128_384_su_cipher; - -/** - * \brief Meta-information block for the Spook-128-512-mu cipher. - */ -extern aead_cipher_t const spook_128_512_mu_cipher; - -/** - * \brief Meta-information block for the Spook-128-384-mu cipher. - */ -extern aead_cipher_t const spook_128_384_mu_cipher; - -/** - * \brief Encrypts and authenticates a packet with Spook-128-512-su. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. 
- * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa spook_128_512_su_aead_decrypt() - */ -int spook_128_512_su_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-512-su. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa spook_128_512_su_aead_encrypt() - */ -int spook_128_512_su_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Spook-128-384-su. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa spook_128_384_su_aead_decrypt() - */ -int spook_128_384_su_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-384-su. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. 
- * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa spook_128_384_su_aead_encrypt() - */ -int spook_128_384_su_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Spook-128-512-mu. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa spook_128_512_mu_aead_decrypt() - */ -int spook_128_512_mu_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-512-mu. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa spook_128_512_mu_aead_encrypt() - */ -int spook_128_512_mu_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Spook-128-384-mu. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. 
- * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa spook_128_384_mu_aead_decrypt() - */ -int spook_128_384_mu_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-384-mu. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa spook_128_384_mu_aead_encrypt() - */ -int spook_128_384_mu_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-util.h b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-util.h +++ b/spook/Implementations/crypto_aead/spook128mu512v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/aead-common.c b/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
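Review bot: The sixty hand-composed rotation macros in the `#else /* LW_CRYPTO_ROTATE32_COMPOSED */` branch are only compiled on AVR (the flag is 1 only under `__AVR__`), and nothing in this hunk ties them to the generic `leftRotate(a, bits)`/`rightRotate(a, bits)` they replace, so a transposed base or direction in one entry (say `leftRotate((a), 16)` where 24 was meant) would break a cipher on that target only and be invisible on every host build. Walking the entries, the counts do add up (bases 8/16/24 plus or minus one to four single-bit steps, `leftRotate28..31` as right rotates, and `rightRotateN` aliased to `leftRotate(32-N)`), but a regression guard is cheap: a host-side test that builds this header with the composed branch forced on and asserts `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for N = 1..31 over a few patterned inputs. Since the generic macros appear to be GCC statement expressions that bind `_temp`, each nested composition re-declares `_temp` in an inner scope; that is harmless (each argument is still evaluated once by the innermost macro) but will be noisy under `-Wshadow`, so a one-line note on the branch would save the next reader a detour, e.g. `/* Nested rotates re-declare _temp in inner scopes by design; every argument is evaluated once. */`.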
--- a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/aead-common.h b/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/api.h b/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/encrypt.c b/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/encrypt.c deleted file mode 100644 index e61a44a..0000000 --- a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@
-
-#include "spook.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return spook_128_384_su_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return spook_128_384_su_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/internal-spook.c b/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/internal-spook.c
deleted file mode 100644
index 0e19216..0000000
--- a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/internal-spook.c
+++ /dev/null
@@ -1,557 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-spook.h"
-
-/**
- * \brief Number of steps in the Clyde-128 block cipher.
- *
- * This is also the number of steps in the Shadow-512 and Shadow-384
- * permutations.
- */
-#define CLYDE128_STEPS 6
-
-/**
- * \brief Round constants for the steps of Clyde-128.
- */
-static uint8_t const rc[CLYDE128_STEPS][8] = {
- {1, 0, 0, 0, 0, 1, 0, 0},
- {0, 0, 1, 0, 0, 0, 0, 1},
- {1, 1, 0, 0, 0, 1, 1, 0},
- {0, 0, 1, 1, 1, 1, 0, 1},
- {1, 0, 1, 0, 0, 1, 0, 1},
- {1, 1, 1, 0, 0, 1, 1, 1}
-};
-
-void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE],
- const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4],
- uint32_t output[CLYDE128_BLOCK_SIZE / 4],
- const uint32_t input[CLYDE128_BLOCK_SIZE / 4])
-{
- uint32_t k0, k1, k2, k3;
- uint32_t t0, t1, t2, t3;
- uint32_t s0, s1, s2, s3;
- uint32_t c, d;
- int step;
-
- /* Unpack the key, tweak, and state */
- k0 = le_load_word32(key);
- k1 = le_load_word32(key + 4);
- k2 = le_load_word32(key + 8);
- k3 = le_load_word32(key + 12);
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- t0 = tweak[0];
- t1 = tweak[1];
- t2 = tweak[2];
- t3 = tweak[3];
- s0 = input[0];
- s1 = input[1];
- s2 = input[2];
- s3 = input[3];
-#else
- t0 = le_load_word32((const unsigned char *)&(tweak[0]));
- t1 = le_load_word32((const unsigned char *)&(tweak[1]));
- t2 = le_load_word32((const unsigned char *)&(tweak[2]));
- t3 = le_load_word32((const unsigned char *)&(tweak[3]));
- s0 = le_load_word32((const unsigned char *)&(input[0]));
- s1 = le_load_word32((const unsigned char *)&(input[1]));
- s2 = le_load_word32((const unsigned char *)&(input[2]));
- s3 = le_load_word32((const unsigned char *)&(input[3]));
-#endif
-
- /* Add the initial tweakey to the state */
- s0 ^= k0 ^ t0;
- s1 ^= k1 ^ t1;
- s2 ^= k2 ^ t2;
- s3 ^= k3 ^ t3;
-
- /* Perform all rounds in pairs */
- for (step = 0; step < CLYDE128_STEPS; ++step) {
- /* Perform the two rounds of this step */
- #define clyde128_sbox(s0, s1, s2, s3) \
- do { \
- c = (s0 & s1) ^ s2; \
- d = (s3 & s0) ^ s1; \
- s2 = (c & d) ^ s3; \
- s3 = (c & s3) ^ s0; \
- s0 = d; \
- s1 = c; \
- } while (0)
- #define clyde128_lbox(x, y) \
- do { \
- c = x ^ rightRotate12(x); \
- d = y ^ rightRotate12(y); \
- c ^= rightRotate3(c); \
- d ^= rightRotate3(d); \
- x = c ^ leftRotate15(x); \
- y = d ^
leftRotate15(y); \
- c = x ^ leftRotate1(x); \
- d = y ^ leftRotate1(y); \
- x ^= leftRotate6(d); \
- y ^= leftRotate7(c); \
- x ^= rightRotate15(c); \
- y ^= rightRotate15(d); \
- } while (0)
- clyde128_sbox(s0, s1, s2, s3);
- clyde128_lbox(s0, s1);
- clyde128_lbox(s2, s3);
- s0 ^= rc[step][0];
- s1 ^= rc[step][1];
- s2 ^= rc[step][2];
- s3 ^= rc[step][3];
- clyde128_sbox(s0, s1, s2, s3);
- clyde128_lbox(s0, s1);
- clyde128_lbox(s2, s3);
- s0 ^= rc[step][4];
- s1 ^= rc[step][5];
- s2 ^= rc[step][6];
- s3 ^= rc[step][7];
-
- /* Update the tweakey on the fly and add it to the state */
- c = t2 ^ t0;
- d = t3 ^ t1;
- t2 = t0;
- t3 = t1;
- t0 = c;
- t1 = d;
- s0 ^= k0 ^ t0;
- s1 ^= k1 ^ t1;
- s2 ^= k2 ^ t2;
- s3 ^= k3 ^ t3;
- }
-
- /* Pack the state into the output buffer */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-#else
- le_store_word32((unsigned char *)&(output[0]), s0);
- le_store_word32((unsigned char *)&(output[1]), s1);
- le_store_word32((unsigned char *)&(output[2]), s2);
- le_store_word32((unsigned char *)&(output[3]), s3);
-#endif
-}
-
-void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE],
- const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4],
- uint32_t output[CLYDE128_BLOCK_SIZE / 4],
- const unsigned char input[CLYDE128_BLOCK_SIZE])
-{
- uint32_t k0, k1, k2, k3;
- uint32_t t0, t1, t2, t3;
- uint32_t s0, s1, s2, s3;
- uint32_t a, b, d;
- int step;
-
- /* Unpack the key, tweak, and state */
- k0 = le_load_word32(key);
- k1 = le_load_word32(key + 4);
- k2 = le_load_word32(key + 8);
- k3 = le_load_word32(key + 12);
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- t0 = tweak[0];
- t1 = tweak[1];
- t2 = tweak[2];
- t3 = tweak[3];
-#else
- t0 = le_load_word32((const unsigned char *)&(tweak[0]));
- t1 = le_load_word32((const unsigned char *)&(tweak[1]));
- t2 = le_load_word32((const unsigned char *)&(tweak[2]));
- t3 = le_load_word32((const unsigned char *)&(tweak[3]));
-#endif
- s0 =
le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Perform all rounds in pairs */
- for (step = CLYDE128_STEPS - 1; step >= 0; --step) {
- /* Add the tweakey to the state and update the tweakey */
- s0 ^= k0 ^ t0;
- s1 ^= k1 ^ t1;
- s2 ^= k2 ^ t2;
- s3 ^= k3 ^ t3;
- a = t2 ^ t0;
- b = t3 ^ t1;
- t0 = t2;
- t1 = t3;
- t2 = a;
- t3 = b;
-
- /* Perform the two rounds of this step */
- #define clyde128_inv_sbox(s0, s1, s2, s3) \
- do { \
- d = (s0 & s1) ^ s2; \
- a = (s1 & d) ^ s3; \
- b = (d & a) ^ s0; \
- s2 = (a & b) ^ s1; \
- s0 = a; \
- s1 = b; \
- s3 = d; \
- } while (0)
- #define clyde128_inv_lbox(x, y) \
- do { \
- a = x ^ leftRotate7(x); \
- b = y ^ leftRotate7(y); \
- x ^= leftRotate1(a); \
- y ^= leftRotate1(b); \
- x ^= leftRotate12(a); \
- y ^= leftRotate12(b); \
- a = x ^ leftRotate1(x); \
- b = y ^ leftRotate1(y); \
- x ^= leftRotate6(b); \
- y ^= leftRotate7(a); \
- a ^= leftRotate15(x); \
- b ^= leftRotate15(y); \
- x = rightRotate16(a); \
- y = rightRotate16(b); \
- } while (0)
- s0 ^= rc[step][4];
- s1 ^= rc[step][5];
- s2 ^= rc[step][6];
- s3 ^= rc[step][7];
- clyde128_inv_lbox(s0, s1);
- clyde128_inv_lbox(s2, s3);
- clyde128_inv_sbox(s0, s1, s2, s3);
- s0 ^= rc[step][0];
- s1 ^= rc[step][1];
- s2 ^= rc[step][2];
- s3 ^= rc[step][3];
- clyde128_inv_lbox(s0, s1);
- clyde128_inv_lbox(s2, s3);
- clyde128_inv_sbox(s0, s1, s2, s3);
- }
-
- /* Add the tweakey to the state one last time */
- s0 ^= k0 ^ t0;
- s1 ^= k1 ^ t1;
- s2 ^= k2 ^ t2;
- s3 ^= k3 ^ t3;
-
- /* Pack the state into the output buffer */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-#else
- le_store_word32((unsigned char *)&(output[0]), s0);
- le_store_word32((unsigned char *)&(output[1]), s1);
- le_store_word32((unsigned char *)&(output[2]), s2);
- le_store_word32((unsigned char *)&(output[3]), s3);
-#endif
-}
-
-void shadow512(shadow512_state_t
*state)
-{
- uint32_t s00, s01, s02, s03;
- uint32_t s10, s11, s12, s13;
- uint32_t s20, s21, s22, s23;
- uint32_t s30, s31, s32, s33;
- uint32_t c, d, w, x, y, z;
- int step;
-
- /* Unpack the state into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s00 = state->W[0];
- s01 = state->W[1];
- s02 = state->W[2];
- s03 = state->W[3];
- s10 = state->W[4];
- s11 = state->W[5];
- s12 = state->W[6];
- s13 = state->W[7];
- s20 = state->W[8];
- s21 = state->W[9];
- s22 = state->W[10];
- s23 = state->W[11];
- s30 = state->W[12];
- s31 = state->W[13];
- s32 = state->W[14];
- s33 = state->W[15];
-#else
- s00 = le_load_word32(state->B);
- s01 = le_load_word32(state->B + 4);
- s02 = le_load_word32(state->B + 8);
- s03 = le_load_word32(state->B + 12);
- s10 = le_load_word32(state->B + 16);
- s11 = le_load_word32(state->B + 20);
- s12 = le_load_word32(state->B + 24);
- s13 = le_load_word32(state->B + 28);
- s20 = le_load_word32(state->B + 32);
- s21 = le_load_word32(state->B + 36);
- s22 = le_load_word32(state->B + 40);
- s23 = le_load_word32(state->B + 44);
- s30 = le_load_word32(state->B + 48);
- s31 = le_load_word32(state->B + 52);
- s32 = le_load_word32(state->B + 56);
- s33 = le_load_word32(state->B + 60);
-#endif
-
- /* Perform all rounds in pairs */
- for (step = 0; step < CLYDE128_STEPS; ++step) {
- /* Apply the S-box and L-box to bundle 0 */
- clyde128_sbox(s00, s01, s02, s03);
- clyde128_lbox(s00, s01);
- clyde128_lbox(s02, s03);
- s00 ^= rc[step][0];
- s01 ^= rc[step][1];
- s02 ^= rc[step][2];
- s03 ^= rc[step][3];
- clyde128_sbox(s00, s01, s02, s03);
-
- /* Apply the S-box and L-box to bundle 1 */
- clyde128_sbox(s10, s11, s12, s13);
- clyde128_lbox(s10, s11);
- clyde128_lbox(s12, s13);
- s10 ^= rc[step][0] << 1;
- s11 ^= rc[step][1] << 1;
- s12 ^= rc[step][2] << 1;
- s13 ^= rc[step][3] << 1;
- clyde128_sbox(s10, s11, s12, s13);
-
- /* Apply the S-box and L-box to bundle 2 */
- clyde128_sbox(s20, s21, s22, s23);
- clyde128_lbox(s20, s21);
-
clyde128_lbox(s22, s23);
- s20 ^= rc[step][0] << 2;
- s21 ^= rc[step][1] << 2;
- s22 ^= rc[step][2] << 2;
- s23 ^= rc[step][3] << 2;
- clyde128_sbox(s20, s21, s22, s23);
-
- /* Apply the S-box and L-box to bundle 3 */
- clyde128_sbox(s30, s31, s32, s33);
- clyde128_lbox(s30, s31);
- clyde128_lbox(s32, s33);
- s30 ^= rc[step][0] << 3;
- s31 ^= rc[step][1] << 3;
- s32 ^= rc[step][2] << 3;
- s33 ^= rc[step][3] << 3;
- clyde128_sbox(s30, s31, s32, s33);
-
- /* Apply the diffusion layer to the rows of the state */
- #define shadow512_diffusion_layer(row) \
- do { \
- w = s0##row; \
- x = s1##row; \
- y = s2##row; \
- z = s3##row; \
- c = w ^ x; \
- d = y ^ z; \
- s0##row = x ^ d; \
- s1##row = w ^ d; \
- s2##row = c ^ z; \
- s3##row = c ^ y; \
- } while (0)
- shadow512_diffusion_layer(0);
- shadow512_diffusion_layer(1);
- shadow512_diffusion_layer(2);
- shadow512_diffusion_layer(3);
-
- /* Add round constants to all bundles again */
- s00 ^= rc[step][4];
- s01 ^= rc[step][5];
- s02 ^= rc[step][6];
- s03 ^= rc[step][7];
- s10 ^= rc[step][4] << 1;
- s11 ^= rc[step][5] << 1;
- s12 ^= rc[step][6] << 1;
- s13 ^= rc[step][7] << 1;
- s20 ^= rc[step][4] << 2;
- s21 ^= rc[step][5] << 2;
- s22 ^= rc[step][6] << 2;
- s23 ^= rc[step][7] << 2;
- s30 ^= rc[step][4] << 3;
- s31 ^= rc[step][5] << 3;
- s32 ^= rc[step][6] << 3;
- s33 ^= rc[step][7] << 3;
- }
-
- /* Pack the local variables back into the state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->W[0] = s00;
- state->W[1] = s01;
- state->W[2] = s02;
- state->W[3] = s03;
- state->W[4] = s10;
- state->W[5] = s11;
- state->W[6] = s12;
- state->W[7] = s13;
- state->W[8] = s20;
- state->W[9] = s21;
- state->W[10] = s22;
- state->W[11] = s23;
- state->W[12] = s30;
- state->W[13] = s31;
- state->W[14] = s32;
- state->W[15] = s33;
-#else
- le_store_word32(state->B, s00);
- le_store_word32(state->B + 4, s01);
- le_store_word32(state->B + 8, s02);
- le_store_word32(state->B + 12, s03);
- le_store_word32(state->B + 16, s10);
-
le_store_word32(state->B + 20, s11);
- le_store_word32(state->B + 24, s12);
- le_store_word32(state->B + 28, s13);
- le_store_word32(state->B + 32, s20);
- le_store_word32(state->B + 36, s21);
- le_store_word32(state->B + 40, s22);
- le_store_word32(state->B + 44, s23);
- le_store_word32(state->B + 48, s30);
- le_store_word32(state->B + 52, s31);
- le_store_word32(state->B + 56, s32);
- le_store_word32(state->B + 60, s33);
-#endif
-}
-
-void shadow384(shadow384_state_t *state)
-{
- uint32_t s00, s01, s02, s03;
- uint32_t s10, s11, s12, s13;
- uint32_t s20, s21, s22, s23;
- uint32_t c, d, x, y, z;
- int step;
-
- /* Unpack the state into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s00 = state->W[0];
- s01 = state->W[1];
- s02 = state->W[2];
- s03 = state->W[3];
- s10 = state->W[4];
- s11 = state->W[5];
- s12 = state->W[6];
- s13 = state->W[7];
- s20 = state->W[8];
- s21 = state->W[9];
- s22 = state->W[10];
- s23 = state->W[11];
-#else
- s00 = le_load_word32(state->B);
- s01 = le_load_word32(state->B + 4);
- s02 = le_load_word32(state->B + 8);
- s03 = le_load_word32(state->B + 12);
- s10 = le_load_word32(state->B + 16);
- s11 = le_load_word32(state->B + 20);
- s12 = le_load_word32(state->B + 24);
- s13 = le_load_word32(state->B + 28);
- s20 = le_load_word32(state->B + 32);
- s21 = le_load_word32(state->B + 36);
- s22 = le_load_word32(state->B + 40);
- s23 = le_load_word32(state->B + 44);
-#endif
-
- /* Perform all rounds in pairs */
- for (step = 0; step < CLYDE128_STEPS; ++step) {
- /* Apply the S-box and L-box to bundle 0 */
- clyde128_sbox(s00, s01, s02, s03);
- clyde128_lbox(s00, s01);
- clyde128_lbox(s02, s03);
- s00 ^= rc[step][0];
- s01 ^= rc[step][1];
- s02 ^= rc[step][2];
- s03 ^= rc[step][3];
- clyde128_sbox(s00, s01, s02, s03);
-
- /* Apply the S-box and L-box to bundle 1 */
- clyde128_sbox(s10, s11, s12, s13);
- clyde128_lbox(s10, s11);
- clyde128_lbox(s12, s13);
- s10 ^= rc[step][0] << 1;
- s11 ^= rc[step][1] << 1;
- s12 ^= rc[step][2] << 1;
- s13 ^= rc[step][3] << 1;
- clyde128_sbox(s10, s11, s12, s13);
-
- /* Apply the S-box and L-box to bundle 2 */
- clyde128_sbox(s20, s21, s22, s23);
- clyde128_lbox(s20, s21);
- clyde128_lbox(s22, s23);
- s20 ^= rc[step][0] << 2;
- s21 ^= rc[step][1] << 2;
- s22 ^= rc[step][2] << 2;
- s23 ^= rc[step][3] << 2;
- clyde128_sbox(s20, s21, s22, s23);
-
- /* Apply the diffusion layer to the rows of the state */
- #define shadow384_diffusion_layer(row) \
- do { \
- x = s0##row; \
- y = s1##row; \
- z = s2##row; \
- s0##row = x ^ y ^ z; \
- s1##row = x ^ z; \
- s2##row = x ^ y; \
- } while (0)
- shadow384_diffusion_layer(0);
- shadow384_diffusion_layer(1);
- shadow384_diffusion_layer(2);
- shadow384_diffusion_layer(3);
-
- /* Add round constants to all bundles again */
- s00 ^= rc[step][4];
- s01 ^= rc[step][5];
- s02 ^= rc[step][6];
- s03 ^= rc[step][7];
- s10 ^= rc[step][4] << 1;
- s11 ^= rc[step][5] << 1;
- s12 ^= rc[step][6] << 1;
- s13 ^= rc[step][7] << 1;
- s20 ^= rc[step][4] << 2;
- s21 ^= rc[step][5] << 2;
- s22 ^= rc[step][6] << 2;
- s23 ^= rc[step][7] << 2;
- }
-
- /* Pack the local variables back into the state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->W[0] = s00;
- state->W[1] = s01;
- state->W[2] = s02;
- state->W[3] = s03;
- state->W[4] = s10;
- state->W[5] = s11;
- state->W[6] = s12;
- state->W[7] = s13;
- state->W[8] = s20;
- state->W[9] = s21;
- state->W[10] = s22;
- state->W[11] = s23;
-#else
- le_store_word32(state->B, s00);
- le_store_word32(state->B + 4, s01);
- le_store_word32(state->B + 8, s02);
- le_store_word32(state->B + 12, s03);
- le_store_word32(state->B + 16, s10);
- le_store_word32(state->B + 20, s11);
- le_store_word32(state->B + 24, s12);
- le_store_word32(state->B + 28, s13);
- le_store_word32(state->B + 32, s20);
- le_store_word32(state->B + 36, s21);
- le_store_word32(state->B + 40, s22);
- le_store_word32(state->B + 44, s23);
-#endif
-}
diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/internal-spook.h b/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/internal-spook.h
deleted file mode 100644
index b08ce80..0000000
--- a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/internal-spook.h
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SPOOK_H
-#define LW_INTERNAL_SPOOK_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-spook.h
- * \brief Internal implementation details of the Spook AEAD mode.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the block for the Clyde-128 block cipher.
- */
-#define CLYDE128_BLOCK_SIZE 16
-
-/**
- * \brief Size of the key for the Clyde-128 block cipher.
- */
-#define CLYDE128_KEY_SIZE 16
-
-/**
- * \brief Size of the tweak for the Clyde-128 block cipher.
- */
-#define CLYDE128_TWEAK_SIZE 16
-
-/**
- * \brief Size of the state for Shadow-512.
- */
-#define SHADOW512_STATE_SIZE 64
-
-/**
- * \brief Rate to absorb data into or squeeze data out of a Shadow-512 state.
- */
-#define SHADOW512_RATE 32
-
-/**
- * \brief Size of the state for Shadow-384.
- */
-#define SHADOW384_STATE_SIZE 48
-
-/**
- * \brief Rate to absorb data into or squeeze data out of a Shadow-384 state.
- */
-#define SHADOW384_RATE 16
-
-/**
- * \brief Internal state of the Shadow-512 permutation.
- */
-typedef union
-{
- uint32_t W[SHADOW512_STATE_SIZE / 4]; /**< Words of the state */
- uint8_t B[SHADOW512_STATE_SIZE]; /**< Bytes of the state */
-
-} shadow512_state_t;
-
-/**
- * \brief Internal state of the Shadow-384 permutation.
- */
-typedef union
-{
- uint32_t W[SHADOW384_STATE_SIZE / 4]; /**< Words of the state */
- uint8_t B[SHADOW384_STATE_SIZE]; /**< Bytes of the state */
-
-} shadow384_state_t;
-
-/**
- * \brief Encrypts a block with the Clyde-128 block cipher.
- *
- * \param key Points to the key to encrypt with.
- * \param tweak Points to the tweak to encrypt with.
- * \param output Output buffer for the ciphertext.
- * \param input Input buffer for the plaintext.
- *
- * \sa clyde128_decrypt()
- */
-void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE],
- const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4],
- uint32_t output[CLYDE128_BLOCK_SIZE / 4],
- const uint32_t input[CLYDE128_BLOCK_SIZE / 4]);
-
-/**
- * \brief Decrypts a block with the Clyde-128 block cipher.
- *
- * \param key Points to the key to decrypt with.
- * \param tweak Points to the tweak to decrypt with.
- * \param output Output buffer for the plaintext.
- * \param input Input buffer for the ciphertext.
- *
- * \sa clyde128_encrypt()
- */
-void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE],
- const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4],
- uint32_t output[CLYDE128_BLOCK_SIZE / 4],
- const unsigned char input[CLYDE128_BLOCK_SIZE]);
-
-/**
- * \brief Performs the Shadow-512 permutation on a state.
- *
- * \param state The Shadow-512 state which will be in little-endian
- * byte order on input and output.
- *
- * \sa shadow384()
- */
-void shadow512(shadow512_state_t *state);
-
-/**
- * \brief Performs the Shadow-384 permutation on a state.
- *
- * \param state The Shadow-384 state which will be in little-endian
- * byte order on input and output.
- *
- * \sa shadow512()
- */
-void shadow384(shadow384_state_t *state);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/internal-util.h b/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
-
(((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
-
do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time.
This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/spook.c b/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/spook.c deleted file mode 100644 index d075b33..0000000 --- a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/spook.c +++ /dev/null 
@@ -1,552 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "spook.h"
-#include "internal-spook.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const spook_128_512_su_cipher = {
- "Spook-128-512-su",
- SPOOK_SU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_512_su_aead_encrypt,
- spook_128_512_su_aead_decrypt
-};
-
-aead_cipher_t const spook_128_384_su_cipher = {
- "Spook-128-384-su",
- SPOOK_SU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_384_su_aead_encrypt,
- spook_128_384_su_aead_decrypt
-};
-
-aead_cipher_t const spook_128_512_mu_cipher = {
- "Spook-128-512-mu",
- SPOOK_MU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_512_mu_aead_encrypt,
- spook_128_512_mu_aead_decrypt
-};
-
-aead_cipher_t const spook_128_384_mu_cipher = {
- "Spook-128-384-mu",
- SPOOK_MU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_384_mu_aead_encrypt,
- spook_128_384_mu_aead_decrypt
-};
-
-/**
- * \brief Initializes the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param k Points to the key.
- * \param klen Length of the key in bytes, either 16 or 32.
- * \param npub Public nonce for the state.
- */
-static void spook_128_512_init
- (shadow512_state_t *state,
- const unsigned char *k, unsigned klen,
- const unsigned char *npub)
-{
- memset(state->B, 0, SHADOW512_STATE_SIZE);
- if (klen == SPOOK_MU_KEY_SIZE) {
- /* The public tweak is 126 bits in size followed by a 1 bit */
- memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE);
- state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F;
- state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40;
- }
- memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE);
- clyde128_encrypt(k, state->W, state->W + 12, state->W + 4);
- shadow512(state);
-}
-
-/**
- * \brief Initializes the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param k Points to the key.
- * \param klen Length of the key in bytes, either 16 or 32.
- * \param npub Public nonce for the state.
- */
-static void spook_128_384_init
- (shadow384_state_t *state,
- const unsigned char *k, unsigned klen,
- const unsigned char *npub)
-{
- memset(state->B, 0, SHADOW384_STATE_SIZE);
- if (klen == SPOOK_MU_KEY_SIZE) {
- /* The public tweak is 126 bits in size followed by a 1 bit */
- memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE);
- state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F;
- state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40;
- }
- memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE);
- clyde128_encrypt(k, state->W, state->W + 8, state->W + 4);
- shadow384(state);
-}
-
-/**
- * \brief Absorbs associated data into the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes, must be non-zero.
- */
-static void spook_128_512_absorb
- (shadow512_state_t *state,
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen >= SHADOW512_RATE) {
- lw_xor_block(state->B, ad, SHADOW512_RATE);
- shadow512(state);
- ad += SHADOW512_RATE;
- adlen -= SHADOW512_RATE;
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(state->B, ad, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW512_RATE] ^= 0x02;
- shadow512(state);
- }
-}
-
-/**
- * \brief Absorbs associated data into the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes, must be non-zero.
- */
-static void spook_128_384_absorb
- (shadow384_state_t *state,
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen >= SHADOW384_RATE) {
- lw_xor_block(state->B, ad, SHADOW384_RATE);
- shadow384(state);
- ad += SHADOW384_RATE;
- adlen -= SHADOW384_RATE;
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(state->B, ad, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW384_RATE] ^= 0x02;
- shadow384(state);
- }
-}
-
-/**
- * \brief Encrypts the plaintext with the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param c Points to the ciphertext output buffer.
- * \param m Points to the plaintext input buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void spook_128_512_encrypt
- (shadow512_state_t *state, unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- state->B[SHADOW512_RATE] ^= 0x01;
- while (mlen >= SHADOW512_RATE) {
- lw_xor_block_2_dest(c, state->B, m, SHADOW512_RATE);
- shadow512(state);
- c += SHADOW512_RATE;
- m += SHADOW512_RATE;
- mlen -= SHADOW512_RATE;
- }
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_dest(c, state->B, m, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW512_RATE] ^= 0x02;
- shadow512(state);
- }
-}
-
-/**
- * \brief Encrypts the plaintext with the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param c Points to the ciphertext output buffer.
- * \param m Points to the plaintext input buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void spook_128_384_encrypt
- (shadow384_state_t *state, unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- state->B[SHADOW384_RATE] ^= 0x01;
- while (mlen >= SHADOW384_RATE) {
- lw_xor_block_2_dest(c, state->B, m, SHADOW384_RATE);
- shadow384(state);
- c += SHADOW384_RATE;
- m += SHADOW384_RATE;
- mlen -= SHADOW384_RATE;
- }
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_dest(c, state->B, m, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW384_RATE] ^= 0x02;
- shadow384(state);
- }
-}
-
-/**
- * \brief Decrypts the ciphertext with the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param m Points to the plaintext output buffer.
- * \param c Points to the ciphertext input buffer.
- * \param clen Number of bytes of ciphertext to be decrypted.
- */
-static void spook_128_512_decrypt
- (shadow512_state_t *state, unsigned char *m,
- const unsigned char *c, unsigned long long clen)
-{
- state->B[SHADOW512_RATE] ^= 0x01;
- while (clen >= SHADOW512_RATE) {
- lw_xor_block_swap(m, state->B, c, SHADOW512_RATE);
- shadow512(state);
- c += SHADOW512_RATE;
- m += SHADOW512_RATE;
- clen -= SHADOW512_RATE;
- }
- if (clen > 0) {
- unsigned temp = (unsigned)clen;
- lw_xor_block_swap(m, state->B, c, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW512_RATE] ^= 0x02;
- shadow512(state);
- }
-}
-
-/**
- * \brief Decrypts the ciphertext with the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param m Points to the plaintext output buffer.
- * \param c Points to the ciphertext input buffer.
- * \param clen Number of bytes of ciphertext to be decrypted.
- */
-static void spook_128_384_decrypt
- (shadow384_state_t *state, unsigned char *m,
- const unsigned char *c, unsigned long long clen)
-{
- state->B[SHADOW384_RATE] ^= 0x01;
- while (clen >= SHADOW384_RATE) {
- lw_xor_block_swap(m, state->B, c, SHADOW384_RATE);
- shadow384(state);
- c += SHADOW384_RATE;
- m += SHADOW384_RATE;
- clen -= SHADOW384_RATE;
- }
- if (clen > 0) {
- unsigned temp = (unsigned)clen;
- lw_xor_block_swap(m, state->B, c, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW384_RATE] ^= 0x02;
- shadow384(state);
- }
-}
-
-int spook_128_512_su_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_512_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_512_su_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_512_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
-
-int spook_128_384_su_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_384_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_384_su_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_384_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
-
-int spook_128_512_mu_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_512_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_512_mu_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_512_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
-
-int spook_128_384_mu_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_384_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_384_mu_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_384_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/spook.h b/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/spook.h
deleted file mode 100644
index 68b6a25..0000000
--- a/spook/Implementations/crypto_aead/spook128su384v1/rhys-avr/spook.h
+++ /dev/null
@@ -1,344 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SPOOK_H -#define LWCRYPTO_SPOOK_H - -#include "aead-common.h" - -/** - * \file spook.h - * \brief Spook authenticated encryption algorithm. - * - * Spook is a family of authenticated encryption algorithms that are - * built around a tweakable block cipher and a permutation. If the - * tweakable block cipher is implemented as a masked block cipher, - * then Spook provides protection against power analysis side channels. - * - * There are four members in the Spook family: - * - * \li Spook-128-512-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. - * Internally the algorithm uses a 512-bit permutation. This is the primary - * member of the family. - * \li Spook-128-384-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. - * Internally the algorithm uses a 384-bit permutation. 
- * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit - * nonce, and a 128-bit tag. Internally the algorithm uses a 512-bit - * permutation. - * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit - * nonce, and a 128-bit tag. Internally the algorithm uses a 384-bit - * permutation. - * - * In this library, the "mu" (multi-user) variants combine the 128-bit key - * and the 128-bit public tweak into a single 256-bit key value. - * Applications can either view this as a cipher with a 256-bit key, - * or they can split the key value into secret and public halves. - * Even with the use of 256-bit keys, Spook only has 128-bit security. - * - * References: https://www.spook.dev/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for the single-user version of Spook. - */ -#define SPOOK_SU_KEY_SIZE 16 - -/** - * \brief Size of the key for the multi-user version of Spook. - */ -#define SPOOK_MU_KEY_SIZE 32 - -/** - * \brief Size of the authentication tag for all Spook family members. - */ -#define SPOOK_TAG_SIZE 16 - -/** - * \brief Size of the nonce for all Spook family members. - */ -#define SPOOK_NONCE_SIZE 16 - -/** - * \brief Meta-information block for the Spook-128-512-su cipher. - */ -extern aead_cipher_t const spook_128_512_su_cipher; - -/** - * \brief Meta-information block for the Spook-128-384-su cipher. - */ -extern aead_cipher_t const spook_128_384_su_cipher; - -/** - * \brief Meta-information block for the Spook-128-512-mu cipher. - */ -extern aead_cipher_t const spook_128_512_mu_cipher; - -/** - * \brief Meta-information block for the Spook-128-384-mu cipher. - */ -extern aead_cipher_t const spook_128_384_mu_cipher; - -/** - * \brief Encrypts and authenticates a packet with Spook-128-512-su. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. 
- * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa spook_128_512_su_aead_decrypt() - */ -int spook_128_512_su_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-512-su. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa spook_128_512_su_aead_encrypt() - */ -int spook_128_512_su_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Spook-128-384-su. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa spook_128_384_su_aead_decrypt() - */ -int spook_128_384_su_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-384-su. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. 
- * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa spook_128_384_su_aead_encrypt() - */ -int spook_128_384_su_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Spook-128-512-mu. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa spook_128_512_mu_aead_decrypt() - */ -int spook_128_512_mu_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-512-mu. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa spook_128_512_mu_aead_encrypt() - */ -int spook_128_512_mu_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Spook-128-384-mu. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. 
- * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa spook_128_384_mu_aead_decrypt() - */ -int spook_128_384_mu_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-384-mu. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- *
- * \sa spook_128_384_mu_aead_encrypt()
- */
-int spook_128_384_mu_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-util.h b/spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-util.h
+++ b/spook/Implementations/crypto_aead/spook128su384v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
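Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is hard-wired to 1 under `__AVR__` and 0 otherwise in the first hunk, so the composed rotation path it selects can only be compiled on an AVR target and cannot be exercised by a host-side unit test. Wrapping the selector in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` keeps the same default while letting a build force the value from the command line, and makes explicit that the macro is an intended override point. The `#if !LW_CRYPTO_ROTATE32_COMPOSED` guard added in the second hunk would then work unchanged for an externally supplied 0 or 1.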
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/aead-common.c b/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
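Review bot: The 31 composed `leftRotateN` macros and the 31 `rightRotateN` aliases are hand-written and nothing checks them against the generic `leftRotate(a, bits)`; a single miscounted `1` in one of the longer chains such as `leftRotate12` or `leftRotate20` would give wrong cipher output on AVR only, which non-AVR test runs would never detect. A host-side test that forces the composed path on and asserts `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for every N over a few 32-bit values would pin the table. If `leftRotate`/`rightRotate` are the statement-expression form whose tail (`_temp >> (bits)`) shows in the previous hunk's context, each nested expansion declares its own `_temp` that shadows the enclosing one, which is legal but worth stating beside the table, e.g. `/* Nested expansions each scope their own _temp; the shadowing is intentional. */`.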
--- a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "aead-common.h"
-
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = (accum - 1) >> 8;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
-
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned size, int precheck)
-{
- /* Set "accum" to -1 if the tags match, or 0 if they don't match */
- int accum = 0;
- while (size > 0) {
- accum |= (*tag1++ ^ *tag2++);
- --size;
- }
- accum = ((accum - 1) >> 8) & precheck;
-
- /* Destroy the plaintext if the tag match failed */
- while (plaintext_len > 0) {
- *plaintext++ &= accum;
- --plaintext_len;
- }
-
- /* If "accum" is 0, return -1, otherwise return 0 */
- return ~accum;
-}
diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/aead-common.h b/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/aead-common.h
deleted file mode 100644
index 2be95eb..0000000
--- a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/aead-common.h
+++ /dev/null
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/api.h b/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/encrypt.c b/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/encrypt.c deleted file mode 100644 index 0d3db2e..0000000 --- a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@
-
-#include "spook.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return spook_128_512_su_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return spook_128_512_su_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/internal-spook.c b/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/internal-spook.c
deleted file mode 100644
index 0e19216..0000000
--- a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/internal-spook.c
+++ /dev/null
@@ -1,557 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-spook.h"
-
-/**
- * \brief Number of steps in the Clyde-128 block cipher.
- *
- * This is also the number of steps in the Shadow-512 and Shadow-384
- * permutations.
- */
-#define CLYDE128_STEPS 6
-
-/**
- * \brief Round constants for the steps of Clyde-128.
- */
-static uint8_t const rc[CLYDE128_STEPS][8] = {
- {1, 0, 0, 0, 0, 1, 0, 0},
- {0, 0, 1, 0, 0, 0, 0, 1},
- {1, 1, 0, 0, 0, 1, 1, 0},
- {0, 0, 1, 1, 1, 1, 0, 1},
- {1, 0, 1, 0, 0, 1, 0, 1},
- {1, 1, 1, 0, 0, 1, 1, 1}
-};
-
-void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE],
- const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4],
- uint32_t output[CLYDE128_BLOCK_SIZE / 4],
- const uint32_t input[CLYDE128_BLOCK_SIZE / 4])
-{
- uint32_t k0, k1, k2, k3;
- uint32_t t0, t1, t2, t3;
- uint32_t s0, s1, s2, s3;
- uint32_t c, d;
- int step;
-
- /* Unpack the key, tweak, and state */
- k0 = le_load_word32(key);
- k1 = le_load_word32(key + 4);
- k2 = le_load_word32(key + 8);
- k3 = le_load_word32(key + 12);
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- t0 = tweak[0];
- t1 = tweak[1];
- t2 = tweak[2];
- t3 = tweak[3];
- s0 = input[0];
- s1 = input[1];
- s2 = input[2];
- s3 = input[3];
-#else
- t0 = le_load_word32((const unsigned char *)&(tweak[0]));
- t1 = le_load_word32((const unsigned char *)&(tweak[1]));
- t2 = le_load_word32((const unsigned char *)&(tweak[2]));
- t3 = le_load_word32((const unsigned char *)&(tweak[3]));
- s0 = le_load_word32((const unsigned char *)&(input[0]));
- s1 = le_load_word32((const unsigned char *)&(input[1]));
- s2 = le_load_word32((const unsigned char *)&(input[2]));
- s3 = le_load_word32((const unsigned char *)&(input[3]));
-#endif
-
- /* Add the initial tweakey to the state */
- s0 ^= k0 ^ t0;
- s1 ^= k1 ^ t1;
- s2 ^= k2 ^ t2;
- s3 ^= k3 ^ t3;
-
- /* Perform all rounds in pairs */
- for (step = 0; step < CLYDE128_STEPS; ++step) {
- /* Perform the two rounds of this step */
- #define clyde128_sbox(s0, s1, s2, s3) \
- do { \
- c = (s0 & s1) ^ s2; \
- d = (s3 & s0) ^ s1; \
- s2 = (c & d) ^ s3; \
- s3 = (c & s3) ^ s0; \
- s0 = d; \
- s1 = c; \
- } while (0)
- #define clyde128_lbox(x, y) \
- do { \
- c = x ^ rightRotate12(x); \
- d = y ^ rightRotate12(y); \
- c ^= rightRotate3(c); \
- d ^= rightRotate3(d); \
- x = c ^ leftRotate15(x); \
- y = d ^ leftRotate15(y); \
- c = x ^ leftRotate1(x); \
- d = y ^ leftRotate1(y); \
- x ^= leftRotate6(d); \
- y ^= leftRotate7(c); \
- x ^= rightRotate15(c); \
- y ^= rightRotate15(d); \
- } while (0)
- clyde128_sbox(s0, s1, s2, s3);
- clyde128_lbox(s0, s1);
- clyde128_lbox(s2, s3);
- s0 ^= rc[step][0];
- s1 ^= rc[step][1];
- s2 ^= rc[step][2];
- s3 ^= rc[step][3];
- clyde128_sbox(s0, s1, s2, s3);
- clyde128_lbox(s0, s1);
- clyde128_lbox(s2, s3);
- s0 ^= rc[step][4];
- s1 ^= rc[step][5];
- s2 ^= rc[step][6];
- s3 ^= rc[step][7];
-
- /* Update the tweakey on the fly and add it to the state */
- c = t2 ^ t0;
- d = t3 ^ t1;
- t2 = t0;
- t3 = t1;
- t0 = c;
- t1 = d;
- s0 ^= k0 ^ t0;
- s1 ^= k1 ^ t1;
- s2 ^= k2 ^ t2;
- s3 ^= k3 ^ t3;
- }
-
- /* Pack the state into the output buffer */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-#else
- le_store_word32((unsigned char *)&(output[0]), s0);
- le_store_word32((unsigned char *)&(output[1]), s1);
- le_store_word32((unsigned char *)&(output[2]), s2);
- le_store_word32((unsigned char *)&(output[3]), s3);
-#endif
-}
-
-void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE],
- const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4],
- uint32_t output[CLYDE128_BLOCK_SIZE / 4],
- const unsigned char input[CLYDE128_BLOCK_SIZE])
-{
- uint32_t k0, k1, k2, k3;
- uint32_t t0, t1, t2, t3;
- uint32_t s0, s1, s2, s3;
- uint32_t a, b, d;
- int step;
-
- /* Unpack the key, tweak, and state */
- k0 = le_load_word32(key);
- k1 = le_load_word32(key + 4);
- k2 = le_load_word32(key + 8);
- k3 = le_load_word32(key + 12);
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- t0 = tweak[0];
- t1 = tweak[1];
- t2 = tweak[2];
- t3 = tweak[3];
-#else
- t0 = le_load_word32((const unsigned char *)&(tweak[0]));
- t1 = le_load_word32((const unsigned char *)&(tweak[1]));
- t2 = le_load_word32((const unsigned char *)&(tweak[2]));
- t3 = le_load_word32((const unsigned char *)&(tweak[3]));
-#endif
- s0 = le_load_word32(input);
- s1 = le_load_word32(input + 4);
- s2 = le_load_word32(input + 8);
- s3 = le_load_word32(input + 12);
-
- /* Perform all rounds in pairs */
- for (step = CLYDE128_STEPS - 1; step >= 0; --step) {
- /* Add the tweakey to the state and update the tweakey */
- s0 ^= k0 ^ t0;
- s1 ^= k1 ^ t1;
- s2 ^= k2 ^ t2;
- s3 ^= k3 ^ t3;
- a = t2 ^ t0;
- b = t3 ^ t1;
- t0 = t2;
- t1 = t3;
- t2 = a;
- t3 = b;
-
- /* Perform the two rounds of this step */
- #define clyde128_inv_sbox(s0, s1, s2, s3) \
- do { \
- d = (s0 & s1) ^ s2; \
- a = (s1 & d) ^ s3; \
- b = (d & a) ^ s0; \
- s2 = (a & b) ^ s1; \
- s0 = a; \
- s1 = b; \
- s3 = d; \
- } while (0)
- #define clyde128_inv_lbox(x, y) \
- do { \
- a = x ^ leftRotate7(x); \
- b = y ^ leftRotate7(y); \
- x ^= leftRotate1(a); \
- y ^= leftRotate1(b); \
- x ^= leftRotate12(a); \
- y ^= leftRotate12(b); \
- a = x ^ leftRotate1(x); \
- b = y ^ leftRotate1(y); \
- x ^= leftRotate6(b); \
- y ^= leftRotate7(a); \
- a ^= leftRotate15(x); \
- b ^= leftRotate15(y); \
- x = rightRotate16(a); \
- y = rightRotate16(b); \
- } while (0)
- s0 ^= rc[step][4];
- s1 ^= rc[step][5];
- s2 ^= rc[step][6];
- s3 ^= rc[step][7];
- clyde128_inv_lbox(s0, s1);
- clyde128_inv_lbox(s2, s3);
- clyde128_inv_sbox(s0, s1, s2, s3);
- s0 ^= rc[step][0];
- s1 ^= rc[step][1];
- s2 ^= rc[step][2];
- s3 ^= rc[step][3];
- clyde128_inv_lbox(s0, s1);
- clyde128_inv_lbox(s2, s3);
- clyde128_inv_sbox(s0, s1, s2, s3);
- }
-
- /* Add the tweakey to the state one last time */
- s0 ^= k0 ^ t0;
- s1 ^= k1 ^ t1;
- s2 ^= k2 ^ t2;
- s3 ^= k3 ^ t3;
-
- /* Pack the state into the output buffer */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-#else
- le_store_word32((unsigned char *)&(output[0]), s0);
- le_store_word32((unsigned char *)&(output[1]), s1);
- le_store_word32((unsigned char *)&(output[2]), s2);
- le_store_word32((unsigned char *)&(output[3]), s3);
-#endif
-}
-
-void shadow512(shadow512_state_t *state)
-{
- uint32_t s00, s01, s02, s03;
- uint32_t s10, s11, s12, s13;
- uint32_t s20, s21, s22, s23;
- uint32_t s30, s31, s32, s33;
- uint32_t c, d, w, x, y, z;
- int step;
-
- /* Unpack the state into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s00 = state->W[0];
- s01 = state->W[1];
- s02 = state->W[2];
- s03 = state->W[3];
- s10 = state->W[4];
- s11 = state->W[5];
- s12 = state->W[6];
- s13 = state->W[7];
- s20 = state->W[8];
- s21 = state->W[9];
- s22 = state->W[10];
- s23 = state->W[11];
- s30 = state->W[12];
- s31 = state->W[13];
- s32 = state->W[14];
- s33 = state->W[15];
-#else
- s00 = le_load_word32(state->B);
- s01 = le_load_word32(state->B + 4);
- s02 = le_load_word32(state->B + 8);
- s03 = le_load_word32(state->B + 12);
- s10 = le_load_word32(state->B + 16);
- s11 = le_load_word32(state->B + 20);
- s12 = le_load_word32(state->B + 24);
- s13 = le_load_word32(state->B + 28);
- s20 = le_load_word32(state->B + 32);
- s21 = le_load_word32(state->B + 36);
- s22 = le_load_word32(state->B + 40);
- s23 = le_load_word32(state->B + 44);
- s30 = le_load_word32(state->B + 48);
- s31 = le_load_word32(state->B + 52);
- s32 = le_load_word32(state->B + 56);
- s33 = le_load_word32(state->B + 60);
-#endif
-
- /* Perform all rounds in pairs */
- for (step = 0; step < CLYDE128_STEPS; ++step) {
- /* Apply the S-box and L-box to bundle 0 */
- clyde128_sbox(s00, s01, s02, s03);
- clyde128_lbox(s00, s01);
- clyde128_lbox(s02, s03);
- s00 ^= rc[step][0];
- s01 ^= rc[step][1];
- s02 ^= rc[step][2];
- s03 ^= rc[step][3];
- clyde128_sbox(s00, s01, s02, s03);
-
- /* Apply the S-box and L-box to bundle 1 */
- clyde128_sbox(s10, s11, s12, s13);
- clyde128_lbox(s10, s11);
- clyde128_lbox(s12, s13);
- s10 ^= rc[step][0] << 1;
- s11 ^= rc[step][1] << 1;
- s12 ^= rc[step][2] << 1;
- s13 ^= rc[step][3] << 1;
- clyde128_sbox(s10, s11, s12, s13);
-
- /* Apply the S-box and L-box to bundle 2 */
- clyde128_sbox(s20, s21, s22, s23);
- clyde128_lbox(s20, s21);
- clyde128_lbox(s22, s23);
- s20 ^= rc[step][0] << 2;
- s21 ^= rc[step][1] << 2;
- s22 ^= rc[step][2] << 2;
- s23 ^= rc[step][3] << 2;
- clyde128_sbox(s20, s21, s22, s23);
-
- /* Apply the S-box and L-box to bundle 3 */
- clyde128_sbox(s30, s31, s32, s33);
- clyde128_lbox(s30, s31);
- clyde128_lbox(s32, s33);
- s30 ^= rc[step][0] << 3;
- s31 ^= rc[step][1] << 3;
- s32 ^= rc[step][2] << 3;
- s33 ^= rc[step][3] << 3;
- clyde128_sbox(s30, s31, s32, s33);
-
- /* Apply the diffusion layer to the rows of the state */
- #define shadow512_diffusion_layer(row) \
- do { \
- w = s0##row; \
- x = s1##row; \
- y = s2##row; \
- z = s3##row; \
- c = w ^ x; \
- d = y ^ z; \
- s0##row = x ^ d; \
- s1##row = w ^ d; \
- s2##row = c ^ z; \
- s3##row = c ^ y; \
- } while (0)
- shadow512_diffusion_layer(0);
- shadow512_diffusion_layer(1);
- shadow512_diffusion_layer(2);
- shadow512_diffusion_layer(3);
-
- /* Add round constants to all bundles again */
- s00 ^= rc[step][4];
- s01 ^= rc[step][5];
- s02 ^= rc[step][6];
- s03 ^= rc[step][7];
- s10 ^= rc[step][4] << 1;
- s11 ^= rc[step][5] << 1;
- s12 ^= rc[step][6] << 1;
- s13 ^= rc[step][7] << 1;
- s20 ^= rc[step][4] << 2;
- s21 ^= rc[step][5] << 2;
- s22 ^= rc[step][6] << 2;
- s23 ^= rc[step][7] << 2;
- s30 ^= rc[step][4] << 3;
- s31 ^= rc[step][5] << 3;
- s32 ^= rc[step][6] << 3;
- s33 ^= rc[step][7] << 3;
- }
-
- /* Pack the local variables back into the state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->W[0] = s00;
- state->W[1] = s01;
- state->W[2] = s02;
- state->W[3] = s03;
- state->W[4] = s10;
- state->W[5] = s11;
- state->W[6] = s12;
- state->W[7] = s13;
- state->W[8] = s20;
- state->W[9] = s21;
- state->W[10] = s22;
- state->W[11] = s23;
- state->W[12] = s30;
- state->W[13] = s31;
- state->W[14] = s32;
- state->W[15] = s33;
-#else
- le_store_word32(state->B, s00);
- le_store_word32(state->B + 4, s01);
- le_store_word32(state->B + 8, s02);
- le_store_word32(state->B + 12, s03);
- le_store_word32(state->B + 16, s10);
- le_store_word32(state->B + 20, s11);
- le_store_word32(state->B + 24, s12);
- le_store_word32(state->B + 28, s13);
- le_store_word32(state->B + 32, s20);
- le_store_word32(state->B + 36, s21);
- le_store_word32(state->B + 40, s22);
- le_store_word32(state->B + 44, s23);
- le_store_word32(state->B + 48, s30);
- le_store_word32(state->B + 52, s31);
- le_store_word32(state->B + 56, s32);
- le_store_word32(state->B + 60, s33);
-#endif
-}
-
-void shadow384(shadow384_state_t *state)
-{
- uint32_t s00, s01, s02, s03;
- uint32_t s10, s11, s12, s13;
- uint32_t s20, s21, s22, s23;
- uint32_t c, d, x, y, z;
- int step;
-
- /* Unpack the state into local variables */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- s00 = state->W[0];
- s01 = state->W[1];
- s02 = state->W[2];
- s03 = state->W[3];
- s10 = state->W[4];
- s11 = state->W[5];
- s12 = state->W[6];
- s13 = state->W[7];
- s20 = state->W[8];
- s21 = state->W[9];
- s22 = state->W[10];
- s23 = state->W[11];
-#else
- s00 = le_load_word32(state->B);
- s01 = le_load_word32(state->B + 4);
- s02 = le_load_word32(state->B + 8);
- s03 = le_load_word32(state->B + 12);
- s10 = le_load_word32(state->B + 16);
- s11 = le_load_word32(state->B + 20);
- s12 = le_load_word32(state->B + 24);
- s13 = le_load_word32(state->B + 28);
- s20 = le_load_word32(state->B + 32);
- s21 = le_load_word32(state->B + 36);
- s22 = le_load_word32(state->B + 40);
- s23 = le_load_word32(state->B + 44);
-#endif
-
- /* Perform all rounds in pairs */
- for (step = 0; step < CLYDE128_STEPS; ++step) {
- /* Apply the S-box and L-box to bundle 0 */
- clyde128_sbox(s00, s01, s02, s03);
- clyde128_lbox(s00, s01);
- clyde128_lbox(s02, s03);
- s00 ^= rc[step][0];
- s01 ^= rc[step][1];
- s02 ^= rc[step][2];
- s03 ^= rc[step][3];
- clyde128_sbox(s00, s01, s02, s03);
-
- /* Apply the S-box and L-box to bundle 1 */
- clyde128_sbox(s10, s11, s12, s13);
- clyde128_lbox(s10, s11);
- clyde128_lbox(s12, s13);
- s10 ^= rc[step][0] << 1;
- s11 ^= rc[step][1] << 1;
- s12 ^= rc[step][2] << 1;
- s13 ^= rc[step][3] << 1;
- clyde128_sbox(s10, s11, s12, s13);
-
- /* Apply the S-box and L-box to bundle 2 */
- clyde128_sbox(s20, s21, s22, s23);
- clyde128_lbox(s20, s21);
- clyde128_lbox(s22, s23);
- s20 ^= rc[step][0] << 2;
- s21 ^= rc[step][1] << 2;
- s22 ^= rc[step][2] << 2;
- s23 ^= rc[step][3] << 2;
- clyde128_sbox(s20, s21, s22, s23);
-
- /* Apply the diffusion layer to the rows of the state */
- #define shadow384_diffusion_layer(row) \
- do { \
- x = s0##row; \
- y = s1##row; \
- z = s2##row; \
- s0##row = x ^ y ^ z; \
- s1##row = x ^ z; \
- s2##row = x ^ y; \
- } while (0)
- shadow384_diffusion_layer(0);
- shadow384_diffusion_layer(1);
- shadow384_diffusion_layer(2);
- shadow384_diffusion_layer(3);
-
- /* Add round constants to all bundles again */
- s00 ^= rc[step][4];
- s01 ^= rc[step][5];
- s02 ^= rc[step][6];
- s03 ^= rc[step][7];
- s10 ^= rc[step][4] << 1;
- s11 ^= rc[step][5] << 1;
- s12 ^= rc[step][6] << 1;
- s13 ^= rc[step][7] << 1;
- s20 ^= rc[step][4] << 2;
- s21 ^= rc[step][5] << 2;
- s22 ^= rc[step][6] << 2;
- s23 ^= rc[step][7] << 2;
- }
-
- /* Pack the local variables back into the state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->W[0] = s00;
- state->W[1] = s01;
- state->W[2] = s02;
- state->W[3] = s03;
- state->W[4] = s10;
- state->W[5] = s11;
- state->W[6] = s12;
- state->W[7] = s13;
- state->W[8] = s20;
- state->W[9] = s21;
- state->W[10] = s22;
- state->W[11] = s23;
-#else
- le_store_word32(state->B, s00);
- le_store_word32(state->B + 4, s01);
- le_store_word32(state->B + 8, s02);
- le_store_word32(state->B + 12, s03);
- le_store_word32(state->B + 16, s10);
- le_store_word32(state->B + 20, s11);
- le_store_word32(state->B + 24, s12);
- le_store_word32(state->B + 28, s13);
- le_store_word32(state->B + 32, s20);
- le_store_word32(state->B + 36, s21);
- le_store_word32(state->B + 40, s22);
- le_store_word32(state->B + 44, s23);
-#endif
-}
diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/internal-spook.h b/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/internal-spook.h
deleted file mode 100644
index b08ce80..0000000
--- a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/internal-spook.h
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SPOOK_H
-#define LW_INTERNAL_SPOOK_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-spook.h
- * \brief Internal implementation details of the Spook AEAD mode.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the block for the Clyde-128 block cipher.
- */
-#define CLYDE128_BLOCK_SIZE 16
-
-/**
- * \brief Size of the key for the Clyde-128 block cipher.
- */
-#define CLYDE128_KEY_SIZE 16
-
-/**
- * \brief Size of the tweak for the Clyde-128 block cipher.
- */
-#define CLYDE128_TWEAK_SIZE 16
-
-/**
- * \brief Size of the state for Shadow-512.
- */
-#define SHADOW512_STATE_SIZE 64
-
-/**
- * \brief Rate to absorb data into or squeeze data out of a Shadow-512 state.
- */
-#define SHADOW512_RATE 32
-
-/**
- * \brief Size of the state for Shadow-384.
- */
-#define SHADOW384_STATE_SIZE 48
-
-/**
- * \brief Rate to absorb data into or squeeze data out of a Shadow-384 state.
- */
-#define SHADOW384_RATE 16
-
-/**
- * \brief Internal state of the Shadow-512 permutation.
- */
-typedef union
-{
- uint32_t W[SHADOW512_STATE_SIZE / 4]; /**< Words of the state */
- uint8_t B[SHADOW512_STATE_SIZE]; /**< Bytes of the state */
-
-} shadow512_state_t;
-
-/**
- * \brief Internal state of the Shadow-384 permutation.
- */
-typedef union
-{
- uint32_t W[SHADOW384_STATE_SIZE / 4]; /**< Words of the state */
- uint8_t B[SHADOW384_STATE_SIZE]; /**< Bytes of the state */
-
-} shadow384_state_t;
-
-/**
- * \brief Encrypts a block with the Clyde-128 block cipher.
- *
- * \param key Points to the key to encrypt with.
- * \param tweak Points to the tweak to encrypt with.
- * \param output Output buffer for the ciphertext.
- * \param input Input buffer for the plaintext.
- *
- * \sa clyde128_decrypt()
- */
-void clyde128_encrypt(const unsigned char key[CLYDE128_KEY_SIZE],
- const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4],
- uint32_t output[CLYDE128_BLOCK_SIZE / 4],
- const uint32_t input[CLYDE128_BLOCK_SIZE / 4]);
-
-/**
- * \brief Decrypts a block with the Clyde-128 block cipher.
- *
- * \param key Points to the key to decrypt with.
- * \param tweak Points to the tweak to decrypt with.
- * \param output Output buffer for the plaintext.
- * \param input Input buffer for the ciphertext.
- *
- * \sa clyde128_encrypt()
- */
-void clyde128_decrypt(const unsigned char key[CLYDE128_KEY_SIZE],
- const uint32_t tweak[CLYDE128_TWEAK_SIZE / 4],
- uint32_t output[CLYDE128_BLOCK_SIZE / 4],
- const unsigned char input[CLYDE128_BLOCK_SIZE]);
-
-/**
- * \brief Performs the Shadow-512 permutation on a state.
- *
- * \param state The Shadow-512 state which will be in little-endian
- * byte order on input and output.
- *
- * \sa shadow384()
- */
-void shadow512(shadow512_state_t *state);
-
-/**
- * \brief Performs the Shadow-384 permutation on a state.
- *
- * \param state The Shadow-384 state which will be in little-endian
- * byte order on input and output.
- *
- * \sa shadow512()
- */
-void shadow384(shadow384_state_t *state);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/internal-util.h b/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/spook.c b/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/spook.c deleted file mode 100644 index d075b33..0000000 --- a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/spook.c +++ /dev/null 
@@ -1,552 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "spook.h"
-#include "internal-spook.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const spook_128_512_su_cipher = {
- "Spook-128-512-su",
- SPOOK_SU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_512_su_aead_encrypt,
- spook_128_512_su_aead_decrypt
-};
-
-aead_cipher_t const spook_128_384_su_cipher = {
- "Spook-128-384-su",
- SPOOK_SU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_384_su_aead_encrypt,
- spook_128_384_su_aead_decrypt
-};
-
-aead_cipher_t const spook_128_512_mu_cipher = {
- "Spook-128-512-mu",
- SPOOK_MU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_512_mu_aead_encrypt,
- spook_128_512_mu_aead_decrypt
-};
-
-aead_cipher_t const spook_128_384_mu_cipher = {
- "Spook-128-384-mu",
- SPOOK_MU_KEY_SIZE,
- SPOOK_NONCE_SIZE,
- SPOOK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- spook_128_384_mu_aead_encrypt,
- spook_128_384_mu_aead_decrypt
-};
-
-/**
- * \brief Initializes the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param k Points to the key.
- * \param klen Length of the key in bytes, either 16 or 32.
- * \param npub Public nonce for the state.
- */
-static void spook_128_512_init
- (shadow512_state_t *state,
- const unsigned char *k, unsigned klen,
- const unsigned char *npub)
-{
- memset(state->B, 0, SHADOW512_STATE_SIZE);
- if (klen == SPOOK_MU_KEY_SIZE) {
- /* The public tweak is 126 bits in size followed by a 1 bit */
- memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE);
- state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F;
- state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40;
- }
- memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE);
- clyde128_encrypt(k, state->W, state->W + 12, state->W + 4);
- shadow512(state);
-}
-
-/**
- * \brief Initializes the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param k Points to the key.
- * \param klen Length of the key in bytes, either 16 or 32.
- * \param npub Public nonce for the state.
- */
-static void spook_128_384_init
- (shadow384_state_t *state,
- const unsigned char *k, unsigned klen,
- const unsigned char *npub)
-{
- memset(state->B, 0, SHADOW384_STATE_SIZE);
- if (klen == SPOOK_MU_KEY_SIZE) {
- /* The public tweak is 126 bits in size followed by a 1 bit */
- memcpy(state->B, k + CLYDE128_BLOCK_SIZE, CLYDE128_BLOCK_SIZE);
- state->B[CLYDE128_BLOCK_SIZE - 1] &= 0x7F;
- state->B[CLYDE128_BLOCK_SIZE - 1] |= 0x40;
- }
- memcpy(state->B + CLYDE128_BLOCK_SIZE, npub, CLYDE128_BLOCK_SIZE);
- clyde128_encrypt(k, state->W, state->W + 8, state->W + 4);
- shadow384(state);
-}
-
-/**
- * \brief Absorbs associated data into the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes, must be non-zero.
- */
-static void spook_128_512_absorb
- (shadow512_state_t *state,
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen >= SHADOW512_RATE) {
- lw_xor_block(state->B, ad, SHADOW512_RATE);
- shadow512(state);
- ad += SHADOW512_RATE;
- adlen -= SHADOW512_RATE;
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(state->B, ad, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW512_RATE] ^= 0x02;
- shadow512(state);
- }
-}
-
-/**
- * \brief Absorbs associated data into the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes, must be non-zero.
- */
-static void spook_128_384_absorb
- (shadow384_state_t *state,
- const unsigned char *ad, unsigned long long adlen)
-{
- while (adlen >= SHADOW384_RATE) {
- lw_xor_block(state->B, ad, SHADOW384_RATE);
- shadow384(state);
- ad += SHADOW384_RATE;
- adlen -= SHADOW384_RATE;
- }
- if (adlen > 0) {
- unsigned temp = (unsigned)adlen;
- lw_xor_block(state->B, ad, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW384_RATE] ^= 0x02;
- shadow384(state);
- }
-}
-
-/**
- * \brief Encrypts the plaintext with the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param c Points to the ciphertext output buffer.
- * \param m Points to the plaintext input buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void spook_128_512_encrypt
- (shadow512_state_t *state, unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- state->B[SHADOW512_RATE] ^= 0x01;
- while (mlen >= SHADOW512_RATE) {
- lw_xor_block_2_dest(c, state->B, m, SHADOW512_RATE);
- shadow512(state);
- c += SHADOW512_RATE;
- m += SHADOW512_RATE;
- mlen -= SHADOW512_RATE;
- }
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_dest(c, state->B, m, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW512_RATE] ^= 0x02;
- shadow512(state);
- }
-}
-
-/**
- * \brief Encrypts the plaintext with the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param c Points to the ciphertext output buffer.
- * \param m Points to the plaintext input buffer.
- * \param mlen Number of bytes of plaintext to be encrypted.
- */
-static void spook_128_384_encrypt
- (shadow384_state_t *state, unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- state->B[SHADOW384_RATE] ^= 0x01;
- while (mlen >= SHADOW384_RATE) {
- lw_xor_block_2_dest(c, state->B, m, SHADOW384_RATE);
- shadow384(state);
- c += SHADOW384_RATE;
- m += SHADOW384_RATE;
- mlen -= SHADOW384_RATE;
- }
- if (mlen > 0) {
- unsigned temp = (unsigned)mlen;
- lw_xor_block_2_dest(c, state->B, m, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW384_RATE] ^= 0x02;
- shadow384(state);
- }
-}
-
-/**
- * \brief Decrypts the ciphertext with the Shadow-512 sponge state.
- *
- * \param state The sponge state.
- * \param m Points to the plaintext output buffer.
- * \param c Points to the ciphertext input buffer.
- * \param clen Number of bytes of ciphertext to be decrypted.
- */
-static void spook_128_512_decrypt
- (shadow512_state_t *state, unsigned char *m,
- const unsigned char *c, unsigned long long clen)
-{
- state->B[SHADOW512_RATE] ^= 0x01;
- while (clen >= SHADOW512_RATE) {
- lw_xor_block_swap(m, state->B, c, SHADOW512_RATE);
- shadow512(state);
- c += SHADOW512_RATE;
- m += SHADOW512_RATE;
- clen -= SHADOW512_RATE;
- }
- if (clen > 0) {
- unsigned temp = (unsigned)clen;
- lw_xor_block_swap(m, state->B, c, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW512_RATE] ^= 0x02;
- shadow512(state);
- }
-}
-
-/**
- * \brief Decrypts the ciphertext with the Shadow-384 sponge state.
- *
- * \param state The sponge state.
- * \param m Points to the plaintext output buffer.
- * \param c Points to the ciphertext input buffer.
- * \param clen Number of bytes of ciphertext to be decrypted.
- */
-static void spook_128_384_decrypt
- (shadow384_state_t *state, unsigned char *m,
- const unsigned char *c, unsigned long long clen)
-{
- state->B[SHADOW384_RATE] ^= 0x01;
- while (clen >= SHADOW384_RATE) {
- lw_xor_block_swap(m, state->B, c, SHADOW384_RATE);
- shadow384(state);
- c += SHADOW384_RATE;
- m += SHADOW384_RATE;
- clen -= SHADOW384_RATE;
- }
- if (clen > 0) {
- unsigned temp = (unsigned)clen;
- lw_xor_block_swap(m, state->B, c, temp);
- state->B[temp] ^= 0x01;
- state->B[SHADOW384_RATE] ^= 0x02;
- shadow384(state);
- }
-}
-
-int spook_128_512_su_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_512_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_512_su_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_512_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
-
-int spook_128_384_su_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_384_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_384_su_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_SU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_384_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
-
-int spook_128_512_mu_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_512_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_512_mu_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow512_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-512 sponge state */
- spook_128_512_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_512_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_512_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
-
-int spook_128_384_mu_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- if (mlen > 0)
- spook_128_384_encrypt(&state, c, m, mlen);
-
- /* Compute the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_encrypt(k, state.W + 4, state.W, state.W);
- memcpy(c + mlen, state.B, SPOOK_TAG_SIZE);
- return 0;
-}
-
-int spook_128_384_mu_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- shadow384_state_t state;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SPOOK_TAG_SIZE)
- return -1;
- *mlen = clen - SPOOK_TAG_SIZE;
-
- /* Initialize the Shadow-384 sponge state */
- spook_128_384_init(&state, k, SPOOK_MU_KEY_SIZE, npub);
-
- /* Process the associated data */
- if (adlen > 0)
- spook_128_384_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SPOOK_TAG_SIZE;
- if (clen > 0)
- spook_128_384_decrypt(&state, m, c, clen);
-
- /* Check the authentication tag */
- state.B[CLYDE128_BLOCK_SIZE * 2 - 1] |= 0x80;
- clyde128_decrypt(k, state.W + 4, state.W + 4, c + clen);
- return aead_check_tag
- (m, clen, state.B, state.B + CLYDE128_BLOCK_SIZE, SPOOK_TAG_SIZE);
-}
diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/spook.h b/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/spook.h
deleted file mode 100644
index 68b6a25..0000000
--- a/spook/Implementations/crypto_aead/spook128su512v1/rhys-avr/spook.h
+++ /dev/null
@@ -1,344 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SPOOK_H -#define LWCRYPTO_SPOOK_H - -#include "aead-common.h" - -/** - * \file spook.h - * \brief Spook authenticated encryption algorithm. - * - * Spook is a family of authenticated encryption algorithms that are - * built around a tweakable block cipher and a permutation. If the - * tweakable block cipher is implemented as a masked block cipher, - * then Spook provides protection against power analysis side channels. - * - * There are four members in the Spook family: - * - * \li Spook-128-512-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. - * Internally the algorithm uses a 512-bit permutation. This is the primary - * member of the family. - * \li Spook-128-384-su with a 128-bit key, a 128-bit nonce, and a 128-bit tag. - * Internally the algorithm uses a 384-bit permutation. 
- * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit - * nonce, and a 128-bit tag. Internally the algorithm uses a 512-bit - * permutation. - * \li Spook-128-512-mu with a 128-bit key, a 128-bit public tweak, a 128-bit - * nonce, and a 128-bit tag. Internally the algorithm uses a 384-bit - * permutation. - * - * In this library, the "mu" (multi-user) variants combine the 128-bit key - * and the 128-bit public tweak into a single 256-bit key value. - * Applications can either view this as a cipher with a 256-bit key, - * or they can split the key value into secret and public halves. - * Even with the use of 256-bit keys, Spook only has 128-bit security. - * - * References: https://www.spook.dev/ - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for the single-user version of Spook. - */ -#define SPOOK_SU_KEY_SIZE 16 - -/** - * \brief Size of the key for the multi-user version of Spook. - */ -#define SPOOK_MU_KEY_SIZE 32 - -/** - * \brief Size of the authentication tag for all Spook family members. - */ -#define SPOOK_TAG_SIZE 16 - -/** - * \brief Size of the nonce for all Spook family members. - */ -#define SPOOK_NONCE_SIZE 16 - -/** - * \brief Meta-information block for the Spook-128-512-su cipher. - */ -extern aead_cipher_t const spook_128_512_su_cipher; - -/** - * \brief Meta-information block for the Spook-128-384-su cipher. - */ -extern aead_cipher_t const spook_128_384_su_cipher; - -/** - * \brief Meta-information block for the Spook-128-512-mu cipher. - */ -extern aead_cipher_t const spook_128_512_mu_cipher; - -/** - * \brief Meta-information block for the Spook-128-384-mu cipher. - */ -extern aead_cipher_t const spook_128_384_mu_cipher; - -/** - * \brief Encrypts and authenticates a packet with Spook-128-512-su. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. 
- * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa spook_128_512_su_aead_decrypt() - */ -int spook_128_512_su_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-512-su. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa spook_128_512_su_aead_encrypt() - */ -int spook_128_512_su_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Spook-128-384-su. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa spook_128_384_su_aead_decrypt() - */ -int spook_128_384_su_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-384-su. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. 
- * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa spook_128_384_su_aead_encrypt() - */ -int spook_128_384_su_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Spook-128-512-mu. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa spook_128_512_mu_aead_decrypt() - */ -int spook_128_512_mu_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-512-mu. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa spook_128_512_mu_aead_encrypt() - */ -int spook_128_512_mu_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with Spook-128-384-mu. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. 
- * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa spook_128_384_mu_aead_decrypt() - */ -int spook_128_384_mu_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Spook-128-384-mu. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 32 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa spook_128_384_mu_aead_encrypt() - */ -int spook_128_384_mu_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-util.h b/spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-util.h +++ b/spook/Implementations/crypto_aead/spook128su512v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
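Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` in the -238 hunk is derived from `__AVR__` alone, with no way for a build to override it, so the composed rotation path can only ever be compiled on an AVR target and cannot be checked against the generic `leftRotate`/`rightRotate` forms on a host. Wrapping the selection in `#ifndef LW_CRYPTO_ROTATE32_COMPOSED` / `#endif` around the existing `#if defined(__AVR__)` block would let a host build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and run the same test vectors through both paths. Since `internal-util.h` appears to be vendored per cipher directory, the override would have to be replicated in every copy. The -254 hunk only opens the `#if !LW_CRYPTO_ROTATE32_COMPOSED` region and needs nothing further.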
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/aead-common.c b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
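Review bot: Each composed macro in the -322 hunk spells its composition out as raw nesting of the generic `leftRotate`/`rightRotate`, so the number of single-bit steps in `leftRotate12`, `leftRotate20` and their neighbours has to be counted by eye against the comment above each one; defining them in terms of macros already in the block, e.g. `#define leftRotate4(a) (leftRotate1(leftRotate3(a)))` and `#define leftRotate12(a) (leftRotate28(leftRotate16(a)))`, would keep comment and code from drifting apart. I traced all 31 left compositions and the 31 `rightRotateN` to `leftRotate(32-N)` pairs and they are correct as written. If the generic macros declare `_temp` inside a statement expression, as the `_temp` use in the -254 context suggests, the five-deep nesting in `leftRotate12` and `leftRotate20` re-declares `_temp` in each nested scope, which is well-defined but will trip `-Wshadow` at every call site. Every shift count stays a compile-time constant, so the composed forms preserve the data-independent timing of the generic ones.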
--- a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/aead-common.h b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/api.h b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/encrypt.c b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/encrypt.c deleted file mode 100644 index 2f166ad..0000000 --- a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@
-
-#include "subterranean.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return subterranean_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return subterranean_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/internal-subterranean.c b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/internal-subterranean.c
deleted file mode 100644
index 1cb64e2..0000000
--- a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/internal-subterranean.c
+++ /dev/null
@@ -1,441 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-subterranean.h" -#include - -void subterranean_round(subterranean_state_t *state) -{ - uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8; - uint32_t t0, t1; - - /* Load the state up into local variables */ - x0 = state->x[0]; - x1 = state->x[1]; - x2 = state->x[2]; - x3 = state->x[3]; - x4 = state->x[4]; - x5 = state->x[5]; - x6 = state->x[6]; - x7 = state->x[7]; - x8 = state->x[8]; - - /* Step chi: s[i] = s[i] ^ (~(s[i+1) & s[i+2]) */ - #define CHI(a, b) \ - do { \ - t0 = ((a) >> 1) | ((b) << 31); \ - t1 = ((a) >> 2) | ((b) << 30); \ - (a) ^= (~t0) & t1; \ - } while (0) - x8 ^= (x0 << 1); - CHI(x0, x1); CHI(x1, x2); - CHI(x2, x3); CHI(x3, x4); - CHI(x4, x5); CHI(x5, x6); - CHI(x6, x7); CHI(x7, x8); - x8 ^= (~(x8 >> 1)) & (x8 >> 2); - - /* Step itoa: invert s[0] */ - x0 ^= 1U; - - /* Step theta: s[i] = s[i] ^ s[i + 3] ^ s[i + 8] */ - #define THETA(a, b) \ - do { \ - t0 = ((a) >> 3) | ((b) << 29); \ - t1 = ((a) >> 8) | ((b) << 24); \ - (a) ^= t0 ^ t1; \ - } while (0) - x8 = (x8 & 1U) ^ (x0 << 1); - THETA(x0, x1); THETA(x1, x2); - THETA(x2, x3); THETA(x3, x4); - THETA(x4, x5); THETA(x5, x6); - THETA(x6, x7); THETA(x7, x8); - x8 ^= (x8 >> 3) ^ (x8 >> 8); - - /* Step pi: permute the bits with the rule s[i] = s[(i * 12) % 257]. 
- * BCP = bit copy, BUP = move bit up, BDN = move bit down */ - #define BCP(x, bit) ((x) & (((uint32_t)1) << (bit))) - #define BUP(x, from, to) \ - (((x) << ((to) - (from))) & (((uint32_t)1) << (to))) - #define BDN(x, from, to) \ - (((x) >> ((from) - (to))) & (((uint32_t)1) << (to))) - state->x[0] = BCP(x0, 0) ^ BDN(x0, 12, 1) ^ BDN(x0, 24, 2) ^ - BDN(x1, 4, 3) ^ BDN(x1, 16, 4) ^ BDN(x1, 28, 5) ^ - BDN(x2, 8, 6) ^ BDN(x2, 20, 7) ^ BUP(x3, 0, 8) ^ - BDN(x3, 12, 9) ^ BDN(x3, 24, 10) ^ BUP(x4, 4, 11) ^ - BDN(x4, 16, 12) ^ BDN(x4, 28, 13) ^ BUP(x5, 8, 14) ^ - BDN(x5, 20, 15) ^ BUP(x6, 0, 16) ^ BUP(x6, 12, 17) ^ - BDN(x6, 24, 18) ^ BUP(x7, 4, 19) ^ BUP(x7, 16, 20) ^ - BDN(x7, 28, 21) ^ BUP(x0, 7, 22) ^ BUP(x0, 19, 23) ^ - BDN(x0, 31, 24) ^ BUP(x1, 11, 25) ^ BUP(x1, 23, 26) ^ - BUP(x2, 3, 27) ^ BUP(x2, 15, 28) ^ BUP(x2, 27, 29) ^ - BUP(x3, 7, 30) ^ BUP(x3, 19, 31); - state->x[1] = BDN(x3, 31, 0) ^ BDN(x4, 11, 1) ^ BDN(x4, 23, 2) ^ - BCP(x5, 3) ^ BDN(x5, 15, 4) ^ BDN(x5, 27, 5) ^ - BDN(x6, 7, 6) ^ BDN(x6, 19, 7) ^ BDN(x6, 31, 8) ^ - BDN(x7, 11, 9) ^ BDN(x7, 23, 10) ^ BUP(x0, 2, 11) ^ - BDN(x0, 14, 12) ^ BDN(x0, 26, 13) ^ BUP(x1, 6, 14) ^ - BDN(x1, 18, 15) ^ BDN(x1, 30, 16) ^ BUP(x2, 10, 17) ^ - BDN(x2, 22, 18) ^ BUP(x3, 2, 19) ^ BUP(x3, 14, 20) ^ - BDN(x3, 26, 21) ^ BUP(x4, 6, 22) ^ BUP(x4, 18, 23) ^ - BDN(x4, 30, 24) ^ BUP(x5, 10, 25) ^ BUP(x5, 22, 26) ^ - BUP(x6, 2, 27) ^ BUP(x6, 14, 28) ^ BUP(x6, 26, 29) ^ - BUP(x7, 6, 30) ^ BUP(x7, 18, 31); - state->x[2] = BDN(x7, 30, 0) ^ BDN(x0, 9, 1) ^ BDN(x0, 21, 2) ^ - BUP(x1, 1, 3) ^ BDN(x1, 13, 4) ^ BDN(x1, 25, 5) ^ - BUP(x2, 5, 6) ^ BDN(x2, 17, 7) ^ BDN(x2, 29, 8) ^ - BCP(x3, 9) ^ BDN(x3, 21, 10) ^ BUP(x4, 1, 11) ^ - BDN(x4, 13, 12) ^ BDN(x4, 25, 13) ^ BUP(x5, 5, 14) ^ - BDN(x5, 17, 15) ^ BDN(x5, 29, 16) ^ BUP(x6, 9, 17) ^ - BDN(x6, 21, 18) ^ BUP(x7, 1, 19) ^ BUP(x7, 13, 20) ^ - BDN(x7, 25, 21) ^ BUP(x0, 4, 22) ^ BUP(x0, 16, 23) ^ - BDN(x0, 28, 24) ^ BUP(x1, 8, 25) ^ BUP(x1, 20, 26) ^ - BUP(x2, 0, 27) ^ BUP(x2, 12, 28) ^ 
BUP(x2, 24, 29) ^ - BUP(x3, 4, 30) ^ BUP(x3, 16, 31); - state->x[3] = BDN(x3, 28, 0) ^ BDN(x4, 8, 1) ^ BDN(x4, 20, 2) ^ - BUP(x5, 0, 3) ^ BDN(x5, 12, 4) ^ BDN(x5, 24, 5) ^ - BUP(x6, 4, 6) ^ BDN(x6, 16, 7) ^ BDN(x6, 28, 8) ^ - BUP(x7, 8, 9) ^ BDN(x7, 20, 10) ^ BUP(x8, 0, 11) ^ - BUP(x0, 11, 12) ^ BDN(x0, 23, 13) ^ BUP(x1, 3, 14) ^ - BCP(x1, 15) ^ BDN(x1, 27, 16) ^ BUP(x2, 7, 17) ^ - BDN(x2, 19, 18) ^ BDN(x2, 31, 19) ^ BUP(x3, 11, 20) ^ - BDN(x3, 23, 21) ^ BUP(x4, 3, 22) ^ BUP(x4, 15, 23) ^ - BDN(x4, 27, 24) ^ BUP(x5, 7, 25) ^ BUP(x5, 19, 26) ^ - BDN(x5, 31, 27) ^ BUP(x6, 11, 28) ^ BUP(x6, 23, 29) ^ - BUP(x7, 3, 30) ^ BUP(x7, 15, 31); - state->x[4] = BDN(x7, 27, 0) ^ BDN(x0, 6, 1) ^ BDN(x0, 18, 2) ^ - BDN(x0, 30, 3) ^ BDN(x1, 10, 4) ^ BDN(x1, 22, 5) ^ - BUP(x2, 2, 6) ^ BDN(x2, 14, 7) ^ BDN(x2, 26, 8) ^ - BUP(x3, 6, 9) ^ BDN(x3, 18, 10) ^ BDN(x3, 30, 11) ^ - BUP(x4, 10, 12) ^ BDN(x4, 22, 13) ^ BUP(x5, 2, 14) ^ - BUP(x5, 14, 15) ^ BDN(x5, 26, 16) ^ BUP(x6, 6, 17) ^ - BCP(x6, 18) ^ BDN(x6, 30, 19) ^ BUP(x7, 10, 20) ^ - BDN(x7, 22, 21) ^ BUP(x0, 1, 22) ^ BUP(x0, 13, 23) ^ - BDN(x0, 25, 24) ^ BUP(x1, 5, 25) ^ BUP(x1, 17, 26) ^ - BDN(x1, 29, 27) ^ BUP(x2, 9, 28) ^ BUP(x2, 21, 29) ^ - BUP(x3, 1, 30) ^ BUP(x3, 13, 31); - state->x[5] = BDN(x3, 25, 0) ^ BDN(x4, 5, 1) ^ BDN(x4, 17, 2) ^ - BDN(x4, 29, 3) ^ BDN(x5, 9, 4) ^ BDN(x5, 21, 5) ^ - BUP(x6, 1, 6) ^ BDN(x6, 13, 7) ^ BDN(x6, 25, 8) ^ - BUP(x7, 5, 9) ^ BDN(x7, 17, 10) ^ BDN(x7, 29, 11) ^ - BUP(x0, 8, 12) ^ BDN(x0, 20, 13) ^ BUP(x1, 0, 14) ^ - BUP(x1, 12, 15) ^ BDN(x1, 24, 16) ^ BUP(x2, 4, 17) ^ - BUP(x2, 16, 18) ^ BDN(x2, 28, 19) ^ BUP(x3, 8, 20) ^ - BUP(x3, 20, 21) ^ BUP(x4, 0, 22) ^ BUP(x4, 12, 23) ^ - BCP(x4, 24) ^ BUP(x5, 4, 25) ^ BUP(x5, 16, 26) ^ - BDN(x5, 28, 27) ^ BUP(x6, 8, 28) ^ BUP(x6, 20, 29) ^ - BUP(x7, 0, 30) ^ BUP(x7, 12, 31); - state->x[6] = BDN(x7, 24, 0) ^ BDN(x0, 3, 1) ^ BDN(x0, 15, 2) ^ - BDN(x0, 27, 3) ^ BDN(x1, 7, 4) ^ BDN(x1, 19, 5) ^ - BDN(x1, 31, 6) ^ BDN(x2, 11, 7) ^ BDN(x2, 23, 8) ^ - BUP(x3, 3, 
9) ^ BDN(x3, 15, 10) ^ BDN(x3, 27, 11) ^ - BUP(x4, 7, 12) ^ BDN(x4, 19, 13) ^ BDN(x4, 31, 14) ^ - BUP(x5, 11, 15) ^ BDN(x5, 23, 16) ^ BUP(x6, 3, 17) ^ - BUP(x6, 15, 18) ^ BDN(x6, 27, 19) ^ BUP(x7, 7, 20) ^ - BUP(x7, 19, 21) ^ BDN(x7, 31, 22) ^ BUP(x0, 10, 23) ^ - BUP(x0, 22, 24) ^ BUP(x1, 2, 25) ^ BUP(x1, 14, 26) ^ - BUP(x1, 26, 27) ^ BUP(x2, 6, 28) ^ BUP(x2, 18, 29) ^ - BCP(x2, 30) ^ BUP(x3, 10, 31); - state->x[7] = BDN(x3, 22, 0) ^ BDN(x4, 2, 1) ^ BDN(x4, 14, 2) ^ - BDN(x4, 26, 3) ^ BDN(x5, 6, 4) ^ BDN(x5, 18, 5) ^ - BDN(x5, 30, 6) ^ BDN(x6, 10, 7) ^ BDN(x6, 22, 8) ^ - BUP(x7, 2, 9) ^ BDN(x7, 14, 10) ^ BDN(x7, 26, 11) ^ - BUP(x0, 5, 12) ^ BDN(x0, 17, 13) ^ BDN(x0, 29, 14) ^ - BUP(x1, 9, 15) ^ BDN(x1, 21, 16) ^ BUP(x2, 1, 17) ^ - BUP(x2, 13, 18) ^ BDN(x2, 25, 19) ^ BUP(x3, 5, 20) ^ - BUP(x3, 17, 21) ^ BDN(x3, 29, 22) ^ BUP(x4, 9, 23) ^ - BUP(x4, 21, 24) ^ BUP(x5, 1, 25) ^ BUP(x5, 13, 26) ^ - BUP(x5, 25, 27) ^ BUP(x6, 5, 28) ^ BUP(x6, 17, 29) ^ - BUP(x6, 29, 30) ^ BUP(x7, 9, 31); - state->x[8] = BDN(x7, 21, 0); -} - -void subterranean_blank(subterranean_state_t *state) -{ - unsigned round; - for (round = 0; round < 8; ++round) { - subterranean_round(state); - state->x[0] ^= 0x02; /* padding for an empty block is in state bit 1 */ - } -} - -void subterranean_duplex_0(subterranean_state_t *state) -{ - subterranean_round(state); - state->x[0] ^= 0x02; /* padding for an empty block is in state bit 1 */ -} - -void subterranean_duplex_1(subterranean_state_t *state, unsigned char data) -{ - uint32_t x = data; - - /* Perform a single Subterranean round before absorbing the bits */ - subterranean_round(state); - - /* Rearrange the bits and absorb them into the state */ - state->x[0] ^= (x << 1) & 0x00000002U; - state->x[1] ^= x & 0x00000008U; - state->x[2] ^= 0x00000001U; /* 9th padding bit is always 1 */ - state->x[4] ^= ((x << 6) & 0x00000100U) ^ ((x << 1) & 0x00000040U); - state->x[5] ^= (x << 15) & 0x00010000U; - state->x[6] ^= (x >> 1) & 0x00000020U; - state->x[7] ^= 
((x << 21) & 0x02000000U) ^ ((x << 3) & 0x00000400U); -} - -void subterranean_duplex_word(subterranean_state_t *state, uint32_t x) -{ - uint32_t y; - - /* Perform a single Subterranean round before absorbing the bits */ - subterranean_round(state); - - /* To absorb the word into the state, we first rearrange the source - * bits to be in the right target bit positions. Then we mask and - * XOR them into the relevant words of the state. - * - * Some of the source bits end up in the same target bit but a different - * word so we have to permute the input word twice to get all the source - * bits into the locations we want for masking and XOR'ing. - * - * Permutations generated with "http://programming.sirrida.de/calcperm.php". - */ - - /* P1 = [1 16 8 3 25 * * 10 0 21 * 24 2 31 15 6 * 11 9 19 * * 29 * 4 * 30 12 * 22 17 5] */ - y = (x & 0x00080008U) - | ((x & 0x00004001U) << 1) - | ((x & 0x00000080U) << 3) - | ((x & 0x04000000U) << 4) - | leftRotate6(x & 0x80000004U) - | ((x & 0x00400000U) << 7) - | leftRotate12(x & 0x01000200U) - | ((x & 0x00000800U) << 13) - | ((x & 0x00000002U) << 15) - | ((x & 0x08000000U) >> 15) - | ((x & 0x00002000U) << 18) - | ((x & 0x40000000U) >> 13) - | ((x & 0x00000010U) << 21) - | ((x & 0x00001000U) >> 10) - | ((x & 0x00048000U) >> 9) - | ((x & 0x00000100U) >> 8) - | ((x & 0x20000000U) >> 7) - | ((x & 0x00020000U) >> 6); - - /* P2 = [* * * * * 6 5 * * * 31 * * * * * 17 * * * 0 9 * 15 * 30 * * 1 * * *] */ - x = ((x & 0x00010020U) << 1) - | leftRotate5(x & 0x12000000U) - | ((x & 0x00100000U) >> 20) - | ((x & 0x00200000U) >> 12) - | ((x & 0x00000400U) << 21) - | ((x & 0x00800000U) >> 8) - | ((x & 0x00000040U) >> 1); - - /* Integrate the rearranged bits into the state */ - state->x[0] ^= (y & 0x40428816U); - state->x[1] ^= (y & 0x00000008U); - state->x[2] ^= (y & 0x80000041U); - state->x[3] ^= (x & 0x00008000U); - state->x[4] ^= (y & 0x00001300U) ^ (x & 0x00000041U); - state->x[5] ^= (y & 0x21010020U) ^ (x & 0x40000200U); - state->x[6] ^= (y & 
0x00280000U) ^ (x & 0x80000020U); - state->x[7] ^= (y & 0x02000400U) ^ (x & 0x00020002U); -} - -void subterranean_duplex_n - (subterranean_state_t *state, const unsigned char *data, unsigned len) -{ - switch (len) { - case 0: - subterranean_duplex_0(state); - break; - case 1: - subterranean_duplex_1(state, data[0]); - break; - case 2: - /* Load 16 bits and add the padding bit to the 17th bit */ - subterranean_duplex_word - (state, ((uint32_t)(data[0]) | - (((uint32_t)(data[1])) << 8) | - 0x10000U)); - break; - case 3: - /* Load 24 bits and add the padding bit to the 25th bit */ - subterranean_duplex_word - (state, ((uint32_t)(data[0]) | - (((uint32_t)(data[1])) << 8) | - (((uint32_t)(data[2])) << 16) | - 0x01000000U)); - break; - default: - /* Load 32 bits and add the padding bit to the 33rd bit */ - subterranean_duplex_word(state, le_load_word32(data)); - state->x[8] ^= 0x00000001U; - break; - } -} - -uint32_t subterranean_extract(subterranean_state_t *state) -{ - uint32_t x, y; - - /* We need to extract 64 bits from the state, and then XOR the two - * halves together to get the result. - * - * Extract words from the state and permute the bits into the target - * bit order. Then mask off the unnecessary bits and combine. - * - * Permutations generated with "http://programming.sirrida.de/calcperm.php". 
- */ - - /* P0 = [* 0 12 * 24 * * * 4 * * 17 * * * 14 16 30 * * * * 29 7 * * * * * * 26 *] */ - x = state->x[0]; - x = (x & 0x00010000U) - | ((x & 0x00000800U) << 6) - | ((x & 0x00400000U) << 7) - | ((x & 0x00000004U) << 10) - | ((x & 0x00020000U) << 13) - | ((x & 0x00800000U) >> 16) - | ((x & 0x00000010U) << 20) - | ((x & 0x40000100U) >> 4) - | ((x & 0x00008002U) >> 1); - y = x & 0x65035091U; - - /* P1 = [28 * 10 3 * * * * * * * * 9 * 19 * * * * * * * * * * * * * 6 * * *] */ - x = state->x[1]; - x = (x & 0x00000008U) - | ((x & 0x00004000U) << 5) - | ((x & 0x00000004U) << 8) - | ((x & 0x10000000U) >> 22) - | ((x & 0x00000001U) << 28) - | ((x & 0x00001000U) >> 3); - y ^= x & 0x10080648U; - - /* P2 = [8 * * 25 22 * 15 * * 11 * * * * * * * 1 * * * * * * 21 * * * 31 * * 13] */ - x = state->x[2]; - x = ((x & 0x00000200U) << 2) - | ((x & 0x10000000U) << 3) - | ((x & 0x00000001U) << 8) - | ((x & 0x00000040U) << 9) - | ((x & 0x80000000U) >> 18) - | ((x & 0x00020000U) >> 16) - | ((x & 0x00000010U) << 18) - | ((x & 0x00000008U) << 22) - | ((x & 0x01000000U) >> 3); - y ^= x & 0x8260a902U; - - /* P3 = [* * * * * * * * * * * * * * * 23 * * * * * 27 * * 18 2 * 5 * * * *] */ - x = state->x[3]; - x = ((x & 0x00200000U) << 6) - | ((x & 0x00008000U) << 8) - | ((x & 0x02000000U) >> 23) - | ((x & 0x08000000U) >> 22) - | ((x & 0x01000000U) >> 6); - y ^= x & 0x08840024U; - - /* P4 = [20 20 * * * * 5 * 2 18 * * 27 * * * * * 23 * * * * * * * * * * * * *] */ - x = state->x[4]; - y ^= (x << 20) & 0x00100000U; /* Handle duplicated bit 20 separately */ - x = ((x & 0x00040000U) << 5) - | ((x & 0x00000200U) << 9) - | ((x & 0x00001000U) << 15) - | ((x & 0x00000002U) << 19) - | ((x & 0x00000100U) >> 6) - | ((x & 0x00000040U) >> 1); - y ^= x & 0x08940024U; - - /* P5 = [* * 13 * * 31 * * * 21 * * * * * * 1 * * * * * * * 11 * * 15 * 22 25 *] */ - x = state->x[5]; - x = ((x & 0x00000004U) << 11) - | ((x & 0x00000200U) << 12) - | ((x & 0x00010000U) >> 15) - | ((x & 0x01000000U) >> 13) - | ((x & 
0x08000000U) >> 12) - | ((x & 0x20000000U) >> 7) - | ((x & 0x00000020U) << 26) - | ((x & 0x40000000U) >> 5); - y ^= x & 0x8260a802U; - - /* P6 = [* 8 * * * 6 * * * * * * * * * * * * * 19 * 9 * * * * * * * * 3 10] */ - x = state->x[6]; - x = (x & 0x00080000U) - | ((x & 0x00000020U) << 1) - | ((x & 0x40000000U) >> 27) - | ((x & 0x00000002U) << 7) - | ((x & 0x80000000U) >> 21) - | ((x & 0x00200000U) >> 12); - y ^= x & 0x00080748U; - - /* P7 = [* 28 * 26 * * * * * * 7 29 * * * * 30 16 14 * * * 17 * * 4 * * * 24 * 12] */ - x = state->x[7]; - x = ((x & 0x02000000U) >> 21) - | ((x & 0x80000000U) >> 19) - | ((x & 0x00010000U) << 14) - | ((x & 0x00000800U) << 18) - | ((x & 0x00000008U) << 23) - | leftRotate27(x & 0x20400002U) - | ((x & 0x00040000U) >> 4) - | ((x & 0x00000400U) >> 3) - | ((x & 0x00020000U) >> 1); - y ^= x & 0x75035090U; - - /* Word 8 has a single bit - XOR it directly into the result and return */ - return y ^ state->x[8]; -} - -void subterranean_absorb - (subterranean_state_t *state, const unsigned char *data, - unsigned long long len) -{ - while (len >= 4) { - subterranean_duplex_4(state, data); - data += 4; - len -= 4; - } - subterranean_duplex_n(state, data, (unsigned)len); -} - -void subterranean_squeeze - (subterranean_state_t *state, unsigned char *data, unsigned len) -{ - uint32_t word; - while (len > 4) { - word = subterranean_extract(state); - subterranean_duplex_0(state); - le_store_word32(data, word); - data += 4; - len -= 4; - } - if (len == 4) { - word = subterranean_extract(state); - le_store_word32(data, word); - } else if (len == 1) { - word = subterranean_extract(state); - data[0] = (unsigned char)word; - } else if (len == 2) { - word = subterranean_extract(state); - data[0] = (unsigned char)word; - data[1] = (unsigned char)(word >> 8); - } else if (len == 3) { - word = subterranean_extract(state); - data[0] = (unsigned char)word; - data[1] = (unsigned char)(word >> 8); - data[2] = (unsigned char)(word >> 16); - } -} 
diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/internal-subterranean.h b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/internal-subterranean.h
deleted file mode 100644
index 71cebb2..0000000
--- a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/internal-subterranean.h
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SUBTERRANEAN_H
-#define LW_INTERNAL_SUBTERRANEAN_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-subterranean.h
- * \brief Internal implementation of the Subterranean block operation.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Representation of the 257-bit state of Subterranean.
- *
- * The 257-bit state is represented as nine 32-bit words with only a single
- * bit in the last word.
- */
-typedef struct
-{
- uint32_t x[9]; /**< State words */
-
-} subterranean_state_t;
-
-/**
- * \brief Performs a single Subterranean round.
- *
- * \param state Subterranean state to be transformed.
- */
-void subterranean_round(subterranean_state_t *state);
-
-/**
- * \brief Performs 8 Subterranean rounds with no absorption or squeezing
- * of data; i.e. 
data input and output is "blanked".
- *
- * \param state Subterranean state to be transformed.
- */
-void subterranean_blank(subterranean_state_t *state);
-
-/**
- * \brief Performs a single Subterranean round and absorbs 0 bytes.
- *
- * \param state Subterranean state to be transformed.
- */
-void subterranean_duplex_0(subterranean_state_t *state);
-
-/**
- * \brief Performs a single Subterranean round and absorbs one byte.
- *
- * \param state Subterranean state to be transformed.
- * \param data The single byte to be absorbed.
- */
-void subterranean_duplex_1(subterranean_state_t *state, unsigned char data);
-
-/**
- * \brief Absorbs a 32-bit word into the Subterranean state.
- *
- * \param state Subterranean state to be transformed.
- * \param x The word to absorb into the state.
- */
-void subterranean_duplex_word(subterranean_state_t *state, uint32_t x);
-
-/**
- * \brief Performs a single Subterranean round and absorbs four bytes.
- *
- * \param state Subterranean state to be transformed.
- * \param data Points to the four data bytes to be absorbed.
- */
-#define subterranean_duplex_4(state, data) \
- do { \
- subterranean_duplex_word((state), le_load_word32((data))); \
- (state)->x[8] ^= 1; \
- } while (0)
-
-/**
- * \brief Performs a single Subterranean round and absorbs between
- * zero and four bytes.
- *
- * \param state Subterranean state to be transformed.
- * \param data Points to the data bytes to be absorbed.
- * \param len Length of the data to be absorbed.
- */
-void subterranean_duplex_n
- (subterranean_state_t *state, const unsigned char *data, unsigned len);
-
-/**
- * \brief Extracts 32 bits of output from the Subterranean state.
- *
- * \param state Subterranean state to extract the output from.
- *
- * \return Returns the 32-bit word that was extracted.
- */
-uint32_t subterranean_extract(subterranean_state_t *state);
-
-/**
- * \brief Absorbs an arbitrary amount of data, four bytes at a time.
- *
- * \param state Subterranean state to be transformed.
- * \param data Points to the bytes to be absorbed.
- * \param len Number of bytes to absorb.
- */
-void subterranean_absorb
- (subterranean_state_t *state, const unsigned char *data,
- unsigned long long len);
-
-/**
- * \brief Squeezes an arbitrary amount of data out of a Subterranean state.
- *
- * \param state Subterranean state to extract the output from.
- * \param data Points to the data buffer to receive the output.
- * \param len Number of bytes to be extracted.
- */
-void subterranean_squeeze
- (subterranean_state_t *state, unsigned char *data, unsigned len);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/internal-util.h b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/subterranean.c b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/subterranean.c
deleted file mode 100644
index 1bc9fc4..0000000
--- a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/subterranean.c
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */ - -#include "subterranean.h" -#include "internal-subterranean.h" -#include - -aead_cipher_t const subterranean_cipher = { - "Subterranean", - SUBTERRANEAN_KEY_SIZE, - SUBTERRANEAN_NONCE_SIZE, - SUBTERRANEAN_TAG_SIZE, - AEAD_FLAG_NONE, - subterranean_aead_encrypt, - subterranean_aead_decrypt -}; - -aead_hash_algorithm_t const subterranean_hash_algorithm = { - "Subterranean-Hash", - sizeof(subterranean_hash_state_t), - SUBTERRANEAN_HASH_SIZE, - AEAD_FLAG_NONE, - subterranean_hash, - (aead_hash_init_t)subterranean_hash_init, - (aead_hash_update_t)subterranean_hash_update, - (aead_hash_finalize_t)subterranean_hash_finalize, - (aead_xof_absorb_t)0, - (aead_xof_squeeze_t)0 -}; - -int subterranean_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - subterranean_state_t state; - uint32_t x1, x2; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + SUBTERRANEAN_TAG_SIZE; - - /* Initialize the state and absorb the key and nonce */ - memset(&state, 0, sizeof(state)); - subterranean_absorb(&state, k, SUBTERRANEAN_KEY_SIZE); - subterranean_absorb(&state, npub, SUBTERRANEAN_NONCE_SIZE); - subterranean_blank(&state); - - /* Absorb the associated data into the state */ - subterranean_absorb(&state, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - while (mlen >= 4) { - x1 = le_load_word32(m); - x2 = subterranean_extract(&state) ^ x1; - subterranean_duplex_word(&state, x1); - state.x[8] ^= 1; /* padding for 32-bit blocks */ - le_store_word32(c, x2); - c += 4; - m += 4; - mlen -= 4; - } - switch ((unsigned char)mlen) { - default: - subterranean_duplex_0(&state); - break; - case 1: - x2 = subterranean_extract(&state) ^ m[0]; - subterranean_duplex_n(&state, m, 1); - c[0] = (unsigned char)x2; - break; - case 2: - x2 = 
subterranean_extract(&state) ^ m[0] ^ (((uint32_t)(m[1])) << 8); - subterranean_duplex_n(&state, m, 2); - c[0] = (unsigned char)x2; - c[1] = (unsigned char)(x2 >> 8); - break; - case 3: - x2 = subterranean_extract(&state) ^ - m[0] ^ (((uint32_t)(m[1])) << 8) ^ (((uint32_t)(m[2])) << 16); - subterranean_duplex_n(&state, m, 3); - c[0] = (unsigned char)x2; - c[1] = (unsigned char)(x2 >> 8); - c[2] = (unsigned char)(x2 >> 16); - break; - } - - /* Generate the authentication tag */ - subterranean_blank(&state); - subterranean_squeeze(&state, c + mlen, SUBTERRANEAN_TAG_SIZE); - return 0; -} - -int subterranean_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - subterranean_state_t state; - unsigned char *mtemp = m; - unsigned char tag[SUBTERRANEAN_TAG_SIZE]; - uint32_t x; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < SUBTERRANEAN_TAG_SIZE) - return -1; - *mlen = clen - SUBTERRANEAN_TAG_SIZE; - - /* Initialize the state and absorb the key and nonce */ - memset(&state, 0, sizeof(state)); - subterranean_absorb(&state, k, SUBTERRANEAN_KEY_SIZE); - subterranean_absorb(&state, npub, SUBTERRANEAN_NONCE_SIZE); - subterranean_blank(&state); - - /* Absorb the associated data into the state */ - subterranean_absorb(&state, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - clen -= SUBTERRANEAN_TAG_SIZE; - while (clen >= 4) { - x = le_load_word32(c); - x ^= subterranean_extract(&state); - subterranean_duplex_word(&state, x); - state.x[8] ^= 1; /* padding for 32-bit blocks */ - le_store_word32(m, x); - c += 4; - m += 4; - clen -= 4; - } - switch ((unsigned char)clen) { - default: - subterranean_duplex_0(&state); - break; - case 1: - m[0] = (unsigned char)(subterranean_extract(&state) ^ c[0]); - 
subterranean_duplex_1(&state, m[0]); - break; - case 2: - x = subterranean_extract(&state) ^ c[0] ^ (((uint32_t)(c[1])) << 8); - m[0] = (unsigned char)x; - m[1] = (unsigned char)(x >> 8); - subterranean_duplex_word(&state, (x & 0xFFFFU) | 0x10000U); - break; - case 3: - x = subterranean_extract(&state) ^ - c[0] ^ (((uint32_t)(c[1])) << 8) ^ (((uint32_t)(c[2])) << 16); - m[0] = (unsigned char)x; - m[1] = (unsigned char)(x >> 8); - m[2] = (unsigned char)(x >> 16); - subterranean_duplex_word(&state, (x & 0x00FFFFFFU) | 0x01000000U); - break; - } - - /* Check the authentication tag */ - subterranean_blank(&state); - subterranean_squeeze(&state, tag, sizeof(tag)); - return aead_check_tag(mtemp, *mlen, tag, c + clen, SUBTERRANEAN_TAG_SIZE); -} - -int subterranean_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - subterranean_state_t state; - memset(&state, 0, sizeof(state)); - while (inlen > 0) { - subterranean_duplex_1(&state, *in++); - subterranean_duplex_0(&state); - --inlen; - } - subterranean_duplex_0(&state); - subterranean_duplex_0(&state); - subterranean_blank(&state); - subterranean_squeeze(&state, out, SUBTERRANEAN_HASH_SIZE); - return 0; -} - -void subterranean_hash_init(subterranean_hash_state_t *state) -{ - memset(state, 0, sizeof(subterranean_hash_state_t)); -} - -void subterranean_hash_update - (subterranean_hash_state_t *state, const unsigned char *in, - unsigned long long inlen) -{ - subterranean_state_t *st = (subterranean_state_t *)state; - while (inlen > 0) { - subterranean_duplex_1(st, *in++); - subterranean_duplex_0(st); - --inlen; - } -} - -void subterranean_hash_finalize - (subterranean_hash_state_t *state, unsigned char *out) -{ - subterranean_state_t *st = (subterranean_state_t *)state; - subterranean_duplex_0(st); - subterranean_duplex_0(st); - subterranean_blank(st); - subterranean_squeeze(st, out, SUBTERRANEAN_HASH_SIZE); -} 
diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/subterranean.h b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/subterranean.h
deleted file mode 100644
index 148e5e8..0000000
--- a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys-avr/subterranean.h
+++ /dev/null
@@ -1,200 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SUBTERRANEAN_H -#define LWCRYPTO_SUBTERRANEAN_H - -#include "aead-common.h" - -/** - * \file subterranean.h - * \brief Subterranean authenticated encryption algorithm. - * - * Subterranean (technically "Subterranean 2.0") is a family of - * algorithms built around the 257-bit Subterranean permutation: - * - * \li Subterranean is an authenticated encryption algorithm with a 128-bit - * key, a 128-bit nonce, and a 128-bit tag. - * \li Subterranean-Hash is a hash algorithm with a 256-bit output. - * - * The Subterranean permutation is intended for hardware implementation. - * It is not structured for efficient software implementation. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for Subterranean. 
- */ -#define SUBTERRANEAN_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Subterranean. - */ -#define SUBTERRANEAN_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Subterranean. - */ -#define SUBTERRANEAN_NONCE_SIZE 16 - -/** - * \brief Size of the hash output for Subterranean-Hash. - */ -#define SUBTERRANEAN_HASH_SIZE 32 - -/** - * \brief Meta-information block for the Subterranean cipher. - */ -extern aead_cipher_t const subterranean_cipher; - -/** - * \brief Meta-information block for the SUBTERRANEAN hash algorithm. - */ -extern aead_hash_algorithm_t const subterranean_hash_algorithm; - -/** - * \brief State information for the Subterreaan incremental hash mode. - */ -typedef union -{ - unsigned char state[40]; /**< Current hash state */ - unsigned long long align; /**< For alignment of this structure */ - -} subterranean_hash_state_t; - -/** - * \brief Encrypts and authenticates a packet with Subterranean. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa subterranean_aead_decrypt() - */ -int subterranean_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Subterranean. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa subterranean_aead_encrypt() - */ -int subterranean_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data with Subterranean. - * - * \param out Buffer to receive the hash output which must be at least - * SUBTERRANEAN_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. 
- *
- * \sa subterranean_hash_init()
- */
-int subterranean_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a Subterranean hashing operation.
- *
- * \param state Hash state to be initialized.
- *
- * \sa subterranean_hash_update(), subterranean_hash_finalize(),
- * subterranean_hash()
- */
-void subterranean_hash_init(subterranean_hash_state_t *state);
-
-/**
- * \brief Updates a Subterranean state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- *
- * \sa subterranean_hash_init(), subterranean_hash_finalize()
- */
-void subterranean_hash_update
- (subterranean_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a Subterranean hashing operation.
- *
- * \param state Hash state to be finalized.
- * \param out Points to the output buffer to receive the 32-byte hash value.
- *
- * \sa subterranean_hash_init(), subterranean_hash_update()
- */
-void subterranean_hash_finalize
- (subterranean_hash_state_t *state, unsigned char *out);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-util.h b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-util.h
+++ b/subterranean/Implementations/crypto_aead/subterraneanv1/rhys/internal-util.h
@@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
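Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is derived from `__AVR__` with no way to override it, so the composed rotation set that the `#if !LW_CRYPTO_ROTATE32_COMPOSED` guard in the next hunk switches in can only ever be compiled on the device and never run through the host-side known-answer tests. Making the selector overridable costs one guard: wrap the existing `#if defined(__AVR__)` ... `#endif` in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` / `#endif`, so a build flag such as `-DLW_CRYPTO_ROTATE32_COMPOSED=1` exercises the AVR macro table on a desktop. The new comment block could then state that the value is 1 on AVR by default and may be forced by the build for testing.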
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/aead-common.c b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
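Review bot: The composed macros nest the generic `leftRotate`/`rightRotate` up to five deep, and the generic form is a statement expression with a local `_temp` (visible in the earlier hunk's context line `(_temp >> (bits)) | (_temp << (32 - (bits)))`; leftRotate presumably matches), so every inner expansion shadows the outer `_temp` and `-Wshadow` will warn on each use of e.g. `leftRotate12`; the result is still correct because each inner block is fully evaluated before the outer initializer completes. The larger gap is that none of these 62 definitions are compiled unless `__AVR__` is defined, so a wrong count in any one of them would only show up as a wrong tag or digest on the device. I'd add a host test that compiles this block (which needs the selector to be overridable) and asserts `leftRotateN(x) == ((x << N) | (x >> (32 - N)))` and `rightRotateN(x) == leftRotate(32-N)(x)` for N in 1..31 over a few inputs, including 0 and 0xFFFFFFFF. I spot-checked the anchored compositions (`leftRotate12` as left 16 then right 4, `leftRotate21` as left 24 then right 3, `leftRotate28` as right 4) and the `rightRotateN` table and they look consistent, but a machine check beats a spot check for a crypto primitive.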
--- a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/aead-common.h b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/api.h b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/api.h deleted file mode 100644 index ae8c7f6..0000000 --- a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/api.h +++ /dev/null @@ -1 +0,0 @@ -#define CRYPTO_BYTES 32 diff --git a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/internal-subterranean.c b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/internal-subterranean.c deleted file mode 100644 index 1cb64e2..0000000 --- a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/internal-subterranean.c +++ /dev/null 
@@ -1,441 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-subterranean.h" -#include - -void subterranean_round(subterranean_state_t *state) -{ - uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8; - uint32_t t0, t1; - - /* Load the state up into local variables */ - x0 = state->x[0]; - x1 = state->x[1]; - x2 = state->x[2]; - x3 = state->x[3]; - x4 = state->x[4]; - x5 = state->x[5]; - x6 = state->x[6]; - x7 = state->x[7]; - x8 = state->x[8]; - - /* Step chi: s[i] = s[i] ^ (~(s[i+1) & s[i+2]) */ - #define CHI(a, b) \ - do { \ - t0 = ((a) >> 1) | ((b) << 31); \ - t1 = ((a) >> 2) | ((b) << 30); \ - (a) ^= (~t0) & t1; \ - } while (0) - x8 ^= (x0 << 1); - CHI(x0, x1); CHI(x1, x2); - CHI(x2, x3); CHI(x3, x4); - CHI(x4, x5); CHI(x5, x6); - CHI(x6, x7); CHI(x7, x8); - x8 ^= (~(x8 >> 1)) & (x8 >> 2); - - /* Step itoa: invert s[0] */ - x0 ^= 1U; - - /* Step theta: s[i] = s[i] ^ s[i + 3] ^ s[i + 8] */ - #define THETA(a, b) \ - do { \ - t0 = ((a) >> 3) | ((b) << 29); \ - t1 = ((a) >> 8) | ((b) << 24); \ - (a) ^= t0 ^ t1; \ - } while (0) - x8 = (x8 & 1U) ^ (x0 << 1); - THETA(x0, x1); THETA(x1, x2); - THETA(x2, x3); THETA(x3, x4); - THETA(x4, x5); THETA(x5, x6); - THETA(x6, x7); THETA(x7, x8); - x8 ^= (x8 >> 3) ^ (x8 >> 8); - - /* Step pi: permute the bits with the rule s[i] = s[(i * 12) % 257]. 
- * BCP = bit copy, BUP = move bit up, BDN = move bit down */ - #define BCP(x, bit) ((x) & (((uint32_t)1) << (bit))) - #define BUP(x, from, to) \ - (((x) << ((to) - (from))) & (((uint32_t)1) << (to))) - #define BDN(x, from, to) \ - (((x) >> ((from) - (to))) & (((uint32_t)1) << (to))) - state->x[0] = BCP(x0, 0) ^ BDN(x0, 12, 1) ^ BDN(x0, 24, 2) ^ - BDN(x1, 4, 3) ^ BDN(x1, 16, 4) ^ BDN(x1, 28, 5) ^ - BDN(x2, 8, 6) ^ BDN(x2, 20, 7) ^ BUP(x3, 0, 8) ^ - BDN(x3, 12, 9) ^ BDN(x3, 24, 10) ^ BUP(x4, 4, 11) ^ - BDN(x4, 16, 12) ^ BDN(x4, 28, 13) ^ BUP(x5, 8, 14) ^ - BDN(x5, 20, 15) ^ BUP(x6, 0, 16) ^ BUP(x6, 12, 17) ^ - BDN(x6, 24, 18) ^ BUP(x7, 4, 19) ^ BUP(x7, 16, 20) ^ - BDN(x7, 28, 21) ^ BUP(x0, 7, 22) ^ BUP(x0, 19, 23) ^ - BDN(x0, 31, 24) ^ BUP(x1, 11, 25) ^ BUP(x1, 23, 26) ^ - BUP(x2, 3, 27) ^ BUP(x2, 15, 28) ^ BUP(x2, 27, 29) ^ - BUP(x3, 7, 30) ^ BUP(x3, 19, 31); - state->x[1] = BDN(x3, 31, 0) ^ BDN(x4, 11, 1) ^ BDN(x4, 23, 2) ^ - BCP(x5, 3) ^ BDN(x5, 15, 4) ^ BDN(x5, 27, 5) ^ - BDN(x6, 7, 6) ^ BDN(x6, 19, 7) ^ BDN(x6, 31, 8) ^ - BDN(x7, 11, 9) ^ BDN(x7, 23, 10) ^ BUP(x0, 2, 11) ^ - BDN(x0, 14, 12) ^ BDN(x0, 26, 13) ^ BUP(x1, 6, 14) ^ - BDN(x1, 18, 15) ^ BDN(x1, 30, 16) ^ BUP(x2, 10, 17) ^ - BDN(x2, 22, 18) ^ BUP(x3, 2, 19) ^ BUP(x3, 14, 20) ^ - BDN(x3, 26, 21) ^ BUP(x4, 6, 22) ^ BUP(x4, 18, 23) ^ - BDN(x4, 30, 24) ^ BUP(x5, 10, 25) ^ BUP(x5, 22, 26) ^ - BUP(x6, 2, 27) ^ BUP(x6, 14, 28) ^ BUP(x6, 26, 29) ^ - BUP(x7, 6, 30) ^ BUP(x7, 18, 31); - state->x[2] = BDN(x7, 30, 0) ^ BDN(x0, 9, 1) ^ BDN(x0, 21, 2) ^ - BUP(x1, 1, 3) ^ BDN(x1, 13, 4) ^ BDN(x1, 25, 5) ^ - BUP(x2, 5, 6) ^ BDN(x2, 17, 7) ^ BDN(x2, 29, 8) ^ - BCP(x3, 9) ^ BDN(x3, 21, 10) ^ BUP(x4, 1, 11) ^ - BDN(x4, 13, 12) ^ BDN(x4, 25, 13) ^ BUP(x5, 5, 14) ^ - BDN(x5, 17, 15) ^ BDN(x5, 29, 16) ^ BUP(x6, 9, 17) ^ - BDN(x6, 21, 18) ^ BUP(x7, 1, 19) ^ BUP(x7, 13, 20) ^ - BDN(x7, 25, 21) ^ BUP(x0, 4, 22) ^ BUP(x0, 16, 23) ^ - BDN(x0, 28, 24) ^ BUP(x1, 8, 25) ^ BUP(x1, 20, 26) ^ - BUP(x2, 0, 27) ^ BUP(x2, 12, 28) ^ 
BUP(x2, 24, 29) ^ - BUP(x3, 4, 30) ^ BUP(x3, 16, 31); - state->x[3] = BDN(x3, 28, 0) ^ BDN(x4, 8, 1) ^ BDN(x4, 20, 2) ^ - BUP(x5, 0, 3) ^ BDN(x5, 12, 4) ^ BDN(x5, 24, 5) ^ - BUP(x6, 4, 6) ^ BDN(x6, 16, 7) ^ BDN(x6, 28, 8) ^ - BUP(x7, 8, 9) ^ BDN(x7, 20, 10) ^ BUP(x8, 0, 11) ^ - BUP(x0, 11, 12) ^ BDN(x0, 23, 13) ^ BUP(x1, 3, 14) ^ - BCP(x1, 15) ^ BDN(x1, 27, 16) ^ BUP(x2, 7, 17) ^ - BDN(x2, 19, 18) ^ BDN(x2, 31, 19) ^ BUP(x3, 11, 20) ^ - BDN(x3, 23, 21) ^ BUP(x4, 3, 22) ^ BUP(x4, 15, 23) ^ - BDN(x4, 27, 24) ^ BUP(x5, 7, 25) ^ BUP(x5, 19, 26) ^ - BDN(x5, 31, 27) ^ BUP(x6, 11, 28) ^ BUP(x6, 23, 29) ^ - BUP(x7, 3, 30) ^ BUP(x7, 15, 31); - state->x[4] = BDN(x7, 27, 0) ^ BDN(x0, 6, 1) ^ BDN(x0, 18, 2) ^ - BDN(x0, 30, 3) ^ BDN(x1, 10, 4) ^ BDN(x1, 22, 5) ^ - BUP(x2, 2, 6) ^ BDN(x2, 14, 7) ^ BDN(x2, 26, 8) ^ - BUP(x3, 6, 9) ^ BDN(x3, 18, 10) ^ BDN(x3, 30, 11) ^ - BUP(x4, 10, 12) ^ BDN(x4, 22, 13) ^ BUP(x5, 2, 14) ^ - BUP(x5, 14, 15) ^ BDN(x5, 26, 16) ^ BUP(x6, 6, 17) ^ - BCP(x6, 18) ^ BDN(x6, 30, 19) ^ BUP(x7, 10, 20) ^ - BDN(x7, 22, 21) ^ BUP(x0, 1, 22) ^ BUP(x0, 13, 23) ^ - BDN(x0, 25, 24) ^ BUP(x1, 5, 25) ^ BUP(x1, 17, 26) ^ - BDN(x1, 29, 27) ^ BUP(x2, 9, 28) ^ BUP(x2, 21, 29) ^ - BUP(x3, 1, 30) ^ BUP(x3, 13, 31); - state->x[5] = BDN(x3, 25, 0) ^ BDN(x4, 5, 1) ^ BDN(x4, 17, 2) ^ - BDN(x4, 29, 3) ^ BDN(x5, 9, 4) ^ BDN(x5, 21, 5) ^ - BUP(x6, 1, 6) ^ BDN(x6, 13, 7) ^ BDN(x6, 25, 8) ^ - BUP(x7, 5, 9) ^ BDN(x7, 17, 10) ^ BDN(x7, 29, 11) ^ - BUP(x0, 8, 12) ^ BDN(x0, 20, 13) ^ BUP(x1, 0, 14) ^ - BUP(x1, 12, 15) ^ BDN(x1, 24, 16) ^ BUP(x2, 4, 17) ^ - BUP(x2, 16, 18) ^ BDN(x2, 28, 19) ^ BUP(x3, 8, 20) ^ - BUP(x3, 20, 21) ^ BUP(x4, 0, 22) ^ BUP(x4, 12, 23) ^ - BCP(x4, 24) ^ BUP(x5, 4, 25) ^ BUP(x5, 16, 26) ^ - BDN(x5, 28, 27) ^ BUP(x6, 8, 28) ^ BUP(x6, 20, 29) ^ - BUP(x7, 0, 30) ^ BUP(x7, 12, 31); - state->x[6] = BDN(x7, 24, 0) ^ BDN(x0, 3, 1) ^ BDN(x0, 15, 2) ^ - BDN(x0, 27, 3) ^ BDN(x1, 7, 4) ^ BDN(x1, 19, 5) ^ - BDN(x1, 31, 6) ^ BDN(x2, 11, 7) ^ BDN(x2, 23, 8) ^ - BUP(x3, 3, 
9) ^ BDN(x3, 15, 10) ^ BDN(x3, 27, 11) ^ - BUP(x4, 7, 12) ^ BDN(x4, 19, 13) ^ BDN(x4, 31, 14) ^ - BUP(x5, 11, 15) ^ BDN(x5, 23, 16) ^ BUP(x6, 3, 17) ^ - BUP(x6, 15, 18) ^ BDN(x6, 27, 19) ^ BUP(x7, 7, 20) ^ - BUP(x7, 19, 21) ^ BDN(x7, 31, 22) ^ BUP(x0, 10, 23) ^ - BUP(x0, 22, 24) ^ BUP(x1, 2, 25) ^ BUP(x1, 14, 26) ^ - BUP(x1, 26, 27) ^ BUP(x2, 6, 28) ^ BUP(x2, 18, 29) ^ - BCP(x2, 30) ^ BUP(x3, 10, 31); - state->x[7] = BDN(x3, 22, 0) ^ BDN(x4, 2, 1) ^ BDN(x4, 14, 2) ^ - BDN(x4, 26, 3) ^ BDN(x5, 6, 4) ^ BDN(x5, 18, 5) ^ - BDN(x5, 30, 6) ^ BDN(x6, 10, 7) ^ BDN(x6, 22, 8) ^ - BUP(x7, 2, 9) ^ BDN(x7, 14, 10) ^ BDN(x7, 26, 11) ^ - BUP(x0, 5, 12) ^ BDN(x0, 17, 13) ^ BDN(x0, 29, 14) ^ - BUP(x1, 9, 15) ^ BDN(x1, 21, 16) ^ BUP(x2, 1, 17) ^ - BUP(x2, 13, 18) ^ BDN(x2, 25, 19) ^ BUP(x3, 5, 20) ^ - BUP(x3, 17, 21) ^ BDN(x3, 29, 22) ^ BUP(x4, 9, 23) ^ - BUP(x4, 21, 24) ^ BUP(x5, 1, 25) ^ BUP(x5, 13, 26) ^ - BUP(x5, 25, 27) ^ BUP(x6, 5, 28) ^ BUP(x6, 17, 29) ^ - BUP(x6, 29, 30) ^ BUP(x7, 9, 31); - state->x[8] = BDN(x7, 21, 0); -} - -void subterranean_blank(subterranean_state_t *state) -{ - unsigned round; - for (round = 0; round < 8; ++round) { - subterranean_round(state); - state->x[0] ^= 0x02; /* padding for an empty block is in state bit 1 */ - } -} - -void subterranean_duplex_0(subterranean_state_t *state) -{ - subterranean_round(state); - state->x[0] ^= 0x02; /* padding for an empty block is in state bit 1 */ -} - -void subterranean_duplex_1(subterranean_state_t *state, unsigned char data) -{ - uint32_t x = data; - - /* Perform a single Subterranean round before absorbing the bits */ - subterranean_round(state); - - /* Rearrange the bits and absorb them into the state */ - state->x[0] ^= (x << 1) & 0x00000002U; - state->x[1] ^= x & 0x00000008U; - state->x[2] ^= 0x00000001U; /* 9th padding bit is always 1 */ - state->x[4] ^= ((x << 6) & 0x00000100U) ^ ((x << 1) & 0x00000040U); - state->x[5] ^= (x << 15) & 0x00010000U; - state->x[6] ^= (x >> 1) & 0x00000020U; - state->x[7] ^= 
((x << 21) & 0x02000000U) ^ ((x << 3) & 0x00000400U); -} - -void subterranean_duplex_word(subterranean_state_t *state, uint32_t x) -{ - uint32_t y; - - /* Perform a single Subterranean round before absorbing the bits */ - subterranean_round(state); - - /* To absorb the word into the state, we first rearrange the source - * bits to be in the right target bit positions. Then we mask and - * XOR them into the relevant words of the state. - * - * Some of the source bits end up in the same target bit but a different - * word so we have to permute the input word twice to get all the source - * bits into the locations we want for masking and XOR'ing. - * - * Permutations generated with "http://programming.sirrida.de/calcperm.php". - */ - - /* P1 = [1 16 8 3 25 * * 10 0 21 * 24 2 31 15 6 * 11 9 19 * * 29 * 4 * 30 12 * 22 17 5] */ - y = (x & 0x00080008U) - | ((x & 0x00004001U) << 1) - | ((x & 0x00000080U) << 3) - | ((x & 0x04000000U) << 4) - | leftRotate6(x & 0x80000004U) - | ((x & 0x00400000U) << 7) - | leftRotate12(x & 0x01000200U) - | ((x & 0x00000800U) << 13) - | ((x & 0x00000002U) << 15) - | ((x & 0x08000000U) >> 15) - | ((x & 0x00002000U) << 18) - | ((x & 0x40000000U) >> 13) - | ((x & 0x00000010U) << 21) - | ((x & 0x00001000U) >> 10) - | ((x & 0x00048000U) >> 9) - | ((x & 0x00000100U) >> 8) - | ((x & 0x20000000U) >> 7) - | ((x & 0x00020000U) >> 6); - - /* P2 = [* * * * * 6 5 * * * 31 * * * * * 17 * * * 0 9 * 15 * 30 * * 1 * * *] */ - x = ((x & 0x00010020U) << 1) - | leftRotate5(x & 0x12000000U) - | ((x & 0x00100000U) >> 20) - | ((x & 0x00200000U) >> 12) - | ((x & 0x00000400U) << 21) - | ((x & 0x00800000U) >> 8) - | ((x & 0x00000040U) >> 1); - - /* Integrate the rearranged bits into the state */ - state->x[0] ^= (y & 0x40428816U); - state->x[1] ^= (y & 0x00000008U); - state->x[2] ^= (y & 0x80000041U); - state->x[3] ^= (x & 0x00008000U); - state->x[4] ^= (y & 0x00001300U) ^ (x & 0x00000041U); - state->x[5] ^= (y & 0x21010020U) ^ (x & 0x40000200U); - state->x[6] ^= (y & 
0x00280000U) ^ (x & 0x80000020U); - state->x[7] ^= (y & 0x02000400U) ^ (x & 0x00020002U); -} - -void subterranean_duplex_n - (subterranean_state_t *state, const unsigned char *data, unsigned len) -{ - switch (len) { - case 0: - subterranean_duplex_0(state); - break; - case 1: - subterranean_duplex_1(state, data[0]); - break; - case 2: - /* Load 16 bits and add the padding bit to the 17th bit */ - subterranean_duplex_word - (state, ((uint32_t)(data[0]) | - (((uint32_t)(data[1])) << 8) | - 0x10000U)); - break; - case 3: - /* Load 24 bits and add the padding bit to the 25th bit */ - subterranean_duplex_word - (state, ((uint32_t)(data[0]) | - (((uint32_t)(data[1])) << 8) | - (((uint32_t)(data[2])) << 16) | - 0x01000000U)); - break; - default: - /* Load 32 bits and add the padding bit to the 33rd bit */ - subterranean_duplex_word(state, le_load_word32(data)); - state->x[8] ^= 0x00000001U; - break; - } -} - -uint32_t subterranean_extract(subterranean_state_t *state) -{ - uint32_t x, y; - - /* We need to extract 64 bits from the state, and then XOR the two - * halves together to get the result. - * - * Extract words from the state and permute the bits into the target - * bit order. Then mask off the unnecessary bits and combine. - * - * Permutations generated with "http://programming.sirrida.de/calcperm.php". 
- */ - - /* P0 = [* 0 12 * 24 * * * 4 * * 17 * * * 14 16 30 * * * * 29 7 * * * * * * 26 *] */ - x = state->x[0]; - x = (x & 0x00010000U) - | ((x & 0x00000800U) << 6) - | ((x & 0x00400000U) << 7) - | ((x & 0x00000004U) << 10) - | ((x & 0x00020000U) << 13) - | ((x & 0x00800000U) >> 16) - | ((x & 0x00000010U) << 20) - | ((x & 0x40000100U) >> 4) - | ((x & 0x00008002U) >> 1); - y = x & 0x65035091U; - - /* P1 = [28 * 10 3 * * * * * * * * 9 * 19 * * * * * * * * * * * * * 6 * * *] */ - x = state->x[1]; - x = (x & 0x00000008U) - | ((x & 0x00004000U) << 5) - | ((x & 0x00000004U) << 8) - | ((x & 0x10000000U) >> 22) - | ((x & 0x00000001U) << 28) - | ((x & 0x00001000U) >> 3); - y ^= x & 0x10080648U; - - /* P2 = [8 * * 25 22 * 15 * * 11 * * * * * * * 1 * * * * * * 21 * * * 31 * * 13] */ - x = state->x[2]; - x = ((x & 0x00000200U) << 2) - | ((x & 0x10000000U) << 3) - | ((x & 0x00000001U) << 8) - | ((x & 0x00000040U) << 9) - | ((x & 0x80000000U) >> 18) - | ((x & 0x00020000U) >> 16) - | ((x & 0x00000010U) << 18) - | ((x & 0x00000008U) << 22) - | ((x & 0x01000000U) >> 3); - y ^= x & 0x8260a902U; - - /* P3 = [* * * * * * * * * * * * * * * 23 * * * * * 27 * * 18 2 * 5 * * * *] */ - x = state->x[3]; - x = ((x & 0x00200000U) << 6) - | ((x & 0x00008000U) << 8) - | ((x & 0x02000000U) >> 23) - | ((x & 0x08000000U) >> 22) - | ((x & 0x01000000U) >> 6); - y ^= x & 0x08840024U; - - /* P4 = [20 20 * * * * 5 * 2 18 * * 27 * * * * * 23 * * * * * * * * * * * * *] */ - x = state->x[4]; - y ^= (x << 20) & 0x00100000U; /* Handle duplicated bit 20 separately */ - x = ((x & 0x00040000U) << 5) - | ((x & 0x00000200U) << 9) - | ((x & 0x00001000U) << 15) - | ((x & 0x00000002U) << 19) - | ((x & 0x00000100U) >> 6) - | ((x & 0x00000040U) >> 1); - y ^= x & 0x08940024U; - - /* P5 = [* * 13 * * 31 * * * 21 * * * * * * 1 * * * * * * * 11 * * 15 * 22 25 *] */ - x = state->x[5]; - x = ((x & 0x00000004U) << 11) - | ((x & 0x00000200U) << 12) - | ((x & 0x00010000U) >> 15) - | ((x & 0x01000000U) >> 13) - | ((x & 
0x08000000U) >> 12) - | ((x & 0x20000000U) >> 7) - | ((x & 0x00000020U) << 26) - | ((x & 0x40000000U) >> 5); - y ^= x & 0x8260a802U; - - /* P6 = [* 8 * * * 6 * * * * * * * * * * * * * 19 * 9 * * * * * * * * 3 10] */ - x = state->x[6]; - x = (x & 0x00080000U) - | ((x & 0x00000020U) << 1) - | ((x & 0x40000000U) >> 27) - | ((x & 0x00000002U) << 7) - | ((x & 0x80000000U) >> 21) - | ((x & 0x00200000U) >> 12); - y ^= x & 0x00080748U; - - /* P7 = [* 28 * 26 * * * * * * 7 29 * * * * 30 16 14 * * * 17 * * 4 * * * 24 * 12] */ - x = state->x[7]; - x = ((x & 0x02000000U) >> 21) - | ((x & 0x80000000U) >> 19) - | ((x & 0x00010000U) << 14) - | ((x & 0x00000800U) << 18) - | ((x & 0x00000008U) << 23) - | leftRotate27(x & 0x20400002U) - | ((x & 0x00040000U) >> 4) - | ((x & 0x00000400U) >> 3) - | ((x & 0x00020000U) >> 1); - y ^= x & 0x75035090U; - - /* Word 8 has a single bit - XOR it directly into the result and return */ - return y ^ state->x[8]; -} - -void subterranean_absorb - (subterranean_state_t *state, const unsigned char *data, - unsigned long long len) -{ - while (len >= 4) { - subterranean_duplex_4(state, data); - data += 4; - len -= 4; - } - subterranean_duplex_n(state, data, (unsigned)len); -} - -void subterranean_squeeze - (subterranean_state_t *state, unsigned char *data, unsigned len) -{ - uint32_t word; - while (len > 4) { - word = subterranean_extract(state); - subterranean_duplex_0(state); - le_store_word32(data, word); - data += 4; - len -= 4; - } - if (len == 4) { - word = subterranean_extract(state); - le_store_word32(data, word); - } else if (len == 1) { - word = subterranean_extract(state); - data[0] = (unsigned char)word; - } else if (len == 2) { - word = subterranean_extract(state); - data[0] = (unsigned char)word; - data[1] = (unsigned char)(word >> 8); - } else if (len == 3) { - word = subterranean_extract(state); - data[0] = (unsigned char)word; - data[1] = (unsigned char)(word >> 8); - data[2] = (unsigned char)(word >> 16); - } -} 
diff --git a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/internal-subterranean.h b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/internal-subterranean.h deleted file mode 100644 index 71cebb2..0000000 --- a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/internal-subterranean.h +++ /dev/null 
@@ -1,144 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_SUBTERRANEAN_H
-#define LW_INTERNAL_SUBTERRANEAN_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-subterranean.h
- * \brief Internal implementation of the Subterranean block operation.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Representation of the 257-bit state of Subterranean.
- *
- * The 257-bit state is represented as nine 32-bit words with only a single
- * bit in the last word.
- */
-typedef struct
-{
- uint32_t x[9]; /**< State words */
-
-} subterranean_state_t;
-
-/**
- * \brief Performs a single Subterranean round.
- *
- * \param state Subterranean state to be transformed.
- */
-void subterranean_round(subterranean_state_t *state);
-
-/**
- * \brief Performs 8 Subterranean rounds with no absorption or squeezing
- * of data; i.e. data input and output is "blanked".
- *
- * \param state Subterranean state to be transformed.
- */
-void subterranean_blank(subterranean_state_t *state);
-
-/**
- * \brief Performs a single Subterranean round and absorbs 0 bytes.
- *
- * \param state Subterranean state to be transformed.
- */
-void subterranean_duplex_0(subterranean_state_t *state);
-
-/**
- * \brief Performs a single Subterranean round and absorbs one byte.
- *
- * \param state Subterranean state to be transformed.
- * \param data The single byte to be absorbed.
- */
-void subterranean_duplex_1(subterranean_state_t *state, unsigned char data);
-
-/**
- * \brief Absorbs a 32-bit word into the Subterranean state.
- *
- * \param state Subterranean state to be transformed.
- * \param x The word to absorb into the state.
- */
-void subterranean_duplex_word(subterranean_state_t *state, uint32_t x);
-
-/**
- * \brief Performs a single Subterranean round and absorbs four bytes.
- *
- * \param state Subterranean state to be transformed.
- * \param data Points to the four data bytes to be absorbed.
- */
-#define subterranean_duplex_4(state, data) \
- do { \
- subterranean_duplex_word((state), le_load_word32((data))); \
- (state)->x[8] ^= 1; \
- } while (0)
-
-/**
- * \brief Performs a single Subterranean round and absorbs between
- * zero and four bytes.
- *
- * \param state Subterranean state to be transformed.
- * \param data Points to the data bytes to be absorbed.
- * \param len Length of the data to be absorbed.
- */
-void subterranean_duplex_n
- (subterranean_state_t *state, const unsigned char *data, unsigned len);
-
-/**
- * \brief Extracts 32 bits of output from the Subterranean state.
- *
- * \param state Subterranean state to extract the output from.
- *
- * \return Returns the 32-bit word that was extracted.
- */
-uint32_t subterranean_extract(subterranean_state_t *state);
-
-/**
- * \brief Absorbs an arbitrary amount of data, four bytes at a time.
- *
- * \param state Subterranean state to be transformed.
- * \param data Points to the bytes to be absorbed.
- * \param len Number of bytes to absorb.
- */
-void subterranean_absorb
- (subterranean_state_t *state, const unsigned char *data,
- unsigned long long len);
-
-/**
- * \brief Squeezes an arbitrary amount of data out of a Subterranean state.
- *
- * \param state Subterranean state to extract the output from.
- * \param data Points to the data buffer to receive the output.
- * \param len Number of bytes to be extracted.
- */
-void subterranean_squeeze
- (subterranean_state_t *state, unsigned char *data, unsigned len);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/internal-util.h b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/subterranean.c b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/subterranean.c deleted file mode 100644 index 1bc9fc4..0000000 --- a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/subterranean.c +++ /dev/null 
@@ -1,228 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "subterranean.h"
-#include "internal-subterranean.h"
-#include 
-
-aead_cipher_t const subterranean_cipher = {
- "Subterranean",
- SUBTERRANEAN_KEY_SIZE,
- SUBTERRANEAN_NONCE_SIZE,
- SUBTERRANEAN_TAG_SIZE,
- AEAD_FLAG_NONE,
- subterranean_aead_encrypt,
- subterranean_aead_decrypt
-};
-
-aead_hash_algorithm_t const subterranean_hash_algorithm = {
- "Subterranean-Hash",
- sizeof(subterranean_hash_state_t),
- SUBTERRANEAN_HASH_SIZE,
- AEAD_FLAG_NONE,
- subterranean_hash,
- (aead_hash_init_t)subterranean_hash_init,
- (aead_hash_update_t)subterranean_hash_update,
- (aead_hash_finalize_t)subterranean_hash_finalize,
- (aead_xof_absorb_t)0,
- (aead_xof_squeeze_t)0
-};
-
-int subterranean_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- subterranean_state_t state;
- uint32_t x1, x2;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + SUBTERRANEAN_TAG_SIZE;
-
- /* Initialize the state and absorb the key and nonce */
- memset(&state, 0, sizeof(state));
- subterranean_absorb(&state, k, SUBTERRANEAN_KEY_SIZE);
- subterranean_absorb(&state, npub, SUBTERRANEAN_NONCE_SIZE);
- subterranean_blank(&state);
-
- /* Absorb the associated data into the state */
- subterranean_absorb(&state, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- while (mlen >= 4) {
- x1 = le_load_word32(m);
- x2 = subterranean_extract(&state) ^ x1;
- subterranean_duplex_word(&state, x1);
- state.x[8] ^= 1; /* padding for 32-bit blocks */
- le_store_word32(c, x2);
- c += 4;
- m += 4;
- mlen -= 4;
- }
- switch ((unsigned char)mlen) {
- default:
- subterranean_duplex_0(&state);
- break;
- case 1:
- x2 = subterranean_extract(&state) ^ m[0];
- subterranean_duplex_n(&state, m, 1);
- c[0] = (unsigned char)x2;
- break;
- case 2:
- x2 = subterranean_extract(&state) ^ m[0] ^ (((uint32_t)(m[1])) << 8);
- subterranean_duplex_n(&state, m, 2);
- c[0] = (unsigned char)x2;
- c[1] = (unsigned char)(x2 >> 8);
- break;
- case 3:
- x2 = subterranean_extract(&state) ^
- m[0] ^ (((uint32_t)(m[1])) << 8) ^ (((uint32_t)(m[2])) << 16);
- subterranean_duplex_n(&state, m, 3);
- c[0] = (unsigned char)x2;
- c[1] = (unsigned char)(x2 >> 8);
- c[2] = (unsigned char)(x2 >> 16);
- break;
- }
-
- /* Generate the authentication tag */
- subterranean_blank(&state);
- subterranean_squeeze(&state, c + mlen, SUBTERRANEAN_TAG_SIZE);
- return 0;
-}
-
-int subterranean_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- subterranean_state_t state;
- unsigned char *mtemp = m;
- unsigned char tag[SUBTERRANEAN_TAG_SIZE];
- uint32_t x;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < SUBTERRANEAN_TAG_SIZE)
- return -1;
- *mlen = clen - SUBTERRANEAN_TAG_SIZE;
-
- /* Initialize the state and absorb the key and nonce */
- memset(&state, 0, sizeof(state));
- subterranean_absorb(&state, k, SUBTERRANEAN_KEY_SIZE);
- subterranean_absorb(&state, npub, SUBTERRANEAN_NONCE_SIZE);
- subterranean_blank(&state);
-
- /* Absorb the associated data into the state */
- subterranean_absorb(&state, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- clen -= SUBTERRANEAN_TAG_SIZE;
- while (clen >= 4) {
- x = le_load_word32(c);
- x ^= subterranean_extract(&state);
- subterranean_duplex_word(&state, x);
- state.x[8] ^= 1; /* padding for 32-bit blocks */
- le_store_word32(m, x);
- c += 4;
- m += 4;
- clen -= 4;
- }
- switch ((unsigned char)clen) {
- default:
- subterranean_duplex_0(&state);
- break;
- case 1:
- m[0] = (unsigned char)(subterranean_extract(&state) ^ c[0]);
- subterranean_duplex_1(&state, m[0]);
- break;
- case 2:
- x = subterranean_extract(&state) ^ c[0] ^ (((uint32_t)(c[1])) << 8);
- m[0] = (unsigned char)x;
- m[1] = (unsigned char)(x >> 8);
- subterranean_duplex_word(&state, (x & 0xFFFFU) | 0x10000U);
- break;
- case 3:
- x = subterranean_extract(&state) ^
- c[0] ^ (((uint32_t)(c[1])) << 8) ^ (((uint32_t)(c[2])) << 16);
- m[0] = (unsigned char)x;
- m[1] = (unsigned char)(x >> 8);
- m[2] = (unsigned char)(x >> 16);
- subterranean_duplex_word(&state, (x & 0x00FFFFFFU) | 0x01000000U);
- break;
- }
-
- /* Check the authentication tag */
- subterranean_blank(&state);
- subterranean_squeeze(&state, tag, sizeof(tag));
- return aead_check_tag(mtemp, *mlen, tag, c + clen, SUBTERRANEAN_TAG_SIZE);
-}
-
-int subterranean_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- subterranean_state_t state;
- memset(&state, 0, sizeof(state));
- while (inlen > 0) {
- subterranean_duplex_1(&state, *in++);
- subterranean_duplex_0(&state);
- --inlen;
- }
- subterranean_duplex_0(&state);
- subterranean_duplex_0(&state);
- subterranean_blank(&state);
- subterranean_squeeze(&state, out, SUBTERRANEAN_HASH_SIZE);
- return 0;
-}
-
-void subterranean_hash_init(subterranean_hash_state_t *state)
-{
- memset(state, 0, sizeof(subterranean_hash_state_t));
-}
-
-void subterranean_hash_update
- (subterranean_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen)
-{
- subterranean_state_t *st = (subterranean_state_t *)state;
- while (inlen > 0) {
- subterranean_duplex_1(st, *in++);
- subterranean_duplex_0(st);
- --inlen;
- }
-}
-
-void subterranean_hash_finalize
- (subterranean_hash_state_t *state, unsigned char *out)
-{
- subterranean_state_t *st = (subterranean_state_t *)state;
- subterranean_duplex_0(st);
- subterranean_duplex_0(st);
- subterranean_blank(st);
- subterranean_squeeze(st, out, SUBTERRANEAN_HASH_SIZE);
-}
diff --git a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/subterranean.h b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/subterranean.h
deleted file mode 100644
index 148e5e8..0000000
--- a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/subterranean.h
+++ /dev/null
@@ -1,200 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SUBTERRANEAN_H -#define LWCRYPTO_SUBTERRANEAN_H - -#include "aead-common.h" - -/** - * \file subterranean.h - * \brief Subterranean authenticated encryption algorithm. - * - * Subterranean (technically "Subterranean 2.0") is a family of - * algorithms built around the 257-bit Subterranean permutation: - * - * \li Subterranean is an authenticated encryption algorithm with a 128-bit - * key, a 128-bit nonce, and a 128-bit tag. - * \li Subterranean-Hash is a hash algorithm with a 256-bit output. - * - * The Subterranean permutation is intended for hardware implementation. - * It is not structured for efficient software implementation. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for Subterranean. 
- */ -#define SUBTERRANEAN_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Subterranean. - */ -#define SUBTERRANEAN_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Subterranean. - */ -#define SUBTERRANEAN_NONCE_SIZE 16 - -/** - * \brief Size of the hash output for Subterranean-Hash. - */ -#define SUBTERRANEAN_HASH_SIZE 32 - -/** - * \brief Meta-information block for the Subterranean cipher. - */ -extern aead_cipher_t const subterranean_cipher; - -/** - * \brief Meta-information block for the SUBTERRANEAN hash algorithm. - */ -extern aead_hash_algorithm_t const subterranean_hash_algorithm; - -/** - * \brief State information for the Subterreaan incremental hash mode. - */ -typedef union -{ - unsigned char state[40]; /**< Current hash state */ - unsigned long long align; /**< For alignment of this structure */ - -} subterranean_hash_state_t; - -/** - * \brief Encrypts and authenticates a packet with Subterranean. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa subterranean_aead_decrypt() - */ -int subterranean_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Subterranean. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa subterranean_aead_encrypt() - */ -int subterranean_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data with Subterranean. - * - * \param out Buffer to receive the hash output which must be at least - * SUBTERRANEAN_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. 
- *
- * \sa subterranean_hash_init()
- */
-int subterranean_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a Subterranean hashing operation.
- *
- * \param state Hash state to be initialized.
- *
- * \sa subterranean_hash_update(), subterranean_hash_finalize(),
- * subterranean_hash()
- */
-void subterranean_hash_init(subterranean_hash_state_t *state);
-
-/**
- * \brief Updates a Subterranean state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- *
- * \sa subterranean_hash_init(), subterranean_hash_finalize()
- */
-void subterranean_hash_update
- (subterranean_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a Subterranean hashing operation.
- *
- * \param state Hash state to be finalized.
- * \param out Points to the output buffer to receive the 32-byte hash value.
- *
- * \sa subterranean_hash_init(), subterranean_hash_update()
- */
-void subterranean_hash_finalize
- (subterranean_hash_state_t *state, unsigned char *out);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/aead-common.c b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/aead-common.c
similarity index 100%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/aead-common.c
rename to subterranean/Implementations/crypto_hash/subterraneanv1/rhys/aead-common.c
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/aead-common.h b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/aead-common.h
similarity index 100%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/aead-common.h
rename to subterranean/Implementations/crypto_hash/subterraneanv1/rhys/aead-common.h
diff --git a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/api.h b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/api.h
new file mode 100644
index 0000000..ae8c7f6
--- /dev/null
+++ b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/api.h
@@ -0,0 +1 @@
+#define CRYPTO_BYTES 32
diff --git a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/hash.c b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/hash.c
similarity index 100%
rename from subterranean/Implementations/crypto_hash/subterraneanv1/rhys-avr/hash.c
rename to subterranean/Implementations/crypto_hash/subterraneanv1/rhys/hash.c
diff --git a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/internal-subterranean.c b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/internal-subterranean.c
new file mode 100644
index 0000000..1cb64e2
--- /dev/null
+++ b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/internal-subterranean.c
@@ -0,0 +1,441 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "internal-subterranean.h"
+#include 
+
+void subterranean_round(subterranean_state_t *state)
+{
+ uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8;
+ uint32_t t0, t1;
+
+ /* Load the state up into local variables */
+ x0 = state->x[0];
+ x1 = state->x[1];
+ x2 = state->x[2];
+ x3 = state->x[3];
+ x4 = state->x[4];
+ x5 = state->x[5];
+ x6 = state->x[6];
+ x7 = state->x[7];
+ x8 = state->x[8];
+
+ /* Step chi: s[i] = s[i] ^ (~(s[i+1) & s[i+2]) */
+ #define CHI(a, b) \
+ do { \
+ t0 = ((a) >> 1) | ((b) << 31); \
+ t1 = ((a) >> 2) | ((b) << 30); \
+ (a) ^= (~t0) & t1; \
+ } while (0)
+ x8 ^= (x0 << 1);
+ CHI(x0, x1); CHI(x1, x2);
+ CHI(x2, x3); CHI(x3, x4);
+ CHI(x4, x5); CHI(x5, x6);
+ CHI(x6, x7); CHI(x7, x8);
+ x8 ^= (~(x8 >> 1)) & (x8 >> 2);
+
+ /* Step itoa: invert s[0] */
+ x0 ^= 1U;
+
+ /* Step theta: s[i] = s[i] ^ s[i + 3] ^ s[i + 8] */
+ #define THETA(a, b) \
+ do { \
+ t0 = ((a) >> 3) | ((b) << 29); \
+ t1 = ((a) >> 8) | ((b) << 24); \
+ (a) ^= t0 ^ t1; \
+ } while (0)
+ x8 = (x8 & 1U) ^ (x0 << 1);
+ THETA(x0, x1); THETA(x1, x2);
+ THETA(x2, x3); THETA(x3, x4);
+ THETA(x4, x5); THETA(x5, x6);
+ THETA(x6, x7); THETA(x7, x8);
+ x8 ^= (x8 >> 3) ^ (x8 >> 8);
+
+ /* Step pi: permute the bits with the rule s[i] = s[(i * 12) % 257].
+ * BCP = bit copy, BUP = move bit up, BDN = move bit down */
+ #define BCP(x, bit) ((x) & (((uint32_t)1) << (bit)))
+ #define BUP(x, from, to) \
+ (((x) << ((to) - (from))) & (((uint32_t)1) << (to)))
+ #define BDN(x, from, to) \
+ (((x) >> ((from) - (to))) & (((uint32_t)1) << (to)))
+ state->x[0] = BCP(x0, 0) ^ BDN(x0, 12, 1) ^ BDN(x0, 24, 2) ^
+ BDN(x1, 4, 3) ^ BDN(x1, 16, 4) ^ BDN(x1, 28, 5) ^
+ BDN(x2, 8, 6) ^ BDN(x2, 20, 7) ^ BUP(x3, 0, 8) ^
+ BDN(x3, 12, 9) ^ BDN(x3, 24, 10) ^ BUP(x4, 4, 11) ^
+ BDN(x4, 16, 12) ^ BDN(x4, 28, 13) ^ BUP(x5, 8, 14) ^
+ BDN(x5, 20, 15) ^ BUP(x6, 0, 16) ^ BUP(x6, 12, 17) ^
+ BDN(x6, 24, 18) ^ BUP(x7, 4, 19) ^ BUP(x7, 16, 20) ^
+ BDN(x7, 28, 21) ^ BUP(x0, 7, 22) ^ BUP(x0, 19, 23) ^
+ BDN(x0, 31, 24) ^ BUP(x1, 11, 25) ^ BUP(x1, 23, 26) ^
+ BUP(x2, 3, 27) ^ BUP(x2, 15, 28) ^ BUP(x2, 27, 29) ^
+ BUP(x3, 7, 30) ^ BUP(x3, 19, 31);
+ state->x[1] = BDN(x3, 31, 0) ^ BDN(x4, 11, 1) ^ BDN(x4, 23, 2) ^
+ BCP(x5, 3) ^ BDN(x5, 15, 4) ^ BDN(x5, 27, 5) ^
+ BDN(x6, 7, 6) ^ BDN(x6, 19, 7) ^ BDN(x6, 31, 8) ^
+ BDN(x7, 11, 9) ^ BDN(x7, 23, 10) ^ BUP(x0, 2, 11) ^
+ BDN(x0, 14, 12) ^ BDN(x0, 26, 13) ^ BUP(x1, 6, 14) ^
+ BDN(x1, 18, 15) ^ BDN(x1, 30, 16) ^ BUP(x2, 10, 17) ^
+ BDN(x2, 22, 18) ^ BUP(x3, 2, 19) ^ BUP(x3, 14, 20) ^
+ BDN(x3, 26, 21) ^ BUP(x4, 6, 22) ^ BUP(x4, 18, 23) ^
+ BDN(x4, 30, 24) ^ BUP(x5, 10, 25) ^ BUP(x5, 22, 26) ^
+ BUP(x6, 2, 27) ^ BUP(x6, 14, 28) ^ BUP(x6, 26, 29) ^
+ BUP(x7, 6, 30) ^ BUP(x7, 18, 31);
+ state->x[2] = BDN(x7, 30, 0) ^ BDN(x0, 9, 1) ^ BDN(x0, 21, 2) ^
+ BUP(x1, 1, 3) ^ BDN(x1, 13, 4) ^ BDN(x1, 25, 5) ^
+ BUP(x2, 5, 6) ^ BDN(x2, 17, 7) ^ BDN(x2, 29, 8) ^
+ BCP(x3, 9) ^ BDN(x3, 21, 10) ^ BUP(x4, 1, 11) ^
+ BDN(x4, 13, 12) ^ BDN(x4, 25, 13) ^ BUP(x5, 5, 14) ^
+ BDN(x5, 17, 15) ^ BDN(x5, 29, 16) ^ BUP(x6, 9, 17) ^
+ BDN(x6, 21, 18) ^ BUP(x7, 1, 19) ^ BUP(x7, 13, 20) ^
+ BDN(x7, 25, 21) ^ BUP(x0, 4, 22) ^ BUP(x0, 16, 23) ^
+ BDN(x0, 28, 24) ^ BUP(x1, 8, 25) ^ BUP(x1, 20, 26) ^
+ BUP(x2, 0, 27) ^ BUP(x2, 12, 28) ^ BUP(x2, 24, 29) ^
+ BUP(x3, 4, 30) ^ BUP(x3, 16, 31);
+ state->x[3] = BDN(x3, 28, 0) ^ BDN(x4, 8, 1) ^ BDN(x4, 20, 2) ^
+ BUP(x5, 0, 3) ^ BDN(x5, 12, 4) ^ BDN(x5, 24, 5) ^
+ BUP(x6, 4, 6) ^ BDN(x6, 16, 7) ^ BDN(x6, 28, 8) ^
+ BUP(x7, 8, 9) ^ BDN(x7, 20, 10) ^ BUP(x8, 0, 11) ^
+ BUP(x0, 11, 12) ^ BDN(x0, 23, 13) ^ BUP(x1, 3, 14) ^
+ BCP(x1, 15) ^ BDN(x1, 27, 16) ^ BUP(x2, 7, 17) ^
+ BDN(x2, 19, 18) ^ BDN(x2, 31, 19) ^ BUP(x3, 11, 20) ^
+ BDN(x3, 23, 21) ^ BUP(x4, 3, 22) ^ BUP(x4, 15, 23) ^
+ BDN(x4, 27, 24) ^ BUP(x5, 7, 25) ^ BUP(x5, 19, 26) ^
+ BDN(x5, 31, 27) ^ BUP(x6, 11, 28) ^ BUP(x6, 23, 29) ^
+ BUP(x7, 3, 30) ^ BUP(x7, 15, 31);
+ state->x[4] = BDN(x7, 27, 0) ^ BDN(x0, 6, 1) ^ BDN(x0, 18, 2) ^
+ BDN(x0, 30, 3) ^ BDN(x1, 10, 4) ^ BDN(x1, 22, 5) ^
+ BUP(x2, 2, 6) ^ BDN(x2, 14, 7) ^ BDN(x2, 26, 8) ^
+ BUP(x3, 6, 9) ^ BDN(x3, 18, 10) ^ BDN(x3, 30, 11) ^
+ BUP(x4, 10, 12) ^ BDN(x4, 22, 13) ^ BUP(x5, 2, 14) ^
+ BUP(x5, 14, 15) ^ BDN(x5, 26, 16) ^ BUP(x6, 6, 17) ^
+ BCP(x6, 18) ^ BDN(x6, 30, 19) ^ BUP(x7, 10, 20) ^
+ BDN(x7, 22, 21) ^ BUP(x0, 1, 22) ^ BUP(x0, 13, 23) ^
+ BDN(x0, 25, 24) ^ BUP(x1, 5, 25) ^ BUP(x1, 17, 26) ^
+ BDN(x1, 29, 27) ^ BUP(x2, 9, 28) ^ BUP(x2, 21, 29) ^
+ BUP(x3, 1, 30) ^ BUP(x3, 13, 31);
+ state->x[5] = BDN(x3, 25, 0) ^ BDN(x4, 5, 1) ^ BDN(x4, 17, 2) ^
+ BDN(x4, 29, 3) ^ BDN(x5, 9, 4) ^ BDN(x5, 21, 5) ^
+ BUP(x6, 1, 6) ^ BDN(x6, 13, 7) ^ BDN(x6, 25, 8) ^
+ BUP(x7, 5, 9) ^ BDN(x7, 17, 10) ^ BDN(x7, 29, 11) ^
+ BUP(x0, 8, 12) ^ BDN(x0, 20, 13) ^ BUP(x1, 0, 14) ^
+ BUP(x1, 12, 15) ^ BDN(x1, 24, 16) ^ BUP(x2, 4, 17) ^
+ BUP(x2, 16, 18) ^ BDN(x2, 28, 19) ^ BUP(x3, 8, 20) ^
+ BUP(x3, 20, 21) ^ BUP(x4, 0, 22) ^ BUP(x4, 12, 23) ^
+ BCP(x4, 24) ^ BUP(x5, 4, 25) ^ BUP(x5, 16, 26) ^
+ BDN(x5, 28, 27) ^ BUP(x6, 8, 28) ^ BUP(x6, 20, 29) ^
+ BUP(x7, 0, 30) ^ BUP(x7, 12, 31);
+ state->x[6] = BDN(x7, 24, 0) ^ BDN(x0, 3, 1) ^ BDN(x0, 15, 2) ^
+ BDN(x0, 27, 3) ^ BDN(x1, 7, 4) ^ BDN(x1, 19, 5) ^
+ BDN(x1, 31, 6) ^ BDN(x2, 11, 7) ^ BDN(x2, 23, 8) ^
+ BUP(x3, 3, 9) ^ BDN(x3, 15, 10) ^ BDN(x3, 27, 11) ^
+ BUP(x4, 7, 12) ^ BDN(x4, 19, 13) ^ BDN(x4, 31, 14) ^
+ BUP(x5, 11, 15) ^ BDN(x5, 23, 16) ^ BUP(x6, 3, 17) ^
+ BUP(x6, 15, 18) ^ BDN(x6, 27, 19) ^ BUP(x7, 7, 20) ^
+ BUP(x7, 19, 21) ^ BDN(x7, 31, 22) ^ BUP(x0, 10, 23) ^
+ BUP(x0, 22, 24) ^ BUP(x1, 2, 25) ^ BUP(x1, 14, 26) ^
+ BUP(x1, 26, 27) ^ BUP(x2, 6, 28) ^ BUP(x2, 18, 29) ^
+ BCP(x2, 30) ^ BUP(x3, 10, 31);
+ state->x[7] = BDN(x3, 22, 0) ^ BDN(x4, 2, 1) ^ BDN(x4, 14, 2) ^
+ BDN(x4, 26, 3) ^ BDN(x5, 6, 4) ^ BDN(x5, 18, 5) ^
+ BDN(x5, 30, 6) ^ BDN(x6, 10, 7) ^ BDN(x6, 22, 8) ^
+ BUP(x7, 2, 9) ^ BDN(x7, 14, 10) ^ BDN(x7, 26, 11) ^
+ BUP(x0, 5, 12) ^ BDN(x0, 17, 13) ^ BDN(x0, 29, 14) ^
+ BUP(x1, 9, 15) ^ BDN(x1, 21, 16) ^ BUP(x2, 1, 17) ^
+ BUP(x2, 13, 18) ^ BDN(x2, 25, 19) ^ BUP(x3, 5, 20) ^
+ BUP(x3, 17, 21) ^ BDN(x3, 29, 22) ^ BUP(x4, 9, 23) ^
+ BUP(x4, 21, 24) ^ BUP(x5, 1, 25) ^ BUP(x5, 13, 26) ^
+ BUP(x5, 25, 27) ^ BUP(x6, 5, 28) ^ BUP(x6, 17, 29) ^
+ BUP(x6, 29, 30) ^ BUP(x7, 9, 31);
+ state->x[8] = BDN(x7, 21, 0);
+}
+
+void subterranean_blank(subterranean_state_t *state)
+{
+ unsigned round;
+ for (round = 0; round < 8; ++round) {
+ subterranean_round(state);
+ state->x[0] ^= 0x02; /* padding for an empty block is in state bit 1 */
+ }
+}
+
+void subterranean_duplex_0(subterranean_state_t *state)
+{
+ subterranean_round(state);
+ state->x[0] ^= 0x02; /* padding for an empty block is in state bit 1 */
+}
+
+void subterranean_duplex_1(subterranean_state_t *state, unsigned char data)
+{
+ uint32_t x = data;
+
+ /* Perform a single Subterranean round before absorbing the bits */
+ subterranean_round(state);
+
+ /* Rearrange the bits and absorb them into the state */
+ state->x[0] ^= (x << 1) & 0x00000002U;
+ state->x[1] ^= x & 0x00000008U;
+ state->x[2] ^= 0x00000001U; /* 9th padding bit is always 1 */
+ state->x[4] ^= ((x << 6) & 0x00000100U) ^ ((x << 1) & 0x00000040U);
+ state->x[5] ^= (x << 15) & 0x00010000U;
+ state->x[6] ^= (x >> 1) & 0x00000020U;
+ state->x[7] ^= ((x << 21) & 0x02000000U) ^ ((x << 3) & 0x00000400U);
+}
+
+void subterranean_duplex_word(subterranean_state_t *state, uint32_t x)
+{
+ uint32_t y;
+
+ /* Perform a single Subterranean round before absorbing the bits */
+ subterranean_round(state);
+
+ /* To absorb the word into the state, we first rearrange the source
+ * bits to be in the right target bit positions. Then we mask and
+ * XOR them into the relevant words of the state.
+ *
+ * Some of the source bits end up in the same target bit but a different
+ * word so we have to permute the input word twice to get all the source
+ * bits into the locations we want for masking and XOR'ing.
+ *
+ * Permutations generated with "http://programming.sirrida.de/calcperm.php".
+ */
+
+ /* P1 = [1 16 8 3 25 * * 10 0 21 * 24 2 31 15 6 * 11 9 19 * * 29 * 4 * 30 12 * 22 17 5] */
+ y = (x & 0x00080008U)
+ | ((x & 0x00004001U) << 1)
+ | ((x & 0x00000080U) << 3)
+ | ((x & 0x04000000U) << 4)
+ | leftRotate6(x & 0x80000004U)
+ | ((x & 0x00400000U) << 7)
+ | leftRotate12(x & 0x01000200U)
+ | ((x & 0x00000800U) << 13)
+ | ((x & 0x00000002U) << 15)
+ | ((x & 0x08000000U) >> 15)
+ | ((x & 0x00002000U) << 18)
+ | ((x & 0x40000000U) >> 13)
+ | ((x & 0x00000010U) << 21)
+ | ((x & 0x00001000U) >> 10)
+ | ((x & 0x00048000U) >> 9)
+ | ((x & 0x00000100U) >> 8)
+ | ((x & 0x20000000U) >> 7)
+ | ((x & 0x00020000U) >> 6);
+
+ /* P2 = [* * * * * 6 5 * * * 31 * * * * * 17 * * * 0 9 * 15 * 30 * * 1 * * *] */
+ x = ((x & 0x00010020U) << 1)
+ | leftRotate5(x & 0x12000000U)
+ | ((x & 0x00100000U) >> 20)
+ | ((x & 0x00200000U) >> 12)
+ | ((x & 0x00000400U) << 21)
+ | ((x & 0x00800000U) >> 8)
+ | ((x & 0x00000040U) >> 1);
+
+ /* Integrate the rearranged bits into the state */
+ state->x[0] ^= (y & 0x40428816U);
+ state->x[1] ^= (y & 0x00000008U);
+ state->x[2] ^= (y & 0x80000041U);
+ state->x[3] ^= (x & 0x00008000U);
+ state->x[4] ^= (y & 0x00001300U) ^ (x & 0x00000041U);
+ state->x[5] ^= (y & 0x21010020U) ^ (x & 0x40000200U);
+ state->x[6] ^= (y & 0x00280000U) ^ (x & 0x80000020U);
+ state->x[7] ^= (y & 0x02000400U) ^ (x & 0x00020002U);
+}
+
+void subterranean_duplex_n
+ (subterranean_state_t *state, const unsigned char *data, unsigned len)
+{
+ switch (len) {
+ case 0:
+ subterranean_duplex_0(state);
+ break;
+ case 1:
+ subterranean_duplex_1(state, data[0]);
+ break;
+ case 2:
+ /* Load 16 bits and add the padding bit to the 17th bit */
+ subterranean_duplex_word
+ (state, ((uint32_t)(data[0]) |
+ (((uint32_t)(data[1])) << 8) |
+ 0x10000U));
+ break;
+ case 3:
+ /* Load 24 bits and add the padding bit to the 25th bit */
+ subterranean_duplex_word
+ (state, ((uint32_t)(data[0]) |
+ (((uint32_t)(data[1])) << 8) |
+ (((uint32_t)(data[2])) << 16) |
+ 0x01000000U));
+ break;
+ default:
+ /* Load 32 bits and add the padding bit to the 33rd bit */
+ subterranean_duplex_word(state, le_load_word32(data));
+ state->x[8] ^= 0x00000001U;
+ break;
+ }
+}
+
+uint32_t subterranean_extract(subterranean_state_t *state)
+{
+ uint32_t x, y;
+
+ /* We need to extract 64 bits from the state, and then XOR the two
+ * halves together to get the result.
+ *
+ * Extract words from the state and permute the bits into the target
+ * bit order. Then mask off the unnecessary bits and combine.
+ *
+ * Permutations generated with "http://programming.sirrida.de/calcperm.php".
+ */
+
+ /* P0 = [* 0 12 * 24 * * * 4 * * 17 * * * 14 16 30 * * * * 29 7 * * * * * * 26 *] */
+ x = state->x[0];
+ x = (x & 0x00010000U)
+ | ((x & 0x00000800U) << 6)
+ | ((x & 0x00400000U) << 7)
+ | ((x & 0x00000004U) << 10)
+ | ((x & 0x00020000U) << 13)
+ | ((x & 0x00800000U) >> 16)
+ | ((x & 0x00000010U) << 20)
+ | ((x & 0x40000100U) >> 4)
+ | ((x & 0x00008002U) >> 1);
+ y = x & 0x65035091U;
+
+ /* P1 = [28 * 10 3 * * * * * * * * 9 * 19 * * * * * * * * * * * * * 6 * * *] */
+ x = state->x[1];
+ x = (x & 0x00000008U)
+ | ((x & 0x00004000U) << 5)
+ | ((x & 0x00000004U) << 8)
+ | ((x & 0x10000000U) >> 22)
+ | ((x & 0x00000001U) << 28)
+ | ((x & 0x00001000U) >> 3);
+ y ^= x & 0x10080648U;
+
+ /* P2 = [8 * * 25 22 * 15 * * 11 * * * * * * * 1 * * * * * * 21 * * * 31 * * 13] */
+ x = state->x[2];
+ x = ((x & 0x00000200U) << 2)
+ | ((x & 0x10000000U) << 3)
+ | ((x & 0x00000001U) << 8)
+ | ((x & 0x00000040U) << 9)
+ | ((x & 0x80000000U) >> 18)
+ | ((x & 0x00020000U) >> 16)
+ | ((x & 0x00000010U) << 18)
+ | ((x & 0x00000008U) << 22)
+ | ((x & 0x01000000U) >> 3);
+ y ^= x & 0x8260a902U;
+
+ /* P3 = [* * * * * * * * * * * * * * * 23 * * * * * 27 * * 18 2 * 5 * * * *] */
+ x = state->x[3];
+ x = ((x & 0x00200000U) << 6)
+ | ((x & 0x00008000U) << 8)
+ | ((x & 0x02000000U) >> 23)
+ | ((x & 0x08000000U) >> 22)
+ | ((x & 0x01000000U) >> 6);
+ y ^= x & 0x08840024U;
+
+ /* P4 = [20 20 * * * * 5 * 2 18 * * 27 * * * * * 23 * * * * * * * * * * * * *] */
+ x = state->x[4];
+ y ^= (x << 20) & 0x00100000U; /* Handle duplicated bit 20 separately */
+ x = ((x & 0x00040000U) << 5)
+ | ((x & 0x00000200U) << 9)
+ | ((x & 0x00001000U) << 15)
+ | ((x & 0x00000002U) << 19)
+ | ((x & 0x00000100U) >> 6)
+ | ((x & 0x00000040U) >> 1);
+ y ^= x & 0x08940024U;
+
+ /* P5 = [* * 13 * * 31 * * * 21 * * * * * * 1 * * * * * * * 11 * * 15 * 22 25 *] */
+ x = state->x[5];
+ x = ((x & 0x00000004U) << 11)
+ | ((x & 0x00000200U) << 12)
+ | ((x & 0x00010000U) >> 15)
+ | ((x & 0x01000000U) >> 13)
+ | ((x & 0x08000000U) >> 12)
+ | ((x & 0x20000000U) >> 7)
+ | ((x & 0x00000020U) << 26)
+ | ((x & 0x40000000U) >> 5);
+ y ^= x & 0x8260a802U;
+
+ /* P6 = [* 8 * * * 6 * * * * * * * * * * * * * 19 * 9 * * * * * * * * 3 10] */
+ x = state->x[6];
+ x = (x & 0x00080000U)
+ | ((x & 0x00000020U) << 1)
+ | ((x & 0x40000000U) >> 27)
+ | ((x & 0x00000002U) << 7)
+ | ((x & 0x80000000U) >> 21)
+ | ((x & 0x00200000U) >> 12);
+ y ^= x & 0x00080748U;
+
+ /* P7 = [* 28 * 26 * * * * * * 7 29 * * * * 30 16 14 * * * 17 * * 4 * * * 24 * 12] */
+ x = state->x[7];
+ x = ((x & 0x02000000U) >> 21)
+ | ((x & 0x80000000U) >> 19)
+ | ((x & 0x00010000U) << 14)
+ | ((x & 0x00000800U) << 18)
+ | ((x & 0x00000008U) << 23)
+ | leftRotate27(x & 0x20400002U)
+ | ((x & 0x00040000U) >> 4)
+ | ((x & 0x00000400U) >> 3)
+ | ((x & 0x00020000U) >> 1);
+ y ^= x & 0x75035090U;
+
+ /* Word 8 has a single bit - XOR it directly into the result and return */
+ return y ^ state->x[8];
+}
+
+void subterranean_absorb
+ (subterranean_state_t *state, const unsigned char *data,
+ unsigned long long len)
+{
+ while (len >= 4) {
+ subterranean_duplex_4(state, data);
+ data += 4;
+ len -= 4;
+ }
+ subterranean_duplex_n(state, data, (unsigned)len);
+}
+
+void subterranean_squeeze
+ (subterranean_state_t *state, unsigned char *data, unsigned len)
+{
+ uint32_t word;
+ while (len > 4) {
+ word = subterranean_extract(state);
+ subterranean_duplex_0(state);
+ le_store_word32(data, word);
+ data += 4;
+ len -= 4;
+ }
+ if (len == 4) {
+ word = subterranean_extract(state);
+ le_store_word32(data, word);
+ } else if (len == 1) {
+ word = subterranean_extract(state);
+ data[0] = (unsigned char)word;
+ } else if (len == 2) {
+ word = subterranean_extract(state);
+ data[0] = (unsigned char)word;
+ data[1] = (unsigned char)(word >> 8);
+ } else if (len == 3) {
+ word = subterranean_extract(state);
+ data[0] = (unsigned char)word;
+ data[1] = (unsigned char)(word >> 8);
+ data[2] = (unsigned char)(word >> 16);
+ }
+}
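Review bot: The helper macros `CHI`, `THETA`, `BCP`, `BUP` and `BDN` are `#define`d inside `subterranean_round` but never undefined, so they remain visible to every function that follows in this translation unit, and `CHI`/`THETA` silently rely on the enclosing locals `t0`/`t1`; add `#undef CHI`, `#undef THETA`, `#undef BCP`, `#undef BUP` and `#undef BDN` just before the function's closing brace. `subterranean_extract` only reads `state->x[0..8]` and never writes back, so its parameter can be `const subterranean_state_t *state`, with the same change to the declaration in internal-subterranean.h. The `default:` arm of `subterranean_duplex_n` treats any `len` of four or more as exactly four bytes, which is correct for the only visible caller (`subterranean_absorb` passes a remainder below four) but should say so, e.g. `/* len >= 4: only the first four bytes are absorbed; larger input is chunked by subterranean_absorb() */`.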
diff --git a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/internal-subterranean.h b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/internal-subterranean.h
new file mode 100644
index 0000000..71cebb2
--- /dev/null
+++ b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/internal-subterranean.h
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifndef LW_INTERNAL_SUBTERRANEAN_H
+#define LW_INTERNAL_SUBTERRANEAN_H
+
+#include "internal-util.h"
+
+/**
+ * \file internal-subterranean.h
+ * \brief Internal implementation of the Subterranean block operation.
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Representation of the 257-bit state of Subterranean.
+ *
+ * The 257-bit state is represented as nine 32-bit words with only a single
+ * bit in the last word.
+ */
+typedef struct
+{
+ uint32_t x[9]; /**< State words */
+
+} subterranean_state_t;
+
+/**
+ * \brief Performs a single Subterranean round.
+ *
+ * \param state Subterranean state to be transformed.
+ */
+void subterranean_round(subterranean_state_t *state);
+
+/**
+ * \brief Performs 8 Subterranean rounds with no absorption or squeezing
+ * of data; i.e. 
data input and output is "blanked".
+ *
+ * \param state Subterranean state to be transformed.
+ */
+void subterranean_blank(subterranean_state_t *state);
+
+/**
+ * \brief Performs a single Subterranean round and absorbs 0 bytes.
+ *
+ * \param state Subterranean state to be transformed.
+ */
+void subterranean_duplex_0(subterranean_state_t *state);
+
+/**
+ * \brief Performs a single Subterranean round and absorbs one byte.
+ *
+ * \param state Subterranean state to be transformed.
+ * \param data The single byte to be absorbed.
+ */
+void subterranean_duplex_1(subterranean_state_t *state, unsigned char data);
+
+/**
+ * \brief Absorbs a 32-bit word into the Subterranean state.
+ *
+ * \param state Subterranean state to be transformed.
+ * \param x The word to absorb into the state.
+ */
+void subterranean_duplex_word(subterranean_state_t *state, uint32_t x);
+
+/**
+ * \brief Performs a single Subterranean round and absorbs four bytes.
+ *
+ * \param state Subterranean state to be transformed.
+ * \param data Points to the four data bytes to be absorbed.
+ */
+#define subterranean_duplex_4(state, data) \
+ do { \
+ subterranean_duplex_word((state), le_load_word32((data))); \
+ (state)->x[8] ^= 1; \
+ } while (0)
+
+/**
+ * \brief Performs a single Subterranean round and absorbs between
+ * zero and four bytes.
+ *
+ * \param state Subterranean state to be transformed.
+ * \param data Points to the data bytes to be absorbed.
+ * \param len Length of the data to be absorbed.
+ */
+void subterranean_duplex_n
+ (subterranean_state_t *state, const unsigned char *data, unsigned len);
+
+/**
+ * \brief Extracts 32 bits of output from the Subterranean state.
+ *
+ * \param state Subterranean state to extract the output from.
+ *
+ * \return Returns the 32-bit word that was extracted.
+ */
+uint32_t subterranean_extract(subterranean_state_t *state);
+
+/**
+ * \brief Absorbs an arbitrary amount of data, four bytes at a time. 
+ *
+ * \param state Subterranean state to be transformed.
+ * \param data Points to the bytes to be absorbed.
+ * \param len Number of bytes to absorb.
+ */
+void subterranean_absorb
+ (subterranean_state_t *state, const unsigned char *data,
+ unsigned long long len);
+
+/**
+ * \brief Squeezes an arbitrary amount of data out of a Subterranean state.
+ *
+ * \param state Subterranean state to extract the output from.
+ * \param data Points to the data buffer to receive the output.
+ * \param len Number of bytes to be extracted.
+ */
+void subterranean_squeeze
+ (subterranean_state_t *state, unsigned char *data, unsigned len);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-util.h b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/internal-util.h
similarity index 100%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb128t288n104v1/rhys-avr/internal-util.h
rename to subterranean/Implementations/crypto_hash/subterraneanv1/rhys/internal-util.h
diff --git a/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/subterranean.c b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/subterranean.c
new file mode 100644
index 0000000..1bc9fc4
--- /dev/null
+++ b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/subterranean.c
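Review bot: The Doxygen text on subterranean_duplex_4 says it performs a round and absorbs four bytes, but it does not mention the `(state)->x[8] ^= 1;` the macro also applies — the same two statements are repeated by hand in subterranean.c with the comment `/* padding for 32-bit blocks */`. A sentence on the macro such as `Also toggles the padding bit in word 8 after the word has been absorbed.`, and one on subterranean_duplex_word saying whether it runs the round itself, would let callers choose between the two without reading internal-subterranean.c. Minor: subterranean_absorb takes `unsigned long long len` while subterranean_squeeze takes `unsigned len`; if the narrower type is deliberate it is worth a word in the \param description.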
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE. 
+ */
+
+#include "subterranean.h"
+#include "internal-subterranean.h"
+#include
+
+aead_cipher_t const subterranean_cipher = {
+ "Subterranean",
+ SUBTERRANEAN_KEY_SIZE,
+ SUBTERRANEAN_NONCE_SIZE,
+ SUBTERRANEAN_TAG_SIZE,
+ AEAD_FLAG_NONE,
+ subterranean_aead_encrypt,
+ subterranean_aead_decrypt
+};
+
+aead_hash_algorithm_t const subterranean_hash_algorithm = {
+ "Subterranean-Hash",
+ sizeof(subterranean_hash_state_t),
+ SUBTERRANEAN_HASH_SIZE,
+ AEAD_FLAG_NONE,
+ subterranean_hash,
+ (aead_hash_init_t)subterranean_hash_init,
+ (aead_hash_update_t)subterranean_hash_update,
+ (aead_hash_finalize_t)subterranean_hash_finalize,
+ (aead_xof_absorb_t)0,
+ (aead_xof_squeeze_t)0
+};
+
+int subterranean_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ subterranean_state_t state;
+ uint32_t x1, x2;
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + SUBTERRANEAN_TAG_SIZE;
+
+ /* Initialize the state and absorb the key and nonce */
+ memset(&state, 0, sizeof(state));
+ subterranean_absorb(&state, k, SUBTERRANEAN_KEY_SIZE);
+ subterranean_absorb(&state, npub, SUBTERRANEAN_NONCE_SIZE);
+ subterranean_blank(&state);
+
+ /* Absorb the associated data into the state */
+ subterranean_absorb(&state, ad, adlen);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ while (mlen >= 4) {
+ x1 = le_load_word32(m);
+ x2 = subterranean_extract(&state) ^ x1;
+ subterranean_duplex_word(&state, x1);
+ state.x[8] ^= 1; /* padding for 32-bit blocks */
+ le_store_word32(c, x2);
+ c += 4;
+ m += 4;
+ mlen -= 4;
+ }
+ switch ((unsigned char)mlen) {
+ default:
+ subterranean_duplex_0(&state);
+ break;
+ case 1:
+ x2 = subterranean_extract(&state) ^ m[0];
+ subterranean_duplex_n(&state, m, 1);
+ c[0] = (unsigned char)x2;
+ break;
+ case 2:
+ x2 = 
subterranean_extract(&state) ^ m[0] ^ (((uint32_t)(m[1])) << 8);
+ subterranean_duplex_n(&state, m, 2);
+ c[0] = (unsigned char)x2;
+ c[1] = (unsigned char)(x2 >> 8);
+ break;
+ case 3:
+ x2 = subterranean_extract(&state) ^
+ m[0] ^ (((uint32_t)(m[1])) << 8) ^ (((uint32_t)(m[2])) << 16);
+ subterranean_duplex_n(&state, m, 3);
+ c[0] = (unsigned char)x2;
+ c[1] = (unsigned char)(x2 >> 8);
+ c[2] = (unsigned char)(x2 >> 16);
+ break;
+ }
+
+ /* Generate the authentication tag */
+ subterranean_blank(&state);
+ subterranean_squeeze(&state, c + mlen, SUBTERRANEAN_TAG_SIZE);
+ return 0;
+}
+
+int subterranean_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ subterranean_state_t state;
+ unsigned char *mtemp = m;
+ unsigned char tag[SUBTERRANEAN_TAG_SIZE];
+ uint32_t x;
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < SUBTERRANEAN_TAG_SIZE)
+ return -1;
+ *mlen = clen - SUBTERRANEAN_TAG_SIZE;
+
+ /* Initialize the state and absorb the key and nonce */
+ memset(&state, 0, sizeof(state));
+ subterranean_absorb(&state, k, SUBTERRANEAN_KEY_SIZE);
+ subterranean_absorb(&state, npub, SUBTERRANEAN_NONCE_SIZE);
+ subterranean_blank(&state);
+
+ /* Absorb the associated data into the state */
+ subterranean_absorb(&state, ad, adlen);
+
+ /* Decrypt the ciphertext to produce the plaintext */
+ clen -= SUBTERRANEAN_TAG_SIZE;
+ while (clen >= 4) {
+ x = le_load_word32(c);
+ x ^= subterranean_extract(&state);
+ subterranean_duplex_word(&state, x);
+ state.x[8] ^= 1; /* padding for 32-bit blocks */
+ le_store_word32(m, x);
+ c += 4;
+ m += 4;
+ clen -= 4;
+ }
+ switch ((unsigned char)clen) {
+ default:
+ subterranean_duplex_0(&state);
+ break;
+ case 1:
+ m[0] = (unsigned char)(subterranean_extract(&state) ^ c[0]);
+ 
subterranean_duplex_1(&state, m[0]);
+ break;
+ case 2:
+ x = subterranean_extract(&state) ^ c[0] ^ (((uint32_t)(c[1])) << 8);
+ m[0] = (unsigned char)x;
+ m[1] = (unsigned char)(x >> 8);
+ subterranean_duplex_word(&state, (x & 0xFFFFU) | 0x10000U);
+ break;
+ case 3:
+ x = subterranean_extract(&state) ^
+ c[0] ^ (((uint32_t)(c[1])) << 8) ^ (((uint32_t)(c[2])) << 16);
+ m[0] = (unsigned char)x;
+ m[1] = (unsigned char)(x >> 8);
+ m[2] = (unsigned char)(x >> 16);
+ subterranean_duplex_word(&state, (x & 0x00FFFFFFU) | 0x01000000U);
+ break;
+ }
+
+ /* Check the authentication tag */
+ subterranean_blank(&state);
+ subterranean_squeeze(&state, tag, sizeof(tag));
+ return aead_check_tag(mtemp, *mlen, tag, c + clen, SUBTERRANEAN_TAG_SIZE);
+}
+
+int subterranean_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ subterranean_state_t state;
+ memset(&state, 0, sizeof(state));
+ while (inlen > 0) {
+ subterranean_duplex_1(&state, *in++);
+ subterranean_duplex_0(&state);
+ --inlen;
+ }
+ subterranean_duplex_0(&state);
+ subterranean_duplex_0(&state);
+ subterranean_blank(&state);
+ subterranean_squeeze(&state, out, SUBTERRANEAN_HASH_SIZE);
+ return 0;
+}
+
+void subterranean_hash_init(subterranean_hash_state_t *state)
+{
+ memset(state, 0, sizeof(subterranean_hash_state_t));
+}
+
+void subterranean_hash_update
+ (subterranean_hash_state_t *state, const unsigned char *in,
+ unsigned long long inlen)
+{
+ subterranean_state_t *st = (subterranean_state_t *)state;
+ while (inlen > 0) {
+ subterranean_duplex_1(st, *in++);
+ subterranean_duplex_0(st);
+ --inlen;
+ }
+}
+
+void subterranean_hash_finalize
+ (subterranean_hash_state_t *state, unsigned char *out)
+{
+ subterranean_state_t *st = (subterranean_state_t *)state;
+ subterranean_duplex_0(st);
+ subterranean_duplex_0(st);
+ subterranean_blank(st);
+ subterranean_squeeze(st, out, SUBTERRANEAN_HASH_SIZE);
+}
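Review bot: The partial-block tail of subterranean_aead_decrypt is written differently from the matching cases in subterranean_aead_encrypt: encrypt feeds the 1-, 2- and 3-byte tails through `subterranean_duplex_n(&state, m, n)`, while decrypt uses `subterranean_duplex_1(&state, m[0])` for one byte and inlines the padding as `subterranean_duplex_word(&state, (x & 0xFFFFU) | 0x10000U)` and `(x & 0x00FFFFFFU) | 0x01000000U` for two and three. If the two forms are meant to produce the same state, a comment on the decrypt switch saying so would make the symmetry checkable by inspection; a divergence here would surface only as a tag failure in interop tests, never at compile time. Separately, subterranean_hash_update and subterranean_hash_finalize cast the subterranean_hash_state_t union (a 40-byte buffer plus an alignment member) to subterranean_state_t, which holds nine uint32_t; that fits, but a compile-time check beside the cast such as `_Static_assert(sizeof(subterranean_state_t) <= sizeof(subterranean_hash_state_t), "hash state too small");` would pin the size assumption if the build permits C11.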
diff --git a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/ace.h b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/subterranean.h similarity index 65% rename from ace/Implementations/crypto_hash/acehash256v1/rhys-avr/ace.h rename to subterranean/Implementations/crypto_hash/subterraneanv1/rhys/subterranean.h index 4497927..148e5e8 100644 --- a/ace/Implementations/crypto_hash/acehash256v1/rhys-avr/ace.h +++ b/subterranean/Implementations/crypto_hash/subterraneanv1/rhys/subterranean.h @@ -20,22 +20,24 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LWCRYPTO_ACE_H -#define LWCRYPTO_ACE_H +#ifndef LWCRYPTO_SUBTERRANEAN_H +#define LWCRYPTO_SUBTERRANEAN_H #include "aead-common.h" /** - * \file ace.h - * \brief ACE authenticated encryption algorithm. + * \file subterranean.h + * \brief Subterranean authenticated encryption algorithm. * - * ACE is an authenticated encryption algorithm with a 128-bit key, - * a 128-bit nonce, and a 128-bit tag. It uses a duplex construction - * on top of a 320-bit permutation. The permutation is a generalised - * version of sLiSCP-light, extended from 256 bits to 320 bits. - * ACE also has a companion hash algorithm with a 256-bit output. + * Subterranean (technically "Subterranean 2.0") is a family of + * algorithms built around the 257-bit Subterranean permutation: * - * References: https://uwaterloo.ca/communications-security-lab/lwc/ace + * \li Subterranean is an authenticated encryption algorithm with a 128-bit + * key, a 128-bit nonce, and a 128-bit tag. + * \li Subterranean-Hash is a hash algorithm with a 256-bit output. + * + * The Subterranean permutation is intended for hardware implementation. + * It is not structured for efficient software implementation. */ #ifdef __cplusplus 
@@ -43,50 +45,47 @@ extern "C" { #endif /** - * \brief Size of the key for ACE. + * \brief Size of the key for Subterranean. */ -#define ACE_KEY_SIZE 16 +#define SUBTERRANEAN_KEY_SIZE 16 /** - * \brief Size of the authentication tag for ACE. + * \brief Size of the authentication tag for Subterranean. */ -#define ACE_TAG_SIZE 16 +#define SUBTERRANEAN_TAG_SIZE 16 /** - * \brief Size of the nonce for ACE. + * \brief Size of the nonce for Subterranean. */ -#define ACE_NONCE_SIZE 16 +#define SUBTERRANEAN_NONCE_SIZE 16 /** - * \brief Size of the hash output for ACE-HASH. + * \brief Size of the hash output for Subterranean-Hash. */ -#define ACE_HASH_SIZE 32 +#define SUBTERRANEAN_HASH_SIZE 32 /** - * \brief Meta-information block for the ACE cipher. + * \brief Meta-information block for the Subterranean cipher. */ -extern aead_cipher_t const ace_cipher; +extern aead_cipher_t const subterranean_cipher; /** - * \brief Meta-information block for the ACE-HASH hash algorithm. + * \brief Meta-information block for the SUBTERRANEAN hash algorithm. */ -extern aead_hash_algorithm_t const ace_hash_algorithm; +extern aead_hash_algorithm_t const subterranean_hash_algorithm; /** - * \brief State information for the ACE-HASH incremental hash mode. + * \brief State information for the Subterreaan incremental hash mode. */ typedef union { - struct { - unsigned char state[40]; /**< Current hash state */ - unsigned char count; /**< Number of bytes in the current block */ - } s; /**< State */ - unsigned long long align; /**< For alignment of this structure */ + unsigned char state[40]; /**< Current hash state */ + unsigned long long align; /**< For alignment of this structure */ -} ace_hash_state_t; +} subterranean_hash_state_t; /** - * \brief Encrypts and authenticates a packet with ACE. + * \brief Encrypts and authenticates a packet with Subterranean. * * \param c Buffer to receive the output. * \param clen On exit, set to the length of the output which includes 
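Review bot: Two typos in the new Doxygen text of this hunk: `\brief Meta-information block for the SUBTERRANEAN hash algorithm.` should read `Subterranean-Hash hash algorithm` to match the `SUBTERRANEAN_HASH_SIZE` brief just above it, and `Subterreaan incremental hash mode` should read `Subterranean incremental hash mode`. The new subterranean_hash_state_t union also drops the `count` member the ACE version carried; a one-line note on `state[40]` saying that subterranean.c overlays a subterranean_state_t (nine 32-bit words) on this buffer would explain why the size and the `align` member matter to that cast.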
@@ -104,9 +103,9 @@ typedef union * \return 0 on success, or a negative value if there was an error in * the parameters. * - * \sa ace_aead_decrypt() + * \sa subterranean_aead_decrypt() */ -int ace_aead_encrypt +int subterranean_aead_encrypt (unsigned char *c, unsigned long long *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, @@ -115,7 +114,7 @@ int ace_aead_encrypt const unsigned char *k); /** - * \brief Decrypts and authenticates a packet with ACE. + * \brief Decrypts and authenticates a packet with Subterranean. * * \param m Buffer to receive the plaintext message on output. * \param mlen Receives the length of the plaintext message on output. @@ -134,9 +133,9 @@ int ace_aead_encrypt * \return 0 on success, -1 if the authentication tag was incorrect, * or some other negative number if there was an error in the parameters. * - * \sa ace_aead_encrypt() + * \sa subterranean_aead_encrypt() */ -int ace_aead_decrypt +int subterranean_aead_decrypt (unsigned char *m, unsigned long long *mlen, unsigned char *nsec, const unsigned char *c, unsigned long long clen, 
@@ -145,50 +144,54 @@ int ace_aead_decrypt const unsigned char *k); /** - * \brief Hashes a block of input data with ACE-HASH to generate a hash value. + * \brief Hashes a block of input data with Subterranean. * * \param out Buffer to receive the hash output which must be at least - * ACE_HASH_SIZE bytes in length. + * SUBTERRANEAN_HASH_SIZE bytes in length. * \param in Points to the input data to be hashed. * \param inlen Length of the input data in bytes. * * \return Returns zero on success or -1 if there was an error in the * parameters. + * + * \sa subterranean_hash_init() */ -int ace_hash +int subterranean_hash (unsigned char *out, const unsigned char *in, unsigned long long inlen); /** - * \brief Initializes the state for an ACE-HASH hashing operation. + * \brief Initializes the state for a Subterranean hashing operation. * * \param state Hash state to be initialized. * - * \sa ace_hash_update(), ace_hash_finalize(), ace_hash() + * \sa subterranean_hash_update(), subterranean_hash_finalize(), + * subterranean_hash() */ -void ace_hash_init(ace_hash_state_t *state); +void subterranean_hash_init(subterranean_hash_state_t *state); /** - * \brief Updates the ACE-HASH state with more input data. + * \brief Updates a Subterranean state with more input data. * * \param state Hash state to be updated. * \param in Points to the input data to be incorporated into the state. * \param inlen Length of the input data to be incorporated into the state. * - * \sa ace_hash_init(), ace_hash_finalize() + * \sa subterranean_hash_init(), subterranean_hash_finalize() */ -void ace_hash_update - (ace_hash_state_t *state, const unsigned char *in, +void subterranean_hash_update + (subterranean_hash_state_t *state, const unsigned char *in, unsigned long long inlen); /** - * \brief Returns the final hash value from an ACE-HASH hashing operation. + * \brief Returns the final hash value from a Subterranean hashing operation. * * \param state Hash state to be finalized. 
* \param out Points to the output buffer to receive the 32-byte hash value. * - * \sa ace_hash_init(), ace_hash_update() + * \sa subterranean_hash_init(), subterranean_hash_update() */ -void ace_hash_finalize(ace_hash_state_t *state, unsigned char *out); +void subterranean_hash_finalize + (subterranean_hash_state_t *state, unsigned char *out); #ifdef __cplusplus } diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/aead-common.c b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/aead-common.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/api.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/api.h deleted file mode 100644 index 4bd426b..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 0 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/encrypt.c b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/encrypt.c deleted file mode 100644 index 50af7fb..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@
-
-#include "sundae-gift.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return sundae_gift_0_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return sundae_gift_0_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128-config.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128-config.h
deleted file mode 100644
index 62131ba..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128-config.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_GIFT128_CONFIG_H
-#define LW_INTERNAL_GIFT128_CONFIG_H
-
-/**
- * \file internal-gift128-config.h
- * \brief Configures the variant of GIFT-128 to use.
- */
-
-/**
- * \brief Select the full variant of GIFT-128.
- *
- * The full variant requires 320 bytes for the key schedule and uses the
- * fixslicing method to implement encryption and decryption.
- */
-#define GIFT128_VARIANT_FULL 0
-
-/**
- * \brief Select the small variant of GIFT-128.
- *
- * The small variant requires 80 bytes for the key schedule. The rest
- * of the key schedule is expanded on the fly during encryption.
- *
- * The fixslicing method is used to implement encryption and the slower
- * bitslicing method is used to implement decryption. The small variant
- * is suitable when memory is at a premium, decryption is not needed,
- * but encryption performance is still important.
- */
-#define GIFT128_VARIANT_SMALL 1
-
-/**
- * \brief Select the tiny variant of GIFT-128.
- *
- * The tiny variant requires 16 bytes for the key schedule and uses the
- * bitslicing method to implement encryption and decryption. It is suitable
- * for use when memory is very tight and performance is not critical.
- */
-#define GIFT128_VARIANT_TINY 2
-
-/**
- * \def GIFT128_VARIANT
- * \brief Selects the default variant of GIFT-128 to use on this platform.
- */
-/**
- * \def GIFT128_VARIANT_ASM
- * \brief Defined to 1 if the GIFT-128 implementation has been replaced
- * with an assembly code version.
- */
-#if defined(__AVR__) && !defined(GIFT128_VARIANT_ASM)
-#define GIFT128_VARIANT_ASM 1
-#endif
-#if !defined(GIFT128_VARIANT)
-#define GIFT128_VARIANT GIFT128_VARIANT_FULL
-#endif
-#if !defined(GIFT128_VARIANT_ASM)
-#define GIFT128_VARIANT_ASM 0
-#endif
-
-#endif
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128.c b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128.c
deleted file mode 100644
index c6ac5ec..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128.c
+++ /dev/null
@@ -1,1498 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-gift128.h"
-#include "internal-util.h"
-
-#if !GIFT128_VARIANT_ASM
-
-#if GIFT128_VARIANT != GIFT128_VARIANT_TINY
-
-/* Round constants for GIFT-128 in the fixsliced representation */
-static uint32_t const GIFT128_RC_fixsliced[40] = {
- 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880,
- 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000,
- 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002,
- 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080,
- 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e,
- 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808,
- 0xc001a000, 0x14500002, 0x01020181, 0x8000001a
-};
-
-#endif
-
-#if GIFT128_VARIANT != GIFT128_VARIANT_FULL
-
-/* Round constants for GIFT-128 in the bitsliced representation */
-static uint8_t const GIFT128_RC[40] = {
- 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B,
- 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E,
- 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30,
- 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38,
- 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A
-};
-
-#endif
-
-/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */
-#define bit_permute_step(_y, mask, shift) \
- do { \
- uint32_t y = (_y); \
- uint32_t t = ((y >> (shift)) ^ y) & (mask); \
- (_y) = (y ^ t) ^ (t << (shift)); \
- } while (0)
-
-/*
- * The permutation below was generated by the online permuation generator at
- * "http://programming.sirrida.de/calcperm.php".
- * - * All of the permutuations are essentially the same, except that each is - * rotated by 8 bits with respect to the next: - * - * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15 - * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23 - * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31 - * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7 - * - * The most efficient permutation from the online generator was P3, so we - * perform it as the core of the others, and then perform a final rotation. - * - * It is possible to do slightly better than "P3 then rotate" on desktop and - * server architectures for the other permutations. But the advantage isn't - * as evident on embedded platforms so we keep things simple. - */ -#define PERM3_INNER(x) \ - do { \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x000000ff, 24); \ - } while (0) -#define PERM0(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate8(_x); \ - } while (0) -#define PERM1(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate16(_x); \ - } while (0) -#define PERM2(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate24(_x); \ - } while (0) -#define PERM3(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) - -#define INV_PERM3_INNER(x) \ - do { \ - bit_permute_step(x, 0x00550055, 9); \ - bit_permute_step(x, 0x00003333, 18); \ - bit_permute_step(x, 0x000f000f, 12); \ - bit_permute_step(x, 0x000000ff, 24); \ - } while (0) -#define INV_PERM0(x) \ - do { \ - uint32_t _x = rightRotate8(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM1(x) \ - do { \ - uint32_t _x = rightRotate16(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } 
while (0) -#define INV_PERM2(x) \ - do { \ - uint32_t _x = rightRotate24(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM3(x) \ - do { \ - uint32_t _x = (x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) - -/** - * \brief Converts the GIFT-128 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. - * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift128n_to_words - (unsigned char *output, const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Load the input buffer into 32-bit words. We use the nibble order - * from the HYENA submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-128 paper. Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 12); - s1 = le_load_word32(input + 8); - s2 = le_load_word32(input + 4); - s3 = le_load_word32(input); - - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". 
- */
- #define PERM_WORDS(_x) \
- do { \
- uint32_t x = (_x); \
- bit_permute_step(x, 0x0a0a0a0a, 3); \
- bit_permute_step(x, 0x00cc00cc, 6); \
- bit_permute_step(x, 0x0000f0f0, 12); \
- bit_permute_step(x, 0x0000ff00, 8); \
- (_x) = x; \
- } while (0)
- PERM_WORDS(s0);
- PERM_WORDS(s1);
- PERM_WORDS(s2);
- PERM_WORDS(s3);
-
- /* Rearrange the bytes and write them to the output buffer */
- output[0] = (uint8_t)s0;
- output[1] = (uint8_t)s1;
- output[2] = (uint8_t)s2;
- output[3] = (uint8_t)s3;
- output[4] = (uint8_t)(s0 >> 8);
- output[5] = (uint8_t)(s1 >> 8);
- output[6] = (uint8_t)(s2 >> 8);
- output[7] = (uint8_t)(s3 >> 8);
- output[8] = (uint8_t)(s0 >> 16);
- output[9] = (uint8_t)(s1 >> 16);
- output[10] = (uint8_t)(s2 >> 16);
- output[11] = (uint8_t)(s3 >> 16);
- output[12] = (uint8_t)(s0 >> 24);
- output[13] = (uint8_t)(s1 >> 24);
- output[14] = (uint8_t)(s2 >> 24);
- output[15] = (uint8_t)(s3 >> 24);
-}
-
-/**
- * \brief Converts the GIFT-128 word-based representation into nibble-based.
- *
- * \param output Output buffer to write the nibble-based version to.
- * \param input Input buffer to read the word-based version from.
- */
-static void gift128n_to_nibbles
- (unsigned char *output, const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Load the input bytes and rearrange them so that s0 contains the
- * most significant nibbles and s3 contains the least significant */
- s0 = (((uint32_t)(input[12])) << 24) |
- (((uint32_t)(input[8])) << 16) |
- (((uint32_t)(input[4])) << 8) |
- ((uint32_t)(input[0]));
- s1 = (((uint32_t)(input[13])) << 24) |
- (((uint32_t)(input[9])) << 16) |
- (((uint32_t)(input[5])) << 8) |
- ((uint32_t)(input[1]));
- s2 = (((uint32_t)(input[14])) << 24) |
- (((uint32_t)(input[10])) << 16) |
- (((uint32_t)(input[6])) << 8) |
- ((uint32_t)(input[2]));
- s3 = (((uint32_t)(input[15])) << 24) |
- (((uint32_t)(input[11])) << 16) |
- (((uint32_t)(input[7])) << 8) |
- ((uint32_t)(input[3]));
-
- /* Apply the inverse of PERM_WORDS() from the function above */
- #define INV_PERM_WORDS(_x) \
- do { \
- uint32_t x = (_x); \
- bit_permute_step(x, 0x00aa00aa, 7); \
- bit_permute_step(x, 0x0000cccc, 14); \
- bit_permute_step(x, 0x00f000f0, 4); \
- bit_permute_step(x, 0x0000ff00, 8); \
- (_x) = x; \
- } while (0)
- INV_PERM_WORDS(s0);
- INV_PERM_WORDS(s1);
- INV_PERM_WORDS(s2);
- INV_PERM_WORDS(s3);
-
- /* Store the result into the output buffer as 32-bit words */
- le_store_word32(output + 12, s0);
- le_store_word32(output + 8, s1);
- le_store_word32(output + 4, s2);
- le_store_word32(output, s3);
-}
-
-void gift128n_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- gift128n_to_words(output, input);
- gift128b_encrypt(ks, output, output);
- gift128n_to_nibbles(output, output);
-}
-
-void gift128n_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- gift128n_to_words(output, input);
- gift128b_decrypt(ks, output, output);
- gift128n_to_nibbles(output, output);
-}
-
-#if GIFT128_VARIANT != GIFT128_VARIANT_TINY
-
-/**
- * \brief Swaps bits within two words.
- * - * \param a The first word. - * \param b The second word. - * \param mask Mask for the bits to shift. - * \param shift Shift amount in bits. - */ -#define gift128b_swap_move(a, b, mask, shift) \ - do { \ - uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \ - (b) ^= tmp; \ - (a) ^= tmp << (shift); \ - } while (0) - -/** - * \brief Derives the next 10 fixsliced keys in the key schedule. - * - * \param next Points to the buffer to receive the next 10 keys. - * \param prev Points to the buffer holding the previous 10 keys. - * - * The \a next and \a prev buffers are allowed to be the same. - */ -#define gift128b_derive_keys(next, prev) \ - do { \ - /* Key 0 */ \ - uint32_t s = (prev)[0]; \ - uint32_t t = (prev)[1]; \ - gift128b_swap_move(t, t, 0x00003333U, 16); \ - gift128b_swap_move(t, t, 0x55554444U, 1); \ - (next)[0] = t; \ - /* Key 1 */ \ - s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \ - gift128b_swap_move(s, s, 0x55551100U, 1); \ - (next)[1] = s; \ - /* Key 2 */ \ - s = (prev)[2]; \ - t = (prev)[3]; \ - (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \ - ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \ - /* Key 3 */ \ - (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \ - ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \ - /* Key 4 */ \ - s = (prev)[4]; \ - t = (prev)[5]; \ - (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \ - leftRotate16(t & 0x55555555U); \ - /* Key 5 */ \ - (next)[5] = leftRotate8(s & 0x55555555U) | \ - leftRotate12(s & 0xAAAAAAAAU); \ - /* Key 6 */ \ - s = (prev)[6]; \ - t = (prev)[7]; \ - (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \ - ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \ - /* Key 7 */ \ - (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \ - ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \ - ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \ - /* Key 8 */ \ - s = (prev)[8]; \ - t = (prev)[9]; \ - 
(next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \ - ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \ - /* Key 9 */ \ - (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \ - ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \ - } while (0) - -/** - * \brief Compute the round keys for GIFT-128 in the fixsliced representation. - * - * \param ks Points to the key schedule to initialize. - * \param k0 First key word. - * \param k1 Second key word. - * \param k2 Third key word. - * \param k3 Fourth key word. - */ -static void gift128b_compute_round_keys - (gift128b_key_schedule_t *ks, - uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3) -{ - unsigned index; - uint32_t temp; - - /* Set the regular key with k0 and k3 pre-swapped for the round function */ - ks->k[0] = k3; - ks->k[1] = k1; - ks->k[2] = k2; - ks->k[3] = k0; - - /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */ - for (index = 4; index < 20; index += 2) { - ks->k[index] = ks->k[index - 3]; - temp = ks->k[index - 4]; - temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - ks->k[index + 1] = temp; - } - for (index = 0; index < 20; index += 10) { - /* Keys 0 and 10 */ - temp = ks->k[index]; - gift128b_swap_move(temp, temp, 0x00550055U, 9); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index] = temp; - - /* Keys 1 and 11 */ - temp = ks->k[index + 1]; - gift128b_swap_move(temp, temp, 0x00550055U, 9); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 1] = temp; - - /* Keys 2 and 12 */ - temp = ks->k[index + 2]; - gift128b_swap_move(temp, temp, 0x11111111U, 3); - gift128b_swap_move(temp, temp, 0x03030303U, 6); - gift128b_swap_move(temp, 
temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 2] = temp; - - /* Keys 3 and 13 */ - temp = ks->k[index + 3]; - gift128b_swap_move(temp, temp, 0x11111111U, 3); - gift128b_swap_move(temp, temp, 0x03030303U, 6); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 3] = temp; - - /* Keys 4 and 14 */ - temp = ks->k[index + 4]; - gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 4] = temp; - - /* Keys 5 and 15 */ - temp = ks->k[index + 5]; - gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 5] = temp; - - /* Keys 6 and 16 */ - temp = ks->k[index + 6]; - gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); - gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 6] = temp; - - /* Keys 7 and 17 */ - temp = ks->k[index + 7]; - gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); - gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 7] = temp; - - /* Keys 8, 9, 18, and 19 do not need any adjustment */ - } - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - /* Derive the fixsliced keys for the remaining rounds 11..40 */ - for (index = 20; index < 80; index += 10) { - gift128b_derive_keys(ks->k + index, ks->k + index - 20); - } -#endif -} - -void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) -{ - gift128b_compute_round_keys - (ks, be_load_word32(key), be_load_word32(key + 4), - be_load_word32(key + 8), 
be_load_word32(key + 12)); -} - -void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) -{ - /* Use the little-endian key byte order from the HYENA submission */ - gift128b_compute_round_keys - (ks, le_load_word32(key + 12), le_load_word32(key + 8), - le_load_word32(key + 4), le_load_word32(key)); -} - -/** - * \brief Performs the GIFT-128 S-box on the bit-sliced state. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_sbox(s0, s1, s2, s3) \ - do { \ - s1 ^= s0 & s2; \ - s0 ^= s1 & s3; \ - s2 ^= s0 | s1; \ - s3 ^= s2; \ - s1 ^= s3; \ - s3 ^= 0xFFFFFFFFU; \ - s2 ^= s0 & s1; \ - } while (0) - -/** - * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_sbox(s0, s1, s2, s3) \ - do { \ - s2 ^= s3 & s1; \ - s0 ^= 0xFFFFFFFFU; \ - s1 ^= s0; \ - s0 ^= s2; \ - s2 ^= s3 | s1; \ - s3 ^= s1 & s0; \ - s1 ^= s3 & s2; \ - } while (0) - -/** - * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_1(s0, s1, s2, s3) \ - do { \ - s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ - s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \ - s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds. - * - * \param s0 First word of the bit-sliced state. 
- * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_2(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \ - s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ - s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_3(s0, s1, s2, s3) \ - do { \ - gift128b_swap_move(s1, s1, 0x55555555U, 1); \ - s2 = leftRotate16(s2); \ - gift128b_swap_move(s2, s2, 0x00005555U, 1); \ - s3 = leftRotate16(s3); \ - gift128b_swap_move(s3, s3, 0x55550000U, 1); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_4(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \ - s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ - s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. 
- */ -#define gift128b_permute_state_5(s0, s1, s2, s3) \ - do { \ - s1 = leftRotate16(s1); \ - s2 = rightRotate8(s2); \ - s3 = leftRotate8(s3); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \ - do { \ - s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ - s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \ - s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \ - s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ - s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \ - do { \ - gift128b_swap_move(s1, s1, 0x55555555U, 1); \ - gift128b_swap_move(s2, s2, 0x00005555U, 1); \ - s2 = leftRotate16(s2); \ - gift128b_swap_move(s3, s3, 0x55550000U, 1); \ - s3 = leftRotate16(s3); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds. - * - * \param s0 First word of the bit-sliced state. 
- * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \ - s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ - s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \ - do { \ - s1 = leftRotate16(s1); \ - s2 = leftRotate8(s2); \ - s3 = rightRotate8(s3); \ - } while (0); - -/** - * \brief Performs five fixsliced encryption rounds for GIFT-128. - * - * \param rk Points to the 10 round keys for these rounds. - * \param rc Points to the round constants for these rounds. - * - * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. - * - * The permutation is restructured so that one of the words each round - * does not need to be permuted, with the others rotating left, up, right, - * and down to keep the bits in line with their non-moving counterparts. - * This reduces the number of shifts required significantly. - * - * At the end of five rounds, the bit ordering will return to the - * original position. We then repeat the process for the next 5 rounds. 
- */ -#define gift128b_encrypt_5_rounds(rk, rc) \ - do { \ - /* 1st round - S-box, rotate left, add round key */ \ - gift128b_sbox(s0, s1, s2, s3); \ - gift128b_permute_state_1(s0, s1, s2, s3); \ - s1 ^= (rk)[0]; \ - s2 ^= (rk)[1]; \ - s0 ^= (rc)[0]; \ - \ - /* 2nd round - S-box, rotate up, add round key */ \ - gift128b_sbox(s3, s1, s2, s0); \ - gift128b_permute_state_2(s0, s1, s2, s3); \ - s1 ^= (rk)[2]; \ - s2 ^= (rk)[3]; \ - s3 ^= (rc)[1]; \ - \ - /* 3rd round - S-box, swap columns, add round key */ \ - gift128b_sbox(s0, s1, s2, s3); \ - gift128b_permute_state_3(s0, s1, s2, s3); \ - s1 ^= (rk)[4]; \ - s2 ^= (rk)[5]; \ - s0 ^= (rc)[2]; \ - \ - /* 4th round - S-box, rotate left and swap rows, add round key */ \ - gift128b_sbox(s3, s1, s2, s0); \ - gift128b_permute_state_4(s0, s1, s2, s3); \ - s1 ^= (rk)[6]; \ - s2 ^= (rk)[7]; \ - s3 ^= (rc)[3]; \ - \ - /* 5th round - S-box, rotate up, add round key */ \ - gift128b_sbox(s0, s1, s2, s3); \ - gift128b_permute_state_5(s0, s1, s2, s3); \ - s1 ^= (rk)[8]; \ - s2 ^= (rk)[9]; \ - s0 ^= (rc)[4]; \ - \ - /* Swap s0 and s3 in preparation for the next 1st round */ \ - s0 ^= s3; \ - s3 ^= s0; \ - s0 ^= s3; \ - } while (0) - -/** - * \brief Performs five fixsliced decryption rounds for GIFT-128. - * - * \param rk Points to the 10 round keys for these rounds. - * \param rc Points to the round constants for these rounds. - * - * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. 
- */
-#define gift128b_decrypt_5_rounds(rk, rc) \
- do { \
- /* Swap s0 and s3 in preparation for the next 5th round */ \
- s0 ^= s3; \
- s3 ^= s0; \
- s0 ^= s3; \
- \
- /* 5th round - S-box, rotate down, add round key */ \
- s1 ^= (rk)[8]; \
- s2 ^= (rk)[9]; \
- s0 ^= (rc)[4]; \
- gift128b_inv_permute_state_5(s0, s1, s2, s3); \
- gift128b_inv_sbox(s3, s1, s2, s0); \
- \
- /* 4th round - S-box, rotate right and swap rows, add round key */ \
- s1 ^= (rk)[6]; \
- s2 ^= (rk)[7]; \
- s3 ^= (rc)[3]; \
- gift128b_inv_permute_state_4(s0, s1, s2, s3); \
- gift128b_inv_sbox(s0, s1, s2, s3); \
- \
- /* 3rd round - S-box, swap columns, add round key */ \
- s1 ^= (rk)[4]; \
- s2 ^= (rk)[5]; \
- s0 ^= (rc)[2]; \
- gift128b_inv_permute_state_3(s0, s1, s2, s3); \
- gift128b_inv_sbox(s3, s1, s2, s0); \
- \
- /* 2nd round - S-box, rotate down, add round key */ \
- s1 ^= (rk)[2]; \
- s2 ^= (rk)[3]; \
- s3 ^= (rc)[1]; \
- gift128b_inv_permute_state_2(s0, s1, s2, s3); \
- gift128b_inv_sbox(s0, s1, s2, s3); \
- \
- /* 1st round - S-box, rotate right, add round key */ \
- s1 ^= (rk)[0]; \
- s2 ^= (rk)[1]; \
- s0 ^= (rc)[0]; \
- gift128b_inv_permute_state_1(s0, s1, s2, s3); \
- gift128b_inv_sbox(s3, s1, s2, s0); \
- } while (0)
-
-#else /* GIFT128_VARIANT_TINY */
-
-void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key)
-{
- /* Mirror the fixslicing word order of 3, 1, 2, 0 */
- ks->k[0] = be_load_word32(key + 12);
- ks->k[1] = be_load_word32(key + 4);
- ks->k[2] = be_load_word32(key + 8);
- ks->k[3] = be_load_word32(key);
-}
-
-void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key)
-{
- /* Use the little-endian key byte order from the HYENA submission
- * and mirror the fixslicing word order of 3, 1, 2, 0 */
- ks->k[0] = le_load_word32(key);
- ks->k[1] = le_load_word32(key + 8);
- ks->k[2] = le_load_word32(key + 4);
- ks->k[3] = le_load_word32(key + 12);
-}
-
-#endif /* GIFT128_VARIANT_TINY */
-
-#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL
-
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t k[20];
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_derive_keys(k, ks->k);
- gift128b_derive_keys(k + 10, ks->k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4])
-{
- uint32_t s0, s1, s2, s3;
- uint32_t k[20];
-
- /* Copy the plaintext into local variables */
- s0 = input[0];
- s1 = input[1];
- s2 = input[2];
- s3 = input[3];
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_derive_keys(k, ks->k);
- gift128b_derive_keys(k + 10, ks->k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer */
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-}
-
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t k[20];
-
- /* Copy the plaintext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the last we add the tweak value to the state */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- s0 ^= tweak;
- gift128b_derive_keys(k, ks->k);
- gift128b_derive_keys(k + 10, ks->k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
- s0 ^= tweak;
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
- s0 ^= tweak;
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL
-
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(ks->k + 50,
GIFT128_RC_fixsliced + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into local variables */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer */ - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -} - -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method. 
- * Every 5 rounds except the last we add the tweak value to the state */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#else /* GIFT128_VARIANT_TINY */ - -void gift128b_encrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[3]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[0]; - - /* Perform all 40 rounds */ - for (round = 0; round < 40; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 128-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; 
- s3 ^= 0x80000000U ^ GIFT128_RC[round]; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[3]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[0]; - - /* Perform all 40 rounds */ - for (round = 0; round < 40; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 128-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round]; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer */ - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -} - -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the 
plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[3]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[0]; - - /* Perform all 40 rounds */ - for (round = 0; round < 40; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 128-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round]; - - /* AddTweak - XOR in the tweak every 5 rounds except the last */ - if (((round + 1) % 5) == 0 && round < 39) - s0 ^= tweak; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#endif /* GIFT128_VARIANT_TINY */ - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - -void gift128b_decrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_decrypt_5_rounds(ks->k + 
70, GIFT128_RC_fixsliced + 35); - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128t_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the ciphertext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method. 
- * Every 5 rounds except the first we add the tweak value to the state */ - gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - - /* Pack the state into the plaintext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ - -/* The small variant uses fixslicing for encryption, but we need to change - * to bitslicing for decryption because of the difficulty of fast-forwarding - * the fixsliced key schedule to the end. So the tiny variant is used for - * decryption when the small variant is selected. Since the NIST AEAD modes - * for GIFT-128 only use the block encrypt operation, the inefficiencies - * in decryption don't matter all that much */ - -/** - * \def gift128b_load_and_forward_schedule() - * \brief Generate the decryption key at the end of the last round. 
- * - * To do that, we run the block operation forward to determine the - * final state of the key schedule after the last round: - * - * w0 = ks->k[0]; - * w1 = ks->k[1]; - * w2 = ks->k[2]; - * w3 = ks->k[3]; - * for (round = 0; round < 40; ++round) { - * temp = w3; - * w3 = w2; - * w2 = w1; - * w1 = w0; - * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - * } - * - * We can short-cut all of the above by noticing that we don't need - * to do the word rotations. Every 4 rounds, the rotation alignment - * returns to the original position and each word has been rotated - * by applying the "2 right and 4 left" bit-rotation step to it. - * We then repeat that 10 times for the full 40 rounds. The overall - * effect is to apply a "20 right and 40 left" bit-rotation to every - * word in the key schedule. That is equivalent to "4 right and 8 left" - * on the 16-bit sub-words. - */ -#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL -#define gift128b_load_and_forward_schedule() \ - do { \ - w0 = ks->k[3]; \ - w1 = ks->k[1]; \ - w2 = ks->k[2]; \ - w3 = ks->k[0]; \ - w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ - ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ - w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ - ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \ - w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ - ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ - w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ - ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ - } while (0) -#else -/* The small variant needs to also undo some of the rotations that were - * done to generate the fixsliced version of the key schedule */ -#define gift128b_load_and_forward_schedule() \ - do { \ - w0 = ks->k[3]; \ - w1 = ks->k[1]; \ - w2 = ks->k[2]; \ - w3 = ks->k[0]; \ - gift128b_swap_move(w3, w3, 0x000000FFU, 24); \ - 
gift128b_swap_move(w3, w3, 0x00003333U, 18); \ - gift128b_swap_move(w3, w3, 0x000F000FU, 12); \ - gift128b_swap_move(w3, w3, 0x00550055U, 9); \ - gift128b_swap_move(w1, w1, 0x000000FFU, 24); \ - gift128b_swap_move(w1, w1, 0x00003333U, 18); \ - gift128b_swap_move(w1, w1, 0x000F000FU, 12); \ - gift128b_swap_move(w1, w1, 0x00550055U, 9); \ - gift128b_swap_move(w2, w2, 0x000000FFU, 24); \ - gift128b_swap_move(w2, w2, 0x000F000FU, 12); \ - gift128b_swap_move(w2, w2, 0x03030303U, 6); \ - gift128b_swap_move(w2, w2, 0x11111111U, 3); \ - gift128b_swap_move(w0, w0, 0x000000FFU, 24); \ - gift128b_swap_move(w0, w0, 0x000F000FU, 12); \ - gift128b_swap_move(w0, w0, 0x03030303U, 6); \ - gift128b_swap_move(w0, w0, 0x11111111U, 3); \ - w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ - ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ - w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ - ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \ - w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ - ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ - w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ - ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ - } while (0) -#endif - -void gift128b_decrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the ciphertext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Generate the decryption key at the end of the last round */ - gift128b_load_and_forward_schedule(); - - /* Perform all 40 rounds */ - for (round = 40; round > 0; --round) { - /* Rotate the key schedule backwards */ - temp = w0; - w0 = w1; - w1 = w2; - w2 = w3; - w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 
14) | - ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; - - /* InvPermBits - apply the inverse of the 128-bit permutation */ - INV_PERM0(s0); - INV_PERM1(s1); - INV_PERM2(s2); - INV_PERM3(s3); - - /* InvSubCells - apply the inverse of the S-box */ - temp = s0; - s0 = s3; - s3 = temp; - s2 ^= s0 & s1; - s3 ^= 0xFFFFFFFFU; - s1 ^= s3; - s3 ^= s2; - s2 ^= s0 | s1; - s0 ^= s1 & s3; - s1 ^= s0 & s2; - } - - /* Pack the state into the plaintext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128t_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Generate the decryption key at the end of the last round */ - gift128b_load_and_forward_schedule(); - - /* Perform all 40 rounds */ - for (round = 40; round > 0; --round) { - /* Rotate the key schedule backwards */ - temp = w0; - w0 = w1; - w1 = w2; - w2 = w3; - w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | - ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); - - /* AddTweak - XOR in the tweak every 5 rounds except the last */ - if ((round % 5) == 0 && round < 40) - s0 ^= tweak; - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; - - /* InvPermBits - apply the inverse of the 128-bit permutation */ - INV_PERM0(s0); - INV_PERM1(s1); - 
INV_PERM2(s2); - INV_PERM3(s3); - - /* InvSubCells - apply the inverse of the S-box */ - temp = s0; - s0 = s3; - s3 = temp; - s2 ^= s0 & s1; - s3 ^= 0xFFFFFFFFU; - s1 ^= s3; - s3 ^= s2; - s2 ^= s0 | s1; - s0 ^= s1 & s3; - s1 ^= s0 & s2; - } - - /* Pack the state into the plaintext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ - -#endif /* !GIFT128_VARIANT_ASM */ diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128.h deleted file mode 100644 index f57d143..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128.h +++ /dev/null 
@@ -1,246 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_GIFT128_H
-#define LW_INTERNAL_GIFT128_H
-
-/**
- * \file internal-gift128.h
- * \brief GIFT-128 block cipher.
- *
- * There are three versions of GIFT-128 in use within the second round
- * submissions to the NIST lightweight cryptography competition.
- *
- * The most efficient version for 32-bit software implementation is the
- * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT.
- *
- * The second is the nibble-based version from HYENA. We implement the
- * HYENA version as a wrapper around the bit-sliced version.
- *
- * The third version is a variant on the HYENA nibble-based version that
- * includes a 4-bit tweak value for domain separation. It is used by
- * the ESTATE submission to NIST.
- *
- * Technically there is a fourth version of GIFT-128 which is the one that
- * appeared in the original GIFT-128 paper. It is almost the same as the
- * HYENA version except that the byte ordering is big-endian instead of
- * HYENA's little-endian. The original version of GIFT-128 doesn't appear
- * in any of the NIST submissions so we don't bother with it in this library.
- *
- * References: https://eprint.iacr.org/2017/622.pdf,
- * https://eprint.iacr.org/2020/412.pdf,
- * https://giftcipher.github.io/gift/
- */
-
-#include
-#include
-#include "internal-gift128-config.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of a GIFT-128 block in bytes.
- */
-#define GIFT128_BLOCK_SIZE 16
-
-/**
- * \var GIFT128_ROUND_KEYS
- * \brief Number of round keys for the GIFT-128 key schedule.
- */
-#if GIFT128_VARIANT == GIFT128_VARIANT_TINY
-#define GIFT128_ROUND_KEYS 4
-#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL
-#define GIFT128_ROUND_KEYS 20
-#else
-#define GIFT128_ROUND_KEYS 80
-#endif
-
-/**
- * \brief Structure of the key schedule for GIFT-128 (bit-sliced).
- */
-typedef struct
-{
- /** Pre-computed round keys for bit-sliced GIFT-128 */
- uint32_t k[GIFT128_ROUND_KEYS];
-
-} gift128b_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for GIFT-128 (bit-sliced).
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the 16 bytes of the key data.
- */
-void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version assumes that the input has already been pre-loaded from
- * big-endian into host byte order in the supplied word array. The output
- * is delivered in the same way.
- */
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4]);
-
-/**
- * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- */
-void gift128b_decrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Structure of the key schedule for GIFT-128 (nibble-based).
- */
-typedef gift128b_key_schedule_t gift128n_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for GIFT-128 (nibble-based).
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the 16 bytes of the key data.
- */
-void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void gift128n_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- */
-void gift128n_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */
-#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */
-#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */
-#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */
-#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */
-#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */
-#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */
-#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */
-#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */
-#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */
-#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */
-#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */
-#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */
-#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */
-#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */
-#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */
-#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */
-
-/**
- * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value expanded to 32-bit.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This variant of GIFT-128 is used by the ESTATE submission to the
- * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to
- * some of the rounds to provide domain separation. If the tweak is
- * zero, then this function is identical to gift128n_encrypt().
- */
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak);
-
-/**
- * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value expanded to 32-bit.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This variant of GIFT-128 is used by the ESTATE submission to the
- * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to
- * some of the rounds to provide domain separation. If the tweak is
- * zero, then this function is identical to gift128n_encrypt().
- */
-void gift128t_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128b-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128b-avr.S
deleted file mode 100644
index 641613a..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128b-avr.S
+++ /dev/null
@@ -1,2104 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 40 -table_0: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - .byte 26 - - .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+4,r18 - std Z+5,r19 - std Z+6,r20 - std Z+7,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+8,r18 - std Z+9,r19 - std Z+10,r20 - std Z+11,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+12,r18 - std Z+13,r19 - std Z+14,r20 - std Z+15,r21 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd 
r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - mov r16,r1 -46: - rcall 199f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - rcall 199f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - rcall 199f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - rcall 199f - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - 
rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - ldi r17,40 - cpse r16,r17 - rjmp 46b - rjmp 548f -199: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - movw r18,r22 - movw r20,r2 - mov r0,r4 - and r0,r18 - eor r8,r0 - mov r0,r5 - and r0,r19 - eor r9,r0 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - movw r22,r12 - movw r2,r14 - movw r12,r18 - movw r14,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r2,0 - bld r22,4 - bst r22,2 - bld r2,0 - bst r23,0 - bld r22,2 - bst r22,3 - bld r23,0 - bst r23,4 - bld r22,3 - bst r2,3 - bld r23,4 - bst r23,6 - bld r2,3 - bst r3,3 - bld r23,6 - bst r23,5 - bld r3,3 - bst r2,7 - bld r23,5 - bst r3,6 - bld r2,7 - bst r3,1 - bld r3,6 - bst r22,5 - bld r3,1 - bst r2,4 - bld r22,5 - bst r2,2 - bld r2,4 - bst r23,2 - bld r2,2 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r3,7 - bld r23,7 - bst r3,5 - bld r3,7 - bst r2,5 - bld r3,5 - bst r2,6 - bld r2,5 - bst r3,2 - bld r2,6 - bst r23,1 - bld r3,2 - bst r22,7 - bld r23,1 - bst r3,4 - bld r22,7 - bst r2,1 - bld r3,4 - bst r22,6 - bld r2,1 - bst r3,0 - bld r22,6 - bst r0,0 - bld r3,0 - bst r4,0 - bld r0,0 - bst r4,1 - bld r4,0 - bst r4,5 - bld r4,1 - bst r6,5 - bld r4,5 - bst r6,7 - bld r6,5 - bst r7,7 - bld 
r6,7 - bst r7,6 - bld r7,7 - bst r7,2 - bld r7,6 - bst r5,2 - bld r7,2 - bst r5,0 - bld r5,2 - bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,1 - bld r4,2 - bst r4,4 - bld r5,1 - bst r6,1 - bld r4,4 - bst r4,7 - bld r6,1 - bst r7,5 - bld r4,7 - bst r6,6 - bld r7,5 - bst r7,3 - bld r6,6 - bst r5,6 - bld r7,3 - bst r7,0 - bld r5,6 - bst r0,0 - bld r7,0 - bst r4,3 - bld r0,0 - bst r5,5 - bld r4,3 - bst r6,4 - bld r5,5 - bst r6,3 - bld r6,4 - bst r5,7 - bld r6,3 - bst r7,4 - bld r5,7 - bst r6,2 - bld r7,4 - bst r5,3 - bld r6,2 - bst r5,4 - bld r5,3 - bst r6,0 - bld r5,4 - bst r0,0 - bld r6,0 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r8,2 - bld r8,0 - bst r9,2 - bld r8,2 - bst r9,1 - bld r9,2 - bst r8,5 - bld r9,1 - bst r10,6 - bld r8,5 - bst r11,0 - bld r10,6 - bst r8,3 - bld r11,0 - bst r9,6 - bld r8,3 - bst r11,1 - bld r9,6 - bst r8,7 - bld r11,1 - bst r11,6 - bld r8,7 - bst r11,3 - bld r11,6 - bst r9,7 - bld r11,3 - bst r11,5 - bld r9,7 - bst r10,7 - bld r11,5 - bst r11,4 - bld r10,7 - bst r10,3 - bld r11,4 - bst r9,4 - bld r10,3 - bst r10,1 - bld r9,4 - bst r8,4 - bld r10,1 - bst r10,2 - bld r8,4 - bst r9,0 - bld r10,2 - bst r8,1 - bld r9,0 - bst r8,6 - bld r8,1 - bst r11,2 - bld r8,6 - bst r9,3 - bld r11,2 - bst r9,5 - bld r9,3 - bst r10,5 - bld r9,5 - bst r10,4 - bld r10,5 - bst r10,0 - bld r10,4 - bst r0,0 - bld r10,0 - bst r12,0 - bld r0,0 - bst r12,3 - bld r12,0 - bst r13,7 - bld r12,3 - bst r15,6 - bld r13,7 - bst r15,0 - bld r15,6 - bst r0,0 - bld r15,0 - bst r12,1 - bld r0,0 - bst r12,7 - bld r12,1 - bst r15,7 - bld r12,7 - bst r15,4 - bld r15,7 - bst r14,0 - bld r15,4 - bst r0,0 - bld r14,0 - bst r12,2 - bld r0,0 - bst r13,3 - bld r12,2 - bst r13,6 - bld r13,3 - bst r15,2 - bld r13,6 - bst r13,0 - bld r15,2 - bst r0,0 - bld r13,0 - bst r12,4 - bld r0,0 - bst r14,3 - bld r12,4 - bst r13,5 - bld r14,3 - bst r14,6 - bld r13,5 - bst r15,1 - bld r14,6 - bst r0,0 - bld r15,1 - bst r12,5 - bld r0,0 - bst 
r14,7 - bld r12,5 - bst r15,5 - bld r14,7 - bst r14,4 - bld r15,5 - bst r14,1 - bld r14,4 - bst r0,0 - bld r14,1 - bst r12,6 - bld r0,0 - bst r15,3 - bld r12,6 - bst r13,4 - bld r15,3 - bst r14,2 - bld r13,4 - bst r13,1 - bld r14,2 - bst r0,0 - bld r13,1 - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r16 - ret -548: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 
- std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - mov r16,r1 -46: - rcall 199f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - rcall 199f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - rcall 199f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - rcall 199f - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror 
r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - ldi r17,40 - cpse r16,r17 - rjmp 46b - rjmp 548f -199: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - movw r18,r22 - movw r20,r2 - mov r0,r4 - and r0,r18 - eor r8,r0 - mov r0,r5 - and r0,r19 - eor r9,r0 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - movw r22,r12 - movw r2,r14 - movw r12,r18 - movw r14,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r2,0 - bld r22,4 - bst r22,2 - bld r2,0 - bst r23,0 - bld r22,2 - bst r22,3 - bld r23,0 - bst r23,4 - bld r22,3 - bst r2,3 - bld r23,4 - bst r23,6 - bld r2,3 - bst r3,3 - bld r23,6 - bst r23,5 - bld r3,3 - bst r2,7 - bld r23,5 - bst r3,6 - bld r2,7 - bst r3,1 - bld r3,6 - bst r22,5 - bld r3,1 - bst r2,4 - bld r22,5 - bst r2,2 - bld r2,4 - bst r23,2 - bld r2,2 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r3,7 - bld r23,7 - bst r3,5 - bld r3,7 - bst r2,5 - bld r3,5 - bst r2,6 - bld r2,5 - bst r3,2 - bld r2,6 - bst r23,1 - bld r3,2 - bst r22,7 - bld r23,1 - bst r3,4 - bld r22,7 - bst r2,1 - bld r3,4 - bst r22,6 - bld r2,1 - bst r3,0 - bld r22,6 - bst r0,0 - bld r3,0 - bst r4,0 - bld r0,0 - bst r4,1 - bld r4,0 - bst r4,5 - bld r4,1 - bst r6,5 - bld r4,5 - bst r6,7 - bld r6,5 - bst r7,7 - bld r6,7 - bst r7,6 - bld r7,7 - bst r7,2 - bld r7,6 - bst r5,2 - bld r7,2 - bst r5,0 - bld r5,2 - 
bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,1 - bld r4,2 - bst r4,4 - bld r5,1 - bst r6,1 - bld r4,4 - bst r4,7 - bld r6,1 - bst r7,5 - bld r4,7 - bst r6,6 - bld r7,5 - bst r7,3 - bld r6,6 - bst r5,6 - bld r7,3 - bst r7,0 - bld r5,6 - bst r0,0 - bld r7,0 - bst r4,3 - bld r0,0 - bst r5,5 - bld r4,3 - bst r6,4 - bld r5,5 - bst r6,3 - bld r6,4 - bst r5,7 - bld r6,3 - bst r7,4 - bld r5,7 - bst r6,2 - bld r7,4 - bst r5,3 - bld r6,2 - bst r5,4 - bld r5,3 - bst r6,0 - bld r5,4 - bst r0,0 - bld r6,0 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r8,2 - bld r8,0 - bst r9,2 - bld r8,2 - bst r9,1 - bld r9,2 - bst r8,5 - bld r9,1 - bst r10,6 - bld r8,5 - bst r11,0 - bld r10,6 - bst r8,3 - bld r11,0 - bst r9,6 - bld r8,3 - bst r11,1 - bld r9,6 - bst r8,7 - bld r11,1 - bst r11,6 - bld r8,7 - bst r11,3 - bld r11,6 - bst r9,7 - bld r11,3 - bst r11,5 - bld r9,7 - bst r10,7 - bld r11,5 - bst r11,4 - bld r10,7 - bst r10,3 - bld r11,4 - bst r9,4 - bld r10,3 - bst r10,1 - bld r9,4 - bst r8,4 - bld r10,1 - bst r10,2 - bld r8,4 - bst r9,0 - bld r10,2 - bst r8,1 - bld r9,0 - bst r8,6 - bld r8,1 - bst r11,2 - bld r8,6 - bst r9,3 - bld r11,2 - bst r9,5 - bld r9,3 - bst r10,5 - bld r9,5 - bst r10,4 - bld r10,5 - bst r10,0 - bld r10,4 - bst r0,0 - bld r10,0 - bst r12,0 - bld r0,0 - bst r12,3 - bld r12,0 - bst r13,7 - bld r12,3 - bst r15,6 - bld r13,7 - bst r15,0 - bld r15,6 - bst r0,0 - bld r15,0 - bst r12,1 - bld r0,0 - bst r12,7 - bld r12,1 - bst r15,7 - bld r12,7 - bst r15,4 - bld r15,7 - bst r14,0 - bld r15,4 - bst r0,0 - bld r14,0 - bst r12,2 - bld r0,0 - bst r13,3 - bld r12,2 - bst r13,6 - bld r13,3 - bst r15,2 - bld r13,6 - bst r13,0 - bld r15,2 - bst r0,0 - bld r13,0 - bst r12,4 - bld r0,0 - bst r14,3 - bld r12,4 - bst r13,5 - bld r14,3 - bst r14,6 - bld r13,5 - bst r15,1 - bld r14,6 - bst r0,0 - bld r15,1 - bst r12,5 - bld r0,0 - bst r14,7 - bld r12,5 - bst r15,5 - bld r14,7 - bst r14,4 - bld r15,5 - bst r14,1 - bld r14,4 - bst 
r0,0 - bld r14,1 - bst r12,6 - bld r0,0 - bst r15,3 - bld r12,6 - bst r13,4 - bld r15,3 - bst r14,2 - bld r13,4 - bst r13,1 - bld r14,2 - bst r0,0 - bld r13,1 - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r16 - ret -548: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd 
r24,Z+6 - ldd r25,Z+7 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -114: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 
- std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - cpse r16,r1 - rjmp 114b - rjmp 611f -266: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld 
r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 - bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - 
bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -611: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128b-full-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128b-full-avr.S deleted file mode 100644 index ff11875..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128b-full-avr.S +++ /dev/null 
@@ -1,5037 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - -#include "internal-gift128-config.h" - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 160 -table_0: - .byte 8 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 128 - .byte 1 - .byte 128 - .byte 2 - .byte 0 - .byte 0 - .byte 84 - .byte 129 - .byte 1 - .byte 1 - .byte 1 - .byte 31 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 136 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 81 - .byte 128 - .byte 1 - .byte 3 - .byte 3 - .byte 47 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 96 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 65 - .byte 128 - .byte 0 - .byte 3 - .byte 3 - .byte 39 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 64 - .byte 2 - .byte 0 - .byte 80 - .byte 17 - .byte 128 - .byte 1 - .byte 2 - .byte 3 - .byte 43 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 8 - .byte 8 - .byte 16 - .byte 0 - .byte 64 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 64 - .byte 1 - .byte 128 - .byte 0 - .byte 2 - .byte 2 - .byte 33 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 192 - .byte 1 - .byte 0 - .byte 2 - .byte 0 - .byte 0 - .byte 81 - .byte 128 - .byte 1 - .byte 1 - .byte 3 - .byte 46 - .byte 0 - .byte 0 - .byte 128 - .byte 0 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 32 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 64 - .byte 128 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 0 - .byte 0 - .byte 128 - .byte 8 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 160 - .byte 1 - .byte 192 - .byte 2 - .byte 0 - .byte 80 - .byte 20 - .byte 129 - .byte 1 - .byte 2 - .byte 1 - .byte 26 - .byte 0 - .byte 0 - .byte 128 - 
- .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 - movw r26,r22 -.L__stack_usage = 18 - ld r13,X+ - ld r12,X+ - ld r11,X+ - ld r10,X+ - ld r5,X+ - ld r4,X+ - ld r3,X+ - ld r2,X+ - ld r9,X+ - ld r8,X+ - ld r7,X+ - ld r6,X+ - ld r29,X+ - ld r28,X+ - ld r23,X+ - ld r22,X+ - st Z+,r22 - st Z+,r23 - st Z+,r28 - st Z+,r29 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - ldi r24,4 -33: - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r29 - ror r28 - ror r0 - lsr r29 - ror r28 - ror r0 - or r29,r0 - st Z+,r22 - st Z+,r23 - st Z+,r28 - st Z+,r29 - mov r0,r22 - mov r22,r2 - mov r2,r0 - mov r0,r23 - mov r23,r3 - mov r3,r0 - mov r0,r28 - mov r28,r4 - mov r4,r0 - mov r0,r29 - mov r29,r5 - mov r5,r0 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - mov r0,r6 - mov r6,r10 - mov r10,r0 - mov r0,r7 - mov r7,r11 - mov r11,r0 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - dec r24 - breq 5115f - rjmp 33b -5115: - subi r30,80 - sbc r31,r1 - ldi r24,2 -119: - ld r22,Z - ldd r23,Z+1 - ldd r28,Z+2 - ldd r29,Z+3 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor 
r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - st Z,r29 - std Z+1,r23 - std Z+2,r28 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r28,Z+6 - ldd r29,Z+7 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror 
r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+4,r29 - std Z+5,r23 - std Z+6,r28 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r28,Z+10 - ldd r29,Z+11 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - 
ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+8,r29 - std Z+9,r23 - std Z+10,r28 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r28,Z+14 - ldd r29,Z+15 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 
- eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+12,r29 - std Z+13,r23 - std Z+14,r28 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r28,Z+18 - ldd r29,Z+19 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - 
mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+16,r29 - std Z+17,r23 - std Z+18,r28 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r28,Z+22 - ldd r29,Z+23 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+20,r29 - std Z+21,r23 - std Z+22,r28 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r28,Z+26 - ldd r29,Z+27 - movw r18,r22 - 
movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+24,r29 - std Z+25,r23 - std Z+26,r28 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r28,Z+30 - ldd r29,Z+31 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor 
r20,r28 - eor r21,r29 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+28,r29 - std Z+29,r23 - std Z+30,r28 - std Z+31,r22 - dec r24 - breq 1268f - adiw r30,40 - rjmp 119b -1268: - adiw r30,40 - movw r26,r30 - subi r26,80 - sbc r27,r1 - ldi r24,6 -1274: - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - movw r18,r2 - movw r20,r4 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r2 - eor r19,r3 - andi r18,51 - andi r19,51 - eor r2,r18 - eor r3,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - 
mov r18,r1 - mov r19,r1 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - movw r18,r2 - movw r20,r4 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - st Z,r2 - std Z+1,r3 - std Z+2,r4 - std Z+3,r5 - movw r18,r22 - movw r20,r28 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - andi r28,204 - andi r29,204 - or r28,r21 - or r29,r18 - or r22,r19 - or r23,r20 - movw r18,r28 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r28 - eor r19,r29 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r28,r18 - eor r29,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r28,r18 - eor r29,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r28 - std Z+5,r29 - std Z+6,r22 - std Z+7,r23 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - swap r3 - lsl r4 - adc r4,r1 - lsl r4 - adc r4,r1 - swap r5 - std Z+8,r2 - std Z+9,r3 - std Z+10,r4 - std Z+11,r5 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r28 - adc r28,r1 - lsl r28 - adc r28,r1 - lsl r28 - adc r28,r1 - lsl r29 - adc r29,r1 - lsl r29 - adc r29,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r28 - std Z+15,r29 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - movw r18,r2 - movw r20,r4 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - ldi r25,85 - and r2,r25 - and r3,r25 - and r4,r25 - and r5,r25 - or r2,r19 - or r3,r20 - or r4,r21 - or r5,r18 - std Z+16,r4 - std Z+17,r5 - std Z+18,r2 - std Z+19,r3 - movw r18,r22 - movw r20,r28 - andi r18,85 - andi r19,85 - andi r20,85 - andi 
r21,85 - andi r22,170 - andi r23,170 - andi r28,170 - andi r29,170 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - or r22,r18 - or r23,r19 - or r28,r20 - or r29,r21 - std Z+20,r29 - std Z+21,r22 - std Z+22,r23 - std Z+23,r28 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - movw r18,r2 - movw r20,r4 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - movw r18,r2 - movw r20,r4 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r14,r18 - movw r16,r20 - lsr r17 - ror r16 - ror r15 - ror r14 - lsr r17 - ror r16 - ror r15 - ror r14 - lsr r17 - ror r16 - ror r15 - ror r14 - lsr r17 - ror r16 - ror r15 - ror r14 - eor r14,r18 - eor r15,r19 - eor r16,r20 - eor r17,r21 - ldi r25,8 - and r14,r25 - and r15,r25 - andi r16,8 - andi r17,8 - eor r18,r14 - eor r19,r15 - eor r20,r16 - eor r21,r17 - lsl r14 - rol r15 - rol r16 - rol r17 - lsl r14 - rol r15 - rol r16 - rol r17 - lsl r14 - rol r15 - rol r16 - rol r17 - lsl r14 - rol r15 - rol r16 - rol r17 - eor r18,r14 - eor r19,r15 - eor r20,r16 - eor r21,r17 - ldi r17,15 - and r2,r17 - and r3,r17 - and r4,r17 - and r5,r17 - or r2,r18 - or r3,r19 - or r4,r20 - or r5,r21 - std Z+24,r2 - std Z+25,r3 - std Z+26,r4 - std Z+27,r5 - movw r18,r28 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r2,r22 - movw r4,r28 - ldi r16,1 - and r2,r16 - and r3,r16 - and r4,r16 - and r5,r16 - lsl r2 - rol r3 - rol r4 - rol r5 - lsl r2 - rol r3 - rol r4 - 
rol r5 - lsl r2 - rol r3 - rol r4 - rol r5 - or r2,r18 - or r3,r19 - movw r18,r28 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r2,r18 - or r3,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r4,r18 - or r5,r19 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r2,r18 - or r3,r19 - or r4,r20 - or r5,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r4,r22 - or r5,r23 - std Z+28,r2 - std Z+29,r3 - std Z+30,r4 - std Z+31,r5 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - mov r0,r1 - lsr r5 - ror r4 - ror r0 - lsr r5 - ror r4 - ror r0 - lsr r5 - ror r4 - ror r0 - lsr r5 - ror r4 - ror r0 - or r5,r0 - std Z+32,r3 - std Z+33,r2 - std Z+34,r4 - std Z+35,r5 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r28 - mov r28,r29 - mov r29,r0 - lsl r28 - rol r29 - adc r28,r1 - lsl r28 - rol r29 - adc r28,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r28 - std Z+39,r29 - dec r24 - breq 1733f - adiw r30,40 - rjmp 1274b -1733: - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e -.L__stack_usage = 19 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld 
r13,X+ - ld r12,X+ - movw r26,r30 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rjmp 765f -27: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror 
r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - 
ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 
- and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - 
mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov 
r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -765: -#if defined(RAMPZ) 
- pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+1 - ldd r27,Y+2 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - pop r0 - pop r0 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e -.L__stack_usage = 19 - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - movw r26,r30 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rjmp 765f -27: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov 
r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z 
-#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld 
r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - 
ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - 
eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -765: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+1 - ldd r27,Y+2 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - pop r0 - pop r0 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e -.L__stack_usage = 19 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld 
r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - movw r26,r30 - subi r26,192 - sbci r27,254 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,160 - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rjmp 768f -30: - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - mov r0,r12 - mov r12,r13 - mov r13,r14 - mov r14,r15 - mov r15,r0 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 
- eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r1 - lsr r22 - ror r0 - lsr r22 - ror r0 - or r22,r0 - mov r0,r1 - lsr r23 - ror r0 - lsr r23 - ror r0 - or r23,r0 - mov r0,r1 - lsr r2 - ror r0 - lsr r2 - ror r0 - or r2,r0 - mov r0,r1 - lsr r3 - ror r0 - lsr r3 - ror r0 - or r3,r0 - swap r4 - swap r5 - swap r6 - swap r7 - lsl r8 - adc r8,r1 - lsl r8 - adc r8,r1 - lsl r9 - adc r9,r1 - lsl r9 - adc r9,r1 - lsl r10 - adc r10,r1 - lsl r10 - adc r10,r1 - lsl r11 - adc r11,r1 - lsl r11 - adc r11,r1 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - com r22 - 
com r23 - com r2 - com r3 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - 
rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor 
r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - com r22 - com r23 - com r2 - com r3 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z 
-#else - lpm - mov r18,r0 -#endif - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,119 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r15 - ror r14 - ror r13 - ror r12 - lsr r15 - ror r14 - ror r13 - ror r12 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,17 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor 
r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -768: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+1 - ldd r27,Y+2 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - pop r0 - pop r0 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128b-small-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128b-small-avr.S deleted file mode 100644 index 77ef9fd..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128b-small-avr.S +++ /dev/null 
@@ -1,6053 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - -#include "internal-gift128-config.h" - -#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 160 -table_0: - .byte 8 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 128 - .byte 1 - .byte 128 - .byte 2 - .byte 0 - .byte 0 - .byte 84 - .byte 129 - .byte 1 - .byte 1 - .byte 1 - .byte 31 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 136 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 81 - .byte 128 - .byte 1 - .byte 3 - .byte 3 - .byte 47 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 96 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 65 - .byte 128 - .byte 0 - .byte 3 - .byte 3 - .byte 39 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 64 - .byte 2 - .byte 0 - .byte 80 - .byte 17 - .byte 128 - .byte 1 - .byte 2 - .byte 3 - .byte 43 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 8 - .byte 8 - .byte 16 - .byte 0 - .byte 64 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 64 - .byte 1 - .byte 128 - .byte 0 - .byte 2 - .byte 2 - .byte 33 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 192 - .byte 1 - .byte 0 - .byte 2 - .byte 0 - .byte 0 - .byte 81 - .byte 128 - .byte 1 - .byte 1 - .byte 3 - .byte 46 - .byte 0 - .byte 0 - .byte 128 - .byte 0 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 32 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 64 - .byte 128 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 0 - .byte 0 - .byte 128 - .byte 8 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 160 - .byte 1 - .byte 192 - .byte 2 - .byte 0 - .byte 80 - .byte 20 - .byte 129 - .byte 1 - .byte 2 - .byte 1 - .byte 26 - .byte 0 - .byte 0 - .byte 128 - 
- .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - movw r30,r24 - movw r26,r22 -.L__stack_usage = 16 - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - ldi r24,4 -33: - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - mov r0,r22 - mov r22,r4 - mov r4,r0 - mov r0,r23 - mov r23,r5 - mov r5,r0 - mov r0,r2 - mov r2,r6 - mov r6,r0 - mov r0,r3 - mov r3,r7 - mov r7,r0 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - mov r0,r10 - mov r10,r14 - mov r14,r0 - mov r0,r11 - mov r11,r15 - mov r15,r0 - dec r24 - breq 5115f - rjmp 33b -5115: - subi r30,80 - sbc r31,r1 - ldi r24,2 -119: - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 
- mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - st Z,r3 - std Z+1,r23 - std Z+2,r2 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 
- ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+4,r3 - std Z+5,r23 - std Z+6,r2 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 
- mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+8,r3 - std Z+9,r23 - std Z+10,r2 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 
- lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+12,r3 - std Z+13,r23 - std Z+14,r2 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol 
r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r3 - std Z+17,r23 - std Z+18,r2 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+20,r3 - std Z+21,r23 - std Z+22,r2 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - 
eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+24,r3 - std Z+25,r23 - std Z+26,r2 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r2,Z+30 - ldd r3,Z+31 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 
- rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+28,r3 - std Z+29,r23 - std Z+30,r2 - std Z+31,r22 - dec r24 - breq 1268f - adiw r30,40 - rjmp 119b -1268: - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in 
r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ldi r24,20 -1: - ld r22,Z+ - ld r23,Z+ - ld r2,Z+ - ld r3,Z+ - std Y+1,r22 - std Y+2,r23 - std Y+3,r2 - std Y+4,r3 - adiw r28,4 - dec r24 - brne 1b - subi r28,80 - sbc r29,r1 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out 
_SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 73f - rcall 73f - rjmp 1285f -73: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 
- andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov 
r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - 
and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov 
r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - 
eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - 
eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -811: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc r26,r1 - lsl r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc 
r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - 
lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -1285: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc 
r29,r1 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ldi r24,20 -1: - ld r22,Z+ - ld r23,Z+ - ld r2,Z+ - ld r3,Z+ - std Y+1,r22 - std Y+2,r23 - std Y+3,r2 - std Y+4,r3 - adiw r28,4 - dec r24 - brne 1b - subi r28,80 - sbc r29,r1 - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if 
defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 73f - rcall 73f - rjmp 1285f -73: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and 
r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - 
eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif 
defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor 
r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - 
lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - 
ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -811: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and 
r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc r26,r1 - lsl r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw 
r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or 
r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -1285: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc r29,r1 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_1, @object - .size table_1, 40 -table_1: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - 
.byte 26 - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor 
r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - 
mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw 
r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - 
mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r17,hh8(table_1) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -678: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 
- adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - cpse r16,r1 - rjmp 678b - rjmp 1175f -830: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 
- bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw 
r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -1175: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128b-tiny-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128b-tiny-avr.S deleted file mode 100644 index e7a03f1..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-gift128b-tiny-avr.S +++ /dev/null 
@@ -1,6766 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - -#include "internal-gift128-config.h" - -#if GIFT128_VARIANT == GIFT128_VARIANT_TINY - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 160 -table_0: - .byte 8 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 128 - .byte 1 - .byte 128 - .byte 2 - .byte 0 - .byte 0 - .byte 84 - .byte 129 - .byte 1 - .byte 1 - .byte 1 - .byte 31 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 136 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 81 - .byte 128 - .byte 1 - .byte 3 - .byte 3 - .byte 47 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 96 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 65 - .byte 128 - .byte 0 - .byte 3 - .byte 3 - .byte 39 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 64 - .byte 2 - .byte 0 - .byte 80 - .byte 17 - .byte 128 - .byte 1 - .byte 2 - .byte 3 - .byte 43 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 8 - .byte 8 - .byte 16 - .byte 0 - .byte 64 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 64 - .byte 1 - .byte 128 - .byte 0 - .byte 2 - .byte 2 - .byte 33 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 192 - .byte 1 - .byte 0 - .byte 2 - .byte 0 - .byte 0 - .byte 81 - .byte 128 - .byte 1 - .byte 1 - .byte 3 - .byte 46 - .byte 0 - .byte 0 - .byte 128 - .byte 0 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 32 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 64 - .byte 128 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 0 - .byte 0 - .byte 128 - .byte 8 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 160 - .byte 1 - .byte 192 - .byte 2 - .byte 0 - .byte 80 - .byte 20 - .byte 129 - .byte 1 - .byte 2 - .byte 1 - .byte 26 - .byte 0 - .byte 0 - .byte 128 - 
- .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - movw r30,r24 - movw r26,r22 -.L__stack_usage = 16 - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - st Z,r22 - std Z+1,r23 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - movw r30,r28 - adiw r30,1 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - ldi r24,4 -35: - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - 
lsr r3 - ror r2 - ror r0 - or r3,r0 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - mov r0,r22 - mov r22,r4 - mov r4,r0 - mov r0,r23 - mov r23,r5 - mov r5,r0 - mov r0,r2 - mov r2,r6 - mov r6,r0 - mov r0,r3 - mov r3,r7 - mov r7,r0 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - mov r0,r10 - mov r10,r14 - mov r14,r0 - mov r0,r11 - mov r11,r15 - mov r15,r0 - dec r24 - breq 5117f - rjmp 35b -5117: - subi r30,80 - sbc r31,r1 - ldi r24,2 -121: - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 
- lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - st Z,r3 - std Z+1,r23 - std Z+2,r2 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor 
r2,r20 - eor r3,r21 - std Z+4,r3 - std Z+5,r23 - std Z+6,r2 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+8,r3 - std Z+9,r23 - std Z+10,r2 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - movw r18,r22 - 
movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+12,r3 - std Z+13,r23 - std Z+14,r2 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - 
andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r3 - std Z+17,r23 - std Z+18,r2 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor 
r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+20,r3 - std Z+21,r23 - std Z+22,r2 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor 
r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+24,r3 - std Z+25,r23 - std Z+26,r2 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r2,Z+30 - ldd r3,Z+31 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 
- ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+28,r3 - std Z+29,r23 - std Z+30,r2 - std Z+31,r22 - dec r24 - breq 1270f - adiw r30,40 - rjmp 121b -1270: - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in 
r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 1329f - rcall 1329f - rjmp 2541f -1329: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - 
ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 
- com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov 
r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - 
lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - 
elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if 
defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -2067: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc r26,r1 - lsl 
r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - 
ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 - rol r3 - 
adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -2541: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc r29,r1 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - movw r30,r28 - adiw r30,1 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - ldi r24,4 -35: - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r3 - 
ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - mov r0,r22 - mov r22,r4 - mov r4,r0 - mov r0,r23 - mov r23,r5 - mov r5,r0 - mov r0,r2 - mov r2,r6 - mov r6,r0 - mov r0,r3 - mov r3,r7 - mov r7,r0 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - mov r0,r10 - mov r10,r14 - mov r14,r0 - mov r0,r11 - mov r11,r15 - mov r15,r0 - dec r24 - breq 5117f - rjmp 35b -5117: - subi r30,80 - sbc r31,r1 - ldi r24,2 -121: - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov 
r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - st Z,r3 - std Z+1,r23 - std Z+2,r2 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - 
eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+4,r3 - std Z+5,r23 - std Z+6,r2 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+8,r3 - std Z+9,r23 - std Z+10,r2 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - 
movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+12,r3 - std Z+13,r23 - std Z+14,r2 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - 
andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r3 - std Z+17,r23 - std Z+18,r2 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor 
r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+20,r3 - std Z+21,r23 - std Z+22,r2 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor 
r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+24,r3 - std Z+25,r23 - std Z+26,r2 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r2,Z+30 - ldd r3,Z+31 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror 
r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+28,r3 - std Z+29,r23 - std Z+30,r2 - std Z+31,r22 - dec r24 - breq 1270f - adiw r30,40 - rjmp 121b -1270: - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - 
in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 1329f - rcall 1329f - rjmp 2541f -1329: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 
- ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor 
r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - 
mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z 
-#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if 
defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - 
inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -2067: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc 
r26,r1 - lsl r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 
- lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 
- rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -2541: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc r29,r1 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_1, @object - .size table_1, 40 -table_1: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - .byte 26 - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld 
r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r17,hh8(table_1) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -114: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 
- ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - cpse r16,r1 - rjmp 114b - rjmp 611f -266: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst 
r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 - bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst 
r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -611: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif - -#endif 
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-util.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include 
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/sundae-gift.c b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/sundae-gift.c deleted file mode 100644 index d192b8e..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/sundae-gift.c +++ /dev/null 
@@ -1,356 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "sundae-gift.h" -#include "internal-gift128.h" -#include "internal-util.h" -#include - -aead_cipher_t const sundae_gift_0_cipher = { - "SUNDAE-GIFT-0", - SUNDAE_GIFT_KEY_SIZE, - SUNDAE_GIFT_0_NONCE_SIZE, - SUNDAE_GIFT_TAG_SIZE, - AEAD_FLAG_NONE, - sundae_gift_0_aead_encrypt, - sundae_gift_0_aead_decrypt -}; - -aead_cipher_t const sundae_gift_64_cipher = { - "SUNDAE-GIFT-64", - SUNDAE_GIFT_KEY_SIZE, - SUNDAE_GIFT_64_NONCE_SIZE, - SUNDAE_GIFT_TAG_SIZE, - AEAD_FLAG_NONE, - sundae_gift_64_aead_encrypt, - sundae_gift_64_aead_decrypt -}; - -aead_cipher_t const sundae_gift_96_cipher = { - "SUNDAE-GIFT-96", - SUNDAE_GIFT_KEY_SIZE, - SUNDAE_GIFT_96_NONCE_SIZE, - SUNDAE_GIFT_TAG_SIZE, - AEAD_FLAG_NONE, - sundae_gift_96_aead_encrypt, - sundae_gift_96_aead_decrypt -}; - -aead_cipher_t const sundae_gift_128_cipher = { - "SUNDAE-GIFT-128", - SUNDAE_GIFT_KEY_SIZE, - SUNDAE_GIFT_128_NONCE_SIZE, - SUNDAE_GIFT_TAG_SIZE, - AEAD_FLAG_NONE, - sundae_gift_128_aead_encrypt, - sundae_gift_128_aead_decrypt -}; - -/* Multiply a block value by 2 in the special byte field */ -STATIC_INLINE void sundae_gift_multiply(unsigned char B[16]) -{ - unsigned char B0 = B[0]; - unsigned index; - for (index = 0; index < 15; ++index) - B[index] = B[index + 1]; - B[15] = B0; - B[10] ^= B0; - B[12] ^= B0; - B[14] ^= B0; -} - -/* Compute a MAC over the concatenation of two data buffers */ -static void sundae_gift_aead_mac - (const gift128b_key_schedule_t *ks, unsigned char V[16], - const unsigned char *data1, unsigned data1len, - const unsigned char *data2, unsigned long data2len) -{ - unsigned len; - - /* Nothing to do if the input is empty */ - if (!data1len && !data2len) - return; - - /* Format the first block. 
We assume that data1len <= 16 - * as it is will be the nonce if it is non-zero in length */ - lw_xor_block(V, data1, data1len); - len = 16 - data1len; - if (len > data2len) - len = (unsigned)data2len; - lw_xor_block(V + data1len, data2, len); - data2 += len; - data2len -= len; - len += data1len; - - /* Process as many full blocks as we can, except the last */ - while (data2len > 0) { - gift128b_encrypt(ks, V, V); - len = 16; - if (len > data2len) - len = (unsigned)data2len; - lw_xor_block(V, data2, len); - data2 += len; - data2len -= len; - } - - /* Pad and process the last block */ - if (len < 16) { - V[len] ^= 0x80; - sundae_gift_multiply(V); - gift128b_encrypt(ks, V, V); - } else { - sundae_gift_multiply(V); - sundae_gift_multiply(V); - gift128b_encrypt(ks, V, V); - } -} - -static int sundae_gift_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, unsigned npublen, - const unsigned char *k, unsigned char domainsep) -{ - gift128b_key_schedule_t ks; - unsigned char V[16]; - unsigned char T[16]; - unsigned char P[16]; - - /* Compute the length of the output ciphertext */ - *clen = mlen + SUNDAE_GIFT_TAG_SIZE; - - /* Set the key schedule */ - gift128b_init(&ks, k); - - /* Format and encrypt the initial domain separation block */ - if (adlen > 0) - domainsep |= 0x80; - if (mlen > 0) - domainsep |= 0x40; - V[0] = domainsep; - memset(V + 1, 0, sizeof(V) - 1); - gift128b_encrypt(&ks, T, V); - - /* Authenticate the nonce and the associated data */ - sundae_gift_aead_mac(&ks, T, npub, npublen, ad, adlen); - - /* Authenticate the plaintext */ - sundae_gift_aead_mac(&ks, T, 0, 0, m, mlen); - - /* Encrypt the plaintext to produce the ciphertext. We need to be - * careful how we manage the data because we could be doing in-place - * encryption. 
In SUNDAE-GIFT, the first 16 bytes of the ciphertext - * is the tag rather than the last 16 bytes in other algorithms. - * We need to swap the plaintext for the current block with the - * ciphertext or tag from the previous block */ - memcpy(V, T, 16); - while (mlen >= 16) { - gift128b_encrypt(&ks, V, V); - lw_xor_block_2_src(P, V, m, 16); - memcpy(c, T, 16); - memcpy(T, P, 16); - c += 16; - m += 16; - mlen -= 16; - } - if (mlen > 0) { - unsigned leftover = (unsigned)mlen; - gift128b_encrypt(&ks, V, V); - lw_xor_block(V, m, leftover); - memcpy(c, T, 16); - memcpy(c + 16, V, leftover); - } else { - memcpy(c, T, 16); - } - return 0; -} - -static int sundae_gift_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, unsigned npublen, - const unsigned char *k, unsigned char domainsep) -{ - gift128b_key_schedule_t ks; - unsigned char V[16]; - unsigned char T[16]; - unsigned char *mtemp; - unsigned long len; - - /* Bail out if the ciphertext is too short */ - if (clen < SUNDAE_GIFT_TAG_SIZE) - return -1; - len = *mlen = clen - SUNDAE_GIFT_TAG_SIZE; - - /* Set the key schedule */ - gift128b_init(&ks, k); - - /* Decrypt the ciphertext to produce the plaintext, using the - * tag as the initialization vector for the decryption process */ - memcpy(T, c, SUNDAE_GIFT_TAG_SIZE); - c += SUNDAE_GIFT_TAG_SIZE; - mtemp = m; - memcpy(V, T, 16); - while (len >= 16) { - gift128b_encrypt(&ks, V, V); - lw_xor_block_2_src(mtemp, c, V, 16); - c += 16; - mtemp += 16; - len -= 16; - } - if (len > 0) { - gift128b_encrypt(&ks, V, V); - lw_xor_block_2_src(mtemp, c, V, (unsigned)len); - } - - /* Format and encrypt the initial domain separation block */ - if (adlen > 0) - domainsep |= 0x80; - if (clen > SUNDAE_GIFT_TAG_SIZE) - domainsep |= 0x40; - V[0] = domainsep; - memset(V + 1, 0, sizeof(V) - 1); - gift128b_encrypt(&ks, V, V); - - /* Authenticate the nonce 
and the associated data */ - sundae_gift_aead_mac(&ks, V, npub, npublen, ad, adlen); - - /* Authenticate the plaintext */ - sundae_gift_aead_mac(&ks, V, 0, 0, m, *mlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, T, V, 16); -} - -int sundae_gift_0_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - (void)npub; - return sundae_gift_aead_encrypt - (c, clen, m, mlen, ad, adlen, 0, 0, k, 0x00); -} - -int sundae_gift_0_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - (void)npub; - return sundae_gift_aead_decrypt - (m, mlen, c, clen, ad, adlen, 0, 0, k, 0x00); -} - -int sundae_gift_64_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - return sundae_gift_aead_encrypt - (c, clen, m, mlen, ad, adlen, - npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90); -} - -int sundae_gift_64_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - return sundae_gift_aead_decrypt - (m, mlen, c, clen, ad, adlen, - npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90); -} - -int sundae_gift_96_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long 
adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - return sundae_gift_aead_encrypt - (c, clen, m, mlen, ad, adlen, - npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0); -} - -int sundae_gift_96_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - return sundae_gift_aead_decrypt - (m, mlen, c, clen, ad, adlen, - npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0); -} - -int sundae_gift_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - return sundae_gift_aead_encrypt - (c, clen, m, mlen, ad, adlen, - npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0); -} - -int sundae_gift_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - return sundae_gift_aead_decrypt - (m, mlen, c, clen, ad, adlen, - npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0); -} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/sundae-gift.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/sundae-gift.h deleted file mode 100644 index 9040dd5..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys-avr/sundae-gift.h +++ /dev/null 
@@ -1,341 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SUNDAE_GIFT_H -#define LWCRYPTO_SUNDAE_GIFT_H - -#include "aead-common.h" - -/** - * \file sundae-gift.h - * \brief SUNDAE-GIFT encryption algorithm family. - * - * The SUNDAE-GIFT family consists of several related algorithms: - * - * \li SUNDAE-GIFT-0 with a 128-bit key, a 0-bit nonce, and 128-bit tag. - * \li SUNDAE-GIFT-64 with a 128-bit key, a 64-bit nonce, and 128-bit tag. - * \li SUNDAE-GIFT-96 with a 128-bit key, a 96-bit nonce, and 128-bit tag. - * This is the primary member of the family. - * \li SUNDAE-GIFT-128 with a 128-bit key, a 128-bit nonce, and 128-bit tag. - * - * SUNDAE-GIFT is resistant against nonce reuse as long as the combination - * of the associated data and plaintext is unique. 
- * - * If a nonce is reused (or there is no nonce in the case of SUNDAE-GIFT-0), - * then two packets with the same associated data and plaintext will encrypt - * to the same ciphertext. This will leak that the same plaintext has been - * sent for a second time but will not reveal the plaintext itself. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for all SUNDAE-GIFT family members. - */ -#define SUNDAE_GIFT_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for all SUNDAE-GIFT family members. - */ -#define SUNDAE_GIFT_TAG_SIZE 16 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-0. - */ -#define SUNDAE_GIFT_0_NONCE_SIZE 0 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-64. - */ -#define SUNDAE_GIFT_64_NONCE_SIZE 8 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-96. - */ -#define SUNDAE_GIFT_96_NONCE_SIZE 12 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-128. - */ -#define SUNDAE_GIFT_128_NONCE_SIZE 16 - -/** - * \brief Meta-information block for the SUNDAE-GIFT-0 cipher. - */ -extern aead_cipher_t const sundae_gift_0_cipher; - -/** - * \brief Meta-information block for the SUNDAE-GIFT-64 cipher. - */ -extern aead_cipher_t const sundae_gift_64_cipher; - -/** - * \brief Meta-information block for the SUNDAE-GIFT-96 cipher. - */ -extern aead_cipher_t const sundae_gift_96_cipher; - -/** - * \brief Meta-information block for the SUNDAE-GIFT-128 cipher. - */ -extern aead_cipher_t const sundae_gift_128_cipher; - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-0. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce - not used by this algorithm. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa sundae_gift_0_aead_decrypt() - */ -int sundae_gift_0_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-0. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce - not used by this algorithm. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa sundae_gift_0_aead_encrypt() - */ -int sundae_gift_0_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-64. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa sundae_gift_64_aead_decrypt() - */ -int sundae_gift_64_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-64. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa sundae_gift_64_aead_encrypt() - */ -int sundae_gift_64_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-96. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa sundae_gift_96_aead_decrypt() - */ -int sundae_gift_96_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-96. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa sundae_gift_96_aead_encrypt() - */ -int sundae_gift_96_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa sundae_gift_128_aead_decrypt() - */ -int sundae_gift_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-12896. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa sundae_gift_128_aead_encrypt() - */ -int sundae_gift_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/internal-ascon.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128-config.h similarity index 51% rename from ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/internal-ascon.h rename to sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128-config.h index d3fa3ca..62131ba 100644 --- a/ascon/Implementations/crypto_hash/asconxofv12/rhys-avr/internal-ascon.h +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128-config.h 
@@ -20,45 +20,61 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LW_INTERNAL_ASCON_H -#define LW_INTERNAL_ASCON_H +#ifndef LW_INTERNAL_GIFT128_CONFIG_H +#define LW_INTERNAL_GIFT128_CONFIG_H -#include "internal-util.h" +/** + * \file internal-gift128-config.h + * \brief Configures the variant of GIFT-128 to use. + */ /** - * \file internal-ascon.h - * \brief Internal implementation of the ASCON permutation. + * \brief Select the full variant of GIFT-128. * - * References: http://competitions.cr.yp.to/round3/asconv12.pdf, - * http://ascon.iaik.tugraz.at/ + * The full variant requires 320 bytes for the key schedule and uses the + * fixslicing method to implement encryption and decryption. */ - -#ifdef __cplusplus -extern "C" { -#endif +#define GIFT128_VARIANT_FULL 0 /** - * \brief Structure of the internal state of the ASCON permutation. + * \brief Select the small variant of GIFT-128. + * + * The small variant requires 80 bytes for the key schedule. The rest + * of the key schedule is expanded on the fly during encryption. + * + * The fixslicing method is used to implement encryption and the slower + * bitslicing method is used to implement decryption. The small variant + * is suitable when memory is at a premium, decryption is not needed, + * but encryption performance is still important. */ -typedef union -{ - uint64_t S[5]; /**< Words of the state */ - uint8_t B[40]; /**< Bytes of the state */ - -} ascon_state_t; +#define GIFT128_VARIANT_SMALL 1 /** - * \brief Permutes the ASCON state. + * \brief Select the tiny variant of GIFT-128. * - * \param state The ASCON state to be permuted. - * \param first_round The first round (of 12) to be performed; 0, 4, or 6. - * - * The input and output \a state will be in big-endian byte order. + * The tiny variant requires 16 bytes for the key schedule and uses the + * bitslicing method to implement encryption and decryption. It is suitable + * for use when memory is very tight and performance is not critical. 
*/ -void ascon_permute(ascon_state_t *state, uint8_t first_round); +#define GIFT128_VARIANT_TINY 2 -#ifdef __cplusplus -} +/** + * \def GIFT128_VARIANT + * \brief Selects the default variant of GIFT-128 to use on this platform. + */ +/** + * \def GIFT128_VARIANT_ASM + * \brief Defined to 1 if the GIFT-128 implementation has been replaced + * with an assembly code version. + */ +#if defined(__AVR__) && !defined(GIFT128_VARIANT_ASM) +#define GIFT128_VARIANT_ASM 1 +#endif +#if !defined(GIFT128_VARIANT) +#define GIFT128_VARIANT GIFT128_VARIANT_FULL +#endif +#if !defined(GIFT128_VARIANT_ASM) +#define GIFT128_VARIANT_ASM 0 #endif #endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.c b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.c index 681dbc8..c6ac5ec 100644 --- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.c +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.c @@ -23,8 +23,12 @@ #include "internal-gift128.h" #include "internal-util.h" +#if !GIFT128_VARIANT_ASM + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /* Round constants for GIFT-128 in the fixsliced representation */ -static uint32_t const GIFT128_RC[40] = { +static uint32_t const GIFT128_RC_fixsliced[40] = { 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, 
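Review bot: The fallback defaults at the end of internal-gift128-config.h accept any value of GIFT128_VARIANT, so a misspelled override evaluates to 0 in `#if` (silently selecting the full variant) and an out-of-range number compiles a mix of paths in internal-gift128.c — as far as the hunks in this diff show, the fixsliced `gift128b_init` together with the `#else` bitsliced `gift128b_encrypt`, which read the key schedule in different layouts. A range check after the defaults turns that into a build error: `#if GIFT128_VARIANT < GIFT128_VARIANT_FULL || GIFT128_VARIANT > GIFT128_VARIANT_TINY` / `#error "GIFT128_VARIANT must be GIFT128_VARIANT_FULL, _SMALL or _TINY"` / `#endif`. It would also help to state in the `\def GIFT128_VARIANT` comment that the value is only honoured when GIFT128_VARIANT_ASM is 0, since internal-gift128.c wraps all of the C code in `#if !GIFT128_VARIANT_ASM`.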
@@ -34,6 +38,246 @@ static uint32_t const GIFT128_RC[40] = { 0xc001a000, 0x14500002, 0x01020181, 0x8000001a }; +#endif + +#if GIFT128_VARIANT != GIFT128_VARIANT_FULL + +/* Round constants for GIFT-128 in the bitsliced representation */ +static uint8_t const GIFT128_RC[40] = { + 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, + 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, + 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, + 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38, + 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A +}; + +#endif + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/* + * The permutation below was generated by the online permuation generator at + * "http://programming.sirrida.de/calcperm.php". + * + * All of the permutuations are essentially the same, except that each is + * rotated by 8 bits with respect to the next: + * + * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15 + * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23 + * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31 + * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7 + * + * The most efficient permutation from the online generator was P3, so we + * perform it as the core of the others, and then perform a final rotation. + * + * It is possible to do slightly better than "P3 then rotate" on desktop and + * server architectures for the other permutations. But the advantage isn't + * as evident on embedded platforms so we keep things simple. 
+ */ +#define PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define PERM0(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate8(_x); \ + } while (0) +#define PERM1(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate16(_x); \ + } while (0) +#define PERM2(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate24(_x); \ + } while (0) +#define PERM3(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +#define INV_PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x00550055, 9); \ + bit_permute_step(x, 0x00003333, 18); \ + bit_permute_step(x, 0x000f000f, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define INV_PERM0(x) \ + do { \ + uint32_t _x = rightRotate8(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM1(x) \ + do { \ + uint32_t _x = rightRotate16(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM2(x) \ + do { \ + uint32_t _x = rightRotate24(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM3(x) \ + do { \ + uint32_t _x = (x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. 
+ */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /** * \brief Swaps bits within two words. * 
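Review bot: `PERM_WORDS` in gift128n_to_words and `INV_PERM_WORDS` in gift128n_to_nibbles are defined inside the function bodies but never undefined, so both names stay visible for the rest of the translation unit and would collide with any later definition; an `#undef PERM_WORDS` after the four uses (and `#undef INV_PERM_WORDS` likewise) keeps them function-local as their placement suggests. The "can be the same buffer" guarantee on gift128n_to_words holds only because all four `le_load_word32` calls happen before the first `output[i]` store; a one-line comment at the stores, `/* all input words are already in s0..s3, so in-place output is safe */`, would stop a later edit from interleaving them. gift128n_to_nibbles is used in place by gift128n_encrypt/gift128n_decrypt too, but its doc comment does not say so; adding the same sentence there would make that contract explicit.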
@@ -202,21 +446,27 @@ static void gift128b_compute_round_keys /* Keys 8, 9, 18, and 19 do not need any adjustment */ } +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL /* Derive the fixsliced keys for the remaining rounds 11..40 */ for (index = 20; index < 80; index += 10) { gift128b_derive_keys(ks->k + index, ks->k + index - 20); } +#endif } -int gift128b_init - (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) { - if (!ks || !key || key_len != 16) - return 0; gift128b_compute_round_keys (ks, be_load_word32(key), be_load_word32(key + 4), be_load_word32(key + 8), be_load_word32(key + 12)); - return 1; +} + +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian key byte order from the HYENA submission */ + gift128b_compute_round_keys + (ks, le_load_word32(key + 12), le_load_word32(key + 8), + le_load_word32(key + 4), le_load_word32(key)); } /** 
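Review bot: `gift128b_init` and the new `gift128n_init` drop the former `key_len != 16` check and the success/failure return, so a caller that passes a shorter buffer now gets four `be_load_word32`/`le_load_word32` reads past its end with no signal; if the header (not in this chunk) does not already say so, its `\param key` line should state `Points to the 16 bytes of the key; no length check is performed, the caller must guarantee it.` Since the loop that derived rounds 11..40 is now compiled only for GIFT128_VARIANT_FULL, `index` may be left unused in the small build if gift128b_compute_round_keys has no other use for it — that function starts outside the hunk, so this is inferred, not verified. The new `#endif` inside gift128b_compute_round_keys carries no label; `#endif /* GIFT128_VARIANT_FULL */` would match the style used further down in this file.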
@@ -521,11 +771,37 @@ int gift128b_init gift128b_inv_sbox(s3, s1, s2, s0); \ } while (0) +#else /* GIFT128_VARIANT_TINY */ + +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) +{ + /* Mirror the fixslicing word order of 3, 1, 2, 0 */ + ks->k[0] = be_load_word32(key + 12); + ks->k[1] = be_load_word32(key + 4); + ks->k[2] = be_load_word32(key + 8); + ks->k[3] = be_load_word32(key); +} + +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian key byte order from the HYENA submission + * and mirror the fixslicing word order of 3, 1, 2, 0 */ + ks->k[0] = le_load_word32(key); + ks->k[1] = le_load_word32(key + 8); + ks->k[2] = le_load_word32(key + 4); + ks->k[3] = le_load_word32(key + 12); +} + +#endif /* GIFT128_VARIANT_TINY */ + +#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL + void gift128b_encrypt (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { uint32_t s0, s1, s2, s3; + uint32_t k[20]; /* Copy the plaintext into the state buffer and convert from big endian */ s0 = be_load_word32(input); 
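Review bot: The tiny-variant `gift128b_init`/`gift128n_init` comment "Mirror the fixslicing word order of 3, 1, 2, 0" does not say what a reader of this file needs: the bitsliced rounds added later in this diff load `w0 = ks->k[3]`, `w1 = ks->k[1]`, `w2 = ks->k[2]`, `w3 = ks->k[0]`, so the layout contract between init and encrypt lives in two places joined only by that phrase. A comment such as `/* Stored so the bitsliced rounds read w0..w3 from k[3], k[1], k[2], k[0], i.e. w0 = key[0..3] ... w3 = key[12..15] big-endian */` on gift128b_init (and the little-endian, reversed-word equivalent on gift128n_init) would make it checkable. Separately, `#endif /* GIFT128_VARIANT_TINY */` closes the `#if GIFT128_VARIANT != GIFT128_VARIANT_TINY` opened in the previous hunk, so the label reads as the opposite of the condition; `#endif /* GIFT128_VARIANT != GIFT128_VARIANT_TINY */` would be accurate.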
@@ -534,14 +810,20 @@ void gift128b_encrypt s3 = be_load_word32(input + 12); /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); /* Pack the state into the ciphertext buffer in big endian */ be_store_word32(output, s0); @@ -555,6 +837,7 @@ void gift128b_encrypt_preloaded const uint32_t input[4]) { uint32_t s0, s1, s2, s3; + uint32_t k[20]; /* Copy the plaintext into local variables */ s0 = input[0]; 
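Review bot: The small-variant `gift128b_encrypt` derives rounds 11..40 in place with `gift128b_derive_keys(k, k)` and `gift128b_derive_keys(k + 10, k + 10)`; that is only correct if gift128b_derive_keys reads every source word before it overwrites the matching destination word, which nothing here states — the full-variant caller only ever used distinct buffers (`ks->k + index` from `ks->k + index - 20`), and the function itself is outside this chunk. A note on its definition, `/* source and destination may alias element-for-element */`, or a known-answer check of the small variant against the full one would pin that down. The same in-place pattern is repeated in the `gift128b_encrypt_preloaded` hunk (`@@ -563,14 +846,20 @@`) and the small-variant `gift128t_encrypt` hunk (`@@ -579,7 +868,55 @@`). In all three the 80-byte `k[20]` array holds expanded round-key material and is left on the stack on return; if the library has a cleanse helper it belongs before each return, bearing in mind that a plain `memset` at the end of a function is commonly optimised away.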
@@ -563,14 +846,20 @@ void gift128b_encrypt_preloaded s3 = input[3]; /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); /* Pack the state into the ciphertext buffer */ output[0] = s0; 
@@ -579,7 +868,55 @@ void gift128b_encrypt_preloaded output[3] = s3; } -void gift128b_decrypt +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint32_t tweak) +{ + uint32_t s0, s1, s2, s3; + uint32_t k[20]; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL + +void gift128b_encrypt (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { 
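Review bot: `gift128t_encrypt` now takes `uint32_t tweak` and XORs it into `s0` unchanged, while the `GIFT128_tweaks[16]` table that previously expanded the 4-bit tweak into that word is deleted later in this diff; nothing at the function says the caller is now responsible for that expansion. A line in its doc comment such as `\param tweak The 32-bit expanded tweak word; it is XORed into the state as given, the 4-bit value is not expanded here.` would make the new contract visible to callers. The tiny variant added further down applies the tweak inside the round loop with `((round + 1) % 5) == 0 && round < 39`, so the two schedules should be kept equivalent by a shared test vector rather than by reading the two functions side by side.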
@@ -592,14 +929,14 @@ void gift128b_decrypt s3 = be_load_word32(input + 12); /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); /* Pack the state into the ciphertext buffer in big endian */ be_store_word32(output, s0); 
@@ -608,173 +945,308 @@ void gift128b_decrypt be_store_word32(output + 12, s3); } -int gift128n_init - (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { - /* Use the little-endian key byte order from the HYENA submission */ - if (!ks || !key || key_len != 16) - return 0; - gift128b_compute_round_keys - (ks, le_load_word32(key + 12), le_load_word32(key + 8), - le_load_word32(key + 4), le_load_word32(key)); - return 1; + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; } -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint32_t tweak) +{ + uint32_t s0, s1, s2, s3; -/** - * \brief Converts the GIFT-128 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. 
- * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift128n_to_words - (unsigned char *output, const unsigned char *input) + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +#else /* GIFT128_VARIANT_TINY */ + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input buffer into 32-bit words. We use the nibble order - * from the HYENA submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 12); - s1 = le_load_word32(input + 8); - s2 = le_load_word32(input + 4); - s3 = le_load_word32(input); + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". - */ - #define PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - PERM_WORDS(s0); - PERM_WORDS(s1); - PERM_WORDS(s2); - PERM_WORDS(s3); + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Rearrange the bytes and write them to the output buffer */ - output[0] = (uint8_t)s0; - output[1] = 
(uint8_t)s1; - output[2] = (uint8_t)s2; - output[3] = (uint8_t)s3; - output[4] = (uint8_t)(s0 >> 8); - output[5] = (uint8_t)(s1 >> 8); - output[6] = (uint8_t)(s2 >> 8); - output[7] = (uint8_t)(s3 >> 8); - output[8] = (uint8_t)(s0 >> 16); - output[9] = (uint8_t)(s1 >> 16); - output[10] = (uint8_t)(s2 >> 16); - output[11] = (uint8_t)(s3 >> 16); - output[12] = (uint8_t)(s0 >> 24); - output[13] = (uint8_t)(s1 >> 24); - output[14] = (uint8_t)(s2 >> 24); - output[15] = (uint8_t)(s3 >> 24); + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); } -/** - * \brief Converts the GIFT-128 word-based representation into nibble-based. - * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. - */ -static void gift128n_to_nibbles - (unsigned char *output, const unsigned char *input) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input bytes and rearrange them so that s0 contains the - * most significant nibbles and s3 contains the least significant */ - s0 = (((uint32_t)(input[12])) << 24) | - (((uint32_t)(input[8])) << 16) | - (((uint32_t)(input[4])) << 8) | - ((uint32_t)(input[0])); - s1 = (((uint32_t)(input[13])) << 24) | - (((uint32_t)(input[9])) << 16) | - (((uint32_t)(input[5])) << 8) | - ((uint32_t)(input[1])); - s2 = (((uint32_t)(input[14])) << 24) | - (((uint32_t)(input[10])) << 16) | - (((uint32_t)(input[6])) << 8) | - ((uint32_t)(input[2])); - s3 = (((uint32_t)(input[15])) << 24) | - (((uint32_t)(input[11])) << 16) | - (((uint32_t)(input[7])) << 8) | - ((uint32_t)(input[3])); + /* Copy the plaintext into the state buffer */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; 
+ s3 = input[3];
- /* Apply the inverse of PERM_WORDS() from the function above */
- #define INV_PERM_WORDS(_x) \
- do { \
- uint32_t x = (_x); \
- bit_permute_step(x, 0x00aa00aa, 7); \
- bit_permute_step(x, 0x0000cccc, 14); \
- bit_permute_step(x, 0x00f000f0, 4); \
- bit_permute_step(x, 0x0000ff00, 8); \
- (_x) = x; \
- } while (0)
- INV_PERM_WORDS(s0);
- INV_PERM_WORDS(s1);
- INV_PERM_WORDS(s2);
- INV_PERM_WORDS(s3);
+ /* The key schedule is initialized with the key itself */
+ w0 = ks->k[3];
+ w1 = ks->k[1];
+ w2 = ks->k[2];
+ w3 = ks->k[0];
+
+ /* Perform all 40 rounds */
+ for (round = 0; round < 40; ++round) {
+ /* SubCells - apply the S-box */
+ s1 ^= s0 & s2;
+ s0 ^= s1 & s3;
+ s2 ^= s0 | s1;
+ s3 ^= s2;
+ s1 ^= s3;
+ s3 ^= 0xFFFFFFFFU;
+ s2 ^= s0 & s1;
+ temp = s0;
+ s0 = s3;
+ s3 = temp;
+
+ /* PermBits - apply the 128-bit permutation */
+ PERM0(s0);
+ PERM1(s1);
+ PERM2(s2);
+ PERM3(s3);
+
+ /* AddRoundKey - XOR in the key schedule and the round constant */
+ s2 ^= w1;
+ s1 ^= w3;
+ s3 ^= 0x80000000U ^ GIFT128_RC[round];
+
+ /* Rotate the key schedule */
+ temp = w3;
+ w3 = w2;
+ w2 = w1;
+ w1 = w0;
+ w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
+ ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
+ }
- /* Store the result into the output buffer as 32-bit words */
- le_store_word32(output + 12, s0);
- le_store_word32(output + 8, s1);
- le_store_word32(output + 4, s2);
- le_store_word32(output, s3);
+ /* Pack the state into the ciphertext buffer */
+ output[0] = s0;
+ output[1] = s1;
+ output[2] = s2;
+ output[3] = s3;
 }
-void gift128n_encrypt
+void gift128t_encrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
+ const unsigned char *input, uint32_t tweak)
 {
+ uint32_t s0, s1, s2, s3;
+ uint32_t w0, w1, w2, w3;
+ uint32_t temp;
+ uint8_t round;
+
+ /* Copy the plaintext into the state buffer and convert from nibbles */
 gift128n_to_words(output, input);
- gift128b_encrypt(ks, output, output);
+ s0 = be_load_word32(output);
+ s1 = be_load_word32(output + 4);
+ s2 = be_load_word32(output + 8);
+ s3 = be_load_word32(output + 12);
+
+ /* The key schedule is initialized with the key itself */
+ w0 = ks->k[3];
+ w1 = ks->k[1];
+ w2 = ks->k[2];
+ w3 = ks->k[0];
+
+ /* Perform all 40 rounds */
+ for (round = 0; round < 40; ++round) {
+ /* SubCells - apply the S-box */
+ s1 ^= s0 & s2;
+ s0 ^= s1 & s3;
+ s2 ^= s0 | s1;
+ s3 ^= s2;
+ s1 ^= s3;
+ s3 ^= 0xFFFFFFFFU;
+ s2 ^= s0 & s1;
+ temp = s0;
+ s0 = s3;
+ s3 = temp;
+
+ /* PermBits - apply the 128-bit permutation */
+ PERM0(s0);
+ PERM1(s1);
+ PERM2(s2);
+ PERM3(s3);
+
+ /* AddRoundKey - XOR in the key schedule and the round constant */
+ s2 ^= w1;
+ s1 ^= w3;
+ s3 ^= 0x80000000U ^ GIFT128_RC[round];
+
+ /* AddTweak - XOR in the tweak every 5 rounds except the last */
+ if (((round + 1) % 5) == 0 && round < 39)
+ s0 ^= tweak;
+
+ /* Rotate the key schedule */
+ temp = w3;
+ w3 = w2;
+ w2 = w1;
+ w1 = w0;
+ w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
+ ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
+ }
+
+ /* Pack the state into the ciphertext buffer in nibble form */
+ be_store_word32(output, s0);
+ be_store_word32(output + 4, s1);
+ be_store_word32(output + 8, s2);
+ be_store_word32(output + 12, s3);
 gift128n_to_nibbles(output, output);
 }
-void gift128n_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
+#endif /* GIFT128_VARIANT_TINY */
+
+#if GIFT128_VARIANT == GIFT128_VARIANT_FULL
+
+void gift128b_decrypt
+ (const gift128b_key_schedule_t *ks, unsigned char *output,
 const unsigned char *input)
 {
- gift128n_to_words(output, input);
- gift128b_decrypt(ks, output, output);
- gift128n_to_nibbles(output, output);
-}
+ uint32_t s0, s1, s2, s3;
-/* 4-bit tweak values expanded to 32-bit */
-static uint32_t const GIFT128_tweaks[16] = {
- 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333,
- 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787,
- 0x78787878, 0x99999999, 0xaaaaaaaa, 0x4b4b4b4b,
- 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff
-};
+ /* Copy the plaintext into the state buffer and convert from big endian */
+ s0 = be_load_word32(input);
+ s1 = be_load_word32(input + 4);
+ s2 = be_load_word32(input + 8);
+ s3 = be_load_word32(input + 12);
-void gift128t_encrypt
+ /* Perform all 40 rounds five at a time using the fixsliced method */
+ gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
+ gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
+ gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
+ gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
+ gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
+ gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
+ gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
+
+ /* Pack the state into the ciphertext buffer in big endian */
+ be_store_word32(output, s0);
+ be_store_word32(output + 4, s1);
+ be_store_word32(output + 8, s2);
+ be_store_word32(output + 12, s3);
+}
+
+void gift128t_decrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, unsigned char tweak)
+ const unsigned char *input, uint32_t tweak)
 {
- uint32_t s0, s1, s2, s3, tword;
+ uint32_t s0, s1, s2, s3;
- /* Copy the plaintext into the state buffer and convert from nibbles */
+ /* Copy the ciphertext into the state buffer and convert from nibbles */
 gift128n_to_words(output, input);
 s0 = be_load_word32(output);
 s1 = be_load_word32(output + 4);
@@ -782,25 +1254,24 @@ void gift128t_encrypt
 s3 = be_load_word32(output + 12);
 /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the last we add the tweak value to the state */
- tword = GIFT128_tweaks[tweak];
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
+ * Every 5 rounds except the first we add the tweak value to the state */
+ gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- /* Pack the state into the ciphertext buffer in nibble form */
+ /* Pack the state into the plaintext buffer in nibble form */
 be_store_word32(output, s0);
 be_store_word32(output + 4, s1);
 be_store_word32(output + 8, s2);
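Review bot: The comment `* Every 5 rounds except the first we add the tweak value to the state */` is easy to misread against the code below it, which skips the tweak only after its own last call, `gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);` — "first" is meant in encryption order. Suggest `* Every 5 rounds except the last group processed here (the first 5 rounds in encryption order) we add the tweak value to the state */`. The `s0 ^= tweak;` lines now use the caller's 32-bit value directly instead of the former `GIFT128_tweaks[tweak]` lookup, so any uint32_t is accepted as-is; the GIFT128T_TWEAK_* constants in the header are the intended inputs. gift128t_decrypt's body starts and ends outside this hunk.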
@@ -808,37 +1279,211 @@ void gift128t_encrypt
 gift128n_to_nibbles(output, output);
 }
+#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */
+
+/* The small variant uses fixslicing for encryption, but we need to change
+ * to bitslicing for decryption because of the difficulty of fast-forwarding
+ * the fixsliced key schedule to the end. So the tiny variant is used for
+ * decryption when the small variant is selected. Since the NIST AEAD modes
+ * for GIFT-128 only use the block encrypt operation, the inefficiencies
+ * in decryption don't matter all that much */
+
+/**
+ * \def gift128b_load_and_forward_schedule()
+ * \brief Generate the decryption key at the end of the last round.
+ *
+ * To do that, we run the block operation forward to determine the
+ * final state of the key schedule after the last round:
+ *
+ * w0 = ks->k[0];
+ * w1 = ks->k[1];
+ * w2 = ks->k[2];
+ * w3 = ks->k[3];
+ * for (round = 0; round < 40; ++round) {
+ * temp = w3;
+ * w3 = w2;
+ * w2 = w1;
+ * w1 = w0;
+ * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
+ * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
+ * }
+ *
+ * We can short-cut all of the above by noticing that we don't need
+ * to do the word rotations. Every 4 rounds, the rotation alignment
+ * returns to the original position and each word has been rotated
+ * by applying the "2 right and 4 left" bit-rotation step to it.
+ * We then repeat that 10 times for the full 40 rounds. The overall
+ * effect is to apply a "20 right and 40 left" bit-rotation to every
+ * word in the key schedule. That is equivalent to "4 right and 8 left"
+ * on the 16-bit sub-words.
+ */
+#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL
+#define gift128b_load_and_forward_schedule() \
+ do { \
+ w0 = ks->k[3]; \
+ w1 = ks->k[1]; \
+ w2 = ks->k[2]; \
+ w3 = ks->k[0]; \
+ w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \
+ ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \
+ w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \
+ ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \
+ w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \
+ ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \
+ w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \
+ ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \
+ } while (0)
+#else
+/* The small variant needs to also undo some of the rotations that were
+ * done to generate the fixsliced version of the key schedule */
+#define gift128b_load_and_forward_schedule() \
+ do { \
+ w0 = ks->k[3]; \
+ w1 = ks->k[1]; \
+ w2 = ks->k[2]; \
+ w3 = ks->k[0]; \
+ gift128b_swap_move(w3, w3, 0x000000FFU, 24); \
+ gift128b_swap_move(w3, w3, 0x00003333U, 18); \
+ gift128b_swap_move(w3, w3, 0x000F000FU, 12); \
+ gift128b_swap_move(w3, w3, 0x00550055U, 9); \
+ gift128b_swap_move(w1, w1, 0x000000FFU, 24); \
+ gift128b_swap_move(w1, w1, 0x00003333U, 18); \
+ gift128b_swap_move(w1, w1, 0x000F000FU, 12); \
+ gift128b_swap_move(w1, w1, 0x00550055U, 9); \
+ gift128b_swap_move(w2, w2, 0x000000FFU, 24); \
+ gift128b_swap_move(w2, w2, 0x000F000FU, 12); \
+ gift128b_swap_move(w2, w2, 0x03030303U, 6); \
+ gift128b_swap_move(w2, w2, 0x11111111U, 3); \
+ gift128b_swap_move(w0, w0, 0x000000FFU, 24); \
+ gift128b_swap_move(w0, w0, 0x000F000FU, 12); \
+ gift128b_swap_move(w0, w0, 0x03030303U, 6); \
+ gift128b_swap_move(w0, w0, 0x11111111U, 3); \
+ w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \
+ ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \
+ w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \
+ ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \
+ w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \
+ ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \
+ w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \
+ ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \
+ } while (0)
+#endif
+
+void gift128b_decrypt
+ (const gift128b_key_schedule_t *ks, unsigned char *output,
+ const unsigned char *input)
+{
+ uint32_t s0, s1, s2, s3;
+ uint32_t w0, w1, w2, w3;
+ uint32_t temp;
+ uint8_t round;
+
+ /* Copy the ciphertext into the state buffer and convert from big endian */
+ s0 = be_load_word32(input);
+ s1 = be_load_word32(input + 4);
+ s2 = be_load_word32(input + 8);
+ s3 = be_load_word32(input + 12);
+
+ /* Generate the decryption key at the end of the last round */
+ gift128b_load_and_forward_schedule();
+
+ /* Perform all 40 rounds */
+ for (round = 40; round > 0; --round) {
+ /* Rotate the key schedule backwards */
+ temp = w0;
+ w0 = w1;
+ w1 = w2;
+ w2 = w3;
+ w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) |
+ ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12);
+
+ /* AddRoundKey - XOR in the key schedule and the round constant */
+ s2 ^= w1;
+ s1 ^= w3;
+ s3 ^= 0x80000000U ^ GIFT128_RC[round - 1];
+
+ /* InvPermBits - apply the inverse of the 128-bit permutation */
+ INV_PERM0(s0);
+ INV_PERM1(s1);
+ INV_PERM2(s2);
+ INV_PERM3(s3);
+
+ /* InvSubCells - apply the inverse of the S-box */
+ temp = s0;
+ s0 = s3;
+ s3 = temp;
+ s2 ^= s0 & s1;
+ s3 ^= 0xFFFFFFFFU;
+ s1 ^= s3;
+ s3 ^= s2;
+ s2 ^= s0 | s1;
+ s0 ^= s1 & s3;
+ s1 ^= s0 & s2;
+ }
+
+ /* Pack the state into the plaintext buffer in big endian */
+ be_store_word32(output, s0);
+ be_store_word32(output + 4, s1);
+ be_store_word32(output + 8, s2);
+ be_store_word32(output + 12, s3);
+}
+
 void gift128t_decrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, unsigned char tweak)
+ const unsigned char *input, uint32_t tweak)
 {
- uint32_t s0, s1, s2, s3, tword;
+ uint32_t s0, s1, s2, s3;
+ uint32_t w0, w1, w2, w3;
+ uint32_t temp;
+ uint8_t round;
- /* Copy the ciphertext into the state buffer and convert from nibbles */
+ /* Copy the plaintext into the state buffer and convert from nibbles */
 gift128n_to_words(output, input);
 s0 = be_load_word32(output);
 s1 = be_load_word32(output + 4);
 s2 = be_load_word32(output + 8);
 s3 = be_load_word32(output + 12);
- /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the first we add the tweak value to the state */
- tword = GIFT128_tweaks[tweak];
- gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- s0 ^= tword;
- gift128b_decrypt_5_rounds(ks->k, GIFT128_RC);
+ /* Generate the decryption key at the end of the last round */
+ gift128b_load_and_forward_schedule();
+
+ /* Perform all 40 rounds */
+ for (round = 40; round > 0; --round) {
+ /* Rotate the key schedule backwards */
+ temp = w0;
+ w0 = w1;
+ w1 = w2;
+ w2 = w3;
+ w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) |
+ ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12);
+
+ /* AddTweak - XOR in the tweak every 5 rounds except the last */
+ if ((round % 5) == 0 && round < 40)
+ s0 ^= tweak;
+
+ /* AddRoundKey - XOR in the key schedule and the round constant */
+ s2 ^= w1;
+ s1 ^= w3;
+ s3 ^= 0x80000000U ^ GIFT128_RC[round - 1];
+
+ /* InvPermBits - apply the inverse of the 128-bit permutation */
+ INV_PERM0(s0);
+ INV_PERM1(s1);
+ INV_PERM2(s2);
+ INV_PERM3(s3);
+
+ /* InvSubCells - apply the inverse of the S-box */
+ temp = s0;
+ s0 = s3;
+ s3 = temp;
+ s2 ^= s0 & s1;
+ s3 ^= 0xFFFFFFFFU;
+ s1 ^= s3;
+ s3 ^= s2;
+ s2 ^= s0 | s1;
+ s0 ^= s1 & s3;
+ s1 ^= s0 & s2;
+ }
 /* Pack the state into the plaintext buffer in nibble form */
 be_store_word32(output, s0);
@@ -847,3 +1492,7 @@ void gift128t_decrypt
 be_store_word32(output + 12, s3);
 gift128n_to_nibbles(output, output);
 }
+
+#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */
+
+#endif /* !GIFT128_VARIANT_ASM */
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.h
index 1ac40e5..f57d143 100644
--- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.h
+++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128.h
@@ -47,11 +47,13 @@
 * in any of the NIST submissions so we don't bother with it in this library.
 *
 * References: https://eprint.iacr.org/2017/622.pdf,
+ * https://eprint.iacr.org/2020/412.pdf,
 * https://giftcipher.github.io/gift/
 */
 #include
 #include
+#include "internal-gift128-config.h"
 #ifdef __cplusplus
 extern "C" {
@@ -63,16 +65,23 @@ extern "C" {
 #define GIFT128_BLOCK_SIZE 16
 /**
- * \brief Number of round keys for the fixsliced representation of GIFT-128.
+ * \var GIFT128_ROUND_KEYS
+ * \brief Number of round keys for the GIFT-128 key schedule.
 */
+#if GIFT128_VARIANT == GIFT128_VARIANT_TINY
+#define GIFT128_ROUND_KEYS 4
+#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL
+#define GIFT128_ROUND_KEYS 20
+#else
 #define GIFT128_ROUND_KEYS 80
+#endif
 /**
 * \brief Structure of the key schedule for GIFT-128 (bit-sliced).
 */
 typedef struct
 {
- /** Pre-computed round keys in the fixsliced form */
+ /** Pre-computed round keys for bit-sliced GIFT-128 */
 uint32_t k[GIFT128_ROUND_KEYS];
 } gift128b_key_schedule_t;
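Review bot: The new comment opening gift128t_decrypt, `/* Copy the plaintext into the state buffer and convert from nibbles */`, replaces a correct one: the input of a decrypt call is the ciphertext, as the sibling gift128b_decrypt in this hunk says (`/* Copy the ciphertext into the state buffer and convert from big endian */`), so the old wording should be restored; the FULL-variant gift128b_decrypt earlier in the file has the same plaintext/ciphertext mix-up in its load and store comments. The Doxygen pseudo-code for gift128b_load_and_forward_schedule() shows `w0 = ks->k[0];` … `w3 = ks->k[3];`, but both macro bodies, like gift128t_encrypt earlier in the file, load `w0 = ks->k[3]; w1 = ks->k[1]; w2 = ks->k[2]; w3 = ks->k[0];`; the comment should use the order the code uses so the short-cut derivation can be checked against it. As a point of style, the macro assigns the caller's locals w0..w3 and reads ks implicitly; a `static inline` helper taking `const gift128b_key_schedule_t *ks, uint32_t w[4]` would be type-checked and independent of names in the calling scope. The -847 hunk that follows only closes the #if blocks.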
@@ -81,14 +90,9 @@ typedef struct
 * \brief Initializes the key schedule for GIFT-128 (bit-sliced).
 *
 * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- * \param key_len Length of the key data, which must be 16.
- *
- * \return Non-zero on success or zero if there is something wrong
- * with the parameters.
+ * \param key Points to the 16 bytes of the key data.
 */
-int gift128b_init
- (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len);
+void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key);
 /**
 * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced).
@@ -145,14 +149,9 @@ typedef gift128b_key_schedule_t gift128n_key_schedule_t;
 * \brief Initializes the key schedule for GIFT-128 (nibble-based).
 *
 * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- * \param key_len Length of the key data, which must be 16.
- *
- * \return Non-zero on success or zero if there is something wrong
- * with the parameters.
+ * \param key Points to the 16 bytes of the key data.
 */
-int gift128n_init
- (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len);
+void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key);
 /**
 * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based).
@@ -182,13 +181,31 @@ void gift128n_decrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
 const unsigned char *input);
+/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */
+#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */
+#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */
+#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */
+#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */
+#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */
+#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */
+#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */
+#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */
+#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */
+#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */
+#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */
+#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */
+#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */
+#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */
+#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */
+#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */
+
 /**
 * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant).
 *
 * \param ks Points to the GIFT-128 key schedule.
 * \param output Output buffer which must be at least 16 bytes in length.
 * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value.
+ * \param tweak 4-bit tweak value expanded to 32-bit.
 *
 * The \a input and \a output buffers can be the same buffer for
 * in-place encryption.
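Review bot: The new `* \param tweak 4-bit tweak value expanded to 32-bit.` line does not say where the expanded value comes from, although the GIFT128T_TWEAK_0..15 constants added just above are the intended arguments; suggest `* \param tweak 4-bit tweak value expanded to 32-bit; one of the GIFT128T_TWEAK_* constants.` so callers do not hand-expand it. The same \param line for gift128t_decrypt in the next hunk needs the same change. A minor consistency point: the new constants lack the `U` suffix that the .c file uses for its 32-bit literals (`0x80000000U`); with it they stay unsigned whatever the target's int width.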
@@ -200,7 +217,7 @@ void gift128n_decrypt
 */
 void gift128t_encrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, unsigned char tweak);
+ const unsigned char *input, uint32_t tweak);
 /**
 * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant).
@@ -208,7 +225,7 @@ void gift128t_encrypt
 * \param ks Points to the GIFT-128 key schedule.
 * \param output Output buffer which must be at least 16 bytes in length.
 * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value.
+ * \param tweak 4-bit tweak value expanded to 32-bit.
 *
 * The \a input and \a output buffers can be the same buffer for
 * in-place encryption.
@@ -220,7 +237,7 @@ void gift128t_encrypt
 */
 void gift128t_decrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, unsigned char tweak);
+ const unsigned char *input, uint32_t tweak);
 #ifdef __cplusplus
 }
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128b-full-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128b-full-avr.S
new file mode 100644
index 0000000..ff11875
--- /dev/null
+++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128b-full-avr.S
@@ -0,0 +1,5037 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + +#include "internal-gift128-config.h" + +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 160 +table_0: + .byte 8 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 128 + .byte 1 + .byte 128 + .byte 2 + .byte 0 + .byte 0 + .byte 84 + .byte 129 + .byte 1 + .byte 1 + .byte 1 + .byte 31 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 136 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 81 + .byte 128 + .byte 1 + .byte 3 + .byte 3 + .byte 47 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 96 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 65 + .byte 128 + .byte 0 + .byte 3 + .byte 3 + .byte 39 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 64 + .byte 2 + .byte 0 + .byte 80 + .byte 17 + .byte 128 + .byte 1 + .byte 2 + .byte 3 + .byte 43 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 8 + .byte 8 + .byte 16 + .byte 0 + .byte 64 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 64 + .byte 1 + .byte 128 + .byte 0 + .byte 2 + .byte 2 + .byte 33 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 192 + .byte 1 + .byte 0 + .byte 2 + .byte 0 + .byte 0 + .byte 81 + .byte 128 + .byte 1 + .byte 1 + .byte 3 + .byte 46 + .byte 0 + .byte 0 + .byte 128 + .byte 0 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 32 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 64 + .byte 128 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 0 + .byte 0 + .byte 128 + .byte 8 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 160 + .byte 1 + .byte 192 + .byte 2 + .byte 0 + .byte 80 + .byte 20 + .byte 129 + .byte 1 + .byte 2 + .byte 1 + .byte 26 + .byte 0 + .byte 0 + .byte 128 + 
+ .text +.global gift128b_init + .type gift128b_init, @function +gift128b_init: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 + movw r26,r22 +.L__stack_usage = 18 + ld r13,X+ + ld r12,X+ + ld r11,X+ + ld r10,X+ + ld r5,X+ + ld r4,X+ + ld r3,X+ + ld r2,X+ + ld r9,X+ + ld r8,X+ + ld r7,X+ + ld r6,X+ + ld r29,X+ + ld r28,X+ + ld r23,X+ + ld r22,X+ + st Z+,r22 + st Z+,r23 + st Z+,r28 + st Z+,r29 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + ldi r24,4 +33: + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r29 + ror r28 + ror r0 + lsr r29 + ror r28 + ror r0 + or r29,r0 + st Z+,r22 + st Z+,r23 + st Z+,r28 + st Z+,r29 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r28 + mov r28,r4 + mov r4,r0 + mov r0,r29 + mov r29,r5 + mov r5,r0 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + mov r0,r6 + mov r6,r10 + mov r10,r0 + mov r0,r7 + mov r7,r11 + mov r11,r0 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + dec r24 + breq 5115f + rjmp 33b +5115: + subi r30,80 + sbc r31,r1 + ldi r24,2 +119: + ld r22,Z + ldd r23,Z+1 + ldd r28,Z+2 + ldd r29,Z+3 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor 
r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + st Z,r29 + std Z+1,r23 + std Z+2,r28 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r28,Z+6 + ldd r29,Z+7 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror 
r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+4,r29 + std Z+5,r23 + std Z+6,r28 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r28,Z+10 + ldd r29,Z+11 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + 
ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+8,r29 + std Z+9,r23 + std Z+10,r28 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r28,Z+14 + ldd r29,Z+15 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 
+ eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+12,r29 + std Z+13,r23 + std Z+14,r28 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r28,Z+18 + ldd r29,Z+19 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + 
mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+16,r29 + std Z+17,r23 + std Z+18,r28 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r28,Z+22 + ldd r29,Z+23 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+20,r29 + std Z+21,r23 + std Z+22,r28 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r28,Z+26 + ldd r29,Z+27 + movw r18,r22 + 
movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+24,r29 + std Z+25,r23 + std Z+26,r28 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r28,Z+30 + ldd r29,Z+31 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor 
r20,r28 + eor r21,r29 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+28,r29 + std Z+29,r23 + std Z+30,r28 + std Z+31,r22 + dec r24 + breq 1268f + adiw r30,40 + rjmp 119b +1268: + adiw r30,40 + movw r26,r30 + subi r26,80 + sbc r27,r1 + ldi r24,6 +1274: + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + movw r18,r2 + movw r20,r4 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r2 + eor r19,r3 + andi r18,51 + andi r19,51 + eor r2,r18 + eor r3,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + 
mov r18,r1 + mov r19,r1 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + movw r18,r2 + movw r20,r4 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + st Z,r2 + std Z+1,r3 + std Z+2,r4 + std Z+3,r5 + movw r18,r22 + movw r20,r28 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + andi r28,204 + andi r29,204 + or r28,r21 + or r29,r18 + or r22,r19 + or r23,r20 + movw r18,r28 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r28 + eor r19,r29 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r28,r18 + eor r29,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r28,r18 + eor r29,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r28 + std Z+5,r29 + std Z+6,r22 + std Z+7,r23 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + swap r3 + lsl r4 + adc r4,r1 + lsl r4 + adc r4,r1 + swap r5 + std Z+8,r2 + std Z+9,r3 + std Z+10,r4 + std Z+11,r5 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r28 + adc r28,r1 + lsl r28 + adc r28,r1 + lsl r28 + adc r28,r1 + lsl r29 + adc r29,r1 + lsl r29 + adc r29,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r28 + std Z+15,r29 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + movw r18,r2 + movw r20,r4 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + ldi r25,85 + and r2,r25 + and r3,r25 + and r4,r25 + and r5,r25 + or r2,r19 + or r3,r20 + or r4,r21 + or r5,r18 + std Z+16,r4 + std Z+17,r5 + std Z+18,r2 + std Z+19,r3 + movw r18,r22 + movw r20,r28 + andi r18,85 + andi r19,85 + andi r20,85 + andi 
r21,85 + andi r22,170 + andi r23,170 + andi r28,170 + andi r29,170 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + or r22,r18 + or r23,r19 + or r28,r20 + or r29,r21 + std Z+20,r29 + std Z+21,r22 + std Z+22,r23 + std Z+23,r28 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + movw r18,r2 + movw r20,r4 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + movw r18,r2 + movw r20,r4 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r14,r18 + movw r16,r20 + lsr r17 + ror r16 + ror r15 + ror r14 + lsr r17 + ror r16 + ror r15 + ror r14 + lsr r17 + ror r16 + ror r15 + ror r14 + lsr r17 + ror r16 + ror r15 + ror r14 + eor r14,r18 + eor r15,r19 + eor r16,r20 + eor r17,r21 + ldi r25,8 + and r14,r25 + and r15,r25 + andi r16,8 + andi r17,8 + eor r18,r14 + eor r19,r15 + eor r20,r16 + eor r21,r17 + lsl r14 + rol r15 + rol r16 + rol r17 + lsl r14 + rol r15 + rol r16 + rol r17 + lsl r14 + rol r15 + rol r16 + rol r17 + lsl r14 + rol r15 + rol r16 + rol r17 + eor r18,r14 + eor r19,r15 + eor r20,r16 + eor r21,r17 + ldi r17,15 + and r2,r17 + and r3,r17 + and r4,r17 + and r5,r17 + or r2,r18 + or r3,r19 + or r4,r20 + or r5,r21 + std Z+24,r2 + std Z+25,r3 + std Z+26,r4 + std Z+27,r5 + movw r18,r28 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r2,r22 + movw r4,r28 + ldi r16,1 + and r2,r16 + and r3,r16 + and r4,r16 + and r5,r16 + lsl r2 + rol r3 + rol r4 + rol r5 + lsl r2 + rol r3 + rol r4 + 
rol r5 + lsl r2 + rol r3 + rol r4 + rol r5 + or r2,r18 + or r3,r19 + movw r18,r28 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r2,r18 + or r3,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r4,r18 + or r5,r19 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r2,r18 + or r3,r19 + or r4,r20 + or r5,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r4,r22 + or r5,r23 + std Z+28,r2 + std Z+29,r3 + std Z+30,r4 + std Z+31,r5 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + mov r0,r1 + lsr r5 + ror r4 + ror r0 + lsr r5 + ror r4 + ror r0 + lsr r5 + ror r4 + ror r0 + lsr r5 + ror r4 + ror r0 + or r5,r0 + std Z+32,r3 + std Z+33,r2 + std Z+34,r4 + std Z+35,r5 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r28 + mov r28,r29 + mov r29,r0 + lsl r28 + rol r29 + adc r28,r1 + lsl r28 + rol r29 + adc r28,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r28 + std Z+39,r29 + dec r24 + breq 1733f + adiw r30,40 + rjmp 1274b +1733: + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_init, .-gift128b_init + + .text +.global gift128b_encrypt + .type gift128b_encrypt, @function +gift128b_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e +.L__stack_usage = 19 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld 
r13,X+ + ld r12,X+ + movw r26,r30 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rjmp 765f +27: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror 
r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + 
ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 
+ and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + 
mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov 
r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +765: +#if defined(RAMPZ) 
+ pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+1 + ldd r27,Y+2 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + pop r0 + pop r0 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt, .-gift128b_encrypt + + .text +.global gift128b_encrypt_preloaded + .type gift128b_encrypt_preloaded, @function +gift128b_encrypt_preloaded: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e +.L__stack_usage = 19 + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + ld r14,X+ + ld r15,X+ + movw r26,r30 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rjmp 765f +27: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov 
r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z 
+#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld 
r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + 
ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + 
eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +765: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+1 + ldd r27,Y+2 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + st X+,r12 + st X+,r13 + st X+,r14 + st X+,r15 + pop r0 + pop r0 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded + + .text +.global gift128b_decrypt + .type gift128b_decrypt, @function +gift128b_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e +.L__stack_usage = 19 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld 
r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + movw r26,r30 + subi r26,192 + sbci r27,254 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,160 + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rjmp 768f +30: + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov r0,r12 + mov r12,r13 + mov r13,r14 + mov r14,r15 + mov r15,r0 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 
+ eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r1 + lsr r22 + ror r0 + lsr r22 + ror r0 + or r22,r0 + mov r0,r1 + lsr r23 + ror r0 + lsr r23 + ror r0 + or r23,r0 + mov r0,r1 + lsr r2 + ror r0 + lsr r2 + ror r0 + or r2,r0 + mov r0,r1 + lsr r3 + ror r0 + lsr r3 + ror r0 + or r3,r0 + swap r4 + swap r5 + swap r6 + swap r7 + lsl r8 + adc r8,r1 + lsl r8 + adc r8,r1 + lsl r9 + adc r9,r1 + lsl r9 + adc r9,r1 + lsl r10 + adc r10,r1 + lsl r10 + adc r10,r1 + lsl r11 + adc r11,r1 + lsl r11 + adc r11,r1 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + com r22 + 
com r23 + com r2 + com r3 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + 
rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor 
r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + com r22 + com r23 + com r2 + com r3 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z 
+#else + lpm + mov r18,r0 +#endif + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,119 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r15 + ror r14 + ror r13 + ror r12 + lsr r15 + ror r14 + ror r13 + ror r12 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,17 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor 
r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + ret +768: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+1 + ldd r27,Y+2 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + pop r0 + pop r0 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_decrypt, .-gift128b_decrypt + +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128b-small-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128b-small-avr.S new file mode 100644 index 0000000..77ef9fd --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128b-small-avr.S 
@@ -0,0 +1,6053 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + +#include "internal-gift128-config.h" + +#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 160 +table_0: + .byte 8 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 128 + .byte 1 + .byte 128 + .byte 2 + .byte 0 + .byte 0 + .byte 84 + .byte 129 + .byte 1 + .byte 1 + .byte 1 + .byte 31 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 136 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 81 + .byte 128 + .byte 1 + .byte 3 + .byte 3 + .byte 47 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 96 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 65 + .byte 128 + .byte 0 + .byte 3 + .byte 3 + .byte 39 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 64 + .byte 2 + .byte 0 + .byte 80 + .byte 17 + .byte 128 + .byte 1 + .byte 2 + .byte 3 + .byte 43 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 8 + .byte 8 + .byte 16 + .byte 0 + .byte 64 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 64 + .byte 1 + .byte 128 + .byte 0 + .byte 2 + .byte 2 + .byte 33 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 192 + .byte 1 + .byte 0 + .byte 2 + .byte 0 + .byte 0 + .byte 81 + .byte 128 + .byte 1 + .byte 1 + .byte 3 + .byte 46 + .byte 0 + .byte 0 + .byte 128 + .byte 0 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 32 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 64 + .byte 128 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 0 + .byte 0 + .byte 128 + .byte 8 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 160 + .byte 1 + .byte 192 + .byte 2 + .byte 0 + .byte 80 + .byte 20 + .byte 129 + .byte 1 + .byte 2 + .byte 1 + .byte 26 + .byte 0 + .byte 0 + .byte 128 + 
+ .text +.global gift128b_init + .type gift128b_init, @function +gift128b_init: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + movw r30,r24 + movw r26,r22 +.L__stack_usage = 16 + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + ldi r24,4 +33: + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + mov r0,r22 + mov r22,r4 + mov r4,r0 + mov r0,r23 + mov r23,r5 + mov r5,r0 + mov r0,r2 + mov r2,r6 + mov r6,r0 + mov r0,r3 + mov r3,r7 + mov r7,r0 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + mov r0,r10 + mov r10,r14 + mov r14,r0 + mov r0,r11 + mov r11,r15 + mov r15,r0 + dec r24 + breq 5115f + rjmp 33b +5115: + subi r30,80 + sbc r31,r1 + ldi r24,2 +119: + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 
+ mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + st Z,r3 + std Z+1,r23 + std Z+2,r2 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 
+ ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+4,r3 + std Z+5,r23 + std Z+6,r2 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 
+ mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+8,r3 + std Z+9,r23 + std Z+10,r2 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 
+ lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+12,r3 + std Z+13,r23 + std Z+14,r2 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol 
r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r3 + std Z+17,r23 + std Z+18,r2 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+20,r3 + std Z+21,r23 + std Z+22,r2 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + 
eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+24,r3 + std Z+25,r23 + std Z+26,r2 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r2,Z+30 + ldd r3,Z+31 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 
+ rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+28,r3 + std Z+29,r23 + std Z+30,r2 + std Z+31,r22 + dec r24 + breq 1268f + adiw r30,40 + rjmp 119b +1268: + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size gift128b_init, .-gift128b_init + + .text +.global gift128b_encrypt + .type gift128b_encrypt, @function +gift128b_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in 
r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ldi r24,20 +1: + ld r22,Z+ + ld r23,Z+ + ld r2,Z+ + ld r3,Z+ + std Y+1,r22 + std Y+2,r23 + std Y+3,r2 + std Y+4,r3 + adiw r28,4 + dec r24 + brne 1b + subi r28,80 + sbc r29,r1 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out 
_SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 73f + rcall 73f + rjmp 1285f +73: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 
+ andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov 
r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + 
and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov 
r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + 
eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + 
eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +811: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc r26,r1 + lsl r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc 
r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + 
lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +1285: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc 
r29,r1 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt, .-gift128b_encrypt + + .text +.global gift128b_encrypt_preloaded + .type gift128b_encrypt_preloaded, @function +gift128b_encrypt_preloaded: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ldi r24,20 +1: + ld r22,Z+ + ld r23,Z+ + ld r2,Z+ + ld r3,Z+ + std Y+1,r22 + std Y+2,r23 + std Y+3,r2 + std Y+4,r3 + adiw r28,4 + dec r24 + brne 1b + subi r28,80 + sbc r29,r1 + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + ld r14,X+ + ld r15,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if 
defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 73f + rcall 73f + rjmp 1285f +73: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and 
r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + 
eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif 
defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor 
r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + 
lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + 
ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +811: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and 
r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc r26,r1 + lsl r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw 
r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or 
r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +1285: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc r29,r1 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + st X+,r12 + st X+,r13 + st X+,r14 + st X+,r15 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 40 +table_1: + .byte 1 + .byte 3 + .byte 7 + .byte 15 + .byte 31 + .byte 62 + .byte 61 + .byte 59 + .byte 55 + .byte 47 + .byte 30 + .byte 60 + .byte 57 + .byte 51 + .byte 39 + .byte 14 + .byte 29 + .byte 58 + .byte 53 + .byte 43 + .byte 22 + .byte 44 + .byte 24 + .byte 48 + .byte 33 + .byte 2 + .byte 5 + .byte 11 + .byte 23 + .byte 46 + .byte 28 + .byte 56 + .byte 49 + .byte 35 + .byte 6 + .byte 13 + .byte 27 + .byte 54 + .byte 45 + 
.byte 26 + + .text +.global gift128b_decrypt + .type gift128b_decrypt, @function +gift128b_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 35 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor 
r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + 
mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Z+8 + ldd r27,Z+9 + ldd r24,Z+10 + ldd r25,Z+11 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw 
r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ld r26,Z + ldd r27,Z+1 + ldd r24,Z+2 + ldd r25,Z+3 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + 
mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r17,hh8(table_1) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif + ldi r16,40 +678: + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + std Y+13,r26 + std Y+14,r27 + std Y+15,r24 + std Y+16,r25 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r24,Y+3 + ldd r25,Y+4 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + ldd r0,Y+13 + eor r8,r0 + ldd r0,Y+14 + eor r9,r0 + ldd r0,Y+15 + eor r10,r0 + ldd r0,Y+16 + eor r11,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Y+5 + ldd r27,Y+6 + ldd r24,Y+7 + ldd r25,Y+8 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + ldd r0,Y+1 + eor r8,r0 + ldd r0,Y+2 + eor r9,r0 + ldd r0,Y+3 + eor r10,r0 + ldd r0,Y+4 + eor r11,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Y+9 + ldd r27,Y+10 + ldd r24,Y+11 + ldd r25,Y+12 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 
+ adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r24,Y+15 + ldd r25,Y+16 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + cpse r16,r1 + rjmp 678b + rjmp 1175f +830: + eor r4,r26 + eor r5,r27 + eor r6,r24 + eor r7,r25 + ldi r18,128 + eor r15,r18 + dec r16 + mov r30,r16 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + bst r22,1 + bld r0,0 + bst r3,0 + bld r22,1 + bst r22,6 + bld r3,0 + bst r2,1 + bld r22,6 + bst r3,4 + bld r2,1 + bst r22,7 + bld r3,4 + bst r23,1 + bld r22,7 + bst r3,2 + bld r23,1 + bst r2,6 + bld r3,2 + bst r2,5 + bld r2,6 + bst r3,5 + bld r2,5 + bst r3,7 + bld r3,5 + bst r23,7 + bld r3,7 + bst r23,3 + bld r23,7 + bst r23,2 + bld r23,3 + bst r2,2 + bld r23,2 + bst r2,4 + bld r2,2 + bst r22,5 + bld r2,4 + bst r3,1 + bld r22,5 + bst r3,6 + bld r3,1 + bst r2,7 + bld r3,6 + bst r23,5 + bld r2,7 + bst r3,3 + bld r23,5 + bst r23,6 + bld r3,3 + bst r2,3 + bld r23,6 + bst r23,4 + bld r2,3 + bst r22,3 + bld r23,4 + bst r23,0 + bld r22,3 + bst r22,2 + bld r23,0 + bst r2,0 + bld r22,2 + bst r22,4 + bld r2,0 + bst r0,0 + bld r22,4 + bst r4,0 + bld r0,0 + bst r5,0 + bld r4,0 + bst r5,2 + bld r5,0 + bst r7,2 + bld r5,2 + bst r7,6 + bld r7,2 + bst r7,7 + bld r7,6 + bst r6,7 + bld r7,7 + bst r6,5 + bld r6,7 + bst r4,5 + bld r6,5 + bst r4,1 + bld r4,5 + bst r0,0 + bld r4,1 + bst r4,2 + bld r0,0 + bst r7,0 + bld r4,2 + bst r5,6 + bld r7,0 + bst r7,3 + bld r5,6 + bst r6,6 + bld r7,3 + bst r7,5 + bld r6,6 + bst r4,7 + bld r7,5 + bst r6,1 + bld r4,7 + bst r4,4 + bld r6,1 + bst r5,1 
+ bld r4,4 + bst r0,0 + bld r5,1 + bst r4,3 + bld r0,0 + bst r6,0 + bld r4,3 + bst r5,4 + bld r6,0 + bst r5,3 + bld r5,4 + bst r6,2 + bld r5,3 + bst r7,4 + bld r6,2 + bst r5,7 + bld r7,4 + bst r6,3 + bld r5,7 + bst r6,4 + bld r6,3 + bst r5,5 + bld r6,4 + bst r0,0 + bld r5,5 + bst r4,6 + bld r0,0 + bst r7,1 + bld r4,6 + bst r0,0 + bld r7,1 + bst r8,0 + bld r0,0 + bst r10,0 + bld r8,0 + bst r10,4 + bld r10,0 + bst r10,5 + bld r10,4 + bst r9,5 + bld r10,5 + bst r9,3 + bld r9,5 + bst r11,2 + bld r9,3 + bst r8,6 + bld r11,2 + bst r8,1 + bld r8,6 + bst r9,0 + bld r8,1 + bst r10,2 + bld r9,0 + bst r8,4 + bld r10,2 + bst r10,1 + bld r8,4 + bst r9,4 + bld r10,1 + bst r10,3 + bld r9,4 + bst r11,4 + bld r10,3 + bst r10,7 + bld r11,4 + bst r11,5 + bld r10,7 + bst r9,7 + bld r11,5 + bst r11,3 + bld r9,7 + bst r11,6 + bld r11,3 + bst r8,7 + bld r11,6 + bst r11,1 + bld r8,7 + bst r9,6 + bld r11,1 + bst r8,3 + bld r9,6 + bst r11,0 + bld r8,3 + bst r10,6 + bld r11,0 + bst r8,5 + bld r10,6 + bst r9,1 + bld r8,5 + bst r9,2 + bld r9,1 + bst r8,2 + bld r9,2 + bst r0,0 + bld r8,2 + bst r12,0 + bld r0,0 + bst r15,0 + bld r12,0 + bst r15,6 + bld r15,0 + bst r13,7 + bld r15,6 + bst r12,3 + bld r13,7 + bst r0,0 + bld r12,3 + bst r12,1 + bld r0,0 + bst r14,0 + bld r12,1 + bst r15,4 + bld r14,0 + bst r15,7 + bld r15,4 + bst r12,7 + bld r15,7 + bst r0,0 + bld r12,7 + bst r12,2 + bld r0,0 + bst r13,0 + bld r12,2 + bst r15,2 + bld r13,0 + bst r13,6 + bld r15,2 + bst r13,3 + bld r13,6 + bst r0,0 + bld r13,3 + bst r12,4 + bld r0,0 + bst r15,1 + bld r12,4 + bst r14,6 + bld r15,1 + bst r13,5 + bld r14,6 + bst r14,3 + bld r13,5 + bst r0,0 + bld r14,3 + bst r12,5 + bld r0,0 + bst r14,1 + bld r12,5 + bst r14,4 + bld r14,1 + bst r15,5 + bld r14,4 + bst r14,7 + bld r15,5 + bst r0,0 + bld r14,7 + bst r12,6 + bld r0,0 + bst r13,1 + bld r12,6 + bst r14,2 + bld r13,1 + bst r13,4 + bld r14,2 + bst r15,3 + bld r13,4 + bst r0,0 + bld r15,3 + movw r18,r12 + movw r20,r14 + movw r12,r22 + movw r14,r2 + movw 
r22,r18 + movw r2,r20 + and r18,r4 + and r19,r5 + and r20,r6 + and r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + ret +1175: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+17 + ldd r27,Y+18 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_decrypt, .-gift128b_decrypt + +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128b-tiny-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128b-tiny-avr.S new file mode 100644 index 0000000..e7a03f1 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-gift128b-tiny-avr.S 
@@ -0,0 +1,6766 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + +#include "internal-gift128-config.h" + +#if GIFT128_VARIANT == GIFT128_VARIANT_TINY + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 160 +table_0: + .byte 8 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 128 + .byte 1 + .byte 128 + .byte 2 + .byte 0 + .byte 0 + .byte 84 + .byte 129 + .byte 1 + .byte 1 + .byte 1 + .byte 31 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 136 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 81 + .byte 128 + .byte 1 + .byte 3 + .byte 3 + .byte 47 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 96 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 65 + .byte 128 + .byte 0 + .byte 3 + .byte 3 + .byte 39 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 64 + .byte 2 + .byte 0 + .byte 80 + .byte 17 + .byte 128 + .byte 1 + .byte 2 + .byte 3 + .byte 43 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 8 + .byte 8 + .byte 16 + .byte 0 + .byte 64 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 64 + .byte 1 + .byte 128 + .byte 0 + .byte 2 + .byte 2 + .byte 33 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 192 + .byte 1 + .byte 0 + .byte 2 + .byte 0 + .byte 0 + .byte 81 + .byte 128 + .byte 1 + .byte 1 + .byte 3 + .byte 46 + .byte 0 + .byte 0 + .byte 128 + .byte 0 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 32 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 64 + .byte 128 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 0 + .byte 0 + .byte 128 + .byte 8 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 160 + .byte 1 + .byte 192 + .byte 2 + .byte 0 + .byte 80 + .byte 20 + .byte 129 + .byte 1 + .byte 2 + .byte 1 + .byte 26 + .byte 0 + .byte 0 + .byte 128 + 
+ .text +.global gift128b_init + .type gift128b_init, @function +gift128b_init: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + movw r30,r24 + movw r26,r22 +.L__stack_usage = 16 + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + st Z,r22 + std Z+1,r23 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size gift128b_init, .-gift128b_init + + .text +.global gift128b_encrypt + .type gift128b_encrypt, @function +gift128b_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + movw r30,r28 + adiw r30,1 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + ldi r24,4 +35: + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + 
lsr r3 + ror r2 + ror r0 + or r3,r0 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + mov r0,r22 + mov r22,r4 + mov r4,r0 + mov r0,r23 + mov r23,r5 + mov r5,r0 + mov r0,r2 + mov r2,r6 + mov r6,r0 + mov r0,r3 + mov r3,r7 + mov r7,r0 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + mov r0,r10 + mov r10,r14 + mov r14,r0 + mov r0,r11 + mov r11,r15 + mov r15,r0 + dec r24 + breq 5117f + rjmp 35b +5117: + subi r30,80 + sbc r31,r1 + ldi r24,2 +121: + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 
+ lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + st Z,r3 + std Z+1,r23 + std Z+2,r2 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor 
r2,r20 + eor r3,r21 + std Z+4,r3 + std Z+5,r23 + std Z+6,r2 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+8,r3 + std Z+9,r23 + std Z+10,r2 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + movw r18,r22 + 
movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+12,r3 + std Z+13,r23 + std Z+14,r2 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + 
andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r3 + std Z+17,r23 + std Z+18,r2 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor 
r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+20,r3 + std Z+21,r23 + std Z+22,r2 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor 
r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+24,r3 + std Z+25,r23 + std Z+26,r2 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r2,Z+30 + ldd r3,Z+31 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 
+ ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+28,r3 + std Z+29,r23 + std Z+30,r2 + std Z+31,r22 + dec r24 + breq 1270f + adiw r30,40 + rjmp 121b +1270: + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in 
r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 1329f + rcall 1329f + rjmp 2541f +1329: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + 
ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 
+ com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov 
r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + 
lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + 
elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if 
defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +2067: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc r26,r1 + lsl 
r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + 
ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 + rol r3 + 
adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +2541: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc r29,r1 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt, .-gift128b_encrypt + + .text +.global gift128b_encrypt_preloaded + .type gift128b_encrypt_preloaded, @function +gift128b_encrypt_preloaded: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + movw r30,r28 + adiw r30,1 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + ldi r24,4 +35: + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r3 + 
ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + mov r0,r22 + mov r22,r4 + mov r4,r0 + mov r0,r23 + mov r23,r5 + mov r5,r0 + mov r0,r2 + mov r2,r6 + mov r6,r0 + mov r0,r3 + mov r3,r7 + mov r7,r0 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + mov r0,r10 + mov r10,r14 + mov r14,r0 + mov r0,r11 + mov r11,r15 + mov r15,r0 + dec r24 + breq 5117f + rjmp 35b +5117: + subi r30,80 + sbc r31,r1 + ldi r24,2 +121: + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov 
r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + st Z,r3 + std Z+1,r23 + std Z+2,r2 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + 
eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+4,r3 + std Z+5,r23 + std Z+6,r2 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+8,r3 + std Z+9,r23 + std Z+10,r2 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + 
movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+12,r3 + std Z+13,r23 + std Z+14,r2 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + 
andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r3 + std Z+17,r23 + std Z+18,r2 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor 
r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+20,r3 + std Z+21,r23 + std Z+22,r2 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor 
r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+24,r3 + std Z+25,r23 + std Z+26,r2 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r2,Z+30 + ldd r3,Z+31 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror 
r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+28,r3 + std Z+29,r23 + std Z+30,r2 + std Z+31,r22 + dec r24 + breq 1270f + adiw r30,40 + rjmp 121b +1270: + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + ld r14,X+ + ld r15,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + 
in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 1329f + rcall 1329f + rjmp 2541f +1329: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 
+ ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor 
r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + 
mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z 
+#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if 
defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + 
inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +2067: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc 
r26,r1 + lsl r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 
+ lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 
+ rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +2541: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc r29,r1 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + st X+,r12 + st X+,r13 + st X+,r14 + st X+,r15 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 40 +table_1: + .byte 1 + .byte 3 + .byte 7 + .byte 15 + .byte 31 + .byte 62 + .byte 61 + .byte 59 + .byte 55 + .byte 47 + .byte 30 + .byte 60 + .byte 57 + .byte 51 + .byte 39 + .byte 14 + .byte 29 + .byte 58 + .byte 53 + .byte 43 + .byte 22 + .byte 44 + .byte 24 + .byte 48 + .byte 33 + .byte 2 + .byte 5 + .byte 11 + .byte 23 + .byte 46 + .byte 28 + .byte 56 + .byte 49 + .byte 35 + .byte 6 + .byte 13 + .byte 27 + .byte 54 + .byte 45 + .byte 26 + + .text +.global gift128b_decrypt + .type gift128b_decrypt, @function +gift128b_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 35 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld 
r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Z+8 + ldd r27,Z+9 + ldd r24,Z+10 + ldd r25,Z+11 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ld r26,Z + ldd r27,Z+1 + ldd r24,Z+2 + ldd r25,Z+3 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r17,hh8(table_1) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif + ldi r16,40 +114: + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + std Y+13,r26 + std Y+14,r27 + std Y+15,r24 + std Y+16,r25 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r24,Y+3 + ldd r25,Y+4 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + ldd r0,Y+13 + eor r8,r0 + ldd r0,Y+14 + eor r9,r0 + ldd r0,Y+15 + eor r10,r0 + ldd r0,Y+16 + eor r11,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Y+5 + ldd r27,Y+6 + ldd r24,Y+7 
+ ldd r25,Y+8 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + ldd r0,Y+1 + eor r8,r0 + ldd r0,Y+2 + eor r9,r0 + ldd r0,Y+3 + eor r10,r0 + ldd r0,Y+4 + eor r11,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Y+9 + ldd r27,Y+10 + ldd r24,Y+11 + ldd r25,Y+12 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r24,Y+15 + ldd r25,Y+16 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + cpse r16,r1 + rjmp 114b + rjmp 611f +266: + eor r4,r26 + eor r5,r27 + eor r6,r24 + eor r7,r25 + ldi r18,128 + eor r15,r18 + dec r16 + mov r30,r16 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + bst r22,1 + bld r0,0 + bst r3,0 + bld r22,1 + bst r22,6 + bld r3,0 + bst r2,1 + bld r22,6 + bst r3,4 + bld r2,1 + bst r22,7 + bld r3,4 + bst r23,1 + bld r22,7 + bst r3,2 + bld r23,1 + bst r2,6 + bld r3,2 + bst r2,5 + bld r2,6 + bst r3,5 + bld r2,5 + bst r3,7 + bld r3,5 + bst r23,7 + bld r3,7 + bst r23,3 + bld r23,7 + bst r23,2 + bld r23,3 + bst r2,2 + bld r23,2 + bst r2,4 + bld r2,2 + bst r22,5 + bld r2,4 + bst r3,1 + bld r22,5 + bst r3,6 + bld r3,1 + bst r2,7 + bld r3,6 + bst r23,5 + bld r2,7 + bst r3,3 + bld r23,5 + bst r23,6 + bld r3,3 + bst r2,3 + bld r23,6 + bst 
r23,4 + bld r2,3 + bst r22,3 + bld r23,4 + bst r23,0 + bld r22,3 + bst r22,2 + bld r23,0 + bst r2,0 + bld r22,2 + bst r22,4 + bld r2,0 + bst r0,0 + bld r22,4 + bst r4,0 + bld r0,0 + bst r5,0 + bld r4,0 + bst r5,2 + bld r5,0 + bst r7,2 + bld r5,2 + bst r7,6 + bld r7,2 + bst r7,7 + bld r7,6 + bst r6,7 + bld r7,7 + bst r6,5 + bld r6,7 + bst r4,5 + bld r6,5 + bst r4,1 + bld r4,5 + bst r0,0 + bld r4,1 + bst r4,2 + bld r0,0 + bst r7,0 + bld r4,2 + bst r5,6 + bld r7,0 + bst r7,3 + bld r5,6 + bst r6,6 + bld r7,3 + bst r7,5 + bld r6,6 + bst r4,7 + bld r7,5 + bst r6,1 + bld r4,7 + bst r4,4 + bld r6,1 + bst r5,1 + bld r4,4 + bst r0,0 + bld r5,1 + bst r4,3 + bld r0,0 + bst r6,0 + bld r4,3 + bst r5,4 + bld r6,0 + bst r5,3 + bld r5,4 + bst r6,2 + bld r5,3 + bst r7,4 + bld r6,2 + bst r5,7 + bld r7,4 + bst r6,3 + bld r5,7 + bst r6,4 + bld r6,3 + bst r5,5 + bld r6,4 + bst r0,0 + bld r5,5 + bst r4,6 + bld r0,0 + bst r7,1 + bld r4,6 + bst r0,0 + bld r7,1 + bst r8,0 + bld r0,0 + bst r10,0 + bld r8,0 + bst r10,4 + bld r10,0 + bst r10,5 + bld r10,4 + bst r9,5 + bld r10,5 + bst r9,3 + bld r9,5 + bst r11,2 + bld r9,3 + bst r8,6 + bld r11,2 + bst r8,1 + bld r8,6 + bst r9,0 + bld r8,1 + bst r10,2 + bld r9,0 + bst r8,4 + bld r10,2 + bst r10,1 + bld r8,4 + bst r9,4 + bld r10,1 + bst r10,3 + bld r9,4 + bst r11,4 + bld r10,3 + bst r10,7 + bld r11,4 + bst r11,5 + bld r10,7 + bst r9,7 + bld r11,5 + bst r11,3 + bld r9,7 + bst r11,6 + bld r11,3 + bst r8,7 + bld r11,6 + bst r11,1 + bld r8,7 + bst r9,6 + bld r11,1 + bst r8,3 + bld r9,6 + bst r11,0 + bld r8,3 + bst r10,6 + bld r11,0 + bst r8,5 + bld r10,6 + bst r9,1 + bld r8,5 + bst r9,2 + bld r9,1 + bst r8,2 + bld r9,2 + bst r0,0 + bld r8,2 + bst r12,0 + bld r0,0 + bst r15,0 + bld r12,0 + bst r15,6 + bld r15,0 + bst r13,7 + bld r15,6 + bst r12,3 + bld r13,7 + bst r0,0 + bld r12,3 + bst r12,1 + bld r0,0 + bst r14,0 + bld r12,1 + bst r15,4 + bld r14,0 + bst r15,7 + bld r15,4 + bst r12,7 + bld r15,7 + bst r0,0 + bld r12,7 + bst r12,2 + bld r0,0 + bst 
r13,0 + bld r12,2 + bst r15,2 + bld r13,0 + bst r13,6 + bld r15,2 + bst r13,3 + bld r13,6 + bst r0,0 + bld r13,3 + bst r12,4 + bld r0,0 + bst r15,1 + bld r12,4 + bst r14,6 + bld r15,1 + bst r13,5 + bld r14,6 + bst r14,3 + bld r13,5 + bst r0,0 + bld r14,3 + bst r12,5 + bld r0,0 + bst r14,1 + bld r12,5 + bst r14,4 + bld r14,1 + bst r15,5 + bld r14,4 + bst r14,7 + bld r15,5 + bst r0,0 + bld r14,7 + bst r12,6 + bld r0,0 + bst r13,1 + bld r12,6 + bst r14,2 + bld r13,1 + bst r13,4 + bld r14,2 + bst r15,3 + bld r13,4 + bst r0,0 + bld r15,3 + movw r18,r12 + movw r20,r14 + movw r12,r22 + movw r14,r2 + movw r22,r18 + movw r2,r20 + and r18,r4 + and r19,r5 + and r20,r6 + and r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + ret +611: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+17 + ldd r27,Y+18 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_decrypt, .-gift128b_decrypt + +#endif + +#endif 
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-util.h b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-util.h +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.c b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.c index 984a4db..d192b8e 100644 
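Review bot: The 62 hand-written compositions in the `#else /* LW_CRYPTO_ROTATE32_COMPOSED */` branch carry no correctness check, and one miscounted nesting level (say three `rightRotate(…, 1)` instead of four in `leftRotate12`) would silently change cipher output on AVR builds only; I traced every definition here and each reduces to the intended count, but that should be pinned by a test rather than by review. The macros appear to be statement expressions (the `_temp` temporary and `}))` in the `@@ -254` context), so this cannot be a `_Static_assert`; a host-side self-test asserting `leftRotateN(x) == leftRotate(x, N)` and `rightRotateN(x) == rightRotate(x, N)` for N in 1..31 on a few fixed words is the practical form. That test is currently impossible to build off-target because the selector in the `@@ -238` hunk defines `LW_CRYPTO_ROTATE32_COMPOSED` unconditionally; wrapping that block in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` would let a host build force it to 1. The compositions are also side-effect safe only because the generic `leftRotate()`/`rightRotate()` evaluate their argument once via `_temp`, which I would record in the `/* Composed rotation macros ... */` comment, e.g. `/* Each composition nests the generic macros; argument side effects are safe only because leftRotate()/rightRotate() evaluate (a) exactly once. */`.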
--- a/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.c +++ b/sundae-gift/Implementations/crypto_aead/sundaegift0v1/rhys/sundae-gift.c @@ -140,8 +140,7 @@ static int sundae_gift_aead_encrypt *clen = mlen + SUNDAE_GIFT_TAG_SIZE; /* Set the key schedule */ - if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) - return -1; + gift128b_init(&ks, k); /* Format and encrypt the initial domain separation block */ if (adlen > 0) @@ -205,8 +204,7 @@ static int sundae_gift_aead_decrypt len = *mlen = clen - SUNDAE_GIFT_TAG_SIZE; /* Set the key schedule */ - if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) - return -1; + gift128b_init(&ks, k); /* Decrypt the ciphertext to produce the plaintext, using the * tag as the initialization vector for the decryption process */ diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/aead-common.c b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/aead-common.c +++ /dev/null 
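Review bot: With `gift128b_init(&ks, k)` the only runtime check that the key has `SUNDAE_GIFT_KEY_SIZE` bytes is gone from both `sundae_gift_aead_encrypt` (the `@@ -140` hunk) and `sundae_gift_aead_decrypt` (`@@ -205`), and nothing in either hunk records that the length is now fixed by the API instead of verified. Presumably the new `gift128b_init` signature takes a fixed 128-bit key, which is what makes the removed `return -1` path unreachable, but that contract should be stated where the check used to live; I would change the comment in both places to `/* Set the key schedule; gift128b_init() takes a fixed 16-byte key, so there is no error path */`. Both enclosing functions start and end outside the hunks.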
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/aead-common.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/api.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/encrypt.c b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/encrypt.c deleted file mode 100644 index b177c18..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@ - -#include "sundae-gift.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return sundae_gift_128_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return sundae_gift_128_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128-config.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128-config.h deleted file mode 100644 index 62131ba..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128-config.h +++ /dev/null 
@@ -1,80 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_GIFT128_CONFIG_H -#define LW_INTERNAL_GIFT128_CONFIG_H - -/** - * \file internal-gift128-config.h - * \brief Configures the variant of GIFT-128 to use. - */ - -/** - * \brief Select the full variant of GIFT-128. - * - * The full variant requires 320 bytes for the key schedule and uses the - * fixslicing method to implement encryption and decryption. - */ -#define GIFT128_VARIANT_FULL 0 - -/** - * \brief Select the small variant of GIFT-128. - * - * The small variant requires 80 bytes for the key schedule. The rest - * of the key schedule is expanded on the fly during encryption. - * - * The fixslicing method is used to implement encryption and the slower - * bitslicing method is used to implement decryption. 
The small variant - * is suitable when memory is at a premium, decryption is not needed, - * but encryption performance is still important. - */ -#define GIFT128_VARIANT_SMALL 1 - -/** - * \brief Select the tiny variant of GIFT-128. - * - * The tiny variant requires 16 bytes for the key schedule and uses the - * bitslicing method to implement encryption and decryption. It is suitable - * for use when memory is very tight and performance is not critical. - */ -#define GIFT128_VARIANT_TINY 2 - -/** - * \def GIFT128_VARIANT - * \brief Selects the default variant of GIFT-128 to use on this platform. - */ -/** - * \def GIFT128_VARIANT_ASM - * \brief Defined to 1 if the GIFT-128 implementation has been replaced - * with an assembly code version. - */ -#if defined(__AVR__) && !defined(GIFT128_VARIANT_ASM) -#define GIFT128_VARIANT_ASM 1 -#endif -#if !defined(GIFT128_VARIANT) -#define GIFT128_VARIANT GIFT128_VARIANT_FULL -#endif -#if !defined(GIFT128_VARIANT_ASM) -#define GIFT128_VARIANT_ASM 0 -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128.c b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128.c deleted file mode 100644 index c6ac5ec..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128.c +++ /dev/null 
@@ -1,1498 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-gift128.h"
-#include "internal-util.h"
-
-#if !GIFT128_VARIANT_ASM
-
-#if GIFT128_VARIANT != GIFT128_VARIANT_TINY
-
-/* Round constants for GIFT-128 in the fixsliced representation */
-static uint32_t const GIFT128_RC_fixsliced[40] = {
- 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880,
- 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000,
- 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002,
- 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080,
- 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e,
- 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808,
- 0xc001a000, 0x14500002, 0x01020181, 0x8000001a
-};
-
-#endif
-
-#if GIFT128_VARIANT != GIFT128_VARIANT_FULL
-
-/* Round constants for GIFT-128 in the bitsliced representation */
-static uint8_t const GIFT128_RC[40] = {
- 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B,
- 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E,
- 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30,
- 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38,
- 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A
-};
-
-#endif
-
-/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */
-#define bit_permute_step(_y, mask, shift) \
- do { \
- uint32_t y = (_y); \
- uint32_t t = ((y >> (shift)) ^ y) & (mask); \
- (_y) = (y ^ t) ^ (t << (shift)); \
- } while (0)
-
-/*
- * The permutation below was generated by the online permuation generator at
- * "http://programming.sirrida.de/calcperm.php".
- *
- * All of the permutuations are essentially the same, except that each is
- * rotated by 8 bits with respect to the next:
- *
- * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15
- * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23
- * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31
- * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7
- *
- * The most efficient permutation from the online generator was P3, so we
- * perform it as the core of the others, and then perform a final rotation.
- *
- * It is possible to do slightly better than "P3 then rotate" on desktop and
- * server architectures for the other permutations. But the advantage isn't
- * as evident on embedded platforms so we keep things simple.
- */
-#define PERM3_INNER(x) \
- do { \
- bit_permute_step(x, 0x0a0a0a0a, 3); \
- bit_permute_step(x, 0x00cc00cc, 6); \
- bit_permute_step(x, 0x0000f0f0, 12); \
- bit_permute_step(x, 0x000000ff, 24); \
- } while (0)
-#define PERM0(x) \
- do { \
- uint32_t _x = (x); \
- PERM3_INNER(_x); \
- (x) = leftRotate8(_x); \
- } while (0)
-#define PERM1(x) \
- do { \
- uint32_t _x = (x); \
- PERM3_INNER(_x); \
- (x) = leftRotate16(_x); \
- } while (0)
-#define PERM2(x) \
- do { \
- uint32_t _x = (x); \
- PERM3_INNER(_x); \
- (x) = leftRotate24(_x); \
- } while (0)
-#define PERM3(x) \
- do { \
- uint32_t _x = (x); \
- PERM3_INNER(_x); \
- (x) = _x; \
- } while (0)
-
-#define INV_PERM3_INNER(x) \
- do { \
- bit_permute_step(x, 0x00550055, 9); \
- bit_permute_step(x, 0x00003333, 18); \
- bit_permute_step(x, 0x000f000f, 12); \
- bit_permute_step(x, 0x000000ff, 24); \
- } while (0)
-#define INV_PERM0(x) \
- do { \
- uint32_t _x = rightRotate8(x); \
- INV_PERM3_INNER(_x); \
- (x) = _x; \
- } while (0)
-#define INV_PERM1(x) \
- do { \
- uint32_t _x = rightRotate16(x); \
- INV_PERM3_INNER(_x); \
- (x) = _x; \
- } while (0)
-#define INV_PERM2(x) \
- do { \
- uint32_t _x = rightRotate24(x); \
- INV_PERM3_INNER(_x); \
- (x) = _x; \
- } while (0)
-#define INV_PERM3(x) \
- do { \
- uint32_t _x = (x); \
- INV_PERM3_INNER(_x); \
- (x) = _x; \
- } while (0)
-
-/**
- * \brief Converts the GIFT-128 nibble-based representation into word-based.
- *
- * \param output Output buffer to write the word-based version to.
- * \param input Input buffer to read the nibble-based version from.
- *
- * The \a input and \a output buffers can be the same buffer.
- */
-static void gift128n_to_words
- (unsigned char *output, const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Load the input buffer into 32-bit words. We use the nibble order
- * from the HYENA submission to NIST which is byte-reversed with respect
- * to the nibble order of the original GIFT-128 paper. Nibble zero is in
- * the first byte instead of the last, which means little-endian order. */
- s0 = le_load_word32(input + 12);
- s1 = le_load_word32(input + 8);
- s2 = le_load_word32(input + 4);
- s3 = le_load_word32(input);
-
- /* Rearrange the bits so that bits 0..3 of each nibble are
- * scattered to bytes 0..3 of each word. The permutation is:
- *
- * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31
- *
- * Generated with "http://programming.sirrida.de/calcperm.php".
- */
- #define PERM_WORDS(_x) \
- do { \
- uint32_t x = (_x); \
- bit_permute_step(x, 0x0a0a0a0a, 3); \
- bit_permute_step(x, 0x00cc00cc, 6); \
- bit_permute_step(x, 0x0000f0f0, 12); \
- bit_permute_step(x, 0x0000ff00, 8); \
- (_x) = x; \
- } while (0)
- PERM_WORDS(s0);
- PERM_WORDS(s1);
- PERM_WORDS(s2);
- PERM_WORDS(s3);
-
- /* Rearrange the bytes and write them to the output buffer */
- output[0] = (uint8_t)s0;
- output[1] = (uint8_t)s1;
- output[2] = (uint8_t)s2;
- output[3] = (uint8_t)s3;
- output[4] = (uint8_t)(s0 >> 8);
- output[5] = (uint8_t)(s1 >> 8);
- output[6] = (uint8_t)(s2 >> 8);
- output[7] = (uint8_t)(s3 >> 8);
- output[8] = (uint8_t)(s0 >> 16);
- output[9] = (uint8_t)(s1 >> 16);
- output[10] = (uint8_t)(s2 >> 16);
- output[11] = (uint8_t)(s3 >> 16);
- output[12] = (uint8_t)(s0 >> 24);
- output[13] = (uint8_t)(s1 >> 24);
- output[14] = (uint8_t)(s2 >> 24);
- output[15] = (uint8_t)(s3 >> 24);
-}
-
-/**
- * \brief Converts the GIFT-128 word-based representation into nibble-based.
- *
- * \param output Output buffer to write the nibble-based version to.
- * \param input Input buffer to read the word-based version from.
- */
-static void gift128n_to_nibbles
- (unsigned char *output, const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Load the input bytes and rearrange them so that s0 contains the
- * most significant nibbles and s3 contains the least significant */
- s0 = (((uint32_t)(input[12])) << 24) |
- (((uint32_t)(input[8])) << 16) |
- (((uint32_t)(input[4])) << 8) |
- ((uint32_t)(input[0]));
- s1 = (((uint32_t)(input[13])) << 24) |
- (((uint32_t)(input[9])) << 16) |
- (((uint32_t)(input[5])) << 8) |
- ((uint32_t)(input[1]));
- s2 = (((uint32_t)(input[14])) << 24) |
- (((uint32_t)(input[10])) << 16) |
- (((uint32_t)(input[6])) << 8) |
- ((uint32_t)(input[2]));
- s3 = (((uint32_t)(input[15])) << 24) |
- (((uint32_t)(input[11])) << 16) |
- (((uint32_t)(input[7])) << 8) |
- ((uint32_t)(input[3]));
-
- /* Apply the inverse of PERM_WORDS() from the function above */
- #define INV_PERM_WORDS(_x) \
- do { \
- uint32_t x = (_x); \
- bit_permute_step(x, 0x00aa00aa, 7); \
- bit_permute_step(x, 0x0000cccc, 14); \
- bit_permute_step(x, 0x00f000f0, 4); \
- bit_permute_step(x, 0x0000ff00, 8); \
- (_x) = x; \
- } while (0)
- INV_PERM_WORDS(s0);
- INV_PERM_WORDS(s1);
- INV_PERM_WORDS(s2);
- INV_PERM_WORDS(s3);
-
- /* Store the result into the output buffer as 32-bit words */
- le_store_word32(output + 12, s0);
- le_store_word32(output + 8, s1);
- le_store_word32(output + 4, s2);
- le_store_word32(output, s3);
-}
-
-void gift128n_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- gift128n_to_words(output, input);
- gift128b_encrypt(ks, output, output);
- gift128n_to_nibbles(output, output);
-}
-
-void gift128n_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- gift128n_to_words(output, input);
- gift128b_decrypt(ks, output, output);
- gift128n_to_nibbles(output, output);
-}
-
-#if GIFT128_VARIANT != GIFT128_VARIANT_TINY
-
-/**
- * \brief Swaps bits within two words.
- *
- * \param a The first word.
- * \param b The second word.
- * \param mask Mask for the bits to shift.
- * \param shift Shift amount in bits.
- */
-#define gift128b_swap_move(a, b, mask, shift) \
- do { \
- uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \
- (b) ^= tmp; \
- (a) ^= tmp << (shift); \
- } while (0)
-
-/**
- * \brief Derives the next 10 fixsliced keys in the key schedule.
- *
- * \param next Points to the buffer to receive the next 10 keys.
- * \param prev Points to the buffer holding the previous 10 keys.
- *
- * The \a next and \a prev buffers are allowed to be the same.
- */
-#define gift128b_derive_keys(next, prev) \
- do { \
- /* Key 0 */ \
- uint32_t s = (prev)[0]; \
- uint32_t t = (prev)[1]; \
- gift128b_swap_move(t, t, 0x00003333U, 16); \
- gift128b_swap_move(t, t, 0x55554444U, 1); \
- (next)[0] = t; \
- /* Key 1 */ \
- s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \
- gift128b_swap_move(s, s, 0x55551100U, 1); \
- (next)[1] = s; \
- /* Key 2 */ \
- s = (prev)[2]; \
- t = (prev)[3]; \
- (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \
- ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \
- /* Key 3 */ \
- (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \
- ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \
- /* Key 4 */ \
- s = (prev)[4]; \
- t = (prev)[5]; \
- (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \
- leftRotate16(t & 0x55555555U); \
- /* Key 5 */ \
- (next)[5] = leftRotate8(s & 0x55555555U) | \
- leftRotate12(s & 0xAAAAAAAAU); \
- /* Key 6 */ \
- s = (prev)[6]; \
- t = (prev)[7]; \
- (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \
- ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \
- /* Key 7 */ \
- (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \
- ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \
- ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \
- /* Key 8 */ \
- s = (prev)[8]; \
- t = (prev)[9]; \
- (next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \
- ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \
- /* Key 9 */ \
- (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \
- ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \
- } while (0)
-
-/**
- * \brief Compute the round keys for GIFT-128 in the fixsliced representation.
- *
- * \param ks Points to the key schedule to initialize.
- * \param k0 First key word.
- * \param k1 Second key word.
- * \param k2 Third key word.
- * \param k3 Fourth key word.
- */
-static void gift128b_compute_round_keys
- (gift128b_key_schedule_t *ks,
- uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3)
-{
- unsigned index;
- uint32_t temp;
-
- /* Set the regular key with k0 and k3 pre-swapped for the round function */
- ks->k[0] = k3;
- ks->k[1] = k1;
- ks->k[2] = k2;
- ks->k[3] = k0;
-
- /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */
- for (index = 4; index < 20; index += 2) {
- ks->k[index] = ks->k[index - 3];
- temp = ks->k[index - 4];
- temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- ks->k[index + 1] = temp;
- }
- for (index = 0; index < 20; index += 10) {
- /* Keys 0 and 10 */
- temp = ks->k[index];
- gift128b_swap_move(temp, temp, 0x00550055U, 9);
- gift128b_swap_move(temp, temp, 0x000F000FU, 12);
- gift128b_swap_move(temp, temp, 0x00003333U, 18);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index] = temp;
-
- /* Keys 1 and 11 */
- temp = ks->k[index + 1];
- gift128b_swap_move(temp, temp, 0x00550055U, 9);
- gift128b_swap_move(temp, temp, 0x000F000FU, 12);
- gift128b_swap_move(temp, temp, 0x00003333U, 18);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 1] = temp;
-
- /* Keys 2 and 12 */
- temp = ks->k[index + 2];
- gift128b_swap_move(temp, temp, 0x11111111U, 3);
- gift128b_swap_move(temp, temp, 0x03030303U, 6);
- gift128b_swap_move(temp, temp, 0x000F000FU, 12);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 2] = temp;
-
- /* Keys 3 and 13 */
- temp = ks->k[index + 3];
- gift128b_swap_move(temp, temp, 0x11111111U, 3);
- gift128b_swap_move(temp, temp, 0x03030303U, 6);
- gift128b_swap_move(temp, temp, 0x000F000FU, 12);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 3] = temp;
-
- /* Keys 4 and 14 */
- temp = ks->k[index + 4];
- gift128b_swap_move(temp, temp, 0x0000AAAAU, 15);
- gift128b_swap_move(temp, temp, 0x00003333U, 18);
- gift128b_swap_move(temp, temp, 0x0000F0F0U, 12);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 4] = temp;
-
- /* Keys 5 and 15 */
- temp = ks->k[index + 5];
- gift128b_swap_move(temp, temp, 0x0000AAAAU, 15);
- gift128b_swap_move(temp, temp, 0x00003333U, 18);
- gift128b_swap_move(temp, temp, 0x0000F0F0U, 12);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 5] = temp;
-
- /* Keys 6 and 16 */
- temp = ks->k[index + 6];
- gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3);
- gift128b_swap_move(temp, temp, 0x00CC00CCU, 6);
- gift128b_swap_move(temp, temp, 0x0000F0F0U, 12);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 6] = temp;
-
- /* Keys 7 and 17 */
- temp = ks->k[index + 7];
- gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3);
- gift128b_swap_move(temp, temp, 0x00CC00CCU, 6);
- gift128b_swap_move(temp, temp, 0x0000F0F0U, 12);
- gift128b_swap_move(temp, temp, 0x000000FFU, 24);
- ks->k[index + 7] = temp;
-
- /* Keys 8, 9, 18, and 19 do not need any adjustment */
- }
-
-#if GIFT128_VARIANT == GIFT128_VARIANT_FULL
- /* Derive the fixsliced keys for the remaining rounds 11..40 */
- for (index = 20; index < 80; index += 10) {
- gift128b_derive_keys(ks->k + index, ks->k + index - 20);
- }
-#endif
-}
-
-void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key)
-{
- gift128b_compute_round_keys
- (ks, be_load_word32(key), be_load_word32(key + 4),
- be_load_word32(key + 8), be_load_word32(key + 12));
-}
-
-void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key)
-{
- /* Use the little-endian key byte order from the HYENA submission */
- gift128b_compute_round_keys
- (ks, le_load_word32(key + 12), le_load_word32(key + 8),
- le_load_word32(key + 4), le_load_word32(key));
-}
-
-/**
- * \brief Performs the GIFT-128 S-box on the bit-sliced state.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_sbox(s0, s1, s2, s3) \
- do { \
- s1 ^= s0 & s2; \
- s0 ^= s1 & s3; \
- s2 ^= s0 | s1; \
- s3 ^= s2; \
- s1 ^= s3; \
- s3 ^= 0xFFFFFFFFU; \
- s2 ^= s0 & s1; \
- } while (0)
-
-/**
- * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_sbox(s0, s1, s2, s3) \
- do { \
- s2 ^= s3 & s1; \
- s0 ^= 0xFFFFFFFFU; \
- s1 ^= s0; \
- s0 ^= s2; \
- s2 ^= s3 | s1; \
- s3 ^= s1 & s0; \
- s1 ^= s3 & s2; \
- } while (0)
-
-/**
- * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_1(s0, s1, s2, s3) \
- do { \
- s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \
- s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \
- s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \
- } while (0);
-
-/**
- * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_2(s0, s1, s2, s3) \
- do { \
- s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \
- s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \
- s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \
- } while (0);
-
-/**
- * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_3(s0, s1, s2, s3) \
- do { \
- gift128b_swap_move(s1, s1, 0x55555555U, 1); \
- s2 = leftRotate16(s2); \
- gift128b_swap_move(s2, s2, 0x00005555U, 1); \
- s3 = leftRotate16(s3); \
- gift128b_swap_move(s3, s3, 0x55550000U, 1); \
- } while (0);
-
-/**
- * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_4(s0, s1, s2, s3) \
- do { \
- s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \
- s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \
- s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \
- } while (0);
-
-/**
- * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_5(s0, s1, s2, s3) \
- do { \
- s1 = leftRotate16(s1); \
- s2 = rightRotate8(s2); \
- s3 = leftRotate8(s3); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \
- do { \
- s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \
- s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \
- s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \
- do { \
- s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \
- s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \
- s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \
- do { \
- gift128b_swap_move(s1, s1, 0x55555555U, 1); \
- gift128b_swap_move(s2, s2, 0x00005555U, 1); \
- s2 = leftRotate16(s2); \
- gift128b_swap_move(s3, s3, 0x55550000U, 1); \
- s3 = leftRotate16(s3); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \
- do { \
- s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \
- s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \
- s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \
- do { \
- s1 = leftRotate16(s1); \
- s2 = leftRotate8(s2); \
- s3 = rightRotate8(s3); \
- } while (0);
-
-/**
- * \brief Performs five fixsliced encryption rounds for GIFT-128.
- *
- * \param rk Points to the 10 round keys for these rounds.
- * \param rc Points to the round constants for these rounds.
- *
- * We perform all 40 rounds of the fixsliced GIFT-128 five at a time.
- *
- * The permutation is restructured so that one of the words each round
- * does not need to be permuted, with the others rotating left, up, right,
- * and down to keep the bits in line with their non-moving counterparts.
- * This reduces the number of shifts required significantly.
- *
- * At the end of five rounds, the bit ordering will return to the
- * original position. We then repeat the process for the next 5 rounds.
- */
-#define gift128b_encrypt_5_rounds(rk, rc) \
- do { \
- /* 1st round - S-box, rotate left, add round key */ \
- gift128b_sbox(s0, s1, s2, s3); \
- gift128b_permute_state_1(s0, s1, s2, s3); \
- s1 ^= (rk)[0]; \
- s2 ^= (rk)[1]; \
- s0 ^= (rc)[0]; \
- \
- /* 2nd round - S-box, rotate up, add round key */ \
- gift128b_sbox(s3, s1, s2, s0); \
- gift128b_permute_state_2(s0, s1, s2, s3); \
- s1 ^= (rk)[2]; \
- s2 ^= (rk)[3]; \
- s3 ^= (rc)[1]; \
- \
- /* 3rd round - S-box, swap columns, add round key */ \
- gift128b_sbox(s0, s1, s2, s3); \
- gift128b_permute_state_3(s0, s1, s2, s3); \
- s1 ^= (rk)[4]; \
- s2 ^= (rk)[5]; \
- s0 ^= (rc)[2]; \
- \
- /* 4th round - S-box, rotate left and swap rows, add round key */ \
- gift128b_sbox(s3, s1, s2, s0); \
- gift128b_permute_state_4(s0, s1, s2, s3); \
- s1 ^= (rk)[6]; \
- s2 ^= (rk)[7]; \
- s3 ^= (rc)[3]; \
- \
- /* 5th round - S-box, rotate up, add round key */ \
- gift128b_sbox(s0, s1, s2, s3); \
- gift128b_permute_state_5(s0, s1, s2, s3); \
- s1 ^= (rk)[8]; \
- s2 ^= (rk)[9]; \
- s0 ^= (rc)[4]; \
- \
- /* Swap s0 and s3 in preparation for the next 1st round */ \
- s0 ^= s3; \
- s3 ^= s0; \
- s0 ^= s3; \
- } while (0)
-
-/**
- * \brief Performs five fixsliced decryption rounds for GIFT-128.
- *
- * \param rk Points to the 10 round keys for these rounds.
- * \param rc Points to the round constants for these rounds.
- *
- * We perform all 40 rounds of the fixsliced GIFT-128 five at a time.
- */
-#define gift128b_decrypt_5_rounds(rk, rc) \
- do { \
- /* Swap s0 and s3 in preparation for the next 5th round */ \
- s0 ^= s3; \
- s3 ^= s0; \
- s0 ^= s3; \
- \
- /* 5th round - S-box, rotate down, add round key */ \
- s1 ^= (rk)[8]; \
- s2 ^= (rk)[9]; \
- s0 ^= (rc)[4]; \
- gift128b_inv_permute_state_5(s0, s1, s2, s3); \
- gift128b_inv_sbox(s3, s1, s2, s0); \
- \
- /* 4th round - S-box, rotate right and swap rows, add round key */ \
- s1 ^= (rk)[6]; \
- s2 ^= (rk)[7]; \
- s3 ^= (rc)[3]; \
- gift128b_inv_permute_state_4(s0, s1, s2, s3); \
- gift128b_inv_sbox(s0, s1, s2, s3); \
- \
- /* 3rd round - S-box, swap columns, add round key */ \
- s1 ^= (rk)[4]; \
- s2 ^= (rk)[5]; \
- s0 ^= (rc)[2]; \
- gift128b_inv_permute_state_3(s0, s1, s2, s3); \
- gift128b_inv_sbox(s3, s1, s2, s0); \
- \
- /* 2nd round - S-box, rotate down, add round key */ \
- s1 ^= (rk)[2]; \
- s2 ^= (rk)[3]; \
- s3 ^= (rc)[1]; \
- gift128b_inv_permute_state_2(s0, s1, s2, s3); \
- gift128b_inv_sbox(s0, s1, s2, s3); \
- \
- /* 1st round - S-box, rotate right, add round key */ \
- s1 ^= (rk)[0]; \
- s2 ^= (rk)[1]; \
- s0 ^= (rc)[0]; \
- gift128b_inv_permute_state_1(s0, s1, s2, s3); \
- gift128b_inv_sbox(s3, s1, s2, s0); \
- } while (0)
-
-#else /* GIFT128_VARIANT_TINY */
-
-void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key)
-{
- /* Mirror the fixslicing word order of 3, 1, 2, 0 */
- ks->k[0] = be_load_word32(key + 12);
- ks->k[1] = be_load_word32(key + 4);
- ks->k[2] = be_load_word32(key + 8);
- ks->k[3] = be_load_word32(key);
-}
-
-void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key)
-{
- /* Use the little-endian key byte order from the HYENA submission
- * and mirror the fixslicing word order of 3, 1, 2, 0 */
- ks->k[0] = le_load_word32(key);
- ks->k[1] = le_load_word32(key + 8);
- ks->k[2] = le_load_word32(key + 4);
- ks->k[3] = le_load_word32(key + 12);
-}
-
-#endif /* GIFT128_VARIANT_TINY */
-
-#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL
-
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t k[20];
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_derive_keys(k, ks->k);
- gift128b_derive_keys(k + 10, ks->k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4])
-{
- uint32_t s0, s1, s2, s3;
- uint32_t k[20];
-
- /* Copy the plaintext into local variables */
- s0 = input[0];
- s1 = input[1];
- s2 = input[2];
- s3 = input[3];
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_derive_keys(k, ks->k);
- gift128b_derive_keys(k + 10, ks->k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer */
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-}
-
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t k[20];
-
- /* Copy the plaintext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the last we add the tweak value to the state */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- s0 ^= tweak;
- gift128b_derive_keys(k, ks->k);
- gift128b_derive_keys(k + 10, ks->k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
- s0 ^= tweak;
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
- s0 ^= tweak;
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL
-
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4])
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the plaintext into local variables */
- s0 = input[0];
- s1 = input[1];
- s2 = input[2];
- s3 = input[3];
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer */
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-}
-
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the plaintext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the last we add the tweak value to the state */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#else /* GIFT128_VARIANT_TINY */
-
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* The key schedule is initialized with the key itself */
- w0 = ks->k[3];
- w1 = ks->k[1];
- w2 = ks->k[2];
- w3 = ks->k[0];
-
- /* Perform all 40 rounds */
- for (round = 0; round < 40; ++round) {
- /* SubCells - apply the S-box */
- s1 ^= s0 & s2;
- s0 ^= s1 & s3;
- s2 ^= s0 | s1;
- s3 ^= s2;
- s1 ^= s3;
- s3 ^= 0xFFFFFFFFU;
- s2 ^= s0 & s1;
- temp = s0;
- s0 = s3;
- s3 = temp;
-
- /* PermBits - apply the 128-bit permutation */
- PERM0(s0);
- PERM1(s1);
- PERM2(s2);
- PERM3(s3);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round]; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[3]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[0]; - - /* Perform all 40 rounds */ - for (round = 0; round < 40; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 128-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round]; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer */ - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -} - -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the 
plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[3]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[0]; - - /* Perform all 40 rounds */ - for (round = 0; round < 40; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 128-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round]; - - /* AddTweak - XOR in the tweak every 5 rounds except the last */ - if (((round + 1) % 5) == 0 && round < 39) - s0 ^= tweak; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#endif /* GIFT128_VARIANT_TINY */ - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - -void gift128b_decrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_decrypt_5_rounds(ks->k + 
70, GIFT128_RC_fixsliced + 35); - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128t_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the ciphertext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method. 
- * Every 5 rounds except the first we add the tweak value to the state */ - gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - - /* Pack the state into the plaintext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ - -/* The small variant uses fixslicing for encryption, but we need to change - * to bitslicing for decryption because of the difficulty of fast-forwarding - * the fixsliced key schedule to the end. So the tiny variant is used for - * decryption when the small variant is selected. Since the NIST AEAD modes - * for GIFT-128 only use the block encrypt operation, the inefficiencies - * in decryption don't matter all that much */ - -/** - * \def gift128b_load_and_forward_schedule() - * \brief Generate the decryption key at the end of the last round. 
- * - * To do that, we run the block operation forward to determine the - * final state of the key schedule after the last round: - * - * w0 = ks->k[0]; - * w1 = ks->k[1]; - * w2 = ks->k[2]; - * w3 = ks->k[3]; - * for (round = 0; round < 40; ++round) { - * temp = w3; - * w3 = w2; - * w2 = w1; - * w1 = w0; - * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - * } - * - * We can short-cut all of the above by noticing that we don't need - * to do the word rotations. Every 4 rounds, the rotation alignment - * returns to the original position and each word has been rotated - * by applying the "2 right and 4 left" bit-rotation step to it. - * We then repeat that 10 times for the full 40 rounds. The overall - * effect is to apply a "20 right and 40 left" bit-rotation to every - * word in the key schedule. That is equivalent to "4 right and 8 left" - * on the 16-bit sub-words. - */ -#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL -#define gift128b_load_and_forward_schedule() \ - do { \ - w0 = ks->k[3]; \ - w1 = ks->k[1]; \ - w2 = ks->k[2]; \ - w3 = ks->k[0]; \ - w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ - ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ - w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ - ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \ - w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ - ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ - w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ - ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ - } while (0) -#else -/* The small variant needs to also undo some of the rotations that were - * done to generate the fixsliced version of the key schedule */ -#define gift128b_load_and_forward_schedule() \ - do { \ - w0 = ks->k[3]; \ - w1 = ks->k[1]; \ - w2 = ks->k[2]; \ - w3 = ks->k[0]; \ - gift128b_swap_move(w3, w3, 0x000000FFU, 24); \ - 
gift128b_swap_move(w3, w3, 0x00003333U, 18); \ - gift128b_swap_move(w3, w3, 0x000F000FU, 12); \ - gift128b_swap_move(w3, w3, 0x00550055U, 9); \ - gift128b_swap_move(w1, w1, 0x000000FFU, 24); \ - gift128b_swap_move(w1, w1, 0x00003333U, 18); \ - gift128b_swap_move(w1, w1, 0x000F000FU, 12); \ - gift128b_swap_move(w1, w1, 0x00550055U, 9); \ - gift128b_swap_move(w2, w2, 0x000000FFU, 24); \ - gift128b_swap_move(w2, w2, 0x000F000FU, 12); \ - gift128b_swap_move(w2, w2, 0x03030303U, 6); \ - gift128b_swap_move(w2, w2, 0x11111111U, 3); \ - gift128b_swap_move(w0, w0, 0x000000FFU, 24); \ - gift128b_swap_move(w0, w0, 0x000F000FU, 12); \ - gift128b_swap_move(w0, w0, 0x03030303U, 6); \ - gift128b_swap_move(w0, w0, 0x11111111U, 3); \ - w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ - ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ - w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ - ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \ - w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ - ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ - w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ - ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ - } while (0) -#endif - -void gift128b_decrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the ciphertext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Generate the decryption key at the end of the last round */ - gift128b_load_and_forward_schedule(); - - /* Perform all 40 rounds */ - for (round = 40; round > 0; --round) { - /* Rotate the key schedule backwards */ - temp = w0; - w0 = w1; - w1 = w2; - w2 = w3; - w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 
14) | - ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; - - /* InvPermBits - apply the inverse of the 128-bit permutation */ - INV_PERM0(s0); - INV_PERM1(s1); - INV_PERM2(s2); - INV_PERM3(s3); - - /* InvSubCells - apply the inverse of the S-box */ - temp = s0; - s0 = s3; - s3 = temp; - s2 ^= s0 & s1; - s3 ^= 0xFFFFFFFFU; - s1 ^= s3; - s3 ^= s2; - s2 ^= s0 | s1; - s0 ^= s1 & s3; - s1 ^= s0 & s2; - } - - /* Pack the state into the plaintext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128t_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Generate the decryption key at the end of the last round */ - gift128b_load_and_forward_schedule(); - - /* Perform all 40 rounds */ - for (round = 40; round > 0; --round) { - /* Rotate the key schedule backwards */ - temp = w0; - w0 = w1; - w1 = w2; - w2 = w3; - w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | - ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); - - /* AddTweak - XOR in the tweak every 5 rounds except the last */ - if ((round % 5) == 0 && round < 40) - s0 ^= tweak; - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; - - /* InvPermBits - apply the inverse of the 128-bit permutation */ - INV_PERM0(s0); - INV_PERM1(s1); - 
INV_PERM2(s2); - INV_PERM3(s3); - - /* InvSubCells - apply the inverse of the S-box */ - temp = s0; - s0 = s3; - s3 = temp; - s2 ^= s0 & s1; - s3 ^= 0xFFFFFFFFU; - s1 ^= s3; - s3 ^= s2; - s2 ^= s0 | s1; - s0 ^= s1 & s3; - s1 ^= s0 & s2; - } - - /* Pack the state into the plaintext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ - -#endif /* !GIFT128_VARIANT_ASM */ diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128.h deleted file mode 100644 index f57d143..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128.h +++ /dev/null 
@@ -1,246 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_GIFT128_H -#define LW_INTERNAL_GIFT128_H - -/** - * \file internal-gift128.h - * \brief GIFT-128 block cipher. - * - * There are three versions of GIFT-128 in use within the second round - * submissions to the NIST lightweight cryptography competition. - * - * The most efficient version for 32-bit software implementation is the - * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT. - * - * The second is the nibble-based version from HYENA. We implement the - * HYENA version as a wrapper around the bit-sliced version. - * - * The third version is a variant on the HYENA nibble-based version that - * includes a 4-bit tweak value for domain separation. It is used by - * the ESTATE submission to NIST. 
- * - * Technically there is a fourth version of GIFT-128 which is the one that - * appeared in the original GIFT-128 paper. It is almost the same as the - * HYENA version except that the byte ordering is big-endian instead of - * HYENA's little-endian. The original version of GIFT-128 doesn't appear - * in any of the NIST submissions so we don't bother with it in this library. - * - * References: https://eprint.iacr.org/2017/622.pdf, - * https://eprint.iacr.org/2020/412.pdf, - * https://giftcipher.github.io/gift/ - */ - -#include -#include -#include "internal-gift128-config.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of a GIFT-128 block in bytes. - */ -#define GIFT128_BLOCK_SIZE 16 - -/** - * \var GIFT128_ROUND_KEYS - * \brief Number of round keys for the GIFT-128 key schedule. - */ -#if GIFT128_VARIANT == GIFT128_VARIANT_TINY -#define GIFT128_ROUND_KEYS 4 -#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL -#define GIFT128_ROUND_KEYS 20 -#else -#define GIFT128_ROUND_KEYS 80 -#endif - -/** - * \brief Structure of the key schedule for GIFT-128 (bit-sliced). - */ -typedef struct -{ - /** Pre-computed round keys for bit-sliced GIFT-128 */ - uint32_t k[GIFT128_ROUND_KEYS]; - -} gift128b_key_schedule_t; - -/** - * \brief Initializes the key schedule for GIFT-128 (bit-sliced). - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the 16 bytes of the key data. - */ -void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key); - -/** - * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced). - * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. 
- */ -void gift128b_encrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded). - * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This version assumes that the input has already been pre-loaded from - * big-endian into host byte order in the supplied word array. The output - * is delivered in the same way. - */ -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]); - -/** - * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced). - * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place decryption. - */ -void gift128b_decrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Structure of the key schedule for GIFT-128 (nibble-based). - */ -typedef gift128b_key_schedule_t gift128n_key_schedule_t; - -/** - * \brief Initializes the key schedule for GIFT-128 (nibble-based). - * - * \param ks Points to the key schedule to initialize. - * \param key Points to the 16 bytes of the key data. - */ -void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key); - -/** - * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based). - * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. 
- * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - */ -void gift128n_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/** - * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based). - * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * - * The \a input and \a output buffers can be the same buffer for - * in-place decryption. - */ -void gift128n_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input); - -/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */ -#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */ -#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */ -#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */ -#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */ -#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */ -#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */ -#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */ -#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */ -#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */ -#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */ -#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */ -#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */ -#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */ -#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */ -#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */ -#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */ - -/** - * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant). 
- * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * \param tweak 4-bit tweak value expanded to 32-bit. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This variant of GIFT-128 is used by the ESTATE submission to the - * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to - * some of the rounds to provide domain separation. If the tweak is - * zero, then this function is identical to gift128n_encrypt(). - */ -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak); - -/** - * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant). - * - * \param ks Points to the GIFT-128 key schedule. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. - * \param tweak 4-bit tweak value expanded to 32-bit. - * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. - * - * This variant of GIFT-128 is used by the ESTATE submission to the - * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to - * some of the rounds to provide domain separation. If the tweak is - * zero, then this function is identical to gift128n_encrypt(). - */ -void gift128t_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128b-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128b-avr.S deleted file mode 100644 index 641613a..0000000 
--- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128b-avr.S +++ /dev/null 
@@ -1,2104 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 40 -table_0: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - .byte 26 - - .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+4,r18 - std Z+5,r19 - std Z+6,r20 - std Z+7,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+8,r18 - std Z+9,r19 - std Z+10,r20 - std Z+11,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+12,r18 - std Z+13,r19 - std Z+14,r20 - std Z+15,r21 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd 
r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - mov r16,r1 -46: - rcall 199f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - rcall 199f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - rcall 199f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - rcall 199f - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - 
rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - ldi r17,40 - cpse r16,r17 - rjmp 46b - rjmp 548f -199: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - movw r18,r22 - movw r20,r2 - mov r0,r4 - and r0,r18 - eor r8,r0 - mov r0,r5 - and r0,r19 - eor r9,r0 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - movw r22,r12 - movw r2,r14 - movw r12,r18 - movw r14,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r2,0 - bld r22,4 - bst r22,2 - bld r2,0 - bst r23,0 - bld r22,2 - bst r22,3 - bld r23,0 - bst r23,4 - bld r22,3 - bst r2,3 - bld r23,4 - bst r23,6 - bld r2,3 - bst r3,3 - bld r23,6 - bst r23,5 - bld r3,3 - bst r2,7 - bld r23,5 - bst r3,6 - bld r2,7 - bst r3,1 - bld r3,6 - bst r22,5 - bld r3,1 - bst r2,4 - bld r22,5 - bst r2,2 - bld r2,4 - bst r23,2 - bld r2,2 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r3,7 - bld r23,7 - bst r3,5 - bld r3,7 - bst r2,5 - bld r3,5 - bst r2,6 - bld r2,5 - bst r3,2 - bld r2,6 - bst r23,1 - bld r3,2 - bst r22,7 - bld r23,1 - bst r3,4 - bld r22,7 - bst r2,1 - bld r3,4 - bst r22,6 - bld r2,1 - bst r3,0 - bld r22,6 - bst r0,0 - bld r3,0 - bst r4,0 - bld r0,0 - bst r4,1 - bld r4,0 - bst r4,5 - bld r4,1 - bst r6,5 - bld r4,5 - bst r6,7 - bld r6,5 - bst r7,7 - bld 
r6,7 - bst r7,6 - bld r7,7 - bst r7,2 - bld r7,6 - bst r5,2 - bld r7,2 - bst r5,0 - bld r5,2 - bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,1 - bld r4,2 - bst r4,4 - bld r5,1 - bst r6,1 - bld r4,4 - bst r4,7 - bld r6,1 - bst r7,5 - bld r4,7 - bst r6,6 - bld r7,5 - bst r7,3 - bld r6,6 - bst r5,6 - bld r7,3 - bst r7,0 - bld r5,6 - bst r0,0 - bld r7,0 - bst r4,3 - bld r0,0 - bst r5,5 - bld r4,3 - bst r6,4 - bld r5,5 - bst r6,3 - bld r6,4 - bst r5,7 - bld r6,3 - bst r7,4 - bld r5,7 - bst r6,2 - bld r7,4 - bst r5,3 - bld r6,2 - bst r5,4 - bld r5,3 - bst r6,0 - bld r5,4 - bst r0,0 - bld r6,0 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r8,2 - bld r8,0 - bst r9,2 - bld r8,2 - bst r9,1 - bld r9,2 - bst r8,5 - bld r9,1 - bst r10,6 - bld r8,5 - bst r11,0 - bld r10,6 - bst r8,3 - bld r11,0 - bst r9,6 - bld r8,3 - bst r11,1 - bld r9,6 - bst r8,7 - bld r11,1 - bst r11,6 - bld r8,7 - bst r11,3 - bld r11,6 - bst r9,7 - bld r11,3 - bst r11,5 - bld r9,7 - bst r10,7 - bld r11,5 - bst r11,4 - bld r10,7 - bst r10,3 - bld r11,4 - bst r9,4 - bld r10,3 - bst r10,1 - bld r9,4 - bst r8,4 - bld r10,1 - bst r10,2 - bld r8,4 - bst r9,0 - bld r10,2 - bst r8,1 - bld r9,0 - bst r8,6 - bld r8,1 - bst r11,2 - bld r8,6 - bst r9,3 - bld r11,2 - bst r9,5 - bld r9,3 - bst r10,5 - bld r9,5 - bst r10,4 - bld r10,5 - bst r10,0 - bld r10,4 - bst r0,0 - bld r10,0 - bst r12,0 - bld r0,0 - bst r12,3 - bld r12,0 - bst r13,7 - bld r12,3 - bst r15,6 - bld r13,7 - bst r15,0 - bld r15,6 - bst r0,0 - bld r15,0 - bst r12,1 - bld r0,0 - bst r12,7 - bld r12,1 - bst r15,7 - bld r12,7 - bst r15,4 - bld r15,7 - bst r14,0 - bld r15,4 - bst r0,0 - bld r14,0 - bst r12,2 - bld r0,0 - bst r13,3 - bld r12,2 - bst r13,6 - bld r13,3 - bst r15,2 - bld r13,6 - bst r13,0 - bld r15,2 - bst r0,0 - bld r13,0 - bst r12,4 - bld r0,0 - bst r14,3 - bld r12,4 - bst r13,5 - bld r14,3 - bst r14,6 - bld r13,5 - bst r15,1 - bld r14,6 - bst r0,0 - bld r15,1 - bst r12,5 - bld r0,0 - bst 
r14,7 - bld r12,5 - bst r15,5 - bld r14,7 - bst r14,4 - bld r15,5 - bst r14,1 - bld r14,4 - bst r0,0 - bld r14,1 - bst r12,6 - bld r0,0 - bst r15,3 - bld r12,6 - bst r13,4 - bld r15,3 - bst r14,2 - bld r13,4 - bst r13,1 - bld r14,2 - bst r0,0 - bld r13,1 - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r16 - ret -548: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 
- std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - mov r16,r1 -46: - rcall 199f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - rcall 199f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - rcall 199f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - rcall 199f - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror 
r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - ldi r17,40 - cpse r16,r17 - rjmp 46b - rjmp 548f -199: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - movw r18,r22 - movw r20,r2 - mov r0,r4 - and r0,r18 - eor r8,r0 - mov r0,r5 - and r0,r19 - eor r9,r0 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - movw r22,r12 - movw r2,r14 - movw r12,r18 - movw r14,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r2,0 - bld r22,4 - bst r22,2 - bld r2,0 - bst r23,0 - bld r22,2 - bst r22,3 - bld r23,0 - bst r23,4 - bld r22,3 - bst r2,3 - bld r23,4 - bst r23,6 - bld r2,3 - bst r3,3 - bld r23,6 - bst r23,5 - bld r3,3 - bst r2,7 - bld r23,5 - bst r3,6 - bld r2,7 - bst r3,1 - bld r3,6 - bst r22,5 - bld r3,1 - bst r2,4 - bld r22,5 - bst r2,2 - bld r2,4 - bst r23,2 - bld r2,2 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r3,7 - bld r23,7 - bst r3,5 - bld r3,7 - bst r2,5 - bld r3,5 - bst r2,6 - bld r2,5 - bst r3,2 - bld r2,6 - bst r23,1 - bld r3,2 - bst r22,7 - bld r23,1 - bst r3,4 - bld r22,7 - bst r2,1 - bld r3,4 - bst r22,6 - bld r2,1 - bst r3,0 - bld r22,6 - bst r0,0 - bld r3,0 - bst r4,0 - bld r0,0 - bst r4,1 - bld r4,0 - bst r4,5 - bld r4,1 - bst r6,5 - bld r4,5 - bst r6,7 - bld r6,5 - bst r7,7 - bld r6,7 - bst r7,6 - bld r7,7 - bst r7,2 - bld r7,6 - bst r5,2 - bld r7,2 - bst r5,0 - bld r5,2 - 
bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,1 - bld r4,2 - bst r4,4 - bld r5,1 - bst r6,1 - bld r4,4 - bst r4,7 - bld r6,1 - bst r7,5 - bld r4,7 - bst r6,6 - bld r7,5 - bst r7,3 - bld r6,6 - bst r5,6 - bld r7,3 - bst r7,0 - bld r5,6 - bst r0,0 - bld r7,0 - bst r4,3 - bld r0,0 - bst r5,5 - bld r4,3 - bst r6,4 - bld r5,5 - bst r6,3 - bld r6,4 - bst r5,7 - bld r6,3 - bst r7,4 - bld r5,7 - bst r6,2 - bld r7,4 - bst r5,3 - bld r6,2 - bst r5,4 - bld r5,3 - bst r6,0 - bld r5,4 - bst r0,0 - bld r6,0 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r8,2 - bld r8,0 - bst r9,2 - bld r8,2 - bst r9,1 - bld r9,2 - bst r8,5 - bld r9,1 - bst r10,6 - bld r8,5 - bst r11,0 - bld r10,6 - bst r8,3 - bld r11,0 - bst r9,6 - bld r8,3 - bst r11,1 - bld r9,6 - bst r8,7 - bld r11,1 - bst r11,6 - bld r8,7 - bst r11,3 - bld r11,6 - bst r9,7 - bld r11,3 - bst r11,5 - bld r9,7 - bst r10,7 - bld r11,5 - bst r11,4 - bld r10,7 - bst r10,3 - bld r11,4 - bst r9,4 - bld r10,3 - bst r10,1 - bld r9,4 - bst r8,4 - bld r10,1 - bst r10,2 - bld r8,4 - bst r9,0 - bld r10,2 - bst r8,1 - bld r9,0 - bst r8,6 - bld r8,1 - bst r11,2 - bld r8,6 - bst r9,3 - bld r11,2 - bst r9,5 - bld r9,3 - bst r10,5 - bld r9,5 - bst r10,4 - bld r10,5 - bst r10,0 - bld r10,4 - bst r0,0 - bld r10,0 - bst r12,0 - bld r0,0 - bst r12,3 - bld r12,0 - bst r13,7 - bld r12,3 - bst r15,6 - bld r13,7 - bst r15,0 - bld r15,6 - bst r0,0 - bld r15,0 - bst r12,1 - bld r0,0 - bst r12,7 - bld r12,1 - bst r15,7 - bld r12,7 - bst r15,4 - bld r15,7 - bst r14,0 - bld r15,4 - bst r0,0 - bld r14,0 - bst r12,2 - bld r0,0 - bst r13,3 - bld r12,2 - bst r13,6 - bld r13,3 - bst r15,2 - bld r13,6 - bst r13,0 - bld r15,2 - bst r0,0 - bld r13,0 - bst r12,4 - bld r0,0 - bst r14,3 - bld r12,4 - bst r13,5 - bld r14,3 - bst r14,6 - bld r13,5 - bst r15,1 - bld r14,6 - bst r0,0 - bld r15,1 - bst r12,5 - bld r0,0 - bst r14,7 - bld r12,5 - bst r15,5 - bld r14,7 - bst r14,4 - bld r15,5 - bst r14,1 - bld r14,4 - bst 
r0,0 - bld r14,1 - bst r12,6 - bld r0,0 - bst r15,3 - bld r12,6 - bst r13,4 - bld r15,3 - bst r14,2 - bld r13,4 - bst r13,1 - bld r14,2 - bst r0,0 - bld r13,1 - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r16 - ret -548: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd 
r24,Z+6 - ldd r25,Z+7 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -114: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 
- std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - cpse r16,r1 - rjmp 114b - rjmp 611f -266: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld 
r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 - bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - 
bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -611: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128b-full-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128b-full-avr.S deleted file mode 100644 index ff11875..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128b-full-avr.S +++ /dev/null 
@@ -1,5037 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - -#include "internal-gift128-config.h" - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 160 -table_0: - .byte 8 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 128 - .byte 1 - .byte 128 - .byte 2 - .byte 0 - .byte 0 - .byte 84 - .byte 129 - .byte 1 - .byte 1 - .byte 1 - .byte 31 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 136 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 81 - .byte 128 - .byte 1 - .byte 3 - .byte 3 - .byte 47 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 96 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 65 - .byte 128 - .byte 0 - .byte 3 - .byte 3 - .byte 39 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 64 - .byte 2 - .byte 0 - .byte 80 - .byte 17 - .byte 128 - .byte 1 - .byte 2 - .byte 3 - .byte 43 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 8 - .byte 8 - .byte 16 - .byte 0 - .byte 64 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 64 - .byte 1 - .byte 128 - .byte 0 - .byte 2 - .byte 2 - .byte 33 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 192 - .byte 1 - .byte 0 - .byte 2 - .byte 0 - .byte 0 - .byte 81 - .byte 128 - .byte 1 - .byte 1 - .byte 3 - .byte 46 - .byte 0 - .byte 0 - .byte 128 - .byte 0 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 32 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 64 - .byte 128 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 0 - .byte 0 - .byte 128 - .byte 8 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 160 - .byte 1 - .byte 192 - .byte 2 - .byte 0 - .byte 80 - .byte 20 - .byte 129 - .byte 1 - .byte 2 - .byte 1 - .byte 26 - .byte 0 - .byte 0 - .byte 128 - 
- .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 - movw r26,r22 -.L__stack_usage = 18 - ld r13,X+ - ld r12,X+ - ld r11,X+ - ld r10,X+ - ld r5,X+ - ld r4,X+ - ld r3,X+ - ld r2,X+ - ld r9,X+ - ld r8,X+ - ld r7,X+ - ld r6,X+ - ld r29,X+ - ld r28,X+ - ld r23,X+ - ld r22,X+ - st Z+,r22 - st Z+,r23 - st Z+,r28 - st Z+,r29 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - ldi r24,4 -33: - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r29 - ror r28 - ror r0 - lsr r29 - ror r28 - ror r0 - or r29,r0 - st Z+,r22 - st Z+,r23 - st Z+,r28 - st Z+,r29 - mov r0,r22 - mov r22,r2 - mov r2,r0 - mov r0,r23 - mov r23,r3 - mov r3,r0 - mov r0,r28 - mov r28,r4 - mov r4,r0 - mov r0,r29 - mov r29,r5 - mov r5,r0 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - mov r0,r6 - mov r6,r10 - mov r10,r0 - mov r0,r7 - mov r7,r11 - mov r11,r0 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - dec r24 - breq 5115f - rjmp 33b -5115: - subi r30,80 - sbc r31,r1 - ldi r24,2 -119: - ld r22,Z - ldd r23,Z+1 - ldd r28,Z+2 - ldd r29,Z+3 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor 
r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - st Z,r29 - std Z+1,r23 - std Z+2,r28 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r28,Z+6 - ldd r29,Z+7 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror 
r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+4,r29 - std Z+5,r23 - std Z+6,r28 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r28,Z+10 - ldd r29,Z+11 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - 
ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+8,r29 - std Z+9,r23 - std Z+10,r28 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r28,Z+14 - ldd r29,Z+15 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 
- eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+12,r29 - std Z+13,r23 - std Z+14,r28 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r28,Z+18 - ldd r29,Z+19 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - 
mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+16,r29 - std Z+17,r23 - std Z+18,r28 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r28,Z+22 - ldd r29,Z+23 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+20,r29 - std Z+21,r23 - std Z+22,r28 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r28,Z+26 - ldd r29,Z+27 - movw r18,r22 - 
movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+24,r29 - std Z+25,r23 - std Z+26,r28 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r28,Z+30 - ldd r29,Z+31 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor 
r20,r28 - eor r21,r29 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+28,r29 - std Z+29,r23 - std Z+30,r28 - std Z+31,r22 - dec r24 - breq 1268f - adiw r30,40 - rjmp 119b -1268: - adiw r30,40 - movw r26,r30 - subi r26,80 - sbc r27,r1 - ldi r24,6 -1274: - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - movw r18,r2 - movw r20,r4 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r2 - eor r19,r3 - andi r18,51 - andi r19,51 - eor r2,r18 - eor r3,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - 
mov r18,r1 - mov r19,r1 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - movw r18,r2 - movw r20,r4 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - st Z,r2 - std Z+1,r3 - std Z+2,r4 - std Z+3,r5 - movw r18,r22 - movw r20,r28 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - andi r28,204 - andi r29,204 - or r28,r21 - or r29,r18 - or r22,r19 - or r23,r20 - movw r18,r28 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r28 - eor r19,r29 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r28,r18 - eor r29,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r28,r18 - eor r29,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r28 - std Z+5,r29 - std Z+6,r22 - std Z+7,r23 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - swap r3 - lsl r4 - adc r4,r1 - lsl r4 - adc r4,r1 - swap r5 - std Z+8,r2 - std Z+9,r3 - std Z+10,r4 - std Z+11,r5 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r28 - adc r28,r1 - lsl r28 - adc r28,r1 - lsl r28 - adc r28,r1 - lsl r29 - adc r29,r1 - lsl r29 - adc r29,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r28 - std Z+15,r29 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - movw r18,r2 - movw r20,r4 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - ldi r25,85 - and r2,r25 - and r3,r25 - and r4,r25 - and r5,r25 - or r2,r19 - or r3,r20 - or r4,r21 - or r5,r18 - std Z+16,r4 - std Z+17,r5 - std Z+18,r2 - std Z+19,r3 - movw r18,r22 - movw r20,r28 - andi r18,85 - andi r19,85 - andi r20,85 - andi 
r21,85 - andi r22,170 - andi r23,170 - andi r28,170 - andi r29,170 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - or r22,r18 - or r23,r19 - or r28,r20 - or r29,r21 - std Z+20,r29 - std Z+21,r22 - std Z+22,r23 - std Z+23,r28 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - movw r18,r2 - movw r20,r4 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - movw r18,r2 - movw r20,r4 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r14,r18 - movw r16,r20 - lsr r17 - ror r16 - ror r15 - ror r14 - lsr r17 - ror r16 - ror r15 - ror r14 - lsr r17 - ror r16 - ror r15 - ror r14 - lsr r17 - ror r16 - ror r15 - ror r14 - eor r14,r18 - eor r15,r19 - eor r16,r20 - eor r17,r21 - ldi r25,8 - and r14,r25 - and r15,r25 - andi r16,8 - andi r17,8 - eor r18,r14 - eor r19,r15 - eor r20,r16 - eor r21,r17 - lsl r14 - rol r15 - rol r16 - rol r17 - lsl r14 - rol r15 - rol r16 - rol r17 - lsl r14 - rol r15 - rol r16 - rol r17 - lsl r14 - rol r15 - rol r16 - rol r17 - eor r18,r14 - eor r19,r15 - eor r20,r16 - eor r21,r17 - ldi r17,15 - and r2,r17 - and r3,r17 - and r4,r17 - and r5,r17 - or r2,r18 - or r3,r19 - or r4,r20 - or r5,r21 - std Z+24,r2 - std Z+25,r3 - std Z+26,r4 - std Z+27,r5 - movw r18,r28 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r2,r22 - movw r4,r28 - ldi r16,1 - and r2,r16 - and r3,r16 - and r4,r16 - and r5,r16 - lsl r2 - rol r3 - rol r4 - rol r5 - lsl r2 - rol r3 - rol r4 - 
rol r5 - lsl r2 - rol r3 - rol r4 - rol r5 - or r2,r18 - or r3,r19 - movw r18,r28 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r2,r18 - or r3,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r4,r18 - or r5,r19 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r2,r18 - or r3,r19 - or r4,r20 - or r5,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r4,r22 - or r5,r23 - std Z+28,r2 - std Z+29,r3 - std Z+30,r4 - std Z+31,r5 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - mov r0,r1 - lsr r5 - ror r4 - ror r0 - lsr r5 - ror r4 - ror r0 - lsr r5 - ror r4 - ror r0 - lsr r5 - ror r4 - ror r0 - or r5,r0 - std Z+32,r3 - std Z+33,r2 - std Z+34,r4 - std Z+35,r5 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r28 - mov r28,r29 - mov r29,r0 - lsl r28 - rol r29 - adc r28,r1 - lsl r28 - rol r29 - adc r28,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r28 - std Z+39,r29 - dec r24 - breq 1733f - adiw r30,40 - rjmp 1274b -1733: - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e -.L__stack_usage = 19 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld 
r13,X+ - ld r12,X+ - movw r26,r30 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rjmp 765f -27: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror 
r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - 
ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 
- and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - 
mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov 
r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -765: -#if defined(RAMPZ) 
- pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+1 - ldd r27,Y+2 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - pop r0 - pop r0 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e -.L__stack_usage = 19 - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - movw r26,r30 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rjmp 765f -27: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov 
r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z 
-#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld 
r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - 
ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - 
eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -765: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+1 - ldd r27,Y+2 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - pop r0 - pop r0 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e -.L__stack_usage = 19 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld 
r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - movw r26,r30 - subi r26,192 - sbci r27,254 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,160 - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rjmp 768f -30: - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - mov r0,r12 - mov r12,r13 - mov r13,r14 - mov r14,r15 - mov r15,r0 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 
- eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r1 - lsr r22 - ror r0 - lsr r22 - ror r0 - or r22,r0 - mov r0,r1 - lsr r23 - ror r0 - lsr r23 - ror r0 - or r23,r0 - mov r0,r1 - lsr r2 - ror r0 - lsr r2 - ror r0 - or r2,r0 - mov r0,r1 - lsr r3 - ror r0 - lsr r3 - ror r0 - or r3,r0 - swap r4 - swap r5 - swap r6 - swap r7 - lsl r8 - adc r8,r1 - lsl r8 - adc r8,r1 - lsl r9 - adc r9,r1 - lsl r9 - adc r9,r1 - lsl r10 - adc r10,r1 - lsl r10 - adc r10,r1 - lsl r11 - adc r11,r1 - lsl r11 - adc r11,r1 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - com r22 - 
com r23 - com r2 - com r3 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - 
rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor 
r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - com r22 - com r23 - com r2 - com r3 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z 
-#else - lpm - mov r18,r0 -#endif - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,119 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r15 - ror r14 - ror r13 - ror r12 - lsr r15 - ror r14 - ror r13 - ror r12 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,17 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor 
r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -768: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+1 - ldd r27,Y+2 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - pop r0 - pop r0 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128b-small-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128b-small-avr.S deleted file mode 100644 index 77ef9fd..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128b-small-avr.S +++ /dev/null 
@@ -1,6053 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - -#include "internal-gift128-config.h" - -#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 160 -table_0: - .byte 8 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 128 - .byte 1 - .byte 128 - .byte 2 - .byte 0 - .byte 0 - .byte 84 - .byte 129 - .byte 1 - .byte 1 - .byte 1 - .byte 31 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 136 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 81 - .byte 128 - .byte 1 - .byte 3 - .byte 3 - .byte 47 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 96 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 65 - .byte 128 - .byte 0 - .byte 3 - .byte 3 - .byte 39 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 64 - .byte 2 - .byte 0 - .byte 80 - .byte 17 - .byte 128 - .byte 1 - .byte 2 - .byte 3 - .byte 43 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 8 - .byte 8 - .byte 16 - .byte 0 - .byte 64 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 64 - .byte 1 - .byte 128 - .byte 0 - .byte 2 - .byte 2 - .byte 33 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 192 - .byte 1 - .byte 0 - .byte 2 - .byte 0 - .byte 0 - .byte 81 - .byte 128 - .byte 1 - .byte 1 - .byte 3 - .byte 46 - .byte 0 - .byte 0 - .byte 128 - .byte 0 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 32 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 64 - .byte 128 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 0 - .byte 0 - .byte 128 - .byte 8 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 160 - .byte 1 - .byte 192 - .byte 2 - .byte 0 - .byte 80 - .byte 20 - .byte 129 - .byte 1 - .byte 2 - .byte 1 - .byte 26 - .byte 0 - .byte 0 - .byte 128 - 
- .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - movw r30,r24 - movw r26,r22 -.L__stack_usage = 16 - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - ldi r24,4 -33: - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - mov r0,r22 - mov r22,r4 - mov r4,r0 - mov r0,r23 - mov r23,r5 - mov r5,r0 - mov r0,r2 - mov r2,r6 - mov r6,r0 - mov r0,r3 - mov r3,r7 - mov r7,r0 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - mov r0,r10 - mov r10,r14 - mov r14,r0 - mov r0,r11 - mov r11,r15 - mov r15,r0 - dec r24 - breq 5115f - rjmp 33b -5115: - subi r30,80 - sbc r31,r1 - ldi r24,2 -119: - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 
- mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - st Z,r3 - std Z+1,r23 - std Z+2,r2 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 
- ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+4,r3 - std Z+5,r23 - std Z+6,r2 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 
- mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+8,r3 - std Z+9,r23 - std Z+10,r2 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 
- lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+12,r3 - std Z+13,r23 - std Z+14,r2 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol 
r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r3 - std Z+17,r23 - std Z+18,r2 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+20,r3 - std Z+21,r23 - std Z+22,r2 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - 
eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+24,r3 - std Z+25,r23 - std Z+26,r2 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r2,Z+30 - ldd r3,Z+31 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 
- rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+28,r3 - std Z+29,r23 - std Z+30,r2 - std Z+31,r22 - dec r24 - breq 1268f - adiw r30,40 - rjmp 119b -1268: - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in 
r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ldi r24,20 -1: - ld r22,Z+ - ld r23,Z+ - ld r2,Z+ - ld r3,Z+ - std Y+1,r22 - std Y+2,r23 - std Y+3,r2 - std Y+4,r3 - adiw r28,4 - dec r24 - brne 1b - subi r28,80 - sbc r29,r1 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out 
_SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 73f - rcall 73f - rjmp 1285f -73: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 
- andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov 
r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - 
and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov 
r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - 
eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - 
eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -811: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc r26,r1 - lsl r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc 
r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - 
lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -1285: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc 
r29,r1 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ldi r24,20 -1: - ld r22,Z+ - ld r23,Z+ - ld r2,Z+ - ld r3,Z+ - std Y+1,r22 - std Y+2,r23 - std Y+3,r2 - std Y+4,r3 - adiw r28,4 - dec r24 - brne 1b - subi r28,80 - sbc r29,r1 - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if 
defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 73f - rcall 73f - rjmp 1285f -73: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and 
r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - 
eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif 
defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor 
r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - 
lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - 
ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -811: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and 
r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc r26,r1 - lsl r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw 
r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or 
r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -1285: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc r29,r1 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_1, @object - .size table_1, 40 -table_1: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - 
.byte 26 - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor 
r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - 
mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw 
r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - 
mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r17,hh8(table_1) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -678: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 
- adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - cpse r16,r1 - rjmp 678b - rjmp 1175f -830: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 
- bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw 
r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -1175: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128b-tiny-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128b-tiny-avr.S deleted file mode 100644 index e7a03f1..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-gift128b-tiny-avr.S +++ /dev/null 
@@ -1,6766 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - -#include "internal-gift128-config.h" - -#if GIFT128_VARIANT == GIFT128_VARIANT_TINY - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 160 -table_0: - .byte 8 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 128 - .byte 1 - .byte 128 - .byte 2 - .byte 0 - .byte 0 - .byte 84 - .byte 129 - .byte 1 - .byte 1 - .byte 1 - .byte 31 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 136 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 81 - .byte 128 - .byte 1 - .byte 3 - .byte 3 - .byte 47 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 96 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 65 - .byte 128 - .byte 0 - .byte 3 - .byte 3 - .byte 39 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 64 - .byte 2 - .byte 0 - .byte 80 - .byte 17 - .byte 128 - .byte 1 - .byte 2 - .byte 3 - .byte 43 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 8 - .byte 8 - .byte 16 - .byte 0 - .byte 64 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 64 - .byte 1 - .byte 128 - .byte 0 - .byte 2 - .byte 2 - .byte 33 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 192 - .byte 1 - .byte 0 - .byte 2 - .byte 0 - .byte 0 - .byte 81 - .byte 128 - .byte 1 - .byte 1 - .byte 3 - .byte 46 - .byte 0 - .byte 0 - .byte 128 - .byte 0 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 32 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 64 - .byte 128 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 0 - .byte 0 - .byte 128 - .byte 8 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 160 - .byte 1 - .byte 192 - .byte 2 - .byte 0 - .byte 80 - .byte 20 - .byte 129 - .byte 1 - .byte 2 - .byte 1 - .byte 26 - .byte 0 - .byte 0 - .byte 128 - 
- .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - movw r30,r24 - movw r26,r22 -.L__stack_usage = 16 - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - st Z,r22 - std Z+1,r23 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - movw r30,r28 - adiw r30,1 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - ldi r24,4 -35: - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - 
lsr r3 - ror r2 - ror r0 - or r3,r0 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - mov r0,r22 - mov r22,r4 - mov r4,r0 - mov r0,r23 - mov r23,r5 - mov r5,r0 - mov r0,r2 - mov r2,r6 - mov r6,r0 - mov r0,r3 - mov r3,r7 - mov r7,r0 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - mov r0,r10 - mov r10,r14 - mov r14,r0 - mov r0,r11 - mov r11,r15 - mov r15,r0 - dec r24 - breq 5117f - rjmp 35b -5117: - subi r30,80 - sbc r31,r1 - ldi r24,2 -121: - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 
- lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - st Z,r3 - std Z+1,r23 - std Z+2,r2 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor 
r2,r20 - eor r3,r21 - std Z+4,r3 - std Z+5,r23 - std Z+6,r2 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+8,r3 - std Z+9,r23 - std Z+10,r2 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - movw r18,r22 - 
movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+12,r3 - std Z+13,r23 - std Z+14,r2 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - 
andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r3 - std Z+17,r23 - std Z+18,r2 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor 
r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+20,r3 - std Z+21,r23 - std Z+22,r2 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor 
r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+24,r3 - std Z+25,r23 - std Z+26,r2 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r2,Z+30 - ldd r3,Z+31 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 
- ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+28,r3 - std Z+29,r23 - std Z+30,r2 - std Z+31,r22 - dec r24 - breq 1270f - adiw r30,40 - rjmp 121b -1270: - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in 
r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 1329f - rcall 1329f - rjmp 2541f -1329: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - 
ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 
- com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov 
r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - 
lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - 
elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if 
defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -2067: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc r26,r1 - lsl 
r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - 
ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 - rol r3 - 
adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -2541: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc r29,r1 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - movw r30,r28 - adiw r30,1 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - ldi r24,4 -35: - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r3 - 
ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - mov r0,r22 - mov r22,r4 - mov r4,r0 - mov r0,r23 - mov r23,r5 - mov r5,r0 - mov r0,r2 - mov r2,r6 - mov r6,r0 - mov r0,r3 - mov r3,r7 - mov r7,r0 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - mov r0,r10 - mov r10,r14 - mov r14,r0 - mov r0,r11 - mov r11,r15 - mov r15,r0 - dec r24 - breq 5117f - rjmp 35b -5117: - subi r30,80 - sbc r31,r1 - ldi r24,2 -121: - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov 
r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - st Z,r3 - std Z+1,r23 - std Z+2,r2 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - 
eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+4,r3 - std Z+5,r23 - std Z+6,r2 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+8,r3 - std Z+9,r23 - std Z+10,r2 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - 
movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+12,r3 - std Z+13,r23 - std Z+14,r2 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - 
andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r3 - std Z+17,r23 - std Z+18,r2 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor 
r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+20,r3 - std Z+21,r23 - std Z+22,r2 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor 
r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+24,r3 - std Z+25,r23 - std Z+26,r2 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r2,Z+30 - ldd r3,Z+31 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror 
r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+28,r3 - std Z+29,r23 - std Z+30,r2 - std Z+31,r22 - dec r24 - breq 1270f - adiw r30,40 - rjmp 121b -1270: - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - 
in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 1329f - rcall 1329f - rjmp 2541f -1329: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 
- ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor 
r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - 
mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z 
-#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if 
defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - 
inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -2067: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc 
r26,r1 - lsl r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 
- lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 
- rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -2541: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc r29,r1 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_1, @object - .size table_1, 40 -table_1: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - .byte 26 - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld 
r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r17,hh8(table_1) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -114: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 
- ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - cpse r16,r1 - rjmp 114b - rjmp 611f -266: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst 
r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 - bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst 
r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -611: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif - -#endif 
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-util.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/sundae-gift.c b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/sundae-gift.c
deleted file mode 100644
index d192b8e..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/sundae-gift.c
+++ /dev/null
@@ -1,356 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "sundae-gift.h" -#include "internal-gift128.h" -#include "internal-util.h" -#include - -aead_cipher_t const sundae_gift_0_cipher = { - "SUNDAE-GIFT-0", - SUNDAE_GIFT_KEY_SIZE, - SUNDAE_GIFT_0_NONCE_SIZE, - SUNDAE_GIFT_TAG_SIZE, - AEAD_FLAG_NONE, - sundae_gift_0_aead_encrypt, - sundae_gift_0_aead_decrypt -}; - -aead_cipher_t const sundae_gift_64_cipher = { - "SUNDAE-GIFT-64", - SUNDAE_GIFT_KEY_SIZE, - SUNDAE_GIFT_64_NONCE_SIZE, - SUNDAE_GIFT_TAG_SIZE, - AEAD_FLAG_NONE, - sundae_gift_64_aead_encrypt, - sundae_gift_64_aead_decrypt -}; - -aead_cipher_t const sundae_gift_96_cipher = { - "SUNDAE-GIFT-96", - SUNDAE_GIFT_KEY_SIZE, - SUNDAE_GIFT_96_NONCE_SIZE, - SUNDAE_GIFT_TAG_SIZE, - AEAD_FLAG_NONE, - sundae_gift_96_aead_encrypt, - sundae_gift_96_aead_decrypt -}; - -aead_cipher_t const sundae_gift_128_cipher = { - "SUNDAE-GIFT-128", - SUNDAE_GIFT_KEY_SIZE, - SUNDAE_GIFT_128_NONCE_SIZE, - SUNDAE_GIFT_TAG_SIZE, - AEAD_FLAG_NONE, - sundae_gift_128_aead_encrypt, - sundae_gift_128_aead_decrypt -}; - -/* Multiply a block value by 2 in the special byte field */ -STATIC_INLINE void sundae_gift_multiply(unsigned char B[16]) -{ - unsigned char B0 = B[0]; - unsigned index; - for (index = 0; index < 15; ++index) - B[index] = B[index + 1]; - B[15] = B0; - B[10] ^= B0; - B[12] ^= B0; - B[14] ^= B0; -} - -/* Compute a MAC over the concatenation of two data buffers */ -static void sundae_gift_aead_mac - (const gift128b_key_schedule_t *ks, unsigned char V[16], - const unsigned char *data1, unsigned data1len, - const unsigned char *data2, unsigned long data2len) -{ - unsigned len; - - /* Nothing to do if the input is empty */ - if (!data1len && !data2len) - return; - - /* Format the first block. 
We assume that data1len <= 16 - * as it is will be the nonce if it is non-zero in length */ - lw_xor_block(V, data1, data1len); - len = 16 - data1len; - if (len > data2len) - len = (unsigned)data2len; - lw_xor_block(V + data1len, data2, len); - data2 += len; - data2len -= len; - len += data1len; - - /* Process as many full blocks as we can, except the last */ - while (data2len > 0) { - gift128b_encrypt(ks, V, V); - len = 16; - if (len > data2len) - len = (unsigned)data2len; - lw_xor_block(V, data2, len); - data2 += len; - data2len -= len; - } - - /* Pad and process the last block */ - if (len < 16) { - V[len] ^= 0x80; - sundae_gift_multiply(V); - gift128b_encrypt(ks, V, V); - } else { - sundae_gift_multiply(V); - sundae_gift_multiply(V); - gift128b_encrypt(ks, V, V); - } -} - -static int sundae_gift_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, unsigned npublen, - const unsigned char *k, unsigned char domainsep) -{ - gift128b_key_schedule_t ks; - unsigned char V[16]; - unsigned char T[16]; - unsigned char P[16]; - - /* Compute the length of the output ciphertext */ - *clen = mlen + SUNDAE_GIFT_TAG_SIZE; - - /* Set the key schedule */ - gift128b_init(&ks, k); - - /* Format and encrypt the initial domain separation block */ - if (adlen > 0) - domainsep |= 0x80; - if (mlen > 0) - domainsep |= 0x40; - V[0] = domainsep; - memset(V + 1, 0, sizeof(V) - 1); - gift128b_encrypt(&ks, T, V); - - /* Authenticate the nonce and the associated data */ - sundae_gift_aead_mac(&ks, T, npub, npublen, ad, adlen); - - /* Authenticate the plaintext */ - sundae_gift_aead_mac(&ks, T, 0, 0, m, mlen); - - /* Encrypt the plaintext to produce the ciphertext. We need to be - * careful how we manage the data because we could be doing in-place - * encryption. 
In SUNDAE-GIFT, the first 16 bytes of the ciphertext - * is the tag rather than the last 16 bytes in other algorithms. - * We need to swap the plaintext for the current block with the - * ciphertext or tag from the previous block */ - memcpy(V, T, 16); - while (mlen >= 16) { - gift128b_encrypt(&ks, V, V); - lw_xor_block_2_src(P, V, m, 16); - memcpy(c, T, 16); - memcpy(T, P, 16); - c += 16; - m += 16; - mlen -= 16; - } - if (mlen > 0) { - unsigned leftover = (unsigned)mlen; - gift128b_encrypt(&ks, V, V); - lw_xor_block(V, m, leftover); - memcpy(c, T, 16); - memcpy(c + 16, V, leftover); - } else { - memcpy(c, T, 16); - } - return 0; -} - -static int sundae_gift_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, unsigned npublen, - const unsigned char *k, unsigned char domainsep) -{ - gift128b_key_schedule_t ks; - unsigned char V[16]; - unsigned char T[16]; - unsigned char *mtemp; - unsigned long len; - - /* Bail out if the ciphertext is too short */ - if (clen < SUNDAE_GIFT_TAG_SIZE) - return -1; - len = *mlen = clen - SUNDAE_GIFT_TAG_SIZE; - - /* Set the key schedule */ - gift128b_init(&ks, k); - - /* Decrypt the ciphertext to produce the plaintext, using the - * tag as the initialization vector for the decryption process */ - memcpy(T, c, SUNDAE_GIFT_TAG_SIZE); - c += SUNDAE_GIFT_TAG_SIZE; - mtemp = m; - memcpy(V, T, 16); - while (len >= 16) { - gift128b_encrypt(&ks, V, V); - lw_xor_block_2_src(mtemp, c, V, 16); - c += 16; - mtemp += 16; - len -= 16; - } - if (len > 0) { - gift128b_encrypt(&ks, V, V); - lw_xor_block_2_src(mtemp, c, V, (unsigned)len); - } - - /* Format and encrypt the initial domain separation block */ - if (adlen > 0) - domainsep |= 0x80; - if (clen > SUNDAE_GIFT_TAG_SIZE) - domainsep |= 0x40; - V[0] = domainsep; - memset(V + 1, 0, sizeof(V) - 1); - gift128b_encrypt(&ks, V, V); - - /* Authenticate the nonce 
and the associated data */ - sundae_gift_aead_mac(&ks, V, npub, npublen, ad, adlen); - - /* Authenticate the plaintext */ - sundae_gift_aead_mac(&ks, V, 0, 0, m, *mlen); - - /* Check the authentication tag */ - return aead_check_tag(m, *mlen, T, V, 16); -} - -int sundae_gift_0_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - (void)npub; - return sundae_gift_aead_encrypt - (c, clen, m, mlen, ad, adlen, 0, 0, k, 0x00); -} - -int sundae_gift_0_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - (void)npub; - return sundae_gift_aead_decrypt - (m, mlen, c, clen, ad, adlen, 0, 0, k, 0x00); -} - -int sundae_gift_64_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - return sundae_gift_aead_encrypt - (c, clen, m, mlen, ad, adlen, - npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90); -} - -int sundae_gift_64_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - return sundae_gift_aead_decrypt - (m, mlen, c, clen, ad, adlen, - npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90); -} - -int sundae_gift_96_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long 
adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - return sundae_gift_aead_encrypt - (c, clen, m, mlen, ad, adlen, - npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0); -} - -int sundae_gift_96_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - return sundae_gift_aead_decrypt - (m, mlen, c, clen, ad, adlen, - npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0); -} - -int sundae_gift_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - return sundae_gift_aead_encrypt - (c, clen, m, mlen, ad, adlen, - npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0); -} - -int sundae_gift_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - (void)nsec; - return sundae_gift_aead_decrypt - (m, mlen, c, clen, ad, adlen, - npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0); -} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/sundae-gift.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/sundae-gift.h deleted file mode 100644 index 9040dd5..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys-avr/sundae-gift.h +++ /dev/null 
@@ -1,341 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SUNDAE_GIFT_H -#define LWCRYPTO_SUNDAE_GIFT_H - -#include "aead-common.h" - -/** - * \file sundae-gift.h - * \brief SUNDAE-GIFT encryption algorithm family. - * - * The SUNDAE-GIFT family consists of several related algorithms: - * - * \li SUNDAE-GIFT-0 with a 128-bit key, a 0-bit nonce, and 128-bit tag. - * \li SUNDAE-GIFT-64 with a 128-bit key, a 64-bit nonce, and 128-bit tag. - * \li SUNDAE-GIFT-96 with a 128-bit key, a 96-bit nonce, and 128-bit tag. - * This is the primary member of the family. - * \li SUNDAE-GIFT-128 with a 128-bit key, a 128-bit nonce, and 128-bit tag. - * - * SUNDAE-GIFT is resistant against nonce reuse as long as the combination - * of the associated data and plaintext is unique. 
- * - * If a nonce is reused (or there is no nonce in the case of SUNDAE-GIFT-0), - * then two packets with the same associated data and plaintext will encrypt - * to the same ciphertext. This will leak that the same plaintext has been - * sent for a second time but will not reveal the plaintext itself. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for all SUNDAE-GIFT family members. - */ -#define SUNDAE_GIFT_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for all SUNDAE-GIFT family members. - */ -#define SUNDAE_GIFT_TAG_SIZE 16 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-0. - */ -#define SUNDAE_GIFT_0_NONCE_SIZE 0 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-64. - */ -#define SUNDAE_GIFT_64_NONCE_SIZE 8 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-96. - */ -#define SUNDAE_GIFT_96_NONCE_SIZE 12 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-128. - */ -#define SUNDAE_GIFT_128_NONCE_SIZE 16 - -/** - * \brief Meta-information block for the SUNDAE-GIFT-0 cipher. - */ -extern aead_cipher_t const sundae_gift_0_cipher; - -/** - * \brief Meta-information block for the SUNDAE-GIFT-64 cipher. - */ -extern aead_cipher_t const sundae_gift_64_cipher; - -/** - * \brief Meta-information block for the SUNDAE-GIFT-96 cipher. - */ -extern aead_cipher_t const sundae_gift_96_cipher; - -/** - * \brief Meta-information block for the SUNDAE-GIFT-128 cipher. - */ -extern aead_cipher_t const sundae_gift_128_cipher; - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-0. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce - not used by this algorithm. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa sundae_gift_0_aead_decrypt() - */ -int sundae_gift_0_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-0. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce - not used by this algorithm. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa sundae_gift_0_aead_encrypt() - */ -int sundae_gift_0_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-64. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa sundae_gift_64_aead_decrypt() - */ -int sundae_gift_64_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-64. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa sundae_gift_64_aead_encrypt() - */ -int sundae_gift_64_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-96. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa sundae_gift_96_aead_decrypt() - */ -int sundae_gift_96_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-96. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa sundae_gift_96_aead_encrypt() - */ -int sundae_gift_96_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa sundae_gift_128_aead_decrypt() - */ -int sundae_gift_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-12896. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa sundae_gift_128_aead_encrypt() - */ -int sundae_gift_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128-config.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128-config.h new file mode 100644 index 0000000..62131ba --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128-config.h 
@@ -0,0 +1,80 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_GIFT128_CONFIG_H +#define LW_INTERNAL_GIFT128_CONFIG_H + +/** + * \file internal-gift128-config.h + * \brief Configures the variant of GIFT-128 to use. + */ + +/** + * \brief Select the full variant of GIFT-128. + * + * The full variant requires 320 bytes for the key schedule and uses the + * fixslicing method to implement encryption and decryption. + */ +#define GIFT128_VARIANT_FULL 0 + +/** + * \brief Select the small variant of GIFT-128. + * + * The small variant requires 80 bytes for the key schedule. The rest + * of the key schedule is expanded on the fly during encryption. + * + * The fixslicing method is used to implement encryption and the slower + * bitslicing method is used to implement decryption. 
The small variant + * is suitable when memory is at a premium, decryption is not needed, + * but encryption performance is still important. + */ +#define GIFT128_VARIANT_SMALL 1 + +/** + * \brief Select the tiny variant of GIFT-128. + * + * The tiny variant requires 16 bytes for the key schedule and uses the + * bitslicing method to implement encryption and decryption. It is suitable + * for use when memory is very tight and performance is not critical. + */ +#define GIFT128_VARIANT_TINY 2 + +/** + * \def GIFT128_VARIANT + * \brief Selects the default variant of GIFT-128 to use on this platform. + */ +/** + * \def GIFT128_VARIANT_ASM + * \brief Defined to 1 if the GIFT-128 implementation has been replaced + * with an assembly code version. + */ +#if defined(__AVR__) && !defined(GIFT128_VARIANT_ASM) +#define GIFT128_VARIANT_ASM 1 +#endif +#if !defined(GIFT128_VARIANT) +#define GIFT128_VARIANT GIFT128_VARIANT_FULL +#endif +#if !defined(GIFT128_VARIANT_ASM) +#define GIFT128_VARIANT_ASM 0 +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.c b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.c index 681dbc8..c6ac5ec 100644 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.c +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.c @@ -23,8 +23,12 @@ #include "internal-gift128.h" #include "internal-util.h" +#if !GIFT128_VARIANT_ASM + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /* Round constants for GIFT-128 in the fixsliced representation */ -static uint32_t const GIFT128_RC[40] = { +static uint32_t const GIFT128_RC_fixsliced[40] = { 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, 
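Review bot: A user-supplied GIFT128_VARIANT with a value other than 0, 1 or 2 is accepted silently, because the `#if !defined(GIFT128_VARIANT)` default near the end of this header is the only check; the `#if GIFT128_VARIANT != GIFT128_VARIANT_FULL` and `!= GIFT128_VARIANT_TINY` guards in internal-gift128.c would then compile a mixture of sections that matches no variant. A guard placed after the defaults fails the build early instead: `#if GIFT128_VARIANT != GIFT128_VARIANT_FULL && GIFT128_VARIANT != GIFT128_VARIANT_SMALL && GIFT128_VARIANT != GIFT128_VARIANT_TINY` / `#error "GIFT128_VARIANT must be GIFT128_VARIANT_FULL, _SMALL or _TINY"` / `#endif`. The GIFT128_VARIANT_ASM doc block could also say that defining it to 0 before including this header forces the C implementation on AVR, since the `defined(__AVR__) && !defined(GIFT128_VARIANT_ASM)` condition permits exactly that.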
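Review bot: The old identifier GIFT128_RC is renamed to GIFT128_RC_fixsliced here, but the following hunk (@@ -34,6 +38,246 @@) reuses the bare name GIFT128_RC for a different table, the uint8_t bitsliced constants, so anyone searching for the old name lands on a table of a different type and meaning. Naming the new table `static uint8_t const GIFT128_RC_bitsliced[40]` to parallel the fixsliced one keeps the two round-constant tables distinguishable. Both tables are already under variant-specific #if guards, so the rename would not change which one is compiled.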
@@ -34,6 +38,246 @@ static uint32_t const GIFT128_RC[40] = { 0xc001a000, 0x14500002, 0x01020181, 0x8000001a }; +#endif + +#if GIFT128_VARIANT != GIFT128_VARIANT_FULL + +/* Round constants for GIFT-128 in the bitsliced representation */ +static uint8_t const GIFT128_RC[40] = { + 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, + 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, + 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, + 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38, + 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A +}; + +#endif + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/* + * The permutation below was generated by the online permuation generator at + * "http://programming.sirrida.de/calcperm.php". + * + * All of the permutuations are essentially the same, except that each is + * rotated by 8 bits with respect to the next: + * + * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15 + * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23 + * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31 + * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7 + * + * The most efficient permutation from the online generator was P3, so we + * perform it as the core of the others, and then perform a final rotation. + * + * It is possible to do slightly better than "P3 then rotate" on desktop and + * server architectures for the other permutations. But the advantage isn't + * as evident on embedded platforms so we keep things simple. 
+ */ +#define PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define PERM0(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate8(_x); \ + } while (0) +#define PERM1(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate16(_x); \ + } while (0) +#define PERM2(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate24(_x); \ + } while (0) +#define PERM3(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +#define INV_PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x00550055, 9); \ + bit_permute_step(x, 0x00003333, 18); \ + bit_permute_step(x, 0x000f000f, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define INV_PERM0(x) \ + do { \ + uint32_t _x = rightRotate8(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM1(x) \ + do { \ + uint32_t _x = rightRotate16(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM2(x) \ + do { \ + uint32_t _x = rightRotate24(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM3(x) \ + do { \ + uint32_t _x = (x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. 
+ */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /** * \brief Swaps bits within two words. * 
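Review bot: PERM_WORDS and INV_PERM_WORDS are #defined inside the bodies of gift128n_to_words() and gift128n_to_nibbles() and never #undef'd, so they stay visible for the rest of the translation unit; adding `#undef PERM_WORDS` after the four PERM_WORDS() calls and `#undef INV_PERM_WORDS` after the INV_PERM_WORDS() calls keeps them local to the functions that document them. gift128n_encrypt() and gift128n_decrypt() pass a gift128n_key_schedule_t pointer straight to gift128b_encrypt()/gift128b_decrypt(), which are declared on gift128b_key_schedule_t; that is only warning-free if the header makes the two the same type, which this hunk does not show, so worth confirming. The comment block above PERM3_INNER has two typos, "permuation" and "permutuations".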
@@ -202,21 +446,27 @@ static void gift128b_compute_round_keys /* Keys 8, 9, 18, and 19 do not need any adjustment */ } +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL /* Derive the fixsliced keys for the remaining rounds 11..40 */ for (index = 20; index < 80; index += 10) { gift128b_derive_keys(ks->k + index, ks->k + index - 20); } +#endif } -int gift128b_init - (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) { - if (!ks || !key || key_len != 16) - return 0; gift128b_compute_round_keys (ks, be_load_word32(key), be_load_word32(key + 4), be_load_word32(key + 8), be_load_word32(key + 12)); - return 1; +} + +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian key byte order from the HYENA submission */ + gift128b_compute_round_keys + (ks, le_load_word32(key + 12), le_load_word32(key + 8), + le_load_word32(key + 4), le_load_word32(key)); } /** 
@@ -521,11 +771,37 @@ int gift128b_init gift128b_inv_sbox(s3, s1, s2, s0); \ } while (0) +#else /* GIFT128_VARIANT_TINY */ + +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) +{ + /* Mirror the fixslicing word order of 3, 1, 2, 0 */ + ks->k[0] = be_load_word32(key + 12); + ks->k[1] = be_load_word32(key + 4); + ks->k[2] = be_load_word32(key + 8); + ks->k[3] = be_load_word32(key); +} + +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian key byte order from the HYENA submission + * and mirror the fixslicing word order of 3, 1, 2, 0 */ + ks->k[0] = le_load_word32(key); + ks->k[1] = le_load_word32(key + 8); + ks->k[2] = le_load_word32(key + 4); + ks->k[3] = le_load_word32(key + 12); +} + +#endif /* GIFT128_VARIANT_TINY */ + +#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL + void gift128b_encrypt (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { uint32_t s0, s1, s2, s3; + uint32_t k[20]; /* Copy the plaintext into the state buffer and convert from big endian */ s0 = be_load_word32(input); 
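Review bot: The two preprocessor ladders in this file disagree on their fall-through case, so an unrecognised or unset GIFT128_VARIANT compiles a mismatched pair: the `#if GIFT128_VARIANT != GIFT128_VARIANT_TINY` branch above supplies the fixsliced `gift128b_init`, while the `#if … == GIFT128_VARIANT_SMALL` / `#elif … == GIFT128_VARIANT_FULL` / `#else /* GIFT128_VARIANT_TINY */` ladder that opens at the end of this hunk selects the TINY encrypt, which reads `ks->k[0..3]` as raw key words and would produce wrong ciphertext with no diagnostic. Unless internal-gift128-config.h already rejects unknown values (not visible in this diff), guard the selection once near the top of the file: `#if GIFT128_VARIANT != GIFT128_VARIANT_TINY && GIFT128_VARIANT != GIFT128_VARIANT_SMALL && GIFT128_VARIANT != GIFT128_VARIANT_FULL`, `#error "GIFT128_VARIANT must be GIFT128_VARIANT_TINY, _SMALL or _FULL"`, `#endif`. The SMALL `gift128b_encrypt` whose first lines appear here continues in the next hunk.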
@@ -534,14 +810,20 @@ void gift128b_encrypt s3 = be_load_word32(input + 12); /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); /* Pack the state into the ciphertext buffer in big endian */ be_store_word32(output, s0); @@ -555,6 +837,7 @@ void gift128b_encrypt_preloaded const uint32_t input[4]) { uint32_t s0, s1, s2, s3; + uint32_t k[20]; /* Copy the plaintext into local variables */ s0 = input[0]; 
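Review bot: `gift128b_derive_keys(k, k)` and `gift128b_derive_keys(k + 10, k + 10)` run the derivation in place, but the only pre-existing caller (`gift128b_derive_keys(ks->k + index, ks->k + index - 20)` in the FULL key schedule) uses disjoint buffers, and the helper's body is outside this hunk, so whether it tolerates `next == prev` cannot be confirmed from the diff. The in-place calls are only correct if every `next[i]` is computed from `prev` words that have not yet been overwritten; that contract should be stated on the helper, e.g. `/* next and prev may be the same buffer: next[i] depends only on prev[i] */`, or, if it does not hold, the code should alternate between `k` and a second 20-word buffer. The function's signature and its first three loads sit in the previous hunk.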
@@ -563,14 +846,20 @@ void gift128b_encrypt_preloaded s3 = input[3]; /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); /* Pack the state into the ciphertext buffer */ output[0] = s0; 
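Review bot: The derived round keys in the new `k[20]` are left in dead stack memory when gift128b_encrypt_preloaded returns, and the same applies to the other two SMALL entry points that use the same buffer. Unlike the FULL variant, which only reads the caller-owned `ks->k`, this copies key-equivalent material out of the schedule; the key update is invertible (the decrypt path later in this diff rotates it backwards), so these words are as sensitive as the master key. If memory disclosure after return is in the library's threat model, clear the buffer before the final stores, bearing in mind that a trailing `memset(k, 0, sizeof(k));` is a dead store the compiler may drop, so a volatile or explicit-clear helper is needed; if leaving it is an accepted trade-off on the target MCUs, a one-line comment saying so would stop the next reader re-raising it. The function's signature is in the previous hunk.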
@@ -579,7 +868,55 @@ void gift128b_encrypt_preloaded output[3] = s3; } -void gift128b_decrypt +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint32_t tweak) +{ + uint32_t s0, s1, s2, s3; + uint32_t k[20]; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL + +void gift128b_encrypt (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { 
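Review bot: The `tweak` argument of gift128t_encrypt has silently changed meaning — the removed version (deleted lines later in this diff) took a 4-bit index as `unsigned char tweak` and looked it up in `GIFT128_tweaks[tweak]`, while the new one expects the already-expanded 32-bit word — yet the parameter keeps its name and an integer type, so an existing caller passing `1` still compiles and now XORs `0x00000001` into `s0` instead of `0xe1e1e1e1`, computing a non-standard TweGIFT-128 with no error. Every caller of gift128t_encrypt/gift128t_decrypt should be audited in this same change, and the expectation should be visible at the definition, e.g. `/* tweak must be one of GIFT128T_TWEAK_0..15, not the raw 0..15 index */` above the function. The FULL `gift128b_encrypt` that opens at the end of this hunk continues in the next one.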
@@ -592,14 +929,14 @@ void gift128b_decrypt s3 = be_load_word32(input + 12); /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); /* Pack the state into the ciphertext buffer in big endian */ be_store_word32(output, s0); 
@@ -608,173 +945,308 @@ void gift128b_decrypt be_store_word32(output + 12, s3); } -int gift128n_init - (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { - /* Use the little-endian key byte order from the HYENA submission */ - if (!ks || !key || key_len != 16) - return 0; - gift128b_compute_round_keys - (ks, le_load_word32(key + 12), le_load_word32(key + 8), - le_load_word32(key + 4), le_load_word32(key)); - return 1; + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; } -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint32_t tweak) +{ + uint32_t s0, s1, s2, s3; -/** - * \brief Converts the GIFT-128 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. 
- * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift128n_to_words - (unsigned char *output, const unsigned char *input) + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +#else /* GIFT128_VARIANT_TINY */ + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input buffer into 32-bit words. We use the nibble order - * from the HYENA submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 12); - s1 = le_load_word32(input + 8); - s2 = le_load_word32(input + 4); - s3 = le_load_word32(input); + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". - */ - #define PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - PERM_WORDS(s0); - PERM_WORDS(s1); - PERM_WORDS(s2); - PERM_WORDS(s3); + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Rearrange the bytes and write them to the output buffer */ - output[0] = (uint8_t)s0; - output[1] = 
(uint8_t)s1; - output[2] = (uint8_t)s2; - output[3] = (uint8_t)s3; - output[4] = (uint8_t)(s0 >> 8); - output[5] = (uint8_t)(s1 >> 8); - output[6] = (uint8_t)(s2 >> 8); - output[7] = (uint8_t)(s3 >> 8); - output[8] = (uint8_t)(s0 >> 16); - output[9] = (uint8_t)(s1 >> 16); - output[10] = (uint8_t)(s2 >> 16); - output[11] = (uint8_t)(s3 >> 16); - output[12] = (uint8_t)(s0 >> 24); - output[13] = (uint8_t)(s1 >> 24); - output[14] = (uint8_t)(s2 >> 24); - output[15] = (uint8_t)(s3 >> 24); + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); } -/** - * \brief Converts the GIFT-128 word-based representation into nibble-based. - * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. - */ -static void gift128n_to_nibbles - (unsigned char *output, const unsigned char *input) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input bytes and rearrange them so that s0 contains the - * most significant nibbles and s3 contains the least significant */ - s0 = (((uint32_t)(input[12])) << 24) | - (((uint32_t)(input[8])) << 16) | - (((uint32_t)(input[4])) << 8) | - ((uint32_t)(input[0])); - s1 = (((uint32_t)(input[13])) << 24) | - (((uint32_t)(input[9])) << 16) | - (((uint32_t)(input[5])) << 8) | - ((uint32_t)(input[1])); - s2 = (((uint32_t)(input[14])) << 24) | - (((uint32_t)(input[10])) << 16) | - (((uint32_t)(input[6])) << 8) | - ((uint32_t)(input[2])); - s3 = (((uint32_t)(input[15])) << 24) | - (((uint32_t)(input[11])) << 16) | - (((uint32_t)(input[7])) << 8) | - ((uint32_t)(input[3])); + /* Copy the plaintext into the state buffer */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; 
+ s3 = input[3]; - /* Apply the inverse of PERM_WORDS() from the function above */ - #define INV_PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - INV_PERM_WORDS(s0); - INV_PERM_WORDS(s1); - INV_PERM_WORDS(s2); - INV_PERM_WORDS(s3); + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Store the result into the output buffer as 32-bit words */ - le_store_word32(output + 12, s0); - le_store_word32(output + 8, s1); - le_store_word32(output + 4, s2); - le_store_word32(output, s3); + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; } -void gift128n_encrypt +void gift128t_encrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) + const unsigned char *input, uint32_t tweak) { + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the plaintext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); - gift128b_encrypt(ks, output, 
output); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* AddTweak - XOR in the tweak every 5 rounds except the last */ + if (((round + 1) % 5) == 0 && round < 39) + s0 ^= tweak; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); gift128n_to_nibbles(output, output); } -void gift128n_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, +#endif /* GIFT128_VARIANT_TINY */ + +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { - gift128n_to_words(output, input); - gift128b_decrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} + uint32_t s0, s1, s2, s3; -/* 4-bit tweak values expanded to 32-bit */ -static uint32_t const GIFT128_tweaks[16] = { - 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333, - 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787, - 0x78787878, 
0x99999999, 0xaaaaaaaa, 0x4b4b4b4b, - 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff -}; + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); -void gift128t_encrypt + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint32_t tweak) { - uint32_t s0, s1, s2, s3, tword; + uint32_t s0, s1, s2, s3; - /* Copy the plaintext into the state buffer and convert from nibbles */ + /* Copy the ciphertext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); s0 = be_load_word32(output); s1 = be_load_word32(output + 4); 
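Review bot: The 40-round loop body — S-box, `PERM0..PERM3`, AddRoundKey and the key-word rotation — is written out verbatim three times in the new TINY branch (gift128b_encrypt, gift128b_encrypt_preloaded, gift128t_encrypt), and the rotation line `w0 = ((temp & 0xFFFC0000U) >> 2) | …` is exactly the kind of expression a future fix would correct in one copy and miss in the others. The file already expresses the fixsliced rounds as macros over the `s0..s3` locals (`gift128b_encrypt_5_rounds`), so the same style fits here: one `gift128b_tiny_round(rc)` macro with the three loops reduced to a call. In gift128t_encrypt the tweak XOR currently sits between AddRoundKey and the key rotation; since the rotation never touches `s0`, moving it after the whole round is behaviour-preserving. The FULL gift128t_decrypt at the end of this hunk continues in the next one.
```c
/* One bit-sliced GIFT-128 round on s0..s3 with key words w0..w3:
 * SubCells, PermBits, AddRoundKey with round constant rc, then the
 * key-schedule update.  Uses the caller's "temp" local. */
#define gift128b_tiny_round(rc) \
    do { \
        s1 ^= s0 & s2; \
        s0 ^= s1 & s3; \
        s2 ^= s0 | s1; \
        s3 ^= s2; \
        s1 ^= s3; \
        s3 ^= 0xFFFFFFFFU; \
        s2 ^= s0 & s1; \
        temp = s0; \
        s0 = s3; \
        s3 = temp; \
        PERM0(s0); \
        PERM1(s1); \
        PERM2(s2); \
        PERM3(s3); \
        s2 ^= w1; \
        s1 ^= w3; \
        s3 ^= 0x80000000U ^ (rc); \
        temp = w3; \
        w3 = w2; \
        w2 = w1; \
        w1 = w0; \
        w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | \
             ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); \
    } while (0)

/* … unchanged: state and key-schedule loads in each entry point … */
    for (round = 0; round < 40; ++round) {
        gift128b_tiny_round(GIFT128_RC[round]);
        /* gift128t_encrypt only: the key update does not touch s0, so the
         * tweak can follow the whole round without changing the result */
        if (((round + 1) % 5) == 0 && round < 39)
            s0 ^= tweak;
    }
```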
@@ -782,25 +1254,24 @@ void gift128t_encrypt s3 = be_load_word32(output + 12); /* Perform all 40 rounds five at a time using the fixsliced method. - * Every 5 rounds except the last we add the tweak value to the state */ - tword = GIFT128_tweaks[tweak]; - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - s0 ^= tword; - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + * Every 5 rounds except the first we add the tweak value to the state */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - /* Pack the state into the ciphertext buffer in nibble form */ + /* Pack the state into the plaintext buffer in nibble form */ be_store_word32(output, s0); be_store_word32(output + 4, s1); be_store_word32(output + 8, s2); 
@@ -808,37 +1279,211 @@ void gift128t_encrypt gift128n_to_nibbles(output, output); } +#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ + +/* The small variant uses fixslicing for encryption, but we need to change + * to bitslicing for decryption because of the difficulty of fast-forwarding + * the fixsliced key schedule to the end. So the tiny variant is used for + * decryption when the small variant is selected. Since the NIST AEAD modes + * for GIFT-128 only use the block encrypt operation, the inefficiencies + * in decryption don't matter all that much */ + +/** + * \def gift128b_load_and_forward_schedule() + * \brief Generate the decryption key at the end of the last round. + * + * To do that, we run the block operation forward to determine the + * final state of the key schedule after the last round: + * + * w0 = ks->k[0]; + * w1 = ks->k[1]; + * w2 = ks->k[2]; + * w3 = ks->k[3]; + * for (round = 0; round < 40; ++round) { + * temp = w3; + * w3 = w2; + * w2 = w1; + * w1 = w0; + * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + * } + * + * We can short-cut all of the above by noticing that we don't need + * to do the word rotations. Every 4 rounds, the rotation alignment + * returns to the original position and each word has been rotated + * by applying the "2 right and 4 left" bit-rotation step to it. + * We then repeat that 10 times for the full 40 rounds. The overall + * effect is to apply a "20 right and 40 left" bit-rotation to every + * word in the key schedule. That is equivalent to "4 right and 8 left" + * on the 16-bit sub-words. 
+ */ +#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL +#define gift128b_load_and_forward_schedule() \ + do { \ + w0 = ks->k[3]; \ + w1 = ks->k[1]; \ + w2 = ks->k[2]; \ + w3 = ks->k[0]; \ + w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ + ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ + w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ + ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \ + w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ + ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ + w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ + ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ + } while (0) +#else +/* The small variant needs to also undo some of the rotations that were + * done to generate the fixsliced version of the key schedule */ +#define gift128b_load_and_forward_schedule() \ + do { \ + w0 = ks->k[3]; \ + w1 = ks->k[1]; \ + w2 = ks->k[2]; \ + w3 = ks->k[0]; \ + gift128b_swap_move(w3, w3, 0x000000FFU, 24); \ + gift128b_swap_move(w3, w3, 0x00003333U, 18); \ + gift128b_swap_move(w3, w3, 0x000F000FU, 12); \ + gift128b_swap_move(w3, w3, 0x00550055U, 9); \ + gift128b_swap_move(w1, w1, 0x000000FFU, 24); \ + gift128b_swap_move(w1, w1, 0x00003333U, 18); \ + gift128b_swap_move(w1, w1, 0x000F000FU, 12); \ + gift128b_swap_move(w1, w1, 0x00550055U, 9); \ + gift128b_swap_move(w2, w2, 0x000000FFU, 24); \ + gift128b_swap_move(w2, w2, 0x000F000FU, 12); \ + gift128b_swap_move(w2, w2, 0x03030303U, 6); \ + gift128b_swap_move(w2, w2, 0x11111111U, 3); \ + gift128b_swap_move(w0, w0, 0x000000FFU, 24); \ + gift128b_swap_move(w0, w0, 0x000F000FU, 12); \ + gift128b_swap_move(w0, w0, 0x03030303U, 6); \ + gift128b_swap_move(w0, w0, 0x11111111U, 3); \ + w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ + ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ + w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ + ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 
8); \ + w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ + ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ + w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ + ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ + } while (0) +#endif + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the ciphertext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Generate the decryption key at the end of the last round */ + gift128b_load_and_forward_schedule(); + + /* Perform all 40 rounds */ + for (round = 40; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; + + /* InvPermBits - apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp = s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } + + /* Pack the state into the plaintext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint32_t tweak) { - uint32_t s0, s1, s2, s3, 
tword; + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Copy the ciphertext into the state buffer and convert from nibbles */ + /* Copy the plaintext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); s0 = be_load_word32(output); s1 = be_load_word32(output + 4); s2 = be_load_word32(output + 8); s3 = be_load_word32(output + 12); - /* Perform all 40 rounds five at a time using the fixsliced method. - * Every 5 rounds except the first we add the tweak value to the state */ - tword = GIFT128_tweaks[tweak]; - gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + /* Generate the decryption key at the end of the last round */ + gift128b_load_and_forward_schedule(); + + /* Perform all 40 rounds */ + for (round = 40; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddTweak - XOR in the tweak every 5 rounds except the last */ + if ((round % 5) == 0 && round < 40) + s0 ^= tweak; + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; + + /* InvPermBits - apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp 
= s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } /* Pack the state into the plaintext buffer in nibble form */ be_store_word32(output, s0); @@ -847,3 +1492,7 @@ void gift128t_decrypt be_store_word32(output + 12, s3); gift128n_to_nibbles(output, output); } + +#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ + +#endif /* !GIFT128_VARIANT_ASM */ diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.h index 1ac40e5..f57d143 100644 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.h +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128.h @@ -47,11 +47,13 @@ * in any of the NIST submissions so we don't bother with it in this library. * * References: https://eprint.iacr.org/2017/622.pdf, + * https://eprint.iacr.org/2020/412.pdf, * https://giftcipher.github.io/gift/ */ #include #include +#include "internal-gift128-config.h" #ifdef __cplusplus extern "C" { @@ -63,16 +65,23 @@ extern "C" { #define GIFT128_BLOCK_SIZE 16 /** - * \brief Number of round keys for the fixsliced representation of GIFT-128. + * \var GIFT128_ROUND_KEYS + * \brief Number of round keys for the GIFT-128 key schedule. */ +#if GIFT128_VARIANT == GIFT128_VARIANT_TINY +#define GIFT128_ROUND_KEYS 4 +#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL +#define GIFT128_ROUND_KEYS 20 +#else #define GIFT128_ROUND_KEYS 80 +#endif /** * \brief Structure of the key schedule for GIFT-128 (bit-sliced). */ typedef struct { - /** Pre-computed round keys in the fixsliced form */ + /** Pre-computed round keys for bit-sliced GIFT-128 */ uint32_t k[GIFT128_ROUND_KEYS]; } gift128b_key_schedule_t; 
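Review bot: The explanatory block above `gift128b_load_and_forward_schedule()` lists `w0 = ks->k[0]; w1 = ks->k[1]; w2 = ks->k[2]; w3 = ks->k[3];`, but both macro bodies actually load `w0 = ks->k[3]; w1 = ks->k[1]; w2 = ks->k[2]; w3 = ks->k[0];` (the 3,1,2,0 mirror applied by gift128b_init), so the documented schedule is not the one the code runs; the four pseudo-code lines should be changed to match, with a sentence noting the mirrored order. Two smaller comment regressions in the same hunk: gift128t_decrypt's lead comment was changed from "Copy the ciphertext into the state buffer" to "Copy the plaintext …", although this is the decrypt entry point and gift128b_decrypt just above keeps "ciphertext"; and the decrypt loop's "AddTweak - XOR in the tweak every 5 rounds except the last" uses encryption-order wording, where the FULL gift128t_decrypt in the previous hunk correctly says "except the first". I would restore `/* Copy the ciphertext into the state buffer and convert from nibbles */` and write `/* AddTweak - undo the tweak that encryption added every 5 rounds except after the 40th */`.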
@@ -81,14 +90,9 @@ typedef struct
 * \brief Initializes the key schedule for GIFT-128 (bit-sliced).
 *
 * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- * \param key_len Length of the key data, which must be 16.
- *
- * \return Non-zero on success or zero if there is something wrong
- * with the parameters.
+ * \param key Points to the 16 bytes of the key data.
 */
-int gift128b_init
- (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len);
+void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key);
 /**
 * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced).
@@ -145,14 +149,9 @@ typedef gift128b_key_schedule_t gift128n_key_schedule_t;
 * \brief Initializes the key schedule for GIFT-128 (nibble-based).
 *
 * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- * \param key_len Length of the key data, which must be 16.
- *
- * \return Non-zero on success or zero if there is something wrong
- * with the parameters.
+ * \param key Points to the 16 bytes of the key data.
 */
-int gift128n_init
- (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len);
+void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key);
 /**
 * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based).
@@ -182,13 +181,31 @@ void gift128n_decrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
 const unsigned char *input);
+/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */
+#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */
+#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */
+#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */
+#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */
+#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */
+#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */
+#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */
+#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */
+#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */
+#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */
+#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */
+#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */
+#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */
+#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */
+#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */
+#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */
+
 /**
 * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant).
 *
 * \param ks Points to the GIFT-128 key schedule.
 * \param output Output buffer which must be at least 16 bytes in length.
 * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value.
+ * \param tweak 4-bit tweak value expanded to 32-bit.
 *
 * The \a input and \a output buffers can be the same buffer for
 * in-place encryption.
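Review bot: The new `\param tweak` line for gift128t_encrypt describes the value only as "4-bit tweak value expanded to 32-bit" and does not say that the GIFT128T_TWEAK_n macros defined just above are the expected encoding. Because the parameter type became `uint32_t`, a caller still passing a raw 0..15 value under the old `unsigned char` contract compiles without any warning through the implicit widening, and the decrypt loop at the top of this diff XORs `tweak` straight into `s0`, so the result is a silently wrong block rather than an error. Suggested wording: ` * \param tweak 4-bit tweak value expanded to 32-bit, one of the GIFT128T_TWEAK_n macros above.` The same `\param tweak` line in the gift128t_decrypt comment in hunk @@ -208,7 +225,7 @@ should change identically.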
@@ -200,7 +217,7 @@ void gift128n_decrypt
 */
 void gift128t_encrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, unsigned char tweak);
+ const unsigned char *input, uint32_t tweak);
 /**
 * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant).
@@ -208,7 +225,7 @@ void gift128t_encrypt
 * \param ks Points to the GIFT-128 key schedule.
 * \param output Output buffer which must be at least 16 bytes in length.
 * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value.
+ * \param tweak 4-bit tweak value expanded to 32-bit.
 *
 * The \a input and \a output buffers can be the same buffer for
 * in-place encryption.
@@ -220,7 +237,7 @@ void gift128t_encrypt
 */
 void gift128t_decrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, unsigned char tweak);
+ const unsigned char *input, uint32_t tweak);
 #ifdef __cplusplus
 }
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128b-full-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128b-full-avr.S
new file mode 100644
index 0000000..ff11875
--- /dev/null
+++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128b-full-avr.S
@@ -0,0 +1,5037 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + +#include "internal-gift128-config.h" + +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 160 +table_0: + .byte 8 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 128 + .byte 1 + .byte 128 + .byte 2 + .byte 0 + .byte 0 + .byte 84 + .byte 129 + .byte 1 + .byte 1 + .byte 1 + .byte 31 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 136 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 81 + .byte 128 + .byte 1 + .byte 3 + .byte 3 + .byte 47 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 96 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 65 + .byte 128 + .byte 0 + .byte 3 + .byte 3 + .byte 39 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 64 + .byte 2 + .byte 0 + .byte 80 + .byte 17 + .byte 128 + .byte 1 + .byte 2 + .byte 3 + .byte 43 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 8 + .byte 8 + .byte 16 + .byte 0 + .byte 64 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 64 + .byte 1 + .byte 128 + .byte 0 + .byte 2 + .byte 2 + .byte 33 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 192 + .byte 1 + .byte 0 + .byte 2 + .byte 0 + .byte 0 + .byte 81 + .byte 128 + .byte 1 + .byte 1 + .byte 3 + .byte 46 + .byte 0 + .byte 0 + .byte 128 + .byte 0 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 32 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 64 + .byte 128 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 0 + .byte 0 + .byte 128 + .byte 8 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 160 + .byte 1 + .byte 192 + .byte 2 + .byte 0 + .byte 80 + .byte 20 + .byte 129 + .byte 1 + .byte 2 + .byte 1 + .byte 26 + .byte 0 + .byte 0 + .byte 128 + 
+ .text +.global gift128b_init + .type gift128b_init, @function +gift128b_init: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 + movw r26,r22 +.L__stack_usage = 18 + ld r13,X+ + ld r12,X+ + ld r11,X+ + ld r10,X+ + ld r5,X+ + ld r4,X+ + ld r3,X+ + ld r2,X+ + ld r9,X+ + ld r8,X+ + ld r7,X+ + ld r6,X+ + ld r29,X+ + ld r28,X+ + ld r23,X+ + ld r22,X+ + st Z+,r22 + st Z+,r23 + st Z+,r28 + st Z+,r29 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + ldi r24,4 +33: + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r29 + ror r28 + ror r0 + lsr r29 + ror r28 + ror r0 + or r29,r0 + st Z+,r22 + st Z+,r23 + st Z+,r28 + st Z+,r29 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r28 + mov r28,r4 + mov r4,r0 + mov r0,r29 + mov r29,r5 + mov r5,r0 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + mov r0,r6 + mov r6,r10 + mov r10,r0 + mov r0,r7 + mov r7,r11 + mov r11,r0 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + dec r24 + breq 5115f + rjmp 33b +5115: + subi r30,80 + sbc r31,r1 + ldi r24,2 +119: + ld r22,Z + ldd r23,Z+1 + ldd r28,Z+2 + ldd r29,Z+3 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor 
r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + st Z,r29 + std Z+1,r23 + std Z+2,r28 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r28,Z+6 + ldd r29,Z+7 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror 
r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+4,r29 + std Z+5,r23 + std Z+6,r28 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r28,Z+10 + ldd r29,Z+11 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + 
ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+8,r29 + std Z+9,r23 + std Z+10,r28 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r28,Z+14 + ldd r29,Z+15 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 
+ eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+12,r29 + std Z+13,r23 + std Z+14,r28 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r28,Z+18 + ldd r29,Z+19 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + 
mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+16,r29 + std Z+17,r23 + std Z+18,r28 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r28,Z+22 + ldd r29,Z+23 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+20,r29 + std Z+21,r23 + std Z+22,r28 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r28,Z+26 + ldd r29,Z+27 + movw r18,r22 + 
movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+24,r29 + std Z+25,r23 + std Z+26,r28 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r28,Z+30 + ldd r29,Z+31 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor 
r20,r28 + eor r21,r29 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+28,r29 + std Z+29,r23 + std Z+30,r28 + std Z+31,r22 + dec r24 + breq 1268f + adiw r30,40 + rjmp 119b +1268: + adiw r30,40 + movw r26,r30 + subi r26,80 + sbc r27,r1 + ldi r24,6 +1274: + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + movw r18,r2 + movw r20,r4 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r2 + eor r19,r3 + andi r18,51 + andi r19,51 + eor r2,r18 + eor r3,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + 
mov r18,r1 + mov r19,r1 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + movw r18,r2 + movw r20,r4 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + st Z,r2 + std Z+1,r3 + std Z+2,r4 + std Z+3,r5 + movw r18,r22 + movw r20,r28 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + andi r28,204 + andi r29,204 + or r28,r21 + or r29,r18 + or r22,r19 + or r23,r20 + movw r18,r28 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r28 + eor r19,r29 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r28,r18 + eor r29,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r28,r18 + eor r29,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r28 + std Z+5,r29 + std Z+6,r22 + std Z+7,r23 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + swap r3 + lsl r4 + adc r4,r1 + lsl r4 + adc r4,r1 + swap r5 + std Z+8,r2 + std Z+9,r3 + std Z+10,r4 + std Z+11,r5 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r28 + adc r28,r1 + lsl r28 + adc r28,r1 + lsl r28 + adc r28,r1 + lsl r29 + adc r29,r1 + lsl r29 + adc r29,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r28 + std Z+15,r29 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + movw r18,r2 + movw r20,r4 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + ldi r25,85 + and r2,r25 + and r3,r25 + and r4,r25 + and r5,r25 + or r2,r19 + or r3,r20 + or r4,r21 + or r5,r18 + std Z+16,r4 + std Z+17,r5 + std Z+18,r2 + std Z+19,r3 + movw r18,r22 + movw r20,r28 + andi r18,85 + andi r19,85 + andi r20,85 + andi 
r21,85 + andi r22,170 + andi r23,170 + andi r28,170 + andi r29,170 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + or r22,r18 + or r23,r19 + or r28,r20 + or r29,r21 + std Z+20,r29 + std Z+21,r22 + std Z+22,r23 + std Z+23,r28 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + movw r18,r2 + movw r20,r4 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + movw r18,r2 + movw r20,r4 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r14,r18 + movw r16,r20 + lsr r17 + ror r16 + ror r15 + ror r14 + lsr r17 + ror r16 + ror r15 + ror r14 + lsr r17 + ror r16 + ror r15 + ror r14 + lsr r17 + ror r16 + ror r15 + ror r14 + eor r14,r18 + eor r15,r19 + eor r16,r20 + eor r17,r21 + ldi r25,8 + and r14,r25 + and r15,r25 + andi r16,8 + andi r17,8 + eor r18,r14 + eor r19,r15 + eor r20,r16 + eor r21,r17 + lsl r14 + rol r15 + rol r16 + rol r17 + lsl r14 + rol r15 + rol r16 + rol r17 + lsl r14 + rol r15 + rol r16 + rol r17 + lsl r14 + rol r15 + rol r16 + rol r17 + eor r18,r14 + eor r19,r15 + eor r20,r16 + eor r21,r17 + ldi r17,15 + and r2,r17 + and r3,r17 + and r4,r17 + and r5,r17 + or r2,r18 + or r3,r19 + or r4,r20 + or r5,r21 + std Z+24,r2 + std Z+25,r3 + std Z+26,r4 + std Z+27,r5 + movw r18,r28 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r2,r22 + movw r4,r28 + ldi r16,1 + and r2,r16 + and r3,r16 + and r4,r16 + and r5,r16 + lsl r2 + rol r3 + rol r4 + rol r5 + lsl r2 + rol r3 + rol r4 + 
rol r5 + lsl r2 + rol r3 + rol r4 + rol r5 + or r2,r18 + or r3,r19 + movw r18,r28 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r2,r18 + or r3,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r4,r18 + or r5,r19 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r2,r18 + or r3,r19 + or r4,r20 + or r5,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r4,r22 + or r5,r23 + std Z+28,r2 + std Z+29,r3 + std Z+30,r4 + std Z+31,r5 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + mov r0,r1 + lsr r5 + ror r4 + ror r0 + lsr r5 + ror r4 + ror r0 + lsr r5 + ror r4 + ror r0 + lsr r5 + ror r4 + ror r0 + or r5,r0 + std Z+32,r3 + std Z+33,r2 + std Z+34,r4 + std Z+35,r5 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r28 + mov r28,r29 + mov r29,r0 + lsl r28 + rol r29 + adc r28,r1 + lsl r28 + rol r29 + adc r28,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r28 + std Z+39,r29 + dec r24 + breq 1733f + adiw r30,40 + rjmp 1274b +1733: + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_init, .-gift128b_init + + .text +.global gift128b_encrypt + .type gift128b_encrypt, @function +gift128b_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e +.L__stack_usage = 19 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld 
r13,X+ + ld r12,X+ + movw r26,r30 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rjmp 765f +27: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror 
r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + 
ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 
+ and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + 
mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov 
r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +765: +#if defined(RAMPZ) 
+ pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+1 + ldd r27,Y+2 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + pop r0 + pop r0 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt, .-gift128b_encrypt + + .text +.global gift128b_encrypt_preloaded + .type gift128b_encrypt_preloaded, @function +gift128b_encrypt_preloaded: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e +.L__stack_usage = 19 + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + ld r14,X+ + ld r15,X+ + movw r26,r30 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rjmp 765f +27: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov 
r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z 
+#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld 
r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + 
ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + 
eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +765: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+1 + ldd r27,Y+2 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + st X+,r12 + st X+,r13 + st X+,r14 + st X+,r15 + pop r0 + pop r0 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded + + .text +.global gift128b_decrypt + .type gift128b_decrypt, @function +gift128b_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e +.L__stack_usage = 19 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld 
r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + movw r26,r30 + subi r26,192 + sbci r27,254 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,160 + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rjmp 768f +30: + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov r0,r12 + mov r12,r13 + mov r13,r14 + mov r14,r15 + mov r15,r0 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 
+ eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r1 + lsr r22 + ror r0 + lsr r22 + ror r0 + or r22,r0 + mov r0,r1 + lsr r23 + ror r0 + lsr r23 + ror r0 + or r23,r0 + mov r0,r1 + lsr r2 + ror r0 + lsr r2 + ror r0 + or r2,r0 + mov r0,r1 + lsr r3 + ror r0 + lsr r3 + ror r0 + or r3,r0 + swap r4 + swap r5 + swap r6 + swap r7 + lsl r8 + adc r8,r1 + lsl r8 + adc r8,r1 + lsl r9 + adc r9,r1 + lsl r9 + adc r9,r1 + lsl r10 + adc r10,r1 + lsl r10 + adc r10,r1 + lsl r11 + adc r11,r1 + lsl r11 + adc r11,r1 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + com r22 + 
com r23 + com r2 + com r3 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + 
rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor 
r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + com r22 + com r23 + com r2 + com r3 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z 
+#else + lpm + mov r18,r0 +#endif + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,119 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r15 + ror r14 + ror r13 + ror r12 + lsr r15 + ror r14 + ror r13 + ror r12 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,17 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor 
r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + ret +768: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+1 + ldd r27,Y+2 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + pop r0 + pop r0 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_decrypt, .-gift128b_decrypt + +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128b-small-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128b-small-avr.S new file mode 100644 index 0000000..77ef9fd --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128b-small-avr.S 
@@ -0,0 +1,6053 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + +#include "internal-gift128-config.h" + +#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 160 +table_0: + .byte 8 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 128 + .byte 1 + .byte 128 + .byte 2 + .byte 0 + .byte 0 + .byte 84 + .byte 129 + .byte 1 + .byte 1 + .byte 1 + .byte 31 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 136 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 81 + .byte 128 + .byte 1 + .byte 3 + .byte 3 + .byte 47 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 96 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 65 + .byte 128 + .byte 0 + .byte 3 + .byte 3 + .byte 39 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 64 + .byte 2 + .byte 0 + .byte 80 + .byte 17 + .byte 128 + .byte 1 + .byte 2 + .byte 3 + .byte 43 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 8 + .byte 8 + .byte 16 + .byte 0 + .byte 64 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 64 + .byte 1 + .byte 128 + .byte 0 + .byte 2 + .byte 2 + .byte 33 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 192 + .byte 1 + .byte 0 + .byte 2 + .byte 0 + .byte 0 + .byte 81 + .byte 128 + .byte 1 + .byte 1 + .byte 3 + .byte 46 + .byte 0 + .byte 0 + .byte 128 + .byte 0 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 32 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 64 + .byte 128 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 0 + .byte 0 + .byte 128 + .byte 8 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 160 + .byte 1 + .byte 192 + .byte 2 + .byte 0 + .byte 80 + .byte 20 + .byte 129 + .byte 1 + .byte 2 + .byte 1 + .byte 26 + .byte 0 + .byte 0 + .byte 128 + 
+ .text +.global gift128b_init + .type gift128b_init, @function +gift128b_init: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + movw r30,r24 + movw r26,r22 +.L__stack_usage = 16 + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + ldi r24,4 +33: + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + mov r0,r22 + mov r22,r4 + mov r4,r0 + mov r0,r23 + mov r23,r5 + mov r5,r0 + mov r0,r2 + mov r2,r6 + mov r6,r0 + mov r0,r3 + mov r3,r7 + mov r7,r0 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + mov r0,r10 + mov r10,r14 + mov r14,r0 + mov r0,r11 + mov r11,r15 + mov r15,r0 + dec r24 + breq 5115f + rjmp 33b +5115: + subi r30,80 + sbc r31,r1 + ldi r24,2 +119: + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 
+ mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + st Z,r3 + std Z+1,r23 + std Z+2,r2 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 
+ ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+4,r3 + std Z+5,r23 + std Z+6,r2 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 
+ mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+8,r3 + std Z+9,r23 + std Z+10,r2 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 
+ lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+12,r3 + std Z+13,r23 + std Z+14,r2 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol 
r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r3 + std Z+17,r23 + std Z+18,r2 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+20,r3 + std Z+21,r23 + std Z+22,r2 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + 
eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+24,r3 + std Z+25,r23 + std Z+26,r2 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r2,Z+30 + ldd r3,Z+31 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 
+ rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+28,r3 + std Z+29,r23 + std Z+30,r2 + std Z+31,r22 + dec r24 + breq 1268f + adiw r30,40 + rjmp 119b +1268: + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size gift128b_init, .-gift128b_init + + .text +.global gift128b_encrypt + .type gift128b_encrypt, @function +gift128b_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in 
r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ldi r24,20 +1: + ld r22,Z+ + ld r23,Z+ + ld r2,Z+ + ld r3,Z+ + std Y+1,r22 + std Y+2,r23 + std Y+3,r2 + std Y+4,r3 + adiw r28,4 + dec r24 + brne 1b + subi r28,80 + sbc r29,r1 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out 
_SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 73f + rcall 73f + rjmp 1285f +73: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 
+ andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov 
r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + 
and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov 
r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + 
eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + 
eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +811: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc r26,r1 + lsl r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc 
r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + 
lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +1285: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc 
r29,r1 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt, .-gift128b_encrypt + + .text +.global gift128b_encrypt_preloaded + .type gift128b_encrypt_preloaded, @function +gift128b_encrypt_preloaded: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ldi r24,20 +1: + ld r22,Z+ + ld r23,Z+ + ld r2,Z+ + ld r3,Z+ + std Y+1,r22 + std Y+2,r23 + std Y+3,r2 + std Y+4,r3 + adiw r28,4 + dec r24 + brne 1b + subi r28,80 + sbc r29,r1 + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + ld r14,X+ + ld r15,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if 
defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 73f + rcall 73f + rjmp 1285f +73: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and 
r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + 
eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif 
defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor 
r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + 
lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + 
ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +811: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and 
r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc r26,r1 + lsl r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw 
r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or 
r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +1285: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc r29,r1 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + st X+,r12 + st X+,r13 + st X+,r14 + st X+,r15 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 40 +table_1: + .byte 1 + .byte 3 + .byte 7 + .byte 15 + .byte 31 + .byte 62 + .byte 61 + .byte 59 + .byte 55 + .byte 47 + .byte 30 + .byte 60 + .byte 57 + .byte 51 + .byte 39 + .byte 14 + .byte 29 + .byte 58 + .byte 53 + .byte 43 + .byte 22 + .byte 44 + .byte 24 + .byte 48 + .byte 33 + .byte 2 + .byte 5 + .byte 11 + .byte 23 + .byte 46 + .byte 28 + .byte 56 + .byte 49 + .byte 35 + .byte 6 + .byte 13 + .byte 27 + .byte 54 + .byte 45 + 
.byte 26 + + .text +.global gift128b_decrypt + .type gift128b_decrypt, @function +gift128b_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 35 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor 
r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + 
mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Z+8 + ldd r27,Z+9 + ldd r24,Z+10 + ldd r25,Z+11 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw 
r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ld r26,Z + ldd r27,Z+1 + ldd r24,Z+2 + ldd r25,Z+3 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + 
mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r17,hh8(table_1) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif + ldi r16,40 +678: + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + std Y+13,r26 + std Y+14,r27 + std Y+15,r24 + std Y+16,r25 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r24,Y+3 + ldd r25,Y+4 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + ldd r0,Y+13 + eor r8,r0 + ldd r0,Y+14 + eor r9,r0 + ldd r0,Y+15 + eor r10,r0 + ldd r0,Y+16 + eor r11,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Y+5 + ldd r27,Y+6 + ldd r24,Y+7 + ldd r25,Y+8 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + ldd r0,Y+1 + eor r8,r0 + ldd r0,Y+2 + eor r9,r0 + ldd r0,Y+3 + eor r10,r0 + ldd r0,Y+4 + eor r11,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Y+9 + ldd r27,Y+10 + ldd r24,Y+11 + ldd r25,Y+12 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 
+ adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r24,Y+15 + ldd r25,Y+16 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + cpse r16,r1 + rjmp 678b + rjmp 1175f +830: + eor r4,r26 + eor r5,r27 + eor r6,r24 + eor r7,r25 + ldi r18,128 + eor r15,r18 + dec r16 + mov r30,r16 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + bst r22,1 + bld r0,0 + bst r3,0 + bld r22,1 + bst r22,6 + bld r3,0 + bst r2,1 + bld r22,6 + bst r3,4 + bld r2,1 + bst r22,7 + bld r3,4 + bst r23,1 + bld r22,7 + bst r3,2 + bld r23,1 + bst r2,6 + bld r3,2 + bst r2,5 + bld r2,6 + bst r3,5 + bld r2,5 + bst r3,7 + bld r3,5 + bst r23,7 + bld r3,7 + bst r23,3 + bld r23,7 + bst r23,2 + bld r23,3 + bst r2,2 + bld r23,2 + bst r2,4 + bld r2,2 + bst r22,5 + bld r2,4 + bst r3,1 + bld r22,5 + bst r3,6 + bld r3,1 + bst r2,7 + bld r3,6 + bst r23,5 + bld r2,7 + bst r3,3 + bld r23,5 + bst r23,6 + bld r3,3 + bst r2,3 + bld r23,6 + bst r23,4 + bld r2,3 + bst r22,3 + bld r23,4 + bst r23,0 + bld r22,3 + bst r22,2 + bld r23,0 + bst r2,0 + bld r22,2 + bst r22,4 + bld r2,0 + bst r0,0 + bld r22,4 + bst r4,0 + bld r0,0 + bst r5,0 + bld r4,0 + bst r5,2 + bld r5,0 + bst r7,2 + bld r5,2 + bst r7,6 + bld r7,2 + bst r7,7 + bld r7,6 + bst r6,7 + bld r7,7 + bst r6,5 + bld r6,7 + bst r4,5 + bld r6,5 + bst r4,1 + bld r4,5 + bst r0,0 + bld r4,1 + bst r4,2 + bld r0,0 + bst r7,0 + bld r4,2 + bst r5,6 + bld r7,0 + bst r7,3 + bld r5,6 + bst r6,6 + bld r7,3 + bst r7,5 + bld r6,6 + bst r4,7 + bld r7,5 + bst r6,1 + bld r4,7 + bst r4,4 + bld r6,1 + bst r5,1 
+ bld r4,4 + bst r0,0 + bld r5,1 + bst r4,3 + bld r0,0 + bst r6,0 + bld r4,3 + bst r5,4 + bld r6,0 + bst r5,3 + bld r5,4 + bst r6,2 + bld r5,3 + bst r7,4 + bld r6,2 + bst r5,7 + bld r7,4 + bst r6,3 + bld r5,7 + bst r6,4 + bld r6,3 + bst r5,5 + bld r6,4 + bst r0,0 + bld r5,5 + bst r4,6 + bld r0,0 + bst r7,1 + bld r4,6 + bst r0,0 + bld r7,1 + bst r8,0 + bld r0,0 + bst r10,0 + bld r8,0 + bst r10,4 + bld r10,0 + bst r10,5 + bld r10,4 + bst r9,5 + bld r10,5 + bst r9,3 + bld r9,5 + bst r11,2 + bld r9,3 + bst r8,6 + bld r11,2 + bst r8,1 + bld r8,6 + bst r9,0 + bld r8,1 + bst r10,2 + bld r9,0 + bst r8,4 + bld r10,2 + bst r10,1 + bld r8,4 + bst r9,4 + bld r10,1 + bst r10,3 + bld r9,4 + bst r11,4 + bld r10,3 + bst r10,7 + bld r11,4 + bst r11,5 + bld r10,7 + bst r9,7 + bld r11,5 + bst r11,3 + bld r9,7 + bst r11,6 + bld r11,3 + bst r8,7 + bld r11,6 + bst r11,1 + bld r8,7 + bst r9,6 + bld r11,1 + bst r8,3 + bld r9,6 + bst r11,0 + bld r8,3 + bst r10,6 + bld r11,0 + bst r8,5 + bld r10,6 + bst r9,1 + bld r8,5 + bst r9,2 + bld r9,1 + bst r8,2 + bld r9,2 + bst r0,0 + bld r8,2 + bst r12,0 + bld r0,0 + bst r15,0 + bld r12,0 + bst r15,6 + bld r15,0 + bst r13,7 + bld r15,6 + bst r12,3 + bld r13,7 + bst r0,0 + bld r12,3 + bst r12,1 + bld r0,0 + bst r14,0 + bld r12,1 + bst r15,4 + bld r14,0 + bst r15,7 + bld r15,4 + bst r12,7 + bld r15,7 + bst r0,0 + bld r12,7 + bst r12,2 + bld r0,0 + bst r13,0 + bld r12,2 + bst r15,2 + bld r13,0 + bst r13,6 + bld r15,2 + bst r13,3 + bld r13,6 + bst r0,0 + bld r13,3 + bst r12,4 + bld r0,0 + bst r15,1 + bld r12,4 + bst r14,6 + bld r15,1 + bst r13,5 + bld r14,6 + bst r14,3 + bld r13,5 + bst r0,0 + bld r14,3 + bst r12,5 + bld r0,0 + bst r14,1 + bld r12,5 + bst r14,4 + bld r14,1 + bst r15,5 + bld r14,4 + bst r14,7 + bld r15,5 + bst r0,0 + bld r14,7 + bst r12,6 + bld r0,0 + bst r13,1 + bld r12,6 + bst r14,2 + bld r13,1 + bst r13,4 + bld r14,2 + bst r15,3 + bld r13,4 + bst r0,0 + bld r15,3 + movw r18,r12 + movw r20,r14 + movw r12,r22 + movw r14,r2 + movw 
r22,r18 + movw r2,r20 + and r18,r4 + and r19,r5 + and r20,r6 + and r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + ret +1175: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+17 + ldd r27,Y+18 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_decrypt, .-gift128b_decrypt + +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128b-tiny-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128b-tiny-avr.S new file mode 100644 index 0000000..e7a03f1 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-gift128b-tiny-avr.S 
@@ -0,0 +1,6766 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + +#include "internal-gift128-config.h" + +#if GIFT128_VARIANT == GIFT128_VARIANT_TINY + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 160 +table_0: + .byte 8 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 128 + .byte 1 + .byte 128 + .byte 2 + .byte 0 + .byte 0 + .byte 84 + .byte 129 + .byte 1 + .byte 1 + .byte 1 + .byte 31 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 136 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 81 + .byte 128 + .byte 1 + .byte 3 + .byte 3 + .byte 47 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 96 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 65 + .byte 128 + .byte 0 + .byte 3 + .byte 3 + .byte 39 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 64 + .byte 2 + .byte 0 + .byte 80 + .byte 17 + .byte 128 + .byte 1 + .byte 2 + .byte 3 + .byte 43 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 8 + .byte 8 + .byte 16 + .byte 0 + .byte 64 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 64 + .byte 1 + .byte 128 + .byte 0 + .byte 2 + .byte 2 + .byte 33 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 192 + .byte 1 + .byte 0 + .byte 2 + .byte 0 + .byte 0 + .byte 81 + .byte 128 + .byte 1 + .byte 1 + .byte 3 + .byte 46 + .byte 0 + .byte 0 + .byte 128 + .byte 0 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 32 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 64 + .byte 128 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 0 + .byte 0 + .byte 128 + .byte 8 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 160 + .byte 1 + .byte 192 + .byte 2 + .byte 0 + .byte 80 + .byte 20 + .byte 129 + .byte 1 + .byte 2 + .byte 1 + .byte 26 + .byte 0 + .byte 0 + .byte 128 + 
+ .text +.global gift128b_init + .type gift128b_init, @function +gift128b_init: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + movw r30,r24 + movw r26,r22 +.L__stack_usage = 16 + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + st Z,r22 + std Z+1,r23 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size gift128b_init, .-gift128b_init + + .text +.global gift128b_encrypt + .type gift128b_encrypt, @function +gift128b_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + movw r30,r28 + adiw r30,1 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + ldi r24,4 +35: + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + 
lsr r3 + ror r2 + ror r0 + or r3,r0 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + mov r0,r22 + mov r22,r4 + mov r4,r0 + mov r0,r23 + mov r23,r5 + mov r5,r0 + mov r0,r2 + mov r2,r6 + mov r6,r0 + mov r0,r3 + mov r3,r7 + mov r7,r0 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + mov r0,r10 + mov r10,r14 + mov r14,r0 + mov r0,r11 + mov r11,r15 + mov r15,r0 + dec r24 + breq 5117f + rjmp 35b +5117: + subi r30,80 + sbc r31,r1 + ldi r24,2 +121: + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 
+ lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + st Z,r3 + std Z+1,r23 + std Z+2,r2 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor 
r2,r20 + eor r3,r21 + std Z+4,r3 + std Z+5,r23 + std Z+6,r2 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+8,r3 + std Z+9,r23 + std Z+10,r2 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + movw r18,r22 + 
movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+12,r3 + std Z+13,r23 + std Z+14,r2 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + 
andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r3 + std Z+17,r23 + std Z+18,r2 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor 
r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+20,r3 + std Z+21,r23 + std Z+22,r2 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor 
r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+24,r3 + std Z+25,r23 + std Z+26,r2 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r2,Z+30 + ldd r3,Z+31 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 
+ ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+28,r3 + std Z+29,r23 + std Z+30,r2 + std Z+31,r22 + dec r24 + breq 1270f + adiw r30,40 + rjmp 121b +1270: + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in 
r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 1329f + rcall 1329f + rjmp 2541f +1329: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + 
ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 
+ com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov 
r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + 
lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + 
elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if 
defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +2067: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc r26,r1 + lsl 
r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + 
ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 + rol r3 + 
adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +2541: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc r29,r1 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt, .-gift128b_encrypt + + .text +.global gift128b_encrypt_preloaded + .type gift128b_encrypt_preloaded, @function +gift128b_encrypt_preloaded: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + movw r30,r28 + adiw r30,1 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + ldi r24,4 +35: + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r3 + 
ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + mov r0,r22 + mov r22,r4 + mov r4,r0 + mov r0,r23 + mov r23,r5 + mov r5,r0 + mov r0,r2 + mov r2,r6 + mov r6,r0 + mov r0,r3 + mov r3,r7 + mov r7,r0 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + mov r0,r10 + mov r10,r14 + mov r14,r0 + mov r0,r11 + mov r11,r15 + mov r15,r0 + dec r24 + breq 5117f + rjmp 35b +5117: + subi r30,80 + sbc r31,r1 + ldi r24,2 +121: + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov 
r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + st Z,r3 + std Z+1,r23 + std Z+2,r2 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + 
eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+4,r3 + std Z+5,r23 + std Z+6,r2 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+8,r3 + std Z+9,r23 + std Z+10,r2 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + 
movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+12,r3 + std Z+13,r23 + std Z+14,r2 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + 
andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r3 + std Z+17,r23 + std Z+18,r2 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor 
r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+20,r3 + std Z+21,r23 + std Z+22,r2 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor 
r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+24,r3 + std Z+25,r23 + std Z+26,r2 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r2,Z+30 + ldd r3,Z+31 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror 
r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+28,r3 + std Z+29,r23 + std Z+30,r2 + std Z+31,r22 + dec r24 + breq 1270f + adiw r30,40 + rjmp 121b +1270: + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + ld r14,X+ + ld r15,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + 
in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 1329f + rcall 1329f + rjmp 2541f +1329: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 
+ ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor 
r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + 
mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z 
+#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if 
defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + 
inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +2067: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc 
r26,r1 + lsl r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 
+ lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 
+ rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +2541: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc r29,r1 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + st X+,r12 + st X+,r13 + st X+,r14 + st X+,r15 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 40 +table_1: + .byte 1 + .byte 3 + .byte 7 + .byte 15 + .byte 31 + .byte 62 + .byte 61 + .byte 59 + .byte 55 + .byte 47 + .byte 30 + .byte 60 + .byte 57 + .byte 51 + .byte 39 + .byte 14 + .byte 29 + .byte 58 + .byte 53 + .byte 43 + .byte 22 + .byte 44 + .byte 24 + .byte 48 + .byte 33 + .byte 2 + .byte 5 + .byte 11 + .byte 23 + .byte 46 + .byte 28 + .byte 56 + .byte 49 + .byte 35 + .byte 6 + .byte 13 + .byte 27 + .byte 54 + .byte 45 + .byte 26 + + .text +.global gift128b_decrypt + .type gift128b_decrypt, @function +gift128b_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 35 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld 
r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Z+8 + ldd r27,Z+9 + ldd r24,Z+10 + ldd r25,Z+11 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ld r26,Z + ldd r27,Z+1 + ldd r24,Z+2 + ldd r25,Z+3 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r17,hh8(table_1) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif + ldi r16,40 +114: + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + std Y+13,r26 + std Y+14,r27 + std Y+15,r24 + std Y+16,r25 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r24,Y+3 + ldd r25,Y+4 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + ldd r0,Y+13 + eor r8,r0 + ldd r0,Y+14 + eor r9,r0 + ldd r0,Y+15 + eor r10,r0 + ldd r0,Y+16 + eor r11,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Y+5 + ldd r27,Y+6 + ldd r24,Y+7 
+ ldd r25,Y+8 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + ldd r0,Y+1 + eor r8,r0 + ldd r0,Y+2 + eor r9,r0 + ldd r0,Y+3 + eor r10,r0 + ldd r0,Y+4 + eor r11,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Y+9 + ldd r27,Y+10 + ldd r24,Y+11 + ldd r25,Y+12 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r24,Y+15 + ldd r25,Y+16 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + cpse r16,r1 + rjmp 114b + rjmp 611f +266: + eor r4,r26 + eor r5,r27 + eor r6,r24 + eor r7,r25 + ldi r18,128 + eor r15,r18 + dec r16 + mov r30,r16 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + bst r22,1 + bld r0,0 + bst r3,0 + bld r22,1 + bst r22,6 + bld r3,0 + bst r2,1 + bld r22,6 + bst r3,4 + bld r2,1 + bst r22,7 + bld r3,4 + bst r23,1 + bld r22,7 + bst r3,2 + bld r23,1 + bst r2,6 + bld r3,2 + bst r2,5 + bld r2,6 + bst r3,5 + bld r2,5 + bst r3,7 + bld r3,5 + bst r23,7 + bld r3,7 + bst r23,3 + bld r23,7 + bst r23,2 + bld r23,3 + bst r2,2 + bld r23,2 + bst r2,4 + bld r2,2 + bst r22,5 + bld r2,4 + bst r3,1 + bld r22,5 + bst r3,6 + bld r3,1 + bst r2,7 + bld r3,6 + bst r23,5 + bld r2,7 + bst r3,3 + bld r23,5 + bst r23,6 + bld r3,3 + bst r2,3 + bld r23,6 + bst 
r23,4 + bld r2,3 + bst r22,3 + bld r23,4 + bst r23,0 + bld r22,3 + bst r22,2 + bld r23,0 + bst r2,0 + bld r22,2 + bst r22,4 + bld r2,0 + bst r0,0 + bld r22,4 + bst r4,0 + bld r0,0 + bst r5,0 + bld r4,0 + bst r5,2 + bld r5,0 + bst r7,2 + bld r5,2 + bst r7,6 + bld r7,2 + bst r7,7 + bld r7,6 + bst r6,7 + bld r7,7 + bst r6,5 + bld r6,7 + bst r4,5 + bld r6,5 + bst r4,1 + bld r4,5 + bst r0,0 + bld r4,1 + bst r4,2 + bld r0,0 + bst r7,0 + bld r4,2 + bst r5,6 + bld r7,0 + bst r7,3 + bld r5,6 + bst r6,6 + bld r7,3 + bst r7,5 + bld r6,6 + bst r4,7 + bld r7,5 + bst r6,1 + bld r4,7 + bst r4,4 + bld r6,1 + bst r5,1 + bld r4,4 + bst r0,0 + bld r5,1 + bst r4,3 + bld r0,0 + bst r6,0 + bld r4,3 + bst r5,4 + bld r6,0 + bst r5,3 + bld r5,4 + bst r6,2 + bld r5,3 + bst r7,4 + bld r6,2 + bst r5,7 + bld r7,4 + bst r6,3 + bld r5,7 + bst r6,4 + bld r6,3 + bst r5,5 + bld r6,4 + bst r0,0 + bld r5,5 + bst r4,6 + bld r0,0 + bst r7,1 + bld r4,6 + bst r0,0 + bld r7,1 + bst r8,0 + bld r0,0 + bst r10,0 + bld r8,0 + bst r10,4 + bld r10,0 + bst r10,5 + bld r10,4 + bst r9,5 + bld r10,5 + bst r9,3 + bld r9,5 + bst r11,2 + bld r9,3 + bst r8,6 + bld r11,2 + bst r8,1 + bld r8,6 + bst r9,0 + bld r8,1 + bst r10,2 + bld r9,0 + bst r8,4 + bld r10,2 + bst r10,1 + bld r8,4 + bst r9,4 + bld r10,1 + bst r10,3 + bld r9,4 + bst r11,4 + bld r10,3 + bst r10,7 + bld r11,4 + bst r11,5 + bld r10,7 + bst r9,7 + bld r11,5 + bst r11,3 + bld r9,7 + bst r11,6 + bld r11,3 + bst r8,7 + bld r11,6 + bst r11,1 + bld r8,7 + bst r9,6 + bld r11,1 + bst r8,3 + bld r9,6 + bst r11,0 + bld r8,3 + bst r10,6 + bld r11,0 + bst r8,5 + bld r10,6 + bst r9,1 + bld r8,5 + bst r9,2 + bld r9,1 + bst r8,2 + bld r9,2 + bst r0,0 + bld r8,2 + bst r12,0 + bld r0,0 + bst r15,0 + bld r12,0 + bst r15,6 + bld r15,0 + bst r13,7 + bld r15,6 + bst r12,3 + bld r13,7 + bst r0,0 + bld r12,3 + bst r12,1 + bld r0,0 + bst r14,0 + bld r12,1 + bst r15,4 + bld r14,0 + bst r15,7 + bld r15,4 + bst r12,7 + bld r15,7 + bst r0,0 + bld r12,7 + bst r12,2 + bld r0,0 + bst 
r13,0 + bld r12,2 + bst r15,2 + bld r13,0 + bst r13,6 + bld r15,2 + bst r13,3 + bld r13,6 + bst r0,0 + bld r13,3 + bst r12,4 + bld r0,0 + bst r15,1 + bld r12,4 + bst r14,6 + bld r15,1 + bst r13,5 + bld r14,6 + bst r14,3 + bld r13,5 + bst r0,0 + bld r14,3 + bst r12,5 + bld r0,0 + bst r14,1 + bld r12,5 + bst r14,4 + bld r14,1 + bst r15,5 + bld r14,4 + bst r14,7 + bld r15,5 + bst r0,0 + bld r14,7 + bst r12,6 + bld r0,0 + bst r13,1 + bld r12,6 + bst r14,2 + bld r13,1 + bst r13,4 + bld r14,2 + bst r15,3 + bld r13,4 + bst r0,0 + bld r15,3 + movw r18,r12 + movw r20,r14 + movw r12,r22 + movw r14,r2 + movw r22,r18 + movw r2,r20 + and r18,r4 + and r19,r5 + and r20,r6 + and r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + ret +611: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+17 + ldd r27,Y+18 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_decrypt, .-gift128b_decrypt + +#endif + +#endif 
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-util.h b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-util.h +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
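Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is fixed to 1 or 0 purely from `__AVR__`, with no way to override it, so the composed rotation path selected by the `#if !LW_CRYPTO_ROTATE32_COMPOSED` guard in the second hunk can only be compiled and exercised on an AVR target, where the known-answer tests are typically not run. Wrapping the selection as `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` around the existing `#if defined(__AVR__)` block would let a host build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and run the same test vectors through the composed macros. The block comment above it would also benefit from stating that the setting affects only code generation, e.g. `/* Both settings must produce bit-identical results; only performance differs. */`.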
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.c b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.c index 984a4db..d192b8e 100644 
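Review bot: The 31 composed `leftRotateN` definitions and the `rightRotateN` aliases are hand-enumerated, and a single wrong nesting depth or base rotation (for example `leftRotate12`, which chains four `rightRotate` calls on top of `leftRotate((a), 16)`) would change cipher output silently and only on AVR, because every other target keeps the generic macros. The composition is sound only if the generic `leftRotate`/`rightRotate` evaluate their argument exactly once, which the `_temp` statement expression visible in the previous hunk's context appears to guarantee; a comment recording that dependency would help, e.g. `/* Relies on leftRotate()/rightRotate() evaluating their argument exactly once. */`. Since these are statement-expression macros they cannot be pinned with `_Static_assert`, so a runtime self-test comparing `leftRotateN(x)` against `leftRotate(x, N)` for every N over a few distinct inputs, built with the composed path enabled, is the practical way to verify the table. The `rightRotateN(a)` aliases as `leftRotate(32-N)` read consistently, and the 64-bit rotation family after the hunk is left uncomposed, which is presumably intentional.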
--- a/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.c +++ b/sundae-gift/Implementations/crypto_aead/sundaegift128v1/rhys/sundae-gift.c @@ -140,8 +140,7 @@ static int sundae_gift_aead_encrypt *clen = mlen + SUNDAE_GIFT_TAG_SIZE; /* Set the key schedule */ - if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) - return -1; + gift128b_init(&ks, k); /* Format and encrypt the initial domain separation block */ if (adlen > 0) @@ -205,8 +204,7 @@ static int sundae_gift_aead_decrypt len = *mlen = clen - SUNDAE_GIFT_TAG_SIZE; /* Set the key schedule */ - if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) - return -1; + gift128b_init(&ks, k); /* Decrypt the ciphertext to produce the plaintext, using the * tag as the initialization vector for the decryption process */ diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/aead-common.c b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/aead-common.c +++ /dev/null 
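Review bot: The replaced call `gift128b_init(&ks, k);` in sundae_gift_aead_encrypt, and the identical one in the second hunk in sundae_gift_aead_decrypt, drop both the `SUNDAE_GIFT_KEY_SIZE` argument and the `return -1` failure path, so the key length is now guaranteed only by the caller's contract rather than by a check inside the call. That is fine if the new `gift128b_init` prototype (not in this diff) is `void` and fixed to a 128-bit key, but a one-line comment would make the dropped check explicit, e.g. `/* gift128b_init() takes a fixed 128-bit key; k is SUNDAE_GIFT_KEY_SIZE bytes by the AEAD API contract */`. If the function still returns `int`, the discarded result should be cast to `(void)` so the intent is visible to readers. Both enclosing functions start and end outside the hunks.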
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/aead-common.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/api.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/api.h deleted file mode 100644 index 6656888..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 8 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/encrypt.c b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/encrypt.c deleted file mode 100644 index c6f2a7d..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@
-
-#include "sundae-gift.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return sundae_gift_64_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return sundae_gift_64_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128-config.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128-config.h
deleted file mode 100644
index 62131ba..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128-config.h
+++ /dev/null
@@ -1,80 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_GIFT128_CONFIG_H -#define LW_INTERNAL_GIFT128_CONFIG_H - -/** - * \file internal-gift128-config.h - * \brief Configures the variant of GIFT-128 to use. - */ - -/** - * \brief Select the full variant of GIFT-128. - * - * The full variant requires 320 bytes for the key schedule and uses the - * fixslicing method to implement encryption and decryption. - */ -#define GIFT128_VARIANT_FULL 0 - -/** - * \brief Select the small variant of GIFT-128. - * - * The small variant requires 80 bytes for the key schedule. The rest - * of the key schedule is expanded on the fly during encryption. - * - * The fixslicing method is used to implement encryption and the slower - * bitslicing method is used to implement decryption. 
The small variant - * is suitable when memory is at a premium, decryption is not needed, - * but encryption performance is still important. - */ -#define GIFT128_VARIANT_SMALL 1 - -/** - * \brief Select the tiny variant of GIFT-128. - * - * The tiny variant requires 16 bytes for the key schedule and uses the - * bitslicing method to implement encryption and decryption. It is suitable - * for use when memory is very tight and performance is not critical. - */ -#define GIFT128_VARIANT_TINY 2 - -/** - * \def GIFT128_VARIANT - * \brief Selects the default variant of GIFT-128 to use on this platform. - */ -/** - * \def GIFT128_VARIANT_ASM - * \brief Defined to 1 if the GIFT-128 implementation has been replaced - * with an assembly code version. - */ -#if defined(__AVR__) && !defined(GIFT128_VARIANT_ASM) -#define GIFT128_VARIANT_ASM 1 -#endif -#if !defined(GIFT128_VARIANT) -#define GIFT128_VARIANT GIFT128_VARIANT_FULL -#endif -#if !defined(GIFT128_VARIANT_ASM) -#define GIFT128_VARIANT_ASM 0 -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128.c b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128.c deleted file mode 100644 index c6ac5ec..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128.c +++ /dev/null 
@@ -1,1498 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-gift128.h" -#include "internal-util.h" - -#if !GIFT128_VARIANT_ASM - -#if GIFT128_VARIANT != GIFT128_VARIANT_TINY - -/* Round constants for GIFT-128 in the fixsliced representation */ -static uint32_t const GIFT128_RC_fixsliced[40] = { - 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, - 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, - 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, - 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080, - 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e, - 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808, - 0xc001a000, 0x14500002, 0x01020181, 0x8000001a -}; - -#endif - -#if GIFT128_VARIANT != GIFT128_VARIANT_FULL - -/* Round constants for GIFT-128 in the bitsliced representation */ -static uint8_t const GIFT128_RC[40] = { - 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, - 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, - 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, - 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38, - 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A -}; - -#endif - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/* - * The permutation below was generated by the online permuation generator at - * "http://programming.sirrida.de/calcperm.php". 
- * - * All of the permutuations are essentially the same, except that each is - * rotated by 8 bits with respect to the next: - * - * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15 - * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23 - * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31 - * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7 - * - * The most efficient permutation from the online generator was P3, so we - * perform it as the core of the others, and then perform a final rotation. - * - * It is possible to do slightly better than "P3 then rotate" on desktop and - * server architectures for the other permutations. But the advantage isn't - * as evident on embedded platforms so we keep things simple. - */ -#define PERM3_INNER(x) \ - do { \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x000000ff, 24); \ - } while (0) -#define PERM0(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate8(_x); \ - } while (0) -#define PERM1(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate16(_x); \ - } while (0) -#define PERM2(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate24(_x); \ - } while (0) -#define PERM3(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) - -#define INV_PERM3_INNER(x) \ - do { \ - bit_permute_step(x, 0x00550055, 9); \ - bit_permute_step(x, 0x00003333, 18); \ - bit_permute_step(x, 0x000f000f, 12); \ - bit_permute_step(x, 0x000000ff, 24); \ - } while (0) -#define INV_PERM0(x) \ - do { \ - uint32_t _x = rightRotate8(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM1(x) \ - do { \ - uint32_t _x = rightRotate16(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } 
while (0) -#define INV_PERM2(x) \ - do { \ - uint32_t _x = rightRotate24(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM3(x) \ - do { \ - uint32_t _x = (x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) - -/** - * \brief Converts the GIFT-128 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. - * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift128n_to_words - (unsigned char *output, const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Load the input buffer into 32-bit words. We use the nibble order - * from the HYENA submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-128 paper. Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 12); - s1 = le_load_word32(input + 8); - s2 = le_load_word32(input + 4); - s3 = le_load_word32(input); - - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". 
- */ - #define PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - PERM_WORDS(s0); - PERM_WORDS(s1); - PERM_WORDS(s2); - PERM_WORDS(s3); - - /* Rearrange the bytes and write them to the output buffer */ - output[0] = (uint8_t)s0; - output[1] = (uint8_t)s1; - output[2] = (uint8_t)s2; - output[3] = (uint8_t)s3; - output[4] = (uint8_t)(s0 >> 8); - output[5] = (uint8_t)(s1 >> 8); - output[6] = (uint8_t)(s2 >> 8); - output[7] = (uint8_t)(s3 >> 8); - output[8] = (uint8_t)(s0 >> 16); - output[9] = (uint8_t)(s1 >> 16); - output[10] = (uint8_t)(s2 >> 16); - output[11] = (uint8_t)(s3 >> 16); - output[12] = (uint8_t)(s0 >> 24); - output[13] = (uint8_t)(s1 >> 24); - output[14] = (uint8_t)(s2 >> 24); - output[15] = (uint8_t)(s3 >> 24); -} - -/** - * \brief Converts the GIFT-128 word-based representation into nibble-based. - * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. 
- */ -static void gift128n_to_nibbles - (unsigned char *output, const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Load the input bytes and rearrange them so that s0 contains the - * most significant nibbles and s3 contains the least significant */ - s0 = (((uint32_t)(input[12])) << 24) | - (((uint32_t)(input[8])) << 16) | - (((uint32_t)(input[4])) << 8) | - ((uint32_t)(input[0])); - s1 = (((uint32_t)(input[13])) << 24) | - (((uint32_t)(input[9])) << 16) | - (((uint32_t)(input[5])) << 8) | - ((uint32_t)(input[1])); - s2 = (((uint32_t)(input[14])) << 24) | - (((uint32_t)(input[10])) << 16) | - (((uint32_t)(input[6])) << 8) | - ((uint32_t)(input[2])); - s3 = (((uint32_t)(input[15])) << 24) | - (((uint32_t)(input[11])) << 16) | - (((uint32_t)(input[7])) << 8) | - ((uint32_t)(input[3])); - - /* Apply the inverse of PERM_WORDS() from the function above */ - #define INV_PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - INV_PERM_WORDS(s0); - INV_PERM_WORDS(s1); - INV_PERM_WORDS(s2); - INV_PERM_WORDS(s3); - - /* Store the result into the output buffer as 32-bit words */ - le_store_word32(output + 12, s0); - le_store_word32(output + 8, s1); - le_store_word32(output + 4, s2); - le_store_word32(output, s3); -} - -void gift128n_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - gift128n_to_words(output, input); - gift128b_encrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} - -void gift128n_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - gift128n_to_words(output, input); - gift128b_decrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} - -#if GIFT128_VARIANT != GIFT128_VARIANT_TINY - -/** - * \brief Swaps bits within two words. 
- * - * \param a The first word. - * \param b The second word. - * \param mask Mask for the bits to shift. - * \param shift Shift amount in bits. - */ -#define gift128b_swap_move(a, b, mask, shift) \ - do { \ - uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \ - (b) ^= tmp; \ - (a) ^= tmp << (shift); \ - } while (0) - -/** - * \brief Derives the next 10 fixsliced keys in the key schedule. - * - * \param next Points to the buffer to receive the next 10 keys. - * \param prev Points to the buffer holding the previous 10 keys. - * - * The \a next and \a prev buffers are allowed to be the same. - */ -#define gift128b_derive_keys(next, prev) \ - do { \ - /* Key 0 */ \ - uint32_t s = (prev)[0]; \ - uint32_t t = (prev)[1]; \ - gift128b_swap_move(t, t, 0x00003333U, 16); \ - gift128b_swap_move(t, t, 0x55554444U, 1); \ - (next)[0] = t; \ - /* Key 1 */ \ - s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \ - gift128b_swap_move(s, s, 0x55551100U, 1); \ - (next)[1] = s; \ - /* Key 2 */ \ - s = (prev)[2]; \ - t = (prev)[3]; \ - (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \ - ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \ - /* Key 3 */ \ - (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \ - ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \ - /* Key 4 */ \ - s = (prev)[4]; \ - t = (prev)[5]; \ - (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \ - leftRotate16(t & 0x55555555U); \ - /* Key 5 */ \ - (next)[5] = leftRotate8(s & 0x55555555U) | \ - leftRotate12(s & 0xAAAAAAAAU); \ - /* Key 6 */ \ - s = (prev)[6]; \ - t = (prev)[7]; \ - (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \ - ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \ - /* Key 7 */ \ - (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \ - ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \ - ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \ - /* Key 8 */ \ - s = (prev)[8]; \ - t = (prev)[9]; \ - 
(next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \ - ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \ - /* Key 9 */ \ - (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \ - ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \ - } while (0) - -/** - * \brief Compute the round keys for GIFT-128 in the fixsliced representation. - * - * \param ks Points to the key schedule to initialize. - * \param k0 First key word. - * \param k1 Second key word. - * \param k2 Third key word. - * \param k3 Fourth key word. - */ -static void gift128b_compute_round_keys - (gift128b_key_schedule_t *ks, - uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3) -{ - unsigned index; - uint32_t temp; - - /* Set the regular key with k0 and k3 pre-swapped for the round function */ - ks->k[0] = k3; - ks->k[1] = k1; - ks->k[2] = k2; - ks->k[3] = k0; - - /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */ - for (index = 4; index < 20; index += 2) { - ks->k[index] = ks->k[index - 3]; - temp = ks->k[index - 4]; - temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - ks->k[index + 1] = temp; - } - for (index = 0; index < 20; index += 10) { - /* Keys 0 and 10 */ - temp = ks->k[index]; - gift128b_swap_move(temp, temp, 0x00550055U, 9); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index] = temp; - - /* Keys 1 and 11 */ - temp = ks->k[index + 1]; - gift128b_swap_move(temp, temp, 0x00550055U, 9); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 1] = temp; - - /* Keys 2 and 12 */ - temp = ks->k[index + 2]; - gift128b_swap_move(temp, temp, 0x11111111U, 3); - gift128b_swap_move(temp, temp, 0x03030303U, 6); - gift128b_swap_move(temp, 
temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 2] = temp; - - /* Keys 3 and 13 */ - temp = ks->k[index + 3]; - gift128b_swap_move(temp, temp, 0x11111111U, 3); - gift128b_swap_move(temp, temp, 0x03030303U, 6); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 3] = temp; - - /* Keys 4 and 14 */ - temp = ks->k[index + 4]; - gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 4] = temp; - - /* Keys 5 and 15 */ - temp = ks->k[index + 5]; - gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 5] = temp; - - /* Keys 6 and 16 */ - temp = ks->k[index + 6]; - gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); - gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 6] = temp; - - /* Keys 7 and 17 */ - temp = ks->k[index + 7]; - gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); - gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 7] = temp; - - /* Keys 8, 9, 18, and 19 do not need any adjustment */ - } - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - /* Derive the fixsliced keys for the remaining rounds 11..40 */ - for (index = 20; index < 80; index += 10) { - gift128b_derive_keys(ks->k + index, ks->k + index - 20); - } -#endif -} - -void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) -{ - gift128b_compute_round_keys - (ks, be_load_word32(key), be_load_word32(key + 4), - be_load_word32(key + 8), 
be_load_word32(key + 12));
-}
-
-void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key)
-{
- /* Use the little-endian key byte order from the HYENA submission */
- gift128b_compute_round_keys
- (ks, le_load_word32(key + 12), le_load_word32(key + 8),
- le_load_word32(key + 4), le_load_word32(key));
-}
-
-/**
- * \brief Performs the GIFT-128 S-box on the bit-sliced state.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_sbox(s0, s1, s2, s3) \
- do { \
- s1 ^= s0 & s2; \
- s0 ^= s1 & s3; \
- s2 ^= s0 | s1; \
- s3 ^= s2; \
- s1 ^= s3; \
- s3 ^= 0xFFFFFFFFU; \
- s2 ^= s0 & s1; \
- } while (0)
-
-/**
- * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_sbox(s0, s1, s2, s3) \
- do { \
- s2 ^= s3 & s1; \
- s0 ^= 0xFFFFFFFFU; \
- s1 ^= s0; \
- s0 ^= s2; \
- s2 ^= s3 | s1; \
- s3 ^= s1 & s0; \
- s1 ^= s3 & s2; \
- } while (0)
-
-/**
- * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_1(s0, s1, s2, s3) \
- do { \
- s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \
- s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \
- s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \
- } while (0);
-
-/**
- * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_2(s0, s1, s2, s3) \
- do { \
- s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \
- s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \
- s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \
- } while (0);
-
-/**
- * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_3(s0, s1, s2, s3) \
- do { \
- gift128b_swap_move(s1, s1, 0x55555555U, 1); \
- s2 = leftRotate16(s2); \
- gift128b_swap_move(s2, s2, 0x00005555U, 1); \
- s3 = leftRotate16(s3); \
- gift128b_swap_move(s3, s3, 0x55550000U, 1); \
- } while (0);
-
-/**
- * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_4(s0, s1, s2, s3) \
- do { \
- s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \
- s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \
- s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \
- } while (0);
-
-/**
- * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_permute_state_5(s0, s1, s2, s3) \
- do { \
- s1 = leftRotate16(s1); \
- s2 = rightRotate8(s2); \
- s3 = leftRotate8(s3); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \
- do { \
- s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \
- s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \
- s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \
- do { \
- s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \
- s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \
- s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \
- do { \
- gift128b_swap_move(s1, s1, 0x55555555U, 1); \
- gift128b_swap_move(s2, s2, 0x00005555U, 1); \
- s2 = leftRotate16(s2); \
- gift128b_swap_move(s3, s3, 0x55550000U, 1); \
- s3 = leftRotate16(s3); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \
- do { \
- s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \
- s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \
- s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \
- } while (0);
-
-/**
- * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds.
- *
- * \param s0 First word of the bit-sliced state.
- * \param s1 Second word of the bit-sliced state.
- * \param s2 Third word of the bit-sliced state.
- * \param s3 Fourth word of the bit-sliced state.
- */
-#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \
- do { \
- s1 = leftRotate16(s1); \
- s2 = leftRotate8(s2); \
- s3 = rightRotate8(s3); \
- } while (0);
-
-/**
- * \brief Performs five fixsliced encryption rounds for GIFT-128.
- *
- * \param rk Points to the 10 round keys for these rounds.
- * \param rc Points to the round constants for these rounds.
- *
- * We perform all 40 rounds of the fixsliced GIFT-128 five at a time.
- *
- * The permutation is restructured so that one of the words each round
- * does not need to be permuted, with the others rotating left, up, right,
- * and down to keep the bits in line with their non-moving counterparts.
- * This reduces the number of shifts required significantly.
- *
- * At the end of five rounds, the bit ordering will return to the
- * original position. We then repeat the process for the next 5 rounds.
- */
-#define gift128b_encrypt_5_rounds(rk, rc) \
- do { \
- /* 1st round - S-box, rotate left, add round key */ \
- gift128b_sbox(s0, s1, s2, s3); \
- gift128b_permute_state_1(s0, s1, s2, s3); \
- s1 ^= (rk)[0]; \
- s2 ^= (rk)[1]; \
- s0 ^= (rc)[0]; \
- \
- /* 2nd round - S-box, rotate up, add round key */ \
- gift128b_sbox(s3, s1, s2, s0); \
- gift128b_permute_state_2(s0, s1, s2, s3); \
- s1 ^= (rk)[2]; \
- s2 ^= (rk)[3]; \
- s3 ^= (rc)[1]; \
- \
- /* 3rd round - S-box, swap columns, add round key */ \
- gift128b_sbox(s0, s1, s2, s3); \
- gift128b_permute_state_3(s0, s1, s2, s3); \
- s1 ^= (rk)[4]; \
- s2 ^= (rk)[5]; \
- s0 ^= (rc)[2]; \
- \
- /* 4th round - S-box, rotate left and swap rows, add round key */ \
- gift128b_sbox(s3, s1, s2, s0); \
- gift128b_permute_state_4(s0, s1, s2, s3); \
- s1 ^= (rk)[6]; \
- s2 ^= (rk)[7]; \
- s3 ^= (rc)[3]; \
- \
- /* 5th round - S-box, rotate up, add round key */ \
- gift128b_sbox(s0, s1, s2, s3); \
- gift128b_permute_state_5(s0, s1, s2, s3); \
- s1 ^= (rk)[8]; \
- s2 ^= (rk)[9]; \
- s0 ^= (rc)[4]; \
- \
- /* Swap s0 and s3 in preparation for the next 1st round */ \
- s0 ^= s3; \
- s3 ^= s0; \
- s0 ^= s3; \
- } while (0)
-
-/**
- * \brief Performs five fixsliced decryption rounds for GIFT-128.
- *
- * \param rk Points to the 10 round keys for these rounds.
- * \param rc Points to the round constants for these rounds.
- *
- * We perform all 40 rounds of the fixsliced GIFT-128 five at a time.
- */
-#define gift128b_decrypt_5_rounds(rk, rc) \
- do { \
- /* Swap s0 and s3 in preparation for the next 5th round */ \
- s0 ^= s3; \
- s3 ^= s0; \
- s0 ^= s3; \
- \
- /* 5th round - S-box, rotate down, add round key */ \
- s1 ^= (rk)[8]; \
- s2 ^= (rk)[9]; \
- s0 ^= (rc)[4]; \
- gift128b_inv_permute_state_5(s0, s1, s2, s3); \
- gift128b_inv_sbox(s3, s1, s2, s0); \
- \
- /* 4th round - S-box, rotate right and swap rows, add round key */ \
- s1 ^= (rk)[6]; \
- s2 ^= (rk)[7]; \
- s3 ^= (rc)[3]; \
- gift128b_inv_permute_state_4(s0, s1, s2, s3); \
- gift128b_inv_sbox(s0, s1, s2, s3); \
- \
- /* 3rd round - S-box, swap columns, add round key */ \
- s1 ^= (rk)[4]; \
- s2 ^= (rk)[5]; \
- s0 ^= (rc)[2]; \
- gift128b_inv_permute_state_3(s0, s1, s2, s3); \
- gift128b_inv_sbox(s3, s1, s2, s0); \
- \
- /* 2nd round - S-box, rotate down, add round key */ \
- s1 ^= (rk)[2]; \
- s2 ^= (rk)[3]; \
- s3 ^= (rc)[1]; \
- gift128b_inv_permute_state_2(s0, s1, s2, s3); \
- gift128b_inv_sbox(s0, s1, s2, s3); \
- \
- /* 1st round - S-box, rotate right, add round key */ \
- s1 ^= (rk)[0]; \
- s2 ^= (rk)[1]; \
- s0 ^= (rc)[0]; \
- gift128b_inv_permute_state_1(s0, s1, s2, s3); \
- gift128b_inv_sbox(s3, s1, s2, s0); \
- } while (0)
-
-#else /* GIFT128_VARIANT_TINY */
-
-void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key)
-{
- /* Mirror the fixslicing word order of 3, 1, 2, 0 */
- ks->k[0] = be_load_word32(key + 12);
- ks->k[1] = be_load_word32(key + 4);
- ks->k[2] = be_load_word32(key + 8);
- ks->k[3] = be_load_word32(key);
-}
-
-void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key)
-{
- /* Use the little-endian key byte order from the HYENA submission
- * and mirror the fixslicing word order of 3, 1, 2, 0 */
- ks->k[0] = le_load_word32(key);
- ks->k[1] = le_load_word32(key + 8);
- ks->k[2] = le_load_word32(key + 4);
- ks->k[3] = le_load_word32(key + 12);
-}
-
-#endif /* GIFT128_VARIANT_TINY */
-
-#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL
-
-void
gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t k[20];
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_derive_keys(k, ks->k);
- gift128b_derive_keys(k + 10, ks->k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4])
-{
- uint32_t s0, s1, s2, s3;
- uint32_t k[20];
-
- /* Copy the plaintext into local variables */
- s0 = input[0];
- s1 = input[1];
- s2 = input[2];
- s3 = input[3];
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_derive_keys(k, ks->k);
- gift128b_derive_keys(k + 10, ks->k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
-
gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer */
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-}
-
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t k[20];
-
- /* Copy the plaintext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the last we add the tweak value to the state */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- s0 ^= tweak;
- gift128b_derive_keys(k, ks->k);
- gift128b_derive_keys(k + 10, ks->k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15);
- s0 ^= tweak;
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25);
- s0 ^= tweak;
- gift128b_derive_keys(k, k);
- gift128b_derive_keys(k + 10, k + 10);
- gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL
-
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(ks->k + 50,
GIFT128_RC_fixsliced + 25);
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4])
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the plaintext into local variables */
- s0 = input[0];
- s1 = input[1];
- s2 = input[2];
- s3 = input[3];
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer */
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-}
-
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the plaintext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the last we add the tweak value to the state */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#else /* GIFT128_VARIANT_TINY */
-
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* The key schedule is initialized with the key itself */
- w0 = ks->k[3];
- w1 = ks->k[1];
- w2 = ks->k[2];
- w3 = ks->k[0];
-
- /* Perform all 40 rounds */
- for (round = 0; round < 40; ++round) {
- /* SubCells - apply the S-box */
- s1 ^= s0 & s2;
- s0 ^= s1 & s3;
- s2 ^= s0 | s1;
- s3 ^= s2;
- s1 ^= s3;
- s3 ^= 0xFFFFFFFFU;
- s2 ^= s0 & s1;
- temp = s0;
- s0 = s3;
- s3 = temp;
-
- /* PermBits - apply the 128-bit permutation */
- PERM0(s0);
- PERM1(s1);
- PERM2(s2);
- PERM3(s3);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round];
-
- /* Rotate the key schedule */
- temp = w3;
- w3 = w2;
- w2 = w1;
- w1 = w0;
- w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- }
-
- /* Pack the state into the ciphertext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4])
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the plaintext into the state buffer */
- s0 = input[0];
- s1 = input[1];
- s2 = input[2];
- s3 = input[3];
-
- /* The key schedule is initialized with the key itself */
- w0 = ks->k[3];
- w1 = ks->k[1];
- w2 = ks->k[2];
- w3 = ks->k[0];
-
- /* Perform all 40 rounds */
- for (round = 0; round < 40; ++round) {
- /* SubCells - apply the S-box */
- s1 ^= s0 & s2;
- s0 ^= s1 & s3;
- s2 ^= s0 | s1;
- s3 ^= s2;
- s1 ^= s3;
- s3 ^= 0xFFFFFFFFU;
- s2 ^= s0 & s1;
- temp = s0;
- s0 = s3;
- s3 = temp;
-
- /* PermBits - apply the 128-bit permutation */
- PERM0(s0);
- PERM1(s1);
- PERM2(s2);
- PERM3(s3);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round];
-
- /* Rotate the key schedule */
- temp = w3;
- w3 = w2;
- w2 = w1;
- w1 = w0;
- w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- }
-
- /* Pack the state into the ciphertext buffer */
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-}
-
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the
plaintext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* The key schedule is initialized with the key itself */
- w0 = ks->k[3];
- w1 = ks->k[1];
- w2 = ks->k[2];
- w3 = ks->k[0];
-
- /* Perform all 40 rounds */
- for (round = 0; round < 40; ++round) {
- /* SubCells - apply the S-box */
- s1 ^= s0 & s2;
- s0 ^= s1 & s3;
- s2 ^= s0 | s1;
- s3 ^= s2;
- s1 ^= s3;
- s3 ^= 0xFFFFFFFFU;
- s2 ^= s0 & s1;
- temp = s0;
- s0 = s3;
- s3 = temp;
-
- /* PermBits - apply the 128-bit permutation */
- PERM0(s0);
- PERM1(s1);
- PERM2(s2);
- PERM3(s3);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round];
-
- /* AddTweak - XOR in the tweak every 5 rounds except the last */
- if (((round + 1) % 5) == 0 && round < 39)
- s0 ^= tweak;
-
- /* Rotate the key schedule */
- temp = w3;
- w3 = w2;
- w2 = w1;
- w1 = w0;
- w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- }
-
- /* Pack the state into the ciphertext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#endif /* GIFT128_VARIANT_TINY */
-
-#if GIFT128_VARIANT == GIFT128_VARIANT_FULL
-
-void gift128b_decrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_decrypt_5_rounds(ks->k +
70, GIFT128_RC_fixsliced + 35);
- gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
-
- /* Pack the state into the ciphertext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128t_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
-
- /* Copy the ciphertext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the first we add the tweak value to the state */
- gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- s0 ^= tweak;
- gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
-
- /* Pack the state into the plaintext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */
-
-/* The small variant uses fixslicing for encryption, but we need to change
- * to bitslicing for decryption because of the difficulty of fast-forwarding
- * the fixsliced key schedule to the end. So the tiny variant is used for
- * decryption when the small variant is selected. Since the NIST AEAD modes
- * for GIFT-128 only use the block encrypt operation, the inefficiencies
- * in decryption don't matter all that much */
-
-/**
- * \def gift128b_load_and_forward_schedule()
- * \brief Generate the decryption key at the end of the last round.
- *
- * To do that, we run the block operation forward to determine the
- * final state of the key schedule after the last round:
- *
- * w0 = ks->k[0];
- * w1 = ks->k[1];
- * w2 = ks->k[2];
- * w3 = ks->k[3];
- * for (round = 0; round < 40; ++round) {
- * temp = w3;
- * w3 = w2;
- * w2 = w1;
- * w1 = w0;
- * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- * }
- *
- * We can short-cut all of the above by noticing that we don't need
- * to do the word rotations. Every 4 rounds, the rotation alignment
- * returns to the original position and each word has been rotated
- * by applying the "2 right and 4 left" bit-rotation step to it.
- * We then repeat that 10 times for the full 40 rounds. The overall
- * effect is to apply a "20 right and 40 left" bit-rotation to every
- * word in the key schedule. That is equivalent to "4 right and 8 left"
- * on the 16-bit sub-words.
- */
-#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL
-#define gift128b_load_and_forward_schedule() \
- do { \
- w0 = ks->k[3]; \
- w1 = ks->k[1]; \
- w2 = ks->k[2]; \
- w3 = ks->k[0]; \
- w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \
- ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \
- w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \
- ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \
- w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \
- ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \
- w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \
- ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \
- } while (0)
-#else
-/* The small variant needs to also undo some of the rotations that were
- * done to generate the fixsliced version of the key schedule */
-#define gift128b_load_and_forward_schedule() \
- do { \
- w0 = ks->k[3]; \
- w1 = ks->k[1]; \
- w2 = ks->k[2]; \
- w3 = ks->k[0]; \
- gift128b_swap_move(w3, w3, 0x000000FFU, 24); \
-
gift128b_swap_move(w3, w3, 0x00003333U, 18); \
- gift128b_swap_move(w3, w3, 0x000F000FU, 12); \
- gift128b_swap_move(w3, w3, 0x00550055U, 9); \
- gift128b_swap_move(w1, w1, 0x000000FFU, 24); \
- gift128b_swap_move(w1, w1, 0x00003333U, 18); \
- gift128b_swap_move(w1, w1, 0x000F000FU, 12); \
- gift128b_swap_move(w1, w1, 0x00550055U, 9); \
- gift128b_swap_move(w2, w2, 0x000000FFU, 24); \
- gift128b_swap_move(w2, w2, 0x000F000FU, 12); \
- gift128b_swap_move(w2, w2, 0x03030303U, 6); \
- gift128b_swap_move(w2, w2, 0x11111111U, 3); \
- gift128b_swap_move(w0, w0, 0x000000FFU, 24); \
- gift128b_swap_move(w0, w0, 0x000F000FU, 12); \
- gift128b_swap_move(w0, w0, 0x03030303U, 6); \
- gift128b_swap_move(w0, w0, 0x11111111U, 3); \
- w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \
- ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \
- w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \
- ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \
- w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \
- ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \
- w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \
- ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \
- } while (0)
-#endif
-
-void gift128b_decrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the ciphertext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* Generate the decryption key at the end of the last round */
- gift128b_load_and_forward_schedule();
-
- /* Perform all 40 rounds */
- for (round = 40; round > 0; --round) {
- /* Rotate the key schedule backwards */
- temp = w0;
- w0 = w1;
- w1 = w2;
- w2 = w3;
- w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >>
14) |
- ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round - 1];
-
- /* InvPermBits - apply the inverse of the 128-bit permutation */
- INV_PERM0(s0);
- INV_PERM1(s1);
- INV_PERM2(s2);
- INV_PERM3(s3);
-
- /* InvSubCells - apply the inverse of the S-box */
- temp = s0;
- s0 = s3;
- s3 = temp;
- s2 ^= s0 & s1;
- s3 ^= 0xFFFFFFFFU;
- s1 ^= s3;
- s3 ^= s2;
- s2 ^= s0 | s1;
- s0 ^= s1 & s3;
- s1 ^= s0 & s2;
- }
-
- /* Pack the state into the plaintext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128t_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the plaintext into the state buffer and convert from nibbles */
- gift128n_to_words(output, input);
- s0 = be_load_word32(output);
- s1 = be_load_word32(output + 4);
- s2 = be_load_word32(output + 8);
- s3 = be_load_word32(output + 12);
-
- /* Generate the decryption key at the end of the last round */
- gift128b_load_and_forward_schedule();
-
- /* Perform all 40 rounds */
- for (round = 40; round > 0; --round) {
- /* Rotate the key schedule backwards */
- temp = w0;
- w0 = w1;
- w1 = w2;
- w2 = w3;
- w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) |
- ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12);
-
- /* AddTweak - XOR in the tweak every 5 rounds except the last */
- if ((round % 5) == 0 && round < 40)
- s0 ^= tweak;
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round - 1];
-
- /* InvPermBits - apply the inverse of the 128-bit permutation */
- INV_PERM0(s0);
- INV_PERM1(s1);
-
INV_PERM2(s2);
- INV_PERM3(s3);
-
- /* InvSubCells - apply the inverse of the S-box */
- temp = s0;
- s0 = s3;
- s3 = temp;
- s2 ^= s0 & s1;
- s3 ^= 0xFFFFFFFFU;
- s1 ^= s3;
- s3 ^= s2;
- s2 ^= s0 | s1;
- s0 ^= s1 & s3;
- s1 ^= s0 & s2;
- }
-
- /* Pack the state into the plaintext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */
-
-#endif /* !GIFT128_VARIANT_ASM */
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128.h
deleted file mode 100644
index f57d143..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128.h
+++ /dev/null
@@ -1,246 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_GIFT128_H
-#define LW_INTERNAL_GIFT128_H
-
-/**
- * \file internal-gift128.h
- * \brief GIFT-128 block cipher.
- *
- * There are three versions of GIFT-128 in use within the second round
- * submissions to the NIST lightweight cryptography competition.
- *
- * The most efficient version for 32-bit software implementation is the
- * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT.
- *
- * The second is the nibble-based version from HYENA. We implement the
- * HYENA version as a wrapper around the bit-sliced version.
- *
- * The third version is a variant on the HYENA nibble-based version that
- * includes a 4-bit tweak value for domain separation. It is used by
- * the ESTATE submission to NIST.
- *
- * Technically there is a fourth version of GIFT-128 which is the one that
- * appeared in the original GIFT-128 paper. It is almost the same as the
- * HYENA version except that the byte ordering is big-endian instead of
- * HYENA's little-endian. The original version of GIFT-128 doesn't appear
- * in any of the NIST submissions so we don't bother with it in this library.
- *
- * References: https://eprint.iacr.org/2017/622.pdf,
- * https://eprint.iacr.org/2020/412.pdf,
- * https://giftcipher.github.io/gift/
- */
-
-#include
-#include
-#include "internal-gift128-config.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of a GIFT-128 block in bytes.
- */
-#define GIFT128_BLOCK_SIZE 16
-
-/**
- * \var GIFT128_ROUND_KEYS
- * \brief Number of round keys for the GIFT-128 key schedule.
- */
-#if GIFT128_VARIANT == GIFT128_VARIANT_TINY
-#define GIFT128_ROUND_KEYS 4
-#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL
-#define GIFT128_ROUND_KEYS 20
-#else
-#define GIFT128_ROUND_KEYS 80
-#endif
-
-/**
- * \brief Structure of the key schedule for GIFT-128 (bit-sliced).
- */
-typedef struct
-{
- /** Pre-computed round keys for bit-sliced GIFT-128 */
- uint32_t k[GIFT128_ROUND_KEYS];
-
-} gift128b_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for GIFT-128 (bit-sliced).
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the 16 bytes of the key data.
- */
-void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version assumes that the input has already been pre-loaded from
- * big-endian into host byte order in the supplied word array. The output
- * is delivered in the same way.
- */
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4]);
-
-/**
- * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- */
-void gift128b_decrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Structure of the key schedule for GIFT-128 (nibble-based).
- */
-typedef gift128b_key_schedule_t gift128n_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for GIFT-128 (nibble-based).
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the 16 bytes of the key data.
- */
-void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void gift128n_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- */
-void gift128n_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */
-#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */
-#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */
-#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */
-#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */
-#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */
-#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */
-#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */
-#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */
-#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */
-#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */
-#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */
-#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */
-#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */
-#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */
-#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */
-#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */
-
-/**
- * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value expanded to 32-bit.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This variant of GIFT-128 is used by the ESTATE submission to the
- * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to
- * some of the rounds to provide domain separation. If the tweak is
- * zero, then this function is identical to gift128n_encrypt().
- */
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak);
-
-/**
- * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value expanded to 32-bit.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This variant of GIFT-128 is used by the ESTATE submission to the
- * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to
- * some of the rounds to provide domain separation. If the tweak is
- * zero, then this function is identical to gift128n_encrypt().
- */
-void gift128t_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128b-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128b-avr.S
deleted file mode 100644
index 641613a..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128b-avr.S
+++ /dev/null
@@ -1,2104 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 40 -table_0: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - .byte 26 - - .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+4,r18 - std Z+5,r19 - std Z+6,r20 - std Z+7,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+8,r18 - std Z+9,r19 - std Z+10,r20 - std Z+11,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+12,r18 - std Z+13,r19 - std Z+14,r20 - std Z+15,r21 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd 
r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - mov r16,r1 -46: - rcall 199f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - rcall 199f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - rcall 199f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - rcall 199f - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - 
rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - ldi r17,40 - cpse r16,r17 - rjmp 46b - rjmp 548f -199: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - movw r18,r22 - movw r20,r2 - mov r0,r4 - and r0,r18 - eor r8,r0 - mov r0,r5 - and r0,r19 - eor r9,r0 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - movw r22,r12 - movw r2,r14 - movw r12,r18 - movw r14,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r2,0 - bld r22,4 - bst r22,2 - bld r2,0 - bst r23,0 - bld r22,2 - bst r22,3 - bld r23,0 - bst r23,4 - bld r22,3 - bst r2,3 - bld r23,4 - bst r23,6 - bld r2,3 - bst r3,3 - bld r23,6 - bst r23,5 - bld r3,3 - bst r2,7 - bld r23,5 - bst r3,6 - bld r2,7 - bst r3,1 - bld r3,6 - bst r22,5 - bld r3,1 - bst r2,4 - bld r22,5 - bst r2,2 - bld r2,4 - bst r23,2 - bld r2,2 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r3,7 - bld r23,7 - bst r3,5 - bld r3,7 - bst r2,5 - bld r3,5 - bst r2,6 - bld r2,5 - bst r3,2 - bld r2,6 - bst r23,1 - bld r3,2 - bst r22,7 - bld r23,1 - bst r3,4 - bld r22,7 - bst r2,1 - bld r3,4 - bst r22,6 - bld r2,1 - bst r3,0 - bld r22,6 - bst r0,0 - bld r3,0 - bst r4,0 - bld r0,0 - bst r4,1 - bld r4,0 - bst r4,5 - bld r4,1 - bst r6,5 - bld r4,5 - bst r6,7 - bld r6,5 - bst r7,7 - bld 
r6,7 - bst r7,6 - bld r7,7 - bst r7,2 - bld r7,6 - bst r5,2 - bld r7,2 - bst r5,0 - bld r5,2 - bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,1 - bld r4,2 - bst r4,4 - bld r5,1 - bst r6,1 - bld r4,4 - bst r4,7 - bld r6,1 - bst r7,5 - bld r4,7 - bst r6,6 - bld r7,5 - bst r7,3 - bld r6,6 - bst r5,6 - bld r7,3 - bst r7,0 - bld r5,6 - bst r0,0 - bld r7,0 - bst r4,3 - bld r0,0 - bst r5,5 - bld r4,3 - bst r6,4 - bld r5,5 - bst r6,3 - bld r6,4 - bst r5,7 - bld r6,3 - bst r7,4 - bld r5,7 - bst r6,2 - bld r7,4 - bst r5,3 - bld r6,2 - bst r5,4 - bld r5,3 - bst r6,0 - bld r5,4 - bst r0,0 - bld r6,0 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r8,2 - bld r8,0 - bst r9,2 - bld r8,2 - bst r9,1 - bld r9,2 - bst r8,5 - bld r9,1 - bst r10,6 - bld r8,5 - bst r11,0 - bld r10,6 - bst r8,3 - bld r11,0 - bst r9,6 - bld r8,3 - bst r11,1 - bld r9,6 - bst r8,7 - bld r11,1 - bst r11,6 - bld r8,7 - bst r11,3 - bld r11,6 - bst r9,7 - bld r11,3 - bst r11,5 - bld r9,7 - bst r10,7 - bld r11,5 - bst r11,4 - bld r10,7 - bst r10,3 - bld r11,4 - bst r9,4 - bld r10,3 - bst r10,1 - bld r9,4 - bst r8,4 - bld r10,1 - bst r10,2 - bld r8,4 - bst r9,0 - bld r10,2 - bst r8,1 - bld r9,0 - bst r8,6 - bld r8,1 - bst r11,2 - bld r8,6 - bst r9,3 - bld r11,2 - bst r9,5 - bld r9,3 - bst r10,5 - bld r9,5 - bst r10,4 - bld r10,5 - bst r10,0 - bld r10,4 - bst r0,0 - bld r10,0 - bst r12,0 - bld r0,0 - bst r12,3 - bld r12,0 - bst r13,7 - bld r12,3 - bst r15,6 - bld r13,7 - bst r15,0 - bld r15,6 - bst r0,0 - bld r15,0 - bst r12,1 - bld r0,0 - bst r12,7 - bld r12,1 - bst r15,7 - bld r12,7 - bst r15,4 - bld r15,7 - bst r14,0 - bld r15,4 - bst r0,0 - bld r14,0 - bst r12,2 - bld r0,0 - bst r13,3 - bld r12,2 - bst r13,6 - bld r13,3 - bst r15,2 - bld r13,6 - bst r13,0 - bld r15,2 - bst r0,0 - bld r13,0 - bst r12,4 - bld r0,0 - bst r14,3 - bld r12,4 - bst r13,5 - bld r14,3 - bst r14,6 - bld r13,5 - bst r15,1 - bld r14,6 - bst r0,0 - bld r15,1 - bst r12,5 - bld r0,0 - bst 
r14,7 - bld r12,5 - bst r15,5 - bld r14,7 - bst r14,4 - bld r15,5 - bst r14,1 - bld r14,4 - bst r0,0 - bld r14,1 - bst r12,6 - bld r0,0 - bst r15,3 - bld r12,6 - bst r13,4 - bld r15,3 - bst r14,2 - bld r13,4 - bst r13,1 - bld r14,2 - bst r0,0 - bld r13,1 - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r16 - ret -548: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 
- std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - mov r16,r1 -46: - rcall 199f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - rcall 199f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - rcall 199f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - rcall 199f - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror 
r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - ldi r17,40 - cpse r16,r17 - rjmp 46b - rjmp 548f -199: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - movw r18,r22 - movw r20,r2 - mov r0,r4 - and r0,r18 - eor r8,r0 - mov r0,r5 - and r0,r19 - eor r9,r0 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - movw r22,r12 - movw r2,r14 - movw r12,r18 - movw r14,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r2,0 - bld r22,4 - bst r22,2 - bld r2,0 - bst r23,0 - bld r22,2 - bst r22,3 - bld r23,0 - bst r23,4 - bld r22,3 - bst r2,3 - bld r23,4 - bst r23,6 - bld r2,3 - bst r3,3 - bld r23,6 - bst r23,5 - bld r3,3 - bst r2,7 - bld r23,5 - bst r3,6 - bld r2,7 - bst r3,1 - bld r3,6 - bst r22,5 - bld r3,1 - bst r2,4 - bld r22,5 - bst r2,2 - bld r2,4 - bst r23,2 - bld r2,2 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r3,7 - bld r23,7 - bst r3,5 - bld r3,7 - bst r2,5 - bld r3,5 - bst r2,6 - bld r2,5 - bst r3,2 - bld r2,6 - bst r23,1 - bld r3,2 - bst r22,7 - bld r23,1 - bst r3,4 - bld r22,7 - bst r2,1 - bld r3,4 - bst r22,6 - bld r2,1 - bst r3,0 - bld r22,6 - bst r0,0 - bld r3,0 - bst r4,0 - bld r0,0 - bst r4,1 - bld r4,0 - bst r4,5 - bld r4,1 - bst r6,5 - bld r4,5 - bst r6,7 - bld r6,5 - bst r7,7 - bld r6,7 - bst r7,6 - bld r7,7 - bst r7,2 - bld r7,6 - bst r5,2 - bld r7,2 - bst r5,0 - bld r5,2 - 
bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,1 - bld r4,2 - bst r4,4 - bld r5,1 - bst r6,1 - bld r4,4 - bst r4,7 - bld r6,1 - bst r7,5 - bld r4,7 - bst r6,6 - bld r7,5 - bst r7,3 - bld r6,6 - bst r5,6 - bld r7,3 - bst r7,0 - bld r5,6 - bst r0,0 - bld r7,0 - bst r4,3 - bld r0,0 - bst r5,5 - bld r4,3 - bst r6,4 - bld r5,5 - bst r6,3 - bld r6,4 - bst r5,7 - bld r6,3 - bst r7,4 - bld r5,7 - bst r6,2 - bld r7,4 - bst r5,3 - bld r6,2 - bst r5,4 - bld r5,3 - bst r6,0 - bld r5,4 - bst r0,0 - bld r6,0 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r8,2 - bld r8,0 - bst r9,2 - bld r8,2 - bst r9,1 - bld r9,2 - bst r8,5 - bld r9,1 - bst r10,6 - bld r8,5 - bst r11,0 - bld r10,6 - bst r8,3 - bld r11,0 - bst r9,6 - bld r8,3 - bst r11,1 - bld r9,6 - bst r8,7 - bld r11,1 - bst r11,6 - bld r8,7 - bst r11,3 - bld r11,6 - bst r9,7 - bld r11,3 - bst r11,5 - bld r9,7 - bst r10,7 - bld r11,5 - bst r11,4 - bld r10,7 - bst r10,3 - bld r11,4 - bst r9,4 - bld r10,3 - bst r10,1 - bld r9,4 - bst r8,4 - bld r10,1 - bst r10,2 - bld r8,4 - bst r9,0 - bld r10,2 - bst r8,1 - bld r9,0 - bst r8,6 - bld r8,1 - bst r11,2 - bld r8,6 - bst r9,3 - bld r11,2 - bst r9,5 - bld r9,3 - bst r10,5 - bld r9,5 - bst r10,4 - bld r10,5 - bst r10,0 - bld r10,4 - bst r0,0 - bld r10,0 - bst r12,0 - bld r0,0 - bst r12,3 - bld r12,0 - bst r13,7 - bld r12,3 - bst r15,6 - bld r13,7 - bst r15,0 - bld r15,6 - bst r0,0 - bld r15,0 - bst r12,1 - bld r0,0 - bst r12,7 - bld r12,1 - bst r15,7 - bld r12,7 - bst r15,4 - bld r15,7 - bst r14,0 - bld r15,4 - bst r0,0 - bld r14,0 - bst r12,2 - bld r0,0 - bst r13,3 - bld r12,2 - bst r13,6 - bld r13,3 - bst r15,2 - bld r13,6 - bst r13,0 - bld r15,2 - bst r0,0 - bld r13,0 - bst r12,4 - bld r0,0 - bst r14,3 - bld r12,4 - bst r13,5 - bld r14,3 - bst r14,6 - bld r13,5 - bst r15,1 - bld r14,6 - bst r0,0 - bld r15,1 - bst r12,5 - bld r0,0 - bst r14,7 - bld r12,5 - bst r15,5 - bld r14,7 - bst r14,4 - bld r15,5 - bst r14,1 - bld r14,4 - bst 
r0,0 - bld r14,1 - bst r12,6 - bld r0,0 - bst r15,3 - bld r12,6 - bst r13,4 - bld r15,3 - bst r14,2 - bld r13,4 - bst r13,1 - bld r14,2 - bst r0,0 - bld r13,1 - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r16 - ret -548: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd 
r24,Z+6 - ldd r25,Z+7 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -114: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 
- std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - cpse r16,r1 - rjmp 114b - rjmp 611f -266: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld 
r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 - bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - 
bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -611: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128b-full-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128b-full-avr.S deleted file mode 100644 index ff11875..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128b-full-avr.S +++ /dev/null 
@@ -1,5037 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - -#include "internal-gift128-config.h" - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 160 -table_0: - .byte 8 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 128 - .byte 1 - .byte 128 - .byte 2 - .byte 0 - .byte 0 - .byte 84 - .byte 129 - .byte 1 - .byte 1 - .byte 1 - .byte 31 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 136 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 81 - .byte 128 - .byte 1 - .byte 3 - .byte 3 - .byte 47 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 96 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 65 - .byte 128 - .byte 0 - .byte 3 - .byte 3 - .byte 39 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 64 - .byte 2 - .byte 0 - .byte 80 - .byte 17 - .byte 128 - .byte 1 - .byte 2 - .byte 3 - .byte 43 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 8 - .byte 8 - .byte 16 - .byte 0 - .byte 64 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 64 - .byte 1 - .byte 128 - .byte 0 - .byte 2 - .byte 2 - .byte 33 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 192 - .byte 1 - .byte 0 - .byte 2 - .byte 0 - .byte 0 - .byte 81 - .byte 128 - .byte 1 - .byte 1 - .byte 3 - .byte 46 - .byte 0 - .byte 0 - .byte 128 - .byte 0 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 32 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 64 - .byte 128 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 0 - .byte 0 - .byte 128 - .byte 8 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 160 - .byte 1 - .byte 192 - .byte 2 - .byte 0 - .byte 80 - .byte 20 - .byte 129 - .byte 1 - .byte 2 - .byte 1 - .byte 26 - .byte 0 - .byte 0 - .byte 128 - 
- .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 - movw r26,r22 -.L__stack_usage = 18 - ld r13,X+ - ld r12,X+ - ld r11,X+ - ld r10,X+ - ld r5,X+ - ld r4,X+ - ld r3,X+ - ld r2,X+ - ld r9,X+ - ld r8,X+ - ld r7,X+ - ld r6,X+ - ld r29,X+ - ld r28,X+ - ld r23,X+ - ld r22,X+ - st Z+,r22 - st Z+,r23 - st Z+,r28 - st Z+,r29 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - ldi r24,4 -33: - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r29 - ror r28 - ror r0 - lsr r29 - ror r28 - ror r0 - or r29,r0 - st Z+,r22 - st Z+,r23 - st Z+,r28 - st Z+,r29 - mov r0,r22 - mov r22,r2 - mov r2,r0 - mov r0,r23 - mov r23,r3 - mov r3,r0 - mov r0,r28 - mov r28,r4 - mov r4,r0 - mov r0,r29 - mov r29,r5 - mov r5,r0 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - mov r0,r6 - mov r6,r10 - mov r10,r0 - mov r0,r7 - mov r7,r11 - mov r11,r0 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - dec r24 - breq 5115f - rjmp 33b -5115: - subi r30,80 - sbc r31,r1 - ldi r24,2 -119: - ld r22,Z - ldd r23,Z+1 - ldd r28,Z+2 - ldd r29,Z+3 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor 
r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - st Z,r29 - std Z+1,r23 - std Z+2,r28 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r28,Z+6 - ldd r29,Z+7 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror 
r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+4,r29 - std Z+5,r23 - std Z+6,r28 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r28,Z+10 - ldd r29,Z+11 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - 
ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+8,r29 - std Z+9,r23 - std Z+10,r28 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r28,Z+14 - ldd r29,Z+15 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 
- eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+12,r29 - std Z+13,r23 - std Z+14,r28 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r28,Z+18 - ldd r29,Z+19 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - 
mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+16,r29 - std Z+17,r23 - std Z+18,r28 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r28,Z+22 - ldd r29,Z+23 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+20,r29 - std Z+21,r23 - std Z+22,r28 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r28,Z+26 - ldd r29,Z+27 - movw r18,r22 - 
movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+24,r29 - std Z+25,r23 - std Z+26,r28 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r28,Z+30 - ldd r29,Z+31 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor 
r20,r28 - eor r21,r29 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+28,r29 - std Z+29,r23 - std Z+30,r28 - std Z+31,r22 - dec r24 - breq 1268f - adiw r30,40 - rjmp 119b -1268: - adiw r30,40 - movw r26,r30 - subi r26,80 - sbc r27,r1 - ldi r24,6 -1274: - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - movw r18,r2 - movw r20,r4 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r2 - eor r19,r3 - andi r18,51 - andi r19,51 - eor r2,r18 - eor r3,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - 
mov r18,r1 - mov r19,r1 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - movw r18,r2 - movw r20,r4 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - st Z,r2 - std Z+1,r3 - std Z+2,r4 - std Z+3,r5 - movw r18,r22 - movw r20,r28 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - andi r28,204 - andi r29,204 - or r28,r21 - or r29,r18 - or r22,r19 - or r23,r20 - movw r18,r28 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r28 - eor r19,r29 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r28,r18 - eor r29,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r28,r18 - eor r29,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r28 - std Z+5,r29 - std Z+6,r22 - std Z+7,r23 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - swap r3 - lsl r4 - adc r4,r1 - lsl r4 - adc r4,r1 - swap r5 - std Z+8,r2 - std Z+9,r3 - std Z+10,r4 - std Z+11,r5 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r28 - adc r28,r1 - lsl r28 - adc r28,r1 - lsl r28 - adc r28,r1 - lsl r29 - adc r29,r1 - lsl r29 - adc r29,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r28 - std Z+15,r29 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - movw r18,r2 - movw r20,r4 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - ldi r25,85 - and r2,r25 - and r3,r25 - and r4,r25 - and r5,r25 - or r2,r19 - or r3,r20 - or r4,r21 - or r5,r18 - std Z+16,r4 - std Z+17,r5 - std Z+18,r2 - std Z+19,r3 - movw r18,r22 - movw r20,r28 - andi r18,85 - andi r19,85 - andi r20,85 - andi 
r21,85 - andi r22,170 - andi r23,170 - andi r28,170 - andi r29,170 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - or r22,r18 - or r23,r19 - or r28,r20 - or r29,r21 - std Z+20,r29 - std Z+21,r22 - std Z+22,r23 - std Z+23,r28 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - movw r18,r2 - movw r20,r4 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - movw r18,r2 - movw r20,r4 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r14,r18 - movw r16,r20 - lsr r17 - ror r16 - ror r15 - ror r14 - lsr r17 - ror r16 - ror r15 - ror r14 - lsr r17 - ror r16 - ror r15 - ror r14 - lsr r17 - ror r16 - ror r15 - ror r14 - eor r14,r18 - eor r15,r19 - eor r16,r20 - eor r17,r21 - ldi r25,8 - and r14,r25 - and r15,r25 - andi r16,8 - andi r17,8 - eor r18,r14 - eor r19,r15 - eor r20,r16 - eor r21,r17 - lsl r14 - rol r15 - rol r16 - rol r17 - lsl r14 - rol r15 - rol r16 - rol r17 - lsl r14 - rol r15 - rol r16 - rol r17 - lsl r14 - rol r15 - rol r16 - rol r17 - eor r18,r14 - eor r19,r15 - eor r20,r16 - eor r21,r17 - ldi r17,15 - and r2,r17 - and r3,r17 - and r4,r17 - and r5,r17 - or r2,r18 - or r3,r19 - or r4,r20 - or r5,r21 - std Z+24,r2 - std Z+25,r3 - std Z+26,r4 - std Z+27,r5 - movw r18,r28 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r2,r22 - movw r4,r28 - ldi r16,1 - and r2,r16 - and r3,r16 - and r4,r16 - and r5,r16 - lsl r2 - rol r3 - rol r4 - rol r5 - lsl r2 - rol r3 - rol r4 - 
rol r5 - lsl r2 - rol r3 - rol r4 - rol r5 - or r2,r18 - or r3,r19 - movw r18,r28 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r2,r18 - or r3,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r4,r18 - or r5,r19 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r2,r18 - or r3,r19 - or r4,r20 - or r5,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r4,r22 - or r5,r23 - std Z+28,r2 - std Z+29,r3 - std Z+30,r4 - std Z+31,r5 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - mov r0,r1 - lsr r5 - ror r4 - ror r0 - lsr r5 - ror r4 - ror r0 - lsr r5 - ror r4 - ror r0 - lsr r5 - ror r4 - ror r0 - or r5,r0 - std Z+32,r3 - std Z+33,r2 - std Z+34,r4 - std Z+35,r5 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r28 - mov r28,r29 - mov r29,r0 - lsl r28 - rol r29 - adc r28,r1 - lsl r28 - rol r29 - adc r28,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r28 - std Z+39,r29 - dec r24 - breq 1733f - adiw r30,40 - rjmp 1274b -1733: - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e -.L__stack_usage = 19 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld 
r13,X+ - ld r12,X+ - movw r26,r30 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rjmp 765f -27: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror 
r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - 
ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 
- and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - 
mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov 
r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -765: -#if defined(RAMPZ) 
- pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+1 - ldd r27,Y+2 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - pop r0 - pop r0 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e -.L__stack_usage = 19 - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - movw r26,r30 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rjmp 765f -27: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov 
r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z 
-#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld 
r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - 
ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - 
eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -765: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+1 - ldd r27,Y+2 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - pop r0 - pop r0 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e -.L__stack_usage = 19 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld 
r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - movw r26,r30 - subi r26,192 - sbci r27,254 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,160 - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rjmp 768f -30: - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - mov r0,r12 - mov r12,r13 - mov r13,r14 - mov r14,r15 - mov r15,r0 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 
- eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r1 - lsr r22 - ror r0 - lsr r22 - ror r0 - or r22,r0 - mov r0,r1 - lsr r23 - ror r0 - lsr r23 - ror r0 - or r23,r0 - mov r0,r1 - lsr r2 - ror r0 - lsr r2 - ror r0 - or r2,r0 - mov r0,r1 - lsr r3 - ror r0 - lsr r3 - ror r0 - or r3,r0 - swap r4 - swap r5 - swap r6 - swap r7 - lsl r8 - adc r8,r1 - lsl r8 - adc r8,r1 - lsl r9 - adc r9,r1 - lsl r9 - adc r9,r1 - lsl r10 - adc r10,r1 - lsl r10 - adc r10,r1 - lsl r11 - adc r11,r1 - lsl r11 - adc r11,r1 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - com r22 - 
com r23 - com r2 - com r3 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - 
rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor 
r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - com r22 - com r23 - com r2 - com r3 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z 
-#else - lpm - mov r18,r0 -#endif - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,119 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r15 - ror r14 - ror r13 - ror r12 - lsr r15 - ror r14 - ror r13 - ror r12 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,17 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor 
r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -768: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+1 - ldd r27,Y+2 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - pop r0 - pop r0 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128b-small-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128b-small-avr.S deleted file mode 100644 index 77ef9fd..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128b-small-avr.S +++ /dev/null 
@@ -1,6053 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - -#include "internal-gift128-config.h" - -#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 160 -table_0: - .byte 8 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 128 - .byte 1 - .byte 128 - .byte 2 - .byte 0 - .byte 0 - .byte 84 - .byte 129 - .byte 1 - .byte 1 - .byte 1 - .byte 31 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 136 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 81 - .byte 128 - .byte 1 - .byte 3 - .byte 3 - .byte 47 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 96 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 65 - .byte 128 - .byte 0 - .byte 3 - .byte 3 - .byte 39 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 64 - .byte 2 - .byte 0 - .byte 80 - .byte 17 - .byte 128 - .byte 1 - .byte 2 - .byte 3 - .byte 43 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 8 - .byte 8 - .byte 16 - .byte 0 - .byte 64 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 64 - .byte 1 - .byte 128 - .byte 0 - .byte 2 - .byte 2 - .byte 33 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 192 - .byte 1 - .byte 0 - .byte 2 - .byte 0 - .byte 0 - .byte 81 - .byte 128 - .byte 1 - .byte 1 - .byte 3 - .byte 46 - .byte 0 - .byte 0 - .byte 128 - .byte 0 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 32 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 64 - .byte 128 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 0 - .byte 0 - .byte 128 - .byte 8 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 160 - .byte 1 - .byte 192 - .byte 2 - .byte 0 - .byte 80 - .byte 20 - .byte 129 - .byte 1 - .byte 2 - .byte 1 - .byte 26 - .byte 0 - .byte 0 - .byte 128 - 
- .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - movw r30,r24 - movw r26,r22 -.L__stack_usage = 16 - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - ldi r24,4 -33: - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - mov r0,r22 - mov r22,r4 - mov r4,r0 - mov r0,r23 - mov r23,r5 - mov r5,r0 - mov r0,r2 - mov r2,r6 - mov r6,r0 - mov r0,r3 - mov r3,r7 - mov r7,r0 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - mov r0,r10 - mov r10,r14 - mov r14,r0 - mov r0,r11 - mov r11,r15 - mov r15,r0 - dec r24 - breq 5115f - rjmp 33b -5115: - subi r30,80 - sbc r31,r1 - ldi r24,2 -119: - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 
- mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - st Z,r3 - std Z+1,r23 - std Z+2,r2 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 
- ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+4,r3 - std Z+5,r23 - std Z+6,r2 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 
- mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+8,r3 - std Z+9,r23 - std Z+10,r2 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 
- lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+12,r3 - std Z+13,r23 - std Z+14,r2 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol 
r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r3 - std Z+17,r23 - std Z+18,r2 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+20,r3 - std Z+21,r23 - std Z+22,r2 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - 
eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+24,r3 - std Z+25,r23 - std Z+26,r2 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r2,Z+30 - ldd r3,Z+31 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 
- rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+28,r3 - std Z+29,r23 - std Z+30,r2 - std Z+31,r22 - dec r24 - breq 1268f - adiw r30,40 - rjmp 119b -1268: - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in 
r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ldi r24,20 -1: - ld r22,Z+ - ld r23,Z+ - ld r2,Z+ - ld r3,Z+ - std Y+1,r22 - std Y+2,r23 - std Y+3,r2 - std Y+4,r3 - adiw r28,4 - dec r24 - brne 1b - subi r28,80 - sbc r29,r1 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out 
_SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 73f - rcall 73f - rjmp 1285f -73: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 
- andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov 
r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - 
and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov 
r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - 
eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - 
eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -811: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc r26,r1 - lsl r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc 
r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - 
lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -1285: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc 
r29,r1 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ldi r24,20 -1: - ld r22,Z+ - ld r23,Z+ - ld r2,Z+ - ld r3,Z+ - std Y+1,r22 - std Y+2,r23 - std Y+3,r2 - std Y+4,r3 - adiw r28,4 - dec r24 - brne 1b - subi r28,80 - sbc r29,r1 - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if 
defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 73f - rcall 73f - rjmp 1285f -73: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and 
r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - 
eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif 
defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor 
r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - 
lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - 
ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -811: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and 
r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc r26,r1 - lsl r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw 
r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or 
r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -1285: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc r29,r1 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_1, @object - .size table_1, 40 -table_1: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - 
.byte 26 - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor 
r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - 
mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw 
r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - 
mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r17,hh8(table_1) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -678: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 
- adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - cpse r16,r1 - rjmp 678b - rjmp 1175f -830: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 
- bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw 
r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -1175: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128b-tiny-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128b-tiny-avr.S deleted file mode 100644 index e7a03f1..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-gift128b-tiny-avr.S +++ /dev/null 
@@ -1,6766 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - -#include "internal-gift128-config.h" - -#if GIFT128_VARIANT == GIFT128_VARIANT_TINY - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 160 -table_0: - .byte 8 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 128 - .byte 1 - .byte 128 - .byte 2 - .byte 0 - .byte 0 - .byte 84 - .byte 129 - .byte 1 - .byte 1 - .byte 1 - .byte 31 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 136 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 81 - .byte 128 - .byte 1 - .byte 3 - .byte 3 - .byte 47 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 96 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 65 - .byte 128 - .byte 0 - .byte 3 - .byte 3 - .byte 39 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 64 - .byte 2 - .byte 0 - .byte 80 - .byte 17 - .byte 128 - .byte 1 - .byte 2 - .byte 3 - .byte 43 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 8 - .byte 8 - .byte 16 - .byte 0 - .byte 64 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 64 - .byte 1 - .byte 128 - .byte 0 - .byte 2 - .byte 2 - .byte 33 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 192 - .byte 1 - .byte 0 - .byte 2 - .byte 0 - .byte 0 - .byte 81 - .byte 128 - .byte 1 - .byte 1 - .byte 3 - .byte 46 - .byte 0 - .byte 0 - .byte 128 - .byte 0 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 32 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 64 - .byte 128 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 0 - .byte 0 - .byte 128 - .byte 8 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 160 - .byte 1 - .byte 192 - .byte 2 - .byte 0 - .byte 80 - .byte 20 - .byte 129 - .byte 1 - .byte 2 - .byte 1 - .byte 26 - .byte 0 - .byte 0 - .byte 128 - 
- .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - movw r30,r24 - movw r26,r22 -.L__stack_usage = 16 - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - st Z,r22 - std Z+1,r23 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - movw r30,r28 - adiw r30,1 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - ldi r24,4 -35: - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - 
lsr r3 - ror r2 - ror r0 - or r3,r0 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - mov r0,r22 - mov r22,r4 - mov r4,r0 - mov r0,r23 - mov r23,r5 - mov r5,r0 - mov r0,r2 - mov r2,r6 - mov r6,r0 - mov r0,r3 - mov r3,r7 - mov r7,r0 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - mov r0,r10 - mov r10,r14 - mov r14,r0 - mov r0,r11 - mov r11,r15 - mov r15,r0 - dec r24 - breq 5117f - rjmp 35b -5117: - subi r30,80 - sbc r31,r1 - ldi r24,2 -121: - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 
- lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - st Z,r3 - std Z+1,r23 - std Z+2,r2 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor 
r2,r20 - eor r3,r21 - std Z+4,r3 - std Z+5,r23 - std Z+6,r2 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+8,r3 - std Z+9,r23 - std Z+10,r2 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - movw r18,r22 - 
movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+12,r3 - std Z+13,r23 - std Z+14,r2 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - 
andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r3 - std Z+17,r23 - std Z+18,r2 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor 
r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+20,r3 - std Z+21,r23 - std Z+22,r2 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor 
r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+24,r3 - std Z+25,r23 - std Z+26,r2 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r2,Z+30 - ldd r3,Z+31 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 
- ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+28,r3 - std Z+29,r23 - std Z+30,r2 - std Z+31,r22 - dec r24 - breq 1270f - adiw r30,40 - rjmp 121b -1270: - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in 
r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 1329f - rcall 1329f - rjmp 2541f -1329: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - 
ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 
- com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov 
r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - 
lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - 
elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if 
defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -2067: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc r26,r1 - lsl 
r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - 
ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 - rol r3 - 
adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -2541: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc r29,r1 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - movw r30,r28 - adiw r30,1 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - ldi r24,4 -35: - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r3 - 
ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - mov r0,r22 - mov r22,r4 - mov r4,r0 - mov r0,r23 - mov r23,r5 - mov r5,r0 - mov r0,r2 - mov r2,r6 - mov r6,r0 - mov r0,r3 - mov r3,r7 - mov r7,r0 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - mov r0,r10 - mov r10,r14 - mov r14,r0 - mov r0,r11 - mov r11,r15 - mov r15,r0 - dec r24 - breq 5117f - rjmp 35b -5117: - subi r30,80 - sbc r31,r1 - ldi r24,2 -121: - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov 
r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - st Z,r3 - std Z+1,r23 - std Z+2,r2 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - 
eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+4,r3 - std Z+5,r23 - std Z+6,r2 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+8,r3 - std Z+9,r23 - std Z+10,r2 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - 
movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+12,r3 - std Z+13,r23 - std Z+14,r2 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - 
andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r3 - std Z+17,r23 - std Z+18,r2 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor 
r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+20,r3 - std Z+21,r23 - std Z+22,r2 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor 
r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+24,r3 - std Z+25,r23 - std Z+26,r2 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r2,Z+30 - ldd r3,Z+31 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror 
r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+28,r3 - std Z+29,r23 - std Z+30,r2 - std Z+31,r22 - dec r24 - breq 1270f - adiw r30,40 - rjmp 121b -1270: - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - 
in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 1329f - rcall 1329f - rjmp 2541f -1329: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 
- ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor 
r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - 
mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z 
-#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if 
defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - 
inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -2067: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc 
r26,r1 - lsl r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 
- lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 
- rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -2541: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc r29,r1 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_1, @object - .size table_1, 40 -table_1: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - .byte 26 - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld 
r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r17,hh8(table_1) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -114: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 
- ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - cpse r16,r1 - rjmp 114b - rjmp 611f -266: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst 
r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 - bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst 
r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -611: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif - -#endif 
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-util.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate 
by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define 
rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define 
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) 
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of 
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | 
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/sundae-gift.c b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/sundae-gift.c
deleted file mode 100644
index d192b8e..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/sundae-gift.c
+++ /dev/null 
@@ -1,356 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE. 
- */
-
-#include "sundae-gift.h"
-#include "internal-gift128.h"
-#include "internal-util.h"
-#include 
-
-aead_cipher_t const sundae_gift_0_cipher = {
- "SUNDAE-GIFT-0",
- SUNDAE_GIFT_KEY_SIZE,
- SUNDAE_GIFT_0_NONCE_SIZE,
- SUNDAE_GIFT_TAG_SIZE,
- AEAD_FLAG_NONE,
- sundae_gift_0_aead_encrypt,
- sundae_gift_0_aead_decrypt
-};
-
-aead_cipher_t const sundae_gift_64_cipher = {
- "SUNDAE-GIFT-64",
- SUNDAE_GIFT_KEY_SIZE,
- SUNDAE_GIFT_64_NONCE_SIZE,
- SUNDAE_GIFT_TAG_SIZE,
- AEAD_FLAG_NONE,
- sundae_gift_64_aead_encrypt,
- sundae_gift_64_aead_decrypt
-};
-
-aead_cipher_t const sundae_gift_96_cipher = {
- "SUNDAE-GIFT-96",
- SUNDAE_GIFT_KEY_SIZE,
- SUNDAE_GIFT_96_NONCE_SIZE,
- SUNDAE_GIFT_TAG_SIZE,
- AEAD_FLAG_NONE,
- sundae_gift_96_aead_encrypt,
- sundae_gift_96_aead_decrypt
-};
-
-aead_cipher_t const sundae_gift_128_cipher = {
- "SUNDAE-GIFT-128",
- SUNDAE_GIFT_KEY_SIZE,
- SUNDAE_GIFT_128_NONCE_SIZE,
- SUNDAE_GIFT_TAG_SIZE,
- AEAD_FLAG_NONE,
- sundae_gift_128_aead_encrypt,
- sundae_gift_128_aead_decrypt
-};
-
-/* Multiply a block value by 2 in the special byte field */
-STATIC_INLINE void sundae_gift_multiply(unsigned char B[16])
-{
- unsigned char B0 = B[0];
- unsigned index;
- for (index = 0; index < 15; ++index)
- B[index] = B[index + 1];
- B[15] = B0;
- B[10] ^= B0;
- B[12] ^= B0;
- B[14] ^= B0;
-}
-
-/* Compute a MAC over the concatenation of two data buffers */
-static void sundae_gift_aead_mac
- (const gift128b_key_schedule_t *ks, unsigned char V[16],
- const unsigned char *data1, unsigned data1len,
- const unsigned char *data2, unsigned long data2len)
-{
- unsigned len;
-
- /* Nothing to do if the input is empty */
- if (!data1len && !data2len)
- return;
-
- /* Format the first block. 
We assume that data1len <= 16
- * as it is will be the nonce if it is non-zero in length */
- lw_xor_block(V, data1, data1len);
- len = 16 - data1len;
- if (len > data2len)
- len = (unsigned)data2len;
- lw_xor_block(V + data1len, data2, len);
- data2 += len;
- data2len -= len;
- len += data1len;
-
- /* Process as many full blocks as we can, except the last */
- while (data2len > 0) {
- gift128b_encrypt(ks, V, V);
- len = 16;
- if (len > data2len)
- len = (unsigned)data2len;
- lw_xor_block(V, data2, len);
- data2 += len;
- data2len -= len;
- }
-
- /* Pad and process the last block */
- if (len < 16) {
- V[len] ^= 0x80;
- sundae_gift_multiply(V);
- gift128b_encrypt(ks, V, V);
- } else {
- sundae_gift_multiply(V);
- sundae_gift_multiply(V);
- gift128b_encrypt(ks, V, V);
- }
-}
-
-static int sundae_gift_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub, unsigned npublen,
- const unsigned char *k, unsigned char domainsep)
-{
- gift128b_key_schedule_t ks;
- unsigned char V[16];
- unsigned char T[16];
- unsigned char P[16];
-
- /* Compute the length of the output ciphertext */
- *clen = mlen + SUNDAE_GIFT_TAG_SIZE;
-
- /* Set the key schedule */
- gift128b_init(&ks, k);
-
- /* Format and encrypt the initial domain separation block */
- if (adlen > 0)
- domainsep |= 0x80;
- if (mlen > 0)
- domainsep |= 0x40;
- V[0] = domainsep;
- memset(V + 1, 0, sizeof(V) - 1);
- gift128b_encrypt(&ks, T, V);
-
- /* Authenticate the nonce and the associated data */
- sundae_gift_aead_mac(&ks, T, npub, npublen, ad, adlen);
-
- /* Authenticate the plaintext */
- sundae_gift_aead_mac(&ks, T, 0, 0, m, mlen);
-
- /* Encrypt the plaintext to produce the ciphertext. We need to be
- * careful how we manage the data because we could be doing in-place
- * encryption. 
In SUNDAE-GIFT, the first 16 bytes of the ciphertext
- * is the tag rather than the last 16 bytes in other algorithms.
- * We need to swap the plaintext for the current block with the
- * ciphertext or tag from the previous block */
- memcpy(V, T, 16);
- while (mlen >= 16) {
- gift128b_encrypt(&ks, V, V);
- lw_xor_block_2_src(P, V, m, 16);
- memcpy(c, T, 16);
- memcpy(T, P, 16);
- c += 16;
- m += 16;
- mlen -= 16;
- }
- if (mlen > 0) {
- unsigned leftover = (unsigned)mlen;
- gift128b_encrypt(&ks, V, V);
- lw_xor_block(V, m, leftover);
- memcpy(c, T, 16);
- memcpy(c + 16, V, leftover);
- } else {
- memcpy(c, T, 16);
- }
- return 0;
-}
-
-static int sundae_gift_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub, unsigned npublen,
- const unsigned char *k, unsigned char domainsep)
-{
- gift128b_key_schedule_t ks;
- unsigned char V[16];
- unsigned char T[16];
- unsigned char *mtemp;
- unsigned long len;
-
- /* Bail out if the ciphertext is too short */
- if (clen < SUNDAE_GIFT_TAG_SIZE)
- return -1;
- len = *mlen = clen - SUNDAE_GIFT_TAG_SIZE;
-
- /* Set the key schedule */
- gift128b_init(&ks, k);
-
- /* Decrypt the ciphertext to produce the plaintext, using the
- * tag as the initialization vector for the decryption process */
- memcpy(T, c, SUNDAE_GIFT_TAG_SIZE);
- c += SUNDAE_GIFT_TAG_SIZE;
- mtemp = m;
- memcpy(V, T, 16);
- while (len >= 16) {
- gift128b_encrypt(&ks, V, V);
- lw_xor_block_2_src(mtemp, c, V, 16);
- c += 16;
- mtemp += 16;
- len -= 16;
- }
- if (len > 0) {
- gift128b_encrypt(&ks, V, V);
- lw_xor_block_2_src(mtemp, c, V, (unsigned)len);
- }
-
- /* Format and encrypt the initial domain separation block */
- if (adlen > 0)
- domainsep |= 0x80;
- if (clen > SUNDAE_GIFT_TAG_SIZE)
- domainsep |= 0x40;
- V[0] = domainsep;
- memset(V + 1, 0, sizeof(V) - 1);
- gift128b_encrypt(&ks, V, V);
-
- /* Authenticate the nonce 
and the associated data */
- sundae_gift_aead_mac(&ks, V, npub, npublen, ad, adlen);
-
- /* Authenticate the plaintext */
- sundae_gift_aead_mac(&ks, V, 0, 0, m, *mlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, T, V, 16);
-}
-
-int sundae_gift_0_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- (void)npub;
- return sundae_gift_aead_encrypt
- (c, clen, m, mlen, ad, adlen, 0, 0, k, 0x00);
-}
-
-int sundae_gift_0_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- (void)npub;
- return sundae_gift_aead_decrypt
- (m, mlen, c, clen, ad, adlen, 0, 0, k, 0x00);
-}
-
-int sundae_gift_64_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- return sundae_gift_aead_encrypt
- (c, clen, m, mlen, ad, adlen,
- npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90);
-}
-
-int sundae_gift_64_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- return sundae_gift_aead_decrypt
- (m, mlen, c, clen, ad, adlen,
- npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90);
-}
-
-int sundae_gift_96_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long 
adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- return sundae_gift_aead_encrypt
- (c, clen, m, mlen, ad, adlen,
- npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0);
-}
-
-int sundae_gift_96_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- return sundae_gift_aead_decrypt
- (m, mlen, c, clen, ad, adlen,
- npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0);
-}
-
-int sundae_gift_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- return sundae_gift_aead_encrypt
- (c, clen, m, mlen, ad, adlen,
- npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0);
-}
-
-int sundae_gift_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- return sundae_gift_aead_decrypt
- (m, mlen, c, clen, ad, adlen,
- npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0);
-}
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/sundae-gift.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/sundae-gift.h
deleted file mode 100644
index 9040dd5..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys-avr/sundae-gift.h
+++ /dev/null 
@@ -1,341 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SUNDAE_GIFT_H -#define LWCRYPTO_SUNDAE_GIFT_H - -#include "aead-common.h" - -/** - * \file sundae-gift.h - * \brief SUNDAE-GIFT encryption algorithm family. - * - * The SUNDAE-GIFT family consists of several related algorithms: - * - * \li SUNDAE-GIFT-0 with a 128-bit key, a 0-bit nonce, and 128-bit tag. - * \li SUNDAE-GIFT-64 with a 128-bit key, a 64-bit nonce, and 128-bit tag. - * \li SUNDAE-GIFT-96 with a 128-bit key, a 96-bit nonce, and 128-bit tag. - * This is the primary member of the family. - * \li SUNDAE-GIFT-128 with a 128-bit key, a 128-bit nonce, and 128-bit tag. - * - * SUNDAE-GIFT is resistant against nonce reuse as long as the combination - * of the associated data and plaintext is unique. 
- * - * If a nonce is reused (or there is no nonce in the case of SUNDAE-GIFT-0), - * then two packets with the same associated data and plaintext will encrypt - * to the same ciphertext. This will leak that the same plaintext has been - * sent for a second time but will not reveal the plaintext itself. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for all SUNDAE-GIFT family members. - */ -#define SUNDAE_GIFT_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for all SUNDAE-GIFT family members. - */ -#define SUNDAE_GIFT_TAG_SIZE 16 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-0. - */ -#define SUNDAE_GIFT_0_NONCE_SIZE 0 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-64. - */ -#define SUNDAE_GIFT_64_NONCE_SIZE 8 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-96. - */ -#define SUNDAE_GIFT_96_NONCE_SIZE 12 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-128. - */ -#define SUNDAE_GIFT_128_NONCE_SIZE 16 - -/** - * \brief Meta-information block for the SUNDAE-GIFT-0 cipher. - */ -extern aead_cipher_t const sundae_gift_0_cipher; - -/** - * \brief Meta-information block for the SUNDAE-GIFT-64 cipher. - */ -extern aead_cipher_t const sundae_gift_64_cipher; - -/** - * \brief Meta-information block for the SUNDAE-GIFT-96 cipher. - */ -extern aead_cipher_t const sundae_gift_96_cipher; - -/** - * \brief Meta-information block for the SUNDAE-GIFT-128 cipher. - */ -extern aead_cipher_t const sundae_gift_128_cipher; - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-0. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce - not used by this algorithm. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa sundae_gift_0_aead_decrypt() - */ -int sundae_gift_0_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-0. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce - not used by this algorithm. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa sundae_gift_0_aead_encrypt() - */ -int sundae_gift_0_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-64. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa sundae_gift_64_aead_decrypt() - */ -int sundae_gift_64_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-64. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa sundae_gift_64_aead_encrypt() - */ -int sundae_gift_64_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-96. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa sundae_gift_96_aead_decrypt() - */ -int sundae_gift_96_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-96. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa sundae_gift_96_aead_encrypt() - */ -int sundae_gift_96_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa sundae_gift_128_aead_decrypt() - */ -int sundae_gift_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-12896. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa sundae_gift_128_aead_encrypt() - */ -int sundae_gift_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128-config.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128-config.h new file mode 100644 index 0000000..62131ba --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128-config.h 
@@ -0,0 +1,80 @@ +/* + * Copyright (C) 2020 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef LW_INTERNAL_GIFT128_CONFIG_H +#define LW_INTERNAL_GIFT128_CONFIG_H + +/** + * \file internal-gift128-config.h + * \brief Configures the variant of GIFT-128 to use. + */ + +/** + * \brief Select the full variant of GIFT-128. + * + * The full variant requires 320 bytes for the key schedule and uses the + * fixslicing method to implement encryption and decryption. + */ +#define GIFT128_VARIANT_FULL 0 + +/** + * \brief Select the small variant of GIFT-128. + * + * The small variant requires 80 bytes for the key schedule. The rest + * of the key schedule is expanded on the fly during encryption. + * + * The fixslicing method is used to implement encryption and the slower + * bitslicing method is used to implement decryption. 
The small variant + * is suitable when memory is at a premium, decryption is not needed, + * but encryption performance is still important. + */ +#define GIFT128_VARIANT_SMALL 1 + +/** + * \brief Select the tiny variant of GIFT-128. + * + * The tiny variant requires 16 bytes for the key schedule and uses the + * bitslicing method to implement encryption and decryption. It is suitable + * for use when memory is very tight and performance is not critical. + */ +#define GIFT128_VARIANT_TINY 2 + +/** + * \def GIFT128_VARIANT + * \brief Selects the default variant of GIFT-128 to use on this platform. + */ +/** + * \def GIFT128_VARIANT_ASM + * \brief Defined to 1 if the GIFT-128 implementation has been replaced + * with an assembly code version. + */ +#if defined(__AVR__) && !defined(GIFT128_VARIANT_ASM) +#define GIFT128_VARIANT_ASM 1 +#endif +#if !defined(GIFT128_VARIANT) +#define GIFT128_VARIANT GIFT128_VARIANT_FULL +#endif +#if !defined(GIFT128_VARIANT_ASM) +#define GIFT128_VARIANT_ASM 0 +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.c b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.c index 681dbc8..c6ac5ec 100644 --- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.c +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.c @@ -23,8 +23,12 @@ #include "internal-gift128.h" #include "internal-util.h" +#if !GIFT128_VARIANT_ASM + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /* Round constants for GIFT-128 in the fixsliced representation */ -static uint32_t const GIFT128_RC[40] = { +static uint32_t const GIFT128_RC_fixsliced[40] = { 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, 
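Review bot: The new header accepts any externally supplied `GIFT128_VARIANT` value: the only guards are the `#if !defined(...)` defaults, so a build that passes an unexpected number still compiles. In internal-gift128.c the variant is selected with `#if GIFT128_VARIANT != GIFT128_VARIANT_TINY` in one chain and `#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL` / `#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL` in another, so an unknown value would presumably take the non-tiny key schedule in the first chain and whatever `#else` closes the second, giving a schedule and cipher body that do not match. I would reject it at the point of definition, after the defaults and before the closing include guard: `#if GIFT128_VARIANT != GIFT128_VARIANT_FULL && GIFT128_VARIANT != GIFT128_VARIANT_SMALL && GIFT128_VARIANT != GIFT128_VARIANT_TINY` / `#error "GIFT128_VARIANT must be GIFT128_VARIANT_FULL, GIFT128_VARIANT_SMALL or GIFT128_VARIANT_TINY"` / `#endif`.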
@@ -34,6 +38,246 @@ static uint32_t const GIFT128_RC[40] = { 0xc001a000, 0x14500002, 0x01020181, 0x8000001a }; +#endif + +#if GIFT128_VARIANT != GIFT128_VARIANT_FULL + +/* Round constants for GIFT-128 in the bitsliced representation */ +static uint8_t const GIFT128_RC[40] = { + 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, + 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, + 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, + 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38, + 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A +}; + +#endif + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/* + * The permutation below was generated by the online permuation generator at + * "http://programming.sirrida.de/calcperm.php". + * + * All of the permutuations are essentially the same, except that each is + * rotated by 8 bits with respect to the next: + * + * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15 + * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23 + * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31 + * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7 + * + * The most efficient permutation from the online generator was P3, so we + * perform it as the core of the others, and then perform a final rotation. + * + * It is possible to do slightly better than "P3 then rotate" on desktop and + * server architectures for the other permutations. But the advantage isn't + * as evident on embedded platforms so we keep things simple. 
+ */ +#define PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define PERM0(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate8(_x); \ + } while (0) +#define PERM1(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate16(_x); \ + } while (0) +#define PERM2(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate24(_x); \ + } while (0) +#define PERM3(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +#define INV_PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x00550055, 9); \ + bit_permute_step(x, 0x00003333, 18); \ + bit_permute_step(x, 0x000f000f, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define INV_PERM0(x) \ + do { \ + uint32_t _x = rightRotate8(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM1(x) \ + do { \ + uint32_t _x = rightRotate16(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM2(x) \ + do { \ + uint32_t _x = rightRotate24(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM3(x) \ + do { \ + uint32_t _x = (x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. 
+ */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /** * \brief Swaps bits within two words. * 
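Review bot: `PERM_WORDS` and `INV_PERM_WORDS` are `#define`d inside the bodies of gift128n_to_words() and gift128n_to_nibbles() but never undefined, so they stay live for the rest of the translation unit even though they are indented and documented as function-local helpers. Adding `#undef PERM_WORDS` after the `PERM_WORDS(s3);` call and `#undef INV_PERM_WORDS` after `INV_PERM_WORDS(s3);` gives them the scope the code implies. The public wrappers gift128n_encrypt() and gift128n_decrypt() carry no comment in this file; if the header does not already say so, a one-line note that the conversion is done in place through `output`, and that `input` may alias `output` because gift128n_to_words() loads all four input words before it stores anything, would help callers.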
@@ -202,21 +446,27 @@ static void gift128b_compute_round_keys /* Keys 8, 9, 18, and 19 do not need any adjustment */ } +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL /* Derive the fixsliced keys for the remaining rounds 11..40 */ for (index = 20; index < 80; index += 10) { gift128b_derive_keys(ks->k + index, ks->k + index - 20); } +#endif } -int gift128b_init - (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) { - if (!ks || !key || key_len != 16) - return 0; gift128b_compute_round_keys (ks, be_load_word32(key), be_load_word32(key + 4), be_load_word32(key + 8), be_load_word32(key + 12)); - return 1; +} + +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian key byte order from the HYENA submission */ + gift128b_compute_round_keys + (ks, le_load_word32(key + 12), le_load_word32(key + 8), + le_load_word32(key + 4), le_load_word32(key)); } /** 
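Review bot: `gift128b_init()` and `gift128n_init()` now read 16 bytes from `key` unconditionally; the `!ks || !key || key_len != 16` guard that went with the removed `size_t key_len` parameter is gone, so the contract has moved to the caller. That is reasonable for a fixed-size key, but it should be stated where the functions are declared; the header is not in this hunk, so at minimum a comment above each definition such as `/* ks must be non-NULL and key must point to exactly 16 bytes; nothing is validated here */` would record it. The new `#if GIFT128_VARIANT == GIFT128_VARIANT_FULL` around the derive loop leaves `ks->k` with only the first 20 words filled in the small variant, which matches the 80-byte schedule described in internal-gift128-config.h; a trailer on its `#endif /* GIFT128_VARIANT_FULL */` would make the pairing visible, as the later `#endif /* GIFT128_VARIANT_TINY */` does. gift128b_compute_round_keys() starts outside this hunk.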
@@ -521,11 +771,37 @@ int gift128b_init gift128b_inv_sbox(s3, s1, s2, s0); \ } while (0) +#else /* GIFT128_VARIANT_TINY */ + +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) +{ + /* Mirror the fixslicing word order of 3, 1, 2, 0 */ + ks->k[0] = be_load_word32(key + 12); + ks->k[1] = be_load_word32(key + 4); + ks->k[2] = be_load_word32(key + 8); + ks->k[3] = be_load_word32(key); +} + +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian key byte order from the HYENA submission + * and mirror the fixslicing word order of 3, 1, 2, 0 */ + ks->k[0] = le_load_word32(key); + ks->k[1] = le_load_word32(key + 8); + ks->k[2] = le_load_word32(key + 4); + ks->k[3] = le_load_word32(key + 12); +} + +#endif /* GIFT128_VARIANT_TINY */ + +#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL + void gift128b_encrypt (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { uint32_t s0, s1, s2, s3; + uint32_t k[20]; /* Copy the plaintext into the state buffer and convert from big endian */ s0 = be_load_word32(input); 
@@ -534,14 +810,20 @@ void gift128b_encrypt s3 = be_load_word32(input + 12); /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); /* Pack the state into the ciphertext buffer in big endian */ be_store_word32(output, s0); @@ -555,6 +837,7 @@ void gift128b_encrypt_preloaded const uint32_t input[4]) { uint32_t s0, s1, s2, s3; + uint32_t k[20]; /* Copy the plaintext into local variables */ s0 = input[0]; 
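Review bot: The small-variant `gift128b_encrypt()` calls `gift128b_derive_keys(k, k)` and `gift128b_derive_keys(k + 10, k + 10)` with the output aliasing the input, whereas the only other caller visible, in gift128b_compute_round_keys(), always derives into a different 20-word region (`ks->k + index` from `ks->k + index - 20`). Whether in-place derivation is safe depends on gift128b_derive_keys() reading each input word before it writes the corresponding output word, which is not in this diff; if that holds, a comment at its definition stating that the two pointers may be equal pins the contract, and if it does not, a second 20-word buffer is needed here. The same in-place pattern is repeated in the next two hunks, in gift128b_encrypt_preloaded() and gift128t_encrypt(). The expanded schedule in `k` is also left on the stack at return; the surrounding code does not appear to clear round state either, so that is a library-wide policy question rather than a regression of this change. gift128b_encrypt() starts in the previous hunk.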
@@ -563,14 +846,20 @@ void gift128b_encrypt_preloaded s3 = input[3]; /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); /* Pack the state into the ciphertext buffer */ output[0] = s0; 
@@ -579,7 +868,55 @@ void gift128b_encrypt_preloaded output[3] = s3; } -void gift128b_decrypt +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint32_t tweak) +{ + uint32_t s0, s1, s2, s3; + uint32_t k[20]; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL + +void gift128b_encrypt (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { 
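Review bot: The comment in `gift128t_encrypt()` says the tweak is "added" to the state every 5 rounds, but the code XORs it into `s0` only (`s0 ^= tweak;`), and word 0 is the only word touched; since this is a new non-static entry point with no doc comment in this file, I would make that precise, e.g. `/* Every 5 rounds except the last, XOR the tweak into state word 0 */`. A \brief/\param block in the style of gift128n_to_words() above (key schedule, output, input, tweak) should also say that `output` may alias `input`, which holds because gift128n_to_words() reads all of `input` before writing. The full-variant gift128b_encrypt() that begins at the end of this hunk continues outside it.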
@@ -592,14 +929,14 @@ void gift128b_decrypt
 s3 = be_load_word32(input + 12);
 
 /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
- gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- gift128b_decrypt_5_rounds(ks->k, GIFT128_RC);
+ gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
+ gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
+ gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
+ gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
+ gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
+ gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
+ gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
 
 /* Pack the state into the ciphertext buffer in big endian */
 be_store_word32(output, s0);
@@ -608,173 +945,308 @@ void gift128b_decrypt be_store_word32(output + 12, s3); } -int gift128n_init - (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { - /* Use the little-endian key byte order from the HYENA submission */ - if (!ks || !key || key_len != 16) - return 0; - gift128b_compute_round_keys - (ks, le_load_word32(key + 12), le_load_word32(key + 8), - le_load_word32(key + 4), le_load_word32(key)); - return 1; + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; } -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint32_t tweak) +{ + uint32_t s0, s1, s2, s3; -/** - * \brief Converts the GIFT-128 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. 
- * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift128n_to_words - (unsigned char *output, const unsigned char *input) + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +#else /* GIFT128_VARIANT_TINY */ + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input buffer into 32-bit words. We use the nibble order - * from the HYENA submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 12); - s1 = le_load_word32(input + 8); - s2 = le_load_word32(input + 4); - s3 = le_load_word32(input); + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". - */ - #define PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - PERM_WORDS(s0); - PERM_WORDS(s1); - PERM_WORDS(s2); - PERM_WORDS(s3); + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Rearrange the bytes and write them to the output buffer */ - output[0] = (uint8_t)s0; - output[1] = 
(uint8_t)s1; - output[2] = (uint8_t)s2; - output[3] = (uint8_t)s3; - output[4] = (uint8_t)(s0 >> 8); - output[5] = (uint8_t)(s1 >> 8); - output[6] = (uint8_t)(s2 >> 8); - output[7] = (uint8_t)(s3 >> 8); - output[8] = (uint8_t)(s0 >> 16); - output[9] = (uint8_t)(s1 >> 16); - output[10] = (uint8_t)(s2 >> 16); - output[11] = (uint8_t)(s3 >> 16); - output[12] = (uint8_t)(s0 >> 24); - output[13] = (uint8_t)(s1 >> 24); - output[14] = (uint8_t)(s2 >> 24); - output[15] = (uint8_t)(s3 >> 24); + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); } -/** - * \brief Converts the GIFT-128 word-based representation into nibble-based. - * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. - */ -static void gift128n_to_nibbles - (unsigned char *output, const unsigned char *input) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input bytes and rearrange them so that s0 contains the - * most significant nibbles and s3 contains the least significant */ - s0 = (((uint32_t)(input[12])) << 24) | - (((uint32_t)(input[8])) << 16) | - (((uint32_t)(input[4])) << 8) | - ((uint32_t)(input[0])); - s1 = (((uint32_t)(input[13])) << 24) | - (((uint32_t)(input[9])) << 16) | - (((uint32_t)(input[5])) << 8) | - ((uint32_t)(input[1])); - s2 = (((uint32_t)(input[14])) << 24) | - (((uint32_t)(input[10])) << 16) | - (((uint32_t)(input[6])) << 8) | - ((uint32_t)(input[2])); - s3 = (((uint32_t)(input[15])) << 24) | - (((uint32_t)(input[11])) << 16) | - (((uint32_t)(input[7])) << 8) | - ((uint32_t)(input[3])); + /* Copy the plaintext into the state buffer */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; 
+ s3 = input[3]; - /* Apply the inverse of PERM_WORDS() from the function above */ - #define INV_PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - INV_PERM_WORDS(s0); - INV_PERM_WORDS(s1); - INV_PERM_WORDS(s2); - INV_PERM_WORDS(s3); + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Store the result into the output buffer as 32-bit words */ - le_store_word32(output + 12, s0); - le_store_word32(output + 8, s1); - le_store_word32(output + 4, s2); - le_store_word32(output, s3); + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; } -void gift128n_encrypt +void gift128t_encrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) + const unsigned char *input, uint32_t tweak) { + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the plaintext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); - gift128b_encrypt(ks, output, 
output); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* AddTweak - XOR in the tweak every 5 rounds except the last */ + if (((round + 1) % 5) == 0 && round < 39) + s0 ^= tweak; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); gift128n_to_nibbles(output, output); } -void gift128n_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, +#endif /* GIFT128_VARIANT_TINY */ + +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { - gift128n_to_words(output, input); - gift128b_decrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} + uint32_t s0, s1, s2, s3; -/* 4-bit tweak values expanded to 32-bit */ -static uint32_t const GIFT128_tweaks[16] = { - 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333, - 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787, - 0x78787878, 
0x99999999, 0xaaaaaaaa, 0x4b4b4b4b, - 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff -}; + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); -void gift128t_encrypt + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint32_t tweak) { - uint32_t s0, s1, s2, s3, tword; + uint32_t s0, s1, s2, s3; - /* Copy the plaintext into the state buffer and convert from nibbles */ + /* Copy the ciphertext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); s0 = be_load_word32(output); s1 = be_load_word32(output + 4); 
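Review bot: The TINY-variant gift128b_encrypt, gift128b_encrypt_preloaded and gift128t_encrypt each carry a verbatim copy of the 40-round SubCells/PermBits/AddRoundKey loop together with the key-schedule rotation; the only difference between them is the `AddTweak` step in gift128t_encrypt, everything else in the three bodies is load/store plumbing. One static helper taking the four state words and the tweak (0 for the untweaked entry points, since XORing 0 is a no-op) would leave a single copy of the round function to audit and stop the three from drifting apart. The load order `w0 = ks->k[3]; w1 = ks->k[1]; w2 = ks->k[2]; w3 = ks->k[0];` is repeated three times with only `/* The key schedule is initialized with the key itself */` above it, which does not explain the permuted word order — presumably it matches the order written by gift128b_init, and a one-line comment saying so would save the next reader the cross-check. The sketch below shows the helper and one rewritten caller; gift128b_encrypt and gift128t_encrypt would follow the same load/call/store shape.
```c
/* Bit-sliced GIFT-128 round function shared by the TINY-variant entry
 * points. state[] holds s0..s3 on entry and exit; tweak is XORed into
 * s0 after every fifth round except the last, so the untweaked block
 * cipher passes tweak = 0. */
static void gift128b_encrypt_rounds
    (const gift128b_key_schedule_t *ks, uint32_t state[4], uint32_t tweak)
{
    uint32_t s0, s1, s2, s3;
    uint32_t w0, w1, w2, w3;
    uint32_t temp;
    uint8_t round;

    s0 = state[0];
    s1 = state[1];
    s2 = state[2];
    s3 = state[3];

    /* The key schedule is initialized with the key itself */
    w0 = ks->k[3];
    w1 = ks->k[1];
    w2 = ks->k[2];
    w3 = ks->k[0];

    for (round = 0; round < 40; ++round) {
        /* … unchanged: SubCells, PermBits, AddRoundKey … */

        /* AddTweak - XOR in the tweak every 5 rounds except the last */
        if (((round + 1) % 5) == 0 && round < 39)
            s0 ^= tweak;

        /* … unchanged: key schedule rotation … */
    }

    state[0] = s0;
    state[1] = s1;
    state[2] = s2;
    state[3] = s3;
}

void gift128b_encrypt_preloaded
    (const gift128b_key_schedule_t *ks, uint32_t output[4],
     const uint32_t input[4])
{
    uint32_t state[4];

    state[0] = input[0];
    state[1] = input[1];
    state[2] = input[2];
    state[3] = input[3];
    gift128b_encrypt_rounds(ks, state, 0);
    output[0] = state[0];
    output[1] = state[1];
    output[2] = state[2];
    output[3] = state[3];
}
/* … gift128b_encrypt and gift128t_encrypt likewise: load, call, store … */
```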
@@ -782,25 +1254,24 @@ void gift128t_encrypt
 s3 = be_load_word32(output + 12);
 
 /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the last we add the tweak value to the state */
- tword = GIFT128_tweaks[tweak];
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
+ * Every 5 rounds except the first we add the tweak value to the state */
+ gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
 
- /* Pack the state into the ciphertext buffer in nibble form */
+ /* Pack the state into the plaintext buffer in nibble form */
 be_store_word32(output, s0);
 be_store_word32(output + 4, s1);
 be_store_word32(output + 8, s2);
@@ -808,37 +1279,211 @@ void gift128t_encrypt gift128n_to_nibbles(output, output); } +#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ + +/* The small variant uses fixslicing for encryption, but we need to change + * to bitslicing for decryption because of the difficulty of fast-forwarding + * the fixsliced key schedule to the end. So the tiny variant is used for + * decryption when the small variant is selected. Since the NIST AEAD modes + * for GIFT-128 only use the block encrypt operation, the inefficiencies + * in decryption don't matter all that much */ + +/** + * \def gift128b_load_and_forward_schedule() + * \brief Generate the decryption key at the end of the last round. + * + * To do that, we run the block operation forward to determine the + * final state of the key schedule after the last round: + * + * w0 = ks->k[0]; + * w1 = ks->k[1]; + * w2 = ks->k[2]; + * w3 = ks->k[3]; + * for (round = 0; round < 40; ++round) { + * temp = w3; + * w3 = w2; + * w2 = w1; + * w1 = w0; + * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + * } + * + * We can short-cut all of the above by noticing that we don't need + * to do the word rotations. Every 4 rounds, the rotation alignment + * returns to the original position and each word has been rotated + * by applying the "2 right and 4 left" bit-rotation step to it. + * We then repeat that 10 times for the full 40 rounds. The overall + * effect is to apply a "20 right and 40 left" bit-rotation to every + * word in the key schedule. That is equivalent to "4 right and 8 left" + * on the 16-bit sub-words. 
+ */ +#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL +#define gift128b_load_and_forward_schedule() \ + do { \ + w0 = ks->k[3]; \ + w1 = ks->k[1]; \ + w2 = ks->k[2]; \ + w3 = ks->k[0]; \ + w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ + ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ + w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ + ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \ + w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ + ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ + w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ + ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ + } while (0) +#else +/* The small variant needs to also undo some of the rotations that were + * done to generate the fixsliced version of the key schedule */ +#define gift128b_load_and_forward_schedule() \ + do { \ + w0 = ks->k[3]; \ + w1 = ks->k[1]; \ + w2 = ks->k[2]; \ + w3 = ks->k[0]; \ + gift128b_swap_move(w3, w3, 0x000000FFU, 24); \ + gift128b_swap_move(w3, w3, 0x00003333U, 18); \ + gift128b_swap_move(w3, w3, 0x000F000FU, 12); \ + gift128b_swap_move(w3, w3, 0x00550055U, 9); \ + gift128b_swap_move(w1, w1, 0x000000FFU, 24); \ + gift128b_swap_move(w1, w1, 0x00003333U, 18); \ + gift128b_swap_move(w1, w1, 0x000F000FU, 12); \ + gift128b_swap_move(w1, w1, 0x00550055U, 9); \ + gift128b_swap_move(w2, w2, 0x000000FFU, 24); \ + gift128b_swap_move(w2, w2, 0x000F000FU, 12); \ + gift128b_swap_move(w2, w2, 0x03030303U, 6); \ + gift128b_swap_move(w2, w2, 0x11111111U, 3); \ + gift128b_swap_move(w0, w0, 0x000000FFU, 24); \ + gift128b_swap_move(w0, w0, 0x000F000FU, 12); \ + gift128b_swap_move(w0, w0, 0x03030303U, 6); \ + gift128b_swap_move(w0, w0, 0x11111111U, 3); \ + w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ + ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ + w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ + ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 
8); \ + w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ + ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ + w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ + ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ + } while (0) +#endif + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the ciphertext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Generate the decryption key at the end of the last round */ + gift128b_load_and_forward_schedule(); + + /* Perform all 40 rounds */ + for (round = 40; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; + + /* InvPermBits - apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp = s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } + + /* Pack the state into the plaintext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint32_t tweak) { - uint32_t s0, s1, s2, s3, 
tword; + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Copy the ciphertext into the state buffer and convert from nibbles */ + /* Copy the plaintext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); s0 = be_load_word32(output); s1 = be_load_word32(output + 4); s2 = be_load_word32(output + 8); s3 = be_load_word32(output + 12); - /* Perform all 40 rounds five at a time using the fixsliced method. - * Every 5 rounds except the first we add the tweak value to the state */ - tword = GIFT128_tweaks[tweak]; - gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + /* Generate the decryption key at the end of the last round */ + gift128b_load_and_forward_schedule(); + + /* Perform all 40 rounds */ + for (round = 40; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddTweak - XOR in the tweak every 5 rounds except the last */ + if ((round % 5) == 0 && round < 40) + s0 ^= tweak; + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; + + /* InvPermBits - apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp 
= s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } /* Pack the state into the plaintext buffer in nibble form */ be_store_word32(output, s0); @@ -847,3 +1492,7 @@ void gift128t_decrypt be_store_word32(output + 12, s3); gift128n_to_nibbles(output, output); } + +#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ + +#endif /* !GIFT128_VARIANT_ASM */ diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.h index 1ac40e5..f57d143 100644 --- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.h +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128.h @@ -47,11 +47,13 @@ * in any of the NIST submissions so we don't bother with it in this library. * * References: https://eprint.iacr.org/2017/622.pdf, + * https://eprint.iacr.org/2020/412.pdf, * https://giftcipher.github.io/gift/ */ #include #include +#include "internal-gift128-config.h" #ifdef __cplusplus extern "C" { @@ -63,16 +65,23 @@ extern "C" { #define GIFT128_BLOCK_SIZE 16 /** - * \brief Number of round keys for the fixsliced representation of GIFT-128. + * \var GIFT128_ROUND_KEYS + * \brief Number of round keys for the GIFT-128 key schedule. */ +#if GIFT128_VARIANT == GIFT128_VARIANT_TINY +#define GIFT128_ROUND_KEYS 4 +#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL +#define GIFT128_ROUND_KEYS 20 +#else #define GIFT128_ROUND_KEYS 80 +#endif /** * \brief Structure of the key schedule for GIFT-128 (bit-sliced). */ typedef struct { - /** Pre-computed round keys in the fixsliced form */ + /** Pre-computed round keys for bit-sliced GIFT-128 */ uint32_t k[GIFT128_ROUND_KEYS]; } gift128b_key_schedule_t; 
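Review bot: In the TINY-variant gift128t_decrypt the comment above `gift128n_to_words(output, input);` was changed to `/* Copy the plaintext into the state buffer and convert from nibbles */`, but this is the decrypt path and the buffer being loaded is the ciphertext; the FULL-variant gift128t_decrypt in the earlier hunk made the opposite, correct change, so this one should read `/* Copy the ciphertext into the state buffer and convert from nibbles */`. The doc comment for `gift128b_load_and_forward_schedule()` shows the reference loop starting from `w0 = ks->k[0]; … w3 = ks->k[3];`, while both macro bodies (and the encrypt functions) load `w0 = ks->k[3]; w1 = ks->k[1]; w2 = ks->k[2]; w3 = ks->k[0];`, so the pseudo-code should be brought in line with the code it claims to short-cut. That macro also reads `ks` and writes `w0..w3` as implicit locals of whoever expands it, which nothing in its name or comment says; a sentence in the `\def` block stating the required locals would help. gift128b_decrypt and gift128t_decrypt repeat the same 40-round inverse loop, as the encrypt side does; gift128t_decrypt's body continues past the end of this hunk.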
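Review bot: The struct comment `/** Pre-computed round keys for bit-sliced GIFT-128 */` no longer describes all three layouts now that `GIFT128_ROUND_KEYS` is 4, 20 or 80 depending on the variant: the .c side states that for the TINY variant the schedule `is initialized with the key itself`, and the SMALL variant appears to derive the remaining round keys at encrypt time from the 20 stored words. Suggest documenting that here, e.g. `/** Round-key words; contents depend on GIFT128_VARIANT: the raw key words (TINY), the first 20 fixsliced round keys (SMALL) or all 80 (FULL) */`. Because `sizeof(gift128b_key_schedule_t)` now depends on a configuration macro, every translation unit that includes this header must see the same `GIFT128_VARIANT`, which the new `#include "internal-gift128-config.h"` is presumably there to guarantee; a sentence to that effect next to `GIFT128_ROUND_KEYS` would make the dependency explicit.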
@@ -81,14 +90,9 @@ typedef struct
 * \brief Initializes the key schedule for GIFT-128 (bit-sliced).
 *
 * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- * \param key_len Length of the key data, which must be 16.
- *
- * \return Non-zero on success or zero if there is something wrong
- * with the parameters.
+ * \param key Points to the 16 bytes of the key data.
 */
-int gift128b_init
- (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len);
+void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key);
 
 /**
 * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced).
@@ -145,14 +149,9 @@ typedef gift128b_key_schedule_t gift128n_key_schedule_t;
 * \brief Initializes the key schedule for GIFT-128 (nibble-based).
 *
 * \param ks Points to the key schedule to initialize.
- * \param key Points to the key data.
- * \param key_len Length of the key data, which must be 16.
- *
- * \return Non-zero on success or zero if there is something wrong
- * with the parameters.
+ * \param key Points to the 16 bytes of the key data.
 */
-int gift128n_init
- (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len);
+void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key);
 
 /**
 * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based).
@@ -182,13 +181,31 @@ void gift128n_decrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
 const unsigned char *input);
 
+/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */
+#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */
+#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */
+#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */
+#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */
+#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */
+#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */
+#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */
+#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */
+#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */
+#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */
+#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */
+#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */
+#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */
+#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */
+#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */
+#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */
+
 /**
 * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant).
 *
 * \param ks Points to the GIFT-128 key schedule.
 * \param output Output buffer which must be at least 16 bytes in length.
 * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value.
+ * \param tweak 4-bit tweak value expanded to 32-bit.
 *
 * The \a input and \a output buffers can be the same buffer for
 * in-place encryption.
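Review bot: The new `\param tweak 4-bit tweak value expanded to 32-bit.` on gift128t_encrypt does not tell the caller that the accepted values are exactly the `GIFT128T_TWEAK_0` … `GIFT128T_TWEAK_15` constants defined just above (the former `GIFT128_tweaks[]` table entries), and with the parameter now a plain `uint32_t` the implementation has no way to reject anything else; suggest `\param tweak Tweak value, one of GIFT128T_TWEAK_0 to GIFT128T_TWEAK_15.` here and in the matching gift128t_decrypt hunk that follows. The constants are also unsuffixed, so on the usual 32-bit-int targets `0xe1e1e1e1` has type unsigned int while `0x33333333` is int; a `U` suffix on each (`0xe1e1e1e1U`), matching the `0x80000000U` style used in the .c file, keeps them uniformly unsigned when they meet the `uint32_t` parameter.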
@@ -200,7 +217,7 @@ void gift128n_decrypt
 */
 void gift128t_encrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, unsigned char tweak);
+ const unsigned char *input, uint32_t tweak);
 
 /**
 * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant).
@@ -208,7 +225,7 @@ void gift128t_encrypt
 * \param ks Points to the GIFT-128 key schedule.
 * \param output Output buffer which must be at least 16 bytes in length.
 * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value.
+ * \param tweak 4-bit tweak value expanded to 32-bit.
 *
 * The \a input and \a output buffers can be the same buffer for
 * in-place encryption.
@@ -220,7 +237,7 @@ void gift128t_encrypt
 */
 void gift128t_decrypt
 (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, unsigned char tweak);
+ const unsigned char *input, uint32_t tweak);
 
 #ifdef __cplusplus
 }
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128b-full-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128b-full-avr.S
new file mode 100644
index 0000000..ff11875
--- /dev/null
+++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128b-full-avr.S
@@ -0,0 +1,5037 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + +#include "internal-gift128-config.h" + +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 160 +table_0: + .byte 8 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 128 + .byte 1 + .byte 128 + .byte 2 + .byte 0 + .byte 0 + .byte 84 + .byte 129 + .byte 1 + .byte 1 + .byte 1 + .byte 31 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 136 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 81 + .byte 128 + .byte 1 + .byte 3 + .byte 3 + .byte 47 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 96 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 65 + .byte 128 + .byte 0 + .byte 3 + .byte 3 + .byte 39 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 64 + .byte 2 + .byte 0 + .byte 80 + .byte 17 + .byte 128 + .byte 1 + .byte 2 + .byte 3 + .byte 43 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 8 + .byte 8 + .byte 16 + .byte 0 + .byte 64 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 64 + .byte 1 + .byte 128 + .byte 0 + .byte 2 + .byte 2 + .byte 33 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 192 + .byte 1 + .byte 0 + .byte 2 + .byte 0 + .byte 0 + .byte 81 + .byte 128 + .byte 1 + .byte 1 + .byte 3 + .byte 46 + .byte 0 + .byte 0 + .byte 128 + .byte 0 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 32 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 64 + .byte 128 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 0 + .byte 0 + .byte 128 + .byte 8 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 160 + .byte 1 + .byte 192 + .byte 2 + .byte 0 + .byte 80 + .byte 20 + .byte 129 + .byte 1 + .byte 2 + .byte 1 + .byte 26 + .byte 0 + .byte 0 + .byte 128 + 
+ .text +.global gift128b_init + .type gift128b_init, @function +gift128b_init: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 + movw r26,r22 +.L__stack_usage = 18 + ld r13,X+ + ld r12,X+ + ld r11,X+ + ld r10,X+ + ld r5,X+ + ld r4,X+ + ld r3,X+ + ld r2,X+ + ld r9,X+ + ld r8,X+ + ld r7,X+ + ld r6,X+ + ld r29,X+ + ld r28,X+ + ld r23,X+ + ld r22,X+ + st Z+,r22 + st Z+,r23 + st Z+,r28 + st Z+,r29 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + ldi r24,4 +33: + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r29 + ror r28 + ror r0 + lsr r29 + ror r28 + ror r0 + or r29,r0 + st Z+,r22 + st Z+,r23 + st Z+,r28 + st Z+,r29 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r28 + mov r28,r4 + mov r4,r0 + mov r0,r29 + mov r29,r5 + mov r5,r0 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + mov r0,r6 + mov r6,r10 + mov r10,r0 + mov r0,r7 + mov r7,r11 + mov r11,r0 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + dec r24 + breq 5115f + rjmp 33b +5115: + subi r30,80 + sbc r31,r1 + ldi r24,2 +119: + ld r22,Z + ldd r23,Z+1 + ldd r28,Z+2 + ldd r29,Z+3 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor 
r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + st Z,r29 + std Z+1,r23 + std Z+2,r28 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r28,Z+6 + ldd r29,Z+7 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror 
r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+4,r29 + std Z+5,r23 + std Z+6,r28 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r28,Z+10 + ldd r29,Z+11 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + 
ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+8,r29 + std Z+9,r23 + std Z+10,r28 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r28,Z+14 + ldd r29,Z+15 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 
+ eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+12,r29 + std Z+13,r23 + std Z+14,r28 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r28,Z+18 + ldd r29,Z+19 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + 
mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+16,r29 + std Z+17,r23 + std Z+18,r28 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r28,Z+22 + ldd r29,Z+23 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+20,r29 + std Z+21,r23 + std Z+22,r28 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r28,Z+26 + ldd r29,Z+27 + movw r18,r22 + 
movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+24,r29 + std Z+25,r23 + std Z+26,r28 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r28,Z+30 + ldd r29,Z+31 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor 
r20,r28 + eor r21,r29 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+28,r29 + std Z+29,r23 + std Z+30,r28 + std Z+31,r22 + dec r24 + breq 1268f + adiw r30,40 + rjmp 119b +1268: + adiw r30,40 + movw r26,r30 + subi r26,80 + sbc r27,r1 + ldi r24,6 +1274: + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + movw r18,r2 + movw r20,r4 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r2 + eor r19,r3 + andi r18,51 + andi r19,51 + eor r2,r18 + eor r3,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + 
mov r18,r1 + mov r19,r1 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + movw r18,r2 + movw r20,r4 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + st Z,r2 + std Z+1,r3 + std Z+2,r4 + std Z+3,r5 + movw r18,r22 + movw r20,r28 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + andi r28,204 + andi r29,204 + or r28,r21 + or r29,r18 + or r22,r19 + or r23,r20 + movw r18,r28 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r28 + eor r19,r29 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r28,r18 + eor r29,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r28,r18 + eor r29,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r28 + std Z+5,r29 + std Z+6,r22 + std Z+7,r23 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + swap r3 + lsl r4 + adc r4,r1 + lsl r4 + adc r4,r1 + swap r5 + std Z+8,r2 + std Z+9,r3 + std Z+10,r4 + std Z+11,r5 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r28 + adc r28,r1 + lsl r28 + adc r28,r1 + lsl r28 + adc r28,r1 + lsl r29 + adc r29,r1 + lsl r29 + adc r29,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r28 + std Z+15,r29 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + movw r18,r2 + movw r20,r4 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + ldi r25,85 + and r2,r25 + and r3,r25 + and r4,r25 + and r5,r25 + or r2,r19 + or r3,r20 + or r4,r21 + or r5,r18 + std Z+16,r4 + std Z+17,r5 + std Z+18,r2 + std Z+19,r3 + movw r18,r22 + movw r20,r28 + andi r18,85 + andi r19,85 + andi r20,85 + andi 
r21,85 + andi r22,170 + andi r23,170 + andi r28,170 + andi r29,170 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + or r22,r18 + or r23,r19 + or r28,r20 + or r29,r21 + std Z+20,r29 + std Z+21,r22 + std Z+22,r23 + std Z+23,r28 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + movw r18,r2 + movw r20,r4 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + movw r18,r2 + movw r20,r4 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r14,r18 + movw r16,r20 + lsr r17 + ror r16 + ror r15 + ror r14 + lsr r17 + ror r16 + ror r15 + ror r14 + lsr r17 + ror r16 + ror r15 + ror r14 + lsr r17 + ror r16 + ror r15 + ror r14 + eor r14,r18 + eor r15,r19 + eor r16,r20 + eor r17,r21 + ldi r25,8 + and r14,r25 + and r15,r25 + andi r16,8 + andi r17,8 + eor r18,r14 + eor r19,r15 + eor r20,r16 + eor r21,r17 + lsl r14 + rol r15 + rol r16 + rol r17 + lsl r14 + rol r15 + rol r16 + rol r17 + lsl r14 + rol r15 + rol r16 + rol r17 + lsl r14 + rol r15 + rol r16 + rol r17 + eor r18,r14 + eor r19,r15 + eor r20,r16 + eor r21,r17 + ldi r17,15 + and r2,r17 + and r3,r17 + and r4,r17 + and r5,r17 + or r2,r18 + or r3,r19 + or r4,r20 + or r5,r21 + std Z+24,r2 + std Z+25,r3 + std Z+26,r4 + std Z+27,r5 + movw r18,r28 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r2,r22 + movw r4,r28 + ldi r16,1 + and r2,r16 + and r3,r16 + and r4,r16 + and r5,r16 + lsl r2 + rol r3 + rol r4 + rol r5 + lsl r2 + rol r3 + rol r4 + 
rol r5 + lsl r2 + rol r3 + rol r4 + rol r5 + or r2,r18 + or r3,r19 + movw r18,r28 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r2,r18 + or r3,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r4,r18 + or r5,r19 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r2,r18 + or r3,r19 + or r4,r20 + or r5,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r4,r22 + or r5,r23 + std Z+28,r2 + std Z+29,r3 + std Z+30,r4 + std Z+31,r5 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + mov r0,r1 + lsr r5 + ror r4 + ror r0 + lsr r5 + ror r4 + ror r0 + lsr r5 + ror r4 + ror r0 + lsr r5 + ror r4 + ror r0 + or r5,r0 + std Z+32,r3 + std Z+33,r2 + std Z+34,r4 + std Z+35,r5 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r28 + mov r28,r29 + mov r29,r0 + lsl r28 + rol r29 + adc r28,r1 + lsl r28 + rol r29 + adc r28,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r28 + std Z+39,r29 + dec r24 + breq 1733f + adiw r30,40 + rjmp 1274b +1733: + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_init, .-gift128b_init + + .text +.global gift128b_encrypt + .type gift128b_encrypt, @function +gift128b_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e +.L__stack_usage = 19 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld 
r13,X+ + ld r12,X+ + movw r26,r30 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rjmp 765f +27: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror 
r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + 
ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 
+ and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + 
mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov 
r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +765: +#if defined(RAMPZ) 
+ pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+1 + ldd r27,Y+2 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + pop r0 + pop r0 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt, .-gift128b_encrypt + + .text +.global gift128b_encrypt_preloaded + .type gift128b_encrypt_preloaded, @function +gift128b_encrypt_preloaded: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e +.L__stack_usage = 19 + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + ld r14,X+ + ld r15,X+ + movw r26,r30 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rjmp 765f +27: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov 
r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z 
+#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld 
r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + 
ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + 
eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +765: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+1 + ldd r27,Y+2 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + st X+,r12 + st X+,r13 + st X+,r14 + st X+,r15 + pop r0 + pop r0 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded + + .text +.global gift128b_decrypt + .type gift128b_decrypt, @function +gift128b_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e +.L__stack_usage = 19 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld 
r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + movw r26,r30 + subi r26,192 + sbci r27,254 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,160 + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rjmp 768f +30: + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov r0,r12 + mov r12,r13 + mov r13,r14 + mov r14,r15 + mov r15,r0 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 
+ eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r1 + lsr r22 + ror r0 + lsr r22 + ror r0 + or r22,r0 + mov r0,r1 + lsr r23 + ror r0 + lsr r23 + ror r0 + or r23,r0 + mov r0,r1 + lsr r2 + ror r0 + lsr r2 + ror r0 + or r2,r0 + mov r0,r1 + lsr r3 + ror r0 + lsr r3 + ror r0 + or r3,r0 + swap r4 + swap r5 + swap r6 + swap r7 + lsl r8 + adc r8,r1 + lsl r8 + adc r8,r1 + lsl r9 + adc r9,r1 + lsl r9 + adc r9,r1 + lsl r10 + adc r10,r1 + lsl r10 + adc r10,r1 + lsl r11 + adc r11,r1 + lsl r11 + adc r11,r1 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + com r22 + 
com r23 + com r2 + com r3 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + 
rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor 
r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + com r22 + com r23 + com r2 + com r3 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z 
+#else + lpm + mov r18,r0 +#endif + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,119 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r15 + ror r14 + ror r13 + ror r12 + lsr r15 + ror r14 + ror r13 + ror r12 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,17 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor 
r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + ret +768: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+1 + ldd r27,Y+2 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + pop r0 + pop r0 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_decrypt, .-gift128b_decrypt + +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128b-small-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128b-small-avr.S new file mode 100644 index 0000000..77ef9fd --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128b-small-avr.S 
@@ -0,0 +1,6053 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + +#include "internal-gift128-config.h" + +#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 160 +table_0: + .byte 8 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 128 + .byte 1 + .byte 128 + .byte 2 + .byte 0 + .byte 0 + .byte 84 + .byte 129 + .byte 1 + .byte 1 + .byte 1 + .byte 31 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 136 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 81 + .byte 128 + .byte 1 + .byte 3 + .byte 3 + .byte 47 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 96 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 65 + .byte 128 + .byte 0 + .byte 3 + .byte 3 + .byte 39 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 64 + .byte 2 + .byte 0 + .byte 80 + .byte 17 + .byte 128 + .byte 1 + .byte 2 + .byte 3 + .byte 43 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 8 + .byte 8 + .byte 16 + .byte 0 + .byte 64 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 64 + .byte 1 + .byte 128 + .byte 0 + .byte 2 + .byte 2 + .byte 33 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 192 + .byte 1 + .byte 0 + .byte 2 + .byte 0 + .byte 0 + .byte 81 + .byte 128 + .byte 1 + .byte 1 + .byte 3 + .byte 46 + .byte 0 + .byte 0 + .byte 128 + .byte 0 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 32 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 64 + .byte 128 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 0 + .byte 0 + .byte 128 + .byte 8 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 160 + .byte 1 + .byte 192 + .byte 2 + .byte 0 + .byte 80 + .byte 20 + .byte 129 + .byte 1 + .byte 2 + .byte 1 + .byte 26 + .byte 0 + .byte 0 + .byte 128 + 
+ .text +.global gift128b_init + .type gift128b_init, @function +gift128b_init: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + movw r30,r24 + movw r26,r22 +.L__stack_usage = 16 + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + ldi r24,4 +33: + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + mov r0,r22 + mov r22,r4 + mov r4,r0 + mov r0,r23 + mov r23,r5 + mov r5,r0 + mov r0,r2 + mov r2,r6 + mov r6,r0 + mov r0,r3 + mov r3,r7 + mov r7,r0 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + mov r0,r10 + mov r10,r14 + mov r14,r0 + mov r0,r11 + mov r11,r15 + mov r15,r0 + dec r24 + breq 5115f + rjmp 33b +5115: + subi r30,80 + sbc r31,r1 + ldi r24,2 +119: + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 
+ mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + st Z,r3 + std Z+1,r23 + std Z+2,r2 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 
+ ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+4,r3 + std Z+5,r23 + std Z+6,r2 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 
+ mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+8,r3 + std Z+9,r23 + std Z+10,r2 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 
+ lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+12,r3 + std Z+13,r23 + std Z+14,r2 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol 
r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r3 + std Z+17,r23 + std Z+18,r2 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+20,r3 + std Z+21,r23 + std Z+22,r2 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + 
eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+24,r3 + std Z+25,r23 + std Z+26,r2 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r2,Z+30 + ldd r3,Z+31 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 
+ rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+28,r3 + std Z+29,r23 + std Z+30,r2 + std Z+31,r22 + dec r24 + breq 1268f + adiw r30,40 + rjmp 119b +1268: + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size gift128b_init, .-gift128b_init + + .text +.global gift128b_encrypt + .type gift128b_encrypt, @function +gift128b_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in 
r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ldi r24,20 +1: + ld r22,Z+ + ld r23,Z+ + ld r2,Z+ + ld r3,Z+ + std Y+1,r22 + std Y+2,r23 + std Y+3,r2 + std Y+4,r3 + adiw r28,4 + dec r24 + brne 1b + subi r28,80 + sbc r29,r1 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out 
_SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 73f + rcall 73f + rjmp 1285f +73: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 
+ andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov 
r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + 
and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov 
r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + 
eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + 
eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +811: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc r26,r1 + lsl r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc 
r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + 
lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +1285: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc 
r29,r1 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt, .-gift128b_encrypt + + .text +.global gift128b_encrypt_preloaded + .type gift128b_encrypt_preloaded, @function +gift128b_encrypt_preloaded: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ldi r24,20 +1: + ld r22,Z+ + ld r23,Z+ + ld r2,Z+ + ld r3,Z+ + std Y+1,r22 + std Y+2,r23 + std Y+3,r2 + std Y+4,r3 + adiw r28,4 + dec r24 + brne 1b + subi r28,80 + sbc r29,r1 + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + ld r14,X+ + ld r15,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if 
defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 73f + rcall 73f + rjmp 1285f +73: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and 
r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + 
eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif 
defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor 
r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + 
lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + 
ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +811: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and 
r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc r26,r1 + lsl r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw 
r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or 
r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +1285: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc r29,r1 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + st X+,r12 + st X+,r13 + st X+,r14 + st X+,r15 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 40 +table_1: + .byte 1 + .byte 3 + .byte 7 + .byte 15 + .byte 31 + .byte 62 + .byte 61 + .byte 59 + .byte 55 + .byte 47 + .byte 30 + .byte 60 + .byte 57 + .byte 51 + .byte 39 + .byte 14 + .byte 29 + .byte 58 + .byte 53 + .byte 43 + .byte 22 + .byte 44 + .byte 24 + .byte 48 + .byte 33 + .byte 2 + .byte 5 + .byte 11 + .byte 23 + .byte 46 + .byte 28 + .byte 56 + .byte 49 + .byte 35 + .byte 6 + .byte 13 + .byte 27 + .byte 54 + .byte 45 + 
.byte 26 + + .text +.global gift128b_decrypt + .type gift128b_decrypt, @function +gift128b_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 35 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor 
r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + 
mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Z+8 + ldd r27,Z+9 + ldd r24,Z+10 + ldd r25,Z+11 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw 
r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ld r26,Z + ldd r27,Z+1 + ldd r24,Z+2 + ldd r25,Z+3 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + 
mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r17,hh8(table_1) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif + ldi r16,40 +678: + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + std Y+13,r26 + std Y+14,r27 + std Y+15,r24 + std Y+16,r25 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r24,Y+3 + ldd r25,Y+4 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + ldd r0,Y+13 + eor r8,r0 + ldd r0,Y+14 + eor r9,r0 + ldd r0,Y+15 + eor r10,r0 + ldd r0,Y+16 + eor r11,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Y+5 + ldd r27,Y+6 + ldd r24,Y+7 + ldd r25,Y+8 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + ldd r0,Y+1 + eor r8,r0 + ldd r0,Y+2 + eor r9,r0 + ldd r0,Y+3 + eor r10,r0 + ldd r0,Y+4 + eor r11,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Y+9 + ldd r27,Y+10 + ldd r24,Y+11 + ldd r25,Y+12 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 
+ adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r24,Y+15 + ldd r25,Y+16 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + cpse r16,r1 + rjmp 678b + rjmp 1175f +830: + eor r4,r26 + eor r5,r27 + eor r6,r24 + eor r7,r25 + ldi r18,128 + eor r15,r18 + dec r16 + mov r30,r16 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + bst r22,1 + bld r0,0 + bst r3,0 + bld r22,1 + bst r22,6 + bld r3,0 + bst r2,1 + bld r22,6 + bst r3,4 + bld r2,1 + bst r22,7 + bld r3,4 + bst r23,1 + bld r22,7 + bst r3,2 + bld r23,1 + bst r2,6 + bld r3,2 + bst r2,5 + bld r2,6 + bst r3,5 + bld r2,5 + bst r3,7 + bld r3,5 + bst r23,7 + bld r3,7 + bst r23,3 + bld r23,7 + bst r23,2 + bld r23,3 + bst r2,2 + bld r23,2 + bst r2,4 + bld r2,2 + bst r22,5 + bld r2,4 + bst r3,1 + bld r22,5 + bst r3,6 + bld r3,1 + bst r2,7 + bld r3,6 + bst r23,5 + bld r2,7 + bst r3,3 + bld r23,5 + bst r23,6 + bld r3,3 + bst r2,3 + bld r23,6 + bst r23,4 + bld r2,3 + bst r22,3 + bld r23,4 + bst r23,0 + bld r22,3 + bst r22,2 + bld r23,0 + bst r2,0 + bld r22,2 + bst r22,4 + bld r2,0 + bst r0,0 + bld r22,4 + bst r4,0 + bld r0,0 + bst r5,0 + bld r4,0 + bst r5,2 + bld r5,0 + bst r7,2 + bld r5,2 + bst r7,6 + bld r7,2 + bst r7,7 + bld r7,6 + bst r6,7 + bld r7,7 + bst r6,5 + bld r6,7 + bst r4,5 + bld r6,5 + bst r4,1 + bld r4,5 + bst r0,0 + bld r4,1 + bst r4,2 + bld r0,0 + bst r7,0 + bld r4,2 + bst r5,6 + bld r7,0 + bst r7,3 + bld r5,6 + bst r6,6 + bld r7,3 + bst r7,5 + bld r6,6 + bst r4,7 + bld r7,5 + bst r6,1 + bld r4,7 + bst r4,4 + bld r6,1 + bst r5,1 
+ bld r4,4 + bst r0,0 + bld r5,1 + bst r4,3 + bld r0,0 + bst r6,0 + bld r4,3 + bst r5,4 + bld r6,0 + bst r5,3 + bld r5,4 + bst r6,2 + bld r5,3 + bst r7,4 + bld r6,2 + bst r5,7 + bld r7,4 + bst r6,3 + bld r5,7 + bst r6,4 + bld r6,3 + bst r5,5 + bld r6,4 + bst r0,0 + bld r5,5 + bst r4,6 + bld r0,0 + bst r7,1 + bld r4,6 + bst r0,0 + bld r7,1 + bst r8,0 + bld r0,0 + bst r10,0 + bld r8,0 + bst r10,4 + bld r10,0 + bst r10,5 + bld r10,4 + bst r9,5 + bld r10,5 + bst r9,3 + bld r9,5 + bst r11,2 + bld r9,3 + bst r8,6 + bld r11,2 + bst r8,1 + bld r8,6 + bst r9,0 + bld r8,1 + bst r10,2 + bld r9,0 + bst r8,4 + bld r10,2 + bst r10,1 + bld r8,4 + bst r9,4 + bld r10,1 + bst r10,3 + bld r9,4 + bst r11,4 + bld r10,3 + bst r10,7 + bld r11,4 + bst r11,5 + bld r10,7 + bst r9,7 + bld r11,5 + bst r11,3 + bld r9,7 + bst r11,6 + bld r11,3 + bst r8,7 + bld r11,6 + bst r11,1 + bld r8,7 + bst r9,6 + bld r11,1 + bst r8,3 + bld r9,6 + bst r11,0 + bld r8,3 + bst r10,6 + bld r11,0 + bst r8,5 + bld r10,6 + bst r9,1 + bld r8,5 + bst r9,2 + bld r9,1 + bst r8,2 + bld r9,2 + bst r0,0 + bld r8,2 + bst r12,0 + bld r0,0 + bst r15,0 + bld r12,0 + bst r15,6 + bld r15,0 + bst r13,7 + bld r15,6 + bst r12,3 + bld r13,7 + bst r0,0 + bld r12,3 + bst r12,1 + bld r0,0 + bst r14,0 + bld r12,1 + bst r15,4 + bld r14,0 + bst r15,7 + bld r15,4 + bst r12,7 + bld r15,7 + bst r0,0 + bld r12,7 + bst r12,2 + bld r0,0 + bst r13,0 + bld r12,2 + bst r15,2 + bld r13,0 + bst r13,6 + bld r15,2 + bst r13,3 + bld r13,6 + bst r0,0 + bld r13,3 + bst r12,4 + bld r0,0 + bst r15,1 + bld r12,4 + bst r14,6 + bld r15,1 + bst r13,5 + bld r14,6 + bst r14,3 + bld r13,5 + bst r0,0 + bld r14,3 + bst r12,5 + bld r0,0 + bst r14,1 + bld r12,5 + bst r14,4 + bld r14,1 + bst r15,5 + bld r14,4 + bst r14,7 + bld r15,5 + bst r0,0 + bld r14,7 + bst r12,6 + bld r0,0 + bst r13,1 + bld r12,6 + bst r14,2 + bld r13,1 + bst r13,4 + bld r14,2 + bst r15,3 + bld r13,4 + bst r0,0 + bld r15,3 + movw r18,r12 + movw r20,r14 + movw r12,r22 + movw r14,r2 + movw 
r22,r18 + movw r2,r20 + and r18,r4 + and r19,r5 + and r20,r6 + and r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + ret +1175: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+17 + ldd r27,Y+18 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_decrypt, .-gift128b_decrypt + +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128b-tiny-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128b-tiny-avr.S new file mode 100644 index 0000000..e7a03f1 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-gift128b-tiny-avr.S 
@@ -0,0 +1,6766 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + +#include "internal-gift128-config.h" + +#if GIFT128_VARIANT == GIFT128_VARIANT_TINY + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 160 +table_0: + .byte 8 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 128 + .byte 1 + .byte 128 + .byte 2 + .byte 0 + .byte 0 + .byte 84 + .byte 129 + .byte 1 + .byte 1 + .byte 1 + .byte 31 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 136 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 81 + .byte 128 + .byte 1 + .byte 3 + .byte 3 + .byte 47 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 96 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 65 + .byte 128 + .byte 0 + .byte 3 + .byte 3 + .byte 39 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 64 + .byte 2 + .byte 0 + .byte 80 + .byte 17 + .byte 128 + .byte 1 + .byte 2 + .byte 3 + .byte 43 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 8 + .byte 8 + .byte 16 + .byte 0 + .byte 64 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 64 + .byte 1 + .byte 128 + .byte 0 + .byte 2 + .byte 2 + .byte 33 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 192 + .byte 1 + .byte 0 + .byte 2 + .byte 0 + .byte 0 + .byte 81 + .byte 128 + .byte 1 + .byte 1 + .byte 3 + .byte 46 + .byte 0 + .byte 0 + .byte 128 + .byte 0 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 32 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 64 + .byte 128 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 0 + .byte 0 + .byte 128 + .byte 8 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 160 + .byte 1 + .byte 192 + .byte 2 + .byte 0 + .byte 80 + .byte 20 + .byte 129 + .byte 1 + .byte 2 + .byte 1 + .byte 26 + .byte 0 + .byte 0 + .byte 128 + 
+ .text +.global gift128b_init + .type gift128b_init, @function +gift128b_init: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + movw r30,r24 + movw r26,r22 +.L__stack_usage = 16 + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + st Z,r22 + std Z+1,r23 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size gift128b_init, .-gift128b_init + + .text +.global gift128b_encrypt + .type gift128b_encrypt, @function +gift128b_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + movw r30,r28 + adiw r30,1 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + ldi r24,4 +35: + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + 
lsr r3 + ror r2 + ror r0 + or r3,r0 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + mov r0,r22 + mov r22,r4 + mov r4,r0 + mov r0,r23 + mov r23,r5 + mov r5,r0 + mov r0,r2 + mov r2,r6 + mov r6,r0 + mov r0,r3 + mov r3,r7 + mov r7,r0 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + mov r0,r10 + mov r10,r14 + mov r14,r0 + mov r0,r11 + mov r11,r15 + mov r15,r0 + dec r24 + breq 5117f + rjmp 35b +5117: + subi r30,80 + sbc r31,r1 + ldi r24,2 +121: + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 
+ lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + st Z,r3 + std Z+1,r23 + std Z+2,r2 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor 
r2,r20 + eor r3,r21 + std Z+4,r3 + std Z+5,r23 + std Z+6,r2 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+8,r3 + std Z+9,r23 + std Z+10,r2 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + movw r18,r22 + 
movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+12,r3 + std Z+13,r23 + std Z+14,r2 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + 
andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r3 + std Z+17,r23 + std Z+18,r2 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor 
r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+20,r3 + std Z+21,r23 + std Z+22,r2 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor 
r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+24,r3 + std Z+25,r23 + std Z+26,r2 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r2,Z+30 + ldd r3,Z+31 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 
+ ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+28,r3 + std Z+29,r23 + std Z+30,r2 + std Z+31,r22 + dec r24 + breq 1270f + adiw r30,40 + rjmp 121b +1270: + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in 
r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 1329f + rcall 1329f + rjmp 2541f +1329: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + 
ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 
+ com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov 
r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + 
lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + 
elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if 
defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +2067: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc r26,r1 + lsl 
r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + 
ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 + rol r3 + 
adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +2541: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc r29,r1 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt, .-gift128b_encrypt + + .text +.global gift128b_encrypt_preloaded + .type gift128b_encrypt_preloaded, @function +gift128b_encrypt_preloaded: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + movw r30,r28 + adiw r30,1 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + ldi r24,4 +35: + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r3 + 
ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + mov r0,r22 + mov r22,r4 + mov r4,r0 + mov r0,r23 + mov r23,r5 + mov r5,r0 + mov r0,r2 + mov r2,r6 + mov r6,r0 + mov r0,r3 + mov r3,r7 + mov r7,r0 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + mov r0,r10 + mov r10,r14 + mov r14,r0 + mov r0,r11 + mov r11,r15 + mov r15,r0 + dec r24 + breq 5117f + rjmp 35b +5117: + subi r30,80 + sbc r31,r1 + ldi r24,2 +121: + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov 
r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + st Z,r3 + std Z+1,r23 + std Z+2,r2 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + 
eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+4,r3 + std Z+5,r23 + std Z+6,r2 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+8,r3 + std Z+9,r23 + std Z+10,r2 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + 
movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+12,r3 + std Z+13,r23 + std Z+14,r2 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + 
andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r3 + std Z+17,r23 + std Z+18,r2 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor 
r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+20,r3 + std Z+21,r23 + std Z+22,r2 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor 
r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+24,r3 + std Z+25,r23 + std Z+26,r2 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r2,Z+30 + ldd r3,Z+31 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror 
r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+28,r3 + std Z+29,r23 + std Z+30,r2 + std Z+31,r22 + dec r24 + breq 1270f + adiw r30,40 + rjmp 121b +1270: + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + ld r14,X+ + ld r15,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + 
in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 1329f + rcall 1329f + rjmp 2541f +1329: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 
+ ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor 
r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + 
mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z 
+#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if 
defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + 
inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +2067: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc 
r26,r1 + lsl r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 
+ lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 
+ rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +2541: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc r29,r1 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + st X+,r12 + st X+,r13 + st X+,r14 + st X+,r15 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 40 +table_1: + .byte 1 + .byte 3 + .byte 7 + .byte 15 + .byte 31 + .byte 62 + .byte 61 + .byte 59 + .byte 55 + .byte 47 + .byte 30 + .byte 60 + .byte 57 + .byte 51 + .byte 39 + .byte 14 + .byte 29 + .byte 58 + .byte 53 + .byte 43 + .byte 22 + .byte 44 + .byte 24 + .byte 48 + .byte 33 + .byte 2 + .byte 5 + .byte 11 + .byte 23 + .byte 46 + .byte 28 + .byte 56 + .byte 49 + .byte 35 + .byte 6 + .byte 13 + .byte 27 + .byte 54 + .byte 45 + .byte 26 + + .text +.global gift128b_decrypt + .type gift128b_decrypt, @function +gift128b_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 35 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld 
r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Z+8 + ldd r27,Z+9 + ldd r24,Z+10 + ldd r25,Z+11 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ld r26,Z + ldd r27,Z+1 + ldd r24,Z+2 + ldd r25,Z+3 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r17,hh8(table_1) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif + ldi r16,40 +114: + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + std Y+13,r26 + std Y+14,r27 + std Y+15,r24 + std Y+16,r25 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r24,Y+3 + ldd r25,Y+4 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + ldd r0,Y+13 + eor r8,r0 + ldd r0,Y+14 + eor r9,r0 + ldd r0,Y+15 + eor r10,r0 + ldd r0,Y+16 + eor r11,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Y+5 + ldd r27,Y+6 + ldd r24,Y+7 
+ ldd r25,Y+8 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + ldd r0,Y+1 + eor r8,r0 + ldd r0,Y+2 + eor r9,r0 + ldd r0,Y+3 + eor r10,r0 + ldd r0,Y+4 + eor r11,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Y+9 + ldd r27,Y+10 + ldd r24,Y+11 + ldd r25,Y+12 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r24,Y+15 + ldd r25,Y+16 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + cpse r16,r1 + rjmp 114b + rjmp 611f +266: + eor r4,r26 + eor r5,r27 + eor r6,r24 + eor r7,r25 + ldi r18,128 + eor r15,r18 + dec r16 + mov r30,r16 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + bst r22,1 + bld r0,0 + bst r3,0 + bld r22,1 + bst r22,6 + bld r3,0 + bst r2,1 + bld r22,6 + bst r3,4 + bld r2,1 + bst r22,7 + bld r3,4 + bst r23,1 + bld r22,7 + bst r3,2 + bld r23,1 + bst r2,6 + bld r3,2 + bst r2,5 + bld r2,6 + bst r3,5 + bld r2,5 + bst r3,7 + bld r3,5 + bst r23,7 + bld r3,7 + bst r23,3 + bld r23,7 + bst r23,2 + bld r23,3 + bst r2,2 + bld r23,2 + bst r2,4 + bld r2,2 + bst r22,5 + bld r2,4 + bst r3,1 + bld r22,5 + bst r3,6 + bld r3,1 + bst r2,7 + bld r3,6 + bst r23,5 + bld r2,7 + bst r3,3 + bld r23,5 + bst r23,6 + bld r3,3 + bst r2,3 + bld r23,6 + bst 
r23,4 + bld r2,3 + bst r22,3 + bld r23,4 + bst r23,0 + bld r22,3 + bst r22,2 + bld r23,0 + bst r2,0 + bld r22,2 + bst r22,4 + bld r2,0 + bst r0,0 + bld r22,4 + bst r4,0 + bld r0,0 + bst r5,0 + bld r4,0 + bst r5,2 + bld r5,0 + bst r7,2 + bld r5,2 + bst r7,6 + bld r7,2 + bst r7,7 + bld r7,6 + bst r6,7 + bld r7,7 + bst r6,5 + bld r6,7 + bst r4,5 + bld r6,5 + bst r4,1 + bld r4,5 + bst r0,0 + bld r4,1 + bst r4,2 + bld r0,0 + bst r7,0 + bld r4,2 + bst r5,6 + bld r7,0 + bst r7,3 + bld r5,6 + bst r6,6 + bld r7,3 + bst r7,5 + bld r6,6 + bst r4,7 + bld r7,5 + bst r6,1 + bld r4,7 + bst r4,4 + bld r6,1 + bst r5,1 + bld r4,4 + bst r0,0 + bld r5,1 + bst r4,3 + bld r0,0 + bst r6,0 + bld r4,3 + bst r5,4 + bld r6,0 + bst r5,3 + bld r5,4 + bst r6,2 + bld r5,3 + bst r7,4 + bld r6,2 + bst r5,7 + bld r7,4 + bst r6,3 + bld r5,7 + bst r6,4 + bld r6,3 + bst r5,5 + bld r6,4 + bst r0,0 + bld r5,5 + bst r4,6 + bld r0,0 + bst r7,1 + bld r4,6 + bst r0,0 + bld r7,1 + bst r8,0 + bld r0,0 + bst r10,0 + bld r8,0 + bst r10,4 + bld r10,0 + bst r10,5 + bld r10,4 + bst r9,5 + bld r10,5 + bst r9,3 + bld r9,5 + bst r11,2 + bld r9,3 + bst r8,6 + bld r11,2 + bst r8,1 + bld r8,6 + bst r9,0 + bld r8,1 + bst r10,2 + bld r9,0 + bst r8,4 + bld r10,2 + bst r10,1 + bld r8,4 + bst r9,4 + bld r10,1 + bst r10,3 + bld r9,4 + bst r11,4 + bld r10,3 + bst r10,7 + bld r11,4 + bst r11,5 + bld r10,7 + bst r9,7 + bld r11,5 + bst r11,3 + bld r9,7 + bst r11,6 + bld r11,3 + bst r8,7 + bld r11,6 + bst r11,1 + bld r8,7 + bst r9,6 + bld r11,1 + bst r8,3 + bld r9,6 + bst r11,0 + bld r8,3 + bst r10,6 + bld r11,0 + bst r8,5 + bld r10,6 + bst r9,1 + bld r8,5 + bst r9,2 + bld r9,1 + bst r8,2 + bld r9,2 + bst r0,0 + bld r8,2 + bst r12,0 + bld r0,0 + bst r15,0 + bld r12,0 + bst r15,6 + bld r15,0 + bst r13,7 + bld r15,6 + bst r12,3 + bld r13,7 + bst r0,0 + bld r12,3 + bst r12,1 + bld r0,0 + bst r14,0 + bld r12,1 + bst r15,4 + bld r14,0 + bst r15,7 + bld r15,4 + bst r12,7 + bld r15,7 + bst r0,0 + bld r12,7 + bst r12,2 + bld r0,0 + bst 
r13,0 + bld r12,2 + bst r15,2 + bld r13,0 + bst r13,6 + bld r15,2 + bst r13,3 + bld r13,6 + bst r0,0 + bld r13,3 + bst r12,4 + bld r0,0 + bst r15,1 + bld r12,4 + bst r14,6 + bld r15,1 + bst r13,5 + bld r14,6 + bst r14,3 + bld r13,5 + bst r0,0 + bld r14,3 + bst r12,5 + bld r0,0 + bst r14,1 + bld r12,5 + bst r14,4 + bld r14,1 + bst r15,5 + bld r14,4 + bst r14,7 + bld r15,5 + bst r0,0 + bld r14,7 + bst r12,6 + bld r0,0 + bst r13,1 + bld r12,6 + bst r14,2 + bld r13,1 + bst r13,4 + bld r14,2 + bst r15,3 + bld r13,4 + bst r0,0 + bld r15,3 + movw r18,r12 + movw r20,r14 + movw r12,r22 + movw r14,r2 + movw r22,r18 + movw r2,r20 + and r18,r4 + and r19,r5 + and r20,r6 + and r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + ret +611: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+17 + ldd r27,Y+18 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_decrypt, .-gift128b_decrypt + +#endif + +#endif 
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-util.h b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-util.h +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
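Review bot: The new `LW_CRYPTO_ROTATE32_COMPOSED` selector is tied exclusively to `__AVR__`, so the composed rotation family it enables can only be exercised on AVR builds, and a wrong composition would pass every host-side known-answer test unnoticed. I would let a host build opt in so the two macro families can be checked against each other under the existing test vectors: `#if defined(__AVR__) || defined(LW_CRYPTO_ROTATE32_FORCE_COMPOSED)`. The rest of the selector (`#define LW_CRYPTO_ROTATE32_COMPOSED 1` / `0`) stays as written; the generic `leftRotate`/`rightRotate` definitions this switches between sit outside this hunk.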
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.c b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.c index 984a4db..d192b8e 100644 
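Review bot: The composed macros nest the generic `leftRotate`/`rightRotate` up to five levels deep (e.g. `leftRotate20`), so their single-evaluation behaviour depends entirely on the generic macros caching the operand in the `_temp` statement-expression temporary that is visible at the tail of the earlier hunk; each inner level declares its own `_temp` inside the outer one's initializer, which is legal but will trip `-Wshadow`, and if any non-GNU fallback of the generic macro ever evaluates its argument more than once the nesting multiplies that to 32 evaluations of `a`. The rotation amounts themselves check out (every `leftRotateN` composes to N mod 32 and every `rightRotateN` maps to `leftRotate(32-N)`). I would pin the dependency in the block's lead comment: `/* Each level below evaluates its operand exactly once because leftRotate()/rightRotate() cache it in a temporary; keep the generic macros single-evaluation or these compositions become exponential. */`. The generic macro definitions that this relies on are outside the hunk, so this is inferred from the visible `_temp` tail only.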
--- a/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.c +++ b/sundae-gift/Implementations/crypto_aead/sundaegift64v1/rhys/sundae-gift.c @@ -140,8 +140,7 @@ static int sundae_gift_aead_encrypt *clen = mlen + SUNDAE_GIFT_TAG_SIZE; /* Set the key schedule */ - if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) - return -1; + gift128b_init(&ks, k); /* Format and encrypt the initial domain separation block */ if (adlen > 0) @@ -205,8 +204,7 @@ static int sundae_gift_aead_decrypt len = *mlen = clen - SUNDAE_GIFT_TAG_SIZE; /* Set the key schedule */ - if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) - return -1; + gift128b_init(&ks, k); /* Decrypt the ciphertext to produce the plaintext, using the * tag as the initialization vector for the decryption process */ diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/aead-common.c b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/aead-common.c +++ /dev/null 
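Review bot: Dropping the `if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE)) return -1;` guard removes the only key-length check visible in `sundae_gift_aead_encrypt` and `sundae_gift_aead_decrypt`; the new `gift128b_init(&ks, k)` takes no size, so the contract that `k` holds a full fixed-size key now rests silently on the caller. Since the new initialiser apparently cannot fail, the call is fine, but the assumption should be written down where the old check used to be: `/* gift128b_init() reads a fixed-size key from k and cannot fail; the caller must supply exactly SUNDAE_GIFT_KEY_SIZE bytes. */`. Both functions start and end outside the hunks, so whether `ks` is wiped before return cannot be seen here and is worth a separate look.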
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/aead-common.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/api.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/api.h deleted file mode 100644 index c3c0a27..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 12 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/encrypt.c b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/encrypt.c deleted file mode 100644 index a358142..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@ - -#include "sundae-gift.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return sundae_gift_96_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return sundae_gift_96_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128-config.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128-config.h deleted file mode 100644 index 62131ba..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128-config.h +++ /dev/null 
@@ -1,80 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_GIFT128_CONFIG_H -#define LW_INTERNAL_GIFT128_CONFIG_H - -/** - * \file internal-gift128-config.h - * \brief Configures the variant of GIFT-128 to use. - */ - -/** - * \brief Select the full variant of GIFT-128. - * - * The full variant requires 320 bytes for the key schedule and uses the - * fixslicing method to implement encryption and decryption. - */ -#define GIFT128_VARIANT_FULL 0 - -/** - * \brief Select the small variant of GIFT-128. - * - * The small variant requires 80 bytes for the key schedule. The rest - * of the key schedule is expanded on the fly during encryption. - * - * The fixslicing method is used to implement encryption and the slower - * bitslicing method is used to implement decryption. 
The small variant - * is suitable when memory is at a premium, decryption is not needed, - * but encryption performance is still important. - */ -#define GIFT128_VARIANT_SMALL 1 - -/** - * \brief Select the tiny variant of GIFT-128. - * - * The tiny variant requires 16 bytes for the key schedule and uses the - * bitslicing method to implement encryption and decryption. It is suitable - * for use when memory is very tight and performance is not critical. - */ -#define GIFT128_VARIANT_TINY 2 - -/** - * \def GIFT128_VARIANT - * \brief Selects the default variant of GIFT-128 to use on this platform. - */ -/** - * \def GIFT128_VARIANT_ASM - * \brief Defined to 1 if the GIFT-128 implementation has been replaced - * with an assembly code version. - */ -#if defined(__AVR__) && !defined(GIFT128_VARIANT_ASM) -#define GIFT128_VARIANT_ASM 1 -#endif -#if !defined(GIFT128_VARIANT) -#define GIFT128_VARIANT GIFT128_VARIANT_FULL -#endif -#if !defined(GIFT128_VARIANT_ASM) -#define GIFT128_VARIANT_ASM 0 -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128.c b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128.c deleted file mode 100644 index c6ac5ec..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128.c +++ /dev/null 
@@ -1,1498 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-gift128.h" -#include "internal-util.h" - -#if !GIFT128_VARIANT_ASM - -#if GIFT128_VARIANT != GIFT128_VARIANT_TINY - -/* Round constants for GIFT-128 in the fixsliced representation */ -static uint32_t const GIFT128_RC_fixsliced[40] = { - 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, - 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, - 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, - 0x03020180, 0x8000002b, 0x10080880, 0x60014000, 0x01400002, 0x02020080, - 0x80000021, 0x10000080, 0x0001c000, 0x51000002, 0x03010180, 0x8000002e, - 0x10088800, 0x60012000, 0x40500002, 0x01030080, 0x80000006, 0x10008808, - 0xc001a000, 0x14500002, 0x01020181, 0x8000001a -}; - -#endif - -#if GIFT128_VARIANT != GIFT128_VARIANT_FULL - -/* Round constants for GIFT-128 in the bitsliced representation */ -static uint8_t const GIFT128_RC[40] = { - 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, - 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, - 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, - 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38, - 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A -}; - -#endif - -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) - -/* - * The permutation below was generated by the online permuation generator at - * "http://programming.sirrida.de/calcperm.php". 
- * - * All of the permutuations are essentially the same, except that each is - * rotated by 8 bits with respect to the next: - * - * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15 - * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23 - * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31 - * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7 - * - * The most efficient permutation from the online generator was P3, so we - * perform it as the core of the others, and then perform a final rotation. - * - * It is possible to do slightly better than "P3 then rotate" on desktop and - * server architectures for the other permutations. But the advantage isn't - * as evident on embedded platforms so we keep things simple. - */ -#define PERM3_INNER(x) \ - do { \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x000000ff, 24); \ - } while (0) -#define PERM0(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate8(_x); \ - } while (0) -#define PERM1(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate16(_x); \ - } while (0) -#define PERM2(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = leftRotate24(_x); \ - } while (0) -#define PERM3(x) \ - do { \ - uint32_t _x = (x); \ - PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) - -#define INV_PERM3_INNER(x) \ - do { \ - bit_permute_step(x, 0x00550055, 9); \ - bit_permute_step(x, 0x00003333, 18); \ - bit_permute_step(x, 0x000f000f, 12); \ - bit_permute_step(x, 0x000000ff, 24); \ - } while (0) -#define INV_PERM0(x) \ - do { \ - uint32_t _x = rightRotate8(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM1(x) \ - do { \ - uint32_t _x = rightRotate16(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } 
while (0) -#define INV_PERM2(x) \ - do { \ - uint32_t _x = rightRotate24(x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) -#define INV_PERM3(x) \ - do { \ - uint32_t _x = (x); \ - INV_PERM3_INNER(_x); \ - (x) = _x; \ - } while (0) - -/** - * \brief Converts the GIFT-128 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. - * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift128n_to_words - (unsigned char *output, const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Load the input buffer into 32-bit words. We use the nibble order - * from the HYENA submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-128 paper. Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 12); - s1 = le_load_word32(input + 8); - s2 = le_load_word32(input + 4); - s3 = le_load_word32(input); - - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". 
- */ - #define PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - PERM_WORDS(s0); - PERM_WORDS(s1); - PERM_WORDS(s2); - PERM_WORDS(s3); - - /* Rearrange the bytes and write them to the output buffer */ - output[0] = (uint8_t)s0; - output[1] = (uint8_t)s1; - output[2] = (uint8_t)s2; - output[3] = (uint8_t)s3; - output[4] = (uint8_t)(s0 >> 8); - output[5] = (uint8_t)(s1 >> 8); - output[6] = (uint8_t)(s2 >> 8); - output[7] = (uint8_t)(s3 >> 8); - output[8] = (uint8_t)(s0 >> 16); - output[9] = (uint8_t)(s1 >> 16); - output[10] = (uint8_t)(s2 >> 16); - output[11] = (uint8_t)(s3 >> 16); - output[12] = (uint8_t)(s0 >> 24); - output[13] = (uint8_t)(s1 >> 24); - output[14] = (uint8_t)(s2 >> 24); - output[15] = (uint8_t)(s3 >> 24); -} - -/** - * \brief Converts the GIFT-128 word-based representation into nibble-based. - * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. 
- */ -static void gift128n_to_nibbles - (unsigned char *output, const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Load the input bytes and rearrange them so that s0 contains the - * most significant nibbles and s3 contains the least significant */ - s0 = (((uint32_t)(input[12])) << 24) | - (((uint32_t)(input[8])) << 16) | - (((uint32_t)(input[4])) << 8) | - ((uint32_t)(input[0])); - s1 = (((uint32_t)(input[13])) << 24) | - (((uint32_t)(input[9])) << 16) | - (((uint32_t)(input[5])) << 8) | - ((uint32_t)(input[1])); - s2 = (((uint32_t)(input[14])) << 24) | - (((uint32_t)(input[10])) << 16) | - (((uint32_t)(input[6])) << 8) | - ((uint32_t)(input[2])); - s3 = (((uint32_t)(input[15])) << 24) | - (((uint32_t)(input[11])) << 16) | - (((uint32_t)(input[7])) << 8) | - ((uint32_t)(input[3])); - - /* Apply the inverse of PERM_WORDS() from the function above */ - #define INV_PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - INV_PERM_WORDS(s0); - INV_PERM_WORDS(s1); - INV_PERM_WORDS(s2); - INV_PERM_WORDS(s3); - - /* Store the result into the output buffer as 32-bit words */ - le_store_word32(output + 12, s0); - le_store_word32(output + 8, s1); - le_store_word32(output + 4, s2); - le_store_word32(output, s3); -} - -void gift128n_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - gift128n_to_words(output, input); - gift128b_encrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} - -void gift128n_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - gift128n_to_words(output, input); - gift128b_decrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} - -#if GIFT128_VARIANT != GIFT128_VARIANT_TINY - -/** - * \brief Swaps bits within two words. 
- * - * \param a The first word. - * \param b The second word. - * \param mask Mask for the bits to shift. - * \param shift Shift amount in bits. - */ -#define gift128b_swap_move(a, b, mask, shift) \ - do { \ - uint32_t tmp = ((b) ^ ((a) >> (shift))) & (mask); \ - (b) ^= tmp; \ - (a) ^= tmp << (shift); \ - } while (0) - -/** - * \brief Derives the next 10 fixsliced keys in the key schedule. - * - * \param next Points to the buffer to receive the next 10 keys. - * \param prev Points to the buffer holding the previous 10 keys. - * - * The \a next and \a prev buffers are allowed to be the same. - */ -#define gift128b_derive_keys(next, prev) \ - do { \ - /* Key 0 */ \ - uint32_t s = (prev)[0]; \ - uint32_t t = (prev)[1]; \ - gift128b_swap_move(t, t, 0x00003333U, 16); \ - gift128b_swap_move(t, t, 0x55554444U, 1); \ - (next)[0] = t; \ - /* Key 1 */ \ - s = leftRotate8(s & 0x33333333U) | leftRotate16(s & 0xCCCCCCCCU); \ - gift128b_swap_move(s, s, 0x55551100U, 1); \ - (next)[1] = s; \ - /* Key 2 */ \ - s = (prev)[2]; \ - t = (prev)[3]; \ - (next)[2] = ((t >> 4) & 0x0F000F00U) | ((t & 0x0F000F00U) << 4) | \ - ((t >> 6) & 0x00030003U) | ((t & 0x003F003FU) << 2); \ - /* Key 3 */ \ - (next)[3] = ((s >> 6) & 0x03000300U) | ((s & 0x3F003F00U) << 2) | \ - ((s >> 5) & 0x00070007U) | ((s & 0x001F001FU) << 3); \ - /* Key 4 */ \ - s = (prev)[4]; \ - t = (prev)[5]; \ - (next)[4] = leftRotate8(t & 0xAAAAAAAAU) | \ - leftRotate16(t & 0x55555555U); \ - /* Key 5 */ \ - (next)[5] = leftRotate8(s & 0x55555555U) | \ - leftRotate12(s & 0xAAAAAAAAU); \ - /* Key 6 */ \ - s = (prev)[6]; \ - t = (prev)[7]; \ - (next)[6] = ((t >> 2) & 0x03030303U) | ((t & 0x03030303U) << 2) | \ - ((t >> 1) & 0x70707070U) | ((t & 0x10101010U) << 3); \ - /* Key 7 */ \ - (next)[7] = ((s >> 18) & 0x00003030U) | ((s & 0x01010101U) << 3) | \ - ((s >> 14) & 0x0000C0C0U) | ((s & 0x0000E0E0U) << 15) | \ - ((s >> 1) & 0x07070707U) | ((s & 0x00001010U) << 19); \ - /* Key 8 */ \ - s = (prev)[8]; \ - t = (prev)[9]; \ - 
(next)[8] = ((t >> 4) & 0x0FFF0000U) | ((t & 0x000F0000U) << 12) | \ - ((t >> 8) & 0x000000FFU) | ((t & 0x000000FFU) << 8); \ - /* Key 9 */ \ - (next)[9] = ((s >> 6) & 0x03FF0000U) | ((s & 0x003F0000U) << 10) | \ - ((s >> 4) & 0x00000FFFU) | ((s & 0x0000000FU) << 12); \ - } while (0) - -/** - * \brief Compute the round keys for GIFT-128 in the fixsliced representation. - * - * \param ks Points to the key schedule to initialize. - * \param k0 First key word. - * \param k1 Second key word. - * \param k2 Third key word. - * \param k3 Fourth key word. - */ -static void gift128b_compute_round_keys - (gift128b_key_schedule_t *ks, - uint32_t k0, uint32_t k1, uint32_t k2, uint32_t k3) -{ - unsigned index; - uint32_t temp; - - /* Set the regular key with k0 and k3 pre-swapped for the round function */ - ks->k[0] = k3; - ks->k[1] = k1; - ks->k[2] = k2; - ks->k[3] = k0; - - /* Pre-compute the keys for rounds 3..10 and permute into fixsliced form */ - for (index = 4; index < 20; index += 2) { - ks->k[index] = ks->k[index - 3]; - temp = ks->k[index - 4]; - temp = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - ks->k[index + 1] = temp; - } - for (index = 0; index < 20; index += 10) { - /* Keys 0 and 10 */ - temp = ks->k[index]; - gift128b_swap_move(temp, temp, 0x00550055U, 9); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index] = temp; - - /* Keys 1 and 11 */ - temp = ks->k[index + 1]; - gift128b_swap_move(temp, temp, 0x00550055U, 9); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 1] = temp; - - /* Keys 2 and 12 */ - temp = ks->k[index + 2]; - gift128b_swap_move(temp, temp, 0x11111111U, 3); - gift128b_swap_move(temp, temp, 0x03030303U, 6); - gift128b_swap_move(temp, 
temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 2] = temp; - - /* Keys 3 and 13 */ - temp = ks->k[index + 3]; - gift128b_swap_move(temp, temp, 0x11111111U, 3); - gift128b_swap_move(temp, temp, 0x03030303U, 6); - gift128b_swap_move(temp, temp, 0x000F000FU, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 3] = temp; - - /* Keys 4 and 14 */ - temp = ks->k[index + 4]; - gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 4] = temp; - - /* Keys 5 and 15 */ - temp = ks->k[index + 5]; - gift128b_swap_move(temp, temp, 0x0000AAAAU, 15); - gift128b_swap_move(temp, temp, 0x00003333U, 18); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 5] = temp; - - /* Keys 6 and 16 */ - temp = ks->k[index + 6]; - gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); - gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 6] = temp; - - /* Keys 7 and 17 */ - temp = ks->k[index + 7]; - gift128b_swap_move(temp, temp, 0x0A0A0A0AU, 3); - gift128b_swap_move(temp, temp, 0x00CC00CCU, 6); - gift128b_swap_move(temp, temp, 0x0000F0F0U, 12); - gift128b_swap_move(temp, temp, 0x000000FFU, 24); - ks->k[index + 7] = temp; - - /* Keys 8, 9, 18, and 19 do not need any adjustment */ - } - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - /* Derive the fixsliced keys for the remaining rounds 11..40 */ - for (index = 20; index < 80; index += 10) { - gift128b_derive_keys(ks->k + index, ks->k + index - 20); - } -#endif -} - -void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) -{ - gift128b_compute_round_keys - (ks, be_load_word32(key), be_load_word32(key + 4), - be_load_word32(key + 8), 
be_load_word32(key + 12)); -} - -void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) -{ - /* Use the little-endian key byte order from the HYENA submission */ - gift128b_compute_round_keys - (ks, le_load_word32(key + 12), le_load_word32(key + 8), - le_load_word32(key + 4), le_load_word32(key)); -} - -/** - * \brief Performs the GIFT-128 S-box on the bit-sliced state. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_sbox(s0, s1, s2, s3) \ - do { \ - s1 ^= s0 & s2; \ - s0 ^= s1 & s3; \ - s2 ^= s0 | s1; \ - s3 ^= s2; \ - s1 ^= s3; \ - s3 ^= 0xFFFFFFFFU; \ - s2 ^= s0 & s1; \ - } while (0) - -/** - * \brief Performs the inverse of the GIFT-128 S-box on the bit-sliced state. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_sbox(s0, s1, s2, s3) \ - do { \ - s2 ^= s3 & s1; \ - s0 ^= 0xFFFFFFFFU; \ - s1 ^= s0; \ - s0 ^= s2; \ - s2 ^= s3 | s1; \ - s3 ^= s1 & s0; \ - s1 ^= s3 & s2; \ - } while (0) - -/** - * \brief Permutes the GIFT-128 state between the 1st and 2nd mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_1(s0, s1, s2, s3) \ - do { \ - s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ - s2 = ((s2 >> 3) & 0x11111111U) | ((s2 & 0x77777777U) << 1); \ - s3 = ((s3 >> 1) & 0x77777777U) | ((s3 & 0x11111111U) << 3); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 2nd and 3rd mini-rounds. - * - * \param s0 First word of the bit-sliced state. 
- * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_2(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 4) & 0x0FFF0FFFU) | ((s0 & 0x000F000FU) << 12); \ - s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ - s2 = ((s2 >> 12) & 0x000F000FU) | ((s2 & 0x0FFF0FFFU) << 4); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 3rd and 4th mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_3(s0, s1, s2, s3) \ - do { \ - gift128b_swap_move(s1, s1, 0x55555555U, 1); \ - s2 = leftRotate16(s2); \ - gift128b_swap_move(s2, s2, 0x00005555U, 1); \ - s3 = leftRotate16(s3); \ - gift128b_swap_move(s3, s3, 0x55550000U, 1); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 4th and 5th mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_permute_state_4(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 6) & 0x03030303U) | ((s0 & 0x3F3F3F3FU) << 2); \ - s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ - s2 = ((s2 >> 2) & 0x3F3F3F3FU) | ((s2 & 0x03030303U) << 6); \ - } while (0); - -/** - * \brief Permutes the GIFT-128 state between the 5th and 1st mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. 
- */ -#define gift128b_permute_state_5(s0, s1, s2, s3) \ - do { \ - s1 = leftRotate16(s1); \ - s2 = rightRotate8(s2); \ - s3 = leftRotate8(s3); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 1st and 2nd mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_1(s0, s1, s2, s3) \ - do { \ - s1 = ((s1 >> 2) & 0x33333333U) | ((s1 & 0x33333333U) << 2); \ - s2 = ((s2 >> 1) & 0x77777777U) | ((s2 & 0x11111111U) << 3); \ - s3 = ((s3 >> 3) & 0x11111111U) | ((s3 & 0x77777777U) << 1); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 2nd and 3rd mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_2(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 12) & 0x000F000FU) | ((s0 & 0x0FFF0FFFU) << 4); \ - s1 = ((s1 >> 8) & 0x00FF00FFU) | ((s1 & 0x00FF00FFU) << 8); \ - s2 = ((s2 >> 4) & 0x0FFF0FFFU) | ((s2 & 0x000F000FU) << 12); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 3rd and 4th mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_3(s0, s1, s2, s3) \ - do { \ - gift128b_swap_move(s1, s1, 0x55555555U, 1); \ - gift128b_swap_move(s2, s2, 0x00005555U, 1); \ - s2 = leftRotate16(s2); \ - gift128b_swap_move(s3, s3, 0x55550000U, 1); \ - s3 = leftRotate16(s3); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 4th and 5th mini-rounds. - * - * \param s0 First word of the bit-sliced state. 
- * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_4(s0, s1, s2, s3) \ - do { \ - s0 = ((s0 >> 2) & 0x3F3F3F3FU) | ((s0 & 0x03030303U) << 6); \ - s1 = ((s1 >> 4) & 0x0F0F0F0FU) | ((s1 & 0x0F0F0F0FU) << 4); \ - s2 = ((s2 >> 6) & 0x03030303U) | ((s2 & 0x3F3F3F3FU) << 2); \ - } while (0); - -/** - * \brief Inverts the GIFT-128 state between the 5th and 1st mini-rounds. - * - * \param s0 First word of the bit-sliced state. - * \param s1 Second word of the bit-sliced state. - * \param s2 Third word of the bit-sliced state. - * \param s3 Fourth word of the bit-sliced state. - */ -#define gift128b_inv_permute_state_5(s0, s1, s2, s3) \ - do { \ - s1 = leftRotate16(s1); \ - s2 = leftRotate8(s2); \ - s3 = rightRotate8(s3); \ - } while (0); - -/** - * \brief Performs five fixsliced encryption rounds for GIFT-128. - * - * \param rk Points to the 10 round keys for these rounds. - * \param rc Points to the round constants for these rounds. - * - * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. - * - * The permutation is restructured so that one of the words each round - * does not need to be permuted, with the others rotating left, up, right, - * and down to keep the bits in line with their non-moving counterparts. - * This reduces the number of shifts required significantly. - * - * At the end of five rounds, the bit ordering will return to the - * original position. We then repeat the process for the next 5 rounds. 
- */ -#define gift128b_encrypt_5_rounds(rk, rc) \ - do { \ - /* 1st round - S-box, rotate left, add round key */ \ - gift128b_sbox(s0, s1, s2, s3); \ - gift128b_permute_state_1(s0, s1, s2, s3); \ - s1 ^= (rk)[0]; \ - s2 ^= (rk)[1]; \ - s0 ^= (rc)[0]; \ - \ - /* 2nd round - S-box, rotate up, add round key */ \ - gift128b_sbox(s3, s1, s2, s0); \ - gift128b_permute_state_2(s0, s1, s2, s3); \ - s1 ^= (rk)[2]; \ - s2 ^= (rk)[3]; \ - s3 ^= (rc)[1]; \ - \ - /* 3rd round - S-box, swap columns, add round key */ \ - gift128b_sbox(s0, s1, s2, s3); \ - gift128b_permute_state_3(s0, s1, s2, s3); \ - s1 ^= (rk)[4]; \ - s2 ^= (rk)[5]; \ - s0 ^= (rc)[2]; \ - \ - /* 4th round - S-box, rotate left and swap rows, add round key */ \ - gift128b_sbox(s3, s1, s2, s0); \ - gift128b_permute_state_4(s0, s1, s2, s3); \ - s1 ^= (rk)[6]; \ - s2 ^= (rk)[7]; \ - s3 ^= (rc)[3]; \ - \ - /* 5th round - S-box, rotate up, add round key */ \ - gift128b_sbox(s0, s1, s2, s3); \ - gift128b_permute_state_5(s0, s1, s2, s3); \ - s1 ^= (rk)[8]; \ - s2 ^= (rk)[9]; \ - s0 ^= (rc)[4]; \ - \ - /* Swap s0 and s3 in preparation for the next 1st round */ \ - s0 ^= s3; \ - s3 ^= s0; \ - s0 ^= s3; \ - } while (0) - -/** - * \brief Performs five fixsliced decryption rounds for GIFT-128. - * - * \param rk Points to the 10 round keys for these rounds. - * \param rc Points to the round constants for these rounds. - * - * We perform all 40 rounds of the fixsliced GIFT-128 five at a time. 
- */ -#define gift128b_decrypt_5_rounds(rk, rc) \ - do { \ - /* Swap s0 and s3 in preparation for the next 5th round */ \ - s0 ^= s3; \ - s3 ^= s0; \ - s0 ^= s3; \ - \ - /* 5th round - S-box, rotate down, add round key */ \ - s1 ^= (rk)[8]; \ - s2 ^= (rk)[9]; \ - s0 ^= (rc)[4]; \ - gift128b_inv_permute_state_5(s0, s1, s2, s3); \ - gift128b_inv_sbox(s3, s1, s2, s0); \ - \ - /* 4th round - S-box, rotate right and swap rows, add round key */ \ - s1 ^= (rk)[6]; \ - s2 ^= (rk)[7]; \ - s3 ^= (rc)[3]; \ - gift128b_inv_permute_state_4(s0, s1, s2, s3); \ - gift128b_inv_sbox(s0, s1, s2, s3); \ - \ - /* 3rd round - S-box, swap columns, add round key */ \ - s1 ^= (rk)[4]; \ - s2 ^= (rk)[5]; \ - s0 ^= (rc)[2]; \ - gift128b_inv_permute_state_3(s0, s1, s2, s3); \ - gift128b_inv_sbox(s3, s1, s2, s0); \ - \ - /* 2nd round - S-box, rotate down, add round key */ \ - s1 ^= (rk)[2]; \ - s2 ^= (rk)[3]; \ - s3 ^= (rc)[1]; \ - gift128b_inv_permute_state_2(s0, s1, s2, s3); \ - gift128b_inv_sbox(s0, s1, s2, s3); \ - \ - /* 1st round - S-box, rotate right, add round key */ \ - s1 ^= (rk)[0]; \ - s2 ^= (rk)[1]; \ - s0 ^= (rc)[0]; \ - gift128b_inv_permute_state_1(s0, s1, s2, s3); \ - gift128b_inv_sbox(s3, s1, s2, s0); \ - } while (0) - -#else /* GIFT128_VARIANT_TINY */ - -void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) -{ - /* Mirror the fixslicing word order of 3, 1, 2, 0 */ - ks->k[0] = be_load_word32(key + 12); - ks->k[1] = be_load_word32(key + 4); - ks->k[2] = be_load_word32(key + 8); - ks->k[3] = be_load_word32(key); -} - -void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) -{ - /* Use the little-endian key byte order from the HYENA submission - * and mirror the fixslicing word order of 3, 1, 2, 0 */ - ks->k[0] = le_load_word32(key); - ks->k[1] = le_load_word32(key + 8); - ks->k[2] = le_load_word32(key + 4); - ks->k[3] = le_load_word32(key + 12); -} - -#endif /* GIFT128_VARIANT_TINY */ - -#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL - -void 
gift128b_encrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t k[20]; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_derive_keys(k, ks->k); - gift128b_derive_keys(k + 10, ks->k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]) -{ - uint32_t s0, s1, s2, s3; - uint32_t k[20]; - - /* Copy the plaintext into local variables */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_derive_keys(k, ks->k); - gift128b_derive_keys(k + 10, ks->k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); - 
gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer */ - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -} - -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - uint32_t k[20]; - - /* Copy the plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method. 
- * Every 5 rounds except the last we add the tweak value to the state */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - s0 ^= tweak; - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - s0 ^= tweak; - gift128b_derive_keys(k, ks->k); - gift128b_derive_keys(k + 10, ks->k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); - s0 ^= tweak; - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); - s0 ^= tweak; - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); - s0 ^= tweak; - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); - s0 ^= tweak; - gift128b_derive_keys(k, k); - gift128b_derive_keys(k + 10, k + 10); - gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); - s0 ^= tweak; - gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL - -void gift128b_encrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - gift128b_encrypt_5_rounds(ks->k + 50, 
GIFT128_RC_fixsliced + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128b_encrypt_preloaded - (const gift128b_key_schedule_t *ks, uint32_t output[4], - const uint32_t input[4]) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into local variables */ - s0 = input[0]; - s1 = input[1]; - s2 = input[2]; - s3 = input[3]; - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - - /* Pack the state into the ciphertext buffer */ - output[0] = s0; - output[1] = s1; - output[2] = s2; - output[3] = s3; -} - -void gift128t_encrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method. 
- * Every 5 rounds except the last we add the tweak value to the state */
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
- s0 ^= tweak;
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
-
- /* Pack the state into the ciphertext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#else /* GIFT128_VARIANT_TINY */
-
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the plaintext into the state buffer and convert from big endian */
- s0 = be_load_word32(input);
- s1 = be_load_word32(input + 4);
- s2 = be_load_word32(input + 8);
- s3 = be_load_word32(input + 12);
-
- /* The key schedule is initialized with the key itself */
- w0 = ks->k[3];
- w1 = ks->k[1];
- w2 = ks->k[2];
- w3 = ks->k[0];
-
- /* Perform all 40 rounds */
- for (round = 0; round < 40; ++round) {
- /* SubCells - apply the S-box */
- s1 ^= s0 & s2;
- s0 ^= s1 & s3;
- s2 ^= s0 | s1;
- s3 ^= s2;
- s1 ^= s3;
- s3 ^= 0xFFFFFFFFU;
- s2 ^= s0 & s1;
- temp = s0;
- s0 = s3;
- s3 = temp;
-
- /* PermBits - apply the 128-bit permutation */
- PERM0(s0);
- PERM1(s1);
- PERM2(s2);
- PERM3(s3);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round];
-
- /* Rotate the key schedule */
- temp = w3;
- w3 = w2;
- w2 = w1;
- w1 = w0;
- w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- }
-
- /* Pack the state into the ciphertext buffer in big endian */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
-}
-
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4])
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the plaintext into the state buffer */
- s0 = input[0];
- s1 = input[1];
- s2 = input[2];
- s3 = input[3];
-
- /* The key schedule is initialized with the key itself */
- w0 = ks->k[3];
- w1 = ks->k[1];
- w2 = ks->k[2];
- w3 = ks->k[0];
-
- /* Perform all 40 rounds */
- for (round = 0; round < 40; ++round) {
- /* SubCells - apply the S-box */
- s1 ^= s0 & s2;
- s0 ^= s1 & s3;
- s2 ^= s0 | s1;
- s3 ^= s2;
- s1 ^= s3;
- s3 ^= 0xFFFFFFFFU;
- s2 ^= s0 & s1;
- temp = s0;
- s0 = s3;
- s3 = temp;
-
- /* PermBits - apply the 128-bit permutation */
- PERM0(s0);
- PERM1(s1);
- PERM2(s2);
- PERM3(s3);
-
- /* AddRoundKey - XOR in the key schedule and the round constant */
- s2 ^= w1;
- s1 ^= w3;
- s3 ^= 0x80000000U ^ GIFT128_RC[round];
-
- /* Rotate the key schedule */
- temp = w3;
- w3 = w2;
- w2 = w1;
- w1 = w0;
- w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) |
- ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12);
- }
-
- /* Pack the state into the ciphertext buffer */
- output[0] = s0;
- output[1] = s1;
- output[2] = s2;
- output[3] = s3;
-}
-
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak)
-{
- uint32_t s0, s1, s2, s3;
- uint32_t w0, w1, w2, w3;
- uint32_t temp;
- uint8_t round;
-
- /* Copy the
plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* The key schedule is initialized with the key itself */ - w0 = ks->k[3]; - w1 = ks->k[1]; - w2 = ks->k[2]; - w3 = ks->k[0]; - - /* Perform all 40 rounds */ - for (round = 0; round < 40; ++round) { - /* SubCells - apply the S-box */ - s1 ^= s0 & s2; - s0 ^= s1 & s3; - s2 ^= s0 | s1; - s3 ^= s2; - s1 ^= s3; - s3 ^= 0xFFFFFFFFU; - s2 ^= s0 & s1; - temp = s0; - s0 = s3; - s3 = temp; - - /* PermBits - apply the 128-bit permutation */ - PERM0(s0); - PERM1(s1); - PERM2(s2); - PERM3(s3); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round]; - - /* AddTweak - XOR in the tweak every 5 rounds except the last */ - if (((round + 1) % 5) == 0 && round < 39) - s0 ^= tweak; - - /* Rotate the key schedule */ - temp = w3; - w3 = w2; - w2 = w1; - w1 = w0; - w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - } - - /* Pack the state into the ciphertext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#endif /* GIFT128_VARIANT_TINY */ - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - -void gift128b_decrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the plaintext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_decrypt_5_rounds(ks->k + 
70, GIFT128_RC_fixsliced + 35); - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - - /* Pack the state into the ciphertext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128t_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - - /* Copy the ciphertext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Perform all 40 rounds five at a time using the fixsliced method. 
- * Every 5 rounds except the first we add the tweak value to the state */ - gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); - s0 ^= tweak; - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); - - /* Pack the state into the plaintext buffer in nibble form */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); - gift128n_to_nibbles(output, output); -} - -#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ - -/* The small variant uses fixslicing for encryption, but we need to change - * to bitslicing for decryption because of the difficulty of fast-forwarding - * the fixsliced key schedule to the end. So the tiny variant is used for - * decryption when the small variant is selected. Since the NIST AEAD modes - * for GIFT-128 only use the block encrypt operation, the inefficiencies - * in decryption don't matter all that much */ - -/** - * \def gift128b_load_and_forward_schedule() - * \brief Generate the decryption key at the end of the last round. 
- * - * To do that, we run the block operation forward to determine the - * final state of the key schedule after the last round: - * - * w0 = ks->k[0]; - * w1 = ks->k[1]; - * w2 = ks->k[2]; - * w3 = ks->k[3]; - * for (round = 0; round < 40; ++round) { - * temp = w3; - * w3 = w2; - * w2 = w1; - * w1 = w0; - * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | - * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); - * } - * - * We can short-cut all of the above by noticing that we don't need - * to do the word rotations. Every 4 rounds, the rotation alignment - * returns to the original position and each word has been rotated - * by applying the "2 right and 4 left" bit-rotation step to it. - * We then repeat that 10 times for the full 40 rounds. The overall - * effect is to apply a "20 right and 40 left" bit-rotation to every - * word in the key schedule. That is equivalent to "4 right and 8 left" - * on the 16-bit sub-words. - */ -#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL -#define gift128b_load_and_forward_schedule() \ - do { \ - w0 = ks->k[3]; \ - w1 = ks->k[1]; \ - w2 = ks->k[2]; \ - w3 = ks->k[0]; \ - w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ - ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ - w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ - ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \ - w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ - ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ - w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ - ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ - } while (0) -#else -/* The small variant needs to also undo some of the rotations that were - * done to generate the fixsliced version of the key schedule */ -#define gift128b_load_and_forward_schedule() \ - do { \ - w0 = ks->k[3]; \ - w1 = ks->k[1]; \ - w2 = ks->k[2]; \ - w3 = ks->k[0]; \ - gift128b_swap_move(w3, w3, 0x000000FFU, 24); \ - 
gift128b_swap_move(w3, w3, 0x00003333U, 18); \ - gift128b_swap_move(w3, w3, 0x000F000FU, 12); \ - gift128b_swap_move(w3, w3, 0x00550055U, 9); \ - gift128b_swap_move(w1, w1, 0x000000FFU, 24); \ - gift128b_swap_move(w1, w1, 0x00003333U, 18); \ - gift128b_swap_move(w1, w1, 0x000F000FU, 12); \ - gift128b_swap_move(w1, w1, 0x00550055U, 9); \ - gift128b_swap_move(w2, w2, 0x000000FFU, 24); \ - gift128b_swap_move(w2, w2, 0x000F000FU, 12); \ - gift128b_swap_move(w2, w2, 0x03030303U, 6); \ - gift128b_swap_move(w2, w2, 0x11111111U, 3); \ - gift128b_swap_move(w0, w0, 0x000000FFU, 24); \ - gift128b_swap_move(w0, w0, 0x000F000FU, 12); \ - gift128b_swap_move(w0, w0, 0x03030303U, 6); \ - gift128b_swap_move(w0, w0, 0x11111111U, 3); \ - w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ - ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ - w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ - ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \ - w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ - ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ - w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ - ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ - } while (0) -#endif - -void gift128b_decrypt - (const gift128b_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the ciphertext into the state buffer and convert from big endian */ - s0 = be_load_word32(input); - s1 = be_load_word32(input + 4); - s2 = be_load_word32(input + 8); - s3 = be_load_word32(input + 12); - - /* Generate the decryption key at the end of the last round */ - gift128b_load_and_forward_schedule(); - - /* Perform all 40 rounds */ - for (round = 40; round > 0; --round) { - /* Rotate the key schedule backwards */ - temp = w0; - w0 = w1; - w1 = w2; - w2 = w3; - w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 
14) | - ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; - - /* InvPermBits - apply the inverse of the 128-bit permutation */ - INV_PERM0(s0); - INV_PERM1(s1); - INV_PERM2(s2); - INV_PERM3(s3); - - /* InvSubCells - apply the inverse of the S-box */ - temp = s0; - s0 = s3; - s3 = temp; - s2 ^= s0 & s1; - s3 ^= 0xFFFFFFFFU; - s1 ^= s3; - s3 ^= s2; - s2 ^= s0 | s1; - s0 ^= s1 & s3; - s1 ^= s0 & s2; - } - - /* Pack the state into the plaintext buffer in big endian */ - be_store_word32(output, s0); - be_store_word32(output + 4, s1); - be_store_word32(output + 8, s2); - be_store_word32(output + 12, s3); -} - -void gift128t_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, uint32_t tweak) -{ - uint32_t s0, s1, s2, s3; - uint32_t w0, w1, w2, w3; - uint32_t temp; - uint8_t round; - - /* Copy the plaintext into the state buffer and convert from nibbles */ - gift128n_to_words(output, input); - s0 = be_load_word32(output); - s1 = be_load_word32(output + 4); - s2 = be_load_word32(output + 8); - s3 = be_load_word32(output + 12); - - /* Generate the decryption key at the end of the last round */ - gift128b_load_and_forward_schedule(); - - /* Perform all 40 rounds */ - for (round = 40; round > 0; --round) { - /* Rotate the key schedule backwards */ - temp = w0; - w0 = w1; - w1 = w2; - w2 = w3; - w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | - ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); - - /* AddTweak - XOR in the tweak every 5 rounds except the last */ - if ((round % 5) == 0 && round < 40) - s0 ^= tweak; - - /* AddRoundKey - XOR in the key schedule and the round constant */ - s2 ^= w1; - s1 ^= w3; - s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; - - /* InvPermBits - apply the inverse of the 128-bit permutation */ - INV_PERM0(s0); - INV_PERM1(s1); - 
INV_PERM2(s2);
- INV_PERM3(s3);
-
- /* InvSubCells - apply the inverse of the S-box */
- temp = s0;
- s0 = s3;
- s3 = temp;
- s2 ^= s0 & s1;
- s3 ^= 0xFFFFFFFFU;
- s1 ^= s3;
- s3 ^= s2;
- s2 ^= s0 | s1;
- s0 ^= s1 & s3;
- s1 ^= s0 & s2;
- }
-
- /* Pack the state into the plaintext buffer in nibble form */
- be_store_word32(output, s0);
- be_store_word32(output + 4, s1);
- be_store_word32(output + 8, s2);
- be_store_word32(output + 12, s3);
- gift128n_to_nibbles(output, output);
-}
-
-#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */
-
-#endif /* !GIFT128_VARIANT_ASM */
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128.h
deleted file mode 100644
index f57d143..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128.h
+++ /dev/null
@@ -1,246 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_GIFT128_H
-#define LW_INTERNAL_GIFT128_H
-
-/**
- * \file internal-gift128.h
- * \brief GIFT-128 block cipher.
- *
- * There are three versions of GIFT-128 in use within the second round
- * submissions to the NIST lightweight cryptography competition.
- *
- * The most efficient version for 32-bit software implementation is the
- * GIFT-128-b bit-sliced version from GIFT-COFB and SUNDAE-GIFT.
- *
- * The second is the nibble-based version from HYENA. We implement the
- * HYENA version as a wrapper around the bit-sliced version.
- *
- * The third version is a variant on the HYENA nibble-based version that
- * includes a 4-bit tweak value for domain separation. It is used by
- * the ESTATE submission to NIST.
- *
- * Technically there is a fourth version of GIFT-128 which is the one that
- * appeared in the original GIFT-128 paper. It is almost the same as the
- * HYENA version except that the byte ordering is big-endian instead of
- * HYENA's little-endian. The original version of GIFT-128 doesn't appear
- * in any of the NIST submissions so we don't bother with it in this library.
- *
- * References: https://eprint.iacr.org/2017/622.pdf,
- * https://eprint.iacr.org/2020/412.pdf,
- * https://giftcipher.github.io/gift/
- */
-
-#include
-#include
-#include "internal-gift128-config.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of a GIFT-128 block in bytes.
- */
-#define GIFT128_BLOCK_SIZE 16
-
-/**
- * \var GIFT128_ROUND_KEYS
- * \brief Number of round keys for the GIFT-128 key schedule.
- */
-#if GIFT128_VARIANT == GIFT128_VARIANT_TINY
-#define GIFT128_ROUND_KEYS 4
-#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL
-#define GIFT128_ROUND_KEYS 20
-#else
-#define GIFT128_ROUND_KEYS 80
-#endif
-
-/**
- * \brief Structure of the key schedule for GIFT-128 (bit-sliced).
- */
-typedef struct
-{
- /** Pre-computed round keys for bit-sliced GIFT-128 */
- uint32_t k[GIFT128_ROUND_KEYS];
-
-} gift128b_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for GIFT-128 (bit-sliced).
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the 16 bytes of the key data.
- */
-void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void gift128b_encrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced and pre-loaded).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This version assumes that the input has already been pre-loaded from
- * big-endian into host byte order in the supplied word array. The output
- * is delivered in the same way.
- */
-void gift128b_encrypt_preloaded
- (const gift128b_key_schedule_t *ks, uint32_t output[4],
- const uint32_t input[4]);
-
-/**
- * \brief Decrypts a 128-bit block with GIFT-128 (bit-sliced).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- */
-void gift128b_decrypt
- (const gift128b_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Structure of the key schedule for GIFT-128 (nibble-based).
- */
-typedef gift128b_key_schedule_t gift128n_key_schedule_t;
-
-/**
- * \brief Initializes the key schedule for GIFT-128 (nibble-based).
- *
- * \param ks Points to the key schedule to initialize.
- * \param key Points to the 16 bytes of the key data.
- */
-void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key);
-
-/**
- * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- */
-void gift128n_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/**
- * \brief Decrypts a 128-bit block with GIFT-128 (nibble-based).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place decryption.
- */
-void gift128n_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input);
-
-/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */
-#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */
-#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */
-#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */
-#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */
-#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */
-#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */
-#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */
-#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */
-#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */
-#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */
-#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */
-#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */
-#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */
-#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */
-#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */
-#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */
-
-/**
- * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value expanded to 32-bit.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This variant of GIFT-128 is used by the ESTATE submission to the
- * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to
- * some of the rounds to provide domain separation. If the tweak is
- * zero, then this function is identical to gift128n_encrypt().
- */
-void gift128t_encrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak);
-
-/**
- * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant).
- *
- * \param ks Points to the GIFT-128 key schedule.
- * \param output Output buffer which must be at least 16 bytes in length.
- * \param input Input buffer which must be at least 16 bytes in length.
- * \param tweak 4-bit tweak value expanded to 32-bit.
- *
- * The \a input and \a output buffers can be the same buffer for
- * in-place encryption.
- *
- * This variant of GIFT-128 is used by the ESTATE submission to the
- * NIST Lightweight Cryptography Competition. A 4-bit tweak is added to
- * some of the rounds to provide domain separation. If the tweak is
- * zero, then this function is identical to gift128n_encrypt().
- */
-void gift128t_decrypt
- (const gift128n_key_schedule_t *ks, unsigned char *output,
- const unsigned char *input, uint32_t tweak);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128b-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128b-avr.S
deleted file mode 100644
index 641613a..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128b-avr.S
+++ /dev/null
@@ -1,2104 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 40 -table_0: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - .byte 26 - - .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - movw r30,r24 - movw r26,r22 -.L__stack_usage = 2 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - st Z,r18 - std Z+1,r19 - std Z+2,r20 - std Z+3,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+4,r18 - std Z+5,r19 - std Z+6,r20 - std Z+7,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+8,r18 - std Z+9,r19 - std Z+10,r20 - std Z+11,r21 - ld r21,X+ - ld r20,X+ - ld r19,X+ - ld r18,X+ - std Z+12,r18 - std Z+13,r19 - std Z+14,r20 - std Z+15,r21 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd 
r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - mov r16,r1 -46: - rcall 199f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - rcall 199f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - rcall 199f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - rcall 199f - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - 
rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - ldi r17,40 - cpse r16,r17 - rjmp 46b - rjmp 548f -199: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - movw r18,r22 - movw r20,r2 - mov r0,r4 - and r0,r18 - eor r8,r0 - mov r0,r5 - and r0,r19 - eor r9,r0 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - movw r22,r12 - movw r2,r14 - movw r12,r18 - movw r14,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r2,0 - bld r22,4 - bst r22,2 - bld r2,0 - bst r23,0 - bld r22,2 - bst r22,3 - bld r23,0 - bst r23,4 - bld r22,3 - bst r2,3 - bld r23,4 - bst r23,6 - bld r2,3 - bst r3,3 - bld r23,6 - bst r23,5 - bld r3,3 - bst r2,7 - bld r23,5 - bst r3,6 - bld r2,7 - bst r3,1 - bld r3,6 - bst r22,5 - bld r3,1 - bst r2,4 - bld r22,5 - bst r2,2 - bld r2,4 - bst r23,2 - bld r2,2 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r3,7 - bld r23,7 - bst r3,5 - bld r3,7 - bst r2,5 - bld r3,5 - bst r2,6 - bld r2,5 - bst r3,2 - bld r2,6 - bst r23,1 - bld r3,2 - bst r22,7 - bld r23,1 - bst r3,4 - bld r22,7 - bst r2,1 - bld r3,4 - bst r22,6 - bld r2,1 - bst r3,0 - bld r22,6 - bst r0,0 - bld r3,0 - bst r4,0 - bld r0,0 - bst r4,1 - bld r4,0 - bst r4,5 - bld r4,1 - bst r6,5 - bld r4,5 - bst r6,7 - bld r6,5 - bst r7,7 - bld 
r6,7 - bst r7,6 - bld r7,7 - bst r7,2 - bld r7,6 - bst r5,2 - bld r7,2 - bst r5,0 - bld r5,2 - bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,1 - bld r4,2 - bst r4,4 - bld r5,1 - bst r6,1 - bld r4,4 - bst r4,7 - bld r6,1 - bst r7,5 - bld r4,7 - bst r6,6 - bld r7,5 - bst r7,3 - bld r6,6 - bst r5,6 - bld r7,3 - bst r7,0 - bld r5,6 - bst r0,0 - bld r7,0 - bst r4,3 - bld r0,0 - bst r5,5 - bld r4,3 - bst r6,4 - bld r5,5 - bst r6,3 - bld r6,4 - bst r5,7 - bld r6,3 - bst r7,4 - bld r5,7 - bst r6,2 - bld r7,4 - bst r5,3 - bld r6,2 - bst r5,4 - bld r5,3 - bst r6,0 - bld r5,4 - bst r0,0 - bld r6,0 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r8,2 - bld r8,0 - bst r9,2 - bld r8,2 - bst r9,1 - bld r9,2 - bst r8,5 - bld r9,1 - bst r10,6 - bld r8,5 - bst r11,0 - bld r10,6 - bst r8,3 - bld r11,0 - bst r9,6 - bld r8,3 - bst r11,1 - bld r9,6 - bst r8,7 - bld r11,1 - bst r11,6 - bld r8,7 - bst r11,3 - bld r11,6 - bst r9,7 - bld r11,3 - bst r11,5 - bld r9,7 - bst r10,7 - bld r11,5 - bst r11,4 - bld r10,7 - bst r10,3 - bld r11,4 - bst r9,4 - bld r10,3 - bst r10,1 - bld r9,4 - bst r8,4 - bld r10,1 - bst r10,2 - bld r8,4 - bst r9,0 - bld r10,2 - bst r8,1 - bld r9,0 - bst r8,6 - bld r8,1 - bst r11,2 - bld r8,6 - bst r9,3 - bld r11,2 - bst r9,5 - bld r9,3 - bst r10,5 - bld r9,5 - bst r10,4 - bld r10,5 - bst r10,0 - bld r10,4 - bst r0,0 - bld r10,0 - bst r12,0 - bld r0,0 - bst r12,3 - bld r12,0 - bst r13,7 - bld r12,3 - bst r15,6 - bld r13,7 - bst r15,0 - bld r15,6 - bst r0,0 - bld r15,0 - bst r12,1 - bld r0,0 - bst r12,7 - bld r12,1 - bst r15,7 - bld r12,7 - bst r15,4 - bld r15,7 - bst r14,0 - bld r15,4 - bst r0,0 - bld r14,0 - bst r12,2 - bld r0,0 - bst r13,3 - bld r12,2 - bst r13,6 - bld r13,3 - bst r15,2 - bld r13,6 - bst r13,0 - bld r15,2 - bst r0,0 - bld r13,0 - bst r12,4 - bld r0,0 - bst r14,3 - bld r12,4 - bst r13,5 - bld r14,3 - bst r14,6 - bld r13,5 - bst r15,1 - bld r14,6 - bst r0,0 - bld r15,1 - bst r12,5 - bld r0,0 - bst 
r14,7 - bld r12,5 - bst r15,5 - bld r14,7 - bst r14,4 - bld r15,5 - bst r14,1 - bld r14,4 - bst r0,0 - bld r14,1 - bst r12,6 - bld r0,0 - bst r15,3 - bld r12,6 - bst r13,4 - bld r15,3 - bst r14,2 - bld r13,4 - bst r13,1 - bld r14,2 - bst r0,0 - bld r13,1 - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r16 - ret -548: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 36 - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 
- std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - mov r16,r1 -46: - rcall 199f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - rcall 199f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - rcall 199f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - rcall 199f - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - lsl r26 - rol r27 - adc r26,r1 - mov r0,r1 - lsr r25 - ror r24 - ror 
r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - ldi r17,40 - cpse r16,r17 - rjmp 46b - rjmp 548f -199: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - movw r18,r22 - movw r20,r2 - mov r0,r4 - and r0,r18 - eor r8,r0 - mov r0,r5 - and r0,r19 - eor r9,r0 - mov r0,r6 - and r0,r20 - eor r10,r0 - mov r0,r7 - and r0,r21 - eor r11,r0 - movw r22,r12 - movw r2,r14 - movw r12,r18 - movw r14,r20 - bst r22,1 - bld r0,0 - bst r22,4 - bld r22,1 - bst r2,0 - bld r22,4 - bst r22,2 - bld r2,0 - bst r23,0 - bld r22,2 - bst r22,3 - bld r23,0 - bst r23,4 - bld r22,3 - bst r2,3 - bld r23,4 - bst r23,6 - bld r2,3 - bst r3,3 - bld r23,6 - bst r23,5 - bld r3,3 - bst r2,7 - bld r23,5 - bst r3,6 - bld r2,7 - bst r3,1 - bld r3,6 - bst r22,5 - bld r3,1 - bst r2,4 - bld r22,5 - bst r2,2 - bld r2,4 - bst r23,2 - bld r2,2 - bst r23,3 - bld r23,2 - bst r23,7 - bld r23,3 - bst r3,7 - bld r23,7 - bst r3,5 - bld r3,7 - bst r2,5 - bld r3,5 - bst r2,6 - bld r2,5 - bst r3,2 - bld r2,6 - bst r23,1 - bld r3,2 - bst r22,7 - bld r23,1 - bst r3,4 - bld r22,7 - bst r2,1 - bld r3,4 - bst r22,6 - bld r2,1 - bst r3,0 - bld r22,6 - bst r0,0 - bld r3,0 - bst r4,0 - bld r0,0 - bst r4,1 - bld r4,0 - bst r4,5 - bld r4,1 - bst r6,5 - bld r4,5 - bst r6,7 - bld r6,5 - bst r7,7 - bld r6,7 - bst r7,6 - bld r7,7 - bst r7,2 - bld r7,6 - bst r5,2 - bld r7,2 - bst r5,0 - bld r5,2 - 
bst r0,0 - bld r5,0 - bst r4,2 - bld r0,0 - bst r5,1 - bld r4,2 - bst r4,4 - bld r5,1 - bst r6,1 - bld r4,4 - bst r4,7 - bld r6,1 - bst r7,5 - bld r4,7 - bst r6,6 - bld r7,5 - bst r7,3 - bld r6,6 - bst r5,6 - bld r7,3 - bst r7,0 - bld r5,6 - bst r0,0 - bld r7,0 - bst r4,3 - bld r0,0 - bst r5,5 - bld r4,3 - bst r6,4 - bld r5,5 - bst r6,3 - bld r6,4 - bst r5,7 - bld r6,3 - bst r7,4 - bld r5,7 - bst r6,2 - bld r7,4 - bst r5,3 - bld r6,2 - bst r5,4 - bld r5,3 - bst r6,0 - bld r5,4 - bst r0,0 - bld r6,0 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r8,2 - bld r8,0 - bst r9,2 - bld r8,2 - bst r9,1 - bld r9,2 - bst r8,5 - bld r9,1 - bst r10,6 - bld r8,5 - bst r11,0 - bld r10,6 - bst r8,3 - bld r11,0 - bst r9,6 - bld r8,3 - bst r11,1 - bld r9,6 - bst r8,7 - bld r11,1 - bst r11,6 - bld r8,7 - bst r11,3 - bld r11,6 - bst r9,7 - bld r11,3 - bst r11,5 - bld r9,7 - bst r10,7 - bld r11,5 - bst r11,4 - bld r10,7 - bst r10,3 - bld r11,4 - bst r9,4 - bld r10,3 - bst r10,1 - bld r9,4 - bst r8,4 - bld r10,1 - bst r10,2 - bld r8,4 - bst r9,0 - bld r10,2 - bst r8,1 - bld r9,0 - bst r8,6 - bld r8,1 - bst r11,2 - bld r8,6 - bst r9,3 - bld r11,2 - bst r9,5 - bld r9,3 - bst r10,5 - bld r9,5 - bst r10,4 - bld r10,5 - bst r10,0 - bld r10,4 - bst r0,0 - bld r10,0 - bst r12,0 - bld r0,0 - bst r12,3 - bld r12,0 - bst r13,7 - bld r12,3 - bst r15,6 - bld r13,7 - bst r15,0 - bld r15,6 - bst r0,0 - bld r15,0 - bst r12,1 - bld r0,0 - bst r12,7 - bld r12,1 - bst r15,7 - bld r12,7 - bst r15,4 - bld r15,7 - bst r14,0 - bld r15,4 - bst r0,0 - bld r14,0 - bst r12,2 - bld r0,0 - bst r13,3 - bld r12,2 - bst r13,6 - bld r13,3 - bst r15,2 - bld r13,6 - bst r13,0 - bld r15,2 - bst r0,0 - bld r13,0 - bst r12,4 - bld r0,0 - bst r14,3 - bld r12,4 - bst r13,5 - bld r14,3 - bst r14,6 - bld r13,5 - bst r15,1 - bld r14,6 - bst r0,0 - bld r15,1 - bst r12,5 - bld r0,0 - bst r14,7 - bld r12,5 - bst r15,5 - bld r14,7 - bst r14,4 - bld r15,5 - bst r14,1 - bld r14,4 - bst 
r0,0 - bld r14,1 - bst r12,6 - bld r0,0 - bst r15,3 - bld r12,6 - bst r13,4 - bld r15,3 - bst r14,2 - bld r13,4 - bst r13,1 - bld r14,2 - bst r0,0 - bld r13,1 - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - inc r16 - ret -548: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd 
r24,Z+6 - ldd r25,Z+7 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r17,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -114: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 
- std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - cpse r16,r1 - rjmp 114b - rjmp 611f -266: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld 
r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 - bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - 
bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -611: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128b-full-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128b-full-avr.S deleted file mode 100644 index ff11875..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128b-full-avr.S +++ /dev/null 
@@ -1,5037 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - -#include "internal-gift128-config.h" - -#if GIFT128_VARIANT == GIFT128_VARIANT_FULL - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 160 -table_0: - .byte 8 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 128 - .byte 1 - .byte 128 - .byte 2 - .byte 0 - .byte 0 - .byte 84 - .byte 129 - .byte 1 - .byte 1 - .byte 1 - .byte 31 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 136 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 81 - .byte 128 - .byte 1 - .byte 3 - .byte 3 - .byte 47 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 96 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 65 - .byte 128 - .byte 0 - .byte 3 - .byte 3 - .byte 39 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 64 - .byte 2 - .byte 0 - .byte 80 - .byte 17 - .byte 128 - .byte 1 - .byte 2 - .byte 3 - .byte 43 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 8 - .byte 8 - .byte 16 - .byte 0 - .byte 64 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 64 - .byte 1 - .byte 128 - .byte 0 - .byte 2 - .byte 2 - .byte 33 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 192 - .byte 1 - .byte 0 - .byte 2 - .byte 0 - .byte 0 - .byte 81 - .byte 128 - .byte 1 - .byte 1 - .byte 3 - .byte 46 - .byte 0 - .byte 0 - .byte 128 - .byte 0 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 32 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 64 - .byte 128 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 0 - .byte 0 - .byte 128 - .byte 8 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 160 - .byte 1 - .byte 192 - .byte 2 - .byte 0 - .byte 80 - .byte 20 - .byte 129 - .byte 1 - .byte 2 - .byte 1 - .byte 26 - .byte 0 - .byte 0 - .byte 128 - 
- .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r30,r24 - movw r26,r22 -.L__stack_usage = 18 - ld r13,X+ - ld r12,X+ - ld r11,X+ - ld r10,X+ - ld r5,X+ - ld r4,X+ - ld r3,X+ - ld r2,X+ - ld r9,X+ - ld r8,X+ - ld r7,X+ - ld r6,X+ - ld r29,X+ - ld r28,X+ - ld r23,X+ - ld r22,X+ - st Z+,r22 - st Z+,r23 - st Z+,r28 - st Z+,r29 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - ldi r24,4 -33: - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r29 - ror r28 - ror r0 - lsr r29 - ror r28 - ror r0 - or r29,r0 - st Z+,r22 - st Z+,r23 - st Z+,r28 - st Z+,r29 - mov r0,r22 - mov r22,r2 - mov r2,r0 - mov r0,r23 - mov r23,r3 - mov r3,r0 - mov r0,r28 - mov r28,r4 - mov r4,r0 - mov r0,r29 - mov r29,r5 - mov r5,r0 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - lsl r6 - rol r7 - adc r6,r1 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - mov r0,r6 - mov r6,r10 - mov r10,r0 - mov r0,r7 - mov r7,r11 - mov r11,r0 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - dec r24 - breq 5115f - rjmp 33b -5115: - subi r30,80 - sbc r31,r1 - ldi r24,2 -119: - ld r22,Z - ldd r23,Z+1 - ldd r28,Z+2 - ldd r29,Z+3 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor 
r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - st Z,r29 - std Z+1,r23 - std Z+2,r28 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r28,Z+6 - ldd r29,Z+7 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror 
r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+4,r29 - std Z+5,r23 - std Z+6,r28 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r28,Z+10 - ldd r29,Z+11 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - 
ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+8,r29 - std Z+9,r23 - std Z+10,r28 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r28,Z+14 - ldd r29,Z+15 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 
- eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+12,r29 - std Z+13,r23 - std Z+14,r28 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r28,Z+18 - ldd r29,Z+19 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - 
mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+16,r29 - std Z+17,r23 - std Z+18,r28 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r28,Z+22 - ldd r29,Z+23 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+20,r29 - std Z+21,r23 - std Z+22,r28 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r28,Z+26 - ldd r29,Z+27 - movw r18,r22 - 
movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+24,r29 - std Z+25,r23 - std Z+26,r28 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r28,Z+30 - ldd r29,Z+31 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor 
r20,r28 - eor r21,r29 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r28 - eor r21,r29 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - movw r18,r22 - movw r20,r28 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r28,r20 - eor r29,r21 - std Z+28,r29 - std Z+29,r23 - std Z+30,r28 - std Z+31,r22 - dec r24 - breq 1268f - adiw r30,40 - rjmp 119b -1268: - adiw r30,40 - movw r26,r30 - subi r26,80 - sbc r27,r1 - ldi r24,6 -1274: - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - movw r18,r2 - movw r20,r4 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r2 - eor r19,r3 - andi r18,51 - andi r19,51 - eor r2,r18 - eor r3,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - 
mov r18,r1 - mov r19,r1 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - movw r18,r2 - movw r20,r4 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - st Z,r2 - std Z+1,r3 - std Z+2,r4 - std Z+3,r5 - movw r18,r22 - movw r20,r28 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - andi r28,204 - andi r29,204 - or r28,r21 - or r29,r18 - or r22,r19 - or r23,r20 - movw r18,r28 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r28 - eor r19,r29 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r28,r18 - eor r29,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r28,r18 - eor r29,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r28 - std Z+5,r29 - std Z+6,r22 - std Z+7,r23 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - swap r3 - lsl r4 - adc r4,r1 - lsl r4 - adc r4,r1 - swap r5 - std Z+8,r2 - std Z+9,r3 - std Z+10,r4 - std Z+11,r5 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r28 - adc r28,r1 - lsl r28 - adc r28,r1 - lsl r28 - adc r28,r1 - lsl r29 - adc r29,r1 - lsl r29 - adc r29,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r28 - std Z+15,r29 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - movw r18,r2 - movw r20,r4 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - ldi r25,85 - and r2,r25 - and r3,r25 - and r4,r25 - and r5,r25 - or r2,r19 - or r3,r20 - or r4,r21 - or r5,r18 - std Z+16,r4 - std Z+17,r5 - std Z+18,r2 - std Z+19,r3 - movw r18,r22 - movw r20,r28 - andi r18,85 - andi r19,85 - andi r20,85 - andi 
r21,85 - andi r22,170 - andi r23,170 - andi r28,170 - andi r29,170 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - lsl r22 - rol r23 - rol r28 - rol r29 - adc r22,r1 - or r22,r18 - or r23,r19 - or r28,r20 - or r29,r21 - std Z+20,r29 - std Z+21,r22 - std Z+22,r23 - std Z+23,r28 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - movw r18,r2 - movw r20,r4 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r4 - eor r21,r5 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r4,r20 - eor r5,r21 - movw r18,r2 - movw r20,r4 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r14,r18 - movw r16,r20 - lsr r17 - ror r16 - ror r15 - ror r14 - lsr r17 - ror r16 - ror r15 - ror r14 - lsr r17 - ror r16 - ror r15 - ror r14 - lsr r17 - ror r16 - ror r15 - ror r14 - eor r14,r18 - eor r15,r19 - eor r16,r20 - eor r17,r21 - ldi r25,8 - and r14,r25 - and r15,r25 - andi r16,8 - andi r17,8 - eor r18,r14 - eor r19,r15 - eor r20,r16 - eor r21,r17 - lsl r14 - rol r15 - rol r16 - rol r17 - lsl r14 - rol r15 - rol r16 - rol r17 - lsl r14 - rol r15 - rol r16 - rol r17 - lsl r14 - rol r15 - rol r16 - rol r17 - eor r18,r14 - eor r19,r15 - eor r20,r16 - eor r21,r17 - ldi r17,15 - and r2,r17 - and r3,r17 - and r4,r17 - and r5,r17 - or r2,r18 - or r3,r19 - or r4,r20 - or r5,r21 - std Z+24,r2 - std Z+25,r3 - std Z+26,r4 - std Z+27,r5 - movw r18,r28 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r2,r22 - movw r4,r28 - ldi r16,1 - and r2,r16 - and r3,r16 - and r4,r16 - and r5,r16 - lsl r2 - rol r3 - rol r4 - rol r5 - lsl r2 - rol r3 - rol r4 - 
rol r5 - lsl r2 - rol r3 - rol r4 - rol r5 - or r2,r18 - or r3,r19 - movw r18,r28 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r2,r18 - or r3,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r4,r18 - or r5,r19 - movw r18,r22 - movw r20,r28 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r2,r18 - or r3,r19 - or r4,r20 - or r5,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r4,r22 - or r5,r23 - std Z+28,r2 - std Z+29,r3 - std Z+30,r4 - std Z+31,r5 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - mov r0,r1 - lsr r5 - ror r4 - ror r0 - lsr r5 - ror r4 - ror r0 - lsr r5 - ror r4 - ror r0 - lsr r5 - ror r4 - ror r0 - or r5,r0 - std Z+32,r3 - std Z+33,r2 - std Z+34,r4 - std Z+35,r5 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r28 - mov r28,r29 - mov r29,r0 - lsl r28 - rol r29 - adc r28,r1 - lsl r28 - rol r29 - adc r28,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r28 - std Z+39,r29 - dec r24 - breq 1733f - adiw r30,40 - rjmp 1274b -1733: - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e -.L__stack_usage = 19 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld 
r13,X+ - ld r12,X+ - movw r26,r30 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rjmp 765f -27: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror 
r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - 
ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 
- and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - 
mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov 
r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -765: -#if defined(RAMPZ) 
- pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+1 - ldd r27,Y+2 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - pop r0 - pop r0 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e -.L__stack_usage = 19 - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - movw r26,r30 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rcall 27f - rjmp 765f -27: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov 
r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z 
-#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif 
defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld 
r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - 
ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - 
eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -765: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+1 - ldd r27,Y+2 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - pop r0 - pop r0 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e -.L__stack_usage = 19 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld 
r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - movw r26,r30 - subi r26,192 - sbci r27,254 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,160 - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rcall 30f - rjmp 768f -30: - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r11 - mov r11,r10 - mov r10,r9 - mov r9,r8 - mov r8,r0 - mov r0,r12 - mov r12,r13 - mov r13,r14 - mov r14,r15 - mov r15,r0 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 
- eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r1 - lsr r22 - ror r0 - lsr r22 - ror r0 - or r22,r0 - mov r0,r1 - lsr r23 - ror r0 - lsr r23 - ror r0 - or r23,r0 - mov r0,r1 - lsr r2 - ror r0 - lsr r2 - ror r0 - or r2,r0 - mov r0,r1 - lsr r3 - ror r0 - lsr r3 - ror r0 - or r3,r0 - swap r4 - swap r5 - swap r6 - swap r7 - lsl r8 - adc r8,r1 - lsl r8 - adc r8,r1 - lsl r9 - adc r9,r1 - lsl r9 - adc r9,r1 - lsl r10 - adc r10,r1 - lsl r10 - adc r10,r1 - lsl r11 - adc r11,r1 - lsl r11 - adc r11,r1 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - com r22 - 
com r23 - com r2 - com r3 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - 
rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor 
r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - mov r0,r1 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - lsr r9 - ror r8 - ror r0 - or r9,r0 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - com r22 - com r23 - com r2 - com r3 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - dec r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - dec r30 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z 
-#else - lpm - mov r18,r0 -#endif - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - ld r21,-X - ld r20,-X - ld r19,-X - ld r18,-X - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,119 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r15 - ror r14 - ror r13 - ror r12 - lsr r15 - ror r14 - ror r13 - ror r12 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,17 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor 
r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -768: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+1 - ldd r27,Y+2 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - pop r0 - pop r0 - pop r17 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128b-small-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128b-small-avr.S deleted file mode 100644 index 77ef9fd..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128b-small-avr.S +++ /dev/null 
@@ -1,6053 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - -#include "internal-gift128-config.h" - -#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 160 -table_0: - .byte 8 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 128 - .byte 1 - .byte 128 - .byte 2 - .byte 0 - .byte 0 - .byte 84 - .byte 129 - .byte 1 - .byte 1 - .byte 1 - .byte 31 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 136 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 81 - .byte 128 - .byte 1 - .byte 3 - .byte 3 - .byte 47 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 96 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 65 - .byte 128 - .byte 0 - .byte 3 - .byte 3 - .byte 39 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 64 - .byte 2 - .byte 0 - .byte 80 - .byte 17 - .byte 128 - .byte 1 - .byte 2 - .byte 3 - .byte 43 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 8 - .byte 8 - .byte 16 - .byte 0 - .byte 64 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 64 - .byte 1 - .byte 128 - .byte 0 - .byte 2 - .byte 2 - .byte 33 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 192 - .byte 1 - .byte 0 - .byte 2 - .byte 0 - .byte 0 - .byte 81 - .byte 128 - .byte 1 - .byte 1 - .byte 3 - .byte 46 - .byte 0 - .byte 0 - .byte 128 - .byte 0 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 32 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 64 - .byte 128 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 0 - .byte 0 - .byte 128 - .byte 8 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 160 - .byte 1 - .byte 192 - .byte 2 - .byte 0 - .byte 80 - .byte 20 - .byte 129 - .byte 1 - .byte 2 - .byte 1 - .byte 26 - .byte 0 - .byte 0 - .byte 128 - 
- .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - movw r30,r24 - movw r26,r22 -.L__stack_usage = 16 - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - ldi r24,4 -33: - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - mov r0,r22 - mov r22,r4 - mov r4,r0 - mov r0,r23 - mov r23,r5 - mov r5,r0 - mov r0,r2 - mov r2,r6 - mov r6,r0 - mov r0,r3 - mov r3,r7 - mov r7,r0 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - mov r0,r10 - mov r10,r14 - mov r14,r0 - mov r0,r11 - mov r11,r15 - mov r15,r0 - dec r24 - breq 5115f - rjmp 33b -5115: - subi r30,80 - sbc r31,r1 - ldi r24,2 -119: - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 
- mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - st Z,r3 - std Z+1,r23 - std Z+2,r2 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 
- ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+4,r3 - std Z+5,r23 - std Z+6,r2 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 
- mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+8,r3 - std Z+9,r23 - std Z+10,r2 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 
- lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+12,r3 - std Z+13,r23 - std Z+14,r2 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol 
r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r3 - std Z+17,r23 - std Z+18,r2 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+20,r3 - std Z+21,r23 - std Z+22,r2 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - 
eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+24,r3 - std Z+25,r23 - std Z+26,r2 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r2,Z+30 - ldd r3,Z+31 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 
- rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+28,r3 - std Z+29,r23 - std Z+30,r2 - std Z+31,r22 - dec r24 - breq 1268f - adiw r30,40 - rjmp 119b -1268: - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in 
r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ldi r24,20 -1: - ld r22,Z+ - ld r23,Z+ - ld r2,Z+ - ld r3,Z+ - std Y+1,r22 - std Y+2,r23 - std Y+3,r2 - std Y+4,r3 - adiw r28,4 - dec r24 - brne 1b - subi r28,80 - sbc r29,r1 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out 
_SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 73f - rcall 73f - rjmp 1285f -73: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 
- andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov 
r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - 
and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov 
r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - 
eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - 
eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -811: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc r26,r1 - lsl r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc 
r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - 
lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -1285: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc 
r29,r1 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ldi r24,20 -1: - ld r22,Z+ - ld r23,Z+ - ld r2,Z+ - ld r3,Z+ - std Y+1,r22 - std Y+2,r23 - std Y+3,r2 - std Y+4,r3 - adiw r28,4 - dec r24 - brne 1b - subi r28,80 - sbc r29,r1 - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if 
defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 73f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 811f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 73f - rcall 73f - rjmp 1285f -73: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and 
r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - 
eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif 
defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor 
r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - 
lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - 
ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -811: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and 
r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc r26,r1 - lsl r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw 
r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or 
r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 - rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -1285: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc r29,r1 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_1, @object - .size table_1, 40 -table_1: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - 
.byte 26 - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor 
r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - 
mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw 
r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r25 - mov r25,r26 - mov r26,r0 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - mov r18,r19 - mov r19,r20 - 
mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r17,hh8(table_1) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -678: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 - ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 
- adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 830f - cpse r16,r1 - rjmp 678b - rjmp 1175f -830: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 
- bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw 
r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -1175: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif - -#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128b-tiny-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128b-tiny-avr.S deleted file mode 100644 index e7a03f1..0000000 --- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-gift128b-tiny-avr.S +++ /dev/null 
@@ -1,6766 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - -#include "internal-gift128-config.h" - -#if GIFT128_VARIANT == GIFT128_VARIANT_TINY - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_0, @object - .size table_0, 160 -table_0: - .byte 8 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 128 - .byte 1 - .byte 128 - .byte 2 - .byte 0 - .byte 0 - .byte 84 - .byte 129 - .byte 1 - .byte 1 - .byte 1 - .byte 31 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 136 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 81 - .byte 128 - .byte 1 - .byte 3 - .byte 3 - .byte 47 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 96 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 65 - .byte 128 - .byte 0 - .byte 3 - .byte 3 - .byte 39 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 224 - .byte 1 - .byte 64 - .byte 2 - .byte 0 - .byte 80 - .byte 17 - .byte 128 - .byte 1 - .byte 2 - .byte 3 - .byte 43 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 8 - .byte 8 - .byte 16 - .byte 0 - .byte 64 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 64 - .byte 1 - .byte 128 - .byte 0 - .byte 2 - .byte 2 - .byte 33 - .byte 0 - .byte 0 - .byte 128 - .byte 128 - .byte 0 - .byte 0 - .byte 16 - .byte 0 - .byte 192 - .byte 1 - .byte 0 - .byte 2 - .byte 0 - .byte 0 - .byte 81 - .byte 128 - .byte 1 - .byte 1 - .byte 3 - .byte 46 - .byte 0 - .byte 0 - .byte 128 - .byte 0 - .byte 136 - .byte 8 - .byte 16 - .byte 0 - .byte 32 - .byte 1 - .byte 96 - .byte 2 - .byte 0 - .byte 80 - .byte 64 - .byte 128 - .byte 0 - .byte 3 - .byte 1 - .byte 6 - .byte 0 - .byte 0 - .byte 128 - .byte 8 - .byte 136 - .byte 0 - .byte 16 - .byte 0 - .byte 160 - .byte 1 - .byte 192 - .byte 2 - .byte 0 - .byte 80 - .byte 20 - .byte 129 - .byte 1 - .byte 2 - .byte 1 - .byte 26 - .byte 0 - .byte 0 - .byte 128 - 
- .text -.global gift128b_init - .type gift128b_init, @function -gift128b_init: - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - movw r30,r24 - movw r26,r22 -.L__stack_usage = 16 - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - st Z,r22 - std Z+1,r23 - std Z+2,r2 - std Z+3,r3 - std Z+4,r4 - std Z+5,r5 - std Z+6,r6 - std Z+7,r7 - std Z+8,r8 - std Z+9,r9 - std Z+10,r10 - std Z+11,r11 - std Z+12,r12 - std Z+13,r13 - std Z+14,r14 - std Z+15,r15 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - ret - .size gift128b_init, .-gift128b_init - - .text -.global gift128b_encrypt - .type gift128b_encrypt, @function -gift128b_encrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - movw r30,r28 - adiw r30,1 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - ldi r24,4 -35: - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - 
lsr r3 - ror r2 - ror r0 - or r3,r0 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - mov r0,r22 - mov r22,r4 - mov r4,r0 - mov r0,r23 - mov r23,r5 - mov r5,r0 - mov r0,r2 - mov r2,r6 - mov r6,r0 - mov r0,r3 - mov r3,r7 - mov r7,r0 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - mov r0,r10 - mov r10,r14 - mov r14,r0 - mov r0,r11 - mov r11,r15 - mov r15,r0 - dec r24 - breq 5117f - rjmp 35b -5117: - subi r30,80 - sbc r31,r1 - ldi r24,2 -121: - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 
- lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - st Z,r3 - std Z+1,r23 - std Z+2,r2 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor 
r2,r20 - eor r3,r21 - std Z+4,r3 - std Z+5,r23 - std Z+6,r2 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+8,r3 - std Z+9,r23 - std Z+10,r2 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - movw r18,r22 - 
movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+12,r3 - std Z+13,r23 - std Z+14,r2 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - 
andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r3 - std Z+17,r23 - std Z+18,r2 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor 
r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+20,r3 - std Z+21,r23 - std Z+22,r2 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor 
r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+24,r3 - std Z+25,r23 - std Z+26,r2 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r2,Z+30 - ldd r3,Z+31 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 
- ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+28,r3 - std Z+29,r23 - std Z+30,r2 - std Z+31,r22 - dec r24 - breq 1270f - adiw r30,40 - rjmp 121b -1270: - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in 
r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 1329f - rcall 1329f - rjmp 2541f -1329: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 - 
ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 
- com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov 
r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - 
lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - 
elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if 
defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -2067: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc r26,r1 - lsl 
r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - 
ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 - rol r3 - 
adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -2541: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc r29,r1 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt, .-gift128b_encrypt - - .text -.global gift128b_encrypt_preloaded - .type gift128b_encrypt_preloaded, @function -gift128b_encrypt_preloaded: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - subi r28,80 - sbci r29,0 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 100 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r4,Z+4 - ldd r5,Z+5 - ldd r6,Z+6 - ldd r7,Z+7 - ldd r8,Z+8 - ldd r9,Z+9 - ldd r10,Z+10 - ldd r11,Z+11 - ldd r12,Z+12 - ldd r13,Z+13 - ldd r14,Z+14 - ldd r15,Z+15 - movw r30,r28 - adiw r30,1 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - ldi r24,4 -35: - st Z+,r4 - st Z+,r5 - st Z+,r6 - st Z+,r7 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - lsl r22 - rol r23 - adc r22,r1 - mov r0,r1 - lsr r3 - 
ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - st Z+,r22 - st Z+,r23 - st Z+,r2 - st Z+,r3 - mov r0,r22 - mov r22,r4 - mov r4,r0 - mov r0,r23 - mov r23,r5 - mov r5,r0 - mov r0,r2 - mov r2,r6 - mov r6,r0 - mov r0,r3 - mov r3,r7 - mov r7,r0 - st Z+,r12 - st Z+,r13 - st Z+,r14 - st Z+,r15 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - mov r0,r1 - lsr r11 - ror r10 - ror r0 - lsr r11 - ror r10 - ror r0 - or r11,r0 - st Z+,r8 - st Z+,r9 - st Z+,r10 - st Z+,r11 - mov r0,r8 - mov r8,r12 - mov r12,r0 - mov r0,r9 - mov r9,r13 - mov r13,r0 - mov r0,r10 - mov r10,r14 - mov r14,r0 - mov r0,r11 - mov r11,r15 - mov r15,r0 - dec r24 - breq 5117f - rjmp 35b -5117: - subi r30,80 - sbc r31,r1 - ldi r24,2 -121: - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov 
r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - st Z,r3 - std Z+1,r23 - std Z+2,r2 - std Z+3,r22 - ldd r22,Z+4 - ldd r23,Z+5 - ldd r2,Z+6 - ldd r3,Z+7 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,85 - mov r19,r1 - andi r20,85 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - 
eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+4,r3 - std Z+5,r23 - std Z+6,r2 - std Z+7,r22 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+8,r3 - std Z+9,r23 - std Z+10,r2 - std Z+11,r22 - ldd r22,Z+12 - ldd r23,Z+13 - ldd r2,Z+14 - ldd r3,Z+15 - 
movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,17 - andi r19,17 - andi r20,17 - andi r21,17 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,15 - mov r19,r1 - andi r20,15 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+12,r3 - std Z+13,r23 - std Z+14,r2 - std Z+15,r22 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - 
andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+16,r3 - std Z+17,r23 - std Z+18,r2 - std Z+19,r22 - ldd r22,Z+20 - ldd r23,Z+21 - ldd r2,Z+22 - ldd r3,Z+23 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r19 - rol r20 - rol r21 - rol r0 - movw r18,r20 - mov r20,r0 - mov r21,r1 - eor r18,r22 - eor r19,r23 - andi r18,170 - andi r19,170 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r0,r1 - lsr r20 - ror r19 - ror r18 - ror r0 - movw r20,r18 - mov r19,r0 - mov r18,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - movw r18,r20 - mov r20,r1 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,51 - andi r19,51 - eor 
r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+20,r3 - std Z+21,r23 - std Z+22,r2 - std Z+23,r22 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor 
r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+24,r3 - std Z+25,r23 - std Z+26,r2 - std Z+27,r22 - ldd r22,Z+28 - ldd r23,Z+29 - ldd r2,Z+30 - ldd r3,Z+31 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,10 - andi r19,10 - andi r20,10 - andi r21,10 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r0,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - lsl r18 - rol r19 - rol r20 - rol r21 - rol r0 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r0 - eor r18,r22 - eor r19,r23 - eor r20,r2 - eor r21,r3 - andi r18,204 - mov r19,r1 - andi r20,204 - mov r21,r1 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - lsr r21 - ror r20 - ror r19 - ror r18 - ror r0 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r0 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - movw r18,r22 - movw r20,r2 - mov r18,r19 - mov r19,r20 - mov r20,r21 - mov r21,r1 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror 
r18 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r22 - eor r19,r23 - andi r18,240 - andi r19,240 - eor r22,r18 - eor r23,r19 - mov r20,r1 - mov r21,r1 - mov r21,r20 - mov r20,r19 - mov r19,r18 - mov r18,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - std Z+28,r3 - std Z+29,r23 - std Z+30,r2 - std Z+31,r22 - dec r24 - breq 1270f - adiw r30,40 - rjmp 121b -1270: - ld r22,X+ - ld r23,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - ld r14,X+ - ld r15,X+ - movw r26,r28 - adiw r26,1 - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,20 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,40 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,60 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - 
in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,80 - sbiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,100 - adiw r26,40 - rcall 1329f -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - rcall 2067f - ldi r30,lo8(table_0) - ldi r31,hi8(table_0) -#if defined(RAMPZ) - ldi r24,hh8(table_0) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r24 -#endif - ldi r30,120 - sbiw r26,40 - rcall 1329f - rcall 1329f - rjmp 2541f -1329: - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,204 - andi r19,204 - andi r20,204 - andi r21,204 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - ldi r25,51 - and r4,r25 - and r5,r25 - and r6,r25 - and r7,r25 - or r4,r18 - or r5,r19 - or r6,r20 - or r7,r21 - movw r18,r8 - movw r20,r10 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,238 - andi r19,238 - andi r20,238 - andi r21,238 - lsr r11 - ror r10 - ror r9 - ror r8 - lsr r11 - ror r10 
- ror r9 - ror r8 - lsr r11 - ror r10 - ror r9 - ror r8 - ldi r24,17 - and r8,r24 - and r9,r24 - and r10,r24 - and r11,r24 - or r8,r18 - or r9,r19 - or r10,r20 - or r11,r21 - movw r18,r12 - movw r20,r14 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - andi r18,136 - andi r19,136 - andi r20,136 - andi r21,136 - lsr r15 - ror r14 - ror r13 - ror r12 - ldi r17,119 - and r12,r17 - and r13,r17 - and r14,r17 - and r15,r17 - or r12,r18 - or r13,r19 - or r14,r20 - or r15,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor 
r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r1 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - lsr r3 - ror r2 - ror r0 - or r3,r0 - mov r0,r5 - mov r5,r4 - mov r4,r0 - mov r0,r7 - mov r7,r6 - mov r6,r0 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r8 - rol r9 - adc r8,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - lsl r10 - rol r11 - adc r10,r1 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - 
mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - movw r18,r4 - movw r20,r6 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - mov r0,r10 - mov r10,r8 - mov r8,r0 - mov r0,r11 - mov r11,r9 - mov r9,r0 - movw r18,r8 - movw r20,r10 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r8 - eor r19,r9 - andi r18,85 - andi r19,85 - eor r8,r18 - eor r9,r19 - mov r20,r1 - mov r21,r1 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - mov r0,r14 - mov r14,r12 - mov r12,r0 - mov r0,r15 - mov r15,r13 - mov r13,r0 - movw r18,r14 - lsr r19 - ror r18 - eor r18,r14 - eor r19,r15 - andi r18,85 - andi r19,85 - eor r14,r18 - eor r15,r19 - lsl r18 - rol r19 - eor r14,r18 - eor r15,r19 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z 
-#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - mov r0,r12 - and r0,r8 - eor r4,r0 - mov r0,r13 - and r0,r9 - eor r5,r0 - mov r0,r14 - and r0,r10 - eor r6,r0 - mov r0,r15 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r22 - eor r12,r0 - mov r0,r5 - and r0,r23 - eor r13,r0 - mov r0,r6 - and r0,r2 - eor r14,r0 - mov r0,r7 - and r0,r3 - eor r15,r0 - mov r0,r12 - or r0,r4 - eor r8,r0 - mov r0,r13 - or r0,r5 - eor r9,r0 - mov r0,r14 - or r0,r6 - eor r10,r0 - mov r0,r15 - or r0,r7 - eor r11,r0 - eor r22,r8 - eor r23,r9 - eor r2,r10 - eor r3,r11 - eor r4,r22 - eor r5,r23 - eor r6,r2 - eor r7,r3 - com r22 - com r23 - com r2 - com r3 - mov r0,r12 - and r0,r4 - eor r8,r0 - mov r0,r13 - and r0,r5 - eor r9,r0 - mov r0,r14 - and r0,r6 - eor r10,r0 - mov r0,r15 - and r0,r7 - eor r11,r0 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - swap r4 - swap r5 - swap r6 - swap r7 - mov r0,r1 - lsr r8 - ror r0 - lsr r8 - ror r0 - or r8,r0 - mov r0,r1 - lsr r9 - ror r0 - lsr r9 - ror r0 - or r9,r0 - mov r0,r1 - lsr r10 - ror r0 - lsr r10 - ror r0 - or r10,r0 - mov r0,r1 - lsr r11 - ror r0 - lsr r11 - ror r0 - or r11,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if 
defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r12,r18 - eor r13,r19 - eor r14,r20 - eor r15,r21 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - com r12 - com r13 - com r14 - com r15 - mov r0,r22 - and r0,r4 - eor r8,r0 - mov r0,r23 - and r0,r5 - eor r9,r0 - mov r0,r2 - and r0,r6 - eor r10,r0 - mov r0,r3 - and r0,r7 - eor r11,r0 - mov r0,r6 - mov r6,r4 - mov r4,r0 - mov r0,r7 - mov r7,r5 - mov r5,r0 - mov r0,r8 - mov r8,r9 - mov r9,r10 - mov r10,r11 - mov r11,r0 - mov r0,r15 - mov r15,r14 - mov r14,r13 - mov r13,r12 - mov r12,r0 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ld r18,X+ - ld r19,X+ - ld r20,X+ - ld r21,X+ - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r19,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r19,Z -#elif defined(__AVR_TINY__) - ld r19,Z -#else - lpm - mov r19,r0 -#endif - inc r30 -#if defined(RAMPZ) - elpm r20,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r20,Z -#elif defined(__AVR_TINY__) - ld r20,Z -#else - lpm - mov r20,r0 -#endif - 
inc r30 -#if defined(RAMPZ) - elpm r21,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r21,Z -#elif defined(__AVR_TINY__) - ld r21,Z -#else - lpm - mov r21,r0 -#endif - inc r30 - eor r22,r18 - eor r23,r19 - eor r2,r20 - eor r3,r21 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - eor r12,r22 - eor r13,r23 - eor r14,r2 - eor r15,r3 - eor r22,r12 - eor r23,r13 - eor r2,r14 - eor r3,r15 - ret -2067: - movw r30,r26 - sbiw r30,40 - push r3 - push r2 - push r23 - push r22 - push r7 - push r6 - push r5 - push r4 - ld r22,Z - ldd r23,Z+1 - ldd r2,Z+2 - ldd r3,Z+3 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - movw r18,r26 - movw r20,r24 - movw r18,r20 - mov r20,r1 - mov r21,r1 - eor r18,r26 - eor r19,r27 - andi r18,51 - andi r19,51 - eor r26,r18 - eor r27,r19 - mov r20,r1 - mov r21,r1 - movw r20,r18 - mov r18,r1 - mov r19,r1 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,68 - andi r19,68 - andi r20,85 - andi r21,85 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - st Z,r26 - std Z+1,r27 - std Z+2,r24 - std Z+3,r25 - movw r18,r22 - movw r20,r2 - andi r18,51 - andi r19,51 - andi r20,51 - andi r21,51 - andi r22,204 - andi r23,204 - ldi r17,204 - and r2,r17 - and r3,r17 - or r2,r21 - or r3,r18 - or r22,r19 - or r23,r20 - movw r18,r2 - movw r20,r22 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r2 - eor r19,r3 - eor r20,r22 - eor r21,r23 - mov r18,r1 - andi r19,17 - andi r20,85 - andi r21,85 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r2,r18 - eor r3,r19 - eor r22,r20 - eor r23,r21 - std Z+4,r2 - std Z+5,r3 - std Z+6,r22 - std Z+7,r23 - ldd r22,Z+8 - ldd r23,Z+9 - ldd r2,Z+10 - ldd r3,Z+11 - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - lsl r26 - adc 
r26,r1 - lsl r26 - adc r26,r1 - swap r27 - lsl r24 - adc r24,r1 - lsl r24 - adc r24,r1 - swap r25 - std Z+8,r26 - std Z+9,r27 - std Z+10,r24 - std Z+11,r25 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r22 - adc r22,r1 - lsl r23 - adc r23,r1 - lsl r23 - adc r23,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r2 - adc r2,r1 - lsl r3 - adc r3,r1 - lsl r3 - adc r3,r1 - std Z+12,r22 - std Z+13,r23 - std Z+14,r2 - std Z+15,r3 - ldd r22,Z+16 - ldd r23,Z+17 - ldd r2,Z+18 - ldd r3,Z+19 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r24,Z+22 - ldd r25,Z+23 - movw r18,r26 - movw r20,r24 - andi r18,170 - andi r19,170 - andi r20,170 - andi r21,170 - andi r26,85 - andi r27,85 - andi r24,85 - andi r25,85 - or r26,r19 - or r27,r20 - or r24,r21 - or r25,r18 - std Z+16,r24 - std Z+17,r25 - std Z+18,r26 - std Z+19,r27 - movw r18,r22 - movw r20,r2 - andi r18,85 - andi r19,85 - andi r20,85 - andi r21,85 - andi r22,170 - andi r23,170 - ldi r16,170 - and r2,r16 - and r3,r16 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - lsl r22 - rol r23 - rol r2 - rol r3 - adc r22,r1 - or r22,r18 - or r23,r19 - or r2,r20 - or r3,r21 - std Z+20,r3 - std Z+21,r22 - std Z+22,r23 - std Z+23,r2 - ldd r22,Z+24 - ldd r23,Z+25 - ldd r2,Z+26 - ldd r3,Z+27 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r24,Z+30 - ldd r25,Z+31 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - lsr r21 - ror r20 - ror r19 - ror r18 - eor r18,r26 - eor r19,r27 - eor r20,r24 - eor r21,r25 - andi r18,3 - andi r19,3 - andi r20,3 - andi r21,3 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - lsl r18 - rol r19 - rol r20 - rol r21 - lsl r18 - rol r19 - rol r20 - rol r21 - eor r26,r18 - eor r27,r19 - eor r24,r20 - eor r25,r21 - movw r18,r26 - movw r20,r24 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,120 - andi r19,120 - andi r20,120 - andi r21,120 - movw r4,r18 - movw r6,r20 - lsr r7 - ror r6 - ror r5 - ror r4 
- lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - lsr r7 - ror r6 - ror r5 - ror r4 - eor r4,r18 - eor r5,r19 - eor r6,r20 - eor r7,r21 - ldi r16,8 - and r4,r16 - and r5,r16 - and r6,r16 - and r7,r16 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - lsl r4 - rol r5 - rol r6 - rol r7 - eor r18,r4 - eor r19,r5 - eor r20,r6 - eor r21,r7 - andi r26,15 - andi r27,15 - andi r24,15 - andi r25,15 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - std Z+24,r26 - std Z+25,r27 - std Z+26,r24 - std Z+27,r25 - movw r18,r2 - lsr r19 - ror r18 - lsr r19 - ror r18 - andi r18,48 - andi r19,48 - movw r26,r22 - movw r24,r2 - andi r26,1 - andi r27,1 - andi r24,1 - andi r25,1 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - lsl r26 - rol r27 - rol r24 - rol r25 - or r26,r18 - or r27,r19 - movw r18,r2 - lsl r18 - rol r19 - lsl r18 - rol r19 - andi r18,192 - andi r19,192 - or r26,r18 - or r27,r19 - movw r18,r22 - andi r18,224 - andi r19,224 - lsr r19 - ror r18 - or r24,r18 - or r25,r19 - movw r18,r22 - movw r20,r2 - lsr r21 - ror r20 - ror r19 - ror r18 - andi r18,7 - andi r19,7 - andi r20,7 - andi r21,7 - or r26,r18 - or r27,r19 - or r24,r20 - or r25,r21 - andi r22,16 - andi r23,16 - lsl r22 - rol r23 - lsl r22 - rol r23 - lsl r22 - rol r23 - or r24,r22 - or r25,r23 - std Z+28,r26 - std Z+29,r27 - std Z+30,r24 - std Z+31,r25 - ldd r22,Z+32 - ldd r23,Z+33 - ldd r2,Z+34 - ldd r3,Z+35 - ldd r26,Z+36 - ldd r27,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Z+32,r27 - std Z+33,r26 - std Z+34,r24 - std Z+35,r25 - mov r0,r1 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - lsr r23 - ror r22 - ror r0 - or r23,r0 - mov r0,r2 - mov r2,r3 - mov r3,r0 - lsl r2 
- rol r3 - adc r2,r1 - lsl r2 - rol r3 - adc r2,r1 - std Z+36,r22 - std Z+37,r23 - std Z+38,r2 - std Z+39,r3 - pop r4 - pop r5 - pop r6 - pop r7 - pop r22 - pop r23 - pop r2 - pop r3 - movw r26,r30 - ret -2541: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - subi r28,175 - sbci r29,255 - ld r26,Y+ - ld r27,Y - subi r28,82 - sbc r29,r1 - st X+,r22 - st X+,r23 - st X+,r2 - st X+,r3 - st X+,r4 - st X+,r5 - st X+,r6 - st X+,r7 - st X+,r8 - st X+,r9 - st X+,r10 - st X+,r11 - st X+,r12 - st X+,r13 - st X+,r14 - st X+,r15 - subi r28,174 - sbci r29,255 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded - - .section .progmem.data,"a",@progbits - .p2align 8 - .type table_1, @object - .size table_1, 40 -table_1: - .byte 1 - .byte 3 - .byte 7 - .byte 15 - .byte 31 - .byte 62 - .byte 61 - .byte 59 - .byte 55 - .byte 47 - .byte 30 - .byte 60 - .byte 57 - .byte 51 - .byte 39 - .byte 14 - .byte 29 - .byte 58 - .byte 53 - .byte 43 - .byte 22 - .byte 44 - .byte 24 - .byte 48 - .byte 33 - .byte 2 - .byte 5 - .byte 11 - .byte 23 - .byte 46 - .byte 28 - .byte 56 - .byte 49 - .byte 35 - .byte 6 - .byte 13 - .byte 27 - .byte 54 - .byte 45 - .byte 26 - - .text -.global gift128b_decrypt - .type gift128b_decrypt, @function -gift128b_decrypt: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r23 - push r22 - movw r30,r24 - movw r26,r20 - in r28,0x3d - in r29,0x3e - sbiw r28,16 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 -.L__stack_usage = 35 - ld r3,X+ - ld r2,X+ - ld r23,X+ - ld r22,X+ - ld r7,X+ - ld r6,X+ - ld r5,X+ - ld r4,X+ - ld r11,X+ - ld r10,X+ - ld r9,X+ - ld 
r8,X+ - ld r15,X+ - ld r14,X+ - ld r13,X+ - ld r12,X+ - ldd r26,Z+12 - ldd r27,Z+13 - ldd r24,Z+14 - ldd r25,Z+15 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Z+4 - ldd r27,Z+5 - ldd r24,Z+6 - ldd r25,Z+7 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Z+8 - ldd r27,Z+9 - ldd r24,Z+10 - ldd r25,Z+11 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ld r26,Z - ldd r27,Z+1 - ldd r24,Z+2 - ldd r25,Z+3 - mov r0,r27 - mov r27,r26 - mov r26,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - lsr r25 - ror r24 - ror r0 - or r25,r0 - ldi r30,lo8(table_1) - ldi r31,hi8(table_1) -#if defined(RAMPZ) - ldi r17,hh8(table_1) - in r0,_SFR_IO_ADDR(RAMPZ) - push r0 - out _SFR_IO_ADDR(RAMPZ),r17 -#endif - ldi r16,40 -114: - ldd r0,Y+9 - eor r8,r0 - ldd r0,Y+10 - eor r9,r0 - ldd r0,Y+11 - eor r10,r0 - ldd r0,Y+12 - eor r11,r0 - std Y+13,r26 - std Y+14,r27 - std Y+15,r24 - std Y+16,r25 - ldd r26,Y+1 - ldd r27,Y+2 - ldd r24,Y+3 - ldd r25,Y+4 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+13 - eor r8,r0 - ldd r0,Y+14 - eor r9,r0 - ldd r0,Y+15 - eor r10,r0 - ldd r0,Y+16 - eor r11,r0 - std Y+1,r26 - std Y+2,r27 - std Y+3,r24 - std Y+4,r25 - ldd r26,Y+5 - ldd r27,Y+6 - ldd r24,Y+7 
- ldd r25,Y+8 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+1 - eor r8,r0 - ldd r0,Y+2 - eor r9,r0 - ldd r0,Y+3 - eor r10,r0 - ldd r0,Y+4 - eor r11,r0 - std Y+5,r26 - std Y+6,r27 - std Y+7,r24 - std Y+8,r25 - ldd r26,Y+9 - ldd r27,Y+10 - ldd r24,Y+11 - ldd r25,Y+12 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - ldd r0,Y+5 - eor r8,r0 - ldd r0,Y+6 - eor r9,r0 - ldd r0,Y+7 - eor r10,r0 - ldd r0,Y+8 - eor r11,r0 - std Y+9,r26 - std Y+10,r27 - std Y+11,r24 - std Y+12,r25 - ldd r26,Y+13 - ldd r27,Y+14 - ldd r24,Y+15 - ldd r25,Y+16 - mov r0,r1 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - lsr r27 - ror r26 - ror r0 - or r27,r0 - lsl r24 - rol r25 - adc r24,r1 - lsl r24 - rol r25 - adc r24,r1 - rcall 266f - cpse r16,r1 - rjmp 114b - rjmp 611f -266: - eor r4,r26 - eor r5,r27 - eor r6,r24 - eor r7,r25 - ldi r18,128 - eor r15,r18 - dec r16 - mov r30,r16 -#if defined(RAMPZ) - elpm r18,Z -#elif defined(__AVR_HAVE_LPMX__) - lpm r18,Z -#elif defined(__AVR_TINY__) - ld r18,Z -#else - lpm - mov r18,r0 -#endif - eor r12,r18 - bst r22,1 - bld r0,0 - bst r3,0 - bld r22,1 - bst r22,6 - bld r3,0 - bst r2,1 - bld r22,6 - bst r3,4 - bld r2,1 - bst r22,7 - bld r3,4 - bst r23,1 - bld r22,7 - bst r3,2 - bld r23,1 - bst r2,6 - bld r3,2 - bst r2,5 - bld r2,6 - bst r3,5 - bld r2,5 - bst r3,7 - bld r3,5 - bst r23,7 - bld r3,7 - bst r23,3 - bld r23,7 - bst r23,2 - bld r23,3 - bst r2,2 - bld r23,2 - bst r2,4 - bld r2,2 - bst r22,5 - bld r2,4 - bst r3,1 - bld r22,5 - bst r3,6 - bld r3,1 - bst r2,7 - bld r3,6 - bst r23,5 - bld r2,7 - bst r3,3 - bld r23,5 - bst r23,6 - bld r3,3 - bst r2,3 - bld r23,6 - bst 
r23,4 - bld r2,3 - bst r22,3 - bld r23,4 - bst r23,0 - bld r22,3 - bst r22,2 - bld r23,0 - bst r2,0 - bld r22,2 - bst r22,4 - bld r2,0 - bst r0,0 - bld r22,4 - bst r4,0 - bld r0,0 - bst r5,0 - bld r4,0 - bst r5,2 - bld r5,0 - bst r7,2 - bld r5,2 - bst r7,6 - bld r7,2 - bst r7,7 - bld r7,6 - bst r6,7 - bld r7,7 - bst r6,5 - bld r6,7 - bst r4,5 - bld r6,5 - bst r4,1 - bld r4,5 - bst r0,0 - bld r4,1 - bst r4,2 - bld r0,0 - bst r7,0 - bld r4,2 - bst r5,6 - bld r7,0 - bst r7,3 - bld r5,6 - bst r6,6 - bld r7,3 - bst r7,5 - bld r6,6 - bst r4,7 - bld r7,5 - bst r6,1 - bld r4,7 - bst r4,4 - bld r6,1 - bst r5,1 - bld r4,4 - bst r0,0 - bld r5,1 - bst r4,3 - bld r0,0 - bst r6,0 - bld r4,3 - bst r5,4 - bld r6,0 - bst r5,3 - bld r5,4 - bst r6,2 - bld r5,3 - bst r7,4 - bld r6,2 - bst r5,7 - bld r7,4 - bst r6,3 - bld r5,7 - bst r6,4 - bld r6,3 - bst r5,5 - bld r6,4 - bst r0,0 - bld r5,5 - bst r4,6 - bld r0,0 - bst r7,1 - bld r4,6 - bst r0,0 - bld r7,1 - bst r8,0 - bld r0,0 - bst r10,0 - bld r8,0 - bst r10,4 - bld r10,0 - bst r10,5 - bld r10,4 - bst r9,5 - bld r10,5 - bst r9,3 - bld r9,5 - bst r11,2 - bld r9,3 - bst r8,6 - bld r11,2 - bst r8,1 - bld r8,6 - bst r9,0 - bld r8,1 - bst r10,2 - bld r9,0 - bst r8,4 - bld r10,2 - bst r10,1 - bld r8,4 - bst r9,4 - bld r10,1 - bst r10,3 - bld r9,4 - bst r11,4 - bld r10,3 - bst r10,7 - bld r11,4 - bst r11,5 - bld r10,7 - bst r9,7 - bld r11,5 - bst r11,3 - bld r9,7 - bst r11,6 - bld r11,3 - bst r8,7 - bld r11,6 - bst r11,1 - bld r8,7 - bst r9,6 - bld r11,1 - bst r8,3 - bld r9,6 - bst r11,0 - bld r8,3 - bst r10,6 - bld r11,0 - bst r8,5 - bld r10,6 - bst r9,1 - bld r8,5 - bst r9,2 - bld r9,1 - bst r8,2 - bld r9,2 - bst r0,0 - bld r8,2 - bst r12,0 - bld r0,0 - bst r15,0 - bld r12,0 - bst r15,6 - bld r15,0 - bst r13,7 - bld r15,6 - bst r12,3 - bld r13,7 - bst r0,0 - bld r12,3 - bst r12,1 - bld r0,0 - bst r14,0 - bld r12,1 - bst r15,4 - bld r14,0 - bst r15,7 - bld r15,4 - bst r12,7 - bld r15,7 - bst r0,0 - bld r12,7 - bst r12,2 - bld r0,0 - bst 
r13,0 - bld r12,2 - bst r15,2 - bld r13,0 - bst r13,6 - bld r15,2 - bst r13,3 - bld r13,6 - bst r0,0 - bld r13,3 - bst r12,4 - bld r0,0 - bst r15,1 - bld r12,4 - bst r14,6 - bld r15,1 - bst r13,5 - bld r14,6 - bst r14,3 - bld r13,5 - bst r0,0 - bld r14,3 - bst r12,5 - bld r0,0 - bst r14,1 - bld r12,5 - bst r14,4 - bld r14,1 - bst r15,5 - bld r14,4 - bst r14,7 - bld r15,5 - bst r0,0 - bld r14,7 - bst r12,6 - bld r0,0 - bst r13,1 - bld r12,6 - bst r14,2 - bld r13,1 - bst r13,4 - bld r14,2 - bst r15,3 - bld r13,4 - bst r0,0 - bld r15,3 - movw r18,r12 - movw r20,r14 - movw r12,r22 - movw r14,r2 - movw r22,r18 - movw r2,r20 - and r18,r4 - and r19,r5 - and r20,r6 - and r21,r7 - eor r8,r18 - eor r9,r19 - eor r10,r20 - eor r11,r21 - com r12 - com r13 - com r14 - com r15 - eor r4,r12 - eor r5,r13 - eor r6,r14 - eor r7,r15 - eor r12,r8 - eor r13,r9 - eor r14,r10 - eor r15,r11 - mov r0,r22 - or r0,r4 - eor r8,r0 - mov r0,r23 - or r0,r5 - eor r9,r0 - mov r0,r2 - or r0,r6 - eor r10,r0 - mov r0,r3 - or r0,r7 - eor r11,r0 - mov r0,r4 - and r0,r12 - eor r22,r0 - mov r0,r5 - and r0,r13 - eor r23,r0 - mov r0,r6 - and r0,r14 - eor r2,r0 - mov r0,r7 - and r0,r15 - eor r3,r0 - mov r0,r22 - and r0,r8 - eor r4,r0 - mov r0,r23 - and r0,r9 - eor r5,r0 - mov r0,r2 - and r0,r10 - eor r6,r0 - mov r0,r3 - and r0,r11 - eor r7,r0 - ret -611: -#if defined(RAMPZ) - pop r0 - out _SFR_IO_ADDR(RAMPZ),r0 -#endif - ldd r26,Y+17 - ldd r27,Y+18 - st X+,r3 - st X+,r2 - st X+,r23 - st X+,r22 - st X+,r7 - st X+,r6 - st X+,r5 - st X+,r4 - st X+,r11 - st X+,r10 - st X+,r9 - st X+,r8 - st X+,r15 - st X+,r14 - st X+,r13 - st X+,r12 - adiw r28,18 - in r0,0x3f - cli - out 0x3e,r29 - out 0x3f,r0 - out 0x3d,r28 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size gift128b_decrypt, .-gift128b_decrypt - -#endif - -#endif 
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-util.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate
by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define
rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a)
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) |
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/sundae-gift.c b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/sundae-gift.c
deleted file mode 100644
index d192b8e..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/sundae-gift.c
+++ /dev/null
@@ -1,356 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "sundae-gift.h"
-#include "internal-gift128.h"
-#include "internal-util.h"
-#include
-
-aead_cipher_t const sundae_gift_0_cipher = {
- "SUNDAE-GIFT-0",
- SUNDAE_GIFT_KEY_SIZE,
- SUNDAE_GIFT_0_NONCE_SIZE,
- SUNDAE_GIFT_TAG_SIZE,
- AEAD_FLAG_NONE,
- sundae_gift_0_aead_encrypt,
- sundae_gift_0_aead_decrypt
-};
-
-aead_cipher_t const sundae_gift_64_cipher = {
- "SUNDAE-GIFT-64",
- SUNDAE_GIFT_KEY_SIZE,
- SUNDAE_GIFT_64_NONCE_SIZE,
- SUNDAE_GIFT_TAG_SIZE,
- AEAD_FLAG_NONE,
- sundae_gift_64_aead_encrypt,
- sundae_gift_64_aead_decrypt
-};
-
-aead_cipher_t const sundae_gift_96_cipher = {
- "SUNDAE-GIFT-96",
- SUNDAE_GIFT_KEY_SIZE,
- SUNDAE_GIFT_96_NONCE_SIZE,
- SUNDAE_GIFT_TAG_SIZE,
- AEAD_FLAG_NONE,
- sundae_gift_96_aead_encrypt,
- sundae_gift_96_aead_decrypt
-};
-
-aead_cipher_t const sundae_gift_128_cipher = {
- "SUNDAE-GIFT-128",
- SUNDAE_GIFT_KEY_SIZE,
- SUNDAE_GIFT_128_NONCE_SIZE,
- SUNDAE_GIFT_TAG_SIZE,
- AEAD_FLAG_NONE,
- sundae_gift_128_aead_encrypt,
- sundae_gift_128_aead_decrypt
-};
-
-/* Multiply a block value by 2 in the special byte field */
-STATIC_INLINE void sundae_gift_multiply(unsigned char B[16])
-{
- unsigned char B0 = B[0];
- unsigned index;
- for (index = 0; index < 15; ++index)
- B[index] = B[index + 1];
- B[15] = B0;
- B[10] ^= B0;
- B[12] ^= B0;
- B[14] ^= B0;
-}
-
-/* Compute a MAC over the concatenation of two data buffers */
-static void sundae_gift_aead_mac
- (const gift128b_key_schedule_t *ks, unsigned char V[16],
- const unsigned char *data1, unsigned data1len,
- const unsigned char *data2, unsigned long data2len)
-{
- unsigned len;
-
- /* Nothing to do if the input is empty */
- if (!data1len && !data2len)
- return;
-
- /* Format the first block.
We assume that data1len <= 16
- * as it is will be the nonce if it is non-zero in length */
- lw_xor_block(V, data1, data1len);
- len = 16 - data1len;
- if (len > data2len)
- len = (unsigned)data2len;
- lw_xor_block(V + data1len, data2, len);
- data2 += len;
- data2len -= len;
- len += data1len;
-
- /* Process as many full blocks as we can, except the last */
- while (data2len > 0) {
- gift128b_encrypt(ks, V, V);
- len = 16;
- if (len > data2len)
- len = (unsigned)data2len;
- lw_xor_block(V, data2, len);
- data2 += len;
- data2len -= len;
- }
-
- /* Pad and process the last block */
- if (len < 16) {
- V[len] ^= 0x80;
- sundae_gift_multiply(V);
- gift128b_encrypt(ks, V, V);
- } else {
- sundae_gift_multiply(V);
- sundae_gift_multiply(V);
- gift128b_encrypt(ks, V, V);
- }
-}
-
-static int sundae_gift_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub, unsigned npublen,
- const unsigned char *k, unsigned char domainsep)
-{
- gift128b_key_schedule_t ks;
- unsigned char V[16];
- unsigned char T[16];
- unsigned char P[16];
-
- /* Compute the length of the output ciphertext */
- *clen = mlen + SUNDAE_GIFT_TAG_SIZE;
-
- /* Set the key schedule */
- gift128b_init(&ks, k);
-
- /* Format and encrypt the initial domain separation block */
- if (adlen > 0)
- domainsep |= 0x80;
- if (mlen > 0)
- domainsep |= 0x40;
- V[0] = domainsep;
- memset(V + 1, 0, sizeof(V) - 1);
- gift128b_encrypt(&ks, T, V);
-
- /* Authenticate the nonce and the associated data */
- sundae_gift_aead_mac(&ks, T, npub, npublen, ad, adlen);
-
- /* Authenticate the plaintext */
- sundae_gift_aead_mac(&ks, T, 0, 0, m, mlen);
-
- /* Encrypt the plaintext to produce the ciphertext. We need to be
- * careful how we manage the data because we could be doing in-place
- * encryption.
In SUNDAE-GIFT, the first 16 bytes of the ciphertext
- * is the tag rather than the last 16 bytes in other algorithms.
- * We need to swap the plaintext for the current block with the
- * ciphertext or tag from the previous block */
- memcpy(V, T, 16);
- while (mlen >= 16) {
- gift128b_encrypt(&ks, V, V);
- lw_xor_block_2_src(P, V, m, 16);
- memcpy(c, T, 16);
- memcpy(T, P, 16);
- c += 16;
- m += 16;
- mlen -= 16;
- }
- if (mlen > 0) {
- unsigned leftover = (unsigned)mlen;
- gift128b_encrypt(&ks, V, V);
- lw_xor_block(V, m, leftover);
- memcpy(c, T, 16);
- memcpy(c + 16, V, leftover);
- } else {
- memcpy(c, T, 16);
- }
- return 0;
-}
-
-static int sundae_gift_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub, unsigned npublen,
- const unsigned char *k, unsigned char domainsep)
-{
- gift128b_key_schedule_t ks;
- unsigned char V[16];
- unsigned char T[16];
- unsigned char *mtemp;
- unsigned long len;
-
- /* Bail out if the ciphertext is too short */
- if (clen < SUNDAE_GIFT_TAG_SIZE)
- return -1;
- len = *mlen = clen - SUNDAE_GIFT_TAG_SIZE;
-
- /* Set the key schedule */
- gift128b_init(&ks, k);
-
- /* Decrypt the ciphertext to produce the plaintext, using the
- * tag as the initialization vector for the decryption process */
- memcpy(T, c, SUNDAE_GIFT_TAG_SIZE);
- c += SUNDAE_GIFT_TAG_SIZE;
- mtemp = m;
- memcpy(V, T, 16);
- while (len >= 16) {
- gift128b_encrypt(&ks, V, V);
- lw_xor_block_2_src(mtemp, c, V, 16);
- c += 16;
- mtemp += 16;
- len -= 16;
- }
- if (len > 0) {
- gift128b_encrypt(&ks, V, V);
- lw_xor_block_2_src(mtemp, c, V, (unsigned)len);
- }
-
- /* Format and encrypt the initial domain separation block */
- if (adlen > 0)
- domainsep |= 0x80;
- if (clen > SUNDAE_GIFT_TAG_SIZE)
- domainsep |= 0x40;
- V[0] = domainsep;
- memset(V + 1, 0, sizeof(V) - 1);
- gift128b_encrypt(&ks, V, V);
-
- /* Authenticate the nonce
and the associated data */
- sundae_gift_aead_mac(&ks, V, npub, npublen, ad, adlen);
-
- /* Authenticate the plaintext */
- sundae_gift_aead_mac(&ks, V, 0, 0, m, *mlen);
-
- /* Check the authentication tag */
- return aead_check_tag(m, *mlen, T, V, 16);
-}
-
-int sundae_gift_0_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- (void)npub;
- return sundae_gift_aead_encrypt
- (c, clen, m, mlen, ad, adlen, 0, 0, k, 0x00);
-}
-
-int sundae_gift_0_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- (void)npub;
- return sundae_gift_aead_decrypt
- (m, mlen, c, clen, ad, adlen, 0, 0, k, 0x00);
-}
-
-int sundae_gift_64_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- return sundae_gift_aead_encrypt
- (c, clen, m, mlen, ad, adlen,
- npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90);
-}
-
-int sundae_gift_64_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- return sundae_gift_aead_decrypt
- (m, mlen, c, clen, ad, adlen,
- npub, SUNDAE_GIFT_64_NONCE_SIZE, k, 0x90);
-}
-
-int sundae_gift_96_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long
adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- return sundae_gift_aead_encrypt
- (c, clen, m, mlen, ad, adlen,
- npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0);
-}
-
-int sundae_gift_96_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- return sundae_gift_aead_decrypt
- (m, mlen, c, clen, ad, adlen,
- npub, SUNDAE_GIFT_96_NONCE_SIZE, k, 0xA0);
-}
-
-int sundae_gift_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- return sundae_gift_aead_encrypt
- (c, clen, m, mlen, ad, adlen,
- npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0);
-}
-
-int sundae_gift_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- (void)nsec;
- return sundae_gift_aead_decrypt
- (m, mlen, c, clen, ad, adlen,
- npub, SUNDAE_GIFT_128_NONCE_SIZE, k, 0xB0);
-}
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/sundae-gift.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/sundae-gift.h
deleted file mode 100644
index 9040dd5..0000000
--- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys-avr/sundae-gift.h
+++ /dev/null
@@ -1,341 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_SUNDAE_GIFT_H -#define LWCRYPTO_SUNDAE_GIFT_H - -#include "aead-common.h" - -/** - * \file sundae-gift.h - * \brief SUNDAE-GIFT encryption algorithm family. - * - * The SUNDAE-GIFT family consists of several related algorithms: - * - * \li SUNDAE-GIFT-0 with a 128-bit key, a 0-bit nonce, and 128-bit tag. - * \li SUNDAE-GIFT-64 with a 128-bit key, a 64-bit nonce, and 128-bit tag. - * \li SUNDAE-GIFT-96 with a 128-bit key, a 96-bit nonce, and 128-bit tag. - * This is the primary member of the family. - * \li SUNDAE-GIFT-128 with a 128-bit key, a 128-bit nonce, and 128-bit tag. - * - * SUNDAE-GIFT is resistant against nonce reuse as long as the combination - * of the associated data and plaintext is unique. 
- * - * If a nonce is reused (or there is no nonce in the case of SUNDAE-GIFT-0), - * then two packets with the same associated data and plaintext will encrypt - * to the same ciphertext. This will leak that the same plaintext has been - * sent for a second time but will not reveal the plaintext itself. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for all SUNDAE-GIFT family members. - */ -#define SUNDAE_GIFT_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for all SUNDAE-GIFT family members. - */ -#define SUNDAE_GIFT_TAG_SIZE 16 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-0. - */ -#define SUNDAE_GIFT_0_NONCE_SIZE 0 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-64. - */ -#define SUNDAE_GIFT_64_NONCE_SIZE 8 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-96. - */ -#define SUNDAE_GIFT_96_NONCE_SIZE 12 - -/** - * \brief Size of the nonce for SUNDAE-GIFT-128. - */ -#define SUNDAE_GIFT_128_NONCE_SIZE 16 - -/** - * \brief Meta-information block for the SUNDAE-GIFT-0 cipher. - */ -extern aead_cipher_t const sundae_gift_0_cipher; - -/** - * \brief Meta-information block for the SUNDAE-GIFT-64 cipher. - */ -extern aead_cipher_t const sundae_gift_64_cipher; - -/** - * \brief Meta-information block for the SUNDAE-GIFT-96 cipher. - */ -extern aead_cipher_t const sundae_gift_96_cipher; - -/** - * \brief Meta-information block for the SUNDAE-GIFT-128 cipher. - */ -extern aead_cipher_t const sundae_gift_128_cipher; - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-0. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. 
- * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce - not used by this algorithm. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa sundae_gift_0_aead_decrypt() - */ -int sundae_gift_0_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-0. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce - not used by this algorithm. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa sundae_gift_0_aead_encrypt() - */ -int sundae_gift_0_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-64. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa sundae_gift_64_aead_decrypt() - */ -int sundae_gift_64_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-64. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 8 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa sundae_gift_64_aead_encrypt() - */ -int sundae_gift_64_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-96. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa sundae_gift_96_aead_decrypt() - */ -int sundae_gift_96_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-96. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa sundae_gift_96_aead_encrypt() - */ -int sundae_gift_96_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with SUNDAE-GIFT-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa sundae_gift_128_aead_decrypt() - */ -int sundae_gift_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with SUNDAE-GIFT-12896. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa sundae_gift_128_aead_encrypt() - */ -int sundae_gift_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-cham.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128-config.h similarity index 51% rename from comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-cham.h rename to sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128-config.h index 29d5ccf..62131ba 100644 --- a/comet/Implementations/crypto_aead/comet128chamv1/rhys-avr/internal-cham.h +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128-config.h 
@@ -20,48 +20,61 @@ * DEALINGS IN THE SOFTWARE. */ -#ifndef LW_INTERNAL_CHAM_H -#define LW_INTERNAL_CHAM_H +#ifndef LW_INTERNAL_GIFT128_CONFIG_H +#define LW_INTERNAL_GIFT128_CONFIG_H /** - * \file internal-cham.h - * \brief CHAM block cipher. + * \file internal-gift128-config.h + * \brief Configures the variant of GIFT-128 to use. */ -#ifdef __cplusplus -extern "C" { -#endif +/** + * \brief Select the full variant of GIFT-128. + * + * The full variant requires 320 bytes for the key schedule and uses the + * fixslicing method to implement encryption and decryption. + */ +#define GIFT128_VARIANT_FULL 0 /** - * \brief Encrypts a 128-bit block with CHAM-128-128. + * \brief Select the small variant of GIFT-128. * - * \param key Points to the 16 bytes of the key. - * \param output Output buffer which must be at least 16 bytes in length. - * \param input Input buffer which must be at least 16 bytes in length. + * The small variant requires 80 bytes for the key schedule. The rest + * of the key schedule is expanded on the fly during encryption. * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. + * The fixslicing method is used to implement encryption and the slower + * bitslicing method is used to implement decryption. The small variant + * is suitable when memory is at a premium, decryption is not needed, + * but encryption performance is still important. */ -void cham128_128_encrypt - (const unsigned char *key, unsigned char *output, - const unsigned char *input); +#define GIFT128_VARIANT_SMALL 1 /** - * \brief Encrypts a 64-bit block with CHAM-64-128. - * - * \param key Points to the 16 bytes of the key. - * \param output Output buffer which must be at least 8 bytes in length. - * \param input Input buffer which must be at least 8 bytes in length. + * \brief Select the tiny variant of GIFT-128. * - * The \a input and \a output buffers can be the same buffer for - * in-place encryption. 
+ * The tiny variant requires 16 bytes for the key schedule and uses the + * bitslicing method to implement encryption and decryption. It is suitable + * for use when memory is very tight and performance is not critical. */ -void cham64_128_encrypt - (const unsigned char *key, unsigned char *output, - const unsigned char *input); +#define GIFT128_VARIANT_TINY 2 -#ifdef __cplusplus -} +/** + * \def GIFT128_VARIANT + * \brief Selects the default variant of GIFT-128 to use on this platform. + */ +/** + * \def GIFT128_VARIANT_ASM + * \brief Defined to 1 if the GIFT-128 implementation has been replaced + * with an assembly code version. + */ +#if defined(__AVR__) && !defined(GIFT128_VARIANT_ASM) +#define GIFT128_VARIANT_ASM 1 +#endif +#if !defined(GIFT128_VARIANT) +#define GIFT128_VARIANT GIFT128_VARIANT_FULL +#endif +#if !defined(GIFT128_VARIANT_ASM) +#define GIFT128_VARIANT_ASM 0 #endif #endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.c b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.c index 681dbc8..c6ac5ec 100644 --- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.c +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.c @@ -23,8 +23,12 @@ #include "internal-gift128.h" #include "internal-util.h" +#if !GIFT128_VARIANT_ASM + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /* Round constants for GIFT-128 in the fixsliced representation */ -static uint32_t const GIFT128_RC[40] = { +static uint32_t const GIFT128_RC_fixsliced[40] = { 0x10000008, 0x80018000, 0x54000002, 0x01010181, 0x8000001f, 0x10888880, 0x6001e000, 0x51500002, 0x03030180, 0x8000002f, 0x10088880, 0x60016000, 0x41500002, 0x03030080, 0x80000027, 0x10008880, 0x4001e000, 0x11500002, 
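Review bot: `GIFT128_VARIANT` is given a default but never validated, so a build that defines it to anything other than 0, 1 or 2 is accepted and then passes the `!= GIFT128_VARIANT_TINY` / `!= GIFT128_VARIANT_FULL` tests in internal-gift128.c as if it were neither, ending up in whichever `#else` branches exist rather than failing at compile time. A guard after the defaults makes the mistake visible: `#if GIFT128_VARIANT != GIFT128_VARIANT_FULL && GIFT128_VARIANT != GIFT128_VARIANT_SMALL && GIFT128_VARIANT != GIFT128_VARIANT_TINY` / `#error "GIFT128_VARIANT must be FULL, SMALL or TINY"` / `#endif`. The doc comment for `GIFT128_VARIANT` could also state that a user-defined value must be one of the three `GIFT128_VARIANT_*` constants.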
@@ -34,6 +38,246 @@ static uint32_t const GIFT128_RC[40] = { 0xc001a000, 0x14500002, 0x01020181, 0x8000001a }; +#endif + +#if GIFT128_VARIANT != GIFT128_VARIANT_FULL + +/* Round constants for GIFT-128 in the bitsliced representation */ +static uint8_t const GIFT128_RC[40] = { + 0x01, 0x03, 0x07, 0x0F, 0x1F, 0x3E, 0x3D, 0x3B, + 0x37, 0x2F, 0x1E, 0x3C, 0x39, 0x33, 0x27, 0x0E, + 0x1D, 0x3A, 0x35, 0x2B, 0x16, 0x2C, 0x18, 0x30, + 0x21, 0x02, 0x05, 0x0B, 0x17, 0x2E, 0x1C, 0x38, + 0x31, 0x23, 0x06, 0x0D, 0x1B, 0x36, 0x2D, 0x1A +}; + +#endif + +/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ +#define bit_permute_step(_y, mask, shift) \ + do { \ + uint32_t y = (_y); \ + uint32_t t = ((y >> (shift)) ^ y) & (mask); \ + (_y) = (y ^ t) ^ (t << (shift)); \ + } while (0) + +/* + * The permutation below was generated by the online permuation generator at + * "http://programming.sirrida.de/calcperm.php". + * + * All of the permutuations are essentially the same, except that each is + * rotated by 8 bits with respect to the next: + * + * P0: 0 24 16 8 1 25 17 9 2 26 18 10 3 27 19 11 4 28 20 12 5 29 21 13 6 30 22 14 7 31 23 15 + * P1: 8 0 24 16 9 1 25 17 10 2 26 18 11 3 27 19 12 4 28 20 13 5 29 21 14 6 30 22 15 7 31 23 + * P2: 16 8 0 24 17 9 1 25 18 10 2 26 19 11 3 27 20 12 4 28 21 13 5 29 22 14 6 30 23 15 7 31 + * P3: 24 16 8 0 25 17 9 1 26 18 10 2 27 19 11 3 28 20 12 4 29 21 13 5 30 22 14 6 31 23 15 7 + * + * The most efficient permutation from the online generator was P3, so we + * perform it as the core of the others, and then perform a final rotation. + * + * It is possible to do slightly better than "P3 then rotate" on desktop and + * server architectures for the other permutations. But the advantage isn't + * as evident on embedded platforms so we keep things simple. 
+ */ +#define PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define PERM0(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate8(_x); \ + } while (0) +#define PERM1(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate16(_x); \ + } while (0) +#define PERM2(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = leftRotate24(_x); \ + } while (0) +#define PERM3(x) \ + do { \ + uint32_t _x = (x); \ + PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +#define INV_PERM3_INNER(x) \ + do { \ + bit_permute_step(x, 0x00550055, 9); \ + bit_permute_step(x, 0x00003333, 18); \ + bit_permute_step(x, 0x000f000f, 12); \ + bit_permute_step(x, 0x000000ff, 24); \ + } while (0) +#define INV_PERM0(x) \ + do { \ + uint32_t _x = rightRotate8(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM1(x) \ + do { \ + uint32_t _x = rightRotate16(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM2(x) \ + do { \ + uint32_t _x = rightRotate24(x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) +#define INV_PERM3(x) \ + do { \ + uint32_t _x = (x); \ + INV_PERM3_INNER(_x); \ + (x) = _x; \ + } while (0) + +/** + * \brief Converts the GIFT-128 nibble-based representation into word-based. + * + * \param output Output buffer to write the word-based version to. + * \param input Input buffer to read the nibble-based version from. + * + * The \a input and \a output buffers can be the same buffer. + */ +static void gift128n_to_words + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input buffer into 32-bit words. We use the nibble order + * from the HYENA submission to NIST which is byte-reversed with respect + * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in + * the first byte instead of the last, which means little-endian order. */ + s0 = le_load_word32(input + 12); + s1 = le_load_word32(input + 8); + s2 = le_load_word32(input + 4); + s3 = le_load_word32(input); + + /* Rearrange the bits so that bits 0..3 of each nibble are + * scattered to bytes 0..3 of each word. The permutation is: + * + * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 + * + * Generated with "http://programming.sirrida.de/calcperm.php". + */ + #define PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x0a0a0a0a, 3); \ + bit_permute_step(x, 0x00cc00cc, 6); \ + bit_permute_step(x, 0x0000f0f0, 12); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + PERM_WORDS(s0); + PERM_WORDS(s1); + PERM_WORDS(s2); + PERM_WORDS(s3); + + /* Rearrange the bytes and write them to the output buffer */ + output[0] = (uint8_t)s0; + output[1] = (uint8_t)s1; + output[2] = (uint8_t)s2; + output[3] = (uint8_t)s3; + output[4] = (uint8_t)(s0 >> 8); + output[5] = (uint8_t)(s1 >> 8); + output[6] = (uint8_t)(s2 >> 8); + output[7] = (uint8_t)(s3 >> 8); + output[8] = (uint8_t)(s0 >> 16); + output[9] = (uint8_t)(s1 >> 16); + output[10] = (uint8_t)(s2 >> 16); + output[11] = (uint8_t)(s3 >> 16); + output[12] = (uint8_t)(s0 >> 24); + output[13] = (uint8_t)(s1 >> 24); + output[14] = (uint8_t)(s2 >> 24); + output[15] = (uint8_t)(s3 >> 24); +} + +/** + * \brief Converts the GIFT-128 word-based representation into nibble-based. + * + * \param output Output buffer to write the nibble-based version to. + * \param input Input buffer to read the word-based version from. 
+ */ +static void gift128n_to_nibbles + (unsigned char *output, const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + + /* Load the input bytes and rearrange them so that s0 contains the + * most significant nibbles and s3 contains the least significant */ + s0 = (((uint32_t)(input[12])) << 24) | + (((uint32_t)(input[8])) << 16) | + (((uint32_t)(input[4])) << 8) | + ((uint32_t)(input[0])); + s1 = (((uint32_t)(input[13])) << 24) | + (((uint32_t)(input[9])) << 16) | + (((uint32_t)(input[5])) << 8) | + ((uint32_t)(input[1])); + s2 = (((uint32_t)(input[14])) << 24) | + (((uint32_t)(input[10])) << 16) | + (((uint32_t)(input[6])) << 8) | + ((uint32_t)(input[2])); + s3 = (((uint32_t)(input[15])) << 24) | + (((uint32_t)(input[11])) << 16) | + (((uint32_t)(input[7])) << 8) | + ((uint32_t)(input[3])); + + /* Apply the inverse of PERM_WORDS() from the function above */ + #define INV_PERM_WORDS(_x) \ + do { \ + uint32_t x = (_x); \ + bit_permute_step(x, 0x00aa00aa, 7); \ + bit_permute_step(x, 0x0000cccc, 14); \ + bit_permute_step(x, 0x00f000f0, 4); \ + bit_permute_step(x, 0x0000ff00, 8); \ + (_x) = x; \ + } while (0) + INV_PERM_WORDS(s0); + INV_PERM_WORDS(s1); + INV_PERM_WORDS(s2); + INV_PERM_WORDS(s3); + + /* Store the result into the output buffer as 32-bit words */ + le_store_word32(output + 12, s0); + le_store_word32(output + 8, s1); + le_store_word32(output + 4, s2); + le_store_word32(output, s3); +} + +void gift128n_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_encrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +void gift128n_decrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + gift128n_to_words(output, input); + gift128b_decrypt(ks, output, output); + gift128n_to_nibbles(output, output); +} + +#if GIFT128_VARIANT != GIFT128_VARIANT_TINY + /** * \brief Swaps bits within two words. * 
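Review bot: `PERM_WORDS` and `INV_PERM_WORDS` are `#define`d inside the bodies of `gift128n_to_words` and `gift128n_to_nibbles` but never undefined, so they remain visible for the rest of the translation unit despite reading as function-local helpers. Adding `#undef PERM_WORDS` after the last `PERM_WORDS(s3);` and `#undef INV_PERM_WORDS` after the last `INV_PERM_WORDS(s3);` keeps them scoped to the function that documents them. The new block comment above `PERM3_INNER` also has two typos, "permuation" and "permutuations", that should read "permutation" and "permutations".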
@@ -202,21 +446,27 @@ static void gift128b_compute_round_keys /* Keys 8, 9, 18, and 19 do not need any adjustment */ } +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL /* Derive the fixsliced keys for the remaining rounds 11..40 */ for (index = 20; index < 80; index += 10) { gift128b_derive_keys(ks->k + index, ks->k + index - 20); } +#endif } -int gift128b_init - (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) { - if (!ks || !key || key_len != 16) - return 0; gift128b_compute_round_keys (ks, be_load_word32(key), be_load_word32(key + 4), be_load_word32(key + 8), be_load_word32(key + 12)); - return 1; +} + +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian key byte order from the HYENA submission */ + gift128b_compute_round_keys + (ks, le_load_word32(key + 12), le_load_word32(key + 8), + le_load_word32(key + 4), le_load_word32(key)); } /** 
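Review bot: `gift128b_init` and `gift128n_init` now perform no validation and return nothing, so the requirement that `key` point to exactly 16 bytes rests entirely with callers, and nothing in the hunk says so; a one-line comment on each, `/* key must point to exactly 16 bytes; no validation is performed here */`, would make that explicit for code that previously relied on the return value. Separately, wrapping the `index` loop in `#if GIFT128_VARIANT == GIFT128_VARIANT_FULL` may leave `index` unused in SMALL and TINY builds if that loop is its only use; `gift128b_compute_round_keys` starts outside the hunk, so this is inferred from the visible lines only.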
@@ -521,11 +771,37 @@ int gift128b_init gift128b_inv_sbox(s3, s1, s2, s0); \ } while (0) +#else /* GIFT128_VARIANT_TINY */ + +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key) +{ + /* Mirror the fixslicing word order of 3, 1, 2, 0 */ + ks->k[0] = be_load_word32(key + 12); + ks->k[1] = be_load_word32(key + 4); + ks->k[2] = be_load_word32(key + 8); + ks->k[3] = be_load_word32(key); +} + +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key) +{ + /* Use the little-endian key byte order from the HYENA submission + * and mirror the fixslicing word order of 3, 1, 2, 0 */ + ks->k[0] = le_load_word32(key); + ks->k[1] = le_load_word32(key + 8); + ks->k[2] = le_load_word32(key + 4); + ks->k[3] = le_load_word32(key + 12); +} + +#endif /* GIFT128_VARIANT_TINY */ + +#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL + void gift128b_encrypt (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { uint32_t s0, s1, s2, s3; + uint32_t k[20]; /* Copy the plaintext into the state buffer and convert from big endian */ s0 = be_load_word32(input); 
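Review bot: In the SMALL variant of `gift128b_encrypt` the new local `uint32_t k[20]` receives derived round keys and is left on the stack after the function returns, so key-dependent material outlives the call; the same buffer appears in `gift128b_encrypt_preloaded` (hunk `@@ -555,6 +837,7 @@`) and `gift128t_encrypt` (hunk `@@ -579,7 +868,55 @@`). If the project has a secure-clear helper, clearing `k` before each function returns, e.g. `<project secure-clear helper>(k, sizeof k);`, would limit how long the derived keys remain in memory; a plain `memset` may be optimised away. `gift128b_encrypt`'s body continues outside this hunk.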
@@ -534,14 +810,20 @@ void gift128b_encrypt s3 = be_load_word32(input + 12); /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); /* Pack the state into the ciphertext buffer in big endian */ be_store_word32(output, s0); @@ -555,6 +837,7 @@ void gift128b_encrypt_preloaded const uint32_t input[4]) { uint32_t s0, s1, s2, s3; + uint32_t k[20]; /* Copy the plaintext into local variables */ s0 = input[0]; 
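Review bot: The calls `gift128b_derive_keys(k, k)` and `gift128b_derive_keys(k + 10, k + 10)` derive round keys in place, which is only correct if `gift128b_derive_keys` reads each input word before it writes the corresponding output word; the existing caller in `gift128b_compute_round_keys` only ever passes non-overlapping buffers, so this aliasing is a new assumption. A comment at the first in-place call, `/* in-place: gift128b_derive_keys must tolerate output == input */`, and a matching note on the helper's contract would pin it down. The same pattern appears in `gift128b_encrypt_preloaded` (hunk `@@ -563,14 +846,20 @@`) and in `gift128t_encrypt`. The enclosing `gift128b_encrypt` starts outside this hunk.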
@@ -563,14 +846,20 @@ void gift128b_encrypt_preloaded s3 = input[3]; /* Perform all 40 rounds five at a time using the fixsliced method */ - gift128b_encrypt_5_rounds(ks->k, GIFT128_RC); - gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); /* Pack the state into the ciphertext buffer */ output[0] = s0; 
@@ -579,7 +868,55 @@ void gift128b_encrypt_preloaded output[3] = s3; } -void gift128b_decrypt +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint32_t tweak) +{ + uint32_t s0, s1, s2, s3; + uint32_t k[20]; + + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_derive_keys(k, ks->k); + gift128b_derive_keys(k + 10, ks->k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_derive_keys(k, k); + gift128b_derive_keys(k + 10, k + 10); + gift128b_encrypt_5_rounds(k, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_encrypt_5_rounds(k + 10, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +#elif GIFT128_VARIANT == GIFT128_VARIANT_FULL + +void gift128b_encrypt (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { 
@@ -592,14 +929,14 @@ void gift128b_decrypt
 s3 = be_load_word32(input + 12);
 
 /* Perform all 40 rounds five at a time using the fixsliced method */
- gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
- gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- gift128b_decrypt_5_rounds(ks->k, GIFT128_RC);
+ gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
+ gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
+ gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
+ gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
+ gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
+ gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
+ gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
 
 /* Pack the state into the ciphertext buffer in big endian */
 be_store_word32(output, s0);
@@ -608,173 +945,308 @@ void gift128b_decrypt be_store_word32(output + 12, s3); } -int gift128n_init - (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { - /* Use the little-endian key byte order from the HYENA submission */ - if (!ks || !key || key_len != 16) - return 0; - gift128b_compute_round_keys - (ks, le_load_word32(key + 12), le_load_word32(key + 8), - le_load_word32(key + 4), le_load_word32(key)); - return 1; + uint32_t s0, s1, s2, s3; + + /* Copy the plaintext into local variables */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; + s3 = input[3]; + + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; } -/* http://programming.sirrida.de/perm_fn.html#bit_permute_step */ -#define bit_permute_step(_y, mask, shift) \ - do { \ - uint32_t y = (_y); \ - uint32_t t = ((y >> (shift)) ^ y) & (mask); \ - (_y) = (y ^ t) ^ (t << (shift)); \ - } while (0) +void gift128t_encrypt + (const gift128n_key_schedule_t *ks, unsigned char *output, + const unsigned char *input, uint32_t tweak) +{ + uint32_t s0, s1, s2, s3; -/** - * \brief Converts the GIFT-128 nibble-based representation into word-based. - * - * \param output Output buffer to write the word-based version to. 
- * \param input Input buffer to read the nibble-based version from. - * - * The \a input and \a output buffers can be the same buffer. - */ -static void gift128n_to_words - (unsigned char *output, const unsigned char *input) + /* Copy the plaintext into the state buffer and convert from nibbles */ + gift128n_to_words(output, input); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* Perform all 40 rounds five at a time using the fixsliced method. + * Every 5 rounds except the last we add the tweak value to the state */ + gift128b_encrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + s0 ^= tweak; + gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); + gift128n_to_nibbles(output, output); +} + +#else /* GIFT128_VARIANT_TINY */ + +void gift128b_encrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input buffer into 32-bit words. We use the nibble order - * from the HYENA submission to NIST which is byte-reversed with respect - * to the nibble order of the original GIFT-128 paper. 
Nibble zero is in - * the first byte instead of the last, which means little-endian order. */ - s0 = le_load_word32(input + 12); - s1 = le_load_word32(input + 8); - s2 = le_load_word32(input + 4); - s3 = le_load_word32(input); + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); - /* Rearrange the bits so that bits 0..3 of each nibble are - * scattered to bytes 0..3 of each word. The permutation is: - * - * 0 8 16 24 1 9 17 25 2 10 18 26 3 11 19 27 4 12 20 28 5 13 21 29 6 14 22 30 7 15 23 31 - * - * Generated with "http://programming.sirrida.de/calcperm.php". - */ - #define PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x0a0a0a0a, 3); \ - bit_permute_step(x, 0x00cc00cc, 6); \ - bit_permute_step(x, 0x0000f0f0, 12); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - PERM_WORDS(s0); - PERM_WORDS(s1); - PERM_WORDS(s2); - PERM_WORDS(s3); + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Rearrange the bytes and write them to the output buffer */ - output[0] = (uint8_t)s0; - output[1] = 
(uint8_t)s1; - output[2] = (uint8_t)s2; - output[3] = (uint8_t)s3; - output[4] = (uint8_t)(s0 >> 8); - output[5] = (uint8_t)(s1 >> 8); - output[6] = (uint8_t)(s2 >> 8); - output[7] = (uint8_t)(s3 >> 8); - output[8] = (uint8_t)(s0 >> 16); - output[9] = (uint8_t)(s1 >> 16); - output[10] = (uint8_t)(s2 >> 16); - output[11] = (uint8_t)(s3 >> 16); - output[12] = (uint8_t)(s0 >> 24); - output[13] = (uint8_t)(s1 >> 24); - output[14] = (uint8_t)(s2 >> 24); - output[15] = (uint8_t)(s3 >> 24); + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); } -/** - * \brief Converts the GIFT-128 word-based representation into nibble-based. - * - * \param output Output buffer to write the nibble-based version to. - * \param input Input buffer to read the word-based version from. - */ -static void gift128n_to_nibbles - (unsigned char *output, const unsigned char *input) +void gift128b_encrypt_preloaded + (const gift128b_key_schedule_t *ks, uint32_t output[4], + const uint32_t input[4]) { uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Load the input bytes and rearrange them so that s0 contains the - * most significant nibbles and s3 contains the least significant */ - s0 = (((uint32_t)(input[12])) << 24) | - (((uint32_t)(input[8])) << 16) | - (((uint32_t)(input[4])) << 8) | - ((uint32_t)(input[0])); - s1 = (((uint32_t)(input[13])) << 24) | - (((uint32_t)(input[9])) << 16) | - (((uint32_t)(input[5])) << 8) | - ((uint32_t)(input[1])); - s2 = (((uint32_t)(input[14])) << 24) | - (((uint32_t)(input[10])) << 16) | - (((uint32_t)(input[6])) << 8) | - ((uint32_t)(input[2])); - s3 = (((uint32_t)(input[15])) << 24) | - (((uint32_t)(input[11])) << 16) | - (((uint32_t)(input[7])) << 8) | - ((uint32_t)(input[3])); + /* Copy the plaintext into the state buffer */ + s0 = input[0]; + s1 = input[1]; + s2 = input[2]; 
+ s3 = input[3]; - /* Apply the inverse of PERM_WORDS() from the function above */ - #define INV_PERM_WORDS(_x) \ - do { \ - uint32_t x = (_x); \ - bit_permute_step(x, 0x00aa00aa, 7); \ - bit_permute_step(x, 0x0000cccc, 14); \ - bit_permute_step(x, 0x00f000f0, 4); \ - bit_permute_step(x, 0x0000ff00, 8); \ - (_x) = x; \ - } while (0) - INV_PERM_WORDS(s0); - INV_PERM_WORDS(s1); - INV_PERM_WORDS(s2); - INV_PERM_WORDS(s3); + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } - /* Store the result into the output buffer as 32-bit words */ - le_store_word32(output + 12, s0); - le_store_word32(output + 8, s1); - le_store_word32(output + 4, s2); - le_store_word32(output, s3); + /* Pack the state into the ciphertext buffer */ + output[0] = s0; + output[1] = s1; + output[2] = s2; + output[3] = s3; } -void gift128n_encrypt +void gift128t_encrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input) + const unsigned char *input, uint32_t tweak) { + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the plaintext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); - gift128b_encrypt(ks, output, 
output); + s0 = be_load_word32(output); + s1 = be_load_word32(output + 4); + s2 = be_load_word32(output + 8); + s3 = be_load_word32(output + 12); + + /* The key schedule is initialized with the key itself */ + w0 = ks->k[3]; + w1 = ks->k[1]; + w2 = ks->k[2]; + w3 = ks->k[0]; + + /* Perform all 40 rounds */ + for (round = 0; round < 40; ++round) { + /* SubCells - apply the S-box */ + s1 ^= s0 & s2; + s0 ^= s1 & s3; + s2 ^= s0 | s1; + s3 ^= s2; + s1 ^= s3; + s3 ^= 0xFFFFFFFFU; + s2 ^= s0 & s1; + temp = s0; + s0 = s3; + s3 = temp; + + /* PermBits - apply the 128-bit permutation */ + PERM0(s0); + PERM1(s1); + PERM2(s2); + PERM3(s3); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round]; + + /* AddTweak - XOR in the tweak every 5 rounds except the last */ + if (((round + 1) % 5) == 0 && round < 39) + s0 ^= tweak; + + /* Rotate the key schedule */ + temp = w3; + w3 = w2; + w2 = w1; + w1 = w0; + w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + } + + /* Pack the state into the ciphertext buffer in nibble form */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); gift128n_to_nibbles(output, output); } -void gift128n_decrypt - (const gift128n_key_schedule_t *ks, unsigned char *output, +#endif /* GIFT128_VARIANT_TINY */ + +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, const unsigned char *input) { - gift128n_to_words(output, input); - gift128b_decrypt(ks, output, output); - gift128n_to_nibbles(output, output); -} + uint32_t s0, s1, s2, s3; -/* 4-bit tweak values expanded to 32-bit */ -static uint32_t const GIFT128_tweaks[16] = { - 0x00000000, 0xe1e1e1e1, 0xd2d2d2d2, 0x33333333, - 0xb4b4b4b4, 0x55555555, 0x66666666, 0x87878787, - 0x78787878, 
0x99999999, 0xaaaaaaaa, 0x4b4b4b4b, - 0xcccccccc, 0x2d2d2d2d, 0x1e1e1e1e, 0xffffffff -}; + /* Copy the plaintext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); -void gift128t_encrypt + /* Perform all 40 rounds five at a time using the fixsliced method */ + gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35); + gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30); + gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25); + gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20); + gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15); + gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10); + gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5); + gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced); + + /* Pack the state into the ciphertext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + +void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint32_t tweak) { - uint32_t s0, s1, s2, s3, tword; + uint32_t s0, s1, s2, s3; - /* Copy the plaintext into the state buffer and convert from nibbles */ + /* Copy the ciphertext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); s0 = be_load_word32(output); s1 = be_load_word32(output + 4); 
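Review bot: The two comments in the new FULL-variant gift128b_decrypt at the end of this hunk are copied from the encrypt side: `/* Copy the plaintext into the state buffer and convert from big endian */` sits above loads of the ciphertext, and `/* Pack the state into the ciphertext buffer in big endian */` above stores of the recovered plaintext; the sibling gift128t_decrypt directly below was corrected to `Copy the ciphertext` in this same commit, so these should read `ciphertext` and `plaintext` respectively. A point of style: the TINY-variant round body (SubCells, PERM0..PERM3, AddRoundKey, key-schedule rotation) is pasted verbatim into gift128b_encrypt, gift128b_encrypt_preloaded and gift128t_encrypt, so the S-box sequence and the rotation masks now live in three places; a single static helper or round macro would keep them in one, which matters most for the variant whose purpose is small code. The key-word load `w0 = ks->k[3]; w1 = ks->k[1]; w2 = ks->k[2]; w3 = ks->k[0];` in each of them also deserves a one-line comment on why the indices are reversed, since gift128b_init, which fixes that order, is outside this hunk.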
@@ -782,25 +1254,24 @@ void gift128t_encrypt
 s3 = be_load_word32(output + 12);
 
 /* Perform all 40 rounds five at a time using the fixsliced method.
- * Every 5 rounds except the last we add the tweak value to the state */
- tword = GIFT128_tweaks[tweak];
- gift128b_encrypt_5_rounds(ks->k, GIFT128_RC);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 10, GIFT128_RC + 5);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 20, GIFT128_RC + 10);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 30, GIFT128_RC + 15);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 40, GIFT128_RC + 20);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 50, GIFT128_RC + 25);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 60, GIFT128_RC + 30);
- s0 ^= tword;
- gift128b_encrypt_5_rounds(ks->k + 70, GIFT128_RC + 35);
+ * Every 5 rounds except the first we add the tweak value to the state */
+ gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC_fixsliced + 35);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC_fixsliced + 30);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC_fixsliced + 25);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC_fixsliced + 20);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC_fixsliced + 15);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC_fixsliced + 10);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC_fixsliced + 5);
+ s0 ^= tweak;
+ gift128b_decrypt_5_rounds(ks->k, GIFT128_RC_fixsliced);
 
- /* Pack the state into the ciphertext buffer in nibble form */
+ /* Pack the state into the plaintext buffer in nibble form */
 be_store_word32(output, s0);
 be_store_word32(output + 4, s1);
 be_store_word32(output + 8, s2);
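Review bot: The new comment `* Every 5 rounds except the first we add the tweak value to the state */` describes the tweak schedule in encryption order, while the code under it runs the fixsliced groups backwards from `ks->k + 70` and XORs the tweak after every group except the last one it executes, so a reader has to reconcile two orderings to check it. Suggest `* Working backwards, XOR in the tweak after every group of five rounds except the final group; this mirrors the encrypt side, which skips the XOR after its last group */`. The signature and locals of gift128t_decrypt are outside this hunk.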
@@ -808,37 +1279,211 @@ void gift128t_encrypt gift128n_to_nibbles(output, output); } +#else /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ + +/* The small variant uses fixslicing for encryption, but we need to change + * to bitslicing for decryption because of the difficulty of fast-forwarding + * the fixsliced key schedule to the end. So the tiny variant is used for + * decryption when the small variant is selected. Since the NIST AEAD modes + * for GIFT-128 only use the block encrypt operation, the inefficiencies + * in decryption don't matter all that much */ + +/** + * \def gift128b_load_and_forward_schedule() + * \brief Generate the decryption key at the end of the last round. + * + * To do that, we run the block operation forward to determine the + * final state of the key schedule after the last round: + * + * w0 = ks->k[0]; + * w1 = ks->k[1]; + * w2 = ks->k[2]; + * w3 = ks->k[3]; + * for (round = 0; round < 40; ++round) { + * temp = w3; + * w3 = w2; + * w2 = w1; + * w1 = w0; + * w0 = ((temp & 0xFFFC0000U) >> 2) | ((temp & 0x00030000U) << 14) | + * ((temp & 0x00000FFFU) << 4) | ((temp & 0x0000F000U) >> 12); + * } + * + * We can short-cut all of the above by noticing that we don't need + * to do the word rotations. Every 4 rounds, the rotation alignment + * returns to the original position and each word has been rotated + * by applying the "2 right and 4 left" bit-rotation step to it. + * We then repeat that 10 times for the full 40 rounds. The overall + * effect is to apply a "20 right and 40 left" bit-rotation to every + * word in the key schedule. That is equivalent to "4 right and 8 left" + * on the 16-bit sub-words. 
+ */ +#if GIFT128_VARIANT != GIFT128_VARIANT_SMALL +#define gift128b_load_and_forward_schedule() \ + do { \ + w0 = ks->k[3]; \ + w1 = ks->k[1]; \ + w2 = ks->k[2]; \ + w3 = ks->k[0]; \ + w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ + ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ + w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ + ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 8); \ + w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ + ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ + w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ + ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ + } while (0) +#else +/* The small variant needs to also undo some of the rotations that were + * done to generate the fixsliced version of the key schedule */ +#define gift128b_load_and_forward_schedule() \ + do { \ + w0 = ks->k[3]; \ + w1 = ks->k[1]; \ + w2 = ks->k[2]; \ + w3 = ks->k[0]; \ + gift128b_swap_move(w3, w3, 0x000000FFU, 24); \ + gift128b_swap_move(w3, w3, 0x00003333U, 18); \ + gift128b_swap_move(w3, w3, 0x000F000FU, 12); \ + gift128b_swap_move(w3, w3, 0x00550055U, 9); \ + gift128b_swap_move(w1, w1, 0x000000FFU, 24); \ + gift128b_swap_move(w1, w1, 0x00003333U, 18); \ + gift128b_swap_move(w1, w1, 0x000F000FU, 12); \ + gift128b_swap_move(w1, w1, 0x00550055U, 9); \ + gift128b_swap_move(w2, w2, 0x000000FFU, 24); \ + gift128b_swap_move(w2, w2, 0x000F000FU, 12); \ + gift128b_swap_move(w2, w2, 0x03030303U, 6); \ + gift128b_swap_move(w2, w2, 0x11111111U, 3); \ + gift128b_swap_move(w0, w0, 0x000000FFU, 24); \ + gift128b_swap_move(w0, w0, 0x000F000FU, 12); \ + gift128b_swap_move(w0, w0, 0x03030303U, 6); \ + gift128b_swap_move(w0, w0, 0x11111111U, 3); \ + w0 = ((w0 & 0xFFF00000U) >> 4) | ((w0 & 0x000F0000U) << 12) | \ + ((w0 & 0x000000FFU) << 8) | ((w0 & 0x0000FF00U) >> 8); \ + w1 = ((w1 & 0xFFF00000U) >> 4) | ((w1 & 0x000F0000U) << 12) | \ + ((w1 & 0x000000FFU) << 8) | ((w1 & 0x0000FF00U) >> 
8); \ + w2 = ((w2 & 0xFFF00000U) >> 4) | ((w2 & 0x000F0000U) << 12) | \ + ((w2 & 0x000000FFU) << 8) | ((w2 & 0x0000FF00U) >> 8); \ + w3 = ((w3 & 0xFFF00000U) >> 4) | ((w3 & 0x000F0000U) << 12) | \ + ((w3 & 0x000000FFU) << 8) | ((w3 & 0x0000FF00U) >> 8); \ + } while (0) +#endif + +void gift128b_decrypt + (const gift128b_key_schedule_t *ks, unsigned char *output, + const unsigned char *input) +{ + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; + + /* Copy the ciphertext into the state buffer and convert from big endian */ + s0 = be_load_word32(input); + s1 = be_load_word32(input + 4); + s2 = be_load_word32(input + 8); + s3 = be_load_word32(input + 12); + + /* Generate the decryption key at the end of the last round */ + gift128b_load_and_forward_schedule(); + + /* Perform all 40 rounds */ + for (round = 40; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; + + /* InvPermBits - apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp = s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } + + /* Pack the state into the plaintext buffer in big endian */ + be_store_word32(output, s0); + be_store_word32(output + 4, s1); + be_store_word32(output + 8, s2); + be_store_word32(output + 12, s3); +} + void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak) + const unsigned char *input, uint32_t tweak) { - uint32_t s0, s1, s2, s3, 
tword; + uint32_t s0, s1, s2, s3; + uint32_t w0, w1, w2, w3; + uint32_t temp; + uint8_t round; - /* Copy the ciphertext into the state buffer and convert from nibbles */ + /* Copy the plaintext into the state buffer and convert from nibbles */ gift128n_to_words(output, input); s0 = be_load_word32(output); s1 = be_load_word32(output + 4); s2 = be_load_word32(output + 8); s3 = be_load_word32(output + 12); - /* Perform all 40 rounds five at a time using the fixsliced method. - * Every 5 rounds except the first we add the tweak value to the state */ - tword = GIFT128_tweaks[tweak]; - gift128b_decrypt_5_rounds(ks->k + 70, GIFT128_RC + 35); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 60, GIFT128_RC + 30); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 50, GIFT128_RC + 25); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 40, GIFT128_RC + 20); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 30, GIFT128_RC + 15); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 20, GIFT128_RC + 10); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k + 10, GIFT128_RC + 5); - s0 ^= tword; - gift128b_decrypt_5_rounds(ks->k, GIFT128_RC); + /* Generate the decryption key at the end of the last round */ + gift128b_load_and_forward_schedule(); + + /* Perform all 40 rounds */ + for (round = 40; round > 0; --round) { + /* Rotate the key schedule backwards */ + temp = w0; + w0 = w1; + w1 = w2; + w2 = w3; + w3 = ((temp & 0x3FFF0000U) << 2) | ((temp & 0xC0000000U) >> 14) | + ((temp & 0x0000FFF0U) >> 4) | ((temp & 0x0000000FU) << 12); + + /* AddTweak - XOR in the tweak every 5 rounds except the last */ + if ((round % 5) == 0 && round < 40) + s0 ^= tweak; + + /* AddRoundKey - XOR in the key schedule and the round constant */ + s2 ^= w1; + s1 ^= w3; + s3 ^= 0x80000000U ^ GIFT128_RC[round - 1]; + + /* InvPermBits - apply the inverse of the 128-bit permutation */ + INV_PERM0(s0); + INV_PERM1(s1); + INV_PERM2(s2); + INV_PERM3(s3); + + /* InvSubCells - apply the inverse of the S-box */ + temp 
= s0; + s0 = s3; + s3 = temp; + s2 ^= s0 & s1; + s3 ^= 0xFFFFFFFFU; + s1 ^= s3; + s3 ^= s2; + s2 ^= s0 | s1; + s0 ^= s1 & s3; + s1 ^= s0 & s2; + } /* Pack the state into the plaintext buffer in nibble form */ be_store_word32(output, s0); @@ -847,3 +1492,7 @@ void gift128t_decrypt be_store_word32(output + 12, s3); gift128n_to_nibbles(output, output); } + +#endif /* GIFT128_VARIANT_SMALL || GIFT128_VARIANT_TINY */ + +#endif /* !GIFT128_VARIANT_ASM */ diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.h index 1ac40e5..f57d143 100644 --- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.h +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128.h @@ -47,11 +47,13 @@ * in any of the NIST submissions so we don't bother with it in this library. * * References: https://eprint.iacr.org/2017/622.pdf, + * https://eprint.iacr.org/2020/412.pdf, * https://giftcipher.github.io/gift/ */ #include #include +#include "internal-gift128-config.h" #ifdef __cplusplus extern "C" { @@ -63,16 +65,23 @@ extern "C" { #define GIFT128_BLOCK_SIZE 16 /** - * \brief Number of round keys for the fixsliced representation of GIFT-128. + * \var GIFT128_ROUND_KEYS + * \brief Number of round keys for the GIFT-128 key schedule. */ +#if GIFT128_VARIANT == GIFT128_VARIANT_TINY +#define GIFT128_ROUND_KEYS 4 +#elif GIFT128_VARIANT == GIFT128_VARIANT_SMALL +#define GIFT128_ROUND_KEYS 20 +#else #define GIFT128_ROUND_KEYS 80 +#endif /** * \brief Structure of the key schedule for GIFT-128 (bit-sliced). */ typedef struct { - /** Pre-computed round keys in the fixsliced form */ + /** Pre-computed round keys for bit-sliced GIFT-128 */ uint32_t k[GIFT128_ROUND_KEYS]; } gift128b_key_schedule_t; 
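Review bot: The Doxygen block for `gift128b_load_and_forward_schedule()` shows the schedule loaded as `w0 = ks->k[0]; … w3 = ks->k[3]`, but both macro bodies below it (and the TINY encrypt functions in the previous hunk) load `w0 = ks->k[3]; w1 = ks->k[1]; w2 = ks->k[2]; w3 = ks->k[0];`, so the comment should use the same index order or it will mislead anyone re-deriving the "4 right and 8 left" shortcut. That block should also state that the macro reads `ks` and assigns `w0`..`w3` from the caller's scope, since nothing in its name says so. Separately, the comment in the TINY gift128t_decrypt was changed from `Copy the ciphertext into the state buffer` to `Copy the plaintext into the state buffer`, which is backwards for a decrypt routine; the TINY gift128b_decrypt just above it has the correct wording.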
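Review bot: `sizeof(gift128b_key_schedule_t)` now depends on GIFT128_VARIANT (4, 20 or 80 words), so every translation unit that shares a schedule, including the generated AVR assembly in this diff that is guarded on the same macro, must see the same internal-gift128-config.h setting, and the struct comment `/** Pre-computed round keys for bit-sliced GIFT-128 */` no longer says what the array holds. From the .c side of this diff, the TINY build keeps the four raw key words (its encrypt paths comment `The key schedule is initialized with the key itself`), the SMALL build keeps the 20 words consumed by the first two five-round groups before `gift128b_derive_keys` takes over, and the FULL build keeps all 80 fixsliced round keys. Suggested replacement: `/** Round keys: 4 raw key words (TINY), the first 20 fixsliced round keys (SMALL) or all 80 (FULL); layout depends on GIFT128_VARIANT */`.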
@@ -81,14 +90,9 @@ typedef struct * \brief Initializes the key schedule for GIFT-128 (bit-sliced). * * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. + * \param key Points to the 16 bytes of the key data. */ -int gift128b_init - (gift128b_key_schedule_t *ks, const unsigned char *key, size_t key_len); +void gift128b_init(gift128b_key_schedule_t *ks, const unsigned char *key); /** * \brief Encrypts a 128-bit block with GIFT-128 (bit-sliced). @@ -145,14 +149,9 @@ typedef gift128b_key_schedule_t gift128n_key_schedule_t; * \brief Initializes the key schedule for GIFT-128 (nibble-based). * * \param ks Points to the key schedule to initialize. - * \param key Points to the key data. - * \param key_len Length of the key data, which must be 16. - * - * \return Non-zero on success or zero if there is something wrong - * with the parameters. + * \param key Points to the 16 bytes of the key data. */ -int gift128n_init - (gift128n_key_schedule_t *ks, const unsigned char *key, size_t key_len); +void gift128n_init(gift128n_key_schedule_t *ks, const unsigned char *key); /** * \brief Encrypts a 128-bit block with GIFT-128 (nibble-based). 
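Review bot: `gift128b_init` now returns `void` and takes no `key_len`, so the rejection of a NULL pointer or a wrong-sized key that the removed `\return` line documented can no longer be signalled; the same change is made to `gift128n_init` in the next hunk, whose .c side earlier in this diff visibly drops the `if (!ks || !key || key_len != 16) return 0;` check. The new `\param key Points to the 16 bytes of the key data.` should make the shifted responsibility explicit, e.g. `\param key Points to the 16 bytes of the key data; no NULL or length check is performed, so the caller must guarantee exactly 16 readable bytes.` Callers that tested the old non-zero result will now fail to compile, which is the right outcome, but any that relied on the run-time length check should be re-audited.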
@@ -182,13 +181,31 @@ void gift128n_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, const unsigned char *input); +/* 4-bit tweak values expanded to 32-bit for TweGIFT-128 */ +#define GIFT128T_TWEAK_0 0x00000000 /**< TweGIFT-128 tweak value 0 */ +#define GIFT128T_TWEAK_1 0xe1e1e1e1 /**< TweGIFT-128 tweak value 1 */ +#define GIFT128T_TWEAK_2 0xd2d2d2d2 /**< TweGIFT-128 tweak value 2 */ +#define GIFT128T_TWEAK_3 0x33333333 /**< TweGIFT-128 tweak value 3 */ +#define GIFT128T_TWEAK_4 0xb4b4b4b4 /**< TweGIFT-128 tweak value 4 */ +#define GIFT128T_TWEAK_5 0x55555555 /**< TweGIFT-128 tweak value 5 */ +#define GIFT128T_TWEAK_6 0x66666666 /**< TweGIFT-128 tweak value 6 */ +#define GIFT128T_TWEAK_7 0x87878787 /**< TweGIFT-128 tweak value 7 */ +#define GIFT128T_TWEAK_8 0x78787878 /**< TweGIFT-128 tweak value 8 */ +#define GIFT128T_TWEAK_9 0x99999999 /**< TweGIFT-128 tweak value 9 */ +#define GIFT128T_TWEAK_10 0xaaaaaaaa /**< TweGIFT-128 tweak value 10 */ +#define GIFT128T_TWEAK_11 0x4b4b4b4b /**< TweGIFT-128 tweak value 11 */ +#define GIFT128T_TWEAK_12 0xcccccccc /**< TweGIFT-128 tweak value 12 */ +#define GIFT128T_TWEAK_13 0x2d2d2d2d /**< TweGIFT-128 tweak value 13 */ +#define GIFT128T_TWEAK_14 0x1e1e1e1e /**< TweGIFT-128 tweak value 14 */ +#define GIFT128T_TWEAK_15 0xffffffff /**< TweGIFT-128 tweak value 15 */ + /** * \brief Encrypts a 128-bit block with TweGIFT-128 (tweakable variant). * * \param ks Points to the GIFT-128 key schedule. * \param output Output buffer which must be at least 16 bytes in length. * \param input Input buffer which must be at least 16 bytes in length. - * \param tweak 4-bit tweak value. + * \param tweak 4-bit tweak value expanded to 32-bit. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. 
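Review bot: The GIFT128T_TWEAK_n constants are unsuffixed hex literals, so on a 32-bit `int` target GIFT128T_TWEAK_0, _3, _5, _6, _8, _11, _13 and _14 have type `int` while the rest are `unsigned int`; since they are passed to a `uint32_t tweak` parameter, give all sixteen a `U` suffix (e.g. `#define GIFT128T_TWEAK_1 0xe1e1e1e1U`) so the types match the parameter. The values themselves agree with the former `GIFT128_tweaks[16]` table removed earlier in this diff. The `\param tweak 4-bit tweak value expanded to 32-bit.` line should also point readers at these macros, e.g. `\param tweak Tweak value, one of the GIFT128T_TWEAK_n constants (the 4-bit tweak expanded to 32 bits).`, because nothing in gift128t_encrypt checks that an arbitrary 32-bit value is a valid expansion.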
@@ -200,7 +217,7 @@ void gift128n_decrypt */ void gift128t_encrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak); + const unsigned char *input, uint32_t tweak); /** * \brief Decrypts a 128-bit block with TweGIFT-128 (tweakable variant). @@ -208,7 +225,7 @@ void gift128t_encrypt * \param ks Points to the GIFT-128 key schedule. * \param output Output buffer which must be at least 16 bytes in length. * \param input Input buffer which must be at least 16 bytes in length. - * \param tweak 4-bit tweak value. + * \param tweak 4-bit tweak value expanded to 32-bit. * * The \a input and \a output buffers can be the same buffer for * in-place encryption. @@ -220,7 +237,7 @@ void gift128t_encrypt */ void gift128t_decrypt (const gift128n_key_schedule_t *ks, unsigned char *output, - const unsigned char *input, unsigned char tweak); + const unsigned char *input, uint32_t tweak); #ifdef __cplusplus } diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128b-full-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128b-full-avr.S new file mode 100644 index 0000000..ff11875 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128b-full-avr.S 
@@ -0,0 +1,5037 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + +#include "internal-gift128-config.h" + +#if GIFT128_VARIANT == GIFT128_VARIANT_FULL + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 160 +table_0: + .byte 8 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 128 + .byte 1 + .byte 128 + .byte 2 + .byte 0 + .byte 0 + .byte 84 + .byte 129 + .byte 1 + .byte 1 + .byte 1 + .byte 31 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 136 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 81 + .byte 128 + .byte 1 + .byte 3 + .byte 3 + .byte 47 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 96 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 65 + .byte 128 + .byte 0 + .byte 3 + .byte 3 + .byte 39 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 64 + .byte 2 + .byte 0 + .byte 80 + .byte 17 + .byte 128 + .byte 1 + .byte 2 + .byte 3 + .byte 43 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 8 + .byte 8 + .byte 16 + .byte 0 + .byte 64 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 64 + .byte 1 + .byte 128 + .byte 0 + .byte 2 + .byte 2 + .byte 33 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 192 + .byte 1 + .byte 0 + .byte 2 + .byte 0 + .byte 0 + .byte 81 + .byte 128 + .byte 1 + .byte 1 + .byte 3 + .byte 46 + .byte 0 + .byte 0 + .byte 128 + .byte 0 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 32 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 64 + .byte 128 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 0 + .byte 0 + .byte 128 + .byte 8 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 160 + .byte 1 + .byte 192 + .byte 2 + .byte 0 + .byte 80 + .byte 20 + .byte 129 + .byte 1 + .byte 2 + .byte 1 + .byte 26 + .byte 0 + .byte 0 + .byte 128 + 
+ .text +.global gift128b_init + .type gift128b_init, @function +gift128b_init: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r30,r24 + movw r26,r22 +.L__stack_usage = 18 + ld r13,X+ + ld r12,X+ + ld r11,X+ + ld r10,X+ + ld r5,X+ + ld r4,X+ + ld r3,X+ + ld r2,X+ + ld r9,X+ + ld r8,X+ + ld r7,X+ + ld r6,X+ + ld r29,X+ + ld r28,X+ + ld r23,X+ + ld r22,X+ + st Z+,r22 + st Z+,r23 + st Z+,r28 + st Z+,r29 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + ldi r24,4 +33: + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r29 + ror r28 + ror r0 + lsr r29 + ror r28 + ror r0 + or r29,r0 + st Z+,r22 + st Z+,r23 + st Z+,r28 + st Z+,r29 + mov r0,r22 + mov r22,r2 + mov r2,r0 + mov r0,r23 + mov r23,r3 + mov r3,r0 + mov r0,r28 + mov r28,r4 + mov r4,r0 + mov r0,r29 + mov r29,r5 + mov r5,r0 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + lsl r6 + rol r7 + adc r6,r1 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + mov r0,r6 + mov r6,r10 + mov r10,r0 + mov r0,r7 + mov r7,r11 + mov r11,r0 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + dec r24 + breq 5115f + rjmp 33b +5115: + subi r30,80 + sbc r31,r1 + ldi r24,2 +119: + ld r22,Z + ldd r23,Z+1 + ldd r28,Z+2 + ldd r29,Z+3 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor 
r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + st Z,r29 + std Z+1,r23 + std Z+2,r28 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r28,Z+6 + ldd r29,Z+7 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror 
r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+4,r29 + std Z+5,r23 + std Z+6,r28 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r28,Z+10 + ldd r29,Z+11 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + 
ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+8,r29 + std Z+9,r23 + std Z+10,r28 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r28,Z+14 + ldd r29,Z+15 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 
+ eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+12,r29 + std Z+13,r23 + std Z+14,r28 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r28,Z+18 + ldd r29,Z+19 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + 
mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+16,r29 + std Z+17,r23 + std Z+18,r28 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r28,Z+22 + ldd r29,Z+23 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+20,r29 + std Z+21,r23 + std Z+22,r28 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r28,Z+26 + ldd r29,Z+27 + movw r18,r22 + 
movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+24,r29 + std Z+25,r23 + std Z+26,r28 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r28,Z+30 + ldd r29,Z+31 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor 
r20,r28 + eor r21,r29 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r28 + eor r21,r29 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + movw r18,r22 + movw r20,r28 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r28,r20 + eor r29,r21 + std Z+28,r29 + std Z+29,r23 + std Z+30,r28 + std Z+31,r22 + dec r24 + breq 1268f + adiw r30,40 + rjmp 119b +1268: + adiw r30,40 + movw r26,r30 + subi r26,80 + sbc r27,r1 + ldi r24,6 +1274: + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + movw r18,r2 + movw r20,r4 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r2 + eor r19,r3 + andi r18,51 + andi r19,51 + eor r2,r18 + eor r3,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + 
mov r18,r1 + mov r19,r1 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + movw r18,r2 + movw r20,r4 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + st Z,r2 + std Z+1,r3 + std Z+2,r4 + std Z+3,r5 + movw r18,r22 + movw r20,r28 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + andi r28,204 + andi r29,204 + or r28,r21 + or r29,r18 + or r22,r19 + or r23,r20 + movw r18,r28 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r28 + eor r19,r29 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r28,r18 + eor r29,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r28,r18 + eor r29,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r28 + std Z+5,r29 + std Z+6,r22 + std Z+7,r23 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + swap r3 + lsl r4 + adc r4,r1 + lsl r4 + adc r4,r1 + swap r5 + std Z+8,r2 + std Z+9,r3 + std Z+10,r4 + std Z+11,r5 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r28 + adc r28,r1 + lsl r28 + adc r28,r1 + lsl r28 + adc r28,r1 + lsl r29 + adc r29,r1 + lsl r29 + adc r29,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r28 + std Z+15,r29 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + movw r18,r2 + movw r20,r4 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + ldi r25,85 + and r2,r25 + and r3,r25 + and r4,r25 + and r5,r25 + or r2,r19 + or r3,r20 + or r4,r21 + or r5,r18 + std Z+16,r4 + std Z+17,r5 + std Z+18,r2 + std Z+19,r3 + movw r18,r22 + movw r20,r28 + andi r18,85 + andi r19,85 + andi r20,85 + andi 
r21,85 + andi r22,170 + andi r23,170 + andi r28,170 + andi r29,170 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + lsl r22 + rol r23 + rol r28 + rol r29 + adc r22,r1 + or r22,r18 + or r23,r19 + or r28,r20 + or r29,r21 + std Z+20,r29 + std Z+21,r22 + std Z+22,r23 + std Z+23,r28 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + movw r18,r2 + movw r20,r4 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r4 + eor r21,r5 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r4,r20 + eor r5,r21 + movw r18,r2 + movw r20,r4 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r14,r18 + movw r16,r20 + lsr r17 + ror r16 + ror r15 + ror r14 + lsr r17 + ror r16 + ror r15 + ror r14 + lsr r17 + ror r16 + ror r15 + ror r14 + lsr r17 + ror r16 + ror r15 + ror r14 + eor r14,r18 + eor r15,r19 + eor r16,r20 + eor r17,r21 + ldi r25,8 + and r14,r25 + and r15,r25 + andi r16,8 + andi r17,8 + eor r18,r14 + eor r19,r15 + eor r20,r16 + eor r21,r17 + lsl r14 + rol r15 + rol r16 + rol r17 + lsl r14 + rol r15 + rol r16 + rol r17 + lsl r14 + rol r15 + rol r16 + rol r17 + lsl r14 + rol r15 + rol r16 + rol r17 + eor r18,r14 + eor r19,r15 + eor r20,r16 + eor r21,r17 + ldi r17,15 + and r2,r17 + and r3,r17 + and r4,r17 + and r5,r17 + or r2,r18 + or r3,r19 + or r4,r20 + or r5,r21 + std Z+24,r2 + std Z+25,r3 + std Z+26,r4 + std Z+27,r5 + movw r18,r28 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r2,r22 + movw r4,r28 + ldi r16,1 + and r2,r16 + and r3,r16 + and r4,r16 + and r5,r16 + lsl r2 + rol r3 + rol r4 + rol r5 + lsl r2 + rol r3 + rol r4 + 
rol r5 + lsl r2 + rol r3 + rol r4 + rol r5 + or r2,r18 + or r3,r19 + movw r18,r28 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r2,r18 + or r3,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r4,r18 + or r5,r19 + movw r18,r22 + movw r20,r28 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r2,r18 + or r3,r19 + or r4,r20 + or r5,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r4,r22 + or r5,r23 + std Z+28,r2 + std Z+29,r3 + std Z+30,r4 + std Z+31,r5 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + mov r0,r1 + lsr r5 + ror r4 + ror r0 + lsr r5 + ror r4 + ror r0 + lsr r5 + ror r4 + ror r0 + lsr r5 + ror r4 + ror r0 + or r5,r0 + std Z+32,r3 + std Z+33,r2 + std Z+34,r4 + std Z+35,r5 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r28 + mov r28,r29 + mov r29,r0 + lsl r28 + rol r29 + adc r28,r1 + lsl r28 + rol r29 + adc r28,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r28 + std Z+39,r29 + dec r24 + breq 1733f + adiw r30,40 + rjmp 1274b +1733: + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_init, .-gift128b_init + + .text +.global gift128b_encrypt + .type gift128b_encrypt, @function +gift128b_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e +.L__stack_usage = 19 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld 
r13,X+ + ld r12,X+ + movw r26,r30 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rjmp 765f +27: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror 
r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + 
ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 
+ and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + 
mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov 
r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +765: +#if defined(RAMPZ) 
+ pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+1 + ldd r27,Y+2 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + pop r0 + pop r0 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt, .-gift128b_encrypt + + .text +.global gift128b_encrypt_preloaded + .type gift128b_encrypt_preloaded, @function +gift128b_encrypt_preloaded: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e +.L__stack_usage = 19 + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + ld r14,X+ + ld r15,X+ + movw r26,r30 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rcall 27f + rjmp 765f +27: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov 
r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z 
+#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif 
defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld 
r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + 
ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + 
eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +765: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+1 + ldd r27,Y+2 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + st X+,r12 + st X+,r13 + st X+,r14 + st X+,r15 + pop r0 + pop r0 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded + + .text +.global gift128b_decrypt + .type gift128b_decrypt, @function +gift128b_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e +.L__stack_usage = 19 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld 
r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + movw r26,r30 + subi r26,192 + sbci r27,254 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,160 + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rcall 30f + rjmp 768f +30: + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r11 + mov r11,r10 + mov r10,r9 + mov r9,r8 + mov r8,r0 + mov r0,r12 + mov r12,r13 + mov r13,r14 + mov r14,r15 + mov r15,r0 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 
+ eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r1 + lsr r22 + ror r0 + lsr r22 + ror r0 + or r22,r0 + mov r0,r1 + lsr r23 + ror r0 + lsr r23 + ror r0 + or r23,r0 + mov r0,r1 + lsr r2 + ror r0 + lsr r2 + ror r0 + or r2,r0 + mov r0,r1 + lsr r3 + ror r0 + lsr r3 + ror r0 + or r3,r0 + swap r4 + swap r5 + swap r6 + swap r7 + lsl r8 + adc r8,r1 + lsl r8 + adc r8,r1 + lsl r9 + adc r9,r1 + lsl r9 + adc r9,r1 + lsl r10 + adc r10,r1 + lsl r10 + adc r10,r1 + lsl r11 + adc r11,r1 + lsl r11 + adc r11,r1 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + com r22 + 
com r23 + com r2 + com r3 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + 
rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor 
r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + mov r0,r1 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + lsr r9 + ror r8 + ror r0 + or r9,r0 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + com r22 + com r23 + com r2 + com r3 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + dec r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + dec r30 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z 
+#else + lpm + mov r18,r0 +#endif + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + ld r21,-X + ld r20,-X + ld r19,-X + ld r18,-X + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,119 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r15 + ror r14 + ror r13 + ror r12 + lsr r15 + ror r14 + ror r13 + ror r12 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,17 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor 
r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + ret +768: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+1 + ldd r27,Y+2 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + pop r0 + pop r0 + pop r17 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_decrypt, .-gift128b_decrypt + +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128b-small-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128b-small-avr.S new file mode 100644 index 0000000..77ef9fd --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128b-small-avr.S 
@@ -0,0 +1,6053 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + +#include "internal-gift128-config.h" + +#if GIFT128_VARIANT == GIFT128_VARIANT_SMALL + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 160 +table_0: + .byte 8 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 128 + .byte 1 + .byte 128 + .byte 2 + .byte 0 + .byte 0 + .byte 84 + .byte 129 + .byte 1 + .byte 1 + .byte 1 + .byte 31 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 136 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 81 + .byte 128 + .byte 1 + .byte 3 + .byte 3 + .byte 47 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 96 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 65 + .byte 128 + .byte 0 + .byte 3 + .byte 3 + .byte 39 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 64 + .byte 2 + .byte 0 + .byte 80 + .byte 17 + .byte 128 + .byte 1 + .byte 2 + .byte 3 + .byte 43 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 8 + .byte 8 + .byte 16 + .byte 0 + .byte 64 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 64 + .byte 1 + .byte 128 + .byte 0 + .byte 2 + .byte 2 + .byte 33 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 192 + .byte 1 + .byte 0 + .byte 2 + .byte 0 + .byte 0 + .byte 81 + .byte 128 + .byte 1 + .byte 1 + .byte 3 + .byte 46 + .byte 0 + .byte 0 + .byte 128 + .byte 0 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 32 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 64 + .byte 128 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 0 + .byte 0 + .byte 128 + .byte 8 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 160 + .byte 1 + .byte 192 + .byte 2 + .byte 0 + .byte 80 + .byte 20 + .byte 129 + .byte 1 + .byte 2 + .byte 1 + .byte 26 + .byte 0 + .byte 0 + .byte 128 + 
+ .text +.global gift128b_init + .type gift128b_init, @function +gift128b_init: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + movw r30,r24 + movw r26,r22 +.L__stack_usage = 16 + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + ldi r24,4 +33: + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + mov r0,r22 + mov r22,r4 + mov r4,r0 + mov r0,r23 + mov r23,r5 + mov r5,r0 + mov r0,r2 + mov r2,r6 + mov r6,r0 + mov r0,r3 + mov r3,r7 + mov r7,r0 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + mov r0,r10 + mov r10,r14 + mov r14,r0 + mov r0,r11 + mov r11,r15 + mov r15,r0 + dec r24 + breq 5115f + rjmp 33b +5115: + subi r30,80 + sbc r31,r1 + ldi r24,2 +119: + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 
+ mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + st Z,r3 + std Z+1,r23 + std Z+2,r2 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 
+ ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+4,r3 + std Z+5,r23 + std Z+6,r2 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 
+ mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+8,r3 + std Z+9,r23 + std Z+10,r2 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 
+ lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+12,r3 + std Z+13,r23 + std Z+14,r2 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol 
r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r3 + std Z+17,r23 + std Z+18,r2 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+20,r3 + std Z+21,r23 + std Z+22,r2 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + 
eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+24,r3 + std Z+25,r23 + std Z+26,r2 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r2,Z+30 + ldd r3,Z+31 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 
+ rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+28,r3 + std Z+29,r23 + std Z+30,r2 + std Z+31,r22 + dec r24 + breq 1268f + adiw r30,40 + rjmp 119b +1268: + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size gift128b_init, .-gift128b_init + + .text +.global gift128b_encrypt + .type gift128b_encrypt, @function +gift128b_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in 
r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ldi r24,20 +1: + ld r22,Z+ + ld r23,Z+ + ld r2,Z+ + ld r3,Z+ + std Y+1,r22 + std Y+2,r23 + std Y+3,r2 + std Y+4,r3 + adiw r28,4 + dec r24 + brne 1b + subi r28,80 + sbc r29,r1 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out 
_SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 73f + rcall 73f + rjmp 1285f +73: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 
+ andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov 
r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + 
and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov 
r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + 
eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + 
eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +811: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc r26,r1 + lsl r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc 
r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + 
lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +1285: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc 
r29,r1 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt, .-gift128b_encrypt + + .text +.global gift128b_encrypt_preloaded + .type gift128b_encrypt_preloaded, @function +gift128b_encrypt_preloaded: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ldi r24,20 +1: + ld r22,Z+ + ld r23,Z+ + ld r2,Z+ + ld r3,Z+ + std Y+1,r22 + std Y+2,r23 + std Y+3,r2 + std Y+4,r3 + adiw r28,4 + dec r24 + brne 1b + subi r28,80 + sbc r29,r1 + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + ld r14,X+ + ld r15,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if 
defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 73f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 811f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 73f + rcall 73f + rjmp 1285f +73: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and 
r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + 
eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif 
defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor 
r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + 
lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + 
ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +811: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and 
r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc r26,r1 + lsl r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw 
r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or 
r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 + rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +1285: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc r29,r1 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + st X+,r12 + st X+,r13 + st X+,r14 + st X+,r15 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 40 +table_1: + .byte 1 + .byte 3 + .byte 7 + .byte 15 + .byte 31 + .byte 62 + .byte 61 + .byte 59 + .byte 55 + .byte 47 + .byte 30 + .byte 60 + .byte 57 + .byte 51 + .byte 39 + .byte 14 + .byte 29 + .byte 58 + .byte 53 + .byte 43 + .byte 22 + .byte 44 + .byte 24 + .byte 48 + .byte 33 + .byte 2 + .byte 5 + .byte 11 + .byte 23 + .byte 46 + .byte 28 + .byte 56 + .byte 49 + .byte 35 + .byte 6 + .byte 13 + .byte 27 + .byte 54 + .byte 45 + 
.byte 26 + + .text +.global gift128b_decrypt + .type gift128b_decrypt, @function +gift128b_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 35 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor 
r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + 
mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Z+8 + ldd r27,Z+9 + ldd r24,Z+10 + ldd r25,Z+11 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw 
r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ld r26,Z + ldd r27,Z+1 + ldd r24,Z+2 + ldd r25,Z+3 + mov r0,r25 + mov r25,r26 + mov r26,r0 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + mov r18,r19 + mov r19,r20 + 
mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r17,hh8(table_1) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif + ldi r16,40 +678: + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + std Y+13,r26 + std Y+14,r27 + std Y+15,r24 + std Y+16,r25 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r24,Y+3 + ldd r25,Y+4 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + ldd r0,Y+13 + eor r8,r0 + ldd r0,Y+14 + eor r9,r0 + ldd r0,Y+15 + eor r10,r0 + ldd r0,Y+16 + eor r11,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Y+5 + ldd r27,Y+6 + ldd r24,Y+7 + ldd r25,Y+8 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + ldd r0,Y+1 + eor r8,r0 + ldd r0,Y+2 + eor r9,r0 + ldd r0,Y+3 + eor r10,r0 + ldd r0,Y+4 + eor r11,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Y+9 + ldd r27,Y+10 + ldd r24,Y+11 + ldd r25,Y+12 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 
+ adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r24,Y+15 + ldd r25,Y+16 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 830f + cpse r16,r1 + rjmp 678b + rjmp 1175f +830: + eor r4,r26 + eor r5,r27 + eor r6,r24 + eor r7,r25 + ldi r18,128 + eor r15,r18 + dec r16 + mov r30,r16 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + bst r22,1 + bld r0,0 + bst r3,0 + bld r22,1 + bst r22,6 + bld r3,0 + bst r2,1 + bld r22,6 + bst r3,4 + bld r2,1 + bst r22,7 + bld r3,4 + bst r23,1 + bld r22,7 + bst r3,2 + bld r23,1 + bst r2,6 + bld r3,2 + bst r2,5 + bld r2,6 + bst r3,5 + bld r2,5 + bst r3,7 + bld r3,5 + bst r23,7 + bld r3,7 + bst r23,3 + bld r23,7 + bst r23,2 + bld r23,3 + bst r2,2 + bld r23,2 + bst r2,4 + bld r2,2 + bst r22,5 + bld r2,4 + bst r3,1 + bld r22,5 + bst r3,6 + bld r3,1 + bst r2,7 + bld r3,6 + bst r23,5 + bld r2,7 + bst r3,3 + bld r23,5 + bst r23,6 + bld r3,3 + bst r2,3 + bld r23,6 + bst r23,4 + bld r2,3 + bst r22,3 + bld r23,4 + bst r23,0 + bld r22,3 + bst r22,2 + bld r23,0 + bst r2,0 + bld r22,2 + bst r22,4 + bld r2,0 + bst r0,0 + bld r22,4 + bst r4,0 + bld r0,0 + bst r5,0 + bld r4,0 + bst r5,2 + bld r5,0 + bst r7,2 + bld r5,2 + bst r7,6 + bld r7,2 + bst r7,7 + bld r7,6 + bst r6,7 + bld r7,7 + bst r6,5 + bld r6,7 + bst r4,5 + bld r6,5 + bst r4,1 + bld r4,5 + bst r0,0 + bld r4,1 + bst r4,2 + bld r0,0 + bst r7,0 + bld r4,2 + bst r5,6 + bld r7,0 + bst r7,3 + bld r5,6 + bst r6,6 + bld r7,3 + bst r7,5 + bld r6,6 + bst r4,7 + bld r7,5 + bst r6,1 + bld r4,7 + bst r4,4 + bld r6,1 + bst r5,1 
+ bld r4,4 + bst r0,0 + bld r5,1 + bst r4,3 + bld r0,0 + bst r6,0 + bld r4,3 + bst r5,4 + bld r6,0 + bst r5,3 + bld r5,4 + bst r6,2 + bld r5,3 + bst r7,4 + bld r6,2 + bst r5,7 + bld r7,4 + bst r6,3 + bld r5,7 + bst r6,4 + bld r6,3 + bst r5,5 + bld r6,4 + bst r0,0 + bld r5,5 + bst r4,6 + bld r0,0 + bst r7,1 + bld r4,6 + bst r0,0 + bld r7,1 + bst r8,0 + bld r0,0 + bst r10,0 + bld r8,0 + bst r10,4 + bld r10,0 + bst r10,5 + bld r10,4 + bst r9,5 + bld r10,5 + bst r9,3 + bld r9,5 + bst r11,2 + bld r9,3 + bst r8,6 + bld r11,2 + bst r8,1 + bld r8,6 + bst r9,0 + bld r8,1 + bst r10,2 + bld r9,0 + bst r8,4 + bld r10,2 + bst r10,1 + bld r8,4 + bst r9,4 + bld r10,1 + bst r10,3 + bld r9,4 + bst r11,4 + bld r10,3 + bst r10,7 + bld r11,4 + bst r11,5 + bld r10,7 + bst r9,7 + bld r11,5 + bst r11,3 + bld r9,7 + bst r11,6 + bld r11,3 + bst r8,7 + bld r11,6 + bst r11,1 + bld r8,7 + bst r9,6 + bld r11,1 + bst r8,3 + bld r9,6 + bst r11,0 + bld r8,3 + bst r10,6 + bld r11,0 + bst r8,5 + bld r10,6 + bst r9,1 + bld r8,5 + bst r9,2 + bld r9,1 + bst r8,2 + bld r9,2 + bst r0,0 + bld r8,2 + bst r12,0 + bld r0,0 + bst r15,0 + bld r12,0 + bst r15,6 + bld r15,0 + bst r13,7 + bld r15,6 + bst r12,3 + bld r13,7 + bst r0,0 + bld r12,3 + bst r12,1 + bld r0,0 + bst r14,0 + bld r12,1 + bst r15,4 + bld r14,0 + bst r15,7 + bld r15,4 + bst r12,7 + bld r15,7 + bst r0,0 + bld r12,7 + bst r12,2 + bld r0,0 + bst r13,0 + bld r12,2 + bst r15,2 + bld r13,0 + bst r13,6 + bld r15,2 + bst r13,3 + bld r13,6 + bst r0,0 + bld r13,3 + bst r12,4 + bld r0,0 + bst r15,1 + bld r12,4 + bst r14,6 + bld r15,1 + bst r13,5 + bld r14,6 + bst r14,3 + bld r13,5 + bst r0,0 + bld r14,3 + bst r12,5 + bld r0,0 + bst r14,1 + bld r12,5 + bst r14,4 + bld r14,1 + bst r15,5 + bld r14,4 + bst r14,7 + bld r15,5 + bst r0,0 + bld r14,7 + bst r12,6 + bld r0,0 + bst r13,1 + bld r12,6 + bst r14,2 + bld r13,1 + bst r13,4 + bld r14,2 + bst r15,3 + bld r13,4 + bst r0,0 + bld r15,3 + movw r18,r12 + movw r20,r14 + movw r12,r22 + movw r14,r2 + movw 
r22,r18 + movw r2,r20 + and r18,r4 + and r19,r5 + and r20,r6 + and r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + ret +1175: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+17 + ldd r27,Y+18 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_decrypt, .-gift128b_decrypt + +#endif + +#endif diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128b-tiny-avr.S b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128b-tiny-avr.S new file mode 100644 index 0000000..e7a03f1 --- /dev/null +++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-gift128b-tiny-avr.S 
@@ -0,0 +1,6766 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + +#include "internal-gift128-config.h" + +#if GIFT128_VARIANT == GIFT128_VARIANT_TINY + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_0, @object + .size table_0, 160 +table_0: + .byte 8 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 128 + .byte 1 + .byte 128 + .byte 2 + .byte 0 + .byte 0 + .byte 84 + .byte 129 + .byte 1 + .byte 1 + .byte 1 + .byte 31 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 136 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 81 + .byte 128 + .byte 1 + .byte 3 + .byte 3 + .byte 47 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 96 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 65 + .byte 128 + .byte 0 + .byte 3 + .byte 3 + .byte 39 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 224 + .byte 1 + .byte 64 + .byte 2 + .byte 0 + .byte 80 + .byte 17 + .byte 128 + .byte 1 + .byte 2 + .byte 3 + .byte 43 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 8 + .byte 8 + .byte 16 + .byte 0 + .byte 64 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 64 + .byte 1 + .byte 128 + .byte 0 + .byte 2 + .byte 2 + .byte 33 + .byte 0 + .byte 0 + .byte 128 + .byte 128 + .byte 0 + .byte 0 + .byte 16 + .byte 0 + .byte 192 + .byte 1 + .byte 0 + .byte 2 + .byte 0 + .byte 0 + .byte 81 + .byte 128 + .byte 1 + .byte 1 + .byte 3 + .byte 46 + .byte 0 + .byte 0 + .byte 128 + .byte 0 + .byte 136 + .byte 8 + .byte 16 + .byte 0 + .byte 32 + .byte 1 + .byte 96 + .byte 2 + .byte 0 + .byte 80 + .byte 64 + .byte 128 + .byte 0 + .byte 3 + .byte 1 + .byte 6 + .byte 0 + .byte 0 + .byte 128 + .byte 8 + .byte 136 + .byte 0 + .byte 16 + .byte 0 + .byte 160 + .byte 1 + .byte 192 + .byte 2 + .byte 0 + .byte 80 + .byte 20 + .byte 129 + .byte 1 + .byte 2 + .byte 1 + .byte 26 + .byte 0 + .byte 0 + .byte 128 + 
+ .text +.global gift128b_init + .type gift128b_init, @function +gift128b_init: + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + movw r30,r24 + movw r26,r22 +.L__stack_usage = 16 + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + st Z,r22 + std Z+1,r23 + std Z+2,r2 + std Z+3,r3 + std Z+4,r4 + std Z+5,r5 + std Z+6,r6 + std Z+7,r7 + std Z+8,r8 + std Z+9,r9 + std Z+10,r10 + std Z+11,r11 + std Z+12,r12 + std Z+13,r13 + std Z+14,r14 + std Z+15,r15 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + ret + .size gift128b_init, .-gift128b_init + + .text +.global gift128b_encrypt + .type gift128b_encrypt, @function +gift128b_encrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + movw r30,r28 + adiw r30,1 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + ldi r24,4 +35: + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + 
lsr r3 + ror r2 + ror r0 + or r3,r0 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + mov r0,r22 + mov r22,r4 + mov r4,r0 + mov r0,r23 + mov r23,r5 + mov r5,r0 + mov r0,r2 + mov r2,r6 + mov r6,r0 + mov r0,r3 + mov r3,r7 + mov r7,r0 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + mov r0,r10 + mov r10,r14 + mov r14,r0 + mov r0,r11 + mov r11,r15 + mov r15,r0 + dec r24 + breq 5117f + rjmp 35b +5117: + subi r30,80 + sbc r31,r1 + ldi r24,2 +121: + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 
+ lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + st Z,r3 + std Z+1,r23 + std Z+2,r2 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor 
r2,r20 + eor r3,r21 + std Z+4,r3 + std Z+5,r23 + std Z+6,r2 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+8,r3 + std Z+9,r23 + std Z+10,r2 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + movw r18,r22 + 
movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+12,r3 + std Z+13,r23 + std Z+14,r2 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + 
andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r3 + std Z+17,r23 + std Z+18,r2 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor 
r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+20,r3 + std Z+21,r23 + std Z+22,r2 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor 
r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+24,r3 + std Z+25,r23 + std Z+26,r2 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r2,Z+30 + ldd r3,Z+31 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 
+ ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+28,r3 + std Z+29,r23 + std Z+30,r2 + std Z+31,r22 + dec r24 + breq 1270f + adiw r30,40 + rjmp 121b +1270: + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in 
r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 1329f + rcall 1329f + rjmp 2541f +1329: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 + 
ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 
+ com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov 
r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + 
lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + 
elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if 
defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +2067: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc r26,r1 + lsl 
r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + 
ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 + rol r3 + 
adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +2541: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc r29,r1 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt, .-gift128b_encrypt + + .text +.global gift128b_encrypt_preloaded + .type gift128b_encrypt_preloaded, @function +gift128b_encrypt_preloaded: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + subi r28,80 + sbci r29,0 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 100 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r4,Z+4 + ldd r5,Z+5 + ldd r6,Z+6 + ldd r7,Z+7 + ldd r8,Z+8 + ldd r9,Z+9 + ldd r10,Z+10 + ldd r11,Z+11 + ldd r12,Z+12 + ldd r13,Z+13 + ldd r14,Z+14 + ldd r15,Z+15 + movw r30,r28 + adiw r30,1 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + ldi r24,4 +35: + st Z+,r4 + st Z+,r5 + st Z+,r6 + st Z+,r7 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + lsl r22 + rol r23 + adc r22,r1 + mov r0,r1 + lsr r3 + 
ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + st Z+,r22 + st Z+,r23 + st Z+,r2 + st Z+,r3 + mov r0,r22 + mov r22,r4 + mov r4,r0 + mov r0,r23 + mov r23,r5 + mov r5,r0 + mov r0,r2 + mov r2,r6 + mov r6,r0 + mov r0,r3 + mov r3,r7 + mov r7,r0 + st Z+,r12 + st Z+,r13 + st Z+,r14 + st Z+,r15 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + mov r0,r1 + lsr r11 + ror r10 + ror r0 + lsr r11 + ror r10 + ror r0 + or r11,r0 + st Z+,r8 + st Z+,r9 + st Z+,r10 + st Z+,r11 + mov r0,r8 + mov r8,r12 + mov r12,r0 + mov r0,r9 + mov r9,r13 + mov r13,r0 + mov r0,r10 + mov r10,r14 + mov r14,r0 + mov r0,r11 + mov r11,r15 + mov r15,r0 + dec r24 + breq 5117f + rjmp 35b +5117: + subi r30,80 + sbc r31,r1 + ldi r24,2 +121: + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov 
r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + st Z,r3 + std Z+1,r23 + std Z+2,r2 + std Z+3,r22 + ldd r22,Z+4 + ldd r23,Z+5 + ldd r2,Z+6 + ldd r3,Z+7 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,85 + mov r19,r1 + andi r20,85 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + 
eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+4,r3 + std Z+5,r23 + std Z+6,r2 + std Z+7,r22 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+8,r3 + std Z+9,r23 + std Z+10,r2 + std Z+11,r22 + ldd r22,Z+12 + ldd r23,Z+13 + ldd r2,Z+14 + ldd r3,Z+15 + 
movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,17 + andi r19,17 + andi r20,17 + andi r21,17 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,15 + mov r19,r1 + andi r20,15 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+12,r3 + std Z+13,r23 + std Z+14,r2 + std Z+15,r22 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + 
andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+16,r3 + std Z+17,r23 + std Z+18,r2 + std Z+19,r22 + ldd r22,Z+20 + ldd r23,Z+21 + ldd r2,Z+22 + ldd r3,Z+23 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r19 + rol r20 + rol r21 + rol r0 + movw r18,r20 + mov r20,r0 + mov r21,r1 + eor r18,r22 + eor r19,r23 + andi r18,170 + andi r19,170 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r0,r1 + lsr r20 + ror r19 + ror r18 + ror r0 + movw r20,r18 + mov r19,r0 + mov r18,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + movw r18,r20 + mov r20,r1 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,51 + andi r19,51 + eor 
r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+20,r3 + std Z+21,r23 + std Z+22,r2 + std Z+23,r22 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor 
r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+24,r3 + std Z+25,r23 + std Z+26,r2 + std Z+27,r22 + ldd r22,Z+28 + ldd r23,Z+29 + ldd r2,Z+30 + ldd r3,Z+31 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,10 + andi r19,10 + andi r20,10 + andi r21,10 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r0,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + lsl r18 + rol r19 + rol r20 + rol r21 + rol r0 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r0 + eor r18,r22 + eor r19,r23 + eor r20,r2 + eor r21,r3 + andi r18,204 + mov r19,r1 + andi r20,204 + mov r21,r1 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + lsr r21 + ror r20 + ror r19 + ror r18 + ror r0 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r0 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + movw r18,r22 + movw r20,r2 + mov r18,r19 + mov r19,r20 + mov r20,r21 + mov r21,r1 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror 
r18 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r22 + eor r19,r23 + andi r18,240 + andi r19,240 + eor r22,r18 + eor r23,r19 + mov r20,r1 + mov r21,r1 + mov r21,r20 + mov r20,r19 + mov r19,r18 + mov r18,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + std Z+28,r3 + std Z+29,r23 + std Z+30,r2 + std Z+31,r22 + dec r24 + breq 1270f + adiw r30,40 + rjmp 121b +1270: + ld r22,X+ + ld r23,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + ld r14,X+ + ld r15,X+ + movw r26,r28 + adiw r26,1 + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,20 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,40 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,60 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + 
in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,80 + sbiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,100 + adiw r26,40 + rcall 1329f +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + rcall 2067f + ldi r30,lo8(table_0) + ldi r31,hi8(table_0) +#if defined(RAMPZ) + ldi r24,hh8(table_0) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r24 +#endif + ldi r30,120 + sbiw r26,40 + rcall 1329f + rcall 1329f + rjmp 2541f +1329: + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,204 + andi r19,204 + andi r20,204 + andi r21,204 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + ldi r25,51 + and r4,r25 + and r5,r25 + and r6,r25 + and r7,r25 + or r4,r18 + or r5,r19 + or r6,r20 + or r7,r21 + movw r18,r8 + movw r20,r10 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,238 + andi r19,238 + andi r20,238 + andi r21,238 + lsr r11 + ror r10 + ror r9 + ror r8 + lsr r11 + ror r10 
+ ror r9 + ror r8 + lsr r11 + ror r10 + ror r9 + ror r8 + ldi r24,17 + and r8,r24 + and r9,r24 + and r10,r24 + and r11,r24 + or r8,r18 + or r9,r19 + or r10,r20 + or r11,r21 + movw r18,r12 + movw r20,r14 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + andi r18,136 + andi r19,136 + andi r20,136 + andi r21,136 + lsr r15 + ror r14 + ror r13 + ror r12 + ldi r17,119 + and r12,r17 + and r13,r17 + and r14,r17 + and r15,r17 + or r12,r18 + or r13,r19 + or r14,r20 + or r15,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor 
r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r1 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + lsr r3 + ror r2 + ror r0 + or r3,r0 + mov r0,r5 + mov r5,r4 + mov r4,r0 + mov r0,r7 + mov r7,r6 + mov r6,r0 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r8 + rol r9 + adc r8,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + lsl r10 + rol r11 + adc r10,r1 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + 
mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + movw r18,r4 + movw r20,r6 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + mov r0,r10 + mov r10,r8 + mov r8,r0 + mov r0,r11 + mov r11,r9 + mov r9,r0 + movw r18,r8 + movw r20,r10 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r8 + eor r19,r9 + andi r18,85 + andi r19,85 + eor r8,r18 + eor r9,r19 + mov r20,r1 + mov r21,r1 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + mov r0,r14 + mov r14,r12 + mov r12,r0 + mov r0,r15 + mov r15,r13 + mov r13,r0 + movw r18,r14 + lsr r19 + ror r18 + eor r18,r14 + eor r19,r15 + andi r18,85 + andi r19,85 + eor r14,r18 + eor r15,r19 + lsl r18 + rol r19 + eor r14,r18 + eor r15,r19 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z 
+#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + mov r0,r12 + and r0,r8 + eor r4,r0 + mov r0,r13 + and r0,r9 + eor r5,r0 + mov r0,r14 + and r0,r10 + eor r6,r0 + mov r0,r15 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r22 + eor r12,r0 + mov r0,r5 + and r0,r23 + eor r13,r0 + mov r0,r6 + and r0,r2 + eor r14,r0 + mov r0,r7 + and r0,r3 + eor r15,r0 + mov r0,r12 + or r0,r4 + eor r8,r0 + mov r0,r13 + or r0,r5 + eor r9,r0 + mov r0,r14 + or r0,r6 + eor r10,r0 + mov r0,r15 + or r0,r7 + eor r11,r0 + eor r22,r8 + eor r23,r9 + eor r2,r10 + eor r3,r11 + eor r4,r22 + eor r5,r23 + eor r6,r2 + eor r7,r3 + com r22 + com r23 + com r2 + com r3 + mov r0,r12 + and r0,r4 + eor r8,r0 + mov r0,r13 + and r0,r5 + eor r9,r0 + mov r0,r14 + and r0,r6 + eor r10,r0 + mov r0,r15 + and r0,r7 + eor r11,r0 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + swap r4 + swap r5 + swap r6 + swap r7 + mov r0,r1 + lsr r8 + ror r0 + lsr r8 + ror r0 + or r8,r0 + mov r0,r1 + lsr r9 + ror r0 + lsr r9 + ror r0 + or r9,r0 + mov r0,r1 + lsr r10 + ror r0 + lsr r10 + ror r0 + or r10,r0 + mov r0,r1 + lsr r11 + ror r0 + lsr r11 + ror r0 + or r11,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if 
defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r12,r18 + eor r13,r19 + eor r14,r20 + eor r15,r21 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + com r12 + com r13 + com r14 + com r15 + mov r0,r22 + and r0,r4 + eor r8,r0 + mov r0,r23 + and r0,r5 + eor r9,r0 + mov r0,r2 + and r0,r6 + eor r10,r0 + mov r0,r3 + and r0,r7 + eor r11,r0 + mov r0,r6 + mov r6,r4 + mov r4,r0 + mov r0,r7 + mov r7,r5 + mov r5,r0 + mov r0,r8 + mov r8,r9 + mov r9,r10 + mov r10,r11 + mov r11,r0 + mov r0,r15 + mov r15,r14 + mov r14,r13 + mov r13,r12 + mov r12,r0 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ld r18,X+ + ld r19,X+ + ld r20,X+ + ld r21,X+ + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r19,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r19,Z +#elif defined(__AVR_TINY__) + ld r19,Z +#else + lpm + mov r19,r0 +#endif + inc r30 +#if defined(RAMPZ) + elpm r20,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r20,Z +#elif defined(__AVR_TINY__) + ld r20,Z +#else + lpm + mov r20,r0 +#endif + 
inc r30 +#if defined(RAMPZ) + elpm r21,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r21,Z +#elif defined(__AVR_TINY__) + ld r21,Z +#else + lpm + mov r21,r0 +#endif + inc r30 + eor r22,r18 + eor r23,r19 + eor r2,r20 + eor r3,r21 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + eor r12,r22 + eor r13,r23 + eor r14,r2 + eor r15,r3 + eor r22,r12 + eor r23,r13 + eor r2,r14 + eor r3,r15 + ret +2067: + movw r30,r26 + sbiw r30,40 + push r3 + push r2 + push r23 + push r22 + push r7 + push r6 + push r5 + push r4 + ld r22,Z + ldd r23,Z+1 + ldd r2,Z+2 + ldd r3,Z+3 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + movw r18,r26 + movw r20,r24 + movw r18,r20 + mov r20,r1 + mov r21,r1 + eor r18,r26 + eor r19,r27 + andi r18,51 + andi r19,51 + eor r26,r18 + eor r27,r19 + mov r20,r1 + mov r21,r1 + movw r20,r18 + mov r18,r1 + mov r19,r1 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,68 + andi r19,68 + andi r20,85 + andi r21,85 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + st Z,r26 + std Z+1,r27 + std Z+2,r24 + std Z+3,r25 + movw r18,r22 + movw r20,r2 + andi r18,51 + andi r19,51 + andi r20,51 + andi r21,51 + andi r22,204 + andi r23,204 + ldi r17,204 + and r2,r17 + and r3,r17 + or r2,r21 + or r3,r18 + or r22,r19 + or r23,r20 + movw r18,r2 + movw r20,r22 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r2 + eor r19,r3 + eor r20,r22 + eor r21,r23 + mov r18,r1 + andi r19,17 + andi r20,85 + andi r21,85 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r2,r18 + eor r3,r19 + eor r22,r20 + eor r23,r21 + std Z+4,r2 + std Z+5,r3 + std Z+6,r22 + std Z+7,r23 + ldd r22,Z+8 + ldd r23,Z+9 + ldd r2,Z+10 + ldd r3,Z+11 + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + lsl r26 + adc 
r26,r1 + lsl r26 + adc r26,r1 + swap r27 + lsl r24 + adc r24,r1 + lsl r24 + adc r24,r1 + swap r25 + std Z+8,r26 + std Z+9,r27 + std Z+10,r24 + std Z+11,r25 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r22 + adc r22,r1 + lsl r23 + adc r23,r1 + lsl r23 + adc r23,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r2 + adc r2,r1 + lsl r3 + adc r3,r1 + lsl r3 + adc r3,r1 + std Z+12,r22 + std Z+13,r23 + std Z+14,r2 + std Z+15,r3 + ldd r22,Z+16 + ldd r23,Z+17 + ldd r2,Z+18 + ldd r3,Z+19 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r24,Z+22 + ldd r25,Z+23 + movw r18,r26 + movw r20,r24 + andi r18,170 + andi r19,170 + andi r20,170 + andi r21,170 + andi r26,85 + andi r27,85 + andi r24,85 + andi r25,85 + or r26,r19 + or r27,r20 + or r24,r21 + or r25,r18 + std Z+16,r24 + std Z+17,r25 + std Z+18,r26 + std Z+19,r27 + movw r18,r22 + movw r20,r2 + andi r18,85 + andi r19,85 + andi r20,85 + andi r21,85 + andi r22,170 + andi r23,170 + ldi r16,170 + and r2,r16 + and r3,r16 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + lsl r22 + rol r23 + rol r2 + rol r3 + adc r22,r1 + or r22,r18 + or r23,r19 + or r2,r20 + or r3,r21 + std Z+20,r3 + std Z+21,r22 + std Z+22,r23 + std Z+23,r2 + ldd r22,Z+24 + ldd r23,Z+25 + ldd r2,Z+26 + ldd r3,Z+27 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r24,Z+30 + ldd r25,Z+31 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + lsr r21 + ror r20 + ror r19 + ror r18 + eor r18,r26 + eor r19,r27 + eor r20,r24 + eor r21,r25 + andi r18,3 + andi r19,3 + andi r20,3 + andi r21,3 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + lsl r18 + rol r19 + rol r20 + rol r21 + lsl r18 + rol r19 + rol r20 + rol r21 + eor r26,r18 + eor r27,r19 + eor r24,r20 + eor r25,r21 + movw r18,r26 + movw r20,r24 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,120 + andi r19,120 + andi r20,120 + andi r21,120 + movw r4,r18 + movw r6,r20 + lsr r7 + ror r6 + ror r5 + ror r4 
+ lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + lsr r7 + ror r6 + ror r5 + ror r4 + eor r4,r18 + eor r5,r19 + eor r6,r20 + eor r7,r21 + ldi r16,8 + and r4,r16 + and r5,r16 + and r6,r16 + and r7,r16 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + lsl r4 + rol r5 + rol r6 + rol r7 + eor r18,r4 + eor r19,r5 + eor r20,r6 + eor r21,r7 + andi r26,15 + andi r27,15 + andi r24,15 + andi r25,15 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + std Z+24,r26 + std Z+25,r27 + std Z+26,r24 + std Z+27,r25 + movw r18,r2 + lsr r19 + ror r18 + lsr r19 + ror r18 + andi r18,48 + andi r19,48 + movw r26,r22 + movw r24,r2 + andi r26,1 + andi r27,1 + andi r24,1 + andi r25,1 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + lsl r26 + rol r27 + rol r24 + rol r25 + or r26,r18 + or r27,r19 + movw r18,r2 + lsl r18 + rol r19 + lsl r18 + rol r19 + andi r18,192 + andi r19,192 + or r26,r18 + or r27,r19 + movw r18,r22 + andi r18,224 + andi r19,224 + lsr r19 + ror r18 + or r24,r18 + or r25,r19 + movw r18,r22 + movw r20,r2 + lsr r21 + ror r20 + ror r19 + ror r18 + andi r18,7 + andi r19,7 + andi r20,7 + andi r21,7 + or r26,r18 + or r27,r19 + or r24,r20 + or r25,r21 + andi r22,16 + andi r23,16 + lsl r22 + rol r23 + lsl r22 + rol r23 + lsl r22 + rol r23 + or r24,r22 + or r25,r23 + std Z+28,r26 + std Z+29,r27 + std Z+30,r24 + std Z+31,r25 + ldd r22,Z+32 + ldd r23,Z+33 + ldd r2,Z+34 + ldd r3,Z+35 + ldd r26,Z+36 + ldd r27,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Z+32,r27 + std Z+33,r26 + std Z+34,r24 + std Z+35,r25 + mov r0,r1 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + lsr r23 + ror r22 + ror r0 + or r23,r0 + mov r0,r2 + mov r2,r3 + mov r3,r0 + lsl r2 
+ rol r3 + adc r2,r1 + lsl r2 + rol r3 + adc r2,r1 + std Z+36,r22 + std Z+37,r23 + std Z+38,r2 + std Z+39,r3 + pop r4 + pop r5 + pop r6 + pop r7 + pop r22 + pop r23 + pop r2 + pop r3 + movw r26,r30 + ret +2541: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + subi r28,175 + sbci r29,255 + ld r26,Y+ + ld r27,Y + subi r28,82 + sbc r29,r1 + st X+,r22 + st X+,r23 + st X+,r2 + st X+,r3 + st X+,r4 + st X+,r5 + st X+,r6 + st X+,r7 + st X+,r8 + st X+,r9 + st X+,r10 + st X+,r11 + st X+,r12 + st X+,r13 + st X+,r14 + st X+,r15 + subi r28,174 + sbci r29,255 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_encrypt_preloaded, .-gift128b_encrypt_preloaded + + .section .progmem.data,"a",@progbits + .p2align 8 + .type table_1, @object + .size table_1, 40 +table_1: + .byte 1 + .byte 3 + .byte 7 + .byte 15 + .byte 31 + .byte 62 + .byte 61 + .byte 59 + .byte 55 + .byte 47 + .byte 30 + .byte 60 + .byte 57 + .byte 51 + .byte 39 + .byte 14 + .byte 29 + .byte 58 + .byte 53 + .byte 43 + .byte 22 + .byte 44 + .byte 24 + .byte 48 + .byte 33 + .byte 2 + .byte 5 + .byte 11 + .byte 23 + .byte 46 + .byte 28 + .byte 56 + .byte 49 + .byte 35 + .byte 6 + .byte 13 + .byte 27 + .byte 54 + .byte 45 + .byte 26 + + .text +.global gift128b_decrypt + .type gift128b_decrypt, @function +gift128b_decrypt: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r23 + push r22 + movw r30,r24 + movw r26,r20 + in r28,0x3d + in r29,0x3e + sbiw r28,16 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 +.L__stack_usage = 35 + ld r3,X+ + ld r2,X+ + ld r23,X+ + ld r22,X+ + ld r7,X+ + ld r6,X+ + ld r5,X+ + ld r4,X+ + ld r11,X+ + ld r10,X+ + ld r9,X+ + ld 
r8,X+ + ld r15,X+ + ld r14,X+ + ld r13,X+ + ld r12,X+ + ldd r26,Z+12 + ldd r27,Z+13 + ldd r24,Z+14 + ldd r25,Z+15 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Z+4 + ldd r27,Z+5 + ldd r24,Z+6 + ldd r25,Z+7 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Z+8 + ldd r27,Z+9 + ldd r24,Z+10 + ldd r25,Z+11 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ld r26,Z + ldd r27,Z+1 + ldd r24,Z+2 + ldd r25,Z+3 + mov r0,r27 + mov r27,r26 + mov r26,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + lsr r25 + ror r24 + ror r0 + or r25,r0 + ldi r30,lo8(table_1) + ldi r31,hi8(table_1) +#if defined(RAMPZ) + ldi r17,hh8(table_1) + in r0,_SFR_IO_ADDR(RAMPZ) + push r0 + out _SFR_IO_ADDR(RAMPZ),r17 +#endif + ldi r16,40 +114: + ldd r0,Y+9 + eor r8,r0 + ldd r0,Y+10 + eor r9,r0 + ldd r0,Y+11 + eor r10,r0 + ldd r0,Y+12 + eor r11,r0 + std Y+13,r26 + std Y+14,r27 + std Y+15,r24 + std Y+16,r25 + ldd r26,Y+1 + ldd r27,Y+2 + ldd r24,Y+3 + ldd r25,Y+4 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + ldd r0,Y+13 + eor r8,r0 + ldd r0,Y+14 + eor r9,r0 + ldd r0,Y+15 + eor r10,r0 + ldd r0,Y+16 + eor r11,r0 + std Y+1,r26 + std Y+2,r27 + std Y+3,r24 + std Y+4,r25 + ldd r26,Y+5 + ldd r27,Y+6 + ldd r24,Y+7 
+ ldd r25,Y+8 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + ldd r0,Y+1 + eor r8,r0 + ldd r0,Y+2 + eor r9,r0 + ldd r0,Y+3 + eor r10,r0 + ldd r0,Y+4 + eor r11,r0 + std Y+5,r26 + std Y+6,r27 + std Y+7,r24 + std Y+8,r25 + ldd r26,Y+9 + ldd r27,Y+10 + ldd r24,Y+11 + ldd r25,Y+12 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + ldd r0,Y+5 + eor r8,r0 + ldd r0,Y+6 + eor r9,r0 + ldd r0,Y+7 + eor r10,r0 + ldd r0,Y+8 + eor r11,r0 + std Y+9,r26 + std Y+10,r27 + std Y+11,r24 + std Y+12,r25 + ldd r26,Y+13 + ldd r27,Y+14 + ldd r24,Y+15 + ldd r25,Y+16 + mov r0,r1 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + lsr r27 + ror r26 + ror r0 + or r27,r0 + lsl r24 + rol r25 + adc r24,r1 + lsl r24 + rol r25 + adc r24,r1 + rcall 266f + cpse r16,r1 + rjmp 114b + rjmp 611f +266: + eor r4,r26 + eor r5,r27 + eor r6,r24 + eor r7,r25 + ldi r18,128 + eor r15,r18 + dec r16 + mov r30,r16 +#if defined(RAMPZ) + elpm r18,Z +#elif defined(__AVR_HAVE_LPMX__) + lpm r18,Z +#elif defined(__AVR_TINY__) + ld r18,Z +#else + lpm + mov r18,r0 +#endif + eor r12,r18 + bst r22,1 + bld r0,0 + bst r3,0 + bld r22,1 + bst r22,6 + bld r3,0 + bst r2,1 + bld r22,6 + bst r3,4 + bld r2,1 + bst r22,7 + bld r3,4 + bst r23,1 + bld r22,7 + bst r3,2 + bld r23,1 + bst r2,6 + bld r3,2 + bst r2,5 + bld r2,6 + bst r3,5 + bld r2,5 + bst r3,7 + bld r3,5 + bst r23,7 + bld r3,7 + bst r23,3 + bld r23,7 + bst r23,2 + bld r23,3 + bst r2,2 + bld r23,2 + bst r2,4 + bld r2,2 + bst r22,5 + bld r2,4 + bst r3,1 + bld r22,5 + bst r3,6 + bld r3,1 + bst r2,7 + bld r3,6 + bst r23,5 + bld r2,7 + bst r3,3 + bld r23,5 + bst r23,6 + bld r3,3 + bst r2,3 + bld r23,6 + bst 
r23,4 + bld r2,3 + bst r22,3 + bld r23,4 + bst r23,0 + bld r22,3 + bst r22,2 + bld r23,0 + bst r2,0 + bld r22,2 + bst r22,4 + bld r2,0 + bst r0,0 + bld r22,4 + bst r4,0 + bld r0,0 + bst r5,0 + bld r4,0 + bst r5,2 + bld r5,0 + bst r7,2 + bld r5,2 + bst r7,6 + bld r7,2 + bst r7,7 + bld r7,6 + bst r6,7 + bld r7,7 + bst r6,5 + bld r6,7 + bst r4,5 + bld r6,5 + bst r4,1 + bld r4,5 + bst r0,0 + bld r4,1 + bst r4,2 + bld r0,0 + bst r7,0 + bld r4,2 + bst r5,6 + bld r7,0 + bst r7,3 + bld r5,6 + bst r6,6 + bld r7,3 + bst r7,5 + bld r6,6 + bst r4,7 + bld r7,5 + bst r6,1 + bld r4,7 + bst r4,4 + bld r6,1 + bst r5,1 + bld r4,4 + bst r0,0 + bld r5,1 + bst r4,3 + bld r0,0 + bst r6,0 + bld r4,3 + bst r5,4 + bld r6,0 + bst r5,3 + bld r5,4 + bst r6,2 + bld r5,3 + bst r7,4 + bld r6,2 + bst r5,7 + bld r7,4 + bst r6,3 + bld r5,7 + bst r6,4 + bld r6,3 + bst r5,5 + bld r6,4 + bst r0,0 + bld r5,5 + bst r4,6 + bld r0,0 + bst r7,1 + bld r4,6 + bst r0,0 + bld r7,1 + bst r8,0 + bld r0,0 + bst r10,0 + bld r8,0 + bst r10,4 + bld r10,0 + bst r10,5 + bld r10,4 + bst r9,5 + bld r10,5 + bst r9,3 + bld r9,5 + bst r11,2 + bld r9,3 + bst r8,6 + bld r11,2 + bst r8,1 + bld r8,6 + bst r9,0 + bld r8,1 + bst r10,2 + bld r9,0 + bst r8,4 + bld r10,2 + bst r10,1 + bld r8,4 + bst r9,4 + bld r10,1 + bst r10,3 + bld r9,4 + bst r11,4 + bld r10,3 + bst r10,7 + bld r11,4 + bst r11,5 + bld r10,7 + bst r9,7 + bld r11,5 + bst r11,3 + bld r9,7 + bst r11,6 + bld r11,3 + bst r8,7 + bld r11,6 + bst r11,1 + bld r8,7 + bst r9,6 + bld r11,1 + bst r8,3 + bld r9,6 + bst r11,0 + bld r8,3 + bst r10,6 + bld r11,0 + bst r8,5 + bld r10,6 + bst r9,1 + bld r8,5 + bst r9,2 + bld r9,1 + bst r8,2 + bld r9,2 + bst r0,0 + bld r8,2 + bst r12,0 + bld r0,0 + bst r15,0 + bld r12,0 + bst r15,6 + bld r15,0 + bst r13,7 + bld r15,6 + bst r12,3 + bld r13,7 + bst r0,0 + bld r12,3 + bst r12,1 + bld r0,0 + bst r14,0 + bld r12,1 + bst r15,4 + bld r14,0 + bst r15,7 + bld r15,4 + bst r12,7 + bld r15,7 + bst r0,0 + bld r12,7 + bst r12,2 + bld r0,0 + bst 
r13,0 + bld r12,2 + bst r15,2 + bld r13,0 + bst r13,6 + bld r15,2 + bst r13,3 + bld r13,6 + bst r0,0 + bld r13,3 + bst r12,4 + bld r0,0 + bst r15,1 + bld r12,4 + bst r14,6 + bld r15,1 + bst r13,5 + bld r14,6 + bst r14,3 + bld r13,5 + bst r0,0 + bld r14,3 + bst r12,5 + bld r0,0 + bst r14,1 + bld r12,5 + bst r14,4 + bld r14,1 + bst r15,5 + bld r14,4 + bst r14,7 + bld r15,5 + bst r0,0 + bld r14,7 + bst r12,6 + bld r0,0 + bst r13,1 + bld r12,6 + bst r14,2 + bld r13,1 + bst r13,4 + bld r14,2 + bst r15,3 + bld r13,4 + bst r0,0 + bld r15,3 + movw r18,r12 + movw r20,r14 + movw r12,r22 + movw r14,r2 + movw r22,r18 + movw r2,r20 + and r18,r4 + and r19,r5 + and r20,r6 + and r21,r7 + eor r8,r18 + eor r9,r19 + eor r10,r20 + eor r11,r21 + com r12 + com r13 + com r14 + com r15 + eor r4,r12 + eor r5,r13 + eor r6,r14 + eor r7,r15 + eor r12,r8 + eor r13,r9 + eor r14,r10 + eor r15,r11 + mov r0,r22 + or r0,r4 + eor r8,r0 + mov r0,r23 + or r0,r5 + eor r9,r0 + mov r0,r2 + or r0,r6 + eor r10,r0 + mov r0,r3 + or r0,r7 + eor r11,r0 + mov r0,r4 + and r0,r12 + eor r22,r0 + mov r0,r5 + and r0,r13 + eor r23,r0 + mov r0,r6 + and r0,r14 + eor r2,r0 + mov r0,r7 + and r0,r15 + eor r3,r0 + mov r0,r22 + and r0,r8 + eor r4,r0 + mov r0,r23 + and r0,r9 + eor r5,r0 + mov r0,r2 + and r0,r10 + eor r6,r0 + mov r0,r3 + and r0,r11 + eor r7,r0 + ret +611: +#if defined(RAMPZ) + pop r0 + out _SFR_IO_ADDR(RAMPZ),r0 +#endif + ldd r26,Y+17 + ldd r27,Y+18 + st X+,r3 + st X+,r2 + st X+,r23 + st X+,r22 + st X+,r7 + st X+,r6 + st X+,r5 + st X+,r4 + st X+,r11 + st X+,r10 + st X+,r9 + st X+,r8 + st X+,r15 + st X+,r14 + st X+,r13 + st X+,r12 + adiw r28,18 + in r0,0x3f + cli + out 0x3e,r29 + out 0x3f,r0 + out 0x3d,r28 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size gift128b_decrypt, .-gift128b_decrypt + +#endif + +#endif 
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-util.h b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-util.h
+++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.c b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.c
index 984a4db..d192b8e 100644
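Review bot: The 31 composed `leftRotateN` macros and the 31 `rightRotateN` aliases added here become the only rotation definitions on AVR, and nothing in the header checks them against the direct `leftRotate((a), N)` forms they replace; a wrong count in one of them would change a cipher's round function on AVR only and fail no compile. I traced the compositions (for example `leftRotate5` as left-8 then right-3, `leftRotate12` as left-16 then right-4, `leftRotate28` as right-4) and the counts agree, but a small self-test that compares every `leftRotateN(x)` with `leftRotate(x, N)` over a few sample words on the AVR build would make that property hold under future edits. The comment `/* Composed rotation macros where 1 and 8 are fast, but others are slow */` could also say that the direct definitions in the `#if !LW_CRYPTO_ROTATE32_COMPOSED` branch are the reference. Separately, the generic macro whose tail is visible in the `@@ -254` hunk appears to bind `_temp` inside a statement expression, so compositions up to five deep nest five `_temp` declarations; that is well-defined but will warn under `-Wshadow` if the project builds with it.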
--- a/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.c
+++ b/sundae-gift/Implementations/crypto_aead/sundaegift96v1/rhys/sundae-gift.c
@@ -140,8 +140,7 @@ static int sundae_gift_aead_encrypt
 *clen = mlen + SUNDAE_GIFT_TAG_SIZE;
 
 /* Set the key schedule */
- if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE))
- return -1;
+ gift128b_init(&ks, k);
 
 /* Format and encrypt the initial domain separation block */
 if (adlen > 0)
@@ -205,8 +204,7 @@ static int sundae_gift_aead_decrypt
 len = *mlen = clen - SUNDAE_GIFT_TAG_SIZE;
 
 /* Set the key schedule */
- if (!gift128b_init(&ks, k, SUNDAE_GIFT_KEY_SIZE))
- return -1;
+ gift128b_init(&ks, k);
 
 /* Decrypt the ciphertext to produce the plaintext, using the
 * tag as the initialization vector for the decryption process */
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/aead-common.c b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/aead-common.c
+++ /dev/null
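Review bot: The new `gift128b_init(&ks, k);` call discards both the key-size argument and the status check that the removed lines carried, so `sundae_gift_aead_encrypt` now proceeds into the cipher whatever the key setup did; the second hunk makes the same replacement in `sundae_gift_aead_decrypt`. If the new `gift128b_init` still reports failure (its signature is not in this diff), the `return -1;` path should be kept; if it is now `void` with a fixed-size key, the comment above the call should say so, e.g. `/* Set the key schedule; gift128b_init takes a fixed-size key and cannot fail */`, so the next reader does not look for a missing check. Both enclosing functions start and end outside the hunks.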
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/aead-common.h b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/api.h b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/api.h deleted file mode 100644 index 32c9622..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 12 -#define CRYPTO_ABYTES 8 -#define CRYPTO_NOOVERLAP 1 diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/encrypt.c b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/encrypt.c deleted file mode 100644 index 832ac67..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/encrypt.c +++ /dev/null 
@@ -1,26 +0,0 @@ - -#include "tinyjambu.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return tiny_jambu_128_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return tiny_jambu_128_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/internal-tinyjambu-avr.S b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/internal-tinyjambu-avr.S deleted file mode 100644 index c7f2d1c..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/internal-tinyjambu-avr.S +++ /dev/null 
@@ -1,471 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global tiny_jambu_permutation - .type tiny_jambu_permutation, @function -tiny_jambu_permutation: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r26,r24 - movw r30,r22 -.L__stack_usage = 18 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - lsl r20 - lsl r20 - mov r19,r1 -19: - movw r24,r4 - movw r16,r6 - mov r15,r3 - lsl r15 - rol r24 - rol r25 - rol r16 - rol r17 - eor r22,r24 - eor r23,r25 - eor r28,r16 - eor r29,r17 - mov r14,r7 - mov r15,r8 - mov r24,r9 - mov r25,r10 - mov r0,r6 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - mov r16,r9 - mov r0,r8 - mov r17,r10 - mov r21,r11 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - and r14,r16 - and r15,r17 - and r24,r21 - mov r16,r11 - mov r17,r12 - lsl r16 - rol r17 - lsl r16 - rol r17 - lsl r16 - rol r17 - and r25,r17 - com r14 - com r15 - com r24 - com r25 - eor r22,r14 - eor r23,r15 - eor r28,r24 - eor r29,r25 - movw r24,r10 - movw r16,r12 - mov r15,r9 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - eor r22,r15 - eor r23,r24 - eor r28,r25 - eor r29,r16 - ld r14,Z+ - ld r15,Z+ - ld r24,Z+ - ld r25,Z+ - eor r22,r14 - eor r23,r15 - eor r28,r24 - eor r29,r25 - movw r24,r8 - movw r16,r10 - mov r15,r7 - lsl r15 - rol r24 - rol r25 - rol r16 - rol r17 - eor r2,r24 - eor r3,r25 - eor r4,r16 - eor r5,r17 - mov r14,r11 - mov r15,r12 - mov r24,r13 - mov r25,r22 - mov r0,r10 - lsl r0 - rol r14 - rol r15 - rol r24 - rol 
r25 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - mov r16,r13 - mov r0,r12 - mov r17,r22 - mov r21,r23 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - and r14,r16 - and r15,r17 - and r24,r21 - mov r16,r23 - mov r17,r28 - lsl r16 - rol r17 - lsl r16 - rol r17 - lsl r16 - rol r17 - and r25,r17 - com r14 - com r15 - com r24 - com r25 - eor r2,r14 - eor r3,r15 - eor r4,r24 - eor r5,r25 - movw r24,r22 - movw r16,r28 - mov r15,r13 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - eor r2,r15 - eor r3,r24 - eor r4,r25 - eor r5,r16 - ld r14,Z+ - ld r15,Z+ - ld r24,Z+ - ld r25,Z+ - eor r2,r14 - eor r3,r15 - eor r4,r24 - eor r5,r25 - movw r24,r12 - movw r16,r22 - mov r15,r11 - lsl r15 - rol r24 - rol r25 - rol r16 - rol r17 - eor r6,r24 - eor r7,r25 - eor r8,r16 - eor r9,r17 - mov r14,r23 - mov r15,r28 - mov r24,r29 - mov r25,r2 - mov r0,r22 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - mov r16,r29 - mov r0,r28 - mov r17,r2 - mov r21,r3 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - and r14,r16 - and r15,r17 - and r24,r21 - mov r16,r3 - mov r17,r4 - lsl r16 - rol r17 - lsl r16 - rol r17 - lsl r16 - rol r17 - and r25,r17 - com r14 - com r15 - com r24 - com r25 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - movw r24,r2 - movw r16,r4 - mov r15,r29 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - eor r6,r15 - eor r7,r24 - eor r8,r25 - eor r9,r16 - ld r14,Z+ - ld r15,Z+ - ld r24,Z+ - ld r25,Z+ - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - movw r24,r28 - movw r16,r2 - mov r15,r23 - lsl r15 - rol r24 - rol r25 - rol r16 - rol r17 - eor r10,r24 - eor r11,r25 - eor 
r12,r16 - eor r13,r17 - mov r14,r3 - mov r15,r4 - mov r24,r5 - mov r25,r6 - mov r0,r2 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - mov r16,r5 - mov r0,r4 - mov r17,r6 - mov r21,r7 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - and r14,r16 - and r15,r17 - and r24,r21 - mov r16,r7 - mov r17,r8 - lsl r16 - rol r17 - lsl r16 - rol r17 - lsl r16 - rol r17 - and r25,r17 - com r14 - com r15 - com r24 - com r25 - eor r10,r14 - eor r11,r15 - eor r12,r24 - eor r13,r25 - movw r24,r6 - movw r16,r8 - mov r15,r5 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - eor r10,r15 - eor r11,r24 - eor r12,r25 - eor r13,r16 - ld r14,Z+ - ld r15,Z+ - ld r24,Z+ - ld r25,Z+ - eor r10,r14 - eor r11,r15 - eor r12,r24 - eor r13,r25 - dec r18 - breq 401f - subi r19,240 - cp r19,r20 - breq 5396f - rjmp 19b -5396: - sub r30,r20 - sbc r31,r1 - mov r19,r1 - rjmp 19b -401: - st -X,r13 - st -X,r12 - st -X,r11 - st -X,r10 - st -X,r9 - st -X,r8 - st -X,r7 - st -X,r6 - st -X,r5 - st -X,r4 - st -X,r3 - st -X,r2 - st -X,r29 - st -X,r28 - st -X,r23 - st -X,r22 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size tiny_jambu_permutation, .-tiny_jambu_permutation - -#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/internal-tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/internal-tinyjambu.c deleted file mode 100644 index 7f6fcf2..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/internal-tinyjambu.c +++ /dev/null 
@@ -1,70 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-tinyjambu.h" - -#if !defined(__AVR__) - -void tiny_jambu_permutation - (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, - unsigned key_words, unsigned rounds) -{ - uint32_t t1, t2, t3, t4; - unsigned round; - - /* Load the state into local variables */ - uint32_t s0 = state[0]; - uint32_t s1 = state[1]; - uint32_t s2 = state[2]; - uint32_t s3 = state[3]; - - /* Perform all permutation rounds. Each round consists of 128 steps, - * which can be performed 32 at a time plus a rotation. After four - * sets of 32 steps, the rotation order returns to the original position. 
- * So we can hide the rotations by doing 128 steps each round */ - for (round = 0; round < rounds; ++round) { - /* Get the key words to use during this round */ - const uint32_t *k = &(key[(round * 4) % key_words]); - - /* Perform the 128 steps of this round in groups of 32 */ - #define tiny_jambu_steps_32(s0, s1, s2, s3, offset) \ - do { \ - t1 = (s1 >> 15) | (s2 << 17); \ - t2 = (s2 >> 6) | (s3 << 26); \ - t3 = (s2 >> 21) | (s3 << 11); \ - t4 = (s2 >> 27) | (s3 << 5); \ - s0 ^= t1 ^ (~(t2 & t3)) ^ t4 ^ k[offset]; \ - } while (0) - tiny_jambu_steps_32(s0, s1, s2, s3, 0); - tiny_jambu_steps_32(s1, s2, s3, s0, 1); - tiny_jambu_steps_32(s2, s3, s0, s1, 2); - tiny_jambu_steps_32(s3, s0, s1, s2, 3); - } - - /* Store the local variables back to the state */ - state[0] = s0; - state[1] = s1; - state[2] = s2; - state[3] = s3; -} - -#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/internal-tinyjambu.h b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/internal-tinyjambu.h deleted file mode 100644 index f3bc599..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/internal-tinyjambu.h +++ /dev/null 
@@ -1,72 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_TINYJAMBU_H -#define LW_INTERNAL_TINYJAMBU_H - -#include "internal-util.h" - -/** - * \file internal-tinyjambu.h - * \brief Internal implementation of the TinyJAMBU permutation. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the TinyJAMBU state in 32-bit words. - */ -#define TINY_JAMBU_STATE_SIZE 4 - -/** - * \brief Converts a number of steps into a number of rounds, where each - * round consists of 128 steps. - * - * \param steps The number of steps to perform; 384, 1024, 1152, or 1280. - * - * \return The number of rounds corresponding to \a steps. - */ -#define TINYJAMBU_ROUNDS(steps) ((steps) / 128) - -/** - * \brief Perform the TinyJAMBU permutation. - * - * \param state TinyJAMBU state to be permuted. - * \param key Points to the key words. 
- * \param key_words The number of words in the key. - * \param rounds The number of rounds to perform. - * - * The number of key words should be 4 for TinyJAMBU-128, 12 for TinyJAMBU-192, - * and 8 for TinuJAMBU-256. The TinyJAMBU-192 key is duplicated so that the - * \a key_words parameter is a multiple of 4. - */ -void tiny_jambu_permutation - (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, - unsigned key_words, unsigned rounds); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/internal-util.h b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/internal-util.h deleted file mode 100644 index e30166d..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/internal-util.h +++ /dev/null 
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/tinyjambu.c
deleted file mode 100644
index 09fc41d..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/tinyjambu.c
+++ /dev/null
@@ -1,487 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "tinyjambu.h"
-#include "internal-tinyjambu.h"
-#include
-
-aead_cipher_t const tiny_jambu_128_cipher = {
- "TinyJAMBU-128",
- TINY_JAMBU_128_KEY_SIZE,
- TINY_JAMBU_NONCE_SIZE,
- TINY_JAMBU_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- tiny_jambu_128_aead_encrypt,
- tiny_jambu_128_aead_decrypt
-};
-
-aead_cipher_t const tiny_jambu_192_cipher = {
- "TinyJAMBU-192",
- TINY_JAMBU_192_KEY_SIZE,
- TINY_JAMBU_NONCE_SIZE,
- TINY_JAMBU_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- tiny_jambu_192_aead_encrypt,
- tiny_jambu_192_aead_decrypt
-};
-
-aead_cipher_t const tiny_jambu_256_cipher = {
- "TinyJAMBU-256",
- TINY_JAMBU_256_KEY_SIZE,
- TINY_JAMBU_NONCE_SIZE,
- TINY_JAMBU_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- tiny_jambu_256_aead_encrypt,
- tiny_jambu_256_aead_decrypt
-};
-
-/**
- * \brief Set up the TinyJAMBU state with the key and the nonce.
- *
- * \param state TinyJAMBU state to be permuted.
- * \param key Points to the key words.
- * \param key_words The number of words in the key.
- * \param rounds The number of rounds to perform to absorb the key.
- * \param nonce Points to the nonce.
- *
- * \sa tiny_jambu_permutation()
- */
-static void tiny_jambu_setup
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, unsigned rounds, const unsigned char *nonce)
-{
- /* Initialize the state with the key */
- memset(state, 0, TINY_JAMBU_STATE_SIZE * sizeof(uint32_t));
- tiny_jambu_permutation(state, key, key_words, rounds);
-
- /* Absorb the three 32-bit words of the 96-bit nonce */
- state[1] ^= 0x10; /* Domain separator for the nonce */
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= le_load_word32(nonce);
- state[1] ^= 0x10;
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= le_load_word32(nonce + 4);
- state[1] ^= 0x10;
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= le_load_word32(nonce + 8);
-}
-
-/**
- * \brief Processes the associated data for TinyJAMBU.
- *
- * \param state TinyJAMBU state to be permuted.
- * \param key Points to the key words.
- * \param key_words The number of words in the key.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void tiny_jambu_process_ad
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, const unsigned char *ad, unsigned long long adlen)
-{
- /* Process as many full 32-bit words as we can */
- while (adlen >= 4) {
- state[1] ^= 0x30; /* Domain separator for associated data */
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= le_load_word32(ad);
- ad += 4;
- adlen -= 4;
- }
-
- /* Handle the left-over associated data bytes, if any */
- if (adlen == 1) {
- state[1] ^= 0x30;
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= ad[0];
- state[1] ^= 0x01;
- } else if (adlen == 2) {
- state[1] ^= 0x30;
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= le_load_word16(ad);
- state[1] ^= 0x02;
- } else if (adlen == 3) {
- state[1] ^= 0x30;
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= le_load_word16(ad) | (((uint32_t)(ad[2])) << 16);
- state[1] ^= 0x03;
- }
-}
-
-/**
- * \brief Encrypts the plaintext with TinyJAMBU to produce the ciphertext.
- *
- * \param state TinyJAMBU state to be permuted.
- * \param key Points to the key words.
- * \param key_words The number of words in the key.
- * \param rounds The number of rounds to perform to process the plaintext.
- * \param c Points to the ciphertext output buffer.
- * \param m Points to the plaintext input buffer.
- * \param mlen Length of the plaintext in bytes.
- */
-static void tiny_jambu_encrypt
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, unsigned rounds, unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- uint32_t data;
-
- /* Process as many full 32-bit words as we can */
- while (mlen >= 4) {
- state[1] ^= 0x50; /* Domain separator for message data */
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = le_load_word32(m);
- state[3] ^= data;
- data ^= state[2];
- le_store_word32(c, data);
- c += 4;
- m += 4;
- mlen -= 4;
- }
-
- /* Handle the left-over plaintext data bytes, if any */
- if (mlen == 1) {
- state[1] ^= 0x50;
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = m[0];
- state[3] ^= data;
- state[1] ^= 0x01;
- c[0] = (uint8_t)(state[2] ^ data);
- } else if (mlen == 2) {
- state[1] ^= 0x50;
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = le_load_word16(m);
- state[3] ^= data;
- state[1] ^= 0x02;
- data ^= state[2];
- c[0] = (uint8_t)data;
- c[1] = (uint8_t)(data >> 8);
- } else if (mlen == 3) {
- state[1] ^= 0x50;
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = le_load_word16(m) | (((uint32_t)(m[2])) << 16);
- state[3] ^= data;
- state[1] ^= 0x03;
- data ^= state[2];
- c[0] = (uint8_t)data;
- c[1] = (uint8_t)(data >> 8);
- c[2] = (uint8_t)(data >> 16);
- }
-}
-
-/**
- * \brief Decrypts the ciphertext with TinyJAMBU to produce the plaintext.
- *
- * \param state TinyJAMBU state to be permuted.
- * \param key Points to the key words.
- * \param key_words The number of words in the key.
- * \param rounds The number of rounds to perform to process the ciphertext.
- * \param m Points to the plaintext output buffer.
- * \param c Points to the ciphertext input buffer.
- * \param mlen Length of the plaintext in bytes.
- */
-static void tiny_jambu_decrypt
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, unsigned rounds, unsigned char *m,
- const unsigned char *c, unsigned long long mlen)
-{
- uint32_t data;
-
- /* Process as many full 32-bit words as we can */
- while (mlen >= 4) {
- state[1] ^= 0x50; /* Domain separator for message data */
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = le_load_word32(c) ^ state[2];
- state[3] ^= data;
- le_store_word32(m, data);
- c += 4;
- m += 4;
- mlen -= 4;
- }
-
- /* Handle the left-over ciphertext data bytes, if any */
- if (mlen == 1) {
- state[1] ^= 0x50;
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = (c[0] ^ state[2]) & 0xFFU;
- state[3] ^= data;
- state[1] ^= 0x01;
- m[0] = (uint8_t)data;
- } else if (mlen == 2) {
- state[1] ^= 0x50;
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = (le_load_word16(c) ^ state[2]) & 0xFFFFU;
- state[3] ^= data;
- state[1] ^= 0x02;
- m[0] = (uint8_t)data;
- m[1] = (uint8_t)(data >> 8);
- } else if (mlen == 3) {
- state[1] ^= 0x50;
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = le_load_word16(c) | (((uint32_t)(c[2])) << 16);
- data = (data ^ state[2]) & 0xFFFFFFU;
- state[3] ^= data;
- state[1] ^= 0x03;
- m[0] = (uint8_t)data;
- m[1] = (uint8_t)(data >> 8);
- m[2] = (uint8_t)(data >> 16);
- }
-}
-
-/**
- * \brief Generates the final authentication tag for TinyJAMBU.
- *
- * \param state TinyJAMBU state to be permuted.
- * \param key Points to the key words.
- * \param key_words The number of words in the key.
- * \param rounds The number of rounds to perform to generate the tag.
- * \param tag Buffer to receive the tag.
- */
-static void tiny_jambu_generate_tag
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, unsigned rounds, unsigned char *tag)
-{
- state[1] ^= 0x70; /* Domain separator for finalization */
- tiny_jambu_permutation(state, key, key_words, rounds);
- le_store_word32(tag, state[2]);
- state[1] ^= 0x70;
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- le_store_word32(tag + 4, state[2]);
-}
-
-int tiny_jambu_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t state[TINY_JAMBU_STATE_SIZE];
- uint32_t key[4];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + TINY_JAMBU_TAG_SIZE;
-
- /* Unpack the key */
- key[0] = le_load_word32(k);
- key[1] = le_load_word32(k + 4);
- key[2] = le_load_word32(k + 8);
- key[3] = le_load_word32(k + 12);
-
- /* Set up the TinyJAMBU state with the key, nonce, and associated data */
- tiny_jambu_setup(state, key, 4, TINYJAMBU_ROUNDS(1024), npub);
- tiny_jambu_process_ad(state, key, 4, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- tiny_jambu_encrypt(state, key, 4, TINYJAMBU_ROUNDS(1024), c, m, mlen);
-
- /* Generate the authentication tag */
- tiny_jambu_generate_tag(state, key, 4, TINYJAMBU_ROUNDS(1024), c + mlen);
- return 0;
-}
-
-int tiny_jambu_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t state[TINY_JAMBU_STATE_SIZE];
- uint32_t key[4];
- unsigned char tag[TINY_JAMBU_TAG_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < TINY_JAMBU_TAG_SIZE)
- return -1;
- *mlen = clen - TINY_JAMBU_TAG_SIZE;
-
- /* Unpack the key */
- key[0] = le_load_word32(k);
- key[1] = le_load_word32(k + 4);
- key[2] = le_load_word32(k + 8);
- key[3] = le_load_word32(k + 12);
-
- /* Set up the TinyJAMBU state with the key, nonce, and associated data */
- tiny_jambu_setup(state, key, 4, TINYJAMBU_ROUNDS(1024), npub);
- tiny_jambu_process_ad(state, key, 4, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- tiny_jambu_decrypt(state, key, 4, TINYJAMBU_ROUNDS(1024), m, c, *mlen);
-
- /* Check the authentication tag */
- tiny_jambu_generate_tag(state, key, 4, TINYJAMBU_ROUNDS(1024), tag);
- return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE);
-}
-
-int tiny_jambu_192_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t state[TINY_JAMBU_STATE_SIZE];
- uint32_t key[12];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + TINY_JAMBU_TAG_SIZE;
-
- /* Unpack the key and duplicate it to make the length a multiple of 4 */
- key[6] = key[0] = le_load_word32(k);
- key[7] = key[1] = le_load_word32(k + 4);
- key[8] = key[2] = le_load_word32(k + 8);
- key[9] = key[3] = le_load_word32(k + 12);
- key[10] = key[4] = le_load_word32(k + 16);
- key[11] = key[5] = le_load_word32(k + 20);
-
- /* Set up the TinyJAMBU state with the key, nonce, and associated data */
- tiny_jambu_setup(state, key, 12, TINYJAMBU_ROUNDS(1152), npub);
- tiny_jambu_process_ad(state, key, 12, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- tiny_jambu_encrypt(state, key, 12, TINYJAMBU_ROUNDS(1152), c, m, mlen);
-
- /* Generate the authentication tag */
- tiny_jambu_generate_tag(state, key, 12, TINYJAMBU_ROUNDS(1152), c + mlen);
- return 0;
-}
-
-int tiny_jambu_192_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t state[TINY_JAMBU_STATE_SIZE];
- uint32_t key[12];
- unsigned char tag[TINY_JAMBU_TAG_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < TINY_JAMBU_TAG_SIZE)
- return -1;
- *mlen = clen - TINY_JAMBU_TAG_SIZE;
-
- /* Unpack the key and duplicate it to make the length a multiple of 4 */
- key[6] = key[0] = le_load_word32(k);
- key[7] = key[1] = le_load_word32(k + 4);
- key[8] = key[2] = le_load_word32(k + 8);
- key[9] = key[3] = le_load_word32(k + 12);
- key[10] = key[4] = le_load_word32(k + 16);
- key[11] = key[5] = le_load_word32(k + 20);
-
- /* Set up the TinyJAMBU state with the key, nonce, and associated data */
- tiny_jambu_setup(state, key, 12, TINYJAMBU_ROUNDS(1152), npub);
- tiny_jambu_process_ad(state, key, 12, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- tiny_jambu_decrypt(state, key, 12, TINYJAMBU_ROUNDS(1152), m, c, *mlen);
-
- /* Check the authentication tag */
- tiny_jambu_generate_tag(state, key, 12, TINYJAMBU_ROUNDS(1152), tag);
- return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE);
-}
-
-int tiny_jambu_256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t state[TINY_JAMBU_STATE_SIZE];
- uint32_t key[8];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + TINY_JAMBU_TAG_SIZE;
-
- /* Unpack the key */
- key[0] = le_load_word32(k);
- key[1] = le_load_word32(k + 4);
- key[2] = le_load_word32(k + 8);
- key[3] = le_load_word32(k + 12);
- key[4] = le_load_word32(k + 16);
- key[5] = le_load_word32(k + 20);
- key[6] = le_load_word32(k + 24);
- key[7] = le_load_word32(k + 28);
-
- /* Set up the TinyJAMBU state with the key, nonce, and associated data */
- tiny_jambu_setup(state, key, 8, TINYJAMBU_ROUNDS(1280), npub);
- tiny_jambu_process_ad(state, key, 8, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- tiny_jambu_encrypt(state, key, 8, TINYJAMBU_ROUNDS(1280), c, m, mlen);
-
- /* Generate the authentication tag */
- tiny_jambu_generate_tag(state, key, 8, TINYJAMBU_ROUNDS(1280), c + mlen);
- return 0;
-}
-
-int tiny_jambu_256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t state[TINY_JAMBU_STATE_SIZE];
- uint32_t key[8];
- unsigned char tag[TINY_JAMBU_TAG_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < TINY_JAMBU_TAG_SIZE)
- return -1;
- *mlen = clen - TINY_JAMBU_TAG_SIZE;
-
- /* Unpack the key */
- key[0] = le_load_word32(k);
- key[1] = le_load_word32(k + 4);
- key[2] = le_load_word32(k + 8);
- key[3] = le_load_word32(k + 12);
- key[4] = le_load_word32(k + 16);
- key[5] = le_load_word32(k + 20);
- key[6] = le_load_word32(k + 24);
- key[7] = le_load_word32(k + 28);
-
- /* Set up the TinyJAMBU state with the key, nonce, and associated data */
- tiny_jambu_setup(state, key, 8, TINYJAMBU_ROUNDS(1280), npub);
- tiny_jambu_process_ad(state, key, 8, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- tiny_jambu_decrypt(state, key, 8, TINYJAMBU_ROUNDS(1280), m, c, *mlen);
-
- /* Check the authentication tag */
- tiny_jambu_generate_tag(state, key, 8, TINYJAMBU_ROUNDS(1280), tag);
- return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE);
-}
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/tinyjambu.h b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/tinyjambu.h deleted file mode 100644 index cb304ff..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys-avr/tinyjambu.h +++ /dev/null 
@@ -1,270 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_TINYJAMBU_H -#define LWCRYPTO_TINYJAMBU_H - -#include "aead-common.h" - -/** - * \file tinyjambu.h - * \brief TinyJAMBU authenticated encryption algorithm. - * - * TinyJAMBU is a family of encryption algorithms that are built around a - * lightweight 128-bit permutation. There are three variants of TinyJAMBU - * with different key sizes: - * - * \li TinyJAMBU-128 with a 128-bit key, a 96-bit nonce, and a 64-bit tag. - * This is the primary member of the family. - * \li TinyJAMBU-192 with a 192-bit key, a 96-bit nonce, and a 64-bit tag. - * \li TinyJAMBU-256 with a 256-bit key, a 96-bit nonce, and a 64-bit tag. - * - * TinyJAMBU has one of the smallest RAM and flash memory footprints - * out of all the algorithms in this library. 
- */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for TinyJAMBU-128. - */ -#define TINY_JAMBU_128_KEY_SIZE 16 - -/** - * \brief Size of the key for TinyJAMBU-192. - */ -#define TINY_JAMBU_192_KEY_SIZE 24 - -/** - * \brief Size of the key for TinyJAMBU-256. - */ -#define TINY_JAMBU_256_KEY_SIZE 32 - -/** - * \brief Size of the authentication tag for all TinyJAMBU variants. - */ -#define TINY_JAMBU_TAG_SIZE 8 - -/** - * \brief Size of the nonce for all TinyJAMBU variants. - */ -#define TINY_JAMBU_NONCE_SIZE 12 - -/** - * \brief Meta-information block for the TinyJAMBU-128 cipher. - */ -extern aead_cipher_t const tiny_jambu_128_cipher; - -/** - * \brief Meta-information block for the TinyJAMBU-192 cipher. - */ -extern aead_cipher_t const tiny_jambu_192_cipher; - -/** - * \brief Meta-information block for the TinyJAMBU-256 cipher. - */ -extern aead_cipher_t const tiny_jambu_256_cipher; - -/** - * \brief Encrypts and authenticates a packet with TinyJAMBU-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa tiny_jambu_128_aead_decrypt() - */ -int tiny_jambu_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with TinyJAMBU-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa tiny_jambu_128_aead_encrypt() - */ -int tiny_jambu_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with TinyJAMBU-192. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 24 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa tiny_jambu_192_aead_decrypt() - */ -int tiny_jambu_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with TinyJAMBU-192. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 24 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa tiny_jambu_192_aead_encrypt() - */ -int tiny_jambu_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with TinyJAMBU-256. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 32 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa tiny_jambu_256_aead_decrypt() - */ -int tiny_jambu_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with TinyJAMBU-256. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 32 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa tiny_jambu_256_aead_encrypt() - */ -int tiny_jambu_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu-avr.S b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu-avr.S new file mode 100644 index 0000000..c7f2d1c --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu-avr.S 
@@ -0,0 +1,471 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global tiny_jambu_permutation + .type tiny_jambu_permutation, @function +tiny_jambu_permutation: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r26,r24 + movw r30,r22 +.L__stack_usage = 18 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + lsl r20 + lsl r20 + mov r19,r1 +19: + movw r24,r4 + movw r16,r6 + mov r15,r3 + lsl r15 + rol r24 + rol r25 + rol r16 + rol r17 + eor r22,r24 + eor r23,r25 + eor r28,r16 + eor r29,r17 + mov r14,r7 + mov r15,r8 + mov r24,r9 + mov r25,r10 + mov r0,r6 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + mov r16,r9 + mov r0,r8 + mov r17,r10 + mov r21,r11 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + and r14,r16 + and r15,r17 + and r24,r21 + mov r16,r11 + mov r17,r12 + lsl r16 + rol r17 + lsl r16 + rol r17 + lsl r16 + rol r17 + and r25,r17 + com r14 + com r15 + com r24 + com r25 + eor r22,r14 + eor r23,r15 + eor r28,r24 + eor r29,r25 + movw r24,r10 + movw r16,r12 + mov r15,r9 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + eor r22,r15 + eor r23,r24 + eor r28,r25 + eor r29,r16 + ld r14,Z+ + ld r15,Z+ + ld r24,Z+ + ld r25,Z+ + eor r22,r14 + eor r23,r15 + eor r28,r24 + eor r29,r25 + movw r24,r8 + movw r16,r10 + mov r15,r7 + lsl r15 + rol r24 + rol r25 + rol r16 + rol r17 + eor r2,r24 + eor r3,r25 + eor r4,r16 + eor r5,r17 + mov r14,r11 + mov r15,r12 + mov r24,r13 + mov r25,r22 + mov r0,r10 + lsl r0 + rol r14 + rol r15 + rol r24 + rol 
r25 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + mov r16,r13 + mov r0,r12 + mov r17,r22 + mov r21,r23 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + and r14,r16 + and r15,r17 + and r24,r21 + mov r16,r23 + mov r17,r28 + lsl r16 + rol r17 + lsl r16 + rol r17 + lsl r16 + rol r17 + and r25,r17 + com r14 + com r15 + com r24 + com r25 + eor r2,r14 + eor r3,r15 + eor r4,r24 + eor r5,r25 + movw r24,r22 + movw r16,r28 + mov r15,r13 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + eor r2,r15 + eor r3,r24 + eor r4,r25 + eor r5,r16 + ld r14,Z+ + ld r15,Z+ + ld r24,Z+ + ld r25,Z+ + eor r2,r14 + eor r3,r15 + eor r4,r24 + eor r5,r25 + movw r24,r12 + movw r16,r22 + mov r15,r11 + lsl r15 + rol r24 + rol r25 + rol r16 + rol r17 + eor r6,r24 + eor r7,r25 + eor r8,r16 + eor r9,r17 + mov r14,r23 + mov r15,r28 + mov r24,r29 + mov r25,r2 + mov r0,r22 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + mov r16,r29 + mov r0,r28 + mov r17,r2 + mov r21,r3 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + and r14,r16 + and r15,r17 + and r24,r21 + mov r16,r3 + mov r17,r4 + lsl r16 + rol r17 + lsl r16 + rol r17 + lsl r16 + rol r17 + and r25,r17 + com r14 + com r15 + com r24 + com r25 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + movw r24,r2 + movw r16,r4 + mov r15,r29 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + eor r6,r15 + eor r7,r24 + eor r8,r25 + eor r9,r16 + ld r14,Z+ + ld r15,Z+ + ld r24,Z+ + ld r25,Z+ + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + movw r24,r28 + movw r16,r2 + mov r15,r23 + lsl r15 + rol r24 + rol r25 + rol r16 + rol r17 + eor r10,r24 + eor r11,r25 + eor 
r12,r16 + eor r13,r17 + mov r14,r3 + mov r15,r4 + mov r24,r5 + mov r25,r6 + mov r0,r2 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + mov r16,r5 + mov r0,r4 + mov r17,r6 + mov r21,r7 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + and r14,r16 + and r15,r17 + and r24,r21 + mov r16,r7 + mov r17,r8 + lsl r16 + rol r17 + lsl r16 + rol r17 + lsl r16 + rol r17 + and r25,r17 + com r14 + com r15 + com r24 + com r25 + eor r10,r14 + eor r11,r15 + eor r12,r24 + eor r13,r25 + movw r24,r6 + movw r16,r8 + mov r15,r5 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + eor r10,r15 + eor r11,r24 + eor r12,r25 + eor r13,r16 + ld r14,Z+ + ld r15,Z+ + ld r24,Z+ + ld r25,Z+ + eor r10,r14 + eor r11,r15 + eor r12,r24 + eor r13,r25 + dec r18 + breq 401f + subi r19,240 + cp r19,r20 + breq 5396f + rjmp 19b +5396: + sub r30,r20 + sbc r31,r1 + mov r19,r1 + rjmp 19b +401: + st -X,r13 + st -X,r12 + st -X,r11 + st -X,r10 + st -X,r9 + st -X,r8 + st -X,r7 + st -X,r6 + st -X,r5 + st -X,r4 + st -X,r3 + st -X,r2 + st -X,r29 + st -X,r28 + st -X,r23 + st -X,r22 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size tiny_jambu_permutation, .-tiny_jambu_permutation + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.c index 7308718..7f6fcf2 100644 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.c +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-tinyjambu.c 
@@ -22,6 +22,8 @@ #include "internal-tinyjambu.h" +#if !defined(__AVR__) + void tiny_jambu_permutation (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, unsigned key_words, unsigned rounds) @@ -64,3 +66,5 @@ void tiny_jambu_permutation state[2] = s2; state[3] = s3; } + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-util.h b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-util.h index e79158c..e30166d 100644 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-util.h +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu128/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
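Review bot: The closing `+#endif` in the second internal-tinyjambu.c hunk (`@@ -64,3 +66,5 @@`) is bare, and the opening guard in the first hunk says nothing about what provides `tiny_jambu_permutation` once the C body is compiled out, so a reader at either end has to already know that the new internal-tinyjambu-avr.S exists. Tagging both ends, `+#if !defined(__AVR__) /* AVR builds use internal-tinyjambu-avr.S */` and `+#endif /* !__AVR__ */`, makes the substitution visible where it happens. Note that after this change no portable C version of the permutation exists on AVR, so any cross-check of the assembly against the reference code has to be run from a non-AVR host. The body of tiny_jambu_permutation lies between the two hunks, outside the visible context.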
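Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` in the internal-util.h `@@ -238,6 +238,17 @@` hunk is tied unconditionally to `__AVR__`, so the 62 hand-composed rotation macros that the later `@@ -322,6 +335,138 @@` hunk selects can only ever be compiled for an AVR target, and a host-side equivalence check against the barrel-shifter forms requires editing the header. Wrapping the selector in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` would let a host build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and assert `leftRotateN(x) == leftRotate(x, N)` for every N. That is the cheapest way to catch a miscomposed count, which would leave the permutation running but diverging from the known-answer vectors. The same selector block appears in the other per-implementation copies of internal-util.h touched by this commit, so the override would need to go into each copy.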
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/aead-common.c b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/aead-common.c deleted file mode 100644 index 84fc53a..0000000 
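Review bot: The composed table is hand-written and nothing in the hunk states the invariants a maintainer must preserve: each chain must total its named count, each `rightRotateN` must alias `leftRotate(32-N)`, and every step is a constant-count shift so the rotations stay data-independent in timing. A comment above `+/* Composed rotation macros where 1 and 8 are fast, but others are slow */` such as `/* Invariants: leftRotateN(a) == leftRotate(a, N) for 1 <= N <= 31, rightRotateN(a) == leftRotate(32-N)(a); every step is a constant shift, so timing never depends on the data. */` would record that. I checked all 31 `leftRotateN` chains and the 31 `rightRotateN` aliases against their counts and found them consistent. The generic `leftRotate` in the earlier `@@ -254` hunk binds a local `_temp`, so nesting it up to five deep (`leftRotate20`) re-declares `_temp` inside its own initializer; that is well-defined under the GNU statement-expression extension, but `-Wshadow` builds will likely flag it. The 64-bit rotations that follow the `#endif` receive no composed variant, which is presumably intentional if no AVR path uses them and is worth a one-line comment confirming it.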
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/aead-common.h b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/api.h b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/api.h
deleted file mode 100644
index 1ee99ed..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 24
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 12
-#define CRYPTO_ABYTES 8
-#define CRYPTO_NOOVERLAP 1
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/encrypt.c b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/encrypt.c
deleted file mode 100644
index 62a5dde..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "tinyjambu.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return tiny_jambu_192_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return tiny_jambu_192_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/internal-tinyjambu-avr.S b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/internal-tinyjambu-avr.S
deleted file mode 100644
index c7f2d1c..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/internal-tinyjambu-avr.S
+++ /dev/null
@@ -1,471 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global tiny_jambu_permutation - .type tiny_jambu_permutation, @function -tiny_jambu_permutation: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r26,r24 - movw r30,r22 -.L__stack_usage = 18 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - lsl r20 - lsl r20 - mov r19,r1 -19: - movw r24,r4 - movw r16,r6 - mov r15,r3 - lsl r15 - rol r24 - rol r25 - rol r16 - rol r17 - eor r22,r24 - eor r23,r25 - eor r28,r16 - eor r29,r17 - mov r14,r7 - mov r15,r8 - mov r24,r9 - mov r25,r10 - mov r0,r6 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - mov r16,r9 - mov r0,r8 - mov r17,r10 - mov r21,r11 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - and r14,r16 - and r15,r17 - and r24,r21 - mov r16,r11 - mov r17,r12 - lsl r16 - rol r17 - lsl r16 - rol r17 - lsl r16 - rol r17 - and r25,r17 - com r14 - com r15 - com r24 - com r25 - eor r22,r14 - eor r23,r15 - eor r28,r24 - eor r29,r25 - movw r24,r10 - movw r16,r12 - mov r15,r9 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - eor r22,r15 - eor r23,r24 - eor r28,r25 - eor r29,r16 - ld r14,Z+ - ld r15,Z+ - ld r24,Z+ - ld r25,Z+ - eor r22,r14 - eor r23,r15 - eor r28,r24 - eor r29,r25 - movw r24,r8 - movw r16,r10 - mov r15,r7 - lsl r15 - rol r24 - rol r25 - rol r16 - rol r17 - eor r2,r24 - eor r3,r25 - eor r4,r16 - eor r5,r17 - mov r14,r11 - mov r15,r12 - mov r24,r13 - mov r25,r22 - mov r0,r10 - lsl r0 - rol r14 - rol r15 - rol r24 - rol 
r25 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - mov r16,r13 - mov r0,r12 - mov r17,r22 - mov r21,r23 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - and r14,r16 - and r15,r17 - and r24,r21 - mov r16,r23 - mov r17,r28 - lsl r16 - rol r17 - lsl r16 - rol r17 - lsl r16 - rol r17 - and r25,r17 - com r14 - com r15 - com r24 - com r25 - eor r2,r14 - eor r3,r15 - eor r4,r24 - eor r5,r25 - movw r24,r22 - movw r16,r28 - mov r15,r13 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - eor r2,r15 - eor r3,r24 - eor r4,r25 - eor r5,r16 - ld r14,Z+ - ld r15,Z+ - ld r24,Z+ - ld r25,Z+ - eor r2,r14 - eor r3,r15 - eor r4,r24 - eor r5,r25 - movw r24,r12 - movw r16,r22 - mov r15,r11 - lsl r15 - rol r24 - rol r25 - rol r16 - rol r17 - eor r6,r24 - eor r7,r25 - eor r8,r16 - eor r9,r17 - mov r14,r23 - mov r15,r28 - mov r24,r29 - mov r25,r2 - mov r0,r22 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - mov r16,r29 - mov r0,r28 - mov r17,r2 - mov r21,r3 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - and r14,r16 - and r15,r17 - and r24,r21 - mov r16,r3 - mov r17,r4 - lsl r16 - rol r17 - lsl r16 - rol r17 - lsl r16 - rol r17 - and r25,r17 - com r14 - com r15 - com r24 - com r25 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - movw r24,r2 - movw r16,r4 - mov r15,r29 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - eor r6,r15 - eor r7,r24 - eor r8,r25 - eor r9,r16 - ld r14,Z+ - ld r15,Z+ - ld r24,Z+ - ld r25,Z+ - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - movw r24,r28 - movw r16,r2 - mov r15,r23 - lsl r15 - rol r24 - rol r25 - rol r16 - rol r17 - eor r10,r24 - eor r11,r25 - eor 
r12,r16 - eor r13,r17 - mov r14,r3 - mov r15,r4 - mov r24,r5 - mov r25,r6 - mov r0,r2 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - mov r16,r5 - mov r0,r4 - mov r17,r6 - mov r21,r7 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - and r14,r16 - and r15,r17 - and r24,r21 - mov r16,r7 - mov r17,r8 - lsl r16 - rol r17 - lsl r16 - rol r17 - lsl r16 - rol r17 - and r25,r17 - com r14 - com r15 - com r24 - com r25 - eor r10,r14 - eor r11,r15 - eor r12,r24 - eor r13,r25 - movw r24,r6 - movw r16,r8 - mov r15,r5 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - eor r10,r15 - eor r11,r24 - eor r12,r25 - eor r13,r16 - ld r14,Z+ - ld r15,Z+ - ld r24,Z+ - ld r25,Z+ - eor r10,r14 - eor r11,r15 - eor r12,r24 - eor r13,r25 - dec r18 - breq 401f - subi r19,240 - cp r19,r20 - breq 5396f - rjmp 19b -5396: - sub r30,r20 - sbc r31,r1 - mov r19,r1 - rjmp 19b -401: - st -X,r13 - st -X,r12 - st -X,r11 - st -X,r10 - st -X,r9 - st -X,r8 - st -X,r7 - st -X,r6 - st -X,r5 - st -X,r4 - st -X,r3 - st -X,r2 - st -X,r29 - st -X,r28 - st -X,r23 - st -X,r22 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size tiny_jambu_permutation, .-tiny_jambu_permutation - -#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/internal-tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/internal-tinyjambu.c deleted file mode 100644 index 7f6fcf2..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/internal-tinyjambu.c +++ /dev/null 
@@ -1,70 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-tinyjambu.h"
-
-#if !defined(__AVR__)
-
-void tiny_jambu_permutation
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, unsigned rounds)
-{
- uint32_t t1, t2, t3, t4;
- unsigned round;
-
- /* Load the state into local variables */
- uint32_t s0 = state[0];
- uint32_t s1 = state[1];
- uint32_t s2 = state[2];
- uint32_t s3 = state[3];
-
- /* Perform all permutation rounds. Each round consists of 128 steps,
- * which can be performed 32 at a time plus a rotation. After four
- * sets of 32 steps, the rotation order returns to the original position.
- * So we can hide the rotations by doing 128 steps each round */
- for (round = 0; round < rounds; ++round) {
- /* Get the key words to use during this round */
- const uint32_t *k = &(key[(round * 4) % key_words]);
-
- /* Perform the 128 steps of this round in groups of 32 */
- #define tiny_jambu_steps_32(s0, s1, s2, s3, offset) \
- do { \
- t1 = (s1 >> 15) | (s2 << 17); \
- t2 = (s2 >> 6) | (s3 << 26); \
- t3 = (s2 >> 21) | (s3 << 11); \
- t4 = (s2 >> 27) | (s3 << 5); \
- s0 ^= t1 ^ (~(t2 & t3)) ^ t4 ^ k[offset]; \
- } while (0)
- tiny_jambu_steps_32(s0, s1, s2, s3, 0);
- tiny_jambu_steps_32(s1, s2, s3, s0, 1);
- tiny_jambu_steps_32(s2, s3, s0, s1, 2);
- tiny_jambu_steps_32(s3, s0, s1, s2, 3);
- }
-
- /* Store the local variables back to the state */
- state[0] = s0;
- state[1] = s1;
- state[2] = s2;
- state[3] = s3;
-}
-
-#endif
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/internal-tinyjambu.h b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/internal-tinyjambu.h
deleted file mode 100644
index f3bc599..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/internal-tinyjambu.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_TINYJAMBU_H
-#define LW_INTERNAL_TINYJAMBU_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-tinyjambu.h
- * \brief Internal implementation of the TinyJAMBU permutation.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the TinyJAMBU state in 32-bit words.
- */
-#define TINY_JAMBU_STATE_SIZE 4
-
-/**
- * \brief Converts a number of steps into a number of rounds, where each
- * round consists of 128 steps.
- *
- * \param steps The number of steps to perform; 384, 1024, 1152, or 1280.
- *
- * \return The number of rounds corresponding to \a steps.
- */
-#define TINYJAMBU_ROUNDS(steps) ((steps) / 128)
-
-/**
- * \brief Perform the TinyJAMBU permutation.
- *
- * \param state TinyJAMBU state to be permuted.
- * \param key Points to the key words.
- * \param key_words The number of words in the key.
- * \param rounds The number of rounds to perform.
- *
- * The number of key words should be 4 for TinyJAMBU-128, 12 for TinyJAMBU-192,
- * and 8 for TinuJAMBU-256. The TinyJAMBU-192 key is duplicated so that the
- * \a key_words parameter is a multiple of 4.
- */
-void tiny_jambu_permutation
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, unsigned rounds);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/internal-util.h b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate
by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define
rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define
leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits.
These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a)
(rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of
bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_16(a) (leftRotate_16((a), 1))
-#define leftRotate2_16(a) (leftRotate_16((a), 2))
-#define leftRotate3_16(a) (leftRotate_16((a), 3))
-#define leftRotate4_16(a) (leftRotate_16((a), 4))
-#define leftRotate5_16(a) (leftRotate_16((a), 5))
-#define leftRotate6_16(a) (leftRotate_16((a), 6))
-#define leftRotate7_16(a) (leftRotate_16((a), 7))
-#define leftRotate8_16(a) (leftRotate_16((a), 8))
-#define leftRotate9_16(a) (leftRotate_16((a), 9))
-#define leftRotate10_16(a) (leftRotate_16((a), 10))
-#define leftRotate11_16(a) (leftRotate_16((a), 11))
-#define leftRotate12_16(a) (leftRotate_16((a), 12))
-#define leftRotate13_16(a) (leftRotate_16((a), 13))
-#define leftRotate14_16(a) (leftRotate_16((a), 14))
-#define leftRotate15_16(a) (leftRotate_16((a), 15))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_16(a) (rightRotate_16((a), 1))
-#define rightRotate2_16(a) (rightRotate_16((a), 2))
-#define rightRotate3_16(a) (rightRotate_16((a), 3))
-#define rightRotate4_16(a) (rightRotate_16((a), 4))
-#define rightRotate5_16(a) (rightRotate_16((a), 5))
-#define rightRotate6_16(a) (rightRotate_16((a), 6))
-#define rightRotate7_16(a) (rightRotate_16((a), 7))
-#define rightRotate8_16(a) (rightRotate_16((a), 8))
-#define rightRotate9_16(a) (rightRotate_16((a), 9))
-#define rightRotate10_16(a) (rightRotate_16((a), 10))
-#define rightRotate11_16(a) (rightRotate_16((a), 11))
-#define rightRotate12_16(a) (rightRotate_16((a), 12))
-#define rightRotate13_16(a) (rightRotate_16((a), 13))
-#define rightRotate14_16(a) (rightRotate_16((a), 14))
-#define rightRotate15_16(a) (rightRotate_16((a), 15))
-
-/* Rotate an 8-bit value left by a number of bits */
-#define leftRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp << (bits)) |
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/tinyjambu.c
deleted file mode 100644
index 09fc41d..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/tinyjambu.c
+++ /dev/null
@@ -1,487 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "tinyjambu.h"
-#include "internal-tinyjambu.h"
-#include
-
-aead_cipher_t const tiny_jambu_128_cipher = {
- "TinyJAMBU-128",
- TINY_JAMBU_128_KEY_SIZE,
- TINY_JAMBU_NONCE_SIZE,
- TINY_JAMBU_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- tiny_jambu_128_aead_encrypt,
- tiny_jambu_128_aead_decrypt
-};
-
-aead_cipher_t const tiny_jambu_192_cipher = {
- "TinyJAMBU-192",
- TINY_JAMBU_192_KEY_SIZE,
- TINY_JAMBU_NONCE_SIZE,
- TINY_JAMBU_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- tiny_jambu_192_aead_encrypt,
- tiny_jambu_192_aead_decrypt
-};
-
-aead_cipher_t const tiny_jambu_256_cipher = {
- "TinyJAMBU-256",
- TINY_JAMBU_256_KEY_SIZE,
- TINY_JAMBU_NONCE_SIZE,
- TINY_JAMBU_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- tiny_jambu_256_aead_encrypt,
- tiny_jambu_256_aead_decrypt
-};
-
-/**
- * \brief Set up the TinyJAMBU state with the key and the nonce.
- *
- * \param state TinyJAMBU state to be permuted.
- * \param key Points to the key words.
- * \param key_words The number of words in the key.
- * \param rounds The number of rounds to perform to absorb the key.
- * \param nonce Points to the nonce.
- *
- * \sa tiny_jambu_permutation()
- */
-static void tiny_jambu_setup
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, unsigned rounds, const unsigned char *nonce)
-{
- /* Initialize the state with the key */
- memset(state, 0, TINY_JAMBU_STATE_SIZE * sizeof(uint32_t));
- tiny_jambu_permutation(state, key, key_words, rounds);
-
- /* Absorb the three 32-bit words of the 96-bit nonce */
- state[1] ^= 0x10; /* Domain separator for the nonce */
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= le_load_word32(nonce);
- state[1] ^= 0x10;
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= le_load_word32(nonce + 4);
- state[1] ^= 0x10;
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= le_load_word32(nonce + 8);
-}
-
-/**
- * \brief Processes the associated data for TinyJAMBU.
- *
- * \param state TinyJAMBU state to be permuted.
- * \param key Points to the key words.
- * \param key_words The number of words in the key.
- * \param ad Points to the associated data.
- * \param adlen Length of the associated data in bytes.
- */
-static void tiny_jambu_process_ad
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, const unsigned char *ad, unsigned long long adlen)
-{
- /* Process as many full 32-bit words as we can */
- while (adlen >= 4) {
- state[1] ^= 0x30; /* Domain separator for associated data */
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= le_load_word32(ad);
- ad += 4;
- adlen -= 4;
- }
-
- /* Handle the left-over associated data bytes, if any */
- if (adlen == 1) {
- state[1] ^= 0x30;
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= ad[0];
- state[1] ^= 0x01;
- } else if (adlen == 2) {
- state[1] ^= 0x30;
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= le_load_word16(ad);
- state[1] ^= 0x02;
- } else if (adlen == 3) {
- state[1] ^= 0x30;
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- state[3] ^= le_load_word16(ad) | (((uint32_t)(ad[2])) << 16);
- state[1] ^= 0x03;
- }
-}
-
-/**
- * \brief Encrypts the plaintext with TinyJAMBU to produce the ciphertext.
- *
- * \param state TinyJAMBU state to be permuted.
- * \param key Points to the key words.
- * \param key_words The number of words in the key.
- * \param rounds The number of rounds to perform to process the plaintext.
- * \param c Points to the ciphertext output buffer.
- * \param m Points to the plaintext input buffer.
- * \param mlen Length of the plaintext in bytes.
- */
-static void tiny_jambu_encrypt
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, unsigned rounds, unsigned char *c,
- const unsigned char *m, unsigned long long mlen)
-{
- uint32_t data;
-
- /* Process as many full 32-bit words as we can */
- while (mlen >= 4) {
- state[1] ^= 0x50; /* Domain separator for message data */
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = le_load_word32(m);
- state[3] ^= data;
- data ^= state[2];
- le_store_word32(c, data);
- c += 4;
- m += 4;
- mlen -= 4;
- }
-
- /* Handle the left-over plaintext data bytes, if any */
- if (mlen == 1) {
- state[1] ^= 0x50;
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = m[0];
- state[3] ^= data;
- state[1] ^= 0x01;
- c[0] = (uint8_t)(state[2] ^ data);
- } else if (mlen == 2) {
- state[1] ^= 0x50;
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = le_load_word16(m);
- state[3] ^= data;
- state[1] ^= 0x02;
- data ^= state[2];
- c[0] = (uint8_t)data;
- c[1] = (uint8_t)(data >> 8);
- } else if (mlen == 3) {
- state[1] ^= 0x50;
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = le_load_word16(m) | (((uint32_t)(m[2])) << 16);
- state[3] ^= data;
- state[1] ^= 0x03;
- data ^= state[2];
- c[0] = (uint8_t)data;
- c[1] = (uint8_t)(data >> 8);
- c[2] = (uint8_t)(data >> 16);
- }
-}
-
-/**
- * \brief Decrypts the ciphertext with TinyJAMBU to produce the plaintext.
- *
- * \param state TinyJAMBU state to be permuted.
- * \param key Points to the key words.
- * \param key_words The number of words in the key.
- * \param rounds The number of rounds to perform to process the ciphertext.
- * \param m Points to the plaintext output buffer.
- * \param c Points to the ciphertext input buffer.
- * \param mlen Length of the plaintext in bytes.
- */
-static void tiny_jambu_decrypt
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, unsigned rounds, unsigned char *m,
- const unsigned char *c, unsigned long long mlen)
-{
- uint32_t data;
-
- /* Process as many full 32-bit words as we can */
- while (mlen >= 4) {
- state[1] ^= 0x50; /* Domain separator for message data */
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = le_load_word32(c) ^ state[2];
- state[3] ^= data;
- le_store_word32(m, data);
- c += 4;
- m += 4;
- mlen -= 4;
- }
-
- /* Handle the left-over ciphertext data bytes, if any */
- if (mlen == 1) {
- state[1] ^= 0x50;
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = (c[0] ^ state[2]) & 0xFFU;
- state[3] ^= data;
- state[1] ^= 0x01;
- m[0] = (uint8_t)data;
- } else if (mlen == 2) {
- state[1] ^= 0x50;
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = (le_load_word16(c) ^ state[2]) & 0xFFFFU;
- state[3] ^= data;
- state[1] ^= 0x02;
- m[0] = (uint8_t)data;
- m[1] = (uint8_t)(data >> 8);
- } else if (mlen == 3) {
- state[1] ^= 0x50;
- tiny_jambu_permutation(state, key, key_words, rounds);
- data = le_load_word16(c) | (((uint32_t)(c[2])) << 16);
- data = (data ^ state[2]) & 0xFFFFFFU;
- state[3] ^= data;
- state[1] ^= 0x03;
- m[0] = (uint8_t)data;
- m[1] = (uint8_t)(data >> 8);
- m[2] = (uint8_t)(data >> 16);
- }
-}
-
-/**
- * \brief Generates the final authentication tag for TinyJAMBU.
- *
- * \param state TinyJAMBU state to be permuted.
- * \param key Points to the key words.
- * \param key_words The number of words in the key.
- * \param rounds The number of rounds to perform to generate the tag.
- * \param tag Buffer to receive the tag.
- */
-static void tiny_jambu_generate_tag
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, unsigned rounds, unsigned char *tag)
-{
- state[1] ^= 0x70; /* Domain separator for finalization */
- tiny_jambu_permutation(state, key, key_words, rounds);
- le_store_word32(tag, state[2]);
- state[1] ^= 0x70;
- tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384));
- le_store_word32(tag + 4, state[2]);
-}
-
-int tiny_jambu_128_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t state[TINY_JAMBU_STATE_SIZE];
- uint32_t key[4];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + TINY_JAMBU_TAG_SIZE;
-
- /* Unpack the key */
- key[0] = le_load_word32(k);
- key[1] = le_load_word32(k + 4);
- key[2] = le_load_word32(k + 8);
- key[3] = le_load_word32(k + 12);
-
- /* Set up the TinyJAMBU state with the key, nonce, and associated data */
- tiny_jambu_setup(state, key, 4, TINYJAMBU_ROUNDS(1024), npub);
- tiny_jambu_process_ad(state, key, 4, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- tiny_jambu_encrypt(state, key, 4, TINYJAMBU_ROUNDS(1024), c, m, mlen);
-
- /* Generate the authentication tag */
- tiny_jambu_generate_tag(state, key, 4, TINYJAMBU_ROUNDS(1024), c + mlen);
- return 0;
-}
-
-int tiny_jambu_128_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t state[TINY_JAMBU_STATE_SIZE];
- uint32_t key[4];
- unsigned char tag[TINY_JAMBU_TAG_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < TINY_JAMBU_TAG_SIZE)
-
return -1;
- *mlen = clen - TINY_JAMBU_TAG_SIZE;
-
- /* Unpack the key */
- key[0] = le_load_word32(k);
- key[1] = le_load_word32(k + 4);
- key[2] = le_load_word32(k + 8);
- key[3] = le_load_word32(k + 12);
-
- /* Set up the TinyJAMBU state with the key, nonce, and associated data */
- tiny_jambu_setup(state, key, 4, TINYJAMBU_ROUNDS(1024), npub);
- tiny_jambu_process_ad(state, key, 4, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- tiny_jambu_decrypt(state, key, 4, TINYJAMBU_ROUNDS(1024), m, c, *mlen);
-
- /* Check the authentication tag */
- tiny_jambu_generate_tag(state, key, 4, TINYJAMBU_ROUNDS(1024), tag);
- return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE);
-}
-
-int tiny_jambu_192_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t state[TINY_JAMBU_STATE_SIZE];
- uint32_t key[12];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + TINY_JAMBU_TAG_SIZE;
-
- /* Unpack the key and duplicate it to make the length a multiple of 4 */
- key[6] = key[0] = le_load_word32(k);
- key[7] = key[1] = le_load_word32(k + 4);
- key[8] = key[2] = le_load_word32(k + 8);
- key[9] = key[3] = le_load_word32(k + 12);
- key[10] = key[4] = le_load_word32(k + 16);
- key[11] = key[5] = le_load_word32(k + 20);
-
- /* Set up the TinyJAMBU state with the key, nonce, and associated data */
- tiny_jambu_setup(state, key, 12, TINYJAMBU_ROUNDS(1152), npub);
- tiny_jambu_process_ad(state, key, 12, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- tiny_jambu_encrypt(state, key, 12, TINYJAMBU_ROUNDS(1152), c, m, mlen);
-
- /* Generate the authentication tag */
- tiny_jambu_generate_tag(state, key, 12, TINYJAMBU_ROUNDS(1152), c + mlen);
- return 0;
-}
-
-int tiny_jambu_192_aead_decrypt
-
(unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t state[TINY_JAMBU_STATE_SIZE];
- uint32_t key[12];
- unsigned char tag[TINY_JAMBU_TAG_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < TINY_JAMBU_TAG_SIZE)
- return -1;
- *mlen = clen - TINY_JAMBU_TAG_SIZE;
-
- /* Unpack the key and duplicate it to make the length a multiple of 4 */
- key[6] = key[0] = le_load_word32(k);
- key[7] = key[1] = le_load_word32(k + 4);
- key[8] = key[2] = le_load_word32(k + 8);
- key[9] = key[3] = le_load_word32(k + 12);
- key[10] = key[4] = le_load_word32(k + 16);
- key[11] = key[5] = le_load_word32(k + 20);
-
- /* Set up the TinyJAMBU state with the key, nonce, and associated data */
- tiny_jambu_setup(state, key, 12, TINYJAMBU_ROUNDS(1152), npub);
- tiny_jambu_process_ad(state, key, 12, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- tiny_jambu_decrypt(state, key, 12, TINYJAMBU_ROUNDS(1152), m, c, *mlen);
-
- /* Check the authentication tag */
- tiny_jambu_generate_tag(state, key, 12, TINYJAMBU_ROUNDS(1152), tag);
- return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE);
-}
-
-int tiny_jambu_256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t state[TINY_JAMBU_STATE_SIZE];
- uint32_t key[8];
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + TINY_JAMBU_TAG_SIZE;
-
- /* Unpack the key */
- key[0] = le_load_word32(k);
- key[1] = le_load_word32(k + 4);
- key[2] = le_load_word32(k + 8);
- key[3] = le_load_word32(k + 12);
- key[4] = le_load_word32(k + 16);
- key[5] =
le_load_word32(k + 20);
- key[6] = le_load_word32(k + 24);
- key[7] = le_load_word32(k + 28);
-
- /* Set up the TinyJAMBU state with the key, nonce, and associated data */
- tiny_jambu_setup(state, key, 8, TINYJAMBU_ROUNDS(1280), npub);
- tiny_jambu_process_ad(state, key, 8, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- tiny_jambu_encrypt(state, key, 8, TINYJAMBU_ROUNDS(1280), c, m, mlen);
-
- /* Generate the authentication tag */
- tiny_jambu_generate_tag(state, key, 8, TINYJAMBU_ROUNDS(1280), c + mlen);
- return 0;
-}
-
-int tiny_jambu_256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- uint32_t state[TINY_JAMBU_STATE_SIZE];
- uint32_t key[8];
- unsigned char tag[TINY_JAMBU_TAG_SIZE];
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < TINY_JAMBU_TAG_SIZE)
- return -1;
- *mlen = clen - TINY_JAMBU_TAG_SIZE;
-
- /* Unpack the key */
- key[0] = le_load_word32(k);
- key[1] = le_load_word32(k + 4);
- key[2] = le_load_word32(k + 8);
- key[3] = le_load_word32(k + 12);
- key[4] = le_load_word32(k + 16);
- key[5] = le_load_word32(k + 20);
- key[6] = le_load_word32(k + 24);
- key[7] = le_load_word32(k + 28);
-
- /* Set up the TinyJAMBU state with the key, nonce, and associated data */
- tiny_jambu_setup(state, key, 8, TINYJAMBU_ROUNDS(1280), npub);
- tiny_jambu_process_ad(state, key, 8, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- tiny_jambu_decrypt(state, key, 8, TINYJAMBU_ROUNDS(1280), m, c, *mlen);
-
- /* Check the authentication tag */
- tiny_jambu_generate_tag(state, key, 8, TINYJAMBU_ROUNDS(1280), tag);
- return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE);
-}
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/tinyjambu.h b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/tinyjambu.h
deleted file mode 100644
index cb304ff..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys-avr/tinyjambu.h
+++ /dev/null
@@ -1,270 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_TINYJAMBU_H -#define LWCRYPTO_TINYJAMBU_H - -#include "aead-common.h" - -/** - * \file tinyjambu.h - * \brief TinyJAMBU authenticated encryption algorithm. - * - * TinyJAMBU is a family of encryption algorithms that are built around a - * lightweight 128-bit permutation. There are three variants of TinyJAMBU - * with different key sizes: - * - * \li TinyJAMBU-128 with a 128-bit key, a 96-bit nonce, and a 64-bit tag. - * This is the primary member of the family. - * \li TinyJAMBU-192 with a 192-bit key, a 96-bit nonce, and a 64-bit tag. - * \li TinyJAMBU-256 with a 256-bit key, a 96-bit nonce, and a 64-bit tag. - * - * TinyJAMBU has one of the smallest RAM and flash memory footprints - * out of all the algorithms in this library. 
- */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for TinyJAMBU-128. - */ -#define TINY_JAMBU_128_KEY_SIZE 16 - -/** - * \brief Size of the key for TinyJAMBU-192. - */ -#define TINY_JAMBU_192_KEY_SIZE 24 - -/** - * \brief Size of the key for TinyJAMBU-256. - */ -#define TINY_JAMBU_256_KEY_SIZE 32 - -/** - * \brief Size of the authentication tag for all TinyJAMBU variants. - */ -#define TINY_JAMBU_TAG_SIZE 8 - -/** - * \brief Size of the nonce for all TinyJAMBU variants. - */ -#define TINY_JAMBU_NONCE_SIZE 12 - -/** - * \brief Meta-information block for the TinyJAMBU-128 cipher. - */ -extern aead_cipher_t const tiny_jambu_128_cipher; - -/** - * \brief Meta-information block for the TinyJAMBU-192 cipher. - */ -extern aead_cipher_t const tiny_jambu_192_cipher; - -/** - * \brief Meta-information block for the TinyJAMBU-256 cipher. - */ -extern aead_cipher_t const tiny_jambu_256_cipher; - -/** - * \brief Encrypts and authenticates a packet with TinyJAMBU-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa tiny_jambu_128_aead_decrypt() - */ -int tiny_jambu_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with TinyJAMBU-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa tiny_jambu_128_aead_encrypt() - */ -int tiny_jambu_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with TinyJAMBU-192. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 24 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa tiny_jambu_192_aead_decrypt() - */ -int tiny_jambu_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with TinyJAMBU-192. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 24 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa tiny_jambu_192_aead_encrypt() - */ -int tiny_jambu_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with TinyJAMBU-256. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 32 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa tiny_jambu_256_aead_decrypt() - */ -int tiny_jambu_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with TinyJAMBU-256. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 32 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa tiny_jambu_256_aead_encrypt() - */ -int tiny_jambu_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu-avr.S b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu-avr.S new file mode 100644 index 0000000..c7f2d1c --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu-avr.S 
@@ -0,0 +1,471 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global tiny_jambu_permutation + .type tiny_jambu_permutation, @function +tiny_jambu_permutation: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r26,r24 + movw r30,r22 +.L__stack_usage = 18 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + lsl r20 + lsl r20 + mov r19,r1 +19: + movw r24,r4 + movw r16,r6 + mov r15,r3 + lsl r15 + rol r24 + rol r25 + rol r16 + rol r17 + eor r22,r24 + eor r23,r25 + eor r28,r16 + eor r29,r17 + mov r14,r7 + mov r15,r8 + mov r24,r9 + mov r25,r10 + mov r0,r6 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + mov r16,r9 + mov r0,r8 + mov r17,r10 + mov r21,r11 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + and r14,r16 + and r15,r17 + and r24,r21 + mov r16,r11 + mov r17,r12 + lsl r16 + rol r17 + lsl r16 + rol r17 + lsl r16 + rol r17 + and r25,r17 + com r14 + com r15 + com r24 + com r25 + eor r22,r14 + eor r23,r15 + eor r28,r24 + eor r29,r25 + movw r24,r10 + movw r16,r12 + mov r15,r9 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + eor r22,r15 + eor r23,r24 + eor r28,r25 + eor r29,r16 + ld r14,Z+ + ld r15,Z+ + ld r24,Z+ + ld r25,Z+ + eor r22,r14 + eor r23,r15 + eor r28,r24 + eor r29,r25 + movw r24,r8 + movw r16,r10 + mov r15,r7 + lsl r15 + rol r24 + rol r25 + rol r16 + rol r17 + eor r2,r24 + eor r3,r25 + eor r4,r16 + eor r5,r17 + mov r14,r11 + mov r15,r12 + mov r24,r13 + mov r25,r22 + mov r0,r10 + lsl r0 + rol r14 + rol r15 + rol r24 + rol 
r25 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + mov r16,r13 + mov r0,r12 + mov r17,r22 + mov r21,r23 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + and r14,r16 + and r15,r17 + and r24,r21 + mov r16,r23 + mov r17,r28 + lsl r16 + rol r17 + lsl r16 + rol r17 + lsl r16 + rol r17 + and r25,r17 + com r14 + com r15 + com r24 + com r25 + eor r2,r14 + eor r3,r15 + eor r4,r24 + eor r5,r25 + movw r24,r22 + movw r16,r28 + mov r15,r13 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + eor r2,r15 + eor r3,r24 + eor r4,r25 + eor r5,r16 + ld r14,Z+ + ld r15,Z+ + ld r24,Z+ + ld r25,Z+ + eor r2,r14 + eor r3,r15 + eor r4,r24 + eor r5,r25 + movw r24,r12 + movw r16,r22 + mov r15,r11 + lsl r15 + rol r24 + rol r25 + rol r16 + rol r17 + eor r6,r24 + eor r7,r25 + eor r8,r16 + eor r9,r17 + mov r14,r23 + mov r15,r28 + mov r24,r29 + mov r25,r2 + mov r0,r22 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + mov r16,r29 + mov r0,r28 + mov r17,r2 + mov r21,r3 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + and r14,r16 + and r15,r17 + and r24,r21 + mov r16,r3 + mov r17,r4 + lsl r16 + rol r17 + lsl r16 + rol r17 + lsl r16 + rol r17 + and r25,r17 + com r14 + com r15 + com r24 + com r25 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + movw r24,r2 + movw r16,r4 + mov r15,r29 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + eor r6,r15 + eor r7,r24 + eor r8,r25 + eor r9,r16 + ld r14,Z+ + ld r15,Z+ + ld r24,Z+ + ld r25,Z+ + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + movw r24,r28 + movw r16,r2 + mov r15,r23 + lsl r15 + rol r24 + rol r25 + rol r16 + rol r17 + eor r10,r24 + eor r11,r25 + eor 
r12,r16 + eor r13,r17 + mov r14,r3 + mov r15,r4 + mov r24,r5 + mov r25,r6 + mov r0,r2 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + mov r16,r5 + mov r0,r4 + mov r17,r6 + mov r21,r7 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + and r14,r16 + and r15,r17 + and r24,r21 + mov r16,r7 + mov r17,r8 + lsl r16 + rol r17 + lsl r16 + rol r17 + lsl r16 + rol r17 + and r25,r17 + com r14 + com r15 + com r24 + com r25 + eor r10,r14 + eor r11,r15 + eor r12,r24 + eor r13,r25 + movw r24,r6 + movw r16,r8 + mov r15,r5 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + eor r10,r15 + eor r11,r24 + eor r12,r25 + eor r13,r16 + ld r14,Z+ + ld r15,Z+ + ld r24,Z+ + ld r25,Z+ + eor r10,r14 + eor r11,r15 + eor r12,r24 + eor r13,r25 + dec r18 + breq 401f + subi r19,240 + cp r19,r20 + breq 5396f + rjmp 19b +5396: + sub r30,r20 + sbc r31,r1 + mov r19,r1 + rjmp 19b +401: + st -X,r13 + st -X,r12 + st -X,r11 + st -X,r10 + st -X,r9 + st -X,r8 + st -X,r7 + st -X,r6 + st -X,r5 + st -X,r4 + st -X,r3 + st -X,r2 + st -X,r29 + st -X,r28 + st -X,r23 + st -X,r22 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size tiny_jambu_permutation, .-tiny_jambu_permutation + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.c index 7308718..7f6fcf2 100644 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.c +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-tinyjambu.c 
@@ -22,6 +22,8 @@
 
 #include "internal-tinyjambu.h"
 
+#if !defined(__AVR__)
+
 void tiny_jambu_permutation
 (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
 unsigned key_words, unsigned rounds)
@@ -64,3 +66,5 @@ void tiny_jambu_permutation
 state[2] = s2;
 state[3] = s3;
 }
+
+#endif
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-util.h b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-util.h
+++ b/tinyjambu/Implementations/crypto_aead/tinyjambu192/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
 
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
 
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
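Review bot: The `#if !defined(__AVR__)` guard in the first hunk makes the generated assembly the only tiny_jambu_permutation on AVR, and that assembly narrows the prototype's contract without the header saying so: `key_words` is consumed as a single byte and multiplied by 4 (`lsl r20` twice), the key pointer is rewound only when the 16-byte step offset compares equal to that byte (`cp r19,r20` / `breq 5396f`), and `rounds` is decremented before it is tested (`dec r18` / `breq 401f`). So on that path `key_words` must be a non-zero multiple of 4 small enough for four times it to fit in a byte, and a `rounds` of 0 would run 255 steps rather than none; the TinyJAMBU-256 wrapper elsewhere in this diff passes 8 to the setup helpers, which fits, but I cannot see from here what the 192-bit wrapper passes. Recording the constraint in the prototype's doc comment, e.g. `\param key_words Number of 32-bit key words; the AVR backend requires a non-zero multiple of 4`, would keep the C and assembly contracts aligned. The closing `#endif` in the second hunk could also name its condition, `#endif /* !__AVR__ */`, since the matching `#if` is some forty lines away; the body of tiny_jambu_permutation itself lies outside both hunks.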
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
 
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/aead-common.c b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
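Review bot: The composed table in the `@@ -322` hunk reads as correct (each leftRotateN composes to N bits and each rightRotateN maps to leftRotate(32-N)), but nothing checks it mechanically, and a miscounted nesting in any of the 62 macros would surface only as a wrong tag on AVR hardware. A host-side unit test that compares every composed macro against the generic `leftRotate((a), N)` and `rightRotate((a), N)` for a few fixed 32-bit values would pin the table; to make that runnable without cross-compiling, the earlier hunk that introduces `LW_CRYPTO_ROTATE32_COMPOSED` could let the build select the composed path explicitly, e.g. `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` around the `__AVR__` default, since at present the composed branch is compiled only for AVR. The generic `leftRotate` is a GCC statement expression with its own `_temp`, so the nested forms appear to evaluate `a` once; a one-line comment at the top of the composed section stating that single-evaluation property, and the dependence on that extension, would save the next reader from re-deriving it.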
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/aead-common.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/aead-common.h b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/api.h b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/api.h
deleted file mode 100644
index fd4ff9f..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 32
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 12
-#define CRYPTO_ABYTES 8
-#define CRYPTO_NOOVERLAP 1
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/encrypt.c b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/encrypt.c
deleted file mode 100644
index 357b9fe..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "tinyjambu.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return tiny_jambu_256_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return tiny_jambu_256_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/internal-tinyjambu-avr.S b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/internal-tinyjambu-avr.S
deleted file mode 100644
index c7f2d1c..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/internal-tinyjambu-avr.S
+++ /dev/null
@@ -1,471 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global tiny_jambu_permutation - .type tiny_jambu_permutation, @function -tiny_jambu_permutation: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - movw r26,r24 - movw r30,r22 -.L__stack_usage = 18 - ld r22,X+ - ld r23,X+ - ld r28,X+ - ld r29,X+ - ld r2,X+ - ld r3,X+ - ld r4,X+ - ld r5,X+ - ld r6,X+ - ld r7,X+ - ld r8,X+ - ld r9,X+ - ld r10,X+ - ld r11,X+ - ld r12,X+ - ld r13,X+ - lsl r20 - lsl r20 - mov r19,r1 -19: - movw r24,r4 - movw r16,r6 - mov r15,r3 - lsl r15 - rol r24 - rol r25 - rol r16 - rol r17 - eor r22,r24 - eor r23,r25 - eor r28,r16 - eor r29,r17 - mov r14,r7 - mov r15,r8 - mov r24,r9 - mov r25,r10 - mov r0,r6 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - mov r16,r9 - mov r0,r8 - mov r17,r10 - mov r21,r11 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - and r14,r16 - and r15,r17 - and r24,r21 - mov r16,r11 - mov r17,r12 - lsl r16 - rol r17 - lsl r16 - rol r17 - lsl r16 - rol r17 - and r25,r17 - com r14 - com r15 - com r24 - com r25 - eor r22,r14 - eor r23,r15 - eor r28,r24 - eor r29,r25 - movw r24,r10 - movw r16,r12 - mov r15,r9 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - eor r22,r15 - eor r23,r24 - eor r28,r25 - eor r29,r16 - ld r14,Z+ - ld r15,Z+ - ld r24,Z+ - ld r25,Z+ - eor r22,r14 - eor r23,r15 - eor r28,r24 - eor r29,r25 - movw r24,r8 - movw r16,r10 - mov r15,r7 - lsl r15 - rol r24 - rol r25 - rol r16 - rol r17 - eor r2,r24 - eor r3,r25 - eor r4,r16 - eor r5,r17 - mov r14,r11 - mov r15,r12 - mov r24,r13 - mov r25,r22 - mov r0,r10 - lsl r0 - rol r14 - rol r15 - rol r24 - rol 
r25 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - mov r16,r13 - mov r0,r12 - mov r17,r22 - mov r21,r23 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - and r14,r16 - and r15,r17 - and r24,r21 - mov r16,r23 - mov r17,r28 - lsl r16 - rol r17 - lsl r16 - rol r17 - lsl r16 - rol r17 - and r25,r17 - com r14 - com r15 - com r24 - com r25 - eor r2,r14 - eor r3,r15 - eor r4,r24 - eor r5,r25 - movw r24,r22 - movw r16,r28 - mov r15,r13 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - eor r2,r15 - eor r3,r24 - eor r4,r25 - eor r5,r16 - ld r14,Z+ - ld r15,Z+ - ld r24,Z+ - ld r25,Z+ - eor r2,r14 - eor r3,r15 - eor r4,r24 - eor r5,r25 - movw r24,r12 - movw r16,r22 - mov r15,r11 - lsl r15 - rol r24 - rol r25 - rol r16 - rol r17 - eor r6,r24 - eor r7,r25 - eor r8,r16 - eor r9,r17 - mov r14,r23 - mov r15,r28 - mov r24,r29 - mov r25,r2 - mov r0,r22 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - mov r16,r29 - mov r0,r28 - mov r17,r2 - mov r21,r3 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - and r14,r16 - and r15,r17 - and r24,r21 - mov r16,r3 - mov r17,r4 - lsl r16 - rol r17 - lsl r16 - rol r17 - lsl r16 - rol r17 - and r25,r17 - com r14 - com r15 - com r24 - com r25 - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - movw r24,r2 - movw r16,r4 - mov r15,r29 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - eor r6,r15 - eor r7,r24 - eor r8,r25 - eor r9,r16 - ld r14,Z+ - ld r15,Z+ - ld r24,Z+ - ld r25,Z+ - eor r6,r14 - eor r7,r15 - eor r8,r24 - eor r9,r25 - movw r24,r28 - movw r16,r2 - mov r15,r23 - lsl r15 - rol r24 - rol r25 - rol r16 - rol r17 - eor r10,r24 - eor r11,r25 - eor 
r12,r16 - eor r13,r17 - mov r14,r3 - mov r15,r4 - mov r24,r5 - mov r25,r6 - mov r0,r2 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - lsl r0 - rol r14 - rol r15 - rol r24 - rol r25 - mov r16,r5 - mov r0,r4 - mov r17,r6 - mov r21,r7 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - lsl r0 - rol r16 - rol r17 - rol r21 - and r14,r16 - and r15,r17 - and r24,r21 - mov r16,r7 - mov r17,r8 - lsl r16 - rol r17 - lsl r16 - rol r17 - lsl r16 - rol r17 - and r25,r17 - com r14 - com r15 - com r24 - com r25 - eor r10,r14 - eor r11,r15 - eor r12,r24 - eor r13,r25 - movw r24,r6 - movw r16,r8 - mov r15,r5 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - lsr r17 - ror r16 - ror r25 - ror r24 - ror r15 - eor r10,r15 - eor r11,r24 - eor r12,r25 - eor r13,r16 - ld r14,Z+ - ld r15,Z+ - ld r24,Z+ - ld r25,Z+ - eor r10,r14 - eor r11,r15 - eor r12,r24 - eor r13,r25 - dec r18 - breq 401f - subi r19,240 - cp r19,r20 - breq 5396f - rjmp 19b -5396: - sub r30,r20 - sbc r31,r1 - mov r19,r1 - rjmp 19b -401: - st -X,r13 - st -X,r12 - st -X,r11 - st -X,r10 - st -X,r9 - st -X,r8 - st -X,r7 - st -X,r6 - st -X,r5 - st -X,r4 - st -X,r3 - st -X,r2 - st -X,r29 - st -X,r28 - st -X,r23 - st -X,r22 - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size tiny_jambu_permutation, .-tiny_jambu_permutation - -#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/internal-tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/internal-tinyjambu.c deleted file mode 100644 index 7f6fcf2..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/internal-tinyjambu.c +++ /dev/null 
@@ -1,70 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-tinyjambu.h"
-
-#if !defined(__AVR__)
-
-void tiny_jambu_permutation
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, unsigned rounds)
-{
- uint32_t t1, t2, t3, t4;
- unsigned round;
-
- /* Load the state into local variables */
- uint32_t s0 = state[0];
- uint32_t s1 = state[1];
- uint32_t s2 = state[2];
- uint32_t s3 = state[3];
-
- /* Perform all permutation rounds. Each round consists of 128 steps,
- * which can be performed 32 at a time plus a rotation. After four
- * sets of 32 steps, the rotation order returns to the original position.
- * So we can hide the rotations by doing 128 steps each round */
- for (round = 0; round < rounds; ++round) {
- /* Get the key words to use during this round */
- const uint32_t *k = &(key[(round * 4) % key_words]);
-
- /* Perform the 128 steps of this round in groups of 32 */
- #define tiny_jambu_steps_32(s0, s1, s2, s3, offset) \
- do { \
- t1 = (s1 >> 15) | (s2 << 17); \
- t2 = (s2 >> 6) | (s3 << 26); \
- t3 = (s2 >> 21) | (s3 << 11); \
- t4 = (s2 >> 27) | (s3 << 5); \
- s0 ^= t1 ^ (~(t2 & t3)) ^ t4 ^ k[offset]; \
- } while (0)
- tiny_jambu_steps_32(s0, s1, s2, s3, 0);
- tiny_jambu_steps_32(s1, s2, s3, s0, 1);
- tiny_jambu_steps_32(s2, s3, s0, s1, 2);
- tiny_jambu_steps_32(s3, s0, s1, s2, 3);
- }
-
- /* Store the local variables back to the state */
- state[0] = s0;
- state[1] = s1;
- state[2] = s2;
- state[3] = s3;
-}
-
-#endif
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/internal-tinyjambu.h b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/internal-tinyjambu.h
deleted file mode 100644
index f3bc599..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/internal-tinyjambu.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_TINYJAMBU_H
-#define LW_INTERNAL_TINYJAMBU_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-tinyjambu.h
- * \brief Internal implementation of the TinyJAMBU permutation.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Size of the TinyJAMBU state in 32-bit words.
- */
-#define TINY_JAMBU_STATE_SIZE 4
-
-/**
- * \brief Converts a number of steps into a number of rounds, where each
- * round consists of 128 steps.
- *
- * \param steps The number of steps to perform; 384, 1024, 1152, or 1280.
- *
- * \return The number of rounds corresponding to \a steps.
- */
-#define TINYJAMBU_ROUNDS(steps) ((steps) / 128)
-
-/**
- * \brief Perform the TinyJAMBU permutation.
- *
- * \param state TinyJAMBU state to be permuted.
- * \param key Points to the key words.
- * \param key_words The number of words in the key.
- * \param rounds The number of rounds to perform.
- *
- * The number of key words should be 4 for TinyJAMBU-128, 12 for TinyJAMBU-192,
- * and 8 for TinuJAMBU-256. The TinyJAMBU-192 key is duplicated so that the
- * \a key_words parameter is a multiple of 4.
- */
-void tiny_jambu_permutation
- (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key,
- unsigned key_words, unsigned rounds);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/internal-util.h b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/tinyjambu.c deleted file mode 100644 index 09fc41d..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/tinyjambu.c +++ /dev/null 
@@ -1,487 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "tinyjambu.h" -#include "internal-tinyjambu.h" -#include - -aead_cipher_t const tiny_jambu_128_cipher = { - "TinyJAMBU-128", - TINY_JAMBU_128_KEY_SIZE, - TINY_JAMBU_NONCE_SIZE, - TINY_JAMBU_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - tiny_jambu_128_aead_encrypt, - tiny_jambu_128_aead_decrypt -}; - -aead_cipher_t const tiny_jambu_192_cipher = { - "TinyJAMBU-192", - TINY_JAMBU_192_KEY_SIZE, - TINY_JAMBU_NONCE_SIZE, - TINY_JAMBU_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - tiny_jambu_192_aead_encrypt, - tiny_jambu_192_aead_decrypt -}; - -aead_cipher_t const tiny_jambu_256_cipher = { - "TinyJAMBU-256", - TINY_JAMBU_256_KEY_SIZE, - TINY_JAMBU_NONCE_SIZE, - TINY_JAMBU_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - tiny_jambu_256_aead_encrypt, - tiny_jambu_256_aead_decrypt -}; - -/** - * \brief Set up the TinyJAMBU state with the key and the nonce. - * - * \param state TinyJAMBU state to be permuted. - * \param key Points to the key words. - * \param key_words The number of words in the key. - * \param rounds The number of rounds to perform to absorb the key. - * \param nonce Points to the nonce. 
- * - * \sa tiny_jambu_permutation() - */ -static void tiny_jambu_setup - (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, - unsigned key_words, unsigned rounds, const unsigned char *nonce) -{ - /* Initialize the state with the key */ - memset(state, 0, TINY_JAMBU_STATE_SIZE * sizeof(uint32_t)); - tiny_jambu_permutation(state, key, key_words, rounds); - - /* Absorb the three 32-bit words of the 96-bit nonce */ - state[1] ^= 0x10; /* Domain separator for the nonce */ - tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); - state[3] ^= le_load_word32(nonce); - state[1] ^= 0x10; - tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); - state[3] ^= le_load_word32(nonce + 4); - state[1] ^= 0x10; - tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); - state[3] ^= le_load_word32(nonce + 8); -} - -/** - * \brief Processes the associated data for TinyJAMBU. - * - * \param state TinyJAMBU state to be permuted. - * \param key Points to the key words. - * \param key_words The number of words in the key. - * \param ad Points to the associated data. - * \param adlen Length of the associated data in bytes. 
- */ -static void tiny_jambu_process_ad - (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, - unsigned key_words, const unsigned char *ad, unsigned long long adlen) -{ - /* Process as many full 32-bit words as we can */ - while (adlen >= 4) { - state[1] ^= 0x30; /* Domain separator for associated data */ - tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); - state[3] ^= le_load_word32(ad); - ad += 4; - adlen -= 4; - } - - /* Handle the left-over associated data bytes, if any */ - if (adlen == 1) { - state[1] ^= 0x30; - tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); - state[3] ^= ad[0]; - state[1] ^= 0x01; - } else if (adlen == 2) { - state[1] ^= 0x30; - tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); - state[3] ^= le_load_word16(ad); - state[1] ^= 0x02; - } else if (adlen == 3) { - state[1] ^= 0x30; - tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); - state[3] ^= le_load_word16(ad) | (((uint32_t)(ad[2])) << 16); - state[1] ^= 0x03; - } -} - -/** - * \brief Encrypts the plaintext with TinyJAMBU to produce the ciphertext. - * - * \param state TinyJAMBU state to be permuted. - * \param key Points to the key words. - * \param key_words The number of words in the key. - * \param rounds The number of rounds to perform to process the plaintext. - * \param c Points to the ciphertext output buffer. - * \param m Points to the plaintext input buffer. - * \param mlen Length of the plaintext in bytes. 
- */ -static void tiny_jambu_encrypt - (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, - unsigned key_words, unsigned rounds, unsigned char *c, - const unsigned char *m, unsigned long long mlen) -{ - uint32_t data; - - /* Process as many full 32-bit words as we can */ - while (mlen >= 4) { - state[1] ^= 0x50; /* Domain separator for message data */ - tiny_jambu_permutation(state, key, key_words, rounds); - data = le_load_word32(m); - state[3] ^= data; - data ^= state[2]; - le_store_word32(c, data); - c += 4; - m += 4; - mlen -= 4; - } - - /* Handle the left-over plaintext data bytes, if any */ - if (mlen == 1) { - state[1] ^= 0x50; - tiny_jambu_permutation(state, key, key_words, rounds); - data = m[0]; - state[3] ^= data; - state[1] ^= 0x01; - c[0] = (uint8_t)(state[2] ^ data); - } else if (mlen == 2) { - state[1] ^= 0x50; - tiny_jambu_permutation(state, key, key_words, rounds); - data = le_load_word16(m); - state[3] ^= data; - state[1] ^= 0x02; - data ^= state[2]; - c[0] = (uint8_t)data; - c[1] = (uint8_t)(data >> 8); - } else if (mlen == 3) { - state[1] ^= 0x50; - tiny_jambu_permutation(state, key, key_words, rounds); - data = le_load_word16(m) | (((uint32_t)(m[2])) << 16); - state[3] ^= data; - state[1] ^= 0x03; - data ^= state[2]; - c[0] = (uint8_t)data; - c[1] = (uint8_t)(data >> 8); - c[2] = (uint8_t)(data >> 16); - } -} - -/** - * \brief Decrypts the ciphertext with TinyJAMBU to produce the plaintext. - * - * \param state TinyJAMBU state to be permuted. - * \param key Points to the key words. - * \param key_words The number of words in the key. - * \param rounds The number of rounds to perform to process the ciphertext. - * \param m Points to the plaintext output buffer. - * \param c Points to the ciphertext input buffer. - * \param mlen Length of the plaintext in bytes. 
- */ -static void tiny_jambu_decrypt - (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, - unsigned key_words, unsigned rounds, unsigned char *m, - const unsigned char *c, unsigned long long mlen) -{ - uint32_t data; - - /* Process as many full 32-bit words as we can */ - while (mlen >= 4) { - state[1] ^= 0x50; /* Domain separator for message data */ - tiny_jambu_permutation(state, key, key_words, rounds); - data = le_load_word32(c) ^ state[2]; - state[3] ^= data; - le_store_word32(m, data); - c += 4; - m += 4; - mlen -= 4; - } - - /* Handle the left-over ciphertext data bytes, if any */ - if (mlen == 1) { - state[1] ^= 0x50; - tiny_jambu_permutation(state, key, key_words, rounds); - data = (c[0] ^ state[2]) & 0xFFU; - state[3] ^= data; - state[1] ^= 0x01; - m[0] = (uint8_t)data; - } else if (mlen == 2) { - state[1] ^= 0x50; - tiny_jambu_permutation(state, key, key_words, rounds); - data = (le_load_word16(c) ^ state[2]) & 0xFFFFU; - state[3] ^= data; - state[1] ^= 0x02; - m[0] = (uint8_t)data; - m[1] = (uint8_t)(data >> 8); - } else if (mlen == 3) { - state[1] ^= 0x50; - tiny_jambu_permutation(state, key, key_words, rounds); - data = le_load_word16(c) | (((uint32_t)(c[2])) << 16); - data = (data ^ state[2]) & 0xFFFFFFU; - state[3] ^= data; - state[1] ^= 0x03; - m[0] = (uint8_t)data; - m[1] = (uint8_t)(data >> 8); - m[2] = (uint8_t)(data >> 16); - } -} - -/** - * \brief Generates the final authentication tag for TinyJAMBU. - * - * \param state TinyJAMBU state to be permuted. - * \param key Points to the key words. - * \param key_words The number of words in the key. - * \param rounds The number of rounds to perform to generate the tag. - * \param tag Buffer to receive the tag. 
- */ -static void tiny_jambu_generate_tag - (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, - unsigned key_words, unsigned rounds, unsigned char *tag) -{ - state[1] ^= 0x70; /* Domain separator for finalization */ - tiny_jambu_permutation(state, key, key_words, rounds); - le_store_word32(tag, state[2]); - state[1] ^= 0x70; - tiny_jambu_permutation(state, key, key_words, TINYJAMBU_ROUNDS(384)); - le_store_word32(tag + 4, state[2]); -} - -int tiny_jambu_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t state[TINY_JAMBU_STATE_SIZE]; - uint32_t key[4]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + TINY_JAMBU_TAG_SIZE; - - /* Unpack the key */ - key[0] = le_load_word32(k); - key[1] = le_load_word32(k + 4); - key[2] = le_load_word32(k + 8); - key[3] = le_load_word32(k + 12); - - /* Set up the TinyJAMBU state with the key, nonce, and associated data */ - tiny_jambu_setup(state, key, 4, TINYJAMBU_ROUNDS(1024), npub); - tiny_jambu_process_ad(state, key, 4, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - tiny_jambu_encrypt(state, key, 4, TINYJAMBU_ROUNDS(1024), c, m, mlen); - - /* Generate the authentication tag */ - tiny_jambu_generate_tag(state, key, 4, TINYJAMBU_ROUNDS(1024), c + mlen); - return 0; -} - -int tiny_jambu_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t state[TINY_JAMBU_STATE_SIZE]; - uint32_t key[4]; - unsigned char tag[TINY_JAMBU_TAG_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < TINY_JAMBU_TAG_SIZE) - 
return -1; - *mlen = clen - TINY_JAMBU_TAG_SIZE; - - /* Unpack the key */ - key[0] = le_load_word32(k); - key[1] = le_load_word32(k + 4); - key[2] = le_load_word32(k + 8); - key[3] = le_load_word32(k + 12); - - /* Set up the TinyJAMBU state with the key, nonce, and associated data */ - tiny_jambu_setup(state, key, 4, TINYJAMBU_ROUNDS(1024), npub); - tiny_jambu_process_ad(state, key, 4, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - tiny_jambu_decrypt(state, key, 4, TINYJAMBU_ROUNDS(1024), m, c, *mlen); - - /* Check the authentication tag */ - tiny_jambu_generate_tag(state, key, 4, TINYJAMBU_ROUNDS(1024), tag); - return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE); -} - -int tiny_jambu_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t state[TINY_JAMBU_STATE_SIZE]; - uint32_t key[12]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + TINY_JAMBU_TAG_SIZE; - - /* Unpack the key and duplicate it to make the length a multiple of 4 */ - key[6] = key[0] = le_load_word32(k); - key[7] = key[1] = le_load_word32(k + 4); - key[8] = key[2] = le_load_word32(k + 8); - key[9] = key[3] = le_load_word32(k + 12); - key[10] = key[4] = le_load_word32(k + 16); - key[11] = key[5] = le_load_word32(k + 20); - - /* Set up the TinyJAMBU state with the key, nonce, and associated data */ - tiny_jambu_setup(state, key, 12, TINYJAMBU_ROUNDS(1152), npub); - tiny_jambu_process_ad(state, key, 12, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - tiny_jambu_encrypt(state, key, 12, TINYJAMBU_ROUNDS(1152), c, m, mlen); - - /* Generate the authentication tag */ - tiny_jambu_generate_tag(state, key, 12, TINYJAMBU_ROUNDS(1152), c + mlen); - return 0; -} - -int tiny_jambu_192_aead_decrypt - 
(unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t state[TINY_JAMBU_STATE_SIZE]; - uint32_t key[12]; - unsigned char tag[TINY_JAMBU_TAG_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < TINY_JAMBU_TAG_SIZE) - return -1; - *mlen = clen - TINY_JAMBU_TAG_SIZE; - - /* Unpack the key and duplicate it to make the length a multiple of 4 */ - key[6] = key[0] = le_load_word32(k); - key[7] = key[1] = le_load_word32(k + 4); - key[8] = key[2] = le_load_word32(k + 8); - key[9] = key[3] = le_load_word32(k + 12); - key[10] = key[4] = le_load_word32(k + 16); - key[11] = key[5] = le_load_word32(k + 20); - - /* Set up the TinyJAMBU state with the key, nonce, and associated data */ - tiny_jambu_setup(state, key, 12, TINYJAMBU_ROUNDS(1152), npub); - tiny_jambu_process_ad(state, key, 12, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - tiny_jambu_decrypt(state, key, 12, TINYJAMBU_ROUNDS(1152), m, c, *mlen); - - /* Check the authentication tag */ - tiny_jambu_generate_tag(state, key, 12, TINYJAMBU_ROUNDS(1152), tag); - return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE); -} - -int tiny_jambu_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t state[TINY_JAMBU_STATE_SIZE]; - uint32_t key[8]; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + TINY_JAMBU_TAG_SIZE; - - /* Unpack the key */ - key[0] = le_load_word32(k); - key[1] = le_load_word32(k + 4); - key[2] = le_load_word32(k + 8); - key[3] = le_load_word32(k + 12); - key[4] = le_load_word32(k + 16); - key[5] = 
le_load_word32(k + 20); - key[6] = le_load_word32(k + 24); - key[7] = le_load_word32(k + 28); - - /* Set up the TinyJAMBU state with the key, nonce, and associated data */ - tiny_jambu_setup(state, key, 8, TINYJAMBU_ROUNDS(1280), npub); - tiny_jambu_process_ad(state, key, 8, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - tiny_jambu_encrypt(state, key, 8, TINYJAMBU_ROUNDS(1280), c, m, mlen); - - /* Generate the authentication tag */ - tiny_jambu_generate_tag(state, key, 8, TINYJAMBU_ROUNDS(1280), c + mlen); - return 0; -} - -int tiny_jambu_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - uint32_t state[TINY_JAMBU_STATE_SIZE]; - uint32_t key[8]; - unsigned char tag[TINY_JAMBU_TAG_SIZE]; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < TINY_JAMBU_TAG_SIZE) - return -1; - *mlen = clen - TINY_JAMBU_TAG_SIZE; - - /* Unpack the key */ - key[0] = le_load_word32(k); - key[1] = le_load_word32(k + 4); - key[2] = le_load_word32(k + 8); - key[3] = le_load_word32(k + 12); - key[4] = le_load_word32(k + 16); - key[5] = le_load_word32(k + 20); - key[6] = le_load_word32(k + 24); - key[7] = le_load_word32(k + 28); - - /* Set up the TinyJAMBU state with the key, nonce, and associated data */ - tiny_jambu_setup(state, key, 8, TINYJAMBU_ROUNDS(1280), npub); - tiny_jambu_process_ad(state, key, 8, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - tiny_jambu_decrypt(state, key, 8, TINYJAMBU_ROUNDS(1280), m, c, *mlen); - - /* Check the authentication tag */ - tiny_jambu_generate_tag(state, key, 8, TINYJAMBU_ROUNDS(1280), tag); - return aead_check_tag(m, *mlen, tag, c + *mlen, TINY_JAMBU_TAG_SIZE); -} 
diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/tinyjambu.h b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/tinyjambu.h deleted file mode 100644 index cb304ff..0000000 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys-avr/tinyjambu.h +++ /dev/null 
@@ -1,270 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_TINYJAMBU_H -#define LWCRYPTO_TINYJAMBU_H - -#include "aead-common.h" - -/** - * \file tinyjambu.h - * \brief TinyJAMBU authenticated encryption algorithm. - * - * TinyJAMBU is a family of encryption algorithms that are built around a - * lightweight 128-bit permutation. There are three variants of TinyJAMBU - * with different key sizes: - * - * \li TinyJAMBU-128 with a 128-bit key, a 96-bit nonce, and a 64-bit tag. - * This is the primary member of the family. - * \li TinyJAMBU-192 with a 192-bit key, a 96-bit nonce, and a 64-bit tag. - * \li TinyJAMBU-256 with a 256-bit key, a 96-bit nonce, and a 64-bit tag. - * - * TinyJAMBU has one of the smallest RAM and flash memory footprints - * out of all the algorithms in this library. 
- */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for TinyJAMBU-128. - */ -#define TINY_JAMBU_128_KEY_SIZE 16 - -/** - * \brief Size of the key for TinyJAMBU-192. - */ -#define TINY_JAMBU_192_KEY_SIZE 24 - -/** - * \brief Size of the key for TinyJAMBU-256. - */ -#define TINY_JAMBU_256_KEY_SIZE 32 - -/** - * \brief Size of the authentication tag for all TinyJAMBU variants. - */ -#define TINY_JAMBU_TAG_SIZE 8 - -/** - * \brief Size of the nonce for all TinyJAMBU variants. - */ -#define TINY_JAMBU_NONCE_SIZE 12 - -/** - * \brief Meta-information block for the TinyJAMBU-128 cipher. - */ -extern aead_cipher_t const tiny_jambu_128_cipher; - -/** - * \brief Meta-information block for the TinyJAMBU-192 cipher. - */ -extern aead_cipher_t const tiny_jambu_192_cipher; - -/** - * \brief Meta-information block for the TinyJAMBU-256 cipher. - */ -extern aead_cipher_t const tiny_jambu_256_cipher; - -/** - * \brief Encrypts and authenticates a packet with TinyJAMBU-128. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. 
- * - * \sa tiny_jambu_128_aead_decrypt() - */ -int tiny_jambu_128_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with TinyJAMBU-128. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa tiny_jambu_128_aead_encrypt() - */ -int tiny_jambu_128_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with TinyJAMBU-192. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 24 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa tiny_jambu_192_aead_decrypt() - */ -int tiny_jambu_192_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with TinyJAMBU-192. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 24 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- * - * \sa tiny_jambu_192_aead_encrypt() - */ -int tiny_jambu_192_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Encrypts and authenticates a packet with TinyJAMBU-256. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 8 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 32 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa tiny_jambu_256_aead_decrypt() - */ -int tiny_jambu_256_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with TinyJAMBU-256. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 8 byte authentication tag. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 12 bytes in length. - * \param k Points to the 32 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa tiny_jambu_256_aead_encrypt() - */ -int tiny_jambu_256_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu-avr.S b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu-avr.S new file mode 100644 index 0000000..c7f2d1c --- /dev/null +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu-avr.S 
@@ -0,0 +1,471 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global tiny_jambu_permutation + .type tiny_jambu_permutation, @function +tiny_jambu_permutation: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + movw r26,r24 + movw r30,r22 +.L__stack_usage = 18 + ld r22,X+ + ld r23,X+ + ld r28,X+ + ld r29,X+ + ld r2,X+ + ld r3,X+ + ld r4,X+ + ld r5,X+ + ld r6,X+ + ld r7,X+ + ld r8,X+ + ld r9,X+ + ld r10,X+ + ld r11,X+ + ld r12,X+ + ld r13,X+ + lsl r20 + lsl r20 + mov r19,r1 +19: + movw r24,r4 + movw r16,r6 + mov r15,r3 + lsl r15 + rol r24 + rol r25 + rol r16 + rol r17 + eor r22,r24 + eor r23,r25 + eor r28,r16 + eor r29,r17 + mov r14,r7 + mov r15,r8 + mov r24,r9 + mov r25,r10 + mov r0,r6 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + mov r16,r9 + mov r0,r8 + mov r17,r10 + mov r21,r11 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + and r14,r16 + and r15,r17 + and r24,r21 + mov r16,r11 + mov r17,r12 + lsl r16 + rol r17 + lsl r16 + rol r17 + lsl r16 + rol r17 + and r25,r17 + com r14 + com r15 + com r24 + com r25 + eor r22,r14 + eor r23,r15 + eor r28,r24 + eor r29,r25 + movw r24,r10 + movw r16,r12 + mov r15,r9 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + eor r22,r15 + eor r23,r24 + eor r28,r25 + eor r29,r16 + ld r14,Z+ + ld r15,Z+ + ld r24,Z+ + ld r25,Z+ + eor r22,r14 + eor r23,r15 + eor r28,r24 + eor r29,r25 + movw r24,r8 + movw r16,r10 + mov r15,r7 + lsl r15 + rol r24 + rol r25 + rol r16 + rol r17 + eor r2,r24 + eor r3,r25 + eor r4,r16 + eor r5,r17 + mov r14,r11 + mov r15,r12 + mov r24,r13 + mov r25,r22 + mov r0,r10 + lsl r0 + rol r14 + rol r15 + rol r24 + rol 
r25 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + mov r16,r13 + mov r0,r12 + mov r17,r22 + mov r21,r23 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + and r14,r16 + and r15,r17 + and r24,r21 + mov r16,r23 + mov r17,r28 + lsl r16 + rol r17 + lsl r16 + rol r17 + lsl r16 + rol r17 + and r25,r17 + com r14 + com r15 + com r24 + com r25 + eor r2,r14 + eor r3,r15 + eor r4,r24 + eor r5,r25 + movw r24,r22 + movw r16,r28 + mov r15,r13 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + eor r2,r15 + eor r3,r24 + eor r4,r25 + eor r5,r16 + ld r14,Z+ + ld r15,Z+ + ld r24,Z+ + ld r25,Z+ + eor r2,r14 + eor r3,r15 + eor r4,r24 + eor r5,r25 + movw r24,r12 + movw r16,r22 + mov r15,r11 + lsl r15 + rol r24 + rol r25 + rol r16 + rol r17 + eor r6,r24 + eor r7,r25 + eor r8,r16 + eor r9,r17 + mov r14,r23 + mov r15,r28 + mov r24,r29 + mov r25,r2 + mov r0,r22 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + mov r16,r29 + mov r0,r28 + mov r17,r2 + mov r21,r3 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + and r14,r16 + and r15,r17 + and r24,r21 + mov r16,r3 + mov r17,r4 + lsl r16 + rol r17 + lsl r16 + rol r17 + lsl r16 + rol r17 + and r25,r17 + com r14 + com r15 + com r24 + com r25 + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + movw r24,r2 + movw r16,r4 + mov r15,r29 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + eor r6,r15 + eor r7,r24 + eor r8,r25 + eor r9,r16 + ld r14,Z+ + ld r15,Z+ + ld r24,Z+ + ld r25,Z+ + eor r6,r14 + eor r7,r15 + eor r8,r24 + eor r9,r25 + movw r24,r28 + movw r16,r2 + mov r15,r23 + lsl r15 + rol r24 + rol r25 + rol r16 + rol r17 + eor r10,r24 + eor r11,r25 + eor 
r12,r16 + eor r13,r17 + mov r14,r3 + mov r15,r4 + mov r24,r5 + mov r25,r6 + mov r0,r2 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + lsl r0 + rol r14 + rol r15 + rol r24 + rol r25 + mov r16,r5 + mov r0,r4 + mov r17,r6 + mov r21,r7 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + lsl r0 + rol r16 + rol r17 + rol r21 + and r14,r16 + and r15,r17 + and r24,r21 + mov r16,r7 + mov r17,r8 + lsl r16 + rol r17 + lsl r16 + rol r17 + lsl r16 + rol r17 + and r25,r17 + com r14 + com r15 + com r24 + com r25 + eor r10,r14 + eor r11,r15 + eor r12,r24 + eor r13,r25 + movw r24,r6 + movw r16,r8 + mov r15,r5 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + lsr r17 + ror r16 + ror r25 + ror r24 + ror r15 + eor r10,r15 + eor r11,r24 + eor r12,r25 + eor r13,r16 + ld r14,Z+ + ld r15,Z+ + ld r24,Z+ + ld r25,Z+ + eor r10,r14 + eor r11,r15 + eor r12,r24 + eor r13,r25 + dec r18 + breq 401f + subi r19,240 + cp r19,r20 + breq 5396f + rjmp 19b +5396: + sub r30,r20 + sbc r31,r1 + mov r19,r1 + rjmp 19b +401: + st -X,r13 + st -X,r12 + st -X,r11 + st -X,r10 + st -X,r9 + st -X,r8 + st -X,r7 + st -X,r6 + st -X,r5 + st -X,r4 + st -X,r3 + st -X,r2 + st -X,r29 + st -X,r28 + st -X,r23 + st -X,r22 + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size tiny_jambu_permutation, .-tiny_jambu_permutation + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.c b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.c index 7308718..7f6fcf2 100644 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.c +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-tinyjambu.c 
@@ -22,6 +22,8 @@ #include "internal-tinyjambu.h" +#if !defined(__AVR__) + void tiny_jambu_permutation (uint32_t state[TINY_JAMBU_STATE_SIZE], const uint32_t *key, unsigned key_words, unsigned rounds) @@ -64,3 +66,5 @@ void tiny_jambu_permutation state[2] = s2; state[3] = s3; } + +#endif diff --git a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-util.h b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-util.h index e79158c..e30166d 100644 --- a/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-util.h +++ b/tinyjambu/Implementations/crypto_aead/tinyjambu256/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
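Review bot: The new `#if !defined(__AVR__)` guard around tiny_jambu_permutation says nothing about where the AVR build gets the function, so a reader of this file alone cannot tell whether AVR has no permutation at all; a one-line comment such as `/* On AVR the permutation is provided by internal-tinyjambu-avr.S */` above the guard would fix that. The closing `#endif` in the second hunk of this file is bare, while the internal-util.h hunk in this same change closes its guard with `#endif /* LW_CRYPTO_ROTATE32_COMPOSED */`; `#endif /* !__AVR__ */` would keep the two consistent. Nothing in the diff cross-checks that the generated assembly and this C body produce the same output for the same state, key, key_words and rounds; a shared known-answer test run on both builds would pin that, which matters because a mismatch would presumably change the cipher silently rather than fail to build. The body of tiny_jambu_permutation lies outside the hunk.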
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 
 /* Rotation macros for 64-bit arguments */
 
 /* Generic left rotate */
diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/aead-common.c b/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
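Review bot: The 62 composed macros from `leftRotate1` to `rightRotate31` are hand-written and nothing in the change ties them back to the generic `leftRotate((a), N)`, yet they are only compiled when `LW_CRYPTO_ROTATE32_COMPOSED` is 1, so the ordinary host build never exercises them and a wrong base (16 instead of 24, say) would only surface as failing cipher test vectors on AVR. Reading each line, the compositions do sum correctly (for example leftRotate5 is left 8 then right 3, leftRotate28 is four right rotates by 1) and every `rightRotateN` maps to `leftRotate(32-N)`, but that is easy to break in a later edit. Since the earlier hunk defines `LW_CRYPTO_ROTATE32_COMPOSED` unconditionally from `__AVR__`, a host test cannot opt in; wrapping that definition in `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` … `#endif` would let a test build pass `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and assert `leftRotateN(x) == leftRotate(x, N)` for every N on a few values. The nesting evaluates `a` only once per macro as long as the generic `leftRotate`/`rightRotate` remain the `_temp` statement expressions shown in the preceding hunk; if a non-GCC fallback that expands its argument twice exists elsewhere in the header, the five-deep leftRotate20 would expand it 32 times.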
--- a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/aead-common.h b/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/api.h b/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/api.h
deleted file mode 100644
index b2f8a36..0000000
--- a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/api.h
+++ /dev/null
@@ -1,5 +0,0 @@
-#define CRYPTO_KEYBYTES 16
-#define CRYPTO_NSECBYTES 0
-#define CRYPTO_NPUBBYTES 16
-#define CRYPTO_ABYTES 16
-#define CRYPTO_NOOVERLAP 1
diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/encrypt.c b/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/encrypt.c
deleted file mode 100644
index 0ed30f7..0000000
--- a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/encrypt.c
+++ /dev/null
@@ -1,26 +0,0 @@
-
-#include "wage.h"
-
-int crypto_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return wage_aead_encrypt
- (c, clen, m, mlen, ad, adlen, nsec, npub, k);
-}
-
-int crypto_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- return wage_aead_decrypt
- (m, mlen, nsec, c, clen, ad, adlen, npub, k);
-}
diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/internal-util.h b/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your
- * compiler flags when you compile this library */
-#if defined(__x86_64) || defined(__x86_64__) || \
- defined(__i386) || defined(__i386__) || \
- defined(__AVR__) || defined(__arm) || defined(__arm__) || \
- defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \
- defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \
- (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \
- defined(__LITTLE_ENDIAN__)
-#define LW_UTIL_LITTLE_ENDIAN 1
-#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \
- defined(__BIG_ENDIAN__)
-/* Big endian */
-#else
-#error "Cannot determine the endianess of this platform"
-#endif
-
-/* Helper macros to load and store values while converting endian-ness */
-
-/* Load a big-endian 32-bit word from a byte buffer */
-#define be_load_word32(ptr) \
- ((((uint32_t)((ptr)[0])) << 24) | \
- (((uint32_t)((ptr)[1])) << 16) | \
- (((uint32_t)((ptr)[2])) << 8) | \
- ((uint32_t)((ptr)[3])))
-
-/* Store a big-endian 32-bit word into a byte buffer */
-#define be_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 24); \
- (ptr)[1] = (uint8_t)(_x >> 16); \
- (ptr)[2] = (uint8_t)(_x >> 8); \
- (ptr)[3] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 32-bit word from a byte buffer */
-#define le_load_word32(ptr) \
- ((((uint32_t)((ptr)[3])) << 24) | \
- (((uint32_t)((ptr)[2])) << 16) | \
- (((uint32_t)((ptr)[1])) << 8) | \
- ((uint32_t)((ptr)[0])))
-
-/* Store a little-endian 32-bit word into a byte buffer */
-#define le_store_word32(ptr, x) \
- do { \
- uint32_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- } while (0)
-
-/* Load a big-endian 64-bit word from a byte buffer */
-#define be_load_word64(ptr) \
- ((((uint64_t)((ptr)[0])) << 56) | \
- (((uint64_t)((ptr)[1])) << 48) | \
- (((uint64_t)((ptr)[2])) << 40) | \
- (((uint64_t)((ptr)[3])) << 32) | \
- (((uint64_t)((ptr)[4])) << 24) | \
- (((uint64_t)((ptr)[5])) << 16) | \
- (((uint64_t)((ptr)[6])) << 8) | \
- ((uint64_t)((ptr)[7])))
-
-/* Store a big-endian 64-bit word into a byte buffer */
-#define be_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 56); \
- (ptr)[1] = (uint8_t)(_x >> 48); \
- (ptr)[2] = (uint8_t)(_x >> 40); \
- (ptr)[3] = (uint8_t)(_x >> 32); \
- (ptr)[4] = (uint8_t)(_x >> 24); \
- (ptr)[5] = (uint8_t)(_x >> 16); \
- (ptr)[6] = (uint8_t)(_x >> 8); \
- (ptr)[7] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 64-bit word from a byte buffer */
-#define le_load_word64(ptr) \
- ((((uint64_t)((ptr)[7])) << 56) | \
- (((uint64_t)((ptr)[6])) << 48) | \
- (((uint64_t)((ptr)[5])) << 40) | \
- (((uint64_t)((ptr)[4])) << 32) | \
- (((uint64_t)((ptr)[3])) << 24) | \
- (((uint64_t)((ptr)[2])) << 16) | \
- (((uint64_t)((ptr)[1])) << 8) | \
- ((uint64_t)((ptr)[0])))
-
-/* Store a little-endian 64-bit word into a byte buffer */
-#define le_store_word64(ptr, x) \
- do { \
- uint64_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- (ptr)[2] = (uint8_t)(_x >> 16); \
- (ptr)[3] = (uint8_t)(_x >> 24); \
- (ptr)[4] = (uint8_t)(_x >> 32); \
- (ptr)[5] = (uint8_t)(_x >> 40); \
- (ptr)[6] = (uint8_t)(_x >> 48); \
- (ptr)[7] = (uint8_t)(_x >> 56); \
- } while (0)
-
-/* Load a big-endian 16-bit word from a byte buffer */
-#define be_load_word16(ptr) \
- ((((uint16_t)((ptr)[0])) << 8) | \
- ((uint16_t)((ptr)[1])))
-
-/* Store a big-endian 16-bit word into a byte buffer */
-#define be_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)(_x >> 8); \
- (ptr)[1] = (uint8_t)_x; \
- } while (0)
-
-/* Load a little-endian 16-bit word from a byte buffer */
-#define le_load_word16(ptr) \
- ((((uint16_t)((ptr)[1])) << 8) | \
- ((uint16_t)((ptr)[0])))
-
-/* Store a little-endian 16-bit word into a byte buffer */
-#define le_store_word16(ptr, x) \
- do { \
- uint16_t _x = (x); \
- (ptr)[0] = (uint8_t)_x; \
- (ptr)[1] = (uint8_t)(_x >> 8); \
- } while (0)
-
-/* XOR a source byte buffer against a destination */
-#define lw_xor_block(dest, src, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ ^= *_src++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR two source byte buffers and put the result in a destination buffer */
-#define lw_xor_block_2_src(dest, src1, src2, len) \
- do { \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest++ = *_src1++ ^ *_src2++; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time */
-#define lw_xor_block_2_dest(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- *_dest2++ = (*_dest++ ^= *_src++); \
- --_len; \
- } \
- } while (0)
-
-/* XOR two byte buffers and write to a destination which at the same
- * time copying the contents of src2 to dest2 */
-#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src1 = (src1); \
- const unsigned char *_src2 = (src2); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src2++; \
- *_dest2++ = _temp; \
- *_dest++ = *_src1++ ^ _temp; \
- --_len; \
- } \
- } while (0)
-
-/* XOR a source byte buffer against a destination and write to another
- * destination at the same time. This version swaps the source value
- * into the "dest" buffer */
-#define lw_xor_block_swap(dest2, dest, src, len) \
- do { \
- unsigned char *_dest2 = (dest2); \
- unsigned char *_dest = (dest); \
- const unsigned char *_src = (src); \
- unsigned _len = (len); \
- while (_len > 0) { \
- unsigned char _temp = *_src++; \
- *_dest2++ = *_dest ^ _temp; \
- *_dest++ = _temp; \
- --_len; \
- } \
- } while (0)
-
-/* Rotation functions need to be optimised for best performance on AVR.
- * The most efficient rotations are where the number of bits is 1 or a
- * multiple of 8, so we compose the efficient rotations to produce all
- * other rotation counts of interest. */
-
-#if defined(__AVR__)
-#define LW_CRYPTO_ROTATE32_COMPOSED 1
-#else
-#define LW_CRYPTO_ROTATE32_COMPOSED 0
-#endif
-
-/* Rotation macros for 32-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (32 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate(a, bits) \
- (__extension__ ({ \
- uint32_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (32 - (bits))); \
- }))
-
-#if !LW_CRYPTO_ROTATE32_COMPOSED
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1(a) (leftRotate((a), 1))
-#define leftRotate2(a) (leftRotate((a), 2))
-#define leftRotate3(a) (leftRotate((a), 3))
-#define leftRotate4(a) (leftRotate((a), 4))
-#define leftRotate5(a) (leftRotate((a), 5))
-#define leftRotate6(a) (leftRotate((a), 6))
-#define leftRotate7(a) (leftRotate((a), 7))
-#define leftRotate8(a) (leftRotate((a), 8))
-#define leftRotate9(a) (leftRotate((a), 9))
-#define leftRotate10(a) (leftRotate((a), 10))
-#define leftRotate11(a) (leftRotate((a), 11))
-#define leftRotate12(a) (leftRotate((a), 12))
-#define leftRotate13(a) (leftRotate((a), 13))
-#define leftRotate14(a) (leftRotate((a), 14))
-#define leftRotate15(a) (leftRotate((a), 15))
-#define leftRotate16(a) (leftRotate((a), 16))
-#define leftRotate17(a) (leftRotate((a), 17))
-#define leftRotate18(a) (leftRotate((a), 18))
-#define leftRotate19(a) (leftRotate((a), 19))
-#define leftRotate20(a) (leftRotate((a), 20))
-#define leftRotate21(a) (leftRotate((a), 21))
-#define leftRotate22(a) (leftRotate((a), 22))
-#define leftRotate23(a) (leftRotate((a), 23))
-#define leftRotate24(a) (leftRotate((a), 24))
-#define leftRotate25(a) (leftRotate((a), 25))
-#define leftRotate26(a) (leftRotate((a), 26))
-#define leftRotate27(a) (leftRotate((a), 27))
-#define leftRotate28(a) (leftRotate((a), 28))
-#define leftRotate29(a) (leftRotate((a), 29))
-#define leftRotate30(a) (leftRotate((a), 30))
-#define leftRotate31(a) (leftRotate((a), 31))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1(a) (rightRotate((a), 1))
-#define rightRotate2(a) (rightRotate((a), 2))
-#define rightRotate3(a) (rightRotate((a), 3))
-#define rightRotate4(a) (rightRotate((a), 4))
-#define rightRotate5(a) (rightRotate((a), 5))
-#define rightRotate6(a) (rightRotate((a), 6))
-#define rightRotate7(a) (rightRotate((a), 7))
-#define rightRotate8(a) (rightRotate((a), 8))
-#define rightRotate9(a) (rightRotate((a), 9))
-#define rightRotate10(a) (rightRotate((a), 10))
-#define rightRotate11(a) (rightRotate((a), 11))
-#define rightRotate12(a) (rightRotate((a), 12))
-#define rightRotate13(a) (rightRotate((a), 13))
-#define rightRotate14(a) (rightRotate((a), 14))
-#define rightRotate15(a) (rightRotate((a), 15))
-#define rightRotate16(a) (rightRotate((a), 16))
-#define rightRotate17(a) (rightRotate((a), 17))
-#define rightRotate18(a) (rightRotate((a), 18))
-#define rightRotate19(a) (rightRotate((a), 19))
-#define rightRotate20(a) (rightRotate((a), 20))
-#define rightRotate21(a) (rightRotate((a), 21))
-#define rightRotate22(a) (rightRotate((a), 22))
-#define rightRotate23(a) (rightRotate((a), 23))
-#define rightRotate24(a) (rightRotate((a), 24))
-#define rightRotate25(a) (rightRotate((a), 25))
-#define rightRotate26(a) (rightRotate((a), 26))
-#define rightRotate27(a) (rightRotate((a), 27))
-#define rightRotate28(a) (rightRotate((a), 28))
-#define rightRotate29(a) (rightRotate((a), 29))
-#define rightRotate30(a) (rightRotate((a), 30))
-#define rightRotate31(a) (rightRotate((a), 31))
-
-#else /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Composed rotation macros where 1 and 8 are fast, but others are slow */
-
-/* Left rotate by 1 */
-#define leftRotate1(a) (leftRotate((a), 1))
-
-/* Left rotate by 2 */
-#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
-
-/* Left rotate by 3 */
-#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
-
-/* Left rotate by 4 */
-#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 5: Rotate left by 8, then right by 3 */
-#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 6: Rotate left by 8, then right by 2 */
-#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 7: Rotate left by 8, then right by 1 */
-#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 8 */
-#define leftRotate8(a) (leftRotate((a), 8))
-
-/* Left rotate by 9: Rotate left by 8, then left by 1 */
-#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
-
-/* Left rotate by 10: Rotate left by 8, then left by 2 */
-#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
-
-/* Left rotate by 11: Rotate left by 8, then left by 3 */
-#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
-
-/* Left rotate by 12: Rotate left by 16, then right by 4 */
-#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 13: Rotate left by 16, then right by 3 */
-#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 14: Rotate left by 16, then right by 2 */
-#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 15: Rotate left by 16, then right by 1 */
-#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 16 */
-#define leftRotate16(a) (leftRotate((a), 16))
-
-/* Left rotate by 17: Rotate left by 16, then left by 1 */
-#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
-
-/* Left rotate by 18: Rotate left by 16, then left by 2 */
-#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
-
-/* Left rotate by 19: Rotate left by 16, then left by 3 */
-#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
-
-/* Left rotate by 20: Rotate left by 16, then left by 4 */
-#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
-
-/* Left rotate by 21: Rotate left by 24, then right by 3 */
-#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 22: Rotate left by 24, then right by 2 */
-#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 23: Rotate left by 24, then right by 1 */
-#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 24 */
-#define leftRotate24(a) (leftRotate((a), 24))
-
-/* Left rotate by 25: Rotate left by 24, then left by 1 */
-#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
-
-/* Left rotate by 26: Rotate left by 24, then left by 2 */
-#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
-
-/* Left rotate by 27: Rotate left by 24, then left by 3 */
-#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
-
-/* Left rotate by 28: Rotate right by 4 */
-#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
-
-/* Left rotate by 29: Rotate right by 3 */
-#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
-
-/* Left rotate by 30: Rotate right by 2 */
-#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
-
-/* Left rotate by 31: Rotate right by 1 */
-#define leftRotate31(a) (rightRotate((a), 1))
-
-/* Define the 32-bit right rotations in terms of left rotations */
-#define rightRotate1(a) (leftRotate31((a)))
-#define rightRotate2(a) (leftRotate30((a)))
-#define rightRotate3(a) (leftRotate29((a)))
-#define rightRotate4(a) (leftRotate28((a)))
-#define rightRotate5(a) (leftRotate27((a)))
-#define rightRotate6(a) (leftRotate26((a)))
-#define rightRotate7(a) (leftRotate25((a)))
-#define rightRotate8(a) (leftRotate24((a)))
-#define rightRotate9(a) (leftRotate23((a)))
-#define rightRotate10(a) (leftRotate22((a)))
-#define rightRotate11(a) (leftRotate21((a)))
-#define rightRotate12(a) (leftRotate20((a)))
-#define rightRotate13(a) (leftRotate19((a)))
-#define rightRotate14(a) (leftRotate18((a)))
-#define rightRotate15(a) (leftRotate17((a)))
-#define rightRotate16(a) (leftRotate16((a)))
-#define rightRotate17(a) (leftRotate15((a)))
-#define rightRotate18(a) (leftRotate14((a)))
-#define rightRotate19(a) (leftRotate13((a)))
-#define rightRotate20(a) (leftRotate12((a)))
-#define rightRotate21(a) (leftRotate11((a)))
-#define rightRotate22(a) (leftRotate10((a)))
-#define rightRotate23(a) (leftRotate9((a)))
-#define rightRotate24(a) (leftRotate8((a)))
-#define rightRotate25(a) (leftRotate7((a)))
-#define rightRotate26(a) (leftRotate6((a)))
-#define rightRotate27(a) (leftRotate5((a)))
-#define rightRotate28(a) (leftRotate4((a)))
-#define rightRotate29(a) (leftRotate3((a)))
-#define rightRotate30(a) (leftRotate2((a)))
-#define rightRotate31(a) (leftRotate1((a)))
-
-#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
-
-/* Rotation macros for 64-bit arguments */
-
-/* Generic left rotate */
-#define leftRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (64 - (bits))); \
- }))
-
-/* Generic right rotate */
-#define rightRotate_64(a, bits) \
- (__extension__ ({ \
- uint64_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (64 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_64(a) (leftRotate_64((a), 1))
-#define leftRotate2_64(a) (leftRotate_64((a), 2))
-#define leftRotate3_64(a) (leftRotate_64((a), 3))
-#define leftRotate4_64(a) (leftRotate_64((a), 4))
-#define leftRotate5_64(a) (leftRotate_64((a), 5))
-#define leftRotate6_64(a) (leftRotate_64((a), 6))
-#define leftRotate7_64(a) (leftRotate_64((a), 7))
-#define leftRotate8_64(a) (leftRotate_64((a), 8))
-#define leftRotate9_64(a) (leftRotate_64((a), 9))
-#define leftRotate10_64(a) (leftRotate_64((a), 10))
-#define leftRotate11_64(a) (leftRotate_64((a), 11))
-#define leftRotate12_64(a) (leftRotate_64((a), 12))
-#define leftRotate13_64(a) (leftRotate_64((a), 13))
-#define leftRotate14_64(a) (leftRotate_64((a), 14))
-#define leftRotate15_64(a) (leftRotate_64((a), 15))
-#define leftRotate16_64(a) (leftRotate_64((a), 16))
-#define leftRotate17_64(a) (leftRotate_64((a), 17))
-#define leftRotate18_64(a) (leftRotate_64((a), 18))
-#define leftRotate19_64(a) (leftRotate_64((a), 19))
-#define leftRotate20_64(a) (leftRotate_64((a), 20))
-#define leftRotate21_64(a) (leftRotate_64((a), 21))
-#define leftRotate22_64(a) (leftRotate_64((a), 22))
-#define leftRotate23_64(a) (leftRotate_64((a), 23))
-#define leftRotate24_64(a) (leftRotate_64((a), 24))
-#define leftRotate25_64(a) (leftRotate_64((a), 25))
-#define leftRotate26_64(a) (leftRotate_64((a), 26))
-#define leftRotate27_64(a) (leftRotate_64((a), 27))
-#define leftRotate28_64(a) (leftRotate_64((a), 28))
-#define leftRotate29_64(a) (leftRotate_64((a), 29))
-#define leftRotate30_64(a) (leftRotate_64((a), 30))
-#define leftRotate31_64(a) (leftRotate_64((a), 31))
-#define leftRotate32_64(a) (leftRotate_64((a), 32))
-#define leftRotate33_64(a) (leftRotate_64((a), 33))
-#define leftRotate34_64(a) (leftRotate_64((a), 34))
-#define leftRotate35_64(a) (leftRotate_64((a), 35))
-#define leftRotate36_64(a) (leftRotate_64((a), 36))
-#define leftRotate37_64(a) (leftRotate_64((a), 37))
-#define leftRotate38_64(a) (leftRotate_64((a), 38))
-#define leftRotate39_64(a) (leftRotate_64((a), 39))
-#define leftRotate40_64(a) (leftRotate_64((a), 40))
-#define leftRotate41_64(a) (leftRotate_64((a), 41))
-#define leftRotate42_64(a) (leftRotate_64((a), 42))
-#define leftRotate43_64(a) (leftRotate_64((a), 43))
-#define leftRotate44_64(a) (leftRotate_64((a), 44))
-#define leftRotate45_64(a) (leftRotate_64((a), 45))
-#define leftRotate46_64(a) (leftRotate_64((a), 46))
-#define leftRotate47_64(a) (leftRotate_64((a), 47))
-#define leftRotate48_64(a) (leftRotate_64((a), 48))
-#define leftRotate49_64(a) (leftRotate_64((a), 49))
-#define leftRotate50_64(a) (leftRotate_64((a), 50))
-#define leftRotate51_64(a) (leftRotate_64((a), 51))
-#define leftRotate52_64(a) (leftRotate_64((a), 52))
-#define leftRotate53_64(a) (leftRotate_64((a), 53))
-#define leftRotate54_64(a) (leftRotate_64((a), 54))
-#define leftRotate55_64(a) (leftRotate_64((a), 55))
-#define leftRotate56_64(a) (leftRotate_64((a), 56))
-#define leftRotate57_64(a) (leftRotate_64((a), 57))
-#define leftRotate58_64(a) (leftRotate_64((a), 58))
-#define leftRotate59_64(a) (leftRotate_64((a), 59))
-#define leftRotate60_64(a) (leftRotate_64((a), 60))
-#define leftRotate61_64(a) (leftRotate_64((a), 61))
-#define leftRotate62_64(a) (leftRotate_64((a), 62))
-#define leftRotate63_64(a) (leftRotate_64((a), 63))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_64(a) (rightRotate_64((a), 1))
-#define rightRotate2_64(a) (rightRotate_64((a), 2))
-#define rightRotate3_64(a) (rightRotate_64((a), 3))
-#define rightRotate4_64(a) (rightRotate_64((a), 4))
-#define rightRotate5_64(a) (rightRotate_64((a), 5))
-#define rightRotate6_64(a) (rightRotate_64((a), 6))
-#define rightRotate7_64(a) (rightRotate_64((a), 7))
-#define rightRotate8_64(a) (rightRotate_64((a), 8))
-#define rightRotate9_64(a) (rightRotate_64((a), 9))
-#define rightRotate10_64(a) (rightRotate_64((a), 10))
-#define rightRotate11_64(a) (rightRotate_64((a), 11))
-#define rightRotate12_64(a) (rightRotate_64((a), 12))
-#define rightRotate13_64(a) (rightRotate_64((a), 13))
-#define rightRotate14_64(a) (rightRotate_64((a), 14))
-#define rightRotate15_64(a) (rightRotate_64((a), 15))
-#define rightRotate16_64(a) (rightRotate_64((a), 16))
-#define rightRotate17_64(a) (rightRotate_64((a), 17))
-#define rightRotate18_64(a) (rightRotate_64((a), 18))
-#define rightRotate19_64(a) (rightRotate_64((a), 19))
-#define rightRotate20_64(a) (rightRotate_64((a), 20))
-#define rightRotate21_64(a) (rightRotate_64((a), 21))
-#define rightRotate22_64(a) (rightRotate_64((a), 22))
-#define rightRotate23_64(a) (rightRotate_64((a), 23))
-#define rightRotate24_64(a) (rightRotate_64((a), 24))
-#define rightRotate25_64(a) (rightRotate_64((a), 25))
-#define rightRotate26_64(a) (rightRotate_64((a), 26))
-#define rightRotate27_64(a) (rightRotate_64((a), 27))
-#define rightRotate28_64(a) (rightRotate_64((a), 28))
-#define rightRotate29_64(a) (rightRotate_64((a), 29))
-#define rightRotate30_64(a) (rightRotate_64((a), 30))
-#define rightRotate31_64(a) (rightRotate_64((a), 31))
-#define rightRotate32_64(a) (rightRotate_64((a), 32))
-#define rightRotate33_64(a) (rightRotate_64((a), 33))
-#define rightRotate34_64(a) (rightRotate_64((a), 34))
-#define rightRotate35_64(a) (rightRotate_64((a), 35))
-#define rightRotate36_64(a) (rightRotate_64((a), 36))
-#define rightRotate37_64(a) (rightRotate_64((a), 37))
-#define rightRotate38_64(a) (rightRotate_64((a), 38))
-#define rightRotate39_64(a) (rightRotate_64((a), 39))
-#define rightRotate40_64(a) (rightRotate_64((a), 40))
-#define rightRotate41_64(a) (rightRotate_64((a), 41))
-#define rightRotate42_64(a) (rightRotate_64((a), 42))
-#define rightRotate43_64(a) (rightRotate_64((a), 43))
-#define rightRotate44_64(a) (rightRotate_64((a), 44))
-#define rightRotate45_64(a) (rightRotate_64((a), 45))
-#define rightRotate46_64(a) (rightRotate_64((a), 46))
-#define rightRotate47_64(a) (rightRotate_64((a), 47))
-#define rightRotate48_64(a) (rightRotate_64((a), 48))
-#define rightRotate49_64(a) (rightRotate_64((a), 49))
-#define rightRotate50_64(a) (rightRotate_64((a), 50))
-#define rightRotate51_64(a) (rightRotate_64((a), 51))
-#define rightRotate52_64(a) (rightRotate_64((a), 52))
-#define rightRotate53_64(a) (rightRotate_64((a), 53))
-#define rightRotate54_64(a) (rightRotate_64((a), 54))
-#define rightRotate55_64(a) (rightRotate_64((a), 55))
-#define rightRotate56_64(a) (rightRotate_64((a), 56))
-#define rightRotate57_64(a) (rightRotate_64((a), 57))
-#define rightRotate58_64(a) (rightRotate_64((a), 58))
-#define rightRotate59_64(a) (rightRotate_64((a), 59))
-#define rightRotate60_64(a) (rightRotate_64((a), 60))
-#define rightRotate61_64(a) (rightRotate_64((a), 61))
-#define rightRotate62_64(a) (rightRotate_64((a), 62))
-#define rightRotate63_64(a) (rightRotate_64((a), 63))
-
-/* Rotate a 16-bit value left by a number of bits */
-#define leftRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp << (bits)) | (_temp >> (16 - (bits))); \
- }))
-
-/* Rotate a 16-bit value right by a number of bits */
-#define rightRotate_16(a, bits) \
- (__extension__ ({ \
- uint16_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (16 - (bits))); \
- }))
-
-/* Left rotate by a specific number of
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/internal-wage.c b/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/internal-wage.c deleted file mode 100644 index e9528c9..0000000 --- a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/internal-wage.c +++ /dev/null 
@@ -1,512 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "internal-wage.h" - -/** - * \brief Number of rounds for the WAGE permutation. - */ -#define WAGE_NUM_ROUNDS 111 - -/** - * \brief Define WAGE_64BIT to use the 64-bit version of the WAGE core - * permutation. Undefine to use the 8-bit version instead. - */ -#define WAGE_64BIT 1 - -/** - * \brief RC0 and RC1 round constants for WAGE, interleaved with each other. 
- */ -static unsigned char const wage_rc[WAGE_NUM_ROUNDS * 2] = { - 0x7f, 0x3f, 0x1f, 0x0f, 0x07, 0x03, 0x01, 0x40, 0x20, 0x10, 0x08, 0x04, - 0x02, 0x41, 0x60, 0x30, 0x18, 0x0c, 0x06, 0x43, 0x21, 0x50, 0x28, 0x14, - 0x0a, 0x45, 0x62, 0x71, 0x78, 0x3c, 0x1e, 0x4f, 0x27, 0x13, 0x09, 0x44, - 0x22, 0x51, 0x68, 0x34, 0x1a, 0x4d, 0x66, 0x73, 0x39, 0x5c, 0x2e, 0x57, - 0x2b, 0x15, 0x4a, 0x65, 0x72, 0x79, 0x7c, 0x3e, 0x5f, 0x2f, 0x17, 0x0b, - 0x05, 0x42, 0x61, 0x70, 0x38, 0x1c, 0x0e, 0x47, 0x23, 0x11, 0x48, 0x24, - 0x12, 0x49, 0x64, 0x32, 0x59, 0x6c, 0x36, 0x5b, 0x2d, 0x56, 0x6b, 0x35, - 0x5a, 0x6d, 0x76, 0x7b, 0x3d, 0x5e, 0x6f, 0x37, 0x1b, 0x0d, 0x46, 0x63, - 0x31, 0x58, 0x2c, 0x16, 0x4b, 0x25, 0x52, 0x69, 0x74, 0x3a, 0x5d, 0x6e, - 0x77, 0x3b, 0x1d, 0x4e, 0x67, 0x33, 0x19, 0x4c, 0x26, 0x53, 0x29, 0x54, - 0x2a, 0x55, 0x6a, 0x75, 0x7a, 0x7d, 0x7e, 0x7f, 0x3f, 0x1f, 0x0f, 0x07, - 0x03, 0x01, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x41, 0x60, 0x30, 0x18, - 0x0c, 0x06, 0x43, 0x21, 0x50, 0x28, 0x14, 0x0a, 0x45, 0x62, 0x71, 0x78, - 0x3c, 0x1e, 0x4f, 0x27, 0x13, 0x09, 0x44, 0x22, 0x51, 0x68, 0x34, 0x1a, - 0x4d, 0x66, 0x73, 0x39, 0x5c, 0x2e, 0x57, 0x2b, 0x15, 0x4a, 0x65, 0x72, - 0x79, 0x7c, 0x3e, 0x5f, 0x2f, 0x17, 0x0b, 0x05, 0x42, 0x61, 0x70, 0x38, - 0x1c, 0x0e, 0x47, 0x23, 0x11, 0x48, 0x24, 0x12, 0x49, 0x64, 0x32, 0x59, - 0x6c, 0x36, 0x5b, 0x2d, 0x56, 0x6b, 0x35, 0x5a, 0x6d, 0x76, 0x7b, 0x3d, - 0x5e, 0x6f, 0x37, 0x1b, 0x0d, 0x46 -}; - -/** - * \brief Apply the WGP permutation to a 7-bit component. - * - * Warning: This is not constant cache. 
- */ -static unsigned char const wage_wgp[128] = { - 0x00, 0x12, 0x0a, 0x4b, 0x66, 0x0c, 0x48, 0x73, 0x79, 0x3e, 0x61, 0x51, - 0x01, 0x15, 0x17, 0x0e, 0x7e, 0x33, 0x68, 0x36, 0x42, 0x35, 0x37, 0x5e, - 0x53, 0x4c, 0x3f, 0x54, 0x58, 0x6e, 0x56, 0x2a, 0x1d, 0x25, 0x6d, 0x65, - 0x5b, 0x71, 0x2f, 0x20, 0x06, 0x18, 0x29, 0x3a, 0x0d, 0x7a, 0x6c, 0x1b, - 0x19, 0x43, 0x70, 0x41, 0x49, 0x22, 0x77, 0x60, 0x4f, 0x45, 0x55, 0x02, - 0x63, 0x47, 0x75, 0x2d, 0x40, 0x46, 0x7d, 0x5c, 0x7c, 0x59, 0x26, 0x0b, - 0x09, 0x03, 0x57, 0x5d, 0x27, 0x78, 0x30, 0x2e, 0x44, 0x52, 0x3b, 0x08, - 0x67, 0x2c, 0x05, 0x6b, 0x2b, 0x1a, 0x21, 0x38, 0x07, 0x0f, 0x4a, 0x11, - 0x50, 0x6a, 0x28, 0x31, 0x10, 0x4d, 0x5f, 0x72, 0x39, 0x16, 0x5a, 0x13, - 0x04, 0x3c, 0x34, 0x1f, 0x76, 0x1e, 0x14, 0x23, 0x1c, 0x32, 0x4e, 0x7b, - 0x24, 0x74, 0x7f, 0x3d, 0x69, 0x64, 0x62, 0x6f -}; - -/** - * \brief Evaluate the WAGE S-box three times in parallel. - * - * \param x6 The input values to the S-box. - * \return The output values from the S-box. - * - * This function directly evaluates the S-box in bit-sliced form - * using the algorithm from the specification. 
- */ -STATIC_INLINE uint32_t wage_sbox_parallel_3(uint32_t x6) -{ - uint32_t x0 = x6 >> 6; - uint32_t x1 = x6 >> 5; - uint32_t x2 = x6 >> 4; - uint32_t x3 = x6 >> 3; - uint32_t x4 = x6 >> 2; - uint32_t x5 = x6 >> 1; - x0 ^= (x2 & x3); x3 = ~x3; x3 ^= (x5 & x6); x5 = ~x5; x5 ^= (x2 & x4); - x6 ^= (x0 & x4); x4 = ~x4; x4 ^= (x5 & x1); x5 = ~x5; x5 ^= (x0 & x2); - x1 ^= (x6 & x2); x2 = ~x2; x2 ^= (x5 & x3); x5 = ~x5; x5 ^= (x6 & x0); - x3 ^= (x1 & x0); x0 = ~x0; x0 ^= (x5 & x4); x5 = ~x5; x5 ^= (x1 & x6); - x4 ^= (x3 & x6); x6 = ~x6; x6 ^= (x5 & x2); x5 = ~x5; x5 ^= (x3 & x1); - x2 ^= (x4 & x1); x1 = ~x1; x1 ^= (x5 & x0); x5 = ~x5; x5 ^= (x4 & x3); - x2 = ~x2; x4 = ~x4; - return ((x2 & 0x00010101U) << 6) ^ - ((x6 & 0x00010101U) << 5) ^ - ((x4 & 0x00010101U) << 4) ^ - ((x1 & 0x00010101U) << 3) ^ - ((x3 & 0x00010101U) << 2) ^ - ((x5 & 0x00010101U) << 1) ^ - (x0 & 0x00010101U); -} - -void wage_permute(unsigned char s[WAGE_STATE_SIZE]) -{ -#if defined(WAGE_64BIT) - const unsigned char *rc = wage_rc; - unsigned char round; - uint64_t x0, x1, x2, x3, x4; - uint32_t fb, temp; - - /* Load the state into 64-bit words. Each word will have up to eight - * 7-bit components with the MSB of each component fixed at zero. - * - * x0 = s[0] .. s[7] - * x1 = s[8] .. s[15] - * x2 = s[16] .. s[23] - * x3 = s[24] .. s[31] - * x4 = s[32] .. s[36] - */ - x0 = le_load_word64(s); - x1 = le_load_word64(s + 8); - x2 = le_load_word64(s + 16); - x3 = le_load_word64(s + 24); - x4 = le_load_word32(s + 32) | (((uint64_t)(s[36])) << 32); - - /* Perform all rounds 3 at a time to reduce the state rotation overhead */ - for (round = 0; round < (WAGE_NUM_ROUNDS / 3); ++round, rc += 6) { - /* Calculate the feedback value for the LFSR. - * - * fb = omega(s[0]) ^ s[6] ^ s[8] ^ s[12] ^ s[13] ^ s[19] ^ - * s[24] ^ s[26] ^ s[30] ^ s[31] ^ WGP(s[36]) ^ RC1[round] - * - * where omega(x) is (x >> 1) if the low bit of x is zero and - * (x >> 1) ^ 0x78 if the low bit of x is one. 
- */ - /* fb0 = omega(s[0]), fb1 = omega(s[1]), fb2 = omega(s[2]) */ - temp = (uint32_t)x0; - fb = (temp & 0x00010101U) << 6; - fb ^= (fb >> 1); - fb ^= (fb >> 2); - fb ^= (temp >> 1) & 0x003F3F3FU; - /* fb0 ^= s[6], fb1 ^= s[7], fb2 ^= s[8] */ - fb ^= (uint32_t)(x0 >> 48); - fb ^= ((uint32_t)x1) << 16; - /* fb0 ^= s[8], fb1 ^= s[9], fb2 ^= s[10] */ - fb ^= (uint32_t)x1; - /* fb0 ^= s[12], fb1 ^= s[13], fb2 ^= s[14] */ - fb ^= (uint32_t)(x1 >> 32); - /* fb0 ^= s[13], fb1 ^= s[14], fb2 ^= s[15] */ - fb ^= (uint32_t)(x1 >> 40); - /* fb0 ^= s[19], fb1 ^= s[20], fb2 ^= s[21] */ - fb ^= (uint32_t)(x2 >> 24); - /* fb0 ^= s[24], fb1 ^= s[25], fb2 ^= s[26] */ - fb ^= (uint32_t)x3; - /* fb0 ^= s[26], fb1 ^= s[27], fb2 ^= s[28] */ - fb ^= (uint32_t)(x3 >> 16); - /* fb0 ^= s[30], fb1 ^= s[31], fb2 ^= s[32] */ - fb ^= (uint32_t)(x3 >> 48); - fb ^= ((uint32_t)x4) << 16; - /* fb0 ^= s[31], fb1 ^= s[32], fb2 ^= s[33] */ - fb ^= (uint32_t)(x3 >> 56); - fb ^= ((uint32_t)x4) << 8; - /* fb0,1,2 ^= RC1 */ - temp = rc[1] | (((uint32_t)(rc[3])) << 8) | (((uint32_t)(rc[5])) << 16); - fb ^= temp; - /* fb0 ^= WGP(s[36]) */ - fb ^= wage_wgp[(uint8_t)(x4 >> 32)]; - /* fb1 ^= WGP(fb0) */ - fb ^= ((uint32_t)(wage_wgp[fb & 0xFF])) << 8; - /* fb2 ^= WGP(fb1) */ - fb ^= ((uint32_t)(wage_wgp[(fb >> 8) & 0xFF])) << 16; - - /* Apply the S-box and WGP permutation to certain components */ - /* s[5] ^= sbox[s[8]], s[6] ^= sbox[s[9]], s[7] ^= sbox[s[10]] */ - x0 ^= ((uint64_t)wage_sbox_parallel_3((uint32_t)x1)) << 40; - /* s[11] ^= sbox[s[15]], s[12] ^= sbox[s[16]], s[13] ^= sbox[s[17]] */ - x1 ^= ((uint64_t)wage_sbox_parallel_3 - ((uint32_t)((x1 >> 56) | (x2 << 8)))) << 24; - /* s[24] ^= sbox[s[27]], s[25] ^= sbox[s[28]], s[26] ^= sbox[s[29]] */ - x3 ^= (uint64_t)wage_sbox_parallel_3((uint32_t)(x3 >> 24)); - /* s[30] ^= sbox[s[34]], s[31] ^= sbox[s[35]], s[32] ^= sbox[s[36]] */ - temp = wage_sbox_parallel_3((uint32_t)(x4 >> 16)); - x3 ^= ((uint64_t)temp) << 48; - x4 ^= temp >> 16; - /* s[19] ^= 
WGP[s[18]] ^ RC0 */ - temp = (uint32_t)(x2 >> 16); /* s[18..21] */ - temp ^= ((uint32_t)(wage_wgp[temp & 0x7F])) << 8; - temp ^= ((uint32_t)(rc[0])) << 8; - /* s[20] ^= WGP[s[19]] ^ RC0 */ - temp ^= ((uint32_t)(wage_wgp[(temp >> 8) & 0x7F])) << 16; - temp ^= ((uint32_t)(rc[2])) << 16; - /* s[21] ^= WGP[s[20]] ^ RC0 */ - temp ^= ((uint32_t)(wage_wgp[(temp >> 16) & 0x7F])) << 24; - temp ^= ((uint32_t)(rc[4])) << 24; - temp &= 0x7F7F7F00U; - x2 = (x2 & 0xFFFF000000FFFFFFULL) | (((uint64_t)temp) << 16); - - /* Rotate the components of the state by 3 positions */ - x0 = (x0 >> 24) | (x1 << 40); - x1 = (x1 >> 24) | (x2 << 40); - x2 = (x2 >> 24) | (x3 << 40); - x3 = (x3 >> 24) | (x4 << 40); - x4 = (x4 >> 24) | (((uint64_t)(fb & 0x00FFFFFFU)) << 16); - } - - /* Save the words back to the state */ - le_store_word64(s, x0); - le_store_word64(s + 8, x1); - le_store_word64(s + 16, x2); - le_store_word64(s + 24, x3); - le_store_word32(s + 32, (uint32_t)x4); - s[36] = (unsigned char)(x4 >> 32); -#else /* 8-bit version of WAGE */ - const unsigned char *rc = wage_rc; - unsigned char round, index; - unsigned char fb0, fb1, fb2; - uint32_t temp; - - /* Perform all rounds 3 at a time to reduce the state rotation overhead */ - for (round = 0; round < (WAGE_NUM_ROUNDS / 3); ++round, rc += 6) { - /* Calculate the feedback value for the LFSR. - * - * fb = omega(s[0]) ^ s[6] ^ s[8] ^ s[12] ^ s[13] ^ s[19] ^ - * s[24] ^ s[26] ^ s[30] ^ s[31] ^ WGP(s[36]) ^ RC1[round] - * - * where omega(x) is (x >> 1) if the low bit of x is zero and - * (x >> 1) ^ 0x78 if the low bit of x is one. 
- */ - fb0 = (s[0] >> 1) ^ (0x78 & -(s[0] & 0x01)); - fb0 ^= s[6] ^ s[8] ^ s[12] ^ s[13] ^ s[19] ^ - s[24] ^ s[26] ^ s[30] ^ s[31] ^ rc[1]; - fb0 ^= wage_wgp[s[36]]; - fb1 = (s[1] >> 1) ^ (0x78 & -(s[1] & 0x01)); - fb1 ^= s[7] ^ s[9] ^ s[13] ^ s[14] ^ s[20] ^ - s[25] ^ s[27] ^ s[31] ^ s[32] ^ rc[3]; - fb1 ^= wage_wgp[fb0]; - fb2 = (s[2] >> 1) ^ (0x78 & -(s[2] & 0x01)); - fb2 ^= s[8] ^ s[10] ^ s[14] ^ s[15] ^ s[21] ^ - s[26] ^ s[28] ^ s[32] ^ s[33] ^ rc[5]; - fb2 ^= wage_wgp[fb1]; - - /* Apply the S-box and WGP permutation to certain components */ - temp = s[8] | (((uint32_t)(s[9])) << 8) | (((uint32_t)(s[10])) << 16); - temp = wage_sbox_parallel_3(temp); - s[5] ^= (unsigned char)temp; - s[6] ^= (unsigned char)(temp >> 8); - s[7] ^= (unsigned char)(temp >> 16); - temp = s[15] | (((uint32_t)(s[16])) << 8) | (((uint32_t)(s[17])) << 16); - temp = wage_sbox_parallel_3(temp); - s[11] ^= (unsigned char)temp; - s[12] ^= (unsigned char)(temp >> 8); - s[13] ^= (unsigned char)(temp >> 16); - s[19] ^= wage_wgp[s[18]] ^ rc[0]; - s[20] ^= wage_wgp[s[19]] ^ rc[2]; - s[21] ^= wage_wgp[s[20]] ^ rc[4]; - temp = s[27] | (((uint32_t)(s[28])) << 8) | (((uint32_t)(s[29])) << 16); - temp = wage_sbox_parallel_3(temp); - s[24] ^= (unsigned char)temp; - s[25] ^= (unsigned char)(temp >> 8); - s[26] ^= (unsigned char)(temp >> 16); - temp = s[34] | (((uint32_t)(s[35])) << 8) | (((uint32_t)(s[36])) << 16); - temp = wage_sbox_parallel_3(temp); - s[30] ^= (unsigned char)temp; - s[31] ^= (unsigned char)(temp >> 8); - s[32] ^= (unsigned char)(temp >> 16); - - /* Rotate the components of the state by 3 positions */ - for (index = 0; index < WAGE_STATE_SIZE - 3; ++index) - s[index] = s[index + 3]; - s[WAGE_STATE_SIZE - 3] = fb0; - s[WAGE_STATE_SIZE - 2] = fb1; - s[WAGE_STATE_SIZE - 1] = fb2; - } -#endif -} - -/* 7-bit components for the rate: 8, 9, 15, 16, 18, 27, 28, 34, 35, 36 */ - -void wage_absorb - (unsigned char s[WAGE_STATE_SIZE], const unsigned char data[8], - unsigned char domain) -{ - 
uint32_t temp; - temp = be_load_word32(data); - s[8] ^= (unsigned char)(temp >> 25); - s[9] ^= (unsigned char)((temp >> 18) & 0x7F); - s[15] ^= (unsigned char)((temp >> 11) & 0x7F); - s[16] ^= (unsigned char)((temp >> 4) & 0x7F); - s[18] ^= (unsigned char)((temp << 3) & 0x7F); - temp = be_load_word32(data + 4); - s[18] ^= (unsigned char)(temp >> 29); - s[27] ^= (unsigned char)((temp >> 22) & 0x7F); - s[28] ^= (unsigned char)((temp >> 15) & 0x7F); - s[34] ^= (unsigned char)((temp >> 8) & 0x7F); - s[35] ^= (unsigned char)((temp >> 1) & 0x7F); - s[36] ^= (unsigned char)((temp << 6) & 0x7F); - s[0] ^= domain; -} - -void wage_get_rate - (const unsigned char s[WAGE_STATE_SIZE], unsigned char data[8]) -{ - uint32_t temp; - temp = ((uint32_t)(s[8])) << 25; - temp |= ((uint32_t)(s[9])) << 18; - temp |= ((uint32_t)(s[15])) << 11; - temp |= ((uint32_t)(s[16])) << 4; - temp |= ((uint32_t)(s[18])) >> 3; - be_store_word32(data, temp); - temp = ((uint32_t)(s[18])) << 29; - temp |= ((uint32_t)(s[27])) << 22; - temp |= ((uint32_t)(s[28])) << 15; - temp |= ((uint32_t)(s[34])) << 8; - temp |= ((uint32_t)(s[35])) << 1; - temp |= ((uint32_t)(s[36])) >> 6; - be_store_word32(data + 4, temp); -} - -void wage_set_rate - (unsigned char s[WAGE_STATE_SIZE], const unsigned char data[8], - unsigned char domain) -{ - uint32_t temp; - temp = be_load_word32(data); - s[8] = (unsigned char)(temp >> 25); - s[9] = (unsigned char)((temp >> 18) & 0x7F); - s[15] = (unsigned char)((temp >> 11) & 0x7F); - s[16] = (unsigned char)((temp >> 4) & 0x7F); - s[18] = (unsigned char)((temp << 3) & 0x7F); - temp = be_load_word32(data + 4); - s[18] ^= (unsigned char)(temp >> 29); - s[27] = (unsigned char)((temp >> 22) & 0x7F); - s[28] = (unsigned char)((temp >> 15) & 0x7F); - s[34] = (unsigned char)((temp >> 8) & 0x7F); - s[35] = (unsigned char)((temp >> 1) & 0x7F); - s[36] = (unsigned char)(((temp << 6) & 0x40) ^ (s[36] & 0x3F)); - s[0] ^= domain; -} - -/** - * \brief Converts a 128-bit value into an array of 7-bit 
components. - * - * \param out Points to the output array of 7-bit components. - * \param in Points to the 128-bit value to convert. - */ -static void wage_128bit_to_components - (unsigned char out[19], const unsigned char *in) -{ - uint32_t temp; - temp = be_load_word32(in); - out[0] = (unsigned char)(temp >> 25); - out[1] = (unsigned char)((temp >> 18) & 0x7F); - out[2] = (unsigned char)((temp >> 11) & 0x7F); - out[3] = (unsigned char)((temp >> 4) & 0x7F); - out[4] = (unsigned char)((temp << 3) & 0x7F); - temp = be_load_word32(in + 4); - out[4] ^= (unsigned char)(temp >> 29); - out[5] = (unsigned char)((temp >> 22) & 0x7F); - out[6] = (unsigned char)((temp >> 15) & 0x7F); - out[7] = (unsigned char)((temp >> 8) & 0x7F); - out[8] = (unsigned char)((temp >> 1) & 0x7F); - out[18] = (unsigned char)((temp << 6) & 0x7F); - temp = be_load_word32(in + 8); - out[9] = (unsigned char)(temp >> 25); - out[10] = (unsigned char)((temp >> 18) & 0x7F); - out[11] = (unsigned char)((temp >> 11) & 0x7F); - out[12] = (unsigned char)((temp >> 4) & 0x7F); - out[13] = (unsigned char)((temp << 3) & 0x7F); - temp = be_load_word32(in + 12); - out[13] ^= (unsigned char)(temp >> 29); - out[14] = (unsigned char)((temp >> 22) & 0x7F); - out[15] = (unsigned char)((temp >> 15) & 0x7F); - out[16] = (unsigned char)((temp >> 8) & 0x7F); - out[17] = (unsigned char)((temp >> 1) & 0x7F); - out[18] ^= (unsigned char)((temp << 5) & 0x20); -} - -void wage_absorb_key - (unsigned char s[WAGE_STATE_SIZE], const unsigned char *key) -{ - unsigned char components[19]; - wage_128bit_to_components(components, key); - s[8] ^= components[0]; - s[9] ^= components[1]; - s[15] ^= components[2]; - s[16] ^= components[3]; - s[18] ^= components[4]; - s[27] ^= components[5]; - s[28] ^= components[6]; - s[34] ^= components[7]; - s[35] ^= components[8]; - s[36] ^= components[18] & 0x40; - wage_permute(s); - s[8] ^= components[9]; - s[9] ^= components[10]; - s[15] ^= components[11]; - s[16] ^= components[12]; - s[18] ^= 
components[13]; - s[27] ^= components[14]; - s[28] ^= components[15]; - s[34] ^= components[16]; - s[35] ^= components[17]; - s[36] ^= (components[18] << 1) & 0x40; - wage_permute(s); -} - -void wage_init - (unsigned char s[WAGE_STATE_SIZE], - const unsigned char *key, const unsigned char *nonce) -{ - unsigned char components[19]; - - /* Initialize the state with the key and nonce */ - wage_128bit_to_components(components, key); - s[0] = components[0]; - s[1] = components[2]; - s[2] = components[4]; - s[3] = components[6]; - s[4] = components[8]; - s[5] = components[10]; - s[6] = components[12]; - s[7] = components[14]; - s[8] = components[16]; - s[18] = components[18]; - s[19] = components[1]; - s[20] = components[3]; - s[21] = components[5]; - s[22] = components[7]; - s[23] = components[9]; - s[24] = components[11]; - s[25] = components[13]; - s[26] = components[15]; - s[27] = components[17]; - wage_128bit_to_components(components, nonce); - s[9] = components[1]; - s[10] = components[3]; - s[11] = components[5]; - s[12] = components[7]; - s[13] = components[9]; - s[14] = components[11]; - s[15] = components[13]; - s[16] = components[17]; - s[17] = components[15]; - s[18] ^= (components[18] >> 2); - s[28] = components[0]; - s[29] = components[2]; - s[30] = components[4]; - s[31] = components[6]; - s[32] = components[8]; - s[33] = components[10]; - s[34] = components[12]; - s[35] = components[14]; - s[36] = components[16]; - - /* Permute the state to absorb the key and nonce */ - wage_permute(s); - - /* Absorb the key again and permute the state */ - wage_absorb_key(s, key); -} - -void wage_extract_tag - (const unsigned char s[WAGE_STATE_SIZE], unsigned char tag[16]) -{ - unsigned char components[19]; - uint32_t temp; - - /* Extract the 7-bit components that make up the tag */ - for (temp = 0; temp < 9; ++temp) { - components[temp * 2] = s[28 + temp]; - components[temp * 2 + 1] = s[ 9 + temp]; - } - components[18] = (s[18] << 2) & 0x60; - - /* Convert from 7-bit 
component form back into bytes */ - temp = ((uint32_t)(components[0])) << 25; - temp |= ((uint32_t)(components[1])) << 18; - temp |= ((uint32_t)(components[2])) << 11; - temp |= ((uint32_t)(components[3])) << 4; - temp |= ((uint32_t)(components[4])) >> 3; - be_store_word32(tag, temp); - temp = ((uint32_t)(components[4])) << 29; - temp |= ((uint32_t)(components[5])) << 22; - temp |= ((uint32_t)(components[6])) << 15; - temp |= ((uint32_t)(components[7])) << 8; - temp |= ((uint32_t)(components[8])) << 1; - temp |= ((uint32_t)(components[9])) >> 6; - be_store_word32(tag + 4, temp); - temp = ((uint32_t)(components[9])) << 26; - temp |= ((uint32_t)(components[10])) << 19; - temp |= ((uint32_t)(components[11])) << 12; - temp |= ((uint32_t)(components[12])) << 5; - temp |= ((uint32_t)(components[13])) >> 2; - be_store_word32(tag + 8, temp); - temp = ((uint32_t)(components[13])) << 30; - temp |= ((uint32_t)(components[14])) << 23; - temp |= ((uint32_t)(components[15])) << 16; - temp |= ((uint32_t)(components[16])) << 9; - temp |= ((uint32_t)(components[17])) << 2; - temp |= ((uint32_t)(components[18])) >> 5; - be_store_word32(tag + 12, temp); -} diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/internal-wage.h b/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/internal-wage.h deleted file mode 100644 index a0d23d7..0000000 --- a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/internal-wage.h +++ /dev/null 
@@ -1,117 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_WAGE_H -#define LW_INTERNAL_WAGE_H - -#include "internal-util.h" - -/** - * \file internal-wage.h - * \brief Internal implementation of the WAGE permutation. - * - * References: https://uwaterloo.ca/communications-security-lab/lwc/wage - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the WAGE state in bytes. - * - * The state is 259 bits, divided into 37 7-bit components, one per byte. - */ -#define WAGE_STATE_SIZE 37 - -/** - * \brief Permutes the WAGE state. - * - * \param s The WAGE state to be permuted. - */ -void wage_permute(unsigned char s[WAGE_STATE_SIZE]); - -/** - * \brief Absorbs 8 bytes into the WAGE state. - * - * \param s The WAGE state to be permuted. - * \param data The data to be absorbed. 
- * \param domain The domain separator for the absorbed data. - */ -void wage_absorb - (unsigned char s[WAGE_STATE_SIZE], const unsigned char data[8], - unsigned char domain); - -/** - * \brief Gets the 8 bytes of the rate from the WAGE state. - * - * \param s The WAGE state to get the bytes from. - * \param data Points to the buffer to receive the extracted bytes. - */ -void wage_get_rate - (const unsigned char s[WAGE_STATE_SIZE], unsigned char data[8]); - -/** - * \brief Sets the 8 bytes of the rate in the WAGE state. - * - * \param s The WAGE state to set the rate in. - * \param data Points to the bytes to set into the rate. - * \param domain The domain separator for the rate data. - */ -void wage_set_rate - (unsigned char s[WAGE_STATE_SIZE], const unsigned char data[8], - unsigned char domain); - -/** - * \brief Absorbs 16 key bytes into the WAGE state. - * - * \param s The WAGE state to be permuted. - * \param key Points to the key data to be absorbed. - */ -void wage_absorb_key - (unsigned char s[WAGE_STATE_SIZE], const unsigned char *key); - -/** - * \brief Initializes the WAGE state with a key and nonce. - * - * \param s The WAGE state to be initialized. - * \param key Points to the 128-bit key. - * \param nonce Points to the 128-bit nonce. - */ -void wage_init - (unsigned char s[WAGE_STATE_SIZE], - const unsigned char *key, const unsigned char *nonce); - -/** - * \brief Extracts the 128-bit authentication tag from the WAGE state. - * - * \param s The WAGE state to extract the tag from. - * \param tag Points to the buffer to receive the extracted tag. - */ -void wage_extract_tag - (const unsigned char s[WAGE_STATE_SIZE], unsigned char tag[16]); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/wage.c b/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/wage.c deleted file mode 100644 index 374409b..0000000 --- a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/wage.c +++ /dev/null 
@@ -1,168 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "wage.h" -#include "internal-wage.h" -#include - -aead_cipher_t const wage_cipher = { - "WAGE", - WAGE_KEY_SIZE, - WAGE_NONCE_SIZE, - WAGE_TAG_SIZE, - AEAD_FLAG_NONE, - wage_aead_encrypt, - wage_aead_decrypt -}; - -/** - * \brief Rate of absorbing data into the WAGE state in sponge mode. - */ -#define WAGE_RATE 8 - -/** - * \brief Processes associated data for WAGE. - * - * \param state Points to the WAGE state. - * \param pad Points to an 8-byte temporary buffer for handling padding. - * \param ad Points to the associated data. - * \param adlen Length of the associated data. 
- */ -static void wage_process_ad - (unsigned char state[WAGE_STATE_SIZE], unsigned char pad[WAGE_RATE], - const unsigned char *ad, unsigned long long adlen) -{ - unsigned temp; - - /* Process as many full blocks as possible */ - while (adlen >= WAGE_RATE) { - wage_absorb(state, ad, 0x40); - wage_permute(state); - ad += WAGE_RATE; - adlen -= WAGE_RATE; - } - - /* Pad and absorb the final block */ - temp = (unsigned)adlen; - memcpy(pad, ad, temp); - pad[temp] = 0x80; - memset(pad + temp + 1, 0, WAGE_RATE - temp - 1); - wage_absorb(state, pad, 0x40); - wage_permute(state); -} - -int wage_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[WAGE_STATE_SIZE]; - unsigned char block[WAGE_RATE]; - unsigned temp; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + WAGE_TAG_SIZE; - - /* Initialize the state and absorb the associated data */ - wage_init(state, k, npub); - if (adlen != 0) - wage_process_ad(state, block, ad, adlen); - - /* Encrypts the plaintext to produce the ciphertext */ - while (mlen >= WAGE_RATE) { - wage_get_rate(state, block); - lw_xor_block(block, m, WAGE_RATE); - wage_set_rate(state, block, 0x20); - wage_permute(state); - memcpy(c, block, WAGE_RATE); - c += WAGE_RATE; - m += WAGE_RATE; - mlen -= WAGE_RATE; - } - temp = (unsigned)mlen; - wage_get_rate(state, block); - lw_xor_block(block, m, temp); - block[temp] ^= 0x80; - wage_set_rate(state, block, 0x20); - wage_permute(state); - memcpy(c, block, temp); - - /* Generate and extract the authentication tag */ - wage_absorb_key(state, k); - wage_extract_tag(state, c + temp); - return 0; -} - -int wage_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, 
unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - unsigned char state[WAGE_STATE_SIZE]; - unsigned char block[WAGE_TAG_SIZE]; - unsigned char *mtemp = m; - unsigned temp; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < WAGE_TAG_SIZE) - return -1; - *mlen = clen - WAGE_TAG_SIZE; - - /* Initialize the state and absorb the associated data */ - wage_init(state, k, npub); - if (adlen != 0) - wage_process_ad(state, block, ad, adlen); - - /* Decrypts the ciphertext to produce the plaintext */ - clen -= WAGE_TAG_SIZE; - while (clen >= WAGE_RATE) { - wage_get_rate(state, block); - lw_xor_block(block, c, WAGE_RATE); - wage_set_rate(state, c, 0x20); - wage_permute(state); - memcpy(m, block, WAGE_RATE); - c += WAGE_RATE; - m += WAGE_RATE; - clen -= WAGE_RATE; - } - temp = (unsigned)clen; - wage_get_rate(state, block); - lw_xor_block_2_src(block + 8, block, c, temp); - memcpy(block, c, temp); - block[temp] ^= 0x80; - wage_set_rate(state, block, 0x20); - wage_permute(state); - memcpy(m, block + 8, temp); - - /* Generate and check the authentication tag */ - wage_absorb_key(state, k); - wage_extract_tag(state, block); - return aead_check_tag(mtemp, *mlen, block, c + temp, WAGE_TAG_SIZE); -} diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/wage.h b/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/wage.h deleted file mode 100644 index 2a620c4..0000000 --- a/wage/Implementations/crypto_aead/wageae128v1/rhys-avr/wage.h +++ /dev/null 
@@ -1,127 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_WAGE_H -#define LWCRYPTO_WAGE_H - -#include "aead-common.h" - -/** - * \file wage.h - * \brief WAGE authenticated encryption algorithm. - * - * WAGE is an authenticated encryption algorithm that is built around the - * 259-bit WAGE permutation. The algorithm has a 128-bit key, a 128-bit - * nonce, and a 128-bit authentication tag. It is an evolution of the - * WG series of stream ciphers. - * - * References: https://uwaterloo.ca/communications-security-lab/lwc/wage - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for WAGE. - */ -#define WAGE_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for WAGE. - */ -#define WAGE_TAG_SIZE 16 - -/** - * \brief Size of the nonce for WAGE. 
- */ -#define WAGE_NONCE_SIZE 16 - -/** - * \brief Meta-information block for the WAGE cipher. - */ -extern aead_cipher_t const wage_cipher; - -/** - * \brief Encrypts and authenticates a packet with WAGE. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa wage_aead_decrypt() - */ -int wage_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with WAGE. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. 
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- *
- * \sa wage_aead_encrypt()
- */
-int wage_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/wage/Implementations/crypto_aead/wageae128v1/rhys/internal-util.h b/wage/Implementations/crypto_aead/wageae128v1/rhys/internal-util.h
index e79158c..e30166d 100644
--- a/wage/Implementations/crypto_aead/wageae128v1/rhys/internal-util.h
+++ b/wage/Implementations/crypto_aead/wageae128v1/rhys/internal-util.h
@@ -238,6 +238,17 @@
 } \
 } while (0)
+/* Rotation functions need to be optimised for best performance on AVR.
+ * The most efficient rotations are where the number of bits is 1 or a
+ * multiple of 8, so we compose the efficient rotations to produce all
+ * other rotation counts of interest. */
+
+#if defined(__AVR__)
+#define LW_CRYPTO_ROTATE32_COMPOSED 1
+#else
+#define LW_CRYPTO_ROTATE32_COMPOSED 0
+#endif
+
 /* Rotation macros for 32-bit arguments */
 /* Generic left rotate */
@@ -254,6 +265,8 @@
 (_temp >> (bits)) | (_temp << (32 - (bits))); \
 }))
+#if !LW_CRYPTO_ROTATE32_COMPOSED
+
 /* Left rotate by a specific number of bits. These macros may be replaced
 * with more efficient ones on platforms that lack a barrel shifter */
 #define leftRotate1(a) (leftRotate((a), 1))
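Review bot: The `#if defined(__AVR__)` selection in the first hunk hard-wires `LW_CRYPTO_ROTATE32_COMPOSED` to the target, so the composed rotation family that this define enables further down the file is only ever compiled for AVR and cannot be exercised by a host build or host test suite; a mistake in any one of those macros would surface only as a wrong permutation output on the device. I would let the build override the choice, `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` before the `#if defined(__AVR__)` line and a matching `#endif` after its `#endif`, so that a host build can be compiled with `-DLW_CRYPTO_ROTATE32_COMPOSED=1` and the composed rotations compared against the generic ones over a range of inputs. The second hunk's `#if !LW_CRYPTO_ROTATE32_COMPOSED` needs no change for this.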
@@ -322,6 +335,138 @@
 #define rightRotate30(a) (rightRotate((a), 30))
 #define rightRotate31(a) (rightRotate((a), 31))
+#else /* LW_CRYPTO_ROTATE32_COMPOSED */
+
+/* Composed rotation macros where 1 and 8 are fast, but others are slow */
+
+/* Left rotate by 1 */
+#define leftRotate1(a) (leftRotate((a), 1))
+
+/* Left rotate by 2 */
+#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1))
+
+/* Left rotate by 3 */
+#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1))
+
+/* Left rotate by 4 */
+#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 5: Rotate left by 8, then right by 3 */
+#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 6: Rotate left by 8, then right by 2 */
+#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 7: Rotate left by 8, then right by 1 */
+#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 8 */
+#define leftRotate8(a) (leftRotate((a), 8))
+
+/* Left rotate by 9: Rotate left by 8, then left by 1 */
+#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1))
+
+/* Left rotate by 10: Rotate left by 8, then left by 2 */
+#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1))
+
+/* Left rotate by 11: Rotate left by 8, then left by 3 */
+#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1))
+
+/* Left rotate by 12: Rotate left by 16, then right by 4 */
+#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 13: Rotate left by 16, then right by 3 */
+#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 14: Rotate left by 16, then right by 2 */
+#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 15: Rotate left by 16, then right by 1 */
+#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 16 */
+#define leftRotate16(a) (leftRotate((a), 16))
+
+/* Left rotate by 17: Rotate left by 16, then left by 1 */
+#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1))
+
+/* Left rotate by 18: Rotate left by 16, then left by 2 */
+#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1))
+
+/* Left rotate by 19: Rotate left by 16, then left by 3 */
+#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1))
+
+/* Left rotate by 20: Rotate left by 16, then left by 4 */
+#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1))
+
+/* Left rotate by 21: Rotate left by 24, then right by 3 */
+#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 22: Rotate left by 24, then right by 2 */
+#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 23: Rotate left by 24, then right by 1 */
+#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 24 */
+#define leftRotate24(a) (leftRotate((a), 24))
+
+/* Left rotate by 25: Rotate left by 24, then left by 1 */
+#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1))
+
+/* Left rotate by 26: Rotate left by 24, then left by 2 */
+#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1))
+
+/* Left rotate by 27: Rotate left by 24, then left by 3 */
+#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1))
+
+/* Left rotate by 28: Rotate right by 4 */
+#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1))
+
+/* Left rotate by 29: Rotate right by 3 */
+#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1))
+
+/* Left rotate by 30: Rotate right by 2 */
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1))
+
+/* Left rotate by 31: Rotate right by 1 */
+#define leftRotate31(a) (rightRotate((a), 1))
+
+/* Define the 32-bit right rotations in terms of left rotations */
+#define rightRotate1(a) (leftRotate31((a)))
+#define rightRotate2(a) (leftRotate30((a)))
+#define rightRotate3(a) (leftRotate29((a)))
+#define rightRotate4(a) (leftRotate28((a)))
+#define rightRotate5(a) (leftRotate27((a)))
+#define rightRotate6(a) (leftRotate26((a)))
+#define rightRotate7(a) (leftRotate25((a)))
+#define rightRotate8(a) (leftRotate24((a)))
+#define rightRotate9(a) (leftRotate23((a)))
+#define rightRotate10(a) (leftRotate22((a)))
+#define rightRotate11(a) (leftRotate21((a)))
+#define rightRotate12(a) (leftRotate20((a)))
+#define rightRotate13(a) (leftRotate19((a)))
+#define rightRotate14(a) (leftRotate18((a)))
+#define rightRotate15(a) (leftRotate17((a)))
+#define rightRotate16(a) (leftRotate16((a)))
+#define rightRotate17(a) (leftRotate15((a)))
+#define rightRotate18(a) (leftRotate14((a)))
+#define rightRotate19(a) (leftRotate13((a)))
+#define rightRotate20(a) (leftRotate12((a)))
+#define rightRotate21(a) (leftRotate11((a)))
+#define rightRotate22(a) (leftRotate10((a)))
+#define rightRotate23(a) (leftRotate9((a)))
+#define rightRotate24(a) (leftRotate8((a)))
+#define rightRotate25(a) (leftRotate7((a)))
+#define rightRotate26(a) (leftRotate6((a)))
+#define rightRotate27(a) (leftRotate5((a)))
+#define rightRotate28(a) (leftRotate4((a)))
+#define rightRotate29(a) (leftRotate3((a)))
+#define rightRotate30(a) (leftRotate2((a)))
+#define rightRotate31(a) (leftRotate1((a)))
+
+#endif /* LW_CRYPTO_ROTATE32_COMPOSED */
+
 /* Rotation macros for 64-bit arguments */
 /* Generic left rotate */
diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/aead-common.c b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
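Review bot: Every composed macro here nests the generic `leftRotate`/`rightRotate`, which per the context shown in the previous hunk is a statement expression declaring `_temp`, so `leftRotate12` and `leftRotate20` expand to five nested blocks each declaring its own `_temp`; that is legal shadowing but will fire `-Wshadow` at every use, and if this header also has a plain-expression fallback for `leftRotate` (not visible in this diff) the composed forms would evaluate `(a)` up to 32 times through it. I checked the compositions themselves: all 31 left counts reduce to the stated total and each `rightRotateN` maps to `leftRotate(32-N)`. I would record the single-evaluation dependency in the block's header comment: `/* Composed rotation macros where 1 and 8 are fast, but others are slow. Each relies on leftRotate/rightRotate evaluating its argument exactly once. */`. Chaining neighbouring macros, e.g. `#define leftRotate3(a) (leftRotate1(leftRotate2(a)))`, would also make each definition a one-step change from the previous one and easier to audit.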
--- a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/aead-common.c
+++ /dev/null
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/aead-common.h b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_AEAD_COMMON_H -#define LWCRYPTO_AEAD_COMMON_H - -#include - -/** - * \file aead-common.h - * \brief Definitions that are common across AEAD schemes. - * - * AEAD stands for "Authenticated Encryption with Associated Data". - * It is a standard API pattern for securely encrypting and - * authenticating packets of data. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Encrypts and authenticates a packet with an AEAD scheme. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. 
- * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - */ -typedef int (*aead_cipher_encrypt_t) - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with an AEAD scheme. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - normally not used by AEAD schemes. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet. - * \param k Points to the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. 
- */ -typedef int (*aead_cipher_decrypt_t) - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data. - * - * \param out Buffer to receive the hash output. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -typedef int (*aead_hash_t) - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a hashing operation. - * - * \param state Hash state to be initialized. - */ -typedef void (*aead_hash_init_t)(void *state); - -/** - * \brief Updates a hash state with more input data. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be incorporated into the state. - * \param inlen Length of the input data to be incorporated into the state. - */ -typedef void (*aead_hash_update_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Returns the final hash value from a hashing operation. - * - * \param Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - */ -typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out); - -/** - * \brief Aborbs more input data into an XOF state. - * - * \param state XOF state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa ascon_xof_init(), ascon_xof_squeeze() - */ -typedef void (*aead_xof_absorb_t) - (void *state, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Squeezes output data from an XOF state. 
- * - * \param state XOF state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - */ -typedef void (*aead_xof_squeeze_t) - (void *state, unsigned char *out, unsigned long long outlen); - -/** - * \brief No special AEAD features. - */ -#define AEAD_FLAG_NONE 0x0000 - -/** - * \brief The natural byte order of the AEAD cipher is little-endian. - * - * If this flag is not present, then the natural byte order of the - * AEAD cipher should be assumed to be big-endian. - * - * The natural byte order may be useful when formatting packet sequence - * numbers as nonces. The application needs to know whether the sequence - * number should be packed into the leading or trailing bytes of the nonce. - */ -#define AEAD_FLAG_LITTLE_ENDIAN 0x0001 - -/** - * \brief Meta-information about an AEAD cipher. - */ -typedef struct -{ - const char *name; /**< Name of the cipher */ - unsigned key_len; /**< Length of the key in bytes */ - unsigned nonce_len; /**< Length of the nonce in bytes */ - unsigned tag_len; /**< Length of the tag in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */ - aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */ - -} aead_cipher_t; - -/** - * \brief Meta-information about a hash algorithm that is related to an AEAD. - * - * Regular hash algorithms should provide the "hash", "init", "update", - * and "finalize" functions. Extensible Output Functions (XOF's) should - * proivde the "hash", "init", "absorb", and "squeeze" functions. 
- */ -typedef struct -{ - const char *name; /**< Name of the hash algorithm */ - size_t state_size; /**< Size of the incremental state structure */ - unsigned hash_len; /**< Length of the hash in bytes */ - unsigned flags; /**< Flags for extra features */ - aead_hash_t hash; /**< All in one hashing function */ - aead_hash_init_t init; /**< Incremental hash/XOF init function */ - aead_hash_update_t update; /**< Incremental hash update function */ - aead_hash_finalize_t finalize; /**< Incremental hash finalize function */ - aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */ - aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */ - -} aead_hash_algorithm_t; - -/** - * \brief Check an authentication tag in constant time. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. - * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - */ -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len); - -/** - * \brief Check an authentication tag in constant time with a previous check. - * - * \param plaintext Points to the plaintext data. - * \param plaintext_len Length of the plaintext in bytes. - * \param tag1 First tag to compare. - * \param tag2 Second tag to compare. - * \param tag_len Length of the tags in bytes. - * \param precheck Set to -1 if previous check succeeded or 0 if it failed. - * - * \return Returns -1 if the tag check failed or 0 if the check succeeded. 
- * - * If the tag check fails, then the \a plaintext will also be zeroed to - * prevent it from being used accidentally by the application when the - * ciphertext was invalid. - * - * This version can be used to incorporate other information about the - * correctness of the plaintext into the final result. - */ -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned tag_len, int precheck); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/api.h b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/api.h deleted file mode 100644 index b2f8a36..0000000 --- a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/api.h +++ /dev/null @@ -1,5 +0,0 @@ -#define CRYPTO_KEYBYTES 16 -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES 16 -#define CRYPTO_ABYTES 16 -#define CRYPTO_NOOVERLAP 1 diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/encrypt.c b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/encrypt.c deleted file mode 100644 index f7bb1b4..0000000 --- a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/encrypt.c +++ /dev/null @@ -1,26 +0,0 @@ - -#include "xoodyak.h" - -int crypto_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - return xoodyak_aead_encrypt - (c, clen, m, mlen, ad, adlen, nsec, npub, k); -} - -int crypto_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - return xoodyak_aead_decrypt - (m, mlen, nsec, c, clen, ad, adlen, npub, k); -} 
diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/internal-util.h b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_UTIL_H
-#define LW_INTERNAL_UTIL_H
-
-#include
-
-/* Figure out how to inline functions using this C compiler */
-#if defined(__STDC__) && __STDC_VERSION__ >= 199901L
-#define STATIC_INLINE static inline
-#elif defined(__GNUC__) || defined(__clang__)
-#define STATIC_INLINE static __inline__
-#else
-#define STATIC_INLINE static
-#endif
-
-/* Try to figure out whether the CPU is little-endian or big-endian.
- * May need to modify this to include new compiler-specific defines.
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \
- }))
-
-/* Rotate an 8-bit value right by a number of bits */
-#define rightRotate_8(a, bits) \
- (__extension__ ({ \
- uint8_t _temp = (a); \
- (_temp >> (bits)) | (_temp << (8 - (bits))); \
- }))
-
-/* Left rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define leftRotate1_8(a) (leftRotate_8((a), 1))
-#define leftRotate2_8(a) (leftRotate_8((a), 2))
-#define leftRotate3_8(a) (leftRotate_8((a), 3))
-#define leftRotate4_8(a) (leftRotate_8((a), 4))
-#define leftRotate5_8(a) (leftRotate_8((a), 5))
-#define leftRotate6_8(a) (leftRotate_8((a), 6))
-#define leftRotate7_8(a) (leftRotate_8((a), 7))
-
-/* Right rotate by a specific number of bits. These macros may be replaced
- * with more efficient ones on platforms that lack a barrel shifter */
-#define rightRotate1_8(a) (rightRotate_8((a), 1))
-#define rightRotate2_8(a) (rightRotate_8((a), 2))
-#define rightRotate3_8(a) (rightRotate_8((a), 3))
-#define rightRotate4_8(a) (rightRotate_8((a), 4))
-#define rightRotate5_8(a) (rightRotate_8((a), 5))
-#define rightRotate6_8(a) (rightRotate_8((a), 6))
-#define rightRotate7_8(a) (rightRotate_8((a), 7))
-
-#endif
diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/internal-xoodoo-avr.S b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/internal-xoodoo-avr.S
deleted file mode 100644
index 629c19d..0000000
--- a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/internal-xoodoo-avr.S
+++ /dev/null
@@ -1,935 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global xoodoo_permute - .type xoodoo_permute, @function -xoodoo_permute: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - movw r30,r24 -.L__stack_usage = 16 - ldi r18,88 - mov r19,r1 - rcall 34f - ldi r18,56 - rcall 34f - ldi r18,192 - ldi r19,3 - rcall 34f - ldi r18,208 - mov r19,r1 - rcall 34f - ldi r18,32 - ldi r19,1 - rcall 34f - ldi r18,20 - mov r19,r1 - rcall 34f - ldi r18,96 - rcall 34f - ldi r18,44 - rcall 34f - ldi r18,128 - ldi r19,3 - rcall 34f - ldi r18,240 - mov r19,r1 - rcall 34f - ldi r18,160 - ldi r19,1 - rcall 34f - ldi r18,18 - mov r19,r1 - rcall 34f - rjmp 888f -34: - ldd r6,Z+12 - ldd r7,Z+13 - ldd r8,Z+14 - ldd r9,Z+15 - ldd r0,Z+28 - eor r6,r0 - ldd r0,Z+29 - eor r7,r0 - ldd r0,Z+30 - eor r8,r0 - ldd r0,Z+31 - eor r9,r0 - ldd r0,Z+44 - eor r6,r0 - ldd r0,Z+45 - eor r7,r0 - ldd r0,Z+46 - eor r8,r0 - ldd r0,Z+47 - eor r9,r0 - ld r20,Z - ldd r21,Z+1 - ldd r22,Z+2 - ldd r23,Z+3 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r28,Z+18 - ldd r29,Z+19 - ldd r2,Z+32 - ldd r3,Z+33 - ldd r4,Z+34 - ldd r5,Z+35 - movw r10,r20 - movw r12,r22 - eor r10,r26 - eor r11,r27 - eor r12,r28 - eor r13,r29 - eor r10,r2 - eor r11,r3 - eor r12,r4 - eor r13,r5 - movw r14,r6 - movw r24,r8 - mov r0,r1 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r0 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r0 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r0 - or r9,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r0 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r0 - or r25,r0 - eor r9,r24 - eor r6,r25 - eor r7,r14 - eor r8,r15 - movw r14,r10 - movw r24,r12 - mov r0,r1 - lsr r13 - ror r12 - ror r11 - ror r10 - ror r0 - lsr r13 - ror r12 - ror r11 - ror r10 - ror r0 - lsr r13 - ror r12 - ror r11 - ror r10 - ror r0 - or r13,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r15 - ror 
r14 - ror r0 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r0 - or r25,r0 - eor r13,r24 - eor r10,r25 - eor r11,r14 - eor r12,r15 - eor r20,r9 - eor r21,r6 - eor r22,r7 - eor r23,r8 - eor r26,r9 - eor r27,r6 - eor r28,r7 - eor r29,r8 - eor r2,r9 - eor r3,r6 - eor r4,r7 - eor r5,r8 - st Z,r20 - std Z+1,r21 - std Z+2,r22 - std Z+3,r23 - std Z+16,r26 - std Z+17,r27 - std Z+18,r28 - std Z+19,r29 - std Z+32,r2 - std Z+33,r3 - std Z+34,r4 - std Z+35,r5 - ldd r20,Z+4 - ldd r21,Z+5 - ldd r22,Z+6 - ldd r23,Z+7 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r28,Z+22 - ldd r29,Z+23 - ldd r2,Z+36 - ldd r3,Z+37 - ldd r4,Z+38 - ldd r5,Z+39 - movw r6,r20 - movw r8,r22 - eor r6,r26 - eor r7,r27 - eor r8,r28 - eor r9,r29 - eor r6,r2 - eor r7,r3 - eor r8,r4 - eor r9,r5 - movw r14,r6 - movw r24,r8 - mov r0,r1 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r0 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r0 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r0 - or r9,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r0 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r0 - or r25,r0 - eor r9,r24 - eor r6,r25 - eor r7,r14 - eor r8,r15 - eor r20,r13 - eor r21,r10 - eor r22,r11 - eor r23,r12 - eor r26,r13 - eor r27,r10 - eor r28,r11 - eor r29,r12 - eor r2,r13 - eor r3,r10 - eor r4,r11 - eor r5,r12 - std Z+4,r20 - std Z+5,r21 - std Z+6,r22 - std Z+7,r23 - std Z+20,r26 - std Z+21,r27 - std Z+22,r28 - std Z+23,r29 - std Z+36,r2 - std Z+37,r3 - std Z+38,r4 - std Z+39,r5 - ldd r20,Z+8 - ldd r21,Z+9 - ldd r22,Z+10 - ldd r23,Z+11 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r28,Z+26 - ldd r29,Z+27 - ldd r2,Z+40 - ldd r3,Z+41 - ldd r4,Z+42 - ldd r5,Z+43 - movw r10,r20 - movw r12,r22 - eor r10,r26 - eor r11,r27 - eor r12,r28 - eor r13,r29 - eor r10,r2 - eor r11,r3 - eor r12,r4 - eor r13,r5 - movw r14,r10 - movw r24,r12 - mov r0,r1 - lsr r13 - ror r12 - ror r11 - ror r10 - ror r0 - lsr r13 - ror r12 - ror r11 - ror r10 - ror r0 - lsr r13 - ror r12 - ror r11 - ror r10 - ror r0 - or r13,r0 - mov r0,r1 - lsr r25 - ror r24 - ror 
r15 - ror r14 - ror r0 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r0 - or r25,r0 - eor r13,r24 - eor r10,r25 - eor r11,r14 - eor r12,r15 - eor r20,r9 - eor r21,r6 - eor r22,r7 - eor r23,r8 - eor r26,r9 - eor r27,r6 - eor r28,r7 - eor r29,r8 - eor r2,r9 - eor r3,r6 - eor r4,r7 - eor r5,r8 - std Z+8,r20 - std Z+9,r21 - std Z+10,r22 - std Z+11,r23 - std Z+24,r26 - std Z+25,r27 - std Z+26,r28 - std Z+27,r29 - std Z+40,r2 - std Z+41,r3 - std Z+42,r4 - std Z+43,r5 - ldd r0,Z+12 - eor r0,r13 - std Z+12,r0 - ldd r0,Z+13 - eor r0,r10 - std Z+13,r0 - ldd r0,Z+14 - eor r0,r11 - std Z+14,r0 - ldd r0,Z+15 - eor r0,r12 - std Z+15,r0 - ldd r6,Z+28 - ldd r7,Z+29 - ldd r8,Z+30 - ldd r9,Z+31 - eor r6,r13 - eor r7,r10 - eor r8,r11 - eor r9,r12 - ldd r14,Z+44 - ldd r15,Z+45 - ldd r24,Z+46 - ldd r25,Z+47 - eor r14,r13 - eor r15,r10 - eor r24,r11 - eor r25,r12 - ldd r10,Z+24 - ldd r11,Z+25 - ldd r12,Z+26 - ldd r13,Z+27 - std Z+28,r10 - std Z+29,r11 - std Z+30,r12 - std Z+31,r13 - ldd r10,Z+20 - ldd r11,Z+21 - ldd r12,Z+22 - ldd r13,Z+23 - std Z+24,r10 - std Z+25,r11 - std Z+26,r12 - std Z+27,r13 - ldd r10,Z+16 - ldd r11,Z+17 - ldd r12,Z+18 - ldd r13,Z+19 - std Z+20,r10 - std Z+21,r11 - std Z+22,r12 - std Z+23,r13 - std Z+16,r6 - std Z+17,r7 - std Z+18,r8 - std Z+19,r9 - ldd r6,Z+32 - ldd r7,Z+33 - ldd r8,Z+34 - ldd r9,Z+35 - mov r0,r9 - mov r9,r8 - mov r8,r7 - mov r7,r6 - mov r6,r0 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+32,r6 - std Z+33,r7 - std Z+34,r8 - std Z+35,r9 - ldd r6,Z+36 - ldd r7,Z+37 - ldd r8,Z+38 - ldd r9,Z+39 - mov r0,r9 - mov r9,r8 - mov r8,r7 - mov r7,r6 - mov r6,r0 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+36,r6 - std Z+37,r7 - std Z+38,r8 - std Z+39,r9 - ldd r6,Z+40 - ldd r7,Z+41 - ldd r8,Z+42 - ldd r9,Z+43 - mov r0,r9 - mov r9,r8 - mov r8,r7 - mov 
r7,r6 - mov r6,r0 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+40,r6 - std Z+41,r7 - std Z+42,r8 - std Z+43,r9 - mov r0,r25 - mov r25,r24 - mov r24,r15 - mov r15,r14 - mov r14,r0 - lsl r14 - rol r15 - rol r24 - rol r25 - adc r14,r1 - lsl r14 - rol r15 - rol r24 - rol r25 - adc r14,r1 - lsl r14 - rol r15 - rol r24 - rol r25 - adc r14,r1 - std Z+44,r14 - std Z+45,r15 - std Z+46,r24 - std Z+47,r25 - ld r20,Z - ldd r21,Z+1 - ldd r22,Z+2 - ldd r23,Z+3 - eor r20,r18 - eor r21,r19 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r28,Z+18 - ldd r29,Z+19 - ldd r2,Z+32 - ldd r3,Z+33 - ldd r4,Z+34 - ldd r5,Z+35 - movw r6,r2 - movw r8,r4 - mov r0,r26 - com r0 - and r6,r0 - mov r0,r27 - com r0 - and r7,r0 - mov r0,r28 - com r0 - and r8,r0 - mov r0,r29 - com r0 - and r9,r0 - eor r20,r6 - eor r21,r7 - eor r22,r8 - eor r23,r9 - st Z,r20 - std Z+1,r21 - std Z+2,r22 - std Z+3,r23 - movw r6,r20 - movw r8,r22 - mov r0,r2 - com r0 - and r6,r0 - mov r0,r3 - com r0 - and r7,r0 - mov r0,r4 - com r0 - and r8,r0 - mov r0,r5 - com r0 - and r9,r0 - eor r26,r6 - eor r27,r7 - eor r28,r8 - eor r29,r9 - std Z+16,r26 - std Z+17,r27 - std Z+18,r28 - std Z+19,r29 - mov r0,r20 - com r0 - and r26,r0 - mov r0,r21 - com r0 - and r27,r0 - mov r0,r22 - com r0 - and r28,r0 - mov r0,r23 - com r0 - and r29,r0 - eor r2,r26 - eor r3,r27 - eor r4,r28 - eor r5,r29 - std Z+32,r2 - std Z+33,r3 - std Z+34,r4 - std Z+35,r5 - ldd r20,Z+4 - ldd r21,Z+5 - ldd r22,Z+6 - ldd r23,Z+7 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r28,Z+22 - ldd r29,Z+23 - ldd r2,Z+36 - ldd r3,Z+37 - ldd r4,Z+38 - ldd r5,Z+39 - movw r6,r2 - movw r8,r4 - mov r0,r26 - com r0 - and r6,r0 - mov r0,r27 - com r0 - and r7,r0 - mov r0,r28 - com r0 - and r8,r0 - mov r0,r29 - com r0 - and r9,r0 - eor r20,r6 - eor r21,r7 - eor r22,r8 - eor r23,r9 - std Z+4,r20 - std Z+5,r21 - std Z+6,r22 - std Z+7,r23 - movw r6,r20 - movw r8,r22 - mov r0,r2 - com r0 - and r6,r0 - mov 
r0,r3 - com r0 - and r7,r0 - mov r0,r4 - com r0 - and r8,r0 - mov r0,r5 - com r0 - and r9,r0 - eor r26,r6 - eor r27,r7 - eor r28,r8 - eor r29,r9 - std Z+20,r26 - std Z+21,r27 - std Z+22,r28 - std Z+23,r29 - mov r0,r20 - com r0 - and r26,r0 - mov r0,r21 - com r0 - and r27,r0 - mov r0,r22 - com r0 - and r28,r0 - mov r0,r23 - com r0 - and r29,r0 - eor r2,r26 - eor r3,r27 - eor r4,r28 - eor r5,r29 - std Z+36,r2 - std Z+37,r3 - std Z+38,r4 - std Z+39,r5 - ldd r20,Z+8 - ldd r21,Z+9 - ldd r22,Z+10 - ldd r23,Z+11 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r28,Z+26 - ldd r29,Z+27 - ldd r2,Z+40 - ldd r3,Z+41 - ldd r4,Z+42 - ldd r5,Z+43 - movw r6,r2 - movw r8,r4 - mov r0,r26 - com r0 - and r6,r0 - mov r0,r27 - com r0 - and r7,r0 - mov r0,r28 - com r0 - and r8,r0 - mov r0,r29 - com r0 - and r9,r0 - eor r20,r6 - eor r21,r7 - eor r22,r8 - eor r23,r9 - std Z+8,r20 - std Z+9,r21 - std Z+10,r22 - std Z+11,r23 - movw r6,r20 - movw r8,r22 - mov r0,r2 - com r0 - and r6,r0 - mov r0,r3 - com r0 - and r7,r0 - mov r0,r4 - com r0 - and r8,r0 - mov r0,r5 - com r0 - and r9,r0 - eor r26,r6 - eor r27,r7 - eor r28,r8 - eor r29,r9 - std Z+24,r26 - std Z+25,r27 - std Z+26,r28 - std Z+27,r29 - mov r0,r20 - com r0 - and r26,r0 - mov r0,r21 - com r0 - and r27,r0 - mov r0,r22 - com r0 - and r28,r0 - mov r0,r23 - com r0 - and r29,r0 - eor r2,r26 - eor r3,r27 - eor r4,r28 - eor r5,r29 - std Z+40,r2 - std Z+41,r3 - std Z+42,r4 - std Z+43,r5 - ldd r20,Z+12 - ldd r21,Z+13 - ldd r22,Z+14 - ldd r23,Z+15 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r28,Z+30 - ldd r29,Z+31 - ldd r2,Z+44 - ldd r3,Z+45 - ldd r4,Z+46 - ldd r5,Z+47 - movw r6,r2 - movw r8,r4 - mov r0,r26 - com r0 - and r6,r0 - mov r0,r27 - com r0 - and r7,r0 - mov r0,r28 - com r0 - and r8,r0 - mov r0,r29 - com r0 - and r9,r0 - eor r20,r6 - eor r21,r7 - eor r22,r8 - eor r23,r9 - std Z+12,r20 - std Z+13,r21 - std Z+14,r22 - std Z+15,r23 - movw r6,r20 - movw r8,r22 - mov r0,r2 - com r0 - and r6,r0 - mov r0,r3 - com r0 - and r7,r0 - mov r0,r4 - com r0 - and r8,r0 - 
mov r0,r5 - com r0 - and r9,r0 - eor r26,r6 - eor r27,r7 - eor r28,r8 - eor r29,r9 - std Z+28,r26 - std Z+29,r27 - std Z+30,r28 - std Z+31,r29 - mov r0,r20 - com r0 - and r26,r0 - mov r0,r21 - com r0 - and r27,r0 - mov r0,r22 - com r0 - and r28,r0 - mov r0,r23 - com r0 - and r29,r0 - eor r2,r26 - eor r3,r27 - eor r4,r28 - eor r5,r29 - std Z+44,r2 - std Z+45,r3 - std Z+46,r4 - std Z+47,r5 - ldd r6,Z+16 - ldd r7,Z+17 - ldd r8,Z+18 - ldd r9,Z+19 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+16,r6 - std Z+17,r7 - std Z+18,r8 - std Z+19,r9 - ldd r6,Z+20 - ldd r7,Z+21 - ldd r8,Z+22 - ldd r9,Z+23 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+20,r6 - std Z+21,r7 - std Z+22,r8 - std Z+23,r9 - ldd r6,Z+24 - ldd r7,Z+25 - ldd r8,Z+26 - ldd r9,Z+27 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+24,r6 - std Z+25,r7 - std Z+26,r8 - std Z+27,r9 - ldd r6,Z+28 - ldd r7,Z+29 - ldd r8,Z+30 - ldd r9,Z+31 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+28,r6 - std Z+29,r7 - std Z+30,r8 - std Z+31,r9 - ldd r6,Z+40 - ldd r7,Z+41 - ldd r8,Z+42 - ldd r9,Z+43 - ldd r10,Z+44 - ldd r11,Z+45 - ldd r12,Z+46 - ldd r13,Z+47 - ldd r14,Z+32 - ldd r15,Z+33 - ldd r24,Z+34 - ldd r25,Z+35 - std Z+40,r25 - std Z+41,r14 - std Z+42,r15 - std Z+43,r24 - ldd r14,Z+36 - ldd r15,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - std Z+44,r25 - std Z+45,r14 - std Z+46,r15 - std Z+47,r24 - std Z+32,r9 - std Z+33,r6 - std Z+34,r7 - std Z+35,r8 - std Z+36,r13 - std Z+37,r10 - std Z+38,r11 - std Z+39,r12 - ret -888: - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size xoodoo_permute, .-xoodoo_permute - -#endif diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/internal-xoodoo.c b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/internal-xoodoo.c deleted file mode 100644 index 59bb8bf..0000000 
--- a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/internal-xoodoo.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "internal-xoodoo.h"
-
-#if !defined(__AVR__)
-
-void xoodoo_permute(xoodoo_state_t *state)
-{
- static uint16_t const rc[XOODOO_ROUNDS] = {
- 0x0058, 0x0038, 0x03C0, 0x00D0, 0x0120, 0x0014,
- 0x0060, 0x002C, 0x0380, 0x00F0, 0x01A0, 0x0012
- };
- uint8_t round;
- uint32_t x00, x01, x02, x03;
- uint32_t x10, x11, x12, x13;
- uint32_t x20, x21, x22, x23;
- uint32_t t1, t2;
-
- /* Load the state and convert from little-endian byte order */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- x00 = state->S[0][0];
- x01 = state->S[0][1];
- x02 = state->S[0][2];
- x03 = state->S[0][3];
- x10 = state->S[1][0];
- x11 = state->S[1][1];
- x12 = state->S[1][2];
- x13 = state->S[1][3];
- x20 = state->S[2][0];
- x21 = state->S[2][1];
- x22 = state->S[2][2];
- x23 = state->S[2][3];
-#else
- x00 = le_load_word32(state->B);
- x01 = le_load_word32(state->B + 4);
- x02 = le_load_word32(state->B + 8);
- x03 = le_load_word32(state->B + 12);
- x10 = le_load_word32(state->B + 16);
- x11 = le_load_word32(state->B + 20);
- x12 = le_load_word32(state->B + 24);
- x13 = le_load_word32(state->B + 28);
- x20 = le_load_word32(state->B + 32);
- x21 = le_load_word32(state->B + 36);
- x22 = le_load_word32(state->B + 40);
- x23 = le_load_word32(state->B + 44);
-#endif
-
- /* Perform all permutation rounds */
- for (round = 0; round < XOODOO_ROUNDS; ++round) {
- /* Optimization ideas from the Xoodoo implementation here:
- * https://github.com/XKCP/XKCP/tree/master/lib/low/Xoodoo/Optimized */
-
- /* Step theta: Mix column parity */
- t1 = x03 ^ x13 ^ x23;
- t2 = x00 ^ x10 ^ x20;
- t1 = leftRotate5(t1) ^ leftRotate14(t1);
- t2 = leftRotate5(t2) ^ leftRotate14(t2);
- x00 ^= t1;
- x10 ^= t1;
- x20 ^= t1;
- t1 = x01 ^ x11 ^ x21;
- t1 = leftRotate5(t1) ^ leftRotate14(t1);
- x01 ^= t2;
- x11 ^= t2;
- x21 ^= t2;
- t2 = x02 ^ x12 ^ x22;
- t2 = leftRotate5(t2) ^ leftRotate14(t2);
- x02 ^= t1;
- x12 ^= t1;
- x22 ^= t1;
- x03 ^= t2;
- x13 ^= t2;
- x23 ^= t2;
-
- /* Step rho-west: Plane shift */
- t1 = x13;
- x13 = x12;
- x12 = x11;
- x11 = x10;
- x10 = t1;
- x20 = leftRotate11(x20);
- x21 = leftRotate11(x21);
- x22 = leftRotate11(x22);
- x23 = leftRotate11(x23);
-
- /* Step iota: Add the round constant to the state */
- x00 ^= rc[round];
-
- /* Step chi: Non-linear layer */
- x00 ^= (~x10) & x20;
- x10 ^= (~x20) & x00;
- x20 ^= (~x00) & x10;
- x01 ^= (~x11) & x21;
- x11 ^= (~x21) & x01;
- x21 ^= (~x01) & x11;
- x02 ^= (~x12) & x22;
- x12 ^= (~x22) & x02;
- x22 ^= (~x02) & x12;
- x03 ^= (~x13) & x23;
- x13 ^= (~x23) & x03;
- x23 ^= (~x03) & x13;
-
- /* Step rho-east: Plane shift */
- x10 = leftRotate1(x10);
- x11 = leftRotate1(x11);
- x12 = leftRotate1(x12);
- x13 = leftRotate1(x13);
- t1 = leftRotate8(x22);
- t2 = leftRotate8(x23);
- x22 = leftRotate8(x20);
- x23 = leftRotate8(x21);
- x20 = t1;
- x21 = t2;
- }
-
- /* Convert back into little-endian and store to the output state */
-#if defined(LW_UTIL_LITTLE_ENDIAN)
- state->S[0][0] = x00;
- state->S[0][1] = x01;
- state->S[0][2] = x02;
- state->S[0][3] = x03;
- state->S[1][0] = x10;
- state->S[1][1] = x11;
- state->S[1][2] = x12;
- state->S[1][3] = x13;
- state->S[2][0] = x20;
- state->S[2][1] = x21;
- state->S[2][2] = x22;
- state->S[2][3] = x23;
-#else
- le_store_word32(state->B, x00);
- le_store_word32(state->B + 4, x01);
- le_store_word32(state->B + 8, x02);
- le_store_word32(state->B + 12, x03);
- le_store_word32(state->B + 16, x10);
- le_store_word32(state->B + 20, x11);
- le_store_word32(state->B + 24, x12);
- le_store_word32(state->B + 28, x13);
- le_store_word32(state->B + 32, x20);
- le_store_word32(state->B + 36, x21);
- le_store_word32(state->B + 40, x22);
- le_store_word32(state->B + 44, x23);
-#endif
-}
-
-#endif /* !__AVR__ */
diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/internal-xoodoo.h b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/internal-xoodoo.h
deleted file mode 100644
index f6eddd8..0000000
--- a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/internal-xoodoo.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LW_INTERNAL_XOODOO_H
-#define LW_INTERNAL_XOODOO_H
-
-#include "internal-util.h"
-
-/**
- * \file internal-xoodoo.h
- * \brief Internal implementation of the Xoodoo permutation.
- *
- * References: https://keccak.team/xoodyak.html
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Number of rows in the Xoodoo state.
- */
-#define XOODOO_ROWS 3
-
-/**
- * \brief Number of columns in the Xoodoo state.
- */
-#define XOODOO_COLS 4
-
-/**
- * \brief Number of rounds for the Xoodoo permutation.
- */
-#define XOODOO_ROUNDS 12
-
-/**
- * \brief State information for the Xoodoo permutation.
- */
-typedef union
-{
- /** Words of the state */
- uint32_t S[XOODOO_ROWS][XOODOO_COLS];
-
- /** Bytes of the state */
- uint8_t B[XOODOO_ROWS * XOODOO_COLS * sizeof(uint32_t)];
-
-} xoodoo_state_t;
-
-/**
- * \brief Permutes the Xoodoo state.
- *
- * \param state The Xoodoo state.
- *
- * The state will be in little-endian before and after the operation.
- */
-void xoodoo_permute(xoodoo_state_t *state);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/xoodyak.c b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/xoodyak.c
deleted file mode 100644
index 4ad4fce..0000000
--- a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/xoodyak.c
+++ /dev/null
@@ -1,321 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#include "xoodyak.h"
-#include "internal-xoodoo.h"
-#include
-
-aead_cipher_t const xoodyak_cipher = {
- "Xoodyak",
- XOODYAK_KEY_SIZE,
- XOODYAK_NONCE_SIZE,
- XOODYAK_TAG_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- xoodyak_aead_encrypt,
- xoodyak_aead_decrypt
-};
-
-aead_hash_algorithm_t const xoodyak_hash_algorithm = {
- "Xoodyak-Hash",
- sizeof(xoodyak_hash_state_t),
- XOODYAK_HASH_SIZE,
- AEAD_FLAG_LITTLE_ENDIAN,
- xoodyak_hash,
- (aead_hash_init_t)xoodyak_hash_init,
- (aead_hash_update_t)xoodyak_hash_absorb,
- (aead_hash_finalize_t)xoodyak_hash_finalize,
- (aead_xof_absorb_t)xoodyak_hash_absorb,
- (aead_xof_squeeze_t)xoodyak_hash_squeeze
-};
-
-/**
- * \brief Rate for absorbing data into the sponge state.
- */
-#define XOODYAK_ABSORB_RATE 44
-
-/**
- * \brief Rate for squeezing data out of the sponge.
- */
-#define XOODYAK_SQUEEZE_RATE 24
-
-/**
- * \brief Rate for absorbing and squeezing in hashing mode.
- */
-#define XOODYAK_HASH_RATE 16
-
-/**
- * \brief Phase identifier for "up" mode, which indicates that a block
- * permutation has just been performed.
- */
-#define XOODYAK_PHASE_UP 0
-
-/**
- * \brief Phase identifier for "down" mode, which indicates that data has
- * been absorbed but that a block permutation has not been done yet.
- */
-#define XOODYAK_PHASE_DOWN 1
-
-/**
- * \brief Absorbs data into the Xoodoo permutation state.
- *
- * \param state Xoodoo permutation state.
- * \param phase Points to the current phase, up or down.
- * \param data Points to the data to be absorbed.
- * \param len Length of the data to be absorbed.
- */
-static void xoodyak_absorb
- (xoodoo_state_t *state, uint8_t *phase,
- const unsigned char *data, unsigned long long len)
-{
- uint8_t domain = 0x03;
- unsigned temp;
- while (len > XOODYAK_ABSORB_RATE) {
- if (*phase != XOODYAK_PHASE_UP)
- xoodoo_permute(state);
- lw_xor_block(state->B, data, XOODYAK_ABSORB_RATE);
- state->B[XOODYAK_ABSORB_RATE] ^= 0x01; /* Padding */
- state->B[sizeof(state->B) - 1] ^= domain;
- data += XOODYAK_ABSORB_RATE;
- len -= XOODYAK_ABSORB_RATE;
- domain = 0x00;
- *phase = XOODYAK_PHASE_DOWN;
- }
- temp = (unsigned)len;
- if (*phase != XOODYAK_PHASE_UP)
- xoodoo_permute(state);
- lw_xor_block(state->B, data, temp);
- state->B[temp] ^= 0x01; /* Padding */
- state->B[sizeof(state->B) - 1] ^= domain;
- *phase = XOODYAK_PHASE_DOWN;
-}
-
-int xoodyak_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k)
-{
- xoodoo_state_t state;
- uint8_t phase, domain;
- unsigned temp;
- (void)nsec;
-
- /* Set the length of the returned ciphertext */
- *clen = mlen + XOODYAK_TAG_SIZE;
-
- /* Initialize the state with the key */
- memcpy(state.B, k, XOODYAK_KEY_SIZE);
- memset(state.B + XOODYAK_KEY_SIZE, 0, sizeof(state.B) - XOODYAK_KEY_SIZE);
- state.B[XOODYAK_KEY_SIZE + 1] = 0x01; /* Padding */
- state.B[sizeof(state.B) - 1] = 0x02; /* Domain separation */
- phase = XOODYAK_PHASE_DOWN;
-
- /* Absorb the nonce and associated data */
- xoodyak_absorb(&state, &phase, npub, XOODYAK_NONCE_SIZE);
- xoodyak_absorb(&state, &phase, ad, adlen);
-
- /* Encrypt the plaintext to produce the ciphertext */
- domain = 0x80;
- while (mlen > XOODYAK_SQUEEZE_RATE) {
- state.B[sizeof(state.B) - 1] ^= domain;
- xoodoo_permute(&state);
- lw_xor_block_2_dest(c, state.B, m, XOODYAK_SQUEEZE_RATE);
- state.B[XOODYAK_SQUEEZE_RATE] ^= 0x01; /* Padding */
- c += XOODYAK_SQUEEZE_RATE;
- m += XOODYAK_SQUEEZE_RATE;
- mlen -= XOODYAK_SQUEEZE_RATE;
- domain = 0;
- }
- state.B[sizeof(state.B) - 1] ^= domain;
- xoodoo_permute(&state);
- temp = (unsigned)mlen;
- lw_xor_block_2_dest(c, state.B, m, temp);
- state.B[temp] ^= 0x01; /* Padding */
- c += temp;
-
- /* Generate the authentication tag */
- state.B[sizeof(state.B) - 1] ^= 0x40; /* Domain separation */
- xoodoo_permute(&state);
- memcpy(c, state.B, XOODYAK_TAG_SIZE);
- return 0;
-}
-
-int xoodyak_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k)
-{
- xoodoo_state_t state;
- uint8_t phase, domain;
- unsigned temp;
- unsigned char *mtemp = m;
- (void)nsec;
-
- /* Validate the ciphertext length and set the return "mlen" value */
- if (clen < XOODYAK_TAG_SIZE)
- return -1;
- *mlen = clen - XOODYAK_TAG_SIZE;
-
- /* Initialize the state with the key */
- memcpy(state.B, k, XOODYAK_KEY_SIZE);
- memset(state.B + XOODYAK_KEY_SIZE, 0, sizeof(state.B) - XOODYAK_KEY_SIZE);
- state.B[XOODYAK_KEY_SIZE + 1] = 0x01; /* Padding */
- state.B[sizeof(state.B) - 1] = 0x02; /* Domain separation */
- phase = XOODYAK_PHASE_DOWN;
-
- /* Absorb the nonce and associated data */
- xoodyak_absorb(&state, &phase, npub, XOODYAK_NONCE_SIZE);
- xoodyak_absorb(&state, &phase, ad, adlen);
-
- /* Decrypt the ciphertext to produce the plaintext */
- domain = 0x80;
- clen -= XOODYAK_TAG_SIZE;
- while (clen > XOODYAK_SQUEEZE_RATE) {
- state.B[sizeof(state.B) - 1] ^= domain;
- xoodoo_permute(&state);
- lw_xor_block_swap(m, state.B, c, XOODYAK_SQUEEZE_RATE);
- state.B[XOODYAK_SQUEEZE_RATE] ^= 0x01; /* Padding */
- c += XOODYAK_SQUEEZE_RATE;
- m += XOODYAK_SQUEEZE_RATE;
- clen -= XOODYAK_SQUEEZE_RATE;
- domain = 0;
- }
- state.B[sizeof(state.B) - 1] ^= domain;
- xoodoo_permute(&state);
- temp = (unsigned)clen;
- lw_xor_block_swap(m, state.B, c, temp);
- state.B[temp] ^= 0x01; /* Padding */
- c += temp;
-
- /* Check the authentication tag */
- state.B[sizeof(state.B) - 1] ^= 0x40; /* Domain separation */
- xoodoo_permute(&state);
- return aead_check_tag(mtemp, *mlen, state.B, c, XOODYAK_TAG_SIZE);
-}
-
-int xoodyak_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen)
-{
- xoodyak_hash_state_t state;
- xoodyak_hash_init(&state);
- xoodyak_hash_absorb(&state, in, inlen);
- xoodyak_hash_squeeze(&state, out, XOODYAK_HASH_SIZE);
- return 0;
-}
-
-#define XOODYAK_HASH_MODE_INIT_ABSORB 0
-#define XOODYAK_HASH_MODE_ABSORB 1
-#define XOODYAK_HASH_MODE_SQUEEZE 2
-
-#define xoodoo_hash_permute(state) \
- xoodoo_permute((xoodoo_state_t *)((state)->s.state))
-
-void xoodyak_hash_init(xoodyak_hash_state_t *state)
-{
- memset(state, 0, sizeof(xoodyak_hash_state_t));
- state->s.mode = XOODYAK_HASH_MODE_INIT_ABSORB;
-}
-
-void xoodyak_hash_absorb
- (xoodyak_hash_state_t *state, const unsigned char *in,
- unsigned long long inlen)
-{
- uint8_t domain;
- unsigned temp;
-
- /* If we were squeezing, then restart the absorb phase */
- if (state->s.mode == XOODYAK_HASH_MODE_SQUEEZE) {
- xoodoo_hash_permute(state);
- state->s.mode = XOODYAK_HASH_MODE_INIT_ABSORB;
- state->s.count = 0;
- }
-
- /* The first block needs a different domain separator to the others */
- domain = (state->s.mode == XOODYAK_HASH_MODE_INIT_ABSORB) ? 0x01 : 0x00;
-
- /* Absorb the input data into the state */
- while (inlen > 0) {
- if (state->s.count >= XOODYAK_HASH_RATE) {
- state->s.state[XOODYAK_HASH_RATE] ^= 0x01; /* Padding */
- state->s.state[sizeof(state->s.state) - 1] ^= domain;
- xoodoo_hash_permute(state);
- state->s.mode = XOODYAK_HASH_MODE_ABSORB;
- state->s.count = 0;
- domain = 0x00;
- }
- temp = XOODYAK_HASH_RATE - state->s.count;
- if (temp > inlen)
- temp = (unsigned)inlen;
- lw_xor_block(state->s.state + state->s.count, in, temp);
- state->s.count += temp;
- in += temp;
- inlen -= temp;
- }
-}
-
-void xoodyak_hash_squeeze
- (xoodyak_hash_state_t *state, unsigned char *out,
- unsigned long long outlen)
-{
- uint8_t domain;
- unsigned temp;
-
- /* If we were absorbing, then terminate the absorb phase */
- if (state->s.mode != XOODYAK_HASH_MODE_SQUEEZE) {
- domain = (state->s.mode == XOODYAK_HASH_MODE_INIT_ABSORB) ? 0x01 : 0x00;
- state->s.state[state->s.count] ^= 0x01; /* Padding */
- state->s.state[sizeof(state->s.state) - 1] ^= domain;
- xoodoo_hash_permute(state);
- state->s.mode = XOODYAK_HASH_MODE_SQUEEZE;
- state->s.count = 0;
- }
-
- /* Squeeze data out of the state */
- while (outlen > 0) {
- if (state->s.count >= XOODYAK_HASH_RATE) {
- /* Padding is always at index 0 for squeezing subsequent
- * blocks because the number of bytes we have absorbed
- * since the previous block was squeezed out is zero */
- state->s.state[0] ^= 0x01;
- xoodoo_hash_permute(state);
- state->s.count = 0;
- }
- temp = XOODYAK_HASH_RATE - state->s.count;
- if (temp > outlen)
- temp = (unsigned)outlen;
- memcpy(out, state->s.state + state->s.count, temp);
- state->s.count += temp;
- out += temp;
- outlen -= temp;
- }
-}
-
-void xoodyak_hash_finalize
- (xoodyak_hash_state_t *state, unsigned char *out)
-{
- xoodyak_hash_squeeze(state, out, XOODYAK_HASH_SIZE);
-}
diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/xoodyak.h b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/xoodyak.h
deleted file mode 100644
index f4777d5..0000000
--- a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys-avr/xoodyak.h
+++ /dev/null
@@ -1,226 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_XOODYAK_H -#define LWCRYPTO_XOODYAK_H - -#include "aead-common.h" - -/** - * \file xoodyak.h - * \brief Xoodyak authenticated encryption algorithm. - * - * Xoodyak is an authenticated encryption and hash algorithm pair based - * around the 384-bit Xoodoo permutation that is similar in structure to - * Keccak but is more efficient than Keccak on 32-bit embedded devices. - * The Cyclist mode of operation is used to convert the permutation - * into a sponge for the higher-level algorithms. - * - * The Xoodyak encryption mode has a 128-bit key, a 128-bit nonce, - * and a 128-bit authentication tag. The Xoodyak hashing mode has a - * 256-bit fixed hash output and can also be used as an extensible - * output function (XOF). 
- * - * The Xoodyak specification describes a re-keying mechanism where the - * key for one packet is used to derive the key to use on the next packet. - * This provides some resistance against side channel attacks by making - * the session key a moving target. This library does not currently - * implement re-keying. - * - * References: https://keccak.team/xoodyak.html - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for Xoodyak. - */ -#define XOODYAK_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Xoodyak. - */ -#define XOODYAK_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Xoodyak. - */ -#define XOODYAK_NONCE_SIZE 16 - -/** - * \brief Size of the hash output for Xoodyak. - */ -#define XOODYAK_HASH_SIZE 32 - -/** - * \brief State information for Xoodyak incremental hashing modes. - */ -typedef union -{ - struct { - unsigned char state[48]; /**< Current hash state */ - unsigned char count; /**< Number of bytes in the current block */ - unsigned char mode; /**< Hash mode: absorb or squeeze */ - } s; /**< State */ - unsigned long long align; /**< For alignment of this structure */ - -} xoodyak_hash_state_t; - -/** - * \brief Meta-information block for the Xoodyak cipher. - */ -extern aead_cipher_t const xoodyak_cipher; - -/** - * \brief Meta-information block for the Xoodyak hash algorithm. - */ -extern aead_hash_algorithm_t const xoodyak_hash_algorithm; - -/** - * \brief Encrypts and authenticates a packet with Xoodyak. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. 
- * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa xoodyak_aead_decrypt() - */ -int xoodyak_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Xoodyak. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa xoodyak_aead_encrypt() - */ -int xoodyak_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data with Xoodyak to generate a hash value. 
- * - * \param out Buffer to receive the hash output which must be at least - * XOODYAK_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int xoodyak_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a Xoodyak hashing operation. - * - * \param state Hash state to be initialized. - * - * \sa xoodyak_hash_absorb(), xoodyak_hash_squeeze(), xoodyak_hash() - */ -void xoodyak_hash_init(xoodyak_hash_state_t *state); - -/** - * \brief Aborbs more input data into a Xoodyak hashing state. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa xoodyak_hash_init(), xoodyak_hash_squeeze() - */ -void xoodyak_hash_absorb - (xoodyak_hash_state_t *state, const unsigned char *in, - unsigned long long inlen); - -/** - * \brief Squeezes output data from a Xoodyak hashing state. - * - * \param state Hash state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - * - * \sa xoodyak_hash_init(), xoodyak_hash_absorb() - */ -void xoodyak_hash_squeeze - (xoodyak_hash_state_t *state, unsigned char *out, - unsigned long long outlen); - -/** - * \brief Returns the final hash value from a Xoodyak hashing operation. - * - * \param state Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - * - * \note This is a wrapper around xoodyak_hash_squeeze() for a fixed length - * of XOODYAK_HASH_SIZE bytes. 
- * - * \sa xoodyak_hash_init(), xoodyak_hash_absorb() - */ -void xoodyak_hash_finalize - (xoodyak_hash_state_t *state, unsigned char *out); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-util.h b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-util.h index e79158c..e30166d 100644 --- a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-util.h +++ b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-util.h @@ -238,6 +238,17 @@ } \ } while (0) +/* Rotation functions need to be optimised for best performance on AVR. + * The most efficient rotations are where the number of bits is 1 or a + * multiple of 8, so we compose the efficient rotations to produce all + * other rotation counts of interest. */ + +#if defined(__AVR__) +#define LW_CRYPTO_ROTATE32_COMPOSED 1 +#else +#define LW_CRYPTO_ROTATE32_COMPOSED 0 +#endif + /* Rotation macros for 32-bit arguments */ /* Generic left rotate */ @@ -254,6 +265,8 @@ (_temp >> (bits)) | (_temp << (32 - (bits))); \ })) +#if !LW_CRYPTO_ROTATE32_COMPOSED + /* Left rotate by a specific number of bits. These macros may be replaced * with more efficient ones on platforms that lack a barrel shifter */ #define leftRotate1(a) (leftRotate((a), 1)) 
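Review bot: `LW_CRYPTO_ROTATE32_COMPOSED` is fixed by `__AVR__` alone, so the composed rotation table that this flag selects further down the file can never be compiled or exercised on a host build, which is where the test vectors normally run. Letting a build force the flag keeps that AVR-only code testable: wrap the new block as `#if !defined(LW_CRYPTO_ROTATE32_COMPOSED)` before `#if defined(__AVR__)` and add a matching `#endif` after the existing one, so `-DLW_CRYPTO_ROTATE32_COMPOSED=1` on a host compiler exercises the composed macros against the same vectors. The `#if !LW_CRYPTO_ROTATE32_COMPOSED` guard that consumes the flag is in the following hunk, so the two hunks should be read together.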
@@ -322,6 +335,138 @@ #define rightRotate30(a) (rightRotate((a), 30)) #define rightRotate31(a) (rightRotate((a), 31)) +#else /* LW_CRYPTO_ROTATE32_COMPOSED */ + +/* Composed rotation macros where 1 and 8 are fast, but others are slow */ + +/* Left rotate by 1 */ +#define leftRotate1(a) (leftRotate((a), 1)) + +/* Left rotate by 2 */ +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +/* Left rotate by 3 */ +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +/* Left rotate by 4 */ +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 5: Rotate left by 8, then right by 3 */ +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 6: Rotate left by 8, then right by 2 */ +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 7: Rotate left by 8, then right by 1 */ +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 8 */ +#define leftRotate8(a) (leftRotate((a), 8)) + +/* Left rotate by 9: Rotate left by 8, then left by 1 */ +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +/* Left rotate by 10: Rotate left by 8, then left by 2 */ +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +/* Left rotate by 11: Rotate left by 8, then left by 3 */ +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +/* Left rotate by 12: Rotate left by 16, then right by 4 */ +#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 13: Rotate left by 16, then right by 3 */ +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 14: Rotate left by 16, then right by 2 */ +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 
15: Rotate left by 16, then right by 1 */ +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 16 */ +#define leftRotate16(a) (leftRotate((a), 16)) + +/* Left rotate by 17: Rotate left by 16, then left by 1 */ +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +/* Left rotate by 18: Rotate left by 16, then left by 2 */ +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +/* Left rotate by 19: Rotate left by 16, then left by 3 */ +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +/* Left rotate by 20: Rotate left by 16, then left by 4 */ +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +/* Left rotate by 21: Rotate left by 24, then right by 3 */ +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 22: Rotate left by 24, then right by 2 */ +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 23: Rotate left by 24, then right by 1 */ +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 24 */ +#define leftRotate24(a) (leftRotate((a), 24)) + +/* Left rotate by 25: Rotate left by 24, then left by 1 */ +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +/* Left rotate by 26: Rotate left by 24, then left by 2 */ +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +/* Left rotate by 27: Rotate left by 24, then left by 3 */ +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +/* Left rotate by 28: Rotate right by 4 */ +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +/* Left rotate by 29: Rotate right by 3 */ +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +/* Left rotate by 30: Rotate right by 2 */ 
+#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +/* Left rotate by 31: Rotate right by 1 */ +#define leftRotate31(a) (rightRotate((a), 1)) + +/* Define the 32-bit right rotations in terms of left rotations */ +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ + /* Rotation macros for 64-bit arguments */ /* Generic left rotate */ diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo-avr.S b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo-avr.S new file mode 100644 index 0000000..629c19d --- /dev/null 
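Review bot: The composed rotation table closes with `#endif /* LW_CRYPTO_ROTATE32_COMPOSED */` although the conditional it terminates opens as `#if !LW_CRYPTO_ROTATE32_COMPOSED`, so the trailing comment names the wrong branch; `#endif /* !LW_CRYPTO_ROTATE32_COMPOSED */` would match the opening condition. Checking the arithmetic, every entry reduces to the advertised count (leftRotate5 is left 8 then right 3, leftRotate12 is left 16 then right 4, leftRotate28 is right 4, and each rightRotateN is leftRotate(32-N)), so the table itself looks right. Because these macros replace the generic rotates only when `__AVR__` is defined, a typo in any of the 62 definitions would pass every host-side test vector and only surface on the microcontroller, so a warning above the table is worth having: `/* Only compiled for AVR: any edit here must be re-verified on the target against the generic leftRotate()/rightRotate() above. */`. The generic `leftRotate`/`rightRotate` macros these expand to are defined above this hunk.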
+++ b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo-avr.S 
@@ -0,0 +1,935 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global xoodoo_permute + .type xoodoo_permute, @function +xoodoo_permute: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + movw r30,r24 +.L__stack_usage = 16 + ldi r18,88 + mov r19,r1 + rcall 34f + ldi r18,56 + rcall 34f + ldi r18,192 + ldi r19,3 + rcall 34f + ldi r18,208 + mov r19,r1 + rcall 34f + ldi r18,32 + ldi r19,1 + rcall 34f + ldi r18,20 + mov r19,r1 + rcall 34f + ldi r18,96 + rcall 34f + ldi r18,44 + rcall 34f + ldi r18,128 + ldi r19,3 + rcall 34f + ldi r18,240 + mov r19,r1 + rcall 34f + ldi r18,160 + ldi r19,1 + rcall 34f + ldi r18,18 + mov r19,r1 + rcall 34f + rjmp 888f +34: + ldd r6,Z+12 + ldd r7,Z+13 + ldd r8,Z+14 + ldd r9,Z+15 + ldd r0,Z+28 + eor r6,r0 + ldd r0,Z+29 + eor r7,r0 + ldd r0,Z+30 + eor r8,r0 + ldd r0,Z+31 + eor r9,r0 + ldd r0,Z+44 + eor r6,r0 + ldd r0,Z+45 + eor r7,r0 + ldd r0,Z+46 + eor r8,r0 + ldd r0,Z+47 + eor r9,r0 + ld r20,Z + ldd r21,Z+1 + ldd r22,Z+2 + ldd r23,Z+3 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r28,Z+18 + ldd r29,Z+19 + ldd r2,Z+32 + ldd r3,Z+33 + ldd r4,Z+34 + ldd r5,Z+35 + movw r10,r20 + movw r12,r22 + eor r10,r26 + eor r11,r27 + eor r12,r28 + eor r13,r29 + eor r10,r2 + eor r11,r3 + eor r12,r4 + eor r13,r5 + movw r14,r6 + movw r24,r8 + mov r0,r1 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r0 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r0 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r0 + or r9,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r0 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r0 + or r25,r0 + eor r9,r24 + eor r6,r25 + eor r7,r14 + eor r8,r15 + movw r14,r10 + movw r24,r12 + mov r0,r1 + lsr r13 + ror r12 + ror r11 + ror r10 + ror r0 + lsr r13 + ror r12 + ror r11 + ror r10 + ror r0 + lsr r13 + ror r12 + ror r11 + ror r10 + ror r0 + or r13,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r15 + ror 
r14 + ror r0 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r0 + or r25,r0 + eor r13,r24 + eor r10,r25 + eor r11,r14 + eor r12,r15 + eor r20,r9 + eor r21,r6 + eor r22,r7 + eor r23,r8 + eor r26,r9 + eor r27,r6 + eor r28,r7 + eor r29,r8 + eor r2,r9 + eor r3,r6 + eor r4,r7 + eor r5,r8 + st Z,r20 + std Z+1,r21 + std Z+2,r22 + std Z+3,r23 + std Z+16,r26 + std Z+17,r27 + std Z+18,r28 + std Z+19,r29 + std Z+32,r2 + std Z+33,r3 + std Z+34,r4 + std Z+35,r5 + ldd r20,Z+4 + ldd r21,Z+5 + ldd r22,Z+6 + ldd r23,Z+7 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r28,Z+22 + ldd r29,Z+23 + ldd r2,Z+36 + ldd r3,Z+37 + ldd r4,Z+38 + ldd r5,Z+39 + movw r6,r20 + movw r8,r22 + eor r6,r26 + eor r7,r27 + eor r8,r28 + eor r9,r29 + eor r6,r2 + eor r7,r3 + eor r8,r4 + eor r9,r5 + movw r14,r6 + movw r24,r8 + mov r0,r1 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r0 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r0 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r0 + or r9,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r0 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r0 + or r25,r0 + eor r9,r24 + eor r6,r25 + eor r7,r14 + eor r8,r15 + eor r20,r13 + eor r21,r10 + eor r22,r11 + eor r23,r12 + eor r26,r13 + eor r27,r10 + eor r28,r11 + eor r29,r12 + eor r2,r13 + eor r3,r10 + eor r4,r11 + eor r5,r12 + std Z+4,r20 + std Z+5,r21 + std Z+6,r22 + std Z+7,r23 + std Z+20,r26 + std Z+21,r27 + std Z+22,r28 + std Z+23,r29 + std Z+36,r2 + std Z+37,r3 + std Z+38,r4 + std Z+39,r5 + ldd r20,Z+8 + ldd r21,Z+9 + ldd r22,Z+10 + ldd r23,Z+11 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r28,Z+26 + ldd r29,Z+27 + ldd r2,Z+40 + ldd r3,Z+41 + ldd r4,Z+42 + ldd r5,Z+43 + movw r10,r20 + movw r12,r22 + eor r10,r26 + eor r11,r27 + eor r12,r28 + eor r13,r29 + eor r10,r2 + eor r11,r3 + eor r12,r4 + eor r13,r5 + movw r14,r10 + movw r24,r12 + mov r0,r1 + lsr r13 + ror r12 + ror r11 + ror r10 + ror r0 + lsr r13 + ror r12 + ror r11 + ror r10 + ror r0 + lsr r13 + ror r12 + ror r11 + ror r10 + ror r0 + or r13,r0 + mov r0,r1 + lsr r25 + ror r24 + ror 
r15 + ror r14 + ror r0 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r0 + or r25,r0 + eor r13,r24 + eor r10,r25 + eor r11,r14 + eor r12,r15 + eor r20,r9 + eor r21,r6 + eor r22,r7 + eor r23,r8 + eor r26,r9 + eor r27,r6 + eor r28,r7 + eor r29,r8 + eor r2,r9 + eor r3,r6 + eor r4,r7 + eor r5,r8 + std Z+8,r20 + std Z+9,r21 + std Z+10,r22 + std Z+11,r23 + std Z+24,r26 + std Z+25,r27 + std Z+26,r28 + std Z+27,r29 + std Z+40,r2 + std Z+41,r3 + std Z+42,r4 + std Z+43,r5 + ldd r0,Z+12 + eor r0,r13 + std Z+12,r0 + ldd r0,Z+13 + eor r0,r10 + std Z+13,r0 + ldd r0,Z+14 + eor r0,r11 + std Z+14,r0 + ldd r0,Z+15 + eor r0,r12 + std Z+15,r0 + ldd r6,Z+28 + ldd r7,Z+29 + ldd r8,Z+30 + ldd r9,Z+31 + eor r6,r13 + eor r7,r10 + eor r8,r11 + eor r9,r12 + ldd r14,Z+44 + ldd r15,Z+45 + ldd r24,Z+46 + ldd r25,Z+47 + eor r14,r13 + eor r15,r10 + eor r24,r11 + eor r25,r12 + ldd r10,Z+24 + ldd r11,Z+25 + ldd r12,Z+26 + ldd r13,Z+27 + std Z+28,r10 + std Z+29,r11 + std Z+30,r12 + std Z+31,r13 + ldd r10,Z+20 + ldd r11,Z+21 + ldd r12,Z+22 + ldd r13,Z+23 + std Z+24,r10 + std Z+25,r11 + std Z+26,r12 + std Z+27,r13 + ldd r10,Z+16 + ldd r11,Z+17 + ldd r12,Z+18 + ldd r13,Z+19 + std Z+20,r10 + std Z+21,r11 + std Z+22,r12 + std Z+23,r13 + std Z+16,r6 + std Z+17,r7 + std Z+18,r8 + std Z+19,r9 + ldd r6,Z+32 + ldd r7,Z+33 + ldd r8,Z+34 + ldd r9,Z+35 + mov r0,r9 + mov r9,r8 + mov r8,r7 + mov r7,r6 + mov r6,r0 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+32,r6 + std Z+33,r7 + std Z+34,r8 + std Z+35,r9 + ldd r6,Z+36 + ldd r7,Z+37 + ldd r8,Z+38 + ldd r9,Z+39 + mov r0,r9 + mov r9,r8 + mov r8,r7 + mov r7,r6 + mov r6,r0 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+36,r6 + std Z+37,r7 + std Z+38,r8 + std Z+39,r9 + ldd r6,Z+40 + ldd r7,Z+41 + ldd r8,Z+42 + ldd r9,Z+43 + mov r0,r9 + mov r9,r8 + mov r8,r7 + mov 
r7,r6 + mov r6,r0 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+40,r6 + std Z+41,r7 + std Z+42,r8 + std Z+43,r9 + mov r0,r25 + mov r25,r24 + mov r24,r15 + mov r15,r14 + mov r14,r0 + lsl r14 + rol r15 + rol r24 + rol r25 + adc r14,r1 + lsl r14 + rol r15 + rol r24 + rol r25 + adc r14,r1 + lsl r14 + rol r15 + rol r24 + rol r25 + adc r14,r1 + std Z+44,r14 + std Z+45,r15 + std Z+46,r24 + std Z+47,r25 + ld r20,Z + ldd r21,Z+1 + ldd r22,Z+2 + ldd r23,Z+3 + eor r20,r18 + eor r21,r19 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r28,Z+18 + ldd r29,Z+19 + ldd r2,Z+32 + ldd r3,Z+33 + ldd r4,Z+34 + ldd r5,Z+35 + movw r6,r2 + movw r8,r4 + mov r0,r26 + com r0 + and r6,r0 + mov r0,r27 + com r0 + and r7,r0 + mov r0,r28 + com r0 + and r8,r0 + mov r0,r29 + com r0 + and r9,r0 + eor r20,r6 + eor r21,r7 + eor r22,r8 + eor r23,r9 + st Z,r20 + std Z+1,r21 + std Z+2,r22 + std Z+3,r23 + movw r6,r20 + movw r8,r22 + mov r0,r2 + com r0 + and r6,r0 + mov r0,r3 + com r0 + and r7,r0 + mov r0,r4 + com r0 + and r8,r0 + mov r0,r5 + com r0 + and r9,r0 + eor r26,r6 + eor r27,r7 + eor r28,r8 + eor r29,r9 + std Z+16,r26 + std Z+17,r27 + std Z+18,r28 + std Z+19,r29 + mov r0,r20 + com r0 + and r26,r0 + mov r0,r21 + com r0 + and r27,r0 + mov r0,r22 + com r0 + and r28,r0 + mov r0,r23 + com r0 + and r29,r0 + eor r2,r26 + eor r3,r27 + eor r4,r28 + eor r5,r29 + std Z+32,r2 + std Z+33,r3 + std Z+34,r4 + std Z+35,r5 + ldd r20,Z+4 + ldd r21,Z+5 + ldd r22,Z+6 + ldd r23,Z+7 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r28,Z+22 + ldd r29,Z+23 + ldd r2,Z+36 + ldd r3,Z+37 + ldd r4,Z+38 + ldd r5,Z+39 + movw r6,r2 + movw r8,r4 + mov r0,r26 + com r0 + and r6,r0 + mov r0,r27 + com r0 + and r7,r0 + mov r0,r28 + com r0 + and r8,r0 + mov r0,r29 + com r0 + and r9,r0 + eor r20,r6 + eor r21,r7 + eor r22,r8 + eor r23,r9 + std Z+4,r20 + std Z+5,r21 + std Z+6,r22 + std Z+7,r23 + movw r6,r20 + movw r8,r22 + mov r0,r2 + com r0 + and r6,r0 + mov 
r0,r3 + com r0 + and r7,r0 + mov r0,r4 + com r0 + and r8,r0 + mov r0,r5 + com r0 + and r9,r0 + eor r26,r6 + eor r27,r7 + eor r28,r8 + eor r29,r9 + std Z+20,r26 + std Z+21,r27 + std Z+22,r28 + std Z+23,r29 + mov r0,r20 + com r0 + and r26,r0 + mov r0,r21 + com r0 + and r27,r0 + mov r0,r22 + com r0 + and r28,r0 + mov r0,r23 + com r0 + and r29,r0 + eor r2,r26 + eor r3,r27 + eor r4,r28 + eor r5,r29 + std Z+36,r2 + std Z+37,r3 + std Z+38,r4 + std Z+39,r5 + ldd r20,Z+8 + ldd r21,Z+9 + ldd r22,Z+10 + ldd r23,Z+11 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r28,Z+26 + ldd r29,Z+27 + ldd r2,Z+40 + ldd r3,Z+41 + ldd r4,Z+42 + ldd r5,Z+43 + movw r6,r2 + movw r8,r4 + mov r0,r26 + com r0 + and r6,r0 + mov r0,r27 + com r0 + and r7,r0 + mov r0,r28 + com r0 + and r8,r0 + mov r0,r29 + com r0 + and r9,r0 + eor r20,r6 + eor r21,r7 + eor r22,r8 + eor r23,r9 + std Z+8,r20 + std Z+9,r21 + std Z+10,r22 + std Z+11,r23 + movw r6,r20 + movw r8,r22 + mov r0,r2 + com r0 + and r6,r0 + mov r0,r3 + com r0 + and r7,r0 + mov r0,r4 + com r0 + and r8,r0 + mov r0,r5 + com r0 + and r9,r0 + eor r26,r6 + eor r27,r7 + eor r28,r8 + eor r29,r9 + std Z+24,r26 + std Z+25,r27 + std Z+26,r28 + std Z+27,r29 + mov r0,r20 + com r0 + and r26,r0 + mov r0,r21 + com r0 + and r27,r0 + mov r0,r22 + com r0 + and r28,r0 + mov r0,r23 + com r0 + and r29,r0 + eor r2,r26 + eor r3,r27 + eor r4,r28 + eor r5,r29 + std Z+40,r2 + std Z+41,r3 + std Z+42,r4 + std Z+43,r5 + ldd r20,Z+12 + ldd r21,Z+13 + ldd r22,Z+14 + ldd r23,Z+15 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r28,Z+30 + ldd r29,Z+31 + ldd r2,Z+44 + ldd r3,Z+45 + ldd r4,Z+46 + ldd r5,Z+47 + movw r6,r2 + movw r8,r4 + mov r0,r26 + com r0 + and r6,r0 + mov r0,r27 + com r0 + and r7,r0 + mov r0,r28 + com r0 + and r8,r0 + mov r0,r29 + com r0 + and r9,r0 + eor r20,r6 + eor r21,r7 + eor r22,r8 + eor r23,r9 + std Z+12,r20 + std Z+13,r21 + std Z+14,r22 + std Z+15,r23 + movw r6,r20 + movw r8,r22 + mov r0,r2 + com r0 + and r6,r0 + mov r0,r3 + com r0 + and r7,r0 + mov r0,r4 + com r0 + and r8,r0 + 
mov r0,r5 + com r0 + and r9,r0 + eor r26,r6 + eor r27,r7 + eor r28,r8 + eor r29,r9 + std Z+28,r26 + std Z+29,r27 + std Z+30,r28 + std Z+31,r29 + mov r0,r20 + com r0 + and r26,r0 + mov r0,r21 + com r0 + and r27,r0 + mov r0,r22 + com r0 + and r28,r0 + mov r0,r23 + com r0 + and r29,r0 + eor r2,r26 + eor r3,r27 + eor r4,r28 + eor r5,r29 + std Z+44,r2 + std Z+45,r3 + std Z+46,r4 + std Z+47,r5 + ldd r6,Z+16 + ldd r7,Z+17 + ldd r8,Z+18 + ldd r9,Z+19 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+16,r6 + std Z+17,r7 + std Z+18,r8 + std Z+19,r9 + ldd r6,Z+20 + ldd r7,Z+21 + ldd r8,Z+22 + ldd r9,Z+23 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+20,r6 + std Z+21,r7 + std Z+22,r8 + std Z+23,r9 + ldd r6,Z+24 + ldd r7,Z+25 + ldd r8,Z+26 + ldd r9,Z+27 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+24,r6 + std Z+25,r7 + std Z+26,r8 + std Z+27,r9 + ldd r6,Z+28 + ldd r7,Z+29 + ldd r8,Z+30 + ldd r9,Z+31 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+28,r6 + std Z+29,r7 + std Z+30,r8 + std Z+31,r9 + ldd r6,Z+40 + ldd r7,Z+41 + ldd r8,Z+42 + ldd r9,Z+43 + ldd r10,Z+44 + ldd r11,Z+45 + ldd r12,Z+46 + ldd r13,Z+47 + ldd r14,Z+32 + ldd r15,Z+33 + ldd r24,Z+34 + ldd r25,Z+35 + std Z+40,r25 + std Z+41,r14 + std Z+42,r15 + std Z+43,r24 + ldd r14,Z+36 + ldd r15,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + std Z+44,r25 + std Z+45,r14 + std Z+46,r15 + std Z+47,r24 + std Z+32,r9 + std Z+33,r6 + std Z+34,r7 + std Z+35,r8 + std Z+36,r13 + std Z+37,r10 + std Z+38,r11 + std Z+39,r12 + ret +888: + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size xoodoo_permute, .-xoodoo_permute + +#endif diff --git a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.c b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.c index f129833..59bb8bf 100644 --- a/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.c 
+++ b/xoodyak/Implementations/crypto_aead/xoodyakv1/rhys/internal-xoodoo.c
@@ -22,6 +22,8 @@
 
 #include "internal-xoodoo.h"
 
+#if !defined(__AVR__)
+
 void xoodoo_permute(xoodoo_state_t *state)
 {
     static uint16_t const rc[XOODOO_ROUNDS] = {
@@ -160,3 +162,5 @@ void xoodoo_permute(xoodoo_state_t *state)
     le_store_word32(state->B + 44, x23);
 #endif
 }
+
+#endif /* !__AVR__ */
diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/aead-common.c b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/aead-common.c
deleted file mode 100644
index 84fc53a..0000000
--- a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/aead-common.c
+++ /dev/null
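Review bot: The new `#if !defined(__AVR__)` guard removes the only C definition of `xoodoo_permute()` on AVR without saying where the replacement lives; if a build does not also assemble internal-xoodoo-avr.S, the symbol simply goes missing at link time with no hint in this file. A one-line note on the guard, `#if !defined(__AVR__) /* AVR uses the assembly version in internal-xoodoo-avr.S */`, points the reader at the .S file, whose own `#if defined(__AVR__)` is the other half of the arrangement and must stay in sync with this one. The body of xoodoo_permute() between the two hunks is outside the diff.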
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "aead-common.h" - -int aead_check_tag - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = (accum - 1) >> 8; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} - -int aead_check_tag_precheck - (unsigned char *plaintext, unsigned long long plaintext_len, - const unsigned char *tag1, const unsigned char *tag2, - unsigned size, int precheck) -{ - /* Set "accum" to -1 if the tags match, or 0 if they don't match */ - int accum = 0; - while (size > 0) { - accum |= (*tag1++ ^ *tag2++); - --size; - } - accum = ((accum - 1) >> 8) & precheck; - - /* Destroy the plaintext if the tag match failed */ - while (plaintext_len > 0) { - *plaintext++ &= accum; - --plaintext_len; - } - - /* If "accum" is 0, return -1, otherwise return 0 */ - return ~accum; -} diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/aead-common.h b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/aead-common.h deleted file mode 100644 index 2be95eb..0000000 --- a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/aead-common.h +++ /dev/null 
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
- * DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef LWCRYPTO_AEAD_COMMON_H
-#define LWCRYPTO_AEAD_COMMON_H
-
-#include
-
-/**
- * \file aead-common.h
- * \brief Definitions that are common across AEAD schemes.
- *
- * AEAD stands for "Authenticated Encryption with Associated Data".
- * It is a standard API pattern for securely encrypting and
- * authenticating packets of data.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Encrypts and authenticates a packet with an AEAD scheme.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to encrypt the packet.
- *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
- */
-typedef int (*aead_cipher_encrypt_t)
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Decrypts and authenticates a packet with an AEAD scheme.
- *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - normally not used by AEAD schemes.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet.
- * \param k Points to the key to use to decrypt the packet.
- *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
- */
-typedef int (*aead_cipher_decrypt_t)
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
-
-/**
- * \brief Hashes a block of input data.
- *
- * \param out Buffer to receive the hash output.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
- *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
- */
-typedef int (*aead_hash_t)
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Initializes the state for a hashing operation.
- *
- * \param state Hash state to be initialized.
- */
-typedef void (*aead_hash_init_t)(void *state);
-
-/**
- * \brief Updates a hash state with more input data.
- *
- * \param state Hash state to be updated.
- * \param in Points to the input data to be incorporated into the state.
- * \param inlen Length of the input data to be incorporated into the state.
- */
-typedef void (*aead_hash_update_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Returns the final hash value from a hashing operation.
- *
- * \param Hash state to be finalized.
- * \param out Points to the output buffer to receive the hash value.
- */
-typedef void (*aead_hash_finalize_t)(void *state, unsigned char *out);
-
-/**
- * \brief Aborbs more input data into an XOF state.
- *
- * \param state XOF state to be updated.
- * \param in Points to the input data to be absorbed into the state.
- * \param inlen Length of the input data to be absorbed into the state.
- *
- * \sa ascon_xof_init(), ascon_xof_squeeze()
- */
-typedef void (*aead_xof_absorb_t)
- (void *state, const unsigned char *in, unsigned long long inlen);
-
-/**
- * \brief Squeezes output data from an XOF state.
- *
- * \param state XOF state to squeeze the output data from.
- * \param out Points to the output buffer to receive the squeezed data.
- * \param outlen Number of bytes of data to squeeze out of the state.
- */
-typedef void (*aead_xof_squeeze_t)
- (void *state, unsigned char *out, unsigned long long outlen);
-
-/**
- * \brief No special AEAD features.
- */
-#define AEAD_FLAG_NONE 0x0000
-
-/**
- * \brief The natural byte order of the AEAD cipher is little-endian.
- *
- * If this flag is not present, then the natural byte order of the
- * AEAD cipher should be assumed to be big-endian.
- *
- * The natural byte order may be useful when formatting packet sequence
- * numbers as nonces. The application needs to know whether the sequence
- * number should be packed into the leading or trailing bytes of the nonce.
- */
-#define AEAD_FLAG_LITTLE_ENDIAN 0x0001
-
-/**
- * \brief Meta-information about an AEAD cipher.
- */
-typedef struct
-{
- const char *name; /**< Name of the cipher */
- unsigned key_len; /**< Length of the key in bytes */
- unsigned nonce_len; /**< Length of the nonce in bytes */
- unsigned tag_len; /**< Length of the tag in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_cipher_encrypt_t encrypt; /**< AEAD encryption function */
- aead_cipher_decrypt_t decrypt; /**< AEAD decryption function */
-
-} aead_cipher_t;
-
-/**
- * \brief Meta-information about a hash algorithm that is related to an AEAD.
- *
- * Regular hash algorithms should provide the "hash", "init", "update",
- * and "finalize" functions. Extensible Output Functions (XOF's) should
- * proivde the "hash", "init", "absorb", and "squeeze" functions.
- */
-typedef struct
-{
- const char *name; /**< Name of the hash algorithm */
- size_t state_size; /**< Size of the incremental state structure */
- unsigned hash_len; /**< Length of the hash in bytes */
- unsigned flags; /**< Flags for extra features */
- aead_hash_t hash; /**< All in one hashing function */
- aead_hash_init_t init; /**< Incremental hash/XOF init function */
- aead_hash_update_t update; /**< Incremental hash update function */
- aead_hash_finalize_t finalize; /**< Incremental hash finalize function */
- aead_xof_absorb_t absorb; /**< Incremental XOF absorb function */
- aead_xof_squeeze_t squeeze; /**< Incremental XOF squeeze function */
-
-} aead_hash_algorithm_t;
-
-/**
- * \brief Check an authentication tag in constant time.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- */
-int aead_check_tag
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len);
-
-/**
- * \brief Check an authentication tag in constant time with a previous check.
- *
- * \param plaintext Points to the plaintext data.
- * \param plaintext_len Length of the plaintext in bytes.
- * \param tag1 First tag to compare.
- * \param tag2 Second tag to compare.
- * \param tag_len Length of the tags in bytes.
- * \param precheck Set to -1 if previous check succeeded or 0 if it failed.
- *
- * \return Returns -1 if the tag check failed or 0 if the check succeeded.
- *
- * If the tag check fails, then the \a plaintext will also be zeroed to
- * prevent it from being used accidentally by the application when the
- * ciphertext was invalid.
- *
- * This version can be used to incorporate other information about the
- * correctness of the plaintext into the final result.
- */
-int aead_check_tag_precheck
- (unsigned char *plaintext, unsigned long long plaintext_len,
- const unsigned char *tag1, const unsigned char *tag2,
- unsigned tag_len, int precheck);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/api.h b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/api.h
deleted file mode 100644
index ae8c7f6..0000000
--- a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/api.h
+++ /dev/null
@@ -1 +0,0 @@
-#define CRYPTO_BYTES 32
diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/internal-util.h b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/internal-util.h
deleted file mode 100644
index e30166d..0000000
--- a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/internal-util.h
+++ /dev/null
@@ -1,702 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_UTIL_H -#define LW_INTERNAL_UTIL_H - -#include - -/* Figure out how to inline functions using this C compiler */ -#if defined(__STDC__) && __STDC_VERSION__ >= 199901L -#define STATIC_INLINE static inline -#elif defined(__GNUC__) || defined(__clang__) -#define STATIC_INLINE static __inline__ -#else -#define STATIC_INLINE static -#endif - -/* Try to figure out whether the CPU is little-endian or big-endian. - * May need to modify this to include new compiler-specific defines. 
- * Alternatively, define __LITTLE_ENDIAN__ or __BIG_ENDIAN__ in your - * compiler flags when you compile this library */ -#if defined(__x86_64) || defined(__x86_64__) || \ - defined(__i386) || defined(__i386__) || \ - defined(__AVR__) || defined(__arm) || defined(__arm__) || \ - defined(_M_AMD64) || defined(_M_X64) || defined(_M_IX86) || \ - defined(_M_IA64) || defined(_M_ARM) || defined(_M_ARM_FP) || \ - (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 1234) || \ - defined(__LITTLE_ENDIAN__) -#define LW_UTIL_LITTLE_ENDIAN 1 -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == 4321) || \ - defined(__BIG_ENDIAN__) -/* Big endian */ -#else -#error "Cannot determine the endianess of this platform" -#endif - -/* Helper macros to load and store values while converting endian-ness */ - -/* Load a big-endian 32-bit word from a byte buffer */ -#define be_load_word32(ptr) \ - ((((uint32_t)((ptr)[0])) << 24) | \ - (((uint32_t)((ptr)[1])) << 16) | \ - (((uint32_t)((ptr)[2])) << 8) | \ - ((uint32_t)((ptr)[3]))) - -/* Store a big-endian 32-bit word into a byte buffer */ -#define be_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 24); \ - (ptr)[1] = (uint8_t)(_x >> 16); \ - (ptr)[2] = (uint8_t)(_x >> 8); \ - (ptr)[3] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 32-bit word from a byte buffer */ -#define le_load_word32(ptr) \ - ((((uint32_t)((ptr)[3])) << 24) | \ - (((uint32_t)((ptr)[2])) << 16) | \ - (((uint32_t)((ptr)[1])) << 8) | \ - ((uint32_t)((ptr)[0]))) - -/* Store a little-endian 32-bit word into a byte buffer */ -#define le_store_word32(ptr, x) \ - do { \ - uint32_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - } while (0) - -/* Load a big-endian 64-bit word from a byte buffer */ -#define be_load_word64(ptr) \ - ((((uint64_t)((ptr)[0])) << 56) | \ - (((uint64_t)((ptr)[1])) << 48) | \ - (((uint64_t)((ptr)[2])) << 40) | \ - 
(((uint64_t)((ptr)[3])) << 32) | \ - (((uint64_t)((ptr)[4])) << 24) | \ - (((uint64_t)((ptr)[5])) << 16) | \ - (((uint64_t)((ptr)[6])) << 8) | \ - ((uint64_t)((ptr)[7]))) - -/* Store a big-endian 64-bit word into a byte buffer */ -#define be_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 56); \ - (ptr)[1] = (uint8_t)(_x >> 48); \ - (ptr)[2] = (uint8_t)(_x >> 40); \ - (ptr)[3] = (uint8_t)(_x >> 32); \ - (ptr)[4] = (uint8_t)(_x >> 24); \ - (ptr)[5] = (uint8_t)(_x >> 16); \ - (ptr)[6] = (uint8_t)(_x >> 8); \ - (ptr)[7] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 64-bit word from a byte buffer */ -#define le_load_word64(ptr) \ - ((((uint64_t)((ptr)[7])) << 56) | \ - (((uint64_t)((ptr)[6])) << 48) | \ - (((uint64_t)((ptr)[5])) << 40) | \ - (((uint64_t)((ptr)[4])) << 32) | \ - (((uint64_t)((ptr)[3])) << 24) | \ - (((uint64_t)((ptr)[2])) << 16) | \ - (((uint64_t)((ptr)[1])) << 8) | \ - ((uint64_t)((ptr)[0]))) - -/* Store a little-endian 64-bit word into a byte buffer */ -#define le_store_word64(ptr, x) \ - do { \ - uint64_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - (ptr)[2] = (uint8_t)(_x >> 16); \ - (ptr)[3] = (uint8_t)(_x >> 24); \ - (ptr)[4] = (uint8_t)(_x >> 32); \ - (ptr)[5] = (uint8_t)(_x >> 40); \ - (ptr)[6] = (uint8_t)(_x >> 48); \ - (ptr)[7] = (uint8_t)(_x >> 56); \ - } while (0) - -/* Load a big-endian 16-bit word from a byte buffer */ -#define be_load_word16(ptr) \ - ((((uint16_t)((ptr)[0])) << 8) | \ - ((uint16_t)((ptr)[1]))) - -/* Store a big-endian 16-bit word into a byte buffer */ -#define be_store_word16(ptr, x) \ - do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)(_x >> 8); \ - (ptr)[1] = (uint8_t)_x; \ - } while (0) - -/* Load a little-endian 16-bit word from a byte buffer */ -#define le_load_word16(ptr) \ - ((((uint16_t)((ptr)[1])) << 8) | \ - ((uint16_t)((ptr)[0]))) - -/* Store a little-endian 16-bit word into a byte buffer */ -#define le_store_word16(ptr, x) \ - 
do { \ - uint16_t _x = (x); \ - (ptr)[0] = (uint8_t)_x; \ - (ptr)[1] = (uint8_t)(_x >> 8); \ - } while (0) - -/* XOR a source byte buffer against a destination */ -#define lw_xor_block(dest, src, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ ^= *_src++; \ - --_len; \ - } \ - } while (0) - -/* XOR two source byte buffers and put the result in a destination buffer */ -#define lw_xor_block_2_src(dest, src1, src2, len) \ - do { \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest++ = *_src1++ ^ *_src2++; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time */ -#define lw_xor_block_2_dest(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - *_dest2++ = (*_dest++ ^= *_src++); \ - --_len; \ - } \ - } while (0) - -/* XOR two byte buffers and write to a destination which at the same - * time copying the contents of src2 to dest2 */ -#define lw_xor_block_copy_src(dest2, dest, src1, src2, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src1 = (src1); \ - const unsigned char *_src2 = (src2); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src2++; \ - *_dest2++ = _temp; \ - *_dest++ = *_src1++ ^ _temp; \ - --_len; \ - } \ - } while (0) - -/* XOR a source byte buffer against a destination and write to another - * destination at the same time. 
This version swaps the source value - * into the "dest" buffer */ -#define lw_xor_block_swap(dest2, dest, src, len) \ - do { \ - unsigned char *_dest2 = (dest2); \ - unsigned char *_dest = (dest); \ - const unsigned char *_src = (src); \ - unsigned _len = (len); \ - while (_len > 0) { \ - unsigned char _temp = *_src++; \ - *_dest2++ = *_dest ^ _temp; \ - *_dest++ = _temp; \ - --_len; \ - } \ - } while (0) - -/* Rotation functions need to be optimised for best performance on AVR. - * The most efficient rotations are where the number of bits is 1 or a - * multiple of 8, so we compose the efficient rotations to produce all - * other rotation counts of interest. */ - -#if defined(__AVR__) -#define LW_CRYPTO_ROTATE32_COMPOSED 1 -#else -#define LW_CRYPTO_ROTATE32_COMPOSED 0 -#endif - -/* Rotation macros for 32-bit arguments */ - -/* Generic left rotate */ -#define leftRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (32 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate(a, bits) \ - (__extension__ ({ \ - uint32_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (32 - (bits))); \ - })) - -#if !LW_CRYPTO_ROTATE32_COMPOSED - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1(a) (leftRotate((a), 1)) -#define leftRotate2(a) (leftRotate((a), 2)) -#define leftRotate3(a) (leftRotate((a), 3)) -#define leftRotate4(a) (leftRotate((a), 4)) -#define leftRotate5(a) (leftRotate((a), 5)) -#define leftRotate6(a) (leftRotate((a), 6)) -#define leftRotate7(a) (leftRotate((a), 7)) -#define leftRotate8(a) (leftRotate((a), 8)) -#define leftRotate9(a) (leftRotate((a), 9)) -#define leftRotate10(a) (leftRotate((a), 10)) -#define leftRotate11(a) (leftRotate((a), 11)) -#define leftRotate12(a) (leftRotate((a), 12)) -#define leftRotate13(a) (leftRotate((a), 13)) -#define leftRotate14(a) (leftRotate((a), 14)) -#define leftRotate15(a) (leftRotate((a), 15)) -#define leftRotate16(a) (leftRotate((a), 16)) -#define leftRotate17(a) (leftRotate((a), 17)) -#define leftRotate18(a) (leftRotate((a), 18)) -#define leftRotate19(a) (leftRotate((a), 19)) -#define leftRotate20(a) (leftRotate((a), 20)) -#define leftRotate21(a) (leftRotate((a), 21)) -#define leftRotate22(a) (leftRotate((a), 22)) -#define leftRotate23(a) (leftRotate((a), 23)) -#define leftRotate24(a) (leftRotate((a), 24)) -#define leftRotate25(a) (leftRotate((a), 25)) -#define leftRotate26(a) (leftRotate((a), 26)) -#define leftRotate27(a) (leftRotate((a), 27)) -#define leftRotate28(a) (leftRotate((a), 28)) -#define leftRotate29(a) (leftRotate((a), 29)) -#define leftRotate30(a) (leftRotate((a), 30)) -#define leftRotate31(a) (leftRotate((a), 31)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1(a) (rightRotate((a), 1)) -#define rightRotate2(a) (rightRotate((a), 2)) -#define rightRotate3(a) (rightRotate((a), 3)) -#define rightRotate4(a) (rightRotate((a), 4)) -#define rightRotate5(a) (rightRotate((a), 5)) -#define rightRotate6(a) (rightRotate((a), 6)) -#define rightRotate7(a) (rightRotate((a), 7)) -#define rightRotate8(a) (rightRotate((a), 8)) -#define rightRotate9(a) (rightRotate((a), 9)) -#define rightRotate10(a) (rightRotate((a), 10)) -#define rightRotate11(a) (rightRotate((a), 11)) -#define rightRotate12(a) (rightRotate((a), 12)) -#define rightRotate13(a) (rightRotate((a), 13)) -#define rightRotate14(a) (rightRotate((a), 14)) -#define rightRotate15(a) (rightRotate((a), 15)) -#define rightRotate16(a) (rightRotate((a), 16)) -#define rightRotate17(a) (rightRotate((a), 17)) -#define rightRotate18(a) (rightRotate((a), 18)) -#define rightRotate19(a) (rightRotate((a), 19)) -#define rightRotate20(a) (rightRotate((a), 20)) -#define rightRotate21(a) (rightRotate((a), 21)) -#define rightRotate22(a) (rightRotate((a), 22)) -#define rightRotate23(a) (rightRotate((a), 23)) -#define rightRotate24(a) (rightRotate((a), 24)) -#define rightRotate25(a) (rightRotate((a), 25)) -#define rightRotate26(a) (rightRotate((a), 26)) -#define rightRotate27(a) (rightRotate((a), 27)) -#define rightRotate28(a) (rightRotate((a), 28)) -#define rightRotate29(a) (rightRotate((a), 29)) -#define rightRotate30(a) (rightRotate((a), 30)) -#define rightRotate31(a) (rightRotate((a), 31)) - -#else /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Composed rotation macros where 1 and 8 are fast, but others are slow */ - -/* Left rotate by 1 */ -#define leftRotate1(a) (leftRotate((a), 1)) - -/* Left rotate by 2 */ -#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) - -/* Left rotate by 3 */ -#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) - -/* Left rotate 
by 4 */ -#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 5: Rotate left by 8, then right by 3 */ -#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 6: Rotate left by 8, then right by 2 */ -#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 7: Rotate left by 8, then right by 1 */ -#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 8 */ -#define leftRotate8(a) (leftRotate((a), 8)) - -/* Left rotate by 9: Rotate left by 8, then left by 1 */ -#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) - -/* Left rotate by 10: Rotate left by 8, then left by 2 */ -#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) - -/* Left rotate by 11: Rotate left by 8, then left by 3 */ -#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) - -/* Left rotate by 12: Rotate left by 16, then right by 4 */ -#define leftRotate12(a) (rightRotate(rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 13: Rotate left by 16, then right by 3 */ -#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 14: Rotate left by 16, then right by 2 */ -#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 15: Rotate left by 16, then right by 1 */ -#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 16 */ -#define leftRotate16(a) (leftRotate((a), 16)) - -/* Left rotate by 17: Rotate left by 16, then left by 1 */ -#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) - -/* Left rotate by 18: Rotate left by 16, then left by 2 */ -#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) - -/* Left rotate by 19: Rotate left by 16, then left by 3 */ -#define 
leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) - -/* Left rotate by 20: Rotate left by 16, then left by 4 */ -#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) - -/* Left rotate by 21: Rotate left by 24, then right by 3 */ -#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 22: Rotate left by 24, then right by 2 */ -#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 23: Rotate left by 24, then right by 1 */ -#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 24 */ -#define leftRotate24(a) (leftRotate((a), 24)) - -/* Left rotate by 25: Rotate left by 24, then left by 1 */ -#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) - -/* Left rotate by 26: Rotate left by 24, then left by 2 */ -#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) - -/* Left rotate by 27: Rotate left by 24, then left by 3 */ -#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) - -/* Left rotate by 28: Rotate right by 4 */ -#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) - -/* Left rotate by 29: Rotate right by 3 */ -#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) - -/* Left rotate by 30: Rotate right by 2 */ -#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) - -/* Left rotate by 31: Rotate right by 1 */ -#define leftRotate31(a) (rightRotate((a), 1)) - -/* Define the 32-bit right rotations in terms of left rotations */ -#define rightRotate1(a) (leftRotate31((a))) -#define rightRotate2(a) (leftRotate30((a))) -#define rightRotate3(a) (leftRotate29((a))) -#define rightRotate4(a) (leftRotate28((a))) -#define rightRotate5(a) (leftRotate27((a))) -#define rightRotate6(a) (leftRotate26((a))) -#define 
rightRotate7(a) (leftRotate25((a))) -#define rightRotate8(a) (leftRotate24((a))) -#define rightRotate9(a) (leftRotate23((a))) -#define rightRotate10(a) (leftRotate22((a))) -#define rightRotate11(a) (leftRotate21((a))) -#define rightRotate12(a) (leftRotate20((a))) -#define rightRotate13(a) (leftRotate19((a))) -#define rightRotate14(a) (leftRotate18((a))) -#define rightRotate15(a) (leftRotate17((a))) -#define rightRotate16(a) (leftRotate16((a))) -#define rightRotate17(a) (leftRotate15((a))) -#define rightRotate18(a) (leftRotate14((a))) -#define rightRotate19(a) (leftRotate13((a))) -#define rightRotate20(a) (leftRotate12((a))) -#define rightRotate21(a) (leftRotate11((a))) -#define rightRotate22(a) (leftRotate10((a))) -#define rightRotate23(a) (leftRotate9((a))) -#define rightRotate24(a) (leftRotate8((a))) -#define rightRotate25(a) (leftRotate7((a))) -#define rightRotate26(a) (leftRotate6((a))) -#define rightRotate27(a) (leftRotate5((a))) -#define rightRotate28(a) (leftRotate4((a))) -#define rightRotate29(a) (leftRotate3((a))) -#define rightRotate30(a) (leftRotate2((a))) -#define rightRotate31(a) (leftRotate1((a))) - -#endif /* LW_CRYPTO_ROTATE32_COMPOSED */ - -/* Rotation macros for 64-bit arguments */ - -/* Generic left rotate */ -#define leftRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (64 - (bits))); \ - })) - -/* Generic right rotate */ -#define rightRotate_64(a, bits) \ - (__extension__ ({ \ - uint64_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (64 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_64(a) (leftRotate_64((a), 1)) -#define leftRotate2_64(a) (leftRotate_64((a), 2)) -#define leftRotate3_64(a) (leftRotate_64((a), 3)) -#define leftRotate4_64(a) (leftRotate_64((a), 4)) -#define leftRotate5_64(a) (leftRotate_64((a), 5)) -#define leftRotate6_64(a) (leftRotate_64((a), 6)) -#define leftRotate7_64(a) (leftRotate_64((a), 7)) -#define leftRotate8_64(a) (leftRotate_64((a), 8)) -#define leftRotate9_64(a) (leftRotate_64((a), 9)) -#define leftRotate10_64(a) (leftRotate_64((a), 10)) -#define leftRotate11_64(a) (leftRotate_64((a), 11)) -#define leftRotate12_64(a) (leftRotate_64((a), 12)) -#define leftRotate13_64(a) (leftRotate_64((a), 13)) -#define leftRotate14_64(a) (leftRotate_64((a), 14)) -#define leftRotate15_64(a) (leftRotate_64((a), 15)) -#define leftRotate16_64(a) (leftRotate_64((a), 16)) -#define leftRotate17_64(a) (leftRotate_64((a), 17)) -#define leftRotate18_64(a) (leftRotate_64((a), 18)) -#define leftRotate19_64(a) (leftRotate_64((a), 19)) -#define leftRotate20_64(a) (leftRotate_64((a), 20)) -#define leftRotate21_64(a) (leftRotate_64((a), 21)) -#define leftRotate22_64(a) (leftRotate_64((a), 22)) -#define leftRotate23_64(a) (leftRotate_64((a), 23)) -#define leftRotate24_64(a) (leftRotate_64((a), 24)) -#define leftRotate25_64(a) (leftRotate_64((a), 25)) -#define leftRotate26_64(a) (leftRotate_64((a), 26)) -#define leftRotate27_64(a) (leftRotate_64((a), 27)) -#define leftRotate28_64(a) (leftRotate_64((a), 28)) -#define leftRotate29_64(a) (leftRotate_64((a), 29)) -#define leftRotate30_64(a) (leftRotate_64((a), 30)) -#define leftRotate31_64(a) (leftRotate_64((a), 31)) -#define leftRotate32_64(a) (leftRotate_64((a), 32)) -#define leftRotate33_64(a) (leftRotate_64((a), 33)) -#define leftRotate34_64(a) (leftRotate_64((a), 34)) -#define leftRotate35_64(a) (leftRotate_64((a), 35)) -#define leftRotate36_64(a) (leftRotate_64((a), 36)) -#define 
leftRotate37_64(a) (leftRotate_64((a), 37)) -#define leftRotate38_64(a) (leftRotate_64((a), 38)) -#define leftRotate39_64(a) (leftRotate_64((a), 39)) -#define leftRotate40_64(a) (leftRotate_64((a), 40)) -#define leftRotate41_64(a) (leftRotate_64((a), 41)) -#define leftRotate42_64(a) (leftRotate_64((a), 42)) -#define leftRotate43_64(a) (leftRotate_64((a), 43)) -#define leftRotate44_64(a) (leftRotate_64((a), 44)) -#define leftRotate45_64(a) (leftRotate_64((a), 45)) -#define leftRotate46_64(a) (leftRotate_64((a), 46)) -#define leftRotate47_64(a) (leftRotate_64((a), 47)) -#define leftRotate48_64(a) (leftRotate_64((a), 48)) -#define leftRotate49_64(a) (leftRotate_64((a), 49)) -#define leftRotate50_64(a) (leftRotate_64((a), 50)) -#define leftRotate51_64(a) (leftRotate_64((a), 51)) -#define leftRotate52_64(a) (leftRotate_64((a), 52)) -#define leftRotate53_64(a) (leftRotate_64((a), 53)) -#define leftRotate54_64(a) (leftRotate_64((a), 54)) -#define leftRotate55_64(a) (leftRotate_64((a), 55)) -#define leftRotate56_64(a) (leftRotate_64((a), 56)) -#define leftRotate57_64(a) (leftRotate_64((a), 57)) -#define leftRotate58_64(a) (leftRotate_64((a), 58)) -#define leftRotate59_64(a) (leftRotate_64((a), 59)) -#define leftRotate60_64(a) (leftRotate_64((a), 60)) -#define leftRotate61_64(a) (leftRotate_64((a), 61)) -#define leftRotate62_64(a) (leftRotate_64((a), 62)) -#define leftRotate63_64(a) (leftRotate_64((a), 63)) - -/* Right rotate by a specific number of bits. 
These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_64(a) (rightRotate_64((a), 1)) -#define rightRotate2_64(a) (rightRotate_64((a), 2)) -#define rightRotate3_64(a) (rightRotate_64((a), 3)) -#define rightRotate4_64(a) (rightRotate_64((a), 4)) -#define rightRotate5_64(a) (rightRotate_64((a), 5)) -#define rightRotate6_64(a) (rightRotate_64((a), 6)) -#define rightRotate7_64(a) (rightRotate_64((a), 7)) -#define rightRotate8_64(a) (rightRotate_64((a), 8)) -#define rightRotate9_64(a) (rightRotate_64((a), 9)) -#define rightRotate10_64(a) (rightRotate_64((a), 10)) -#define rightRotate11_64(a) (rightRotate_64((a), 11)) -#define rightRotate12_64(a) (rightRotate_64((a), 12)) -#define rightRotate13_64(a) (rightRotate_64((a), 13)) -#define rightRotate14_64(a) (rightRotate_64((a), 14)) -#define rightRotate15_64(a) (rightRotate_64((a), 15)) -#define rightRotate16_64(a) (rightRotate_64((a), 16)) -#define rightRotate17_64(a) (rightRotate_64((a), 17)) -#define rightRotate18_64(a) (rightRotate_64((a), 18)) -#define rightRotate19_64(a) (rightRotate_64((a), 19)) -#define rightRotate20_64(a) (rightRotate_64((a), 20)) -#define rightRotate21_64(a) (rightRotate_64((a), 21)) -#define rightRotate22_64(a) (rightRotate_64((a), 22)) -#define rightRotate23_64(a) (rightRotate_64((a), 23)) -#define rightRotate24_64(a) (rightRotate_64((a), 24)) -#define rightRotate25_64(a) (rightRotate_64((a), 25)) -#define rightRotate26_64(a) (rightRotate_64((a), 26)) -#define rightRotate27_64(a) (rightRotate_64((a), 27)) -#define rightRotate28_64(a) (rightRotate_64((a), 28)) -#define rightRotate29_64(a) (rightRotate_64((a), 29)) -#define rightRotate30_64(a) (rightRotate_64((a), 30)) -#define rightRotate31_64(a) (rightRotate_64((a), 31)) -#define rightRotate32_64(a) (rightRotate_64((a), 32)) -#define rightRotate33_64(a) (rightRotate_64((a), 33)) -#define rightRotate34_64(a) (rightRotate_64((a), 34)) -#define rightRotate35_64(a) 
(rightRotate_64((a), 35)) -#define rightRotate36_64(a) (rightRotate_64((a), 36)) -#define rightRotate37_64(a) (rightRotate_64((a), 37)) -#define rightRotate38_64(a) (rightRotate_64((a), 38)) -#define rightRotate39_64(a) (rightRotate_64((a), 39)) -#define rightRotate40_64(a) (rightRotate_64((a), 40)) -#define rightRotate41_64(a) (rightRotate_64((a), 41)) -#define rightRotate42_64(a) (rightRotate_64((a), 42)) -#define rightRotate43_64(a) (rightRotate_64((a), 43)) -#define rightRotate44_64(a) (rightRotate_64((a), 44)) -#define rightRotate45_64(a) (rightRotate_64((a), 45)) -#define rightRotate46_64(a) (rightRotate_64((a), 46)) -#define rightRotate47_64(a) (rightRotate_64((a), 47)) -#define rightRotate48_64(a) (rightRotate_64((a), 48)) -#define rightRotate49_64(a) (rightRotate_64((a), 49)) -#define rightRotate50_64(a) (rightRotate_64((a), 50)) -#define rightRotate51_64(a) (rightRotate_64((a), 51)) -#define rightRotate52_64(a) (rightRotate_64((a), 52)) -#define rightRotate53_64(a) (rightRotate_64((a), 53)) -#define rightRotate54_64(a) (rightRotate_64((a), 54)) -#define rightRotate55_64(a) (rightRotate_64((a), 55)) -#define rightRotate56_64(a) (rightRotate_64((a), 56)) -#define rightRotate57_64(a) (rightRotate_64((a), 57)) -#define rightRotate58_64(a) (rightRotate_64((a), 58)) -#define rightRotate59_64(a) (rightRotate_64((a), 59)) -#define rightRotate60_64(a) (rightRotate_64((a), 60)) -#define rightRotate61_64(a) (rightRotate_64((a), 61)) -#define rightRotate62_64(a) (rightRotate_64((a), 62)) -#define rightRotate63_64(a) (rightRotate_64((a), 63)) - -/* Rotate a 16-bit value left by a number of bits */ -#define leftRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp << (bits)) | (_temp >> (16 - (bits))); \ - })) - -/* Rotate a 16-bit value right by a number of bits */ -#define rightRotate_16(a, bits) \ - (__extension__ ({ \ - uint16_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (16 - (bits))); \ - })) - -/* Left rotate by a specific number of 
bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_16(a) (leftRotate_16((a), 1)) -#define leftRotate2_16(a) (leftRotate_16((a), 2)) -#define leftRotate3_16(a) (leftRotate_16((a), 3)) -#define leftRotate4_16(a) (leftRotate_16((a), 4)) -#define leftRotate5_16(a) (leftRotate_16((a), 5)) -#define leftRotate6_16(a) (leftRotate_16((a), 6)) -#define leftRotate7_16(a) (leftRotate_16((a), 7)) -#define leftRotate8_16(a) (leftRotate_16((a), 8)) -#define leftRotate9_16(a) (leftRotate_16((a), 9)) -#define leftRotate10_16(a) (leftRotate_16((a), 10)) -#define leftRotate11_16(a) (leftRotate_16((a), 11)) -#define leftRotate12_16(a) (leftRotate_16((a), 12)) -#define leftRotate13_16(a) (leftRotate_16((a), 13)) -#define leftRotate14_16(a) (leftRotate_16((a), 14)) -#define leftRotate15_16(a) (leftRotate_16((a), 15)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_16(a) (rightRotate_16((a), 1)) -#define rightRotate2_16(a) (rightRotate_16((a), 2)) -#define rightRotate3_16(a) (rightRotate_16((a), 3)) -#define rightRotate4_16(a) (rightRotate_16((a), 4)) -#define rightRotate5_16(a) (rightRotate_16((a), 5)) -#define rightRotate6_16(a) (rightRotate_16((a), 6)) -#define rightRotate7_16(a) (rightRotate_16((a), 7)) -#define rightRotate8_16(a) (rightRotate_16((a), 8)) -#define rightRotate9_16(a) (rightRotate_16((a), 9)) -#define rightRotate10_16(a) (rightRotate_16((a), 10)) -#define rightRotate11_16(a) (rightRotate_16((a), 11)) -#define rightRotate12_16(a) (rightRotate_16((a), 12)) -#define rightRotate13_16(a) (rightRotate_16((a), 13)) -#define rightRotate14_16(a) (rightRotate_16((a), 14)) -#define rightRotate15_16(a) (rightRotate_16((a), 15)) - -/* Rotate an 8-bit value left by a number of bits */ -#define leftRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp << (bits)) | 
(_temp >> (8 - (bits))); \ - })) - -/* Rotate an 8-bit value right by a number of bits */ -#define rightRotate_8(a, bits) \ - (__extension__ ({ \ - uint8_t _temp = (a); \ - (_temp >> (bits)) | (_temp << (8 - (bits))); \ - })) - -/* Left rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define leftRotate1_8(a) (leftRotate_8((a), 1)) -#define leftRotate2_8(a) (leftRotate_8((a), 2)) -#define leftRotate3_8(a) (leftRotate_8((a), 3)) -#define leftRotate4_8(a) (leftRotate_8((a), 4)) -#define leftRotate5_8(a) (leftRotate_8((a), 5)) -#define leftRotate6_8(a) (leftRotate_8((a), 6)) -#define leftRotate7_8(a) (leftRotate_8((a), 7)) - -/* Right rotate by a specific number of bits. These macros may be replaced - * with more efficient ones on platforms that lack a barrel shifter */ -#define rightRotate1_8(a) (rightRotate_8((a), 1)) -#define rightRotate2_8(a) (rightRotate_8((a), 2)) -#define rightRotate3_8(a) (rightRotate_8((a), 3)) -#define rightRotate4_8(a) (rightRotate_8((a), 4)) -#define rightRotate5_8(a) (rightRotate_8((a), 5)) -#define rightRotate6_8(a) (rightRotate_8((a), 6)) -#define rightRotate7_8(a) (rightRotate_8((a), 7)) - -#endif diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/internal-xoodoo-avr.S b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/internal-xoodoo-avr.S deleted file mode 100644 index 629c19d..0000000 --- a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/internal-xoodoo-avr.S +++ /dev/null 
@@ -1,935 +0,0 @@ -#if defined(__AVR__) -#include -/* Automatically generated - do not edit */ - - .text -.global xoodoo_permute - .type xoodoo_permute, @function -xoodoo_permute: - push r28 - push r29 - push r2 - push r3 - push r4 - push r5 - push r6 - push r7 - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - movw r30,r24 -.L__stack_usage = 16 - ldi r18,88 - mov r19,r1 - rcall 34f - ldi r18,56 - rcall 34f - ldi r18,192 - ldi r19,3 - rcall 34f - ldi r18,208 - mov r19,r1 - rcall 34f - ldi r18,32 - ldi r19,1 - rcall 34f - ldi r18,20 - mov r19,r1 - rcall 34f - ldi r18,96 - rcall 34f - ldi r18,44 - rcall 34f - ldi r18,128 - ldi r19,3 - rcall 34f - ldi r18,240 - mov r19,r1 - rcall 34f - ldi r18,160 - ldi r19,1 - rcall 34f - ldi r18,18 - mov r19,r1 - rcall 34f - rjmp 888f -34: - ldd r6,Z+12 - ldd r7,Z+13 - ldd r8,Z+14 - ldd r9,Z+15 - ldd r0,Z+28 - eor r6,r0 - ldd r0,Z+29 - eor r7,r0 - ldd r0,Z+30 - eor r8,r0 - ldd r0,Z+31 - eor r9,r0 - ldd r0,Z+44 - eor r6,r0 - ldd r0,Z+45 - eor r7,r0 - ldd r0,Z+46 - eor r8,r0 - ldd r0,Z+47 - eor r9,r0 - ld r20,Z - ldd r21,Z+1 - ldd r22,Z+2 - ldd r23,Z+3 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r28,Z+18 - ldd r29,Z+19 - ldd r2,Z+32 - ldd r3,Z+33 - ldd r4,Z+34 - ldd r5,Z+35 - movw r10,r20 - movw r12,r22 - eor r10,r26 - eor r11,r27 - eor r12,r28 - eor r13,r29 - eor r10,r2 - eor r11,r3 - eor r12,r4 - eor r13,r5 - movw r14,r6 - movw r24,r8 - mov r0,r1 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r0 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r0 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r0 - or r9,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r0 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r0 - or r25,r0 - eor r9,r24 - eor r6,r25 - eor r7,r14 - eor r8,r15 - movw r14,r10 - movw r24,r12 - mov r0,r1 - lsr r13 - ror r12 - ror r11 - ror r10 - ror r0 - lsr r13 - ror r12 - ror r11 - ror r10 - ror r0 - lsr r13 - ror r12 - ror r11 - ror r10 - ror r0 - or r13,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r15 - ror 
r14 - ror r0 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r0 - or r25,r0 - eor r13,r24 - eor r10,r25 - eor r11,r14 - eor r12,r15 - eor r20,r9 - eor r21,r6 - eor r22,r7 - eor r23,r8 - eor r26,r9 - eor r27,r6 - eor r28,r7 - eor r29,r8 - eor r2,r9 - eor r3,r6 - eor r4,r7 - eor r5,r8 - st Z,r20 - std Z+1,r21 - std Z+2,r22 - std Z+3,r23 - std Z+16,r26 - std Z+17,r27 - std Z+18,r28 - std Z+19,r29 - std Z+32,r2 - std Z+33,r3 - std Z+34,r4 - std Z+35,r5 - ldd r20,Z+4 - ldd r21,Z+5 - ldd r22,Z+6 - ldd r23,Z+7 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r28,Z+22 - ldd r29,Z+23 - ldd r2,Z+36 - ldd r3,Z+37 - ldd r4,Z+38 - ldd r5,Z+39 - movw r6,r20 - movw r8,r22 - eor r6,r26 - eor r7,r27 - eor r8,r28 - eor r9,r29 - eor r6,r2 - eor r7,r3 - eor r8,r4 - eor r9,r5 - movw r14,r6 - movw r24,r8 - mov r0,r1 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r0 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r0 - lsr r9 - ror r8 - ror r7 - ror r6 - ror r0 - or r9,r0 - mov r0,r1 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r0 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r0 - or r25,r0 - eor r9,r24 - eor r6,r25 - eor r7,r14 - eor r8,r15 - eor r20,r13 - eor r21,r10 - eor r22,r11 - eor r23,r12 - eor r26,r13 - eor r27,r10 - eor r28,r11 - eor r29,r12 - eor r2,r13 - eor r3,r10 - eor r4,r11 - eor r5,r12 - std Z+4,r20 - std Z+5,r21 - std Z+6,r22 - std Z+7,r23 - std Z+20,r26 - std Z+21,r27 - std Z+22,r28 - std Z+23,r29 - std Z+36,r2 - std Z+37,r3 - std Z+38,r4 - std Z+39,r5 - ldd r20,Z+8 - ldd r21,Z+9 - ldd r22,Z+10 - ldd r23,Z+11 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r28,Z+26 - ldd r29,Z+27 - ldd r2,Z+40 - ldd r3,Z+41 - ldd r4,Z+42 - ldd r5,Z+43 - movw r10,r20 - movw r12,r22 - eor r10,r26 - eor r11,r27 - eor r12,r28 - eor r13,r29 - eor r10,r2 - eor r11,r3 - eor r12,r4 - eor r13,r5 - movw r14,r10 - movw r24,r12 - mov r0,r1 - lsr r13 - ror r12 - ror r11 - ror r10 - ror r0 - lsr r13 - ror r12 - ror r11 - ror r10 - ror r0 - lsr r13 - ror r12 - ror r11 - ror r10 - ror r0 - or r13,r0 - mov r0,r1 - lsr r25 - ror r24 - ror 
r15 - ror r14 - ror r0 - lsr r25 - ror r24 - ror r15 - ror r14 - ror r0 - or r25,r0 - eor r13,r24 - eor r10,r25 - eor r11,r14 - eor r12,r15 - eor r20,r9 - eor r21,r6 - eor r22,r7 - eor r23,r8 - eor r26,r9 - eor r27,r6 - eor r28,r7 - eor r29,r8 - eor r2,r9 - eor r3,r6 - eor r4,r7 - eor r5,r8 - std Z+8,r20 - std Z+9,r21 - std Z+10,r22 - std Z+11,r23 - std Z+24,r26 - std Z+25,r27 - std Z+26,r28 - std Z+27,r29 - std Z+40,r2 - std Z+41,r3 - std Z+42,r4 - std Z+43,r5 - ldd r0,Z+12 - eor r0,r13 - std Z+12,r0 - ldd r0,Z+13 - eor r0,r10 - std Z+13,r0 - ldd r0,Z+14 - eor r0,r11 - std Z+14,r0 - ldd r0,Z+15 - eor r0,r12 - std Z+15,r0 - ldd r6,Z+28 - ldd r7,Z+29 - ldd r8,Z+30 - ldd r9,Z+31 - eor r6,r13 - eor r7,r10 - eor r8,r11 - eor r9,r12 - ldd r14,Z+44 - ldd r15,Z+45 - ldd r24,Z+46 - ldd r25,Z+47 - eor r14,r13 - eor r15,r10 - eor r24,r11 - eor r25,r12 - ldd r10,Z+24 - ldd r11,Z+25 - ldd r12,Z+26 - ldd r13,Z+27 - std Z+28,r10 - std Z+29,r11 - std Z+30,r12 - std Z+31,r13 - ldd r10,Z+20 - ldd r11,Z+21 - ldd r12,Z+22 - ldd r13,Z+23 - std Z+24,r10 - std Z+25,r11 - std Z+26,r12 - std Z+27,r13 - ldd r10,Z+16 - ldd r11,Z+17 - ldd r12,Z+18 - ldd r13,Z+19 - std Z+20,r10 - std Z+21,r11 - std Z+22,r12 - std Z+23,r13 - std Z+16,r6 - std Z+17,r7 - std Z+18,r8 - std Z+19,r9 - ldd r6,Z+32 - ldd r7,Z+33 - ldd r8,Z+34 - ldd r9,Z+35 - mov r0,r9 - mov r9,r8 - mov r8,r7 - mov r7,r6 - mov r6,r0 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+32,r6 - std Z+33,r7 - std Z+34,r8 - std Z+35,r9 - ldd r6,Z+36 - ldd r7,Z+37 - ldd r8,Z+38 - ldd r9,Z+39 - mov r0,r9 - mov r9,r8 - mov r8,r7 - mov r7,r6 - mov r6,r0 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+36,r6 - std Z+37,r7 - std Z+38,r8 - std Z+39,r9 - ldd r6,Z+40 - ldd r7,Z+41 - ldd r8,Z+42 - ldd r9,Z+43 - mov r0,r9 - mov r9,r8 - mov r8,r7 - mov 
r7,r6 - mov r6,r0 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+40,r6 - std Z+41,r7 - std Z+42,r8 - std Z+43,r9 - mov r0,r25 - mov r25,r24 - mov r24,r15 - mov r15,r14 - mov r14,r0 - lsl r14 - rol r15 - rol r24 - rol r25 - adc r14,r1 - lsl r14 - rol r15 - rol r24 - rol r25 - adc r14,r1 - lsl r14 - rol r15 - rol r24 - rol r25 - adc r14,r1 - std Z+44,r14 - std Z+45,r15 - std Z+46,r24 - std Z+47,r25 - ld r20,Z - ldd r21,Z+1 - ldd r22,Z+2 - ldd r23,Z+3 - eor r20,r18 - eor r21,r19 - ldd r26,Z+16 - ldd r27,Z+17 - ldd r28,Z+18 - ldd r29,Z+19 - ldd r2,Z+32 - ldd r3,Z+33 - ldd r4,Z+34 - ldd r5,Z+35 - movw r6,r2 - movw r8,r4 - mov r0,r26 - com r0 - and r6,r0 - mov r0,r27 - com r0 - and r7,r0 - mov r0,r28 - com r0 - and r8,r0 - mov r0,r29 - com r0 - and r9,r0 - eor r20,r6 - eor r21,r7 - eor r22,r8 - eor r23,r9 - st Z,r20 - std Z+1,r21 - std Z+2,r22 - std Z+3,r23 - movw r6,r20 - movw r8,r22 - mov r0,r2 - com r0 - and r6,r0 - mov r0,r3 - com r0 - and r7,r0 - mov r0,r4 - com r0 - and r8,r0 - mov r0,r5 - com r0 - and r9,r0 - eor r26,r6 - eor r27,r7 - eor r28,r8 - eor r29,r9 - std Z+16,r26 - std Z+17,r27 - std Z+18,r28 - std Z+19,r29 - mov r0,r20 - com r0 - and r26,r0 - mov r0,r21 - com r0 - and r27,r0 - mov r0,r22 - com r0 - and r28,r0 - mov r0,r23 - com r0 - and r29,r0 - eor r2,r26 - eor r3,r27 - eor r4,r28 - eor r5,r29 - std Z+32,r2 - std Z+33,r3 - std Z+34,r4 - std Z+35,r5 - ldd r20,Z+4 - ldd r21,Z+5 - ldd r22,Z+6 - ldd r23,Z+7 - ldd r26,Z+20 - ldd r27,Z+21 - ldd r28,Z+22 - ldd r29,Z+23 - ldd r2,Z+36 - ldd r3,Z+37 - ldd r4,Z+38 - ldd r5,Z+39 - movw r6,r2 - movw r8,r4 - mov r0,r26 - com r0 - and r6,r0 - mov r0,r27 - com r0 - and r7,r0 - mov r0,r28 - com r0 - and r8,r0 - mov r0,r29 - com r0 - and r9,r0 - eor r20,r6 - eor r21,r7 - eor r22,r8 - eor r23,r9 - std Z+4,r20 - std Z+5,r21 - std Z+6,r22 - std Z+7,r23 - movw r6,r20 - movw r8,r22 - mov r0,r2 - com r0 - and r6,r0 - mov 
r0,r3 - com r0 - and r7,r0 - mov r0,r4 - com r0 - and r8,r0 - mov r0,r5 - com r0 - and r9,r0 - eor r26,r6 - eor r27,r7 - eor r28,r8 - eor r29,r9 - std Z+20,r26 - std Z+21,r27 - std Z+22,r28 - std Z+23,r29 - mov r0,r20 - com r0 - and r26,r0 - mov r0,r21 - com r0 - and r27,r0 - mov r0,r22 - com r0 - and r28,r0 - mov r0,r23 - com r0 - and r29,r0 - eor r2,r26 - eor r3,r27 - eor r4,r28 - eor r5,r29 - std Z+36,r2 - std Z+37,r3 - std Z+38,r4 - std Z+39,r5 - ldd r20,Z+8 - ldd r21,Z+9 - ldd r22,Z+10 - ldd r23,Z+11 - ldd r26,Z+24 - ldd r27,Z+25 - ldd r28,Z+26 - ldd r29,Z+27 - ldd r2,Z+40 - ldd r3,Z+41 - ldd r4,Z+42 - ldd r5,Z+43 - movw r6,r2 - movw r8,r4 - mov r0,r26 - com r0 - and r6,r0 - mov r0,r27 - com r0 - and r7,r0 - mov r0,r28 - com r0 - and r8,r0 - mov r0,r29 - com r0 - and r9,r0 - eor r20,r6 - eor r21,r7 - eor r22,r8 - eor r23,r9 - std Z+8,r20 - std Z+9,r21 - std Z+10,r22 - std Z+11,r23 - movw r6,r20 - movw r8,r22 - mov r0,r2 - com r0 - and r6,r0 - mov r0,r3 - com r0 - and r7,r0 - mov r0,r4 - com r0 - and r8,r0 - mov r0,r5 - com r0 - and r9,r0 - eor r26,r6 - eor r27,r7 - eor r28,r8 - eor r29,r9 - std Z+24,r26 - std Z+25,r27 - std Z+26,r28 - std Z+27,r29 - mov r0,r20 - com r0 - and r26,r0 - mov r0,r21 - com r0 - and r27,r0 - mov r0,r22 - com r0 - and r28,r0 - mov r0,r23 - com r0 - and r29,r0 - eor r2,r26 - eor r3,r27 - eor r4,r28 - eor r5,r29 - std Z+40,r2 - std Z+41,r3 - std Z+42,r4 - std Z+43,r5 - ldd r20,Z+12 - ldd r21,Z+13 - ldd r22,Z+14 - ldd r23,Z+15 - ldd r26,Z+28 - ldd r27,Z+29 - ldd r28,Z+30 - ldd r29,Z+31 - ldd r2,Z+44 - ldd r3,Z+45 - ldd r4,Z+46 - ldd r5,Z+47 - movw r6,r2 - movw r8,r4 - mov r0,r26 - com r0 - and r6,r0 - mov r0,r27 - com r0 - and r7,r0 - mov r0,r28 - com r0 - and r8,r0 - mov r0,r29 - com r0 - and r9,r0 - eor r20,r6 - eor r21,r7 - eor r22,r8 - eor r23,r9 - std Z+12,r20 - std Z+13,r21 - std Z+14,r22 - std Z+15,r23 - movw r6,r20 - movw r8,r22 - mov r0,r2 - com r0 - and r6,r0 - mov r0,r3 - com r0 - and r7,r0 - mov r0,r4 - com r0 - and r8,r0 - 
mov r0,r5 - com r0 - and r9,r0 - eor r26,r6 - eor r27,r7 - eor r28,r8 - eor r29,r9 - std Z+28,r26 - std Z+29,r27 - std Z+30,r28 - std Z+31,r29 - mov r0,r20 - com r0 - and r26,r0 - mov r0,r21 - com r0 - and r27,r0 - mov r0,r22 - com r0 - and r28,r0 - mov r0,r23 - com r0 - and r29,r0 - eor r2,r26 - eor r3,r27 - eor r4,r28 - eor r5,r29 - std Z+44,r2 - std Z+45,r3 - std Z+46,r4 - std Z+47,r5 - ldd r6,Z+16 - ldd r7,Z+17 - ldd r8,Z+18 - ldd r9,Z+19 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+16,r6 - std Z+17,r7 - std Z+18,r8 - std Z+19,r9 - ldd r6,Z+20 - ldd r7,Z+21 - ldd r8,Z+22 - ldd r9,Z+23 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+20,r6 - std Z+21,r7 - std Z+22,r8 - std Z+23,r9 - ldd r6,Z+24 - ldd r7,Z+25 - ldd r8,Z+26 - ldd r9,Z+27 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+24,r6 - std Z+25,r7 - std Z+26,r8 - std Z+27,r9 - ldd r6,Z+28 - ldd r7,Z+29 - ldd r8,Z+30 - ldd r9,Z+31 - lsl r6 - rol r7 - rol r8 - rol r9 - adc r6,r1 - std Z+28,r6 - std Z+29,r7 - std Z+30,r8 - std Z+31,r9 - ldd r6,Z+40 - ldd r7,Z+41 - ldd r8,Z+42 - ldd r9,Z+43 - ldd r10,Z+44 - ldd r11,Z+45 - ldd r12,Z+46 - ldd r13,Z+47 - ldd r14,Z+32 - ldd r15,Z+33 - ldd r24,Z+34 - ldd r25,Z+35 - std Z+40,r25 - std Z+41,r14 - std Z+42,r15 - std Z+43,r24 - ldd r14,Z+36 - ldd r15,Z+37 - ldd r24,Z+38 - ldd r25,Z+39 - std Z+44,r25 - std Z+45,r14 - std Z+46,r15 - std Z+47,r24 - std Z+32,r9 - std Z+33,r6 - std Z+34,r7 - std Z+35,r8 - std Z+36,r13 - std Z+37,r10 - std Z+38,r11 - std Z+39,r12 - ret -888: - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - pop r7 - pop r6 - pop r5 - pop r4 - pop r3 - pop r2 - pop r29 - pop r28 - ret - .size xoodoo_permute, .-xoodoo_permute - -#endif diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/internal-xoodoo.c b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/internal-xoodoo.c deleted file mode 100644 index 59bb8bf..0000000 
--- a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/internal-xoodoo.c +++ /dev/null 
@@ -1,166 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#include "internal-xoodoo.h" - -#if !defined(__AVR__) - -void xoodoo_permute(xoodoo_state_t *state) -{ - static uint16_t const rc[XOODOO_ROUNDS] = { - 0x0058, 0x0038, 0x03C0, 0x00D0, 0x0120, 0x0014, - 0x0060, 0x002C, 0x0380, 0x00F0, 0x01A0, 0x0012 - }; - uint8_t round; - uint32_t x00, x01, x02, x03; - uint32_t x10, x11, x12, x13; - uint32_t x20, x21, x22, x23; - uint32_t t1, t2; - - /* Load the state and convert from little-endian byte order */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - x00 = state->S[0][0]; - x01 = state->S[0][1]; - x02 = state->S[0][2]; - x03 = state->S[0][3]; - x10 = state->S[1][0]; - x11 = state->S[1][1]; - x12 = state->S[1][2]; - x13 = state->S[1][3]; - x20 = state->S[2][0]; - x21 = state->S[2][1]; - x22 = state->S[2][2]; - x23 = state->S[2][3]; -#else - x00 = le_load_word32(state->B); - x01 = le_load_word32(state->B + 4); - x02 = le_load_word32(state->B + 8); - x03 = le_load_word32(state->B + 12); - x10 = le_load_word32(state->B + 16); - x11 = le_load_word32(state->B + 20); - x12 = le_load_word32(state->B + 24); - x13 = le_load_word32(state->B + 28); - x20 = le_load_word32(state->B + 32); - x21 = le_load_word32(state->B + 36); - x22 = le_load_word32(state->B + 40); - x23 = le_load_word32(state->B + 44); -#endif - - /* Perform all permutation rounds */ - for (round = 0; round < XOODOO_ROUNDS; ++round) { - /* Optimization ideas from the Xoodoo implementation here: - * https://github.com/XKCP/XKCP/tree/master/lib/low/Xoodoo/Optimized */ - - /* Step theta: Mix column parity */ - t1 = x03 ^ x13 ^ x23; - t2 = x00 ^ x10 ^ x20; - t1 = leftRotate5(t1) ^ leftRotate14(t1); - t2 = leftRotate5(t2) ^ leftRotate14(t2); - x00 ^= t1; - x10 ^= t1; - x20 ^= t1; - t1 = x01 ^ x11 ^ x21; - t1 = leftRotate5(t1) ^ leftRotate14(t1); - x01 ^= t2; - x11 ^= t2; - x21 ^= t2; - t2 = x02 ^ x12 ^ x22; - t2 = leftRotate5(t2) ^ leftRotate14(t2); - x02 ^= t1; - x12 ^= t1; - x22 ^= t1; - x03 ^= t2; - x13 ^= t2; - x23 ^= t2; - - /* Step rho-west: Plane shift */ - t1 = x13; - 
x13 = x12; - x12 = x11; - x11 = x10; - x10 = t1; - x20 = leftRotate11(x20); - x21 = leftRotate11(x21); - x22 = leftRotate11(x22); - x23 = leftRotate11(x23); - - /* Step iota: Add the round constant to the state */ - x00 ^= rc[round]; - - /* Step chi: Non-linear layer */ - x00 ^= (~x10) & x20; - x10 ^= (~x20) & x00; - x20 ^= (~x00) & x10; - x01 ^= (~x11) & x21; - x11 ^= (~x21) & x01; - x21 ^= (~x01) & x11; - x02 ^= (~x12) & x22; - x12 ^= (~x22) & x02; - x22 ^= (~x02) & x12; - x03 ^= (~x13) & x23; - x13 ^= (~x23) & x03; - x23 ^= (~x03) & x13; - - /* Step rho-east: Plane shift */ - x10 = leftRotate1(x10); - x11 = leftRotate1(x11); - x12 = leftRotate1(x12); - x13 = leftRotate1(x13); - t1 = leftRotate8(x22); - t2 = leftRotate8(x23); - x22 = leftRotate8(x20); - x23 = leftRotate8(x21); - x20 = t1; - x21 = t2; - } - - /* Convert back into little-endian and store to the output state */ -#if defined(LW_UTIL_LITTLE_ENDIAN) - state->S[0][0] = x00; - state->S[0][1] = x01; - state->S[0][2] = x02; - state->S[0][3] = x03; - state->S[1][0] = x10; - state->S[1][1] = x11; - state->S[1][2] = x12; - state->S[1][3] = x13; - state->S[2][0] = x20; - state->S[2][1] = x21; - state->S[2][2] = x22; - state->S[2][3] = x23; -#else - le_store_word32(state->B, x00); - le_store_word32(state->B + 4, x01); - le_store_word32(state->B + 8, x02); - le_store_word32(state->B + 12, x03); - le_store_word32(state->B + 16, x10); - le_store_word32(state->B + 20, x11); - le_store_word32(state->B + 24, x12); - le_store_word32(state->B + 28, x13); - le_store_word32(state->B + 32, x20); - le_store_word32(state->B + 36, x21); - le_store_word32(state->B + 40, x22); - le_store_word32(state->B + 44, x23); -#endif -} - -#endif /* !__AVR__ */ diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/internal-xoodoo.h b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/internal-xoodoo.h deleted file mode 100644 index f6eddd8..0000000 
--- a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/internal-xoodoo.h +++ /dev/null 
@@ -1,80 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LW_INTERNAL_XOODOO_H -#define LW_INTERNAL_XOODOO_H - -#include "internal-util.h" - -/** - * \file internal-xoodoo.h - * \brief Internal implementation of the Xoodoo permutation. - * - * References: https://keccak.team/xoodyak.html - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Number of rows in the Xoodoo state. - */ -#define XOODOO_ROWS 3 - -/** - * \brief Number of columns in the Xoodoo state. - */ -#define XOODOO_COLS 4 - -/** - * \brief Number of rounds for the Xoodoo permutation. - */ -#define XOODOO_ROUNDS 12 - -/** - * \brief State information for the Xoodoo permutation. 
- */ -typedef union -{ - /** Words of the state */ - uint32_t S[XOODOO_ROWS][XOODOO_COLS]; - - /** Bytes of the state */ - uint8_t B[XOODOO_ROWS * XOODOO_COLS * sizeof(uint32_t)]; - -} xoodoo_state_t; - -/** - * \brief Permutes the Xoodoo state. - * - * \param state The Xoodoo state. - * - * The state will be in little-endian before and after the operation. - */ -void xoodoo_permute(xoodoo_state_t *state); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/xoodyak.c b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/xoodyak.c deleted file mode 100644 index 4ad4fce..0000000 --- a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/xoodyak.c +++ /dev/null 
@@ -1,321 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#include "xoodyak.h" -#include "internal-xoodoo.h" -#include - -aead_cipher_t const xoodyak_cipher = { - "Xoodyak", - XOODYAK_KEY_SIZE, - XOODYAK_NONCE_SIZE, - XOODYAK_TAG_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - xoodyak_aead_encrypt, - xoodyak_aead_decrypt -}; - -aead_hash_algorithm_t const xoodyak_hash_algorithm = { - "Xoodyak-Hash", - sizeof(xoodyak_hash_state_t), - XOODYAK_HASH_SIZE, - AEAD_FLAG_LITTLE_ENDIAN, - xoodyak_hash, - (aead_hash_init_t)xoodyak_hash_init, - (aead_hash_update_t)xoodyak_hash_absorb, - (aead_hash_finalize_t)xoodyak_hash_finalize, - (aead_xof_absorb_t)xoodyak_hash_absorb, - (aead_xof_squeeze_t)xoodyak_hash_squeeze -}; - -/** - * \brief Rate for absorbing data into the sponge state. - */ -#define XOODYAK_ABSORB_RATE 44 - -/** - * \brief Rate for squeezing data out of the sponge. 
- */ -#define XOODYAK_SQUEEZE_RATE 24 - -/** - * \brief Rate for absorbing and squeezing in hashing mode. - */ -#define XOODYAK_HASH_RATE 16 - -/** - * \brief Phase identifier for "up" mode, which indicates that a block - * permutation has just been performed. - */ -#define XOODYAK_PHASE_UP 0 - -/** - * \brief Phase identifier for "down" mode, which indicates that data has - * been absorbed but that a block permutation has not been done yet. - */ -#define XOODYAK_PHASE_DOWN 1 - -/** - * \brief Absorbs data into the Xoodoo permutation state. - * - * \param state Xoodoo permutation state. - * \param phase Points to the current phase, up or down. - * \param data Points to the data to be absorbed. - * \param len Length of the data to be absorbed. - */ -static void xoodyak_absorb - (xoodoo_state_t *state, uint8_t *phase, - const unsigned char *data, unsigned long long len) -{ - uint8_t domain = 0x03; - unsigned temp; - while (len > XOODYAK_ABSORB_RATE) { - if (*phase != XOODYAK_PHASE_UP) - xoodoo_permute(state); - lw_xor_block(state->B, data, XOODYAK_ABSORB_RATE); - state->B[XOODYAK_ABSORB_RATE] ^= 0x01; /* Padding */ - state->B[sizeof(state->B) - 1] ^= domain; - data += XOODYAK_ABSORB_RATE; - len -= XOODYAK_ABSORB_RATE; - domain = 0x00; - *phase = XOODYAK_PHASE_DOWN; - } - temp = (unsigned)len; - if (*phase != XOODYAK_PHASE_UP) - xoodoo_permute(state); - lw_xor_block(state->B, data, temp); - state->B[temp] ^= 0x01; /* Padding */ - state->B[sizeof(state->B) - 1] ^= domain; - *phase = XOODYAK_PHASE_DOWN; -} - -int xoodyak_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) -{ - xoodoo_state_t state; - uint8_t phase, domain; - unsigned temp; - (void)nsec; - - /* Set the length of the returned ciphertext */ - *clen = mlen + XOODYAK_TAG_SIZE; - - /* Initialize the state with the 
key */ - memcpy(state.B, k, XOODYAK_KEY_SIZE); - memset(state.B + XOODYAK_KEY_SIZE, 0, sizeof(state.B) - XOODYAK_KEY_SIZE); - state.B[XOODYAK_KEY_SIZE + 1] = 0x01; /* Padding */ - state.B[sizeof(state.B) - 1] = 0x02; /* Domain separation */ - phase = XOODYAK_PHASE_DOWN; - - /* Absorb the nonce and associated data */ - xoodyak_absorb(&state, &phase, npub, XOODYAK_NONCE_SIZE); - xoodyak_absorb(&state, &phase, ad, adlen); - - /* Encrypt the plaintext to produce the ciphertext */ - domain = 0x80; - while (mlen > XOODYAK_SQUEEZE_RATE) { - state.B[sizeof(state.B) - 1] ^= domain; - xoodoo_permute(&state); - lw_xor_block_2_dest(c, state.B, m, XOODYAK_SQUEEZE_RATE); - state.B[XOODYAK_SQUEEZE_RATE] ^= 0x01; /* Padding */ - c += XOODYAK_SQUEEZE_RATE; - m += XOODYAK_SQUEEZE_RATE; - mlen -= XOODYAK_SQUEEZE_RATE; - domain = 0; - } - state.B[sizeof(state.B) - 1] ^= domain; - xoodoo_permute(&state); - temp = (unsigned)mlen; - lw_xor_block_2_dest(c, state.B, m, temp); - state.B[temp] ^= 0x01; /* Padding */ - c += temp; - - /* Generate the authentication tag */ - state.B[sizeof(state.B) - 1] ^= 0x40; /* Domain separation */ - xoodoo_permute(&state); - memcpy(c, state.B, XOODYAK_TAG_SIZE); - return 0; -} - -int xoodyak_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) -{ - xoodoo_state_t state; - uint8_t phase, domain; - unsigned temp; - unsigned char *mtemp = m; - (void)nsec; - - /* Validate the ciphertext length and set the return "mlen" value */ - if (clen < XOODYAK_TAG_SIZE) - return -1; - *mlen = clen - XOODYAK_TAG_SIZE; - - /* Initialize the state with the key */ - memcpy(state.B, k, XOODYAK_KEY_SIZE); - memset(state.B + XOODYAK_KEY_SIZE, 0, sizeof(state.B) - XOODYAK_KEY_SIZE); - state.B[XOODYAK_KEY_SIZE + 1] = 0x01; /* Padding */ - state.B[sizeof(state.B) - 1] = 0x02; /* Domain separation 
*/ - phase = XOODYAK_PHASE_DOWN; - - /* Absorb the nonce and associated data */ - xoodyak_absorb(&state, &phase, npub, XOODYAK_NONCE_SIZE); - xoodyak_absorb(&state, &phase, ad, adlen); - - /* Decrypt the ciphertext to produce the plaintext */ - domain = 0x80; - clen -= XOODYAK_TAG_SIZE; - while (clen > XOODYAK_SQUEEZE_RATE) { - state.B[sizeof(state.B) - 1] ^= domain; - xoodoo_permute(&state); - lw_xor_block_swap(m, state.B, c, XOODYAK_SQUEEZE_RATE); - state.B[XOODYAK_SQUEEZE_RATE] ^= 0x01; /* Padding */ - c += XOODYAK_SQUEEZE_RATE; - m += XOODYAK_SQUEEZE_RATE; - clen -= XOODYAK_SQUEEZE_RATE; - domain = 0; - } - state.B[sizeof(state.B) - 1] ^= domain; - xoodoo_permute(&state); - temp = (unsigned)clen; - lw_xor_block_swap(m, state.B, c, temp); - state.B[temp] ^= 0x01; /* Padding */ - c += temp; - - /* Check the authentication tag */ - state.B[sizeof(state.B) - 1] ^= 0x40; /* Domain separation */ - xoodoo_permute(&state); - return aead_check_tag(mtemp, *mlen, state.B, c, XOODYAK_TAG_SIZE); -} - -int xoodyak_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen) -{ - xoodyak_hash_state_t state; - xoodyak_hash_init(&state); - xoodyak_hash_absorb(&state, in, inlen); - xoodyak_hash_squeeze(&state, out, XOODYAK_HASH_SIZE); - return 0; -} - -#define XOODYAK_HASH_MODE_INIT_ABSORB 0 -#define XOODYAK_HASH_MODE_ABSORB 1 -#define XOODYAK_HASH_MODE_SQUEEZE 2 - -#define xoodoo_hash_permute(state) \ - xoodoo_permute((xoodoo_state_t *)((state)->s.state)) - -void xoodyak_hash_init(xoodyak_hash_state_t *state) -{ - memset(state, 0, sizeof(xoodyak_hash_state_t)); - state->s.mode = XOODYAK_HASH_MODE_INIT_ABSORB; -} - -void xoodyak_hash_absorb - (xoodyak_hash_state_t *state, const unsigned char *in, - unsigned long long inlen) -{ - uint8_t domain; - unsigned temp; - - /* If we were squeezing, then restart the absorb phase */ - if (state->s.mode == XOODYAK_HASH_MODE_SQUEEZE) { - xoodoo_hash_permute(state); - state->s.mode = XOODYAK_HASH_MODE_INIT_ABSORB; - 
state->s.count = 0; - } - - /* The first block needs a different domain separator to the others */ - domain = (state->s.mode == XOODYAK_HASH_MODE_INIT_ABSORB) ? 0x01 : 0x00; - - /* Absorb the input data into the state */ - while (inlen > 0) { - if (state->s.count >= XOODYAK_HASH_RATE) { - state->s.state[XOODYAK_HASH_RATE] ^= 0x01; /* Padding */ - state->s.state[sizeof(state->s.state) - 1] ^= domain; - xoodoo_hash_permute(state); - state->s.mode = XOODYAK_HASH_MODE_ABSORB; - state->s.count = 0; - domain = 0x00; - } - temp = XOODYAK_HASH_RATE - state->s.count; - if (temp > inlen) - temp = (unsigned)inlen; - lw_xor_block(state->s.state + state->s.count, in, temp); - state->s.count += temp; - in += temp; - inlen -= temp; - } -} - -void xoodyak_hash_squeeze - (xoodyak_hash_state_t *state, unsigned char *out, - unsigned long long outlen) -{ - uint8_t domain; - unsigned temp; - - /* If we were absorbing, then terminate the absorb phase */ - if (state->s.mode != XOODYAK_HASH_MODE_SQUEEZE) { - domain = (state->s.mode == XOODYAK_HASH_MODE_INIT_ABSORB) ? 
0x01 : 0x00; - state->s.state[state->s.count] ^= 0x01; /* Padding */ - state->s.state[sizeof(state->s.state) - 1] ^= domain; - xoodoo_hash_permute(state); - state->s.mode = XOODYAK_HASH_MODE_SQUEEZE; - state->s.count = 0; - } - - /* Squeeze data out of the state */ - while (outlen > 0) { - if (state->s.count >= XOODYAK_HASH_RATE) { - /* Padding is always at index 0 for squeezing subsequent - * blocks because the number of bytes we have absorbed - * since the previous block was squeezed out is zero */ - state->s.state[0] ^= 0x01; - xoodoo_hash_permute(state); - state->s.count = 0; - } - temp = XOODYAK_HASH_RATE - state->s.count; - if (temp > outlen) - temp = (unsigned)outlen; - memcpy(out, state->s.state + state->s.count, temp); - state->s.count += temp; - out += temp; - outlen -= temp; - } -} - -void xoodyak_hash_finalize - (xoodyak_hash_state_t *state, unsigned char *out) -{ - xoodyak_hash_squeeze(state, out, XOODYAK_HASH_SIZE); -} diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/xoodyak.h b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/xoodyak.h deleted file mode 100644 index f4777d5..0000000 --- a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/xoodyak.h +++ /dev/null 
@@ -1,226 +0,0 @@ -/* - * Copyright (C) 2020 Southern Storm Software, Pty Ltd. - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. - */ - -#ifndef LWCRYPTO_XOODYAK_H -#define LWCRYPTO_XOODYAK_H - -#include "aead-common.h" - -/** - * \file xoodyak.h - * \brief Xoodyak authenticated encryption algorithm. - * - * Xoodyak is an authenticated encryption and hash algorithm pair based - * around the 384-bit Xoodoo permutation that is similar in structure to - * Keccak but is more efficient than Keccak on 32-bit embedded devices. - * The Cyclist mode of operation is used to convert the permutation - * into a sponge for the higher-level algorithms. - * - * The Xoodyak encryption mode has a 128-bit key, a 128-bit nonce, - * and a 128-bit authentication tag. The Xoodyak hashing mode has a - * 256-bit fixed hash output and can also be used as an extensible - * output function (XOF). 
- * - * The Xoodyak specification describes a re-keying mechanism where the - * key for one packet is used to derive the key to use on the next packet. - * This provides some resistance against side channel attacks by making - * the session key a moving target. This library does not currently - * implement re-keying. - * - * References: https://keccak.team/xoodyak.html - */ - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * \brief Size of the key for Xoodyak. - */ -#define XOODYAK_KEY_SIZE 16 - -/** - * \brief Size of the authentication tag for Xoodyak. - */ -#define XOODYAK_TAG_SIZE 16 - -/** - * \brief Size of the nonce for Xoodyak. - */ -#define XOODYAK_NONCE_SIZE 16 - -/** - * \brief Size of the hash output for Xoodyak. - */ -#define XOODYAK_HASH_SIZE 32 - -/** - * \brief State information for Xoodyak incremental hashing modes. - */ -typedef union -{ - struct { - unsigned char state[48]; /**< Current hash state */ - unsigned char count; /**< Number of bytes in the current block */ - unsigned char mode; /**< Hash mode: absorb or squeeze */ - } s; /**< State */ - unsigned long long align; /**< For alignment of this structure */ - -} xoodyak_hash_state_t; - -/** - * \brief Meta-information block for the Xoodyak cipher. - */ -extern aead_cipher_t const xoodyak_cipher; - -/** - * \brief Meta-information block for the Xoodyak hash algorithm. - */ -extern aead_hash_algorithm_t const xoodyak_hash_algorithm; - -/** - * \brief Encrypts and authenticates a packet with Xoodyak. - * - * \param c Buffer to receive the output. - * \param clen On exit, set to the length of the output which includes - * the ciphertext and the 16 byte authentication tag. - * \param m Buffer that contains the plaintext message to encrypt. - * \param mlen Length of the plaintext message in bytes. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. 
- * \param nsec Secret nonce - not used by this algorithm. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to encrypt the packet. - * - * \return 0 on success, or a negative value if there was an error in - * the parameters. - * - * \sa xoodyak_aead_decrypt() - */ -int xoodyak_aead_encrypt - (unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Decrypts and authenticates a packet with Xoodyak. - * - * \param m Buffer to receive the plaintext message on output. - * \param mlen Receives the length of the plaintext message on output. - * \param nsec Secret nonce - not used by this algorithm. - * \param c Buffer that contains the ciphertext and authentication - * tag to decrypt. - * \param clen Length of the input data in bytes, which includes the - * ciphertext and the 16 byte authentication tag. - * \param ad Buffer that contains associated data to authenticate - * along with the packet but which does not need to be encrypted. - * \param adlen Length of the associated data in bytes. - * \param npub Points to the public nonce for the packet which must - * be 16 bytes in length. - * \param k Points to the 16 bytes of the key to use to decrypt the packet. - * - * \return 0 on success, -1 if the authentication tag was incorrect, - * or some other negative number if there was an error in the parameters. - * - * \sa xoodyak_aead_encrypt() - */ -int xoodyak_aead_decrypt - (unsigned char *m, unsigned long long *mlen, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k); - -/** - * \brief Hashes a block of input data with Xoodyak to generate a hash value. 
- * - * \param out Buffer to receive the hash output which must be at least - * XOODYAK_HASH_SIZE bytes in length. - * \param in Points to the input data to be hashed. - * \param inlen Length of the input data in bytes. - * - * \return Returns zero on success or -1 if there was an error in the - * parameters. - */ -int xoodyak_hash - (unsigned char *out, const unsigned char *in, unsigned long long inlen); - -/** - * \brief Initializes the state for a Xoodyak hashing operation. - * - * \param state Hash state to be initialized. - * - * \sa xoodyak_hash_absorb(), xoodyak_hash_squeeze(), xoodyak_hash() - */ -void xoodyak_hash_init(xoodyak_hash_state_t *state); - -/** - * \brief Aborbs more input data into a Xoodyak hashing state. - * - * \param state Hash state to be updated. - * \param in Points to the input data to be absorbed into the state. - * \param inlen Length of the input data to be absorbed into the state. - * - * \sa xoodyak_hash_init(), xoodyak_hash_squeeze() - */ -void xoodyak_hash_absorb - (xoodyak_hash_state_t *state, const unsigned char *in, - unsigned long long inlen); - -/** - * \brief Squeezes output data from a Xoodyak hashing state. - * - * \param state Hash state to squeeze the output data from. - * \param out Points to the output buffer to receive the squeezed data. - * \param outlen Number of bytes of data to squeeze out of the state. - * - * \sa xoodyak_hash_init(), xoodyak_hash_absorb() - */ -void xoodyak_hash_squeeze - (xoodyak_hash_state_t *state, unsigned char *out, - unsigned long long outlen); - -/** - * \brief Returns the final hash value from a Xoodyak hashing operation. - * - * \param state Hash state to be finalized. - * \param out Points to the output buffer to receive the hash value. - * - * \note This is a wrapper around xoodyak_hash_squeeze() for a fixed length - * of XOODYAK_HASH_SIZE bytes. 
- *
- * \sa xoodyak_hash_init(), xoodyak_hash_absorb()
- */
-void xoodyak_hash_finalize
- (xoodyak_hash_state_t *state, unsigned char *out);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/aead-common.c b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/aead-common.c
similarity index 100%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/aead-common.c
rename to xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/aead-common.c
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/aead-common.h b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/aead-common.h
similarity index 100%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/aead-common.h
rename to xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/aead-common.h
diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/api.h b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/api.h
new file mode 100644
index 0000000..ae8c7f6
--- /dev/null
+++ b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/api.h
@@ -0,0 +1 @@
+#define CRYPTO_BYTES 32
diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/hash.c b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/hash.c
similarity index 100%
rename from xoodyak/Implementations/crypto_hash/xoodyakv1/rhys-avr/hash.c
rename to xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/hash.c
diff --git a/forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-util.h b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/internal-util.h
similarity index 100%
rename from forkae/Implementations/crypto_aead/paefforkskinnyb64t192n48v1/rhys-avr/internal-util.h
rename to xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/internal-util.h
diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/internal-xoodoo-avr.S b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/internal-xoodoo-avr.S
new file mode 100644
index 0000000..629c19d
--- /dev/null
+++ b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/internal-xoodoo-avr.S
@@ -0,0 +1,935 @@ +#if defined(__AVR__) +#include +/* Automatically generated - do not edit */ + + .text +.global xoodoo_permute + .type xoodoo_permute, @function +xoodoo_permute: + push r28 + push r29 + push r2 + push r3 + push r4 + push r5 + push r6 + push r7 + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + movw r30,r24 +.L__stack_usage = 16 + ldi r18,88 + mov r19,r1 + rcall 34f + ldi r18,56 + rcall 34f + ldi r18,192 + ldi r19,3 + rcall 34f + ldi r18,208 + mov r19,r1 + rcall 34f + ldi r18,32 + ldi r19,1 + rcall 34f + ldi r18,20 + mov r19,r1 + rcall 34f + ldi r18,96 + rcall 34f + ldi r18,44 + rcall 34f + ldi r18,128 + ldi r19,3 + rcall 34f + ldi r18,240 + mov r19,r1 + rcall 34f + ldi r18,160 + ldi r19,1 + rcall 34f + ldi r18,18 + mov r19,r1 + rcall 34f + rjmp 888f +34: + ldd r6,Z+12 + ldd r7,Z+13 + ldd r8,Z+14 + ldd r9,Z+15 + ldd r0,Z+28 + eor r6,r0 + ldd r0,Z+29 + eor r7,r0 + ldd r0,Z+30 + eor r8,r0 + ldd r0,Z+31 + eor r9,r0 + ldd r0,Z+44 + eor r6,r0 + ldd r0,Z+45 + eor r7,r0 + ldd r0,Z+46 + eor r8,r0 + ldd r0,Z+47 + eor r9,r0 + ld r20,Z + ldd r21,Z+1 + ldd r22,Z+2 + ldd r23,Z+3 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r28,Z+18 + ldd r29,Z+19 + ldd r2,Z+32 + ldd r3,Z+33 + ldd r4,Z+34 + ldd r5,Z+35 + movw r10,r20 + movw r12,r22 + eor r10,r26 + eor r11,r27 + eor r12,r28 + eor r13,r29 + eor r10,r2 + eor r11,r3 + eor r12,r4 + eor r13,r5 + movw r14,r6 + movw r24,r8 + mov r0,r1 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r0 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r0 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r0 + or r9,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r0 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r0 + or r25,r0 + eor r9,r24 + eor r6,r25 + eor r7,r14 + eor r8,r15 + movw r14,r10 + movw r24,r12 + mov r0,r1 + lsr r13 + ror r12 + ror r11 + ror r10 + ror r0 + lsr r13 + ror r12 + ror r11 + ror r10 + ror r0 + lsr r13 + ror r12 + ror r11 + ror r10 + ror r0 + or r13,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r15 + ror 
r14 + ror r0 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r0 + or r25,r0 + eor r13,r24 + eor r10,r25 + eor r11,r14 + eor r12,r15 + eor r20,r9 + eor r21,r6 + eor r22,r7 + eor r23,r8 + eor r26,r9 + eor r27,r6 + eor r28,r7 + eor r29,r8 + eor r2,r9 + eor r3,r6 + eor r4,r7 + eor r5,r8 + st Z,r20 + std Z+1,r21 + std Z+2,r22 + std Z+3,r23 + std Z+16,r26 + std Z+17,r27 + std Z+18,r28 + std Z+19,r29 + std Z+32,r2 + std Z+33,r3 + std Z+34,r4 + std Z+35,r5 + ldd r20,Z+4 + ldd r21,Z+5 + ldd r22,Z+6 + ldd r23,Z+7 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r28,Z+22 + ldd r29,Z+23 + ldd r2,Z+36 + ldd r3,Z+37 + ldd r4,Z+38 + ldd r5,Z+39 + movw r6,r20 + movw r8,r22 + eor r6,r26 + eor r7,r27 + eor r8,r28 + eor r9,r29 + eor r6,r2 + eor r7,r3 + eor r8,r4 + eor r9,r5 + movw r14,r6 + movw r24,r8 + mov r0,r1 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r0 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r0 + lsr r9 + ror r8 + ror r7 + ror r6 + ror r0 + or r9,r0 + mov r0,r1 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r0 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r0 + or r25,r0 + eor r9,r24 + eor r6,r25 + eor r7,r14 + eor r8,r15 + eor r20,r13 + eor r21,r10 + eor r22,r11 + eor r23,r12 + eor r26,r13 + eor r27,r10 + eor r28,r11 + eor r29,r12 + eor r2,r13 + eor r3,r10 + eor r4,r11 + eor r5,r12 + std Z+4,r20 + std Z+5,r21 + std Z+6,r22 + std Z+7,r23 + std Z+20,r26 + std Z+21,r27 + std Z+22,r28 + std Z+23,r29 + std Z+36,r2 + std Z+37,r3 + std Z+38,r4 + std Z+39,r5 + ldd r20,Z+8 + ldd r21,Z+9 + ldd r22,Z+10 + ldd r23,Z+11 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r28,Z+26 + ldd r29,Z+27 + ldd r2,Z+40 + ldd r3,Z+41 + ldd r4,Z+42 + ldd r5,Z+43 + movw r10,r20 + movw r12,r22 + eor r10,r26 + eor r11,r27 + eor r12,r28 + eor r13,r29 + eor r10,r2 + eor r11,r3 + eor r12,r4 + eor r13,r5 + movw r14,r10 + movw r24,r12 + mov r0,r1 + lsr r13 + ror r12 + ror r11 + ror r10 + ror r0 + lsr r13 + ror r12 + ror r11 + ror r10 + ror r0 + lsr r13 + ror r12 + ror r11 + ror r10 + ror r0 + or r13,r0 + mov r0,r1 + lsr r25 + ror r24 + ror 
r15 + ror r14 + ror r0 + lsr r25 + ror r24 + ror r15 + ror r14 + ror r0 + or r25,r0 + eor r13,r24 + eor r10,r25 + eor r11,r14 + eor r12,r15 + eor r20,r9 + eor r21,r6 + eor r22,r7 + eor r23,r8 + eor r26,r9 + eor r27,r6 + eor r28,r7 + eor r29,r8 + eor r2,r9 + eor r3,r6 + eor r4,r7 + eor r5,r8 + std Z+8,r20 + std Z+9,r21 + std Z+10,r22 + std Z+11,r23 + std Z+24,r26 + std Z+25,r27 + std Z+26,r28 + std Z+27,r29 + std Z+40,r2 + std Z+41,r3 + std Z+42,r4 + std Z+43,r5 + ldd r0,Z+12 + eor r0,r13 + std Z+12,r0 + ldd r0,Z+13 + eor r0,r10 + std Z+13,r0 + ldd r0,Z+14 + eor r0,r11 + std Z+14,r0 + ldd r0,Z+15 + eor r0,r12 + std Z+15,r0 + ldd r6,Z+28 + ldd r7,Z+29 + ldd r8,Z+30 + ldd r9,Z+31 + eor r6,r13 + eor r7,r10 + eor r8,r11 + eor r9,r12 + ldd r14,Z+44 + ldd r15,Z+45 + ldd r24,Z+46 + ldd r25,Z+47 + eor r14,r13 + eor r15,r10 + eor r24,r11 + eor r25,r12 + ldd r10,Z+24 + ldd r11,Z+25 + ldd r12,Z+26 + ldd r13,Z+27 + std Z+28,r10 + std Z+29,r11 + std Z+30,r12 + std Z+31,r13 + ldd r10,Z+20 + ldd r11,Z+21 + ldd r12,Z+22 + ldd r13,Z+23 + std Z+24,r10 + std Z+25,r11 + std Z+26,r12 + std Z+27,r13 + ldd r10,Z+16 + ldd r11,Z+17 + ldd r12,Z+18 + ldd r13,Z+19 + std Z+20,r10 + std Z+21,r11 + std Z+22,r12 + std Z+23,r13 + std Z+16,r6 + std Z+17,r7 + std Z+18,r8 + std Z+19,r9 + ldd r6,Z+32 + ldd r7,Z+33 + ldd r8,Z+34 + ldd r9,Z+35 + mov r0,r9 + mov r9,r8 + mov r8,r7 + mov r7,r6 + mov r6,r0 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+32,r6 + std Z+33,r7 + std Z+34,r8 + std Z+35,r9 + ldd r6,Z+36 + ldd r7,Z+37 + ldd r8,Z+38 + ldd r9,Z+39 + mov r0,r9 + mov r9,r8 + mov r8,r7 + mov r7,r6 + mov r6,r0 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+36,r6 + std Z+37,r7 + std Z+38,r8 + std Z+39,r9 + ldd r6,Z+40 + ldd r7,Z+41 + ldd r8,Z+42 + ldd r9,Z+43 + mov r0,r9 + mov r9,r8 + mov r8,r7 + mov 
r7,r6 + mov r6,r0 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+40,r6 + std Z+41,r7 + std Z+42,r8 + std Z+43,r9 + mov r0,r25 + mov r25,r24 + mov r24,r15 + mov r15,r14 + mov r14,r0 + lsl r14 + rol r15 + rol r24 + rol r25 + adc r14,r1 + lsl r14 + rol r15 + rol r24 + rol r25 + adc r14,r1 + lsl r14 + rol r15 + rol r24 + rol r25 + adc r14,r1 + std Z+44,r14 + std Z+45,r15 + std Z+46,r24 + std Z+47,r25 + ld r20,Z + ldd r21,Z+1 + ldd r22,Z+2 + ldd r23,Z+3 + eor r20,r18 + eor r21,r19 + ldd r26,Z+16 + ldd r27,Z+17 + ldd r28,Z+18 + ldd r29,Z+19 + ldd r2,Z+32 + ldd r3,Z+33 + ldd r4,Z+34 + ldd r5,Z+35 + movw r6,r2 + movw r8,r4 + mov r0,r26 + com r0 + and r6,r0 + mov r0,r27 + com r0 + and r7,r0 + mov r0,r28 + com r0 + and r8,r0 + mov r0,r29 + com r0 + and r9,r0 + eor r20,r6 + eor r21,r7 + eor r22,r8 + eor r23,r9 + st Z,r20 + std Z+1,r21 + std Z+2,r22 + std Z+3,r23 + movw r6,r20 + movw r8,r22 + mov r0,r2 + com r0 + and r6,r0 + mov r0,r3 + com r0 + and r7,r0 + mov r0,r4 + com r0 + and r8,r0 + mov r0,r5 + com r0 + and r9,r0 + eor r26,r6 + eor r27,r7 + eor r28,r8 + eor r29,r9 + std Z+16,r26 + std Z+17,r27 + std Z+18,r28 + std Z+19,r29 + mov r0,r20 + com r0 + and r26,r0 + mov r0,r21 + com r0 + and r27,r0 + mov r0,r22 + com r0 + and r28,r0 + mov r0,r23 + com r0 + and r29,r0 + eor r2,r26 + eor r3,r27 + eor r4,r28 + eor r5,r29 + std Z+32,r2 + std Z+33,r3 + std Z+34,r4 + std Z+35,r5 + ldd r20,Z+4 + ldd r21,Z+5 + ldd r22,Z+6 + ldd r23,Z+7 + ldd r26,Z+20 + ldd r27,Z+21 + ldd r28,Z+22 + ldd r29,Z+23 + ldd r2,Z+36 + ldd r3,Z+37 + ldd r4,Z+38 + ldd r5,Z+39 + movw r6,r2 + movw r8,r4 + mov r0,r26 + com r0 + and r6,r0 + mov r0,r27 + com r0 + and r7,r0 + mov r0,r28 + com r0 + and r8,r0 + mov r0,r29 + com r0 + and r9,r0 + eor r20,r6 + eor r21,r7 + eor r22,r8 + eor r23,r9 + std Z+4,r20 + std Z+5,r21 + std Z+6,r22 + std Z+7,r23 + movw r6,r20 + movw r8,r22 + mov r0,r2 + com r0 + and r6,r0 + mov 
r0,r3 + com r0 + and r7,r0 + mov r0,r4 + com r0 + and r8,r0 + mov r0,r5 + com r0 + and r9,r0 + eor r26,r6 + eor r27,r7 + eor r28,r8 + eor r29,r9 + std Z+20,r26 + std Z+21,r27 + std Z+22,r28 + std Z+23,r29 + mov r0,r20 + com r0 + and r26,r0 + mov r0,r21 + com r0 + and r27,r0 + mov r0,r22 + com r0 + and r28,r0 + mov r0,r23 + com r0 + and r29,r0 + eor r2,r26 + eor r3,r27 + eor r4,r28 + eor r5,r29 + std Z+36,r2 + std Z+37,r3 + std Z+38,r4 + std Z+39,r5 + ldd r20,Z+8 + ldd r21,Z+9 + ldd r22,Z+10 + ldd r23,Z+11 + ldd r26,Z+24 + ldd r27,Z+25 + ldd r28,Z+26 + ldd r29,Z+27 + ldd r2,Z+40 + ldd r3,Z+41 + ldd r4,Z+42 + ldd r5,Z+43 + movw r6,r2 + movw r8,r4 + mov r0,r26 + com r0 + and r6,r0 + mov r0,r27 + com r0 + and r7,r0 + mov r0,r28 + com r0 + and r8,r0 + mov r0,r29 + com r0 + and r9,r0 + eor r20,r6 + eor r21,r7 + eor r22,r8 + eor r23,r9 + std Z+8,r20 + std Z+9,r21 + std Z+10,r22 + std Z+11,r23 + movw r6,r20 + movw r8,r22 + mov r0,r2 + com r0 + and r6,r0 + mov r0,r3 + com r0 + and r7,r0 + mov r0,r4 + com r0 + and r8,r0 + mov r0,r5 + com r0 + and r9,r0 + eor r26,r6 + eor r27,r7 + eor r28,r8 + eor r29,r9 + std Z+24,r26 + std Z+25,r27 + std Z+26,r28 + std Z+27,r29 + mov r0,r20 + com r0 + and r26,r0 + mov r0,r21 + com r0 + and r27,r0 + mov r0,r22 + com r0 + and r28,r0 + mov r0,r23 + com r0 + and r29,r0 + eor r2,r26 + eor r3,r27 + eor r4,r28 + eor r5,r29 + std Z+40,r2 + std Z+41,r3 + std Z+42,r4 + std Z+43,r5 + ldd r20,Z+12 + ldd r21,Z+13 + ldd r22,Z+14 + ldd r23,Z+15 + ldd r26,Z+28 + ldd r27,Z+29 + ldd r28,Z+30 + ldd r29,Z+31 + ldd r2,Z+44 + ldd r3,Z+45 + ldd r4,Z+46 + ldd r5,Z+47 + movw r6,r2 + movw r8,r4 + mov r0,r26 + com r0 + and r6,r0 + mov r0,r27 + com r0 + and r7,r0 + mov r0,r28 + com r0 + and r8,r0 + mov r0,r29 + com r0 + and r9,r0 + eor r20,r6 + eor r21,r7 + eor r22,r8 + eor r23,r9 + std Z+12,r20 + std Z+13,r21 + std Z+14,r22 + std Z+15,r23 + movw r6,r20 + movw r8,r22 + mov r0,r2 + com r0 + and r6,r0 + mov r0,r3 + com r0 + and r7,r0 + mov r0,r4 + com r0 + and r8,r0 + 
mov r0,r5 + com r0 + and r9,r0 + eor r26,r6 + eor r27,r7 + eor r28,r8 + eor r29,r9 + std Z+28,r26 + std Z+29,r27 + std Z+30,r28 + std Z+31,r29 + mov r0,r20 + com r0 + and r26,r0 + mov r0,r21 + com r0 + and r27,r0 + mov r0,r22 + com r0 + and r28,r0 + mov r0,r23 + com r0 + and r29,r0 + eor r2,r26 + eor r3,r27 + eor r4,r28 + eor r5,r29 + std Z+44,r2 + std Z+45,r3 + std Z+46,r4 + std Z+47,r5 + ldd r6,Z+16 + ldd r7,Z+17 + ldd r8,Z+18 + ldd r9,Z+19 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+16,r6 + std Z+17,r7 + std Z+18,r8 + std Z+19,r9 + ldd r6,Z+20 + ldd r7,Z+21 + ldd r8,Z+22 + ldd r9,Z+23 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+20,r6 + std Z+21,r7 + std Z+22,r8 + std Z+23,r9 + ldd r6,Z+24 + ldd r7,Z+25 + ldd r8,Z+26 + ldd r9,Z+27 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+24,r6 + std Z+25,r7 + std Z+26,r8 + std Z+27,r9 + ldd r6,Z+28 + ldd r7,Z+29 + ldd r8,Z+30 + ldd r9,Z+31 + lsl r6 + rol r7 + rol r8 + rol r9 + adc r6,r1 + std Z+28,r6 + std Z+29,r7 + std Z+30,r8 + std Z+31,r9 + ldd r6,Z+40 + ldd r7,Z+41 + ldd r8,Z+42 + ldd r9,Z+43 + ldd r10,Z+44 + ldd r11,Z+45 + ldd r12,Z+46 + ldd r13,Z+47 + ldd r14,Z+32 + ldd r15,Z+33 + ldd r24,Z+34 + ldd r25,Z+35 + std Z+40,r25 + std Z+41,r14 + std Z+42,r15 + std Z+43,r24 + ldd r14,Z+36 + ldd r15,Z+37 + ldd r24,Z+38 + ldd r25,Z+39 + std Z+44,r25 + std Z+45,r14 + std Z+46,r15 + std Z+47,r24 + std Z+32,r9 + std Z+33,r6 + std Z+34,r7 + std Z+35,r8 + std Z+36,r13 + std Z+37,r10 + std Z+38,r11 + std Z+39,r12 + ret +888: + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + pop r7 + pop r6 + pop r5 + pop r4 + pop r3 + pop r2 + pop r29 + pop r28 + ret + .size xoodoo_permute, .-xoodoo_permute + +#endif diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/internal-xoodoo.c b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/internal-xoodoo.c new file mode 100644 index 0000000..59bb8bf --- /dev/null 
+++ b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/internal-xoodoo.c 
@@ -0,0 +1,166 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "internal-xoodoo.h"
+
+#if !defined(__AVR__)
+
+void xoodoo_permute(xoodoo_state_t *state)
+{
+ static uint16_t const rc[XOODOO_ROUNDS] = {
+ 0x0058, 0x0038, 0x03C0, 0x00D0, 0x0120, 0x0014,
+ 0x0060, 0x002C, 0x0380, 0x00F0, 0x01A0, 0x0012
+ };
+ uint8_t round;
+ uint32_t x00, x01, x02, x03;
+ uint32_t x10, x11, x12, x13;
+ uint32_t x20, x21, x22, x23;
+ uint32_t t1, t2;
+
+ /* Load the state and convert from little-endian byte order */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ x00 = state->S[0][0];
+ x01 = state->S[0][1];
+ x02 = state->S[0][2];
+ x03 = state->S[0][3];
+ x10 = state->S[1][0];
+ x11 = state->S[1][1];
+ x12 = state->S[1][2];
+ x13 = state->S[1][3];
+ x20 = state->S[2][0];
+ x21 = state->S[2][1];
+ x22 = state->S[2][2];
+ x23 = state->S[2][3];
+#else
+ x00 = le_load_word32(state->B);
+ x01 = le_load_word32(state->B + 4);
+ x02 = le_load_word32(state->B + 8);
+ x03 = le_load_word32(state->B + 12);
+ x10 = le_load_word32(state->B + 16);
+ x11 = le_load_word32(state->B + 20);
+ x12 = le_load_word32(state->B + 24);
+ x13 = le_load_word32(state->B + 28);
+ x20 = le_load_word32(state->B + 32);
+ x21 = le_load_word32(state->B + 36);
+ x22 = le_load_word32(state->B + 40);
+ x23 = le_load_word32(state->B + 44);
+#endif
+
+ /* Perform all permutation rounds */
+ for (round = 0; round < XOODOO_ROUNDS; ++round) {
+ /* Optimization ideas from the Xoodoo implementation here:
+ * https://github.com/XKCP/XKCP/tree/master/lib/low/Xoodoo/Optimized */
+
+ /* Step theta: Mix column parity */
+ t1 = x03 ^ x13 ^ x23;
+ t2 = x00 ^ x10 ^ x20;
+ t1 = leftRotate5(t1) ^ leftRotate14(t1);
+ t2 = leftRotate5(t2) ^ leftRotate14(t2);
+ x00 ^= t1;
+ x10 ^= t1;
+ x20 ^= t1;
+ t1 = x01 ^ x11 ^ x21;
+ t1 = leftRotate5(t1) ^ leftRotate14(t1);
+ x01 ^= t2;
+ x11 ^= t2;
+ x21 ^= t2;
+ t2 = x02 ^ x12 ^ x22;
+ t2 = leftRotate5(t2) ^ leftRotate14(t2);
+ x02 ^= t1;
+ x12 ^= t1;
+ x22 ^= t1;
+ x03 ^= t2;
+ x13 ^= t2;
+ x23 ^= t2;
+
+ /* Step rho-west: Plane shift */
+ t1 = x13;
+ x13 = x12;
+ x12 = x11;
+ x11 = x10;
+ x10 = t1;
+ x20 = leftRotate11(x20);
+ x21 = leftRotate11(x21);
+ x22 = leftRotate11(x22);
+ x23 = leftRotate11(x23);
+
+ /* Step iota: Add the round constant to the state */
+ x00 ^= rc[round];
+
+ /* Step chi: Non-linear layer */
+ x00 ^= (~x10) & x20;
+ x10 ^= (~x20) & x00;
+ x20 ^= (~x00) & x10;
+ x01 ^= (~x11) & x21;
+ x11 ^= (~x21) & x01;
+ x21 ^= (~x01) & x11;
+ x02 ^= (~x12) & x22;
+ x12 ^= (~x22) & x02;
+ x22 ^= (~x02) & x12;
+ x03 ^= (~x13) & x23;
+ x13 ^= (~x23) & x03;
+ x23 ^= (~x03) & x13;
+
+ /* Step rho-east: Plane shift */
+ x10 = leftRotate1(x10);
+ x11 = leftRotate1(x11);
+ x12 = leftRotate1(x12);
+ x13 = leftRotate1(x13);
+ t1 = leftRotate8(x22);
+ t2 = leftRotate8(x23);
+ x22 = leftRotate8(x20);
+ x23 = leftRotate8(x21);
+ x20 = t1;
+ x21 = t2;
+ }
+
+ /* Convert back into little-endian and store to the output state */
+#if defined(LW_UTIL_LITTLE_ENDIAN)
+ state->S[0][0] = x00;
+ state->S[0][1] = x01;
+ state->S[0][2] = x02;
+ state->S[0][3] = x03;
+ state->S[1][0] = x10;
+ state->S[1][1] = x11;
+ state->S[1][2] = x12;
+ state->S[1][3] = x13;
+ state->S[2][0] = x20;
+ state->S[2][1] = x21;
+ state->S[2][2] = x22;
+ state->S[2][3] = x23;
+#else
+ le_store_word32(state->B, x00);
+ le_store_word32(state->B + 4, x01);
+ le_store_word32(state->B + 8, x02);
+ le_store_word32(state->B + 12, x03);
+ le_store_word32(state->B + 16, x10);
+ le_store_word32(state->B + 20, x11);
+ le_store_word32(state->B + 24, x12);
+ le_store_word32(state->B + 28, x13);
+ le_store_word32(state->B + 32, x20);
+ le_store_word32(state->B + 36, x21);
+ le_store_word32(state->B + 40, x22);
+ le_store_word32(state->B + 44, x23);
+#endif
+}
+
+#endif /* !__AVR__ */
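Review bot: The theta step is hard to audit against the specification because the column indexing is folded into the statement order: `t1 = x03 ^ x13 ^ x23;` feeds column 0 and `t2 = x00 ^ x10 ^ x20;` feeds column 1, and nothing says that column x receives the parity of column x-1. A comment such as `/* Column x receives the parity of column x-1, rotated by 5 and 14 */` above `t1 = x03 ^ x13 ^ x23;` would make the interleaving checkable, and the in-place chi (`x00 ^= (~x10) & x20; x10 ^= (~x20) & x00; x20 ^= (~x00) & x10;`) deserves a one-line comment saying it is equivalent to computing the three products first (a bit-level case check confirms this), so the next reader is not left redoing the algebra. As a style point, the loop counter `uint8_t round;` would shadow `round()` if `<math.h>` is ever reached through internal-util.h and trip `-Wshadow`; `uint8_t r;` avoids it. On the positive side, the round-constant table is indexed only by the loop counter and the body has no data-dependent branches, so the portable path is constant-time with respect to the state provided the leftRotateN macros expand to plain shifts.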
diff --git a/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/internal-ascon.h b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/internal-xoodoo.h
similarity index 65%
rename from ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/internal-ascon.h
rename to xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/internal-xoodoo.h
index d3fa3ca..f6eddd8 100644
--- a/ascon/Implementations/crypto_hash/asconhashv12/rhys-avr/internal-ascon.h
+++ b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/internal-xoodoo.h
@@ -20,17 +20,16 @@
 * DEALINGS IN THE SOFTWARE.
 */
 
-#ifndef LW_INTERNAL_ASCON_H
-#define LW_INTERNAL_ASCON_H
+#ifndef LW_INTERNAL_XOODOO_H
+#define LW_INTERNAL_XOODOO_H
 
 #include "internal-util.h"
 
 /**
- * \file internal-ascon.h
- * \brief Internal implementation of the ASCON permutation.
+ * \file internal-xoodoo.h
+ * \brief Internal implementation of the Xoodoo permutation.
 *
- * References: http://competitions.cr.yp.to/round3/asconv12.pdf,
- * http://ascon.iaik.tugraz.at/
+ * References: https://keccak.team/xoodyak.html
 */
 
 #ifdef __cplusplus
@@ -38,24 +37,41 @@ extern "C" {
 #endif
 
 /**
- * \brief Structure of the internal state of the ASCON permutation.
+ * \brief Number of rows in the Xoodoo state.
+ */
+#define XOODOO_ROWS 3
+
+/**
+ * \brief Number of columns in the Xoodoo state.
+ */
+#define XOODOO_COLS 4
+
+/**
+ * \brief Number of rounds for the Xoodoo permutation.
+ */
+#define XOODOO_ROUNDS 12
+
+/**
+ * \brief State information for the Xoodoo permutation.
 */
 typedef union
 {
- uint64_t S[5]; /**< Words of the state */
- uint8_t B[40]; /**< Bytes of the state */
+ /** Words of the state */
+ uint32_t S[XOODOO_ROWS][XOODOO_COLS];
+
+ /** Bytes of the state */
+ uint8_t B[XOODOO_ROWS * XOODOO_COLS * sizeof(uint32_t)];
 
-} ascon_state_t;
+} xoodoo_state_t;
 
 /**
- * \brief Permutes the ASCON state.
+ * \brief Permutes the Xoodoo state.
 *
- * \param state The ASCON state to be permuted.
- * \param first_round The first round (of 12) to be performed; 0, 4, or 6.
+ * \param state The Xoodoo state.
 *
- * The input and output \a state will be in big-endian byte order.
+ * The state will be in little-endian before and after the operation.
 */
-void ascon_permute(ascon_state_t *state, uint8_t first_round);
+void xoodoo_permute(xoodoo_state_t *state);
 
 #ifdef __cplusplus
 }
diff --git a/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/xoodyak.c b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/xoodyak.c
new file mode 100644
index 0000000..4ad4fce
--- /dev/null
+++ b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/xoodyak.c
@@ -0,0 +1,321 @@
+/*
+ * Copyright (C) 2020 Southern Storm Software, Pty Ltd.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#include "xoodyak.h"
+#include "internal-xoodoo.h"
+#include 
+
+aead_cipher_t const xoodyak_cipher = {
+ "Xoodyak",
+ XOODYAK_KEY_SIZE,
+ XOODYAK_NONCE_SIZE,
+ XOODYAK_TAG_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ xoodyak_aead_encrypt,
+ xoodyak_aead_decrypt
+};
+
+aead_hash_algorithm_t const xoodyak_hash_algorithm = {
+ "Xoodyak-Hash",
+ sizeof(xoodyak_hash_state_t),
+ XOODYAK_HASH_SIZE,
+ AEAD_FLAG_LITTLE_ENDIAN,
+ xoodyak_hash,
+ (aead_hash_init_t)xoodyak_hash_init,
+ (aead_hash_update_t)xoodyak_hash_absorb,
+ (aead_hash_finalize_t)xoodyak_hash_finalize,
+ (aead_xof_absorb_t)xoodyak_hash_absorb,
+ (aead_xof_squeeze_t)xoodyak_hash_squeeze
+};
+
+/**
+ * \brief Rate for absorbing data into the sponge state.
+ */
+#define XOODYAK_ABSORB_RATE 44
+
+/**
+ * \brief Rate for squeezing data out of the sponge.
+ */
+#define XOODYAK_SQUEEZE_RATE 24
+
+/**
+ * \brief Rate for absorbing and squeezing in hashing mode.
+ */
+#define XOODYAK_HASH_RATE 16
+
+/**
+ * \brief Phase identifier for "up" mode, which indicates that a block
+ * permutation has just been performed.
+ */
+#define XOODYAK_PHASE_UP 0
+
+/**
+ * \brief Phase identifier for "down" mode, which indicates that data has
+ * been absorbed but that a block permutation has not been done yet.
+ */
+#define XOODYAK_PHASE_DOWN 1
+
+/**
+ * \brief Absorbs data into the Xoodoo permutation state.
+ *
+ * \param state Xoodoo permutation state.
+ * \param phase Points to the current phase, up or down.
+ * \param data Points to the data to be absorbed.
+ * \param len Length of the data to be absorbed.
+ */
+static void xoodyak_absorb
+ (xoodoo_state_t *state, uint8_t *phase,
+ const unsigned char *data, unsigned long long len)
+{
+ uint8_t domain = 0x03;
+ unsigned temp;
+ while (len > XOODYAK_ABSORB_RATE) {
+ if (*phase != XOODYAK_PHASE_UP)
+ xoodoo_permute(state);
+ lw_xor_block(state->B, data, XOODYAK_ABSORB_RATE);
+ state->B[XOODYAK_ABSORB_RATE] ^= 0x01; /* Padding */
+ state->B[sizeof(state->B) - 1] ^= domain;
+ data += XOODYAK_ABSORB_RATE;
+ len -= XOODYAK_ABSORB_RATE;
+ domain = 0x00;
+ *phase = XOODYAK_PHASE_DOWN;
+ }
+ temp = (unsigned)len;
+ if (*phase != XOODYAK_PHASE_UP)
+ xoodoo_permute(state);
+ lw_xor_block(state->B, data, temp);
+ state->B[temp] ^= 0x01; /* Padding */
+ state->B[sizeof(state->B) - 1] ^= domain;
+ *phase = XOODYAK_PHASE_DOWN;
+}
+
+int xoodyak_aead_encrypt
+ (unsigned char *c, unsigned long long *clen,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ xoodoo_state_t state;
+ uint8_t phase, domain;
+ unsigned temp;
+ (void)nsec;
+
+ /* Set the length of the returned ciphertext */
+ *clen = mlen + XOODYAK_TAG_SIZE;
+
+ /* Initialize the state with the key */
+ memcpy(state.B, k, XOODYAK_KEY_SIZE);
+ memset(state.B + XOODYAK_KEY_SIZE, 0, sizeof(state.B) - XOODYAK_KEY_SIZE);
+ state.B[XOODYAK_KEY_SIZE + 1] = 0x01; /* Padding */
+ state.B[sizeof(state.B) - 1] = 0x02; /* Domain separation */
+ phase = XOODYAK_PHASE_DOWN;
+
+ /* Absorb the nonce and associated data */
+ xoodyak_absorb(&state, &phase, npub, XOODYAK_NONCE_SIZE);
+ xoodyak_absorb(&state, &phase, ad, adlen);
+
+ /* Encrypt the plaintext to produce the ciphertext */
+ domain = 0x80;
+ while (mlen > XOODYAK_SQUEEZE_RATE) {
+ state.B[sizeof(state.B) - 1] ^= domain;
+ xoodoo_permute(&state);
+ lw_xor_block_2_dest(c, state.B, m, XOODYAK_SQUEEZE_RATE);
+ state.B[XOODYAK_SQUEEZE_RATE] ^= 0x01; /* Padding */
+ c += XOODYAK_SQUEEZE_RATE;
+ m += XOODYAK_SQUEEZE_RATE;
+ mlen -= XOODYAK_SQUEEZE_RATE;
+ domain = 0;
+ }
+ state.B[sizeof(state.B) - 1] ^= domain;
+ xoodoo_permute(&state);
+ temp = (unsigned)mlen;
+ lw_xor_block_2_dest(c, state.B, m, temp);
+ state.B[temp] ^= 0x01; /* Padding */
+ c += temp;
+
+ /* Generate the authentication tag */
+ state.B[sizeof(state.B) - 1] ^= 0x40; /* Domain separation */
+ xoodoo_permute(&state);
+ memcpy(c, state.B, XOODYAK_TAG_SIZE);
+ return 0;
+}
+
+int xoodyak_aead_decrypt
+ (unsigned char *m, unsigned long long *mlen,
+ unsigned char *nsec,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ xoodoo_state_t state;
+ uint8_t phase, domain;
+ unsigned temp;
+ unsigned char *mtemp = m;
+ (void)nsec;
+
+ /* Validate the ciphertext length and set the return "mlen" value */
+ if (clen < XOODYAK_TAG_SIZE)
+ return -1;
+ *mlen = clen - XOODYAK_TAG_SIZE;
+
+ /* Initialize the state with the key */
+ memcpy(state.B, k, XOODYAK_KEY_SIZE);
+ memset(state.B + XOODYAK_KEY_SIZE, 0, sizeof(state.B) - XOODYAK_KEY_SIZE);
+ state.B[XOODYAK_KEY_SIZE + 1] = 0x01; /* Padding */
+ state.B[sizeof(state.B) - 1] = 0x02; /* Domain separation */
+ phase = XOODYAK_PHASE_DOWN;
+
+ /* Absorb the nonce and associated data */
+ xoodyak_absorb(&state, &phase, npub, XOODYAK_NONCE_SIZE);
+ xoodyak_absorb(&state, &phase, ad, adlen);
+
+ /* Decrypt the ciphertext to produce the plaintext */
+ domain = 0x80;
+ clen -= XOODYAK_TAG_SIZE;
+ while (clen > XOODYAK_SQUEEZE_RATE) {
+ state.B[sizeof(state.B) - 1] ^= domain;
+ xoodoo_permute(&state);
+ lw_xor_block_swap(m, state.B, c, XOODYAK_SQUEEZE_RATE);
+ state.B[XOODYAK_SQUEEZE_RATE] ^= 0x01; /* Padding */
+ c += XOODYAK_SQUEEZE_RATE;
+ m += XOODYAK_SQUEEZE_RATE;
+ clen -= XOODYAK_SQUEEZE_RATE;
+ domain = 0;
+ }
+ state.B[sizeof(state.B) - 1] ^= domain;
+ xoodoo_permute(&state);
+ temp = (unsigned)clen;
+ lw_xor_block_swap(m, state.B, c, temp);
+ state.B[temp] ^= 0x01; /* Padding */
+ c += temp;
+
+ /* Check the authentication tag */
+ state.B[sizeof(state.B) - 1] ^= 0x40; /* Domain separation */
+ xoodoo_permute(&state);
+ return aead_check_tag(mtemp, *mlen, state.B, c, XOODYAK_TAG_SIZE);
+}
+
+int xoodyak_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen)
+{
+ xoodyak_hash_state_t state;
+ xoodyak_hash_init(&state);
+ xoodyak_hash_absorb(&state, in, inlen);
+ xoodyak_hash_squeeze(&state, out, XOODYAK_HASH_SIZE);
+ return 0;
+}
+
+#define XOODYAK_HASH_MODE_INIT_ABSORB 0
+#define XOODYAK_HASH_MODE_ABSORB 1
+#define XOODYAK_HASH_MODE_SQUEEZE 2
+
+#define xoodoo_hash_permute(state) \
+ xoodoo_permute((xoodoo_state_t *)((state)->s.state))
+
+void xoodyak_hash_init(xoodyak_hash_state_t *state)
+{
+ memset(state, 0, sizeof(xoodyak_hash_state_t));
+ state->s.mode = XOODYAK_HASH_MODE_INIT_ABSORB;
+}
+
+void xoodyak_hash_absorb
+ (xoodyak_hash_state_t *state, const unsigned char *in,
+ unsigned long long inlen)
+{
+ uint8_t domain;
+ unsigned temp;
+
+ /* If we were squeezing, then restart the absorb phase */
+ if (state->s.mode == XOODYAK_HASH_MODE_SQUEEZE) {
+ xoodoo_hash_permute(state);
+ state->s.mode = XOODYAK_HASH_MODE_INIT_ABSORB;
+ state->s.count = 0;
+ }
+
+ /* The first block needs a different domain separator to the others */
+ domain = (state->s.mode == XOODYAK_HASH_MODE_INIT_ABSORB) ? 0x01 : 0x00;
+
+ /* Absorb the input data into the state */
+ while (inlen > 0) {
+ if (state->s.count >= XOODYAK_HASH_RATE) {
+ state->s.state[XOODYAK_HASH_RATE] ^= 0x01; /* Padding */
+ state->s.state[sizeof(state->s.state) - 1] ^= domain;
+ xoodoo_hash_permute(state);
+ state->s.mode = XOODYAK_HASH_MODE_ABSORB;
+ state->s.count = 0;
+ domain = 0x00;
+ }
+ temp = XOODYAK_HASH_RATE - state->s.count;
+ if (temp > inlen)
+ temp = (unsigned)inlen;
+ lw_xor_block(state->s.state + state->s.count, in, temp);
+ state->s.count += temp;
+ in += temp;
+ inlen -= temp;
+ }
+}
+
+void xoodyak_hash_squeeze
+ (xoodyak_hash_state_t *state, unsigned char *out,
+ unsigned long long outlen)
+{
+ uint8_t domain;
+ unsigned temp;
+
+ /* If we were absorbing, then terminate the absorb phase */
+ if (state->s.mode != XOODYAK_HASH_MODE_SQUEEZE) {
+ domain = (state->s.mode == XOODYAK_HASH_MODE_INIT_ABSORB) ? 0x01 : 0x00;
+ state->s.state[state->s.count] ^= 0x01; /* Padding */
+ state->s.state[sizeof(state->s.state) - 1] ^= domain;
+ xoodoo_hash_permute(state);
+ state->s.mode = XOODYAK_HASH_MODE_SQUEEZE;
+ state->s.count = 0;
+ }
+
+ /* Squeeze data out of the state */
+ while (outlen > 0) {
+ if (state->s.count >= XOODYAK_HASH_RATE) {
+ /* Padding is always at index 0 for squeezing subsequent
+ * blocks because the number of bytes we have absorbed
+ * since the previous block was squeezed out is zero */
+ state->s.state[0] ^= 0x01;
+ xoodoo_hash_permute(state);
+ state->s.count = 0;
+ }
+ temp = XOODYAK_HASH_RATE - state->s.count;
+ if (temp > outlen)
+ temp = (unsigned)outlen;
+ memcpy(out, state->s.state + state->s.count, temp);
+ state->s.count += temp;
+ out += temp;
+ outlen -= temp;
+ }
+}
+
+void xoodyak_hash_finalize
+ (xoodyak_hash_state_t *state, unsigned char *out)
+{
+ xoodyak_hash_squeeze(state, out, XOODYAK_HASH_SIZE);
+}
diff --git a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/drygascon.h b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/xoodyak.h
similarity index 52%
rename from drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/drygascon.h
rename to xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/xoodyak.h
index 12e18c3..f4777d5 100644
--- a/drygascon/Implementations/crypto_hash/drygascon128/rhys-avr/drygascon.h
+++ b/xoodyak/Implementations/crypto_hash/xoodyakv1/rhys/xoodyak.h
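Review bot: In xoodyak_aead_decrypt the plaintext is written into `m` block by block before the tag is compared, so on a mismatch `m` already holds the candidate plaintext and only the return value of aead_check_tag() distinguishes success from failure; `mtemp` and `*mlen` are passed to that helper presumably so it can wipe the buffer, but its body is not visible here and that should be confirmed. I would put above the final return: `/* Tag is checked last: m already holds the plaintext, so callers must treat it as untrusted unless the return is 0; aead_check_tag() is relied on to clear it on mismatch */`. Separately, xoodoo_hash_permute() reinterprets the `unsigned char state[48]` member of xoodyak_hash_state_t as a xoodoo_state_t; the union's `align` member keeps state[] (at offset 0) suitably aligned on common ABIs, but reading that char array as uint32_t words inside xoodoo_permute() is technically a strict-aliasing violation, so either build with -fno-strict-aliasing or record the reliance in a comment on the macro. The hard-coded 48 in the header and `sizeof(state.B)` here must also stay equal to XOODOO_ROWS * XOODOO_COLS * sizeof(uint32_t); a `_Static_assert(sizeof(xoodoo_state_t) == sizeof(((xoodyak_hash_state_t *)0)->s.state), "hash state size");` next to the macro would pin that at compile time.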
@@ -20,31 +20,33 @@
 * DEALINGS IN THE SOFTWARE.
 */
-#ifndef LWCRYPTO_DRYGASCON_H
-#define LWCRYPTO_DRYGASCON_H
+#ifndef LWCRYPTO_XOODYAK_H
+#define LWCRYPTO_XOODYAK_H
 #include "aead-common.h"
 /**
- * \file drygascon.h
- * \brief DryGASCON authenticated encryption algorithm.
+ * \file xoodyak.h
+ * \brief Xoodyak authenticated encryption algorithm.
 *
- * DryGASCON is a family of authenticated encryption algorithms based
- * around a generalised version of the ASCON permutation. DryGASCON
- * is designed to provide some protection against power analysis.
+ * Xoodyak is an authenticated encryption and hash algorithm pair based
+ * around the 384-bit Xoodoo permutation that is similar in structure to
+ * Keccak but is more efficient than Keccak on 32-bit embedded devices.
+ * The Cyclist mode of operation is used to convert the permutation
+ * into a sponge for the higher-level algorithms.
 *
- * There are four algorithms in the DryGASCON family:
+ * The Xoodyak encryption mode has a 128-bit key, a 128-bit nonce,
+ * and a 128-bit authentication tag. The Xoodyak hashing mode has a
+ * 256-bit fixed hash output and can also be used as an extensible
+ * output function (XOF).
 *
- * \li DryGASCON128 is an authenticated encryption algorithm with a
- * 128-bit key, a 128-bit nonce, and a 128-bit authentication tag.
- * \li DryGASCON256 is an authenticated encryption algorithm with a
- * 256-bit key, a 128-bit nonce, and a 128-256 authentication tag.
- * \li DryGASCON128-HASH is a hash algorithm with a 256-bit output.
- * \li DryGASCON256-HASH is a hash algorithm with a 512-bit output.
+ * The Xoodyak specification describes a re-keying mechanism where the
+ * key for one packet is used to derive the key to use on the next packet.
+ * This provides some resistance against side channel attacks by making
+ * the session key a moving target. This library does not currently
+ * implement re-keying.
 *
- * DryGASCON128 and DryGASCON128-HASH are the primary members of the family.
- *
- * References: https://github.com/sebastien-riou/DryGASCON
+ * References: https://keccak.team/xoodyak.html
 */
 #ifdef __cplusplus
@@ -52,67 +54,51 @@ extern "C" {
 #endif
 /**
- * \brief Size of the key for DryGASCON128.
- */
-#define DRYGASCON128_KEY_SIZE 16
-
-/**
- * \brief Size of the authentication tag for DryGASCON128.
- */
-#define DRYGASCON128_TAG_SIZE 16
-
-/**
- * \brief Size of the nonce for DryGASCON128.
- */
-#define DRYGASCON128_NONCE_SIZE 16
-
-/**
- * \brief Size of the hash output for DryGASCON128-HASH.
+ * \brief Size of the key for Xoodyak.
 */
-#define DRYGASCON128_HASH_SIZE 32
+#define XOODYAK_KEY_SIZE 16
 /**
- * \brief Size of the key for DryGASCON256.
+ * \brief Size of the authentication tag for Xoodyak.
 */
-#define DRYGASCON256_KEY_SIZE 32
+#define XOODYAK_TAG_SIZE 16
 /**
- * \brief Size of the authentication tag for DryGASCON256.
+ * \brief Size of the nonce for Xoodyak.
 */
-#define DRYGASCON256_TAG_SIZE 32
+#define XOODYAK_NONCE_SIZE 16
 /**
- * \brief Size of the nonce for DryGASCON256.
+ * \brief Size of the hash output for Xoodyak.
 */
-#define DRYGASCON256_NONCE_SIZE 16
+#define XOODYAK_HASH_SIZE 32
 /**
- * \brief Size of the hash output for DryGASCON256-HASH.
+ * \brief State information for Xoodyak incremental hashing modes.
 */
-#define DRYGASCON256_HASH_SIZE 64
+typedef union
+{
+ struct {
+ unsigned char state[48]; /**< Current hash state */
+ unsigned char count; /**< Number of bytes in the current block */
+ unsigned char mode; /**< Hash mode: absorb or squeeze */
+ } s; /**< State */
+ unsigned long long align; /**< For alignment of this structure */
-/**
- * \brief Meta-information block for the DryGASCON128 cipher.
- */
-extern aead_cipher_t const drygascon128_cipher;
-
-/**
- * \brief Meta-information block for the DryGASCON256 cipher.
- */
-extern aead_cipher_t const drygascon256_cipher;
+} xoodyak_hash_state_t;
 /**
- * \brief Meta-information block for DryGASCON128-HASH.
+ * \brief Meta-information block for the Xoodyak cipher.
 */
-extern aead_hash_algorithm_t const drygascon128_hash_algorithm;
+extern aead_cipher_t const xoodyak_cipher;
 /**
- * \brief Meta-information block for DryGASCON256-HASH.
+ * \brief Meta-information block for the Xoodyak hash algorithm.
 */
-extern aead_hash_algorithm_t const drygascon256_hash_algorithm;
+extern aead_hash_algorithm_t const xoodyak_hash_algorithm;
 /**
- * \brief Encrypts and authenticates a packet with DryGASCON128.
+ * \brief Encrypts and authenticates a packet with Xoodyak.
 *
 * \param c Buffer to receive the output.
 * \param clen On exit, set to the length of the output which includes
@@ -130,9 +116,9 @@ extern aead_hash_algorithm_t const drygascon256_hash_algorithm;
 * \return 0 on success, or a negative value if there was an error in
 * the parameters.
 *
- * \sa drygascon128_aead_decrypt()
+ * \sa xoodyak_aead_decrypt()
 */
-int drygascon128_aead_encrypt
+int xoodyak_aead_encrypt
 (unsigned char *c, unsigned long long *clen,
 const unsigned char *m, unsigned long long mlen,
 const unsigned char *ad, unsigned long long adlen,
@@ -141,7 +127,7 @@ int drygascon128_aead_encrypt
 const unsigned char *k);
 /**
- * \brief Decrypts and authenticates a packet with DryGASCON128.
+ * \brief Decrypts and authenticates a packet with Xoodyak.
 *
 * \param m Buffer to receive the plaintext message on output.
 * \param mlen Receives the length of the plaintext message on output.
@@ -160,9 +146,9 @@ int drygascon128_aead_encrypt
 * \return 0 on success, -1 if the authentication tag was incorrect,
 * or some other negative number if there was an error in the parameters.
 *
- * \sa drygascon128_aead_encrypt()
+ * \sa xoodyak_aead_encrypt()
 */
-int drygascon128_aead_decrypt
+int xoodyak_aead_decrypt
 (unsigned char *m, unsigned long long *mlen,
 unsigned char *nsec,
 const unsigned char *c, unsigned long long clen,
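Review bot: The `state[48]` member of xoodyak_hash_state_t carries a magic number that has to equal the size of xoodoo_state_t from internal-xoodoo.h (XOODOO_ROWS * XOODOO_COLS * sizeof(uint32_t), i.e. 48 bytes), because xoodyak.c casts this array to a `xoodoo_state_t *`, yet nothing in this public header records that coupling. I would extend the field comment to `unsigned char state[48]; /**< Current hash state; must be sizeof(xoodoo_state_t) (48 bytes) */`. The `align` member is also what makes that cast well-aligned on common ABIs, so its comment could say `/**< Keeps state[] aligned for the xoodoo_state_t cast in xoodyak.c */` rather than the generic wording.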
@@ -171,91 +157,67 @@ int drygascon128_aead_decrypt
 const unsigned char *k);
 /**
- * \brief Encrypts and authenticates a packet with DryGASCON256.
- *
- * \param c Buffer to receive the output.
- * \param clen On exit, set to the length of the output which includes
- * the ciphertext and the 16 byte authentication tag.
- * \param m Buffer that contains the plaintext message to encrypt.
- * \param mlen Length of the plaintext message in bytes.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to encrypt the packet.
+ * \brief Hashes a block of input data with Xoodyak to generate a hash value.
 *
- * \return 0 on success, or a negative value if there was an error in
- * the parameters.
+ * \param out Buffer to receive the hash output which must be at least
+ * XOODYAK_HASH_SIZE bytes in length.
+ * \param in Points to the input data to be hashed.
+ * \param inlen Length of the input data in bytes.
 *
- * \sa drygascon256_aead_decrypt()
+ * \return Returns zero on success or -1 if there was an error in the
+ * parameters.
 */
-int drygascon256_aead_encrypt
- (unsigned char *c, unsigned long long *clen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *nsec,
- const unsigned char *npub,
- const unsigned char *k);
+int xoodyak_hash
+ (unsigned char *out, const unsigned char *in, unsigned long long inlen);
 /**
- * \brief Decrypts and authenticates a packet with DryGASCON256.
+ * \brief Initializes the state for a Xoodyak hashing operation.
 *
- * \param m Buffer to receive the plaintext message on output.
- * \param mlen Receives the length of the plaintext message on output.
- * \param nsec Secret nonce - not used by this algorithm.
- * \param c Buffer that contains the ciphertext and authentication
- * tag to decrypt.
- * \param clen Length of the input data in bytes, which includes the
- * ciphertext and the 16 byte authentication tag.
- * \param ad Buffer that contains associated data to authenticate
- * along with the packet but which does not need to be encrypted.
- * \param adlen Length of the associated data in bytes.
- * \param npub Points to the public nonce for the packet which must
- * be 16 bytes in length.
- * \param k Points to the 16 bytes of the key to use to decrypt the packet.
+ * \param state Hash state to be initialized.
 *
- * \return 0 on success, -1 if the authentication tag was incorrect,
- * or some other negative number if there was an error in the parameters.
+ * \sa xoodyak_hash_absorb(), xoodyak_hash_squeeze(), xoodyak_hash()
+ */
+void xoodyak_hash_init(xoodyak_hash_state_t *state);
+
+/**
+ * \brief Aborbs more input data into a Xoodyak hashing state.
 *
- * \sa drygascon256_aead_encrypt()
+ * \param state Hash state to be updated.
+ * \param in Points to the input data to be absorbed into the state.
+ * \param inlen Length of the input data to be absorbed into the state.
+ *
+ * \sa xoodyak_hash_init(), xoodyak_hash_squeeze()
 */
-int drygascon256_aead_decrypt
- (unsigned char *m, unsigned long long *mlen,
- unsigned char *nsec,
- const unsigned char *c, unsigned long long clen,
- const unsigned char *ad, unsigned long long adlen,
- const unsigned char *npub,
- const unsigned char *k);
+void xoodyak_hash_absorb
+ (xoodyak_hash_state_t *state, const unsigned char *in,
+ unsigned long long inlen);
 /**
- * \brief Hashes a block of input data with DRYGASCON128.
+ * \brief Squeezes output data from a Xoodyak hashing state.
 *
- * \param out Buffer to receive the hash output which must be at least
- * DRYGASCON128_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
+ * \param state Hash state to squeeze the output data from.
+ * \param out Points to the output buffer to receive the squeezed data.
+ * \param outlen Number of bytes of data to squeeze out of the state.
 *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
+ * \sa xoodyak_hash_init(), xoodyak_hash_absorb()
 */
-int drygascon128_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
+void xoodyak_hash_squeeze
+ (xoodyak_hash_state_t *state, unsigned char *out,
+ unsigned long long outlen);
 /**
- * \brief Hashes a block of input data with DRYGASCON256.
+ * \brief Returns the final hash value from a Xoodyak hashing operation.
 *
- * \param out Buffer to receive the hash output which must be at least
- * DRYGASCON256_HASH_SIZE bytes in length.
- * \param in Points to the input data to be hashed.
- * \param inlen Length of the input data in bytes.
+ * \param state Hash state to be finalized.
+ * \param out Points to the output buffer to receive the hash value.
 *
- * \return Returns zero on success or -1 if there was an error in the
- * parameters.
+ * \note This is a wrapper around xoodyak_hash_squeeze() for a fixed length
+ * of XOODYAK_HASH_SIZE bytes.
+ *
+ * \sa xoodyak_hash_init(), xoodyak_hash_absorb()
 */
-int drygascon256_hash
- (unsigned char *out, const unsigned char *in, unsigned long long inlen);
+void xoodyak_hash_finalize
+ (xoodyak_hash_state_t *state, unsigned char *out);
 #ifdef __cplusplus
 }